In this survey, we outline basic SAT and ATPG procedures as well as their applications in formal hardware verification. We attempt to give the reader a trace through the literature and provide a basic orientation concerning the problem formulations and known approaches in this active field of research.
2 Background
Checking satisfiability (SAT) of propositional formulae in conjunctive normal form (CNF) is the classical NP-complete problem. A formula is in CNF if it is a product of sums of literals. Many hard problems can be translated into a SAT problem. This has been the main motivation to work on good heuristics and algorithms. The idea is that, once implemented in a generic SAT solver, good heuristics can be used and shared across multiple application domains. Additionally, the abstract framework often makes it easier to find general heuristics than a narrow application point of view would.
The research around SAT procedures started in the context of automated theorem proving, where SAT was identified as a simple instance of formally proving theorems. Theorem proving is also regarded as a subfield of artificial intelligence. Most of this work is reviewed in [KB99]. In the last decade many advances in SAT were driven by the electronic design automation (EDA) community with its strong interest in efficiently solving large SAT problems.
Research in automatic test pattern generation (ATPG), on the other hand, was primarily driven by specific applications in circuit testing. It is the task of an ATPG algorithm to generate a test for every fault in the circuit according to some fault model. If the well-known stuck-at fault model is assumed, a test is obtained by finding a set of input assignments such that the fault is controlled at the fault location, i.e., a '0' is produced for a stuck-at-1 and a '1' is produced for a stuck-at-0, and the fault is observable, i.e., a signal change at the fault location propagates to at least one output of the circuit. We note that the problem formulations of SAT and ATPG are closely related. The controllability portion of the ATPG problem immediately represents a SAT problem for a given signal (or its inversion) in a gate netlist. Observability can be mapped to Boolean satisfiability as well by using the notion of the Boolean difference [AB90]. ATPG for single stuck-at faults can therefore be solved by a SAT-
Even for more complicated gates, such as gates with multiple inputs or XOR gates, the translation of the generated equalities into implications and then into CNF is pretty straightforward. If we restrict counting gates like XOR to have a constant maximal fanin, then the whole translation remains linear in the number of gates.
replacing implications by disjunctions:
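The stuck-at formulation above (control the fault site, then observe a difference at an output) can be exercised directly on a small netlist. The following Python program is an added example and not code from the surveyed paper: it assigns primary inputs one at a time in a binary decision tree, as PODEM does, and prunes each branch with three-valued simulation of the good and faulty circuits, so a branch dies as soon as the fault site is forced to its stuck value (controllability lost) or every output is already fixed and identical in both circuits (observability lost). The netlist, the signal names and the redundant gate n5 are constructed for the example; the branching order is the plain primary-input order, without PODEM's backtrace heuristic.

```python
"""Stuck-at test generation by backtrack search over primary inputs (PODEM style).

Added example, not code from the surveyed paper.  The netlist format, the
sample circuit and the signal names are constructed for this example.  Signals
take the values 0, 1 or None (unknown) during three-valued simulation.
"""

# Constructed sample netlist: signal -> (gate type, input signals).
# Primary inputs are the names that never appear as gate outputs.
NETLIST = {
    "n1": ("AND", ["a", "b"]),
    "n2": ("OR", ["n1", "c"]),
    "n3": ("NOT", ["b"]),
    "y1": ("XOR", ["n2", "n3"]),
    "y2": ("AND", ["n2", "d"]),
    "n5": ("AND", ["c", "d"]),
    "y3": ("OR", ["c", "n5"]),   # y3 == c, so n5 stuck-at-0 is redundant
}
PRIMARY_INPUTS = ["a", "b", "c", "d"]
PRIMARY_OUTPUTS = ["y1", "y2", "y3"]


def gate_eval(kind, vals):
    """Three-valued evaluation of one gate; None means not yet determined."""
    if kind == "NOT":
        return None if vals[0] is None else 1 - vals[0]
    if kind == "AND":
        return 0 if 0 in vals else (None if None in vals else 1)
    if kind == "OR":
        return 1 if 1 in vals else (None if None in vals else 0)
    if kind == "XOR":
        return None if None in vals else sum(vals) % 2
    raise ValueError(kind)


def topological_order(netlist):
    """Order gate outputs so every gate is evaluated after its inputs."""
    order, seen = [], set()

    def visit(sig):
        if sig in seen or sig not in netlist:
            return
        seen.add(sig)
        for src in netlist[sig][1]:
            visit(src)
        order.append(sig)

    for sig in netlist:
        visit(sig)
    return order


def simulate(netlist, order, inputs, fault=None):
    """Simulate with partial inputs; fault=(signal, stuck_value) injects a stuck-at."""
    vals = dict(inputs)
    if fault and fault[0] not in netlist:          # fault on a primary input
        vals[fault[0]] = fault[1]
    for sig in order:
        kind, srcs = netlist[sig]
        vals[sig] = gate_eval(kind, [vals.get(s) for s in srcs])
        if fault and sig == fault[0]:              # fault on an internal signal
            vals[sig] = fault[1]
    return vals


def detects(netlist, pis, pos, vector, fault):
    """True if the (possibly partial) input vector exposes the fault at some output."""
    order = topological_order(netlist)
    good = simulate(netlist, order, vector)
    bad = simulate(netlist, order, vector, fault)
    return any(good[o] is not None and bad[o] is not None and good[o] != bad[o] for o in pos)


def generate_test(netlist, pis, pos, fault):
    """Assign primary inputs one at a time and backtrack; returns a test vector
    (unassigned inputs are don't-cares) or None if the fault is undetectable."""
    order = topological_order(netlist)
    site, stuck = fault
    assignment = {}

    def status():
        good = simulate(netlist, order, assignment)
        bad = simulate(netlist, order, assignment, fault)
        if good.get(site) == stuck:                # controllability: cannot activate
            return "dead"
        if all(good[o] is not None and good[o] == bad[o] for o in pos):
            return "dead"                          # observability: no output can change
        if any(good[o] is not None and bad[o] is not None and good[o] != bad[o] for o in pos):
            return "test"                          # difference already reaches an output
        return "open"

    def search(i):
        state = status()
        if state != "open":
            return state == "test"
        if i == len(pis):
            return False
        for value in (0, 1):                       # binary decision tree over the PIs
            assignment[pis[i]] = value
            if search(i + 1):
                return True
            del assignment[pis[i]]                 # backtrack
        return False

    return dict(assignment) if search(0) else None
```

Calling generate_test(NETLIST, PRIMARY_INPUTS, PRIMARY_OUTPUTS, ("n1", 0)) returns {"a": 1, "b": 1, "c": 0} with d left as a don't-care, and detects() confirms the vector by simulation. The fault ("n5", 0) yields None: y3 equals c regardless of n5, so the fault is untestable and the gate is redundant; this is the observability part of the problem that ATPG-based logic synthesis depends on.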
3 ATPG versus SAT procedures
Both modern SAT and ATPG algorithms approach the decision problem by a backtrack search in the finite Boolean space that is spanned by the variables of the CNF or the Boolean network, respectively. In SAT, this was first formulated in the Davis-Logemann-Loveland (DLL) procedure [DL62], and in VLSI testing the famous D-algorithm [Ro66] was the first complete test generation algorithm. Note that not DLL but the Davis-Putnam procedure [DP60] is the first complete SAT-solving method. The Davis-Putnam procedure is based on resolution, which leads to a fundamentally different reasoning scheme compared to backtrack search. Almost all modern solvers are based on backtrack search, however. They exhaust a binary decision tree and employ resolution only as an optional instrument to prune the search space. The first ATPG tool enumerating a binary decision tree is PODEM [Go81]. Efficient heuristics to prune the search space have further been proposed in [FS83, KM87, GB91, GF01]. Later work in ATPG mainly concentrated on effective implication procedures [SA89, RC90, KP92, CA93, TG00, GF01]. Implications are needed to determine necessary assignments in the search process and help to avoid backtracks. Efficient implication routines are also key in SAT. In SAT terminology, making implications is referred to as Boolean constraint propagation (BCP), and many notions of BCP can be related to concepts of implication techniques in ATPG. In SAT procedures, the CNF representation facilitates powerful methods to prune the search space based on conflict analysis [MS99, BS97, Zh97]. When conflicts occur, clauses are added to the clause base and help to avoid these and related conflicts in the future. Such clause recording is quite specific to CNF-based solvers and has been explored only little for ATPG algorithms operating on multi-level gate netlists. Conflict analysis is often combined with non-chronological backtracking.
Non-chronological backtracking deviates from the rigorous scheme of the binary decision tree by analyzing the true causes of a conflict using an implication graph [MW85, Ma86, MS99]. Recent work incorporates a special form of non-chronological backtracking combined with conflict analysis in an ATPG framework based on the D-algorithm. The main differences between SAT and ATPG arise from the slightly different problem formulation and the different representation of the problem as CNF or multi-level netlist. In ATPG-based logic synthesis (see the following paper in these proceedings) the observability part of the ATPG problem is crucial. In many other EDA applications, however, observability is of little relevance and only the controllability part of ATPG is used.

4 Application: combinational equivalence checking

SAT and ATPG have proved to be important instruments in combinational equivalence checking. The task of combinational equivalence checking is to check whether or not two combinational circuits implement the same Boolean functions. Given two outputs yA and yB of two circuits A and B, it can be verified that yA and yB are equivalent by showing that yA ⊕ yB is unsatisfiable. For large circuits, however, this is generally intractable and even sophisticated solvers will fail in practice. Fortunately, the problem can be solved in many practical cases if the solving procedure is refined based on the following observation: most synthesis procedures perform many but fairly local circuit transformations. This preserves some of the original circuit structure, so that the two designs under comparison contain many equivalent functions at their internal circuit nodes. These internal equivalences [BT89] can be identified by passing from the circuit inputs to the outputs. A local analysis is usually sufficient to identify many internal equivalences.
Previously determined equivalences serve as shortcuts in the reasoning process, so that more and more equivalences can be computed efficiently until the equivalence of the outputs is determined. The first equivalence checkers that showed the practicality of this paradigm were based on ATPG [Br93, Ku93]. Further work refined the process by also incorporating local BDDs [JM95, Ma96, KK97] and/or SAT [MG99, KG01], so that modern equivalence checkers can handle circuits with millions of gates.
5 Application: property checking

More recently, checking properties of circuits has become an area of intense research. It is regarded as one means, some insiders even argue the only means, to keep verification costs at an acceptable level. Another motivation is the increasing interest in reusing designs, or intellectual property (IP), in the context of system-on-chip (SoC). The business model for IP requires that the interface of an IP is specified as precisely as possible, for example with assertions. An interface contract contains assertions about what is required from the environment in which the IP is deployed. Then, the IP will provide certain properties. These properties are most naturally formulated as assertions. Clearly it is a business advantage to be able to formally prove that these assertions always hold.
Assertions come in two flavors: combinational and sequential. Checking combinational assertions can easily be formulated as a SAT problem by the Tseitin translation discussed above. A typical example is checking for bus contention combinationally. With "combinationally" we mean that only the combinational logic is taken into account.
For example, if there are two potential drivers of a bus and their write enable signals are e1 and e2, respectively, assuming two-valued signals only, then the SAT problem of checking for bus contention will use the CNF obtained by the Tseitin translation of the whole circuit and two additional sum terms consisting of a single literal each, e1 and e2, respectively. The addition of these two unit clauses makes the CNF satisfiable if and only if both write enable signals can be asserted to one at the same time.
A weaker form of bus contention checking would only require that the write enable signals are never both asserted to one unless the driven values v1 and v2 are identical. To derive the required sum terms in this case may not look as easy as in the first case. But in general we can always encode such a property, here (e1 ∧ e2) → (v1 = v2), as an assertion, which in turn can be translated into a circuit itself. The single output of this monitor is '1' if and only if the property holds. Then we translate this monitor circuit into CNF as before.
Finally, it remains to add a single literal, which forces the output of the monitor to become '0', and check again for satisfiability. The CNF is satisfiable if and only if the property fails. One could also check sequential designs for bus contention, where bus contention only needs to be avoided for valid states reachable after a proper reset. Similarly, a property which says that a certain vector of signals is a one-hot encoding can be checked combinationally, for instance if the signal vector is the output of combinational logic. In this case, we only check whether the vector is one-hot no matter in what state the system is. Sequentially checking the one-hot property means that the property only has to hold after a reset, and we have to analyze the state space of the system.

Sequential property checking is also called model checking after [CE81, CG99]. In addition to checking assertions for all reachable states, model checking targets more involved properties, such as liveness. Liveness properties allow us to formulate expected behaviour that necessarily will happen, such as that a request will always be acknowledged. Even nested properties and relations between properties can be specified. Typically temporal logic is used for this purpose.
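Both bus-contention checks, and the gate-by-gate translation into implications and then into CNF described earlier, can be carried out with the following Python program. It is an added example and not code from the surveyed paper: the Tseitin class emits the clauses for NOT, AND, OR and two-input XOR gates, dpll is a minimal DLL procedure with unit propagation as its BCP, and the two-driver bus netlist with inputs req, sel, mode and data, enables e1 and e2 and driven values v1 and v2 is constructed for the example (the buggy flag deliberately breaks the value agreement). The strong check adds the unit clauses e1 and e2; the weak check builds the monitor for (e1 ∧ e2) → (v1 = v2) and adds the unit clause that forces its output to 0.

```python
"""Combinational property checking with SAT: Tseitin translation plus DLL search.

Added example, not code from the surveyed paper.  The two-driver bus netlist,
its signal names (req, sel, mode, data, e1, e2, v1, v2) and the monitor gates
are constructed for this example.
"""

class Tseitin:
    """Translate a gate netlist into CNF, one fresh variable per signal.
    Clauses are tuples of non-zero ints (negative = negated literal); each gate
    adds a constant number of clauses, so the CNF stays linear in the gate count."""

    def __init__(self):
        self.var, self.clauses = {}, []

    def v(self, name):
        """Variable number of a signal, allocated on first use."""
        if name not in self.var:
            self.var[name] = len(self.var) + 1
        return self.var[name]

    def gate(self, out, kind, ins):
        """Add the clauses of out = kind(ins): implications written as disjunctions."""
        o, a = self.v(out), [self.v(i) for i in ins]
        if kind == "NOT":
            self.clauses += [(-o, -a[0]), (o, a[0])]       # o -> not x,  not x -> o
        elif kind == "AND":
            self.clauses += [(-o, x) for x in a]           # o -> x_i
            self.clauses.append((o, *[-x for x in a]))     # x_1 and ... and x_n -> o
        elif kind == "OR":
            self.clauses += [(o, -x) for x in a]           # x_i -> o
            self.clauses.append((-o, *a))                  # o -> x_1 or ... or x_n
        elif kind == "XOR":                                # two-input XOR, four clauses
            x, y = a
            self.clauses += [(-o, x, y), (-o, -x, -y), (o, -x, y), (o, x, -y)]
        else:
            raise ValueError(kind)
        return o

def dpll(clauses, assignment=None):
    """DLL backtrack search; unit propagation (BCP) runs before every decision."""
    assignment = dict(assignment or {})
    while True:
        unit = None
        for clause in clauses:
            if any(assignment.get(abs(l)) == (l > 0) for l in clause):
                continue                                   # clause already satisfied
            free = [l for l in clause if abs(l) not in assignment]
            if not free:
                return None                                # conflict: all literals false
            if len(free) == 1:
                unit = free[0]
                break
        if unit is None:
            break
        assignment[abs(unit)] = unit > 0                   # forced assignment
    unassigned = sorted({abs(l) for c in clauses for l in c} - set(assignment))
    if not unassigned:
        return assignment
    x = unassigned[0]
    for value in (True, False):                            # decision: branch on x
        model = dpll(clauses, {**assignment, x: value})
        if model is not None:
            return model
    return None

PRIMARY_INPUTS = ["req", "sel", "mode", "data"]

def build_bus(buggy=False):
    """Constructed two-driver bus.  Both enables are 1 when req = sel = mode = 1;
    the driven values agree on that overlap unless buggy=True."""
    ts = Tseitin()
    for pi in PRIMARY_INPUTS:
        ts.v(pi)
    ts.gate("nsel", "NOT", ["sel"])
    ts.gate("nmode", "NOT", ["mode"])
    ts.gate("e1", "AND", ["req", "sel"])
    ts.gate("t", "OR", ["nsel", "mode"])
    ts.gate("e2", "AND", ["req", "t"])
    ts.gate("v1", "AND", ["data", "req"])
    if buggy:
        ts.gate("v2", "XOR", ["data", "sel"])             # v2 = not data on the overlap
    else:
        ts.gate("u", "AND", ["sel", "nmode"])
        ts.gate("v2", "XOR", ["data", "u"])               # u = 0 on the overlap, v2 = data
    return ts

def solve_with(ts, units):
    """Solve the circuit CNF plus single-literal clauses; return a PI witness or None."""
    model = dpll(ts.clauses + [(lit,) for lit in units])
    if model is None:
        return None
    return {pi: int(model[ts.var[pi]]) for pi in PRIMARY_INPUTS}

def check_strong(ts):
    """Units e1 and e2: SAT iff both drivers can be enabled at the same time."""
    return solve_with(ts, [ts.var["e1"], ts.var["e2"]])

def check_weak(ts):
    """Monitor for (e1 and e2) -> (v1 = v2); forcing its output ok to 0 makes the
    CNF satisfiable iff the property can fail, and the model is the counterexample."""
    ts.gate("both", "AND", ["e1", "e2"])
    ts.gate("diff", "XOR", ["v1", "v2"])
    ts.gate("bad", "AND", ["both", "diff"])
    ts.gate("ok", "NOT", ["bad"])
    return solve_with(ts, [-ts.var["ok"]])
```

check_strong(build_bus()) returns a witness with req = sel = mode = 1, so the two drivers can be enabled together; check_weak(build_bus()) returns None because the driven values agree on that overlap, while check_weak(build_bus(buggy=True)) returns the counterexample assignment. The clause count of build_bus() is 23 for 8 gates, which illustrates the linear size of the translation.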
A standard approach for checking temporal properties is similar to the monitor circuit idea discussed above for combinational properties: the temporal formula is translated into a Büchi automaton, a type of automaton working on infinite execution sequences (traces), which is added to the circuit. The resulting system is checked for traces violating the temporal property.
The first algorithms to find such violating traces worked on the explicit state graph of the system, restricting their usage to circuits with a very small state space and a small set of primary inputs. With the invention

Sequential property checking is much harder than combinational property checking. One can actually prove that it is PSPACE-complete to check assertions for all reachable states of a design, as opposed to the NP-completeness of combinational property checking. This is also reflected in the size of the largest circuits that can typically be checked. In practice model checking is restricted to designs with several hundred flip-flops, while combinational property checking scales up to millions of gates.
If completeness is dropped and checking is only done to find bugs, similar to simulation, then sequential properties of much larger designs can be checked. This is the approach taken by bounded model checking (BMC) [BC99]. In addition, it allows the use of SAT instead of BDDs, which makes the checker much more robust. In BMC the sequential circuit is unrolled as in the time frame expansion approach for sequential ATPG. Then an additional monitor-like formula is generated, restricting valid execution traces to be counterexamples to the temporal formula being checked.
There are several ideas to make BMC more complete, such as checking for diameters [BC99, BK02], using some type of restricted induction [SS00], or using SAT for image computation [Mc02]. In the future it may well happen that for certain applications BMC replaces BDD-based model checking. Today BMC is already in widespread use as a fast filter before more costly temporal property checking algorithms based on BDDs are used. Finally, it is apparent that some of the ideas that grew out of BMC can well be combined with sequential ATPG, using ATPG as a replacement for SAT.
