Formal Verification of Flow Equivalence in Desynchronized Designs by Paykin, Jennifer et al.
Formal Verification of Flow Equivalence in
Desynchronized Designs
Jennifer Paykin,∗ Brian Huffman,∗ Daniel M. Zimmerman,∗ Peter A. Beerel∗†
∗Galois, Inc, Portland, OR, USA
†Ming Hsieh Department of Electrical and Computer Engineering, USC, Los Angeles, CA, USA
{jpaykin,huffman,dmz}@galois.com, pabeerel@usc.edu
Abstract—Seminal work by Cortadella, Kondratyev,
Lavagno, and Sotiriou includes a hand-written proof that
a particular handshaking protocol preserves flow equiva-
lence, a notion of equivalence between synchronous latch-
based specifications and their desynchronized bundled-data
asynchronous implementations. In this work we identify
a counterexample to Cortadella et al.’s proof illustrating
how their protocol can in fact lead to a violation of flow
equivalence. However, two of the less concurrent protocols
identified in their paper do preserve flow equivalence.
To verify this fact, we formalize flow equivalence in the
Coq proof assistant and provide mechanized, machine-
checkable proofs of our results.
I. INTRODUCTION
Desynchronization is a popular strategy for design-
ing bundled-data (BD) asynchronous latch-based designs
from a synchronous RTL specification. In a desynchro-
nized design, master/slave latches are driven by local
clocks controlled by specific classes of asynchronous
controllers [1]. Because BD latch-based designs are
susceptible to subtle timing assumptions, it is important
to ensure that desynchronization preserves the functional
behavior of the circuit. Le Guernic et al. [2] propose
flow equivalence as a property characterizing when two
circuits, either synchronous or asynchronous, have the
same functional behavior. Cortadella et al. [1] provide a
hand-written proof that a highly concurrent desynchro-
nization controller preserves flow equivalence, and use
that result to claim that two less concurrent controllers,
called rise-decoupled and fall-decoupled, also preserve
flow equivalence.
We identify a subtle flaw in Cortadella et al.’s proof
and provide a counterexample showing that the pro-
posed desynchronization controller fails to guarantee
flow equivalence. Subtle errors in hand-written proofs
are easy to overlook, as evidenced by the wide accep-
tance of Cortadella et al.’s results.
To ensure that our results are correct, we formalize
flow equivalence in the higher-order interactive theorem
prover Coq [3], which codifies high-level mathematics
(such as induction, case analysis, functions, and rela-
tions) in a machine-checkable system. In particular, we
show that the core ideas of Cortadella et al.’s work are
sound by adapting their flow equivalence proof to the
less concurrent fall- and rise-decoupled controllers.
This work illustrates the benefits of applying formal
methods to asynchronous design. Other formal tech-
niques in the literature range from verification of hazard-
freedom (e.g., [4]) and deadlock-freedom (e.g., [5]),
to more general notions of equivalence between gate
level implementations, handshaking-level specifications
[6–9], and abstract asynchronous communication primi-
tives [10]. Several researchers focus on verifying general
properties of asynchronous designs using model checkers
[11–13] and proof assistants, including ACL2 [14, 15].
This paper makes several key contributions. Section II
describes a counterexample to Cortadella et al.’s hand-
written proof in the form of a timing diagram that
satisfies the desynchronization protocol but violates flow
equivalence, motivating our formal analysis. Section III
formalizes the definition of flow equivalence as well
as the marked graph specification of the proposed con-
trollers, and Section IV presents Coq proofs that the
rise-decoupled and fall-decoupled controllers guarantee
flow equivalence.1 Finally, Section V describes some
directions for future research, including extending the
formalization to Cortadella et al.’s liveness results.
II. COUNTEREXAMPLE
Cortadella et al.’s desynchronization protocol [1] de-
fines a set of requirements for asynchronous controllers
of a latch-based circuit. In this section we demonstrate
that the desynchronization protocol fails to preserve flow
equivalence in general; we give a circuit and a set of
clock traces that is valid according to the protocol, but
1All Coq definitions and proofs can be found in our formal-
ization available at https://github.com/GaloisInc/Coq-
Flow-Equivalence.
ar
X
iv
:2
00
4.
10
65
5v
1 
 [c
s.L
O]
  6
 A
pr
 20
20
AB
C
a0 a1 a2 a3
b1 b2 b3
c0 c1 c2 c3
Fig. 1: Three-stage pipeline with synchronous timing. Arrows indicate
timing constraints of the desynchronized protocol.
A
B
C
a0 a1 a2 a3
b1 b2 b3
c0 c1 c3
Fig. 2: Asynchronous circuit timing that obeys the desynchronized
protocol, but violates flow equivalence.
produces different outputs than the synchronous version
of the same circuit.
