Abstract. The single pulser is a clocked sequential device which generates a unit-time pulse on its output for every pulse on its input. This paper explores how a single-pulser implementation is veri ed by various formal reasoning tools, including the PVS theorem prover for higherorder logic, the SMV model checker for computation tree logic, the DDD design derivation system, and the Oct Tools design environment. By xing a single, simple example, the study attempts to contrast how the underlying formalisms in uence one's perspective on design and verication.
Introduction
One of the problems confronting the transfer to practice of formal veri cation methodology is the confounding variety of formal systems available. This paper is an initial attempt to contrast several mechanized formalisms as applied to a simple common problem, a circuit called a single pulser. The single pulser is arguably the simplest sequential circuit that does anything interesting. Even so, its veri cation exposes interesting issues in each of the studies we have undertaken.
We look at four systems in this paper. The rst and most general is the PVS theorem prover 11], which operates on higher-order logic expressions over inductive types. Next, we look at SMV, a symbolic model checker 10]. The propositional temporal logic on which SMV is founded is far less expressive than the higher-order logic of PVS; and consequently, the proofs are far more automatic. Third, we try DDD, a design derivation system based the algebra of rst-order functional expressions 9] . Finally, we apply the Oct Tools suite of design synthesis tools 13] to the single-pulser problem.
As discussed in the following section, there are many ways of looking at a single pulser. The four studies we have done are not directly comparable because they address di erent facets of the veri cation task. However, there are common impressions resulting from these studies. In each case, there are conceptual, methodological, and representational questions to understand before the system can be applied. In our view, there is also evidence to support the need for more integrated reasoning environments, in which tools such as these can be used in consort to solve design problems.
Our goal in reporting these studies is to gain perspective on the variety of approaches that have been taken to formalize reasoning about hardware. We hope eventually to expand this project to include a greater number of systems. This work illustrates how design aspects are represented in di erent formal systems. It also conveys some of the intuitive feel of working within these systems. We feel that tutorial material such as this will help researchers and practitioners understand how reasoning tools relate to one another. More systematic and rigorous comparisons would certainly be valuable, but are well beyond the scope of these studies. Even if one were to have criteria for comparisons, a more diverse set of examples would be needed to make them meaningful.
More detailed accounts of some of these studies (e.g. transcripts of interactions, script les, etc.) will be made available through 1]. Sections 3 through 6 contain references to more detailed descriptions of the individual systems under study. For a broader view of hardware veri cation systems and methods, Gupta's survey 7] contains an extensive bibliography and a partial taxonomy; it is a good starting point for further reading although it speci cally mentions only one of the systems used in this work, SMV.
Informal Description of the Single Pulser
The single pulser comes from a textbook by Winkel and Prosser on clockedsynchronous design 12]. Their original English speci cation reads:
Problem Statement. We have a debounced pushbutton, on (true) in the down position, o (false) in the up position. Devise a circuit to sense the depression of the button and assert an output signal for one clock pulse. The system should not allow additional assertions of the output until after the operator has released the button.
In all of the studies that follow, there is no attempt to account for debouncing an analog input signal; in fact, we shall also assume that input is synchronous. The single pulser device, SP has a one-bit input and a one-bit output:
Its observable behavior might stated as follows:
\SP emits a single unit-time pulse on o for each pulse received on i." Actually, this sentence is an understatement of the speci cation, if formulated literally, although the necessary details would no doubt be inferred by a designer. The Winkel-Prosser problem statement indirectly says that there is exactly one output pulse for every input pulse. Furthermore, simplicity demands that the output pulse occur in the neighborhood of the input pulse (rather than occuring in independent periodic bursts, for example). Let us take the timing diagram below as a somewhat more rigorous informal speci cation. Ellipses indicate time intervals of undetermined duration. The left region of the diagram is intended to say that there are no extra output pulses and the right region that there is just one output pulse some time during every input pulse.
Any reasonable hardware implementation would pick either the beginning or the end of the interval to generate the output pulse. However, the diagram also admits some impossible implementations, such as one in which the output pulse occurs at the midpoint of the input pulse.
The SP timing diagram is like a requirements speci cation, describing the expected observable properties of the device. Similarly, could call one of the nite-state diagrams below a design speci cation. Each of them describes a synchronous process with, it is claimed, the required behavior.
