

## Data Type Conversion



41

## Formula to BDD



42

## Netlist to BDD



43

## Netlist to BDD

### Example



Topological order:  $\{x_1, x_2, x_3, z_1, z_2\}$   
 variable order:  $x_1 < x_2 < x_3$

$OBDD(z_2) = OBDD(x_3) \cdot OBDD(z_1)$



44

## BDD to Netlist

- MUX-based translation
  - replace each decision node by a MUX
  - replace 0-terminal by GND, and 1-terminal by VDD
  - reverse the direction of every edge
  - specify the root node as the output node



45

## BDD Features

- Strengths
  - ROBDD is a **compact representation** for many Boolean functions
  - ROBDD is **canonical**, given a fixed variable ordering
  - Many Boolean operations are of **polynomial time complexity** in the input BDD sizes

### Weaknesses

- In the worst case, the size of a BDD is  $O(2^n)$  for  $n$ -input Boolean functions

46

## BDD Applications

- Boolean function verification
  - Compare a specification  $f$  to an implementation  $g$ , assuming their ROBDDs are  $F$  and  $G$ , respectively.
    - For fully specified functions  $f$  and  $g$ , the verification is trivial (pointer comparison) because of the **strong canonicity** of the ROBDD
      - Strong canonicity: the representations of identical functions are the same
    - For an incompletely specified function  $I = (f, d, \neg(f+d))$  with onset  $f$ , dc-set  $d$ , and offset  $\neg(f+d)$ . A completely specified function  $g$  correctly implements  $I$  if  $(d + f \cdot g + \neg f \cdot \neg g)$  is a **tautology**, that is,  $f \Rightarrow g \Rightarrow (f+d)$

- Satisfiability checking
  - A Boolean function  $f$  is **satisfiable** if there exists an input assignment for which  $f$  evaluates to '1'
  - Any Boolean function whose ROBDD is not equal to '0' is satisfiable

47

## BDD Applications

- Min-cost satisfiability
  - Suppose that choosing a Boolean variable  $x_i$  to be '1' costs  $c_i$ . Then, the **minimum-cost satisfiability** problem asks to minimize:  $\sum_i c_i \cdot u_i(x_i)$  where  $u_i(x_i) = 1$  when  $x_i = '1'$  and  $u_i(x_i) = 0$  when  $x_i = '0'$ .
  - Solving minimum-cost satisfiability amounts to computing the shortest path in an ROBDD with weights:  $w(v, \eta(v)) = c_i$ ,  $w(v, \lambda(v)) = 0$ , variable  $x_i = \phi(v)$ , which can be solved in linear time
- Combinatorial optimization
  - Many combinatorial optimization problems can also be formulated in terms of the satisfiability problem
  - **0-1 integer linear programming** can be formulated as a minimum-cost satisfiability problem although the translation may not be efficient
    - E.g., the constraint:  $x_1 + x_2 + x_3 + x_4 = 3$  can be written as  $(x_1 + x_2)(x_1 + x_3)(x_1 + x_4)(x_2 + x_3)(x_2 + x_4)(x_3 + x_4)(\neg x_1 + \neg x_2 + \neg x_3 + \neg x_4)$

48

## Outline

### ■ Introduction

### ■ Boolean reasoning engines

- BDD
- SAT

### ■ Equivalence checking

### ■ Property checking

49

## SAT Solving

- SAT problem: Given a Boolean formula  $\varphi$  in CNF, find an input assignment such that  $\varphi$  evaluates to true

- SAT solving is a decision procedure over CNFs

### Example

$\varphi = (a+b'+c)(a'+b+c)(a+b'+c')(a+b+c)$   
is SAT (e.g. under  $a=1, b=1, c=0$ )

- SAT in CNF (POS)  $\Leftrightarrow$  Tautology in DNF (SOP)

- How about Tautology in CNF and SAT in DNF?

