# Coquet: a Coq library for verifying hardware\*

Thomas Braibant\*\*

LIG, UMR 5217, INRIA

Abstract. We propose a new library to model and verify hardware circuits in the Coq proof assistant. This library allows one to easily build circuits by following the usual pen-and-paper diagrams. We define a deep-embedding: we use a (dependently typed) data-type that models the architecture of circuits, and a meaning function. We propose tactics that ease the reasoning about the behavior of the circuits, and we demonstrate that our approach is practicable by proving the correctness of various circuits: a text-book divide and conquer adder of parametric size, some higher-order combinators of circuits, and some sequential circuits: a buffer, and a register.

### Introduction

Formal methods are widely used in the verification of circuit design, and appear as a necessary alternative to test and simulation techniques. Among them, model checking methods have the advantage of being fully automated but can only deal with circuits of fixed size and suffers from combinatorial explosion. On the other hand, circuits can be formally specified and certified using theorem provers [10,9,14]. For instance, the overall approach introduced in [9,17] to model circuits in higher-order logic is to use predicates of the logic to express the possible behaviour of devices.

We present a study for specifying and verifying circuits in Coq. Our motivations are two-fold. First, there has been a lot of work describing and verifying circuits in logic in the HOL and ACL2 family of theorem provers. However, Coq features dependent types that are more expressive. The Veritas language experiment [10] hinted that these allow for specifications that are both clearer and more concise. We also argue that dependent types are invaluable for developing circuits reliably: some errors can be caught early, when type-checking the circuits or their specifications. Second, most of these works model circuits using a shallow-embedding: circuits are defined as predicates or functions in the logic of the theorem prover, with seldom, if any, way to reason about the devices inside the logic: for instance, functions that operate on circuits must be built at the meta-level [21], which precludes one from proving their correctness. We define a data-type for circuits and a meaning function: we can write (and reason about) Coq functions that operate on the structure of circuits.

<sup>\*</sup> To appear in Proc. CPP, volume 7086 of LNCS, Springer-Verlag, 2011.

 $<sup>^{\</sup>star\star}$  The author has been partially funded by the French projects "Choco", ANR-07-BLAN-0324 and "PiCoq", ANR-10-BLAN-0305.

Circuit diagrams describe the wire connections between gates and have nice algebraic properties [5,15]. While we do not prove algebraic laws, our library features a set of basic blocks and combinators that allows one to describe such diagrams in a hierarchic and modular way. We make precise the interconnection of circuits, yet, we remain high-level because we make implicit the low-level diagram constructs such as wires and ports. Circuit diagrams are also used to present recursive or parametric designs. We use Coq recursive definitions to generate circuits of parametric size, e.g., to generate an n-bit adder for a given n. Then, we reason about these functions rather than on the tangible (fixed-size) instantiations of such generators. Circuits modelled by recursion have already been verified in other settings [14,17]. The novelty of our approach is that we derive circuit designs in a systematic manner: we structure circuits generators by mimicking the usual circuit diagrams, using our combinators. Then, the properties of these combinators allow us to prove the circuits correct.

We are interested in two kinds of formal dependability claims. First, we want to capture some properties of well-formedness of the diagrams. Second, we want to be able to express the *functional correctness* of circuits – the fact that a circuit complies to some specification, or that it implements a given function. Obviously, the well-formedness of a circuit is a prerequisite to its functional correctness. We will show that using dependent types, we can get this kind of verification for free. As an example, the type-system of Coq will preclude the user to make invalid compositions of circuits. Hence, we can focus on what is the intrinsic *meaning* of a circuit, and prove that the meaning of some circuits entails a high-level specification, e.g., some functional program.

Our contributions can be summarized as follows: we propose a new framework to model and verify circuits in Coq that allows us to define circuits in a systematic manner by following the usual diagrams; we provide tactics that allow to reason about circuits; we demonstrate that our approach is practicable on practical examples: text-book *n*-bit adders, high-level combinators, and sequential circuits.

Outline. In §1, we give a small overview of all the basic concepts underlying our methodology to present how the various pieces fit together. We present the actual definitions we use in §2. Then, in §3 and §4, we demonstrate the feasibility of our approach on some examples. We analyse some benefits of using a deepembedding in §5. Finally, we compare our study to other related work in §6.

# 1 Overview of our system

We give a global overview of the basic concepts of our methodology first, before giving a formal Coq definition to these notions in the next section. We take this opportunity to illustrate the use of our system to represent parametrized systems through the example of a simple n-bit adder: it computes an n-bit sum and a 1-bit carry-out from two n-bit inputs and a 1-bit carry-in. The recursive construction scheme of this adder is presented in Fig. 1 (data flows from left to right), using a full-adder, i.e., a 1-bit adder, as basic building block.



Fig. 1: A recursive *n*-bit ripple-carry adder

Circuit interfaces. Informally, we want to build circuits that relate n input wires to m output wires, where n, m are integers. For instance, the door AND has two inputs and one output. However, using integers to number the wires does not give much structure: how are grouped the 2n+1 input wires of the n-bit adder? Hence, we use arbitrary finite-types as indexes for the wires rather than integers [11]. A circuit that relates inputs indexed by n to outputs indexed by m has type  $\mathbb{C}$  n m, where n and m are types. For instance, the full-adder, a circuit with three inputs and one output, has type  $\mathbb{C}$   $(1 \oplus (1 \oplus 1))$   $(1 \oplus 1)$ , where  $\oplus$  is the disjoint sum (associative to the left) and n is a singleton type. Hence, the n-bit adder has type  $\mathbb{C}$   $(1 \oplus \text{sumn } 1 \text{ n} \oplus \text{sumn } 1 \text{ n})$  (sumn n n n is a n-ary disjoint sum.

Circuits combinators. The *n*-bit adder is made of several sub-components that are composed together. We use *circuit combinators* (or combining forms [19]) to specify the connection layout of circuits. For instance, in Fig. 1, the dashed-box is built by composing in parallel two HL circuits that are then composed serially with a combinator that reorders the wires. These combinators leave implicit the connection points in the circuits and focus on how information flow through the circuit: the wire names given in Fig. 1 do not correspond to variables, and are provided for the sake of readability.

