A Formal Verication Method of Scheduling in High-level Synthesis

C Karfa C Mandal D Sarkar S R Pentakota

Department of Computer Sc & Engg
Indian Institute of Technology, Kharagpur
WB 721302, INDIA
ckarfa, chitta, [email protected], [email protected]
Chris Reade
Kingston Business School
Kingston University
England KT2 7LB, UK
[email protected]
Abstract
This paper describes a formal method for checking the
equivalence between the nite state machine with data path
(FSMD) model of the high-level behavioural specication
and the FSMD model of the behaviour transformed by the
scheduler. The method consists in introducing cutpoints in
one FSMD, visualizing its computations as concatenation
of paths from cutpoints to cutpoints and nally, identifying
equivalent nite path segments in the other FSMD; the pro-
cess is then repeated with the FSMDs interchanged. The
method is strong enough to accommodate merging of the
segments in the original behaviour by the typical scheduler
such as DLS, a feature very common in scheduling but not
captured by many works reported in the literature. It also
handles arithmetic transformations.
1 Introduction
High-level synthesis is the process of generating the reg-
ister transfer level (RTL) design from the behavioural de-
scription. The synthesis process consists of several in-
ter dependent sub-tasks such as, specication, compila-
tion, scheduling, allocation and binding. The operations in
the behavioural description are assigned time steps through
scheduling process. Input to the scheduling phase is control
data ow graph (CDFG)[4]. While a CDFG is better suited
for the scheduling algorithms, an FSMD is a more appro-
priate model for verication. In fact, we construct FSMD
automatically from a given input CDFG to the scheduler.
In the process of scheduling, operations are often moved
across basic block boundaries so that an optimization may
be incorporated. In general several transformations may be
made to improve the performance of the design. For ex-
ample, path based scheduling techniques [10] perform sev-
eral such non-trivial path based transformations. Hence,
it is important to ensure that the scheduling process pre-
serves the behaviour of the original specication, irrespec-
tive of the scheduling technique that is used. The objective
of this work is to check that the behaviours before and after
scheduling, as represented by FSMDs, are computationally
equivalent.
Methods to verify the high-level synthesis results against
the original behavioural description are still evolving [7]. A
formal synthesis system called FRESH was built and a new
technique for verication was proposed. In this method the
input behaviour is described by using equational specica-
tion (ES) and a set of derivation rules is applied consecu-
tively on the ES. An automatic verication of scheduling
by using symbolic simulation of labeled segments of be-
havioural description has been proposed in [1]. The method
described in this paper transforms the original description
into one which is bisimilar with the scheduled description.
In the approach proposed in [7], break-points are introduced
in both the FSMDs followed by construction of the respec-
tive path sets. Each path of one set is then shown to be
equivalent to some path of the other set. This approach ne-
cessitates that the path structure of the input FSMD is not
disturbed by the scheduling algorithm in the sense that the
respective path sets obtained from the break points are as-
sumed to be bijective. These approaches are likely to fail
for the path based scheduling algorithms [10], [6] where
path structures get changed by the scheduler.
In this paper, we propose a scheduling verication
method which is strong enough to work even when the ba-
sic path structure is changed by the scheduler. This method
formally establishes equivalence between the FSMDs be-
fore and after scheduling. The method is so devised that
construction of the path set P
0
of one FSMD M
0
(say), so
that any computation of M
0
can be captured by concatena-
tion of the members of P
0
, construction of the path set P
1
of the other FSMD M
1
equivalent to those of P
0
proceed
hand-in-hand. The verication steps of our method are il-
lustrated using the MODN(A.B mod N) example. This is
a non-trivial example where the scheduler changes the path
structure of the the input FSMD signicantly.
This paper is organized as follows. In section 2, the nec-
Proceedings of the 7th International Symposium on Quality Electronic Design (ISQED06)
0-7695-2523-7/06 $20.00 2006 IEEE
essary formalism is developed and the correctness problem
is encoded. The method is described in section 3. An ex-
ample has been treated in section 4 in detail to illustrate the
working of the algorithm. Some experimental results have
been given in section 5. The paper is concluded in section
6.
2 Problem Encoding
2.1 Finite State Machine with Data Path
An FSMD (nite state machine with data-path) is a uni-
versal specication model, proposed by Gajski in [3], that
can represent all hardware designs. The model is used in
the present work with the addition of a reset state, for en-
coding the specication and implementation of the circuit
to be veried. This reset state is also called the start state of
the FSMD. The FSMD is formally described below.
Denition 1 The FSMD is dened as an ordered tuple
'Q, q
0
, I,V, O, f , h`, where
1. Q=q
0
, q
1
, q
2
, . . . q
n
is the nite set of control states,
2. q
0
Q is the reset state,
3. I is the set of primary input signals and
I
is the input
alphabet,
4. V is the set of storage variables and is the set of all
data storage states or simply, data states,
5. O is the set of primary output signals and
O
is the
output alphabet,
6. f : QS Q, is the state transition function and
7. h : QS U, is the update function of the output and
the storage variables, where U and S are as dened
below.
(a) U = x e[x OV and e E represents
a set of storage or output assignments, where
E = g(x, y, z, . . .) [x, y, z, . . . I V represents
a set of arithmetic expressions over the set I V
of input and storage variables,
(b) S = R(a, b)[a, b E and R is any arithmetic re-
lation represents a set of status signals as arith-
metic relations between two expressions from the
set E.
Since, state transitions and updates have been represented
as functions, an FSMD model is inherently deterministic. It
may be noted that we have not introduced nal states in the
FSMD model. This is because we assume that the systems
work in an innite outer loop.
/
/s 0, a A, b B, n N, i 0
s n/s s n
!i 15/sout s
i i +1
/a a2, b b/2
s s +a
!s n/
i 15 & !b % 2 = 1
i 15 & b % 2 = 1/
a n/a an
!a n/
q
00
q
01
q
02
q
03
q
04 q
0e
Figure 1. FSMD of MODN before scheduling
A path from q
i
to q
j
, where q
i
, q
j
Q, is a nite tran-
sition sequence of states of the form 'q
i
= q
1
c
1
q
2
c
2
,
. . . ,

