# Introduction to Electronic Design Automation

Jie-Hong Roland Jiang 江介宏

Department of Electrical Engineering National Taiwan University



Spring 2012

# Formal Verification

Part of the slides are by courtesy of Prof. Y.-W. Chang, S.-Y. Huang, and A. Kuehlmann

2

#### Formal Verification

- Course contents
  - Introduction
  - Boolean reasoning engines
  - Equivalence checking
  - Property checking
- Readings
  - Chapter 9

#### Outline

- Introduction
- ■Boolean reasoning engines
- **■**Equivalence checking
- ■Property checking

3



(1995/1) Intel announces a pre-tax charge of 475 million dollars against earnings, ostensibly the total cost associated with replacement of the flawed processors.







# Design vs. Verification

- □ Verification may take up to 70% of total development time of modern systems!
  - This ratio is ever increasing
  - Some industrial sources show 1:3 head-count ratio between design and verification engineers
- Verification plays a key role to reduce design time and increase productivity

IC Design Flow and Verification



9

# Scope of Verification

- Design flow
  - A series of transformations from abstract specification all the way to layout
- Verification enters design flow in almost all abstraction levels
  - Design verification
    - □ Functional property verification (main focus)
  - Implementation verification
    - □ Functional equivalence verification (main focus)
    - Physical verification
    - □ Timing verification
    - □ Power analysis
    - Signal integrity check
      - Electro-migration, IR-drop, ground bounce, cross-talk, etc.
  - Manufacture verification
    - Testing

#### Verification

■ Design/Implementation Verification

#### **Functional Verification**

- Property checking in system levelPSPACE-complete
- Equivalence checking in RTL and gate level
   PSPACE-complete

#### **Physical Verification**

- DRC (design rule check) and LVS (layout vs. schematic check) in layout level
   Tractable
- Manufacture Verification
  - Testina
    - NP-complete
- "Verification" often refers to functional verification



#### Functional Verification



#### Functional Verification Approaches

- Simulation (software)
  - Incomplete (i.e., may fail to catch bugs)
  - Time-consuming, especially at lower abstraction levels such as gate- or transistor-level
  - Still the most popular way for design validation
- Emulation (hardware)
  - FPGA-based emulation systems, emulation system based on massively parallel machines (e.g., with 8 boards, 128 processors each), etc.
  - 2 to 3 orders of magnitude faster than software simulation
  - Costly and may not be easy-to-use
- Formal verification
  - a relatively new paradigm for property checking and equivalence checking
  - requires no input stimuli
  - perform exhaustive proof through rigorous logical reasoning

13

15

14

16

#### Informal vs. Formal Verification

- Informal verification
  - Functional simulation aiming at locating bugs
  - Incomplete
    - Show existence of bugs, but not absence of bugs
- Formal verification
  - Mathematical proof of design correctness
  - Complete
    - ☐ Show both existence and absence of bugs

We will be focusing on formal verification

#### Outline

- ■Introduction
- ■Boolean reasoning engines
  - BDD
  - SAT
- **□** Equivalence checking
- ■Property checking

# Binary Decision Diagram (BDD)

- Basic features
  - ROBDD
    - □ Proposed by R.E. Bryant in 1986
    - □ A directed acyclic graph (DAG) representing a Boolean function f:  $B^n \rightarrow B$ 
      - Each non-terminal node is a decision node associated with a input variable with two branches: 0-branch and 1-branch
      - Two terminal nodes: 0-terminal and 1-terminal
  - Example



17

#### Binary-Decision Diagram (BDD)

- Cofactor of Boolean function:
  - $f_{xi} = f(x_1, ..., x_{i-1}, 1, x_{i+1}, ..., x_n)$ ■ Positive cofactor w.r.t. x<sub>i</sub>:
  - Negative cofactor w.r.t. x<sub>i</sub>:  $f_{-x_i} = f(x_1, ..., x_{i-1}, 0, x_{i+1}, ..., x_n)$
  - Example

$$\begin{split} f &= X_1' \, X_2' \, X_3' \, + \, X_1' \, X_2' \, X_3 \, + \, X_1 \, X_2' \, X_3 \, + \, X_1 \, X_2 \, X_3' \, + \, X_2 \, X_3 \\ f_{x1} &= X_2' \, X_3 \, + \, X_2 \, X_3' \, + \, X_2 \, X_3 \\ f_{x1'} &= X_2' \, X_3' \, + \, X_2' \, X_3 \, + \, X_2 \, X_3 \end{split}$$

- □ Shannon expansion:  $f = x_i f_{xi} + x_i' f_{xi'}$ 
  - A complete expansion of a function can be obtained by successively applying Shannon expansion on all variables until either of the constant functions '0' or '1' is reached

18

# Ordered BDD (OBDD)

- □ Complete Shannon expansion can be visualized as a binary tree
  - Solid (dashed) lines correspond to the positive (negative) cofactor



 $f = \overline{X_1} \overline{X_2} \overline{X_3} + \overline{X_1} \overline{X_2} \overline{$ 

# Reduced OBDD (ROBDD)

- Reduction rules of ROBDD
  - Rule 1: eliminate a node with two identical children
  - Rule 2: merge two isomorphic sub-graphs





- Reduction procedure
  - Input: An OBDD
  - Output: An ROBDD
  - Traverse the graph from the terminal nodes towards to root node (i.e., in a bottom-up manner) and apply the above reduction rules whenever possible

