On Design Varification between Different Levels of Abstraction Using Regular Temporal Logic by Hamaguchi, Kiyoharu et al.
Title On Design Varification between Different Levels ofAbstraction Using Regular Temporal Logic
Author(s)Hamaguchi, Kiyoharu; Hiraishi. Hiromi; Yajima, Shuzo









between Different Levels of Abstraction
Using Regular Temporal Logic
Kiyoharu Hamaguchi, Hiromi Hiraishi and Shuzo Yajima
Department of Information Science
Faculty of Engineering, Kyoto University
1 Introduction
The progress of VLSI technology makes it a pressing need to establish
methods for verifying the correctness of logic design. In order to verify
whether a designed system satisfies a specification for it, formal verffi-
cation methods have been developed.
In logic design, hierarchical design methodology is adopted to man-
age complex legic systems. Our main concern is to develop a formal
verification method applicable to hierarchical design.
We consider formal verification of sequential machines in this paper.
As a language for describing specffication, we adopt infinitary regular
temporal logic $(\infty RTL)[1]$ which is an extension of $\epsilon$-free RTL proposed
by Hiraishi et al. [2]. While traditional temporal $10$gic or computation
tree logic(CTL) cannot characterize finite state machines $[3,4]$ , $\infty RTL$ is
powerful enough to express regular sets and $\omega$ regular sets.
In hierarchical design, specifications and implementations are often
given at different levels of abstractions. For example, a specification at
register transfer level (a higher level) and an implementation at gate level
(a lower level) can be given. In order to verify whether the lower-level im-
plementation satisfies the higher-level specffication, we must determine
some formal relation and bridge the gap between the two levels.
In this paper, we propose a formal $fi:amework$ based on $\infty RTL$ to




relation as a part of an implementation and show a verification method
for a lower-level implementation (i.e., a lower-level sequential machine
and a relation) and a higher-level specification described in $\infty RTL$ .
This paper is organized as follows: Chapter 2 introduces $\infty RTL$ .
Chapter 3 discusses a formal $fi:ame$work for describing relations between
different levels and shows a design verification method considering two
different levels. Chapter 4 summarizes this paper.
2 Regular Temporal Logic
The empty word $\epsilon,$ $\Sigma^{*}$ and $\Sigma^{+}$ are defined as in the usual way. An omega
word over an alphabet $\Sigma$ is an infinite-length sequence of symbols from
$\Sigma$ . $\Sigma^{\omega}$ is the set of all omega words over $\Sigma$ . $\Sigma^{\infty}def=\Sigma^{*}\cup\Sigma^{\omega}$ .
The class of infinitary regular sets is the union of regular sets [5] and
$\omega$ regular sets [6].
For $\sigma\in\Sigma^{\infty}-\{\epsilon\},$ $|\sigma|$ denotes the length of $\sigma$ , i.e., the number of
symbols in $\sigma$ (If $\sigma$ is in $\Sigma^{\omega}$ , then we denote $|\sigma|=\omega$ ) . $\sigma(i)$ denotes the ith
symbol of $\sigma$ . In the case that $|\sigma|\geq i,$ $\sigma^{i}$ denotes the suffix sub-sequence
of a starting from $\sigma(i)$ .
2.1 Definition of Regular Temporal Logic
Definition 1 Syntax
An $\infty RTL$ formula is simply called an RTL formula. RTL formulas are
defined inductively as follows. Let $AP$ be a set of atomic propositions.
If $p\in AP$ , and $\eta$ and $\xi$ are RTL formulas, then so are $(p),$ $(\neg\eta),$ $(\eta\vee\xi)$ ,
$(O\eta),$ $(\eta:\xi)$ and $($ : $\eta)$ . $\square$
Definition 2 Model and semantics
$M=(\Sigma, I)$ is a linear model, where $\Sigma$ is a set of states and $I$ : $\Sigmaarrow$
$2^{AP}$ is an interpretation function.