c
n1
q
n
= q
j
` such that l, 1 l n 1, c
l
S such
that f (q
l
, c
l
) = q
l+1
, and q
k
, 1 k n1, are all distinct.
The state q
n
may be identical to q
1
.
The condition of execution of the path =
'q
l
0

c
0
q
l
1

c
1
q
l
2
. . .

c
k1
q
l
k
`, R

, is a logical ex-
pression over the variables in V such that R

is satised by
the (initial) data state at q
l
0
iff the path is traversed.
We assume that inputs and outputs occur through named
ports. The i
th
input from port P is a value represented as P
i
.
Thus if some variable v stores input from port P (for the i
th
time along a path), it is equivalent to the assignment v P
i
.
The output of an expression e to a port P is represented as
OUT(P, e) and put as a member of a list preserved for each
path. The data transformation of a path over V, r

, is the
tuple 's

, O

`, where s

is an ordered tuple 'e

i
` of algebraic
expressions over the variables in V and the inputs in I such
that the expression e
i
represents the value of the variable v
i
after the execution of the path in terms of the initial data
state (i.e., the values of the variables at the initial control
state) of the path and the output list O

= [OUT(P
i
1
, e
1
),
OUT(P
i
2
, e
2
), . . .]. For every expression e output to port P
along the path , there is an OUT(P, e) in the list, in the
order in which the outputs occurred.
Computation of the condition of execution R

can be by
backward substitution or by forward substitution. The for-
mer is more easily perceivable and is based on the following
rule: If a predicate c(y) is true after execution of y g(y),
Proceedings of the 7th International Symposium on Quality Electronic Design (ISQED06)
0-7695-2523-7/06 $20.00 2006 IEEE
then the predicate c(g(y)) must have been true before the
execution of the statement [9]. The transformation s

is
found indirectly using the same principle. The forward sub-
stitution method of nding R

is based on symbolic execu-

tion.
Let and be two paths and R

, r

be respectively the
condition of the execution and the data transformation over
; let R

, r

be similarly dened for the path . Then

the condition of execution for the path ( concate-
nated with ) is given by R

(v) R

(s

(v)) and the data

transformation over is 's

(s

(v)), O

(v)O

(s

(v))`,
v represents a vector of values of the variables of I V,
v
f
represents a vector of values of the variables of V.
O

(v)O

(s

(v)) represents the concatenated output list of

O

(v) and O

(s

(v)).
A computation of an FSMD is a nite walk from the re-
set state q
0
back to itself without having any intermediary
occurrence of q
0
. Such a computational semantics of an
FSMD is based on the assumption that a revisit of the reset
state means the beginning of a new computation and each
computation terminates. In other words, the behavioural
representation has a non-terminating outermost loop from
the reset state and each inner loop has a state from which
there is a transition out of the loop.
Any computation c of an FSMDM can be looked upon as
a computation along some concatenated path [
1