50

## SAT Solving

- Given a circuit, suppose we would like to know if some signal is always zero. This can be formulated as a SAT problem if we can convert the circuit to an CNF.



51

## Circuit to CNF

- Naive conversion of circuit to CNF:
  - Multiply out expressions of circuit until two level structure
  - Example:  $y = x_1 \oplus x_2 \oplus x_2 \oplus \dots \oplus x_n$  (Parity function)
    - circuit size is linear in the number of variables



- generated chess-board Karnaugh map
  - CNF (or DNF) formula has  $2^{n-1}$  terms (exponential in #vars)

- Better approach:

- Introduce one variable per circuit vertex
  - Formulate the circuit as a conjunction of constraints imposed on the vertex values by the gates
  - Uses more variables but size of formula is linear in the size of the circuit

52

## Circuit to CNF

### Example

#### Single gate:



#### Circuit of connected gates:



53

## Circuit to CNF

### Circuit to CNF conversion

can be done in linear size (with respect to the circuit size) if intermediate variables can be introduced

may grow exponentially in size if no intermediate variables are allowed

54

## DPLL-Style SAT Solving

SAT(clause set  $S$ , literal  $v$ )

1.  $S := S_v$  //cofactor each clause of  $S$  w.r.t.  $v$
2. If no clauses in  $S$ , return  $T$
3. If a clause in  $S$  is empty (FALSE), return  $F$
4. If  $S$  has a unit clause with literal  $u$ , then return  $SAT(S, u)$  //implication
5. Choose a variable  $x$  with value not yet assigned
6. If  $SAT(S, x)$ , return  $T$
7. If  $SAT(S, \neg x)$ , return  $T$
8. Return  $F$

55

## SAT Solving with Case Splitting

### Example

|   |                              |
|---|------------------------------|
| 1 | $(a + b + c)$                |
| 2 | $(a + b + \neg c)$           |
| 3 | $(\neg a + b + \neg c)$      |
| 4 | $(a + c + d)$                |
| 5 | $(\neg a + c + d)$           |
| 6 | $(\neg a + c + \neg d)$      |
| 7 | $(\neg b + \neg c + \neg d)$ |
| 8 | $(\neg b + \neg c + d)$      |



Source: Karem A. Sakallah, Univ. of Michigan

56

## SAT Solving with Implication

- Implication in a CNF formula are caused by **unit clauses**
  - A unit clause is a clause in which all literals except one are assigned (to be false)
  - The value of the unassigned variable is implied

Example

$$(a + \neg b + c)$$
$$a=0, b=1 \Rightarrow c=1$$

57

## Implications in CNF

- Example


$$a \text{ AND } b \rightarrow c$$
$$(\neg a + \neg b + c) (a + \neg c) (b + \neg c)$$

Implications:  $(\neg a + \neg b + c)$



$(a + \neg c)$



$(b + \neg c)$



58

## SAT Solving with Implication

- Example

|   |                              |
|---|------------------------------|
| 1 | $(a + b + c)$                |
| 2 | $(a + b + \neg c)$           |
| 3 | $(\neg a + b + \neg c)$      |
| 4 | $(a + c + d)$                |
| 5 | $(\neg a + c + d)$           |
| 6 | $(\neg a + c + \neg d)$      |
| 7 | $(\neg b + \neg c + \neg d)$ |
| 8 | $(\neg b + \neg c + d)$      |



Source: Karem A. Sakallah, Univ. of Michigan

59

## SAT Solving with Learning

- Example

|   |                              |
|---|------------------------------|
| 1 | $(a + b + c)$                |
| 2 | $(a + b + \neg c)$           |
| 3 | $(\neg a + b + \neg c)$      |
| 4 | $(a + c + d)$                |
| 5 | $(\neg a + c + d)$           |
| 6 | $(\neg a + c + \neg d)$      |
| 7 | $(\neg b + \neg c + \neg d)$ |
| 8 | $(\neg b + \neg c + d)$      |



