# A Novel Formalization of Symbolic Trajectory Evaluation Semantics in Isabelle/HOL 

Yongjian Li^a, William N. N. Hung^b, Xiaoyu Song^c

^a State Key Laboratory of Computer Science, Institute of Software, Chinese Academy of Sciences, Beijing, China
^b Synopsys Inc., Mountain View, California 94043, USA
^c Dept. ECE, Portland State University, Portland, Oregon 97207, USA


#### Abstract

This paper presents a formal symbolic trajectory evaluation theory based on a structural netlist circuit model, instead of an abstract next state function. We introduce an inductive definition for netlists, which gives an accurate and formal definition for netlist structures. A closure state function of netlists is formally introduced in terms of the formal netlist model. We refine the definition of defining trajectory and the STE implementation to deal with the closure state function. The close correspondence between netlist structures and properties is discussed. We present a set of novel algebraic laws to characterize the relation between structures and properties of netlists. Finally, the application of the new laws is demonstrated by parameterized verification of properties of content addressable memories.


## 1. Introduction

Symbolic trajectory evaluation (STE) is an efficient formal hardware verification method that grew out of the combination of multi-valued simulation and symbolic simulation [1]. It has shown great promise in verifying medium- to large-scale industrial hardware designs with a high degree of automation. STE has been in active use at Intel, Motorola and IBM. At Intel, for instance, STE was used to verify a floating point arithmetic unit against IEEE standard 754 and a complex IA instruction length decoder unit [2, 3]. In addition, the FORTE formal hardware verification tool, which combines STE with theorem proving in a higher-order logic, has been developed at Intel [4].

In the classical STE literature, a circuit is a set of logic gates and storage elements connected by nodes (wires). A state of the circuit is a function from its nodes to their values. The behaviour of the circuit is commonly modelled by an abstract next-state function, usually written Y [1, 5]. Given the state of the nodes at the current time, Y returns the state of the nodes at the next time. For convenience, we informally call these classical semantics Y-semantics. However, the classical work does not formally explain how the Y function is derived from a netlist structure. Moreover, a next-state function only expresses a relation between nodes at successive points in time, ignoring the relation between nodes of the circuit at the same time point. Therefore, a semantics based on next-state functions cannot deal with assertions that relate circuit nodes at the same time point.


Figure 1: A netlist example
For instance, consider the 2-bit comparator circuit drawn with Quartus II [6] in Figure 1. The circuit consists of two XNOR gates and an AND gate. Assuming that the delay of every gate is zero, if the input pins $a_{0}, b_{0}, a_{1}, b_{1}$ of the circuit are driven with the new values $0, 0, 1, 1$, then the nodes $c_{0}, c_{1}$, out should become $1, 1, 1$ immediately, not at the next time point. Because this change of node values completes within the current time point, it is very cumbersome for a Y-semantics to capture it, since a Y-semantics only describes state transitions between successive time points.

Recently Roorda and Claessen clarified the semantics of STE model checking by providing a closure semantics [7, 8]. The closure semantics of STE takes as input a state of the circuit and calculates all information about the circuit state at the same point in time that can be derived by propagating the information in the input state in a forwards fashion. The definition of defining trajectory and the STE implementation are then refined to deal with closure functions rather than the next-state function. However, they did not formally define the structure of a netlist. Their definition is only a sketchy description of the properties a circuit must have, namely that there is neither a cycle in the combinational part nor a name conflict between the output nodes of two gates; it does not say how the circuit is constructed. From such a definition it is very difficult to formalize the closure function of a circuit naturally as a primitive recursive or total recursive function. In addition, many interesting properties of circuits are closely related to their structure. For example, the output node of an AND gate is low whenever one of its input nodes is driven low. A good netlist formalization is a base on which such properties can be conveniently explored. To sum up, a formalization of netlist structures is the base of an STE theory framework with a netlist computational model.

### 1.1. Our Contribution

The main contributions of this paper are twofold. The first is to continue to develop a formal STE theory based on a netlist computation model. Our work gives a more formal closure semantics which faithfully explains how an STE model checker (or symbolic simulator) works. We not only formally explain how a next-state function Y is derived from a netlist structure, but also deal with combinational properties. This semantics has the netlist as a solid background, and therefore makes STE easier to understand formally.

- We introduce an inductive definition for netlists. It not only provides an accurate and constructive formulation of a netlist, but also introduces an effective and rigorous technique, rule induction, for proving properties of netlists. In particular, we use the induction principle on the structure of netlists to formally prove that the output of a logical entity in a netlist is uniquely defined.
- We formally define the closure semantics of netlists based on the formal netlist model. The simulation result of a netlist in a driven state is defined as a relation between nodes and values. The relation is formally proved to be single-valued, and is used to derive the closure function of the netlist on driven states.
- We refine the definition of defining trajectory and the STE implementation to deal with the newly introduced closure functions.
- We introduce symmetry between netlist structures in our formal netlist model, and relate it to symmetry between STE assertions. We prove the close correspondence between the two kinds of symmetry. This result resembles the symmetry reduction methodology shown in [9].
- We show a set of algebraic laws which relate a netlist structure to its properties. These laws can be seen as an algebraic semantics for STE, and can be used to verify interesting STE trajectory assertions on circuit netlists.

The second contribution is to formalize the STE theory in a theorem prover, with the hope that the theoretical improvement makes it feasible to mechanize the fundamental STE theory based on a netlist circuit model. By using a theorem prover to formalize the meta-theory of STE, we hope to raise the standard of rigor of, and hence our confidence in, STE. We formalize our theory in Isabelle/HOL, the instantiation of the generic theorem prover Isabelle to higher-order logic [10]. The formalized theories are available in [11]. Isabelle/HOL is appropriate because of its support for inductively defined sets and its automatic tools. However, the fact that we used Isabelle is not essential to the topic: the formalization proposed in this work can also be carried out in other higher-order theorem provers such as PVS and Coq.

### 1.2. Related Work

Besides inheriting the closure semantics proposed in [7, 8], our work is also closely related to [12, 13, 14, 15, 16]. The works in [12, 13, 14] demonstrated that higher-order logic is well suited to modelling and reasoning about hardware, which is why we use higher-order logic to formalize the STE theory. The work in [15] outlined the theoretical foundation for linking the general logic of STE with higher-order logic. Its main result is a formal translation from trajectory evaluation's temporal operators over lattices to a shallow embedding of the temporal operators over Boolean streams; any result verified by the trajectory evaluation algorithm then holds in the relational world. In [16], Darbari gave a machine-checked formalization in HOL of the theory described in [3], and extended it by proving the soundness of a symmetry reduction method in his framework [17]. The above work provides a formal framework for the lattice values and for the syntax and semantics of trajectory formulas, and we reuse these formalization techniques. But all of this work formalizes a kind of Y-semantics in which a circuit is modelled by an abstract next-state function Y.

In [18, 19, 20, 21, 22], functional programming languages have been advocated for hardware verification. In particular, useful insights into using inductive data types to describe circuit structures formally are provided by the work on $\mu \mathrm{fp}$ [18], Hydra [19, 20] and Lava [21]. Other features of a functional language such as Haskell (monads, type classes, polymorphism and higher-order functions) are employed in these works to model, verify and implement circuits. However, combinational cycles and name conflicts between different entities must be excluded from a legal netlist structure, and it is not easy to capture these two requirements directly with an inductive data type. Instead, we use an inductively defined set to model all legal netlists; the corresponding introduction rules formally specify the requirements that must hold when a legal netlist is constructed.

Our formalization technique for the closure semantics is inspired by the work of Nipkow and Paulson in [23, 24]. Nipkow proposed an inductive approach to formalizing the first 100 pages of Winskel's textbook [25], which cover the operational, denotational and axiomatic semantics of an imperative language called IMP. For instance, the natural semantics of IMP is inductively defined as a set of configurations, each of which is a triple. We borrow this induction principle to specify the closure semantics of a netlist formally: we define the simulation result of a netlist by a relation which is an inductively defined set of pairs of nodes and values. Furthermore, we use the technique proposed in [24] to define the unique closure function from this relation, and prove that the function is well defined because the closure relation is single-valued.

In the classical STE literature, some laws have already been introduced to decompose a complex STE assertion [1, 17]. However, these laws hold for any circuit and cannot relate the properties of a circuit to its particular structure, because circuit structures were not formalized. In contrast, we introduce a set of novel laws that formally exploit the particular structure of a circuit in our formal netlist model. To the best of our knowledge, these laws have never been discussed in previous STE work.

Darbari proposed a symmetry reduction method for STE model checking using a structured model [17]. Our symmetry reduction method is deeply inspired by his work. However, he used Y-semantics and avoided discussing symmetry between netlist structures directly. He proposed a higher-level design language which can record the symmetry of a circuit, and connected it to the theory of STE logic. This connection is made by giving functions that derive a next-state function from the structured models and proving lemmas guaranteeing that if the structured models have symmetry, then the derived next-state function has symmetry as well. In our theory, neither the high-level modelling language nor this connection is needed: we directly discuss symmetry between netlist structures in our formal netlist model and relate it to symmetry between STE properties. Our motivation is to provide a symmetry reduction method for netlist models compiled directly from popular hardware description languages such as Verilog and VHDL, which have no type system for recording symmetry in a design.

### 1.3. Presentation of the paper

As mentioned before, our work involves both developments of the STE theory itself and the formalization of the theory in a theorem prover, in order to provide mechanical support for the new STE theory. Because formalization is one of our main objectives in this paper and our implementation is tailored to Isabelle/HOL, we directly use parts of our Isabelle theories to introduce definitions and lemmas and to convey the main idea of the formalization. To keep the formalized theories readable for readers who are not familiar with Isabelle, we also give a detailed textual account of them in usual mathematical notation. Thus our work is of interest not only to Isabelle/HOL users, but also to those interested in STE theory or in theorem proving with other higher-order provers such as HOL.

Isabelle/HOL has a polymorphic type system as in ML [26]. Type inference eliminates the need to specify types in expressions. Lemmas about lists, sets, etc., are polymorphic, and the prover uses the appropriate types automatically. Besides, a function in Isabelle/HOL is usually defined in curried rather than tupled form, that is, we write $f\ x\ y$ for $f(x, y)$; the advantage of a curried function is that it allows partial application [26]. We use the notation $\llbracket A_{1}; A_{2}; \ldots; A_{n} \rrbracket \Longrightarrow B$ to mean that from the assumptions $A_{1}, \ldots, A_{n}$ we can derive the conclusion $B$. For a pair $(a, b)$, $\mathrm{fst}\,(a, b) \equiv a$ and $\mathrm{snd}\,(a, b) \equiv b$. We write $x \# xs$ for the list that extends $xs$ with $x$ at the front, $[x_{1}, \ldots, x_{n}]$ for the list $x_{1} \# \ldots \# x_{n} \# []$, $xs\ @\ ys$ for the concatenation of $xs$ and $ys$, $xs\ !\ i$ for the $i$-th element of the list $xs$ (counting from 0 for the first element), $\mathrm{set}\ xs$ for the set of all elements of $xs$, $x\ \mathrm{mem}\ ls$ for $x \in \mathrm{set}\ ls$, and $\mathrm{length}\ xs$ for the length of the list $xs$. We also need the definite description $\mathrm{THE}\ x.\ P(x)$, which denotes the $x$ such that $P(x)$ holds, provided there is a unique such $x$; otherwise it returns an arbitrary value of the expected type.

In the appendix, we give a detailed introduction to the Isabelle/HOL notations used to formalize the concepts in the paper.

### 1.4. Structure of the Paper

The remainder of this paper is organized as follows: Section 2 formalizes preliminary definitions on the four-valued lattice. Section 3 introduces the structure of a netlist and its formal model. Section 4 formalizes the syntax and semantics of trajectory formulas. Section 5 formalizes the closure function induced from a netlist. Section 6 introduces the most fundamental result of STE: the soundness of using defining trajectories and defining sequence to verify STE assertions. Section 7 discusses sub-netlists of a netlist. Section 8 explores the close correspondence between symmetry in circuit structures and symmetry in circuit properties. Section 9 presents some interesting algebraic laws to explore the close relation between the structure and properties of a circuit. Section 10 demonstrates how to apply symmetry reduction and these new laws to decompose STE assertions by a case study on CAMs, which is a typical example used in STE literature. Section 11 concludes the paper.

## 2. Background

Four values $\mathrm{ff}$, $\mathrm{tt}$, $\mathrm{X}$ and $\top$ are used in STE simulation [1]. $\mathrm{ff}$ and $\mathrm{tt}$ are the standard binary values false and true. The third value $\mathrm{X}$ stands for an unknown value, while the fourth value $\top$ is a clash value. Formally, we define $\mathbb{V} =_{df} \{\mathrm{ff}, \mathrm{tt}, \mathrm{X}, \top\}$.

It is common to introduce a truth-information ordering $\sqsubseteq$ on $\mathbb{V}$ as follows: $\mathrm{X} \sqsubseteq \mathrm{ff}$ and $\mathrm{X} \sqsubseteq \mathrm{tt}$, while $\mathrm{ff}$ and $\mathrm{tt}$ are incomparable; $\mathrm{ff} \sqsubseteq \top$ and $\mathrm{tt} \sqsubseteq \top$. Namely, the unknown value $\mathrm{X}$ contains no truth information; the mutually incomparable values $\mathrm{ff}$ and $\mathrm{tt}$ contain enough information to determine truth exactly; and the top value $\top$ contains inconsistent truth information. $\mathbb{V}$ with the ordering $\sqsubseteq$ forms a lattice (Figure 2), so we can introduce a join, or least upper bound, operator $\sqcup$ with respect to $\sqsubseteq$. It is routine to check that $a \sqsubseteq b$ if and only if $a \sqcup b = b$. For the other operators on the domain $\mathbb{V}$, there are natural definitions of negation NOT ($\neg_{4}$), conjunction AND ($\wedge_{4}$), disjunction OR ($\vee_{4}$), etc. The classic definitions of these operators are shown in Figure 3.


Figure 2: STE lattice

| $a$ | $\neg_{4} a$ |
| :--- | :--- |
| ff | tt |
| tt | ff |
| X | X |
| $\top$ | $\top$ |

| $a$ | $b$ | $a \wedge_{4} b$ |
| :--- | :--- | :--- |
| ff | $v_{3}$ | ff |
| tt | $v_{4}$ | $v_{4}$ |
| X | ff | ff |
| X | tt | X |
| X | X | X |
| $\top$ | $v_{4}$ | $\top$ |
| $v_{4}$ | $\top$ | $\top$ |

| $a$ | $b$ | $a \vee_{4} b$ |
| :--- | :--- | :--- |
| ff | $v_{4}$ | $v_{4}$ |
| tt | $v_{3}$ | tt |
| X | ff | X |
| X | tt | tt |
| X | X | X |
| $\top$ | $v_{4}$ | $\top$ |
| $v_{4}$ | $\top$ | $\top$ |

Figure 3: Operators over the four-valued lattice ($v_{3} \in \{\mathrm{tt}, \mathrm{ff}, \mathrm{X}\}$, $v_{4} \in \{\mathrm{tt}, \mathrm{ff}, \mathrm{X}, \top\}$)
In order to define the set of four lattice values $\mathbb{V}$, we use the dual-rail encoding strategy of [15, 16]. We introduce a type boolPairs and encode the four values of $\mathbb{V}$ as four constants of that type:

$$
\begin{aligned}
& \textbf{types}\ \mathit{boolPairs} = \mathit{bool} \times \mathit{bool} \\
& \top \equiv (\mathit{False}, \mathit{False}) \qquad \mathrm{tt} \equiv (\mathit{True}, \mathit{False}) \\
& \mathrm{ff} \equiv (\mathit{False}, \mathit{True}) \qquad \mathrm{X} \equiv (\mathit{True}, \mathit{True})
\end{aligned}
$$

The least-upper bound operator $\sqcup$ and the partial ordering relation $\sqsubseteq$ are defined as follows:

$$
\begin{aligned}
& \mathrm{a} \sqcup \mathrm{~b} \equiv(\text { fst } \mathrm{a} \wedge \text { fst } \mathrm{b}, \text { snd } \mathrm{a} \wedge \text { snd } \mathrm{b}) \\
& \mathrm{a} \sqsubseteq \mathrm{~b} \equiv \mathrm{a} \sqcup \mathrm{~b}=\mathrm{b}
\end{aligned}
$$

Due to limitations of space, the formal definitions of the other operators can be found in [11].

## 3. Circuit Netlist Formalization

### 3.1. An informal model of circuit netlists

A circuit is modelled by a netlist, which is a set of nodes connected by logical entities such as I/O devices, gates and one-phase delays. I/O devices are pins connecting the circuit to its environment; for simplicity, only input devices are used in this work. Gates describe combinational logic which determines the relationship between the values of nodes. Delays stand for all sequential elements which can keep "state". In real-world VLSI designs there are different types of sequential devices, some of which are more complex than our delay devices in both structure and behaviour. However, as we show later, real-world sequential devices can be modelled by our simple delay elements together with combinational gates.

In a netlist description language such as BLIF [27], the input pins of a circuit are declared as follows:

```
.inputs x y
```

A gate is specified by a truth table, as shown below:

```
.names in_1 in_2 ... out
in_1_value_1 in_2_value_1 ... out_value_1
in_1_value_2 in_2_value_2 ... out_value_2
```

where $\mathrm{in}_{1}, \mathrm{in}_{2}, \ldots$ are the names of the inputs of the gate and out is the name of its output. The subsequent lines define the on-set and off-set: each $\mathrm{in}_{i}\_\mathrm{value}_{j}$ is one of 0, 1 or - (don't care), and $\mathrm{out}\_\mathrm{value}_{j}$ is 0 or 1.

A truth table encapsulates a programmable logic array (PLA), which expands to AND gates driving an OR gate. So it is natural to associate a truth table with a function on $\mathbb{V}$. For example, the table of the XNOR gate corresponds to the function $\lambda a\, b.\ (a \wedge_{4} b) \vee_{4} (\neg_{4} a \wedge_{4} \neg_{4} b)$. Informally we write $F_{tab}$ for the function induced by the table $tab$.

For instance, a two-input AND gate with inputs a and b and output foo could be defined as follows:

```
.names a b foo
11 1
```

and a two-input XNOR gate with the same inputs and output as follows:

```
.names a b foo
00 1
11 1
```

A latch is defined as follows:

```
.latch latch_input latch_output
```

where a latch has a data input and an output node. As mentioned before, our latch is simply a one-phase delay element: the value of node latch_output at the next time point is the value of latch_input at the current time point.

Remark 1. In fact, the definition of a latch in BLIF is more complex than ours. In BLIF, a latch is defined by the statement `.latch latch-input latch-output type control-signal [latch-control-list]`, where type specifies whether the latch is edge-sensitive or level-sensitive, and the latch control constructs specify the set, reset or enable control signals of the latch. For example, `.latch in1 out1 re clk as=set ar=reset en=en1` specifies a flip-flop driven at the rising edge of signal clk, with input signal in1, output signal out1, an asynchronous reset signal reset, an asynchronous set signal set and an enable signal en1. But any type of latch can be modelled by combinational gates and delay elements. Figure 4 shows how a rising-edge triggered flip-flop is modelled by delay elements and combinational gates, where an inverted triangle stands for a delay element. Following Forte, d and d_##- stand for the input and output node of a delay element respectively.


Figure 4: A rising-edge triggered flipflop

### 3.2. Formalization of netlists

We first use the type nat as the type of nodes in our theory:

```
types node = nat
```

To formally define a truth table, we use an enumeration type LIT to specify a literal used in defining on- and off-sets, a type LINE to specify a line of a table, and a type PLA to define a table.

```
datatype LIT= One | Zero | DontCare
types LINE=LIT list
types PLA=LINE list
```

Input pins and gates and delays are three kinds of logical entities in a circuit, and are formally defined as follows:

```
datatype entity = Input node| Gate node "node list" PLA | Delay node node
```

Here we assume that inp and out are node names, inps is a list of node names, and tab is a table of type PLA. Input inp means that $inp$ is an input pin of the netlist under study, which is an interface between the netlist and its environment. Gate out inps tab refers to a gate with out as its output node, inps as its input nodes and $tab$ as its truth table. As with the library function get_node_truth_table in Forte, a PLA in this paper lists only the clauses on the inputs for which the output goes high. For example, Gate $c_{1}\ [a_{1}, b_{1}]$ [[ONE, ONE]] formally defines an AND gate. Delay out inp defines a delay with inp as its input and out as its output.

For a logical entity $g$, we define a function fanOut that maps $g$ to its output node, namely fanOut $g \equiv inp$ if $g =$ Input inp, and fanOut $g \equiv out$ if $g =$ Gate out inps tab or $g =$ Delay out inp. Similarly, we define a function fanIn that maps $g$ to the list of all its input nodes, that is, fanIn $g \equiv []$ if $g =$ Input inp, fanIn $g \equiv inps$ if $g =$ Gate out inps tab, and fanIn $g \equiv [inp]$ if $g =$ Delay out inp.

Consider a node $n$ and a set of logical entities $nl$; we say isDefinedIn $n\ nl$ if $n$ is defined as the output of some logical entity in $nl$. More formally, isDefinedIn $n\ nl \equiv \exists l.\ l \in nl \wedge \mathrm{fanOut}\ l = n$. The set of all nodes defined in $nl$ is denoted by defAsOuts $nl \equiv \{n.\ \mathrm{isDefinedIn}\ n\ nl\}$.

Now we come to a crucial point, the formalization of netlists. Intuitively, a netlist is simply a set of logical entities connected by nodes, but adding entities to a netlist must follow some restriction rules to guarantee that the structure of the netlist is legal. We therefore introduce an inductive definition of the set of all netlists, as shown below:

```
consts netlists :: (entity set) set
inductive netlists
intros
  nilNetlist: {} ∈ netlists
  addInput:
    ⟦nl ∈ netlists; ¬isDefinedIn n nl⟧
    ⟹ {Input n} ∪ nl ∈ netlists
  addDelay:
    ⟦nl ∈ netlists; ¬isDefinedIn n nl⟧
    ⟹ {Delay n inp} ∪ nl ∈ netlists
  addGate:
    ⟦nl ∈ netlists; ¬isDefinedIn n nl;
     ∀inps_i. (inps_i mem inps) ⟶ isDefinedIn inps_i nl;
     ∀l. (l mem tab) ⟶ length l = length inps⟧
    ⟹ {Gate n inps tab} ∪ nl ∈ netlists
```

In the above definition, rule nilNetlist specifies the empty netlist. The other rules specify the order in which logical entities may be added to a netlist. In each of the three adding rules, the condition $\neg$isDefinedIn $n\ nl$ requires that the output node $n$ of the newly added entity is not already the output of an entity in $nl$; this rules out name conflicts between the output nodes of two different logical entities in a netlist. In rule addGate, the third condition requires that all input nodes of the newly added combinational gate are already defined in the existing netlist. Combined with the condition $\neg$isDefinedIn $n\ nl$, this eliminates combinational cycles, since a gate can only read nodes defined by entities added before it. Unlike rule addGate, rule addDelay allows the input node of a delay to be used before it is defined: formally, when a component Delay $n$ inp is added by the rule, inp is a free variable restricted only by its type. If a delay's output node lies in the fanin cone of the delay, then a cycle passes through the delay; such cycles are allowed.
Example 2. Let $\mathit{xnorTab} = [[\mathrm{ZERO}, \mathrm{ZERO}], [\mathrm{ONE}, \mathrm{ONE}]]$, $\mathit{xnorG}_{0} = \mathrm{Gate}\ c_{0}\ [a_{0}, b_{0}]\ \mathit{xnorTab}$, $\mathit{xnorG}_{1} = \mathrm{Gate}\ c_{1}\ [a_{1}, b_{1}]\ \mathit{xnorTab}$, $\mathit{andTab} = [[\mathrm{ONE}, \mathrm{ONE}]]$, and $\mathit{andG} = \mathrm{Gate}\ \mathit{out}\ [c_{0}, c_{1}]\ \mathit{andTab}$; then the set

$$
nl = \{\mathrm{Input}\ a_{0}, \mathrm{Input}\ b_{0}, \mathrm{Input}\ a_{1}, \mathrm{Input}\ b_{1}, \mathit{xnorG}_{0}, \mathit{xnorG}_{1}, \mathit{andG}\}
$$

stands for the netlist shown in Figure 1. For Figure 4, let $\mathit{tab}_{1} = [[\mathrm{ONE}, \mathrm{ZERO}]]$, $G_{1} = \mathrm{Gate}\ \mathit{sel}\ [\mathit{clk}, \texttt{clk\_\#\#-}]\ \mathit{tab}_{1}$, $\mathit{tab}_{2} = [[\mathrm{ONE}, \mathrm{ONE}, \mathrm{DontCare}], [\mathrm{ZERO}, \mathrm{DontCare}, \mathrm{ONE}]]$, $G_{2} = \mathrm{Gate}\ s\ [\mathit{sel}, \texttt{d\_\#\#-}, \texttt{s\_\#\#-}]\ \mathit{tab}_{2}$, $\mathit{delay}_{1} = \mathrm{Delay}\ \texttt{d\_\#\#-}\ d$, and $\mathit{delay}_{2} = \mathrm{Delay}\ \texttt{s\_\#\#-}\ s$; then $nl_{2} = \{G_{1}, G_{2}, \mathit{delay}_{1}, \mathit{delay}_{2}\}$ is also a netlist.

Our netlist model is sound in the sense that for any defined node $n$ in a netlist, there is a unique logical entity in the netlist whose output node is $n$. In Isabelle, the unique-existence quantifier is written $\exists!$.

Lemma 3. $\llbracket nl \in \mathrm{netlists};\ \mathrm{isDefinedIn}\ n\ nl \rrbracket \Longrightarrow \exists! l.\ l \in nl \wedge \mathrm{fanOut}\ l = n$.

Because of this one-to-one mapping between a logical entity and its output node, we define $\mathrm{lookUp}\ nl\ n \equiv \mathrm{THE}\ g.\ g \in nl \wedge \mathrm{fanOut}\ g = n$.

The definition of netlists itself cannot guarantee that every node of a netlist is defined, because the input of a delay can be used without being defined. In real circuit designs, the input of a delay needs to be defined. If every input node of every logical entity in a netlist is defined as the output of some logical entity, we call the netlist closed.

Definition 4. $\mathrm{isClosed}\ nl \equiv \forall m\ n.\ \mathrm{isDefinedIn}\ m\ nl \longrightarrow n \in \mathrm{set}\,(\mathrm{fanIn}\,(\mathrm{lookUp}\ nl\ m)) \longrightarrow \mathrm{isDefinedIn}\ n\ nl$

Example 5. In Example 2, the netlist nl is closed; $n l_{2}$ is a netlist, but it is not closed because nodes $s$ and $d$ are not defined in $n l_{2}$.

We are mainly interested in closed netlists in this work, so whenever a netlist $nl$ is mentioned in the following discussion we assume that $nl \in$ netlists and isClosed $nl$. To save space, we omit these two side conditions when we present lemmas about a netlist $nl$.
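The inductive netlist definition and Definition 4, as an added Python check that is not the paper's Isabelle code: a `Netlist` that admits entities only under the premises of addInput, addDelay and addGate, together with lookUp and isClosed, exercised on the Figure 1 netlist of Example 2 and on two small netlists constructed here (one whose only cycle passes through a delay, one with a dangling delay input as in Example 5). Node names are strings rather than nat, PLA literals are the strings "1", "0" and "-" for ONE, ZERO and DontCare, and all function and class names are this example's own choices.

```python
"""Netlists as sets of logical entities (Section 3.2) with the premises of the
inductive rules checked when an entity is added. Added example, not the
paper's Isabelle theory; node names are str instead of nat."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Input:
    out: str


@dataclass(frozen=True)
class Gate:
    out: str
    inps: tuple  # fanin node names
    tab: tuple   # PLA: tuple of lines, each a tuple of "1"/"0"/"-"


@dataclass(frozen=True)
class Delay:
    out: str
    inp: str


def fan_out(g):
    return g.out


def fan_in(g):
    """fanIn: [] for an input pin, the input list of a gate, [inp] for a delay."""
    if isinstance(g, Input):
        return ()
    return g.inps if isinstance(g, Gate) else (g.inp,)


def is_defined_in(n, nl):
    """isDefinedIn n nl ≡ ∃l. l ∈ nl ∧ fanOut l = n"""
    return any(fan_out(g) == n for g in nl)


def look_up(nl, n):
    """lookUp nl n ≡ THE g. g ∈ nl ∧ fanOut g = n (unique by Lemma 3)."""
    (g,) = [g for g in nl if fan_out(g) == n]
    return g


class Netlist:
    """A member of the inductive set `netlists`: starts empty (nilNetlist)
    and grows only through add(), which enforces the rule premises."""

    def __init__(self):
        self.entities = set()

    def add(self, g):
        n = fan_out(g)
        if is_defined_in(n, self.entities):  # premise shared by all three rules
            raise ValueError(f"output node {n!r} is already defined")
        if isinstance(g, Gate):  # the two extra premises of addGate
            for m in g.inps:
                if not is_defined_in(m, self.entities):
                    raise ValueError(f"gate input {m!r} is not yet defined")
            if any(len(line) != len(g.inps) for line in g.tab):
                raise ValueError("PLA line width differs from number of inputs")
        # addInput and addDelay put no constraint on a delay's input node,
        # so a cycle through a delay is legal while a combinational one is not.
        self.entities.add(g)
        return self

    def defined_nodes(self):
        """defAsOuts nl"""
        return {fan_out(g) for g in self.entities}

    def is_closed(self):
        """Definition 4: every fanin of every defined node is itself defined."""
        return all(is_defined_in(n, self.entities)
                   for m in self.defined_nodes()
                   for n in fan_in(look_up(self.entities, m)))


XNOR_TAB = (("0", "0"), ("1", "1"))
AND_TAB = (("1", "1"),)
NOT_TAB = (("0",),)


def figure1_netlist():
    """Example 2: the 2-bit comparator, entities added in a legal order."""
    nl = Netlist()
    for n in ("a0", "b0", "a1", "b1"):
        nl.add(Input(n))
    nl.add(Gate("c0", ("a0", "b0"), XNOR_TAB))
    nl.add(Gate("c1", ("a1", "b1"), XNOR_TAB))
    return nl.add(Gate("out", ("c0", "c1"), AND_TAB))


def toggle_netlist():
    """Constructed here: q = ¬q_prev with q_prev the delayed q. The only cycle
    passes through the delay, so the netlist is legal and closed."""
    return Netlist().add(Delay("q_prev", "q")).add(Gate("q", ("q_prev",), NOT_TAB))


def dangling_delay_netlist():
    """Constructed here: a delay whose input d is never defined (cf. Example 5)."""
    return Netlist().add(Delay("d_##-", "d"))


def rejected(build):
    """True when the construction violates a rule premise."""
    try:
        build()
        return False
    except ValueError:
        return True
```

A combinational cycle can never be built at all: `Gate("y", ("x",), ...)` is refused before `Gate("x", ("y",), ...)` could ever be attempted, because `x` is not yet defined, which is exactly how the third premise of addGate works. The delay cycle in `toggle_netlist` goes through, and that netlist is closed, whereas `dangling_delay_netlist` is a legal netlist that is not closed.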

## 4. Syntax and Semantics of Trajectory Formula

States. A circuit state is an instantaneous snapshot of circuit behaviour, given by an assignment of lattice values to the nodes of the circuit. Therefore we define the type state $=$ node $\Rightarrow$ boolPairs. A state sequence assigns a state to each time point. We use nat for the type time as well, and define stateSeq $=$ time $\Rightarrow$ state. The ordering relation extends naturally to the types state and stateSeq: $s_{1} \sqsubseteq_{s} s_{2} \equiv \forall n.\ s_{1}\ n \sqsubseteq s_{2}\ n$, and $sq_{1} \sqsubseteq_{sq} sq_{2} \equiv \forall t.\ sq_{1}\ t \sqsubseteq_{s} sq_{2}\ t$.

Trajectory Evaluation Logic. Specifications in STE are symbolic trajectory formulas. In order to formalize the syntax of trajectory formulas, we introduce a datatype trajForm as follows:

```
datatype trajForm = Is1 node | Is0 node | chaos
                  | Next trajForm
                  | When bool trajForm      (infixr "⟶_T" 65)
                  | TAND trajForm trajForm  (infixr "and_T" 65)
```

For convenience in reasoning, we introduce a formula chaos which holds of every sequence, i.e. it states that the values of all nodes are unknown at all times. The definition of trajectory formulas is naturally symbolic in the sense that the Boolean guard $P$ of When can simply be a Boolean formula in HOL.

The semantics of trajectory formulas is formally defined as a primitive recursive function valid over the datatype trajForm.

```
consts
  valid :: stateSeq ⇒ trajForm ⇒ bool    ((_ ⊨ _) [80, 80] 80)
primrec
  sq ⊨ (Is1 n)        = tt ⊑ (sq 0 n)
  sq ⊨ (Is0 n)        = ff ⊑ (sq 0 n)
  sq ⊨ chaos          = True
  sq ⊨ (A1 and_T A2)  = (sq ⊨ A1 ∧ sq ⊨ A2)
  sq ⊨ (P ⟶_T A)      = (P ⟶ sq ⊨ A)
  sq ⊨ (Next A)       = ((suffix 1 sq) ⊨ A)
```

where the annotation ((_ ⊨ _) [80, 80] 80) declares the infix notation $\vDash$ for the function valid, and suffix $i$ sq $\equiv \lambda t.\ \mathrm{sq}\,(t + i)$.
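The function valid above as an added Python interpreter, not the paper's Isabelle code: each constructor of trajForm becomes a small class, a state sequence is a function from time to a dict of node values (nodes absent from the dict read as X, in the dual-rail encoding of Section 2), and the guard of When is an ordinary Python bool standing in for the HOL Boolean. The sample sequence and the comparator consequent are constructed here; they show in particular that a node holding $\top$ satisfies both Is1 and Is0, which is why a clash never falsifies a consequent on its own.

```python
"""Syntax and semantics of trajectory formulas (Section 4): valid(sq, f) is
the paper's sq ⊨ f. Added example, not the paper's Isabelle theory."""
from dataclasses import dataclass

# boolPairs constants as encoded in Section 2: (fst, snd).
TOP, TT, FF, X = (False, False), (True, False), (False, True), (True, True)


def leq(a, b):
    """a ⊑ b ≡ a ⊔ b = b with a ⊔ b = (fst a ∧ fst b, snd a ∧ snd b)"""
    return (a[0] and b[0], a[1] and b[1]) == b


# datatype trajForm, one class per constructor
@dataclass(frozen=True)
class Is1:
    node: str


@dataclass(frozen=True)
class Is0:
    node: str


@dataclass(frozen=True)
class Chaos:
    pass


@dataclass(frozen=True)
class Next:
    f: object


@dataclass(frozen=True)
class When:        # P ⟶_T A; the guard is a plain bool here
    guard: bool
    f: object


@dataclass(frozen=True)
class TAnd:        # A1 and_T A2
    left: object
    right: object


def suffix(i, sq):
    """suffix i sq ≡ λt. sq (t + i)"""
    return lambda t: sq(t + i)


def valid(sq, f):
    """primrec valid: one clause per constructor, sq(t) is a dict node -> value."""
    if isinstance(f, Is1):
        return leq(TT, sq(0).get(f.node, X))
    if isinstance(f, Is0):
        return leq(FF, sq(0).get(f.node, X))
    if isinstance(f, Chaos):
        return True
    if isinstance(f, TAnd):
        return valid(sq, f.left) and valid(sq, f.right)
    if isinstance(f, When):
        return (not f.guard) or valid(sq, f.f)
    if isinstance(f, Next):
        return valid(suffix(1, sq), f.f)
    raise TypeError(f"not a trajForm: {f!r}")


def nexts(k, f):
    """Next^k f: the property f holds k time points from now."""
    for _ in range(k):
        f = Next(f)
    return f


def comparator_spec(a0, b0, a1, b1):
    """Consequent one would check for Figure 1 under symbolic inputs a0, b0,
    a1, b1 (Python bools): out is 1 iff the two 2-bit words agree."""
    eq = (a0 == b0) and (a1 == b1)
    return TAnd(When(eq, Is1("out")), When(not eq, Is0("out")))


def sample_sequence():
    """Constructed trajectory: out = tt at time 0, ff at time 1, c0 = T at time 2;
    every other node is X at every time."""
    states = {0: {"out": TT}, 1: {"out": FF}, 2: {"c0": TOP}}
    return lambda t: states.get(t, {})
```

`valid(sample_sequence(), Next(Is0("out")))` is true because Next shifts the sequence by one, and `valid(sample_sequence(), nexts(2, TAnd(Is1("c0"), Is0("c0"))))` is also true: both tt ⊑ ⊤ and ff ⊑ ⊤ hold, so a clashing node passes any Is1/Is0 check.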

## 5. Formalization of Closure Functions over Netlists

During STE simulation, information is propagated forwards both through the circuit structure and through time. By simulation we mean that a circuit $nl$ takes a stimulating sequence as input and returns a result sequence. We first illustrate what forward propagation through the circuit structure means at a single time point. The circuit takes the state of the stimulating sequence at that time point and calculates all information about the circuit at the same time point that can be derived by propagating information from the input nodes of every combinational gate to its output. When this propagation is finished, a new state of the circuit is returned as the simulation result for this time point. More specifically, given a state $s$, for an input node $n$ of the circuit or the output node of a delay, $s\ n$ is simply the value of $n$ after simulation. For an internal node $n$ which is the output of a gate with truth table $tab$, provided that the values of the gate's inputs after simulation are $v_{1}, \ldots, v_{i}$, the value of $n$ is the least upper bound of $s\ n$ and $F_{tab}\ v_{1} \ldots v_{i}$.

For instance, suppose that $s\,a_{0}=\mathrm{tt}$, $s\,b_{0}=\mathrm{tt}$, $s\,a_{1}=\mathrm{tt}$, and $s\,n=\mathrm{X}$ for every other node $n$, and a simulation of the circuit in Figure 1 is started at $s$. Then at the end of time point 0, the result state $s^{\prime}$ satisfies $s^{\prime}\,n = s\,n$ for $n \in \{a_{0}, b_{0}, a_{1}, b_{1}\}$, $s^{\prime}\,c_{0}=\mathrm{tt}$, $s^{\prime}\,c_{1}=\mathrm{X}$, and $s^{\prime}\,\mathit{out}=\mathrm{X}$. Formally, the propagated information can be represented as the following set of value assignments: $\{(a_{0}, \mathrm{tt}), (b_{0}, \mathrm{tt}), (a_{1}, \mathrm{tt}), (b_{1}, \mathrm{X}), (c_{0}, \mathrm{tt}), (c_{1}, \mathrm{X}), (\mathit{out}, \mathrm{X})\}$.

In order to define the closure semantics of netlists, we need some preliminary formalization of the semantics of literals, lines, and truth tables. These are defined rather straightforwardly: funOfLit $(v, lit)$ returns the input value $v$ if $lit$ is ONE; if $lit$ is ZERO it returns the negation of $v$; otherwise (DONTCARE) it returns $\mathrm{tt}$. Here we briefly explain why $\mathrm{tt}$ is returned when the literal is DONTCARE: $\mathrm{tt}$ is the unit of the operator AND in the four-valued domain, and funOfLine $vs$ $line$ is the conjunction of the values of the literals in the line, so a literal whose value is $\mathrm{tt}$ does not affect the value of the line. funOfLine $vs$ $line$ returns the conjunction of the values of the literals in a line, provided that the values assigned to the inputs are $vs$. funOfTab $tab$ $vs$ returns the disjunction of the values of the lines of a table, provided that the values assigned to the inputs are $vs$.

```
funOfLit :: boolPairs × Lit ⇒ boolPairs
funOfLit x ≡ if (snd x) = ONE then (fst x)
             else if (snd x) = ZERO then (NOT (fst x))
             else tt

funOfLine :: boolPairs list ⇒ LINE ⇒ boolPairs
primrec
  funOfLine bps [] = tt
  funOfLine bps (el0 # ls) =
    AND (funOfLit ((hd bps), el0)) (funOfLine (tl bps) ls)

funOfTab :: PLA ⇒ boolPairs list ⇒ boolPairs
primrec
  funOfTab [] bps = ff
  funOfTab (line # tbl) bps =
    OR (funOfLine bps line) (funOfTab tbl bps)
```

Now we formally introduce a so-called closure relation rclosure, which is defined on a netlist and a state. rclosure $nl$ $s$ returns the closure set of the information propagated forwards in the simulation of the netlist $nl$ at the state $s$; formally it is a set of pairs, inductively defined as follows:

```
consts rclosure :: entity set ⇒ state ⇒ (node × boolPairs) set
inductive rclosure nl s
intros
stAddInput:
  ⟦Input n ∈ nl⟧ ⟹ (n, s n) ∈ rclosure nl s
stAddLatch:
  ⟦Delay n inp ∈ nl⟧ ⟹ (n, s n) ∈ rclosure nl s
stAddGate:
  ⟦Gate n inps tab ∈ nl; length stateLs = length inps;
   ∀l. (l mem tab) ⟶ length l = length inps;
   ∀pair. pair mem (zip inps stateLs) ⟶ pair ∈ rclosure nl s⟧
  ⟹ (n, ((funOfTab tab stateLs) ⊔ (s n))) ∈ rclosure nl s
```

The relation rclosure $nl$ $s$ corresponds to a function, namely, for any node $n$ such that isDefinedIn $n$ $nl$, there is a pair $p$ such that fst $p = n$; furthermore, if both $(n, v_{1})$ and $(n, v_{2})$ are in rclosure $nl$ $s$, then $v_{1} = v_{2}$. Intuitively, rclosure $nl$ $s$ is single-valued because the output node of a logical entity is uniquely defined and the combinational logic of a netlist is acyclic. More formally,

Lemma 6. $\llbracket \text{isDefinedIn } n\ nl \rrbracket \Longrightarrow \exists!\, pair.\ pair \in \text{rclosure } nl\ s \wedge \text{fst } pair = n$
Therefore, we define a function fclosure on a netlist $n l$ and a state $s$. fclosure $n l s$ returns the result state of $n l$ after simulation at the driving state $s$.

```
fclosure nl s n ≡
  if isDefinedIn n nl
  then let pair = (THE pair. pair ∈ rclosure nl s ∧ (fst pair) = n)
       in (snd pair)
  else s n
```

In this definition, if $n$ is defined as an output of a logical entity, then the value of $n$ in the result is the second element of the unique element pair which is in the closure set rclosure $n l s$ and fst pair $=n$.

Roughly speaking, "a closure function $f$" means that applying $f$ once derives a closure of information in some form. In detail, (1) $f$ is monotonic: $f\,x \sqsubseteq f\,y$ if $x \sqsubseteq y$; (2) $f$ is idempotent: $f\,x = f\,(f\,x)$; (3) $f$ is extensive: $x \sqsubseteq f\,x$.

Function fclosure $nl$ is a closure function. More formally, we have

1. $\llbracket s_{1} \sqsubseteq_{s} s_{2} \rrbracket \Longrightarrow$ fclosure $n l s_{1} n \sqsubseteq$ fclosure $n l s_{2} n$
2. $s n \sqsubseteq$ fclosure $n l s n$
3. fclosure $n l$ (fclosure $n l s$ ) $n=$ fclosure $n l s n$

Now we show how simulation information is propagated forwards through time given a stimulating sequence $\sigma$, i.e., from each time step $t$ to time step $t+1$. Recall that each delay has an output node $\mathit{data\_\#\#\_}$ and an input node $\mathit{data}$. For the delay, the value of node $\mathit{data}$ at time point $t$ after the simulation at time $t$ is denoted $\mathit{data}_{t}$, and the information $\mathit{data}_{t}$ is propagated to node $\mathit{data\_\#\#\_}$ at time $t+1$: the simulator initially sets the value of node $\mathit{data\_\#\#\_}$ at time point $t+1$ to the upper bound of $\mathit{data}_{t}$ and $\sigma(t+1)\,(\mathit{data\_\#\#\_})$, then starts the simulation over the circuit at time point $t+1$. In order to model this forwards propagation of information through time, we define a function fSeq $nl$ $\sigma$ over a netlist and a stimulating sequence, which returns the result sequence after simulating $nl$ with the stimulating sequence $\sigma$. fSeq $nl$ $\sigma$ is itself a sequence, defined by primitive recursion on the time $t$ on top of the definition of fclosure. In the following discussion, we use isDelayName $x$ $nl$ to denote that $x$ is the output node of a delay in the netlist $nl$.

```
fSeq nl σ 0 = fclosure nl (σ 0)
fSeq nl σ (t + 1) =
  (let s =
     (λn. if (isDelayName n nl)
          then (let l = lookUp nl n in
                let inps = fanins l in
                ((fSeq nl σ t) (hd inps)) ⊔ (σ (t + 1) n))
          else σ (t + 1) n)
   in fclosure nl s)
```

Similarly, we can prove that fSeq is also a closure function, namely,

1. $\llbracket n l \in$ netlists; isClosed $n l ; s q_{1} \sqsubseteq_{s q} s q_{2} \rrbracket$
$\Longrightarrow \mathrm{fSeq} n l s q_{1} \sqsubseteq_{s q} \mathrm{fSeq} n l s q_{2}$
2. $\llbracket n l \in$ netlists; isClosed $n l \rrbracket \Longrightarrow s q \sqsubseteq_{s q} \mathrm{fSeq} n l s q$
3. $\llbracket n l \in$ netlists $\rrbracket \Longrightarrow \mathrm{fSeq} n l(\mathrm{fSeq} n l s q)=\mathrm{fSeq} n l s q$

### 5.0.1. Trajectories

A trajectory is a result state sequence of some circuit netlist $n l$ after a run of simulation. It is a sequence in which no more information can be derived by forwards propagation. Namely, the result sequence returned by a simulation run of $n l$ is the same as the stimulating sequence fed into the simulator. We define trajOfCirc $n l$ as the set of all trajectories of a netlist $n l$ :

```
trajOfCirc :: entity set ⇒ stateSeq set
trajOfCirc nl ≡ {sq. fSeq nl sq = sq}
```


## 6. Semantics of STE

Now we define the semantics of an STE assertion $A \leadsto C$, where both $A$ and $C$ are trajectory formulas. $A$ is called the antecedent, which specifies the values with which the simulation is driven. $C$ is called the consequent, which specifies the expected results of the simulation. A circuit $nl$ satisfies a trajectory assertion, written cktSat $nl$ $A \leadsto C$, if for every trajectory $\tau$ of $nl$, $\tau \models A$ implies $\tau \models C$.

We define a type assertion to formalize the syntax of an STE assertion.

```
datatype assertion =
  Leadsto trajForm trajForm    (infixr "⇝" 50)
```

We introduce a predicate cktSat that checks the validity of an STE assertion.

$$
\begin{aligned}
& \text { cktSat :: entity set } \Rightarrow \text { assertion } \Rightarrow \text { bool } \\
& \text { primrec cktSat } \mathrm{nl}(\mathrm{~A} \leadsto \mathrm{C})= \\
& (\forall \tau . \tau \in(\text { trajOfCirc } \mathrm{nl}) \longrightarrow(\tau \models \mathrm{A} \longrightarrow \tau \models \mathrm{C}))
\end{aligned}
$$

The key feature of STE logic is that for any trajectory formula $A$ and any assignment $\phi$ of the Boolean symbolic variables, there is a unique weakest sequence that satisfies $A$. This sequence is called the defining sequence of $A$. To define the defining sequence of a formula, we introduce a primitive recursive function defSqOfTrForm which operates on a trajectory formula and returns a symbolic sequence.

Definition 7 (Defining Sequence). Given a trajectory formula $A$, the defining sequence of $A$, written defSqOfTrForm $A$, is defined as a primitive recursive function on type trajForm.

```
defSqOfTrForm :: trajForm ⇒ stateSeq
primrec
  defSqOfTrForm (Is1 n) = (λt m. (if (t = 0 ∧ m = n) then tt else X))
  defSqOfTrForm (Is0 n) = (λt m. (if (t = 0 ∧ m = n) then ff else X))
  defSqOfTrForm (A and_T B) =
    (λt m. (defSqOfTrForm A t m) ⊔ (defSqOfTrForm B t m))
  defSqOfTrForm (P ⟶_T A) = (λt m. let v = (defSqOfTrForm A t m) in
    (P ⟶ (fst v), P ⟶ (snd v)))
  defSqOfTrForm (Next A) = (λt m. let v = (defSqOfTrForm A (t - 1) m) in
    if (t ≠ 0) then v else X)
  defSqOfTrForm chaos = (λt m. X)
```

In the above definition of defSqOfTrForm, $\longrightarrow$ denotes the implication operator of the Boolean domain in the case of a guarded trajectory formula.

From the definition of the defining sequence of $A$, we can easily prove that the sequence satisfies $A$ by induction.

Lemma 8. defSqOfTrForm $A \models A$
Furthermore, for any sequence $\sigma$ that satisfies $A$, the defining sequence is the weakest of all.

## Lemma 9.

(1) defSqOfTrForm $A \sqsubseteq_{s q} s q \Longrightarrow s q \models A$.
(2) $s q \models A \Longrightarrow$ defSqOfTrForm $A \sqsubseteq_{s q} s q$

Now we introduce the defining trajectory of trajectory formula $A$ w.r.t. $n l$, which is the weakest trajectory that satisfies $A$. The defining trajectory of $A$ w.r.t. $n l$ is naturally the result sequence by driving $n l$ with the defining sequence of $A$.

Definition 10 (Defining Trajectory). Given a trajectory formula $A$ and a netlist $nl$, the defining trajectory of $A$ w.r.t. $nl$, denoted by defTrajOfCirc $A$ $nl$, is defined as follows:
$\text{defTrajOfCirc } A\ nl \equiv \text{fSeq } nl\ (\text{defSqOfTrForm } A)$
Similarly, we can prove that a defining trajectory of $A$ w.r.t. $n l$ satisfies $A$.
Lemma 11. (defTrajOfCirc $A n l) \in \operatorname{trajOfCirc} n l \wedge(\operatorname{defTrajOfCirc} A n l) \models A$
The following lemma proves that the defining trajectory of $n l$ is indeed the weakest trajectory of $n l$ that satisfies $A$.

## Lemma 12.

(1) $\llbracket \tau \in \text{trajOfCirc } nl;\ \tau \vDash A \rrbracket \Longrightarrow (\text{defTrajOfCirc } A\ nl) \sqsubseteq_{sq} \tau$
(2) $\llbracket (\text{defTrajOfCirc } A\ nl) \sqsubseteq_{sq} \tau \rrbracket \Longrightarrow \tau \models A$

The following lemma is the most fundamental result of STE theory. It states that (defSqOfTrForm $C$) $\sqsubseteq_{sq}$ (defTrajOfCirc $A$ $nl$) if and only if cktSat $nl$ $(A \leadsto C)$ for a closed netlist $nl$. This result gives an effective way to check the validity of an STE assertion: in order to check cktSat $nl$ $(A \leadsto C)$, we only need to consider whether (defSqOfTrForm $C$) $\sqsubseteq_{sq}$ (defTrajOfCirc $A$ $nl$) holds.

## Lemma 13.

(1) $\llbracket (\text{defSqOfTrForm } C) \sqsubseteq_{sq} (\text{defTrajOfCirc } A\ nl) \rrbracket \Longrightarrow \text{cktSat } nl\ (A \leadsto C)$

Proof. In order to prove cktSat $nl$ $(A \leadsto C)$, we fix a trajectory $tr$ such that (a) $tr \in$ trajOfCirc $nl$ and $tr \models A$, and we need to prove that $tr \models C$. By Lemma 9 (1), we only need to prove that defSqOfTrForm $C \sqsubseteq_{sq} tr$. From (a), by Lemma 12 (1), we have (defTrajOfCirc $A$ $nl$) $\sqsubseteq_{sq} tr$. From the assumption (defSqOfTrForm $C$) $\sqsubseteq_{sq}$ (defTrajOfCirc $A$ $nl$) and the transitivity of $\sqsubseteq_{sq}$, we have defSqOfTrForm $C \sqsubseteq_{sq} tr$.
(2) $\llbracket \text{cktSat } nl\ (A \leadsto C) \rrbracket \Longrightarrow (\text{defSqOfTrForm } C) \sqsubseteq_{sq} (\text{defTrajOfCirc } A\ nl)$

Proof. By Lemma 11, we have (defTrajOfCirc $A$ $nl$) $\in$ trajOfCirc $nl$ and (defTrajOfCirc $A$ $nl$) $\models A$. From this, by the definition of cktSat $nl$ $(A \leadsto C)$, we have (a) (defTrajOfCirc $A$ $nl$) $\models C$. By Lemma 9 (2), we easily show defSqOfTrForm $C \sqsubseteq_{sq}$ (defTrajOfCirc $A$ $nl$).
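As an added example (not code from the paper or its Isabelle theories), the following Python model implements the closure semantics of Section 5 (funOfTab, fclosure, fSeq) and the Lemma 13 check for cktSat, and runs them on our reading of the Figure 1 circuit; the dual-rail encoding of the four values, the comparator netlist with an extra delay on out, and all function names are our assumptions.

```python
# Added example, not code from the paper: an executable model of the Section 5
# closure semantics (funOfTab, fclosure, fSeq) and of the Lemma 13 check for
# cktSat nl (A ⇝ C).  Assumptions (ours): a four-valued value is a pair
# (may_be_1, may_be_0) with X = (True, True), so ⊔ is componentwise AND and
# X is the least element of ⊑; the netlist is our reading of Figure 1
# (two XNORs feeding an AND) plus one delay on 'out' to exercise fSeq.
X, TT, FF = (True, True), (True, False), (False, True)
ONE, ZERO, DONTCARE = "ONE", "ZERO", "DONTCARE"

def leq(u, v):  # u ⊑ v: v carries at least the information of u
    return (u[0] or not v[0]) and (u[1] or not v[1])

def join(u, v):  # u ⊔ v, least upper bound in the information order
    return (u[0] and v[0], u[1] and v[1])

def NOT(v): return (v[1], v[0])
def AND(u, v): return (u[0] and v[0], u[1] or v[1])
def OR(u, v): return (u[0] or v[0], u[1] and v[1])

def funOfLit(v, lit):  # DONTCARE yields tt, the unit of AND
    return v if lit == ONE else NOT(v) if lit == ZERO else TT

def funOfLine(vs, line):  # conjunction of the literals of one PLA line
    acc = TT
    for v, lit in zip(vs, line):
        acc = AND(acc, funOfLit(v, lit))
    return acc

def funOfTab(tab, vs):  # disjunction of the lines of a PLA
    acc = FF
    for line in tab:
        acc = OR(acc, funOfLine(vs, line))
    return acc

# Entities: ("Input", n), ("Delay", out, data), ("Gate", out, inps, tab)
XNOR, AND2 = [[ONE, ONE], [ZERO, ZERO]], [[ONE, ONE]]
FIG1 = [("Input", "a0"), ("Input", "b0"), ("Input", "a1"), ("Input", "b1"),
        ("Gate", "c0", ["a0", "b0"], XNOR), ("Gate", "c1", ["a1", "b1"], XNOR),
        ("Gate", "out", ["c0", "c1"], AND2), ("Delay", "outReg", "out")]

def fclosure(nl, s):
    """fclosure nl s: the unique value of each node in rclosure nl s, found by
    forward propagation through the acyclic gate structure (rules stAddInput,
    stAddLatch, stAddGate).  s maps a node to the value driving it."""
    res = {e[1]: s(e[1]) for e in nl if e[0] in ("Input", "Delay")}
    pending = [e for e in nl if e[0] == "Gate"]
    while pending:
        ready = [e for e in pending if all(i in res for i in e[2])]
        if not ready:
            raise ValueError("combinational cycle or undriven gate input")
        for _, out, inps, tab in ready:
            res[out] = join(funOfTab(tab, [res[i] for i in inps]), s(out))
        pending = [e for e in pending if e not in ready]
    return lambda n: res.get(n, s(n))

def fSeq(nl, sigma, t):
    """fSeq nl σ t: close σ 0 at time 0; at t+1 each delay output is first driven
    with (fSeq nl σ t) data ⊔ σ (t+1) out, then the structure is closed again."""
    if t == 0:
        return fclosure(nl, lambda n: sigma(0, n))
    prev = fSeq(nl, sigma, t - 1)
    data_of = {e[1]: e[2] for e in nl if e[0] == "Delay"}
    drive = lambda n: join(prev(data_of[n]), sigma(t, n)) if n in data_of else sigma(t, n)
    return fclosure(nl, drive)

# Trajectory formulas: ("Is1", n), ("Is0", n), ("and", A, B), ("guard", P, A)
# with a Python bool P, ("Next", A), ("chaos",)
def defSq(A, t, m):  # defSqOfTrForm A t m (Definition 7)
    tag = A[0]
    if tag == "Is1": return TT if t == 0 and m == A[1] else X
    if tag == "Is0": return FF if t == 0 and m == A[1] else X
    if tag == "and": return join(defSq(A[1], t, m), defSq(A[2], t, m))
    if tag == "guard":
        v = defSq(A[2], t, m)
        return (not A[1] or v[0], not A[1] or v[1])  # (P ⟶ fst v, P ⟶ snd v)
    if tag == "Next": return defSq(A[1], t - 1, m) if t != 0 else X
    return X  # chaos

def depth(A):  # deepest Next nesting; beyond it defSq A is X everywhere
    tag = A[0]
    if tag in ("Is1", "Is0", "chaos"): return 0
    if tag == "and": return max(depth(A[1]), depth(A[2]))
    return depth(A[2]) if tag == "guard" else 1 + depth(A[1])

def onNodes(A):  # Definition 20
    tag = A[0]
    if tag in ("Is1", "Is0"): return {A[1]}
    if tag == "and": return onNodes(A[1]) | onNodes(A[2])
    return onNodes(A[2]) if tag == "guard" else onNodes(A[1]) if tag == "Next" else set()

def Isb(n, a):  # Isb n a ≡ (a ⟶_T Is1 n) and_T (¬a ⟶_T Is0 n)
    return ("and", ("guard", a, ("Is1", n)), ("guard", not a, ("Is0", n)))

def cktSat(nl, A, C):
    """Lemma 13: cktSat nl (A ⇝ C) iff defSqOfTrForm C ⊑_sq defTrajOfCirc A nl.
    Only times up to depth(C) and the nodes of C can violate ⊑_sq, because
    defSq C is X elsewhere and X ⊑ v for every v."""
    defTraj = lambda t, n: fSeq(nl, lambda u, m: defSq(A, u, m), t)(n)
    return all(leq(defSq(C, t, n), defTraj(t, n))
               for t in range(depth(C) + 1) for n in onNodes(C))
```

With this model, cktSat(FIG1, Isb("out", True), ("Next", Isb("outReg", True))) returns True, an instance of Lemma 38 on the added delay, while (Is1 a0 and Is1 b0) ⇝ Is1 out fails because c1 stays X.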

## 7. Sub-netlists

It is interesting to note that the evaluation of an STE assertion in a netlist may only depend on a part of the netlist, and this part is itself a netlist. Therefore, we introduce the concept of a sub-netlist. Given two logical entity sets $nl$ and $nl^{\prime}$, usually with $nl^{\prime} \subseteq nl$, the sub-netlist derived from $nl^{\prime}$ in $nl$ is a closure set of entities, defined as follows:

Definition 14. Let $nl$, $nl^{\prime}$ be two sets of entities. The sub-netlist closure subNet $nl$ $nl^{\prime}$ is the set inductively defined by the following rules:

```
consts subNet :: entity set ⇒ entity set ⇒ entity set
inductive subNet nl nl'
intros
subAddSelf:
  ⟦enttr ∈ nl'; enttr ∈ nl⟧ ⟹ enttr ∈ subNet nl nl'
subAddLink:
  ⟦enttr_o ∈ subNet nl nl'; enttr_r ∈ nl;
   (fanout enttr_r) ∈ set (fanins enttr_o)⟧ ⟹ enttr_r ∈ subNet nl nl'
```

In the rule subAddLink, (fanout $enttr_r$) $\in$ set (fanins $enttr_o$) means that the output node of $enttr_r$ drives one input node of $enttr_o$. This rule guarantees that the whole fanin cone of every entity in $nl^{\prime}$ is contained in subNet $nl$ $nl^{\prime}$. Obviously, subNet $nl$ $nl^{\prime} \subseteq nl$ holds for any $nl^{\prime}$. Informally we say that $nl_{1}$ is a sub-netlist of $nl$ if $nl_{1} = $ subNet $nl$ $nl_{0}$ for some $nl_{0}$.
Example 15. In Example 2, let $n l^{\prime}=\left\{x n o r G_{0}\right\}$, subNet $n l n l^{\prime}=\left\{\right.$ Input $a_{0}$, Input $\left.b_{0}, x n o r G_{0}\right\}$.

Suppose that $nl^{\prime}$ is a sub-netlist of $nl$. At a time point, if $n$ is a node defined in $nl^{\prime}$, then the same value is propagated to node $n$ by the simulations of $nl$ and of $nl^{\prime}$ from a state $s$.

## Lemma 16.

(1)

$$
\llbracket nl^{\prime} \subseteq nl;\ \text{isDefinedIn } n\ nl^{\prime} \rrbracket \Longrightarrow (n, v) \in (\text{rclosure } nl^{\prime}\ s) = (n, v) \in (\text{rclosure } nl\ s)
$$

(2)

$$
\llbracket nl^{\prime} \subseteq nl;\ \text{isDefinedIn } n\ nl^{\prime} \rrbracket \Longrightarrow \text{fclosure } nl\ s\ n = \text{fclosure } nl^{\prime}\ s\ n
$$

Similarly, suppose that $n$ is defined in $nl^{\prime}$; then node $n$ is updated with the same value at every time point by the two simulations of $nl$ and $nl^{\prime}$ from the same state $s$.

## Lemma 17.

$$
\llbracket nl^{\prime} \subseteq nl;\ \text{isDefinedIn } n\ nl^{\prime} \rrbracket \Longrightarrow \text{fSeq } nl\ s\ n = \text{fSeq } nl^{\prime}\ s\ n
$$

Using Lemma 17, we can prove that the two sequences defTrajOfCirc $B$ $nl$ and defTrajOfCirc $B$ $nl^{\prime}$ agree on the value of a node $n$ at any time point if $n$ is defined in $nl^{\prime}$.

## Lemma 18.

$\llbracket nl^{\prime} \subseteq nl;\ \text{isDefinedIn } n\ nl^{\prime} \rrbracket \Longrightarrow \text{defTrajOfCirc } B\ nl\ t\ n = \text{defTrajOfCirc } B\ nl^{\prime}\ t\ n$
Provided that $n l^{\prime}$ is a sub-netlist of $n l$, and all the nodes specified in the consequent $C$ of an STE assertion are defined in $n l^{\prime}$, then it can be safely concluded that cktSat $n l A \leadsto C$ iff cktSat $n l^{\prime} A \leadsto C$.

Lemma 19 (subsetI).

$$
\begin{aligned}
& \llbracket nl^{\prime} \subseteq nl;\ \forall n.\ n \in (\text{onNodes } C) \longrightarrow \text{isDefinedIn } n\ nl^{\prime} \rrbracket \\
& \Longrightarrow \text{cktSat } nl^{\prime}\ A \leadsto C = \text{cktSat } nl\ A \leadsto C
\end{aligned}
$$

The proof of this lemma is rather straightforward: we mainly combine Lemma 18 and Lemma 13. The key point is that for any node $n \in$ (onNodes $C$), we have defTrajOfCirc $A$ $nl$ $t$ $n =$ defTrajOfCirc $A$ $nl^{\prime}$ $t$ $n$. Therefore, (defSqOfTrForm $C$) $t$ $n \sqsubseteq$ (defTrajOfCirc $A$ $nl$) $t$ $n$ iff (defSqOfTrForm $C$) $t$ $n \sqsubseteq$ (defTrajOfCirc $A$ $nl^{\prime}$) $t$ $n$ for any $t$ and any node $n \in$ (onNodes $C$). We are only interested in the evaluation of nodes $n \in$ (onNodes $C$) because (defSqOfTrForm $C$) $t$ $n = \mathrm{X}$ for any node $n \notin$ (onNodes $C$) and $\mathrm{X} \sqsubseteq v$ for any value $v$.

We need two preliminary definitions before we continue.
Definition 20. Let $A$ be a trajectory formula, onNodes $A$, which returns the set of nodes which occur in $A$, is defined as follows:

```
onNodes :: trajForm ⇒ node set
primrec
  onNodes (Is1 n) = {n}
  onNodes (Is0 n) = {n}
  onNodes (A and_T B) = (onNodes A) ∪ (onNodes B)
  onNodes (P ⟶_T A) = onNodes A
  onNodes (Next A) = onNodes A
  onNodes chaos = ∅
```

Next we define InducedNet $nl$ $ns$, where $nl$ is a netlist and $ns$ is a node set. InducedNet $nl$ $ns$ returns the sub-netlist generated by the logical entities that have a node in $ns$ as their output node.

## Definition 21.

```
InducedNet :: entity set ⇒ node set ⇒ entity set
InducedNet nl ns ≡ subNet nl {g. ∃n. isDefinedIn n nl ∧ n ∈ ns ∧ g = lookUp nl n}
```

The next lemma says that if an antecedent $B$ has nothing to do with the nodes which may affect the nodes in the consequent $C$, more specifically, (onNodes $B$) $\cap$ defAsOuts (InducedNet $nl$ (onNodes $C$)) $= \varnothing$, then $B$ has no influence on the truth of the assertion.

Lemma 22 (steEqAnt).

$$
\begin{aligned}
& \llbracket(\text { onNodes } B) \cap \operatorname{defAsOuts} \text { (InducedNet } n l(\text { onNodes } C))=\varnothing \text {; } \\
& \forall n . n \in(\text { onNodes } C) \longrightarrow \text { isDefinedIn } n n l \rrbracket \\
& \Longrightarrow \text { cktSat } n l A \leadsto C=\mathrm{cktSat} n l(A \text { and } B) \leadsto C
\end{aligned}
$$

For instance, let $A = (\text{Is1 } a_{0}) \text{ and}_{\mathrm{T}} (\text{Is1 } b_{0})$, $B = (\text{Isb } a_{1}\ Ba_{1}) \text{ and}_{\mathrm{T}} (\text{Isb } b_{1}\ Bb_{1})$, $C = \text{Is1 } c_{0}$, $nl$ be the netlist shown in Figure 1, and $nl^{\prime} =$ InducedNet $nl$ (onNodes $C$). Then we have onNodes $B = \{a_{1}, b_{1}\}$, onNodes $C = \{c_{0}\}$, $nl^{\prime} = \{\text{Input } a_{0}, \text{Input } b_{0}, xnorG_{0}\}$, and because (onNodes $B$) $\cap$ defAsOuts $nl^{\prime} = \varnothing$, cktSat $nl$ $(A \text{ and } B) \leadsto C$ is equivalent to cktSat $nl$ $A \leadsto C$. Usually $(A \text{ and } B) \leadsto C$ has more symbolic variables than $A \leadsto C$ does, so we often use the following law, which gives a heuristic to simplify an assertion by eliminating unnecessary antecedents.

Lemma 23 (steDelAnt).

$$
\begin{aligned}
& \llbracket (\text{onNodes } B) \cap \text{defAsOuts}(\text{InducedNet } nl\ (\text{onNodes } C)) = \varnothing; \\
& \text{cktSat } nl\ A \leadsto C \rrbracket \\
& \Longrightarrow \text{cktSat } nl\ (A \text{ and } B) \leadsto C
\end{aligned}
$$

This result tells us the heuristics to simplify an assertion by eliminating some unnecessary antecedents without affecting the truth of the assertion under study.

## 8. Symmetry in Circuit Structure and STE

In this section, we introduce the concept of structural symmetry. Because the structure of circuits has been formalized, it is rather straightforward to formalize structural symmetry.

Definition 24. Let $nl$ and $nl^{\prime}$ be two closed netlists. $nl$ and $nl^{\prime}$ are symmetric w.r.t. a function $f$, written sym $f$ $nl$ $nl^{\prime}$, which is defined as follows:

```
sym :: (node ⇒ node) ⇒ entity set ⇒ entity set ⇒ bool
sym f M N ≡ bij f ∧ f ` (defAsOuts M) = (defAsOuts N) ∧
  (∀m. isDefinedIn m M ⟶ isDefinedIn (f m) N ∧
    (let lx = (lookUp M m) in
     let ly = (lookUp N (f m)) in
     (case lx of
        Input x ⇒ ly = Input (f x)
      | Delay out data ⇒ ly = Delay (f out) (f data)
      | Gate out inps tab ⇒ ly = Gate (f out) (map f inps) tab)))
```

Roughly speaking, sym $f$ $nl$ $nl^{\prime}$ says that $f$ is an isomorphism from the structure of $nl$ to that of $nl^{\prime}$. Namely, if $n$ is the output of a logical entity $l$ in $nl$, then $f$ $n$ is the output of a similar logical entity $l^{\prime}$, and the fanins of $l$ are mapped to those of $l^{\prime}$ under $f$. Informally, $l$ and $l^{\prime}$ are similar in the sense that they are both input devices, or both delays, or both gates with the same truth table.

Usually we need to discuss the symmetry between two nodes in one netlist, which is defined by the symmetry between the sub-netlists induced by the two node sets. The predicate nodeSetSym $f$ $M$ $N$ $nl$ specifies that the sub-netlists induced from the node sets $M$ and $N$ in an entity set $nl$ are symmetric w.r.t. some function $f$. Informally, we say that the node sets $M$ and $N$ are symmetric in $nl$ w.r.t. $f$.

## Definition 25.

```
nodeSetSym :: (node ⇒ node) ⇒ node set ⇒ node set ⇒ entity set ⇒ bool
nodeSetSym f M N nl ≡ sym f (InducedNet nl M) (InducedNet nl N)
```

Example 26. Let $nl_{0} = \{\text{Input } a_{0}, \text{Input } b_{0}, xnorG_{0}\}$, $nl_{1} = \{\text{Input } a_{1}, \text{Input } b_{1}, xnorG_{1}\}$, $N_{0} = \{c_{0}\}$, $N_{1} = \{c_{1}\}$, and $f = \lambda x.$ (if $x = a_{0}$ then $a_{1}$ else if $x = a_{1}$ then $a_{0}$ else if $x = b_{0}$ then $b_{1}$ else if $x = b_{1}$ then $b_{0}$ else if $x = c_{0}$ then $c_{1}$ else if $x = c_{1}$ then $c_{0}$ else $x$). Then InducedNet $nl$ $N_{0} = nl_{0}$ and InducedNet $nl$ $N_{1} = nl_{1}$, and we have sym $f$ $nl_{0}$ $nl_{1}$ and nodeSetSym $f$ $N_{0}$ $N_{1}$ $nl$.
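As an added example (not the paper's code), the following Python snippet computes subNet (Definition 14), InducedNet (Definition 21) and the symmetry predicates sym and nodeSetSym (Definitions 24 and 25) on our reading of the Figure 1 netlist, reproducing Examples 15 and 26; the tuple representation of entities and the swap-function builder are our assumptions, and bij f is checked only on the output nodes of the two sub-netlists since the swap built here is a bijection by construction.

```python
# Added example, not code from the paper.  Entities are our tuple encoding:
# ("Input", n), ("Delay", out, data), ("Gate", out, inps, tab); the netlist is
# our reading of Figure 1 (two XNORs feeding an AND).
ONE, ZERO = "ONE", "ZERO"
XNOR, AND2 = [[ONE, ONE], [ZERO, ZERO]], [[ONE, ONE]]
FIG1 = [("Input", "a0"), ("Input", "b0"), ("Input", "a1"), ("Input", "b1"),
        ("Gate", "c0", ["a0", "b0"], XNOR), ("Gate", "c1", ["a1", "b1"], XNOR),
        ("Gate", "out", ["c0", "c1"], AND2)]

def fanout(e): return e[1]
def fanins(e): return [] if e[0] == "Input" else [e[2]] if e[0] == "Delay" else e[2]
def defAsOuts(nl): return {fanout(e) for e in nl}
def lookUp(nl, n): return next(e for e in nl if fanout(e) == n)

def subNet(nl, nl0):
    """Least set closed under subAddSelf (entities of nl0 that are in nl) and
    subAddLink (any entity of nl whose output drives an input of a member)."""
    sub = [e for e in nl0 if e in nl]
    changed = True
    while changed:
        changed = False
        for e_o in list(sub):
            for e_r in nl:
                if fanout(e_r) in fanins(e_o) and e_r not in sub:
                    sub.append(e_r)
                    changed = True
    return sub

def InducedNet(nl, ns):  # sub-netlist generated by the entities driving nodes in ns
    return subNet(nl, [lookUp(nl, n) for n in ns if n in defAsOuts(nl)])

def sym(f, M, N):
    """f maps the output nodes of M bijectively onto those of N and every entity
    of M to an entity of the same kind in N (same truth table for gates)."""
    outsM, outsN = defAsOuts(M), defAsOuts(N)
    image = {f(m) for m in outsM}
    if image != outsN or len(image) != len(outsM):
        return False
    for m in outsM:
        lx, ly = lookUp(M, m), lookUp(N, f(m))
        if lx[0] == "Input" and ly != ("Input", f(lx[1])): return False
        if lx[0] == "Delay" and ly != ("Delay", f(lx[1]), f(lx[2])): return False
        if lx[0] == "Gate" and ly != ("Gate", f(lx[1]), [f(i) for i in lx[2]], lx[3]):
            return False
    return True

def nodeSetSym(f, M, N, nl):  # Definition 25
    return sym(f, InducedNet(nl, M), InducedNet(nl, N))

def swap_pairs(pairs):  # a swap function f from node pairs, e.g. the f of Example 26
    table = {a: b for a, b in pairs}
    table.update({b: a for a, b in pairs})
    return lambda x: table.get(x, x)
```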

Next we define permutations on states, sequences, and formulas. These are similar to their counterparts in [17].

Definition 27. Permutation on states.

```
appSym2State :: (node ⇒ node) ⇒ state ⇒ state
appSym2State f s ≡ λn. s (f n)
```

Definition 28. Permutation on sequences.

```
appSym2Seq :: (node ⇒ node) ⇒ stateSeq ⇒ stateSeq
appSym2Seq f sq ≡ λt. appSym2State f (sq t)
```

Definition 29. Permutation on formulas.

```
appSym2Form :: (node ⇒ node) ⇒ trajForm ⇒ trajForm
primrec
  appSym2Form f (Is0 n) = Is0 (f n)
  appSym2Form f (Is1 n) = Is1 (f n)
  appSym2Form f (A and_T B) = (appSym2Form f A) and_T (appSym2Form f B)
  appSym2Form f (P ⟶_T A) = P ⟶_T (appSym2Form f A)
  appSym2Form f (Next A) = Next (appSym2Form f A)
  appSym2Form f chaos = chaos
```

Each permutation can be defined as a composition of swap functions. Here we use a predicate isSwap to specify that a function is a swap function: isSwap $f \equiv \forall a\ b.\ f\ a = b \longrightarrow f\ b = a$.

It is equivalent to apply a swap permutation $f$ on a defining sequence of a formula and to compute the defining sequence of the permutation of a formula, provided that $f$ is a swap function.

## Lemma 30.

isSwap $f \Longrightarrow$
appSym2Seq $f$ (defSqOfTrForm $A$) $=$ defSqOfTrForm (appSym2Form $f$ $A$)
Suppose that $n l$ and $n l^{\prime}$ are symmetric w.r.t. $f$, then a swap permutation on the defining trajectory of $A$ w.r.t. $n l$ is equivalent to the defining trajectory of appSym2Form $f A$ w.r.t. $n l^{\prime}$.

## Lemma 31.

$\llbracket nl \in$ netlists; $nl^{\prime} \in$ netlists; sym $f$ $nl$ $nl^{\prime}$; isSwap $f \rrbracket$
$\Longrightarrow$ appSym2Seq $f$ (defTrajOfCirc $A$ $nl$) $=$ defTrajOfCirc (appSym2Form $f$ $A$) $nl^{\prime}$
With the help of Lemma 13 and 30 and 31, we can derive an important result which encapsulates the relation between symmetric netlists and the symmetric STE assertions.

## Lemma 32.

$\llbracket$ sym $f$ $nl$ $nl^{\prime}$; isSwap $f \rrbracket \Longrightarrow$
cktSat $nl$ $(A \leadsto C) =$ cktSat $nl^{\prime}$ (appSym2Form $f$ $A \leadsto$ appSym2Form $f$ $C$)

This result guarantees us that we only need verify one representative STE assertion from an equivalence class, and deduce the correctness of the entire class for symmetric circuits.

Provided that all the nodes in onNodes $C$ and onNodes (appSym2Form $f$ $C$) are defined in $nl$, and they are symmetric in $nl$ w.r.t. $f$, cktSat $nl$ $(A \leadsto C)$ implies cktSat $nl$ (appSym2Form $f$ $A \leadsto$ appSym2Form $f$ $C$). The proof of this result combines Lemma 32 and Lemma 19. Because we often meet the case of symmetry between two sub-netlists of a netlist, the following lemma is very useful in our verification.

Lemma 33 (symReduce2).
$\llbracket$ isSwap $f$; $\forall n.\ n \in$ (onNodes $C$) $\longrightarrow$ isDefinedIn $n$ $nl$;
$\forall n.\ n \in$ (onNodes (appSym2Form $f$ $C$)) $\longrightarrow$ isDefinedIn $n$ $nl$;
nodeSetSym $f$ (onNodes $C$) (onNodes (appSym2Form $f$ $C$)) $nl \rrbracket$
$\Longrightarrow$ cktSat $nl$ $(A \leadsto C) =$ cktSat $nl$ (appSym2Form $f$ $A \leadsto$ appSym2Form $f$ $C$)

## 9. Novel Algebraic Laws

In this section, we introduce a set of algebraic laws. The novelty of our laws lies in that they relate properties of some circuits to their special structures. In the classical literature on STE, some laws have already been introduced, and they are usually general in the sense that they are independent of the structure of the circuit. For instance, the steConjI rule, $\llbracket nl \in$ netlists; isClosed $nl$; cktSat $nl$ $(A \leadsto B)$; cktSat $nl$ $(A \leadsto C) \rrbracket \Longrightarrow$ cktSat $nl$ $A \leadsto (B \text{ and}_{\mathrm{T}} C)$, has already been introduced in [1, 17], and it holds for any netlist $nl$. Different from laws such as steConjI, our laws, introduced below, formally exploit the special structures of some circuits in our formal netlist model.

We need some preliminary definitions before we continue. andLists $tfs$ returns the conjunction of a list of trajectory formulas:

```
andLists [] = chaos
andLists (A # listA) = A and_T (andLists listA)
```

Two predicates isFullAndLine :: LINE $\Rightarrow$ bool and isAndTab :: PLA $\Rightarrow$ bool are introduced to define a truth table of an AND-gate:

```
isFullAndLine line ≡ ∀l. l mem line ⟶ l = ONE
isAndTab tab ≡ length tab = 1 ∧ isFullAndLine (hd tab)
```

The first lemma says that if all the input nodes of an AND-gate are set high, then its output is high too.

Lemma 34 (andTabPropT).
$\llbracket$ isAndTab tab; Gate out inps tab $\in n l ;$
$\forall l .(l$ mem $t a b) \longrightarrow$ length $l=$ length inps $\rrbracket \Longrightarrow$
cktSat $n l(($ andLists $($ map $(\lambda n$. Is1 $n)$ inps $)) \leadsto($ Is1 out $))$

The second lemma says that if one input node of an AND-gate is set low, then its output turns low.

## Lemma 35 (andTabPropF).

$\llbracket$ isAndTab tab; Gate out inps tab $\in nl$; $inps_{i}$ mem inps;
$\forall l.\ (l$ mem tab$) \longrightarrow$ length $l =$ length inps $\rrbracket \Longrightarrow$
cktSat $nl$ ((Is0 $inps_{i}$) $\leadsto$ (Is0 out))

Naturally a table whose length is greater than 1 is a disjunction of lines, so we need not deliberately define an OR-gate. However, before we go on we need to formally define a function which specifies the value assignments of all inputs in a line. The function posAssertOfLine inps lits returns a list of trajectory formulas, each of which specifies a value for the node $inps_{i}$ according to the literal $lits_{i}$: if $lits_{i}$ is ZERO, then $inps_{i}$ is specified as ff by an Is0 formula; if $lits_{i}$ is ONE, then $inps_{i}$ is specified as tt by an Is1 formula; otherwise it is left as X by chaos. Let $inps = [i_{1}, i_{2}]$ and $line = [\mathrm{ONE}, \mathrm{ONE}]$; then posAssertOfLine inps line $= [\text{Is1 } i_{1}, \text{Is1 } i_{2}]$.

```
posAssertOfLine :: node list ⇒ Literal list ⇒ trajForm list
primrec
  posAssertOfLine inps [] = []
  posAssertOfLine inps (l # line) =
    let otherAss = posAssertOfLine (tl inps) line in
    (case l of ZERO ⇒ (Is0 (hd inps)) # otherAss
             | ONE ⇒ (Is1 (hd inps)) # otherAss
             | DONTCARE ⇒ chaos # otherAss)
```

Obviously, if there exists a line $l$ in the table $t a b$ of a gate, and the values assigned to the inputs of the gate satisfy the formula posAssertOfLine inps $l$, then the output of the line is tt , thus the output of the gate is also set tt .

## Lemma 36 (orTabPropT).

$$
\begin{aligned}
& \llbracket \text{Gate out inps } tab \in nl;\ l \text{ mem } tab; \\
& \forall l.\ (l \text{ mem } tab) \longrightarrow \text{length } l = \text{length inps} \rrbracket \Longrightarrow \\
& \text{cktSat } nl\ ((\text{andLists } (\text{posAssertOfLine inps } l)) \leadsto (\text{Is1 out}))
\end{aligned}
$$

Next we introduce a function isNegAssOfLine $A$ inps line, which returns true if the formula $A$ specifies, for some node $inps_{i}$, a value contradicting the literal $lits_{i}$: if $A$ is Is1 $n$, then the literal at $n$ must be ZERO, and if $A$ is Is0 $n$, then the literal at $n$ must be ONE. For simplicity, isNegAssOfLine $A$ inps line is defined to be False for any other formula.

```
isNegAssOfLine :: trajForm ⇒ node list ⇒ Literal list ⇒ bool
primrec
  isNegAssOfLine (Is1 n) inps line = n mem inps ∧
    (∃pair. (pair ∈ zip inps line ∧ fst pair = n ∧ snd pair = ZERO))
  isNegAssOfLine (Is0 n) inps line = n mem inps ∧
    (∃pair. (pair ∈ zip inps line ∧ fst pair = n ∧ snd pair = ONE))
  isNegAssOfLine A inps line = False    (for any other formula A)
```

For a trajectory formula list asList, if for every line $l$ in the table $tab$ of a gate there exists a formula $A$ that is a member of asList with isNegAssOfLine $A$ inps $l$, then the value of each line is ff, thus the output of the gate is set ff. For instance, let $tab = [[\mathrm{ONE}, \mathrm{ONE}], [\mathrm{ZERO}, \mathrm{ZERO}]]$ and asList $= [\text{Is1 } i_{1}, \text{Is0 } i_{2}]$; then we have $\exists A.\ (A \text{ mem asList}) \wedge \text{isNegAssOfLine } A \text{ inps } l$ for any $l$ such that $l$ mem $tab$.

## Lemma 37 (orTabPropF).

$$
\begin{aligned}
& \llbracket \text{Gate } out\ inps\ tab \in nl;\ \forall l.\ (l \text{ mem } tab) \longrightarrow \text{length } l = \text{length } inps; \\
& \quad \forall l.\ (l \text{ mem } tab) \longrightarrow (\exists A.\ (A \text{ mem } asList) \wedge \text{isNegAssOfLine } A\ inps\ l) \rrbracket \Longrightarrow \\
& \quad \text{cktSat } nl\ (\text{andLists } asList \leadsto \text{Is0 } out)
\end{aligned}
$$

For convenience, we define a syntactical abbreviation: Isb $n\ a \equiv (a \longrightarrow_{\mathrm{T}} \text{Is1 } n)\ \text{and}_{\mathrm{T}}\ (\neg a \longrightarrow_{\mathrm{T}} \text{Is0 } n)$. Roughly speaking, Isb $n\ a$ means that node $n$ is set to the boolean value $a$. If the input node $n$ of a delay is set to a boolean value $a$ at time 0, then the output of the delay is set to $a$ at the next time point.

## Lemma 38.

$\llbracket \text{Delay } out\ n \in nl;\ nl \in \text{netlists};\ \text{isClosed } nl \rrbracket \Longrightarrow \text{cktSat } nl\ (\text{Isb } n\ a \leadsto \text{Next } (\text{Isb } out\ a))$

## 10. Illustrative Case Studies

In this section, we use illustrative examples to demonstrate the power of our new laws. We choose content addressable memories (CAMs), which are a classical example in the STE literature. CAMs are widely used wherever fast parallel search operations are required. Pandey used symbolic indexing techniques to verify CAMs, which is regarded as a classical work in the STE literature [28]; he reported a logarithmic reduction in the number of variables required when the symbolic indexing encoding style is adopted. Darbari took advantage of a type-checking approach for symmetry detection based on a high-level HDL description, using a richer type system to record the symmetry [9, 17]. Using the symmetry type information, he combined symmetry reduction with other decomposition rules. CAMs could then be verified using a fixed number of BDD variables, since only one line has to be verified at a time and the other lines follow by symmetry reduction. The verification time is linear in the tag width, the number of CAM lines and the number of CAMs.

The structure and properties of a CAM circuit are rather complex, but the core of a CAM is a list of comparators whose outputs drive an OR-gate. So we start from an $N$-bit comparator.

### 10.1. N-bit Comparator

The structure of an $N$-bit comparator is a natural extension of the 2-bit comparator shown in Figure 1. For convenience, we define some syntactical abbreviations: $[0..<N] \equiv [0, \ldots, N-1]$ if $N>0$. Let $f$ be a function over natural numbers; then $[f\ i.\ i<N] \equiv \text{map } f\ [0..<N]$. In this work, we usually call such an $f$ a vector, and $f\ i$ is written $f_i$. If $f_i$ is itself a vector, we write $f_{ij}$ for $f\ i\ j$.

Let $a$, $b$, $c$ be three vectors of nodes, so each $a_i$ is a node. Let $N>1$, $xnorTab = [[ONE, ONE], [ZERO, ZERO]]$, $andLine = [(\lambda j.\ ONE)\ i.\ i<N]$ (a line of $N$ literals ONE), $xnorGLs = \{\text{Gate } c_i\ [a_i, b_i]\ xnorTab.\ i<N\}$, $cs = [c_i.\ i<N]$, and $andG = \text{Gate } out\ cs\ [andLine]$. Let $nl$ be a closed netlist such that $xnorGLs \cup \{andG\} \subseteq nl$. To make our results more general, we only require that $nl$ contains the gate $andG$ and all the XNOR-gates in $xnorGLs$.

Let $bvOfAs$ and $bvOfBs$ be two vectors of boolean variables modelling the symbolic values of the nodes, so each $bvOfAs_i$ is a boolean variable. Let $antOfAs = [\text{Isb } a_i\ bvOfAs_i.\ i<N]$, $antOfBs = [\text{Isb } b_i\ bvOfBs_i.\ i<N]$, $Gp_0 = \exists i.\ i<N \wedge bvOfAs_i \neq bvOfBs_i$, and $Gp_1 = \forall i.\ i<N \longrightarrow bvOfAs_i = bvOfBs_i$. Let $ant = \text{andLists}\ (antOfAs\ @\ antOfBs)$, $cons_0 = Gp_0 \longrightarrow_{\mathrm{T}} \text{Is0 } out$, $cons_1 = Gp_1 \longrightarrow_{\mathrm{T}} \text{Is1 } out$, and $cons = cons_0\ \text{and}_{\mathrm{T}}\ cons_1$. We want to prove the assertion cktSat $nl$ ($ant \leadsto cons$). Intuitively, $ant$ specifies the symbolic values of the nodes to be compared, $cons_0$ says that $out$ is low when $a$ and $b$ differ on some bit $i$, and $cons_1$ says that $out$ is high when $a$ and $b$ agree on all bits $i<N$. Due to space limitations, we only give the key auxiliary results for the main lemma; refer to the Isabelle proof scripts [11] for the details.

## Lemma 39.

(1) $\llbracket i<N;\ \neg bvOfAs_i \wedge bvOfBs_i \rrbracket \Longrightarrow \text{cktSat } nl\ (ant \leadsto \text{andLists } [\text{Is0 } a_i, \text{Is1 } b_i])$

(2) $\llbracket i<N;\ bvOfAs_i \wedge \neg bvOfBs_i \rrbracket \Longrightarrow \text{cktSat } nl\ (ant \leadsto \text{andLists } [\text{Is1 } a_i, \text{Is0 } b_i])$

(3) $\llbracket i<N \rrbracket \Longrightarrow \text{cktSat } nl\ (\text{andLists } [\text{Is0 } a_i, \text{Is1 } b_i] \leadsto \text{Is0 } c_i)$

(4) $\llbracket i<N \rrbracket \Longrightarrow \text{cktSat } nl\ (\text{andLists } [\text{Is1 } a_i, \text{Is0 } b_i] \leadsto \text{Is0 } c_i)$

(5) $\llbracket i<N;\ bvOfAs_i \neq bvOfBs_i \rrbracket \Longrightarrow \text{cktSat } nl\ (ant \leadsto \text{Is0 } c_i)$

(6) $\llbracket i<N \rrbracket \Longrightarrow \text{cktSat } nl\ (\text{Is0 } c_i \leadsto \text{Is0 } out)$

(7) $\llbracket i<N;\ bvOfAs_i \wedge bvOfBs_i \rrbracket \Longrightarrow \text{cktSat } nl\ (ant \leadsto \text{andLists } (\text{posAssertOfLine } [a_i, b_i]\ [ONE, ONE]))$

(8) $\llbracket i<N \rrbracket \Longrightarrow \text{cktSat } nl\ (\text{andLists } (\text{posAssertOfLine } [a_i, b_i]\ [ONE, ONE]) \leadsto \text{Is1 } c_i)$

(9) $\llbracket i<N;\ \neg bvOfAs_i \wedge \neg bvOfBs_i \rrbracket \Longrightarrow \text{cktSat } nl\ (ant \leadsto \text{andLists } (\text{posAssertOfLine } [a_i, b_i]\ [ZERO, ZERO]))$

(10) $\llbracket i<N \rrbracket \Longrightarrow \text{cktSat } nl\ (\text{andLists } (\text{posAssertOfLine } [a_i, b_i]\ [ZERO, ZERO]) \leadsto \text{Is1 } c_i)$

(11) $\llbracket i<N;\ bvOfAs_i = bvOfBs_i \rrbracket \Longrightarrow \text{cktSat } nl\ (ant \leadsto \text{Is1 } c_i)$

(12) $\llbracket Gp_1 \rrbracket \Longrightarrow \text{cktSat } nl\ (ant \leadsto \text{andLists } [\text{Is1 } c_i.\ i<N])$

(13) $\text{cktSat } nl\ (\text{andLists } [\text{Is1 } c_i.\ i<N] \leadsto \text{Is1 } out)$

In Lemma 39, (1)-(5) prove that node $c_i$ is set low if there is a bit $i$ on which nodes $a_i$ and $b_i$ are set to different values; rule orTabPropF is the main rule used to prove these results. (6) says that once $c_i$ is set low, the output $out$ is set low; it is proved by law andTabPropF. (7)-(11) prove that node $c_i$ is set high if nodes $a_i$ and $b_i$ agree on the value of bit $i$, for $i<N$; rule orTabPropT is the main rule used to prove these results. From these, (12) follows easily, and (13) is proved by law andTabPropT.

Lemma 40. cktSat $nl$ ($ant \leadsto cons$).

Proof. For the main goal, we use rule steConjI to decompose it into two subgoals: (a) cktSat $nl$ ($ant \leadsto cons_0$) and (b) cktSat $nl$ ($ant \leadsto cons_1$).

In order to prove (a), by rule steImpI we assume (c) $Gp_0$ and need to show cktSat $nl$ ($ant \leadsto \text{Is0 } out$). From (c), we obtain an $i$ with $i<N$ and (d) $bvOfAs_i \neq bvOfBs_i$. From this and Lemma 39 (5), we have (e) cktSat $nl$ ($ant \leadsto \text{Is0 } c_i$). With Lemma 39 (6), by rule steTrans, we obtain cktSat $nl$ ($ant \leadsto \text{Is0 } out$).

In order to prove (b), by rule steImpI we assume (f) $Gp_1$ and need to show cktSat $nl$ ($ant \leadsto \text{Is1 } out$). From (f) and Lemma 39 (12), we have (g) cktSat $nl$ ($ant \leadsto \text{andLists } [\text{Is1 } c_i.\ i<N]$). With Lemma 39 (13), by rule steTrans, we obtain cktSat $nl$ ($ant \leadsto \text{Is1 } out$).

### 10.2. M-N-CAM

Figure 5 shows part of an $M$-$N$-CAM circuit. It stores $M$ lines of tags, each of width $N$. Let $T$ and $c$ be vectors of vectors of nodes, so $T_{ij}$ is a node, and let $Tag$ and $match$ be vectors of nodes. Let $M>1$, $N>1$, let $xnorTab$ and $andLine$ be defined as in subsection 10.1, and let $css = [[c_{ij}.\ j<N].\ i<M]$, $xnorGs = \{\text{Gate } c_{ij}\ [T_{ij}, Tag_j]\ xnorTab.\ j<N, i<M\}$, $matches = [match_i.\ i<M]$, $andGs = \{\text{Gate } match_i\ css_i\ [andLine].\ i<M\}$, $orLine = \lambda i.\ [(\lambda j.\ \text{if } j=i \text{ then } ONE \text{ else } DontCare)\ j.\ j<M]$, $orTab = [orLine\ i.\ i<M]$, and $orG = \text{Gate } hit\ matches\ orTab$. Let $nl$ be a closed netlist such that $xnorGs \cup andGs \cup \{orG\} \subseteq nl$.


Figure 5: An $M$-$N$-CAM

Let $bvOfTs$ be a vector of vectors of boolean variables modelling the symbolic values of the stored tags, and $bvOfTag$ a vector of boolean variables modelling the symbolic value of the input tag. Let $antOfTag = [\text{Isb } Tag_j\ bvOfTag_j.\ j<N]$, $antOfTs = [[\text{Isb } T_{ij}\ bvOfTs_{ij}.\ j<N].\ i<M]$, $GpOfUnHitI = \lambda i.\ (\exists j.\ j<N \wedge bvOfTag_j \neq bvOfTs_{ij})$, $GpOfHitI = \lambda i.\ (\forall j.\ j<N \longrightarrow bvOfTag_j = bvOfTs_{ij})$, $GpOfUnHit = \forall i.\ i<M \longrightarrow GpOfUnHitI\ i$, and $GpOfHit = \exists i.\ i<M \wedge GpOfHitI\ i$. Let $ant = \text{andLists}\ (antOfTag\ @\ (\text{flat } antOfTs))$, $cons_0 = GpOfUnHit \longrightarrow_{\mathrm{T}} \text{Is0 } hit$, $cons_1 = GpOfHit \longrightarrow_{\mathrm{T}} \text{Is1 } hit$, and $cons = cons_0\ \text{and}_{\mathrm{T}}\ cons_1$. We want to prove the assertion cktSat $nl$ ($ant \leadsto cons$). Here $ant$ again specifies the symbolic values of the nodes of the input tag and of the stored tags, $cons_0$ says that the node $hit$ is set low if no line matches the input tag, and $cons_1$ says that $hit$ is set high if some line matches the input tag.

## Lemma 41.

(1) $\llbracket i<M;\ GpOfUnHitI\ i \rrbracket \Longrightarrow \text{cktSat } nl\ (ant \leadsto \text{Is0 } match_i)$

(2) $\llbracket GpOfUnHit \rrbracket \Longrightarrow \text{cktSat } nl\ (ant \leadsto \text{andLists } [\text{Is0 } match_i.\ i<M])$

(3) $\text{cktSat } nl\ (\text{andLists } [\text{Is0 } match_i.\ i<M] \leadsto \text{Is0 } hit)$

(4) $\llbracket GpOfUnHit \rrbracket \Longrightarrow \text{cktSat } nl\ (ant \leadsto \text{Is0 } hit)$

(5) $\llbracket i<M;\ GpOfHitI\ i \rrbracket \Longrightarrow \text{cktSat } nl\ (ant \leadsto \text{Is1 } match_i)$

(6) $\llbracket i<M \rrbracket \Longrightarrow \text{cktSat } nl\ (\text{Is1 } match_i \leadsto \text{andLists } (\text{posAssertOfLine } matches\ (orLine\ i)))$

(7) $\llbracket i<M \rrbracket \Longrightarrow \text{cktSat } nl\ (\text{andLists } (\text{posAssertOfLine } matches\ (orLine\ i)) \leadsto \text{Is1 } hit)$

(8) $\llbracket i<M;\ GpOfHitI\ i \rrbracket \Longrightarrow \text{cktSat } nl\ (ant \leadsto \text{Is1 } hit)$

In Lemma 41, (1) and (2) follow directly from the results for an $N$-bit comparator whose output $match_i$ is set low, as shown in Lemma 39. Here the antecedent GpOfUnHitI $i$ specifies that the value of the $i$-th stored tag $T_i$ does not match that of the input tag $Tag$. (3) is proved by law orTabPropF, and (4) by combining (2) and (3). (5) is the result for an $N$-bit comparator whose output $match_i$ is set high, again from Lemma 39; here the antecedent GpOfHitI $i$ specifies that the $i$-th stored tag $T_i$ matches the input tag $Tag$. (6) is proved simply by unfolding the definitions of andLists and posAssertOfLine: the list posAssertOfLine matches (orLine $i$) consists of trajectory formulas whose $i$-th element is Is1 $match_i$ and whose other elements are chaos, so its conjunction is equivalent to Is1 $match_i$. (7) is proved by law orTabPropT, and (8) by combining (5), (6) and (7). From these results, it is straightforward to derive the following result using rules steImpI, steConjI and steTrans.

Lemma 42. cktSat $nl$ ($ant \leadsto cons$).

Proof. For the main goal, we use rule steConjI to decompose it into two subgoals: (a) cktSat $nl$ ($ant \leadsto cons_0$) and (b) cktSat $nl$ ($ant \leadsto cons_1$).

In order to prove (a), by rule steImpI we assume (c) GpOfUnHit and need to show cktSat $nl$ ($ant \leadsto \text{Is0 } hit$). This follows directly from Lemma 41 (4).

In order to prove (b), by rule steImpI we assume (d) GpOfHit and need to show cktSat $nl$ ($ant \leadsto \text{Is1 } hit$). From (d), we obtain an $i$ with $i<M$ and GpOfHitI $i$. From this, by Lemma 41 (8), we obtain cktSat $nl$ ($ant \leadsto \text{Is1 } hit$).
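To make the gate-table semantics behind the laws orTabPropT/orTabPropF and the decomposition used in Lemmas 39 to 42 concrete, the following Python script is an added example; it is not part of the paper or of its Isabelle scripts [11]. It models the three node values tt, ff and X, evaluates a gate's table as a sum of product lines in the way the XNOR, AND and OR gates of Sections 10.1 and 10.2 are tabulated, encodes isNegAssOfLine as defined above and posAssertOfLine as Is1/Is0 per literal with chaos for DontCare (inferred from its use in Lemma 41 (6)), and then checks (i) that every line of xnorTab satisfies orTabPropT and that the example asList = [Is1 i1, Is0 i2] satisfies the side condition of orTabPropF and forces the output to ff, and (ii) the CAM assertion ant ⇝ cons by exhaustive three-valued simulation of a constructed M-N-CAM netlist for small M and N. Node names such as `Tag0`, `T1_0` and `match1`, the tuple encoding of formulas, and the dictionary-based closure computation are this example's own conventions, not the paper's.

```python
# Three-valued gate-table semantics of the netlist model, with checks of the
# orTabPropT/orTabPropF side conditions and of the M-N-CAM assertion.
# Added example; not part of the paper's Isabelle development [11].
from itertools import product

ONE, ZERO, DC = "ONE", "ZERO", "DontCare"   # literals of a table line
T, F, X = True, False, None                  # node values tt, ff and X (unknown)
XNOR_TAB = [[ONE, ONE], [ZERO, ZERO]]        # xnorTab of Section 10.1

def pos_assert_of_line(inps, line):
    """posAssertOfLine inps line: Is1 n for ONE, Is0 n for ZERO, chaos for DontCare."""
    return [("Is1", n) if lit == ONE else ("Is0", n) if lit == ZERO else ("chaos",)
            for n, lit in zip(inps, line)]

def is_neg_ass_of_line(A, inps, line):
    """isNegAssOfLine A inps line: A pins some input to the value that falsifies the line."""
    falsifier = {"Is1": ZERO, "Is0": ONE}.get(A[0])
    return falsifier is not None and any(n == A[1] and lit == falsifier for n, lit in zip(inps, line))

def state_of(as_list):
    """Node values forced by a list of Is1/Is0 atoms; chaos forces nothing."""
    return {A[1]: A[0] == "Is1" for A in as_list if A[0] in ("Is1", "Is0")}

def line_fires(vals, line):
    """Ternary AND of one line: F on a definite mismatch, X if a compared input
    is unknown, T when every literal is definitely met (DontCare is skipped)."""
    r = T
    for v, lit in zip(vals, line):
        if lit == DC:
            continue
        if v is X:
            r = X
        elif v != (lit == ONE):
            return F
    return r

def gate_output(vals, tab):
    """Ternary OR over the table lines: the closure value of the gate's output node."""
    outs = [line_fires(vals, line) for line in tab]
    return T if T in outs else F if all(o is F for o in outs) else X

def or_tab_prop_t(inps, tab):
    """orTabPropT: for every line l, andLists (posAssertOfLine inps l) drives the output to tt."""
    return all(gate_output([state_of(pos_assert_of_line(inps, l)).get(n, X) for n in inps], tab) is T
               for l in tab)

def or_tab_prop_f(inps, tab, as_list):
    """orTabPropF: (side condition 'each line is negated by some A in asList', output value)."""
    covered = all(any(is_neg_ass_of_line(A, inps, l) for A in as_list) for l in tab)
    return covered, gate_output([state_of(as_list).get(n, X) for n in inps], tab)

def or_line(M, i):
    """orLine i of Section 10.2: ONE at position i, DontCare elsewhere."""
    return [ONE if j == i else DC for j in range(M)]

def cam_netlist(M, N):
    """Gates (out, inps, tab) of xnorGs, andGs and orG; node names are this example's own."""
    gates = []
    for i in range(M):
        for j in range(N):
            gates.append((f"c{i}_{j}", [f"T{i}_{j}", f"Tag{j}"], XNOR_TAB))
        gates.append((f"match{i}", [f"c{i}_{j}" for j in range(N)], [[ONE] * N]))  # andLine
    gates.append(("hit", [f"match{i}" for i in range(M)], [or_line(M, i) for i in range(M)]))
    return gates

def simulate(gates, init):
    """Closure of the netlist: nodes start at X and gate outputs are filled in from
    their inputs until nothing changes (monotone, so gate order does not matter)."""
    st = dict(init)
    changed = True
    while changed:
        changed = False
        for out, inps, tab in gates:
            if st.get(out, X) is X:
                v = gate_output([st.get(n, X) for n in inps], tab)
                if v is not X:
                    st[out], changed = v, True
    return st

def check_cam(M, N):
    """cktSat nl (ant ⇝ cons): hit is tt iff some stored tag equals the input tag,
    checked for every boolean value of the input tag and of the M stored tags."""
    gates = cam_netlist(M, N)
    for bits in product([F, T], repeat=N + M * N):
        tag, stored = bits[:N], bits[N:]
        init = {f"Tag{j}": tag[j] for j in range(N)}
        init.update({f"T{i}_{j}": stored[i * N + j] for i in range(M) for j in range(N)})
        expected = any(all(stored[i * N + j] == tag[j] for j in range(N)) for i in range(M))
        if simulate(gates, init)["hit"] != expected:
            return False
    return True

if __name__ == "__main__":
    print(or_tab_prop_t(["i1", "i2"], XNOR_TAB))                                    # True
    print(or_tab_prop_f(["i1", "i2"], XNOR_TAB, [("Is1", "i1"), ("Is0", "i2")]))  # (True, False)
    print(check_cam(2, 2), check_cam(3, 2))                                         # True True
```

Two points worth noticing when running it. First, `or_tab_prop_f` with the incomplete list `[Is1 i1]` reports that the line `[ONE, ONE]` is not negated and the XNOR output stays X, which is exactly the situation the side condition of orTabPropF excludes. Second, `check_cam` enumerates $2^{N+MN}$ assignments and is only feasible for tiny $M$ and $N$; the point of the algebraic laws is that the Isabelle proof of Lemma 42 holds for arbitrary $M$ and $N$ without enumerating any state.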

Our proofs are purely algebraic reductions without any symbolic simulation. A first distinguishing feature of our approach is the use of the laws andTabPropT (andTabPropF) and orTabPropT (orTabPropF) to decompose an assertion on the output of an AND-gate or OR-gate into assertions on the individual input nodes of the gate. This is why we call these laws the algebraic semantics of STE. Since every combinational part of a circuit is built from AND-gates and OR-gates, the laws andTabPropT (andTabPropF) and orTabPropT (orTabPropF) are general-purpose in the sense that they can be combined to analyze any combinational part of a circuit. A second feature is that our proof is a parameterized verification of CAMs, where $M$ and $N$ are arbitrary parameters (with $M>1$ and $N>1$ as assumed above). Building on the results for the $N$-bit comparator, the parameterized proof is a clean deduction involving only simple applications of the rules orTabPropT (orTabPropF) and of the rules for quantifiers, and it does not suffer from the state explosion problem.

## 11. Conclusion

The key contribution of our work is to introduce the inductive approach to formalize both the structure and the simulation semantics of a netlist. A legal netlist structure must satisfy the following conditions: conflicts between the output nodes of two logical entities must be excluded, and no cycle may occur in the combinational part of the netlist, although a cycle is allowed to pass through a delay element. Because such cycles exist, it is difficult to define the structure simply with a datatype. The inductive definition of a netlist formally specifies these requirements by a set of intuitive introduction rules.

The inductive approach also provides a satisfactory way to formalize the propagation of information through the netlist structure in the simulation semantics of a netlist. Essentially such a propagation is a process of value assignments to nodes which spreads from each gate's inputs to its outputs, starting from the primary input nodes of the netlist and the state-holding nodes of delay entities. The three inductive rules of rclosure capture the semantics of this propagation process precisely. Furthermore, we can formally derive the functions fclosure and fSeq. The function fSeq can be seen as a concrete version of the abstract next-state function Y used in the classical STE literature. It is sound in the sense that fSeq is monotonic. Therefore our work not only proves the existence of a suitable next-state function Y, but also shows its formal construction by deriving fSeq.

Not only does the inductive approach help us formally define the structure and simulation semantics of a netlist, it also provides an effective induction principle for proving useful properties of a netlist. In particular, we use the induction principle to prove two unique-existence results which establish the soundness of the semantic model. The first says that for any defined node $n$, there is a unique logical entity in the netlist whose output is $n$. The second proves that the relation rclosure $nl\ s$ is single-valued, so the function fclosure $nl\ s$ can be formally derived from it.

The advantage of introducing a formal netlist model is that it makes explicit the close relation between the properties of a circuit and its structure. Two main results of ours, symmetry reduction and a set of novel algebraic laws, are introduced to decompose an STE assertion. In our case study, we show how to combine some of our laws for the parameterized verification of content addressable memories (CAMs). This experience demonstrates both theoretical and practical benefits, because it provides an alternative, effective way of verifying STE assertions: algebraic reduction.

In the future, we will extend our research in two directions. (1) We will make our reduction method as automatic as possible. In fact, there are strong heuristics for applying some of the laws. For instance, if the consequent of an assertion specifies that the output node of an AND-gate is set to a positive value, then rules steTrans and andTabPropT should be applied, introducing a new assertion which specifies that the values of all the input nodes are also set to positive values whenever the antecedent of the original assertion holds, as shown in Lemma 40. (2) We will look into combining our reduction method with STE model checking. Using our reduction method, we decompose a complex assertion into small assertions, and then use an STE tool like Forte to model-check the small assertions directly. The key to combining the two techniques is to select a proper interface and development environment to integrate them.

## References

[1] C.-J. H. Seger, R. E. Bryant, Formal verification by symbolic evaluation of partially-ordered trajectories, Formal Methods in System Design 6 (2) (1995) 147-189. doi:10.1007/BF01383966.
[2] J. O'Leary, X. Zhao, R. Gerth, C.-J. H. Seger, Formally verifying IEEE compliance of floating-point hardware, Intel Technology Journal Q1 (1999) 147-190.
[3] M. D. Aagaard, R. B. Jones, C.-J. H. Seger, Combining theorem proving and trajectory evaluation in an industrial environment, in: DAC '98: Proceedings of the 35th annual conference on Design automation, ACM, New York, NY, USA, 1998, pp. 538-541. doi:10.1145/277044.277189.
[4] Technical Publications and Training, Intel Corporation, Forte/fl user guide, 2003rd Edition.
[5] C.-T. Chou, The mathematical foundation for symbolic trajectory evaluation, in: CAV '99: Proceedings of the 11th International Conference on Computer Aided Verification, Springer-Verlag, London, UK, 1999, pp. 196-207.
[6] Altera Corporation, Quartus II quick start guide, http://www.altera.com/literature/manual/mnl_qts_quick_start.pdf.
[7] J.-W. Roorda, K. Claessen, Explaining symbolic trajectory evaluation by giving it a faithful semantics, in: D. Grigoriev, J. Harrison, E. A. Hirsch (Eds.), Computer Science - Theory and Applications, First International Computer Science Symposium in Russia, CSR 2006, St. Petersburg, Russia, June 8-12, 2006, Proceedings, Vol. 3967 of Lecture Notes in Computer Science, Springer, 2006, pp. 555-566.
[8] J.-W. Roorda, Symbolic trajectory evaluation using a satisfiability solver, Ph.D. thesis, Department of Computer Science and Engineering, Chalmers University of Technology and Göteborg University (2005).
[9] A. Darbari, Symmetry reduction for STE model checking, in: FMCAD, IEEE Computer Society, 2006, pp. 97-105.
[10] T. Nipkow, L. C. Paulson, M. Wenzel, Isabelle/HOL - a proof assistant for higher-order logic, LNCS 2283, Springer, 2002.
[11] Y. Li, Formalization of symbolic trajectory semantics, http://lcs.ios.ac.cn/~lyj238/steSymmetry.html (2009).
[12] M. J. C. Gordon, Why higher-order logic is a good formalism for specifying and verifying hardware, in: G. Milne, P. Subrahmanyam (Eds.), Formal Aspects of VLSI Design, Elsevier Science Publishers, 1986.
[13] T. F. Melham, Formalizing abstraction mechanisms for hardware verification in higher order logic, Ph.D. thesis, University of Cambridge (August 1989).
[14] T. Melham, Higher order logic and hardware verification, Vol. 31 of Cambridge Tracts in Theoretical Computer Science, Cambridge University Press, 1993. URL http://www.comlab.ox.ac.uk/tom.melham/pub/Melham-1993-HOL.html
[15] M. Aagaard, T. F. Melham, J. W. O'Leary, Xs are for trajectory evaluation, booleans are for theorem proving, in: CHARME '99: Proceedings of the 10th IFIP WG 10.5 Advanced Research Working Conference on Correct Hardware Design and Verification Methods, Springer-Verlag, London, UK, 1999, pp. 202-218.
[16] A. Darbari, Formalization and execution of STE in HOL (extended version), Tech. Rep. RR-03-17, Oxford University Computing Laboratory (March 2003).
[17] A. Darbari, Symmetry reduction for STE model checking using structured models, Ph.D. thesis, University of Oxford (2006).
[18] M. Sheeran, $\mu \mathrm{FP}$, a language for VLSI design, in: LISP and Functional Programming, 1984, pp. 104-112.
[19] J. T. O'Donnell, Hydra: Hardware description in a functional language using recursion equations and high order combining forms, in: G. J. Milner (Ed.), The Fusion of Hardware Design and Verification, North-Holland, 1988, pp. 309-328.
[20] J. T. O'Donnell, Generating netlists from executable circuit specifications, in: J. Launchbury, P. M. Sansom (Eds.), Functional Programming, Workshops in Computing, Springer, 1992, pp. 178-194.
[21] P. Bjesse, K. Claessen, M. Sheeran, S. Singh, Lava: hardware design in Haskell, in: ICFP, 1998, pp. 174-184.
[22] J. Grundy, T. Melham, J. O'Leary, A reflective functional language for hardware design and theorem proving, Journal of Functional Programming 16 (2) (2006) 157-196. doi:10.1017/S0956796805005757. URL http://www.comlab.ox.ac.uk/tom.melham/pub/Grundy-2006-RFL.pdf
[23] T. Nipkow, Winskel is (almost) right: Towards a mechanized semantics textbook, in: Proceedings of the 16th Conference on Foundations of Software Technology and Theoretical Computer Science, Springer-Verlag, London, UK, 1996, pp. 180-192.
[24] T. Nipkow, L. C. Paulson, Proof pearl: defining functions over finite sets, in: J. Hurd (Ed.), Theorem Proving in Higher Order Logics (TPHOLs 2005), Vol. 3603 of LNCS, Springer, 2005, pp. 385-396.
[25] G. Winskel, Formal semantics of programming languages, MIT Press, Cambridge, Massachusetts, 1993.
[26] L. C. Paulson, ML for the working programmer, University of Cambridge Press, 1996.
[27] University of California, Berkeley, Berkeley logic interchange format (BLIF), http://www.cs.uic.edu/~jlillis/courses/cs594/spring05/ blif.pdf (February 22 2005).
[28] M. Pandey, R. Raimi, R. E. Bryant, M. S. Abadir, Formal verification of content addressable memories using symbolic trajectory evaluation, in: DAC '97: Proceedings of the 34th annual Design Automation Conference, ACM, New York, NY, USA, 1997, pp. 167-172. doi:10.1145/266021.266056.

## A. Isabelle Notations

We briefly present some Isabelle notations and commands used in this work. For more details, we refer to [10].

Types. There are basic types such as bool, the type of truth values True and False, and nat, the type of natural numbers. The standard boolean operators $\wedge$, $\vee$ and $\rightarrow$ are defined as usual. Function types are denoted by $\Rightarrow$, and product types by $\times$. Types can also be built with type constructors such as list and set. For instance, nat list is the type of lists whose members are natural numbers.

Terms. The forms of terms used in this paper are rather simple. A term is either a constant or variable identifier, or a function application such as $f\ t$, where $f$ is a function of type $\tau_1 \Rightarrow \tau_2$ and $t$ is a term of type $\tau_1$.

Introducing new types. There are three kinds of commands for introducing new types. typedecl name introduces a new "opaque" type name without a definition; types name $= \tau$ introduces an abbreviation name for the type $\tau$; the datatype command introduces a recursive data type. A general datatype definition is of the form

$$
\text{datatype } (\alpha_1, \ldots, \alpha_n)\ t = C_1\ \tau_{11} \ldots \tau_{1k_1} \mid \ldots \mid C_m\ \tau_{m1} \ldots \tau_{mk_m}
$$

where the $\alpha_i$ are distinct type variables (the parameters), the $C_i$ are distinct constructor names and the $\tau_{ij}$ are types. Note that $n$ can be 0, i.e., a datatype declaration may have no type parameters.

Definition commands. consts command declares a function's name and type. defs gives the definition of a declared function. constdefs combines the effect of consts and defs. For instance, the following commands define a square function on nat.

Combining the consts and inductive commands, we can give an inductive definition of a set. An inductively defined set $S$ typically has the following form:

$$
\begin{aligned}
& \text{consts } S :: \tau\ \text{set} \\
& \text{inductive } S \\
& \text{intros} \\
& \quad rule_1: \llbracket a_{11} \in S; \ldots; a_{1k_1} \in S; A_{11}; \ldots; A_{1i_1} \rrbracket \Longrightarrow a_1 \in S \\
& \quad \ldots \\
& \quad rule_n: \llbracket a_{n1} \in S; \ldots; a_{nk_n} \in S; A_{n1}; \ldots; A_{ni_n} \rrbracket \Longrightarrow a_n \in S
\end{aligned}
$$

Lemmas. Lemmas are presented by the notation $\llbracket A_{1} ; A_{2} ; \ldots ; A_{n} \rrbracket \Longrightarrow B$, which means that with assumptions $A_{1}, \ldots, A_{n}$, we can derive a conclusion $B$.

## B. Other Laws

In this part, we introduce some other laws which are used in our work. Many of these laws have been introduced in previous STE work. They are general in the sense that they are independent in the structure of a netlist.

The first one is the Reflexivity rule.
Lemma 43 (steRefl).

$$
\text { cktSat } n l(A \leadsto A)
$$

Next is the transitivity rule. It allows us to combine together STE assertions in a transitive way.

Lemma 44 (steTrans).

$$
\llbracket \text{cktSat } nl\ (A \leadsto B);\ \text{cktSat } nl\ (B \leadsto C) \rrbracket \Longrightarrow \text{cktSat } nl\ (A \leadsto C)
$$

The next rule, steConjI, splits the consequent of an STE assertion into individual conjuncts, which can be verified separately.

Lemma 45 (steConjI).

$$
\llbracket \text{cktSat } nl\ (A \leadsto B);\ \text{cktSat } nl\ (A \leadsto C) \rrbracket \Longrightarrow \text{cktSat } nl\ (A \leadsto B\ \text{and}_{\mathrm{T}}\ C)
$$
Rule steImpI takes the boolean guard $g$ out of the consequent of an STE assertion and turns it into a boolean assumption.

Lemma 46 (steImpI).

$$
\llbracket g \Longrightarrow \text{cktSat } nl\ (A \leadsto C) \rrbracket \Longrightarrow \text{cktSat } nl\ (A \leadsto g \longrightarrow_{\mathrm{T}} C)
$$

Rule steEnStrenAnt says that if defSqOfTrForm $A' \sqsubseteq_{sq}$ defSqOfTrForm $A$, then the assertion $A' \leadsto B$ implies $A \leadsto B$, because the antecedent $A$ is stronger than $A'$.

Lemma 47 (steEnStrenAnt).
$\llbracket c k t S a t \operatorname{nl}\left(A^{\prime} \leadsto B\right)$; defSqOfTrForm $A^{\prime} \sqsubseteq_{s q}$ defSqOfTrForm $A \rrbracket \Longrightarrow$ cktSat $n l(A \leadsto B)$
Rule steWeakenCons says that if defSqOfTrForm $B \sqsubseteq_{sq}$ defSqOfTrForm $B'$, then the assertion $A \leadsto B'$ implies $A \leadsto B$, because the consequent $B$ is weaker than $B'$.

Lemma 48 (steWeakenCons).
$\llbracket c k t S a t n l\left(A \leadsto B^{\prime}\right)$; defSqOfTrForm $B \sqsubseteq_{s q}$ defSqOfTrForm $B^{\prime} \rrbracket \Longrightarrow \mathrm{cktSat} n l(A \leadsto B)$
Lemma steAndComm and steAndAssoc say that operator $\operatorname{and}_{\mathrm{T}}$ satisfies commutative and associative laws.

Lemma 49 (steAndComm). defSqOfTrForm $\left(A \operatorname{and}_{\mathrm{T}} B\right)=\operatorname{defSqOfTrForm}\left(B \operatorname{and}_{\mathrm{T}} A\right)$
Lemma 50 (steAndAssoc). defSqOfTrForm $\left(\left(A \operatorname{and}_{\mathrm{T}} B\right)\right.$ and $\left._{\mathrm{T}} C\right)=$ defSqOfTrForm $\left(A \operatorname{and}_{T}\left(B\right.\right.$ and $\left.\left._{T} C\right)\right)$

A conjunct (False $\longrightarrow_{\mathrm{T}} B$) can be safely eliminated from a trajectory formula.
Lemma 51 (elimFalseGuard). defSqOfTrForm $\left(A \operatorname{and}_{\mathrm{T}}\left(\right.\right.$ False $\left.\left.\longrightarrow{ }_{\mathrm{T}} B\right)\right)=$ defSqOfTrForm A

A trajectory formula $\operatorname{True} \longrightarrow_{\mathrm{T}} A$ is equivalent to $A$.
Lemma 52 (simpTrueGuard). defSqOfTrForm $\left(\text{True} \longrightarrow_{\mathrm{T}} A\right) = \text{defSqOfTrForm } A$

chaos is the unit of the operator $\text{and}_{\mathrm{T}}$.

Lemma 53 (andChaosId). defSqOfTrForm $\left(A\ \text{and}_{\mathrm{T}}\ \text{chaos}\right) = \text{defSqOfTrForm } A$

defSqOfTrForm is a congruence for the operator $\text{and}_{\mathrm{T}}$.

Lemma 54 (steAndCong). defSqOfTrForm $\left(A \operatorname{and}_{T} B\right)=$ defSqOfTrForm $\left(A \operatorname{and}_{\mathrm{T}} B^{\prime}\right)$ if defSqOfTrForm $B=$ defSqOfTrForm $B^{\prime}$.


[^0]:    * Corresponding author

    Email addresses: lyj238@ios.ac.cn (Yongjian Li), william_hung@alumni.utexas.net (William N. N. Hung), song@ece.pdx.edu (Xiaoyu Song)
    ${ }^{1}$ The first author is supported by grants (No. 60833001, 60496321, 60421001) from National Natural Science Foundation of China.

[^1]:    ${ }^{2}$ Here we use the subscript 4 to distinguish the x-symbols of these operators from their counterparts in the boolean domain.

