Verification of switch-level designs with many-valued logic by Haehnle, Reiner & Kernig, Werner
Verification of Switch-Level Designs with Many-Valued Logic

Reiner Hähnle* and Werner Kernig
Institute for Logic, Complexity and Deduction Systems
Dept. of Computer Science, University of Karlsruhe, Germany
{haehnle,kernig}@ira.uka.de
Abstract Thispaper is anapproachto automatedvericationof circuits repre
sentedasswitchleveldesignsSwitchlevelmodelsSLMareawellestablished
framework formodelling lowlevel properties of circuitsWe usemanyvalued
propositional logic to represent a suitable variant of SLMLogical properties of
circuits gatelevel canbe expressed in a standardway in the same logic As a
resultwe canexpress soundness of switchleveldesignswrtto gatelevel speci
cations asmanyvalueddeductionproblemsRecent advances inmanyvalued
theoremprovingindicatethatit ispossibletohandlereallifeexamplesWereport
rst resultsobtainedwithanexperimentaltheoremprover
1 Introduction

Switch-level models (SLM)¹ are well-established tools for representing a circuit on the transistor level in considerable detail. They can be used to model phenomena like propagation and resolution of undefined values, hazard detection, degradation effects, varying capacities, pull-up transistors or depletion mode transistors (see […] for a very exhaustive list). It is important to note, however, that all dimensions are symbolic values.

Traditionally, SLM have been used as a formal basis for the construction of simulation tools, which can be used for testing the behaviour of a circuit before it is actually built. In this paper we present an approach to automated verification on the switch level based on automated deduction in propositional many-valued logics. Related work was done by Bryant & Seger […] and Büttner et al. […]. The relationship between these approaches and our own is discussed in the conclusion.
Propositional many-valued logics are particularly well suited for representing SLM. Given the fact that typical SLM of real circuits contain several hundreds of parts, there is no sense in trying full first-order predicate logic. Also, the expressivity of full first-order predicate logic is not really needed. On the other hand, mere two-valued propositional logic is not advisable either, since one has to introduce lots of auxiliary variables that bear no natural meaning, such that the logical representation of SLM would become unreadable and, more important, infeasible through its many variables. We found that propositional many-valued logics are just the right tool for adequate representation of SLM if truth values are interpreted as different levels of voltage. Together with a logical representation of the intended function of a circuit it becomes possible to establish its soundness in terms of a formal proof in many-valued logic.

* Research supported by IBM Germany and Deutsche Forschungsgemeinschaft.
¹ Switch-level models were introduced in the late […]s mainly by Bryant […] and Hayes […] as a formal framework for modelling low-level properties of circuits.
Recent research showed that it is well possible to build generic satisfiability checkers for propositional many-valued logics that are quite efficient […]. The logical basis for many-valued deduction here is a suitable extension of analytic tableaux […]. Moreover, many-valued tableaux give rise to a reduction of many-valued deduction problems to integer programming problems […]. First results suggest that with this technique it is possible to build many-valued satisfiability checking programs whose performance comes close to state-of-the-art satisfiability checkers for classical logic.

We are confident that ultimately it is possible to prove properties of real-life circuits with our approach. In this paper we sketch the first steps towards this task. The organization of the paper is as follows: in Section 2 we describe the variant of switch-level model we used for our experiments. In Section 3 we introduce a many-valued deduction framework based on analytic tableaux. Section 4 presents the link between SLM and logic in terms of a translation from the former into the latter. This is illustrated by an example. Finally, we give statistical figures from first tests, we discuss related work and we point out the next steps.
2 The Verification Model

2.1 Switch-Level Representation of Circuits

In SLM we represent a MOS circuit as a set of nodes which are interconnected by switches (transistors). In this paper we consider only combinational and asynchronous circuits with zero-delay elements.
Denition   SwitchLevel Network A switchlevel network consists of a set N of
nodes fn
 
     n
k
g which are interconnected by a set T of transistors ft
 
     t
l
g A
subset Q ofN is called the set of source nodes and the set S   NQ is called the set
of storage nodes
Denition  MOSTransistor AMOStransistor is a bidirectional switch in a switch
level network which has three terminals called gate source and drain
A NMOStransistor is closed conducting iff the voltage at its gate terminal re
presents a logical   The transistor is open nonconducting iff the voltage at its gate
terminal represents a logical  In all other cases the state of the transistor is called
unknown
For a PMOStransistor the conditions for the gate terminal are ipped
From now on we use the more general term value instead of voltage to describe the
state of the nodes and the terminals of a transistor are nothing else than nodes
We follow 	 
 by using a sevenvalued logic in order to model one particular
switch level phenomenon namely degradation effects in CMOS circuits which occur
due to the fact that transistors constitute nonideal switches that degrade the strength of
the signals
Denition SwitchLevel Value The set of switchlevel values SLVs consists of
the elements EDDDU S S SU These are the only possible values at the nodes
of a switchlevel network The meaning of these SLVs is as follows
The strong values S and S are the values associated with the support voltage
vdd and ground gnd
D and D are values which result of a degradation effect that is the property that
a closed transistor passes on the voltage of his drain source terminal diminished
to his source drain terminal
SU and DU are undened values but correspond to a certain strength
E is the value of all nodes which are not connected to a source node via a path
through the network
RemarkIf we consider circuits in ratioed logicwe can split the degraded values further
to distinguish between depletion transistors and normal transistors
To compute the value of a node in the network we rely on the operator introduced by Hayes […], written ⊔ here. The semantics of ⊔ corresponds to the computation of the supremum in a lattice if we order the SLVs as shown in Figure 1. For an exhaustive treatment of this topic see […].

Compared to the SLM used in real simulation tools our model seems a bit simplistic; however, it should be clear that with more truth values we can achieve a much more fine-grained model. To keep this paper readable we have taken the simplest SLM which is non-trivial.
[Figure: Hasse diagram of the SLV lattice, from top to bottom: SU; S0 and S1; DU; D0 and D1; E]
Fig. 1. SLV lattice
2.2 Gate-Level Specification of Circuits

The gate-level specification of circuits is well known and we restrict ourselves to a short definition.

Definition (Gate). A gate is the smallest indivisible switching element for the processing of binary signals. It is a unidirectional element which computes an output from n inputs. Common gates are AND, OR, NOT, NAND, NOR and XOR.

In other words, gates realize certain Boolean functions.

Definition (Gate-Level Network). A gate-level network is a directed graph whose nodes are gates.

The modelling of digital systems exclusively with gate networks is regarded as insufficient for several reasons:

- circuits in ratioed logic cannot be modelled properly at the gate level;
- the analysis of circuits on the gate level is too far from the actual layout of the circuit. Connections on the chip, for instance the connection with vdd, cannot be represented with the gate model;
- gates are unidirectional elements;
- a one-to-one transformation of circuits described with gates to circuits constructed with transistors does usually not result in an efficient implementation of the desired function.
2.3 Vertical and Horizontal Verification

In general, the meaning of verification is the formal proof of a certain property, for example the correctness of a hardware system. Since the construction of a hardware system is done by several design steps, in which the designers lay down what the system should do and how it should do it, we have several tasks for verification. We call the design of what the system should do the specification and the design of how it should do it the implementation.

One possible mode of verification is the proof that a single design level (specification or implementation) is correct in itself, for example that a specification at the gate level does not produce hazards or similar kinds of errors. In a switch-level design we can verify that only properly defined voltage levels occur at the output nodes, provided that the voltages at the input nodes are proper. This kind of verification we call horizontal verification, a commonly used term for verifications concerning only one design level.

In contrast, we can also perform vertical verification, which includes two levels of the design hierarchy. For instance, we can prove soundness of a gate-level specification with respect to a switch-level implementation. A complete stratification ranging from the physical level to high-level functional properties of complex circuits would incorporate many other formalisms than propositional logic. The type of formal system used is determined by the complexity of the circuit and the kind of properties which are to be verified. For functional verification of a CPU, for instance, first-order or even higher-order logic may be required. The drawback of these more complicated formalisms is that they are not amenable to full automatization. If the amount of automatization within the whole verification task is to be maximized, it is crucial that at each level the most adequate formalism is used. For the switch level this is many-valued temporal propositional logic.

In the field of hardware verification several meanings of the term verification are in common use: simulation, complete testing and formal verification. Our understanding is formal verification, which means that the verification is mathematical and not experimental. Correctness is understood in this paper as a mathematical relation between two entities, for example a specification/implementation pair. Formal verification allows a general proposition, in contrast to simulation, where we can only prove the presence of bugs but never their absence. Correctness as a relation can be classified as follows:

- equality S = I
- equivalence S ≡ I
- logical implication S → I
- reverse logical implication I → S
- homomorphism M(S) = M(I)

We choose in the following the logical implication I → S, which denotes that a specification S is a behavioural abstraction; in other words, the formal verification that a switch-level network realizes the same function as a given gate-level network. For a more detailed survey on formal verification of hardware correctness see […].
3 Automatic Proof Search in Many-Valued Logic

In this section we give a very brief introduction into the logical formalism underlying our verification approach. For more details we refer the reader to […].

3.1 Many-Valued Logic

Definition (Syntax, Truth Values). Let L be a propositional language with propositional variables L₀ and connectives F. Let N be the set of truth values; for definiteness take equidistant rational numbers, i.e. N = {0, 1/(n−1), …, (n−2)/(n−1), 1}, and define n to be the cardinality of N.

Definition (Semantics, Many-Valued Logic). Connectives F ∈ F are interpreted as functions with finite range and domain; in other words, if k is the arity of F, we associate a function f: N^k → N with F, which we call the interpretation of F. Let f be the family of functions over N associated with the connectives in F. Then we call f an n-valued matrix for L and the triple ⟨L, f, N⟩ an n-valued propositional logic. In practice we always take the same symbols for f and F.

Definition (Valuation). Let L = ⟨L, f, N⟩ be an n-valued propositional logic. A valuation for L is a function v: L₀ → N. As usual, v can be uniquely extended to a homomorphism from L to N via

    v(F(φ₁, …, φ_k)) = f(v(φ₁), …, v(φ_k)),

where f is the interpretation of F.

Definition (S-Satisfiable, S-Tautology). For S ⊆ N and an n-valued propositional logic L, call a formula φ ∈ L S-satisfiable iff there is a valuation v such that v(φ) ∈ S. Call φ an S-tautology iff v(φ) ∈ S for all valuations v.
3.2 Analytic Tableaux

Analytic tableaux are a sound and complete proof procedure for classical first-order predicate logic introduced in the […]s; a standard reference is […]. The version we present here is modified for the efficient treatment of many-valued logics, cf. […].

Definition (Signed Formula). Let φ ∈ L, S ⊆ N. Then we call the expression S:φ a signed formula. The set of signed formulas is denoted with L.

Signed formulas are a device for talking about many-valued logics with only two truth values on the meta-level. In […] we introduced systematically truth value sets as signs in order to achieve an adequate representation of the many-valued search space. We coined this the sets-as-signs approach. In […] it is demonstrated that using sets-as-signs in some way is crucial for the efficiency of any many-valued proof procedure.

Analytic tableaux are a refutation procedure. For our purposes it is sufficient to visualize a tableau proof as a finite labelled tree whose node labels are signed formulas. To prove validity of a formula S:φ we begin with a tableau whose single node is labelled with the complement (N \ S):φ. Now this formula is analysed following its syntactic structure in a top-down manner to the atomic level. If we arrive at a contradiction in any case we have proved that no valuation can satisfy the root; in other words, φ is an S-tautology. Rather than giving the formal definitions we illustrate the process with a small example from classical logic.

Example. We prove that the formula (p ∨ p) → p is a classical tautology, that is, {1}:(p ∨ p) → p holds. The initial tableau consists of the complemented theorem

    {0}:(p ∨ p) → p

Next we analyze the truth conditions for {0} and the top connective →. For each combination of signs and connectives there is a rule that characterizes it. In the present case we need the following rules:

      {1}:φ ∨ ψ               {0}:φ → ψ
    ----------------          -----------
    {1}:φ  |  {1}:ψ              {1}:φ
                                 {0}:ψ

Rule application to a formula S:φ in the tree means that we can append to any of the paths containing it as many new branches as there are extensions in the conclusion of the rule whose premise matches S:φ. The new branches contain the formulas from the rule extensions. In our example we apply first the rule on the right and then, on the first of the resulting formulas, the rule on the left:

    {0}:(p ∨ p) → p
    {1}:p ∨ p
    {0}:p
    {1}:p  |  {1}:p

Formulas within the same branch are conjunctively connected, while formulas in different branches are disjunctively connected. We notice that each branch in the example contains a complementary pair of formulas, that is S₁:φ, S₂:φ with S₁ ∩ S₂ = ∅. Such branches are called closed. A tableau represents a proof iff all its branches are closed.
The extension of this framework to many-valued logics is more or less straightforward. To prove that φ is an S-tautology we simply construct a many-valued tableau with root (N \ S):φ. Many-valued tableau rules can be stated very much like their two-valued counterparts. For instance, if we define many-valued conjunction as i ∧ j = min(i, j), where min is the natural minimum on N, we find the following rule for {1/2, 1}:φ ∧ ψ in three-valued logic:

      {1/2, 1}:φ ∧ ψ
    ------------------
        {1/2, 1}:φ
        {1/2, 1}:ψ
One difference between the two-valued and the many-valued case is that in the latter more than two extensions in the rules may become necessary. Another important difference is the slightly more general notion of branch closure.

Definition (Many-Valued Closure). A branch in a many-valued tableau is closed iff

(i) either it contains signed formulas S₁:φ, …, S_m:φ such that S₁ ∩ … ∩ S_m = ∅,

(ii) or a single signed formula S:F(φ₁, …, φ_k) such that rg(f) ∩ S = ∅, where rg(f) = { f(j₁, …, j_k) | j₁, …, j_k ∈ N }.

For some logics, including classical logic, m = 2 is sufficient for completeness and (ii) never occurs […]. Then, of course, we have the old notion of closure.

Remark. It is in general not necessary to have all 2^n possible signs present to achieve a sound and complete system; see […] for necessary conditions on the set of signs. On the other hand, the more signs are present, the fewer extensions the rules tend to have and, consequently, the shorter the proofs become.

Remark. Various improvements of analytic tableaux known from the two-valued case, such as lemma generation, structure sharing, selection heuristics etc., carry over to the many-valued case.
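As an added illustration of the procedure described in this section (this code is not from the paper and not from the authors' prover), the following Python module implements a signed tableau prover for an arbitrary finite-valued logic in the sense of the definitions above. Rules are generated directly from the truth functions: for a signed formula S:F(φ₁, …, φ_k) there is one extension per tuple of argument values whose image under f lies in S. The sets-as-signs rules of the paper group these tuples into far fewer extensions; the plain enumeration here is the simplest sound version and is my own choice. Branch closure follows the many-valued closure definition: condition (i) is checked by intersecting the signs that accumulate on each variable, and condition (ii) appears as a rule with no extension at all. The classical (p ∨ p) → p example and the sign {1/2, 1} are the page's; the formula encoding, the class and function names, and the three-valued connectives min, max and 1 − x are assumptions made for this example.

```python
from fractions import Fraction
from itertools import product

# Formulas are nested tuples: ("var", name) or ("op", name, (arg, ...)).
def var(name):
    return ("var", name)

def op(name, *args):
    return ("op", name, tuple(args))

class FiniteLogic:
    """An n-valued propositional logic <L, f, N>: the truth value set N and
    the family f of truth functions, one per connective name (assumed layout)."""
    def __init__(self, values, ops):
        self.values = frozenset(Fraction(v) for v in values)
        self.ops = ops  # connective name -> Python function on Fraction values

def rule_extensions(logic, sign, name, arity):
    """Extensions of the tableau rule for S:F(phi_1, ..., phi_k): one per tuple
    (j_1, ..., j_k) of argument values with f(j_1, ..., j_k) in S. An empty list
    is exactly closure condition (ii): rg(f) and S are disjoint."""
    f = logic.ops[name]
    return [t for t in product(sorted(logic.values), repeat=arity) if f(*t) in sign]

def _branch_closes(logic, todo, atoms):
    """todo: signed formulas on this branch not yet analysed; atoms: variable ->
    intersection of all signs seen for it (closure condition (i) when empty).
    Returns True iff every branch below this point closes."""
    if not todo:
        return False  # nothing left to analyse and no contradiction: an open branch
    sign, formula = todo[0]
    rest = todo[1:]
    if formula[0] == "var":
        seen = atoms.get(formula[1], logic.values) & sign
        if not seen:
            return True  # closure (i): S_1 ∩ ... ∩ S_m = ∅ for the same formula
        return _branch_closes(logic, rest, {**atoms, formula[1]: seen})
    _, name, args = formula
    exts = rule_extensions(logic, sign, name, len(args))
    if not exts:
        return True  # closure (ii)
    # every extension opens a new branch; all of them must close
    return all(
        _branch_closes(logic, [(frozenset([j]), a) for j, a in zip(t, args)] + rest, atoms)
        for t in exts)

def is_tautology(logic, sign, formula):
    """phi is an S-tautology iff the tableau with root (N minus S):phi closes."""
    complement = logic.values - frozenset(Fraction(v) for v in sign)
    return _branch_closes(logic, [(complement, formula)], {})

# Classical logic N = {0, 1} with the connectives of the (p ∨ p) → p example.
CLASSICAL = FiniteLogic([0, 1], {
    "or": max, "and": min,
    "imp": lambda a, b: Fraction(1) if a <= b else Fraction(0),
})
# Three-valued logic N = {0, 1/2, 1} with min/max conjunction/disjunction
# and negation 1 - x (a constructed example logic, not one from the paper).
THREE = FiniteLogic([0, Fraction(1, 2), 1], {
    "and": min, "or": max, "not": lambda a: 1 - a,
})

p = var("p")
EXAMPLE_CLASSICAL = op("imp", op("or", p, p), p)   # the page's (p ∨ p) → p
EXCLUDED_MIDDLE = op("or", p, op("not", p))         # p ∨ ¬p

if __name__ == "__main__":
    print(is_tautology(CLASSICAL, [1], EXAMPLE_CLASSICAL))            # True
    print(is_tautology(THREE, [Fraction(1, 2), 1], EXCLUDED_MIDDLE))  # True: value is always >= 1/2
    print(is_tautology(THREE, [1], EXCLUDED_MIDDLE))                  # False: p = 1/2 gives 1/2
    print(rule_extensions(THREE, {Fraction(1, 2), 1}, "and", 2))      # the four tuples with min >= 1/2
```

The last call lists the argument tuples behind the {1/2, 1}:φ ∧ ψ rule shown above; the sets-as-signs rule condenses these four tuples into the single extension {1/2, 1}:φ, {1/2, 1}:ψ, which is where the efficiency gain discussed in the text comes from.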
In […] it is demonstrated that many-valued tableaux with a certain extension of the syntax can be naturally translated into integer programming (IP) problems, which can then be solved quite efficiently with various algorithms. First results indicate that it is well possible to handle formulas with up to several hundred propositional variables and more than one thousand connectives that way.
4 Verification with Many-Valued Logic

In this section we provide the connection between SLM and many-valued logic. The basic idea is to treat switch-level values as truth values and to represent nodes and transistors as many-valued connectives. Thus we define a many-valued propositional logic L_SLM, called switch-level logic, as follows.

Definition (L_SLM). Let L_SLM be the seven-valued propositional logic with

- truth values N = {E, D0, D1, DU, S0, S1, SU},
- binary connectives {ntrs, ptrs, ntrd, ptrd, AND, OR, XOR, NAND, NOR, imp, spec, m_imp},
- unary connectives {definite, vdd, gnd, NOT},

and with the truth table semantics as given in Tables 1 to 4.

The meaning of the connectives should be clear; for example, ntrs computes the value of the source terminal according to the given values at the gate and drain terminals.²

² ptrs and ptrd, as well as ntrs and ntrd, have identical definitions in the current model. This is likely to change when models become more fine-grained. Moreover, the binary connectives suggest a unidirectional behaviour of transistors. A bidirectional model could easily be attained by taking ternary predicates ptr(Gate, Source, Drain) instead of binary ones (cf. […]); however, we wanted to keep the definitions as simple as possible.

Table 1. Truth tables for NOT, AND, OR, NAND, NOR and XOR (first operand in the rows, second operand in the columns)

    NOT |          AND | 0 1       OR | 0 1       NAND | 0 1       NOR | 0 1       XOR | 0 1
     0  | 1          0 | 0 0        0 | 0 1         0  | 1 1         0 | 1 0         0 | 0 1
     1  | 0          1 | 0 1        1 | 1 1         1  | 1 0         1 | 0 0         1 | 1 0

Table 2. Truth tables for the join ⊔, ntrs and ptrs. In the tables for the latter two, rows correspond to the gate terminal and columns to the drain.

     ⊔  | E  D0 D1 DU S0 S1 SU
    ----+---------------------
     E  | E  D0 D1 DU S0 S1 SU
     D0 | D0 D0 DU DU S0 S1 SU
     D1 | D1 DU D1 DU S0 S1 SU
     DU | DU DU DU DU S0 S1 SU
     S0 | S0 S0 S0 S0 S0 SU SU
     S1 | S1 S1 S1 S1 SU S1 SU
     SU | SU SU SU SU SU SU SU

    ntrs | E  D0 D1 DU S0 S1 SU
    -----+---------------------
     E   | E  E  E  E  E  E  E
     D0  | E  E  E  E  E  E  E
     D1  | E  D0 D1 DU S0 D1 SU
     DU  | E  DU DU DU SU DU SU
     S0  | E  E  E  E  E  E  E
     S1  | E  D0 D1 DU S0 D1 SU
     SU  | E  DU DU DU SU DU SU

    ptrs | E  D0 D1 DU S0 S1 SU
    -----+---------------------
     E   | E  E  E  E  E  E  E
     D0  | E  D0 D1 DU D0 S1 SU
     D1  | E  E  E  E  E  E  E
     DU  | E  DU DU DU DU SU SU
     S0  | E  D0 D1 DU D0 S1 SU
     S1  | E  E  E  E  E  E  E
     SU  | E  DU DU DU DU SU SU
m impIS corresponds to I  S and impIout is true iff the value of I equals
the value of out

As can be seen we have four kinds of connectives Connectives associated with
the gate level connectives associated with the switch level  ntrs ptrs ntrd
ptrd connectives used as a link between these two levels imp spec m imp and
connectives used for expressing facts at the switch level definite vdd gnd which
have sevenvalued input and Boolean output
In our rst approach only the connectives associated with the switch level have a
sevenvalued semantic whereas all others have a Boolean one One can imagine our
verication model consisting of several components each with its own associated logic
Each logic can be embedded into the most general one with a suitable reinterpretation
of the truth values Hence each of the component logics can be altered easily without

imp stands for implements not for implies in contrast to m imp which is material
implication
TableTruthtables form imp imp andspec
m imp 	 
	  
 	 
imp 	 
	  	
 	 
spec 	 
	  	
 	 
TableTruthtables fordefinite vdd andgnd
definite vdd gnd
E 	 	 	
D  	 	
D  	 	
DU 	 	 	
S  	 
S   	
SU 	 	 	
changing the whole verication model This can occur if for example one wants to
analyze the gate level with a manyvalued logic In L
SLM
we use only the SLVs as
truth values Boolean values are mapped to the SLVs So the SLVs S and D are both
mapped to the Boolean  S and D are mapped to the Boolean  and for the other
SLVs the mapping is not dened
Example Interpretation of Truth ValuesTake the signed formulafSDg  NOT
its Boolean equivalent is fg  NOT A signed formula fSUDUg  NOT never
occurs during the proof procedure because it has no Boolean equivalent and is therefore
not generated by any of the rules
Example Tableau Rules cf Section The upper left rule shown below is the one
we always need for the initial tableau The upper right rule is one of the rules for
the  connective The lower rule expresses the fact that the variable value has no
undened or unknown value This rule demonstrates the interconnection between the
different logics the premise has a Boolean semantic it is true that value has a denite
value the conclusion has a valued semantic value has a truth value from the set
fSSDDg
fSDgm impIS
fSDgI
fSDgS
fSgAB
fSgA fEDDDUgAfSgA
fEDDDUgB fSgB fSgB
fSDgdefinitevalue
fSSDDgvalue
[Figure: two CMOS transistor networks with inputs in1, in2 and output out; left: a correct NOR (two PMOS in series in the pull-up path, two NMOS in parallel in the pull-down path), right: an incorrect one]
Fig. 2. A correct and an incorrect NOR implementation
A simple example illustrates our ideas. Figure 2 shows a correct (on the left) and an incorrect (on the right) implementation of a NOR gate. We want to prove in the first case

    {S1, D1}:m_imp( imp( ptrs(in1, ptrs(in2, n1)) ⊔ ntrd(in1, n2) ⊔ ntrd(in2, n2), out ),
                    spec( NOR(in1, in2), out ) )

and in the second case

    {S1, D1}:m_imp( imp( ntrs(in1, ptrs(in2, n1)) ⊔ ntrd(in1, n2) ⊔ ptrd(in2, n2), out ),
                    spec( NOR(in1, in2), out ) )

In standard syntax this would amount to proving validity of

    f(in1, in2) = out → g(in1, in2) = out,

where f(in1, in2) is the switch-level design and g(in1, in2) the gate-level design of a circuit. The reasons not to use this notation are that (1) we wanted to use the same set of truth values for all levels and (2) the definitions of imp, spec etc. are very likely to change when the verification model gets more fine-grained.

We start our proof procedure with the complemented theorem together with the following axioms:

    {S1, D1}:vdd(n1)
    {S1, D1}:gnd(n2)
    {S1, D1}:definite(in1)
    {S1, D1}:definite(in2)

With these we have our initial database for an automatic theorem prover. Figure 3 shows the first two rule applications of the proof procedure to the initial tableau corresponding to the correct implementation.
fSDgvddn
fSDggndn
fSDgdefinitein
fSDgdefinitein
fSDgm impimp     outspecNORininout
 fromfSDgimp     out
 fromfSDgspecNORininout



FigTableauforvericationofNOR after therst tworuleapplications
5 Conclusion

With an experimental tableau-based many-valued theorem prover implemented in Prolog […] we have verified the correct NOR implementation within […] seconds and have shown the incorrectness of the second implementation within […] seconds on a SUN […]. Among the larger problems, we have verified a full adder for two binary variables with a specification consisting of […] gates and an implementation using […] transistors. There we have separated the computation of the sum and the computation of the carry. To verify the computation of the sum of two variables we need […] seconds, and for the verification of the carry computation we need […] seconds. Other experiments have shown that up to […] transistors can be handled.

Sequential circuits (i.e. with feedback) can either be handled as in […] using finite automata, or by extending the many-valued reasoner to a temporal model checker.

These figures seem not very impressive; however, they show that the approach is viable. As already noted, recent experiments with a many-valued propositional satisfiability checker based on integer programming techniques […] showed that a speedup by a factor of several hundred may be obtained by using sophisticated implementation techniques. As demonstrated in […], most inference techniques can be extended from classical to many-valued logic in an efficient way. We expect that switch-level circuits consisting of several hundred parts can be handled this way without modularizing the input.

The main contribution of this paper is to show that many-valued theorem proving on the propositional level is a promising tool for hardware verification of SLM. This is the first time that a genuine many-valued theorem proving approach is used for this purpose. In […] a similar verification problem is reduced to unification in a certain class of functionally complete finite algebras and from there to unification in Boolean algebras. In […] it is pointed out that the poss

ibility of handling a single class of functionally complete logics is not sufficient for many-valued theorem proving in practice. Also, the reduction of many-valued logic to two-valued logic as done in […] creates too much redundancy to be efficient. We argue that genuine many-valued proof procedures based on sets-as-signs […] and integer programming […] are potentially more efficient and more general than reduction techniques.

The next steps would be (i) to implement a high-performance satisfiability checker for many-valued logics, (ii) to develop many-valued logics for a more fine-grained modelling of switch-level designs, (iii) to verify larger circuits taken from real hardware designs, and (iv) to extend the theorem prover for the treatment of sequential circuits.
References

- R. E. Bryant and C.-J. H. Seger. Formal verification of digital circuits using symbolic ternary system models. In E. M. Clarke and R. P. Kurshan, editors, Computer-Aided Verification, Proc. of the 2nd International Conference CAV […], pages […]. Springer, […].
- R. E. Bryant. A switch-level model and simulator for MOS digital systems. IEEE Transactions on Computers, C-[…], […].
- W. Büttner, K. Estenfeld, R. Schmid, H.-A. Schneider and E. Tidén. Symbolic constraint handling through unification in finite algebras. Applicable Algebra in Engineering, Communication and Computing, […].
- H. Eveking. Verifikation digitaler Systeme: eine Einführung in den Entwurf korrekter digitaler Systeme. LMI, Teubner, Stuttgart, […].
- R. Hähnle. Towards an efficient tableau proof procedure for multiple-valued logics. In Proc. Workshop on Computer Science Logic, Heidelberg, pages […]. Springer LNCS […], […].
- R. Hähnle. Uniform notation of tableaux rules for multiple-valued logics. In Proc. International Symposium on Multiple-Valued Logic, Victoria, pages […]. IEEE Press, […].
- R. Hähnle. A new translation from deduction into integer programming. In Proc. Conf. on Artificial Intelligence and Symbolic Mathematical Computations, Karlsruhe. Springer LNCS, […].
- R. Hähnle. Automated Proof Search in Multiple-Valued Logics. Oxford University Press, forthcoming.
- R. Hähnle, B. Beckert, S. Gerberding and W. Kernig. The many-valued tableau-based theorem prover 3TAP. IWBS Report […], Wissenschaftliches Zentrum Heidelberg, IWBS, IBM Deutschland, July […].
- J. P. Hayes. A unified switching theory with applications to VLSI design. Proceedings of the IEEE, […], October […].
- J. P. Hayes. Pseudo-Boolean logic circuits. IEEE Transactions on Computers, C-[…], July […].
- R. Smullyan. First-Order Logic. Springer, New York, […].

This article was processed using the LaTeX macro package with LLNCS style.