Abstract-Verifying the correctness of sequential circuits has been an important problem for a long time. But lack of any formal and efficient method of verification has prevented the creation of practical design aids for this purpose. Since-all the known techniques of simulation apd prototype testing are time consuming and not very reliable, there is an acute need for such tools. In this paper we describe an automatic verification system for sequential circuits in which specifications are expressed in a propositional temporal logic. In contrast to most other mechanical verification systems, our system does not require any user assistance and is quite;fast-experimental results show that state machines with several hundred states can be checked for correctness in a matter of seconds!
machines with several hundred states can be checked for correctness in a matter of seconds!
The verification system uses a simple and efficient algorithm, called a model checker. The algorithm works in two steps: in the first step, it builds a labeled state-transition graph; and in the second step, it determines the truth of a temporal formula with.
respect to the state-transition graph. We discuss two different techniques that we thave implemented for automatically generating the state-transition graphs: The first involves extracting the state graph directly feom the circuit by exhaustive simulation.
The second obtains the state graph by compilation from an HDL specification of the original circuit.
Index Terms-Asynchronous circuits, hardware verification, sequential circuit verification, temporal logic, temporal logic model checking.
I. INTRODUCTION
V ERIFYING the correctness of sequential circuits has been an important problem for a long time. But lack of any formal and efficient method of verification has prevented the creation of practical design aids for this purpose. Since all the known techniques of simulation and prototype testing are time consuming and not very reliable, there is an acute need for such tools. In this paper we describe an automatic verification system for sequential circuits in which specifications are expressed in a propositional temporal logic. In contrast to most other mechanical verification systems, our system is fully automatic and does not require user assistance in the construction of proofs. Also, it is quite fast; experimental results show that state machines with several hundred states can be checked for correctness in a matter of seconds! Propositional logic has long been accepted as an appropriate formalism for describing and reasoning about combinational circuits. We believe that temporal logic may be equally useful for sequential circuits. Bochmann [3] was probably the first to use temporal logic to describe circuits. He verified an implementation of a self-timed arbiter using linear temporal logic and what he called "reachability analysis." Malachi and Owicki [11] identified additional temporal operators required to express interesting properties of circuits and also gave specifications of a large class of modules used in self-timed systems. Although these researchers contributed significantly toward developing an adequate notation for expressing the correctness of circuits, the problem of mechanically verifying a circuit using efficient algorithms still remained unsolved. We show how a simple and efficient algorithm, called a model checker, can be used to verify various temporal properties of a sequential circuit. Roughly speaking, our method works by first building a labeled state-transition graph for the circu'it. This graph can be viewed as a finite Kripke structure or model. By using the model checker we can determine the truth of a temporal formula relative to the state graph. Our algorithm has time complexity linear in both the size of the specification and the size of the state-transition graph. Moreover, if the formula is not true, the model checker will provide a counterexample if possible.
Thus, if we have correctly translated the circuit specification into a state-transition graph, we will know that a formula determined to be true by the model checker must also hold true for the corresponding circuit. We discuss two different techniques that we have implemented for automatically generating such graphs: The first involves extracting the state graph directly from the circuit by simulation. The second obtains the state graph by compilation from an HDL specification of the original circuit.
In the first approach a mixed gate-and switch-level circuit simulator is used to extract a state graph from a structural description of the sequential circuit. Usually, circuits are designed under the assumptions that some input sequences and combinations will not occur. The program exploits this to prevent a combinatorial explosion in the number of states that are generated, by allowing the user to specify a set of conditions under which the inputs can change. The simulator uses a unit-delay timing model in which the switching delays of all transistors and gates are assumed to be equal. [12] . In Section V we outline the alternative approach of extracting a CTL model from a program in a high-level state machine description language with a Pascal-like syntax and illustrate its use with examples. The paper concludes in Section VI with a discussion of directions for future research including the possibility of making our approach hierarchical.
II. CTL AND EMC
The logic that we use to specify circuits is a propositional temporal logic of branching time, called CTL (computation tree logic).' This logic is essentially the same as that described in [1] , [6] , and [9] . The syntax for CTL is as follows: Let (P be the set of all the atomic propositions in the language i, then: 1) Every atomic proposition P in (P is a formula in CTL. We also use the following syntactic abbreviations: [5] .) The algorithm uses three "logical" values: 0, 1, and X (meaning "unknown"). 1 Basically, the simulation performs a set of steps, each step simulating one unit delay. There are logical values assigned to the circuit nodes on entry to each step, either from the results of the previous step or from user-specified initial conditions. A step consists of two phases. First, the logical node values are used to determine whether the transistors are on, off, or unknown. A more detailed description of the program appears in Fig. 1.
