We present a novel approach for digital hardware simulation based on many-valued (fuzzy) logic (MVL). Binary designs can be automatically transformed into MVL designs, and simulations performed in the more informative MVL setting may reveal details which are either invisible or hard to detect through binary simulations. Two circuits which are supposed to be binary equivalent may behave differently under MVL simulations, and analyzing these differences may lead to the discovery of a genuine binary nonequivalence, or in some cases, to a qualitative gap between the designs. By performing an MVL simulation, a combinational design becomes a union of trajectories, where each trajectory starts at some input variable and all the nodes along the trajectory are of the same degree of veracity or falsehood. With sequential synchronous designs one can incorporate temporal data into the simulation, so that the state of the design at a given time reports besides the degree of truth of each variable also the place and date of birth of its value. Applications include equivalence verification, initialization, assertions generation and verification, stuck-at-values, partial control on the flow of data by prioritizing, block-oriented simulations. Some procedures and general directions towards achieving these goals are presented.
Introduction
The verification of digital hardware (HW) circuits [13] has long become a major challenge during the design process. While formal verification methods such as model checking [8] of properties and formal equivalence checking [16], [11] are complete, they can be applied to designs of limited size. The traditional and older method of performing simulations may be applied to larger designs, even to the whole chip, but then suffers from the problem of an incomplete and small coverage of the state-space. There are also hybrid verification methods using concrete or symbolic simulations along with formal methods [2].
We present here a novel approach which extends the simulation methods that are based on binary, ternary or quaternary logics [9] with simulation procedures that are based on many-valued logic (MVL). The extension is simultaneously of a refinement and of an abstraction nature. The refinement comes from the wider domain of values, which enables in equivalence verification on the one hand to distinguish between designs that are binary equivalent but maybe one of them is better designed, and on the other hand may serve as a starting point for searching in the near surrounding for a binary nonequivalence between the designs. The abstraction is in treating some of the values as 'don't care' (which is valuable information for a SAT solver), however such that the border between the 'care' and 'don't care' need not be determined in advance but rather is dynamic and set upon each simulation according to the output value. This property of the MVL that we use (as stated in Theorem 3.4) is a key factor in applying it for the verification of binary designs.
Another characteristic of the MVL simulations is that we can incorporate temporal and space information within the domain of values. Thus, whereas in binary logic we normally observe the change in values of a specific variable along time, in MVL we can observe also the change in space of a specific value along time.
In the design and verification of HW it is common to extend the domain of values of abstract models of HW units with elements that correspond to many-valued logics. Such extensions include 3-valued logic: in addition to the binary values T (true or 1) and F (false or 0) they contain an X value, interpreted sometimes as 'unknown' and sometimes as 'don't care'. It is also common to include a fourth 'high-impedance' Z value, which is ignored in this note as it is not part of the intended logic function. Don't care values are used in simulation for abstracting symbolic simulations: [23], [24], [2], in the model checking technique Symbolic Trajectory Evaluation (STE) [21]. They appear also in the initialization phase and in equivalence verification [19].
Otherwise, MVL is used in the design stage and in verification in the register-transfer-level (RTL) model abstraction [20] , when collections of binary memory elements are treated as a single unit in the form of a word or a register, for better readability (higher level of abstraction) and efficiency reasons. In addition, some memory devices, arithmetic blocks and FPGAs operate with inputs and outputs which are not binary but many-valued.
The approach presented here is not to use MVL for treating a collection of binary elements as basic units but rather for performing MVL operations on the binary gate-level elements, extending the ternary-based simulations methodology. The extension is done by adopting the semantics of fuzzy logic: the AND, OR and NOT gates are transformed into Min, Max and Neg and the binary domain to Z, a 'completion' of the set of integers.
Applications include equivalence verification, initialization, assertions generation and verification, stuck-at-values, partial control on the flow of data by prioritizing, blocks-oriented simulations. Some procedures and general directions towards achieving these goals are presented.
MVL and its Semantics M
The classical propositional logic is defined over a binary domain: {T, F}. Formulas are composed with connectives, or operators in the Boolean algebra B 2 , from which we mention: ¬ (negation, NOT), ∧ (conjunction, AND, meet), ∨ (disjunction, OR, join). The implication connective ϕ → ψ is interpreted as ¬ϕ ∨ ψ. There are few extensions of the binary logic B 2 to ternary logic and we refer here to three of these extensions: Lukasiewicz' L 3 [14] , Kleene's 'strong' logic K 3 [12] and Bochvar's B 3 [4] (also known as Kleene's 'weak' logic). Let the additional value be denoted by X. The difference between L 3 and K 3 is that the value of X → X in L 3 is defined to be T, whereas in K 3 it is X. So, in L 3 the value X represents 'uncertainty': it can be either T or F, but since ϕ → ϕ is a tautology in binary logic then the value of X → X is T. In K 3 , on the other hand, X is interpreted as some value between T and F, that is, a 'vague' value ('undefined' in Kleene's original interpretation). Thus, proceeding this line of thought, ¬X is X and X → X has the same value as ¬X ∨ X, namely X. In B 3 any formula that contains an X value is evaluated to X.
Our intention is to extract more information about the binary design when performing MVL simulations, but in a way that conforms with the original (binary) behavior of the system. Thus, B 3 is not suited for this purpose. In L 3 the law of excluded middle does not hold, which means that the two binary equivalent formulas ϕ → ψ and ¬ϕ ∨ ψ are not equivalent in L 3 . In K 3 they are equivalent. However, since X → X = X in K 3 then simulating over K 3 may sometimes provide information which is of higher entropy than that of binary simulation. Nevertheless, the logic K 3 is the one that prevails in HW verification.
We will see that it is possible to apply MVL in a way that corresponds both to K 3 and to L 3 in the following way. When mapping from MVL to B 2 , a → a will always be mapped to T, as in L 3 . However, as in B 2 and unlike L 3 , ¬a ∨ a will be equivalent to a → a in MVL. When mapping into ternary logic then it will conform with the logic K 3 : if a will be mapped to T or to F then a → a will be mapped to T; and if a will be mapped to X then a → a will also be mapped to X.
Many-valued logics are logics with more than 2 values, even infinitely many values [10], [1]. Such systems were introduced by Lukasiewicz, Gödel, Post and many others. Chang [6], [7] introduced MV-algebras, which generalize Boolean algebras, in order to study Lukasiewicz' logics. Zadeh introduced fuzzy sets and fuzzy logic [25], [26], [18], [1], where the domain of values is the unit interval.
Since we want the MVL simulations to conform with both B 2 and K 3 , the algebraic laws of these logics should hold in the chosen MVL. In addition, we need to choose a suitable semantics M for realizing the MVL. So, first we need two designated elements denoted by and ⊥, corresponding to T and F, and three operators ∧, ∨ and ¬. Then, there should be at least one homomorphism p : M → B 2 such that p( ) = T and p(⊥) = F, and at least one homomorphism p : M → K 3 with p( ) = T and p(⊥) = F. Recall that a homomorphism is a map that respects the operations:
A natural demand is that the following set of laws of De Morgan algebras should hold in M (for a minimal set, the first law at each line suffices): The laws of B 2 hold in MV-algebras with lattice operations. However, since the complementation laws: a ∨ ¬a = and a ∧ ¬a = ⊥ of Boolean algebras hold also in MV-algebras, these algebras do not extend K 3 and are not candidates for our chosen logic. Instead, we replace it with the weaker orthocomplementation law: a ∨ ¬a = should hold for and ⊥ but not necessarily for all elements. It is easy to see that this requirement is implied by the combination of identity, duality and double negation laws. Note, however that by the homomorphism p : M → B 2 , p(a ∨ ¬a) = T and p(a ∧ ¬a) = F.
It is better that the domain of values of M will be a symmetric ordered set (and not just a lattice with partial order), so that any two elements could be compared, with ⊥ the minimal element and the maximal one. Given a lattice, one defines a ≤ b if and only if a ∧ b = a and a ∨ b = b. Thus, in an ordered set the operator ∧ is defined to be the Minimum and ∨ is the Maximum. By De Morgan law, we have: a ≤ b implies ¬b ≤ ¬a, which implies:
11. For all a, b: a ∧ ¬a ≤ b ∨ ¬b .
A system which satisfies the above 11 laws is called a Kleene algebra:
Well, there exists a known model providing semantics to all the above requirements: fuzzy logic with set of values in the closed unit interval, with designated values 1 ( ) and 0 (⊥) and the operations of Min (∧), Max (∨) and 1−a (¬a). Note that another common semantics for fuzzy logic, in which multiplication comes instead of Max for ∧, is rejected since when mapping to K 3 it may happen that a and b will be mapped to while a * b will be mapped to X, which is not a homomorphism. For convenience, instead of the unit interval of the continuum cardinality we choose for the domain of values of M the countable set Z = (Z \ {0}) ∪ {−∞, ∞}, with the operations ∧, ∨ and ¬ interpreted as Minimum, Maximum and Negation respectively. In Table 1 we show the behavior of the operators ¬, ∧, ∨ and ⊕ (Exclusive-Or) in M. In addition to interpreting the domain of values with degrees of truth, as is the semantics of fuzzy logic, it is possible to store more information in it (like 'birth date').

[Table 1: M operators]
The homomorphism p : M → B 2 is clear: p(a) = F for a < 0, p(a) = T for a > 0. Then, for every n > 0 in Z, we define p n : M → K 3 by:

$$p_n(a) = \begin{cases} F & \text{for } a \le -n \\ X & \text{for } -n < a < n \\ T & \text{for } a \ge n \end{cases} \tag{1}$$
Valuations in M
A valuation v of the variables
Given a formula ϕ(x 1 , . . . , x n ) over M and a valuation v as above, the induced valuation of ϕ is [[ϕ]] v = ϕ(a 1 , . . . , a n ) ∈ M. Given a valuation v and a representation of ϕ as a Directed Acyclic Graph (DAG) G, we label the leaves of G with a 1 , . . . , a n , its root with ϕ(a 1 , . . . , a n ), and each internal node representing a sub-formula
] v = a n be a valuation in M and let G be the corresponding valuation DAG of ϕ(x 1 , . . . , x n ). Then for some i, 1 ≤ i ≤ n, |ϕ(a 1 , . . . , a n )| = |a i |, and there exists a path (at least one) from the root of G to a leaf of it such that the label of each node along this path is of absolute value |a i |.
Proof. By induction on the composition depth of ϕ and by the fact that the operations of negation, maximum and minimum preserve the absolute value of one of the operands.
Theorem 3.2. Let |ϕ(a 1 , . . . , a n )| = |a i | and suppose, without loss of generality, that
Proof. If i = 1 then the claim holds trivially, so let i > 1. Let us suppose that ϕ(a 1 , . . . , a n ) = a i (the case where the result is −a i is similar). Let p : M → K 3 be the homomorphism p = p |a i | , hence p(±a 1 ) = · · · = p(±a i−1 ) = X. Therefore, ϕ(X, . . . , X, p(a i ), . . . , p(a n )) = ϕ(p(a 1 ), . . . , p(a i−1 ), p(a i ), . . . , p(a n )) = p(ϕ(a 1 , . . . , a n )) = p(a i ) ≠ X. As is known, when a formula over K 3 is evaluated to T or to F then the result is invariant to any binary value given to variables of X values.
In fact, the above theorem is inferred by the following theorem over M.
Theorem 3.4. Let |ϕ(a 1 , . . . , a n )| = |a i | and suppose, without loss of generality, that |a 1 | ≤ · · · ≤ |a i−1 | < |a i | ≤ · · · ≤ |a n |. Then, ϕ(a 1 , . . . , a n ) is invariant to any change of sign in a 1 , . . . , a i−1 : ϕ(a 1 , . . . , a i−1 , a i , . . . , a n ) = ϕ(±a 1 , . . . , ±a i−1 , a i , . . . , a n ).
Proof. Suppose i > 1. Let a = |a i |. We partition the nodes of G into 3 subsets: (i) those representing operators with operands of absolute value less than a; (ii) those with operands of absolute value more than or equal to a;
(iii) the nodes representing operators with one operand of absolute value less than a and another operand of absolute value more than or equal to a. Suppose we change arbitrarily the signs of the input variables of values a j , |a j | < a, or we may even change their absolute values, as long as they remain less than a. Then a node of the first type may change its value, but will remain of absolute value less than a. A node of the second type will keep its original value. Finally, by Lemma 3.3, a node of the third type, representing Max or Min operation, will keep its value if it were of absolute value more than or equal to a, and will stay of absolute value less than a (but perhaps with different value) if so were the case before the change. Since the root is labeled with absolute value a, it will not change its value (induction on the height of G).
Verifying Combinational Circuits
Digital binary combinational circuits do not contain memory elements, hence they represent binary formulas. Given a gate-level description of such a circuit, it can be automatically transformed into an MVL description with the M semantics. First, we assume the binary operators are translated to ∧, ∨ and ¬. Then, the data structure of each variable is changed from boolean to integer, ∧ is realized as the Minimum function, ∨ as the Maximum, and ¬ as the negation operator of the integers. Some very large integer N can represent ∞ (with −N representing −∞).
Functional Verification
When we know the function that the circuit should represent then it is possible to run a number of tests which is sometimes significantly fewer than in the binary setting (of course, at the expense that each test is of higher complexity when working over the integers instead of over the booleans). Let us look at a few simple examples.

f (x 1 , . . . , x n ) = x 1 ∧ x 2 ∧ · · · ∧ x n . In B 2 we need 2^n test vectors for verifying f , whereas in M only n + 1 test vectors are needed. When x i is assigned the value −2 and the other variables 1 the result should be −2, and by Theorem 3.2 the values of the other variables are 'don't cares'. Having done n such tests, for i = 1, . . . , n, we assign all variables the value 1, and check that the result is indeed 1. By this we cover all possibilities.
To test f in M we need only 2 vectors, compared to 2^n in B 2 : x i is assigned once the value 2 and then the value −2, while all other variables are assigned the value 1 at both times.
is a multiplexer with n = 2^k data inputs x 1 , . . . , x n and k selectors s 0 , . . . , s k−1 . To test and verify the multiplexer we need only 2n vectors in M compared to 2^(n+k) in B 2 . We go over all the 2^k possibilities of assigning each selector variable s i the value ∞ or the value −∞. For each choice of values to s 0 , . . . , s k−1 we assign the selected data input x j first the value 2 and then the value −2 while all the other data inputs are assigned the value 1.
The multiplexer is the generalization of the If-Then-Else function f (x 1 , x 2 , s) = (x 1 ∧ ¬s) ∨ (x 2 ∧ s), and by assigning the selector (or to clock or enable variables) the value ±∞ the output equals the value of the selected data input and not that of the selectors.
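The transformation and the tests described above can be tried on a small netlist. This is an added example, not code from the paper: the netlist format, the function names and the faulty AND circuit are assumptions made for illustration. It evaluates the If-Then-Else circuit over M, follows the trajectory from the output back to an input, checks the sign-flip invariance of Theorem 3.4, and runs the 2n multiplexer test and the n + 1 conjunction test.

```python
from itertools import product

INF = 10**9  # large integer standing in for infinity, as the text suggests

# Constructed gate-level netlist: node -> (gate, operands).
# If-Then-Else from the text: f(x1, x2, s) = (x1 AND NOT s) OR (x2 AND s).
ITE = {
    "ns": ("NOT", ["s"]),
    "a": ("AND", ["x1", "ns"]),
    "b": ("AND", ["x2", "s"]),
    "out": ("OR", ["a", "b"]),
}

def simulate(netlist, inputs, output="out"):
    """Evaluate over M: AND -> min, OR -> max, NOT -> integer negation."""
    values = dict(inputs)

    def val(node):
        if node not in values:
            gate, args = netlist[node]
            xs = [val(a) for a in args]
            if gate == "NOT":
                values[node] = -xs[0]
            else:
                values[node] = min(xs) if gate == "AND" else max(xs)
        return values[node]

    return val(output), values

def trajectory(netlist, values, output="out"):
    """Path from the output to an input along nodes of equal absolute value."""
    target, node, path = abs(values[output]), output, [output]
    while node in netlist:
        node = next(a for a in netlist[node][1] if abs(values[a]) == target)
        path.append(node)
    return path

def dont_cares(netlist, inputs):
    """Inputs whose absolute value is below that of the output."""
    out, _ = simulate(netlist, inputs)
    return sorted(k for k, v in inputs.items() if abs(v) < abs(out))

def invariant_under_sign_flips(netlist, inputs):
    """Flip the signs of all 'don't care' inputs in every combination."""
    out, _ = simulate(netlist, inputs)
    dc = dont_cares(netlist, inputs)
    for signs in product((1, -1), repeat=len(dc)):
        flipped = dict(inputs)
        flipped.update({k: s * inputs[k] for k, s in zip(dc, signs)})
        if simulate(netlist, flipped)[0] != out:
            return False
    return True

def mux_test(netlist):
    """The 2n = 4 vectors for the 2-input multiplexer: selector at +/-INF,
    selected data input 2 then -2, the other data input 1."""
    results = []
    for s, selected, other in ((-INF, "x1", "x2"), (INF, "x2", "x1")):
        for d in (2, -2):
            out, _ = simulate(netlist, {"s": s, selected: d, other: 1})
            results.append(out == d)
    return results

def and_test_vectors(n):
    """The n + 1 vectors for x1 AND ... AND xn: x_i = -2 with the rest 1, then all 1."""
    return [[-2 if j == i else 1 for j in range(n)] for i in range(n)] + [[1] * n]

def passes_and_test(circuit, n):
    expected = [-2] * n + [1]
    return all(circuit(v) == e for v, e in zip(and_test_vectors(n), expected))

def good_and(v):          # correct 4-input conjunction over M
    return min(v)

def faulty_and(v):        # hypothetical defect: input x3 is not connected
    return min(v[0], v[1], v[3])

if __name__ == "__main__":
    inputs = {"x1": 2, "x2": 1, "s": -INF}
    out, values = simulate(ITE, inputs)
    print("output:", out, "trajectory:", trajectory(ITE, values))
    print("don't cares:", dont_cares(ITE, inputs))
    print("mux test:", mux_test(ITE))
    print("AND test good/faulty:", passes_and_test(good_and, 4), passes_and_test(faulty_and, 4))
```
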
When the circuits are complex then it is less likely to have outputs of large absolute values (among those in the cone of influence), but this is not a rule. In general, the idea is to assign the input variable values which are of different absolute values in order to gain as much profit as possible from working over MVL. In the case of Exclusive-Or (XOR) (or its generalization to n variables, the notorious Parity function) the output is always of the smaller absolute value among the inputs (see Table 1 ): |a ⊕ b| = min(|a|, |b|). This makes it more difficult to verify circuits that contain lots of XOR gates (e.g. multipliers). Here, MVL can be used in order to check whether the output is larger (in absolute value) than what is expected.
We come now to the use of 'don't cares' in the simulations. Unlike the situation with ternary logic, this decision need not be taken in advance. The border between the 'don't care' and 'care' variables is dynamic and set upon each simulation: the values that are less (in absolute value) than the output can be regarded as 'don't care'. We then may perform more simulations with circular shifts of the absolute values of some of the variables, without changing their signs, in order to check for more variables which behave as 'don't care' and this procedure is demonstrated in Algorithm 1. But before, some definitions. We refer to w also as a pair (v, σ) ∈ {−1, 1}^n × S n , and denote by w.v and w.σ the binary vector and the permutation respectively that w is comprised of. For example, w = (−3, 1, −2, −4) is a signed permutation which is the (component-wise) product of v = (−1, 1, −1, −1) and σ = (3, 1, 2, 4). Given a permutation σ and a transposition (i, j), the permutation (i, j) • σ (the composition is done by writing σ in cycle notation) is the permutation obtained from σ by replacing i with j.
Algorithm 1 computes a maximal abstraction with respect to the circuit C of an input binary vector v that is a component of a signed permutation w = (v, σ). It performs an iterated greedy search for a more abstract vector: if w = w 0 , w 1 , . . . , w r = w is the sequence of computed vectors then |C(w i−1 )| ≤ |C(w i )|, i = 1, . . . , r. The result is projected to K 3 , providing a maximal abstraction of v. We use the same notation C for the circuit and the function it represents both in the binary and in the MVL setting. A binary vector is represented over the set {−1, 1}. We assume that at least one input variable reaches the output of C.
The computation of maximal abstractions can be used by SAT solvers for the purpose of pruning the search tree by ignoring the 'don't care' variables. Another application is in equivalence verification, as shown in Algorithm 2.
Algorithm 1 Computation of a maximal abstraction
Input: A combinational design C(x 1 , . . . , x n ), a signed permutation w = (v, σ)

Proof. Because at each iteration we switch the absolute values of variables larger (in absolute value) than the absolute value of the current output, the next output cannot be smaller (in absolute value) than the current one. This means that the number of variables that will be mapped eventually to X does not decrease with each iteration. By the end of the algorithm we get C(v′) = C(p i (w)) = p i (C(w)) = p i (i) (or p i (−i)) ≠ X. That is, v′ is an abstraction of v.
Each of the variables x σ −1 (l) , with l ≥ i after the loop terminates, that is, a variable that is not mapped by p i to X (at line 7) had at some point a value which was of the same absolute value as the output of C. Hence, if at that point x l was mapped to X then the output over K 3 of C would have been also X, let alone at the end of the algorithm where possibly more X-s were added. This proves that v′ is a maximal abstraction.
We remark that the maximal abstraction can also be computed in K 3 but with more iterations (in average).
Equivalence Verification
In equivalence verification one tries to verify that two designs A and B are equivalent: for the same (binary) inputs they produce the same outputs. We do not refer here to formal equivalence checking but to simulation-based methods. Here, again, the number of input test vectors may be reduced when working over M instead of over B 2 . In addition, nonequivalence over M may refer to a circuit which is better designed although binary equivalent to the other design.
Let us first explore connections between nonequivalence over M and Disjunctive Normal Form (DNF). Given a formula ϕ in some variables and the connectives ∧, ∨ and ¬, the ten rules of De Morgan algebra given in Section 2 may serve as reduction steps for transforming ϕ into an equivalent formula over M in DNF: a disjunction of conjunctive terms (CTs), where a CT is a conjunction of literals, with each literal being a variable or its negation. Over M, on the other hand, a term of the form x ∧ ¬x cannot be reduced anymore (or, equivalently the term x ∨ ¬x when computing the Conjunctive normal form CNF). In fact, the only ways by which a CT can be reduced in size is by using the Idempotence and Absorption rules, where the former makes sure that no literal appears twice in a CT, and the latter assures that no CT is a subterm of another. Each formula ϕ over M can be reduced to a unique (up to reordering) canonical DNF. For example, (x ∨ y) ∧ ¬(¬x ∧ y) =⇒ (x ∨ y) ∧ (x ∨ ¬y) =⇒ (x ∧ (x ∨ ¬y)) ∨ (y ∧ (x ∨ ¬y)) =⇒ x ∨ (x ∧ y) ∨ (y ∧ ¬y) =⇒ x ∨ (y ∧ ¬y) (not all reductions were listed). Another example is the formula (x ∧ ¬y) ∨ y that is in canonical DNF over M but in Boolean algebra it can be reduced to x ∨ y. We remark that

Let φ be the canonical DNF over M of ϕ. Then we write it as φ = φ imp ∨ φ cont , where φ imp is the disjunction of the implicants of ϕ, and φ cont is the disjunction of the contradictory terms of φ, that is, the CTs containing terms of the form x ∧ ¬x.
The following theorem gives a connection between valuations and canonical DNF over M, which demonstrates the qualitative nature of valuations over M, a method for distinguishing between HW designs that are B 2 -equivalent but not M-equivalent. 
] v is the maximum of the values of its CTs and it cannot exceed [[γ]] v = 2 because 2 is the maximal absolute value of v. On the other hand, no CT of φ psi is a subterm of γ, which means that each CT in ψ contains at least one variable which is not
] v < 2 and it equals 1 because it is positive.
(
Let δ be a prime implicant of ϕ which is a subterm of γ, and let η ∈ ψ such that δ is a subterm of η. Then δ is a strict subterm of η because otherwise we would have

Over binary logic, each formula ϕ can be reduced into two extreme canonical DNF. One is BCF, which we already mentioned, and the other is the Full Disjunctive Normal Form (FDNF), which consists of all the minterm implicants, that is, each implicant contains all the variables of ϕ (each variable in a complemented or uncomplemented form).
The next theorem shows that formulas that are binary equivalent agree on the M-valuations of the implicant part of their canonical DNF whenever the valuations of the formulas are negative. 
Proof. Let φ BCF and φ FDNF be the BCF and the FDNF canonical forms, respectively (over binary logic), of ϕ.
] v (since in DNF we compute the maximum over the CTs).
Similarly
To finish the proof we need to show that when [[ϕ]] v < 0 then the above inequalities are equalities. Let γ be a CT of φ BCF such that [[γ]] v < 0. For each variable x k that does not appear in γ let l k = x k or l k = ¬x k according to the condition [[l k ]] v > 0. By the definition of φ FDNF , there exists a CT δ in φ FDNF such that γ is a subterm of δ and the other literals of δ are the above l k . Clearly, since [[γ]] v < 0 and for each of the literals l k ,
[Figure 1: Equivalence verification]

Example 4.6. In Fig. 1 we see two circuits, spec and imp, which are identical except for a disjunction of the output variable with some conjunctive term x 1 ∧ · · · ∧ x n , which we assume produces a wrong output. Just by binary simulations, treating the circuits as black boxes, we need to check O(2^n) test vectors to find the valuation that causes the faulty behavior. With M, on the other hand, we may find a different behavior of the two designs much faster. Assuming random simulation of signed permutations vectors, if the probability of spec output to be less than −m, 1 ≤ m < n, is p then we need O(2^(n−m) / p) test vectors for the output of imp to be greater than the output of spec.
The second case is when the extra term in imp is a contradiction x 1 ∧ ¬x 1 , which makes it a redundant part that cannot be detected by binary simulations. However, with random simulation the term x 1 ∧ ¬x 1 gets the value −1 with probability 1/n, and if the probability of spec output to be less than −1 is p then O(n / p) test vectors suffice in order to observe a different behavior of the two circuits.
A similar analysis applies to a redundant conjunction with a tautology of the form
To summarize what we have shown, when two circuits are binary equivalent but show differences in the M simulations then in some cases, especially when the differences occur with positive outputs, these differences are of a qualitative characteristic.
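Both cases of Example 4.6 can be reproduced exhaustively for n = 4. This is an added example, not code from the paper: the spec function and the two imp variants are constructed, and `nearby_counterexample` is a simplified single-step stand-in for the search in the surrounding of a valuation (it projects once with p n , n being the absolute value of each output, instead of running the iterated Algorithm 1).

```python
from itertools import permutations, product

def signed_permutations(n):
    """All w = (v, sigma): every sign vector times every permutation of 1..n."""
    for sigma in permutations(range(1, n + 1)):
        for v in product((-1, 1), repeat=n):
            yield tuple(s * a for s, a in zip(v, sigma))

# Constructed circuits over M: AND = min, OR = max, NOT = unary minus.
def spec(x):
    x1, x2, x3, x4 = x
    return max(min(x1, -x2), min(x3, -x4))

def imp_faulty(x):
    # First case: spec OR'ed with a wrong term x1 AND x2 AND x3 AND x4.
    return max(spec(x), min(x))

def imp_redundant(x):
    # Second case: spec OR'ed with the contradiction x1 AND NOT x1.
    return max(spec(x), min(x[0], -x[0]))

def compare(a, b, n=4):
    """Count disagreements over {-1, 1}^n and over all signed permutations."""
    binary = list(product((-1, 1), repeat=n))
    m_vecs = list(signed_permutations(n))
    m_diff = [w for w in m_vecs if a(w) != b(w)]
    return {
        "binary_total": len(binary),
        "binary_diff": sum((a(v) > 0) != (b(v) > 0) for v in binary),
        "m_total": len(m_vecs),
        "m_diff": len(m_diff),
        # Differences that already show up after projecting to B2 (opposite signs).
        "m_sign_diff": sum((a(w) > 0) != (b(w) > 0) for w in m_diff),
    }

def nearby_counterexample(a, b, w):
    """Given a valuation w, treat inputs below each output's absolute value as X
    and try every binary completion of them, looking for a binary disagreement."""
    for circuit in (a, b):
        n = abs(circuit(w))
        free = [i for i, x in enumerate(w) if abs(x) < n]  # mapped to X by p_n
        for bits in product((-1, 1), repeat=len(free)):
            v = [1 if x > 0 else -1 for x in w]
            for i, bit in zip(free, bits):
                v[i] = bit
            if (a(v) > 0) != (b(v) > 0):
                return tuple(v)
    return None

if __name__ == "__main__":
    print("faulty   :", compare(spec, imp_faulty))
    print("redundant:", compare(spec, imp_redundant))
    w = (-1, 2, 3, 4)  # same sign on both outputs, different absolute values
    print(spec(w), imp_faulty(w), nearby_counterexample(spec, imp_faulty, w))
```
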
Procedure for Equivalence Verification by Simulation
In Algorithm 2 we describe a simulation procedure for checking the nonequivalence of two binary circuits A and B. The procedure first checks for some binary vector v whether the two circuits agree on it. If not, a counter example was found. Otherwise, the idea is to search in the surrounding of v for a potential counter example by looking for shorter implicants (if the valuation is true), or for a similar shorter non-implicant. We are not trying to find necessarily prime implicants, but follow the direction of approaching them. We may be close to a counter example without knowing it, and the procedure tells us where in the near surrounding there is a better chance to find one.
The procedure chooses a corresponding signed permutation w = (v, σ) and by Algorithm 1 two maximal abstractions v A and v B are returned. If v A ≠ v B then we found valuations in M on which A and B do not agree. Then, all the relevant combinations of replacing X values by binary ones in v A and v B are checked for binary nonequivalence between the two circuits. If no binary counter example was found then the process repeats itself with another chosen binary vector and signed permutation.
Verifying Sequential Circuits
Sequential circuits contain memory elements which introduce cycles and time dependent properties which make the verification problem more complex. However, in bounded model checking and some common model checking methods (see e.g. [3], [22], [17], [15]) the circuit is finitely unrolled and then SAT-based methods are applied to the resulting combinational design. Hence, the approach presented in the previous section applies also here. However, the multi-valued approach can also be applied directly to sequential circuits by adapting it to the temporal nature of sequential circuits as is demonstrated in the following examples.
Temporal Values
One way we can benefit from using M instead of the binary logic is by incorporating time into the variable values. We may use the k least significant digits for the truth values (the truth part) and the other digits (the temporal part) for expressing the time of 'birth' of that value (this is equivalent to simulating with a pair of values instead of one). At each time step the temporal parts of all the values of the input variables are incremented by 1 while the truth parts may vary. For example, suppose we devote the last 3 digits for the truth part and the other digits for the temporal part. Then the input values may look like this (for 6 input variables):

Within this approach of an increasing sequence of temporal values we may still want to make sure that special variables like enable, clock or selector obtain larger values than the variables they interact with. The advantage of having temporal values is that the state of the circuit at a given time reflects directly its history: each value of a non-input variable bears also its 'age' in addition to the truth degree and input variable it originated at. We can then observe the flow of data in the space-time, possibly with animation in which age is expressed by color. Timing considerations in the design stage may also benefit from the information within temporal values.
Initialization.
When trying to find a sequence of input vectors which initializes the circuit one uses ternary logic, starting from an 'all-X' state until there are no more X values to the latches. In M we can generalize this approach. If we apply the above method of increasing temporal values then any simulation we perform may also be seen as an initialization simulation. Moreover, at each time step k we start a new simulation: we just have to observe when the temporal part of each variable is at least k. Since the input values are incremented in absolute values at each time step then by Theorem 3.4, reaching a state in which all temporal values smaller than k already disappeared is equivalent to claiming that the current state is invariant to whatever state was before time step k, or, in other words, that the sequence starting at time step k initializes the circuit.
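The temporal encoding and the initialization check can be sketched as follows. This is an added example, not code from the paper: the two-latch circuit, the stimulus and the function names are constructed, the truth part uses the last 3 decimal digits as in the text, and the enable input is given a larger truth part than the data input so that it dominates at the same time step.

```python
TRUTH_BASE = 1000  # last 3 decimal digits = truth part, remaining digits = temporal part

def stamp(bit, t, truth):
    """Value over M for a binary input applied at time step t with a truth degree."""
    return (1 if bit else -1) * (t * TRUTH_BASE + truth)

def birth(value):
    """Temporal part ('date of birth') of a value."""
    return abs(value) // TRUTH_BASE

def step(state, d, en):
    """One clock of a constructed circuit: an enable latch q1 feeding a latch q2.
    q1' = (d AND en) OR (q1 AND NOT en), q2' = q1, with AND = min, OR = max."""
    q1, q2 = state
    return (max(min(d, en), min(q1, -en)), q1)

def run(initial, stimulus):
    """Apply (d, en) bits at time steps 1, 2, ... and return the state after each."""
    state, trace = initial, []
    for t, (d_bit, en_bit) in enumerate(stimulus, start=1):
        # Enable gets truth part 900, data gets 1: same birth date, larger value.
        state = step(state, stamp(d_bit, t, 1), stamp(en_bit, t, 900))
        trace.append(state)
    return trace

def oldest_birth(trace):
    """Per time step, the smallest birth date among the latches. Once it is at
    least k, the input sequence starting at step k has initialized the circuit."""
    return [min(birth(q) for q in state) for state in trace]

# Constructed stimulus: enable is high only at time step 2.
STIMULUS = [(1, 0), (1, 1), (0, 0)]

if __name__ == "__main__":
    trace = run((1, 1), STIMULUS)      # latches start with birth date 0
    print(trace, oldest_birth(trace))
    # Any other initial state with birth date 0 ends in the same final state.
    for init in ((-5, 7), (999, -999), (-1, -1)):
        print(init, run(init, STIMULUS)[-1])
```
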
Stuck at Values.
After applying an increasing sequence of temporal values to the inputs we may at some time step want to change direction and start decreasing the temporal values. If a group of variables retain their large temporal values then we know these values are invariant to any future inputs. By the way, a group of such variables may exhibit a periodic behavior and need not be stuck at the same values, but the above method will detect this, probably faulty, behavior.
Composition of Blocks, Prioritizing.
We can manipulate the flow of data in the design. For example, we know that in XOR gates the absolute value of the output always equals the minimum of the absolute values of the inputs. Then, by playing with the input values we can check whether each of the inputs can indeed be propagated through the XOR gates. That is, we apply here a prioritizing methodology by pushing the desired inputs toward the outputs.
When we have a unit which is composed of several blocks we may use M simulations in a way that reflects this higher order partition. For example, when the blocks have different inputs then the input values may be grouped by absolute values according to the blocks. We may assign smaller absolute values to a block that we want to prioritize, explore dependencies between the blocks, etc. In this way, we shift attention to the hierarchical structure of the design and to the interactions between the blocks rather than to the more detailed structure inside the blocks.
Equivalence Verification.
As mentioned in subsection 4.2, circuits that are supposed to be binary equivalent may produce different M values. If the different values are also of different sign then the circuits are not binary equivalent. If the signs are the same but the absolute values differ then it may indicate a potential binary nonequivalence or the existence of a potential redundant part. It may also be the case that none of the above is the case. By Proposition 3.1, we can trace the output values all the way towards the inputs (mostly in one of the previous time steps) and try to analyze why the values are different.
There is no definite answer to the question which of two equivalent circuits is better designed, and considerations of speed, minimization, power, context, etc. play an important role (for a somewhat related work see [5]). In some cases, as we have seen in subsection 4.2, higher M absolute values refer to a better design.
Generating assertions.
When trying to formally verify sequential circuits, whether for property or for equivalence checking, it is almost unavoidable but to try and break the problem into sub-problems to be verified first. This incremental methodology requires the generation of potential assertions, also referred to as lemmas, and the more refined MVL may be of help here. In equivalence verification we can find correlations between variables, applying probabilistic methods if needed, in a more accurate manner over M since the spread of values is wider and also since the values refer to the input variables of their origin. The designer may also provide refined assertions over M for assertion-based verification and simulation. For example, if the designer knows that some property should hold under an assumption that relies on specific input values then the property may be checked with these input values being of higher absolute value than other input values to make sure that the output does not depend in this case on other inputs. The assertions may also refer to the temporal values of the variables.
Conclusion
Simulation over the many-valued fuzzy logic M is more refined and informative than over binary and ternary logics, thus providing a novel potential approach to the complex task of verification of HW designs. A state of the system is enriched with data that includes degrees of truth and identity stamps like place and date of birth. We gave some algorithms and general directions for applying the many-valued logic to different verification missions. Future goals include implementing and checking this approach on real HW designs and developing specific and detailed strategies and algorithms.