In our "nameless" setting, wires have to be forked and reordered using *plugs*: a plug is a circuit of type  $\mathbb{C}$  n m, defined using a map from m to n that defines how to connect an output wire (indexed by m) to an input wire (indexed by n). Since we use functions rather than relations, this definition naturally forbids short-circuits (two input wires connected to the same output wire).

**Meaning of a circuit.** We now depart from the syntactic definitions of circuits to give an overview of their semantics. We assume a type  $\mathbb{T}$  of what is carried by the wires, for instance booleans  $(\mathbb{B})$  or streams of booleans  $(\mathsf{nat} \to \mathbb{B})$ . Let x be a circuit of type  $\mathbb{C}$  n m. The inputs (resp. outputs) of x are a finite function ins of type  $n \to \mathbb{T}$  (resp. outs of type  $m \to \mathbb{T}$ ). The meaning of x is a relation  $x \vdash_m^n ins \bowtie outs$  between ins and outs that we define by induction on x.

This is an abstract mathematical characterization, which may or may not be computational (we will come back to this point later).

Abstracting from the implementation. The meaning of a circuit is defined by induction on its structure: this relation may be complex and may give information about the internal implementation of a circuit. Thus, we want to move from the definition of this relation, for instance, to give high-level specifications, or to abstract their behavior. These abstractions can be expressed through the following kind of entailment [17]:

```
\forall ins, \forall outs, \texttt{RIPPLE} \ \texttt{n} \vdash ins \bowtie outs \rightarrow R \ outs \ ins
```

We use data-abstraction [17] to be more elegant. Indeed, a value of type  $\mathbf{1} \oplus \mathbf{sumn} \ \mathbf{1} \ \mathbf{n} \oplus \mathbf{sumn} \ \mathbf{1} \ \mathbf{n} \to \mathbb{B}$  is isomorphic to a value of type  $\mathbb{B} \times \mathbb{W}_n \times \mathbb{W}_n$  (where  $\mathbb{W}_n$  is the type of integers from 0 to  $2^n$ ). We use type-isomorphisms to give tractable specifications for circuits: we prove that the parametric n-bit adder depicted in Fig. 1 implements the addition with carry function on  $\mathbb{W}_n$ .

# 2 Formal development

We now turn to define formally the concepts that were overviewed in the previous section. We use Coq type-classes to structure and parametrize our development.

#### 2.1 Circuit interfaces

We use arbitrary finite types (types with finitely many elements) as interfaces for the circuits, i.e., as indexes for the wires. One can create such finite types by using the disjoint-sum operator  $\oplus$  and the one-element type 1. This construction can be generalized to n-ary disjoint sums written sumn A n, for a given A. However, using a single singleton type for all wires can be confusing: there is no way to distinguish one 1 from another, except by its position in the type (which is frustrating). Hence, we use an infinite family of singleton types  $\mathbf{1}_x$  where x is a tag. Circuits are parametrised by some tags, which allows the Coq type-system to rule out some ill-formed combinations. This tagging discipline makes it easy to follow circuit diagrams to define circuits in Coq, without much room for mistakes.

```
Inductive tag (t : string) : Type := \_tag : tag t. (** we write 1_t for tag t*)
```

Finite types are defined as a class Fin A that packages a duplicate-free list of all the elements of the type A, defined along the lines of [8].

#### 2.2 Type isomorphisms

We use type-isomorphisms as "lenses" to express the specification of circuits in user-friendly types, without loss of information. In a nutshell, we define in Coq

an isomorphism between two types A and B as a pair of functions  $iso: A \to B$  and  $uniso: B \to A$  that are proved to be inverse of each other. We use the notation  $A \cong B$  for an isomorphism between A and B, and we define some notations for operations (or instances) that allow us to build such isomorphisms in Fig. 2. The most important instance states the duality between disjoint-sums in the domain of the finite functions to a cartesian product.

### 2.3 Plugs

Rewiring circuits of type  $\mathbb{C}$  n m are defined by mapping output wires indexed by m to input wires indexed by n. We define plugs using usual Coq functions to get small and computational definition of maps. (Note that, since we map the indexes of the wires, there is no way to embed an arbitrary function inside our circuits to compute, e.g., the addition of the value carried by two input wires.)

We give three examples: (a) is a circuit that forgets its first input (types must be read bottom-up on diagrams); (b) is a circuit that duplicates its inputs; (c) implements some re-ordering and duplication of the wires. (We leave implicit the associativity of wires on the diagrams.)



A possible implementation for (a) is  $\operatorname{fun} x \Rightarrow \operatorname{inr} x$  and (b) can be implemented as  $\operatorname{fun} x \Rightarrow \operatorname{match} x$  with  $\operatorname{inl} e \Rightarrow e \mid \operatorname{inr} e \Rightarrow e$  end. If the type of the circuit gives enough information, like the examples above, it is possible to define such plugs using proof-search. Indeed, plugs that deal with the associativity of the wires, or even re-orderings, are completely defined by their type, and we use tactics to write the map between wires (it amounts to some case splitting and little automation). Hence, in the formal definition of circuits, we omit the plugs that deal with associativity or re-orderings of the wires, not only for the sake of readability, but also because we do so in the actual Coq code: we leave holes in the code (thanks to the Coq Program feature) that will be filled automatically.

$$\bullet \bullet \frac{A \to \mathbb{T} \cong \sigma \qquad B \to \mathbb{T} \cong \tau}{A \oplus B \to \mathbb{T} \cong (\sigma \times \tau)} \qquad \iota_{\mathbf{x}} \frac{A \to \mathbb{T} \cong \sigma}{\mathbf{1}_{x} \to \mathbb{T} \cong \mathbb{T}} \qquad \frac{A \to \mathbb{T} \cong \sigma}{\mathrm{sumn} \ A \ n \to \mathbb{T} \cong \mathrm{vector} \ \sigma \ \mathbf{n}}$$

