# 2. Verification by Equivalence Checking | | Page | |---------------------------------------------------|------| | Combinational Circuits Verification | 2.2 | | Propositional Logic (Calculus) | 2.5 | | Propositional Resolution | 2.11 | | Stålmarck's Procedure | 2.19 | | Reduced Ordered Binary Decision Diagrams (ROBDDs) | 2.23 | | Sequential Circuits Verification | 2.56 | | Relational Representation of FSMs | 2.61 | | Relational Product of FSMs | 2.65 | | Reachability Analysis on FSMs | 2.67 | | Equivalence Checking Tools | 2.76 | | References | 2.78 | ### **Combinational Circuits Verification** - Consist of an interconnection of logic gates AND, OR, NOT, NAND, NOR, XOR, XNOR, and blocks implementing more complex logic (Boolean) functions. - No logical loops, i.e., topologically there may be loops, but they are not sensitizable under any (valid) input combination, even such loops may be prohibited / not produced by automated analysis / synthesis tools #### Goal Given two Boolean netlists, check if the corresponding outputs of the two circuits are equal for all possible inputs - Two circuits are equivalent iff the Boolean function representing the outputs of the networks are logically equivalent - Identify equivalence points and implications between the two circuits to simplify equivalence checking - Since a typical design proceeds by a series of local changes, in most cases there are many implications / equivalent subcircuits in the two circuits to be compared - Various tautology/satisfiability checking algorithms based on heuristics (problem is NP-complete, but many work well on "real" applications ...) - In this course we consider three main combinational equivalence checking methods: - Propositional resolution method (tautology/satisfiability checking) - Stålmarck's method (recent patented algorithm, very efficient and popular) - **ROBDD-based method** (Boolean function converted into ROBDD's representation) ## **Combinational Equivalence Checking** ### **Explicit Proof** - Propositional resolution - Stålmarck's procedure - ROBDDs # **Combinational Equivalence Checking (con't)** ### **Implicit Proof** • ROBDDs ## **Propositional Logic (Calculus)** #### **Syntax** ``` P, Q, R,... — propositional symbols (atomic propositions) t: true; f: false — constants \neg P: \text{ not } P \qquad P \land Q: P \text{ and } Q \qquad P \lor Q: P \text{ or } Q; P \rightarrow Q: \text{ if } P \text{ then } Q \quad (\text{proposition equivalent to } \neg P \lor Q) P \leftrightarrow Q: P \text{ if and only if } Q, \text{ i.e., } P \text{ equivalent to } Q (\text{proposition equivalent to } (P \land Q) \lor (\neg P \land \neg Q)) ``` #### **Semantics** Given through the Truth Table: | P | Q | ¬Р | P∧Q | P∨Q | P→Q | P↔Q | |---|---|----|-----|-----|-----|-----| | t | t | f | t | t | t | t | | t | f | f | f | t | f | f | | f | t | t | f | t | t | f | | f | f | t | f | f | t | t | An **interpretation** is a function from the propositional symbols to {t, f} ## Propositional Logic (cont'd) - Formula F is satisfiable (consistent) iff it is true under at least one interpretation - Formula F is **unsatisfiable** (inconsistent) iff it is **false** under **all** interpretations - Formula F is valid iff it is true (consistent) under all interpretations - Interpretation I satisfies a formula F (I is a model of F) iff F is true under I. Notation: I F - **Theorem:** A formula F is valid (a *tautology*) iff $\neg$ F is unsatisfiable. <u>Notation</u>: $\sqsubseteq$ F - The relationship between F to $\neg$ F can be visualized by "mirror principle": #### All formulas in propositional logic | Valid formulas | Satisfiable,<br>but non-valid formulas | Unsatisfiable formulas | | |----------------|----------------------------------------|------------------------|--| | G <b>~</b> | F <b>←→</b> ¬F | – – – → ¬G | | - To determine if F is satisfiable or valid, test finite number $(2^n)$ of interpretations of the n atomic propositions occurring in F - ... but it is an exponential method... satisfiability is an NP-complete problem ## Propositional Logic (cont'd) #### **Proofs** - A proof of a proposition is derived using axioms, theorems, and inference rules (an inference rule permits deducing conclusions based on the truth of certain premises) - A logic formula F is deducible from the set S of statements if there is a finite proof of F starting from elements of S. Notation: S | F #### **Example: A simple proof system** - Axioms: $K: A \to (B \to A)$ $S: (A \to (B \to C)) \to ((A \to B) \to (A \to C))$ $DN: \neg \neg A \to A$ - Inference rule (Modus Ponens): $\{A \rightarrow B, A\} \vdash B$ - A proof of $A \rightarrow A$ $$(1) \vdash (A \rightarrow ((D \rightarrow A) \rightarrow A)) \rightarrow ((A \rightarrow (D \rightarrow A)) \rightarrow (A \rightarrow A)) \qquad \text{by S } ([B \setminus D \rightarrow A], [C \setminus A])$$ $$(2) \vdash A \rightarrow ((D \rightarrow A) \rightarrow A) \qquad \text{by K } ([B \setminus D \rightarrow A])$$ $$(3) \vdash (A \rightarrow (D \rightarrow A)) \rightarrow (A \rightarrow A) \qquad \text{by MP, (1), (2)}$$ $$(4) \vdash A \rightarrow (D \rightarrow A) \qquad \text{by K}$$ $$(5) \vdash A \rightarrow A \qquad \text{by MP, (3), (4).