Consider a three-stage linear pipeline with latches
A, B, and C. Latches A and C are even, and have
valid initial values a0 and c0; latch B is odd, and
is uninitialized. When driven synchronously, values for
cycle n are produced for odd latches first, followed by
even latches. For n > 0 we have bn = FB(an−1)
and cn = FC(bn), where FB and FC represent the
combinational logic before each latch (Figure 1).
The dashed arrows in Figure 1 indicate the tim-
ing constraints of the desynchronized protocol, derived
from Cortadella et al.’s marked graph specification;
asynchronous controllers are allowed to shift the clock
transitions arbitrarily forward and backward in time, as
long as those constraints are preserved.2 We construct a
counterexample by delaying the first transitions for latch
A as long as possible (Figure 2).
Two circuits are flow-equivalent if the sequences of
values stored at their corresponding latches are identical.
The trace of values on latch C in Figure 2 violates flow
equivalence: instead of [c0, c1, c2, c3], the asynchronous
circuit latches [c0, c1, c1, c3]. Crucially, the second clock
pulse of C ends before the first pulse of A begins. At this
2Figure 1 and Cortadella et al.’s proof both assume that all latches
start opaque, contrary to the convention used later in this paper (e.g.,
Figure 4), where odd latches start transparent. It is straightforward to
show that these initial states are mutually reachable from each other
in the marked graph protocols.
point C should have latched c2, but c2 has a transitive
data dependency on a1, which is not yet available.
The error in Cortadella et al.’s proof arises from a
subtle misuse of its induction hypothesis. The proof
states that, immediately before the second fall of an
even latch’s clock (C), its predecessor’s clock (B) must
have risen twice, and therefore the induction hypothesis
implies that B has the value b2. This is not guaranteed;
the induction hypothesis only applies after B− occurs.
It appears that the proof assumes that B’s new value is
available as soon as B+ occurs, which, as our coun-
terexample shows, is not necessarily the case.3
The proof contains a similar statement about even
predecessors of odd latches, and it is easy to construct
a counterexample to illustrate that case. More complex
configurations, including cycles, also give rise to coun-
terexamples.
III. FORMALIZING FLOW EQUIVALENCE
In this section we formalize the definition of flow
equivalence in the Coq proof assistant in a way that is
amenable to verification later on. Each Coq definition
automatically generates an induction principle reflecting
the definition’s structure, so different definitions can
make proofs easier or harder. Though there are many
possible definitions of flow equivalence, the one we
present here yields concise and elegant proofs.
Coq is a dependently-typed functional programming
language and interactive proof assistant that has been
used both to prove significant mathematical theo-
rems [16] and to verify the correctness of realistic soft-
ware systems [17]. Proof engineers interactively write
proof scripts to prove theorems in Coq, from which
the system produces a proof term that the Coq kernel
can check for validity. Because the kernel is small and
trustworthy, the proof scripts used to generate proof
terms can be arbitrarily complex and the user can still
have confidence that their proof is correct.
We develop the definition of flow equivalence in
several stages, illustrating Coq syntax along the way.
The resulting formalization could almost certainly be
replicated in other provers such as ACL2, Isabelle, or F ∗,
but Coq’s interactivity, scriptability, and rich inductive
definitions were particularly useful in this development.
A. Synchronous execution semantics
We first define the synchronous execution of a circuit.
Like Cortadella et al., we model circuits with master-
3In fact, the invariant that a new value is always available as soon
as a latch becomes transparent is true for the less concurrent fall-
decoupled controller, but not for the rise-decoupled or desynchroniza-
tion controllers, as detailed in Section IV.
2
slave latches obtained by decoupling D flip-flops; every
latch is either even (master) or odd (slave), and neigh-
boring latches must have opposite parities.
Let even be a set of even latches and let odd be
a set of odd latches. We define the type latch of all
latches to be made up of both even and odd latches—
mathematically, the disjoint union of odd and even.
Inductive latch := Odd : odd → latch
| Even : even → latch.
In the Coq code, the keyword Inductive indicates that
latch is defined by its constructors, Odd and Even. Odd
is a function of type odd → latch, so takes an argument
drawn from the set odd, and produces a latch.
A state relative to a type A is a function from A to
values, which are either numbers or undefined.
Inductive val := Num : N → val | X : val.
Definition state (A : Type) := A → val.
Definition 1 (Circuits). A circuit consists of lists of
neighboring even-odd and odd-even latches, as well
as, for each latch, a function that computes its value
from the values of its left neighbors. Like Cortadella
et al., we model only closed circuits and assume that
combinational blocks and latches have zero delay. Any
open circuit can be combined with a model of the
environment to obtain a closed circuit.
Record circuit :=
{ eo_nbrs : list (even * odd)
; oe_nbrs : list (odd * even)
; next_e (E : even) :
state {O : odd & In (O,E) oe_nbrs} → val
; next_o (O : odd) :
state {E : even & In (E,O) eo_nbrs} → val}.
