Abstract. This paper presents an approach to automated verification of circuits represented as switch-level designs. Switch-level models (SLM) are a well-established framework for modelling low-level properties of circuits. We use many-valued propositional logic to represent a suitable variant of SLM. Logical properties of circuits (gate level) can be expressed in a standard way in the same logic. As a result we can express soundness of switch-level designs with respect to gate-level specifications as many-valued deduction problems. Recent advances in many-valued theorem proving indicate that it is possible to handle real-life examples. We report first results obtained with an experimental theorem prover.
Introduction
Switch-level models¹ (SLM) are well-established tools for representing a circuit on the transistor level in considerable detail. They can be used to model phenomena like propagation and resolution of undefined values, hazard detection, degradation effects, varying capacities, pull-up transistors or depletion-mode transistors; see [4] for a very exhaustive list. It is important to note, however, that all dimensions are symbolic values.
Traditionally, SLM have been used as a formal basis for the construction of simulation tools, which serve to test the behaviour of a circuit before it is actually built. In this paper we present an approach to automated verification on the switch level based on automated deduction in propositional many-valued logics. Related work was done by Bryant & Seger [1] and Büttner et al. [3]. The relationship between these approaches and our own is discussed in the conclusion.
Propositional many-valued logics are particularly well suited for representing SLM. Given that typical SLM of real circuits contain several hundred parts, there is no point in trying full first-order predicate logic; nor is its expressivity really needed. On the other hand, mere two-valued propositional logic is not advisable either, since one has to introduce lots of auxiliary variables that bear no natural meaning, so that the logical representation of SLM would become unreadable and, more importantly, infeasible because of its many variables. We found that propositional many-valued logics are just the right tool for an adequate representation of SLM if truth values are interpreted as different levels of voltage. Together with a logical representation of the intended function of a circuit it becomes possible to establish its soundness in terms of a formal proof in many-valued logic. Recent research showed that it is well possible to build generic satisfiability checkers for propositional many-valued logics that are quite efficient [5, 6, 8]. The logical basis for many-valued deduction here is a suitable extension of analytic tableaux [12]. Moreover, many-valued tableaux give rise to a reduction of many-valued deduction problems to integer programming problems [7]. First results suggest that with this technique it is possible to build many-valued satisfiability checking programs whose performance comes close to state-of-the-art satisfiability checkers for classical logic.

* Research supported by IBM Germany and Deutsche Forschungsgemeinschaft.
¹ Switch-level models were introduced in the late 70s mainly by Bryant [2] and Hayes [10, 11] as a formal framework for modelling low-level properties of circuits.
We are confident that ultimately it is possible to prove properties of real-life circuits with our approach. In this paper we sketch the first steps towards this task. The organization of the paper is as follows: in Section 1 we describe the variant of switch-level model we used for our experiments. In Section 2 we introduce a many-valued deduction framework based on analytic tableaux. Section 3 presents the link between SLM and logic in terms of a translation from the former into the latter, illustrated by an example. Finally, we give statistical figures from first tests, discuss related work and point out the next steps.
1 The Verification Model
Switch-Level Representation of Circuits
In SLM we represent a MOS circuit as a set of nodes which are interconnected by switches (transistors). In this paper we consider only combinational and asynchronous circuits with zero-delay elements. An NMOS transistor is closed (conducting) iff the voltage at its gate terminal represents a logical 1. The transistor is open (non-conducting) iff the voltage at its gate terminal represents a logical 0. In all other cases, the state of the transistor is called unknown.
For a PMOS transistor, the conditions on the gate terminal are flipped. From now on we use the more general term value instead of voltage to describe the state of the nodes (the terminals of a transistor are nothing else than nodes).
We follow [11, 4] by using a seven-valued logic in order to model one particular switch-level phenomenon, namely degradation effects in CMOS circuits, which occur because transistors are non-ideal switches that degrade the strength of the signals.
Definition 3 Switch-Level Value. The set of switch-level values (SLVs) consists of the elements E, D0, D1, DU, S0, S1, SU. These are the only possible values at the nodes of a switch-level network. In the notation of [10, 11], E is the undefined value (an undriven node); D0, D1 and DU are the degraded (weak) 0, 1 and unknown; S0, S1 and SU are the strong 0, 1 and unknown. The values S0, S1, D0, D1 are called definite.
To compute the value of a node in the network we rely on the # operator introduced by Hayes [10]. The semantics of the operator # corresponds to the computation of the supremum in a lattice if we order the SLVs as shown in Figure 1. For an exhaustive treatment of this topic see [10, 11].
Compared to the SLM used in real simulation tools our model may seem a bit simplistic; however, it should be clear that with more truth values we can achieve a much more fine-grained model. To keep this paper readable we have taken the simplest SLM which is non-trivial.
Gate-Level Specification of Circuits
The gate-level specification of circuits is well known and we restrict ourselves to a short definition.
Definition 4 Gate. A gate is the smallest indivisible switching element for the processing of binary signals. It is a unidirectional element which computes an output from n inputs. Common gates are AND, OR, NOT, NAND, NOR and XOR.
In other words, gates realize (certain) Boolean functions.
Definition 5 Gate-Level Network. A gate-level network is a directed graph whose nodes are gates.
The modelling of digital systems exclusively with gate networks is regarded as insufficient for several reasons:
1. circuits in ratioed logic cannot be modelled properly at the gate level;
2. the analysis of circuits on the gate level is too far from the actual layout of the circuit: connections on the chip, for instance the connection with vdd, cannot be represented in the gate model;
3. gates are unidirectional elements;
4. a one-to-one transformation of circuits described with gates to circuits constructed with transistors does usually not result in an efficient implementation of the desired function.
Vertical and Horizontal Verification
In general, verification means the (formal) proof of a certain property, for example the correctness of a hardware system. Since the construction of a hardware system is done in several design steps, in which the designers lay down what the system should do and how it should do it, we have several tasks for verification. We call the design of what the system should do the specification and the design of how it should do it the implementation.
One possible mode of verification is the proof that a single design level (specification or implementation) is correct in itself, for example that a specification at the gate level does not produce hazards or similar kinds of errors. In a switch-level design we can verify that only proper (defined) voltage levels occur at the output nodes provided that the voltages at the input nodes are proper. This kind of verification we call horizontal verification, a commonly used term for verification concerning only one design level.
In contrast, we can also perform vertical verification, which includes two levels of the design hierarchy. For instance, we can prove soundness of a gate-level specification with respect to a switch-level implementation. A complete stratification ranging from the physical level to high-level functional properties of complex circuits would incorporate many other formalisms than propositional logic. The type of formal system used is determined by the complexity of the circuit and the kind of properties which are to be verified. For functional verification of a CPU, for instance, first-order or even higher-order logic may be required. The drawback of these more complicated formalisms is that they are not amenable to full automation. If the amount of automation within the whole verification task is to be maximized, it is crucial that at each level the most adequate formalism is used. For the switch level this is many-valued (temporal) propositional logic.
In the field of hardware verification several meanings of the term verification are in common use: simulation, complete testing and formal verification. Our understanding is formal verification, which means that the verification is mathematical and not experimental. Correctness is understood in this paper as a mathematical relation between two entities, for example a specification/implementation pair. Formal verification allows a general proposition, in contrast to simulation, where we can only show the presence of bugs but never their absence. Correctness as a relation can be classified in several ways; in the following we choose logical implication $I \rightarrow S$, which denotes that the specification $S$ is a behavioural abstraction of the implementation $I$, in other words, the formal verification that a switch-level network realizes the same function as a given gate-level network.
For a more detailed survey on formal verification of hardware correctness see [4].
2 Automatic Proof Search in Many-Valued Logic
In this section we give a very brief introduction to the logical formalism underlying our verification approach. For more details we refer the reader to [5, 8].
Many-Valued Logic
Definition 10 Signed Formula. Let $\varphi \in L$ and $S \subseteq N$, where $L$ is the set of formulas and $N$ the set of truth values. Then we call the expression $S : \varphi$ a signed formula. The set of signed formulas over $L$ is denoted correspondingly.
Signed formulas are a device for talking about many-valued logics with only two truth values on the meta-level. In [5] we systematically introduced truth value sets as signs in order to achieve an adequate representation of the many-valued search space; we coined this the 'sets-as-signs' approach. In [8] it is demonstrated that using sets-as-signs in some way is crucial for the efficiency of any many-valued proof procedure.
Analytic tableaux are a refutation procedure. For our purposes it is sufficient to visualize a tableau proof as a finite labelled tree whose node labels are signed formulas. To prove validity of a formula $S : \varphi$ we begin with a tableau whose single node is labelled with the complement $(N \setminus S) : \varphi$. This formula is then analysed following its syntactic structure in a top-down manner down to the atomic level. If we arrive at a contradiction in every case, we have proved that no valuation can satisfy the root; in other words, $\varphi$ is an $S$-tautology. Rather than giving the formal definitions we illustrate the process with a small example from classical logic. A tableau rule is applied as follows: to any path containing a signed formula $S : \varphi$ that matches the premise of the rule we may append as many new branches as there are extensions in the conclusion of the rule; the new branches contain the formulas from the rule extensions. In our example we apply first the rule on the right and then, on the first of the resulting formulas, the rule on the left. Formulas within the same branch are conjunctively connected while formulas in different branches are disjunctively connected. We notice that each branch in the example contains a complementary pair of formulas, that is, $S_1 : \varphi$ and $S_2 : \varphi$ with $S_1 \cap S_2 = \emptyset$. Such branches are called closed. A tableau represents a proof iff all its branches are closed.
The extension of this framework to many-valued logics is more or less straightforward. To prove that $\varphi$ is an $S$-tautology we simply construct a many-valued tableau with root $(N \setminus S) : \varphi$. Many-valued tableau rules can be stated very much like their two-valued counterparts. For instance, if we define many-valued conjunction as $i \wedge j = \min(i, j)$, where $\min$ is the natural minimum on $N$, we find the following rule for $\{0, \tfrac12\} : \varphi \wedge \psi$ in three-valued logic:
$$\frac{\{0, \tfrac12\} : \varphi \wedge \psi}{\{0, \tfrac12\} : \varphi \quad\Big|\quad \{0, \tfrac12\} : \psi}$$
The rule is sound because $\min(i, j) \le \tfrac12$ holds iff $i \le \tfrac12$ or $j \le \tfrac12$.
One difference between the two-valued and the many-valued case is that in the latter more than two extensions in the rules may become necessary. Another important difference is the slightly more general notion of branch closure:
Definition 11 Many-Valued Closure. A branch in a many-valued tableau is closed iff (i) either it contains signed formulas $S_1 : \varphi, \ldots, S_m : \varphi$ such that $S_1 \cap \cdots \cap S_m = \emptyset$, or (ii) it contains a single signed formula $S : F(\varphi_1, \ldots, \varphi_k)$ such that $\mathrm{rg}(f) \cap S = \emptyset$, where $f$ is the truth function of the connective $F$ and $\mathrm{rg}(f) = \{\, i \mid i = f(j_1, \ldots, j_k);\ i, j_1, \ldots, j_k \in N \,\}$.
For some logics, including classical logic, $m = 2$ is sufficient for completeness and (ii) never occurs [6]. Then, of course, we have the old notion of closure.
Remark. It is in general not necessary to have all $2^n$ possible signs present (where $n = |N|$) to achieve a sound and complete system; see [8] for necessary conditions on the set of signs. On the other hand, the more signs are present, the fewer extensions the rules tend to have and, consequently, the shorter the proofs become.
Remark. Various improvements of analytic tableaux known from the two-valued case, such as lemma generation, structure sharing, selection heuristics etc., carry over to the many-valued case.
In [7] it is demonstrated that many-valued tableaux (with a certain extension of the syntax) can be naturally translated into integer programming (IP) problems which can then be solved quite efficiently with various algorithms. First results indicate that it is well possible to handle formulas with up to several hundred propositional variables and more than one thousand connectives that way.
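The following Python sketch is an added example and not code from the paper (the authors' prover is a Prolog program [9]). It implements the signed-tableau refutation of this section for a three-valued logic with the paper's conjunction $\min$, disjunction $\max$ and, as an assumption, negation $1 - x$. Tableau rules are generated from the truth tables by splitting on the value of the first argument: this is a simple sets-as-signs scheme, not the optimised rules of [5, 8] (for $\{0, \tfrac12\} : \varphi \wedge \psi$ it yields three extensions where the rule above has two). Branch closure follows Definition 11: condition (i) as an empty intersection of the signs on one atom, condition (ii) when $\mathrm{rg}(f) \cap S = \emptyset$. An open branch is returned as a countermodel, which is what the tableau gives you that a simulator cannot: a witness for the failure of the $S$-tautology, or a proof of its absence.

```python
from fractions import Fraction
from itertools import product

# Truth values of the three-valued logic (the paper's N): 0, 1/2, 1.
ZERO, HALF, ONE = Fraction(0), Fraction(1, 2), Fraction(1)
N = frozenset({ZERO, HALF, ONE})

# Connectives as truth functions: min/max are the paper's conjunction and
# disjunction, negation as 1 - x is an assumption of this example.
CONNECTIVES = {
    "and": (2, lambda a, b: min(a, b)),
    "or":  (2, lambda a, b: max(a, b)),
    "not": (1, lambda a: ONE - a),
}

# Formulas: an atom is a string, a compound is a tuple (connective, arg, ...).
# A signed formula S : phi is a pair (frozenset S, phi); a branch is a list of them.


def rule_extensions(sign, formula):
    """Tableau rule for the signed compound formula `sign : formula`.

    Returns a list of extensions (one list of new signed formulas per branch).
    The empty list means closure condition (ii): rg(f) and S are disjoint."""
    op, *args = formula
    arity, f = CONNECTIVES[op]
    rng = {f(*vals) for vals in product(N, repeat=arity)}      # rg(f)
    if not (rng & sign):
        return []                                                # unsatisfiable: close
    if rng <= sign:
        return [[]]                                              # trivially true: nothing to add
    if arity == 1:
        return [[(frozenset(j for j in N if f(j) in sign), args[0])]]
    extensions = []
    for i in N:                                                  # split on the first argument
        s_i = frozenset(j for j in N if f(i, j) in sign)         # values of the second argument that work
        if not s_i:
            continue
        ext = [(frozenset({i}), args[0])]
        if s_i != N:                                             # the sign N carries no information
            ext.append((s_i, args[1]))
        extensions.append(ext)
    return extensions


def joint_signs(branch):
    """Intersection of all signs attached to each atom of a fully expanded branch."""
    joint = {}
    for sign, atom in branch:
        joint[atom] = joint.get(atom, N) & sign
    return joint


def open_branch(branch):
    """Expand `branch` depth-first. Return an open branch, or None if every branch closes."""
    for k, (sign, formula) in enumerate(branch):
        if isinstance(formula, tuple):
            rest = branch[:k] + branch[k + 1:]
            for ext in rule_extensions(sign, formula):
                result = open_branch(rest + ext)
                if result is not None:
                    return result
            return None                        # all extensions closed (or none existed: condition (ii))
    # only atoms left: closure condition (i)
    return None if any(not s for s in joint_signs(branch).values()) else branch


def is_tautology(formula, sign):
    """Is `formula` an S-tautology?  Refute the complement (N \\ S) : formula."""
    s = frozenset(Fraction(v) for v in sign)
    return open_branch([(N - s, formula)]) is None


def countermodel(formula, sign):
    """A valuation under which `formula` takes a value outside `sign`, or None if none exists."""
    s = frozenset(Fraction(v) for v in sign)
    branch = open_branch([(N - s, formula)])
    if branch is None:
        return None
    return {atom: min(vals) for atom, vals in joint_signs(branch).items()}


if __name__ == "__main__":
    excluded_middle = ("or", "p", ("not", "p"))
    print(is_tautology(excluded_middle, {1}))        # False: p = 1/2 gives the value 1/2
    print(countermodel(excluded_middle, {1}))        # {'p': Fraction(1, 2)}
    print(is_tautology(excluded_middle, {0.5, 1}))   # True: the value is never 0
```

The sign passed to `is_tautology` is the set of designated values; the same formula can be a $\{\tfrac12, 1\}$-tautology without being a $\{1\}$-tautology, which is exactly the distinction the signed root $(N \setminus S) : \varphi$ encodes.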
3 Verification with Many-Valued Logic
In this section we provide the connection between SLM and many-valued logic. The basic idea is to treat switch-level values as truth values and to represent nodes and transistors as many-valued connectives. Thus we define a many-valued propositional logic $L_{SLM}$, called switch-level logic, as follows:
Definition 12 $L_{SLM}$. Let $L_{SLM}$ be the seven-valued propositional logic with truth values $N = \{E, D0, D1, DU, S0, S1, SU\}$, binary connectives {#, ntrs, ptrs, ntrd, ptrd, AND, OR, XOR, NAND, NOR, imp, spec, m_imp}, unary connectives {definite, vdd, gnd, NOT} and with the truth table semantics as given in Table 1 and Table 2.
Table 2. Truth tables for #, ntrs and ptrs. In the tables for the latter, rows correspond to the gate terminal and columns to the drain.

  #  |  E   D0   D1   DU   S0   S1   SU
-----+----------------------------------
  E  |  E   D0   D1   DU   S0   S1   SU
  D0 |  D0  D0   DU   DU   S0   S1   SU
  D1 |  D1  DU   D1   DU   S0   S1   SU
  DU |  DU  DU   DU   DU   S0   S1   SU

Since # computes a supremum it is commutative, so the entries of the rows S0, S1 and SU in the columns E, D0, D1 and DU coincide with the corresponding columns of the rows shown. m_imp(I, S) corresponds to $I \rightarrow S$, and imp(I, out) is true iff the value of I equals the value of out.³ As can be seen, we have four kinds of connectives: connectives associated with the gate level (AND, OR, XOR, NAND, NOR, NOT), connectives associated with the switch level (#, ntrs, ptrs, ntrd, ptrd), connectives used as a link between these two levels (imp, spec, m_imp) and connectives used for expressing facts at the switch level (definite, vdd, gnd), which have seven-valued input and Boolean output.
In our first approach only the connectives associated with the switch level have a seven-valued semantics, whereas all others have a Boolean one. One can imagine our verification model as consisting of several components, each with its own associated logic. Each logic can be embedded into the most general one with a suitable reinterpretation of the truth values. Hence, each of the component logics can be altered easily without affecting the others. Boolean truth values are embedded into the seven-valued logic by reading the sign {S1, D1} as true and {S0, D0} as false; for instance, {S1, D1} : NOT(φ) has the Boolean equivalent {1} : NOT(φ). A signed formula {SU, DU} : NOT(φ) never occurs during the proof procedure, because it has no Boolean equivalent and is therefore not generated by any of the rules.
³ imp stands for 'implements', not for 'implies', in contrast to m_imp, which is material implication.
Example 3 Tableau Rules (cf. Section 2). The upper left rule shown below is the one we always need for the initial tableau. The upper right rule is one of the rules for the # connective. The lower rule expresses the fact that the variable value has no undefined or unknown value. This rule demonstrates the interconnection between the different logics: the premise has a Boolean semantics (it is true that value has a definite value), the conclusion has a seven-valued semantics (value has a truth value from the set {S1, S0, D1, D0}).
A simple example illustrates our ideas: Figure 2 shows a correct (on the left) and an incorrect (on the right) implementation of a NOR gate. In the first case we want to prove

{S1, D1} : m_imp(imp(#(#(ptrs(in2, ptrs(in1, n1)), ntrd(in1, n3)), ntrd(in2, n3)), out), spec(NOR(in1, in2), out))

and in the second case

{S1, D1} : m_imp(imp(#(ntrs(in2, ptrs(in1, n1)), #(ntrd(in1, n3), ptrd(in2, n3))), out), spec(NOR(in1, in2), out))
In standard syntax this would amount to proving validity of
$$(f(in_1, in_2) \leftrightarrow out) \rightarrow (g(in_1, in_2) \leftrightarrow out),$$
where $f(in_1, in_2)$ is the switch-level design and $g(in_1, in_2)$ the gate-level design of a circuit. The reasons not to use this notation are that (1) we wanted to use the same set of truth values for all levels and (2) the definitions of imp, spec etc. are very likely to change when the verification model gets more fine-grained. We start our proof procedure with the complemented theorem together with the following axioms:

{S1, D1} : vdd(n1)
{S1, D1} : gnd(n3)
{S1, D1} : definite(in1)
{S1, D1} : definite(in2)

With these we have our initial database for an automatic theorem prover. Figure 3 shows the first two rule applications of the proof procedure to the initial tableau corresponding to the correct implementation.

(1) {S1, D1} : vdd(n1)
(2) {S1, D1} : gnd(n3)
(3) {S1, D1} : definite(in1)
(4) {S1, D1} : definite(in2)
(5) {S0, D0} : m_imp(imp(#(...), out), spec(NOR(in1, in2), out))
(6) from (5): {S1, D1} : imp(#(...), out)
(7) from (5): {S0, D0} : spec(NOR(in1, in2), out)
. . .
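The two verification problems of Example 3 can also be settled by exhaustive evaluation over the definite inputs, which the following added Python example does; it is not code from the paper, whose prover is a Prolog tableau prover. The # operator is implemented as the supremum of Definition 3 and agrees with the rows of Table 2 given above. The transistor functions are an assumption of this example, since the ntrs/ptrs tables of Table 2 are not reproduced on the page: a transistor conducts on the appropriate gate level, passes the value at its other terminal while degrading a strong 1 (NMOS) or a strong 0 (PMOS), and the source/drain variants ntrs/ntrd and ptrs/ptrd are collapsed into one directional function each. The node names n1 (vdd) and n3 (gnd) and the two circuit formulas follow Example 3; the comparison behind imp(I, out) is done on logical levels, since the gate's Boolean output is embedded as {S1, D1} or {S0, D0}.

```python
# Seven switch-level values (SLVs) of Definition 3: E undefined, D* degraded, S* strong.
E, D0, D1, DU, S0, S1, SU = "E", "D0", "D1", "DU", "S0", "S1", "SU"
SLV = (E, D0, D1, DU, S0, S1, SU)
DEFINITE = (S0, S1, D0, D1)                      # the sign of the `definite` connective

STRENGTH = {E: 0, D0: 1, D1: 1, DU: 1, S0: 2, S1: 2, SU: 2}
LEVEL = {E: None, D0: "0", D1: "1", DU: "U", S0: "0", S1: "1", SU: "U"}
UNKNOWN_OF = {0: E, 1: DU, 2: SU}               # the unknown value of a given strength


def join(a, b):
    """The # operator: supremum in the SLV lattice. The stronger value wins; two
    different values of equal strength resolve to the unknown of that strength."""
    if STRENGTH[a] != STRENGTH[b]:
        return a if STRENGTH[a] > STRENGTH[b] else b
    return a if a == b else UNKNOWN_OF[STRENGTH[a]]


def ntr(gate, x):
    """NMOS pass transistor (assumed semantics, Table 2 is not on the page): conducts on
    logical 1 and passes x, degrading a strong 1 to D1; open on logical 0; an unknown
    gate state yields the unknown of the strength the transistor could pass."""
    passed = {S1: D1, SU: DU}.get(x, x)
    return {"1": passed, "0": E}.get(LEVEL[gate], UNKNOWN_OF[STRENGTH[passed]])


def ptr(gate, x):
    """PMOS pass transistor (assumed semantics): conducts on logical 0, degrades a strong 0 to D0."""
    passed = {S0: D0, SU: DU}.get(x, x)
    return {"0": passed, "1": E}.get(LEVEL[gate], UNKNOWN_OF[STRENGTH[passed]])


def nor_correct(in1, in2, vdd=S1, gnd=S0):
    """#(#(ptrs(in2, ptrs(in1, n1)), ntrd(in1, n3)), ntrd(in2, n3)) with n1 = vdd, n3 = gnd:
    two PMOS in series pull up, two NMOS in parallel pull down."""
    pull_up = ptr(in2, ptr(in1, vdd))
    return join(join(pull_up, ntr(in1, gnd)), ntr(in2, gnd))


def nor_wrong(in1, in2, vdd=S1, gnd=S0):
    """#(ntrs(in2, ptrs(in1, n1)), #(ntrd(in1, n3), ptrd(in2, n3))): the in2 transistors
    have the wrong type in both the pull-up and the pull-down path."""
    pull_up = ntr(in2, ptr(in1, vdd))
    return join(pull_up, join(ntr(in1, gnd), ptr(in2, gnd)))


def spec_nor(a, b):
    """Gate-level NOR on the logical levels of two definite SLVs."""
    return "1" if LEVEL[a] == "0" and LEVEL[b] == "0" else "0"


def horizontal(impl):
    """Horizontal verification: definite inputs produce only definite values at out.
    Returns the violating (in1, in2, out) triples; an empty list means verified."""
    return [(a, b, impl(a, b)) for a in DEFINITE for b in DEFINITE
            if impl(a, b) not in DEFINITE]


def vertical(impl, spec):
    """Vertical verification, imp(I, out) -> spec(G, out): the logical level at out equals
    the gate's output for every definite input. Returns the counterexamples."""
    return [(a, b, impl(a, b)) for a in DEFINITE for b in DEFINITE
            if LEVEL[impl(a, b)] != spec(a, b)]


if __name__ == "__main__":
    print("vertical, correct NOR: ", vertical(nor_correct, spec_nor))   # []
    print("vertical, wrong NOR:   ", vertical(nor_wrong, spec_nor))     # 8 counterexamples, e.g. ('S0', 'S0', 'D0')
    print("horizontal, wrong NOR: ", horizontal(nor_wrong))             # []: definite outputs, but the wrong function
```

Note that the incorrect implementation passes horizontal verification (its outputs are definite) and is only caught by the vertical check against the gate-level NOR, which is the point of relating the two design levels: for in1 = in2 = S0 the PMOS pull-down transistor conducts and drives out to D0 where the specification demands a 1.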
Conclusion
With an experimental tableau-based many-valued theorem prover implemented in Prolog [9] we have verified the correct NOR implementation within 0.250 seconds and have shown the incorrectness of the second implementation within 0.37 seconds (on a SUN 4/75). Among the larger problems, we have verified a full adder for two binary variables, with a specification consisting of 7 gates and an implementation using 24 transistors. There we have separated the computation of the sum and the computation of the carry. To verify the computation of the sum of two variables we need 18 seconds, and for the verification of the carry computation we need 5.6 seconds. Other experiments have shown that up to 30 transistors can be handled.
Sequential circuits (i.e., with feedback) can either be handled as in [3] using finite automata or by extending the many-valued reasoner to a temporal model checker.
These figures do not seem very impressive; however, they show that the approach is viable. As already noted, recent experiments with a many-valued propositional satisfiability checker based on integer programming techniques [7] showed that a speedup by a factor of several hundred may be obtained by using sophisticated implementation techniques. As demonstrated in [8], most inference techniques can be extended from classical to many-valued logic in an efficient way. We expect that switch-level circuits consisting of several hundred parts can be handled this way without modularizing the input.