}$$ ### **Propositional Logic (cont'd)** #### Relation between syntax and semantics - Truth tables provide a means of deciding truth - Propositional logic is: - **complete**: everything that is true may be proven, i.e., if $S \vdash A$ then $S \models A$ - **consistent** (sound): nothing that is false may be proven. i.e., if $S \models A$ then $S \models A$ - **decidable**: there is an algorithm for deciding the truth of any proposition, i.e., test a finite (exponential) number of truth assignments ## False Negative & False Positive Let P be a proposition (a property) and A a verification method (algorithm). - False Negative: (similar to incompleteness) - A(P) reports true $\Rightarrow \forall$ interpretation $\psi$ , $\psi$ (P) = true - A(P) reports false $\Rightarrow \neg(\forall \text{ interpretation } \psi, \psi(P) = \text{true})$ ! $(\exists \psi, \psi(P) = false)$ - False Positive: (similar to inconsistency, unsoundness) - A(P) reports false $\Rightarrow \forall$ interpretation $\psi$ , $\psi$ (P) = false - A(P) reports true $\Rightarrow \neg (\forall \text{ interpretation } \psi, \psi(P) = \text{false})$ ! $(\exists \psi, \psi(P) = true)$ ## **Combinational Equivalence Checking** - Determine if two expressions f1 and f2 denote the same truth table - Application: Determine if two combinational logic circuit designs C1 and C2 implement the same truth table (logic (Boolean) function) - Extract representation of logic expressions f1 and f2 - Verify if (f1 $\leftrightarrow$ f2) is a valid formula, i.e., $\neg$ (f1 $\leftrightarrow$ f2) is unsatisfiable using **satisfiability** algorithms (**Propositional Resolution** methods), or $(f1 \rightarrow f2)$ and $(f2 \rightarrow f1)$ hold (where f1 and f2 are transformed to implication form using **Stålmarck's procedure**), or fl and f2 have the same *canonical form* using, e.g., **Reduced Binary Decision Diagrams** ### **Propositional Resolution** - A Literal L is an atomic proposition A or its negation $\neg A$ - A Clause C is a finite set of disjunctive literals ( $C = L_1 \lor L_2 \lor L_3 \lor ...$ ) C is true iff one of its elements is true. The empty clause $\{ \Box \}$ is always false. Let $A_1, A_2, ...$ be atomic propositions and $L_{i,j}$ literals • Conjunctive Normal Form (CNF): a conjunction of disjunctions of literals F= $$(\bigwedge_{i=1}^{n} (\bigvee_{j=1}^{m_i} L_{i,j}))$$ , where $L_{i,j} \in \{A_1, A_2, ...\} \cup \{\neg A_1, \neg A_2, ...\}$ • **Disjunctive Normal Form** (DNF): a disjunction of conjunctions of literals F=( $$\bigvee_{i=1}^{n} (\bigwedge_{j=1}^{m_i} L_{i,j})$$ ), where $L_{i,j} \in \{A_1, A_2, ...\} \cup \{\neg A_1, \neg A_2, ...\}$ Each $L_{i,j} \in \{A_1,A_2,...\} \cup \{\neg A_1,\neg A_2,...\}$ appears in each disjunct (conjunct) at most once! Theorem: For every logic formula F, there is an equivalent CNF and an equivalent DNF - Canonical Conjunctive Form (CCF): CNF in which each L appears exactly once - Canonical Disjunctive Form (DCF): DNF in which each L appears exactly once - **Resolution** is a proof method underlying some automatic theorem provers based on simple syntactic transformation and *refutation*. - **Refutation** is a procedure to show that a given formula is unsatisfiable #### **Resolution procedure:** - To prove F, we translate ¬F into a set of clauses, each a disjunction of atomic formulae or their negations. - Each resolution step takes two clauses and yields a new one. - The method succeeds if it produces the empty clause (a contradiction), thus refuting $\neg F$ . - Let $F=(L_{1,1}\vee...\vee L_{1,n1})\wedge...\wedge(L_{k,1}\vee...\vee L_{k,nk})$ where literals $L_{i,\,j}\in\{A_1,A_2,...\}\cup\{\neg A_1,\neg A_2,...\}$ F can be viewed as a set of clauses: $F=\{\{L_{1,1},...,L_{1,n1}\},...,\{L_{k,1},...,L_{k,nk}\}\}$ , where - Comma separating two literals within a clause corresponds to ∨ - Comma separating two clauses corresponds to ∧ - Let L be a literal in clause $C_1$ ( $L \in C_1$ ) and its complement $\overline{L}$ in clause $C_2$ ( $\overline{L} \in C_2$ ), Clause R is a **resolvent** of $C_1$ and $C_2$ if: $R = (C_1 \{L\}) \cup (C_2 \{\overline{L}\})$ - Example: $F = \{ \{p, r\}, \{q, \neg r\}, \{\neg q\}, \{\neg p, v\}, \{\neg s\}, \{s, \neg v\} \}.$ - A (resolution) deduction of C from F is a finite sequence $C_1, C_2, ..., C_n$ of clauses such that each $C_i$ is either in F or a resolvent of $C_i$ , $C_k$ , (j, k < i) - $Res(F) = F \cup R$ where R is a resolvent of two clauses in F **Lemma**. F and $F \cup R$ are equivalent • Define Res<sup>0</sup>(F) = F, Res<sup>n+1</sup>(F) = Res( Res<sup>n</sup>(F) ), $$n \ge 0$$ • Let $\operatorname{Res}^*(F) = \bigcup_{n \ge 0} \operatorname{Res}^n(F)$ **Theorem**. F is unsatisfiable iff $\square \in \text{Res}^*(F)$ • Algorithm: to decide satisfiability of formula F in CNF (clause set): #### repeat ``` G:=F; F:=Res(F) until (( \Box \in F) \text{ or } (F = G); if \Box \in F then "F is unsatisfiable" else "F is satisfiable". ``` ### Summary of basic idea: ## **Propositinal Resolution - Example** Two circuits C1 and C2 ### **Propositional Resolution** C1: out1 = $$a \lor b$$ C2: out2 = $$(\neg a \land b) \lor (a \land a)$$ (Mux: out2 = $$(\neg s \land b) \lor (s \land a)$$ ) $$G = (out1 \Leftrightarrow out2)$$ $$G = (\text{out } 1 \land \text{out } 2) \lor (\neg \text{out } 1 \land \neg \text{out } 2)$$ (**DNF**) = true? $F = \neg G = \neg ((\text{out } 1 \land \text{out } 2) \lor (\neg \text{out } 1 \land \neg \text{out } 2))$ = False? (unsatifiable!) #### **CNF** $$F = (\neg out \ 1 \lor \neg out \ 2) \land (out \ 1 \lor out \ 2)$$ $$= (\neg (a \lor b) \lor \neg [(\neg \ a \land b) \lor (a \land a)]) \land ((a \lor b) \lor [(\neg \ a \land b) \lor (a \land a)])$$ $$= .....