Ternary system modeling involves extending the traditional set of binary values ¡ 0¢ 1£ with a third value X indicating an unknown or indeterminate condition. By making this extension, we can model a wider range of circuit phenomena. We can also efficiently verify sequential circuits in which the effect of a given operation depends on only a subset of the total system state.
Introduction

Ternary Modeling
Most formal models for hardware verification assume that every signal always has a well-defined, discrete value. For example, a binary model assumes that each signal must be either 0 or 1. In this paper we present a methodology for formal verification in which a third value X is added to the set of possible signal values, indicating an unknown or indeterminate logic value. By shifting to a ternary system model, we gain several advantages.
As a first advantage, this extension makes it possible to model an increased range of circuit phenomena. For example, we can deal with circuits in which nondigital voltages are generated ¤ This research was supported by the Defense Advanced Research Projects Agency, ARPA Order Number 4976, and by the National Science Foundation, under grant number MIP-8913667. in the course of normal circuit operation. This occurs frequently when modeling circuits at the switch-level [6] , due to (generally transient) short circuits or charge sharing. We can also deal with circuits in which indeterminate behavior occurs due either to timing hazards or to circuit oscillation. In all of these cases, the modeling algorithm expresses this uncertainty by assigning value X to the offending circuit nodes, indicating that the actual digital value cannot be determined [8, 15] .
As a second advantage, we can efficiently verify many aspects of digital circuit behavior by representing the circuit with a ternary system model. We do this by ternary symbolic simulation, in which a simulation algorithm designed to operate on scalar values 0, 1, and X, is extended to operate on a set of symbolic values. Each symbolic value indicates the value of a signal for many different operating conditions, parameterized in terms of a set of symbolic Boolean variables. Since the value X indicates that a signal could be either 0 or 1 (or a non-digital voltage), we can often represent many different operating conditions by the constant value X, rather than with a more complex symbolic value. For example, we can verify that a particular sequence of actions will yield a 1 (or 0) on some node regardless of the initial state by verifying that this value results when starting from an initial state where all nodes are set to X. This requires far less effort than analyzing the effect of the action on all possible initial binary states.
Simulators that support ternary modeling intentionally err on the side of pessimism for the sake of efficiency. That is, they will sometimes produce a value even where exhaustive case analysis would indicate that the value should be binary (i.e., 0 or 1). For example, most ternary simulators evaluate logic functions in a ternary algebra created by extending the standard Boolean operators. This algebra does not obey the law of excluded middle, because X When creating a ternary system model, we impose the following monotonicity requirement: In the presence of X signals as stimuli, no action of the circuit should yield a binary value, unless the same value would occur if any subset of these stimuli had binary values instead. That is, when given incomplete information about the exact circuit state, we should never produce a signal inconsistent with one that would result if more information were available. This monotonicity condition makes it possible to verify properties of circuit operation in the presence of potential sources of indeterminate behavior by representing this indeterminacy with the value . It also makes it possible to verify properties under a ternary system model as a means of proving properties under a binary system model.
Contribution of Paper
In earlier work, we demonstrated the utility of ternary modeling for verifying a variety of circuits [1, 7] . Our methodology is based on ternary simulation, either scalar or symbolic. With a simulator we can verify assertions specifying a postcondition on the circuit state that would result given some precondition on the previous state and some condition imposed on the input values. By restricting the form of the precondition, postcondition, and input condition to specifying that some of the nodes have particular binary values, we can verify such an assertion by a single simulation sequence. That is, we perform a simulation in which any node that is constrained by the precondition or action is set to its specified value, while all other nodes are set to X. If the resulting node states satisfy those specified by the postcondition, then the assertion is proved. For some classes of circuits, e.g., random access memories, we can verify correct circuit operation for all possible inputs and initial states by simulating only a polynomial number of scalar patterns. For other circuits, we can overcome the combinatorial complexity of considering many different initial states and input actions via symbolic simulation.