Fig. 2: Isomorphisms between types

```
\begin{array}{l} \textbf{Context \{tech: Techno}\} \\ \textbf{Inductive } \mathbb{C} : \textbf{Type} \to \textbf{Type} \to \textbf{Type} := \\ | \textbf{Atom} : \forall \; \{n \; m: \textbf{Type}\} \; \{ \texttt{Hfn} : \textbf{Fin} \; n \} \; \{ \texttt{Hfm} : \textbf{Fin} \; m \}, \; \texttt{techno} \; n \; m \to \mathbb{C} \; n \; m \\ | \texttt{Plug} : \forall \; \{n \; m: \textbf{Type}\} \; \{ \texttt{Hfn} : \textbf{Fin} \; n \} \; \{ \texttt{Hfm} : \textbf{Fin} \; m \} \; (\texttt{f} : \texttt{m} \to \texttt{n}), \; \mathbb{C} \; n \; m \\ | \texttt{Ser} : \forall \; \{n \; m \; p: \textbf{Type}\}, \; \mathbb{C} \; n \; m \to \mathbb{C} \; m \; p \to \mathbb{C} \; n \; p \\ | \texttt{Par} : \forall \; \{n \; m \; p \; : \textbf{Type}\}, \; \mathbb{C} \; n \; p \to \mathbb{C} \; m \; q \to \mathbb{C} \; (n \oplus \texttt{m}) \; (p \oplus \texttt{q}) \\ | \texttt{Loop} : \forall \; \{n \; m \; p: \textbf{Type}\}, \; \mathbb{C} \; (n \oplus \texttt{p}) \; (m \oplus \texttt{p}) \to \mathbb{C} \; n \; m. \end{array}
```

Fig. 3: Syntax

### 2.4 Abstract syntax

In the following, we use some basic gates from which all other circuits are defined. Hence, we parametrize the definition of circuits by the type of the gates:

```
Class Techno := techno : Type \rightarrow Type \rightarrow Type.
```

Fig. 3 presents the dependent type that models circuits, as defined in Coq. This abstract syntax is strongly typed: it ensures that circuits built using the provided combinators are well-formed: dimensions have to agree, and it is not possible to connect circuits in the wrong direction. (Note that this is not anecdotal: if we were to describe circuits with ports and wires, ensuring these properties would require some boilerplate.) We denote serial composition (Ser) with the infix > symbol, and parallel composition (Par) with &. (Note that these definitions do not deal with what transits in the wires.)

#### 2.5 Structural specifications

Let  $\mathbb{T}$  be the type of what is carried in the wires. We now define the meaning relation for circuits. For a given circuit of type  $\mathbb{C}$  n m, we build a relation between two functions of type  $n \to \mathbb{T}$  and  $m \to \mathbb{T}$ . We define several operations on such functions, in order to express the meaning relation in a legible manner:

```
\label{eq:context} \begin{array}{l} \text{Context } \{\mathbb{T}: \text{Type}\}. \\ \text{Definition left } \{n\} \ \{m\} \ (\texttt{x}: (\texttt{n} \oplus \texttt{m}) \to \mathbb{T}): \texttt{n} \to \mathbb{T} := \texttt{fun e} \Rightarrow (\texttt{x (inl \_e)}). \\ \text{Definition right } \{n\} \ \{m\} \ (\texttt{x}: (\texttt{n} \oplus \texttt{m}) \to \mathbb{T}): \texttt{m} \to \mathbb{T} := \texttt{fun e} \Rightarrow (\texttt{x (inr \_e)}). \\ \text{Definition lift } \{n\} \ \{m\} \ (\texttt{f}: \texttt{m} \to \texttt{n}) \ (\texttt{x}: \texttt{n} \to \mathbb{T}): \texttt{m} \to \mathbb{T} := \texttt{fun e} \Rightarrow \texttt{x (f e)}. \\ \text{Definition app } \{\texttt{n m}\} \ (\texttt{x}: \texttt{n} \to \mathbb{T}) \ (\texttt{y}: \texttt{m} \to \mathbb{T}): \texttt{n} \oplus \texttt{m} \to \mathbb{T} := \\ \text{fun e} \Rightarrow \texttt{match e with inl e} \Rightarrow \texttt{x e} \ | \ \texttt{inr e} \Rightarrow \texttt{y e end}. \\ \end{array}
```

We define the semantics of a given set of basic gates tech: Techno by defining instances of the following type-class, (typically, one instance for the boolean setting, and one instance for the boolean stream setting):

```
Class Technology_spec (tech : Techno) \mathbb{T} :=  spec : \forall {a b: Type}, tech a b \rightarrow (a \rightarrow \mathbb{T}) \rightarrow (b \rightarrow \mathbb{T}) \rightarrow Prop.
```

The meaning relation for circuits is generated by this parameter and rules for each combinator. These rules are presented on Fig. 4 using inference rules rather than the corresponding Coq inductive, for the sake of readability.

#### 2.6 Abstractions

The meaning relation defines precisely the behavior of a circuit, but cannot be used as it is. First, it may be too precise, e.g., by leaking some internal details or imposing constraints between the inputs and the outputs of a circuit that are not relevant from an external point of view. Second, it defines a constraint between the inputs and outputs of a circuit as a relation between two functions  $n \to \mathbb{T}$  and  $m \to \mathbb{T}$ , which is not user-friendly. In his book [17], Melham defines two kinds of abstractions that are relevant here: behavioral abstraction (expressed through the logical entailment of a weak specification R by the meaning relation) and data-abstraction (when the specification is expressed in terms of higher-level types than the above function types).

