## 2. Verification by Equivalence Checking

Page
Combinational Circuits Verification ..... 2.2
Propositional Logic (Calculus) ..... 2.5
Propositional Resolution ..... 2.11
Stålmarck's Procedure ..... 2.19
Reduced Ordered Binary Decision Diagrams (ROBDDs) ..... 2.23
Sequential Circuits Verification ..... 2.56
Relational Representation of FSMs ..... 2.61
Relational Product of FSMs ..... 2.65
Reachability Analysis on FSMs ..... 2.67
Equivalence Checking Tools ..... 2.76
References ..... 2.78

## Combinational Circuits Verification

- Consist of an interconnection of logic gates - AND, OR, NOT, NAND, NOR, XOR, XNOR, and blocks implementing more complex logic (Boolean) functions.
- No logical loops, i.e., topologically there may be loops, but they are not sensitizable under any (valid) input combination, even such loops may be prohibited / not produced by automated analysis / synthesis tools


## Goal

Given two Boolean netlists, check if the corresponding outputs of the two circuits are equal for all possible inputs

- Two circuits are equivalent iff the Boolean function representing the outputs of the networks are logically equivalent
- Identify equivalence points and implications between the two circuits to simplify equivalence checking
- Since a typical design proceeds by a series of local changes, in most cases there are many implications / equivalent subcircuits in the two circuits to be compared
- Various tautology/satisfiability checking algorithms based on heuristics (problem is NPcomplete, but many work well on "real" applications ...)
- In this course we consider three main combinational equivalence checking methods:
- Propositional resolution method (tautology/satisfiability checking)
- Stålmarck's method (recent patented algorithm, very efficient and popular)
- ROBDD-based method (Boolean function converted into ROBDD's representation)


## Combinational Equivalence Checking

## Explicit Proof



- Propositional resolution
- Stålmarck's procedure
- ROBDDs


## Combinational Equivalence Checking (con't)

Implicit Proof


- $\mathrm{ROBDD}_{\mathrm{s}}$


## Propositional Logic (Calculus)

## Syntax

$\mathrm{P}, \mathrm{Q}, \mathrm{R}, \ldots$ - propositional symbols (atomic propositions)
t: true; f: false - constants
$\neg \mathrm{P}: \operatorname{not} \mathrm{P} \quad \mathrm{P} \wedge \mathrm{Q}: \mathrm{P}$ and $\mathrm{Q} \quad \mathrm{P} \vee \mathrm{Q}: \mathrm{P}$ or Q ;
$\mathrm{P} \rightarrow \mathrm{Q}:$ if P then $\mathrm{Q} \quad$ (proposition equivalent to $\neg \mathrm{P} \vee \mathrm{Q}$ )
$P \leftrightarrow Q: P$ if and only if $Q$, i.e., $P$ equivalent to $Q$ (proposition equivalent to $(\mathrm{P} \wedge \mathrm{Q}) \vee(\neg \mathrm{P} \wedge \neg \mathrm{Q}))$

## Semantics

Given through the Truth Table:

| P | Q | $\neg \mathrm{P}$ | $\mathrm{P} \wedge \mathrm{Q}$ | $\mathrm{P} \vee \mathrm{Q}$ | $\mathrm{P} \rightarrow \mathrm{Q}$ | $\mathrm{P} \leftrightarrow \mathrm{Q}$ |
| :---: | :---: | :---: | :---: | :---: | :---: | :---: |
| t | t | f | t | t | t | t |
| t | f | f | f | t | f | f |
| f | t | t | f | t | t | f |
| f | f | t | f | f | t | t |

An interpretation is a function from the propositional symbols to $\{\mathrm{t}, \mathrm{f}\}$

## Propositional Logic (cont'd)

- Formula $F$ is satisfiable (consistent) iff it is true under at least one interpretation
- Formula F is unsatisfiable (inconsistent) iff it is false under all interpretations
- Formula F is valid iff it is true (consistent) under all interpretations
- Interpretation I satisfies a formula $F$ ( I is a model of $F$ ) iff F is true under I. Notation: I $\models \mathrm{F}$
- Theorem: A formula F is valid (a tautology) iff $\neg \mathrm{F}$ is unsatisfiable. Notation: $\vDash \mathrm{F}$
- The relationship between F to $\neg \mathrm{F}$ can be visualized by "mirror principle":

All formulas in propositional logic

| Valid formulas | Satisfiable, <br> but non-valid formulas | Unsatisfiable formulas |
| :---: | :--- | :--- |
| $\mathrm{G} \leftarrow \neg \mathrm{F}$ |  |  |
|  | $\mathrm{F} \rightarrow---\rightarrow \mathrm{G}$ |  |

- To determine if F is satisfiable or valid, test finite number $\left(2^{n}\right)$ of interpretations of the $n$ atomic propositions occurring in F
... but it is an exponential method... satisfiability is an NP-complete problem


## Propositional Logic (cont'd)

## Proofs

- A proof of a proposition is derived using axioms, theorems, and inference rules (an inference rule permits deducing conclusions based on the truth of certain premises)
- A logic formula $F$ is deducible from the set $S$ of statements if there is a finite proof of $F$ starting from elements of $S$. Notation: $S \longmapsto F$


## Example: A simple proof system

- Axioms: $\mathrm{K}: \mathrm{A} \rightarrow(\mathrm{B} \rightarrow \mathrm{A})$

$$
\begin{aligned}
& \mathrm{S}:(\mathrm{A} \rightarrow(\mathrm{~B} \rightarrow \mathrm{C})) \rightarrow((\mathrm{A} \rightarrow \mathrm{~B}) \rightarrow(\mathrm{A} \rightarrow \mathrm{C})) \\
& \mathrm{DN}: \neg \neg \mathrm{A} \rightarrow \mathrm{~A}
\end{aligned}
$$

- Inference rule (Modus Ponens): $\{A \rightarrow B, A\} \vdash B$
- A proof of $\mathrm{A} \rightarrow \mathrm{A}$
$\begin{array}{ll}(1) \vdash(\mathrm{A} \rightarrow((\mathrm{D} \rightarrow \mathrm{A}) \rightarrow \mathrm{A})) \rightarrow((\mathrm{A} \rightarrow(\mathrm{D} \rightarrow \mathrm{A})) \rightarrow(\mathrm{A} \rightarrow \mathrm{A})) & \text { by } \mathrm{S}([\mathrm{B} \backslash \mathrm{D} \rightarrow \mathrm{A}],[\mathrm{C} \backslash \mathrm{A}]) \\ (2) \vdash \mathrm{A} \rightarrow((\mathrm{D} \rightarrow \mathrm{A}) \rightarrow \mathrm{A}) & \text { by } \mathrm{K}([\mathrm{B} \backslash \mathrm{D} \rightarrow \mathrm{A}]) \\ (3) \vdash(\mathrm{A} \rightarrow(\mathrm{D} \rightarrow \mathrm{A})) \rightarrow(\mathrm{A} \rightarrow \mathrm{A}) & \text { by MP, (1), (2) } \\ (4) \longmapsto \mathrm{A} \rightarrow(\mathrm{D} \rightarrow \mathrm{A}) & \text { by K } \\ (5) \longmapsto \mathrm{A} \rightarrow \mathrm{A} & \text { by MP, (3), (4). }\end{array}$


## Propositional Logic (cont'd)

Relation between syntax and semantics

- Truth tables provide a means of deciding truth
- Propositional logic is:
- complete: everything that is true may be proven, i.e., if $\mathrm{S} \longmapsto \mathrm{A}$ then $\mathrm{S} \models \mathrm{A}$
- consistent (sound): nothing that is false may be proven. i.e., if $S \models \mathrm{~A}$ then $\mathrm{S} \longmapsto \mathrm{A}$
- decidable: there is an algorithm for deciding the truth of any proposition, i.e., test a finite (exponential) number of truth assignments


## False Negative \& False Positive

Let P be a proposition (a property) and A a verification method (algorithm).

- False Negative: (similar to incompleteness)
$\mathrm{A}(\mathrm{P})$ reports true $\Rightarrow \forall$ interpretation $\psi, \psi(\mathrm{P})=$ true
$\mathrm{A}(\mathrm{P})$ reports false $\Rightarrow \neg(\forall$ interpretation $\psi, \psi(\mathrm{P})=$ true $)$ !
$(\exists \psi, \psi(\mathrm{P})=$ false $)$
- False Positive: (similar to inconsistency, unsoundness)
$\mathrm{A}(\mathrm{P})$ reports false $\Rightarrow \forall$ interpretation $\psi, \psi(\mathrm{P})=$ false
$\mathrm{A}(\mathrm{P})$ reports true $\Rightarrow \neg(\forall$ interpretation $\psi, \psi(\mathrm{P})=$ false $)$ !
$(\exists \psi, \psi(P)=$ true $)$


## Combinational Equivalence Checking

- Determine if two expressions fl and f 2 denote the same truth table
- Application: Determine if two combinational logic circuit designs C1 and C2 implement the same truth table (logic (Boolean) function)
- Extract representation of logic expressions f1 and f2
- Verify if
(f1 $\leftrightarrow \mathrm{f} 2$ ) is a valid formula, i.e., $\neg(\mathrm{f} 1 \leftrightarrow \mathrm{f} 2)$ is unsatisfiable using satisfiability algorithms (Propositional Resolution methods), or
(f1 $\rightarrow \mathrm{f} 2$ ) and ( $\mathrm{f} 2 \rightarrow \mathrm{f} 1$ ) hold (where f 1 and f 2 are transformed to implication form using Stålmarck's procedure), or
f1 and f2 have the same canonical form using, e.g., Reduced Binary Decision Diagrams