This earlier work demonstrated the viability of circuit verification by symbolic simulation, but it fell short in terms of generality, ease of use, and degree of automation. We did not have a formal notation for specifying the desired circuit properties, nor a method to generate simulation patterns directly from the specification. Instead, we derived symbolic simulation patterns by hand and argued informally that these patterns served to verify the desired properties. Furthermore, it was particularly cumbersome to verify operations requiring multiple state transitions, such as occurs in pipelined systems.
In this paper, we correct this shortcoming by presenting a formal state transition model for a ternary system, a formal syntax for expressing desired properties of the system, and an algorithm to decide whether or not the system obeys the specified property. Our state transition system is quite general, and is compatible with a number of circuit modeling techniques.
Our specifications take the form of symbolic trajectory formulas mixing Boolean expressions and the temporal next-time operator. The Boolean expressions provide a convenient means of describing many different operating conditions in a compact form. For example, we can express the desired behavior of an ALU on all possible inputs. By allowing only the most elementary of temporal operators, the class of properties we can express is relatively restricted, as compared to other temporal logics [10, 17] . In particular, we can only reason about circuit operations involving a bounded number of state transitions. Nonetheless, we have found that we can readily express many aspects of synchronous digital systems. It is quite adequate for expressing many of the subtleties of system operation, including clocking conventions and pipelining.
Our decision algorithm is based on ternary symbolic simulation. It tests the validity of an assertion of the form [
¤ ¢ ¡ £
], where both and £ are trajectory formulas. That is, it determines whether or not every state sequence satisfying (the "antecedent") must also satisfy £ (the "consequent"). It does this by generating a symbolic simulation sequence corresponding to the antecedent, and testing whether the resulting symbolic state sequence satisfies the consequent.
An important property of our algorithm is that it requires a comparatively small amount of simulation and symbolic manipulation to verify an assertion. The restrictions we impose on the formula syntax guarantee that there is a unique weakest symbolic sequence satisfying the antecedent. Furthermore, the symbolic manipulations involve only variables explicitly mentioned in the assertion. Unlike other symbolic circuit verifiers [3] , we do not need to introduce extra variables denoting the initial circuit state or possible primary inputs. Finally, the length of the simulation sequence depends only on the depth of nesting of temporal next-time operators in the assertion.
Some insight into the expressive power of our specification language can be gained by reviewing the different classes of properties examined by Pnueli in his original paper on temporal logic [17] . In particular, our notation is adequate for expressing many invariant properties of the system. That is, we formulate an assertion where the antecedent expresses a set of guaranteed constraints on the circuit inputs and state over multiple time intervals, while the consequent expresses some additional desired constraints on the state. These desired constraints generally include the state guarantees of the antecedent shifted to a later time. By verifying such an assertion, we prove that the desired properties of the consequent hold over the entire operation of the circuit as long as the inputs are supplied correctly. On the other hand, properties that require reasoning about eventuality cannot be expressed with our notation, unless the desired property is guaranteed to hold within a bounded time.
Overview of Implementation
By modifying the COSMOS symbolic simulator [5] , we have been able to implement the algorithm described in this paper and to verify several full scale circuit designs. COSMOS represents a MOS circuit at the switch level as a network of transistor switches connecting charge storage nodes. The simulator preprocesses the circuit to transform it into a Boolean representation [6] . Using this Boolean representation, the switch-level behavior of the circuit can be computed by simply evaluating a series of Boolean operations, much as one would in a gate-level circuit model. The preprocessor is quite general and accurate. The resulting representation is guaranteed to produce the exact same results as more traditional switch-level simulators.
Simulating a circuit symbolically involves evaluating these Boolean operations over the algebra generated by a set of Boolean variables. That is, each element of the algebra corresponds to a Boolean function over the variables. By representing these functions as Ordered Binary Decision Diagrams [4] , complex functions can be represented and manipulated efficiently. Of course, all of the verification properties we wish to decide require solving NP-hard problems. Our approach has a worst case time and space requirement that grows exponentially with the size of the formulas expressing the circuit property to be decided. Nonetheless, we have been successful at avoiding exponential blow-up for many useful cases. Our system model and checking algorithm is not strongly tied to the use of BDDs. In this work, we view our BDD code as simply a package for representing and manipulating Boolean functions symbolically.
