ieee transactions on computer-aideddesign of ......2 ieee transactions on computer-aideddesign of...

IEEETRANSACTIONSON COMPUTER-AIDEDDESIGNOF INTEGRATED CIRCUITSAND SYSTEMS,VOL. XX, NO. Y, MONTH 2002 1

RobustBooleanReasoningfor EquivalenceCheckingandFunctionalPropertyVerification

AndreasKuehlmann,SeniorMember, IEEE, VireshParuthi, FlorianKrohm,andMalayK. Ganai,Member, IEEE

Abstract— Many tasks in CAD, such as equivalencechecking,property checking,logic synthesis,and falsepathsanalysisrequireefficient Boolean reasoningfor problems derived fr om circuits.Traditionally , canonicalrepresentations,e.g., BDDs,or structuralSAT methods,are usedto solve differ ent problem instances.Eachof thesetechniquesoffer specificstrengthsthat makethemefficientfor particular problem structur es. However, neither structuraltechniquesbasedon SAT, nor functional methodsusing BDDs of-fer an overall robust reasoningmechanismthat works reliably fora broad set of applications. In this paper we presenta combina-tion of techniquesfor Boolean reasoningbasedon BDDs, struc-tural transformations, a SAT procedure, and random simulationnatively working on a shared graph representationof the prob-lem. The describedintertwined integration of the four techniquesresultsin a powerful summationof their orthogonal strengths.Thepresentedreasoningtechnique was mainly developed for formalequivalencecheckingand property verification but can equally beusedin other CAD applications. Our experimentsdemonstratetheeffectivenessof the approachfor a broadsetof applications.

Index Terms— Boolean reasoning,BDD, SAT, formal verifica-tion, equivalencechecking,property checking.

I . INTRODUCTION

M ANY tasks in computer-aideddesignsuch as equiva-lenceor propertychecking,logic synthesis,timing anal-

ysis,andautomatictest-patterngenerationrequireBooleanrea-soningon problemsderivedfrom circuit structures.Therearetwo main approachesusedalternatively for suchapplications.First, by converting the problem into a functionally canoni-cal form suchas Binary DecisionDiagrams(BDDs), the so-lution can be obtainedfrom the resultingdiagram. Second,structuralsatisfiability(SAT) proceduresperforma systematicsearchfor a consistentassignmenton the circuit representa-tion. The searcheither encountersa solution or, if all caseshave beenenumerated,concludesthatno solutionexists. Bothapproachesgenerallysuffer from exponentialworst-casecom-plexity. However, they have distinctstrengthsandweaknesseswhich make them applicableto different classesof practicalproblems. A monolithic integration of SAT and BDD-basedtechniquescouldcombinetheir individual strengthsandresult

Manuscriptreceived Month xx, 2001; revisedMonth xx, 2001. This paperwasrecommendedby AssociateEditor NameName.

A. Kuehlmannis with theCadenceBerkeley Labs,Berkeley, CA 94704,USA(e-mail: [email protected]).

V. Paruthiiswith theIBM EnterpriseSystemsGroupAustin,TX 78758,USA(e-mail: [email protected]).

F. Krohm is with theIBM MicroelectronicDivision Hopewell Junction,NY12533,USA (e-mail: [email protected]).

M. K. Ganaiis with theNECC&C ResearchLabsPrinceton,NJ08540,USA(e-mail: [email protected]).

in a powerful solution for a wider rangeof applications.Ad-ditionally, by includingrandomsimulationits efficiency canbefurtherimprovedfor problemswith many satisfyingsolutions.

A largefractionof practicalproblemsderivedfrom theabovementionedapplicationshave a high degree of structural re-dundancy. Thereare threemain sourcesfor this redundancy:First, theprimarynetlistproducedfrom aregistertransferlevel(RTL) specificationcontainsredundanciesgeneratedby lan-guageparsingandprocessing.For example,in industrialde-signs,between30and50%of generatednetlistgatesareredun-dant[1]. A secondsourceof structuralredundancy is inherentto theactualproblemformulation. For example,a miter struc-ture [2], built for equivalencechecking,is globally redundant.It alsocontainsmany local redundanciesin termsof identicalsubstructuresusedin both designsto be compared. A thirdsourceof structuralredundancy originatesfrom repeatedin-vocationsof Booleanreasoningon similar problemsderivedfrom overlappingpartsof thedesign.For example,theindivid-ual pathscheckedduring falsepathsanalysisarecomposedofsharedsub-pathswhich get repeatedlyincludedin subsequentchecks.Similarly, a combinationalequivalencecheckof largedesignsis decomposedinto aseriesof individualchecksof out-put andnext-statefunctionswhich often sharea large part oftheir structure.An approachthat detectsandreusesstructuralandlocal functionalredundanciesduringproblemconstructioncouldsignificantlyreducetheoverheadof repeatedprocessingof identicalstructures.Further, a tight integrationwith theac-tual reasoningprocesscanincreaseits performanceby provid-ing amechanismto efficiently handlelocaldecisions.

In this paperwe presentan incrementalBooleanreasoningapproachthatintegratesstructuralcircuit transformation,BDDsweeping[3], a circuit-basedSAT procedure,andrandomsim-ulationin oneframework. All four techniqueswork onasharedAND/INVERTER graph[3] representationof theproblem.BDDsweepingandSAT searchareappliedin anintertwinedmannerbothcontrolledby resourcelimits thatareincreasedduringeachiteration[4]. BDD sweepingincrementallysimplifiesthegraphstructure,whicheffectively reducesthesearchspaceof theSATsolveruntil theproblemcanbesolved.Thesetof circuit trans-formationsget invokedwhenthe sweepingcausesa structuralchange,potentiallysolving the problemor further simplifyingthegraphfor theSAT search.Furthermore,randomsimulationcanefficiently handleproblemswith densesolutionspaces.

This paperis structuredas follows. SectionII summarizespreviouswork in theareaandcontrastsit to our contributions.SectionIII presentsthe AND/INVERTER graphrepresentation,which is sharedamongall reasoningmechanismsandoutlines

2 IEEE TRANSACTIONSON COMPUTER-AIDEDDESIGNOF INTEGRATED CIRCUITSAND SYSTEMS,VOL. XX, NO. Y, MONTH 2002

the set of transformationsthat are applied for its simplifica-tion. SectionIV presentsthe BDD sweepingalgorithm andSectionV outlinesthe detailsof the circuit-basedSAT proce-dure. The randomsimulationalgorithmandoverall reasoningflow aredescribedin sectionsVI andVIII, respectively. Thelasttwo sectionspresentexperimentalresultsandconclusions.

I I . PREVIOUS WORK

SAT searchhasbeenextensively researchedin multiplecom-munities. Many of the publishedapproachesarebasedon theDavis-Putnamprocedure[5], [6], which executesa system-atic casesplit to exhaustively searchthe solutionspace.Overthe years,many searchtacticsimprovementshave beenpub-lished. Themostnotableimplementationsof CNF-basedSATsolvers are GRASP[7] and Chaff [8]. ClassicalCNF-basedSAT solversaredifficult to integratewith BDD methodsanddynamicallyappliedcircuit transformationsbecausethey useaclause-basedrepresentationof the problem. In this paperwedescribean implementationof a SAT procedurethatworksdi-rectlyonanAND/INVERTER graphallowing a tight interactionwith BDD sweeping,local circuit graphtransformations,andrandomsimulation. We describea modified implementationof non-chronologicalbacktrackingandconflict-basedlearningandpresentanefficientmeansto staticallylearnimplications.

Tradingoff compactnessof Booleanfunctionrepresentationswith canonicityfor efficient reasoningin CAD applicationshasbeenthe subjectof many publications. BDDs [9], [10] mapBoolean functions onto canonicalgraph representationsandthusareoneextremeof thespectrum.Decidingwhetherafunc-tion is a tautologycanbedonein constanttime,at thepossibleexpenseof an exponentialgraphsize. XBDDs [11] proposeto divert from the strict functionalcanonicityby addingfunc-tion nodesto the graph. The nodefunction is controlledbyan attribute on the referencingarc andcanrepresentan AND

or OR operation.Similar to BDDs, thefunctionalcomplementis expressedby a secondarc attribute and structuralhashingidentifiesisomorphicsubgraphson the fly. The proposedtau-tology check is similar to a techniquepresentedin [12] andis basedon recursive inspectionof all cofactors.This schemeeffectively checksthecorrespondingBDD branchingstructuresequentially, resultingin exponentialruntimefor problemsforwhich BDDsareexcessively large.

Anotherform of a non-canonicalfunctiongraphrepresenta-tion are BEDs [13]. BEDs usea circuit graphwith six pos-sible vertex operations. The innovative componentof BEDsis theapplicationof local functionalhashing,which mapsanyfour-input sub-structureonto a canonicalrepresentation.Tau-tology checkingis basedon convertingtheBED structureintoaBDD by moving thevariablesfrom thebottomof thediagramto the top. Similar to many purecutpoint-basedmethods,thisapproachis highly sensitive to the orderingin which the vari-ablesarepushedup. In our approach,we apply an extendedfunctionalhashingschemeto anAND/INVERTER graphrepre-sentation.Sinceour graphpreservesthe AND clustering,thehashingcantake advantageof its commutativity which makesit lesssensitive to the order in which the structureis built. Ifthestructuralmethodfails,weapplyBDD sweepingonthecir-cuit graphfor checkingtautology. Dueto themultiple frontier

approachdescribedlater, it is significantlymorerobustthantheBED to BDD conversionprocess.

Thereareanumerouspublicationsproposingtheapplicationof multiple methodsto solve difficult reasoninginstances.Forexample,in [14] and[3] the authorspresenteda randomsim-ulation algorithmandthe earliermentionedmethodbasedonstructuralhashingandBDDs, respectively, andsuggestedtheirapplicationin a multi-enginesetting. In [15] a comprehensivefilter-basedapproachis describedthatsuccessively appliesmul-tiple enginesincluding structuraldecomposition,BDDs, andATPGto solve combinationalequivalencecheckingproblems.All thesetechniqueshave in commonthat they applymultiple,specializedtechniquesin a sequential,independentmanner. Incontrast,the presentedapproachtighly intertwinesthe useofstructuralmethods,BDD-basedtechniques,anda SAT searchandappliesthemon a singleuniform datarepresentation.Theproposedsettingallows an automaticadaptationof the com-binedalgorithmto matcha givenproblemstructurethatresultsin a significantincreasein theoverall reasoningpower.

Several publicationshave suggestedan integration of SATand BDD techniquesfor Booleanreasoning. Cutpoint-basedequivalencecheckingusesa spatialproblempartitioning andcan be employed as a baseto apply SAT and BDDs in dis-tinct partsof the miter structure. A particularapproach[16]first builds a partialoutputBDD startingfrom thecutsetwhereauxiliary variablesare introduced. It thenenumeratesthe on-setcubesof this BDD andappliesa SAT searchfor justifyingthosecubesfrom the primary inputs. This methodbecomesintractableif the BDD includesmany cubesin its onset. Fur-ther, theactualjustificationof individual cubesmaytimeoutifthecutsetis chosenunwisely. A modificationof this approachsuggeststo searchthroughall co-factorsof theBDD insteadofenumeratingall cubes[17]. Anotherproposalto combineBDDandSAT is basedon partitioningthecircuit structureinto a setof components[18]. As mostcutpoint-basedmethods,all theseapproachesarehighly sensitive to thechosenpartitioning.

A common problem with the mentionedintegration ap-proachesis theinsertionof BDD operationsinto theinnerloopof astructuralSAT search.StructuralSAT is efficient if theun-derlyingproblemstructurecanbe exploited for effective localsearchheuristics.BDDs work well if redundancy of theprob-lem structureeludesan exponentialgrowth during construc-tion. A spatialpartitioningof the applicationspacefor BDDsandSAT blurs their individual global scopeandseparatestheapplicationof their orthogonalstrengthsto differentparts. Inthis paperwe applyBDD sweepingandstructuralSAT search,both working in an interleaved manneron the entireproblemrepresentation.This keepsboth mechanismsfocusedon theglobalstructurewithout beingconstrainedby anarbitrarypre-partitioning. In this setting,BDD sweepingincrementallyre-ducesthe searchspacefor theSAT solver until theproblemissolvedor theresourcelimits areexhausted.Structuraltransfor-mationsareusedto facilitatelocaldecisions.