We combine these two notions to specify that a given circuit realises a specification R up to two type isomorphisms, and to get more concise specifications, we also define the fact that a circuit implements a function  ${\tt f}$  up to isomorphisms:

```
\begin{array}{l} \operatorname{Context} \ \{ \mathtt{n} \ \mathtt{m} \ \mathtt{N} \ \mathtt{M} : \mathsf{Type} \} \ (\mathtt{Rn} : (\mathtt{n} \to \mathbb{T}) \cong \mathtt{N}) \ (\mathtt{Rm} : (\mathtt{m} \to \mathbb{T}) \cong \mathtt{M}). \\ \operatorname{Class} \ \mathsf{Realise} \ (\mathtt{c} : \mathbb{C} \ \mathtt{n} \ \mathtt{m}) \ (\mathtt{R} : \mathtt{N} \to \mathtt{M} \to \mathtt{Prop}) := \mathtt{realise} \colon \forall \ \mathtt{ins} \ \mathtt{outs}, \\ c \vdash_{\mathtt{m}}^{\mathtt{n}} \mathtt{ins} \bowtie \mathtt{outs} \to \mathtt{R} \ (\mathtt{iso} \ \mathtt{ins}) \ (\mathtt{iso} \ \mathtt{outs}). \\ \operatorname{Class} \ \mathsf{Implement} \ (\mathtt{c} : \mathbb{C} \ \mathtt{n} \ \mathtt{m}) \ (\mathtt{f} : \mathtt{N} \to \mathtt{M}) := \mathtt{implement} \colon \forall \ \mathtt{ins} \ \mathtt{outs}, \\ c \vdash_{\mathtt{m}}^{\mathtt{n}} \mathtt{ins} \bowtie \mathtt{outs} \to \ \mathtt{iso} \ \mathtt{outs} = \mathtt{f} \ (\mathtt{iso} \ \mathtt{ins}). \end{array}
```

#### 2.7 Atoms and modular proofs

We develop circuits in a modular way: to build a complex circuit, we define a functor that takes as an argument a module that packages the implementations of the sub-components, and the proofs that they meet some specification. This means that our proofs are hierarchical: we do not inspect the definition of the sub-components when we prove a circuit. These functors can then be applied to a module that contains a set of basic doors (of type Techno) and its meaning relation (of type Technology\_spec).

$$\begin{split} \operatorname{KSer} & \frac{x \vdash_m^n ins \bowtie middle}{x \vartriangleright y \vdash_p^n ins \bowtie outs} \\ \operatorname{KPAR} & \frac{x \vdash_p^n \operatorname{left} ins \bowtie \operatorname{left} outs}{x \& y \vdash_{p \oplus q}^n \operatorname{ins} \bowtie \operatorname{outs}} \\ \\ \operatorname{KPAR} & \frac{x \vdash_p^n \operatorname{left} ins \bowtie \operatorname{left} outs}{x \& y \vdash_{p \oplus q}^{n \oplus m} \operatorname{ins} \bowtie \operatorname{outs}} \\ \\ \operatorname{KPLUG} & \frac{x \vdash_p^n \operatorname{ins} \bowtie \operatorname{lift} f \operatorname{ins}}{\operatorname{Plug} f \vdash_m^n \operatorname{ins} \bowtie \operatorname{lift} f \operatorname{ins}} \end{split} & \operatorname{KLoop} & \frac{x \vdash_{m \oplus p}^{n \oplus p} \operatorname{app} \operatorname{ins} r \bowtie \operatorname{app} \operatorname{outs} r}{\operatorname{Loop} x \vdash_m^n \operatorname{ins} \bowtie \operatorname{outs}} \end{split}$$

Fig. 4: Meaning of circuits (omitting the rule for Atom)



Fig. 5: Definition of a half-adder

# 3 Proving some combinatorial circuits

In this section, we focus on acyclic combinational circuits, and implement some arithmetic circuits. We assume a set of basic gates (AND, XOR among others, that can all be defined and proved correct starting from NOR only). Wires carry booleans, i.e., the meaning relation is defined on booleans for the basic gates. We first illustrate our proof methodology on a half-adder. Then, we present operations on n-bits integers that will be used to specify n-bit adders.

### 3.1 Proving a half-adder

A half-adder adds two 1-bit binary numbers together, producing a 1-bit number and a carry-out. However, they cannot be chained together since they have no carry in-input. We present a diagram of this circuit, along with its formal definition, in Fig. 5. The left-hand side of the following Coq excerpt is the statement we prove: the circuit HADD implements the function hadd on booleans (defined as  $\lambda(a,b).(a\oplus b,a\wedge b)$ , where  $\oplus$  is the boolean exclusive-or, and  $\wedge$  is the boolean and) up to isomorphisms (we use the notations from Fig. 2 for isos). The Coq system ask us to give evidence of the right-hand side.

We have developed several tactics that help to prove these kind of goals. First, we automatically invert the derivation of the meaning relation in the hypothesis H, following the structure of the circuit, to get rid of parallel and serial combinators. This leaves the user with one meaning relation hypothesis per sub-component in the circuit (plugs included). Second, we use the type-class Implement as a dictionary of interesting properties. We use it to make fast-forward reasoning by applying implements in any hypothesis stating a meaning relation for a sub-component. The type-class resolution mechanism will look for an instance of Implement for this sub-component, and transform the "meaning relation" hypothesis into an equation. (Note that at this point, the user may have to interact with the proof-assistant, e.g., to choose other Implement instances than the ones that are picked automatically, but in many cases, this step is automatic.) At this point, the goal looks like the left-hand side of the following excerpt:

Third, we move to the right-hand side of the excerpt: we massage the goal to make some iso commute with the left, right and app operations, in order to generalize the goal w.r.t. the isos. (Note that the user may be required to interact with Coq if different isos are applied to the same term in different equations.) Finally, the proof context deals only with high-level data-types, and functions operating on these. The user may then prove the "interesting" part of the lemma.

