## Models and logic of MOS circuits

by
Glynn Winskel
University of Cambridge,
Computer Laboratory,
Corn Exchange Street,
Cambridge CB2 3QG.

### Abstract

Various models of hardware have been proposed though virtually all of them do not model circuits adequately enough to support and provide a formal basis for many of the informal arguments used by designers of MOS circuits. Such arguments use rather crude discrete notions of strength—designers cannot be too finicky about precise resistances and capacitances when building a chip—as well as subtle derived notions of information flow between points in the circuit. One model, that of R.E.Bryant, tackles such issues in reasonable generality and has been used as the basis of several hardware simulators. However Bryant's model is not compositional. These lectures introduce Bryant's ideas and present a compositional model for the behaviour of MOS circuits when the input is steady, show how this leads to a logic, and indicate the difficulties in providing a full and accurate treatment for circuits with changing inputs.

#### 0. Introduction.

There are some tricky issues in the verification of hardware. We all know that verification of any device can only be done in terms of a model for its behaviour. However it is very easy to forget that verification depends crucially on the accuracy of the model. The verification of hardware has been very successful when the model assumes there are basic trusted functional devices out of which all other devices are built (see e.g. [Gor1, She, Mos] and the classical work on implementing Boolean functions). The mathematics of functions and functional programs is well-understood so it makes good sense to translate hardware into functions; they can be reasoned about or even run as functional programs to simulate the behaviour of the hardware. Fortunately this kind of model is often appropriate and proofs of properties of hardware amount to large but essentially trivial manipulations of expressions for functions or relations. Sometimes, however, the physical nature of the device intrudes. Designers, generally indifferent to slick proofs of correctness, use their knowledge of the physics of devices to improve performance or layout. Designers in metal oxide semiconductor (MOS) technology can use a variety of techniques. They exploit bidirectionality and the fact that signals do not have uniform strengths to improve their designs. Most approaches model such designs in an ad hoc way; directionality is often imposed, rather than derived, and effects due to signal strength are fudged. In what sense can a verification, based on such a model be trusted? After all directions can only be assigned correctly when the circuit behaviour is understood thoroughly and an incorrect assignment can easily lead to an incorrect prediction about the circuit's behaviour. As a last resort there are the precise models of physics but, even aside from whether these are tractable or not, they are often far too detailed. A designer cannot be finicky about the precise resistance or capacitance to be realised in a VLSI chip; designs should be fairly robust in order to tolerate variations in manufacture. There is a need for a model and proof system for circuits which while close to the logical behaviour of hardware devices also captures the effects used by designers.

In these lectures we shall look at the most striking problems with many of the models in use and attempt to remedy their faults. In addressing these problems we shall make use of the ideas in R.E.Bryant's model of MOS circuits. Bryant's ideas have been developed chiefly with the aim of accurate simulation in mind and they are not directly suitable as a basis for a proof system for circuits. We shall work towards achieving this. Firstly, we illustrate some of the problems that arise in other approaches to modelling circuits.

### 1. Relational models and their problems.

Modelling circuits as functions can often impose an unnatural directionality and lead to inaccurate models which predict the wrong behaviour. Instead we might try to model circuits as some form of relation. This is the course followed in [Gor] and less explicitly in [Mos]. It should be mentioned that although we base our criticism on the work [Gor] this is largely because it is there the problems are shown-up clearly, in their basic form. Essentially the same difficulties arise in the treatments [Mos, Mi]. Incidentally, all the approaches [Gor, Mi, Mos, Sh] seem to cope well at higher levels of abstraction.

#### Consider a CMOS inverter:



The effect of the inverter is to output at  $\beta$  the inverse of the value input at  $\gamma$ . We illustrate for this simple example how one expresses and argues in the framework of [Gor2,3] that the circuit drawn meets this specification.

The circuit is built out of two kinds of transistors. A p-type transistor  $ptran(\alpha, \beta, \gamma)$ , generally drawn as

is a device which, when the voltage value at the gate is low, i.e.  $V\gamma = L$ , connects  $\alpha$  and  $\beta$ , so  $V\alpha = V\beta$ . When the value at  $\gamma$  is high,  $V\gamma = H$ , the points  $\alpha$  and  $\beta$  are disconnected so we cannot say what the relation is between  $\alpha$  and  $\beta$ —it all depends

on what they are connected to. The other kind of transistor, an n-type transistor  $ntran(\beta, \delta, \gamma)$ , drawn

behaves in a converse fashion; when  $V\gamma=H$ ,  $\beta$  and  $\delta$  are connected and  $V\beta=V\delta$ , and when  $V\gamma=L$  they are disconnected. In approaches like [Gor2,3, Mos] a circuit (and hardware in general) is modelled by a relation between values at the significant points of the circuit. This is expressed as an assertion. So in the work [Gor2,3] the assertions associated with the two transistors are

$$ptran(\alpha, \beta, \gamma) \equiv (V\gamma = L \rightarrow V\alpha = V\beta),$$
  
 $ntran(\beta, \delta, \gamma) \equiv (V\gamma = H \rightarrow V\beta = V\delta).$ 

(We use  $\equiv$  to mean definitional equality; the left-hand side stands for the right-hand side.)

Two kinds of sources are used in the CMOS inverter. Power connected at  $\alpha$  is regarded as maintaining the voltage value as high at  $\alpha$  and ground (or earth) at  $\delta$  maintains the value at low. The corresponding assertions are:

Pow 
$$\alpha \equiv (V \alpha = H)$$
,  
Gnd  $\delta \equiv (V \delta = L)$ .

So each component is described by an assertion about values at the points with which it is associated. Their composition, got by joining points in common, meets all the relations of the components, and so satisfies the conjunction:

$$ptran(\alpha, \beta, \gamma) \wedge ntran(\beta, \delta, \gamma) \wedge Pow \alpha \wedge Gnd \delta$$

For the inverter we wish to hide the points  $\alpha$  and  $\delta$  from the environment. This is achieved by existential quantification to give the following assertion for the CMOS inverter:

$$\operatorname{Inv}(\gamma,\beta) \equiv \exists V \alpha \exists V \delta. \ \operatorname{ptran}(\alpha,\beta,\gamma) \wedge \operatorname{ntran}(\beta,\delta,\gamma) \wedge \operatorname{Pow} \alpha \wedge \operatorname{Gnd} \delta$$

The CMOS inverter is intended to implement the specification:

$$\operatorname{Spec}(\gamma,\beta) \equiv (V\gamma = H \to V\beta = L) \land (V\gamma = L \to V\beta = H)$$

A simple proof using well-known rules of logic shows

$$\operatorname{Inv}(\gamma,\beta) \to \operatorname{Spec}(\gamma,\beta).$$

We can prove the assertion  $\operatorname{Inv}(\gamma,\beta)$  implies  $\operatorname{Spec}(\gamma,\beta)$ . In this sense we can prove  $\operatorname{Inv}(\gamma,\beta)$  implements  $\operatorname{Spec}(\gamma,\beta)$ . To recap: We have described the behaviour of circuits by assertions, their composition by conjunction, hiding of points by existential quantification and taken implementation as implication between the assertions for the circuit and its specification.

This general scheme can be followed equally well for dynamically changing circuits subject to voltages which change over time [Gor2, 3]. The only change is to model a

circuit as a relation between histories of voltage values at the points of interest (histories are functions from time  $0, 1, \dots, t, \dots$  to  $\{H, L\}$ ) taking e.g. the assertion for a p-type transistor to be

$$ptran(\alpha, \beta, \gamma) \equiv \forall t. \ V(\gamma, t) = L \rightarrow V(\alpha, t) = V(\beta, t).$$

The approach is noteworthy because it does not impose an unrealistic directionality on devices as would for example be forced in the approach [Sh] were it to tackle such low-level circuits. The model and logic are also compositional; one can reason about the behaviour of circuits in terms of the behaviour of their components. A similar scheme is followed in [Mos], but there assertions in a temporal logic are used instead.

Unfortunately, there is a major deficiency in this approach—natural and useful as it is in many examples. According to this scheme a "short circuit" implements any specification! A short circuit, achieved most simply, by joining power and ground together at a point  $\alpha$  is described by the assertion

Pow 
$$\alpha \wedge Gnd \alpha$$

But  $Pow \ \alpha \land Gnd \ \alpha$  is equivalent to  $V\alpha = H \land V\alpha = L$ , and because H and L are assumed unequal, this is equivalent to ff, the logical value false. Thus  $Pow \ \alpha \land Gnd \ \alpha$ , like ff, implies every assertion and so "implements" any specification whatsoever.

Several ways have been suggested to get around this undesirable situation. Sticking with the above method of modelling circuits by assertions, the only course is to use some other notion of implementation. In some contexts it appears reasonable to say a circuit implements a specification if the associated assertions are equivalent (see [Gor2]). But following that line would, in general, lead to unnecessarily detailed specifications. Another suggestion, discussed in [CGM], is to say a circuit circ( $\iota$ , o) with input values  $V\iota$  and output values Vo, correctly implements a specification spec( $\iota$ , o) iff

$$(\forall V\iota,\ Vo.\ \mathrm{circ}(\iota,o) o \mathrm{spec}(\iota,o))\ \wedge (\forall V\iota\exists Vo.\ \mathrm{circ}(\iota,o)).$$

A circuit meeting such a requirement cannot be equivalent to ff for any particular input value. But this solution depends on having clearly defined input and output points. It is hard to see, if this were so at every stage in constructing a design, how the method of construction could allow short-circuits to be formed, and any method which bans short-circuits outright is too restrictive to provide a general model. Another possibility, suggested in [F], is to use the power of higher order logic and make specifications of higher type than circuit behaviours. This proposal has promise but has not yet led a calculus for reasoning about circuits. Most significant of all, each of these suggestions fails to face the fact that voltage values other than high and low can appear in designs, often quite innocently, without trivialising their behaviour.

We look for a model of circuits which can handle voltage values other than just high and low, and in particular treat short circuits. When a source of power and ground are connected together they give rise to a voltage which has an indeterminate effect when applied to the gates of transistors. We can take a voltage to have value X when it lies

in a region between those corresponding to H and L. Similarly we can take a voltage at a point to have a value  $\emptyset$  when the point is not connected to any significant sources of charge. It will be useful to order the values  $H, L, X, \emptyset$  as



(Note this order is not directly related to the underlying order on voltages, measured as reals.) A point connected just to power takes the value H, just to ground the value L, to both the value X and to no sources the value  $\emptyset$ . Can our earlier ideas be adapted to cope with these extra values? For the composition of assertions to be conjunction we now require

Pow 
$$\alpha \equiv V \alpha \geq H$$
,  
Gnd  $\alpha \equiv V \alpha \geq L$ .

In this way we allow for the effect of the environment on the value at  $\alpha$ . Then the conjunction  $Pow \ \alpha \land Gnd \ \alpha$  is equivalent to  $V\alpha = X$ , as required, and not to ff. Unfortunately hiding can no longer be treated as simple  $\exists$ -quantification. For example, connecting and hiding a power source to the gate  $\gamma$  of an n-type transistor  $ntran(\alpha, \beta, \gamma)$  should yield a circuit equivalent in behaviour to a wire between  $\alpha$  and  $\beta$ . However  $ntran(\alpha, \beta, \gamma)$  is still described by

$$ntran(\beta, \delta, \gamma) \equiv (V\gamma = H \rightarrow V\beta = V\delta),$$

for the same reasons as before, so using \(\exists \)-quantification to hide we obtain

$$\exists V \gamma. \ Pow \ \gamma \wedge ntran(\alpha, \beta, \gamma)$$

which is

$$\exists V \gamma. \ V \gamma \geq H \ \land \ (V \gamma = H \ 
ightarrow V \alpha = V \beta).$$

This does not imply  $V\alpha = V\beta$ , the assertion we would like, because of the possibility that  $V\gamma = X$ .

The above example might suggest that when we hide a node the value associated with the node should be the least possible—to rule out the possibility that  $V\gamma=X$  in the example above. However, there are examples where this does not work. Consider hiding  $\gamma$  in the following circuit:



It is unclear whether we should hide  $\gamma$  with  $V\gamma$  taking the value H, L, X or  $\emptyset$ —all are possible.

One way to manage the new value X and still treat hiding by  $\exists$ -quantification is to impose enough directionality on devices so they can be modelled as functions. Again, this suffers the drawback of leading to an unrealistic model. There is no easy fix without complicating the relational model. We need somehow to express the fact that the values associated with a hidden point are precisely those which are maintained by connections to sources. We shall address this problem and the related one of providing a model which deals correctly with signal strengths.

### 2. Signal strengths.

In NMOS technology p-type transitors are not available so inverters are constructed in a different way. An NMOS inverter has the following design



The design uses a strong resistance

$$\beta$$
- $\checkmark$ 

connected to power. In NMOS this is implemented as a pull-up transistor. The behaviour of the inverter is remarkably subtle for its size (see [MC, MD]). In those environments where the point  $\beta$  is not connected to any other sources, the inverse of the value  $V\gamma$ , input at  $\gamma$ , is output as  $V\beta$  at  $\beta$ , so as a makeshift description of its behaviour we can take:

$$V\gamma = L \rightarrow V\beta = H \wedge V\gamma = H \rightarrow V\beta = L.$$

Later in section 4, after we have given the semantics of circuits and enriched the class of assertions, we can provide a complete description of its behaviour and, in particular, see what value  $V\beta$  takes for input  $V\gamma = X$ . The informal English description of how the inverter works is sometimes given as follows:

When  $\gamma$  is low the *n*-type transistor disconnects so the only voltage contribution to  $\beta$  is from the power source so  $\beta$  is high.

When  $\gamma$  is high the transistor connects so there is a voltage contribution of low from ground and a voltage contribution of high from power, weakened however by the large resistor, so the contribution from ground dominates and the net effect is to make  $\beta$  low.

Though this argument is perhaps not convincing at first, it can be justified by a simple application of Ohm's law. Suppose  $\gamma$  is high. Then  $\alpha$  and  $\beta$  are connected with a very small resistance r relative to the large resistance R between  $\beta$  and  $\delta$ . Let  $v_{\alpha}, v_{\beta}, v_{\delta}$  be the voltage values (real numbers) at the corresponding points. By Ohm's law we see

$$rac{v_{eta}-v_{lpha}}{v_{\delta}-v_{eta}}=rac{Ir}{IR}=rac{r}{R}$$

which we have assumed is very small. Because  $v_{\alpha}$  is safely inside the half-open interval qualifying as high, taking R large enough ensures  $v_{\beta}$  is high too.

It is often convenient to use the inverse notion of conductance instead of resistance. In the literature (e.g. [B, Hay]), sources are pictured as transmitting signals to points of a circuit. The signals not only have a value— $H, L, X, \emptyset$ —but also a strength depending on the conductance strength of the path along which the signal has travelled. These ideas generalise when signals from capacitance, another source of charge, are considered.

The NMOS inverter illustrates a principle used in circuit design:

A signal from power or ground via a strong conductance overrides a signal via a relatively weak conductance.

It is not unusual for designs to use three ranks of conductance strengths, a signal via a conductance in one rank is overridden by a signal via a conductance in a rank strictly above it.