$$ $$= (\neg a) \land (\neg b) \land (a \lor b)$$ **Literals:** $\{\{\neg a\}, \{\neg b\}, \{a, b\}\}$ ### **Theorem Proving** out1 = $$(\neg s \land b) \lor (s \land a)$$ = $(\neg a \land b) \lor (a \land a)$ = $(\neg a \land b) \lor a$ = $(\neg a \lor a) \land (b \lor a)$ = $1 \land (b \lor a)$ = $b \lor a = a \lor b$ $\Rightarrow out2 = out1$ out $$2 = a \lor b$$ ### Stålmarck's Procedure - Transform propositional formula G (in linear time) in a nested implication form, e.g.: $G = (p \rightarrow (q \rightarrow r)) \rightarrow s$ - G is now represented using a set of triplets $\{b_i, x, y\}$ , meaning " $b_i \leftrightarrow (x \rightarrow y)$ ", e.g.: $(p \rightarrow (q \rightarrow r)) \rightarrow s$ becomes $\{(b_1, q, r), (b_2, p, b_1), (b_3, b_2, s)\}$ ; $G = b_3$ - To prove a formula valid, assume that it is *false* and try to find a contradiction (use 0 for *false* and 1 for *true*, as in switching (Boolean) algebra) - Derivation rules: (a/b means "replace a by b") ``` (0, y, z) \Rightarrow y/1, z/0 meaning false \leftrightarrow (y \rightarrow z) implies y = true and z = false r1 meaning x \leftrightarrow (y \rightarrow true) implies x = true r2 (x, y, 1) \Rightarrow x/1 meaning x \leftrightarrow (false \rightarrow z) implies x = true r3 (x, 0, z) \Rightarrow x/1 meaning r4 (x, 1, z) \Rightarrow x/z x \leftrightarrow (true \rightarrow z) implies x = z r5 (x, y, 0) \Rightarrow x/\neg y meaning x \leftrightarrow (y \rightarrow 0) implies x = \neg y r6 (x, x, z) \Rightarrow x/1, z/1 meaning x \leftrightarrow (x \rightarrow z) implies x = true and z = true x \leftrightarrow (y \rightarrow y) implies x = true r7 (x, y, y) \Rightarrow x/1 meaning ``` Example: $G = (p \rightarrow (q \rightarrow p)) : \{(b_1, q, p), (b_2, p, b_1)\}$ , assume $G = b_2 = 0$ , i.e., $(0, p, b_1)$ By r1 : p = 1 and $b_1 = 0$ , substitute for $b_1$ and get (0, q, 1) (which is a terminal triplet) Again by r1 this is a contradiction since 1/0 is derived for z in r1, hence $b_2 = G = 1$ (true) ### Stålmarck's Procedure (cont'd) • Not all formulas can be proved with these rules, need a form of branching: **Dilemma rule** T = a set of triplets, $D_i$ , i = 1, 2, are derivations, results $U[S_1]$ and $V[S_2]$ , conclusion T[S] | | T | | |----------|------|----------| | T[x/1] | | T[x/0] | | $D_1$ | | $D_2$ | | $U[S_1]$ | | $V[S_2]$ | | | T[S] | | Assume x = 0 derive a result, then assume x = 1 and also derive a result. - If either derivation gives a contradiction, the result is the other derivation - If both are contradictions, then T contains a contradiction - Otherwise return the intersection of the result of the two derivations, since any information gained from x = 0 and x = 1 must be independent of that value Example: $T = \{ (1, \neg p, p), (1, p, \neg p) \}$ cannot be resolved using r1 - r7 $T[p/1] = \{(1, 0, 1), (1, 1, 0)\}$ where (1, 1, 0) is a contradiction $T[p/0] = \{(1, 1, 0), (1, 0, 1)\}$ where (1, 1, 0) is again a contradiction Hence T[S] results in a contradiction. ### **Stålmarck's Procedure (cont'd)** #### **Transformation from and-or-not logic to implication form:** **not**: $$G = \neg A \Leftrightarrow A \to 0 \Leftrightarrow \{(x, A, 0)\}$$ , $G = x$ or: $$G = A \lor B \Leftrightarrow \neg A \to B \Leftrightarrow \{(x, y, B), (y, A, 0)\}$$ , $G = X$ and: $$G = A \land B \Leftrightarrow \neg (A \rightarrow \neg B) \Leftrightarrow \{(x, y, 0), (y, A, z), (z, B, 0)\}$$ , $G = x$ #### **Example of equivalence checking:** $$C1 = \{(y, e, x), (e, b, 0), (x, f, 0), (f, a, g), (g, b, 0)\}$$ $$C1 = \{(y, e, x), (e, b, 0), (x, f, 0), C2 = \{(t, h, s), (h, b, 0), (s, u, 0), (u, r, v), (v, c, 0), (f, a, g), (g, b, 0)\}$$ $$(r, w, 0), (w, a, p), (p, b, 0)\}$$ Check $y \rightarrow t$ and $t \rightarrow y$ $y \rightarrow t$ : Form C1 $\cup$ C2 $\cup$ {(0, y, t)} which by r1 yields [y/1, t/0] and after substitution $$\{(1, e, x), (e, b, 0), (x, f, 0), (f, a, g), (g, b, 0), (0, h, s), (h, b, 0), (s, u, 0), (u, r, v), (v, c, 0), (r, w, 0), (w, a, p), (p, b, 0)\}$$ giving by r1 again [h/1, s/0] and... ### Stålmarck's Procedure (cont'd) Example of equivalence checking (cont'd): $\{(1, e, x), (e, b, 0), (x, f, 0), (f, a, g), (g, b, 0), (1, b, 0), (0, u, 0), (u, r, v), (v, c, 0), (r, w, 0), (w, a, p), (p, b, 0)\}$ apply r1 and r5 and get $[u/1, e/\neg b, x/\neg f, g/\neg b, v/\neg c, r/\neg w, p/\neg b]$ which yields $$\{(1, \neg b, \neg f), (f, a, \neg b), (\neg b, b, 0), (1, \neg w, \neg c), (w, a, \neg b)\}$$ Application of Dilemma rule to, say, "b" yields: **b** = 0: $\{(1, 1, \neg f), (f, a, 1), (1, 0, 0), (1, \neg w, \neg c), (w, a, 1)\}$ apply r2 and get [f/1, w/1] yields $\{(1,1,0), (1,a,1), (1,0,\neg c), (1,a,1)\}$ , where (1,1,0) is a contradiction b = 1: $\{(1, 0, \neg f), (f, a, 0), (0, 1, 0), (1, \neg w, \neg c), (w, a, 0)\}$ yields $[f/\neg a, w/\neg a]$ by r5, thus $\{(1, 0, a), (\neg a, a, 0), (0, 1, 0), (1, a, \neg c), (\neg a, a, 0)\}$ , then applying the Dilema rule again on "a" leads to a contradiction again Conclusion: $y \rightarrow t$ holds. Similarly for $t \rightarrow y$ The two circuits are equivalent. ## **Binary Decision Diagrams (BDDs)** Classical representation of logic functions: Truth Table, Karnaugh Maps, Sum-of-Products, critical complexes, etc. - Critical drawbacks: - May not be a canonical form or is too large (exponential) for "useful" functions, - ⇒ Equivalence and tautology checking is hard - Operations like complementation may yield a representation of exponential size Reduced Ordered Binary Decision Diagrams (ROBDDs) - A canonical form for Boolean functions - Often substantially more compact than traditional normal forms - Can be efficiently manipulated - Introduced mainly by R. E. Bryant (1986). - Various extensions exist that can be adapted to the situation at hand (e.g., the type of circuit to be verified) ### **Binary Decision Trees** - A Binary