I I I . PROBLEM REPRESENTATION AND STRUCTURAL

TRANSFORMATIONS

In this sectionwe describethebasicAND/INVERTER graphrepresentationthatis employedasunderlyingdatastructurefor

KUEHLMANN ETAL.: BOOLEAN REASONINGFORFORMAL EQUIVALENCE CHECKING AND FUNCTIONAL PROPERTY VERIFICATION 3

all Booleanreasoningalgorithmsdescribedin the followingsections.We alsopresentseveralhashingschemesthatremovestructuralandlocal functionalredundanciesduringgraphcon-struction.

A. AND/INVERTER Graph Representation and StructuralHashing

A directedacyclic graphis usedasastructuralrepresentationof thefunctionsto bereasonedabout.Therearethreetypesofgraphvertices:A uniqueterminalvertex representstheconstant“0” (“1”) valuewhenit is referencedby a non-complemented(complemented)arc. A secondtypeof vertex hasno incomingarcsandmodelsprimary inputs. Thethird vertex typehastwoincomingarcsandrepresentsthe AND of the vertex functionsreferencedby the two arcs. INVERTER attributeson thegrapharcsindicateBooleancomplementation.Usingthis graphrep-resentation,a reasoningproblemis expressedasan obligationto proveaparticulargraphvertex to beconstant“0” or “1”.

Similar to the constructionof BDDs, the AND/INVERTER

graphis built from the inputs toward the outputsusing a setof constructionoperators.Thereare threebasicconstructors:(1) create_input , (2) create_and2, and(3) create_inverter.Otheroperatorsfor alternativeor morecomplex operationsarecomposedof thesebasicconstructors.Intermediatefunctionsarepassedbetweenconstructorsby archandles,which consistof a referenceto the sourcevertex anda possibleINVERTER

attribute.Thesamehandlesareappliedby thereasoningappli-cationto referto functionsthatarestoredby thegraph.

Algorithm create_and2(�� ) �/* constant folding */if (�� == CONST_0) return CONST_0;if (�� == CONST_0) return CONST_0;if (�� == CONST_1) return �� ;if (�� == CONST_1) return �� ;if (� � == � � ) return � � ;if (�� == �� ) return CONST_0;

/* rank order inputs to catch commutativity */if (rank(�� ) > rank(�� )) swap(�� );/* check for isomorphic entry in hash table */if ((� = hash_lookup(�� )) == NULL)� = new_and_vertex(� � �� );return � ;�

Fig. 1. Algorithm create_and2 for theAND constructor.

The implementation of the construction operationcreate_input is straight forward. It allocatesand initial-izesa correspondingvertex datastructureandreturnsa handlepointingto it. Similarly, theoperationcreate_inverter simplytogglesthe attribute of the handle. Fig. 1 shows the pseudo-codefor the operationcreate_and2. Thealgorithmtakestwoarc handlesasinput parametersandreturnsan arc handlethatrepresentsthe outputof the AND operation. In the code,thesymbol“ � ” denotesBooleancomplementionusingthe proce-durecreate_inverter. Thefirst partof thealgorithmperformsconstantfolding, which automaticallysimplifiesredundantandtrivial expressionsin the graphstructure.Next a hash-lookupidentifiesisomorphicgraphstructuresandeliminatesthemdur-ing construction.For this the procedurehash_lookup checks

whetheranAND vertex with therequestedinput arcshasbeencreatedbefore.If foundtheexistingvertex is reused,otherwisea new vertex is createdusing the function new_and_vertex.Beforeapplyingthe hash-lookupthe two operators�� and ��areorderedusinga uniquerankingcriteria. This assuresthatcommutative expressions,such as �� and �� , aremergedontothesamegraphvertex.

Algorithm new_and_vertex(�� ) �/* reschedule vertex for BDD sweeping */put_on_heap(bdd_fr om_vertex(�� ), � � �"!$# _ %'&�( ! _ )*&�+,&�- );put_on_heap(bdd_fr om_vertex(� � ), � � �"!$# _ %'&�( ! _ )*&�+,&�- );/* learn implication shortcuts for SAT */if (hash_lookup( � � ,� � )) learn(� � �� );if (hash_lookup(�� , �� )) learn(��.�� );� = alloc_vertex(� � �� );add_to_hash_table(�� );return � ;�

Fig. 2. Algorithm new_and_vertex for allocatinganew graphvertex, includ-ing restartingof BDD sweeping(SectionIV) andstaticlearning(SectionV).

Thealgorithmnew_and_vertex is shown in Fig.2. It is usedto allocateanew graphvertex andaddacorrespondingentrytothehashtable.This procedurealsohandlesthere-activationofthe BDD sweepingalgorithmandstatic learningasdescribedin sectionsIV andV, respectively.

Theconstructionof the AND/INVERTER graphfor a simpleexampleis illustratedin Fig. 3. Part (a) representsa circuitbuilt for proving equivalenceof nets / and 0 , which arefunc-tionally identicalbut havedifferentstructuralimplementations.Functionallyequivalentnetsare labeledusing identical num-berswith oneor moreapostrophes.Fig. 3(b) shows theresultof the graphconstructionusingthe algorithmcreate_and2 ofFig. 1. The verticesof the graphsrepresentAND functionsand the filled dots on the arcs symbolizethe INVERTER at-tributes.Notethatin severalcasesstructurallyisomorphicnetsare mappedonto the samegraphvertices. For example, thefunctions 13254 (net 6 of the uppercircuit) and 17� 4 (net 698 8of thelowercircuit) areidentifiedasstructurallyequivalentandrepresentedby a singlevertex.

B. FunctionalHashing

The simple two-level hashing scheme of algorithmcreate_and2 can eliminate structurally isomorphic graphverticesbut cannothandlefunctionally identical verticesthatare implementedby different structures. For example, theequivalenceof vertices/ and 0 of the circuit in Fig. 3 cannotbe shown by simple hashing. In this sectionwe presentageneralizedhashingschemethat identifies functionally iden-tical subcircuitsof boundedsize independentof their actualstructuralimplementation.

A natural way to increasethe scopeof structuralhashingwouldbeto divert from thetwo-inputgraphmodelandusever-ticeswith higher fanin degree. The set of possiblefunctionsof a vertex with morethantwo inputscannotbeencodedeffi-ciently usinguniform vertex operationsandarcattributesonly.Insteadthevertex functionshouldberepresentedby anattributewhich is hashedin conjunctionwith theinput referencesto find


7’

3

67

5’

4’

4

2

1’

1’’

5

1

cd

y

x

84’’

9

10

1’’’

ba

(a)

b

a

c

d

1

4

2

56

3

5’7’

7x

y

810

1’’’9

(b)

b

a

c

d

x

y

3

5

11

7’

7

(c)

b

a

c

d2

4

6

7

1 10

8

95

y

x

3

(d)

Fig. 3. Examplefor the constructionof an AND/INVERTER graph: (a) afunctionally redundantstructuregeneratedto checkfunctionalequivalenceofoutputs: and ; , (b) correspondingtwo-input AND/INVERTER graphbuilt byalgorithmcreate_and2of Fig. 1, (c) alternative graphrepresentationwith four-input vertices,(d) resultingtwo-inputgraphafter functionalhashingusingthealgorithmcreate_and of Fig. 4.

structurallyidenticalcircuit parts.Sincethenumberof possiblevertex functionsgrowsexponentially, this methodis only prac-tical for verticeswith up to four inputs.For thecircuit exampleof Fig. 3(a),part (c) shows the graphmodelbasedon verticeswith a maximumfanin degreeof four. Note that this methodcanidentify theequivalenceof thenetpair <>=�?�="8�@ but still failsto show thesamefor pair <BA?�A"8�@ , andthereforefor / and 0 .

A morecomprehensiveapproachdenotedasfunctionalhash-ing [1] is basedon thepresentedtwo-inputgraphandanexten-sionof thestructuralanalysisthatincludesthetwo graphlevelsprecedinga vertex. As a result the granularityof identifyingfunctionally identicalverticesis comparableto the granularityof the hashingtechniquebasedon four-input vertices. More-over, by applyingthismethodonall intermediateverticesin anoverlappingmanner, this approachcan take advantageof ad-ditional structuralsimilaritiesthatotherwiseremaininternaltofour-inputvertices.

Algorithm create_and(�� ) �/* constant folding */if (� � == CONST_0) return CONST_0;if (�� == CONST_0) return CONST_0;if (�� == CONST_1) return �� ;if (�� == CONST_1) return �� ;if (�� == �� ) return �� ;if (� � == � � ) return CONST_0;

/* rank order inputs */if (rank(� � ) > rank(� � )) swap(� � �� );/* check for isomorphic entry in hash table */if ((� = hash_lookup(� � �� )) == NULL) �/* 3 cases depending on position in graph */

if (is_var(�� ) && is_var(�� ))� = new_and_vertex(�� );else if (is_var(�� ))� = create_and3(�� );else if (is_var(� � ))� = create_and3(� � �� );else � = create_and4(�� );�

return � ;�Fig. 4. Algorithm create_and for an AND constructorthat includeslocalfunctionalhashing.

Fig. 4 outlines the overall flow of the functional hashingscheme. The first part, which performsconstantfolding andstructuralhashing,is identical to the algorithm create_and2of Fig. 1. In caseof a hashmiss, the secondpart includesan extendedtwo-level lookup scheme,which convertsthe lo-cal function of the four grandchildreninto a canonicalrep-resentation.During graphconstructionfrom the primary in-puts, the first level of verticesdoesnot have four grandchil-dren and, thus, must be treatedspecially. If both immediatechildrenareprimary inputs, the algorithm createsa new ver-tex usingthe procedurenew_and_vertex, which is shown inFig. 2. If only oneof thechildrenis a primary input, a canon-ical three-inputsubstructureis createdby applyingthe proce-dure create_and3, and for the remainingcasethe procedurecreate_and4 is called. Sincethealgorithmsof theprocedurescreate_and3 andcreate_and4 arequite similar we limit thedescriptionto thelatter. Its pseudo-codeis givenin Fig. 5. Theprocedureof create_and3 simply implementsa subsetof theshown cases.

Thealgorithmcreate_and4first analyzesthelocalsubstruc-tureusingtheprocedureanalyze_case. It computesasignaturewhich reflects(1) the equality relationshipof the four grand-children and (2) the inverter attributesof the six arcs. Thissignatureis mappedto oneof C"D�= differentcases(for the al-gorithm create_and3, the signatureis mappedto one of E�Ecases). By construction,the topology of the substructureisuniquelyidentifiedby this signature.Its valueis thenmappedontoanimplementationindex suchthatall structureswith iden-


Algorithm create_and4( ) �F# ) �)G) = ) -> ) !�H - ;) # = ) -> # &�I�JK- ;# ) = # -> ) !�H - ;#�# = # -> # &�I�JK- ;&�LM ! : = analyze_case( ) �># );switch( &�LM ! : ) �NON'N

case P Q : /* function I in Fig. 6 */�� = create_and()�) � ) # ); /* recursive */�� = create_and(R)G) � S) # );return create_and2(�� ); /* not recursive */NON'N

case T'U V : /* function J in Fig. 6 */�� = create_and()�) � ) # );�� = create_and(R)G) � S) # );return create_and2(�� );NON'N

case TOW W : /* example of Fig. 7 */return create_and( # ) �F#�# );NON'N�

/* remaining cases with no reduction */return new_and_vertex( ) �X# );�

Fig. 5. Sketchof thealgorithmcreate_and4 which handlesvertex construc-tion for substructureswith four grandchildren.

tical functionsgetprojectedontothesameindex. For eachdis-tinct index a new canonicalimplementationis thengenerated.Becauseof this canonicityandthe appliedvertex hashingthismethodmergesall functionallyequivalentsubstructures,effec-tively removing local functionalredundancies.Fig. 5 providespseudo-codeexamplesto handlecasesY�Z and 69C"D , which rep-resentthe structuresof an XOR andXNOR function asshownin Fig. 6(a).Part (b) of this figuredemonstrateshow functionalhashingmapsboth functionsonto the samevertex referencedby complementedarcs.

a

b2

1

5

g

h

3

4

3

4

a

b2

1

5

6

g

h

(a) (b)

Fig. 6. Examplefor merging the structuresof functions I�[ XOR \�] �F^O_ andJ`[ XNOR \�] �F^O_ usingthealgorithmcreate_and4: (a)resultingstructurewith-out functionalhashing,(b) structurewith functionalhashing.

