Eliminating Higher-Order Quantifiers to Obtain Decision Procedures for Hardware Verifcation*

Klaus Schneider 1 , Ramayya Kumar 2 and Thomas Kropf 1

1 Universit~t Kaxlsruhe, Institut ffir Rechnerentwurf und Fehlertoleranz, (Prof. D. Schmid), P.O. Box 6980, 76128 Kaxlsruhe, Germany,

e-maih {schneidellvropf} Gir a.uka.de 2 Forschungszentrum Informatik, Hald-und-Neustrafle 10-14, 76131 Karlsruhe, Germany,

e-maihkumar@fzi.de

Abstract . In this paper, we present methods for eliminating higher-order quantifiers in proof goals arising in the verification of digital circuits. For the description of the circuits, a subset of higher-order logic called hardware formulae is used which is sufficient for describing hardware specifications and implementations at register transfer level. Real circuits can be dealt with well as abstract (generic) circuits. In case of real circuits, it is formally proved, that the presented transformations result in decidable formulae, such that full automation is achieved for them. Verification goals of abstract circuits can be transformed by the presented methods into goals of logics weaker than higher-order logic, e.g. (temporal) propositional logic. The presented transformations are also capable of dealing with hierarchy and have been implemented in HOLg0.

1 I n t r o d u c t i o n

Higher-order logic is well suited for hardware verification [Gord86, Joyc91], but un- fortunately this logic is neither decidable nor recursively enumerable. Hence, no form of automation is available for the entire logic, although automation is an essential prerequisite for getting verification tools usable by VLSI designers. However, in the limited context of hardware verification, first results have been achieved to automate parts of hardware proofs in higher-order logic by using a definite sequence of trans- formation steps and first-order proving techniques [ScKK91a, KuSK93]. The work presented in this paper establishes a set of eff• algorithms aimed at a further automation of hardware correctness proofs in higher-order logic. To our knowledge, for the first time, decision procedures for a certain class of higher-order formulae are presented. This class is sufficient for describing hardware specifications and imple- mentations at register-transfer level. The basic idea of the presented procedures is the elimination of higher-order quantifiers such that formulae of weaker logics are obtained which can then be proved be appropriate automated theorem proving tools. We always try to achieve the "weakest possible" logic, since the weaker the logic the more efficient the proof techniques are. Indeed, proof goals arising from real circuits

* This work has been partly financed by a german national grant, project Automated System Design, SFB No.358.

386

can always be transformed into equivalent formulae of (temporal) propositional logic and hence the proof can be done automatically and also very efficiently.

Quantifier elimination methods have been an early interest in the research of mathematical logic [Acke35a] and they still belong to recent research in this field [GaOh92]. For example, the SCAN algorithm [GaOh92], is able to eliminate quan- tifiers in the following ways: 3P.[(P V Q) h (-~P V R)] is equivalent to Q v R, and more difficult ~P.[(P(a) V Q) A (-~P(b) Y R)] is equivalent to (a = b) ~ (Q v R). As another example, HOl.'s unwind library uses the following elimination theorem for eliminating combinatorial internal lines in circuit descriptions which occur in the formalisation of implementations [ItaDa86]:

[3ect.(e(t) ~ Aft ) ) ^ ~[/(t)]] ~ [Vt.~[za(t)]]

Sequential llne variables, i.e. outputs of flipflops and registers cannot be eliminated by the above mentioned theorem since they are used to store information. In this paper, further elimination rules are presented for eliminating all internal line qnan- ~ifiers including sequential lines. As a result a decision procedure for real circuits is obtained which is especially useful to verify complex data paths and controllers, since the interactive proofs of these circuits in a higher-order logic environment are quite tedious and time consuming. The main idea of this approach, however, carries over to abstract circuits, too.

In section 2, we define the subset of higher-order logic we use for describing hardware. In section 3, we describe the quantifier elimination methods and in section 4, we prove the decidability of our verification goals for real circuits and indicate a decision procedure. Section 5 demonstrates the presented proof tactics by proving the equivalence of two circuits. In the last section, we summarize the results and discuss our future work.

Before giving the basic definitions, we explain the used notation: IB denotes the set of boolean values and IN is the set of natural numbers which are identified with canonical terms: 0,SUC(0),SUC(SUC(0)), . . . . YAs is the truth value of the propositional formula ~o under the interpretation I and a =~ fl [ 7 means: if a then fl else 7.