## Propositional Resolution

- A Literal L is an atomic proposition A or its negation $\neg \mathrm{A}$
- A Clause $C$ is a finite set of disjunctive literals ( $C=L_{1} \vee L_{2} \vee L_{3} \vee \ldots$ )

C is true iff one of its elements is true. The empty clause $\square$ is always false.
Let $\mathrm{A}_{1}, \mathrm{~A}_{2}, \ldots$ be atomic propositions and $\mathrm{L}_{\mathrm{i}, \mathrm{j}}$ literals

- Conjunctive Normal Form (CNF): a conjunction of disjunctions of literals

- Disjunctive Normal Form (DNF): a disjunction of conjunctions of literals


Each $\mathbf{L}_{\mathbf{i}, \mathbf{j}} \in\{\mathrm{A} 1, \mathrm{~A} 2, \ldots\} \cup\{\neg \mathrm{A} 1, \neg \mathrm{~A} 2, \ldots\}$ appears in each disjunct (conjunct) at most once!
Theorem: For every logic formula $F$, there is an equivalent CNF and an equivalent DNF

- Canonical Conjunctive Form (CCF): CNF in which each L appears exactly once
- Canonical Disjunctive Form (DCF): DNF in which each L appears exactly once


## Propositional Resolution (cont'd)

- Resolution is a proof method underlying some automatic theorem provers based on simple syntactic transformation and refutation.
- Refutation is a procedure to show that a given formula is unsatisfiable


## Resolution procedure:

- To prove F , we translate $\neg \mathrm{F}$ into a set of clauses, each a disjunction of atomic formulae or their negations.
- Each resolution step takes two clauses and yields a new one.
- The method succeeds if it produces the empty clause (a contradiction), thus refuting $\neg \mathrm{F}$.


## Propositional Resolution (cont'd)

- Let $\mathrm{F}=\left(\mathrm{L}_{1,1} \vee \ldots \vee \mathrm{~L}_{1, \mathrm{nl}}\right) \wedge \ldots \wedge\left(\mathrm{L}_{\mathrm{k}, \mathrm{l}} \vee \ldots \vee \mathrm{L}_{\mathrm{k}, \mathrm{nk}}\right)$ where literals $\mathrm{L}_{\mathrm{i}, \mathrm{j}} \in\left\{\mathrm{A}_{1}, \mathrm{~A}_{2}, \ldots\right\} \cup\left\{\neg \mathrm{A}_{1}, \neg \mathrm{~A}_{2}, \ldots\right\}$ F can be viewed as a set of clauses: $\mathrm{F}=\left\{\left\{\mathrm{L}_{1,1}, \ldots, \mathrm{~L}_{\mathrm{l}, \mathrm{n} 1}\right\}, \ldots,\left\{\mathrm{L}_{\mathrm{k}, 1}, \ldots, \mathrm{~L}_{\mathrm{k}, \mathrm{nk}}\right\}\right\}$, where
- Comma separating two literals within a clause corresponds to $\vee$
- Comma separating two clauses corresponds to $\wedge$
- Let $L$ be a literal in clause $C_{1}\left(L \in C_{1}\right)$ and its complement $\bar{L}$ in clause $C_{2}\left(\bar{L} \in C_{2}\right)$, Clause $R$ is a resolvent of $C_{1}$ and $C_{2}$ if: $R=\left(C_{1}-\{L\}\right) \cup\left(C_{2}-\{L \overline{\}})\right.$
- Example: $\mathrm{F}=\{\{\mathrm{p}, \mathrm{r}\},\{\mathrm{q}, \neg \mathrm{r}\},\{\neg \mathrm{q}\},\{\neg \mathrm{p}, \mathrm{v}\},\{\neg \mathrm{s}\},\{\mathrm{s}, \neg \mathrm{v}\}\}$.



## Propositional Resolution (cont'd)

- A (resolution) deduction of C from F is a finite sequence $\mathrm{C}_{1}, \mathrm{C}_{2}, \ldots, \mathrm{C}_{\mathrm{n}}$ of clauses such that each $\mathrm{C}_{\mathrm{i}}$ is either in F or a resolvent of $\mathrm{C}_{\mathrm{j}}, \mathrm{C}_{\mathrm{k}},(\mathrm{j}, \mathrm{k}<\mathrm{i})$
- $\operatorname{Res}(\mathrm{F})=\mathrm{F} \cup \mathrm{R}$ where R is a resolvent of two clauses in F

Lemma. F and $\mathrm{F} \cup \mathrm{R}$ are equivalent

- Define

$$
\begin{aligned}
& \operatorname{Res}^{0}(\mathrm{~F})=\mathrm{F} \\
& \operatorname{Res}^{\mathrm{n}+1}(\mathrm{~F})=\operatorname{Res}\left(\operatorname{Res}^{\mathrm{n}}(\mathrm{~F})\right), \mathrm{n} \geq 0
\end{aligned}
$$

- Let $\operatorname{Res}^{*}(F)=\underset{\mathrm{n} \geq 0}{\cup} \operatorname{Res}^{\mathrm{n}}(\mathrm{F})$

Theorem. F is unsatisfiable iff $\square \in \operatorname{Res}^{*}(\mathrm{~F})$

- Algorithm: to decide satisfiability of formula F in CNF (clause set):

```
    repeat
        G:=F;
        F:=Res(F)
    until (( }\square\in\textrm{F})\mathrm{ or ( }\textrm{F}=\textrm{G})\mathrm{ ;
    if }\square\inF\mathrm{ then "F is unsatisfiable" else "F is satisfiable".
```


## Propositional Resolution (cont'd)

Summary of basic idea:


## Propositinal Resolution - Example

Two circuits C 1 and C 2


$$
\begin{aligned}
& \mathrm{C} 1 \\
&=\text { ? }
\end{aligned}
$$



C2

Propositional Resolution
C1: out1 $=\mathrm{a} \vee \mathrm{b}$
C2: out2 $=(\neg a \wedge b) \vee(a \wedge a)$
(Mux: out $2=(\neg s \wedge b) \vee(s \wedge a))$
$\mathrm{G}=($ out $1 \Leftrightarrow$ out 2$)$

$$
\begin{aligned}
\mathrm{G} & =(\text { out } 1 \wedge \text { out } 2) \vee(\neg \text { out } 1 \wedge \neg \text { out } 2) \quad(\text { DNF }) \\
& =\text { true } ? \\
\mathrm{~F} & =\neg \mathrm{G}=\neg((\text { out } 1 \wedge \text { out } 2) \vee(\neg \text { out } 1 \wedge \neg \text { out } 2)) \\
& =\text { False } ?(\text { unsatifiable! })
\end{aligned}
$$

## CNF

$$
\begin{aligned}
\mathrm{F} & =(\neg \text { out } 1 \vee \neg \text { out } 2) \wedge(\text { out } 1 \vee \text { out } 2) \\
& =(\neg(\mathrm{a} \vee \mathrm{~b}) \vee \neg[(\neg \mathrm{a} \wedge \mathrm{~b}) \vee(\mathrm{a} \wedge \mathrm{a})]) \wedge((\mathrm{a} \vee \mathrm{~b}) \vee[(\neg \mathrm{a} \wedge \mathrm{~b}) \vee(\mathrm{a} \wedge \mathrm{a})]) \\
& =\ldots . \\
& =(\neg \mathrm{a}) \wedge(\neg \mathrm{b}) \wedge(\mathrm{a} \vee \mathrm{~b})
\end{aligned}
$$

Literals: $\{\{\neg \mathrm{a}\},\{\neg \mathrm{b}\},\{\mathrm{a}, \mathrm{b}\}\}$

$\Rightarrow$ derive empty clause $\{\square\}$

## Theorem Proving



$$
\begin{aligned}
& \text { out } 1=(\neg \mathrm{s} \wedge \mathrm{~b}) \vee(\mathrm{s} \wedge \mathrm{a}) \\
&=(\neg \mathrm{a} \wedge \mathrm{~b}) \vee(\mathrm{a} \wedge \mathrm{a}) \\
&=(\neg \mathrm{a} \wedge \mathrm{~b}) \vee \quad \mathrm{a} \\
&=(\neg \mathrm{a} \vee \mathrm{a}) \wedge(\mathrm{b} \vee \mathrm{a}) \\
&= 1 \wedge \wedge(\mathrm{~b} \vee \mathrm{a}) \\
&= \mathrm{b} \vee \mathrm{a}=\mathrm{a} \vee \mathrm{~b} \\
& \Rightarrow \quad \text { out } 2=\mathrm{out} 1
\end{aligned}
$$