COSMOS supports a ternary model of switch-level circuit operation, where X indicates either an unknown or potentially non-digital node voltage. It does this by encoding each node state as a pair of binary values, according to a "dual rail" coding of the circuit state. The excitation function for a node is given by a pair of Boolean expressions specifying how the encoded new state of the node should be computed from the encoded old states [6] . This implementation decision greatly helped the development of our symbolic simulator. When simulating the circuit symbolically, we simply represent the state of each node by pointers to the roots of two BDDs, and compute the new states of a node by evaluating the excitation expressions symbolically.
The following table indicates the performance of our verifier on several different circuits. All CPU times were measured on a DEC 3100 (a 10-20 MIPS machine). We also list the maximum memory requirement of the process, as this is more often the limiting factor in BDD-based symbolic manipulation than is CPU time.
Circuit
Transistors 
¢
is the current depth of the stack. As a consequence, the symbolic values manipulated in verifying the stationary data stack are more complex than those for the moving data stack. In both cases, however, the performance was acceptable.
The static RAM example indicates just how efficient symbolic verification can be. We have already demonstrated that this class of circuit can be verified by simulating just ¥ § ¦ © log scalar patterns [7] . By exploiting the bit-level parallelism of the logical instructions in a conventional machine, we were able to simulate 32 of these patterns at a time. Even so, the symbolic verification outperforms the scalar verification by a factor of 4. Furthermore, creating the assertions for the symbolic verification was far more straightforward than was generating the patterns for the scalar verification. For the scalar verification, we had to consider details of the memory's row and column addressing structure to avoid errors caused by the pessimistic modeling of X. No such tuning was required for the symbolic verification.
We are now applying our verifier to more complex circuits such as pipelined data paths and simple microprocessors. We have found the expressive power of our notation and the performance of the verifier acceptable in most of the cases we have considered.
Related Work
Our approach to verification relates most closely to the symbolic model checking algorithms devised by Bose and Fisher (BF) [2, 3] , and by Burch, Clarke, McMillan, and Dill (BCMD) [9] . In fact, all of these approaches are implemented using the same Boolean manipulation code! Furthermore, Bose and Fisher implemented their checker by extending COSMOS. Despite these internal similarities, however, there are significant differences in the capabilities and complexities of the algorithms. In particular, our method is the most restricted in terms of the class of properties that can be verified. Both the BF and BCMD algorithms can decide a class of formulas consisting of a complete branching time, propositional temporal logic under a binary system model. Our method can only be used to verify properties of bounded state sequences. What we loose in expressive power, however, we make up for in computational efficiency. The computational effort required by our model checker is considerably less than theirs. One can view the combined effect of these research projects as providing a spectrum of checking-based verifiers that trade off between expressiveness and performance.
In the BF algorithm, the underlying circuit is assumed to be synchronous and deterministic. Nondeterministic sequential behavior arises due only to the different signals that may be applied to the inputs (expressed as existentially quantified Boolean variables). Their algorithm requires creating an explicit representation of the next state function for every state variable in the system. They create this representation by symbolic simulation. That is, the user identifies each place state is stored in the system, either as charge on a node, or as a pair of complementary values within a static memory element. They then symbolically simulate a single system cycle, where each state variable and each input signal is represented by a distinct Boolean variable. Once they have obtained this Boolean representation of the next state behavior, the validity of a temporal formula can be derived by (rather extensive) symbolic Boolean manipulation. This process of extracting the explicit next state function can be quite costly. In contrast, our method represents the next state function implicitly as a combination of circuit structure and simulation algorithm. We only compute the next state behavior for the particular patterns required to verify a given assertion. These patterns involve far fewer variables than is required by Bose and Fisher's functional extraction.
In the BCMD algorithm, the underlying system can be nondeterministic, and the user can even impose fairness constraints on the model. To support this great expressive power, they require an explicit representation of the next state relation for the entire system. That is, for each state variable in the system they have one Boolean variable representing its "old" value and one representing its "new" value. The next state relation is represented as a Boolean function of all of these variables, where the function yields 1 when the old and new state are related, and 0 otherwise. Generating this characteristic function is even more difficult than generating representations of the individual next state functions for each state variable.