Extra signal strengths arise from capacitance. A simple dynamic register takes the form



in which use is made of the high capacitance  $cap^{\alpha}$  at the node  $\alpha$ . The points  $\phi_1$  and  $\phi_2$  are connected to clocks which alternately send pulses of high and low voltage. They are out of phase as shown in the timing diagram below. If a signal, say from power, is present at a pulse of  $\phi_1$ , then the left transistor connects and the right transistor disconnects and whatever charge was stored at  $cap^{\alpha}$  is overridden by the current supplied from  $\iota$ . This assumes the clock pulse of  $\phi_1$  is long enough for the opposite charge stored in  $cap^{\alpha}$  to drain away. Then when  $\phi_1$  goes low both transistors are disconnecting and  $cap^{\alpha}$  stores a high voltage. This is delivered at o at the next rise of the clock  $\phi_2$ . Assuming node  $\alpha$  has a very high capacitance relative to o, the net effect is to produce a high voltage at o. This is illustrated in the timing diagram.



More succinctly we can describe the behaviour by

$$\forall t. \ V(o,t+1) = V(\iota,t)$$

where we take a discrete model of time with the high pulses of  $\phi_1$  and  $\phi_2$  corresponding to alternate numbers.

We used two principles to explain the behaviour of the dynamic register:

A signal from power or ground overrides a signal from a capacitance.

A signal from a large capacitance overrides a signal from a relatively weak capacitance.

A circuit design may involve a range of signal strengths which give a discrete measure of the current driving capability in the analogue circuit. The strength order is derived from a deliberately crude ranking of resistances and capacitances. Two resistances R and R' are assigned conductance strengths g, g' respectively, with g < g', if the ratio R/R' is very large. Then, arguing by Ohm's law, as we did before, if two resistances R and R' of strength g and g' are connected in series the resulting resistance R+R' should be assigned conductance strength  $g\cdot g'$ , the minimum of g and g'. This is because, for example, if R/R' is very large then so is (R+R')/R'. Connected in parallel their resulting resistance, RR'/(R+R'), should be assigned strength q+q', the maximum of g and g'. We would like to conclude that whenever we encounter a chain of resistances, of strengths  $g_1, g_2, \ldots, g_n$ , in series then we can regard it as equivalent to a single resistance of strength  $\Pi\{g_1,\ldots,g_n\}$ , the minimum strength along the chain. We cannot quite do this because "very large" is a vague concept; even though R/R' is very large R/nR' need not be. The point is that with respect to a particular design a very large number L can be chosen (to stand for "very large") so that the number of times resistances are placed in series or parallel in the design has no significant effect. Still, we should bear in mind that such problems can arise through our choosing to work with an abstract strength order, and that without care they can lead to inaccuracies in the model.

In a similar way capacitances are ranked in a total order of capacitance strengths. The signal stored by a capacitance of strength k is overridden by one from a capacitance of strength k' with k < k'. As we have observed, signals from sources override those due to capacitance so we arrive at the concept of a strength order as consisting of two finite sets  $K = \{k_1, \ldots, k_m\}$  and and  $G = \{g_1, \ldots, g_n\}$  in a total order

$$0 < k_1 < \cdots < k_m < q_1 < \cdots < q_n < \infty$$
.

We use 0, zero strength, to stand for a strength of a negligible signal, from zero capacitance or a non-conductance, and  $\infty$  to be the strength of a signal from a source via a perfect conductance. The restriction  $\mathbf{K} = (K \cup \{0\}, \leq)$ , is called the *capacitance order* and its elements are called *capacitance strengths*. The restriction  $\mathbf{G} = (G \cup \{0, \infty\}, \leq)$  is called the *conductance order*, with elements called *conductance strengths*. Often we shall write a strength order as  $\mathbf{S}$ , and sometimes, when we wish to emphasise the conductance and capacitance strengths as  $\mathbf{S}_{K,G}$ . We shall use  $s \cdot s'$  for the minimum and

s+s' for the maximum of two strengths s and s'. We can write the minimum of a set of strengths A as  $\Pi A$  and their maximum as  $\Sigma A$ .

Recall the lattice of values:



The value  $\emptyset$  is associated with points which are at 0 strength so they are not connected to any significant sources of current or charge. Sometimes it is said that such points "float" because they adopt, or float to, the value of whatever they are connected to. We can call the  $\emptyset$  value floating, though sometimes we use it in contexts where the intuition suggesting this name is not appropriate. Values now form a finite lattice. We use U + U' for the join (or least upper bound) of two values  $U, U', U \cdot U'$  for their meet, and  $\Sigma A$ , and  $\Pi A$ , for the join, respectively meet, of a set of values A. (Our notation is thus consistent with that for the strength order considered as a lattice.)

Consider how signals are transmitted through a resistance between  $\alpha$  and  $\beta$  of strength g. Suppose a signal of strength g', a conductance strength, and value  $V \in \{H, L\}$  is applied to one end  $\alpha$  of the resistance. By our earlier observation concerning resistances in series, the resulting signal at  $\beta$  has strength  $g \cdot g'$  and value V.

If instead a signal of strength k, a capacitance strength, and value V is applied at  $\alpha$ , assuming the resistance has negligible capacitance, the resulting signal at  $\beta$  is the same, with strength still k and value V.

In both situations a signal of strength s and value V, applied at  $\alpha$  gives rise to a signal of strength  $s \cdot g$  and value V at  $\beta$ . A signal of strength s > g is cut-down to a signal of strength g while a signal of strength g is unchanged.

Notice that these assumptions are dependent on connections lasting long enough for the charges in capacitances to reach stable levels. We shall have cause to examine this assumption more carefully later in the conclusion.

We have said that directionality in circuits should be derived rather than imposed. Where is this directionality to come from? It comes from the effects of resistance. Consider a resistance of conductance strength g between points  $\alpha$  and  $\beta$  in some environment in which the strength of the signal at  $\alpha$  is  $S\alpha$  and that at  $\beta$  is  $S\beta$ . Assume too

that the associated values are  $V\alpha$  and  $V\beta$  in  $\{H, L, X, \emptyset\}$ . We know from the behaviour of resistances, considering the transmission of signals from  $\alpha$  to  $\beta$  that

$$S\alpha \cdot g \leq S\beta$$

(and similarly that  $S\beta \cdot g \leq S\alpha$ ).

In the case when  $S\alpha \cdot g < S\beta$  the signal from  $\alpha$  is overridden and so has no effect on that at  $\beta$ . On the other hand, if  $S\alpha \cdot g = S\beta$  then the signal from  $\alpha$  is not overridden and has an effect on that at  $\beta$ . Values "flow" from  $\alpha$  to  $\beta$  and so  $V\alpha \leq V\beta$ . In particular if  $V\alpha = H$  then  $V\beta = H$ , or X if  $\beta$  happens also to be connected to ground. There is a connection, possibly one-way, between  $\alpha$  and  $\beta$ , and we can write this suggestively as  $\alpha \rightsquigarrow \beta$ . We have  $\beta \rightsquigarrow \alpha$  as well only if  $S\beta \cdot g = S\alpha$ . It is easy to check that elements of this "flow relation" compose, so if  $\alpha \rightsquigarrow \beta$  and  $\beta \rightsquigarrow \gamma$  then  $\alpha \rightsquigarrow \gamma$ . For this more general understanding of the flow relation we still have

$$\alpha \rightsquigarrow \beta \rightarrow V\alpha \leq V\beta$$
.

It is helpful to think of the strength function S as giving a "height" of each point, and indeed

$$\alpha \rightsquigarrow \beta \rightarrow S\beta < S\alpha$$

so flow is never "uphill". This understanding accounts for the following assignment of flows, strengths and values:



It is the flow relation, rather than the graph of conductances, which plays the central control in analysing the behaviour of circuits.

This exposition has been based largely on Bryant's work (see [B]). The paper [Hay] deals with similar ideas but the model it presents seems only to apply in situations where the components can be understood as functions with definite input and output ports. Our "flow relation" corresponds to Bryant's idea of "unblocked path" in a steady state. Note our subsequent presentation will be markedly different than Bryant's. This is because we shall develop a compositional model, one on which we can base a proof system structured by the way circuits are built-up.

# 3. States of circuits—static configurations.

Assume a particular strength order  $S = S_{K,G}$ .

We explain the intuition behind the definition of static configuration. Imagine a circuit connected to some environment via points  $\Lambda$ . Assume that in this environment the circuit has settled into a steady state. The definition of static configuration is intended to formalise this notion, picking out those features essential for the compositional account of circuit behaviour that follows. Note here we ignore the possibility that a circuit may never settle into a steady state in an environment. This model of circuits can be seen as analogous to those models of programs which only capture their partial correctness.

In a static configuration each point of a circuit is associated with a signal with a certain strength and value. So each point  $\alpha$  is associated with with a strength  $S\alpha \in \mathbf{S}$  and a resultant value  $V\alpha \in \mathbf{V}$ . Some of this signal may be contributed by sources inside the circuit; the internal contribution at  $\alpha$  can be recorded by a value  $I\alpha \in \mathbf{V}$ .

Of course points are connected to each other according to the state of transistors and the connections have certain conductance strengths. This gives rise to a flow relation  $\rightarrow$  between points, though in the rather indirect way we saw in the last section. It is this relation, derived from the more basic and detailed conductance relation between points, which plays the central role in our model of the behaviour of circuits. Intuitively, the relation  $\rightarrow$  captures the flow of information in a circuit; it expresses how the values of signals flow (or are transmitted) from points at high strength to points at lower or equal strength along flows of conductance.

### **3.1 Definition.** Let $\Lambda$ be a set of points. A static configuration of sort $\Lambda$ is a 4-tuple

$$\langle S, V, I, \leadsto \rangle$$

where

 $S: \Lambda \to \mathbf{S}$  (the strength function),

 $V: \Lambda \to \mathbf{V}$  (the value function),

 $I: \Lambda \to \mathbf{V}$  (the internal value function) and

 $\rightarrow$  is a reflexive, transitive relation on  $\Lambda$  (the flow relation),

which satisfy

- (i)  $\alpha \rightsquigarrow \beta \rightarrow S\alpha \geq S\beta$ ,
- (ii)  $\alpha \rightsquigarrow \beta \land S\alpha = S\beta \rightarrow \beta \rightsquigarrow \alpha$ ,
- (iii)  $\alpha \rightsquigarrow \beta \land S\beta \in K \rightarrow S\alpha = S\beta$ ,
- (iv)  $S\alpha = 0 \leftrightarrow V\alpha = \emptyset$ ,
- (v)  $I\alpha \leq V\alpha$ ,
- (vi)  $\alpha \rightsquigarrow \beta \rightarrow I\alpha < I\beta \land V\alpha < V\beta$ .

Write  $sort(\sigma)$  for the sort of a configuration  $\sigma$ . Write  $Sta_S[\Lambda]$  for the set of static configurations of sort  $\Lambda$ . We say a static configuration is *finite* when it has finite sort.

Property (i) says a signal cannot flow from a point at weaker strength to a point at stronger strength. Property (ii) expresses the fact that if  $\alpha \rightsquigarrow \beta$ , so information can

flow from  $\alpha$  to  $\beta$ , and  $\alpha$  and  $\beta$  are at the same strength then  $\beta \leadsto \alpha$ , so information can flow in the other direction too. To justify (ii) assume that  $\alpha \leadsto \beta$  and  $S\alpha = S\beta$ . Then, according to the last section,  $\alpha \leadsto \beta$  arises iff there is a conductance, of strength g say, between  $\alpha$  and  $\beta$  so that  $S\alpha \cdot g = S\beta$ . Hence  $S\beta \cdot g = S\alpha$  too making  $\beta \leadsto \alpha$ . Property (iii) states that if  $\alpha \leadsto \beta$  and  $S\beta$  is a capacitance strength then  $S\alpha$  is the same strength. This follows capacitance strengths are always ranked below those of conductance in the strength order. Assume  $\alpha \leadsto \beta$  and  $S\beta \in K$ . Then  $S\alpha \cdot g = S\beta$  for some conductance strength g for which  $S\beta \le g$ . This can only occur with  $S\alpha = S\beta$ . Property (iv) says a signal of no strength has no content and *vice versa*. Naturally the internal contribution cannot exceed the resultant value—property (v). The final property (vi) formalises the intention that  $\Longrightarrow$  should represent the direction in which information is transmitted through the circuit.

The strength and value functions are used later to specify when two static configurations can sensibly be linked together in parallel. It is necessary to keep track of the internal contribution to the value function and flow relation to give a satisfactory treatment of hiding. They determine when a point may be insulated from the environment without changing its resultant signal.

To make these somewhat abstract ideas a little clearer we present some static configurations of basic devices.

### 3.2 Example. A source:

A source  $Pow^{\alpha}$  supplies an internal contribution of strength  $\infty$  and value H to a point  $\alpha$  which may well receive a contribution of L from the environment to yield a resultant value  $V\alpha = X$ .

$$S\alpha = \infty \wedge V\alpha = X \wedge I\alpha = H$$

### 3.3 Example. A wire:

A resistance of perfect conductance  $res_{\infty}^{\alpha,\beta}$  can be regarded as a wire between  $\alpha$  and  $\beta$  in which signals flow unimpaired between the two points. There are no internal sources.

$$S\alpha = S\beta = s \land V\alpha = V\beta = U \land I\alpha = I\beta = \emptyset \land \alpha \Rightarrow \beta \land \beta \Rightarrow \alpha$$

### **3.4 Example.** A resistance:

A resistance of strength g contains no internal sources. If (in the environment) power and no other source is applied at  $\alpha$  and  $\beta$  is connected to ground via conductance g then the static configuration shown would result.

$$\alpha$$
 $\infty$ ,  $H$ ,  $\emptyset$ 
 $S\alpha = \infty \land S\beta = g \land$ 
 $V\alpha = H \land V\beta = X \land$ 
 $I\alpha = I\beta = \emptyset \land$ 
 $\alpha \Rightarrow \beta \land \neg \beta \Rightarrow \alpha$ 

## **3.5 Example.** A transistor:

If an *n*-type transistor  $ntran^{\alpha,\beta,\gamma}$  is placed in an environment in which positive charge is applied to the gate  $\gamma$  then  $\alpha$  and  $\beta$  are connected and behave like a wire.

$$S\alpha = k \wedge S\alpha = S\beta = s \wedge V$$

$$V\alpha = V\beta = U \wedge I$$

$$I\alpha = I\beta = I\gamma = \emptyset \wedge I$$

$$\alpha \Rightarrow \beta \wedge \beta \Rightarrow \alpha \wedge I$$

$$(\alpha \Rightarrow \gamma \vee \gamma \Rightarrow \alpha) \wedge \neg (\beta \Rightarrow \gamma \vee \gamma \Rightarrow \beta).$$

In a static configuration, two points  $\alpha$  and  $\beta$  may be both in the relation  $\alpha \rightsquigarrow \beta$  and  $\beta \rightsquigarrow \alpha$ . In this case the points  $\alpha$  and  $\beta$  receive the same signals both in value and strength. Sometimes neither  $\alpha \rightsquigarrow \beta$  nor  $\beta \rightsquigarrow \alpha$ —the two points are incomparable—with respect to the flow relation  $\rightsquigarrow$ . Intuitively this means that the signal at one point does not affect the signal at the other. We introduce notation to describe these circumstances.

**3.6 Definition.** Let  $\sigma = \langle S, V, I, \leadsto \rangle$  be a static configuration of sort  $\Lambda$ . For  $\alpha, \beta \in \Lambda$  define

$$\alpha \sim \beta \equiv \alpha \rightsquigarrow \beta \land \beta \rightsquigarrow \alpha$$
 $\alpha \parallel \beta \equiv \neg(\alpha \rightsquigarrow \beta) \land \neg(\beta \rightsquigarrow \alpha).$ 

In the special case where the effects of resistance are negligible there is only only one positive conductance strength  $\infty$ , corresponding to perfect conductance, the flow

relation  $\rightsquigarrow$  coincides with the equivalence relation  $\sim$ . The proof is a little exercise in using the axioms which define a static configuration.

