Abstract. We present an approach to designing veri ed digital systems by a sequence of small local re nements. Re nements in this approach are not limited to a library of prede ned transformations for which theorems have been previously established. Rather, the approach relies on localizing the re nement steps in such a way that they can be veri ed e ciently by model checking. Toward this end, a compositional rule is proposed by which each design re nement may be veri ed independently, in an abstract environment. This rule supports the use of downward re nement maps, which translate abstract behavior detailed behavior. These maps may involve temporal transformations, including delay. The approach is supported by a veri cation tool based on symbolic model checking.
Introduction
Although signi cant progress has been made in automated veri cation of digital systems, most designs are still far too large and complex to be veri ed in a fully automatic way. The classical solution proposed to this problem is compositional reasoning. This means that properties of individual modules or components of a large system are veri ed in isolation, and these properties are then combined to prove properties of the system as a whole. One commonly proposed speci cation language for these properties is temporal logic Pnu85] , and systems of compositional inference rules have been developed to support \assume-guarantee" style proofs Lam83] using various temporal logics (e.g., GL94]). In a compositional proof, one reasons thus: P; j = Q j = P k Q j = Here, P and Q are processes, and is an environment assumption, necessary to prove that P satis es speci cation . Typically, however, the environment assumptions needed to verify interacting processes are interdependent. For example, process P may guarantee to satisfy an invariant up to time t+1 only if Q satisies up to time t, and vice versa. Such an inductive argument cannot be expressed in the above rule. If one attempts it, the result is a circular argument. One way to break the circularity is to model the environment as an abstract process. Kurshan Kur87, Kur94] introduced the following style of reasoning for Moore machines: P k Q 0 ) P 0 P 0 k Q ) Q 0 P k Q ) P 0 k Q 0 where ) can be replaced by any suitable process preorder. Here, the abstract process Q 0 takes the role of environment assumption when verifying P, and P 0 does the same when verifying Q. The circularity is broken inductively, as a result of the delay of one time unit from input to output of the Moore machines. Alur and Henzinger AH96] extended this to the case of Mealy machines where there are no combinational cycles.
A limitation of this kind of proof rule is that the abstract processes P 0 and Q 0 do not typically have the same inputs and outputs as the detailed processes P and Q. In order for P 0 and Q 0 to be simple, they necessarily communicate at a more abstract level. In Kurshan's methology, this problem is approached by using process homomorphisms. This means that the user provides a function that maps detailed signals to abstract signals. One can thus reason compositionally as follows:
Note, however, that we cannot use Q 0 as an environment assumption unless we are able to e ectively invert the function . This is necessary to translate outputs of the abstract process Q 0 into inputs of the detailed process P. On the other hand, downward maps can be used e ectively to provide the both the inputs of P (i.e., its environment) and also the correctness conditions for its outputs, as a function of the abstract behavior of P 0 and Q 0 . This e ectively puts the veri cation of P in an abstract context, an observation has been made in the context of symbolic simulation by Bryant and Beatty BB94] and in the context of theorem provers by Cyrluk Cyr96] .
Note also that upward maps can be very complex. In the case of pipelines, for example, the upward abstraction map involves ushing the entire state of the pipeline, which may contain many instructions. Although in some cases this complexity can be dealt with, using BDD's BF89] or sophisticated decision procedures BD94, JDB95], we would prefer a methodology that decomposes the veri cation problem into small subproblems. In the case of pipelines, for example, downward re nement maps involving delay can yield separate veri cation subproblems for each stage of the pipeline.
To support such a compositional methodology in a model checking context, we present a system based on a generalized compositional rule for Mealy machines. It allows both upward and downward re nement maps, which are represented as arbitrary processes. Hence, maps may involve state and delay, if necessary. Further, the system is exible enough to allow non-hierarchical abstractions. That is, an abstract speci cation may have a di erent structural decomposition from the low level implementation, and many abstract-level components may be multiplexed onto the same collection of low-level components. This exibility to choose an arbitrary decomposition of the speci cation can be used to simplify the resulting veri cation subproblems. The system is implemented on top of the SMV symbolic model checker McM93].
A compositional rule for Mealy machines
We begin by introducing a compositional rule for Mealy machines. For the present purposes, a Mealy machine will be de ned as a collection of recurrence equations involving either zero delay or unit delay. For exibility in speci cation, we allow machines to be underspeci ed, in the sense that there may be many solutions of the equations for any given input sequence. This does not however, imply nondeterminism in the automata theoretic sense, since our \machines" have no notion of internal state.