# 3.2 n-bits integers

From now, we use a dependently typed definition of n-bits integers, along the lines of the fixed-size machine integers of [16]. We omit the actual definitions of functions when they can be infered from the type. In the following, we prove that various (recursive) circuits implement the carry\_add function (that adds two n-bit numbers and a carry).

```
Record word (n:nat) := mk_word {val : Z; range: 0 \le val < 2^n}. (* \mathbb{W}_n *) Definition repr n (x : Z) : \mathbb{W}_n := ... Definition high n m (x : \mathbb{W}_{(n+m)}) : \mathbb{W}_m := ... Definition low n m (x : \mathbb{W}_{(n+m)}) : \mathbb{W}_n := ... Definition combine n m (low : \mathbb{W}_n) (high : \mathbb{W}_m) : \mathbb{W}_{(n+m)} := ... Definition carry_add n (x y : \mathbb{W}_n) (b : \mathbb{B}) : \mathbb{W}_n * \mathbb{B} := let e := val x + val y + (if b then 1 else 0) in (e mod 2^n, 2^n \le e) Definition \Phi_x^n: Iso (sumn \mathbf{1}_x n \to \mathbb{B}) (\mathbb{W}_n) := ...
```

### 3.3 Two specifications of a 1-bit adder

A full-adder adds two 1-bit binary numbers with a carry-in, producing a 1-bit number and a carry-out, and is built from two half-adders. We present a diagram of this circuit, along with its formal definition in Fig. 6.

From this circuit, we can derive two specifications of interest. First, the meaning of the full-adder can be expressed in terms of a boolean function that mimics the truth-table of the circuit. Second, we can prove that this circuit actually implements the carry\_add function up-to isomorphism. Both these specifications are proved using the aforementioned tactics, only the interesting parts differ.

```
\begin{array}{lll} \text{Instance FADD\_1: Implement} & \text{Instance FADD\_2: Implement} \\ (\iota_{\text{cin}} \bullet (\iota_a \bullet \iota_b)) \; (* \; \text{iso on inputs} \; *) & (\iota_{\text{cin}} \bullet (\Phi_a^1 \bullet \Phi_b^1)) \; (* \; \text{iso on inputs} \; *) \\ (\iota_{\text{sum}} \bullet \iota_{\text{cout}}) \; (* \; \text{iso on outputs} \; *) & (\varPhi_{sum}^1 \bullet \iota_{\text{cout}}) \; (* \; \text{iso on outputs} \; *) \\ \text{FADD } (\text{fun } (\texttt{c}, (\texttt{x}, \texttt{y})) \Rightarrow & (\texttt{x} \oplus (\texttt{y} \oplus \texttt{c}), (\texttt{x} \wedge \texttt{y}) \vee \texttt{c} \wedge (\texttt{x} \oplus \texttt{y}))). & \text{carry\_add } 1 \; \texttt{x} \; \texttt{y} \; \texttt{c}). \end{array}
```

```
Context a b cin sum cout : string. Program Definition FADD : \mathbb{C} \ (\mathbf{1}_{cin} \oplus (\mathbf{1}_a \oplus \mathbf{1}_b)) \ (\mathbf{1}_{sum} \oplus \mathbf{1}_{cout}) := \\ (\text{ONE } \mathbf{1}_{cin} \& \text{ HADD a b "s1" "c1"}) \\ \rhd \dots \ (* \text{ associativity plug } *) \\ \rhd \text{ (HADD cin "s1" sum "c2" } \& \text{ ONE } \mathbf{1}_{"c1"}) \\ \rhd \dots \ (* \text{ associativity plug } *) \\ \rhd \text{ (ONE } \mathbf{1}_{sum} \& \text{ OR "c2" "c1" cout)}.
```

Fig. 6: Definition of a full-adder

```
\begin{array}{c} \text{Program Fixpoint RIPPLE cin a b cout sum n}: \\ \mathbb{C} \left(\mathbf{1}_{\text{cin}} \oplus \text{sumn } \mathbf{1}_{\text{a}} \ n \oplus \text{sumn } \mathbf{1}_{\text{b}} \ n\right) \left(\text{sumn } \mathbf{1}_{\text{sum }} \ n \oplus \mathbf{1}_{\text{cout}}\right) := \\ \text{match n with} \\ \mid 0 \Rightarrow ... \left(* \text{Associativity } *\right) \\ \mid \text{S p} \Rightarrow ... \rhd \left(\text{ONE } (\mathbf{1}_{\text{cin}}) \ \& \text{ HIGHLOWS a b 1 p}\right) \\ \rhd ... \rhd \left(\text{FADD a b cin sum "c"} \ \& \text{ ONE } \left(\text{sumn } \mathbf{1}_{\text{a}} \ p \oplus \text{sumn } \mathbf{1}_{\text{b}} \ p\right)\right) \\ \rhd ... \rhd \left(\text{ONE } \left(\text{sumn } \mathbf{1}_{\text{sum }} \ 1\right) \ \& \text{ RIPPLE "c" a b cout s p}\right) \\ \rhd ... \rhd \left(\text{COMBINE sum 1 p } \& \text{ ONE } \left(\mathbf{1}_{\text{cout}}\right)\right) \\ \text{end.} \end{array}
```

Fig. 7: Implementation of the ripple-carry-adder from Fig. 1

# 3.4 Ripple-carry adder

We present in Fig. 7 the formal definition of the ripple-carry adder from Fig. 1 (we omit the rewiring plugs). This definition is based on two new circuits to split wires, and combine them. Indeed, to build a 1 + n-bit adder, the lowest-order wire of each parameter is connected to a full-adder, while the n high-order wires of each parameter are connected to another ripple-carry adder. Conversely, the wires corresponding to the sum must be combined together. We use two plugs to define the HL and the COMBINE circuits.

```
\begin{array}{l} \text{Definition HL } x \ n \ p : \mathbb{C} \ (\text{sumn } \mathbf{1}_x \ (n+p)) \ (\text{sumn } \mathbf{1}_x \ n \oplus \text{sumn } \mathbf{1}_x \ p) := \text{Plug } \dots \\ \text{Definition COMBINE } x \ n \ p : \mathbb{C} \ (\text{sumn } \mathbf{1}_x \ n \oplus \text{sumn } \mathbf{1}_x \ p) \ (\text{sumn } \mathbf{1}_x \ (n+p)) := \text{Plug } \dots \end{array}
```

Then, we prove that these functions on wires implement their counterparts on words. These gates are then easily combined two-by-two to build HIGHLOWS and COMBINES that work with two sets of wires at the same time to get more economical designs (i.e., designs with fewer sub-components).

