Introduction
This work addresses formal hardware verification. The aim of hardware equivalence verification is to check the "functional equivalence" of two design models according to some concept of equivalence. Equivalence of two models does not guarantee that they do what they were designed for; it is the task of formal property verification and dynamic validation to provide a level of confidence that the designs have the desired functionality. In practice, equivalence verification and property verification are closely related and are often performed under a common methodology umbrella and tool set. To date, however, there has not been any significant research towards a unifying theory that would combine equivalence verification with property verification using fully formal, complete proof methods (as opposed to relying on non-exhaustive simulation).
Since verification of complex hardware is not imaginable without employing abstraction and compositional methods, hardware equivalence verification in practice consists of the following steps:
1. Decompose the specification and implementation models using mapped cut points in them.
2. Use boundary constraints to make the corresponding component slices equivalent.
3. Build a reboot sequence that, via 3-valued simulation [HC98], brings the models into states satisfying the boundary constraints (and possibly other properties).
4. Check that all properties remain valid post-reboot, using (non-exhaustive, 3-valued) simulation.
The most widespread equivalence verification method in the industry was, and still is, some form of combinational verification [KvE04], where the slices are combinational, i.e., they contain no internal state elements. Hardware is represented as a Finite State Machine (FSM) [Koh78, HS96]. In its classical definition, combinationally equivalent FSMs M1 and M2 are actually the same FSM: their transition relations and output functions are defined by the same Boolean functions, which may be implemented differently in M1 and M2. In practice, however, a form of assume-guarantee framework is used (like the one outlined above), where the requirement of component equivalence is weakened to a form of conditional equivalence under "don't cares", or under combinational or temporal logic assumptions. Thus, combinational equivalence in practice does not correspond to its classical definition.
For hardware FSMs designed to operate correctly after being simulated with a reboot sequence, several concepts of equivalence have been developed (besides combinational equivalence), such as sequential hardware equivalence, also called alignability equivalence [Pix92], delayed safe replaceability [SPAB01], exact 3-valued equivalence [RSSB99], and steady-state equivalence [KH02]. The latter two forms of equivalence have been used for retiming verification [LS91], which is the second most widespread form of hardware equivalence verification. Retiming verification of sequential components is often combined with combinational verification of combinational components. It is unclear what kind of equivalence is proved between the specification and implementation FSMs as a result of such a combination of verification methods. Furthermore, step 4 of the compositional verification procedure outlined above, which relates the reboot sequence to the boundary properties used, was never considered part of formal equivalence verification. Indeed, it is currently based on non-exhaustive dynamic simulation and thus cannot provide a full proof.
The main results of this work are Hardware Machines and post-reboot equivalence (detailed below). Since the new equivalence concept is defined in terms of bisimulation, it allows (1) extending the results to (possibly nondeterministic) Labeled Transition Systems, into which both hardware and software can be modeled at higher levels of abstraction, and (2) adapting it to other useful forms of (bi)simulation.
The concept of post-reboot equivalence proposed here is a refinement of alignability equivalence [Pix92]. The compositional verification framework that we propose is based on a more recent work [KSKH04] that proves weak compositionality of alignability by defining a concept of stable decomposition of the specification and implementation FSMs. The latter framework assumes, however, that the two FSMs are weakly synchronizable (WS for short [PR96]) with the same input sequence, but it does not provide any practical algorithm for formally verifying whether or not a given input vector sequence is a ws-sequence. This makes the methodology proposed in [KSKH04] incomplete. The incompleteness stems from the fact that that work used alignability equivalence as its basis, and it is unclear how a practical, formal verification method for ws-sequences can be proposed without adopting the post-reboot equivalence concept, as we do here. Furthermore, alignability equivalence is not satisfactory in practice, since it is not enough for a reboot sequence to be a ws-sequence: to make the hardware work properly, the reboot sequence should bring it to a designated set of states that meet some architectural requirements. For example, physical memory addresses, initial values of counters, and some states of internal sub-systems must have specific values. The concept of WS does not capture these requirements. Finally, alignability equivalence is not expressive enough to relate the provability of commonly observable temporal logic formulas in one FSM to their validity in an equivalent FSM. These points will be clarified in detail later.
The theoretical contribution of our work can briefly be summarized as follows. We introduce the concept of a post-reboot bisimulation as a pair (π, B), where B is a bisimulation between compatible FSMs M1 and M2 (i.e., FSMs with the same inputs and outputs) and π brings any pair of states of M1 × M2 into a pair in B. We formalize the concept of post-reboot combinational equivalence and show that it is a post-reboot bisimulation. We show that alignability is a post-reboot bisimulation, too. We also show that the set of all post-reboot bisimulations (when it is non-empty) forms a complete lattice [DP90]. Its top element corresponds to the bisimulation formed from all ws-states, and its bottom element corresponds to the bisimulation formed from the states in the sink strongly connected components [PR96] of M1 and M2. Post-reboot combinational verification and compositional alignability verification correspond to building post-reboot bisimulations that lie between the top and bottom bisimulations, and therefore these forms of verification are feasible in practice.
Further, we define an upper semi-lattice [DP90] of weak-synchronizing sequences. It is in fact this order that allows us to demonstrate how "the strength" of a reboot sequence can affect the post-reboot validity of a temporal specification of the design, and this indeed clarifies the subtle differences between post-reboot equivalence and alignability. Since a reboot sequence π must bring any state pair of M1 × M2 into a non-empty bisimulation B, the sequence π must be a ws-sequence for both M1 and M2. The converse need not be true: some ws-sequences cannot serve as useful reboot sequences because they may not meet some non-functional requirements that should be satisfied during the post-reboot operation of the circuit. Examples of non-functional requirements (for the FSM formalism) are power and timing constraints, as well as the architectural requirements mentioned above, which may be satisfied in some but not all ws-states. Non-functional requirements can also be temporal logic specifications that were not encoded into the circuit design as observable output behaviors. Thus, post-reboot bisimulation can be viewed as a useful refinement of alignability equivalence, especially when equivalence verification is considered in the wider context of formal verification of hardware designs, where it may be combined with verification of temporal properties and validation of (candidate) reboot sequences.
In the next section, we recall FSMs and the concepts related to alignability, and introduce Hardware Machines. In Section 3, we introduce post-reboot bisimulation, relate it to alignability, and give its lattice-theoretic characterization. In Section 4, we propose a revised definition of combinational equivalence. We discuss the advantages of post-reboot bisimulation for verification of hardware machines in Section 5. Our conclusions appear in Section 6.
Hardware Machines
In this section, we introduce Hardware Machines, to reflect the fact that the set of operation states of a hardware design is a subset, usually proper, of the ws-states. If an FSM is not weakly synchronizable, then for any input sequence ρ there always exist power-up states s1 and s2 such that the states O(s1, ρ) and O(s2, ρ) are not equivalent. This means that, whatever ρ is, the FSM exhibits a non-deterministic observational (output) behavior after ρ. Therefore, in alignability equivalence, weak synchronization is a necessary condition for an FSM to be equivalent to another FSM (or to itself). In the discussion below, we only consider such FSMs.
Since alignability equivalence is only concerned with the output behavior, and equivalent states of an FSM cannot be distinguished by observing the outputs, the set of post-ws states of Pixley's alignability [Pix92], up to ≈, is always the same: it coincides with the set of equivalence classes of WS(M). Thus, for alignability equivalence, the set of all ws-states is (implicitly) considered as the set of operation states.
In practice, equivalence verification between FSMs M1 and M2 is usually combined with verifying that the specification model M1 (written in a hardware description language) satisfies its temporal logic specification, say P. In this wider context, working with equivalence classes of states is inadequate: if a state s satisfies P, its equivalent states need not. Moreover, for ws-states it no longer holds that there is a transition path between any pair of them. Therefore, it does make a difference which ws-sequence is chosen to weakly synchronize the FSMs: the resulting sets of post-ws operation states may differ. For one ws-sequence π, the respective post-ws operation states of M1 may satisfy P, while for another ws-sequence ρ the resulting post-ws operation states might not. A simple example of this is given in Section 5. This observation led us to introduce the concept of a Hardware Machine (HM), a pair H = (M, R) of an FSM M and a set R of its operation states.

In this definition, R must be understood as a set of states into which a ws-sequence ρ brings H from any state. We could have chosen to make ρ a part of the definition of an HM. We will see below that R can be defined as a set of constraints on the boundaries of the component slices of a suitable decomposition of M; thus we found it more natural to use R rather than ρ as part of the HM definition.
Post-reboot equivalence
In this section, we introduce post-reboot bisimulation (PRB) and post-reboot equivalence, and construct the lattice of PRBs. We show how PRB is related to alignability and discuss how the two differ (theoretically), by defining an upper semi-lattice on ws-sequences. We also relate PRB to FSM bisimulation as defined in [AGM01].
The following concept of bisimulation for compatible FSMs is induced by the bisimulation concept for LTSs [Par81, Mil89]. Recall that an FSM can be viewed as an LTS by considering the pair (a, λ(s,a)) as the label of the transition s → δ(s,a), where a is an input [HS96].

Let (π,B) be a PRB between M1 and M2; then one can associate with π a smallest bisimulation B_π such that (π,B_π) is a PRB: B_π is the intersection of all Bi such that (π,Bi) is a PRB. Therefore, we can define a (strict) order on input sequences as follows: π1 ≺ π2 iff B_π1 ⊃ B_π2; that is, π1 cannot transfer all state pairs of M1 × M2 into B_π2, whereas π2 can; therefore, we call π2 a stronger reboot sequence than π1. We write π1 ≡ π2 iff B_π1 = B_π2. When M1 = M2, the order ≺ is in fact an order on the ws-sequences of M1. The order ≺ has upper bounds but need not have a bottom element, and thus need not be a lattice. Indeed, consider the FSM M∴ in Figure 1. Note that s1 ≈ s4 and s2 ≈ s3. Therefore, the input sequences 1 and 0 are both ws-sequences of M∴, and so is 10. Note that 1 ≡ 11 ≡ 111 …; 0 ≡ 00 ≡ 000 …; and 01 ≡ 10 ≡ 100 …. Thus, the quotient ≺/≡ has three elements in M∴, ordered as in Figure 1.a.

The deep analysis of weak synchronization via strongly connected components (SCCs) of state transition graphs presented in [PR96] is closely related to our lattice-theoretic characterization of PRB. Recall that an SCC is a set of states between any two of which there is a state transition path; a sink SCC is one from which there is no exiting transition. Then, in any smallest PRB (π,B), the states in B belong to sink SCCs of M1 and M2, and π is a strongest ws-sequence. This follows easily from the construction in [PR96] of ws-sequences that bring any state into a sink SCC, and from Corollary 3.1.
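To make the order on reboot sequences concrete, here is an added Python example; it is not from the paper and uses a constructed five-state Mealy FSM M (states A to E, chosen so that A is bisimilar to D and C to E, while only {D, E} forms a sink SCC), whose transition table, state names and function names are assumptions of the example. For M1 = M2 = M it computes B_π as the transition closure of the state pairs that π reaches from all power-up pairs, checks that this closure is a bisimulation (so that π is a ws-sequence), orders sequences by strict inclusion of their B_π, and projects B_π onto the post-reboot operation states R.

```python
from collections import deque
from itertools import product

# Constructed toy Mealy FSM (an assumption of this example, not the paper's M_PR):
# DELTA[state][input] = (next_state, output). A is bisimilar to D and C to E,
# but only {D, E} is a sink SCC; A, B, C are transient power-up states.
DELTA = {
    "A": {0: ("A", 0), 1: ("C", 1)},
    "B": {0: ("A", 1), 1: ("B", 1)},
    "C": {0: ("D", 0), 1: ("E", 0)},
    "D": {0: ("D", 0), 1: ("E", 1)},
    "E": {0: ("D", 0), 1: ("E", 0)},
}
INPUTS = (0, 1)
SINK_SCC = frozenset("DE")


def run(delta, state, seq):
    """State reached from `state` after applying the input sequence `seq`."""
    for a in seq:
        state = delta[state][a][0]
    return state


def closure(delta, pairs):
    """All state pairs reachable from `pairs` when both copies of M read the same inputs."""
    seen = set(pairs)
    queue = deque(pairs)
    while queue:
        s, t = queue.popleft()
        for a in INPUTS:
            nxt = (delta[s][a][0], delta[t][a][0])
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return frozenset(seen)


def is_bisimulation(delta, B):
    """B is a bisimulation iff every pair agrees on outputs and B is closed under transitions."""
    return all(
        delta[s][a][1] == delta[t][a][1] and (delta[s][a][0], delta[t][a][0]) in B
        for s, t in B for a in INPUTS
    )


def smallest_prb(delta, seq):
    """B_pi: the smallest bisimulation B with (pi, B) a PRB of M x M, or None if pi is not a ws-sequence.

    pi drives every power-up pair (s, t) to (run(s, pi), run(t, pi)); B_pi is the transition
    closure of those pairs, and (pi, B_pi) is a PRB iff that closure is a bisimulation.
    """
    reached = {run(delta, s, seq) for s in delta}
    B = closure(delta, set(product(reached, reached)))
    return B if is_bisimulation(delta, B) else None


def stronger(delta, pi1, pi2):
    """pi1 < pi2 (pi2 is the stronger reboot sequence) iff B_pi1 strictly contains B_pi2."""
    b1, b2 = smallest_prb(delta, pi1), smallest_prb(delta, pi2)
    return b1 is not None and b2 is not None and b2 < b1


def operation_states(delta, seq):
    """Post-reboot operation states R: every state M can be in at any time after rebooting with pi."""
    B = smallest_prb(delta, seq)
    return None if B is None else frozenset(s for s, _ in B)


if __name__ == "__main__":
    for pi in [(1,), (0,), (0, 0), (0, 1), (0, 1, 1)]:
        B = smallest_prb(DELTA, pi)
        if B is None:
            print(pi, "is not a ws-sequence")
        else:
            R = operation_states(DELTA, pi)
            print(pi, "|B_pi| =", len(B), "R =", sorted(R), "R within sink SCC:", R <= SINK_SCC)
    print("0 < 01:", stronger(DELTA, (0,), (0, 1)), "01 < 011:", stronger(DELTA, (0, 1), (0, 1, 1)))
```

On this FSM the sequence 1 is not a ws-sequence (B stays in its own transient state and disagrees on outputs with E), while 0 ≡ 00 ≺ 01 ≺ 011. The smallest PRB of the strongest sequence, 011, is the identity on the sink SCC {D, E}, as the paper states for smallest PRBs; the weaker sequence 0 leaves the transient states A and C among the operation states, so a property such as "the design is in its sink SCC" holds after rebooting with 011 but not after rebooting with 0, which is the distinction between ws-sequences that alignability alone cannot make.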
Combinational equivalence as post-reboot equivalence
In this section, we examine combinational verification of state-matching FSMs, expose the verification holes in its current formalism, and relate it to post-reboot equivalence in an attempt to come up with a satisfactory formalism.
To do this, we explain on an example the compositional alignability verification framework proposed in [KSKH04]. The specification and implementation FSMs M1 and M2 are decomposed into components, as in Figure 2 below. A 1-1 correspondence between the component slices of M1 and M2 is defined by mapping the corresponding slice boundaries, where the boundary signals are latches. For example, the boundary signals of components A1 and A2 are mapped (they have the same names), and so are the boundary signals of B1 and B2. FSM decomposition is needed to reduce equivalence verification of M1 and M2 to equivalence verification of the components; for this to work, boundary properties are added to the components to eliminate behaviors of the components that never happen during post-reboot behavior of the FSMs. For example, using the constraint l1 = ¬l2, it is possible to prove that the conditional FSMs obtained from B1 and B2 by restricting the allowed input sequences are alignable. To make the use of such a constraint sound, one must ensure that the constraint is valid in all post-reboot operation states. In this example it is enough to use any ws-sequence as a reboot sequence to ensure the constraint: since the constraint is actually an output constraint of components A1 and A2, its validity in all post-reboot states of M1 and M2 is proved locally in the components A1 and A2, where the constraint is valid in all post-ws states.
There is another condition for safe usage of boundary properties: the resulting conditional FSMs must be stable [KSKH04]. The intuition is that, in a stable conditional FSM, an input vector is allowed on a state transition path iff it is allowed on all state transition paths. Such a conditional FSM can be mapped to an equivalent (non-conditional) FSM whose input signature is a subset of that of the conditional FSM; therefore, the alignability theory is valid for stable conditional FSMs. Components B1 and B2 constrained with l1 = ¬l2 are stable conditional FSMs, because the input vectors l1 = l2 = 0 and l1 = l2 = 1 are never allowed while the remaining two input vectors are always allowed.
Only a subset of the boundary properties is used for the assume-guarantee compositional proofs. Such properties are called verification properties. Now recall that two FSMs are called state-matching if there is a 1-1 mapping between their latches. Often, for state-matching FSMs, a latch in one model is allowed to be mapped to more than one latch in the other model. Sometimes, a mapping may have a polarity: a latch in one model may be mapped to the negation of a latch in the other model. This slightly more general treatment can easily be reduced to a situation where the latch mapping is 1-1 and no polarity is involved, and we adopt these assumptions.
When performing combinational equivalence verification, a mismatch in functionality of a component pair is allowed if the supporting components (or the supporting logic) in M1 and M2 can never generate a value combination that produces the mismatch. As already explained on the example above, by allowing the properties on component boundaries, one actually assumes a reboot sequence, and expects the FSMs' behaviors to match post-reboot. Therefore, unless M1 × M2 can be driven from an arbitrary state into a state satisfying R_D, combinational equivalence w.r.t. D is meaningless: it is vacuous. Hence the following definition:

The problem of verifying that a reboot sequence will bring the circuits into a bisimulation has not been addressed by formal methods, and traditionally it was not considered part of combinational equivalence verification; this is a verification gap. In Section 5, we discuss how to formally verify whether a pair (π,B) is a PRB, implying that π is a legal reboot sequence for the bisimulation B. As already mentioned, combinational verification is often combined with retiming verification on the same design. For weakly synchronizable FSMs, steady-state equivalence, used as the semantics for retiming verification, implies alignability [KH03], and thus post-reboot equivalence. Therefore, retiming verification with steady-state semantics can be safely used as part of compositional post-reboot equivalence verification, provided the retimed components are first proven to be weakly synchronizable.
Verification of Hardware Machines
Now, we consider verification of hardware machines in a wider context, where equivalence verification is combined with assertion verification and reboot sequence validation. We do not intend to cover all methodological aspects; however, we demonstrate the advantages and adequacy of post-reboot equivalence for this task. For the FSM M_PR in Figure 3, one clearly has 0 ≡ 01 ≡ 010 ≺ 011 ≺ 0111 ≡ 0110. If the designer wants M_PR to operate in states {D, E, F} after reboot, he/she can choose a strongest reboot sequence, e.g. 0111, which transfers any state into the sink SCC {D, E, F}. Assume P is a property that is not valid in state C and is valid in {D, E, F}. P can be seen as a behavioral specification for a design that the designer wants to implement. Then M_PR meets its behavioral specification with respect to the post-reboot semantics (for the reboot sequence 0111, for instance), but it does not meet its behavioral specification relative to the alignability semantics (e.g. when 0 is chosen as the ws-sequence). In this respect, adopting post-reboot semantics has a significant impact on the verification methodology: since alignability does not distinguish between ws-sequences, adopting the alignability semantics forces the designer to modify the implementation of M_PR because of a "failing" property P. Here is the data from a chip design project that we supported: 75% of the logic bugs discovered by post-reboot simulation, after the equivalence verification was completed, were caused by initialization issues.
For an FSM M, adopting the alignability semantics implies the need to prove, for a property P, the derived property s ∈ WS(M) ⇒ P(s) for any state s of M. On the other hand, adopting post-reboot equivalence for a Hardware Machine (M,R) implies instead proving the property s ∈ R ⇒ P(s). We have seen that the relation R can be computed (and is computed in practice) as the relation R_D associated with a stable decomposition of M (or M × M), while WS(M) cannot be computed for industrial designs, and it is unclear how a property WS ⇒ P can be verified in general for a weakly synchronizable FSM.
Let P be a CTL* formula written using the common (i.e., mapped) variables of M1 and M2 as the atomic propositions; such a formula is observable in both FSMs. Note that when we build a PRB (ρ,R_D) based on a stable decomposition D of (M1,M2), the HMs (M1,R1) and (M2,R2) are equivalent, where R1 and R2 are the projections of R_D on S(M1) and S(M2), respectively. Further, P is valid in (M1,R1) iff it is valid in (M2,R2) (cf. [Ch. 11, CGP99]). However, based on M1 ≈aln M2 alone, it is no longer possible to infer the validity of P on the ws-states of M2 from its validity on the ws-states of M1. Indeed, let M'_PR be the same FSM as M_PR in Figure 3, except that now on input 0 the states A and B transition to D (rather than to its equivalent state A). Then M'_PR ≈aln M_PR and {D, E, F} is the set of ws-states of M'_PR; therefore, the property P (from the same example) is valid in all ws-states of M'_PR while it is not valid in the ws-state C of M_PR. That is, alignability equivalence for FSMs is not informative enough to allow inferring common observable properties from one model to its equivalent model. Note that considering the boundary latches as outputs, and thereby strengthening alignability equivalence (by ensuring that the atomic propositions have the same values in M1 and M2), does not resolve the validity preservation problem with alignability, because the boundary properties are also used in proving the common observable properties.
In Tables 1 and 2, we present information on the verification of 5 assertions on the specification model. In both experiments, the boundaries of the cones on which the properties are checked are built using mapped latches (at this point, the equivalence of corresponding components of specification and implementation has already been proven using the verification properties). If verification fails because of a spurious counterexample, the cone is expanded and verification is rerun. The use of the (boundary) verification properties as assumptions is allowed in the experiment of Table 1 and not allowed in the experiment of Table 2. In both cases, a SAT-based initialization algorithm is used to weakly synchronize the cones [RH02]. Thus, the first experiment closely corresponds to post-reboot equivalence verification with respect to the post-reboot bisimulation defined by the stable decomposition employed in the equivalence verification. Since we weakly synchronize the cones before verifying the properties, the second experiment is only an approximation of proving WS ⇒ P, because the computed synchronization sequence may reset the cone into a proper subset of the ws-states. (We do not know how to prove WS ⇒ P for large FSMs.)
In the tables, we present the highest level of expansion iterations (EI), the size of the cones, the number of boundary properties (BP) used in assertion verification, and the runtimes. All properties in Table 1 are verified using a SAT-based model checker, whereas the same properties in Table 2 cannot be verified: some because the cones fail to weakly synchronize, and some because of the resulting spurious counterexamples. As expected, the use of boundary properties as assumptions helps confine verification to smaller cones.

Now let us turn to the question of verifying whether or not a sequence π is a ws-sequence for an FSM M. Since it is impossible to symbolically simulate [Jon02] a full-chip design, an over-approximation of the states into which a reboot sequence brings a design is computed using 3-valued simulation, often also called X-simulation [HC98]. At the beginning of simulation, all latch values are set to the X value, and all inputs except a few reset signals are simulated with X. Propagation of the reset signal values forces binary values onto most of the latches, and the first part of the reboot sequence ends as soon as a fix-point of the simulation is reached. The reboot sequence then continues to initialize counters, memory addresses, and other latches to specific values. To the best of our knowledge, no practical formal methods exist for checking whether the over-approximated set of states of a combined full-chip design M1 × M2, built as above using 3-valued simulation, is indeed a subset of the ws-states of M1 × M2. Such a method would involve model checking on a huge state space.
The above question is actually irrelevant for achieving compositional post-reboot equivalence verification. Suppose a stable decomposition D of M1 × M2 has been built. Let S be the 3-valued state obtained by simulating M1 × M2 with π starting from the all-X state, let OS be the set of (binary) states of M1 × M2 induced by S (latches with X values are assigned all possible binary value combinations), and let OS* denote the closure of OS under the transition relation. Then it is enough to prove that (π, OS*) is a PRB. The latter is a model-checking problem on the components of the decomposition (which are within the capacity of the model checker): for each component pair (A1,A2) of M1 × M2, the state pair (t1,t2) induced by any state of OS must be an equivalence state of A1 × A2, and the verification properties on the outputs of (A1,A2) must be valid for (t1,t2) and for any state pair reachable from it by any input sequence of (A1,A2) satisfying its input properties.
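As an added example (not the paper's own tooling), the following Python code runs the 3-valued reboot simulation described above on a constructed three-latch design: all latches start at X, a reset vector is held until the simulation reaches a fix-point, and a second phase then initializes a latch that reset does not touch. It also computes the exact set of states reachable from every binary power-up state (with X inputs ranging over both values), to show that the set OS induced by the 3-valued state is an over-approximation of it. The design, the latch and input names, and the reboot vectors are assumptions of the example.

```python
from itertools import product

X = "X"  # the unknown value of 3-valued (X) simulation


def not3(a):
    return X if a == X else 1 - a


def and3(a, b):
    if a == 0 or b == 0:
        return 0
    return X if X in (a, b) else 1


def or3(a, b):
    if a == 1 or b == 1:
        return 1
    return X if X in (a, b) else 0


def xor3(a, b):
    return or3(and3(a, not3(b)), and3(not3(a), b))


def mux3(sel, a, b):
    """sel ? a : b; an X select yields X unless both arms already agree."""
    if sel == 1:
        return a
    if sel == 0:
        return b
    return a if a == b else X


# Constructed toy design (an assumption of this example, not from the paper): a 2-bit
# counter (q0, q1) cleared by `rst` and advanced by `en`, plus a `mode` latch that no
# reset touches and that is only written, with the value on `din`, when `load` is asserted.
LATCHES = ("q0", "q1", "mode")
INPUTS = ("rst", "en", "load", "din")


def next_state(s, i):
    """Next-state functions of the latches; valid on binary values and on X."""
    return {
        "q0": mux3(i["rst"], 0, mux3(i["en"], not3(s["q0"]), s["q0"])),
        "q1": mux3(i["rst"], 0, mux3(i["en"], xor3(s["q0"], s["q1"]), s["q1"])),
        "mode": mux3(i["load"], i["din"], s["mode"]),
    }


def as_tuple(s):
    return tuple(s[l] for l in LATCHES)


def reset_phase(vec, limit=16):
    """Phase 1 of a reboot: hold the reset vector from the all-X state until X-simulation
    reaches a fix-point. Returns the 3-valued state and the number of cycles applied."""
    s = {l: X for l in LATCHES}
    for cycles in range(1, limit + 1):
        n = next_state(s, vec)
        if n == s:
            return s, cycles
        s = n
    raise RuntimeError("no fix-point within limit")


def simulate3(seq, start=None):
    """X-simulate an input sequence; returns the 3-valued state after the last vector."""
    s = dict(start) if start is not None else {l: X for l in LATCHES}
    for vec in seq:
        s = next_state(s, vec)
    return s


def concretize(d, keys):
    """All binary assignments of the X entries of d (keys fixes the order)."""
    xs = [k for k in keys if d[k] == X]
    for bits in product((0, 1), repeat=len(xs)):
        c = dict(d)
        c.update(zip(xs, bits))
        yield c


def induced_states(s3):
    """OS: the binary states induced by a 3-valued state."""
    return frozenset(as_tuple(c) for c in concretize(s3, LATCHES))


def exact_reached(seq):
    """States exactly reachable after `seq` from every binary power-up state, with X inputs
    ranging over both values; X-simulation over-approximates this set."""
    states = {as_tuple(c) for c in concretize({l: X for l in LATCHES}, LATCHES)}
    for vec in seq:
        nxt = set()
        for st in states:
            for v in concretize(vec, INPUTS):
                nxt.add(as_tuple(next_state(dict(zip(LATCHES, st)), v)))
        states = nxt
    return frozenset(states)


RESET = {"rst": 1, "en": X, "load": 0, "din": X}   # phase 1: only the reset pin is driven
FREE = {"rst": 0, "en": X, "load": 0, "din": X}    # reset released, enable unknown
INIT = {"rst": 0, "en": 0, "load": 1, "din": 0}    # phase 2: initialize `mode` explicitly

if __name__ == "__main__":
    s, n = reset_phase(RESET)
    print("after reset fix-point (%d cycles):" % n, as_tuple(s))
    print("after full reboot:", as_tuple(simulate3([INIT], s)))
    os_ = induced_states(simulate3([FREE, FREE], s))
    ex = exact_reached([RESET, FREE, FREE])
    print(len(os_), "induced states vs", len(ex), "exact; over-approximation:", ex <= os_)
```

After the reset fix-point the counter bits are binary but `mode` is still X, so OS has two states and the design is not yet in a single operation state; the second reboot phase drives OS to a singleton. Releasing reset with `en` at X instead makes X-simulation lose the correlation between q0 and q1 (8 induced states versus 6 exactly reachable), which is why OS, and hence OS*, must be checked as a PRB rather than assumed to be the exact post-reboot state set.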
Conclusions
We have proposed a new, finer formalism for modeling hardware: Hardware Machines, where the set of post-reboot operation states is a key component of the definition. This led us to introduce post-reboot equivalence, where, unlike in alignability equivalence, the operation states play an important role in the semantics. Indeed, we could refine alignability equivalence into a complete lattice of post-reboot bisimulations, and refine the homogeneous class of ws-sequences into an upper semi-lattice of reboot sequences. This new view of hardware also led us to a revision of the existing widespread equivalence concepts and of the way they are employed in practice. We gain a new insight into compositional hardware verification, where the construction of a set of operation states is a by-product of building a stable decomposition of the specification and implementation models. As a result of this revision, we were able to point to verification gaps in the existing methods and to propose a unified theory that bridges verification practice to the Hardware Machine formalism.
We have briefly touched on the subject of assertion verification for Hardware Machines, demonstrating that the shift from FSMs to Hardware Machines implies important differences in the semantics of temporal logic assertions. We presented experimental evidence on how such a change in assertion semantics affects assertion verification in practice. We leave it to future work to come up with a comprehensive assertion verification theory and methodology that will be fully aligned with compositional equivalence verification and reboot sequence verification.
For non-state-matching designs, there are too many options to decompose the design into sub-circuits, and, at present, building stable decompositions is semi-automatic: heuristic latch mapping algorithms are used to define decomposition to start with, and then abstraction refinement methods [CGP99] are used to adjust the sub-circuit boundaries and add properties. Defining a fully automatic algorithm for building stable decompositions is a challenging direction for future work.