The Record syntax defines a data type with a col-
lection of functions out of that data type. The circuit
record has four such functions: eo_nbrs and oe_nbrs
are functions from a circuit to lists of its even-odd and
odd-even neighbors, respectively; next_e is a function
from a circuit, an even latch E, and a state of the
odd left neighbors of E to the next state of E; next_o
is similar to next_e, but for odd latches.
In the Record, the notation {x : A & P(x)} restricts
the type A to those elements satisfying the predicate P.
For example, the next_e function takes as input a state
restricted to the odd latches O satisfying the predicate
In (O, E) oe_nbrs, where In a ls indicates that the
element a occurs in the list ls.
When a latch l can be either even or odd, we write
next(c, st, l) for the corresponding next-state function.
Definition 2 (Synchronous Execution). The syn-
chronous execution of a circuit c is a function from the
initial state st0 of the circuit to the state at its nth clock
cycle. In this paper, odd latches update first each clock
cycle, followed by even latches.4 That is:5
sync(c, st0, n)(l) =
st0(l) if n = 0 ∧ l is even
X if n = 0 ∧ l is odd
next(c, sync(c, st0, n), l) if n > 0 ∧ l is even
next(c, sync(c, st0, n− 1), l) if n > 0 ∧ l is odd
B. Asynchronous execution semantics
Next, we describe how such a circuit can be ex-
ecuted asynchronously by replacing the shared clock
with a series of local clocks controlled by bundled
data controllers. This section describes the asynchronous
execution semantics with respect to sequences of rising
and falling transitions of the local clocks. The allowable
sequences are constrained by controller specifications
described in Section III-C.
Definition 3 (Events and Traces). An event e is the rise
(written l+) or fall (written l−) of a latch l. A trace is a
list of events—rises and falls of a latch’s clock. When a
latch’s clock rises, the latch becomes transparent; when
it falls, the latch becomes opaque.
Inductive event := Rise : latch → event
| Fall : latch → event.
Definition trace := tail_list event.
A tail_list is either empty, denoted t_empty, or
is an element a appended onto another tail_list t,
denoted t . a.
Definition 4 (Transparency). A transparency charac-
terizes whether a latch is transparent or opaque at a
particular point.
Inductive transparency := Transparent | Opaque.
4Without loss of generality, this ordering could be reversed so that
even latches update first; the initial markings of the protocols in
Figure 4 would need to be updated to reflect that convention.
5Note that this definition is well-founded: the values of even latches
at time n > 0 depend on the values of their odd predecessors at time
n, which themselves depend on the values of their even predecessors
at time n− 1.
3
The function latch_transp computes the transparency
of a latch l after executing a trace t.
latch_transp(t, l) =
Transparent if t = t_empty ∧ l is odd
Opaque if t = t_empty ∧ l is even
Transparent if t = t′ . l+
Opaque if t = t′ . l−
latch_transp(t′, l) if t = t′ . e otherwise
Definition 5 (Asynchronous Execution). Given an ini-
tial state st0, the asynchronous execution of a trace t
on a circuit c is defined by a 5-ary relation, for which
we introduce the syntax 〈c, st0〉 ` t ↓ l 7→ v. Here, l is
a latch and v is the value of l after executing t. When
this relation holds of a 5-tuple, we say that l evaluates
to v by means of t:
• If l is transparent in t and for all left neighbors l′ of
l it is the case that 〈c, st0〉 ` t ↓ l′ 7→ st(l′), then
〈c, st0〉 ` t ↓ l 7→ next(c, st, l).
• If l is opaque in t and t is the empty list, then
〈c, st0〉 ` t_empty ↓ l 7→ st0(l).
• If l is opaque in t and t = t′ .e such that e 6= l−, then
〈c, st0〉 ` t′ ↓ l 7→ v implies 〈c, st0〉 ` t′ . e ↓ l 7→ v.
• Finally, if t = t′ . l− and for all left neighbors l′ of
l it is the case that 〈c, st0〉 ` t′ ↓ l′ 7→ st(l′), then
〈c, st0〉 ` t′ . l− ↓ l 7→ next(c, st, l).
Definition 5 has four cases, depending on both the
transparency of l in t and the structure of t. This
choice of decomposition gives rise to a strong induction
principle based on those four cases, which we will use
in Section IV to prove flow equivalence.
Figure 3 shows the Coq definition of this relation,
extended with an additional parameter O corresponding
to the transparency of l in t. The additional parameter
makes the Coq relation easier to work with, as we
often need to consider only opaque or only transparent
latches. Note that function application in Coq is written
as the function name (e.g. latch_transp) next to its
arguments (e.g. t, l) with whitespace separators.
