# Hardware Verification using Monadic Second-Order Logic 

David A. Basin ${ }^{1}$ and Nils Klarlund ${ }^{\star 2}$<br>${ }^{1}$ Max-Planck-Institut für Informatik, Im Stadtwald, D-66123 Saarbrücken, Germany<br>${ }^{2}$ BRICS, Department of Computer Science University of Aarhus, Ny Munkegade, DK-8000 Aarhus C, Denmark


#### Abstract

We show how the second-order monadic theory of stringa can be used to specify hardware components and their behavior. This logic admits a decision procedure and counter-model generator based on canonical automata for formulas. We have used a system implementing these concepts to verify, or find errors in, a number of circuits proposed in the literature. The techniques we use make it easier to identify regularity in circuits, including those that are parameterized or have parameterized behavioral specifications. Our proofs are semantic and do not require lemmas or induction as would be needed when employing a conventional theory of strings as a recursive data type.


## 1 Introduction

Properties of functions over finite domains may be established by state space enumeration. Consequently, combinational logic circuits may be viewed as Boolean functions, and the equivalence of circuits may be shown by exhaustive testing-which in turn may be optimized using Boolean decision diagrams (BDDs). But when the domain is infinite, direct enumeration is impossible. For example, although we can apply state space enumeration to prove that a l-bit adder meets its specification, we cannot do the same for a parameterized $n$-bit adder.

There are similar problems in verifying temporal properties of a circuit that should hold over all instants of time. Typically such circuits are verified interactively, or semi-automatically using mathematical induction $[1,2,6,9,12,13,15]$; that is, a time-dependent property $P(n)$ is shown to hold for all instants $n$ by induction over $n$.

There is an alternative approach to such problems, however: find and analyze a finite characterization of the infinite state space. For example, an $n$-bit adder may be constructed by chaining together (ripplecarry style) $n$ full adders. The resulting circuit is regular in both the informal and formal sense. If we view the input/output relation of an $n$-bit adder as words of length $n$ over an alphabet describing inputs and outputs at each position, then the language that is the union of all these languages for $n=1,2, \ldots$ can be recognized by a finite automaton and is thus a regular language.

Recently, other groups of researchers, e.g., [7, 16], have presented methods that exploit this kind of regularity. In [16], parameterized circuits are not described as such. Instead, the automaton model is inferred by observing the behavior of circuits for $n=1,2 \ldots$ until some technical conditions indicate a fixed point. Alternatively $[7,8]$ identify classes of parameterized circuits that can be described by recursive BDD tree structures which, for certain classes, correspond to finite automata. While these techniques are novel and can be very effective, they have their drawbacks. In particular, circuits must be encoded directly as automata as opposed to more declaratively by functions or relations that mirror their structure. Similarly, behavioral specifications are encoded instead of being expressed in a more conventional specification language that admits logical connectives, functions, and the like. As a result, circuits and their specifications may be considerably more complex than what is possible in richer languages.

We report here on a logical characterization of regular circuits that generalizes the class of circuits describable by previous methods. We believe it gives a better understanding of when regularity can be exploited to prove automatically the correctness of circuits. Moreover, it allows specification closer to what is possible within richer specification languages.

Our work is based on a second-order monadic theory of strings, M2L(Str), and a system, Mona, that implements a decision procedure and counter-model generator for statements in this logic [10]. M2L(Str) is a very concise, but so far in practice unexplored, way of characterizing regularity. Operators in the logic formalize positions and sets of positions within strings and relate them by means of quantification and logical connectives. These connectives suffice to directly encode Boolean logic and all non-parameterized circuits. Quantification over sets of positions can encode parameterized circuits with regular connectivity like ripple-carry adders. The logic still admits a decision procedure and counter-model generator based

[^0]on constructing a canonical automaton for each subformula. As a result, tautology checking is decidable, although in non-elementary time (the lower bound is a stack of exponentials of height proportional to the size of the formula). Thus in principle, we can automatically verify the correctness of circuits relative to specifications that are also expressible in M2L(Str).

Perhaps surprisingly, we show here that verification is possible in practice too. In this report we document the automatic verification of a parameterized Arithmetic Logic Unit (ALU) and a timed flipflop in Mona. Moreover, we show how counter-model generation within M2L(Str) provides a useful tool for debugging and testing incorrect circuits and specifications. Hence, Mona provides not just a tool for circuit validation, but also for circuit development, debugging, and prototyping.

While the applications we present are new, it has been known for over 30 years that monadic secondorder theories define regular languages and hence are decidable. The staggering theoretical complexity seemed to preclude practical experiments. And the limited expressibility of M2L(Str) means that not all parameterized circuits or their behavior can be specified. For example, one cannot encode a network whose connectivity is non-regular (e.g., parameterized grids). Furthermore, specifications are limited in the amount of arithmetic that may be formalized; the slightly stronger logic WS1S allows one to express Presburger arithmetic, but little more [17]. Even when arithmetic operations are expressible, a specification in M2L(Str) may be less direct than one in a more expressive logic. As we shall see, arithmetic must be encoded as operations over strings.

Despite these obstacles, we were still able to solve interesting problems. For example, the ALU that we verified (see §3) required only half a CPU minute (on a SPARC station 20) and a couple of megabytes of memory; the largest intermediate automaton generated by Mona in this example contained 154 states.

We proceed as follows. In $\S 2$ we give an introduction to M2L(Str) and Mona. In $\$ 3$ we consider verification of parameterized hardware and verify a parameterized adder and ALU. In $\S 4$ we consider timed hardware and use Mona to analyze a D-type flipflop. Such memory devices involve feedback, and formal analysis of their properties is surprisingly difficult. We begin by considering a specification given by [6] that was verified by hand. We use Mona to generate a minimal counterexample to this specification and, through further experiments, we develop a correct specification. This demonstrates how M2L(Str) can be used not just as the basis of a yes/no decision procedure, but also as a tool supporting the development and analysib of complex circuits. In the final section we draw conclusions and make further comparisons.

