Symbolic trajectory evaluation is a new approach to formal hardware verification combining the circuit modeling capabilities of symbolic logic simulation with some of the analytic methods found in temporal logic model checkers. We have created such an evaluator by extending the symbolic switch-level simulator COSMOS. This program gains added efficiency by exploiting the ability of COSMOS to evaluate circuit operation over a ternary logic model, where the third value X represents an unknown logic value. This program can formally verify systems containing complex features such as switch-level models, detailed timing. and pipelining.
Introduction
Formal verification seeks to overcome the weakness of informal design testing by simulation. Using our verifier, one can prove that a switch-level model of the transistor circuit correctly implements a formal description of the desired behavior for all possible system operations. Formal verification becomes increasingly desirable as system designs become more complex. With the introduction of pipelining and concunentlyoperating subsystems, it becomes increasingly difficult using informal methods to evaluate the many subtle interactions between logically unrelated system activities.
In this paper we describe a new approach to formal verification that augments the circuit modeling capabilities of symbolic, switch-level simulation with some of the analytic capabilities found in temporal logic model checkers. With this increased analytic capability, we can express such temporal aspects of circuit behavior as clocking methodology and the skewing in time caused by pipelining. This paper describes the operation and application of our evaluator using a number of circuit design examples. A detailed presentation of the formal logic is presented in [2].
Most automated approaches to formal verification (as opposed to more manual methods based on theorem proving) are based either on symbolic simulation or on state machine analysis. A symbolic simulator evaluates circuit behavior using symbolic variables (typically Boolean-valued) to encode a range of circuit operating conditions. In one simulation run, a symbolic simulator can compute what would require many runs of a conventional simulator. Symbolic simulation can support detailed circuit models and can handle large circuits. In addition to a method for evaluating circuit operation, however, formal verification requires a methodology for specifying the desired behavior and for checking the correspondence between the desired and realized behaviors. Straightforward symbolic simulation is adequate for verifying combinational circuits or the combinational portion of sequential circuits [5]. For verifying sequential systems where the state storage elements are not identified, or for which the behavioral specification is not based on the explicit state encoding, however, a more powerful methodology is required.
With state machine analysis, the program creates a finite state machine representation of the circuit. The program can then analyze properties of the machine. such as deciding the truth of a temporal logic formula [l] or determining whether two finite state machines are equivalent [4]. These methods are very powerful in their analytic capability. Their major lirnitation is in their performance as the finite state machines become very large. Recent versions of these programs encode the states symbolically and hence can analyze systems having very large numbers of states. For circuits involving large amounts of storage, such as memories, data paths. and processors, the automata become too large to represent even symbolically.
Symbolic Trajectory Evaluation
Symbolic trajectory evaluation extends symbolic simulation with some of the analytic capability of finite state system analyzers. The user specifies the desired behavior of the system by assertions expressed as temporal logic formulas. Our temporal logic is quite restricted; it allows us to express properties of the circuit over trajectories: bounded-length sequences of circuit states. 
Specifying Circuit Behavior

Specification Logic
We model a circuit as operating over logic levels 0, 1, and a third level X representing an indeterminate or unknown level.
These values can be partially ordered by their "information content" as X C 0 and X C 1, i.e.. X conveys no information about the node value, while 0 and 1 are fully defined values.
The only constraint we place on the circuit model-apart from the obvious requirement that it accurately model the physical system-is monotonicity over the information ordering. Intuitively, changing an input from X to a binary value (i.e., 0 or 1) must not cause an observed node to change from a binary value to X or to the opposite binary value. In extending to symbolic evaluation, the circuit nodes can take on arbitrary ternary functions over a set of Boolean variables V. erates until it reaches a stable state. This timing level was chosen to allow more detailed analysis than traditional state machine models, which represent an entire clock cycle as a single state transition. Potentially, our method could be extended to even more detailed timing models, including ones modeling real time.
Our algorithm checks only one basic form, the assertion. in the form of an implication [A C ] ; the antecedent A gives the stimulus and current state, and the consequent C gives the desired response and state transition. System states and stimuli are given as trajectories over fixed length sequences of phases.
We describe each of these trajectories with a temporalfordu. Primitive formulas specify Boolean values for circuit nodes, i.e.. n = 1 or n =O. and express the property that node n has the specified value for the entire phase. The only combining form is conjunction F1 A F2, and the only temporal operator is the "next-phase" operator PF, stating that F must hold in the following phase. This operator is similar to the next-time operator x found in linear temporal logic [6]. In addition, a restriction operator creates a formula B + F stating that the property represented by formula F need only hold for those assignments satisfying Boolean expression B .
The temporal logic supported by our evaluator is far weaker than that of other model checkers. It lacks such basic forms as disjunction and negation, along with temporal operators expressing properties of unbounded state sequences. The logic was designed as a compromise between expressive power and ease of evaluation. It is powerful enough to express the timing and state transition behavior of circuits, while allowing assertions to be verified by an extended form of symbolic simulation.
Specification Example
We illustrate our methodology with the addressable serial parity circuit shown in Figure 1 , designed to maintain the parity of two channels multiplexed onto a single line. On each cycle, the channel to be updated is specified by the Addr input. Setting input Clear to 1 has the effect of setting the previous parity value for the channel to 0. Internally. the circuit consists of The desired behavior of this circuit can be expressed by a single assertion stating that each register should be updated appropriately when it is addressed and should hold its value when it is not. In developing this assertion, we incorporate the timing information illustrated in Figure 2 . Each cycle consists of 4 phases including the nonoverlapping periods of the clock nodes. Inputs are applied during the initial phase, and the output is guaranteed to be valid two phases later. Furthermore, the internal state is held stable during the initial phase. Thus, we must evaluate circuit operation over a trajectory of 5 phasesone full clock cycle plus the first phase of the next. These phases are numbered from 0 to 4 to match the nesting of nextphase operators in the specification. Informally, the assertion states: of the following cycle.
