A functional approach for formalizing regular hardware structures by Eisenbiegler, Dirk et al.
A Functional Approach for Formalizing Regular
Hardware Structures
 
Dirk Eisenbiegler
 
 Klaus Schneider
 
and Ramayya Kumar

 
Universitat Karlsruhe Institut fur Rechnerentwurf und Fehlertoleranz
Prof D Schmid PO Box 	
 	 Karlsruhe Germany
emailschneideiraukade

Forschungszentrum Informatik HaidundNeustrae 
  Karlsruhe Germany
emailkumarfzide
Abstract An approach for formalizing hardware behaviour is presented
which is based on a small functional programming language called primitive
ML PML Since the basic constructs of PML are simply typed  terms
PML lends itself both to simulation and verication The semantics of PML
is formally embedded in higherorder logic
The formalization scheme is based on PMLfunctions that allow hardware
descriptions from the logical level up to the algorithmic level Besides de
scriptions of real circuits abstract forms of hardware descriptions can also
be dealt with in PML The main emphasis is thereby put on regular hard
ware structures which are described by means of primitive recursion PML
descriptions can easily be converted to syntactic structures called hardware
formulae which can then be veried by the MEPHISTO system
  Introduction
Embedding hardware description languages HDLs in a logic or some calculi is
essential for verication The semantics of such embedded HDLs which correspond
to certain formulae in the underlying formal framework can then be used to
  verify certain properties of an implementation
  prove equivalences of two or more implementations and
  perform correct HDLtoHDL translations
Existing HDLs such as VHDL and ELLA are very powerful and complex The ex
pressive power is an advantage for circuit design but their semantics are not formally
dened due to their complexity Formalizing the semantics of a HDL means bridging
the gap between a high level design language and the simpler elements of the logic
or a particular calculus
Functional HDLs such as ELLA are rather close to logic Those elements which
consist exclusively of  terms can be converted to higherorder logic almost un
changed In contrast to functional languages procedural languages are more di	cult
to be formalized due to their operational semantics For every basic instruction it
 
This work has been partly nanced by a german national grant project Automated
System Design SFB No	
must be described how the execution of the instruction changes the global state
The e
ect of compound instructions must be derived from the e
ect of the basic
instructions and the control structures
There are several research projects about formalizing existing HDLs in higher
order logic BGGH BGHT CaGM or other calculi Hunt BoPS In
contrast to these projects the startingpoint of the approach presented in this paper
is not a given HDL Instead a simple functional language called primitive ML PML
is built on top of the logic such that its semantics is given right away PML will be
the basis for hardware descriptions It can be regarded as a common sublanguage
of HOL and ML gure   its syntax is similar to ML and every construct has a
HOL ML
 

