Hybrid verification integrating HOL theorem proving with MDG model checking

Rabeb Mizounia, Sofiène Taharaa,*, Paul Curzonb

aDepartment of Electrical and Computer Engineering, Concordia University, Montreal, Que., Canada H3G 1M8
bDepartment of Computer Science, Queen Mary University of London, Mile End, London E1 4NS, UK

Accepted 20 June 2006

Abstract

In this paper, we describe a hybrid tool for hardware formal verification that links the HOL (higher-order logic) theorem prover and the MDG (multiway decision graphs) model checker. Our tool supports abstract datatypes and uninterpreted function symbols available in MDG, allowing the verification of high-level specifications. The hybrid tool, HOL–MDG, is based on an embedding in HOL of the grammar of the hardware modeling language, MDG-HDL, as well as an embedding of the first-order temporal logic $L_{mdg}$ used to express properties for the MDG model checker. Verification with the hybrid tool is faster and more tractable than using either tools separately. We hence obtain the advantages of both verification paradigms.

Keywords: Multiway decision graphs (MDG); Higher-order logic (HOL)

1. Introduction

Hybrid verification approaches that link interactive proof tools with automated (e.g. BDD based) proof tools are now common. Such links gain the automation of the BDD tools instead of, for example, using the interactive tool to manage the proof. Whilst abstraction can be dealt with by the interactive tool, it is advantageous if it could also be dealt with by the automated tool. In this paper, we describe a hybrid tool that does this. It combines the HOL theorem prover [1] and the MDG model checker [2]. HOL (higher-order logic) is an interactive theorem prover based on higher-order logic. The MDG (multiway decision graphs) system is a decision diagram-based verification tool for abstract state machines (ASM) verification encoded by multiway decision graphs [3]. The latter extend reduced-ordered binary decision diagrams (ROBDD) [4] with abstract datatypes and uninterpreted function symbols. It is this feature that allows abstract designs to be verified automatically using MDG, rather than needing to do such proof wholly in the theorem prover HOL. The down side of this abstraction facility is that in some cases the state reachability algorithm may not terminate [5]. This is due to the fact that edges may be labeled by terms that are arbitrarily large and hence arbitrarily many. In a pure system for this rare case, the user would have to use one of many heuristics provided in [5,6]. The proposed hybrid tool gives ways to overcome the problem.

There has been a great deal of effort combining model checking tools with proof systems. Similar work to ours, though based on binary decision diagrams rather than multiway ones, includes Rajan et al.’s [7] integration of a propositional $\mu$-calculus model checker with PVS, and Schneider and Hoffmann [8] who linked the CTL model checker SMV to HOL. Gordon [9] took a different approach with the BuDDy BDD package, providing a secure and general programming infrastructure to allow users to implement their own BDD-based verification algorithms integrated within the HOL system rather than tools being linked externally. Sugar2.0 [10] has also been embedded in HOL in order to prove meta-theorems. Sugar provides ways to specify properties for both simulation and formal verification, providing the users with an interface to combine both theorem proving and model checking, with
simulation techniques. Forte [11], based on the work of Aagaard et al. [12] is one of the maturest formal verification environments based on tool integration including simulation. It has been used in large-scale industrial verification projects at Intel. Its power comes from the very tight integration of the two provers, using a single functional language, as both the theorem prover’s meta-language and its object language.

The tool described here extends the capabilities of an earlier HOL–MDG tool and methodology [13,14] for hierarchical hardware verification. The main contribution of the current work is that our hybrid tool supports the abstract datatypes of MDG in addition to concrete (enumeration/Boolean) sorts in [14,13]. This allows abstract designs to be passed from HOL to MDG for verification. This allows, for example, larger data paths to be dealt with automatically than with a BDD-based linkage. In particular, we extended a previous HOL formalization of the MDG modeling language, MDG-HDL [15]. We also implemented an interface that automatically supports the communication between the MDG and HOL tools. It generates the necessary MDG files from the HOL files, passing them to the model checker, takes back the MDG results, interprets them, and finally submits them to HOL in an appropriate form (see Fig. 1).

