Hierarchical formal verification using a hybrid tool by Kort, Skander et al.
Software Tools for Technology Transfer manuscript No.
(will be inserted by the editor)
Concordia University, Canada. ({tahar,kort}@ece.concordia.ca)
Middlesex University, UK. (p.curzon@mdx.ac.uk)
Received: date / Revised version: date
Key words: HOL (Higher-Order Logic), MDG (Multiway Decision Graphs), Hybrid tools, Hierarchical Verification
Abstract. We describe a hybrid formal hardware verification tool that links the HOL interactive proof system and the MDG automated hardware verification tool. It supports a hierarchical verification approach that mirrors the hierarchical structure of designs. We obtain advantages of both verification paradigms. We illustrate its use by considering a component of a communications chip. Verification with the hybrid tool is significantly faster and more tractable than using either tool alone.
1 Introduction
Automated decision diagram based formal hardware verification is fast and convenient, but does not scale well, especially where datapaths and control circuitry are combined. Details of the version of the design verified need to be simplified, e.g., considering 1-bit instead of 32-bit datapaths. Finding a model reduction and appropriate abstractions so that verification is tractable with the tool can be time-consuming. Moreover, significant detail can be lost. An alternative is interactive theorem proving. The verification can be done hierarchically, allowing large designs to be verified without simplification. Furthermore, it is possible to reason about high level abstractions of datatypes. It can however be very time-consuming, requiring significant user interaction and skill.
The contribution of our work is to implement a hybrid tool combining HOL [12] and MDG [5] which provides explicit support for hierarchical hardware verification. In particular, we have provided an embedding of the MDG input language in HOL, implemented a linkage between HOL and MDG using the PROSPER toolkit [9] and implemented a series of HOL tactics that automate hierarchical verification. This means that a hierarchical
HOL system. However, the MDG tools can be called to perform verification of components that are within its capabilities. We have verified a component of a communication switch using the tool. Verification is shown to be significantly faster and more tractable using the hybrid tool than with either tool individually.
The remainder of this paper is organized as follows. In Section 2 we briefly overview the two tools being linked. We present our hybrid tool and the methodology it embodies in Section 3. A case study using the tool to verify a component of an ATM (Asynchronous Transfer Mode) switch is described in Section 4. Finally, we discuss related work in Section 5 and draw conclusions in Section 6.
2 The Linked Tools
Our hybrid tool links the HOL interactive theorem prover and the MDG hardware verification system. HOL [12] is based on higher-order logic. The user works interactively with the system, calling ML functions [19] that implement inference rules to apply proof steps. New theorems are created in HOL by applying inference rules: derived rules call a succession of primitive rules, so the user can have great confidence in the derived theorems. However, HOL also provides functions to create theorems directly without proof. This feature can be used to import results produced by external tools into HOL. Our hybrid tool uses the PROSPER/Harness Plug-in Interface of HOL [9]. This gives a uniform way of linking HOL with external proof tools. It provides the low level client-server communication interface from HOL to various languages within which other tools are integrated. A range of different external proof tools (such as MDG) can act as servers to a HOL client. The interface removes the burden of writing low-level communication tools, leaving the hybrid tool designer to concentrate on higher-level issues. It also tags theorems produced by plug-ins with a label indicating their source. These labels are propagated to any theorem generated from the imported result, allowing the pedigree of any result to be determined later.
The MDG system, which is primarily designed for hardware verification, provides verification procedures for equivalence and property checking. The former checks the equivalence of two combinational circuits or of two state machines. The latter allows verification through invariant checking or model checking. The strength of the MDG system is its automation and ease of use. It has been used in the verification of significant hardware examples [23,4,25]. The MDG system is a decision diagram based verification tool based on Multiway Decision Graphs (MDGs) [5] rather than on binary decision diagrams. MDGs overcome the data width problem of Reduced-Order Binary Decision Diagram (ROBDD) based verification tools. An MDG is a finite, directed acyclic graph (DAG). MDGs essentially
more compact than ROBDDs for designs containing a datapath. Furthermore, sequential circuits can be verified independently of the width of the datapath. The MDG tools combine some of the advantages of representing a circuit at more abstract levels with the automation offered by decision-diagram based tools. The input language for MDG is MDG-HDL, a simple hardware description language (HDL) supporting structural descriptions, behavioral descriptions as Abstract State Machines (ASMs) or a mixture of both. A structural description is usually a netlist of components connected by signals, and a behavioral description is given by a tabular representation of the transition/output relation of the ASM. This is done using the Table construct of MDG-HDL: essentially a case statement that allows the value of a variable to be specified in terms of the values of inputs and other expressions.
3 The Hybrid Tool and Verification Methodology
In a pure MDG verification, structural and behavioral descriptions are given for the top level design. An automated verification procedure is then applied. If the problem is sufficiently tractable, the verification is completed automatically. If not, ideally the problem would be attacked in a hierarchical fashion by verifying the sub-blocks independently. However, the management of this process cannot be done within the tool, though it could be done informally outside it.
In a pure HOL hardware verification, the proof is structured according to the design hierarchy of sub-blocks within the implementation. For each block, including the top level block of the design, a structural specification and a behavioral specification are given. Each block's implementation (apart from those at the bottom of the hierarchy) is verified against its specification in three steps. Firstly, an intermediate verification result is obtained about the block based on the behavioral descriptions of its sub-blocks. Essentially, the sub-blocks are treated as primitive components in this verification. Secondly, the process is repeated recursively on the sub-blocks to obtain correctness theorems for them. Finally, the correctness theorems of the sub-blocks are combined with the intermediate correctness theorem of the block itself to give the actual correctness theorem of the block. This is based on the full structural description of the block down to primitive components. The verification follows the natural design hierarchy. If this process is applied to the top level design block, a correctness theorem for the whole design is obtained. The integration of the verification results of the separate components that would be done informally (if at all) in an MDG verification is thus formalized and machine-checked in the HOL approach.
Our hybrid tool supports hierarchical verification, automating the process discussed above, and fits the use
work of compositional hierarchical verification. The HOL system is used to manage the proof, with the MDG system called to verify those design blocks that are tractable. This removes the need to provide behavioral specifications for sub-blocks and the need to verify them separately. In particular, if the design of any sub-block is sufficiently simple, then the hierarchical approach can be abandoned for that block and the whole block verified in one go in MDG. Furthermore, verifying a block under the assumption that its sub-blocks are all primitive components may also be done using MDG if tractable. If not, a normal HOL proof can still be performed. No information is lost in using MDG via the hybrid tool. We use MDG-style behavioral specifications within HOL. This means the specifications must be in the form of a finite state machine or table description. If a higher level abstraction, unavailable in MDG, is required then a separate HOL proof is performed that an MDG style specification meets this abstraction.
3.1 The Hybrid Tool
Our hybrid tool was written in SML (Standard ML). It consists of five modules: a parsing module, an extraction module, a hierarchical verification support module, a code generation module and an MDG interaction module (cf. Figure 1). Subgoal management is done using the HOL subgoal manager. This is an advantage of the
Fig. 1. The Hybrid Tool's Structure.
ments MDG, providing a much more powerful interface to MDG.
The hybrid tool supports the hierarchical verification process by providing a HOL embedding of the concrete subset of the MDG input language, to allow MDG-style specifications to be written in HOL. Several high-level proof tactics that manage and automate the proof process are also provided. A hierarchy tactic, HIER_VERIF_TAC, automates the creation of subgoals from the correctness goal of a block by analyzing its structure as outlined in the previous section. It later combines the proven subgoals to give the desired correctness theorem. Where a non-primitive component occurs several times within a block, the tactic avoids duplication, generating a single subgoal that, once proved, is automatically instantiated for each occurrence of that component to prove the correctness of the block. Another tactic, MDG_TAC, auto-
Fig. 2. Using the Hybrid Tool
correctness theorem for a block using MDG combinational or sequential equivalence verification. This is done after analysis of the implementation or specification description. A HOL tactic, BLOCK_VERIF_TAC, has also been developed as part of the hybrid tool that can verify simple low level blocks automatically, performing Boolean case analysis according to a user-supplied order.
Verification using the hybrid tool proceeds as shown in Figure 2. An initial goal is set that the top level design's implementation meets its behavioral specification. If the design can be verified using MDG, the appropriate MDG tactic, determined by whether the circuit is sequential, is called. Otherwise, the hierarchy tactic is called to break the design into smaller parts, and the process is repeated. At any point, a HOL proof can be performed directly to prove a goal. In general, MDG can fail to terminate due to state-space explosion, leading to the system running out of memory, or due to certain abstract variables or functions being uninterpreted. This is handled manually within the MDG tool using one of the heuristics described in [3].
3.2 Specifications
The hybrid tool must be supplied with a behavioral specification for each block in the design that is verified. This is not necessary for sub-blocks within blocks verified by calls to MDG. The specifications are intended to be complete specifications covering all aspects of the blocks, rather than just partial properties corresponding to some high level property of the whole circuit being verified. The specifications are provided as a normal file of HOL definitions. However, as these definitions must be analyzed by the tool and ultimately converted into MDG, they must follow a prescribed form: they must consist of a conjunction of tables and functional blocks (black-box operations using uninterpreted functions), and input and output arguments must both be explicitly typed and be in a given order. The tables are an embedding of MDG tables in HOL, originally defined by Curzon et al. [6] to verify the MDG components in HOL. The verification of these components increases confidence that the MDG tools can be trusted when used in the HOL system.
Structural specifications are written in a subset of the HOL logic similar to that for behavioral specifications. However, the descriptions are not limited to tables but can include any component of the MDG component library. The structural specification of a block thus differs
HA_i (x, y) (z, cout) =
  (MDG_XOR (x,y) z) ∧ (MDG_AND (x,y) cout)
Fig. 3. A Structural Specification of an Adder
z_TAB (x, y) z =
  TABLE [x;y] z [[F; F]; [T; T]] [F;F] T
cout_TAB (x, y) cout =
  TABLE [x;y] cout [[F; DONT_CARE]; [T; F]] [F;F] T
HA (x, y) (z, cout) =
  (z_TAB (x,y) z) ∧ (cout_TAB (x,y) cout)
Fig. 4. A Behavioural Specification of a Half-Adder
of a network of components. A component may be an MDG built-in component, a functional block, a table or a component previously defined by the user. The MDG built-in components are an embedding in HOL of the actual MDG components.
3.3 The Verification Process
The hybrid tool is intended to provide automated support for hierarchical verification and to enable the user to verify some blocks using MDG. We will illustrate this by referring to the verification of a simple adder circuit. A typical session with the hybrid tool goes through the following steps. First, the user supplies the tool with a specification file and an implementation file as part of an initialization procedure. These are SML files containing normal SML definitions. The specification file includes the behavioral specifications of the design blocks. The implementation file includes the design's structural specification and follows the design hierarchy. Both files may include user defined HOL datatypes. An example of a structural specification for an adder is given in Figure 3. The behavioral specification of a half-adder in terms of tables is given in Figure 4. The specification of the full adder is similar. In a table specification, the first list gives the inputs of the table, the next argument is the output. Next is a list of lists giving possible combinations of input values and then a list giving the output values resulting from those combinations. The final argument gives the default value for any combination of inputs not listed. MDG tables are more general than shown in this example in that general expressions can be used as table inputs and variables can appear in the rows. We have omitted type information from this figure (that each variable is a function from time to a Boolean). Strictly, due to the current version of the implementation of the front end of the hybrid tool, this information must be provided explicitly, though it would be straightforward to derive it as is done in pure HOL. The initialization procedure also involves loading the embeddings of the MDG tables and the MDG components in HOL as well
[Figure 5: white box = implementation, hatched box = specification; one subgoal per sub-block, each answered yes/no]
Fig. 5. Hierarchical Verification using HIER_VERIF_TAC.
Once the tool is initialized, the user sets the correctness goal for the whole design using HOL's subgoal package. This goal states that the design's implementation implies its specification. For example, for our adder, we set the goal:
∀ x y cin z cout.
  FA_i (x,y,cin) (z,cout) ⇒ FA (x,y,cin) (z,cout)
This correctness goal could then be resolved directly through MDG using MDG_TAC. Applying this tactic to complex designs may lead to state explosion. To overcome this, HIER_VERIF_TAC is used. The action of this tactic is summarized in Figure 5. It automatically generates a correctness subgoal for every immediate sub-block in the design. Where one sub-block is used in several places, only one goal is generated: the hybrid tool generates a general subgoal that justifies its use in each situation. A further subgoal states that the lower level specifications, connected according to the structural specification, imply the current specification.
For example, HIER_VERIF_TAC generates two subgoals for our adder.
∀ x y z cout.
  HA_i (x,y) (z,cout) ⇒ HA (x,y) (z,cout)
∀ x y cin z cout.
  FA_i_hl (x,y,cin) (z,cout) ⇒ FA (x,y,cin) (z,cout)
The first is a correctness statement for the half-adder component. Only one such general theorem is generated. This is used to justify the two slightly different concrete subgoals for the two instances of this component in the design. The second subgoal is a correctness goal for the adder where the half-adder is treated as a primitive component. It contains an automatically generated new structural specification FA_i_hl, which is in terms of the behavioral specifications of the half-adder submodules rather than their structural specifications:
HIER_VERIF_TAC creates a justification function that, given theorems corresponding to the subgoals, creates the theorem corresponding to the original goal. The subgoals it produces could be resolved using a conven-
plying HIER_VERIF_TAC once again. If the subgoals are proved, then the justification rule of HIER_VERIF_TAC will automatically derive the original correctness goal from them.
When the MDG-based tactics are applied, the hierarchy in the structural specification is automatically flattened to the non-hierarchical form of primitive components required by MDG (just the next layer down in the case of the second subgoal above). The tool currently generates a static variable ordering for use by MDG, though more sophisticated ordering heuristics could be included. Alternatively the tool user can provide the ordering. Each block verified can use a different variable ordering.
The tool analyzes the feedback of MDG in order to find out whether the verification succeeded or failed. If the verification fails, a counter-example is generated. If it succeeds, the tactic creates the appropriate HOL theorem. For example, for our adder we obtain the theorems:
[MDG] ⊢ ∀ x y z cout.
  HA_i (x,y) (z,cout) ⇒ HA (x,y) (z,cout)
[MDG] ⊢ ∀ x y cin z cout.
  FA_i_hl (x,y,cin) (z,cout) ⇒ FA (x,y,cin) (z,cout)
The theorem is tagged with a label indicating its pedigree: that it is proved by an external tool. This tag will be passed to any theorem proved using these theorems.
The theorem proved can be instantiated for any instance. We can effectively prove a single correctness theorem for a block and reuse it for any instance of the block. In our example, there are two instances of the half-adder, but this single theorem is used for both. This process is managed formally and machine-checked within HOL. This contrasts with pure automated tools, where each instance would need a specific theorem to be verified separately or non-machine-checked reasoning to be relied upon. For the half-adder, the subgoals are formally combined using automatic proof by HIER_VERIF_TAC to give the desired theorem about the adder:
[MDG] ⊢ ∀ x y cin z cout.
  FA_i (x,y,cin) (z,cout) ⇒ FA (x,y,cin) (z,cout)
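The following Python model is an added illustration and is not part of the paper or the hybrid tool; it replays the adder verification of Sections 3.2 and 3.3 in executable form. The names HA_spec, HA_impl, FA_spec, make_FA_impl, find_counterexample, mdg_tac, hier_verif_tac and verify_adder are this example's own stand-ins for HA, HA_i, FA, FA_i/FA_i_hl, MDG_TAC and HIER_VERIF_TAC. It shows the TABLE semantics (rows, outputs, DONT_CARE and the default entry), an MDG_TAC-style equivalence check on a combinational block that either tags its result with the [MDG] pedigree or returns a counter-example, and the HIER_VERIF_TAC decomposition that proves one general half-adder theorem, reuses it for both instances, and combines it with the FA_i_hl subgoal. A constructed faulty half-adder specification exercises the counter-example path.

```python
# Added example, not the paper's code: a Python model of the adder verification
# described above. HA_spec/HA_impl/FA_spec/make_FA_impl stand for HA, HA_i, FA,
# FA_i and FA_i_hl; mdg_tac and hier_verif_tac stand in for MDG_TAC and
# HIER_VERIF_TAC. These names are this example's own, not the hybrid tool's API.
from dataclasses import dataclass
from itertools import product

DONT_CARE = None  # wildcard entry in a table row, like MDG's DONT_CARE


def table(inputs, rows, outputs, default):
    """MDG-style TABLE: `rows` lists input combinations, `outputs` gives the
    value for each row, `default` covers every combination not listed."""
    for row, out in zip(rows, outputs):
        if all(r is DONT_CARE or r == v for r, v in zip(row, inputs)):
            return out
    return default


def HA_spec(x, y):
    """Behavioural half-adder (Figure 4): z_TAB and cout_TAB as tables."""
    z = table((x, y), [(False, False), (True, True)], [False, False], True)
    cout = table((x, y), [(False, DONT_CARE), (True, False)], [False, False], True)
    return z, cout


def HA_impl(x, y):
    """Structural half-adder (Figure 3): an MDG_XOR and an MDG_AND gate."""
    return x != y, x and y


def HA_bad_spec(x, y):
    """Constructed faulty spec: the cout table defaults to F, so cout is never T."""
    z, _ = HA_spec(x, y)
    return z, table((x, y), [(False, DONT_CARE), (True, False)], [False, False], False)


def FA_spec(x, y, cin):
    """Behavioural full adder: sum and carry as Boolean functions."""
    return (x != y) != cin, (x and y) or (x and cin) or (y and cin)


def make_FA_impl(ha):
    """Structural full adder: two instances of the half-adder `ha` plus an OR gate.
    make_FA_impl(HA_impl) is FA_i; make_FA_impl(HA_spec) is FA_i_hl, where the
    half-adders are treated as primitive components."""
    def fa(x, y, cin):
        s1, c1 = ha(x, y)
        z, c2 = ha(s1, cin)
        return z, c1 or c2
    return fa


@dataclass(frozen=True)
class Theorem:
    statement: str
    tags: frozenset  # pedigree labels such as {"MDG"}, inherited by derived theorems


def find_counterexample(impl, spec, arity):
    """Exhaustive Boolean case analysis: the first input vector on which the
    implementation and the specification disagree, or None if none exists."""
    for ins in product((False, True), repeat=arity):
        if impl(*ins) != spec(*ins):
            return ins
    return None


def mdg_tac(statement, impl, spec, arity):
    """Stand-in for MDG_TAC on a combinational block: returns (theorem, None)
    tagged with its pedigree, or (None, counter-example) on failure."""
    cex = find_counterexample(impl, spec, arity)
    if cex is not None:
        return None, cex
    return Theorem(statement, frozenset({"MDG"})), None


def hier_verif_tac(block, impl_of, spec, arity, sub, sub_impl, sub_spec, sub_arity):
    """Stand-in for HIER_VERIF_TAC. Subgoal 1: the sub-block meets its spec (one
    general subgoal, reused for every instance). Subgoal 2: the block meets its
    spec with the sub-block replaced by its behavioural spec. The justification
    combines both into the theorem for the original goal."""
    sub_thm, cex = mdg_tac(f"{sub}_i ==> {sub}", sub_impl, sub_spec, sub_arity)
    if sub_thm is None:
        return None, (f"{sub}_i ==> {sub}", cex)
    hl_thm, cex = mdg_tac(f"{block}_i_hl ==> {block}", impl_of(sub_spec), spec, arity)
    if hl_thm is None:
        return None, (f"{block}_i_hl ==> {block}", cex)
    # Justification: sub_impl and sub_spec agree on every input, so impl_of(sub_impl)
    # and impl_of(sub_spec) compute the same function and the block-level result
    # carries over to the real implementation. Both premises' tags are inherited.
    return Theorem(f"{block}_i ==> {block}", sub_thm.tags | hl_thm.tags), None


def verify_adder():
    """Hierarchical verification of the full adder; returns the final theorem."""
    thm, failure = hier_verif_tac("FA", make_FA_impl, FA_spec, 3,
                                  "HA", HA_impl, HA_spec, 2)
    if failure is not None:
        raise AssertionError(f"verification failed: {failure}")
    return thm


if __name__ == "__main__":
    print(verify_adder())
    print("faulty half-adder spec, counter-example:",
          find_counterexample(HA_impl, HA_bad_spec, 2))
```

The equivalence check here is brute-force case analysis over 2^n inputs, which is what BLOCK_VERIF_TAC does for small blocks; MDG reaches the same verdict on combinational blocks with decision diagrams, which is what makes it tractable beyond a handful of inputs. The point the model makes visible is the bookkeeping the hybrid tool automates: the half-adder theorem is proved once and applied to both instances, the [MDG] tag flows through the justification into the final theorem, and a failing sub-block surfaces as a concrete input vector rather than a bare "no".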
4 Case Study: The 4 × 4 ATM Switch Fabric
We have applied the hybrid tool to a realistic example: the verification of a block of the Fairisle ATM (Asynchronous Transfer Mode) switch fabric [17]. The Fairisle switch fabric is a real switch fabric designed and used at the University of Cambridge for multimedia applications. It switches cells of data from 4 input ports to 4 output ports as requested by information in header bytes in each cell.
Curzon [8] formally verified this ATM switching element hierarchically using the pure HOL system. How-
ication of the full fabric took approximately two person-
months not including the time to develop the formal
specications. Verifying the fabric can be done hierar-
chically following exactly the same structure as the orig-
inal design using our hybrid tool. However, with the
tool, many of the sub-blocks can be veried automat-
ically using the MDG tool, thus saving a great deal of
time and eort. Furthermore, HIER VERIF TAC auto-
mates much of the management of the proof that was
previously done manually. Attempting the verication in
MDG alone would, on the other hand, be barely tractable
taking days of CPU time. This is discussed in more detail
below.
Full details of the specifications for the Fabric are given in [8]. As a result, various groups have reverified aspects of the circuit using a variety of approaches. For example, Schneider et al. [21] verified individual blocks of the switch fabric using MEPHISTO. It has also been used as a case study for the Coq system [14]. Garcez [10] verified some properties of the fabric using HSIS and Lu et al. [18] performed property checking on various abstracted models of the fabric using VIS.
The fabric is split into three sub-blocks, namely Acknowledgement, Arbitration and Data Switch. Further dividing the Arbitration sub-module, we have essentially two blocks: the arbiters that make arbitration decisions and a preprocessing block that generates the timing signal and processes the headers of the cells into a form usable by the arbiters (see Figure 6). We consider the verification of the preprocessor block here (see Figure 7). The timing block within the preprocessor generates a timing signal for the arbiters from an external frame signal and from the data stream. The decoder block (made of 4 independent decoders) takes the four cell headers from the data stream and extracts the information about the destinations they are requesting (which is in a binary encoding). For each destination a unary encoding of the cells that are requesting that output is created. The priority filter takes this information together with priority information from the cell headers. If any cell has high priority, then requests from low priority cells are not forwarded to the arbiters.
Setting as goal the correctness statement for the preprocessor, we attack it using HIER_VERIF_TAC. We obtain two subgoals corresponding to the timing block and the filter-decoder block, together with a subgoal that the combined preprocessor is correct on the assumption that its sub-blocks are. We call MDG_TAC to automatically prove the timing unit correctness subgoal. This proves the equivalence of the implementation and its specification, and so proves the implication in our subgoal.
Decoders and Priority Filters are purely combinational circuits. Their specifications are the conjunctions of 32 16-input tables and 16 32-input tables, respectively. MDG takes 16 hours to verify Decoders and it would
Fig. 6. The Fairisle ATM Switch Fabric.
take days to verify Priority Filters. The problem is in finding an efficient variable ordering, given that the way the sub-blocks are connected means that the best ordering for one table is bad for another. In order to overcome this problem, we move down one level in the design hierarchy. More specifically, the 32 tables in Decoders' specification were partitioned into four 8-table sub-blocks: Decoder_IP0 … Decoder_IP3. Decoder_IPi is a decoder for input port i, i = 0..3. A more efficient variable ordering is then supplied for each of these sub-blocks. Similarly, the 16 tables in Priority Filters' specification were partitioned into four 4-table sub-blocks: Priority_OP0 … Priority_OP3. Priority_OPi is a priority filter for output port i, i = 0..3. The preprocessor hierarchy as verified is shown in Figure 7.
We apply HIER_VERIF_TAC to verify Decoders and Priority Filters based on this hierarchy. The sub-goals associated with Decoder_IPi and Priority_OPi, i = 0..3, are
[Figure 7: Decoder_IP3 Decoder_IP2 Decoder_IP1 Decoder_IP0; Priority_OP3 Priority_OP2 Priority_OP1 Priority_OP0]
Fig. 7. The Preprocessor Hierarchy.
Note that this still avoids expanding the hierarchy as far as in the original HOL proof, so lower level behavioral specifications do not need to be written.
Table 1 shows the hierarchical verification statistics, including the size of each sub-block and the CPU time in seconds. Using our hybrid tool, the verification of the preprocessor is faster than proving in HOL that the implementation implies the high-level specification. Given
Block          Size   CPU time (s)
Decoder_IPi     22       10.050
Priority        80      437.210
Priority_OPi    20      107.413
Table 1. Hierarchical Verification Statistics.
several days to do the proofs of these blocks using interactive proof, whereas the verification is done in minutes using our tool. Verification is also faster than using MDG alone: splitting the decoder block enabled verifying it within less than 1 minute using our hybrid tool instead of 16 hours if only MDG was used. It took a day (approximately 8 hours) to interactively prove the decoder block in HOL. Thus verification is faster using the hybrid tool than with either system on its own, as shown in Table 2, which gives approximate times for verifying the decoder block. These times should be treated with caution, as the pure HOL times are not CPU time but the time for the human to interactively manage the verification. Times to develop specifications, including those of sub-blocks verified hierarchically rather than directly using MDG, are not included in these times. Writing these specifications was straightforward. It is therefore worthwhile additional work, given the overall time improvement. Some extra human interaction time for the verification part is also needed when using the hybrid tool over the bare CPU time. This is needed to call the
HOL                  MDG            Hybrid Tool
(Human Proof Time)   (CPU Time)     (CPU Time)
Interactive          Automated      Semi-automated
8 hours              16 hours       1 minute
Table 2. Comparison of Verifications of the Decoder Blocks
appropriate tactics. However, this is minimal: a matter of minutes rather than hours, since it involves following the existing design hierarchy. The main part that is time consuming is if unsuccessful automated proofs of sub-blocks are attempted. This obviously requires judgement over the limitations of the tools, in knowing when it is worth attempting automated proof, and when it is better to step down a level in the hierarchy.
5 Related Work
Work to combine the advantages of automated and interactive tools falls generally into two areas: hybrid tools in which two existing, stand-alone verification systems are linked; and systems where external proof packages are embedded as decision procedures for some subset of the logic by an interactive system.
Perhaps the most impressive hybrid verification system to date is the combined Voss-ThmTac System [2]. It combines a simple, specially written LCF style proof system, ThmTac, with the Voss Symbolic Trajectory Analysis System. This system evolved out of the HOL-VOSS System [15]. In that system, Voss was interfaced within
bolic trajectory analysis to verify assertions about sequences of states. The Voss-ThmTac System is thus based on many years of experience combining systems. It has been used to verify a series of real hardware designs, including an IA-32 instruction length decoder claimed to be one of the most complex hardware verifications completed. Much of its power comes from the very tight integration of the two provers, allowing the user to interact directly with either tool. This is facilitated by the use of a single language, fl, as both the theorem prover's meta-language and its object language.
Schneider and Hoffmann [22] linked SMV (a CTL model checker) to HOL using PROSPER. In this hybrid tool, HOL conversions were used to transform LTL specifications into ω-automata, a form that can be reasoned about within SMV. These HOL terms are exported to SMV through the PROSPER plug-in interface. On successful model checking, the results are returned to HOL and turned into tagged theorems. This allows SMV to be used as a HOL decision procedure. The SMV specification language has also been deeply embedded in HOL, allowing CTL specifications to be manipulated in HOL and the model checker used to return a result about their validity.
The use of tightly integrated decision procedures is a major focus of the PVS proof system. Rajan et al. [20] integrated a BDD-based model checker for the propositional µ-calculus within PVS. An extension of the µ-calculus is defined within higher-order logic and temporal operators are then defined as µ-calculus fixpoint definitions. These expressions are converted into the form required by the model checker, which can then be used to prove appropriate subgoals generated within PVS. Such results are treated no differently to those created by proof.
An issue with accepting imported results as theorems is whether the external system can be trusted to produce "theorems" that really are host system theorems. This is more of an issue with fully-expansive proof systems such as HOL, where the integrity of the system depends on a small core of primitive inference rules. Accepting results from an external package essentially treats that package as one of the trusted primitives. The approach taken by Gordon [11] to minimize this problem in the BuDDy package when integrating BDD based tools is to provide a small set of BDD primitives in terms of which full tools are implemented. In this way only the primitives need to be trusted, not the whole package.
Hurd [13] used PROSPER to combine the Gandalf prover with HOL. Unlike other approaches, the system reproves the Gandalf theorems within HOL rather than just accepting the results. The Gandalf proof script is imported into the HOL system and used to develop a fast proof within HOL. The tool is thus used to discover proofs, rather than directly to prove theorems.
The MEPHISTO system [16] was developed to manage the higher levels of a verification, producing first-
prover. The goals of MEPHISTO are similar to ours:
managing the subgoaling of a verication to produce
goals that can be proved by another system. The dif-
ference is the focus of the way the systems do this and
the target system. Our approach is to use the exist-
ing design hierarchy, sending to the automated prover
(here a hardware verication system itself) subgoals that
are correctness theorems about design modules. Thus
HIER VERIF TAC produces subgoals (and results from
failed verication) easily understood by the designer.
This approach avoids the problem of the verier having
to inspect goals that bear little relation to the input to
the system. MEPHISTO does give some support for hier-
archical proof providing a library of preproved modules.
However, in our approach such hierarchical verication
is explicitly supported by the tactics.
Aagaard et al [1] proposed a similar hardware veri-
cation management system. They aimed to complete the
whole proof within the theorem prover (HOL or Nuprl).
As with MEPHISTO, the focus is on producing lem-
mas to be proved by decision procedures. They devel-
oped a series of prototype tactics that could be used to
break down subgoals. However, they do not directly sup-
port hierarchical verication: the rst step proposed is
to rewrite with the module specications.
As in [2] and [22], we integrate a theorem prover (HOL) with an existing hardware verification tool (MDG) rather than embedding a package within the proof system. We work within the proof system but use the specification style of the automated tool. This is done by embedding the language of the automated verification tool within the proof system. As in pure HOL verification, the proof follows the natural design hierarchy embodied in the specifications. This process is explicitly supported by our hierarchy tactic. The subgoals automatically generated also have a direct relation to the specifications produced by the designer. Thus, the novel aspect of our work is the emphasis on implementing hierarchical verification explicitly in a hybrid tool. The use of MDG as the automated tool also opens up interesting possibilities (not yet fully explored) of making use of its abstraction features, which allow large datapaths to be dealt with automatically.
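The hierarchical, compositional scheme described above (the hierarchy tactic walks the design hierarchy, each subgoal is a correctness theorem about one design module, leaf subgoals are discharged by the automated tool and the results are composed in the prover) can be modelled in a few lines. The following is an added illustration, not code from the paper's tool, from HOL or from MDG: exhaustive enumeration of a module's inputs stands in for the MDG equivalence check, and the Module class, hier_verif, check_equiv and the 2-bit ripple-carry adder design are all assumptions made for this example. The compositional step is modelled by substituting each submodule's specification for its implementation when the parent module is checked, which is what keeps the parent's check small and makes a failed verification report a counterexample on the failing module's own inputs rather than on the flattened design.

```python
from itertools import product


class Module:
    """One node of the design hierarchy (constructed for this example).

    spec(*bits)          behavioural specification, returns a tuple of bits
    impl(*bits, sub=...) structural implementation; `sub` maps each submodule
                         name to the function standing in for that submodule
    submodules           the Module objects the implementation instantiates
    """

    def __init__(self, name, n_inputs, spec, impl, submodules=()):
        self.name = name
        self.n_inputs = n_inputs
        self.spec = spec
        self.impl = impl
        self.submodules = tuple(submodules)


def check_equiv(module, sub_specs):
    """Stand-in for the automated equivalence check (MDG in the paper):
    exhaustively compare impl, with every submodule replaced by its SPEC,
    against the module's own spec. Returns (ok, counterexample)."""
    for bits in product((0, 1), repeat=module.n_inputs):
        got = module.impl(*bits, sub=sub_specs)
        want = module.spec(*bits)
        if got != want:
            # The counterexample is stated on this module's own inputs, so it
            # is directly readable by the designer of this module.
            return False, {"inputs": bits, "got": got, "expected": want}
    return True, None


def hier_verif(module, results=None):
    """Hierarchy tactic: verify every submodule first, then verify the module
    itself against its submodules' specs. A module's correctness theorem is
    only established if its own check AND all submodule checks succeeded."""
    if results is None:
        results = {}
    if module.name in results:
        return results
    for sub in module.submodules:
        hier_verif(sub, results)
    local_ok, cex = check_equiv(module, {s.name: s.spec for s in module.submodules})
    subs_ok = all(results[s.name]["ok"] for s in module.submodules)
    results[module.name] = {"ok": local_ok and subs_ok,
                            "local_ok": local_ok,
                            "counterexample": cex}
    return results


# --- Constructed design: a 2-bit ripple-carry adder built from full adders ---

def fa_spec(a, b, cin):
    s = a + b + cin
    return (s & 1, s >> 1)                  # (sum, carry_out)


def fa_impl(a, b, cin, sub=None):
    p = a ^ b                               # gate level, no submodules
    return (p ^ cin, (a & b) | (p & cin))


def fa_impl_buggy(a, b, cin, sub=None):
    p = a ^ b
    return (p ^ cin, a & b)                 # propagate term of the carry dropped


def adder2_spec(a0, a1, b0, b1, cin):
    total = a0 + 2 * a1 + b0 + 2 * b1 + cin
    return (total & 1, (total >> 1) & 1, total >> 2)   # (s0, s1, cout)


def adder2_impl(a0, a1, b0, b1, cin, sub):
    fa = sub["FA"]                          # submodule used via its spec
    s0, c1 = fa(a0, b0, cin)
    s1, c2 = fa(a1, b1, c1)
    return (s0, s1, c2)


def build_design(fa_implementation=fa_impl):
    fa = Module("FA", 3, fa_spec, fa_implementation)
    return Module("ADDER2", 5, adder2_spec, adder2_impl, submodules=[fa])


if __name__ == "__main__":
    for label, design in (("correct", build_design()),
                          ("buggy FA", build_design(fa_impl_buggy))):
        print(label)
        for name, r in hier_verif(design).items():
            print(f"  {name}: ok={r['ok']} local_ok={r['local_ok']} cex={r['counterexample']}")
```

The buggy full adder shows the point made above about failed verification: the counterexample is reported on the leaf module's three inputs, and the top-level correctness verdict is withdrawn because a submodule theorem is missing, even though the top-level check against the submodule specification itself still passes.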
6 Conclusions
We have described a tool linking an interactive theorem prover and an automated decision diagram-based hardware verification system. This builds on previous work [24], where we showed formally how an MDG equivalence proof can be imported as an implication-based correctness theorem in HOL. Our system explicitly supports the hierarchical compositional verification approach naturally used in interactive proof systems, when using an automated tool. The interactive proof system is used to manage the proof automatically as well as to complete interactively any proof that is beyond the scope of the
the hierarchy can however be done automatically. The
hybrid tool can be used to verify larger examples than
could be done in MDG alone, and these proofs can be
done faster than in either system alone.
We used the PROSPER/Harness toolkit to perform the linkage of the two tools. This made providing such a linkage relatively easy. However, it took the Harness server minutes to answer requests sent by the proof engine. An alternative implementation that communicated between the tools directly using files was quicker. We are planning to implement the tools' interaction using sockets. This will allow multiple instances of MDG to be started on different machines. The hybrid tool will then be responsible for dispatching subgoals to the MDG instances and collecting the verification results. Load balancing strategies as well as verification workload estimators will be needed to ensure better execution times. Since an MDG verdict is imported into HOL as a theorem, every MDG instance that answers over such a channel, and the channel itself, then becomes part of the trusted base of the proof.
We illustrated the use of the hybrid tool by describing the hierarchical verification of the preprocessing block of the arbitration unit of an ATM switch. A verification that originally required many hours of interactive proof work could be done largely automatically using the hybrid tool.
We intend to extend the capabilities of the tool to increase the automation of the proof management process. For example, we will automate different forms of parameterization. Parameterized circuits must currently be dealt with interactively: a single instance of the parameterized circuit is verified using the hybrid tactics, and this theorem is then used in a pure HOL proof of the parameterized circuit that performs the inductive part of the proof [7]. This process could be automated for a range of common parameterization patterns (see Aagaard et al. [1]) with a tactic similar to HIER_VERIF_TAC managing the inductive part of the proof. Common abstraction techniques that reduce a model, say, from 32 bits to 1 bit to make automated verification tractable could also be dealt with in this way. However, MDG provides a better approach: by making fuller use of the abstraction facilities in MDG itself we will remove the need for such abstraction. This removes the need to simplify datapath widths to make verification tractable and enables data-dependent circuits to be handled automatically. We are also in the process of extending the hybrid tool to support model checking in MDG. While most of the infrastructure may be reused, ways of translating and composing properties in HOL need to be developed. For practical reasons industrial designers often do not work to clean hierarchies. Important further work is therefore to integrate a transformational design system with the tool. This would allow non-hierarchical parts of a design to be transformed to a verified equivalent form more conducive to verification, or alternatively to optimise a verified correct hierarchical design in ways that break the verified hierarchy but preserve correctness. Finally, we will consider the verification of more complex
Acknowledgments. This work was funded by the NSERC Strategic Grant STP0201836 and EPSRC Research Agreement GR/M45221. We are also grateful to Rabeb Mizouni from Concordia University for making improvements to the implementation of the tool.
References
1. M.D. Aagaard, M. Leeser, and P. Windley. Toward a Super Duper Hardware Tactic. In J.J. Joyce and C.H. Seger, editors, Higher Order Logic Theorem Proving and Its Applications, LNCS 780, pages 400-413. Springer-Verlag, 1993.
2. M.D. Aagaard, R.B. Jones, and C-J.H. Seger. Lifted-FL: A Pragmatic Implementation of Combined Model Checking and Theorem Proving. In Y. Bertot, G. Dowek, A. Hirschowitz, C. Paulin, and L. Thery, editors, Theorem Proving in Higher Order Logics, LNCS 1690, pages 323-340. Springer-Verlag, 1999.
3. O. Ait-Mohamed, X. Song, and E. Cerny. On the Nontermination of MDG-based Abstract State Enumeration. In Proceedings IFIP Conference on Correct Hardware and Verification Methods, Montreal, Canada, October 1997, pages 218-235.
4. S. Balakrishnan and S. Tahar. A Hierarchical Approach to the Formal Verification of Embedded Systems Using MDGs. In Proceedings IEEE 9th Great Lakes Symposium on VLSI, Ann Arbor, Michigan, USA, March 1999, pages 284-287. IEEE Computer Society Press.
5. F. Corella, Z. Zhou, X. Song, M. Langevin, and E. Cerny. Multiway Decision Graphs for Automated Hardware Verification. Formal Methods in System Design, 10(1):7-46, 1997.
6. P. Curzon, S. Tahar, and O. Ait-Mohamed. Verification of the MDG Components Library in HOL. In J. Grundy and M. Newey, editors, Theorem Proving in Higher Order Logics: Emerging Trends, pages 31-45, Australian National University, 1998.
7. P. Curzon and S. Tahar. Automating the Verification of Parameterized Hardware using a Hybrid Tool. In Proceedings IEEE International Conference on Microelectronics, Rabat, Morocco, October 2001, pages 261-264.
8. P. Curzon. The Formal Verification of the Fairisle ATM Switching Element. Technical Report 329, Computer Laboratory, University of Cambridge, U.K., 1994.
9. L.A. Dennis, G. Collins, M. Norrish, R. Boulton, K. Slind, G. Robinson, M. Gordon, and T. Melham. The PROSPER Toolkit. In Proceedings of the Sixth International Conference on Tools and Algorithms for the Construction and Analysis of Systems, LNCS 1785. Springer-Verlag, 2000.
10. E.H.A. Garcez. The Verification of an ATM Switching Fabric using the HSIS tool. Technical Report WSI-95-13, University of Tuebingen, Department of Computer Science, Tuebingen, Germany.
11. M.J.C. Gordon. Combining Deductive Theorem Proving with Symbolic State Enumeration. 21 Years of Hardware Verification, December 1998. Royal Society Workshop to mark 21 years of BCS FACS.
12. M.J.C. Gordon and T.F. Melham. Introduction to HOL: A Theorem Proving Environment for Higher-Order
13. J. Hurd. Integrating Gandalf and HOL. In Y. Bertot, G. Dowek, A. Hirschowitz, C. Paulin, and L. Thery, editors, Theorem Proving in Higher Order Logics, LNCS 1690, pages 311-321. Springer-Verlag, 1999.
14. L. Jakubiec, S. Coupet-Grimal, and P. Curzon. A Comparison of the Coq and HOL Proof Systems for Specifying Hardware. In E. Gunter and A. Felty, editors, International Conference on Theorem Proving in Higher Order Logics: B-Track, pages 63-78, 1997.
15. J.J. Joyce and C.J.H. Seger. Linking BDD-based Symbolic Evaluation to Interactive Theorem Proving. In Proceedings of the 30th Design Automation Conference, pages 469-474, Dallas, TX, June 1993.
16. R. Kumar, K. Schneider, and T. Kropf. Structuring and Automating Hardware Proofs in a Higher-Order Theorem-Proving Environment. Formal Methods in System Design, 2:165-223, 1993.
17. I.M. Leslie and D.R. McAuley. Fairisle: An ATM Network for the Local Area. ACM Communication Review, 19(4):327-336, 1991.
18. J. Lu and S. Tahar. Practical Approaches to the Automatic Verification of an ATM Switch Fabric using VIS. In Proceedings of Great Lakes Symposium on VLSI, pages 368-373, 1998.
19. L. Paulson. ML for the Working Programmer. Cambridge University Press, UK, 1996.
20. S. Rajan, N. Shankar, and M.K. Srivas. An Integration of Model-checking with Automated Proof Checking. In Pierre Wolper, editor, Computer Aided Verification, LNCS 939, pages 84-97. Springer-Verlag, 1995.
21. K. Schneider and T. Kropf. Verifying Hardware Correctness by Combining Theorem Proving and Model Checking. In J. Alves-Foss, editor, International Workshop on Higher Order Logic Theorem Proving and its Applications: B-Track, pages 89-104, 1995.
22. K. Schneider and D.W. Hoffmann. A HOL Conversion for Translating Linear Time Temporal Logic to ω-Automata. In Y. Bertot, G. Dowek, A. Hirschowitz, C. Paulin, and L. Thery, editors, Theorem Proving in Higher Order Logics, LNCS 1690. Springer-Verlag, 1999.
23. S. Tahar, X. Song, E. Cerny, Z. Zhou, M. Langevin, and O. Ait-Mohamed. Modeling and Verification of the Fairisle ATM Switch Fabric using MDGs. IEEE Transactions on CAD of Integrated Circuits and Systems, 18(7):956-972, 1999.
24. H. Xiong, P. Curzon, and S. Tahar. Importing MDG Results into HOL. In Y. Bertot, G. Dowek, A. Hirschowitz, C. Paulin, and L. Thery, editors, Theorem Proving in Higher Order Logics, LNCS 1690, pages 293-310. Springer-Verlag, 1999.
25. M.H. Zobair. Modeling and Formal Verification of a Telecom System Block Using MDGs. M.A.Sc. Thesis, Concordia University, Department of Electrical and Computer Engineering, December 2000.