Finally, we prove by induction on the size of the circuit that it implements the high-level carry\_add addition function on words. (Note that this is a high-level

specification of the circuit: the carry\_add function is not recursive and discloses nothing of the internal implementation of the device.) This boils down to the proof of lemma add\_parts.

```
Lemma add_parts n m (xH yH: word m) (xL yL: word n) cin: let (sumL,middle) := carry_add n xL yL cin in let (sumH,cout) := carry_add m xH yH middle in let sum := combine n m sumL sumH in carry_add (n + m) (combine n m xL xH)(combine n m yL yH) cin = (sum,cout). Instance RIPPLE_Spec cin a b cout sum n : Implement (RIPPLE cin a b cout s n)  (\iota_{\text{cin}} \bullet (\Phi_a^n \bullet \Phi_b^n)) \quad (\Phi_{sum}^n \bullet \iota_{\text{cout}}) \quad (\text{fun } (c,(x,y)) \Rightarrow \text{carry_add c x y}).
```

This design is simple (a linear chain of 1-bit adders) and slow (each full-adder must wait for the carry-in bit from the previous full-adders). In the next subsection, we address the case of a more efficient adder, which is incidentally more complicated, and a better benchmark for our methodology.

### 3.5 Divide and conquer adder

A text-book [1] solution to improve on the delay of the previous ripple-carry adder is to use a divide and conquer scheme, and to compute both the sum when there is a carry-in, and the sum when there is no carry-in. It is then possible to compute at the same time the sum for the high-order bits, and the sum for the low order bits. Hence, we build a circuit that computes four pieces of data: s (resp. t), the n-bit sum of the inputs, assuming that there is no carry-in (resp. assuming that there is a carry-in); p the carry-propagate bit (resp. g) the carry-generate bit), which is true when there is a carry-out of the circuit, assuming that there is a carry-in (resp. that there is no carry-in).

We provide a diagram in Fig. 8 that depicts the base case and the recursive case, but we omit the actual Coq implementation for the sake of readability. We prove that this circuit implements the following Coq function:

```
Definition dc n: \mathbb{W}_{2^n} * \mathbb{W}_{2^n} \to \mathbb{B} * \mathbb{B} * \mathbb{W}_{2^n} * \mathbb{W}_{2^n} := \text{fun } (\mathbf{x},\mathbf{y}) \Rightarrow
let (\mathbf{s},\mathbf{g}) := \text{carry\_add } 2^n \times \mathbf{y} \text{ false in }
let (\mathbf{t},\mathbf{p}) := \text{carry\_add } 2^n \times \mathbf{y} \text{ true in } (\mathbf{g},\mathbf{p},\mathbf{s},\mathbf{t}).
```

Again, this is a high-level specification w.r.t. the definition of the circuit: it does not disclose how the circuit compute its results (for instance, the dc function is not recursive). In a nutshell, the circuit computes in parallel the 4-uple of results for the high-order and low-order part of the inputs. Then, the propagate and generate bits for both parts can be combined by the PG circuit to compute the propagate and generate bits for the entire circuit. In parallel, the FIX circuit is made of two  $2^{n-1}$ -bit multiplexers (easily defined with a fixpoint using 1-bit multiplexers), and updates the high-order parts of the sum, w.r.t. the propagate and generate carry-bits of the low-order adder.



Fig. 8: Divide and conquer adder

# 4 Sequential circuits: time and loops

While we have focused our case studies on combinational circuits, our methodology can be applied to sequential circuits, with or without the loops that were allowed in the syntax of circuits in  $\S 2.4$ . In this section, the wires carry streams of booleans (of type  $\mathtt{nat} \to \mathbb{B}$ ), and we assume a basic gate DFF that implements the  $\mathtt{pre}$  function (in the particular case of booleans):

```
Definition pre {A} (d:A): Instance DFF_Realise_stream {a out}: stream A \rightarrow stream A := fun f t \Rightarrow Implement (DFF a out) (\iota_a) (\iota_{out}) match t with |0 \Rightarrow d|S p \Rightarrow f p end. (pre false).
```

A buffer. A DFF delays one wire by one unit of time; a FIFO buffer generalizes this behavior in two dimensions, by chaining layers of DFF one after another. This circuit is simple, but is a good example for the use of high-level combinators.

These combinators capture the underlying regularity in some common circuit pattern, for instance replicating a sub-component in a serial or parallel manner.

```
\begin{array}{lll} \text{Variable CELL} : \mathbb{C} \ n \ n. & \text{Variable CELL} : \mathbb{C} \ n \ m. \\ \text{Fixpoint COMPOSEN } \mathbf{k} : \mathbb{C} \ n \ n := & \text{Fixpoint MAP } \mathbf{k} : \mathbb{C} \ (\text{sumn n } \mathbf{k}) \text{ (sumn m } \mathbf{k}) := \\ \text{match } \mathbf{k} \ \text{with} & \text{match } \mathbf{k} \ \text{with} \\ \mid \mathbf{0} \Rightarrow \text{Plug id} & \mid \mathbf{0} \Rightarrow \text{Plug id} \\ \mid \mathbf{S} \ \mathbf{p} \Rightarrow \text{CELL} \rhd (\text{COMPOSEN p}) & \mid \mathbf{S} \ \mathbf{p} \Rightarrow \text{CELL} \ \& \ (\text{MAP p}) \\ \text{end.} & \text{end.} \end{array}
```