Notethat functionalhashingis appliedrecursively asshownin the implementationof the intermediatefunctions� � and � �of casesY�Z and 69C"D of Fig. 5. However, to ensuretermination,thefinal vertex mustbeconstructedwith thenon-recursivepro-cedurecreate_and2shown in Fig. 2. Therecursiveapplicationof functionalhashingoftenresultsin a significantgraphreduc-tion. For example,the two outputsin Fig. 3(a)canbe mergedby functionalhashingresultingin thegraphshown in part(d).

C. LocalRewriting

Functionalhashing,asdescribedin theprevioussubsection,has the potential to compactgraphrepresentationsfor struc-tureswith sharedgrandchildren. However, if all four grand-childrenof the two operandsaredistinct, thehashingdoesnot

resultin any structuralreduction.Still, in somecaseswheretheoperand’s grand-grandchildrenare shared,the local structurecanberearrangedsuchthat they shareat leastonegrandchild.This rearrangementwill enablea following functionalhashingstep.For example,theexpressionacbd<e1�2f4 @g�h<$<e1��i4�@g�cj.@cannotbesimplifiedwith functionalhashingbecauseit hasfourdistinctgrandchildren,k91�?�4l?�1m�n4l?$jKo . However, afterrewritingtheexpressioninto anbp<$<e1�2q4�@ �3<e1��q4�@'@ �qj�@ functionalhashingcansimplify thestructureto arbs1t�u4v�uj . Thecorrespondingstep-wisegraphtransformationsareillustratedin Fig. 7.

a

b

c

g

l

r

a

b

c

grl

rr(a) (b)

c

b

a

g

(c)

Fig. 7. Exampleof local rewriting: (a) original graph that cannotbe re-ducedby functional hashing,(b) result of rewriting usingcase U V w of algo-rithm create_and4 (Fig. 8), (c) resultafterrecursive applicationof caseTOW W ofalgorithmcreate_and4 (Fig. 5).

To handle local rewriting, the algorithm create_and4is enhancedby recognizing more casesin the procedureanalyze_caseandaddingthecorrespondingindicesto the im-plementationcases.In essence,thementionedrewriting mech-anismis applicableif: (1) at leastoneoperandof theAND op-erationis complementedand(2) thegrandchildrenand/orchil-drenof the operandsareshared.Fig. 8 shows a modifiedver-sionof thealgorithmcreate_and4 that includestheadditionalD casesfor local rewriting. Theprocedureshare testswhethertwo givenverticesshareany children. In thegivenexampleofFig. 7, the left child of vertex a is invertedandsharesits chil-drenwith theright-left grandchildof a . HerethedepictedcaseC"D�x of themodifiedalgorithmof Fig. 8 is appliedfor rewriting.During the implementationstepthe procedurecreate_and iscalledrecursively afterwhichcase6.E�E shown in Fig. 5 is appli-cableandsimplifiesthegraphto thestructuregivenin Fig.7(c).

D. SymmetricClusterHashing

Thepreviouslydescribedmethods,includingstructuralhash-ing, functional hashing, and local rewriting restructuretheAND/INVERTER graph only locally by examining a limitednumberof fanin vertices. A further compressionof the graphcanbeachievedby analyzingbiggersymmetricgraphclusters.Theideais thatexpressiontreesutilizing a uniform symmetricvertex function(e.g.,AND or XOR) representthesameBooleanfunction if they have identical setsof sourcevertices. Thisequivalenceis independentof theactualtreestructureandper-mutationof sources.

For identifying identicalsymmetricclusterfunctions,a spe-cial clusterhashingalgorithmis appliedwhenever a new AND

vertex is built. The algorithmtraversesthe transitive fanin of


Algorithm create_and4( ) �e# ) �)�) = ) -> ) !�H - ;) # = ) -> # &�I.JK- ;# ) = # -> ) !�H - ;#�# = # -> # &�I�JK- ;&�LM ! : = analyze_case( ) �F# );switch( &�LM ! : ) �N'NON/* rewriting cases */

case U V y : /* l and r are inverted */N'NONcase U V w : /* only l is inverted */if (share() �F# ) ) || share()G) �># ) ) || share() #��F# ) )) �

return create_and(create_and( ) �F# ) ), #�# ));�if (share() �F#�# ) || share()G) �e#�# ) || share() #��>#�# )) �

return create_and(create_and( ) �F#�# ), # ) ));�if (share()�) �F# ) || share() #��F# )) �

return create_and( create_and( R)G) �e# ), create_and( R) #��e# ));�break;

case U V z : /* only r is inverted */N'NON�/* no reduction or rewriting */return new_and_vertex( ) �># );�

Fig. 8. Sketchof improvedalgorithmcreate_and4 with local rewriting.

thevertex, determinestheboundariesof thesymmetricexpres-siontree,andcollectsthesetof sourcevertices.Thissetis thenhashedusingaspecialclusterhashtable.If identicalentriesarefound, the correspondingverticesaremergedandtheir fanoutstructuresarerebuilt.

The symmetric cluster hashing is done for two functiontypes.AND clustersaresimpleto identify by just traversingthefaninstructureuntil invertedarcsareencountered.Dueto theirduality, OR clustersareautomaticallyhandledby thesameal-gorithm. XOR/XNOR clustersarefoundby recursively search-ing for thecanonicalXOR structure(shown in Fig.6). Only oneof thetwo possibleXOR/XNOR needsto beidentified,sincetheotherstructuregetsrewrittenby functionalhashing.

Note thatanalternative approachto handlesymmetricclus-ters would be to build AND and XOR expressiontreesin acanonicalmanner, for example,by alwaysbuilding a balancedtree structureusing the sourceverticesin somelexicographi-cal order. However, our experienceis thatsuchanapproachisinferior to thepresentedmethodsinceit destroys up-font largepartsof theexisting(empiricallyuseful)circuit structureandasa resultpreventsmany matchingsthatareotherwisepossible.

IV. BDD SWEEPING

In this sectionwe describethe BDD sweepingalgorithm,amethodthat systematicallyidentifiesandmergesfunctionallyequivalentAND/INVERTER graphverticesthatarenot foundtobeequivalentby thepreviouslydescribestructuralmethods.

Thesweepingmethodbuilds BDDs for the individual graphverticesstartingfrom inputsandmultiple cut frontierstowardtheoutputs.By maintainingcross-referencesbetweenthegraphverticesandits BDD nodes,functionally identicalverticescanbefoundconstructivelyduringthesweep.ThereareseveralkeyideasthatmakeBDD sweepingrobustandefficient:

{ As soonastwo functionally equivalentverticesareiden-tified, their outputstructuresaremergedandrehashedus-ing thealgorithmsdescribedin theprevioussection.Theinstantaneousapplicationof structuralsimplification cansolve reasoningproblemswithout building BDDs for theentireproblemstructure,resultingin asignificantincreasein theoverall reasoningpowerandperformance.{ The BDD propagationis prioritized by the actualsizeofthe input BDDs usinga heapasprocessingqueue. As aresult, the sweepingalgorithm focusesfirst on inexpen-sive BDD operationsandavoids theconstructionof largeBDDsunlessthey areneededfor solvinga problem.{ The maximumsizeof the processedBDDs is limited bya threshold,which effectively controlsthe computingre-sourcesandreasoningpower. BDDsthatexceedthesizeofthethresholdare“hidden” in theprocessingheapandwillreappearwhenthesweepingis restartedwith asufficientlylarge limit. This mechanismis usedto interleave BDDsweepingwith structuralSAT search. By incrementallyincreasingthe resourcesof the individual algorithmsdur-ing eachiteration,their reasoningpowercontinuesto growuntil theproblemcanbesolvedby eitheroneof them.{ Multiple BDD frontiersareconcurrentlypropagatedin theheapcontrolledmanner. Thisapproacheffectivelyhandleslocal redundancieswithout theneedto alwaysbuild largeBDDs from thegraphinputs.{ Whenthe BDD processingreachesany of the target ver-tices that representa proof obligation (i.e., it must beshown to be constant,or not) oneof the following stepsis applied: If the correspondingBDD representsa con-stant,thevertex getsmergedwith theconstantgraphver-tex andthereasoningresultis obvious(dependingon theproblemeitherSAT or UNSAT). Otherwise,if thesupportof theBDD containsonly primary input variables,satisfi-ability is provenandany pathsfrom the BDD root to thecorrespondingconstantBDD nodecanserveascounterex-ample.If thesupportcontainsvariablesfrom intermediatecutsets,falsenegativeresolutionis applied.

A. BasicSweepingAlgorithm

Fig. 9 shows the self-explanatorypseudo-codefor the basicBDD sweepingalgorithmbdd_sweep. It doesnot includetheprocessingof multipleBDD frontiers,which is describedin thenext subsection.Theheapstructureis initialized in theoverallprocedure(seeSectionVIII). For this, primary inputsareini-tializedat thebeginningof thereasoningflow usingtheproce-duresweep_init , whereascutsetverticesaredeclaredandini-tializedbetweentheindividual sweepingiterations.

The invocation of the sweepingalgorithm processesallheapBDDs that have a smallersize than the given threshold4 |�| _ }e~l��.� _ �.�X�� _ }��B�5�>� . All largerBDDsremainhiddenin theheapandgetprocessedwhenthealgorithmis calledagainwithasufficiently largethreshold.Duringeachiterationof theinnersweepingloop, thealgorithmremovesthesmallestBDD fromthe heap,processesthe Booleanoperationsfor the immediatefanoutstructureof thecorrespondingcircuit graphvertex, andreenterstheresultingBDDsontotheheap,if theirsizeis belowthethreshold4 |�| _ ��9� _ �.�X�� _ }��B�5�>� .


Algorithm sweep_init( � !'# - ! : ) �J ! ] � = new_heap();for all input vertices �� do �^ M M = create_bdd_variable();

store_vertex_at_bdd( ^ M�M � � �G� );put_on_heap( J ! ] ��F^ M M �>^ M M _ � � �"!$# _ %'&�( ! _ )G&�+�&�- );�

return J ! ] � ;�Algorithm bdd_sweep( J ! ] �� !$# - ! : ) �/* check if there are any BDDs on heap with

size( ^ M M ) � ^ M M _ )G�� !$# _ %O&�( ! _ )*&�+,&�- */while (!is_heap_empty( J ! ] � , ^ M�M _ )G�� !'# _ %O&�( ! _ )*&�+,&�- )) do �^ M M = get_smallest_bdd( J ! ] � );� = get_vertex_fr om_bdd( ^ M M );

/* check if previously encountered */if (get_bdd_fr om_vertex( � )) continue;store_bdd_at_vertex( � �'^ M M );for all fanout_vertices ��'�� of � do �^ M M ��X� � = get_bdd_fr om_vertex( � �'�� -> ) !�H - );^ M M � �G�� = get_bdd_fr om_vertex( ��'�� -> # &�I�JK- );^ M M � �B� = bdd_and( ^ M M ��X� � �>^ M�M � �*�� );� � �B� = get_vertex_fr om_bdd( ^ M M � �B� );

if ( � � �>� ) �merge_vertices( � � �>� � � �'�� );/* return if problem solved */if ( � !'# - ! : == CONST_1) return SAT;if ( � !'# - ! : == CONST_0) return UNSAT;�

else �store_vertex_at_bdd( ^ M M � �B� � � �'�.� );�

/* BDD for � � �B� cannot be constant */if ( � �$�� == � !'# - ! : ) return SAT;put_on_heap( J ! ] ��>^ M M � �B� �>^ M M _ � � �"!$# _ %'&�( ! _ )G&�+,&�- );��

return UNDECIDED;�Fig. 9. Initialization proceduresweep_init andbasicBDD sweepingalgo-rithm bdd_sweepfor deciding �S� �¡\�� !$# - ! : _ .

Usingcross-referencingbetweengraphverticesandthecor-respondingBDD nodes,functionallyequivalentverticescanbeidentified. An equivalentvertex pair is found if theresult ¢"£�¤O¥of a BDD operationalreadyrefersto anothervertex that wasprocessedbefore. In this caseboth verticesare merged im-mediatelyandtheir subsequentpartsof thegrapharerehashedby theproceduremerge_vertices. Therehashingis appliedindepth-firstorderstartingfrom the mergedverticestoward theprimary outputsandstopsif no further reconvergency occurs.As aresult,theforwardrehashingmaymergethereasoningtar-getvertex ¢��9�l�O�9/ with theconstantvertex, effectively decidingthe problem. The correspondingtwo checksin the inner looptestfor thesecases.BeforetheBDD is reenteredontotheheap,anotherchecktestswhetherthe target vertex wasreached.Inthis casethe target vertex must be non-constant,otherwiseitwould have beenmergedwith a constantvertex andoneof theprevioustestswouldhavesucceeded.Therefore,theproblemissatisfiablesincethe BDD supportincludesonly primary inputvariables.