decision Tree (BDT) is a *rooted*, *directed graph* with *terminal* and *nonterminal* vertices - Each nonterminal vertex v is labeled by a variable var(v) and has two successors: - low(v) corresponds to the case where the variable v is assigned 0 - high(v) corresponds to the case where the variable v is assigned 1 - Each terminal vertex v is labeled by $value(v) \in \{0, 1\}$ - **Example**: BDT for a two-bit comparator, $f(a_1,a_2,b_1,b_2) = (a_1 \Leftrightarrow b_1) \land (a_2 \Leftrightarrow b_2)$ ## **Binary Decision Trees (cont'd)** - We can decide if a truth assignment $\underline{\mathbf{x}} = (\mathbf{x}_1, ..., \mathbf{x}_n)$ satisfies a formula in BDT in linear time in the number of variables by traversing the tree from the root to a terminal vertex: - If $var(v) \in \underline{x}$ is 0, the next vertex on the path is low(v) - If $var(v) \in \underline{x}$ is 1, the next vertex on the path is high(v) - If v is a terminal vertex then $f(\underline{x}) = f_v(x_1, ..., x_n) = value(v)$ - If v is a nonterminal vertex with $var(v)=x_i$ , then the structure of the tree is obtained by Shanon's expansion $$f_v(x_1, ..., x_n) = [\neg x_i \land f_{low(v)}(x_1, ..., x_n)] \lor [x_i \land f_{high(v)}(x_1, ..., x_n)]$$ - For the comparator, $(a_1 \leftarrow 1, a_2 \leftarrow 0, b_1 \leftarrow 1, b_2 \leftarrow 1)$ leads to a terminal vertex labeled by 0, i.e., f(1, 0, 1, 1) = 0 - Binary decision trees are redundant: - In the comparator, there are 6 subtrees with roots labeled by b<sub>2</sub>, but not all are distinct - Merge isomorphic subtrees: - Results in a directed acyclic graph (DAG), a binary decision diagram (BDD) ### **Reduced Ordered BDD** #### **Canonical Form property** - A *canonical* representation for Boolean functions is desirable: two Boolean functions are logically equivalent iff they have isomorphic representations - This simplifies checking equivalence of two formulas and deciding if a formula is satisfiable - Two BDDs are **isomorphic** if there exists a bijection h between the graphs such that - Terminals are mapped to terminals and nonterminals are mapped to nonterminals - For every terminal vertex v, value(v) = value(h(v)), and - For every nonterminal vertex *v*: ``` var(v) = var(h(v)), \quad h(low(v)) = low(h(v)), \quad and \quad h(high(v)) = high(h(v)) ``` - Bryant (1986) showed that BDDs are a canonical representation for Boolean functions under two restrictions: - (1) the variables appear in the same order along each path from the root to a terminal - (2) there are no isomorphic subtrees or redundant vertices - ⇒ Reduced Ordered Binary Decision Diagrams (ROBDDs) ## **Canonical Form Property** - Requirement (1): Impose total order "<" on the variables in the formula: if vertex u has a nonterminal successor v, then var(u) < var(v) - Requirement (2): repeatedly apply three transformation rules (or implicitly in operations such as disjunction or conjunction) - **1.Remove duplicate terminals**: eliminate all but one terminal vertex with a given label and redirect all arcs to the eliminated vertices to the remaining one ## Canonical Form Property (cont'd) **2. Remove duplicate nonterminals**: if nonterminals u and v have var(u) = var(v), low(u) = low(v) and high(u) = high(v), eliminate one of the two vertices and redirect all incoming arcs to the other vertex **3. Remove redundant tests**: if nonterminal vertex v has low(v) = high(v), eliminate v and redirect all incoming arcs to low(v) # **Creating the ROBDD for** $(x \oplus y \oplus z)$ ## Canonical Form Property (cont'd) - A canonical form is obtained by applying the transformation rules until no further application is possible - Bryant showed how this can be done by a procedure called *Reduce* in linear time - Applications: - checking equivalence: verify isomorphism between ROBDDs - non-satisfiability: verify if ROBDD has only one terminal node, labeled by 0 - tautology: verify if ROBDD has only one terminal node, labeled by 1 #### **Example:** ROBDD of 2-bit comparator $f(a_1,a_2,b_1,b_2) = (a_1 \Leftrightarrow b_1) \land (a_2 \Leftrightarrow b_2)$ with variable order $a_1 < b_1 < a_2 < b_2$ : # **ROBDD Examples** OR $\begin{array}{c} a \\ b \end{array} \qquad \text{out} = f(a,b) = a \lor b$ # **ROBDD Examples (con't)** **ROBDD** BDD # **ROBDD Examples (con't)** **XOR** $$a$$ $b$ out = $f(a,b) = a \oplus b$ # **ROBDD Examples (con't)** | a | b | out | | |---|---|-----|--| | 0 | 0 | 1 | | | 0 | 1 | 1 | | | 1 | 0 | 1 | | | 1 | 1 | 0 | | | | a | b | out | |-------------|-------|-------------|-------------| | red<br>T.T. | 0 - 1 | -<br>0<br>1 | 1<br>1<br>0 | ## Variable Ordering Problem - The size of an ROBDD depends critically on the variable order - For order $\mathbf{a_1} < \mathbf{a_2} < \mathbf{b_1} < \mathbf{b_2}$ , the 2-bit comparator $f(a_1, a_2, b_1, b_2) = (a_1 \Leftrightarrow b_1) \land (a_2 \Leftrightarrow b_2)$ ROBDD becomes: • For an n-bit comparator: $$a_1 < b_1 < ... < a_n < b_n$$ gives 3n+2 vertices (linear complexity) $$a_1 < ... < a_n < b_1 ... < b_n$$ , gives $3x2^n - 1$ vertices (exponential complexity!) ## Variable Ordering Problem - Example $(x1 \oplus y1) \lor (x2 \oplus y2) \lor (x3 \oplus y3)$ ### Variable Ordering Problem (cont'd) - The problem of finding the *optimal* variable order is NP-complete - Some Boolean functions have exponential size ROBDDs for any order (e.g., multiplier) #### **Heuristics for Variable Ordering** - Heuristics developed for finding a *good* variable order (if it exists) - Intuition for these heuristics comes from the observation that ROBDDs tend to be smaller when related variables