**3.7 Proposition.** Assume there are only the two conductance strengths  $0 < \infty$ . Then for any static configuration  $\sigma$  the relation  $\rightarrow$  is symmetric and so an equivalence relation on points with  $x \sim y$  iff  $x \sim y$  for all points x, y of  $\sigma$ .

**Proof.** Suppose  $\alpha \rightsquigarrow \beta$ .

Assume  $S\beta = 0$ . Then  $S\alpha = 0$  by (iv) and (vi). Assume  $S\beta \in K$ . Then  $S\alpha = S\beta$  by (iii). Assume the remaining case that  $S\beta = \infty$ . Then  $S\alpha = \infty$  by (i). Therefore, as in all cases  $S\alpha = S\beta$ , we see  $\beta \rightsquigarrow \alpha$  by (ii).

Thus  $\alpha \rightsquigarrow \beta$  implies  $\beta \rightsquigarrow \alpha$ , making  $\rightsquigarrow$  symmetric. By definition  $\rightsquigarrow$  is reflexive and transitive, so  $\rightsquigarrow$  is an equivalence relation. Hence the relations  $\rightsquigarrow$  and  $\sim$  are equal.

Proposition 3.7 may increase our level of confidence in the axioms proposed for a static configuration. Still there are sufficiently many axioms, and the idea of static configuration sufficiently complicated, to raise the question of their completeness. We have used arguments from physics for the soundness of the axioms. To show completeness we need an argument showing that there are no properties shared by all static configurations of real (or buildable) circuits which do not follow from those written down in the definition? Afterall, axiom (ii) does not spring to mind immediately from idea of static configuration or the examples we have considered. Later in proposition 4.4 we shall show that every structure  $\langle S, V, I, \rightsquigarrow \rangle$  on a finite set of points which satisfies all the axioms of 3.1 can be realised as the static configuration of a circuit built-up from resistances and sources connected to those points. Then any property of structures  $\langle S, V, I, \rightsquigarrow \rangle$  which holds of all static configurations of circuits must also hold of all finite structures in 3.1.

We make the static configurations with sorts  $\Lambda$  a subset of some universe of points  $\Pi$  into a partial algebra with operations associated with composition and hiding.

**3.8 Notation.** Let L be a complete lattice ordered by  $\leq$  with binary join + and arbitrary join  $\Sigma$ . Let M and  $\Lambda$  be sets. Let  $f: M \to L$  and  $g: \Lambda \to L$  be functions to the lattice. We define their join  $f+g: M \cup \Lambda \to L$  by

$$(f+g)(x) = egin{cases} f(x) & ext{if } x \in M \setminus \Lambda \ g(x) & ext{if } x \in \Lambda \setminus M \ f(x) + g(x) & ext{if } x \in M \cap \Lambda. \end{cases}$$

for  $x \in M \cup \Lambda$ .

If  $f: M \to L$  we write  $f \lceil \Lambda$  for the restriction of f to the subset  $M \cap \Lambda$ . If R is a binary relation on M we write  $R \lceil \Lambda = R \cap (\Lambda \times \Lambda)$  for its restriction.

Let R be a binary relation on M. Let  $f: \Lambda \to L$  be a function from  $\Lambda \subseteq M$  to the lattice L. Define the application of relation R to f to be the function  $(R \cdot f): M \to L$  given by

$$(R \cdot f)(x) = \Sigma \{f(z) \mid z \in \Lambda \& (z, x) \in R\}.$$

We shall use this operation to transmit the values at a subset of points in a static configuration to other points in accord with the flow relation  $\rightarrow$ .

Assume  $\sigma_0$  is a static configuration of a circuit  $c_0$  and  $\sigma_1$  is a static configuration of a circuit  $c_1$ . When can  $\sigma_0$  and  $\sigma_1$  be composed to give a static configuration of  $c_0$  and  $c_1$ ? When their strengths and values agree at common points; only then do  $\sigma_0$  and  $\sigma_1$  make consistent assumptions about the environment. Then the resulting flow relation should be the transitive closure of the flow relations in the components and the internal contribution should be spread out accordingly.

**3.9 Definition.** Let  $\sigma_0 = \langle S_0, V_0, I_0, \leadsto_0 \rangle$  be a static configuration of sort  $\Lambda_0$  and  $\sigma_1 = \langle S_1, V_1, I_1, \leadsto_1 \rangle$  be a static configuration of sort  $\Lambda_1$ . Define their composition to be

$$\sigma_0 ullet \sigma_1 = \left\{ egin{array}{ll} \langle S, V, I, 
ightharpoonup 
angle & ext{if } S_0 \lceil \Lambda_1 = S_1 \lceil \Lambda_0 ext{ and } \ V_0 \lceil \Lambda_1 = V_1 \lceil \Lambda_0 \end{aligned} 
ight. \ ext{undefined} \qquad ext{otherwise} 
ight.$$

where

$$S = S_0 + S_1,$$
  
 $V = V_0 + V_1,$   
 $\Rightarrow = (\Rightarrow_0 \cup \Rightarrow_1)^*$  and  
 $I = \Rightarrow_- (I_0 + I_1).$ 

Suppose  $\sigma$  is a static configuration of a circuit c. When does  $\sigma$  restrict to a configuration of a circuit like c but in which all points but those in  $\Lambda$  are hidden? When all the points to be hidden have values (and strengths) which result from the combined effect of internal sources and the contribution from unhidden points  $\Lambda$ . More precisely when for all points  $\alpha$  to be hidden we have  $V\alpha = I\alpha + (\rightsquigarrow V \cap \Lambda)\alpha$ . Then the hiding of points not in  $\Lambda$  will make no difference.

**3.10 Definition.** Let  $\sigma = \langle S, V, I, \rightsquigarrow \rangle$  be a static configuration of sort M and  $\Lambda$  a set of points. Define the restriction of  $\sigma$  to  $\Lambda$  to be

$$\sigma \lceil \Lambda = \left\{ \begin{array}{ll} \langle S \lceil \Lambda, \ V \lceil \Lambda, \ I \lceil \Lambda, \leadsto \lceil \Lambda \rangle & \text{if } V = I + (\leadsto. \ V \lceil \Lambda) \\ \text{undefined} & \text{otherwise.} \end{array} \right.$$

**3.11 Notation.** We indicate  $\sigma_0 \bullet \sigma_1$  and  $\sigma \lceil \Lambda$  are defined by writing  $\sigma_0 \bullet \sigma_1 \downarrow$  and  $\sigma \lceil \Lambda \downarrow$ .

#### 4. The semantics of static circuits.

Assume the strength order is  $S = S_{K,G}$ . Also assume a countably infinite set of point names  $\Pi$ .

### 4.1 Definition. A little language for static circuits—circ.

The syntax of circ is given by:

$$c ::= Pow \ \alpha \mid Gnd \ \alpha \mid cap_{kU}\alpha \mid res_q(\alpha, \beta) \mid ntran(\alpha, \beta, \gamma) \mid ptran(\alpha, \beta, \gamma) \mid c \bullet c \mid c \lceil \Lambda \rceil$$

where  $k \in K$ ,  $\emptyset \neq U \in \mathbf{V}$ ,  $g \in G \cup \{\infty\}$  and  $\alpha, \beta, \gamma$  are distinct point names in  $\Pi$  and  $\Lambda \subseteq \Pi$ .

The constant terms  $Pow \ \alpha$  and  $Gnd \ \alpha$  stand for sources providing a signal of strength  $\infty$  at point  $\alpha$  with values H and L respectively. Another kind of source arises through charge storage, when the strength s is an element of K. A term  $cap_{kU}\alpha$  represents a capacitance of strength k, charged up with value U. The constant term  $res_g(\alpha,\beta)$  stands for a resistance connecting points  $\alpha$  and  $\beta$  with conductance  $g \in G$ . The constant  $ntran(\alpha,\beta,\gamma)$  stands for an n-type transistor with a gate  $\gamma$  which when it is high connects points  $\alpha$  and  $\beta$  with perfect conductance. The constant term  $ptran(\alpha,\beta,\gamma)$  stands for a p-type transistor with a gate  $\gamma$  which connects points  $\alpha$  and  $\beta$ , again with perfect conductance, when the gate  $\gamma$  is low. Of course, should the effect of resistance be significant we can insert a suitable resistance between  $\alpha$  and  $\beta$ .

We take the behaviour of a circuit in circ to be the set of possible static configurations it can settle into in some static environment. For compactness, in the following definition we assume that a static configuration  $\sigma$  is  $\langle S, V, I, \rightsquigarrow \rangle$ .

## 4.2 Definition. The semantics of circ.

Let  $Sta = \bigcup_{\Lambda \subseteq \Pi} Sta[\Lambda]$ , the set of static configurations with sorts which are subsets of  $\Pi$ .

Define the semantic function  $[\![\ ]\!]: \mathbf{circ} \to P(\operatorname{Sta})$  to be the map defined by the structural induction

$$egin{aligned} \llbracket Pow \ lpha 
Vert &= \{\sigma \in \operatorname{Sta}[lpha] \mid Slpha = \infty \land Ilpha = \operatorname{H} \} \end{aligned}$$
  $egin{aligned} \llbracket Gnd \ lpha 
Vert &= \{\sigma \in \operatorname{Sta}[lpha] \mid Slpha = \infty \land Ilpha = \operatorname{L} \} \end{aligned}$   $egin{aligned} \llbracket cap_{kU}lpha 
Vert &= \{\sigma \in \operatorname{Sta}[lpha] \mid Slpha \geq k \land \\ &= \{Slpha = k \to Ilpha = U\} \land \{Slpha > k \to Ilpha = \emptyset \} \} \end{aligned}$ 

$$\llbracket res_{g}(\alpha,\beta) \rrbracket = \{ \sigma \in \operatorname{Sta}[\alpha,\beta] \mid I\alpha = \emptyset \land I\beta = \emptyset \land \\ S\alpha \cdot g \leq S\beta \land S\beta \cdot g \leq S\alpha \land \\ (S\alpha \cdot g = S\beta \leftrightarrow \alpha \nsim \beta) \land (S\beta \cdot g = S\alpha \leftrightarrow \beta \nsim \alpha) \}$$
 
$$\llbracket ntran(\alpha,\beta,\gamma) \rrbracket = \{ \sigma \in \operatorname{Sta}[\alpha,\beta,\gamma] \mid I\alpha = \emptyset \land I\beta = \emptyset \land I\gamma = \emptyset \land \\ \gamma \parallel \alpha \land \gamma \parallel \beta \land (\alpha \parallel \beta \lor \alpha \sim \beta) \land \\ (V\gamma = H \to \alpha \sim \beta) \land (V\gamma = L \to \alpha \parallel \beta) \}$$
 
$$\llbracket ptran(\alpha,\beta,\gamma) \rrbracket = \{ \sigma \in \operatorname{Sta}[\alpha,\beta,\gamma] \mid I\alpha = \emptyset \land I\beta = \emptyset \land I\gamma = \emptyset \land \\ \gamma \parallel \alpha \land \gamma \parallel \beta \land (\alpha \parallel \beta \lor \alpha \sim \beta) \land \\ (V\gamma = L \to \alpha \sim \beta) \land (V\gamma = H \to \alpha \parallel \beta) \}$$
 
$$\llbracket c \bullet d \rrbracket = \{ \sigma \bullet \rho \mid \sigma \in \llbracket c \rrbracket \& \rho \in \llbracket d \rrbracket \& \sigma \bullet \rho \downarrow \}$$

Further terms can be defined. For example, we can define a wire  $wre(\alpha, \beta)$  between  $\alpha$  and  $\beta$ , with denotation

$$\llbracket \mathit{wre}(lpha,eta)
rbracket = \{\sigma\in\mathrm{Sta}[lpha,eta]\mid Ilpha = \emptyset \wedge Ieta = \emptyset \wedge lpha \sim eta\},$$

which can be realised by a resistance with perfect conductance, i.e.

 $\llbracket c \lceil \Lambda \rrbracket = \{ \sigma \lceil \Lambda \mid \sigma \in \llbracket c \rrbracket \& \sigma \lceil \Lambda \downarrow \}.$ 

$$\llbracket \mathit{wre}(\alpha,\beta) \rrbracket = \llbracket \mathit{res}_{\infty}(\alpha,\beta) \rrbracket.$$

More interestingly, We can define a general source  $sce_{sU}\alpha$ , at  $\alpha$ , of strength s and value  $U \in \mathbf{V}$ , to have denotation

$$\llbracket \mathit{sce}_{sU} \alpha 
Vert = \{ \sigma \in \operatorname{Sta}[lpha] \mid Slpha \geq s \land \ (Slpha = s 
ightarrow Ilpha = U) \land (Slpha > s 
ightarrow Ilpha = \emptyset) \}$$

Such a source only makes a contribution at  $\alpha$  if the strength of  $\alpha$  is exactly s. We only consider sources  $sce_{sU}\alpha$  for which  $s=0 \Leftrightarrow U=\emptyset$ —any others could have no static configurations. If s is a capacitance strength k then such a weakened source can be realised by the charged capacitance  $cap_{kU}^{\alpha}$ . If s is a conductance strength g it can be realised by passing signals from ground or power through a resistance of strength g. For example, if U=H, we have

$$\llbracket \mathit{sce}_{\mathit{gH}} \alpha \rrbracket = \llbracket (\mathit{Pow} \ \beta \bullet \mathit{res}_{\mathit{g}}(\beta, \alpha)) \lceil \alpha \rrbracket.$$

The one remaining case,  $sce_{00}\alpha$  can be realised as a single connection point standing alone, and this can be made by hiding one end of a resistance, *i.e.* 

$$\llbracket \mathit{sce}_{0\emptyset} \alpha 
rbracket = \llbracket \mathit{res}_g(\alpha, \beta) \lceil \alpha 
rbracket.$$

It is helpful to explain the ways sources combine using an ordering between pairs sU, where  $s \in S$  and  $U \in V$  and s = 0 iff  $U = \emptyset$ . On such pairs define

$$sU \le s'U'$$
 iff  $s < s'$  or  $(s = s' \& U \le U')$ .

This forms a finite distributive lattice (meet  $\cdot$  and join +), mentioned in [B1] and [Hay], which may be drawn as:



Now we can list some basic equivalences between circuit terms, which can be proved from the denotational semantics.

## 4.3 Proposition. Some equivalences on circuits

Write c = c' iff  $[\![c]\!] = [\![c']\!]$ , for circuit terms c, c'.

Realising sources: If k is a capacitance strength and g a conductance strength then

$$egin{aligned} sce_{0\emptyset}lpha &= res_g(lpha,eta)\lceillpha,\ sce_{kU}lpha &= cap_{kU}lpha,\ sce_{gH}lpha &= (Pow\ eta ullet res_g(eta,lpha))\lceillpha,\ sce_{gL}lpha &= (Gnd\ eta ullet res_g(eta,lpha))\lceillpha,\ sce_{gX}lpha &= sce_{gH}lpha ullet sce_{gL}lpha. \end{aligned}$$

Composing sources:  $sce_{sU}\alpha \bullet sce_{s'U'}\alpha = sce_{sU+s'U'}\alpha$ .

Resistances in series and parallel:

$$(res_g(\alpha, \beta) \bullet res_{g'}(\beta, \gamma)) \lceil \{\alpha, \gamma\} = res_{g \cdot g'}(\alpha, \gamma).$$
  
 $(res_g(\alpha, \beta) \bullet res_{g'}(\alpha, \beta)) = res_{g+g'}(\alpha, \beta).$ 

Wires, resistances and transistors:

$$wre(\alpha, \beta) = res_{\infty}(\alpha, \beta)$$
  
=  $(Pow \ \alpha \bullet ntran(\alpha, \beta, \gamma)) \lceil \{\alpha, \beta\} \}$   
=  $(Gnd \ \alpha \bullet ptran(\alpha, \beta, \gamma)) \lceil \{\alpha, \beta\} \}$ .