3
...
k
]
of M such that the path
1
emanates from and the path

k
terminates in the reset state q
0
of M and
i
, 1 i k,
may not all be distinct. If R

i
(v
i
), r

i
(v
i
), 1 i k,
be the condition of execution and the data transformation
respectively of the path
i
, then the condition of execu-
tion (R
c
) and data transformation (r
c
) of c are given by
R

1
(v
1
) R

2
(s

1
(v
1
)) . . . R

k
(s

k1
( (s

1
(v
1
)). . .))
and ' s

k
(s

k1
(. . . (s

1
(v
1
)). . .)), O

1
(v
1
)O

2
(s

1
(v
1
))
. . . O

k
(s

k1
(. . . (s

1
(v
1
)). . .) `, where v
i
represents the
vector of inputs and the data variables before the path

i
, 1 i k.
Denition 2 Two computations c
1
and c
2
of an FSMD are
said to be equivalent if R
c
1
= R
c
2
, r
c
1
= r
c
2
.
Computational equivalence of two paths can be dened
in a similar manner. The fact that a path p
1
is computation-
ally equivalent to p
2
is denoted as p
1
p
2
.
Equivalence checking of paths, therefore, consists in es-
tablishing the computational equivalence of the respective
conditions of execution and the respective data transfor-
mations. Since the condition of execution and the data
transformation of a path involve the whole of integer arith-
metic, checking of path equivalence reduces to the valid-
ity problem of rst order logic; the latter is undecidable
because a canonical form does not exist for integer arith-
metic. Instead, in this work we use the following normal
form adapted from [8, 11].
Denition 3 A nite set of paths P =p
0
, p
1
, p
2
, . . . , p
k
is
said to cover an FSMD M if any computation c of M can be
looked upon as a concatenation of paths from P. P is said
to be a nite path cover of the FSMD M.
2.2 Correctness Problem
Let M
0
be the FSMD representation of the CDFG given
as the input to the scheduler and M
1
be the FSMD of the
scheduled bahaviour. Our main goal is to verify whether
M
0
behaves exactly as M
1
. This means that for all possible
input sequences, M
0
and M
1
produce the same sequences
of output values and eventually, when the respective reset
states are re-visited, they are visited with the same storage
element values. In other words, for every computation from
the reset state back to itself of one FSMD, there exists an
equivalent computation from the reset state back to itself in
the other FSMD and vice-versa. The following denition
captures the notion of equivalence of FSMDs.
Denition 4 Two FSMDs M
0
and M
1
are said to be compu-
tationally equivalent if for any computation c
0
of M
0
, there
exists a computation c
1
of M
1
such that c
0
and c
1
are com-
putationally equivalent and vice-versa.
From the above two denitions, following theorem can be
concluded.
Theorem 1 Two FSMDs M
0
and M
1
are computation-
ally equivalent if there exists a nite cover P
0
=
p
00
, p
01
, . . . , p
0l
of M
0
for which there exists a set P
0
1
=
p
0
10
, p
0
11
, . . . , p
0
1l
of paths of M
1
such that p
0i
p
0
1i
,
0 i l and vice-versa.
The following denition is used in the proposed verica-
tion method.
Denition 5 Corresponding states: Let M
0
= 'Q
0
, q
00
, I,
V
0
, O, f
0
, h
0
` and M
1
= 'Q
1
, q
10
, I,V
1
, O, f
1
, h
1
` be the two
FSMDs having identical input and output sets, I and O, re-
spectively, and q
0i
, q
0k
Q
0
and q
1 j
, q
1l
Q
1
.
The respective reset states q
00
, q
10
are corresponding
states.
If q
0i
Q
0
and q
1 j
Q
1
are corresponding states and
there exist q
0k
Q
0
and q
1l
Q
1
such that, for some
path from q
0i
to q
0k
in M
0
, there exists a path from
q
1 j
to q
1l
in M
1
such that , then q
0k
and q
1l
are
corresponding states.
3 Verication Method
The above theorem, therefore, suggests a verication
method which consists of the following steps:
Proceedings of the 7th International Symposium on Quality Electronic Design (ISQED06)
0-7695-2523-7/06 $20.00 2006 IEEE
1. Construct the set P
0
of paths of M
0
so that P
0
covers
M
0
. Let P
0
= p
00
, p
01
, , p
0k
.
2. Showthat p
0i
P
0
, there exists a path p
1 j
of M
1
such
that p
0i
p
1 j
.
3. Repeat steps 1 and 2 with M
0
and M
1
interchanged.
Because of loops it is difcult to nd a path cover of
the whole computation comprising only nite paths. So any
computation is split into paths by putting cutpoints at vari-
ous places in the FSMD so that each loop is cut in at least
one cutpoint. The set of all paths from a cutpoint to an-
other cutpoint without having any intermediary cutpoint is
a path cover of the FSMD. The method of decomposing an
FSMD by putting cutpoints is identical to the Floyd-Hoares
method of program verication [2, 5, 8]. We choose the cut-
points in any FSMD as follows.
1. The reset state.
2. Any state with more than one outward transitions.
Obviously, cutpoints chosen by the above rules cut each
loop of the FSMD in at least one cutpoint, because each
internal loop has an exit point (ensured by our notion of
computation in 2).
In the following we propose one method which combines
the rst two steps listed above into one. More specically,
the method constructs a path cover of M
0
and also nds its
equivalent path set in M
1
hand-in-hand.
3.1 Verication Algorithm
Step 1: Insert cutpoints in M
0
by the following rules.
the start state is a cutpoint,
any state with more than one outward transition is a
cutpoint.
Step 2:
/*Main data stores:
: Set of corresponding nodes
P
0
: path cover of M
0
P
0
1
: paths in M
1
with matching paths in P
0
Working data stores:
F: list of paths of M
0
starting with nodes having
corresponding nodes but ending with nodes whose
corresponding nodes have not yet been found
P: Working list of corresponding nodes from which
paths will be examined */
F := [ ] ; P
0
:= [ ] ; P
1
0
:= [ ] ;
:= 'q
00
, q
10
` ;
P := 'q
00
, q
10
` ;
while ( P is not empty | F is not empty )
// main loop continues till termination
if ( F is empty )
// new paths starting from entries in P to be examined