2
$d\mathfrak{J}5$
Let $\sigma\in\Sigma^{\infty}-\{\epsilon\}$ . $M,$ $\sigma|=\eta$ denotes that an RTL formula $\eta$ holds
along the sequence $\sigma$ with respect to a linear model $M$ . If there is no
confusion, $M$ is omitted like $\sigma\models\eta$ . Let $p$ be an atomic proposition, $\eta$
and $\xi$ be RTL formulas. The relation $|=is$ defined inductively as follows:
1. $\sigma\models p$ iff $p\in I(\sigma(1))$ .
2. $\sigma\models(\neg\eta)$ iff $\sigma\#\eta$ .
3. $\sigma\models(\eta\vee\xi)$ iff $\sigma\models\eta$ or $\sigma\models\xi$ .
4. $\sigma\models(O\eta)$ iff $|\sigma|\geq 2$ and $\sigma^{2}\models\eta$ .
5. $\sigma\models(\eta:\xi)$ iff
there exist $\sigma_{I}\in\Sigma^{+}$ and $\sigma_{2}\in\Sigma^{\infty}-\{\epsilon\}$
such that $\sigma=\sigma_{1}\sigma_{2},$ $\sigma_{1}\models\eta$ and $\sigma_{2}\models\xi$
or
$|\sigma|=\omega$ and $\sigma\models\eta$ .
6. $\sigma\models(:\eta)$ iff
there exist $\sigma_{i}\in\Sigma^{+}(i=1, \ldots, m-1)$ and $\sigma_{m}\in\Sigma^{\infty}-\{\epsilon\}$
such that $\sigma=\sigma_{1}\sigma_{2}\ldots\sigma_{m}$ and $\sigma_{i}\models\eta$ for all $i$
or
there exist an infinite number of finite sequences $\sigma_{i}\in\Sigma^{+}$
such that $\sigma=\sigma_{1}\sigma_{2}\ldots$ and $\sigma_{i}\models\eta(i=1,2, \ldots)$
$\square$
In the following, $‘\wedge,$ $V_{T}$ and $V_{F}$ represent $co$njunction, tautology
and ‘invalid ‘ respectively. Unary operators have higher precedence than
binary operators. If there is no ambiguity, ‘ (’ and ‘)’ are omitted.
Finite $RTL$ is defined as a subclass of $\infty RTL$ , whose semantics do-
main is restricted to $\Sigma^{+}$ . Finite RTL is exactly the same as $\epsilon$-free RTL[2].
2.2 Regular Temporal Logic and Regular Sets
First, we introduce several notations. $Len1$ holds along a set of se-
quences whose length is 1. ‘ $C\rangle$ (sometime’) and ‘ $\square$ (always’) correspond
to the temporal operators used traditionally in other temporal logic. In$f$
and Fin represent infinite sequences and finite sequences respectively.
3
$\bullet$ Lenl $def=$ $\neg OV_{T}$ .
$\bullet\langle\rangle\eta$
$def=$
$\eta\vee(V_{T}:\eta)$ . $\bullet\square \eta$ $def=$ $\neg C\rangle_{\neg\eta=\eta\wedge\neg(V_{T}:\neg\eta)}$
$\bullet$ Inf $def=$ $(V_{T} : V_{F})$ . $\bullet$ Fin $def=$ $\neg Inf=\neg(V_{T} : V_{F})$ .
In order to discuss the relation between $\infty RTL$ and regular sets, we
define $L\langle\Sigma,$ $I$ } $(\eta)def=\{\sigma|\sigma\in\Sigma^{\infty}-\{\epsilon\}, \sigma\models\eta\},$ $L_{f}\langle\Sigma,$ $I$ } $(\eta)def=\{\sigma|\sigma\in$
$\Sigma^{+},$ $\sigma\models\eta$ } and $L_{\omega}\{\Sigma,$ $I\rangle$ $(\eta)def=\{\sigma|\sigma\in\Sigma^{\omega}, \sigma\models\eta\}$ .
If there is no confusion, $L(\eta)$ etc. are used, omitting $\langle\Sigma, I\rangle$ .
Theorem 1 For an arbitrary $RTL$ formula $\eta$ and an arbitrary model
$(\Sigma, I),$ $L\{\Sigma, I\}(\eta)$ is an $\epsilon$ -free infinitary regular set. Conversely, for an
arbitrary $\epsilon$ -free infinitary regular set $R$ over $\Sigma$ , we can $co$ nstruct an $RTL$
formula $\eta$ such that $L\{\Sigma, I\}(\eta)=R$ , by introducing, for each state $s\in\Sigma$ ,
an atomic proposition $p_{s}$ such that $I(s)=\{p_{s}\}$ .