Most other automated approaches to sequential circuit verification are based on testing state machine equivalence [11, 13] . Such methods are useful for comparing two different (but hopefully equivalent) representations of the system, such as one at a register-transfer level and one at a gate level. However, they do not work well for verifying the correctness of incompletely specified systems, nor for reasoning about systems that employ methods, such as pipelining, that shift the sequencing of activities in time. Furthermore, most of these methods assume that the system starts in some known initial state. In actual circuits, the initial state usually cannot be predicted.
Other researchers have suggested symbolic simulation as a means of circuit verification [12, 18] . None of this work has presented a clear methodology for sequential circuit verification, however. The above monotonicity definition is consistent with our use of information content. If a function is monotone, we cannot "gain" any information by reducing the information content of the arguments to the function. In other words, changing some signals from binary values to X will either have no effect on the output values, or it will change some binary values to X.
Ternary System
To express the behavior of a circuit operating over time, we must reason about sequences of states. Conceptually, we will consider the state sequences to be infinite, although the properties we will express can always be determined from some bounded length prefix of the sequence. Define a the set to consist of all sequences 
Circuit Model
The underlying model of a circuit we use is quite simple, as well as general. A circuit : is a set of symbolic Boolean variables with which parameterized properties of the circuit are to be expressed.
In the mathematical presentation we will refer to the nodes as
, whereas in our examples we often will use more descriptive names. In logic gate circuits the nodes correspond to the primary inputs and the outputs of the gates. In switch-level circuits the nodes correspond to electrical nodes in the circuit.
The excitation functions are defined in a non-traditional way. We view them as expressing "constraints" on the values the nodes can take on one time unit later given the current values on the nodes. By constraint we mean specific binary values, whereas the value X indicates that no constraint is imposed. Since the value of an input is controlled by the external environment, the circuit itself does not impose any constraint on the value; hence the excitation of an "input node" is X. More formally, if node ¥ determined by the circuit topology and functionality. For example, if the current input to a unit delay inverter is 0, then the output of the inverter one time unit later is constrained to be 1.
It should be pointed out that the "time unit" referred to above is the smallest period of time that is distinguishable in the circuit model. The minimum delay in any individual component of the circuit can be significantly larger. Thus we are not limited to unit delay circuit models. For example, by using the transformation technique described in [19] , both nominal delay and bounded delay circuit models can be used.
The excitation function for a function node is often a ternary extension of a binary excitation function. Note that such an extension can be done in many ways. However, we require that the extended function agrees with the binary on binary inputs, and that the ternary function obtained is monotone. These requirements simply ensure that we do not "loose" information by extending a binary excitation function to the ternary domain. In other cases, like in switch-level models, the excitation functions derived are already ternary, since even binary signals can generate nondigital voltages on some nodes.
Circuit Trajectories
State sequences are useful when reasoning about circuit behaviors. However, not all state sequences represent possible behaviors of a circuit. The excitation functions generally restrict the possible state sequences significantly. We formalize this property by introducing the concept of a circuit trajectory. Given a circuit On first reading, it may seem strange to define a circuit model where a node with excitation X may spontaneously change to either 0 or 1. This is our way of capturing the property that a circuit may exhibit a variety of different behaviors due to variations in the initial state, the primary input values, and the outcome of marginal operating conditions. An input node may change to 0 or 1 on every step, reflecting the fact that its value is determined solely by the operating environment. An uninitialized internal node may change to 0 or 1 to reflect the fact that it could have had either of these as initial values. An internal node that was set to X due to marginal operating conditions can change to 0 or 1 to reflect that the actual node state could resolve in either direction.
To illustrate trajectories, consider a unit delay inverter. Assume the circuit contains two nodes: the inverter input . It is easy to accept that, for example,
a re valid circuit trajectories. Less intuitive is that a sequence like
i s also a valid circuit trajectory. Our methodology verifies properties for all circuit trajectories that satisfies some conditions, including degenerate trajectories as this one. Consequently it will perform a stronger verification than absolutely necessary. Again, this pessimism stems from our use of X as a completely unknown value.