Each constructor in the Coq definition is a logical
formula that indicates when the relation is satisfied. For
example, when the trace is empty the circuit is in its
initial state: even latches are opaque and they have their
corresponding initial values. This property is written
〈c, st0〉 ` t_empty ↓ E 7→Opaque st0(E), and the Coq
proof term async_nil E is evidence that it holds.
C. Marked graphs
Cortadella et al. characterize the traces allowed by a
particular instantiation of controllers as a marked graph,
a class of Petri net such that each place has exactly one
input and one output transition.
Definition 6 (Marked Graphs). Given a set T of
transitions, a marked graph is a set of places, each with
associated input and output transitions, with an initial
marking—a function from places to natural numbers.
Record marked_graph T :=
{ place : T → T → Type
; init_marking : ∀ t1 t2, place t1 t2 → N }.
Definition marking (M : marked_graph) :=
∀ t1 t2, place M t1 t2 → N.
Definition 6 is equivalent to the standard definition
of marked graphs as (1) a set of places, (2) a set of
transitions, and (3) a flow relation such that each place
has unique input and output transitions. However, the
type-theoretic Definition 6 enables easier reasoning in
Coq. For example, suppose we have a place p into t
in the standard definition. Knowing t, there are a finite
number of options for p, which can be obtained by
iterating over the flow relation. Definition 6 does not
require this iteration; Coq automatically identifies the
possible options for p by case analysis.
Cortadella et al. describe marked graph protocols with
respect to a circuit’s sets of neighboring latches. For
each even-odd and odd-even pair they specify the places
corresponding to that pair’s rises and falls, as illustrated
in Figure 4. The Coq definition of the desynchronization
protocol (Figure 4a) is shown in Figure 5.
Definition 7 (Enabled Transitions). A transition is
enabled in a marking if all of its input places are positive.
An enabled transition can fire to produce a new marking:
fire(t,M,m)(p) =

m(p)− 1 if p leads into t
m(p) + 1 if p leads out of t
m(p) otherwise
A marked graph M evaluates to the marking m from
a tail-list ls of transitions, written M ` ls ↓ m, if the
following relation holds:
• If ls is empty, then M ` ls ↓ init_marking(M).
• If ls = ls′ . t such that M ` ls′ ↓ m′ and t is
enabled in m′, then M ` ls ↓ fire(t,M,m′).
A crucial property of marked graphs is that they
preserve the markings of cycles. We write p : t1 9 t2
for a path spanning from t1 to t2, and m(p) for the sum
of the markings of the places along the path.
Lemma 1. If p is a cycle in a marked graph M and
M ` ls ↓ m, then m(p) = init_marking(M)(p).
4
Inductive async (c : circuit) (st0 : state latch)
: trace → latch → transparency → val → Prop :=
| async_transparent : ∀ l t st v, transparent t l = Transparent →
(∀ l', neighbor c l' l → 〈c,st0〉` t ↓ l' 7→ {transparent t l'} st l') →
〈c,st0〉` t ↓ l 7→ {Transparent} next c st l
| async_nil : ∀ E,
〈c,st0〉 ` t_empty ↓ Even E 7→ {Opaque} st0 (Even E)
| async_opaque : ∀ l e t' v, transparent (t' . e) l = Opaque →
e <> Fall l →
〈c,st0〉` t' ↓ l 7→ {Opaque} v →
〈c,st0〉` t' . e ↓ l 7→ {Opaque} v
| async_opaque_fall : ∀ l e t' v st,
(∀ l', neighbor c l' l → 〈c,st0〉` t' ↓ l' 7→ {transparent t' l'} st l') →
〈c,st0〉` t' . Fall l ↓ l 7→ {Opaque} next c st l
where "〈 c , st 〉` t ↓ l 7→ { O } v" := (async c st t l O v).
Fig. 3: Coq definition of asynchronous execution of a trace.
E+ O+
E− O−
O+ E+
O− E−
(a) Desynchronization Protocol
E+ O+
E− O−
O+ E+
O− E−
(b) Rise-Decoupled Protocol
E+ O+
E− O−
O+ E+
O− E−
(c) Fall-Decoupled Protocol
Fig. 4: Three marked graph protocols for desynchronization, from Cortadella et al. [1]. A double arrow t ↔ t′ indicates that there are places
in both directions; markings t → t′ are indicated by dots appearing closer to t′ than t. For every pair of even-odd (respectively, odd-even)
neighbors, the marked graph has the places and initial markings indicated by the diagram on the left (respectively, on the right).
Inductive desync_place : event → event → Type :=
| fall (l : latch) : desync_place (Rise l) (Fall l)
| rise (l : latch) : desync_place (Fall l) (Rise l)
| rise_fall : ∀ l l', neighbor c l l' →
desync_place (Rise l) (Fall l')
| fall_rise : ∀ l l', neighbor c l l' →
desync_place (Fall l') (Rise l).
