Abstract. We present a new approach to hardware verification based on describing circuits in Monadic Second-order Logic (M2L). We show how to use this logic to represent generic designs like n-bit adders, which are parameterized in space, and sequential circuits, where time is an unbounded parameter. M2L admits a decision procedure, implemented in the Mona tool [17], which reduces formulas to canonical automata.
Introduction
Correctness of hardware systems can be established by enumeration when the possible behaviors are finite, or by formal theorem proving when the possible behaviors are infinite. The finite case arises when reasoning, for example, about combinational circuits: these can be represented as functions in Boolean logic, and correctness can be established by enumeration of possible inputs and outputs. Although any hardware system is of finite size, the infinite case may arise in several ways. One may be interested in demonstrating the correctness of an infinite family of related systems, for example, families of arithmetical circuits like n-bit adders or n-bit counters, whose description depends uniformly on the parameter n. Alternatively, the behavior of a single circuit may depend not only on current inputs but on previous values as well. For example, the behavior of a sequential circuit is a function of time, and one may want to establish that the circuit behaves correctly over arbitrarily long time intervals.

When behaviors are finite, arguments based on enumeration are popular due to the optimizations often possible using a symbolic representation like Binary Decision Diagrams (BDDs). A BDD is an automaton-like representation of a finite relation or function. In the BDD method, a symbolic representation of the finite function calculated by a combinational circuit is obtained through operations reflecting the Boolean semantics of the gates. The BDD calculations are often much faster than other mechanized means of reasoning and demand little user intervention.
We present here a generalized method that can automatically establish properties of many infinite relations and functions. Our method is based on a decidable logic, the Monadic Second-order Logic on Strings, abbreviated M2L. In M2L, propositional variables of Boolean logic are generalized to variables that denote strings of bits. Every M2L formula defines a language over an alphabet B^k, consisting of a cross-product of Booleans: one Boolean for each of the k free variables of the formula. Strings over this alphabet describe the values of all free variables. The language defined by the formula is then the possibly infinite set of strings defining values that make the formula true. This correspondence generalizes the way a BDD defines a set of satisfying truth assignments. Moreover, any such language corresponds to a language recognized by a finite-state machine; hence M2L formulas characterize regularity.
We show how to exploit this logical characterization of regularity to reason about parameterized classes of circuit designs and their behavior. The language that a formula defines can represent words of unbounded size (the behaviors of members of a parameterized family of circuits) or how the state of a circuit evolves over time.
An example of a parameterized family of circuits is an n-bit adder. In M2L,
we can write a formula (cf. §4) that precisely describes how 1-bit adders are composed in a ripple-carry fashion to form n-bit adders. Under the semantics of M2L, this formula defines an input-output relation on two inputs A and B of size n and an output C of size n. This relation can be represented by a language over an alphabet that has three Boolean components, so that a string of length n encodes the values of A, B, and C. For example, in the string whose A-track reads 1100 (so A = 3), we similarly read off B = 1 = 1000 and C = 4 = 0010. Thus, this string defines an interpretation such that the sum of the binary numbers A and B is C. Note that the variable A can also be thought of as denoting a subset, namely the set {0, 1} of positions where the A-track contains a 1 (similarly, B denotes the subset {0}, and C denotes {2}). Alternatively, we may view the set denoted by A as a predicate A(p) that holds on position p if and only if there is a 1 in the p-th position of the A-track. The predicate A(p) is monadic (i.e., of one argument). Thus, when A occurs in a formal logic as a variable, it is monadic second-order.

This approach to parameterized verification applies to any scenario that can be modeled as a regular set over alphabets of the form B^k. Not all parameterized circuits can be so described (e.g., multipliers and grid-shaped circuits with multiple independent parameters). However, our examples indicate that, when applicable, both circuits and their properties can be simply expressed in M2L. An example of temporal parameterization is the modeling of an RS flip-flop, where a string of length n with three components models the behavior of the circuit through n time instants, each described by a letter defining the values of the inputs R and S and the output Q. These examples are very easy to formulate in M2L; with a little syntactic sugar, the M2L specifications resemble those used in standard hardware description languages.
Since any M2L formula can be reduced to an automaton that accepts exactly its satisfying interpretations, validity is decidable. A formula is valid (i.e., always true) if the corresponding automaton accepts all strings. Validity testing can be used to show that the logic of a circuit is consistent with a specification of its behavior. For example, if the formula behavior describes the behavior of an n-bit adder and the formula circuit describes a proposed realization as a parameterized circuit, then the property that the circuit behaves as an adder can be checked by verifying that the automaton corresponding to circuit ⇒ behavior accepts all strings. If there is some string that is not accepted by the automaton, then this string encodes a counter-model, which can be used to debug the proposed design.
Remarkably, the decision problem for M2L is non-elementary decidable: a formula of size n may require time and space bounded below by an iterated stack of exponentials whose height is proportional to n. In contrast, Quantified Boolean Logic (QBL), which can formalize combinational logic (and be decided using traditional BDD operations), is only PSPACE-complete. The Mona tool, described in [17], implements a decision procedure for formulas in M2L on strings (and trees, which we do not consider here). Mona supports predicate definitions, libraries, display of automata, and counter-model generation. Its implementation is based on a generalization of BDDs for the representation of automata on large alphabets.
Our contributions
We describe the theory and practice of how M2L, as embodied in Mona, can be used to automatically verify parameterized circuit designs despite the staggering theoretical complexity bound. Our results demonstrate how the Mona automaton model efficiently generalizes BDDs to reasoning about infinite domains that correspond to regular languages. The examples we present here offer various techniques for dealing with the infinite in automatic hardware verification.
Our arithmetic logic unit (ALU) example shows how an infinite family of combinational circuits can be concisely described in M2L. Our D-type flip-flop example illustrates how M2L can be used as a succinct temporal logic for analysis of difficult sequential circuits. This example also demonstrates how Mona serves not only as a verification tool but also provides a means to explore and understand circuit behavior.
Our signal processor example shows how parameterized sequential circuits can be verified.
For the circuits studied both in this paper and in the literature, our approach is orders of magnitude faster than other theorem-proving approaches. For hardware problems expressible in QBL, Mona is as efficient as the direct use of BDD-based procedures, since Mona generalizes standard BDD-based hardware reasoning.
We provide some theoretical explanations of why M2L is usable in practice despite the worst-case bounds. In particular, we identify situations where the automata-theoretic subset construction behaves linearly despite its exponential worst-case bound.
Organization
We proceed as follows. In §2, we introduce M2L. In §3, we present the essentials of the Mona tool and relate it to BDD-based hardware procedures. In §4, we consider specification and verification of parameterized combinational hardware. In §5, we consider timed hardware and we use Mona to analyze temporal properties of a D-type flip-flop. In §6, we present a signal-processing circuit as an example of formalizing and reasoning about parameterized, sequential hardware. In §7, we give some theoretical justifications for why our approach works in practice. Finally, in §8, we compare M2L and our use of Mona to other deduction-based and automata-theoretic approaches.
The Second-Order Monadic Logic on Strings
The Monadic Second-order Logic on strings that we use is closely related to S1S, the second-order monadic theory of one successor, and S2S, the second-order monadic theory of two successors, which are among the most expressive decidable logics known (cf. [29]). In these logics, first-order terms are interpreted over positions in an infinite string (S1S) or tree (S2S), and second-order variables are interpreted by subsets of positions. In M2L, first-order terms are interpreted over finite strings. S1S and S2S are more expressive than M2L, but have not been shown to be feasible in practice.
The correspondence between automata and regular languages is well known. The decidability of the above-mentioned logics is based on the well-understood (but less widely known) fact that regular languages may be characterized by logics; see [20, 29]. Consider, for example, the automaton which accepts the regular language {1, 10, 101, 1010, 10101, ...}. Now assume that X is a variable over binary strings. We say that X(p) holds, where p ≥ 0, if the p-th position in X is 1. Now, the regular language above can be described in M2L as
(1) where $ denotes the last position in the string and ⊕ is addition modulo the length of the string; thus, the formula states that the first (i.e., 0th) letter in the string X is 1 and that for subsequent positions p, up to the penultimate position, the p-th character of X is 1 precisely when the following letter is not.
We describe M2L below. It turns out that the logic precisely characterizes regularity: every M2L formula describes a regular set and, conversely, every regular set is described by an M2L formula.
Syntax
M2L consists of three kinds of entities: first-order terms, second-order terms, and formulas. First-order terms are formed from first-order variables p, q, ..., the constants 0 (the first position) and $ (the last position), and the expressions t ⊕ m (the m-th position to the right from t), where t is a first-order term and m is a natural number. Second-order terms are built from second-order variables X, Y, ..., the constants empty (the empty set) and all (the set of all positions), and they may be combined using ∩ and ∪. Formulas arise as follows: if t₁ and t₂ are first-order terms and S₁ and S₂ are second-order terms, then t₁ ∈ S₁, t₁ = t₂, t₁ < t₂, and S₁ = S₂ are formulas. Formulas may be combined by the standard connectives ¬ and ∧. Quantifiers also build formulas: if p and X are first- and second-order variables respectively, and f is a formula, then ∃¹p : f and ∃²X : f are formulas.
The syntax we have given is not minimal; see [29]. For example, first-order variables can be eliminated by replacing each first-order variable with a second-order variable that is constrained to be a singleton set. (This is also the way that Mona handles first-order variables.) Also, we will make frequent use of standard definitions and syntactic sugar in the remainder of the paper.
First, the complete set of propositional connectives, inequality, universal quantification and the like are all definable, as is standard in a classical logic. For example, f₁ ∨ f₂ is defined as ¬(¬f₁ ∧ ¬f₂) and ∀²X : f is defined as ¬(∃²X : ¬f). Second, since we can view a second-order variable X as a bit vector, we again write X(p) for p ∈ X. Finally, when the order of a variable can be determined from context, we may omit superscripts on quantifiers. For example, in the expression X(p) ∧ b, it must be the case that X, p, and b are second-order, first-order, and Boolean, respectively. To help disambiguation, we use capital letters for second-order variables and lowercase letters like i, j, p, and q for first-order position variables. Remaining lower-case strings like x, y, cin and cout represent Booleans. With these abbreviations and conventions, (1) is a formula of M2L.
Semantics
A formula is interpreted relative to a natural number n ≥ 0, called the length, which defines the positions {0, ..., n−1}. A first-order term denotes a position. Thus, a first-order variable ranges over the set {0, ..., n−1}. The constant 0 denotes the position 0, and $ denotes n−1. The expressions t ⊕ m and t ⊖ m denote the positions j + m mod n and j − m mod n, where j is the interpretation of t.
A second-order variable P denotes a subset of {0, ..., n−1}. Alternatively, a second-order variable can be viewed as designating a bit pattern b₀ ... b_{n−1} of length n, where bᵢ is 1 if and only if i belongs to the interpretation of P. The constants empty and all denote the sets ∅ and {0, ..., n−1}, and the operators ∩ and ∪ are the usual set-theoretic operations. A 0th-order (Boolean) variable is simulated by a special second-order variable, which may contain the non-standard position −1 (and this means "true").
The meaning of formulas is straightforward. For example, the formula t ∈ S is true when the position denoted by t is in the set denoted by S. Propositional connectives have their standard meaning. ∃¹p : f is true when there is a position i in {0, ..., n−1} such that the denotation of f is true with i replacing p. Truth of ∃²X : f is defined similarly, with X replaced by a subset of {0, ..., n−1}.
A formula f defines a regular language consisting of the interpretations of its free variables that make f true. In the formula (1), we have one free variable, X, and the interpretations that make it true are exactly the strings in the regular language {1, 10, 101, 1010, 10101, ...}. More generally, if a formula has k free second-order variables (and, as noted above, all other variables are encoded using second-order variables), then the language denoted is over the alphabet B^k consisting of k-tuples of Booleans. As a simple example, the formula f given by ∀p : P(p) ↔ ¬Q(p) defines a language L(f) over B² as follows. We make the convention that if the letter (a, b) ∈ B² occurs in position i, then i is in P iff a is 1 and i is in Q iff b is 1. In this way, a string over B² determines an interpretation of P and Q. The language denoted is the set of strings describing interpretations that make f true.

The Mona Tool
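To make this semantics concrete, here is an added example (not code from the paper or from the Mona tool) that evaluates M2L formulas directly on finite strings by enumeration: a formula with k free second-order variables becomes a Python predicate on the length n and k position sets, and its language is read off by enumerating every string over B^k up to a chosen length. Formula (1) is transcribed from its prose description in §2 (X(0) holds, and X(p) ↔ ¬X(p ⊕ 1) for every p before $); the second formula, ∀p : P(p) ↔ ¬Q(p), has two free variables and so defines a language over B². The function names (`interpretations`, `language`, `formula_1`, `complementary`) are my own.

```python
from itertools import product

# Added example (not from the paper or the Mona tool): brute-force evaluation of
# M2L formulas on finite strings. A formula with k free second-order variables
# is a Python predicate on the length n and k position sets; its language is
# the set of strings over B^k (one bit per variable per position) whose
# interpretation makes it true.

def interpretations(k, n):
    """Every string of length n over B^k, returned as a k-tuple of position sets."""
    for word in product(product((0, 1), repeat=k), repeat=n):
        yield tuple(frozenset(p for p in range(n) if word[p][i]) for i in range(k))

def as_bits(S, n):
    """The bit-pattern view b_0 ... b_{n-1} of a second-order variable."""
    return "".join("1" if p in S else "0" for p in range(n))

def language(formula, k, max_n):
    """All satisfying interpretations of length <= max_n, as k-tuples of bit strings."""
    return [tuple(as_bits(S, n) for S in interp)
            for n in range(max_n + 1)
            for interp in interpretations(k, n)
            if formula(n, *interp)]

def formula_1(n, X):
    """Formula (1): X(0), and for every position p before the last one ($),
    X(p) <-> not X(p (+) 1), where (+) is addition modulo n. Position 0 must
    exist, so the empty string (n = 0) is not a model."""
    return n > 0 and 0 in X and all(
        (p in X) != (((p + 1) % n) in X) for p in range(n - 1))

def complementary(n, P, Q):
    """forall p : P(p) <-> not Q(p), a formula over B^2 (tracks P and Q)."""
    return all((p in P) != (p in Q) for p in range(n))

def language_of_formula_1(max_n=5):
    return [s for (s,) in language(formula_1, 1, max_n)]

def language_of_complementary(max_n=2):
    return language(complementary, 2, max_n)

if __name__ == "__main__":
    print(language_of_formula_1())        # ['1', '10', '101', '1010', '10101']
    print(language_of_complementary())
```

The enumeration grows as 2^(kn), so this is only a way to see the semantics, not a decision procedure; the point of the automaton construction in §3 is precisely that the language can be represented finitely for all n at once.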
The Mona tool implements a decision procedure for M2L. Details can be found in [17, 20]; here, we summarize the main algorithms and data structures. Input to Mona is a script consisting of a sequence of definitions followed by a formula to be proved. For each formula f in the script, Mona constructs a deterministic automaton recognizing L(f). Construction of automata proceeds using standard operations (see [29]) by recursion on the structure of f.
For example, if f is the formula f₁ ∧ f₂, then Mona first calculates the automata Aᵢ recognizing the language corresponding to fᵢ. Second, Mona calculates the automaton corresponding to f by forming the product automaton of the Aᵢ and minimizing the result. In a similar way, negation corresponds to the automata-theoretic operation of swapping final and non-final states. Existential quantification corresponds to a projection, followed by a subset construction and minimization. More precisely, if the formula f corresponds to an automaton A that reads strings over the alphabet B^k, then the automaton for the formula ∃²X : f is built by projection from A, changing it so that it guesses the track corresponding to X. The resulting automaton is non-deterministic and must be determinized in order to be minimized.
Since Mona always stores automata in a minimized form, valid formulas are particularly simple to recognize: they correspond essentially to the trivial automaton whose single state is both the initial and the final state, with a self-loop as the transition on every input. For any formula that is not valid, Mona extracts from its corresponding automaton a string of minimal length defining an interpretation that makes the formula false. We use this procedure to generate counter-examples to proposed theorems.
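The following is an added example, not Mona's implementation, of the automaton constructions just described, written in Python so that the reader can trace how validity and counter-examples fall out of them: a product for conjunction, complementation for negation, projection plus a subset construction for ∃², and a breadth-first search that returns a shortest rejected string. Unlike Mona it neither minimizes automata nor compresses transition functions with BDDs, so it is only practical for the tiny state spaces used here. All names (`DFA`, `pointwise`, `project`, `shortest_counter_model`, `PHI`, `PSI`) are my own; `PHI` is the formula ∀p : P(p) ↔ ¬Q(p) from §2.

```python
from collections import deque
from itertools import product

# Added example (not the Mona implementation): a minimal automata toolkit over
# the alphabet B^k mirroring the steps Mona performs on a formula. Letters are
# k-tuples of bits, one per track (variable). No minimization, no BDDs.

def letters(k):
    return list(product((0, 1), repeat=k))

class DFA:
    def __init__(self, k, start, delta, final):
        self.k, self.start, self.delta = k, start, dict(delta)
        self.states = {s for s, _ in self.delta} | set(self.delta.values())
        self.final = frozenset(final)

    def accepts(self, word):
        s = self.start
        for a in word:
            s = self.delta[(s, a)]
        return s in self.final

def pointwise(k, holds):
    """Automaton for 'forall p: phi(p)' when phi depends only on the letter at p:
    stay in 'live' while every letter satisfies phi, fall into 'dead' otherwise."""
    delta = {}
    for a in letters(k):
        delta[("live", a)] = "live" if holds(a) else "dead"
        delta[("dead", a)] = "dead"
    return DFA(k, "live", delta, {"live"})

def conjunction(A, B):
    """Product construction: run both automata in lock-step on the same letters."""
    delta = {((s, t), a): (A.delta[(s, a)], B.delta[(t, a)])
             for s in A.states for t in B.states for a in letters(A.k)}
    return DFA(A.k, (A.start, B.start), delta,
               {(s, t) for s in A.final for t in B.final})

def negation(A):
    """Complement: swap final and non-final states (A is deterministic and total)."""
    return DFA(A.k, A.start, A.delta, A.states - A.final)

def implies(A, B):
    return negation(conjunction(A, negation(B)))

def project(A, track):
    """Existential quantification of the variable on `track`: drop that track
    (the automaton now guesses its bits), then determinize by the subset construction."""
    k = A.k - 1
    def with_bit(a, b):
        return a[:track] + (b,) + a[track:]
    start = frozenset([A.start])
    delta, final, todo, seen = {}, set(), [start], {start}
    while todo:
        S = todo.pop()
        if S & A.final:
            final.add(S)
        for a in letters(k):
            T = frozenset(A.delta[(s, with_bit(a, b))] for s in S for b in (0, 1))
            delta[(S, a)] = T
            if T not in seen:
                seen.add(T)
                todo.append(T)
    return DFA(k, start, delta, final)

def shortest_counter_model(A):
    """Breadth-first search for a shortest word A rejects; None if A accepts every word."""
    queue, seen = deque([(A.start, ())]), {A.start}
    while queue:
        s, word = queue.popleft()
        if s not in A.final:
            return word
        for a in letters(A.k):
            t = A.delta[(s, a)]
            if t not in seen:
                seen.add(t)
                queue.append((t, word + (a,)))
    return None

def valid(A):
    return shortest_counter_model(A) is None

# Track 0 is P, track 1 is Q.
PHI = pointwise(2, lambda a: a[0] != a[1])          # forall p: P(p) <-> not Q(p)
PSI = pointwise(2, lambda a: not (a[0] and a[1]))   # forall p: not (P(p) and Q(p))

def demo():
    return {
        "phi_implies_psi": valid(implies(PHI, PSI)),                   # True
        "psi_implies_phi": shortest_counter_model(implies(PSI, PHI)),  # ((0, 0),): P = Q = 0 at one position
        "exists_Q_phi": valid(project(PHI, 1)),                        # True: every P has a complementary Q
    }

if __name__ == "__main__":
    print(demo())
```

The returned counter-model is the shortest string on which the implication fails, which is exactly the information one wants when a proposed theorem turns out not to hold: a one-letter string with both tracks 0 satisfies ¬(P ∧ Q) but not P ↔ ¬Q.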
BDD Representation
Although the automata constructions are in principle standard, we note that the exponential size of the alphabet B^k calls for special consideration; otherwise the representation of the transition function for an automaton corresponding to a formula with k variables would always necessitate space proportional to 2^k. Thus the implementation in [17] uses multi-valued BDDs to compress the representation of the transition function. The exponential blow-up is then often avoided. For example, the string

    position  -1  0  1  2
    x          1  X  X  X
    y          0  X  X  X
    A          X  1  0  1
    B          X  0  1  0

defines x = 1, y = 0, n = 3, A = {0, 2}, and B = {1} (X means "don't care"). The automaton that accepts all strings defining satisfying interpretations (i.e., interpretations that make the formula true) is depicted in Figure 1. The automaton has four states {a, b, c, d}, shown in the rectangular box. In practice, the states are just entries in an array. Each state contains a pointer to a BDD node. For example, the initial state a points to a decision node for x. Thus if the letter in position −1 has a 1 in the x-component (in the first track), then the pointer labeled 1 is followed, and a decision is then made on the y-component. Consequently, if both the x-component and the y-component have a 1 in the −1st letter, then a leaf marked b is reached upon reading this letter. This leaf signifies that the state entered next is b, which is an accepting state (denoted by an inner square). From state b, there is a pointer directly to a leaf. We say that the state is looping; this means that the letter read is irrelevant. Thus the automaton accepts all strings that define both x and y to be true. If one is false, then the automaton remains in the accepting state c as long as the membership status of the current position is the same for A and B.
Note that by using the position −1 for the Boolean variables, we have avoided the problem that an encoding based on position 0 would lead to an ill-defined semantics for Boolean variables in the case of the empty string (where position 0 does not exist).
Canonicity of BDD Representation
The automaton shown above is minimal or canonical in two ways: (1) the BDD representation of the transition function is reduced (canonical), and (2) the transition function represented and the state space are those of the canonical automaton. Requirement (1) is maintained automatically by the use of BDD algorithms that reduce the representation as the BDD is calculated. Requirement (2) is enforced by minimizing each new automaton calculated. The current Mona minimization algorithm [17] is quadratic in the size (the number of nodes and states) of the representation, although in practice minimization is often only about twice as costly as the product and projection routines.
Relationship to Usual BDDs
If a formula contains only Boolean variables, then the BDD-represented automaton has only three states: the initial state and two looping states, one accepting and one non-accepting. If the pointers of the looping states are deleted, then the resulting graph is identical to the standard BDD representation of the formula for the given track assignment (ordering of variables). Moreover, for propositional logic and its extension to Quantified Boolean Logic, the calculations carried out by Mona are essentially identical to those performed by a standard BDD-based procedure. In particular, the automaton product algorithm described in [17] essentially degenerates to a BDD binary apply routine. Similarly, the automaton projection essentially degenerates to a BDD projection routine. From this it follows that

We can define in M2L predicates at a level that formalizes appropriate building blocks of circuits. We can represent the behavior of such blocks as functions from inputs to outputs or as relations between external circuit ports. The functional approach is used, for example, in theorem provers based on equational and other quantifier-free logics (e.g., the prover of Boyer and Moore, NQTHM [18]), where primitive components are functions. For example, the gate and is a function from two inputs to an output. Larger circuits are built by function composition.
The relational approach is typically used with first-order or higher-order logic. Basic components are relations that define constraints between port values. These relations are joined together using conjunction (which combines constraints), and internal wires are represented by shared variables that are existentially quantified. In [5, 12], these two kinds of representation are discussed in detail. Both options are available in our work, and it makes little difference which one we choose.
We follow the relational approach in specifying circuits. We begin by defining basic gates as relations over Boolean variables. For example:
The left-hand side of each definition names a predicate whose meaning is given by the right-hand side. The actual input to Mona is identical except that ASCII syntax, additional keywords, and type declarations are required.
Let us now build a full 1-bit adder from these gates. One such design is given in Figure 2. The top half of the circuit consists of two xor gates, connected by an internal wire w₁, that compute the sum bit out. The bottom half uses the value of the internal wire w₁ as well as the two inputs a and b to compute the carry-out bit cout. Our definition in M2L conjoins the gate descriptions and projects away the internal wire.

Mona proves this theorem in 0.25 seconds. This includes parsing all definitions, converting them to automata, and afterwards translating the conjecture into an automaton. In this case, all calculations are equivalent to standard BDD operations, since we are essentially using just Quantified Boolean Logic.
Correctness of an n-bit Adder
The circuit. We turn now to parameterized hardware and consider an n-bit adder. Figure 3 gives an example of this for n = 3. In the general case, an n-bit adder is constructed by (1) wiring together n 1-bit adders, where (2) the carry-out of the i-th adder becomes the carry-in of the (i+1)-st. The first and last carries are special cases: (3) the first carry has the value of the carry-in and (4) the last has the value of the carry-out.
It is easy to formalize this kind of ripple-carry connectivity. Let us use C and D to represent the carry-ins and carry-outs, respectively. Then we can formalize the general case as the following predicate, which relates three second-order variables (the two input strings A and B and the output string Out) and two Booleans (the carry-in cin and the carry-out cout).
The four lines of the definition body formalize the four requirements listed above. The way we formalize ripple-carry connectivity is independent of the particular component (here a full adder) that we are iterating. We later use an identical formalization for specifying an n-bit ALU constructed from 1-bit ALUs.
The specification. To verify our circuit, we specify how n-bit binary words are added. Since M2L is a logic about strings and string positions, any arithmetic must be encoded within this limited language. In particular, we encode addition as an algorithm over strings representing bit patterns, i.e., binary addition. A simple way to do this is to mimic how addition is computed with pencil and paper. The i-th output bit is set if the sum of the i-th inputs and carry-in is 1 mod 2, and the i-th carry bit is set if at least two of the previous inputs and carry-in are set. The 0th carry and the final values must be computed as special cases.
To give the reader a feel for the complexity involved in translating such specifications to automata, we mention some statistics for this example. There are, overall, 109 product and projection operations performed; the average number of states is 5 and of BDD nodes is 12. The largest intermediate automaton has 21 states and 71 BDD nodes. We will return to this example in §7 and analyze more carefully why the state space does not explode during translation.
Verification. We now have a specification of the implementation of a family of adders built from gates and a specification in terms of its behavior over binary strings. To verify their equivalence, we give Mona the formula stating that the two are equivalent. This formula is verified in 0.4 seconds. Often we are interested in more than one property of a circuit or its specification. For example, the n-bit adder computes a unique function from its inputs to its outputs. We may also check that the addition function defined is commutative. Both of these are verified in under a second.
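As an added example (not the paper's Mona script), the ripple-carry predicate and the pencil-and-paper specification above can be written as Python predicates over bit strings and compared by exhaustive enumeration up to a fixed width. This is only a bounded stand-in for the automaton equivalence check that Mona performs for all n at once, but it shows the same three theorems (equivalence, commutativity, and agreement with integer addition) and the counter-model one gets back from a wrong design. Strings are tuples with position 0 the least significant bit, as in the paper; the broken slice `broken_full_adder` is constructed for this example, and all function names are my own.

```python
from itertools import product

# Added example (not the paper's Mona script): the n-bit adder as relations
# over bit strings, checked exhaustively for small n. Bit 0 is least significant.

def full_adder(a, b, cin):
    """The 1-bit adder of Figure 2: two xor gates through internal wire w1 give the
    sum; the carry uses w1 and the two inputs."""
    w1 = a ^ b
    out = w1 ^ cin
    cout = (a & b) | (w1 & cin)
    return out, cout

def n_adder(A, B, Out, cin, cout, slice_=full_adder):
    """Requirements (1)-(4): n slices, the carry-out of slice i feeds slice i+1,
    the first carry-in is cin, the last carry-out is cout."""
    n = len(A)
    C, D = [None] * n, [None] * n          # per-slice carry-ins and carry-outs
    for i in range(n):
        C[i] = cin if i == 0 else D[i - 1]
        out_i, D[i] = slice_(A[i], B[i], C[i])
        if out_i != Out[i]:
            return False
    return cout == (D[n - 1] if n else cin)

def add_spec(A, B, Out, cin, cout):
    """Binary addition as an algorithm over bit patterns: the ith output is the
    parity of the ith inputs and the carry; the next carry is set when at least
    two of them are set; the last carry must equal cout."""
    carry = cin
    for i in range(len(A)):
        if Out[i] != (A[i] + B[i] + carry) % 2:
            return False
        carry = int(A[i] + B[i] + carry >= 2)
    return cout == carry

def interpretations(n):
    """All assignments of the three strings of length n and the two Booleans."""
    for A in product((0, 1), repeat=n):
        for B in product((0, 1), repeat=n):
            for Out in product((0, 1), repeat=n):
                for cin, cout in product((0, 1), repeat=2):
                    yield A, B, Out, cin, cout

def counter_model(premise, conclusion, max_n):
    """Shortest interpretation (smallest n first) satisfying premise but not conclusion."""
    for n in range(max_n + 1):
        for interp in interpretations(n):
            if premise(*interp) and not conclusion(*interp):
                return interp
    return None

def to_int(bits):
    return sum(b << i for i, b in enumerate(bits))

def equivalent(max_n=4):
    """Bounded form of the adder theorem: implementation <-> specification, all n <= max_n."""
    return (counter_model(n_adder, add_spec, max_n) is None
            and counter_model(add_spec, n_adder, max_n) is None)

def commutative(max_n=4):
    swapped = lambda A, B, Out, cin, cout: add_spec(B, A, Out, cin, cout)
    return counter_model(add_spec, swapped, max_n) is None

def arithmetically_correct(max_n=4):
    """Out + cout*2^n == A + B + cin whenever the circuit relation holds."""
    as_int = lambda A, B, Out, cin, cout: (
        to_int(Out) + (cout << len(A)) == to_int(A) + to_int(B) + cin)
    return counter_model(n_adder, as_int, max_n) is None

def broken_full_adder(a, b, cin):
    """Deliberately wrong slice (constructed for the example): the carry ignores cin."""
    return a ^ b ^ cin, a & b

def debug_broken_design(max_n=4):
    """The counter-model validity checking hands back for the broken design."""
    broken = lambda *interp: n_adder(*interp, slice_=broken_full_adder)
    return counter_model(add_spec, broken, max_n)

if __name__ == "__main__":
    print(equivalent(), commutative(), arithmetically_correct())
    print(debug_broken_design())   # ((0,), (1,), (0,), 1, 1): a 1-bit slice with a + b + cin = 2
```

The counter-model for the broken slice has length 1, matching the way Mona reports a shortest failing string: with a = 0, b = 1 and cin = 1 the specification demands cout = 1, while the broken carry a ∧ b gives 0.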
Correctness of an n-bit ALU
We now apply our approach to a more complex circuit: a parameterized n-bit ALU. The circuit we analyze is presented in [23]. It is also an interesting theorem for comparison (given in §8), since it has been verified in several theorem proving systems based on induction.
ALU specification. The ALU is designed to perform 8 arithmetic and 4 logical operations. The 12 functions are selected through 3 "selection" lines s₀, s₁, s₂ and the carry-in cin, as described in Table 1. For example, if the sᵢ are 0 and cin is 1, then the ALU increments the n-bit input A and places the result in F, producing a carry-out when every bit in F is set. Let us begin by specifying this behavior: we formalize each functional sub-unit (addition, subtraction, etc.) and specify the function table by case analysis on the values of sᵢ. The logical sub-units are specified straightforwardly using the previously defined gates. For the remainder of the specification, we must develop more arithmetic. We define an auxiliary predicate one, which is true when a second-order variable represents the number one, i.e., when only the first bit is set.

The circuit is given in Figure 4. The corresponding M2L formula is encoded analogously to the parameterized adder. The only additional complication is that the description consists of two parts: an initialization block and a repeating ALU block. The first part, which
Verification. We may now verify that the ALU implementation satisfies its specification. Namely, when the switches and ports of the ALU take on values consistent with the implementation, the specification is satisfied. Note that we proved only that the implementation satisfies (implies) the specification. We did not prove an equivalence, as we did with the n-bit adder. The reason is that the specification is more abstract than the implementation: it leaves certain port value combinations unspecified. Suppose we did not know this, or perhaps did, but we wanted to determine when the converse fails. If we ask Mona to prove the converse, it responds that the formula is not a tautology. If we remove the initial quantifiers, i.e., consider

alu_spec(s₀, s₁, s₂, A, B, F, cin, cout) → n_alu(s₀, s₁, s₂, A, B, F, cin, cout),

then the port values are free variables and Mona produces a counter-example and responds:
A counter-example of least length (1) 
The output tells us that there is a counter-example of length n = 1, i.e., consisting of a single 1-bit ALU slice. This counter-example is sensible. The specification only states that when the sᵢ are all 1, F is the complement of A. So the specification holds for any value of B and any value of cout, in particular cout = 1. However, these values are not consistent with the implementation.
Sequential Circuits
In the last section, a string represented a sequence of bits, i.e., a word of parameterized length. In this section, a string represents the behavior of a sequential circuit (of fixed bit-width) as it evolves over time. Circuit descriptions are similar to those we have previously seen, except that gates are now parameterized by time.
Our example is a standard implementation of a D-type flip-flop, built from 6 nand gates, as shown in Figure 5. Although this circuit looks simple, understanding and demonstrating its correctness is difficult. Hanna and Daeche give a thorough and well-written analysis of this flip-flop in [16]. They used Veritas, a theorem prover based on a higher-order logic, to give a comprehensive analysis using a partial description of waveforms over the rational numbers. Their analysis is complex, and it took an experienced user a week to construct the proof.
Our starting point is a discrete model of this circuit proposed by Gordon in [12]. He assumed that each gate has a delay of one time unit. Gordon described the behavior of the circuit using formulas in higher-order logic, where first-order variables denote time instants. The proof that the circuit meets its specification, which he notes "is fairly complicated", was done only with pencil and paper. The flip-flop and Gordon's specification are easily encoded in Mona. To our surprise, Mona calculated a counter-example. We later discovered that Wilk and Pnueli had already reported on the failure of Gordon's specification in [31]. They formulated Gordon's informal requirements in a temporal logic with "quantized" tense operators like ◇ₙ, where ◇ₙ f holds at the present moment if f holds at least once within the next n time units.
Temporal logic, in the sense of tense logic, is based on operators that denote modalities like "it will be the case" and "until". Linear tense logic is PSPACE-complete, and it has been explored intensively [11]. But temporal logic can as well be viewed as simply a first-order logic of natural numbers (if we are content with the natural numbers as a model of time), which was essentially also Gordon's approach. To our knowledge, this point of view has not been pursued from a practical point of view in verification, maybe because this formulation is non-elementary (as is M2L). We believe that the first-order formulation is more attractive, since many temporal idioms (including the usual tense operators) can easily be expressed as predicates.
To translate the other way, from the first-order formulation to the tense formulation, is much more difficult and potentially involves a non-elementary blow-up; this is why Wilk and Pnueli could not directly use Gordon's HOL specification, but had to transcribe the informal requirements.
We present next our analysis, which is based on experiments with Mona.
Temporal Concepts
The temporal concepts needed to reason about the flip-flop are straightforward to express in Mona; for example, the value of F is stable in [t₁, t₂]. If we call the corresponding predicate for a three-input nand gate nand3(I₁, I₂, I₃, O), then the flip-flop in Figure 5 is described by

dtype_imp, defined as nand(P₂, D, P₁) ∧ nand3(P₃, CK, P₁, P₂) ∧ nand(P₄, CK, P₃) ∧ nand(P₁, P₃, P₄) ∧ nand(P₃, P₅, Q) ∧ nand(Q, P₂, P₅).
Stability Analysis
In our model, even a simple flip-flop may begin to oscillate due to a single negative spike. We see that the simultaneous rise of both the D and CK signals seems to tickle the circuit so that it begins to oscillate despite being stable initially. (Incidentally, this was the problem that Gordon had failed to address in his specification.) Note that the quantifications ∃¹t′ must succeed before "time runs out," i.e., before the finite segment of time that the logic is interpreted over ends. In other words, we have made the assumption that the stabilization of the circuit takes place while the inputs are kept stable.
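An added example (not Gordon's HOL model or the paper's Mona script) that simulates the six-nand flip-flop wired exactly as dtype_imp above under the unit-delay assumption, together with the stable predicate, reproduces the two observations of the stability analysis: a clock edge latches D when D has settled first, while raising D and CK in the same time unit leaves the circuit oscillating. The gate argument order follows the text (inputs first, output last); the quiescent state `INITIAL` is a fixed point of the gate equations chosen for the example, and `settle`, `run` and the other names are my own.

```python
# Added example (not from the paper, Gordon's model, or Mona): unit-delay
# simulation of the six-nand D-type flip-flop described by dtype_imp.
# State tuple order: (P1, P2, P3, P4, Q, P5).

def nand(*inputs):
    return int(not all(inputs))

def step(state, d, ck):
    """One time unit: every gate computes from the values its inputs had one unit ago."""
    p1, p2, p3, p4, q, p5 = state
    return (nand(p2, d),          # nand(P2, D, P1)
            nand(p3, ck, p1),     # nand3(P3, CK, P1, P2)
            nand(p4, ck),         # nand(P4, CK, P3)
            nand(p1, p3),         # nand(P1, P3, P4)
            nand(p3, p5),         # nand(P3, P5, Q)
            nand(q, p2))          # nand(Q, P2, P5)

Q = 4  # index of the output Q in a state tuple

def run(state, inputs):
    """Trace of states for a sequence of (D, CK) input letters, one per time unit."""
    trace = [state]
    for d, ck in inputs:
        trace.append(step(trace[-1], d, ck))
    return trace

def stable(trace, i, t1, t2):
    """Signal i is stable in [t1, t2]: the same value at every instant of the interval."""
    return len({trace[t][i] for t in range(t1, t2 + 1)}) == 1

def settle(state, d, ck, limit=16):
    """Hold the inputs constant and wait for a fixed point. Returns (state, steps),
    or None when the circuit is still changing after `limit` time units."""
    for t in range(limit):
        nxt = step(state, d, ck)
        if nxt == state:
            return state, t
        state = nxt
    return None

# Quiescent state for D = 0, CK = 0 with Q = 0 (a fixed point of step; constructed).
INITIAL = (1, 1, 1, 0, 0, 1)

def latch_after_setup():
    """Raise D, let the circuit settle, then raise CK: the edge latches D, so Q becomes 1."""
    ready, _ = settle(INITIAL, 1, 0)
    clocked = settle(ready, 1, 1)
    return None if clocked is None else clocked[0][Q]

def simultaneous_rise_oscillates():
    """Raise D and CK in the same time unit from the quiescent state: no fixed point."""
    return settle(INITIAL, 1, 1) is None

def hold_when_clock_low():
    """After latching Q = 1, lower CK and later change D: Q keeps its value."""
    ready, _ = settle(INITIAL, 1, 0)
    clocked, _ = settle(ready, 1, 1)
    trace = run(clocked, [(1, 0)] * 4 + [(0, 0)] * 4)
    return stable(trace, Q, 0, len(trace) - 1)

if __name__ == "__main__":
    print(latch_after_setup(), simultaneous_rise_oscillates(), hold_when_clock_low())
```

With D and CK raised together the trace alternates between two states forever (every gate output flips each unit), which is the oscillation the text describes; `settle` reports it as the absence of a fixed point within the bound, the bounded-time counterpart of the requirement that ∃¹t′ succeed before time runs out.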
Input Requirements
By experiments that constrain the inputs in di erent ways, we have arrived at the following requirements on the input signals: the clock signal must not form a negative spike of duration less than min clock low or a positive spike of duration less than min clock high. The D signal must be stable for at least setup We have used parameterization to represent both families of combinational circuits and sequential designs. Here we consider the two aspects together: sequential circuits with parametric data-paths. The interesting problem now is that there are two independent parameters: time and word (data-path) length. Both parameters cannot be simultaneously formalized since our second-order variables represent only monadic predicates (which take a single argument). 7 Instead we use here the wellknown idea of reasoning about a sequential circuit in terms of its transition function, which here has only a single parameter. Our solution is an application of the approach used to solve the dining philosophers problem in 17].
The Min-Max signal processor unit was formulated as a benchmark problem for the 1989 IFIP International Workshop on Applied Formal Methods for Correct VLSI Design [8]. Here we study a parameterized version suggested in [26]. This version was specified in the CASCADE Hardware Description Language and verified by means of a theorem prover. We argue that such descriptions can be straightforwardly translated into Mona provided that the arithmetic used is essentially regular.
The unit is controlled by three Boolean signals; in addition, it has a parameterized integer input and output. In its normal mode of operation, the output value is the mean value of the lowest and highest values encountered in the input since the circuit was reset last.
As an example of the transcription into Mona, we reproduce here a submodule of the high-level specification.

This submodule is parameterized by N and declares a clock H, a Boolean input signal E, a parameterized input IN_L, and a parameterized register OUT_L. The submodule declares parameterized data-paths named E_N and OUT_M, and it instantiates a multiplexer MUX_N, whose output is wired to OUT_M and whose inputs are E_N (which is specified as the signal E duplicated N times), the parameterized input IN_L, and the current value of the parameterized OUT_L register. The submodule also declares that when the clock H rises, the value OUT_M is latched into the register OUT_L.
In the corresponding Mona description, the parameterized register variable OUT_L is modeled by two second-order variables, corresponding to the value of OUT_L before and after a clock tick. Here mux_n, fan, and if are Mona predicates defined elsewhere.
We translate both the circuit description min_max_low and the high-level description min_max_high in a similar fashion (which can be automated). The one exception is that in the high-level description, the mean value is described in terms of the usual addition and division on values of the parameterized data-path viewed as integers. As with the ALU, we have to specify these operations bit-wise.
Why does it work?
The complexity of deciding the validity of M2L formulas is determined by the complexity of carrying out the operations that translate formulas to automata. Exponential factors arise in two ways. First, as discussed in §3, the transition function of an automaton is exponential in the number of free variables. This is typically not a problem in practice, since BDDs often lead to exponential compression whereby the transition function can be represented in polynomial space. The second source of trouble is that each quantifier requires a projection operation followed by an application of the subset construction to determinize the result. The subset construction can lead to exponentially many more states in an automaton. Formulas with alternating quantifiers require iterating this operation (once for each quantifier alternation), and this is responsible for the non-elementary lower bound associated with M2L and related logics. In what follows, we look more carefully at these operations and argue why a state explosion rarely happens in practice. Indeed, we show that there are particular syntactic and semantic classes of formulas (see also §8) where we can guarantee that a blow-up will not occur.

To illuminate why our approach works in practice, we focus on the add predicate defined in Section 4. Note that we have here added the precondition $ 0 so as to fix the meaning of the formula (to true) for the empty-string interpretation; this makes the corresponding automaton easier to understand.
A use of second-order quantification. The formula defined by add above has the form ∃₂ C : ψ. We focus on the computation related to the quantifier ∃₂ C, which "guesses" the intermediate carry bits. In theory, the projection and subsequent determinization required to eliminate this quantifier can cause an exponential blow-up in the state space. Here is what happens in practice. The automaton corresponding to the formula ψ inside the quantifier has 8 states (we have not indicated the 32 BDD nodes of this automaton for the sake of clarity):
The automaton reads a string that defines the interpretations of variables A, B, Out, cin, cout and C. Its shape can be explained as follows. The formula expresses that each component of the result is the sum of the A and B components and the carry C. Thus the automaton counts modulo 2. But it must also remember the value of the carry out cout, which can be checked only after the last position has been read. Thus, the automaton has two modulo-2 counters, each having one accepting and one non-accepting state. Since the empty string is always accepted (due to the $ 0 clause), the four different states reached from the initial state upon reading the letter defining the values of the Boolean variables are all accepting. The rightmost state is the one reached in case the carry C or the output Out is wrong at any point. There is no recovery from such an error, so this state acts as a sink.
The automaton for ∃₂ C : ψ is obtained by a projection and subset construction that works as follows. Recall that this new automaton reads strings that define A, B, Out, cin, and cout, but not C. It must accept if and only if there is some assignment to C that makes the old automaton accept. The first subset constructed is that containing only the initial state. On any transition out of the initial state, another singleton state is reached, since the first transition only involves the values of Boolean variables. For any of these four states and any input letter, there are exactly two transitions possible: one to the state that would be reached if the correct value of the carry C were part of the input letter, and one to the sink state corresponding to the situation when C was wrong. Thus, all subsets reached from this point on have exactly two elements: a counting state and the sink state (there is one exception: the singleton state consisting of the sink state alone is also reachable, for example, if a letter defines the wrong value of Out). As a result, two of the four singleton states reached on the first transition also become two-element states. Thus there are exactly 10 reachable states in the subset automaton.
The arguments above are easily generalized as follows.
Proposition 2. Let φ be a formula of the form ∃₂ P : ψ(P), where P is functionally determined, that is, for any interpretation of the remaining free variables in ψ, there is exactly one interpretation of P making ψ true. Then the calculation of the subset automaton for φ is linear in the size of the automaton for ψ.
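The argument of Proposition 2 carried out on the add predicate, as an added example that is neither the paper's nor Mona's code: the automaton for the matrix of add is built directly, the C track is projected away, and the subset construction is run. The encoding (the first letter carries cin and cout, each later letter one bit of A, B, Out and C per position, C being the carry into that position) is an assumption of the example; under it every reachable subset has at most two members and ten subsets are reachable, and the result is checked against integer addition.

```python
"""Projection and subset construction for the add predicate (added example).

Assumed encoding: the first letter of a word carries the Boolean variables
(cin, cout); each later letter carries the bits of the tracks A, B, Out, C at
one position, least significant position first; C is the carry INTO a position.
"""
from itertools import product

INIT, SINK = "init", "sink"

def step(state, letter):
    """Transition function of the automaton for the matrix of add,
    i.e. the formula with the carry track C still present."""
    if state == SINK:
        return SINK
    if state == INIT:
        cin, cout = letter          # first letter: the Boolean variables
        return (cin, cout)          # (carry into next position, announced cout)
    carry, cout = state
    a, b, out, c = letter
    if c != carry or out != a ^ b ^ carry:
        return SINK                 # wrong C or Out at this position: no recovery
    next_carry = (a & b) | (a & carry) | (b & carry)   # majority = carry out
    return (next_carry, cout)

def is_accepting(state):
    # When the word ends, the carry left over must equal the announced cout.
    return state not in (INIT, SINK) and state[0] == state[1]

def project_and_determinize():
    """Remove the C track (quantifier 'exists C') and build the subset
    automaton. Returns (start subset, reachable subsets, transition table)."""
    start = frozenset([INIT])
    subsets, delta, worklist = {start}, {}, [start]
    while worklist:
        S = worklist.pop()
        # Projected letters: (cin, cout) from the start, otherwise (a, b, out).
        for letter in product((0, 1), repeat=2 if S == start else 3):
            targets = set()
            for q in S:
                if q == INIT:
                    targets.add(step(q, letter))
                else:
                    for c in (0, 1):    # guess the projected-away carry bit
                        targets.add(step(q, letter + (c,)))
            T = frozenset(targets)
            delta[(S, letter)] = T
            if T not in subsets:
                subsets.add(T)
                worklist.append(T)
    return start, subsets, delta

def accepts(start, delta, word):
    S = start
    for letter in word:
        S = delta[(S, letter)]
    return any(is_accepting(q) for q in S)

def largest_subset():
    """Size of the largest reachable subset: one counting state plus the sink."""
    return max(len(S) for S in project_and_determinize()[1])

def reachable_subsets():
    return len(project_and_determinize()[1])

def agrees_with_addition(n):
    """True when the projected automaton accepts exactly the words encoding
    a + b + cin = out + cout * 2**n, for all n-bit a, b and out."""
    start, _, delta = project_and_determinize()
    for a, b, out in product(range(2 ** n), repeat=3):
        for cin, cout in product((0, 1), repeat=2):
            word = [(cin, cout)] + [((a >> i) & 1, (b >> i) & 1, (out >> i) & 1)
                                    for i in range(n)]
            expected = (a + b + cin) == out + cout * 2 ** n
            if accepts(start, delta, word) != expected:
                return False
    return True
```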
A use of first-order quantification. Recall that each first-order variable is treated as a second-order variable that ranges over a singleton (one-element) set. Thus the automaton for φ(p₁, …, pₙ), where p₁, …, pₙ are all the free first-order variables in φ, recognizes all strings that have exactly one occurrence of a 1 in each p_i-track and that make φ true with p_i interpreted by the position of the 1 in the p_i-track.
Returning to the example, we calculate the automaton for the subformula in which p occurs free. We have here omitted the initial transition corresponding to the Boolean variables in φ, since there are none. Intuitively, this automaton waits until it sees the position p; then it either goes to a terminal non-accepting state (if the mod-two predicate does not hold at position p), or it branches (if the mod-two predicate holds) to a new state that remembers the value of the at-least-two predicate at position p. In the latter case, the automaton checks on the next transition, corresponding to position p + 1, that C has the correct value.
In this example, the subset automaton constructed by projecting out p is also small. (This automaton is constructed from an automaton corresponding to the negation of φ according to the identity ∀₁ p : φ ≡ ¬∃₁ p : ¬φ. The automaton for ¬φ is the same as the one above, except that accepting and non-accepting states are interchanged and that a few transitions are slightly different.) However, instead of studying the subset construction in detail for the automaton above, we tackle a more general situation. Consider a formula φ that is (or is equivalent to) a Boolean combination of formulas of the form

p ∈ X_i   or   p < $ ⇒ p + 1 ∈ X_i.   (2)

Then φ corresponds to an automaton A whose shape is easy to explain: before p occurs, φ says nothing about any other variable; when p occurs, a new state (inside the dotted box named "p states") is reached according to the values of the X_i's at p (some of these states may be final, since p might be the last position); and if p is not the last position, the truth of φ is determined by reading the X_i's at position p + 1.
The reachable states of A in the subset construction are those of the form

{ s | for some p-track τ, s is the state reached when τ is added to α },

where α determines an interpretation of the X_i. It can be seen that any such set contains at most one state from the box in the figure above, namely the state reached by adding a p-track of the form 0…01, i.e., a track where the single occurrence of 1 is in the last position. Therefore, we again only have a linear expansion.

This proposition does not directly explain the complexity of the subset construction when there is more than one free first-order variable in the formula. Often, however, the variable that is projected away is tightly constrained by other variables. For example, if we project away the variable z in a formula that contains the clause x ≤ z ≤ y, then the subset construction essentially only explores the situation when x ≤ z ≤ y holds. Thus, if z is otherwise only used as in the proposition above, we would again be able to establish a linear upper bound.
Comparison and Conclusions
Our results constitute a study of automatic verification based on regular classes of circuits. For example, a family of n-bit adders is regular in an informal structural sense (n adders are chained together ripple-carry style), as well as in a formal language-theoretic sense. Viewing the input/output relation of an n-bit adder as a set of words of length n, we find that the union of the words for n = 1, 2, … is recognizable by a finite-state automaton. The logic M2L allows us to express regularity in the informal structural sense in a declarative way by stating how an n-bit adder is iteratively built. The decision procedure implemented by Mona reduces the analysis of the resulting description of an infinite state space to the analysis of a regular one.
Below we compare our approach with others reported on in the literature.
Inductive Theorem Proving
Most approaches to reasoning about parameterized systems involve explicit theorem proving: the system is formalized as a recursive (or inductive) definition within a logic like first-order or higher-order logic and explicitly reasoned about by mathematical induction, cf. [2, 4, 9, 12, 16, 18, 19, 22, 25]. For example, to show that a family of circuits C, parameterized by n, with port values given by the vectors X₁, …, Xₙ satisfies a parameterized behavioral specification S, one proves

∀n, X₁, …, Xₙ : C(n, X₁, …, Xₙ) → S(n, X₁, …, Xₙ)

by induction over the parameter n. The parameterized adder and ALU have been used as test cases by others in inductive theorem proving, in particular by Cantu et al. using the Edinburgh CLAM System [6] and by Cyrluk et al. using PVS [7]. CLAM is a system that generates proofs by induction for a higher-order logic. The development in CLAM of the ALU took over a week, and the proof is constructed automatically in 4 minutes and 40 seconds by CLAM, as opposed to 2 seconds by Mona. Their specification shares some similarities with ours, but differs in several important respects. First, they are not limited to specifications expressible within a decidable logic. As a result, they were able to apply their approach to verify circuits such as parameterized multipliers, which cannot be formalized in M2L. Second, they specified the ALU as a recursive function while we specified it as a non-recursive relation. Both are valid representation techniques, but note that we cannot write explicit recursive functions in M2L. On the other hand, if Cantu et al. had formalized the ALU as a recursively defined relation, CLAM would have been unable to construct a proof (footnote 8).

The ALU theorem was also verified using PVS. PVS is a semi-interactive theorem prover that features built-in simplifiers and decision procedures; for example, BDDs are used for propositional reasoning. Users can control proof construction by writing proof strategies (similar to tactics in the LCF sense). In [7] the adder and the ALU are verified using the induction, normalization, and BDD features of PVS. The formalization of these circuits is similar to that of Cantu et al. Verification by induction of the parameterized adder is stated to take approximately 2 minutes (as opposed to our time of one second), and their proof of the ALU required 90 seconds, as opposed to 2 seconds in our case.

The signal-processor circuit was verified in NQTHM (the Boyer-Moore theorem prover) and reported on in [26].
The proof required the user to formulate various lemmas. Even with the lemmas, verification required several minutes of CPU time, as opposed to 10 seconds in our case.
These examples suggest that when a parameterized system is formalizable in M2L, there can be real advantages to our approach. Not only are our verification times typically one to two orders of magnitude faster, but there is no need for search, heuristics, or user interaction. In practice, no theorem proving system (other than those implementing decision procedures) is fully automatic. Although some systems use powerful heuristics for automating induction (e.g., CLAM, NQTHM, and PVS) or complete proof procedures for semi-decidable logics (e.g., resolution theorem provers like OTTER are typically refutation complete for first-order theories), all such systems require, in practice, user guidance such as suggestion of rewrite rules, lemmas, parameter settings, and the like. This is quite different from our approach, where the only parameter the user can influence is the variable ordering used in building BDDs. In all our examples, this ordering was picked automatically by Mona.
Deduction without Induction
An alternative approach to parameterized verification is to fix the parameter to a particular value n. A finite circuit arises that can be analyzed using BDDs. As shown in [24], the circuits that allow BDD representations whose size is linear in n are those with a bounded amount of information flowing through any cross section. Similarly, it is not hard to see that the corresponding parameterized circuit is representable in M2L. The point at which the instantiated description becomes larger than the parameterized description will depend on variable orderings and the chosen representation of automata.
Although replacing a parameter with a constant may be satisfactory for reasoning about circuits whose size is parameterized, it can lead to incorrect results when reasoning about circuits whose behavior should hold over all instants of time. The problem is that one cannot easily bound how many time instants must be reasoned about to establish correctness; the counter-examples produced in our flip-flop example provide some evidence of the difficulty of this problem. One alternative, discussed above, is to retreat to an undecidable formalism and use induction to explicitly reason about the parameter. Another alternative is to use a decidable temporal logic.
As indicated in §5, both of the above approaches have been pursued in the verification of flip-flops. Flip-flops have been laboriously verified interactively in theorem provers based on higher-order logic. In contrast, our fully automated verification took 2 seconds. A competitive approach is model checking using decidable temporal logics. A temporal logic solution for the flip-flop we analyzed was presented in [31]. Verification took 20 seconds. We have translated the specification given in [31] directly into Mona; our verification time is around 2 seconds, a figure comparable to those of the original solution, since computers are now much faster than in 1989, when [31] was published.
Combined Induction/Deduction
It is possible to combine induction with non-inductive methods such as decision procedures like Mona or model checkers. In our work, we combined induction and deduction when reasoning about parameterized sequential circuits: an inductive step was performed (which was not formalized in a formal metalogic) to eliminate a parameter (in our case, time) and thereby reduce the problem to one that can be solved by Mona. Such a reduction can be formalized in an interactive theorem proving environment. For example, Kurshan and Lamport combined COSPAN (a model checking system) with TLP (a theorem prover based on Lamport's Temporal Logic of Actions) and used induction to decompose the verification of a parametric multiplier into the verification of 8-bit multipliers, which is then verified automatically [21]. Other researchers have investigated explicit induction principles for reasoning about networks of processes where the base case and the inductive steps are reduced to decidable problems. Such approaches test sufficient conditions for the correctness of the overall system. Kurshan and McMillan have incorporated reasoning by induction into the COSPAN system [22], which is used to check ω-regular properties of processes; this allowed them to verify safety and liveness properties of a nontrivial version of the Dining Philosophers problem that was parameterized by the number of processes. These ideas have been further extended [27], and similar ideas have been developed in other settings, cf. [32].
Linearly Inductive Functions
The work closest to ours is that of Gupta and Fisher [13, 14] who, from a rather different starting point, have also developed a BDD-based formalism closely connected to regular languages. They define two classes of inductively defined Boolean functions: Linearly Inductive Functions (LIFs) and Exponentially Inductive Functions (EIFs). Both classes consist of Boolean formulas defined by restricted forms of recursion. For example, the following equations define a family of n-bit adders as two LIFs, one for sum and one for carry.

A function descriptor (FD) is essentially a state of a BDD-represented automaton (cf. §3.1), but it is associated with two BDDs: a basis BDD, which is a Boolean-valued BDD followed when the last letter in the string is read, and a linear inductive BDD, which is a multi-valued BDD whose value is either a state or a Boolean. A Boolean leaf, which signifies reject or accept, is encountered when the following letters have no significance as to whether the string is accepted; in the usual automaton, this situation corresponds to a looping state.
As shown in [13], the FD representation is in essence an automaton. A precise relation with our framework can be established as follows: To see that the FD description is linear in the original BDD-represented automaton A recognizing L, we note that every state of this automaton can be converted to a (non-reduced) FD descriptor by letting the inductive part be the original transition function and by letting the base part be the BDD that represents the transition function from the state with every leaf replaced by 0 or 1 according to whether the leaf is labeled with an accepting or non-accepting state.
2) The other direction is proven in a similar manner. To go from an FD descriptor to a state with an associated transition BDD, we must make a BDD product of the base case and inductive case BDD of the FD descriptor. The details are omitted.
The algorithm for translating linearly inductive functions to FD descriptions as described by Fisher and Gupta is based on representing the reverse language. That is, the base case is represented as the last letter in the string. For certain circuits, like shifters, this representation is sometimes exponentially more succinct. Note that the Mona description above can easily be dualized to achieve a representation of the reverse language: simply exchange 0 with $, and dually for the remaining position operators. The resulting Mona automaton is then in a relationship with the FD description as explained in the above proposition.
If the FD description is desired as the direct output of the Mona translation, a simple formula for the (k + 1)-track in the Proposition above could easily be added so that the automaton A′ is calculated. This trick is an instance of padding regular languages so that the state spaces of the padded representations decrease in size.
The above demonstrates that Mona generalizes the LIF framework as a succinct representation formalism for regular languages. It is also the case that one does not pay a price, from a computational theory point of view, for using Mona to compute automata for LIFs. In particular, any LIF is translated to a formula with a single first-order quantifier (for the parameter i), whose quantifier-free matrix is a Boolean formula built using very limited arithmetic (subtraction by 1, and test against zero). An automaton for the matrix can be computed in exponential time in the worst case using arguments as in §7. This bound is similar to that of Gupta and Fisher, where the worst-case complexity of their algorithms is doubly exponential in the number of LIF variables (as in our case); [15] does not contain an explicit discussion of the size of the FDs in terms of the input size, but it is not hard to see that this explosion is only exponential. Note that it is an open question which approach offers better performance in practice, since the algorithms used to build BDD-represented automata in the two approaches are different.
In the LIF framework multiple automata can be specified at the same time and their representation can be shared; this idea can lead to compact representations that are currently not supported by Mona. We believe that the Mona approach to specifying hardware is often more natural than the LIF approach, since the latter, judging from the examples in [13], sometimes requires a substantial amount of reasoning at the meta-level to even see that a circuit can be brought into the form of a LIF. On the other hand, the LIF approach generalizes the Mona approach in that it offers some interesting ways of attacking the problem of simultaneous induction in more than one parameter, something that goes beyond regularity [13, 15].

A 2-adic integer is essentially an infinite string of bits that is regarded as a rational number (only certain rational numbers can be represented in this way). In this somewhat abstract setting, Vuillemin showed that synchronous circuits can be synthesized from descriptions in a language named 2Z. The circuits are represented by Synchronous Decision Diagrams or SDDs, which are essentially equivalent to the function descriptor representation of Gupta and Fisher. Vuillemin did not study algorithmic issues such as minimization of SDDs. In [3], the problem of solving equations involving 2-adic integers was studied, and it was noted that SDDs provide another representation of regular languages.
A different approach to automatic verification based on regularity has been studied by Rho

"It turns out, on analysis, that the modus operandi of this circuit is far from simple: in fact, it is unusually complex, and (so the authors found) difficult to understand intuitively. If, like most people, you find this remark difficult to accept at face value, read the rest of this account, then set it aside, and attempt, within (say) one working day, to come up with a carefully justified account of 'how' the proposed implementation is intended to function..."
5. We here use arithmetic + in the formula t + in_stable_time − 1 ≤ $, which holds if + and − are interpreted in the usual arithmetic sense without "wrap-around". We need the conjunct "t + in_stable_time − 1 ≤ $" to prevent t from lying too close to the end (in which case there would not be enough remaining time instants to model that the signals are stable for the required amount of time). The semantics of the + operation cannot be explained in terms of M2L. In the recent WS1S formulation of Mona [10], this problem has disappeared.

6. Note that t_s and t_i are first-order position variables. These are actually encoded in Mona as second-order variables ranging over singleton sets. Here t_s and t_i point to positions 0 and 1 respectively.

7. Logics involving binary predicates, such as logics on grids, are generally undecidable, since Turing Machine computations can be encoded on the grid.

8. To the best of our knowledge, all systems automating proof by mathematical induction reason about recursively specified functions, but not recursively specified relations. Indeed, some provers used for hardware verification, such as NQTHM, are so biased towards functions that they cannot represent hardware specified relationally (e.g., they lack existential quantification).
