Formal Verification of Three-Valued Digital Waveforms

We investigate a formal verification problem (mathematically rigorous correctness checking) for digital waveforms used in practical development of digital microelectronic devices (digital circuits) at early design stages. According to modern methodologies, a digital circuit design starts at high abstraction levels provided by hardware description languages (HDLs). One of the essential steps of an HDL-based circuit design is an HDL code debug, similar to the same step of program development in means and importance. A popular method for an HDL code debug is based on extraction and analysis of a waveform that is a collection of plots for digital signals: functional descriptions of value changes related to the selected circuit places in real time. We propose mathematical means for automation of correctness checking for such waveforms based on concepts and methods of formal verification against temporal logic formulas and focus on such typical features of HDL-related digital signals and corresponding (informal) properties such as real time, three-valuedness, and presence of signal edges. The three-valuedness means that, at any given time, besides basic logical values 0 and 1, a signal may have a special undefined value: one of the values 0 and 1, but which one is either not known or not important. An edge point of a signal is a time point at which the signal changes its value. 
The main results are mathematical notions, propositions, and algorithms intended to formalize and solve the formal verification problem for considered waveforms including (i) the definitions for signals and waveforms that capture the mentioned typical digital signal features, (ii) the temporal logic suitable for formalization of waveform correctness properties and a related verification problem statement, (iii) a solution technique for the verification problem that is based on reduction to signal transformation and analysis, and (iv) a corresponding verification algorithm together with its correctness proof and “reasonable” complexity bounds.


INTRODUCTION
This work is an attempt to apply the methods of formal verification [1] (the mathematically rigorous correctness checking of system execution) to the formalization and automation of one of the design stages for microelectronic devices (digital circuits) [2]. According to modern approaches, the starting point for designing a digital circuit is the development of its functionality in some hardware description language (HDL) [2] on a high level of abstraction, without accounting for many physical and technological peculiarities of circuits. One of the necessary stages of circuit HDL code development is its debugging, which is similar to program debugging but based on concepts and data types characteristic of circuits. The main concept typical for circuits is a digital signal: a function describing a real-time variation in logic values (1 and 0; true and false; high and low voltage level at a certain place of a circuit). The signals within an HDL may also take other values, for instance, (i) the unknown value, i.e., one of the values 0 or 1, where it is either unknown or not important which one exactly, (ii) the high-impedance value, i.e., a physically isolated point of the circuit, and (iii) arithmetic values in binary notation for a collection of signals. In this work, we consider signals taking three values: 0, 1, and *. We interpret the value * both as the unknown value in the above-mentioned sense and as a proper, independent third value of a signal; we interpret the three-valuedness of signals in the corresponding two-way manner.
One of the popular ways of debugging an HDL description of a circuit is as follows. A sample family of sets of input signal values, i.e., the test coverage, is developed. The circuit is simulated on the coverage elements by an appropriate software tool: the values of output signals are computed according to the language semantics implemented in this tool. As a result of simulation, a signal waveform is calculated: a set of graphs describing the variation of signal values at the selected places of the circuit in real model time. An expert studies the correctness of the obtained waveform, evaluating whether the circuit behavior corresponds to the anticipated one. The current work is aimed at developing mathematical means appropriate for the automation of such waveform correctness checking.
To illustrate the point, we consider a D flip-flop [2]: a single-bit memory cell used in practically all nontrivial digital circuits. The D flip-flop has two input signals ( , ) and an output signal ( ), and its operation may be shortly described in the following way: each time the value changes from 0 to 1 (i.e., a leading edge of the signal comes), the current value is stored in the flip-flop; the value always equals the last stored value. An example of a waveform that may be obtained by program simulation of a correct HDL code of the D flip-flop is shown in Fig. 1. In this waveform, the real-time scale runs along the horizontal axis, and different rows depict the plots of the signals , , and . The lower, middle, and upper levels of the rows correspond to the values 0, *, and 1. The vertical lines correspond to instantaneous variations in signal values (to the edges). Note that the unknown value of the signal in Fig. 1 appears for three reasons: before the first leading edge of the signal , the value stored in the flip-flop is arbitrary; if the value of the signal is unknown at a leading edge of , then the stored value is also unknown; if the signal changes its value at a leading edge of , then either the value before the change or the value after it may be stored (this is the well-known circuit effect referred to as metastability [2]).
The starting point of the formal verification of a signal waveform is the reformulation of the correctness property in a formal language. As seen from the considered example, a suitable formal language needs to have the means for reasoning about relations between logic values at different time instants. Such means are present in the languages of temporal logics [1]. As a rule, the most popular temporal logics belong to one of two wide classes: the discrete-time logics, where time is described by the set of integer numbers, and the real-time logics, where time is described by the set of real numbers. When a discrete-time logic is used for verification, a circuit is usually replaced with a finite automaton which executes transitions at the leading edges of the chosen (clock) signal. A wide spectrum of variations of such a replacement is met in the literature, and the main ideas of these variations can be found, e.g., in [2][3][4][5] (including those using three-valuedness in [6]). Such a replacement without loss of completeness of the behavior description is only possible for synchronous circuits [2], which change their states only at the mentioned edges of a single clock signal. For the remaining (asynchronous) circuits, the application of this approach requires additional analysis of the circuit and loses accuracy in the description of its behavior. The real-time temporal logics based on notions of a signal closest to the ones used in practice in the discussed waveforms are proposed in [7,8]. These works focus on binary signals, and, besides, the proposed languages have no means for reasoning about signal edges.
For this reason, these languages are practically inappropriate for the verification of waveforms: the value * is often met in waveforms, uncertainty or arbitrariness is often met in reasoning about waveform correctness, and, even for circuits as simple as the D flip-flop, means for reasoning about signal edges are required.
In this work, we propose (i) the formal language (the temporal logic) intended for specification of three-valued waveforms which contains, among others, the means for reasoning about the signal edge instances, (ii) the corresponding set of notions, including the rigorous definitions of a three-valued signal and of a waveform, and (iii) the statement and the constructive algorithmic solution to the waveform verification problem with respect to the formulas of the proposed logic. The work is organized as follows. In Sect. 1, we discuss the concepts and denotations not directly related to the digital signals and to the proposed language. In Sect. 2, we introduce the basic definitions and denotations related to the three-valued signals and waveforms. In Sect. 3, we propose the syntax and the semantics of the formulas of the logic intended for specification of the waveforms and referred to as the three-valued signal logic for clarity, and the formal statement of the waveform verification problem. In Sect. 4, we introduce an alternative semantics of formulas that allows reformulating the waveform verification problem as the problem of signal transformation and analysis. The corresponding decision algorithm with the justification of its correctness and a rough estimation of its complexity is given in Sect. 5. Finally, in Sect. 6, we discuss the set of operations expressible in the three-valued signal logic and provide examples of formulas expressing the correctness of waveforms of simple real circuits.

[Figure: waveform plot; time-axis ticks 0 to 12]

1. GENERAL DENOTATIONS
By , , and , we denote the sets of all natural numbers, all nonnegative integer numbers, and all real numbers. In this work we use the following types of intervals (the finite intervals of real numbers): , , , and . We also use the ranges of nonnegative integer numbers: .
Consider an arbitrary function . By we denote the set . By , where and is the equality ( ) or the inequality ( ), we denote the following fact: for each element of the set it is true that . We will say that the value of the function is constant on the set , if there exists a value , , such that .
We denote the set {0, 1, *} by . This set will be used in two senses. In the broad sense, is the set of values operated by the three-valued functions [9]. In the narrow sense, is the set of truth values of the Kleene three-valued logic [10,11], according to which 0 is interpreted as false, 1 is regarded as true, and * is treated as an unknown value: true or false, but it is unknown or unimportant what exactly. We call a function of the type a three-valued function ( -ary function, where ). In Fig. 2, we provide the truth tables for the three-valued functions used in Sects. 3 and 6: the negation ( ), disjunction ( ), and equivalence ( ) of the Kleene logic, the equivalence of the three-valued algebra ( ), and the function which means that the left argument may be refined to the right one.

THREE-VALUED DIGITAL SIGNALS
In the following, we assume that the real numbers and are given and determine the domain of definition of the considered signals. We refer to elements of the interval as the time instances and points (of the time axis). We refer to the points of the intervals , , and as the left, right, and internal points.

By
we denote the set , where is the edge value, . By the signal function we denote the mapping of the form . We will say that the function has the value v to the right from a left point if there exists a point such that and , and has the value v to the left from a right point if there exists a point such that and . We denote the values to the right and to the left from a point by and , respectively. We call a signal function a preform of a three-valued digital signal if the set is finite and the value is constant on each interval such that . Let , where . We refer to the point as the th edge point of the preform . The notation |ρ| denotes the total number of edge points of : . We define the points , , as follows: . By and , , we denote the interval and the value from such that . Note that each value exists and is unique, because the value of the function on each interval is constant and the set is finite.
Example 1. In Fig. 3, we plot the graphs of the preforms and on the interval (0,5) defined as follows: , , and , where and , and , , , where , , and . The
To denote the indices and of the last corollary, we will use the notations and instead of the index in the definitions of the points , values , and intervals . We call a three-valued digital signal a preform such that for all , . We refer to the mapping , where is the set of all signals, as the signal waveform over the finite set of variables . In the following, the set is assumed to be given by default.

Example 2.
The preform from Example 1 is not a signal, because . The preform from the same example is a signal.
We order the set : . We call an edge point such that ( ) a leading (trailing) edge point of the signal . We write the fact that is a leading edge point of the signal as . For an arbitrary point , the notation means the leading edge point t' following after in : ; ; . A cycle of the signal is an interval such that ; or ; . The cycle is the cycle of the point if , which we denote by .
3. FORMULAS AND VERIFICATION PROBLEM
In this section, we propose the three-valued logic including the syntax and the semantics of the formulas intended for specification of waveforms, and the formal statement of the waveform verification problem. We define the syntax of formulas (over the set of variables Var) by the following Backus-Naur form: where are formulas, , is a -ary three-valued function, is a binary temporal operator, and is the unary reflection operator. We refer to the mentioned functions and operators as the signal operations. In the formulas we sometimes use the infix notation for three-valued functions and omit an outer pair of parentheses and other pairs of parentheses according to the operation priority: the unary operations are of the highest priority; , , and are below them, followed by three-valued functions with the common priority.
Note that a signal may be interpreted as a description of a real-time variation in the truth value of a formula: is the truth, falseness, or uncertainty before and after a point , denotes the constancy (stability) of the value in the point if and the inconstancy (instability) if . Moreover, the signal is uniquely determined by the spectrum of truth values to the right of all internal points, which is justified by the following statement.

Statement 2. For any signal , internal point , and right point and for the signal function defined by the identity
, the following is true: 1. If , then ; otherwise .
2. There exists a point such that and . Proof. Item 1 follows from Statement 1 and signal definition.
. According to Statement 1, for any point t' of the interval it is true that . Therefore, , and, besides, . We found the above-mentioned interpretation of signals and the properties formulated in Statement 2 in the logic semantics of formulas. We put each formula ϕ, waveform , and left point in correspondence with the value of the set , which we refer to as the value of the formula ϕ on the waveform to the right from the left point . In the definition we use the auxiliary kinds of values of ϕ on : (1) the value to the left from a right point : (2) the value in an internal point : (3) the value on an interval : for any point of the interval it is true that , where is the equality ( ) or the inequality ( ).
In the description of the formula semantics, we need the generalizations of the notions of leading edge and cycle from the signals to the formulas. For a formula ϕ, a waveform , and an internal point , by we denote the following fact: . An informative interpretation is as follows: the formula ϕ becomes more certain on in or, in other words, is a leading edge point of the formula ϕ on . By , where is an arbitrary point, we denote the leading edge t' of the formula ϕ following after on : ; ; . By a cycle of the formula ϕ on we denote an interval such that: ; or ; or ; . We denote the cycle of the formula ϕ on such that by .
The reflection of a point , a signal , and a waveform is the point , signal , and waveform determined by the identities , , and .

Statement 3. For any signal there exists a unique signal .
Proof. Uniqueness follows from the fact that, for any signal and any internal point , the value is uniquely determined. . Thus, is a signal such that for any internal point is valid, that is, . We define the semantics of formulas (the value ) by the following rules: The informative interpretation of the temporal operators is as follows: means that eventually becomes true, and until that ϕ is true; means that ϕ is true on the current cycle of the formula ; means that ϕ becomes true at the next leading edge of the formula ; means that the formula ϕ is true if we swap the roles of future and past (reflect the time axis and all signals with respect to the current point). The rigorous semantics and the informative interpretation of the operator combines the semantics and the interpretation of the homonym operator of the real-time binary logics [1,7] and discrete-time three-valued logics [12,13]. The real-time temporal logics known to us contain no operators somehow similar to the operators and . The discrete-time temporal logics known to us contain no operators similar to and often contain an unary operator ("at the next time instance"; in some systems of denotations ) [1,13] remotely similar to the operator of the three-valued logic, but, due to absence of real time and edge points, significantly different both in the interpretation and in the rigorous definition.
We use the notation (a formula ϕ is satisfied by a waveform ) as a synonym of the notation . The verification problem studied in this work is formulated as follows: for given waveform and formula ϕ, check whether the relation holds.

SIGNAL SEMANTICS OF FORMULAS
The solution to the verification problem is based on the approach to the definition of the semantics of formulas, according to which each formula ϕ and waveform is put in correspondence to a signal describing the real-time variation of the formula value. For arbitrary formula ϕ and waveform , we determine the function by the identity . The signal semantics of formulas is determined by this function. In the following, in this section we justify the correctness of signal semantics: we prove that the function is a signal and the values of the signal and of the formula ϕ on to the left from the right point and to the right from the left point are always equal. To solve the verification problem, we reduce the checking of the relation to the construction and analysis of the signal . By , where and are signal functions, we denote the set of all internal points such that . We call the functions and almost equal if the set is finite.
if , , and , , and, according to Statement 2, (contradiction). Therefore, the supposition is false, that is, at least one of the inequalities and is true. Hence, it follows from Lemma 1 that the signals and are not almost equal.
On the basis of Lemma 2, we denote the (existing and unique) signal almost equal to the preform by . For the given formulas ϕ and waveform , we call the function correct if, for any left point and right point , the equalities and hold. In the statements of the next lemmas 3-10, for brevity's sake we omit the common initial phrase, "for any waveform , formula ϕ, preform , and signal , the following is true." Proof. is a signal almost equal to . According to Lemma 1, for any left point it is true that . Therefore, the signal fits into the condition of Lemma 3.

Lemma 5. If
, then is a correct signal. Proof. Case 1: . Consider a signal taking the value in each point. For any left point it is true that . Case 2: . Consider a signal . For any left point it is true that .
Result: according to Lemma 3, in both cases is a correct signal.
For a -ary three-valued function and signals , we denote the following preform by the notation : If is a three-valued function, and are correct signals, then is a correct signal.
Proof. Let . According to Lemma 4, it is sufficient to show that for any left point it is true that .
Let . It follows from Statement 1 and the definition of that the equalities are true: . According Result: the equivalences and are true. Therefore, because , the equality is also true. For signals and we denote the following preform by the notation : Proof. By Lemma 3, it is sufficient to show that for any left point is true. According to the condition of the lemma and the definitions of reflections of signal, point, and signal values at the right and left, the chain of equalities is true: .

Theorem 1. For any formula ϕ and waveform , the function
is a correct signal. Proof. We apply induction on the construction of the formula. The base of induction is justified by Lemma 5. The induction step , where , or is justified by Lemmas 6-10.

ALGORITHM FOR VERIFICATION OF WAVEFORMS
We call a preform rational if all numbers of the set are rational. We call a waveform rational if all the signals of its range are rational. In the algorithms working with signals, we consider only rational points, preforms, signals, and waveforms. This limitation is typical for real-time models [1,8] and is motivated by the following: (i) the set of real numbers is continuous, (ii) the variety of input data of the algorithm and the set of rational numbers are countable, and (iii) any real number can be approximated by a rational number with any given accuracy. Note that broader (but, nevertheless, countable) sets of numbers than the rational numbers may be used in algorithms; however, this is usually not required in practice and is not important for the description of the algorithms.
As the finite representation of the preform in algorithms, we use the pair , where and . Due to the structure of this representation of , in algorithms we use the notations |ρ|, , and , where and , meaning the size of the set , the corresponding points and values of representation, and the points and under it. We represent the waveform in the form of finite mapping which puts each variable in correspondence with the pair . By |D| we denote the total number of edge points of the images of : . By , where ϕ is the formula, we denote the total number of signal operations in ϕ.
We describe the verification algorithm (checking the relation ) in the procedural style. We denote the result of executing a procedure on input data by the notation . We refer to procedures with two possible results, 0 (failure) and 1 (success), as tests. The procedure complexity in the subsequent estimations is the total number of comparisons and assignments of values from and of points. The complexity estimations discussed below are not optimal, but they are sufficient to justify the polynomial decidability of the studied problem.
The algorithm is identified with the main procedure described after all auxiliary procedures. In the descriptions of procedures, we assume that is a rational preform, are rational signals, , , and are rational left, right, and internal points, respectively, and .

Procedure
: . The structure of the procedure is as follows: (1) Using exhaustive search, compute an index of the range such that .
(2) Give the result . The correctness of the procedure is justified by Statement 1. The complexity of the procedure is .

Procedure
: . The structure of the procedure is as follows: (1) Using exhaustive search, compute an index of the range such that .
(2) Give the result . The correctness of the procedure is justified by Statement 1. The complexity of the procedure is .

Procedure
: . The structure of the procedure is as follows: (1) Compute the values and .
(2) Give the result: if , then ; otherwise, . The correctness of the procedure is justified by Statement 2 and the correctness of the procedures and . The complexity of the procedure is and is determined by the calls of and .

Procedure
: . The structure of the procedure is as follows: (1) Using exhaustive search, compute all indices of the range such that in the ascending order.
The correctness of the procedure is justified in the proof of Lemma 2. The complexity of the procedure is . Test : . The structure of the test is as follows: (1) If , then give the result . Otherwise, continue the test.
(2) Using exhaustive search, compute an index of the range such that .
(3) Give the result and . The correctness of the test is justified by Statement 1: the test is successful iff or for some it is true that and .
The complexity of the test is .

Test :
. The structure of the test is as follows: (1) If , then give the result . Otherwise, continue the test.
(2) Using exhaustive search, compute an index of the range such that .
(3) Using exhaustive search, compute an index of the range such that .
(4) Give the result: at least one of the values , , is equal to v. The correctness of the test is justified by Statement 1: the test is successful iff and the interval intersects with at least one interval such that . The complexity of the test is .

Test :
. The structure of the test is as follows: (1) Compute the values and .
(2) Give the result . The correctness of the test is justified by the definition of a leading edge point of a signal, Statement 2, and correctness of the procedures and . The complexity of the test is determined by the calls of and .

Procedure :
The structure of the procedure is as follows: (1) Using exhaustive search, compute the lowest index of the range such that and the test is successful. If such index is not detected by the search, then set .
(2) Give the result . The correctness of the procedure is justified by the definition of the subsequent edge point of and by correctness of the test .
The complexity of the procedure is determined by |s| calls of the test .

Procedure
: is a pair of points such that . The structure of the procedure is as follows: (1) Using exhaustive search, compute the largest index of the range so that and the test is successful. If there exists no such index, then set . (2) Compute the index .
The correctness of the procedure is justified by the definition of the cycle of a point and by correctness of the test and procedure .
The complexity of the procedure is determined by |s| calls of the procedure .

Procedure :
. The structure of the procedure is as follows: (1) Give the results .
The correctness of the procedure is justified in the proof of Statement 3. The complexity of the procedure is .
The correctness of the procedure is justified by the definition of the waveform reflection and by correctness of the procedure .
The complexity of the procedure is determined by the complexity of the procedure .

Spectrum of procedures :
, where is a -ary three-valued function. The structure of each such procedure is as follows: (1) Using exhaustive search of points containing in , compute the sequence of all such points without repetitions in the ascending order. Set .
(2) Compute the value for each index of the range .
The correctness of the procedure is justified by the definition of the preform and by correctness of the procedure . The complexity of the procedure , where , is determined by calls of the procedure .

Procedure :
. The structure of the procedure is as follows: (3) Give the results .
The correctness of the procedure is justified by the definition of the preform and by correctness of the procedures and . The complexity of the procedure , where , is determined by calls of the procedures and .

Procedure :
. The structure of the procedure is as follows: (1) Using exhaustive search of points containing in and , compute the sequence of all such points without repetitions in the ascending order. Set . (2) Compute the value for each index of the range : (i) compute the pair of points ; (ii) if the test is successful, then ; otherwise, continue computing ; and (iii) if the test is successful, then ; otherwise, .
The correctness of the procedure is justified by the definition of the preform and by correctness of the procedures , , and . The complexity of the procedure , where , is determined by calls of the procedure .

Procedure :
. The structure of the procedure is as follows: (1) Using exhaustive search of points containing in and , compute the sequence of all such points without repetitions in the ascending order. Set . = , , = π , , v (ii) if and , then ; otherwise, .
The correctness of the procedure is justified by the definition of the preform and by correctness of the procedures and . The complexity of the procedure , where , is determined by calls of the procedure .

Procedure :
. The structure of the procedure is as follows: (1) Give the following result dependent on the structure of the formula ϕ: , then ; (ii) if , then ; (iii) if , where is a three-valued function, then ; (iv) if , where , then ; and (v) if , then .
The correctness of the procedure is justified by induction following the proof of Theorem 1, Lemmas 5-10, and by correctness of the procedures , , , , , , and .
The complexity of the procedure is determined by the complexities of the used procedures, by the way recursion is organized, and by the fact that all points of the computed representations are contained in the images and .

Test :
. The structure of the test is as follows: (1) Compute the signal determined by the signal semantics: .
The correctness of the check is justified by correctness of the procedure and by the following: (i) by definition of the satisfiability of the formulas: ; (ii) by Theorem 1, according to which the computed signal is correct; (iii) by definition of the correct signal: ; and (iv) by Statement 1: .
The complexity of the check is determined by calling the procedure .
The correctness and complexity of the procedure imply the following theorem.

Theorem 2. The verification problem for rational waveforms against formulas of the three-valued signal logic is polynomially decidable.
Example 3. Suppose that and . Consider the formula and the waveform whose values are the signals plotted in the first four lines of Fig. 4. The principle of reading the figure has been given in Example 1. According to the algorithm , the stages of the test of the relation are organized as follows: (1) The signals depicted in Fig. 4 and corresponding to the subformulas of the formula ϕ, including the formula ϕ itself, are successively computed. In the computation of the signal corresponding to the subformula , the signals and are used. These signals are drawn in the fifth and sixth lines of Fig. 4.
(2) The equality is checked for the signal .

EXPRESSIVE POWER OF FORMULAS
Using the operator in the common manner [1], we may define other temporal operators. In the future, ϕ eventually becomes true: . In the future, ϕ is always true: . Using the operator , we may determine the analogs of the available temporal operators characterizing the past [1,8,14]. In the past, was true, and, since that, ϕ is true: . In the past, ϕ was true at some point: . In the past, ϕ was always true: . By combining the available operations, we may determine other operators useful for writing the waveform properties. During the next trailing edge of the formula , ϕ is true: . During the previous leading edge of the formula , ϕ is true: . The formula ϕ is true on the following cycle of the formula : . The value ϕ varies only at leading edges of the formula : .
In the following, we provide two simple yet demonstrative examples that show the application of the three-valued logic for writing the correctness properties of "real" waveforms. We point out that, in the context of the logics proposed in all works we know, including those mentioned in this text, it is impossible to express even such uncomplicated properties accurately and completely.
The informative interpretation of the last formula is as follows: if the value at the last leading edge of is determined, then it is equal to the current value . This formula takes into account, among others, the arbitrariness of the value until the first leading edge of the signal in the waveform and the metastability effect [2]: if the value varies at the leading edge of , then the arbitrary (uncertain) value is stored.
Parity counter. Consider the circuit with the input signals and and the output signal which operates as follows: if the signal has the value 1 at a leading edge of the signal , then the value changes to the opposite one; in other time instances the value does not change.
The correctness property of a waveform of such circuit may be written as the following two formulas: The informative interpretation of the last formula: if the current value and the value at the next leading edge of the signal are determined, then the value at the next cycle of the signal is equal to the modulo 2 sum of these two values.
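As an added example (not code from the paper), the following Python sketch implements the finite (points, values) representation of rational three-valued signals from the algorithm section, the pointwise application of a three-valued function over merged edge points, and the informal D flip-flop correctness property of this section. The exact formulas are not legible in this copy, so the reading of a leading edge as a 0-to-1 change, the satisfaction criterion (the property signal is constantly 1), and the sample waveform are assumptions.

```python
from bisect import bisect_left, bisect_right
from fractions import Fraction as F
from typing import Callable, List, Sequence

# Truth values of the Kleene three-valued logic used by the paper: 0, 1 and * (unknown).
VALS = ('0', '1', '*')


class Signal:
    """Rational three-valued digital signal on (lo, hi) in the finite
    (points, values) representation of the algorithm section: values[i] is the
    constant value on the i-th open interval cut out by the sorted edge points.
    The special edge value at the edge points themselves is not modelled."""

    def __init__(self, lo, hi, points: Sequence, values: Sequence[str]):
        self.lo, self.hi = F(lo), F(hi)
        self.points = [F(p) for p in points]
        self.values = list(values)
        if len(self.values) != len(self.points) + 1:
            raise ValueError("need exactly one value per interval")
        if self.points != sorted(set(self.points)) or not all(
                self.lo < p < self.hi for p in self.points):
            raise ValueError("edge points must be distinct, sorted and internal")
        if any(v not in VALS for v in self.values):
            raise ValueError("values must be 0, 1 or *")

    def value_right_of(self, t) -> str:
        """Value to the right of a left or internal point t."""
        return self.values[bisect_right(self.points, F(t))]

    def value_left_of(self, t) -> str:
        """Value to the left of a right or internal point t."""
        return self.values[bisect_left(self.points, F(t))]

    def normalized(self) -> "Signal":
        """Drop edge points at which the value does not change: the unique
        signal almost equal to this preform (Lemma 2 of the paper)."""
        pts, vals = [], [self.values[0]]
        for p, v in zip(self.points, self.values[1:]):
            if v != vals[-1]:
                pts.append(p)
                vals.append(v)
        return Signal(self.lo, self.hi, pts, vals)

    def leading_edges(self) -> List[F]:
        """Edge points where the value changes from 0 to 1 (assumed reading of
        'leading edge', following the Introduction's D flip-flop description)."""
        return [p for p in self.points
                if self.value_left_of(p) == '0' and self.value_right_of(p) == '1']

    def is_constantly(self, v: str) -> bool:
        return all(x == v for x in self.values)


def apply(f: Callable[..., str], *sigs: Signal) -> Signal:
    """Pointwise application of a k-ary three-valued function, as in the
    'spectrum of procedures': merge all edge points, evaluate f on each
    resulting interval, then remove the redundant edge points."""
    lo, hi = sigs[0].lo, sigs[0].hi
    pts = sorted({p for s in sigs for p in s.points})
    vals = [f(*(s.value_right_of(c) for s in sigs)) for c in [lo] + pts]
    return Signal(lo, hi, pts, vals).normalized()


# Kleene strong negation and disjunction (standard truth tables).
def k_not(a: str) -> str:
    return {'0': '1', '1': '0', '*': '*'}[a]


def k_or(a: str, b: str) -> str:
    if a == '1' or b == '1':
        return '1'
    return '0' if a == b == '0' else '*'


def dff_stored(clk: Signal, d: Signal) -> Signal:
    """Value a correct D flip-flop holds over time (Introduction, Fig. 1):
    * before the first leading edge of clk; at each leading edge the value of
    d is stored, which is * when d is unknown or changes exactly at the edge
    (metastability)."""
    edges = clk.leading_edges()
    vals = ['*']
    for e in edges:
        before, after = d.value_left_of(e), d.value_right_of(e)
        vals.append(after if before == after else '*')
    return Signal(clk.lo, clk.hi, edges, vals).normalized()


def dff_correct(clk: Signal, d: Signal, q: Signal) -> bool:
    """Check in the paper's style: build the signal of the property 'if the
    stored value is determined, it equals the current q' and test whether that
    signal is constantly 1 (assumed meaning of satisfaction)."""
    def ok(stored: str, current: str) -> str:
        return '1' if stored == '*' or stored == current else '0'
    return apply(ok, dff_stored(clk, d), q).is_constantly('1')


# Constructed sample waveform on (0, 12), in the spirit of Fig. 1 (not the paper's data):
# clk toggles every unit; d changes exactly at the leading edge at t=7.
CLK = Signal(0, 12, range(1, 12), ['0', '1'] * 6)
D = Signal(0, 12, [F(5, 2), F(9, 2), 7, F(17, 2)], ['*', '0', '1', '0', '1'])
Q_GOOD = Signal(0, 12, [3, 5, 7, 9], ['*', '0', '1', '*', '1'])
Q_BAD = Signal(0, 12, [3, 5, 7, 9], ['*', '0', '0', '*', '1'])
```

Running `dff_correct(CLK, D, Q_GOOD)` yields True and `dff_correct(CLK, D, Q_BAD)` yields False, since Q_BAD shows 0 between t=5 and t=7 while 1 was stored at the edge at t=5.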

CONCLUSIONS
In the work, we proposed a system of notions, statements, and algorithms intended to formalize and automatically check the correctness properties of waveforms for three-valued digital signals. This system includes the definitions of a three-valued signal and a waveform, the logical language for specification of waveforms (the