## Stålmarck's Procedure

- Transform propositional formula G (in linear time) in a nested implication form, e.g.: $\mathrm{G}=(\mathrm{p} \rightarrow(\mathrm{q} \rightarrow \mathrm{r})) \rightarrow \mathrm{s}$
- G is now represented using a set of triplets $\left\{b_{i}, x, y\right\}$, meaning " $b_{i} \leftrightarrow(x \rightarrow y)$ ", e.g.: $(\mathrm{p} \rightarrow(\mathrm{q} \rightarrow \mathrm{r})) \rightarrow \mathrm{s} \quad$ becomes $\left\{\left(\mathrm{b}_{1}, \mathrm{q}, \mathrm{r}\right),\left(\mathrm{b}_{2}, \mathrm{p}, \mathrm{b}_{1}\right),\left(\mathrm{b}_{3}, \mathrm{~b}_{2}, \mathrm{~s}\right)\right\} ; \mathrm{G}=\mathrm{b}_{3}$
- To prove a formula valid, assume that it is false and try to find a contradiction (use 0 for false and 1 for true, as in switching (Boolean) algebra)
- Derivation rules: (a/b means "replace a by b")

| $\mathbf{r 1}$ | $(0, \mathrm{y}, \mathrm{z}) \Rightarrow \mathrm{y} / 1, \mathrm{z} / 0$ | meaning | false $\leftrightarrow(\mathrm{y} \rightarrow \mathrm{z})$ implies $\mathrm{y}=$ true and $\mathrm{z}=$ false |
| :--- | :--- | :--- | :--- |
| $\mathbf{r 2}$ | $(\mathrm{x}, \mathrm{y}, 1) \Rightarrow \mathrm{x} / 1$ | meaning | $x \leftrightarrow(\mathrm{y} \rightarrow$ true $)$ implies $\mathrm{x}=$ true |
| $\mathbf{r 3}$ | $(\mathrm{x}, 0, \mathrm{z}) \Rightarrow \mathrm{x} / 1$ | meaning | $x \leftrightarrow($ false $\rightarrow \mathrm{z})$ implies $\mathrm{x}=$ true |
| $\mathbf{r 4}$ | $(\mathrm{x}, 1, \mathrm{z}) \Rightarrow \mathrm{x} / \mathrm{z}$ | meaning | $x \leftrightarrow($ true $\rightarrow \mathrm{z})$ implies $\mathrm{x}=\mathrm{z}$ |
| $\mathbf{r 5}$ | $(\mathrm{x}, \mathrm{y}, 0) \Rightarrow \mathrm{x} / \neg y$ | meaning | $x \leftrightarrow(y \rightarrow 0)$ implies $\mathrm{x}=\neg y$ |
| $\mathbf{r 6}$ | $(\mathrm{x}, \mathrm{x}, \mathrm{z}) \Rightarrow \mathrm{x} / 1, \mathrm{z} / 1$ | meaning | $x \leftrightarrow(\mathrm{x} \rightarrow \mathrm{z})$ implies $\mathrm{x}=$ true and $\mathrm{z}=$ true |
| $\mathbf{r 7}$ | $(\mathrm{x}, \mathrm{y}, \mathrm{y}) \Rightarrow \mathrm{x} / 1$ | meaning | $x \leftrightarrow(\mathrm{y} \rightarrow \mathrm{y})$ implies $\mathrm{x}=$ true |

Example: $\mathrm{G}=(\mathrm{p} \rightarrow(\mathrm{q} \rightarrow \mathrm{p})):\left\{\left(\mathrm{b}_{1}, \mathrm{q}, \mathrm{p}\right),\left(\mathrm{b}_{2}, \mathrm{p}, \mathrm{b}_{1}\right)\right\}$, assume $\mathrm{G}=\mathrm{b}_{2}=0$, i.e., $\left(0, \mathrm{p}, \mathrm{b}_{1}\right)$ By $\mathrm{rl}: \mathrm{p}=1$ and $\mathrm{b}_{1}=0$, substitute for $\mathrm{b}_{1}$ and get $(0, \mathrm{q}, 1)$ (which is a terminal triplet) Again by rl this is a contradiction since $1 / 0$ is derived for z in r 1 , hence $\mathrm{b}_{2}=\mathrm{G}=1$ (true)

## Stålmarck's Procedure (cont'd)

- Not all formulas can be proved with these rules, need a form of branching: Dilemma rule $T=$ a set of triplets, $D_{i}, \mathrm{i}=1,2$, are derivations, results $U\left[S_{l}\right]$ and $V\left[S_{2}\right]$, conclusion $T[S]$

| $T$ |  |  |
| :---: | :---: | :---: |
| $\mathrm{~T}[\mathrm{x} / 1]$ |  | $\mathrm{T}[\mathrm{x} / 0]$ |
| $\mathrm{D}_{1}$ |  | $\mathrm{D}_{2}$ |
| ${\mathrm{U}\left[\mathrm{S}_{1}\right]}^{c}$ |  | $\mathrm{~V}^{2}\left[\mathrm{~S}_{2}\right]$ |
| $\mathrm{T}[\mathrm{S}]$ |  |  |
|  |  |  |

Assume $\mathrm{x}=0$ derive a result, then assume $\mathrm{x}=1$ and also derive a result.

- If either derivation gives a contradiction, the result is the other derivation
- If both are contradictions, then $T$ contains a contradiction
- Otherwise return the intersection of the result of the two derivations, since any information gained from $\mathrm{x}=0$ and $\mathrm{x}=1$ must be independent of that value

Example: $\mathrm{T}=\{(1, \neg \mathrm{p}, \mathrm{p}),(1, \mathrm{p}, \neg \mathrm{p})\}$ cannot be resolved using $\mathrm{rl}-\mathrm{r} 7$
$\mathrm{T}[\mathrm{p} / 1]=\{(1,0,1),(1,1,0)\}$ where $(1,1,0)$ is a contradiction
$\mathrm{T}[\mathrm{p} / 0]=\{(1,1,0),(1,0,1)\}$ where $(1,1,0)$ is again a contradiction
Hence T[S] results in a contradiction.

## Stålmarck's Procedure (cont'd)

Transformation from and-or-not logic to implication form:
not: $\mathrm{G}=\neg A \Leftrightarrow A \rightarrow 0 \Leftrightarrow\{(\mathrm{x}, \mathrm{A}, 0)\}, \mathrm{G}=\mathrm{x}$
or: $\mathrm{G}=A \vee B \Leftrightarrow \neg A \rightarrow B \Leftrightarrow\{(\mathrm{x}, \mathrm{y}, \mathrm{B}),(\mathrm{y}, \mathrm{A}, 0)\}, \mathrm{G}=\mathrm{x}$
and: $\mathrm{G}=A \wedge B \Leftrightarrow \neg(A \rightarrow \neg B) \Leftrightarrow\{(\mathrm{x}, \mathrm{y}, 0),(\mathrm{y}, \mathrm{A}, \mathrm{z}),(\mathrm{z}, \mathrm{B}, 0)\} \quad, \mathrm{G}=\mathrm{x}$

## Example of equivalence checking:



$$
\begin{aligned}
C 1= & \{(\mathrm{y}, \mathrm{e}, \mathrm{x}),(\mathrm{e}, \mathrm{~b}, 0),(\mathrm{x}, \mathrm{f}, 0) \\
& (\mathrm{f}, \mathrm{a}, \mathrm{~g}),(\mathrm{g}, \mathrm{~b}, 0)\}
\end{aligned}
$$



$$
\mathrm{C} 2=\{(\mathrm{t}, \mathrm{~h}, \mathrm{~s}),(\mathrm{h}, \mathrm{~b}, 0),(\mathrm{s}, \mathrm{u}, 0),(\mathrm{u}, \mathrm{r}, \mathrm{v}),(\mathrm{v}, \mathrm{c}, 0),
$$

$$
(\mathrm{r}, \mathrm{w}, 0),(\mathrm{w}, \mathrm{a}, \mathrm{p}),(\mathrm{p}, \mathrm{~b}, 0)\}
$$

Check $\mathrm{y} \rightarrow \mathrm{t}$ and $\mathrm{t} \rightarrow \mathrm{y}$
$\mathrm{y} \rightarrow \mathrm{t}:$ Form $\mathrm{C} 1 \cup \mathrm{C} 2 \cup\{(0, \mathrm{y}, \mathrm{t})\}$ which by r 1 yields $[\mathrm{y} / 1, \mathrm{t} / 0]$ and after substitution
$\{(\mathbf{1}, \mathbf{e}, \mathbf{x}),(e, b, 0),(x, f, 0),(f, a, g),(g, b, 0),(\mathbf{0}, \mathbf{h}, \mathbf{s}),(h, b, 0),(s, u, 0),(u, r, v),(v, c, 0)$, $(\mathrm{r}, \mathrm{w}, 0),(\mathrm{w}, \mathrm{a}, \mathrm{p}),(\mathrm{p}, \mathrm{b}, 0)$ \} giving by rl again $[\mathrm{h} / 1, \mathrm{~s} / 0]$ and...