#### **ROBDD**

- $\square$  An OBDD is a directed tree G(V, E)
- □ Each vertex v ∈ V is characterized by an associated variable  $\phi(v)$ , a *high* subtree  $\eta(v)$  (high(v), the 1-branch) and a *low* subtree  $\lambda(v)$  (low(v), the 0-branch)
- Procedure to reduce an OBDD:
  - Merge all identical leaf vertices and appropriately redirect their incoming edges
  - Proceed from bottom to top, process all vertices: if two vertices u and v are found for which  $\phi(u) = \phi(v)$ ,  $\eta(u) = \eta(v)$ , and  $\lambda(u) = \lambda(v)$ , merge u and v and redirect incoming edges
  - For vertices  $\nu$  for which  $\eta(\nu) = \lambda(\nu)$ , remove  $\nu$  and redirect its incoming edges to  $\eta(\nu)$

**ROBDD** 

Example



■ variable order: x < y < z

Truth table

| xyz | f |
|-----|---|
| 000 | 0 |
| 001 | 0 |
| 010 | 1 |
| 011 | 0 |
| 100 | 0 |
| 101 | 1 |
| 110 | 0 |
| 111 | 1 |
|     |   |



#### **ROBDD**

■ Example (cont'd)





# Canonicity

- Canonicity requirements
  - A BDD representation is not canonical for a given Boolean function unless the following constraints are satisfied:
  - 1. Simple BDD each variable can appear only once along each path from the root to a leaf
  - 2. Ordered BDD Boolean variables are ordered in such a way that if the node labeled  $x_i$  has a child labeled  $x_k$ , then order $(x_i)$  < order $(x_k)$
  - 3. Reduced BDD no two nodes represent the same function, i.e., redundancies are removed by sharing isomorphic sub-graphs

22

# **ROBDD** Properties

- ROBDD is a canonical representation for a fixed variable ordering
- ROBDD is compact in representing many Boolean functions used in practice
- Variable ordering greatly affects the size of an ROBDD
  - E.g., the parity function of *k* bits:





25

# Effects of Variable Ordering

- BDD size
  - Can vary from linear to exponential in the number of the variables, depending on the ordering
- Hard-to-build BDD
  - Datapath components (e.g., multipliers) cannot be represented in polynomial space, regardless of the variable ordering
- Heuristics of ordering
  - (1) Put the variable that influence most on top
  - (2) Minimize the distance between strongly related variables

```
(e.g., x1x2 + x2x3 + x3x4)
 x1 < x2 < x3 < x4 is better than x1 < x4 < x2 < x3
```

26

# BDD Package

- □ A BDD package refers to a software program that supports Boolean manipulation using ROBDDs. It has the following features:
  - It provides convenient API (application programming interface)
  - It supports the conversion between the external Boolean function representation and the internal ROBDD representation
  - Multiple Boolean functions are stored in shared ROBDD
  - It can create new functions from existing ones (e.g.,  $h = f \cdot g$ )

#### BDD Data Structure

- A triplet (φ,η,λ)
   uniquely identifies an ROBDD vertex
- □ A unique table (implemented by a hash table) that stores all triplets already processed

```
struct vertex {
    char *\phi;
    struct vertex *\eta, *\lambda;
    ...
}
```

```
\begin{array}{l} \textbf{struct} \ \text{vertex} \ * \text{old\_or\_new}(\textbf{char} \ * \phi, \textbf{struct} \ \text{vertex} \ * \eta, * \lambda) \\ \{ \\ \textbf{if} \ (\text{``a vertex} \ v = (\phi, \eta, \lambda) \ \text{exists''}) \\ \textbf{return} \ v; \\ \textbf{else} \ \{ \\ v \leftarrow \text{``new} \ \text{vertex} \ \text{pointing} \ \text{at} \ (\phi, \eta, \lambda) \text{''}; \\ \textbf{return} \ v; \\ \} \\ \} \end{array}
```

# Building ROBDD

```
struct vertex *robdd_build(struct expr f, int i)
 struct vertex *\eta, *\lambda;
  struct char *\phi;
  if (equal(f, '0'))
    return v_0;
  else if (equal(f, '1'))
    return v_1:
  else {
    \phi \leftarrow \pi(i);
    \eta \leftarrow \text{robdd\_build}(f_{\phi}, i + 1);
    \lambda \leftarrow \text{robdd\_build}(f_{\overline{A}}, i + 1);
    if (\eta = \lambda)
       return \eta;
       return old_or_new(\phi, \eta, \lambda);
```

- □ The procedure directly builds the compact **ROBDD** structure
- □ A simple symbolic computation system is assumed for the derivation of the cofactors
- $\square$   $\pi(i)$  gives the  $i^{th}$ variable from the top

29

### Building ROBDD

#### Example

```
robdd_bui ld(\overline{x_1} \cdot \overline{x_3} + \overline{x_2} \cdot x_3 + x_1 \cdot x_2, 1)
\frac{\pi}{2} robdd_build(\overline{x_2} \cdot x_3 + x_2, 2).
      \frac{\pi}{2} robdd_build('1', 3)
     \stackrel{\lambda}{
ightarrow} robddLbuild(x_3,3)
            \frac{\pi}{2} robdd_build(* 1*, 4).
           \stackrel{\lambda}{\rightarrow} to bdd_build(101,4).
            v_2 = (x_3, v_1, v_0)
      v_3 = (x_2, v_1, v_2)
```

| $\stackrel{\lambda}{\rightharpoonup}$ robdd_build( $\overline{x_3} + \overline{x_2} \cdot x_3, 2$ ) |
|-----------------------------------------------------------------------------------------------------|
| $\frac{\mathbb{N}}{2}$ robdd_build( $\overline{x_3}$ , 3)                                           |
| $\stackrel{\eta}{\rightharpoonup}$ mobdd_build(*0*, 4)                                              |
| 1,0                                                                                                 |
| $\stackrel{\lambda}{ ightharpoons}$ robdd_build(*1*,4)                                              |
| 91 <u>1</u>                                                                                         |
| $v_4=(x_3,v_0,v_1)$                                                                                 |
| $\stackrel{\lambda}{\rightharpoonup}$ robdd_build $(\overline{x_3} + x_3, 3)$                       |
| $\frac{\eta}{2}$ robdd_build(*1*,4)                                                                 |
| 5,17                                                                                                |
| $\stackrel{\lambda}{ ightharpoons}$ robdd_build(* 1*, 4)                                            |
| SıT                                                                                                 |
| 3,1                                                                                                 |
| $v_5 = (x_2, v_4, v_1)$                                                                             |
| $v_6=(x_1,v_3,v_5)$                                                                                 |
|                                                                                                     |