To be more speci c, let S be a nite collection of signals, and let V be a nite We will tacitly identify a machine with the set of models that satisfy it. We will say that machine Q implements machine P when Q ) P, which is the same as saying that the set of models of Q is contained in the set of models of P. Now, suppose we wish to prove that Q ) P. Since P is a conjunction of assertions P , expressible in temporal logic, we could simply use model checking to verify Q j = P for each . However, this would be unlikely to be e ective in practice, since the state space of Q would be too large. To simplify the model checking problem, we could take only a subset of the components of Q as the \environment" when checking P (a technique called localization), but it still might require a large number of components. Instead, assuming that P is simple and abstract, while Q is complex, we might like to take some other components of P as environment assumptions while proving P . Intuitively, this would put the veri cation of P in a more \abstract" context. Thus, for example, we might assume P 0 is correctly implemented when checking P and vice versa. We can show that this reasoning is sound, provided there are no cycles of \gates".
To be more precise, let < M , the dependency relation of machine M, be the set of pairs ( ; ) such that M is a gate (has zero delay) and is and input of M . Now suppose there are no cycles in the joint dependency relations of machines Q and P. To verify Q ) P , we may instead verify E ) P , where E is an \environment" machine, made up of arbitarily chosen components of P and Q, provided of course we do not chose P itself. Theorem 1. Let P and Q be machines. For all 2 S, let E be a machine such that:
{ for all 0 2 signals: E 0 = P 0 or E 0 = Q 0 , and { E = Q .
Let < be the relation (< P < Q ) . If < is irre exive then the following inference rule is sound:
for all : E ) P Q ) P Proof. De ne a lexical order < over IN S where ( 0 ; 0 ) < ( ; ) i 0 < , or 0 = and 0 < . Further, let P ( ) denote P for t = . Now, consider a model . Assume j = Q and assume by inductive hypothesis that j = E 0 ( 0 ) for all ( 0 ; 0 ) < ( ; ). Note that by de nition, j = E ( ), since E = Q . Now construct a model 0 from by changing only the values 0 ( 0 ) for ( ; ) < ( 0 ; 0 ), such that 0 j = E . This can be done because < containts < E , hence each 0 ( 0 ) can be chosen only as a function of previous values w.r.t. <. Since E ) P it follows in particular that 0 j = P ( ), and hence j = P ( ). By induction over <, it follows that j = P.
We can extend the above result to the case of proving that Q simultaneously implemements a collection of speci cations P 1 ; : : : ; P n . This theorem forms the basis of a system for design re nement, described in the next section. The proof is omitted here, but is along the same lines as the previous theorem.
Theorem 2. Let Q and P 1 : : : P n be machines. For all i = 1 : : : n and 2 S, let E i be a machine such that:
{ for all 0 2 signals: E i 0 = Q 0 or E i 0 = P j 0 for some j, and { E i = Q . Let < be the relation ( S i < P i ) < Q ] . If < is irre exive then the following inference rule is sound:
3 Partial machines and re nement
We now introduce a re nement framework, that makes it possible to de ne a design by a collection of incremental changes to a speci cation machine, and to verify that the resulting machine (called the implementation machine) implies the orignal abstract machine. Each incremental change will be referred to as a layer, and is essentially a partially de ned machine.
Let a layer M be an assertion of the form^ 2S(M) M where S(M) S and the assertions M are either gates or latches, as before. A design is a partial order D = (M; < D ), where M is a set of layers. The intuition behind < D is that Q< D P when Q is intended as an incremental modi cation of P, in which case we say Q re nes P. In order for an implementation to be uniquely de ned, we require that for any signal , there is a unique least layer I w.r.t. < D such that 2 S(I ). The conjunction of these minimal de nitions I is termed the implementation machine of D and is denoted I D . In the simplest case < D will be a linear order over machines M 1 ; : : : ; M n . In this case, the implementation machine is the result obtained by starting with M 1 (the speci cation) and substituting components of M 2 ; : : : ; M n in sequence.
A design D will be said to be correct when I D )^M D that is, when the implementation machine implies every layer of D. In the linear order case, this implies in particular that it implements the original speci cation M 1 .
Note that we can verify correctness of a design compositionally using the inference rule of theorem 2. This requires us to choose an environment machine E M to verify each component M of each layer M in the design, excepting the implementation components. While the environments may be chosen manually, the following two heuristics can be applied automatically: { For each , choose E = M , where M is the maximal layer under < D that de nes .