## Stålmarck's Procedure (cont'd)

Example of equivalence checking (cont'd):
$\{(\mathbf{1}, \mathbf{e}, \mathbf{x}),(\mathrm{e}, \mathrm{b}, 0),(\mathrm{x}, \mathrm{f}, 0),(\mathrm{f}, \mathrm{a}, \mathrm{g}),(\mathrm{g}, \mathrm{b}, 0),(\mathbf{1}, \mathbf{b}, \mathbf{0}),(\mathbf{0}, \mathbf{u}, \mathbf{0}),(\mathrm{u}, \mathrm{r}, \mathrm{v}),(\mathrm{v}, \mathrm{c}, 0),(\mathrm{r}, \mathrm{w}, 0)$, ( $\mathrm{w}, \mathrm{a}, \mathrm{p}$ ), ( $\mathrm{p}, \mathrm{b}, 0)\}$ apply rl and r 5 and get $[\mathrm{u} / 1, \mathrm{e} / \neg \mathrm{b}, \mathrm{x} / \neg \mathrm{f}, \mathrm{g} / \neg \mathrm{b}, \mathrm{v} / \neg \mathrm{c}, \mathrm{r} / \neg \mathrm{w}, \mathrm{p} / \neg \mathrm{b}]$ which yields
$\{(1, \neg \mathrm{~b}, \neg \mathrm{f}),(\mathrm{f}, \mathrm{a}, \neg \mathrm{b}),(\neg \mathrm{b}, \mathrm{b}, 0),(1, \neg \mathrm{w}, \neg \mathrm{c}),(\mathrm{w}, \mathrm{a}, \neg \mathrm{b})\}$
Application of Dilemma rule to, say, b yields:
$\mathrm{b}=0:\{(1,1, \neg \mathrm{f}),(\mathrm{f}, \mathrm{a}, 1),(1,0,0),(1, \neg \mathrm{w}, \neg \mathrm{c}),(\mathrm{w}, \mathrm{a}, 1)\}$ yields $[\mathrm{f} / 1, \mathrm{w} / 1]$ by r 2 , thus $\{(\mathbf{1}, \mathbf{1}, \mathbf{0}),(1, \mathrm{a}, 1),(1,0, \neg \mathrm{c}),(1, \mathrm{a}, 1)\}$ i.e., $(\mathbf{1}, \mathbf{1}, \mathbf{0})$ is a contradiction
$\mathrm{b}=1:\{(1,0, \neg \mathrm{f}),(\mathrm{f}, \mathrm{a}, 0),(1,1,0),(1, \neg \mathrm{w}, \neg \mathrm{c}),(\mathrm{w}, \mathrm{a}, 0)\}$ a contradiction again
Conclusion: $\mathrm{y} \rightarrow \mathrm{t}$ holds.
Similarly for $\mathrm{t} \rightarrow \mathrm{y}$
The two circuits are equivalent.

## Binary Decision Diagrams (BDDs)

Classical representation of logic functions: Truth Table, Karnaugh Maps, Sum-of-Products, critical complexes, etc.

- Critical drawbacks:
- May not be a canonical form or is too large (exponential) for "useful" functions,
$\Rightarrow$ Equivalence and tautology checking is hard
- Operations like complementation may yield a representation of exponential size

Reduced Ordered Binary Decision Diagrams (ROBDDs)

- A canonical form for Boolean functions
- Often substantially more compact than traditional normal forms
- Can be efficiently manipulated
- Introduced mainly by R. E. Bryant (1986).
- Various extensions exist that can be adapted to the situation at hand (e.g., the type of circuit to be verified)


## Binary Decision Trees

- A Binary decision Tree (BDT) is a rooted, directed graph with terminal and nonterminal vertices
- Each nonterminal vertex $v$ is labeled by a variable $\operatorname{var}(v)$ and has two successors:
- low(v) corresponds to the case where the variable $v$ is assigned 0
- high(v) corresponds to the case where the variable $v$ is assigned 1
- Each terminal vertex $v$ is labeled by value $(v) \in\{0,1\}$
- Example: BDT for a two-bit comparator, $\mathrm{f}\left(\mathrm{a}_{1}, \mathrm{a}_{2}, \mathrm{~b}_{1}, \mathrm{~b}_{2}\right)=\left(\mathrm{a}_{1} \Leftrightarrow \mathrm{~b}_{1}\right) \wedge\left(\mathrm{a}_{2} \Leftrightarrow \mathrm{~b}_{2}\right)$



## Binary Decision Trees (cont'd)

- We can decide if a truth assignment $\underline{x}=\left(\mathrm{x}_{1}, \ldots, \mathrm{x}_{\mathrm{n}}\right)$ satisfies a formula in BDT in linear time in the number of variables by traversing the tree from the root to a terminal vertex:
- If $\operatorname{var}(v) \in \underline{\mathrm{x}}$ is 0 , the next vertex on the path is $\operatorname{low}(v)$
- If $\operatorname{var}(v) \in \underline{\mathrm{x}}$ is 1 , the next vertex on the path is $\operatorname{high}(v)$
- If $v$ is a terminal vertex then $\mathrm{f}(\underline{\mathrm{x}})=\mathrm{f}_{\mathrm{v}}\left(\mathrm{x}_{1}, \ldots, \mathrm{x}_{\mathrm{n}}\right)=\operatorname{value}(v)$
- If $v$ is a nonterminal vertex with $\operatorname{var}(v)=\mathrm{x}_{\mathrm{i}}$, then the structure of the tree is obtained by Shanon's expansion

$$
\mathrm{f}_{\mathrm{v}}\left(\mathrm{x}_{1}, \ldots, \mathrm{x}_{\mathrm{n}}\right)=\left[\neg \mathrm{x}_{\mathrm{i}} \wedge \mathrm{f}_{\text {low(v) }}\left(\mathrm{x}_{1}, \ldots, \mathrm{x}_{\mathrm{n}}\right)\right] \vee\left[\mathrm{x}_{\mathrm{i}} \wedge \mathrm{f}_{\text {high(v) }}\left(\mathrm{x}_{1}, \ldots, \mathrm{x}_{\mathrm{n}}\right)\right]
$$

- For the comparator, $\left(\mathrm{a}_{1} \leftarrow 1, \mathrm{a}_{2} \leftarrow 0, \mathrm{~b}_{1} \leftarrow 1, \mathrm{~b}_{2} \leftarrow 1\right)$ leads to a terminal vertex labeled by 0 , i.e., $f(1,0,1,1)=0$
- Binary decision trees are redundant:
- In the comparator, there are 6 subtrees with roots labeled by $b_{2}$, but not all are distinct
- Merge isomorphic subtrees:
- Results in a directed acyclic graph (DAG), a binary decision diagram (BDD)


## Reduced Ordered BDD

## Canonical Form property

- A canonical representation for Boolean functions is desirable:
two Boolean functions are logically equivalent iff they have isomorphic representations
- This simplifies checking equivalence of two formulas and deciding if a formula is satisfiable
- Two BDDs are isomorphic if there exists a bijection $h$ between the graphs such that
- Terminals are mapped to terminals and nonterminals are mapped to nonterminals
- For every terminal vertex $v$, value(v) $=\operatorname{value}(h(v))$, and
- For every nonterminal vertex $v$ :

$$
\operatorname{var}(v)=\operatorname{var}(h(v)), \quad h(\operatorname{low}(v))=\operatorname{low}(h(v)), \text { and } h(\operatorname{high}(v))=\operatorname{high}(h(v))
$$

- Bryant (1986) showed that BDDs are a canonical representation for Boolean functions under two restrictions:
(1) the variables appear in the same order along each path from the root to a terminal
(2) there are no isomorphic subtrees or redundant vertices
$\Rightarrow$ Reduced Ordered Binary Decision Diagrams (ROBDDs)


## Canonical Form Property

- Requirement (1): Impose total order " $<$ " on the variables in the formula:
if vertex $u$ has a nonterminal successor $v$, then $\operatorname{var}(u)<\operatorname{var}(v)$
- Requirement (2): repeatedly apply three transformation rules (or implicitly in operations such as disjunction or conjunction)
1.Remove duplicate terminals: eliminate all but one terminal vertex with a given label and redirect all arcs to the eliminated vertices to the remaining one



## Canonical Form Property (cont'd)

2. Remove duplicate nonterminals: if nonterminals $u$ and $v$ have $\operatorname{var}(u)=\operatorname{var}(v)$, $\operatorname{low}(u)=\operatorname{low}(v)$ and $\operatorname{high}(u)=\operatorname{high}(v)$, eliminate one of the two vertices and redirect all incoming arcs to the other vertex

3. Remove redundant tests: if nonterminal vertex $v$ has $\operatorname{low}(v)=\operatorname{high}(v)$, eliminate $v$ and redirect all incoming arcs to low(v)


## Creating the ROBDD for $(x \oplus y \oplus z)$

(a)

(b)

(c)


## Canonical Form Property (cont'd)

- A canonical form is obtained by applying the transformation rules until no further application is possible
- Bryant showed how this can be done by a procedure called Reduce in linear time
- Applications:
- checking equivalence: verify isomorphism between ROBDDs
- non-satisfiability: verify if ROBDD has only one terminal node, labeled by 0
- tautology: verify if ROBDD has only one terminal node, labeled by 1


## Example:

ROBDD of 2-bit Comparator with variable order $\mathrm{a}_{1}<\mathrm{b}_{1}<\mathrm{a}_{2}<\mathrm{b}_{2}$ :


## ROBDD Examples

OR


## ROBDD Examples (con't)



BDD


ROBDD

## ROBDD Examples (con't)

## XOR



## ROBDD Examples (con't)

NAND


| a | b | out |
| :---: | :---: | :---: |
| 0 | 0 | 1 |
| 0 | 1 | 1 |
| 1 | 0 | 1 |
| 1 | 1 | 0 |



## Variable Ordering Problem

- The size of an ROBDD depends critically on the variable order
- For order $\mathrm{a}_{1}<\mathrm{a}_{2}<\mathrm{b}_{1}<\mathrm{b}_{2}$, the comparator ROBDDbecomes:

- For an n-bit comparator:

$$
\begin{aligned}
& \mathrm{a}_{1}<\mathrm{b}_{1}<\ldots<\mathrm{a}_{\mathrm{n}}<\mathrm{b}_{\mathrm{n}} \text { gives } 3 \mathrm{n}+2 \text { vertices (linear complexity) } \\
& \mathrm{a}_{1}<\ldots<\mathrm{a}_{\mathrm{n}}<\mathrm{b}_{1} \ldots<\mathrm{b}_{\mathrm{n}} \text {, gives } 3 \times 2^{\mathrm{n}}-1 \text { vertices (exponential complexity!) }
\end{aligned}
$$

