 Welcome to course on VLSI advanced VLSI design. So, continuing with my earlier discussion, I will take you through the model checking techniques for design verification in today's lecture. So, in last lecture we discussed that here we if you want to verify VLSI circuit then we need two things. One is the system model that we define as a transition system and we discuss the transition system is defined as set of states, transition function and label on every state that we obtained by converting the finite state machine to the creep case structure. In creep case structure we transform the label from the edges in state transition diagram to the nodes. And the other thing that we need is the formula or the property that we want to verify and property is encoded in terms of temporal language and that is referred as temporal logic. So, this is defined as formula in temporal language and we discussed that there can be you can express in linear temporal logic or you can represent in the computation tree temporal logic. So, LTL or CTL I will take you briefly through both of these and then we will discuss this. So, and now here we want to say we have model written as m formula as f and then here we say that means in some state a model satisfies the formula f it if it satisfies in that case here that property is all the time respected by your design if it is not in that case here it gives you counter example and that help you debugging the system. So, means as I referred that we can use the linear time temporal logic and then how formally we define a formula in linear temporal logic. So, that formula can be defined as say tautology. So that means here formula can be always true that can be defined as say sorry this is negation of tautology. So, this formula can be tautology or this can be negation of tautology or we can write like this or this can be any formula which is labeled on some particular age. So, when we convert our finite state machine into Kripke structure we transform our input output from the ages to the nodes and then nodes are labeled with the variables which are true in that particular state. So, then all the variables which are labeled on that particular state are formulas. So, now here the formula can be like here in some state transition diagram if I say that this is my p and q are true here q and r are true here r is true in this particular state say this state is s 0 s 1 s 2 and now here I can say this is my state transition diagram they say this is initial state. So, now here in this particular state p and q both of the variables are true. So, these are the true formula for state as s 0 here q and r both are true that means these are true formula for state as 1 and r is true formula for state as 2. Negation of any formula is also a formula in LTL logic. There can be conjunction or there can be a disjunction of two formula. So, now here you can say that in there is one formula phi another formula psi. So, in that case here there can be say phi conjunction psi and there can be phi disjunction psi or there can be a phi implication psi. So, now here you can write in both of the I mean all these ways. So, these are the static formula that normally we use in Boolean logic and I gas you understand the truth table of the static formulas. But, now in order to capture the dynamic behavior of the system here we also define some temporal operators and these temporal operators are x, f, g, u, w and r. x tells us the formula holds good in the next state. f tells you that formula holds good sometimes in the future. The future may be next state, next to next state, next to next to next state and like this. Global operator tells you that this formula holds good in all these states in a path. There is an until operator says that one formula holds good until another formula holds good. In the same way there is a weaker version of the until that is called as weak until. So, that is defined as phi weak until phi that mean. So, this is I will discuss how why this is weak and why we need that and then here there is another operator that is called as release operator. So, these are six temporal operator x, f, g, u, w and r. So, let us say this is a computation this is your creep case structure or a variant of finite state machine and now here I unroll this in order to obtain a computation tree that how the computation progresses. So, say pq this is the state as 0 that is the initial state and now if I start from this state in that case here this can either go to this state or it can go to this state. So, now here first time here this will be this will unroll like this. Now, when you come to this state in that case here either you can go to this state or you can go back to the same previous state. So, now here your computation tree can unroll like this if you are in state r in that case here you can be only in state r. Now, in this way the you can generate the computation tree which is infinitely long. So, this infinite long tree and the and it is of infinite width. So, this keep on keep on growing. Now, here any path starting from the initial state or any progression is defined as a path. So, this is this is one of the paths. So, and now here we define this is the path 1 and which is starting from say state 1. Now, here there can be another path like here this one. So, that is the another path we define path 2 and then here the superscript tells you that from means which is the initial state of this path. So, now this path is starting from state as 1 and this is the second path. Now, here this I can say the third path starting from state as 1. So, now we define multiple paths in this computation tree. So, as I mentioned earlier that here we model system as a transition system and we define a path in this model which is infinite sequence of states as 1 to as 1 to as 2 as 3 so on and so forth. So, a path is represented by pi and then here pi subscript as 1 tells you that all the path is starting from state as 1. Now, the let us look at the semantics of LTL. So, now if there