are close together in the order (e.g., ripple-carry adder) - Variables appearing in a subcircuit are related: they determine the subcircuit's output - ⇒ should usually be close together in the order #### **Dynamic Variable Ordering** - Useful if no obvious static ordering heuristic applies - During verification operations (e.g., reachability analysis) functions change, hence initial order is not good later on - Good ROBDD packages periodically internally reorder variables to reduce ROBDD size - Basic approach based on neighboring variable exchange ... < a < b < ... $\Rightarrow$ ... < b < a < ... Among a number of trials the best is taken, and the exchange is repeated ### **Logic Operations on ROBDDs** • Residual function (cofactor): $b \in \{0, 1\}$ $$f \mid x_i \leftarrow b \ (x_1,...,x_n) = f(x_1,...,x_{i-1},b,x_{i+1},...,x_n)$$ • ROBDD of $f|_{X_i \leftarrow b}$ computed by a depth-first traversal of the ROBDD of f: For any vertex v which has a pointer to a vertex w such that $var(w) = x_i$ , replace the pointer by low(w) if var(w) i If not in canonical form, apply *Reduce* to obtain ROBDD of $f \mid_{X_i \leftarrow b}$ . • All 16 two-argument logic operations on Boolean function implemented efficiently on ROBDDs in linear time in the size of the argument ROBDDs. ### Logic Operations on ROBDDs (cont'd) • Based on Shannon's expansion $$f = [\neg x \land f | x \leftarrow 0] \lor [x \land f | x \leftarrow 1]$$ - Bryant (1986) gave a uniform algorithm, *Apply*, for computing all 16 operations: f\*f': an arbitrary logic operation on Boolean functions f and f' v and v': the roots of the ROBDDs for f and f', x = var(v) and x' = var(v') - Consider several cases depending on v and v' - (1) v and v' are both terminal vertices: f \* f' = value(v) \* value(v') - (2) x = x: use Shannon's expansion $$f * f' = [\neg x \land (f | x \leftarrow 0 * f' | x \leftarrow 0)] \lor [x \land (f | x \leftarrow 1 * f' | x \leftarrow 1)]$$ to break the problem into two subproblems, each is solved recursively The root is v with var(v) = x Low(v) is $$(f | x \leftarrow 0 * f' | x \leftarrow 0)$$ $$High(v)$$ is $(f \mid x \leftarrow 1 * f' \mid x \leftarrow 1)$ # Logic Operations on ROBDDs (cont'd) (3) x < x': $f'|_{X \leftarrow 0} = f'|_{X \leftarrow 1} = f'$ since f' does not depend on x. In this case the Shannon's expansion simplifies to $$f * f' = [\neg x \land (f \mid x \leftarrow 0 * f')] \lor [x \land (f \mid x \leftarrow 1 * f')], \text{ similar to } (2)$$ and compute subproblems recursively, (4) x' < x: similar to the case above #### Improvement using the *if-then-else* (ITE) operator: ITE(F, G, H) = F . $$G + F'$$ . H where F, G and H are functions Recursive algorithm based on the following, *v* is the top variable (lowest index): $$ITE(F, G, H) = v.(F.G + F'.H)_{v} + v'.(F.G + F'.H)_{v'}$$ $$= v.(F_{v}.G_{v} + F'_{v}.H_{v}) + v'.(F_{v'}.G_{v'} + F'_{v'}.H_{v'})$$ $$= (v, ITE(F_{v}, G_{v}, H_{v}), ITE(F_{v'}, G_{v'}, H_{v'}))$$ With terminal cases being: F = ITE(1, F, G) = ITE(0, G, F) = ITE(F, 1, 0) = ITE(G, F, F) we define $$NOT(F) = ITE(F, 0, 1)$$ $AND(F, G) = ITE(F, G, 0)$ $OR(F, G) = ITE(F, 1, G)$ $XOR(F, G) = ITE(F, \neg G, G)$ $$LEQ(F, G) = ITE(F, G, 1)$$ etc. # Logic Operations on ROBDDs (cont'd) - By using *dynamic programming*, it is possible to make the ITE algorithm polynomial: - (1) The result must be reduced to ensure that it is in canonical form; - record constructed nodes (unique table); - before creating a new node, check if it already exists in this unique hash table - (2) Record all previously computed functions in a hash table (computed table); - must be implemented efficiently as it may grow very quickly in size; - before computing any function, check table for solution already obtained - Complement edges can reduce the size of an ROBDD by a factor of 2 - Only one terminal node is labeled 1 - Edges have an attribute (dot) to indicate if they are inverting or not - To maintain canonicity, a dot can appear only on *low(v)* edges - Complementation achieved in O(1) time by placing a dot on the function edge - F and F' can share entry in *computed* table - Adaptation of ITE easy - Test for F ≤ G can be computed by a specialized ITE\_CONSTANT algorithm # **BDD Operators - Example** **Task:** compute ROBDD for f (a,b) 1) $$f = x \wedge y = (a \vee b) \wedge (a \wedge b)$$ | a | b | out | |---|---|-----| | 0 | 0 | 0 | | 0 | 1 | 0 | | 1 | 0 | 0 | | 1 | 1 | 1 | order a,b. ### **BDD Operators - Examples (con't)** 2) $$f = x \wedge y$$ $BDD_f = "BDD_x \wedge BDD_y"$ $= Conj (BDD_x, BDD_y)$ $$x \wedge 0 = 0$$ $$x \wedge 1 = x$$ $$a = 1:$$ 1 $\wedge$ $b = b$ $a = 0:$ $b$ $\wedge$ $0 = 0$ $b = 1:$ 1 $\wedge$ 1 = 1 $b = 0:$ 0 $\wedge$ 0 = 0 ### **Other Decision Diagrams** - Multiterminal BDD (MTBDD): Pseudo-Boolean functions $B^n \to N$ , terminal nodes are integers - Binary Moment Diagrams (BMD): for representing and verifying arithmetic operations, word-level representation - Ordered Kronecker Functional BDDs (OKFBDD): Based on XOR operations and OBDD - Free BDDs (FBDD): Different variable order along different paths in the graph - Zero suppressed BDDs (ZBDD) - Combination of various forms of DDs integrated in DD software packages: Drechsler *et al* (U. Freiburg, Germany), Clarke *et al* (Carnegie Mellon U., USA) - Extension to represent systems of linear and Boolean constraints (DTU) - Multiway Decision Diagrams (MDG): Representation for a subset of equational first-order logic for modeling state machines with abstract and concrete data (U. of Montreal) #### Well known ROBDD packages: - CMU (as used in SMV from