## 2 The Second-Order Monadic Logic on Strings

We employ a theory M2L(Str), where a closed formula is interpreted relative to a natural number $n$, called the length. A first-order variable $p$ denotes a number $i, 0 \leq i<n$, called a position. A second-order variable $P$ denotes a subset of $\{0, \ldots, n-1\}$. Alternatively, a second-order variable can be viewed as designating a bit pattern $b_{0} \ldots b_{n-1}$ of length $n$, where $b_{i}$ is 1 if and only if $i$ belongs to the interpretation of $P$.

First-order terms are formed from first-order variables, and constructors of the form 0 (denoting the position 0 ), $\$$ (denoting the last position $n-1$ ) and $t \oplus i$ and $t \theta i$ where $t$ is a first-order term and $i$ is a natural number (denoting $j+i \bmod n$ and $j-i \bmod n$, where $j$ is the interpretation of $t$ ). Second-order terms are built from second-order variables, the constants empty and all (which denote $\emptyset$ and $\{0, \ldots, n-1\}$ ), and are combined using $\cap, U$, and $C$ (complement relative to $\{0, \ldots, n-1\}$ ). For $t_{1}$ and $t_{2}$ first-order terms and $S$ a second-order term, $t_{1} \in S, t_{1}=t_{2}, t_{1}<t_{2}, t_{1} \leq t_{2}$, and $t_{1} \geq t_{2}$ are formulas. Formulas are combined by the standard connectives $\neg_{2} \wedge, V_{1} \rightarrow$, and $\leftrightarrow$. There are two kinds of quantifiers: $\exists^{2}$ and $\forall^{1}$ over first-order variables and $3^{2}$ and $\forall^{2}$ over second-order variables.

As an example, the formula $\exists^{1} p: p \in P$ states that "there exists a position $p$ in $P^{m}$. More complex is

$$
0 \in P \wedge \forall^{2} p: p<\$ \rightarrow((p \in P \rightarrow p \oplus 1 \notin P) \wedge(p \notin P \rightarrow p \oplus 1 \in P)),
$$

which states that $P$ contains exactly the even positions among $\{0, \ldots, n-1\}$. We also view $P$ as a bit vector and write $P(p)$ for $p \in P$.

A formula $\phi$, with free variables, defines a regular language denoting the interpretations that make $\phi$ true. For example, the formula $\phi \equiv P=\left[Q\right.$ defines a language $L(\phi)$ over $B^{2}$, where each $\left(b^{1}, b^{2}\right) \in B^{2}$ denotes the membership status of the current position relative to the free second-order variables $P$ and $Q$. The language is then the set of words describing interpretations of $P$ and $Q$ that make $\phi$ true. For example, if we represent the letter $\left(b^{1}, b^{2}\right)$ as $\frac{b^{1}}{b^{2}}$ then

$$
{ }_{1001}^{0110} \in L(\phi) \text { and } \quad \begin{aligned}
& 011 \\
& 000
\end{aligned}(\phi) .
$$

This language represents the set of natural numbers $n$ such that $\phi$ holds when interpreted over a string of length $n$.

We can construct an automaton recognizing $L(\phi)$ by standard operations of product, subset construction, and projection. A closed formula $\phi$ corresponds to an automaton over a one-letter alphabet and is a tautology when the automaton accepts strings of all lengths. For any formula $\phi$ that is not valid, we can extract from its corresponding automaton a minimal length string defining an interpretation making $\phi$ invalid. We use this procedure to generate counter-examples to proposed theorems. The automata construction we use is standard (see [17]), however, the implementation is made efficient by using BDDs to compress alphabets, which are exponential in the number of free variables. Implementation details are given in [10].

## 3 Parameterized Hardware

In this section we specify and verify the correctness of a simple parameterized $\boldsymbol{n}$-bit ALU given in [14].

### 3.1 Preliminaries: Boolean Logic

Boolean connectives and quantification over Booleans are not part of M2L(Str), but can easily be encoded. In particular, each Boolean variable $b$ is encoded by a second-order variable $B$, and occurrences of $b$ in formulas are encoded as $0 \in B$. Quantification over Booleans ( ${ }^{\circ}$ and $\exists^{\circ}$ ) is encoded using second-order quantification. ${ }^{1}$ Non-parameterized circuits are then directly encoded using Boolean quantification and propositional connectives.

In hardware verification, circuits are traditionally represented as functions from inputs to outputs or as relations that hold between the port values. In the functional approach, components are connected by


Fig. 1. $n$-bit adder for $n=3$
functional nesting. In the relational approach, circuits are viewed as constraints and joined together using conjunction; internal wires are represented by shared variables that are existentially quantified (see [3, 6] for discussions on this). In our work it makes no difference which approach we use, we may even mix them.

