# **Syntax Rule Summary**

Below we present the syntax of PSL in Backus-Naur Form (BNF).

# **A.1 Conventions**

The formal syntax described uses the following extended Backus-Naur Form (BNF).

a. The initial character of each word in a nonterminal is capitalized. For example:

PSL_Statement

A nonterminal is either a single word or multiple words separated by underscores. When a multiple word nonterminal containing underscores is referenced within the text (e.g., in a statement that describes the semantics of the corresponding syntax), the underscores are replaced with spaces.

b. Boldface words are used to denote reserved keywords, operators, and punctuation marks as a required part of the syntax. For example:

**vunit ( ;**

c. The ::= operator separates the two parts of a BNF syntax definition. The syntax category appears to the left of this operator and the syntax description appears to the right of the operator. For example, item (d) shows three options for a Vunit_Type.

d. A vertical bar separates alternative items (use one only) unless it appears in boldface, in which case it stands for itself. For example:

Vunit_Type ::= **vunit** | **vprop** | **vmode**

e. Square brackets enclose optional items unless they appear in boldface, in which case they stand for themselves. For example:

Sequence_Declaration ::= **sequence** Name [ **(** Formal_Parameter_List **)** ] DEF_SYM Sequence **;**

indicates that ( Formal_Parameter_List ) is an optional syntax item for Sequence_Declaration, whereas

| Sequence **[\*** [ Range ] **]**

indicates that (the outer) square brackets are part of the syntax, while Range is optional.

f. Braces enclose a repeated item unless they appear in boldface, in which case they stand for themselves. A repeated item may appear zero or more times; the repetitions occur from left to right as with an equivalent left-recursive rule. Thus, the following two rules are equivalent:

Formal_Parameter_List ::= Formal_Parameter { **;** Formal_Parameter }

Formal_Parameter_List ::= Formal_Parameter | Formal_Parameter_List **;** Formal_Parameter

g. A colon (:) in a production starts a line comment unless it appears in boldface, in which case it stands for itself.

h. If the name of any category starts with an italicized part, it is equivalent to the category name without the italicized part. The italicized part is intended to convey some semantic information. For example, *vunit*_Name is equivalent to Name.

i. Flavor macros, containing embedded underscores, are shown in uppercase. These reflect the various HDLs that can be used within the PSL syntax and show the definition for each HDL. The general format is the term Flavor Macro, then the actual macro name, followed by the = operator, and, finally, the definition for each of the HDLs. For example:

Flavor Macro RANGE_SYM = SystemVerilog: **:** / Verilog: **:** / VHDL: **to** / GDL: **..**

shows the *range symbol* macro (RANGE_SYM). See for further details about flavor macros.

The main text uses italicized type when a term is being defined, and monospace font for examples and references to constants such as 0, 1, or x values.

# **A.2 Tokens**

PSL syntax is defined in terms of primitive tokens, which are character sequences that act as distinct symbols in the language.

Each PSL keyword is a single token. Some keywords end in one or two nonalphabetic characters ('_' or '!' or both). Those characters are part of the keyword, not separate tokens.

Each of the following character sequences is also a token:



Finally, for a given flavor, the tokens of the corresponding HDL are tokens of PSL.

# **A.3 HDL dependencies**

PSL depends upon the syntax and semantics of an underlying hardware description language. In particular, PSL syntax includes productions that refer to nonterminals in SystemVerilog, Verilog, VHDL, or GDL. PSL syntax also includes Flavor Macros that cause each flavor of PSL to match that of the underlying HDL for that flavor.

For SystemVerilog, the PSL syntax refers to the following nonterminals in the IEEE P1800 syntax:

- module or generate item declaration
- module or generate item
- list of variable identifiers
- identifier
- expression
- constant expression

For Verilog, the PSL syntax refers to the following nonterminals in the IEEE Std 1364 syntax:

- module or generate item declaration
- module or generate item
- list of variable identifiers
- identifier
- expression
- constant expression
- task port type

For VHDL, the PSL syntax refers to the following nonterminals in the IEEE Std 1076 syntax:

- block declarative item
- concurrent statement
- design unit
- identifier
- expression
- entity aspect

For SystemC, the PSL syntax refers to the following nonterminals in the IEEE P1666 syntax:

- simple type specifier
- expression
- event expression
- declaration
- statement
- identifier

For GDL, the PSL syntax refers to the following nonterminals in the GDL syntax:

- module item declaration
- module item
- module declaration
- identifier
- expression

### **A.3.1 Verilog extensions**

For the Verilog flavor, PSL extends the forms of declaration that can be used in the modeling layer by defining two additional forms of type declaration.

Extended_Verilog_Declaration ::= Verilog module or generate item declaration | Extended_Verilog_Type_Declaration

Extended_Verilog_Type_Declaration ::= Finite_Integer_Type_Declaration | Structure_Type_Declaration

Finite_Integer_Type_Declaration ::= **integer** Integer_Range list of variable identifiers **;**

Structure_Type_Declaration ::= **struct {** Declaration_List **}** list of variable identifiers **;**

Integer_Range ::= **(** constant expression **:** constant expression **)**

Declaration_List ::= HDL_Variable_or_Net_Declaration { HDL_Variable_or_Net_Declaration }

HDL_Variable_or_Net_Declaration ::= net declaration | reg declaration | integer declaration

### **A.3.2 Flavor macros**

Flavor Macro DEF_SYM = SystemVerilog: **=** / Verilog: **=** / VHDL: **is** / SystemC: **=** / GDL: **:=**

Flavor Macro RANGE_SYM = SystemVerilog: **:** / Verilog: **:** / VHDL: **to** / SystemC: **:** / GDL: **..**

Flavor Macro AND_OP = SystemVerilog: **&&** / Verilog: **&&** / VHDL: **and** / SystemC: **&&** / GDL: **&**

Flavor Macro OR_OP = SystemVerilog: **||** / Verilog: **||** / VHDL: **or** / SystemC: **||** / GDL: **|**

Flavor Macro NOT_OP = SystemVerilog: **!** / Verilog: **!** / VHDL: **not** / SystemC: **!** / GDL: **!**

Flavor Macro MIN_VAL = SystemVerilog: **0** / Verilog: **0** / VHDL: **0** / SystemC: **0** / GDL: null

Flavor Macro MAX_VAL = SystemVerilog: **\$** / Verilog: **inf** / VHDL: **inf** / SystemC: **inf** / GDL: null

Flavor Macro HDL_EXPR = SystemVerilog: SystemVerilog Expression / Verilog: Verilog Expression / VHDL: VHDL Expression / SystemC: SystemC Expression / GDL: GDL Expression

Flavor Macro HDL_CLOCK_EXPR = SystemVerilog: SystemVerilog Event Expression / Verilog: Verilog Event Expression / VHDL: VHDL Expression / SystemC: SystemC Event Expression / GDL: GDL Expression

Flavor Macro HDL_UNIT = SystemVerilog: SystemVerilog module declaration / Verilog: Verilog module declaration / VHDL: VHDL design unit / SystemC: SystemC class sc_module / GDL: GDL module declaration

Flavor Macro HDL_DECL = SystemVerilog: SystemVerilog module or generate item declaration / Verilog: Extended_Verilog_Declaration / VHDL: VHDL block declarative item / SystemC: SystemC declaration / GDL: GDL module item declaration

Flavor Macro HDL_STMT = SystemVerilog: SystemVerilog module or generate item / Verilog: Verilog module or generate item / VHDL: VHDL concurrent statement / SystemC: SystemC statement / GDL: GDL module item

Flavor Macro HDL_VARIABLE_TYPE = SystemVerilog: SystemVerilog data type / Verilog: Verilog Variable Type / VHDL: VHDL subtype indication / SystemC: SystemC simple type specifier / GDL: GDL variable type

Flavor Macro HDL_RANGE = VHDL: range attribute name

Flavor Macro LEFT_SYM = SystemVerilog: **[** / Verilog: **[** / VHDL: **(** / SystemC: **(** / GDL: **(**

Flavor Macro RIGHT_SYM = SystemVerilog: **]** / Verilog: **]** / VHDL: **)** / SystemC: **)** / GDL: **)**

# **A.4 Syntax productions**

The rest of this appendix defines the PSL syntax.

## **A.4.1 Verification units**

```
PSL_Specification ::= { Verification_Item }

Verification_Item ::=
    HDL_UNIT
  | Verification_Unit

Verification_Unit ::=
  Vunit_Type PSL_Identifier [ ( Hierarchical_HDL_Name ) ] {
    { Inherit_Spec }
    { Vunit_Item }
  }

Vunit_Type ::= vunit | vprop | vmode

Hierarchical_HDL_Name ::= HDL_Module_Name { Path_Separator instance_Name }

instance_Name ::= HDL_or_PSL_Identifier

HDL_Module_Name ::= HDL_or_PSL_Identifier [ ( HDL_or_PSL_Identifier ) ]

Path_Separator ::= . | /

Inherit_Spec ::= inherit vunit_Name { , vunit_Name } ;

Vunit_Item ::=
    HDL_DECL
  | HDL_STMT
  | PSL_Declaration
  | PSL_Directive
```

### **A.4.2 PSL declarations**

```
PSL_Declaration ::=
    Property_Declaration
  | Sequence_Declaration
  | Clock_Declaration

Property_Declaration ::=
  property PSL_Identifier [ ( Formal_Parameter_List ) ] DEF_SYM Property ;

Formal_Parameter_List ::= Formal_Parameter { ; Formal_Parameter }

Formal_Parameter ::= Param_Spec PSL_Identifier { , PSL_Identifier }

Param_Spec ::= const | [ const ] Value_Parameter | sequence | property

Value_Parameter ::= HDL_Type | PSL_Type_Class

HDL_Type ::= hdltype HDL_VARIABLE_TYPE

PSL_Type_Class ::= boolean | bit | bitvector | numeric | string

Sequence_Declaration ::=
  sequence PSL_Identifier [ ( Formal_Parameter_List ) ] DEF_SYM Sequence ;

Clock_Declaration ::= default clock DEF_SYM Clock_Expression ;

Clock_Expression ::=
    boolean_Name
  | boolean_Built_In_Function_Call
  | ( Boolean )
  | ( HDL_CLOCK_EXPR )

Actual_Parameter_List ::= Actual_Parameter { , Actual_Parameter }

Actual_Parameter ::= Any_Type | Number | Boolean | Property | Sequence
```

### **A.4.3 PSL directives**

 $PSL$ -Directive  $::=$ [Label : ] Verification\_Directive

Label  $::=$ PSL Identifier

HDL or PSL Identifier ::= SystemVerilog Identifier | Verilog Identifier | VHDL Identifier | SystemC Identifier | GDL Identifier | PSL Identifier

Verification\_Directive ::= Assert Directive | Assume Directive | Assume Guarantee Directive | Restrict Directive

| Restrict Guarantee Directive | Cover Directive | Fairness Statement

```
Assert_Directive ::=
   assert Property [ report String ] ;
```
Assume Directive ::= **assume** Property **;**

Assume Guarantee Directive ::= **assume guarantee** Property **[ report** String **] ;**

Restrict\_Directive ::= **restrict** Sequence **;**

Restrict Guarantee Directive ::= **restrict guarantee** Sequence [ **report** String ] **;**

 $Cover\_Directive ::=$ **cover** Sequence **[ report** String **] ;**

Fairness Statement ::= **fairness** Boolean **;** | **strong fairness** Boolean **,** Boolean **;**

# **A.4.4 PSL properties**

```
Property ::=
    Replicator Property
  | FL_Property
  | OBE_Property

Replicator ::= forall Parameter_Definition :

Index_Range ::=
    LEFT_SYM finite_Range RIGHT_SYM
  | ( HDL_RANGE )

Value_Set ::=
    { Value_Range { , Value_Range } }
  | boolean

Value_Range ::= Value | finite_Range

Value ::= Boolean | Number

FL_Property ::=
    Boolean
  | ( FL_Property )
  | Sequence [ ! ]
  | FL_property_Name [ ( Actual_Parameter_List ) ]
  | FL_Property @ Clock_Expression
  | FL_Property abort Boolean
  | FL_Property async_abort Boolean
  | FL_Property sync_abort Boolean
  | Parameterized_Property
  : Logical Operators :
  | NOT_OP FL_Property
  | FL_Property AND_OP FL_Property
  | FL_Property OR_OP FL_Property
  | FL_Property -> FL_Property
  | FL_Property <-> FL_Property
  : Primitive LTL Operators :
  | X FL_Property
  | X! FL_Property
  | F FL_Property
  | G FL_Property
  | [ FL_Property U FL_Property ]
  | [ FL_Property W FL_Property ]
  : Simple Temporal Operators :
  | always FL_Property
  | never FL_Property
  | next FL_Property
  | next! FL_Property
  | eventually! FL_Property
  | FL_Property until! FL_Property
  | FL_Property until FL_Property
  | FL_Property until!_ FL_Property
  | FL_Property until_ FL_Property
  | FL_Property before! FL_Property
  | FL_Property before FL_Property
  | FL_Property before!_ FL_Property
  | FL_Property before_ FL_Property
  : Extended Next (Event) Operators :
  | X [ Number ] ( FL_Property )
  | X! [ Number ] ( FL_Property )
  | next [ Number ] ( FL_Property )
  | next! [ Number ] ( FL_Property )
  | next_a [ finite_Range ] ( FL_Property )
  | next_a! [ finite_Range ] ( FL_Property )
  | next_e [ finite_Range ] ( FL_Property )
  | next_e! [ finite_Range ] ( FL_Property )
  | next_event! ( Boolean ) ( FL_Property )
  | next_event ( Boolean ) ( FL_Property )
  | next_event! ( Boolean ) [ positive_Number ] ( FL_Property )
  | next_event ( Boolean ) [ positive_Number ] ( FL_Property )
  | next_event_a! ( Boolean ) [ finite_positive_Range ] ( FL_Property )
  | next_event_a ( Boolean ) [ finite_positive_Range ] ( FL_Property )
  | next_event_e! ( Boolean ) [ finite_positive_Range ] ( FL_Property )
  | next_event_e ( Boolean ) [ finite_positive_Range ] ( FL_Property )
  : Operators on SEREs :
  | { SERE } ( FL_Property )
  | Sequence |-> FL_Property
  | Sequence |=> FL_Property
```

## **A.4.5 Sequential Extended Regular Expressions (SEREs)**

```
SERE ::=
    Boolean
  | Sequence
  | SERE ; SERE
  | SERE : SERE
  | Compound_SERE

Compound_SERE ::=
    Repeated_SERE
  | Braced_SERE
  | Clocked_SERE
  | Compound_SERE | Compound_SERE
  | Compound_SERE & Compound_SERE
  | Compound_SERE && Compound_SERE
  | Compound_SERE within Compound_SERE
  | Parameterized_SERE
```

### **A.4.6 Parameterized Properties and SEREs**

```
Parameterized_Property ::=
  for Parameters_Definition : And_Or_Property_OP ( FL_Property )

Parameterized_SERE ::=
  for Parameters_Definition : And_Or_SERE_OP { SERE }

Parameters_Definition ::= Parameter_Definition { Parameter_Definition }

Parameter_Definition ::= PSL_Identifier [ Index_Range ] in Value_Set

And_Or_Property_OP ::= AND_OP | OR_OP

And_Or_SERE_OP ::= && | & | |
```
### **A.4.7 Sequences**

```
Sequence ::=
    Sequence_Instance
  | Repeated_SERE
  | Braced_SERE
  | Clocked_SERE

Repeated_SERE ::=
    Boolean [* [ Count ] ]
  | Sequence [* [ Count ] ]
  | [* [ Count ] ]
  | Boolean [+]
  | Sequence [+]
  | [+]
  | Boolean [= Count ]
  | Boolean [-> [ positive_Count ] ]

Braced_SERE ::= { SERE }

Sequence_Instance ::= sequence_Name [ ( Actual_Parameter_List ) ]

Clocked_SERE ::= Braced_SERE @ Clock_Expression

Count ::= Number | Range

Range ::= Low_Bound RANGE_SYM High_Bound

Low_Bound ::= Number | MIN_VAL

High_Bound ::= Number | MAX_VAL
```

## **A.4.8 Forms of expression**

```
Any_Type ::= HDL_or_PSL_Expression

Bit ::= bit_HDL_or_PSL_Expression

Boolean ::= boolean_HDL_or_PSL_Expression

BitVector ::= bitvector_HDL_or_PSL_Expression

Number ::= numeric_HDL_or_PSL_Expression

String ::= string_HDL_or_PSL_Expression

HDL_or_PSL_Expression ::=
    HDL_Expression
  | PSL_Expression
  | Built_In_Function_Call
  | Union_Expression

HDL_Expression ::= HDL_EXPR

PSL_Expression ::= Boolean -> Boolean | Boolean <-> Boolean

Built_In_Function_Call ::=
    prev ( Any_Type [ , Number [ , Clock_Expression ] ] )
  | next ( Any_Type )
  | stable ( Any_Type [ , Clock_Expression ] )
  | rose ( Bit [ , Clock_Expression ] )
  | fell ( Bit [ , Clock_Expression ] )
  | ended ( Sequence [ , Clock_Expression ] )
  | isunknown ( BitVector )
  | countones ( BitVector )
  | onehot ( BitVector )
  | onehot0 ( BitVector )
  | nondet ( Value_List )
  | nondet_vector ( Number , Value_List )

Union_Expression ::= Any_Type union Any_Type
```

### **A.4.9 Optional Branching Extension**

```
OBE_Property ::=
    Boolean
  | ( OBE_Property )
  | OBE_property_Name [ ( Actual_Parameter_List ) ]
  : Logical Operators :
  | NOT_OP OBE_Property
  | OBE_Property AND_OP OBE_Property
  | OBE_Property OR_OP OBE_Property
  | OBE_Property -> OBE_Property
  | OBE_Property <-> OBE_Property
  : Universal Operators :
  | AX OBE_Property
  | AG OBE_Property
  | AF OBE_Property
  | A [ OBE_Property U OBE_Property ]
  : Existential Operators :
  | EX OBE_Property
  | EG OBE_Property
  | EF OBE_Property
  | E [ OBE_Property U OBE_Property ]
```

# **Formal Syntax and Semantics**

This appendix formally describes the syntax and semantics of the temporal layer.

## **B.1 Typed-text representation of symbols**

Table B.1 shows the mapping of various symbols used in this definition to the corresponding typed-text PSL representation, in the different flavors.

| Symbol            | SystemVerilog | Verilog | VHDL  | SystemC | GDL   |
|-------------------|---------------|---------|-------|---------|-------|
| $\mapsto$         | \|->          | \|->    | \|->  | \|->    | \|->  |
| $\Rightarrow$     | \|=>          | \|=>    | \|=>  | \|=>    | \|=>  |
| $\rightarrow$     | ->            | ->      | ->    | ->      | ->    |
| $\leftrightarrow$ | <->           | <->     | <->   | <->     | <->   |
| $\neg$            | !             | !       | not   | !       | !     |
| $\wedge$          | &&            | &&      | and   | &&      | &     |
| $\vee$            | \|\|          | \|\|    | or    | \|\|    | \|    |
|                   | :             | :       | to    | :       | ..    |

**Table B.1:** Typed-text symbols in the SystemVerilog, Verilog, VHDL, SystemC and GDL flavors

NOTE -

For reasons of simplicity, the syntax given herein is more flexible than the one defined by the extended BNF (given in Appendix A). That is, some of the expressions which are legal here are not legal under the BNF grammar. Users should use the stricter syntax, as defined by the BNF grammar in Appendix A.

# **B.2 Syntax**

The logic PSL is defined with respect to a non-empty set of atomic propositions $P$ and a given set of boolean expressions $B$ over $P$. We assume that two designated boolean expressions, $true$ and $false$, belong to $B$.

### **Definition 1 (Sequential Extended Regular Expressions (SEREs))**

1. Every boolean expression $b \in B$ is a SERE.
2. If $r$, $r_1$, and $r_2$ are SEREs, and $c$ is a boolean expression, then the following are SEREs:
   - $\{r\}$
   - $r_1 ; r_2$
   - $r_1 : r_2$
   - $r_1 \mid r_2$
   - $r_1 \,\&\&\, r_2$
   - $[*0]$
   - $r[*]$
   - $r @ c$

### **Definition 2 (FL formulas)**

1. If $b$ is a boolean expression, then both $b$ and $b!$ are FL formulas.
2. If $\varphi$ and $\psi$ are FL formulas, $r, r_1, r_2$ are SEREs, and $b$ a boolean expression, then the following are FL formulas:
   - $(\varphi)$
   - $\neg \varphi$
   - $\varphi \wedge \psi$
   - $r \mapsto \varphi$
   - $r!$
   - $r$
   - $X!\, \varphi$
   - $[\varphi\, U\, \psi]$
   - $\varphi @ b$
   - $\varphi$ async_abort $b$
   - $\varphi$ sync_abort $b$

NOTE -

We define formal semantics for both strong and weak booleans [20]. However, strong booleans are not accessible to the user.

### **Definition 3 (OBE Formulas)**

1. Every boolean expression is an OBE formula.
2. If $f$, $f_1$, and $f_2$ are OBE formulas, then so are the following:
   a) $(f)$
   b) $\neg f$
   c) $f_1 \wedge f_2$
   d) $EX\, f$
   e) $E[f_1\, U\, f_2]$
   f) $EG\, f$

Additional OBE operators are derived from these as follows:

- $f_1 \vee f_2 = \neg(\neg f_1 \wedge \neg f_2)$
- $f_1 \rightarrow f_2 = \neg f_1 \vee f_2$
- $f_1 \leftrightarrow f_2 = (f_1 \rightarrow f_2) \wedge (f_2 \rightarrow f_1)$
- $EF\, f = E[true\, U\, f]$
- $AX\, f = \neg EX\, \neg f$
- $A[f_1\, U\, f_2] = \neg(E[\neg f_2\, U\, (\neg f_1 \wedge \neg f_2)] \vee EG\, \neg f_2)$
- $AG\, f = \neg E[true\, U\, \neg f]$
- $AF\, f = A[true\, U\, f]$

### **Definition 4 (PSL Formulas)**

- 1. Every FL formula is a PSL formula.
- 2. Every OBE formula is a PSL formula.

In Section B.4, we show additional operators which provide syntactic sugaring to the ones above.

### **B.3 Semantics**

The semantics of PSL formulas are defined with respect to a model. A model is a quintuple $(S, S_0, R, P, L)$, where $S$ is a finite set of states, $S_0 \subseteq S$ is a set of initial states, $R \subseteq S \times S$ is the transition relation, $P$ is a non-empty set of atomic propositions, and $L$ is the valuation, a function $L : S \longrightarrow 2^P$, mapping each state to the set of atomic propositions valid in that state.

A path  $\pi$  is a finite (or infinite) sequence of states  $\pi = (\pi_0, \pi_1, \pi_2, \cdots, \pi_n)$ (or  $\pi = (\pi_0, \pi_1, \pi_2, \cdots)$ ). A computation path  $\pi$  of a model M is a finite (or infinite) path  $\pi$  such that for every  $i < n$ ,  $R(\pi_i, \pi_{i+1})$  and for no s,  $R(\pi_n, s)$ (or such that for every i,  $R(\pi_i, \pi_{i+1})$ ). Given a finite (or infinite) path  $\pi$ , we define  $\hat{L}$ , an extension of the valuation function L from states to paths as follows:  $\hat{L}(\pi) = L(\pi_0)L(\pi_1)\dots L(\pi_n)$  (or  $\hat{L}(\pi) = L(\pi_0)L(\pi_1)\dots$ ). Thus we have a mapping from states in M to letters of  $2^P$ , and from finite (or infinite) sequences of states in M to finite (or infinite) words over  $2^P$ .

#### **B.3.1 Semantics of FL formulas**

The semantics of FL formulas is interpreted over finite and infinite words over $\Sigma = 2^P \cup \{\top, \bot\}$. Let $\varphi$ be an FL formula, $w$ a word over $\Sigma$ and $M$ a model. The notation $w \models \varphi$ means that the FL formula $\varphi$ holds over the word $w$. The notation $M \models \varphi$ means that for all $\pi$ such that $\pi$ is a computation path of $M$, $\hat{L}(\pi) \models \varphi$.

We denote a letter from $\Sigma$ by $\ell$ and an empty, finite, or infinite word from $\Sigma$ by $u$, $v$, or $w$ (possibly with subscripts). We denote the length of word $v$ as $|v|$. A finite non-empty word $v = (\ell_0 \ell_1 \ell_2 \cdots \ell_n)$ has length $n + 1$, the (finite) empty word $v = \epsilon$ has length 0, and an infinite word has length $\infty$. We use $i$, $j$, and $k$ to denote non-negative integers. We denote the $i^{th}$ letter of $v$ by $v^{i-1}$ (since counting of letters starts at zero). We denote by $v^{i..}$ the suffix of $v$ starting at $v^i$. That is, for every $i < |v|$, $v^{i..} = v^i v^{i+1} \cdots v^n$ or $v^{i..} = v^i v^{i+1} \cdots$. We denote by $v^{i..j}$ the finite sequence of letters starting from $v^i$ and ending in $v^j$. That is, for $j \geq i$, $v^{i..j} = v^i v^{i+1} \cdots v^j$ and for $j < i$, $v^{i..j} = \epsilon$. We use $\ell^{\omega}$ to denote an infinite-length word, each letter of which is $\ell$.

We use  $\overline{v}$  to denote the word obtained by replacing every  $\top$  with a  $\bot$  and vice versa. We call  $\overline{v}$  the *dual* of v.

The semantics of FL formulas over words is defined inductively, using as the base case the semantics of *boolean expressions* over *letters* in $\Sigma$. The semantics of boolean expressions is assumed to be given as a relation $\Vdash \subset \Sigma \times B$ relating letters in $\Sigma$ with boolean expressions in $B$. If $(\ell, b) \in \Vdash$ we say that the letter $\ell$ satisfies the boolean expression $b$ and denote it $\ell \Vdash b$. We assume the two special letters $\top$ and $\bot$ behave as follows: for every boolean expression $b$, $\top \Vdash b$ and $\bot \nVdash b$. We assume that otherwise the boolean relation $\Vdash$ behaves in the usual manner. In particular, for every letter $\ell \in 2^P$, atomic proposition $p \in P$ and boolean expressions $b, b_1, b_2 \in B$: (i) $\ell \Vdash p$ iff $p \in \ell$, (ii) $\ell \Vdash \neg b$ iff $\ell \nVdash b$, and (iii) $\ell \Vdash true$ and $\ell \nVdash false$. Finally, we assume that for every letter $\ell \in \Sigma$, $\ell \Vdash b_1 \wedge b_2$ iff $\ell \Vdash b_1$ and $\ell \Vdash b_2$.

### **Unclocked Semantics**

### **Semantics of unclocked SEREs**

Unclocked SEREs are defined over finite words over the alphabet $\Sigma$. The notation $v \equiv r$, where $r$ is a SERE and $v$ a finite word, means that $v$ models $r$ *tightly*. The semantics of unclocked SEREs are defined as follows, where $b$ denotes a boolean expression, and $r$, $r_1$, and $r_2$ denote unclocked SEREs:

1. $v \equiv \{r\} \Longleftrightarrow v \equiv r$
2. $v \equiv b \Longleftrightarrow |v| = 1$ and $v^0 \Vdash b$
3. $v \equiv r_1 ; r_2 \Longleftrightarrow \exists v_1, v_2$ s.t. $v = v_1 v_2$, $v_1 \equiv r_1$, and $v_2 \equiv r_2$
4. $v \equiv r_1 : r_2 \Longleftrightarrow \exists v_1, v_2$, and $\ell$ s.t. $v = v_1 \ell v_2$, $v_1 \ell \equiv r_1$, and $\ell v_2 \equiv r_2$
5. $v \equiv r_1 \mid r_2 \Longleftrightarrow v \equiv r_1$ or $v \equiv r_2$
6. $v \equiv r_1 \,\&\&\, r_2 \Longleftrightarrow v \equiv r_1$ and $v \equiv r_2$
7. $v \equiv [*0] \Longleftrightarrow v = \epsilon$
8. $v \equiv r[*] \Longleftrightarrow$ either $v \equiv [*0]$ or $\exists v_1, v_2$ s.t. $v_1 \neq \epsilon$, $v = v_1 v_2$, $v_1 \equiv r$ and $v_2 \equiv r[*]$

### **Semantics of unclocked FL**

We refer to a formula of FL with no $@$ operator as an unclocked formula. Let $v$ be a finite or infinite word, $b$ be a boolean expression, $r, r_1, r_2$ unclocked SEREs, and $\varphi, \psi$ unclocked FL formulas. We use $\models$ to define the semantics of unclocked FL formulas: if $v \models \varphi$ we say that $v$ models (or satisfies) $\varphi$.

1. $v \models (\varphi) \Longleftrightarrow v \models \varphi$
2. $v \models \neg \varphi \Longleftrightarrow \overline{v} \not\models \varphi$
3. $v \models \varphi \wedge \psi \Longleftrightarrow v \models \varphi$ and $v \models \psi$
4. $v \models b! \Longleftrightarrow |v| > 0$ and $v^0 \Vdash b$
5. $v \models b \Longleftrightarrow |v| = 0$ or $v^0 \Vdash b$
6. $v \models r \mapsto \varphi \Longleftrightarrow \forall j < |v|$ s.t. $\overline{v}^{0..j} \equiv r$, $v^{j..} \models \varphi$
7. $v \models r! \Longleftrightarrow \exists j < |v|$ s.t. $v^{0..j} \equiv r$
8. $v \models r \Longleftrightarrow \forall j < |v|$, $v^{0..j} \top^{\omega} \models r!$
9. $v \models X!\, \varphi \Longleftrightarrow |v| > 1$ and $v^{1..} \models \varphi$
10. $v \models [\varphi\, U\, \psi] \Longleftrightarrow \exists k < |v|$ s.t. $v^{k..} \models \psi$, and $\forall j < k$, $v^{j..} \models \varphi$
11. $v \models \varphi$ async_abort $b \Longleftrightarrow$ either $v \models \varphi$ or $\exists j < |v|$ s.t. $v^j \Vdash b$ and $v^{0..j-1} \top^{\omega} \models \varphi$
12. $v \models \varphi$ sync_abort $b \Longleftrightarrow$ either $v \models \varphi$ or $\exists j < |v|$ s.t. $v^j \Vdash b$ and $v^{0..j-1} \top^{\omega} \models \varphi$

NOTES -

1. The semantics given here for the LTL operators and the async_abort operator is equivalent to the truncated semantics given in [18], which is interpreted over $2^P$ rather than over $2^P \cup \{\top, \bot\}$. Using $\models_{\bullet}$ for the semantics in [18], the following proposition states the equivalence: Let $w$ be a finite word over $2^P$, and let $\varphi$ be a formula of $LTL^{trunc}$. Then, as shown in [19], the three following equivalences hold:

$$
w \models_{\bullet}^{-} \varphi \Longleftrightarrow w\top^{\omega} \models \varphi
$$

$$
w \models_{\bullet} \varphi \Longleftrightarrow w \models \varphi
$$

$$
w \models_{\bullet}^{+} \varphi \Longleftrightarrow w\bot^{\omega} \models \varphi
$$

2. Using $\models_{\bullet}$ as in note 1 above, we use *holds strongly* for $\models_{\bullet}^{+}$, *holds* for $\models_{\bullet}$, and *holds weakly* for $\models_{\bullet}^{-}$. The remaining terminology of Section 11.1 is formally defined as follows:
   - $\varphi$ is pending on word $w$ iff $w \models_{\bullet}^{-} \varphi$ and $w \not\models_{\bullet} \varphi$
   - $\varphi$ fails on word $w$ iff $w \not\models_{\bullet}^{-} \varphi$
3. There is a subtle difference between boolean negation and formula negation. For instance, consider the formula $\neg b$. If $\neg$ is boolean negation, then $\neg b$ holds on an empty path. If $\neg$ is formula negation, then $\neg b$ does not hold on an empty path. Rather than introduce distinct operators for boolean and formula negation, we instead adopt the convention that negation applied to a boolean expression is boolean negation. This does not restrict expressivity, as formula negation of $b$ can be expressed as $(\neg b)!$.
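The unclocked SERE and FL semantics above, together with the three views of NOTE 1 and the negation point of NOTE 3, as an added brute-force evaluator in Python (my own code, not part of the standard). It assumes booleans built from atomic propositions, true, negation and conjunction, as in the boolean relation described earlier, and the state-count bound used in `top_run` to cut off the TOP^omega continuation is my own reasoning, not something the text gives.

```python
TOP, BOT = "TOP", "BOT"   # the two special letters of Sigma = 2^P U {TOP, BOT}

def word(*letters, pad=None):
    """One string per letter (its characters are the true atomic propositions);
    pad=TOP or BOT turns the finite word w into the infinite w TOP^omega / w BOT^omega."""
    return (tuple(frozenset(s) for s in letters), pad)

def sat(letter, b):
    """letter |- b: TOP satisfies every boolean, BOT none, letters of 2^P as usual."""
    if letter in (TOP, BOT):
        return letter == TOP
    tag = b[0]
    if tag == "p":    return b[1] in letter
    if tag == "true": return True
    if tag == "not":  return not sat(letter, b[1])
    return sat(letter, b[1]) and sat(letter, b[2])            # ("and", b1, b2)

def tight(v, r):
    """v == r (a finite word models r tightly): unclocked SERE items 1-8."""
    tag = r[0]
    if tag == "bool": return len(v) == 1 and sat(v[0], r[1])
    if tag == "[*0]": return len(v) == 0
    if tag == "{}":   return tight(v, r[1])
    if tag == "|":    return tight(v, r[1]) or tight(v, r[2])
    if tag == "&&":   return tight(v, r[1]) and tight(v, r[2])
    if tag == ";":    # v = v1 v2, either part may be empty
        return any(tight(v[:i], r[1]) and tight(v[i:], r[2]) for i in range(len(v) + 1))
    if tag == ":":    # fusion: v1 and v2 overlap in exactly one letter
        return any(tight(v[:i + 1], r[1]) and tight(v[i:], r[2]) for i in range(len(v)))
    return len(v) == 0 or any(                                # ("[*]", r1)
        tight(v[:i], r[1]) and tight(v[i:], r) for i in range(1, len(v) + 1))

def size(r):
    """(number of boolean leaves, number of '&&' operators) of a SERE."""
    if r[0] in ("bool", "[*0]"):
        return (int(r[0] == "bool"), 0)
    parts = [size(x) for x in r[1:]]
    return (sum(p[0] for p in parts), sum(p[1] for p in parts) + int(r[0] == "&&"))

def top_run(letters, r):
    """Is there m >= 1 with  letters TOP^m == r ?  Bound (my own reasoning): a position
    automaton for r has at most leaves+1 states and every '&&' is a product, so a
    pure-TOP run longer than (leaves+1)^(ands+1) revisits a state and can be cut."""
    leaves, ands = size(r)
    return any(tight(letters + (TOP,) * m, r) for m in range(1, (leaves + 1) ** (ands + 1) + 1))

def strong_prefix(letters, pad, r):
    """(letters, pad) |= r!: some non-empty prefix w^{0..j} models r tightly.  BOT
    satisfies no boolean, so only a TOP pad can extend a match past the end."""
    return any(tight(letters[:j + 1], r) for j in range(len(letters))) or (
        pad == TOP and top_run(letters, r))

def dual(w):
    """The dual word: every TOP becomes BOT and vice versa."""
    flip = lambda x: BOT if x == TOP else TOP if x == BOT else x
    return (tuple(flip(l) for l in w[0]), flip(w[1]))

def models(w, phi):
    """w |= phi: unclocked FL items 1-12 (the two aborts coincide without a clock)."""
    letters, pad = w
    n, tag, infinite = len(letters), phi[0], pad is not None
    at = lambda i: letters[i] if i < n else pad              # w^i (the pad past the end)
    suffix = lambda k: (letters[k:], pad)                    # w^{k..}
    if tag == "b":   return (n == 0 and not infinite) or sat(at(0), phi[1])
    if tag == "b!":  return (n > 0 or infinite) and sat(at(0), phi[1])
    if tag == "not": return not models(dual(w), phi[1])
    if tag == "and": return models(w, phi[1]) and models(w, phi[2])
    if tag == "X!":  return (n > 1 or infinite) and models(suffix(1), phi[1])
    if tag == "r!":  return strong_prefix(letters, pad, phi[1])
    if tag == "r":   # each prefix w^{0..j}, continued with TOP^omega, must satisfy r!;
                     # past the end those prefixes all behave alike, so one check covers them
        return all(strong_prefix(letters[:j + 1], TOP, phi[1]) for j in range(n)) and (
            not infinite or strong_prefix(letters, TOP if pad == TOP else None, phi[1]))
    if tag == "|->":  # the antecedent is matched against prefixes of the dual word
        d = dual(w)[0]
        if any(tight(d[:j + 1], phi[1]) and not models(suffix(j), phi[2]) for j in range(n)):
            return False
        return not (pad == BOT and top_run(d, phi[1])) or models(suffix(n), phi[2])
    if tag == "U":   # past the end every suffix is the same word, so k = n covers them all
        return any(models(suffix(k), phi[2]) and all(models(suffix(j), phi[1]) for j in range(k))
                   for k in range(n + infinite))
    # async_abort / sync_abort: phi holds, or b holds at some j and phi holds on
    # w^{0..j-1} TOP^omega (j past a TOP pad just yields w again, covered by the first test)
    return models(w, phi[1]) or any(
        sat(at(j), phi[2]) and models((letters[:j], TOP), phi[1]) for j in range(n))

# Constructed sample formulas (mine, not from the standard).
A, B = ("p", "a"), ("p", "b")
AAA = (";", ("bool", A), (";", ("bool", A), ("bool", A)))              # {a;a;a}
A_TO_AB = ("|->", ("bool", A), ("r", (";", ("bool", A), ("bool", B))))  # {a} |-> {a;b}
EVENTUALLY_B = ("U", ("b", ("true",)), ("b!", B))                      # [true U b!]
```

For instance `models(word("a", "a"), ("r", AAA))` is True while `("r!", AAA)` is False, i.e. {a;a;a} is pending on {a}{a}; padding the same word with TOP or BOT reproduces the weak and strong views of NOTE 1.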

### **Clocked Semantics**

We say that finite word $v$ is a clock tick of $c$ iff $|v| > 0$ and $v^{|v|-1} \Vdash c$ and for every natural number $i < |v| - 1$, $v^i \Vdash \neg c$.

#### **Semantics of clocked SEREs**

Clocked SEREs are defined over finite words from the alphabet $\Sigma$ and a boolean expression that serves as the clock context. The notation $v \stackrel{c}{\equiv} r$, where $r$ is a SERE, $c$ is a boolean expression and $v$ a finite word, means that $v$ models $r$ tightly in the context of clock $c$. The semantics of clocked SEREs are defined as follows, where $b$, $c$, and $c_1$ denote boolean expressions, and $r$, $r_1$, and $r_2$ denote clocked SEREs:

1. $v \stackrel{c}{\equiv} \{r\} \Longleftrightarrow v \stackrel{c}{\equiv} r$
2. $v \stackrel{c}{\equiv} b \Longleftrightarrow v$ is a clock tick of $c$ and $v^{|v|-1} \Vdash b$
3. $v \stackrel{c}{\equiv} r_1 ; r_2 \Longleftrightarrow \exists v_1, v_2$ s.t. $v = v_1 v_2$, $v_1 \stackrel{c}{\equiv} r_1$, and $v_2 \stackrel{c}{\equiv} r_2$
4. $v \stackrel{c}{\equiv} r_1 : r_2 \Longleftrightarrow \exists v_1, v_2$, and $\ell$ s.t. $v = v_1 \ell v_2$, $v_1 \ell \stackrel{c}{\equiv} r_1$, and $\ell v_2 \stackrel{c}{\equiv} r_2$
5. $v \stackrel{c}{\equiv} r_1 \mid r_2 \Longleftrightarrow v \stackrel{c}{\equiv} r_1$ or $v \stackrel{c}{\equiv} r_2$
6. $v \stackrel{c}{\equiv} r_1 \,\&\&\, r_2 \Longleftrightarrow v \stackrel{c}{\equiv} r_1$ and $v \stackrel{c}{\equiv} r_2$
7. $v \stackrel{c}{\equiv} [*0] \Longleftrightarrow v = \epsilon$
8. $v \stackrel{c}{\equiv} r[*] \Longleftrightarrow$ either $v \stackrel{c}{\equiv} [*0]$ or $\exists v_1, v_2$ s.t. $v_1 \neq \epsilon$, $v = v_1 v_2$, $v_1 \stackrel{c}{\equiv} r$ and $v_2 \stackrel{c}{\equiv} r[*]$
9. $v \stackrel{c}{\equiv} r @ c_1 \Longleftrightarrow v \stackrel{c_1}{\equiv} r$

#### **Semantics of clocked FL**

The semantics of (clocked) FL formulas is defined with respect to finite/infinite words over $\Sigma$ and a boolean expression $c$ which serves as the clock context. Let $v$ be a finite or infinite word, $b, c, c_1$ boolean expressions, $r, r_1, r_2$ SEREs, and $\varphi, \psi$ FL formulas. We use $\stackrel{c}{\models}$ to define the semantics of FL formulas. If $v \stackrel{c}{\models} \varphi$ we say that $v$ models (or satisfies) $\varphi$ in the context of clock $c$.

1. $v \stackrel{c}{\models} (\varphi) \Longleftrightarrow v \stackrel{c}{\models} \varphi$
2. $v \stackrel{c}{\models} \neg\varphi \Longleftrightarrow \overline{v} \stackrel{c}{\not\models} \varphi$
3. $v \stackrel{c}{\models} \varphi \wedge \psi \Longleftrightarrow v \stackrel{c}{\models} \varphi$ and $v \stackrel{c}{\models} \psi$
4. $v \stackrel{c}{\models} b! \Longleftrightarrow \exists j < |v|$ s.t. $v^{0..j}$ is a clock tick of $c$ and $v^j \Vdash b$
5. $v \stackrel{c}{\models} b \Longleftrightarrow \forall j < |v|$ s.t. $\overline{v}^{0..j}$ is a clock tick of $c$: $v^j \Vdash b$
6. $v \stackrel{c}{\models} r \mapsto \varphi \Longleftrightarrow \forall j < |v|$ s.t. $\overline{v}^{0..j} \stackrel{c}{|\!\equiv} r$: $v^{j..} \stackrel{c}{\models} \varphi$
7. $v \stackrel{c}{\models} r! \Longleftrightarrow \exists j < |v|$ s.t. $v^{0..j} \stackrel{c}{|\!\equiv} r$
8. $v \stackrel{c}{\models} r \Longleftrightarrow \forall j < |v|$: $v^{0..j}\top^\omega \stackrel{c}{\models} r!$
9. $v \stackrel{c}{\models} X!\varphi \Longleftrightarrow \exists j < k < |v|$ s.t. $v^{0..j}$ and $v^{j+1..k}$ are clock ticks of $c$ and $v^{k..} \stackrel{c}{\models} \varphi$
10. $v \stackrel{c}{\models} [\varphi\ U\ \psi] \Longleftrightarrow \exists k < |v|$ s.t. $v^k \Vdash c$, $v^{k..} \stackrel{c}{\models} \psi$, and $\forall j < k$ s.t. $v^j \Vdash c$: $v^{j..} \stackrel{c}{\models} \varphi$
11. $v \stackrel{c}{\models} \varphi @ c_1 \Longleftrightarrow v \stackrel{c_1}{\models} \varphi$
12. $v \stackrel{c}{\models} \varphi$ async\_abort $b \Longleftrightarrow$ either $v \stackrel{c}{\models} \varphi$ or $\exists j < |v|$ s.t. $v^j \Vdash b$ and $v^{0..j-1}\top^\omega \stackrel{c}{\models} \varphi$
13. $v \stackrel{c}{\models} \varphi$ sync\_abort $b \Longleftrightarrow$ either $v \stackrel{c}{\models} \varphi$ or $\exists j < |v|$ s.t. $v^j \Vdash b \wedge c$ and $v^{0..j-1}\top^\omega \stackrel{c}{\models} \varphi$

NOTE −

The clocked semantics for the LTL subset follows the clocks paper [20], with the exception that strength is applied at the boolean level rather than at the propositional level.

### **B.3.2 Semantics of OBE formulas**

The semantics of OBE formulas are defined over states in the model, rather than finite or infinite words. Let f be an OBE formula,  $M = (S, S_0, R, P, L)$ a model and  $s \in S$  a state of the model. The notation  $M, s \models f$  means that f holds in state s of model M. The notation  $M \models f$  is equivalent to  $\forall s \in S_0 : M, s \models f$ . In other words, f is valid for every initial state of M.

The semantics of OBE formulas are defined inductively, using as the base case the semantics of *boolean expressions* over *letters* in $2^P$. The semantics of boolean expressions is assumed to be given as a relation $\Vdash\ \subseteq 2^P \times B$ relating letters in $2^P$ with boolean expressions in $B$. If $(\ell, b) \in\ \Vdash$ we say that the letter $\ell$ satisfies the boolean expression $b$ and denote it $\ell \Vdash b$. We assume that the boolean relation $\Vdash$ behaves in the usual manner. In particular, that for every letter $\ell \in 2^P$, atomic proposition $p \in P$ and boolean expressions $b, b_1, b_2 \in B$: (i) $\ell \Vdash p$ iff $p \in \ell$, (ii) $\ell \Vdash \neg b$ iff $\ell \nVdash b$, (iii) $\ell \Vdash b_1 \wedge b_2$ iff $\ell \Vdash b_1$ and $\ell \Vdash b_2$, and (iv) $\ell \Vdash \text{true}$ and $\ell \nVdash \text{false}$.

The semantics of an OBE formula are those of standard CTL. The semantics are defined as follows, where $b$ denotes a boolean expression and $f, f_1$, and $f_2$ denote OBE formulas:

- 1. $M, s \models b \Longleftrightarrow L(s) \Vdash b$
- 2. $M, s \models (f) \Longleftrightarrow M, s \models f$
- 3. $M, s \models \neg f \Longleftrightarrow M, s \not\models f$
- 4. $M, s \models f_1 \wedge f_2 \Longleftrightarrow M, s \models f_1$ and $M, s \models f_2$
- 5. $M, s \models EX\ f \Longleftrightarrow$ there exists a computation path $\pi$ of $M$ such that $|\pi| > 1$, $\pi_0 = s$, and $M, \pi_1 \models f$
- 6. $M, s \models E[f_1\ U\ f_2] \Longleftrightarrow$ there exists a computation path $\pi$ of $M$ such that $\pi_0 = s$ and there exists $k < |\pi|$ such that $M, \pi_k \models f_2$ and for every $j$ such that $j < k$: $M, \pi_j \models f_1$
- 7. $M, s \models EG\ f \Longleftrightarrow$ there exists a computation path $\pi$ of $M$ such that $\pi_0 = s$ and for every $j$ such that $0 \leq j < |\pi|$: $M, \pi_j \models f$
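The OBE rules above quantify over computation paths. For a finite model whose transition relation is total (every state has a successor) they can be computed as fixpoints over sets of states, which is how CTL model checkers evaluate them. The following Python is an added example, not code from the book or from any PSL tool: it encodes a model $M = (S, S_0, R, P, L)$ as Python sets and dictionaries and evaluates rules 1 to 7, with $E[f_1\ U\ f_2]$ as a least fixpoint and $EG\ f$ as a greatest fixpoint. The totality assumption, the tuple encodings of boolean expressions and formulas, and the sample request/grant model are the example's own.

```python
"""Set-based evaluation of the OBE (CTL) semantics on a finite model.

Assumptions of this example (not from the text): states, initial states and
the transition relation R are Python sets, L maps a state to the set of
atomic propositions that hold there (its letter), and R is total, so every
computation path can be extended and EU / EG are fixpoints over state sets.
Boolean expressions: True, False, ("p", name), ("not", b), ("and", b1, b2).
OBE formulas: ("b", bexpr), ("not", f), ("and", f, g), ("EX", f),
              ("EU", f, g), ("EG", f).
"""


def holds_letter(letter, b):
    """The boolean relation  letter |- b  for a letter (a set of propositions)."""
    if b is True or b is False:
        return b
    op = b[0]
    if op == "p":                       # atomic proposition: p in the letter
        return b[1] in letter
    if op == "not":
        return not holds_letter(letter, b[1])
    if op == "and":
        return holds_letter(letter, b[1]) and holds_letter(letter, b[2])
    raise ValueError(f"unknown boolean operator {op!r}")


def pre_exists(states, R, target):
    """States with at least one R-successor inside target (one EX step)."""
    return {s for s in states if any((s, t) in R for t in target)}


def sat(model, f):
    """Return the set of states s with  M, s |= f,  following rules 1-7."""
    S, R, L = model["S"], model["R"], model["L"]
    op = f[0]
    if op == "b":                       # rule 1: L(s) |- b
        return {s for s in S if holds_letter(L[s], f[1])}
    if op == "not":                     # rule 3
        return S - sat(model, f[1])
    if op == "and":                     # rule 4
        return sat(model, f[1]) & sat(model, f[2])
    if op == "EX":                      # rule 5: some successor satisfies f
        return pre_exists(S, R, sat(model, f[1]))
    if op == "EU":                      # rule 6: least fixpoint Z = f2 | (f1 & EX Z)
        f1, f2 = sat(model, f[1]), sat(model, f[2])
        Z = set(f2)
        while True:
            nxt = Z | (f1 & pre_exists(S, R, Z))
            if nxt == Z:
                return Z
            Z = nxt
    if op == "EG":                      # rule 7: greatest fixpoint Z = f & EX Z
        f1 = sat(model, f[1])
        Z = set(f1)
        while True:
            nxt = f1 & pre_exists(S, R, Z)
            if nxt == Z:
                return Z
            Z = nxt
    raise ValueError(f"unknown OBE operator {op!r}")


def model_holds(model, f):
    """M |= f  iff  f holds in every initial state."""
    return model["S0"] <= sat(model, f)


# Constructed sample model: a request/grant handshake with a stuck state
# from which no grant is ever reached. R is total by construction.
SAMPLE = {
    "S": {"idle", "req", "gnt", "stuck"},
    "S0": {"idle"},
    "R": {("idle", "idle"), ("idle", "req"), ("req", "gnt"), ("req", "stuck"),
          ("gnt", "idle"), ("stuck", "stuck")},
    "L": {"idle": set(), "req": {"req"}, "gnt": {"req", "gnt"}, "stuck": {"req"}},
}

REQ = ("p", "req")
GNT = ("p", "gnt")
EF_GNT = ("EU", ("b", True), ("b", GNT))                     # E[true U gnt]
EG_REQ_NOGNT = ("EG", ("b", ("and", REQ, ("not", GNT))))     # EG (req & !gnt)

if __name__ == "__main__":
    print("E[true U gnt] holds in", sorted(sat(SAMPLE, EF_GNT)))
    print("EG(req & !gnt) holds in", sorted(sat(SAMPLE, EG_REQ_NOGNT)))
    print("M |= EX EG(req & !gnt):", model_holds(SAMPLE, ("EX", EG_REQ_NOGNT)))
```

On the sample, $E[\text{true}\ U\ \text{gnt}]$ holds in every state except `stuck`, and $EG(\text{req} \wedge \neg\text{gnt})$ holds exactly in `req` and `stuck`; since `idle` can step to `req`, $EX\,EG(\text{req} \wedge \neg\text{gnt})$ holds in the initial state, which is the path-existence reading of rules 5 and 7.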

# **B.4 Syntactic Sugaring**

The remainder of the temporal layer is syntactic sugar. In other words, it does not add expressive power, and every piece of syntactic sugar can be defined in terms of the basic FL operators presented above. The syntactic sugar is defined below.

NOTE −

The definitions given here do not necessarily represent the most efficient implementation. In some cases, there is an equivalent syntactic sugaring, or a direct implementation, that is more efficient.

# **B.4.1 Additional SERE operators**

Let $i$, $j$, $k$, and $l$ be integer constants such that $i \geq 0$, $j \geq i$, $k \geq 1$, $l \geq k$. Then, additional SERE operators can be viewed as abbreviations of the basic SERE operators defined above, as follows, where $b$ denotes a boolean expression, and $r$ denotes a SERE:

- $r[+] \stackrel{\text{def}}{=} r; r[*]$
- $r[*0] \stackrel{\text{def}}{=} [*0]$
- $r[*k] \stackrel{\text{def}}{=} \overbrace{r; r; \ldots; r}^{k \text{ times}}$
- $r[*i..j] \stackrel{\text{def}}{=} r[*i] \mid \ldots \mid r[*j]$
- $r[*i..] \stackrel{\text{def}}{=} r[*i]; r[*]$
- $r[*..i] \stackrel{\text{def}}{=} r[*0] \mid \ldots \mid r[*i]$
- $r[*..] \stackrel{\text{def}}{=} r[*0..]$
- $[+] \stackrel{\text{def}}{=} \text{true}[+]$
- $[*] \stackrel{\text{def}}{=} \text{true}[*]$
- $[*i] \stackrel{\text{def}}{=} \text{true}[*i]$
- $[*i..j] \stackrel{\text{def}}{=} \text{true}[*i..j]$
- $[*i..] \stackrel{\text{def}}{=} \text{true}[*i..]$
- $[*..i] \stackrel{\text{def}}{=} \text{true}[*..i]$
- $[*..] \stackrel{\text{def}}{=} \text{true}[*..]$
- $b[=i] \stackrel{\text{def}}{=} \{\neg b[*]; b\}[*i]; \neg b[*]$
- $b[=i..j] \stackrel{\text{def}}{=} b[=i] \mid \ldots \mid b[=j]$
- $b[=i..] \stackrel{\text{def}}{=} b[=i]; [*]$
- $b[=..i] \stackrel{\text{def}}{=} b[=0] \mid \ldots \mid b[=i]$
- $b[=..] \stackrel{\text{def}}{=} b[=0..]$
- $b[\rightarrow] \stackrel{\text{def}}{=} \neg b[*]; b$
- $b[\rightarrow k] \stackrel{\text{def}}{=} \{\neg b[*]; b\}[*k]$
- $b[\rightarrow k..l] \stackrel{\text{def}}{=} b[\rightarrow k] \mid \ldots \mid b[\rightarrow l]$
- $b[\rightarrow k..] \stackrel{\text{def}}{=} b[\rightarrow k] \mid \{b[\rightarrow k]; [*]; b\}$
- $b[\rightarrow ..k] \stackrel{\text{def}}{=} b[\rightarrow 1] \mid \ldots \mid b[\rightarrow k]$
- $b[\rightarrow ..] \stackrel{\text{def}}{=} b[\rightarrow 1..]$
- $r_1 \,\&\, r_2 \stackrel{\text{def}}{=} \{\{r_1\} \,\&\&\, \{r_2; \text{true}[*]\}\} \mid \{\{r_1; \text{true}[*]\} \,\&\&\, \{r_2\}\}$
- $r_1$ within $r_2 \stackrel{\text{def}}{=} \{[*]; r_1; [*]\} \,\&\&\, \{r_2\}$

### **B.4.2 Additional FL operators**

Let $i$, $j$, $k$ and $l$ be integers such that $i \geq 0$, $j \geq i$, $k > 0$ and $l \geq k$. Then, additional operators can be viewed as abbreviations of the basic operators defined above, as follows, where $b$ denotes a boolean expression, $r$, $r_1$, and $r_2$ denote SEREs, and $\varphi$, $\varphi_1$, and $\varphi_2$ denote FL formulas:

- $\varphi_1 \vee \varphi_2 \stackrel{\text{def}}{=} \neg(\neg \varphi_1 \wedge \neg \varphi_2)$
- $\varphi_1 \rightarrow \varphi_2 \stackrel{\text{def}}{=} \neg \varphi_1 \vee \varphi_2$
- $\varphi_1 \leftrightarrow \varphi_2 \stackrel{\text{def}}{=} (\varphi_1 \rightarrow \varphi_2) \wedge (\varphi_2 \rightarrow \varphi_1)$
- $F\varphi \stackrel{\text{def}}{=} [\text{true}\ U\ \varphi]$
- $G\varphi \stackrel{\text{def}}{=} \neg F \neg \varphi$
- $X\varphi \stackrel{\text{def}}{=} \neg X! \neg \varphi$
- $[\varphi_1\ W\ \varphi_2] \stackrel{\text{def}}{=} [\varphi_1\ U\ \varphi_2] \vee G\varphi_1$
- always $\varphi \stackrel{\text{def}}{=} G\varphi$
- never $\varphi \stackrel{\text{def}}{=} G\neg\varphi$
- next! $\varphi \stackrel{\text{def}}{=} X!\varphi$
- next $\varphi \stackrel{\text{def}}{=} X\varphi$
- eventually! $\varphi \stackrel{\text{def}}{=} F\varphi$
- $\varphi_1$ until! $\varphi_2 \stackrel{\text{def}}{=} [\varphi_1\ U\ \varphi_2]$
- $\varphi_1$ until $\varphi_2 \stackrel{\text{def}}{=} [\varphi_1\ W\ \varphi_2]$
- $\varphi_1$ until!\_ $\varphi_2 \stackrel{\text{def}}{=} [\varphi_1\ U\ (\varphi_1 \wedge \varphi_2)]$
- $\varphi_1$ until\_ $\varphi_2 \stackrel{\text{def}}{=} [\varphi_1\ W\ (\varphi_1 \wedge \varphi_2)]$
- $\varphi_1$ before! $\varphi_2 \stackrel{\text{def}}{=} [\neg\varphi_2\ U\ (\varphi_1 \wedge \neg\varphi_2)]$
- $\varphi_1$ before $\varphi_2 \stackrel{\text{def}}{=} [\neg\varphi_2\ W\ (\varphi_1 \wedge \neg\varphi_2)]$
- $\varphi_1$ before!\_ $\varphi_2 \stackrel{\text{def}}{=} [\neg\varphi_2\ U\ \varphi_1]$
- $\varphi_1$ before\_ $\varphi_2 \stackrel{\text{def}}{=} [\neg\varphi_2\ W\ \varphi_1]$
- $X![i]\varphi \stackrel{\text{def}}{=} \overbrace{X!\,X!\,\ldots\,X!}^{i \text{ times}}\varphi$
- $X[i]\varphi \stackrel{\text{def}}{=} \overbrace{X\,X\,\ldots\,X}^{i \text{ times}}\varphi$
- next![i] $\varphi \stackrel{\text{def}}{=} X![i]\varphi$
- next[i] $\varphi \stackrel{\text{def}}{=} X[i]\varphi$
- next\_a![i..j] $\varphi \stackrel{\text{def}}{=} (X![i]\varphi) \wedge \ldots \wedge (X![j]\varphi)$
- next\_a[i..j] $\varphi \stackrel{\text{def}}{=} (X[i]\varphi) \wedge \ldots \wedge (X[j]\varphi)$
- next\_e![i..j] $\varphi \stackrel{\text{def}}{=} (X![i]\varphi) \vee \ldots \vee (X![j]\varphi)$
- next\_e[i..j] $\varphi \stackrel{\text{def}}{=} (X[i]\varphi) \vee \ldots \vee (X[j]\varphi)$
- next\_event!(b)($\varphi$) $\stackrel{\text{def}}{=} [\neg b\ U\ (b \wedge \varphi)]$
- next\_event(b)($\varphi$) $\stackrel{\text{def}}{=} [\neg b\ W\ (b \wedge \varphi)]$
- next\_event!(b)[k]($\varphi$) $\stackrel{\text{def}}{=}$ next\_event!(b)($\underbrace{X!\ \text{next\_event!}(b)(\ \ldots\ (X!\ \text{next\_event!}(b)}_{k-1 \text{ times}}(\varphi)) \ldots)$)
- next\_event(b)[k]($\varphi$) $\stackrel{\text{def}}{=}$ next\_event(b)($\underbrace{X\ \text{next\_event}(b)(\ \ldots\ (X\ \text{next\_event}(b)}_{k-1 \text{ times}}(\varphi)) \ldots)$)
- $r(\varphi) \stackrel{\text{def}}{=} r \mapsto \varphi$
- $r \Rightarrow \varphi \stackrel{\text{def}}{=} \{r; \text{true}\} \mapsto \varphi$
- $\varphi$ abort $b \stackrel{\text{def}}{=} \varphi$ async\_abort $b$

## **B.4.3 Parameterized SEREs and formulas**

Let $r$ be a SERE, and $l, m$ be integers. Let $S$ be a set of constants, integers or boolean values and $p$ an identifier. The left-hand sides of the following are SEREs, equivalent to the SEREs on the right-hand side:

- for $p$ in $S$: $|\ r \stackrel{\text{def}}{=} \big|_{s \in S} \{r[p \leftarrow s]\}$
- for $p\langle l..m \rangle$ in $S$: $|\ r \stackrel{\text{def}}{=} \big|_{s_l \in S} \cdots \big|_{s_m \in S} \{r[p\langle l..m \rangle \leftarrow \langle s_l..s_m \rangle]\}$
- for $p$ in $S$: $\&\&\ r \stackrel{\text{def}}{=} \&\&_{s \in S} \{r[p \leftarrow s]\}$
- for $p\langle l..m \rangle$ in $S$: $\&\&\ r \stackrel{\text{def}}{=} \&\&_{s_l \in S} \cdots \&\&_{s_m \in S} \{r[p\langle l..m \rangle \leftarrow \langle s_l..s_m \rangle]\}$
- for $p$ in $S$: $\&\ r \stackrel{\text{def}}{=} \&_{s \in S} \{r[p \leftarrow s]\}$
- for $p\langle l..m \rangle$ in $S$: $\&\ r \stackrel{\text{def}}{=} \&_{s_l \in S} \cdots \&_{s_m \in S} \{r[p\langle l..m \rangle \leftarrow \langle s_l..s_m \rangle]\}$

where $r[p \leftarrow s]$ is the SERE obtained from $r$ by replacing every occurrence of $p$ by $s$, and $r[p\langle l..m \rangle \leftarrow \langle s_l..s_m \rangle]$ is the SERE obtained from $r$ by replacing every occurrence of $p_j$ with $s_j$ for all $j$ such that $l \leq j \leq m$.

Let $f$ be a PSL formula, and $l, m$ integers. Let $S$ be a set of constants, integers or boolean values and $p$ an identifier. The left-hand sides of the following are PSL formulas equivalent to the PSL formulas on the right-hand side:

- for $p$ in $S$: $\vee\ f \stackrel{\text{def}}{=} \bigvee_{s \in S} f[p \leftarrow s]$
- for $p\langle l..m \rangle$ in $S$: $\vee\ f \stackrel{\text{def}}{=} \bigvee_{s_l \in S} \cdots \bigvee_{s_m \in S} f[p\langle l..m \rangle \leftarrow \langle s_l..s_m \rangle]$
- for $p$ in $S$: $\wedge\ f \stackrel{\text{def}}{=} \bigwedge_{s \in S} f[p \leftarrow s]$
- for $p\langle l..m \rangle$ in $S$: $\wedge\ f \stackrel{\text{def}}{=} \bigwedge_{s_l \in S} \cdots \bigwedge_{s_m \in S} f[p\langle l..m \rangle \leftarrow \langle s_l..s_m \rangle]$
- forall $p$ in $S$: $f \stackrel{\text{def}}{=}$ for $p$ in $S$: $\wedge\ f$
- forall $p\langle l..m \rangle$ in $S$: $f \stackrel{\text{def}}{=}$ for $p\langle l..m \rangle$ in $S$: $\wedge\ f$

where $f[p \leftarrow s]$ is the formula obtained from $f$ by replacing every occurrence of $p$ by $s$, and $f[p\langle l..m \rangle \leftarrow \langle s_l..s_m \rangle]$ is the formula obtained from $f$ by replacing every occurrence of $p_j$ with $s_j$ for all $j$ such that $l \leq j \leq m$.

## **B.5 Rewriting rules for clocks**

In Section B.3.1, we gave the semantics of clocked FL formulas directly. There is an equivalent definition in terms of unclocked FL formulas, as follows. Starting from the outermost clock, use the following rules to translate clocked SEREs into unclocked SEREs, and clocked FL formulas into unclocked FL formulas.

The rewrite rules for SEREs are:

- 1. $\mathcal{R}^c(\{r\}) = \{\mathcal{R}^c(r)\}$
- 2. $\mathcal{R}^c(b) = \{\neg c[*]; c \wedge b\}$
- 3. $\mathcal{R}^c(r_1 ; r_2) = \{\mathcal{R}^c(r_1)\} ; \{\mathcal{R}^c(r_2)\}$
- 4. $\mathcal{R}^c(r_1 : r_2) = \{\mathcal{R}^c(r_1)\} : \{\mathcal{R}^c(r_2)\}$
- 5. $\mathcal{R}^c(r_1 \mid r_2) = \{\mathcal{R}^c(r_1)\} \mid \{\mathcal{R}^c(r_2)\}$
- 6. $\mathcal{R}^c(r_1 \,\&\&\, r_2) = \{\mathcal{R}^c(r_1)\} \,\&\&\, \{\mathcal{R}^c(r_2)\}$
- 7. $\mathcal{R}^c([*0]) = [*0]$
- 8. $\mathcal{R}^c(r[*]) = \{\mathcal{R}^c(r)\}[*]$
- 9. $\mathcal{R}^c(r@c_1) = \mathcal{R}^{c_1}(r)$
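The clocked SERE semantics of Section B.3 and the $\mathcal{R}^c$ rules above can be executed side by side. The following Python is an added example, not code from the book or from any PSL tool: it decides tight satisfaction $v \stackrel{c}{|\!\equiv} r$ on constructed words by recursing over the nine semantic rules (the clock-tick test included), applies $\mathcal{R}^c$ to the same SERE, and checks that the unclocked result, evaluated under the clock true (under which every single letter is a clock tick, so the clocked rules reduce to the unclocked ones), gives the same verdict as the direct clocked semantics. The tuple encoding of SEREs, the predicate encoding of boolean expressions, and the sample words are assumptions of the example.

```python
"""Clocked SERE semantics (rules 1-9) and the R^c rewrite, run on finite words.

Encoding (an assumption of this example, not PSL syntax):
  - a word is a list of letters; a letter is the set of atomic propositions
    that hold in that cycle;
  - a boolean expression (b, c) is a Python predicate on a letter;
  - a SERE is a nested tuple:
      ("b", pred)   (";", r1, r2)   (":", r1, r2)   ("|", r1, r2)
      ("&&", r1, r2)   ("[*0]",)   ("[*]", r)   ("@", r, clk)
    Braces {r} are only grouping (rule 1), so they need no node.
"""


def TRUE(letter):
    """The boolean expression 'true'; under it every single letter is a clock tick."""
    return True


def is_clock_tick(v, c):
    """v is a clock tick of c: |v| > 0, c holds on the last letter and on no earlier one."""
    return len(v) > 0 and c(v[-1]) and not any(c(l) for l in v[:-1])


def tight(v, r, c):
    """v |==^c r : v tightly satisfies SERE r in the context of clock c."""
    op = r[0]
    if op == "b":                                   # rule 2
        return is_clock_tick(v, c) and r[1](v[-1])
    if op == ";":                                   # rule 3: v = v1 v2
        return any(tight(v[:i], r[1], c) and tight(v[i:], r[2], c)
                   for i in range(len(v) + 1))
    if op == ":":                                   # rule 4: v = v1 l v2, letter l is shared
        return any(tight(v[:i + 1], r[1], c) and tight(v[i:], r[2], c)
                   for i in range(len(v)))
    if op == "|":                                   # rule 5
        return tight(v, r[1], c) or tight(v, r[2], c)
    if op == "&&":                                  # rule 6: both match the whole of v
        return tight(v, r[1], c) and tight(v, r[2], c)
    if op == "[*0]":                                # rule 7
        return len(v) == 0
    if op == "[*]":                                 # rule 8: empty, or a non-empty prefix
        return len(v) == 0 or any(                  # matching r followed by r[*]
            tight(v[:i], r[1], c) and tight(v[i:], r, c)
            for i in range(1, len(v) + 1))
    if op == "@":                                   # rule 9: the inner clock replaces c
        return tight(v, r[1], r[2])
    raise ValueError(f"unknown SERE operator {op!r}")


def rewrite(r, c):
    """R^c(r): the unclocked SERE equivalent to r under clock c (rewrite rules 1-9)."""
    op = r[0]
    if op == "b":                                   # rule 2: {!c[*]; c && b}
        b = r[1]
        return (";", ("[*]", ("b", lambda l: not c(l))),
                ("b", lambda l: c(l) and b(l)))
    if op in (";", ":", "|", "&&"):                 # rules 3-6: rewrite both operands
        return (op, rewrite(r[1], c), rewrite(r[2], c))
    if op == "[*0]":                                # rule 7
        return r
    if op == "[*]":                                 # rule 8
        return ("[*]", rewrite(r[1], c))
    if op == "@":                                   # rule 9: R^{c1}(r)
        return rewrite(r[1], r[2])
    raise ValueError(f"unknown SERE operator {op!r}")


def agrees(v, r, c):
    """Direct clocked semantics and the rewrite give the same verdict on v.
    Unclocked satisfaction is the clocked semantics under the clock 'true'."""
    return tight(v, r, c) == tight(v, rewrite(r, c), TRUE)


def letters(*cycles):
    """Constructed word: each argument lists the propositions that hold in one cycle."""
    return [set(cycle.split()) for cycle in cycles]


# Constructed sample: a then b on consecutive ticks of clk, anything in between.
A = ("b", lambda l: "a" in l)
B = ("b", lambda l: "b" in l)
CLK = lambda l: "clk" in l
A_THEN_B_AT_CLK = ("@", (";", A, B), CLK)
WORD_OK = letters("a", "clk a", "b", "clk b")      # clk ticks in cycles 1 and 3
WORD_BAD = letters("a", "clk a", "b", "clk")       # the second tick lacks b

if __name__ == "__main__":
    for w in (WORD_OK, WORD_BAD):
        print(tight(w, A_THEN_B_AT_CLK, TRUE), agrees(w, A_THEN_B_AT_CLK, TRUE))
```

`WORD_OK` tightly satisfies `{a; b}@clk` because the two clock ticks carry `a` and then `b`, while `WORD_BAD` does not; on both words the rewritten SERE `{!clk[*]; clk && a}; {!clk[*]; clk && b}`, evaluated unclocked, gives the same answer, which is the equivalence the rewrite rules claim.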

The rewrite rules for FL formulas are:

1. $\mathcal{F}^c((\varphi)) = (\mathcal{F}^c(\varphi))$
2. $\mathcal{F}^c(b!) = [\neg c\ U\ (c \wedge b)]$
3. $\mathcal{F}^c(b) = [\neg c\ W\ (c \wedge b)]$
4. $\mathcal{F}^c(\neg \varphi) = \neg \mathcal{F}^c(\varphi)$
5. $\mathcal{F}^c(\varphi \wedge \psi) = (\mathcal{F}^c(\varphi) \wedge \mathcal{F}^c(\psi))$
6. $\mathcal{F}^c(X!\varphi) = [\neg c\ U\ (c \wedge X![\neg c\ U\ (c \wedge \mathcal{F}^c(\varphi))])]$
7. $\mathcal{F}^c([\varphi\ U\ \psi]) = [(c \rightarrow \mathcal{F}^c(\varphi))\ U\ (c \wedge \mathcal{F}^c(\psi))]$
8. $\mathcal{F}^c(r \mapsto \varphi) = \mathcal{R}^c(r) \mapsto \mathcal{F}^c(\varphi)$
9. $\mathcal{F}^c(r!) = \mathcal{R}^c(r)!$
10. $\mathcal{F}^c(r) = \mathcal{R}^c(r)$
11. $\mathcal{F}^c(\varphi @ c_1) = \mathcal{F}^{c_1}(\varphi)$
12. $\mathcal{F}^c(\varphi \text{ async\_abort } b) = \mathcal{F}^c(\varphi) \text{ async\_abort } b$
13. $\mathcal{F}^c(\varphi \text{ sync\_abort } b) = \mathcal{F}^c(\varphi) \text{ sync\_abort } (b \wedge c)$
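The $\mathcal{F}^c$ rules are a purely syntactic transformation, and seeing the output for a few formulas makes clear how much an unclocked checker has to do that a clocked one does implicitly (rule 6 alone wraps one $X!$ in two until-operators). The following Python is an added example, not the book's code or any tool's: it applies rules 1 to 7 and 11 to 13 to a formula encoded as nested tuples and renders the unclocked result in a PSL-like text form. Rules 8 to 10 hand their SERE to $\mathcal{R}^c$ and are left out here. The tuple encoding, the rendering, and the sample formulas are assumptions of the example.

```python
"""The F^c rewrite (rules 1-7 and 11-13) as a syntactic transformation.

Encoding (an assumption of this example): an FL formula is a nested tuple
  ("b", text)  ("b!", text)  ("not", f)  ("and", f, g)  ("X!", f)
  ("U", f, g)  ("@", f, clock_text)  ("async_abort", f, b_text)
  ("sync_abort", f, b_text)
where boolean expressions and clocks are carried as PSL-style text so the
result can be printed. Rules 8-10 hand their SERE to R^c and are not included.
"""


def rewrite_fl(f, c):
    """F^c(f): the unclocked formula equivalent to f under clock c."""
    not_c = ("b", f"!{c}")
    op = f[0]
    if op == "b!":                                  # rule 2: [!c U (c && b)]
        return ("U", not_c, ("b", f"({c} && {f[1]})"))
    if op == "b":                                   # rule 3: [!c W (c && b)]
        return ("W", not_c, ("b", f"({c} && {f[1]})"))
    if op == "not":                                 # rule 4
        return ("not", rewrite_fl(f[1], c))
    if op == "and":                                 # rule 5
        return ("and", rewrite_fl(f[1], c), rewrite_fl(f[2], c))
    if op == "X!":                                  # rule 6: reach a tick, step, reach the next tick
        at_next_tick = ("U", not_c, ("and", ("b", c), rewrite_fl(f[1], c)))
        return ("U", not_c, ("and", ("b", c), ("X!", at_next_tick)))
    if op == "U":                                   # rule 7: only cycles where c holds count
        return ("U", ("->", ("b", c), rewrite_fl(f[1], c)),
                ("and", ("b", c), rewrite_fl(f[2], c)))
    if op == "@":                                   # rule 11: the inner clock takes over
        return rewrite_fl(f[1], f[2])
    if op == "async_abort":                         # rule 12: the abort condition stays unclocked
        return ("async_abort", rewrite_fl(f[1], c), f[2])
    if op == "sync_abort":                          # rule 13: the abort is sampled with the clock
        return ("sync_abort", rewrite_fl(f[1], c), f"({f[2]} && {c})")
    raise ValueError(f"unknown FL operator {op!r}")


def show(f):
    """Render a formula in a PSL-like textual form."""
    op = f[0]
    if op == "b":
        return f[1]
    if op == "b!":
        return f"{f[1]}!"
    if op == "not":
        return f"!({show(f[1])})"
    if op in ("and", "->"):
        sym = "&&" if op == "and" else "->"
        return f"({show(f[1])} {sym} {show(f[2])})"
    if op == "X!":
        return f"X! {show(f[1])}"
    if op in ("U", "W"):
        return f"[{show(f[1])} {op} {show(f[2])}]"
    if op == "@":
        return f"({show(f[1])})@{f[2]}"
    if op in ("async_abort", "sync_abort"):
        return f"({show(f[1])} {op} {f[2]})"
    raise ValueError(f"unknown FL operator {op!r}")


def unclock(f, c):
    """Text of F^c(f)."""
    return show(rewrite_fl(f, c))


# Constructed sample formulas
STRONG_B = ("b!", "b")
NEXT_B = ("X!", ("b", "b"))
TWO_CLOCKS = ("@", ("and", ("b!", "a"), ("@", ("b!", "b"), "c2")), "c1")
ABORTED = ("sync_abort", ("b!", "a"), "rst")

if __name__ == "__main__":
    for f in (STRONG_B, NEXT_B, TWO_CLOCKS, ABORTED):
        print(show(f), "  under clk  ->  ", unclock(f, "clk"))
```

For `X! b` under `clk` the output is `[!clk U (clk && X! [!clk U (clk && [!clk W (clk && b)])])]`: wait for a tick, take one step, wait for the next tick, and only then evaluate the (weak) boolean, which is exactly the two clock ticks that rule 9 of the clocked FL semantics asks for. For the nested-clock formula the outer `clk` never appears in the result, since rule 11 replaces it with `c1`, and `c1` is in turn replaced by `c2` inside.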

# **Operator Precedence**

The table below gives the order of precedence of the operators as well as their associativity. Here next\* and next\_event\* stand for all the variations of the next and next\_event operators, and until\* and before\* stand for all the variations of the until and before operators.



# **Quick Reference**

## **D.1 Logical operators**

### **D.1.1 Verilog, SystemVerilog and SystemC flavors**

Here b is a Boolean expression, p, q properties, L a list of values, j, k integers, and x an identifier; $p(x)$ indicates a property p that uses identifier x.

### **D.1.2 Logical operators in the VHDL flavor**

Here b is a Boolean expression, p, q properties, L a list of values, j, k integers, and x an identifier; $p(x)$ indicates a property p that uses identifier x.

### **D.1.3 Logical operators in the GDL flavor**

Here b is a Boolean expression, p, q properties, L a list of values, j, k integers, and x an identifier; $p(x)$ indicates a property p that uses identifier x.

## **D.2 LTL style**

### **D.2.1 always, never and eventually!**

Here p and q are properties.

### **D.2.2 The next\* operators**

Here p is a property and m and n are integers such that $m \geq 1$ and $n \geq m$.

### **D.2.3 The next\_event\* operators**

Here b is a Boolean expression, p is a property, and m and n are integers such that $m \geq 1$ and $n \geq m$.

### **D.2.4 The until\* and before\* operators**

Here p and q are properties.

### **D.2.5 Abort operators**

Here b is a Boolean expression and p is a property.

### **D.2.6 LTL operators**

The Foundation Language is based on the temporal logic LTL. PSL supports the LTL operators shown in the table below. Here p and q are properties.

## **D.3 SERE style**

### **D.3.1 Consecutive repetition operators**

Here b is a Boolean expression, s is a SERE, and i, j are integers such that $i \geq 0$ and $j \geq i$.

### **D.3.2 Non-consecutive and goto repetition operators**

Here b is a Boolean expression and i, j, m, n are integers such that $i \geq 0$, $j \geq i$, $m \geq 1$ and $n \geq m$.

### **D.3.3 Other SERE operators**

Here s and t are SEREs, L is a list of values, j and k are integers, and x is an identifier; $s(x)$ indicates a SERE s that uses the identifier x.

### **D.3.4 Common SERE style properties**

Here s and t are SEREs, and p is a property.

## **D.4 Clocking**

### **D.4.1 Clocking properties**

Here p is a property and c is a Boolean expression.

### **D.4.2 Clocking SEREs**

Here s is a SERE and c is a Boolean expression.

## **D.5 Boolean, modeling and verification layers**

### **D.5.1 Built-in functions concerning time**

Here A is of any type, n is a number, c is a clock expression, b is a bit vector and s is a SERE.

### **D.5.2 Other built-in functions and the union operator**

Here A and B are of any type, n is a number, c is a clock expression, V is a bit vector, and L is a list of values.

### **D.5.3 Verification directives**

Here p is a property, s is a SERE, b and c are Boolean expressions, msg is a string, lname is an identifier and D is a directive.

### **D.5.4 Verification units**

Here name is an identifier and mod is a module or module instance.

## **D.6 Some convenient constructs**

### **D.6.1 Comments and Macros**

Here x is an identifier, L is a statically computable list and $|L|$ is the size of the list L.

### **D.6.2 Named properties and SEREs**

Here name is an identifier, type\_x, type\_y are formal parameter types, $\texttt{param1}, \ldots, \texttt{paramN}$ are formal parameters and $\texttt{actual1}, \ldots, \texttt{actualN}$ are actual parameters.

#### **Formal parameter types**

The table below gives a description of the parameter types that can be used in the declaration of a property or SERE.

### **D.6.3 The forall operator**

Here x is an identifier, j and k are integers, and L a list of values; $p(x)$ indicates a property p that uses the identifier x.

NOTE: In replicated properties using forall, x can be a vector. In such a case, each element of x is treated independently. For example, the property

`forall x[0:7] in boolean: always ((read & data[0:7] == x[0:7]) -> next_event(write)(data[0:7] == x[0:7]))`

is equivalent to the "and" of 256 properties, one for each possible value of x[0:7]. Similarly x can be a vector in parametrized properties and SEREs as well.

# **Bibliographic Notes**

Below we give a brief history of PSL. Our aim is not to give a complete chronicle of the history of temporal logic, nor a full accounting of the history of assertions in hardware design. Furthermore, we will not list each of the many people who participated in one or more of the Accellera and IEEE committees involved in the development of PSL – their names appear in the Accellera and IEEE standards. Rather, our aim is to touch on the major milestones in the development of the language, and the main personalities and ideas that have influenced PSL from its beginnings as syntactic sugaring of the temporal logic CTL, through the move to an LTL-based paradigm, and concluding with the IEEE standardization in October 2005. For background, we include a few words about the temporal logics CTL and LTL as well.

We have made every effort to refer to all the main relevant works, however we may have missed something. If so, we apologize in advance for the omission and would welcome any corrections and/or comments.

#### **The temporal logics LTL and CTL**

The linear time logic LTL was introduced as propositional temporal logic, or PTL, by Amir Pnueli in 1977 [41], and the computation tree logic CTL was first presented by Ed Clarke and Allen Emerson in 1981 [14]. For many years, a debate as to the relative merits of each was conducted in the literature. Moshe Vardi was one of the main players in that debate – see for instance [45]. One of the main arguments is that LTL is easier to use, while CTL is easier to model check.

In 1983, Pierre Wolper argued in [46] that LTL is not expressive enough: the requirement "p holds on every even cycle" is not expressible in LTL (nor is it expressible in CTL). In fact, LTL has the expressive power of star-free regular expressions – see [21].

### **Development of Sugar at IBM**

PSL began its life as Sugar at the IBM Haifa Research Laboratory in the early 1990s. Ilan Beer, Shoham Ben-David and Avner Landver developed Sugar as a syntactic sugaring of CTL, with the intention of making the specification process easier for users of IBM's RuleBase model checker. For instance, the next\_event operator dates to the early days of Sugar, and next\_event(b)(f) was at that time defined as $A[\neg b\ W\ (b \wedge f)]$. The concept of vacuity, about which much has been written since [8, 37, 9, 16, 42, 6, 28, 29, 44, 13], dates to these early days.

Circa 1995, regular expressions were added to the logic [10] using the syntax $\{r\}(p)$, where r is a regular expression and p a Sugar property, in a manner reminiscent of PDL [22]. Shortly thereafter, suffix implication – in which both the left- and right-hand sides are regular expressions – was added [7], including both weak and strong regular expressions [17]. Although the motivation was usability and not expressive power, Armoni et al. [5] showed that the addition of regular expressions has the side effect of increasing the expressive power to that of omega-regular expressions. As noted in [12], their proof, for the temporal logic ForSpec, holds for PSL as well.

Originally conceived as a language for formal verification [15, 39], 1997 saw the first use of Sugar in simulation [1].

### **From Accellera onwards**

The Accellera FVTC (Formal Verification Technical Committee) started life in 1998 as the VFV (Verilog Formal Verification) committee of OVI (Open Verilog International). When OVI and VI (VHDL International) merged into Accellera in 2000, the charter of the committee was expanded to include VHDL in addition to Verilog. Although the name includes the term "formal verification", a single specification language for both dynamic (simulation) and static (formal) verification soon became the goal of the committee. The two of us participated in the committee from close to its inception as representatives of the candidate language Sugar.

Very important roles were played by Harry Foster and Erich Marschner, chairman and co-chairman of the FVTC. Both Harry and Erich put in an enormous amount of work behind the scenes driving the standardization process – without them it would not have happened. In addition, Erich's endless patience in hearing out the more vocal members of the committee, his care to solicit the input of the more reticent members, and his documentation of everyone's opinion was greatly appreciated by all.

Leading figures from the academic roots of PSL, Ed Clarke, Allen Emerson and Moshe Vardi, took part in the process, as did over 30 industrial representatives, including both potential users of the language as well as EDA vendors. From very early on, it was decided to choose one of a number of candidate languages as the base language to be modified and enhanced according to requirements identified by the committee. In addition to Sugar, three candidate languages were donated to Accellera for consideration: CBV from Motorola [31], represented by John Havlicek and Hillel Miller, ForSpec from Intel [5], represented by Roy Armoni, and Temporal e from Verisity [40], represented by David Van Campenhout. The committee judged the candidate languages on the basis of an extensive list of 70 requirements, and on the basis of an example document containing 74 example industry properties, expressed in each of the four languages.

The exact selection process was as follows: two candidate languages out of the four were selected by vote, after which the committee identified desired changes. The donors of the two selected languages (CBV and Sugar) then modified their original proposal as per the requested changes. The final vote, taken in April of 2002, chose Sugar (with 71.4% of the votes) to be the Accellera specification language, renamed PSL.

In between the donation of Sugar in November of 2000 and its selection by the FVTC in April of 2002, a huge amount of time was invested in conducting the technical debate in the committee. The IBM team conducting the debate consisted of the two of us as well as Shoham Ben-David. As a result of the debate, and of the changes requested by the committee during the selection process, the language underwent an evolutionary process during this time.

The most visible of the changes was the move from the branching-time semantics of CTL to the linear-time semantics of LTL, as a result of the very persuasive arguments of Moshe Vardi in favor of linear-time semantics. The work of Monika Maidl [38] was instrumental in allowing the move, as it showed that the vast majority of Sugar properties used in practice could be syntactically transformed from CTL into LTL and vice versa. This meant that while the move was deeply significant from a theoretical point of view, there was little or no impact to the user from a practical point of view, for two reasons. First, because the user's view of the language did not change – the fact that next event was now defined in LTL rather than CTL was transparent to the user in the vast majority of cases (which could be ascertained on the basis of a simple syntactic test). And second, because the same tools could be used to check LTL-based Sugar as CTL-based Sugar, providing they passed the same simple syntactic test. The simple subset of PSL, described in Chapter 9, has its roots in Maidl's common fragment (see also [11]).

Two other very visible additions to the language – support for multiple clocks and the abort operator – are the result of requests by Intel, recalling features of its ForSpec temporal logic [5]. Some other important additions dating to this period include the flavor concept, the layered definition of the language (the original definition of Sugar did not include the modeling and verification layers), and the formal definition of finite semantics, augmenting the infinite semantics previously defined. During some of this time, the IBM team was supported by Mike Gordon, whose work on incorporating the formal semantics of PSL into HOL [25, 26, 27] uncovered some subtle bugs in the formal semantics as originally written.

The first Accellera version of PSL (PSL 1.01) [2] was released in June 2003. Accellera version 1.1 [3], released in June 2004, added a SystemVerilog flavor to the original three flavors (Verilog, VHDL, and GDL). In addition, operator precedence was overhauled and labels and report clauses for directives were added. Accellera version 1.1 also corrected three anomalies present in version 1.01. While these anomalies had minimal influence on users of the language (because they involved corner cases that tools could choose to ignore with little or no impact on the user), it was important that they ultimately be solved, because adherence to the standard is determined by adherence to the formal semantics.

The first anomaly was that originally two kinds of clocks, strong and weak, were defined, but the strength of the clock had only a minimal effect. A solution that eliminated the need for two kinds of clocks was presented in [20], and incorporated into the Accellera version 1.1 formal semantics.

The second anomaly was identified in [4], which showed that the complexity of the abort operator as defined in Accellera version 1.01 was problematical. A solution, based on the theory of truncated paths developed in [18], incorporated the semantics suggested by [4] but used a simpler and more elegant notation. This solution was later modified to include SEREs [19], and basic results on the resulting semantics (which were incorporated into the Accellera version 1.1 formal semantics) were documented in [30].

The third anomaly concerned weak SEREs such as $\{a ; b[*] ; \text{'false}\}$ (where 'false is an expression that does not hold at any cycle), that do not match any sequence of cycles. In the formal semantics of Accellera version 1.01, such a SERE, when used as a property, would not hold on any trace, whereas the intuition and intention was that $\{a ; b[*] ; \text{'false}\}$, being weak, hold on a sequence of cycles in which a is asserted on the first cycle and b on all the rest. The solution was based on the framework developed in [18, 19], and was incorporated into the Accellera version 1.1 formal semantics. However, the solution creates a new anomaly, in that it treats the logical contradiction 'false differently from the *structural contradiction* $\{a\} \,\&\&\, \{a; a\}$. A possible solution to this was proposed in [17], which also examines in depth the issue of weak vs. strong temporal operators.

The first IEEE version (IEEE Std 1850-2005) [33] was released in October 2005. In addition to a number of clarifications on various topics, the main changes for IEEE Std 1850-2005 were the addition of a fifth flavor (SystemC), replacement of endpoints with the built-in function ended(), the addition of variations on the abort operator, parameterized properties and SEREs, and the introduction of the keyword hdltype to ease interaction with the underlying HDL.

### **Current status**

Any attempt to list tools supporting PSL would quickly become out of date. See http://www.haifa.il.ibm.com/projects/verification/sugar/tools.html for such a list.

# **References**

- 1. Y. Abarbanel, I. Beer, L. Gluhovsky, S. Keidar, and Y. Wolfsthal. FoCs: Automatic generation of simulation checkers from formal specifications. In Proc. 12th International Conference on Computer Aided Verification (CAV 2000), volume 1855 of LNCS, pages 538–542. Springer, 2000.
- 2. Accellera Property Specification Language Reference Manual (version 1.01). http://www.eda.org/vfv/docs/psl_lrm-1.01.pdf.
- 3. Accellera Property Specification Language Reference Manual (version 1.1). http://www.eda.org/vfv/docs/PSL-v1.1.pdf.
- 4. R. Armoni, D. Bustan, O. Kupferman, and M.Y. Vardi. Resets vs. aborts in linear temporal logic. In Proc. 9th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2003), volume 2619 of LNCS, pages 65–80. Springer, 2003.
- 5. R. Armoni, L. Fix, A. Flaisher, R. Gerth, B. Ginsburg, T. Kanza, A. Landver, S. Mador-Haim, E. Singerman, A. Tiemeyer, M.Y. Vardi, and Y. Zbar. The ForSpec temporal logic: A new temporal property-specification language. In Proc. 8th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2002), volume 2280 of LNCS, pages 296–311. Springer, 2002.
- 6. R. Armoni, L. Fix, A. Flaisher, O. Grumberg, N. Piterman, A. Tiemeyer, and M.Y. Vardi. Enhanced vacuity detection in linear temporal logic. In Proc. 15th International Conference on Computer Aided Verification (CAV 2003), volume 2725 of LNCS, pages 368–380. Springer, 2003.
- 7. I. Beer, S. Ben-David, C. Eisner, D. Fisman, A. Gringauze, and Y. Rodeh. The temporal logic Sugar. In Proc. 13th International Conference on Computer Aided Verification (CAV 2001), volume 2102 of LNCS, pages 363–367. Springer, 2001.
- 8. I. Beer, S. Ben-David, C. Eisner, and Y. Rodeh. Detection of vacuity in ACTL formulas. In Proc. 9th International Conference on Computer Aided Verification (CAV 1997), volume 1254 of LNCS, pages 279–290. Springer, 1997.
- 9. I. Beer, S. Ben-David, C. Eisner, and Y. Rodeh. Efficient detection of vacuity in temporal model checking. Formal Methods in System Design, 18(2):141–163, 2001.
- 10. I. Beer, S. Ben-David, and A. Landver. On-the-fly model checking of RCTL formulas. In Proc. 10th International Conference on Computer Aided Verification (CAV 1998), volume 1427 of LNCS, pages 184–194. Springer, 1998.
- 11. S. Ben-David, D. Fisman, and S. Ruah. The safety simple subset. In Proc. 1st International Haifa Verification Conference, volume 3875 of LNCS, pages 14–29. Springer, 2005.
- 12. D. Bustan, D. Fisman, and J. Havlicek. Automata construction for PSL. Technical Report MCS05-04, The Weizmann Institute of Science, May 2005.
- 13. D. Bustan, A. Flaisher, O. Grumberg, O. Kupferman, and M.Y. Vardi. Regular vacuity. In Proc. 13th Advanced Research Working Conference on Correct Hardware Design and Verification Methods (CHARME 2005), volume 3725 of LNCS, pages 191–206. Springer, 2005.
- 14. E.M. Clarke and E.A. Emerson. Design and synthesis of synchronization skeletons using branching-time temporal logic. In Logic of Programs Workshop, volume 131 of LNCS, pages 52–71. Springer, 1981.
- 15. E.M. Clarke, O. Grumberg, and D.A. Peled. Model Checking. MIT Press, 1999.
- 16. Y. Dong, B. Sarna-Starosta, C.R. Ramakrishnan, and S.A. Smolka. Vacuity checking in the modal mu-calculus. In Proc. 9th International Conference on Algebraic Methodology and Software Technology (AMAST 2002), pages 147–162. Springer, 2002.
- 17. C. Eisner, D. Fisman, and J. Havlicek. A topological characterization of weakness. In Proc. 24th Annual ACM SIGACT-SIGOPS Symposium on Principles Of Distributed Computing (PODC 2005), pages 1–8. ACM, 2005.
- 18. C. Eisner, D. Fisman, J. Havlicek, Y. Lustig, A. McIsaac, and D. Van Campenhout. Reasoning with temporal logic on truncated paths. In Proc. 15th International Conference on Computer Aided Verification (CAV 2003), volume 2725 of LNCS, pages 27–39. Springer, 2003.
- 19. C. Eisner, D. Fisman, J. Havlicek, and J. Mårtensson. The  $\top, \bot$  approach for truncated semantics. Technical Report 2006.01, Accellera, May 2006.
- 20. C. Eisner, D. Fisman, J. Havlicek, A. McIsaac, and D. Van Campenhout. The definition of a temporal clock operator. In Proc. 30th International Colloquium on Automata, Languages and Programming (ICALP 2003), volume 2719 of LNCS, pages 857–870. Springer, 2003.
- 21. E.A. Emerson. Temporal and modal logic. In Handbook of Theoretical Computer Science, Volume B, chapter 16, pages 995–1072. Elsevier Science Publishers and The MIT Press, 1994.
- 22. M.J. Fischer and R.E. Ladner. Propositional dynamic logic of regular programs. Journal of Computer and Systems Sciences, 18:194–211, 1979.
- 23. H.D. Foster, A.C. Krolnik, and D.J. Lacey. Assertion Based Design, 2nd Edition. Kluwer Academic Publishers, 2004.
- 24. GDL General Description Language. Available at http://standards.ieee.org/downloads/1850/1850-2005/gdl.pdf.
- 25. M.J.C. Gordon. Using HOL to study Sugar 2.0 semantics. In Proc. 15th International Conference on Theorem Proving in Higher Order Logics (TPHOLs 2002, NASA/CP-2002-211736), pages 87–100. National Aeronautics and Space Administration, 2002.
- 26. M.J.C. Gordon. Validating the PSL/Sugar semantics using automated reasoning. Formal Asp. Comput., 15(4):406–421, 2003.
- 27. M.J.C. Gordon, J. Hurd, and K. Slind. Executing the formal semantics of the Accellera Property Specification Language by mechanised theorem proving. In Proc. 12th Advanced Research Working Conference on Correct Hardware Design and Verification Methods (CHARME 2003), volume 2860 of LNCS, pages 200–215. Springer, 2003.
- 28. A. Gurfinkel and M. Chechik. Extending extended vacuity. In Proc. 5th International Conference on Formal Methods in Computer-Aided Design (FMCAD 2004), volume 3312 of LNCS, pages 306–321. Springer, 2004.
- 29. A. Gurfinkel and M. Chechik. How vacuous is vacuous? In Proc. 10th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2004), volume 2988 of LNCS, pages 451–466. Springer, 2004.
- 30. J. Havlicek, D. Fisman, and C. Eisner. Basic results on the semantics of Accellera PSL 1.1. Technical Report 2004.02, Accellera, May 2004.
- 31. J. Havlicek, N. Levi, H. Miller, and K. Shultz. Extended CBV statement semantics, partial proposal presented to the Accellera Formal Verification Technical Committee, April 2002. At http://www.eda.org/vfv/hm/att-0772/01 ecbv statement semantics.ps.gz.
- 32. IEC/IEEE Standard for Verilog Register Transfer Level Synthesis. IEC/IEEE 62142 (IEEE 1364.1).
- 33. IEEE Standard for Property Specification Language (PSL). IEEE Std 1850-2005.
- 34. IEEE Standard for SystemVerilog. IEEE Std 1800-2005.
- 35. IEEE Standard for VHDL Register Transfer Level (RTL) Synthesis. IEEE Std 1076.6.
- 36. IEEE Standard SystemC Language Reference Manual. IEEE Std 1666-2005.
- 37. O. Kupferman and M.Y. Vardi. Vacuity detection in temporal model checking. In Proc. 10th Advanced Research Working Conference on Correct Hardware Design and Verification Methods (CHARME 1999), volume 1703 of LNCS, pages 82–96. Springer, 1999.
- 38. M. Maidl. The common fragment of CTL and LTL. In Proc. 41st Annual Symposium on Foundations of Computer Science (FOCS 2000), pages 643–652. IEEE Computer Society, 2000.
- 39. K.L. McMillan. Symbolic Model Checking. Kluwer Academic Publishers, 1993.
- 40. M.J. Morley. Semantics of temporal e. In Proc. Banff '99 Higher Order Workshop (Formal Methods in Computation), 1999. University of Glasgow, Dept. of Computing Science Technical Report.
- 41. A. Pnueli. The temporal logics of programs. In Proc. of the Annual IEEE Symposium on Foundations of Computer Science (FOCS 1977), pages 46–57. IEEE Computer Society, 1977.
- 42. M. Purandare and F. Somenzi. Vacuum cleaning CTL formulae. In Proc. 14th International Conference on Computer Aided Verification (CAV 2002), volume 2404 of LNCS, pages 485–499. Springer, 2002.
- 43. RuleBase User's Manual. IBM Haifa Research Laboratory.
- 44. M. Samer and H. Veith. Parameterized vacuity. In Proc. 5th International Conference on Formal Methods in Computer-Aided Design (FMCAD 2004), volume 3312 of LNCS, pages 322–336. Springer, 2004.
- 45. M.Y. Vardi. Branching vs. linear time: Final showdown. In Proc. 7th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2001), volume 2031 of LNCS. Springer, 2001.
- 46. P. Wolper. Temporal logic can be more expressive. Information and Control, 56(1/2):72–99, 1983.

# **Index**

- !, 27, 41
- ->, 7, 22, 24, 38, 39, 131–142
- :, 47
- ;, 47, 133, 134
- @, 65–69, 71–81, 161–164, 166–169, 172
- [*], 43
- [+], 44
- [->], 46, 149
- [=], 44
- $, 44
- && (SERE length-matching "and"), 52
- & (SERE non-length-matching "and"), 52
- |->, 36, 39, 56, 131, 132, 137
- |=>, 36, 39, 56, 131, 134, 136, 140, 141
- | (SERE "or"), 51
- <->, 101
- abort, 83, 89
  - asynchronous, 89
  - common errors with, 143
  - confusing with "or", 145
  - confusing with until, 143
  - for properties whose outermost operator is not an always, 86
  - placement of parentheses, 84
  - synchronous, 89
- active-high, 2
- active-low, 2
- always, 6, 34
- "and"
  - confusing with implication, 132
  - length-matching, 52
  - non-length-matching, 52
  - parameterized, 95, 96
- assert, 106
- assertion, 1, 19
  - high-level, 124
  - Java, 1, 19
  - low-level, 123
  - VHDL, 1, 19
  - vs. property, 19
- assume, 106
- assume_guarantee, 107
- assumption, 1, 19
- async_abort, 89
- asynchronous abort, 89
- asynchronous property embedded in synchronous, 81
- before, 14
- before!, 32
- before!_, 32
- before_, 16
- binding
  - vunit, 105
- bit, 93
- bitvector, 93
- boolean, 93
- Boolean expression
  - repeating, 43
  - used as clock, 68
- Boolean layer, 2, 3, 103
- built-in function, 103
  - ended(), 57, 156, 228
  - next(), 104, 117
  - nondet(), 117
  - nondet_vector(), 117
  - prev(), 104
  - countones(), 104
  - fell(), 104
  - isunknown(), 104
  - onehot(), 104
  - onehot0(), 104
  - rose(), 104
  - stable(), 104
- bus interface, 128
- clock, 65
  - context, 103
  - cycle, 65, 72
  - default, 20, 80
  - edge, 67
  - expression, 20, 103
  - inner, 81, 167
  - interleaved, 161
  - keyword, 80
  - multiple, 161
  - nested, 81
  - nesting, 167
  - not well-behaved, 172
  - operator, 66
  - outer, 81, 167
  - placement of, 74
  - using Boolean expression as, 68, 78
  - well-behaved, 161
- clock (keyword), 80
- comments, 91
- common equivalences, 111, 113
- compound SERE, 51
- concatenation, 47, 133
  - confusing with implication, 133, 134
- consecutive repetition, 43
- const, 93
- context clock, 103
- countones(), 104
- cover, 107
- cpp preprocessor, 97
- CTL, 115
- current cycle, 20, 24, 36, 131, 139
- cycle
  - "eating", 49
  - clock, 20, 65, 72
  - current, 20, 24, 36, 131, 139
  - PSL, 65
  - skipping, 44
- cycle-based, 20, 65, 74, 78
  - trace, simplifying properties for, 78
- default, 80
- default clock, 20, 80
- default vmode, 106
- #define, 97
- 'define, 97
- delay, 49
- design
  - edge-triggered, 66, 72, 161
  - glitch-free, 67, 76, 162
  - level-sensitive, 68, 71, 72, 161
  - multiply-clocked, 167
  - multiply-clocked, singly-clocked property in, 167
  - multiply-clocked, vs. multiply-clocked property, 167
  - singly-clocked, 71, 164, 167
  - two-phased, 71
- design signals
  - overriding, 119
- directive, 1, 2, 106
- duality of weak and strong operators, 114
- edge clock, 67
- edge-triggered design, 66, 72, 161
- ended(), 57, 156, 228
- endpoints, 57, 228
- equivalences
  - common, 111, 113
  - false, 157
- event trigger, 68
- event-based, 20, 65, 74
- event-driven simulation, 74
- eventually!, 17, 33
  - applying to a logical implication, 141
  - applying to a suffix implication, 142
- expression
  - clock, 20, 103
  - regular, 35
- "extraneous" assertions of signals, 150
- F, 211
- fails, 109
- failure reporting, 24
- fairness, 107
- 'false, 3
- false "equivalence", 157
- fell(), 67, 104
- FIFO, 126
- finite traces, 109
- "first match" operator, 148
- FL, see Foundation Language
- flavor, 3, 91
  - flavor A, applying to design in flavor B, 122
  - GDL, 3, 91, 97
  - SystemC, 3, 91, 97
  - SystemVerilog, 3, 91, 97
  - Verilog, 3, 67, 91, 97
  - VHDL, 3, 91, 97
- %for, 97, 127
- forall, 12, 94, 116
- formal verification, 114
- Foundation Language, 5, 20, 115
- four levels of satisfaction, 109
- four-valued logic, 103
- function
  - built-in, 103
- fusion, 47
- G, 211
- GDL flavor, 3, 91, 97
- glitch, 74
- glitch-free, 67
  - design, 76, 162
  - expressing in PSL, 76
- goto repetition, 46, 149
- granularity of time, 20, 73, 74
- hdltype, 93, 228
- high-level assertion, 124
- holding
  - two degrees of, 109
- holds but does not hold strongly, 109
- holds strongly, 109
- #if, 97
- %if, 97
- if-then expression, 7, 38, 131, 135
- #ifdef, 97
- 'ifdef, 97
- implication
  - logical, 7, 22, 24, 38, 39
  - logical, applying eventually! to, 141
  - logical, common errors with, 131
  - logical, confusing with "and", 132
  - logical, confusing with concatenation, 133
  - logical, confusing with suffix implication, 131
  - logical, incorrect nesting of, 138
  - logical, negating, 137
  - logical, nesting of, 139
  - logical, using with never, 135
  - suffix, 36, 39, 56
  - suffix, applying eventually! to, 142
  - suffix, common errors with, 131
  - suffix, confusing with concatenation, 134
  - suffix, confusing with logical implication, 131
  - suffix, incorrect nesting of, 138
  - suffix, negating, 137
  - suffix, nesting of, 139
  - suffix, non-overlapping, 38
  - suffix, overlapping, 36
  - suffix, placement of, 141
  - suffix, using with never, 136
- in, 94
- incorrect nesting of logical implications and suffix implications, 138
- inf, 44
- inherit, 105
- inheritance
  - vunit, 105
- initial values, 162, 164
- inner clock, 81, 167
- instances
  - multiple, 21, 84
- instantiation, 21, 84
- interleaved clocks, 161
- isunknown(), 104
- Java, 1, 19
- labels, 107
- layer
  - Boolean, 2, 3, 103
  - modeling, 3, 105
  - modeling, example of use, 113, 127, 153, 155
  - temporal, 2, 3
  - verification, 2, 3, 80, 105
- length-matching "and", 52
- level-sensitive design, 68, 71, 72, 161
- liveness, 119
- logic
  - four-valued, 103
- logical iff, 101
- logical implication, 7, 22, 24, 38, 39
  - applying eventually! to, 141
  - common errors with, 131
  - confusing with "and", 132
  - confusing with concatenation, 133
  - confusing with suffix implication, 131
  - incorrect nesting of, 138
  - negating, 137
  - nesting, 139
  - using with never, 135
- low-level assertion, 123
- LTL style, 5, 35, 111, 113
- macros, 97
- modeling layer, 3, 105
  - example of use, 113, 127, 153, 155
- modularity, 20, 21
- multiple clocks, 161
- multiply-clocked design, 167
  - singly-clocked property in, 167
  - vs. multiply-clocked property, 167
- multiply-clocked property, 71, 164, 167–169
  - vs. multiply-clocked design, 167
- named SERE, 91
- named property, 91
- negating implications, 137
- negedge clk, 67
- nesting
  - of clocks, 81, 167
  - of logical implications, 139
  - of suffix implications, 139
- never, 6, 34
  - aborting, 86
  - applied to a SERE, 42
  - incorrectly aborting, 146
  - using with logical implication, 135
  - using with suffix implication, 136
- next!, 29
- next(), 104, 117
- next, 7
- next![n], 29
- next[n], 8
- next_a![i:j], 30
- next_a[i:j], 10
- next_e![i:j], 30
- next_e[i:j], 10
- next_event!, 29
- next_event, 10
- next_event!(b)[n], 29
- next_event(b)[n], 11
- next_event_a!(b)[i:j], 30
- next_event_a(b)[i:j](f), 12
- next_event_e!(b)[i:j], 30
- next_event_e(b)[i:j](f), 13
- non-length-matching "and", 52
- non-overlapping suffix implication, 38
- nonconsecutive repetition, 44
- nondet(), 117
- nondet_vector(), 117
- nondeterministic choice, 116, 117
  - vs. random choice, 116
- not holding
  - two degrees of, 109
- numeric, 93
- OBE, see Optional Branching Extension
- one-to-one correspondence, 150
- onehot(), 104
- onehot0(), 104
- operator precedence, 203
- operators
  - strong, 27
  - temporal, 1
  - weak, 27
- Optional Branching Extension, 5, 20, 115
- "or"
  - confusing with abort, 145
  - parameterized, 95, 96
- outer clock, 81, 167
- overlap, 7, 10, 16, 22, 24, 40, 47, 49, 59
- overlapping suffix implication, 36
- overriding design signals, 119
- parameterized SERE, 96
- parameterized property, 95
- parameterized "and", 95, 96
- parameterized "or", 95, 96
- pending, 109
- placement of suffix implication, 141
- placement of the clock, 74
- posedge clk, 67
- preprocessor
  - cpp, 97
- prev(), 104
- property, 1, 19
  - as parameter, 91
  - asynchronous, embedded in synchronous, 81
  - clocked, 20
  - multiply-clocked, 71, 164, 167–169
  - multiply-clocked, vs. multiply-clocked design, 167
  - named, 91
  - parameterized, 95
  - replicated, 94, 127, 129
  - singly-clocked, 164, 167
  - singly-clocked in a multiply-clocked design, 167
  - vs. assertion, 19
- property (keyword), 93
- PSL cycle, 65
- race conditions, 67
- random vs. nondeterministic choice, 116
- regular expressions, 35
- repetition
  - any number, 44
  - consecutive, 43
  - goto, 46, 149
  - non-zero, 44
  - nonconsecutive, 44
- replicated property, 94, 127
- replication, 129
- report, 107
- reporting a failure, 24
- reset, 83
- restrict, 107
- restrict_guarantee, 107
- rose(), 66, 104
- RuleBase, 3
- safety, 119
- sampling semantics, 73, 74
- satisfaction
  - the four levels of, 109
- scoping rules
  - vunit, 105, 118
- sequence, 91, 93
- SERE, 5, 35
  - "and", 52
  - as parameter, 91
  - compound, 51
  - how not to use, 62
  - named, 91
  - "or", 51
  - parameterized, 96
  - repeating, 44
  - strong, 41
  - style, 5, 35, 111
  - weak, 41
- simple subset, 24, 36, 38, 101, 114, 138
- simplifying properties
  - cycle-based trace, 78
  - non-cycle-based trace, 79
- simulation
  - event-driven, 74
- simulator
  - cycle-based, 20, 74
  - event-based, 20, 74
- singly-clocked design, 71, 164, 167
- singly-clocked property, 164, 167
  - in a multiply-clocked design, 167
- stable(), 76, 104
- state machine, 123
- string, 93
- strong and weak operators
  - duality of, 114
- strong fairness, 107
- strong operators, 27, 119
  - and liveness, 119
- suffix implication, 36, 39, 56
  - applying eventually! to, 142
  - common errors with, 131
  - confusing with concatenation, 134
  - confusing with logical implication, 131
  - incorrect nesting of, 138
  - negating, 137
  - nesting, 139
  - non-overlapping, 38, 131
  - overlapping, 36, 132
  - placement of, 141
  - using with never, 136
- sync_abort, 89
- synchronous abort, 89
- SystemC flavor, 3, 91, 97
- SystemVerilog flavor, 3, 91, 97
- temporal layer, 2, 3, 5
- time
  - granularity of, 20, 73, 74
- trace, 20
- transparent latch, 69
- 'true, 3
- two-phased design, 71
- U, 211
- union, 116, 117
- until!, 31
- until, 13
  - confusing with abort, 143
- until!_, 31
- until_, 14
- vacuity, 119
- vacuous pass, 119
- verification
  - formal, 114
- verification directive, 2, 106
- verification layer, 2, 3, 80, 105
- verification units, 2
- Verilog, 68, 93, 103
- Verilog flavor, 3, 67, 91, 97
- VHDL, 1, 19
- VHDL flavor, 3, 91, 97
- vmode
  - default, 106
- vmode (keyword), 106
- vprop, 106
- vunit
  - binding, 105
  - inheritance, 105
  - scoping rules, 105, 118
- W, 211
- weak and strong operators
  - duality of, 114
- weak operators, 27, 119
  - and safety, 119
- well-behaved clocks, 161
- within, 55
- X, 211
- X!, 211