This theorem is proved in [1].
Corollary 1 $L_{f}(\eta)$ and $L_{\omega}(\eta)$ are an $\epsilon$ -free regular set and an omega
regular set respectively.
From the definition of $L(\eta),$ $L_{f}(\eta)$ and $L_{\omega}(\eta)$ , we can see that an
RTL formula $\eta$ can be used to specify some property of sequences, and
$L(\eta)$ is a set of the sequences that have the property.
3 Formal Verification between Two Different Levels
3.1 Formal Framework for Describing Relations between Two
Different Levels
In this section, we provide a formal framework to explicitly describe
relations between the two different levels. We assume two different lev-




As an implementation to be verified, we consider a Mealy type deter-
ministic sequential machine $M$ with $n$ binary input signals $x_{1},$ $x_{2},$ $\ldots,$ $x_{n}$
and $m$ binary output signals $z_{1},$ $z_{2},$ $\ldots,$ $z_{m}$ . Let $ilT=(X, Z, S, \delta, \lambda, s_{0})$
be a Mealy type determministic sequential machine with an initial stat $e$ ,
where $X,$ $Z$ , and $S$ are finite, nonempty sets of binary input signals, bi-
nary output signals, and states, respectively. $s_{0}\in S$ is the initial state.
$\delta$ : $2^{X}\cross Sarrow S$ is the state transition function (We assume that at least
one next stat $e$ is defined for each state in $S$ ). $\lambda$ : $2^{X}\cross Sarrow 2^{Z}$ (We
assume that the $\lambda$ is defined so long as $\delta$ is defined).
A poss\’ible input-output sequence of the sequential machine $M$ is an
infinite or finite sequence $\rho$ over $2^{X\cup Z}$ such that $x_{i}\in\rho(k)$ iff $x_{1}=1$
at the kth input and $z_{j}\in\rho(k)$ iff $z_{j}=1$ at the kth output, where
$i=1,2,$ $\ldots,$ $n,$ $j=1,2,$ $\ldots,$ $m$ and $k=1,2,$ $\ldots,$ $|\rho|$ .
We can regard the behavior of the machine as the set of all of its pos-
sible input-output sequences. Furthermore, we can identify a possible
input-output sequence with a sequence of states of $\infty RTL$ , by introduc-
ing atomic propositions $p_{x;}$ and $p_{z_{j}}$ associated with input signal $x_{i}$ and
output signal $z_{j}re$spectively, such that $p_{x_{i}}$ is true iff $x_{i}=1$ and $p_{z_{j}}$ is
true iff $z_{j}=1$ . From Theorem 1 and Corollary 1, we can specify the
behavior of the sequential machine in finite RTL or $\infty RTL$ .
In [2], specifications are described for $fini_{j}te$ possible input-output se-
quences by using finite RTL. While finite RTL can express any behavior
of sequential machines, fairness constraints[4], which are important in
describing input constraints, cannot be described. In this paper, we
(1) adopt $\infty RTL$ to describe specifications and
(2) focus our attention to only infinite possible input-output sequences.
When we describe a specification at the higher level, we assume that
there are possible input-output sequences at the level, even if there does
not $e$xist a realized machine, and we specify the property of the sequences
5
258
by an RTL formula. In describing relations between two different lev-
els formally, we should pay attention to higher-level and lower-level se-
quences of states of $\infty RTL$ . We formalize the relations as mappings from
lower-level sequences to higher-level ones.
The fiiamework for describing the relation of two state sequences
of $\infty RTL$ is formalized by the following the transformation rule and
abstraction mapping. Here subscripts $H$ and $L$ are used to distinguish two
objects which belong to the higher level and the lower level respectively.
Definition 3 Transformation Rule
For two given sets of atomic propositions $AP_{H}$ and $AP_{L},$ { $\eta_{L},$ $SI\rangle$ is
called a transformation rule, where
$\bullet$
$\eta_{L}$ is a finite RTL formula,
$\bullet SI=\bigcup_{p_{H}\in AP_{H}}$ {$p_{H}arrow f_{L}|f_{L}$ is a lower-level (finite) RTL formula.}.