Earlier we pointed out the problem of knowing whether or not we had written down sufficient axioms for static configurations. From the remarks in the last section it is sufficient to show every finite static configuration can be realised as a static configuration of a circuit term. This is established in the following proposition.

**4.4 Proposition.** Any static configuration  $\sigma$  of sort  $\Lambda$  a finite subset of  $\Pi$  is the static configuration of some circuit c i.e.  $\sigma \in [c]$ .

**Proof.** We sketch the proof. Given  $\sigma$ , we define the required circuit to be the composition of the following finite set of components:

$$\begin{aligned} & \{ sce_{S\alpha U}\alpha \mid \alpha \in \Lambda \ \& \ I\alpha = U \neq \emptyset \} \cup \\ & \{ res_g(\alpha,\beta) \mid \alpha \rightsquigarrow \beta \ \& \ g \text{ is the minimum conductance strength s.t. } S\alpha \cdot S\beta \leq g \}. \end{aligned}$$

This uses our knowledge of how to build all sources  $sce_{sU}\alpha$  as circuits. From the definition of sources, resistances and composition, it can be seen  $\sigma \in [c]$ .

Now we can see how to give a more accurate specification of the NMOS inverter of section 2. Its circuit is constructed by the term

$$c \equiv (ntran(\alpha, \beta, \gamma) \bullet res_g(\beta, \delta) \bullet Pow \ \delta \bullet Gnd \ \alpha) \lceil \{\alpha, \beta\}.$$

Informally, its output  $\beta$  behaves like a direct connection to ground when its input  $\gamma$  is high and like a weakened power source when  $\gamma$  is low. Formally, if we define

$$Sce_{sU}x \equiv Sx \geq s \land Sx = s \rightarrow Ix = U \land Sx = s \rightarrow Ix = U,$$

then we can say c satisfies the assertion

$$V \Upsilon = H \rightarrow Sce_{\infty L} \beta \wedge V \Upsilon = L \rightarrow Sce_{qH} \beta.$$

This illustrates how the model is closely associated with assertions for specifying the behaviour of circuits. Of course we should give a more rigorous treatment of their syntax and semantics. This is done in the next section where a complete proof system is presented for proving a circuit satisfies an assertion.

Technically, it will be simpler to work with more basic predicates than Vx and Ix. Say  $\sigma$  satisfies  $H\alpha$  if  $H \leq V\alpha$ , meaning  $\alpha$  is connected to a source of positive charge (either in the environment or internal). Similarly, say  $\sigma$  satisfies  $L\alpha$  if  $L \leq V\alpha$ . The assertion  $V\alpha = H$  can then be expressed equivalently by  $H\alpha \wedge \neg L\alpha$ , while  $V\alpha = X$  is equivalent to  $H\alpha \wedge L\alpha$ . For internal signals say  $\sigma$  satisfies  $h\alpha$  if  $H \leq I\alpha$  and  $I\alpha$  if  $L \leq V\alpha$ . Then, for instance,  $\sigma$  satisfies  $h\alpha$  if  $\alpha$  is connected to an internal source of positive charge.

To conclude this section, we note we have not completely eliminated the kind of problems raised in the section 1. Certainly we now have an adequate treatment of short circuits. In particular

$$[\![ \textit{Pow } \alpha \bullet \textit{Gnd } \alpha]\!] \neq \emptyset,$$

and so, when we come to the logic, the circuit  $Pow \ \alpha \bullet Gnd \ \alpha$  will not satisfy ff. However, there are other circuit terms which do denote  $\emptyset$  and so will satisfy ff. Roughly speaking,

these are terms which represent circuits whose only possible behaviour is to oscillate. For example the term

$$c \equiv (ntran(\alpha, \beta, \mathcal{F}) \bullet res_q(\beta, \delta) \bullet Pow \ \delta \bullet Gnd \ \alpha \bullet wre(\mathcal{F}, \beta)) \lceil \emptyset,$$

with g a conductance strength strictly between 0 and  $\infty$ , "ties-back" the output of an NMOS inverter to its input, and then insulates all points from the environment. It can be drawn as:

The circuit c denotes the emptyset,  $[\![c]\!] = \emptyset$ . (The circuit is a little peculiar in that it has an empty sort. A trivial modification—connecting the wire to the gate of another transistor—produces a term with nonempty sort and empty denotation.) The logic of circuits will thus be akin to the logic of partial correctness assertions (Hoare logic); a purely oscillating circuit will satisfy any assertion just as a diverging program satisfies all partial correctness assertions.

### 5. A proof system.

We show how to construct a proof system for circuits. In this section we highlight its main features, and refer to the appendix for the full syntax, semantics and proof rules. The proof system consists of a complete set of rules to prove formally that a circuit, described by a term c, satisfies a property described by an assertion A. It is compositional in that proving an assertion holds of a compound circuit of the form  $c \mid \Lambda$  or  $c_0 \bullet c_1$  reduces to proving assertions about the components, c of  $c \mid \Lambda$ , and  $c_0$ and  $c_1$  of  $c_0 \cdot c_1$ . Assertions describe the possible static configurations the circuit can settle into. We have seen several examples where a static configuration satisfies some particular logical assertion. Of course, an assertion determines all those configurations which satisfy it, and in the formal treatment we take the meaning, or denotation, of an assertion A, written ||A||, to be the set of all those static configurations which satisfy it. Thus we seek a way to prove relations  $[c] \subseteq [A]$ , which we write as  $c \models A$ , hold between circuit terms c and assertions A. In order to establish such relations it is useful to treat circuit terms as just another kind of assertion in our semantics and proof rules. We write  $\sigma \models c$  to mean  $\sigma$  is a static configuration of the circuit c, just as we do for more usual assertions. We make use of relations  $\Gamma \models A$  between a set  $\Gamma$  and A where  $\Gamma$  and A are circuit-assertions (see L.1 in the appendix) which may include, or be built out of circuit terms. The relation  $\Gamma \models A$  means any static configuration  $\sigma$  which satisfies all of  $\Gamma$  satisfies A too. Such relations have their syntactic counterpart in the proof system. The proof rules are written in a natural-deduction style, keeping track of the assumptions in sequents of the form  $\Gamma \vdash A$ .

We settle on a countably infinite set of point names  $\Pi$ , with typical members  $\alpha, \beta, \dots$ , and a fixed strength order S. It is simplest to assume that point names are in 1-1 correspondence with points, so two distinct names cannot be associated with the same point (we shall axiomatise the equality relation between points accordingly). Our previous work suggests the form assertions should take. A static configuration  $\sigma$ , with sort  $\Lambda \subset \Pi$ , is a structure  $\langle S, V, I, \leadsto \rangle$  over individuals  $\Lambda$ . We could treat  $\sigma$  as a structure for a first order logic with function symbols S, V, I and relation symbols  $\rightarrow$ and =. We do not quite follow this course. There is first of all the problem that the sorts are not all the same, and in particular we allow the trivial empty static configuration—a source of trouble should we follow a traditional treatment where it is usual to ban empty structures. We could use a family of logics, one for each sort, but instead it is much more convenient and much less messy to use a free logic in which it is not necessary that terms are defined, or denote existing things. In the free logic a static configuration  $\sigma$  satisfies  $\forall x.A$  when  $A[\alpha/x]$  holds for all points  $\alpha$  in sort( $\sigma$ ), and similarly  $\sigma$  satisfies  $\exists x.A$  if for some  $\alpha$  in sort( $\sigma$ ) the assertion  $A[\alpha/x]$  is satisfied by  $\sigma$ ; quantification is only taken to be over existing, or defined, elements. On the other hand, all variables are understood to range over all potential individuals  $\Pi$ . Our style of free logic is based on [S] and includes an existence predicate E;  $E\alpha$  holds in a static configuration precisely when  $\alpha \in \operatorname{sort}(\sigma)$ . We have constant symbols from  $\Pi$ , a function symbol S, as well as relations  $\rightarrow$  and = in the logical language. Instead of using functions V and I we use the predicates Hx, Lx and hx, lx mentioned in the last section 4.

The point relations, prel, have the form

$$H\pi \mid L\pi \mid h\pi \mid l\pi \mid \pi_0 = \pi_1 \mid \pi_0 \rightsquigarrow \pi_1 \mid E\pi$$

where  $\pi, \pi_0, \pi_1$  range over points and variables.

To reason formally about strengths we need strength expressions of the form

$$s | S\pi | e_0 \cdot e_1 | e_0 + e_1$$

where  $s \in S$ ,  $\pi$  is a point or variable and  $e_0, e_1$  are strength expressions. Note we need an existence predicate for strength expressions as well as points. This is because  $S\alpha$  only makes sense, with respect to a static configuration  $\sigma$ , if  $\alpha \in \text{sort}(\sigma)$ . Define the strength relations, srel, to have the form

$$Ee \mid e_0 \leq e_1 \mid e_0 = e_1$$

where e,  $e_0$  and  $e_1$  are strength expressions.

Now the first order assertions of our free logic are:

$$A ::= prel \mid srel \mid tt \mid ff \mid A \wedge A \mid A \vee A \mid A \rightarrow A \mid \exists x.A \mid \forall x.A$$

with atoms which are point and strength relations. The full semantics and proof system can be seen in the appendix (for the moment ignore the second order assertions and rules). Notable, special to a free logic, are the quantifier rules which must take account of existence and the rule (refl) the axiom for existence—the equality  $\alpha = \alpha$  only holds of an existing point  $\alpha$ . The paper [S] gives an excellent discussion of the axioms and rules.

**5.1 Theorem.** A first-order assertion is provable using the proof system in the appendix iff it is satisfied by all static configurations.

Proof. The proof is omitted. Unfortunately, I do not know an adequate reference for a completeness result in the form we want it, though completeness can be proved rather indirectly from results in [FS] and [Gr]. More direct proofs can be got by following the lines of Henkin's completeness proof for the predicate calculus.

It is as well to get a basic fact about strength relations out of the way. It will be useful to observe that any strength relation can be reduced to ones of a special form, described in the following.

**5.2 Proposition.** Let R be a strength relation. There is a propositional assertion A which includes strength assertions solely of the form  $S\pi = s$  such that  $\vdash R \leftrightarrow A$ .

Proof.

By structural induction,

$$\vdash Ee \leftrightarrow \bigwedge_{\pi} E\pi$$

for any strength expression e, where  $\pi$  ranges over the variables or points mentioned in e. This establishes the proposition for strength relations of the form Ee.

By structural induction,

$$\vdash Ee \leftrightarrow \bigvee_{s \in S} e = s$$

for any strength expression e. It follows from the axioms that

$$\vdash e_{0} \cdot e_{1} = s \leftrightarrow \bigvee_{s_{0}, s_{1} \in S} (e_{0} = s_{0} \wedge e_{1} = s_{1} \wedge s_{0} \cdot s_{1} = s)$$

$$\vdash e_{0} + e_{1} = s \leftrightarrow \bigvee_{s_{0}, s_{1} \in S} (e_{0} = s_{0} \wedge e_{1} = s_{1} \wedge s_{0} + s_{1} = s)$$

$$\vdash e_{0} \leq e_{1} \leftrightarrow \bigvee_{s_{0}, s_{1} \in S} (e_{0} = s_{0} \wedge e_{1} = s_{1} \wedge s_{0} \leq s_{1})$$

$$\vdash e_{0} = e_{1} \leftrightarrow \bigvee_{s_{0}, s_{1} \in S} (e_{0} = s_{0} \wedge e_{1} = s_{1} \wedge s_{0} = s_{1}).$$

Whence, by structural induction on expressions, any strength relation of the form  $e_0 \le e_1$  or  $e_0 = e_1$  is provably equivalent to a propositional assertion of the required form.

We are still left with the major problem of how to incorporate rules for reasoning about circuit terms in the logic. As mentioned we can include them in the logic, treating them much the same way as assertions. They are built-up using restrictions  $\lceil \Lambda$  and composition  $\bullet$  from atoms like  $Pow\ \alpha$  and  $ntran(\alpha, \beta, \gamma)$ . It is a simple matter to incorporate atoms. For example, the rules (L.10) include an elimination rule of the form

(Pow E) 
$$Pow \alpha \vdash S\alpha = \infty \land h\alpha \land \neg l\alpha \land \forall x.x = \alpha$$

whose role is to replace proving a property of a power source  $Pow\ \alpha$  to proving a consequence of an assertion expressing its behaviour. But how are we to treat compound terms? Our approach is to associate modal operations, analogous to weakest liberal preconditions, with the operators  $\lceil \Lambda$  and  $\bullet$ . This line was inspired by the general treatment in [A], though, of course, their specific use in the semantics of imperative programming language is well known, largely due to [D]. We also extend the logic to include second-order quantifiers, to obtain the following syntactic category of second-order assertions:

$$A ::= prel \mid srel \mid tt \mid ff \mid A \land A \mid A \lor A \mid A \rightarrow A \mid \exists x.A \mid \forall x.A \mid \{x : A\}\pi \mid P\pi \mid \exists P.A \mid \forall P.A \mid$$

Though the reason for this will not become clear until we deal with the preconditions for composition.

The treatment of the restriction operator  $\lceil \Lambda \rceil$ , for a finite subset  $\Lambda$  of  $\Pi$ , is easier to explain first. The use of preconditions arises naturally from the requirement that the proof system be compositional. The requirement of compositionality begs the question:

What has to be true of a circuit c in order to be guaranteed that  $c \cap \Lambda$  satisfies an assertion A?

And this question amounts to:

What must be true of a static configuration  $\sigma$  so that if  $\sigma \upharpoonright \Lambda$  is defined then  $\sigma \upharpoonright \Lambda$  satisfies A?

Rather tautologously, we can answer that  $\sigma$  must satisfy the  $\lceil \Lambda$ -precondition of A, written  $^{\Lambda}A$ , which has the denotation

$$\llbracket ^{\Lambda}A \rrbracket = \{ \sigma \mid \sigma \lceil \Lambda \downarrow \Rightarrow \sigma \lceil \Lambda \models A \}.$$

We might instead of  ${}^{\Lambda}A$  write  $[{}^{\Lambda}]A$  because  $[\![{}^{\Lambda}A]\!]$  could have been written equally well as

$$\{\sigma \mid \forall \sigma'. \ \sigma \lceil \Lambda = \sigma' \Rightarrow \sigma' \models A\},\$$

making the precondition look even more like a modal operator of the kind used in dynamic logic [Ha]. This precondition is analogous to weakest liberal preconditions because if  $\sigma \lceil \Lambda$  is undefined then  $\sigma$  satisfies  $^{\Lambda}A$ . We could have worked instead with the analogue of weakest precondition. We temporarily introduce it as  $\langle \lceil \Lambda \rangle A$  with the meaning

$$\llbracket \langle \lceil \Lambda \rangle A \rrbracket = \{ \sigma \mid \exists \sigma'. \ \sigma \lceil \Lambda = \sigma' \& \ \sigma' \models A \},\$$

but do not make any further use of it. It turns out to be definable in terms of  ${}^{\Lambda}A$ , and is not quite as directly useful. For  ${}^{\Lambda}A$  we have the following fact:

## 5.3 Proposition.

Let c be a circuit term and A a second-order assertion. Then

$$c \lceil \Lambda \models A \text{ iff } c \models^{\Lambda} A.$$

Proof.