We show several kinds of state-machine diagrams because we are going to adopt perhaps the least familiar one, in the middle. It is the Algorithmic State Machine (ASM) diagram used by Winkel and Prosser. In ASM-diagrams, rectangles represent states, diamonds represent control-ow decisions, and ovals represent conditional (or \Mealy") outputs. There is also a convention that conditions occurring in the diagram are denied unless they are explicitly asserted; thus, \o = 1" is false (i.e., o = 0) on all but one of the paths. ASMs are relatively expressive in practice but more di cult to formalize. A timing diagram for the state machine is:
This diagram satis es (or implements) the SP timing diagram, assuming that we don't care what happens at \time zero," and further, that the output pulse is su ciently \within the neighborhood" of the input pulse. 4 An implementation description of the single pulser is represented by the circuit diagram:
The Reader is invited to jot down an appropriate de nition of \neighborhood" at this point, as this is a topic we shall return to later.
It is easy to work out that this circuit has the timing diagram:
Hence, it is an implementation of both the design and requirements speci cations. Winkel and Prosser make two additional observations about the single pulser which are relevant to its role as a tutorial example. The rst of these remarks has to do with the duality of control and architecture in hardware descriptions. The SP circuit shown earlier is systematically derivable from the ASM speci cation:
However, now that we have the circuit we can look at it (speci cally the delay element) as a piece of architecture under the control of the one-state (i.e., vacuous) ASM:
Similarly, the isolated view we have taken of the single pulser as a separate device overshadows another, equally valid, abstraction of SP as a synchronization protocol. \Being a single pulser" might be taken to mean that a larger circuit contains the same handshake as the abstracted single pulser:
We could also think of SP as being abstract with respect to the kinds of event sequences it recognizes as a \pulse." None of these generalizations arise in the studies we have carried out so far, but it might be good to keep them in mind.
3 Veri cation of a Single Pulser using PVS PVS (Prototype Veri cation System) is a mechanical theorem proving system developed at SRI International 11]. Its speci cation language is based on simplytyped higher-order logic; it provides an interactive proof checker employing sequent calculus proof rules and it has decision procedures for linear arithmetic. One interacts with PVS through an ASCII text editor, but the system also provides formatting facilities for printed reports. Those facilities were used to generate the logic formulas in this section. The proof presented in this section is also discussed in 8].
Since the single pulser is a simple circuit, we bypass the state machine level and directly prove a candidate implementation with respect to a high-level speci cation. A plausible speci cation of a single pulser is the following (i and o`are functions from time to values, where time ranges over the integers and values are taken from f0;1g. Variables m, n, j, and k are of type time):
Pulse(i; n; m)
An English reading of this formula is: Whenever there is a pulse on the input signal i, say from time n to time m, there is a unique time k in the vicinity of the input pulse when the output signal is asserted. A graphical representation of Pulse(f; n; m) is given by: and (a; b; y) : bool = (8 t : (y(t) = ( ? a(t)) b(t))) It is fairly simple to verify that this implementation satis es spec1. A summary of the PVS proof is given in Figure 1 . Each of the subgoal sequents displayed in Figure 1 can be easily veri ed using appropriate instantiations of quanti ed variables in the assumptions.
Unfortunately, spec1 is not su cient. It only speci es the behavior of the circuit in the neighborhood of an input pulse. There are no constraints on the behavior of imp between pulses. As an example, a simple inverter satis es our proposed single pulser speci cation. This is illustrated by There are a number of ways to remedy this situation. One possibility is to modify our de nition of Pulse to extend our notion of neighborhood until the beginning of the next pulse. 5 However, spec1 still does not constrain the behavior for all possible input streams. In the cases where the input has been high forever or remains high forever, the implementation is unconstrained. In addition to spec1, we need to show that the implementation also satis es the following:
See Footnote 4, in Section 2.