Definition desynchronization : marked_graph event :=
{| place := desync_place
; init_marking := fun _ _ p ⇒ match p with
| rise (Even _) ⇒ 1
| fall (Odd _) ⇒ 1
| rise_fall _ _ _ ⇒ 1
| _ ⇒ 0
end |}.
Fig. 5: Desynchronization protocol defined in Coq. Given a proof p that the pair (E,O) is in the list of even-odd neighbors,
Even_rise_odd_fall E O p is a place from E+ to O−. In the initial marking, the notation fun x ⇒ e defines a function of type
A → B (in this case a marking) by giving a value e of type B for every argument x of type A.
5
This result follows from the following helper lemma:
Lemma 2. If t is enabled in M and p : t1 9 t2, then:
t = t1 = t2 =⇒ fire(t,M,m)(p) = m(p)
t = t1 6= t2 =⇒ fire(t,M,m)(p) = m(p) + 1
t = t2 6= t1 =⇒ fire(t,M,m)(p) = m(p)− 1
t 6= t1 ∧ t 6= t2 =⇒ fire(t,M,m)(p) = m(p)
D. Flow equivalence
Le Guernic et al. [2] define two circuits to be flow-
equivalent if and only if (1) they have the same set of
latches, and (2) for each latch l, the sequence of values
latched by l is the same in both circuits. It need not be
the case that the two circuits have the same state at any
specific point in time, but the projection of the states
onto each latch should be the same. This ensures that,
even if the timing behaviors of the two circuits differ,
their functional behaviors are the same.
In this case, we are interested in comparing the
same circuit under two different execution models: syn-
chronous and asynchronous. For the synchronous model,
the projection of the values latched by a latch l are given
by the function sync(c, st0, i)(l). For the asynchronous
model, we have to consider the execution of every trace
allowed by the asynchronous controller.
Definition 8 (Flow Equivalence). A marked graph M
ensures flow equivalence of a circuit c with initial state
st0 if every trace allowable by the marked graph has the
same synchronous and asynchronous execution. That is,
let t be a trace compatible with M , and let l be a latch,
opaque in t, such that 〈c, st0〉 ` t ↓ l 7→ v. Then v is
the ith value of the synchronous execution of c, where
i = num (l−) t, the number of occurrences of l− in t.
Definition flow_equiv (M : marked_graph event)
(c : circuit) (st0 : state latch) :=
∀ l t v, (exists m, {M}` t ↓ m) →
〈c,st0〉` t ↓ l 7→ {Opaque} v →
v = sync c st0 (num (Fall l) t) l.
IV. VERIFIED FLOW-EQUIVALENT PROTOCOLS
In this section we prove in Coq that the rise-decoupled
and fall-decoupled protocols illustrated in Figure 4 pre-
serve flow equivalence, and revisit the counterexample
of Section II in the context of the formalization.
A. Rise-decoupled protocol
The rise-decoupled protocol, also called fully-
decoupled [18] and illustrated in Figure 4b, preserves
the invariant that when l is latched for the ith time,
A
B
a1 a2 a3
b1 b2 b3
Fig. 6: Valid interleavings of the rise-decoupled protocol. Notice that
the value ai is available by the ith fall of B’s clock.
its predecessors have also been latched the appropriate
number of times (either i or i−1 times); thus, l correctly
latches its ith synchronous value. Figure 6 illustrates
several possible interleavings of neighboring latches that
satisfy the rise-decoupled protocol. Notice that B may
not acquire its correct value by the ith occurrence of
B+, but it will by the ith occurrence of B−.
Fix a circuit c and an initial state st0. The definition
of the rise_decoupled marked graph with respect to
c is omitted here for space, but is similar that of the
desynchronization protocol shown in Figure 5. In the
Coq definition, we add two redundant arcs to ensure that
there are always arcs from l− to l+ and vice versa. Since
there is at most one place between two events e and e′,
we write (e→ e′) for that place when it exists.
To prove that the rise-decoupled protocol preserves
flow equivalence, we first prove several lemmas about
the rise-decoupled marked graph.
Lemma 3. Let rise_decoupled ` t ↓ m. If l has a
right neighbor l′ such that m(l− → l′−) > 0, then l is
opaque in t.
Proof. By induction on t. Using Lemma 1 and some
light automation (about 50 lines of Coq tactics that will
be re-used for other proofs), this lemma is proved in
fewer than 20 lines of Coq proof scripts.
Next, we prove a lemma relating the number of
occurrences of l− in a trace for neighboring latches.
Lemma 4. Let rise_decoupled ` t ↓ m. If l− is
enabled in m, then for all left neighbors l′ of l,
num (l′−) t =
{
num (l−) t if l is odd
1 + num (l−) t if l is even
Proof. The induction hypothesis must be strengthened
to account for three exhaustive cases: m(l− → l′−) >
0; m(l′− → l+) > 0; and m(l+ → l−) > 0. These
cases are exhaustive because of Lemma 1: the sum of
these three values is exactly equal to 1. The proof then
proceeds by induction on t.