Specification Language
Our specification language describes a property of the circuit as an assertion of the form [ 
Symbolic Expressions
Before we can define our language, we need to introduce some notation and definitions. If 
Symbolic Trajectory Formulas
A trajectory formula expresses a set of constraints on a circuit trajectory. When the formula contains Boolean expressions, each interpretation of the variables yields a different set of constraints.
A step-level symbolic trajectory formula is defined recursively as:
1. Constants: TRUE is a trajectory formula. 
Assertions
Our verification methodology entails proving assertions about the model structure. These assertions are of the form [ . Given a circuit and an assertion, the task of our checking algorithm is to compute the Boolean function expressing the set of interpretations under which the assertion is true. For most verification problems, this should simply be the constant function 1, i.e., the assertion should hold under all variable interpretations.
Properties
We have intentionally chosen to introduce only a heavily restricted trajectory formula syntax for our base logic. As discussed previously, we do not support more sophisticated temporal operators such as "Until," "Globally," or "Eventually." Furthermore, we do not even permit such elementary logic operators such as disjunction, negation, or quantification.
By imposing these restrictions, we can guarantee the following key property:
Proposition 1 For any trajectory formula
In the first case above, we say that the formula ¦ is not satisfiable under interpretation . In the second case, we refer to the sequence This theorem can be proved by induction on the formula structure. Rather than prove it here, however, we will show in a later section how the checking algorithm can compute a Boolean function describing the set of interpretations for which the formula is satisfiable, as well as a symbolic sequence representing the weakest trajectory for every satisfiable interpretation.
Note that this theorem expresses a very strong property of our logic. It demonstrates the reason why we can verify an assertion by simulating a single symbolic sequence, namely the one encoding the weakest trajectories allowed by the antecedent for every interpretation. It is stronger than the simple monotonicity condition that if Disjunction is a useful extension to our language and can be implemented using quantified Boolean variables. Negation, on the other hand, seems to run contrary to the principles of ternary modeling.
Extensions
The logic, as described above, is convenient for deriving the underlying theory. Unfortunately, expressing "interesting" assertions about real circuits using only the constructs above is very tedious. Two shortcomings make using the logic cumbersome: the fine granularity of the timing, and the lack of more powerful logical constructs. It is convenient to add extensions that do not add any expressive power, but make it easier to write assertions.
This basic structure of starting with a minimal basic logic and then adding more elaborate structures as extensions also mirrors our current implementation. The implementation consists of two parts. The underlying logic, with some few extensions, is taken care of by our modified version of the COSMOS symbolic switch-level simulator. The syntactic extensions are supported by a front-end written in SCHEME. The user writes SCHEME code that, when evaluated, generates a file of low-level simulation commands which are then evaluated by the simulator.
Timing Extensions
Our main interest is in verifying synchronous circuits. Hence, we would like to reason about time on a more abstract level than basic time units. For many VLSI circuits it is natural to describe the desired behavior in terms of phase level behavior. Let a phase be a period of time during which no inputs (including clocks) change. For simplicity, we will assume that all phases have the same duration. For example, if phases are basic time units long and we want the instantaneous formula ¦ to hold for the entire phase, then this can be translated into . Thus a formula in a logic based on the next-phase operator can be translated directly into a formula in the logic based on the next-step operator. In our current implementation, the logic we support only allows the next-phase operator. The transformation into the next-step logic is taken care of by the COSMOS simulator so that event-scheduling can be used to achieve good performance.
If we are using a nominal or bounded delay circuit model, the basic time step corresponds directly with some exact amount of time. Hence, in these cases it is easy to define the length of a phase. At other times we are not interested in the exact timing of the circuit. For example, if we do not have delay values available (pre-layout) or if we use a very inexact delay model (say unit-delay) it is somewhat meaningless to say that a phase is time units long. In these situations we often want to express the behavior in terms of "stable" phases. In other words, a phase may defined to be as long as needed for the circuit to stabilize. Of course, we must also take care of the case where the circuit never stabilizes, but oscillates. The solution to this is to "force" the circuit simulator to stabilize after some reasonably large number of steps. This can be accomplished by running a normal simulation for that many steps and then forcing oscillating nodes to X. We leave the details on how to do this symbolically to the interested reader.