is a model m that is a transition system and path pi that is starting from as 1 as 1 as 2 and the infinitely long path in m. When pi satisfied and pi is an LTL formula then this formula is defined as like here totology that can be in inverse of totology. So, that means here it is always false or it can be a label on some particular state. So, P and where P is member of labels on state as 1 this can be inverse of any formula pi. So, this holds good if pi does not hold good in that particular state and in a path pi can be the conjunction of two formulas phi 1 and phi 2. So, this holds good if and only if formula phi 1 holds good and formula phi 2 holds good or pi can be disjunction. So, that means here this pi holds good when phi 1 holds good or phi 2 holds good or there can be implication. So, that means this says that pi 1 implies phi 2 this means that if phi 2 holds phi 2 will hold good in that path whenever phi 1 holds good. So, that means here we can reason about phi 2 only when phi 1 holds good otherwise we cannot reason about phi 2 whether it holds good or not. The temporal formula here is defined as pi satisfies x of phi if and only if in the very next state formula phi holds good. G is the hold good if and only if in that path everywhere phi holds good for i greater than or equal to 1. Future somewhere there exist at least one state wherein the formula holds good in that particular path pi defined as phi until phi psi if and only if for any value i greater than 1 if phi i holds good means psi holds good in phi pi i and for all value of j. So, that means here after particular state. So, this tells us that in the state progression this phi holds good until psi holds good. So, until this point here whenever you will get psi until that point phi should hold good after that psi may hold good or may not hold good. So, this is phi until psi this is a strong relationship this says that phi should hold good until psi holds good and psi should hold good at least once in that particular path. The w is the weaker version of that and that says that if strong until holds good weak until also holds good. So, that means here if you have this phi phi psi then here phi weak until psi holds good or if so here psi should hold good or if phi always hold good and psi never occur in that case also here phi hold good this phi weak until psi hold good. So, that means here phi phi phi infinitely long phi this is also valid formula for phi weak until psi. So, now here you can say that phi weak until psi is superset of phi until psi and in the same way here you can say that there is another formula which says that phi releases psi. So, that means here until the psi hold good. So, that means psi should hold good until phi appears. So, in the weak until sorry in until and release there is a relationship that in until at you need to have phi phi phi and psi whereas in. So, the and in the release operator you must have phi phi phi and at least in one state you must have phi and psi hold good together whereas that is not requirement in the until operator. So, these are the various operators we use to model the system or to define the property of the system keep in mind that here your implementation is modeled by a transition system and specification is written in LTL formula. Now, we will take. So, these are some of the depiction of these formulas like here x of f. So, like here f holds good in the very next state here it is false and here it become true f you see is that f holds good until g appears f of g is the future operator. So, that means here g holds good sometimes in the future this may be after two states after three states or after five states g of f is f holds good everywhere f releases g is that here this f should hold good until you means it is released by g. So, now here in this state f and g both hold good. So, now here let us say in this unrolled or computation tree let us argue about this formula whether this formula holds good or not. So, now s 0 is p and q. So, now here whether it holds good in the very first state that is s 0 this holds good because p is true. So, p holds good q is true. So, that means q holds good and then their and operation also holds good. So, now here this formula holds good s 0 is negation of r. So, that means here r does not hold good hence here negation of r holds good. So, this formula is true s 0 satisfies x of r that means here in the very next state r should hold good. So, very next state from the s 0 state is either this q r state or r state in both of the cases r holds good hence here you can say that this formula holds good. Now if you look at x of q and r. So, here in this state q and r holds good whereas in this state q and r does not hold good hence means this if this does not hold good in both of the next states your this formula does not hold good. So, this formula does not hold like here we can say s 0 satisfies g of negation of p and r. So, p and r so means both should satisfy in the path starting from s 0. So, now here in this p and r is does not satisfy here it does not satisfy here it does not satisfy. So, in this path nowhere this satisfies hence this formula is satisfied. So, now this way here we can write the sum of the formulas. So, now again here we have several operators in this we have means your conjunction disjunction negation and implication as a static operator and x f g u w and r as temporal operators. So, now here do we need all these operators like here if you want to define a system in that case here do we need negation conjunction disjunction all 3 operators no we do not need do not need these operators and we know that there is a de Morgan's theorem and then here de Morgan's theorem can be be defined like this one although I guess all of you know that. So, I do not need to discuss this. So, now here this can give the give you the equivalence with between different operators this says that out of these 3 operators if we have 2 operators either negation and conjunction or negation or the and disjunction in that