30

#### Recursive BDD Operation

- $\square$  Construct the ROBDD h = f < op > g from two existing ROBDDs f and g, where <op> is a binary Boolean operator (e.g. AND, OR, NAND, NOR)
  - A recursive procedure on each variable x

$$□h = x \cdot h_{x=1} + x' \cdot h_{x=0} 
= x \cdot (f < op > g)_{x=1} + x' \cdot (f < op > g)_{x=0} 
= x \cdot (f_{x=1} < op > g_{x=1}) + x' (f_{x=0} < op > g_{x=0}) 
• (f < op > g)_x = (f_x < op > g_x) for < op > = AND, OR, NAND, NOR$$







# Recursive BDD Operation

■ Existential quantification Let  $\exists x_1 [f(x_1, y_1, ..., y_n)] = g(y_1, ..., y_n).$ Then  $g(y_1,...,y_n) = 1$  iff  $f(0, y_1, ..., y_n) = 1$  or  $f(1, y_1, ..., y_n) = 1$ 

 $f = (x1+x2) \cdot x3$ 









 $\exists x_1 f = f_{x_1=0} + f_{x_1=1}$ 

#### ROBDD Manipulation

- Separate algorithms could be designed for each operator on ROBDDs, such as AND, NOR, etc. However, the universal if-thenelse operator 'ite' is sufficient.
  - z = ite(f,g,h), z equals g when f is true and equals h otherwise:
  - Example:

$$z = ite(f, g, h) = f \cdot g + \overline{f} \cdot h$$
  

$$z = f \cdot g = ite(f, g, '0')$$
  

$$z = f + g = ite(f, '1', g)$$

□ The *ite* operator is well-suited for a recursive algorithm based on ROBDDs  $(\phi(v) = x)$ :

$$v = ite(F, G, H) = (x, ite(F_x, G_x, H_x), ite(F_{\overline{x}}, G_{\overline{y}}, H_{\overline{y}}))$$

#### 33

### ITE Operator

□ ITE operator ite(f,g,h) = fg + f'h can implement any two variable logic function. There are 16 such functions corresponding to all subsets of vertices of  $\mathbf{B}^2$ :

| Table | Subset     | Expression    | Equivalent Form |
|-------|------------|---------------|-----------------|
| 0000  | 0          | 0             | 0               |
| 0001  | AND(f, g)  | fg            | ite(f, g, 0)    |
| 0010  | f > g      | f g'          | ite(f, g', 0)   |
| 0011  | f          | f             | f               |
| 0100  | f < g      | f′g           | ite(f, 0, g)    |
| 0101  | g          | g             | g               |
| 0110  | XOR(f, g)  | $f \oplus g$  | ite(f, g', g)   |
| 0111  | OR(f, g)   | f + g         | ite(f, 1, g)    |
| 1000  | NOR(f, g)  | (f + g)'      | ite(f, 0, g')   |
| 1001  | XNOR(f, g) | $f \oplus g'$ | ite(f, g, g')   |
| 1010  | NOT(g)     | g'            | ite(g, 0, 1)    |
| 1011  | $f \ge g$  | f + g'        | ite(f, 1, g')   |
| 1100  | NOT(f)     | f′            | ite(f, 0, 1)    |
| 1101  | $f \leq g$ | f' + g        | ite(f, g, 1)    |
| 1110  | NAND(f, g) | (f g)'        | ite(f, g', 1)   |
| 1111  | 1          | 1             | 1               |

34

#### Recursive Formulation of ITE

```
□ Ite(f,g,h)

= f g + f' h

= v (f g + f' h)<sub>v</sub> + v' (f g + f' h)<sub>v'</sub>

= v (f<sub>v</sub> g<sub>v</sub> + f'<sub>v</sub> h<sub>v</sub>) + v' (f<sub>v'</sub> g<sub>v'</sub> + f'<sub>v'</sub> h<sub>v'</sub>)

= ite(v, ite(f<sub>v'</sub> g<sub>v'</sub> h<sub>v</sub>), ite(f<sub>v'</sub> g<sub>v'</sub> h<sub>v'</sub>))
```

where v is the top-most variable of BDDs f, g, h

# ITE Operator

Example



```
 \begin{aligned} &1 &= ite \ (F, G, H) \\ &= ite \ (a, ite \ (F_a, G_a, H_a), ite \ (F_{\bar{a}}, G_{\bar{a}}, H_{\bar{a}})) \\ &= ite \ (a, ite \ (1, C, H), ite \ (B, 0, H)) \\ &= ite \ (a, C, ite \ (b, ite \ (B_b, 0_b, H_b), ite \ (B_{\bar{b}}, 0_{\bar{b}}, H_{\bar{b}})) \\ &= ite \ (a, C, ite \ (b, ite \ (1, 0, 1), ite \ (0, 0, D))) \\ &= ite \ (a, C, ite \ (b, 0, D)) \\ &= ite \ (a, C, ite \ (b, 0, D)) \end{aligned}
```