{ Drop any signal de nitions that topologically cannot in uence .
If we use these rules when verifying a sequence of local modi cations, the verication of any given modi cation does not see the other modi cations, since the environment is selected from the earliest, most abstract de nitions.
Implementation in SMV
The veri cation framework described in the previous two sections has been implemented on top of the SMV model checker. The system has a simple language for describing Mealy machines. In this language, a gate is described by a statement of the form: The language also includes some \syntactic sugar" over the basic gates and latches, including nested conditional statements, and a method of specifying default values when one branch of a conditional is unspeci ed.
Each layer of the design is given a name, and is introduced by the keyword \layer". The partial order < D is speci ed by statements of the form: For each such component an evironmeont E M is selected, using user input and the above described heuristics. This environment is used as a model for model checking the temporal formula. The system also veri es the side condition of the compositional rule, requiring that the joint dependency relation be acyclic.
Example
As an example of compositional veri cation using the system, consider a \re-source manager" circuit, which is used to allocate and free a collection of resources (say a collection of packet bu ers). The module maintains a vector of status bits that indicate, for each resource, whether it is currently allocated or not. When an \allocate" request is received, the module may output the index of some free resource (changing the status of this resource to \allocated") or it may output a negative acknowledgement (NACK). When a \free" request is received, the module inputs a resource index and changes the status of that resource to \free". Allocation requests have either high or low priority. A low priority request must result in a NACK if fewer than k bu ers are currently free (where k is a xed constant).
A na ve and somewhat underspeci ed original speci cation of the resource manager is shown in gure 1. When an allocate request is received, it chooses a resource arbitrarily. If that resource is currently allocated, it produces a NACK. To check whether a low priority request is allowed, it simply sums up the vector of \allocated" bits and compares the result to k. Notice the \dafault" construct in the de nition of \allocated". The meaning of this construct is that the rst statement provides the default value for any given element of the vector when the second statement does not de ne it. For a latch, the default in case neither statement de nes it is to keep the old value.
There are two re nements we would like to make to this speci cation. First, it is too time consuming to sum up the vector of \allocated" bits on every cycle. We would prefer to use an up/down counter to maintain a running total the number of \allocated" bits that are set. This re nement is shown in gure 2. Second, we need to choose a policy for selecting a resource to allocate. To do this, we will use a priority encoder to choose the unallocated resource of lowest index. To compute the NACK signal more quickly, we simply test the \sum" 1 Note, this requires a minor extension to CTL that allows the \next" value of a variable to be expressed. This does not increase the complexity of the model checking problem over ordinary CTL. Note that these two re nements are mutually dependent. That is, if the re ned \sum" logic computes its value incorrectly, then the NACK signal we produce may be incorrect. On the other hand, if the re ned \NACK" logic is incorrect, causing an already allocated bu er to be allocated, then the \sum" counter will be corrupted. These two parts of the circuit are, in e ect, engaged in a protocol, where each part guarantees to produce a correct output only if all its previous inputs have been correct. Despite this circularity, we can use the compositional rule to verify the two re nements separately, where each renement uses the original speci cation as its environment. This simpli es the veri cation process, since the original speci cation has fewer latches than the re ned version. Note also, that if the resource manager is used as part of the system, we can use the simple original speci cation as part of the enviroment when verifying other parts of the system, and need not take into account the re nements.
Hiding internal state of speci cations
Typically, a speci cation contains some intermediate signals that are not intended to be part of the implementation per se, but are used only for specication purposes. For example, we might want to specify that a machine counts, producing a one at its output for every n ones occurring at the input. To do this, we could introduce a signal representing, for example, a binary modulo-n counter:
init(count) := 0; next(count) := count + inp mod n; out := inp & (count = n -1);
There is, however, no reason why \count" should appear in the implementation, as it would be perfectly valid for the implementation to use, for example, a \one hot" encoded counter. What we would actually like to specify is that, for any implementation behavior, there exists a valuation for the signal \count" that makes it a legal behavior of the speci cation. In other words, we would like to be able to hide certain signals in the speci cation, in order to specify only externally visible behavior. Toward this end, we de ne a notion of \projected design" that makes it possible to write speci cations with hidden internal state. 