case here these are sufficient to specify any of the system. Now there is a an equivalence relationship between temporal operators like here we can say some of the these operators are defined as like here you say g of phi is equivalent to negation of g of phi is equivalent to f of negation of phi. What this says is that g of phi negation of that so that means here when g of phi is satisfied when here all along the path you have phi phi phi phi hold good when this formula fails this formula fails if any of the states has negation of phi. So, if I have negation of phi here in that case the negation of g of phi hold good. So, now this is the trace of negation of phi now in this what I can say is that somewhere in the future at least in one of the states negation of phi hold good. So, that means here I can write this formula as f of negation of phi. So, that gives you the logical equivalence of negation of g of phi is equivalent to f of negation of phi this way you means you can write this other way round as negation of f of phi as g of negation of phi in the same way x of phi. So, now in this state is you have phi next state you have phi. So, say in the current state you may have anything but phi or negation of phi, but in the next state if you have phi in that case your formula x phi holds good whereas, if you say that this formula is does not hold good or does not satisfy in that case here your trace must be here you may have negation of phi and the next state must be negation of phi this is equivalent to x of negation of phi because here in the next state negation of phi holds good. So, this way we can write equivalence in the same way you can work out there is a an equivalence relationship between u and r operator. So, it means negation of phi until psi is equal to negation of phi until negation of psi this this relationship is like De Morgan's theorem and or other way round you can also write it in the same way here you can write f of phi as is equivalent to tautology until phi tautology means here no restriction always holds good. So, that means here without any restriction in some state here phi holds good. So, that means here you have negation of phi negation of phi negation of phi and in some state phi holds good. So, this is equivalent to what this is equivalent to f of phi because somewhere in the future your phi holds good. So, this way you can write like this in the same way here global operator you can write g of phi is equivalent to negation of tautology religious phi. So, negation of tautology and as I explained you earlier that your weaker until is superset of until. So, that means here if I add something in. So, now your phi until psi is defined as phi phi phi phi and some other term where psi v until can be either this one or phi phi phi phi phi everywhere phi. So, if this is there in that case here this is equivalent to v until otherwise I have to have somewhere where psi should hold good. So, this I can also write as in order to capture this one I can also write as this as f of psi f of psi means here psi hold good somewhere in the future. So, your weak your strong until is equivalent to weak until and f of psi that gives you exactly this thing. So, this way you can have equivalence between the weak until and strong until. So, now here in this way you can define the equivalence between these operators. Now, here if you want to see which are the essential sets in that case here out of these 6 operators you can say I need either your x or r or x or w or and x. So, now here either set is ok. So, now here you need 2 operators from the temporal logic and 2 operators from the static logic and. So, now here either from static you need to have either this set or you need this set both of the sets are ok and from the temporal you need to have u acts this one or this one. So, now here you can pick any of these 2 and any of these 3. So, and that can define you the complete set. So, now here the question is what we can do with this how we can write or how we can specify property of the system. Let us take a simple example. This example tells you the mutual exclusion or arbiter that gives you access to the common resource what we want from that. There are couple of things that we need from the system and those are defined as like here if one master want to get access to the common resource. In that case here it should be allowed to get access 2 masters cannot get access to the common resource. So, and now here it should not be blocking. So, that means here like whenever somebody wants to access sometimes in the future it should give access to the common resource and it should not allow the strict sequencing that means here it should not mean say give you the say round robin policy or something like that. So, that first gives the access to the master 1 then master 2, master 3, master 4. So, here you have 2 masters say M 1 and M 2 and say they want to get access to the common resource and this common resource may be the bus. So, now here this master can be in any of the state. One state may be here it may request. I say that is trying state that is it is trying to get access and then here once it gets the request is registered you get access to the common resource and you are allowed to transfer your data to on the common bus and that state here we say as critical state. So, now here you are in the critical state and you have access to the system say that is state C and now here many times your master may not want to access to the common resource. So, then you can say that it is not trying for anything it is in the ideal state ideal state say I say referred as N. Now, what are the important properties we are interested in one of the properties one of the properties that is defined as safety property and safety property says that only one process in the critical only one process should be in the critical section. So, that means here more than one process should not access to the common resource. Another property is defined as lioness and lioness says that whenever