SinglePulse(o; k) (9 n; m : n k^k m^Pulse(i; n; m)))
This formula states that whenever the output is asserted, it is a single pulse and is in the vicinity of an input pulse. It is fairly simple to show that the output is a single pulse, if it is ever asserted. We can also easily show that the output is asserted after the input transitions from high to low. However, we have no means to show that the input pulse has been low previously. In other words, this circuit actually implements a synchronous falling-edge detector. It can only be a single pulser under the assumption that at some time in the past, the input was low. This is obviously a reasonable assumption; thus, we modify our veri cation condition by adding a clause about the environment in which the circuit is intended to operate, giving the following additional veri cation condition:
The additional assumption about the environment requires some additional reasoning unrelated to the correct operation of the circuit. In particular, it was necessary to establish from env1 that a greatest such time exists. This completes our veri cation of the single pulser using PVS. Our example lacks some characteristics of larger veri cation e orts. In our proofs we expand the de nitions of the circuit elements to their representation and invoke the builtin decision procedures of PVS. In a larger veri cation, we would prove properties about our representation and simplify accordingly, rather than employing the brute force approach shown here.
Veri cation of the Single Pulser Using Temporal Logic
We used the SMV (Symbolic Model Veri er) system 10] to specify and verify the single pulser circuit. An implementation is represented by a nite-state machine and the speci cation is represented by a formula in computation-tree logic (CTL). The system automatically veri es whether the given state-machine satis es that formula, that is, provides a model which makes the formula true.
A CTL formula speci es a possibly in nite computation tree describing the intended behavior of a correct design 4, 3]. Universal and existential quanti ers, A and E, refer to paths in the tree. The modalities F (some future state), G (all states), X (next state) and U (\(strong) until," or an interval between states) refer to the totally ordered set of states along a path. The simple variables of a CTL formula are propositional with`!' (`&',`|',`->') standing for logical negation (conjunction, disjunction, implication). A state is speci ed by the propositions that hold in it.
An SMV description of the single pulser design is given by (and even further once a boolean assignment is made for ready and wait) but we made a direct translation from the diagram, thinking that a more automatic system should tolerate a mechanistic approach. A representation of the implementation circuit is equally straightforward if we associate a state transition with a unit-time interval, so that a clocked register can be represented by the SMV next operator. The need to preset i corresponds to the initial-state assignment in the state machine. However, as was also the case with PVS, this reset assumption obscures some possibly signi cant anomalies that often occur during power-up intervals in physical circuits. We have immediately that the circuit implements the state machine. The keyword SPEC indicates an assertion to be veri ed.
SPEC o = rising_edge SMV con rms this to be true as it does with all of the SPEC statements that follow. In order to express the more general single-pulser speci cation in SMV we must as before settle on an acceptable notion of neighborhood within which to look for an output pulse. In this case, let us de ne neighborhood to be the interval between two successive rising edges on i (Notice above that rising_edge refers not to the transition event on i but to the rst unit-length period thereafter). 6 The single pulser speci cation decomposes into three overlapping properties as follows.
(a) SPEC AG (rising_edge -> (AF (o)))
Whenever there is a rising edge o is 1 some time later. Whenever there is a rising edge, and assuming that the output pulse doesn't happen immediately, there are no more rising edges until that pulse happens.
In other words, there can't be two rising edges on i without a pulse on o between them.
Property (b) is actually not valid because the semantics of the until operator would require rising_edge to become true on all paths|the so-called strong until. However, SMV has a provision called FAIRNESS which asserts that a condition holds in nitely often on all paths. If we assert FAIRNESS rising_edge then Property (b) becomes valid for the single pulser state machine.
We should comment on the di culties and uncertainties we experienced in reaching this form of the speci cation. For the novice users, it took a long period to adjust to the expressive limitations of CTL, and it is still very much a matter of debate when a particular logical representation is \well put." Beginners quite often fell into logical traps, for example, writing formulas like AG(!i) -> AG(!o) to express, \In the case that i is never true, neither is o." This formula is true, but only because AG(!i) is a false premise. Coming up with the de nition of 6 This choice of the interval from rising edge to rising edge was based on the experience of the PVS study. See Footnote 5.
rising_edge seemed to be a key. Without this de nition the CTL would be much more complex. Similarly, one should not try to say too much with a single sentence. Our speci cations improved signi cantly once we decomposed the speci cation into a set of simpler properties.
Once the logical representations are determined, the proofs are immediate and automatic. Failed proofs produce scenarios that are useful in re ning the formulations. However, in this study, invalid theorems always revealed inadequacies in the speci cation, rather than mistakes in the design. 5 Derivation of a Single Pulser using DDD DDD (Digital Design Derivation) is a specialized transformation system for digital system design 9, 2]. It operates on two dialects of rst-order functional expressions concretely represented by Scheme (Lisp) s-expressions. These dialects correspond to behavioral and structural forms of hardware description.