PML
Fig  Relation between HOL ML and PML
corresponding representation in HOL The embedding of PML has been done in a
shallow manner BGGH However both PMLterms and the corresponding HOL
terms are simply typed  terms and there are only very small syntactical di
erences
which could simply be overcome by prettyprinting
Relational descriptions are frequently used for formalizing circuits ie input and
output signals need not be distinguished and signals can a
ect each other in an
arbitrary manner However relational circuit descriptions can be ambiguous or even
contradictory In contrast circuits are described in PML in a functional manner ie
circuits are represented by functions mapping input signals onto output signals
PML cannot be viewed as a hardware description language such as VHDL but as
a general purpose programming language we use for describing hardware In contrast
to VHDL PML has no hardware specic syntactic elements such as signals interfaces
and timing declarations PML programmes can merely describe primitive recursive
and recursive functions and these functions can be regarded as a representation
of the corresponding hardware
In our hardware formalization scheme we will describe two kinds of PMLfunc
tions ones that represent single real circuits and others that describe sets of real
circuits Functions representing exactly one real circuit are called concrete circuits
and functions describing a set of real circuits are called abstract circuits Abstract
circuits do not represent real circuits but correspond to a scheme for describing
regular hardware structures Concrete circuits can be derived from abstract circuits
by type instantiation and variable substitution
In this paper only the formalization of circuits is described PML can be viewed
as a more abstract layer for MEPHISTO KuSK ScKKc The verication of
descriptions using PML is achieved by converting them into formulae which can be
handled by MEPHISTO
After having given a description of PML in section  concrete and abstract
circuits are formalized in section  and  respectively Finally we briey discuss the
use of PML in simulation and verication in section 
 Syntax and Semantics of PML
PML is a sublanguage of ML gure  The syntax is similar but there are less
syntactical constructs  for example there are no exceptions and no side e
ects
Furthermore data types in PML correspond to HOLstyle data types and therefore
they are weaker than ML data types Gunt Although PML has only a small
number of basic elements arbitrary recursive functions can be expressed by PML
functions ie PML is Turingcomplete
 Data Types and Primitive Recursion
In PML only HOLstyle data types are allowed For a detailed explanation of data
types in HOL and the mechanism for dening them see Melh The syntax of a
PML data type declaration is as follows
primitivedatatype string 
The parameter string denes the data type by giving the name of the type the
names of the constructors and the types of their arguments The syntax is the same
as in the HOL function dene type eg
primitivedatatype  bool  T  F  
primitivedatatype  num  Zero  Suc of num  
The semantics of HOLstyle data types is described by a theorem which states that
the primitive recursion over this type is unambiguous In HOL this theorem is de
rived whenever a new data type is introduced by dene type A data type declaration
in PML also introduces a basic function named PRIMREC type which is generated
automatically PRIMREC type is derived from the semantics of the data type and it
can be used for expressing primitive recursion over that data type For example the
data types num and bool lead to the functions PRIMREC bool and PRIMREC num
respectively They have the following semantics
PRIMREC bool T a b  a
PRIMREC bool F a b  b
PRIMREC num Zero a f  a
PRIMREC num Suc n a f  f n PRIMREC num n a f
Arbitrary primitive recursive functions can be expressed by constant denitions
based on PRIMRECfunctions
 Derived Functions
As in ML functions and constants can be added by the language constructs fun and
val respectively However function and constant denitions in PML both correspond
to constant denitions in HOL Therefore function and constant denitions of PML
are less powerful than those in ML The restrictions are
  There must be only one equation within a fun or val denition eg
fun is zero   T j is zeroSuc n  F is not a valid PML denition
  The parameters on the left hand side of the equation may only be variables and
paired variables eg val Suc n  y is not allowed
  The expressions on the right hand side are built up by function applications
f a and  abstractions fn x  a The only basic functions are PRIMREC
functions and WHILE WHILE will be introduced later in section 
  The function being dened must not appear on the right hand side of the equa
tion eg fun odd n  PRIMREC num n F fn a  fn b  notodd a is
not a valid PML denition Recursion can always be expressed by equivalent
denitions which use PRIMRECfunctions and WHILE
  There is no exception handling
  case   of    has not yet been implemented
 Predened Data Types
Some data types are already dened in order to support prettyprinting for them
For example it is possible to write  instead of SucSuc Zero However there is no
prettyprinting for user dened types The predened data types are
 
primitivedatatype  bool  T  F  
primitivedatatype  prod  Comma of a  b  
primitivedatatype  list  Nil  Cons of a  list  
primitivedatatype  num  Zero  Suc of num  
The following syntactic sugar refers to the predened types They can all be put
down to expressions based on data type constructors and PRIMRECfunctions
  a b may be used instead of Comma a b
  fn x y  px y may be used instead of
fn z  PRIMREC prod z fn x  fn y  px y
  let val x  p in qx end may be used instead of fn x  qx p
  numerals      may be used instead of Zero Suc Zero SucSuc Zero   
    a a b   may be used instead of Nil Cons a Nil Cons a Cons b Nil  
 Example
We illustrate the use of the language constructs by a tra	c light controller First a
new data type named state is dened which represents the states of the tra	c light
primitivedatatype  state  Green  Yellow  Red  
This type declaration automatically introduces the function PRIMREC state with
the following semantics
PRIMREC state Green a b c  a
PRIMREC state Yellow a b c  b
PRIMREC state Red a b c  c
 
In PML type variables are expressed by  a  b  c etc whereas the corresponding type
variables in HOL are expressed by    etc It should be noted that the polymorphism
in PML corresponds to that of HOL only
A constant named init containing the initial state Red can be dened as
val init  Red
The function next takes a state as parameter and calculates the successor state In
this simple tra	c light controller the state changes from red directly to green but
changes from green to red via yellow
fun next x  PRIMRECstate x Yellow Red Green
Figure  shows the entire programme and the corresponding HOLformula describing
its semantics
PMLProgram
primitive datatype
state  Green  Yellow  Red
val init  Red
fun next x 
PRIMREC state x Yellow Red Green
Semantics
 a b c 
 