6
Finally, we can prove the main result, that
rise_decoupled satisfies flow equivalence.
Theorem rise_decoupled_flow_equiv :
flow_equiv rise_decoupled c st0.
Recall that we have already fixed the circuit c and initial
state st0 and that the definition of the rise_decoupled
marked graph depends on c.
Unfolding the definition of flow equivalence, we can
write out the statement of the theorem in English:
Theorem 5. If 〈c, st0〉 ` t ↓ l 7→ v such that l is
opaque in t and rise_decoupled ` t ↓ m, then
v = sync(c, st0, num (l−) t)(l).
Proof. By induction on the asynchronous evaluation
judgment 〈c, st0〉 ` t ↓ l 7→ v. The structure of that
definition leads to an induction principle with four cases.
1) The first case, where l is transparent in t, is vacuous.
2) If t is the empty trace it suffices to consider only
even latches, for which the result is immediate.
3) If t = t′ . e such that e 6= l−, the result follows
immediately from the induction hypothesis.
4) Finally, the only non-trivial case is when t = t′ . l−.
Since l− is enabled, its left neighbors are all opaque and
so have already acquired their correct values.
In this case, v = next(c, st, l) where, for all left
neighbors l′ of l, 〈c, st0〉 ` t′ ↓ l′ 7→ st(l′). Since l− is
enabled in rise_decoupled ` t′ ↓ m′, l′ is opaque in
t′ (Lemma 3). Thus the induction hypothesis applies:
st(l′) = sync(c, st0, num (l′−) t′)(l′).
Unfolding definitions,
sync(c, st0, num (l−) t)(l) = next(c, st′, l)
where, for all left neighbors l′ of l,
st′(l′) =
{
sync(c, st0, 1 + i)(l
′) if l is odd
sync(c, st0, i)(l
′) if l is even
and where i = num (l−) t′. The fact that st(l′) = st′(l′)
follows from Lemma 4.
Note that we could have performed induction on the
trace t here, but that would not be sufficient for the fall-
decoupled proof, which requires us to reason about both
transparent and opaque latches.
B. Fall-decoupled protocol
The rise-decoupled protocol of the previous section
allows the rises of clocks to interleave arbitrarily as long
as the falls of those clocks obey the inductive invariant.
In the fall-decoupled protocol (Figure 4b), the situation
A
B
a1 a2 a3
b1 b2 b3
Fig. 7: Timing diagram illustrating valid interleavings of the fall-
decoupled protocol. Notice that the value ai is always available by
the rise of B’s clock.
is reversed—a clock may fall either before or after its
predecessors’ clocks fall, as long as its rise occurs after
its predecessors’ clocks rise, as illustrated in Figure 7.
Under the zero-delay assumption, the model preserves
the invariant that each latch will obtain its correct value
as soon as it goes transparent, and that value will be
stable until it goes opaque again.
For the proof of flow equivalence, we build on the
same structure of lemmas as for the rise-decoupled
protocols, proving variants of Lemmas 3 and 4 adapted
to the fall-decoupled protocol. For example:
Lemma 6. Let fall_decoupled ` t ↓ m. If l is
opaque in t, then
num (l−) t =
{
1 + num (l+) t if l is odd
num (l+) t if l is even.
If l is transparent in t, then for all left neighbors l′ of l:
num (l+) t =
{
num (l′+) t if l is odd
1 + num (l′+) t if l is even.
In the rise-decoupled protocol, the proof of flow
equivalence relies on the fact that, whenever the event
l− is enabled, all of l’s left neighbors are opaque,
so are guaranteed to have their correct values. This is
not the case in the fall-decoupled protocol, where l’s
left neighbors might be either transparent or opaque.
Therefore, it is necessary to strengthen the statement of
flow equivalence to account for the values of both opaque
and transparent latches.
Theorem 7. If fall_decoupled ` t ↓ v and 〈c, st0〉 `
t ↓ l 7→ v, then v = sync(c, st0, i)(l), where
i =
{
1 + num (l+) t if l is odd
num (l+) t if l is even.
Proof. By induction on the relation 〈c, st0〉 ` t ↓ l 7→ v.
1) First, if l is transparent in t, then v is equal to
next(c, st, l) such that, for all left neighbors l′ of l,
〈c, st0〉 ` t ↓ l′ 7→ st(l′).
7
Notice that i > 0: for l odd this follows immediately
from the definition; for l even there is at least one
occurrence of l+ in t since even latches are initially
opaque. Thus, sync(c, st0, i)(l) = next(c, st′, l) where
st′ = sync(c, st0, num (l+) t).
