A technique, based upon abstract interpretation, is presented that allows general gate-level combinational asynchronous circuits with uncertain delay characteristics to be reasoned about. Our approach is particularly suited to the simulation and model checking of circuits where the identification of possible glitch states (static and dynamic hazards) is required. A hierarchy of alternative abstractions linked by Galois connections is presented, each offering varying tradeoffs between accuracy and complexity. Many of these abstract domains resemble extended, multi-value logics: transitional logics that include extra values representing transitions as well as steady states, and static/clean logics that include the values S and C representing 'unknown but fixed for all time' and 'can never glitch' respectively.
Introduction
Most contemporary design approaches assume an underlying synchronous paradigm, where a single global signal drives the clock inputs of every flip flop in the circuit. As a consequence, nearly all synthesis, simulation and model checking tools assume synchronous semantics. Designs in which this rule is relaxed are generally termed asynchronous circuits.
In a synchronous model, glitches (also known as static and dynamic hazards) do not cause problems unless they occur on a wire used as a clock input; with purely synchronous design rules this cannot occur. However, such safety restrictions are not enforced by the semantics of either Verilog or VHDL; it is quite easy, deliberately or otherwise, to introduce unsafe logic into a clock path.
We present a technique, based upon abstract interpretation [1, 2], that allows the glitch states of asynchronous circuits to be identified and reasoned about. The approach taken involves a family of extended, multi-value transitional logics with an underlying dense continuous time model, and has applications in synthesis, simulation and model checking.
Our logics are extended with extra values that capture transitions as well as steady states, with an ability to distinguish clean, glitch-free signals from dirty, potentially glitchy ones. As a motivating example, consider the circuits represented by the expressions (a ∧ c) ∨ (¬a ∧ b) ∨ (b ∧ c) and (a ∧ c) ∨ (¬a ∧ b). With respect to steady-state values for a, b and c, both circuits would appear to be identical, with the latter representing a circuit that might result from naïve optimisation of the former. Our technique can straightforwardly illustrate differences in their dynamic behaviour, however. Consider the critical case a = ↑_0 and b = c = T_0, representing b and c being wired to true for all time, and a clean transition from false to true on a (this notation is defined fully in Section 3):
The result T_0 may be interpreted as 'true for all time, with no glitches'. However, T_0..1 represents 'true with zero or one glitches', clearly demonstrating the poorer dynamic behaviour of the smaller circuit.
Hardware Components
In this paper we consider four basic building blocks: (perfect, zero-delay) AND-gates, (perfect) NOT-gates, delay elements (whose delays may depend on time and on environmental factors like temperature, and thus are non-deterministic in a formal sense), and inertial delay elements. The difference between an ordinary delay and an inertial delay is that in the former the number of transitions on its input and output are equal, but in the latter a short-duration pulse from high to low and back (or vice versa) may be removed entirely from the output.
Of course, real circuits are not so general; in particular no practically realisable circuit of non-zero size can have zero delay. Hence real-life circuits all correspond to combinations of the above gates with some form of delay element. For the purpose of designing synchronous hardware all that matters is the maximum delay which can occur through a circuit, so the exact positioning of the delays is often of little importance. When circuits are used asynchronously (e.g. for designing self-timed circuits without a global clock or, more prosaically, when their output is being used to gate a clock signal locally) then their glitch behaviour is often critically important. This leads to two models (the delay-insensitive (DI) and speed-independent (SI) models) of real hardware. In the SI model logic elements may have delays, but wires do not; in the DI model both logic elements and wires have associated delay. One well-known fact about DI models is that it is impossible to have an isochronic fork, whereby the transitions in output from a given gate arrive, after delay, contemporaneously at two other gates. Reasoning in the DI model has become much more important recently as wire delays (e.g. due to routing) have become dominant over single-gate element delays in modern VLSI technologies [11].
Ordinary circuits may be embedded in our model as follows. In the SI model each physical logic gate at the hardware level is seen as a perfect logic gate whose output is then passed through a delay element. In the DI model, each physical logic gate is seen as a perfect logic gate whose input(s) first pass through separate delays. In essence, the SI and DI models of a circuit are translations of a physical circuit into idealised circuits composed solely of our four perfect elements. Now consider the circuit in Fig. 1. Seen as a perfect logic element, its output is always false regardless of the value of its input signal. Seen as an SI circuit (i.e. delays on the outputs of the AND and NOT), given an input F_1 which starts at false then transitions to true and back, the circuit will be false at all times except (possibly) for a small period just after the rising edge of the input, when the upper AND-input will already be true, but before the delayed NOT-output has yet become false. Thus the output is F_0|1 if we assume an inertial delay and F_1 if we assume a non-inertial delay.
In contrast, in the DI model, the separate delays on both inputs to the AND-gate mean that the same input signal F_1 may result in small positive pulses on both the rising and falling edge of the input; thus the output is described as F_0|1|2. It is important to note that any of these three possible outputs may occur; delays may vary with time, and can also differ on whether an input signal is rising or falling.
Our abstract interpretation framework enables us to formally deduce the above behaviours of the circuit shown in Fig. 1. Our reasoning is correct by virtue of the abstract interpretation framework. In some situations our reasoning is also complete, in that all abstractly-predicted behaviours may be made to happen by choosing suitable delay functions for the delay elements. For example, in the DI model, our abstraction of the above circuit maps abstract signal F_1 onto F_0|1|2, but the SI model cannot produce F_2 however the (positive) delay intervals are chosen.
Paper Structure
In Section 2 we define a concrete domain that models signals as (possibly nondeterministic) functions from time to the Boolean values. Section 3 describes the most accurate (though complex) of our abstract domains; Sections 5 and 6 show how this can be further abstracted. Section 4 defines the operators necessary to model circuits, Section 4.1 discusses soundness and completeness of these operators. Refinement and equivalence relations are discussed in Section 7.
Concrete Domain
Definition 1. Concrete time R is continuous, linear and dense, having no beginning or end.
Definition 2. A signal is a total function in S : R → {0, 1} from concrete time to the Boolean values. More precisely, we restrict S to those functions that are finitely piecewise constant, i.e. there exists {k_1, . . . , k_n} which uniquely determines and is determined by a signal s ∈ S such that
The function Ψs =def {k_1, . . . , k_n} represents the bijection which returns the set of times at which signal s has transitions; |Ψs| represents the total number, n, of transitions made by s. As a further notational convenience, we denote the values of s at the beginning and end of time respectively as s(−∞) and s(+∞).
We model nondeterministic signals as members of the set ℘(S); e.g. delaying signal s by time δ, where δ_min ≤ δ ≤ δ_max, gives {λτ. s(τ − δ) | δ_min ≤ δ ≤ δ_max}.
Abstract Domain

Deterministic Traces
Definition 3. A deterministic trace t ∈ T characterises a deterministic signal s ∈ S, retaining the transitions but abstracting away the times at which they occur. Traces are denoted as finite lists of Boolean values bounded by angle brackets ('⟨ . . . ⟩'), and must contain at least one element; the empty trace '⟨⟩' is not syntactically valid.
Table 1. Shorthand notation for traces.
F_0   The trace ⟨0⟩ that is 0 for all time.
F_1   The trace ⟨0, 1, 0⟩ that has 0 at the beginning and end, containing exactly one pulse.
F_2   The trace ⟨0, 1, 0, 1, 0⟩ that begins and ends with 0, containing exactly two pulses.
F_n   The trace ⟨0, 1_1, 0, 1_2, 0, . . . , 0, 1_n, 0⟩ that begins and ends with 0, containing exactly n positive-going pulses.
T_0   The trace ⟨1⟩ that is 1 for all time.
T_n   The trace ⟨1, 0_1, 1, 0_2, 1, . . . , 1, 0_n, 1⟩ that begins and ends with 1, containing exactly n negative-going pulses.
↑_0   The trace ⟨0, 1⟩ that cleanly transitions from 0 to 1.
↑_n   The trace ⟨0, 1_1, 0, . . . , 0, 1_n, 0, 1⟩ that transitions from 0 to 1 through exactly n intervening cycles.
↓_0   The trace ⟨1, 0⟩ that cleanly transitions from 1 to 0.
↓_n   The trace ⟨1, 0_1, 1, . . . , 1, 0_n, 1, 0⟩ that transitions from 1 to 0 through exactly n intervening cycles.

A singleton trace, denoted ⟨0⟩ or ⟨1⟩, represents a signal that remains at 0 or 1 respectively for all time. For traces with two or more elements, e.g. ⟨a, . . . , b⟩, a is the value at the beginning of time and b is the value at the end of time.
The trace ⟨0, 1, 0⟩ represents a signal that at the start of time takes the value 0, then at some later time switches cleanly to 1, then back to 0 again before the end of time. The instants at which these transitions occur are undefined, although their time order must be preserved.
Values within traces may be discriminated only by their transitions. Therefore, the trace ⟨0, 0, 0, 0, 1, 1, 1⟩ is equivalent to the trace ⟨0, 1⟩. It follows from this that all traces may be reduced to a form that resembles an alternating sequence ⟨. . . , 0, 1, 0, 1, 0, 1, . . .⟩. Any such sequence can be completely characterised by its start and end values, along with the number of intervening full cycles⁵. A convenient shorthand notation that takes advantage of this is defined in Table 1.
Nondeterministic Traces
Following the approach taken in Section 2, we represent nondeterministic traces t̂ ∈ ℘(T) as sets of deterministic traces⁶.
⁵ It is of course also possible to represent traces completely in terms of their first (or last) element and their length. However, the representation chosen here turns out to be more convenient, e.g. comparing ↑_0 with ↑_4 makes it immediately obvious that both represent traces that eventually transition from 0 to 1, with ↑_0 being 'cleaner' than ↑_4. The utility of this approach will become clear later.
⁶ We adopt the convention that t and t̂ are separate variables that range over T and ℘(T) respectively.
The need for this extra structure is demonstrated by the following example. Let us attempt to specify the meaning of the expression ⟨0, 1⟩ ∧ ¬⟨0, 1⟩, which represents the effect of feeding a clean transition from 0 to 1 to the a input of the circuit shown in Fig. 1. The ¬ can be evaluated trivially, giving ⟨0, 1⟩ ∧ ⟨1, 0⟩. At first sight, it may appear that the resulting trace should be ⟨0, 0⟩ or just ⟨0⟩. This would be the case if certain constraints on the exact times of the transitions of the ⟨1, 0⟩ and ⟨0, 1⟩ traces were met, but it is not sufficient to cope with all possibilities. If ⟨1, 0⟩ transitions before ⟨0, 1⟩, then the result is indeed ⟨0⟩. Should the transitions occur in the opposite order, the result is ⟨0, 1, 0⟩. Formally,
, the nondeterministic choice t̂ | û is synonymous with t̂ ∪ û. For notational compactness, we alternatively allow either or both of the arguments of | to range over T, e.g. where t ∈ T, the expression t | û is equivalent to {t} | û.
The '|' operator allows the above equation to be expressed more compactly as follows:
Using the shorthand notation, this may equivalently be written as:
For example, F_0 | F_1 may equivalently be written as F_0|1, and rather than fully enumerating a long list of alternative pulse counts of the form F_m|m+1|...|n−1|n, the preferred notation F_m..n may be used instead. These notations may be combined, e.g. F_0|3|5..7|10..12.
Nondeterministic choice obeys all the laws of set union, e.g.
From this, various subscript laws follow, e.g.
Definition 6. It is convenient to name the following least upper bounds w.r.t. (℘(T), ⊆):
Galois Connection
Definition 7. Given a deterministic concrete signal s ∈ S, the abstraction function β : S → T returns the corresponding deterministic trace:
Note that βs has exactly 1 + |Ψs| elements. The set {s′ ∈ S | βs′ = βs} represents, for any s ∈ S, the equivalence class containing that element.
Note that S is isomorphic with T. We choose to prove instead the slightly stronger α ∘ γ(x̂) = x̂, and since the ordering relations on ℘(S) and ℘(T) are subset inclusion, we write ⊇ rather than . Proof: letting x̂ = {x_1, . . . ,
Circuits
Definition 10. Circuits are modeled by composing four basic operators: zero delay 'and' ∧, zero delay 'not' ¬, transmission line delay ∆ and inertial delay , which are defined on the concrete domain as follows:
where m > 0, n > 0. 
Their abstract counterparts are defined as follows:
where Val : T → {F, T, ↑, ↓} and Subs : T → N are defined as follows:
And. The function ∧ : ℘(S) × ℘(S) → ℘(S) represents a perfect zero-delay AND gate. Its abstract counterpart, ∧ : ℘(T) × ℘(T) → ℘(T), is defined in terms of ∧ by composition with α and γ; note that our semantics is based upon an independent attribute model [10].
Not. The bijective function ¬ : ℘(S) → ℘(S) represents a perfect zero-delay NOT gate. As with ∧, we define ¬ : ℘(T) → ℘(T) by composition of the concrete operator ¬ with α and γ. When tabulated, ∧ and ¬ behave as shown in Table 2.
Transmission line (non-inertial) delay. Our definition of transmission line delay is essentially a superset of all possible delay functions that preserve the underlying trace structure of the signal. The definition, γ • α, captures this behaviour straightforwardly; the α function abstracts away all details of time, though preserves transitions and the values at the beginning and end of time, then γ concretises this, resulting in the set of all possible traces with similar structure. This definition is more permissive than more typical notions of delay in that it includes negative as well as positive time shifts as well as transformations that can stretch or compress (though not remove or reorder) pulses.
Inertial delay. Inertial delay is broadly similar to transmission line delay, except that, as well as changing the times at which transitions occur, one or more complete pulses (i.e. pairs of adjacent transitions) may be removed. This models a common property of some physical components, whereby very short pulses are 'soaked up' by internal capacitance and/or inductance and thereby not passed on. We model inertial delay in the abstract domain; in effect, nondeterministic traces are mapped to convex hulls of the form
The concrete inertial delay operator is defined in terms of by composition with γ and α, so as with transmission line delay, it encompasses all possible (correct) inertial delay functions. It can be noted that, for all ŝ ∈ ℘(S), ∆ŝ ⊆ ŝ.
Soundness and Completeness
Definition 13. Where f = f_best and f ∘ γ = γ ∘ f, the property γ-completeness holds.
Definition 14. Where f = f_best and α ∘ f = f ∘ α, the property α-completeness holds.
Note that α-completeness and γ-completeness are orthogonal properties; neither implies the other, though if either or both kinds of completeness hold, soundness must also hold.
Theorem 2. The transmission line delay operator (∆, ∆ ) is sound, α-complete and γ-complete. Proof:
Theorem 3. The inertial delay operator ( , ) is sound, α-complete and γ-complete. Proof:
Theorem 4. The perfect NOT operator (¬, ¬ ) is sound, α-complete and γ-complete. Proof:
Theorem 5. The perfect AND operator (∧, ∧ ) is sound. Proof:
Note that whilst perfect, zero-delay AND is sound but not complete, a composite speed-independent AND (∧_SI =def ∆ ∘ ∧, ∧_SI =def ∆ ∘ ∧) can straightforwardly be shown to be γ-complete, but not α-complete. Dually, delay-insensitive AND (∧_DI is both α- and γ-complete.
Finite Versions of the Abstract Domain
The abstract domain defined in Section 3 allows arbitrary asynchronous combinational circuits to be reasoned about. In this section we present a number of simplifications of this basic model which allow accuracy to be traded off against level of abstraction. The model presented in Section 3 is useful in identifying possible glitches within circuits, though in practice one is generally interested in whether a particular signal can glitch, rather than in the number of possible glitches; this requires less information than that captured by our original abstraction. It follows that further abstraction should be possible, which is indeed the case.
Collapsing Non-Zero Subscripts: the 256-value Transitional Logic T_256
Mapping all non-zero subscript traces t ∈ X_1..∞ to the single abstract value X_+, for X ranging over {F, T, ↑, ↓}, makes it possible to define a finite abstract domain with a Galois connection to T. This domain has the desirable property of abstracting away details of 'how glitchy' a trace may be, whilst retaining the ability to distinguish clean traces from dirty traces.
Table 3. Operators on T_c
Definition 15. The abstract domain of subscript-collapsed deterministic traces is the set T_c =def
Following the usual convention, the corresponding abstract domain of subscript-collapsed nondeterministic traces is the set T_256 =def ℘(T_c).
Note that unlike T and ℘(T), both T_c and ℘(T_c) are finite sets, with 8 and 256 members respectively.
Definition 16. The Galois connection α is defined as follows:
It is possible to tabulate 256 × 256 truth tables that fully enumerate all members of T_256 along their edges, but they are too large to reproduce here in full. For brevity, Table 3

Such an approach still captures more nondeterminism than is useful for many applications. It is possible to further reduce the abstract domain, replacing some nondeterministic choices with appropriate least upper bound elements with respect to (℘(T_c), ⊆). The hierarchy of domains that results is shown in Fig. 2; the relationship to 2-value Boolean logic B and 3-value ternary logic B_3 is also shown. Note that since B lacks an upper bound that corresponds with , it is not possible to define α : B_3 → B (though γ : B → B_3 can be trivially defined), so a Galois connection does not exist in that particular case. Following Cousot & Cousot [1, 2], the domain U, useless logic, containing only , completes the lattice.
Finding the smallest lattice including {F_0, F_+, T_0, T_+, ↑_0, ↑_+, ↓_0, ↓_+} that is closed under ∧_c and ¬_c results in the 13-value transitional logic,
Though much smaller than ℘(T_c), this logic is equally useful for most purposes; note that a special element needs to be explicitly included, , representing the least upper bound (top element) of the lattice.
In cases where it is important to know that a trace is definitely clean, but where it is not necessary to distinguish between 'definitely dirty' and 'possibly dirty', further reducing the domain by folding F_+, T_+, ↑_+ and ↓_+ into their respective least upper bounds F_?, T_?, ↑_? and ↓_? results in a 9-value transitional logic,
An even simpler 5-value transitional logic T_5 =def {F, T, ↑, ↓, } results from folding all remaining nondeterminism into . T_13 and T_9 are well suited to logic simulation, refinement and model checking, whereas T_5 is only recommended for glitch checking.
Static/Clean Logics
The T_13, T_9 and T_5 logics can be usefully extended by introducing two extra upper bounds: S, the least upper bound of traces whose values are fixed for all time, and C, the least upper bound of traces that may transition, but that never glitch.
Definition 17. With respect to ℘(T_c), the least upper bounds S, C and are defined as follows:
Refinement and Equivalence in Transitional Logics
Hardware engineers frequently concern themselves with the modification and optimisation of existing circuits, so it is appropriate to support this by defining equivalence and refinement with respect to our abstract domains. Refinement relationships between circuits are analogous to concepts of refinement in process calculi, and may similarly be used to aid provably correct design. For example, the Boolean equivalence a ∧ ¬a = F is not a strong equivalence in our model, nor is it a weak equivalence; it actually turns out to be a (left-to-right) refinement, i.e. a ∧ ¬a F_0, reflecting the 'engineer's intuition' that it is safe to replace a ∧ ¬a with F_0, but that the converse could damage the functionality of the circuit by introducing new glitch states that were not present in the original design.
Informally, if the deterministic trace u ∈ T refines (i.e. retains the steady-state behaviour of, but is no more glitchy than) trace t ∈ T, this may be denoted t u.
Definition 18. Given a pair of traces t ∈ T and u ∈ T,
, but ↓_0 and ↑_1 are incomparable. Where t ∈ T and u ∈ T, if t u and u t, it follows that t = u.
Refinement and equivalence for nondeterministic traces are slightly less straightforward, in that it is necessary to handle cases like ↓_1|3|5 ↓_0|2|4. To make these comparable, we construct convex hulls of the form X_0..n enclosing the nondeterministic choices, so the above case becomes equivalent to ↓_0..5 ↓_0..4. In effect, this approach compares worst-case behaviour, disregarding finer detail; in practice, since ∧, ∆, and ¬ typically return results of the general form X_0..n anyway, this tends not to cause any practical difficulties. Less permissive definitions of refinement, e.g. t̂ strict û ≡ ∀t ∈ t̂ . ∀u ∈ û . t u, often disallow too many possible optimisations that in practice are quite acceptable; our model better reflects the engineer's intuition that 'less glitchy is better', but that very detailed information about the structure of possible glitches is generally not important.
Definition 19. Where t̂ ∈ ℘(T) and û ∈ ℘(T), t̂ û ≡def (∀t ∈ t̂, u ∈ û . Val(t) = Val(u)) ∧ MaxSubs(t̂) ≥ MaxSubs(û)
where MaxSubs(t̂) =def max_{t ∈ t̂} Subs(t) is a function returning the largest subscript of a nondeterministic trace.
Equivalence of Nondeterministic Traces. Where t̂ ∈ ℘(T) and û ∈ ℘(T), if t̂ = û then the traces are strongly equivalent, i.e. they represent exactly the same sets of nondeterministic choices. If the convex hulls surrounding t̂ and û are identical, as is the case when t̂ û ∧ û t̂, the traces may be said to be weakly equivalent, denoted t̂ û. Where t̂ û ∨ û t̂, the traces are comparable, denoted t̂ û.
Finite Abstract Domains. Refinement and equivalence can also be defined for the finite abstract domain T_256 and some of its simplified forms. Since T_256 is implicitly nondeterministic, we do not need to consider the deterministic case.
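The following is an added executable sketch, not code from the paper, of the abstract domain of Section 3 together with the four operators of Definition 10 and the refinement test of Definition 19. Deterministic traces are tuples in reduced form, nondeterministic traces are frozensets, and abstract AND is computed by enumerating every interleaving of the two transition sequences (time being abstracted away, only their relative order matters), which is how α ∘ ∧ ∘ γ is realised here; the function names (trace, nd, and_, not_, or_, tl_delay, inertial_delay, refines) are the sketch's own, not the paper's notation. It reproduces the Fig. 1 DI result F_0|1|2, the introduction's T_0 versus T_0|1 comparison, and the refinement of a ∧ ¬a to F_0 from Section 7.

```python
from itertools import product

# Deterministic trace: tuple of 0/1 values, no two adjacent equal (Section 3's reduced form); nondeterministic trace: frozenset of them.
VAL_NAMES = {(0, 0): "F", (1, 1): "T", (0, 1): "↑", (1, 0): "↓"}
VAL_ENDS = {name: ends for ends, name in VAL_NAMES.items()}

def reduce_trace(values):  # collapse runs of equal adjacent values: <0,0,0,1,1> -> <0,1>
    return tuple(v for k, v in enumerate(values) if k == 0 or v != values[k - 1])

def trace(name, n):  # the deterministic trace written X_n in the paper's shorthand, e.g. F_1 = <0,1,0>
    start, end = VAL_ENDS[name]
    return tuple((start + i) % 2 for i in range(2 * n + 1 + (start != end)))

def nd(*traces):  # nondeterministic choice t | u | ... is set union
    return frozenset(traces)

def val(t):  # Val : T -> {F, T, up, down}, fixed by the first and last elements
    return VAL_NAMES[(t[0], t[-1])]

def subs(t):  # Subs : T -> N, the number of complete intervening cycles
    return (len(t) - 1 - (t[0] != t[-1])) // 2

def shorthand(that):  # render e.g. 'F0|1'; traces with different Vals are joined by ' | '
    groups = {}
    for t in that:
        groups.setdefault(val(t), set()).add(subs(t))
    return " | ".join(v + "|".join(map(str, sorted(ns))) for v, ns in sorted(groups.items()))

def not_(that):  # perfect zero-delay NOT: complement every value (exact on both domains)
    return frozenset(tuple(1 - v for v in t) for t in that)

def and_det(t, u):
    """Every trace a perfect zero-delay AND can produce from deterministic t and u. Time is
    abstracted away, so only the relative order of the two transition sequences matters:
    enumerate all interleavings, simultaneous transitions included (alpha . AND . gamma)."""
    results, last_t, last_u = set(), len(t) - 1, len(u) - 1
    def walk(i, j, values):
        values = values + [t[i] & u[j]]
        if i == last_t and j == last_u:
            results.add(reduce_trace(values))
            return
        if i < last_t:
            walk(i + 1, j, values)  # t transitions first
        if j < last_u:
            walk(i, j + 1, values)  # u transitions first
        if i < last_t and j < last_u:
            walk(i + 1, j + 1, values)  # both transition at the same instant
    walk(0, 0, [])
    return results

def and_(that, uhat):  # abstract AND under the independent attribute model: combine every pair
    return frozenset(r for t, u in product(that, uhat) for r in and_det(t, u))

def or_(that, uhat):  # OR via De Morgan; exact because NOT is a bijection
    return not_(and_(not_(that), not_(uhat)))

def tl_delay(that):  # transmission-line delay gamma . alpha: the identity on the abstract domain
    return frozenset(that)

def inertial_delay(that):  # any number of complete pulses may be dropped: the convex hull X_0..n
    return frozenset(trace(val(t), k) for t in that for k in range(subs(t) + 1))

def refines(that, uhat):  # Definition 19: one shared Val and MaxSubs(that) >= MaxSubs(uhat)
    same_val = len({val(t) for t in that | uhat}) == 1
    return same_val and max(map(subs, that)) >= max(map(subs, uhat))

def fig1_di(signal):  # Fig. 1 (a AND NOT a) in the DI model: a delay element on each AND input
    return and_(tl_delay(signal), tl_delay(not_(signal)))

def motivating_example():  # the introduction's two circuits with a = up_0 and b = c = T_0
    a, b, c = nd(trace("↑", 0)), nd(trace("T", 0)), nd(trace("T", 0))
    three_term = or_(or_(and_(a, c), and_(not_(a), b)), and_(b, c))
    two_term = or_(and_(a, c), and_(not_(a), b))
    return shorthand(three_term), shorthand(two_term)  # ('T0', 'T0|1')
```

Because ∆ is the identity on the abstract domain, fig1_di gives the same F_0|1|2 as the perfect circuit; the concrete SI model's inability to produce F_2 is exactly the incompleteness the paper notes for zero-delay AND.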
Related Work
There seems to be relatively little work reported in the literature regarding the application of modern program analysis techniques to hardware. Don Gaubatz [4] proposes a 4-value 'quaternary' logic that bears some resemblance to our 5-value transitional logic. Paul Cunningham [3] extends Gaubatz's work in many respects, though his formalism is based on a conventional 2-value logic with transitions handled explicitly as events rather than as values in an extended logic.
Charles Hymans [9] presents a safety-property checking technique based upon abstract interpretation of (synchronous) behavioural VHDL specifications.
Conclusions
In this paper, we have presented a technique based upon the solid foundation of abstract interpretation [1, 2] that allows properties of a wide class of digital circuits to be reasoned about. We describe what is essentially a first attempt at applying abstract interpretation to asynchronous hardware; clearly more can be done, particularly in exploring completeness.
Future Work
In Section 7, we define refinement and equivalence relations on circuits. It appears to be possible to generalise this definition of refinement and equivalence to any abstract domain that is itself amenable to abstract interpretation. We have already demonstrated that our technique is potentially useful for logic simulation [13]; implementing a demonstrable simulator is a logical next step.
An experimental proof system exists for the 11-value clean/static transitional logic, and we hope to extend this to cover the more general case, ℘(T).