Logic Extensions
As already alluded to above, it is very tedious to write assertions using only the basic logic. Thus in our SCHEME translator we provide a number of syntactic extensions. In the following we will outline some of these. Our next addition is to allow the user to specify a domain restriction for a complete assertion, i.e., we allow the user to write Given that the front-end is embedded in SCHEME, and the user actually writes SCHEME code, it is easy to define new extensions. In fact, by writing SCHEME procedures it becomes very natural to express the circuit assertions in a hierarchical way, improving the readability of-and consequently the confidence in-the assertions.
Examples
The extensions described in the previous section provide a phase level timing model and an assertion language with more powerful abstraction capabilities. Given these extensions we claim the logic is both sufficiently powerful and easy to use to express a wide variety of verification tasks. We support this claim with some illustrative examples.
Moving Data Stack
First we will demonstrate the utility of the temporal notation in expressing phase level circuit timing and pipelining. The example is the nMOS stack circuit described by Mead and Conway [16] . Figure 1 shows the block diagram for the circuit. The circuit operates with a two-phase nonoverlapping clock. The stack command is specified by a pair of signals, OP1 and OP2, which are multiplexed onto a single circuit input Op. The control signal is pipelined half a clock cycle ahead of the data signals. That is, the command for clock cycle is specified by supplying OP1 on the Phi2 phase of cycle £ 1, and OP2 on the Phi1 phase of cycle , as illustrated in Figure 2 . The input data must be supplied during the Phi1 phase, and the output is valid during the Phi2 phase. For each stack cell, we will consider the "state" of the cell to be the value held there during the Phi1 phase of the cycle.
Omitted Figure: stack-block 
The formula Cycles defines the operation of the clocks over the time period illustrated in Figure 2 .
Since negative logic is used internally, let Stored¦
We can now express our assertion as:
Note that In this example, verifying the correct operation of a single stack operation requires reasoning about the behavior of the circuit over parts of 3 clock cycles. Such is often the case in pipelined systems.
Static RAM
Our second example is a static RAM, as illustrated in Fig. 3 . The data for each memory location ¡ are stored on node 2 % . Within the RAM cell there is a node holding the complementary value. Unlike in the verification described in [7] based on scalar simulation, we do not need to explicitly set or check this complementary value. The phase level timing abstraction handles this automatically. That is, asserting a value on node Omitted Figure: ram-block The only information we need to know about the design of the RAM is the names of the input/output signals, and the names of the storage nodes of each memory cell, as well as the interface timing. For ease of exposition, we express the specification at the clock cycle level in terms of a cycle-level next-time operator X . Given a specification of the clocking patterns and interface timing for the circuit, we could translate these assertions into phase-level assertions in a similar fashion as we did for the moving data stack.
It is easy to convince oneself that a correct memory must satisfy three properties: 1) that we can write successfully into each cell 
Discussion
As these examples illustrate, our notation works well for expressing the state transition properties of a circuit. For circuits, such as memories and data paths, this is a fairly natural form of specification. That is, one thinks of each operation of the system as updating some portion of the stored system state.
In these examples, we constructed the specification assertion in a hierarchical way, starting with low level timing information and working up to more abstract system operations. This seems to be a fairly convenient way to view the system at different abstraction levels. Because we actually write our specifications as SCHEME programs, we can use the procedural abstraction capabilities of SCHEME to express the specification hierarchically.
Symbolic Simulation
As we have shown, symbolic formulas provide a concise means to specify desired properties of the circuit under many different operating conditions. We are now ready to introduce a method of verifying the assertions via symbolic simulation. The key idea is to preserve the symbolic structure of the formulas in the verification algorithm. By doing so, we can replace the need for large amounts of case analysis with algebraic manipulation.
Symbolic Algebras
In creating a symbolic model, we extend the scalar model defined in terms of the binary and ternary domains and 
¥ ¤
We then extend the operations defined over scalar values to create a symbolic algebra.