## Variable Ordering Problem - Example

$$
(x 1 \oplus y 1) \vee(x 2 \oplus y 2) \vee(x 3 \oplus y 3)
$$



## Variable Ordering Problem (cont'd)

- The problem of finding the optimal variable order is NP-complete
- Some Boolean functions have exponential size ROBDDs for any order (e.g., multiplier)


## Heuristics for Variable Ordering

- Heuristics developed for finding a good variable order (if it exists)
- Intuition for these heuristics comes from the observation that ROBDDs tend to be smaller when related variables are close together in the order (e.g., ripple-carry adder)
- Variables appearing in a subcircuit are related: they determine the subcircuit's output
$\Rightarrow$ should usually be close together in the order


## Dynamic Variable Ordering

- Useful if no obvious static ordering heuristic applies
- During verification operations (e.g., reachability analysis) functions change, hence initial order is not good later on
- Good ROBDD packages periodically internally reorder variables to reduce ROBDD size
- Basic approach based on neighboring variable exchange ... $<\mathrm{a}<\mathrm{b}<\ldots \Rightarrow$... $<\mathrm{b}<\mathrm{a}<\ldots$ Among a number of trials the best is taken, and the exchange is repeated


## Logic Operations on ROBDDs

- Residual function (cofactor): $\mathrm{b} \in\{0,1\}$
$\mathrm{f} \mid \mathrm{x}_{\mathrm{i}} \leftarrow \mathrm{b}\left(\mathrm{x}_{1}, \ldots, \mathrm{x}_{\mathrm{n}}\right)=\mathrm{f}\left(\mathrm{x}_{1}, \ldots, \mathrm{x}_{\mathrm{i}-1}, \mathrm{~b}, \mathrm{x}_{\mathrm{i}+1}, \ldots, \mathrm{x}_{\mathrm{n}}\right)$
- ROBDD of $\mathrm{f} \mid \mathrm{x}_{\mathrm{i}} \leftarrow \mathrm{b}$ computed by a depth-first traversal of the ROBDD off:

For any vertex v which has a pointer to a vertex w such that $\operatorname{var}(w)=x_{i}$, replace the pointer by $\operatorname{low}(w)$ if b is 0 and by $\operatorname{high}(w)$ if b is 1 .

If not in canonical form, apply Reduce to obtain ROBDD of $\mathrm{f} \mid \mathrm{x}_{\mathrm{i}} \leftarrow \mathrm{b}$.

- All 16 two-argument logic operations on Boolean function implemented efficiently on ROBDDs in linear time in the size of the argument ROBDDs.


## Logic Operations on ROBDDs (cont'd)

- Based on Shannon's expansion

$$
\mathrm{f}=[\neg \mathrm{x} \wedge \mathrm{f} \mid \mathrm{x} \leftarrow 0] \vee\left[\left.\mathrm{x} \wedge \mathrm{f}\right|_{\mathrm{x} \leftarrow 1}\right]
$$

- Bryant (1986) gave a uniform algorithm, Apply, for computing all 16 operations:
$f * f^{\prime}:$ an arbitrary logic operation on Boolean functions $f$ and $f^{\prime}$
v and $\mathrm{v}^{\prime}$ : the roots of the ROBDDs for $f$ and $f^{\prime}, x=\operatorname{var}(v)$ and $x^{\prime}=\operatorname{var}\left(v^{\prime}\right)$
- Consider several cases depending on v and v ,
(1) $v$ and $v^{\prime}$ are both terminal vertices: $f * f^{\prime}=$ value(v) $*$ value $\left(v^{\prime}\right)$
(2) $x=x$ ': use Shannon's expansion

$$
\mathrm{f} * \mathrm{f}^{\prime}=\left[\neg \mathrm{x} \wedge\left(\mathrm{f}\left|\mathrm{x} \leftarrow 0 * \mathrm{f}^{\prime}\right| \mathrm{x} \leftarrow 0\right)\right] \vee\left[\mathrm{x} \wedge\left(\mathrm{f}\left|\mathrm{x} \leftarrow 1 * \mathrm{f}^{\prime}\right| \mathrm{x} \leftarrow 1\right)\right]
$$

to break the problem into two subproblems, each is solved recursively
The root is $v$ with $\operatorname{var}(v)=x$
$\operatorname{Low}(v)$ is $\left(\mathrm{f}\left|\mathrm{x} \leftarrow 0 * \mathrm{f}^{\prime}\right| \mathrm{x} \leftarrow 0\right)$
$\operatorname{High}(v)$ is $\left(\mathrm{f}\left|\mathrm{x} \leftarrow 1 * \mathrm{f}^{\prime}\right| \mathrm{x} \leftarrow 1\right)$

## Logic Operations on ROBDDs (cont'd)

(3) $x<x^{\prime}: \mathrm{f}^{\prime}\left|\mathrm{x} \leftarrow 0=\mathrm{f}^{\prime}\right| \mathrm{x} \leftarrow 1=\mathrm{f}^{\prime}$ since $\mathrm{f}^{\prime}$ does not depend on x

In this case the Shannon's expansion simplifies to

$$
\mathrm{f} * \mathrm{f}^{\prime}=\left[\neg \mathrm{x} \wedge\left(\mathrm{f} \mid \mathrm{x} \leftarrow 0 * \mathrm{f}^{\prime}\right)\right] \vee\left[\mathrm{x} \wedge\left(\mathrm{f} \mid \mathrm{x} \leftarrow 1 * \mathrm{f}^{\prime}\right)\right] \text {, similar to (2) }
$$

and compute subproblems recursively,
(4) $x$ ' $<x$ : similar to the case above

Improvement using the if-then-else (ITE) operator:

$$
\operatorname{ITE}(\mathrm{F}, \mathrm{G}, \mathrm{H})=\mathrm{F} \cdot \mathrm{G}+\mathrm{F} \cdot \mathrm{H} \quad \text { where } \mathrm{F}, \mathrm{G} \text { and } \mathrm{H} \text { are functions }
$$

Recursive algorithm based on the following, $v$ is the top variable (lowest index):

$$
\begin{aligned}
\operatorname{ITE}(\mathrm{F}, \mathrm{G}, \mathrm{H}) & =\mathrm{v} \cdot\left(\mathrm{~F} . \mathrm{G}+\mathrm{F}^{\prime} \cdot \mathrm{H}\right)_{\mathrm{v}}+\mathrm{v}^{\prime} \cdot\left(\mathrm{F} . \mathrm{G}+\mathrm{F}^{\prime} \cdot \mathrm{H}\right)_{\mathrm{v}^{\prime}} \\
& =\mathrm{v} \cdot\left(\mathrm{~F}_{\mathrm{v}} \cdot \mathrm{G}_{\mathrm{v}}+\mathrm{F}^{\prime}{ }_{\mathrm{v}} \cdot \mathrm{H}_{\mathrm{v}}\right)+\mathrm{v}^{\prime} \cdot\left(\mathrm{F}_{\mathrm{v}^{\prime}} \cdot \mathrm{G}_{\mathrm{v}^{\prime}}+\mathrm{F}^{\prime}{ }_{\mathrm{v}}, \cdot \mathrm{H}_{\mathrm{v}^{\prime}}\right) \\
& =\left(\mathrm{v}, \operatorname{ITE}\left(\mathrm{~F}_{\mathrm{v}}, \mathrm{G}_{\mathrm{v}}, \mathrm{H}_{\mathrm{v}}\right), \operatorname{ITE}\left(\mathrm{F}_{\mathrm{v}^{\prime}}, \mathrm{G}_{\mathrm{v}^{\prime}}, \mathrm{H}_{\mathrm{v}^{\prime}}\right)\right)
\end{aligned}
$$

With terminal cases being: $\mathrm{F}=\operatorname{ITE}(1, \mathrm{~F}, \mathrm{G})=\operatorname{ITE}(0, \mathrm{G}, \mathrm{F})=\operatorname{ITE}(\mathrm{F}, 1,0)=\operatorname{ITE}(\mathrm{G}, \mathrm{F}, \mathrm{F})$
we define $\quad \operatorname{NOT}(\mathrm{F})=\operatorname{ITE}(\mathrm{F}, 0,1)$

$$
\begin{aligned}
& \operatorname{OR}(\mathrm{F}, \mathrm{G})=\operatorname{ITE}(\mathrm{F}, 1, \mathrm{G}) \\
& \operatorname{LEQ}(\mathrm{F}, \mathrm{G})=\operatorname{ITE}(\mathrm{F}, \mathrm{G}, 1)
\end{aligned}
$$

$\operatorname{AND}(\mathrm{F}, \mathrm{G})=\operatorname{ITE}(\mathrm{F}, \mathrm{G}, 0)$
$\operatorname{XOR}(\mathrm{F}, \mathrm{G})=\operatorname{ITE}(\mathrm{F}, \neg \mathrm{G}, \mathrm{G})$
etc.