1

$$c\lceil \Lambda \models A \text{ iff } \llbracket c\lceil \Lambda \rrbracket \subseteq \llbracket A \rrbracket$$

$$\text{iff } \forall \sigma'. \ \sigma' \models c\lceil \Lambda \Rightarrow \sigma' \models A$$

$$\text{iff } \forall \sigma. \ (\sigma \models c \& \sigma\lceil \Lambda \downarrow) \Rightarrow \sigma\lceil \Lambda \models A$$

$$\text{iff } \forall \sigma. \ \sigma \models c \Rightarrow (\sigma\lceil \Lambda \downarrow \Rightarrow \sigma\lceil \Lambda \models A)$$

$$\text{iff } \forall \sigma. \ \sigma \models c \Rightarrow \sigma \models^{\Lambda} A$$

$$\text{iff } \llbracket c \rrbracket \subseteq \llbracket^{\Lambda} A \rrbracket$$

$$\text{iff } c \models^{\Lambda} A.$$

We extend the second-order assertions by preconditions and call the resulting syntactic category simply assertions. Proposition 5.3 suggests an obvious elimination rule for preconditions:

$$\frac{c \vdash {}^{\Lambda}A}{c \lceil \Lambda \vdash A}$$

in which the semantic relation of satisfaction has been replaced by the syntactic one of entailment in a sequent calculus. Standing alone this proof rule would not get us very far. True we can eliminate an occurrence of the restriction operator, but only at the expense of introducing a precondition. Fortunately it is a purely mechanical process, captured mainly in the distribution laws for  $^{\Lambda}($ ), listed in L.6, to eliminate all occurrences of  $\lceil \Lambda$ -preconditions; an assertion containing them can be proved equivalent to an assertion without any.

We explain the rules for  $^{\Lambda}($ ), leaving the detailed proofs of soundness to the reader. Regarding preconditions as modal operators suggests the introduction rule

$$\frac{\vdash A}{\vdash {}^{\Lambda}A}$$

familiar from proof systems with modal operators. The other introduction rule for such preconditions accompanies the fact that if  $\sigma[\Lambda]$  is undefined then  $\sigma \models {}^{\Lambda}A$ . Take

$$G \equiv orall x. \ 
eg \Lambda x 
ightarrow [\operatorname{H} x 
ightarrow hx \lor (\exists y: \Lambda. \ \operatorname{H} y \land y 
ightharpoonup x)] \land [\operatorname{L} x 
ightarrow lx \lor (\exists y: \Lambda. \ \operatorname{L} y \land y 
ightharpoonup x)].$$

The assertion G expresses definedness in the sense that

$$\sigma \models G \text{ iff } \sigma \lceil \Lambda \downarrow .$$

The other introduction rule for preconditions is

$$\neg G \vdash {}^{\Lambda}A$$
.

The remaining  $^{\Lambda}($ ) rules say how the operator distributes over logical operators. Their role is to enable preconditions to be pushed through and finally eliminated from assertions. Using them we can for instance derive the rule

$$\frac{\Gamma \vdash A}{{}^{\Lambda}\Gamma \vdash {}^{\Lambda}A}$$

where by  ${}^{\Lambda}\Gamma$  we mean  $\{{}^{\Lambda}B \mid B \in \Gamma\}$ , for a finite set of assumptions  $\Gamma$ . From  $\Gamma \vdash A$  we derive  $\vdash M\Gamma \to A$  and hence  $\vdash {}^{\Lambda}(M\Gamma \to A)$ . Using the distribution rules we deduce  $G \vdash M{}^{\Lambda}\Gamma \to {}^{\Lambda}A$ . This gives  $G, M{}^{\Lambda}\Gamma \vdash {}^{\Lambda}A$  which combined with  $\neg G \vdash {}^{\Lambda}A$  yields  $M{}^{\Lambda}\Gamma \vdash {}^{\Lambda}A$ , and finally  ${}^{\Lambda}\Gamma \vdash {}^{\Lambda}A$ . In particular using this we can for instance show  $\vdash {}^{\Lambda}A \to {}^{\Lambda}B$  if  $\vdash A \to B$ ; equivalent assertions have equivalent preconditions. This means that preconditions of strength relations can be replaced by preconditions of assertions of the form given in proposition 5.2 from which all preconditions can be eliminated using the distribution rules.

## 5.4 Theorem.

Let A be an assertion, which may include restriction preconditions. There is an assertion B, which does not contain any preconditions, such that  $\vdash A \leftrightarrow B$ .

Proof. By the remarks above, using the distribution laws, we obtain

$$G \vdash {}^{\Lambda}A \leftrightarrow C$$

where C contains no preconditions. But  $\neg G \vdash {}^{\Lambda}A$ . Therefore  $\vdash {}^{\Lambda}A \leftrightarrow (G \to C)$ , with  $B \equiv (G \to C)$  an assertion of the required form.

Proving c 
cap A reduces to proving c 
cap A which, by the metatheorem and modus ponens, reduces to proving c 
cap B where B contains no preconditions—and this

can be done formally in the proof system. We have reduced the problem of proving an assertion A holds of  $c \lceil \Lambda$  to proving an assertion B holds of c. We have achieved compositionality for restriction.

The term c may well contain compositions using  $\bullet$ . For our proof system to be compositional we must "decompose" the proof that an assertion A is satisfied by a composition  $c_0 \bullet c_1$  to proofs that assertions  $A_0$  and  $A_1$ , are satisfied by the components  $c_0$  and  $c_1$ , respectively. Problems like this have received a great deal of attention recently (see e.g. [deR, OH, St, W]) and our approach throws some light on the problem of obtaining compositional proof systems for parallel processes, and even suggests a general approach. Again the use of a modal operator plays a central role, this time associated with composition. Composition  $\bullet$  is a binary operator so the  $\bullet$ -precondition of an assertion A is satisfied by those pairs of static configurations  $(\sigma, \rho)$  whose composition  $\sigma \bullet \rho$ , when defined, satisfies A, i.e.

$$\llbracket {}^{\bullet}A \rrbracket = \{ (\sigma, \rho) \mid \sigma \bullet \rho \downarrow \Rightarrow \sigma \bullet \rho \models A \}.$$

Thus the assertion  ${}^{\bullet}A$  is of a different type than those we have encountered previously. It is satisfied by pairs of static configurations. To emphasise that it has a different type we call it, and other assertions satisfied by pairs of configurations, product assertions. It is useful to define another operator for forming atomic product assertions. For assertions A and B, take  $A \times B$  to be satisfied by those pairs  $(\sigma, \rho)$  where  $\sigma$  satisfies A and  $\rho$  satisfies B, i.e. so

$$[\![A\times B]\!]=[\![A]\!]\times[\![B]\!].$$

The full syntactic category of product assertions is:

$$D ::= A \times B \mid {}^{\bullet}A \mid E\pi \mid \pi_0 = \pi_1$$

$$\text{tt} \mid \text{ff} \mid D_0 \wedge D_1 \mid D_0 \vee D_1 \mid D_0 \rightarrow D_1 \mid \exists x.D \mid \forall x.D \mid$$

$$\{x : D\}\pi \mid \exists P.D \mid \forall P.D$$

which includes the apparatus of first and second order free logic with equality.

We can treat circuit terms similarly, and with the obvious definition of  $\models$  between product assertions, obtain the following proposition relating the  $\bullet$ -precondition to composition.

### 5.5 Proposition.

Let  $c_0$  and  $c_1$  be circuit terms and A an assertion. Then

$$c_0 \bullet c_1 \models A \text{ iff } c_0 \times c_1 \models {}^{\bullet}A.$$

Proof.

$$c_0 ullet c_1 \models A ext{ iff } \llbracket c_0 ullet c_1 
rbracket \subseteq \llbracket A 
rbracket$$
 $ext{iff } orall \sigma'. \ \sigma' \models c_0 ullet c_1 \Rightarrow \sigma' \models A$ 
 $ext{iff } orall \sigma, 
ho. \ (\sigma \models c_0 \& \ 
ho \models c_1 \& \ \sigma ullet 
ho \downarrow) \Rightarrow \sigma ullet 
ho \models A$ 
 $ext{iff } orall \sigma, 
ho. \ (\sigma, 
ho) \models c_0 \& \ 
ho \models c_1 \Rightarrow (\sigma ullet 
ho \downarrow \Rightarrow \sigma ullet 
ho \models A)$ 
 $ext{iff } orall \sigma, 
ho. \ (\sigma, 
ho) \models c_0 \times c_1 \Rightarrow (\sigma, 
ho) \models {}^{ullet} A 
rbracket$ 
 $ext{iff } \llbracket c_0 \times c_1 \rrbracket \subseteq \llbracket {}^{ullet} A 
rbracket$ 
 $ext{iff } c_0 \times c_1 \models {}^{ullet} A.$ 

The proposition asserts the soundness of the elimination rule for composition:

$$\frac{c_0 \times c_1 \vdash {}^{\bullet}A}{c_0 \bullet c_1 \vdash A}$$

We want the proof of  $c_0 \times c_1 \models {}^{\bullet}A$  to "factor" into proving

$$c_0 \models A_0 \& c_1 \models A_1 \& A_0 \times A_1 \models {}^{\bullet}A.$$

The key to a compositional proof system for  $\bullet$  is to obtain such assertions so that we can prove formally the relation between assertions, that  $A_0 \times A_1 \vdash {}^{\bullet}A$ . Then we have reduced proving a property holds of a composition  $c_0 \bullet c_1$  to proving properties hold of its components  $c_0$  and  $c_1$ : If there are such assertions then by the rules  $(\times \vdash)$  and (tran), and provided  $c_0 \vdash A_0$  and  $c_1 \vdash A_1$ , we can deduce  $c_0 \times c_1 \vdash {}^{\bullet}A$  and so  $c_0 \bullet c_1 \vdash A$ . Obtaining suitable assertions  $A_0$  and  $A_1$  is quite involved.

The rules for  $\bullet$ -preconditions are like those for  $\lceil \Lambda$ -preconditions and are presented in L.9. There are two introduction rules, one of which makes use of a definedness assertion D, with

$$egin{aligned} D \equiv orall x. & ([Ex imes \mathbf{t}] \wedge [\mathbf{t} imes Ex]) 
ightarrow \ & ([Hx imes \mathbf{t}] \leftrightarrow [\mathbf{t} imes Hx] \wedge \ & [Lx imes \mathbf{t}] \leftrightarrow [\mathbf{t} imes Lx] \wedge \ & igwedge_{s \in S} [Sx = s imes Sx = s]), \end{aligned}$$

so  $(\sigma, \rho) \models D$  iff  $\sigma \bullet \rho \downarrow$ . This is where the cost of making assertions second-order paysoff. Because we can quantify over subsets (or properties), we can reduce  ${}^{\bullet}A$  to a provably equivalent product assertion which contains no preconditions. The quantification over sets is used to express the fact that the flow relation in a composition  $\sigma \bullet \rho$ , assumed defined, is the transitive closure of the flow relations contributed by the components  $\sigma$  and  $\rho$ . This is the role of axiom  $(d^{\bullet} \leadsto)$ . Suppose  $\sigma \bullet \rho$  is defined. Then  $(\sigma, \rho) \models \bullet (\alpha \leadsto \beta)$  means simply that  $\sigma \bullet \rho \models \alpha \leadsto \beta$  for  $\alpha, \beta \in \operatorname{sort}(\sigma \bullet \rho)$ . Let  $\Lambda \subseteq \operatorname{sort}(\sigma \bullet \rho)$ . Note we can represent the set  $\Lambda$  as the term  $\Lambda$  which is  $\{x : \bigvee_{\lambda \in \Lambda} x = \lambda\}$  in the logic. Say  $\Lambda$  is closed, with respect to  $\sigma, \rho$ , if

$$\sigma \bullet \rho \models \Lambda \gamma \& (\sigma \models \gamma \leadsto \delta \text{ or } \rho \models \gamma \leadsto \delta) \Rightarrow \sigma \bullet \rho \models \Lambda \delta$$

for all  $\gamma, \delta \in \text{sort}(\sigma \bullet \rho)$ . Now, the flow relation in  $\sigma \bullet \rho$  is characterised as being the transitive closure of the flow relations of the components, and this is expressed by the property that

$$\Lambda \alpha \& \Lambda \text{ is closed } \Rightarrow \Lambda \beta$$

for all  $\alpha, \beta \in \operatorname{sort}(\sigma \bullet \rho)$  and for any  $\Lambda$ . This gives the gist of axiom  $(d^{\bullet} \leadsto)$ . Notice it depends on quantifying over subsets. Once we have gone second-order, the distribution axioms for  $\bullet$ () enable us to eliminate occurrences of  $\bullet$ -preconditions from product assertions.

#### 5.6 Theorem.

Let A be a product assertion which may include composition preconditions. There is a product assertion B, which does not contain any preconditions such that  $\vdash A \leftrightarrow B$ .

Proof. The proof follows the same lines as for restriction preconditions.

But, of course, this was at the expense of making our logic second-order and it is well-known that there is no complete effective axiomatisation of second-order logic. Fortunately we can use the fact that circuits are finite to get around this difficulty. In contexts where it is assumed that all points lie within some finite set we can reduce second-order assertions to provably equivalent first-order or even propositional assertions. (An assertion is propositional if it contains no quantifiers or preconditions.)

It is easy to define the sort of circuit term by structural induction:

$$\operatorname{sort}(Pow \ \alpha) = \operatorname{sort}(Gnd \ \alpha) = \{\alpha\}$$
  
 $\operatorname{sort}(res_g(\alpha, \beta)) = \{\alpha, \beta\}$   
 $\operatorname{sort}(ntran(\alpha, \beta, \gamma)) = \operatorname{sort}(ptran(\alpha, \beta, \gamma)) = \{\alpha, \beta, \gamma\}$   
 $\operatorname{sort}(c \bullet d) = \operatorname{sort}(c) \cup \operatorname{sort}(d)$   
 $\operatorname{sort}(c \lceil \Lambda) = \operatorname{sort}(c) \cap \Lambda.$ 

In the logic, the fact that a circuit term c has sort  $\Lambda$ , a finite set, is expressed by

$$c \models \bigwedge_{\lambda \in \Lambda} E\lambda \wedge \forall x.\Lambda x$$

where  $\Lambda x$  abbreviates  $\{y: \bigvee_{\lambda \in \Lambda} y = \lambda\} x$  and so is equivalent to  $\bigvee_{\lambda \in \Lambda} x = \lambda$ . This can be proved in the formal system, though all we need to show completeness is the following.

#### 5.7 Proposition.

- (i) Let c be a circuit term of sort  $\Lambda$ . Then  $c \vdash \forall x.\Lambda x$ .
- (ii) Let  $c_0, c_1$  be circuit terms of sort  $\Lambda_0$  and  $\Lambda_1$  respectively. Then  $c_0 \times c_1 \vdash \forall x. \ (\Lambda_0 \cup \Lambda_1)x.$

Proof. The proof of (i) is by structural induction on circuit terms.

For basic components, like transistors the sorts are specified in their associated assertions so for a basic component c we have  $c \vdash \forall x$ .  $(\operatorname{sort}(c))x$ .

Assume we already know  $c \vdash \forall x.Mx$  where M is the sort of c. Then  $c \vdash Ex \to Mx$ . Hence  $c \vdash \Lambda x \to \Lambda x \wedge Mx$ . But this yields  $c \vdash {}^{\Lambda}(Ex \to (\Lambda \cap M)x)$  from which we derive  $c \lceil \Lambda \vdash Ex \to (\Lambda \cap M)x$ . Therefore  $c \lceil \Lambda \vdash \forall x.(\Lambda \cap M)x$  and, of course,  $\Lambda \cap M$  is the sort of  $c \lceil \Lambda$ .