'q
0i
, q
1 j
` := deQ P ;
put in F all the paths from q
0i
to its successor
cutpoints (in M
0
) ;
else
// now work on the un-matched path frontier
:= deQ F ; // endPtNd ( ) is un-matched!
if ( ( = ndEquivalentPath ( , q
1 j
) ) != NULL )

if ( ! ' endPtNd(), endPtNd()` )

enQ ( P, ' endPtNd(), endPtNd() ` );
// new paths will start from here
:=' endPtNd(), endPtNd() ` ;
P
0
:= P
0
; P
1
0
:= P
1
;
else // no match
// so continue along all paths through successors
if ( the path is marked NOT EXTENDIBLE ) fail ;
tF := all the paths obtained by concatenating to
all the paths from endPtNd () to all the successor
cutpoints of endPtNd ( ) ;
if ( endPtNd of any member of tF is a node of the
same path other than its start node )
fail;
if ( endPtNd of any member of tF is same
as its start node | the reset state)
mark the path as NOT EXTENDIBLE ;
F := append ( tF, F ) ;
// else-if
// else-if
// end while
Step 3: Identify the cutpoints in M
1
Step 4: Repeat the same procedure as described in Step 2
with the roles of M
0
and M
1
interchanged.
Step 5: If it succeeds for both Step 2 and Step 4 then re-
port M
0
and M
1
are computationally equivalent. Otherwise
report a failure.
The functions used are specied as follows.
findEquivalentPath(, q
1 j
) : It tries to nd a path
in M
1
so that R