2 H a r d w a r e F o r m u l a e

In this section we give the definition of a subset of higher-order logic called hardware formulae which are used to describe the behaviour of digital circuits. This description is based on the consideration that digital circuits are complex finite state systems, and hence corresponding notions such as output and state transition functions are found. The concept of this description goes back to Hanna and Daeche [ttaDa~6] and a detailed description of these formulae can also be found in [KuSK93]. In contrast to simple finite state machines, these formulae can contain an additional subformulae R for handling hierarchy and complex data types. If we neglect this formula N, i.e if we assume N = T, then the obtained subclass is as powerful as finite state machines. If the formulae N are arbitrary quantifier-free formulae, then a subclass called simple hardware formulae is obtained, which has some decidable properties (section 4). In an application, these quantifier-free formulae could stem

387

from parts of the implementation which have not been expanded or which have been replaced by their specification according to a previous correctness result. More powerful descriptions can also be obtained by arbitrary formulae ~ as these formulae can themselves be hardware formulae which thus leads to hierarchical hardware formulae. These hierarchical hardware formulae can be used to specify and verify larger circuits, with the advantage that small portions of the entire proof can be done step after step. Last but not least, ~ can be used for the description of generic n-bit circuits which are defined by primitive recursion. In those cases, ~ is the n-bit circuit which is used to implement the n + 1-bit circuit in the recursion step.

The main focus of this paper is the set of simple hardware formulae, but the presented quantifier elimination methods are independent of the rest formulae ~.

Def in i t ion 2.1 ( H a r d w a r e Formulae) Given that ~ := ( i l , . . . , im),b" := (Ol, . . . ,on), ~':----(s q' :-- (ql , . . . ,qI) are tuples of variables of type r~ -~ m and the formulae ~ ( p ' ) , ~ ( ~ , ~ ( ~ are quantifier-free formulae with the variables f := (Pl,.- . ,Pm+~+l) of ~ype IB, all for- mulae 7i(~, O3 of the following form are called hardware formulae x :

~(~, o3 := ai.%vt. [ ~'(t) ~ ,~(r(t), ~'(0, q-'(t))] ^ (q~O) ("* o~)A (q"(t + I ) - ~(~(t),Z(t),q~t)))]A

o~t) .. ~(~(t), ~(t), q-(t))] A

The variables COMB(7~(i', O3):=2[s SEQ(7/(i', O3):= {ql , . -- , q:}, IN(~/(i', o~) := { i l , . . . , im} and OUT(H(/,O3) :-- {Ol,. . . , o,} are called the combinatorial, sequential, input and output variables, respectively and t denotes the time variable.

is an arbitrary rest formula, which can also be a hardware formula itself. Hardware formulae also have to fulfill the following two restrictions:

1. Given the relation R on COMB(?/(~',O3) x COMB(?/(r, O3), such that tj R s means s occurs in Ai(~(t), g'(t), q'[t)), the transitive closure of R (called as the d e p e n d e n c y re la t ion) has to be acyclic.

9. For each variable belonging to COMB(Tt(i', O3) U SEQ(7~(i', O3) U OUT(7/(i', o-3) 2 there exists exactly one equation in 7r with the variable occurring on the

left hand side applied on the time variable t.

We denote the set of hardware formulae over a given signature ,U by 7/W~:.

I By the equivalence of tuples of formulae ~ *-* ~ we mean the conjunction of the equiva- n

fences of the corresponding components A (~i ~ ~bj). j=o

2 In case of a s equen t i a l llne qu E SEQ(7t(t~ ~) , we cons ide r t h e f o r m u l a (q~,(0) ~ w . ) A

(qu(t 4- 1) *-, J2~(~'(t), [(t), ~t))) as one equation, since it is equivalent to qu(t) ~-, (t = O) =~ w. ] D~.(~(t -- 1), [(t -- 1), ~ t - 1)).

388

3 T r a n s f o r m a t i o n s on H a r d w a r e F o r m u l a e

In general, hardware proof goals look like F- 7/(i', 5) --~ P(i', 6) where ?t(~, 6) e 7r is the description of a circuit and 7~(i ", 6) is a property or an entire specification of the circuit, e.g. a safety or liveness property [Gupt92]. The only free variables of 7~(~, ~ are input and output variables i', 6 of 7r 6).

In this section, we will show how the higher-order quantifiers of the hardware formulae can be eliminated in the general proof goals I- ?/(i', ~ - . ~(i', 6) and also in the special cases of the form l- 7/a(~,o') --* 7/~(i', o-') where P(i,o-) is a hardware formula.

In the next two subsections, we will first outline the principles of quantifier elimination over line variables and in the following subsection, we show how these principles are used in a proof procedure.

3.1 E l i m i n a t i o n o f Combinator ia l Lines

As the dependency relation of the combinatorial line variables has to be acyclic, tj cannot occur in its definitional equation Aj(-((t),g(t), q'~t)). Thus we can substitute gj(t) in the remaining formula by Aj(-((t), [(t), q"(t)) according to the theorem

A multiple application of this theorem eliminates all combinatorial lines [KuSK93]. Thus without any loss of generality, we only consider hardware formulae without combinatorial line variables.