The following remarksfurther explain particulardetailsofthesweepingalgorithm:{ Thesequenceby whichthecross-referencingis performed

andcheckedusingtheprocedureget_bdd_fr om_vertex,store_bdd_at_vertex, get_vertex_fr om_bdd, and

store_vertex_at_bdd, ensures that all vertices arehandledexactlyonce,unlessnew graphverticesareaddedto the fanoutof an alreadyprocessedvertex. In this casethe procedurenew_and_vertex restarts the sweepingprocessfor thesevertices.{ If oneof thetwo BDD operandsis missing,theBDD op-erationis skippedandprocessingcontinueswith thenextBDD from theheap.Note thatassoonasthis operandisavailable,thesameBDD operationwill bere-invoked.{ Themerging of two verticesis donein a forwardmanner,i.e.,thefanoutsof thevertex, whichis topologicallyfartherfrom theprimaryinputsmustbereconnectedto thevertexthat is topologicallycloserto the inputs. Otherwise,themergeoperationmay causestructuralloopsin the graph,whichwould invalidateits semantic.

Fig.10illustratesthemechanismof BDD sweepingfor prov-ing equivalenceof two functionally identical but structurallydifferentcircuit cones.Parts(a)and(b) show themiterstructureof the two cones= and = 8 to be comparedwith an XNOR gateand the correspondingAND/INVERTER graph, respectively.The following figuresshow the progressof thesweepinguntilequivalenceis proven. It is assumedthat the BDDs are pro-cessedin theorderof their correspondingvertices 6�?�CS?$DR?'ER?�D�8�?and C�8 . The first four iterationscreatethe BDDs for vertices6�?�CS?$DR? and E . In the next iteration, the resultingBDD nodefor vertex D�8 alreadypointsto the functionally equivalentver-tex D . Therefore,vertices D�8 and D aremergedasdepictedinFig. 10(c). The next figure shows the graph after vertex C"8hasbeenprocessedandmergedwith vertex C . Thesubsequentforward rehashingidentifiesthat = and = 8 are isomorphicandmergesthem,whichfurthercausesx to bemergedwith thecon-stantvertex. Note that for simplicity we usedonly structuralhashingin thisexample.Theresultinggraphstructureis shownin Fig. 10(e).At thispoint functionalequivalenceis provenandthealgorithmterminateswithout having to build BDDs for theentiremiter structure.

B. EnhancedSweepingAlgorithm with Multiple BDD Fron-tiers

The basicsweepingalgorithm asdescribedin the previoussectionstartstheBDD propagationfrom theinputverticesonly.As a resultthesizethresholdof theBDD processingprecludesa full penetrationof deeperAND/INVERTER graphs. An en-hancedsweepingapproachis basedon a multi-layeredprop-agationof BDDs that start from the primary inputsaswell asintermediatecutfrontiers.Usingthisscheme,thegraphverticesaregenerallyassociatedwith multipleBDDsthatrepresenttheirfunctionfrom differentcutsof their faninlogic.

For themulti-layerBDD propagation,theoverall algorithm,which is describedin SectionVIII, declarescutpointsbetweenindividual sweepingsteps.Thereareseveralheuristicsto iden-tify verticesthatrepresenteffectivecutpoints,includingtheuseof:{ verticesthathavea largefanout,{ verticesthathavemultiple pathsto thereasoningvertex,{ in caseof equivalencechecking,verticesthat areon the

borderof the intersectionof the two conesthat form themiter structure.


ab

c

4

1’2’

3’

2

3

1

5

5’

6

(a)

b

a

c

1

2

35

3’

5’

2’

4

6

(b)

b

a

c

1

2

5

5’

2’

4

63

(c)

b

a

c

1

5

5’

2

4

63

(d)

b

a

c

1 5

2

4

3 CONST_1 6

(e)

Fig. 10. Examplefor BDD sweeping:(a) miter for two functionallyidenticalcircuit cones,(b) original AND/INVERTER graph,(c) BDDs arecomputedforvertices1,2,3,4,3’,which causes3’ and3 to bemerged,(d) BDD is computedfor 2’ which causes2’ and2 to be merged,(e) forward hashingcauses5 and5’ to be merged and 6 be merged with the constantvertex thus solving thereasoningproblem.

Basedon thedeclaredcutpoints,thecut level c_level( ¢ )of acircuit graphvertex ¢ is recursively definedasfollows:

¦ §�¨�© ¨ § \�� _ [ª«¬ «¯® if � is primary input+�] :\ c_level( � -> ) !�H - ) � c_level( � -> # &�I�J"- ))+1

if � is cutpoint+�] :\ c_level( � -> ) !�H - ) � c_level( � -> # &�I�J"- ))otherwise.

The cut level is usedto define cut frontiers and to alignthe BDD propagationwith thesefrontiers. Fig. 11 showsthe modified sweepingalgorithm that supportsthe handlingof multiple BDD frontiers. As shown, the additionsmainlyinvolve a level-specifichandling of BDDs. The procedure

get_bdd_fr om_vertex returnstheBDD storedfor a specifiedlevel at a vertex. If thegivenlevel exceedsthecut level of thevertex, theBDD of themaximallyavailablecut level is taken.

Similar to the basicalgorithm, specialchecksare appliedwhen the BDD processingreachesthe target vertex ¢�9�9�O�9/ .However, since the BDDs of the verticesdo not necessarilyoriginatefrom the primary inputs,it cannotbe decidedimme-diatelyif theproblemis solved. First, falsenegative resolutionattemptsto re-substitutecutpointvariablesof theBDD with theBDDs driving the correspondingvertices(seeSectionIV-C).This maycausethetargetvertex to getmergedwith a constantvertex in which casethe problemis satisfiableor unsatisfiablefor amergerwith theconstant“1” or constant“0”, respectively.Furthermore,if all cutpointvariableshave beenre-substitutedtheresultingBDD originatesonly from theprimaryinputs.Theproblemmustthenbesatisfiable.

Algorithm bdd_sweep( J ! ] �� !'# - ! : ) �while (!is_heap_empty( J ! ] ��>^ M M _ )G�� !$# _ %O&�( ! _ )G&�+,&�- )) do �^ M M = get_smallest_bdd( J ! ] � );� = get_vertex_fr om_bdd( ^ M M );) ! � ! ) = get_level_fr om_bdd( ^ M M );

if (get_bdd_fr om_vertex( � � ) ! � ! ) )) continue;store_bdd_at_vertex( � �O^ M M � ) ! � ! ) );for all fanout_vertices � �'�.� of � do �^ M M ��X� � = get_bdd_fr om_vertex( ��'�.� -> ) !�H - � ) ! � ! ) );^ M M � �*�� = get_bdd_fr om_vertex( � �'�.� -> # &�I.JK- � ) ! � ! ) );^ M M � �>� = bdd_and( ^ M M ��B� � �>^ M M � �G�� );� � �B� = get_vertex_fr om_bdd( ^ M M � �B� );if ( � � �B� ) �

merge_vertices( � � �B� � ��'�.� );if ( � !$# - ! : == CONST_1) return SAT;if ( � !$# - ! : == CONST_0) return UNSAT;�

else �store_vertex_at_bdd( ^ M M � �B� � � �$�� );store_level_at_bdd( ^ M�M � �B� � ) ! � ! ) );�

if ( � �'�� == � !$# - ! : ) �resolve_false_negative( � );if ( � !$# - ! : == CONST_1) return SAT;if ( � !$# - ! : == CONST_0) return UNSAT;

/* non-constant level-0 BDD */if (get_bdd_fr om_vertex( � !'# - ! : � ® )) return SAT;�

put_on_heap( J ! ] ��F^ M M � �>� �B^ M M _ � � ��!'# _ %O&�( ! _ )*&�+,&�- );��return UNDECIDED;�

Fig.11. EnhancedBDD sweepingalgorithmwith multi-layeredBDD frontiersfor deciding �R�°�±\�� !$# - ! : _ .C. FalseNegativeResolution

The algorithm to resolve falsenegatives in shown in Fig-ure 12. To fully explore BDDs constructedfor the differentlevelsof thetargetvertex without memoryexplosion,theelim-inationprocessis alsocontrolledby a heap. In eachiteration,the smallestBDD is taken andits topmostcut variableresub-stitutedby the correspondingdriving function. The resultingBDD is thenchecked for a functionally equivalentvertex thathasbeenprocessedbefore. If found,bothverticesaremergedandthesubsequentpartsof thecircuit grapharerehashed.Oth-erwise,if thesizeof theresultingBDD is smallerthanthegivenlimit, it is reenteredontotheheapfor furtherprocessing.


Algorithm resolve_false_negatives ( � � ) �for ) ! � ! )�[ ® to c_level ( � � ) do �^ M M = get_bdd_fr om_vertex( � � , ) ! � ! ) );

put_on_heap( ²O��+ � � % ! _ J ! ] � , ^ M M );�)G&�+,&�- = ^ M M _ )�� !$# _ %'&�( ! _ )G&�+�&�- ;while (!is_heap_empty( ²'�$+ � � % ! _ J ! ] �� )G&�+,&�- )) do �^ M M = get_smallest_bdd( ²O��+ � � % ! _ J ! ] � );� = get_vertex_fr om_bdd( ^ M M );^ M M�³'´ � = get_cutvar_fr om_bdd( ^ M M );

if ( ^ M M�³'´ � ) �� ³$´ � = get_vertex_fr om_bdd( ^ M M ³$´ � );) ! � ! ) = c_level ( ��³$´ � );^ M M � � �.µ = get_bdd_fr om_vertex( � ³$´ � , ) ! � ! )K¶·T );^ M M � �B� = bdd_compose( ^ M�M , ^ M M�³'´ � , ^ M M�� µ );� � �B� = get_vertex_fr om_bdd( ^ M M � �>� );if ( � � �B� ) �

merge_vertices( � � �B� , � );�else �

store_vertex_at_bdd ( ^ M M � �>� , � );put_on_heap( ²'�$+ � � % ! _ J ! ] � , ^ M M � �B� );��

Fig. 12. Algorithm to eliminatefalsenegatives.

V. STRUCTURAL SAT SOLVER

A. BasicSAT Procedure

ThestructuralSAT solver is basedon theDavis-Putnampro-cedureworking on the presentedAND/INVERTER graph. Itattemptsto find a set of consistentvalueassignmentsfor theverticessuchthat the target vertex evaluatesto a logical “1”.Unsatisfiabilityis provenif anexhaustiveenumerationdoesnotuncoversuchanassignment.

Fig.13providesthetoplevel view of theSAT algorithmcon-sistingof two routines,the proceduresat_init , andthe proce-dure justify , which handlesthe casesplitting and backtrack-ing. The overall SAT searchis basedon a processingqueue¸ ��X�O¹��Xj 1��X�X~lº _»l��9�� that containsall verticesfor which aconsistentassignmentmustbe found. The algorithmattemptsto sequentiallyjustify theseverticesusinga branch-and-boundcaseenumeration.Note that dueto their uniform AND func-tionality, only verticesthatareto be justifiedto “0” needto bescheduledon thatqueue.A requiredlogical “1” atavertex out-put impliesa “1” atbothof its inputsandis handleddirectlybytheprocedureimply . Further, if thevalueof a vertex outputisnotyetspecified(“X”) it doesnotneedto bejustifiedsinceanyvaluesettingat its inputswill leadto aconsistentsetting.

The proceduresat_init first assignsthe targetvertex to “1”andpropagatesall implicationsusingtheprocedureimply . Un-lessthetargetassignmentresultsin animmediateconflict it cre-atesthe first stackentry for the procedurejustify . This entrycontainsall “to-be-justified” verticesthat have beencollectedby imply . The following call of the procedurejustify thenperformsasystematiccasesearchby recursively processingallqueueverticesandenumeratingfor themall valid input assign-ments(two for Booleanlogic). In thecasethattheassignmentsof a searchsubtreeresult in a conflict, a markingmechanismallowsundoingall assignmentsup to thatdecisionlevel.

