Abstract. We describe a hybrid formal hardware verification tool that links the HOL interactive proof system and the MDG automated hardware verification tool. It supports a hierarchical verification approach that mirrors the hierarchical structure of designs. We obtain advantages of both verification paradigms. We illustrate its use by considering a component of a communications chip. Verification with the hybrid tool is significantly faster and more tractable than using either tool alone.
Introduction

Automated decision diagram based formal hardware verification is fast and convenient, but does not scale well, especially where data paths and control circuitry are combined. Details of the version of the design verified need to be simplified: e.g., considering 1-bit instead of 32-bit datapaths. Finding a model reduction and appropriate abstractions so that verification is tractable with the tool can be time-consuming. Moreover, significant detail can be lost. An alternative is interactive theorem proving. The verification can be done hierarchically, allowing large designs to be verified without simplification. Furthermore, it is possible to reason about high level abstractions of datatypes. It can, however, be very time-consuming, requiring significant user interaction and skill.

The contribution of our work is to implement a hybrid tool combining HOL [9] and MDG [4] which provides explicit support for hierarchical hardware verification. In particular, we have provided an embedding of the MDG input language in HOL, implemented a linkage between HOL and MDG using the PROSPER toolkit [7], and implemented a series of HOL tactics that automate hierarchical verification. This means that a hierarchical proof can be performed as it might be done using a pure HOL system. However, the MDG tools can be seamlessly called to perform verification of components that are within their capabilities. We have verified a component of a communication switch using the tool. Verification is shown to be significantly faster and more tractable using the hybrid tool than with either tool individually.

The remainder of this paper is organized as follows. In Section 2 we overview briefly the two tools being linked. We present our hybrid tool and the methodology it embodies in Section 3. A case study using the tool to verify a component of an ATM switch is described in Section 4. Finally, we discuss related work in Section 5 and draw conclusions in Section 6.

problem is sufficiently tractable, the verification is completed automatically. If not, ideally the problem would be attacked in a hierarchical fashion by verifying the sub-blocks independently. However, the management of this process cannot be done within the tool, though it could be done informally outside it.
In a pure HOL hardware verification, the proof is structured according to the design hierarchy of sub-blocks within the implementation. For each block, including the top level block of the design, a structural specification and a behavioral specification are given. Each block's implementation, apart from those at the bottom of the hierarchy, is verified against its specification in three steps. Firstly, an intermediate verification result is obtained about the block based on the behavioral descriptions of its sub-blocks. Essentially the sub-blocks are treated as primitive components in this verification. Secondly, the process is repeated recursively on the sub-blocks to obtain correctness theorems for them. Finally, the correctness theorems of the sub-blocks are combined with the intermediate correctness theorem of the block itself to give the actual correctness theorem of the block. This is based on the full structural description of the block down to primitive components. The verification follows the natural design hierarchy. If this process is applied to the top level design block, a correctness theorem for the whole design is obtained. The integration of the verification results of the separate components, which would be done informally if at all in an MDG verification, is thus formalized and machine-checked in the HOL approach.

Our hybrid tool supports hierarchical verification, automating the process discussed above, and fits the use of MDG verification naturally within the HOL framework of compositional hierarchical verification. The HOL system is used to manage the proof, with the MDG system called seamlessly to verify those design blocks that are tractable. This removes the need to provide behavioral specifications for sub-blocks and the need to verify them separately. In particular, if the design of any sub-block is sufficiently simple, then the hierarchical approach can be abandoned for that block and the whole block verified in one go in MDG. Furthermore, verifying a block under the assumption that its sub-blocks are all primitive components may also be done using MDG if tractable. If not, a normal HOL proof can still be performed. No information is lost in using MDG via the hybrid tool. To allow the seamless integration of the tools, we use MDG-style behavioral specifications within HOL. This means the specifications must be in the form of a finite state machine or table description. If a higher level abstraction, unavailable in MDG, is required, then a separate HOL proof is performed that an MDG style specification meets this abstraction.
The Hybrid Tool

Our hybrid tool was written in SML. It consists of five modules: a parsing module, an extraction module, a hierarchical verification support module, a code generation module and an MDG interaction module (cf. Figure 1). Subgoal management is done using the HOL subgoal manager. This is an advantage of the hybrid approach: the existing HOL infrastructure augments MDG, providing a much more powerful interface to MDG. The hybrid tool supports the hierarchical verification process by providing a HOL embedding of the concrete subset of the MDG input language to allow MDG-style specifications to be written in HOL. Three high-level proof tactics that manage the proof process are also provided. A hierarchy tactic, HIER_VERIF_TAC, automates the subgoaling of the correctness theorem of a block by analyzing its structure as outlined in the previous section. It later combines the proven subgoals to give the desired correctness theorem. Where a non-primitive component occurs several times within a block, the tactic avoids duplication, generating a single subgoal that, once proved, is automatically instantiated for each occurrence of that component to prove the correctness of the block. Two other tactics automate the link to the MDG tools: MDG_COMB_TAC attempts to verify a given correctness theorem for a block using MDG combinational equivalence verification; MDG_SEQ_TAC calls MDG sequential equivalence verification to prove the result.

Verification using the hybrid tool proceeds as shown in Figure 2. An initial goal is set that the top level design's implementation meets its behavioral specification. If the design can be verified using MDG, the appropriate MDG tactic, determined by whether the circuit is sequential, is called. Otherwise, the hierarchy tactic is called to break the design into smaller parts, and the process is repeated. At any point, a HOL proof can be performed directly to prove a goal. MDG verification can fail due to state-space explosion, leading to the system running out of memory. In general MDG can fail to terminate; however, the current version of the hybrid tool does not, because abstract variables are not yet supported.
Specifications

The hybrid tool must be supplied with a behavioral specification for each block in the design that is verified. This is not necessary for sub-blocks within blocks verified by calls to MDG. The specifications are provided as a normal file of HOL definitions. However, as these definitions must be analyzed by the tool and ultimately converted into MDG, they must follow a prescribed form: they must consist of a conjunction of tables, whose input and output arguments must both be explicitly typed and be in a given order. MDG abstract variables are not currently supported. The tables are an embedding of MDG tables in HOL originally defined by Curzon et al. [5] to verify the MDG components in HOL. The verification of these components increases confidence that the MDG tools can be trusted when used in the HOL system. Structural specifications are written in a subset of the HOL logic similar to that for behavioral specifications. However, the descriptions are not limited to tables but can include any component of the MDG component library. The structural specification of a block thus differs from a behavioral specification in that its body consists of a network of components. A component may be an MDG built-in component, a functional block, a table or a component previously defined by the user. The MDG built-in components are an embedding in HOL of the actual MDG components.
The Verification Process

The hybrid tool is intended to provide automated support for hierarchical verification and to enable the user to verify some blocks using MDG. We will illustrate this by referring to the verification of a simple adder circuit. A typical session with the hybrid tool goes through the following steps. First, the user supplies the tool with a specification file and an implementation file as part of an initialization procedure. These are SML files containing normal SML definitions. The specification file includes the behavioral specifications of the design blocks. The implementation file includes the design structural specification and follows the design hierarchy. Both files may include user defined HOL datatypes. An example of a structural specification for an adder is given in Figure 3. The behavioral specification of a half-adder in terms of tables is given in Figure 4. The specification of the full adder is similar. In a table specification, the first list gives the inputs of the table, the next argument is the output. Next is a list of lists giving possible combinations of input values and then a list giving the output values resulting from those combinations. The final argument gives the default value for any combination of inputs not listed. MDG tables are more general than shown in this example in that general expressions can be used as table inputs and variables can appear in the rows. For example, the carry out signal in the half-adder is defined by a table with two inputs x and y and one output cout. If x is False and y is "DON'T CARE" (i.e. anything) then cout is False. Similarly if x is true and y is false then cout is false. The default value for all other combinations of input values is true. The behavioral specifications of the components are similarly defined. The initialization procedure also involves loading the embeddings of the MDG tables and the MDG components in HOL as well as starting a server to the MDG system. Once the tool is initialized, the user sets the correctness goal for the whole design using HOL's subgoal package. This goal states that the design's implementation implies its specification.

Figure 3. Structural specification of the adder:

    HA_i (x:num→bool, y:num→bool) (z:num→bool, cout:num→bool) =
      MDG_XOR (x,y) z ∧ MDG_AND (x,y) cout

    FA_i (x:num→bool, y:num→bool, cin:num→bool) (z:num→bool, cout:num→bool) =
      ∃ z0:num→bool cout0:num→bool cout1:num→bool.
        HA_i (x,y) (z0,cout0) ∧ HA_i (z0,cin) (z,cout1) ∧ MDG_OR (cout0,cout1) cout
For example, for our adder, we set the goal:

    ∀ x y cin z cout. FA_i (x,y,cin) (z,cout) ⇒ FA (x,y,cin) (z,cout)

This correctness goal could then be resolved directly through MDG using MDG_SEQ_TAC or MDG_COMB_TAC. Applying these tactics to complex designs may lead to state explosion. To overcome this, HIER_VERIF_TAC is used. The action of this tactic is summarized in Figure 5. It automatically generates a correctness subgoal for every immediate sub-block in the design. Where one sub-block is used in several places, only one goal is generated: the hybrid tool generates a general subgoal that justifies its use in each situation. A further subgoal states that the lower level specifications, connected according to the structural specification, imply the current specification.

For example, HIER_VERIF_TAC generates two subgoals for our adder:

    ∀ x y z cout. HA_i (x,y) (z,cout) ⇒ HA (x,y) (z,cout)
    ∀ x y cin z cout. FA_i_hl (x,y,cin) (z,cout) ⇒ FA (x,y,cin) (z,cout)

The first is a correctness statement for the half-adder component. Only one general version is generated. This is used to create the two theorems justifying each of the two instances of this component in the design. The second subgoal is a correctness goal for the adder where the half-adder is treated as a primitive component. It contains an automatically generated new structural specification FA_i_hl, which is in terms of the behavioral specifications of the half-adder submodules rather than their structural specifications:

    FA_i_hl (x:num→bool, y:num→bool, cin:num→bool) (z:num→bool, cout:num→bool) =
      ∃ z0:num→bool cout0:num→bool cout1:num→bool.
        HA (x,y) (z0,cout0) ∧ HA (z0,cin) (z,cout1) ∧ MDG_OR (cout0,cout1) cout

HIER_VERIF_TAC creates a justification function that, given theorems corresponding to the subgoals, creates the theorem corresponding to the original goal. The subgoals it produces could be resolved using a conventional HOL proof, by invoking MDG as above, or by applying HIER_VERIF_TAC once again. If the subgoals are proved, then the justification rule of HIER_VERIF_TAC will automatically derive the original correctness goal from them. In our example, we apply one of the MDG-based tactics. This circuit is purely combinational, so MDG_COMB_TAC is used.
When the MDG-based tactics are applied, the hierarchy in the structural specification is automatically flattened to the non-hierarchical form of primitive components required by MDG (just the next layer down in the case of the second subgoal above). The tool currently generates a static variable ordering for use by MDG, though more sophisticated ordering heuristics could be included. Alternatively, the tool user can provide the ordering. Each block verified can use a different variable ordering.

The tool analyses the feedback of MDG in order to find out whether the verification succeeded or failed. If the verification fails, a counter-example is generated. If it succeeds, the tactic creates the appropriate HOL theorem. For example, for our adder we obtain the theorems:

    MDG ⊢ ∀ x y z cout. HA_i (x,y) (z,cout) ⇒ HA (x,y) (z,cout)
    MDG ⊢ ∀ x y cin z cout. FA_i_hl (x,y,cin) (z,cout) ⇒ FA (x,y,cin) (z,cout)

The theorem is tagged with an oracle label indicating that it is proved by an external tool. This tag will be passed to any theorem proved using these theorems.

Note also that the theorem proved can be instantiated for any instance. We effectively can prove a single correctness theorem for a block and reuse it for any instance of the block. In our example, there are two instances of the half-adder, but this single theorem is used for both. This process is managed formally and machine-checked within HOL. This contrasts with pure automated tools, where each instance would need a specific theorem to be verified separately, or non-machine-checked reasoning would have to be relied upon. For the half-adder, the subgoals are formally combined using automatic proof by HIER_VERIF_TAC to give the desired theorem about the adder: The way HOL and MDG are used together is thus that the former manages the compositional aspects of the proof, ensuring duplicated work is avoided. The latter does fast, automated, low-level verification.
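The table semantics and the hierarchical split of the adder goal described above, as an added example that is not the hybrid tool's SML code: a Python model of MDG-style tables and structural networks in which an exhaustive combinational equivalence check stands in for MDG_COMB_TAC, applied to the two subgoals HIER_VERIF_TAC generates. The helper names (spec, gate, instance, network, comb_equiv, FA_structure), the Python representation, and the full-adder table rows are assumptions; the half-adder tables are reconstructed from the text, since Figure 4 is not reproduced here.

```python
from itertools import product

class Table:
    """One MDG-style table: input names, output name, rows of input values
    (None is DON'T CARE), one output value per row, and a default."""
    def __init__(self, inputs, output, rows, values, default):
        assert len(rows) == len(values)
        self.inputs, self.output = inputs, output
        self.rows, self.values, self.default = rows, values, default

    def eval(self, env):
        actual = [env[i] for i in self.inputs]
        for row, val in zip(self.rows, self.values):
            if all(r is None or r == a for r, a in zip(row, actual)):
                return val          # first matching row decides
        return self.default         # no row listed this combination

def spec(tables):
    """A behavioural specification: the conjunction of its tables."""
    return lambda env: {t.output: t.eval(env) for t in tables}

def gate(fn, ins, out):
    """A primitive MDG component wired to named signals."""
    return lambda env: {out: fn(*(env[i] for i in ins))}

def instance(block, formals, actuals):
    """Wire a block written over formal names to actual signals."""
    ren = dict(zip(formals, actuals))
    def run(env):
        local = {f: env[a] for f, a in ren.items() if a in env}
        return {ren[f]: v for f, v in block(local).items() if f in ren}
    return run

def network(components):
    """A structural specification: components applied in order, internal
    signals (the existentially quantified z0, cout0, cout1) bound as produced."""
    def run(env):
        env = dict(env)
        for c in components:
            env.update(c(env))
        return env
    return run

MDG_XOR = lambda a, b: a != b
MDG_AND = lambda a, b: a and b
MDG_OR = lambda a, b: a or b

# Behavioural specifications as tables (HA follows the paper's description of
# Figure 4; the FA rows are assumed here).
HA = spec([
    Table(["x", "y"], "z", [[False, True], [True, False]], [True, True], False),
    # cout: x=F, y=DON'T CARE -> F;  x=T, y=F -> F;  default T
    Table(["x", "y"], "cout", [[False, None], [True, False]], [False, False], True),
])
FA = spec([
    Table(["x", "y", "cin"], "z", [[False, False, True], [False, True, False],
          [True, False, False], [True, True, True]], [True] * 4, False),
    Table(["x", "y", "cin"], "cout", [[True, True, None], [True, None, True],
          [None, True, True]], [True] * 3, False),
])
HA_FORMALS = ["x", "y", "z", "cout"]

# Structural specifications as in Figure 3. Passing HA_i gives FA_i; passing
# the HA specification instead gives FA_i_hl (half-adder treated as primitive).
HA_i = network([gate(MDG_XOR, ["x", "y"], "z"), gate(MDG_AND, ["x", "y"], "cout")])
def FA_structure(half_adder):
    return network([instance(half_adder, HA_FORMALS, ["x", "y", "z0", "cout0"]),
                    instance(half_adder, HA_FORMALS, ["z0", "cin", "z", "cout1"]),
                    gate(MDG_OR, ["cout0", "cout1"], "cout")])

def comb_equiv(impl, spec_, inputs, outputs):
    """Exhaustive combinational equivalence check, standing in for MDG_COMB_TAC.
    Returns None on success, otherwise a counter-example input assignment."""
    for vals in product([False, True], repeat=len(inputs)):
        env = dict(zip(inputs, vals))
        got, want = impl(env), spec_(env)
        if any(got[o] != want[o] for o in outputs):
            return env
    return None

def hier_verify_adder():
    """The two subgoals HIER_VERIF_TAC generates for the adder; the HA result is
    proved once and reused for both instances. (None, None) means both hold."""
    ha_cex = comb_equiv(HA_i, HA, ["x", "y"], ["z", "cout"])
    fa_hl_cex = comb_equiv(FA_structure(HA), FA, ["x", "y", "cin"], ["z", "cout"])
    return ha_cex, fa_hl_cex
```

Checking FA_structure(HA_i) directly against FA corresponds to the flattened check MDG would perform on the original goal; a mis-wired network returns the first failing input assignment, the counter-example the text mentions.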
Case Study: The ATM Switch Fabric

We have applied the hybrid tool to a realistic example: the verification of a block of the Fairisle ATM (Asynchronous Transfer Mode) switch fabric [13]. The Fairisle switch fabric is a real switch fabric designed and used at the University of Cambridge for multimedia applications. It switches cells of data from 4 input ports to 4 output ports as requested by information in header bytes in each cell.

Curzon [6] formally verified this ATM switching element hierarchically using the pure HOL system. However, this verification was very time-consuming. Verifying the fabric can be done hierarchically following exactly the same structure as the original design using our hybrid tool. However, with the tool, many of the sub-blocks can be verified automatically using the MDG tool, thus saving a great deal of time and effort. Furthermore, HIER_VERIF_TAC automates much of the management of the proof that was previously done manually. Attempting the verification in MDG alone would, on the other hand, be barely tractable, taking days of CPU time. This is discussed in more detail below.

The fabric is split into three sub-blocks, namely Acknowledgement, Arbitration and Data Switch. Further dividing the Arbitration sub-module, we have essentially two blocks: the arbiters that make arbitration decisions and a preprocessing block that generates the timing signal and processes the headers of the cells into a form usable by the arbiters (see Figure 6). We consider the verification of the preprocessor block here (see Figure 7). The timing block within the preprocessor generates a timing signal for the arbiters from an external frame signal and from the data stream. The decoder block, made of 4 independent decoders, takes the four cell headers from the data stream and extracts the information about the destinations they are requesting, which is in a binary encoding. For each destination a unary encoding of the cells that are requesting that output is created. The priority filter takes this information together with priority information from the cell headers. If any cell has high priority, then requests from low priority cells are not forwarded to the arbiters. Setting as goal the correctness statement for the preprocessor, we attack it using HIER_VERIF_TAC. We obtain two subgoals corresponding to the timing block and the filter-decoder block, together with a subgoal that the combined preprocessor is correct on the assumption that its sub-blocks are. As the Timing block is a sequential design, we call MDG_SEQ_TAC to automatically prove the timing unit correctness subgoal. This proves the equivalence of the implementation and its specification, and so proves the implication in our subgoal.

Decoders and Priority Filters are purely combinational circuits. Their specifications are the conjunctions of 32 16-input tables and 16 32-input tables, respectively. MDG takes 16 hours to verify Decoders and it would take days to verify Priority Filters. The problem is in finding an efficient variable ordering, given that the way the sub-blocks are connected means that the best ordering for one table is bad for another. In order to overcome this problem, we move down one level in the design hierarchy. More specifically, the 32 tables in Decoders' specification were partitioned into four 8-table sub-blocks: Decoder_IP0 ... Decoder_IP3. Decoder_IPi is a decoder for input port i, i = 0..3. A more efficient variable ordering is then supplied for each of these sub-blocks. Similarly, the 16 tables in Priority Filters' specification were partitioned into four 4-table sub-blocks: Priority_OP0 ... Priority_OP3. Priority_OPi is a priority filter for output port i, i = 0..3. The preprocessor hierarchy as verified is shown in Figure 7. We apply HIER_VERIF_TAC to verify Decoders and Priority Filters based on this hierarchy. The subgoals associated with Decoder_IPi and Priority_OPi, i = 0..3, are then proved automatically. Note that this still avoids expanding the hierarchy as far as in the original HOL proof, so lower level behavioral specifications do not need to be written. Table 1 shows the hierarchical verification statistics, including CPU time in seconds. Obviously, using our hybrid tool, the verification of the preprocessor is faster than proving in HOL that the implementation implies the high-level specification. Given the formal specifications, Curzon [6] originally took several days to do the proofs of these blocks using interactive proof, whereas the verification is done in minutes using our tool.

Verification is also faster than using MDG alone: splitting the decoder block enabled verifying it within less than 1 minute using our hybrid tool instead of 16 hours if only MDG was used. It took a day (approximately 8 hours) to interactively prove the decoder block in HOL. Thus verification is faster using the hybrid tool than with either system on its own, as shown in Table 2, which gives approximate times for verifying the decoder block. These times should be treated with caution, as the pure HOL times are not CPU time but the time for the human to interactively manage the verification. Times to develop specifications, including those of sub-blocks verified hierarchically rather than directly using MDG, are not included in these times. Writing these specifications was, though, straightforward. It therefore is worthwhile additional work, given the overall time improvement. Some extra human interaction time for the verification part is also needed when using the hybrid tool over the bare CPU time. This is needed to call the appropriate tactics. However, this is minimal, a matter of minutes rather than hours, since it follows the existing design hierarchy. The main part that is time consuming is if unsuccessful automated proofs of sub-blocks are attempted. This obviously requires judgement about the limitations of MDG, in knowing when it is worth attempting automated proof, and when it is better to step down a level in the hierarchy.
Table 2. Comparison of Verifications of the Decoder Blocks

Related Work

Work to combine the advantages of automated and interactive tools falls generally into two areas: hybrid tools in which two existing, stand-alone verification systems are linked; and systems where external proof packages are embedded as decision procedures for some subset of the logic by an interactive system. Perhaps the most impressive hybrid verification system to date is the combined Voss-ThmTac System [2]. It combines a simple, specially written LCF style proof system, ThmTac, with the Voss Symbolic Trajectory Analysis System. This system evolved out of the HOL-VOSS System [11]. In that system, Voss was interfaced within HOL as a tactic that could be called to perform a symbolic trajectory analysis to verify assertions about sequences of states. The Voss-ThmTac System is thus based on many years of experience combining systems. It has been used to verify a series of real hardware designs including an IA-32 instruction length decoder, claimed to be one of the most complex hardware verifications completed. Much of its power comes from the very tight integration of the two provers, allowing the user to interact directly with either tool. This is facilitated by the use of a single language, FL, as both the theorem prover's meta-language and its object language.

Schneider and Hoffmann [15] linked SMV (a CTL model checker) to HOL using PROSPER. In this hybrid tool, HOL conversions were used to transform LTL specifications into ω-Automata, a form that can be reasoned about within SMV. These HOL terms are exported to SMV through the PROSPER plug-in interface. On successful model checking the results are returned to HOL and turned into tagged theorems. This allows SMV to be used as a HOL decision procedure. The SMV specification language has also been deeply embedded in HOL, allowing temporal logic specifications to be manipulated in HOL and the model checker used to return a result about their validity.

The use of tightly integrated decision procedures is a major focus of the PVS proof system. Rajan et al. [14] integrated a BDD-based model checker for the propositional μ-calculus within PVS. An extension of the μ-calculus is defined within higher-order logic and temporal operators are then defined as μ-calculus fixpoint definitions. These expressions are converted into the form required by the model checker, which can then be used to prove appropriate subgoals generated within PVS. Such results are treated no differently from those created by proof.

An issue with accepting imported results as theorems is whether the external system can be trusted to produce "theorems" that really are host system theorems. This is more of an issue with fully-expansive proof systems such as HOL, where the integrity of the system depends on a small core of primitive inference rules. Accepting results from an external package essentially treats that package as one of the trusted primitives. The approach taken by Gordon [8] to minimize this problem when integrating BDD based tools (the BuDDy package) is to provide a small set of BDD primitives in terms of which full tools are implemented. In this way only the primitives need to be trusted, not the whole package.

Hurd [10] used PROSPER to combine the Gandalf prover with HOL. Unlike other approaches, the system reproves the Gandalf theorems within HOL rather than just accepting the results. The Gandalf proof script is imported into the HOL system and used to develop a fast proof within HOL. The tool is thus used to discover proofs, rather than directly to prove theorems.

The MEPHISTO system [12] was developed to manage the higher levels of a verification, producing first-order subgoals to be proved by the FAUST first order prover. The goals of MEPHISTO are similar to ours: managing the subgoaling of a verification to produce goals that can be proved by another system. The difference is the focus of the way the systems do this and the target system. Our approach is to use the existing design hierarchy, sending to the automated prover (here a hardware verification system itself) subgoals that are correctness theorems about design modules. Thus HIER_VERIF_TAC produces subgoals, and results from failed verification, that are easily understood by the designer. This approach avoids the problem of the verifier having to inspect goals that bear little relation to the input to the system. MEPHISTO does give some support for hierarchical proof, providing a library of preproved modules. However, in our approach such hierarchical verification is explicitly supported by the tactics.

Aagaard et al. [1] proposed a similar hardware verification management system. They aimed to complete the whole proof within the theorem prover (HOL or Nuprl). As with MEPHISTO, the focus is on producing lemmas to be proved by decision procedures. They developed a series of prototype tactics that could be used to break down subgoals. However, they do not directly support hierarchical verification: the first step proposed is to rewrite with the module specifications.

As in [2] and [15], we integrate a theorem prover (HOL) with an existing hardware verification tool (MDG) rather than embedding a package within the system. We work within the proof system but using the specification style of the automated tool. This is done by embedding the language of the automated verification tool within the proof system. As is done in pure HOL verification, the proof follows the natural design hierarchy embodied in the specifications. This process is explicitly supported by our hierarchy tactic. By working in this way we obtain a seamless integration of the tools. The subgoals automatically generated also have a direct relation to the specifications produced by the designer.
Conclusions

We have described a tool linking an interactive theorem prover and an automated decision diagram-based hardware verification system. This builds on previous work [17], where we showed formally how an MDG equivalence proof can be imported to an implication-based correctness theorem in HOL. Our system explicitly supports the hierarchical compositional verification approach naturally used in interactive proof systems, when using an automated tool. The interactive proof system is used to automatically manage the proof as well as complete interactively any proof that is beyond the scope of the automated system. The verification of whole blocks in the hierarchy can, however, be done automatically. The hybrid tool can be used to verify larger examples than could be done in MDG alone, and these proofs can be done faster than in either system alone.

We used the PROSPER toolkit to perform the linkage of the two tools. This made providing such a linkage relatively easy. However, with the early version of PROSPER used, the linkage was slow. An alternative implementation that communicated between the tools directly using files was quicker.

We illustrated the use of the hybrid tool by describing the verification of the preprocessing block of the arbitration unit of an ATM switch. This was done using hierarchical verification, with both the combinational and sequential equivalence checking tools of MDG being used. With the hybrid tool, a verification that originally required many hours of interactive proof work could be done largely automatically.

We intend to extend the capabilities of the tool to increase the automation of the proof management process. For example, we will automate different forms of parameterization. Parameterized circuits must currently be dealt with interactively. A single instance of the parameterized circuit is verified using the hybrid tactics and this theorem is used in a pure HOL proof of the parameterized circuit, performing the inductive part of the proof. This process could be automated for a range of common parameterization patterns (see Aagaard et al. [1]) with a similar tactic to HIER_VERIF_TAC managing the inductive part of the proof. Common abstraction techniques to reduce a model (say from 32 bits to 1 bit) to make automated verification tractable could also be dealt with in this way. However, MDG provides a better approach: by making fuller use of the abstraction facilities in MDG itself we will remove the need for such abstraction. Currently only bit level designs can be verified using MDG via the hybrid tool. However, a future version of the hybrid tool will allow designs with abstract variables to be exported. This will remove the need to simplify datapath widths to make verification tractable and will enable us to handle data-dependent circuits automatically. We will also extend the hybrid tool to support model checking in MDG. While most of the infrastructure may be reused, ways of translating and composing temporal properties in HOL need to be developed. Finally, we will consider the verification of more complex examples including a full 16 by 16 switch fabric.