any process request to enter in the critical section it will eventually be permitted. So, that means it is not necessary that in very next state it should be permitted, but it should be permitted somewhere in the future and third property is non-blocking property we are interested in and this says that a process can always request to enter in the critical section once it is it gets access to the critical section it should not be be disallowed for that it can always make any request at any point in time and fourth property that is very important is no strict sequencing you may means in some of the protocol you may use round robin and then these properties is violated, but ideally you may want that here there should not be strict sequencing. So, that means here process need not to enter in a strict sequence that here first process p 1 then p 2 p 3 p 4 something like that it should not happen like that. So, now here we design a mutual exclusion system and that system will work like this. So, let us work out it a little bit. So, say initially both of the resources or masters are not requesting for any resource. So, they are in state wherein in n 1 and n 2 n 1 n 1 says that process p 1 does not request process and n 2 says process p 2 does not request now. So, say this state is s 0 now when you will get request from master m 1 then it will go to state m 2 and now sorry master 1 or process p 1 then it should go to the another state and in that state say p 1 is in trying and n 2 is not trying. So, this is in the trying state that means it raise the request after that what will happen now in this either your t 1 or process p 1 will get access. So, if it gets access in that case here it will go to state c 1 and t 2 is means process p 2 is not trying or process p 2 may also start to try. So, now here it will start to try and then here it will go to state t 1 and t 2. So, let us say come back to process p 1 which gets the access. So, this was s 1 this is s 2 now once it completes here it goes back to the initial state. Now, here if or from this state if t 2 start to t 2 again raises the request. So, far there was no request. So, in that case here it will go to state c 1 and t 2 come back to the previous state t 1 t 2 when it is in t 1 t 2 in that case here either it will give access to c 1 means process p 1 or it will give access to the process p 2. So, say it gives access to the process p 1. So, this will work like this or it gives the access to the process p 2. So, in that case here this will give you t 1 c 2. Now, if it goes to c 1 t 2 in that case or it goes to t 1 c 2 in that case here once it completes t 2 completes here it comes back to the state t 1 and 2 because now here process second is not requesting for anything. So, now here like this you will also get the similar kind of state graph this side. So, now here if you look at this you will get a state transition diagram like this which gives you the implementation of an arbiter or mutual exclusion. I hope this is clear to you by this time. Now, let us see how I can encode these properties and for this one and check whether this implementation is correct or not. So, this is implementation and this is creep case structure. So, creep case structure tells you that here these variables t 1 and n 2 are true in this state here n 1 and n 2 are true in this state and in this we have 6 different variables t 1 t 2 n 1 n 2 c 1 c 2. Now here let us look at the properties. So, first property was the safety property and safety property says that only one process should be in the critical section how I write that. So, that means in every state in this diagram I have to say that only one process should be in the critical section. So, that means here either c 1 should hold good in any of the state or c 2 should hold good both should not hold good. So, means that how I can define I can define that globally c 1 and c 2 both should not hold good. So, that means here c 1 c 2 should not hold good that means here the negation of this should hold good all the time globally. So, I can write this property like this. Second property is liveness property which says that whenever any process request to enter into the critical section it will eventually be permitted. So, that means here whenever a process wants to enter. So, that means whenever it is trying in that case here somewhere in the future it should get access. So, that means here now whenever some process say t 1 is trying. So, in that case after several cycles I do not know how many cycles, but after several cycles it should get access. So, that means here it should go in the critical x section or it can get access to the common resource. So, now here this should hold good and this should hold good globally. This is for process p 1 this should also hold good for process p 2. So, that means here t 2 implies f of c 2. So, now here this encodes liveness property. Third property is non-blocking property. So, non-blocking property says that for every state satisfying n 1 there is a accessory state t 1. So, that means here it should not be at least in some of the paths the next state. So, it should be after n 1 it should be t 1, but now here in this we cannot define property for selective paths. Here this property says that here this need not to hold good all the time this should hold good selectively. So, in that case here we have to we cannot express that and I will come back to this point and we will tell you that this can be expressed in computation tree logic computation tree temporal logic CTL and this is not expressible in LTL. The another property is no strict sequencing. So, no strict sequencing says that you cannot strict sequence that means strict sequence tells you that you have to go in this way. First c 1 goes in the critical section then c 2 then again c 1 then c 2 then c 1 c 2 it has to follow the strict sequence and what we want is that it should not have strict sequence. So, that means here this may follow the sequence as well, but at least there must be one path in