The goal of transformation is to reduce a higher-level algorithmic speci cation into a hierarchical network of processes. A derivation is a sequence of transformations and constructions applied to an initial expression, which is typically a design speci cation. Most DDD transformations preserve functional equivalence, although some are contingent on assumptions about the context (input-output timing, for example); and others add detail to the design (data representations, for example). As a formal object, a derivation together with any side conditions it synthesizes constitutes a proof of \implementation correctness," that is, equivalence between the design speci cation and its circuit implementation.
Typically, there are three phases in a derivation. The rst is to manipulate the behavioral form to achieve certain architectural goals. The second is to construct and re ne the structural expression describing that architecture. The third is to project the design to a concrete data representation, ultimately,a boolean system to which logic synthesis tools are applied.
In the single pulser study, we began with the speci cation SP shown in Fig.2 . SP is a proper Scheme program in which the states of the single pulser ASM represented by a system of tail-recursive functions de nitions, READY and WAIT. This is a standard way to model nite-state control with function expessions. Within each function de nition, the let-bindings for X and I provide a simple input/output interface: SP executes as a Scheme program to animate the speci cation. Thus, the DDD formulation di ers from predicate formulations in that the expressions on which it operates can be directly executed to explore the design behavior. However, the I/O supporting animation contaminates the expressions when considered as a hardware description. The algebra used to transform these expressions into hardware can also be used to isolate and factor out the modeling interface, as is demonstrated in this study.
Fig. 2. DDD design speci cation of a single pulser
A second dialect of functional modeling expression is used to describe circuit structure. The target implementation would be:
The system-letrec expression de nes a network of non-terminating streams representing in nite sequences of values over time. The de ning expression for X uses DDD's delay operator,`!'`to (arbitrarily) initialize sequence X with a zero. Sequence O is obtained by extending the binary operation ANDx element-wise to the streams I and X. Recursion in system-letrec expressions corresponds to feedback in the stream network, but there is no feedback in the single pulser example. Streams are not standard Scheme constructs but are added as a syntactic extension 2]. The rst step in the derivation constructs an initial structural description. The two components of this description are (a) a selection combination, which represents the control structure of the speci cation, and (b) an initial sequential system. 
Essentially, the streams in SP.1 are execution traces of the formal parameters in speci cation SP. The STATE and STATUS streams, together, implement a control automaton. The select combinator contains one other extension of standard Scheme syntax: nested lambda parameters such as ((s p0) v0 v1 v2) make it easier to manipulate multiple-output functions.
The next step is to isolate the single pulser circuit from the artifacts of the modeling interface, namely, the signal X, the subexpression (= (INP IN) 1) , and the \register" represented by the`!' in the de ning expression for O. In order to isolate the O register, we had to expand`O' by its de ning expression in the equation for X, and then identify the common subexpression (SELECT STATUS 0 0 1). Once this was done, DDD was instructed to partition SP into two subsystems, one of which encapsulated the modeling interface. After a term simpli cation, the residual subsystem is the pure single pulser: Once binary values are assigned to WAIT and READY, this system can be projected to logic synthesis. DDD expands and simpli es the occurrence of SELECT in the de ning expression for STATE to get:
(define select-state (lambda* (p0) (if p0 wait ready)))
Thus, if we choose WAIT = 0 and READY = 1 then STATE simpli es to I. Under this state assignment, the Oct Tools logic minimizer also nds a single-gate realization of (SELECT STATUS 0 0 1), and we end up with the desired circuit:
In all, six DDD commands were involved in the derivation, plus a rather cumbersome script of logic-synthesis commands.
6 Synthesis of a single-pulser using Oct Tools A standard CAD system|we use Oct Tools 13] as a readily available example| can automatically synthesize e cient implementations of the single-pulser. We shall not pursue whether a set of CAD tools should be classi ed as a formal system, but it is software that supports a speci c kind of reasoning. This point is discussed further at the end of this section. Within the Oct Tools environment are two hardware description languages, a behavioral HDL called Bdsyn and a structural HDL called Bdnet. Figure 4 shows the control-speci cation fragment of the single-pulser in Bdsyn. An a liated Bdnet structural description, not shown, speci es the kind of storage device used to hold pres state, among other things.