34

F,G,H,I,J,B,C,D

are pointers

#### ITE Operator

```
struct vertex *apply_ite(struct vertex *F, *G, *H, int i) \square ITE algorithm processes
  char x:
  struct vertex *\eta, *\lambda;
 if (F = v_1)
     return G;
  else if (F = v_0)
    return H;
  else if (G = v_1 \&\& H = v_0)
    return F:
  else {
    x \leftarrow \pi(i);
    \eta \leftarrow \text{apply\_ite}(F_x, G_x, H_x, i + 1);
    \lambda \leftarrow \text{apply\_ite}(F_{\overline{X}}, G_{\overline{X}}, H_{\overline{X}}, i+1);
    if (\eta = \lambda)
       return \eta;
     else
       return old_or_new(x, \eta, \lambda);
```

- the variables in the order used in the BDD package
  - $\blacksquare$   $\pi(i)$  gives the  $i^{th}$  variable from the top;  $\pi^{-1}(x)$ gives the index position of variable x from the
- □ Cofactor: Suppose *F* is the root vertex of the function for which  $F_{\nu}$  should be computed. Then

```
F_{\nu} = \eta(F) if \pi^{-1}(\phi(F)) = i
 F_{v'} can be calculated
    símilarly
```

■ The time complexity of the algorithm is  $O(|F| \cdot |G| \cdot |H|)$ 

# ITE Operator

#### Example



 $\overline{G}$  = ite(G, 0, 1)



38

# ITE Operator

#### ■ Example (cont'd)



```
apply_ite(v_6, v_{10}, v_8, 1)
\stackrel{\eta}{\rightarrow} apply_ite(v_3, v_9, v_7, 2)
      \stackrel{\eta}{\rightarrow} \text{apply\_ite}(v_1, v_1, v_0, 3)
      \stackrel{\lambda}{\rightarrow} apply_ite(v_2, v_0, v_1, 3)
            \stackrel{\eta}{\rightarrow} apply_ite(v_1, v_0, v_1, 4)
            \stackrel{\lambda}{
ightarrow} apply_ite(v_0,v_0,v_1,4)
            v_4 = (x_3, v_0, v_1)
      v_{11} = (x_2, v_1, v_4)
\stackrel{\lambda}{\rightarrow} apply_ite(v_5, v_1, v_0, 2)
      v_5
v_{12}=(x_1,v_{11},v_5)
```

# BDD Memory Management

#### Ordering

- Finding the best ordering minimizing ROBDD sizes is intractable
- Optimal ordering may change as ROBDDs are being manipulated
  - □ An ROBDD package may reorder the variables at different moments
  - ☐ It can move some variable closer to the top or bottom by remembering the best position, and repeat the procedure for other variables

#### □ Garbage collection

Another important technique, in addition to variable ordering, for memory management

# Data Type Conversion



#### Formula to BDD



#### Netlist to BDD



#### Netlist to BDD



#### BDD to Netlist

- MUX-based translation
  - replace each decision node by a MUX
  - replace 0-terminal by GND, and 1-terminal by VDD
  - reverse the direction of every edge
  - specify the root node as the output node





#### **BDD** Features

#### Strengths

- ROBDD is a compact representation for many Boolean functions
- ROBDD is canonical, given a fixed variable ordering
- Many Boolean operations are of polynomial time complexity in the input BDD sizes

#### ■ Weaknesses

■ In the worst case, the size of a BDD is O(2<sup>n</sup>) for n-input Boolean functions

46

# **BDD** Applications

- Boolean function verification
  - Compare a specification f to an implementation g, assuming their ROBDDs are F and G, respectively.
    - ☐ For fully specified functions *f* and *g*, the verification is trivial (pointer comparison) because of the strong canonicity of the ROBDD
      - Strong canonicity: the representations of identical functions are the same
    - □ For an incompletely specified function  $I = (f, d, \neg(f+d))$  with onset f, dc-set d, and offset  $\neg(f+d)$ . A completely specified function g correctly implements I if  $(d + f \cdot g + \neg f \cdot \neg g)$  is a tautology, that is,  $f \Rightarrow g \Rightarrow (f+d)$
- Satisfiability checking
  - A Boolean function *f* is satisfiable if there exists an input assignment for which *f* evaluates to '1'
  - Any Boolean function whose ROBDD is not equal to '0' is satisfiable

# BDD Applications

- Min-cost satisfiability
  - Suppose that choosing a Boolean variable  $x_i$  to be '1' costs  $c_i$ . Then, the minimum-cost satisfiability problem asks to minimize:  $\sum_i c_i \cdot u_i(x_i)$

where  $\mu(x_i) = 1$  when  $x_i = 1$  and  $\mu(x_i) = 0$  when  $x_i = 0$ .

- Solving minimum-cost satisfiability amounts to computing the shortest path in an ROBDD with weights:  $w(v, \eta(v)) = c_{j_i} w(v, \lambda(v)) = 0$ , variable  $x_i = \phi(v)$ , which can be solved in linear time
- Combinatorial optimization
  - Many combinatorial optimization problems can also be formulated in terms of the satisfiability problem
  - 0-1 integer linear programming can be formulated as a minimum-cost satisfiability problem although the translation may not be efficient
    - □ E.g., the constraint:  $x_1 + x_2 + x_3 + x_4 = 3$  can be written as  $(x_1+x_2)(x_1+x_3)(x_1+x_4)(x_2+x_3)(x_2+x_4)(x_3+x_4)(-x_1+-x_2+-x_3+-x_4)$

#### Outline

- Introduction
- ■Boolean reasoning engines
  - BDD
  - SAT
- **□** Equivalence checking
- ■Property checking

# **SAT Solving**

- $\hfill \square$  SAT problem: Given a Boolean formula  $\phi$  in CNF, find an input assignment such that  $\phi$  valuates to true
- □ SAT solving is a decision procedure over CNFs Example

$$\phi = (a+b'+c)(a'+b+c)(a+b'+c')(a+b+c)$$
  
is SAT (e.g. under a=1, b=1, c=0)

- □ SAT in CNF (POS) ⇔ Tautology in DNF (SOP)
  - How about Tautology in CNF and SAT in DNF?