## Logic Operations on ROBDDs (cont'd)

- By using dynamic programming, it is possible to make the ITE algorithm polynomial:
(1) The result must be reduced to ensure that it is in canonical form;
- record constructed nodes (unique table);
- before creating a new node, check if it already exists in this unique hash table
(2) Record all previously computed functions in a hash table (computed table);
- must be implemented efficiently as it may grow very quickly in size;
- before computing any function, check table for solution already obtained
- Complement edges can reduce the size of an ROBDD by a factor of 2
- Only one terminal node is labeled 1
- Edges have an attribute (dot) to indicate if they are inverting or not
- To maintain canonicity, a dot can appear only on low(v) edges
- Complementation achieved in $\mathrm{O}(1)$ time by placing a dot on the function edge
- F and F' can share entry in computed table
- Adaptation of ITE easy
- Test for $\mathrm{F} \leq \mathrm{G}$ can be computed by a specialized ITE_CONSTANT algorithm



## BDD Operators - Example



Task: compute ROBDD for $\mathrm{f}(\mathrm{a}, \mathrm{b})$

1) $f=x \wedge y=(a \vee b) \wedge(a \wedge b)$
order $\mathrm{a}, \mathrm{b}$.

| a | b | out |
| :---: | :---: | :---: |
| 0 | 0 | 0 |
| 0 | 1 | 0 |
| 1 | 0 | 0 |
| 1 | 1 | 1 |


| a | b | out |
| :---: | :---: | :---: |
| 0 | - | 0 |
| - | 0 | 0 |
| 1 | 1 | 1 |



## BDD Operators - Examples (con't)

2) $f=x \wedge y$

$$
\begin{aligned}
\mathrm{BDD}_{\mathrm{f}} & =" \mathrm{BDD}_{\mathrm{x}} \wedge \mathrm{BDD}_{\mathrm{y}} " \\
& =\operatorname{Conj}\left(\mathrm{BDD}_{\mathrm{x}}, \mathrm{BDD}_{\mathrm{y}}\right)
\end{aligned}
$$

$\mathrm{BDD}_{\mathrm{x}}$


$$
\begin{aligned}
& x \wedge 0=0 \\
& x \wedge 1=x
\end{aligned}
$$

$$
\begin{array}{ll}
\mathrm{a}=1: & 1 \\
\mathrm{a}=0: & \mathrm{b} \\
\mathrm{~b}=1: & 1 \\
\mathrm{~b}=0: & 0
\end{array}
$$

$$
\begin{aligned}
& \wedge \\
& \wedge \\
& \wedge \\
& \wedge
\end{aligned}
$$

$$
\begin{aligned}
& \mathrm{b}=\mathrm{b} \\
& 0=0 \\
& 1=1 \\
& 0=0
\end{aligned}
$$



## Other Decision Diagrams

- Multiterminal BDD (MTBDD): Pseudo-Boolean functions $\mathrm{B}^{\mathrm{n}} \rightarrow \mathrm{N}$, terminal nodes are integers
- Binary Moment Diagrams (BMD): for representing and verifying arithmetic operations, word-level representation
- Ordered Kronecker Functional BDDs (OKFBDD): Based on XOR operations and OBDD
- Free BDDs (FBDD): Different variable order along different paths in the graph
- Zero suppressed BDDs (ZBDD)
- Combination of various forms of DDs integrated in DD software packages: Drechsler et al (U. Freiburg, Germany), Clarke et al (Carnegie Mellon U., USA)
- Extension to represent systems of linear and Boolean constraints (DTU)
- Multiway Decision Diagrams (MDG): Representation for a subset of equational firstorder logic for modeling state machines with abstract and concrete data (U. of Montreal)


## Well known ROBDD packages:

- CMU (as used in SMV from Carnegie Mellon U.)
- CUDD, U. of Colorado at Boulder (as used in VIS from UC at Berkeley)
- Industrial packages: Intel, Lucent, Cadence, Synopsys, Bull Systems, etc.


## Applications of ROBDDs

## ROBDD:

- Construction DD from circuit description:
- Depth-first vs. breadth-first construction (keep only few levels in memory, rest on disk; problem with dynamic reordering)
- Partitioning of Boolean space, each partition represented by a separate graph
- Bottom-up vs. top-down, introducing decomposition points
- Internal correspondences in the two circuits - equivalent functions, or complex relations


## ATPG-based:

- Combine circuits with an XOR gate on the outputs, show inexistence of test for a fault s-a-0 on the output (i.e., the output would have to be driven to 1 meaning that there is a difference in the two circuits)
- Use ATPG and learning to determine equivalent circuit nodes


## Fast random simulation:

- Detect quickly easy differences


## Real tools:

- Use a combination of techniques, fast and less powerful first, slow but exact later


## Combinational Equivalence Chequing - Example

Two circuits C 1 and C2


C1

$=$ ?
C2

$$
\mathrm{C} 1: \mathrm{a} \vee \mathrm{~b} \quad \mathrm{C} 2: \text { if } \mathrm{a} \text { then } \mathrm{a} \text { else } \mathrm{b} \quad \text { MUX: if } \mathrm{c} \text { then } \mathrm{a} \text { else } \mathrm{b}
$$



## Combinational Equivalence Checking Multiplexor Example

Specification: if $c=1$ then out $=a$ else out $=b$

Build ROBBD for Spec:

| c | a | b | out |
| :---: | :---: | :---: | :---: |
| 1 | 1 | - | 1 |
| 1 | 0 | - | 0 |
| 0 | - | 1 | 1 |
| 0 | - | 0 | 0 |

ROBDD1:
order: $\mathrm{c}, \mathrm{a}, \mathrm{b}$


## Implementation:



$$
\text { out }=(c \wedge a) \vee(\neg c \wedge b)
$$

| c | a | b | out |
| :---: | :---: | :---: | :---: |
| 1 | 1 | 0 | 1 |
| 1 | 1 | 1 | 1 |
| 1 | 0 | 0 | 0 |
| 1 | 0 | 1 | 0 |
| 0 | 1 | 0 | 0 |
| 0 | 1 | 1 | 1 |
| 0 | 0 | 0 | 0 |
| 0 | 0 | 1 | 1 |

## Multiplexor Example (con't)

Build ROBDD for Imp:


> ROBDD2
> order: $\mathrm{c}, \mathrm{a}, \mathrm{b}$


## Multiplexor Example (con't)

Alternative way to build ROBDD2:

out $=(c \wedge a) \vee(\neg c \wedge b)$
order: $\mathrm{c}, \mathrm{a}, \mathrm{b}$


isomorph to ROBDD1

## Comparator Example



Spec: $f(\hat{a}, \hat{b})=1$ if $\hat{a}=\hat{b}$


Refinement: $f\left(a_{1}, a_{2}, b_{1}, b_{2}\right)=1$ if $\left(a_{1}=b_{1}\right) \wedge\left(a_{2}=b_{2}\right)$

$$
\begin{gathered}
\hat{a}=a_{1} a_{2} \\
\hat{b}=b_{1} b_{2}
\end{gathered}
$$

Implicit:


## Comparator Example (cont'd)

$$
\begin{aligned}
& \mathrm{x}-=\mathrm{z} \quad: \quad z=(x \wedge y) \vee(\neg x \wedge \neg y)) \\
& \mathrm{y} \neg-\quad \mathrm{z}
\end{aligned}
$$



## Comparator Example (cont'd)



T2:

disj: T1, T2, T12


T3:


T4:

disj: T3, T4, T34


## Comparator Example (cont'd)

conj. \(\left.T_{12,}, T_{34}, \begin{array}{c}a_{1}, a_{2}<br>b_{1}, b_{2}\end{array}\right)\) independent

order: $\mathrm{a}_{1}, \mathrm{~b}_{1}, \mathrm{a}_{2}, \mathrm{~b}_{2}$


Isomorph to the spec

## Equivalence Checking in Practice

- Usually, combinational circuits implement arithmetic and logic operations, and next-state and output functions of finite-state machines (sequential circuits)
- Verifying the behavior of the gate-level implementation against the RTL design of digital systems can often be reduced to verifying the combinational circuits
- Equivalence comparison between the next-state and output functions (combinational circuits)
- Requires that both have the same state space (and of course inputs and outputs), knowing the mapping between states helps...
- Can also be used to verify gate-level implementation against gate-level model extracted from layout
- This kind of verification is useful for confirming the correctness of manual changes or synthesis tools
- If the state space is not the same, sequential (behavioral equivalence) of FSM must be considered ...


## Cutpoint-based Equivalence Checking

Cutpoints are used to partition the Design


Cutpoint guessing:

- Compute net signature with random simulator
- Sort signatures + select cutpoints
- Iteratively verify and refine cutpoints
- Verify outputs


## Sequential Equivalence Checking

- If combinational verification paradigm fails (e.g. we have no name matching)
- Two options:
- Try to match registers automatically
- functional register correspondence
- structural register correspondence
- Run full sequential verification based on state traversal
- very expensive but most general


## Basic Model Finite State Machines


$M\left(X, Y, S, S_{0}, \delta, \lambda\right):$
$X:$ Inputs
$Y:$ Outputs
$S:$ Current State
$S_{0}:$ Initial State(s)
$\delta: X \times S \rightarrow S$ (next state function)
$\lambda: X \times S \rightarrow Y$ (output function)

Delay element:

- Clocked: synchronous
- single-phase clock, multiple-phase clocks
- Unclocked: asynchronous


## Finite State Machines Equivalence

Build Product Machine $M_{1} \times M_{2}$ :


Definition:
$M_{1}$ and $M_{2}$ are functionally equivalent iff the product machine
$M_{1} \times M_{2}$ produces a constant 0 for all valid input sequences $\left\{X_{1}, \ldots, X_{n}\right\}$.