To begin with we define gates as functions:

$$
\begin{aligned}
\operatorname{not}(a) & \equiv \neg a \\
\operatorname{and}(a, b) & \equiv a \wedge b \\
\operatorname{or}(a, b) & \equiv a \vee b \\
\operatorname{xor}(a, b) & \equiv \operatorname{or}(\operatorname{and}(\operatorname{not}(a), b), \operatorname{and}(a, \operatorname{not}(b))) \\
\operatorname{and3}(a, b, c) & \equiv \operatorname{and}(\operatorname{and}(a, b), c) \\
\operatorname{ar} 3(a, b, c) & \equiv \operatorname{or}(\operatorname{or}(a, b), c)
\end{aligned}
$$

We may then define functions that compute the sum and carry bits for an adder and combine these into a relation specifying a full one-bit adder.

$$
\begin{aligned}
\operatorname{sum}(a, b, c) & \equiv \operatorname{sor}(\operatorname{sor}(a, b), c) \\
\operatorname{carry}(a, b, c) & \equiv \operatorname{or}(\operatorname{and}(\operatorname{sor}(a, b), c), \operatorname{and}(a, b)) \\
\text { full_adder }(a, b, \text { out }, \operatorname{cin}, \operatorname{cout}) & \equiv(\operatorname{sum}(a, b, \operatorname{cin}) \leftrightarrow o u t) \wedge(\operatorname{carry}(a, b, \operatorname{cin}) \leftrightarrow \operatorname{cout})
\end{aligned}
$$

Consider now an example of a simple theorem in Mona: if Boolean variables $x, y, z$, cin, and coust fulfill the full-adder relation, then the outputs ( $z$ and cout) are uniquely determined given the inputs.

[^1]\[

$$
\begin{aligned}
& \forall^{\circ} x, y, \text { cin }: \exists^{\circ} z \text {, cout : full_adder }(x, y, z, \text { cin, cout }) \\
& \wedge \forall^{\circ} z^{\prime}, \text { cout } t^{\prime}:\left(\text { full adder }\left(x, y, z^{\prime}, \text { cin }, \text { cout } t^{\prime}\right) \rightarrow\left(\left(z^{\prime} \leftrightarrow z\right) \wedge\left(\text { cout }{ }^{\prime} \leftrightarrow \text { cout }\right)\right)\right)
\end{aligned}
$$
\]

Mona reports that this is a tautology in under 1 CPU second. That is, it reduces this formula to a 1-state automaton that accepts all strings; this indicates that there are no strings, of any length, that encode a counter-model to this formula.

### 3.2 Correctness of an n-bit Adder

We next turn to parameterized hardware. Figure 1 gives an example of this for $n=3$. In the general case, an $n$-bit adder is constructed by wiring together $n 1$-bit adders where the carry-out of the $i$ th becomes the carry-in of the $i+1 s t$. The first and last carry are special cases: the first carry has the value of the carry-in and the last has the value of the carry-out. We can directly specify this using two existentially quantified second-order variables $C$ and $D$ which represent sequences of carry-in and carry-out bits.

$$
\begin{aligned}
n \operatorname{add}(X, Y, Z, c i n, \text { cout }) \equiv & \exists^{2} C, D:\left(\forall^{2} p: \text { full_adder }(X(p), Y(p), Z(p), C(p), D(p))\right) \\
& \wedge\left(\forall^{2} p:(p<\mathbb{S}) \rightarrow(D(p) \leftrightarrow C(p \oplus 1))\right) \\
& \wedge(C(0) \leftrightarrow \operatorname{cin}) \wedge(D(\$) \leftrightarrow \operatorname{con} t)
\end{aligned}
$$

Having described an implementation, we now specify its functionality. M2L(Str) is a logic about strings and string positions, and an arithmetic specification must be encoded within this limited language. In particular, we encode addition as an algorithm over strings representing bit-patterns, i.e., binary addition. A simple way to do this is to mimic how addition is computed with pencil and paper. The ith output bit is set if the sum of the ith inputs and carry-in is 1 mod 2 , and the $i$ th carry bit is set if at least two of the previous inputs and carry was set. The Oth carry and the final values must be computed as special cases.

$$
\begin{aligned}
& \text { at_least_two }(a, b, c) \equiv(a \wedge b) \vee(a \wedge c) \vee(b \wedge c) \\
& \text { mod_two }(a, b, c, d) \equiv a \leftrightarrow b \leftrightarrow c \leftrightarrow d \\
& a d d(X, Y, Z, c i n, c o u t) \equiv \exists^{2} C: C(0) \leftrightarrow c i n \\
& \wedge \forall^{2} p: \bmod \_w o(X(p), Y(p), C(p), Z(p)) \\
& \wedge((p<\$) \rightarrow\langle C(p \oplus 1) \leftrightarrow a t \text { least_two }(X(p), Y(p), C(p)))) \\
& \wedge(\text { cout } \leftrightarrow a t \text { least_two }(X(\$), Y(\$), C(\$)))
\end{aligned}
$$

We may automatically verify that add and n_add are equivalent: Mona reports in one CPU second that the following formula is a tautology.

$$
\forall^{2} X, Y, Z: \not{ }^{\circ} \mathrm{cin}, \text { cout }: \operatorname{add}(X, Y, Z, \text { cin }, \text { cout }) \leftrightarrow n-\operatorname{add}(X, Y, Z, \text { cin, cout })
$$

Often we are interested in more than one property. With Mona, once preliminary definitions are made, it is easy to test them. For example, also in one CPU second Mona verifies that the $n$-bit adder computes a unique function from its outputs to its inputs:

$$
\begin{aligned}
& \forall^{2} X, Y: \forall^{\circ} c i n: \exists^{3} Z: \exists^{\circ} \text { cout }: \operatorname{nadd}(X, Y, Z, \text { cin, cout }) \\
& \wedge \forall^{2} Z^{\prime}: \forall^{\circ} \text { cout } t^{\prime}:\left(n_{-} \text {add }\left(X, Y, Z^{\prime}, \text { cin }, \text { cout }\right) \rightarrow\left(Z=Z^{\prime} \wedge(\text { cout } \leftrightarrow \text { cout })\right)\right)
\end{aligned}
$$

Alternatively, we have checked (one CPU second) that our specification defines a commutative operation:

$$
\forall^{2} X, Y, Z: \forall^{\circ} \text { cin, cout }: \operatorname{add}(X, Y, Z, \text { cin }, \text { cout }) \leftrightarrow \operatorname{add}(Y, X, Z, \text { cin, cout })
$$

### 3.3 Correctness of an r-bit ALU

We now apply our approach to a more complex circuit-a parameterized n-bit ALU. The circuit we analyze is presented in [14]. It is also an interesting theorem for comparison, since it has been recently verified in induction based systems CLAM and PVS (see comparison in §5).