We prove that the COMPOSEN combinator implements a higher-order iteration function, up-to isomorphism: if CELL implements a given function  ${\tt f}$ , then COMPOSEN  ${\tt k}$  implements the iteration of  ${\tt f}$ . Respectively, we prove that the MAP circuit implements the higher-order map function on vectors. Hence, we define a FIFO buffer in one-line, and we prove that it implements the function below.

```
\begin{array}{l} \text{Definition FIFO x n } k: \mathbb{C} \text{ (sumn } \mathbf{1}_x \text{ k) } \text{ (sumn } \mathbf{1}_x \text{ k) } := \text{COMPOSEN (MAP (DFF x x) k) n.} \\ \text{Definition fifo n k } (v: \text{stream (vector } \mathbb{B} \text{ k)}) : \text{stream (vector } \mathbb{B} \text{ k)} := \\ \text{fun } t \Rightarrow \text{if n} < t \text{ then v } (t-n) \text{ else Vector.repeat k false.} \\ \text{Remark useful\_iso} : \text{ sumn } \mathbf{1} \text{ n} \rightarrow \text{stream } \mathbb{B} \cong \text{stream (vector } \mathbb{B} \text{ n)} := \dots \end{array}
```

The proof of this specification relies on the above useful isomorphism between groups of wires that carries streams of booleans, and a stream of vectors of

```
 \begin{array}{c} \text{Context a load out : string.} \\ \text{Program Definition REGISTER:} \\ \mathbb{C} \ (\mathbf{1}_{load} \oplus \mathbf{1}_a) \ \mathbf{1}_{out} := \\ \text{@Loop} \ (\mathbf{1}_{load} \oplus \mathbf{1}_a) \ \mathbf{1}_{out} \ \mathbf{1}_{out} \\ (... \rhd \text{MUX2 a out load "in_dff"} \\ \rhd \ \text{DFF "in_dff" out} \rhd \ \text{Fork2 } \mathbf{1}_{out}). \end{array}
```

Fig. 9: A memory element

booleans. The proof that the circuit implements a function on streams is done in the same fashion as the proofs from the previous section.

A memory element. Our next goal is to demonstrate how we deal with state-holding structures. Hence, we turn to the implementation of a 1-bit memory element, as implemented in Fig. 9. The register is meant to hold 1-bit of information through time, which does not fit nicely in the Implement framework (we cannot easily express the meaning of the register in terms of a stream transformer). Hence, we use a relational specification through the use of Realise:

```
 \begin{array}{l} \text{Instance Register\_Spec} : \text{Realise} \\ (...: \ \mathbf{1}_{\texttt{load}} \oplus \mathbf{1}_{\texttt{a}} \to \texttt{stream} \ \mathbb{B} \cong \texttt{stream} \ \mathbb{B} * \mathbb{B}) \ (\iota_{\texttt{out}}) \ \texttt{REGISTER} \\ (\texttt{fun (ins}: \texttt{stream} \ (\mathbb{B} * \mathbb{B})) \ (\texttt{outs}: \texttt{stream} \ \mathbb{B}) \Rightarrow \\ \texttt{outs} = \texttt{pre false} \ (\texttt{fun t} \Rightarrow \texttt{if fst (ins t) then snd (ins t) else outs t)}). \end{array}
```

Here, the state of the register is stored inside the history of the stream (the previous values that were taken by the output). While we do not advocate that this is the nicest way to reason about state holding devices, we were able to prove this specification in the same fashion as the previous combinatorial devices. We leave a more thorough investigation of state-holding devices to future work.

# 5 Interesting corollaries

We now turn on to investigating some interesting consequences of the use of a concrete data-type to represent circuits. First, we prove that the behavior of combinatorial circuits without delay can be lifted to the stream setting. Second, we build some functions (or interpretations [2]) that operates on circuits.

Lifting combinatorial circuits. The meaning relation is parametrized by the semantics of the basic gates. This can be put to good use to prove the functional correctness of some designs in the boolean setting, and then, to mechanically lift this proof of functional correction to the boolean stream setting (for the same set of gates). For instance, if a loop-less and delay-less circuit implements a function f in the boolean setting, we can prove that the very same circuit implements the function Stream.map f in the boolean stream setting.

Simulating and checking designs. One feature of our first-order encoding of circuits in Coq is that designs can be checked by simulation before attempting to prove them. This verification is done on the definition that will be proved later, allowing a seamless approach, and remains a valuable help to avoid dead-ends even if we cannot simulate circuit parametrized by a size. We define a simulation function sim that works on loop-free circuits, if the user provides a computational interpretation of each basic gate. For instance, we can simulate the adders of §3.

Delay and pretty-printing. Using the same ideas, we can build functions that compute the list of gates of circuits (with or without loops), or compute the length of the critical path in combinatorial circuits. While this is more anecdotal, and less directly useful than the previous simulation function, these functions are still interesting: one could, for instance, prove that some complex designs meet some time (or gate-count) complexity properties. (Note that is the only place where we exploit the finiteness of types.)

# 6 Comparisons with related work

Verifying circuits with theorem provers. There has been a substantial amount of work on specification and verification of hardware in HOL. In [9,17], HOL is used as a hardware description language and as a formalism to prove that a design meets its specification. They model circuits as predicates in the logic, using a shallow-embedding that merges the architecture of a circuit and its behavior. Building on the former methodology, [21] defines a compiler from a synthetisable subset of HOL that creates correct-by-construction clocked synchronous hardware implementations of mathematical functions specified in HOL. This methodology allows the designer to focus on high-level abstraction instead of reasoning and verifying at the gate level, admitting the existence of some base low-level circuits (like the addition on words [13]). By contrast, our work complements their behavioral "correct by design" synthesis from a subset of the high-level language of the theorem-prover with structural verification of circuits.

In the Boyer-Moore theorem prover (untyped, quantifier-free and first-order), Brock and Hunt proved the correctness of functions that generate correct hardware designs. They studied the correctness of an arithmetic and logic unit, parametrised by a size [14]. This verified synthesis approach was used to verify a microprocessor design [4]. While our proofs are not as automated, and our examples are less ambitious, we are able to prove higher-order circuits. Moreover, the dependent-types we use are helpful when defining complex circuits.

In Coq, Paulin-Mohring [18] proved the correctness of a multiplier unit, using a shallow-embedding similar to the methodology used in HOL: circuits are modelled as functions of the Coq language. More recently, [6] investigated how to take advantage of dependent types and co-inductive types in hardware verification: they use a shallow embedding of Mealy automata to describe sequential circuits. By contrast with both works, we use a deep-embedding of circuits in

Coq, that makes explicit the definition of circuits. We still need to investigate the examples of sequential circuits studied in these papers.