49

50

# SAT Solving

☐ Given a circuit, suppose we would like to know if some signal is always zero. This can be formulated as a SAT problem if we can covert the circuit to an CNF.



Is output always 0?

an AIG

#### Circuit to CNF

- Naive conversion of circuit to CNF:
  - Multiply out expressions of circuit until two level structure
  - Example:  $y = x_1 \oplus x_2 \oplus x_2 \oplus ... \oplus x_n$  (Parity function) □ circuit size is linear in the number of variables

- generated chess-board Karnaugh map
- □ CNF (or DNF) formula has 2<sup>n-1</sup> terms (exponential in #vars)
- Better approach:
  - Introduce one variable per circuit vertex
  - Formulate the circuit as a conjunction of constraints imposed on the vertex values by the gates
  - Uses more variables but size of formula is linear in the size of the circuit

#### Circuit to CNF

#### Example

■ Single gate:

a AND 
$$(\neg a + \neg b + c)(a + \neg c)(b + \neg c)$$

Circuit of connected gates:



#### Circuit to CNF

#### □ Circuit to CNF conversion

- can be done in linear size (with respect to the circuit size) if intermediate variables can be introduced
- may grow exponentially in size if no intermediate variables are allowed

54

# **DPLL-Style SAT Solving**

SAT(clause set S, literal v)

- 1.  $S := S_v$  //cofactor each clause of S w.r.t. v
- 2. If no clauses in S, return T
- 3. If a clause in S is empty (FALSE), return  $\mbox{\sc F}$
- 4. If S has a unit clause with literal u, then return SAT(S, u) //implication
- Choose a variable x with value not yet assigned
- 6. If SAT(S, x), return T
- 7. If  $SAT(S, \neg x)$ , return T
- 8. Return F

# SAT Solving with Case Splitting



# SAT Solving with Implication

- ■Implication in a CNF formula are caused by unit clauses
  - A unit clause is a clause in which all literals except one are assigned (to be false)
    - ■The value of the unassigned variable is implied Example

$$(a+\neg b+c)$$
  
  $a=0, b=1 \Rightarrow c=1$ 

### Implications in CNF

■ Example

a AND c 
$$(\neg a+\neg b+c)(a+\neg c)(b+\neg c)$$

57

58

# SAT Solving with Implication

Example



# SAT Solving with Learning

■ Example



Source: Karem A. Sakallah, Univ. of Michigan

#### Implementation Issues

- ☐ Track sensitivity of clauses for changes (two-literal-watch scheme)
  - clause with all literals but one assigned → implication
  - clause with all literals but two assigned → sensitive to a change of either literal
  - all other clauses are insensitive and need not be observed
- Learning:
  - learned implications are added to the CNF formula as additional clauses
    - □ limit the size of the clause
    - □ limit the "lifetime" of a learned clause, will be removed after some time

#### Quantification over CNF and DNF

- □ Recall a quantified Boolean formula (QBF) is  $Q_1 x_1$ ,  $Q_2 x_2$ , ...,  $Q_n x_n$ .  $\varphi$  where  $Q_i$  is either a existential ( $\exists$ ) or universal quantifier ( $\forall$ ),  $x_i$  is a Boolean variable, and  $\varphi$  is a Boolean formula.
- Existential (respectively universal) quantification over DNF (respectively CNF) is easy
  - One approach to quantifier elimination is by back-andforth CNF-DNF conversion!
- □ Solving QBFs with QBF-solvers

62

#### Outline

■Introduction

■ Boolean reasoning engines

■ Equivalence checking

■Property checking

# Equivalence Checking in Microprocessor Design



#### Equivalence Checking in ASIC Design



**Equivalence Checking** 

- Equivalence checking is one of the most important problem in design verification
  - It ensures logic transformation process (e.g. two-level, multi-level logic minimization, retiming and resynthesis, etc.) does not introduce errors
- Two types of equivalence checking
  - Combinational equivalence checking
    - □ Check if two combinational circuits are equivalent
  - Sequential equivalence checking
    - □ Check if two sequential circuits are equivalent

66

#### Outline

- ■Introduction
- ■Boolean reasoning engines
- Equivalence checking
  - Combinational equivalence checking
  - Sequential equivalence checking
- ■Property checking

# History of Equivalence Checking

- □ SAS (IBM 1978 1994):
  - standard equivalence checking tool running on mainframes
  - based on the DBA algorithm ("BDDs in time")
  - verified manual cell-based designs against RTL spec
  - handling of entire processor designs
    - □application of "proper cutpoints"
    - application of synthesis routines to make circuits structurally similar
    - □ special hacks for hard problems
- □ Verity (IBM 1992 today):
  - originally developed for switch-level designs
  - today IBMs standard EC tool for any combination of switch-, gate-, and RTL designs

00

# History of Equivalence Checking

- □ Chrysalis (1994 Avanti now Synopsys):
  - based on ATPG technology and cutpoint exploitation
  - very weak if many cutpoints present
  - did not adopt BDDs for a long time
- □ Formality (1997 Synopsys)
  - multi-engine technology including strong structural matching techniques
- Verplex (1998 now Cadence)
  - strong multi-engine based tool
  - heavy SAT-based
  - very fast front-end

#### Combinational EC

☐ Given two combinational circuits C<sub>1</sub> and C<sub>2</sub>, are their outputs equivalent under any possible input assignment?