The tool supports both equivalence checking and model checking of abstract designs: a further extension of the original hybrid tool. This involved embedding the MDG temporal property specification language, L_mdg in HOL. An additional novel aspect is the explicit support of model reduction in HOL based on the natural design hierarchy and the specification being verified.

The rest of the paper is organized as follows. Section 2 describes the embedding of MDG-HDL language and the L_mdg. In Section 3, we present the proposed hybrid verification procedure. Section 4 describes the internal structure of the hybrid tool. In Section 5, we display some sample experimental results. Finally, Section 6 concludes the paper.

2. Embedding MDG specification languages in HOL

2.1. MDG-HDL

The MDG tools accepts model descriptions in a Prolog-style HDL (hardware description language) called MDG-HDL [16]. MDG-HDL models are then compiled into ASM, which are encoded using internal MDG data structures.

The syntax used in MDG-HDL is based on an ordinary many-sorted first-order logic. The vocabulary consists of sorts, constants, variables and function symbols, with a distinction between abstract and concrete sorts. Concrete sorts have an enumeration while abstract sorts do not. This enumeration represents a set of distinct constants of one defined sort. These constants are referred to as individual constants. It is possible to define a constant for an abstract sort, referred to as generic constants. The distinction between abstract and concrete sorts leads to a distinction between three kinds of function symbols. Let \( f \) be a function symbol of type \( z_1 \times z_2 \times \cdots \times z_n \rightarrow z_{n+1} \). If \( z_{n+1} \) is an abstract sort, then \( f \) is an abstract function symbol. If all the \( z_1 \ldots z_{n+1} \) are concrete, then \( f \) is a concrete function symbol. If \( z_{n+1} \) is concrete while at least one of the \( z_1 \ldots z_n \) is abstract, then \( f \) is referred to as a cross-operator. Concrete function symbols must have an explicit definition, since they are eliminated before computing the MDG, while abstract function symbols and cross-operators are uninterpreted. This means implementation models can include abstract features such as n-bit words, and abstract functions.

MDG-HDL supports structural descriptions, behavioral ASM descriptions, or a mixture of both. As part of the MDG software package, the user is provided with a large set of pre-defined modules such as logic gates, multiplexers, registers, bus drivers, etc. Besides the logic gates which only use Boolean signals, the other components allow signals with both concrete and abstract types. Moreover, a special table structure is defined. Tables can be used to describe functional blocks in both implementations and specifications. A table is similar to a truth table. It has as entry values first-order terms in the rows. It is composed of a list of rows which define a list of inputs values and their corresponding output. A default value of the output is defined if the inputs sequence given does not fit the defined rows.

The table structure as well as the MDG components library have been embedded previously in HOL [17]. Since the grammar of the language itself was not embedded, the differentiation between various terms (abstract and concrete) was not previously possible. We overcome this limitation in the current work.

Embedding: To embed the grammar of the MDG-HDL language in HOL, it is necessary to cover the syntax of the subset of many sorted first-order logic used by MDG. In HOL, we define an abstract sort to be of type \( z \rightarrow \text{string} \) as seen in the definition below. The second parameter in this definition is specified mainly to permit the user to impose a specific abstract sort like \( \text{word5} \) or \( \text{word10} \), rather than the default abstract MDG sort \( \text{wordn} \) (used for n-bit words).

\[
\text{MDG_sort} = \begin{cases} \text{ABSTRACT of } 'a \Rightarrow \text{string} \\ \text{CONCRETE of } \text{string} \Rightarrow \text{string list} \end{cases}
\]

Predicates that specify which kind of sort we are dealing with are also defined.
Functions, MDG_Fun, are specified by their input list and their output. For MDG, a function has a unique output.

\[
\text{MDG}_\text{Fun} = \text{MDG}_\text{FUN} \text{ of } \text{string} =>
\]
\[
(\text{\textquote{a MDG\_VAR} list} => (\text{\textquote{a MDG\_VAR})}
\]

