Hierarchical verification of asynchronous circuits using temporal logic  by Mishra, B. & Clarke, E.
Theoretical Computer Science 38 (1985) 269-291 
North-Holland 
HIERARCHICAL VERIFICATION OF ASYNCHRONOUS CIRCUITS USING TEMPORAL LOGIC
B. MISHRA and E. CLARKE* 
Department of Computer Science, Carnegie-Mellon University, Pittsburgh, PA 15213, U.S.A. 
Communicated by M. Nivat 
Received June 1984 
Abstract. Establishing the correctness of a complicated asynchronous circuit is in general quite difficult because of the high degree of nondeterminism that is inherent in such devices. Nevertheless, it is also very important in view of the cost involved in the design and testing of circuits. We show how to give specifications for circuits in a branching time temporal logic and how to mechanically verify them using a simple and efficient model checker. We also show how to tackle a large and complex circuit by verifying it hierarchically.
Introduction 
Verification of the correctness of asynchronous circuits has been considered an 
important problem for a long time. But, a lack of any formal and efficient method 
of verification has prevented the creation of practical design aids for this purpose. 
Since all the known techniques of simulation and prototype testing are time- 
consuming and not very reliable, there is an acute need for such tools. Moreover, 
as we build larger and more complex circuits, the cost of a single design error is 
likely to become even higher. In this paper, we describe an automatic verification 
system for asynchronous circuits, in which the specifications are expressed in a 
propositional temporal logic. We illustrate the use of our system by verifying a 
version of the self-timed queue element given in [7]. 
Bochmann [2] was probably the first to recognize the usefulness of temporal logic 
to describe circuits; he verified an implementation of a self-timed arbiter using linear 
temporal logic and what he called ‘reachability analysis’. The work of Malachi and 
Owicki [9] identified additional temporal operators required to express interesting 
properties of a circuit and also gave specifications of a large class of modules used 
in self-timed systems. 
Although these researchers have contributed significantly toward developing an 
adequate notation for expressing the correctness of asynchronous circuits, the 
problem of mechanically verifying a circuit using efficient algorithms still remains 
unsolved. In this paper we show how a simple and efficient algorithm, called a model checker, can be used to verify various temporal properties of an asynchronous circuit. Roughly speaking, our method works by first building a labelled state-transition graph for an asynchronous circuit. This graph can be viewed as a finite Kripke Structure. Then by using the model checker we determine the truth of various temporal formulae in this Kripke Structure. As a result, it is possible to avoid the complexity associated with proof construction.
* This research was supported by NSF under Grant No. MCS-82-16706.
0304-3975/85/$3.30 © 1985, Elsevier Science Publishers B.V. (North-Holland)
Most complex circuits are built out of relatively less complex modules in a 
hierarchical manner. Hence it should be possible to verify these circuits in a 
hierarchical manner, i.e. to verify the correctness of a larger module, given the 
premises that the smaller modules are correct. A hierarchical approach to verification 
is important in practice, because it enables us to verify circuits incrementally, to 
localize faults to small submodules and most importantly, to handle large circuits 
without a large growth in complexity. We show how the hierarchical method can 
be incorporated in a mechanical approach to circuit verification. 
The paper is organized as follows: Section 1 contains a brief description of the syntax and semantics of CTL, the temporal logic used in this paper, and also explains the algorithms used in the model checker. In Section 2, we give a simple step-by-step method used to verify circuits. In Section 3, we illustrate these methods by establishing some interesting properties of a Self-Timed Queue (FIFO) Element. In Section 4, we introduce a hierarchical method to be used in verifying large and complex circuits and study some of the model-theoretic properties of the operation of 'restriction' on a Kripke Structure. The paper concludes by pointing out the shortcomings of our approach and with a discussion of some remaining open problems.
1. CTL and model checker 
The logic that we use to give the specifications of a circuit is a propositional temporal logic of branching time, called CTL (Computation Tree Logic). This logic is essentially the same as that described in [1, 3, 5].
The syntax for CTL is given below: 
Let $\mathcal{P}$ be the set of all the atomic propositions in the language $\mathcal{L}$. Then
(1) every atomic proposition $P$ in $\mathcal{P}$ is a formula in CTL,
(2) if $f_1$ and $f_2$ are CTL formulae, then so are $\neg f_1$, $f_1 \wedge f_2$, $\forall X f_1$, $\exists X f_1$, $\forall(f_1\, U\, f_2)$ and $\exists(f_1\, U\, f_2)$.
In this logic the propositional connectives $\neg$ and $\wedge$ have their usual meanings of negation and conjunction. The temporal operator $X$ is the nexttime operator. Hence the intuitive meaning of $\forall X f_1$ ($\exists X f_1$) is that $f_1$ holds in every (in some) immediate successor state of the current state. The temporal operator $U$ is the until operator. The intuitive meaning of $\forall(f_1\, U\, f_2)$ ($\exists(f_1\, U\, f_2)$) is that for every computation path (for some computation path), there exists an initial prefix of the path such that $f_2$ holds at the last state of the prefix and $f_1$ holds at all other states along the prefix.
We also use the following syntactic abbreviations:
• $f_1 \vee f_2 \equiv \neg(\neg f_1 \wedge \neg f_2)$, $f_1 \to f_2 \equiv \neg f_1 \vee f_2$, and $f_1 \leftrightarrow f_2 \equiv (f_1 \to f_2) \wedge (f_2 \to f_1)$,
• $\forall F f_1 \equiv \forall(true\, U\, f_1)$, which means for every path, there exists a state on the path at which $f_1$ holds,
• $\exists F f_1 \equiv \exists(true\, U\, f_1)$, which means for some path, there exists a state on the path at which $f_1$ holds,
• $\forall G f_1 \equiv \neg\exists F \neg f_1$, which means for every path, at every node on the path $f_1$ holds,
• $\exists G f_1 \equiv \neg\forall F \neg f_1$, which means for some path, at every node on the path $f_1$ holds,
• $\forall(f_1\, W\, f_2) \equiv \neg\exists((f_1 \wedge f_2)\, U\, (\neg f_1 \wedge f_2))$, which means that for every computation path, and for every initial prefix of the path, if $f_2$ holds at all the states along the prefix then $f_1$ holds at all the states along the same prefix,
• $\exists(f_1\, W\, f_2) \equiv \neg\forall((f_1 \wedge f_2)\, U\, (\neg f_1 \wedge f_2))$, which means that for some computation path, and for every initial prefix of the path, if $f_2$ holds at all the states along the prefix then $f_1$ holds at all the states along the same prefix.
In the last two formulae, $W$ is the while operator. The formula $\forall(f_1\, W\, f_2)$ ($\exists(f_1\, W\, f_2)$) is read as 'for every (some) path $f_1$ while $f_2$'.
The semantics of a CTL formula is defined with respect to a labelled state-transition graph. A CTL structure is a triple $\mathcal{M} = (S, R, \Pi)$ where
(1) $S$ is a finite set of states.
(2) $R$ is a total binary relation on $S$ ($R \subseteq S \times S$) and denotes the possible transitions between states.
(3) $\Pi$ is an assignment of atomic propositions to states, i.e. $\Pi: S \to 2^{\mathcal{P}}$.
A path is an infinite sequence of states $(s_0, s_1, s_2, \ldots)$ such that $\forall i\,((s_i, s_{i+1}) \in R)$. For any structure $\mathcal{M} = (S, R, \Pi)$ and state $s_0 \in S$, there is an infinite computation tree with root labelled $s_0$ such that $s \to t$ is an arc in the tree iff $(s, t) \in R$.
The truth in a structure is expressed by $\mathcal{M},\, s_0 \models f$, meaning that the temporal formula $f$ is satisfied in the structure $\mathcal{M}$ at state $s_0$. The semantics of temporal formulae is defined inductively as follows:
$s_0 \models P$ iff $P \in \Pi(s_0)$.
$s_0 \models \neg f$ iff $s_0 \not\models f$.
$s_0 \models f_1 \wedge f_2$ iff $s_0 \models f_1$ and $s_0 \models f_2$.
$s_0 \models \forall X f_1$ iff for all states $t$ such that $(s_0, t) \in R$, $t \models f_1$.
$s_0 \models \exists X f_1$ iff for some state $t$ such that $(s_0, t) \in R$, $t \models f_1$.
$s_0 \models \forall(f_1\, U\, f_2)$ iff for all paths $(s_0, s_1, s_2, \ldots)$, $\exists i \ge 0\,(s_i \models f_2 \wedge \forall\, 0 \le j < i\,(s_j \models f_1))$.
$s_0 \models \exists(f_1\, U\, f_2)$ iff for some path $(s_0, s_1, s_2, \ldots)$, $\exists i \ge 0\,(s_i \models f_2 \wedge \forall\, 0 \le j < i\,(s_j \models f_1))$.
From these it is quite easy to see that the semantics of $U$, the until operator, can be given in terms of a least fixed-point characterization:
$\forall(f_1\, U\, f_2) = \mu Z.\, f_2 \vee (f_1 \wedge \forall X Z)$,
$\exists(f_1\, U\, f_2) = \mu Z.\, f_2 \vee (f_1 \wedge \exists X Z)$.
The model checker for CTL can now be thought of as an algorithm that determines whether a given temporal formula $f$ is satisfied in a model $\mathcal{M}$ by computing these fixed points. A full description of the algorithm is given in [3].
In order to determine if a CTL formula $f$ is true in a structure $\mathcal{M} = (S, R, \Pi)$, the algorithm labels each state of $S$ so that when the algorithm terminates, the label of each state $s \in S$, $label(s)$, will be equal to $\{f' \in sub(f) \mid \mathcal{M},\, s \models f'\}$, where each element of $sub(f)$ is either a subformula of $f$ or the negation of a subformula. Hence $\mathcal{M},\, s \models f$ iff $f \in label(s)$ at the termination of the algorithm.
The labelling algorithm works in several stages. In the $i$th stage the algorithm labels the states by the subformulae of length $i$. The labels assigned in the earlier stages, corresponding to the subformulae of length less than $i$, are used to perform the labelling in this stage. It can be shown that the algorithm makes at most $n = |f|$ stages of computation and that the total amount of work involved in each stage is $O(|S| + |R|)$. Hence the time complexity of the model checker is $O(|f| \cdot (|S| + |R|))$. The algorithm is also fairly simple, since it involves only a few straightforward graph theoretic algorithms.
2. Verification of circuits 
Given a circuit to be verified, the steps involved in using the model checker to 
assert the correctness of the temporal specifications are as follows: 
Step 1. Building the model 
The structure associated with the circuit is essentially a finite state-transition graph, with its vertices corresponding to the distinct states and the edges corresponding to the (possibly nondeterministic) transitions between the states. The initial label associated with each state is the set of propositions true in that state. This labelled state-transition graph can be built using the following simple algorithm.
Algorithm 2.1. The algorithm to build the Kripke Structure for an asynchronous circuit.
begin
  L := {initial state};
  while L ≠ ∅ do
    choose a state, say s, from L and delete it from L;
    for all sets of inputs possible in s do
      simulate s with this set of inputs;
      let L′ be the set of new states;
      for each s′ ∈ L′ do
        s′ is a successor of s;
        if s′ has not been visited then add s′ to L;
      endfor;
    endfor;
  endwhile;
end.
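Algorithm 2.1 as added example code (mine, not the authors' tool): a worklist exploration of a unit-delay gate circuit, in which the label of a state is the set of nodes at logical 1, as in Section 3(c). The two-inverter request/acknowledge circuit, its node names and the two-cycle environment function are constructed for illustration and are not part of the paper.

```python
# Added example (not from the paper): Algorithm 2.1 as a worklist search over
# the states of a unit-delay gate circuit. The circuit and the environment
# below are constructed for illustration.

def build_kripke(nodes, gates, env, initial):
    """Explore the reachable labelled state-transition graph of a circuit.

    A state is a valuation node -> 0/1; its label is the frozenset of nodes at
    logical 1.  `gates` maps each non-input node to a function of the current
    valuation that yields the node's value one unit gate delay later.
    `env(valuation)` lists the input assignments possible in that state (the
    "for all sets of inputs" loop of the algorithm).  Returns (S, R, Pi).
    """
    def label(v):
        return frozenset(n for n in nodes if v[n])

    start = label(initial)
    S, R, worklist = {start}, set(), [start]      # L := {initial state}
    while worklist:                                # while L != {} do
        s = worklist.pop()                         # choose s from L, delete it
        cur = {n: int(n in s) for n in nodes}
        for inputs in env(cur):                    # all sets of inputs possible in s
            nxt = dict(cur)
            nxt.update(inputs)                     # apply the chosen input values
            for n, g in gates.items():             # simulate one unit gate delay
                nxt[n] = g(cur)
            t = label(nxt)
            R.add((s, t))                          # t is a successor of s
            if t not in S:                         # not visited yet: add to L
                S.add(t)
                worklist.append(t)
    Pi = {s: set(s) for s in S}                    # label = nodes at logical 1
    return S, R, Pi


# Constructed circuit: a request Req acknowledged through two inverters
# (X = -Req, Ack = -X), so Ack follows Req two gate delays later.
NODES = ['Req', 'X', 'Ack']
GATES = {'X': lambda v: 1 - v['Req'], 'Ack': lambda v: 1 - v['X']}


def two_cycle_env(v):
    """Two-cycle signalling environment (constructed): Req may toggle only
    when Req and Ack are equipotential, i.e. the last request was acknowledged."""
    if v['Req'] == v['Ack']:
        return [{'Req': v['Req']}, {'Req': 1 - v['Req']}]
    return [{'Req': v['Req']}]


def is_total(S, R):
    """Every state has a successor, as the definition of a CTL structure requires."""
    return all(any(u == s for (u, _) in R) for s in S)


def example():
    """Build the structure from the quiescent state Req = 0, X = 1, Ack = 0."""
    return build_kripke(NODES, GATES, two_cycle_env, {'Req': 0, 'X': 1, 'Ack': 0})
```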
Step 2. Giving the specifications of the circuit in CTL
It usually involves structural properties (i.e. the specifications for different components of the circuit, specifications of the signalling scheme used for communication with various modules, etc.), safeness properties and liveness properties. It should be pointed out that one need not give the complete specification of the circuit in order to verify some selected properties of the circuit using the model checker.
Step 3. Verifying the circuit using the model checker 
This step involves the model checker which checks the truth of the specification 
(a formula in CTL) in the structure constructed in Step 1. The working of the model 
checker is described in the previous section. 
3. Extended example 
We illustrate the ideas presented so far by verifying some interesting properties 
of an asynchronous circuit. The example chosen for this purpose is one element of 
a Self-timed (FIFO) queue, which originally appeared in an article by Seitz on 
self-timed systems [7]. 
(a) Self-timed FIFO queue element. The electrical circuit shown in Fig. 1 is an 
implementation of a single FIFO queue element combined with some input and 
output logic. This circuit is of very practical importance; in pipeline processes in 
which operation times are variable, increased throughput can be achieved by 
interconnecting the processing elements through queues. The implementation uses 
simple asynchronous control and hence, can be used to build very fast and area- 
efficient queues. 
The inner cell is intended to be replicated as many times as the number of words the queue is to be able to store, and the same control will operate a queue of any word length. The input cell and the output cell can be thought of as logic circuits converting the two-cycle signalling scheme at the input link to a four-cycle signalling scheme at the internal link and vice versa. The inner cell can be thought of as a latch that stores the state of the cell (i.e. whether the cell is full or empty), together with logic to generate a load signal and a set of static registers to store the bits. However, the design shown is not speed-independent, and uses the 3/2-rules. That is, one may expect misoperation if particular sets of three gates have a smaller cumulative propagation delay time than other sets of two gates.
[Fig. 1 (input cell, inner cell (repeated), output cell, with the input and output links) is not reproduced in this text.]
Fig. 1. Queue (FIFO) element.
In the following subsections we specify and verify some interesting properties of 
the queue element with a single inner cell. 
(b) Temporal specifications for the self-timed queue element. We give examples of 
the ways in which various properties of a circuit can be given in CTL. In case of 
the queue element some of the structural properties that we might like to specify, 
are that the two-cycle signalling used at the input links and the output links is safe 
and live. Recall that the structural properties are specifications for various com- 
ponents and signalling schemes and thus, may be considered as premises that must 
be true in any CTL structure modelling the circuit. Hence the request signal must 
satisfy the following safeness and liveness conditions. (In the following CTL specifications we will use the symbols Req and Ack for the request and the acknowledgement signals respectively.)
Safeness conditions for the request signal
(1) $\forall G((\neg Req \wedge Ack) \to \forall(\neg Req\, W\, Ack))$,
(2) $\forall G((Req \wedge \neg Ack) \to \forall(Req\, W\, \neg Ack))$.
These two CTL formulae essentially express that if the Req and Ack signals are non-equipotential then the Req signal will remain in its stable logic value while the Ack signal is in its stable value. In other words, Req will not be given unless the acknowledgement to the previous request signal has arrived.
Liveness conditions for the request signal
(1) $\forall G((Req \wedge Ack) \to \forall F(\neg Req))$,
(2) $\forall G((\neg Req \wedge \neg Ack) \to \forall F(Req))$.
These two CTL formulae express the property that if the Req and Ack signals 
are equipotential then eventually the Req signal will change its logic value, thus 
indicating an arrival of a request. 
In a similar manner, we can specify the properties of the response signal. 
Safeness conditions for the response signal 
(1) $\forall G((Req \wedge Ack) \to \forall(Ack\, W\, Req))$,
(2) $\forall G((\neg Req \wedge \neg Ack) \to \forall(\neg Ack\, W\, \neg Req))$.
Informally, they express the fact that Ack will not be given unless there has been 
a Req signal to cause it. 
Liveness conditions for the response signal 
(1) $\forall G((Req \wedge \neg Ack) \to \forall F(Ack))$,
(2) $\forall G((\neg Req \wedge Ack) \to \forall F(\neg Ack))$.
That is, if there had been a Req signal then eventually there will be an Ack signal 
in response to the request. 
We can also give the safeness and the liveness properties of the FIFO queue element in CTL. The following is a representative list of some of the properties, and by no means exhaustive and complete. In the CTL formulae given below, ReqIn stands for request at the input links, AckIn for acknowledgement at the input links, ReqOut for request at the output links, AckOut for acknowledgement at the output links and Full1 for the state of the queue element when it holds some data.
Some safeness properties of the queue element 
(1) $\forall G(\neg(ReqIn = AckIn) \wedge \neg(ReqOut = AckOut) \to \forall(\neg(ReqIn = AckIn)\, U\, (ReqOut = AckOut)))$.
This formula states that if there have been a ReqIn and a ReqOut, then AckIn 
will not be given until AckOut has arrived. 
Some liveness properties of the queue element
(1) $\forall G(\neg(ReqIn = AckIn) \wedge \neg Full1 \to \forall F(A))$.
This formula states that if there has been a ReqIn, and the memory element was empty, then eventually it will be loaded with the input data.
(2) $\forall G(\neg Full1 \to \forall X(Full1 \to \forall F(\neg(ReqOut = AckOut))))$.
That is, if the queue element is full then eventually a request at the output links will be generated in order to move the data to the next element in the queue.
(3) $\forall G(Full1 \wedge \neg(ReqOut = AckOut) \to \forall X((ReqOut = AckOut) \to \forall F(\neg Full1)))$.
That is, if the acknowledgement arrives at the output links, thus indicating that the data stored in the current queue element has been moved to the next element, then eventually the queue element will mark its state as empty.
In the next subsection we show how these specifications can be verified automati- 
cally by using a model checker. 
(c) Verification of the circuit. As a first step for the verification of the circuit, we build a labelled finite state-transition graph corresponding to the circuit given in Fig. 1, using Algorithm 2.1. For this model, we assume that each gate of the circuit has one unit delay. This is done in order to take care of the speed-dependent properties of the circuit. This is equivalent to assuming that for any state in the graph, any of the successor states is arrived at after one unit gate-delay. The label associated with each state is the set of nodes in the circuit which assume the logical value 1 in that state. The nodes of the circuit are AckIn, ReqIn, D, A, Full0, Full1, C, B, E1, E2, E3, ReqOut, and AckOut. The initial state corresponds to the situation when ReqIn and AckIn as well as ReqOut and AckOut are equipotential.
Now, the model checker can take a description of the model and a temporal formula specifying some property of the circuit, and determine the truth of the formula in that model. However, the circuit shown does not obey the 3/2-rule as advertised, and the model checker determines that the safeness property of the queue element given in the previous subsection is not true.
Informally, the problem can be described as follows: when an AckOut is received in response to the ReqOut signal, the AckOut signal travels via two different electrical paths, one involving three inverters and the other involving four gates. This creates a race condition and produces a glitch of about one gate delay on the ReqOut bus. Though this glitch may not always be able to drive the bus to create a spurious ReqOut, it has the potential to do so. However, this problem can be easily rectified by making the inverters slow or by putting five inverters on that path instead of three. The labelled state-transition graph for the corrected circuit is shown in Fig. 2.
The state-transition graph shown in Fig. 2 is only one portion of the complete state-transition graph for the FIFO queue element and corresponds to the initial state where both ReqIn and AckIn are at the logical-zero value and both ReqOut and AckOut are at the logical-zero value. But the state in which both ReqIn and AckIn are at logical-zero and both ReqOut and AckOut are at logical-one cannot be reached from this state-transition graph. In fact the state-graph with this situation as the initial condition is symmetric to the one shown and the complete state-transition graph consists of both of these components.
Fig. 2. The state-transition graph for the self-timed queue element.
time: (1453 168)
|= AG(((-ReqIn & AckIn) | (ReqIn & -AckIn)) & ((-ReqOut & AckOut) | (ReqOut & -AckOut)) --> A[((-ReqIn & AckIn) | (ReqIn & -AckIn)) U ((ReqOut & AckOut) | (-ReqOut & -AckOut))])
[ <7 secs.]
t
time: (2263 300)
|= AG(((-ReqIn & AckIn) | (ReqIn & -AckIn)) & (-Full1) --> AF(A))
[ <8 secs.]
t
time: (2694 300)
|= AG(-Full1 --> AX(Full1 --> AF((-ReqOut & AckOut) | (ReqOut & -AckOut))))
[ <8 secs.]
t
time: (3150 300)
|= AG(Full1 & ((-ReqOut & AckOut) | (ReqOut & -AckOut)) --> AX(((ReqOut & AckOut) | (-ReqOut & -AckOut)) --> AF(-Full1)))
[ <7 secs.]
t
Fig. 3. A sample run using the model checker.
A sample run using the model checker is shown in Fig. 3. In the formulae shown, A stands for $\forall$, E for $\exists$, | for $\vee$, & for $\wedge$, - for $\neg$ and --> for $\to$. Similarly, G, F, U and W stand for $G$, $F$, $U$ and $W$, respectively. The first component of 'time:' is the cumulative time in 60ths of a second; the second component is the portion of the cumulative time allocated to 'garbage collection'. The number to the right of each formula gives the time taken to determine the truth of the formula.
4. Hierarchical verification of circuits 
The scheme given so far can be practical only for very small circuits. This is 
because it suffers from the problem that the state transition graph may have a 
number of states, exponential in the number of gates. However, this problem can 
be avoided, if circuits are verified in a hierarchical manner. That is, first small 
modules are verified and then the bigger module is verified assuming that the smaller 
modules it is composed of are correct. Since at any hierarchical level, the number 
of small modules that a big module is composed of is relatively small, this method 
is amenable to proving correctness of large circuits without a large growth of the 
time complexity. Moreover, hierarchical verification permits the localization of faults 
to small submodules, thus allowing the designer to rectify the fault by redesigning 
the appropriate submodule. 
In a hierarchical approach, the state-transition graph for a circuit is built out of the descriptions of the constituent submodules. We obtain a short description of a module by using an operation called 'restriction'. If $\mathcal{L}$ is the language for the module with a set of atomic propositions $\mathcal{P}$ corresponding to the input, output and internal nodes, then the operation restriction on $\mathcal{L}$ obtains an $\mathcal{L}'$ with atomic propositions $\mathcal{P}'$ corresponding to the input and the output nodes only.
Roughly speaking, the effect of restriction is to make the internal nodes invisible, since in building the state transition graph for the bigger module, we only require the input-output behaviour of the constituent submodules. But when the internal nodes are made invisible, certain portions of the state graph will have the same labelling of the atomic (input and output) propositions. The restriction operation defines exactly when such states can be collapsed into a single state.
Unfortunately, when we restrict a CTL structure to obtain a smaller structure, 
some formulae that are true in the former structure may not be true in the restricted 
structure. However, by appropriately constraining CTL, we can show that the 
formulae in the constrained logic have the desirable property that the truth properties 
of such formulae are preserved with respect to the restriction operation. Most of 
the formulae used in Section 3 have the desired syntax. 
Let the CTL structure for $\mathcal{L}$ be $\mathcal{M} = (S, R, \Pi)$. Let $\mathcal{P}$ be the set of all atomic propositions in the language $\mathcal{L}$, consisting of $\mathcal{I}$, the set of atomic propositions corresponding to the inputs; $\mathcal{O}$, the set of atomic propositions corresponding to the outputs; and $\mathcal{N}$, the set of atomic propositions corresponding to the internal nodes of the circuit. That is $\mathcal{P} = \mathcal{I} \cup \mathcal{O} \cup \mathcal{N}$. Let $\mathcal{L}'$ be the language with the atomic propositions $\mathcal{P}' = \mathcal{I} \cup \mathcal{O}$. Define $\Pi_{\mathcal{P}'}: S \to 2^{\mathcal{P}'}$ to be the restriction of $\Pi$ to $\mathcal{P}'$, i.e. $\forall s \in S\,(\Pi_{\mathcal{P}'}(s) = \Pi(s) \cap \mathcal{P}')$. Now we can define a relation $\mathcal{E}$ ($\mathcal{E} \subseteq S \times S$) over the set of states of $\mathcal{M}$ such that $s\, \mathcal{E}\, s'$ iff for some path $(s_0, s_1, \ldots, s_n)$ of $\mathcal{M}$, $n \ge 0$, $s = s_0$ and $s_n = s'$, and for each predecessor $s_i'$ of $s_i$ ($1 \le i \le n$), $\Pi_{\mathcal{P}'}(s_i') = \Pi_{\mathcal{P}'}(s_i)$.
It is quite easy to see that the relation $\mathcal{E}$ over $S$ is reflexive and transitive but not symmetric. The transitive closure of $\mathcal{E}$ can be defined as
$\mathcal{E}^* = \mathcal{E} \cup \mathcal{E}^2 \cup \mathcal{E}^3 \cup \cdots \cup \mathcal{E}^i \cup \cdots$.
The $\mathcal{E}$-closure of a state $s$ is defined by $\mathcal{E}^*(s) = \{s' \mid s\, \mathcal{E}^*\, s'\} = \{s' \mid s\, \mathcal{E}\, s'\}$, since $\mathcal{E}$ is a transitive relation, i.e. $\mathcal{E}^* = \mathcal{E}$.
For a set of sets $\{U_j\}$, $\max(\{U_j\})$ will denote the set of all distinct sets in $\{U_j\}$ maximal under inclusion. We define a mapping $\varphi: S \to 2^{2^S}$ such that, for each $s \in S$, $\varphi(s)$ is the set of maximal $\mathcal{E}$-closures containing $s$. We consider the following subsets of $S$:
$\Delta = \varphi(S) = \bigcup_{s \in S} \varphi(s)$.
Since every element $s \in S$ belongs to at least one subset $H_i$ of $\Delta$, $\Delta$ is called a decomposition of $S$ and the $H_i$'s are called the blocks of the decomposition. We will say $s$ dominates $s'$ if $s\, \mathcal{E}\, s'$. We define the dominant states of $H_i$, $dom(H_i)$, as the set of states that dominate every other state in $H_i$.
The decomposition $\Delta$ naturally leads to a substructure of a model $\mathcal{M}$ (notation $\mathcal{M}' = (S', R', \Pi') = \mathcal{M}|\Delta$). The states of $\mathcal{M}'$ will be the blocks of $\Delta$. A block $H_i$ of $\Delta$, when considered as an element of $S'$, will be denoted by $\bar H_i$. Let $R'$ ($R' \subseteq S' \times S'$) be the total binary relation on $S'$ corresponding to $R$ and induced by the decomposition $\Delta$, i.e.
$(\bar H_i, \bar H_j) \in R'$, for $i \ne j$, iff for some $s_i \in H_i$, $s_j \in H_j$, $(s_i, s_j) \in R$ and $s_j \notin H_i$;
$(\bar H_i, \bar H_i) \in R'$ iff for some $s_i, s_j \in H_i$, $s_j\, \mathcal{E}\, s_i$ and $(s_i, s_j) \in R$.
Similarly, let $\Pi': S' \to 2^{\mathcal{P}'}$ be the mapping corresponding to $\Pi$ and induced by the decomposition $\Delta$, i.e.
$\Pi'(\bar H_i) = \mathcal{P}' \cap \bigcap_{s \in H_i} \Pi(s)$.
The model $\mathcal{M}' = (S', R', \Pi')$ is called a restriction of $\mathcal{M} = (S, R, \Pi)$ with respect to $\mathcal{P}' \subseteq \mathcal{P}$.
In the following theorem, we show that there are CTL formulae whose truth- 
properties are not preserved with respect to restriction. 
Theorem 4.1. There exists a CTL structure $\mathcal{M} = (S, R, \Pi)$ and a formula $\mathcal{F}$, where $\mathcal{F}$ is a CTL formula, such that
$\mathcal{M},\, s_0 \models \mathcal{F}$ but $\mathcal{M}',\, \bar H_0 \not\models \mathcal{F}$, and $s_0 \in dom(H_0)$.
Proof. We give counterexamples involving formulae of the form $\forall X P$, $\exists X P$ and $\forall(\exists F P_1\, U\, P_2)$.
We first give a model $\mathcal{M} = (S, R, \Pi)$ over a language $\mathcal{L}$ such that $\mathcal{M},\, s_0 \models \forall X P$ and $\mathcal{M},\, s_0 \models \exists X P$, but $\mathcal{M}',\, \bar H_0 \not\models \forall X P$ and $\mathcal{M}',\, \bar H_0 \not\models \exists X P$, where $\mathcal{M}'$ is a restriction of $\mathcal{M}$ and $s_0 \in dom(H_0)$.
Define $\mathcal{M} = (S, R, \Pi)$ over a language $\mathcal{L}$ with the set of propositions $\mathcal{P} = \{P_{in}, P_{out}, P_{int}\}$, by
$S = \{s_0, s_1, s_2\}$, $R = \{(s_0, s_1), (s_1, s_2), (s_2, s_2)\}$,
and $\Pi$ to be $\Pi(s_0) = \{P_{in}, P_{int}\}$, $\Pi(s_1) = \{P_{in}\}$ and $\Pi(s_2) = \{P_{in}, P_{int}\}$. Clearly, $\mathcal{M},\, s_0 \models \forall X P_{in}$ and $\mathcal{M},\, s_0 \models \exists X P_{in}$. Now if we take the restriction of $\mathcal{M}$ for the language $\mathcal{L}'$ with the set of propositions
$\mathcal{P}' = \{P_{in}, P_{out}\}$,
then we get $\mathcal{M}' = (S', R', \Pi')$ with $\Pi'(\bar H_0) = \{P_{in}\}$ and $\Pi'(\bar H_1) = \{P_{in}\}$. It can be easily seen that $\mathcal{M}',\, \bar H_0 \not\models \forall X P_{in}$ and $\mathcal{M}',\, \bar H_0 \not\models \exists X P_{in}$.
Similarly, we present a model $\mathcal{M} = (S, R, \Pi)$ such that $\mathcal{M},\, s_0 \models \neg\forall((\exists F P_1)\, U\, P_2)$, but $\mathcal{M}',\, \bar H_0 \not\models \neg\forall((\exists F P_1)\, U\, P_2)$, where $\mathcal{M}'$ is a restriction of $\mathcal{M}$ and $s_0 \in dom(H_0)$.
Define $\mathcal{M} = (S, R, \Pi)$ over a language $\mathcal{L}$ with the set of propositions $\mathcal{P} = \{P_1, P_2, P_{int1}, P_{int2}\}$, by
$S = \{s_0, s_1, s_2, s_3, s_4\}$,
$R = \{(s_0, s_1), (s_1, s_2), (s_1, s_3), (s_2, s_4), (s_3, s_3), (s_4, s_4)\}$,
and $\Pi$ to be $\Pi(s_0) = \{P_{int1}\}$, $\Pi(s_1) = \emptyset$, $\Pi(s_2) = \{P_{int2}\}$, $\Pi(s_3) = \{P_1, P_2\}$, and $\Pi(s_4) = \{P_2\}$. The labellings in Fig. 4 show that $\mathcal{M},\, s_0 \models \neg\forall[(\exists F P_1)\, U\, P_2]$.
Now if we take the restriction of $\mathcal{M}$ for the language $\mathcal{L}'$ with the set of propositions $\mathcal{P}' = \{P_1, P_2\}$, then we get $\mathcal{M}' = (S', R', \Pi')$ where
$S' = \{\bar H_0, \bar H_1, \bar H_2\}$, $R' = \{(\bar H_0, \bar H_1), (\bar H_0, \bar H_2), (\bar H_1, \bar H_1), (\bar H_2, \bar H_2)\}$,
and $\Pi'$ to be $\Pi'(\bar H_0) = \emptyset$, $\Pi'(\bar H_1) = \{P_2\}$ and $\Pi'(\bar H_2) = \{P_1, P_2\}$. Now the labellings in Fig. 4 show that $\mathcal{M}',\, \bar H_0 \models \forall((\exists F P_1)\, U\, P_2)$. $\square$
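The following is added example code (mine, not the authors' implementation) that serves two passages at once: the fixed-point labelling algorithm of Section 1 (∀X, ∃X and both until operators computed as least fixed points) and the restriction operation defined in this section. It is run on the Fig. 4 model exactly as given in the proof above, with 𝒫′ = {P1, P2}, and reproduces both sides of the counterexample. The nested-tuple formula syntax and all function names are my own; blocks are represented as frozensets of states.

```python
def succ(R, s):
    """Immediate successors of state s under the transition relation R."""
    return {t for (u, t) in R if u == s}


def check(S, R, Pi, f):
    """Labelling algorithm of Section 1: the set of states of (S, R, Pi) at
    which f holds.  Formulas are nested tuples: ('true',), ('P', name),
    ('not', f), ('and', f, g), ('EX', f), ('AX', f), ('EF', f), ('EU', f, g),
    ('AU', f, g).  The until operators are the least fixed points
    E(f1 U f2) = mu Z. f2 v (f1 ^ EX Z) and A(f1 U f2) = mu Z. f2 v (f1 ^ AX Z),
    iterated upwards from Z = [[f2]]."""
    op = f[0]
    if op == 'true':
        return set(S)
    if op == 'P':
        return {s for s in S if f[1] in Pi[s]}
    if op == 'not':
        return set(S) - check(S, R, Pi, f[1])
    if op == 'and':
        return check(S, R, Pi, f[1]) & check(S, R, Pi, f[2])
    if op == 'EF':                                   # EF f = E(true U f)
        return check(S, R, Pi, ('EU', ('true',), f[1]))
    if op in ('EX', 'AX'):
        T = check(S, R, Pi, f[1])
        if op == 'EX':
            return {s for s in S if succ(R, s) & T}
        return {s for s in S if succ(R, s) <= T}    # R is total, so never vacuous
    if op in ('EU', 'AU'):
        F1, F2 = check(S, R, Pi, f[1]), check(S, R, Pi, f[2])
        Z = set(F2)
        while True:                                  # converges in <= |S| rounds
            if op == 'EU':
                step = {s for s in F1 if succ(R, s) & Z}
            else:
                step = {s for s in F1 if succ(R, s) <= Z}
            if step <= Z:
                return Z
            Z |= step
    raise ValueError('unknown operator %r' % op)


def restrict(S, R, Pi, Pprime):
    """Restriction of (S, R, Pi) to the propositions Pprime (Section 4).
    Returns (S', R', Pi', dom) with blocks as frozensets of states."""
    lab = {s: Pi[s] & Pprime for s in S}
    pred = {s: {u for (u, t) in R if t == s} for s in S}
    # s E s' iff some path s = s_0, ..., s_n = s' has, for every i >= 1, all
    # predecessors of s_i labelled (restricted to Pprime) exactly like s_i.
    absorbable = {s for s in S if all(lab[u] == lab[s] for u in pred[s])}

    def closure(s):                                  # E*(s) = {s' | s E s'}
        seen, stack = {s}, [s]
        while stack:
            for t in succ(R, stack.pop()):
                if t in absorbable and t not in seen:
                    seen.add(t)
                    stack.append(t)
        return frozenset(seen)

    E = {s: closure(s) for s in S}
    closures = set(E.values())
    blocks = {H for H in closures if not any(H < G for G in closures)}  # Delta
    dom = {H: {s for s in H if H <= E[s]} for H in blocks}              # dom(H)
    Rp = set()
    for Hi in blocks:
        for Hj in blocks:
            if Hi != Hj:
                if any((si, sj) in R and sj not in Hi for si in Hi for sj in Hj):
                    Rp.add((Hi, Hj))
            elif any((si, sj) in R and si in E[sj] for si in Hi for sj in Hi):
                Rp.add((Hi, Hi))                     # s_j E s_i and (s_i, s_j) in R
    Pip = {H: frozenset(Pprime.intersection(*(Pi[s] for s in H))) for H in blocks}
    return blocks, Rp, Pip, dom


def fig4_model():
    """Second counterexample of Theorem 4.1: S, R and Pi as given in the proof."""
    S = {'s0', 's1', 's2', 's3', 's4'}
    R = {('s0', 's1'), ('s1', 's2'), ('s1', 's3'), ('s2', 's4'),
         ('s3', 's3'), ('s4', 's4')}
    Pi = {'s0': {'Pint1'}, 's1': set(), 's2': {'Pint2'},
          's3': {'P1', 'P2'}, 's4': {'P2'}}
    return S, R, Pi


def theorem_4_1_demo():
    """(truth of -A[(EF P1) U P2] at s0 in M, its truth at H0 in M')."""
    S, R, Pi = fig4_model()
    phi = ('not', ('AU', ('EF', ('P', 'P1')), ('P', 'P2')))
    Sp, Rp, Pip, dom = restrict(S, R, Pi, {'P1', 'P2'})
    H0 = next(H for H in Sp if 's0' in dom[H])      # the block dominated by s0
    return 's0' in check(S, R, Pi, phi), H0 in check(Sp, Rp, Pip, phi)
```

The same `check` function, fed a CTL⁻ formula such as `('AU', ('true',), ('P', 'P2'))`, agrees on both structures, in line with Theorem 4.2.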
However, there exists a large subclass of CTL formulae with the desirable property 
that if a formula in this subclass is satisfiable in the unrestricted CTL structure, .A, 
then it is satisfiable in the CTL structure, A’, obtained by restriction. We call this 
subclass CTL$^-$.
Given a set of atomic propositions $\mathcal{P}$:
(1) Every atomic proposition $P \in \mathcal{P}$ is a propositional formula in CTL$^-$.
(2) If $f_1$ and $f_2$ are propositional formulae in CTL$^-$, then so are $\neg f_1$, $f_1 \wedge f_2$.
(3) If $f_1$ is a propositional formula and $f_2$ is a CTL$^-$ formula, then $\forall(f_1\, U\, f_2)$ and $\exists(f_1\, U\, f_2)$ are CTL$^-$ formulae.
Theorem 4.2. Let $\mathcal{F}$ be a CTL$^-$ formula in $\mathcal{L}'$. Then
$\mathcal{M},\, s_0 \models \mathcal{F}$ if $\mathcal{M}',\, \bar H_0 \models \mathcal{F}$, where $s_0 \in dom(H_0)$.
[Fig. 4, the labelled state graphs of the two structures in the proof of Theorem 4.1, is not reproduced in this text.]
Fig. 4. Counterexample for Theorem 4.1.
Before we give the proof of the Theorem 4.2, we need the following technical 
lemmas. 
Lemma 4.3. If $\mathcal{M}' = (S', R', \Pi')$ is a restriction of $\mathcal{M} = (S, R, \Pi)$ with respect to $\mathcal{P}'$, then
(i) For all $\bar H_i, \bar H_j \in S'$ ($i \ne j$), $(\bar H_i, \bar H_j) \in R'$ iff there exists a path from $s_i'$ to $s_j$ ($s_i' \in dom(H_i)$, $s_j \in H_j$) such that $(s_i' = s_k, \ldots, s_l, s_{l+1}, \ldots, s_m = s_j)$ in $\mathcal{M}$ and for some $k \le l < m$, $s_k, \ldots, s_l \in H_i$, $s_{l+1} \notin H_i$ and $s_{l+1}, \ldots, s_m \in H_j$.
(ii) For all $\bar H_i \in S'$, $(\bar H_i, \bar H_i) \in R'$ iff there is a cycle in the block $H_i$.
(iii) For all $s$ such that $s \in H$, $\Pi'(\bar H) = \Pi(s) \cap \mathcal{P}'$.
Proof Sketch. (i) ($\Leftarrow$) Suppose there is a path. Then $s_l \in H_i$, $s_{l+1} \in H_j$ and $s_{l+1} \notin H_i$, and $(s_l, s_{l+1}) \in R$. Hence by definition, $(\bar H_i, \bar H_j) \in R'$.
($\Rightarrow$) Suppose $(\bar H_i, \bar H_j) \in R'$. Then there exist $s_l \in H_i$, $s_{l+1} \in H_j$ such that $s_{l+1} \notin H_i$ and $(s_l, s_{l+1}) \in R$. Then we claim that $s_{l+1} \in dom(H_j)$. (Assume the contrary. Let $s_t \in H_j$ dominate $s_{l+1}$. Then $s_t\, \mathcal{E}\, s_{l+1}$. Hence, for each predecessor $s_{l+1}'$ of $s_{l+1}$, $\Pi_{\mathcal{P}'}(s_{l+1}') = \Pi_{\mathcal{P}'}(s_{l+1})$. Hence, $s_l\, \mathcal{E}\, s_{l+1}$ and $s_{l+1} \in \mathcal{E}^*(s_l)$, so $s_{l+1} \in H_i$. A contradiction.) Now given $s_i' \in dom(H_i)$ and $s_l \in H_i$ we can find a path by concatenating the path from $s_i'$ to $s_l$ and the path from $s_{l+1}$ to $s_j$. Such paths exist since $s_i' \in dom(H_i)$ and $s_{l+1} \in dom(H_j)$.
(ii) ($\Rightarrow$) Suppose $(\bar H_i, \bar H_i) \in R'$. Then for some $s_i, s_j \in H_i$, $s_j\, \mathcal{E}\, s_i$ and hence there is a path from $s_j$ to $s_i$. Moreover $(s_i, s_j) \in R$. Hence, there is a cycle in $H_i$.
($\Leftarrow$) Suppose $(s_j, s_{j+1}, \ldots, s_i, s_j)$ is a cycle in $H_i$. Then there are two cases to consider. In the first case, the cycle contains a state in $dom(H_i)$. Let $s_j$ be such a state. Then $s_j\, \mathcal{E}\, s_i$. On the other hand, if the cycle does not contain a dominating state, since there is a path from $s_j$ to $s_i$ and all the states on the path are nondominating states of $H_i$, $s_j\, \mathcal{E}\, s_i$. Moreover, since $s_i, s_j$ appear consecutively in the cycle, $(s_i, s_j) \in R$. Hence by definition, $(\bar H_i, \bar H_i) \in R'$.
(iii) Follows directly from the definitions of $\Pi_{\mathcal{P}'}$ and $\Pi'$. $\square$
We extend the operation of restriction to a path in a CTL structure. Let $p = (s_0, \ldots, s_n, s_{n+1}, \ldots)$ be a path in $\mathcal{M}$. Then define
$$\mathcal{R}_{\mathcal{P}'}(p) = \begin{cases} \bar H_0 \cdot \mathcal{R}_{\mathcal{P}'}(s_{n+1}, \ldots) & \text{if } (s_0, \ldots, s_n) \text{ is a finite prefix of } p \text{ such that } s_0, \ldots, s_n \in H_0 \text{ and } s_{n+1} \notin H_0; \\ (\bar H_0, \bar H_0, \ldots) & \text{otherwise, i.e. } s_0, \ldots \in H_0. \end{cases}$$
Lemma 4.4. Let $(s_0, \ldots, s_n, s_{n+1}, \ldots)$ be a path in $\mathcal{M}$. Then $\mathcal{R}_{\mathcal{P}'}(s_0, \ldots, s_n, s_{n+1}, \ldots)$ is a path in $\mathcal{M}'$.
Proof. The proof follows from the definition and Lemma 4.3(i) and (ii). $\square$
The exact converse of Lemma 4.4 is not true. But for our purpose, a somewhat 
weaker version of the converse will suffice. 
Lemma 4.5. Let $(\bar H_0, \bar H_1, \ldots)$ be a path in $\mathcal{M}'$ such that it satisfies one of the following two conditions:
(1) $\bar H_i \ne \bar H_{i+1}$ for all $0 \le i$,
(2) $\bar H_i \ne \bar H_{i+1}$ for all $0 \le i < k$ and $\bar H_j = \bar H_{j+1}$ for all $k \le j$.
Let $s_0 \in dom(H_0)$. Then there is a path $(s_0, s_1, \ldots)$ in $\mathcal{M}$ and $\mathcal{R}_{\mathcal{P}'}(s_0, s_1, \ldots) = (\bar H_0, \bar H_1, \ldots)$.
Proof. The proof follows from the definition and Lemma 4.3(i) and (ii). $\square$
Lemma 4.6. Let $\mathcal{F}$ be a CTL$^-$ formula in $\mathcal{L}'$. Then
$\mathcal{M}',\, \bar H_i \models \mathcal{F} \Rightarrow \mathcal{M},\, s_i \models \mathcal{F}$ where $s_i \in dom(H_i)$.
Proof. The proof follows by induction on the structure of the CTL$^-$ formula $\mathcal{F}$.
Basis Step: $\mathcal{F}$ is an atomic proposition $P$ in $\mathcal{P}'$. Then
$\mathcal{M}',\, \bar H_i \models \mathcal{F}$ $\Rightarrow$ $\mathcal{M}',\, \bar H_i \models P$
$\Rightarrow$ $P \in \Pi'(\bar H_i)$
$\Rightarrow$ $P \in \Pi(s_i) \cap \mathcal{P}'$ (Lemma 4.3(iii))
$\Rightarrow$ $\mathcal{M},\, s_i \models P$.
Induction Step: We only show the cases for $\forall U$ and $\exists U$. Other cases, involving propositional connectives, are rather simple and hence omitted.
Let $\mathcal{F} = \forall[f_1\, U\, f_2]$. First we show that if for all paths $(\bar H_i, \bar H_{i+1}, \ldots)$ of $\mathcal{M}'$,
$\exists k \ge i\,(\mathcal{M}',\, \bar H_k \models f_2 \wedge \forall\, i \le l < k\,(\mathcal{M}',\, \bar H_l \models f_1))$,
then, for all paths $(s_i, s_{i+1}, \ldots)$ of $\mathcal{M}$,
$\exists p \ge i\,(\mathcal{M},\, s_p \models f_2 \wedge \forall\, i \le q < p\,(\mathcal{M},\, s_q \models f_1))$.
Let $I = (s_i, s_{i+1}, \ldots)$ be any path in $\mathcal{M}$ with $s_i \in dom(H_i)$ and let $\mathcal{R}_{\mathcal{P}'}(I) = I' = (\bar H_i, \bar H_{i+1}, \ldots)$ be the corresponding path in $\mathcal{M}'$. By the above, $\exists k \ge i\,(\mathcal{M}',\, \bar H_k \models f_2)$. Let $p \ge i$ be the smallest index such that $s_p \in H_k$. Hence $s_p \in dom(H_k)$. By the induction hypothesis, $\mathcal{M},\, s_p \models f_2$. Since $\forall\, i \le q < p\; \exists\, i \le l < k\,(s_q \in H_l)$, and $\forall\, i \le l < k\,(\mathcal{M}',\, \bar H_l \models f_1)$, and $f_1$ is a propositional formula, we have $\forall\, i \le q < p\,(\mathcal{M},\, s_q \models f_1)$. Hence using the semantics of the $U$ operator, we get
$\mathcal{M}',\, \bar H_i \models \mathcal{F}$ $\Rightarrow$ $\mathcal{M}',\, \bar H_i \models \forall(f_1\, U\, f_2)$
$\Rightarrow$ for all paths $(\bar H_i, \bar H_{i+1}, \ldots)$ of $\mathcal{M}'$, $\exists k \ge i\,(\mathcal{M}',\, \bar H_k \models f_2 \wedge \forall\, i \le l < k\,(\mathcal{M}',\, \bar H_l \models f_1))$
$\Rightarrow$ for all paths $(s_i, s_{i+1}, \ldots)$ of $\mathcal{M}$ ($s_i \in dom(H_i)$), $\exists p \ge i\,(\mathcal{M},\, s_p \models f_2 \wedge \forall\, i \le q < p\,(\mathcal{M},\, s_q \models f_1))$
$\Rightarrow$ $\mathcal{M},\, s_i \models \forall(f_1\, U\, f_2)$
$\Rightarrow$ $\mathcal{M},\, s_i \models \mathcal{F}$.
Let .Y= 3(f, Uf2). First we claim that if for some path (ai, I?:+r, . . .) of A’, 
Elma i(.A!‘, Bkl=fihViG I< m(,&‘, fi;t=fi)), 
then there is some path $(H_i, H_{i+1}, \ldots)$ of $\mathcal{M}'$ satisfying one of the conditions of
Lemma 4.5 such that
$\exists k \ge i\,(\mathcal{M}', H_k \models f_2 \wedge \forall i \le l < k\,(\mathcal{M}', H_l \models f_1))$.
The new path $(H_i, H_{i+1}, \ldots)$ is obtained by the following step: if
$(H'_j, H'_{j+1}, \ldots, H'_{j+t})$ is a maximal finite subpath of $(H'_i, H'_{i+1}, \ldots)$ such that $H'_j =
H'_{j+1} = \cdots = H'_{j+t}$, then the subpath is replaced by the single state $H'_j$. This operation
is done for all such subpaths. It is easy to convince oneself that the path obtained
by this operation is a path in $\mathcal{M}'$ and satisfies the claim.
Next, we show that if for some path $(H_i, H_{i+1}, \ldots)$ of $\mathcal{M}'$ satisfying one of the
conditions of Lemma 4.5,
$\exists k \ge i\,(\mathcal{M}', H_k \models f_2 \wedge \forall i \le l < k\,(\mathcal{M}', H_l \models f_1))$,
then, for some path $(s_i, s_{i+1}, \ldots)$ of $\mathcal{M}$,
$\exists p \ge i\,(\mathcal{M}, s_p \models f_2 \wedge \forall i \le q < p\,(\mathcal{M}, s_q \models f_1))$.
By Lemma 4.5 there is a path $l = (s_i, s_{i+1}, \ldots)$ in $\mathcal{M}$ with $s_i \in \mathrm{dom}(H_i)$ and $\mathcal{R}_{\Sigma'}(l) = l' =
(H_i, H_{i+1}, \ldots)$, the path in $\mathcal{M}'$. By the above, $\exists k \ge i\,(\mathcal{M}', H_k \models f_2)$. Let $p \ge i$ be the
smallest index such that $s_p \in H_k$. Hence $s_p \in \mathrm{dom}(H_k)$. By the induction hypothesis,
$\mathcal{M}, s_p \models f_2$. Since $\forall i \le q < p\ \exists i \le l < k\,(s_q \in H_l)$, and $\forall i \le l < k\,(\mathcal{M}', H_l \models f_1)$ and $f_1$ is
a propositional formula, we have $\forall i \le q < p\,(\mathcal{M}, s_q \models f_1)$. Hence using the semantics
of the $U$ operator, we get
$\mathcal{M}', H_i \models \mathcal{F} \Rightarrow \mathcal{M}', H_i \models \exists(f_1\, U\, f_2)$
$\Rightarrow$ for some path $(H'_i, H'_{i+1}, \ldots)$ of $\mathcal{M}'$,
$\exists m \ge i\,(\mathcal{M}', H'_m \models f_2 \wedge \forall i \le l < m\,(\mathcal{M}', H'_l \models f_1))$
$\Rightarrow$ for some path $(H_i, H_{i+1}, \ldots)$ of $\mathcal{M}'$ satisfying one of
the conditions of Lemma 4.5,
$\Rightarrow$ for some path $(s_i, s_{i+1}, \ldots)$ of $\mathcal{M}$, ($s_i \in \mathrm{dom}(H_i)$)
In the next lemma we will make use of the following simple facts about CTL$^-$
formulae and blocks $H_k$, which we state without proof.
Fact 4.7. If a state of $H_k$ satisfies a propositional formula $g$, then all the states of $H_k$
must satisfy $g$.
Fact 4.8. Any quantified CTL$^-$ formula $f$ can be written in an expanded form
$Q_1(g_1\, U\, Q_2(g_2\, U \cdots Q_n(g_n\, U\, g_{n+1}) \cdots))$,
where $Q_1, Q_2, \ldots, Q_n$ are path quantifiers $\forall$ or $\exists$, and $g_1, g_2, \ldots, g_{n+1}$ are propositional
formulae.
Fact 4.9. If $g_{n+1}$ holds in any state, so do the formulae
$Q_j(g_j\, U\, Q_{j+1}(g_{j+1}\, U \cdots Q_n(g_n\, U\, g_{n+1}) \cdots))$ for all $1 \le j \le n$.
Similarly, if $Q_i(g_i\, U\, Q_{i+1}(g_{i+1}\, U \cdots Q_n(g_n\, U\, g_{n+1}) \cdots))$ holds in any state, so do the
formulae
$Q_j(g_j\, U\, Q_{j+1}(g_{j+1}\, U \cdots Q_n(g_n\, U\, g_{n+1}) \cdots))$ for all $1 \le j \le i$.
Conversely, if $Q_1(g_1\, U\, Q_2(g_2\, U \cdots Q_n(g_n\, U\, g_{n+1}) \cdots))$ holds in some state, then, for
some $1 \le j \le n$, $g_j$ and $Q_j(g_j\, U\, Q_{j+1}(g_{j+1}\, U \cdots Q_n(g_n\, U\, g_{n+1}) \cdots))$ hold in that state,
or $g_{n+1}$ holds in that state.
Lemma 4.10. Let $\mathcal{F}$ be a CTL$^-$ formula in $\Sigma'$. Then
$\mathcal{M}, s_i \models \mathcal{F} \Rightarrow \mathcal{M}', H_i \models \mathcal{F}$ where $s_i \in \mathrm{dom}(H_i)$.
Proof. We prove this by a complete induction over a labelled computation tree,
rooted at $s_i$ and with branches corresponding to transitions in $\mathcal{M}$. The labelling of
the states of the computation tree is done with respect to the CTL$^-$ formula $\mathcal{F}$.
Since $\mathcal{F}$ is in CTL$^-$, it is of the form $g$, or
where the $g$'s are propositional formulae. We label the tree as follows: if $\mathcal{F} = g$, then
label $s_i$ with $g$ and halt. On the other hand, if
then depending on whether $Q_1$ is $\forall$ ($\exists$), for all (some) computation paths starting
from $s_i$, there exists a finite initial prefix of the path, such that
holds at the last state of the prefix and $g_1$ at all other states along the prefix. Label
the states corresponding to the prefix with $g_1$. Continue the labelling procedure for
all the last states of the prefix, in a similar fashion, until a state is labelled with
$g_{n+1}$ and halt. Without loss of generality, assume that $\mathcal{M}, s_i \models g_1$. Notice that if $s'$
is any state, labelled with $g_j$ by this process, then, $\mathcal{M}, s' \models g_j$ and
$\mathcal{M}, s' \models Q_j(g_j\, U\, Q_{j+1}(g_{j+1}\, U \cdots Q_n(g_n\, U\, g_{n+1}) \cdots))$.
Let $l(s')$ stand for the length of the longest prefix of a computation path starting
from $s'$ such that every state of the prefix has the same label as $s'$. We say $c(s') = j$
is the characteristic index and $l(s')$ the characteristic length of $s'$ with respect to the
formula $\mathcal{F}$.
If $T_j$ and $T_k$ are two computation trees rooted at the dominating states $s_j$ and $s_k$,
respectively, then we say $T_j < T_k$ if $c(s_j) > c(s_k)$, or if $c(s_j) = c(s_k)$ but $l(s_j) < l(s_k)$.
This defines a well-ordering among the trees.
Consider an initial finite portion of the tree with the root at $s_i$, with branches
corresponding to the transitions in block $H_i$ and leaves corresponding to the
dominating states of the blocks.
Case 1: Either the formula $\mathcal{F}$ is of the form $g$ or $\mathcal{F}$ is of the form
and some non-leaf state of the initial portion of the computation tree satisfies $g_{n+1}$.
In the first case, since $\mathcal{M}, s_i \models g$ and $g$ is a propositional formula, it is easy to
show that $\mathcal{M}', H_i \models g$. In the second case, by Fact 4.7 $\mathcal{M}, s_i \models g_{n+1}$, and as in the first
case, $\mathcal{M}', H_i \models g_{n+1}$. By Fact 4.9
$\mathcal{M}', H_i \models Q_1(g_1\, U\, Q_2(g_2\, U \cdots Q_n(g_n\, U\, g_{n+1}) \cdots))$.
Hence $\mathcal{M}', H_i \models \mathcal{F}$.
Case 2: Formula $\mathcal{F}$ is of the form
and $g_{n+1}$ does not hold in any non-leaf state. Let $k$ be the maximum over the
characteristic indices of the leaves. Then there are two cases to consider:
Subcase A: $Q_1, Q_2, \ldots, Q_{k-1}$ are all $\forall$ quantifiers.
In this case all the leaves must satisfy
$Q_j(g_j\, U\, Q_{j+1}(g_{j+1}\, U \cdots Q_n(g_n\, U\, g_{n+1}) \cdots))$ for some $1 \le j \le k$.
By induction on the computation tree, we have for the corresponding blocks $H_m$
$\mathcal{M}', H_m \models Q_j(g_j\, U\, Q_{j+1}(g_{j+1}\, U \cdots Q_n(g_n\, U\, g_{n+1}) \cdots))$.
By Fact 4.9
But in the restricted structure $\mathcal{M}'$, each of these $H_m$ is a successor of $H_i$ (by Lemma
4.3(i)). Hence
Hence $\mathcal{M}', H_i \models \mathcal{F}$.
Subcase B: $Q_1, Q_2, \ldots, Q_{k-1}$ are not all $\forall$ quantifiers. Assume $Q_{i_1}, Q_{i_2}, \ldots, Q_{i_p}$
($1 \le i_1 \le i_2 \le \cdots \le i_p \le k-1$) are $\exists$ quantifiers.
We consider stages of labelling of the initial portion of the computation tree. By
assumption $Q_1, \ldots, Q_{i_1 - 1}$ are all $\forall$ quantifiers. In the first stage consider the labellings
associated with $Q_1, \ldots, Q_{i_1 - 1}$. Now all the last states of the prefixes of all the
computation paths (starting from $s_i$) that are labelled in this stage must satisfy
$Q_{i_1}(g_{i_1}\, U\, Q_{i_1+1}(g_{i_1+1}\, U \cdots Q_n(g_n\, U\, g_{n+1}) \cdots))$.
At this point we stop if there is a state among these that satisfies $g_{i_1}$ and
$Q_{i_1}(g_{i_1}\, U\, Q_{i_1+1}(g_{i_1+1}\, U \cdots Q_n(g_n\, U\, g_{n+1}) \cdots))$.
If not, we consider the next stage of labellings associated with $Q_{i_1+1}, \ldots, Q_{i_2-1}$.
Continuing in this fashion, we may encounter one of the two situations: (i) either
we have found a state that satisfies
$g_{i_j}$ and $Q_{i_j}(g_{i_j}\, U\, Q_{i_j+1}(g_{i_j+1}\, U \cdots Q_n(g_n\, U\, g_{n+1}) \cdots))$ for some $i_j \in \{i_1, \ldots, i_p\}$,
(ii) or all the leaves must satisfy
$Q_j(g_j\, U\, Q_{j+1}(g_{j+1}\, U \cdots Q_n(g_n\, U\, g_{n+1}) \cdots))$ for some $1 \le j \le k$.
The second situation is handled in a manner similar to Subcase A. Hence we consider
the first situation only.
Let $s$ be the non-leaf state satisfying $g_{i_j}$ and
$Q_{i_j}(g_{i_j}\, U\, Q_{i_j+1}(g_{i_j+1}\, U \cdots Q_n(g_n\, U\, g_{n+1}) \cdots))$.
Then there is a computation path from the root passing through the non-leaf $s$ and
a leaf $s_m$, where $s_m \in \mathrm{dom}(H_m)$ and $s_m$ satisfies
$Q_m(g_m\, U\, Q_{m+1}(g_{m+1}\, U \cdots Q_n(g_n\, U\, g_{n+1}) \cdots))$, ($i_j \le m \le k$).
Since $s$ is a non-leaf state and $g_{i_j}$ is a propositional formula, $\mathcal{M}, s_i \models g_{i_j}$ (Fact 4.7)
and $\mathcal{M}', H_i \models g_{i_j}$.
But
$\mathcal{M}, s_m \models Q_m(g_m\, U\, Q_{m+1}(g_{m+1}\, U \cdots Q_n(g_n\, U\, g_{n+1}) \cdots))$.
Hence by Fact 4.9
$\mathcal{M}, s_m \models Q_{i_j}(g_{i_j}\, U\, Q_{i_j+1}(g_{i_j+1}\, U \cdots Q_n(g_n\, U\, g_{n+1}) \cdots))$,
and by the induction on the computation tree
$\mathcal{M}', H_m \models Q_{i_j}(g_{i_j}\, U\, Q_{i_j+1}(g_{i_j+1}\, U \cdots Q_n(g_n\, U\, g_{n+1}) \cdots))$.
But in the restricted structure $\mathcal{M}'$, $H_m$ is a successor of $H_i$ (Lemma 4.3(i)) and hence
$\mathcal{M}', H_i \models Q_{i_j}(g_{i_j}\, U\, Q_{i_j+1}(g_{i_j+1}\, U \cdots Q_n(g_n\, U\, g_{n+1}) \cdots))$.
By Fact 4.9
From the above technical lemmas, we easily deduce the proof of the Main Theorem
(Theorem 4.2).
Proof of Theorem 4.2. The proof directly follows from Lemmas 4.6 and 4.10. □
Now, we show how to build $\mathcal{M}'$ from $\mathcal{M}$ in the following three steps. $\mathcal{M}'$ is
essentially a restriction of $\mathcal{M}$ with additional optimizations and labelling of the
transitions of the state-transition graph.
Step 1. Relabel the vertices and the edges of the CTL structure $\mathcal{M}$. (a) Label each
state by the subset of the propositions involving only the inputs and the outputs of
the module. (b) Label the edges between two states with the same set of atomic
propositions by $\varepsilon$.
Step 2. Construct the blocks of $\mathcal{M}$ by first determining the dominant states using
a depth-first search over the underlying graph. Build $\mathcal{M}'$ by replacing each block
by a single state.
Step 3. Label the edges of the graph by the set of input signals that causes the
transition and the set of output signals associated with the transition.
This construction is illustrated by taking the restriction of the state-transition
graph for the FIFO queue element shown in Fig. 1. The states shown in groups are
the blocks constructed in Step 2. The resulting labelled state-transition graph is
shown in Fig. 5.
Fig. 5. The restricted state transition graph.
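Steps 1 and 2 above, together with the path restriction $\mathcal{R}_{\Sigma'}$ defined earlier in this section, as an added worked example in Python that is not part of the paper: the handshake graph is constructed for illustration, and the definitions of dominating state, block and $R'$ encoded in the comments are my reading of the paper's earlier definitions, i.e. assumptions.

```python
from collections import defaultdict

# Constructed toy CTL structure M: a req/ack handshake with an internal node x.
R = [("s0", "s1"), ("s1", "s2"), ("s2", "s1"), ("s2", "s3"),
     ("s3", "s4"), ("s4", "s5"), ("s5", "s0")]
PI = {"s0": set(), "s1": {"req"}, "s2": {"req", "x"},
      "s3": {"req", "ack", "x"}, "s4": {"ack", "x"}, "s5": set()}
SIGMA_PRIME = {"req", "ack"}  # propositions on the module's inputs/outputs only

def _has_internal_cycle(members, succ):
    """True if the transitions lying entirely inside a block form a cycle."""
    for u in members:
        reach = set()
        frontier = {v for v in succ[u] if v in members}
        while frontier - reach:
            reach |= frontier
            frontier = {w for v in frontier for w in succ[v] if w in members}
        if u in reach:
            return True
    return False

def restrict(trans, pi, sigma_prime, initial):
    """Steps 1 and 2: (blocks, R', Pi'), blocks mapping dom(H) -> members of H."""
    lab = {s: frozenset(pi[s] & sigma_prime) for s in pi}  # Step 1(a)
    succ = defaultdict(list)
    for s, t in trans:
        succ[s].append(t)
    # Assumed definition: a state is dominating if it is the initial state or is
    # entered by a label-changing transition; other edges are the epsilon edges.
    dom = {initial} | {t for s, t in trans if lab[s] != lab[t]}
    blocks = {}
    for d in dom:  # Step 2: DFS from d along epsilon edges, not past dom states
        members, stack = {d}, [d]
        while stack:
            u = stack.pop()
            for v in succ[u]:
                if v not in dom and lab[v] == lab[u] and v not in members:
                    members.add(v)
                    stack.append(v)
        blocks[d] = frozenset(members)
    # Assumed R': H_i -> H_j when a member of H_i steps to dom(H_j); H_i -> H_i
    # when H_i holds a cycle of R (a path may then stay in H_i forever).
    r_prime = set()
    for d, members in blocks.items():
        for s in members:
            r_prime |= {(d, t) for t in succ[s] if t in dom and t not in members}
        if _has_internal_cycle(members, succ):
            r_prime.add((d, d))
    return blocks, r_prime, {d: lab[d] for d in dom}  # Pi' as in Lemma 4.3(iii)

def restrict_path(path, blocks):
    """R_Sigma'(p) on a finite prefix starting at a dominating state."""
    out, cur = [], path[0]
    for s in path:
        if s not in blocks[cur]:
            cur = s  # a block is only ever left through a dominating state
        if not out or out[-1] != cur:  # a run inside one block collapses
            out.append(cur)
    return out
```

On this graph the block dominated by s1 absorbs s2 (the internal oscillation s1 → s2 → s1 becomes a self-loop on the block), and the restricted path of any run is checked to be a path in $R'$, as Lemma 4.4 states.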
It should be mentioned that since we combine successive states in the operation
of Step 2, the restricted model may not be a unit-delay model even if the original
unrestricted model was so. This notion is essentially captured in Theorems 4.1 and
4.2.
However, this does not pose a problem, since good design methodology forces
the designer not to make the modules at higher levels in the hierarchy speed-
dependent. Moreover, since a speed-dependent circuit must be small enough to fit
in an equipotential region, and equipotential regions must be small enough that the
potential on any wire in this area will equalize in a ‘short’ time, for any large circuit
the modules at higher levels have to be speed-independent [7].
As the first step for verifying the correctness of a circuit using a hierarchical
approach, we construct a CTL structure for a module at some hierarchical level,
using the CTL structures for the submodules at the immediately lower level. In
order to avoid building large-sized CTL structures, we use the restriction operation
on the CTL structures of the submodules and obtain smaller descriptions of these.
Moreover, the transitions of the state-transition graph are additionally labelled with
the associated set of input signals and set of output signals, as explained earlier in
this section.
Given two submodules A and B which are used to build a module C at a higher
level by connecting the inputs and outputs of A and B, we show how to build a
CTL structure for the module C using an operation called ‘composition’. It can be
shown that the composition operation is commutative and associative and hence
can be generalized easily to the case where a module consists of more than two
submodules. The reader may note a close analogy between the operations we define
and the operations defined in [8].
Let the restricted models of the submodules A and B be $\mathcal{M}_A = (S_A, R_A, \Pi_A)$ and
$\mathcal{M}_B = (S_B, R_B, \Pi_B)$, respectively. We assume that the propositions associated with A
and B are renamed so that the input and output nodes of A and B that are connected
have a corresponding pair of propositions, i.e., if input $a$ of A is derived from the
output $b$ of B, then the proposition associated with $a$ is $P_b$, corresponding to the
proposition $P_b$ associated with $b$ in B. Furthermore, we make the important assumption
that these connections are made using ‘short’ bilateral wires.
The CTL structure of $C = A \circ B$ is given by $\mathcal{M}_C = \mathcal{M}_{A \circ B} = (S_{A \circ B}, R_{A \circ B}, \Pi_{A \circ B})$, where
$S_{A \circ B} \subseteq S_A \times S_B$. The assignment function $\Pi_{A \circ B} : S_{A \circ B} \to 2^{\Sigma_A \cup \Sigma_B}$ is defined by $\Pi(s_{A \circ B}) =
\Pi(s_A) \cup \Pi(s_B)$ where the state $s_{A \circ B} = (s_A, s_B)$. The initial state of $\mathcal{M}_C$ is $s_{0(A \circ B)} =
(s_{0A}, s_{0B})$. A state is stable if every pair of propositions assigned to the state has the
same truth value and is unstable otherwise, with a set of transitions $\theta$ corresponding
to the unmatched pairs associated with it.
The transition relation $R_{A \circ B}$ ($R_{A \circ B} \subseteq S_{A \circ B} \times S_{A \circ B}$) is defined as follows. Assume
that there is a transition $(s_{1A}, s_{2A}) \in R_A$ such that $(s_{1A}, s_{2A})$ has associated with it
the input set $\alpha$ and the output set $\beta$. Similarly, assume that there is a transition
$(s_{1B}, s_{2B}) \in R_B$ such that $(s_{1B}, s_{2B})$ has associated with it the input set $\gamma$ and the
output set $\delta$. Furthermore, assume that $\alpha$ is partitioned into disjoint subsets $\alpha'$ and
$\alpha''$ such that $\alpha'$ is associated with the inputs of C (i.e. the input transitions for $\alpha'$
are generated externally and the transitions for $\alpha''$ are generated internally).
Similarly, assume that $\gamma$ is partitioned into disjoint subsets $\gamma'$ and $\gamma''$. Then in the
CTL structure for C, there will be the following transitions. Let $\theta$ be the set of transitions
associated with $(s_{1A}, s_{1B})$, if it is unstable. (i) If $\alpha'' \subseteq \theta$, then there is a transition
$((s_{1A}, s_{1B}), (s_{2A}, s_{1B})) \in R_{A \circ B}$ with associated input $\alpha'$ and output $\beta$; (ii) if $\gamma'' \subseteq \theta$, then
there is a transition $((s_{1A}, s_{1B}), (s_{1A}, s_{2B})) \in R_{A \circ B}$ with associated input $\gamma'$ and output
$\delta$; and (iii) if $\alpha'' \cup \gamma'' \subseteq \theta$, then there is a transition $((s_{1A}, s_{1B}), (s_{2A}, s_{2B})) \in R_{A \circ B}$ with
associated input $\alpha' \cup \gamma'$ and output $\beta \cup \delta$.
The step of constructing the successor states for $(s_{1A}, s_{1B})$ can be thought of as
simulating C at $(s_{1A}, s_{1B})$ for all possible sets of inputs and can be easily incorporated
into Algorithm 2.1. Now various properties of C with respect to the model $\mathcal{M}_C$ can
be determined using the model checker algorithm, as explained in the earlier sections.
5. Conclusion
We have shown that it is possible to do automatic verification of asynchronous 
circuits efficiently. We have also indicated how this method can be extended to do 
hierarchical verification of large and complex circuits. We believe that this approach 
may eventually turn out to be quite practical. 
However, there are many problems that need to be addressed before this approach 
is made feasible in practice. In this paper we have used a unit-delay model for the 
circuit. Similarly, it is quite easy to use a steady-state model, in which each state 
in the state-transition graph corresponds to a stable state and only in response to 
an input change does a state change occur. While the steady-state model is useful 
for speed-independent self-timed circuits, the unit-delay model is needed to model 
properties of a speed-dependent circuit. Unfortunately, even for the speed-dependent 
circuits the assumption that each gate has one unit gate-delay is rather unrealistic, 
because two similar gates may have different delays depending on process variations, 
fan-outs of a gate, etc. Moreover, because of various capacitive effects, the delay 
associated with a 0-to-1 transition is not equal to the one associated with a 1-to-0
transition. It is felt that it is necessary to find models that capture these properties 
better. Also, we do not know how to handle the effect of large fan-out, charge 
sharing, etc. In addition, we felt that CTL is rather weak for succinctly expressing 
many properties of circuits. A notation based on temporal intervals [6] may be more 
suitable for this purpose. 
An interesting area for future research is the usefulness of the restriction operation
in the context of hierarchical verification. We have defined a ‘restriction’ operation
and shown that the truth-properties of the CTL$^-$ formulae are preserved with respect
to the operation of restriction. It appears that any weaker version of ‘restriction’
will not result in any substantial reduction of the size of the CTL structures and
hence will make hierarchical verification rather expensive. On the other hand, it
seems any stronger version of ‘restriction’ will severely limit the class of CTL
formulae that will be preserved with respect to restriction.
Acknowledgment 
We wish to thank Larry Rudolph of Carnegie-Mellon University, and Chuck Seitz 
of Caltech for helpful discussions. 
References 
[1] M. Ben-Ari, Z. Manna and A. Pnueli, The logic of nexttime, 8th ACM Symposium on Principles of
Programming Languages, Williamsburg, VA, 1981.
[2] G.V. Bochmann, Hardware specification with temporal logic: An example, IEEE Trans. Comput.
C-31 (3) (1982).
[3] E.M. Clarke, E.A. Emerson and A.P. Sistla, Automatic verification of finite-state concurrent systems
using temporal logic specifications: A practical approach, 10th ACM Symp. on Principles of Programming
Languages, Austin, TX, 1983.
[4] E. Clarke and B. Mishra, Automatic verification of asynchronous circuits, in: E. Clarke and D.
Kozen, eds., Proc. C.M.U. Workshop on Logics of Programs, Pittsburgh, PA, 1983; Lecture Notes in
Computer Science 164 (Springer, Berlin, 1984).
[5] E.A. Emerson and E.M. Clarke, Characterizing properties of parallel programs as fixpoints, Proc.
7th Internat. Coll. on Automata, Languages and Programming, Lecture Notes in Computer Science
85 (Springer, Berlin, 1981).
[6] J. Halpern, Z. Manna and B. Moszkowski, A hardware semantics based on temporal intervals, Report 
STAN-CS-83-963, Department of Computer Science, Stanford University, Stanford, 1983. 
[7] C.A. Mead and L.A. Conway, Introduction to VLSI Systems (Addison-Wesley, Reading, MA, 1980) 
Chapter 7. 
[8] R. Milner, A Calculus of Communicating Systems, Lecture Notes in Computer Science 92 (Springer, 
Berlin, 1980). 
[9] Y. Malachi and S.S. Owicki, Temporal specifications of self-timed systems, in: H.T. Kung, Bob Sproull 
and G. Steele, eds., VLSI Systems and Computations (Computer Science Press, Rockville, MD, 1981). 
