A Verification Logic Representation of Indeterministic Signal States

J. W. Gambles and P. J. Windley
NASA Space Engineering Research Center for VLSI Systems Design
University of Idaho, Moscow, Idaho 83843

3rd NASA Symposium on VLSI Design, 1991, 10.2.1 (N94-18372)

Abstract

The integration of modern CAD tools with formal verification environments requires a translation from the hardware description language of the CAD tools to the logic of the verification environment. A signal representation that includes both a degree of strength indeterminacy and an unknown logic state is essential for the correct modeling of many VLSI designs. A higher-order logic theory of indeterministic logic signals is presented.
1 Introduction

As transistor counts increase, simulation alone is becoming a very slow way of gaining confidence in a VLSI design: the number of test cases explodes, and the entire system must be modeled before the circuit structure is designed. For this reason many VLSI designers choose a top-down design approach in which an abstract behavioral model of the circuit is used at an early date, both to simplify the understanding of a complex system and to allow the behavioral description to be used as a simulation model before the circuit exists. After the circuit is designed, the behavioral models of the blocks can be replaced with circuit models and the entire system can be integrated. One problem with these design approaches is that there is currently no way to relate the circuit model to the abstract behavioral model: the structural model and the behavioral model each stand alone, with no mathematical link between them.

Formal verification methods promise to increase a designer's confidence in a design by allowing the models to be related through mathematical analysis. Before formal verification is accepted by design engineers, a verification tool must be available in the VLSI CAD tool suite, so that the same circuit descriptions used by the simulation, fault analysis and other CAD tools can also be used for verification; at present formal verification is used far more in the academic arena than by VLSI designers. This paper examines the link between the hardware description language (HDL) used by VLSI CAD tools and the logic used by the HOL theorem-proving system. Engineers using the NOVA simulation engine [10] can have their BOLT (Block Oriented Logic Translator) HDL descriptions translated automatically to HOL by a translation tool; this translation requires that the signal representations used in the simulation environment be provided in the verification logic.
2 HOL

HOL is a general theorem-proving system based on Church's higher-order logic, developed at the University of Cambridge [4,6]. Higher-order logic is well suited to specifying hardware: predicates represent both the structure and the behavior of circuits, and variables are allowed to range over functions, which makes it possible to represent circuit behavior, including sequential behavior, at the circuit, gate or higher levels of abstraction [6,8]. HOL is not an automated theorem prover, but it is more than simply a proof checker, falling somewhere between the two extremes [4]. In HOL, first-order predicates are defined for simple combinational and sequential circuit primitives, and the definitions of these primitives make it possible to prove theorems about the behavior of circuits built from them. Translation from BOLT descriptions to HOL requires that HOL primitives be defined to correspond to the circuit primitives of the simulator, including the simulator's representation of signal values.

Symbols. Types, predicates and terms in HOL are written as strings of ASCII characters. Conjunction, disjunction, negation, implication and equality are symbolized by /\, \/, ~, ==> and = respectively. Universal quantification (for all) is symbolized by ! and existential quantification (there exists) by ?. Function composition is o, and the conditional "if a then b else c" is symbolized by a => b | c.
3 Logic States and Strengths

Few modern VLSI circuits are designed using only classical logic gates [3,10]. In designs using pass-transistor, tri-state and pre-charge logic, it is common for circuit nodes to be driven from multiple circuit elements. These multiple drivers are designed to have differing drive strengths in order for one to dominate over another in cases of contention. The drive strength can be considered to be closely related to current drive (charge sourcing) capability [7,2]. The signal values represented in the NOVA simulation engine are an extension of Bryant's lattice-theoretic approach [7,11]. In the lattice-theoretic approach the elements of the domain of signal values represent the combination of a logic state, from the set {True, False, Unknown}, and a signal strength. These signal values form a partially ordered set, with their order based on strength dominance when circuit output values are combined. Bryant later abandoned the lattice-theoretic approach [2], stating "while this approach at first seems very elegant, it cannot adequately describe the effects of transistors in the X (Unknown) state." Cameron and Shovic have shown that the problem with the Unknown state can be corrected by extending the domain of signal values to include some degree of strength indeterminacy [3]. Thus, the signal values are extended to represent both logic states and a range of signal strength. The Unknown state can be the result of a node connected to two drivers, one driving to a True and the other driving to a False, neither driver having sufficient strength to dominate the other; or simply a node whose voltage is not yet known. Combining the cases of "invalid" logic level and "valid but not known" into a single Unknown state simplifies the simulation algorithm, but may make the simulator pessimistic, since it will propagate the Unknown state even when the node would resolve to a valid level. We refer to the number of strengths in the representation as N.
3.1 Representation

Given N strengths σ1, σ2, ..., σN, where σ1 is the strongest and σN = Nil is the weakest (the strength of an undriven node), the True and False states of a signal are represented as a triple bpq, where b is the logic state (1 for True, 0 for False), p (one of σ1, ..., σN-1) is the strongest strength that can be driving the node, which sets an upper bound on the overdrive needed to change the state, and q (one of σ1, ..., σN-1, no stronger than p) is the weakest strength that can be driving the node, which sets a lower bound on the overdrive. Unknown states are represented as a triple Xpq, where p (one of σ1, ..., σN-1) is the strength that can be driving the node toward a 1, which sets a lower bound on the overdrive needed to drive this state to a 0, and q (one of σ1, ..., σN-1) is the strength that can be driving the node toward a 0, which sets a lower bound on the overdrive needed to drive this state to a 1. The undriven node is represented by the single STATE Nil.

3.2 The Number of STATES

For N strengths, the number of True STATES and the number of False STATES are each

  N(N - 1) / 2,                                  (1)

the number of Unknown STATES is (N - 1)^2, and, counting Nil, the total number of STATES is

  STATES(N) = 2N^2 - 3N + 2.                     (2)

Equation (2) is equal to twice the True term of equation (1), plus the Unknown term, plus one for Nil.
4 Lattice Structure

In a partially ordered set, if a > b and there exists no element z of the set such that a > z > b, then a is said to cover b [1]. A list of all of the elements and their covers completely describes a lattice. The covers can also be used to define a graph of the lattice: if a vertex is drawn for each element, with the vertex of an element placed higher than the vertices of the elements it covers, and a line segment is drawn whenever one element covers another, the graph is called a "Hasse diagram" [1]. The three-strength lattice presented in [7,11] has no strength indeterminacy.

4.1 Defining the Lattice

The case N = 1 is a trivial lattice containing the single vertex Nil. The base case N = 2 (one strength σ1 within the range of possible strengths, plus Nil) is a simple diamond of four vertices: Xσ1σ1 at the top, 0σ1σ1 and 1σ1σ1 in the middle, and Nil at the bottom, with four covers. To extend the lattice for N strengths to N + 1 strengths:

1. Add the new strength σN at the bottom of the diagram by replacing the Nil STATE with a diamond of four STATES: XσNσN at the top, covering 0σNσN and 1σNσN, each of which covers Nil. (The STATES 0σN-1σN-1 and 1σN-1σN-1 that covered Nil no longer cover anything directly; the STATES added in step 2 are placed between them and XσNσN.)

2. For each M = N to 2, by -1, add the following STATES and covers:
   (a) XσM-1σN, covered by 0σM-1σN-1 and covering XσMσN;
   (b) XσNσM-1, covered by 1σM-1σN-1 and covering XσNσM;
   (c) 0σM-1σN, covered by XσM-1σN and covering 0σMσN;
   (d) 1σM-1σN, covered by XσNσM-1 and covering 1σMσN.

4.2 The Number of Covers

The total number of covers for N strengths is equal to

  COVERS(N) = 4N^2 - 10N + 8.                    (3)
4.3 The Lattice in HOL

The NOVA simulation engine uses N = 4 strengths: σ1 = a (active), σ2 = r (resistive), σ3 = f (float, the strength of charge stored on capacitive nodes) and σ4 = Nil. For N = 4, equation (2) yields 22 STATES and equation (3) yields 32 covers. The Hasse diagram of the lattice for N = 4 is shown in Figure 2. While the Hasse diagram provides a quick, visual understanding of the lattice structure, the list of STATES and covers is what is essential for this research, since it is what is written into the HOL logic.

A new type for signal values, STATES, is defined in HOL by enumeration using the type definition package [9]. The package allows the new type to be defined rather than simply postulated: the user is required to prove that the new type is consistent with the logic (that the 22 STATES are all distinct and that the enumeration is complete), and the package then proves automatically the theorems about the new type, including its induction theorem, that are needed in the rest of the proof. Introducing the type by definition rather than by new axioms avoids the possibility of introducing an inconsistency into the logic.

Once the STATES type is defined, the join function is defined on STATES from the list of covers, so that join a b is the least upper bound of a and b in the lattice [11]. The lattice-theoretic properties of the join function are proven as theorems in HOL by case analysis over the enumeration; designers who use the resulting translation carry no proof obligations about the signal representation. For the join function to define a lattice, the following properties are required [1,11]:

1. Idempotence. For all a STATES, join a a = a.
2. Commutativity. For all a and b STATES, join a b = join b a.
3. Associativity. For all a, b and c STATES, join a (join b c) = join (join a b) c.
4. Existence of bottom. For all a STATES, join a Nil = a.

5 Implementing the Structure in HOL

The BOLT to HOL translation is being developed to give the users of the NOVA simulation engine, whose HDL designs are of commercial scale, access to a verification tool through the signal structure described above. In addition to the signal lattice, the translation must provide HOL definitions of the primitive circuit elements of the simulator and a means of relating STATES to the boolean values used in behavioral specifications.
Figure 2: Signal Lattice for N=4 (NOVA). Hasse diagram of the 22 STATES and 32 covers, with Xaa at the top, 0aa and 1aa below it, Xar and Xra below those, and 0ff, Xff and 1ff immediately above Nil at the bottom.
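The construction of section 4.1 and the counts of sections 3.2 and 4.2, carried out in code as an added example (this is not the paper's HOL development): the lattice is built by the recursive construction, join is derived as the least upper bound of the cover order, and the properties of section 4.3 are checked exhaustively. The strength names beyond a, r and f (s4, s5, ...) are an assumption of the example.

```python
# Added example, not the paper's code: build the N-strength signal lattice by the
# construction of section 4.1, derive join as the least upper bound of the cover
# order, and check equations (2) and (3) and the join properties of section 4.3.
# Strength names follow NOVA for the first three strengths (a, r, f); the names
# s4, s5, ... used for larger N are an assumption of this example.
from itertools import product

NIL = "Nil"

def sname(i):
    return {1: "a", 2: "r", 3: "f"}.get(i, f"s{i}")

def st(b, p, q):
    """STATE name bpq: logic b in {'0', '1', 'X'}, strength indices p, q (1 = strongest)."""
    return f"{b}{sname(p)}{sname(q)}"

def build_lattice(n):
    """STATES and covers for N strengths (sigma_1 .. sigma_(N-1) real, sigma_N = Nil).
    Returns (set of STATE names, set of (upper, lower) cover pairs)."""
    # base case N = 2: the single diamond X11 / 011 111 / Nil
    states = {st("X", 1, 1), st("0", 1, 1), st("1", 1, 1), NIL}
    covers = {(st("X", 1, 1), st("0", 1, 1)), (st("X", 1, 1), st("1", 1, 1)),
              (st("0", 1, 1), NIL), (st("1", 1, 1), NIL)}
    for k in range(2, n):                 # extend k strengths to k + 1; sigma_k is new
        # step 1: replace Nil by a diamond.  The former covers of Nil are subdivided by
        # the STATES added in step 2, so they stop being covers and are dropped here.
        covers = {c for c in covers if c[1] != NIL}
        states |= {st("X", k, k), st("0", k, k), st("1", k, k)}
        covers |= {(st("X", k, k), st("0", k, k)), (st("X", k, k), st("1", k, k)),
                   (st("0", k, k), NIL), (st("1", k, k), NIL)}
        # step 2: for M = N down to 2, four new STATES, each covered by one STATE and
        # covering one STATE ((a) to (d) of section 4.1)
        for m in range(k, 1, -1):
            new = [
                (st("0", m - 1, k - 1), st("X", m - 1, k), st("X", m, k)),   # (a)
                (st("1", m - 1, k - 1), st("X", k, m - 1), st("X", k, m)),   # (b)
                (st("X", m - 1, k),     st("0", m - 1, k), st("0", m, k)),   # (c)
                (st("X", k, m - 1),     st("1", m - 1, k), st("1", m, k)),   # (d)
            ]
            for above, s, below in new:
                states.add(s)
                covers |= {(above, s), (s, below)}
    return states, covers

def order(states, covers):
    """above[s] = set of STATES >= s: reflexive-transitive closure of the covers."""
    parents = {s: set() for s in states}
    for hi, lo in covers:
        parents[lo].add(hi)
    above = {}
    for s in states:
        seen, stack = {s}, [s]
        while stack:
            for p in parents[stack.pop()]:
                if p not in seen:
                    seen.add(p)
                    stack.append(p)
        above[s] = seen
    return above

def join_table(states, covers):
    """join a b = least upper bound of a and b; raises if some pair has no least upper
    bound, which would mean the covers do not describe a lattice."""
    above = order(states, covers)
    table = {}
    for a, b in product(states, repeat=2):
        common = above[a] & above[b]
        least = [u for u in common if all(v in above[u] for v in common)]
        if len(least) != 1:
            raise ValueError(f"no least upper bound for {a} and {b}")
        table[(a, b)] = least[0]
    return table

def lattice_properties_hold(states, join):
    """Idempotence, commutativity, associativity and Nil as bottom (section 4.3)."""
    if any(join[(a, a)] != a or join[(a, NIL)] != a for a in states):
        return False
    if any(join[(a, b)] != join[(b, a)] for a, b in product(states, repeat=2)):
        return False
    return all(join[(a, join[(b, c)])] == join[(join[(a, b)], c)]
               for a, b, c in product(states, repeat=3))

def counts(n):
    """(number of STATES, number of covers) for N strengths."""
    s, c = build_lattice(n)
    return len(s), len(c)

if __name__ == "__main__":
    for n in range(2, 6):
        print(f"N={n}: {counts(n)}  formulas: {2*n*n - 3*n + 2}, {4*n*n - 10*n + 8}")
    states, covers = build_lattice(4)            # the NOVA lattice of Figure 2
    join = join_table(states, covers)
    print("lattice properties hold:", lattice_properties_hold(states, join))
    print("join 0aa 1rr =", join[("0aa", "1rr")], "; join 0rr 1rr =", join[("0rr", "1rr")])
```

Because join is computed as a least upper bound rather than written down as a table, the construction itself is what is being checked: if any pair of STATES had no least upper bound, join_table would raise instead of silently returning a non-lattice join. For the N = 4 lattice the derived join gives the strength-dominance results the text describes, for instance join 0aa 1rr = 0aa (the active driver dominates) and join 0rr 1rr = Xrr (equal strengths in contention).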
10.2.7
g
± d __Y-7
q
M1
Inv2
Figure
4. Existence
5.1
of bottom.
STATES
Typically
to relate
Cell
all a STATES,
Schematic
Diagram
join
= a.
a Nil
Function
specification
is required
STATES_ABS
For
Abstraction
a behavioral
function
3: Memory
is defined
STATES, used
in terms
of boolean
in structural
values.
specifications,
An abstraction
to boolean
values.
chosen
boolean
sig = ((sig=laa)\/(sig=lar)\/(sig=lrr)\/ (sigflaf)\/(sigflrf)\/(sig=lff))
=> T
I
((sig=0aa)V(sig=0ar)V(sigf0rr)\/ (sig=0af)\/(sigf0rf)\/(sig=0ff))
The
Unknown
STATES are
assigned
a value
=> F I ARB
ARB, defined
to be an arbitrarily
value.
6 Theory Demonstration

A static memory cell (Figure 3) is used to demonstrate the STATES theory. Fundamental to the operation of this circuit is strength dominance: when the gate g of the pass transistor M1 is True, the signal at the input d dominates the resistive output of the feedback inverter Inv2 and forces the storage node to a new value, and when the gate goes False, Inv2 acts to store the state of the node. Without a representation of signal strength, the operation of this circuit cannot be correctly modeled.

6.1 The Circuit

The memory cell is implemented with a pass transistor and two inverters, the output of the feedback inverter Inv2 being connected to the storage node. The circuit primitives are defined in HOL by three predicates, NTRAN, INV and JOIN. Time is represented as a number (type num), and signals are functions from time to signal value, of type num -> strength (strength being the name of the STATES type in the HOL theory).

A simplified behavioral model of the pass transistor is used. NTRAN (g,s,d) defines the signal at the drain, d, to be equal to the signal at the source, s, if the gate input g is True, else Nil:

NTRAN (g,s,d) =
  ! t. d t = (((g t=1aa)\/(g t=1ar)\/(g t=1rr)\/(g t=1af)\/(g t=1rf)\/(g t=1ff)) => s t | Nil)

The inverter predicate INV has five arguments. The first three are the possible output STATES: the first is the STATE for a True output, the second the STATE for a False output, and the third the Unknown output STATE. The fourth and fifth arguments are signal functions of type num -> strength: the fourth is the input and the fifth is the output. The output is derived from the logic state of the input and the three output STATES:

INV 1s 0s Xs (in,out) =
  ! t. out t = (((in t=1aa)\/(in t=1ar)\/(in t=1rr)\/(in t=1af)\/(in t=1rf)\/(in t=1ff)) => 0s |
                ((in t=0aa)\/(in t=0ar)\/(in t=0rr)\/(in t=0af)\/(in t=0rf)\/(in t=0ff)) => 1s | Xs)
6.2 JOIN

The JOIN predicate performs two operations. The first is combining the outputs of two circuit elements that drive the same node, by applying the join function to them. The second is modeling the sequential behavior of the node: when it is desired to model the charge storage on the capacitance of a node, the node is modeled as having a variable delay whose length is based on the strength of the join function result [5,7]. The delay of a node is related to the strength driving it, the delay increasing as the strength decreases, and the same delay is used here for rise and fall times. The Hasse diagram shows the relative strength of STATES and can be used to segregate the STATES into delay bands: all STATES within a horizontal band of the diagram have the same delay, the left-to-right position within the band distinguishes the individual STATES, and the delay increases from the top band to the bottom. For the demonstration cell two delays are used. When the pass transistor is turned on, the storage node is driven by an active strength signal and the delay is defined to be zero. When the pass transistor is turned off, the storage node is driven by the resistive strength output of the feedback inverter and the delay is defined to be one.

JOIN (s',s'',s:num->strength) =
  ! t. let sig = join (s' t) (s'' t) in
       ((sig = 0aa) \/ (sig = 1aa) \/ (sig = Xaa) \/ (sig = Xar) \/ (sig = Xra)) => (s t = sig) | (s (t+1) = sig)
6.3 Structural Description

A BOLT structural description of the cell is:

MODULE Q .CELL G D;
BEGIN
  N1 .NTRAN G D;
  Q  .INVR N1;
  N1 .INVR Q (STR='RR');
END;

The STR='RR' parameter defines the second inverter as resistive; the default strength of an INVR invocation is active. The HOL structural specification of the cell is:

cell_IMP (d,g,q) =
  ? nl nl' nl''.
    NTRAN (g,d,nl') /\ INV 1rr 0rr Xrr (q,nl'') /\ JOIN (nl',nl'',nl) /\ INV 1aa 0aa Xaa (nl,q)

6.4 Behavioral Description

The behavioral description of the cell follows: when the gate is True the output of the cell, q, is the inverse of the input d, and when the gate is False the cell is storing the previous data. The HOL behavioral description is:

cell_SPEC (d,g,q) = ! t. (g t) => (q t = ~(d t)) | (q (t+1) = q t)

6.5 Cell Verification

The operation of the cell requires that the output of the pass transistor dominate the resistive strength output of Inv2, and the pass transistor is not an amplifier: there is a validity condition that the signal applied to input d must be stronger than resistive. This condition is required for proper circuit operation and is not simply a verification artifact.

Valid1 (d) = ! t. (d t = 1aa) \/ (d t = 0aa)

Because the behavior of the cell is only defined when the gate has either a True value (writing) or a False value (storing), there is a second validity condition on the gate. It yields a 12-way case analysis, which is easily reduced to the two cases of the gate being True or False.

Valid2 (g) =
  ! t. (g t = 1aa) \/ (g t = 1ar) \/ (g t = 1rr) \/ (g t = 1af) \/ (g t = 1rf) \/ (g t = 1ff) \/
       (g t = 0aa) \/ (g t = 0ar) \/ (g t = 0rr) \/ (g t = 0af) \/ (g t = 0rf) \/ (g t = 0ff)

The verification of the cell entails proving that the structural description, together with the validity conditions, logically implies the behavioral specification. The theorem proven is:

|- (Valid1 (d) /\ Valid2 (g) /\ cell_IMP (d,g,q)) ==> cell_SPEC (STATES_ABS o d, STATES_ABS o g, STATES_ABS o q)
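The theorem above, checked by bounded enumeration as an added example (this is the editor's code, not the paper's HOL proof): the predicates of sections 5.1 to 6.5 are transcribed as functions over finite traces, every trace of length three that satisfies Valid1, Valid2 and cell_IMP is enumerated, and cell_SPEC is checked on each. Two assumptions are made: join is restricted to fully determined STATES and Nil, which are the only values the cell produces, and the gate is enumerated over one True and one False representative, 1rf and 0af, since NTRAN only tests which of the two it is.

```python
# Added example, not the paper's code: a bounded check of the memory cell theorem.
# NTRAN, INV, JOIN, STATES_ABS, Valid1, Valid2, cell_IMP and cell_SPEC are
# transcribed as Python functions over finite traces, every trace of length T
# admitted by the validity conditions and cell_IMP is enumerated, and cell_SPEC is
# checked on each.  Assumptions: join is restricted to fully determined STATES (bpp)
# and Nil, the only values the cell produces, and the gate is enumerated over one
# True and one False representative (1rf, 0af).
from itertools import product

NIL = "Nil"
ONE = {"1aa", "1ar", "1rr", "1af", "1rf", "1ff"}
ZERO = {"0aa", "0ar", "0rr", "0af", "0rf", "0ff"}
UNKNOWN = {"Xaa", "Xar", "Xra", "Xrr", "Xaf", "Xfa", "Xrf", "Xfr", "Xff"}
ALL_STATES = sorted(ONE | ZERO | UNKNOWN | {NIL})
ACTIVE = {"0aa", "1aa", "Xaa", "Xar", "Xra"}     # the zero-delay results in JOIN
RANK = {"a": 3, "r": 2, "f": 1}

def join(x, y):
    """Strength dominance for bpp STATES: the stronger driver wins, equal strength with
    conflicting logic gives X at that strength, and Nil is the identity."""
    if x == NIL:
        return y
    if y == NIL:
        return x
    if RANK[x[1]] != RANK[y[1]]:
        return x if RANK[x[1]] > RANK[y[1]] else y
    return x if x[0] == y[0] else "X" + x[1:]

def states_abs(sig):
    """STATES_ABS: True STATES to T, False STATES to F, everything else to ARB."""
    return "T" if sig in ONE else "F" if sig in ZERO else "ARB"

def ntran(g, s):
    """NTRAN: the drain equals the source when the gate is True, else Nil."""
    return s if g in ONE else NIL

def inv(one_s, zero_s, x_s, i):
    """INV 1s 0s Xs: the output STATE selected by the logic state of the input."""
    return zero_s if i in ONE else one_s if i in ZERO else x_s

def cell_imp(d, g, nl):
    """cell_IMP with the storage node nl given: NTRAN, both INVs and JOIN must hold at
    every t of the horizon (a JOIN constraint on nl(T) falls outside the horizon)."""
    T = len(d)
    q = [inv("1aa", "0aa", "Xaa", nl[t]) for t in range(T)]
    for t in range(T):
        sig = join(ntran(g[t], d[t]), inv("1rr", "0rr", "Xrr", q[t]))
        if sig in ACTIVE:                       # delay zero
            if nl[t] != sig:
                return False
        elif t + 1 < T and nl[t + 1] != sig:    # delay one
            return False
    return True

def cell_spec(d, g, q):
    """cell_SPEC on the boolean abstractions: g t => (q t = ~d t) | (q (t+1) = q t)."""
    T = len(d)
    for t in range(T):
        if states_abs(g[t]) == "T":
            if states_abs(q[t]) != {"T": "F", "F": "T"}[states_abs(d[t])]:
                return False
        elif t + 1 < T and states_abs(q[t + 1]) != states_abs(q[t]):
            return False
    return True

def explore(T=3, gate_reps=("1rf", "0af")):
    """Enumerate every d (Valid1: active), g (Valid2: definite) and storage node trace
    of length T that satisfies cell_IMP, check cell_SPEC on each, and record which
    abstract gate sequences have at least one consistent trace (a vacuity check).
    Returns (number of consistent traces checked, set of admitted gate sequences)."""
    checked, admitted = 0, set()
    for d in product(("1aa", "0aa"), repeat=T):
        for g in product(gate_reps, repeat=T):
            for nl in product(ALL_STATES, repeat=T):
                if not cell_imp(d, g, nl):
                    continue
                q = [inv("1aa", "0aa", "Xaa", s) for s in nl]
                if not cell_spec(d, g, q):
                    raise AssertionError(f"cell_SPEC violated: d={d} g={g} nl={nl}")
                checked += 1
                admitted.add(tuple(states_abs(x) for x in g))
    return checked, admitted

if __name__ == "__main__":
    n, admitted = explore()
    print(f"{n} consistent traces of length 3, all satisfying cell_SPEC")
    print("gate sequences with a consistent trace:", sorted(admitted))
```

Every consistent trace satisfies cell_SPEC, as the theorem states. The set of admitted gate sequences is the more useful output: under the zero/one delay rule of JOIN as transcribed here, only sequences in which the gate, once False, stays False have a consistent storage node signal, because the resistive value JOIN assigns to nl at t+1 collides with the active value it requires at t+1 when the gate is turned back on. The theorem is therefore vacuous for such traces. Checking that the antecedent of a verification theorem is satisfiable on the traces of interest is a standard vacuity check, and a practitioner would run it alongside the proof.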
7 Future Work

The lattice of signal values presented in this paper is an important first step in linking the BOLT HDL to HOL. The steps necessary to complete the link include:

1. Developing and validating a set of HOL theories corresponding to the primitive components in the NOVA library.
2. Writing a formal semantics for BOLT. BOLT's HDL descriptions do not include a formal semantics, and the analysis needed to write one is a difficult task.
3. Embedding the semantics in HOL.

These steps do not include the formal work on translating NOVA behavioral models to HOL.
8 Conclusion

The first step in the integration of VLSI CAD tools with a verification environment, the translation of the HDL signal representation into the verification logic, has been presented. A verification logic representation of indeterministic signals based on a lattice-theoretic approach provides the algorithm for combining signal values of different strengths, and the lattice is suitable for reasoning about indeterminate signals because the join of two values is found quickly from the Hasse diagram. The suitability of the lattice representation for verification is demonstrated through the verification of a static memory cell. This work is necessary because a verification tool that does not accept the signal representation of the designers' previous CAD tools will not be used by the users of those tools.
9 Acknowledgements

This research was supported by NASA under Space Engineering Research grant NAGW-1406.
References

[1] Birkhoff, G., Lattice Theory, American Mathematical Society, 1948.

[2] Bryant, R. E., "A Switch-Level Model and Simulator for MOS Digital Systems," IEEE Transactions on Computers, Vol. C-33, No. 2, pp. 160-177, February 1984.

[3] Cameron, K. B. and Shovic, J. C., "Calculating Minimum Logic State Requirements for Multi-Strength Multi-Value Logic Simulators," Proceedings of the 1987 IEEE International Conference on Computer Design: VLSI in Computers & Processors, IEEE Computer Society Press, pp. 672-675, 1987.

[4] Camilleri, A., Gordon, M., and Melham, T., "Hardware Verification Using Higher-Order Logic," in D. Borrione, editor, From HDL Descriptions to Guaranteed Correct Circuit Designs, Elsevier Scientific Publishers, 1987. Also Technical Report No. 91, University of Cambridge Computer Laboratory, September 1986.

[5] Dhingra, I. S., "Formal Validation of an Integrated Circuit Design Style," in G. Birtwistle and P. A. Subrahmanyam, editors, VLSI Specification, Verification and Synthesis, Kluwer Academic Publishers, pp. 293-321, 1988. Also Technical Report No. 115, University of Cambridge Computer Laboratory, August 1987.

[6] Gordon, M. J. C., "HOL: A Proof Generating System for Higher-Order Logic," in G. Birtwistle and P. A. Subrahmanyam, editors, VLSI Specification, Verification and Synthesis, Kluwer Academic Publishers, pp. 73-128, 1988. Also Technical Report No. 103, University of Cambridge Computer Laboratory, August 1987.

[7] Hayes, J. P., "A Unified Switching Theory with Applications to VLSI Design," Proceedings of the IEEE, Vol. 70, No. 10, pp. 1140-1151, October 1982.

[8] Melham, T. F., "Abstraction Mechanisms for Hardware Verification," in G. Birtwistle and P. A. Subrahmanyam, editors, VLSI Specification, Verification and Synthesis, Kluwer Academic Publishers, pp. 267-291, 1988. Also Technical Report No. 106, University of Cambridge Computer Laboratory, May 1987.

[9] Melham, T. F., "Using Recursive Types to Reason About Hardware in Higher Order Logic," Technical Report No. 135, University of Cambridge Computer Laboratory, May 1988.

[10] Miles, L., Prins, P., Cameron, K., and Shovic, J., "NOVA: A New Multi-Level Logic Simulator," 2nd NASA SERC Symposium on VLSI Design, pp. 4.1.1-4.1.13, 1990.

[11] Ullman, J. D., Computational Aspects of VLSI, Computer Science Press, 1984.
Formal Verification of Sequence Invariant State Machines

M. Alahmad and P. Windley
NASA Space Engineering Research Center for VLSI System Design
University of Idaho, Moscow, Idaho 83843

3rd NASA SERC Symposium on VLSI Design, 1991, 10.3.1

Abstract

A formal verification of a general state machine architecture, the Sequence Invariant State Machine (SISM), using the HOL theorem-proving system is presented. The behavioral specification is a logical representation of the desired operation of any synchronous state machine. The structural description is a logical representation of the circuit structure built to implement that behavior. Using HOL, the verification shows that the structural description logically implies the behavioral specification; hence, the SISM architecture is capable of implementing any state machine as specified.

1 Introduction

With the advancement in VLSI technology, the need for new methods of ensuring the correctness of digital systems has grown. Simulation remains the dominant method in use, but recently, interest in using formal verification techniques to verify the correctness of VLSI circuits has become more prominent. Formal verification of hardware involves proving, using a theorem-proving system such as HOL [1], that a stated behavioral specification of a circuit is a logical consequence of a structural description of the circuit. The behavioral specification is a logical representation of the desired behavior of the circuit, and the structural description is a logical representation of the components of the circuit and how they are connected. This paper describes the SISM, an adaptive architecture that can implement any synchronous state machine, gives its behavioral specification and structural description in HOL, and shows, using the analysis tools available in HOL, that the structure logically implies the specification.

2 HOL

HOL ('HOL' standing for 'higher order logic'), as described by Birtwistle and Subrahmanyam [3], is designed to facilitate the interactive generation of formal proofs of problems expressed in the logic. The HOL system is interfaced to a programming language, ML (for 'meta-language'), in which proof procedures and strategies can be encoded. The combination enables deduction in higher-order logic (in the sense of chains of primitive inference steps) to be produced by programming at a higher level of abstractness. The logic of HOL is conventional higher-order logic, organized into theories. New types, constants and axioms can be introduced by the user by invocation of ML programming constructs. The type discipline of ML ensures that the only way to create theorems in the object logic is by performing proofs: theorems have the ML type thm, objects of which can only be constructed by the application of inference rules to other theorems or axioms.
3 Sequential Circuits

Sequential circuits are categorized as either synchronous or asynchronous, depending on whether or not the operation of the circuit is synchronized by a clock pulse (or simply a clock). The behavior of a synchronous sequential circuit is usually represented by state diagrams or state tables (flow tables). A flow table has a row for every internal state of the machine and a column corresponding to every possible input. The entry in row qi and column Im represents the next state and the output produced if input Im is applied when the machine is in state qi. Table 1 shows a flow table for an arbitrary six-state, three-input machine, the running example of this paper. Once a state assignment is performed, a state assignment table is constructed from the flow table, with the states encoded by the state variables (y1, y2, ..., yn); Table 2 shows a state assignment for Table 1. Finally, the next state and output equations can be derived from a Karnaugh map of the state assignment table, and the circuit is easily derived from the equations using known techniques.

3.1 Overview of the SISM Architecture

An adaptive hardware architecture has been developed [2] that enables the designer to design any sequential circuit based only on the width of the machine, w, and the number of control inputs, without a knowledge of the sequence to be incorporated. This adaptive architecture is called a Sequence Invariant State Machine (SISM). With the SISM realization, any flow table can be implemented using one hardware configuration: given w and I, the hardware can implement any state machine that has a maximum of 2^I control inputs and 2^w internal states, without a change in the hardware. The machine is in exactly one internal state at any time and changes state only at the discrete instants controlled by the clock.
Table 1: General 6-state, 3-input flow table (entries are next state, output).

  Present state | I1   | I2   | I3
  A             | C, 1 | B, 1 | A, 0
  B             | D, 0 | C, 1 | B, 0
  C             | E, 0 | D, 0 | C, 0
  D             | F, 1 | E, 1 | D, 1
  E             | A, 0 | F, 0 | E, 1
  F             | B, 0 | A, 1 | (entry not legible)

Table 2: State Assignment for Table 1. For each state A through H (G and H being the two unused codes of the three state variables y1 y2 y3), the table gives the code of the present state and the codes of the next states and the outputs under I1, I2 and I3. (The individual entries of the table are not legible on the page.)
Figure 1 shows a general SISM architecture; this architecture can be used to implement one of the next state variables, yi, of Table 2.

Figure 1: General SISM Architecture (destination state codes for all next states, input codes, switch matrix, next state logic, and the present state variable yi).

The architecture contains the following components:

• The destination state codes. For each present state, the codes (y1; y2; y3) of its next states under the various inputs are derived from the state assignment table by inspection. For example, for state B the destination codes under (I1; I2; I3) are (000, 110, 101) respectively. These codes are constants that could be programmed into a memory structure; one way to implement the structure is to use memory devices programmed with the ones and zeros of the codes [3].

• The input codes and the switch matrix. The control inputs select, through the switch matrix, the entries of the destination codes that apply to the present input.

• The next state logic. This is combinational logic that produces all of the possible next states for each of the present states in the flow table.

• The present state. A D-FF storage element preserves the current state and presents it at the clock.

3.2 Operation

The operation of the SISM is as follows. The current state (the row in the flow table) selects the set of potential next states, and the control input (the column in the flow table) selects the exact next state from that set; the circuit then assumes the selected next state at the clock pulse.
4 Formal Specification

This section presents the formal specification of the SISM architecture. A description of the SISM device and its operation is introduced first, and then a structural implementation is described.

Figure 2: General State Machine Device (inputs W, G, DATA, CLR, LD and CS(T); output CS(T+1); clock T).

4.1 The Behavioral Specification

A general state machine device can be specified by defining a predicate, sism_spec, that relates the state variables of the device to its input signals. The predicate is true when the values of the state variables and output signals correspond to the actual behavior of the device, as explained below. The machine is in only one state at a time; the state variables define that state, cs, and the behavior defines the state transitions that can occur. Figure 2 shows the general state machine device with its inputs w, g, data, clr and ld and its state cs. These are:

• 'w', ":num". This represents the width of the state machine, i.e., the number of next state variables.

• 'g', ":time -> num". This is the control input to the state machine. It is represented as a function from time to a number from zero to I, where I is the maximum number of control inputs; that is, (g t) is the control input at time t.

• 'data', ":num -> num -> num -> bool". This gives the destination state codes for the entire state machine, as a function of the control input and of the current state value; for each such pair it is a list of data values, one for each of the width state variables.

• 'clr', ":time -> bool". This signal, when enabled, forces the outputs of the D-ffs to be cleared to low.

• 'ld', ":time -> bool". This signal, when enabled, loads the input data into the D-ffs and presents it at the output.

• 'cs', ":time -> num -> bool". This is the current state value, represented as a function from time to the state variables; that is, (cs t) is the state at time t.

The overall behavior of the state machine is given by the following logic term:

sism_spec w g data clr ld (cs:num->num->bool) =
  (! t:num. cs (t+1) = (clr t => ZEROS w | (ld t => data (g t) (val (cs t)) | cs t)))

The predicate sism_spec asserts the relationship between the data input and the values of the state variables: the state of the machine at time (t+1) is a function of the current state and the input data at time t, which corresponds to the way a state machine works in practice.
4.2 Structural Specification

Using the tools available in HOL, an implementation of state machines based on the sequence invariant (SISM) architecture is presented. The structure of the SISM can be described by specifying high level descriptions of the major pieces of the SISM device and combining them so that they correspond to the actual structure. The structure of the SISM can be represented by a predicate sism_imp with a definition as follows:

sism_imp w g data clr ld cs = (sism_imp_rec w w g data clr ld cs)

The predicate sism_imp defines the iterative structure of the circuit. The predicate sism_imp_rec, indicating the structure of the circuit, is defined recursively on its width as follows:

(sism_imp_rec 0 w g data clr ld cs = block 0 w g data clr ld cs) /\
(sism_imp_rec (n+1) w g data clr ld cs =
   ((sism_imp_rec n w g data clr ld cs) /\ (block (n+1) w g data clr ld cs)))

The predicate block gives the structure of a single module, one bit of the state, by conjoining the predicates that specify the behaviors of its components with the logic connective (/\) and hiding the internal lines with the existential quantifier. The predicate block is described using the following term:

block id w g data clr ld cs =
  ? out1 out2. (sel id w g data ... out1) /\ (mux ... out1 out2 ...) /\ ...

In this definition, out1 and out2 are the internal lines of the module. The selector sel chooses from the destination codes those values which satisfy the current state and the control input, and the remaining components select the value which becomes the next state. The predicates that describe the components are defined over time as
! (t:time) (line
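The behavioral specification of section 4.1 and the bit-sliced structure of section 4.2, as an added example in Python (the editor's code, not the paper's HOL development): sism_spec is transcribed as a one-clock step function, the structure is modeled as one block per state variable in the shape of sism_imp_rec, the two are checked against each other over every state, control input and clr/ld combination, and the specification is run against Table 1. The state assignment (A through F as 0 through 5), the internal wiring of a block (selector, mux, D flip-flop, named after the page's sel, mux and D-FF) and the value used for the Table 1 entry that is not legible (F under I3, taken as A) are all assumptions of this example, since Table 2 and the block definition are not recoverable from the page.

```python
# Added example, not the paper's code: the SISM behavioral specification sism_spec
# and a bit-sliced structural model in the shape of sism_imp_rec (one block per state
# variable), checked against each other over every state, control input and clr/ld
# combination, and run against Table 1.  Assumptions of this example: the state
# assignment (A..F -> 0..5, with G and H the unused codes), the internal wiring of a
# block (selector -> mux -> D flip-flop), and the value used for the entry of Table 1
# that is not legible on the page (F under I3 is taken as A).
from itertools import product

W = 3                                     # width: state variables y1 y2 y3
INPUTS = {"I1": 0, "I2": 1, "I3": 2}      # control input g as a number

# Table 1 of the paper: (next state, output) per control input.
FLOW = {
    "A": [("C", 1), ("B", 1), ("A", 0)],
    "B": [("D", 0), ("C", 1), ("B", 0)],
    "C": [("E", 0), ("D", 0), ("C", 0)],
    "D": [("F", 1), ("E", 1), ("D", 1)],
    "E": [("A", 0), ("F", 0), ("E", 1)],
    "F": [("B", 0), ("A", 1), ("A", 0)],  # I3 entry assumed (not legible on the page)
}
CODE = {"A": 0, "B": 1, "C": 2, "D": 3, "E": 4, "F": 5}   # assumed state assignment
NAME = {v: k for k, v in CODE.items()}

def bits(n):
    """State number -> list of W booleans, y1 first (most significant bit)."""
    return [bool((n >> (W - 1 - i)) & 1) for i in range(W)]

def val(cs):
    """Value of a state vector, the HOL val: y1 is the most significant bit."""
    return sum(int(b) << (W - 1 - i) for i, b in enumerate(cs))

def data(g, s, i):
    """Destination code bit i for control input g and current state value s, i.e. the
    HOL term data (g t) (val (cs t)) i.  Unused codes (G, H) go to state A (assumed)."""
    name = NAME.get(s)
    nxt = CODE[FLOW[name][g][0]] if name else CODE["A"]
    return bits(nxt)[i]

def sism_spec_step(g, clr, ld, cs):
    """sism_spec for one clock: cs(t+1) = clr t => ZEROS w | ld t => data .. | cs t."""
    if clr:
        return [False] * W
    if ld:
        return [data(g, val(cs), i) for i in range(W)]
    return list(cs)

# Structural model.  sism_imp_rec conjoins one block per state variable; each block
# here is a selector feeding a mux that feeds a D flip-flop (wiring assumed).
def sel(idx, g, cs):
    """Selector: the row (current state) and column (control input) pick one
    destination code bit from the programmed codes."""
    return data(g, val(cs), idx)

def mux(clr, ld, out1, q):
    """Clear overrides load, load overrides hold."""
    return False if clr else (out1 if ld else q)

def dff(d):
    """D flip-flop: the value presented becomes the state at the next clock."""
    return d

def block_step(idx, g, clr, ld, cs):
    out1 = sel(idx, g, cs)
    out2 = mux(clr, ld, out1, cs[idx])
    return dff(out2)

def sism_imp_step(g, clr, ld, cs):
    return [block_step(i, g, clr, ld, cs) for i in range(W)]

def imp_matches_spec():
    """Exhaustive check: structure and specification agree for every state code,
    control input and clr/ld combination."""
    return all(sism_imp_step(g, clr, ld, bits(s)) == sism_spec_step(g, clr, ld, bits(s))
               for s, g, clr, ld in product(range(2 ** W), range(3), (False, True), (False, True)))

def run(start, inputs):
    """Drive the specification with ld high through a sequence of control inputs and
    return the sequence of state names visited."""
    cs, trace = bits(CODE[start]), [start]
    for name in inputs:
        cs = sism_spec_step(INPUTS[name], False, True, cs)
        trace.append(NAME[val(cs)])
    return trace

if __name__ == "__main__":
    print("structure matches specification:", imp_matches_spec())
    print("A under I1, I2, I3:", run("A", ["I1", "I2", "I3"]))
```

The exhaustive check is the finite counterpart of the HOL theorem that sism_imp implies sism_spec: because the width is fixed and the programmed codes are finite, every combination of present state, control input, clr and ld can be enumerated, which is what the HOL proof replaces by induction on the width. Changing FLOW to a different flow table changes only the programmed data, not the structural model, which is the sequence invariance property of the architecture.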