g
g Green  a  g Yellow b 
g Red  c  
 a b c
PRIMREC state Green a b c  a 
PRIMREC state Yellow a b c  b 
PRIMREC state Red a b c  c  
init Red 
 x next x 
PRIMREC state x Yellow Red Green 
Fig  Trac light programme
   Recursion
According to Churchs Thesis there are several equivalent schemes for describ
ing computable functions recursive functions are one means for describing com
putable functions With the elements described until now only primitive recursive
functions can be described while recursive functions cannot Primitive recursive
functions are su	cient for describing hardware implementations but they are too
weak for formalizing algorithmic specications Previous work such as the approaches
followed by the BoyerMoore community are limited to primitive recursive speci
cations that cannot express all kinds of algorithms
Unlike primitive recursive functions recursive functions need not be total In
ML it is possible that the evaluation of a function application does not terminate The
equations of anML function denition can be considered as a constant specication in
HOL where the specied function need not be described unambiguously ie nothing
can be said about the value of a function application where the evaluation does not
terminate In contrast to ML the result of a PML function always has an explicitly
dened value even if the function application does not terminate In this case the
value of the function is explicitly dened to be the constant Undened otherwise
the result is Dened y for a certain y The data type partial is used for describing
values of recursive functions
primitivedatatype  partial  Defined of a  Undefined  
The corresponding function PRIMREC partial has the following semantics
PRIMREC partial Dened x f a  f x
PRIMREC partial Undened f a  a
The function WHILE is the basis for recursion in PML and can be used to create
loops Given functions f and g and a parameter x it iterates f until a value x is
reached with g x  F
 iota f  PRIMREC bool 
 
f Dened f Undened
 terminatesf n  f n  m m  n  f m
 mu f  iota m terminatesfm
 power f n x 
PRIMREC num n Dened x  a bPRIMREC partial b f Undened
 WHILE g f x 
PRIMREC partial
mu nPRIMREC partial power f n x
 yPRIMREC bool g y F T F
 n power f n x
Undened
The semantics ofWHILE is described using four auxiliary constants iota terminates
mu and power The function iota resembles the Hilbert operator But in contrast
to the Hilbert operator its value is Dened y in case the predicate species a
unique value and Undened if it does not The predicate terminatesf n states that
n is the smallest number such that f n becomes true mu is a formalization of the
operator where mu f  Undened corresponds to f

and mu f  Dened k
corresponds to f  k The function power computes the multiple application
of a function ie power f n x computes f
n
x The expression WHILE g f x
calculates f
ngf
n
xF
x

	 Example
The tra	c light example of section  is extended by a recursive function red time
red time is calculating the next time when the tra	c light becomes red The tra	c
light is described by a function f
num state
 that is assigning a state to every time
For a given function f
num state
and a time t
num
 the function red time calculates
the smallest n	 t with f n  Red
Figure  shows an implementation in PML in comparison with an implementation
in ML The implementations in PML and ML are not really equivalent since their
types di
er In PML the result of red time has the type num partial whereas in ML
it is num

f is the smallest element of ffx  TjxNg and f denotes that ffx  TjxNg
is empty

Extending primitive recursive functions by WHILE is equivalent to the extension by
the operator ie both extensions lead to computable functions However WHILE
expressions can be evaluated more eciently by an interpreter than expressions using
the operator
PMLImplementation
fun is not red x 
PRIMREC state x T T F
fun red time f t 
WHILE
fn n  is not redf n
fn n  DefinedSuc n
t
MLImplementation
fun red time f t 
if f t  Red then
t
else
red time f Suc t
Fig  Implementations of red time
 Concrete Circuits
The functions described in this section are called concrete circuits since each of
them corresponds to exactly one real circuit A concrete circuit is represented by
a function that assigns an input signal onto an output signal Hardware structures
are build up by function denitions Expressing a structure by a function denition
is possible if and only if the structure does not have cycles Since structures of
sequential circuits essentially have cycles sequential circuits are represented by a
triple consisting of a combinational transient circuit a combinational output circuit
and an initial state Instead of combining sequential circuits directly their transient
circuits output circuits and initial states are combined
 Combinational Circuits
Individual signals of combinational circuits have type bool Other than individual
signals can be obtained by pairing individual signals Combinational circuits are
represented by functions assigning an input signal to an output signal Figure 
shows a bit fulladder implemented by the circuits and or and xor
and
xor
xor
and
or
a
r
b
r
cin
r
w
w
r
sum
w
cout
fun fulladder cin	a	b 
let val w
  xora	b in
let val w  andb	a in
let val sum  xorcin	w
 in
let val w  andcin	w
 in
let val cout  orw	w in
sum	cout
end end end end end
Fig  Structure of a bit fulladder and the PML representation
 Sequential Circuits
The signals of sequential circuits are time dependent Their type is num
  where
the type num represents the discrete time and  is the type of a time independent
signal Sequential circuits map time dependent input signals onto time dependent
output signals thus they have the following type num
 	 