3.2 E l i m i n a t i o n of Sequent ia l Line Quant i f ie rs

The elimination of sequential line quantifiers is not as easy as in the combinatorial case. Since the sequential line variables are used to store information, they can in general not be eliminated. In some special cases, however, sequential lines can be eliminated [KuSK93], but we will not consider these cases in this paper. Instead, we show how here the sequential line quantifiers can be completely eliminated without eliminating the sequential line variables. For this reason, we define for each hardware formula, the corresponding state transition formula by:

D e f n i t i o n 3.1 (S ta te Trans i t ion Formula) For each hardware formulae 7t(~, o~ E 7"[~V.v as given in definition ~.1, the corre- sponding state transition formulae S~(i~ is defined as:

:= 31 31 .vt. ^

+ qV,)]

where 3t denotes unique existence.

389

In this formula the state transition function of the circuit is described, while the rest of the hardware formula consists of the output function and the rest formula. The procedures of the next section make use of the following theorem:

T h e o r e m 3.1 For each 7/(~', o-*) E 7/)4~, I- $ x ( ~ is a theorem.

Proof. State transition theorems are eonsequents of the primitive recursion theorem of the natural numbers which is given below:

I l- Vo~V$2.Slf.(I(O) = w) A (Vn.f(n + 1) = 12 (fn) n) I

In this theorem, w has an arbitrary type ~ , f has type IN ~ q and /2 has type c, --. IN --, c, (c~ is a type variable [Andr65]). Given a state transition formula, we first eliminate the combinatorial line quantifiers and obtain a sequential state transition formula which has the following form:

I Su (~ :'-Bg.Vt. [(~(0)~--, ~ ) A (q'(t + I)+-~/2(i'(t), q-(t)))] I

Now we instantiate 113 n for (~, ~ for w and Ab.At./2(g, t) for 12). After applying fl- reduction, the following theorem is obtained:

[" 31f [f(0)~-~] A [Vt.f(t-Jr" 1)= /2 ( f ( t ) , t ) ]

Now, assume //k(B) denotes the ]cth projection of a tuple B. Then we replace f ( t ) by ( / / l ( f ( t ) ) , . . . , / / ,~ ( f ( t ) ) ) , f(0) by ( / / l ( f (0 ) ) , . . . , / / n ( f (0 ) ) ) and f ( t Jr 1) by (H1 ( f ( t + 1)) , . . . , f ln(f(t + 1))). Using the fact that two tnples are equal if and only if the corresponding components are equal, yields finally in:

31.~ (i=AiIIi(-~(O)) +-'wl) A (~=~ Hi(f(t q'1)) +-~ lTi(Ill(f(t)), ' . . ,IIn(.f(t))))

In order to prove , ~ (/"), we add the theorem above to the assumptions and instantiate a new variable f for its quantified variable. Then we instantiate At.(//i(f(t))) for ql on the right side of our proof goal. The rest of the proof is easily done by fl-reduction and rewriting.

Instead of using state transition theorems for eliminating sequential line quan- riflers, one might think of instantiating these quantifiers by the solution of the re- cursion equations of the sequential lines. This solution can be written as a fixpoint as follows: Assume that a given fixpoint operator ~" has the following property: f(yzf) = ~ f , i.e. ~ ' f is a fixpoint of f . Then the solution of q = )~t.(t = O) ~ ~ [ Y2(q(t - 1)) would be the fixpoint of Hq := ,Xf.~t.(t -- 0) :* v [ f2(f(t - 1)) and can therefore be written as Yz(J~f.~t.(t = O) :* oJ I 12(f(t - 1)).

However, the definition of the fixpoint operator .~ is not straightforward in HOL, as it has to be shown that a solution of the recursion equation exists. Of course, we

390

can define ~" := e z . z = f z , where e is Hilbert's Choice-operator 3. It is easy to prove with this definition that ~z.(z = f z ) I- f ( . T f ) = .T f , so what remains is to show the existence of the fixpoints. In case of the natural numbers, this requires again the proof of the primitive recursion theorem. In books about the theory of functional programming languages like [Jone87, Gord88c], fixpoint operators are often defined as ~ := A h . ( A z . h ( z z ) ) ( A z . h ( z z ) ) , but this does not work in typed lambda calculus as z has no finite type.

In the next subsection we use state transition theorems to eliminate quantification over sequential line variables.