$\eta_{L}$ is called a time marker and $p_{H}arrow f_{L}$ a state interpreter. $\square$
Definition 4 Abstraction Mapping
For alower-level sequence $\{I_{L}, \sigma_{L}\}$ and a transformation rule $A=$ { $\eta_{L},$ SI},
it is called transfo rmation of $\sigma_{L}$ by $A$ to obtain a higher-level sequence
\langle $I_{H},$ $\sigma_{H}$ } such that, if $s_{L1}s_{L2}\cdots s_{Li}\models\eta_{L}$ , then $\sigma_{H}(i)$ is a higher-level state
such that $I_{H}(\sigma_{H}(i))\ni p_{H_{\ell}}i_{j}ff_{S_{L1^{S}L2}}\cdots s_{Li}\models\xi_{L_{l}}$ for all $p_{H_{1}}arrow\xi_{L_{t}}\in SI$ ,
otherwise $\sigma_{H}(i)=\epsilon$ . $\square$
Let us consider the example of Figure 1; a specification is assumed
to be written at the higher level, and an implementation is given at the
lower level. The higher-level adder calculates the addition $(mod 16)$ of
two integers $P,$ $Q$ given as inputs and then, after a higher-level unit delay,
it outputs the result. The lower-level adder serial $ly$ adds two integers as















$c$ $0$ $0$ 1 $0(|1$ 1 1 $0$
Figure 1: Adders at Two Different Levels
In Figure 1, a higher-level stat $e$ corresponds to the lower-level se-
quences wltich end with four consecutive bits of inputs, and the output
0010 at the lower level corresponds to 4 at the higher level.
A transformation rule $A=\langle\eta,$ SI} of the example of Figure 1 is
shown as follows, where $P,$ $Q,$ $R$ are represented in binary representation
using atomic propositions, i.e., $(p_{3},p_{2},p_{1},p_{0}),$ $(q_{3}, q_{2}, q_{1}, q_{0}),$ $(r_{3}, r_{2}, r_{1}, r_{0})$
respectively. $p_{3},$ $q_{3}$ and $r_{3}$ are the most significant bits. Here the higher-
level integers are regarded as binary numbers, for simplicity.
$def=$ : Len4$\eta$
SI $def=$ $\{p_{0}arrow last(4,$ $a),$ $p_{1}arrow last(4,$ $Oa),$ $\cdots$
:
$r_{0}arrow last(7, c),$ $r_{1}arrow last(7, Oc)$ ,
$r_{2}arrow last(7, OOc),$ $r_{3}arrow last(7, OOOc)$ }
where last$(i, \eta)def=(\eta\wedge Leni)\vee(V_{T} : (\eta:Leni))$ . $Leni$ holds only along
the sequences that consist of exactly $i$ states.
The example of the transformation fiom a lower-level sequence to a
higher-level sequence of the adders of Figure 1 is shown in Figure 2.
7
260
Figure 2: Transformation from a Lower-level Sequence to a Higher-level Se-
quence
Although the detail is ommitted in this paper, we can prove that the
abstraction mapping can be simulat$ed$ by a generalized sequential ma-
chine $(gsm)[5]$ . Because regular sets and infinitary regular sets are closed
under gsm mapping[5], any higher-level sequence obtained through the
abstraction mapping can be characterized by $\infty RTL$ .
3.2 A Formal Verification Method Considering Two Different
Levels
In this section, we show the outline of a formal verification method for
an implementation and a specification given at two different levels.
We regard that a transformation rule is a part of an implementation.
Here a structure model is introduced to handle possible input-output
sequences easily.
Definition 5 Structure model
$K=(\Sigma, I, R, \Sigma_{0})$ is called a structure model, where $(\Sigma, I)$ is a linear
model of $\infty RTL$ . $R\subseteq\Sigma\cross\Sigma$ is a total binary relation on $\Sigma$ and denotes
the possible transitions between states. $\Sigma_{0}\subseteq\Sigma$ is a set of initial states.