Suppose we already know  $c_0 \vdash \forall x.\Lambda_0 x$  and  $c_1 \vdash \forall x.\Lambda_1 x$  where  $\Lambda_0$  and  $\Lambda_1$  are the sorts of  $c_0$  and  $c_1$ . Thus

$$c_0 \vdash Ex \rightarrow \Lambda_0 x \text{ and } c_1 \vdash Ex \rightarrow \Lambda_1 x.$$

By the  $(\times \vdash)$  rule,  $c_0 \times c_1 \vdash [(Ex \to \Lambda_0 x) \times (Ex \to \Lambda_1 x)]$ . From the rule  $(\times E)$  for product assertions we derive

$$c_0 \times c_1 \vdash Ex \rightarrow ([\Lambda_0 x \times \mathrm{tt}] \vee [\mathrm{tt} \times \Lambda_1 x])$$

from which

$$c_0 \times c_1 \vdash Ex \rightarrow (\Lambda_0 \cup \Lambda_1)x$$

follows. We get

$$c_0 \times c_1 \vdash \forall x. (\Lambda_0 \cup \Lambda_1) x$$

directly, and from the \*( ) rules we obtain

$$c_0 \times c_1 \vdash {}^{\bullet}(\forall x.(\Lambda_0 \cup \Lambda_1)x).$$

Now we see  $c_0 \bullet c_1 \vdash \forall x. (\Lambda_0 \cup \Lambda_1)x$ , as required.

This completes the structural induction, to show (i). It also makes clear how (ii) follows.  $\blacksquare$ 

In contexts where we know every point belongs to some finite set we can eliminate all quantifiers, both first and second order, to obtain an equivalent propositional assertion (without any quantifiers).

**5.8 Proposition.** Let  $\Lambda$  be a finite set of points.

- (ia)  $\forall x.\Lambda x \vdash \exists x.A \leftrightarrow \bigvee_{\lambda \in \Lambda} (E\lambda \land A[\lambda/x]).$
- (ib)  $\forall x.\Lambda x \vdash \forall x.A \leftrightarrow \bigwedge_{\lambda \in \Lambda} (E\lambda \to A[\lambda/x]).$
- (iia)  $\forall x.\Lambda x \vdash \exists P.A \leftrightarrow \bigvee_{M \subseteq \Lambda} A[M/P].$
- $(iib) \ \forall x. \Lambda x \vdash \forall P. A \leftrightarrow \bigwedge_{M \subseteq \Lambda}^{M \subseteq \Lambda} A[M/P].$

Proof.

(ia) Clearly

As  $\forall x. \Lambda x \vdash \bigvee_{\lambda \in \Lambda} x = \lambda$ ,

$$\exists x.A, \forall x.\Lambda x \vdash (Ex \land A) \land \bigvee_{\lambda \in \Lambda} x = \lambda.$$

Hence

$$\exists x.A, \forall x.\Lambda x \vdash \bigvee_{\lambda \in \Lambda} (Ex \land A \land x = \lambda).$$

Now, using (eq),

$$\exists x.A, \forall x.\Lambda x \vdash \bigvee_{\lambda \in \Lambda} (E\lambda \wedge A[\lambda/x]).$$

Thus

$$\forall x.\Lambda x \vdash \exists x.A \to \bigvee_{\lambda \in \Lambda} (E\lambda \wedge A[\lambda/x]). \tag{2}$$

Combining (1) and (2) we obtain (ia).

(ib) The proof is similar to that of (ia), but using  $\forall$  in place of  $\exists$  rules.

(iia) Let P = Q abbreviate  $\forall x.Px \leftrightarrow Qx$ , where P and Q are second-order variables or terms. By structural induction on A the following substitution property for second-order terms:

$$\vdash P = Q \land A[P/R] \rightarrow A[Q/R].$$

For any finite set  $\Lambda$ , we know

$$\vdash \bigwedge_{\lambda \in \Lambda} (P\lambda \land \neg P\lambda).$$

By the distribution of  $\bigwedge$  over  $\vee$  (a metaresult about the proof system),

$$\vdash \bigvee_{M\subseteq \Lambda} ([\bigwedge_{\lambda\in M} P\lambda] \wedge [\bigwedge_{\lambda\in \Lambda\setminus M} \neg P\lambda]),$$

or better,

$$\vdash \bigvee_{M \subset \Lambda} \bigwedge \bigwedge_{\lambda \in \Lambda} (P\lambda \leftrightarrow M\lambda).$$

Hence by part (i),

$$\forall x.\Lambda x \vdash \bigvee_{M \subset \Lambda} P = M.$$

Now (iia) and (iib) follow by proofs on the same lines as in part (i).

It now follows that for a circuit term c and possibly second-order assertion A that

$$c \vdash A \leftrightarrow B$$

where B is purely first-order. The second-order quantifiers may be useful but they are not essential, and can be provably eliminated. Indeed, this is also true for the first order quantifiers, but having already a complete proof system for the underlying first-order free logic there is no need to eliminate them in our earlier work on restriction. However at present obtaining a complete system of proof rules for composition seems to require a stronger elimination for product assertions.

**5.9 Corollary.** Let  $\Lambda$  be a finite set of points. Let A be an assertion. There is a propositional assertion p such that

$$\forall x.\Lambda x \vdash A \leftrightarrow p.$$

Let c be a circuit term, and A an assertion. There is a propositional assertion p such that

$$c \vdash A \leftrightarrow p$$

Proof. By theorem 5.4 we can eliminate preconditions. Then the first part is proved by successively applying the results above. The second part, for circuits, follows by 5.7(i) because entailment is transitive.

It follows from corollary 5.9 that product assertions of interest can be reduced to provably equivalent propositional assertions, in the context of reasoning about circuits. Just as before we can eliminate first-order quantifiers, and second-order quantifiers can be eliminated at least for the product assertions of concern, those of the form  ${}^{\bullet}A$ .

**5.10 Proposition.** Let  $\Lambda$  be a finite set of points.

For product assertions C,

- (a)  $\forall x.\Lambda x \vdash \exists x.C \leftrightarrow \bigvee_{\lambda \in \Lambda} (E\lambda \land C[\lambda/x]).$
- (b)  $\forall x.\Lambda x \vdash \forall x.C \leftrightarrow \bigwedge_{\lambda \in \Lambda} (E\lambda \to C[\lambda/x]).$

For an assertion A,

 $\forall x. \Lambda x \vdash {}^{\bullet}A \leftrightarrow p \text{ where } p \text{ is a propositional product assertion }.$ 

Proof.

Parts (a) and (b) follow as earlier.

Arguing in the same way as we did for restriction preconditions, we can derive the rule

$$\frac{\Gamma \vdash A}{\bullet \Gamma \vdash \bullet A},$$

from which we observe it follows that if  $\Gamma \vdash A \leftrightarrow B$  then  ${}^{\bullet}\Gamma \vdash {}^{\bullet}A \leftrightarrow {}^{\bullet}B$ . By corollary 5.9,  $\forall x.\Lambda x \vdash A \leftrightarrow r$  where r is a propositional assertion. By the observation, we see

$$^{\bullet}\forall x.\Lambda x\vdash ^{\bullet}A\leftrightarrow ^{\bullet}r.$$

From the distribution rules for •(),

$$D, {}^{\bullet} \forall x. \Lambda x \vdash {}^{\bullet} A \leftrightarrow q,$$

where q is propositional. Hence

$$\forall x.\Lambda x \vdash {}^{\bullet}A \leftrightarrow (D \rightarrow q),$$

and now by (a) we can eliminate all the quantifiers in D to obtain the required propositional product assertion p.

**5.11 Corollary.** Let  $c_0$  and  $c_1$  be circuit terms. Let A be a second order assertion. Then there is a propositional product assertion p such that

$$c_0 \times c_1 \vdash {}^{\bullet}A \leftrightarrow p.$$

Proof. By the transitivity of entailment using 5.7(ii). ■

Product assertions which are propositional can be put into a useful normal form. The purpose of the distribution rules for product (L.8) is to enable this to be done formally in the proof system.

**5.12 Proposition.** Let A be a product assertion which is propositional. Then

$$\vdash A \leftrightarrow \bigvee_{i \in I} B_i \times C_i$$

where I is a finite set, indexing assertions  $B_i$  and  $C_i$ .

Proof.

Firstly the logic is classical so  $\vdash (A \to B) \leftrightarrow (\neg A \lor B)$  and so we can eliminate occurrences of  $\to$  in favour of  $\neg$  and  $\lor$ . Thus without loss of generality we can assume that A is built up solely using  $\land, \lor, \lnot$ . The proposition now follows by structural induction on A using basic distributivity properties of the logical connectives. For example, to deal with the hardest case of the induction, we show if we assume the proposition holds for assertion D then it holds for assertion  $\neg D$ .

Suppose  $\vdash D \leftrightarrow \bigvee_{i \in I} B_i \times C_i$ . Then

$$\vdash \neg D \leftrightarrow M_{i \in I} \neg [B_i \times C_i],$$

and so

$$\vdash \neg D \leftrightarrow \bigwedge_{i \in I} ([\neg B_i \times \mathsf{tt}] \vee [\mathsf{tt} \times \neg C_i]).$$

But then  $\vdash \neg D \leftrightarrow \bigvee W$  where W is the set of product assertions

$$\{ [\bigwedge_{i \in I} B_i^* \times \bigwedge_{i \in I} C_i^*] |$$

$$(B_i^* \equiv \neg B_i \& C_i^* \equiv \mathsf{tt}) \text{ or } (B_i^* \equiv \mathsf{tt} \& C_i^* \equiv \neg C_i), \text{ all } i \in I \},$$

making D provably equivalent to an assertion of the right form.

Now the problem of proving  $c_0 \cdot c_1 \models A$  has reduced to proving  $c_0 \times c_1 \models \bigvee_{i \in I} B_i \times C_i$ . To achieve compositionality we would like to reduce this further, to proving assertions hold of  $c_0$  and  $c_1$ . We need to show:

**5.13 Lemma.** Let  $c_0$  and  $c_1$  be circuit terms such that

$$c_0 \times c_1 \models \bigvee_{i \in I} B_i \times C_i$$

for indexed assertions  $B_i, C_i$ . Then there are assertions  $A_0$  and  $A_1$  for which

$$c_0 \models A_0 \& c_1 \models A_1 \& A_0 \times A_1 \vdash \bigvee_{i \in I} B_i \times C_i.$$

**Proof.** It is simpler to argue that  $A_0$  and  $A_1$  exist in a nonconstructive way which shows there exists a proof, so  $A_0 \times A_1 \vdash \bigvee_{i \in I} B_i \times C_i$ , without giving it explicitly. Of course, this is all that is needed to show completeness. We know  $c_0 \times c_1 \models \bigvee_{i \in I} B_i \times C_i$ . Hence there is a function  $i \mid , \mid$  so that for any  $\sigma \models c_0$  and  $\rho \models c_1$  there is  $i \mid \sigma, \rho \mid \in I$  such that

$$\sigma \models B_{i[\sigma,\rho]} \& \rho \models C_{i[\sigma,\rho]}.$$

(Note this does not determine i[ , ] uniquely). Now

$$\sigma \models \bigwedge_{\rho \models c_1} B_{i[\sigma,\rho]} \& \rho \models \bigwedge_{\sigma \models c_0} C_{i[\sigma,\rho]}$$

for any  $\sigma \models c_0$  and  $\rho \models c_1$ . We use  $e.g. \bigwedge_{\rho \models c_1} B_{i[\sigma,\rho]}$  to mean the finite conjunction

$$\bigwedge \{B_{i[\sigma,\rho]} \mid \rho \models c_1\}.$$

Clearly

$$igwedge_{
ho\models c_1} B_{i[\sigma,
ho]} dash B_{i[\sigma,
ho]} \ ext{ for } \sigma \models c_0 ext{ and } 
ho \models c_1, ext{ and } \ igwedge_{\sigma\models c_0} C_{i[\sigma,
ho]} dash C_{i[\sigma,
ho]} \ ext{ for } \sigma \models c_0 ext{ and } 
ho \models c_1,$$

as e.g. the conjunction  $\bigwedge_{\rho \models c_1} B_{i[\sigma,\rho]}$  contains  $B_{i[\sigma,\rho]}$  as a conjunct. Thus

$$\bigwedge\!\!\!\bigwedge_{\rho \models c_1} B_{i[\sigma,\rho]} \times \bigwedge\!\!\!\bigwedge_{\sigma \models c_0} C_{i[\sigma,\rho]} \vdash B_{i[\sigma,\rho]} \times C_{i[\sigma,\rho]}$$

for any  $\sigma \models c_0$  and  $\rho \models c_1$ . Write

$$A_0 \equiv \bigvee_{\sigma \models c_0} \bigwedge_{\rho \models c_1} B_{i[\sigma, \rho]} \quad ext{and} \quad A_1 \equiv \bigvee_{\rho \models c_1} \bigwedge_{\sigma \models c_0} C_{i[\sigma, \rho]}.$$

By  $(\times \vee)$ ,

$$A_0 \times A_1 \vdash \bigvee_{(\sigma,\rho) \models c_0 \times c_1} [\bigwedge_{\rho \models c_1} B_{i[\sigma,\rho]} \times \bigwedge_{\sigma \models c_0} C_{i[\sigma,\rho]}].$$

Also, obviously,

Therefore 
$$A_0 \times A_1 \vdash \bigvee_{i \in I} B_i \times C_i$$
. Clearly  $c_0 \models A_0$  and  $c_1 \models A_1$ .

Now we can tidy up all the loose ends and prove soundness and completeness.

**5.14 Theorem.** The proof system is sound i.e.

$$\Gamma \vdash A \Rightarrow \Gamma \models A$$

for a finite set  $\Gamma$  of circuit-assertions and circuit-assertion A. It is complete in the restricted sense that

$$c \models A \Rightarrow c \vdash A$$

for a circuit term c and assertion A.

*Proof.* We omit the proof of soundness which is routine if tedious. The proof of completeness follows by structural induction on c.

Suppose the case where c is an atomic circuit term, so suppose for example  $c \equiv ntran(\alpha, \beta, \gamma)$ . The rule  $(ntran \ E)$  has the form  $ntran(\alpha, \beta, \gamma) \vdash NT$ , where NT is a first order assertion describing the behaviour of  $ntran(\alpha, \beta, \gamma)$ . In fact  $[ntran(\alpha, \beta, \gamma)] = [NT]$ . Suppose  $ntran(\alpha, \beta, \gamma) \models A$  for an assertion A. Then, as we have shown,  $ntran(\alpha, \beta, \gamma) \vdash A \leftrightarrow B$  where B is a first-order assertion. Thus  $NT \models B$ , so by the completeness theorem 5.1,  $NT \vdash B$ . Hence  $ntran(\alpha, \beta, \gamma) \vdash A$ . The other atomic cases are similar.

In the case of restriction suppose  $c \lceil \Lambda \mid = A$  and inductively assume that  $c \models B$  iff  $c \vdash B$  for any assertion B. Then  $c \models {}^{\Lambda}A$ . By the metatheorem 5.4, we can eliminate all preconditions to obtain

$$\vdash {}^{\Lambda}A \leftrightarrow B$$

for some assertion B. But  $c \models B$  and by the inductive assumption  $c \vdash B$ . This gives  $c \vdash {}^{\Lambda}A$  so  $c \upharpoonright \Lambda \vdash A$ , as required in this case.

