A novel formalization of symbolic trajectory evaluation semantics in Isabelle/HOL  by Li, Yongjian et al.
Theoretical Computer Science 412 (2011) 2746–2765
A novel formalization of symbolic trajectory evaluation semantics in
Isabelle/HOL
Yongjian Li a,∗, William N.N. Hung b, Xiaoyu Song c
a State Key Laboratory of Computer Science, Institute of Software, Chinese Academy of Sciences, Beijing, China
b Synopsys Inc., Mountain View, CA 94043, USA
c Department of ECE, Portland State University, Portland, OR 97207, USA
Article info
Article history:
Received 2 September 2009
Received in revised form 25 January 2011
Accepted 26 January 2011
Communicated by R. Gorrieri
Keywords:
Symbolic trajectory evaluation
Netlist
Formal semantics
Isabelle/HOL
Closure semantics
Abstract
This paper presents a formal symbolic trajectory evaluation (STE) theory based on a
structural netlist circuit model, instead of an abstract next state function. We introduce
an inductive definition for netlists, which gives an accurate and formal definition for
netlist structures. A closure state function of netlists is formally introduced in terms of
the formal netlist model. We refine the definition of the defining trajectory and the STE
implementation to deal with the closure state function. The close correspondence between
netlist structures and properties is discussed. We present a set of novel algebraic laws
to characterize the relation between the structures and properties of netlists. Finally, the
application of the new laws is demonstrated by parameterized verification of the properties
of content-addressable memories.
© 2011 Elsevier B.V. All rights reserved.
1. Introduction
Symbolic trajectory evaluation (STE) is an efficient formal hardware verification method that has grown from the
combination of multi-valued simulation and symbolic simulation [1]. It has shown great promise in verifying medium-
to large-scale industrial hardware designs with a higher degree of automation. STE has been in active use at Intel, Motorola,
and IBM. At Intel, for instance, STE was used to verify a floating point arithmetic unit against IEEE standard 754 and a complex
IA instruction length decoder unit [2,3]. In addition, the FORTE formal hardware verification tool, which combines STE and
theorem proving in a higher-order logic, has been developed at Intel [4].
In the classical STE literature, a circuit is a set of logical gates and storage elements connected by nodes (wires). A state of
the circuit is a function from its nodes to their values. The behaviour of the circuit is commonly modelled by some abstract
next-state function, usually written as Y [1,5]. Given a state of the nodes at the current time, the Y function returns the
state of the nodes at the next time. For convenience, we informally call these classical semantics Y-semantics. However,
this work does not formally explain how a corresponding Y function is derived from a netlist structure. Besides, a next-state
function only expresses a relation between nodes at successive points in time, while ignoring the relation between nodes
in the circuit at the same time point. Therefore, a semantics based on next-state functions cannot deal with assertions that
express a relation between circuit nodes at the same time point.
For instance, consider the 2-bit comparator circuit drawn by Quartus II [6] in Fig. 1. The circuit consists of two XNOR-gates
and an AND-gate. Provided that the delay time of all the gates is zero, and that the input primitives a0, b0, a1, b1 of the
circuit are driven by new values 0, 0, 1, 1, then nodes c0, c1, out should be 1, 1, 1 immediately, not at the next time. Because
the above change of values of nodes is finished at the current time, it is very cumbersome for a Y-semantics to cover such
an information calculation, because it only depicts the state transition between successive time points.
Fig. 1. A netlist example.
∗ Corresponding author. Tel.: +86 10 62661658.
E-mail addresses: lyj238@ios.ac.cn, lyj238@gmail.com (Y. Li), william_hung@alumni.utexas.net (W.N.N. Hung), song@ece.pdx.edu (X. Song).
doi:10.1016/j.tcs.2011.01.032
Recently, Roorda and Claessen clarified the semantics of STE model checking by providing closure semantics [7,8]. The
closure semantics of STE takes as input a state of the circuit, and calculates all information about the circuit state at the same
point in time that can be derived by propagating the information in the input state in a forwards fashion. Subsequently, the
definition of the defining trajectory and the STE implementation are refined to deal with the closure functions rather than
the next-state function. However, they did not formally define the structure of a netlist. Their definition is just a sketchy
property description of a circuit, namely that there is neither a cycle in the combinational part nor a name conflict between the
output nodes of two gates in the circuit; it does not tell us how the circuit is constructed. From such a definition,
it is very difficult to naturally formalize the closure function of a circuit as a primitive recursive function or a total
recursive function. In addition, many interesting properties of circuits are closely related to their structures. For example,
the output node of an AND-gate will be set low if one of its input nodes is driven by a low value. A good netlist formalization
is a basis on which we can conveniently explore these interesting properties. To sum up, a formalization of netlist structures
is the basis of an STE theory framework built on a netlist computational model.
1.1. Our contribution
The main contributions of this paper are twofold. The first is to continue to develop a formal STE theory based on a netlist
computation model. Our work gives a more formal closure semantics which faithfully explains how an STE model checker
(or symbolic simulator) works. Here we not only formally explain how a next-state function Y is derived from a netlist
structure, but also deal with combinational properties. This semantics is grounded in the netlist itself, and therefore makes
STE easier to understand formally.
• We introduce an inductive definition for netlists. It not only provides us with an accurate and constructive formulation
for a netlist, but also introduces an effective and rigorous technique of rule induction to prove the properties of netlists.
In particular, we use the induction principle on the structures of netlists to formally prove that the output of a logical
entity in a netlist is uniquely defined.
• We formally define the closure semantics of netlists based on the formal netlist model. The simulation result of a netlist
in a driven state is defined as a relation between nodes and values. The relation is formally proved to be single valued,
and is naturally used to derive the closure function of the netlist on driven states.
• We refine the definition of the defining trajectory and the STE implementation to deal with the newly introduced closure
functions.
• We introduce symmetry between netlist structures in our formal netlist model, and relate it to the symmetry between
STE assertions. We prove the close correspondence between the two kinds of symmetry. This result resembles a similar
symmetric reduction methodology shown in [9].
• We show a set of algebraic laws which relate a netlist structure to its properties. These laws can be seen as an algebraic
semantics for STE, and can be used to verify interesting STE trajectory assertions on circuit netlists.
The second contribution is to formalize the STE theory in a theorem prover, with the hope that the theoretical
improvement can make it feasible to mechanize the fundamental STE theory based on a netlist circuit model. By using a
theorem prover to formalize the meta-theory of STE, we hope to raise the standard of rigour of, and hence our confidence in,
STE. We formalize our theory in Isabelle/HOL, the instantiation of the generic theorem prover Isabelle to higher-order
logic [10]. The formalized theories in Isabelle/HOL are available in [11]. Isabelle/HOL is appropriate because of its support
for inductively defined sets and its automatic tools. However, the fact that we used Isabelle is not especially relevant for the
topic, and the formalization proposed in this work can also be implemented in other higher-order theorem provers such as
PVS and Coq.
1.2. Related work
Besides inheriting from the proposal of closure semantics in [7,8], our work is also closely related to [12–16]. The works
[12–14] have demonstrated that higher-order logic is well suited for modelling and reasoning about hardware, so we decided
to use higher-order logic to formalize the STE theory. The work in [15] outlined the theoretical foundation for linking the
general logic of STE with higher-order logic. The main result is a formal translation from trajectory evaluation's temporal
operators over lattices to a shallow embedding of the temporal operators over Boolean streams. Any result verified by the
trajectory evaluation algorithm will hold in the relational world. In [16], Darbari did the machine-based formalization in
HOL of a theory whose details were described in [3], and he extended the work by proving the soundness of a symmetry
reduction method in his framework [17]. The above work provides a formal framework for formalizing the lattice values, the
syntax and the semantics of trajectory formulas. These formalization techniques are still used in our work. But all of this work
formalizes a kind of Y-semantics in which a circuit is modelled by an abstract next-state function Y.
In [18–22], functional programming languages have been advocated for hardware verification. In particular, useful insights
into using inductive data types to formally describe circuit structures are provided in the work on µFP [18], Hydra [19,20], and
Lava [21]. Other important features of a functional programming language such as Haskell, namely monads, type classes,
polymorphism, and higher-order functions, are employed to model, verify, and implement a circuit. However, combinational
cycles and name conflicts between different entities must be eliminated in a legal netlist structure, and it may not be easy
to directly use an inductive data type to enforce these two legality requirements. Instead, we use an inductively defined set
to model all legal netlists. The corresponding induction rules formally specify the legality requirements that a legal netlist
must satisfy as it is constructed.
Our formalization technique for the closure semantics is inspired by the work of Nipkow and Paulson in [23,24]. Nipkow
proposed an inductive approach to formalize the first 100 pages of Winskel's textbook [25], which cover the operational,
denotational and axiomatic semantics of an imperative language called IMP. For instance, the natural semantics of IMP
is inductively defined as a set of configurations, each of which is a triple. We borrow the induction principle to formally
specify the closure semantics of a netlist. Namely, we define the simulation result of a netlist by a relation which is also an
inductively defined set of pairs of nodes and values. Furthermore, we use the technique proposed in [24] to define
the unique closure function from such a relation, and prove that the corresponding function is well defined because the closure
relation is single valued.
In the classical literature of STE, some laws have already been introduced to decompose a complex STE assertion [1,17].
However, these laws usually hold for any circuit, and they cannot relate the properties of a circuit to its particular structure,
because circuit structures are not formalized. Different from their work, a set of novel laws is introduced to formally
exploit the particular structure of a circuit in our formal netlist model. To the best of our knowledge, these laws have never
been discussed in previous STE work.
Darbari proposed a symmetry reduction method for STE model checking using a structured model [17]. Our symmetry
reduction method is deeply inspired by his work. However, he used Y-semantics, and avoided discussing the symmetry
between netlist structures directly. He proposed a higher-level design language which allows one to record the symmetry
of a circuit, and made a connection to the theory of STE logic. This connection is made by giving functions that derive a
next-state function from the structured models and proving lemmas that guarantee that, if the structured models have
symmetry, then the corresponding derived next-state function will have symmetry as well. In our theory, the high-level
modelling language and the connection are not needed; we directly discuss the symmetry between netlist structures in our
formal netlist model, and relate it to the symmetry between STE properties. Here our motivation is to provide a symmetry
reduction method for a netlist model which is directly compiled from a popular hardware language such as
Verilog or VHDL, which still do not support a type system for recording the symmetry of a design.
1.3. Presentation of the paper
As mentioned before, our work involves both developments on the STE theory itself and the formalization of the theory
in a theorem prover in order to provide mechanical support for the new STE theory. Because formalization is one of our main
objectives in this paper and our implementation is tailored to Isabelle/HOL, we directly use parts of our Isabelle theories to
introduce definitions and lemmas to convey the main idea of the formalization. In order to make the formalized theories
readable for readers who are not familiar with Isabelle, we also try to give a detailed textual account of the formalized theories
using the usual mathematical notation. Thus our work should be interesting not only for Isabelle/HOL users, but also for those
who are interested either in STE theory or in theorem proving work using other higher-order theorem provers such as
HOL.
Isabelle/HOL has a polymorphic type system as in ML [26]. Type inference eliminates the need to specify types in
expressions. Lemmas about lists, sets, etc., are polymorphic, and the prover uses the appropriate types automatically.
Besides, a function in Isabelle/HOL syntax is usually defined in curried form instead of tupled form; that is, we often
use the notation f x y to stand for f (x, y). The advantage of a curried function is that it allows partial application [26].
We use the notation [[A1; A2; . . . ; An]] =⇒ B to mean that, with assumptions A1, . . . , An, we can derive the conclusion B.
For a pair (a, b), fst (a, b) ≡ a and snd (a, b) ≡ b. We write x#xs for the list that extends xs with x, [x1, . . . , xn] for the list
x1# . . . #xn#[], xs@ys for the list obtained by concatenating xs with ys, xs!i for the ith element of the list xs (counting from 0 as
the first element), set xs for the set of all the elements in xs, x mem ls for x ∈ (set ls), and length xs for the length of the list
xs. We also need the definite description THE x. P(x) to denote the x such that P(x) is true, provided that there exists a unique
such x; otherwise, it returns an arbitrary value of the expected type.
In Appendix A, we provide a detailed introduction to Isabelle/HOL notations which formalize the concepts in the paper.
Fig. 2. STE lattice.
Fig. 3. Operators over the four-valued lattice (v3 ∈ {tt, ff,X}, v4 ∈ {tt, ff,X,⊤}).
1.4. Structure of the paper
The remainder of this paper is organized as follows. Section 2 formalizes the preliminary definitions on the four-
valued lattice. Section 3 introduces the structure of a netlist and its formal model. Section 4 formalizes the syntax and
semantics of trajectory formulas. Section 5 formalizes the closure function induced from a netlist. Section 6 introduces
the most fundamental result of STE: the soundness of using defining trajectories and a defining sequence to verify STE
assertions. Section 7 discusses subnetlists of a netlist. Section 8 explores the close correspondence between symmetry in
circuit structures and symmetry in circuit properties. Section 9 presents some interesting algebraic laws to explore the close
relation between the structure and properties of a circuit. Section 10 demonstrates how to apply symmetry reduction and
these new laws to decompose STE assertions by a case study on CAMs, which is a typical example used in STE literature.
Section 11 concludes the paper. The appendices introduce the Isabelle notations and some laws of our STE theory.
2. Background
Four values, ff, tt, X, and ⊤, are used in STE simulation [1]. ff and tt are the standard binary values false and true. The
third value X stands for an unknown value, while the fourth value ⊤ is a clash value. Formally, we define V =df {ff, tt, X, ⊤}
(Fig. 2).
It is common to introduce a truth information ordering ⊑ on V as follows: X ⊑ ff, X ⊑ tt, while ff and tt are incomparable,
ff ⊑ ⊤, and tt ⊑ ⊤. Namely, the unknown value X contains no truth information; the mutually incomparable values ff and tt
contain sufficient information to determine the truth exactly, and the top value ⊤ contains inconsistent truth information.
We can easily see that V with the ordering relation ⊑ forms a lattice. We can introduce a join or least-upper-bound operator
⊔ with respect to the ordering ⊑. It is reasonably routine to check that a ⊑ b if and only if a ⊔ b = b. For other operators
on the domain V, there are natural definitions for negation NOT (¬4), conjunction AND (∧4), disjunction OR (∨4),¹ etc. The
classic definitions of these operators are shown in Fig. 3.
In order to define the set of four lattice values V, we use the strategy of dual-rail encoding [15,16]. Thus, we introduce a
type boolPairs, and encode the four values in V as four constants of type boolPairs.
types boolPairs = bool × bool
⊤ ≡ (False, False)
tt ≡ (True, False)
ff ≡ (False, True)
X ≡ (True, True)
¹ Here we use the subscript 4 to distinguish the symbols of these operators from their counterparts in the Boolean domain.
2750 Y. Li et al. / Theoretical Computer Science 412 (2011) 2746–2765
The least-upper-bound operator ⊔ and the partial ordering relation ⊑ are defined as follows:
a ⊔ b ≡ (fst a ∧ fst b, snd a ∧ snd b)
a ⊑ b ≡ a ⊔ b = b
Formal definitions of other operators can be found in [11]; they are not given here because of space limitations.
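As an added illustration (not code from the paper or its Isabelle theories), the following Python reproduces the dual-rail encoding of the four constants and the definitions of ⊔ and ⊑ given above, and checks by enumeration that ⊑ is a lattice order with X at the bottom, ⊤ at the top and ⊔ as the least upper bound. The NOT/AND/OR operators are written in the standard dual-rail way; that they agree with the tables of Fig. 3, which are not reproduced here, is an assumption.

```python
# Added example (not from the paper): the four-valued STE lattice in the
# dual-rail encoding of Section 2.  fst says "may be true", snd says "may be
# false"; fewer possibilities means more information, so the join is the
# componentwise conjunction exactly as defined in the text.
from itertools import product

TOP = (False, False)   # ⊤ : inconsistent information
TT = (True, False)     # tt
FF = (False, True)     # ff
X = (True, True)       # X : no information
V = [TOP, TT, FF, X]


def join(a, b):
    """a ⊔ b ≡ (fst a ∧ fst b, snd a ∧ snd b)"""
    return (a[0] and b[0], a[1] and b[1])


def leq(a, b):
    """a ⊑ b ≡ a ⊔ b = b"""
    return join(a, b) == b


# Standard dual-rail operators (assumption: they coincide with Fig. 3).
def not4(a):
    return (a[1], a[0])


def and4(a, b):
    # may be true only if both may be true; may be false if either may be
    return (a[0] and b[0], a[1] or b[1])


def or4(a, b):
    return (a[0] or b[0], a[1] and b[1])


def is_lattice():
    """Brute-force check: ⊑ is a partial order, ⊔ is its least upper bound,
    X is the bottom element and ⊤ the top element."""
    for a, b in product(V, V):
        if not leq(a, a):
            return False
        if leq(a, b) and leq(b, a) and a != b:          # antisymmetry
            return False
        if not (leq(a, join(a, b)) and leq(b, join(a, b))):  # upper bound
            return False
        for c in V:
            if leq(a, b) and leq(b, c) and not leq(a, c):    # transitivity
                return False
            if leq(a, c) and leq(b, c) and not leq(join(a, b), c):  # least
                return False
    return all(leq(X, a) and leq(a, TOP) for a in V)


def ordering_facts():
    """The ordering relations stated in the text, evaluated on the encoding."""
    return {
        "X ⊑ ff": leq(X, FF), "X ⊑ tt": leq(X, TT),
        "ff ⊑ tt": leq(FF, TT), "tt ⊑ ff": leq(TT, FF),
        "ff ⊑ ⊤": leq(FF, TOP), "tt ⊑ ⊤": leq(TT, TOP),
        "tt ⊔ ff = ⊤": join(TT, FF) == TOP,
    }


def operator_facts():
    """tt is the unit of AND4 and ff the unit of OR4 (used later for DontCare)."""
    return {
        "¬tt = ff": not4(TT) == FF, "¬X = X": not4(X) == X,
        "tt ∧ X = X": and4(TT, X) == X, "ff ∧ X = ff": and4(FF, X) == FF,
        "tt ∨ X = tt": or4(TT, X) == TT, "ff ∨ X = X": or4(FF, X) == X,
        "tt ∧ v = v": all(and4(TT, v) == v for v in V),
        "ff ∨ v = v": all(or4(FF, v) == v for v in V),
    }
```

The point of the enumeration is that the lattice laws are not assumed but follow from the two one-line definitions; a practitioner porting the encoding to another tool can rerun the same check there.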
3. Circuit netlist formalization
3.1. An informal model of circuit netlists
A circuit is modelled by a netlist, which is a set of nodes connected by logical entities such as I/O devices, gates and one-
phase delays. I/O devices are pins connecting the circuit to its environment. For simplicity, only input devices are used in this work. Gates
describe combinational logic that determines the relationship between the values of nodes. Delays refer to all sequential elements
which can keep a ‘‘state’’. In real-world VLSI designs, there are different types of sequential devices, some of which can be
more complex than our delay devices in both structure and behaviour. However, we will see in a later discussion that real-world sequential
devices can be modelled by our simple delay elements.
In a netlist description language such as BLIF [27], the input pins of a circuit are defined as follows:
.inputs x y
A gate is specified by a truth table, as shown below:
.names in1 in2 ... out
in1_value1 in2_value1 ... out_value1
in1_value2 in2_value2 ... out_value2
where in1, in2, . . . are the names of the inputs of the gate and out is the name of its output. The subsequent lines define
the on–off sets: ini_valuej is one of 0, 1, or – (don't care), and out_valuei is one of 0 or 1.
A truth table encapsulates a programmable logic array (PLA), which is expanded to AND gates driving an OR gate. So
it is natural for us to associate a truth table with a function on V. For example, the table of the XNOR gate corresponds to the
function λ a b. (a ∧4 b) ∨4 (¬4 a ∧4 ¬4 b). Informally, we write Ftab for the function induced by the table tab.
For instance, a two-input AND gate with inputs a and b and output foo, and a two-input XNOR gate with the same inputs
and output, could be defined in a netlist as follows:
.names a b foo
11 1

.names a b foo
00 1
11 1
A latch is defined as follows:
.latch latch_input latch_output
where a latch has a data input and an output node. As mentioned before, our latch is simply a one-phase delay element. The
value of node latch_output at the next time point is the value of latch_input at the current time point.
Remark 1. In fact, the definition of a latch in BLIF is more complex than ours. In BLIF, a latch is defined by the following
statement: .latch latch-input latch-output type control-signal [latch-control-list], where type
specifies whether the latch is edge sensitive or level sensitive. Latch control constructs specify the set, reset or enable
control signals of the latch. For example, .latch in1 out1 re clk as=set ar=reset en=en1 specifies a flip-flop
which is driven at the rising edge of signal clk with an input signal in1, an output signal out1, an asynchronous
reset signal reset, and an asynchronous set signal set. But any type of latch can be modelled by combinational gates and
delay elements. Fig. 4 gives an example to show how a rising-edge triggered flip-flop is modelled by delay elements and
combinational gates, where an inverted triangle stands for a delay element. In Forte, d and d_##_ stand for the input and
output node of the delay element, respectively.
3.2. Formalization of netlists
We first use the type nat as the type of nodes in our theory.
types node = nat
To formally define a truth table, we use an enumeration type LIT to specify a literal for defining on or off sets, a type
LINE to specify a line of a table, and PLA to define a table.
datatype LIT = ONE | ZERO | DontCare
types LINE = LIT list
types PLA = LINE list
Input pins, gates and delays are the three kinds of logical entity in a circuit, and they are formally defined as follows:
datatype entity = Input node | Gate node "node list" PLA | Delay node node
Fig. 4. A rising-edge triggered flip-flop (two panels, (1) and (2); nodes shown: d, clk, s, sel, clk_##_, d_##_, s_##_).
Here we assume that inp, out are node names, inps is a list of node names, and tab is a table of type PLA. Input inp means
that inp is an input pin of the netlist under study, which is an interface between the netlist and its environment. Gate out inps
tab refers to a gate which has out as its output node, inps as its input nodes, and tab as its truth table. As does the library
function get_node_truth_table in Forte, a PLA in this paper lists only the input clauses for which the output goes high. For
example, Gate c1 [a1, b1] [[ONE, ONE]] formally defines an AND gate. Delay out inp defines a delay which has inp as its
input and out as its output.
For a logical entity g, we define a function fanOut mapping g to its output node, namely, fanOut g ≡ inp if g = Input inp,
and fanOut g ≡ out if g = Gate out inps tab or g = Delay out inp. Similarly, we define a function fanIn mapping g to the
list of all its input nodes, that is, fanIn g ≡ [] if g = Input inp, fanIn g ≡ inps if g = Gate out inps tab, and fanIn g ≡ [inp]
if g = Delay out inp.
Consider a node n and a set nl of logical entities; we say that isDefinedIn n nl holds if n is the output of some logical entity
in nl. More formally, isDefinedIn n nl ≡ ∃l. l ∈ nl ∧ fanOut l = n. The set of all the nodes defined in nl is denoted by
defAsOuts nl ≡ {n. isDefinedIn n nl}.
Now we come to a crucial point, the formalization of netlists. Intuitively, a netlist is simply a set of logical entities
connected by nodes, but adding entities to a netlist should follow some restriction rules to guarantee the legality of the
structure of the netlist. Here we introduce an inductive definition for the set of all netlists, as shown below:
consts netlists :: (entity set) set
inductive netlists
intros
nilNetlist : ∅ ∈ netlists
addInput :
[[nl ∈ netlists; ¬isDefinedIn n nl]]
=⇒ {Input n} ∪ nl ∈ netlists
addDelay :
[[nl ∈ netlists; ¬isDefinedIn n nl]]
=⇒ {Delay n inp} ∪ nl ∈ netlists
addGate :
[[nl ∈ netlists; ¬isDefinedIn n nl;
∀inpsi. (inpsi mem inps) −→ isDefinedIn inpsi nl; ∀l. (l mem tab) −→ length l = length inps]]
=⇒ {Gate n inps tab} ∪ nl ∈ netlists
In the above definition, rule nilNetlist specifies the empty netlist. The other rules specify the order which should be
followed to add a logical entity to a netlist. In the last three rules, the condition ¬isDefinedIn n nl requires that the output
node n of the newly added logical entity is not an output of any existing entity in nl. This rules out name conflicts
between the output nodes of two different logical entities in a netlist. In rule addGate, the third condition requires that all the
input nodes of the newly added combinational gate must already have been defined in the existing netlist. Combining this condition
with the condition ¬isDefinedIn n nl eliminates combinational cycles in a netlist. Unlike rule addGate, rule addDelay
allows the input node of a delay to be used before the node is defined. Formally, when a component Delay n inp is
added by the rule, inp is a free variable which is restricted only by its type. If a delay's output node is in the fanin cone of the
delay, then a cycle passes through the delay. Therefore, a cycle is allowed to pass through a delay element.
Example 2. Let xnorTab = [[ZERO, ZERO], [ONE, ONE]], xnorG0 = Gate c0 [a0, b0] xnorTab, xnorG1 = Gate c1 [a1, b1]
xnorTab, andTab = [[ONE, ONE]], andG = Gate out [c0, c1] andTab; then the set
nl = {Input a0, Input b0, Input a1, Input b1, xnorG0, xnorG1, andG}
stands for the netlist shown in Fig. 1. For Fig. 4, let tab1 = [[ONE, ZERO]], G1 = Gate sel [clk, clk_##_] tab1, tab2 =
[[ONE, ONE, DontCare], [ZERO, DontCare, ONE]], G2 = Gate s [sel, d_##_, s_##_] tab2, delay1 = Delay d_##_ d,
delay2 = Delay s_##_ s, and nl2 = {G1, G2, delay1, delay2}; nl2 is also a netlist.
Our netlist model is sound in the sense that, for any defined node n in a netlist, there is a unique logical entity in the
netlist whose output node is n. In Isabelle, the unique existence quantifier is denoted by ∃!.
Lemma 3. [[nl ∈ netlists; isDefinedIn n nl]] =⇒ ∃!l. l ∈ nl ∧ fanOut l = n.
Because of this one-to-one mapping from a logical entity to its output node name, we formally define
lookUp nl n ≡ THE g. g ∈ nl ∧ fanOut g = n.
The definition of netlists itself cannot guarantee that each node of a netlist is defined, because an input of a delay can be
used without being defined. In real circuit designs, an input of a delay needs to be defined. If each input node of each logical
entity in a netlist is defined as an output of another logical entity, then we call the netlist closed.
Definition 4. isClosed nl ≡ ∀m n. isDefinedIn m nl −→ n ∈ set (fanIn (lookUp nl m)) −→ isDefinedIn n nl.
Example 5. In Example 2, the netlist nl is closed; nl2 is a netlist, but it is not closed because nodes s and d are not defined
in nl2.
We are mainly interested in closed netlists in our work, so we always assume that nl ∈ netlists and isClosed nl in the
following discussion whenever we mention a netlist nl. To save space, we omit the two side conditions when we present lemmas
about a netlist nl.
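The inductive rules of Section 3.2, lookUp and isClosed can be turned into a checked constructor that refuses any addition the side conditions forbid. The Python below is an added example, not code from the paper or its Isabelle theories; entities are encoded as tuples and node names as strings (assumptions for readability). It builds the two netlists of Example 2. Example 2 lists nl2 as {G1, G2, delay1, delay2} only; since rule addGate requires G1's inputs clk and clk_##_ to be defined before G1 is added, this example also adds Input clk and Delay clk_##_ clk (an addition of this example, not of the paper) so that the construction passes through the rules as stated.

```python
# Added example (not from the paper): a checked constructor for the inductive
# set `netlists`, plus lookUp and isClosed, on the netlists of Example 2.
ONE, ZERO, DONTCARE = "ONE", "ZERO", "DontCare"


# entity = Input node | Gate node "node list" PLA | Delay node node
def Input(n): return ("Input", n)
def Gate(out, inps, tab): return ("Gate", out, tuple(inps), tuple(tuple(l) for l in tab))
def Delay(out, inp): return ("Delay", out, inp)


def fan_out(g): return g[1]


def fan_in(g):
    if g[0] == "Input": return []
    if g[0] == "Gate": return list(g[2])
    return [g[2]]


def is_defined_in(n, nl): return any(fan_out(g) == n for g in nl)


class IllegalNetlist(ValueError):
    pass


class Netlist:
    """A member of `netlists`, grown one rule application at a time."""
    def __init__(self): self.entities = set()           # nilNetlist: ∅ ∈ netlists

    def _fresh(self, n):                                 # ¬isDefinedIn n nl
        if is_defined_in(n, self.entities):
            raise IllegalNetlist(f"node {n} is already the output of another entity")

    def add_input(self, n):                              # rule addInput
        self._fresh(n); self.entities.add(Input(n)); return self

    def add_delay(self, out, inp):                       # rule addDelay: inp may be undefined so far
        self._fresh(out); self.entities.add(Delay(out, inp)); return self

    def add_gate(self, out, inps, tab):                  # rule addGate
        self._fresh(out)
        for i in inps:
            if not is_defined_in(i, self.entities):
                raise IllegalNetlist(f"gate input {i} not yet defined (dangling input or combinational cycle)")
        if any(len(line) != len(inps) for line in tab):
            raise IllegalNetlist("every truth-table line needs one literal per input")
        self.entities.add(Gate(out, inps, tab)); return self

    def look_up(self, n):                                # lookUp nl n; unique by Lemma 3
        (g,) = [g for g in self.entities if fan_out(g) == n]
        return g

    def is_closed(self):                                 # isClosed nl
        return all(is_defined_in(i, self.entities) for g in self.entities for i in fan_in(g))


XNOR_TAB = [[ZERO, ZERO], [ONE, ONE]]
AND_TAB = [[ONE, ONE]]


def fig1_netlist():
    """nl of Example 2: the comparator of Fig. 1."""
    nl = Netlist()
    for n in ("a0", "b0", "a1", "b1"):
        nl.add_input(n)
    nl.add_gate("c0", ["a0", "b0"], XNOR_TAB).add_gate("c1", ["a1", "b1"], XNOR_TAB)
    return nl.add_gate("out", ["c0", "c1"], AND_TAB)


def fig4_netlist():
    """nl2 of Example 2, preceded by the clk entities this example adds."""
    tab1 = [[ONE, ZERO]]
    tab2 = [[ONE, ONE, DONTCARE], [ZERO, DONTCARE, ONE]]
    nl2 = Netlist().add_input("clk").add_delay("clk_##_", "clk")   # added so G1 is legal
    nl2.add_gate("sel", ["clk", "clk_##_"], tab1)                   # G1
    nl2.add_delay("d_##_", "d").add_delay("s_##_", "s")             # delay1, delay2: d undefined
    return nl2.add_gate("s", ["sel", "d_##_", "s_##_"], tab2)       # G2 closes a cycle through s_##_


def rejected(build):
    """True when the rules reject a construction attempt."""
    try:
        build()
        return False
    except IllegalNetlist:
        return True


def rule_violations():
    return {
        "name conflict": rejected(lambda: fig1_netlist().add_input("c0")),
        "undefined gate input": rejected(lambda: Netlist().add_gate("y", ["x"], [[ONE]])),
        "self-loop through a gate": rejected(
            lambda: Netlist().add_input("x").add_gate("y", ["x", "y"], [[ONE, ONE]])),
        "cycle through a delay": rejected(
            lambda: Netlist().add_delay("q_##_", "q").add_gate("q", ["q_##_"], [[ZERO]])),
    }
```

The last entry of rule_violations is the contrast the text draws: a cycle that passes through a delay is accepted, while the same cycle through a gate is refused because the gate's input is not yet defined.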
4. Syntax and semantics of a trajectory formula
States. A circuit state is an instantaneous snapshot of a circuit behaviour given by an assignment of lattice values to the nodes of
the circuit. Therefore, the type state = node ⇒ boolPairs is defined. A state sequence assigns a state to each time point. Here
we again use nat to define the type time. Thus, we define stateSeq = time ⇒ state. Naturally, we extend the ordering
relation to the state and stateSeq types. We define s1 ⊑s s2 ≡ ∀n. s1 n ⊑ s2 n, and sq1 ⊑sq sq2 ≡ ∀t. sq1 t ⊑s sq2 t.
Trajectory evaluation logic. Specifications in STE are symbolic trajectory formulas. In order to formalize the syntax of
trajectory formulas, we introduce a datatype trajForm as follows:
datatype trajForm = Is1 node | Is0 node | chaos
| Next trajForm
| When bool trajForm (infixr −→T 65)
| TAND trajForm trajForm (infixr andT 65)
For convenience in reasoning, we introduce a novel formula chaos in our theory to represent that the values of all the nodes
are unknown at all times. In the above definition, trajectory formulas are naturally symbolic in the sense that
the Boolean guard P of When P A can simply be a Boolean formula in HOL.
The semantics of trajectory formulas is formally defined as a primitive recursive function valid on datatype trajForm.
consts
valid :: stateSeq ⇒ trajForm ⇒ bool ((_ ⊨ _) [80, 80] 80)
primrec
sq ⊨ (Is1 n) = tt ⊑ (sq 0 n)
sq ⊨ (Is0 n) = ff ⊑ (sq 0 n)
sq ⊨ chaos = True
sq ⊨ (A1 andT A2) = (sq ⊨ A1 ∧ sq ⊨ A2)
sq ⊨ (P −→T A) = (P −→ sq ⊨ A)
sq ⊨ (Next A) = ((suffix 1 sq) ⊨ A)
where the notation ((_ ⊨ _) [80, 80] 80) declares ⊨ as an infix notation for the function valid, and suffix i sq ≡ λt. sq (t + i).
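An executable reading of trajForm and valid, added here as an example (not code from the paper or its Isabelle theories): formulas are tagged tuples, a state is a dictionary from node names to dual-rail values in which unmentioned nodes carry X, and a state sequence is a function from time to state. Node names are strings (an assumption for readability). The sample sequence is constructed for the example; the last check shows a consequence of the definitions worth knowing, namely that a node carrying the clash value ⊤ satisfies both Is1 and Is0, because tt ⊑ ⊤ and ff ⊑ ⊤.

```python
# Added example (not from the paper): trajForm and the satisfaction function
# valid of Section 4, with the ordering ⊑ from Section 2.
from typing import Callable, Dict, Tuple

TOP, TT, FF, X = (False, False), (True, False), (False, True), (True, True)


def join(a, b): return (a[0] and b[0], a[1] and b[1])   # a ⊔ b
def leq(a, b): return join(a, b) == b                      # a ⊑ b ≡ a ⊔ b = b


State = Dict[str, Tuple[bool, bool]]
StateSeq = Callable[[int], State]


# datatype trajForm = Is1 node | Is0 node | chaos | Next trajForm
#                   | When bool trajForm | TAND trajForm trajForm
def Is1(n): return ("Is1", n)
def Is0(n): return ("Is0", n)
CHAOS = ("chaos",)
def Next(a): return ("Next", a)
def When(p, a): return ("When", p, a)
def TAND(a1, a2): return ("TAND", a1, a2)


def node_value(s: State, n):
    return s.get(n, X)              # a node the state does not mention carries no information


def suffix(i, sq: StateSeq) -> StateSeq:
    return lambda t: sq(t + i)      # suffix i sq ≡ λt. sq (t + i)


def valid(sq: StateSeq, a) -> bool:
    """sq ⊨ a, clause by clause as in the primrec definition."""
    tag = a[0]
    if tag == "Is1":
        return leq(TT, node_value(sq(0), a[1]))
    if tag == "Is0":
        return leq(FF, node_value(sq(0), a[1]))
    if tag == "chaos":
        return True
    if tag == "TAND":
        return valid(sq, a[1]) and valid(sq, a[2])
    if tag == "When":
        return (not a[1]) or valid(sq, a[2])   # P −→ sq ⊨ A
    if tag == "Next":
        return valid(suffix(1, sq), a[1])
    raise ValueError(f"unknown trajForm constructor {tag}")


# Constructed sample sequence: at time 0 node a is tt, b is ff and c carries a
# clash; at time 1 node a is ff; every other node at every time is X.
SAMPLE = {0: {"a": TT, "b": FF, "c": TOP}, 1: {"a": FF}}


def sample_seq(t: int) -> State:
    return SAMPLE.get(t, {})


def checks():
    """Formulas evaluated against the constructed sequence."""
    return {
        "a is 1 now": valid(sample_seq, Is1("a")),
        "a is 0 now": valid(sample_seq, Is0("a")),
        "a is 0 next": valid(sample_seq, Next(Is0("a"))),
        "b is 1 next": valid(sample_seq, Next(Is1("b"))),      # b is X at time 1
        "false guard": valid(sample_seq, When(False, Is1("b"))),
        "true guard": valid(sample_seq, When(True, Is1("b"))),
        "conjunction": valid(sample_seq, TAND(Is1("a"), Is0("b"))),
        "clash satisfies both": valid(sample_seq, TAND(Is1("c"), Is0("c"))),
        "chaos": valid(sample_seq, CHAOS),
    }
```

Because the guard is an ordinary Boolean, a symbolic guard in the Isabelle theory is simply a HOL formula in place of the literal True or False used here.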
5. Formalization of closure functions over netlists
During STE simulation, information is propagated forwards through both the circuit structure and time. By simulation, we
mean that a circuit nl takes a stimulating sequence as input and returns a result sequence. We first illustrate the meaning
of forward information propagation through the circuit structure at a time point. Namely, the circuit takes the state of the
stimulating sequence at some time point, then calculates all information about the circuit at the same point that can be
derived by propagating the information from any combinational gate's input nodes to its output. After this propagation is
finished, a new state of the circuit is returned as the simulation result for this time point. More specifically, given a state s, for
an input node n of the circuit, or a delay node, s n is simply the value of n after simulation. For an internal node n which is the
output of a gate with a truth table tab, provided that the returned values of the inputs of the gate are v1, . . . , vi after simulation,
the value of n is returned as the least upper bound of s n and Ftab v1 . . . vi.
For instance, suppose that s a0 = tt, s b0 = tt, s a1 = tt, and s n = X for every other node n, and that a simulation for the
circuit in Fig. 1 is started at s; then at the end of time point 0, the result state s′ after simulation satisfies s′ n = s n for
n ∈ {a0, b0, a1, b1}, s′ c0 = tt, s′ c1 = X, and s′ out = X. Formally, the information propagation can be represented as a set
of value assignments as follows: {(a0, tt), (b0, tt), (a1, tt), (b1, X), (c0, tt), (c1, X), (out, X)}.
In order to define the closure semantics of netlists, we need some preliminary formalization of the semantics of literals,
lines, and truth tables. These are defined reasonably straightforwardly: funOfLit (v, lit) returns the input value v if lit is on,
else if lit is off, then it returns the negation of v, else it just returns tt . Here we briefly explain why tt is returned when
the literal is DontCare: it is because tt is a unit for the operator AND in the four-valued domain, and funOfLine vs line is a
conjunction of the values of literals in this line. At a state, if a value of a literal in a line is returned as tt, then the value of
this line will not depend on the value of this literal. funOfLine vs line returns the conjunction of the values of literals in a line
provided that the values assigned to inputs are vs. funOfTab tab vs returns the disjunction of the values of lines of a table
provided that the values assigned to inputs are vs.
funOfLit :: boolPairs × Lit ⇒ boolPairs
funOfLit x ≡ if (snd x) = ONE then (fst x)
else if (snd x) = ZERO
then (NOT (fst x))
else tt
funOfLine :: boolPairs list ⇒ LINE ⇒ boolPairs
primrec funOfLine bps [] = tt
funOfLine bps (el0#ls) =
AND (funOfLit ((hd bps), el0)) (funOfLine (tl bps) ls)
funOfTab :: PLA ⇒ boolPairs list ⇒ boolPairs
primrec funOfTab [] bps = ff
funOfTab (line#tbl) bps =
OR (funOfLine bps line) (funOfTab tbl bps)
Now we formally introduce a so-called closure relation rclosure, which is defined on a netlist and a state. rclosure nl s
returns the closure set of information propagated forwards in the simulation of the netlist nl at the state s, and formally is a
pair set, inductively defined as follows:
consts rclosure :: entity set ⇒ state ⇒ (node × boolPairs) set
inductive rclosure nl s
intros
stAddInput :
[[Input n ∈ nl]] =⇒ (n, s n) ∈ rclosure nl s
stAddLatch :
[[Delay n inp ∈ nl]] =⇒ (n, s n) ∈ rclosure nl s
stAddGate :
[[Gate n inps tab ∈ nl; length stateLs = length inps;
∀l. l mem tab −→ length l = length inps;
∀pair. pair mem (zip inps stateLs) −→ pair ∈ rclosure nl s]]
=⇒ (n, ((funOfTab tab stateLs) ⊔ (s n))) ∈ rclosure nl s
The relation rclosure nl s corresponds to a function, namely, for any node n such that isDefinedIn n nl, there is pair p
such that fst p = n; furthermore, if both (n, v1) and (n, v2) are in rclosure nl s, then v1 = v2. Intuitively, rclosure nl s is single
valued because the output node of a logical entity is uniquely defined and the combination logic of a netlist is acyclic. More
formally, we have the following.
Lemma 6. [[isDefinedIn n nl]] =⇒ ∃!pair. pair ∈ rclosure nl s ∧ fst pair = n.
Therefore, we define a function fclosure on a netlist nl and a state s. fclosure nl s returns the result state of nl after
simulation at the driving state s.
fclosure nl s n ≡
if isDefinedIn n nl
then let pair = (THE pair.pair ∈ rclosure nl s ∧ (fst pair) = n)
in (snd pair)
else s n
In this definition, if n is defined as an output of a logical entity, then the value of n in the result is the second element of
the unique element pair which is in the closure set rclosure nl s and fst pair = n.
Roughly speaking, ‘‘a closure function f ’’ means that applying f once derives a closure of information in some form.
In detail, (1) f is monotonic: f x ⊑ f y if x ⊑ y; (2) f is idempotent: f x = f (f x); (3) f is extensive: x ⊑ f x. Function fclosure
nl is a closure function. More formally, we have
1. [[s1 ⊑s s2]] =⇒ fclosure nl s1 n ⊑ fclosure nl s2 n
2. s n ⊑ fclosure nl s n
3. fclosure nl (fclosure nl s) n = fclosure nl s n.
Now we show how simulation information is propagated forwards through time given a stimulating sequence σ , i.e.,
from each time step t to time step t + 1. Recall that each delay has an output node data_##_ and input node data. For the
delay, the value of node data at time point t is denoted as datat after the simulation at time t , and the information datat
will be propagated to node data_##_ at time t + 1, i.e., the simulator initially sets the value of node data_##_ at time point
t + 1 as the upper bound of datat and σ(t + 1)(data_##_), then starts the simulation over the circuit at time point t + 1.
In order to model this forward propagation of information through time, we define a function fSeq nl σ over a netlist nl and
a stimulating sequence σ, which returns the result sequence after simulation of nl given σ. fSeq nl σ is another
sequence, and it is defined by primitive recursion on time t based on the definition of fclosure. In the following discussion,
we use isDelayName x nl to denote that x is an output node of a delay in the netlist nl.
fSeq nl σ 0 = fclosure nl (σ 0)
fSeq nl σ (t + 1) =
(let s =
(λn. if (isDelayName n nl)
then (let l = (lookUp nl n) in
let inps = fanins l in
((fSeq nl σ t) (hd inps)) ⊔ (σ (t + 1) n))
else σ (t + 1) n)
in fclosure nl s)
Similarly, we can prove that fSeq is also a closure function, namely,
1. [[nl ∈ netlists; isClosed nl; sq1 ⊑sq sq2]]
=⇒ fSeq nl sq1 ⊑sq fSeq nl sq2
2. [[nl ∈ netlists; isClosed nl]] =⇒ sq ⊑sq fSeq nl sq
3. [[nl ∈ netlists]] =⇒ fSeq nl (fSeq nl sq) = fSeq nl sq.
5.0.1. Trajectories
A trajectory is a result state sequence of some circuit netlist nl after a run of simulation. It is a sequence from which no more
information can be derived by forward propagation; namely, the result sequence returned by a simulation run of nl is the
same as the stimulating sequence fed into the simulator. We define trajOfCirc nl as the set of all trajectories of a netlist nl:
trajOfCirc :: entity set ⇒ stateSeq set
trajOfCirc nl ≡ {sq. fSeq nl sq = sq}
6. Semantics of STE
Now we define the semantics of an STE assertion A ❀ C , where both A and C are trajectory formulas. A is called the
antecedent, which specifies with what values we should drive the simulation. C is called the consequent, which specifies
the expected results of the simulation. A circuit nl satisfies a trajectory assertion, written cktSat nl A ❀ C , if, for every
trajectory τ of nl, it holds that τ |= A implies that τ |= C .
We define a type assertion to formalize the syntax of an STE assertion.
datatype assertion =
Leadsto trajForm trajForm (infixr ❀ 50)
We introduce a predicate cktSat that checks the validity of an STE assertion.
cktSat :: entity set ⇒ assertion ⇒ bool
primrec cktSat nl (A ❀ C) =
(∀τ. τ ∈ (trajOfCirc nl) −→ (τ |= A −→ τ |= C))
The key feature of STE logic is that, for any Boolean symbolic variable assignment φ, there is a unique weakest sequence
that satisfies a trajectory formula f. This sequence is called the defining sequence of f. To define the defining sequence of a
formula, we introduce a primitive recursive function defSqOfTrForm which operates on a trajectory formula and returns a symbolic sequence.
Definition 7 (Defining Sequence). Given a trajectory formula A, the defining sequence of A, written defSqOfTrForm A, is
defined by primitive recursion on type trajForm.
defSqOfTrForm :: trajForm ⇒ stateSeq
primrec
defSqOfTrForm (Is1 n) = (λt m. (if (t = 0 ∧ m = n) then tt else X))
defSqOfTrForm (Is0 n) = (λt m. (if (t = 0 ∧ m = n) then ff else X))
defSqOfTrForm (A andT B) =
(λt m. (defSqOfTrForm A t m) ⊔ (defSqOfTrForm B t m))
defSqOfTrForm (P −→T A) = (λt m. let v = (defSqOfTrForm A t m) in
(P −→ (fst v), P −→ (snd v)))
defSqOfTrForm (Next A) = (λt m. let v = (defSqOfTrForm A (t − 1) m) in
if (t ≠ 0) then v else X)
defSqOfTrForm chaos = λt m. X
In the above definition of defSqOfTrForm,−→ denotes the implication operator in the Boolean domain in the case of the
guard trajectory formula.
From the definition of the defining sequence of A, we can easily prove that the sequence satisfies A by induction.
Lemma 8. defSqOfTrForm A |= A.
Furthermore, for any sequence σ that satisfies A, the defining sequence is the weakest of all.
Lemma 9.
(1) defSqOfTrForm A ⊑sq sq =⇒ sq |= A.
(2) sq |= A =⇒ defSqOfTrForm A ⊑sq sq.
Now, we introduce the defining trajectory of a trajectory formula A w.r.t. nl, which is the weakest trajectory that satisfies
A. The defining trajectory of A w.r.t. nl is naturally the result sequence obtained by driving nl with the defining sequence of A.
Definition 10 (Defining Trajectory). Given a trajectory form A and a netlist nl, the defining trajectory of A w.r.t. nl, denoted
by defTrajOfCirc A nl, is defined as follows:
defTrajOfCirc A nl ≡ fSeq nl (defSqOfTrForm A)
Similarly, we can prove that the defining trajectory of A w.r.t. nl satisfies A.
Lemma 11. (defTrajOfCirc A nl) ∈ trajOfCirc nl ∧ (defTrajOfCirc A nl) |= A.
The following lemma proves that the defining trajectory of nl is indeed the weakest trajectory of nl that satisfies A.
Lemma 12.
(1) [[τ ∈ trajOfCirc nl; τ |= A]] =⇒ (defTrajOfCirc A nl) ⊑sq τ
(2) [[(defTrajOfCirc A nl) ⊑sq τ]] =⇒ τ |= A.
The following lemma is the most fundamental result of STE theory, which states that (defSqOfTrForm C) ⊑sq
(defTrajOfCirc A nl) if and only if cktSat nl (A ❀ C) for a closed netlist nl. This result guarantees an effective way to
check validity of an STE assertion. In order to check an STE assertion cktSat nl (A ❀ C), we only need to consider whether
(defSqOfTrForm C) ⊑sq (defTrajOfCirc A nl) holds.
Lemma 13.
(1) [[(defSqOfTrForm C) ⊑sq (defTrajOfCirc A nl)]] =⇒ cktSat nl (A ❀ C).
Proof. In order to prove cktSat nl (A ❀ C), we fix a trace tr such that tr ∈ trajOfCirc nl and tr |= A, and we
need to prove that tr |= C. By Lemma 9(1), we only need to prove that defSqOfTrForm C ⊑sq tr. By Lemma 12(1), we have
(defTrajOfCirc A nl) ⊑sq tr. From the assumption (defSqOfTrForm C) ⊑sq (defTrajOfCirc A nl) and the transitivity of
⊑sq, we have defSqOfTrForm C ⊑sq tr. □
(2) [[cktSat nl (A ❀ C)]] =⇒ (defSqOfTrForm C) ⊑sq (defTrajOfCirc A nl).
Proof. By Lemma 11, we have (defTrajOfCirc A nl) ∈ trajOfCirc nl and (defTrajOfCirc A nl) |= A. From this, by the
definition of cktSat nl (A ❀ C), we have (a) (defTrajOfCirc A nl) |= C. By Lemma 9(2), we easily show defSqOfTrForm
C ⊑sq (defTrajOfCirc A nl). □
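The closure semantics of Section 5 (funOfTab, fclosure, fSeq), the defining sequence of Definition 7 and the check of Lemma 13 can be run directly on the netlist of Fig. 1. The following Python model is an added example, not code from the paper or its Isabelle scripts; the dual-rail pair encoding of the four values, the dictionary representation of netlists, states and formulas, and the extra delay node q are assumptions made here.

```python
# Added example (not from the paper): an executable model of funOfLit/
# funOfLine/funOfTab, fclosure and fSeq, of defSqOfTrForm, and of the STE
# check of Lemma 13, run on the 2-bit comparator of Fig. 1 plus one delay.
# Dual-rail encoding (my assumption): X = (True, True), tt = (True, False),
# ff = (False, True); (False, False) is the overconstrained top value.
from functools import lru_cache, reduce

X, TT, FF = (True, True), (True, False), (False, True)
ONE, ZERO, DONTCARE = "ONE", "ZERO", "DONTCARE"

def leq(v, w): return (not w[0] or v[0]) and (not w[1] or v[1])   # v ⊑ w
def join(v, w): return (v[0] and w[0], v[1] and w[1])             # v ⊔ w
def NOT(v): return (v[1], v[0])
def AND(v, w): return (v[0] and w[0], v[1] or w[1])
def OR(v, w): return (v[0] or w[0], v[1] and w[1])

def fun_of_lit(v, lit):   # funOfLit: DONTCARE yields tt, the unit of AND
    return v if lit == ONE else NOT(v) if lit == ZERO else TT
def fun_of_line(vs, line):   # funOfLine: conjunction of the literals
    return reduce(AND, (fun_of_lit(v, lit) for v, lit in zip(vs, line)), TT)
def fun_of_tab(tab, vs):   # funOfTab: disjunction of the lines (ff is unit)
    return reduce(OR, (fun_of_line(vs, line) for line in tab), FF)

# A netlist maps each defined output node to ("Input",), ("Delay", inp) or
# ("Gate", inps, tab); the combinational logic must be acyclic.
def fclosure(nl, s):
    """Result state after simulating one time point from driving state s."""
    @lru_cache(maxsize=None)
    def val(n):   # the v of the unique pair (n, v) in rclosure nl s
        ent = nl.get(n)
        if ent is None or ent[0] != "Gate":   # free node, input or delay
            return s.get(n, X)
        _, inps, tab = ent
        return join(fun_of_tab(tab, [val(i) for i in inps]), s.get(n, X))
    return {n: val(n) for n in set(nl) | set(s)}

def fseq(nl, sigma, t):
    """fSeq nl σ t: delays carry information from time t-1 into time t."""
    if t == 0:
        return fclosure(nl, sigma(0))
    prev, s = fseq(nl, sigma, t - 1), dict(sigma(t))
    for n, ent in nl.items():
        if ent[0] == "Delay":   # data at t-1 is joined into data_##_ at t
            s[n] = join(prev.get(ent[1], X), s.get(n, X))
    return fclosure(nl, s)

# Trajectory formulas: ("Is1", n), ("Is0", n), ("and", A, B),
# ("guard", P, A) with P a Python bool, ("next", A) and "chaos".
def and_list(forms):   # andLists: A1 andT (A2 andT (... andT chaos))
    return ("and", forms[0], and_list(forms[1:])) if forms else "chaos"

def def_sq(form, t, m):   # defSqOfTrForm A t m
    if form == "chaos":
        return X
    tag = form[0]
    if tag in ("Is1", "Is0"):
        return (TT if tag == "Is1" else FF) if t == 0 and m == form[1] else X
    if tag == "and":
        return join(def_sq(form[1], t, m), def_sq(form[2], t, m))
    if tag == "guard":   # (P −→ fst v, P −→ snd v): a false guard gives X
        v = def_sq(form[2], t, m)
        return (not form[1] or v[0], not form[1] or v[1])
    return def_sq(form[1], t - 1, m) if t != 0 else X   # Next A

def subforms(form):   # trajectory sub-formulas of a compound formula
    return [f for f in form[1:] if not isinstance(f, bool)]

def on_nodes(form):   # onNodes: the nodes occurring in a formula
    if form == "chaos":
        return set()
    if form[0] in ("Is1", "Is0"):
        return {form[1]}
    return set().union(*(on_nodes(f) for f in subforms(form)))

def depth(form):   # last time point at which defSqOfTrForm may be non-X
    if form == "chaos" or form[0] in ("Is1", "Is0"):
        return 0
    return max(depth(f) for f in subforms(form)) + (form[0] == "next")

def ckt_sat(nl, ant, cons):
    """Lemma 13: cktSat nl (A ❀ C) iff defSqOfTrForm C ⊑sq defTrajOfCirc A nl."""
    nodes = set(nl) | on_nodes(ant) | on_nodes(cons)
    def sigma(t):   # the defining sequence of A, as a state per time point
        return {n: def_sq(ant, t, n) for n in nodes}
    for t in range(depth(cons) + 1):   # past depth(C), defSq C is X ⊑ anything
        traj = fseq(nl, sigma, t)   # defTrajOfCirc A nl at time t
        if not all(leq(def_sq(cons, t, n), traj.get(n, X)) for n in nodes):
            return False
    return True

# Constructed sample: Fig. 1 (c0 = a0 XNOR b0, c1 = a1 XNOR b1, out = c0 AND
# c1) plus a delay q on out, added here to exercise fSeq and Lemma 38.
XNOR_TAB = [[ONE, ONE], [ZERO, ZERO]]
COMPARATOR = {"a0": ("Input",), "b0": ("Input",), "a1": ("Input",),
              "b1": ("Input",), "c0": ("Gate", ["a0", "b0"], XNOR_TAB),
              "c1": ("Gate", ["a1", "b1"], XNOR_TAB),
              "out": ("Gate", ["c0", "c1"], [[ONE, ONE]]),
              "q": ("Delay", "out")}
```

With the driving state of the example at the start of this section (a0, b0, a1 set to tt, all else X), fclosure returns c0 = tt, c1 = X and out = X, and ckt_sat decides assertions such as Is1 a0 andT Is0 b0 ❀ Next (Is0 q) by the single comparison of Lemma 13.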
7. Subnetlists
It is interesting to note that the evaluation of an STE assertion in a netlist may depend only on a part of the netlist,
and this part is itself a netlist. Therefore, we introduce the concept of a subnetlist. Given two logical entity sets nl and
nl′, usually nl′ ⊆ nl, the subnetlist derived from nl′ in nl is a closure set of entities, defined as follows.
Definition 14. Let nl, nl′ be two sets of devices; the subnetlist subNet nl nl′ is the set inductively defined
by the following rules:
consts subNet :: entity set ⇒ entity set ⇒ entity set
inductive subNet nl nl′
intros
subAddself :
[[enttr ∈ nl′; enttr ∈ nl]] =⇒ enttr ∈ subNet nl nl′
subAddLink :
[[enttr0 ∈ subNet nl nl′; enttr1 ∈ nl;
(fanout (enttr1)) ∈ set (fanins (enttr0))]] =⇒ enttr1 ∈ subNet nl nl′
In the rule subAddLink, (fanout (enttr1)) ∈ set (fanins (enttr0)) means that the output node of enttr1 is
driving one input node of enttr0. This rule guarantees that all the fanin cones of entities in nl′ are defined in subNet nl nl′.
Obviously, it holds that subNet nl nl′ ⊆ nl for any nl′. Informally we say that nl1 is a subnetlist of nl if nl1 = subNet nl nl0
for some nl0.
Example 15. In Example 2, let nl′ = {xnorG0} and subNet nl nl′ = {Input a0, Input b0, xnorG0}.
Suppose that nl′ is a subnetlist of nl. At a time point, if n is a node defined in nl′, then the same value will be propagated
into node n after simulations for nl and nl′ respectively from a state s.
Lemma 16.
(1) [[nl′ ⊆ nl; isDefinedIn n nl′]] =⇒ ((n, v) ∈ rclosure nl′ s) = ((n, v) ∈ rclosure nl s)
(2) [[nl′ ⊆ nl; isDefinedIn n nl′]] =⇒ fclosure nl s n = fclosure nl′ s n
Similarly, suppose that n is defined in nl′; then node n is updated with the same value at any time point after two
simulations for nl and nl′ from the same state s.
Lemma 17.
[[nl′ ⊆ nl; isDefinedIn n nl′]] =⇒ fSeq nl s n = fSeq nl′ s n
Using Lemma 17, we can prove that the two sequences defTrajOfCirc B nl and defTrajOfCirc B nl′ agree on the value of a
node n at any time point if n is defined in nl′.
Lemma 18.
[[nl′ ⊆ nl; isDefinedIn n nl′]] =⇒ defTrajOfCirc B nl t n = defTrajOfCirc B nl′ t n
Provided that nl′ is a subnetlist of nl, and all the nodes specified in the consequent C of an STE assertion are defined in
nl′, then it can be safely concluded that cktSat nl A ❀ C iff cktSat nl′ A ❀ C .
Lemma 19 (subsetI).
[[nl′ ⊆ nl; ∀n. n ∈ (onNodes C) −→ isDefinedIn n nl′]]
=⇒ cktSat nl′ A ❀ C = cktSat nl A ❀ C
The proof of this lemma is reasonably straightforward. We mainly combine Lemmas 18 and 13 to prove this result. The
key point is that, for any node n ∈ (onNodes C), we have defTrajOfCirc A nl t n = defTrajOfCirc A nl′ t n. Therefore,
(defSqOfTrForm C) t n ⊑ (defTrajOfCirc A nl) t n iff (defSqOfTrForm C) t n ⊑ (defTrajOfCirc A nl′) t n for any t and any node
n ∈ (onNodes C). We are only interested in the evaluation of nodes n ∈ (onNodes C) because (defSqOfTrForm C) t n = X
for any node n ∉ (onNodes C) and X ⊑ v for any value v.
We need two preliminary definitions before we continue.
Definition 20. Let A be a trajectory formula; then onNodes A, which returns the set of nodes which occur in A, is defined as
follows:
onNodes :: trajForm ⇒ node set
primrec
onNodes (Is1 n) = {n}
onNodes (Is0 n) = {n}
onNodes (A andT B) = (onNodes A) ∪ (onNodes B)
onNodes (P −→T A) = onNodes A
onNodes (Next A) = onNodes A
onNodes chaos = ∅
The next definition is of InducedNet nl ns, where nl is a netlist and ns is a node set. InducedNet nl ns returns the subnetlist
induced by those logical entities of nl whose output node is in ns.
Definition 21.
InducedNet :: entity set ⇒ node set ⇒ entity set
InducedNet nl ns ≡ subNet nl {g. ∃n. isDefinedIn n nl ∧ n ∈ ns ∧ g = lookUp nl n}
The next lemma says that if an antecedent B has nothing to do with nodes which may affect the nodes in the consequent
C , more specifically, (onNodes B) ∩ defAsOuts (InducedNet nl (onNodes C)) = ∅, then B has nothing to do with the truth
of this assertion.
Lemma 22 (steEqAnt).
[[(onNodes B) ∩ defAsOuts (InducedNet nl (onNodes C)) = ∅;
∀n. n ∈ (onNodes C) −→ isDefinedIn n nl]]
=⇒ cktSat nl (A ❀ C) = cktSat nl ((A andT B) ❀ C)
For instance, let A = (Is1 a0) andT (Is1 b0), B = (Isb a1 Ba1) andT (Isb b1 Bb1), C = Is1 c0, let nl be the netlist shown
in Fig. 1, and let nl′ = InducedNet nl (onNodes C); then we have onNodes B = {a1, b1}, onNodes C = {c0} and nl′
= {Input a0, Input b0, xnorG0}. Because (onNodes B) ∩ defAsOuts nl′ = ∅, cktSat nl ((A andT B) ❀ C) is equivalent to
cktSat nl (A ❀ C). Usually, (A andT B) ❀ C has more symbolic variables than A ❀ C does, so we often use the following
law, which gives a heuristic for simplifying an assertion by eliminating unnecessary antecedents.
Lemma 23 (steDelAnt).
[[(onNodes B) ∩ defAsOuts (InducedNet nl (onNodes C)) = ∅;
cktSat nl (A ❀ C)]]
=⇒ cktSat nl ((A andT B) ❀ C)
This result lets us simplify an assertion by eliminating some unnecessary antecedents without affecting
the truth of the assertion under study.
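As an added example that is not part of the paper, the following Python computes subNet (Definition 14), InducedNet (Definition 21) and onNodes (Definition 20) for the netlist of Fig. 1 and checks the hypotheses of Lemma 22 for the assertion discussed above; the tuple encoding of entities and formulas is assumed here.

```python
# Added example (not from the paper): the subnetlist closure subNet nl nl′ of
# Definition 14, InducedNet nl ns of Definition 21, onNodes of Definition 20
# and the side condition of Lemma 22, computed for the netlist of Fig. 1.
# Entities are encoded as ("Input", n), ("Delay", out, inp) or
# ("Gate", out, inps, tab) and formulas as ("Is1", n), ("Is0", n),
# ("Isb", n, a), ("and", A, B), ("guard", P, A), ("next", A) or "chaos".
ONE, ZERO = "ONE", "ZERO"

def fanout(ent):   # output node of an entity
    return ent[1]

def fanins(ent):   # input nodes of an entity
    if ent[0] == "Input":
        return ()
    return (ent[2],) if ent[0] == "Delay" else ent[2]

def def_as_outs(nl):   # defAsOuts nl: nodes defined as an output in nl
    return {fanout(e) for e in nl}

def look_up(nl, n):   # lookUp nl n: the entity whose output node is n
    return next(e for e in nl if fanout(e) == n)

def sub_net(nl, nl_prime):
    """subNet nl nl′: nl ∩ nl′ closed under subAddLink (the fanin cones)."""
    closure = {e for e in nl_prime if e in nl}   # rule subAddself
    changed = True
    while changed:   # least fixed point of the inductive definition
        changed = False
        for e1 in nl:
            if e1 in closure:
                continue
            if any(fanout(e1) in fanins(e0) for e0 in closure):   # subAddLink
                closure.add(e1)
                changed = True
    return closure

def induced_net(nl, ns):   # InducedNet nl ns
    outs = def_as_outs(nl)
    return sub_net(nl, {look_up(nl, n) for n in ns if n in outs})

def on_nodes(form):   # onNodes, extended to the abbreviation Isb n a
    if form == "chaos":
        return set()
    if form[0] in ("Is1", "Is0", "Isb"):
        return {form[1]}
    subs = form[2:] if form[0] == "guard" else form[1:]
    return set().union(*(on_nodes(f) for f in subs))

def ste_eq_ant_applies(nl, ant_b, cons):
    """Hypotheses of Lemma 22 (steEqAnt): every node of C is defined in nl and
    B touches no output node in the fanin cone of C, so B may be added to or
    dropped from the antecedent without changing the truth of the assertion."""
    cone = def_as_outs(induced_net(nl, on_nodes(cons)))
    return on_nodes(cons) <= def_as_outs(nl) and not (on_nodes(ant_b) & cone)

# Constructed sample: the 2-bit comparator of Fig. 1.
XNOR_TAB = ((ONE, ONE), (ZERO, ZERO))
XNOR_G0 = ("Gate", "c0", ("a0", "b0"), XNOR_TAB)
XNOR_G1 = ("Gate", "c1", ("a1", "b1"), XNOR_TAB)
AND_G = ("Gate", "out", ("c0", "c1"), ((ONE, ONE),))
FIG1 = {("Input", "a0"), ("Input", "b0"), ("Input", "a1"), ("Input", "b1"),
        XNOR_G0, XNOR_G1, AND_G}
```

For C = Is1 c0 the induced subnetlist is {Input a0, Input b0, xnorG0} as in Example 15, so B = Isb a1 Ba1 andT Isb b1 Bb1 passes the check; for C = Is1 out the cone is the whole netlist and the check fails.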
8. Symmetry in circuit structure and STE
In this section, we introduce the concept of structure symmetry. Due to the formalization of the structure of circuits, it
is reasonably straightforward to formalize the structure symmetry.
Definition 24. Let nl and nl′ be two closed netlists; nl and nl′ are symmetric w.r.t. a function f, written sym f nl nl′, which
is defined as follows:
sym :: (node ⇒ node) ⇒ entity set ⇒ entity set ⇒ bool
sym f M N ≡ bij f ∧ f‘(defAsOuts M) = (defAsOuts N) ∧
(∀m. isDefinedIn m M −→ isDefinedIn (f m) N ∧
(let lx = (lookUp M m) in
let ly = (lookUp N (f m)) in
(case lx of
Input x ⇒ ly = Input (f x) |
Delay out data ⇒ ly = Delay (f out) (f data) |
Gate out inps tab ⇒
ly = Gate (f out) (map f inps) tab)))
Roughly speaking, sym f nl nl′ says that f is an isomorphism mapping from the structure of nl to that of nl′. Namely, if n
is an output of a logical entity l in nl, then f n is an output of a similar logical entity l′ and the fanins of l are also mapped to
those of l′ under f. Informally, l and l′ are similar in the sense that they are both input devices, or both delays, or both gates
with the same truth table.
Usually, we need to discuss the symmetry between two nodes in one netlist, which is defined by symmetry between the
subnetlists induced by the two node sets. The predicate nodeSetSym f M N nl specifies that the subnetlists induced from
node sets M and N in an entity set nl are symmetric w.r.t. some function f. Informally, we say that node sets M and N are
symmetric in nl w.r.t. f.
Definition 25.
nodeSetSym :: (node ⇒ node) ⇒ node set ⇒ node set ⇒ entity set ⇒ bool
nodeSetSym f M N nl ≡ sym f (InducedNet nl M) (InducedNet nl N)
Example 26. Let nl0 = {Input a0, Input b0, xnorG0}, nl1 = {Input a1, Input b1, xnorG1}, N0 = {c0}, N1 = {c1}, and f = λx. (if
x = a0 then a1 else if x = a1 then a0 else if x = b0 then b1 else if x = b1 then b0 else if x = c0 then c1 else if x = c1 then c0
else x). InducedNet nl N0 = nl0, InducedNet nl N1 = nl1. We have that sym f nl0 nl1 and nodeSetSym f N0 N1 nl.
Next we define permutations on states, sequences, and formulas. These are similar to their counterparts in [17].
Definition 27. Permutation on states.
appSym2State :: (node ⇒ node) ⇒ state ⇒ state
appSym2State f s ≡ λn. s (f n)
Definition 28. Permutation on sequences.
appSym2Seq :: (node ⇒ node) ⇒ stateSeq ⇒ stateSeq
appSym2Seq f sq ≡ λt. appSym2State f (sq t)
Definition 29. Permutation on formulas.
appSym2Form :: (node ⇒ node) ⇒ trajForm ⇒ trajForm
primrec
appSym2Form f (Is0 n) = Is0 (f n)
appSym2Form f (Is1 n) = Is1 (f n)
appSym2Form f (A andT B) = (appSym2Form f A) andT (appSym2Form f B)
appSym2Form f (P −→T A) = P −→T (appSym2Form f A)
appSym2Form f (Next A) = Next (appSym2Form f A)
appSym2Form f chaos = chaos
Each permutation can be defined in terms of a composition of swap functions. Here we use a predicate isSwap to specify
that a function is a swap function: isSwap f ≡ ∀a b. f a = b −→ f b = a.
Provided that f is a swap function, applying the permutation f to the defining sequence of a formula is equivalent to
computing the defining sequence of the permuted formula.
Lemma 30.
isSwap f =⇒
appSym2Seq f (defSqOfTrForm A) = defSqOfTrForm (appSym2Form f A)
Suppose that nl and nl′ are symmetric w.r.t. f; then a swap permutation applied to the defining trajectory of A w.r.t. nl is
equal to the defining trajectory of appSym2Form f A w.r.t. nl′.
Lemma 31.
[[nl ∈ netlists; nl′ ∈ netlists; sym f nl nl′; isSwap f]]
=⇒ appSym2Seq f (defTrajOfCirc A nl) = defTrajOfCirc (appSym2Form f A) nl′
With the help of Lemmas 13, 30 and 31, we can derive an important result which encapsulates the relation between
symmetric netlists and the symmetric STE assertions.
Lemma 32.
[[sym f nl nl′; isSwap f]] =⇒
cktSat nl (A ❀ C) = cktSat nl′ (appSym2Form f A ❀ appSym2Form f C)
This result guarantees us that we only need to verify one representative STE assertion from an equivalence class, and
deduce the correctness of the entire class for symmetric circuits.
Provided that all the nodes in onNodes C and onNodes (appSym2Form f C) are defined in nl, and they are symmetric in nl w.r.t.
f, cktSat nl (A ❀ C) implies cktSat nl (appSym2Form f A ❀ appSym2Form f C). The proof of this result needs the
combination of Lemmas 32 and 19. Because we often meet the case of symmetry between two subnetlists in a netlist, the
following lemma is very useful in our verification.
Lemma 33 (symReduce2).
[[isSwap f; ∀n. n ∈ (onNodes C) −→ isDefinedIn n nl;
∀n. n ∈ (onNodes (appSym2Form f C)) −→ isDefinedIn n nl;
nodeSetSym f (onNodes C) (onNodes (appSym2Form f C)) nl]]
=⇒ cktSat nl (A ❀ C) = cktSat nl (appSym2Form f A ❀ appSym2Form f C)
9. Novel algebraic laws
In this section, we introduce a set of algebraic laws. The novelty of our laws lies in the fact that they relate the properties
of some circuits to their special structures. In the classical STE literature, some laws have already been introduced, and
they are usually general in the sense that they are independent of the structures of circuits. For instance, the steConjI
rule, [[nl ∈ netlists; isClosed nl; cktSat nl (A ❀ B); cktSat nl (A ❀ C)]] =⇒ cktSat nl (A ❀ (B andT C)), has already been
introduced in [1,17], and it holds for any netlist nl. Differently from laws such as steConjI, our laws, which are introduced
below, formally exploit the special structures of some circuits in our formal netlist model.
We need some preliminary definitions before we continue. andLists tfs returns the conjunction of a list of trajectory
formulas:
andLists [] = chaos
andLists (A#listA) = A andT (andLists listA)
Two predicates isFullAndLine :: LINE ⇒ bool and isAndTab :: PLA ⇒ bool are introduced to define the truth table of an AND-
gate:
isFullAndLine line ≡ ∀l. l mem line −→ l = ONE
isAndTab tab ≡ length tab = 1 ∧ isFullAndLine (hd tab)
The first lemma says that if all the input nodes of an AND-gate are set high, then its output node should be high too.
Lemma 34 (andTabPropT).
[[isAndTab tab; Gate out inps tab ∈ nl;
∀l. l mem tab −→ length l = length inps]] =⇒
cktSat nl ((andLists (map (λn. Is1 n) inps)) ❀ (Is1 out))
The second lemma says that if one input node of an AND-gate is set low, then its output turns low.
Lemma 35 (andTabPropF).
[[isAndTab tab; Gate out inps tab ∈ nl; inpsi mem inps;
∀l. l mem tab −→ length l = length inps]] =⇒
cktSat nl ((Is0 inpsi) ❀ (Is0 out))
Naturally, a table whose length is greater than 1 is a disjunction of lines, so we need not deliberately define an OR-gate.
However, we need to formally define a function which specifies value assignments of all inputs in a line before we go on.
The function posAssertOfLine inps lits returns a list of trajectory formulas, each of which specifies a special value of each
node inpsi according to the literal litsi. If litsi is ZERO, then inpsi is specified as ff by an Is0 formula; else, if litsi is ONE, then
inpsi is specified as tt by an Is1 formula; otherwise, it is set as X by chaos. Let inps = [i1, i2], line = [ONE,ONE]; then
posAssertOfLine inps line = [Is1 i1, Is1 i2].
posAssertOfLine :: node list ⇒ Literal list ⇒ trajForm list
primrec
posAssertOfLine inps [] = []
posAssertOfLine inps (l#line) =
let otherAss = posAssertOfLine (tl inps) line in
(case l of ZERO ⇒ (Is0 (hd inps))#otherAss |
ONE ⇒ (Is1 (hd inps))#otherAss |
DONTCARE ⇒ chaos#otherAss)
Obviously, if there is a line l in the table tab of a gate, and the values assigned to the inputs of the gate satisfy the
formula andLists (posAssertOfLine inps l), then the output of the line is tt; thus the output of the gate is also set to tt.
Lemma 36 (orTabPropT).
[[Gate out inps tab ∈ nl; l mem tab;
∀l. l mem tab −→ length l = length inps]] =⇒
cktSat nl ((andLists (posAssertOfLine inps l)) ❀ (Is1 out))
Next, we introduce a function isNegAssOfLine A inps line. The function returns true if the formula A assigns to some node
inpsi the value that falsifies its literal litsi: if A is Is1 n, then the literal is ZERO; else, if A is Is0 n, then the literal is ONE.
For simplicity, isNegAssOfLine A inps line is defined to be False for any other formula.
isNegAssOfLine :: trajForm ⇒ node list ⇒ Literal list ⇒ bool
primrec
isNegAssOfLine (Is1 n) inps line = n mem inps ∧
(∃pair. pair ∈ zip inps line ∧ fst pair = n ∧ snd pair = ZERO)
isNegAssOfLine (Is0 n) inps line = n mem inps ∧
(∃pair. pair ∈ zip inps line ∧ fst pair = n ∧ snd pair = ONE)
isNegAssOfLine A inps line = False, for any other formula A
Suppose that, for a trajectory formula list asList and every line l in the table tab of a gate, there exists a formula A
in asList such that isNegAssOfLine A inps l. Then the output of each line is ff, and thus the output of the gate is set to ff.
For instance, let tab = [[ONE, ONE], [ZERO, ZERO]] and asList = [Is1 i1, Is0 i2]; then we have
∃A. (A mem asList) ∧ isNegAssOfLine A inps l for any l such that l mem tab.
Lemma 37 (orTabPropF).
[[Gate out inps tab ∈ nl; ∀l. l mem tab −→ length l = length inps;
∀l. l mem tab −→ (∃A. (A mem asList) ∧ isNegAssOfLine A inps l)]] =⇒
cktSat nl ((andLists asList) ❀ (Is0 out))
For convenience, we define a syntactical abbreviation: Isb n a ≡ (a −→T Is1 n) andT (¬a −→T Is0 n). Roughly speaking,
Isb n a means that node n is set to a Boolean value a. If the input node data of a delay is set to a Boolean value a at time 0, then
the output of the delay will be set to a at the next time point.
Lemma 38.
[[Delay out data ∈ nl; nl ∈ netlists; isClosed nl]] =⇒
cktSat nl ((Isb data a) ❀ Next (Isb out a))
10. Illustrative case studies
In this section, we use illustrative examples to demonstrate the power of our new laws. We choose content-addressable
memories (CAMs), a classical example used in STE literature. CAMs are widely used wherever fast parallel search operations
are required. Pandey used symbolic indexing techniques to verify CAMs, which is regarded as a classical work in STE
literature [28]. He reported a logarithmic reduction in the number of variables required if the symbolic indexing encoding
style is adopted. Darbari took advantage of a type-checking approach for symmetry detection based on a high-level HDL
description, where he used a richer type system to record the symmetry [9,17]. Using the symmetry type information,
he combined symmetry reduction with other decomposition rules. CAMs could be verified using a fixed number of BDD
variables since he only had to verify one line at a time, and the other lines can be verified by symmetry reduction. The
amount of time used in verification is linear with respect to the tag width, number of CAM lines and the number of CAMs.
The structure and property of a CAM circuit is rather complex, and the core of a CAM is a list of comparators whose
outputs are driving an OR-gate. So we start from an N-bit comparator.
10.1. N-bit comparator
The structure of an N-bit comparator is a natural extension of the 2-bit comparator shown in Fig. 1. For
convenience, we define some syntactical abbreviations: [0..<N] ≡ [0, . . . , N − 1] if N > 0. Let f be a function
over natural numbers; [f i. i < N] ≡ map f [0..<N]. In this work, we usually call such an f a vector; f i is denoted by fi. If fi is
still a vector, we write fij for f i j.
Let a, b, c be three vectors of nodes. ai is a node. Let N > 1, xnorTab = [[ONE,ONE], [ZERO, ZERO]], andLine =
[(λj.ONE) i. i < N], xnorGLs = {Gate ci [ai, bi] xnorTab. i < N}, cs = [ci. i < N], andG = Gate out cs [andLine]. Let nl
be a closed netlist such that xnorGLs ∪ {andG} ⊆ nl. To make our results more general, we only require that nl has the gate
andG and all the XNOR-gates in xnorGLs.
Let bvOfAs and bvOfBs be two vectors of Boolean variables to model symbolic values of nodes; bvOfAsi is a Boolean
variable. antOfAs = [Isb ai bvOfAsi. i < N], antOfBs = [Isb bi bvOfBsi. i < N], Gp0 = ∃i.i < N ∧ bvOfAsi ≠ bvOfBsi,
Gp1 = ∀i.i < N −→ bvOfAsi = bvOfBsi. Let ant = andLists (antOfAs@antOfBs), cons0 = Gp0 −→T Is0 out ,
cons1 = Gp1 −→T Is1 out , cons = cons0 andT cons1. Here, we want to prove an assertion cktSat nl (ant ❀ cons). Intuitively,
ant specifies the symbolic values of the nodes to be compared, cons0 says that out is low when a and b do not agree on a bit
i, and cons1 says out is high when a and b agree on all bits i < N . Due to space limitations, we only give key auxiliary results
for the main lemma. Refer to the Isabelle proof scripts [11] for the details.
Fig. 5. An M–N–CAM.
Lemma 39.
(1) [[i < N; ¬bvOfAsi ∧ bvOfBsi]] =⇒ cktSat nl ant ❀ andLists [Is0 ai, Is1 bi]
(2) [[i < N; bvOfAsi ∧ ¬bvOfBsi]] =⇒ cktSat nl ant ❀ andLists [Is1 ai, Is0 bi]
(3) [[i < N]] =⇒ cktSat nl (andLists [Is0 ai, Is1 bi]) ❀ Is0 ci
(4) [[i < N]] =⇒ cktSat nl (andLists [Is1 ai, Is0 bi]) ❀ Is0 ci
(5) [[i < N; bvOfAsi ≠ bvOfBsi]] =⇒ cktSat nl ant ❀ Is0 ci
(6) [[i < N]] =⇒ cktSat nl Is0 ci ❀ Is0 out
(7) [[i < N; bvOfAsi ∧ bvOfBsi]] =⇒cktSat nl ant ❀ (andLists (posAssertOfLine [ai, bi] [ONE,ONE]))
(8) [[i < N]] =⇒ cktSat nl (andLists (posAssertOfLine [ai, bi] [ONE, ONE])) ❀ Is1 ci
(9) [[i < N; ¬bvOfAsi ∧ ¬bvOfBsi]] =⇒ cktSat nl ant ❀ (andLists (posAssertOfLine [ai, bi] [ZERO, ZERO]))
(10) [[i < N]] =⇒ cktSat nl (andLists (posAssertOfLine [ai, bi] [ZERO, ZERO])) ❀ Is1 ci
(11) [[i < N; bvOfAsi = bvOfBsi]] =⇒ cktSat nl ant ❀ Is1 ci
(12) [[Gp1]] =⇒ cktSat nl ant ❀ (andLists [Is1 ci. i < N])
(13) cktSat nl (andLists [Is1 ci. i < N]) ❀ Is1 out.
In Lemma 39, (1)–(5) prove that the value of node ci will be set low if there is a bit i such that nodes ai and bi are set by
different values, and rule orTabPropF is the main rule used to prove these results. (6) says that once ci is set low, then the
output node is set low. (6) is proved by law andTabPropF. (7)–(11) prove that the value of node ci will be set high if nodes ai
and bi agree on the value of a bit i such that i < N , and rule orTabPropT is the main rule used to prove these results. From
these, (12) can be easily proved. (13) can be proved by law andTabPropT.
Lemma 40. cktSat nl (ant ❀ cons).
Proof. For the main goal, we use rule steConjI to decompose it into two subgoals: (a) cktSat nl ant ❀ cons0 and (b) cktSat nl ant ❀
cons1.
In order to prove (a), by rule steImpI, we assume that (c) Gp0, and need to show that cktSat nl ant ❀ Is0 out . From (c),
we obtain i where i < N and (d) bvOfAsi ≠ bvOfBsi. From this and Lemma 39(5), we have (e) cktSat nl ant ❀ Is0 ci. With
Lemma 39(6), by rule steTrans, we show that cktSat nl ant ❀ Is0 out .
In order to prove (b), by rule steImpI, we assume that (f) Gp1, and need to show that cktSat nl ant ❀ Is1 out . From (f) and
Lemma 39(12), we have (g) cktSat nl ant ❀ (andLists [Is1 ci. i < N]). With Lemma 39(13), by rule steTrans, we can show
that cktSat nl ant ❀ Is1 out. □
10.2. M–N–CAM
Fig. 5 shows a part of an M–N–CAM circuit. It stores M lines of tags, and the width of each tag is N. Let T and c be two
vectors of vectors of nodes, Tij be a node, and Tag and match be vectors of nodes. Let M > 1, N > 1, xnorTab and andLine be
defined as in Section 10.1, css = [[cij. j < N]. i < M], xnorGs = {Gate cij [Tij, Tagj] xnorTab. j < N, i < M}, matches =
[matchi. i < M], andGs = {Gate matchi cssi [andLine]. i < M}, orLine = λi. [(λj. if (j = i) then ONE else DontCare) j. j < M],
orTab = [orLine i. i < M], orG = Gate hit matches orTab. Let nl be a closed netlist such that xnorGs ∪ andGs ∪ {orG} ⊆ nl.
Let bvOfTs be a vector of vectors of Boolean variables to model the symbolic values of the stored tags, and bvOfTag a vector
of Boolean variables to model the symbolic value of the input tag. antOfTag = [Isb Tagj bvOfTagj. j < N], antOfTs =
[[Isb Tij bvOfTsij. j < N]. i < M], GpOfUnHitI = λi. (∃j. j < N ∧ bvOfTagj ≠ bvOfTsij), GpOfHitI = λi. (∀j. j <
N −→ bvOfTagj = bvOfTsij), GpOfUnHit = ∀i. i < M −→ GpOfUnHitI i, GpOfHit = ∃i. i < M ∧ GpOfHitI i. Let
ant = andLists (antOfTag @ (flat antOfTs)), cons0 = GpOfUnHit −→T Is0 hit, cons1 = GpOfHit −→T Is1 hit, cons =
cons0 andT cons1. Here, we want to prove an assertion cktSat nl (ant ❀ cons). In this assertion, ant still specifies the
symbolic values of the nodes of the input tag and the stored tags, cons0 says that the node hit is set low if no line matches
the input tag, and cons1 says that the node hit is set high if there exists one line which matches the input tag.
Lemma 41.
(1) [[i < M; GpOfUnHitI i]] =⇒ cktSat nl ant ❀ Is0 matchi
(2) [[GpOfUnHit]] =⇒ cktSat nl ant ❀ (andLists [Is0 matchi. i < M])
(3) cktSat nl (andLists [Is0 matchi. i < M]) ❀ Is0 hit
(4) [[GpOfUnHit]] =⇒ cktSat nl ant ❀ Is0 hit
(5) [[i < M; GpOfHitI i]] =⇒ cktSat nl ant ❀ Is1 matchi
(6) [[i < M]] =⇒ cktSat nl (Is1 matchi) ❀ (andLists (posAssertOfLine matches (orLine i)))
(7) [[i < M]] =⇒ cktSat nl (andLists (posAssertOfLine matches (orLine i))) ❀ Is1 hit
(8) [[i < M; GpOfHitI i]] =⇒ cktSat nl ant ❀ Is1 hit
In Lemma 41, (1) and (2) are simply derived from the results for an N-bit comparator when its output matchi is set low, as
shown in Lemma 39. Here, the antecedent GpOfUnHitI i specifies that the value of the i-th stored tag Ti does not match that
of the input tag Tag. (3) can be proved by law orTabPropF. (4) can be proved by combining (2) and (3). (5) is the result for
an N-bit comparator when its output matchi is set high, as shown in Lemma 39. Here, the antecedent GpOfHitI i specifies
that the value of the i-th stored tag Ti matches that of the input tag Tag. (6) can be simply proved by unfolding the definitions of
andLists and posAssertOfLine: posAssertOfLine matches (orLine i) is a list of trajectory formulas in
which the i-th element is Is1 matchi and every other element is chaos. (7) can be proved by law orTabPropT. (8) can be proved
by combining (5)–(7). From these results, it is reasonably easy to derive the following result by using rules steImpI, steConjI,
and steTrans.
Lemma 42. cktSat nl ant ❀ cons.
Proof. For the main goal, we use rule steconjI to decompose it into two subgoals: (a) cktSat nl ant ❀ cons0 and (b) cktSat nl ant ❀ cons1.
In order to prove (a), by rule steImpI, we assume that (c) GpOfUnHit, and need to show that cktSat nl ant ❀ Is0 hit. This
can be easily proved by Lemma 41(4).
In order to prove (b), by rule steImpI, we assume that (f) GpOfHit, and need to show that cktSat nl ant ❀ Is1 hit.
From (f), we can obtain an i such that i < M and GpOfHitI i. From this, by Lemma 41(8), we can easily prove that
cktSat nl ant ❀ Is1 hit.
Our proofs are purely algebraic reductions without any symbolic simulation. A distinguishing feature of our approach is
the use of the laws andTabPropT (andTabPropF) or orTabPropT (orTabPropF) to decompose one assertion on the output of an
AND-gate or OR-gate into assertions on each branch input node of the gate. This explains why we call the laws the algebraic
semantics of STE. Note that any combinational part of a circuit is composed of AND-gates and OR-gates; therefore, our
laws andTabPropT (andTabPropF) and orTabPropT (orTabPropF) are proposed for general-purpose use in the sense that
they can be combined to analyse any combination of parts of a circuit. Another feature is that our proof is a parameterized
verification of CAMs, where M and N are parameters which are arbitrary positive natural numbers. Based on the results
for the N-bit comparator, our parameterized proof has clean deductions which involve only simple applications of the rules
orTabPropT (orTabPropF) and of quantifier reasoning, and it does not suffer from any state explosion problem.
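The CAM specification above fixes what the guards GpOfHitI, GpOfUnHitI, GpOfHit and GpOfUnHit mean, and Lemmas 41 and 42 reduce the assertion on hit to per-line facts about matchi. The following is an added, executable model of that specification, written for this page and not taken from the paper's Isabelle development. It assumes the obvious bit-level reading of the circuit (an N-bit equality comparator per line, with hit the OR of all matchi) and enumerates every assignment of the symbolic tag and stored-tag bits for small M and N, checking the per-line facts (Lemma 41 (1) and (5)) and both consequents cons0 and cons1 on each case. The function names mirror the paper's identifiers; the bit-level comparator model and the enumeration are this example's assumptions.

```python
# Added example (not the paper's Isabelle development): an executable model of the
# CAM specification from Section 10. Names mirror the paper's GpOfHitI / GpOfUnHitI /
# GpOfHit / GpOfUnHit; the bit-level model of matchi and hit is our assumption
# (an N-bit equality comparator per line, ORed into hit), not code from the paper.
from itertools import product


def match_line(tag, stored):
    """Comparator on one line: matchi is high iff every tag bit equals the stored bit."""
    return all(t == s for t, s in zip(tag, stored))


def cam_hit(tag, stored_tags):
    """hit is the OR over all M lines of matchi (the orLine structure)."""
    return any(match_line(tag, stored) for stored in stored_tags)


def gp_of_hit_i(tag, stored_tags, i):
    """GpOfHitI i: forall j < N. bvOfTag_j = bvOfT_ij."""
    return all(tag[j] == stored_tags[i][j] for j in range(len(tag)))


def gp_of_unhit_i(tag, stored_tags, i):
    """GpOfUnHitI i: exists j < N. bvOfTag_j != bvOfT_ij."""
    return any(tag[j] != stored_tags[i][j] for j in range(len(tag)))


def gp_of_hit(tag, stored_tags):
    """GpOfHit: exists i < M. GpOfHitI i."""
    return any(gp_of_hit_i(tag, stored_tags, i) for i in range(len(stored_tags)))


def gp_of_unhit(tag, stored_tags):
    """GpOfUnHit: forall i < M. GpOfUnHitI i."""
    return all(gp_of_unhit_i(tag, stored_tags, i) for i in range(len(stored_tags)))


def check_cam_assertions(m, n):
    """Enumerate every assignment of the N input-tag bits and the M*N stored-tag bits
    (the symbolic values that ant ranges over) and check the ingredients of Lemma 41/42:
      (1)/(5): GpOfUnHitI i forces matchi low, GpOfHitI i forces matchi high;
      cons0:   GpOfUnHit forces hit low;   cons1: GpOfHit forces hit high.
    Returns a summary dict; raises AssertionError on the first violated case."""
    cases = hits = unhits = 0
    for bits in product((0, 1), repeat=n * (m + 1)):
        tag = bits[:n]
        stored = [bits[n + i * n : n + (i + 1) * n] for i in range(m)]
        for i in range(m):                       # Lemma 41 (1) and (5), per line
            if gp_of_unhit_i(tag, stored, i):
                assert not match_line(tag, stored[i])
            if gp_of_hit_i(tag, stored, i):
                assert match_line(tag, stored[i])
        if gp_of_unhit(tag, stored):             # cons0 = GpOfUnHit -->T Is0 hit
            assert not cam_hit(tag, stored)
            unhits += 1
        if gp_of_hit(tag, stored):               # cons1 = GpOfHit -->T Is1 hit
            assert cam_hit(tag, stored)
            hits += 1
        cases += 1
    # The two guards are complementary, so every case is covered by exactly one of them.
    assert hits + unhits == cases
    return {"cases": cases, "hit": hits, "unhit": unhits}


if __name__ == "__main__":
    print(check_cam_assertions(m=3, n=2))
```

The enumeration is only a sanity check for fixed M and N; the point of the paper's proof is that the algebraic laws discharge the assertion for arbitrary M and N without enumerating cases at all.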
11. Conclusion
The key contribution of our work is to introduce the inductive approach to formalize both the structure and the simulation
semantics of a netlist. The legal structure of a netlist requires the following conditions: conflicts between the output nodes of
two logical entities must be eliminated, and a cycle must not occur in the combinational part of the netlist, although a cycle
is allowed to pass through a delay element. It is difficult to define the structure simply with a datatype because such cycles exist.
The inductive definition of a netlist formally specifies these requirements by a set of intuitive introduction rules.
The inductive approach also provides a satisfying answer to formalize the information propagation through a netlist
structure in the simulation semantics of a netlist. Essentially, such a propagation is a process of value assignments to nodes
which spreads from each gate’s inputs to its outputs, and this process is started from the primitive input nodes of the
netlists and state-holding nodes of delay entities. The three inductive rules in rclosure accurately capture the semantics
of the information propagation process. Furthermore, we can formally derive functions fclosure and fSeq. Here, the function
fSeq can be seen as a concrete version of the abstract next-state Y function used in classical STE literature. It is sound in the
sense that fSeq is monotonic. Therefore our work not only proves the existence of a special next-state Y function, but also
shows its formal construction by deriving fSeq.
Not only does the inductive approach help us to formally define the structure and simulation semantics of a netlist, it also
provides an effective inductive principle to prove useful properties of a netlist. In particular, we use the induction principle
to prove two unique-existence results which prove the soundness of the semantical model. The first one says that, for any
defined node n, there is a unique logical entity in the netlist whose output is n. The second proves that the relation rclosure
nl s is single valued; thus the function rclosure nl s can be formally induced.
The advantage of introducing a formal netlist model is to explicitly explore the close relation between the properties
of a circuit and its structure. Our two main results are symmetry reduction and a set of novel algebraic laws, and they are
introduced to decompose an STE assertion. In our case study, we show how to combine some of our laws for parameterized
verification of content-addressable memories (CAMs). This experience has demonstrated both theoretical and practical
benefits because it provides an alternative effective way — algebraic reduction for STE assertion verification.
In the future, we will extend our research in two directions. (1) We will make our reduction method as automatic as
possible. In fact, there are strong heuristics for applying some laws. For instance, if the consequent of an assertion specifies that
the output node of an AND-gate is set to a positive value, then rules steTrans and andTabPropT should be applied, and a new
assertion is introduced to specify that the values of all the input nodes should also be set to positive values if the antecedent
of the original assertion holds, as shown in Lemma 40. (2) We will look into combining our reduction method with STE model
checking. Using our reduction method, we decompose a complex assertion into small assertions, then use an STE tool like
Forte to directly model-check the small assertions. The key to combining the two techniques is to select a proper interface
and development environment to integrate them.
Acknowledgement
The first author is supported by grants (No. 60833001, 60603001, 60721061, 60496321, 61050002, 60421001) from the
National Natural Science Foundation of China.
Appendix A. Isabelle notations
We briefly present some Isabelle notation and commands used in this work. For more details, refer to [10].
Types. There are basic types such as bool, the type of truth values True and False, and nat, the type of natural numbers. The standard
Boolean operators ∧, ∨ and → are defined as usual. Function types are denoted by ⇒, and product types by ×. Types can
also be constructed by type constructors such as list and set. For instance, nat list declares the type of lists whose members
are natural numbers.
Terms. The form of terms used in this paper is reasonably simple. A term is simply a constant or variable identifier, or a function
application such as f t, where f is a function of type τ1 ⇒ τ2, and t is a term of type τ1.
Introducing new types. There are three kinds of command for introducing new types. typedecl name introduces a new
‘‘opaque’’ type name without a definition; types name = τ introduces an abbreviation name for the type τ. The datatype command
can introduce a recursive data type. A general datatype definition is of the form
datatype (α1, . . . , αn) = C1 τ11 . . . τ1k1 | . . . | Cm τm1 . . . τmkm
where the αi are distinct type variables (the parameters), the Ci are distinct constructor names, and the τij are types. Note that n can be
0, i.e., there is no type parameter in the datatype declaration.
Definition commands. The consts command declares a function’s name and type. defs gives the definition of a declared
function. constdefs combines the effect of consts and defs. For instance, the following commands define a square function
on nat.
Combining the consts and inductive commands, we can give an inductive definition for a set. An inductively defined set S
is typically of the following form:
consts S :: τ set
inductive S
intros
rule1: [|a11 ∈ S; . . . ; a1k1 ∈ S; A11, . . . , A1i1 |] =⇒ a1 ∈ S
. . .
rulen: [|an1 ∈ S; . . . ; ankn ∈ S; An1, . . . , Anin |] =⇒ an ∈ S
Lemmas. Lemmas are presented by the notation [[A1; A2; . . . ; An]] =⇒ B , which means that, with assumptions A1, . . . , An,
we can derive a conclusion B.
Appendix B. Other Laws
In this part, we introduce some other laws which are used in our work. Many of these laws have been introduced in
previous STE work. They are general in the sense that they are independent of the structure of a netlist.
The first one is the Reflexivity rule.
Lemma 43 (steRefl).
cktSat nl (A ❀ A)
Next is the transitivity rule. It allows us to combine together STE assertions in a transitive way.
Lemma 44 (steTrans).
[[cktSat nl (A ❀ B); cktSat nl (B ❀ C)]] =⇒ cktSat nl (A ❀ C)
The next rule, steconjI, splits the consequent of an STE assertion into individual conjuncts, which can be verified
separately.
Lemma 45 (steconjI).
[[cktSat nl (A ❀ B); cktSat nl (A ❀ C)]] =⇒ cktSat nl (A ❀ B andT C)
Rule steImpI takes out the Boolean guard g in the consequent of an STE assertion, and turns it into a Boolean assumption.
Lemma 46 (steImpI).
[[g =⇒ cktSat nl (A ❀ B)]] =⇒ cktSat nl (A ❀ g −→T C)
Rule steEnStrenAnt says that, if defSqOfTrForm A′ ⊑sq defSqOfTrForm A, then the assertion A′ ❀ B implies that A ❀ B
because the antecedent A is stronger than A′.
Lemma 47 (steEnStrenAnt).
[[cktSat nl (A′ ❀ B); defSqOfTrForm A′ ⊑sq defSqOfTrForm A]] =⇒ cktSat nl (A ❀ B)
Rule steWeakenCons says that, if defSqOfTrForm B ⊑sq defSqOfTrForm B′, then the assertion A ❀ B′ implies that A ❀ B
because the consequent B is weaker than B′.
Lemma 48 (steWeakenCons).
[[cktSat nl (A ❀ B′); defSqOfTrForm B ⊑sq defSqOfTrForm B′]] =⇒ cktSat nl (A ❀ B)
Lemmas steAndComm and steAndAssoc say that operator andT satisfies commutative and associative laws.
Lemma 49 (steAndComm). defSqOfTrForm (A andT B) = defSqOfTrForm (B andT A).
Lemma 50 (steAndAssoc). defSqOfTrForm ((A andT B) andT C) = defSqOfTrForm (A andT (B andT C))
A conjunct (False −→T B) can be safely eliminated from a trajectory formula.
Lemma 51 (elimFalseGuard). defSqOfTrForm (A andT (False −→T B)) = defSqOfTrForm A
A trajectory formula True −→T A is equivalent to A.
Lemma 52 (simpTrueGuard). defSqOfTrForm (True −→T A) = defSqOfTrForm A
chaos is the unit of the operator andT.
Lemma 53 (andChaosId). defSqOfTrForm (A andT chaos) = defSqOfTrForm A
defSqOfTrForm is congruent for the operator andT.
Lemma 54 (steAndCong). defSqOfTrForm (A andT B) = defSqOfTrForm (A andT B′) if defSqOfTrForm B = defSqOfTrForm B′.
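Lemmas 49 to 54 are all statements about the defining sequence defSqOfTrForm, and steWeakenCons rests on the ordering ⊑sq between such sequences. The block below is an added, executable model of these notions for single-time trajectory formulas (Is0, Is1, andT, guarded conjuncts and chaos); it is written for this page and is not the paper's Isabelle code. It encodes the four node values X, 0, 1 and T as 2-bit constraint sets so that the join is bitwise OR, computes the defining sequence as the node-wise join of all contributing conjuncts, and checks each of the six laws plus the monotonicity premise behind steWeakenCons on randomly generated formulas. The node set, the tuple encoding of formulas and the random generator are this example's assumptions; no next-time operator is modelled.

```python
# Added example (not the paper's Isabelle code): a small executable model of the
# defining sequence defSqOfTrForm for single-time trajectory formulas, used to test
# Lemmas 49-54 and the ordering premise of steWeakenCons on random formulas.
# The node set, the tuple encoding of formulas and the random generator are assumptions.
import random

# Four-valued lattice of node values as 2-bit constraint sets: X (no information),
# 0, 1, and T (over-constrained).  Join is bitwise OR, and u <= v iff u's bits are in v.
X, LOW, HIGH, TOP = 0b00, 0b01, 0b10, 0b11
NODES = ("a", "b", "c")


def def_sq(formula, nodes=NODES):
    """defSqOfTrForm: the weakest state satisfying the formula, built by joining the
    constraints contributed by each conjunct (guarded conjuncts contribute only if
    their Boolean guard holds).  Formulas are tuples:
      ("chaos",), ("is0", n), ("is1", n), ("and", A, B), ("guard", g, A)."""
    state = {n: X for n in nodes}

    def walk(f):
        kind = f[0]
        if kind == "chaos":
            return
        if kind == "is0":
            state[f[1]] |= LOW
        elif kind == "is1":
            state[f[1]] |= HIGH
        elif kind == "and":
            walk(f[1])
            walk(f[2])
        elif kind == "guard":
            if f[1]:          # g -->T A contributes A's constraints only when g is True
                walk(f[2])
        else:
            raise ValueError(f"unknown formula {f!r}")

    walk(formula)
    return state


def leq_sq(s, t):
    """The ordering on states: s is below t iff t carries at least s's constraints at every node."""
    return all((s[n] | t[n]) == t[n] for n in s)


def random_formula(rng, depth=3):
    """Random single-time trajectory formula over NODES (constructed test input)."""
    if depth == 0 or rng.random() < 0.3:
        return rng.choice([("chaos",), ("is0", rng.choice(NODES)), ("is1", rng.choice(NODES))])
    if rng.random() < 0.5:
        return ("and", random_formula(rng, depth - 1), random_formula(rng, depth - 1))
    return ("guard", rng.choice([True, False]), random_formula(rng, depth - 1))


def check_laws(trials, seed=0):
    """Check Lemmas 49-54 and the monotonicity behind steWeakenCons on `trials`
    random formula triples; returns the number of trials checked."""
    rng = random.Random(seed)
    for _ in range(trials):
        A, B, C = (random_formula(rng) for _ in range(3))
        assert def_sq(("and", A, B)) == def_sq(("and", B, A))                          # steAndComm
        assert def_sq(("and", ("and", A, B), C)) == def_sq(("and", A, ("and", B, C)))  # steAndAssoc
        assert def_sq(("and", A, ("guard", False, B))) == def_sq(A)                    # elimFalseGuard
        assert def_sq(("guard", True, A)) == def_sq(A)                                 # simpTrueGuard
        assert def_sq(("and", A, ("chaos",))) == def_sq(A)                             # andChaosId
        B2 = ("and", B, ("chaos",))                   # defSq B = defSq B2, so steAndCong applies
        assert def_sq(("and", A, B)) == def_sq(("and", A, B2))                         # steAndCong
        # Premise shape used with steWeakenCons: defSq B is below defSq (B andT C), so a
        # result proved for the stronger consequent B andT C also yields one for B.
        assert leq_sq(def_sq(B), def_sq(("and", B, C)))
    return trials


if __name__ == "__main__":
    print(def_sq(("and", ("is1", "a"), ("guard", True, ("is0", "b")))))
    print("checked", check_laws(500), "random triples")
```

Because the laws are equalities of defining sequences rather than of formulas, the model compares the computed states, not the syntax trees; this is exactly why steAndCong lets syntactically different but semantically equal conjuncts be exchanged inside an assertion.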
References
[1] C.-J.H. Seger, R.E. Bryant, Formal verification by symbolic evaluation of partially-ordered trajectories, Formal Methods in System Design 6 (2) (1995)
147–189. doi:10.1007/BF01383966.
[2] J. O’Leary, X. Zhao, R. Gerth, C.-J.H. Seger, Formally verifying IEEE compliance of floating-point hardware, Intel Technology Journal Q1 (1999) 147–190.
[3] M.D. Aagaard, R.B. Jones, C.-J.H. Seger, Combining theorem proving and trajectory evaluation in an industrial environment, in: DAC’98: Proceedings
of the 35th Annual Conference on Design Automation, ACM, New York, NY, USA, 1998, pp. 538–541. doi:10.1145/277044.277189.
[4] Technical Publications and Training, Intel Corporation, Forte/fl user guide, 2003rd edition.
[5] C.-T. Chou, The mathematical foundation for symbolic trajectory evaluation, in: CAV’99: Proceedings of the 11th International Conference on Computer
Aided Verification, Springer-Verlag, London, UK, 1999, pp. 196–207.
[6] Altera Corporation, Quartus II quick start guide. http://www.altera.com/literature/manual/mnl_qts_quick_start.pdf.
[7] J.-W. Roorda, K. Claessen, Explaining symbolic trajectory evaluation by giving it a faithful semantics, in: D. Grigoriev, J. Harrison, E.A. Hirsch (Eds.),
Computer Science — Theory and Applications, First International Computer Science Symposium in Russia, CSR 2006, St. Petersburg, Russia, June 8–12,
2006, Proceedings, in: Lecture Notes in Computer Science, vol. 3967, Springer, 2006, pp. 555–566.
[8] J.-W. Roorda, Symbolic trajectory evaluation using a satisfiability solver, Ph.D. Thesis, Department of Computer Science and Engineering Chalmers
University of Technology and Goteborg University, 2005.
[9] A. Darbari, Symmetry reduction for STE model checking, in: FMCAD, IEEE Computer Society, 2006, pp. 97–105.
[10] T. Nipkow, L.C. Paulson, M. Wenzel, Isabelle/HOL — a proof assistant for higher-order logic, in: LNCS, vol. 2283, Springer, 2002.
[11] Y. Li, Formalization of symbolic trajectory semantics, http://lcs.ios.ac.cn/~lyj238/steSymmetry.html, 2009.
[12] M.J.C. Gordon, Why higher-order logic is a good formalism for specifying and verifying hardware, in: G. Milne, P. Subrahmanyam (Eds.), Formal Aspects
of VLSI Design, Elsevier Science Publishers, 1986.
[13] T.F. Melham, Formalizing abstraction mechanisms for hardware verification in higher order logic, Ph.D. Thesis, University of Cambridge, August 1989.
[14] T. Melham, Higher order logic and hardware verification, in: Cambridge Tracts in Theoretical Computer Science, vol. 31, Cambridge University Press,
1993, URL: http://www.comlab.ox.ac.uk/tom.melham/pub/Melham-1993-HOL.html.
[15] M. Aagaard, T.F. Melham, J.W. O’Leary, Xs are for trajectory evaluation, booleans are for theorem proving, in: CHARME’99: Proceedings of the 10th
IFIP WG 10.5 Advanced Research Working Conference on Correct Hardware Design and Verification Methods, Springer-Verlag, London, UK, 1999,
pp. 202–218.
[16] A. Darbari, Formalization and execution of STE in HOL (extended version), Tech. Rep. RR-03-17, Oxford University Computing Laboratory, March 2003.
[17] A. Darbari, Symmetry reduction for STE model checking using structured models, Ph.D. Thesis, University of Oxford, 2006.
[18] M. Sheeran, µFP, a language for VLSI design, in: LISP and Functional Programming, 1984, pp. 104–112.
[19] J.T. O’Donnell, Hydra: hardware description in a functional language using recursion equations and high order combining forms, in: G.J. Milner (Ed.),
The Fusion of Hardware Design and Verification, North-Holland, 1988, pp. 309–328.
[20] J.T. O’Donnell, Generating netlists from executable circuit specifications, in: J. Launchbury, P.M. Sansom (Eds.), Functional Programming, Workshops
in Computing, Springer, 1992, pp. 178–194.
[21] P. Bjesse, K. Claessen, M. Sheeran, S. Singh, Lava: hardware design in Haskell, in: ICFP, 1998, pp. 174–184.
[22] J. Grundy, T. Melham, J. O’Leary, A reflective functional language for hardware design and theorem proving, Journal of Functional Programming 16 (2)
(2006) 157–196. doi:10.1017/S0956796805005757. URL: http://www.comlab.ox.ac.uk/tom.melham/pub/Grundy-2006-RFL.pdf.
[23] T. Nipkow, Winskel is (almost) right: towards a mechanized semantics textbook, in: Proceedings of the 16th Conference on Foundations of Software
Technology and Theoretical Computer Science, Springer-Verlag, London, UK, 1996, pp. 180–192.
[24] T. Nipkow, L.C. Paulson, Proof pearl: defining functions over finite sets, in: J. Hurd (Ed.), Theorem Proving in Higher Order Logics, TPHOLs 2005, in: LNCS,
vol. 3603, Springer, 2005, pp. 385–396.
[25] G. Winskel, Formal Semantics of Programming Languages, MIT Press, Cambridge, Massachusetts, 1993.
[26] L.C. Paulson, ML for the Working Programmer, University of Cambridge Press, 1996.
[27] University of California, Berkeley, Berkeley logic interchange format (BLIF). http://www.cs.uic.edu/~jlillis/courses/cs594/spring05/blif.pdf, February
22 2005.
[28] M. Pandey, R. Raimi, R.E. Bryant, M.S. Abadir, Formal verification of content addressable memories using symbolic trajectory evaluation, in: DAC’97:
Proceedings of the 34th Annual Design Automation Conference, ACM, New York, NY, USA, 1997, pp. 167–172. doi:10.1145/266021.266056.