We construct the antecedent by 6rst defining the operation of the clocks. As shorthand, define formulas representing the possible signals applied to the clocks:
Define Clocks as describing the clocking behavior over the entire trajectory:
where Pi denotes i repetitions of the next-phase operator.
We can then write the specification as:
We use several abbreviations to keep the specification concise.
The notation n = a stands for the formula:
Verifying Circuits
Evaluation Algorithm
The constraints we place on assertions make it possible to verify an assertion by a single evaluation of the circuit over a number of phases determined by the deepest nesting of the next-phase operators. In essence, we simulate the circuit over the unique weakest (in information content) trajectory allowed by the antecedent, while checking that the resulting behavior satisfies the consequent. In this process we compute a Boolean function OK expressing those assignments for which the assertion holds. For a correct circuit, this function should equal 1; otherwise, we can determine which cases failed by examining it.
More precisely, we first rewrite the antecedent into a form 
X O l X
Entries labeled '-' indicate cases where the operation is overconstrained, i.e., we are attempting to assign opposite binary values to a single node. As the evaluation progresses, the program keeps track of the assignments that do not have overconstrained behavior, represented by a Boolean function ?'raj.
Unlike a simulator, the evaluator will set an input node to X whenever it is not constrained by the antecedent. In this way, the evaluator makes no assumptions about input values except those explicit in the antecedent.
The consequent component C, defines some checks that should be made of the circuit state during phase i. We require that each component of the observed circuit state remain greater or equal to the corresponding element of ZC, throughout the phase. Thus, the program keeps track of the assignments that satisfy these checks, represented by a Boolean function Check. The program also computes function OKA (respectively, OKc),
representing the assignments where the antecedent (resp., con- One key property of our evaluation algorithm is that it involves symbolic manipulation only over those variables explicit in the assertion. In contrast, symbolic state machine analyzers must perform manipulations involving as many variables as there are bits of state in the circuit. This difference can be quite significant.
Implementation
We constructed our verifier by extending the COSMOS 
Verifying Complex Circuits
We now illustrate verification of more complex sequential circuits, including pipelining. Consider the addressable accumulator shown in Figure 3 . This circuit can maintain the sum of signals form different channels, storing the sums in its register array. Timing is similar to that of the parity circuit. is held in some abstract register 3. The mapping between the abstract state and the actual circuit state is specified by defining this predicate in terms of values on the circuit nodes.
For the circuit illustrated in Figure 3 . the circuit register array RMem is in, exact correspondence with the abstract system registers. Thus, we can define the state mapping as
, using a vector extension of the indexing notation introduced earlier. 
Pipelined Circuits
Pipelining enhances circuit performance by increasing the amount of concurrent activity. Most pipelined systems are designed to be transparent to the outside. That is, interlock and bypass circuitry makes the system appear to be unpipelined. The difficulty of designing such systems makes them an important class for formal verification. In verifying such a system, we want to prove that the pipelined system realizes an unpipelined specification, and hence the behavior specification in terms of abstract system state should not reflect the pipeline structure. Instead, we include this information in the state mapping.
Consider, for example, a pipelined version of the addressable accumulator illustrated in Figure 4 . This circuit exhibits the same external behavior as the one illustrated in Figure 3 . but achieves greater performance by overlapping the adder and register write operations. That is, on each cycle a value is first read from the register file. Then, while the adder is computing the sum for the current cycle, the value from the previous cycle is written into the register array. When the same address is used in succession, the previous adder output, stored in register Adding quantified variables to our assertion logic is straightforward. The quantifiers map directly into operations on the OBDDs. Table 1 shows the performance of our verifier running on a SUN4110 for some of the circuits discussed above. As the table indicates, we separately verified the adder and register file (implemented with a static RAM) before assembling the accumulators. In our experience, verification is much more manageable when conducted as the designs are constructed. Attempting to verify existing designs created by other people without precise information about interface timing and state encoding tends to be time-consuming and frustrating. Often, a fair amount of reverse engineering is required.
Experimental Results and Observations
As the figures indicate, these circuits me well within the capabilities of our program. As the circuits grow larger by in- Our specification of the data path consists of two kinds of assertions. First, we separately specified each ALU operation, and second, we specified that the NO-OP instruction should preserve register state. Space precludes a more detailed description of this specification.
Performance of our prototype verifier on the data path example is shown in Table 2 . Note that execution time scales less than quadratically with word size and less than linearly with the number of registers. The memory requirement scales even more gradually. Attempting to verify larger data paths overloaded the Scheme interpreter we were using to implement the front end interface. Our experience to date indicates that this is a promising approach for verifying circuits viewed as state transformation systems. It can operate on detailed switch-level models and verify timing at the phase level. It can be used to verify pipelined systems using high-level specifications that express the desired behavior without explicitly referencing the pipeline structure. It requires the definition of both assertions and implementation mappings.
For future work. we plan to extend our program, improve its performance, and test it on more ambitious circuit designs such as microprocessors. Although we have found an embedded language to provide powerful abstraction mechanisms for con- Table 2 Verifier Performance for Pipelined Data Paths.
Measured on DECstation 3100.
structing behavioral specifications and state mappings hierarchically, our current configuration of running two separate programs is not ideal. The command files produced by the front end can be extremely large, and it is difficult to relate errors from the verifier back to the part of the original specification that failed. Furthermore, some form of graphical interface to specify the input, output, and clock timing would be helpful.
