Abstract: The paper describes a logical notation for reasoning about digital circuits.
§1 Introduction
Computer systems continue to grow in complexity and the distinctions between hardware and software keep on blurring. Out of this has come an increasing awareness of the need for behavioral models suited for specifying and reasoning about both digital devices and programs. Contemporary hardware description languages (for example [1, 15, 19]) are not sufficient because of various conceptual limitations:
• Most such tools are intended much more for simulation than for mathematically sound reasoning about digital systems. Many compromises are made so that the descriptions can be executed.
• Difficulties arise in developing circuit specifications that out of necessity must refer to different levels of behavioral abstraction.
• What formal tools there are for such languages cannot in general deal with the inherent parallelism and nondeterminism of circuits.
The formalism presented in this paper overcomes these problems and unifies in a single notation digital circuit behavior that is generally described by means of the following techniques:
• Register transfer operations
• Flowgraphs and transition tables
• Tables of functions
• Timing diagrams
• Schematics and block diagrams
The notation is based on discrete time intervals and combines aspects of standard temporal logics [12, 17] with features of dynamic logic [7]. Halpern et al. [6] show that useful subsets of the logic are decidable and of relatively reasonable computational complexity. This indicates that partial automation of reasoning may be practical. The formalism's applicability is by no means limited to the goals of computer-assisted verification and synthesis of circuits. This type of notation, with appropriate "syntactic sugar," could provide a fundamental and rigorous basis for communicating, reasoning or teaching about digital concepts and devices. Simulation-based languages could for example use such a logic as a vehicle for describing the intended semantics of delays and other features. Thus, semiautomated correctness checking is really only one part of a much bigger picture.
Before outlining the formalism, the paper discusses related work. The temporal logic is then informally introduced by way of sample properties. Following this, the formalism serves as a basis for specifying and reasoning about various aspects of a simple delay element as well as of a hardware multiplication circuit. Quantitative timing as well as algorithm development are discussed.
§2 Related Work
Gordon's work [4] on register-transfer systems uses a denotational semantics to provide a concise means for reasoning about clocking, feedback, instruction-set implementation and bus communication. No quantitative timing properties are considered and the notation has some difficulties in describing operations occurring over multiple cycles. Wagner [20] presents a semi-automated proof development system for reasoning about signal transitions and register transfer behavior. Unfortunately the notation suffers from a lack of formality that is difficult to remedy. Malachi and Owicki [11] utilize a temporal logic to model self-timed digital systems by giving a set of axioms. No indication is included on how to generalize the work to the entire domain of digital circuits. The work of Bochmann [2] describes and verifies properties of an arbiter, a device for regulating access to shared resources. The presentation, by means of a temporal logic, reveals some tricky aspects in reasoning about such components, although the concepts used are not as rigorously developed as they may appear to be and do not easily generalize. As in the previous works, no quantitative timing issues are examined.
Leinwand and Lamdan [9] use a type of Boolean algebra to model signal transitions. Applications include systems with feedback and critical timing constraints. The use of the notation for non-trivial examples is very unintuitive. Patterson [16] explores the verification of firmware. This work views the problem from the sequential programming standpoint without describing the underlying digital circuitry and related issues of concurrency and timing. There is also work by Meinen [13] on register transfer behavior and McWilliams [10] on worst-case time constraints.
Eveking [3] uses predicate calculus with an explicit time variable to explore verification in the Conlan language. Although such an approach can in principle describe circuits, the proliferation of variables representing explicit time points becomes a major hindrance from a practical as well as theoretical standpoint. Many high-level temporal concepts become easily obscured amid all the notation.
A number of people have used temporal logics to describe computer communication protocols [5, 8, 18]. However, the precise connections between protocols and the underlying hardware and software are still rather unclear, as are the relative advantages of the different techniques employed.
§3 Notational Preliminaries
Before the logic is introduced, it is necessary to say a little about the kinds of mathematical entities used here for modelling digital signals.
Data Values
Values are limited to natural numbers, ⊥ (read "bottom"), and finite-length vectors constructed using these elements. Both 0 and 1 as well as ⊥ serve as bits, with 0 standing for low voltage, 1 for high voltage and ⊥ representing voltages that are out of range.
§4 Temporal Logic
The temporal logic provides a basis for describing periods of time such as in timing diagrams. Concepts such as signal response and oscillation are readily expressible. Examples serve to introduce the various operators used later in this paper. This presentation has been kept rather informal, although the entire logic is explored in detail in Halpern et al. [6] and Moszkowski [14].
Time is modeled as being discrete and finite. The following figure is a typical timing diagram: Initially Z equals 0 for over 20 units, after which it equals ⊥. Notice that all times are relative. This approach is used because the properties to be examined depend solely on distances between points, independent of any absolute times.
The group of signals can be modeled as a finite temporal interval σ mapping variables and times to values. The behavior of intervals is concisely expressible by the temporal formulas presented below. Given such a formula p, the construct σ ⊨ p means that p is true for the interval σ. The notation ⊨ p signifies that the formula p is true of all intervals. Please keep in mind that all operators discussed can be expressed in terms of a small collection of fundamental notions. The properties shown are deducible from a basic set of logical rules.
Initial and Terminal Equality
The formula beg(X
Temporal Equality
Two signals X and Y are temporally equal in an interval σ if they have the same values at all times. This is written X ≈ Y and differs from the constructs for initial and terminal equality, which only examine signals' values at the extremes of the interval.
Examples:
Concept | Formula
The signal X is 0 throughout the interval | σ ⊨ X ≈ 0
The bit-and of X and Y everywhere equals 0 | σ ⊨ (X ∧ Y) ≈ 0
X agrees everywhere with the complement of Y | σ ⊨ X ≈ ¬Y
Properties:
⊨ X ≈ Y ⊃ f(X) ≈ f(Y)
If two signals are temporally equal, then any function applied to one of them temporally equals the same function applied to the other.
⊨ X ≈ 0 ⊃ (X ∧ Z) ≈ 0
If X temporally equals 0, then the bit-and of it with another signal Z also equals 0 everywhere.
The pair (X, Y) temporally equals (0,1) exactly if the signal X temporally equals 0 and Y temporally equals 1.
Temporal Stability
A signal X is stable if it has a constant, defined value. The notation used is stbX. In the case of a bit signal, this means that the signal is always 0 or always 1, that is
Example: (this and further examples omit the prefix "σ ⊨")
Concept | Formula
The complement of X is stable | stb ¬X
Properties:
Temporal Length
Quantitative timing properties are handled by a special object len whose value for any interval σ equals the length of σ.
Examples:

Concept | Formula
The interval is at least m units in length | len ≥ m
The signal X is stable and σ measures at least m units | stb X ∧ len ≥ m
The predicate empty is true exactly if the interval has length 0. The predicate skip is true if the interval has length exactly 1. Since time is discrete, this is the minimum nonzero width.
Examining Subintervals
For a formula p and interval σ, the construct □ₐ p is true if p is true in all subintervals of time contained within σ, including σ itself. Note that the "a" in □ₐ simply stands for "all" and is not a variable. The formula ◇ₛ p is true if the formula p itself is true in at least one subinterval of σ.
Examples:
Concept Formula
In some subinterval of length > m + n, X is stable
⊨ □ₐ p ⊃ p
If a formula p is true in all subintervals then it is true in the primary interval.
⊨ ◇ₛ p ≡ ¬□ₐ ¬p
A formula is true in some subinterval if and only if the formula is not everywhere false.
The logical-and of two formulas p and q is true in every subinterval if and only if both formulas are true everywhere.
⊨ ◇ₛ p ≡ ◇ₛ ◇ₛ p
A formula is somewhere true exactly if there is some subinterval in which the formula is somewhere true.
If p is true in all subintervals and q is true in some subinterval then both are simultaneously true in at least one.
⊨ (X ≈ Y) ≡ □ₐ(X = Y)
Two signals are temporally equal in an interval exactly if they are equal in every subinterval.
⊨ stb X ⊃ □ₐ stb X
If X is stable in the overall interval, X is also stable in every subinterval.
Initial Subintervals
The operators □ᵢ and ◇ᵢ are similar to □ₐ and ◇ₛ but only look at initial subintervals starting at time 0.
Example:
Concept | Formula
X is initially stable for at least the first m units | ◇ᵢ(stb X ∧ len ≥ m)
Temporal Dependence
It is useful to specify that a signal X remains stable as long as another signal Y does. X is said to depend on Y, written X dep Y. This can be expressed using the temporal formula 
If X initially equals 0, then the bit-and of X and Y depends on X.
The variables X and Y depend on Z exactly if the pair {X,Y) does.
Adjacent Subintervals
Given a time interval, the formula p ; q is true if there is at least one way to divide the interval into two adjacent subintervals σ and σ' such that the formula p is true in the first one, σ, and the formula q is true in the second, σ'. In particular, a rising signal can be described by the predicate ↑X:
This says that X is 0 for a while and then jumps to 1. The gap of quantum length represented by the test skip is necessary here since a signal cannot be 0 and 1 at exactly the same instant. Falling signals are analogously described by the construct ↓X:
Concept | Formula
X is stable and Y goes up | stb X ∧ ↑Y
Examples:
Concept | Formula
The signal Y twice goes up and down
After a series of n complements, X ends up with the initial value of the exclusive-or of X and (n mod 2). For instance, if n is even, X ends up unchanged.
If a formula p is repeated m times within a further repetition of n cycles, the net result is the same as iterating p a total of mn times.
§5 Simple Delay Element
Delay is of fundamental importance in digital systems. One of the simplest types of delay elements has the following structure:
[Figure: In → n-unit delay → Out]
Here In is the input bit signal and Out is the associated output. The variable n is a fixed natural number indicating the time delay between a value appearing on the input and later on the output. The following statement uses intervals to characterize this behavior:
In every subinterval of length exactly n units, the initial input value agrees with the final output one.
The next predicate Delay captures the required interaction:
• A delay element is also a delay element in every subinterval:
⊨ Delay(In, Out, n) ⊃ □ₐ Delay(In, Out, n)
• Zero delay is the same as temporal equality:
• Two connected delays result in a combined delay:
⊃ Delay(In1, Out2, n1 + n2)
Note that the total delay n1 + n2 is the sum of the delays n1 and n2.
An alternative delay model can be given containing an internal state of n + 1 bits that are shifted as in a queue. The two distinct models are formally equivalent, as can be expressed and demonstrated with the temporal logic.
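The following Python program is an added example, not part of the paper: it encodes the interval operators of §4 (temporal equality, stb, len, □ₐ, ◇ₛ, chop and ↑X) as predicates over finite discrete-time traces and then uses them to check the Delay properties stated above (closure under subintervals, zero delay as temporal equality, composition of two connected delays) on a constructed bit trace. The trace representation, every function name, and the choice of 0 for the first n output samples are assumptions of this example and not the paper's notation.

```python
# Added example (not from the paper): interval-logic operators of §4 over finite
# traces, applied to the n-unit delay element of §5.  The trace representation
# and all names below are assumptions of this example.
import random
from typing import Callable, Dict, List, Optional

Interval = Dict[str, List[Optional[int]]]   # signal name -> value at times 0..len
Formula = Callable[[Interval], bool]

BOTTOM = None   # models the out-of-range value ⊥


def length(s: Interval) -> int:
    """len: an interval with k+1 sample points has length k (time is discrete)."""
    return len(next(iter(s.values()))) - 1


def sub(s: Interval, i: int, j: int) -> Interval:
    """The subinterval running from time i to time j (both end points included)."""
    return {v: vals[i:j + 1] for v, vals in s.items()}


def subintervals(s: Interval):
    n = length(s)
    return ((i, j) for i in range(n + 1) for j in range(i, n + 1))


def teq(x: str, y: str) -> Formula:                     # X ≈ Y
    return lambda s: s[x] == s[y]


def const(x: str, c: int) -> Formula:                   # X ≈ c
    return lambda s: all(v == c for v in s[x])


def stb(x: str) -> Formula:                             # stb X: constant and defined
    return lambda s: s[x][0] is not BOTTOM and all(v == s[x][0] for v in s[x])


def all_sub(p: Formula) -> Formula:                     # □ₐ p: p in every subinterval
    return lambda s: all(p(sub(s, i, j)) for i, j in subintervals(s))


def some_sub(p: Formula) -> Formula:                    # ◇ₛ p: p in some subinterval
    return lambda s: any(p(sub(s, i, j)) for i, j in subintervals(s))


def chop(p: Formula, q: Formula) -> Formula:            # p ; q, the split point is shared
    return lambda s: any(p(sub(s, 0, k)) and q(sub(s, k, length(s)))
                         for k in range(length(s) + 1))


def skip(s: Interval) -> bool:                          # len = 1
    return length(s) == 1


def rise(x: str) -> Formula:                            # ↑X: X ≈ 0 ; skip ; X ≈ 1
    return chop(const(x, 0), chop(skip, const(x, 1)))


def delay(inp: str, out: str, n: int) -> Formula:
    """Delay(In, Out, n): in every subinterval of length exactly n the initial
    input value agrees with the final output value."""
    return all_sub(lambda s: length(s) != n or s[inp][0] == s[out][-1])


def delayed(values: List[Optional[int]], n: int, fill: int = 0) -> List[Optional[int]]:
    """Constructed output of an n-unit delay; the first n samples are assumed to be 0."""
    return [fill] * n + values[:len(values) - n]


def delay_chain_trace(steps: int = 12, seed: int = 7) -> Interval:
    """Constructed trace: In -> 2-unit delay -> Mid -> 3-unit delay -> Out."""
    rnd = random.Random(seed)
    inp = [rnd.randint(0, 1) for _ in range(steps + 1)]
    mid = delayed(inp, 2)
    return {"In": inp, "Mid": mid, "Out": delayed(mid, 3)}


def check_composition(s: Interval):
    """Two connected delays form a 5-unit delay, and Delay holds in every subinterval."""
    return (delay("In", "Mid", 2)(s), delay("Mid", "Out", 3)(s),
            delay("In", "Out", 5)(s), all_sub(delay("In", "Out", 5))(s))


def check_glitch(s: Interval) -> bool:
    """A single out-of-range sample on Out falsifies Delay(In, Out, 5)."""
    bad = dict(s, Out=list(s["Out"]))
    bad["Out"][8] = BOTTOM
    return delay("In", "Out", 5)(bad)
```

The evaluator is exhaustive over all subintervals, so it is only practical for short traces, but that is exactly what makes the properties checkable rather than assumed: `check_composition` returns four True values on the constructed chain, and `check_glitch` shows that one ⊥ sample is enough to violate the delay predicate.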
The object len is used in the definition of Delay to measure time. Actually, other metrics seem possible. For example, some variable might represent the number of clock cycles or machine instructions executed in each interval. The properties of delay remain basically the same.
§6 Multiplication Circuit
The hardware multiplier considered here is motivated by one discussed in Wagner's work on hardware verification [20] . The desired device behavior is first described followed by a look at implementation techniques. The multiplier has the following general structure:
The circuit accepts two numbers and after a given number of clock cycles yields the product. The numbers are represented as unsigned n-bit vectors In1 and In2 while the output Out is a 2n-bit one. In addition to the vector inputs and output, there are two input bits Ck and Ld which control operation. The signal Ck serves as the clock input and Ld initiates the loading of the vectors to be multiplied. The field count tells how many clock cycles are required. The values c1, c2 and c3 are timing coefficients used in the behavioral description.
Additional Notation
Because the multiplier deals with numbers and their representation as bit vectors, it is convenient to introduce some extra notation before giving the device's formal description: 
Overview of Description Techniques
In what follows, the predicate Multiplier(M) specifies the desired behavior of a multiplication circuit. The device's various inputs, outputs and timing coefficients are represented as fields of the single parameter M. An iterative, timing-independent multiplication algorithm is then presented which computes a product by a series of successive additions. Later, the predicate Implementation(H) characterizes a device which computes sums and in fact has the algorithm's steps embedded within it. A logical implication is then given, showing how Implementation(H) realizes Multiplier(M).
Formal Specification of Multiplication Circuit
The predicate Multiplier formally characterizes the circuit's desired structure and behavior. The single parameter M is a tuple representing the multiplier. For example, the expression M.Ck equals the clock input. The predicate's definition makes reference to other predicates given later:
Multiplier{M) =def
MultStructure(M) ∧ □ₐ Calculate(M)
The predicate MultStructure presents M's fields. The predicate Calculate gives the control sequencing required to perform a multiplication. The operator □ₐ indicates that Calculate must be true in all subintervals. For brevity, the prefix "M." is omitted when a field is referenced below.
Definition of Calculate:
If the inputs behave as specified by the predicate Control, the output Out ends up with the product of the initial values of Inl and In2. Recall that the function nval converts a bit sequence to the corresponding numerical value.
Calculate(M) =def
Control(M) ⊃ [nval(In1) · nval(In2)] → nval(Out)
Definition of Control:
The predicate Control describes the required sequencing of the inputs so that a multiplication takes place. The computation first loads the circuit and then keeps the load line inactive while the clock is cycled.
Loading is done as indicated by the predicate Load. The clock is cycled as given by the predicate SingleCycle. The control signal Ld starts with the value 1 and together with the other inputs Inl and In2 remains initially stable as long as the clock input Ck does.
Load(M) =def
SingleCycle(M) ∧ beg(Ld = 1) ∧ (Ld, In1, In2) dep Ck
Definition of SingleCycle:
An individual clock cycle consists of a negative pulse:
The clock signal falls from 1 to 0 and then rises back to 1. The three times given indicate the minimum widths of the levels during which the clock is stable.
Definition of Cycling:
The overall cycling of the clock is as follows:
A total of count individual cycles must be performed one after the other, where each is a negative pulse satisfying the predicate SingleCycle.
Variants of the Specification
The predicate Multiplier does not represent the only way to describe the multiplier circuit. Alternative approaches based on an internal state can be shown to be formally equivalent to the one given here. A useful extension to this description specifies that once the output is computed, it remains stable as long as the control inputs do. If desired, additional quantitative timing details can readily be included.
Development of Multiplication Algorithm
The specification predicate Multiplier intentionally makes no reference to any particular technique for multiplying. Since the process of multiplication does not generally depend on any specific circuit timing, it is natural to separate algorithmic issues from other implementation details. The temporal logic now serves as a basis for deriving a suitable circuit-independent algorithm for determining the product and, in the next section, as a means for describing hardware that realizes this method. The synthesis process can be viewed as a proof in reverse, starting with the goal and ending with the necessary assumptions to achieve it.
The aim here is to obtain an algorithm describing some way for doing the multiplication. The variables n, Inl, In2 and Out are represented as fields of a variable A. The predicate Goal below specifies the desired result:
If the data inputs In1 and In2 are initially defined, the output Out should end up with their product. The presentation given here reduces the problem of multiplying the two n-bit vectors to that of using repeated additions to determine successively larger partial products. The algorithm consists of initialization followed by n successive iterations. After i iterations of the loop, for i ≤ n, the initial product of In1 and the least significant i bits of In2, that is,
is computed and available in the upper n + i bits of Out. Neither In1 nor In2 is guaranteed to remain stable once initialization is complete. However, their initial values must be used throughout the calculation. The lower n − i bits of Out hold the unexamined bits of In2 (i.e., In2{n − 1 to i}). In addition, an extra n-bit variable Temp is introduced in order to remember the original value of In1. The following figure informally depicts the situation after i steps:
[Figure: Out holds n + i bits (the partial product) followed by n − i bits (the unexamined bits of In2); Temp holds the value of In1]
The predicate Assert below precisely specifies this behavior over i iterations for i ≤ n. Note that both inputs In1 and In2 must be initially defined for the operations to properly take place.
After n steps, the product must be computed. For i = n, Assert indeed observes this requirement:
Expressed in the logic, the algorithm takes the following form:
In the next two subsections, the predicates Init and Step are given in detail. Both Init and Step are derived so as to maintain Assert after looping i times for any i ≤ n:
The properties (*) and (**) together ensure that n iterations of the loop calculate the product:
Deriving the Predicate Init
The initialization requirement can be obtained by making sure Init satisfies Assert for i = 0:
Simplification of Assert yields the constraint
This can be achieved by the definition
Deriving the Predicate Step
The iteration step should be constructed so that after i iterations for any i < n, Step can inductively widen the scope of the assertion to i + 1 increments:
Step(A)] ⊃ Assert(A, i + 1)
Each step achieves this by selectively adding Temp's n bits to Out, depending on Out's least bit, Out{0}. Only the top n bits of Out are actual inputs for the sum. The top n + 1 bits store the result. The remaining n − 1 bits of Out are simply shifted right. For Temp the requirement reduces to the formula
This guarantees that Temp continues to remember the initial value of In1.
The constraint for Out is
Step(A) 3
Thus the overall incremental step can be realized by the definition
Step(A) =def
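The following Python program is an added example and not the paper's own formulation: it carries out Init and Step on integer-encoded registers and checks Assert(A, i) after every iteration, so the inductive argument above (Init establishes Assert for i = 0, Step carries Assert from i to i + 1, and Assert at i = n yields the product) can be tested mechanically for every pair of n-bit inputs. The register layout and the names State, holds_assert, multiply, exhaustive_check and clock_cycles are assumptions of this example; the only part taken from the text is the derivation itself.

```python
# Added example (not from the paper): the shift-and-add multiplication
# algorithm of §6 on integer-encoded registers, with the loop invariant
# Assert(A, i) checked after every iteration.  Names are assumptions.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class State:
    out: int    # the 2n-bit output register Out
    temp: int   # the extra n-bit register Temp remembering the initial In1


def mask(bits: int) -> int:
    return (1 << bits) - 1


def init(n: int, in1: int, in2: int) -> State:
    """Init: Out's lower n bits hold In2 (its upper n bits are 0); Temp holds In1.
    Both inputs must be initially defined n-bit values, as the text requires."""
    if not (0 <= in1 <= mask(n) and 0 <= in2 <= mask(n)):
        raise ValueError("In1 and In2 must be defined n-bit values")
    return State(out=in2, temp=in1)


def holds_assert(n: int, in1: int, in2: int, st: State, i: int) -> bool:
    """Assert(A, i): the upper n+i bits of Out hold In1 * In2{i-1 to 0}, the lower
    n-i bits hold the unexamined bits In2{n-1 to i}, and Temp still equals In1."""
    partial = in1 * (in2 & mask(i))
    expected_out = (partial << (n - i)) | (in2 >> i)
    return st.out == expected_out and st.temp == in1


def step(n: int, st: State) -> State:
    """Step: add Temp into the top n bits of Out exactly when Out{0} is 1, keep the
    n+1-bit sum, and shift the remaining n-1 bits right.  The inputs In1 and In2
    are never read here, since they need not stay stable after initialization."""
    top = st.out >> n                                  # the top n bits feed the adder
    total = top + (st.temp if st.out & 1 else 0)       # fits in n+1 bits
    low = (st.out & mask(n)) >> 1                      # the other bits shift right
    return State(out=(total << (n - 1)) | low, temp=st.temp)


def run(n: int, in1: int, in2: int) -> List[State]:
    """All n+1 states of the algorithm, Init followed by n applications of Step."""
    states = [init(n, in1, in2)]
    for _ in range(n):
        states.append(step(n, states[-1]))
    return states


def multiply(n: int, in1: int, in2: int, check: bool = True) -> int:
    """Product of two n-bit values; with check=True every intermediate state is
    tested against Assert(A, i), mirroring the inductive derivation."""
    states = run(n, in1, in2)
    if check:
        for i, st in enumerate(states):
            if not holds_assert(n, in1, in2, st, i):
                raise AssertionError(f"Assert(A, {i}) violated: Out={st.out:#x}")
    return states[-1].out


def exhaustive_check(n: int) -> bool:
    """True when the algorithm multiplies every pair of n-bit inputs correctly."""
    return all(multiply(n, a, b) == a * b
               for a in range(1 << n) for b in range(1 << n))


def clock_cycles(n: int) -> int:
    """Implementation spends two clock cycles per Step, so M.count is 2n."""
    return 2 * n
```

A deliberate mistake, such as shifting the whole of Out right by one bit without adding into the top n bits, is caught by the first `holds_assert` that fails rather than only by a wrong final product, which is the practical value of carrying the invariant into the code.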
Description of Implementation
The circuit specified below performs the iterative algorithm just given. The definition includes relevant timing information and is broken down into parts describing the implementation's physical structure and behavior. The primary predicate Implementation overviews operation. The device's fields are shown by ImpStructure. The predicate LoadPhase specifies device operation for initially loading the inputs. Once this is achieved, the predicate MultPhase indicates how to perform the individual multiplication steps.
Implementation[H) =def
ImpStructure(H)
The structure of the implementation differs from that of the original specification by the addition of the internal state Temp for maintaining the value of Inl and by the omission of a count field giving the required number of clock cycles for computing a product. The body of LoadPhase specifies how to load the inputs as described in the algorithm:
ImpStructure(H)
LoadPhase(H) =def
Load(H) ⊃ Init(H)
The predicate Load gives the required loading sequence for the circuit inputs. The predicate Init refers to the algorithm's initialization predicate. The definition of Load is identical to that of its namesake in Multiplier:
Load(H) =def
SingleCycle(H) ∧ beg(Ld = 1) ∧ (Ld, In1, In2) dep Ck
Individual clock cycles are also defined as in Multiplier:
SingleCycle(H) =def (the negative pulse on Ck with minimum level widths c1, c2 and c3, exactly as in Multiplier)
Definition of MultPhase:
When the load signal is inactive at 0, the circuit can be clocked to perform a single iteration. The algorithm's predicate Step takes place over two clock cycles.
MultPhase(H) =def
[Ld ≈ 0 ∧ (SingleCycle(H))²] ⊃ Step(H)
Implementation Theorem
The correspondence between the implementation Implementation and the original multiplier device specification Multiplier is now given by the theorem
The value of M.count corresponds to the 2n clock cycles needed for doing the iterative computation.
The behavioral description Implementation can itself be realized by some even lower-level specification containing further details about the timing and using a still more concrete algorithm. For example, the iterative steps are decomposable into separate adds and shifts. If desired, the development ultimately examines such things as propagation through gates.
§7 Conclusion and Future Plans
Compared with conventional hardware description languages, the approach used here permits direct reasoning about signal, device and algorithm behavior at various levels of detail. In addition, the concepts relating specifications with implementations and hardware with register-transfer operations can be rigorously expressed within a single mathematical framework. A disadvantage arises from the inability to directly execute arbitrary descriptions.
Standard temporal logics and other such notations have not been designed to concisely handle the kinds of quantitative timing properties and signal transitions found in the examples considered. The intervals of time provide a unifying means for presenting various features.
The material presented only scratches the formalism's surface. Halpern et al. [6] and Moszkowski [14] cover many details of the logic, describing and comparing devices ranging from delay elements up to the Am2901 ALU bit slice developed by Advanced Micro Devices, Inc. Future work will examine microprocessors, buses and protocols, DMA, firmware and instruction sets, as well as the combined semantics of hardware and software. 
