# Introduction to Electronic Design Automation 

Jie－Hong Roland Jiang
江介宏
Department of Electrical Engineering National Taiwan University


Spring 2023

# Formal Verification 

Part of the slides are by courtesy of Prof. Y.-W. Chang, S.-Y. Huang, and A. Kuehlmann

## Formal Verification

## Course contents

$\square$ Introduction
■ Boolean reasoning engines
■ Equivalence checking
$\square$ Property checking
$\square$ Readings
■ Chapter 9

## Outline

$\square$ Introduction

$\square$ Boolean reasoning engines
$\square$ Equivalence checking
$\square$ Property checking

(1995/1) Intel announces a pre-tax charge of 475 million dollars against earnings, ostensibly the total cost associated with replacement of the flawed processors.

(1996/6) The European Ariane 5 rocket explodes 40 s into its maiden flight due to a software bug.

(2008/9) A major computer failure onboard the Hubble Space Telescope is preventing data from being sent to Earth, forcing a scheduled shuttle mission to do repairs on the observatory to be delayed.

## Design vs. Verification

$\square$ Verification may take up to $70 \%$ of the total development time of modern systems!

- This ratio is ever increasing
- Some industrial sources show 1:3 head-count ratio between design and verification engineers
$\square$ Verification plays a key role to reduce design time and increase productivity


## IC Design Flow and Verification



## Scope of Verification

$\square$ Design flow

- A series of transformations from abstract specification all the way to layout
$\square$ Verification enters design flow in almost all abstraction levels
- Design verification
$\square$ Functional property verification (main focus)
- Implementation verification
$\square$ Functional equivalence verification (main focus)
- Physical verification
$\square$ Timing verification
$\square$ Power analysis
$\square$ Signal integrity check
- Electro-migration, IR-drop, ground bounce, cross-talk, etc.
- Manufacture verification
$\square$ Testing


## Verification

$\square$ Design/implementation verification
- Functional verification
$\square$ Property checking at the system level: PSPACE-complete
$\square$ Equivalence checking at the RTL and gate levels: PSPACE-complete
- Physical verification
$\square$ DRC (design rule check) and LVS (layout vs. schematic check) at the layout level: tractable
$\square$ Manufacture verification
- Testing: NP-complete
$\square$ "Verification" often refers to functional verification


## Functional Verification



## Functional Verification Approaches

$\square$ Simulation (software)

- Incomplete (i.e., may fail to catch bugs)
- Time-consuming, especially at lower abstraction levels such as gate- or transistor-level
- Still the most popular way for design validation
$\square$ Emulation (hardware)
- FPGA-based emulation systems, emulation system based on massively parallel machines (e.g., with 8 boards, 128 processors each), etc.
- 2 to 3 orders of magnitude faster than software simulation
- Costly and may not be easy-to-use
$\square$ Formal verification
- a relatively new paradigm for property checking and equivalence checking
- requires no input stimuli
- perform exhaustive proof through rigorous logical reasoning


## Informal vs. Formal Verification

$\square$ Informal verification
■ Functional simulation aiming at locating bugs

- Incomplete
- Show existence of bugs, but not absence of bugs
$\square$ Formal verification
- Mathematical proof of design correctness
- Complete
- Show both existence and absence of bugs

We will be focusing on formal verification

## Outline

$\square$ Introduction

$\square$ Boolean reasoning engines
- BDD

- SAT
$\square$ Equivalence checking
$\square$ Property checking


## Binary Decision Diagram (BDD)

$\square$ Basic features

- ROBDD
$\square$ Proposed by R.E. Bryant in 1986
$\square$ A directed acyclic graph (DAG) representing a Boolean function $\mathrm{f}: \mathrm{B}^{\mathrm{n}} \rightarrow \mathrm{B}$
- Each non-terminal node is a decision node associated with an input variable and has two branches: the 0-branch and the 1-branch
- Two terminal nodes: 0-terminal and 1-terminal
- Example



## Binary-Decision Diagram (BDD)

$\square$ Cofactor of a Boolean function
- Positive cofactor w.r.t. $x_{i}$: $f_{x_i}=f\left(x_{1}, \ldots, x_{i-1}, 1, x_{i+1}, \ldots, x_{n}\right)$
- Negative cofactor w.r.t. $x_{i}$: $f_{x_i'}=f\left(x_{1}, \ldots, x_{i-1}, 0, x_{i+1}, \ldots, x_{n}\right)$
- Example

$$
\begin{aligned}
& f=x_{1}' x_{2}' x_{3}'+x_{1}' x_{2}' x_{3}+x_{1} x_{2}' x_{3}+x_{1} x_{2} x_{3}'+x_{2} x_{3} \\
& f_{x_1}=x_{2}' x_{3}+x_{2} x_{3}'+x_{2} x_{3} \\
& f_{x_1'}=x_{2}' x_{3}'+x_{2}' x_{3}+x_{2} x_{3}
\end{aligned}
$$

$\square$ Shannon expansion: $f=x_{i} f_{x_i}+x_{i}' f_{x_i'}$

- A complete expansion of a function can be obtained by successively applying Shannon expansion on all variables until either of the constant functions ' 0 ' or ' 1 ' is reached


## Ordered BDD (OBDD)

- A complete Shannon expansion can be visualized as a binary tree
- Solid (dashed) lines correspond to the positive (negative) cofactor



## Reduced OBDD (ROBDD)

$\square$ Reduction rules of ROBDD

- Rule 1: eliminate a node with two identical children
- Rule 2: merge two isomorphic sub-graphs

$\square$ Reduction procedure
■ Input: An OBDD
- Output: An ROBDD
- Traverse the graph from the terminal nodes towards the root node (i.e., in a bottom-up manner) and apply the above reduction rules whenever possible


## ROBDD

$\square$ An OBDD is a directed tree $G(V, E)$
$\square$ Each vertex $v \in V$ is characterized by an associated variable $\phi(v)$, a high subtree $\eta(v)$ (high($v$), the 1-branch) and a low subtree $\lambda(v)$ (low($v$), the 0-branch)
$\square$ Procedure to reduce an OBDD:

- Merge all identical leaf vertices and appropriately redirect their incoming edges
- Proceed from bottom to top and process all vertices: if two vertices $u$ and $v$ are found for which $\phi(u)=\phi(v)$, $\eta(u)=\eta(v)$, and $\lambda(u)=\lambda(v)$, merge $u$ and $v$ and redirect incoming edges
- For vertices $v$ for which $\eta(v)=\lambda(v)$, remove $v$ and redirect its incoming edges to $\eta(v)$


## ROBDD

$\square$ Example
- $f = x' y z' + x z$
- Variable order: $x<y<z$
- Truth table

| $x y z$ | $f$ |
| :---: | :---: |
| 000 | 0 |
| 001 | 0 |
| 010 | 1 |
| 011 | 0 |
| 100 | 0 |
| 101 | 1 |
| 110 | 0 |
| 111 | 1 |



## ROBDD

- Example (cont'd)



## Canonicity

$\square$ Canonicity requirements

- A BDD representation is not canonical for a given Boolean function unless the following constraints are satisfied:

1. Simple BDD - each variable can appear only once along each path from the root to a leaf
2. Ordered BDD - Boolean variables are ordered in such a way that if the node labeled $x_{i}$ has a child labeled $x_{k}$, then $\mathrm{order}(x_{i})<\mathrm{order}(x_{k})$
3. Reduced BDD - no two nodes represent the same function, i.e., redundancies are removed by sharing isomorphic sub-graphs

## ROBDD Properties

$\square$ ROBDD is a canonical representation for a fixed variable ordering
$\square$ ROBDD is compact in representing many Boolean functions used in practice
$\square$ Variable ordering greatly affects the size of an ROBDD
■ E.g., the conjunction of $k$ parity pairs:

$$
f=\prod_{j=1}^{k}\left(x_{2 j-1} \oplus x_{2 j}\right)
$$



## Effects of Variable Ordering

$\square$ BDD size

- Can vary from linear to exponential in the number of the variables, depending on the ordering
$\square$ Hard-to-build BDD
- Datapath components (e.g., multipliers) cannot be represented in polynomial space, regardless of the variable ordering
$\square$ Heuristics of ordering
- (1) Put the variable that influences the function most on top
- (2) Minimize the distance between strongly related variables
(e.g., for $x_1 x_2 + x_2 x_3 + x_3 x_4$, the order $x_1<x_2<x_3<x_4$ is better than $x_1<x_4<x_2<x_3$)

## BDD Package

$\square$ A BDD package refers to a software program that supports Boolean manipulation using ROBDDs. It has the following features:
$\square$ It provides a convenient API (application programming interface)

- It supports the conversion between the external Boolean function representation and the internal ROBDD representation
$\square$ Multiple Boolean functions are stored in shared ROBDD
$\square$ It can create new functions from existing ones (e.g., $h=f \cdot g$ )


## BDD Data Structure

$\square$ A triplet $(\phi, \eta, \lambda)$ uniquely identifies an ROBDD vertex
$\square$ A unique table (implemented by a hash table) that stores all triplets already processed

```
/* Look the triplet (phi, eta, lambda) up in the unique table; create the vertex only if absent */
struct vertex *old_or_new(char *phi, struct vertex *eta, struct vertex *lambda)
{
    struct vertex *v;
    if ("a vertex v = (phi, eta, lambda) exists in the unique table")
        return v;                                        /* reuse the existing vertex (rule 2) */
    else {
        v = "new vertex pointing at (phi, eta, lambda)";  /* and insert it into the unique table */
        return v;
    }
}
```


## Building ROBDD

```
struct vertex *robdd_build(struct expr f, int i)
{
    struct vertex *eta, *lambda;
    char *phi;
    if (equal(f, '0'))
        return v0;                               /* the 0-terminal */
    else if (equal(f, '1'))
        return v1;                               /* the 1-terminal */
    else {
        phi = pi(i);                             /* i-th variable of the ordering */
        eta = robdd_build(f_phi, i + 1);         /* positive cofactor f_phi */
        lambda = robdd_build(f_phi', i + 1);     /* negative cofactor f_phi' */
        if (eta == lambda)
            return eta;                          /* reduction rule 1: redundant test */
        else
            return old_or_new(phi, eta, lambda); /* reduction rule 2 via the unique table */
    }
}
```


## Building ROBDD

$\square$ Example

(Figure: trace of the recursive robdd_build calls on the example function, building the vertices bottom-up; not recoverable from the extracted slide.)


## Recursive BDD Operation

$\square$ Construct the ROBDD $h=f \langle op \rangle g$ from two existing ROBDDs $f$ and $g$, where $\langle op \rangle$ is a binary Boolean operator (e.g. AND, OR, NAND, NOR)

- A recursive procedure on each variable $x$:

$$
\begin{aligned}
h & = x \cdot h_{x=1}+x' \cdot h_{x=0} \\
& = x \cdot (f \langle op \rangle g)_{x=1}+x' \cdot (f \langle op \rangle g)_{x=0} \\
& = x \cdot \left(f_{x=1} \langle op \rangle g_{x=1}\right)+x' \cdot \left(f_{x=0} \langle op \rangle g_{x=0}\right)
\end{aligned}
$$

- since $(f \langle op \rangle g)_{x}=\left(f_{x} \langle op \rangle g_{x}\right)$ for $\langle op \rangle$ = AND, OR, NAND, NOR



## Recursive BDD Operation

$\square$ Existential quantification
- Let $\exists x_{1}\left[f\left(x_{1}, y_{1}, \ldots, y_{n}\right)\right]=g\left(y_{1}, \ldots, y_{n}\right)$. Then $g\left(y_{1}, \ldots, y_{n}\right)=1$ iff $f\left(0, y_{1}, \ldots, y_{n}\right)=1$ or $f\left(1, y_{1}, \ldots, y_{n}\right)=1$
- Example

$$
\begin{aligned}
& f=\left(x_{1}+x_{2}\right) \cdot x_{3} \\
& \exists x_{1} f=f_{x_{1}=0}+f_{x_{1}=1}
\end{aligned}
$$



## ROBDD Manipulation

$\square$ Separate algorithms could be designed for each operator on ROBDDs (AND, NOR, etc.). However, the universal if-then-else operator ite is sufficient: $z=\operatorname{ite}(f, g, h)$ equals $g$ when $f$ is true and equals $h$ otherwise.
- Example:

$$
\begin{aligned}
& z=\operatorname{ite}(f, g, h)=f \cdot g+\bar{f} \cdot h \\
& z=f \cdot g=\operatorname{ite}(f, g, 0) \\
& z=f+g=\operatorname{ite}(f, 1, g)
\end{aligned}
$$

$\square$ The ite operator is well-suited for a recursive algorithm based on ROBDDs $(\phi(v)=x)$ :

$$
v=\operatorname{ite}(F, G, H)=\left(x, \operatorname{ite}\left(F_{x}, G_{x}, H_{x}\right), \operatorname{ite}\left(F_{\bar{x}}, G_{\bar{x}}, H_{\bar{x}}\right)\right)
$$

## ITE Operator

$\square$ The ITE operator $\operatorname{ite}(f, g, h)=f g+f' h$ can implement any two-variable logic function. There are 16 such functions, corresponding to all subsets of vertices of $\mathbf{B}^{2}$:

| Truth table ($fg$ = 00, 01, 10, 11) | Function (subset) | Expression | ITE form |
| :---: | :---: | :---: | :---: |
| 0000 | 0 | 0 | 0 |
| 0001 | AND($f$, $g$) | $fg$ | ite($f$, $g$, 0) |
| 0010 | $f>g$ | $fg'$ | ite($f$, $g'$, 0) |
| 0011 | $f$ | $f$ | $f$ |
| 0100 | $f<g$ | $f'g$ | ite($f$, 0, $g$) |
| 0101 | $g$ | $g$ | $g$ |
| 0110 | XOR($f$, $g$) | $f \oplus g$ | ite($f$, $g'$, $g$) |
| 0111 | OR($f$, $g$) | $f+g$ | ite($f$, 1, $g$) |
| 1000 | NOR($f$, $g$) | $(f+g)'$ | ite($f$, 0, $g'$) |
| 1001 | XNOR($f$, $g$) | $f \oplus g'$ | ite($f$, $g$, $g'$) |
| 1010 | NOT($g$) | $g'$ | ite($g$, 0, 1) |
| 1011 | $f \geq g$ | $f+g'$ | ite($f$, 1, $g'$) |
| 1100 | NOT($f$) | $f'$ | ite($f$, 0, 1) |
| 1101 | $f \leq g$ | $f'+g$ | ite($f$, $g$, 1) |
| 1110 | NAND($f$, $g$) | $(fg)'$ | ite($f$, $g'$, 1) |
| 1111 | 1 | 1 | 1 |

## Recursive Formulation of ITE

$\square$ $\operatorname{ite}(f, g, h)$

$$
\begin{aligned}
& =f g+f' h \\
& =v\left(f g+f' h\right)_{v}+v'\left(f g+f' h\right)_{v'} \\
& =v\left(f_{v} g_{v}+f_{v}' h_{v}\right)+v'\left(f_{v'} g_{v'}+f_{v'}' h_{v'}\right) \\
& =\operatorname{ite}\left(v, \operatorname{ite}\left(f_{v}, g_{v}, h_{v}\right), \operatorname{ite}\left(f_{v'}, g_{v'}, h_{v'}\right)\right)
\end{aligned}
$$

where $v$ is the top-most variable of the BDDs $f$, $g$, $h$

## ITE Operator

$\square$ Example


$$
\begin{aligned}
I & =\operatorname{ite}(F, G, H) \\
& =\operatorname{ite}\left(a, \operatorname{ite}\left(F_{a}, G_{a}, H_{a}\right), \operatorname{ite}\left(F_{\bar{a}}, G_{\bar{a}}, H_{\bar{a}}\right)\right) \\
& =\operatorname{ite}(a, \operatorname{ite}(1, C, H), \operatorname{ite}(B, 0, H)) \\
& =\operatorname{ite}\left(a, C, \operatorname{ite}\left(b, \operatorname{ite}\left(B_{b}, 0_{b}, H_{b}\right), \operatorname{ite}\left(B_{\bar{b}}, 0_{\bar{b}}, H_{\bar{b}}\right)\right)\right) \\
& =\operatorname{ite}(a, C, \operatorname{ite}(b, \operatorname{ite}(1, 0, 1), \operatorname{ite}(0, 0, D))) \\
& =\operatorname{ite}(a, C, J)
\end{aligned}
$$

Check:

$$
\begin{aligned}
& F=a+b \\
& G=a c \\
& H=b+d \\
& \operatorname{ite}(F, G, H)=(a+b)(a c)+a' b'(b+d)=a c+a' b' d
\end{aligned}
$$

$F, G, H, I, J, B, C, D$ are pointers to ROBDD vertices (with $B$, $C$, $D$ the vertices of $b$, $c$, $d$)

## ITE Operator

```
struct vertex *apply_ite(struct vertex *F, struct vertex *G, struct vertex *H, int i)
{
    char *x;
    struct vertex *eta, *lambda;
    if (F == v1)                        /* ite(1, G, H) = G */
        return G;
    else if (F == v0)                   /* ite(0, G, H) = H */
        return H;
    else if (G == v1 && H == v0)        /* ite(F, 1, 0) = F */
        return F;
    else {
        x = pi(i);                      /* i-th variable of the ordering (top variable) */
        eta = apply_ite(F_x, G_x, H_x, i + 1);          /* positive cofactors */
        lambda = apply_ite(F_x', G_x', H_x', i + 1);    /* negative cofactors */
        if (eta == lambda)              /* reduction rule 1: redundant test */
            return eta;
        else
            return old_or_new(x, eta, lambda);          /* unique table lookup */
    }
}
```
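The unique table, robdd_build and apply_ite above, as an added Python example (not the slides' code): node ids stand in for the vertex pointers, `old_or_new` is the unique table, `ite` recurses on the top-most variable exactly as apply_ite does, and the derived operators follow the ITE table; the computed-table memo and the `size` helper are my additions. It also checks strong canonicity on the slides' f = x'yz' + xz, the existential-quantification example, and the variable-ordering effect on the conjunction of parity pairs.

```python
from typing import Dict, List, Tuple


class BDD:
    """Minimal ROBDD package. Ids 0 and 1 are the terminals; every other id is a
    triplet (variable, high, low) registered in the unique table."""
    ZERO, ONE = 0, 1

    def __init__(self, order: List[str]):
        self.level = {x: i for i, x in enumerate(order)}   # fixed variable ordering
        self.nodes: List[Tuple] = [("0",), ("1",)]         # id -> (var, high, low)
        self.unique: Dict[Tuple, int] = {}                 # unique table: triplet -> id
        self.computed: Dict[Tuple, int] = {}               # memo (computed table) for ite

    def old_or_new(self, x: str, high: int, low: int) -> int:
        """Return the vertex for (x, high, low), creating it only if absent."""
        if high == low:                   # reduction rule 1: redundant test
            return high
        key = (x, high, low)
        if key not in self.unique:        # reduction rule 2: share isomorphic subgraphs
            self.unique[key] = len(self.nodes)
            self.nodes.append(key)
        return self.unique[key]

    def var(self, x: str) -> int:
        return self.old_or_new(x, self.ONE, self.ZERO)

    def cofactor(self, f: int, x: str, value: int) -> int:
        """Shannon cofactor f_x (value=1) or f_x' (value=0)."""
        if f <= self.ONE:
            return f
        v, high, low = self.nodes[f]
        if v == x:
            return high if value else low
        if self.level[v] > self.level[x]:  # x cannot occur below v in an ordered BDD
            return f
        return self.old_or_new(v, self.cofactor(high, x, value), self.cofactor(low, x, value))

    def ite(self, f: int, g: int, h: int) -> int:
        """ite(f, g, h) = f g + f' h, recursing on the top-most variable of f, g, h."""
        if f == self.ONE:
            return g
        if f == self.ZERO:
            return h
        if g == self.ONE and h == self.ZERO:
            return f
        if g == h:
            return g
        triple = (f, g, h)
        if triple not in self.computed:
            x = min((self.nodes[n][0] for n in triple if n > self.ONE), key=lambda v: self.level[v])
            high = self.ite(*(self.cofactor(n, x, 1) for n in triple))
            low = self.ite(*(self.cofactor(n, x, 0) for n in triple))
            self.computed[triple] = self.old_or_new(x, high, low)
        return self.computed[triple]

    # Derived operators, taken straight from the ITE table
    def NOT(self, f: int) -> int: return self.ite(f, self.ZERO, self.ONE)
    def AND(self, f: int, g: int) -> int: return self.ite(f, g, self.ZERO)
    def OR(self, f: int, g: int) -> int: return self.ite(f, self.ONE, g)
    def XOR(self, f: int, g: int) -> int: return self.ite(f, self.NOT(g), g)

    def exists(self, f: int, x: str) -> int:
        """Existential quantification: exists x f = f_{x=0} + f_{x=1}."""
        return self.OR(self.cofactor(f, x, 0), self.cofactor(f, x, 1))

    def size(self, f: int) -> int:
        """Number of non-terminal vertices reachable from f."""
        seen, stack = set(), [f]
        while stack:
            n = stack.pop()
            if n > self.ONE and n not in seen:
                seen.add(n)
                stack.extend(self.nodes[n][1:])
        return len(seen)


def parity_pairs_size(order: List[str]) -> int:
    """ROBDD size of f = AND_j (x_{2j-1} XOR x_{2j}) under the given variable order."""
    bdd, f = BDD(order), BDD.ONE
    for j in range(1, len(order) // 2 + 1):
        f = bdd.AND(f, bdd.XOR(bdd.var(f"x{2 * j - 1}"), bdd.var(f"x{2 * j}")))
    return bdd.size(f)


def slide_examples() -> Tuple[bool, bool]:
    """(1) f = x'yz' + xz built from its SOP and from its truth table yields the same
    vertex id (strong canonicity); (2) exists x1 [(x1 + x2) x3] is the vertex of x3."""
    bdd = BDD(["x", "y", "z"])
    x, y, z = (bdd.var(v) for v in "xyz")
    sop = bdd.OR(bdd.AND(bdd.AND(bdd.NOT(x), y), bdd.NOT(z)), bdd.AND(x, z))
    tt = bdd.ZERO
    for row in ("010", "101", "111"):            # truth-table rows where f = 1
        minterm = bdd.ONE
        for lit, bit in zip((x, y, z), row):
            minterm = bdd.AND(minterm, lit if bit == "1" else bdd.NOT(lit))
        tt = bdd.OR(tt, minterm)
    b2 = BDD(["x1", "x2", "x3"])
    x1, x2, x3 = (b2.var(v) for v in ("x1", "x2", "x3"))
    q = b2.exists(b2.AND(b2.OR(x1, x2), x3), "x1")
    return sop == tt, q == x3
```

With three parity pairs the interleaved order x1<x2<...<x6 gives 9 non-terminal vertices while x1<x3<x5<x2<x4<x6 gives 21, the exponential-vs-linear effect the slides describe.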

\section*{ITE Operator}

\(\square\) Example

\[
\begin{aligned}
& \text{apply\_ite}(v_{8}, v_{0}, v_{1}, 1) \\
& \xrightarrow{\eta} \text{apply\_ite}(v_{7}, v_{0}, v_{1}, 2) \\
& \qquad \xrightarrow{\eta} \text{apply\_ite}(v_{0}, v_{0}, v_{1}, 3) = v_{1} \\
& \qquad \xrightarrow{\lambda} \text{apply\_ite}(v_{1}, v_{0}, v_{0}, 3) = v_{0} \\
& \qquad v_{9}=(x_{2}, v_{1}, v_{0}) \\
& \xrightarrow{\lambda} \text{apply\_ite}(v_{0}, v_{0}, v_{1}, 2) = v_{1} \\
& v_{10}=(x_{1}, v_{9}, v_{1})
\end{aligned}
\]

\section*{ITE Operator}
\(\square\) Example (cont'd)

\[
\begin{aligned}
H & =F \oplus G \\
& =\operatorname{ite}(F, \bar{G}, G)
\end{aligned}
\]
\[
\begin{aligned}
& \text{apply\_ite}(v_{6}, v_{10}, v_{8}, 1) \\
& \xrightarrow{\eta} \text{apply\_ite}(v_{3}, v_{9}, v_{7}, 2) \\
& \qquad \xrightarrow{\eta} \text{apply\_ite}(v_{1}, v_{1}, v_{0}, 3) = v_{1} \\
& \qquad \xrightarrow{\lambda} \text{apply\_ite}(v_{2}, v_{0}, v_{1}, 3) \\
& \qquad\qquad \xrightarrow{\eta} \text{apply\_ite}(v_{1}, v_{0}, v_{1}, 4) = v_{0} \\
& \qquad\qquad \xrightarrow{\lambda} \text{apply\_ite}(v_{0}, v_{0}, v_{1}, 4) = v_{1} \\
& \qquad\qquad v_{4}=(x_{3}, v_{0}, v_{1}) \\
& \qquad v_{11}=(x_{2}, v_{1}, v_{4}) \\
& \xrightarrow{\lambda} \text{apply\_ite}(v_{5}, v_{1}, v_{0}, 2) = v_{5} \\
& v_{12}=(x_{1}, v_{11}, v_{5})
\end{aligned}
\]

\section*{BDD Memory Management}
\(\square\) Ordering
- Finding the best ordering minimizing ROBDD sizes is intractable
■ Optimal ordering may change as ROBDDs are being manipulated
\(\square\) An ROBDD package may reorder the variables at different moments
\(\square\) It can move some variable closer to the top or bottom by remembering the best position, and repeat the procedure for other variables
\(\square\) Garbage collection
- Another important technique, in addition to variable ordering, for memory management

\section*{Data Type Conversion}


\section*{Formula to BDD}


\section*{Netlist to BDD}


\section*{Netlist to BDD}
- Example



(Figure: the OBDDs of the inputs \(x_1\), \(x_2\), \(x_3\) and of the internal signals \(z_1\), \(z_2\), built gate by gate in topological order.)

Topological order: \(\{x_1, x_2, x_3, z_1, z_2\}\); variable order: \(x_1<x_2<x_3\)
\(\operatorname{OBDD}(z_2)=\operatorname{OBDD}(x_3) \cdot \operatorname{OBDD}(z_1)\)


\section*{BDD to Netlist}
\(\square\) MUX-based translation
- replace each decision node by a MUX
- replace the 0-terminal by GND and the 1-terminal by VDD
- reverse the direction of every edge
- specify the root node as the output node


\section*{BDD Features}
\(\square\) Strengths
\(\square\) ROBDD is a compact representation for many Boolean functions
\(\square\) ROBDD is canonical, given a fixed variable ordering
■ Many Boolean operations are of polynomial time complexity in the input BDD sizes
\(\square\) Weaknesses
\(\square\) In the worst case, the size of a BDD is \(\mathrm{O}\left(2^{n}\right)\) for n-input Boolean functions

\section*{BDD Applications}

\(\square\) Boolean function verification
- Compare a specification \(f\) to an implementation \(g\), assuming their ROBDDs are \(F\) and \(G\), respectively.
\(\square\) For fully specified functions \(f\) and \(g\), the verification is trivial (pointer comparison) because of the strong canonicity of the ROBDD
- Strong canonicity: the representations of identical functions are the same
\(\square\) For an incompletely specified function \(I=(f, d, \neg(f+d))\) with onset \(f\), dc-set \(d\), and offset \(\neg(f+d)\), a completely specified function \(g\) correctly implements \(I\) if \((d+f \cdot g+\neg f \cdot \neg g)\) is a tautology, that is, \(f \Rightarrow g \Rightarrow (f+d)\)
\(\square\) Satisfiability checking
- A Boolean function \(f\) is satisfiable if there exists an input assignment for which \(f\) evaluates to '1'
- Any Boolean function whose ROBDD is not the '0' terminal is satisfiable

\section*{BDD Applications}
\(\square\) Min-cost satisfiability
- Suppose that choosing a Boolean variable \(x_{i}\) to be '1' costs \(c_{i}\). Then the minimum-cost satisfiability problem asks to minimize \(\sum_{i} c_{i} \cdot \mu(x_{i})\), where \(\mu(x_{i})=1\) when \(x_{i}=\) '1' and \(\mu(x_{i})=0\) when \(x_{i}=\) '0'.
- Solving minimum-cost satisfiability amounts to computing the shortest path from the root to the 1-terminal in an ROBDD with edge weights \(w(v, \eta(v))=c_{i}\) and \(w(v, \lambda(v))=0\), where \(x_{i}=\phi(v)\); on this DAG the shortest path can be found in linear time
\(\square\) Combinatorial optimization
- Many combinatorial optimization problems can also be formulated in terms of the satisfiability problem
- 0-1 integer linear programming can be formulated as a minimum-cost satisfiability problem although the translation may not be efficient
- E.g., the constraint: \(x_{1}+x_{2}+x_{3}+x_{4}=3\) can be written as \(\left(x_{1}+x_{2}\right)\left(x_{1}+x_{3}\right)\left(x_{1}+x_{4}\right)\left(x_{2}+x_{3}\right)\left(x_{2}+x_{4}\right)\left(x_{3}+x_{4}\right)\left(\neg x_{1}+\neg x_{2}+\neg x_{3}+\neg x_{4}\right)\)

\section*{Outline}

\(\square\) Introduction
\(\square\) Boolean reasoning engines
- BDD
- SAT
\(\square\) Equivalence checking
\(\square\) Property checking

\section*{SAT Solving}
\(\square\) SAT problem: Given a Boolean formula \(\varphi\) in CNF, find an input assignment under which \(\varphi\) evaluates to true
\(\square\) SAT solving is a decision procedure over CNFs
- Example: \(\varphi=\left(a+b^{\prime}+c\right)\left(a^{\prime}+b+c\right)\left(a+b^{\prime}+c^{\prime}\right)(a+b+c)\) is satisfiable (e.g., under \(a=1, b=1, c=0\))
\(\square\) SAT in CNF (POS) \(\Leftrightarrow\) Tautology in DNF (SOP)
- How about Tautology in CNF and SAT in DNF?

\section*{SAT Solving}
\(\square\) Given a circuit, suppose we would like to know whether some signal is always zero. This can be formulated as a SAT problem if we can convert the circuit to a CNF.

(Figure: an AIG; is its output always 0?)

\section*{Circuit to CNF}
\(\square\) Naive conversion of a circuit to CNF:
- Flatten the circuit's expression into a two-level structure
- Example: \(y=x_{1} \oplus x_{2} \oplus x_{3} \oplus \ldots \oplus x_{n}\) (parity function)
\(\square\) the circuit size is linear in the number of variables
\(\square\) its Karnaugh map is a chess-board pattern
\(\square\) the CNF (or DNF) formula has \(2^{n-1}\) terms (exponential in the number of variables)
\(\square\) Better approach:
■ Introduce one variable per circuit vertex
- Formulate the circuit as a conjunction of constraints imposed on the vertex values by the gates
■ Uses more variables but size of formula is linear in the size of the circuit

\section*{Circuit to CNF}

\(\square\) Example
- Single gate:

- Circuit of connected gates:


\section*{Circuit to CNF}
\(\square\) Circuit-to-CNF conversion
\(\square\) can be done in linear size (with respect to the circuit size) if intermediate variables can be introduced
- may grow exponentially in size if no intermediate variables are allowed

\section*{DPLL-Style SAT Solving}

```
SAT(clause set S, literal v)
1. S := S_v                                   // cofactor each clause of S w.r.t. v
2. If no clauses remain in S, return T
3. If some clause in S is empty (FALSE), return F
4. If S has a unit clause with literal u, return SAT(S, u)    // implication
5. Choose a variable x whose value is not yet assigned
6. If SAT(S, x), return T
7. If SAT(S, ¬x), return T
8. Return F
```

\section*{SAT Solving with Case Splitting}

\(\square\) Example
\begin{tabular}{lll}
1 & \((a+b+c)\) \\
2 & \((a+b+\neg c)\) \\
3 & \((\neg a+b+\neg c)\) \\
4 & \((a+c+d)\) \\
5 & \((\neg a+c+d)\) \\
6 & \((\neg a+c+\neg d)\) \\
7 & \((\neg b+\neg c+\neg d)\) \\
8 & \((\neg b+\neg c+d)\)
\end{tabular}


\section*{SAT Solving with Implication}
\(\square\) Implications in a CNF formula are caused by unit clauses
- A unit clause is a clause in which all literals except one are assigned (to false)
\(\square\) The value of the remaining unassigned literal is implied
Example
\[
\begin{aligned}
& (a+\neg b+c) \\
& a=0, b=1 \Rightarrow c=1
\end{aligned}
\]

\section*{Implications in CNF}

\(\square\) Example


Implications:

\((b+\neg c)\)


\section*{SAT Solving with Implication}
\(\square\) Example
\begin{tabular}{ll}
1 & \((a+b+c)\) \\
2 & \((a+b+\neg c)\) \\
3 & \((\neg a+b+\neg c)\) \\
4 & \((a+c+d)\) \\
5 & \((\neg a+c+d)\) \\
6 & \((\neg a+c+\neg d)\) \\
7 & \((\neg b+\neg c+\neg d)\) \\
8 & \((\neg b+\neg c+d)\)
\end{tabular}

(Figure: the case-splitting tree with implications for these clauses; not recoverable from the extracted slide.)

\section*{SAT Solving with Learning}

\(\square\) Example
\begin{tabular}{ll}
1 & \((a+b+c)\) \\
2 & \((a+b+\neg c)\) \\
3 & \((\neg a+b+\neg c)\) \\
4 & \((a+c+d)\) \\
5 & \((\neg a+c+d)\) \\
6 & \((\neg a+c+\neg d)\) \\
7 & \((\neg b+\neg c+\neg d)\) \\
8 & \((\neg b+\neg c+d)\)
\end{tabular}

Learned clauses: 9 \((\neg b+\neg c)\) (the resolvent of 7 and 8 on \(d\)); clauses 10 and 11 are not legible in the extracted slide.


\section*{Implementation Issues}
\(\square\) Track sensitivity of clauses for changes (two-literal-watch scheme)
- clause with all literals but one assigned \(\rightarrow\) implication
- clause with all literals but two assigned \(\rightarrow\) sensitive to a change of either literal
- all other clauses are insensitive and need not be observed
\(\square\) Learning:
■ learned implications are added to the CNF formula as additional clauses
- limit the size of the clause
- limit the "lifetime" of a learned clause: it is removed again after some time

\section*{Quantification over CNF and DNF}
\(\square\) Recall that a quantified Boolean formula (QBF) is
\(Q_{1} x_{1}, Q_{2} x_{2}, \ldots, Q_{n} x_{n} . \varphi\)
where each \(Q_{i}\) is either an existential (\(\exists\)) or a universal (\(\forall\)) quantifier, \(x_{i}\) is a Boolean variable, and \(\varphi\) is a Boolean formula.
\(\square\) Existential (respectively universal) quantification over DNF (respectively CNF) is easy
■ One approach to quantifier elimination is by back-and-forth CNF-DNF conversion!
\(\square\) Solving QBFs with QBF-solvers

\section*{Outline}

\(\square\) Introduction
\(\square\) Boolean reasoning engines
\(\square\) Equivalence checking
\(\square\) Property checking

\section*{Equivalence Checking in Microprocessor Design}


\section*{Equivalence Checking in ASIC Design}


\section*{Equivalence Checking}
\(\square\) Equivalence checking is one of the most important problems in design verification
■ It ensures that a logic transformation process (e.g. two-level or multi-level logic minimization, retiming and resynthesis, etc.) does not introduce errors
\(\square\) Two types of equivalence checking
- Combinational equivalence checking
\(\square\) Check if two combinational circuits are equivalent
■ Sequential equivalence checking
\(\square\) Check if two sequential circuits are equivalent

\section*{Outline}

\(\square\) Introduction
\(\square\) Boolean reasoning engines
\(\square\) Equivalence checking
■ Combinational equivalence checking
■ Sequential equivalence checking
\(\square\) Property checking

\section*{History of Equivalence Checking}
\(\square\) SAS (IBM 1978-1994):
- standard equivalence checking tool running on mainframes
- based on the DBA algorithm ("BDDs in time")
- verified manual cell-based designs against RTL spec
- handling of entire processor designs
- application of "proper cutpoints"
\(\square\) application of synthesis routines to make circuits structurally similar
\(\square\) special hacks for hard problems
\(\square\) Verity (IBM 1992 - today):
■ originally developed for switch-level designs
- today IBM's standard EC tool for any combination of switch-, gate-, and RTL designs

\section*{History of Equivalence Checking}
\(\square\) Chrysalis (1994 - Avanti - now Synopsys):
- based on ATPG technology and cutpoint exploitation
- very weak if many cutpoints present
- did not adopt BDDs for a long time
\(\square\) Formality (1997 - Synopsys)
- multi-engine technology including strong structural matching techniques
\(\square\) Verplex (1998-now Cadence)
- strong multi-engine based tool
- heavy SAT-based
- very fast front-end

\section*{Combinational EC}
\(\square\) Given two combinational circuits \(C_{1}\) and \(C_{2}\), are their outputs equivalent under any possible input assignment?


\section*{Miter for Combinational EC}
\(\square\) Two combinational circuits \(C_{1}\) and \(C_{2}\) are equivalent if and only if the output of their "miter" structure always produces constant 0


\section*{Approaches to Combinational EC}
\(\square\) Basic methods:
- random simulation
\(\square\) good at identifying inequivalent signals
- BDD-based methods
- structural SAT-based methods


\section*{BDD-based Combinational EC}

\(\square\) Procedure
1. Construct the ROBDDs \(F_{1}\) and \(F_{2}\) for circuits \(C_{1}\) and \(\mathrm{C}_{2}\), respectively
\(\square\) Variable orderings of \(F_{1}\) and \(F_{2}\) should be the same
2. Let \(G=F_{1} \oplus F_{2}\). If \(G=0\), \(C_{1}\) and \(C_{2}\) are equivalent; otherwise, they are inequivalent
\(\square\) No false negative or false positive
- False negative: circuits are equivalent; however, verifier fails to tell
- False positive: circuits are inequivalent; however, verifier says otherwise

\section*{SAT-based Combinational EC}
\(\square\) Procedure
1. Convert the miter structure into a CNF
2. Perform SAT solving to check whether the miter output can be set to true under some input assignment; if the CNF is UNSAT, no input assignment distinguishes the circuits and they are equivalent
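The circuit-to-CNF conversion with one variable per circuit vertex, the DPLL procedure with unit-clause implication, and the SAT-based miter check, as one added Python example (not from the slides); the gate encodings, the literal numbering and the three constructed circuits are my assumptions.

```python
from typing import Callable, Dict, List, Optional, Tuple

Clause = Tuple[int, ...]        # literals as signed ints (DIMACS style): x_i -> i, x_i' -> -i
Assignment = Dict[int, bool]


class CnfBuilder:
    """Circuit-to-CNF conversion with one variable per circuit vertex: each gate adds a
    constant number of clauses, so the CNF is linear in the size of the circuit."""

    def __init__(self) -> None:
        self.nvars = 0
        self.clauses: List[Clause] = []

    def new_var(self) -> int:
        self.nvars += 1
        return self.nvars

    def NOT(self, a: int) -> int:
        return -a                    # an inverter needs no new variable or clause

    def AND(self, a: int, b: int) -> int:
        y = self.new_var()           # clauses encoding y <-> (a AND b)
        self.clauses += [(-y, a), (-y, b), (y, -a, -b)]
        return y

    def XOR(self, a: int, b: int) -> int:
        y = self.new_var()           # clauses encoding y <-> (a XOR b)
        self.clauses += [(-y, a, b), (-y, -a, -b), (y, -a, b), (y, a, -b)]
        return y


def cofactor(clauses: List[Clause], lit: int) -> List[Clause]:
    """S_v of the DPLL pseudocode: drop clauses satisfied by lit, shorten the others."""
    return [tuple(l for l in c if l != -lit) for c in clauses if lit not in c]


def dpll(clauses: List[Clause], assignment: Optional[Assignment] = None) -> Optional[Assignment]:
    """DPLL with unit-clause implication; returns a satisfying assignment or None (UNSAT)."""
    assignment = dict(assignment or {})
    while True:
        if not clauses:                                   # no clause left: satisfied
            return assignment
        if any(len(c) == 0 for c in clauses):             # empty clause: conflict
            return None
        unit = next((c[0] for c in clauses if len(c) == 1), None)
        if unit is None:
            break
        assignment[abs(unit)] = unit > 0                  # implication from a unit clause
        clauses = cofactor(clauses, unit)
    x = abs(clauses[0][0])                                # case split on an unassigned variable
    for lit in (x, -x):
        model = dpll(cofactor(clauses, lit), {**assignment, x: lit > 0})
        if model is not None:
            return model
    return None


def satisfies(clauses: List[Clause], model: Assignment) -> bool:
    """Check a model; variables the solver never needed to assign default to False."""
    return all(any(model.get(abs(l), False) == (l > 0) for l in c) for c in clauses)


Circuit = Callable[[CnfBuilder, List[int]], int]   # builds a circuit over the input literals


def miter_equivalent(c1: Circuit, c2: Circuit, n_inputs: int) -> Tuple[bool, Optional[Dict[str, bool]]]:
    """SAT-based combinational EC: XOR the two outputs, assert the miter output true and
    run DPLL; UNSAT means no input distinguishes the circuits, SAT yields a counterexample."""
    cnf = CnfBuilder()
    ins = [cnf.new_var() for _ in range(n_inputs)]
    out = cnf.XOR(c1(cnf, ins), c2(cnf, ins))
    model = dpll(cnf.clauses + [(out,)])
    if model is None:
        return True, None
    return False, {f"x{i + 1}": model.get(v, False) for i, v in enumerate(ins)}


# Constructed circuits: two parity implementations and a deliberately different function
def parity_left(cnf: CnfBuilder, ins: List[int]) -> int:
    return cnf.XOR(cnf.XOR(ins[0], ins[1]), ins[2])


def parity_right(cnf: CnfBuilder, ins: List[int]) -> int:
    return cnf.XOR(ins[0], cnf.XOR(ins[1], ins[2]))


def xor_and(cnf: CnfBuilder, ins: List[int]) -> int:
    return cnf.AND(cnf.XOR(ins[0], ins[1]), ins[2])


# The slides' CNF (a+b'+c)(a'+b+c)(a+b'+c')(a+b+c) with a=1, b=2, c=3
PHI: List[Clause] = [(1, -2, 3), (-1, 2, 3), (1, -2, -3), (1, 2, 3)]
```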

\section*{Combinational EC}
\(\square\) Pure BDD and plain SAT solving cannot handle all logic cones
\(\square\) BDDs can be built for about 80\% of the cones of high-speed designs and less for complex ASICs
\(\square\) plain SAT blows up in CPU time on a miter structure
\(\square\) Contemporary methods heavily exploit structural similarities between the two circuits to be compared

\section*{Combinational EC}
\(\square\) Memory statistics of BDD-based EC on a PowerPC processor design


\section*{Combinational EC}
\(\square\) Runtime statistics of BDD-based EC on a PowerPC processor design


\section*{Necessity of Structure Similarity}
\(\square\) Pure BDDs are incapable of verifying equivalence of large circuits
\(\square\) Even more so for arithmetic circuits (e.g. BDDs blow up in representing multipliers)
\(\square\) Identifying structure similarity helps simplify verification tasks
■ E.g. structure hashing in AIGs

\section*{Combinational EC}
\(\square\) Evidence of vast existence of structure similarities


\section*{Structure and Verification}
\(\square\) Structure-independent techniques
- Exhaustive simulation
- Decision diagrams
\(\square\) Structure-dependent techniques

■ Graph hashing
- SAT based cutpoint identification


\section*{Cutpoint-Based EC}
\(\square\) Cutpoints are used to partition the miter


\section*{Summary}
\(\square\) Combinational EC is considered to be solvable in most industrial circuits (w/ multi-million gates)
- Computational efforts scale almost linearly with the design size
- Existence of structural similarities
\(\square\) Logic transformations preserve similarities to some extent
\(\square\) Hybrid engine of BDD, SAT, AIG, simulation, etc.
\(\square\) Cutpoint identification
\(\square\) Unsolved for arithmetic circuits
- Absence of structural similarities
\(\square\) Commutativity ruins internal similarities
■ Word- vs. bit-level verification

\section*{Outline}

\(\square\) Introduction
\(\square\) Boolean reasoning engines
\(\square\) Equivalence checking
■ Combinational equivalence checking
- Sequential equivalence checking
\(\square\) Property checking

\section*{Sequential EC}
\(\square\) Given two sequential circuits (and thus FSMs), do they produce the same output sequence under any possible input sequence?


\section*{Miter for Sequential EC}
\(\square\) Two FSMs \(M_{1}\) and \(M_{2}\) are equivalent if and only if the output of their product machine always produces constant 0


\section*{Product Machine}
\(\square\) The product FSM \(M_{1 \times 2}\) of FSMs \(M_{1}=(Q_{1}, I_{1}, \Sigma, \Omega, \delta_{1}, \lambda_{1})\) and \(M_{2}=(Q_{2}, I_{2}, \Sigma, \Omega, \delta_{2}, \lambda_{2})\) is a six-tuple \((Q_{1 \times 2}, I_{1 \times 2}, \Sigma, \Omega, \delta_{1 \times 2}, \lambda_{1 \times 2})\), where
- State space \(Q_{1 \times 2}=Q_{1} \times Q_{2}\)
- Initial state set \(I_{1 \times 2}=I_{1} \times I_{2}\)
- Input alphabet \(\Sigma\)
- Output alphabet \(\{0,1\}\)
- Transition function \(\delta_{1 \times 2}=(\delta_{1}, \delta_{2})\)
- Output function \(\lambda_{1 \times 2}=(\lambda_{1} \oplus \lambda_{2})\)

\section*{Sequential EC}
\(\square\) Approaches for combinational EC do not work for sequential EC because two equivalent FSMs need not have the same transition and output functions
■ False negatives may result from applying combinational EC to sequential circuits
\(\square\) One solution to sequential EC is reachability analysis
■ Two FSMs \(M_{1}\) and \(M_{2}\) are equivalent if and only if the output of their product FSM \(M_{1 \times 2}\) is constant 0 under all input assignments and all reachable states of \(M_{1 \times 2}\)
■ Need to know the set of reachable states of \(M_{1 \times 2}\)

\section*{Reachability Analysis}
\(\square\) Given an FSM \(M=(Q, I, \Sigma, \Omega, \delta, \lambda)\), which states are reachable from the initial state set \(I\)?


\section*{Symbolic Reachability Analysis}
\(\square\) Reachability analysis can be performed either explicitly (over a state transition graph) or implicitly (over transition functions or a transition relation)
■ Implicit reachability analysis is also called symbolic reachability analysis (often using BDDs and more recently SAT)
\(\square\) Image computation is the core computation in symbolic reachability analysis

\section*{Reachability Onion Ring}


\section*{Computing Reachable States}
\(\square\) Input: Sequential system represented by a transition relation and an initial state (or a set of initial states)
- Transition functions can be converted into a transition relation
\(\square\) Computation: Image computation using Boolean operations on characteristic functions (representing state sets)
\(\square\) Output: A characteristic function representing the set of reachable states

\section*{Relation}
\(\square\) Definition. Relation \(R \subseteq X \times Y\) is a subset of the Cartesian product of two sets \(X\) and \(Y\). If \((x, y) \in R\), then we alternatively write " \(x R y\) " meaning \(x\) is related to \(y\) by \(R\).


\section*{Characteristic Function}
\(\square\) Relation \(R \subseteq X \times Y\) can be represented by a characteristic function: a Boolean function \(F_{R}(x, y)\) taking value 1 for those \((x, y) \in R\) and 0 otherwise.
\begin{tabular}{|ccc|cc|c|}
\hline \(\mathrm{x}_{1}\) & \(\mathrm{x}_{2}\) & \(\mathrm{x}_{3}\) & \(\mathrm{y}_{1}\) & \(\mathrm{y}_{2}\) & F \\
\hline 0 & 0 & 0 & 0 & 0 & 1 \\
0 & 0 & 1 & 0 & 1 & 1 \\
0 & 1 & 0 & 0 & 1 & 1 \\
0 & 1 & 1 & 0 & 1 & 1 \\
1 & 0 & 0 & 0 & 0 & 1 \\
1 & 0 & 1 & 0 & 1 & 1 \\
1 & 1 & 0 & 1 & 1 & 1 \\
1 & 1 & 1 & 1 & 1 & 1 \\
\hline \multicolumn{5}{|c|}{ other } & 0 \\
\hline
\end{tabular}


\section*{Transition Relation}
\(\square\) Definition. A transition relation \(T\) of an FSM \(M=(Q, I, \Sigma, \Omega, \delta, \lambda)\) is a relation \(T \subseteq(\Sigma \times Q) \times Q\) such that \(T(\sigma, q_{1}, q_{2})=1\) iff there is a transition from \(q_{1}\) to \(q_{2}\) under input \(\sigma\).
■ \(\delta:(\Sigma \times Q) \rightarrow Q\)
■ \(T:(\Sigma \times Q) \times Q \rightarrow\{0,1\}\)

Assume \(\delta=(\delta_{1}, \ldots, \delta_{k})\). Then
\[
\begin{aligned}
T(\vec{x}, \vec{s}, \vec{s}^{\prime}) & =(s_{1}^{\prime} \equiv \delta_{1}(\vec{x}, \vec{s})) \wedge(s_{2}^{\prime} \equiv \delta_{2}(\vec{x}, \vec{s})) \wedge \cdots \wedge(s_{k}^{\prime} \equiv \delta_{k}(\vec{x}, \vec{s})) \\
& =\prod_{i}(s_{i}^{\prime} \equiv \delta_{i}(\vec{x}, \vec{s}))
\end{aligned}
\]
where \(\vec{x}\), \(\vec{s}\), and \(\vec{s}^{\prime}\) are the primary-input, current-state, and next-state variables, respectively.

\section*{Quantified Transition Relation}

\(\square\) Definition. Let \(M=(Q, I, \Sigma, \Omega, \delta, \lambda)\) be an FSM with \(\delta=(\delta_{1}, \ldots, \delta_{k})\). Its quantified transition relation \(T_{\exists}\) is
\[
\begin{aligned}
T_{\exists}(\vec{s}, \vec{s}^{\prime}) & =\exists \vec{x} \cdot(s_{1}^{\prime} \equiv \delta_{1}(\vec{x}, \vec{s})) \wedge(s_{2}^{\prime} \equiv \delta_{2}(\vec{x}, \vec{s})) \wedge \cdots \wedge(s_{k}^{\prime} \equiv \delta_{k}(\vec{x}, \vec{s})) \\
& =\exists \vec{x} \cdot \prod_{i}(s_{i}^{\prime} \equiv \delta_{i}(\vec{x}, \vec{s}))
\end{aligned}
\]
\(\square\) \((p, q) \in T_{\exists}\) if there exists an input assignment bringing \(M\) from state \(p\) to state \(q\)
\(\square\) \(T_{\exists}\) concerns only the reachability structure of the FSM's state transition graph, not which inputs cause each transition

\section*{Transition Relation}

\(\square\) Example

\begin{tabular}{|c|c|c|c|c|c|}
\hline \(x\) & CS & \(s_{1} s_{2}\) & NS & \(s_{1}^{\prime} s_{2}^{\prime}\) & \(T\) \\
\hline 0 & A & 00 & B & 10 & 1 \\
0,1 & A & 00 & A & 00 & 1 \\
0 & B & 10 & B & 10 & 1 \\
1 & B & 10 & A & 00 & 1 \\
0 & C & 01 & B & 10 & 1 \\
1 & C & 01 & A & 00 & 1 \\
\hline \multicolumn{5}{|c|}{ other } & 0 \\
\hline
\end{tabular}

\section*{Transition Relation}

\(\square\) Example


\section*{Image Computation}
\(\square\) Given a mapping of one Boolean space (input space) into another Boolean space (output space)
■ For a set of minterms (care set) in the input space
- The image is the set of related minterms in the output space
■ For a set of minterms in the output space
- The pre-image is the set of related minterms in the input space

\section*{Image Computation}
\(\square\) Example



\section*{Image Computation}
\(\square\) Image \((C(x), T(x, y))=\exists x[C(x) \wedge T(x, y)]\)
\(\square\) Implicit methods by far outperform explicit ones
■ Images with more than \(2^{100}\) minterms in the input/output spaces have been computed successfully
\(\square\) Operations \(\wedge\) and \(\exists\) are basic Boolean manipulations and are implemented in BDD packages
■ To avoid large intermediate results (during and after the product computation), the BDD AND-EXIST operation performs product and quantification in one pass over the BDD

\section*{Symbolic Image Computation}
\(\square\) Definition. Let \(F \subseteq B^{m} \times B^{n}\) be a relation mapping the input space \(B^{m}\) into the output space \(B^{n}\), and let \(C\) be a set of minterms in \(B^{m}\). Then the image of \(C\) is the set \(\operatorname{Img}(C, F)=\{w \in B^{n} \mid(v, w) \in F \text{ and } v \in C\}\) in \(B^{n}\).
\(\square\) Characteristic function
■ for reachable next-state computation
\[
\begin{aligned}
N_{i}(\vec{s}^{\prime}) & =\operatorname{Img}(R_{i}(\vec{s}), T_{\exists}(\vec{s}, \vec{s}^{\prime})) \\
& =\exists \vec{s} \cdot(R_{i}(\vec{s}) \wedge T_{\exists}(\vec{s}, \vec{s}^{\prime})) \\
& =\exists \vec{s} \cdot\left(R_{i}(\vec{s}) \wedge\left(\exists \vec{x} \cdot \prod_{j}(s_{j}^{\prime} \equiv \delta_{j}(\vec{x}, \vec{s}))\right)\right)
\end{aligned}
\]


\section*{Symbolic Pre-Image Computation}
\(\square\) Definition. Let \(F \subseteq B^{m} \times B^{n}\) be a relation mapping the input space \(B^{m}\) into the output space \(B^{n}\), and let \(C\) be a set of minterms in \(B^{n}\). Then the pre-image of \(C\) is the set \(\operatorname{PreImg}(C, F)=\{v \in B^{m} \mid(v, w) \in F \text{ and } w \in C\}\) in \(B^{m}\).
\(\square\) Characteristic function
■ for reachable previous-state computation
\[
\begin{aligned}
N_{i}(\vec{s}) & =\operatorname{PreImg}(R_{i}(\vec{s}^{\prime}), T_{\exists}(\vec{s}, \vec{s}^{\prime})) \\
& =\exists \vec{s}^{\prime} \cdot(R_{i}(\vec{s}^{\prime}) \wedge T_{\exists}(\vec{s}, \vec{s}^{\prime})) \\
& =\exists \vec{s}^{\prime} \cdot\left(R_{i}(\vec{s}^{\prime}) \wedge\left(\exists \vec{x} \cdot \prod_{j}(s_{j}^{\prime} \equiv \delta_{j}(\vec{x}, \vec{s}))\right)\right)
\end{aligned}
\]


\section*{Reachability Analysis}
```
ForwardReachability( Transition Relation T, Initial State I )
{
  i := 0
  R^i := I                      // start from the initial states
  repeat
    R_new := Image( R^i, T )    // states reachable in one more step
    i := i + 1
    R^i := R^(i-1) ∨ R_new      // accumulate: i-th onion ring added
  until R^i = R^(i-1)           // fixed point: no new states
  return R^i
}
```
The procedure can be realized using a BDD package.
\(\square\) Backward reachability analysis can be done in a similar manner with pre-image computation, starting from the target (final) states and checking whether they can be reached from the initial states.

\section*{Sequential Equivalence Checking}
\(\square\) Let \(R(s)\) be the characteristic function of the reachable state set of the product FSM \(M_{1 \times 2}\) obtained from forward reachability analysis. Then FSMs \(M_{1}\) and \(M_{2}\) are equivalent if and only if
\[
R(s) \rightarrow\left(\lambda_{1 \times 2}(x, s) \equiv 0\right)
\]
is valid for all valuations on input variables \(x\) and state variables \(s\).
■ This can be checked in constant time for BDD
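The product machine, the quantified transition relation, the ForwardReachability loop and the final check \(R(s) \rightarrow (\lambda_{1 \times 2}(x, s) \equiv 0)\) run on two constructed bit-level FSMs. This is an added example, not code from the slides: explicit sets of bit tuples stand in for BDD characteristic functions, and the machines M1 and M2 (same input/output behaviour, different state encodings) are assumptions chosen so that a combinational miter reports mismatches only on unreachable states.

```python
from itertools import product

# Constructed example FSMs as (initial states, delta, lambda) over bit tuples.
# Both emit 1 exactly when the last two inputs were 1 1; M2 carries a
# redundant state bit b = NOT a, so its states with a == b are unreachable.
M1 = ({(0,)}, lambda x, s: (x[0],), lambda x, s: x[0] & s[0])
M2 = ({(0, 1)}, lambda x, s: (x[0], 1 - x[0]), lambda x, s: x[0] & (1 - s[1]))

def product_machine(m1, m2):
    """Product FSM M1x2: paired states and transitions, output lambda1 XOR lambda2."""
    (i1, d1, l1), (i2, d2, l2) = m1, m2
    n1 = len(next(iter(i1)))
    init = {s1 + s2 for s1 in i1 for s2 in i2}
    delta = lambda x, s: d1(x, s[:n1]) + d2(x, s[n1:])
    lam = lambda x, s: l1(x, s[:n1]) ^ l2(x, s[n1:])
    return init, delta, lam

def quantified_transition_relation(delta, n_in, n_state):
    """T_exists(s, s') = exists x . AND_i (s'_i == delta_i(x, s)); enumerated as (s, s') pairs."""
    return {(s, delta(x, s)) for x in product((0, 1), repeat=n_in)
            for s in product((0, 1), repeat=n_state)}

def image(r, t_exists):
    """Img(R, T_exists) = exists s . (R(s) AND T_exists(s, s')), with s' renamed back to s."""
    return {s_next for (s, s_next) in t_exists if s in r}

def forward_reachability(t_exists, init):
    """The deck's ForwardReachability loop: R^i = R^(i-1) OR Image(R^(i-1)) until a fixed point."""
    r = frozenset(init)
    while True:
        r_new = r | image(r, t_exists)
        if r_new == r:
            return r
        r = r_new

def sequential_ec(m1, m2, n_in=1):
    """None if M1 and M2 are equivalent, else a reachable (state, input) with product output 1."""
    init, delta, lam = product_machine(m1, m2)
    t_exists = quantified_transition_relation(delta, n_in, len(next(iter(init))))
    for s in sorted(forward_reachability(t_exists, init)):
        for x in product((0, 1), repeat=n_in):
            if lam(x, s):  # R(s) -> (lambda_1x2(x, s) == 0) is violated
                return s, x
    return None

def combinational_miter(m1, m2, n_in=1):
    """Combinational EC over ALL product states (unreachable ones included): may give false negatives."""
    init, _, lam = product_machine(m1, m2)
    n_state = len(next(iter(init)))
    return sorted((s, x) for s in product((0, 1), repeat=n_state)
                  for x in product((0, 1), repeat=n_in) if lam(x, s))
```

`sequential_ec(M1, M2)` returns `None`, while `combinational_miter(M1, M2)` lists four mismatching (state, input) pairs, all on states the product machine never reaches.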

\section*{Sequential Equivalence Checking}
\(\square\) Example
■ Are \(M_{1}\) and \(M_{2}\) equivalent?


\section*{Sequential Equivalence Checking}
\(\square\) Example (cont'd)
■ Product FSM of \(M_{1}\) and \(M_{2}\)


\section*{Sequential Equivalence Checking}
\(\square\) Example (cont'd)
■ Forward reachability analysis
\[
\operatorname{Img}(C, T)=\left[\exists \vec{x}, \vec{s} \cdot T(\vec{x}, \vec{s}, \vec{s}^{\prime}) \wedge C(\vec{s})\right]_{\vec{s}^{\prime} \leftarrow \vec{s}}
\]


\section*{Sequential Equivalence Checking}
\(\square\) Example (cont'd)
■ Backward reachability analysis
\[
\operatorname{PreImg}(C, T)=\exists \vec{x}, \vec{s}^{\prime} \cdot T(\vec{x}, \vec{s}, \vec{s}^{\prime}) \wedge C(\vec{s}^{\prime})
\]


\section*{Remarks on Sequential EC}
\(\square\) Industrial equivalence checkers almost exclusively use a combinational EC paradigm, even for sequential EC
■ Sequential EC is too complex and can only be applied to designs with a few hundred state bits
■ Structure similarity should be identified to simplify sequential EC
\(\square\) Besides sequential equivalence checking, reachability analysis is useful in sequential circuit optimization
■ In sequential optimization, unreachable states can be used as sequential don't cares to optimize a sequential circuit

\section*{Outline}

\(\square\) Introduction
\(\square\) Boolean reasoning engines
\(\square\) Equivalence checking
\(\square\) Property checking
■ Safety property checking

\section*{Model Checking}
\(\square\) A specific model-checking problem is defined by three ingredients: a system model \(M\), a property \(\varphi\), and a satisfaction relation \(M \models \varphi\), read as "satisfies", "implements", or "refines"

\section*{Model Checking}
\(\square\) \(M \models \varphi\)
■ Check if system model \(M\) satisfies a system property \(\varphi\)
■ System model \(M\) is described with a state transition system
- finite state or infinite state
■ Temporal property \(\varphi\) can be described with three orthogonal choices:
1. operational vs. declarative: automata vs. logic
2. may vs. must: branching vs. linear time
3. prohibiting bad vs. desiring good behavior: safety vs. liveness

Different choices lead to different model checking problems.

\section*{Property Checking}
\(\square\) Safety property: Something "bad" will never happen
■ A safety property violation always has a finite witness
- if something bad happens on an infinite run, then it already happens on some finite prefix
■ Example
- Two processes cannot be in their critical sections simultaneously
\(\square\) Liveness property: Something "good" will eventually happen
■ A liveness property violation never has a finite witness
- no matter what happens along a finite run, something good could still happen later
■ Example
- Whenever process P1 wants to enter the critical section, provided process P2 never stays in the critical section forever, P1 gets to enter eventually

For finite state systems, liveness can be converted to safety!

\section*{Safety Property Checking}
\(\square\) Safety property checking can be formulated as a reachability problem
■ Are bad states reachable from good states?
\(\square\) Sequential equivalence checking can be considered as one kind of safety property checking
■ \(M\): product machine
■ \(\varphi\): all states reachable from the initial states have output 0
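Safety checking as backward reachability, tying together the pre-image computation and backward analysis described earlier with the finite-witness property of safety violations stated above. This is an added example, not from the slides: the model (a 2-bit counter) and the bad-state set are constructed assumptions, and explicit sets of bit tuples stand in for BDDs. The pre-image "onion rings" are grown from the bad states until one touches an initial state, and a finite input sequence is then read off the rings.

```python
from itertools import product

# Constructed toy model: a 2-bit counter (s1 s2 read as an integer 0..3)
# that increments modulo 4 when x = 1 and resets to 0 when x = 0.
# Initial state 00; the "bad" set is {11}, i.e. the safety property
# "the counter never reaches 3" (chosen so a violation needs three steps).
N_IN, N_STATE = 1, 2
INIT = {(0, 0)}
BAD = {(1, 1)}

def delta(x, s):
    v = (s[0] * 2 + s[1] + 1) if x[0] else 0
    return (v >> 1 & 1, v & 1)

# Full transition relation T(x, s, s') = AND_i (s'_i == delta_i(x, s)), kept
# with x so that a witness can record the inputs, not just the states.
T = {(x, s, delta(x, s)) for x in product((0, 1), repeat=N_IN)
     for s in product((0, 1), repeat=N_STATE)}

def pre_image(c):
    """PreImg(C, T) = exists x, s' . T(x, s, s') AND C(s')."""
    return {s for (x, s, s_next) in T if s_next in c}

def backward_rings(bad, init):
    """Onion rings R_0 = Bad, R_i = PreImg(R_{i-1}) minus states already seen; stop at
    a fixed point or when a ring touches the initial states.  Returns the rings."""
    rings, seen = [set(bad)], set(bad)
    while not (rings[-1] & init):
        nxt = pre_image(rings[-1]) - seen
        if not nxt:
            return rings  # fixed point: bad states unreachable, property holds
        seen |= nxt
        rings.append(nxt)
    return rings

def witness(bad, init):
    """Finite counterexample [(s, x), ..., s_bad], or None if the property holds.
    Walks the rings forward from an initial state, one input per step."""
    rings = backward_rings(bad, init)
    if not (rings[-1] & init):
        return None
    s = min(rings[-1] & init)
    trace = []
    for ring in reversed(rings[:-1]):
        x, s_next = min((x, s2) for (x, s1, s2) in T if s1 == s and s2 in ring)
        trace.append((s, x))
        s = s_next
    return trace + [s]
```

`witness(BAD, INIT)` yields the three-step prefix 00 --1--> 01 --1--> 10 --1--> 11, the finite witness that refutes the safety property.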

\section*{Model Checking}
\(\square\) Data structure evolution
■ State graph (late 70s-80s)
- Problem size \(\sim 10^{4}\) states
■ BDD (late 80s-90s)
- Problem size \(\sim 10^{20}\) states
- Critical resource: memory
■ SAT (late 90s-)
- GRASP, SATO, chaff, berkmin
- Problem size \(\sim 10^{100}\) (?) states
- Critical resource: CPU time

\section*{Remarks on Model Checking}
\(\square\) Model checking is a very rich subject developed since the early 1980s
■ It is a variant of mathematical logic and is concerned with automatic temporal reasoning
\(\square\) Reference
E. M. Clarke, O. Grumberg, and D. Peled. Model Checking. MIT Press, 1999.