ALU specification The ALU is designed to perform 8 arithmetic and 4 logical operations. The 12 functions are selected through 3 "selection" lines $s_{0}, s_{1}, s_{2}$ and the carry-in cin as described in table 1 . For example when the $s_{i}$ are 0 and cin is 1 the ALU increments the $n$-bit input $A$ and places the result in $F$, producing a carry-out when every bit in $F$ is set.

To specify the functionality of the ALU, we must specify each of these functional sub-units. We begin with abbreviations that define relational versions of the previously defined gates. For example:

$$
\begin{aligned}
\operatorname{notrel}(a, b) & \equiv \operatorname{not}(a) \leftrightarrow b \\
\text { andrel }(a, b, c) & \equiv \operatorname{and}(a, b) \leftrightarrow c
\end{aligned}
$$

Other relations used are defined analogously.


Table 1. Function Table for ALU

Using these we may directly define all of the logical and some of the simpler arithmetic functions.

$$
\begin{aligned}
\operatorname{transfer}(\text { To, From }) & \equiv \text { To }=\text { From } \\
\operatorname{compl}(A, F) & \equiv \forall^{1} x: \operatorname{notrel}(A(x), F(x)) \\
O R(A, B, F) & \equiv \forall^{1} x: \operatorname{orrel}(A(x), B(x), F(x)) \\
X O R(A, B, F) & \equiv \forall^{2} x: \operatorname{xorrel}(A(x), B(x), F(x)) \\
A N D(A, B, F) & \equiv \forall^{3} x: \operatorname{andrel}(A(x), B(x), F(x))
\end{aligned}
$$

The other function definitions require some basic arithmetic. For $b$ a Boolean encoded by a second-order variable $B$, define zero(b) to be $B=$ empty and one $(b)$ as $B(0) \wedge \forall^{2} p:(p>0 \rightarrow \neg B(p)$ ). We can now directly define the remaining arithmetic functions using the previously defined addition operator add.

$$
\begin{aligned}
& \text { add_no_carry }(A, B, F, \text { cout }) \equiv \exists^{\circ} \operatorname{cin}: z e r o(\operatorname{cin}) \wedge \operatorname{add}(A, B, F, \text { cin, cout }) \\
& \text { add_with_carry }(A, B, F, \text { cout }) \equiv \exists^{\circ} \text { cin : one }(\text { cin }) \wedge \operatorname{add}(A, B, F, \text { cin, cout }) \\
& \text { one_compl_add }(A, B, F, \text { cout }) \equiv \exists^{\circ} c i n: \exists^{2} C o m p: z e r o(c i n) \\
& \wedge \operatorname{compl}(B, C o m p) \wedge \operatorname{add}(A, C o m p, F, \text { cin, cout }) \\
& \text { two_compl_add }(A, B, F, \text { cout }) \equiv 3^{\circ} \text { cin : } \exists^{2} \text { Comp : one(cin) } \\
& \wedge \operatorname{compl}(B, C o m p) \wedge \operatorname{add}(A, C o m p, F, c i n, \text { cout }) \\
& \text { decrement }(A, F, \text { cout }) \equiv \exists^{0} v: \text { one }(v) \wedge \text { two_compl_add }(A, v, F, \text { cout })
\end{aligned}
$$

Now, using the following auxiliary definitions

$$
\begin{aligned}
i f_{3}(a, b, c, d) & \equiv(a \wedge b \wedge c) \rightarrow d \\
i f_{4}(a, b, c, d, e) & \equiv(a \wedge b \wedge c \wedge d) \rightarrow e
\end{aligned}
$$

we directly encode alu_spec( $s_{0}, s_{1}, s_{2}, A, B, F$, cin, cout) by specifying the function table (Table 1) as follows.

$$
\begin{aligned}
& i f_{4}\left(\neg s_{2}, \neg s_{1}, \neg s_{0}, \neg c i n, \text { transfer }(A, F)\right) \wedge i f_{4}\left(\neg s_{2}, \neg s_{1}, \neg s_{0}, \text { cin, increment }(A, F, \text { cout })\right) \\
\wedge & i f_{4}\left(\neg s_{2}, \neg s_{1}, s_{0}, \neg \operatorname{cin}, \text { add_no_carry }(A, B, F, \text { cout })\right) \wedge i f_{4}\left(\neg s_{2}, \neg s_{1}, s_{0}, \text { cin, add_with_carry }(A, B, F, \text { cout })\right) \\
\wedge & i f_{4}\left(\neg s_{2}, s_{1}, \neg s_{0}, \neg \operatorname{cin}, \text { one_compl_add }(A, B, F, \text { cout })\right) \wedge i f_{4}\left(\neg s_{2}, s_{1}, \neg s_{0}, \operatorname{cin}, \text { two_compl_add }(A, B, F, \text { cout })\right) \\
\wedge & i f_{1}\left(\neg s_{2}, s_{1}, s_{0}, \neg \operatorname{cin}, \text { decrement }(A, F, \operatorname{cout})\right) \wedge i f_{4}\left(\neg s_{2}, s_{1}, s_{0}, \operatorname{cin}, \text { transfer }(A, F)\right) \\
\wedge & i f_{3}\left(s_{2}, \neg s_{1}, \neg s_{0}, O R(A, B, F)\right) \wedge i f_{3}\left(s_{2}, \neg s_{1}, s_{0}, X O R(A, B, F)\right) \\
\wedge & i f_{3}\left(s_{2}, s_{1}, \neg s_{0}, A N D(A, B, F)\right) \wedge i f_{3}\left(s_{2}, s_{1}, s_{0}, \operatorname{compl}(A, F)\right) .
\end{aligned}
$$