Carnegie Mellon U.) - CUDD, U. of Colorado at Boulder (as used in VIS from UC at Berkeley) - Industrial packages: Intel, Lucent, Cadence, Synopsys, Bull Systems, etc. ### **Applications of ROBDDs** #### **ROBDD:** - Construction DD from circuit description: - Depth-first vs. breadth-first construction (keep only few levels in memory, rest on disk; problem with dynamic reordering) - Partitioning of Boolean space, each partition represented by a separate graph - Bottom-up vs. top-down, introducing decomposition points - Internal correspondences in the two circuits equivalent functions, or complex relations #### **ATPG-based:** - Combine circuits with an XOR gate on the outputs, show inexistence of test for a fault s-a-0 on the output (i.e., the output would have to be driven to 1 meaning that there is a difference in the two circuits) - Use ATPG and learning to determine equivalent circuit nodes #### **Fast random simulation:** Detect quickly easy differences #### **Real tools:** • Use a combination of techniques, fast and less powerful first, slow but exact later # **Combinational Equivalence Chequing - Example** Two circuits C1 and C2 C1: $a \lor b$ C2: if a then a else b MUX: if c then a else b # Combinational Equivalence Checking – Multiplexor Example **Specification:** if $$c = 1$$ then out = a else out = b #### **Build ROBBD for Spec:** | c | a | b | out | |---|---|---|-----| | 1 | 1 | - | 1 | | 1 | 0 | - | 0 | | 0 | - | 1 | 1 | | 0 | _ | 0 | 0 | | | | | | ROBDD1: order: c, a, b ### **Implementation**: out = $$(c \land a) \lor (\neg c \land b)$$ | c | a | b | out | |---|---|---|-----| | 1 | 1 | 0 | 1 | | 1 | 1 | 1 | 1 | | 1 | 0 | 0 | 0 | | 1 | 0 | 1 | 0 | | 0 | 1 | 0 | 0 | | 0 | 1 | 1 | 1 | | 0 | 0 | 0 | 0 | | 0 | 0 | 1 | 1 | # Multiplexor Example (con't) ### **Build ROBDD for Imp:** # Multiplexor Example (con't) Alternative way to build ROBDD2: $$out = (c \land a) \lor (\neg c \land b)$$ order: c, a, b # **Comparator Example** Spec: $f(\hat{a}, \hat{b}) = 1$ if $\hat{a} = \hat{b}$ Refinement: $$f(a_1, a_2, b_1, b_2) = 1$$ if $(a_1 = b_1) \land (a_2 = b_2)$ $$\hat{a} = a_1 a_2$$ $$\hat{b} = b_1 b_2$$ Implicit: ### **Comparator Example (cont'd)** $$y = -z$$ : $z = (x \wedge y) \vee (\neg x \wedge \neg y)$ $$f = [(a1 \land b1) \lor (\neg a1 \land \neg b1)] \land$$ $$[(a2 \land b2) \lor (\neg a2 \land \neg b2)]$$ $$T4 T3$$ # **Comparator Example (cont'd)** <u>disj:</u> T1, T2, T12 disj: T3, T4, T34 # **Comparator Example (cont'd)** conj. $$T_{12}$$ , $T_{34}$ , $a_1$ , $a_2$ $b_1$ , $b_2$ ) independent order: $a_1, b_1, a_2, b_2$ Isomorph to the spec ### **Equivalence Checking in Practice** - Usually, combinational circuits implement arithmetic and logic operations, and next-state and output functions of finite-state machines (sequential circuits) - Verifying the behavior of the gate-level implementation against the RTL design of digital systems can often be reduced to verifying the combinational circuits - Equivalence comparison between the next-state and output functions (combinational circuits) - Requires that both have the same state space (and of course inputs and outputs), knowing the mapping between states helps... - Can also be used to verify gate-level implementation against gate-level model extracted from layout - This kind of verification is useful for confirming the correctness of manual changes or synthesis tools - If the state space is not the same, sequential (behavioral equivalence) of FSM must be considered ... # **Cutpoint-based Equivalence Checking** ### Cutpoint guessing: - Compute net signature with random simulator - Sort signatures + select cutpoints - Iteratively verify and refine cutpoints - Verify outputs # Sequential Equivalence Checking - If combinational verification paradigm fails (e.g. we have no name matching) - Two options: - Try to match registers automatically - functional register correspondence - structural register correspondence - Run full sequential verification based on state traversal - very expensive but most general ### **Basic Model Finite State Machines** $M(X,Y,S,S_0,\delta,\lambda)$ : X: Inputs Y: Outputs S: Current State S<sub>0</sub>: Initial State(s) δ: X × S → S (next state function) $\lambda: X \times S \rightarrow Y$ (output function) ### Delay element: - Clocked: synchronous - single-phase clock, multiple-phase clocks - Unclocked: asynchronous ### Finite State Machines Equivalence #### **Definition:** $M_1$ and $M_2$ are functionally equivalent iff the product machine $M_1 \times M_2$ produces a constant 0 for all valid input sequences $\{X_1, ..., X_n\}$ . ### Illustrative Example ### **Product Machine:** $${s^1,s^2,s^3} \cup {s^4,s^5}$$ #### **Transition Relations:** $$(s^1)' = s^1 \oplus x$$ $$(s^2)' = \neg (s^1 \land s^3)$$ $$(s^3)' = \neg s^1 \lor \neg s^2$$ $$(s^4)' = s^4 \oplus x$$ $$(s^5)' = \neg (s^4 \land s^5)$$ ### Sequential Circuits and Finite State Machines $\mathbf{r} = (\mathbf{r}_1, ..., \mathbf{r}_s)$ a vector of memory bits — state variables, memorize encoded states $\mathbf{y} = (y_1, ..., y_s)$ a vector of present state values $\mathbf{y}' = (y'_1, ..., y'_s)$ a vector of next state values $\mathbf{x} = (x_1, ..., x_m)$ a vector of input bits — encode input symbols $\mathbf{z} = (z_1, ..., z_n)$ a vector of output bits — encode output symbols $\mathbf{f} = \text{output function}, \mathbf{f}(\underline{x}, \underline{y}) = \text{Mealy}, \mathbf{f}(\underline{y}) = \text{Moore}$ $\mathbf{g} = \text{next-state function}$ Here we consider FSM synchronized on clock transitions — synchronous sequential circuits - To verify the behavior