= R

and r

= r

. If such an exist
then this function returns , otherwise a NULL path.
endPtNd() : returns the state where the path termi-
nates.
Proceedings of the 7th International Symposium on Quality Electronic Design (ISQED06)
0-7695-2523-7/06 $20.00 2006 IEEE
/
b b/2,
i i +1
i i +1
b b/2,
a a2,
b b/2, i i +1
a an
i i +1
b b/2,
a a2,
s s n,
i i +1
a a2, b b/2,
s s +a
q
11
!i 15/sout s
i 15 & !b % 2 = 1/
b % 2 = 1/
!b % 2 = 1
s n/a a2,
s n/
!a n & i 15 &
!a n & i 15 &
!a n & !i 15/sout s
a n & i 15 & b % 2 = 1/
a n & i 15 & !b % 2 = 1/a an,
/s s +a
/a a2,
a n & !i 15/a an, sout s
q
10
q
12
q
13 q
1e
q
15
q
14
/s 0, a A, b B, n N, i 0
i 15 & b % 2 = 1/s s +a
Figure 2. FSMD of MODN after DLS scheduling
4 An example
This method is explained below with MODN example.
Step 1: Cutpoints in M
0
(Fig. 1), FSMD of MODN before
scheduling, are q
00
, q
01
, q
02
, q
04
.
Step 2: Initially, F = [ ], P
0
= [ ], P
0
1
= [ ], =
'q
00
, q
10
`, P = 'q
00
, q
10
`
Iterations:
1. F = 'q
00
, q
01
`
2. ='q
00
, q
01
`. Corresponding equivalent path in
M
1
is = 'q
10
, q
11
`. Put 'q
01
, q
11
` in and P.
Put in P
0
. Put in P
0
1
.
3. F = 'q
01
, q
0e
, q
00
`, 'q
01
, q
02
`, 'q
01
, q
03
, q
04
`
4. = 'q
01
, q
0e
, q
00
`. Corresponding equivalent
path in M
1
is ='q
11
, q
1e
, q
10
`. Put in P
0
and
put in P
0
1
.
5. = 'q
01
, q
02
`. Its equivalent path in M
1
is =
'q
11
, q
12
`. Put 'q
02
, q
12
` in and P. Put in P
0
and put in P
0
1
.
6. = 'q
01
, q
03
, q
04
`. In M
1
, = 'q
11
, q
13
` such
that, . Put 'q
04
, q
13
` in and in P. Put in
P
0
and put in P
0
1
.
7. F = 'q
02
, q
03
, q
04
`, 'q
02
, q
03
, q
04
`.
8. = 'q
02
, q
03
, q
04
`. In M
1
, = 'q
12
, q
13
` such
that . Put in P
0
and put in P
0
1
.
9. = 'q
02
, q
03
, q
04
`. Corresponding equivalent
path in M
1
is = 'q
12
, q
13
`. Put in P
0
and put
in P
0
1
.
10. F ='q
04
, q
01
`, 'q
04
, q
01
`.
11.
7
='q
04
, q
01
`. Function findEquivalentPath
returns NULL.
Thus, tF = 'q
04
, q
01
, q
0e
, q
00
`,
'q
04
, q
01
, q
02
`, 'q
04
, q
01
, q
03
, q
04
`. Put tF in
F.
12. = 'q
04
, q
01
, q
0e
, q
00
`. In M
1
, =
'q
13
, q
1e
, q
10
` such that . Put in P
0
and
put in P
0
1
.
13. = 'q
04
, q
01
, q
02
`. R

= a n & i 15 &
b % 2 = 1 and r

= a an, s s +an.
Corresponding equivalent path in M
1
is =
'q
13
, q
14
, q
12
`. Put in P
0
and put in P
0
1
.
14. = 'q
04
, q
01
, q
03
, q
04
`. R

= a n & i 15
& !(b % 2) = 1 and r

= a a n, a
(a n) 2, b b/2, i i +1. In M
1
, =
'q
13
, q
15
, q
13
` such that . Put in P
0
and
put in P
0
1
.
15. = 'q
04
, q
01
`. Function findEquivalentPath
returns NULL. Thus, tF ='q
04
, q
01
, q
0e
, q
00
`,
'q
04
, q
01
, q
02
`, 'q
04
, q
01
, q
03
, q
04
`. Put tF in
F.
Each of these 3 extended paths has an equivalent path
in M
1
. They will be explored in the following itera-
tions.
So, step 2 terminates successfully generating a path
cover P
0
of M
0
. Every path of P
0
has an equivalent
path in P
0
1
corresponding to M
1
. In iterations 11 and 15
paths had to be extended before their equivalent paths
could be found.
Step 3: The cutpoints in M
1
are q
10
, q
11
, q
12
, q
13
.
Step 4: Iterations of steps 4 can be shown fashion that of
step 2 and are not shown here for brevity.
Step 5: So M
0
and M
1
are computationally equivalent.
5 Experimental Results
The proposed algorithm has been implemented in C
and has been run for some standard high-level synthesis
benchmarks as shown in table 1. These have been run on
an Intel Pentium 4, 1.70 MHz, 256MB RAM machine. The
number of states, number of paths explored in each FSMD
M
0
and M
1
, number of consecutive path segments merged
Proceedings of the 7th International Symposium on Quality Electronic Design (ISQED06)
0-7695-2523-7/06 $20.00 2006 IEEE
0
0.5
1
1.5
2
2.5
0 5 10 15 20
e
x
e
c
u
t
i
o
n