Source: Karem A. Sakallah, Univ. of Michigan

60

## Implementation Issues

- ❑ Track sensitivity of clauses for changes (two-literal-watch scheme)
  - clause with all literals but one assigned → implication
  - clause with all literals but two assigned → sensitive to a change of either literal
  - all other clauses are insensitive and need not be observed
- ❑ Learning:
  - learned implications are added to the CNF formula as additional clauses
    - limit the size of the clause
    - limit the “lifetime” of a learned clause, will be removed after some time

61

## Quantification over CNF and DNF

- ❑ Recall a quantified Boolean formula (QBF) is  $Q_1 x_1, Q_2 x_2, \dots, Q_n x_n. \varphi$  where  $Q_i$  is either a existential ( $\exists$ ) or universal quantifier ( $\forall$ ),  $x_i$  is a Boolean variable, and  $\varphi$  is a Boolean formula.
- ❑ Existential (respectively universal) quantification over DNF (respectively CNF) is easy
  - One approach to quantifier elimination is by back-and-forth CNF-DNF conversion!
- ❑ Solving QBFs with QBF-solvers

62

## Outline

- ❑ Introduction
- ❑ Boolean reasoning engines
- ❑ Equivalence checking
- ❑ Property checking

63

## Equivalence Checking in Microprocessor Design



64

## Equivalence Checking in ASIC Design



65

## Equivalence Checking

- ❑ Equivalence checking is one of the most important problem in design verification
  - It ensures logic transformation process (e.g. two-level, multi-level logic minimization, retiming and resynthesis, etc.) does not introduce errors
- ❑ Two types of equivalence checking
  - Combinational equivalence checking
    - ❑ Check if two combinational circuits are equivalent
  - Sequential equivalence checking
    - ❑ Check if two sequential circuits are equivalent

66

## Outline

- ❑ Introduction
- ❑ Boolean reasoning engines
- ❑ Equivalence checking
  - Combinational equivalence checking
  - Sequential equivalence checking
- ❑ Property checking

67

## History of Equivalence Checking

- ❑ SAS (IBM 1978 - 1994):
  - standard equivalence checking tool running on mainframes
  - based on the DBA algorithm ("BDDs in time")
  - verified manual cell-based designs against RTL spec
  - handling of entire processor designs
    - ❑ application of "proper cutpoints"
    - ❑ application of synthesis routines to make circuits structurally similar
    - ❑ special hacks for hard problems
- ❑ Verity (IBM 1992 - today):
  - originally developed for switch-level designs
  - today IBM's standard EC tool for any combination of switch-, gate-, and RTL designs

68

## History of Equivalence Checking

- ❑ Chrysalis (1994 - Avanti - now Synopsys):
  - based on ATPG technology and cutpoint exploitation
  - very weak if many cutpoints present
  - did not adopt BDDs for a long time
- ❑ Formality (1997 - Synopsys)
  - multi-engine technology including strong structural matching techniques
- ❑ Verplex (1998 - now Cadence)
  - strong multi-engine based tool
  - heavy SAT-based
  - very fast front-end

69

## Combinational EC

- ❑ Given two combinational circuits  $C_1$  and  $C_2$ , are their outputs equivalent under any possible input assignment?



70

## Miter for Combinational EC

- ❑ Two combinational circuits  $C_1$  and  $C_2$  are equivalent if and only if the output of their "miter" structure always produces constant 0



71

## Approaches to Combinational EC

- ❑ Basic methods:
  - random simulation
    - good at identifying inequivalent signals
  - BDD-based methods
  - structural SAT-based methods