70

#### Miter for Combinational EC

■ Two combinational circuits C<sub>1</sub> and C<sub>2</sub> are equivalent if and only if the output of their "miter" structure always produces constant 0



71

# Approaches to Combinational EC

- ■Basic methods:
  - random simulationgood at identifying inequivalent signals
  - BDD-based methods
  - structural SAT-based methods



#### BDD-based Combinational EC

#### Procedure

- 1. Construct the ROBDDs  $F_1$  and  $F_2$  for circuits  $C_1$  and  $C_2$ , respectively
  - ■Variable orderings of F<sub>1</sub> and F<sub>2</sub> should be the same
- 2.Let  $G = F_1 \oplus F_2$ . If G = 0,  $C_1$  and  $C_2$  are equivalent; otherwise, they are inequivalent
  - ■No false negative or false positive
    - False negative: circuits are equivalent; however, verifier fails to tell
    - False positive: circuits are inequivalent; however, verifier says otherwise

#### SAT-based Combinational EC

#### Procedure

- 1. Convert the miter structure into a CNF
- 2.Perform SAT solving to verify if the output variable cannot be valuated to true under every input assignment (i.e. UNSAT)

74

#### Combinational EC

- Pure BDD and plain SAT solving cannot handle all logic cones
  - BDDs can be built for about 80% of the cones of high-speed designs and less for complex ASICs
  - plain SAT blows up in CPU time on a miter structure
- ☐ Contemporary method highly exploit structural similarities between two circuits to be compared

#### Combinational EC

Memory statistics of BDD-based EC on a PowerPC processor design



#### Combinational EC

☐ Runtime statistics of BDD-based EC on a PowerPC processor design



77

79

# Necessity of Structure Similarity

- ■Pure BDDs are incapable of verifying equivalence of large circuits
  - Even more so for arithmetic circuits (e.g. BDDs blow up in representing multipliers)
- □ Identifying structure similarity helps simplify verification tasks
  - E.g. structure hashing in AIGs

78

#### Combinational EC

■ Evidence of vast existence of structure similarities



#### Structure and Verification

- Structure-independent techniques
  - Exhaustive simulation
  - Decision diagrams
- Structure-dependent techniques
  - Graph hashing
  - SAT based cutpoint identification



#### Summary

- □ Combinational EC is considered to be solvable in most industrial circuits (w/ multi-million gates)
  - Computational efforts scale almost linearly with the design size
  - Existence of structural similarities
    - □ Logic transformations preserve similarities to some extent

81

83

- Hybrid engine of BDD, SAT, AIG, simulation, etc.
  - Cutpoint identification
- Unsolved for arithmetic circuits
  - Absence of structural similaritiesCommutativity ruins internal similarities
  - Word- vs. bit-level verification

#### Outline

- ■Introduction
- Boolean reasoning engines
- Equivalence checking
  - Combinational equivalence checking
  - Sequential equivalence checking
- ■Property checking

# Sequential EC

☐ Given two sequential circuits (and thus FSMs), do they produce the same output sequence under any possible input sequence?



# Miter for Sequential EC

■ Two FSMs M<sub>1</sub> and M<sub>2</sub> are equivalent if and only if the output of their product machine always produces constant 0



82

#### **Product Machine**

- The product FSM  $M_{1\times 2}$  of FSMs  $M_1=(Q_1, I_1, \Sigma, \Omega, \delta_1, \lambda_1)$  and  $M_2=(Q_2, I_2, \Sigma, \Omega, \delta_2, \lambda_2)$  is a six-tuple  $(Q_{1\times 2}, I_{1\times 2}, \Sigma, \Omega, \delta_{1\times 2}, \lambda_{1\times 2})$ , where
  - State space  $Q_{1\times 2} = Q_1 \times Q_2$
  - Initial state set  $I_{1\times 2} = I_1 \times I_2$
  - Input alphabet ∑
  - Output alphabet {0,1}
  - Transition function  $\delta_{1\times 2} = (\delta_1, \delta_2)$
  - Output function  $\lambda_{1\times 2} = (\lambda_1 \oplus \lambda_2)$

#### Sequential EC

- Approaches for combinational EC do not work for sequential EC because two equivalent FSMs need not have the same transition and output functions
  - False negatives may result from applying combinational EC on sequential circuits
- □ One solution to sequential EC is by reachability analysis
  - Two FSMs M<sub>1</sub> and M<sub>2</sub> are equivalent if and only if the output of their product FSM M<sub>1×2</sub> is constant 0 under all input assignments and all reachable states of M<sub>1×2</sub>
  - Need to know the set of reachable states of M<sub>1×2</sub>

85

86

# Reachability Analysis

□ Given an FSM M =  $(Q, I, \Sigma, \Omega, \delta, \lambda)$ , which states are reachable from the initial state set I?



# Symbolic Reachability Analysis

- Reachability analysis can be performed either explicitly (over a state transition graph) or implicitly (over transition functions or a transition relation)
  - Implicit reachability analysis is also called symbolic reachability analysis (often using BDDs and more recently SAT)
- ■Image computation is the core computation in symbolic reachability analysis

# Reachability Onion Ring



### Computing Reachable States

- □ Input: Sequential system represented by a transition relation and an initial state (or a set of initial states)
  - Transition functions can be converted into a transition relation
- □ Computation: Image computation using Boolean operations on characteristic functions (representing state sets)
- □ Output: A characteristic function representing the set of reachable states

#### Relation

 $\square$  Definition. Relation R  $\subseteq$  X×Y is a subset of the Cartesian product of two sets X and Y. If  $(x,y) \in \mathbb{R}$ , then we alternatively write "x R y" meaning x is related to y by R.