Since the domain of the function is a list of variables, to determine if the function is abstract, we test if both inputs and output are of abstract sort. So, we define a predicate to determine recursively if the list is composed of abstract variables. The test is first done on \(h\), the head of the list, and it is repeated recursively on \(tl\), the tail of the list, until reaching the empty list.

\[
\begin{align*}
\text{AbstractVarList}(h::tl) = \\
(\text{IsAbstractVar} h) \land \\
(\text{AbstractVarList} tl) \land \\
(\text{AbstractVarList} [] = \text{T})
\end{align*}
\]

Thereafter, a function is abstract if both its domain and range are abstract:

\[
\begin{align*}
\text{AbstractFunc} (\text{MDG\_FUN} \text{ nm InputVarList OutVar}) = \\
(\text{AbstractVarList InputVarList}) \land \\
(\text{IsAbstractVariable OutVar})
\end{align*}
\]

After defining all the different elements of the MDG vocabulary, we can define the different kinds of MDG terms. An MDG_term is either:

- a concrete constant, CONC_Const, one of the concrete sort enumeration;
- a generic constant, GEN_Const, a constant defined for an abstract sort;
- a variable, VAR_Term, either from a concrete sort or an abstract sort;
- a function, FN_Term, from the MDG_Fun HOL datatype defined above or
- a composed term.

The latter is created using the constructor TERM. It takes as argument a defined MDG_Term and returns a new MDG_Term.

\[
\begin{align*}
\text{MDG\_term} = \text{GEN\_Const of } \text{\textquote{a} Const of string} \\
\mid \text{CONC\_Const of MDG\_VAR} \\
\mid \text{VAR\_Term of MDG\_VAR} \\
\mid \text{FN\_Term of MDG\_Fun} \\
\mid \text{TERM of MDG\_term} => \text{MDG\_term}
\end{align*}
\]

Based on the embedding of the MDG-HDL grammar, an MDG table entry, called Table_Val is defined as follows:

\[
\begin{align*}
\text{Table\_Val} = \text{TABLE\_VAL of } \text{\textquote{a MDG\_term} \mid \text{DONT\_CARE}}
\end{align*}
\]

A function that returns back the value of a table entry is also defined:

\[
\begin{align*}
\text{TableVal\_to\_Val} = \\
(\text{TableVal\_to\_Val} (\text{TABLE\_VAL}(v:\text{\textquote{a MDG\_term}})) = v)
\end{align*}
\]

The above HOL definition specifies a new HOL datatype Table_Val, which has two constructors: TABLE_VAL and DONT_CARE. The latter can take any type. Curzon et al. [17] defined the matching of input values to table values. A match occurs if either the table value is don’t-care, or the value on the input is identical to the table value. This property must hold for each table entry. It is defined recursively by the function table_match.

\[
\begin{align*}
\text{table_match inputs [ ] (t\text{:num}) =} \\
\land (\text{table_match inputs (CONS v vs) t}) = \\
(\text{(HD(inputs) t)} = \\
(\text{TableVal\_to\_Val (v:\text{\textquote{a Table\_Val}}))} \\
\lor (v = \text{DONT\_CARE}) \\
\land (\text{table_match (TL inputs) vs t})
\end{align*}
\]

Next, we give the definition table stating that the Table_match test is first done on the first element in the input list. If there is a match on a given row, the output has the corresponding value. Otherwise it is repeated on the rest of the list until reaching the empty list. If there is no match, the output of the considered entry will be assigned the default value.

\[
\begin{align*}
\text{table inps (out\text{:num} --> b) [ ]:Table\_Val list) =} \\
\text{V\_out default t =} \\
\land (\text{table inps out (CONS v vs) V\_out default t}) = \\
(\text{(Table_match inps v t)} => \\
(\text{(out t = (HD V\_out))}) \\
\lor (\text{table inps out vs (TL V\_out) default t}))
\end{align*}
\]

A given table will relate a given input to a given output, if the table relation is true at all times:

\[
\begin{align*}
\forall \text{table inps out:Table\_Val list) list} \\
\text{V\_out default =} \\
\forall t. \text{table inps out V\_outs V\_out default t}
\end{align*}
\]

Finally, note that the outputs of the table are always considered as signals, which explains their definition according to the time \(t\).