3 .3 E l i m i n a t i o n o f L i n e Q u a n t i f i e r s i n H a r d w a r e P r o o f G o a l s

G e n e r a l p r o o f goals. The elimination of 3-quantifiers in the antecedent hardware formulae of I- 7~(~', o-') --* 7~(~ ", o') is quite trivial and straightforward. Usual sequent calculus rules are used to eliminate the implication and all the 3-quantifiers in the hardware formula. Furthermore, the V-quantifier is shifted inwards to the conjuncts it binds, and the conjunctions are eliminated according to sequent calculus rules. Thus, we obtain the following result:

[Vt. I(q~O ) ~,~)A (q]t + I)*-~ ~(~'(t), q]t)))] ;] vt. +-> 6(7'(0, {01]

Now all formulae on the left side of the sequent are formulae of first-order logic provided that ~(~', g, q-) is a formula of first-order logic 4 as well. The equivalences on the left side can now be used to rewrite the whole proof goal. Therefore we can eliminate the equations for the output variables and obtain the sequent:

~(i, At.~[i(t), q'[t)], q')

The rest of the proof depends crucially on the structure of ~(i', ~t.6[i'(t), q-'(t)], q3 and 7~(i', M.6[i'(t), q-It)I), thus the general proof paradigm ends here but can be extended for special structures as shown in the next subsection.

P r o o f goals a t t he same level o f abs t r ac t i on . In this subsection, we consider proof goals of the form F ~t~l(l , O') ~ ~'~2(i', O'). As these proof goals are specialized forms of the general proof goals, the same operations can be performed to obtain a sequent of the form:

3 Given that P has a type ~ --* 113, e z .P z denotes some member of the set whose charac- teristic function is P.

4 However, it might not be a theorem of first-order logic, since the knowledge of the natural numbers is only implicitly assumed. Note that Pemao's axioms are not expressible in first- order logic and that the theory of the natural numbers is not even recursively enumerable.

391

r3r .vt. 1 rvt.[(~,(0)++~,) ] / [ (f~(0)++~) /

L ~l(~, At.li[i(t), fx(t)], f~) J

Making use of the fact tha t all s ta te transit ion theorems are valid, the l emma P #

sumption in the antecedent of the sequent given above. Then usual sequent calculus rules are used to instantiate the higher-order quantifiers on the left side with new variables, i.e. variables which do not occur free in the considered sequent (e.g. choose the variables q~ themselves). Now the quantifiers on the right hand side can be in- s tant iated. In contrast to the instantiat ion on the left side of the B-quantifiers, the instant iat ions on the right side can be done with an arbi t rary terms. Therefore, we use exactly the same variables for instantiat ion as on the left side. Additionally, we instant iate the V-quantifier on the right side with a new variable t. As a result we obtain:

~vt./~'(r' ~,,.~,ir(t), ~-,(t)], ~ ' , ) ) ; i ( ~ . ~ ( o ) +-+ <~,) ~ /[~,(r(,),f!(t)).->,~o(t), ~'~(t))j ̂ / L "(~',('+')'-'a:r L~+,~,.<:(,),~',(,)I,+',) J

Next we use the rule for el iminating conjunctions on the right hand side, thus we obtain the subgoals:

- . . ~ (r ~ ) ^ (r + 1 ) ~ ~(r(~), r

- . . . ~- [,&(i'(t), ~',(0) .->,~(i'(t), r ^ ~(r , ~,t.,~[r(O, ~',(t)], ~'~)

The first goal is immedia te ly solved as the succedent occurs on the left side as well. The remaining goal is therefore:

'l~l(~(t), q*l(t)) ,(--i. #2(i'(t), q'2(t)) ^1 /~, (i, ~t.~l [i(t), q', (t)], q',); [~2(i, )~t.~, [i(/), q', (t)], q2) 1 /Vt. [(q'z(O) ,--, ~2)

L + ' ) - I f we abbreviate the conjunction of the equations for q'1 and ~'~ b y / ' , then the goal l- 7/1(~o3 ~ 7/2(i'.o3 is first split into the two subgoals F 7/l(i', o3 -+ 7/~(i', O3 and I- 7r O3 --* 7/z(i, O3 which are then t ransformed by the above tactics into the following four subgoals:

1. r I-- ~ i (i', .~.~l [i'(t 1, ~, (Ol, f , ) -.+ ~t(i', .~.,~, [7"(0, r (t.)l, ~'~ ) . ~. r v ~,(r, ~.,~, [i'(O, r r --+ t%(r(O,y,(O) +-+ ~( i ' (O, r 3. r i- ~,(i', ~t.#,[7(O, 6(0], 6) --+ ~,( i , ,~.~,[ i (O, 6(0 ] , ~',)

392

4. r 4.,(0)

Note that if the additional formulae ~1 and ~2 do not occur in the formulae 7r 5*) and 7/2(i',o-'), all subgoals above are all equivalent to each other. Thus, we have proved the following theorem:

T h e o r e m 3.2 (Equivalence of Simple Ha rdwa r e Formtdae~ Given two hard- ware-formulae 7"lx(i,o~, 7-l gi , ~ with no additional formulae ~a~i, if, qx), ~:~, 3, 6 ) the following holds: ~- 7"11(i, o 0 --* 7"12(-(, 5) is a theorem lift- 7"12(i, 5) ~ 7/x(i, 6) is a theorera.