of such circuits we need efficient representation for the manipulation of next-state and output functions and sets of states - Using characteristic functions of relations and sets ### Relational Representation of FSM #### Representation of Relations and Sets - If R is n-ary relation over $\{0,1\}$ then R can be represented by (the ROBDD of) its characteristic function: $f_R(v_1,...,v_n) = 1$ iff $(v_1,...,v_n) \in R$ - Same technique can be used to represent sets of states - Transition relation N of a sequential circuit is represented by its Boolean characteristic function over inputs and state variables: $$N(\mathbf{x}, y_1, ..., y_s, y_1', ..., y_s')$$ • Example: synchronous modulo 8 counter, $N(\underline{\mathbf{y}},\underline{\mathbf{y}}') = N_0(\underline{\mathbf{y}},y_0') \wedge N_1(\underline{\mathbf{y}},y_1') \wedge N_2(\underline{\mathbf{y}},y_2')$ ### Relational Representation of FSM (cont'd) #### **Quantified Boolean Formulas (QBF)** - Needed to construct complex relations and manipulate FSMs - $V=\{v_1,v_2,...,v_n\}$ = set of Boolean (propositional) variables - QBF(V) is the smallest set of formulas such that - every variable in V is a formula - if f and g are formulas, then $\neg f, f \land g, f \lor g$ are formulas - if f is a formula and $v \in V$ , then $\forall v.f$ and $\exists v.f$ are formulas - A truth assignment for QBF(V) is a function $\sigma: V \to \{0,1\}$ If $a \in \{0,1\}$ , then $\sigma[v \leftarrow a]$ represents $\sigma[v \leftarrow a](w) = a \text{ if } v = w$ $\sigma[v \leftarrow a](w) = \sigma(w) \text{ if } v \neq w$ - f is a formula in QBF(V) and $\sigma$ is a truth assignment: $\sigma \models f$ if f is true under $\sigma$ . ### Relational Representation of FSM (cont'd) #### Quantified Boolean Formulas (cont'd) - QBF formulas have the same expressive power as ordinary propositional formulas; however, they may be more concise - QBF Semantics: relation $\models$ is defined recursively: ``` o \models v \text{ iff } \sigma(v)=1; o \models \neg f \text{ iff } \sigma \not\models f; o \models f \lor g \text{ iff } \sigma \models f \text{ or } \sigma \models g; o \models f \land g \text{ iff } \sigma \models f \text{ and } \sigma \models g; \sigma \models \exists v.f \text{ iff } \sigma[v \leftarrow 0] \models f \text{ or } \sigma[v \leftarrow 1] \models f; \sigma \models \forall v.f \text{ iff } \sigma[v \leftarrow 0] \models f \text{ and } \sigma[v \leftarrow 1] \models f. ``` - Every QBF formula can represent an n-ary Boolean relation consisting of those truth assignments for the variables in V that makes the formula true: Boolean characteristic function of the relation - $\exists x. \ f = f \mid_{x \leftarrow 0} \lor f \mid_{x \leftarrow 1}, \ \forall x. \ f = f \mid_{x \leftarrow 0} \land f \mid_{x \leftarrow 1}$ In practice, special algorithms needed to handle quantifiers efficiently (e.g., on ROBDD) # Sequential Equivalence Checking #### **Basic Idea:** To prove the equivalence of two FSMs $M_1$ and $M_2$ (with the same input and output alphabet), a *product machine* is formed which tests the equality of outputs of the two individual machines in every state $M_1$ and $M_2$ are equivalent iff the product machine produces Flag = *true* output in every state reachable from the initial state - Coudert *et al.* were first to recognize the advantage of representing set of states with ROBDD's: Symbolic Breadth-First Search of the transition graph of the product machine - Their technique was initially applied to checking machine equivalence and later extended by McMillan, et al. to symbolic model checking of temporal logic formulas (in CTL) ### **Relational Product of FSMs** #### **Relational Products** — implementation using ROBDD • A typical task in verification: compute relational products with abstraction of variables: $$\exists v.[f(v) \land g(v)]$$ - Algorithm *RelProd* computes it in one pass over ROBDDs f(v) and g(v), instead of constructing $f(v) \land g(v)$ - RelProd uses a computed table (result cache), and is based on Shannon's expansion - Entries in the cache have the form (f, g, E, h), where E is a set of variables that are existentially qualified out and f, g and h are (pointers to) ROBDDs - If an entry indexed by f, g and E is in the cache, then a previous call to RelProd (f, g, E) has returned h, it is not recomputed - Algorithm works well in practice, even if it has theoretical exponential complexity ### Relational Representation of FSMs (cont'd) ``` Relational Product Algorithm RelProd (f, g: ROBDD, E: set of variables) if f=false v g=false then return false else if f=true ∧ g=true then return true else if (f, g, E, h) is cached then return h let x and y be the top variables of f and g, respectively else let z be the topmost of x and y, h0 := RelProd(f|_{z=0}, g|_{z=0}, E) h1 := RelProd(f|_{z=1}, g|_{z=1}, E) if z \in AE then h:=Or(h0, h1) {ROBDD: h0\lor h1} else h:=IFThenElse(z, h1, h0) endif ``` insert (f, g, E, h) in cache return h endif ### Reachability Analysis on FSMs #### **Computing Set of Reachable States** - Reachable state computation (state enumeration) is needed for FSM equivalence and model checking - $S_0 = a$ set of states, represented by the ROBDD $S_0(V)$ Find those states $S_1$ reachable in at most one transition from $S_0$ : $$S_1 = S_0 \cup \{ s' \mid \exists s [s \in S_0 \land (s, s') \in N] \}$$ ROBDD's $S_0(\underline{\mathbf{y}})$ and $N(\underline{\mathbf{y}},\underline{\mathbf{y}}')$ , compute an ROBDD representing $S_{:1}$ $$S_1(\underline{\mathbf{y}}') = S_0(\underline{\mathbf{y}}') \vee \exists y_i \left[ S_0(\underline{\mathbf{y}}) \wedge N(\underline{\mathbf{y}},\underline{\mathbf{y}}') \right]$$ $$y_i \in \underline{\mathbf{y}}$$ $$S_0$$ $S_1$ $S_2$ $S_1$ $S_2$ $$S_2 = S_0 \cup \{s' \mid \exists s \ [s \in S_1 \land (s, s') \in N \ ]\}$$ $$S_2(\underline{\boldsymbol{y}}') = S_0(\underline{\boldsymbol{y}}') \vee \exists y_i \left[ S_1(\underline{\boldsymbol{y}}) \wedge N(\underline{\boldsymbol{y}},\!