IV. EXAMPLE: A SELF-TIMED QUEUE ELEMENT
We apply this technique to a self-timed queue element. The circuit originally appeared in an article by Seitz on self-timed systems [14] . This circuit has practical importance because it can be used to connect pipelined computational units with variable processing time, maximizing the utilization of the connected units. The use of asynchronous design results in a very fast and small implementation of the queue. A diagram of the circuit is shown in Fig. 2 the second inverter to the input of the first. This circuit stores its most recent input signal, and after two gate delays supplies the same signal on the output. The queue is a speed-independent element: It assumes no real-time restrictions on the behavior of the circuits it is connected to. However, the internal design of the queue is not speed-independent. It uses a more liberal assumption that no series of 3 gates is faster than any other series of 2 gates. This is called the "3/2 rule."
We have applied our verification technique to the circuit in the case where there is a single inner cell. The unit-delay assumption is a refinetnent of the 3/2 rule. Any circuit satisfying the unit-delay rule certainly satisfies the 3/2 rule, but not the converse. If our verification finds a problem, then it is definitely a violation of the circuit design rules. On the other hand, a successful verification increases confidence in the circuit design but does not guarantee that the circuit is correct.
A. Temporal Logic Specification of the Queue Element
In this subsection we give a variety of correctness conditions in CTL for the queue element. This is not a complete specification-just a sample of some interesting properties which we would like to check against the state graph constructed as in the previous section. We categorize the conditions as requiring safety or liveness properties. Informally, safety properties say that the circuit does not do anything bad, while liveness properties say that it does do something good.
First, we specify the correct behavior of the two-cycle interfaces with the external world. The following formulae apply to both the input and output cells. ReqIn, ReqOut, AckIn, and AckOut must be substituted for req and ack, as appropriate. The first condition requires that if the req signal is low it must stay low until ack goes low; if ack is high because a previous request has not been acknowledged req is not allowed to change. The second formula gives the corresponding requirement when req is high. The third and fourth formulae require that ack not change unless req has the opposite value.
These previous four formulae are safety properties. For example, in the first formula it is not required that ack goes low-only that req cannot go high before ack goes low. It is also reasonable to give some liveness conditions for the twocycle interfaces: AG(reqA m ack--*AFack) AG(-i reqAack-+AF--ack).
These formulae state that every request must inevitably be acknowledged. We do not require req to change after ack takes on the same value.
There is a problem in verifying these last two formulae. In a correct implementation of the queue element, if the register cell is already full and another input request arrives, the acknowledge signal for the new input must wait for the cell to become empty. This will only happen when the external circuit on the output side raises AckOut to indicate that it has read the contents of the register cell. We must assume that this external circuit responds to an output request in finite time.
The solution to this problem is to use the fairness constraint facility of the model checker. We can require a pending output request to be acknowledged inevitably by the fairness constraint ReqOut + AckOut.
This condition says that the last request has been acknowledged. Any fair path must have infinitely many states satisfying this, so for any state in which there is a pending request (ReqOut * AckOut), there is another state further along the path in which the request has been satisfied. We remind the reader that this is an assumption about the behavior of the circuit environment, not a condition to be verified. Given this constraint, the model checker checks the two liveness conditions above only over the paths in which the external circuit always responds to output requests.
There are also correctness conditions relating the input and output cells. We give a few sample formulae. First, an obvious safety condition is that if there is nothing in the inner cell ( -i Full 1) there will not be an output request until there is an input request,
There are also a number of interesting liveness conditions. For example, if there is an unacknowledged input request and if the inner cell is empty, then the signal to load the shift register cell, A, will inevitably be raised, AG( -n (ReqIn AckIn)A -i Full -AFA).
If the inner cell is full, there should always be an output request to make the data available, AG( -Full 1 --AX(Full 1 -AF -' (ReqOut AckOut))). [2] . The complete semantics for SML will not be given here, but they will appear in a forthcoming paper [4] The best way to illustrate the use of SML is by an example. We will use SML to design a traffic controller that is stationed at the intersection of a two-way highway going north and south and a one-way road going east. For the sake of simplicity, no turns are permitted. At the north, south, and east of this intersection, there is a sensor that goes high for at least one clock cycle when a car arrives. When the intersection is clear of cross traffic, the controller should raise a signal indicating that the car is permitted to cross the intersection. Once the car has crossed, the sensor that indicated the arrival of the car will go low.
Let the names of the sensors be N (north), S (south), and E (east). Furthermore, let N-Go, S-Go, and E-Go be the names of the output signals for each end of the intersection.
Now that the problem is defined, we can express the correctness conditions of the controller in CTL.
AG (E-Go A (N-Go V S-Go)).
This formula is a safety property that is true if the controller does not permit collisions to occur. There are also several interesting liveness properties
These formulas state that every request to enter the intersection is eventually answered, so the controller is starvationfree. If all three of these formulas are true, the controller is deadlock-free as well.
EF(N-Go A S-Go).
This formula insures that simultaneous north and south traffic is possible. Since we want to maximize the amount of traffic, any good implementation should satisfy this formula.