| <b>X</b> <sub>1</sub> | X <sub>2</sub> | <b>X</b> <sub>3</sub> | <b>y</b> <sub>1</sub> | <b>y</b> <sub>2</sub> |
|-----------------------|----------------|-----------------------|-----------------------|-----------------------|
| 0                     | 0              | 0                     | 0                     | 0                     |
| О                     | 0              | 1                     | 0                     | 1                     |
| О                     | 1              | 0                     | 0                     | 1                     |
| 0                     | 1              | 1                     | 0                     | 1                     |
| 1                     | 0              | 0                     | 0                     | 0                     |
| 1                     | 0              | 1                     | 0                     | 1                     |
| 1                     | 1              | 0                     | 1                     | 1                     |
| 1                     | 1              | 1                     | 1                     | 1                     |

#### Characteristic Function

 $\square$  Relation R  $\subset$  X×Y can be represented by a characteristic function: a Boolean function  $F_p(x,y)$  taking value 1 for those  $(x,y) \in R$  and 0 otherwise.

| <b>X</b> <sub>1</sub> | <b>X</b> <sub>2</sub> | <b>X</b> <sub>3</sub> | <b>y</b> <sub>1</sub> | <b>y</b> <sub>2</sub> | F |
|-----------------------|-----------------------|-----------------------|-----------------------|-----------------------|---|
| О                     | 0                     | 0                     | 0                     | 0                     | 1 |
| 0                     | 0                     | 1                     | 0                     | 1                     | 1 |
| О                     | 1                     | 0                     | 0                     | 1                     | 1 |
| 0                     | 1                     | 1                     | О                     | 1                     | 1 |
| 1                     | 0                     | 0                     | О                     | 0                     | 1 |
| 1                     | 0                     | 1                     | 0                     | 1                     | 1 |
| 1                     | 1                     | 0                     | 1                     | 1                     | 1 |
| 1                     | 1                     | 1                     | 1                     | 1                     | 1 |
| other                 |                       |                       |                       |                       | 0 |



Courtesy of A. Mishchenko Courtesy of A. Mishchenko

#### Transition Relation

- □ Definition. A transition relation T of an FSM M =  $(Q, I, \Sigma, \Omega, \delta, \lambda)$  is a relation T ⊆  $(\Sigma \times Q) \times Q$  such that T $(\sigma, q_1, q_2) = 1$  iff there is a transition from  $q_1$  to  $q_2$  under input  $\sigma$ .
  - $\delta$ : ( $\Sigma \times Q$ )  $\rightarrow Q$
  - T:  $(\Sigma \times Q) \times Q \rightarrow \{0,1\}$

Assume  $\delta = (\delta_1, ..., \delta_{\kappa})$ . Then

$$T(\vec{x}, \vec{s}, \vec{s}') = (s_1' \equiv \delta_1(\vec{x}, \vec{s})) \wedge (s_2' \equiv \delta_2(\vec{x}, \vec{s})) \wedge \dots \wedge (s_k' \equiv \delta_k(\vec{x}, \vec{s}))$$
$$= \prod_i (s_i' \equiv \delta_i(\vec{x}, \vec{s}))$$

where x, s, s' are primary-input, current-state, and next-state variables, respectively.

#### Quantified Transition Relation

Definition

Let M =  $(Q, I, \Sigma, \Omega, \delta, \lambda)$  be an FSM

■ Quantified transition relation T<sub>¬</sub>

$$T_{\exists}(\vec{s}, \vec{s}') = \exists \vec{x}. (s_1' \equiv \delta_1(\vec{x}, \vec{s})) \land (s_2' \equiv \delta_2(\vec{x}, \vec{s})) \land \dots \land (s_k' \equiv \delta_k(\vec{x}, \vec{s}))$$
$$= \exists \vec{x}. \prod_i (s_i' \equiv \delta_i(\vec{x}, \vec{s}))$$

- $\square(p,q) \in T_{\exists}$  if there exists an input assignment bringing M from state p to state q
- □only concerns about the reachability of the FSM's transition graph

93

94

#### Transition Relation

■Example



| х   | cs    | s <sub>1</sub> s <sub>2</sub> | NS | s <sub>1</sub> 's <sub>2</sub> ' | Т |
|-----|-------|-------------------------------|----|----------------------------------|---|
| 0   | Α     | 00                            | В  | 10                               | 1 |
| 0,1 | Α     | 00                            | Α  | 00                               | 1 |
| О   | В     | 10                            | В  | 10                               | 1 |
| 1   | В     | 10                            | Α  | 00                               | 1 |
| 0   | С     | 01                            | В  | 10                               | 1 |
| 1   | С     | 01                            | Α  | 00                               | 1 |
|     | other |                               |    |                                  |   |

#### Transition Relation

Example



x
s<sub>1</sub>
s<sub>1</sub>'
s<sub>2</sub>'



# Image Computation

- ☐ Given a mapping of one Boolean space (input space) into another Boolean space (output space)
  - For a set of minterms (care set) in the input space
    - ☐ The image is the set of related minterms from the output space
  - For a set of minterms in the output space
    - ☐ The pre-image is the set of related minterms in the input space

Courtesy of A. Mishchenko



### Image Computation

**□**Example



Courtesy of A. Mishchenko

Courtesy of A. Mishchenko

# Image Computation

- $\square \operatorname{Image}(C(x),T(x,y)) = \exists x [C(x) \land T(x,y)]$
- □ Implicit methods by far outperform explicit ones
  - Successfully computing images with more than 2<sup>100</sup> minterms in the input/output spaces
- □ Operations ∧ and ∃ are basic Boolean manipulations and are implemented in BDD packages
  - To avoid large intermediate results (during and after the product computation), BDD AND-EXIST operation performs product and quantification in one pass over the BDD