Fig. 2. $n$-bit ALU ( $n=2$ )

ALU implementation The ALU implementation, as specitied in [14] is given in Figure 2. The corresponding M2L(Str) formula is encoded analogously to the parameterized adder. The only additional complication is that the description should be subdivided into two parts: an initialization block and a repeating ALU block. The first part, which we call init computes negations of the selection wires and conjunctions of them and their negations.

$$
\begin{aligned}
\operatorname{init}\left(s_{0}, s_{1}, s_{2}, v_{0}, v_{1}, n\right) \equiv & \exists^{\circ} n_{0}, n_{1}: \operatorname{notrel}\left(s_{0}, n_{0}\right) \wedge \operatorname{notrel}\left(s_{1}, n_{1}\right) \wedge \text { notrel }\left(s_{2}, n\right) \\
& \wedge \operatorname{and3rel}\left(n_{0}, s_{1}, s_{2}, v_{0}\right) \wedge \operatorname{and3rel}\left(n_{0}, n_{1}, s_{2}, v_{1}\right)
\end{aligned}
$$

The remainder of the ALU consists of the regular repetition of 1 -bit ALU sections. These sections also require the switching wires $s_{i}$ and the results of the init section computed on the wires $v_{0}, v_{1}$, and $n$.

```
one_nlu \((a, b, f, \operatorname{cin}\), cout \() \equiv \exists^{\circ} w_{1}, w_{2}, w_{3}, w_{4}, w_{5}, w_{6}, w_{7}, w_{8}:\) andrel \(\left(n\right.\), cin,\(\left.w_{1}\right) \wedge\) andrel \(\left(v_{1}, b, w_{2}\right)\)
    \(\wedge \operatorname{andrel}\left(v_{0}, w_{8}, w_{3}\right) \wedge \operatorname{or} 3 \operatorname{rel}\left(w_{2}, w_{3}, a, w_{4}\right) \wedge \operatorname{andrel}\left(b, s_{0}, w_{5}\right)\)
    \(\wedge\) andrel \(\left(w_{8}, s_{1}, w_{6}\right) \wedge \operatorname{crrel}\left(w_{5}, w_{6}, w_{7}\right) \wedge\) notrel \(\left(b, w_{8}\right)\)
    \(\wedge f u l l\) adder \(\left(w_{4}, w_{7}, f, w_{1}\right.\), cout \()\)
```

We may now combine the init block with ripple-carried 1-bit ALU units to specify the parameterized ALU. The ALU sections are hooked together as were the adder sections in the parameterized adder example.

$$
\begin{aligned}
\text { n_alu }\left(s_{0}, s_{1}, s_{2}, A, B, F, \text { cin, cout }\right) \equiv & \exists^{2} C, D: \exists^{0} v_{0}, v_{1}, n: \operatorname{init}\left(s_{0}, s_{1}, s_{2}, v_{0}, v_{1}, n\right) \\
& \wedge\left(\forall^{2} p: o n e \operatorname{alu}(A(p), B(p), F(p), C(p), D(p))\right) \\
& \wedge\left(\forall^{1} p:(p<\$) \rightarrow(D(p) \leftrightarrow C(p \oplus 1))\right) \\
& \wedge(C(0) \leftrightarrow \operatorname{cin}) \wedge(D(\$) \leftrightarrow c o u t)
\end{aligned}
$$

Mona verifies, in 27 seconds, the correctness of the ALU: when the inputs satisfy the circuit relation, they satisfy the ALU specification.

$$
\begin{aligned}
& \forall^{2} A, B, F: \forall^{0} s_{0}, s_{1}, s_{2}, \text { cin, cont }: \text { n_alu }\left(s_{0}, s_{1}, s_{2}, A, B, F, \text { cin, cout }\right) \\
& \quad \rightarrow \operatorname{alu} \text { _spec }\left(s_{0}, s_{1}, s_{2}, A, B, F, \text { cin, cout }\right)
\end{aligned}
$$

Other properties, such as the functional relation between the inputs and outputs, are also easily checked.

## 4 Timed Hardware

We now consider circuits with timed specifications and feedback. A good example is the standard implementation of a D-type flipflop as shown in Figure 3. Although this circuit looks simple, understanding and demonstrating its correctness is a difficult task. A thorough and very well-written analysis of this flipflop is given by Hanna and Daeche in [9]. ${ }^{2}$ They used Veritas, a theorem prover based on a higher-order logic, to give a comprehensive analysis using a partial description of waveforms. Their analysis is complex, and it took an experienced user a week to construct the proof.

Our starting point is a simpler model of this circuit proposed by Gordon in [6]. He used a discrete representation of time and assumed each gate had a delay of one time unit. The proof that the circuit meets its specification, which he notes "is fairly complicated" was done by hand only. The flipflop and Gordon's specification are easily encoded in Mona with Gordon's choice of timing parameters. To our surprise, our system generated the following counterexample (in only 9 seconds).


Fig. 3. D-Type Flipflop

| $D 11010100$ | $C K 10110010$ |
| :--- | :--- |
| $Q 10101111$ | $P 100010101$ |
| $P 211111111$ | $P 310100111$ |
| $P 41111101$ | $P 510101000$ |

One sees that the $D$ signal changes from 1 to 0 at the same time (instant 2) as the $C K$ signal goes high. Therefore the value 0 is incorrectly propagated to the output gate $Q$. The $D$ value is held constant for two time units before the rise of the clock as specified by [6], but the counter-example shows that the value must also be stable at the moment the clock rises.