## Illustrative Example



Product Machine:
$\left\{s^{1}, s^{4}\right\} \cup\left\{s^{2}, s^{3}, s^{5}\right\}$

Transition Relations:

$$
\begin{aligned}
& \left(s^{1}\right)^{\prime}=s^{1} \oplus x \\
& \left(s^{2}\right)^{\prime}=\neg\left(s^{1} \wedge s^{3}\right) \\
& \left(s^{3}\right)^{\prime}=\neg s^{1} \vee \neg s^{2} \\
& \left(s^{4}\right)^{\prime}=s^{4} \oplus x \\
& \left(s^{5}\right)^{\prime}=\neg\left(s^{4} \wedge s^{5}\right)
\end{aligned}
$$

## Sequential Circuits and Finite State Machines


$\mathbf{r}=\left(r_{1}, \ldots, r_{s}\right)$ a vector of memory bits

- state variables, memorize encoded states
$\mathbf{y}=\left(\mathrm{y}_{1}, \ldots, \mathrm{y}_{\mathrm{s}}\right)$ a vector of present state values
$\underline{\mathbf{y}}^{\prime}=\left(\mathrm{y}^{\prime}, \ldots, \mathrm{y}_{\mathrm{s}}\right)$ a vector of next state values
$\mathbf{x}=\left(\mathrm{x}_{1}, \ldots, \mathrm{x}_{\mathrm{m}}\right)$ a vector of input bits
- encode input symbols
$\underline{\underline{\mathbf{Z}}}=\left(\mathrm{z}_{1}, \ldots, \mathrm{z}_{\mathrm{n}}\right)$ a vector of output bits
- encode output symbols
$\mathbf{f}=$ output function, $\mathbf{f}(\underline{\mathrm{x}}, \underline{\mathbf{y}})=$ Mealy, $\mathbf{f}(\mathrm{y})=$ Moore $\mathbf{g}=$ next-state function
Here we consider FSM synchronized on clock transitions - synchronous sequential circuits
- To verify the behavior of such circuits we need efficient representation for the manipulation of next-state and output functions and sets of states
- Using characteristic functions of relations and sets


## Relational Representation of FSM

## Representation of Relations and Sets

- If R is n -ary relation over $\{0,1\}$ then R can be represented by (the ROBDD of) its characteristic function: $\mathrm{f}_{\mathrm{R}}\left(\mathrm{v}_{1}, \ldots, \mathrm{v}_{\mathrm{n}}\right)=1$ iff $\left(\mathrm{v}_{1}, \ldots, \mathrm{v}_{\mathrm{n}}\right) \in \mathrm{R}$
- Same technique can be used to represent sets of states
- Transition relation N of a sequential circuit is represented by its Boolean characteristic function over inputs and state variables:

$$
\mathrm{N}\left(\mathbf{x}, \mathrm{y}_{1}, \ldots, \mathrm{y}_{\mathrm{s}}, \mathrm{y}_{1}{ }^{\prime}, \ldots, \mathrm{y}_{\mathrm{s}}{ }^{\prime}\right)
$$

- Example: synchronous modulo 8 counter, $\mathrm{N}\left(\mathbf{y}, \mathbf{y}^{\prime}\right)=\mathrm{N}_{0}\left(\mathbf{y}, \mathrm{y}_{0}{ }^{\prime}\right) \wedge \mathrm{N}_{1}\left(\mathbf{y}, \mathrm{y}_{1}{ }^{\prime}\right) \wedge \mathrm{N}_{2}\left(\mathbf{y}, \mathrm{y}_{2}{ }^{\prime}\right)$



## Relational Representation of FSM (cont'd)

## Quantified Boolean Formulas (QBF)

- Needed to construct complex relations and manipulate FSMs
- $\mathrm{V}=\left\{\mathrm{v}_{1}, \mathrm{v}_{2}, \ldots, \mathrm{v}_{\mathrm{n}}\right\}=$ set of Boolean (propositional) variables
- $\mathrm{QBF}(\mathrm{V})$ is the smallest set of formulas such that
- every variable in V is a formula
- if $f$ and $g$ are formulas, then $\neg f, f \wedge g, f \vee g$ are formulas
- if $f$ is a formula and $v \in V$, then $\forall v . f$ and $\exists v . f$ are formulas
- A truth assignment for $\operatorname{QBF}(\mathrm{V})$ is a function $\sigma: \mathrm{V} \rightarrow\{0,1\}$

If $\mathrm{a} \in\{0,1\}$, then $\sigma[\mathrm{v} \leftarrow \mathrm{a}]$ represents

$$
\begin{aligned}
& \sigma[v \leftarrow a](w)=a \text { if } v=w \\
& \sigma[v \leftarrow a](w)=\sigma(w) \text { if } v \neq w
\end{aligned}
$$

- f is a formula in $\mathrm{QBF}(\mathrm{V})$ and $\sigma$ is a truth assignment: $\sigma \models \mathrm{f}$ if f is true under $\sigma$.


## Relational Representation of FSM (cont'd)

## Quantified Boolean Formulas (cont'd)

- QBF formulas have the same expressive power as ordinary propositional formulas; however, they may be more concise
- QBF Semantics: relation $\models$ is defined recursively:
$\mathrm{o} \vDash \mathrm{v}$ iff $\sigma(\mathrm{v})=1$;
$o \vDash \neg \mathrm{f}$ iff $\sigma \mid \neq \mathrm{f}$;
o $\models \mathrm{f} \vee \mathrm{g}$ iff $\sigma \models \mathrm{f}$ or $\sigma \models \mathrm{g}$;
$\mathrm{o} \vDash \mathrm{f} \wedge \mathrm{g}$ iff $\sigma \models \mathrm{f}$ and $\sigma \models \mathrm{g}$;
$\sigma \models \exists \mathrm{v} . \mathrm{f}$ iff $\sigma[\mathrm{v} \leftarrow 0] \models$ for $\sigma[\mathrm{v} \leftarrow 1] \models \mathrm{f}$;
$\sigma \models \forall$ v.f iff $\sigma[\mathrm{v} \leftarrow 0] \vDash \mathrm{f}$ and $\sigma[\mathrm{v} \leftarrow 1] \vDash \mathrm{f}$.
- Every QBF formula can represent an $n$-ary Boolean relation consisting of those truth assignments for the variables in V that makes the formula true: Boolean characteristic function of the relation
- $\exists \mathrm{x} . \mathrm{f}=\left.\left.\mathrm{f}\right|_{\mathrm{x} \leftarrow 0} \vee \mathrm{f}\right|_{\mathrm{x} \leftarrow 1}, \forall \mathrm{x} . \mathrm{f}=\left.\left.\mathrm{f}\right|_{\mathrm{x} \leftarrow 0} \wedge \mathrm{f}\right|_{\mathrm{x} \leftarrow 1}$

In practice, special algorithms needed to handle quantifiers efficiently (e.g., on ROBDD)

## Sequential Equivalence Checking

## Basic Idea:

To prove the equivalence of two $\mathrm{FSMs} \mathrm{M}_{1}$ and $\mathrm{M}_{2}$ (with the same input and output alphabet), a product machine is formed which tests the equality of outputs of the two individual machines in every state

$\mathrm{M}_{1}$ and $\mathrm{M}_{2}$ are equivalent iff the product machine produces Flag = true output in every state reachable from the initial state

- Coudert et al. were first to recognize the advantage of representing set of states with ROBDD's: Symbolic Breadth-First Search of the transition graph of the productmachine
- Their technique was initially applied to checking machine equivalence and later extended by McMillan, et al. to symbolic model checking of temporal logic formulas (in CTL)


## Relational Product of FSMs

## Relational Products - implementation using ROBDD

- A typical task in verification: compute relational products with abstraction of variables:

$$
\exists \mathrm{v} \cdot[\mathrm{f}(\mathrm{v}) \wedge \mathrm{g}(\mathrm{v})]
$$

- Algorithm RelProd computes it in one pass over ROBDDs $f(v)$ and $g(v)$, instead of constructing $\mathrm{f}(\mathrm{v}) \wedge \mathrm{g}(\mathrm{v})$
- RelProd uses a computed table (result cache), and is based on Shannon's expansion
- Entries in the cache have the form ( $\mathrm{f}, \mathrm{g}, \mathrm{E}, \mathrm{h}$ ), where E is a set of variables that are existentially qualified out and $\mathrm{f}, \mathrm{g}$ and h are (pointers to) ROBDDs
- If an entry indexed by $f, g$ and $E$ is in the cache, then a previous call to RelProd (f, g, E) has returned h , it is not recomputed
- Algorithm works well in practice, even if it has theoretical exponential complexity


## Relational Representation of FSMs (cont'd)

## Relational Product Algorithm

$\operatorname{RelProd}(\mathrm{f}, \mathrm{g}: R O B D D, \mathrm{E}$ : set of variables)
if $\mathrm{f}=$ false $\vee \mathrm{g}=$ false then return false
else if $\mathrm{f}=$ true $\wedge \mathrm{g}=$ true
then return true
else if (f, g, E, h) is cached
then returnh
else let x and y be the top variables of f and g , respectively let z be the topmost of x and y ,
$\mathrm{h} 0:=\operatorname{RelProd}\left(\mathrm{f}_{\mathrm{z}=0},\left.\mathrm{~g}\right|_{\mathrm{z}=0}, \mathrm{E}\right)$
$\mathrm{h} 1:=\operatorname{RelProd}\left(\mathrm{f}_{\mathrm{z}=1},\left.\mathrm{~g}\right|_{\mathrm{z}=1}, \mathrm{E}\right)$
if $\mathrm{z} \in \Delta \mathrm{E}$
then $\mathrm{h}:=\mathrm{Or}(\mathrm{h} 0, \mathrm{~h} 1)\{$ ROBDD: $\mathrm{h} 0 \vee \mathrm{~h} 1\}$
else h:=IFThenElse(z, h1, h0)
endif
insert (f, g, E, h) in cache
return h
endif