72

## BDD-based Combinational EC

### Procedure

1. Construct the ROBDDs  $F_1$  and  $F_2$  for circuits  $C_1$  and  $C_2$ , respectively
  - Variable orderings of  $F_1$  and  $F_2$  should be the same
2. Let  $G = F_1 \oplus F_2$ . If  $G=0$ ,  $C_1$  and  $C_2$  are equivalent; otherwise, they are inequivalent
  - No false negative or false positive
    - False negative: circuits are equivalent; however, verifier fails to tell
    - False positive: circuits are inequivalent; however, verifier says otherwise

73

## SAT-based Combinational EC

### Procedure

1. Convert the miter structure into a CNF
2. Perform SAT solving to verify if the output variable cannot be valued to true under every input assignment (i.e. UNSAT)

74

## Combinational EC

- Pure BDD and plain SAT solving cannot handle all logic cones
  - BDDs can be built for about 80% of the cones of high-speed designs and less for complex ASICs
  - plain SAT blows up in CPU time on a miter structure
- Contemporary method highly exploit **structural similarities** between two circuits to be compared

75

## Combinational EC

- Memory statistics of BDD-based EC on a PowerPC processor design



76

## Combinational EC

- Runtime statistics of BDD-based EC on a PowerPC processor design



77

## Necessity of Structure Similarity

- Pure BDDs are incapable of verifying equivalence of large circuits
  - Even more so for arithmetic circuits (e.g. BDDs blow up in representing multipliers)
- Identifying structure similarity helps simplify verification tasks
  - E.g. structure hashing in AIGs

78

## Combinational EC

- Evidence of vast existence of structure similarities



79

## Structure and Verification

- Structure-independent techniques
  - Exhaustive simulation
  - Decision diagrams
- Structure-dependent techniques
  - Graph hashing
  - SAT based cutpoint identification



80

## Summary

- Combinational EC is considered to be solvable in most industrial circuits (w/ multi-million gates)
  - Computational efforts scale **almost linearly** with the design size
  - Existence of structural similarities
    - Logic transformations preserve similarities to some extent
  - Hybrid engine of BDD, SAT, AIG, simulation, etc.
    - Cutpoint identification
- Unsolved for arithmetic circuits
  - Absence of structural similarities
    - Commutativity ruins internal similarities
  - Word- vs. bit-level verification

81

## Outline

- Introduction
- Boolean reasoning engines
- Equivalence checking
  - Combinational equivalence checking
  - Sequential equivalence checking
- Property checking

82

## Sequential EC

- Given two sequential circuits (and thus FSMs), do they produce the same **output sequence** under any possible **input sequence**?



83

## Miter for Sequential EC

- Two FSMs  $M_1$  and  $M_2$  are equivalent if and only if the output of their **product machine** always produces constant 0



84

## Product Machine

- The product FSM  $M_{1 \times 2}$  of FSMs  $M_1 = (Q_1, I_1, \Sigma, \Omega, \delta_1, \lambda_1)$  and  $M_2 = (Q_2, I_2, \Sigma, \Omega, \delta_2, \lambda_2)$  is a six-tuple  $(Q_{1 \times 2}, I_{1 \times 2}, \Sigma, \Omega, \delta_{1 \times 2}, \lambda_{1 \times 2})$ , where

- State space  $Q_{1 \times 2} = Q_1 \times Q_2$
- Initial state set  $I_{1 \times 2} = I_1 \times I_2$
- Input alphabet  $\Sigma$
- Output alphabet  $\{0, 1\}$
- Transition function  $\delta_{1 \times 2} = (\delta_1, \delta_2)$
- Output function  $\lambda_{1 \times 2} = (\lambda_1 \oplus \lambda_2)$

85

## Sequential EC

- Approaches for combinational EC do not work for sequential EC because two equivalent FSMs need not have the same transition and output functions
  - False negatives may result from applying combinational EC on sequential circuits
- One solution to sequential EC is by **reachability analysis**
  - Two FSMs  $M_1$  and  $M_2$  are equivalent if and only if the output of their product FSM  $M_{1 \times 2}$  is constant 0 under **all input assignments and all reachable states** of  $M_{1 \times 2}$
  - Need to know the set of reachable states of  $M_{1 \times 2}$

86

## Reachability Analysis

- Given an FSM  $M = (Q, I, \Sigma, \Omega, \delta, \lambda)$ , which states are reachable from the initial state set  $I$ ?