which it should go like c 1 c 1 c 1 c 2 c 1 c 1 something like that. So, that means we have to now here how I can write this property. We can write this property as a negation of the property because here again we cannot write property for the selective formula, but in this particular case negation can help us that we if we say that there is at least one path in which the strict sequencing that is c 1 c 2 c 1 c 2 does not hold good that means here it does not follow strict sequencing in all the time. So, in this case we are we can write this property as a negation of the property and that says that here your c 1 either should hold good all the time and so that means here c 1 implies c 1 we can tell so that means here either c c 1 continues or it should go to negation of c 1 and then here from negation of c 1 it goes to c 2 and then come back to c 1. So, now here this says that here strict sequencing is not needed and if this property fails that means here strict sequencing passes no strict sequencing passes. So, this way we can write now in the state transition diagram if we look at this property. So, if you go back to the state transition diagram here you can say that nowhere in this c 1 and c 1 both are true. So, if this is false so that means here negation of this this is true so that means here the first property holds good. Second property tells you that what it says that you have to have t 1 and t f c 1 and this holds good globally so that means here after t 1 somewhere in the future you should get c 1. Now here if in this transition diagram if you look at a path s 0 s 1 s 3 s 7 here what you are getting here n 1 n 2 here you will get t 1 so now here t 1 is true now you can reason about f c 1 once t 1 holds good. So, t 1 holds good here now after that what we want that somewhere in the future it should c 1 should hold good. So, that means from t 1 if I look at this one t 1 here you will get c 1 so in this path this holds good, but if you look at this path s 0 s 1 s 3 s 7 s 1 s 2 s s 3 s 7 s 1 s 3 s 7. So, the path that is s 0 s 1 s 3 s 7 s 1 s 3 s 7 and so on and so forth. In this path here you have t 1 t 1 t 1 again t 1 t 1 t 1 t 1 and so you will never get c 1. So, that means this path violates this property. So, what it says that your second property which is liveness property fails. So, that means and what liveness property says that whenever any process request to enter into the critical section it will eventually be be permitted and here it means this counter example that we have discovered as 0 s 1 s 3 s 7 s 1 s 3 s 7. So, if it follows this computation path it would not permit t 1 or the process 1 to enter into the critical section. Hence, there is a design bug and it captures the design bug. I will come back and tell you how we can look at means how we can debug that design bug. Non-blocking. So, the counter example tells you that here which path violates this property. Now, third property is not anyway not encoded in L T L then go back to the fourth property and then here you will find out find in the computation path you can do this on your own that this is always this property is always respected. So, that means here negation of this property holds good. So, now here how I can can set this process right. If you look at this where is the source of error source of error lies here at s 3. When you come to a state s 3 where in t 1 and t 2 both are true. Now, you lose track through which path you came from s 0 s 1 s 3 or you came from s 0 s 5 s 3 and now here this can go to this state or this can go to this state. So, now here you do not have memory otherwise if you remember that if you come through this path then here you would not allow it to go here you can allow it to go here. So, now means in order to debug it or in order to fix this bug say means for debug we get to know that this is the source of bug and in order to fix this bug here. Now, what is the solution what is the remedy? Remedy is that here you split this state in two states. So, that you can remember that whether you came through this path or you came through this path and so now here that will fix your problem. So, now here by splitting this state in state s 3 and s 9 both have t 1 and t 2 variable high or true. So, in that but here now I remember if it came through this path in that case here this should go here. If it came through this path it should go over here and now here there is no confusion and now if you look at it you would not find such a path and hence here both all these three properties will pass and so now here this way you can specify property and then you can verify those properties on given model and so now here that model is generated from the implementation. So, this transition implementation is described as transition system or finite state machine or creep case structure and your specifications are written in terms of LTL formulas and as we know that here LT formulas are evaluated on paths. So, that means here and that is why this is linear because on a path always with the clock tick here you will linearly move to the next state next to next state next to next state always. State of the system satisfies LTL formula if all the paths on a given state satisfies the formula. So, that means from one state if n number of paths are originating in that case here that state satisfies formula only when all paths originating from that state satisfies that formula. Now here LTL implicitly quantifies over the universally over the path. So, that means here all the paths originating from the same state and now here, but some of the properties which assert the existence of path. So, that means those are defined for a selected set of path cannot be expressed in LTL that is the outcome of LTL. Sometimes like here as we have seen that no strict sequencing we can use negation and we can define the property. So, negation can partly help us, but not all the time. So, for that here we need to go to the branching time temporal logic. So, if you look at the computation tree in that case