In the case of composition, suppose  $c_0 \bullet c_1 \models A$  and inductively assume  $c_0 \models A_0$  iff  $c_0 \vdash A_0$  and  $c_1 \models A_1$  iff  $c_1 \vdash A_1$  for any assertions  $A_0$  and  $A_1$ . Then  $c_0 \times c_1 \models {}^{\bullet}A$ . Our earlier results show that

$$c_0 \times c_1 \vdash {}^{\bullet}A \leftrightarrow \bigvee_{i \in I} B_i \times C_i$$

and, the above lemma, that in such a case there are  $A_0$  and  $A_1$  with

$$c_0 \models A_0 \& c_1 \models A_1 \& A_0 \times A_1 \vdash \bigvee_{i \in I} B_i \times C_i$$

precisely what is needed to conclude  $c_0 \times c_1 \vdash {}^{\bullet}A$  and hence  $c_0 \bullet c_1 \vdash A$ .

### 6. Conclusion.

We have presented a compositional model for the behaviour of MOS circuits in a static environment. Certainly such a model is necessary for a satisfactory treatment of dynamically changing circuits. Their behaviour can often be viewed as going through a sequence of static configurations as data changes in synchrony with one or several clocks. The data and the clock pulses are held long enough for the circuit to settle into a static configuration. It seems natural therefore to represent a possible history for such a circuit as a sequence of static configurations. Copying the approach in [Gor2,3] we could try to extend our work to the dynamic case by simply including a time parameter  $t \in \omega$ , and associating devices with assertions expressing time dependencies between static configurations at different times. For example, then we could express facts like a capacitance would contribute a charge at time t+1 if it was precharged at time t. Although it is not hard to push through this programme, it is disappointing that there are difficulties in making the model accurate. A main problem it seems is that shortterm capacitance effects influence the physical behaviour but are not captured easily in any extension of our model. The strength orders we use assume that the environment is stable long enough for sources of current to override charges stored by capacitance. This assumption breaks down in some stages needed to explain the behaviour of devices like the following register:



When enable is high, a strong signal at in overrides that already present, and its value is established, after two inversions, at out. When enable becomes low the value is preserved at out (the input value is stored). Speaking loosely, the latter stage relies on capacitance to maintain the value at in until the feedback loop takes over. This occurs over a very short time when the assumptions behind the strength order are violated. I cannot, at present, see how to extend the model to account for effects over such a short time. Through failing to cope adequately with such short—term effects, the models I have developed allow more possibilities than are physically possible. By the way, the work of Bryant does not address this problem; a simulator need only generate one possible course of behaviour and Bryant does this by making a unit—delay assumption. (In his simulators all transistors switch with the same delay after their gates change.)

It is unfortunate that the logic is so complicated even for static circuits. This may be in the nature of things. If so it makes even more pressing the task of relating models of the kind here to the models and logic like [Gor2,3] which are relatively simple to work with. There must be "correspondence principles" which express how and when one model reduces to another. In general relations between models may be quite complex. A physical model implements a discrete model only provided certain conditions are met.

So far there have been several successful attempts at relating the physical and the logical levels for specific pieces of hardware, e.g. [GH, HD], and carrying through the thesis proposal [Me] should lay bare some of the key issues.

## Acknowledgements

I am grateful to many people for help at various times. I owe a debt to the thesis work of Luca Cardelli [Car]; there Luca attempted to give a semantics to circuits on roughly similar lines to section 4 though his model was not sufficiently detailed to support a satisfactory treatment of hiding. His approach and mine were guided by work on CCS and CSP. Mike Gordon's course on hardware verification exposed the problems which led to this work. I would like to thank him and members of the hardware verification group here for help and encouragement on many occasions in an area where I'm still finding my feet. Special thanks are due to Inder Dhingra, Edmund Ronald and Edmund Robinson, all of whom contributed ideas. The work [A] of Samson Abramsky provided a vital hint on how to make the proof system, and the work in [S] and [P] gave useful leads. Many thanks to Mogens Nielsen for his patient reading of this and his constructive criticism. Thanks too to Randy Bryant for encouragement.

Appendix. The logic of static circuits.

## L.1 The assertion language for circuits.

Assume a particular strength order S (with typical members  $s, s', \cdots$ ), a countably infinite set of point names  $\Pi$  (with typical members  $\alpha, \beta, \gamma, \cdots$ ) and Var a set of variables, ranging over points (with typical members  $x, y, z, \cdots$ ) and Pvar a set of second order variables ranging over sets (or properties) of points (with typical members  $P, Q, R, \cdots$ ).

Define a strength expression, by induction, to have the form

$$s \mid S\pi \mid e_0 \cdot e_1 \mid e_0 + e_1$$

where  $s \in \mathbf{S}$ ,  $\pi \in \Pi \cup \text{Var}$  and  $e_0, e_1$  are strength expressions.

Define a point relation to have the form

$$H\pi \mid L\pi \mid h\pi \mid l\pi \mid \pi_0 = \pi_1 \mid \pi_0 \Rightarrow \pi_1 \mid E\pi$$

where  $\pi, \pi_0, \pi_1 \in \Pi \cup \text{Var}$ .

Define a strength relation to have the form

$$Ee \mid e_0 \leq e_1 \mid e_0 = e_1$$

where e,  $e_0$  and  $e_1$  are strength expressions.

Define a circuit-assertion, by induction, to have the form

$$\begin{array}{l} \textit{circ} \mid \textit{srel} \mid \textit{prel} \mid \\ \texttt{tt} \mid \texttt{ff} \mid A \wedge B \mid A \vee B \mid A \rightarrow B \mid \exists x.A \mid \forall x.A \mid \\ \{x:A\}\pi \mid P\pi \mid \exists P.A \mid \forall P.A \mid \\ & \land_A \end{array}$$

where *srel* is a strength relation, *prel* is a point relation, *circ* is a circuit term, and  $\Lambda$  is a finite subset of ports with  $x \in \text{Var}$  and  $P \in \text{Pvar}$ .

#### L.2 Notation.

We shall take the treatment of free and bound variables, and open and closed strength expressions and assertions as understood. Write FV(A) for the set of free variables (first and second order) of an assertion A. We write  $A[\pi/x]$  for the result of substituting  $\pi$  for all free occurrences of the variable x in A, and similarly A[T/P] for the result of substituting a term denoting a property for the second order variable P—we assume changes are made in the naming of bound variables to avoid the binding of free variables in the substituted terms.

Take  $\neg A$  to abbreviate the assertion  $A \to ff$ , for an assertion A. Take  $A \leftrightarrow B$  to abbreviate  $A \to B \land B \to A$ .

Let  $\Gamma = \{A_0, \dots, A_n\}$  be a finite set of assertions. We use  $\bigwedge \Gamma$  to abbreviate their conjunction  $A_0 \wedge \dots \wedge A_n$  and  $\bigvee \Gamma$  to abbreviate their disjunction  $A_0 \vee \dots \vee A_n$ . We identify  $\bigwedge \emptyset$  with tt and  $\bigvee \emptyset$  with ff.

We use  $\forall x : Q$ . A to abbreviate  $\forall x. \ Qx \to A$  and  $\exists x : Q$ . A to abbreviate  $\exists x. \ Qx \land A$ . If  $\Lambda$  is a finite set we use  $\Lambda$  in the logic to abbreviate the term  $\{x : \bigvee_{\lambda \in \Lambda} x = \lambda\}$ .

### L.3 Semantics of the assertion language

We take the set of points to be  $\Pi$ , and static configurations to have sorts a subset of these. A point name  $\alpha$  is thus associated with a corresponding point.

## Semantics of strength expressions

Define  $[\![\,]\!]$  from closed strength expressions to subsets of pairs of static configurations and strengths by the following induction, with the understanding that static configurations  $\sigma$  have the form  $\sigma = \langle S, V, I, \rightsquigarrow \rangle$ .

$$\begin{aligned}
&[\![s]\!] = \{(\sigma, s) \mid \sigma \in \text{Sta}\} \\
&[\![s\alpha]\!] = \{(\sigma, s) \mid \alpha \in \text{sort}(\sigma) \& S\alpha = s\} \\
&[\![e_0 \cdot e_1]\!] = \{(\sigma, s_0 \cdot s_1) \mid (\sigma, s_0) \in [\![e_0]\!] \& (\sigma, s_1) \in [\![e_1]\!]\} \\
&[\![e_0 + e_1]\!] = \{(\sigma, s_0 + s_1) \mid (\sigma, s_0) \in [\![e_0]\!] \& (\sigma, s_1) \in [\![e_1]\!]\}
\end{aligned}$$

## Semantics of circuit assertions

We firstly define the semantics of point relations, with the understanding that static configurations  $\sigma$  have the form  $\sigma = \langle S, V, I, \rightsquigarrow \rangle$ . Define [ ] from closed point relations to the subsets of static configurations which satisfy them by

$$\begin{split} \llbracket H\alpha \rrbracket &= \{\sigma \mid \alpha \in \operatorname{sort}(\sigma) \And H \leq V\alpha \} \\ \llbracket L\alpha \rrbracket &= \{\sigma \mid \alpha \in \operatorname{sort}(\sigma) \And L \leq V\alpha \} \\ \llbracket h\alpha \rrbracket &= \{\sigma \mid \alpha \in \operatorname{sort}(\sigma) \And H \leq I\alpha \} \\ \llbracket l\alpha \rrbracket &= \{\sigma \mid \alpha \in \operatorname{sort}(\sigma) \And L \leq I\alpha \} \\ \llbracket \alpha = \beta \rrbracket &= \{\sigma \mid \alpha = \beta \in \operatorname{sort}(\sigma) \} \\ \llbracket \alpha \leadsto \beta \rrbracket &= \{\sigma \mid \alpha, \beta \in \operatorname{sort}(\sigma) \And \alpha \leadsto \beta \} \\ \llbracket E\alpha \rrbracket &= \{\sigma \mid \alpha \in \operatorname{sort}(\sigma) \}. \end{aligned}$$

Now we define the semantics of strength relations:

Now we have defined the semantics of point and strength relations, we extend the semantics to all closed assertions by the following induction on the length of assertions:

$$\begin{split} \llbracket \mathbf{t} \rrbracket &= \mathsf{Sta} \\ \llbracket \mathbf{f} \rrbracket &= \emptyset \\ \llbracket A \wedge B \rrbracket &= \llbracket A \rrbracket \cap \llbracket B \rrbracket \\ \llbracket A \vee B \rrbracket &= \llbracket A \rrbracket \cup \llbracket B \rrbracket \\ \llbracket A \to B \rrbracket &= \{\mathsf{Sta} \setminus \llbracket A \rrbracket \} \cup \llbracket B \rrbracket \\ \llbracket A \to B \rrbracket &= \{\mathsf{Sta} \setminus \llbracket A \rrbracket \} \cup \llbracket B \rrbracket \\ \llbracket \exists x.A \rrbracket &= \{\sigma \mid \exists \alpha \in \mathsf{sort}(\sigma). \ \sigma \in \llbracket A[\alpha/x] \rrbracket \} \\ \llbracket \forall x.A \rrbracket &= \{\sigma \mid \forall \alpha \in \mathsf{sort}(\sigma). \ \sigma \in \llbracket A[\alpha/x] \rrbracket \} \\ \llbracket \{x : A \} \alpha \rrbracket &= \llbracket E \alpha \ \& \ A[\alpha/x] \rrbracket \\ \llbracket \exists P.A \rrbracket &= \{\sigma \mid \exists \Lambda \subseteq \mathsf{sort}(\sigma). \ \sigma \in \llbracket A[\Lambda/P] \rrbracket \} \\ \llbracket \forall P.A \rrbracket &= \{\sigma \mid \forall \Lambda \subseteq \mathsf{sort}(\sigma). \ \sigma \in \llbracket A[\Lambda/P] \rrbracket \}, \\ \llbracket ^{\Lambda} A \rrbracket &= \{\sigma \mid \sigma \cap \Lambda \downarrow \Rightarrow \sigma \cap \Lambda \in \llbracket A \rrbracket \}. \end{aligned}$$

We have already seen how to define the denotations of circuit terms in section 4.

## L.4 Satisfaction, validity and entailment

For a closed circuit assertion A we write

$$\sigma \models A \text{ iff } \sigma \in \llbracket A \rrbracket,$$

and say  $\sigma$  satisfies A.

Let A be an assertion with free variables  $x_0, \ldots, P_0, \ldots$  Define

$$\models A \quad \text{iff} \quad \sigma \models A[\alpha_0/x_0,\ldots,\Lambda_0/P_0,\ldots] \text{ for all } \sigma \in \operatorname{Sta}$$

for any substitution with  $\alpha_0, \ldots \in \Pi$  and  $\Lambda_0, \ldots \subseteq \Pi$ . When  $\models A$  we say A is valid.

More generally, letting  $\Gamma$  be a set of assertions and A an assertion, define  $\Gamma \models A$  iff for every substitution  $\vartheta$  of the free variables in  $\Gamma$  and A every static configuration which satisfies each assertion  $B[\vartheta]$ , for B in  $\Gamma$ , also satisfies  $A[\vartheta]$ .

## L.5 Proof rules for circuit assertions

The proof rules follow a natural deduction style [Pr], with extra axioms special to static configurations and circuits.

Structural rules

Propositional logic

First-order rules

$$(\operatorname{sub}) \quad \frac{\Gamma \vdash A}{\Gamma \vdash A[\pi/x]} \quad (x \notin \operatorname{FV}(\Gamma))$$

$$(\forall \operatorname{I}) \quad \frac{\Gamma \vdash Ex \to A}{\Gamma \vdash \forall x. \ A} \quad (x \notin \operatorname{FV}(\Gamma)) \quad (\forall \operatorname{E}) \quad \frac{\Gamma \vdash \forall x. \ A}{\Gamma \vdash Et \to A[t/x]}$$

$$(\exists \operatorname{I}) \quad \frac{\Gamma \vdash Et \land A[t/x]}{\Gamma \vdash \exists x. \ A} \quad (\exists \operatorname{E}) \quad \frac{\Gamma \vdash \exists x. \ A \quad \Gamma, Ex \land A \vdash B}{\Gamma \vdash B} \quad (x \notin \operatorname{FV}(\Gamma, B))$$

Rules for second-order quantifiers and abstraction

$$(\operatorname{sub}^{2}) \qquad \frac{\Gamma \vdash A}{\Gamma \vdash A[T/P]} \ (P \notin \operatorname{FV}(\Gamma))$$

$$(\forall^{2}\operatorname{I}) \qquad \frac{\Gamma \vdash A}{\Gamma \vdash \forall P. A} \ (P \notin \operatorname{FV}(\Gamma)) \qquad (\forall^{2}\operatorname{E}) \qquad \frac{\Gamma \vdash \forall P. A}{\Gamma \vdash A[T/P]}$$

$$(\exists^{2}\operatorname{I}) \qquad \frac{\Gamma \vdash A[T/P]}{\Gamma \vdash \exists P. A} \qquad (\exists^{2}\operatorname{E}) \qquad \frac{\Gamma \vdash \exists P. A \quad \Gamma, A \vdash B}{\Gamma \vdash B} \ (P \notin \operatorname{FV}(\Gamma, B))$$

$$(\operatorname{ab} \ \operatorname{I}) \qquad \frac{\Gamma \vdash Ey \land A[y/x]}{\Gamma \vdash \{x : A\}y} \qquad (\operatorname{ab} \ \operatorname{E}) \qquad \frac{\Gamma \vdash \{x : A\}y}{\Gamma \vdash Ey \land A[y/x]}$$

$$(\operatorname{strict}) \qquad \Gamma \vdash Px \to Ex$$

**Remark.** A word on the second-order logic: The idea is that in a particular static configuration  $\sigma$ ,  $\{x:A\}$  denotes the set of points in  $\operatorname{sort}(\sigma)$  which satisfy A. So unlike first-order terms for points or strengths, set abstractions are always defined, and the second-order rules do not need to invoke an existence predicate. Although set abstractions only appear within assertions in the form  $\{x:A\}\pi$ , their use enable a simpler account of the rules for second-order quantifiers—e.g. try writing the  $(\exists^2 I)$  rule without!