Thetight integrationof theSAT solverinto theoverallframe-work requiresanexecutioncontrolby providing resourcelimits

Algorithm sat_init( � !'# - ! : ) �%O-�].²O¼ = new_stack();assign( � !'# - ! : � T );if (imply( � !$# - ! : )) �M _ ) ! � ! ) = push_on_stack( %'-�]�²O¼ ,NULL);M _ ) ! � ! ) -> +3] # ¼ = 0;M _ ) ! � ! ) -> ½�� ! � ! = ¾��%'-�& H &�²'] -�&��L _ ½�� ! � ! ;M _ ) ! � ! ) -> � = dequeue_vertex( M _ ) ! � ! ) -> ½�� ! � ! );�return %O-�].²O¼ ;�

Algorithm justify( %'-�]�²O¼ ) �while ( T ) �

if ( ^ ]�²O¼9- # ]�²O¼K% ++ > %']�- _ ^ ]�²O¼9- # ]�²O¼ _ )G&�+�&�- )return UNDECIDED;M _ ) ! � ! ) = pop_fr om_stack( %O-�].²O¼ );

if (! M _ ) ! � ! ) ) return UNSAT; /* exhausted */

label:if (! M _ ) ! � ! ) -> � ) return SAT; /* justified */

/* try all values one by one;continue from last value afterreturning from higher decision level */

for all values for M _ ) ! � ! ) -> ��].)*� ! do �assign( M _ ) ! � ! ) -> � -> ) !�H - � M _ ) ! � ! ) -> ��].)*� ! );if (imply( M _ ) ! � ! ) -> � -> ) !�H - )) �M _ ) ! � ! ) = push_on_stack( %'-�]�²'¼ � M _ ) ! � ! ) );M _ ) ! � ! ) -> +3] # ¼ = tail_pointer( ]9%$%'&�I L�+ ! L�- _ )G&�%'- );M _ ) ! � ! ) -> ½�� ! � ! = ¾ ��%O-�& H &�²O]�-�&��L _ ½�� ! � ! ;M _ ) ! � ! ) -> � = dequeue_vertex( M _ ) ! � ! ) -> ½$� ! � ! );

goto label;�/* failed undo assignments and reset queue */undo_assignments( M _ ) ! � ! ) -> +�] # ¼ );¾ ��%O-�& H &�²O]�-�&��L _ ½�� ! � ! = M _ ) ! � ! ) -> ½�� ! � ! ;��

Fig. 13. GeneralDavis-PutnumSAT procedurefor deciding �S� �¡\�� !$# - ! : _ .suchas the numberof backtracks. If during the currentap-plicationof justify this numberexceedsa giventhreshold,theSAT solver interruptsits searchandreturnscontrol to thecall-ing procedure.This supportsan interleavedapplicationof theSAT searchwith BDD sweepingasdescribedin SectionVIII.Furthermore,by preservingthe stateof the decisionstackbe-tweensubsequentinvocations,theSAT algorithmcancontinueits searchfrom the point it stoppedearlierwithout repeatedlysearchingpreviouslyhandledsubtrees.This reentrantfunction-ality is implementedin the procedurejustify by checkingthebacktracklimit eachtimethesearchreturnsfrom ahigherdeci-sionlevel. If thelimit is exceeded,thecontrolis returnedto thecalling,overallprocessandthebacktrackingis postponeduntiljustify is calledagain.Notethatthesetupof sat_init ensuresacorrectinitializationof thefirst stackentry.

Thedetailsof thealgorithmimply for implicationprocessingareshown in Fig. 14. Its implementationtakesspecificadvan-tageof theunderlyingAND/INVERTER graphstructureby ap-plying an efficient table-lookupschemefor propagatinglogicimplications. The routinesimply and imply_aux iterateovertheAND/INVERTER graphanddetermineateachvertex all im-plied valuesandthedirectionsfor furtherprocessing.

Fig. 15 givesan excerptfrom the implication lookup table.As describedabove, for Booleanlogic only onecase,a justifi-cationrequestfor a logical “0” at theoutputof anAND vertex,


Algorithm imply( � !'# - ! : ) �for all fanout_vertices ��'�� of � !$# - ! : do �

if (! imply_aux( � �$�� )) return 0;�return imply_aux( � !'# - ! : );�

Algorithm imply_aux( � !$# - ! : ) ��]�)G� ! = get_value( � !$# - ! : );)*��].)*� ! = get_value( � !$# - ! : -> ) !�H - );# ��]�)G� ! = get_value( � !$# - ! : -> # &�I�JK- );²X� #�# ! L�- _ %O-�]�- ! = \��].)*� !�� )G��]�)G� ! �># ��]�)G� !�_ ;L ! :K- _ %'-�] - ! = lookup( ²X� #�# ! L�- _ %O-�]�- ! );switch ( ]�²X-�&��L ) �

case STOP:return T ;

case CONFLICT:return ® ;case CASE_SPLIT:enqueue_vertex( � !$# - ! : � ¾ ��%O-�& H &�²O]�-�&��L _ ½�� ! � ! );return T ;

case PROP_FORWARD:assign( � !'# - ! : � L ! :K- _ %'-�] - ! -> ��]�)G� ! );for all fanout_vertices � �'�� of � !$# - ! : do �

if (!imply_aux( � �$�� )) return ® ;�return T ;NON'N

case PROP_LEFT_RIGHT:assign( � !'# - ! : -> ) !�H - � L ! :K- _ %'-�] - ! -> )*�.]�)*� ! );assign( � !'# - ! : -> # &�I�J"- � L ! :K- _ %'-�] - ! -> # �.]�)*� ! );if (!imply( � !$# - ! : -> ) !�H - )) return ® ;if (!imply( � !$# - ! : -> # &�I�JK- )) return ® ;return T ;NON'N�

return T ;�Fig. 14. Implicationprocedureto theAND/INVERTER graph.

requiresschedulinganew vertex onthe¸ ��.�X�O¹��Xj 1��X�B~lº _ »l��.�� .

All otherassignmentsresult in oneof threecases:(1) a con-flict occurred,in which casethe algorithm returnsand back-tracks, (2) further implicationsare triggered,which are pro-cessedrecursively, or (3) the vertex is fully justified, in whichcasetheprocedurereturnsfor processingthenext elementfromthe

¸ ��.�X�O¹��Bj�1��X�X~lº _ »l��9�� .The lookup tableis programmablefor different logics. For

example, using a different table the procedureimply canequallybeappliedto implementa parallel,one-level recursivelearningschemeusingnine-valuedlogic [19]. Due to its uni-formity andlow overhead,thepresentedimplicationalgorithmis highly efficient. As anindication,on a PentiumIII classma-chine it canexecuteseveral hundredthousandbacktrackspersecondon typical circuit structures. For being beneficialforthe overall performance,any gain that is potentiallyachievedthroughadditionalstructuralanalysismustoffset the resultingslowdown of the imply function. In [8] and[20] a similar rea-soningis givenfor efficient implementationsof SAT andATPGalgorithms,respectively.

B. Improvementsfor theSAT Procedure

1) Conflict Analysis: AdvancedSAT solvers useconflictanalysisto skip the evaluationof assignmentswhich aresym-metric to previously encounteredconflicts [7]. Two mecha-nismsareusedfor this purpose:First,non-chronologicalback-

1X

10

X

0

XX

X1

X

1

0X

0X

X

X

XX

00

X

0

11

11

X

X

. . . . . . . . .

action

PROP_LEFT_RIGHT

CONFLICT

CASE_SPLIT

PROP_FORWARD

STOP

current_state next_state

Fig. 15. Excerptof the lookup tablefor fastimplicationpropagationappliedin theprocedureimply of Fig. 14.

trackingskips the evaluationof casealternatives if the corre-spondingcasesplitting vertex wasnot involved in any lower-level conflict. Second,conflict-basedlearning createsaddi-tional implicationshortcuts,which reflecttheassignmentsthatcauseda conflict. Theseredundantstructuresresult in addi-tional implications,which detectsubsequent,symmetriccon-flicts earlier.

Conflictanalysisrequirestrackingthelogical impactof casesplit assignmentson theconflictpoints.Otherimplementations(e.g., [7]) applyanimplicationgraphfor which thenodescor-respondto variablesandedgesreflectsingleimplicationsteps.In the given setting, the conflict graph manipulationduringeachstepof the imply routinewould severely impact its per-formance.To reducethis penalty, we apply a schemethat di-rectly collectstheresponsiblecaseassignmentsasa sidefunc-tion of theimplicationprocess.Thismechanismusesa conflictbit-vectorwhereeachbit representsa casevertex in the deci-sion tree. In otherwords, the bits of this vectorrepresentthesourceverticesfrom which implicationsequenceswerestarted.The tablelookup in function imply is expandedto alsodeter-minethecontrollingsourcesfor thepropagationof theconflictbit-vectors.The actualpropagationis doneby word-wideOR

operationsof thesevectorsduringtheimplicationsequence.Asa result,whena conflict is reached,the active positionsof thebit-vectorreflectthedecisionsverticesthatareresponsibleforthisassignment.Thisschemereducesthespeedof theimplica-tion processby typically lessthan50%,a penaltythat is easilyoffsetby theaveragegain.

Theresultingconflictbit-vectorsareusedto controltheback-trackingmechanism.If all choicesof a decisionlevel resultina conflict, thebacktracklevel is determinedby thelowestlevelthatwasinvolvedin a conflict. This is implementedefficientlyby bit-vectoroperations.The combinedconflict bit-vectorre-flectsall responsibleassignmentsfor that part of the decisiontreeandis passedupwardto thenext backtrackinglevel.

Further, the conflict bit-vector is examined for compactclausesto learn. Its function is directly mappedonto aAND/INVERTER graphstructurerepresentingthat conflict. Toavoid excessively large learnedstructures,we applya variablelimitation similar to [7]. However, insteadof just restrictingthe maximumnumberof conflict variables,we alsotake their


assignmentinto account,effectively estimatingthe sizeof theeliminateddecisionsubtrees.

2) StaticLearning: An effective mechanismto exploit thestructureof theAND/INVERTER graphis illustratedin Fig. 16.By reusingthe vertex hashtable applied during graph con-struction,a pair of verticesthat implementthe functions ��X��and �� canbe detectedusing two hashlookups. This con-figurationoccursquite often in practicaldesigns,for examplein multiplexer-baseddata exchangecircuits that switch datastreamsbetweentwo sourcesandtwo destinations.By addingtwo additional verticesto the graph, an implication shortcutcanutilize theexisting imply function. If a logical ¿ is sched-uledfor bothoutputvertices,theimplicationprocedurecanim-mediatelyjustify the entirestructureandbypassthe two casesplits.Thislearningstructureis createdstaticallyandintegratedinto thevertex allocationalgorithmnew_and_vertex, which isshown in Fig. 2. Note that the learnedverticesarebuilt usingtheregularcreate_and routinewhichmaycauseadditionalcir-cuit restructuringor learningevents.

p2

p1p1

p2

0

(a) (b)

Fig. 16. Learningfor \ �� [ ®_�À \ �� [ ®

_°Á \ �� [ ®_ : (a) original

structure,(b) structurewith learnedimplicationshortcut.

VI. RANDOM SIMULATION

Many probleminstancesof Booleanreasoningaresatisfiableandhave densesolutionspaces.The mosteffective approachfor finding a satisfyingassignmentfor suchproblemis oftenbasedonpurerandomsimulation.Thedesignof arandomsim-ulationalgorithmis straightforward. In this sectionwe brieflydescribethedetailsof its implementationin thegivensetting.

The presentedAND/INVERTER graphis highly suitableforan efficient word-parallelimplementationof randomsimula-tion. Thepseudocodefor thecorrespondingalgorithmicflow isshown in Fig. 17. After assigningrandomvaluesto theprimaryinputvertices,alevelizedprocessingusingword-wideAND andNOT instructionspropagatesthe resultingassignmentstowardthetargetvertices.A checkfor satisfiabilityof a targetvertex issimply doneby a parallelcomparisonof its valuewith thezeroword. Note thatby applyingproperreferencecounting,only asinglevaluefrontier needsto storedduring their propagation,which resultsin a sublinearmemorycomplexity [14].

