A. AXI

We focus on one of the bus channels, the "read data" channel. This channel uses a variation of the handshake protocol, defined as follows:
1. assume always (ready && !valid) -> next ready
2. assert always (!ready && valid) -> next valid
3. assume always (ready && valid) -> next !

- BUS1: the system control interface, by which the system reads data from the environment
- BUS2: the system interface by which interrupts are transmitted to the CPU

Due to the size of the design, we need some abstraction to prune the state space so that the model checker can give a conclusive result. We use our UCEGAR algorithm,
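As an added illustration that is not part of the original text, the following Python trace checker evaluates the two complete handshake properties quoted above (the third is cut off on the page) over constructed (ready, valid) traces, treating each assume as a constraint on the environment and each assert as an obligation on the design; the trace data and function names are assumptions of this example.

```python
# Added example, not from the original text: a trace checker for the
# "always (antecedent) -> next (consequent)" handshake properties of the AXI
# read-data channel. "assume" constrains the environment (ready), "assert"
# is an obligation on the design (valid). Property 3 is omitted because
# its consequent is cut off on the page. All trace data below is constructed.
from typing import Callable, List, Optional, Tuple

Step = Tuple[bool, bool]                 # (ready, valid) sampled at one clock edge
Pred = Callable[[bool, bool], bool]
Prop = Tuple[str, Pred, Pred]            # (name, antecedent, consequent)

# 1. assume always (ready && !valid) -> next ready
ASSUMES: List[Prop] = [("assume_1", lambda r, v: r and not v, lambda r, v: r)]
# 2. assert always (!ready && valid) -> next valid
ASSERTS: List[Prop] = [("assert_2", lambda r, v: (not r) and v, lambda r, v: v)]

def first_violation(trace: List[Step], ante: Pred, cons: Pred) -> Optional[int]:
    """Cycle t at which ante(t) holds but cons(t+1) fails, or None.
    Like PSL's weak 'next', the last cycle has no successor and passes."""
    for t, ((r, v), (r2, v2)) in enumerate(zip(trace, trace[1:])):
        if ante(r, v) and not cons(r2, v2):
            return t
    return None

def check(trace: List[Step], assumes=ASSUMES, asserts=ASSERTS):
    """Assumptions are evaluated first: a trace that breaks one is not a
    legal environment behaviour, so no assertion verdict is drawn from it."""
    for name, ante, cons in assumes:
        t = first_violation(trace, ante, cons)
        if t is not None:
            return ("env_violation", name, t)
    for name, ante, cons in asserts:
        t = first_violation(trace, ante, cons)
        if t is not None:
            return ("fail", name, t)
    return ("pass", None, None)

# Constructed traces, one (ready, valid) pair per cycle.
TRACE_OK = [(False, True), (False, True), (True, True), (False, False)]
# Design drops valid before ready was seen: a real protocol violation.
TRACE_DESIGN_DROPS_VALID = [(False, True), (False, False), (True, False)]
# Environment withdraws ready before valid arrives: outside the assumptions,
# so the checker reports it as such rather than blaming the design.
TRACE_ENV_DROPS_READY = [(True, False), (False, False), (False, True), (True, True)]

if __name__ == "__main__":
    for label, tr in [("ok", TRACE_OK), ("design", TRACE_DESIGN_DROPS_VALID),
                      ("env", TRACE_ENV_DROPS_READY)]:
        print(label, check(tr))
```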