Algebraic definitions of circuits. Circuit diagrams have nice algebraic properties. Lafont [15] studied the algebraic theory of boolean circuits and Hinze [12] studied the algebra of parallel prefix circuits. Both settings are close to ours: however the former focused on the algebraic structure of circuits, while the latter defined combinators that allows one to model (and prove correct using algebraic reasoning) all standard designs of a restricted class of circuits.

Functional languages in hardware design. Sheeran [20] made a thorough review of the use of functional languages in hardware design, and of the challenges to address. Our work is a step towards one of them: the design and verification of parametrized designs, through the use of circuit combinators. Lava [2] is a language embedded in Haskell to describe circuits, allowing one to define parametric circuits or higher-order combinators. While much of our goals are common, one key difference is that our encoding of circuits in Coq avoids the use of bound variables (we use only combinators). Moreover, we use dependent types, that are required to deal precisely with parametric circuits. Finally, we prove the correctness of these parametric circuits in Coq, while verification in Lava is reduced to the verification of finite-size circuits.

# 7 Conclusion and future works

We have presented a deep-embeding of circuits in the Coq proof-assistant that allows to build and reason about circuits, proving high-level specifications through the use of type-isomorphism. We have demonstrated that dependent types are useful to prove automatically some well-formedness conditions on the circuits, and help to avoid time consuming mistakes. Then, we proved by induction the correctness of some arithmetic circuits of parametric size: this could not have been possible without mimicking the structure of the usual circuit diagrams to define circuit generators in Coq. The formal development accompanying this paper is available from the author's web-page [3].

In the immediate future, we plan to continue the case studies described in §3. In particular, we would like to investigate how to construct parallel prefix circuits in our framework [12,20], and to investigate combinational multipliers. In the more distant future, it would be interesting to study some front-ends to automatically generate some circuits: this could range to the reduction of the boilerplate inherent to the definition of plugs, to the compilation of circuits from automaton. A major inspiration on behavioral synthesis is the work of Ghica [7]. We also look forward to studying how our methodology applies to other settings than booleans or streams of booleans. For instance, if we move from booleans to the three-valued Scott's domain (unknown, true, false), we may interpret circuits in the so-called constructive semantics. We also hope that some of our methods could be applied to the probabilistic setting.

**Acknowledgements.** We thank D. Pous for his precious supervision; the reviewers who made useful comments; J. Alglave, P. Boutillier, J. Planul, M. Hague who commented a draft; and J. Vuillemin for his encouragements.

# References

- A. V. Aho and J. D. Ullman. Foundations of Computer Science. Computer Science Press, W. H. Freeman and Company, 1992.
- P. Bjesse, K. Claessen, M. Sheeran, and S. Singh. Lava: Hardware Design in Haskell. In Proc. ICFP, pages 174–184. ACM Press, 1998.
- 3. T. Braibant. http://sardes.inrialpes.fr/~braibant/coquet, June 2011.
- 4. B. Brock and W. A. Hunt Jr. The DUAL-EVAL Hardware Description Language and Its Use in the Formal Specification and Verification of the FM9001 Microprocessor. Formal Methods in System Design, 11(1):71–104, 1997.
- C. Brown and G. Hutton. Categories, allegories and circuit design. In *Proc. LICS*, pages 372–381. IEEE Computer Society, 1994.
- S. Coupet-Grimal and L. Jakubiec. Certifying circuits in type theory. Formal Asp. Comput., 16(4):352–373, 2004.
- D. R. Ghica. Geometry of synthesis: a structured approach to VLSI design. In Proc. POPL, pages 363–375, 2007.
- 8. G. Gonthier and A. Mahboubi. An introduction to small scale reflection in Coq. *Journal of Formalized Reasoning*, 3(2):95–152, 2010.
- M. Gordon. Why Higher-Order Logic is a Good Formalism for Specifying and Verifying Hardware. Technical Report UCAM-CL-TR-77, Cambridge Univ., Computer Lab., 1985.
- 10. F. K. Hanna, N. Daeche, and M. Longley. Veritas<sup>+</sup>: A Specification Language Based on Type Theory. In *Hardware Specification, Verification and Synthesis*, LNCS, pages 358–379. Springer, 1989.
- 11. J. R. Harrison. A HOL theory of Euclidean space. In *Proc. TPHOLs*, volume 3603 of *LNCS*, pages 114–129. Springer, 2005.
- 12. R. Hinze. An Algebra of Scans. In MPC, LNCS, pages 186-210. Springer, 2004.
- 13. J. Iyoda. Translating HOL functions to hardware. Technical Report UCAM-CL-TR-682, Cambridge Univ., Computer Lab, April 2007.
- 14. W. A. Hunt Jr. and B. Brock. The Verification of a Bit-slice ALU. In *Hard-ware Specification, Verification and Synthesis*, volume 408 of *LNCS*, pages 282–306. Springer, 1989.
- Y. Lafont. Towards an algebraic theory of boolean circuits. Journal of Pure and Applied Algebra, 184:257–310, 2003.
- 16. X. Leroy. A formally verified compiler back-end. *Journal of Automated Reasoning*, 43(4):363–446, 2009.
- 17. T. Melham. Higher Order Logic and Hardware Verification, volume 31 of Cambridge Tracts in Theoretical Computer Science. Cambridge University Press, 1993.
- 18. C. Paulin-Mohring. Circuits as Streams in Coq: Verification of a Sequential Multiplier. In *TYPES*, pages 216–230, 1995.
- 20. M. Sheeran. Hardware Design and Functional Programming: a Perfect Match. J. UCS, 11(7):1135-1158, 2005.
- K. Slind, S. Owens, J. Iyoda, and M. Gordon. Proof producing synthesis of arithmetic and cryptographic hardware. Formal Asp. Comput., 19(3):343–362, 2007.