Abstract. A logic simulator can prove the correctness of a digital circuit if it can be shown that only circuits fulfilling the system specification will produce a particular response to a sequence of simulation commands. This style of verification has advantages over other proof methods in being readily automated and requiring less attention on the part of the user to the low-level details of the design. It has advantages over other approaches to simulation in providing more reliable results, often at a comparable cost. This paper presents the theoretical foundations of several related approaches to circuit verification based on logic simulation. These approaches exploit the three-valued modeling capability found in most logic simulators, where the third value X indicates a signal with unknown digital value. Although the circuit verification problem is NP-hard as measured in the size of the circuit description, several techniques can reduce the simulation complexity to a manageable level for many practical circuits.
In discussing formal verification, we must remember that the level of confidence it provides is only as strong as the degree to which the abstract model matches actual system operation. Clearly, any specification of such a gate must include restrictions on the environment in which it is placed. As a notable exception to these highly simplified models, Weise [25, 26] example, a simple 1-bit latch has an output dependent on an input that occurred arbitrarily long in the past, as long as no new value is written into it. For such a system, given any value k, there will always be an input sequence of length k that does not cause the system to produce a unique output. When simulating this sequence following an ERASE command, even a correctly designed circuit will give an X on the output.
In Section 4, we show that for any indefinite system specification, there is no way to prove that a circuit fulfills its specification by simply observing the output values resulting from a sequence of input patterns and ERASE commands. This general limitation of black-box simulation can be illustrated using a 1-bit latch circuit, as illustrated in the upper-left-hand corner of Figure 2. A value v is written into this latch by setting DATA to v and LOAD to 1. This value remains in this latch as long as LOAD is held at 0. Consider a simulation sequence that is claimed to detect any defective latch design. Since the sequence is finite, there must be some value l such that the LOAD input is never held at 0 for l or more consecutive patterns.
Consider the "impostor" circuit of Figure 2. The impostor circuit passes the first two tests when new data is written, because this causes the shift register to be cleared. For the final two tests, Q and C are initialized to Boolean values, but all other state variables, including those within the shift register, are initialized to X. The shift register output will remain at X, causing an X to appear on OUT and the tests to fail.
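The latch argument above, as an added example that is not part of the paper: a three-valued simulator with the ERASE, APPLY and OUTPUT commands, the correct latch, and a hypothetical impostor (my own reading of the Figure 2 construction, with the shift-register length l as a parameter). A black-box sequence whose LOAD=0 runs are shorter than l cannot tell the two apart, while an assertion that starts from a state with only Q set to a Boolean value exposes the impostor through an X on the output.

```python
X = "X"  # third simulation value: digital value unknown
flip = lambda v: X if v == X else 1 - v       # Boolean NOT, extended with X -> X

class Latch:
    """Correct 1-bit latch of Figure 2 (monotone extension): LOAD=1 writes DATA into
    Q, LOAD=0 holds Q, LOAD=X keeps Q only where DATA already agrees with it."""
    def erase(self):                      # ERASE: every state variable becomes X
        self.q = X
    def apply(self, data, load):          # APPLY(x): next-state function
        if load == 1:
            self.q = data
        elif load == X:
            self.q = data if data == self.q else X
    def output(self):                     # OUTPUT: output function on the state
        return self.q

class Impostor(Latch):
    """Hypothetical impostor: latch plus an l-stage shift register (cleared on write,
    shifted on hold); OUT is right while its last stage is 0, wrong at 1, X at X."""
    def __init__(self, l):
        self.l = l
    def erase(self):
        super().erase()
        self.sr = [X] * self.l
    def apply(self, data, load):
        super().apply(data, load)
        if load == X:
            self.sr = [X] * self.l
        else:
            self.sr = [0] * self.l if load == 1 else [1] + self.sr[:-1]
    def output(self):
        tap = self.sr[-1]
        return self.q if tap == 0 else (flip(self.q) if tap == 1 else X)

def run(model, seq):
    """Black-box experiment: ERASE, then APPLY each (DATA, LOAD) pattern and OUTPUT."""
    model.erase()
    outs = []
    for data, load in seq:
        model.apply(data, load)
        outs.append(model.output())
    return outs

def assertion_holds(model, v):
    """Assertion on a partly-X state: set only Q := v (all other state X), apply one
    hold pattern (LOAD=0, DATA=not v), and require v on the output."""
    model.erase()
    model.q = v                            # the set-state command on one variable
    model.apply(flip(v), 0)
    return model.output() == v
```

With l = 3, any sequence whose hold runs are at most two patterns long gives identical outputs for both models, and both print X after ERASE until the first write.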
Mathematical Formulation
The examples of the previous section illustrate the main ideas of our verification methodology.
We now proceed with a more formal presentation, showing that these ideas apply to general classes of digital systems. This section develops a mathematical abstraction of logic circuits, simulation, and the verification problem.
$O_{sim}: T^s \to T^{n'}$.
Since the simulator is assumed to faithfully model the actual circuit behavior, we make no attempt to distinguish between the circuit and its simulation model. Thus, we can abstract away many details of the actual circuit.
Typically, the automaton modeling a circuit depends on several factors:
-The logic network consisting of a set of interconnected elements.
-The logic model defining a mapping from networks to logical behavior.
-The monotonic extension used to express circuit behavior when some inputs or state variables equal X.
-The clocking methodology defining the patterns applied to the clock inputs as well as the time points at which data inputs are applied and data outputs are sensed.
(1) For every $q \in Q$ there exists a $z \in T^s$ for which $q \mathcal{R} z$.
(2) For any $q \in Q$ and $z \in T^s$, $q \mathcal{R} z \Rightarrow O_{spec}(q) = O_{sim}(z)$.
ERASE: causes the simulator to set $z_i$ to X for $1 \le i \le s$.
APPLY(x): causes the simulator to set z to $N_{sim}(z, x)$.
OUTPUT: causes the simulator to print $O_{sim}(z)$.
causes the simulator to set $z_i$ to b for $b \in T$.
$SimOut(a) = O_{sim}(SimState(a)) \le O_{sim}(z)$. Given that $SimOut(a) \in B^{n'}$, it follows that $O_{sim}(z) = SimOut(a)$ for all $z \in Z_a$. Define $\mathcal{R}$ as
We must show that $\mathcal{R}$ satisfies the three properties of Definition 3.
First, since $N_{spec}$ is a surjection, it can be shown by induction on k that for every $q \in Q$, there must be some $a \in \mathcal{Y}_k$ and some $q' \in Q$ such that $q = SpecState(q', a)$. Thus, every state q must be in set $Q_a$ for some $a \in \mathcal{Y}_k$. Moreover, the set $Z_a$ cannot be empty, and hence for every $q \in Q$, there must be some z such that $q \mathcal{R} z$.
Second, if $q \mathcal{R} z$, we must have $q = SpecState(q', a)$ and $SimState(a) \le z$ for some $q' \in Q$ and some $a \in \mathcal{Y}_k$.
From the condition of the lemma, it follows that
$O_{spec}(q) = SpecOut(q', a) = SimOut(a) = O_{sim}(z)$.
$SimOut(a)$ for each $a \in \mathcal{Y}_k$, and accepting the circuit if $SimOut(a) = SpecOut(q, a)$ for all a and any choice of $q \in Q$ (in a k-definite specification, the choice of initial state makes no difference). Lemma 2 shows that this experiment is effective.
Furthermore, the circuit illustrated in Figure 5, consisting of a p-bit wide, -l--lb- $SimOut_j(a) = X$. However, it can be shown using Lemma 3 that under these conditions $SimOut_j(a) = X$, as well. The detailed design of simulation model Y' is somewhat tedious and hence is described in the appendix.
It is also shown that for any $l \le k$, any $a \in \mathcal{Y}_k - \mathcal{Y}_l$, and any i such that $1 \le i \le m$:
Given a set of circuit assertions, verifying a circuit requires two proofs: that any simulation model satisfying the set of assertions must fulfill the specification, and that the model under consideration satisfies these assertions. Proving the adequacy of a set of assertions involves showing that they cover every transition in the specification automaton.
At the present stage of this research, the set of assertions and a proof of their adequacy must be generated manually.
Although this places additional burden on the user, experience has shown that far less manual effort is required than with structural verifiers.
TESTING ASSERTIONS BY SIMULATION.
Once a set of assertions has been devised, a simulator can verify that a particular model satisfies them. The restricted form of the assertion formulas guarantees that, if a vector $x \in T^n$ satisfies a formula, then any vector $x' \in T^n$ such that $x \le x'$ must also satisfy the formula.
Second, for all $v \in \{0, 1\}$ and for all i and j such that $0 \le i, j < n$ and $i \ne j$, an assertion states that writing into location j does not affect the value in cell i:
A memory circuit is generally configured as a square array of memory cells with m/2 of the address bits selecting a row and the remaining selecting a column. Hence, there are $\sqrt{n}$ rows.
Third, for all $v \in \{0, 1\}$ and for all i such that $0 \le i < n$, an assertion states that reading location i causes its value to appear on the output:
Finally, for all $v \in \{0, 1\}$ and for all i such that $0 \le i < n$, an assertion states that reading a value from any location should have no effect on the value stored in location i:
The above equations represent a total of $2n^2 + 4n + 1$ assertions.
This reduces the total number of assertions to $2n \log n + 4n + 1$. In practice, many memory circuits would yield false negative responses for some of the assertions of eq. (3) and (4). The simulation of an assertion that causes the word line of a memory cell to be set to X would most likely corrupt the value stored in the cell. With more care, however, the set of assertions can be refined to avoid this problem while maintaining the $O(n \log n)$ bound on the total number of patterns to be simulated [6]. These refined patterns first verify that a memory cell is not affected by an operation on a cell in another row, and then that it is not affected by an operation on a cell in a different column of the same row. Considering that even a minimal validation of a memory circuit requires simulating $\Omega(n)$ patterns (e.g., read and write every memory location), simulating $O(n \log n)$ patterns seems a very reasonable price to pay for rigorous verification.
$$
\text{out} = \begin{cases}
t, & a = b \\
0, & a \not\le b \ \text{or}\ t = 0 \\
X, & a < b \ \text{and}\ t \ne 0
\end{cases}
\qquad (5)
$$
That is, the input data is shifted to the output when the control inputs match those given by vector b. The output is cleared to 0 when at least one control input differs from the corresponding element of b but does not equal X. To satisfy monotonicity, we adopt the convention that whenever a < b the output equals O only if the data input equals O, that is, it does not matter whether the input is shifted or the output is cleared, and equals X, otherwise. 
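The monotone extension of eq. (5), and the monotonicity property that Section "Testing assertions by simulation" relies on, as an added example that is not from the paper: the element is written for a control vector b of any width (the hypothetical names `clear_element` and `naive_element` are mine), and an exhaustive check over $T^k$ confirms that eq. (5) is monotone while the Boolean definition applied verbatim to X is not.

```python
from itertools import product

X = "X"
T = (0, 1, X)

def leq(u, v):
    """Information ordering on T: u <= v iff u == v or u == X (X is below 0 and 1)."""
    return u == v or u == X

def vec_leq(a, c):
    return all(leq(u, v) for u, v in zip(a, c))

def clear_element(a, t, b):
    """Eq. (5) for control vector b: pass data t when a = b; 0 when some control
    bit is a Boolean mismatch with b or t = 0; X when a < b (some control bits
    unknown, none mismatching) and t != 0."""
    if a == b:
        return t
    if not vec_leq(a, b) or t == 0:
        return 0
    return X

def naive_element(a, t, b):
    """Boolean definition applied verbatim to T: treats any X control as a mismatch."""
    return t if a == b else 0

def is_monotone(f, k, b):
    """Exhaustive check: a <= a' and t <= t' must imply f(a, t) <= f(a', t')."""
    pts = [(a, t) for a in product(T, repeat=k) for t in T]
    return all(leq(f(a, t, b), f(a2, t2, b))
               for a, t in pts for a2, t2 in pts if vec_leq(a, a2) and leq(t, t2))

def agrees_on_booleans(f, k, b):
    """On fully Boolean inputs the extension must equal the Boolean definition."""
    return all(f(a, t, b) == naive_element(a, t, b)
               for a in product((0, 1), repeat=k) for t in (0, 1))
```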