An RTL formula $\eta$ is said to be universally K-true, if $\eta$ holds along
all finite and all infinite paths $\pi$ from $s_{0}$ for all $s_{0}\in\Sigma_{0}$ in the structure
model $K$ . Otherwise universally K-false.
8
For a Mealy machine $M_{l}$ $=$ $(X, Z, S, \delta, \lambda, s_{0})$ , its corresponding structure $K_{l}$ $=$
$(\Sigma, I, R, \Sigma_{0})$ is constructed as follows:
$\bullet$ $\Sigma=\{s_{i,j,h}’|s_{i}\in S, j\in 2^{X}, k\in 2^{Z}, \lambda(j, i)=k\}$
$\bullet I(s_{i,j,k}’)=\{p_{x}|x\in j\}\cup\{p_{z}|z\in k\}$
’ $R=\{(s_{i,j,k}, s_{i^{t},j’,k’})|s_{i,j,k}, s_{i’,j’,k^{l}}\in\Sigma, \delta(j, s_{i})=s_{i’}\}$
$\bullet\Sigma_{0}=\{s_{0,j,k}’\in\Sigma\}$
Figure 3: Generation of a Structure Model from a Sequential Machine [2]
When we focus to only infinite paths on the structure model $K$ , the
term universally K-omega true (or false) is employed. $\square$
A structure model $K$ corresponding to a designed sequential machine
$\mathbb{J}I$ is obtained so tbat the possible input-output sequences of $M$ have
one-to-one correspondence with paths on $K$ . The ways of generating a
structure model from a given Mealy machine are shown in Figure 3.
Then formal verification is to make sure that a given specification
formula holds along all the higher-level state sequences obtained by the
transformation rul$e$ from all the lower-level state sequences.
To do this, firstly, we generate a higher-level structure model $K_{H}$
from the lower-level structure model $K_{L}$ corresponding to the machine.
The transformation is performed by applying the abstraction mapping
to all the paths of $K_{L}$ . Its algorithm is omitted in this paper. Our
remaining work is to check whether a specification formula is universally
$I\sigma_{H}$-omega true. The outline of its algorithm is shown in [7].
4 Considerations
In this paper, we show a formal framework based on $\infty RTL$ for describ-
ing relations between two different levels of abstraction and a verification
method for them.
The size of the higher-level structure model obtained from a lower-
9
262
level one can be larger than that of the lower-level one. In order to avoid
the increase of the size, some restriction will be necessary to the frame-
work of abstraction mapping. However, describing the correspondence
between a higher-level sequence and a lower-level one explicitly, seems a
suitable approach for formal $ve$rification of hierarchical design.
Acknowledgment
The authors would like to $e$xpress their sincere appreciation to Dr. N.
Takagi, Mr. N. Ishiura, Mr. H. Danjo and all the members of the Yajima
Laboratory in Kyoto University for their $pre$cious discussion and advice.
References
[1] K. Hamaguchi, H. Hiraishi, and S. Yajima. A Tempo$ral$ Logic Expressively Equiva-
lent to $\omega$ -Regular Set. Technical Report COMP88-8, IEICE, 1988. In Japanese.
[2] H. Hiraishi. Design Verification of Sequential Machines Based on a Model Check-
ing Algorithm of $\epsilon$-free Regular Tempo$ral$ Logic. Technical Report CMU-CS-88-195,
Carnegie Mellon University, 1989.
[3] P. Wolper. Temporal Logic Can Be More Expressive. In Proceedings of $22nd$ Annual
Symposium on Foundations of Computer Science, pages 340-348, 1981.
[4] E. M. Clarke, E. A. Emerson, and A. P. Sistla. Automatic Verffication of Finite State
Concurrent Systems Using Temporal Logic Specifications: A Practical Approach.
In 10th $ACM$ Symposium on Principles of Programming Languages, pages 117-126,
January 1983.
[5] J. E. Hopcroft and J. D. Ullman. Formal Languages and their Relation to Automata.
Addison-Wesley, 1968.
[6] S. Eilenberg. Automata, Languages, and Machines. Academic Press, 1976.
[7] . .
p. 121-122, 1989.
10