 num
 

The description style used for combinational circuits does not allow cycles which
are necessary for sequential circuits In order to use this scheme also for sequential
circuits we dene a sequential circuit by a triple f g q consisting of a combina
tional transient circuit f  a combinational output circuit g and an initial state q
Thus sequential structures can be expressed by interconnecting combinational cir
cuits Since structures of Mealy machines might lead to zerodelaycycles in this
paper only Moore circuits will be considered see gure 
f
memory g
r
Fig  Scheme of a Moore circuit
A function named makeseq is introduced which computes a sequential circuit for
a given triple f g q makeseq can be dened by the equations below The func
tion denition given by these equations does not have the form of a PML function
denition It can rather be regarded as a MLstyle function denition or a constant
specication in HOL These equations describe the desired properties of the intended
PML function in a clearer manner
makeseq f g q a   f q
makeseq f g q a Suc t  makeseq f g ga t q  t aSuc t t
The corresponding implementation in PML
fun makeseq 	f
g
q a t 
f 	PRIMRECnum t q 	fn n  fn r  g	a n
r
It shall be demonstrated how structures of sequential circuits can be described in
PML by function denitions Figure  shows an example for a structure consisting
A
B
C
x
y
z
w

w
w
w
fun fD qa	qb	qc 
let val z	w  fB qb in z end
fun gD x	y	qa	qb	qc 
let val w
	z	w	w	w 
fA qa	fB qb	fC qc
in
gAx	w	gBw
	w	gCw	y
end
val qD  qA	qB	qC
Fig  Structure of a sequential circuit and the PML representation
of three sequential circuits A B and C The circuits A B and C are represented by
fA gA qA fB gB qB and fC gC qC The entire circuit is called D and its triple
fD gD qD can directly be extracted from the structure
 Abstract Circuits
In the previous section functions were used for describing single real circuits In
contrast to concrete circuits abstract circuits represent sets of concrete circuits
and are therefore more powerful than concrete circuits Similar to concrete circuits
abstract circuits can also be represented by PMLfunctions Abstract circuits can be
polymorphic and allow parameters which have types that are not restricted to pairs
eg lists and trees may be used for instance Concrete circuits can be obtained
from abstract circuits by type instantiation and variable substitution
The function mux is an example for an abstract circuit
fun mux		sbool
	aa
	ba  PRIMRECbool s b a
Concrete circuits can be derived from mux by instantiating the type variable 	 	
is expressed by a within the PML syntax Figure  shows two instances of mux
mux
bool
mux
bool
boolbool
boolbool
boolbool
bool
bool
bool
mux
P
P
P
P
q
 boolbool





  bool
Fig 	 Instances of a polymorphic multiplexer
Abstract circuits are used for formalizing regular hardware structures which can
f



f
f
Fig 
 Regular circuit
be expressed by means of primitive recursion In general
regular circuit structures lead to regular signal struc
tures If for example a structure is described that con
sists of n combinational circuits connected in parallel
then it would be appropriate to use the type list for
grouping together the input and the output signals
The structure of the input signal determines the struc
ture of the circuit and the structure of the output signal
Grouping signals together by recursive types such as list
is exible since the structure of the signals and espe
cially the number of the individual signals depends on the value
Other types than list can be used for grouping signals In the next example
signals are grouped together by a list and a binary tree
primitivedatatype list  Nil  Cons of a  list
primitivedatatype btree  Bleaf of a  Bnode of btree  btree
The semantics of the corresponding PRIMRECfunctions is
PRIMREC list Nil a f  a
PRIMREC list Cons x y a f  f x y PRIMREC list y a f
PRIMREC btree Bleaf x f g  f x
PRIMREC btree Bnode x y f g 
g x y PRIMREC btree x f g PRIMREC btree y f g
The input of the 
n
multiplexer consists of a group of data inputs and an
address signal for selecting one of the data inputs The data input signals have an
arbitrary type 	 and they are grouped together as 	btree The address signals are
represented by a list of booleans see gure 
 