Analysis of this failed proof attempt led us to discover that the theorem as stated in [6] does not hold without additional assumptions; in particular, that the circuit must not oscillate to begin with and that inputs $D$ and $C K$ are further constrained so as to prevent the circuit from becoming unstable.

To help us reason about events and intervals, we use the following predicates:

[^2]- the value of $F$ is stable in $\left[t_{1}, t_{2}\right]$ : stable $\left(t_{1}, t_{2}, F\right) \equiv \forall^{1} t: t_{1} \leq t \leq t_{2} \rightarrow\left(F(t) \leftrightarrow F\left(t_{1}\right)\right)$
$-t_{2}$ is the first instant after $t_{1}$ when $F$ becomes high: $\operatorname{next}\left(t_{1}, t_{2}, F\right) \equiv t_{1}<t_{2} \wedge F\left(t_{2}\right) \wedge\left(\forall^{2} t: t_{1}<t<t_{2} \rightarrow \neg(F(t))\right.$
- $F$ rises at $t$ :
rise $(t, F) \equiv t>0 \wedge(\neg F(t \ominus 1) \wedge F(t))$
- $F$ falls at $t$ :
fall $(t, F) \equiv t>0 \wedge(F(t \ominus 1) \wedge \neg F(t))$
Also, we use the higher-order predicate (also just a macro) eqpred (Out, $Q, I v a l$ ), where $O$ out is a secondorder term, $Q$ is a predicate $Q(p, I)$ with $p$ a first-order variable and $I$ a second-order variable. The predicate eqpred $\left(O_{u t}, Q, I v a l\right)$ holds if and only if for all $p, O u t(p) \leftrightarrow Q(p, I v a l)$. Thus $O u t$ is the result of evaluating $Q$ according to Ival. For example, eqpred $(P$, rise,$C K)$ holds if and only if $P$ is the set of time instants for which the clock goes high.


### 4.1 The circuit

The temporal behavior of a unit-delay nand-gate with inputs $I_{1}$ and $I_{2}$ and output $O$ is described by

$$
\operatorname{nand}\left(I_{1}, I_{2}, O\right) \equiv \forall^{\prime} t: t<\$ \rightarrow O(t \oplus 1) \leftrightarrow \neg\left(I_{1}(t) \wedge I_{2}(t)\right)
$$

If we call the corresponding predicate for three inputs nand $3\left(I_{1}, I_{2}, I_{3}, O\right)$, then the flipflop in Figure 3 is described by

$$
\begin{aligned}
\text { dtype_imp } \equiv & \operatorname{nand}\left(P_{2}, D_{1} P_{1}\right) \wedge \operatorname{nand}\left(P_{3}, C K, P_{1}, P_{2}\right) \wedge \operatorname{nand}\left(P_{4}, C K, P_{3}\right) \wedge \\
& \operatorname{nand}\left(P_{1}, P_{3}, P_{4}\right) \wedge \operatorname{nand}\left(P_{3}, P_{5}, Q\right) \wedge \operatorname{nand}\left(Q, P_{2}, P_{5}\right) .
\end{aligned}
$$

### 4.2 Stability analysis

In our model a simple flipflop may begin to oscillate due to a single negative spike:


One condition for the circuit to be stable is that the inputs do not change for a period of length input_stable_time. We define

$$
\begin{aligned}
\text { input_stable }(t) \equiv & t+\text { input_stable_time }-1 \leq \$ \\
& \wedge \text { stable }(t, t+\text { input_stable_time }-1, D) \\
& \wedge \text { stable }(t, t+\text { input_stable_time }-1, C K)
\end{aligned}
$$

to denote that inputs are stable for a period of length input_stable_time. ${ }^{3}$ For our purposes, we regard the circuit as stable if both flipflops connected to the inputs are stable, i.e.,

$$
\begin{aligned}
\text { circuit_stable }(t) \equiv & t+\text { circuit_stable_time }-1 \leq \$ \\
& \wedge \text { stable }\left(t, t+\text { circuit_stable_time }-1, P_{1}\right) \\
& \wedge \text { stable }\left(t, t+\text { circuit_stable_time }-1, P_{2}\right) \\
& \wedge \text { stable }\left(t, t+\text { circuit_stable_time }-1, P_{3}\right) .
\end{aligned}
$$

(Note that $P_{4}$ need not be restricted for the stability analysis.)

[^3]Stability preservation of the circuit can be expressed informally as: if the circuit is stable at some $t_{s}$ and if the inputs are held stable at $t_{i}$ then there is $t_{s}^{\prime} \geq t_{i}$ such that the circuit is stable at $t$. Thus, we define

$$
\begin{aligned}
& \text { stability_preserved } \equiv\left(\exists^{1} t_{s}: \begin{array}{c}
\text { circuit_stable } \left.\left(t_{s}\right)\right) \rightarrow \\
\\
\left(\forall^{2} t_{i}: \text { input_stable }\left(t_{i}\right) \wedge \text { " } t_{i} \text { not too close to } \mathbb{S}^{n \prime} \rightarrow\right. \\
\left.\exists t_{s}^{\prime}: t_{s}^{\prime} \geq t_{i} \wedge \text { circuit_stable }\left(t_{s}^{\prime}\right)\right) .
\end{array}\right.
\end{aligned}
$$

Here " $t_{i}$ not too close to $\$$ " is a condition that is necessary since formulas are interpreted over finite sequences only. We have chosen it to be simply true. But in general, some constant must be chosen so that the quantification $\exists^{1} t_{s}^{\prime}$ succeeds before "time runs out," i.e. before the finite segment of time that the logic is interpreted over ends.