In summary, we have semantically embedded the full version of the MDG hardware description language, MDG-HDL, supporting abstract variables and uninterpreted functions in HOL. All redefined modules, such as logic gates, registers, multiplexers, etc., have been defined in HOL and verified against behavioral specifications in
terms of tables. This provides the basis of a trusted integration of HOL and MDG. MDG hardware descriptions can be written directly in HOL via the developed embedding.

2.2. $\mathcal{L}_{\text{mdg}}$

$\mathcal{L}_{\text{mdg}}$ [18] is the properties specification language of the MDG model checker. It is a subset of first-order linear time logic, which supports abstract data sorts and uninterpreted functions.

The properties allowed in $\mathcal{L}_{\text{mdg}}$ can have the following templates:

Property:

- Next_Let_Formula
- G(Next_Let_Formula)
- F(Next_Let_Formula)
- U(Next_Let_Formula)
- (Next_Let_Formula) U (Next_Let_Formula)

G, F, and U are the standard linear time logic operators: for all time, at some time, and until, respectively. A Next_Let_Formula is defined as:

- each atomic formula is a Next_Let_Formula,
- if $p$ and $q$ are Next_Let_Formulas, then so are: $\neg p$ (not $p$), $p \land q$ ($p$ and $q$), $p \lor q$ ($p$ or $q$), $p \rightarrow q$ ($p$ implies $q$), $Xp$ ($p$ holds in the next state), and $\text{LET} (v = t) IN p$ where $t$ is an ASM_variable (input, state or output variable) and $v$ an ordinary variable.

A path $p$ is a sequence of states. We use $\pi_i$ to denote a path starting from $s_i$, where $s_i$ denotes the $i$th state in $\pi$. All formulas in $\mathcal{L}_{\text{mdg}}$ are path formulas. We write $(\pi, \sigma) \vdash p$ to mean that a path formula $p$ is true at path $\pi$ under a $\psi$-compatible assignment $\sigma$ to the ordinary variables. We use $\text{Val}_{\psi}(v)$ to denote the value of term $v$ under a $\psi$-compatible assignment $\sigma$ to state variables, input variables, and output variables, and a $\psi$-compatible assignment $\sigma$ to the ordinary variables. The $\vdash$ is inductively defined as follows [18]:

$$\begin{align*}
\pi, \sigma & \vdash v_1 = v_2 \text{ iff } \text{Val}_{\psi}(v_1) = \text{Val}_{\psi}(v_2) \\
\pi, \sigma & \vdash \text{LET} (v_1 = v_2) \text{ IN } p \text{ iff } \pi, \sigma' \vdash p \text{ where } \\
\pi, \sigma & \vdash \neg p \text{ iff it is not the case that } \pi, \sigma \vdash p. \\
\pi, \sigma & \vdash p \land q \text{ iff } \pi, \sigma \vdash p \text{ and } \pi, \sigma \vdash q. \\
\pi, \sigma & \vdash p \lor q \text{ iff } \pi, \sigma \vdash p \text{ or } \pi, \sigma \vdash q. \\
\pi, \sigma & \vdash p \rightarrow q \text{ iff } \pi, \sigma \vdash p \text{ or } \pi, \sigma \vdash q. \\
\pi, \sigma & \vdash Gp \text{ iff } \pi_i, \sigma \vdash p \text{ for all } j \geq 0. \\
\pi, \sigma & \vdash Fp \text{ iff } \pi_i, \sigma \vdash p \text{ for some } j \geq 0. \\
\pi, \sigma & \vdash Xp \text{ iff } \pi_i, \sigma \vdash p. \\
\pi, \sigma & \vdash qUp \text{ iff for some } k \geq 0, \pi_k, \sigma \vdash q, \text{ and } \\
\pi, \sigma & \vdash p \text{ for all } j (0 \leq j \leq k). 
\end{align*}$$

