Ground Temporal Logic: A Logic for Hardware Verification

David Cyrluk (1)* and Paliath Narendran (2)**

(1) Dept. of Computer Science, Stanford University, Stanford CA 94305 and Computer Science Laboratory, SRI International, Menlo Park, CA 94025, cyrluk@cs.stanford.edu
(2) SUNY-ALBANY, Albany NY, dran@cs.albany.edu

Abstract. We present a new temporal logic, GTL, appropriate for specifying properties of hardware at the register transfer level. We argue that this logic represents an improvement over model checking for some natural hardware verification problems. We show that the validity problem for this logic is $\Pi^1_1$-complete. We then identify a fragment of the logic that is decidable. We show that in this fragment we are still able to encode many interesting problems, including the correctness of pipelined microprocessors.

1 Introduction

Temporal logic is a natural logic for hardware verification. Specifically, model checking for various propositional temporal logics has proven to be a very practical tool for the fully automatic verification of many hardware circuits and finite state protocols.

However, these approaches suffer from various drawbacks. One such drawback is the requirement that hardware implementations be carried out to the bit-level. This can lead to the state explosion problem, as the number of states can increase exponentially with the number of bits in the implementation. It also necessitates a bit-level description of ALUs and adders.

To deal with this problem, current research relies on tools such as BDDs to encode a large number of states into a small representation [2, 5, 4]. [7] makes use of abstractions to significantly reduce the state space that needs to be explored.

However, the correctness argument for many of these circuits does not depend on a bit-level description of the circuit but only on an RTL description of the circuit. In such cases the correct abstraction is to abstract away from the bit-level using uninterpreted function symbols.
Thus, perhaps, a first-order temporal logic might be more appropriate for this type of hardware verification. The main drawback with using a full first-order temporal logic is that the validity problem now becomes incomplete, thus making automatic verification impossible.

* This research was partially supported by SRI International, DARPA contract NAG2-703, and NSF grants CCR-8917606, CCR-8915663.
** Much of this research was done while a visiting scientist at SRI International.