### 4.3 Input requirements

Stability is not preserved unless the inputs are restrained. The clock signal must not form a negative spike of duration less than min_clock_low or a positive spike of duration less than min_clock. The $D$ signal must be stable for at least setup units before $C K$ rises. We define these conditions as

$$
\begin{aligned}
\text { input_requirements } \equiv \forall^{1} t: & (\text { fall }(t, C K) \rightarrow \text { stable }(t, \text { min_clock_low }-1, C K)) \wedge \\
& (\text { rise }(t, C K) \rightarrow \text { stable }(t, \text { min_clock }-1, C K)) \wedge \\
& (\text { rise }(t, C K) \rightarrow \text { stable }(t-\operatorname{set} u p, t, D)
\end{aligned}
$$

Now, with the choices


Mona proves the implication

$$
\text { dtype_imp } \wedge \text { input_requinements } \rightarrow \text { stability_preserved }
$$

in about 15 seconds. These constants are optimal. For example, if we lower setup to 1 , then the counterexample

$$
\begin{aligned}
& t_{i}=001000 P_{1}=001111 \\
& t_{s}=100000 P_{2}=111010 \\
& D=100000 P_{3}=111010 \\
& C K=00111 P_{4}=x 11010 \\
& Q=101010 \quad P_{5}=101010
\end{aligned}
$$

is produced. Here we have made $t_{s}$ and $t_{i}$ free variables so that Mona can generate a counter-example that identifies the exact spot of trouble. ${ }^{4}$ One clearly sees how the failure of maintaining the $D$ signal stable before the rise of the clock results in oscillations despite that the inputs are later kept stable.

The essential $D$-flipflop behavior is as depicted below: if the circuit is stable at $t_{0}$ and the clock rises at $t_{r}$, then falls at $t_{f}$ (after at least minclock units from $t_{r}$ ), and then rises again at $t_{r}^{\prime}$ (after at least min_clock_low units from $t_{f}$ ), then the value of $D$ at $t_{r}$ appears at $Q$ at time $t_{r}+$ stabilization and remains there until time $t_{r}^{\prime}+$ mem provided that the $D$ value is held constant in the period from $t_{r}-$ setup until $t_{r}+$ hold. This complicated set of circumstances is best illustrated in a diagram:

[^4]

Formally, we express these conditions as:

$$
\begin{aligned}
\text { dtype } \equiv & \forall t_{0}, t_{r}, t_{f}, t_{r}^{\prime}: \\
& \left(\text { circuit_stable }\left(t_{0}\right) \wedge t_{0}<t_{r} \wedge \text { rise }\left(t_{r}, C K\right)\right. \\
& \wedge\left(\exists^{2} P: \text { eqpred }(P, \text { rise }, C K) \wedge \text { next }\left(t_{r}, t_{r}^{\prime}, P\right)\right) \\
& \left.\wedge\left(\exists^{2} P: \operatorname{eqpred}(P, \text { fall }, C K) \wedge \text { next }\left(t_{r}, t_{f}, P\right)\right)\right) \rightarrow \\
& \left(\text { stable }\left(t_{r}+\operatorname{stabilization,~} t_{r}^{\prime}+\text { mem, } Q\right)\right. \\
& \left.\wedge Q\left(t_{r}+\text { stabilization }\right) \leftrightarrow D\left(t_{r}\right)\right)
\end{aligned}
$$

With the additional choices

| min_clock | 2 |
| :--- | :--- |
| hold | 1 |
| mem | 1 |

the implication

$$
\text { dtype_imp } \wedge \text { input_requirements } \rightarrow \text { dtype }
$$

is verified in about 15 seconds. Also, experiments show that these values cannot be lowered.

## 5 Statistics, Comparison, and Conclusions

The case studjes presented here were carried out over two weeks using the Mona system. This time included adding extensions to the system to generate counter-models and debugging of specification errors caused by the primitive front end supported by the current implementation.

It is instructive to compare our proofs with previous proofs of these circuits. The parameterized adder and ALU were also studied by Cantu using the Edinburgh Clam System [5] and by Cyriuk et. al. using PVS [4]. CLAM is a system that generates proofs by induction for a higher-order logic (a constructive type theory). Cantu's development took two weeks and the proof is constructed automatically (in about 6 minutes) by CLAM. His specification shares some similarities to ours, but differs in several important respects. He specified the circuit as a recursive function while we specified it as a non-recursive relation. Both are valid representation techniques, but note that we cannot write explicit recursive functions in M2L(Str). On the other hand, if Cantu had specified a recursively defined relation, the system he uses would have been unable to construct a proof. ${ }^{5}$

The ALU theorem was also verified using PVS. PVS is a semi-interactive theorem prover that features built-in simplifiers and decision procedures; for example BDDs are used for propositional reasoning. Users can control proof construction by writing proof strategies (similar to tactics in the LCF sense). In [4] the adder and the ALU are verified using the induction, normalization, and BDD features of PVS. The

[^5]formalization of these circuits is similar to Cantu's. Verification by induction of the parameterized adder is stated to last approximately 2 minutes (as opposed to our time of one second) although their proof of the ALU required only three times as much time ( 90 seconds versus our 27 seconds).

Reasoning about temporal properties of circuits like flip-flops can be carried out in systems based on different varieties of temporal logic. We believe, however, that the ability to refer directly to instants of time - instead of being restrained by a particular set of termporal modalities (which can be directly defined in Mona) - is a particular advantage when the behavior is as complex as that of the circuit studied.

As discussed in §4, verification of flipflops has been laboriously carried out in theorem provers based on higher-order logic and here the use of Mona brings real advantages. Of course, unlike interactive proof, our approach is inherently limited by the combinatorial explosion that follows when the number of variables or gates become bigger. However, being a subset of higher-order logic, our method is particularly suited for integration into traditional theorem proving systems and would supplement such systems in the same way as integration of BDD and model checking procedures $[4,11]$.

