The Verilog hardware description language (HDL) is widely used to model the structure and behaviour of digital systems ranging from simple hardware building blocks to complete systems. Its semantics is based on the scheduling of events and the propagation of changes. Different Verilog models of the same device are used during the design process and it is important that these be `equivalent'; formal methods for ensuring this could be commercially significant. Unfortunately, there is very little theory available to help. This self-contained tutorial paper explains the semantics of Verilog informally and poses a number of logical and semantic problems that are intended to provoke further research. Any theory developed to support Verilog is likely to be useful for the analysis of the similar (but more complex) language VHDL.

We show how the second-order monadic theory of strings can be used to specify hardware components and their behavior. This logic admits a decision procedure and counter-model generator based on canonical automata for formulas. We have used a system implementing these concepts to verify, or find errors in, a number of circuits proposed in the literature. The techniques we use make it easier to identify regularity in circuits, including those that are parameterized or have parameterized behavioral specifications. Our proofs are semantic and do not require lemmas or induction as would be needed when employing a conventional theory of strings as a recursive data type.

This article explores a synthesis between two distinct traditions in automated reasoning: resolution and interaction. In particular it discusses Isabelle, an interactive theorem prover based upon a form of resolution. It aims to demonstrate the value of proof tools that, compared with traditional resolution systems, seem absurdly limited. Isabelle's classical reasoner searches for proofs using a tableau approach. The reasoner is generic: it accepts rules proved in applied theories, involving defined connectives. The reasoner works in a variety of domains without reducing them to first-order logic. Resolution systems such as Otter [13], setheo [11] and pttp [34] represent automatic theorem proving at its highest point of refinement. They achieve extremely high inference rates and can run continuously for days without running out of storage. They can crack many of the toughest challenge problems that have been circulated. While they exploit many specialized algorithms, data structures and optimizations, they rely crucially on unification. Interactive systems let the user direct each step of the proof. They can implement complicated formalisms, chosen for maximum expressiveness, and typically based on the typed -calculus. hol [7, 8] and pvs [23] are used for verification of hardware and real-time systems, while Coq [4] is used for formalizing mathematics. Large numbers of axioms --- say, the description of a cpu design --- do not overwhelm them, because finding the proof is the user's job. Partial automation is sometimes provided, but a resolution enthusiast would regret the lack of uniform search procedures based on unification. One procedure provided by most interactive provers is rewriting. Rewrite rules have many advantages. Unlike programmed inference rules, they are ...

The monadic logics M2L-Str and WS1S have been successfully used for verification, although they are nonelementary decidable. Motivated by ideas from bounded model checking, we investigate procedures for bounded model construction for these logics. The problem is, given a formula and a bound k, does there exist a word model for of length k. We give a bounded model construction algorithm for M2L-Str that runs in a time exponential in k. For WS1S, we prove a negative result: bounded model construction is as hard as validity checking, i.e., it is nonelementary. From this, negative results for other monadic logics, such as S1S, follow. We present too preliminary tests using a SAT-based implementation of bounded model construction; for certain problem classes it can find counter-examples substantially faster than automata-based decision procedures.

Ternary system modeling involves extending the traditional set of binary values f0; 1g with a third value X indicating an unknown or indeterminate condition. By making this extension, we can model a wider range of circuit phenomena. We can also efficiently verify sequential circuits in which the effect of a given operation depends on only a subset of the total system state.

. In this article we present a structured approach to formal hardware verification by modelling circuits at the register-transfer level using a restricted form of higher-order logic. This restricted form of higher-order logic is sufficient for obtaining succinct descriptions of hierarchically designed register-transfer circuits. By exploiting the structure of the underlying hardware proofs and limiting the form of descriptions used, we have attained nearly complete automation in proving the equivalences of the specifications and implementations. A hardware-specific tool called MEPHISTO converts the original goal into a set of simpler subgoals, which are then automatically solved by a general-purpose, first-order prover called FAUST. Furthermore, the complete verification framework is being integrated within a commercial VLSI CAD framework. Keywords: hardware verification, higher-order logic 1 Introduction The past decade has witnessed the spiralling of interest within the academic com...

Formal verification using interactive proof-checkers has been used successfully to verify a wide variety of moderate-sized hardware designs. The industry is beginning to look at formal verification as an alternative to simulation for obtaining higher assurance than is currently possible. However, many questions remain regarding its use in practice: Can these techniques scale up to industrial systems, where are they likely to be useful, and how should industry go about incorporating them into practice? This paper describes a project recently undertaken by SRI International and Collins Commercial Avionics, a division of Rockwell International to explore some of these questions. The project formally specified in SRI's PVS language a Rockwell proprietary pipelined microprocessor (the AAMP5, built using almost half a million transistors) at both the instruction-set and register-transfer levels and used the PVS theorem prover to show the microcode correctly implemented the instruction-level ...

. This paper presents a methodology for the verification of speed-independent asynchronous circuits against a Petri net specification. The technique is based on symbolic reachability analysis, modeling both the specification and the gate-level network behavior by means of boolean functions. These functions are efficiently handled by using Binary Decision Diagrams. Algorithms for verifying the correctness of designs, as well as several circuit properties are proposed. Finally, the applicability of our verification method has been proven by checking the correctness of different benchmarks. 1 Introduction During these last few years, asynchronous circuits have gained interest due to their promising advantages, such as local synchronization, elimination of the clock skew problem, faster and less power-consuming circuits, and high degree of modularity. However, the concurrent nature of asynchronous circuits makes them difficult to design because all transitions must be taken into account ...

This document presents an informal description of the language Verdi. Verdi is the interaction language of the EVES (Version 3.0) verification system and consists of components for describing mathematical theories, for general theorem proving, for specifying and implementing programs, for proving consistency between specification and implementation, and for supporting miscellaneous other system capabilities. Acknowledgements The principal designers of Verdi are Mark Saaltink and Dan Craigen, with material assistance from Irwin Meisels. EVES was implemented primarily by Sentot Kromodimoeljo, Bill Pase and Irwin Meisels. Kromodimoeljo and Pase are responsible for the theorem proving component of EVES. The section on EVES system commands is an edited version of documentation prepared by Kromodimoeljo and Pase. Meisels implemented the Verdi interpreter; the section describing the interpreter is an edited version of documentation prepared by Meisels. The hardware, ring theory, and minimum ...

: The expressive power of higher order logic makes it possible to define a wide variety of data types within the logic and to prove theorems that state the properties of these types concisely and abstractly. This paper describes how such defined data types can be used to support formal reasoning in higher order logic about the behaviour of hardware designs. First printed: May 1988 Reprinted with revisions: April 1990 An earlier version of this paper appears in: The Fusion of Hardware Design and Verification, ed. G.J. Milne (North-Holland, 1988), pp. 27--50. Contents Introduction 5 1 Hardware Verification using Higher Order Logic 5 1.1 Notation : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 5 1.2 Specifying Hardware Behaviour : : : : : : : : : : : : : : : : : : 6 1.3 Specifying Hardware Structure : : : : : : : : : : : : : : : : : : 7 1.4 Formulating Correctness : : : : : : : : : : : : : : : : : : : : : : 8 2 Recursive Types in Higher Order Logic 8 2.1 Type Definit...