# Symbolic Image Computation

- Definition. Let F: B<sup>m</sup>×B<sup>n</sup> be a projection and C be a set of minterms in B<sup>m</sup>. Then the image of C is the set Img(C, F) = { w ∈ B<sup>n</sup> | (v, w) ∈ F and v ∈ C} in B<sup>n</sup>.
- Characteristic function
  - for reachable next-state computation

$$N_{i}(\vec{s}') = Img(R_{i}(\vec{s}), T_{\exists}(\vec{s}, \vec{s}'))$$

$$= \exists \vec{s}. (R_{i}(\vec{s}) \land T_{\exists}(\vec{s}, \vec{s}'))$$

$$= \exists \vec{s}. (R_{i}(\vec{s}) \land (\exists \vec{x}. \prod_{i} (s_{i}' \equiv \delta_{i}(\vec{x}, \vec{s}))))$$



# Symbolic Pre-Image Computation

- □ Definition. Let F: B<sup>m</sup>×B<sup>n</sup> be a projection and C be a set of minterms in B<sup>m</sup>. Then the pre-image of C is the set PreImg(C, F) = {  $v \in B^m \mid (v, w) \in F \text{ and } w \in C$ } in  $B^n$ .
- Characteristic Function
  - for reachable previous-state computation

$$\begin{split} N_{i}(\vec{s}) &= PreImg(R_{i}(\vec{s}'), T_{\exists}(\vec{s}, \vec{s}')) \\ &= \exists \vec{s}' . (R_{i}(\vec{s}') \land T_{\exists}(\vec{s}, \vec{s}')) \\ &= \exists \vec{s}' . (R_{i}(\vec{s}') \land (\exists \vec{x}. \prod (s_{i}' \equiv \delta_{i}(\vec{x}, \vec{s})))) \end{split}$$



101

#### Reachability Analysis

```
ForwardReachability( Transition Relation T, Initial State I )
    i := 0
    R^i := I
    repeat
         R_{new} = Image(R^i, T);
         i := i + 1
         R^{i} := R^{i-1} \vee R_{new}
    until R^i = R^{i-1}
    return Ri
```

- ☐ The procedures can be realized using BDD package.
- Backward reachability analysis can be done in a similar manner with preimage computation and starting from final states to see if they can be reached from initial states.

102

# Sequential Equivalence Checking

□ Let R(s) be the characteristic function of the reachable state set of the product FSM  $M_{1\times2}$  obtained from forward reachability analysis. Then FSMs M₁ and M₂ are equivalent if and only if

$$R(s) \rightarrow (\lambda_{1\times 2}(x,s)\equiv 0)$$

is valid for all valuations on input variables x and state variables s.

■ This can be checked in constant time for BDD

# Sequential Equivalence Checking

Example

Are M1 and M2 equivalent ?









# Sequential Equivalence Checking

- ■Example (cont'd)
  - Product FSM of M1 and M2



# Sequential Equivalence Checking



# Sequential Equivalence Checking

- Example (cont'd)
  - Backward reachability analysis  $PreImg(C,T) = \exists \vec{x}, \vec{s} ' T(\vec{x}, \vec{s}, \vec{s}') \land C(\vec{s}')$





# Remarks on Sequential EC

- □ Industrial equivalence checkers almost exclusively use an combinational EC paradigm even for sequential EC
  - Sequential EC is too complex and can only be applied to design with a few hundred state bits
  - Structure similarity should be identified to simplify sequential EC
- Besides sequential equivalence checking, reachability analysis is useful in sequential circuit optimization
  - In sequential optimization, unreachable states can be used as sequential don't cares to optimize a sequential circuit

107

#### Outline

- Introduction
- Boolean reasoning engines
- Equivalence checking
- Property checking
  - Safety property checking

# Model Checking

□A specific model-checking problem is defined by



"satisfies", "implements", "refines" (satisfaction relation)

109 110

# Model Checking

- $\square$  M  $|= \varphi$ 
  - Check if system model M satisfies a system property o
  - System model M is described with a state transition system
    - ☐ finite state or infinite state
  - Temporal property φ can be described with three orthogonal choices:
    - 1.operational vs. declarative: automata vs. logic
    - 2.may vs. must: branching vs. linear time
    - 3.prohibiting bad vs. desiring good behavior: safety vs.

Different choices lead to different model checking problems.

111

# Property Checking

- Safety property: Something "bad" will never happen
  - Safety property violation always has a finite witness
    - if something bad happens on an infinite run, then it happens already on some finite prefix
  - Example
    - Two processes cannot be in their critical sections simultaneously

- Liveness property: Something "good" will eventually happen
  - Liveness property violation never has a finite witness
    - no matter what happens along a finite run, something good could still happen later
  - Example
    - Whenever process P1 wants to enter the critical section, provided process P2 never stays in the critical section forever, P1 gets to enter eventually

112

For finite state systems, liveness can be converted to safety!

# Safety Property Checking

- □ Safety property checking can be formulated as a reachability problem
  - Are bad states reachable from good states?
- □ Sequential equivalence checking can be considered as one kind of safety property checking
  - M: product machine
  - lacksquare  $\phi$  : all states reachable from initial states has output 0

#### Model Checking

- Data structure evolution
  - State graph (late 70s-80s)
    - □Problem size ~10<sup>4</sup> states
  - BDD (late 80s-90s)
    - □Problem size ~10<sup>20</sup> states
    - ■Critical resource: memory
  - SAT (late 90s-)
    - □GRASP, SATO, chaff, berkmin
    - □Problem size ~10<sup>100</sup> (?) states
    - □Critical resource: CPU time

113

#### Remarks on Model Checking

- Model checking is a very rich subject developed since early 1980's
- ■It is a variation of mathematical logic and is concerned with automatic temporal reasoning
- □ ReferenceM. Clarke, O. Grumberg, and D. Peled.Model Checking. MIT Press, 1999.