According to this theorem, the three theorems I- 7~1(i', ~ --* 9/2(~, ~ , I-" 7/2(~*, o 0 --~ 7/1(~', o0 and I- 7/1(~*, 6) *-* 7/2(t, 5) are equivalent to each other. The proof of the equivalence of simple hardware formula is therefore halved by this theorem. In general, proof goals of the following form are obtained which we call Finite State Machine goals or shorter FSM-goals:

] Vt. [ ( 4 . ( 0 ) ~ 0 ) A (4.(t + 1 ) ~ Y2(~'(t), 4.(t)))l F Vt.#('~(t),~t)) ]

The left hand side of these goals describes a state transition system which has the state sequence 4" for a given input sequence ~. If this goal has been obtained by the transformations of this section, then the state transition system is the product machine of the two considered hardware formulae. In the next section, we prove the decidability of the validity of these FSM-goals. Moreover, various decision procedures [ScKK93d] have been implemented in HOL90 for proving these goals.

3.4 Comple teness of t he T rans fo rma t ion

Having proved the correctness of the transformation, the question arises, whether the resulting subgoals are provable for each valid input sequent. The elimination of propositional operators is uncritical, since the resulting subgoals are equivalent to the original sequent. However, the deletion of the quantifiers could be critical, as in general there are formulae which can only he proved when several instances of the quantified formulae are made 5. In the instantiations occurring in the pre- sented procedure, however, exactly one instantiation is always sufficient, as the state transition theorem states that there is exactly one tuple of line variables satisfy- ing the state transition formula. As unique existence is defined as 31x..A(z) :r ~x.A(x)] A ~Vxy.A(x) A A(y) --~ (x = y)], further instances have to be identical to the previous ones to satisfy the state transition formula which is a theorem. Thus further instances add no further information and are therefore useless.

In the domain of hardware verification, often multiple recursion is required. For example, if one wants to describe a periodic signal 110110110 .... the following defi- nition for a variable q can be given (which we call 3-recursive for obvious reasons): (q(0) *-* T) A (q(1) *-~ T) A (q(2) ~-* F) A Vt.(q(t + 3) *-* q(t)). However, the presented tactics do not work with multiple recursion. But it is well known that any n-recursive definition can be replaced by n 1-recursive definitions.

5 For example, in the proof of the theorem ~- (Vz.P(z) A Q(x)) --~ (P(a) v Q(b)) two instantiations of the quantified formula are necessary.

393

4 Decidability of Simple Hardware Formulae Equivalence

In this section we present a decision procedure for the goals resulting from the trans- formations of the previous section provided that ~ is a quantifier-free formula. The procedures might also work for more complicated formulae ~, but then the decid- ability cannot be guaranteed. Some theoretical background is required for proving the decidability:

L e m m a 4.1 (P ropos i t i ona l Abs t r ac t i on ) I f the outermost universal quantifiers of a higher-order formula ~o are removed and the atomic and quantified subformulae are replaced by propositional variables, the resulting formula r is called the proposi- tional abstraction of ~o. I f r is a tautology, ~o is a theorem of higher.order logic as well, otherwise nothing can be said about the validity of ~o.

The next lemma is used to enhance the efficiency of propositional abstraction:

L e m m a 4.2 (Rewr i t e L e m m a ) Given a quantifier-free formula T(ot i , . . . , ~n) with atomic formulae c q , . . . , ~n and some other formulae ~ol, . . . , ~on which do not depend on the ~s 's, the following holds s (F is allowed to contain more atoms than the oej 's and not all ~i 's have to occur in Y.):

/ • ( • i ~ ~oj) b T ( ~ I , . . . , a , ) is a theorem iff k- T(~0a,...,9~,) is a theorem #=1

As a consequence of this lemma, the efficiency of automated proof procedures can be enhanced, since the antecedent can be totally neglected after rewriting with the assumptions). In order to apply this lemma on FSM-goals where m is the largest constant such that t + m occurs in the right-hand formula Vt.~(~t), ~(t)), we first make the copies q'~t + j + 1) *-* ~(q~(t + j) , i'(t + j)) for j E {1 , . . . , m - 1} on the left hand side.

As there is no decision procedure for temporal propositional logics in HOL, we convert the FSM-goals into equivalent propositional formulae. For this reason, we prove the following lemma and theorem. The formulae ~o,7 and ~ ,7 defined in the next lemma represent the states which are reachable in j steps from the initial state and from the state q-~t), respectively (first i tem of the lemma) with the inputs i '(0), . . . , ~'(j) and i ' ( t) , . . . , i(t + j) , respectively.

