Symbolic trajectory evaluation provides a means to formally verify properties of a sequential system by a modified form of symbolic simulation. The desired system properties are expressed in a notation combining Boolean expressions and the temporal logic "next-time" operator. In its simplest form, each property is expressed as an assertion $[A \Longrightarrow C]$, where the antecedent $A$ expresses some assumed conditions on the system state over a bounded time period, and the consequent $C$ expresses conditions that should result. A generalization allows simple invariants to be established and proven automatically.
Introduction
Verifying a digital system by conventional simulation is feasible only for very small systems, since the large number of possible initial states and input sequences would require massive amounts of case analysis. By exploiting a combination of abstraction and symbolic manipulation, on the other hand, symbolic trajectory evaluation can verify the behavior of complex systems by a modified form of simulation. This method exploits abstraction by extending the system state space to include elements representing sets of actual states, yielding a partially-ordered system model. A single simulation sequence can then verify that the system would produce a unique result for a set of initial states or input sequences. It exploits symbolic manipulation by a modified form of symbolic simulation. The Boolean expressions appearing in the system specification are converted into symbolic patterns for the simulator. Like a conventional simulation, a single run of the trajectory evaluator models the system behavior over a single state sequence, although this sequence is both symbolic and partially-ordered.
Partially-Ordered System Modeling
In earlier work, we demonstrated the utility of ternary modeling for verifying a variety of circuits [9, 10]. Our methodology was based on ternary simulation of VLSI circuits, where a third value $X$ is added to the set $\{0, 1\}$ of possible signal values, indicating an unknown or indeterminate logic value. Assuming a monotonicity property of the simulation algorithm, one can ensure that any binary (i.e., 0 or 1) values resulting when simulating patterns containing $X$'s would also result when the $X$'s are replaced by any combination of 0's and 1's. Thus, the number of patterns that must be simulated to verify a circuit can often be reduced dramatically by representing many different operating conditions by patterns containing $X$'s. For example, we can verify that a particular sequence of actions will yield a 1 (or 0) on some node regardless of the initial state by verifying that this value results when starting from an initial state where all nodes are set to $X$. This requires far less effort than analyzing the effect of the action on all possible initial binary states.
Ternary modeling is a special case of a more general abstraction technique based on partially-ordered system models. That is, the actual state space of the circuit (in this case all possible combinations of binary values) is extended with values representing sets of circuit states, such that the resulting state set is partially ordered. With ternary simulation, a state with some nodes set to $X$ covers those circuit states obtained by replacing the $X$ values with all combinations of 0 and 1. The state with all nodes set to $X$ thus covers all possible actual circuit states. By extending the next-state function of the circuit to one over the expanded state set, we can verify circuit behavior for a set of different operating conditions with a single simulation run. By suitable restrictions of the specification syntax and the extended next-state function, we can guarantee that any property verified on this more abstract form of simulation must also hold for the original circuit.
In this paper we generalize our previous results on ternary simulation to a wider class of partially-ordered system models. This generalization simplifies the presentation by allowing us to focus on the essential properties of the abstraction technique while eliminating artifacts specific to ternary modeling. It also allows us to apply our methods to more abstract data domains than simple binary-valued signals.
Symbolic Simulation
Although ternary modeling, or its generalization, allows us to cover many conditions with a single simulation sequence, it lacks the analytic power required for complete verification, except for restricted classes of circuits such as memories [9]. We have shown that by combining ternary modeling with symbolic simulation [1], we can model even more complex sets of behaviors with a single simulation run. With ternary symbolic simulation, the simulation algorithm designed to operate on the scalar values 0, 1, and $X$ is extended to operate on a set of symbolic values. Each symbolic value indicates the value of a signal for many different operating conditions, parameterized in terms of a set of symbolic Boolean variables. In essence, ternary symbolic simulation allows us to combine multiple ternary simulation sequences into a single symbolic sequence.
Simulators that support ternary modeling intentionally err on the side of pessimism for the sake of efficiency. That is, they will sometimes produce a value $X$ even where exhaustive case analysis would indicate that the value should be binary (i.e., 0 or 1). For example, most ternary simulators evaluate logic functions in a ternary algebra created by extending the standard Boolean operators.
This algebra does not obey the law of the excluded middle, because $X + \bar{X} = X$, where $+$ and $\bar{\ }$ are the ternary extensions of Boolean sum and complement, respectively. Symbolic simulation, on the other hand, avoids this pessimism, because it can resolve the interdependencies among signal values and compute $a + \bar{a} = 1$ (the Boolean function that always yields 1). By combining the expressive power of symbolic values with the computational efficiency of ternary values, we can trade off precision for ease of computation.
Symbolic Trajectory Evaluation
Symbolic trajectory evaluation takes the notion of ternary symbolic simulation one step further by providing a concrete means of specifying and verifying the desired behavior of the system operating over time. In earlier papers [7, 11], we introduced the notion of symbolic trajectory evaluation for ternary system models and demonstrated its utility on several actual circuits. In this paper we generalize the technique to a wider class of system models and specifications. We also make our previous, informal claims more precise and rigorous. Our specifications take the form of symbolic trajectory formulas mixing Boolean expressions and the temporal next-time operator. The Boolean expressions provide a convenient means of describing many different operating conditions in a compact form. By allowing only the most elementary of temporal operators, the class of properties we can express is relatively restricted compared to other temporal logics [14, 28]. Nonetheless, we have found that we can readily express many aspects of synchronous digital systems at various levels of abstraction. The notation is quite adequate for expressing many of the subtleties of system operation, including clocking conventions and pipelining.
Our decision algorithm is based on a generalized symbolic simulation. In its simplest form it tests the validity of an assertion of the form $[A \Longrightarrow C]$, where both $A$ and $C$ are trajectory formulas. That is, it determines whether or not every state sequence satisfying $A$ (the "antecedent") must also satisfy $C$ (the "consequent"). It does this by generating a symbolic simulation sequence corresponding to the antecedent, and testing whether the resulting symbolic state sequence satisfies the consequent.
A more complex condition of the form $\langle [A \Longrightarrow C] \rangle ; G$ can also be verified, where $A$ and $C$ are trajectory formulas and $G$ is an assertion. Intuitively, the formula is deemed to hold if and only if for every sequence of states the system may go through, if the state sequence satisfies some number of iterations of $A$, then it must also satisfy the same number of iterations of $C$, and furthermore the remaining sequence must satisfy $G$. Assertions of this form are useful for verifying circuits that may remain in an idle state for an unbounded amount of time, e.g., a processor held in a "wait-state" by the memory subsystem. Our verification method proves invariants of this form by using symbolic simulation to compute a fixed-point which intuitively serves as a "summary" of the states the system can be in after it has gone through any number of iterations of $A$.
An important property of our algorithm is that it requires a comparatively small amount of simulation and symbolic manipulation to verify an assertion. The restrictions we impose on the formula syntax guarantee that there is a unique weakest symbolic sequence satisfying the antecedent. Furthermore, the symbolic manipulations involve only variables explicitly mentioned in the assertion. Unlike other symbolic circuit verifiers [3], we do not need to introduce extra variables denoting the initial circuit state or possible primary inputs. Finally, the length of the simulation sequence depends only on the depth of nesting of temporal next-time operators in the assertion and the speed of convergence of the fixed-point calculations.
Related Work
Our approach to verification relates most closely to the symbolic model checking algorithms devised by a number of researchers [3, 13, 17]. Like our program, these algorithms verify that a finite state system, modeled symbolically, obeys a property expressed in temporal logic. Despite these general similarities, however, there are significant differences in the capabilities and complexities of the algorithms. In particular, our method is the most restricted in terms of the class of systems that can be modeled and in the properties that can be verified. For example, the method of [13] can model an arbitrary, nondeterministic system, since the system is described by a transition relation. Our method can model some forms of nondeterministic behavior by encoding the set of possible next states with the value corresponding to the greatest lower bound in the partial ordering. This form of modeling would yield overly pessimistic results for highly divergent system behaviors, however. These other algorithms can decide a class of formulas consisting of a complete branching-time propositional temporal logic. Our method can only be used to verify properties of bounded state sequences, intermixed with periods of invariant behavior. What we lose in expressive power, however, we make up for in computational efficiency. The computational effort required by our verifier is considerably less than theirs. Furthermore, our verifier can operate by a generalized form of simulation, making it possible to use a variety of detailed, simulation-based circuit and timing models. One can view the combined effect of these research projects as providing a spectrum of checking-based verifiers that trade off expressiveness against performance.
Most other automated approaches to sequential circuit verification are based on testing state machine equivalence [16, 19]. Such methods are useful for comparing two different (but hopefully equivalent) representations of the system, such as one at a register-transfer level and one at a gate level. However, they do not work well for verifying the correctness of incompletely specified systems, nor for reasoning about systems that employ methods, such as pipelining, that shift the sequencing of activities in time. Furthermore, most of these methods assume that the system starts in some known initial state. In actual circuits, the initial state usually cannot be predicted.
Symbolic simulation has been proposed by others as a hardware verification technique. Bose and Fisher have shown that these methods can be applied to complex circuits, including ones with pipelining [2]. Their method, however, requires a complete characterization of the system by binary symbolic simulation. That is, the user identifies each place state is stored in the circuit, either as charge on a node or as a pair of complementary values within a static memory element. They then symbolically simulate a single clock cycle, where each state variable and each input signal is represented by a distinct Boolean variable, yielding a complete characterization of the next-state functions for every state variable. This process of extracting the explicit next-state function can be quite costly. In contrast, our method represents the next-state function implicitly as a combination of circuit structure and simulation algorithm. We only compute the next-state behavior for the particular patterns required to verify a given assertion. These patterns involve far fewer variables than Bose and Fisher's functional extraction requires.
Other researchers have suggested symbolic simulation as a means of circuit verification [18, 29]. None of this work has presented a clear methodology for sequential circuit verification, however.
Outline of Paper
This paper presents the theoretical basis for symbolic trajectory evaluation. Following a summary of the mathematical foundations, we describe the concept of partially-ordered system models and how a system can be represented by the language consisting of all possible compatible state sequences, referred to as trajectories. Next we introduce a "scalar" version of the specification notation, where only constant expressions are permitted. We show that any assertion in this notation can be verified by simulating the (unique) weakest state sequence satisfying the antecedent and testing adherence to the consequent. We then show that the concepts generalize to the symbolic case, where the specifications may contain expressions over a set of Boolean variables. One can view a symbolic assertion as simply encoding a number of scalar assertions that can then be evaluated simultaneously through symbolic simulation. Finally, we discuss some of the practical issues of implementing and applying our theory to real-life digital circuits.
Mathematical Background
In this section we give precise definitions of many concepts that will be used throughout the paper. Our goal here is to establish a mathematical foundation for the following sections. However, the material is presented very concisely, and the reader may wish to refer to some introductory texts for additional information. In general, we use calligraphic letters $\mathcal{A}, \mathcal{B}, \ldots$ to denote sets and lower case letters $a, b, \ldots$ to denote individual elements of sets. Unless otherwise stated, all sets are assumed to be finite.
Structure Example
In order to make the theory easier to follow, and also to provide a concrete application for the general theory, we will use switch-level circuit verification as a running example throughout the paper. There are several reasons for this. First, there is a historical reason, since this work grew out of switch-level simulation and verification. Secondly, there is a very close connection between our notion of a model structure and the type of models that are used in switch-level simulation. Nonetheless, the underlying concepts apply to more general classes of systems, examples of which will be given later. In switch-level models it is useful to allow each circuit node to take on one of three distinct values. Let $\mathcal{T} = \{0, 1, X\}$ denote such a set of values. There are several advantages in extending the domain from $\{0, 1\}$ to $\mathcal{T}$. As a first advantage, this extension makes it possible to model an increased range of circuit phenomena. For example, we can deal with circuits in which nondigital voltages are generated in the course of normal circuit operation. This occurs frequently when modeling circuits at the switch level [6], due to (generally transient) short circuits or charge sharing. We can also deal with circuits in which indeterminate behavior occurs due either to timing hazards or to circuit oscillation. In all of these cases, the modeling algorithm expresses this uncertainty by assigning a value $X$ to the offending circuit nodes, indicating that the actual digital value cannot be determined [12, 24]. Thus the value $X$ is introduced to denote an "unknown" and possibly indeterminate value.
In order to formalize this concept of an "unknown" value, define the partial order $\sqsubseteq$ on $\mathcal{T}$ as follows: $a \sqsubseteq a$ for all $a \in \mathcal{T}$, $X \sqsubseteq 0$, and $X \sqsubseteq 1$. In Fig. 1 we show the Hasse diagram for this partial order. Thus we now have the first half of a model structure.
The underlying model of a switch-level circuit we use is quite simple, as well as general. A circuit is a tuple $(\mathcal{N}, \tilde{y})$, where $\mathcal{N}$ is a set of nodes and $\tilde{y}$ is a vector of excitation, or next-state, functions. In the mathematical presentation we will refer to the nodes as $n_1, n_2, \ldots, n_m$, whereas in our examples we will often use more descriptive names. Since $X$ is meant to denote an unknown value, a gate with an $X$ on its input must treat this value in a very conservative way. Consequently, the excitation functions are required to be monotone with respect to the partial order $\sqsubseteq$. This monotonicity requirement is consistent with our use of information content. If a function is monotone, we cannot "gain" any information by reducing the information content of the arguments to the function. In other words, changing some signals from binary values to $X$ will either have no effect on the next-state values, or it will change some binary values to $X$.
The excitation functions are defined in a non-traditional way. We view them as expressing "constraints" on the values the nodes can take on one time unit later, given the current values on the nodes. By a constraint we mean a specific binary value, whereas the value $X$ indicates that no constraint is imposed. Since the value of an input is controlled by the external environment, the circuit itself does not impose any constraint on the value; hence the excitation of an "input node" is $X$. More formally, if node $n_i$ corresponds to an input to the circuit then $y_{n_i}(\tilde{a}) = X$ for every $\tilde{a} \in \mathcal{T}^m$. Nodes that do not correspond to inputs are called function nodes. For a function node $n_i$ the excitation function is a monotone ternary function $y_{n_i} : \mathcal{T}^m \to \mathcal{T}$ determined by the circuit topology and functionality.
To illustrate our notion of excitation function, consider the CMOS circuit shown in Fig. 2 . In Fig. 3 we give a graphical representation of the next state function assuming the circuit behavior is analyzed using a unit-delay model. Note that no matter what the current state is, the next state function for the input is X. Also, if the current input is binary, it is easy to see that the output one time unit later will be the complement of this value.
It should be pointed out that the "time unit" referred to above is the smallest period of time that is distinguishable in the circuit model. The minimum delay of any individual component of the circuit can be significantly larger. Thus we are not limited to unit-delay circuit models. For example, by using the transformation technique described in [30], both nominal-delay and bounded-delay circuit models can be used. However, to make our example as simple as possible, we will use a unit-delay model unless otherwise stated. In order to obtain a model structure, we only need to define a monotone next-time function mapping $\mathcal{C}$ to $\mathcal{C}$. We do this by extending $\tilde{y}$ from $\mathcal{T}^m \to \mathcal{T}^m$ to $\mathcal{C} \to \mathcal{C}$ in the obvious way. Another way of stating Proposition 1 is to say that we assume that every state in $\mathcal{S}$ is a possible initial state of the system.
In Fig. 4 we illustrate the set of all trajectories $\mathcal{L}(\mathcal{M}_C)$ for the unit-delay inverter described earlier. In this figure, the set of labels encountered while traversing any infinite path in the graph denotes a trajectory. Before discussing this graph further, recall that the $\top$ state is used to represent overconstrained states. In a manner of speaking, we consider that in the state $\top$ the node in is both 0 and 1 at the same time. A similar remark holds for out. In view of this interpretation, we can draw several conclusions from the graph. For example, we can see that for every trajectory the following holds: The same statement holds with 0 replaced by 1 and 1 replaced by 0. At its core, our verification methodology establishes properties such as these for a given model structure. More specifically, in the next section we define a small logic that allows us to state properties like the ones above in a concise and unambiguous way. We then define an efficient way of determining whether the formulas in the logic are valid for a particular model structure. In fact, the main contribution of the paper is the development of a checking algorithm that only needs to explore a tiny fraction of the complete state graph, as opposed to the full graph shown in Fig. 4.
Speci cation Language
The basic specification language we use is very simple. In fact, at first glance it might appear as if it can only be used to specify rather trivial behaviors. However, this is a bit of an illusion. In particular, we will later in the paper extend the model structure to a symbolic domain and give several examples of how non-trivial behaviors can be specified in this language. By keeping the language simple, we gain some very important properties. The most important is that there is a unique weakest trajectory that satisfies a formula. By focusing initially on the scalar version, we avoid the added complexity of the symbolic case while building a foundation upon which this more general formulation can be based.
Assume $\langle \mathcal{S}, \sqsubseteq \rangle$ is a lattice with universal lower bound $\bot$. Let $\mathcal{P}$ denote a set of simple predicates over $\mathcal{S}$. A trajectory formula is defined recursively as:
1. Simple predicates: $p$ is a trajectory formula if $p \in \mathcal{P}$.
2. Conjunction: $(F_1 \wedge F_2)$ is a trajectory formula if $F_1$ and $F_2$ are trajectory formulas.
3. Domain restriction: $(e \to F)$ is a trajectory formula if $F$ is a trajectory formula and $e$ is either 0 or 1.
4. Next time: $(\mathbf{N}F)$ is a trajectory formula if $F$ is a trajectory formula.
A trajectory formula is said to be instantaneous if it contains no next-time operators. Such a formula expresses system properties at only a single point in time. For convenience, we often drop parentheses when the intended precedence is clear. The domain restriction appears at first somewhat strange. Its usefulness will not become apparent until later, when we extend the trajectory formulas to a symbolic domain.
The set of simple predicates is arbitrary. However, for convenience, we will always assume that the predicate $p_0(s) \equiv \mathrm{true}$ is in $\mathcal{P}$. Observe that $p_0$ is indeed a simple predicate, with defining value $\bot$.
In switch-level verification the natural simple predicates are of the following form:
1. $(n_i \text{ is } 0)$ where $n_i \in \mathcal{N}$, and
2. $(n_i \text{ is } 1)$ where $n_i \in \mathcal{N}$.
In other words, our simple predicates ask whether a node in the circuit is known to be 0 or 1. It is easy to see that $(n_i \text{ is } 0)$ and $(n_i \text{ is } 1)$ are simple predicates whose defining values are the states $\langle X \cdots X 0 X \cdots X \rangle$ and $\langle X \cdots X 1 X \cdots X \rangle$, where the 0 (respectively 1) is in position $i$. The only somewhat strange property of these predicates is that they are both true in the (artificially introduced) $\top$ state. We ask the reader to simply accept this for the time being; we will discuss the ramifications of it later. For our example circuit of Fig. 2 we will use the five simple predicates true, in is 0, in is 1, out is 0, and out is 1, with defining values $\langle XX \rangle$, $\langle 0X \rangle$, $\langle 1X \rangle$, $\langle X0 \rangle$, and $\langle X1 \rangle$ respectively.
A trajectory formula describes constraints on some prefix of a trajectory. In order to refer to the length of this prefix, we introduce the concept of "depth" for trajectory formulas. The depth of a formula $F$, written $d(F)$, is defined recursively: $d(p) = 1$ for $p \in \mathcal{P}$, $d(F_1 \wedge F_2) = \max(d(F_1), d(F_2))$, $d(e \to F) = d(F)$, and $d(\mathbf{N}F) = d(F) + 1$.
The depth of a formula is thus simply the maximum number of nested next-time operators plus one.
As a notational convenience, we define for any trajectory formula $F$
$$F^{[k]} = F \wedge \mathbf{N}F \wedge \cdots \wedge \mathbf{N}^{k-1}F,$$
where $\mathbf{N}^k F$ denotes $(\mathbf{N}(\mathbf{N}(\cdots(F)\cdots)))$ with $k$ next-time operators. This notation allows us to express a condition that repeats over time. For example, the formula $(\text{in is } 0)^{[3]}$ states that node in stays at 0 for 3 consecutive time units. This is more concise than writing out the formula as $(\text{in is } 0) \wedge \mathbf{N}(\text{in is } 0) \wedge \mathbf{N}\mathbf{N}(\text{in is } 0)$.
For our example circuit of Fig. 2 we can thus write trajectory formulas like
$$(\text{in is } 0) \wedge \mathbf{N}(\text{out is } 1).$$
The truth semantics of a trajectory formula is defined relative to a model structure and a trajectory. In particular, given a model structure $\mathcal{M}$ and a trajectory $\sigma$, the truth of a trajectory formula $F$, written $\sigma \models_{\mathcal{M}} F$, is defined recursively. In the following, assume that both $\sigma$ and $\sigma'$ are members of $\mathcal{L}(\mathcal{M})$.
For example, given the trajectory $\sigma = \langle 00 \rangle \langle 01 \rangle \langle XX \rangle \langle XX \rangle \ldots$ for the circuit shown in Fig. 2, it is easy to verify that $\sigma \models_{\mathcal{M}} (\text{in is } 0) \wedge \mathbf{N}(\text{in is } 0)$, but that $\sigma \not\models_{\mathcal{M}}$ the second formula above.
Properties of Trajectory Formulas
We can extend the definition of simplicity from predicates to formulas in the obvious way, i.e., given a model structure $\mathcal{M}$, a formula $F$ is said to be simple iff there is a defining trajectory $\tau \in \mathcal{L}(\mathcal{M})$ such that $\sigma \models_{\mathcal{M}} F$ iff $\tau \sqsubseteq \sigma$. In this section we first show that trajectory formulas are simple.
We then show how the defining sequence can be constructed. The construction is direct and very efficient. As a result, if the main verification task can be phrased as "for every trajectory that satisfies the trajectory formula $A$, verify that the trajectory also satisfies the formula $C$", it becomes obvious how the verification can be carried out: compute the defining trajectory for the formula $A$ and check that the formula $C$ holds for this trajectory.
Before we can continue, we need a monotonicity result for trajectory formulas. The following lemma states that if a trajectory formula holds for some trajectory $\sigma$, then it also holds for every trajectory $\tilde{\sigma}$ such that $\sigma \sqsubseteq \tilde{\sigma}$. The proof is by induction on the structure of the formula; in its final step it thus follows that the defining sequence of $F_1$ lies below $\tilde{\sigma}$, and hence, by the induction hypothesis, that $\tilde{\sigma} \models_{\mathcal{M}} F_1$. Consequently, by the truth semantics, we can conclude that $\tilde{\sigma} \models_{\mathcal{M}} F$; the induction goes through and the claim follows.
From the above lemma we know that any trajectory satisfying $F$ must be greater than or equal to its defining sequence. Thus computing the defining sequence of $F$ and then determining whether a trajectory is greater than or equal to it allows us to quickly test whether the trajectory satisfies the formula $F$. However, the defining sequence is not necessarily itself a trajectory. In the following we will show how to combine the constraints on a state sequence implied by $F$ with those imposed by the system's excitation function to give a trajectory. In fact, we will show that the trajectory so obtained is the weakest possible trajectory satisfying $F$.
It turns out that a slightly more general concept than a defining trajectory is often useful: the defining trajectory of a formula with respect to a start condition $z \in \mathcal{S}$. For the formula $f$ of the example, it can be seen that the defining trajectory of $f$ with start condition $\bot$ is the smallest trajectory that satisfies $f$, and that every other trajectory that satisfies $f$ is greater than it. This is in fact no coincidence, as we now go on to show.
Before we establish the main properties of the defining trajectory with start condition $z$, the following monotonicity property will be needed: the defining trajectory is monotone in its start condition. Lemma 3 states this; the surviving end of its proof reads "$\ldots \sqsubseteq$ the defining trajectory from $t$, and the claim follows."
The second key lemma of this section states that there is a defining trajectory for every trajectory formula $F$ and start condition $z$. More formally, Lemma 4 assumes the defining trajectory with start condition $z$ is defined as above and asserts that it is the weakest trajectory above $z$ satisfying $F$. Of its proof only fragments survive: on the other hand, by the definition of lub it follows that for $i \geq 1$ the excitation of the $(i-1)$st state lies below the $i$th, and thus the sequence is a trajectory; by the definition of lub it also follows that every trajectory above $z$ satisfying $F$ lies above it, and the induction step goes through and the lemma follows.
Another way of stating this lemma is that every trajectory formula $F$ is simple, with defining trajectory the one obtained from the start condition $\bot$.
The above lemmas give a simple method for computing the defining trajectory and the defining sequence for a trajectory formula. Unfortunately, there is a practical difficulty, since both the defining trajectory and the defining sequence are theoretically infinite sequences. The following technical lemma will be useful later to show that only a finite prefix of the defining trajectories and sequences is needed.
Lemma 5 Let
Verification Methodology
Our speci cation language describes a property of the system M as a \trajectory assertion". Again,
we have chosen a quite limited language in order to gain e ciency. We have three types of constructs: simple assertions, sequences, and iterations. Simple assertions are of the form \if the system ever goes through a sequence of states satisfying trajectory formula A, then the sequence of states better also satisfy the trajectory formula C". Sequences of assertions allow representing system behaviors that shift from one \mode" to another. For example, it is convenient to use in describing the desired behavior during each clock cycle for a microprocessor during the execution of a multi-cycle instruction. Finally, a simple assertion can also be iterated an arbitrary number of times. This construct is primarily useful for, automatically, establishing and proving invariants of the system. For example, a typical use of the iteration construct is when specifying the possibility of an arbitrary number of wait-states in a microprocessor. More speci cally, we may want to verify that the processor works correctly no matter how many wait-states the external memory interface imposes. This could be accomplished by describing the constraints on the inputs during \wait cycles" and iterate this simple assertion an arbitrary number of times. More formally, a trajectory assertion is de ned recursively as: is a trajectory assertion. A trajectory assertion that does not contain any iteration, is said to be iteration-free.
The de nition of a trajectory assertion is somewhat restrictive. For example, it does not allow a trajectory assertion to end with an iteration. The reason for this restriction is to simplify the de nition of the truth semantics of trajectory assertions. In practice, it turns out not to be a serious restriction since one can always append true =) true] to an assertion that otherwise would end with an iteration.
To illustrate trajectory assertions, consider rst our inverter circuit of Fig. 2 . The following two assertions can constitute our speci cation of a unit-delay inverter:
in is 0^Ntrue =) Nout is 1] and in is 1^Ntrue =) Nout is 0] : Note that the Ntrue parts in the antecedents are simply there in order to make the depth of the antecedent equal the depth of the consequent. In a practical system, these \ ller" functions would be added automatically by the veri cation system and thus would not have to be expressed explicitly. However, in order to simplify the presentation of the general theory we have opted to require the depth of the antecedent to be equal to the depth of the consequent. Our next example shows the use of the sequence construct. Consider the switch-level circuit shown in Fig. 5 . Intuitively, n 1 is the input to a latch, n 3 is the clock signal, n 4 is the electrical node that stores the state when the clock is low, and n 5 is the output of the output bu er. If the state of the circuit currently is t 2 T 5 , a typical switch-level analysis of the circuit would derive the excitation functions: y 1 (t) = X y 2 (t) = t 1 y 3 (t) = X y 4 (t) = t 1 t 4 + t 3 t 1 + t 3 t 4 y 5 (t) = t 4 where all operators are assumed to be ternary. That is, nodes n 1 and n 3 , being input nodes, have excitation X. Nodes n 2 and n 5 are the outputs of simple inverters. Depending on the control signal on n 3 , node n 4 will either retain its stored charge (t 3 = 0), or get the value from the rst inverter (t 3 = 1). If t 3 = X, node n 4 will have a binary excitation only if the inverter output matches the value already on the node, and value X otherwise. Such excitation functions can be derived automatically from the transistor representation of the circuit by symbolic circuit analysis 6].
Since the latch is a sequential circuit and the clock signal changes the behavior quite drastically, it is natural to specify the desired behavior as a sequence of sub-behaviors|one for each clock phase. For example, a fairly natural trajectory assertion for the circuit that we may want to check may look like: = F^NF for an instantaneous trajectory formula F.
There is one subtle problem with specifying the desired behavior of the latch in the way shown above. The problem is that we may be over-specifying the required behavior. In general, the desired behavior of a latch can be expressed informally as: "given that the clock cycle is longer than some minimum time, the circuit can load an input when the clock is high and retain it when the clock goes low". It is quite natural to use the iteration construct to formulate such a specification. For the same operation as above, the more general specification would be written as:

$$G_2 = \langle [((n_1\ \mathrm{is}\ 1) \wedge (n_3\ \mathrm{is}\ 1))^{[2]} \Longrightarrow \mathrm{true}^{[2]}] \rangle ;\ [(n_1\ \mathrm{is}\ 1) \wedge (n_3\ \mathrm{is}\ 1) \Longrightarrow \mathrm{true}] ;\ [(n_3\ \mathrm{is}\ 0) \Longrightarrow (n_5\ \mathrm{is}\ 1)] ;\ [\mathrm{true} \Longrightarrow \mathrm{true}].$$
Intuitively, we are here stating that if the clock is high and the input is 1 for at least two time units and then the clock goes low, the output will remain 1. Note that a circuit that passes $G_2$ will pass $G_1$, but the opposite does not necessarily hold.
Before we define the truth semantics of a trajectory assertion we need to introduce a function that removes some of the first elements in a sequence. Let the suffix of a sequence be defined recursively as follows: Intuitively, the suffix function applied to some sequence removes the first $n$ elements in the sequence.
The truth semantics of a trajectory assertion is defined relative to a model structure and a set of trajectories in this model structure. In particular, given a model structure $M$ and a set $L$ of trajectories, the truth of a trajectory assertion $G$, written $L \models_M G$, is defined recursively as follows: Since we often require a trajectory assertion to hold for all possible trajectories, we use the
Returning to our examples of trajectory assertions above, we can easily see from …

What we will show in this section is how to determine the validity of a trajectory assertion without having to compute the complete state space as was done in Fig. 4. The following, rather technical, lemma will be useful later.
Lemma 6 Given a model structure $M$, an initial state $z \in S$, and a trajectory formula …

In view of the properties of defining sequences and trajectories derived in the previous section, our main verification method is captured in the following "satisfaction" predicate for trajectory assertions. The predicate is defined recursively as: The greatest fixed point above is well defined and can be computed iteratively since the domain $S$ is a finite lattice and the function taking the glb of $z$ with the state reached after $d(A)$ steps of the defining trajectory of $A$ is monotone in its argument.

Again returning to our inverter example, we will illustrate the computation of …

To illustrate the computation of SAT for a more complex trajectory assertion, consider again the circuit shown in Fig. 5 and the assertion

$$G_2 = \langle [((n_1\ \mathrm{is}\ 1) \wedge (n_3\ \mathrm{is}\ 1))^{[2]} \Longrightarrow \mathrm{true}^{[2]}] \rangle ;\ [(n_1\ \mathrm{is}\ 1) \wedge (n_3\ \mathrm{is}\ 1) \Longrightarrow \mathrm{true}] ;\ [(n_3\ \mathrm{is}\ 0) \Longrightarrow (n_5\ \mathrm{is}\ 1)] ;\ [\mathrm{true} \Longrightarrow \mathrm{true}].$$

Again for convenience, let $A_1 = ((n_1\ \mathrm{is}\ 1) \wedge (n_3\ \mathrm{is}\ 1))^{[2]}$, $C_1 = \mathrm{true}^{[2]}$, $A_2 = ((n_1\ \mathrm{is}\ 1) \wedge (n_3\ \mathrm{is}\ 1))$, $C_2 = \mathrm{true}$, $A_3 = (n_3\ \mathrm{is}\ 0)$, and $C_3 = (n_5\ \mathrm{is}\ 1)$. … $= \langle XXX01 \rangle$. This computation shows that when clock signal $n_3$ is held low, node $n_4$ will retain its stored value of 0, and $n_5$ will remain at 1.
It is easy to verify that the defining trajectory of $A_3$ from $w$ is

$$\langle XX001 \rangle \langle XXX01 \rangle \langle XXXX1 \rangle \langle XXXXX \rangle \langle XXXXX \rangle \ldots$$

Since the defining sequence of $C_3$ is $\langle XXXX1 \rangle \bot \bot \ldots$, it thus follows that $\mathrm{SAT}(w, [A_3 \Longrightarrow C_3])$. Finally, it follows trivially that $\mathrm{SAT}(w, [\mathrm{true} \Longrightarrow \mathrm{true}])$. Altogether, we can conclude that $\mathrm{SAT}(\bot, G_2)$ holds.
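The hand computation above, as an added example that is not part of the paper: a small Python trajectory evaluator over the ternary switch-level lattice, using the Fig. 5 excitation functions listed in the text. It reproduces the defining trajectory of $A_3$ from $\langle XXX01\rangle$ and checks $G_2$ with the iterated block unrolled once; the treatment of sequencing (each assertion starts from the state reached after the previous antecedent's depth) and the single unrolling are assumptions of this example, not the paper's fixed-point definition.

```python
"""Ternary trajectory evaluation of the Fig. 5 latch.

Added example, not code from the paper: it reproduces the hand computation
of the defining trajectory of A3 = (n3 is 0) from the state <XXX01>, checks
the consequent C3 = (n5 is 1), and then checks all of G2 with the iterated
block <[A1 => C1]> unrolled once (two time units of clock high).
Sequencing assumption: each assertion is checked from the state the circuit
reaches d steps after the start of the previous one, d being its depth.
"""
from typing import Dict, List, Tuple

X, TOP = "X", "T"        # unknown (bottom of the node lattice), conflict (artificial top)
State = List[str]        # ternary values of n1..n5 at indices 0..4
Step = Dict[int, str]    # node index -> required binary value at one time unit
Formula = List[Step]     # defining sequence, one Step per time unit (depth = len)
Assertion = Tuple[Formula, Formula]


def leq(a: str, b: str) -> bool:
    """Information ordering on node values: X below 0 and 1, both below TOP."""
    return a == b or a == X or b == TOP


def lub(a: str, b: str) -> str:
    """Least upper bound; 0 and 1 are inconsistent and rise to the artificial top."""
    if leq(a, b):
        return b
    return a if leq(b, a) else TOP


def t_not(a: str) -> str:
    return {"0": "1", "1": "0"}.get(a, X)


def t_and(a: str, b: str) -> str:
    if a == "0" or b == "0":
        return "0"
    return "1" if a == "1" and b == "1" else X


def t_or(a: str, b: str) -> str:
    if a == "1" or b == "1":
        return "1"
    return "0" if a == "0" and b == "0" else X


def excitation(t: State) -> State:
    """Ternary excitation functions of the Fig. 5 latch as listed in the text."""
    t1, _, t3, t4, _ = t
    y4 = t_or(t_or(t_and(t_not(t1), t4), t_and(t3, t_not(t1))), t_and(t_not(t3), t4))
    return [X, t_not(t1), X, y4, t_not(t4)]   # n1 and n3 are input nodes


def defining_trajectory(sigma: State, ante: Formula, length: int) -> List[State]:
    """tau_0 = lub(sigma, delta_0) and tau_(i+1) = lub(y(tau_i), delta_(i+1)), where
    delta_i is the antecedent's requirement at time i (nothing past its depth)."""
    traj, cur = [], list(sigma)
    for i in range(length):
        for node, val in (ante[i] if i < len(ante) else {}).items():
            cur[node] = lub(cur[node], val)
        traj.append(cur)
        cur = excitation(cur)
    return traj


def sat(sigma: State, ante: Formula, cons: Formula) -> bool:
    """SAT(sigma, [A => C]): the defining sequence of C lies below the defining
    trajectory of A, which must not pass through the artificial top."""
    traj = defining_trajectory(sigma, ante, max(len(ante), len(cons)))
    if any(TOP in s for s in traj):
        return False      # the antecedent is not a genuine circuit trajectory
    return all(leq(val, traj[i][node])
               for i, step in enumerate(cons) for node, val in step.items())


def sat_sequence(sigma: State, assertions: List[Assertion]) -> bool:
    """Check [A1 => C1] ; [A2 => C2] ; ... under the sequencing assumption above."""
    for ante, cons in assertions:
        if not sat(sigma, ante, cons):
            return False
        sigma = defining_trajectory(sigma, ante, len(ante) + 1)[-1]
    return True


def trajectory_string(traj: List[State]) -> str:
    return "".join("<" + "".join(s) + ">" for s in traj)


BOTTOM: State = [X] * 5
CLOCK_HIGH_IN_1: Step = {0: "1", 2: "1"}    # (n1 is 1) and (n3 is 1)
A1, C1 = [CLOCK_HIGH_IN_1] * 2, [{}] * 2    # ((n1 is 1) and (n3 is 1))^[2] => true^[2]
A2, C2 = [CLOCK_HIGH_IN_1], [{}]
A3, C3 = [{2: "0"}], [{4: "1"}]             # (n3 is 0) => (n5 is 1)
G2 = [(A1, C1), (A2, C2), (A3, C3), ([{}], [{}])]   # the trailing [true => true]

if __name__ == "__main__":
    print(trajectory_string(defining_trajectory(list("XXX01"), A3, 5)))
    print(sat(list("XXX01"), A3, C3), sat_sequence(BOTTOM, G2))
    print(sat_sequence(BOTTOM, G2[1:]))   # one unit of clock high is too short
```

Dropping the iterated block (`G2[1:]`) makes the check fail, which is the "at least two time units" point of $G_2$.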
We now return to the general theory by characterizing the satisfaction function. First we establish the following monotonicity property. Our next theorem is the second major result of this section and provides the basis for our verification methodology. It shows that one direction of the claim made in Theorem 1 for iteration-free formulas also holds for general formulas. However, our fixed-point method for verifying formulas with iteration can cause overly pessimistic results, and therefore the other direction may not hold. … $A^{[i]}(z))$. … $A^{[i]}(z)) \models_M G_1$ and the third claim follows.
The way we are representing sets of states during the fixed point calculation by the greatest lower bound of the states in the set has some undesirable properties. In particular, if the lattice is "too sparse", so that a very general state must be used to represent a set of states, it is quite likely that we will lose too much information and thus may find that SAT does not hold even though a more accurate calculation would show that the trajectory assertion is valid. Of course, from the above theorems we know that this can only happen if we have iterations in the trajectory assertion.
To illustrate the problem of too sparse lattices, assume we have a circuit that contains a "sticky" 2-bit wait-state counter that sequences through the states $\langle 00 \rangle$, $\langle 01 \rangle$, and $\langle 10 \rangle$, but no further, no matter how many input pulses it receives. Suppose we want to check this counter by using an iteration construct. If we first use the standard switch-level lattice introduced in Section 3, it is easy to see that the fixed point calculation will be forced to set both nodes of the counter to $X$ since $\langle XX \rangle = \mathrm{glb}\{\langle 00 \rangle, \langle 01 \rangle, \langle 10 \rangle\}$. Unfortunately, we have now lost information and thus we may erroneously report a circuit failure that only could be triggered if the counter ended up in the state $\langle 11 \rangle$. On the other hand, if we used a more complete lattice the problem would disappear. For example, if we use the power-set of $\{\langle 00 \rangle, \langle 01 \rangle, \langle 10 \rangle, \langle 11 \rangle\}$ ordered by set inclusion as the domain of the counter, we can distinguish between the set $\{\langle 00 \rangle, \langle 01 \rangle, \langle 10 \rangle\}$ and any set that contains the state $\langle 11 \rangle$.
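An added illustration of the sticky counter argument (not the paper's code): the counter's next-state function is constructed here, and the states reachable under iteration are computed both exactly in the power-set lattice and through the ternary lattice, whose componentwise glb collapses the three reachable states to $\langle XX\rangle$ and so can no longer exclude $\langle 11\rangle$.

```python
"""Why a sparse lattice loses information: the "sticky" 2-bit counter.

Added example, not code from the paper.  The counter's concrete next-state
function is constructed here: 00 -> 01 -> 10 -> 10 (it never advances
further), and the unreachable state 11 is constructed to stay at 11.
A set of counter states is represented either exactly (power-set lattice,
ordered by inclusion) or in the switch-level ternary lattice, where the
glb of states that differ in a bit sets that bit to X.
"""
from itertools import product
from typing import FrozenSet, Tuple

Concrete = Tuple[int, int]          # (high bit, low bit)
Ternary = Tuple[str, str]           # each bit '0', '1' or 'X'

NEXT = {(0, 0): (0, 1), (0, 1): (1, 0), (1, 0): (1, 0), (1, 1): (1, 1)}


def glb_ternary(a: Ternary, b: Ternary) -> Ternary:
    """Greatest lower bound in the ternary lattice: disagreeing bits become X."""
    return tuple(x if x == y else "X" for x, y in zip(a, b))


def gamma(a: Ternary) -> FrozenSet[Concrete]:
    """Concretization: all binary states covered by a ternary pattern."""
    choices = [(0, 1) if bit == "X" else (int(bit),) for bit in a]
    return frozenset(product(*choices))


def alpha(states: FrozenSet[Concrete]) -> Ternary:
    """Abstraction: the glb of the states, i.e. the most precise pattern covering them."""
    pattern = None
    for s in states:
        t = tuple(str(bit) for bit in s)
        pattern = t if pattern is None else glb_ternary(pattern, t)
    return pattern


def step_exact(states: FrozenSet[Concrete]) -> FrozenSet[Concrete]:
    return frozenset(NEXT[s] for s in states)


def step_ternary(a: Ternary) -> Ternary:
    """Best monotone ternary next-state function: alpha(next(gamma(a)))."""
    return alpha(step_exact(gamma(a)))


def reachable_exact(start: Concrete) -> FrozenSet[Concrete]:
    """Fixed point of the reachable set in the power-set lattice."""
    seen = frozenset([start])
    while True:
        nxt = seen | step_exact(seen)
        if nxt == seen:
            return seen
        seen = nxt


def reachable_ternary(start: Concrete) -> Ternary:
    """Greatest fixed point of the iteration in the ternary lattice: the glb of
    the current pattern with its own image, until stable."""
    cur = alpha(frozenset([start]))
    while True:
        nxt = glb_ternary(cur, step_ternary(cur))
        if nxt == cur:
            return cur
        cur = nxt


def may_reach_11(start: Concrete, use_ternary: bool) -> bool:
    """Would a verifier working in this lattice have to consider the state 11?"""
    if use_ternary:
        return (1, 1) in gamma(reachable_ternary(start))
    return (1, 1) in reachable_exact(start)


if __name__ == "__main__":
    print(sorted(reachable_exact((0, 0))), reachable_ternary((0, 0)))
    print(may_reach_11((0, 0), use_ternary=False), may_reach_11((0, 0), use_ternary=True))
```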
The above theorem suggests a simple method for verifying a trajectory assertion $G$: compute $\mathrm{SAT}(\bot, G)$. If $G$ is iteration-free then we will obtain an exact answer in the sense that $\mathrm{SAT}(\bot, G)$ … computing the satisfaction function, it is sufficient to compute a bounded prefix of the defining trajectories and the defining sequences. Hence, we only need to compute a bounded prefix of any trajectory. Furthermore, it is easy to see that we never need to store more than three system states: the current state, the next state, and the fixed point state if the assertion contains an iteration. In summary, we can verify trajectory assertions very efficiently.

Finally, there is one more, quite subtle, aspect of the verification methodology we need to deal with. The problem is that in order to make a non-lattice domain into a complete lattice, we often add "artificial" top elements. Since every element is less than the top element, we are in a somewhat dangerous situation if, during the computation of the defining trajectory, we end up in such a top state. To illustrate a typical instance of this problem, consider trying to show that a circuit with inputs $A$ and $B$ and output $\mathit{Out}$ implements the exclusive-or function. Intuitively, it seems that it would be sufficient to prove that the circuit satisfies the assertion $[(A\ \mathrm{is}\ a) \wedge (B\ \mathrm{is}\ b) \Longrightarrow \mathbf{N}(\mathit{Out}\ \mathrm{is}\ a \oplus b)]$ for all $a, b \in \{0, 1\}$. Unfortunately, this is not the case. For example, this assertion is satisfied by the rather useless circuit of Fig. 6, where the two inputs are tied together, and the output is always 0.
Whenever $a \neq b$ the antecedent trajectory will end up in $\top$, because inputs $A$ and $B$ are electrically equivalent. The only values for which the trajectory does not end up in $\top$ are ones for which the output should be 0, in which case the consequent is also satisfied.
Any checking based purely on testing implications is prone to this sort of "false implies everything" error. Problems of this sort have been encountered by researchers using other systems for hardware verification such as HOL [21] and EMC [14]. A solution to this problem in our context, and in fact the solution we have adopted for our prototype tools, is a two-pronged approach. First, the user can only add new top elements in forming a complete lattice. Thus we do not allow the user to add artificial bottom or internal states. Secondly, our verification system ensures that every state in the defining trajectory does not contain any artificially introduced top elements. These two constraints ensure that the defining trajectory is a genuine circuit trajectory and thus that there is at least one circuit trajectory that satisfies the antecedent.
Symbolic Formulation
In the previous section we proved that to determine the validity of a trajectory assertion $G$ it suffices to compute $\mathrm{SAT}(\bot, G)$. Unfortunately, when verifying all but a limited class of systems (including many memory designs [9]) we would need to write down and verify an exponentially large number of assertions. The coverage of multiple cases by the partially-ordered system model lacks sufficient precision to reliably verify the many distinct operating conditions.
In this section we first extend the trajectory formulas by introducing symbolic trajectory formulas. Each symbolic trajectory formula can express a large number of assertions that the behavior of the system must obey. We then introduce a method of verifying such a collection of assertions via symbolic simulation. The key idea is to preserve the symbolic structure of the formulas in the verification algorithm. By doing so, we can replace the need for large amounts of case analysis with algebraic manipulation. In essence, we will perform the case analysis implicitly rather than explicitly.
Symbolic Expressions
Let $V$ be a set of symbolic Boolean variables. For convenience, let $B$ denote the set $\{0, 1\}$. An assignment is a mapping $V \to B$ assigning a binary value to each variable, and the set of all possible assignments is the set of all such mappings. A domain constraint defines a restriction on the values assigned to the variables. We will denote such domain constraints by Boolean expressions. That is, let $E$ be a Boolean expression over elements of $V$; the domain constraint it denotes is the set of assignments under which $E$ evaluates to 1. The set of all assignments is denoted by the constant function $\dot{1}$, defined as yielding 1 for all assignments. Expressing domain constraints by Boolean expressions allows us to compactly specify many different circuit operating conditions with a single formula.
Symbolic Trajectory Formulas and Assertions
A (scalar) trajectory formula expresses a constraint on a trajectory. We now extend this idea by introducing symbolic trajectory formulas. A symbolic trajectory formula expresses a set of constraints on a trajectory by representing a set of (scalar) trajectory formulas. More specifically, a symbolic trajectory formula will be a function mapping each assignment to a trajectory formula. Trajectory formulas can be extended to symbolic trajectory formulas in several ways. We will present one particular definition here that is intuitively simple, yet powerful enough to make specifications of desirable system properties fairly natural. Assume $\langle S, \sqsubseteq \rangle$ is a lattice, $V$ is a set of symbolic Boolean variables, and $P$ is a set of simple predicates over $S$. A symbolic trajectory formula is defined recursively as:
1. Simple predicates: $p$ is a symbolic trajectory formula if $p \in P$. Note that the only change from the definition of trajectory formulas is that the domain constraint can now be a Boolean expression rather than only 1 or 0.
For the case of switch-level circuits, we introduce the notation $(n_i\ \mathrm{is}\ E)$ as a shorthand for the formula $(E \to (n_i\ \mathrm{is}\ 1)) \wedge (\overline{E} \to (n_i\ \mathrm{is}\ 0))$. That is, we constrain node $n_i$ to have the particular symbolic Boolean value denoted by the expression $E$.
The concept of depth is extended to the symbolic domain in the natural way, i.e., the depth of a symbolic trajectory formula is one greater than the number of nested next time operators.
A symbolic trajectory assertion is defined recursively as:
1. Simple assertions: With the above development, including our shorthand notation, we can now combine the two trajectory assertions that constitute our specification of the unit-delay inverter circuit of Fig. 2 into one symbolic trajectory assertion as follows. Assume $V = \{x\}$, then $[(\mathit{in}\ \mathrm{is}\ x) \wedge \mathbf{N}\mathrm{true} \Longrightarrow \mathbf{N}(\mathit{out}\ \mathrm{is}\ x)]$.
As a more complex example, consider the following symbolic trajectory assertion for the latch circuit of Fig. 5. Here, assume that $V = \{c, a\}$. We have the symbolic assertion
Informally, the antecedent states that depending on the $c$ ("clock") variable we either load value $a$ into the latch (by setting $n_3$ to 1 and $n_1$ to $a$) or we assume that $a$ is already stored in the latch (with $n_3$ set to 0 and $n_4$ to $a$). The consequent states that value $a$ is stored in the latch on the third time unit. Given a symbolic trajectory formula $\dot{F}$ and an assignment, the corresponding trajectory formula, obtained by applying $\dot{F}$ to the assignment, is defined recursively as:
where $e$ is the Boolean function denoted by $E$. Similarly, given a symbolic trajectory assertion $\dot{G}$ and an assignment, the corresponding trajectory assertion, obtained by applying $\dot{G}$ to the assignment, is defined recursively as:
Given the above, we can now extend the $\models_M$ relation to the symbolic domain in the standard way, i.e., if $\dot{F}$ is a symbolic trajectory formula then for every trajectory in $L(M)$ we have
Similarly, if $\dot{G}$ is a symbolic trajectory assertion then for any set $L$ of trajectories we have
Now, given a model structure $M$ and a symbolic assertion $\dot{G}$, the task of our checking algorithm is to compute the Boolean function expressing the set of assignments under which the assertion is true. For most verification problems, this should simply be the constant function $\dot{1}$, i.e., the assertion should hold under all variable assignments.
Checking Symbolic Trajectory Assertions
In Section 5, we showed how scalar trajectory assertions can be verified very efficiently by computing the satisfaction predicate. By extending the functions and relations used in this process to the symbolic domain, we can perform the same algebraic manipulations. Rather than a true/false answer, we obtain a Boolean function denoting those assignments for which the assertion holds.
Now, given a symbolic trajectory assertion $\dot{G}$, define its symbolic satisfaction predicate $\dot{\mathrm{SAT}}$ as follows: Assume we want to check this formula for the model structure corresponding to the circuit of Fig. 5. We will show the computation of the symbolic defining sequence and the symbolic defining trajectory. In order to do so, however, we must introduce an expression syntax for symbolic ternary values, i.e., functions mapping Boolean assignments to ternary values. Following our earlier convention, we will let $\dot{X}$ denote the constant function for value $X$. We will use Boolean expressions to denote cases where all assignments yield binary node values. Finally, for a Boolean expression $E_t$ and symbolic ternary expressions $E_1$ and $E_0$ we will use the notation $E_t$ …
Extensions to the Logic
The base logic, as described above, is convenient for deriving the underlying theory. Unfortunately, expressing "interesting" assertions about real systems using only the constructs given in Section 4 is very tedious. Two shortcomings make using the logic cumbersome: the fine granularity of the timing, and the lack of more powerful logical constructs. We have already introduced several shorthand notations that take partial steps in remedying these limitations. In general, one can increase the expressive power of the logic greatly by introducing further shorthands. The semantics of each such extension is defined by a syntactic translation into the base logic, and hence has a well-defined semantics and implementation. In order to define a language for writing specifications we need to define three entities: the syntax of the language, the semantics of the language, and a compilation algorithm that can translate the high-level constructs to the core logic. Furthermore, in order not to go astray in the process, a properly defined compiler function should also be proven correct in the sense that the semantics of the higher-level constructs are preserved by the compilation process. Although we will describe the extensions we have made in fairly informal terms, Joyce and Seger [23, 31] have in fact formalized a very similar language in higher-order logic and there proven that the compilation algorithm is correct. Also, as a side effect of properly formalizing the semantics of the added constructs, we open up the possibility of reasoning about the specifications themselves [31].
Timing Extensions
We have already introduced the notation $F^{[k]}$ to denote that property $F$ should hold for $k$ successive time intervals, where each interval has duration given by the depth $d(F)$. … Each of these constructs has a straightforward definition in terms of our existing notation. As an illustration, the duration construct, written $\mathrm{during}(s, e, F)$, has as arguments a start time $s$, an end time $e$ and an instantaneous trajectory formula $F$ that is to hold over this interval. This can be translated simply as true for $e < s$, or $\mathbf{N}^{s} F^{[e-s+1]}$ for $e \geq s$.
We have also seen that for most sequential circuits, reasoning at the unit step level is far too tedious. Instead, we would like to write and verify specifications at a more abstract timing level. For example, with phase-level timing, we view each period when the clocks are held at fixed values to be a phase, and assume that each phase has some minimum length $k$ [5]. For simplicity, we will first assume that all phases have the same duration. A naive approach to phase-level timing would be to translate an instantaneous phase formula $F$ into $F^{[k]}$, and introduce a "next phase" operator $\mathbf{N}_p$ defined simply as $\mathbf{N}^{k}$. That is, any property $F$ should hold throughout the phase, and each successive phase starts exactly $k$ time units from its predecessor.
Although the above attempt at phase-level timing frees us from describing the desired behaviors for every basic time unit, it has a serious drawback. The problem lies in the fact that we must specify the precise length of the phase. As a result, we overspecify the desired behavior. In fact, we only show that the system works when all phases are exactly $k$ basic time units long. Instead, we would like to verify that the system works correctly as long as each phase is at least $k$ time units long.
As was shown in Section 6 this can be accomplished by using the iteration construct of trajectory assertions.
To illustrate the problem with fixed length phases and how it can be remedied, consider the switch-level circuit of Fig. 7. Intuitively, $n_1$ is the (inverted) input to a latch, $n_3$ is the clock signal, $n_4$ is the electrical node that stores the state when the clock is low, and $n_6$ is the output of the output buffer. Suppose we are trying to determine whether a 0 stored in the latch will remain to the end of the phase even if the clock goes high. Clearly, this is a property that a latch should not satisfy, but if we assume that each phase is exactly 2 time units long, we could arrive at this false conclusion. In order to check the validity of the statement by our naive model, the following assertion would be used: … $\Longrightarrow (n_6\ \mathrm{is}\ 0)^{[3]}] \rangle ;$
it is easy to see that the circuit in Fig. 7 does not satisfy the assertion. In order to avoid this apparently "non-monotonic" behavior, it is preferable to check an assertion like: … $\Longrightarrow (n_6\ \mathrm{is}\ 0)^{[2]}] \rangle ;\ [(n_3\ \mathrm{is}\ 1) \Longrightarrow (n_6\ \mathrm{is}\ 0)] ;\ [\mathrm{true} \Longrightarrow \mathrm{true}]$
where we have used the iteration construct to make sure the property we are checking holds no matter how long the phases are. It is easy to see that this assertion will fail for the circuit shown in Fig. 7. In particular, the last iteration assertion will fail.

We can generalize the above approach by defining a "stable phase assert" command. Assume we would like to check some assertion $[A \Longrightarrow C]$, where $A$ and $C$ are instantaneous formulas, during a phase. Assume furthermore that phases are at least $k$ basic time units long. The "stable phase" assert command would simply be a shorthand for $\langle [A^{[k]} \Longrightarrow C^{[k]}] \rangle ; [A \Longrightarrow C]$. In essence, we allow the circuit to take $k$ basic time units to reach a stable state. After these $k$ units, we then prove that $[A \Longrightarrow C]$ is an invariant of the system and we also find a state containing as much information as possible but guaranteed to be smaller than or equal to every state the system can be in after any number of basic time units in which $A$ holds. We then would continue the verification of further properties from this state.

Interestingly, this phase-level timing implements a form of "oscillation control" that was included in the original cosmos simulator [5]. In the simulator, the user specifies a limit on the phase length $k$. When simulating a phase, the simulator computes new states for nodes until it reaches a stable state. Once the limit $k$ on unit steps is reached, however, any node changing state is set to $X$ rather than to its excitation. This procedure matches exactly the fixed-point implementation of the iteration construct for the ternary domain. In fact, our symbolic simulator implements the fixed-point approach in its full generality.
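The translations of this section, as an added example rather than the paper's own compiler: a small Python expander for $F^{[k]}$, $\mathrm{during}(s, e, F)$, the naive $\mathbf{N}_p$ and the stable phase assert, with a depth function that checks each generated assertion has antecedent and consequent of equal depth (the requirement the filler $\mathbf{N}\mathrm{true}$ conjuncts exist to meet). The tuple encoding of formulas is an assumption of the example.

```python
"""Compiling the timing shorthands of this section into the base logic.

Added example, not the paper's own compiler (the paper's tools do this in a
Lisp or ML meta-language).  Formulas are tuples: ("pred", name), ("true",),
("and", f, g) and ("next", f); an assertion is ("assert", A, C); a sequence
is a Python list; an iterated block is ("iter", assertion).  Each shorthand
below is expanded by the syntactic translation the text gives for it.
"""
from typing import List

TRUE = ("true",)


def pred(name: str):
    return ("pred", name)


def conj(f, g):
    return ("and", f, g)


def nxt(f):
    return ("next", f)


def depth(f) -> int:
    """Depth: one more than the number of nested next-time operators."""
    tag = f[0]
    if tag in ("pred", "true"):
        return 1
    if tag == "and":
        return max(depth(f[1]), depth(f[2]))
    if tag == "next":
        return 1 + depth(f[1])
    raise ValueError(f"not a formula: {tag}")


def next_power(f, k: int):
    """N^k F."""
    for _ in range(k):
        f = nxt(f)
    return f


def repeat(f, k: int):
    """F^[k]: F holds for k successive intervals, each of duration depth(F),
    i.e. F and N^d F and ... and N^((k-1)d) F with d = depth(F)."""
    if k <= 0:
        return TRUE
    d, result = depth(f), f
    for i in range(1, k):
        result = conj(result, next_power(f, i * d))
    return result


def during(s: int, e: int, f):
    """during(s, e, F): true for e < s, otherwise N^s F^[e-s+1]."""
    return TRUE if e < s else next_power(repeat(f, e - s + 1), s)


def next_phase(f, k: int):
    """The naive phase-level next operator N_p = N^k (phases of exactly k units)."""
    return next_power(f, k)


def assertion(a, c):
    return ("assert", a, c)


def stable_phase(a, c, k: int) -> List:
    """<[A^[k] => C^[k]]> ; [A => C]: let the circuit take up to k units to
    settle, then show that [A => C] is an invariant of the phase."""
    return [("iter", assertion(repeat(a, k), repeat(c, k))), assertion(a, c)]


def pad(f, d: int):
    """The "filler" conjunct N^(d-1) true that raises depth(F) to d, as in the
    antecedents of the inverter assertions."""
    return f if depth(f) >= d else conj(f, next_power(TRUE, d - 1))


def well_formed(assertions: List) -> bool:
    """The base logic requires antecedent and consequent of equal depth."""
    for item in assertions:
        a = item[1] if item[0] == "iter" else item
        if a[0] != "assert" or depth(a[1]) != depth(a[2]):
            return False
    return True


if __name__ == "__main__":
    p, q = pred("n3 is 1"), pred("n6 is 0")
    print(during(1, 3, p), depth(during(1, 3, p)))
    print(well_formed(stable_phase(p, q, 2)), well_formed([assertion(p, nxt(q))]))
```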
Data Handling Extensions
There are several extensions that simplify the task of writing specifications. One powerful approach is to use symbolic indexing, where a vector of Boolean functions is interpreted as the symbolic representation of a bounded integer. This symbolic integer is then used to index into an array of nodes [1, 7]. This notation provides a powerful technique for specifying and verifying the addressing operations of a memory where the symbolic integer represents an address, and the vector of nodes represents the different memory elements.
For example, the effect of a write operation for a random-access memory can be specified by an assertion:
In this assertion, $\vec{Ad}$ is a vector of the $p$ nodes forming the address inputs to the memory, while $\vec{A}$ is a vector of $p$ Boolean variables. $\vec{M}$ is a vector of $2^p$ nodes forming the memory elements. Informally, the assertion states: "given address and data values $A$ and $d$ on the inputs, a write operation will cause data $d$ to be stored in memory location $A$". Note that we have interpreted the "next-time" operator as denoting a complete cycling of the memory. In practice we actually operate the memory at a phase level, and use the phase-level timing model described above.

Memory verification illustrates the efficiencies our method gains by partially-ordered system modeling. To verify the above assertion, the verifier would execute a simulation with all memory locations initialized to $X$, and with the address and data inputs set to Boolean variables, requiring a total of $p + 1$ Boolean variables to verify the behavior of a $2^p$-bit memory. To check the consequent, it would compare the resulting state of each memory location $i$ with the symbolic ternary function that equals $d$ under $[(i_{p-1} \odot A_{p-1}) \wedge \cdots \wedge (i_0 \odot A_0)]$ and $X$ otherwise, where $i_j$ is the $j$th bit in the binary representation of $i$, $A_j$ is the $j$th element of the vector of variables $\vec{A}$, and $\odot$ represents the Exclusive-Nor operation, i.e., the complement of Exclusive-Or. For example, for a 4-bit memory ($p = 2$), the verification conditions for each memory location would be:
Full verification of a memory also requires verifying the read operation, and verifying that neither operation affects the data in any location other than the one being addressed. All of the operations can be verified by 3 symbolic simulations, none involving more than $2p + 1$ variables. We can exploit the large number of "don't care" conditions that arise in the operation of a memory. In verifying memory behavior for a given location, we don't generally care what values were stored in other memory locations. Similar methods can be used to efficiently verify more complex systems containing embedded memories and register arrays, such as microprocessors and data paths.
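The memory write and read checks, as an added example (not the paper's verifier): symbolic ternary node values are modelled as Python functions over the $p + 1$ variable assignments, the memory model with its address decoder is constructed for the example, and each location after a write is compared with the expected function stated above. A constructed faulty decoder that ignores the top address bit shows the same check failing.

```python
"""Symbolic indexing check of a 2^p-bit memory (write and read).

Added example, not the paper's own verifier.  A symbolic ternary value is
modelled as a function from an assignment of the Boolean variables
A_0..A_{p-1} (the address) and d (the data) to '0', '1' or 'X'.  The memory
model is constructed for the example: a write sets location i to d exactly
under the assignments where the decoded address equals i.  The expected
result for location i is d when (i_{p-1} xnor A_{p-1}) and ... and
(i_0 xnor A_0) holds and X otherwise, as stated in the text.
"""
from itertools import product
from typing import Callable, Dict, List

Assignment = Dict[str, int]
SymTernary = Callable[[Assignment], str]


def var_names(p: int) -> List[str]:
    return [f"A{j}" for j in range(p)] + ["d"]


def assignments(p: int):
    """Every assignment of the p + 1 Boolean variables (p address bits and d)."""
    names = var_names(p)
    for bits in product((0, 1), repeat=len(names)):
        yield dict(zip(names, bits))


def address(rho: Assignment, p: int) -> int:
    """Integer denoted by the address variables under one assignment."""
    return sum(rho[f"A{j}"] << j for j in range(p))


def sym_const(c: str) -> SymTernary:
    return lambda rho: c


def sym_var(name: str) -> SymTernary:
    return lambda rho: str(rho[name])


def write_cycle(mem: List[SymTernary], p: int, decoder=address) -> List[SymTernary]:
    """One memory cycle with a symbolic address: location i receives d under the
    assignments the decoder maps to i and keeps its old value elsewhere."""
    def cell(i: int) -> SymTernary:
        return lambda rho: str(rho["d"]) if decoder(rho, p) == i else mem[i](rho)
    return [cell(i) for i in range(2 ** p)]


def read_cycle(mem: List[SymTernary], p: int) -> SymTernary:
    """Read-out: the value of the location selected by the symbolic address."""
    return lambda rho: mem[address(rho, p)](rho)


def expected_after_write(i: int, p: int) -> SymTernary:
    """[(i_{p-1} xnor A_{p-1}) and ... and (i_0 xnor A_0)] -> d, X otherwise."""
    def value(rho: Assignment) -> str:
        matches = all(((i >> j) & 1) == rho[f"A{j}"] for j in range(p))
        return str(rho["d"]) if matches else "X"
    return value


def sym_equal(f: SymTernary, g: SymTernary, p: int) -> bool:
    """Two symbolic ternary values agree if they agree under every assignment."""
    return all(f(rho) == g(rho) for rho in assignments(p))


def verify_write(p: int, decoder=address) -> bool:
    """All locations start at X; write d at address A; compare every location."""
    after = write_cycle([sym_const("X")] * (2 ** p), p, decoder)
    return all(sym_equal(after[i], expected_after_write(i, p), p) for i in range(2 ** p))


def verify_read(p: int) -> bool:
    """Initialise location A to d by symbolic indexing, then read it back."""
    mem = [expected_after_write(i, p) for i in range(2 ** p)]
    return sym_equal(read_cycle(mem, p), sym_var("d"), p)


def faulty_decoder(rho: Assignment, p: int) -> int:
    """Constructed fault: the top address bit is ignored, so locations alias."""
    return address(rho, p) & ((1 << (p - 1)) - 1)


if __name__ == "__main__":
    print(verify_write(2), verify_read(2), verify_write(2, faulty_decoder))
```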
User Defined Constructs
With the above extensions, it is more convenient to write specifications. However, any non-trivial specification would still be much too large and obscure to be practical. What is needed is some way of structuring the specification. In the prototype tools we have developed [11, 32] this is accomplished by using a meta-language [20]. In other words, we use a general purpose language to build up the various constructs that our specification language contains.
In our original prototype system [11] we used a dialect of Lisp as meta-language. When the Lisp program was run, it wrote to a file the verification conditions expressed in a slightly enriched version of the core logic that resulted in the translation of the higher level constructs. This text file was then fed to a modified version of the cosmos symbolic simulator. In a more recent system, called Voss [32], developed at the University of British Columbia, the meta language is a dialect of ML [27]. Here, the modified version of the symbolic simulator is incorporated directly in the language and thus the user interacts directly with the evaluator through the ML language. For more details of this system, the reader is referred to [32].
Given that the verification system is embedded in a general purpose language, and the user actually writes code in this language, it is easy to define new extensions. In fact, by writing new functions and procedures it becomes very natural to express the trajectory assertions in a hierarchical way, improving the readability of (and consequently the confidence in) the assertions.
Verification Over Other Domains
So far, all our examples have been related to switch-level (and gate-level) verification. On the other hand, the theory was developed using a very general model of systems. The question arises whether there are other domains for which trajectory evaluation is useful. In this section we will discuss one such domain and an application that can beneficially be modeled in the domain. Consider verifying the circuit shown in Fig. 8. … The circuit of Fig. 8 can clearly be modeled at a switch level and be verified using the switch-level model we have used throughout the paper. However, for very wide data paths, this could be quite expensive. Also, if the circuit contained a multiplier, rather than an adder, we would very quickly encounter difficulties in carrying out the symbolic evaluation since we would most likely represent the values on the nodes as some kind of ordered binary decision diagram, which has difficulties in representing multiplication [8].
What makes the above dependency on the word size unfortunate is that, in some sense, the width of the data path is unrelated to the functionality of the circuit. In particular, the control logic is likely to be independent of the width of the data path. The question arises how to verify the control part for an arbitrary width of the data path. The natural way of verifying the controller by writing a specification in terms of internal control lines is both cumbersome and error prone. What we would like to do is to replace the detailed implementation of the data path with a more abstract, and computationally cheaper, version. If we do so, we split up the verification task into verifying that the abstract version of the data path corresponds to the actual data path and that the controller together with the abstract data path works as intended. The first task is quite straightforward since the structure of the abstract data path will likely correspond very closely with the structure of the actual data path. Thus we will focus on the second task. This approach is conceptually similar to the abstraction techniques used in temporal logic model checking [15, 34].

In order to illustrate the idea of using a more abstract domain and a corresponding abstract version of the data path, consider the flat domain whose Hasse diagram is shown in Fig. 9. Intuitively, $u$ and $v$ are used to represent arbitrary values and $s$ is used to represent the sum of $u$ and $v$. The value $B$ is used to denote an unknown value. A possible next-state function for the adder and a possible next-state function ($R_i$) for one of the register words when the write enable signal ($W$) is 0, 1, and $X$ respectively, are shown in Fig. 10. It is easy to convince oneself that the next-state function is monotone.
The complete lattice for the circuit can now be formed in the same way as for the switch-level model discussed in Section 3, i.e., we form the cross product of all the subcomponents' domains and then add an artificial top element. Also, the next-state function can be derived by extending the individual excitation functions to this extended domain. It is easy to verify that the obtained lattice and next-state function indeed satisfy our requirements for being a model structure. The only remaining missing piece is now some simple predicates for this domain. We will use the obvious ones: $n_i$ is $u$, $n_i$ is $v$, and $n_i$ is $s$, where $n_i$ is a node name in the circuit. Note that "node" in this … Here we have actually assumed a unit delay for the complete cycle. An obvious generalization would adapt the verification conditions to more realistic timing. Note that the complete verification only requires $3\log(n)$ Boolean variables for a register file with $n$ words. Also, the verification is independent of the actual width of the data path.

In many ways, the idea of using a flat domain in carrying out the verification is similar to the idea of "generic" specifications [22]. In generic specifications, which rely on using higher-order logic, the actual computations performed by the ALU and the other components in the data path are simply provided as functions that are not instantiated during the proof of the control logic. In fact, the high-level correctness proof for the circuit of Fig. 8 would be of the form "for every possible function $f$ of proper type, the circuit will read the contents of registers $A$ and $B$, apply $f$ to these two values, and write the result into register $D$". Our approach of using a flat domain and using a conservative next-state function can be viewed as Skolemizing the universal quantification in the generic specification and incorporating the computation in the value domain. Thus, the value $s$ we added to the domain corresponds to $f(u, v)$.
In general, this use of a flat domain for parts of the circuit works well for circuits in which there is a clear distinction between data path and control. The difficult task of verifying the control logic can thus be carried out independently of the width of the data path. Of course, in using higher-level models such as this, one must generate more abstract system models than does our current switch-level circuit analyzer. We leave this task as future research.
Conclusions
In terms of mathematical sophistication, the problem solved by our verification algorithm is far less ambitious than what is attempted by full-fledged temporal logic model checkers. However, we believe that our language is rich enough to be able to describe many important properties of a system and to provide a direct path by which such properties may be automatically verified. By keeping the goals of our verifier simple, we obtain an algorithm that is capable of dealing with much larger circuits.
One interesting property of our algorithm, in fact, is that its computational complexity is relatively insensitive to the system size. That is, the complexity is determined largely by the complexity of the assertion to be verified, measured in terms of the number of symbolic variables, and the depth of nesting of next-time operators. We have found that in many circuits, properties can be expressed in terms of a surprisingly small number of variables. For example, our formulas providing a complete specification of a $k$-bit random access memory involve only $2 + 2\log k$ variables. Thus, we can perform the verification in polynomial time irrespective of the heuristic efficiency of the Boolean manipulator.
An interesting question that still is unanswered is whether this type of combination of abstraction and symbolic manipulation can be used in more traditional model checking algorithms. For example, is there some suitable domain for which we can approximate the powerset of the real system by a much smaller complete lattice in such a way that the validity of some temporal formula in the approximate lattice implies the validity of the formula in the real system?
Another open question is how to develop a practical verification methodology using the type of abstract domain verification that was discussed in Section 9. In fact, the general question of what kinds of methodologies can be used for this type of formal verification is largely unanswered.