## Proof rules for point relations

We assume that point names are in 1-1 correspondence with points, so we have the following basic axioms.

$$\vdash \alpha = \beta$$
 iff  $\models \alpha = \beta$  (i.e.  $\alpha$  and  $\beta$  are the same point name).  
 $\vdash \neg \alpha = \beta$  iff  $\models \neg \alpha = \beta$  (i.e.  $\alpha$  and  $\beta$  are different point names).

The following axioms are essentially a reformulation of the axioms for static configurations which we have seen earlier.

$$(\text{refl}) \qquad \vdash Ex \leftrightarrow x = x \\ \vdash x = y \land A[x/z] \rightarrow A[y/z]$$

$$(\text{str}) \qquad \vdash Hx \rightarrow Ex \\ \vdash Lx \rightarrow Ex \\ \vdash hx \rightarrow Ex \\ \vdash lx \rightarrow Ex \\ \vdash x \rightsquigarrow y \rightarrow Ex \land Ey$$

$$\vdash Ex \rightarrow x \rightsquigarrow x \\ \vdash x \rightsquigarrow y \land y \rightsquigarrow z \rightarrow x \rightsquigarrow z \\ \vdash x \rightsquigarrow y \land Sx = Sy \rightarrow y \rightsquigarrow x \\ \vdash x \rightsquigarrow y \land Sx = Sy \rightarrow y \rightsquigarrow x \\ \vdash x \rightsquigarrow y \land W_{k \in K} Sy = k \rightarrow Sx = Sy \\ \vdash Sx = 0 \leftrightarrow \neg Hx \land \neg Lx \\ \vdash hx \rightarrow Hx \land lx \rightarrow Lx \\ \vdash Hx \land x \rightsquigarrow y \rightarrow Hy \\ \vdash Lx \land x \rightsquigarrow y \rightarrow ly$$

 $\vdash Ex \leftrightarrow x = x$ 

# Proof rules for strength relations

$$\vdash Ee \leftrightarrow e = e$$
 $\vdash e = e' \rightarrow e' = e$ 

$$\begin{array}{l} \vdash e = e' \land e' = e'' \to e = e'' \\ \\ \vdash Ex \to \bigvee_{s \in S} Sx = s \\ \\ \vdash E(Sx) \to Ex \\ \\ \vdash E(e_0 \cdot e_1) \leftrightarrow Ee_0 \land Ee_1 \\ \\ \vdash E(e_0 + e_1) \leftrightarrow Ee_0 \land Ee_1 \\ \\ \vdash e_0 \leq e_1 \to Ee_0 \land Ee_1 \\ \\ \vdash e_0 = e'_0 \land e_1 = e'_1 \to e_0 \cdot e_1 = e'_0 \cdot e'_1 \\ \\ \vdash e_0 = e'_0 \land e_1 = e'_1 \to e_0 + e_1 = e'_0 + e'_1 \\ \\ \vdash e_0 = e'_0 \land e_1 = e'_1 \land e_0 \leq e_1 \to e'_0 \leq e'_1 \end{array}$$

# L.6 Rules for restriction preconditions

Let

$$G \equiv orall x. \ 
eg \Lambda x 
ightarrow [\operatorname{H} x 
ightarrow hx \lor (\exists y: \Lambda. \ \operatorname{H} y \land y 
ightarrow x)] \land [\operatorname{L} x 
ightarrow lx \lor (\exists y: \Lambda. \ \operatorname{L} y \land y 
ightarrow x)]$$

Introduction rules for  $\Lambda$ ():

$$\frac{\vdash A}{\vdash \Lambda \land A}$$
  $\neg G \vdash \Lambda \land A$ 

Distribution rules for  $^{\Lambda}($  ):

$$G \vdash^{\Lambda}(Sx = s) \leftrightarrow (Sx = s \land \Lambda x)$$

$$G \vdash^{\Lambda}(Hx) \leftrightarrow (Hx \land \Lambda x)$$

$$G \vdash^{\Lambda}(hx) \leftrightarrow (hx \land \Lambda x)$$

$$G \vdash^{\Lambda}(hx) \leftrightarrow (hx \land \Lambda x)$$

$$G \vdash^{\Lambda}(x \Rightarrow y) \leftrightarrow (x \Rightarrow y \land \Lambda x \land \Lambda y)$$

$$G \vdash^{\Lambda}(Ex) \leftrightarrow \Lambda x$$

$$G \vdash^{\Lambda}(Ex) \leftrightarrow \Lambda x$$

$$G \vdash^{\Lambda}(A \land B) \leftrightarrow (^{\Lambda}A \land ^{\Lambda}B)$$

$$G \vdash^{\Lambda}(A \land B) \leftrightarrow (^{\Lambda}A \land ^{\Lambda}B)$$

$$G \vdash^{\Lambda}(A \rightarrow B) \leftrightarrow (^{\Lambda}A \rightarrow ^{\Lambda}B)$$

$$G \vdash^{\Lambda}(\forall x.A) \leftrightarrow (\forall x: \Lambda \land ^{\Lambda}A)$$

$$G \vdash^{\Lambda}(\{x:A\}y) \leftrightarrow (\{x: ^{\Lambda}A\}y \land \Lambda y)$$

$$G \vdash^{\Lambda}(\forall P.A) \leftrightarrow \forall P. ^{\Lambda}A$$

$$G \vdash^{\Lambda}(\exists P.A) \leftrightarrow \exists P. ^{\Lambda}A$$

### L.7 Product circuit-assertions

Product circuit-assertions are defined inductively to have the form

$$A \times B \mid {}^{ullet}A \mid E\pi \mid \pi_0 = \pi_1$$
 $\operatorname{tt} \mid \operatorname{ff} \mid D_0 \wedge D_1 \mid D_0 \vee D_1 \mid D_0 \rightarrow D_1 \mid \exists x.D \mid \forall x.D \mid \{x:D\}\pi \mid \exists P.D \mid \forall P.D$ 

where A, B are circuit-assertions and  $D, D_0, D_1$  are product assertions.

# L.8 Semantics of product assertions:

$$\begin{split} & \llbracket A \times B \rrbracket = \llbracket A \rrbracket \times \llbracket B \rrbracket \\ & \llbracket \ ^{\bullet}A \rrbracket = \{ (\sigma,\rho) \mid \sigma \bullet \rho \downarrow \Rightarrow \sigma \bullet \rho \in \llbracket A \rrbracket \} \\ & \llbracket E\alpha \rrbracket = \{ (\sigma,\rho) \mid \alpha \in \operatorname{sort}(\sigma) \cup \operatorname{sort}(\rho) \} \\ & \llbracket \alpha = \beta \rrbracket = \{ (\sigma,\rho) \mid \alpha = \beta \in \operatorname{sort}(\sigma) \cup \operatorname{sort}(\rho) \} \\ & \llbracket \{x:D\}\alpha \rrbracket = \llbracket E\alpha \wedge D[\alpha/x] \rrbracket \\ & \llbracket \exists P.D \rrbracket = \{ (\sigma,\rho) \mid \exists \Lambda \subseteq \operatorname{sort}(\sigma) \cup \operatorname{sort}(\rho). \ (\sigma,\rho) \in \llbracket D[\Lambda/P] \rrbracket \} \\ & \llbracket \forall P.D \rrbracket = \{ (\sigma,\rho) \mid \forall \Lambda \subseteq \operatorname{sort}(\sigma) \cup \rho. \ (\sigma,\rho) \in \llbracket D[\Lambda/P] \rrbracket \} \end{aligned}$$

The semantics for the remaining clauses follow those for circuit assertions. The proof rules for product assertions include those for for second order logic, with the understanding that terms T substituted in the second order quantifier rules are first-order set abstractions, *i.e.* of the form  $\{x:A\}$  with A first-order. We include, in addition, the following.

Proof rules for product assertions:

$$(\times \vdash) \qquad \frac{A \vdash A' \quad B \vdash B'}{A \times B \vdash A' \times B'}$$

$$(\times E) \qquad \vdash Ex \leftrightarrow ([Ex \times tt] \lor [tt \times Ex])$$

$$(\times =) \qquad \vdash x = y \leftrightarrow ([x = y \times tt] \lor [tt \times x = y])$$

$$(eq) \qquad \vdash x = y \land C[x/z] \rightarrow C[y/z]$$

$$(\times tt) \qquad \vdash tt \leftrightarrow [tt \times tt]$$

$$(\times ff) \qquad \vdash ff \leftrightarrow ([ff \times tt] \lor [tt \times ff])$$

$$(\times \land) \qquad \vdash ([A \times B] \land [A' \times B']) \leftrightarrow ([A \land A'] \times [B \land B'])$$

$$(\times \lor) \qquad \vdash [(A \lor A') \times B] \leftrightarrow ([A \times B] \lor [A' \times B])$$

$$\vdash [A \times (B \lor B')] \leftrightarrow ([A \times B] \lor [A \times B'])$$

$$(\times \lnot) \qquad \vdash \lnot [A \times B] \leftrightarrow ([\lnot A \times tt] \lor [tt \times \lnot B])$$

# L.9. Rules for composition precondition

Let

$$egin{aligned} D \equiv orall x. & ([Ex imes \mathbf{t}] \wedge [\mathbf{tt} imes Ex]) 
ightarrow \ & ([Hx imes \mathbf{tt}] \leftrightarrow [\mathbf{tt} imes Hx] \wedge \ & [Lx imes \mathbf{tt}] \leftrightarrow [\mathbf{tt} imes Lx] \wedge \ & \bigvee_{s \in S} [Sx = s imes Sx = s]) \end{aligned}$$

Introduction rules for •():

$$\begin{array}{c}
\vdash A \\
\vdash \bullet A
\end{array}$$

$$\neg D \vdash \bullet A$$

Distribution rules for ():

 $(d \cdot \exists^2) D \vdash (\exists P.A) \leftrightarrow \exists P. A$ 

## L.10. Elimination rules for circuit terms

$$\frac{c \vdash {}^{\Lambda}A}{c \lceil \Lambda \vdash A}$$

$$\frac{c_0 \times c_1 \vdash {}^{\bullet}A}{c_0 \bullet c_1 \vdash A}$$

The elimination rules for the basic components obtained directly from their semantics in 4.2, with equations such as  $I\alpha = H$  being understood as abbreviating assertions in the logic, in this case  $hx \wedge \neg lx$ . For example, the elimination rule for a resistance  $res_g(\alpha, \beta)$  takes the form:

$$egin{aligned} \mathit{res}_g(lpha,eta) & dash Elpha \wedge Eeta \wedge (orall x.\ x = lpha ee x = eta) \wedge \ & orall x.\ (
eg hx \wedge 
eg lx) \wedge \ & Slpha \cdot g \leq Seta \wedge Seta \cdot g \leq Slpha \wedge \ & (Slpha \cdot g = Seta \leftrightarrow lpha 
ightarrow lpha) \wedge (Seta \cdot g = Slpha \leftrightarrow eta 
ightarrow lpha) \} \end{aligned}$$

#### References

- [A] Abramsky, S., An intuitionistic logic of computable functions. Copy of slides 1984.
- [B1] Bryant, R.E., A switch-level model of MOS circuits. In VLSI '81, Ed. J. Gray, Academic Press 1981.
- [B] Bryant, R.E., A switch-level model and simulator for MOS digital systems. IEEE Transactions on Computers C-33 (2) pp. 160-177, February 1984.
- [C] Cardelli, L., An algebraic approach to hardware description and verification. Ph.D. thesis, Comp.Sc.Dept., University of Edinburgh (1982).
- [CGM] Camilleri, A., Gordon, M., and Melham, T., Hardware verification using higher order logic. To appear in the proceedings of the IFIP International working conference, Grenoble, France, September 1986. Also available as a report 91 of the Computer Laboratory, University of Cambridge (1986).
- [D] Dijkstra, E.W., A discipline of programming. Prentice-Hall (1976).
- [F] Fourman, M.P., Verification using higher-order specifications and transformations. Department of Electrical Engineering, Brunel University (1986).
- [FS] Fourman, M.P., and Scott, D.S., Sheaves and logic. In proc. of Durham conference on Applications of Sheaves 1977, Lecture notes in Math., Springer-Verlag 1979.
- [Gor1] Gordon, M.J.C., LCF-LSM. Report no. 41 of the Computer Laboratory, University of Cambridge (1983).
- [Gor2] Gordon, M.J.C., How to specify and verify hardware using higher order logic. Lecture notes, Computer Laboratory, University of Cambridge (1984).
- [Gor3] Gordon, M.J.C., Why higher order logic is a good formalism for specifying and verifying hardware. Report no.77 of the Computer Laboratory, Cambridge University 1985.
- [GH] Gordon, M.J.C., and Herbert, J., A formal methodology and its approach to a network interface chip. Report no.84 of the Computer Laboratory, Cambridge University 1985.
- [Gra] Grayson, R., Heyting-valued semantics. Proc. logic colloquium '82, North-Holland (1984).
- [Ha] Harel, D., First-order dynamic logic. Springer Verlag Lecture Notes in Comp.Sc., vol. 68 (1979).
- [HD] Hanna, F.K., and Daeche, N., Specification and verification using higher-order logic. Proc. IFIP WG 10.2, 7th. international conference on computer hardware

description languages and their applications, Tokyo, Japan 1985, Koomen & Moto-oka (eds.), North-Holland (1985)

[Hay] Hayes, J., A unified switching theory with applications to VLSI design. Proc. IEEE 70 (10) pp. 1140-1155 Oct. 1982.

[KB] Bergstra, J.A., and Klop, J.W., A proof rule for restoring logic circuits. Integration 1 pp.161-178 (1983).

[MC] Mead, C., and Conway, L., Introduction to VLSI systems. Addison-Wesley (1980).

[MD] Mavor, J., and Denyer, P.B., Introduction to MOS design. Addison Wesley 1983.

[Me] Melham, T., Abstraction in hardware verification. Progress report and thesis proposal, Computer Laboratory, University of Cambridge (1985).

[Mi] Milne, G., CIRCAL, TOPLAS April 1985.

[Mos] Moszkowski, B., Executing temporal logic programs. Report no.71 of the Computer Laboratory, Cambridge University 1985.

[OH] Olderog, E., and Hoare, C.A.R., Specification-oriented semantics for communicating processes. ICALP 83, Springer Lecture Notes in Comp. Sc. vol. 154 (1983).

[P] Plotkin, G.D., Types and partial functions. Lecture notes, Computer Science Dept., University of Edinburgh 1985.

[Pr] Prawitz, D., Natural deduction. Almqvist and Wiksell 1985.

[deR] de Roever, W.P., The quest for compositionality. In the proceedings of the IFIP working conference, January 1985, North-Holland (1985).

[S] Scott, D.S., Identity and existence in intuitionistic logic. In proc. of Durham conference on Applications of Sheaves 1977, Lecture notes in Math., Springer-Verlag 1979.

[She] Sheeran, M.,  $\mu$ FP an algebraic VLSI description language. D.Phil. thesis, Oxford 1983.

[St] Stirling, C., Modal logics for communicating systems. Report CSR-193-85 of the Computer Science Dept., Univ. of Edinburgh (1985).

[W] Winskel, G., A complete proof system for SCCS with modal assertions. In the proceedings of Foundations of Software Technology, Springer lecture notes in Comp.Sc. (1985).