Embedding: In our HOL embedding of $\mathcal{L}_{\text{mdg}}$, we consider that each logical proposition (property) $p$ is a function of the path, expressed here by $s$, and the current state. The path can be formulated as a history function keeping trace of the states, where the property holds. For instance, the HOL definition of the G operator is defined as follows:

$$\begin{align*}
\vdash_{\text{def}} \text{LMDG}_G p \ s = \forall t. p \ s t \\
\vdash_{\text{def}} \text{LMDG}_F p \ s t = \exists t. p \ s t \\
\vdash_{\text{def}} \text{LMDG}_X p \ s t = p \ s (s+t) \\
\vdash_{\text{def}} \text{LMDG}_U p q s = \exists t. (p \ s t \land (\forall t_1. t_1 < t \rightarrow q \ s t)) \\
\vdash_{\text{def}} \text{LMDG}_L (v_1,v_2) p \ s t = (\lambda v_1. p \ s t) \Rightarrow (\lambda v_2. p \ s t) \\
\vdash_{\text{def}} \text{LMDG}_\land p \ s t = p \ s t \land q \ s t \\
\vdash_{\text{def}} \text{LMDG}_\lor p \ s t = p \ s t \lor q \ s t \\
\vdash_{\text{def}} \text{LMDG}_C p q s t = \neg (p \ s t) \lor q \ s t \\
\end{align*}$$

In addition, let, negation, disjunction, conjunction, and implication of predicates are defined as functions of path formulas $p$ and $q$, as follows:

$$\begin{align*}
\vdash_{\text{def}} \text{LMDG}_L (v_1,v_2) p \ s t = (\lambda v_1. p \ s t) \Rightarrow (\lambda v_2. p \ s t) \\
\vdash_{\text{def}} \text{LMDG}_\land p \ s t = p \ s t \land q \ s t \\
\vdash_{\text{def}} \text{LMDG}_\lor p \ s t = p \ s t \lor q \ s t \\
\vdash_{\text{def}} \text{LMDG}_C p q s t = \neg (p \ s t) \lor q \ s t \\
\end{align*}$$

In summary, we have semantically embedded the property specification language of MDG in HOL. $\mathcal{L}_{\text{mdg}}$ specifications can be written directly in the theorem prover using the embedding. This opens the way for writing MDG style model checking goals in HOL, proving them using HOL or MDG.

3. Hybrid verification with HOL–MDG

The hybrid tool developed consists of an interface integrating the HOL theorem prover and the MDG model checker. During the verification procedure, the user deals mainly with HOL. As shown in Fig. 2, the user starts by giving the HOL design model, property specification, and the goal to be proven. The respective MDG files (property specification, design model, symbol order, algebraic specification, and fairness constraints) are generated automatically and sent to the MDG tool for model checking. If the property holds, a HOL theorem is created. This could be used in higher HOL proofs, for example proving theorems about the consequences of the properties. If the verification within the MDG tool fails (due to the property checking to false, non-termination or state
explosion), we have to perform the proof interactively using the theorem prover.

The tool does not accept any arbitrary HOL specification: only MDG-style models and properties using the embedded HOL theories presented. The HOL goal should also be an implication:

\[ \vdash \text{Model} \supset \text{Property}. \]

Since the verification is done in MDG, we need to formalize the (MDG) result in HOL. Therefore, we convert the MDG results into a form that can be used [19]:

\[ \vdash \text{FormalizedMDGresult} \supset \text{Model} \supset \text{Property}. \]

A formalized version of this general conversion theorem into HOL has been proved in HOL [19]. The proved theorem can be instantiated for any design and any property under consideration.

MDG model checking result is converted to a form that can be used in HOL to infer the properties from the design model [19].

