arXiv:1502.05748v1 [cs.LO] 19 Feb 2015
Applying Fuzzy Logic to the Design, Verification and Analysis of Binary Hardware Circuits
Amnon Rosenmann, AIT Austrian Institute of Technology
Abstract
We present a novel approach to digital hardware simulation based on many-valued (fuzzy) logic (MVL). Binary designs can be automatically transformed into MVL designs, and simulations performed in the more informative MVL setting may reveal details which are either invisible or hard to detect through binary simulations. Two circuits which are supposed to be binary equivalent may behave differently under MVL simulations, and analyzing these differences may lead to the discovery of a genuine binary nonequivalence or, in some cases, to a qualitative gap between the designs. Under an MVL simulation, a combinational design becomes a union of trajectories, where each trajectory starts at some input variable and all the nodes along the trajectory carry the same degree of veracity or falsehood. With sequential synchronous designs one can incorporate temporal data into the simulation, so that the state of the design at a given time reports, besides the degree of truth of each variable, also the place and date of birth of its value. Applications include equivalence verification, initialization, assertion generation and verification, stuck-at values, partial control of the flow of data by prioritizing, and block-oriented simulations. Some procedures and general directions towards achieving these goals are presented.
1 Introduction
The verification of digital hardware (HW) circuits [13] has long been a major challenge in the design process. Formal verification methods such as model checking [8] of properties and formal equivalence checking [16], [11] are complete, but they can only be applied to designs of limited size. The traditional and older method of performing simulations may be applied to larger designs, even to the whole chip, but then suffers from incomplete and small coverage of the state space. There are also hybrid verification methods using concrete or symbolic simulations along with formal methods [2]. We present here a novel approach which extends the simulation methods based on binary, ternary or quaternary logics [9] with simulation procedures based on many-valued logic (MVL). The extension is at the same time a refinement and an abstraction. The refinement comes from the wider domain of values, which in equivalence verification makes it possible, on the one hand, to distinguish between designs that are binary equivalent although one of them may be better designed, and on the other hand to serve as a starting point for searching the near surroundings for a binary nonequivalence between the designs. The abstraction lies in treating some of the values as ‘don’t care’ (valuable information for a SAT solver), but in such a way that the border between ‘care’ and ‘don’t care’ need not be determined in advance; it is dynamic and set upon each simulation according to the output value. This property of the MVL that we use (stated in Theorem 3.4) is a key factor in applying it to the verification of binary designs. Another characteristic of MVL simulations is that temporal and spatial information can be incorporated into the domain of values. Thus, whereas in binary logic we normally observe the change in value of a specific variable over time, in MVL we can also observe the change in location of a specific value over time.
In the design and verification of HW it is common to extend the domain of values of abstract models of HW units with elements that correspond to many-valued logics. Such extensions include 3-valued logic: in addition to the binary values T (true or 1) and F (false or 0) they contain an X value, interpreted sometimes as ‘unknown’ and sometimes as ‘don’t care’. It is also common to include a fourth ‘high-impedance’ Z value, which is ignored in this note as it is not part of the intended logic function. Don’t care values are used in simulation for abstracting symbolic simulations [23], [24], [2] and in the model checking technique Symbolic Trajectory Evaluation (STE) [21]. They appear also in the initialization phase and in equivalence verification [19]. MVL is also used in the design stage and in verification at the register-transfer-level (RTL) model abstraction [20], where collections of binary memory elements are treated as a single unit in the form of a word or a register, for better readability (a higher level of abstraction) and for efficiency reasons. In addition, some memory devices, arithmetic blocks and FPGAs operate with inputs and outputs which are not binary but many-valued. The approach presented here is not to use MVL for treating a collection of binary elements as basic units, but rather to perform MVL operations on the binary gate-level elements, extending the ternary-based simulation methodology. The extension is done by adopting the semantics of fuzzy logic: the AND, OR and NOT gates are transformed into Min, Max and Neg, and the binary domain into Z̄, a ‘completion’ of the set of integers. Applications include equivalence verification, initialization, assertion generation and verification, stuck-at values, partial control of the flow of data by prioritizing, and block-oriented simulations. Some procedures and general directions towards achieving these goals are presented.
2 MVL and its Semantics M
The classical propositional logic is defined over a binary domain: {T, F}. Formulas are composed with connectives, or operators in the Boolean algebra B2, among which we mention: ¬ (negation, NOT), ∧ (conjunction, AND, meet), ∨ (disjunction, OR, join). The implication connective ϕ → ψ is interpreted as ¬ϕ ∨ ψ. There are a few extensions of the binary logic B2 to ternary logic, and we refer here to three of them: Lukasiewicz’ L3 [14], Kleene’s ‘strong’ logic K3 [12] and Bochvar’s B3 [4] (also known as Kleene’s ‘weak’ logic). Let the additional value be denoted by X. The difference between L3 and K3 is that the value of X → X in L3 is defined to be T, whereas in K3 it is X. So, in L3 the value X represents ‘uncertainty’: it can be either T or F, but since ϕ → ϕ is a tautology in binary logic, the value of X → X is T. In K3, on the other hand, X is interpreted as some value between T and F, that is, a ‘vague’ value (‘undefined’ in Kleene’s original interpretation). Thus, following this line of thought, ¬X is X and
X → X has the same value as ¬X ∨ X, namely X. In B3 any formula that contains an X value is evaluated to X. Our intention is to extract more information about the binary design when performing MVL simulations, but in a way that conforms with the original (binary) behavior of the system. Thus, B3 is not suited for this purpose. In L3 the law of excluded middle does not hold, which means that the two binary-equivalent formulas ϕ → ψ and ¬ϕ ∨ ψ are not equivalent in L3. In K3 they are equivalent. However, since X → X = X in K3, simulating over K3 may sometimes provide information of higher entropy than that of a binary simulation. Nevertheless, K3 is the logic that prevails in HW verification. We will see that it is possible to apply MVL in a way that corresponds both to K3 and to L3, as follows. When mapping from MVL to B2, a → a will always be mapped to T, as in L3. However, as in B2 and unlike L3, ¬a ∨ a will be equivalent to a → a in MVL. When mapping into ternary logic, it will conform with the logic K3: if a is mapped to T or to F then a → a is mapped to T; and if a is mapped to X then a → a is also mapped to X. Many-valued logics are logics with more than 2 values, even infinitely many values [10], [1]. Such systems were introduced by Lukasiewicz, Gödel, Post and many others. Chang [6], [7] introduced MV-algebras, which generalize Boolean algebras, in order to study Lukasiewicz’ logics. Zadeh introduced fuzzy sets and fuzzy logic [25], [26], [18], [1], where the domain of values is the unit interval. Since we want the MVL simulations to conform with both B2 and K3, the algebraic laws of these logics should hold in the chosen MVL. In addition, we need to choose a suitable semantics M for realizing the MVL. So, first we need two designated elements denoted by ⊤ and ⊥, corresponding to T and F, and three operators ∧, ∨ and ¬.
Then, there should be at least one homomorphism p : M → B2 such that p(⊤) = T and p(⊥) = F, and at least one homomorphism p : M → K3 with p(⊤) = T and p(⊥) = F. Recall that a homomorphism is a map that respects the operations: p(a ∧ b) = p(a) ∧ p(b), p(a ∨ b) = p(a) ∨ p(b) and p(¬a) = ¬p(a). A natural demand is that the following laws of De Morgan algebras should hold in M (for a minimal set, the first law at each line suffices):
1. Commutativity: a ∧ b = b ∧ a and a ∨ b = b ∨ a;
2. Associativity: a ∧ (b ∧ c) = (a ∧ b) ∧ c and a ∨ (b ∨ c) = (a ∨ b) ∨ c;
3. Idempotence: a ∧ a = a and a ∨ a = a;
4. Absorption: a ∧ (a ∨ b) = a and a ∨ (a ∧ b) = a;
5. Distributivity: a ∧ (b ∨ c) = (a ∧ b) ∨ (a ∧ c) and a ∨ (b ∧ c) = (a ∨ b) ∧ (a ∨ c);
6. Identity: a ∧ ⊤ = a and a ∨ ⊥ = a;
7. Consumption: a ∧ ⊥ = ⊥ and a ∨ ⊤ = ⊤;
8. Duality: ¬⊥ = ⊤ and ¬⊤ = ⊥;
9. Double Negation: ¬¬a = a;
10. De Morgan: ¬(a ∧ b) = ¬a ∨ ¬b and ¬(a ∨ b) = ¬a ∧ ¬b.
The laws of B2 hold in MV-algebras with lattice operations. However, since the complementation laws a ∨ ¬a = ⊤ and a ∧ ¬a = ⊥ of Boolean algebras hold also in MV-algebras, these algebras do not extend K3 and are not candidates for our chosen logic. Instead, we replace complementation with the weaker orthocomplementation law: a ∨ ¬a = ⊤ should hold for ⊤ and ⊥ but not necessarily for all elements. It is easy to see that this requirement is implied by the combination of the identity, duality and double negation laws. Note, however, that under the homomorphism p : M → B2, p(a ∨ ¬a) = T and p(a ∧ ¬a) = F. It is better that the domain of values of M be a totally ordered set (and not just a lattice with a partial order), so that any two elements can be compared, with ⊥ the minimal element and ⊤ the maximal one. Given a lattice, one defines a ≤ b if and only if a ∧ b = a and a ∨ b = b. Thus, in a totally ordered set the operator ∧ is the Minimum and ∨ is the Maximum. By the De Morgan law we have: a ≤ b implies ¬b ≤ ¬a, which implies:
11. For all a, b: a ∧ ¬a ≤ b ∨ ¬b.
A system which satisfies the above 11 laws is called a Kleene algebra. There exists a known model providing semantics to all the above requirements: fuzzy logic with its set of values in the closed unit interval, with designated values 1 (⊤) and 0 (⊥) and the operations Min (∧), Max (∨) and 1 − a (¬a). Note that another common semantics for fuzzy logic, in which multiplication replaces Min as the interpretation of ∧, is rejected, since when mapping
to K3 it may happen that a and b are mapped to ⊤ while a ∗ b is mapped to X, which is not a homomorphism. For convenience, instead of the unit interval, which has the cardinality of the continuum, we choose as the domain of values of M the countable set Z̄ = (Z \ {0}) ∪ {−∞, ∞}, with the operations ∧, ∨ and ¬ interpreted as Minimum, Maximum and Negation respectively. Table 1 shows the behavior of the operators ¬, ∧, ∨ and ⊕ (Exclusive-Or) in M.

Table 1: M operators
   a    b   ¬a   ¬b   a ∧ b   a ∨ b   a ⊕ b
  -2   -1    2    1     -2      -1      -1
  -2    1    2   -1     -2       1       1
  -1    2    1   -2     -1       2       1
   1    2   -1   -2      1       2      -1

In addition to interpreting the domain of values as degrees of truth, as in the semantics of fuzzy logic, it is possible to store more information in it (like a ‘birth date’). The homomorphism p : M → B2 is clear: p(a) = F for a < 0 and p(a) = T for a > 0. Then, for every n > 0 in Z̄, we define p_n : M → K3 by:

p_n(a) = F for a ≤ −n;  X for −n < a < n;  T for a ≥ n.   (1)
3 Valuations in M
A valuation v of the variables x1, ..., xn in M (that is, in the domain Z̄) is a mapping [[x1]]v = a1, ..., [[xn]]v = an, ai ∈ M. Given a formula ϕ(x1, ..., xn) over M and a valuation v as above, the induced valuation of ϕ is [[ϕ]]v = ϕ(a1, ..., an) ∈ M. Given a valuation v and a representation of ϕ as a Directed Acyclic Graph (DAG) G, we label the leaves of G with a1, ..., an, its root with ϕ(a1, ..., an), and each internal node representing a sub-formula ψ with [[ψ]]v. We call G a valuation DAG of ϕ.
Proposition 3.1. Let [[x1]]v = a1, ..., [[xn]]v = an be a valuation in M and let G be the corresponding valuation DAG of ϕ(x1, ..., xn). Then for some i, 1 ≤ i ≤ n, |ϕ(a1, ..., an)| = |ai|, and there exists at least one path from the root of G to a leaf such that the label of each node along this path is of absolute value |ai|.
Proof. By induction on the composition depth of ϕ and by the fact that the operations of negation, maximum and minimum preserve the absolute value of one of the operands.
Theorem 3.2. Let |ϕ(a1, ..., an)| = |ai| and suppose, without loss of generality, that |a1| ≤ ··· ≤ |ai−1| < |ai| ≤ ··· ≤ |an|. Then, when evaluated in B2, the value of ϕ(b1, ..., bn), b1, ..., bn ∈ {T, F}, does not depend on b1, ..., bi−1 as long as bj = p(aj) for each j ≥ i.
Proof. If i = 1 then the claim holds trivially, so let i > 1. Suppose that ϕ(a1, ..., an) = ai (the case where the result is −ai is similar). Let p : M → K3 be the homomorphism p = p_{|ai|}, hence p(±a1) = ··· = p(±ai−1) = X. Therefore, ϕ(X, ..., X, p(ai), ..., p(an)) = ϕ(p(a1), ..., p(ai−1), p(ai), ..., p(an)) = p(ϕ(a1, ..., an)) = p(ai) ≠ X. As is known, when a formula over K3 evaluates to T or to F, the result is invariant to any binary value given to the variables with value X.
In fact, the above theorem is implied by the following theorem over M.
Lemma 3.3. Let a, b ∈ M. If |a| > |b| then a > b ⇔ a > −b, and similarly a < b ⇔ a < −b.
Theorem 3.4. Let |ϕ(a1, ..., an)| = |ai| and suppose, without loss of generality, that |a1| ≤ ··· ≤ |ai−1| < |ai| ≤ ··· ≤ |an|. Then ϕ(a1, ..., an) is invariant to any change of sign in a1, ..., ai−1: ϕ(a1, ..., ai−1, ai, ..., an) = ϕ(±a1, ..., ±ai−1, ai, ..., an).
Proof. Suppose i > 1. Let a = |ai|. We partition the nodes of G into 3 subsets: (i) those representing operators with operands of absolute value less than a; (ii) those with operands of absolute value greater than or equal to a; (iii) the nodes representing operators with one operand of absolute value less than a and another operand of absolute value greater than or equal to a.
Suppose we change arbitrarily the signs of the input variables with values aj, |aj| < a, or even change their absolute values, as long as they remain less than a. Then a node of the first type may change its value, but will remain of absolute value less than a. A node of the second type will keep its original value. Finally, by Lemma 3.3, a node of the third type, representing a Max or Min operation, will keep its value if it was of absolute value greater than or equal to a, and will stay of absolute value less than a (but perhaps with a different value) if that was the case before the change. Since the root is labeled with absolute value a, it does not change its value (induction on the height of G).
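The evaluation over M, the projections p and p_n, the trajectory of Proposition 3.1 and the sign-invariance of Theorem 3.4 can be exercised on a small formula. The following Python is an added example, not the paper's code; the formula PHI and the valuation V are constructed for illustration, with float infinity standing in for ±∞.

```python
# Added example (not the paper's code): evaluating a formula over M (AND = min,
# OR = max, NOT = negation), the projections p and p_n of Section 2, the
# trajectory of Proposition 3.1 and the sign-invariance check of Theorem 3.4.
from itertools import product

INF = float("inf")   # stands for ∞ (⊤); -INF stands for -∞ (⊥)

# A formula is a nested tuple: ("var", name), ("not", f), ("and", f, g) or ("or", f, g).
def evaluate(formula, valuation):
    """[[formula]]_v over M."""
    op = formula[0]
    if op == "var":
        return valuation[formula[1]]
    if op == "not":
        return -evaluate(formula[1], valuation)
    lhs = evaluate(formula[1], valuation)
    rhs = evaluate(formula[2], valuation)
    return min(lhs, rhs) if op == "and" else max(lhs, rhs)

def p_binary(a):
    """The homomorphism p : M -> B2; True plays the role of T."""
    return a > 0

def p_n(a, n):
    """The homomorphism p_n : M -> K3 of equation (1); 'X' is the vague value."""
    if a <= -n:
        return "F"
    if a >= n:
        return "T"
    return "X"

def trajectory(formula, valuation):
    """Proposition 3.1: a root-to-leaf path on which every node carries the
    root's absolute value. Returns the sub-formulas along the path."""
    root_abs = abs(evaluate(formula, valuation))
    path, node = [formula], formula
    while node[0] != "var":
        node = next(child for child in node[1:]
                    if abs(evaluate(child, valuation)) == root_abs)
        path.append(node)
    return path

def dominating_variable(formula, valuation):
    """The input x_i with |[[formula]]_v| = |a_i| (the end of a trajectory)."""
    return trajectory(formula, valuation)[-1][1]

def sign_invariant(formula, valuation):
    """Theorem 3.4: flipping the signs of every input whose absolute value is
    below |[[formula]]_v| (in any combination) must not change the result."""
    value = evaluate(formula, valuation)
    small = [x for x, a in valuation.items() if abs(a) < abs(value)]
    for signs in product((1, -1), repeat=len(small)):
        flipped = dict(valuation)
        for x, s in zip(small, signs):
            flipped[x] = s * abs(valuation[x])
        if evaluate(formula, flipped) != value:
            return False
    return True

# Constructed example: the If-Then-Else (x ∧ ¬s) ∨ (y ∧ s) with the selector at ∞,
# so the output is the selected data input y = -3 and x is a 'don't care'.
PHI = ("or", ("and", ("var", "x"), ("not", ("var", "s"))),
             ("and", ("var", "y"), ("var", "s")))
V = {"x": 2, "y": -3, "s": INF}
```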
4 Verifying Combinational Circuits
Digital binary combinational circuits do not contain memory elements, hence they represent binary formulas. Given a gate-level description of such a circuit, it can be automatically transformed into an MVL description with the M semantics. First, we assume the binary operators are translated to ∧, ∨ and ¬. Then, the data structure of each variable is changed from Boolean to integer, ∧ is realized as the Minimum function, ∨ as the Maximum, and ¬ as the negation operator of the integers. Some very large integer N can represent ∞ (with −N representing −∞).
4.1 Functional Verification
When we know the function that the circuit should represent, it is possible to run a number of tests which is sometimes significantly smaller than in the binary setting (of course, at the expense that each test is of higher complexity when working over the integers instead of over the Booleans). Let us look at a few simple examples.
Example 4.1. (AND) f(x1, ..., xn) = x1 ∧ x2 ∧ ··· ∧ xn. In B2 we need 2^n test vectors for verifying f, whereas in M only n + 1 test vectors are needed. When xi is assigned the value −2 and the other variables 1, the result should be −2, and by Theorem 3.2 the values of the other variables are ‘don’t cares’. Having done n such tests, for i = 1, ..., n, we assign all variables the value 1 and check that the result is indeed 1. By this we cover all possibilities.
Example 4.2. (Projection) f(x1, x2, ..., xn) = xi. To test f in M we need only 2 vectors, compared to 2^n in B2: xi is assigned once the value 2 and then the value −2, while all other variables are assigned the value 1 both times.
Example 4.3. (MUX) f(x1, ..., xn, s0, ..., sk−1) = (x1 ∧ ¬s1 ∧ ¬s2 ∧ ··· ∧ ¬sk) ∨ ··· ∨ (xn ∧ s1 ∧ s2 ∧ ··· ∧ sk) is a multiplexer with n = 2^k data inputs x1, ..., xn and k selectors s0, ..., sk−1. To test and verify the multiplexer we need only 2n vectors in M compared to 2^(n+k) in B2. We go over all the 2^k
possibilities of assigning each selector variable si the value ∞ or the value −∞. For each choice of values for s0, ..., sk−1 we assign the selected data input xj first the value 2 and then the value −2, while all the other data inputs are assigned the value 1. The multiplexer is the generalization of the If-Then-Else function f(x1, x2, s) = (x1 ∧ ¬s) ∨ (x2 ∧ s), and by assigning the selector (or clock or enable variables) the value ±∞ the output equals the value of the selected data input and not that of the selectors. When the circuits are complex it is less likely to have outputs of large absolute value (among those in the cone of influence), but this is not a rule. In general, the idea is to assign the input variables values of different absolute values in order to gain as much as possible from working over MVL. In the case of Exclusive-Or (XOR) (or its generalization to n variables, the notorious Parity function) the output is always of the smaller absolute value among the inputs (see Table 1): |a ⊕ b| = min(|a|, |b|). This makes it more difficult to verify circuits that contain many XOR gates (e.g. multipliers). Here, MVL can be used to check whether the output is larger (in absolute value) than expected.
We come now to the use of ‘don’t cares’ in the simulations. Unlike the situation with ternary logic, this decision need not be taken in advance. The border between the ‘don’t care’ and ‘care’ variables is dynamic and set upon each simulation: the values that are smaller (in absolute value) than the output can be regarded as ‘don’t care’. We may then perform more simulations with circular shifts of the absolute values of some of the variables, without changing their signs, in order to check for more variables which behave as ‘don’t care’; this procedure is demonstrated in Algorithm 1. But first, some definitions.
Definition 4.1. An abstraction of a vector v ∈ K3^n is a vector v′ ∈ K3^n which is obtained from v by assigning X-values to zero or more of the binary components of v. The vector v′ is a strict abstraction of v if v′ is an abstraction of v and v′ ≠ v. For example, an abstraction of the vector v = (T, F, F, T, F) is the vector v′ = (T, X, F, X, F), and the vector v″ = (X, X, F, X, F) is an abstraction of v′.
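The test-vector schemes of Examples 4.1 and 4.3 can be generated mechanically and applied both to a correct gate and to a faulty one. The following Python is an added example, not the paper's code; the faulty gates (an AND that drops its first input, a MUX with its data inputs wired in reverse) are constructed for illustration, and float infinity stands in for ±∞ on the selectors.

```python
# Added example (not the paper's code): the test-vector schemes of Examples 4.1
# and 4.3 over M (AND = min, OR = max, NOT = negation), applied to a correct
# gate and to a constructed faulty one of each kind.
from itertools import product

INF = float("inf")   # ∞ for selector inputs: they never dominate the output

def and_gate(*inputs):
    return min(inputs)

def faulty_and(*inputs):
    return min(inputs[1:])                 # constructed bug: first input is not wired

def xor_gate(a, b):
    return max(min(a, -b), min(-a, b))     # (a ∧ ¬b) ∨ (¬a ∧ b); |a ⊕ b| = min(|a|, |b|)

def mux(data, selectors):
    """Multiplexer on n = 2**k data inputs; bit t of index j decides whether
    s_t or ¬s_t appears in the j-th conjunctive term."""
    out = -INF
    for j, x in enumerate(data):
        term = x
        for t, s in enumerate(selectors):
            term = min(term, s if (j >> t) & 1 else -s)
        out = max(out, term)
    return out

def faulty_mux(data, selectors):
    return mux(data[::-1], selectors)      # constructed bug: data inputs wired in reverse

def and_test_vectors(n):
    """Example 4.1: n + 1 vectors (instead of 2**n) with their expected outputs."""
    vectors = []
    for i in range(n):
        v = [1] * n
        v[i] = -2                          # x_i dominates; the others are don't cares
        vectors.append((tuple(v), -2))
    vectors.append(((1,) * n, 1))
    return vectors

def mux_test_vectors(k):
    """Example 4.3: 2n vectors (instead of 2**(n+k)), n = 2**k, with expected outputs."""
    n = 2 ** k
    vectors = []
    for sel in product((INF, -INF), repeat=k):
        j = sum(1 << t for t, s in enumerate(sel) if s > 0)   # selected data input
        for value in (2, -2):
            data = [1] * n
            data[j] = value
            vectors.append((tuple(data), sel, value))
    return vectors

def verify_and(circuit, n):
    return all(circuit(*v) == expected for v, expected in and_test_vectors(n))

def verify_mux(circuit, k):
    return all(circuit(d, s) == expected for d, s, expected in mux_test_vectors(k))
```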
Definition 4.2. Given a binary combinational circuit C on n inputs and a vector v ∈ B2^n, a maximal abstraction of v with respect to C is a vector v′ ∈ K3^n which is an abstraction of v and such that C(v′) ≠ X, and for any strict abstraction v″ of v′, C(v″) = X.
Definition 4.3. A signed permutation of size n is a vector w which is a permutation of {1, ..., n} augmented with a sign for each number. We refer to w also as a pair (v, σ) ∈ {−1, 1}^n × Sn, and denote by w.v and w.σ the binary vector and the permutation, respectively, that w is comprised of. For example, w = (−3, 1, −2, −4) is a signed permutation which is the (component-wise) product of v = (−1, 1, −1, −1) and σ = (3, 1, 2, 4). Given a permutation σ and a transposition (i, j), the permutation (i, j) ∘ σ (the composition is done by writing σ in cycle notation) is the permutation obtained from σ by replacing i with j.
Algorithm 1 computes a maximal abstraction with respect to the circuit C of an input binary vector v that is a component of a signed permutation w = (v, σ). It performs an iterated greedy search for a more abstract vector: if w = w0, w1, ..., wr = w′ is the sequence of computed vectors then |C(wi−1)| ≤ |C(wi)|, i = 1, ..., r. The result is projected to K3, providing a maximal abstraction of v. We use the same notation C for the circuit and the function it represents, both in the binary and in the MVL setting. A binary vector is represented over the set {−1, 1}. We assume that at least one input variable reaches the output of C. The computation of maximal abstractions can be used by SAT solvers for pruning the search tree by ignoring the ‘don’t care’ variables. Another application is in equivalence verification, as shown in Algorithm 2.

Algorithm 1 Computation of a maximal abstraction
Input: A combinational design C(x1, ..., xn), a signed permutation w = (v, σ)
Output: A maximal abstraction v′ of v with respect to C
1: i ← 1; j ← n
2: while i < j do
3:   i ← |C(w)|
4:   if i < j then w.σ ← (i, j) ∘ σ  {exchange the absolute values i and j; the signs w.v are unchanged}
5:   j ← j − 1
6: end while
7: i ← |C(w)|; v′ ← p_i(w)  {v′ is the (component-wise) image of w in K3^n, where p_i(k) = X if |k| < i; i is recomputed so that the threshold matches the final vector}
8: return v′
Proposition 4.1. Algorithm 1 computes a maximal abstraction.
Proof. Because at each iteration we only exchange absolute values that are not smaller than the absolute value of the current output, the next output cannot be smaller (in absolute value) than the current one. This means that the number of variables that will eventually be mapped to X does not decrease with each iteration. By the end of the algorithm we get C(v′) = C(p_i(w)) = p_i(C(w)) = p_i(i) (or p_i(−i)) ≠ X. That is, v′ is an abstraction of v. Each of the variables x_{σ⁻¹(l)} with l ≥ i after the loop terminates, that is, a variable that is not mapped by p_i to X (at line 7), had at some point a value which was of the same absolute value as the output of C. Hence, if at that point x_l had been mapped to X then the output of C over K3 would also have been X, let alone at the end of the algorithm where possibly more X-s were added. This proves that v′ is a maximal abstraction.
We remark that the maximal abstraction can also be computed in K3, but with more iterations (on average).
4.2 Equivalence Verification
In equivalence verification one tries to verify that two designs A and B are equivalent: for the same (binary) inputs they produce the same outputs. We do not refer here to formal equivalence checking but to simulation-based methods. Here, again, the number of input test vectors may be reduced when working over M instead of over B2. In addition, nonequivalence over M may point to a circuit which is better designed although binary equivalent to the other design. Let us first explore connections between nonequivalence over M and Disjunctive Normal Form (DNF). Given a formula ϕ in some variables and the connectives ∧, ∨ and ¬, the ten rules of De Morgan algebras given in Section 2 may serve as reduction steps for transforming ϕ into an equivalent formula over M in DNF: a disjunction of conjunctive terms (CTs), where a CT is a conjunction of literals, each literal being a variable or its negation.
Definition 4.4. A formula ϕ is in canonical DNF over M if it is in DNF and cannot be reduced any further: no CT contains the same literal twice and no CT is a subterm of another CT (in particular, no CT appears more than once).
In binary logic there is a unique (up to reordering) minimal canonical DNF called the Blake Canonical Form (BCF), which consists of the disjunction of all the prime implicants of the formula ϕ. A CT γ is an implicant of ϕ (or implies ϕ) if for every valuation v, [[γ]]v = T implies [[ϕ]]v = T, and it is prime if no subterm of γ implies ϕ. Over M, on the other hand, a term of the form x ∧ ¬x cannot be reduced any further (or, equivalently, the term x ∨ ¬x when computing the Conjunctive Normal Form, CNF). In fact, the only ways by which a CT can be reduced in size are the Idempotence and Absorption rules, where the former ensures that no literal appears twice in a CT, and the latter ensures that no CT is a subterm of another. Each formula ϕ over M can be reduced to a unique (up to reordering) canonical DNF. For example, (x ∨ y) ∧ ¬(¬x ∧ y) ⟹ (x ∨ y) ∧ (x ∨ ¬y) ⟹ (x ∧ (x ∨ ¬y)) ∨ (y ∧ (x ∨ ¬y)) ⟹ x ∨ (x ∧ y) ∨ (y ∧ ¬y) ⟹ x ∨ (y ∧ ¬y) (not all reductions were listed). Another example is the formula (x ∧ ¬y) ∨ y, which is in canonical DNF over M but in Boolean algebra can be reduced to x ∨ y. Let ϕ̄ be the canonical DNF over M of ϕ. Then we write it as ϕ̄ = ϕ̄imp ∨ ϕ̄cont, where ϕ̄imp is the disjunction of the implicants of ϕ, and ϕ̄cont is the disjunction of the contradictory terms of ϕ̄, the CTs containing terms of the form x ∧ ¬x. The following theorem gives a connection between valuations and canonical DNF over M, which demonstrates the qualitative nature of valuations over M: a method for distinguishing between HW designs that are B2-equivalent but not M-equivalent.
Theorem 4.2. Let ϕ and ψ be two formulas which are binary equivalent but not M-equivalent, and let ϕ̄ and ψ̄ respectively be their canonical DNF over M.
Then: (i) if there exists an implicant γ ∈ ϕ̄imp which is a strict subterm of an implicant δ ∈ ψ̄imp then there exists a valuation v in M such that [[ϕ]]v > [[ψ]]v > 0; (ii) if [[ϕ]]v > [[ψ]]v > 0 for some valuation v in M then there exists a (binary) prime implicant of ϕ which is a strict subterm of an implicant of ψ̄.
Proof. (i) Suppose that γ ∈ ϕ̄imp is a subterm of an implicant δ ∈ ψ̄imp. Let v be the valuation: [[xi]]v = 2 for each variable xi appearing as xi in γ, [[xj]]v = −2 for each variable xj appearing as ¬xj in γ, and [[xk]]v = 1 for each variable xk that does not appear in γ. Then [[ϕ]]v = [[γ]]v = 2 > 1 = [[ψ]]v. This is because [[ϕ]]v = [[ϕ̄]]v = [[γ]]v = 2, since [[ϕ̄]]v is the maximum of the values of its CTs and it cannot exceed [[γ]]v = 2 because 2 is the maximal
absolute value of v. On the other hand, no CT of ψ̄ is a subterm of γ, which means that each CT in ψ̄ contains at least one variable which is not in γ, hence [[ψ]]v = [[ψ̄]]v < 2, and it equals 1 because it is positive.
(ii) Let [[ϕ]]v > [[ψ]]v > 0 and let γ ∈ ϕ̄ be such that [[ϕ]]v = [[γ]]v. Let δ be a prime implicant of ϕ which is a subterm of γ, and let η ∈ ψ̄ be such that δ is a subterm of η. Then δ is a strict subterm of η, because otherwise we would have [[ψ]]v ≥ [[η]]v = [[δ]]v ≥ [[γ]]v = [[ϕ]]v, in contradiction to the assumptions.
Example 4.4. Let ϕ = (x ∧ y) ∨ (x ∧ ¬y) and let ψ = (x ∧ z) ∨ (x ∧ ¬z) be two binary-equivalent formulas in x, y, z. For the valuation [[x]]v = 3, [[y]]v = 2, [[z]]v = 1 we get [[ϕ]]v = 2 and [[ψ]]v = 1. No CT of ϕ is a subterm of a CT of ψ. However, the BCF of ϕ and ψ is x, which is a subterm of, e.g., x ∧ z of ψ.
Over binary logic, each formula ϕ can be reduced into two extreme canonical DNFs. One is the BCF, which we already mentioned, and the other is the Full Disjunctive Normal Form (FDNF), which consists of all the minterm implicants, that is, each implicant contains all the variables of ϕ (each variable in complemented or uncomplemented form). The next theorem shows that formulas that are binary equivalent agree on the M-valuations of the implicant part of their canonical DNF whenever the valuations of the formulas are negative.
Theorem 4.3. Let ϕ and ψ be two formulas which are binary equivalent, and let ϕ̄ and ψ̄ respectively be their canonical DNF over M. Then for each valuation v in M such that [[ϕ]]v < 0 (equivalently, [[ψ]]v < 0): [[ϕ̄imp]]v = [[ψ̄imp]]v.
Proof. Let ϕ̄BCF and ϕ̄FDNF be the BCF and the FDNF canonical forms (over binary logic) of ϕ, respectively. For each CT implicant γ of ϕ̄imp there is an implicant δ of ϕ̄BCF which is a subterm of γ, hence [[γ]]v ≤ [[δ]]v for each M-valuation v. Hence, [[ϕ̄imp]]v ≤ [[ϕ̄BCF]]v (since in DNF we compute the maximum over the CTs).
Similarly, for each CT implicant γ of ϕ̄FDNF there is an implicant δ of ϕ̄imp which is a subterm of γ, hence [[ϕ̄FDNF]]v ≤ [[ϕ̄imp]]v for each M-valuation v. To finish the proof we need to show that when [[ϕ]]v < 0 the above inequalities are equalities. Let γ be a CT of ϕ̄BCF such that [[γ]]v < 0. For
each variable xk that does not appear in γ, let lk = xk or lk = ¬xk according to the condition [[lk]]v > 0. By the definition of ϕ̄FDNF, there exists a CT δ in ϕ̄FDNF such that γ is a subterm of δ and the other literals of δ are the above lk. Clearly, since [[γ]]v < 0 and [[lk]]v > 0 for each of the literals lk, we have [[γ]]v = [[δ]]v. It follows that [[ϕ̄BCF]]v ≤ [[ϕ̄FDNF]]v, and by the other inequality it is an equality.
Corollary 4.4. Let ϕ be a formula whose canonical DNF over M is a BCF. Then for any formula ψ which is binary equivalent to ϕ and for any valuation v in M, |[[ϕ]]v| ≥ |[[ψ]]v|.
Proof. Let ϕ̄ and ψ̄ respectively be the canonical DNF over M of ϕ and ψ. If [[ϕ]]v > 0 then, since for every CT γ ∈ ψ̄imp there exists δ ∈ ϕ̄ which is a subterm of γ, [[ϕ]]v ≥ [[ψ]]v as in the proof of Theorem 4.2. If, on the other hand, [[ϕ]]v < 0 then by Theorem 4.3, [[ϕ̄]]v = [[ψ̄imp]]v. But since ψ̄cont (if it exists) can either increase the valuation or leave it as it is, [[ϕ̄]]v ≤ [[ψ̄]]v < 0 and the proof is complete.
Example 4.5. Let ϕ̄ = x ∨ y and let ψ̄ = (x ∧ ¬y) ∨ y be two formulas in canonical DNF over M. Then for the valuation [[x]]v = 2, [[y]]v = −1 we obtain [[ϕ̄]]v = 2 whereas [[ψ̄]]v = 1. When the valuation produces negative values for the formulas, these values are of the same absolute value, e.g. when [[x]]v = −2, [[y]]v = −1 we have [[ϕ̄]]v = [[ψ̄]]v = −1.
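The claims of Theorem 4.3 and Corollary 4.4 can be checked by exhaustive simulation over all signed permutations of a small size. The following Python is an added example, not the paper's code; it uses the formulas of Examples 4.4 and 4.5 exactly as written in the text.

```python
# Added example (not the paper's code): exhaustive simulation of the formulas of
# Examples 4.4 and 4.5 over all signed permutations, checking the behaviour
# described by Theorem 4.3 and Corollary 4.4. AND = min, OR = max, NOT = negation.
from itertools import permutations, product

def phi(x, y, z):
    return max(min(x, y), min(x, -y))       # (x ∧ y) ∨ (x ∧ ¬y), Example 4.4

def psi(x, y, z):
    return max(min(x, z), min(x, -z))       # (x ∧ z) ∨ (x ∧ ¬z), binary equivalent to phi

def bcf_form(x, y):
    return max(x, y)                        # x ∨ y: its canonical DNF over M is a BCF (Example 4.5)

def redundant_form(x, y):
    return max(min(x, -y), y)               # (x ∧ ¬y) ∨ y: canonical over M but not a BCF

def signed_permutations(n):
    """All vectors whose absolute values are a permutation of 1..n, with all sign choices."""
    for sigma in permutations(range(1, n + 1)):
        for signs in product((1, -1), repeat=n):
            yield tuple(s * m for s, m in zip(signs, sigma))

def dominance_report(f, g, n):
    """Compare f and g over every signed permutation of size n."""
    binary_equivalent = dominates = negatives_agree = True
    differences = 0
    for w in signed_permutations(n):
        a, b = f(*w), g(*w)
        binary_equivalent &= (a > 0) == (b > 0)   # the projections p to B2 agree
        dominates &= abs(a) >= abs(b)             # Corollary 4.4 when f's canonical DNF is a BCF
        if a < 0:
            negatives_agree &= (a == b)           # Theorem 4.3: negative outputs coincide
        differences += (a != b)                   # valuations on which M tells f and g apart
    return {"binary_equivalent": binary_equivalent, "dominates": dominates,
            "negatives_agree": negatives_agree, "m_differences": differences}
```

For phi and psi neither formula dominates the other, because neither canonical DNF over M is a BCF, which is why Example 4.4 has to fall back on the prime implicant x.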
Figure 1: Equivalence verification (spec: a circuit on inputs x1, ..., xn; imp: the same circuit with its output disjoined with the term x1 ∧ ··· ∧ ¬xn, or with x1 ∧ ¬x1)
Example 4.6. In Fig. 1 we see two circuits, spec and imp, which are identical except for a disjunction of the output variable with some conjunctive term x1 ∧ ··· ∧ xn, which we assume produces a wrong output. Just by binary simulations, treating the circuits as black boxes, we need to check O(2^n)
test vectors to find the valuation that causes the faulty behavior. With M, on the other hand, we may find a different behavior of the two designs much faster. Assuming random simulation of signed permutation vectors, if the probability of the spec output being less than −m, 1 ≤ m < n, is p, then we need O(2^(n−m)/p) test vectors for the output of imp to be greater than the output of spec. The second case is when the extra term in imp is a contradiction x1 ∧ ¬x1, which makes it a redundant part that cannot be detected by binary simulations. However, with random simulation the term x1 ∧ ¬x1 gets the value −1 with probability 1/n, and if the probability of the spec output being less than −1 is p, then O(n/p) test vectors suffice in order to observe a different behavior of the two circuits. A similar analysis applies to a redundant conjunction with a tautology of the form x1 ∨ ¬x1. To summarize what we have shown: when two circuits are binary equivalent but show differences in the M simulations, then in some cases, especially when the differences occur with positive outputs, these differences are of a qualitative character.
4.2.1 Procedure for Equivalence Verification by Simulation
In Algorithm 2 we describe a simulation procedure for checking the nonequivalence of two binary circuits A and B. The procedure first checks for some binary vector v whether the two circuits agree on it. If not, a counterexample was found. Otherwise, the idea is to search in the surroundings of v for a potential counterexample by looking for shorter implicants (if the valuation is true), or for a similar shorter non-implicant. We are not necessarily trying to find prime implicants, but we follow the direction of approaching them. We may be close to a counterexample without knowing it, and the procedure tells us where in the near surroundings there is a better chance of finding one. The procedure chooses a corresponding signed permutation w = (v, σ), and by Algorithm 1 two maximal abstractions vA and vB are returned. If vA ≠ vB then we have found valuations in M on which A and B do not agree. Then, all the relevant combinations of replacing X values by binary ones in vA and vB are checked for binary nonequivalence between the two circuits. If no binary counterexample was found, the process repeats itself with another chosen binary vector and signed permutation.
Algorithm 2 Simulation procedure for nonequivalence
Input: Two combinational designs A, B on inputs x1, ..., xn
Output: If found, a counterexample to the equivalence of A and B
1:  while true do
2:    Choose a vector v ∈ {1, −1}^n
3:    if A(v) ≠ B(v) then
4:      return v
5:    end if
6:    Choose a signed permutation w ← (v, σ) of size n
7:    vA ← a maximal abstraction by Algorithm 1 on A, w
8:    vB ← a maximal abstraction by Algorithm 1 on B, w
9:    if vA ≠ vB then
10:     if ∃k > 0 indexes i with vB[i] ≠ vA[i] = X then
11:       for each of the 2^k binary combinations u of flipping the values of v[i] do
12:         if B(u) ≠ B(v) then
13:           return u
14:         end if
15:       end for
16:     end if
17:     Similarly for indexes i with vA[i] ≠ vB[i] = X
18:   end if
19: end while
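The following Python script is an added illustration, not code from the paper: it simulates over M a spec and an imp that differ only by the redundant contradiction term x1 ∧ ¬x1 analyzed in 4.2, and performs the random-simulation comparison of outputs with which Algorithm 2 opens (the maximal-abstraction step of Algorithm 1 is not on this page and is left out). It assumes the semantics ∧ = min, ∨ = max, ¬ = sign flip on signed permutations, consistent with the paper's remarks on XOR and on x1 ∧ ¬x1; the spec circuit and the random seed are constructed.

```python
import itertools
import random

# Assumed semantics of M on signed integers (consistent with the paper's
# remarks on XOR and on x1 ∧ ¬x1): conjunction = min, disjunction = max,
# negation = sign flip.  Binary vectors are the special case {1, -1}^n.
def AND(a, b): return min(a, b)
def OR(a, b): return max(a, b)
def NOT(a): return -a

# Constructed 4-input spec, and an imp that adds the redundant contradiction
# x1 ∧ ¬x1 (= -|x1| in M), so that imp is binary equivalent to spec.
def spec(x):
    x1, x2, x3, x4 = x
    return OR(AND(x1, x2), AND(x3, NOT(x4)))

def imp(x):
    x1 = x[0]
    return OR(spec(x), AND(x1, NOT(x1)))

def binary_equivalent(f, g, n):
    """Exhaustive check over {1, -1}^n: True iff f and g agree everywhere."""
    return all(f(v) == g(v) for v in itertools.product((1, -1), repeat=n))

def signed_permutation(n, rng):
    """A random signed permutation of 1..n (the paper's random M vectors)."""
    perm = list(range(1, n + 1))
    rng.shuffle(perm)
    return tuple(rng.choice((1, -1)) * k for k in perm)

def to_binary(w):
    """The binary vector v underlying a signed permutation w = (v, σ)."""
    return tuple(1 if a > 0 else -1 for a in w)

def find_mvl_difference(f, g, n, trials=1000, seed=1):
    """Random M simulation: the first signed permutation w on which the
    outputs differ, returned as (w, f(w), g(w)); None if none is found.
    A sign difference would already be a binary counterexample; a mere
    difference in absolute value points at a redundant part (section 4.2)."""
    rng = random.Random(seed)
    for _ in range(trials):
        w = signed_permutation(n, rng)
        if f(w) != g(w):
            return w, f(w), g(w)
    return None

if __name__ == "__main__":
    print("binary equivalent:", binary_equivalent(spec, imp, 4))
    print("first M difference:", find_mvl_difference(spec, imp, 4))
```

On every vector found, imp outputs −|x1| while spec is more negative, i.e. the two outputs share a sign (no binary counterexample) but differ in absolute value, which is the signature of the redundant term.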
5 Verifying Sequential Circuits
Sequential circuits contain memory elements which introduce cycles and time-dependent properties, making the verification problem more complex. However, in bounded model checking and some common model checking methods (see e.g. [3], [22], [17], [15]) the circuit is finitely unrolled and then SAT-based methods are applied to the resulting combinational design. Hence, the approach presented in the previous section applies here as well. The multi-valued approach can, however, also be applied directly to sequential circuits by adapting it to their temporal nature, as demonstrated in the following examples.
5.1 Temporal Values
One way we can benefit from using M instead of the binary logic is by incorporating time into the variable values. We may use the k least significant digits for the truth values (the truth part) and the other digits (the temporal part) for expressing the time of ‘birth’ of that value (this is equivalent to simulating with a pair of values instead of one). At each time step the temporal parts of all the values of the input variables are incremented by 1 while the truth parts may vary. For example, suppose we devote the last 3 digits to the truth part and the other digits to the temporal part. Then the input values may look like this (for 6 input variables):

       Time 0    Time 1    Time 2    Time 3   ...   Time 40
x1     00 005   −01 004   −02 006    03 002   ...   −40 006
x2    −00 002   −01 005    02 003   −03 005   ...   −40 005
x3    −00 003    01 002    02 002    03 001   ...    40 001
x4    −00 004    01 001   −02 005   −03 003   ...    40 002
x5     00 001    01 006   −02 004   −03 006   ...   −40 004
x6     00 006   −01 003    02 001    03 004   ...    40 003
Within this approach of an increasing sequence of temporal values we may still want to make sure that special variables like enable, clock or selector obtain larger values than the variables they interact with. The advantage of having temporal values is that the state of the circuit at a given time reflects its history directly: each value of a non-input variable bears, in addition to its truth degree and the input variable it originated at, also its ‘age’. We can then observe the flow of data in space-time, possibly with an animation in which age is expressed by color. Timing considerations in the design stage may also benefit from the information within temporal values.
5.1.1 Initialization
When trying to find a sequence of input vectors which initializes the circuit one uses ternary logic, starting from an ‘all-X’ state until there are no more X values at the latches. In M we can generalize this approach. If we apply the above method of increasing temporal values then any simulation we perform may also be seen as an initialization simulation. Moreover, at each time step k we start a new simulation: we just have to observe when the temporal part of each variable is at least k. Since the input values are incremented in absolute value at each time step, by Theorem 3.4 reaching a state in which all temporal values smaller than k have already disappeared is equivalent to claiming that the current state is invariant to whatever state was before time step k, or, in other words, that the sequence starting at time step k initializes the circuit.
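An added Python illustration (not from the paper) of the temporal encoding of subsection 5.1 and of the initialization check just described: it simulates a small constructed 2-latch circuit over a constructed sequence of signed-permutation inputs whose temporal parts increase by 1 per step, and reports the first time at which every latch carries a temporal part of at least k. The gate semantics (∧ = min, ∨ = max, ¬ = sign flip), the circuit, the input rows and the initial latch values are assumptions made here.

```python
# Temporal values as in the table of subsection 5.1: the last 3 digits of
# |x| are the truth part, the remaining digits the temporal part ('date of
# birth').  Assumed gate semantics: ∧ = min, ∨ = max, ¬ = sign flip.
TRUTH_DIGITS = 1000

def encode(t, v):
    """Value with temporal part t, truth part |v| and the sign of v."""
    return (1 if v > 0 else -1) * (t * TRUTH_DIGITS + abs(v))

def temporal_part(x):
    return abs(x) // TRUTH_DIGITS

def truth_part(x):
    return (1 if x > 0 else -1) * (abs(x) % TRUTH_DIGITS)

def AND(a, b): return min(a, b)
def OR(a, b): return max(a, b)
def NOT(a): return -a

def next_state(state, inputs):
    """Constructed circuit: q1 is a latch loading d when en holds, q2 latches q1 ∧ ¬r."""
    q1, q2 = state
    en, d, r = inputs
    return (OR(AND(en, d), AND(NOT(en), q1)), AND(q1, NOT(r)))

# Constructed input rows (en, d, r): at time t the truth parts form a signed
# permutation of 1..3, and the temporal part of every input is t.
INPUT_ROWS = [(-3, 1, -2), (1, -3, 2), (-2, 3, 1), (3, -1, -2), (2, 3, 1)]

def simulate(initial, rows):
    """trace[t] is the latch state at time t; trace[0] is the constructed initial state."""
    trace = [initial]
    for t, row in enumerate(rows):
        trace.append(next_state(trace[-1], tuple(encode(t, v) for v in row)))
    return trace

def init_time(trace, k):
    """First time at which every latch has temporal part >= k, i.e. (by the paper's
    Theorem 3.4) the state depends on nothing before step k; None if not reached."""
    for t, state in enumerate(trace):
        if min(temporal_part(x) for x in state) >= k:
            return t
    return None

# Initial latch values are arbitrary constructed values with temporal part 0.
TRACE = simulate((encode(0, 1), encode(0, -2)), INPUT_ROWS)

if __name__ == "__main__":
    print([(t, s) for t, s in enumerate(TRACE)], init_time(TRACE, 2))
```

In the trace, q1 keeps its older value (and older temporal part) whenever en is negative, so the latch ages are visible directly in the state, and the input sequence starting at step 2 is seen to initialize the circuit at time 5.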
After applying an increasing sequence of temporal values to the inputs we may at some time step want to change direction and start decreasing the temporal values. If a group of variables retains its large temporal values then we know these values are invariant to any future inputs. Note that such a group of variables may exhibit a periodic behavior and need not be stuck at the same values, but the above method will detect this, probably faulty, behavior as well.
5.1.3 Composition of Blocks, Prioritizing
We can manipulate the flow of data in the design. For example, we know that in XOR gates the absolute value of the output always equals the minimum of the absolute values of the inputs. Then, by playing with the input values we can check whether each of the inputs can indeed be propagated through the XOR gates. That is, we apply here a prioritizing methodology by pushing the desired inputs toward the outputs. When we have a unit which is composed of several blocks we may use M simulations in a way that reflects this higher-order partition. For example, when the blocks have different inputs then the input values may be grouped by absolute values according to the blocks. We may assign smaller absolute values to a block that we want to prioritize, explore dependencies between the blocks, etc. In this way, we shift attention to the hierarchical structure of the design and to the interactions between the blocks rather than to the more detailed structure inside the blocks.
5.1.4 Equivalence Verification
As mentioned in subsection 4.2, circuits that are supposed to be binary equivalent may produce different M values. If the differing values are also of different sign then the circuits are not binary equivalent. If the signs are the same but the absolute values differ then it may indicate a potential binary nonequivalence or the existence of a potential redundant part. It may also be the case that none of the above holds. By Proposition 3.1, we can trace the output values all the way back towards the inputs (mostly in one of the previous time steps) and try to analyze why the values differ. There is no definite answer to the question which of two equivalent circuits is better designed, and considerations of speed, minimization, power, context, etc. play an important role (for a somewhat related work see [5]). In some cases, as we have seen in subsection 4.2, higher M absolute values indicate a better design.
5.1.5 Generating Assertions
When trying to formally verify sequential circuits, whether for property or for equivalence checking, it is almost unavoidable to try and break the problem into sub-problems to be verified first. This incremental methodology requires the generation of potential assertions, also referred to as lemmas, and the more refined MVL may be of help here. In equivalence verification we can find correlations between variables, applying probabilistic methods if needed, in a more accurate manner over M, since the spread of values is wider and also since the values refer to the input variables of their origin. The designer may also provide refined assertions over M for assertion-based verification and simulation. For example, if the designer knows that some property should hold under an assumption that relies on specific input values, then the property may be checked with these input values being of higher absolute value than the other input values, to make sure that the output does not depend in this case on other inputs. The assertions may also refer to the temporal values of the variables.
6 Conclusion
Simulation over the many-valued fuzzy logic M is more refined and informative than over binary and ternary logics, thus providing a novel potential approach to the complex task of verification of HW designs. A state of the system is enriched with data that includes degrees of truth and identity stamps like place and date of birth. We gave some algorithms and general directions for applying the many-valued logic to different verification missions. Future goals include implementing and checking this approach on real HW designs and developing specific and detailed strategies and algorithms.
References
[1] Bergmann, M.: An Introduction to Many-Valued and Fuzzy Logic: Semantics, Algebras, and Derivation Systems. Cambridge University Press, 2008
[2] Bertacco, V.: Scalable Hardware Verification with Symbolic Simulation. Springer, 2006
[3] Biere, A., Cimatti, A., Clarke, E. M., Zhu, Y.: Symbolic model checking without BDDs. In TACAS, London, Springer-Verlag, 193–207 (1999)
[4] Bochvar, D. A.: Ob odnom Tréhznačnom Isčislénii i égo Priménénii k Analizu Paradoksov Klassičéskogo Rasširénnogo Funkcional’nogo Isčislénié. Matématčéskij Sbornik 4 (46), 287–308 (1937) (English translation by Bergmann, M.: On a Three-Valued Calculus and Its Application to the Analysis of the Paradoxes of the Classical Extended Functional Calculus. History and Philosophy of Logic 2, 87–112 (1981))
[5] Černý, P., Henzinger, T. A., Radhakrishna, A.: Simulation distances. Theoretical Computer Science 413, 21–35 (2012)
[6] Chang, C. C.: Algebraic Analysis of Many Valued Logics. Transactions of the AMS 88, 476–490 (1958)
[7] Chang, C. C.: A New Proof of the Completeness of the Lukasiewicz Axioms. Transactions of the AMS 93, 74–80 (1959)
[8] Clarke, E. M., Grumberg, O., Peled, D.: Model checking. MIT Press, 2001
[9] Dhande, A. P., Jaiswal, R. C., Dudam, S. S.: Ternary Logic Simulator Using VHDL. In SETIT, 4th International Conference on Sciences of Electronic, Technologies of Information and Telecommunications (2007)
[10] Gottwald, S.: A Treatise on Many-Valued Logics. Studies in Logic and Computation, Vol. 9, Baldock, Hertfordshire, England. Research Studies Press, 2001
[11] Karfa, C., Sarkar, D., Mandal, C.: Verification and Synthesis of Digital Circuits: High-level Synthesis and Equivalence Checking. LAP LAMBERT Academic Publishing, 2010
[12] Kleene, S. C.: On a notation for ordinal numbers. The Journal of Symbolic Logic 3, 150–155 (1938)
[13] Lam, W. K.: Hardware Design Verification: Simulation and Formal Method-Based Approaches. Prentice Hall, 2005
[14] Lukasiewicz, J.: Philosophische Bemerkungen zu mehrwertigen Systemen des Aussagenkalküls. Comptes rendus des séances de la Société des Sciences et des Lettres de Varsovie 23, cl. iii, 51–77 (1930) (English translation by Weber, H.: Philosophical Remarks on Many-Valued Systems of Propositional Logic. In ed. Storrs McCall, Polish Logic: 1920–1939, New York: Oxford University Press, 40–65 (1967))
[15] McMillan, K. L.: Interpolation and SAT-based model checking. In CAV, Vol. 2725 of LNCS, Springer, 1–13 (2003)
[16] Molitor, P., Mohnke, J.: Equivalence Checking of Digital Circuits. Kluwer Academic Sciences, 2004
[17] Moura, L. D., Ruess, H., Sorea, M.: Bounded model checking and induction: from refutation to verification. In CAV, Springer-Verlag, 14–26 (2003)
[18] Novák, V., Perfilieva, I., Močkoř, J.: Mathematical Principles of Fuzzy Logic. Springer, 1999
[19] Rosenmann, A., Hanna, Z.: Alignability equivalence of synchronous sequential circuits. In High Level Design Validation and Test (HLDVT ’02), 111–114 (2002)
[20] Rozon, C.: On the use of VHDL as a multi-valued logic simulator. 26th International Symposium on Multiple-Valued Logic (ISMVL ’96), 110 (1996)
[21] Seger, C.-J., Bryant, R.: Formal verification by symbolic evaluation of partially-ordered trajectories. Formal Methods in System Design 6 (2), 147–190 (1995)
[22] Sheeran, M., Singh, S., Stålmarck, G.: Checking safety properties using induction and a SAT-solver. In FMCAD, 127–144 (2000)
[23] Wilson, C., Dill, D. L.: Reliable verification using symbolic simulation with scalar values. In DAC, Proceedings of Design Automation Conference, 124–129 (2000)
[24] Wilson, C., Dill, D. L., Bryant, R. E.: Symbolic simulation with approximate values. In FMCAD, Proceedings of International Conference on Formal Methods in Computer-Aided Design; Vol. 1954 of Lecture Notes in Computer Science, 470–485. Springer, 2000
[25] Zadeh, L. A.: Fuzzy sets. Information and Control, Vol. 8 (3), 338–353 (1965)
[26] Zadeh, L. A.: Fuzzy Sets, Fuzzy Logic, and Fuzzy Systems: Selected papers. J. Klir, B. Yuan (eds.), World Scientific Publishing Company, 1996