It suffices to show that for all left neighbors l′, st(l′) =
st′(l′). By induction, st(l′) = sync(c, st0, i′)(l′) where
i′ =
{
1 + num (l′+) t if l′ is odd
num (l′+) t if l′ is even.
By Lemma 6 we know that num (l+) t = i′, which
completes the proof.
2) If l is opaque in the empty trace, it must be odd, and
the result is trivial.
3) If l is opaque in t = t′ . e where e 6= l−, the result
is straightforward from the induction hypothesis on t′.
4) Finally, if t = t′ . l−, then v = next(c, st, l) where
〈c, st0〉 ` t′ ↓ l′ 7→ st(l′) for all left neighbors l′ of l.
Furthermore, sync(c, st0, i)(l) is equal to next(c, st′, l)
where st′ = sync(c, st0, num (l+) t′). So it suffices to
show that, for all left neighbors l′, st(l′) = st′(l′). By the
induction hypothesis st(l′) = sync(c, st0, i′)(l′), where
i′ =
{
1 + num (l′+) t′ if l′ is odd
num (l′+) t′ if l′ is even.
By Lemma 6 we know i′ = num (l+) t′, as required.
Finally, we must show that Theorem 7 implies flow
equivalence.
Corollary 8. Whenever 〈c, st0〉 ` t ↓ l 7→ v such that
l is opaque in t and fall_decoupled ` t ↓ m, then
v = sync(c, st0, i)(l) where i = num (l−) t.
Proof. It suffices to show that
num (l−) t =
{
1 + num (l+) t if l is odd
num (l+) t if l is even,
which follows from Lemma 6.
C. Less concurrent protocols
Cortadella et al. also discuss three other protocols that
are even less concurrent than the rise-decoupled and fall-
decoupled protocols, and claim they are flow equivalent
since every trace they accept is also accepted by a
known flow-equivalent protocol. Because they are all
three subsumed by the rise- and fall-decoupled protocols,
this is still true in our case. The formal proofs of this
result depend only on the proof that one marked graph
refines another. As an exercise, we proved this fact for
the semi-decoupled protocol in our Coq repository.
Program Definition c : circuit even odd :=
{| eo_nbrs := [ (A,SRC); (A,B); (C,SNK) ]
; oe_nbrs := [ (SRC,A); (B,C); (SNK,C) ]
; next_e := fun E ⇒ match E with
| A ⇒ fun st ⇒ st (SRC)
| C ⇒ fun st ⇒ inc_val (st B)
end
; next_o := fun O ⇒ match O with
| SRC ⇒ fun st ⇒ inc_val (st A)
| B ⇒ fun st ⇒ inc_val (st A)
| SNK ⇒ fun _ ⇒ Num 0
end |}.
Fig. 8: A circuit subject to the desynchronization counterexample.
D. Counterexample, revisited
Finally, we revisit the counterexample to desynchro-
nization described in Section II in the formal setting,
providing a concrete circuit and a trace compatible
with desynchronization such that, after executing the
trace, there is a latch whose value is not equal to
sync(c, st0, num (l−) t)(l). The proof of flow equiv-
alence fails in this case because neither of the induc-
tive invariants described in the rise-decoupled or fall-
decoupled protocols are satisfied—the desynchronization
protocol allows latches to go opaque before all of their
left neighbors have gone opaque, which can result in an
entire value being dropped, as in Figure 2.
Theorem 9. There exists a circuit c for which the desyn-
chronization protocol does not ensure flow equivalence.
Proof. Figure 8 shows a three-stage pipeline, similar to
the one in Section II but with two additional latches SRC
and SNK representing the input and output environments
respectively. In the initial state, all latches have value X ,
and with each pulse, the source environment SRC sends
integers of increasing value to A. Each pipeline stage
increments its input by one (denoted inc_val v), and
the output environment SNK consumes the output of C.
We take a prefix of the trace illustrated in Figure 2 up
until the second fall of C’s clock. It is at this point that
flow equivalence is violated—the second value latched
by C is still sync(c, st0, 1)(C).
tc = [SNK−, C+, B−, C−, SNK+, SNK−, C+, B+, C−]
It is easy to check that there exists a marking m such
that desynchronization ` tc ↓ m, and that 〈c, st0〉 `
tc ↓ C 7→ sync(c, st0, 1)(C). To complete the proof
that flow equivalence is violated, it suffices to check that
sync(c, st0, 1)(C) 6= sync(c, st0, 2)(C).
8
V. SUMMARY AND FUTURE WORK
This paper makes three contributions: we identify a
mistake in a hand-written proof, carefully formalize the
relevant definitions, and adapt the proof to two variants
of the original protocol. This research highlights the
benefits of formal theorem proving to verify that a design
satisfies desirable properties.