 btree
z  
bool list
mux
mux
r
mux
r



mux
r






mux

Fig  
n
multiplexer
The structure of the 
n
multiplexer depends on the structure of the input
signals ie it depends on the length of the boolean list and it also depends on
the shape of the binary tree The PML function representing the 
n
multiplexer
function is total and so the 
n
multiplexer has to be designed for arbitrary lists
and arbitrary binary trees even though after instantiation the binary tree has a
constant depth which is equal to the length of the list
Figure  illustrates how the the structure of the 
n
multiplexer bmux is de
ned For a given structure of the input signals a circuit structure describes how
the 
n
multiplexer can recursively be put down to other 
n
multiplexers having
smaller input structures in the sense of a canonical termordering
The following equations give a formal denition of the description in gure  The
equations correspond to the circuit structures of the gure in a onetoone manner
bmuxxBleaf a  a
bmuxNilBnode b c  bmuxNil b
bmuxCons h tBnode b c  muxh bmuxt b bmuxt c
Obviously bmux is a primitive recursive function but these equations cannot directly
be used for the PML implementation To implement bmux in PML the denition has
to be transformed the interlocking primitive recursions over list and btree have to
be broken up
bmuxxBleaf a  a
bmuxNilBnode b c  bmuxNil b
bmuxCons h tBnode b c  muxh bmuxt b bmuxt c

bmux
y
x
z
y  Bleaf a






y  Bnode b c
x  Nil
Q
Q
Q
Q
Qs
x  Cons h t





Q
Q
Q
Q
Q
Qs
a z
x
bmux
z
b
c
Nil
bmux
bmux
mux z
c
b
t
h
r
Fig  Recursive description of the structure of the 
n
multiplexer
bmuxNilBleaf a  a
bmuxNilBnode b c  bmuxNil b
bmuxCons h tBleaf a  a
bmuxCons h tBnode b c  muxh bmuxt b bmuxt c

bmuxNil y  PRIMREC btree y   a a   a b v w v
bmuxCons h t y  PRIMREC btree y   a a
  a b v wmuxh bmuxt v bmuxt w

bmuxx y  PRIMREC list x
  s PRIMREC btree s   a a   a b v w v
 h t r s
PRIMREC btree s   a a   b c v wmuxh r b r c 
y
The corresponding implementation in PML is
fun bmux 	x
	ya btree 
PRIMREClist x
	fn s 
PRIMRECbtree s 	fn a  a
	fn a  fn b  fn v  fn w  v 
	fn h  fn t  fn r  fn s 
PRIMRECbtree s 	fn a  a
	fn b  fn c  fn v  fn w  mux	h
r b
r c 
y
Up to now merely regular structures of combinational circuits were considered Reg
ular structures of sequential circuits can also be described since sequential circuits
can be put down to combinational circuits Figure  shows a regular structure
A A
  
A
 z 
n
Fig  A series of Moore circuits
based on a Moore circuit called A The function series has been implemented in
PML It takes A and n as parameters and calculates the entire circuit as shown in
gure  Both the parameter A and the result of the function application are Moore
circuits that are represented by the triple as described in the previous section
 Simulation and Verication
 An Interpreter for PML
PML programmes can simply be executed by a ML interpreter however the ML
environment has to be extended by some functions and data types The type dec
laration construct primitive datatype has to be implemented as a MLfunction the
predened data types of PML have to be declared and the function WHILE has to
be implemented
As all PML programmes are also ML programmes and the extended ML inter
preter still accepts ML programmes it is not tested whether the input is a PML
programme or more general a ML programme
 Simulation Tools
Some general tools for simulating circuits have been implemented in the extended
ML interpreter These tools are not PML functions but they take PML functions
which describe circuits as arguments Moreover they display values of output signals
during the simulation of combinational and sequential circuits
For this reason output functions called type to string have been implemented
for all predened data types These output functions convert a value of a certain
PML type to a string When a new data type is added a corresponding output
function should also be implemented Output functions are used as parameters of
the following simulation tools
A function called function table has been implemented for combinational circuits
for performing the simulation and displaying the results as a table
Sequential circuits that are represented by triples f g q could be simulated
using the function makeseq However if the output is considered over a period
the use of make seq would be very ine	cient because for every single output the
calculation would start from the beginning The simulation function for sequential
circuits that has been implemented does not have this disadvantage The circuit is
simulated only once until the last point of time of the considered period is reached
The parameters for a sequential simulation are the circuit represented by f g q 
a time dependent input signal a condition for terminating the simulation and an
output function for converting the circuits output to a string
 Verication
A function called extend theory by pml is implemented for converting a PML pro
gramme to HOL Some tools are provided for reasoning about PML functions They
are concerned with extending constant abbreviations evaluation and induction
For concrete circuits and some classes of abstract circuits a more direct approach
for verication is used The PMLterms can be converted into certain formulae
called hardwareformulae ScKKc which can be automatically veried within
the MEPHISTO system KuSK see gure  Thus PML descriptions can also
be used as a frontend specication language within this verication framework
fun fulladder cinab 
let val w  xorab in
let val w  andba in
let val sum  xorcinw in
let val w  andcinw in
let val cout  orww in
sumcout
end end end end end
 
