Specifying and Verifying Systems with Multiple Clocks*

Edmund M. Clarke, Daniel Kroening, and Karen Yorav
Computer Science Department, Carnegie Mellon University
e-mail: emc,kroening,kareny@cs.cmu.edu

* This research was supported by the National Science Foundation (NSF) under grants no. CCR-0121547 and CCR-0098072, by the Army Research Office (ARO) under contract no. DAAD19-01-1-0485, by the Office of Naval Research (ONR), the Naval Research Laboratory (NRL) under contract no. N00014-01-1-0796, by the Semiconductor Research Corporation (SRC) under contract no. 99-TJ-684. The views and conclusions in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of ARO, ONR, NRL, NSF, SRC, the U.S. Government or any other entity.

Abstract

Multiple clock domains are a challenge for hardware specification and verification. We present a method for specifying the relations between multiple clocks, and for modeling the possible behaviors. We can then verify a hardware design assuming that the clocks meet these constraints. We implement our ideas in the context of SAT-based Bounded Model Checking (BMC), using ANSI-C programs to specify the functional behavior of the design.

1 Introduction

Formal methods have become indispensable in designing hardware systems. The ability of formal methods, and in particular model checking, to check large systems has increased dramatically in the past few years. The presence of multiple clock domains in a hardware design adds additional complexity that makes formal methods even more desirable. At the same time, the specification of multiple clock domains is a challenge. Typically, high level specification languages such as SystemC [10] require the users to generate the clocks themselves. Commercial model checkers available today will either require the user to generate the clocks, or not support multiple clock domains at all.

The behavior of designs with multiple clocks often depends on specific properties of these clock signals. As a trivial example, consider a simple parallelizer, i.e., a circuit that takes as input a serial signal from one clock domain, A, and outputs it in eight bit packets in the other clock domain, B. This design will fail if the clock of domain A is faster than eight times the clock of domain B. Thus, without constraints that represent relationships between clocks, any verification effort is bound to fail.

We present a way to specify complex relationships between two or more clocks, including constraints on the frequency of the clocks. The clock specifications can be loose, allowing many different clocking schemes rather than a specific relationship between clocks. We then show how to model these specifications, so that the system can be verified under the specified constraints, using any type of formal verification technique. We do this by adding a special purpose state machine that determines the behaviors of the clocks. This machine is non-deterministic, which allows us to model different clocking schemes at the same time. A counterexample, if found, will contain the full timing information for a particular clocking scheme causing this error.

We have implemented our ideas in the context of Bounded Model Checking (BMC). In BMC, the transition relation for a complex state machine and its specification are jointly unwound to obtain a Boolean formula, which is then checked for satisfiability using a SAT procedure such as Chaff [8]. If the formula is satisfiable, a counterexample is extracted from the output of the SAT procedure. If the formula is not satisfiable, the state machine and its specification are unwound more to determine if a longer counterexample exists. This process terminates when the length of the potential counterexample exceeds its completeness threshold (i.e., is sufficiently long to ensure that no counterexample exists [7]) or when the SAT procedure exceeds its time or memory bounds. BMC has been successfully used to find subtle errors in very large circuits [12, 6, 3].

Our tool uses BMC to verify Verilog designs against specifications written in ANSI-C [5]. When a new device is designed, a "golden model" is often written in a programming language such as ANSI-C. This model is extensively simulated to ensure both correct functionality and performance and later on implemented in a hardware description language such as Verilog. It is essential to determine that the C and Verilog programs are consistent. We extend the tool of [5] with the results presented here. We translate clock
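The parallelizer from the introduction, together with the non-deterministic clock-scheduling machine that constrains it, can be made concrete with a small explicit-state search. The Python below is an added illustration, not the authors' tool (which unwinds the transition relation into a SAT instance). It models the two clocks as a scheduler that, in each global step, non-deterministically lets A, B, or both have an edge, subject to a constructed constraint "at most max_ratio A edges between consecutive B edges", and it explores every schedule up to a step bound, the way BMC explores every path up to its unwinding bound. The parallelizer model (an 8-bit accumulator plus an output register, with B sampling before A shifts when both edges fall in one step), the constraint counter, and all names are assumptions made for this example.

```python
from collections import deque
from typing import List, Optional, Tuple

# Constructed model for this example: clocks A and B are independent, so in one
# global step either clock may have an edge, or both may. Each global step is a
# nonempty subset of {A, B}.
TICK_CHOICES: List[Tuple[bool, bool]] = [(True, False), (False, True), (True, True)]

PACKET_BITS = 8  # the parallelizer collects serial bits into 8-bit packets

# Product state of scheduler and parallelizer: (acc, out_valid, since_b)
#   acc       - bits currently in the A-domain accumulator (0..PACKET_BITS-1)
#   out_valid - output register holds a completed packet that B has not read yet
#   since_b   - A edges seen since the last B edge (the scheduler's own counter)
State = Tuple[int, bool, int]
INITIAL: State = (0, False, 0)


def step(state: State, a_ticks: bool, b_ticks: bool,
         max_ratio: int) -> Optional[Tuple[State, bool]]:
    """Execute one global step.

    Returns (next_state, packet_lost), or None when the clock constraint
    'at most max_ratio A edges between consecutive B edges' rules the
    chosen combination of edges out.
    """
    acc, out_valid, since_b = state
    packet_lost = False
    # Assumed ordering when both clocks have an edge in the same step:
    # B samples the output register first, then A shifts in the next bit.
    if b_ticks:
        out_valid = False  # B consumes whatever packet is waiting
        since_b = 0
    if a_ticks:
        since_b += 1
        if since_b > max_ratio:
            return None  # scheduler refuses schedules that violate the constraint
        acc += 1
        if acc == PACKET_BITS:
            # Packet complete: latch it into the output register.
            if out_valid:
                packet_lost = True  # previous packet overwritten before B read it
            out_valid = True
            acc = 0
    return (acc, out_valid, since_b), packet_lost


def bounded_check(max_ratio: int, bound: int) -> Optional[List[str]]:
    """Explore every clock schedule of up to `bound` global steps.

    Breadth-first search over the product automaton plays the role that
    unwinding the transition relation plays in BMC. The result is the shortest
    schedule (one label per step: 'A', 'B' or 'AB') that loses a packet, or
    None if no schedule within the bound does.
    """
    frontier = deque([(INITIAL, [])])
    seen = {INITIAL}
    while frontier:
        state, trace = frontier.popleft()
        if len(trace) == bound:
            continue
        for a_ticks, b_ticks in TICK_CHOICES:
            result = step(state, a_ticks, b_ticks, max_ratio)
            if result is None:
                continue
            nxt, packet_lost = result
            label = ("A" if a_ticks else "") + ("B" if b_ticks else "")
            if packet_lost:
                return trace + [label]  # counterexample with full timing information
            if nxt not in seen:
                seen.add(nxt)
                frontier.append((nxt, trace + [label]))
    return None


if __name__ == "__main__":
    for ratio in (8, 9):
        cex = bounded_check(ratio, bound=40)
        print(f"A at most {ratio}x faster than B:",
              "no packet lost" if cex is None else " ".join(cex))
```

With max_ratio 8 the search finds no schedule that loses a packet. With max_ratio 9 it returns a 16-step schedule in which B's last edge before the second packet completes falls in the same step as the edge that completes the first packet, so the output register is overwritten before B ever samples it; that trace is the counterexample "with the full timing information for a particular clocking scheme" the text describes. Because the product state space is finite (at most 8 * 2 * (max_ratio + 1) states), a search that exhausts it is complete, which is the explicit-state analogue of reaching the completeness threshold.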