87

## Symbolic Reachability Analysis

- Reachability analysis can be performed either **explicitly** (over a state transition graph) or **implicitly** (over transition functions or a transition relation)
  - Implicit reachability analysis is also called symbolic reachability analysis (often using BDDs and more recently SAT)
- **Image computation** is the core computation in symbolic reachability analysis

88

## Reachability Onion Ring



89

## Computing Reachable States

- **Input:** Sequential system represented by a **transition relation** and an initial state (or a set of initial states)
  - Transition functions can be converted into a transition relation
- **Computation:** **Image computation** using Boolean operations on characteristic functions (representing state sets)
- **Output:** A characteristic function representing the set of reachable states

90

## Relation

- **Definition.** Relation  $R \subseteq X \times Y$  is a subset of the Cartesian product of two sets  $X$  and  $Y$ . If  $(x, y) \in R$ , then we alternatively write " $x R y$ " meaning  $x$  is related to  $y$  by  $R$ .



Courtesy of A. Mishchenko

| $x_1$ | $x_2$ | $x_3$ | $y_1$ | $y_2$ |              |
|-------|-------|-------|-------|-------|--------------|
| 0     | 0     | 0     | 0     | 0     |              |
| 0     | 0     | 1     | 0     | 1     |              |
| 0     | 1     | 0     | 0     | 1     |              |
| 0     | 1     | 1     | 0     | 1     |              |
| 1     | 0     | 0     | 0     | 0     |              |
| 1     | 0     | 1     | 0     | 1     |              |
| 1     | 1     | 0     | 1     | 1     |              |
| 1     | 1     | 1     | 1     | 1     |              |
|       |       |       |       |       | <b>other</b> |
|       |       |       |       |       | <b>0</b>     |

91

## Characteristic Function

- Relation  $R \subseteq X \times Y$  can be represented by a **characteristic function**: a Boolean function  $F_R(x, y)$  taking value 1 for those  $(x, y) \in R$  and 0 otherwise.

| $x_1$ | $x_2$ | $x_3$ | $y_1$ | $y_2$ | $F$      |
|-------|-------|-------|-------|-------|----------|
| 0     | 0     | 0     | 0     | 0     | <b>1</b> |
| 0     | 0     | 1     | 0     | 1     | <b>1</b> |
| 0     | 1     | 0     | 0     | 1     | <b>1</b> |
| 0     | 1     | 1     | 0     | 1     | <b>1</b> |
| 1     | 0     | 0     | 0     | 0     | <b>1</b> |
| 1     | 0     | 1     | 0     | 1     | <b>1</b> |
| 1     | 1     | 0     | 1     | 1     | <b>1</b> |
| 1     | 1     | 1     | 1     | 1     | <b>1</b> |
|       |       |       |       |       | <b>0</b> |
|       |       |       |       |       | <b>0</b> |

Courtesy of A. Mishchenko



92

## Transition Relation

- Definition. A **transition relation**  $T$  of an FSM  $M = (Q, I, \Sigma, \Omega, \delta, \lambda)$  is a relation  $T \subseteq (\Sigma \times Q) \times Q$  such that  $T(\sigma, q_1, q_2) = 1$  iff there is a transition from  $q_1$  to  $q_2$  under input  $\sigma$ .
  - $\delta: (\Sigma \times Q) \rightarrow Q$
  - $T: (\Sigma \times Q) \times Q \rightarrow \{0,1\}$

Assume  $\delta = (\delta_1, \dots, \delta_k)$ . Then

$$\begin{aligned} T(\bar{x}, \bar{s}, \bar{s}') &= (s_1' \equiv \delta_1(\bar{x}, \bar{s})) \wedge (s_2' \equiv \delta_2(\bar{x}, \bar{s})) \wedge \dots \wedge (s_k' \equiv \delta_k(\bar{x}, \bar{s})) \\ &= \prod_i (s_i' \equiv \delta_i(\bar{x}, \bar{s})) \end{aligned}$$

where  $x, s, s'$  are primary-input, current-state, and next-state variables, respectively.