## Acknowledgements

The first author was funded by the German Ministry for Research and Technology (BMFT) under grant ITS 9102. Responsibility for the content lies with the authors. The authors thank Alan Bundy, Harald Ganzinger, Tom Melham, and Natarajan Shankar for their feedback on a draft of this paper.

## References

1. David Basin and Peter DelVecchio. Verification of combinational logic in Nuprl. In Hardware Specification, Verification and Synthesis: Mathematical Aspeets, Ithaca, New York, 1989. Springer-Verlag.
2. Albert Camilleri, Mike Gordon, and Tom Melham. Hardware verification using higher-order logic. In D. Borrione, editor, Fram HDL Descriptions to Guaranteed Correct Circuit Designs, pages 43-67. Elsevier Science Publishers B. V. (North-Holland), 1987.
3. Albert John Camilleri. Executing Behavioural Definitions in Higher Onder Logic. PhD thesis, University of Cambridge, 1988.
4. Cyrluk D., S. Rajan, N. Shankar, and M.K. Srivas. Effective theorem proving for hardware verification. In Second International Conference On Theorem Proving In Circuit Deisgn: Theory, Practice and Experience, Bad Herrenalb, Germany, September 1994.
5. 1994 Francisco Cantu, Edinburgh DAI. Personal Communication.
6. Michael J. Gordon. Why higher-order logic is a good formalism for specifying and verifying hardware. In G. J. Milne and P. A. Subrahmanyam, editors, Formal Aapects of VLSI Design. North-Holland, 1986.
7. A. Gupta and Allen L. Fisher. Parametric circuit representation using inductive boolean functions. In C. Courcoubetis, editor, Computer Aided Verification, CAV' 93, LNCS 697, pages 15-26. Springer Verlag, 1993.
8. A. Gupta and Allen L. Fisher. Tradeoffs in canonical sequential function representations. In Proceedings of the IEEE International Conference on Computer Design, October 1994.
9. F.K. Hanna and N. Daeche. Specification and verification using higher-order logic: a case study. In G.J. Milne and P.A. Subrahmanyam, editors, Formal Aspects of VLSI Design, pages 179-213. Elsevier Science Publishers B.V., 1986.
10. J.G. Henriksen, J. Jensen, M. Jørgensen, N. Klarlund, B. Paige, T. Rauhe, and A. Sandholm. Mona: Monadic second-order logic in practice. Technical Report RS-95-21, BRICS, Department of Computer Science, University of Aarhus, 1995.
11. Hardi Hungar. Combining model checking and theorem proving to verify parallel processes. In C. Courcoubetis, editor, Computer Aided Verificalion, CAV' 93, LNCS 697, pages 154-165. Springer Verlag, 1993.
12. Warren Hunt. Microprocessor design verification. Journal of Automated Reasoning, 5(4):429-460, 1989.
13. Warren J. Hunt. The mechanical verification of a microprocessor design. In D. Borrione, editor, From HDL Descriptions to Guaranteed Correct Circuit Designs, pages 89-129. Elsevier Science Publishers B. V. (NorthHolland), 1987.
14. M. Morris Mano. Digital logic and compuler design. Prentice-Hall, Inc., 1979.
15. T. F. Melhan. Using recursive types of reasoning about hardware in higher order logic. In International Working Conference on The Fusion of Hardware Design and Verification, pages 26-49, July 1988.
16. J.-K. Rho. and F. Somenai. Automatic generation of network invariants for the verification of iterative sequential networks. In C. Courcoubetis, editor, Compuler Aided Verification, CAV' 93, LNCS 697, pages 123-137. Springer Verlag, 1993.
17. W. Thomas. Automata on infinite objects. In J. van Leeuwen, editor, Hardbook of Theoretical Computer Science, volume B, pages 133-191. MIT Press/Elsevier, 1990.

[^0]:    * Basic Research in Computer Science, Centre of the Danish National Research Foundation.

[^1]:    ${ }^{1}$ For example the Boolean formula $\forall 0 x, y: \neg(x \wedge \neg y)$ is encoded as the $M 2 L(S t r)$ sentence $\forall^{2} X, Y: \neg(0 \in X \wedge \neg(0 \in$ $Y)$. Input to Mona consists of a sequence of definitions and a formula to be proved. The definitions are expanded using the Unix m4 macro processor and emacs macros. To spare the reader from concrete Mona syntax we will take liberties with syntax in what follows, for example manually pretty printing formulas.

[^2]:    ${ }^{7}$ Hanna and Daeche challenge the reader (page 193):
    "It turns out, on analysis, that the modus operandi of this circuit is far from simple: in fact, it is unusually complex, and (so the authors found) difficult to understand intuitively. (If, like most people, you find this remark difficult to accept at face value, read the rest of this account, then set it aside, and attempt, within (say) one working day, to come up with a carefully justified account of 'how' the proposed implementation is intended to function...)"

[^3]:    ${ }^{3}$ We here use + instead of $\oplus$. The formula $t<t^{\prime}+3$ holds if + is interpreted in the usual sense without "wraparound." We need the conjunct " $t+$ input_stable_time $-1 \leq \$^{n}$ to prevent $t$ from lying too close to the end.

[^4]:    ${ }^{4}$ Note that $t_{i}$ and $t_{\text {, are }}$ first-order position variables. These are actually encoded in Mona as second-order variables
    

[^5]:    To the best of our knowledge, all systems automating proof by mathematical induction are geared towards reasoning about recursively specified functions, but not recursively specified relations. Indeed, some provers used for hardware verification, such as NQTHM, are so biased towards functions that they cannot represent hardware specified relationally (e.g., they lack existential quantification).