VI I . INPUT CONSTRAINTS

Many Booleanreasoningproblemsrequireanefficient han-dling of inputconstraints,typically referredto as“don’t cares”.For example, in combinationalequivalencechecking, inputconstraintsexpresstheBooleansubspacefor which thetwo de-signsundercomparisonhave to be functionally identical. Theremaininginput combinationsrepresentdon’t caresfor whichthe functionsmaydiffer. Otherproblemsthat requireefficientprocessingof input constraintsoccurduringsynthesisandver-ificationof incompletelyspecifiedfunctions.

Algorithm simulate( � !$# - ! : ) �for all input vertices �� do �

set_value( � �� ,random_word());�simulate_aux();if (get_value( � !$# - ! : ) != ® ) return SAT;else return UNDECIDED;�

Algorithm simulate_aux() �for all vertices � in topological order do �)G��]�)G� ! = get_value( � -> ) !�H - );# ��].)*� ! = get_value( � -> # &�I�JK- );

if (is_inverted( � -> ) !�H - )) )*��].)*� ! = word_not( )G��]�)G� ! );if (is_inverted( � -> # &�I�JK- )) # ��].)*� ! = word_not( # ��].)*� ! );��].)*� ! = word_and( )*��].)*� !��F# ��].)*� ! );set_value( � � �.]�)*� ! );��

Fig. 17. Randomsimulationalgorithmsimulate.

Input constraintssplit the set of valuesat the primary in-putsinto two parts,the “valid” or “care” setandthe “invalid”or “don’t care” set. The problemof Booleanreasoningunderinput constraintsis to find a consistentassignmentwithin thecareset.A convenientmethodfor expressingandstoringinputconstraintsin thegivensettingis basedon characteristicfunc-tions that canbe storedandmanipulatedaspart of the overallAND/INVERTER graph.Thegraphrepresentationfor thechar-acteristicfunction canbe built using the standardconstructoroperations,which aredescribedin SectionIII. Its resultis thenassertedto be logical “1”, meaningthat all input valuesthatevaluatethis functionto “1” areconsideredto bethecareset.

Thesimplestmethodfor handlinginput constraintsis basedon a schemethatfirst conjoinstheconstraintverticeswith thetarget vertex andthenappliesthe reasoningalgorithmson theresultingAND vertex. However, for structuralsimplification,BDD sweeping,andrandomsimulation,this approachwouldresult in a significant performancedegradation,especiallyifthe fraction of valid assignmentsis very small. A more effi-cientmethodis to keepthecharacteristicfunctionsof theinputconstraintsseparateandto handlethemspecificallyin eachrea-soningalgorithm.In thefollowing sectionsweelaborateonthemechanismsto handleinput constraintsby the individual rea-soningalgorithms.

A. Structural Representation

As mentionedbefore,input constraintsaresimply expressedas characteristicfunctionsand representedas verticesin theAND/INVERTER graph. The resultingconstraintverticesaremarked for specialhandlingfor the SAT solver, BDD sweep-ing, andrandomsimulation.Fig. 18 givesthepseudocodeforthe algorithm that assertsa graphvertex to constant“1”. Asshown, thealgorithmconsistsof two parts:First, a local anal-ysisof the assertedvertex searchesfor XOR andXNOR struc-tures.If found,theinputverticesof thesefunctionsareassertedto beequalby structurallymerging themwith thesamemergefunctionappliedfor BDD sweeping(seeSectionIV). Second,if no XOR or XNOR is found,a structuralconjunctive decom-positionof theassertionfunctionis attempted.This is donebyrecursively traversingtheAND treedriving theassertedvertex.


The resultingindividual conjunctsarethenseparatelymergedwith theconstant“1” vertex. Thismergehastheadvantagethatstructurallyisomorphicfunctions,which arepart of the actualreasoningproblemcanbeidentifiedasconstantwithoutany fur-therprocessing.Theforwardrehashing,which is appliedwhenthis vertex is merged with the constantvertex, automaticallysimplifiesthesubsequentgraphstructure.

Algorithm assert_to_1( � !$# - ! : ) �if (is_var( � !$# - ! : ) � /* leaf vertex */

merge_vertices( � !'# - ! : ,CONST_1);�else if( is_inverted( � !$# - ! : -> ) !�H - ) &&

is_inverted( � !$# - ! : -> # &�I�JK- )) �/* search for XNOR and XOR structures */if ( � !'# - ! : -> ) !�H - -> ) !�H - == �� !'# - ! : -> # &�I�J"- -> ) !�H - &&

( � !'# - ! : -> ) !�H - -> # &�I.JK- == �� !$# - ! : -> # &�I�JK- -> # &�I�JK- ) �if (is_inverted( � !$# - ! : )) � /* XNOR */

merge_vertices( � !'# - ! : -> ) !�H - -> ) !�H - ,� !'# - ! : -> ) !�H - -> # &�I�JK- );�else � /* XOR */

merge_vertices( � !'# - ! : -> ) !�H - -> ) !�H - ,�� !$# - ! : -> ) !�H - -> # &�I�JK- );��return;�

/* recursive conjunctive decomposition */if (!is_inverted( � !'# - ! : )) �

assert_to_1( � !'# - ! : -> ) !�H - );assert_to_1( � !'# - ! : -> # &�I�J"- );�else � /* no further decomposition */merge_vertices( � !'# - ! : ,CONST_1);��

Fig. 18. Algorithm assert_to_1 for assertinga vertex to “1” that representsaninputconstraint.

B. BDD Sweeping

Input constraintscanbeusedduringBDD sweepingto iden-tify additionalsetsof verticesthat are functionally equivalentfor the caresetonly. This is accomplishedby restrictingthevertex BDD to thecaresetbeforeit is checkedfor apre-existingvertex referencesandput onto the heap. The BDD restrictionis doneby ANDing it with the setof BDDs generatedfor theconstraintvertices,which areassertedto “1”. Sincethe con-strainthandlingis conservativeandcannotproducefalsenega-tives,this restrictioncanbedonedynamically. As soonastheBDDs for the individual constraintverticesbecomeavailablethroughtheheapcontrolledprocessing,they canbeusedto re-strict all existingandfuturevertex BDDs.

C. Structural SAT Solver

The existenceof input constraintsimplies for the structuralSAT searchthat the valuesof all assertedconstraintverticesmustbepresetto constant“1”. Furthermore,thesevaluesneedto befully justified,whichis accomplishedby addingthecorre-spondingverticesto the

¸ ��.�X�O¹��Xj 1��X�X~lº _ »l��9�� . Both require-mentsareimplementedin a pre-processingstepbeforetheac-tual SAT searchstarts. Note that for structuralSAT this ap-proachis identical to the methodin which the assertedver-ticesaresimply combinedwith the target vertex by conjunc-tion. For thatmethodthefirst applicationof the imply function

would immediatelyscheduleall assertedverticesto bejustifiedto “1”. The resultingsearchflow would then be identical tothe flow producedby the presentedapproachusinga separatepre-processingstep.

D. RandomSimulation

To achieve high coveragein randomsimulation,it is essen-tial to avoid simulating input valuesthat are don’t cares. Inparticularfor sparsecaresets,a pure randomvalueselectionfrom theentireBooleanspacemayresultin no coverageat all.For generatingvalid input combinationsin the presentedran-dom simulationapproach,the SAT solver is appliedto searchfor satisfyingassignmentsfor all verticesthat are assertedto“1”. However, insteadof stoppingthe searchoncea solutionis found, the SAT procedurecontinuesto traversethe searchtree. For eachencounteredsolution, the input valuesfor thesatisfyingassignmentsarerecordedandlater simulatedin theword-parallelmannerpresentedin SectionVI.

VI I I . OVERALL ALGORITHM

The overall algorithm that combinesstructuraltransforma-tions, BDD sweeping,SAT search,andrandomsimulationisoutlinedin Fig. 19. For eachreasoningquerythealgorithmfirstchecksif the structuralhashingalgorithmsolved the problem.Interestingly, for a largenumberof queriesin practicalapplica-tionsthestructuraltestis successfulandimmediatelysolvestheproblem.For example,in a typical ASIC methodology, equiv-alencecheckingis usedto comparethe logic beforeandafterinsertionof thetestlogic. Sinceno logic transformationshaveactuallychangedthe circuit, a simplestructuralchecksufficesto proveequivalence.

Algorithm check_SAT( � ) �if ( � == CONST_1) return SAT;if ( � == CONST_0) return UNSAT;

/* random simulation */# ! % = simulate( � );if ( # ! % != UNDECIDED) return # ! % ;/* initialize BDD sweeping */J ! ] � = sweep_init( � );/* initialize SAT search */%'-�]�²O¼ = sat_init( � );while (!is_heap_empty( J ! ] ��>^ M�M _ � � ��!'# _ %O&�( ! _ )*&�+,&�- )) do �

/* try to justify */# ! % = justify( %O-�].²O¼ );if ( # ! % != UNDECIDED) return # ! % ;/* BDD sweeping till no more cutpoints found */do � # ! % = bdd_sweep( J ! ] �� );

if ( # ! % != UNDECIDED) return # ! % ;H ��"LM = find_and_init_cutpoints( J ! ] �� );�while ( H �$��L�M );^ M M _ )G�� !$# _ %O&�( ! _ )*&�+,&�- += M ! )G-�] _ ^ M M _ )*&�+,&�- ;%$] - _ ^ ].²O¼9- # ].²O¼ _ )*&�+,&�- += M ! )G-�] _ %$] - _ )G&�+�&�- ;�%$] - _ ^ ].²O¼9- # ].²O¼ _ )*&�+,&�- = +3] : _ %$] - _ ^ ].²O¼9- # ].²O¼ _ )*&�+,&�- ;

return justify( %'-�]�²O¼ );�Fig. 19. Overall reasoningalgorithmintegratingBDD sweeping,SAT searchandrandomsimulation.


Next randomsimulationis appliedto quickly checkfor asat-isfying assignment. If simulationcannotsolve the problem,SAT searchand BDD sweepingare first initialized and theninvoked in an intertwined manner[4]. In the inner loop, acall to the justificationprocedurejustify is alternatedwith aninvocationof multiple sweepingiterations. After eachBDDsweepingstep,thecutpointselectionheuristicimplementedinprocedurefind_and_init_cutpoints is applied to searchforpromisingcutpoints.Newly foundcutpointsareinitializedwithfreshBDD variables,which are thenaddedto the processingheap.As long asnew cutpointsaredetected,BDD sweepingisrestarteduntil theproblemis solvedor thecutpointselectionisexhausted.In the lattercasethereasoningalgorithmreturnstotheSAT solver to searchfor a satisfyingassignment.NotethatBDD sweepingmaymergeverticesthatareon thejustificationqueueof theSAT solver. This artifactis handledby preservingthemergeinformationandexplicitly processingtheSAT impli-cationsfor all mergedvertices.

Duringeachiterationof BDD sweepingandSAT search,thesize limit for sweepingand the backtracklimit for the SATsolverareincreased.In thissetting,thesealgorithmsdonot justindependentlyattemptto solvetheproblem.EachBDD sweep-ing iteration incrementallycompressesthe AND/INVERTER

graphstructurefrom theinputstowardthetargetvertex, whicheffectively reducesthe searchspacefor the SAT solver. Thisinterleaved schemedynamicallydeterminesthe minimum ef-fort neededby thesweepingalgorithmto make theSAT searchsuccessful. If the iterative invocationof BDD sweepingandSAT searchwasnot able to solve the problem,the algorithmappliesthe SAT solver with a maximumbacktrackinglimit asa final attemptto find a solutionin a brute-forcemanner. Notethat in this casethe sweepingprocessis stoppedby the limit4 |�| _ ��9� _ �.�X�� _ }��B�5�B� . This limit preventstheprocessingofexcessively largeBDDs.

IX. EXPERIMENTS

In order to evaluatethe effectivenessof the presentedap-proachwe performedextensive experimentsusing488circuitsrandomlyselectedfrom a numberof microprocessorsdesigns.Thecircuitsrangein sizefrom a few 69¿�¿ to 6.¿�¿�Â gateswith asizedistributiongivenin Fig.20. Thenumberof outputsandin-putspercircuit rangefrom afew 100to morethan10,000.Theexperimentswereperformedon a RS/6000model270 with a64-bit, two-way Power3 processorrunningat 375 MHz and8GBytesof mainmemory.

