Trace theory for automatic hierarchical verification of speed-independent circuits

A theory of automatic hierarchical verification of speed-independent circuits is developed and implemented. The theory models circuits as trace structures. Trace structures represent the behaviors of circuits as sets of traces, which are sequences of transitions on the circuit's input and output wires. Trace structures form a compositional semantics for circuits: two trace structures can be composed to model connecting the corresponding circuits and transitions can be hidden to model unobservable internal wires. Trace structures express requirements on the behavior of the environment in addition to describing the behavior of a circuit. It is noted that, for composition to work properly, a trace structure must model all possible actions of the environment. This property, called receptiveness, is precisely characterized. Trace structures can also be used as specifications. If one trace structure can be safely substituted for another in all contexts, the first is an implementation of the second. This relationship can be tested by using a decision procedure based on finding the most demanding environment with which a trace structure can be composed. The use of a single formalism for descriptions and specifications greatly simplifies the theory. More importantly, the resulting verification methodology is naturally hierarchical, because specifications at one level of abstraction can be used as descriptions at higher levels of abstraction. Two distinct theories are proposed: prefix-closed trace structures, which can model and specify safety properties, and complete trace structures, which can also deal with liveness and fairness properties. The theory of prefix-closed trace structures has been implemented in an interactive program which has verified and detected bugs in published circuit designs. Complete trace structures are based on regular languages of infinite sequences. The definitions and results pertaining to complete trace structures are very similar to those for prefix-closed trace structures. It is relatively difficult to define and test receptiveness for complete trace structures. The definition of this property is presented in terms of infinite two-player games. The problem of receptiveness is proved to be decidable, by reduction to Church's solvability problem.