Re ning internal signals { witness functions
An internal signal that is underspeci ed may be thought of as representing a nondeterministic choice. By re ning this signal, we can in e ect provide a \wit-ness" that shows why any given execution of the implementation satis es the speci cation. Note that neither the original speci cation nor the re nement of an internal signal is part of the implementation. The witness function merely serves as part of the proof of correctness of the design.
As an example, gure 3 shows an abstract speci cation for a two-way synchronous arbiter. An underspeci ed signal called \choice" determines which of the two requesters will be acknowledged. This is an internal signal, declared elsewhere using the keyword \abstract". Note that \choice" is nondeterministic when both request simultaneously. Figure 3 also shows a re nement of this speci cation, in which a latched signal called \turn" is used to break ties in a fair manner. The signal \choice" is rede ned to be a function of \turn". This de nition is not part of the implementation, but is simply used to prove that there exists a valuation of \choice" that makes the speci cation true in all cases. 
Re nement maps
One important use of re nements is in specifying the downward re nement maps that give the detailed signals in terms of abstract signals. In the present framework, a re nement map is simply an itermediate layer in the design. To use a re nement map, one creates a sequence of two layers. The rst de nes the renement maps, giving some implementation signals as a function of speci cation signals. Each component of the re nement map must be veri ed. When verifying one component, we can we can choose to use any other re nement map components in the environment. Thus, when verifying that the outputs of a given module are correct, we can use the re nement maps to generate the inputs to that module as a function of the abstract speci cation. In fact, the signal \sum" in the example of gure 1 can be viewed as playing the role of a re nement map. Notice how it divides the re nement veri cation problem into two parts, where each can be veri ed in the environment of the abstract speci cation. Note also that when we specify re nement maps, we can use any function that can be de ned by a Mealy machine. In particular, this allows us to use re nement maps that involve delay. This is useful for hardware structures that have \latency", such as pipelines. The re nement maps may also include arbitrary nite state machines.
Example
As an example, suppose we would like to design a tranmitter/receiver pair that sends n-bit bytes (for xed n) serially over a single wire. The original speci cation might look something like the code of gure 4. A \send" signal indicates that input data are ready to be sent, \NACK" indicates that the transmitter is busy, \DAV" indicates that data are available at the receiving end, and \received" indicates the the receiving end is ready for new data. Notice that \DAV" is underspeci ed, in the sense that when data are available, it may be either true or false. This is intended to allow for arbitrary delay in the actual transmission of the data. Notice also the conditional in the de nition of \output data". Because this is a gate, the default in case the condition is false is that the signal is unspeci ed. This means the implementation may output any data value in the case when \DAV" is false. The next step in the design is to formulate a re nement map that de nes the sequence of bits seen on the serial line as a function of the abstract speci cation signals. To do this, we need to introduce some state, in the form of a counter that keeps track of the bit number being transmitted. The re nement map is shown in gure 5.
Given this re nement map, we can now design and verify the receiver and transmitter separately. The actual implementation of these components might use shift registers, as shown in gure 6. The enviromnent for verifying each of these two component re nements includes the re nement map and the abstract speci cation, but not the other component. The purpose of the re nement map is to de ne the interface between two components, and thus allow separate design and veri cation of the two components. In general, re nement maps can provide a way of managing the complexity of interfaces between modules, by de ning interface signals, which may be encoded in fairly complex ways, in terms of simpler, more abstract data streams. 
Conclusions
We have described a compositional framework for the veri cation of hardware designs. It is designed to allow the expression of downward re nement masps as Mealy machines, and to support design by a sequence of incremental modi cations that may be veri ed independently. The framework has been implemented on top of the SMV symbolic model checking system. Although it is not discussed here, the system also supports assume-guarantee style reasoning using linear time temporal logic. This is intended mainly for reasoning about eventualities.
One extension to the system that is planned is to support a notion of streams (such as streams of intructions of memory transactions) that are ordered, but are not assigned speci c times in the implementation. Each element of such a stream could be de ned as a nite state machine representing the di erent stages of execution of the given operation in the machine. By making each abstract operation a distinct \layer" of the speci cation, one could verify in a modular way that a single operation is processed through the system correctly, and then deal separately with other issues such as ordering guarantees and liveness. Finally, it is also possible that a hybrid approach could be taken, where some re nement obligations are handled by a model checker and others by a general-purpose proof assistant, or a collection of prede ned transformations. This might be particularly useful for handling large, regular structures such as memories, and hardware that manipulates large data items, such as packets. A compositional framework of this sort could provide a practical way of integrating model checking and theorem proving.