 cin a b sumcout
fulladdercin a b sum cout 
www
xora bw 
andb a w 
xorcinw sum 
andcinww 
orw w cout
Fig  Converting PML circuit descriptions to hardwareformulae
 Conclusion and Future Work
We have presented a general purpose programming language that is formally em
bedded in higherorder logic and we have also demonstrated how this language can
be used for formalizing both combinational and sequential circuits The main em
phasis has been put on demonstrating how regularity can be expressed by means of
primitive recursion
PML is a very simple language and writing PML programmes can be rather tough
since all function denitions have to be broken up to the primitive recursion and
recursion constructs It is intended to improve the applicability of PML by adding
a more comfortable MLstyle mechanism for expressing recursive functions
In future research it shall be analyzed how PML descriptions of circuits can be
used for hardware design PML descriptions shall be used in several elds veri
cation simulation symbolic simulation synthesis and optimization HDLtoHDL
transformations
References
BGGH R Boulton A Gordon M Gordon J Herbert and J van Tassel Experiences
with Embedding hardware description languages in HOL In V Stavridou
TF Melham and R Boute editors Conference on Theorem Provers in Circuit
Design IFIP Transactions A
 pages  NorthHolland 
BGHT R Boulton M Gordon J Herbert and J van Tassel The HOL verication of
ELLA designs In International Workshop on Formal Methods in VLSI Design
January 
BoPS D Borrione L Pierre and A Salem Formal verication of VHDL descriptions
in BoyerMoore First results In J Mermet editor VDHL for Simulation
Synthesis and Formal Proofs of Hardware pages  Kluwer Academic
Press 
CaGM	 A Camilleri MJC Gordon and Th Melham Hardware verication using
higher order logic In D Borrione editor From HDL Descriptions to Guaran
teed Correct Circuit Designs pages  NorthHolland 	
Cami		 J Camilleri Executing behavioural denitions in higher order logic Technical
Report 
 University of Cambridge Computer Laboratory 		
Cami J Camilleri Symbolic compilation and execution of programs by proof a case
study in HOL Technical Report 
 University of Cambridge Computer Lab
oratory 
Gunt E Gunter Why we cant have SMLstyle datatype declarations in HOL In
LJM Claesen and MJC Gordon editors Higher Order Logic Theorem Prov
ing and its Applications volume A
 of IFIP Transactions pages 	
Leuven Belgium  NorthHolland
Hunt	 WA Hunt The mechanical verication of a microprocessor design In
D Borrione editor From HDL Descriptions to Guaranteed Correct Circuit De
signs pages 	 NorthHolland 	
Jone	 SLP Jones The Implementation of Functional Programming Languages
Prentice Hall 	
KuSK R Kumar K Schneider and Th Kropf Structuring and automating hard
ware proofs in a higherorder theoremproving environment Journal of Formal
Methods in System Design  
Melh		 T F Melham Automating recursive type denitions in higher order logic
Technical Report  University of Cambridge Computer Laboratory Septem
ber 		
ScKKc K Schneider R Kumar and Th Kropf Eliminating higherorder quanitifers
to obtain decision procedures for hardware verication In International Work
shop on HigherOrder Logic Theorem Proving and its Applications Vancouver
Canada August 
Shee		 M Sheeran Retiming and slowdown in Ruby In GJ Milne editor The fu
sion of Hardware Design and Verication pages 	
	 Glasgow 		 North
Holland
This article was processed using the L
a
T
E
X macro package with LLNCS style