L e m m a 4.3 ( Ins t ance L e m m a ) Defining the tuples of formulae ~o,7 and ~.'~ v j _ j

"so := w0, ~'#+1 := '-'0 := ~ t ) and v#+ 1 :=

~(O~':, ~(t + 3")) and given that r := [q~O) ~ ~'0] A Vt. [q~t + 1) ~ ~(q~t), ~(t))] and t is a variable, the following holds:

[(A" )) )] s It has not been stated that I- #=1(a# +-+ ~# --> T(ai ..... a, ~ T(~i,...,~,) is

a theorem. This is not the case since the simple example [(a +-+ b) -+ a] +-+ b is not a tautology (interpret a :--- T, b :---- F).

394

1. F F- ~ j ) 4-~ ~oJ and F F- Vt.q"(t + j) +-+ 0;'~ for all j E IN.

e. r F- vt .~(~O, ~(0) iff F- ~(~.,:, ~(j)) holds/or all ~ e IN.

s. zf r y vt.~(~t),~'(0), then there is a nau,~l number, such that V ~(~o,: ~'(n))

P~oo:. i is obtained by induction over j and the definition of ~0': and ~':. 2 is obtained in two steps, first we have r F- Vt.~(~t), r(0) ifr r F- ~(~j), f(~)) for all j e IN and second r F- ~(~j),~'(j)) iV F- #(~o,:, f(j)) for all j e IN (the fi~t proposition is a conclusion of the fact that the natural numbers have a unique model (up to isomorphisms) and the second is a consequence of the rewrite lemma using 1). Proposition 3 is a consequence of proposition 2. The following theorem can be viewed as a 'pumping lemma' for hardware formulae.

T h e o r e m 4.1 (Decidabi l i ty) Given a goal F I- Vt.~(q~t), ~(t)) and the forrau-

tae ~oS and ~'~ as de~ned in L~mma ~.S, there i, a numb~ ~o, such that r F-

Vt.O(q'(t), i(t)) holds iffF- 0(~o,,, i(j)) holds for all ca,onical t~rms j < "o. Moreover no can be effectively computed, thus the validity of the considered goals is decidable. The number no is called the sequential depth of the problem.

Proof. We prove the statement: there is a number no, such that F- 0 ( 0 ~ ~(j)) holds

for all canonical terms j E IN iffF- o(~oj,~'(j)) holds for all canonical terms j < no which is equivalent to theorem 4.1 according to item 2 of lemma 4.3. '=~:' is trivially true no matter what we choose for no. 'g=:' We show the equivalent formulation: qk E IN. ~ O(~0J, i'(k)) implies 3j <

no. ~ ~(~oj , ~'(j)). Let A4o := {~0,r I k E IN} and ~) be the set of all (propositional) interpretations of A4o. Then we define the equivalence relation ~ on ~ • .Ms by:

(z~, ~ ,~) ~ (~,0 ~ : , , ~z',(~ ,r) = v.4c,~(~o, r)

As IL4s ~ E IB Ir ~. has only a finite number of equivalence classes (at most

21q'l). Let S := {so,..., s~} be these classes and let re(s) be the least k such that ] I e ~.(I , 0~'~) ~ s, then we define no := maz{m(s) I , e s y . Now we can

(0~") = ~1s ~ A j _< no. Thus no has conclude: V(I1, O~ O~163 " " the required property: Assume there is an interpretation I1 which does not satisfy

#(~0J, ~(k)), then there is also an interpretation I~ which does not satisfy a formula

#(O~';',i'(j)) with j < n0. F F- Vt.#(~t), ~'(t)) A decision procedure for our goals would thus be the follow-

no ing: Compute no by a state traversal (maybe outside HOL) 0 s 0,~ t

I- A ~(~o,~, ].(j)) and prove all F- # (0 , '", ]'(j)) with j < no. As # (0 , , ]'(j)) has d - - .~ d

~=0 (j + 1)-[/~ variables, the proof ofF" r r(j)) is of order

Fig. 1.: SEQ_TAC O(2(J+l)'li]), thus the complexity of this decision procedure

r Having a look at finite state machines, these definitions become clearer: S is the set of all possible states aa~d re(s) is the least number of inputs to reach the state s from the initial state, no is the least number of inputs required to reach every reachable state.

395

is of order O(2("~ This decision implemented as a tactic called SEQ_TAC (figure 1).

procedure has been

5 A C a s e S t u d y

In this section, we demonstrate the use of the previously described methods by proving the equivalence of two different implementations of a serial adder. Although this example can also be proved with simple finite state machine algorithms, it shows how the method can be used to transform the higher-order proof goal into simple propositional logic.

Fig. 2. Equivalent implementations of a serial adder.