In addition to specifying the desired behavior of the controller, we must also specify the behavior of the cars. In particular, we don't want a car to enter the intersection and stay there forever. Since the model checker allows the specification of fairness constraints that must be true infinitely often, we must rephrase this condition to be that the cars must be out of the intersection infinitely often. Since a car from the north is in the intersection if N-Go is true, and it stays there while N is true, the fairness constraint for cars from the north is (N-Go A N) . There are similar constraints for traffic from the south and east. io   11  12  13  14  15  16  17  18  19  20  21  22  23  24  25  26  27  28  29  30  31  32  33  34  35  36  37  38  39  40  41  42  43  44   45   46  47  48   40   50  51  52  53 C. An Implementation of the Traffic Controller in SML One approach to this problem is to provide two locks: NSLock, which is true when north-south traffic is in the intersection, and EW-Lock, which is, true when east-west traffic is in the intersection. Traffic from one direction is forbidden to enter the intersection if the lock in the other direction is true. Fig. 3 shows a program that uses this idea. The numbers at the beginning of each line were added for easy reference and are not part of the language.
A few conmients are necessary to explain the operation of this program.
Line 5: In addition to declaring the two locks, N-Req,-SReq, and E-Req are also declared to be internal. N-Req will go high wheni a car arrives at the intersection from the north and go low when the car has crossed the intersection. S-Req and EReq are similar. Wait is a macro definition that delays until its parameter becomes true. Once there is no traffic from the east (Line 20), the intersection is locked and the car is allowed to go (Line 21). After the car leaves the intersection (Line 22), the intersection is released if there is no traffic from the south in the intersection (!S-Go) (Line 24). Lines 31-42: This statement controls traffic from the south. The algorithm is the same as for north traffic. If a car from the north enters the intersection (and raises NS-Lock) at the same time as a car from the south exits the intersection (and lowers NS-Lock), the conflict is resolved by leaving NS-Lock unchanged. Since NS-Lock is already high, it will remain high, so the intersection will remain locked.
Lines i4-52. This statement controls traffic from the east.
Once a request is received, the intersection is iocked (Line 46) and the car waits for the cross traffic to release the ihtersection (Line 47). When the intersection is clear, the car is permitted to cross (Line 48). After the car has crossed, the intersection is released (Line 50 S-Go, E-Go; ock, EW-Lock, N-Req, S-Req, E-Req; procedure wait (expr) while !(expr) do nop intersection, EW-Lock will remain high, so we have a deadlock.
As the counterexample illust-rates, the problem with the program in Fig. 3 is NS-Lock will not be lowered if cars from the north and the south exit the intersection simultaneously. A simple solution is to modify Line 24 so that NS-Lock is lowered if the car from the south is not in the intersection (!SGo) or if the car from the south is exiting the intersection (!S). Line 37 can be changed in a similar' manner. The resulting program is shown in Fig. 5 . This program compiles into 31 states (248 states for the model checker). The correctness of this program is shown by the transcript in Fig. 6 .
VI. CONCLUSION
The approaches presented here are practical for small-and medium-size sequential circuits. Verification is usually viewed as a way to guarantee correctness, and these techniques are no exception. However, we believe that these methods hold even more promise as debugging aids. Tools like those described in this paper could expedite the design process by localizing bugs quickly. They could also allow designers to improve designs more aggressively, freeing them from the natural reluctance to modify a design that is already known to work. Further research is needed in a number of areas. Timing is an important issue when verifying asynchronous sequential circuits. The unit-delay model used in Sections III and IV is easy to implement, but unrealistic. A more commonly used model in asynchronous circuit design assumes arbitrary delays in wires and/or gates. We have a technique for verifying circuits under an arbitrary gate delay model, which we have successfully applied to an asynchronous arbiter [8] . There are a variety of timing assumptions that are less conservative than arbitrary delay models, but more realistic than the unit-delay assumption. Obviously, the 3/2 model used in the design of the queue element example is one of these. Another assumes minimum and maximum delays for the circuit components. It would be useful to be able to verify circuits under these assumptions.
It is probably not practical to use these methods on large circuits, because of the corresponding size of the state graphs. Circuit designers cope with the complexity of large circuits by designing them hierarchically. It seems reasonable that the same circuits could be verified hierarchically by verifying small subcircuits in detail, then using simplified models of them as components in larger circuits. This process can be automated to some extent. If one uses a subset of CTL, small circuits can be simplified by "hiding" some of their internal nodes (more precisely, making it illegal to use them in CTL formulae) and merging groups of states that become indistinguishable into single states (this is called restriction) [7] .
We verified the self-timed queue element in the specific case in which there was only one inner cell. In fact, there is a family of queues, each member having a different number of repeated inner cells. There are many families of circuits designed in this way, for example, systolic arrays in which the number of cells is a parameter. It would be useful to be able to verify entire families of circuits at one time, using a more general technique than the ones in this paper. We conjecture that inductive techniques could be applied to this problem.