We can also extend the vector and sequence algebra defined over scalar values to their counterparts defined over symbolic values. That is, define the vector domain 
Special Operations
We require one operation that is extended to vectors in a nonstandard way. Define the infix operator ?:
? equals if § is 1, and equals otherwise. When extending this operation to vectors, only the second argument is vector-valued. That is the operation ?:
This operation is then extended symbolically in the manner described above.
As a final operation, we define a variant of the join operation that is defined even when for some 
Translating Instantaneous Formulas to Symbolic Vectors
Given the above definitions, we first give a procedure that for an instantaneous formula 
, where the 0 is in position 
This proposition can be proved by induction on the formula structure.
Checking Assertions
Our first step in verifying an assertion is to rewrite the antecedent and consequent into a normal form where all next-time operators are collected together. It is easy to show that a trajectory formula 
¡
. Hence, without any loss of generality, we will henceforth assume that the antecedent and the consequent in an assertion are trajectory formulas in normal form containing the same number of terms.
Given an assertion [
define a sequence of symbolic ternary vectors Omitted Figure: pseudo-xor Figure 5 : Pseudo XOR Circuit. This circuit satisfies the assertion for an XOR circuit, because the antecedent trajectory fails whenever the output should be nonzero.
The antecedent is converted into the simulation pattern outlined on the left hand side of Figure 4 . That is, the address inputs are set to Boolean variables encoding the possible addresses. The cells are set to more complex symbolic values. For each possible interpretation of the address variables, we see that one cell is set to value , while the other three cells are set to . Verifying the assertion involves simulating this single pattern and then checking that the resulting value on Dout equals .
This example illustrates how our methodology combines symbolic and ternary values when encoding the different possible circuit states. In a binary model of the circuit, there are 16 (in general 2 ¡ ) different initial binary states of the memory. These cases can be covered by 8 (in general 2 ) different initial states in a ternary model-each having one cell set to 0 or 1 and the rest set to . These different cases can then be encoded by a single symbolic case in terms of 3 (in general 1 ¡ log ) Boolean variables. As the size of the memory grows, the reduction in complexity we realize becomes dramatic.
Areas for Future Investigation
The checker described here provides a useful tool for reasoning about digital circuits. However, some questions remain as to exactly how it can and should be used. In particular, we must still devise a comprehensive theory on how to prove that a circuit fully realizes its specification.
To illustrate one subtlety of this task, consider trying to show that a circuit with inputs A and B and output Out implements the exclusive-or function. Intuitively, it seems that it would be sufficient to prove that circuit obeys the assertion . Unfortunately, this is not the case. For example, this assertion is obeyed by the rather useless circuit of Figure 5 , where the two inputs are tied together, and the output is always 0. Any interpretation of the variables for which ¦ § § ¤ ¦ will cause the antecedent trajectory to fail, because inputs A and B are electrically equivalent. The only interpretations for which the trajectory succeeds are ones for which the output should be 0, in which case the consequent is also satisfied.
Any checking based purely on testing implications is prone to this sort of "false positive" error. Problems of this sort have been encountered by people using other systems for hardware verification such as HOL [14] and EMC [10] . We believe that shortcomings of this sort can be corrected by more careful attention to the cases where an implication succeeds due a failure of its antecedent. In all of the verification examples we have performed, we make sure that the specification is formulated in such a way that the antecedent trajectory should never fail. We check this as part of the verification process.
Conclusions
In terms of mathematical sophistication, the problem solved by our algorithm is far less ambitious than what is attempted by full-fledged temporal logic model checkers. However, we believe that our language is rich enough to be able to describe many important properties of a circuit and to provide a direct path by which such properties may be automatically verified. By keeping the goals of our verifier simple, we obtain an algorithm that is capable of dealing with much larger circuits.
One interesting property of our algorithm, in fact, is that its computational complexity is relatively insensitive to the circuit size. That is, the complexity is determined largely by the complexity of the assertion to be verified, measured in terms of the number of symbolic variables, and the depth of nesting of next time operators. We have found that in many circuits, properties can be expressed in terms of a surprisingly small number of variables. For example, our formulas providing a complete specification of of a -bit static RAM involve only 2 ¡ 2 log variables. Thus, we can perform the verification in polynomial time irrespective of the heuristic efficiency of the Boolean manipulator.