## Reachability Analysis on FSMs

## Computing Set of Reachable States

- Reachable state computation (state enumeration) is needed for FSM equivalence and model checking
- $\mathrm{S}_{0}=$ a set of states, represented by the ROBDD $\mathrm{S}_{0}(\mathrm{~V})$

Find those states $\mathrm{S}_{1}$ reachable in at most one transition from $\mathrm{S}_{0}$ :

$$
\mathrm{S}_{1}=\mathrm{S}_{0} \cup\left\{\mathrm{~s}^{\prime} \mid \exists \mathrm{s}\left[\mathrm{~s} \in \mathrm{~S}_{0} \wedge\left(\mathrm{~s}, \mathrm{~s}^{\prime}\right) \in \mathrm{N}\right]\right\}
$$

ROBDD's $\mathrm{S}_{0}(\underline{\mathbf{y}})$ and $\mathrm{N}\left(\underline{\mathbf{y}}, \mathbf{y}^{\prime}\right)$, compute an ROBDD representing S: ${ }_{1}$

$$
\mathrm{S}_{1}\left(\mathbf{y}^{\prime}\right)=\mathrm{S}_{0}\left(\mathbf{y}^{\prime}\right) \vee \underset{\mathrm{yi} \in \mathbf{y}}{\exists \mathrm{y}_{\mathrm{i}}}\left[\mathrm{~S}_{0}(\mathbf{y}) \wedge \mathrm{N}\left(\mathbf{y}, \mathbf{y}^{\prime}\right)\right]
$$



## Reachability Analysis on FSMs (cont'd)

## Reachability Analysis (cont'd)

- In general, the states reachable in at most $\mathrm{k}+1$ steps are represented by:

$$
\mathrm{S}_{\mathrm{k}+1}\left(\mathbf{y}^{\prime}\right)=\mathrm{S}_{0}\left(\mathbf{y}^{\prime}\right) \underset{\mathrm{yi} \in \mathbf{y}}{\vee} \underset{\mathrm{y}}{ } \mathrm{y}_{\mathrm{i}}\left[\mathrm{~S}_{\mathrm{k}}(\mathbf{y}) \wedge \mathrm{N}\left(\mathbf{y} \cdot \mathbf{y}^{\prime}\right)\right]
$$

- As each set of states is a superset of the previous one, and the total number of states is finite, at some point, we must have $\mathrm{S}_{\mathrm{k}+1}=\mathrm{S}_{\mathrm{k}}, \mathrm{k} \leq 2^{\mathrm{s}}$ the number of states
- Reachability computation can be viewed as finding "least fixpoint"
- What about inputs $\underline{\mathbf{x}}$ ? Existentially quantify them out in the relational product (equivalent to closing the system with a non-deterministic source of values for $\mathbf{x}$ )


## BDD Encoding



Basic idea:

1) connect both machines to equality check of outputs
2) compute set of reachable states

2a) representing set of states using ROBDD
2b) computing "images" of BDDs of all next states (using transition relations)
2c) reachability iteration (using images starting from one initial state until sequence emerges)

$$
\begin{aligned}
& R_{0}=\text { initial } B D D \\
& \cdots . . . \\
& R_{i+1}=R_{i} \vee \operatorname{Image}\left(R_{i}\right) \rightarrow \text { convergence }
\end{aligned}
$$

## ROBDD Encoding (cont'd)

Representing set of states using ROBDDs


## ROBDD Encoding (cont'd)

Representing set of states using ROBDDs


## Sequential Equivalence Checking Example

1) Connect both machines to equality check of outputs


## Sequential Equivalence Checking Example (con't)

2a) Representing set of states using ROBDD

$$
\begin{array}{cc}
\text { Initial State: } & x 0=0 \\
x 1=1 \\
x 2=0 \\
& \{010\} \\
\hline & \text { set }
\end{array}
$$

$$
\frac{\neg x 0 \wedge x 1 \wedge \neg x 2}{\text { formula }}
$$

ROBDD


## Sequential Equivalence Checking Example (cont'd)

2b) Compute images of set $\{010\}$
Tansition
Relation $\left\{\begin{array}{ll}y 0=x 0 \oplus i & \left(\begin{array}{ll}x 0=0) \\ y 1=(\neg i \wedge x 1) \vee(i \wedge x 2) \\ y 2=(\neg i \wedge x 2) \vee(i \wedge x 1) & (\mathrm{i}=0) \\ =1 & (\mathrm{i}=1)\end{array}\right. \\ \binom{x 1=1}{x 2=0}=1 & (\mathrm{i}=0) \\ =0 & (\mathrm{i}=1)\end{array}\right)$

$$
\begin{array}{c|cc|ccc}
\underline{x} 0: 0 & \underline{i}=0 & \underline{0} & \underline{i}=1 & \underline{1} \\
\underline{x 1}: 1 & & \underline{1} & \underline{0} & \{010,101\} \\
\underline{x 2}: 0 & \underline{0} & \underline{1} & \downarrow
\end{array}
$$

image: $\quad(\neg x 0 \wedge x 1 \wedge \neg x 2) \vee(x 0 \wedge \neg x 1 \wedge x 2)$
BDD1

disj. (BDD1, BDD2)


## Example (cont'd)

2c) Reachability iteration

$$
\begin{aligned}
& R_{0}=\neg x 0 \wedge x 1 \wedge \neg x 2 \\
& R_{1}=(\neg x 0 \wedge x 1 \wedge \neg x 2) \vee(x 0 \wedge \neg x 1 \wedge x 2) \vee R_{0}=1 \\
& R_{2}=1 \vee R_{0}=1 \\
& \rightarrow R_{2}=R_{1}
\end{aligned}
$$

In terms of sets:

$$
\begin{aligned}
& \mathbf{R}_{\mathbf{0}}=\{010\} \\
& \mathbf{R}_{\mathbf{1}}=\{010,101\} \\
& \mathbf{R}_{\mathbf{2}}=\{010,101\} \\
& \rightarrow \mathbf{R} \mathbf{2}=\mathbf{R} \mathbf{1}
\end{aligned}
$$

$\Rightarrow$ Converged
$\Rightarrow$ all states reached!

## Equivalence Checking Tools

## Commercial tools:

- Chrysalis: Design Verifier
- Synopsys: Formality
- Cadence: Conformal
- Verysys: Tornado
- AHL: ChekOff-E


## Application:

- Used to prove equivalence of two sequential circuits that have the same state variables (or at least the same state space and a known mapping between states) by verifying that they have the same next-state and output functions
- Used in place of gate vs. RTL verification by simulation


## Recommendations:

- Use modular design, relatively small modules, 10k - 20k gates
- Maintain hierarchy during synthesis (not flattening) and before layout: equivalence can be proven hierarchically much faster, especially for arithmetic circuits


## Equivalence Checking Tools (cont'd)

## CheckOff-E

- Commercial product by Abstract Hardware Ltd. (UK) and Siemens AG (Germany)
- Performs behavioral comparison of two Finite State Machines
- Input EDIF netlist + library or VHDL
- VHDL subset (superset of synthesizable synchronous VHDL)
- no real time clauses (after, wait for), no conditional loop statements
- Interprets VHDL simulation semantics to build a Micro FSM
- Converts to Macro FSM by merging transition until stabilization at each time t
- Macro FSM is starting point for any verification; representation in ROBDD
- Product discontinued!


## References

1. V. Sperschneider, G.Antoniou. Logic: A Foundation for Computer Science. AddisonWesley, 1991.
2. S. Reeves, M. Clarke. Logic for Computer Science. Addison-Wesley, 1991.
3. Alan J. Hu, Formal Hardware Verification with BDDs: An Introduction, IEEE Pacific Rim Conference on Communications, Computers, and Signal Processing, pp.677-682, 1997.
4. J. Jain, A. Narayan, M. Fujita, and A. Sangiovanni-Vincentelli, Formal Verification of Combinational Circuits, VLSI Design, 1997.
5. R.E. Bryant. Graph-Based Algorithms for Boolean Function Manipulation. IEEE Transactions on Computers, C-35(8), pp. 677-691, August 1986.
6. R.E. Bryant. Symbolic Boolean Manipulation with Ordered Binary Decision Diagrams. ACM Computing Surveys, 24(3), 1992, pp. 293-318.
7. R.E. Bryant. Binary Decision Diagrams and Beyond: Enabling Technologies for Formal Verification. International Conference on Computer-Aided Design, pp. 236-243, 1995.
8. S. Minato. Binary Decision Diagrams and Applications for VLSI CAD. Kluwer Academic Publishers, 1996.
9. M. Sheeran, G. Stålmarck. A tutorial on Stålmarck's proof procedure for propositional logic. Formal Methods in Systems Design, Kluwer, 1999.
10.O. Coudert and J.C. Madre, A Unified Framework for the Formal Verification of Sequential Circuits, Int. Conference on Computer-Aided Design, pp. 126-129, 1990.
11.H. Touati, H. Savoj, B. Lin, R.K. Brayton, and A. Sangiovanni-Vincentelli, Implicit State Enumeration of Finite State Machines Using BDD's, Int. Conference on Computer-Aided Design, pp. 130-133, 1990.