Future work will apply this framework to verify the
correctness of gate-level implementations of the con-
trollers by checking that they satisfy the rise- or fall-
decoupled protocols. In addition, we plan to extend our
Coq framework to account for more abstract design
specifications such as FF-based synchronous designs and
CSP-like specifications, as well as more realistic delay
models. A long-term goal is to develop a comprehen-
sive assurance framework for desynchronization-based
design flows, which would account for the correctness
of retimed datapaths and liveness. These extensions may
require bridging disparate formal frameworks, including
static timing analysis, equivalence, and model checking.
ACKNOWLEDGMENT
Thanks to Marly Roncken, Ivan Sutherland, Tynan McAuley,
Flemming Anderson, and the anonymous reviewers for their helpful
feedback. This material is based upon work supported by the Defense
Advanced Research Projects Agency (DARPA) under Contract No.
HR0011-19-C-0070. The views, opinions, and/or findings expressed
are those of the authors and should not be interpreted as representing
the official views or policies of the Department of Defense or the U.S.
Government. DARPA Distribution Statement “A” (Approved for Public
Release, Distribution Unlimited).
REFERENCES
[1] J. Cortadella, A. Kondratyev, L. Lavagno, and C. P. Sotiriou,
“Desynchronization: Synthesis of asynchronous circuits from
synchronous specifications,” IEEE TCAD, vol. 25, no. 10, pp.
1904–1921, Oct 2006.
[2] P. Le Guernic, J.-P. Talpin, and J.-C. Le Lann, “Polychrony for
system design,” Journal of Circuits, Systems and Computers,
vol. 12, no. 3, pp. 261–303, 2003.
[3] The Coq Development Team, “The Coq proof assistant, version
8.10.0,” Oct. 2019, DOI: 10.5281/zenodo.3476303.
[4] C. Nelson, C. Myers, and T. Yoneda, “Efficient verification of
hazard-freedom in gate-level timed asynchronous circuits,” IEEE
TCAD, vol. 26, no. 3, pp. 592–605, 2007.
[5] F. Verbeek, S. Joosten, and J. Schmaltz, “Formal deadlock
verification for Click circuits,” in Proc. ASYNC, May 2013, pp.
183–190.
[6] P. A. Cunningham, “Verification of asynchronous circuits,” Uni-
versity of Cambridge, Tech. Rep. UCAM-CL-TR-587, 2004.
[7] H. Park, A. He, M. Roncken, X. Song, and I. Sutherland, “Mod-
ular timing constraints for delay-insensitive systems,” Journal
of Computer Science and Technology, vol. 31, pp. 77–106, Jan.
2016.
[8] S. Longfield and R. Manohar, “Inverting Martin Synthesis for
verification,” in Proc. ASYNC, 2013, pp. 150–157.
[9] A. A. Sakib, S. C. Smith, and S. K. Srinivasan, “Formal modeling
and verification of PCHB asynchronous circuits,” IEEE TVLSI,
pp. 1–14, 2019.
[10] A. Saifhashemi, H. Huang, P. Bhalerao, and P. A. Beerel,
“Logical equivalence checking of asynchronous circuits using
commercial tools,” in Proc. DATE, March 2015, pp. 1563–1566.
[11] T. Bui, T. Nguyen, and A.-V. Dinh-Duc, “Experiences with
representations and verification for asynchronous circuits,” in
Proc. ICCE, 2012, pp. 459–464.
[12] D. Borrione, M. Boubekeur, E. Dumitrescu, M. Renaudin, J.-
B. Rigaud, and S. Sirianni, “An approach to the introduction
of formal validation in an asynchronous circuit design flow,” in
Proc. HICCS, 2003.
[13] A. Bouzafour, M. Renaudin, H. Garavel, R. Mateescu, and
W. Serwe, “Model-checking synthesizable SystemVerilog de-
scriptions of asynchronous circuits,” in Proc. ASYNC, May 2018,
pp. 34–42.
[14] Y. Peng and M. Greenstreet, “Verifying timed, asynchronous
circuits using ACL2,” in Proc. ASYNC, May 2019, pp. 96–104.
[15] C. Chau, W. A. Hunt, M. Kaufmann, M. Roncken, and I. Suther-
land, “A hierarchical approach to self-timed circuit verification,”
in Proc. ASYNC, May 2019, pp. 105–113.
[16] G. Gonthier, “Formal proof–the four-color theorem,” Notices of
the AMS, vol. 55, no. 11, pp. 1382–1393, 2008.
[17] X. Leroy et al., “The CompCert verified compiler,” Documen-
tation and user’s manual. INRIA Paris-Rocquencourt, vol. 53,
2012.
[18] S. B. Furber and P. Day, “Four-phase micropipeline latch control
circuits,” IEEE TVLSI, vol. 4, no. 2, pp. 247–253, June 1996.
9