93

## Transition Relation

- Example



| x     | CS | $s_1 s_2$ | NS | $s_1' s_2'$ | T |
|-------|----|-----------|----|-------------|---|
| 0     | A  | 00        | B  | 10          | 1 |
| 0,1   | A  | 00        | A  | 00          | 1 |
| 0     | B  | 10        | B  | 10          | 1 |
| 1     | B  | 10        | A  | 00          | 1 |
| 0     | C  | 01        | B  | 10          | 1 |
| 1     | C  | 01        | A  | 00          | 1 |
| other |    |           |    |             | 0 |

Courtesy of A. Mishchenko

95

## Quantified Transition Relation

- Definition

Let  $M = (Q, I, \Sigma, \Omega, \delta, \lambda)$  be an FSM

- Quantified transition relation  $T_{\exists}$

$$\begin{aligned} T_{\exists}(\bar{s}, \bar{s}') &= \exists \bar{x}. (s_1' \equiv \delta_1(\bar{x}, \bar{s})) \wedge (s_2' \equiv \delta_2(\bar{x}, \bar{s})) \wedge \dots \wedge (s_k' \equiv \delta_k(\bar{x}, \bar{s})) \\ &= \exists \bar{x}. \prod_i (s_i' \equiv \delta_i(\bar{x}, \bar{s})) \end{aligned}$$

$(p, q) \in T_{\exists}$  if there exists an input assignment bringing the M from state  $p$  to state  $q$

only concerns about the **reachability** of the FSM's transition graph

94

## Transition Relation

- Example



Courtesy of A. Mishchenko

96

## Image Computation

- Given a mapping of one Boolean space (**input space**) into another Boolean space (**output space**)
  - For a set of minterms (**care set**) in the input space
    - The **image** is the set of related minterms from the output space
  - For a set of minterms in the output space
    - The **pre-image** is the set of related minterms in the input space



Courtesy of A. Mishchenko

97

## Image Computation

- Example



Courtesy of A. Mishchenko



98

## Image Computation

- $\text{Image}(C(x), T(x, y)) = \exists x [C(x) \wedge T(x, y)]$
- Implicit methods by far outperform explicit ones
  - Successfully computing images with more than  $2^{100}$  minterms in the input/output spaces
- Operations  $\wedge$  and  $\exists$  are basic Boolean manipulations are implemented using BDDs
- To avoid large intermediate results (during and after the product computation), operation **AND-EXIST** is used, which performs product and quantification in one pass over the BDD

99

## Symbolic Image Computation

- Definition.** Let  $F: B^m \times B^n$  be a projection and  $C$  be a set of minterms in  $B^m$ . Then the **image** of  $C$  is the set  $\text{Img}(C, F) = \{ w \in B^n \mid (v, w) \in F \text{ and } v \in C \}$  in  $B^n$ .

- Characteristic function
  - for reachable next-state computation

$$\begin{aligned}
 N_i(\bar{s}') &= \text{Img}(R_i(\bar{s}), T_{\exists}(\bar{s}, \bar{s}')) \\
 &= \exists \bar{s}. (R_i(\bar{s}) \wedge T_{\exists}(\bar{s}, \bar{s}')) \\
 &= \exists \bar{s}. (R_i(\bar{s}) \wedge (\exists \bar{x}. \prod_i (s_i' = \delta_i(\bar{x}, \bar{s}))))
 \end{aligned}$$



100