Our hybrid tool also supports hierarchical verification, where it is able to extract in HOL the block about which we want to check a property, then generating files of the specific block only. This is achieved by defining the structure “block” in a recursive manner. So, for each block, we are able to determine its subblocks (see Fig. 3). Hence, the model checker deals with the verification of the considered block only, not the whole design. As a result, we save on model size without constraining the user to write another specification for the appropriate block. This idea of program slicing is well-known in the model checking literature [20]. The difference in our work is the fact that the “slices” are extracted while expanding the proof goal by the theorem prover HOL, and based on the definition of the design block. In our approach, it is therefore done formally within HOL rather than informally outside the tool.

4. HOL–MDG hybrid tool structure

Our hybrid tool is written in SML. It is composed of five main modules: the Hybrid Tool Interface, the Property Module, the Description File Module, the HOL Goal Parser Module and the MDG Interaction Module (Fig. 4). The user’s interface [21] to the hybrid tool is a Java GUI. It is responsible for:

1. getting the HOL goal, the property file and the model description file;
2. passing the files to HOL;

![Fig. 2. Verification procedure with the hybrid tool.](image_url)

Figure 2 shows the verification procedure with the hybrid tool.

![Fig. 3. Block extraction.](image_url)

Figure 3 illustrates block extraction.
3. loading the $L_{mdg}$ and MDG-HDL theories; and
4. communicating the result to the user at the end of the verification process.

The user thus sees the hybrid tool as an integrated system but one that is more powerful than MDG alone. In the second module, the Property Parser generates as output a data structure from which the MDG File Generator produces the MDG property file, and the Property Type Generator provides the property type. The latter contains information about the type of property submitted to the tool, according to which, it calls the appropriate property checking algorithm. The Description File Module flattens the specification by removing hierarchy.

When parsing the goal, we obtain the name of the property and the block to check. The latter can be either the main module in the model description or one of its submodules. If the specification is written in a hierarchical way, it is possible to extract the target module, and its submodules, discarding the others. The Block Extraction Module achieves this task. In the next step, the corresponding MDG files are generated, including:

- MDG model and MDG property files;
- an algebraic file containing sorts, functions, and rewriting rules;
- an order file, giving a total order of variables and function symbols, and eventually
- fairness files, each describing an imposed fairness constraint.

The MDG file generation is done automatically. The HOL specification file contains two main parts. The first is dedicated to the definition of the different sorts, functions, and MDG terms used. The second is dedicated to the tables definitions. Using a syntactical analysis of the submitted HOL files, our tool extracts the useful information from
them to generate the MDG files in the appropriate MDG-HDL syntax.

Before proceeding with the model checking operation, the MDG tool has to encode the MDG-HDL syntax to generate ASMs. Since we wanted the communication between the linked tools to be automatic, we implemented a special module, called *ASM Generation Interface* that implicitly executes the appropriate MDG instructions. The *MDG Interaction Module* does the communication with MDG. It takes all the generated MDG files, the property type and the fairness number. The latter are provided by the property parser module. They indicate, respectively, the number of fairness constraints in the HOL property, if they exist, and their temporal type. All these files are supplied to the MDG tool, which performs the verification process and passes the result to HOL through the *MDG Result Interpreter Module*. If the property holds, a theorem is generated in HOL.

5. Experimental results

We have experimented with our hybrid tool using a number of benchmark designs including the island tunnel controller (ITC) [15] (Fig. 5), which experimental results we report here. The ITC controls the traffic lights at both ends of a tunnel connecting a mainland and island. It was chosen for two reasons. First, its specification contains abstract sorts and functions. It was not possible to express the specification of this example in the tool in [14]. Second, the same example was verified in [6], where the authors faced a problem of non-termination in the island counter module. The hybrid tool offers the solution of doing a hybrid verification, such that the subblocks causing the non-termination problem are verified within the HOL theorem prover interactively, while those which do not are verified within the MDG model checker.