From this description, an intermediate boolean system description (blif le) was generated (using the bdsyn/bdnet translation tools). A minimizer and technology mapper were applied to the intermediate le (using misII). Physical placement (oct atten) and routing (wolfe) tools were then used to create the VLSI layout shown in Fig. 3 . When targeted to standard-cell technology, this process resulted in an implementation containing just one ip op and one gate, as we would hope. There was no manual intervention beyond writing the speci cation and choosing the appropriate synthesis libraries and tactics. A Bdsyn/Bdnet description of the stateless version of the single-pulser (discussed in Sec. 2) resulted in an apparently identical VLSI layout, as did Oct Tools synthesis of the implementation derived in DDD.
The Bdsyn speci cation in Figure 4 includes an explicit assignment of boolean values to the state labels READY and WAIT. This assignment did a ect the standardcell layout. The opposite assignment READY = 1, WAIT = 0 introduced an inverter, which did not change the net number of transistors in the realization but did enlarge the layout area by 12%. The inverter might have been eliminated by a re-timing tool, but this avenue was not explored.
We believe it would be hard to di erentiate between the kind of user-tool negotiation employed in the previous paragraph, and that seen when using (say) a general purpose theorem prover. For this reason, we are inclined to include a CAD environment among the other reasoning systems we are exploring, even if it does broaden the sense of the term \reasoning."
Conclusion
The four studies presented in this paper address distinct aspects of the verication task, as illustrated in Fig.5 . They involved four modes of description, three of which are formal. We likened the single-pulser timing diagram to a true speci cation because it details the observable properties of interest. The state-machine representation should be called a design description; among other things, it determines the particular wave form used to satisfy the speci cation. The circuit diagram, then, is an implementation description, detailing how this wave from is generated. Finally, there is a realization of the implementation in the form of a VLSI layout. Although diagrams are used informally in this paper, e orts are underway to make their meaning precise, with the goal of extending formal-reasoning systems to be more visually oriented 8, 5] .
In PVS, the most general of the formal systems used, a proof directly establishes that the implementation satis es the requirements of the speci cation. in PVS would typically use the design description. We had di culties getting the speci cation right. It was never di cult to prove that a correct circuit met the speci cation, but the proof process exposed pathologies that would make unacceptable circuits correct. In particular, our notion of neighborhood had to be strengthened before we could reject unacceptable implementations, and we had to explicitly exclude the pathological case of an in nite pulse. In the SMV study, temporal logic formulas were found to represent the timing-diagramspeci cation, and SMV de nitions and assignments were used to represent the state machine and circuit descriptions. We made many unsuccessful attempts at specifying a single pulser's behavior. As was the case in the PVS study, a bad speci cation usually resulted in a valid but inadequate theorem. In other words, SMV would a rm that the implementation was correct, but cross examination showed that the speci cation was too weak or simply wrong. Typically, our failures abused implication in some way, and the model checker would nd a path that falsi ed the premise. The limited expressiveness of CTL made it more challenging to produce an acceptable form of the speci cation, but the proofs were always automatic and immediate.
DDD applies to the problem of deriving an implementation from a design. In the DDD environment, the boolean optimization is done by logic synthesis tools. Since the DDD algebra is specialized for manipulating sequential system descriptions, we did not encounter the kinds of logical pathologies found in PVS and SVM. The derivation study actually focused on isolating the design description from its interface to a modeling environment. This was a good exercise of the algebra, and also showed how other modeling tasks can interfere with formal reasoning processes. Nevertheless, We had to use some very round-about tactics to get the DDD algebra to do exactly what we wanted.
Synthesis of the single pulser was straightforward for an experienced Oct Tools user. Experimenting with minor variations, such as changing the state assignment, led to a pattern of reasoning that we found quite similar to the interaction with the other systems.
In each of the studies, application of the tool is complicated by some aspect of problem representation, but it is a di erent aspect in each case. In PVS a re nement of environmental constraints|no in nite pulses|was needed to carry the proofs through. In the SMV study, there were similar problems with pathalogical cases, and while the proofs were automatic, we found it hard to represent the speci cation in the less expressive CTL. In DDD, the modeling context interferred, as discussed earlier. Finally, the complexity in using a design synthesis environment lies in understanding what tools to apply and when to be satis ed with the outcome.
We plan to continue collecting and comparing studies of the single pulser, and will maintain the results in 1].
