We prove the equivalence between the ternary circuit model and a notion of intuitionistic stabilization bounds. This formalizes in a mathematically precise way the intuitive understanding of the ternary model as a level intermediate between the static Boolean model and the (discrete) real-time behaviour of circuits. We show that if one takes an intensional view of the ternary model then the delays that have been abstracted away can be completely recovered. Our intensional soundness and completeness theorems imply that the extracted delays are both correct and exact; thus we have developed a framework which unifies ternary simulation and functional timing analysis. Our focus is on the combinational behaviour of gate-level circuits with feedback.
Acknowledgements
Michael Mendler is supported by a Deutsche Forschungsgemeinschaft fellowship, and Matt Fairtlough by a grant from the University of Sheffield research development fund.
Motivation
When a binary digital circuit, say a network composed of and, or, inv gates etc., does not contain feedback loops, its static behaviour can be dealt with completely and adequately by standard Boolean two-valued analysis. However, when one is interested in delay-related phenomena such as hazards, races, or glitches, or when feedback loops cannot be avoided, as in asynchronous circuits, the two-valued Boolean model is no longer adequate. The ternary model has been introduced as a natural extension of the two-valued model to analyse circuits in the presence of propagation delays and oscillations. A third value is added to give a minimum extra capacity for accommodating time-related features of real circuits, without entering the descriptive and algorithmic complexity of a full real-time analysis. Viewed as an extension of classical propositional logic the ternary model occurs already in Kleene's work on partial recursive functions [8]. As a three-valued signal algebra the ternary model was introduced by Yoeli and Rinon [15] to analyse static hazards. Eichelberger [6] extended the method to handle general hazards in combinational circuits, and races and oscillations in sequential circuits. Later the theory and application of ternary simulation has been developed further by numerous authors, e.g. at the gate level by Brzozowski and Yoeli in [14, 5], and Malik in [10], or at the transistor level by Bryant [4]. While the relationship between the static two-valued model and the physical real-time behaviour of a binary circuit is rather straightforward and well understood, the corresponding relationship for the ternary model is not so obvious. Surely, given it is used in the right way it will recover certain time-related features of real circuits. But just what kind of extra timing information is it that is captured and how can it be formalized?
In ternary simulation the three-valued model usually is introduced as a refinement of the abstract Boolean view rather than as an abstraction of real-time behaviour. As long as the concern is more with algorithms and data structures this is the most convenient approach. However, when it comes to correctness and completeness issues this is not sufficient. We are forced to cross the t's and dot the i's and nail down the exact relationship the abstract model has to the real-time behaviour. We must make precise the intuitive reading of the new third value, be it one of "oscillation", "transient", "undefined binary value", "don't care" or all of them. In this paper we take a new look at the ternary circuit model. We present it as a result of reducing real-time information, rather than as a result of enriching an abstract two-valued model. Concretely, we obtain a formal link between ternary simulation and an intuitionistic axiomatics of real-time behaviour. In this approach the third value represents the absence of definite information about the bounded stabilization of a signal. We interpret the standard ternary function tables of binary gates and binary gate networks both as programs and as logic specifications. A formal language of ternary function tables is introduced with associated operational and axiomatic semantics. The operational semantics corresponds to a simple form of ternary simulation, while the axiomatic semantics explains the function tables as specifications of bounded real-time stabilization. We prove that the operational semantics is sound and complete with respect to the axiomatic one, thus establishing a formal link between ternary simulation and real-time behaviour. Moreover, we can show that this correspondence does not only hold in the extensional, i.e. ternary sense, but also in an intensional sense.
This means that we can maintain and manipulate exact real-time delay information in the process of ternary simulation, and thus naturally combine, in the ternary model, both functional and timing analysis of binary gate networks. Both aspects are traditionally treated as separate tasks.
Introduction
We are interested in gate-level circuits, i.e. networks built from components like Inv, And, Or, Nand gates, etc.
A signal $a$ is a timed Boolean-valued function $a \in \mathbb{N} \to \mathbb{B}$, time being represented by the natural numbers. For convenience we will fix a countably infinite number of signal names $S = \{a, b, c, c_1, c_2, \ldots, x, y, z\}$ throughout. A waveform is a mapping $V \in S \to \mathbb{N} \to \mathbb{B}$ which assigns to every signal name a concrete signal. When $V$ is understood we may confuse a signal name $a \in S$ with its associated signal $V(a) \in \mathbb{N} \to \mathbb{B}$. Finally, a circuit is conceived as a subset $C \subseteq S \to \mathbb{N} \to \mathbb{B}$ of waveforms which constrains the behaviour on (a finite number of) signals. The elements $V \in C$ might be called observable behaviours, or executions of $C$. This nails down our low-level real-time model of behaviours. Compared to the kind of models used in dynamic system theory the model is rather abstract in the sense that it builds on discrete data values and discrete time. On the other hand it does not constrain the behaviour of gates in a lot of ways. For instance, we may model the behaviour of a physical gate as a deterministic function or a nondeterministic relation, we may use transport or inertial delay assumptions and we may have data and input dependent delays or fixed delays. In the sequel we will be concerned with ways of abstracting this fine-grained model into a three-valued domain.
Let $K = \{0, \tfrac12, 1\}$ be the three-valued domain extending the Booleans $\mathbb{B}$ by an additional value $\tfrac12$, which, depending on the context, may have different intuitive readings. In typical interpretations $\tfrac12$ would stand for some or all of "oscillation", "instability", "undefined", "don't care". The exact meaning usually is left unspecified, only implicitly present in the way $\tfrac12$ is used. (y)): Though this is compatible with the static Boolean semantics, this is not the most useful way of explaining the meaning of the ternary function table. For it would imply that oscillating inputs necessarily produce an oscillation at the output of the nand. This is rather too strict an account of the nand's real-time behaviour as we may well have oscillating inputs but constant output, provided the inputs are interlaced in the right way: Moreover, in some hardware structures such as dynamic memories the oscillation of a refresh signal is in fact a prerequisite for the memory signal to remain stable. Finally, the presence or absence of oscillation in general depends (among other things) on the relative differences between the propagation delays in different parts of a circuit. So, the attempt to use the ternary function tables to predict and to reason about oscillation algebraically would be quite unnatural. Even for loop-free circuits, or when oscillation is no issue, there does not seem to be a satisfactory real-time interpretation of $\tfrac12$. See, e.g. the paper by Breuer [3] for a discussion of some of the problems. In some sense the difficulties seem to stem from the wish to interpret $K$ as representing concrete signal values, signals, or properties of individual signals. A rather different way of interpreting $K$ is not as a set of concrete signal behaviours but as a domain of information, in which $\tfrac12$ stands for "unknown". The third value is given a special status and is no longer on a par with 0 and 1.
This is the original reading of Kleene [8], which in fact is implicit in most ternary simulation approaches such as [5, 10, 4]. In this view the ternary table specifies a continuous function in the complete partial ordering (K ; ). The ternary simulation of a binary network, then, corresponds to a least fixed-point computation. This domain-theoretic interpretation of the ternary function table, however, does not answer our question. It does not assign any concrete real-time meaning to the ternary nand gate. What does the abstract fixed-point computation have to do with the real-time executions of the circuit? In this paper we offer one possible connection using a real-time interpretation of ternary function tables, based on a notion of bounded stabilization.
The Ternary Model
To begin with, let us recall the basic elements of the standard ternary extension of binary gate modelling. Building on Kleene's three-valued logic it was used originally by Yoeli, Rinon, Eichelberger, and Brzozowski [15, 6, 5] in order to analyse transient circuit behaviour. We follow the notation of these papers closely in this section.
As mentioned, the ternary extension of Boolean functions rests on viewing K = {0, 1,
Example The ternary function table of the nand gate in Fig. 1 three stable binary states may be read off, namely $r = 0 \wedge s = 0 \wedge p = 1 \wedge q = 1$, $r = 0 \wedge s = 1 \wedge p = 1 \wedge q = 0$ and $r = 1 \wedge s = 0 \wedge p = 0 \wedge q = 1$. The circuit is combinational (i.e., the outputs are Boolean and uniquely determined by the inputs) for the input states $r = 0 \wedge s = 0$, $r = 0 \wedge s = 1$ and $r = 1 \wedge s = 0$.
A Language of Ternary Function Tables
To represent ternary function tables we wish to introduce a simple and flexible formal language. There are several possible ways of concocting such a language, the basic choice being a programming language or a specification language. In our case both views actually coincide, but for reasons to become clear later, we have chosen to stress the logical aspect. The grammar of the language, which delineates a fragment of a propositional modal logic, is given by
where a ranges over the set of signal names S. When a is a signal name we will take a to stand for one of the atomic sentences, or atoms, a = 1 and a = 0. Elements of the syntactic class are called (ternary) states, those of form (ternary) function tables. States specify (ternary) information about the state of some signals. $a = 0 \wedge b = 1$ means "signal a is surely 0 and b is surely 1", those signals not mentioned in a state are given the ternary value 1 logically equivalent to true these are redundant and thus systematically eliminated. The state $a = 1 \wedge a = 0$ is an inconsistent state and equivalent to false. It will be convenient to identify a state = a 1^ ^a m with the set f a j j j m g, since the ordering of atoms and the existence of duplications is not important.
As can be seen the general structure of a function table is =
where n 1 and for all i n, both m i 1 and l i 1. The components i i we call the transitions of . When n = 1 then is a single transition. Such a transition represents the logical statement that state necessarily leads to state , provided this is consistent (with and the context in which the transition takes place). The modal symbol is to indicate this constraint "provided it is consistent", but this will come up again later.
We can represent every binary gate network by a function 
Note that the actual ordering and bracketing of the conjuncts will be of no importance. If $G = G_1, \ldots, G_n$ is a network of binary gates the associated function table is
Our idea is that ft(G) is a syntactic representation of the ternary behaviour of the network G. We will show in the next sections that this behaviour is determined by ft(G) both in an operational and in an axiomatic sense. In other words, we may view ft ( 
Observe how this formula closely corresponds with the ternary function table of the nand in Fig. 1. The rule is that every entry in the We allow the interval to be empty, i.e. $s > t$, in which case the condition becomes trivially true. In other words: in the empty interval $V$ assumes every state. This pathological case could be eliminated artificially but it makes matters more uniform if we include it. We observe that the interpretation of means the syntactic construct $\wedge$ is construed as logical conjunction: $V[s,t] \models a_1 \wedge a_2$ iff $V[s,t] \models a_1$ and $V[s,t] \models a_2$.
Example Consider the timing diagram seen in Example With transition formulas we can specify the upper bounds indicated in the timing diagram of Fig. 3 .
The statement that a falling transition on r is followed by a rising transition on p with a maximal delay of 1 1 , and that p must hold 1 at least as long as r remains 0, can be expressed as V j = 1 1 r = 0 (p = 1): Similarly, the property that when both signals s and p become stable 1, signal q must fall to 0 with a maximal delay of 2 , and thereafter keep its value as long as s and p do so, is expressed as V j = 2 (s = 1^p = 1) (q = 0):
We say that V satisfies , written V j = , if there exists a such that V j = .
With the existential quantification the concrete stabilization, or propagation delay, is abstracted away completely, so that becomes a purely qualitative specification. Though the quantitative aspect of the delay is lost for the time being, we will see that it can be recovered in an exact way. This is possible if we take validity not only in the extensional sense, viz. the mere fact that a waveform V satisfies a transition When refers to the input state and to the output state of a circuit then would capture a particular aspect of the combinational input-output behaviour of the circuit. When feedback is present, however, and might refer to the same signals, and then specifies a slightly more general form of A weaker way of abstracting from the delay would be the condition 8s: 9 : 8t: V s; t] j = x = 0 ) V s + ; t] j = z = 1; where we have swapped the quantifiers 9 and 8s. In this case the delay is unbounded and may depend on the time s when the input changes. In normal circumstances this is not what we want since we want the delay to be a property of the nand gate, not of a particular use of it. In other words, the nand gate's input x may change arbitrarily many times within a waveform, but the maximum propagation delay is fixed throughout the whole execution. However, if the ambition or need was to be faithful to subtle physical phenomena such as the metastable operation of circuits [11, 13] this weaker delay model might be more appropriate. Another direction for being more conservative would have been to ignore the data and input dependency of delays and to assume only a single delay for every gate. Also, we could have enforced the stability of non-controlling inputs. In the weakest version the nand gate then might look like 8s: 9 : 8t: 8v; w: V s; t] j = x = v^y = w ) V s + ; t] j = z = v w:
In this case the delay is unbounded, does not depend on input data, and in every observation interval all inputs are required to be stable, regardless of whether they functionally determine the output value or not. In the other direction one could also strengthen the delay model to arrive at more powerful descriptions that, for instance, also capture the sequential behaviour of circuits. This could be achieved by introducing inertial delays, which specify how long an output is guaranteed to hold its value after the input has changed, or for how long an input must at least persist in order for the output to respond. Lower bounds can be obtained with negative propagation delays. For instance, 9 : 8s; t: V s; t] j = x = 0 ) V s ? ; t] j = z = 1 implies that whenever (e.g. output) x goes to 0 then (e.g. input) z must have been stable at 1 for at least a period . This is a lower bound on z and an inertiality for the reaction of x to z. Real-time gate models with inertiality can be found in the work of [2] for instance. An example of a rather strong real-time model is the inertial delay model of Brzozowski and Yoeli [14]. In their model a gate has unbounded propagation delay but infinite inertial delay. This means that if a gate is excited through an input transition the output will follow eventually (unboundedly), but does not change at all if the input returns to the stable position before. Each of these choices for a delay model yields a different real-time interpretation, and in each case the question arises of how it might relate to the abstract ternary model.
Ternary Simulation As a Formal Calculus
The essence of traditional ternary simulation methods can be captured by proofs or derivations in a formal calculus on ternary function tables. We define a derivation relation 1` 2 between function tables to formalise an abstract understanding of ternary simulation. The calculus can be seen not only as a logical calculus but also as an operational semantics. From the logic point of view it constitutes a fragment of the sequent calculus for Propositional Lax Logic [7]. The relation $\vdash$ is the smallest relation closed under the rules shown in Fig. 6. In the rules L and id it is to be understood that one or both of the left and right side contexts 1 , 2 may not be present, and similarly in the rule L the side contexts 1 , 2 may be missing. Strictly speaking, the system consists of two derivation relations. One is 1` 2 where both 1 The analogy breaks down, however, with rule contr, which is special to our calculus. It formalizes a notion of inconsistency, saying that if a function table ( starting from state ) is shown to lead to an inconsistent response $a = 1 \wedge a = 0$, then we can derive any response $b = v$ for it. Thus, the state $a = 1 \wedge a = 0$ has the same role as the formula false in logic. This means that our notion of simulation also involves keeping track of inconsistencies. As a consequence the relation ; ` must be read as the constrained assertion that starting from initial state leads to the response , provided can be maintained for long enough without producing an inconsistency. This relativization is crucial to cope with oscillations.
The relationship between the two relations 1` 2 and ; ` is given by Prop. 7.1 below. to obtain an equivalent calculus. This new calculus has the property that for every end sequent there are only a finite number of finite derivations, if there are any at all. Thus, we could mechanize the calculus directly in Prolog to obtain an executable, albeit naive, implementation. The direct implementation of the calculus is not our primary concern, however. The purpose of the calculus is to act as a reference system for reasoning about correctness and completeness of real-time semantics, and as an interface between the logic and algebraic viewpoints.
Ternary Simulation
Let us see how our calculus provides an operational semantics of the ternary behaviour of binary gate networks. We first consider a single gate G In other words, we are interested in the set R(G;ṽ) := f b j ft(G); (ṽ)` bg; which we will abbreviate temporarily by $R(\tilde{v})$. There are three possibilities: $R(\tilde{v}) = \{b = 1\}$. This is the case if the resulting output value for b is 1, i.e. g (ṽ) = 1. $R(\tilde{v}) = \{b = 0\}$. This is the dual case indicating that the output value for b is 0, i.e. g (ṽ) = 0. $R(\tilde{v}) = \emptyset$. This means that nothing definite can be inferred about the output value, corresponding to
One can show that the case $R(\tilde{v}) = \{b = 1, b = 0\}$ is excluded because $b \notin I$ and the fact that ft(G) does not contain conflicting transitions for b. We can sum up the situation as follows: The situation becomes more complicated when feedback is allowed. Consider again a single gate $G = (I, b, g)$, but this time we allow $b \in I$, say $I = \{a_1, \ldots, a_m, b\}$. If the goal is to capture the behaviour of G as a combinational device, then we view G as a function from the primary inputs $\{a_1, \ldots, a_m\}$ to output signal b, i.e. as a function $G \in K^m \to K$. As mentioned before this function is obtained by taking G (ṽ) = : ( w: g (ṽ; w)); by fixed point construction. Again, we may recover G in our calculus from $R(G, \tilde{v})$ defined exactly as above.
Proposition 7.5 Let $G = (I, b, g)$ be a single gate with $I = \{a_1, \ldots, a_m, b\}$, and g not constant. Then for all $\tilde{v} \in K^m$ and $e \in \mathbb{B}$, $G(\tilde{v}) = e$ iff $b = e \in R(G, \tilde{v})$. The proposition generalizes to any binary network $G = G_1, \ldots, G_n$, where $\{a_1, \ldots, a_m\}$ is the set of all its primary inputs and b one of its gate outputs. In this manner we have included the essence of Malik's ternary combinational analysis in a logical framework. For instance, we can give a characterization of Malik's notion of "combinational" circuits as follows:
Proposition 7.6 A binary gate network $G = G_1, \ldots, G_n$ with primary inputs $\{a_1, \ldots, a_m\}$ is combinational for a given output b, in the sense of Malik [10], iff for all binary input states $\tilde{v} \in \mathbb{B}^m$, either $b = 1 \in R(G, \tilde{v})$ or $b = 0 \in R(G, \tilde{v})$.
In other words, G is combinational for output b if for every Boolean assignment to its primary inputs our simulation calculus allows us to derive a definite Boolean response for b. The definition of R is based on derivability, and because of the finiteness of our calculus (with rule L ) it can be computed effectively in a finite number of steps. Obviously, there are many ways of actually performing this computation. For instance, we could simply enumerate all derivations in a systematic way. A more sophisticated solution is given by an iterative process as follows: suppose that ft(G) = We define $R(G, \tilde{v}) = \bigcup_k R_k$. Obviously, the sequence $R_k$ must become stationary, so that R can be computed in a finite number of steps. Note however that the delay information that we will find embedded in the full calculus is not recorded in this bottom-up construction of R, although it would not be difficult to amend the construction to record this information.
An even more sophisticated method would be not to construct $R(G, \tilde{v})$ point-wise for every $\tilde{v}$ but to compute the function $R(G) : \tilde{v} \mapsto R(G, \tilde{v})$ as a whole. This can be done by symbolic means, using BDDs and in a dual-rail coding of the ternary information involved. This solution is applied by the ternary simulation approaches of Malik [10] or Bryant [4].
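The bottom-up construction of R described above, amended to record stabilization bounds, as an added example (not code from the paper). Assumptions: the latch wiring p = nand(r, q), q = nand(s, p) is inferred from the stable states listed earlier for the RS flip-flop, the numeric delays are constructed, and a fired transition's bound is taken to be the latest premise bound plus that transition's own delay.

```python
from itertools import product

HALF = 0.5  # third ternary value: no definite information

def nand_table(x, y, z, d_x0, d_y0, d_11):
    """Function table of z = nand(x, y) as three transitions
    (premise atoms, conclusion atom, delay); an atom is (signal, bit)."""
    return [
        ({(x, 0)}, (z, 1), d_x0),          # x = 0 leads to z = 1
        ({(y, 0)}, (z, 1), d_y0),          # y = 0 leads to z = 1
        ({(x, 1), (y, 1)}, (z, 0), d_11),  # x = 1 and y = 1 lead to z = 0
    ]

def simulate(table, inputs):
    """Fire transitions until the set of derived atoms is stationary.
    Returns {atom: smallest bound found}. Input signals valued HALF are
    simply not mentioned in the initial state."""
    derived = {(s, b): 0 for s, b in inputs.items() if b in (0, 1)}
    changed = True
    while changed:
        changed = False
        for premise, concl, delay in table:
            if all(atom in derived for atom in premise):
                # Assumed composition rule: wait for the slowest premise,
                # then add the delay of the transition being fired.
                bound = max(derived[atom] for atom in premise) + delay
                if bound < derived.get(concl, float("inf")):
                    derived[concl] = bound
                    changed = True
    return derived

def value(derived, sig):
    """Ternary value of a signal read off the derived atoms."""
    is0, is1 = (sig, 0) in derived, (sig, 1) in derived
    if is0 and is1:
        raise ValueError(f"inconsistent response derived for {sig}")
    return 0 if is0 else 1 if is1 else HALF

def combinational_inputs(table, primary, output):
    """Binary input vectors for which a definite response is derived
    for `output` (the condition of Proposition 7.6, checked per vector)."""
    definite = []
    for bits in product((0, 1), repeat=len(primary)):
        derived = simulate(table, dict(zip(primary, bits)))
        if value(derived, output) != HALF:
            definite.append(bits)
    return definite

# Constructed delays; wiring p = nand(r, q), q = nand(s, p) is assumed.
LATCH = nand_table("r", "q", "p", 3, 4, 5) + nand_table("s", "p", "q", 2, 6, 7)

if __name__ == "__main__":
    for r, s in product((0, 1), repeat=2):
        d = simulate(LATCH, {"r": r, "s": s})
        print(f"r={r} s={s}: p={value(d, 'p')} q={value(d, 'q')} bounds={d}")
    print("combinational for p on:", combinational_inputs(LATCH, ["r", "s"], "p"))
```

For r = 0, s = 1 the bound recorded for q = 0 is the sum of the two transition delays actually used (3 + 7), and for r = 1, s = 1 nothing is derived, so the latch is not combinational for that input state.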
Soundness and Completeness, Intensionally
As in ordinary logic we can define a semantical consequence relation between function tables, 1 j = 2 , abbreviating the condition 8V: V j = 1 ) V j = 2 , i.e. the condition that every model of 1 is a model also of 2 . In this section we will make explicit the intensional contents of the operational and axiomatic semantics of ternary function tables, and prove the equivalence 1 j = 2 , 1` 2 in the strong sense, showing that the underlying quantitative delay information is preserved in both directions as well. But before we can state the theorems we need to uncover the intensional contents of $\models$ and $\vdash$. where is defined component-wise.
Our soundness and completeness theorems now state that the delay-enriched versions of $\vdash$ and $\models$ are equivalent. More precisely, if $\mathbb{N}_0 = \mathbb{N} \setminus \{0\}$ is the set of positive numbers, then for all~ 1 property. So, in order to get the minimal delay we can compute all proofs and take the minimum of the extracted delays. This is always possible since there are only a finite number of different derivations.
We should remark that completeness, in general, need not hold for delays~ 1 Example Consider the RS-flip-flop of ($p = 1 \wedge q = 0$). Note that 1 1 + 2 is a data-dependent stabilization bound that picks out precisely those delays from the nand-gates' transitions that are actually relevant to produce the input-output response ($r = 0 \wedge s = 1$) ($p = 1 \wedge q = 0$) for the RS-flip-flop.
Theorem 8.3 ensures that ternary simulation provides safe timing information. But does it also provide complete, i.e. exact, information about real-time delays? The answer is yes, by the following intensional completeness theorem. Thus, the ternary calculus is "tight" with respect to delay bounds, which applies not only to the derivation of proper combinational behaviour but also to the derivation of bounds for oscillations. On the syntactic side our results imply that ternary function tables can be seen as a fragment of a specific intuitionistic modal logic, Propositional Lax Logic. The operational semantics of function tables in this setting comes down to a formal logical calculus. The intuitionistic nature of the calculus makes it possible to extract data-dependent stabilization delays from derivations in the calculus. The intensional versions of our soundness and completeness theorems then guarantee that the extracted delays are both correct and exact, relative to the chosen real-time semantics. This shows that ternary simulation and functional timing analysis, which so far have been treated as unrelated methods (see e.g. [10]), can be unified in a single framework. The more general importance of this work lies in capturing a low level real-time model by a simple formal calculus that may be used as a convenient reference system to substitute the real-time model. We can develop circuit simulation and synthesis techniques, and reason about their correctness and completeness, relative to this calculus, without every time having to go through the details of quantifier reasoning and temporal inequations again. A particular advantage of our logical setting, as opposed to e.g. an algebraic approach, is that it obtains a quite natural separation of the intensional aspect of timing from the extensional aspect of function in a mathematically very precise sense: The timing is part of the derivations or proofs, and the function is part of the formulas.
We can deal with the intensional structure by standard proof-theoretic methods, and with the extensional structure by standard model-theoretic means. We believe that the correspondence

                      Calculus      Real-Time Semantics
Extensional Aspect    Formula   ↔   Function
Intensional Aspect    Proof     ↔   Timing

brought up in this work is a useful concept that can be used in many other situations as well. We aim to extend our results to more powerful logical calculi and to richer real-time semantics. As a first step we will consider full Propositional Lax Logic with special focus on higher-order function tables, i.e. formulas with arbitrary nesting of implications. In another direction it would appear natural to introduce Boolean expressions to arrive at a (restricted) first-order logical system, in which symbolic simulation can be represented. Concerning the semantics we will investigate more sophisticated delay models, involving upper as well as lower bounds. Our hope is that this would lead to a general framework for the extraction of timing constraints, such as set-up and hold times, for asynchronous sequential circuits in fundamental mode operation. This paper in the first place aims at a logical and semantical investigation of ternary simulation, not at making a contribution to the algorithmic side of the matter. Though our simulation calculus can be implemented it operates at too low a level to be efficient. The main disadvantage is that it manipulates concrete bits of binary information rather than a compact symbolic representation of ternary states, as done by other published simulation algorithms (like Bryant's). However, as our calculus is a calculus of logic, it can be made arbitrarily symbolic, simply by enriching the logical formalism. In this way it should be possible to extend our results to full ternary symbolic simulation, and in fact further to cover large amounts of first-order and higher-order intuitionistic theorem proving.
