Abstract. Diagrams have been left as an informal tool in hardware reasoning, thus rendering them unacceptable representations within formal reasoning systems. We demonstrate some advantages of formally supporting diagrams in hardware verification systems via a simple example and provide a portion of a formal logic that includes hardware diagrams upon which we are constructing a verification tool.
Introduction
Diagrams have been treated as second-class citizens within the realm of formal reasoning, despite their steady use as informal design tools. The reasons for this appear to be based more on prejudice against diagrams in logic than on any inherent properties that render diagrams inappropriate for formal use. Diagrams offer several potential advantages to hardware reasoning: they offer clear, compact and user-transferable representations, and they lack the high learning overhead associated with the formal logics underlying many state-of-the-art sentential reasoning tools. In fact, it would seem that the only thing precluding the rigorous use of diagrams in formal verification is the lack of formalization of diagrammatic representations. This paper presents initial work in a research project aimed at exploring the interactions of diagrams and sentential representations in the context of hardware design and verification. The goals of this research project are to develop a heterogeneous logic of interacting sentential and diagrammatic representations and to build a proof-checker based upon the logic. Our logic supports four representations: timing diagrams, circuit diagrams, algorithmic state machine (ASM) charts, and higher-order logic. Rules of inference bridge representations, allowing all four representations to interact during the proof process.
Previous Work
Using visual representations in hardware design frameworks is not a new idea. Various design tools and description languages have employed diagrammatic representations [5, 7, 13], and systems for reasoning about some aspects of systems using diagrammatic representations have appeared over the past year [3, 2, 10, 12]. Many systems provide formalizations of timing diagrams [2, 10, 12] and some even provide formal definitions of the interaction between timing diagrams and sentential representations [12]; however, none of these support multiple diagrammatic representations. The authors of [3] present a system in which a user can reason about system states using a graphical interval logic, but they translate their visual representations into a sentential logic for purposes of formal manipulation, unlike our logic, which is developed directly at the level of the diagrams. A previous attempt at defining a heterogeneous logic for hardware, along with more complete arguments supporting the use of diagrams in hardware formal methods, is presented in [8]. The logic presented in [8] is less fine-grained than the one presented here; their logic is based only on behavioral relationships while this work allows for reasoning about structural relationships between components. To the best of our knowledge, this work is the first to present examples of fully formal reasoning using diagrammatic logic in the hardware and formal methods communities.
The motivation for our research is based largely upon Hyperproof, the heterogeneous logic reasoning tool developed by Barwise and Etchemendy [1]. Hyperproof consists of a proof-checker for a logic of sentential and diagrammatic representations in a blocks world. We envision constructing an initial tool with much of the same flavor as Hyperproof.
Verification and Diagrammatic Representation
We believe that diagrammatic reasoning offers two main advantages in hardware verification: clarity of representation and conciseness of proof. We will use the single-pulser to demonstrate our arguments. The single-pulser is a good choice for this due to its size and clarity; such a study also complements the studies of single-pulser verifications given in these proceedings [9]. We use the work of [9] in this discussion as representative of sentential verification efforts.
To address the issue of clarity, consider the PVS implementation and specification of the single-pulser proposed by [9]. Their implementation is given below and is based upon the accompanying circuit diagram. The same specification could be given in terms of the following:
We claim that the timing diagram is a clearer representation of the intended behavior of a single-pulser than the two sentential specifications. The meaning of neither sentential specification is immediately clear, despite the fact that they are written in a straightforward style of higher-order logic. In fact, the average person might construct a diagrammatic depiction of the specifications in the process of understanding their full meanings. The advantages of clear specification are well known in the verification community. Careless interpretation of either specifications or implementations can lead to lost time in establishing proofs, or worse still, invalid proofs of correctness. Of course, the argument can also be made that there are issues of interpretation involved in using diagrams as well; we agree, but claim that the clarity of properly formalized diagrammatic representations minimizes the problem.
We now turn to comparing the sentential single-pulser verification to a possible diagrammatic verification. There are two aspects to consider: the time to develop proofs and the conciseness of the resulting proof. The PVS proof referenced in [9] took an estimated half-hour of proof time for a relatively novice PVS user; the main time expenditure was in properly formulating the specification, which took considerably longer than the actual verification [11]. Although we have no evidence to support this, we believe that specifications may be easier to state and debug using diagrammatic representations that are more familiar to practicing designers.
A brief discussion of our rules of inference is in order; our intent is to design the logic such that diagrammatic rules of inference mimic the informal reasoning steps used by designers in practice. The inference rules relating AND gates and timing diagrams appear below; other inference rules on AND gates, such as one where a low input yields a low output, can be derived from these three primitive rules. Sect. 4 presents the portion of the logic necessary to support these rules.
Comparing this proof to the PVS proof trace given in [9], it seems reasonable to argue that the diagrammatic proof is easier to follow and quite possibly easier to produce than the one required to verify spec1 in PVS. The steps taken in the diagrammatic proof are also at a lower granularity (for the sake of example) than those we expect to be taken in practice, thus compacting the proof even further. Though we have no measured results to support this, empirical evidence using Hyperproof indicates that proofs are often substantially shorter than their purely sentential equivalents [4].
The above presentation argues the benefits of using diagrammatic representations in formal verification, but it does not adequately address our particular approach of developing a logic of hardware diagrams. Certainly it would seem reasonable to merely provide a diagrammatic interface to an existing sentential logic, thereby allowing us to rely on existing tools for verification. There are certain obvious immediate benefits to such an approach, such as the timeliness with which diagrams could be used to aid in formal verification.
We believe, however, that this approach is not the correct one to take for three reasons. By using diagrams merely as an interface tool, we leave them as second-class citizens to sentential logic in the realm of formal reasoning. We believe that diagrams are as valid a representation as sentential forms in reasoning, and we are interested in the creation of logics that put diagrams on an equal par as a valid representation. In addition, using diagrams merely in an interface capacity sidesteps our belief that there are logical relationships between different diagrammatic hardware representations. Identifying these relationships may lead us to even stronger frameworks for verification, but to do so requires closer examination of the diagrams themselves as first-class citizens.
Finally, we are not convinced that translation is a desirable approach. Any formal system that uses translation needs to prove that the translation is done correctly; such an argument will require some level of proof that operates on the diagrams, so translation does not save us from needing to formally consider diagrams in proof. In addition, manipulations might be made on the translated representation that do not naturally translate back up to the diagrammatic representation; this problem would be critical for a system that implements inferences on diagrams. Lastly, there may exist natural rules of inference on diagrams that become less natural, perhaps even unwieldy, at the sentential level; this seems at odds with our goal of providing natural diagrammatic inferences.
The Heterogeneous Logic
The logic uses a model of physical components to provide a common semantics for the four representations. We present this model and the syntax and semantics of timing diagrams in this section; the definitions for the remaining representations may be found in [6].
Physical Devices
Physical devices are captured in two mathematical constructs: abstract devices, which capture the physical structure of a device, and concrete devices, which capture devices in computation states. Devices are assumed to be purely synchronous. Wires and ports are taken to be primitive objects in the logic. The term assignment refers to a function from ports in the device to values in the set {0, 1}. In defining abstract devices, we use the notion of a basic component ⟨I, O, F, D⟩ containing the input and output interface ports, function, and time delay per output port respectively, where a gate is a basic component with delay equal to 0 for all output ports. We also refer to a wiring, a function c from wires to sets of ports of cardinality at least two; ports which are elements of c(w) for a single wire w are said to be wired together by w. Non-interface ports in a device are referred to as internal ports. Paths between ports in a device are analogous to paths in directed graphs where gates and delay elements are treated as nodes and wires as edges within the device, with direction provided by electric flow. We would like to restrict the logic to handle only circuits with certain properties that make them what we call well-connected; by this we mean that the device is a single connected component, that every port has a connecting path to an output interface port, and that every cycle in a device passes through a delay element. In addition, two abstract devices will be isomorphic if there is a graph-theoretic isomorphism between them that maps equivalent basic components to one another.
Definition 1. An
Definition 2. A concrete device is an ordered pair ⟨D, i⟩ where D is an abstract device and i is an assignment to the ports of D such that for all gates g in D, the value of i on the output port of g is consistent with the values of i for the input ports of g and the function associated with g.

Lemma 1. Given a well-connected concrete device C = ⟨D, i⟩ and an assignment a to the input ports of D, there is a unique assignment i′, called the derived assignment for C given a (written C[a]), satisfying the following conditions. The concrete device ⟨D, C[a]⟩ is said to follow from C, given a.
1. ⟨D, i′⟩ is a concrete device.
2. If p is an interface input port of D, then i′(p) = a(p).
3. If p is an output port of a delay element with input port pᵢₙ, then i′(p) = i(pᵢₙ).
4. If p is an output port of some gate g, then i′(p) is Fₚ applied to the restriction of i′ to the input ports of g.
5. If p is any other port, let w be the wire connected to p and let q be the unique internal output port or input interface port in c(w). Then i′(p) = i′(q).

The above definitions are sufficient for observing the behavior of a device as one set of input values is applied to the input ports, but it will often be desirable to observe how a device behaves over time. The term assignment sequence refers to a sequence of assignments to the interface input ports of a device. Given an assignment sequence and an initial concrete device, we will also talk about a sequence of concrete devices called the run of a device, where each concrete device in the run follows from the previous one under the assignments in the sequence,
Timing Diagrams
Syntax. Our model of an individual waveform needs to take into account the signal levels depicted at each time tick; in our notation, there are three valid signal levels: high, low, and unknown. There are also two line styles, solid and dotted, used to distinguish between the levels that a signal can and cannot have at a time tick, respectively. We will use color on waveforms to classify them as representing input, output or internal signals. In addition, intervals may be specified both for purposes of naming portions of a diagram and for specifying repetitions of segments.
Definition 3. A timing pattern is a tuple ⟨K, v, x, c⟩ where
3. K is an ordered set of time ticks represented by integers such that K contains the ticks of each timing pattern in the range of P.
4. I is a subset of K × K × D, where D is a set of duration markers for intervals.
The first two elements are called the start tick and end tick of the interval, respectively; the last element is called the duration of the interval.
We will often want to take an interval of variable duration and instantiate it with a particular duration for purposes of proofs; this was demonstrated in the proof of the single-pulser. We will call a timing diagram fully instantiated if it contains no non-numeric interval duration labels. Given a fully instantiated timing diagram C with k time ticks and a waveform map from C to device D, the generated assignment sequence for D under C and the map is an assignment sequence a₁, …, aₖ such that, for each name n and the port the map assigns to n: if P(n)ᵥ is low at tick i, aᵢ assigns 0 to that port; if P(n)ᵥ is high at tick i, aᵢ assigns 1 to that port; and if P(n)ᵥ is unknown or undefined at tick i, aᵢ may assign either 0 or 1 to that port. Given an assignment a to the ports of a device D, a time tick k in a timing diagram C, and a waveform map from C to D, a matches k if for all names n in the domain of the map: if P(n)ₓ is non-excluding at tick k, then the value of a on the port mapped to n must correspond to P(n)ᵥ at k, and if P(n)ₓ is excluding at tick k, then the value of a on that port must not correspond to P(n)ᵥ at k.
Definition 5. Let D be a device, C be a fully instantiated timing diagram, and let a waveform map from C to D be given. Let a₁, …, aₖ be the generated assignment sequence for D under C and the map. C and D are said to be compatible under the map if there exists a concrete device for D such that for each Rᵢ in its run under a₁, …, aₖ, the generated assignment of Rᵢ matches tick i in C.
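As an added illustration, not part of the paper or of its PVS development, the following Python executes Lemma 1's derived assignment (conditions 2 to 5) and Definition 5's compatibility check for a constructed single-pulser device and a constructed timing diagram; the port names, the dict encoding of devices and diagrams, and the assumption that input waveforms carry no unknown levels are ours.

```python
from itertools import product

# Constructed single-pulser device for this example (port names are ours, not the paper's).
# Gates are (input ports, output port, F); delays are (p_in, p_out); each wire is a set of
# ports containing exactly one source: an input interface port or an internal output port.
SINGLE_PULSER = {
    "in_ports": ("in",), "out_ports": ("out",),
    "gates": [(("n_in",), "n_out", lambda x: 1 - x[0]),           # NOT gate, delay 0
              (("a1", "a2"), "a_out", lambda x: x[0] & x[1])],    # AND gate, delay 0
    "delays": [("d_in", "d_out")],                                # one-tick delay element
    "wiring": [{"in", "d_in", "a1"}, {"d_out", "n_in"}, {"n_out", "a2"}, {"a_out", "out"}],
}
LEVEL = {"L": (0,), "H": (1,), "X": (0, 1)}   # values an assignment may take per signal level

def source_of(dev, port):
    """Unique internal output port or input interface port on the same wire (Lemma 1, cond. 5)."""
    sources = set(dev["in_ports"]) | {g[1] for g in dev["gates"]} | {d[1] for d in dev["delays"]}
    (q,) = [p for p in next(w for w in dev["wiring"] if port in w) if p in sources]
    return q

def derived(dev, i, a):
    """C[a]: the derived assignment for concrete device <D, i> given input assignment a."""
    i2 = dict(a)                                  # cond. 2: interface inputs take a
    for p_in, p_out in dev["delays"]:
        i2[p_out] = i[p_in]                       # cond. 3: delay output is last tick's input
    pending = list(dev["gates"])
    while pending:                                # cond. 4: gates in dependency order; some gate
        g = next(g for g in pending if all(source_of(dev, p) in i2 for p in g[0]))
        ins, out, f = g                           # is always ready since every cycle passes a delay
        for p in ins:
            i2[p] = i2[source_of(dev, p)]         # cond. 5: a port copies its wire's source
        i2[out] = f(tuple(i2[p] for p in ins))
        pending.remove(g)
    for p in [d[0] for d in dev["delays"]] + list(dev["out_ports"]):
        i2[p] = i2[source_of(dev, p)]             # cond. 5 for delay inputs and output ports
    return i2

def compatible(dev, diagram, wmap):
    """Definition 5: C and D are compatible under waveform map wmap if some initial concrete
    device has a run whose assignment at each tick matches that tick of C. Assumes the input
    waveforms are fully specified (no unknown levels), so the generated sequence is unique."""
    ticks = len(next(iter(diagram.values())))
    in_names = [n for n in diagram if wmap[n] in dev["in_ports"]]
    state = [p_in for p_in, _ in dev["delays"]]   # only delay inputs carry state between ticks
    for init in product((0, 1), repeat=len(state)):   # existential over initial concrete devices
        i = dict(zip(state, init))
        for t in range(ticks):
            a = {wmap[n]: LEVEL[diagram[n][t]][0] for n in in_names}   # generated a_t
            i = derived(dev, i, a)                # R_t follows from R_{t-1} given a_t
            if any(i[wmap[n]] not in LEVEL[diagram[n][t]] for n in diagram):
                break                             # R_t does not match tick t
        else:
            return True
    return False

# Constructed timing diagram, one character per tick; waveform names mapped to device ports.
PULSE = {"in": "LHHHL", "out": "LHLLL"}
WMAP = {"in": "in", "out": "out"}
```

Changing the output waveform so that it stays high for a second tick makes `compatible` return False for every initial state, which is the semantic content of the single-pulser specification.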
Definition 6. Let C be a timing diagram and let D be a device.

Lemma 3. There exist timing diagrams that cannot be described by any well-connected device.
We are presently investigating characterizations of which non-fully instantiated timing diagrams may be described by well-connected devices; in addition we are investigating the validity of the following conjecture, adapted from [8] to our semantic definitions in the context of our timing diagram notations:
Conjecture 4. Given a timing diagram C, the set of all timing diagrams that are instantiations of C can be captured by a 1 1 formula.
Defining Rules of Inference
There are two types of inference rules in the logic: those that operate within a single representation and those that operate across multiple representations. The former are based upon behavioral modelling relationships while the latter rest on structural modelling relationships. We can define the conditions under which rules of inference may be developed in the logic; additional treatment of this material is given in [6]. In the following formulation, we use the generic ⊨ to represent one of ⊨_s or ⊨_b, depending upon the types of diagrams involved.
Consider two diagrams G₁ and G₂, which may or may not be diagrams of the same type. If it is the case that whenever D ⊨ G₁, then D ⊨ G₂ for every device D, then a rule can be formulated to infer G₂ from G₁. Similarly, given a set S of diagrams (not necessarily all of the same type), if whenever a device D models every diagram in S then D also models some diagram G₁, then G₁ can be inferred from S.
Although not presented here, the soundness of the rules presented earlier can be established in the logic.
Conclusions and Future Work
We have presented a portion of a logic that combines hardware diagrams with higher-order logic, thus demonstrating that diagrammatic representations can be formalized and used effectively in proof. The proposed system is simple and likely to be ineffective for current verification needs; we claim this is a result of the early stage of research into diagrammatic formalisms and do not expect this to be a lasting issue. We do not envision scalability to be a problem, as modules can be used as easily in diagrammatic representations as in sentential representations. Finally, although our logic seems complex and larger than many current verification logics, this is necessitated by the use of multiple representations and the non-standard semantic models.
We are in the process of completing the definition of the logic presented here; this includes presenting rules of inference and establishing soundness and completeness results for the logic. The current status of this work is available in [6]. A prototype implementation of a simple proof-checker based upon our logic is in an early development stage. We have yet to apply the logic to a substantial verification effort, but plan to do so in the near future. What is presented here is merely an initial attempt to formalize the interactions between these various diagrammatic representations. There is still much research to do both in understanding the role of diagrams in verification and in developing tools that use such formalizations.
Acknowledgements
The author would like to thank Jon Barwise, Steve Johnson, Gerry Allwein, and Shriram Krishnamurthi for their helpful comments in both the research and the preparation of this paper.
