We describe the application ESBC, which performs the timing analysis of a combinatorial circuit. The circuit is described by formulas of classical logic, and the propagation delays of the signals through a gate are represented by a kind of valuation form semantics. ESBC computes the exact times at which the output signals stabilize.
Introduction
Valuation forms provide an intensional semantics of formulas inspired by the BHK explanation of the constructive connectives (see e.g. [3, 8]). Roughly speaking, a valuation form for a formula A is an "object" providing a constructive justification for the truth of A. In recent years, several families of valuation forms have been devised to formalize different problems in logic and computer science. As examples we cite [6], where valuation forms are studied from a purely logical point of view; [5], where they are used to formalize databases; [4], where valuation forms characterize stabilization bounds in combinatorial circuits; and [7], where valuation forms provide the semantics of CML, a Constructive Modeling Language for Object Oriented systems.
One of the interesting aspects of valuation forms is that they are compatible with classical semantics. In the framework of formal methods one can use formulas with their intended classical meaning to formalize the system at hand, and valuation forms to characterize some intensional property of the system. For instance, in the context of timing analysis the formulas describe the usual functional behavior of the circuit components, while the valuation forms are the functions describing the delays of the circuit components. We remark that in this context valuation forms provide only a partial semantic justification of the truth of the formulas, since they characterize the correctness of the circuit only up to stabilization bounds.
All the above mentioned families of valuation forms characterize constructive superintuitionistic logics with constructive negation, and each of these logics is a superset of the logic E studied in [6]. This means that the natural deduction calculus NdE for the logic E devised in [6] is valid for all these semantics. This allows us to define a parametric extraction procedure that, once the family of valuation forms of interest has been selected, extracts from an NdE proof of A1, ..., An ⊢ B a function computing the valuation form justifying B, having as inputs the valuation forms for A1, ..., An.
In this paper we describe the stabilization bound semantics and an application built to compute and evaluate the valuation forms describing stabilization bounds of combinatorial circuits. This application consists of a C++ theorem prover for the propositional logic E based on tableau calculi (fully described in [1]), a Java package translating tableau proofs into NdE proofs, a Java package extracting the function computing the stabilization bound from a correctness NdE proof of the circuit, and the Java package which evaluates the function.
The paper is structured as follows: in Section 2 we discuss the stabilization bound semantics, in Section 3 we briefly describe the tableau calculus, the theorem prover and the translation into NdE proofs, and finally in Section 4 we describe the implementation of the valuation form extractor and provide an example.
Exact Stabilization Bounds
In the logical approach to circuit analysis a semantics represents an abstraction from the physical details. To give an example, let us consider the gates INV and NAND of Figure 1. Their behavior is specified by the following formulas of classical logic
Indeed, the truth table of INV(x, y) represents the input/output behavior of the INV gate having x as input and y as output. Analogously, NAND(x, y, z) represents the NAND gate, where x and y are the inputs and z is the output. Similarly, the classical behavior of the XOR circuit can be specified by the formula
where x and y represent the inputs and z the output. Classical semantics allows us to study the input/output behavior of combinatorial circuits, but does not allow us to represent temporal information about the stabilization properties of the circuits. A more realistic description of the XOR circuit of Figure 1 should consider the instant at which the signals become stable and the delays in the propagation of signals; e.g., an "informal" characterization of the behavior of the above circuit should be as follows:
((a stable to 1 at t1) and (b stable to 0 at t2)) or ((a stable to 0 at t1) and (b stable to 1 at t2)) ⇒ (g stable to 1 at F(t1, t2))
((a stable to 1 at t1) and (b stable to 1 at t2)) or ((a stable to 0 at t1) and (b stable to 0 at t2))
where F and G are functions from N² to N and N represents discrete time.

To formalize these aspects, we recall the main notions introduced in [4]. A signal is a discrete timed boolean function σ ∈ N → B. A circuit is characterized by a set of observables S = {a, b, c1, c2, ...} (the atomic formulas of our language); for instance, to represent the XOR circuit of Figure 1 we need the set of observables {a, b, c, d, e, f, g} representing the connections between the gates of the circuit. A waveform is a map V ∈ S → (N → B) associating a signal with every observable. A waveform represents an observable property of a circuit C, whereas an observable behavior of C is described by a set of waveforms.

A signal V(a) is stable to 1 at time t iff V(a)(k) = 1 for all k ≥ t; similarly, V(a) is stable to 0 at t iff V(a)(k) = 0 for all k ≥ t. We only consider eventually stable waveforms V, namely: for every a ∈ S there is a t such that the signal V(a) is stable at time t (to 0 or to 1). Figure 2 describes a possible eventually stable waveform for the NAND circuit. Here, the input signal V(x) stabilizes to 1 at time t4, while the input signal V(y) stabilizes to 1 at time t5; the output signal V(z) stabilizes to 0 at time t6, with a certain delay with respect to the time t5 at which both inputs are stable to 1.

To express stabilization properties of waveforms and behaviors we use a propositional language L_S based on a denumerable set of observables S. Formulas of L_S are inductively defined as follows: for every a ∈ S, a is an atomic formula of L_S; if A, B ∈ L_S, then A ∧ B, A ∨ B, A → B and ∼A belong to L_S. Temporal information is represented by stabilization bounds, which are a variant of the valuation form semantics introduced in [6]. Let A be a formula of L_S; the set of stabilization bounds A for A is inductively defined on the structure of A as follows:
• If A = a or A = ∼a, with a ∈ S, then A = N.
• B ∧ C = B × C.
• ∼(B ∨ C) = ∼B × ∼C.
• ∼(B → C) = B × ∼C.
• ∼∼B = B.
Intuitively, a stabilization bound α ∈ A intensionally represents a set of waveforms that validate A for the "same reasons" and with the "same delay bounds". The main concern of timing analysis is to determine the exact time instant at which an output signal of a circuit becomes stable, and this is done by computing exact stabilization bounds. Let A be a formula, let α ∈ A and let V be an eventually stable waveform; α is exact for V and A if one of the following conditions holds:
- A = a and α = min{t | V(a) is stable to 1 at t}.
- A = ∼a and α = min{t | V(a) is stable to 0 at t}.
- A = ∼(B1 ∧ B2), α = (i, βi) with i ∈ {1, 2}, and βi is exact for V and ∼Bi.
- A = ∼(B ∨ C), α = (β, γ), β is exact for V and ∼B, and γ is exact for V and ∼C.
- A = ∼(B → C), α = (β, γ), β is exact for V and B, and γ is exact for V and ∼C.
- A = ∼∼B and α is exact for V and B.
To give an example, let us consider the above INV and NAND gates. A stabilization bound for INV(x, y) is a pair of functions from N to N. Let us assume that the INV gate has the following observable behavior: if the signal V(x) stabilizes to 1 at t, then the signal V(y) stabilizes to 0 at t + δ0; if V(x) stabilizes to 0 at t, then V(y) stabilizes to 1 at t + δ1. In our semantic framework, this is described by the exact stabilization bound (f which formalizes the fact that, if V(x) stabilizes to 1 at t4 and V(y) stabilizes to 1 at t5, then V(z) stabilizes to 0 at t6.
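The definitions above (signals, waveforms, stability and the exactness clauses) and the INV/NAND delay behaviour just described can be checked mechanically. The following Python code is an example added here; it is not part of the paper or of ESBC. It truncates signals to a finite horizon, models a gate as a value-dependent transport delay (an assumption; the paper does not fix a gate model), uses assumed delay values, and checks candidate bounds against a constructed waveform with the clauses listed above (the positive ∧, ∨ and → clauses, which the text does not list, are left out).

```python
# Added example (not part of the paper or of ESBC): a finite-horizon model of the
# stabilization-bound semantics of Section 2 and of the INV/NAND delay behaviour.
# Signals (N -> B) are truncated to a horizon H and stored as lists of 0/1; a
# waveform is a dict observable -> signal.  Formulas are nested tuples:
# ('atom', a), ('not', A), ('and', A, B), ('or', A, B), ('imp', A, B).
H = 24  # horizon; every constructed signal below is constant well before H

def stable_to(sig, v, t):
    """V(a) is stable to v at t iff V(a)(k) = v for all k >= t."""
    return all(s == v for s in sig[t:])

def exact_time(sig, v):
    """min{t | sig is stable to v at t}; None if sig is not stable to v within H."""
    if sig[-1] != v:
        return None
    t = len(sig) - 1
    while t > 0 and sig[t - 1] == v:
        t -= 1
    return t

def is_exact(alpha, V, A):
    """The exactness clauses listed in the text: alpha is exact for waveform V and formula A."""
    if A[0] == 'atom':                           # a: first time V(a) is stable to 1
        return alpha == exact_time(V[A[1]], 1)
    if A[0] == 'not':
        B = A[1]
        if B[0] == 'atom':                       # ~a: first time V(a) is stable to 0
            return alpha == exact_time(V[B[1]], 0)
        if B[0] == 'and':                        # ~(B1 ^ B2): alpha = (i, beta_i)
            i, beta = alpha
            return i in (1, 2) and is_exact(beta, V, ('not', B[i]))
        if B[0] == 'or':                         # ~(B v C): alpha = (beta, gamma)
            beta, gamma = alpha
            return is_exact(beta, V, ('not', B[1])) and is_exact(gamma, V, ('not', B[2]))
        if B[0] == 'imp':                        # ~(B -> C): alpha = (beta, gamma)
            beta, gamma = alpha
            return is_exact(beta, V, B[1]) and is_exact(gamma, V, ('not', B[2]))
        if B[0] == 'not':                        # ~~B: alpha exact for B
            return is_exact(alpha, V, B[1])
    # the positive ^, v, -> clauses are not among those listed in the text
    raise NotImplementedError(f"no exactness clause given for {A[0]}")

def transport(ideal, delay):
    """Assumed gate model (value-dependent transport delay): a change of the ideal
    output to value v at time t reaches the real output at t + delay[v]."""
    out = [ideal[0]] * len(ideal)
    events = sorted((t + delay[v], v) for t, v in enumerate(ideal)
                    if t > 0 and v != ideal[t - 1])
    for at, v in events:
        for k in range(at, len(out)):
            out[k] = v
    return out

def inv_gate(x, delay):
    """INV: delay[0] is delta_0 (y settling to 0), delay[1] is delta_1 (y settling to 1)."""
    return transport([1 - s for s in x], delay)

def nand_gate(x, y, delay):
    return transport([1 - (a & b) for a, b in zip(x, y)], delay)

def step(t, before, after):
    """Constructed input signal: `before` for k < t, `after` for k >= t."""
    return [before if k < t else after for k in range(H)]

def demo():
    # INV with assumed delays delta_0 = 2, delta_1 = 3; V(x) stable to 1 at 4
    x = step(4, 0, 1)
    y = inv_gate(x, {0: 2, 1: 3})
    inv_ok = exact_time(y, 0) == exact_time(x, 1) + 2          # y stable to 0 at 6
    # NAND with assumed delays; V(x) stable to 1 at t4 = 4, V(y) stable to 1 at t5 = 5
    x4, y5 = step(4, 0, 1), [1, 1, 0, 0, 0] + [1] * (H - 5)
    z = nand_gate(x4, y5, {0: 2, 1: 1})
    t6 = exact_time(z, 0)                                       # max(t4, t5) + 2 = 7
    # exactness of candidate bounds against a constructed waveform W
    W = {'a': step(3, 0, 1), 'b': step(2, 1, 0)}
    a, b = ('atom', 'a'), ('atom', 'b')
    checks = {
        'a at 3': is_exact(3, W, a),
        '~b at 2': is_exact(2, W, ('not', b)),
        '~(a^b) justified by b': is_exact((2, 2), W, ('not', ('and', a, b))),
        '~(a^b) justified by a': is_exact((1, 3), W, ('not', ('and', a, b))),  # a is never stable to 0
        '~(a->b)': is_exact((3, 2), W, ('not', ('imp', a, b))),
        '~~~b': is_exact(2, W, ('not', ('not', ('not', b)))),
    }
    return inv_ok, t6, checks

if __name__ == '__main__':
    print(demo())
```

Running the module shows that the INV output settles to 0 exactly δ0 after its input settles to 1, that the NAND output settles to 0 at max(t4, t5) plus its delay, and that for ∼(a ∧ b) only the bound citing the input that is actually stable to 0 is exact, which is what the (i, βi) form of the clause expresses.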
Table 1. The negation rules of the calculus NdE.

To give a picture of our extraction algorithm, let C be a circuit consisting of the gates G1, ..., Gn, where each Gi is described by a formula Ai, and let B be the formula describing the input/output behavior of C (see the examples above). A formal correctness verification of the circuit amounts to providing a classical proof π : A1, ..., An ⊢ B, where A1, ..., An are the open assumptions of π and B is the proved formula. Moreover, let Vi (1 ≤ i ≤ n) be the waveform corresponding to the observable behavior of Gi and let αi be an exact stabilization bound for Ai and Vi (namely, αi describes the behavior of Gi); finally, let V be the waveform corresponding to the observable behavior of C (V describes the temporal information about the input/output signals of the whole circuit). To determine V, it suffices to compute an exact stabilization bound for V and B. As fully described in [4], this can be accomplished by considering proofs of the constructive calculus NdE, obtained by adding to the usual natural deduction calculus for intuitionistic logic the rules of Table 1, where the discharged assumptions are put between square brackets.
As a matter of fact, the main result of [4] states:
Theorem 2.1. Let π : A1, ..., An ⊢ B be a proof of the calculus NdE. There is a recursive function Fπ : A1 × ··· × An → B such that, for all α1 ∈ A1, ..., αn ∈ An and for every eventually stable waveform V, if α1 is an exact stabilization bound for V and A1, ..., αn is an exact stabilization bound for V and An, then Fπ(α1, ..., αn) is an exact stabilization bound for V and B.
The function Fπ is defined according to the structure of π. Here we only provide some cases. If π : A ⊢ A consists only of an assumption introduction, Fπ is the identity function. If π is the proof
Building NdE proofs
To apply our extraction procedure, we need an NdE proof of the correctness of the circuit. However, it is well known that natural deduction calculi are not adequate for proof search. For this reason we use a tableau-based theorem prover to build the correctness proof, and then we translate it into an NdE proof. In this section we give a quick overview of both the tableau calculus and the translation rules. Our theorem prover implements the tableau calculus Tab of [1], which has the "same deductive power" as NdE. Unlike natural deduction, tableaux are goal-oriented calculi; this feature makes them suitable for automated deduction (see [2] for an account of the wide applicability of tableau systems).
The tableau calculus Tab uses an object language with the signs T, F, Fc and Tc and is equivalent to NdE in the following sense:
• π : A1, ..., An ⊢ B ∈ NdE iff there exists a tableau proof in Tab of {TA1, ..., TAn, FB}.
The depth of every proof table is linearly bounded by the length of the input formulas; moreover, there exists an "efficient" strategy for the application of the rules which strongly bounds the backtracking. The theorem prover described in [1] implements an O(n²)-SPACE proof search procedure for proofs of Tab. To simplify the translation from tableau proofs into natural deduction proofs, we add to the calculus NdE the following cut rules
Here we give two examples of translation. Let Γ = {H1, ..., Hn} and let S = {TH1, ..., THn}.

The rule

    S, FC, T(A ∧ B)
    ----------------- T∧
    S, FC, TA, TB

is translated as

The rule

    S, FD, T(A ∧ B → C)
    ----------------------- T→∧
    S, FD, T(A → (B → C))

is translated as
In the above proofs, the number beside a rule name indicates the point where the corresponding assumptions are discharged. The translation of the proof generated by the tableau theorem prover (implemented in C++) is performed by a Java package of the application.
The system ESBC
In this section we discuss the implementation issues. The ESBC software performs all the steps to compute stabilization bounds of combinatorial circuits discussed in the previous sections. It consists of the following independent modules: (i) the tableau theorem prover; (ii) the translator from proofs of Tab into proofs of NdE; (iii) the tool which computes stabilization bounds, exploiting the proofs produced by (ii).
The behavior of the AND, OR and XOR gates is specified by the formulas:
The input/output behavior of the signals of the circuit is specified by the formula:

Firstly, we search for a proof π : C ⊢ S of NdE, using modules (i) and (ii) of ESBC. Then, (iii) uses π to compute the stabilization bounds of the circuit. We have to provide the stabilization bounds of the elementary gates. As discussed in Section 2, a stabilization bound for AND(x, y, z) is a pair of functions (f We compute the exact stabilization bounds of the output signals assuming that the input signals are stable at time 0. By applying the above exact stabilization bounds to the function Fπ associated with π, ESBC produces the results given in the following table, where for every input signal we show its truth value, and for every output signal both its truth value and its stabilization bound. For instance, if the signals V(x), V(y) and V(z) stabilize to 1 at time 0, then V(s) stabilizes to 1 at time 6 and V(r) stabilizes to 1 at time 12 (see the last row of the table).
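The computation that module (iii) carries out can be illustrated at the level of bounds rather than proofs: each gate maps the exact bounds (value, time) of its inputs to an exact bound of its output and, when the output is justified by a single input, records which one, mirroring the (i, βi) form of a bound for ∼(x ∧ y). The Python code below is an example added here; it is neither ESBC code nor the function Fπ extracted from a proof. The gate delays, the netlist (a full adder with sum s and carry r, chosen only because the page's circuit also has inputs x, y, z and outputs s, r) and hence the resulting times are assumptions for illustration and do not reproduce the page's table.

```python
# Added example (not ESBC code): bound-level evaluation of a gate netlist, in the
# style of the function F_pi extracted from a correctness proof.  Every signal
# carries an exact stabilization bound (value, time, reason); inputs are assumed
# stable at time 0 as in the text.  The gate delays and the netlist are assumptions
# chosen for illustration and are not the page's circuit or its delays.
from itertools import product

# Assumed delays: d[0] for the output settling to 0, d[1] for settling to 1.
DELAYS = {'AND': {0: 1, 1: 2}, 'OR': {0: 1, 1: 2}, 'XOR': {0: 3, 1: 3}}

def _first(bounds, value):
    """1-based index and time of the input that settles to `value` first."""
    t, i = min((t, i) for i, (v, t, _) in enumerate(bounds, 1) if v == value)
    return i, t

def and_bound(bx, by):
    d = DELAYS['AND']
    if bx[0] == 1 and by[0] == 1:            # z stable to 1 needs both inputs
        return (1, max(bx[1], by[1]) + d[1], 'both inputs 1')
    i, t = _first((bx, by), 0)               # z stable to 0: one input suffices, as in (i, beta_i)
    return (0, t + d[0], f'input {i} is 0')

def or_bound(bx, by):
    d = DELAYS['OR']
    if bx[0] == 0 and by[0] == 0:            # z stable to 0 needs both inputs
        return (0, max(bx[1], by[1]) + d[0], 'both inputs 0')
    i, t = _first((bx, by), 1)               # z stable to 1: one input suffices
    return (1, t + d[1], f'input {i} is 1')

def xor_bound(bx, by):
    v = bx[0] ^ by[0]                        # XOR always depends on both inputs
    return (v, max(bx[1], by[1]) + DELAYS['XOR'][v], 'both inputs')

GATES = {'AND': and_bound, 'OR': or_bound, 'XOR': xor_bound}

# Assumed netlist in topological order: (gate, output, inputs).  c, d, e are
# internal observables; s is the sum and r the carry of a full adder.
NETLIST = [('XOR', 'c', ('x', 'y')), ('XOR', 's', ('c', 'z')),
           ('AND', 'd', ('x', 'y')), ('AND', 'e', ('c', 'z')), ('OR', 'r', ('d', 'e'))]

def evaluate(inputs, netlist=NETLIST):
    """Propagate (value, time, reason) bounds from the inputs to every observable."""
    bounds = {a: (v, 0, 'input, stable at 0') for a, v in inputs.items()}
    for gate, out, ins in netlist:
        bounds[out] = GATES[gate](*(bounds[a] for a in ins))
    return bounds

def timing_table(inputs=('x', 'y', 'z'), outputs=('s', 'r')):
    """One row per input assignment: input values and (value, time) of each output."""
    rows = []
    for vals in product((0, 1), repeat=len(inputs)):
        b = evaluate(dict(zip(inputs, vals)))
        rows.append((vals, {o: b[o][:2] for o in outputs}))
    return rows

if __name__ == '__main__':
    for vals, outs in timing_table():
        print(vals, outs)
```

With all three inputs stable to 1 at time 0, the internal XOR output c settles to 0 at 3, so s settles to 1 at 6, while the carry r settles to 1 at 4 because the AND of x and y alone justifies it; the recorded reason makes visible which input a bound relies on, which is the information the (i, βi) bounds of Section 2 carry.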