t
i
m
e
number of paths
Plot : #paths explore vs execution time in step 2
Figure 3. No. of paths explored in M0 Vs execu-
tions time of step 2
by the scheduler and the CPU time are tabulated for each
benchmark example. The number of paths explored vs ex-
ecution time have been plotted in Fig. 3. It is clear from
this gure that execution time is sensitive to the number of
paths explored. In contrast, it also may be noted from the
table that run time of this algorithm is less sensitive on the
number of states in the FSMDs. For example, in table 1, the
run times of EWF and DCT are small compared to GCDand
MODN even though EWF and DCT have greater number of
states.
6 Conclusions
Advances in VLSI technology have enabled its deploy-
ment into complex circuits. Synthesis ow of such circuits
comprises various phases where each phase performs the
task algorithmically providing for ingenious interventions
of experts. The gap between the original behaviour and the
nally synthesized circuits is too wide to be analyzed by any
reasoning mechanism. The validation tasks, therefore, must
be planned to go hand in hand with each phase of synthe-
sis. The present work concerns itself with the validation of
the scheduling phase. Both the behaviours prior to and after
scheduling have been modeled as FSMDs. The validation
task has been treated as an equivalence problem of FSMDs.
The method is strong enough to accommodate merg-
ing of the segments in the original behaviour by the typ-
ical scheduler such as, DLS [10]. It is also able to han-
dle arithmetic transformations and expected to handle sim-
ple code motion. Similar methods reported in the literature
have been found to fail under such situations. The initial
experiments show that the algorithm is usable for practical
equivalence checking cases of scheduling.
Name #state in
FSMD
#path in
cover
#path
extn
CPU
time
M
0
M
1
M
0
M
1
in ms
DIFFEQ 4 12 3 3 0 2.442
EWF 4 35 1 1 0 1.820
GCD 7 4 11 7 3 3.976
DCT 3 29 1 1 0 1.754
TLC 7 8 13 14 2 4.196
MODN 6 7 8 12 2 4.324
PERFECT 9 6 7 5 2 4.028
Table 1. Results for different high-level synthesis
benchmarks
References
[1] H. Eveking, H. Hinrichsen, and G. Ritter. Automatic veri-
cation of scheduling results in high-level synthesis. In Proc.
Conf. Design, Automation and Test in Europe 1999, pages
5964, March 1998.
[2] R. W. Floyd. Assigning meaning to programs. In J. T.
Schwartz, editor, Proceedings the 19
th
Symposium on Ap-
plied Mathematics, pages 1932, Providence, R.I., 1967.
American Mathematical Society. Mathematical Aspects of
Computer Science.
[3] D. Gajski and L. Ramachandran. Introduction to high-level
synthesis. IEEE transactions on Design and Test of Com-
puters, pages 4454, 1994.
[4] D. D. Gajski, N. D. Dutt, A. C. Wu, and S. Y. Lin. High-
Level Synthesis: Introduction to Chip and System Design.
Kluwer Academic Publishers, 1992.
[5] C. A. R. Hoare. An axiomatic basis of computer program-
ming. Commun. ACM, pages 576580, 1969.
[6] R. Jain, A. Majumdar, A. Sharma, and H. Wang. Empirical
evalution of some high-level synthesis scheduling heuristics.
In Procs. of 28th DAC, pages 210215, 1991.
[7] Y. Kim, S. Kopuri, and N. Mansouri. Automated formal
verication of scheduling process using nite state machine
with datapath (FSMD). In 5
th
International Symposium
on Quality Electronic Design (ISQED04), pages 110115,
Carlifornia, March 2004.
[8] J. C. King. Program correctness: On inductive asser-
tion methods. IEEE Trans. on Software Engineering, SE-
6(5):465479, 1980.
[9] Z. Manna. Mathematical Theory of Computation. McGraw-
Hill Kogakusha, Tokyo, 1974.
[10] M. Rahmouni and A. A. Jerraya. Formulation and evalu-
ation of scheduling techniques for control ow graphs. In
Proceedings of EuroDAC95, pages 386391, Brighton, 18-
22 September 1995.
[11] D. Sarkar and S. C. De Sarkar. Some inference rules for
integer arithmetic for verication of owchart programs on
integers. IEEE Trans. Softw. Eng., 15(1):19, 1989.
Proceedings of the 7th International Symposium on Quality Electronic Design (ISQED06)
0-7695-2523-7/06 $20.00 2006 IEEE