\underline{\boldsymbol{y}}') \right]$$ $$y_i \in \underline{\boldsymbol{y}}$$ ### Reachability Analysis on FSMs (cont'd) #### Reachability Analysis (cont'd) • In general, the states reachable in at most k+1 steps are represented by: $$S_{k+1}(\underline{\mathbf{y}}') = S_0(\underline{\mathbf{y}}') \vee \exists y_i [ S_k(\underline{\mathbf{y}}) \wedge N(\underline{\mathbf{y}}.\underline{\mathbf{y}}')]$$ $$y_i \in \underline{\mathbf{y}}$$ - As each set of states is a superset of the previous one, and the total number of states is finite, at some point, we must have $S_{k+1} = S_k$ , $k \le 2^s$ the number of states - Reachability computation can be viewed as finding "least fixpoint" - What about inputs $\underline{\mathbf{x}}$ ? Existentially quantify them out in the relational product (equivalent to closing the system with a non-deterministic source of values for $\underline{\mathbf{x}}$ ) ### **BDD Encoding** #### Basic idea: - 1) connect both machines to equality check of outputs - 2) compute set of reachable states - 2a) representing set of states using ROBDD - 2b) computing "images" of BDDs of all next states (using transition relations) - 2c) reachability iteration (using images starting from one initial state until sequence converges) $$R_0 = initial BDD$$ .... $$R_{i+1} = R_i \vee Image(R_i) \rightarrow convergence;$$ ### ROBDD Encoding (cont'd) ### Representing set of states using ROBDDs ### ROBDD Encoding (cont'd) ### Representing set of states using ROBDDs # Sequential Equivalence Checking Example 1) Connect both machines to equality check of outputs # Sequential Equivalence Checking Example (con't) ### 2a) Representing set of states using ROBDD #### **ROBDD** ### Sequential Equivalence Checking Example (cont'd) #### 2b) Compute images of set {0 1 0} ROBDD 2.74 (of 78) ### Example (cont'd) ### 2c) Reachability iteration $$R_0 = \neg x \cdot 0 \land x \cdot 1 \land \neg x \cdot 2$$ $$R_1 = (\neg x \cdot 0 \land x \cdot 1 \land \neg x \cdot 2) \lor (x \cdot 0 \land \neg x \cdot 1 \land x \cdot 2) \lor R_0 = 1$$ $$R_2 = 1 \lor R_0 = 1$$ $$\rightarrow R_2 = R_1$$ In terms of sets: $$R_0 = \{010\}$$ $$\mathbf{R}_1 = \{010, 101\}$$ $$\mathbf{R}_2 = \{010, 101\}$$ $$\rightarrow R_2 = R_1$$ - $\Rightarrow$ Converged - $\Rightarrow$ all states reached! ### **Equivalence Checking Tools** #### **Commercial tools:** Chrysalis: Design Verifier • Synopsys: Formality Cadence: Conformal • Verysys: Tornado • AHL: ChekOff-E #### **Application:** - Used to prove equivalence of two sequential circuits that have the same state variables (or at least the same state space and a known mapping between states) by verifying that they have the same next-state and output functions - Used in place of gate vs. RTL verification by simulation #### **Recommendations:** - Use modular design, relatively small modules, 10k 20k gates - Maintain hierarchy during synthesis (not flattening) and before layout: equivalence can be proven hierarchically much faster, especially for arithmetic circuits ### **Equivalence Checking Tools (cont'd)** #### CheckOff-E - Commercial product by Abstract Hardware Ltd. (UK) and Siemens AG (Germany) - Performs behavioral comparison of two Finite State Machines - Input EDIF netlist + library or **VHDL** - VHDL subset (superset of synthesizable synchronous VHDL) - no real time clauses (after, wait for), no conditional loop statements - Interprets VHDL simulation semantics to build a Micro FSM - Converts to Macro FSM by merging transition until stabilization at each time t - Macro FSM is starting point for any verification; representation in ROBDD - Product discontinued! ### References - 1. V. Sperschneider, G. Antoniou. *Logic: A Foundation for Computer Science*. Addison-Wesley, 1991. - 2. S. Reeves, M. Clarke. Logic for Computer Science. Addison-Wesley, 1991. - 3. Alan J. Hu, Formal Hardware Verification with BDDs: An Introduction, *IEEE Pacific Rim Conference on Communications, Computers, and Signal Processing*, pp.677-682, 1997. - 4. J. Jain, A. Narayan, M. Fujita, and A. Sangiovanni-Vincentelli, Formal Verification of Combinational Circuits, *VLSI Design*, 1997. - 5. R.E. Bryant. Graph-Based Algorithms for Boolean Function Manipulation. *IEEE Transactions on Computers*, C-35(8), pp. 677-691, August 1986. - 6. R.E. Bryant. Symbolic Boolean Manipulation with Ordered Binary Decision Diagrams. *ACM Computing Surveys*, 24(3), 1992, pp. 293-318. - 7. R.E. Bryant. Binary Decision Diagrams and Beyond: Enabling Technologies for Formal Verification. *International Conference on Computer-Aided Design*, pp. 236-243, 1995. - 8. S. Minato. *Binary Decision Diagrams and Applications for VLSI CAD*. Kluwer Academic Publishers, 1996. - 9. M. Sheeran, G. Stålmarck. A tutorial on Stålmarck's proof procedure for propositional logic. Formal Methods in Systems Design, Kluwer, 1999. - 10.O. Coudert and J.C. Madre, A Unified Framework for the Formal Verification of Sequential Circuits, *Int. Conference on Computer-Aided Design*, pp. 126-129, 1990. - 11.H. Touati, H. Savoj, B. Lin, R.K. Brayton, and A. Sangiovanni-Vincentelli, Implicit State Enumeration of Finite State Machines Using BDD's, *Int. Conference on Computer-Aided Design*, pp. 130-133, 1990.