
REASONING ABOUT DIGITAL SYSTEMS USING TEMPORAL LOGIC

S. Bapat* and G. Venkatesh**

* Dept. of Computer Sc. & Engg., Indian Institute of Technology, Bombay.
** Solid State Electronics Group, Tata Institute of Fundamental Research, Bombay.
ABSTRACT

Temporal logic is proposed as a medium to describe the timing behaviour of digital systems. Queries on the timing properties of the digital systems can then be answered by testing the satisfiability of appropriately constructed temporal formulae. We suggest ways of improving the standard tableau method of testing the satisfiability of these formulae, and discuss results obtained from an implementation of this method. We claim that this can serve as a designer's assistant to debug designs.
INTRODUCTION

The objective of analysing a design for errors before committing it to hardware has always been a major goal of design automation. The immediate solution which has been in use so far is simulation. While a simulator can detect errors in the design, it cannot convince the designer that his/her design is error free. To be so convinced, he/she has to simulate the design over all possible input streams, which even for reasonably small designs is prohibitively large.

The issues of modelling a design and validating its behaviour strongly resemble the problems of specification and verification of program behaviour. The success of formal techniques in analysing the behaviour of programs leads one to believe that hardware systems can benefit from a more formal approach to the understanding of their behaviour. The last few years have seen a growth in the use of formal methods, notably temporal logic, in the analysis of digital systems.

Temporal logic is a special branch of logic that deals with the development of situations in time. Whereas ordinary propositional logic is adequate for describing a static situation, propositional temporal logic enables us to discuss how a situation changes due to the passage of time. The medium of temporal logic is used to make assertions about the system, which are verified against the model of the system, which is typically a state diagram. The model is obtained either by simulation or from a specification in another language [3]. A much better approach is to model the system behaviour itself in temporal logic. This leads to a more precise formulation of the problem and has the added advantage that different models can be analysed before they are used.

In this paper, we explore the use of propositional linear time temporal logic [6] in the specification of digital systems. The behaviour of the system is represented by a temporal formula, say f, and an assertion about the system by another formula, say g. The verification problem then reduces to checking if $f \wedge \neg g$ (f and not g) has a model or not. A model for this formula is a counter example which can be used to debug the system. Thus the key to analysis lies in an efficient procedure for checking if a temporal formula is satisfiable (i.e. if it has a model). To this end, we modify the tableau procedure for deciding satisfiability, so that in one depth-first pass a model is extracted if it exists.
PROPOSITIONAL TEMPORAL LOGIC

Propositional linear time temporal logic is an extension of the classical propositional logic (Boolean Algebra) with the following temporal operators added to reason about time: $\bigcirc$ (next), $\Box$ (henceforth), $\Diamond$ (eventually), and $\mathcal{U}$ (until). Temporal formulae are constructed from propositional variables, boolean connectives $\wedge$ (and), $\vee$ (or), $\neg$ (not), $\rightarrow$ (implies), and the temporal operators. E.g. $P_a$ is a propositional variable which stands for "node a has the value 1". Assuming two-valued logic, $\neg P_a$ then stands for "node a has the value 0".

23rd Design Automation Conference, Paper 12.1. 0738-100X/86/0000/0215$01.00 © 1986 IEEE. 215

The meaning of the operators is as follows:

$\bigcirc f$ means at the next instant of time f is true.
$\Box f$ means f is true from now onwards.
$\Diamond f$ means f is true at some time in the future.
$f\,\mathcal{U}\,g$ means g is true at some time in the future and f is true from now on till then.

Using these operators one can model complex timing behaviour of digital systems. E.g. a specification that "node a going from low to high forces node b to go from high to low after a finite delay" can be stated as

$\Box((\neg P_a \wedge \bigcirc P_a) \rightarrow \Diamond(P_b \wedge \bigcirc \neg P_b))$

An AND gate with unit delay (with inputs a, b and output c) can be specified as

$\Box((P_a \wedge P_b) \rightarrow \bigcirc P_c) \wedge \Box((\neg P_a \vee \neg P_b) \rightarrow \bigcirc \neg P_c)$

More complex constructs like 'while', 'latched while', 'unless', and finite length time intervals can easily be specified from the simple temporal operators. E.g. 'f while g' is specified by

$f\,\mathcal{U}\,(\neg g) \vee \Box(f \wedge g)$

and 'f latched while g' by

$f \rightarrow (f \text{ while } g)$.

Consider the following constraints for a (FIFO) queue element [5]:

- A new request should not be given unless the acknowledgement to the previous signal has arrived.
- If a request is given then an acknowledgement will eventually be provided.

These are specified by

$\Box((Req \wedge \neg Ack) \rightarrow (Req \text{ while } \neg Ack))$

and

$\Box((Req \wedge \neg Ack) \rightarrow \Diamond Ack)$

respectively.

To model more complex systems like finite state machines, we may use new auxiliary propositional variables, $q_s$, to stand for 'the system is in state s'. A transition from state s to state t on inputs determined by a propositional formula f is specified by

$\Box((q_s \wedge f) \rightarrow \bigcirc q_t)$.

THE VERIFICATION PROBLEM
Suppose a system S is composed of subsystems $S_1, S_2, \ldots, S_n$. If $f_i$ is a temporal formula describing $S_i$, $i = 1, 2, \ldots, n$, and f is an assertion about S, then the verification problem can be stated as checking the validity of the formula g, given by

$f_1 \wedge \ldots \wedge f_n \rightarrow f$.

This can be achieved by checking the unsatisfiability of $\neg g$: since, if there are no examples of cases satisfying $\neg g$, then g should be true for all cases and is hence valid. But $\neg g$ is $\neg(\neg f_1 \vee \ldots \vee \neg f_n \vee f)$, which is equivalent to $f_1 \wedge \ldots \wedge f_n \wedge \neg f$. Hence the verification problem reduces to checking the unsatisfiability of a conjunction of formulae.

The standard method of testing satisfiability of a temporal formula is the tableau method. This method relies on the fact that a temporal formula corresponds to a state diagram. We make this more clear in the following.

Suppose we are given a temporal formula, say $\Box(P \rightarrow \Diamond Q)$. Since $\Box f$ is equivalent to saying that "f is true now and f is true from the next instant onwards", we have the identity

$\Box f \equiv f \wedge \bigcirc \Box f$.

Similarly, we have for a propositional variable P

$\Diamond P \equiv P \vee (\neg P \wedge \bigcirc \Diamond P)$

which stands for "either P is true now, or P is false now but P is true sometime in the future". Using these identities, we can reduce

$\Box(P \rightarrow \Diamond Q) \equiv (P \rightarrow \Diamond Q) \wedge \bigcirc \Box(P \rightarrow \Diamond Q)$
$\equiv (\neg P \vee Q \vee (\neg Q \wedge \bigcirc \Diamond Q)) \wedge \bigcirc \Box(P \rightarrow \Diamond Q)$
$\equiv ((\neg P \vee Q) \wedge \bigcirc \Box(P \rightarrow \Diamond Q)) \vee (\neg Q \wedge \bigcirc(\Diamond Q \wedge \Box(P \rightarrow \Diamond Q)))$

Also,

$\Diamond Q \wedge \Box(P \rightarrow \Diamond Q) \equiv (Q \vee (\neg Q \wedge \bigcirc \Diamond Q)) \wedge \Box(P \rightarrow \Diamond Q)$
$\equiv (Q \wedge \Box(P \rightarrow \Diamond Q)) \vee (\neg Q \wedge P \wedge \bigcirc(\Diamond Q \wedge \Box(P \rightarrow \Diamond Q)))$

So we have the following 'state diagram' for $\Box(P \rightarrow \Diamond Q)$ (state 1 corresponds to $\Box(P \rightarrow \Diamond Q)$ and state 2 to $\Diamond Q \wedge \Box(P \rightarrow \Diamond Q)$; the figure itself is not reproduced in this text).

Note that all infinite paths starting from state 1 are not necessarily models of $\Box(P \rightarrow \Diamond Q)$. The path ending with the infinite loop on the edge labelled $P \wedge \neg Q$ will not satisfy the $\Diamond Q$ in state 2. Hence a model in the state diagram is an infinite path such that whenever it has a node containing $\Diamond Q$, it passes through an edge labelled with Q afterwards. We will denote this path condition by (*).

For formulae containing subformulae of the form $\Diamond h$ where h is not propositional, or subformulae of the form $g\,\mathcal{U}\,h$, we first 'rename' these subformulae by new auxiliary propositional variables and add new conjuncts to the whole formula which represent the meaning of these variables. For example, consider the formula $f \vee (g\,\mathcal{U}\,h)$ in which $g\,\mathcal{U}\,h$ occurs as a subformula. We first replace $g\,\mathcal{U}\,h$ by a new propositional variable p to obtain

$(f \vee p) \wedge \Box(p \rightarrow \Diamond h) \wedge \Box(p \rightarrow (h \vee (g \wedge \bigcirc p)))$

and then replace h by a new propositional variable q to obtain

$(f \vee p) \wedge \Box(p \rightarrow \Diamond q) \wedge \Box(q \rightarrow h) \wedge \Box(p \rightarrow (h \vee (g \wedge \bigcirc p)))$.

It is easy to see that these renamings do not change the meaning of the formulae [9].
THE ALGORITHM

Since we need find only one infinite path satisfying the path condition (*) to obtain a counter example, we need not generate the whole state diagram beforehand. The idea is to do one depth first pass in which the temporal formulae in a node are expanded, one descendent node is chosen which is expanded, and so on. The depth first expansion terminates in a loop when a node previously created is obtained through expansion. The procedure then backtracks, collecting all the propositional formulae on the edges of the strongly connected component (SCC) that is being created. We keep track of the strongly connected components by the usual method of numbering nodes. As soon as we reach a node where all eventualities are satisfied by the accumulated propositional formulae, we stop and report a model; the user can then see the model, save it and stop, or continue generation of the next model if he is not satisfied with this one.

To increase efficiency the propositional formulae are stored in sum of products form as integer strings, and all boolean operations are done by integer bit manipulations. The formulae appearing in the scope of a $\Box$ or $\bigcirc$ (i.e. those f occurring as $\Box f$ or $\bigcirc f$) are stored after expansion, so that later references to these can simply be retrieved from storage.

The informal algorithm is as follows. Create a node labelled with $\neg g$, where g is the temporal formula whose validity is to be checked. 'Expand' returns a list of pairs $(\bar{f}_i, \bar{n}_i)$ where $\bar{f}_i$ is a propositional formula and $\bar{n}_i$ is a temporal formula corresponding to a descendent node. The edges and nodes corresponding to $\bar{f}_i$ and $\bar{n}_i$ are $f_i$ and $n_i$ respectively. The global variable fscc accumulates all the propositional formulae on edges in a strongly connected component, and $\bar{g}$ is the disjunction of all propositional formulas on edges leading to nodes in the same strongly connected component as $n_i$. A node is called the root-node of a strongly connected component if its depth-first number is the smallest of all nodes in the strongly connected component.

proc dfs (n: node);
begin
    l <- Expand(n);
    if l = nil then delete node n;
    for all elements (f̄i, n̄i) in l do
    begin
        if ni exists then
            create an edge labelled f̄i from n to ni;
            if ni belongs to a strongly connected component other than the one
               containing n, and the eventualities in that strongly connected
               component are satisfied
            then report a model
            else fscc <- fscc ∨ f̄i
            endif
        else
            create a new node ni for n̄i and an edge labelled f̄i from n to ni;
            dfs(ni);
            fscc <- fscc ∨ ḡ
        endif
    end;
    if n is a root node then fscc <- nil
end
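As an added example (not the paper's VALID program, whose Pascal source is not on the page), the following Python sketch implements the scheme of the previous two sections: tableau expansion with the identities $\Box f \equiv f \wedge \bigcirc\Box f$ and $\Diamond f \equiv f \vee \bigcirc\Diamond f$, a depth-first construction of the state diagram with Tarjan's SCC numbering standing in for the fscc accumulation, and the reduction of $f_1 \wedge \ldots \wedge f_n \rightarrow f$ to the unsatisfiability of $f_1 \wedge \ldots \wedge f_n \wedge \neg f$, applied to the paper's unit-delay AND gate. The tuple encoding, the function names and the assertions checked are my own assumptions; eventualities are discharged directly on edges instead of renaming non-propositional $\Diamond h$, and in the comments `[]`, `<>` and `O` stand for $\Box$, $\Diamond$ and $\bigcirc$.

```python
# Added example (not the paper's VALID program): a minimal tableau-based
# satisfiability checker for propositional linear-time temporal logic in the
# style described above. A node (a set of formulas) is expanded with
# []f = f & O[]f and <>f = f | O<>f into (edge literals, next node) pairs; a
# depth-first search builds the state diagram and accepts a strongly connected
# component only if every <>h carried by its nodes is discharged on an edge
# inside it (path condition (*)). Formulas are tuples in negation normal form:
# ("p", a), ("not", a), ("and", f, g), ("or", f, g), ("X", f), ("G", f), ("F", f).
import functools
def expand(node, done=frozenset()):
    # Returns [(edge literals, next node, eventualities discharged on this edge)].
    for f in node:
        if f[0] in ("and", "or", "G", "F"):
            rest = node - {f}
            if f[0] == "and": return expand(rest | {f[1], f[2]}, done)
            if f[0] == "or":
                return expand(rest | {f[1]}, done) + expand(rest | {f[2]}, done)
            if f[0] == "G": return expand(rest | {f[1], ("X", f)}, done)  # []g = g & O[]g
            # <>h = h | O<>h: satisfy h now (discharging <>h) or postpone it
            return expand(rest | {f[1]}, done | {f}) + expand(rest | {("X", f)}, done)
    lits = frozenset(f for f in node if f[0] != "X")
    if any(("not", p) in lits for t, p in lits if t == "p"):
        return []                     # p and ~p on one edge: dead branch
    return [(lits, frozenset(f[1] for f in node if f[0] == "X"), done)]

def satisfiable(formula):
    index, low, stack, edges, found = {}, {}, [], {}, [False]
    def dfs(v):                       # Tarjan's SCC numbering over the tableau
        index[v] = low[v] = len(index)
        stack.append(v); edges[v] = expand(v)
        for _, w, _ in edges[v]:
            if w not in index:
                dfs(w); low[v] = min(low[v], low[w])
            elif w in stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:        # v is the root node of its SCC: pop it
            scc = set(stack[stack.index(v):]); del stack[stack.index(v):]
            inner = [d for u in scc for _, w, d in edges[u] if w in scc]
            wanted = {f for u in scc for f in u if f[0] == "F"}
            if inner and all(any(f in d for d in inner) for f in wanted):
                found[0] = True       # a loop that meets every eventuality: a model
    dfs(frozenset([formula]))
    return found[0]

def valid(system, neg_assertion):
    # The paper's reduction: f1 & ... & fn -> f is valid iff f1 & ... & fn & ~f is unsat.
    return not satisfiable(functools.reduce(lambda c, f: ("and", f, c), system, neg_assertion))
# Constructed example: the paper's unit-delay AND gate (inputs a, b, output c): []((Pa & Pb) -> O Pc) & []((~Pa | ~Pb) -> O ~Pc).
AND_GATE = [("G", ("or", ("or", ("not", "a"), ("not", "b")), ("X", ("p", "c")))),
            ("G", ("or", ("and", ("p", "a"), ("p", "b")), ("X", ("not", "c"))))]
```

With the gate as the system, the assertion $\Box(P_a \wedge P_b) \rightarrow \Diamond P_c$ is valid, whereas $\Box(P_a \wedge P_b) \rightarrow P_c$ is not, since $P_c$ is unconstrained at the first instant; `satisfiable` returns True for the paper's $\Box(P \rightarrow \Diamond Q)$ and False for $\Diamond Q \wedge \Box \neg Q$.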
RESULTS AND CONCLUSIONS

The above algorithm has been implemented in Pascal on a VAX 11/780 at TIFR. The program (called VALID: Verification and Analysis of Logic Design) takes between 10 to 25 seconds to verify each constraint of the FIFO queue element [7]. It is generally noticed that the order in which the conjuncts of $f_1 \wedge \ldots \wedge f_n \wedge \neg f$ are given is crucial for obtaining quick results, and a preprocessor which uses some 'refinement' techniques [3] to reorder the conjuncts can be very useful. The method is general and can be used for answering queries about a digital system by appropriately constructing a temporal formula to represent the query.
REFERENCES

[1] G. V. Bochmann, "Hardware Specification with Temporal Logic: An Example," IEEE Transactions on Computers, Vol. C-31, No. 3, March 1982.

[2] M. Browne, E. Clarke, D. Dill and B. Mishra, "Automatic Verification of Sequential Circuits using Temporal Logic," Technical Report CMU-CS-85-100, Department of Computer Science, Carnegie-Mellon University, 1985.

[3] M. Fujita, H. Tanaka, and T. Moto-oka, "Verification with Prolog and Temporal Logic," Proc. Computer Hardware Description Languages and their Applications, North Holland, Amsterdam, 1983.

[4] Kurt Mehlhorn, "Data Structures and Algorithms 2: Graph Algorithms and NP-Completeness," Springer-Verlag, Berlin.

[5] Y. Malachi and S. S. Owicki, "Temporal Specifications of Self-Timed Systems," in VLSI Systems and Computations, H. T. Kung et al., eds., Computer Science Press, Rockville, Md., 1981, pp. 203-212.

[6] Z. Manna and A. Pnueli, "Verification of Concurrent Programs: The Temporal Framework," in The Correctness Problem in Computer Science, R. S. Boyer and J. S. Moore, eds., Academic Press, New York, 1981, pp. 215-273.

[7] C. A. Mead and L. A. Conway, "Introduction to VLSI Systems," Addison-Wesley, Reading, MA, 1980, Ch. 7.

[8] B. Moszkowski, "Reasoning About Digital Circuits," Tech. Report STAN-CS-83-970, Stanford University, 1983.

[9] G. Venkatesh, "A Decision Method for Temporal Logic based on Resolution," Proc. Foundations of Software Technology and Theoretical Computer Science, New Delhi, Dec. 1985, Lecture Notes in Computer Science 206, Springer-Verlag, Berlin, 1985.

[10] P. Wolper, "Temporal Logic Can Be More Expressive," Information and Control, Vol. 56, No. 1/2, Jan/Feb, pp. 72-95.