The implementations are given in figure 2 and the corresponding state transition diagrams are given in figure 3. The hardware formulae used for the description of the circuits are given in the following table:

SERIALI(el, e2, a) 8ERIA L2( el, e~, a)

31xl2h4q. XNOR(ea, e2, il)A A N D( ea, e~, /2 )A OR(el, e2, ts)A MVX(q, I~, t~, l,)A DELA Y(1,, q)A XNOR(q, I1, a)

31a 1213141sl6171slolloln i1211aqoqa. AND(el, e~, 11) ̂ OR(qo, la,/2)^ DELAY(12, qo) ^ OR(el, e~, 13)A INV(ls, t,) ^ A ND( qo, t,, ts )^ INV(qa , 16) A AND(16, Is, Ir)^ AND(qo, ql, ls) ^ INV(I1,/9)^ MUX(18,19, lr, lao) A DELA Y(llo, q~ )^ XNOR(et, e2,111 ) ^ XN O R(ql, qo,/x2 )A INV(Ixa, I~3) A XNOR(IIs, 111, a)

396

01 10 10 11

00

00

10

11

O0

Fig. 3. Transition diagrams of the implementations.

01 10 11

The goal we want to prove is Vele~a.SERIALl(el,e~,a) ~ SERIAL2(el,e2, a). After the expansion of the definitions of the serial adder predicates and the used basic circuits, we obtain the goalS:

3111~lsl4q.Vt. (tl ~ (el ~ 4 ) ) A (Z'~ ~ el ^ 4 ) ^ (~ ~ ~i v 4 ) A +-+ (~ ~ (q' ~ ~ I ~'~)) A (q0 ~ F) A (qt+l ~ l~)A

(a' ~ (q' ~ ~I))

311121314151elTls1911Ollli1211sqoql .Vt. t "~ 7t l t (l~ ~ e~ A e2) A (12 ~ qo v If) A

(q0 ~ ~-+ F) A (qt+l ~_, I~) A (z[ ~ g v 4) A (t~ ~ -,t~) A (t~ ~ q~ A z~) A (t~ ++ ~ql ) A (l~ +-+ l[ A I t ) A (I~ ,~, qg A ql) A (1~ ~ -~tl) A (llo ~ (Z~ =~ t~ I t~)) A (q0 ~ F) A (ql + ' +-+ If0 ) A ( ih ~ (el .- . 4 ) ) ^ ( th ~ (ql ~ q~)) A ( th ~ -,zh) A (a, ~ ( th ~ th))

Now the combinatorial line variables can be eliminated and the following goal m obtained:

3qoql.Vt. (qo ~ +'+ F) A (q~+l ~-~ [q[ V (e i A e[)]) A (qO ~ F) A (q~.+l ~ [qt A ql t =~, -~(e[ A e t) I "~qi A q[ A -~(e[ V el)]) A (~' ~ (-" [q[ ~ q~] ~ [~[ ~ ~[]))

3q.Vt. (q~ ~ F) A (q'+~ ~ [q' ~ (~i V 4) I (~i A ~)]) A

Next we split the above equivalence into two implications and prove the state transi- tions theorems. The quantifiers are then eliminated by the instantiation of new line variables. Finally, rewriting with the assumptions leads in both cases (cf. theorem 3.2) to the following goal:

vt.(q~ ~ r ) A (qg+' ~ [q~ v (~i A 4 ) ] ) A (q[+l (qO ,__, F A (q'+~ ~ [q~ A ql =~ -~(e~ A el) I "q[ A q~ A --,(e~ V el)l) A

(q~ ~ F A ~ [q' =~ ( 4 V 4 ) I (el A 4 ) ] ) I- Vt. (-~ [qi + ' qg] ~ [~i - - 4 ] ) ~ ( r ~ [~i ~ e~])

s We write e I instead of el(t).

397

The sequential depth of this goal is 1, i.e. the equivalence of the two circuits is proved iff the following two subgoals of propositional logic can be proved:

1. ~- (-~[F ,--* F] ~ [e ~ ~ e ~ ( F ~ [e ~ ~ e~

_ ( _ 0 =,~:..,~ - - e I e 2

2. ~ (~ [ !F ^ F ~ ~(e ? ^ e ~ i ~ F ^ F ^ ~(e l ~ V ~0)] ~ [F V (~i ~ ^ e~ ~ h i ~ el]) =-F

~^~ (!F ~ (e O v ~o) i(~0 ^ e~)] ~ [el ~ ~])