The input specifications for the ITC were written in HOL, using the HOL MDG-HDL theory [15]. It is composed of a term declaration of the MDG part, the different table specifications and the main modules. The specification is written in a hierarchical way. Each component is represented by the conjunction of its tables. The whole system therefore is the conjunction of the five mentioned blocks.

Experimental results on the verification of a set of properties are given in Table 1. It gives CPU time, memory, MDG nodes, number of components, and number of signals needed for the verification of the properties. The results show that the hybrid tool is able to handle complex specifications and provides a good trade-off between verification time and memory usage.

<table>
<thead>
<tr>
<th>Property</th>
<th>CPU (s)</th>
<th>Memory (MB)</th>
<th>MDG Nodes</th>
<th># Components</th>
<th># Signals</th>
</tr>
</thead>
<tbody>
<tr>
<td>Property 1</td>
<td>0.32</td>
<td>0.66</td>
<td>318</td>
<td>18</td>
<td>32</td>
</tr>
<tr>
<td>Property 2</td>
<td>0.36</td>
<td>0.77</td>
<td>313</td>
<td>13</td>
<td>31</td>
</tr>
<tr>
<td>Property 3</td>
<td>0.41</td>
<td>0.73</td>
<td>401</td>
<td>16</td>
<td>34</td>
</tr>
<tr>
<td>Property 4</td>
<td>1.12</td>
<td>1.91</td>
<td>1266</td>
<td>13</td>
<td>29</td>
</tr>
<tr>
<td>Property 5</td>
<td>0.91</td>
<td>1.26</td>
<td>1027</td>
<td>10</td>
<td>26</td>
</tr>
<tr>
<td>Property 6</td>
<td>0.93</td>
<td>1.77</td>
<td>1166</td>
<td>13</td>
<td>29</td>
</tr>
<tr>
<td>Property 7</td>
<td>1.15</td>
<td>1.39</td>
<td>11002</td>
<td>16</td>
<td>33</td>
</tr>
<tr>
<td>Property 8</td>
<td>1.15</td>
<td>1.39</td>
<td>11002</td>
<td>16</td>
<td>33</td>
</tr>
<tr>
<td>Property 1(*)</td>
<td>0.74</td>
<td>1.38</td>
<td>870</td>
<td>26</td>
<td>62</td>
</tr>
<tr>
<td>Property 3(*)</td>
<td>0.87</td>
<td>1.46</td>
<td>1027</td>
<td>26</td>
<td>62</td>
</tr>
</tbody>
</table>

Fig. 5. Island tunnel controller.
verification memory usage and number of MDG nodes generated as well as the number of components and signals of the reduced (extracted) design model effectively used for model checking in MDG. It is clear that verification is much faster than doing the proof interactively with HOL. At the bottom of Table 1, we give the example experimental results of checking Properties 1 and Properties 3 without block extraction done in the theorem prover side, i.e. on the whole model. We can clearly see that the CPU time and memory consumption were decreased by more than half in the former case, which is due to the block extraction. The results here are similar to those in [2], where only the MDG tool is used on the full model. This fact proves that our hybrid tool achieves the verification without obstructing the model checker.

6. Conclusions

In this paper, we presented a hybrid verification approach and tool integrating the HOL theorem prover and the MDG model checker. In an earlier HOL–MDG tool, where HOL and the MDG equivalence checker were linked, neither abstract data sorts nor abstract functions were supported. The main contribution of our work is the extension of this tool to handle these main features of MDG compared to BDD-based model checkers as with other tools. For this purpose, we embedded in HOL the grammar of the MDG input languages \( \mathcal{L}_{\text{mdg}} \) and MDG-HDL. Next, we provided a new link between HOL and the MDG model checker. Our system handles abstraction for model checking and equivalence checking. Furthermore, it directly supports hierarchical proof to be conducted saving verification time and memory usage. It also provides a way of overcoming the non-termination problem of MDG. The tool has been tested on several examples, including the ITC ties 3 without block extraction done in the theorem prover. Experimental results of checking Properties 1 and Properties 3 are similar to those in [2].

References