Appeared in the proceedings of Asynch-94, November 1994

Sufficient Conditions for Correct Gate-Level Speed-Independent Circuits

Peter A. Beerel†, Computer Systems Laboratory, Stanford University, Stanford, CA 94305
Jerry R. Burch, Computer Science Department, Stanford University, Stanford, CA 94305
Teresa H.-Y. Meng, Computer Systems Laboratory, Stanford University, Stanford, CA 94305

Abstract

We describe sufficient conditions for the correctness of speed-independent asynchronous circuits. The circuit specifications considered are determinate, allowing input choice but not output choice (arbitration). The circuit implementations considered are networks of single-output basic gates. A circuit is defined to be correct if it is hazard-free and complex-gate equivalent to its specification. We show that a circuit is hazard-free if and only if all of its signals are monotonic and acknowledged. This result provides a useful tool for formal reasoning about the correctness of circuits and synthesis techniques. Cubes that approximate sets of reachable circuit states can be used to give sufficient conditions for monotonicity and acknowledgement. These sufficient conditions are the basis of efficient synthesis and verification algorithms.

1 Introduction

Although asynchronous circuits offer many potential advantages, their design is complicated by the need to ensure that they are free of unwanted signal transitions, hazards, which can lead to circuit malfunction. This inherent complexity of asynchronous design has spurred the development of provably-correct synthesis algorithms and formal verification techniques for asynchronous circuits. Several popular asynchronous design styles use the speed-independent delay model, in which gates are modeled as instantaneous functional elements followed by a pure, arbitrarily long delay element. Speed-independent designs rely on the isochronic fork assumption, which requires that wire forks cause only negligible skew. There are two widely used approaches to designing speed-independent circuits. The first approach compiles a specification into an implementation in which every specified output signal is implemented with a single component [14, 18]. This approach relies on many specialized components and cannot use commercially available standard cells or gate arrays. The second approach allows a netlist of gates to be used to implement a circuit output [3, 10, 11, 13]. This approach promises more efficient circuits, but synthesis and verification are more difficult than in the first approach. The results of this paper can be used to make both synthesis and verification easier.

Muller [16] originally characterized the class of speed-independent circuits (with no environmental choice) using a behavioral model of circuits. Armstrong et al. [1] defined delay hazards, which must be avoided by using completion signals to ensure hazard-freedom. However, in the work of Armstrong et al., as well as Unger [17] and Miller [15], the notion of delay hazards was not related to a behavioral model of circuits and was only described for sum-of-product computation blocks.

We divide the definition of correctness for speed-independent circuits (with no output choice) into two conditions:

- the circuit satisfies its specification assuming there are no hazards, and
- there are no hazards.

Our particular formalization of the first condition is called complex-gate equivalence. The concept of complex-gate equivalence is only applicable to circuits that are externally cut. However, any circuit can be made to be externally cut by simply redesignating some of its internal signals to be outputs. We show that a circuit is hazard-free if and only if all of its signals are monotonic and acknowledged. Our notion of acknowledgement is based on a behavioral model of circuits and is a generalization of the completion signals of Armstrong et al. [1]. The concept of acknowledgement can be used to simplify formal analysis of several methods for synthesizing gate-level speed-independent circuits [3, 10, 11, 13].

* This research was supported in part by the NSF PYI Program, the Semiconductor Research Corporation, Contract no. 93-DJ-205, and a Philips Fellowship.
† Peter A. Beerel is now with the EE-Systems Department, University of Southern California, Los Angeles, CA 90089.

We present a modified model of circuit behavior in which internal signal behavior is not represented exactly, but is instead approximated using annotations on specification states and transitions. This modified model is used to define approximations of our notions of monotonicity and acknowledgment. When substituted for the original definitions, these give sufficient conditions for hazard freedom and, therefore, correctness. These sufficient conditions give insight into the normal operation of many correct speed-independent circuits, and have led to efficient synthesis and verification algorithms [2, 6].

2 Notation and terminology

We define a behavioral model for specifications, and both a structural and a behavioral model for circuits.

2.1 Specification behavior

A specification is modeled with a state graph (SG) $\langle I, O, \Sigma, \Gamma, s_0 \rangle$. The sets $I$ and $O$ are the sets of input signals and output signals, respectively, of the specification. We use $A_{Spec}$ to denote $I \cup O$, the set of external signals.

The set of states $\Sigma$ is a subset of the bit vectors over the external signals $A_{Spec}$; $s_0$ is the initial, or reset, state. Notice that any two distinct states must differ in the value of at least one external signal, which implies that our state graphs must satisfy the unique state coding property [7, 12]. This is not a limitation because the most general synthesizable state graphs, which satisfy the complete state coding property [7, 12], can trivially be made to satisfy the unique state coding property by folding common specification states [6]. The value of a signal $u \in A_{Spec}$ in a state $s$ is denoted by $s(u)$. The function $bitcomp(s, u)$ returns the state formed from $s$ by complementing the bit corresponding to $u$. For example, if $s = [100]$ and $a$ is represented by the first bit of $s$, $bitcomp(s, a) = [000]$. The set of state transitions $\Gamma$ is a subset of $\Sigma \times \Sigma$. If $(s, s') \in \Gamma$, then $s$ and $s'$ must differ in exactly one signal, that is, $s' = bitcomp(s, u)$ for some $u \in A_{Spec}$. The state $s$ leads to $s'$ (denoted $s \to s'$) if $(s, s') \in \Gamma$. The notation $s \xrightarrow{u} s'$ may be used when $s \to s'$ and $s' = bitcomp(s, u)$. We say $enabled(u, s)$ for $u \in A_{Spec}$ if $u$ can change in state $s$, that is, if $s \xrightarrow{u} s'$ holds for some $s'$.

Let $s \xrightarrow{v} s'$ and let $u \in A_{Spec}$ be distinct from $v$. We say $u$ is disabled by $v$ if $u$ is enabled in $s$ and not in $s'$. The specification SG must be determinate speed-independent, which requires that it satisfy the following two conditions. First, in every state transition, an output signal may not disable any signal (no output choice): if $v \in O$ and $s \xrightarrow{v} s'$, then

$$\forall u \in A_{Spec}\,[u = v \vee [enabled(u, s) \Rightarrow enabled(u, s')]].$$

Second, an input signal may not disable any output signals but may disable other input signals (input choice): if $v \in I$ and $s \xrightarrow{v} s'$, then

$$\forall u \in O\,[enabled(u, s) \Rightarrow enabled(u, s')].$$

Figure 1 depicts a determinate speed-independent SG of an oscillator. The SG is $\langle I, O, \Sigma, \Gamma, s_0 \rangle$, where $I = \emptyset$, $O = \{a\}$, $\Sigma = \{[0], [1]\}$, $\Gamma = \{([1], [0]), ([0], [1])\}$, and $s_0 = [0]$.

Figure 1: A speed-independent SG specification of an oscillator (the two states [0] and [1] of State = [a], connected by the two transitions on $a$).

2.2 Circuit structure

The structure of a circuit is represented by a labeled directed graph $G = \langle I, O, N, E, F \rangle$. The sets $I$ and $O$ are the sets of input signals and output signals, respectively, of the circuit; $N$ is the set of internal signals. The signals in $I$, $O$, and $N$ are collectively called the circuit signals and are denoted by $A_{Impl}$. The set $E$ is a subset of $A_{Impl} \times A_{Impl}$. If $(u, v) \in E$, then the signal $u$ is an input to the gate that drives the signal $v$. The set of fanins of $v$, denoted $FI(v)$, is the set of all signals $u$ such that $(u, v) \in E$. Similarly, the set of fanouts of $u$, denoted $FO(u)$, is the set of all $v$ such that $(u, v) \in E$. If $v \in I$, then $FI(v)$ is the empty set. The labeling function $F$ maps each element $u$ of $O \cup N$ to a Boolean function $f$ of arity $|FI(u)| + 1$. The function $f$ represents the function computed by the gate that drives $u$. The arity of $f$ is one more than the number of fanins of $u$ so that a component that holds state, such as a C-element, can be modeled by a function on its inputs and its output. The above model only allows circuits with single output components. Also, the future behavior of each component is determined by the current values of its inputs and its output; no component has any "hidden state". This paper considers only circuits in which

- the output of any memory element (such as a C-element) is a primary output, and
- the external signals cut the circuit (the set of edges $E$ is acyclic when restricted to $N$).

Such circuits are said to be externally-cut. Several proposed synthesis algorithms generate externally-cut circuits [3, 11, 13]. Also, any circuit can be made to be externally cut by simply redesignating some of its internal signals to be outputs. In externally-cut circuits, the level of $u \in A_{Impl}$ may be inductively defined. If $u \in I \cup O$ the level of $u$ is 0. Otherwise, the level of $u$ equals one plus the maximum level of any of $u$'s fanins. Since an externally-cut circuit is cut by its external signals, this definition is well-founded. Figure 2 depicts an externally-cut circuit that implements the specification SG shown in Figure 1. The circuit is modeled by $G = \langle I, O, N, E, F \rangle$, where $I = \emptyset$, $N = \{b, c\}$, $O = \{a\}$, and $E = \{(b, a), (c, b), (a, c)\}$. The functions that $F$ associates with each internal and output signal are $f_c(c, a) = INV(a)$, $f_b(b, c) = INV(c)$, and $f_a(a, b) = INV(b)$.

Figure 2: A 3-inverter ring oscillator (inverters driving $c$ from $a$, $b$ from $c$, and $a$ from $b$).

2.3 Circuit behavior

Let $M = \langle I, O, \Sigma, \Gamma, s_0 \rangle$ be a specification and $G = \langle I, O, N, E, F \rangle$ be the structural model of a circuit, as described above. Recall that $A_{Spec} = I \cup O$ and $A_{Impl} = N \cup A_{Spec}$. In addition to specifying the correct behavior of the circuit, the state graph $M$ also represents restrictions on when the environment can transition inputs to the circuit. The implementation state graph of $M$ and $G$ (defined below) is a state machine that describes the behavior of $G$ as it interacts with the most general environment consistent with $M$. In the implementation state graph, a state can either be a bit vector over $A_{Impl}$ (called a successful implementation state) or it can be the special state $q_{fail}$, which is entered after the occurrence of a hazard.

Let $q$ be a successful implementation state of the circuit $G$. Also, let $u$ be a signal in $O \cup N$ such that $FI(u) = \{v_1, \ldots, v_r\}$. Recall that the function $F(u)$ associated with $u$ must have arity $r + 1$, since $r$ is the number of fanins of $u$; call this function $f_u$. We refer to $f_u(q(u), q(v_1), \ldots, q(v_r))$ as the internal evaluation of $u$ in $q$, and we abbreviate it $f_u(q)$. We write $proj(A_{Spec})(q)$ to denote the specification state that a successful implementation state $q$ projects to, which is the unique specification state $s$ such that $s(u) = q(u)$ for all $u$ in $A_{Spec}$. We say an internal signal or primary output $u$ is enabled in any successful implementation state $q$ if $u$'s value does not equal $f_u(q)$. We say a primary input $u$ is enabled in any successful implementation state $q$ if $u$ is enabled in the specification state $proj(A_{Spec})(q)$. We say no signal is enabled in the failure state $q_{fail}$. In summary, $enabled(u, q)$ holds iff

- $f_u(q) \neq q(u)$, if $u \in N \cup O$ and $q \neq q_{fail}$,
- $enabled(u, proj(A_{Spec})(q))$, if $u \in I$ and $q \neq q_{fail}$, and
- false, if $q = q_{fail}$.

For each specification state $s$ in an externally-cut circuit, there exists a unique implementation state $extend(s)$, called the implementation-state extension, that projects onto $s$ and has no enabled internal signals. The value of signal $u$ in $extend(s)$ is called $u$'s settled value. The uniqueness of $extend(s)$ can be easily proven by induction on the level of each circuit signal.

The implementation state graph of $M$ and $G$ is $\langle I, O, N, Q_{Reach}, R, q_0 \rangle$, with $Q_{Reach}$, $R$, and $q_0$ as defined below. The initial state $q_0$ is defined to be $extend(s_0)$. This definition is based on the assumption that after circuit power-up the environment holds the external signals fixed until all internal signals have time to settle. A signal $u$ can transition in an implementation state $q$ if $enabled(u, q)$ holds. A transition on $u$ is hazardous if there is some $v \in O \cup N$ such that $v \neq u$, $enabled(v, q)$ and $\neg enabled(v, bitcomp(q, u))$. We write $q \xrightarrow{u} q'$ if $u$ can transition in state $q$, the transition is not hazardous, and $q' = bitcomp(q, u)$. Otherwise, we write $q \xrightarrow{u} q_{fail}$ if $u$ can transition in state $q$ but the transition is hazardous. We write $q \to q'$ if $q \xrightarrow{u} q'$ holds for some $u$. The requirement that every hazardous transition go to the special state $q_{fail}$ is based on the assumption that any internal hazard can propagate to a primary output. This assumption might be conservative, in general, but has been proven true for a large class of circuits [4]. The set of reachable states $Q_{Reach}$ is the smallest set of states such that $q_0 \in Q_{Reach}$ and for all states $q$ and $q'$

$$[q \in Q_{Reach} \wedge q \to q'] \Rightarrow [q' \in Q_{Reach}].$$

The set of successful states $Q_{Succ}$ is the set of reachable states minus $q_{fail}$. The transition relation $R$ is the subset of $Q_{Reach} \times Q_{Reach}$ such that $(q, q') \in R$ iff $q \to q'$.

For each specification state $s$, the value that a signal is driven to is called the external evaluation of the signal in state $s$. The external evaluation of an internal or primary output $u$ in state $s$ equals the local evaluation of $u$ in the implementation-state extension of $s$. The external evaluation of an input signal $u$ in $s$ equals $s(u)$ if the input is not enabled in $s$ and $\overline{s(u)}$ if $u$ is enabled in $s$. In summary, the external evaluation of $u$ in state $s$, denoted $ext\_eval(s)(u)$, is

- $f_u(extend(s))$, if $u \in N \cup O$,
- $s(u)$, if $u \in I$ and not $enabled(u, s)$, and
- $\overline{s(u)}$, if $u \in I$ and $enabled(u, s)$.

3 Definition of Correctness

Informally, a correct speed-independent circuit is one whose behavior satisfies a given specification under all combinations of gate delays. Typically, the most difficult part of checking whether a speed-independent circuit satisfies its specification is checking whether hazards are possible. Thus, it can be beneficial to divide our correctness criteria into two parts:

- the circuit satisfies its specification assuming there are no hazards, and
- there are no hazards.

The second condition is satisfied if and only if $q_{fail} \notin Q_{Reach}$. Notice that hazard-freedom by itself is not a sufficient check for correctness because a hazard-free circuit might not satisfy its specification. Our particular formalization of the first condition is called complex-gate equivalence. It is based on the idea that if an externally-cut circuit has no internal hazards, then the subnetwork that drives a primary output can be treated as a single complex gate. Such a complex gate is correct when the external evaluation of the primary output agrees with the specification in all the specification states. To be more precise, let $G = \langle I, O, N, E, F \rangle$ be the structural model of a circuit and let $M = \langle I, O, \Sigma, \Gamma, s_0 \rangle$ be a specification. We say $G$ is complex-gate equivalent to $M$ when the external evaluation of every primary output agrees with the specification:

$$\forall s \in \Sigma\ \forall u \in O\,[[ext\_eval(s)(u) \neq s(u)] \Leftrightarrow enabled(u, s)].$$

Complex-gate equivalence is both a safety and a liveness property. It is a safety property because it can disallow the transition of some primary output in a given specification state. It is a liveness property because it ensures that the circuit is capable of performing any output transition allowed by the specification, given the appropriate input choices and gate delays. It is similar to the liveness notion completeness with respect to specification introduced by Ebergen [9].
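The implementation state graph of Section 2.3 and the two correctness checks of this section, worked through as an added example that is not code from the paper: it builds $Q_{Reach}$ for the ring oscillator of Figures 1 and 2 and for a constructed fork circuit (y = x OR (NOT NOT x) under a buffer specification; the circuit, the specification and all function names are assumptions of the example). The fork is complex-gate equivalent yet reaches $q_{fail}$, which is why the two conditions are checked separately.

```python
# Added example (not from the paper): the implementation state graph of
# Section 2.3 for a circuit G = <I, O, N, E, F> driven by the most general
# environment its specification SG M = <I, O, Sigma, Gamma, s0> allows, then
# the two correctness checks of Section 3.  Specification states are bit tuples
# over I + O; gate functions take (q(u), *fanin values), arity |FI(u)| + 1.
QFAIL = "q_fail"                                   # the special failure state

def make_spec(inputs, outputs, states, trans, s0):
    return {"I": inputs, "O": outputs, "sigs": inputs + outputs,
            "states": set(states), "trans": set(trans), "s0": s0}

def make_circuit(spec, internals, gates):
    """gates maps each u in O + N to (fanins, f_u)."""
    return {"spec": spec, "N": internals, "gates": gates,
            "sigs": spec["sigs"] + internals}

def spec_enabled(spec, u, s):
    """enabled(u, s): some specification transition s -> s' flips u."""
    i = spec["sigs"].index(u)
    return any(a == s and b[i] != s[i] for (a, b) in spec["trans"])

def local_eval(circ, u, q):
    """f_u(q): the gate driving u, applied to q(u) and u's fanins in q."""
    fanins, f = circ["gates"][u]
    return f(q[u], *(q[v] for v in fanins))

def extend(circ, s):
    """extend(s): settle every internal signal in level order (Section 2.2)."""
    q = dict(zip(circ["spec"]["sigs"], s))
    todo = list(circ["N"])
    while todo:                 # terminates because the circuit is externally cut
        for u in todo[:]:
            fanins, f = circ["gates"][u]
            if all(v in q for v in fanins):
                vals = [q[v] for v in fanins]
                # settled value: fixed point of f_u, unique for a combinational gate
                q[u] = next(x for x in (0, 1) if f(x, *vals) == x)
                todo.remove(u)
    return q

def proj(circ, q):
    """proj(A_Spec)(q): the specification state that q projects onto."""
    return tuple(q[x] for x in circ["spec"]["sigs"])

def enabled(circ, u, q):
    """enabled(u, q): inputs follow the specification, gates their local evaluation."""
    if u in circ["spec"]["I"]:
        return spec_enabled(circ["spec"], u, proj(circ, q))
    return local_eval(circ, u, q) != q[u]

def step(circ, q, u):
    """q -u-> q', or q_fail when firing u disables another enabled gate output."""
    q2 = dict(q)
    q2[u] ^= 1
    hazard = any(v != u and enabled(circ, v, q) and not enabled(circ, v, q2)
                 for v in circ["spec"]["O"] + circ["N"])
    return QFAIL if hazard else q2

def reachable(circ):
    """Q_Reach as tuples over circ['sigs'], plus QFAIL when a hazard is reachable."""
    key = lambda q: q if q == QFAIL else tuple(q[x] for x in circ["sigs"])
    q0 = extend(circ, circ["spec"]["s0"])
    seen, frontier = {key(q0)}, [q0]
    while frontier:
        q = frontier.pop()
        for u in circ["sigs"]:
            if enabled(circ, u, q):
                q2 = step(circ, q, u)
                if key(q2) not in seen:
                    seen.add(key(q2))
                    if q2 != QFAIL:
                        frontier.append(q2)
    return seen

def hazard_free(circ):
    """Second condition of Section 3: q_fail not in Q_Reach."""
    return QFAIL not in reachable(circ)

def complex_gate_equivalent(circ):
    """First condition of Section 3: ext_eval(s)(u) != s(u) iff enabled(u, s), u in O."""
    spec = circ["spec"]
    return all((local_eval(circ, u, extend(circ, s)) != s[spec["sigs"].index(u)])
               == spec_enabled(spec, u, s) for s in spec["states"] for u in spec["O"])

INV = lambda own, x: 1 - x
OR2 = lambda own, x, y: x | y
# Figures 1 and 2: the oscillator specification and the 3-inverter ring a -> c -> b -> a.
OSC = make_spec((), ("a",), [(0,), (1,)], [((0,), (1,)), ((1,), (0,))], (0,))
RING = make_circuit(OSC, ("b", "c"),
                    {"a": (("b",), INV), "b": (("c",), INV), "c": (("a",), INV)})
# Constructed counter-example: y = x OR (NOT NOT x) under a buffer specification
# x+ y+ x- y-.  When x rises the inverter e is requested to fall, but y can rise
# and x fall again before e responds, so e's request is never acknowledged.
BUF = make_spec(("x",), ("y",), [(0, 0), (1, 0), (1, 1), (0, 1)],
                [((0, 0), (1, 0)), ((1, 0), (1, 1)), ((1, 1), (0, 1)), ((0, 1), (0, 0))], (0, 0))
FORK = make_circuit(BUF, ("e", "d"),
                    {"e": (("x",), INV), "d": (("e",), INV), "y": (("x", "d"), OR2)})
```

Running `hazard_free` and `complex_gate_equivalent` on RING gives True for both; FORK is complex-gate equivalent but not hazard-free, since the transition on x from the state where y has risen and e has not yet fallen disables e.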

4 Necessary and sufficient conditions for correctness

The request/acknowledge handshaking protocol is a generic method of managing the communication between modules. The request part of the protocol can have many forms and many meanings. For example, it can represent a request for exclusive access to a shared resource, such as a bus. Or, it can represent a request for an action, such as a request to an asynchronous multiply module that signifies to the multiply module to perform a multiplication. The acknowledge part of the protocol can also have different forms but generally signifies that the request has been granted, e.g., exclusive bus access granted, or multiply complete and valid data exists on the outputs. Our necessary and sufficient conditions for correctness are an interpretation of correct behavior in which this protocol is applied to the gates inside a speed-independent circuit.

A strongly-connected set of states is a set of states such that any two members are mutually reachable through a path of member states. We define a signal region of a signal $u$ to be a maximal set of strongly-connected specification states of the underlying undirected version of the specification state graph in which $u$'s external evaluation is constant. We interpret each signal region as a single request for the signal $u$ to change to its external evaluation. An acknowledgement of this request is any primary output transition that cannot occur until the signal reached its new external evaluation. There may be many primary output transitions that can acknowledge the same request. A necessary condition to guarantee hazard-freedom is that every request is acknowledged before a new request is sent to the same signal. Otherwise, the two requests can collide, which causes a hazard. In essence, if some request of a signal is not acknowledged, then a delay hazard [1] exists. Acknowledgement is a necessary, but not sufficient, condition for hazard-freedom. Because the signal $u$ that receives the request may be embedded in the logic of the circuit, the request may travel from the external signals through various gates until it reaches the inputs to the gate driving $u$. In hazardous circuits this path may cause glitches in the request. To ensure this does not happen the request must reach the signal monotonically. Together, monotonicity and acknowledgement form necessary and sufficient conditions for hazard-freedom. The remainder of this section explains these concepts in more detail and relates them to hazard-freedom.

4.1 Monotonicity and acknowledgement

To formalize monotonicity and acknowledgement consider a sequence of implementation states $q_1, \ldots, q_i, \ldots, q_n$ that project onto specification states within a signal region for signal $u$. In each of these states $q_i$, the signal is requested to settle to its external evaluation. However, the request does not reach the internal signal until an implementation state is reached in which the signal's local evaluation equals its external evaluation, i.e.,

$$f_u(q_i) = ext\_eval(proj(A_{Spec})(q_i))(u). \qquad (1)$$

Once this implementation state is reached the gate associated with $u$ drives $u$ to its new external evaluation after some delay. In a correct circuit, once this implementation state is reached, the request is maintained until after the circuit leaves the signal region. In other words, the predicate (1) monotonically increases from false to true through the sequence of implementation states. For example, consider a state transition $q \xrightarrow{v} q'$ within the sequence of implementation states. If in $q$ the internal evaluation of $u$ equals its external evaluation, then in $q'$ the internal evaluation should also equal its external evaluation. We denote this condition by $monotonic(u, q, q')$.

Now consider the boundary of a signal region of $u$. That is, consider a transition $q \xrightarrow{v} q'$ in which the external evaluation of $u$ changes. In this case, $u$ should be at its external evaluation in $q$, which means that $u$ should complete the 0-to-1 or 1-to-0 change in value before the circuit leaves the region. Otherwise, there exists a sequence of states in which before $v$ fires $u$ is enabled, and after $v$ fires $u$ is disabled, either directly from $v$ firing or from the firing of signals subsequently enabled. We say $u$ must be acknowledged before its external evaluation changes and denote the condition by $acknowledged(u, q, q')$. Monotonicity and acknowledgement of all internal signals and primary outputs combined can be shown to be necessary and sufficient conditions that guarantee that the complex-gate equivalent circuit is hazard-free.

4.2 Acknowledgement/monotonicity and successful implementation states

Monotonicity and acknowledgement together ensure that enabled signals are never at their external evaluation, that is, they are enabled to change only in the direction of their external evaluation. These conditions are necessary conditions for correctness because the existence of such a reachable implementation state guarantees that the circuit will be hazardous. This fact allows us to define a subset of reachable implementation states from which correctness can be exactly verified. A signal $u$ is externally aligned in $q$ if $u$ is not both enabled and at its external evaluation, that is, $externally\_aligned(u, q)$ holds iff

$$\neg[enabled(u, q) \wedge [q(u) = ext\_eval(proj(A_{Spec})(q))(u)]].$$

An implementation state $q$ is externally aligned if all signals are externally aligned in $q$. We denote the set of externally aligned states in $B^{A_{Impl}}$ by $Q_{EA}$. The failure state $q_{fail}$, by convention, is not externally aligned.

The subset of externally-aligned states reachable through externally-aligned states, referred to as the core set of externally-aligned states and denoted by $Q_{CEA}$, is the smallest set of states such that $extend(s_0) \in Q_{CEA}$ and for all states $q$ and $q'$

$$[q \in Q_{CEA} \wedge q \to q' \wedge q' \in Q_{EA}] \Rightarrow [q' \in Q_{CEA}].$$

It can be shown that $Q_{CEA} = Q_{Reach}$ for correct circuits. For an incorrect circuit, $Q_{CEA}$ may be a proper subset of the set of reachable, externally aligned states. This is because there may exist reachable, externally aligned states that can only be reached by going through a state that is not externally aligned. If $Q_{CEA} \neq Q_{Reach}$, then $q_{fail} \in Q_{Reach}$. This result can be easily incorporated into explicit state verification algorithms such as used in AVER [8] by altering the verification algorithm so that it immediately exits (reporting an incorrect circuit) if it reaches a state which is not externally-aligned, thereby speeding up the analysis of incorrect circuits.

5 Sufficient conditions for correctness

The necessary and sufficient conditions developed above formalize the intuitive concepts of monotonicity and acknowledgement. However, checking monotonicity and acknowledgement requires analysis of the reachable state space of the circuit. In this section, we describe approximations of monotonicity and acknowledgement that do not require analysis of the reachable states of the circuit; only the specification state graph and the circuit structure need to be analyzed. This gives sufficient conditions for correctness that are more amenable to both automatic and manual reasoning, which is useful for both synthesis and verification.

5.1 The cube approximation

A cube $c$ is a standard representation of a set of minterms or states. For our purposes, a cube is a three-valued vector of length $|N|$ (the number of internal signals). Each element $c(u)$ corresponding to the internal signal $u$ can be 0 (stable low), 1 (stable high) or X (unknown value). In the X case, the internal signal may be rising, falling, or both. Given a cube $c$ and a specification state $s$, the function $CtoQ(c, s)$ produces the set of implementation states that are consistent with both $c$ and $s$:

$$CtoQ(c, s) = \{\, q \in B^{A_{Impl}} \mid proj(A_{Spec})(q) = s \wedge \forall u \in N\,[[c(u) = X] \vee [c(u) = q(u)]] \,\}.$$





A cube approximation of an implementation state graph consists of several cubes: one for each state in the specification state graph (denoted $CA(s)$ and called a state cube) and one for each transition in the specification state graph (denoted $CA(s, v)$ and called a transition cube). A cube approximation is used to represent an approximation (superset) of $Q_{CEA}$, the core externally-aligned states of the implementation state graph. If only the state cubes are considered, then the set of implementation states represented by a cube approximation is

$$Q_{EA} \cap \bigcup_{s \in \Sigma} CtoQ(CA(s), s).$$

The intersection with $Q_{EA}$, above, is necessary to avoid grossly overestimating $Q_{CEA}$. Since every state in $Q_{CEA}$ is externally-aligned, we know that intersection with $Q_{EA}$ does not cause any states to be missed. Even when $Q_{EA}$ is used in this way, however, the resulting approximation is often too inaccurate to be useful. The transition cubes $CA(s, v)$ are used to further constrain the approximation. Let $q$ be an externally-aligned implementation state such that $proj(A_{Spec})(q) = s$. The state $q$ is in the cube approximation iff

- $q \in CtoQ(CA(s), s)$ and
- for all primary outputs $v \in O$, if $v$ is enabled in $q$, then $q \in CtoQ(CA(s, v), s)$.

In other words, $q$ is in the cube approximation iff $q \in Q_{CA}(s)$, where

$$Q_{CA}(s) = Q_{EA} \cap CtoQ(CA(s), s) \cap \{\, q \in B^{A_{Impl}} \mid \forall v \in O\,[enabled(v, q) \Rightarrow q \in CtoQ(CA(s, v), s)] \,\}.$$

The set of all implementation states represented by the cube approximation is

$$Q_{CA} = \bigcup_{s \in \Sigma} Q_{CA}(s).$$

An example of a cube approximation and the set of states that it represents for the three-inverter ring oscillator is given in Figure 3.

Figure 3: (a) Depiction of cube approximation, and (b) corresponding state sets, for the 3-inverter ring oscillator. Cubes are over [b c] and implementation states over [a b c]; the cubes are CA([0]) = [X X], CA([1]) = [X X], CA([0], a) = [0 1] and CA([1], a) = [1 0], and (b) shows the sets CtoQ(CA([0]), [0]), CtoQ(CA([0], a), [0]), CtoQ(CA([1]), [1]) and CtoQ(CA([1], a), [1]).

5.2 Using the cube approximation model

This section explains how the cube approximation can yield new sufficient conditions for correctness. Specifically, it develops sufficient conditions for correctness that can be tested directly on the cube approximation. The overall conditions are two-parted. First, we present sufficient conditions that guarantee that the cube approximation faithfully approximates the important implementation states (i.e., $Q_{CA} \supseteq Q_{CEA}$). Second, we present sufficient conditions that guarantee that the properties of monotonicity and acknowledgement hold in the implementation states represented by the cube approximation.

5.2.1 Sufficient conditions on the cube approximation

Our sufficient conditions for finding the cube approximation reflect the automated algorithm for finding the cube approximation described in [6]. This algorithm initially assumes that all internal signals are always stable and iteratively determines when internal signals may not be stable. In other words, it starts with a cube approximation without X's and iteratively changes as many cube elements as possible to X. This corresponds to starting with an initial $Q_{CA}$ that contains one implementation state $extend(s)$ for each specification state $s$, to which states are iteratively added. When no more unstable signals can be found, the resulting $Q_{CA}$ is the smallest set of states for which no more signals can be found unstable and is called the least fixpoint. This least fixpoint is guaranteed to be a superset of the important implementation states $Q_{CEA}$. The conditions we develop in this section guarantee that the cube approximation contains the implementation state $extend(s)$ for every $s \in \Sigma$ and that the cube approximation is a fixpoint. We prove that these conditions guarantee that $Q_{CA}$ faithfully approximates $Q_{CEA}$ (i.e., $Q_{CA} \supseteq Q_{CEA}$). The conditions are only sufficient because they allow $Q_{CA}$ to contain unreachable implementation states from which hazards can occur, leading to false negatives. This can happen because the conditions do not guarantee that the cube approximation is the least fixpoint and since even the least fixpoint may implicitly contain unreachable implementation states.

To describe these conditions in more detail, we first define the notions of a required fanin and acknowledges. Given a specification state $s$, a cube $c$, and a signal $u$, we consider all implementation states in $CtoQ(c, s)$ in which $u$'s internal evaluation equals its external evaluation. A fanin $w$ of $u$ is required if in all of these states $w$ is at its settled value, defined as follows:

$$required(w, u, s, c) \equiv w \in FI(u) \wedge \forall q \in CtoQ(c, s)\,[[f_u(q) = ext\_eval(s)(u)] \Rightarrow [q(w) = extend(s)(w)]].$$

For example, the output of an AND gate that is supposed to rise in state $s$ cannot rise until all its fanins rise. Hence, all the fanins of this AND gate in state $s$ are required fanins. Similarly, if all but one fanin of an AND gate that is supposed to fall in state $s$ are stable high, then the AND gate cannot fall until that last fanin of the AND gate falls. Hence, in state $s$, the last fanin is a required fanin of the falling AND gate.

Informally, given a specification state $s$ and a primary output $v$ which is enabled in $s$, we say the corresponding state transition $s \xrightarrow{v} s'$ acknowledges an internal signal if the internal signal must settle to its external evaluation before the state transition fires. From the above paragraph, we know this happens when $w$ is a required fanin of some signal $u$ whose internal evaluation must reach its external evaluation before the enabled primary output $v$ fires. This condition on $w$ holds in two significant cases. First, it holds when $u$ is identically the primary output $v$ that is enabled to fire in $s$ (assuming complex-gate equivalence). Second, it holds when $u$ is an internal signal which is stable in $s$. Summarizing, we have

$$acknowledges(s, v, w) \equiv \exists u \in FO(w)\,[required(w, u, s, CA(s)) \wedge [u = v \vee CA(s, v)(u) = ext\_eval(s)(u)]].$$

Using the notion of acknowledgement, we characterize a fixpoint of the cube approximation $Q_{CA}$ as one in which the following two production rules cannot be applied.

- State production: If $s \xrightarrow{v} s'$ and $CA(s, v)(u) \neq CA(s')(u)$, then set $CA(s')(u)$ to X.
- Transition production: If $s \xrightarrow{v} s'$, $CA(s)(u) = X$, and not $acknowledges(s, v, u)$, then set $CA(s, v)(u)$ to X.

State productions assert that if in a transition into some state $s'$ an internal signal $u$ is unstable, then $u$ must be unstable in $s'$. State productions reflect the fact that an internal signal is stable in a state only when it is stable during every transition into the state. Transition productions assert that if an internal signal is unstable in a state cube and the state transition does not acknowledge the internal signal, then the internal signal might still be changing during the transition. Transition productions reflect the fact that an internal signal becomes stable in a transition cube only when the transition acknowledges the internal signal. Notice that after the signal is acknowledged, however, it remains stable until its external evaluation changes. The production rules for the 3-inverter ring oscillator are shown in Figure 4. We have proven that if a cube approximation implicitly contains the implementation state $extend(s)$ for each specification state $s \in \Sigma$ and is a fixpoint with respect to the above production rules, then it represents a superset of the core externally-aligned states. This fact is made more explicit in the following theorem.

Theorem 1

Let the circuit $G = \langle I, O, N, E, F \rangle$ be externally-cut and complex-gate equivalent to the SG $M = \langle I, O, \Sigma, \Gamma, s_0 \rangle$. Let $Q_{CEA}$ be the core set of externally-aligned states of $G$ and $M$. Let $Q_{CA}$ be the set of states represented by the cube approximation $CA$. If $extend(s) \in Q_{CA}$ for all $s \in \Sigma$ and no state or transition production rule can be applied to $CA$, then $Q_{CA} \supseteq Q_{CEA}$.
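The production-rule fixpoint of Section 5.2.1 and the sets $Q_{CA}(s)$ of Section 5.1, computed for the 3-inverter ring oscillator as an added example (this is not code from the paper or from [6]; the hard-coded circuit, the string encoding of cubes over [b c], and all function names are assumptions of the example). Starting from the X-free approximation it reproduces the cubes of Figure 3 and checks the premise of Theorem 1.

```python
# Added example (not from the paper): the production-rule fixpoint of Section
# 5.2.1 and the sets Q_CA(s) of Section 5.1 for the 3-inverter ring oscillator
# of Figures 1 to 4.  Circuit and specification are hard-coded; cubes over
# N = (b, c) are strings over {'0', '1', 'X'}; implementation states are dicts
# over A_Impl = (a, b, c).
from itertools import product

SIGS = ("a", "b", "c")                     # A_Impl; a is the only external signal
N = ("b", "c")                             # internal signals, cube positions 0 and 1
FI = {"a": ("b",), "b": ("c",), "c": ("a",)}
FO = {w: tuple(u for u in SIGS if w in FI[u]) for w in SIGS}
F = {u: (lambda q, u=u: 1 - q[FI[u][0]]) for u in SIGS}   # f_u(q): an inverter
STATES = ((0,), (1,))                      # Sigma; a specification state is [a]
TRANS = {(0,): (1,), (1,): (0,)}           # Gamma; both transitions fire output a

def state(a, b, c):
    return dict(zip(SIGS, (a, b, c)))

def extend(s):
    """extend(s): a from s, then c = not a and b = not c in level order."""
    a = s[0]
    return state(a, a, 1 - a)

def ext_eval(s, u):
    """External evaluation; a is an output, so f_u(extend(s)) applies to every u."""
    return F[u](extend(s))

def enabled(u, q):
    return F[u](q) != q[u]

def CtoQ(c, s):
    """Implementation states over s that agree with cube c on every non-X position."""
    return [q for q in (state(s[0], b, cc) for b, cc in product((0, 1), repeat=2))
            if all(c[i] == "X" or int(c[i]) == q[w] for i, w in enumerate(N))]

def required(w, u, s, c):
    """w is at its settled value in every q of CtoQ(c, s) where f_u(q) = ext_eval(s)(u)."""
    return w in FI[u] and all(q[w] == extend(s)[w] for q in CtoQ(c, s)
                              if F[u](q) == ext_eval(s, u))

def acknowledges(CA, s, v, w):
    """s -v-> s' cannot fire before w settles: w is a required fanin of v itself,
    or of an internal signal u that the transition cube already shows stable."""
    for u in FO[w]:
        if not required(w, u, s, CA[s]):
            continue
        if u == v or (u in N and CA[(s, v)][N.index(u)] == str(ext_eval(s, u))):
            return True
    return False

def set_x(cube, u):
    i = N.index(u)
    return cube[:i] + "X" + cube[i + 1:]

def cube_approximation():
    """Start X-free (Q_CA = {extend(s)}) and apply the two production rules
    until neither changes a cube; the result is a fixpoint as in Section 5.2.1."""
    CA = {}
    for s in STATES:
        CA[s] = "".join(str(extend(s)[u]) for u in N)
        CA[(s, "a")] = CA[s]
    changed = True
    while changed:
        changed = False
        for s, s2 in TRANS.items():
            for u in N:
                i = N.index(u)
                # State production: u unstable during s -a-> s2 => unstable in s2.
                if CA[s2][i] != "X" and CA[(s, "a")][i] != CA[s2][i]:
                    CA[s2] = set_x(CA[s2], u); changed = True
                # Transition production: unstable in s and not acknowledged by a.
                if (CA[s][i] == "X" and CA[(s, "a")][i] != "X"
                        and not acknowledges(CA, s, "a", u)):
                    CA[(s, "a")] = set_x(CA[(s, "a")], u); changed = True
    return CA

def externally_aligned(q):
    """No signal is both enabled and already at its external evaluation."""
    s = (q["a"],)
    return not any(enabled(u, q) and q[u] == ext_eval(s, u) for u in SIGS)

def Q_CA(CA, s):
    """Q_EA ∩ CtoQ(CA(s), s) ∩ {q | enabled(a, q) => q in CtoQ(CA(s, a), s)}."""
    return [q for q in CtoQ(CA[s], s) if externally_aligned(q)
            and (not enabled("a", q) or q in CtoQ(CA[(s, "a")], s))]

def theorem_1_premise(CA):
    """extend(s) in Q_CA(s) for all s; cube_approximation() already returns a fixpoint."""
    return all(extend(s) in Q_CA(CA, s) for s in STATES)

if __name__ == "__main__":
    CA = cube_approximation()
    for k, v in CA.items():
        print("CA", k, "=", v)
    print("|Q_CA| =", sum(len(Q_CA(CA, s)) for s in STATES))
```

The fixpoint reached is CA([0]) = CA([1]) = XX and CA([0], a) = 01, CA([1], a) = 10, and $Q_{CA}$ contains the six states that the ring oscillator actually reaches, three over each specification state.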

Figure 4: Production rules for the 3-inverter ring oscillator.

State production rules (guard: action):
  CA([1], a)(b) ≠ CA([0])(b): set CA([0])(b) to X
  CA([1], a)(c) ≠ CA([0])(c): set CA([0])(c) to X
  CA([0], a)(b) ≠ CA([1])(b): set CA([1])(b) to X
  CA([0], a)(c) ≠ CA([1])(c): set CA([1])(c) to X

Transition production rules (guard: action):
  CA([0])(b) = X ∧ ¬acknowledges([0], a, b): set CA([0], a)(b) to X
  CA([0])(c) = X ∧ ¬acknowledges([0], a, c): set CA([0], a)(c) to X
  CA([1])(b) = X ∧ ¬acknowledges([1], a, b): set CA([1], a)(b) to X
  CA([1])(c) = X ∧ ¬acknowledges([1], a, c): set CA([1], a)(c) to X

5.2.2 Testing monotonicity and acknowledgement

We present conditions that test monotonicity and acknowledgement on all internal and output signals in all specification states and transitions. All implementation states that project onto a specification state (transition) are considered simultaneously and implicitly, thereby avoiding the analysis of an exponential number of implementation states. The cube approximation allows these conditions to consider only the core externally-aligned states and indicates when internal signals are stable. Hence, the sufficient conditions are intuitive and easily verified.

Consider first the monotonicity of a particular internal or primary output signal $u$. Since only fanins of $u$ can affect $f_u(q)$, and since $u$'s external evaluation is the same in all implementation states that project onto a specification state $s$, the abstraction of monotonicity to specification states is easy: we need only consider the effect of each fanin $w$ of a signal $u$ in each specification state $s$. We present three sufficient conditions, each of which guarantees that a fanin $w$ will not cause $f_u(q)$ to be non-monotonic during any implementation state transition from a state $q \in Q_{CEA}$ that projects onto $s$.

The first condition is when a fanin $w$ encourages the expected change on $u$, that is, when $w$ helps the signal $u$ reach its external evaluation. For example, as depicted in Figure 5(a), the fanin $w_3$, which is supposed to rise, is an encouraging fanin of an AND gate that is supposed to rise. The rationale behind this is that from core externally-aligned states we know $w_3$ can only change in the direction of its external evaluation; it can only rise. It is easy to see that $w_3$ rising cannot cause $u$ to be non-monotonic. This characteristic of encouraging fanins is made explicit in the following definition:

$encouraging(w, u, s) \equiv w \in FI(u) \wedge \forall q \in B^{A_{Impl}}\ \big[\, [\,q(w) \neq ext\_eval(w)(s) \wedge f_u(q) = ext\_eval(u)(s)\,] \Rightarrow [\,f_u(bitcomp(q, w)) = ext\_eval(u)(s)\,]\, \big]$.

The definition of encouraging fanins depends solely on the gate type and the external evaluations of the relevant signals, and can be easily hard-coded for basic gates. The second condition is when the signal $u$ is insensitized to the fanin $w$, in which case the behavior of $f_u$ is independent of the actions of $w$:

$insensitized(w, u, q) \equiv w \in FI(u) \wedge f_u(q) = f_u(bitcomp(q, w))$,

$insensitized(w, u, s, c) \equiv \forall q \in CtoQ(c, s)\ [\,insensitized(w, u, q)\,]$.

As Figure 5(b) illustrates, $w_3$ is an insensitized fanin of $u$ since the side-input $w_1$ is 1, a controlling value for the OR gate. Given a cube approximation, it is easy to see how this can be generalized to all basic gates, and it is very easy to check, taking $O(|FI(u)|)$ time to compute. The third condition that ensures a fanin $w$ does not violate the monotonicity of the signal $u$ in a specification state $s$ is when the fanin of $u$ is stable in $s$. While cubes indicate when internal signals are stable in specification states, external signals are always stable in a specification state $s$, since when they change a new specification state is always entered. To express this, given a state or transition cube $c$, we say a signal is stable if it is fixed according to the cube or if it is an external signal, i.e.,

$stable(u, c) \equiv u \in I \cup O \vee c(u) \neq X$.

[Figure 5: gate diagrams, not recoverable from the extraction. The panels annotate the inputs $w_1, w_2, w_3$ and the output $u$ of a three-input gate with $ext\_eval(w_3, s)$, $q(w_1)$ and $ext\_eval(u, s)$. (a) Depiction of typical cases in which $w_3$ is an encouraging fanin of $u$. (b) Depiction of typical cases in which $w_3$ is an insensitized fanin of $u$.]

Since a stable signal cannot change in any relevant implementation state that projects onto $s$, it cannot cause $u$ to violate monotonicity in this specification state. We summarize these conditions in the following definition of monotonicity in specification states:

$\mathit{s\text{-}monotonic}(u, s) \equiv \forall w \in (FI(u) \cup \{u\})\ [\, stable(w, CA(s)) \vee encouraging(w, u, s) \vee insensitized(w, u, s, CA(s)) \,]$.

Monotonicity must also hold during the transition between two specification states $s \xrightarrow{v} s'$ in which $u$'s external evaluation does not change. In this case, the transition cube $CA(s, v)$ can be used to check the insensitivity of a fanin $w$ instead of the state cube $CA(s)$. This provides a tighter condition, since the transition $s \xrightarrow{v} s'$ could acknowledge some internal signals, making them stable in $CA(s, v)$. In addition, only the effect of $v$ on $u$ need be analyzed, since this is the only signal that changes in this specification transition. Hence, sufficient conditions for monotonicity in specification transitions can be given as follows:

$\mathit{t\text{-}monotonic}(u, s, s') \equiv encouraging(v, u, s) \vee insensitized(v, u, s, CA(s, v)) \vee v \notin (FI(u) \cup \{u\})$, where $s \xrightarrow{v} s'$.

Guaranteeing that the signal is acknowledged before a particular specification state transition fires is easy, since once any specification state transition acknowledges a signal, the signal remains stable until its external evaluation is changed. Specifically, an internal signal $u$ is acknowledged before the state transition $s \xrightarrow{v} s'$ fires if $u$ is stable in the transition cube $CA(s, v)$:

$acknowledged(u, s, s') \equiv stable(u, CA(s, v))$, where $s \xrightarrow{v} s'$.

Together, monotonicity and acknowledgement provide the following sufficient conditions for correctness.

Theorem 2 (Sufficient conditions for correctness)

Let $G = \langle I, O, N, E, F \rangle$ be an externally-cut circuit implementing the SG $M = \langle I, O, \Sigma, \Delta, s_0 \rangle$. If $Q_{CA} \supseteq Q_{CEA}$, $G$ is complex-gate equivalent to $M$, for all $s \in \Sigma$ and all $u \in N \cup O$

$\mathit{s\text{-}monotonic}(u, s)$,

and for all $(s, s') \in \Delta$ and all $u \in N \cup O$

$[\, ext\_eval(u)(s) = ext\_eval(u)(s') \,] \Rightarrow \mathit{t\text{-}monotonic}(u, s, s')$ and

$[\, ext\_eval(u)(s) \neq ext\_eval(u)(s') \,] \Rightarrow acknowledged(u, s, s')$,

then the circuit is correct.

For the verification of speed-independent circuits we find the least fixpoint of the cube approximation using an efficient algorithm described in [6]. When this algorithm is used, only very contrived correct circuits fail to satisfy these conditions [6], reflecting the fact that the conditions are sufficiently tight in practice.
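As an added worked example (not from the paper and not the authors' tool, whose efficient algorithm is described in [6]), the following Python script implements $stable$, $encouraging$, $insensitized$, $s$-$monotonic$, $t$-$monotonic$ and $acknowledged$ literally as defined above and runs Theorem 2's per-signal obligations on two constructed closed circuits: the 3-inverter ring oscillator of Figure 4, which passes, and the ring extended with an OR-gate output $y = \neg a \vee p$ with $p = a$, in which the driver of $y$ hands off from $\neg a$ to $p$ with no acknowledging transition in between (the situation discussed in Section 6), which fails. Everything not on this page is an assumption of the example: the circuits have no inputs, so every external signal is an output and $ext\_eval$ is always a gate evaluation; the cubes $CA(s)$ and $CA(s, v)$ are obtained by projecting an explicitly enumerated set of externally-aligned states rather than by the production rules (by Theorem 1 the production-rule cubes can only be wider, and every condition above only gets harder on a wider cube, so anything flagged here would also be flagged on them); $FI(u)$ is taken to include $u$ itself, so that the self term of $s$-$monotonic$ is met by gates without feedback; and the signal names, the HANDOFF circuit and all class and function names are ours.

```python
"""Theorem 2's obligations (s-monotonic, t-monotonic, acknowledged) worked on two
tiny closed circuits.  Added example, not the authors' tool: the cubes are exact
projections of an explicit state enumeration, not the paper's production-rule
approximation (which only widens them, Theorem 1); other assumptions are marked."""
from itertools import product

X = "X"  # unknown entry of a cube


def bitcomp(q, w):
    return {**q, w: 1 - q[w]}


class SICheck:
    def __init__(self, outputs, internals, gates, spec_trans):
        self.ext, self.internals, self.gates = tuple(outputs), tuple(internals), gates
        self.sig, self.trans = self.ext + self.internals, spec_trans  # (s, v, s') triples
        self.states = sorted({s for s, _, _ in spec_trans} | {t for _, _, t in spec_trans})
        self.all_q = [dict(zip(self.sig, b)) for b in product((0, 1), repeat=len(self.sig))]
        # FI(u): the signals f_u depends on, plus u itself (assumed fanin convention;
        # a gate without feedback then meets the self term of s-monotonic trivially).
        self.fi = {u: {w for w in self.sig if any(f(q) != f(bitcomp(q, w)) for q in self.all_q)}
                   | {u} for u, f in gates.items()}

    def excited(self, q, u):
        return self.gates[u](q) != q[u]

    def extend(self, s):
        """Externals from s, internal signals settled (assumes acyclic internal logic)."""
        q = dict(zip(self.ext, s), **{u: 0 for u in self.internals})
        for _ in self.internals:
            q = {**q, **{u: self.gates[u](q) for u in self.internals}}
        return q

    def ext_eval(self, u, s):
        return self.gates[u](self.extend(s))

    def cubes(self):
        """CA(s) and CA(s, v): smallest cubes over the internal signals covering the aligned
        states of s, resp. those of s from which v can fire (explicit enumeration: internals
        fire freely, an output only along an SG transition; feasible for tiny circuits only)."""
        q0 = self.extend(self.trans[0][0])
        al, seen = [q0], {tuple(q0.values())}
        for q in al:                                   # the list grows while iterated
            s = tuple(q[x] for x in self.ext)
            for u in self.internals + tuple(v for s1, v, _ in self.trans if s1 == s):
                q2 = bitcomp(q, u)
                if self.excited(q, u) and tuple(q2.values()) not in seen:
                    seen.add(tuple(q2.values())); al.append(q2)
        grp = {s: [q for q in al if tuple(q[x] for x in self.ext) == s] for s in self.states}
        grp.update({(s, v): [q for q in grp[s] if self.excited(q, v)] for s, v, _ in self.trans})
        return {k: {u: vs.pop() if len(vs) == 1 else X for u in self.internals
                    for vs in [{q[u] for q in g}]} for k, g in grp.items()}

    def stable(self, u, c):
        return u in self.ext or c[u] != X

    def cube_states(self, c, s):  # CtoQ(c, s)
        free = [u for u in self.internals if c[u] == X]
        base = dict(zip(self.ext, s), **{u: c[u] for u in self.internals if c[u] != X})
        return [{**base, **dict(zip(free, b))} for b in product((0, 1), repeat=len(free))]

    def encouraging(self, w, u, s):
        f, eu, ew = self.gates[u], self.ext_eval(u, s), self.ext_eval(w, s)
        return w in self.fi[u] and all(f(bitcomp(q, w)) == eu
                                       for q in self.all_q if q[w] != ew and f(q) == eu)

    def insensitized(self, w, u, s, c):
        f = self.gates[u]
        return w in self.fi[u] and all(f(q) == f(bitcomp(q, w)) for q in self.cube_states(c, s))

    def s_monotonic(self, u, s, ca):
        return all(self.stable(w, ca[s]) or self.encouraging(w, u, s)
                   or self.insensitized(w, u, s, ca[s]) for w in self.fi[u])

    def t_monotonic(self, u, s, v, ca):
        return v not in self.fi[u] or self.encouraging(v, u, s) or self.insensitized(v, u, s, ca[s, v])

    def check(self):
        """Theorem 2's obligations on every signal of N ∪ O; [] means all of them hold."""
        ca, bad = self.cubes(), []
        for s in self.states:
            bad += [("s-monotonic", u, s) for u in self.gates if not self.s_monotonic(u, s, ca)]
        for s, v, s2 in self.trans:
            for u in self.gates:
                if self.ext_eval(u, s) == self.ext_eval(u, s2):
                    if not self.t_monotonic(u, s, v, ca):
                        bad.append(("t-monotonic", u, s, v))
                elif not self.stable(u, ca[s, v]):  # acknowledged(u, s, s')
                    bad.append(("acknowledged", u, s, v))
        return bad


# Constructed inputs.  RING: the 3-inverter ring oscillator of Fig. 4 (output a = !c,
# internal b = !a, c = !b; the SG only toggles a).  HANDOFF adds the hand-off of Section 6:
# output y = !a OR p with p = a must hold 1 while a rises, but y's driver passes from !a
# (falling) to p (rising) and p rises only after a does, so nothing acknowledges it first.
RING = SICheck(("a",), ("b", "c"),
               {"a": lambda q: 1 - q["c"], "b": lambda q: 1 - q["a"], "c": lambda q: 1 - q["b"]},
               [((0,), "a", (1,)), ((1,), "a", (0,))])
HANDOFF = SICheck(("a", "y"), ("b", "c", "p"),
                  {"a": lambda q: 1 - q["c"], "y": lambda q: (1 - q["a"]) | q["p"],
                   "b": lambda q: 1 - q["a"], "c": lambda q: 1 - q["b"], "p": lambda q: q["a"]},
                  [((0, 1), "a", (1, 1)), ((1, 1), "a", (0, 1))])
```

`RING.check()` returns an empty list. `HANDOFF.check()` reports that $y$ is not $t$-$monotonic$ on the transition in which $a$ rises, and that $p$ is not acknowledged on either transition of $a$: exactly the hand-off of Section 6, since $p$ has not risen (and cannot have, as it follows $a$) when the driver $\neg a$ falls, and $p$ is still X in the transition cube $CA(s, a)$. $encouraging$ is evaluated by brute force over all $2^{|A_{Impl}|}$ implementation states; as the text notes, it depends only on the gate type and the external evaluations and could be hard-coded per basic gate.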

6 Applications and conclusions

The conditions developed for correctness have a number of applications. First, they give insight into the causes of hazards in complex speed-independent circuits. These insights are sufficiently formalized to provide a theoretical framework for an efficient verification algorithm and to facilitate rigorous proofs that synthesis algorithms are correct and logic optimizations are correctness preserving.

The acknowledgement condition formalizes and generalizes the notion of absence of delay hazards first developed by Armstrong [1] and later used by Unger [17]. The generalization allows the condition to be applied to arbitrary netlists of basic gates rather than only to sum-of-products forms, and applies it to arbitrary regions of states that form a request rather than simply to a sequence of input states. The results concerning monotonicity highlight useful intuition behind hazards. They state that the only source of violations of monotonicity is a hand-off in the request of a signal. Consider an OR gate that is requested to go high, in which the responsibility for driving the OR gate is transferred between two inputs: the initial driving input is requested to go low after a second input is requested to go high. To ensure monotonicity, the second input must be guaranteed to rise before the first input has a chance to fall. Our sufficient conditions for correctness require that the second input be stable before the first input is requested to fall. This means that the exchange between inputs must be separated by an output transition that acknowledges the rising input. The condition is only sufficient because in a correct circuit this ordering need not be enforced by a separating output transition. Our results generalize this basic intuition to fairly arbitrary netlists of gates.

We have implemented an efficient algorithm that finds the smallest cube approximation and checks the sufficient conditions for correctness. The algorithm has linear-time complexity with respect to both the size of the circuit and the implementation for a broad class of circuits [2, 6]. Our empirical results, depicted in Table 1, demonstrate that our tool performed conservative verification over three orders of magnitude faster than the current state-of-the-art tool AVER [8] on sufficiently large circuits, and allowed verification of other, significantly larger circuits that caused AVER to run out of space.
While false-negative verification results (a correct circuit that fails the sufficient conditions) are theoretically possible using our tool, none were found in our large benchmark of circuits. In addition, our verification tool indicates the specification states in which problems may occur. This information can guide explicit-state exact verification algorithms to search essentially only those specification states, dramatically reducing the cost of exact verification. These results imply that for a broad class of speed-independent circuits, the external signals capture the essential behavior of the circuit. Hence, like traditional synchronous circuits, the state of such a circuit is captured by a small subset of the circuit's signals. Finally, we have used these results to prove that the synthesis algorithm presented in [3] generates correct speed-independent circuits and to show that the logic optimizations described in [5] are correctness preserving [6]. Unlike traditional definitions of hazards, our conditions provide a mathematical criterion at essentially the same level of abstraction as our specification. Given this, we can provide intuitive and rigorous proofs that our algorithms generate circuits that satisfy these conditions, providing for provably-correct synthesis. These conditions can also be used to prove the correctness of the algorithms presented by Lin et al. [13] and the accuracy of the conditions on correctness developed by Kondratyev et al. [11].

Table 1: Application of the sufficient conditions in an efficient circuit verifier (comparative verification CPU time results). |N| is the number of internal signals, |A_Impl| the number of implementation signals, |Σ| the number of specification states, and |Q| the number of states explored by AVER.

                                      Our tool                   AVER
Circuit          |N|  |A_Impl|   |Σ|   CPU time        |Q|       CPU time
mp-forward-pkt     5     18       22    0.03 sec.          70    2.4 sec.
ram-read-sbuf      5     22       39    0.04 sec.         148    3.2 sec.
sbuf-send-pkt2     8     22       26    0.04 sec.         332    3.2 sec.
vbe6a              8     24      192    0.25 sec.       2,448   16.2 sec.
vbe10b             8     26      256    0.40 sec.       3,492   31.1 sec.
wrdatab           12     28      216    0.31 sec.       8,976    1 min. 8 sec.
pe-rcv-ifc        29     47      127    0.13 sec.      27,131    4 min. 42 sec.
pe-send-ifc       28     43      117    0.25 sec.      43,296    8 min. 29 sec.
tsbmsi            12     40    1,024    2.08 sec.      50,208   13 min. 47 sec.
tsbmsi-brk        21     82    4,730   17.1 sec.    > 109,000   ??? (ran out of space)

Acknowledgements

We would like to acknowledge Chris Myers and Polly Siegel of Stanford University for numerous insightful discussions on improving the presentation of this work. We also would like to thank David Dill of Stanford University for his steady support and helpful advice.

References

[1] D. B. Armstrong, A. D. Friedman, and P. R. Menon. Design of asynchronous circuits assuming unbounded gate delays. IEEE Transactions on Computers, C-18(12):1110-1120, December 1969.

[2] P. A. Beerel, J. R. Burch, and T. H.-Y. Meng. Efficient verification of determinate speed-independent circuits. In Proceedings IEEE 1993 ICCAD Digest of Technical Papers, pages 261-267, 1993.

[3] P. A. Beerel and T. H.-Y. Meng. Automatic gate-level synthesis of speed-independent circuits. In Proceedings IEEE 1992 ICCAD Digest of Technical Papers, pages 581-586, 1992.

[4] P. A. Beerel and T. H.-Y. Meng. Semi-modularity and testability of speed-independent circuits. INTEGRATION, the VLSI journal, 13(3):301-322, September 1992.

[5] P. A. Beerel and T. H.-Y. Meng. Logic transformations and observability don't cares in speed-independent circuits, 1993. In collection of papers of the ACM International Workshop on Timing Issues in the Specification of and Synthesis of Digital Systems.

[6] Peter A. Beerel. CAD Tools for the Synthesis, Verification, and Testability of Robust Asynchronous Circuits. PhD thesis, Stanford University, August 1994.

[7] T.-A. Chu. Synthesis of Self-Timed VLSI Circuits from Graph-theoretic Specifications. PhD thesis, Massachusetts Institute of Technology, 1987.

[8] D. L. Dill. Trace Theory for Automatic Hierarchical Verification of Speed-Independent Circuits. ACM Distinguished Dissertations, 1989.

[9] J. C. Ebergen. A verifier for network decompositions of command-based specifications. In Proc. of the 26th Annual HICSS, pages 310-318. IEEE Computer Society Press, 1993.

[10] M. A. Kishinevsky, A. Y. Kondratyev, A. R. Taubin, and V. I. Varshavsky. Concurrent Hardware: The Theory and Practice of Self-Timed Design. John Wiley & Sons Ltd., 1993. (To appear).

[11] A. Kondratyev, M. Kishinevsky, B. Lin, P. Vanbekbergen, and A. Yakovlev. On the conditions for gate-level speed-independence of asynchronous circuits, 1993. In collection of papers of the ACM International Workshop on Timing Issues in the Specification of and Synthesis of Digital Systems.

[12] L. Lavagno. Synthesis and Testing of Bounded Wire Delay Asynchronous Circuits from Signal Transition Graphs. PhD thesis, University of California, Berkeley, 1992.

[13] K.-J. Lin and C.-S. Lin. Automatic synthesis of asynchronous circuits. In Proc. ACM/IEEE Design Automation Conference, pages 296-301. IEEE Computer Society Press, 1991.

[14] A. J. Martin. Programming in VLSI: from communicating processes to delay-insensitive VLSI circuits. In C. A. R. Hoare, editor, UT Year of Programming Institute on Concurrent Programming. Addison-Wesley, 1990.

[15] R. E. Miller. Switching Theory, Volume II: Sequential Circuits and Machines. Wiley, New York, 1965.

[16] David E. Muller and W. S. Bartky. A theory of asynchronous circuits. In Proceedings of an International Symposium on the Theory of Switching, pages 204-243. Harvard University Press, April 1957.

[17] S. H. Unger. Asynchronous Sequential Switching Circuits. New York: Wiley-Interscience, 1969. (Re-issued by R. E. Krieger, Malabar, 1983).

[18] C. H. (Kees) van Berkel. Handshake Circuits: An Intermediary between Communicating Processes and VLSI. PhD thesis, Eindhoven University of Technology, 1992.