~o^~

Both subgoals can be easily proved by a tautology checker. In section 4, we have proved the decidability for the equivalence problem for

simple hardware formulae which allowed an automated proof of the verification of the two serial adder implementations. The decidability result for simple hardware formula does however not carry over to abstract circuits, but the presented tactics are useful in these cases, too. As the primitive recursion theorem has polymorphic types, each B-quantifier over a function of type IN --, a can be eliminated this way. For example, if .4 is a variable of type IN --* IN ~ ]]3 which is representing a time dependent bitvector (A t n denotes the value of the nth bit at time t), it is clear that the primitive recursion theorem can be instantiated such that the following theorem is obtained: F VwV$2.B1A.(A 0 = w) A (Vn.A (n + 1) = $2 (An) n). If A is an internal line in an abstract circuit, then goals of the following form will occur: F F qA.Vt.(.A 0 = wo) A (,4 (t + 1) = $2 (A t) t) A ~(A t). This goal can be transformed by the quantifier elimination tactic into the subgoal F, Vt.(.A 0 = w0) A (..4 (t + 1) = $2 (,4 t) t) ~- Vt.~(A t) which is easier to prove.

6 C o n c l u s i o n s a n d F u t u r e W o r k

We have presented methods how hardware correctness proof goals in higher-order logic can be transformed into weaker logics by eliminating the higher-order quan- tifiers. Proof goals of real combinatorial circuits are transformed into propositional logic and proof goals of real sequential circuits can be transformed into temporal propositional logic, or by a further transformation (SEQ_TAC) into propositional logic, too. The presented tactics have been implemented in HOL90 and as a result, full automation of these proofs has been obtained. All the presented tactics make use of the determinism of the considered circuit. Each internal line of the circuit has at each computation step a definite value which is symbolically computed by the tactics. If the proof can not be done by the instantiation of this value, it can be concluded that the goal which is to be proved is erroneous. The methods can also be carried over to abstract circuits although in general a full automation cannot be achieved for them. However, proofs for special classes can nevertheless be automated.

In our future work, we elaborate proof paradigms for generic circuit classes based on the presented quantifier elimination methods. Problems occur when different classes of circuits are used in an implementation at the next level of design hierarchy.

398

In these cases, further lemmata have to be proved which are required for the original proof. Our future work will also focus on these lemmata, and we try to automate this lemma generation process by completion methods. Another issue for our future work is to discuss the relations of this approach for real circuits to model checking, as model checking can be viewed as a special case of this approach if no abstract circuits are considered.

References

[Acke35a] W. Ackermann. Untersuchungen fiber das Eliminationsproblem der mathema- tischen Logik. Mathematische Annalen, 110:390-413, 1935.

[Andr65] P.B. Andrews. A Transfinite Type Theory with Type Variables. North-Holland Publishing Company, 1965.

[GaOh92] D. Gabbay and H. J. Ohlbach. Quantifier elimination in second-order predi- cate logic. Technical Report MPI-I-92-231, Max-Planck-Institut ffir Informatik, Saaxbrficken, July 1992.

[Gord86] M.J.C. Gordon. Why higher-order logic is a good formalism for specifying and verifying haxdwaxe. In G. Milne and P.A. Subrahmanyam, editors, Formal aspects of VLSI Design. North-Holland, 1986.

[Gord88c] M.J.C. Gordon. Programming Language Theory and its Implementation. Inter- national Series in Computer Science. Prentice Hall, 1988.

[Gupt92] A. Gupta. Formal hardware verification methods: A survey. Journal of Formal Methods in System Design, 1:151-238, 1992.

[HaDa86] F.K. Hanna and N. Da~che. Specification and verification of digital systems using higher-order predicate logic. IEE Proc. Pt. E, 133(3):242-254, 1986.

[Jane87] S.L.P. Jones. The Implementation of Functional Programming Languages. Pren- tice Hall, 1987.

[Joyc91] J. Joyce. More reasons why higher-order logic is a good formalism for specifying and verifying hardware. In International Workshop on Formal Methods in VLSI Design, Miami,1991.

[KuSK93] R. Kumax, K. Sehneid~er, and Th. Kropf. Structuring and automating haxdware proofs in a higher-order theorem-proving environment. Journal of Formal Methods in System Design, 2(2):165-223, 1993.

[ScKKgla] K. Schneider, R. Kumar, and Th. Kropf. Structuring hardware proofs: First steps towards automation in a higher-order environment. In P.B. Denyer A. Halaas, editor, International Conference on Very Large Scale Integration, pages 81-90, Edinburg, Edingburgh, 1991. North Holland.

[ScKK92c] K. Schneider, R. Kumar, and Th. Kropf. Modelling generic hardware structures by abstract datatypes. In L.J.M. Claesen and M.J.C. Gordon, editors, Higher Order Logic Theorem Proving and its Applications, volume A-20 of IFIP Transactions, pages 165-176, Leuven, Belgium, 1992. North-Holland.

[ScKK93d] K. Schneider, R. Kumar, and Th. Kropf. Alternative proof procedures for finite-state machines in a higher-order environment. In International Workshop on Higher-Order Logic Theorem Proving and its Applications, Vancouver, Canada, 1993.