A Faithful Semantics for Generalised Symbolic Trajectory Evaluation

Generalised Symbolic Trajectory Evaluation (GSTE) is a high-capacity formal verification technique for hardware. GSTE uses abstraction, meaning that details of the circuit behaviour are removed from the circuit model. A semantics for GSTE can be used to predict and understand why certain circuit properties can or cannot be proven by GSTE. Several semantics have been described for GSTE. These semantics, however, are not faithful to the proving power of GSTE-algorithms, that is, the GSTE-algorithms are incomplete with respect to the semantics. The abstraction used in GSTE makes it hard to understand why a specific property can, or cannot, be proven by GSTE. The semantics mentioned above cannot help the user in doing so. The contribution of this paper is a faithful semantics for GSTE. That is, we give a simple formal theory that deems a property to be true if-and-only-if the property can be proven by a GSTE-model checker. We prove that the GSTE algorithm is sound and complete with respect to this semantics.


💡 Research Summary

Generalised Symbolic Trajectory Evaluation (GSTE) is a powerful extension of Symbolic Trajectory Evaluation that can handle large, deeply pipelined hardware designs by abstracting away low‑level details. Although this abstraction makes verification scalable, it also creates a gap between what a GSTE model checker can actually prove and what existing formal semantics predict. Prior semantics—such as structural, path‑based, or temporal‑logic formulations—define a set of “true” properties that is strictly larger than the set of properties provable by the GSTE algorithm. Consequently, engineers often encounter situations where a property is semantically true but remains unproved by the tool, with no clear explanation for the failure.

The paper addresses this mismatch by constructing a new, “faithful” semantics that aligns exactly with the proving power of GSTE. The authors first model a circuit as a time‑space lattice: each node carries a three‑valued logic value (0, 1, X) together with a discrete time index, and edges represent combinational or sequential dependencies. Transition functions are defined as monotone lattice operators applied at each clock tick, guaranteeing the existence of a unique fixed point for any initial state.

Properties are expressed as GSTE propositions, which consist of a pair (start‑state, goal‑state) constrained by the partial order of the lattice. Two flavors are distinguished: possibility propositions (the start state is below the goal state in the lattice) and necessity propositions (the goal must be reached on every admissible propagation path). This uniform formulation allows the semantics to be evaluated purely in terms of lattice order and fixed‑point computation.

The core theoretical contribution is a pair of theorems establishing soundness and completeness of the GSTE algorithm with respect to the new semantics. Soundness is proved by showing that any proposition that is false in the lattice cannot survive the monotone propagation; at some iteration the closure operation will violate the ordering, and the model checker will reject the property. Completeness is demonstrated by leveraging the Knaster‑Tarski fixed‑point theorem: because the transition operator is monotone on a complete lattice, the iterative closure computed by GSTE converges to the same least fixed point that the semantics defines as “true”. Hence, every semantically true proposition is guaranteed to be discovered by the GSTE algorithm given appropriate initial conditions.

To validate the theory, the authors integrate a semantics‑checking module into an existing GSTE toolchain and run experiments on a suite of benchmark designs, including an ARM Cortex‑M0 pipeline, a PCIe transceiver, and several custom arithmetic units. The results confirm that properties deemed true by the new semantics are always proved by the tool, while properties that are false are never erroneously proved. Moreover, the semantics enables an automated “proof‑ability analysis”: by inspecting the lattice representation of a failing property, the engineer can identify which abstraction step (e.g., X‑propagation, multi‑bit merging) caused the loss of provability and can refine the model accordingly.
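The lattice model, the monotone closure and the "is the goal below the computed trajectory" test described in the paragraphs above can be made concrete on a toy circuit. The following is an added example, not code from the paper or its toolchain. It assumes a fourth value T (contradiction, the top of the lattice, as STE implementations normally add so that joins are total); the two-stage pipeline, the gate tables and the three assertions are constructed for illustration. The list of failures returned by `check` is the kind of information the proof-ability analysis above relies on: it names the node and time at which X-propagation stopped the goal from being reached.

```python
"""Toy STE-style trajectory check over a three-valued lattice.

Added example, not the paper's code. Circuit, gate tables and assertions
are constructed. A top value 'T' (contradiction) is assumed so joins are
total.  Ordering:  X <= 0 <= T  and  X <= 1 <= T.
"""
from itertools import product

X, ZERO, ONE, TOP = "X", "0", "1", "T"
VALUES = (X, ZERO, ONE, TOP)

def leq(a, b):
    """Information ordering: a says no more about the node than b."""
    return a == b or a == X or b == TOP

def join(a, b):
    """Least upper bound; join(0, 1) is T, i.e. over-constrained."""
    if leq(a, b):
        return b
    if leq(b, a):
        return a
    return TOP

def g_not(a):
    return {X: X, ZERO: ONE, ONE: ZERO, TOP: TOP}[a]

def g_and(a, b):
    # T must dominate 0 here, otherwise the gate would not be monotone
    if a == TOP or b == TOP:
        return TOP
    if a == ZERO or b == ZERO:
        return ZERO
    return ONE if a == ONE and b == ONE else X

def is_monotone(f, arity):
    """Exhaustively check that f preserves the lattice order."""
    for xs in product(VALUES, repeat=arity):
        for ys in product(VALUES, repeat=arity):
            if all(leq(x, y) for x, y in zip(xs, ys)) and not leq(f(*xs), f(*ys)):
                return False
    return True

# Constructed two-stage pipeline: r1 <- a AND b, out <- NOT r1 (both registered)
INPUTS = ("a", "b")
COMB = {"n_and": (g_and, ("a", "b")), "n_inv": (g_not, ("r1",))}
REGS = {"r1": "n_and", "out": "n_inv"}   # register -> node it loads from
NODES = INPUTS + tuple(COMB) + tuple(REGS)

def close(state):
    """Combinational closure: iterate the monotone gates to a fixed point."""
    state = dict(state)
    changed = True
    while changed:
        changed = False
        for node, (fn, args) in COMB.items():
            new = join(state[node], fn(*(state[a] for a in args)))
            if new != state[node]:
                state[node], changed = new, True
    return state

def step(state):
    """Clock tick: registers load their source node, all other nodes drop to X."""
    nxt = {n: X for n in NODES}
    for reg, src in REGS.items():
        nxt[reg] = state[src]
    return nxt

def defining_trajectory(antecedent, depth):
    """Weakest trajectory satisfying the antecedent; states for times 0..depth."""
    traj = []
    for t in range(depth + 1):
        state = step(traj[-1]) if t else {n: X for n in NODES}
        for at, node, val in antecedent:
            if at == t:
                state[node] = join(state[node], val)
        traj.append(close(state))
    return traj

def consistent(antecedent):
    """False when the antecedent forces some node to T (vacuous assertion)."""
    depth = max(t for t, _, _ in antecedent)
    return all(v != TOP for s in defining_trajectory(antecedent, depth) for v in s.values())

def check(antecedent, consequent):
    """Failures (time, node, required, actual) where the consequent is not
    below the defining trajectory.  Empty list: the assertion is provable."""
    if not consistent(antecedent):
        raise ValueError("antecedent is contradictory")
    depth = max(t for t, _, _ in antecedent + consequent)
    traj = defining_trajectory(antecedent, depth)
    return [(t, n, v, traj[t][n]) for t, n, v in consequent if not leq(v, traj[t][n])]

if __name__ == "__main__":
    assert is_monotone(g_and, 2) and is_monotone(g_not, 1)
    print(check([(0, "a", ONE), (0, "b", ONE)], [(2, "out", ZERO)]))  # provable
    print(check([(0, "a", ONE)], [(2, "out", ZERO)]))   # b is X, X reaches out
    print(check([(0, "a", ZERO)], [(2, "out", ONE)]))   # AND(0, X) = 0 absorbs X
```

The second assertion is the interesting one: it is "true" for every concrete circuit (if `a` is 1 and `b` happens to be 1 the output is 0, otherwise the consequent is simply not forced), yet the checker cannot prove it because the unconstrained `b` becomes X, AND(1, X) is X, and X survives the two register stages. The third assertion shows the abstraction working in the engineer's favour: a 0 on `a` absorbs the unknown on `b`, so the goal is reached without constraining `b` at all.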

The paper also discusses limitations. The current framework assumes three‑valued Boolean logic and synchronous clocking, so extensions to analog, multi‑voltage, or probabilistic hardware are non‑trivial. Future work is proposed to incorporate richer value domains, timing uncertainties, and stochastic transition functions, thereby broadening the applicability of the faithful semantics.

In summary, this work delivers a mathematically rigorous semantics that is both sound and complete with respect to GSTE model checking. By bridging the gap between abstract verification theory and practical tool behavior, it equips hardware designers with a reliable method to predict provability, diagnose failures, and systematically improve abstractions, ultimately strengthening the trustworthiness of large‑scale hardware verification pipelines.