9

Efficient CTL* Model Checking for Analysis of Rainbow Designs

W. Visser, H. Barringer, D. Fellows, G. Gough, A. Williams
Department of Computer Science
University of Manchester, Manchester M13 9PL, UK
phone: +44 (0) 161-275-6248
fax: +44 (0) 161-275-6211
email:

Abstract

We describe an efficient implementation of a CTL* model-checking algorithm based on alternating automata. We use this to check properties of an asynchronous micropipeline design described in the Rainbow framework, which operates at the micropipeline level and leads to compact models of the hardware. We also use alternating automata to characterise the expressive power and model-checking complexity for sub-logics of CTL*.

Keywords: CTL* model-checking, alternating automata, asynchronous hardware micropipeline design.

1 INTRODUCTION

There is renewed interest in asynchronous hardware design, in particular at the VLSI chip level (Birtwistle & Davis 1995, Asy 1997), as an alternative to the (globally clocked) synchronous approach which has dominated the recent past. The asynchronous approach potentially offers low-power, high speed design, which is becoming increasingly difficult with synchronous systems for the sizes of design possible due to the advances in processing technology. This new interest has coincided with the emergence of new asynchronous design methodologies, in particular Sutherland's (1989) Micropipeline technique. This has been used successfully to develop significant designs, including asynchronous versions of the ARM microprocessor (Furber 1995, Furber et al. 1997) developed by the AMULET Group at the University of Manchester. However, designers are hampered by the current lack of suitable specialised design representations for asynchronous systems, and support or analysis tools for checking properties such as equivalence or deadlock-freedom, the latter being of particular concern to the asynchronous design community.

We have developed the Rainbow asynchronous design framework (Barringer et al. 1996, Barringer et al. 1997) as a means of giving compact abstract descriptions of micropipeline designs. From these, we can generate state-based models for analysis using automated model-checking tools. Of course, model-checking suffers in general

© IFIP 1997. Published by Chapman & Hall