from every state here now this branches out either it goes to this state or it goes to this state. So, now if we start to define formula based on the computation tree and or you can say the with respect to a state in that case here we can select some of the paths. So, now here from this either it goes here or it goes here. So, now here we can select the paths and so now that formula that is defined as computation tree temporal logic CTL. So, now here a big difference between the LTL and CTL is that with every formula or temporal operator we need to specify one path modality whether this holds good on all the paths originating from a state or it holds good on selected path. So, one path modality is defined as a that is for the representing the universal quantification. So, that means it depends means defined for all the paths originating from one of the state or we define e that that refer the existential quantifier that means here it says that this exist or this holds good at least for one of the paths. And so now means we have to associate these path modalities with each and every temporal logic. So, now here your static formula remains same, but the temporal formula has association with the path modalities either universal or existential. So, now here if we say x operator I have that says that some formula holds good in the next state. So, now there can be several next states from one particular state. So, now here based on whether it should hold good in all the next states or it should hold good in one of the next at least one of the next states we define the path modality. So, if it should hold good in all the next state in that case here we define this we associate a or if it should hold good on selected or at least one of the next state in that case here we define this as e of x. So, in the same way here we can write we can define if some formula hold good sometimes in the future in any of the paths in that case here we define that as e of f or if it holds good in all the paths in that case here we define as a of f. So, now here means we can define this as totology or sorry there must be negation here. So, this is negation of totology or this can be a formula which is label on in particular state it can CTL formula can be negation of a formula it can be conjunction disjunction implication it can be a temporal operator x and that associated with path modality as a it can be associated with path modality as e then here there can be f. So, f or g is global and u generally we do not define v can till or release operator for CTL, but you can define that as well there is no such restriction as we discussed earlier that here we can convert from one formula to another. So, that means, here u to w or u to r or w to u or r to u. So, now here the these formulas are defined in this way. So, these are the static formula though the static formulas are same whereas, the temporal formulas change a little bit. So, now here a of f a x of f. So, it says that that here in all the next states f should hold good e x that means here it should hold good at least in one of the the state a g should say that that here in all the paths starting from state as should means f should hold good or if it is easy then here in one of the paths this should hold good if if it is a f. So, that means, here somewhere in the future the formula f should hold good in all the states in all the paths starting from as now if it is e in that case here f should hold good at least in one of the paths in the future a u is say that here f should hold good in all the paths until g holds good. So, now here this is g hold good here g hold good is e u is defined that here f should hold good at least in one of the paths until g holds good. So, now here some of the things that we can are examples are like this we can say like if there is a request there must be acknowledgement. So, now here when there is a request here sometimes in the future may not be in the next cycle, but sometimes in the future there must be acknowledgement and this should hold good globally in in in a arbiter or a message passing system in some protocol. So, or here now now we can define a a process is enabled infinitely often on every computation paths. So, that means, here it can be enabled again and again and again. So, that we can define that here globally sometimes in the future a enable signal should hold good or should become true. Now, we can also so model that log that log says that sometimes in the future it will stuck to or always it would been in same state. So, that means, here that is that log. So, this can model the that log there you can means say if you want to define that like in a processor you can or in any of the sequential circuit you can always press reset and then it should come back to reset irrespective of in which state it was. So, now here that you can define that globally from every state there exist one one path that can take you to the restart state. So, that that is the restart or reset state like you can also define some formula like here if a elevator is travelling upward in that case here it should keep and some. So, if it an elevator is in a flow at floor 2 and button for floor 5 is pressed it is going upward in that case here it should keep on going upward until floor 5 before changing the changing the direction of the elevator or here if you want to. So, now here the universally globally this should happen that if it in the floor 2 and direction is up and button for floor 5 is pressed in that case here it should always keep direction up until it reaches to floor 5. A elevator can remain in idle state in the on the third floor with its door closed. So, now that you can say that if it is on the floor 3 and it is idle and door is closed in that case here this implies that it should continue to in this state. So, now here one of the property that we want we were not able to encode in LTL now how we can encode that. So, other properties you can also define in CTL like here as I said that LTL properties are