A. FunctionalHashing

In thefirst experiment,we evaluatedtheeffectivenessof theAND/INVERTER graphstructureand functional hashing. Forthis we constructedthe circuit graphsfor the designspecifi-cationsand comparedthe sizesgeneratedby simple hashingdescribedin SectionIII-A with the resultsof the functionalmethodpresentedin SectionIII-B. Thehistogramfor thesizereductionof thecircuit graphsis plottedin Fig. 21. As shown,on averagethe given sampleof circuit representationscanbereducedby ="¿ %, the runtimeoverheadfor all runswasnegli-gible. Sinceit is not clear which choiceof recursive branch

2 2.5 3 3.5 4 4.5 5 5.50

5

10

15

20

25

30

35

40

45

Number of vertices (log10 scale)

Num

ber

of e

xam

ples

Distribution of circuit sizes

Fig. 20. Distribution of circuit sizesfor theexperiments.

0 0.5 1 1.5 2 2.5 30

10

20

30

40

50

60

70

80

Ratio of number of vertices (functional hashing / simple hashing)

Num

ber

of e

xam

ples

Circuit graph compression using Functional Hashing

Fig. 21. Comparisonof graphreductionof simpleversusfunctionalhashing.

will leadto morefunctionalmapping,wedo observefew caseswhereenlargementin thecircuit takesplacecomparedto struc-turalhashing.However, this increaseis easilyoffsetby savingsin otherpartsof the circuit. The resultssuggestthat the pre-sentedhashingmethodis notonly usefulfor Booleanreasoningbut canalsobeappliedfor generalnetlistcompression.

B. FormalEquivalenceChecking

1) InterleavedInvocationof BDD SweepingandSAT: First,to demonstratetheeffectof theinterleavedapplicationof BDDsweepingandstructuralSAT search,we chosea miter struc-turefrom a particularequivalencecheckingproblem.Fromtheabovementionedcircuits,weselectedanoutputpair whichhas97 inputs,1322gatesfor the specificationand2782gatesfortheimplementation.

In a seriesof experimentstheBDD sweepingalgorithmwasappliedto theoriginal miter circuit with varying limits for theBDD size. After sweeping,the SAT solver was invoked onthe compressedmiter structureandrun until equivalencewasproven.TableI givestheresultsfor differentlimits ontheBDDsize. As shown, thereis a clear trade-off betweenthe effortspentin BDD sweepingandSAT search.For this exampletheoptimal performancewas achieved with a BDD size limit of


TABLE IPERFORMANCE OF BDD SWEEPING AND SAT SEARCH FOR VARIOUS

BDD SIZE LIMITS (HIGHLIGHTED ENTRIES CORRESPOND TO GRAPHS

SHOWN IN FIG. 22).

BDD BDD Sweeping SAT Search TotalSize Memory[kB] / # Backtracks/ Memory[kB] /Limit Time[sec] Time[sec] Time [sec]�$Ã 342/ 0.00 2407939/ 347.17 342/ 347.17��Ä 347/ 0.64 115/ 7.40 347/ 8.04�$Å 349/ 0.60 115/ 7.47 349/ 8.07�'Æ 358/ 0.66 87 / 6.93 358/ 7.59�$Ç 372/ 0.78 43 / 6.88 372/ 7.66�$È 396/ 1.18 43 / 7.03 396/ 8.21��ÄeÃ 791/ 1.67 43 / 6.57 791/ 8.24��ÄeÅ 2212/ 4.22 43 / 6.30 2212/ 10.52��Ä�Æ 2219/ 6.98 43 / 6.15 2219/ 13.13��ÄeÇ 8381/ 12.14 27 / 5.27 8381/ 17.41��ÄFÉ 8540/ 19.16 0 / 0.00 8540/ 19.16

C"Ê . Theuseof BDD sweepingandSAT searchin thedescribedincrementalandintertwinedmannerheuristicallyadjuststheef-fort spentby eachalgorithmto thedifficulty of theproblem.

Fig. 22 shows the two outputsforming the miter structurefor threeselectedrunsfor which thecorrespondingentriesarehighlightedin TableI. In thedrawings,all inputsarepositionedat thebottom.Theplacementof theAND verticesis donebasedontheirconnectivity to thetwo outputswhicharelocatedat thetop. AND verticesthat feed only oneof the two outputsarealignedontheleft andright sideof thepicture.Verticesthataresharedbetweenboth conesareplacedin the middle. Further,filled circlesandopencirclesareusedto distinguishbetweenverticeswith andwithoutBDDs,respectively.

Part (a) of the picture illustratesthe initial miter structurewithout performingany BDD sweeping. As shown, a num-berof verticesaresharedasaresultof structuralandfunctionalhashing. In order to prove equivalenceat this stage,the SATsolver would needabout2.4 million backtracks. Fig. 22(b)shows the miter structureafter performing a modestBDDsweepwith a sizelimit of 16 BDD nodes.It is clearthatmanymoreverticesaresharedat this point. TheSAT solvercannowprove equivalenceusingonly 87 backtracks.The last part ofthe picture displaysthe miter structurewhen it is completelymerged by BDD sweeping. Here, the equivalenceproof re-quiredbuilding BDDs for all miter vertices.

2) Overall Performancein an Industrial Setting: In afurther experiment,we evaluatedthe overall effectivenessofthecombinationof BDD sweeping,structuraltransformations,structuralSAT, andrandomsimulation.First, to provide anin-tuition of the requiredcomputingresourcesin a typical indus-trial applicationproject,werana full equivalencecheckfor thegivensetof designsusingthepresentedapproach.All designsarecorrect,i.e., thespecificationandimplementationarefunc-tionally equivalent. Fig. 23 providestwo histogramsshowingthedistributionof theruntimesandmemoryuse.As shown, themajority of circuitscanbecomparedwithin a few tensecondsusinglessthan100MBytesof memory.

3) Comparisonof CombinedApproach with SimpleBDDSweeping: Next, we comparethe presentedcomprehensiveapproachwith the original plain BDD sweepingalgorithmasdescribedin [3]. For the former, BDD sizeswerevariedfroma 4 |�| }F~l�,�9� �.�B�� }e�B�Ë�B� of C Ê to a 4 |�| ��9� �.�X�� }��B�5�B� of

BDD builtno BDD built yetVertices right cone only:139

170

87

Number of backtracks:Vertices shared:

2407939

BDD size limit: 2Vertices left cone only:

0

(a)

Vertices right cone only:29196


87


4

56

(b)

Vertices right cone only:0216

0


0


17

(c)

Fig. 22. Examplethe two outputsforming the miter structureat differentstagesof BDD sweeping:(a) nosweepingperformed,(b) sweepingresultwithBDD sizelimit of U Ì , (c) sweepingresultwith BDD sizelimit of U �FÍ .


−2 −1 0 1 2 3 40

5

10

15

20

25

Combined Functional Hashing, BDD−Sweeping and SAT

Time in seconds (log10 scale)N

umbe

r of

exa

mpl

es

(a)

2.5 3 3.5 4 4.5 5 5.5 6 6.50

5

10

15

20

25

30

35

40

45

Num

ber

of e

xam

ples

Memory in KBytes (log10 scale)

Combined Functional Hashing, BDD−Sweeping and SAT

(b)

Fig. 23. Computingresourcesfor equivalencecheckingof thegivensetof 488circuits: (a) runtimedistribution, (b) memorydistribution.

C �$Î , with a |��l}��O1 4 |�| }e�>�5�B� of C � . The �91�� 4 1j�Ï�X�K1j�Ï }e�B�Ë�B�ranged from a low of 1000 to a high of 1000000with a|��l}��O1 �.1�� }e�>�5�B� varying between1000and5000. The resultsaregiven in Fig. 24. As shown, the majority of circuits couldbe comparedusingsignificantly lesstime, sometimestwo or-dersof magnitudeless. The memoryconsumptionremainedaboutthe same. The performancefor a particularlycomplexcircuit is markedin bothdiagrams.Thisdesigncontains55,096gates,302 primary inputs, 2,876 outputs,and 2,200 latches.The verificationrun included5,076comparisonsand231,232consistency checks(checksfor all nets,prohibitingfloatingorcollisoncondition)andcouldbeaccomplishedin 246secondsversus8.3 hoursusing82 MBytes versus357 MBytes for thenew andold method,respectively.

C. FormalPropertyChecking

For evaluatingtheeffectivenessof thepresentedapproachforpropertychecking,we integratedthe algorithmsin a boundedmodelcheckingsetting.Boundedmodelchecking[21] is basedon a sequenceof combinationalpropertychecksusinga finiteunfolding of the designunderverification. By systematicallyincreasingthe unfoldingdepthfrom 6 to a boundedinteger Ï ,this approachcheckswhetherthepropertycanbedisprovedby

10−2

10−1

100

101

102

103

104

105

106

10−2

10−1

100

101

102

103

104

105

106

BDD−Sweeping only

Com

bine

d F

unct

iona

l Has

hing

, B

DD

−Sw

eepi

ng a

nd S

AT

Time in seconds

(30145, 246)

(a)

102

103

104

105

106

107

102

103

104

105

106

107 Memory in KBytes

BDD−Sweeping only

Com

bine

d F

unct

iona

l Has

hing

, B

DD

−Sw

eepi

ng a

nd S

AT

(357335, 82747)

(b)

Fig. 24. Comparisonof the original BDD sweepingalgorithmwith the newalgorithmfor equivalencechecking:(a) runtime,(b) memory.

a counterexampleof length Ï or less. We implementedtheboundedmodel checkingapproachin a transformation-basedtool setting. For proving a particularproperty, the designde-scriptionis convertedinto abit-level netlist.

In ourexperimentalsettingthenetlistis first simplifiedby it-eratively applying a sequenceof reductionenginesincluding(1) a combinationalsimplification enginebasedon the pre-sentedalgorithmand(2) a retiming enginefor sequentialop-timization[22]. Thefirst engineeliminatesfunctionallyequiv-alentcircuit structures,andremovesredundantregisters. Thesecondenginereducesthe numberof registersby applyinganILP-basedmin-arearetiming algorithm. After simplificationthenetlist is verifiedwith theabovementionedboundedmodelcheckingmethodby checkinga sequenceof SAT problems.

In a first experiment,we comparedthe effectivenessof thepresentedapproach,which combinesstructuralandfunctionalhashing,BDD sweeping,andSAT againsta plain applicationof the SAT procedureonly. Both methodswork on the cir-cuit graphthatwascompressedby simplehashingonly (asde-scribedin SectionIII-A). For thisexperimentweused40prop-ertiesfrom the givensetof designsthatareboundedlycorrect(i.e., thetargetstatesarenot reachablewithin thegivenunfold-ing limit). In this experiment,the unfolding lengthvariedbe-tween6 and25 time frames.

Theresultsof thecomparisonaredepictedin Fig. 25. Each


10−2

10−1

100

101

102

103

10−2

10−1

100

101

102

103

Time in seconds

SAT only

Com

bine

d F

unct

iona

l Has

hing

, B

DD

−Sw

eepi

ng a

nd S

AT

(1549.86, 6.65)

Fig.25. Comparisonof theapplicationof plainSAT versusthepresentedcom-binedapproachto prove unreachabilityin aboundedmodelcheckingsetting.

TABLE IIPERFORMANCE OF BOUNDED MODEL CHECKING FOR VARIOUS SWEEPING

LIMITS FOR THE MARKED PROPERTY OF FIG. 25.

BDD GraphSize SAT Search PerformanceSize # Vertices # Backtracks Memory[kB] /Limit Time[sec]Ð�Ñ

1669 967887 924/ 1549.86Ð Ò1228 6563 4494/ 10.21Ð�Ó1228 6563 4496/ 10.43Ð�Ô1228 6563 4497/ 10.51Ð$Õ1222 6221 4498/ 9.43Ð�Ö1211 5590 4501/ 8.59Ð�×1203 4396 4503/ 6.65Ð�Ø1188 4484 4504/ 6.71Ð�Ù1188 4484 4505/ 6.80

marker in thediagramrepresentsa particularpropertyandthepositionindicatestheperformancesof thetwo approaches.Asshown, thecombinedapproachis vastlysuperior, sometimesbyseveralordersof magnitude.This resultis particularlyinterest-ing because,in contrastto anapplicationin equivalencecheck-ing, theunfoldedcircuit structuredoesnot necessarilycontaina largenumberof functionallyidenticalnetsthatcannotbedis-coveredby simplestructuralhashing.Theefficienthandlingofthesecasesdemonstratesthe significantrobustnessandversa-tility of the presentedapproach.As an illustration, the plainapplicationof SAT searchrequired1550secondsfor provingthepropertyhighlightedin Fig.25;in contrastthecombinedap-proachusedonly 7 seconds.TableII shows the performancesfor variousBDD sweepinglimits andgivesthe correspondingcompressionof thegraphstructure.

In a secondexperiment,we evaluatedthe effectivenessofsimulation in the presentedsetting. For this, we comparedtheplain applicationof randomsimulation[14] with animple-mentationthat includeshashing,BDD sweeping,andSAT. Weused396 easy-to-hitpropertiesfrom the given setof designs.In this experiment,the unfolding depthvariedbetween6 and25 time frames,dependingon the depthof the counterexam-ple. We foundthat simulationsignificantlyoutperformsstruc-turedsearchtechniques,suchasSAT, in hitting reachabletargetstates.Fig. 26 illustratesthe run timesfor randomsimulationversusthe combinedapproach.It reaffirms our view of usingsimulationto dischargeeasyto hit targetsandutilizing moreex-

10−2

10−1

100

101

102

10−2

10−1

100

101

102

Time in seconds

Random Simulation

Com

bine

d F

unct

iona

l Has

hing

, B

DD

−Sw

eepi

ng a

nd S

AT

(0.64, 5.43)

Fig. 26. Comparisonof theapplicationof randomsimulationversusthepre-sentedcombinedapproachto prove reachabilityof easy-to-hitpropertiesin aboundedmodelcheckingsetting.

100

101

102

103

104

100

101

102

103

104

Time in seconds

SAT only

Com

bine

d F

unct

iona

l Has

hing

, B

DD

−Sw

eepi

ng a

nd S

AT

(57.67, 92.44)

Fig. 27. Comparisonof the applicationof plain SAT versusthe presentedcombinedapproachto prove reachabilityof hard-to-hitpropertiesin aboundedmodelcheckingsetting.

pensive but exhaustive techniquessuchasBDD sweepingandSAT to hit difficult targets,or to provetargetsunreachable.

In a last experiment,we selected10 deep,hard-to-hitprop-ertiesfrom the given setof designs.Noneof thesepropertiescouldbehandledby thesimulationapproachusedin theprevi-ousexperiment.Heretheunfoldingdepthvariedbetween17 toasmuchas400for someparticularlyhardsatisfiableproperties.Fig.27illustratestheruntimesfor thecombinedapproachcom-paredagainstanapplicationof theSAT-solveralone.Again,thecombinedapproachvastlyoutperformstheuseof SAT alone.

X. CONCLUSIONS

In this paper we presenteda combinationof techniquesfor Booleanreasoningusing structuraltransformations,BDDsweeping,a SAT solver, andrandomsimulationin a tight in-tegration.All four methodswork on a sharedAND/INVERTER

graphrepresentationof theproblemandareinvokedin aninter-twinedmanner. Thisuniqueintegrationresultsin arobustsum-mationof theirnativelyorthogonalstrength.Usinganextensivesetof industrialproblemswe demonstratethe effectivenessofthepresentedtechniquefor a wide rangeof applications.


Theoutlinedapproachis well suitedfor formal equivalencechecking.It is currentlyintegratedin theequivalencecheckingtool Verity [23], which hasbeenusedon numerouspracticalmicroprocessorand ASIC designswithin IBM. Nevertheless,the presentedreasoningmethodis equallyapplicableto otherCAD applications,suchaslogic synthesis,timing analysis,orformalpropertychecking.

REFERENCES

[1] Malay K. GanaiandAndreasKuehlmann, “On-the-fly compressionoflogical circuits,” in International Workshopon Logic Synthesis, May2000.

[2] Daniel Brand, “Verification of large synthesizeddesigns,” in Di-gestof Technical Papers of the IEEE/ACM InternationalConferenceonComputer-AidedDesign, SantaClara,CA, November1993,pp.534–537.

[3] AndreasKuehlmannandFlorian Krohm, “Equivalencecheckingusingcutsandheaps,” in Proceedingsof the34thACM/IEEEDesignAutoma-tion Conference, Anaheim,CA, June1997,pp.263–268.

[4] Viresh Paruthi and AndreasKuehlmann, “Equivalencecheckingcom-bining a structuralSAT-solver, BDDs, andsimulation,” in Proceedingsof theIEEE InternationalConferenceon ComputerDesign, Austin, TX,September2000,pp.459–464.

[5] Martin Davis andHilary Putnam,“A computingprocedurefor quantifica-tion theory,” Journal of of theAssociationof for ComputingMachinery,vol. 7, pp.102–215,1960.

[6] Martin Davis, GeorgeLogeman,andDonaldLoveland,“A machinepro-gram for theoremproving,” Communicationsof the ACM, vol. 5, pp.394–397,July1962.

[7] JoaoP. Marques-Silva andKaremA. Sakallah,“GRASP:a searchalgo-rithm for propositionalsatisfiability,” IEEE Transactionson Computers,vol. 48,no.5, pp.506–521,1999.

[8] Matthew W. Moskewicz, Conor F. Madigan,Ying Zhao, Linto Zhang,and SharadMalik, “Chaff: Engineeringan efficient SAT solver,” inProceedingsof the38thACM/IEEEDesignAutomationConference, LasVegas,Nevada,June2001,pp.530–535.

[9] SheldonB. Akers, “Binary decisiondiagrams,” IEEE TransactionsonComputers, vol. 27,no.6, pp.509–516,June1978.

[10] RandalE. Bryant, “Graph-basedalgorithmsfor Booleanfunctionmanip-ulation,” IEEETransactionsonComputers, vol. 35,pp.677–691,August1986.

[11] Seh-WoongJeong,BernardPlessier, Gary Hachtel,andFabio Somenzi,“ExtendedBDD’s: Tradingoff canonicityfor structurein verificational-gorithms,” in Digestof Technical Papers of theIEEE InternationalCon-ferenceonComputer-AidedDesign, November1991,pp.464–467.

[12] GordonL. Smith,RalphJ.Bahnsen,andHarryHalliwell, “Booleancom-parisonof hardwareandflowcharts,” IBM Journal of Research andDe-velopment, vol. 26,no.1, pp.106–116,January1982.

[13] Henrik Hulgaard,Poul F. Williams, andHenrik R. Andersen, “Equiva-lencecheckingof combinationalcircuits usingBooleanexpressiondia-grams,” IEEE Transactionson Computer-AidedDesign, vol. 18, no. 7,July1999.

[14] FlorianKrohm, AndreasKuehlmann,andArjen Mets, “The useof ran-dom simulationin formal verification,” in Proceedingsof the IEEE In-ternationalConferenceon ComputerDesign, Austin,TX, October1996,pp.371–376.

[15] RajarshiMukherjee,JawaharJain,Koichiro Takayama,MasahiroFujita,JacobA. Abraham,andDonaldS. Fussel, “An efficient filter-basedap-proachfor combinationalverification,” Transactionson Computer-AidedDesign, vol. 18,no.11,pp.1542–1557,November1999.

[16] SubodhM. Reddy, WolfgangKunz,andDhiraj K. Pradhan,“Novel verifi-cationframework combiningstructuralandOBDDmethodsin asynthesisenvironment,” in Proceedingsof the32thACM/IEEEDesignAutomationConference, SanFrancisco,June1995,pp.414–419.

[17] Aarti Gupta and Pranav Ashar, “Integrating a Booleansatisfiabilitychecker andBDDsfor combinationalequivalencechecking,” in Proceed-ingsof theInternationalConferenceonVLSIDesign, 1998,pp.222–225.

[18] JerryR. BurchandVigyanSinghal, “Tight integrationof combinationalverificationmethods,” in Digestof Technical Papers of the IEEE/ACMInternational Conference on Computer-Aided Design, San Jose,CA,November1998,pp.570–576.

[19] Wolfgang Kunz, “HANNIB AL: An efficient tool for logic verifica-tion basedon recursive learning,” in Digestof Technical Papers of theIEEE/ACM InternationalConferenceon Computer-AidedDesign, SantaClara,CA, November1993,pp.538–543.

[20] SandipKundu, LeendertM. Huisman,Indira Nair, Vijay Ivengar, andLakshmiReddy, “A small testgeneratorfor largedesigns,” in Proceed-ingsof theInternationalTestConference, 1992,pp.30–40.

[21] Armin Biere,AlessandroCimatti,EdmundM. Clarke,andYunshanZhu,“Symbolic modelcheckingwithout BDDs,” in 5th InternationalConfer-enceon ToolsandAlgorithmsfor ConstructionandAnalysisof Systems,Amsterdam,TheNetherlands,March1999,pp.193–207.

[22] AndreasKuehlmannandJasonBaumgartner, “Transformation-basedver-ification using generalizedretiming,” in ComputerAided Verification,Paris,France,July2001,pp.104–117.

[23] AndreasKuehlmann,Arvind Srinivasan,andDavid P. LaPotin, “Verity -aformalverificationprogramfor customCMOScircuits,” IBM JournalofResearch andDevelopment, vol. 39,no.1/2,pp.149–165,January/March1995.

PLACEPHOTOHERE

Andr easKuehlmann received theDipl-Ing. degreeandtheDr.-Ing. habil degreein ElectricalEngineer-ing from the University of Technologyat Ilmenau,Germany, in 1986 and 1990, respectively. His re-searchtopicsincludedalgorithmsfor automaticlay-outverificationandsynthesis.After graduation,from1990 to 1991, Andreasworked at the FraunhoferInstitute of Microelectronic Circuits and Systems,Duisburg, on a project to automaticallysynthesizeembeddedmicrocontrollers. In 1991 he joined theIBM T.J. WatsonResearchCenterwherehe worked

until June2000on variousprojectsin high-level andlogic synthesisandhard-wareverification.Amongothers,hewastheprincipalauthorandprojectleaderof Verity, IBM’ s standardequivalencecheckingtool. FromJanuary1998untilMay 1999AndreasvisitedtheDepartmentof ElectricalEngineeringandCom-puterScienceat UC Berkeley. In July 2000he joined the CadenceBerkeleyLabswherehecontinuesto work on synthesisandverificationproblems.

PLACEPHOTOHERE

Viresh Paruthi received the B.Tech(H) degree inComputerScienceandEngineeringfrom the IndianInstituteof Technology, Kharagpurin 1995,andanMS degreein ComputerEngineeringfrom the Uni-versityof Cincinnatiin 1997.His undergraduatetop-icsof interestincludedchannelroutingalgorithmsforVLSI designs,and performancestudy of networks.His Mastersresearchfocusedon functional formalverification,in particularon automaticabstractionofdatapathsfor verificationof large-scaledesigns.In1997 Viresh joined IBM’ s Server Group where he

supportedandappliedtheVerity equivalencechecker to theGigahertzProces-sorproject.Later, hetransitionedintoadevelopmentrolecontributingto theen-hancementof Verity’s corealgorithms.His currentinterestsincludefunctionalformalandsemi-formalverification,abstractionsandequivalencechecking.

PLACEPHOTOHERE

Florian Kr ohm received the Dipl-Ing. degree inElectricalEngineeringfrom the University of Dort-mund,Germany in 1985. He thenjoined the Fraun-hofer Institute of MicroelectronicCircuits and Sys-tems, Duisburg, where he worked on a project toautomaticallysynthesizesoftware developmenten-vironmentsfor embeddedmicrocontrollers. His re-searchfocusedon methodsof retargetablecodegen-eration.In 1992hereceived theDr.-Ing. degreefromthe University of Duisburg, Germany. In 1994 hejoined the IBM T.J. WatsonResearchCenterwhere

he worked on topics of formal verification. In 1997 he took a managementpositionin IBM’ s MicroelectronicDivision. As this wassomewhat boringhedecidedto returnto technicalwork in 1999.His currentinterestsincludestaticanalysisof realworld programs.

PLACEPHOTOHERE

Malay K. Ganai received the M.S. and Ph.D. de-greein ComputerEngineeringfrom theUniversityofTexasatAustin,USA in 1998and2001,respectively.He received the B.Tech. degreein Electrical Engi-neeringfrom IIT Kanpur, India in 1992.His researchinterestsareCAD tools for VLSI, combiningformalandinformalverification,logic synthesis,andformalverification.He workedwith LarsenandToubro,In-dia between1992 and 1995 and with CadenceDe-sign Systems,India between1995and1997. He iscurrentlyworking with NEC ResearchLab, USA on

next generationformalverificationtools.

ieee transactions on computer-aideddesign of ......2 ieee transactions on computer-aideddesign of...

Documents