implicitly using universal quantification. So, now for the first safety property you can have universal quantification for the lioness again here you can use the universal quantification because this should happen all the time known blocking property we were not able to define. So, that means here this was related to one path what it says is that for every state satisfying n 1 there should be at least one successor that can satisfy C 1. So, that means here we were supposed to write like this that if it is in state n 1 there exist at least one path where in the next state is T 1 and this should hold good globally in all these states. So, now here why we were not able to specify this in the in LTL because here we need existential quantifier and global quantifier if you are needing only existential in that case here your negation can help you, but now here you want to select a path from a set of path. So, now here that is why you cannot specify in the same way here the no strict sequencing property you can also define by converting this into the existential quantifier because earlier this was defined as negation of the property. So, now here if you look at this all these properties will say will pass again here there are various operators you can define the equivalence between these two these operators and finally, here you need a set of three operators in among the temporal operators and negation and conjunction or negation and disjunction as temporal operators. So, now here you need five operators to express any property and now here. So, this theorem says that a set of temporal connectives in CTL is adequate if and only if it contains at least one of A x and or A x and E x means from A x or E x or at least one from E c, A f, A u and E u. So, now here you need to have three operators A x or E x E g or A f or A u and E u. So, now if you want to check the CTL formula CTL checking CTL formula is more straight forward because it is related to state not related to path means checking for temporal formula is more difficult and what we do is we use the labeling concept. So, that means here we start in the reverse way we start from a point where in the formula holds good and then here we go back and try to reach to the initial state. So, now we label those states which are old wherein the current formula is satisfied and then we go back if the previous state of that state satisfies that formula and this way we do the backward reachability and if we happen to reach to the initial state in that case we can say that that property is all the time respected. So, now here for and and not what we need to do is here if both of the formulas are true at a node then here resulting and formula is true and so now here say in this state say you have this state. So, here a formula phi holds good and that is phi say phi and psi. Now if this holds good in that case here I label the this formula say capital phi and now here because this holds good in that case here this would hold good in the previous state. So, everywhere but here only we need to consider so and and not are pretty straight forward, but here now we need to consider e x of and e u and e g of a formula. So, now here e x again here for e x it is straight forward now if x f holds good in some state in that case here e x holds good in the previous state. So, now here input is your creep k structure output is labeled is a state transition diagram or state or labeled a creep k structure wherein you label e x of f. So, now here for each state s of k add label e x of f if f is labeled at the successor of s. So, now here that is what I told you e u of g e u of g it can be referred as now here we look at some state if these are the the the state if g is labeled here in that k k k case here I labeled as here f f until g in this state now this is universal. So, now here you you look at the previous state in this state if the the previous state is labeled as f here f then here I can also label this this as f until g and because here this is existential this means we need to check on only in in one part. So, in one of the successor. So, now here the if you look at the previous one the the next state is labeled as e f u g and then here any earlier state also has f in that case here you can also label this as f until g this way you you keep on going. So, now here you you need not to unroll your finite state machine or in other word you do not need to create complete computation tree which is infinite long and now now here this way you keep on on on going back the moment you you reach to the initial state and initial state is labeled with that particular formula you can say that formula holds good all the time. So, now now here the we can dramatically reduce the complexity of verification of these formulas. Now, so the this algorithm does the same thing it says that assume the formula f and g have been verified. So, now here e f of g is true at the node if there is a path from the node to g labeled node and every node along with the partial path f is labeled but g is not. So, now here the formula holds good wherein g holds good and now you have to check whether g holds good and f is there just before that. So, node satisfies e f you see if g is labeled at that node or f is labeled but node g is labeled at the node and its successor is either labeled as g or f until g. So, this way here you can verify this. So, now here at the end I can summarize this that you model your your implementation as a transition system you write down the properties using either CTL formula or LTL formula say that that formula is f and then here you need to to check whether your formula satisfies in all the paths or or in the the state in which way it is it is referred if it is it satisfies in that case here in in all the cases that properties respected if it fails then it will give you the counter example and counter example will help you in fixing the bug. So, with this I summarize the verification portion of these set of lectures on advanced VLSI design good day.