




The Dissertation Committee for Jun Yuan
Certifies that this is the approved version of the following dissertation:







Martin D. F. Wong
Symbolic Methods in Simulation-based Verification
by
Jun Yuan, B.S., M.S.
DISSERTATION
Presented to the Faculty of the Graduate School of
The University of Texas at Austin
in Partial Fulfillment
of the Requirements
for the Degree of
DOCTOR OF PHILOSOPHY




Acknowledgments

It is hardly believable that I have finally come to the conclusion of this seemingly endless pursuit of a PhD. But here I am, writing the last few pages of my dissertation; I'd like to thank the people that have made this possible.
It is my extreme pleasure to thank my advisor, Adnan Aziz. Adnan has been a great mentor and friend during my extended stay at UT Austin. Besides his courses on verification and synthesis, which became the topic of this dissertation, Adnan also convinced me to buy my first LaTeX book, which greatly improved the quality of my writing. His steadfast devotion to uncompromising standards in demonstrating scientific ideas has always been a source of inspiration in my academic life.
I am very happy indeed to thank Carl Pixley for being a highly interactive and supportive supervisor in my job at Motorola. We managed to find a great match between my research at UT and my work in the formal verification group that Carl developed. Carl's drive for mathematical rigor and insightful conversations have made this dissertation a less difficult task.
I am also deeply honored to have Jacob Abraham, Vijay Garg, Gustavo de Veciana, and Martin Wong serving on my committee. I thank them all for giving me invaluable advice during my qualification process and afterwards.
I would like to take this opportunity to thank my former advisors Daniel Berleant (U. of Arkansas) and Stephen Szygenda. Dan's precise style in teaching C programming gave me a sound understanding of software and computer architectures. Steve introduced me to the world of Electronic Design Automation. For the past eight years, I have made a living by writing EDA tools in C.
Melanie Gulick, our department's graduate coordinator, deserves special thanks for her resourceful help in my constant, heroic fight to "come back" after being deleted from the registration, for having to skip a semester or two once in a while to keep my day job.
I would also like to thank my current and former colleagues. Jian Shen (UT Austin) collaborated on my first paper; his microwaved potatoes and beef stews tasted so delicious those sleepless nights before paper deadlines. Matt Kaufmann (Motorola) talked me into switching from vi to emacs: as he put it, "Emacs is all you need for the job." Nearly so, considering the quantum leap in productivity as a result. I can't even imagine how many times I would have had to "i" and "Esc" to type up this document. I thank Kurt Shultz for the initial implementation of SymGen, and helpful discussions in the course of the tool's development.
I heartily thank all my soccer buddies, for bringing together a brotherhood in the games and in the parties thereafter. I enjoyed the passion and artistry in motion on the field, as well as the free-spirited chats in happy hours at the Double Dave. Soccerizing has kept me up both physically and emotionally.
I thank my parents for always being supportive and encouraging in my pursuit of academic excellence, ever since I was very young. I thank my wife for being patient with my frequent late returns home, and for her down-to-earth Sichuan cuisine, particularly the real "doubly cooked pork" that is extremely rare on the menus of local Chinese restaurants.
Finally, I owe a most profound debt and thank you to my best friend, Katy, who has shaped my life more than anyone else. I would not have come to America for graduate studies, and I could have given up on my doctorate long ago, without her intellectual inspiration and unwavering support through both good times and bad.
Symbolic Methods in Simulation-based Verification
Publication No.
Jun Yuan, Ph.D.
The University of Texas at Austin, 2002
Supervisor: Adnan Aziz
This dissertation conducts research in automating the design of digital hardware. Specifically, we apply symbolic methods in simulation-based functional verification. Simulation, due to its simplicity and close coupling with the electronic design process, has been the prevalent approach to checking the correctness of designs. However, it suffers from several drawbacks. First, simulation verifies only the portion of design behavior that is exercised by input vectors; in addition, input vector generation itself is a time-consuming and error-prone process. Both problems are aggravated by the exponential growth in integrated circuit design complexity.
On the other side, formal verification is "vector-less" in that it certifies correctness either through mathematically rigorous proofs or by exhaustive enumeration of design behaviors. Needless to say, this approach requires either enormous computational resources or a great deal of manual intervention to verify large designs. The problem, however, is greatly alleviated by the advent of symbolic methods, particularly the introduction of Binary Decision Diagrams to represent sets of states and transition dynamics. Symbolic formal verification has since been adopted in practice, but is still limited to simple protocols and small designs.
It is natural to explore ways to leverage symbolic methods in simulation verification. To this end, we introduce several such applications. We first describe what we refer to as "saturated simulation" and "retrograde analysis" for checking invariant properties, which are common in electronic designs. State and transition coverage are used as guidance for a partial symbolic simulation. Consequently, a higher level of verification confidence is achieved.
We then present a symbolic input vector generation method, in which state-dependent constraints and input biases are used to confine the generated vectors to "legal" and "interesting" cases. The constraints and biases are both of a dynamic nature, that is, they can depend upon the state of the design. This enables the generation of complicated sequences of vectors.
We also discuss methods of optimizing the vector generation process through efficient extraction of a special kind of constraint, in which the inputs are fully specified by the state of the design. In the end, we present an alternative vector generation method based on constraint synthesis. Beyond its obvious role in simulation, the method also provides a constraint-based interface model for other verification





Table of Contents

List of Figures . . . . xiv
List of Tables . . . . xvi
Chapter 1. Introduction . . . . 1
1.1 Simulation . . . . 3
1.2 Formal Verification . . . . 4
1.3 Symbolic Methods in Formal Verification . . . . 6
1.4 Scope and Overview of the Dissertation . . . . 7
1.4.1 Saturated Simulation . . . . 8
1.4.2 Retrograde Analysis . . . . 9
1.4.3 Constrained Simulation Vector Generation . . . . 9
1.4.4 Constraint Diagnosis . . . . 10
1.4.5 Simplification of Constraint Solving . . . . 11
1.4.6 Constraint Synthesis . . . . 11
1.5 Chapter Structures . . . . 12
Chapter 2. Preliminaries . . . . 13
2.1 Boolean Algebra and Notations . . . . 13
2.2 Hardware Modeling . . . . 15
2.3 Reachability Analysis . . . . 18
2.4 Model Checking . . . . 21
2.5 Reduced Ordered Binary Decision Diagrams . . . . 24
2.5.1 BDD Representation of Boolean Functions . . . . 25
2.5.2 BDD Manipulations . . . . 27
2.5.3 The BDD Size Consideration . . . . 28
2.5.4 BDD-based Reachability Analysis and Model Checking . . . . 31
Chapter 3. Saturated Simulation . . . . 32
3.1 Introduction . . . . 32
3.2 Previous Work . . . . 35
3.3 Preliminaries . . . . 35
3.4 Control State Saturated Simulation . . . . 36
3.5 BDD Minimization . . . . 40
3.6 Control Edge Saturated Simulation . . . . 41
3.7 Experimental Results . . . . 44
3.8 Summary . . . . 46
Chapter 4. Retrograde Analysis . . . . 47
4.1 Introduction . . . . 47
4.2 The Implementation . . . . 48
4.3 Experimental Results . . . . 50
4.4 Summary . . . . 51
Chapter 5. Constrained Vector Generation . . . . 53
5.1 Introduction . . . . 53
5.2 Previous Work . . . . 54
5.3 Constraints and Biasing . . . . 56
5.3.1 Constraints for Environment Modeling . . . . 56
5.3.2 BDD Representation of Constraints . . . . 57
5.3.3 Input Biasing . . . . 58
5.3.4 Constrained Probabilities . . . . 59
5.3.5 An Example of Constrained Probability . . . . 60
5.4 Simulation Vector Generation . . . . 62
5.4.1 The Weight Procedure . . . . 63
5.4.2 The Walk Procedure . . . . 67
5.4.3 Correctness and Properties . . . . 71
5.4.4 An Example of the p-tree Algorithm . . . . 74
5.5 Implementation Issues . . . . 77
5.5.1 Variable Ordering . . . . 77
5.5.2 Constraint Partitioning . . . . 78
5.5.3 The Overall Flow . . . . 80
5.6 Results . . . . 83
5.6.1 Constraint BDDs . . . . 83
5.6.2 A Case Study . . . . 85
5.7 Summary . . . . 89
Chapter 6. Constraint Diagnosis . . . . 91
6.1 Introduction . . . . 91
6.2 Static Analysis of DESs . . . . 92
6.3 Dynamic Methods . . . . 95
Chapter 7. Simplification of Constraint Solving . . . . 97
7.1 Introduction . . . . 97
7.2 Preliminaries . . . . 99
7.3 Syntactical Extraction . . . . 100
7.4 Functional Extraction . . . . 101
7.4.1 Condition and Extraction . . . . 101
7.4.2 Constraint Simplification . . . . 105
7.4.3 Recursive Extraction . . . . 111
7.5 The Overall Algorithm . . . . 113
7.6 Related Works . . . . 113
7.7 Experiments . . . . 117
7.7.1 Impact on building conjunction BDDs . . . . 117
7.7.2 Impact on Simulation . . . . 121
7.8 Summary . . . . 122
Chapter 8. Constraint Synthesis . . . . 123
8.1 Introduction . . . . 123
8.2 Problem Formulation . . . . 125
8.3 The Cascaded Synthesis Method . . . . 126
8.3.1 Cascaded Solution Generation . . . . 127
8.3.2 The Algorithm . . . . 130
8.3.3 Detection of illegal states . . . . 132
8.4 Comparisons to other synthesis methods . . . . 133
8.4.1 Constraint-based Synthesis . . . . 134
8.4.2 BU Based On Boole's Method . . . . 138
8.4.3 Shiple and Kukula's Method . . . . 143
8.5 Summary and Discussion . . . . 144
Chapter 9. Conclusion . . . . 146
9.1 Summary . . . . 147
9.2 Future Work . . . . 148
Appendix A. Generalized Cofactoring for Multiple Constraints . . . . 151





List of Figures

2.1 Example: Netlist . . . . 17
2.2 Example: Transition relation and state transition diagram . . . . 18
2.3 Reachability Analysis . . . . 20
2.4 Computing Sat(E(p U q)) . . . . 25
2.5 Reducing BDD for function a  b + c . . . . 27
2.6 The BDD Apply operation . . . . 28
2.7 Dependency of BDD size on variable ordering . . . . 29
3.1 Partitioning a design into Control and Datapath . . . . 33
3.2 The cproject operator . . . . 37
3.3 Minimal control saturated subsets and reachability . . . . 38
3.4 Control-saturated simulation . . . . 39
3.5 Example: A minimal control-edge saturated subset . . . . 42
4.1 Retrograde search for Invariant checking . . . . 49
4.2 Retrograde Analysis applied to Mesh4 . . . . 51
4.3 Effect of Hamming Distance on Cube4 . . . . 52
5.1 Procedure Weight . . . . 64
5.2 Procedure Walk . . . . 69
5.3 A constraint BDD labeled with node weight . . . . 75
5.4 The p-tree algorithm . . . . 81
5.5 SymGen flow chart . . . . 82
7.1 Hold-constraint extraction . . . . 114
8.1 SymGen and Synthesized Constraints . . . . 124
8.2 Cascaded synthesis . . . . 131
8.3 Example: Cascaded synthesis of a 3-input constraint . . . . 131
8.4 Boolean Unification . . . . 139
8.5 Cascaded synthesis — another form . . . . 140
A.1 Generalized cofactor . . . . 151
A.2 Generalized cofactor with respect to multiple constraints . . . . 152
B.1 Generalized cofactor with respect to state-dependent constraints . . . . 160
B.2 Find the nearest match . . . . 161
List of Tables

3.1 Complete BDD based reachability analysis . . . . 45
3.2 Partial reachability analysis using control-state saturated subsets . . . . 45
3.3 Partial reachability analysis using control-edge saturated subsets . . . . 46
3.4 Comparing saturated simulation with cycle simulation . . . . 46
5.1 Example: explicit computation of vector probabilities . . . . 61
5.2 Example: explicit computation of vector weights under constraints . . . . 61
5.3 Example: constrained probabilities (reset=0) . . . . 76
5.4 Statistics of designs . . . . 83
5.5 Building the constraint BDD without partitioning . . . . 84
5.6 Building the constraint BDD with partitioning . . . . 85
5.7 Result of biasing . . . . 88
5.8 Overhead of SymGen . . . . 88
7.1 Result of extractions . . . . 118
7.2 Result of building conjunction BDDs (no extraction) . . . . 118
7.3 Result of building conjunction BDDs (syntactical) . . . . 119
7.4 Result of building conjunction BDDs (functional1) . . . . 120
7.5 Result of building conjunction BDDs (functional2) . . . . 120




Chapter 1. Introduction

Integrated circuits have been growing rapidly in scale and functionality. Driving this growth is the relentless advance of technologies in integrated circuit fabrication, which, as sagely predicted by Moore's law, has been doubling the transistor count per chip every eighteen months for the past three decades. Today, microprocessor designs are implemented using hundreds of millions of transistors; they involve design technologies ranging from performance boosters such as deep pipelining and parallelism, to integration endeavors highlighted by the System-on-Chip movement. On the other hand, time-to-market has been steadily shortening thanks to the ferocious competition in the industry. This increase in complexity, joined by the lack of verification time, has greatly magnified the likelihood of "buggy" products being put into customers' hands. Well-known examples include Intel's Pentium™ floating point division bug [12] and Toshiba's disk drive problem [31]. Both cost the companies hundreds of millions of dollars, and more in the damage to consumers' confidence in their products.
In short, there is a clear and present crisis of verification, a crisis that has changed the balance between design and verification, making the latter the bottleneck in the product development cycle. This has prompted research in various directions, targeting verification at all implementation levels, including functional verification from the behavioral level down to the transistor level, timing verification at the gate and transistor levels, layout versus schematic (LVS) comparison for the correctness of lithographic masks, and the testing of manufacturing faults on silicon. One way or another, all forms of verification play an indispensable role in ensuring a functioning product.
The focus of this dissertation will be on functional verification, referring to the checking of whether the design conforms to a set of specifications, regardless of power, timing, area, testability, manufacturability, and so forth. All of the latter are very important considerations and deserve the attention they get. But functional verification, in its own right, might easily be the most challenging problem in design practice [93]. This challenge stems from the drive for completeness in an ideal functional verification. Under case-by-case testing, exploring the complete design functionality translates indirectly into having to examine the design on application of all possible execution sequences, with all combinations of the design inputs. This is a formidable task even for designs of modest size, say a 256-bit RAM (Random Access Memory), which nevertheless yields 10^80 possible combinations of its contents. Since case-based testing alone is inadequate, functional verification sometimes resorts to complementary methods of a nonenumerative nature. Consequently, functional verification approaches can be broadly categorized as being in the domain of case-based testing, which is commonly referred to as simulation, or the domain of analytical, i.e. formal, methods. The latter is often assisted by nonenumerative techniques, such as the symbolic methods.
The rest of this chapter provides background information on simulation-based and formal approaches to functional verification. It motivates the synergy of the two approaches, and the application of symbolic methods to simulation in particular, in an effort to improve the efficiency and applicability of simulation-based functional verification. This chapter also outlines the contents, and discusses in some detail the main contributions of this dissertation.
1.1 Simulation
Simulation is the most common approach to functional verification. The verification is done by checking that the design has the proper behavior as elicited by a series of functional vectors [100, 105]. More specifically, the verification consists of three major tasks: generating the functional test vectors, executing the vectors on the design, and monitoring whether the design satisfies its specification during the execution. Simulation-based verification is straightforward, and scales well in the sense that the amount of CPU time and memory taken to simulate is proportional to the size of the design. However, the drawbacks of this approach are also apparent: (1) An exhaustive simulation is impossible for most designs of interest; therefore, a degree of confidence can only be obtained by simulating with a large number of vectors. (2) The generation of simulation vectors for large designs can be tedious and time-consuming.
The situation is aggravated by the lack of good metrics that gauge the quality of simulation. Roughly speaking, simulation quality metrics fall into two categories: code coverage and function coverage. Code coverage, such as the coverage of lines and branches in a design description, does allow a sense of completeness since the description must be finite. The completeness, however, does not extend to the coverage of functionality. In fact, code coverage is purely empirical and quite inadequate in regard to measuring how much of the design behavior is exercised. A better measurement can be achieved by function coverage, for example, the coverage of states or state transitions. Theoretically, any coverage defined over the structure or functionality of a digital design is finite, including coverage of states and transitions. In practice, however, full state or transition coverage is usually unattainable because of the vast state space, or undetectable, because some states may never be reachable and we are not aware of this a priori.
Therefore, simulation-based verification is left with no feasible stopping criterion and is deemed incomplete. A typical industry practice is to simulate the design with a relatively small set of vectors created manually by the engineers, then with random vectors for as long as is feasible.
1.2 Formal Verification
In contrast to simulation, formal verification methods, such as theorem proving [19, 55, 67, 87], model checking [20, 25, 43, 82, 91], and language containment [8, 71–73, 107], offer complete verification, but require either extensive human expertise or enormous computational resources.
In theorem proving, the design and the properties are expressed as formulas in some mathematical logic. A property is proved if it can be derived from the design in a logic system of axioms and a complete set of inference rules. The proof, resembling a combinatorial search, may appeal to intermediate definitions and lemmas in addition to the axioms and rules. Theorem proving typically requires a great deal of skilled human guidance and is therefore limited to applications at higher abstraction levels, such as communication protocols.
Model checking is a technique that relies on building a finite state model and checking that the desired properties hold in that model. A property, represented by a formula in temporal and modal logics [6, 30, 41, 43], corresponds to a set of states that can be algorithmically obtained by fixpoint analysis of the formula on the finite state model [44]. The set of states reachable from a designated set of initial states can also be obtained via a fixpoint analysis, commonly known as the reachability analysis. The validity of the formula is then established by the inclusion of the reachable states of the design in the set corresponding to the formula. Model checking is essentially an exhaustive state space search that is guaranteed to terminate since the state space is finite.
Language containment is similar in spirit to model checking. In language containment based verification, the property is represented by a deterministic finite state automaton, and the design by a nondeterministic finite state automaton. Verification is cast in terms of whether the formal language of the former automaton contains that of the latter.
Unlike theorem proving, both model checking and language containment are fully automatic. However, the two share a major disadvantage — the state explosion problem. In the worst case, exhaustive state exploration requires memory usage that is exponential in the number of storage elements in the design.
1.3 Symbolic Methods in Formal Verification
As we have seen, the applicability of formal verification is hindered by the problems of usability and state explosion. Recently, the advent of symbolic methods, particularly the Binary Decision Diagram (BDD) [21], has greatly alleviated these problems. A BDD is a data structure that can be used to store and manipulate Boolean functions implicitly. In the late 1980s and early 1990s, several researchers independently realized that BDDs can be used to extend the scope of formal verification [18, 32, 82, 91]. A BDD-based model checker executes the model checking algorithm symbolically, by representing sets of states as characteristic functions. This avoids the explicit enumeration of the potentially exponential state space. An initial effort in applying BDDs to model checking achieved the verification of designs with up to 10^120 states [25]. As a comparison, a model checker using explicit state enumeration [62] usually handles state graphs with a capacity on the order of 10^5 states. Symbolic simulation, a scaled-down form of model checking that handles a limited set of temporal properties, has been shown to be effective in memory verification [23, 54] and in validity checking of microprocessors' instruction set architectures [64, 108]. Theorem proving can also use symbolic evaluation as a decision procedure so that lower level proof goals can be checked automatically [1, 94]. A symbolic language containment prover has also shown improvement over its nonsymbolic counterpart [107].
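As an added illustration of the fixpoint reachability analysis and inclusion check of Section 1.2 and the BDD representation of state sets as characteristic functions of Section 1.3, the Python below (written for this page; it is not the dissertation's or SymGen's code) implements a minimal ROBDD and runs a symbolic reachability analysis and invariant check on a constructed 2-bit design. The BDD class, the design, its variable names and the two invariants are all this example's own assumptions.

```python
class BDD:
    """Minimal ROBDD: terminals are the ints 0 and 1, internal nodes are unique
    (var, low, high) tuples, so two equal nodes always denote the same function."""

    def __init__(self, order):
        self.rank = {v: i for i, v in enumerate(order)}  # fixed variable ordering
        self.unique, self.memo = {}, {}                   # unique table, ite cache

    def mk(self, var, low, high):
        if low == high:    # reduction rule: a test whose branches agree is dropped
            return low
        return self.unique.setdefault((var, low, high), (var, low, high))

    def var(self, v):
        return self.mk(v, 0, 1)

    def cof(self, f, v):
        """Cofactors (f|v=0, f|v=1), for v the top-ranked variable of the call."""
        return (f, f) if f in (0, 1) or f[0] != v else (f[1], f[2])

    def ite(self, f, g, h):
        """if-then-else; every Boolean connective below is an instance of it."""
        if f in (0, 1):
            return g if f == 1 else h
        if g == h or (g, h) == (1, 0):
            return g if g == h else f
        key = (f, g, h)
        if key not in self.memo:
            v = min((n[0] for n in key if n not in (0, 1)), key=self.rank.get)
            (f0, f1), (g0, g1), (h0, h1) = (self.cof(n, v) for n in key)
            self.memo[key] = self.mk(v, self.ite(f0, g0, h0), self.ite(f1, g1, h1))
        return self.memo[key]

    def And(self, f, g): return self.ite(f, g, 0)
    def Or(self, f, g): return self.ite(f, 1, g)
    def Not(self, f): return self.ite(f, 0, 1)
    def Iff(self, f, g): return self.ite(f, g, self.Not(g))

    def exists(self, f, qvars):
        """Existentially quantify the variables in qvars."""
        if f in (0, 1):
            return f
        v, low, high = f
        low, high = self.exists(low, qvars), self.exists(high, qvars)
        return self.Or(low, high) if v in qvars else self.mk(v, low, high)

    def rename(self, f, mapping):
        """Substitute variables (here: next-state variables back to present-state)."""
        if f in (0, 1):
            return f
        v, low, high = f
        return self.ite(self.var(mapping.get(v, v)),
                        self.rename(high, mapping), self.rename(low, mapping))

    def evaluate(self, f, env):
        while f not in (0, 1):   # follow the path selected by the assignment env
            f = f[2] if env[f[0]] else f[1]
        return f


# Constructed 2-bit design (not from the dissertation): register (s1 s0) steps
# 0 -> 1 -> 2 -> 0 when input i is 1 and holds otherwise; state 3 should be unreachable.
ORDER = ["i", "s0", "n0", "s1", "n1"]   # present/next-state variables interleaved

def build_model():
    """Return (bdd, transition relation T(s, i, n), initial-state set {0})."""
    b = BDD(ORDER)
    i, s0, s1, n0, n1 = (b.var(v) for v in ("i", "s0", "s1", "n0", "n1"))
    in_state0 = b.And(b.Not(s1), b.Not(s0))
    in_state1 = b.And(b.Not(s1), s0)
    next0 = b.ite(i, in_state0, s0)   # s0' is 1 only when stepping out of state 0
    next1 = b.ite(i, in_state1, s1)   # s1' is 1 only when stepping out of state 1
    return b, b.And(b.Iff(n0, next0), b.Iff(n1, next1)), in_state0

def reachable(b, trans, init):
    """Reachability analysis as the least fixpoint of R = init OR Img(R)."""
    reached = init
    while True:
        # Img(R)(n) = exists s, i . R(s) AND T(s, i, n); then rename n back to s
        img = b.exists(b.And(reached, trans), {"i", "s0", "s1"})
        img = b.rename(img, {"n0": "s0", "n1": "s1"})
        new = b.Or(reached, img)
        if new == reached:    # canonicity turns the fixpoint test into a node comparison
            return reached
        reached = new

def analyze():
    """Reachable state numbers (decoded explicitly, for display only) and the
    verdicts for two invariants: 'never state 3' holds, 'never state 2' fails."""
    b, trans, init = build_model()
    r = reachable(b, trans, init)
    states = sorted(2 * s1 + s0 for s1 in (0, 1) for s0 in (0, 1)
                    if b.evaluate(r, {"s0": s0, "s1": s1}) == 1)
    s0, s1 = b.var("s0"), b.var("s1")
    never3 = b.Not(b.And(s1, s0))
    never2 = b.Not(b.And(s1, b.Not(s0)))
    # invariant check: no reachable state may lie outside the invariant's set
    return states, b.And(r, b.Not(never3)) == 0, b.And(r, b.Not(never2)) == 0
```

The failed second invariant is the "falsification" outcome of Section 1.4: a nonempty conjunction of the reachable set with the negated invariant is exactly the set of reachable violating states.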
Despite this improvement in usability and capacity, formal verification remains inadequate in the presence of practical designs. For example, symbolic model checking is usually expected to handle designs with up to a few hundred storage elements; on more complex designs, the graph representation of states can grow extremely large, resulting in space-outs or severe performance degradation due to paging. As of today, formal verification is still limited to protocols, simple algorithms, and sub-blocks of designs.
1.4 Scope and Overview of the Dissertation
This dissertation addresses the major issues in simulation verification by applying formal and symbolic methods. On the one hand, simulation scales well for large designs but suffers from low coverage and the vector generation problem, due to its enumerative nature; on the other hand, formal verification is inherently complete but expensive, while symbolic methods help improve the capacity but not enough for practical designs. This contrast leads to our approach of combining the advantages of formal and symbolic methods and applying them towards the improvement of simulation.
In the first part of the dissertation, we attack the coverage problem by enhancing the bug-finding ability of symbolic reachability analysis. Since neither simulation nor formal methods can verify a large design completely, that is, certify the absence of design bugs, we may instead evaluate a verification tool by its ability to catch bugs. This concept is also known as "falsification", in contrast to verification. We propose two such approaches: saturated simulation, based on reachability analysis from model checking, and retrograde analysis, based on a strategy employed in two-player games. Both are applied to checking invariant properties.
Our synergistic approach culminates, as covered in the second part of this dissertation, in symbolically modeling design interfaces, thus automating the simulation vector generation process. This problem is systematically studied, beginning with the construction of efficient algorithms that generate vectors according to environment constraints and input biases. We then discuss related issues including constraint debugging and simplification of constraint solving. This constrained vector generation method is implemented in a tool called SymGen, developed at Motorola, which has been used in the verification of numerous commercial designs. For completeness, we also present an alternative vector generation method based on constraint synthesis, which finds applications in model checking and hardware-accelerated simulation.
For reference, the applications on improving invariant checking are published in [7, 116], and the others in [112, 115, 117–120]. The rest of this section outlines each of these applications and their contributions.
1.4.1 Saturated Simulation
Many hardware designs can be partitioned into datapath and control portions. Saturated simulation exploits this distinction in a partial reachability analysis that focuses on the control behavior of the design. The designer designates as control variables a subset of the storage elements, for example, the program counter and status bits in a microprocessor. At each step of the analysis, symbolic abstraction techniques are used in the traversal of the full set of control states, as well as all the control transitions, from the current set. Heuristically, the control portion of the design, while being much smaller than the datapath, is the main source of design errors. Roughly speaking, saturated simulation attempts to explore as much of the control behavior as possible, thus increasing the likelihood of finding bugs.
The efficiency of this approach comes from the observation that it is feasible to compute the symbolic image of a single state even for very large designs, coupled with the fact that the set of control states is typically much smaller than the entire state space. Additionally, fast BDD routines exist for generating and manipulating representative elements of equivalence classes [75].
1.4.2 Retrograde Analysis
Retrograde analysis is a technique used to create endgame databases for several two-player games. The main idea is to pre-compute a set of positions that eventually lead to a winning position. The set can then be used as the target of a winning strategy search, with two advantages: (1) the target is enlarged, and (2) the search distance is shortened. Following this line of thinking, we enhance retrograde analysis by enlarging the set of initial states, and heuristically select the starting states so that the overall search distance is further reduced. This idea is applied to checking invariant properties.
1.4.3 Constrained Simulation Vector Generation
In saturated simulation and retrograde analysis, symbolic methods are applied to the execution of simulations. Here we discuss their application to another aspect of simulation — vector generation.
Vector generation is tedious and time-consuming. In the meantime, simulation with a large number of vectors is the only way to obtain a high degree of verification confidence. In dealing with this dilemma, we use BDDs to symbolically generate simulation vectors. The first requirement for any vector generation tool is to define, and generate within, the legal input space, which often is a function of the current state of the design. In addition, a robust tool should also provide the ability to influence the distribution of the generated vectors, thus directing the simulation towards the "corner" cases, or other test scenarios deemed interesting. We strive to meet these important requirements, in a unified fashion, using Boolean constraints and input biases in an efficient algorithm. The algorithm is immune to the backtracking problem that is typical of many vector generation tools, and is independent of variable ordering, despite the use of BDDs.
The constraints used in vector generation also provide a formal description of the design interface. They can be treated as the assumption for the environment in a formal verification of the design, or the proof obligation in the verification of the parent module of the design. Thus, constrained simulation generation fits seamlessly in an assume/guarantee style of hierarchical verification framework [66, 92].
1.4.4 Constraint Diagnosis
Any constraint-based programming will have to deal with the diagnosis of conflicting constraints, which has been well studied in many research disciplines, for example, in artificial intelligence [36]. Our focus in constraint diagnosis is on a problem unique to the simulation vector generation method, that is, constraint conflicts conditioned upon the state of the design. We present methods of identifying and eliminating these conflicts.
1.4.5 Simplification of Constraint Solving
The complexity of constraints can grow arbitrarily due to their combinatorial nature. Therefore, even implicit representations, in our case BDDs, will have to face the efficiency problem. An immediate step toward dealing with the problem is the disjoint-support partitioning of the constraints [119]. This partition can be further refined due to the fact that the variables in hardware constraints are not homogeneous: all state variables are bounded by the design, while some of them may fully specify some input variables, which can be exploited in simplifying the constraints. To this end, we present efficient methods of extracting and utilizing a special kind of constraint, called the hold-constraints. The extraction not only simplifies the involved constraints, but also decomposes partitions, which is otherwise impossible.
1.4.6 Constraint Synthesis
It is often of interest to implement constraint-based vector generation in hardware, especially when the verification environment allows no proprietary constraint solving capability, for example, in hardware accelerated simulation, or emulation. We present a synthesis algorithm which computes a set of Boolean functions whose range is exactly the input space defined by a constraint. Although resembling an equation solving technique called Boolean Unification, our method takes into consideration the heterogeneous nature, again, of the variables in hardware design constraints. This leads to a fundamental observation that the synthesis of such constraints enjoys an optimization space represented by states for which there are no satisfying inputs.
1.5 Chapter Structures
The dissertation proper begins, in Chapter 2, with definitions of terminology and preliminaries that will be used throughout this document. Each of the ensuing chapters covers one of the applications outlined in the preceding section. For better encapsulation, introductory information including preliminaries and related work local to a specific application is explained in the corresponding chapter. The final chapter summarizes the dissertation and gives directions for future work. The ap-





In this chapter, we define various notations and terminologies. We first give a quick review of Boolean algebra and functions, adopted from [83], and show how digital hardware designs are modeled in them. Then we describe how reachability analysis, the basis for many formal verification methods, is done in the Boolean representation of designs. We also touch upon the topic of model checking, the formal verification method that is most relevant to our work on invariant checking. Finally, we give a detailed exposition of the symbolic data structure Binary Decision Diagrams, which is used throughout this dissertation.
2.1 Boolean Algebra and Notations
A Boolean algebra is defined by the set $B = \{0, 1\}$ and two Boolean operations, denoted by $+$, the disjunction, and $\cdot$, the conjunction, which satisfy the commutative and distributive laws, and whose identity elements are 0 and 1, respectively. In addition, any element $a \in B$ has a complement, denoted by $\bar a$, such that $a + \bar a = 1$ and $a \cdot \bar a = 0$.
A Boolean variable is one whose range is the set $B$. A literal is an instance of a Boolean variable or of its complement. The multi-dimensional space spanned by $n$ Boolean variables is the $n$-ary Cartesian product $B \times \cdots \times B$, denoted by $B^n$. A point in this Boolean space is represented by a vector of dimension $n$. When Boolean variables are associated with the dimensions, a point can be identified by the values of the corresponding variables, i.e., by a minterm, the product of $n$ literals. Often, products of literals are called cubes since they can be graphically represented as hypercubes in the Boolean space.
A Boolean formula is a composition of Boolean variables, the constants 0 and 1, and Boolean operations, that obeys the following rules:
• 0, 1, and Boolean variables are Boolean formulas
• if $f$ is a Boolean formula then so is $\bar f$
• if $f$ and $g$ are Boolean formulas then so are $f + g$ and $f \cdot g$
Many other Boolean operations can be introduced to abbreviate formulas generated above; for example, $f \oplus g$, where $\oplus$ denotes the exclusive-OR, is a shorthand for $f \cdot \bar g + \bar f \cdot g$.
Since all Boolean formulas evaluate to either 0 or 1, they define mappings from $B^n$ to $B$, where $n$ is the number of variables in the formula. Such mappings are called Boolean functions. In this dissertation, we shall use the terms Boolean formula and Boolean function, or simply function, interchangeably, as deemed appropriate by the context.
Given a function $f: B^n \mapsto B$, the set of minterms $\{\alpha \in B^n \mid f(\alpha) = 1\}$ is called the onset of $f$, denoted by $f^{on}$, and the set $\{\alpha \in B^n \mid f(\alpha) = 0\}$ is called the offset of $f$, denoted by $f^{off}$. Conventionally, a function $f$, when treated as a set, represents $f^{on}$. For this reason, $f$ is called the characteristic function of the set $f^{on}$. Conversely, a set $S$, when treated as a function, represents the characteristic function of $S$.
The cofactor of $f(x_1, \ldots, x_i, \ldots, x_n)$ with respect to $x_i$ is $f(x_1, \ldots, 1, \ldots, x_n)$, denoted by $f|_{x_i=1}$ or simply $f_{x_i}$; similarly, the cofactor of $f(x_1, \ldots, x_i, \ldots, x_n)$ with respect to $\bar x_i$ is $f(x_1, \ldots, 0, \ldots, x_n)$, denoted by $f|_{x_i=0}$ or simply $f_{\bar x_i}$. The notation $f_c$, where $c$ is a cube, represents the successive application of cofactoring of $f$ with respect to the literals in $c$.
The existential quantification of $f$ with respect to a variable $x$ is $f_x + f_{\bar x}$, denoted by $\exists_x f$; the universal quantification of $f$ with respect to $x$ is $f_x \cdot f_{\bar x}$, denoted by $\forall_x f$; the Boolean differential of $f$ with respect to $x$ is $f_x \cdot \bar f_{\bar x} + \bar f_x \cdot f_{\bar x}$, abbreviated as $f_x \oplus f_{\bar x}$ or simply $\partial f / \partial x$.
2.2 Hardware Modeling
Digital hardware circuits operate on the binary values 0 and 1, and can be reasoned about analytically through mathematical models based on Boolean algebra. The modeling can be done at the structural level using netlists, or at the behavioral level using state transition graphs; Singhal [103] gives a detailed exposition of hardware modeling.
A netlist consists of an interconnected set of primary inputs, outputs, gates, and latches. Each gate performs a Boolean operation on the signal values of its inputs, and produces the result at its output. A special primary input, called a clock, governs the latches in a manner such that a latch either maintains the value of its output, or updates the value to that of its input if a designated clock event occurs, e.g., the clock changes from 0 to 1. Consequently, a latch is often referred to as a storage or state holding element, and identified by a state variable representing its output.
Let $X = \{x_1, \ldots, x_n\}$ be the set of variables representing the primary inputs, and $Y = \{y_1, \ldots, y_m\}$ the set of state variables, where $y_i$ is for the $i$-th latch.




where $c_i$ is the valuation of $y_i$, and $y_i == 1$ and $y_i == 0$ correspond to the literals $y_i$ and $\bar y_i$, respectively.
The valuation of $y_i$ is determined by the transition function $F_i(X, Y)$, which is the composition of gate operations transitively affecting the input of the $i$-th latch. Define $Y' = \{y'_1, \ldots, y'_m\}$ to be the set of next state variables, where $y'_i$ represents the input of the $i$-th latch. The transition relation of $y'_i$ is defined as
$$T_i(y'_i, X, Y) = (y'_i == F_i(X, Y)).$$
For designs where all latches are synchronized by the same clock and thus transition at the same time, a global transition relation can be defined as
$$T(Y', X, Y) = \prod_{i=1}^{m} T_i(y'_i, X, Y).$$






Figure 2.1: Example: Netlist
the composition of gate operations that drive the outputs.
The transition relation and output function can be visualized in the state transition graph (STG), which provides a behavioral description of the design. An STG is an edge-labeled directed graph $G = \{V, E, L\}$, where the vertices $V$ correspond to the states, the edges $E$ correspond to the state transitions, and the labels $L$ represent the input-output pairs. More precisely, we have
$$V = B^{|Y|} = B^m$$
$$E = \{(s, t) \mid \exists x.\,(t, x, s) \in T\}$$
$$L = \{(s, t, x, u) \mid (t, x, s) \in T,\; u = U(x, s)\}$$
That is, if an edge $s \xrightarrow{(x,u)} t$ exists in the graph, then applying the input $x$ at the state $s$ results in an output of $u$, and a transition to the state $t$.
As an example, consider a design whose netlist is given in Figure 2.1. The design has two latches $L_1$ and $L_2$, an OR gate $G_1$ and a NOR gate $G_2$. The transition functions are $y'_1 = x + y_1 + y_2$ and $y'_2 =$












“0/1” means the input is 1, the output is 0; “-” means “0 or 1”.
Figure 2.2: Example: Transition relation and state transition diagram
The corresponding transition relation and STG are shown in Figure 2.2.
2.3 Reachability Analysis
A common functional verification problem, known as invariant checking, is to decide whether some designated “bad” states are reachable from a set of initial states of the design. This kind of problem can often be solved by reachability analysis, a method for state space exploration that is the basis of model checking.
Given the STG of a hardware design, a state $t$ is said to be reachable from $s$ if there is a sequence of transitions that starts from $s$ and ends at $t$. The set of states reachable from $s$ can be obtained by traversing the STG either depth-first (DF) or breadth-first (BF). In comparison, a DF traversal explores one successor state per step, thus requiring less memory, but longer run time in general, than a BF traversal, which explores all the successor states at each step. A natural compromise is to always start with a BF traversal if the computation resources allow, and otherwise to explore as many states as possible per step. We therefore give more details only on the BF-based analysis.
In the previous section, we showed that one can build the STG of a design from its transition relation. The construction is actually a one step BF state traversal, starting from all the states. Similarly, reachability analysis on an STG can be implicitly done using the transition relation, as in the following.
Let $T(Y', X, Y)$ be the transition relation, where $X$, $Y$ and $Y'$ are the input, state and next state variables, respectively. The set of states reachable in one step from the states in $R$ is the image of $R$ under $T$, or formally
$$Img(R(Y)) = \exists_{X,Y}[R(Y) \cdot T(Y', X, Y)]. \quad (2.1)$$
The series $R_0, R_1, \ldots$ where $R_{i+1} = Img(R_i) \vee R_i$ increases monotonically. Since the state space is finite, the series has a least fixed point (lfp) $R_K$ where $K$ is finite and for all $i \ge K$, $R_{i+1} = R_i$. Using the lfp operator ($\mu$) from Mu-Calculus [42, 90], the computation of $R_K$ can be characterized as
$$\mu Z.\,[Img(R_i) \vee Z]. \quad (2.2)$$
Figure 2.3 gives the corresponding algorithm with the optimization that $Img$ is performed only on states that are “new” in $R_i$.
For a simple illustration of the algorithm, in the STG shown in Figure 2.2(b), the reachable states of the state 11 are computed in the series $\{\{11\}, \{11, 01\}, \{11, 01, 00\}, \{11, 01, 00, 10\}\}$.

    R_new = R' ∧ ¬R;
    R = R ∨ R_new;
  } while (R_new ≠ ∅);
  return R;
}
Figure 2.3: Reachability Analysis
analysis, which computes the set of states that reach, instead of being reachable from, the bad states. The recursion is based on the following pre-image operator
$$PreImg(R(Y')) = \exists_{X,Y'}[R(Y') \cdot T(Y', X, Y)], \quad (2.3)$$
which also leads to a lfp computation
$$\mu Z.\,[PreImg(R_i) \vee Z]. \quad (2.4)$$
The algorithm implementing the above would be identical to that of the (forward)




Model checking (MC) is the problem of deciding whether a design satisfies, or models, a property expressed in some temporal logic [30, 43]. In this section, we give an overview of MC based on the Computational Tree Logic (CTL). Most of the definitions are taken from Emerson [41]. For other types of MC, for example, the ones using CTL* or Linear Time Logic (LTL), we also refer the reader to [41].
Let $P$ be the set of atomic propositions, which correspond to the state variables in hardware designs. Let $M$ be the structure $(S, s_0, R, L)$ representing the design, where $S$ corresponds to the set of states, $s_0$ the initial state, $R$ the state transition relation, and $L$ the mapping from $S$ to $2^P$. Then the CTL-based MC is the problem of checking the validity of
$$M, s_0 \models p \quad (2.5)$$
where $p$ is a CTL formula. Intuitively, the problem is to decide if $p$ holds in the “computation tree” (the unfolding of $R$) of $M$ rooted at $s_0$. CTL formulas can be thought of as being built up from Boolean combinations and nestings of atomic propositions, and temporal operators that include:
1. the path quantifiers $A$ (“for all paths”) and $E$ (“for some path”), and
2. the state quantifiers $G$ (“always”), $F$ (“sometimes”), $X$ (“nexttime”), and $U$ (“until”).
The syntax of CTL is given by two sets of rules, below, that inductively define the state (rules S1-3) and path (rule P1) formulas.
S1 Each atomic proposition in $P$ is a state formula
S2 If $p$ and $q$ are state formulas then so are $p \wedge q$ and $\neg p$
S3 If $p$ is a path formula then $Ep$ is a state formula
P1 If $p$ and $q$ are state formulas then $Xp$, $Gp$, and $p\,U\,q$ are path formulas
The set of state formulas generated from the above rules forms the language of CTL. Note that in this context we use the logic connectives $\wedge$ (conjunction) and $\neg$ (negation); other connectives can be derived in the usual way. Also, the formulas are in the forms of only $EX$, $EG$, and $EU$, since all other forms are abbreviations thereof: $EFp$ stands for $E(true\,U\,p)$, $AXp$ for $\neg EX\neg p$, $AFp$ for $\neg EG\neg p$, $AGp$ for $\neg EF\neg p$, and $A(p\,U\,q)$ for $\neg E[\neg q\,U\,(\neg p \wedge \neg q)] \wedge (\neg EG\neg q)$.
Let $x = (s_0, s_1, \ldots)$ denote a path, i.e., a sequence of states in the computation tree, and $x^i$ denote the suffix $(s_i, s_{i+1}, \ldots)$. The semantics of $\models$, or the validity of Formula 2.5, is established inductively as follows:
S1 $M, s_0 \models a$, $a \in P$ iff $a \in L(s_0)$
S2 $M, s_0 \models p \wedge q$ iff $M, s_0 \models p$ and $M, s_0 \models q$
   $M, s_0 \models \neg p$ iff it is not the case that $M, s_0 \models p$
S3 $M, s_0 \models Ep$ iff $\exists x.\; M, x \models p$
P1 $M, x \models p$ iff $M, s_0 \models p$, for a state formula $p$
P2 $M, x \models p \wedge q$ iff $M, x \models p$ and $M, x \models q$
   $M, x \models \neg p$ iff it is not the case that $M, x \models p$
P3 $M, x \models p\,U\,q$ iff $\exists i\,[M, x^i \models q$ and $\forall j\,(j < i \to M, x^j \models p)]$
   $M, x \models Gp$ iff $\forall i\,[M, x^i \models p]$
   $M, x \models Xp$ iff $M, x^1 \models p$
For illustration, we give two simple examples of CTL formulas and their meanings:
• $AFp$: $p$ will be true eventually;
• $E(p\,U\,q)$: there is a path on which $p$ holds until $q$ is true.
We now describe the MC algorithms. First, we observe that MC can be converted to a membership test:
$$M, s_0 \models p \text{ iff } s_0 \in Sat(p)$$
where $Sat(p)$ is the set of states that satisfy the CTL formula $p$. The remaining task is then to compute this set. Obviously, for $p \in P$, $Sat(p)$ is the set of states predicated by $p$, that is, $L^{-1}(p)$; for other CTL formulas, we consider only $EXp$, $EGp$, and $E(p\,U\,q)$, for the reason given previously. By observing the semantic rules, we have
$$Sat(EXp) = PreImg(Sat(p))$$
$$Sat(E(p\,U\,q)) = \mu Z.\,[Sat(q) \vee (Sat(p) \wedge EX(Z))]$$
$$Sat(EGp) = \nu Z.\,[p \wedge EX(Z)]$$
where $\mu Z.[f]$ and $\nu Z.[f]$ are notations in Mu-Calculus for the least and greatest fixpoints, respectively, of function $f$, and $PreImg(f)$, as we recall, computes the set of states which can reach in one step some state in $f$. As an example, the implementation of the $Sat(E(p\,U\,q))$ computation is given in Figure 2.4. Computing $Sat(EGp)$ is similar, and actually simpler.
We would like to stress, if it is not obvious enough, that the invariant checking problem discussed in Section 2.3 is an instance of MC. Specifically, checking the invariant $q$ can be formulated as model checking the CTL formula $AG(q)$, thus, $\neg E(true\,U\,\neg q)$. In computing $E(true\,U\,\neg q)$, the MC algorithm in Figure 2.4, letting $p = true$, matches the backward reachability analysis for $\neg q$ (Figure 2.3, replacing $Img$ by $PreImg$). Further, as we observe, the complement of the set of states that can reach $\neg q$ is equal to the set that can reach $q$. Therefore, MC of $AG(q)$ and invariant checking of $q$ are identical problems.
As a side-note, the above equivalence will be more evident if MC is implemented with the $Img$ operator, as it can be, instead of with $PreImg$. The performance tradeoff between these two approaches has been an interesting topic in MC [63].
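The forward fixpoint of Figure 2.3, the $Sat(E(p\,U\,q))$ loop of Figure 2.4, the greatest fixpoint for $EG$, and the equivalence of $AG(q)$ with invariant checking, worked out over explicit state sets as an added example (not the dissertation's code). The 2-bit design, its transition functions, the set names and the triple encoding of $T$ are constructed here.

```python
"""Explicit-set versions of the Img/PreImg fixpoints of Sections 2.3 and 2.4.
Added example, not the dissertation's code. The transition relation is a set of
(t, x, s) triples, following the T(Y', X, Y) argument order of the text."""
from itertools import product

STATES = {(a, b) for a in (0, 1) for b in (0, 1)}   # state = (y1, y2)


def transition_relation():
    """Constructed design: input x, y1' = x + y2, y2' = y1 * !x."""
    T = set()
    for y1, y2, x in product((0, 1), repeat=3):
        t = (x | y2, y1 & (1 - x))
        T.add((t, x, (y1, y2)))
    return T


def img(R, T):
    """Eq. 2.1: states reachable from R in one step."""
    return {t for (t, x, s) in T if s in R}


def preimg(R, T):
    """Eq. 2.3: states that reach some state of R in one step."""
    return {s for (t, x, s) in T if t in R}


def reach(R0, T):
    """Figure 2.3: least fixpoint of R_{i+1} = Img(R_i) v R_i, with Img applied
    only to the states that are new in each iteration."""
    R, new = set(R0), set(R0)
    while new:
        new = img(new, T) - R
        R |= new
    return R


def sat_EU(p, q, T):
    """Figure 2.4: Sat(E(p U q)) = mu Z.[Sat(q) v (Sat(p) ^ EX(Z))]."""
    Z = set(q)
    while True:
        new = (p & preimg(Z, T)) - Z
        if not new:
            return Z
        Z |= new


def sat_EG(p, T):
    """Sat(EG p) = nu Z.[p ^ EX(Z)]: a greatest fixpoint, so start from p and shrink."""
    Z = set(p)
    while True:
        Z_next = p & preimg(Z, T)
        if Z_next == Z:
            return Z
        Z = Z_next


def invariant_holds(init, good, T):
    """AG(good) decided two ways: forward reachability (Section 2.3) and model
    checking of !E(true U !good) (Section 2.4). Both must agree."""
    forward = reach(init, T) <= good
    backward = not (init & sat_EU(STATES, STATES - good, T))
    assert forward == backward
    return forward
```

From the initial state (0, 0) the state (1, 1) is unreachable, so the invariant "not both bits set" holds; started from (1, 1) it fails, and both checks report the same verdict.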
2.5 Reduced Ordered Binary Decision Diagrams
The Binary Decision Diagram (BDD) was first introduced by Lee [74] in
1959 and Akers [4] in 1978 as a compact representation for Boolean functions. In
the mid-1980s, Bryant [21] proposed Reduced Ordered Binary Decision Diagrams
(ROBDD) by imposing restrictions on BDDs such that the resulting representation
is canonical. He also presented efficient ROBDD algorithms for Boolean opera-
tions. Since Bryant’s work, there has been a blossoming of related research, mainly
in the field of formal verification, but also in logic synthesis. In this chapter, we






    Y = p ∧ PreImg(Z);
    Z_new = Y ∧ ¬Z;
    Z = Z ∨ Z_new;
  } while (Z_new ≠ ∅);
  return Z;
}
Figure 2.4: Computing Sat(E(p U q))
2.5.1 BDD Representation of Boolean Functions
A BDD is a rooted, directed acyclic graph wherein each internal node has two sub-BDDs and the terminal nodes are ONE and ZERO, representing the Boolean values 1 and 0, respectively. A BDD identifies a Boolean function $f$ of variables $X$, for a given mapping $l$ from its nodes to $X$, as in the following.
1. Let $r$ be the root of the BDD
2. If $r$ is ONE, then $f = 1$
3. If $r$ is ZERO, then $f = 0$
4. If $r$ is an internal node, let $v = l(r)$ be the associated variable, and $g$ and $h$ be the functions identified by $r$'s right and left sub-BDDs, respectively; then $f = v \cdot g + \bar v \cdot h$
Because of the composition in Item 4 above, we sometimes use the adjectives then and else, in place of right and left, in distinguishing the two subgraphs of a BDD node.
An ROBDD is an ordered and reduced BDD, as defined in the following:
1. An ordered BDD is a BDD whose variables follow a total ordering such that $l(s) < l(t)$ if $t$ is a descendant of $s$.
2. An ROBDD is the maximally reduced version of an ordered BDD obtained by repeatedly applying to the latter the following rules until none is applicable.
(a) If two subgraphs are identical, remove one of them, and let the dangling edge point to the remaining subgraph
(b) If a node points to the same subgraph with both edges, remove the node, and let the dangling edge point to the subgraph
Figure 2.5 illustrates the derivation of an ROBDD from the “complete” BDD of the function $a \cdot b + c$. The index $b_2$ means the node is the second node labeled with variable $b$.
ROBDD is the symbolic data structure used throughout this dissertation.









(a) Merge identical subgraphs c1, c2 and c3; (b) Remove redundant nodes b1 and c4; (c) The reduced graph.
Figure 2.5: Reducing BDD for function $a \cdot b + c$
2.5.2 BDD Manipulations
All Boolean operations on BDDs can be implemented using one procedure called Apply [21], which is based on the Shannon expansion
$$g \odot h = v \cdot (g_v \odot h_v) + \bar v \cdot (g_{\bar v} \odot h_{\bar v}) \quad (2.6)$$
where $\odot$ is a Boolean operation and $v$ a variable in the support of $g$ or $h$. Let $Compose(v, l, r)$ be the BDD that is a composition of variable $v$ and two BDDs $l$ and $r$, such that the root is labeled with $v$ and the left and right sub-BDDs are $l$ and $r$, respectively. Let $Reduce$ be the reduction procedure given in the previous section. Apply recursively constructs a BDD from two operand BDDs and a binary operator, based on the following recursion that is a direct translation of Equation 2.6.
$$Apply(g \odot h) = Reduce(Compose(v, Apply(g_{\bar v} \odot h_{\bar v}), Apply(g_v \odot h_v)))$$
As an optimization, Apply designates $v$ as the higher-ranked variable of the variables labeling the roots of $g$ and $h$. The terminal cases of the recursion depend upon the selection of $\odot$. For instance, Figure 2.6 gives the Apply function for the BDD conjunction operation. Note the complement of $f$ is computed as $Apply(f \oplus 1)$.

Apply(g · h) {
  if (g == 0 || h == 0) return ZERO;
  if (g == 1) return h;
  if (h == 1) return g;
  Let v be the higher-ranked variable of the variables labeling the roots of g and h;
  return Reduce(Compose(v, Apply(g_v̄ · h_v̄), Apply(g_v · h_v)));
}
Figure 2.6: The BDD Apply operation
2.5.3 The BDD Size Consideration
For a given function, the size of its BDD representation, that is, the number of nodes in the BDD, varies with the variable ordering. To demonstrate this dependency, we use an example taken from [21]. Assume we are to construct a BDD for the function


















Figure 2.7: Dependency of BDD size on variable ordering
With the ordering $a_1 < b_1 < a_2 < b_2 < a_3 < b_3$, i.e., variables appear in the order $a_1 b_1 a_2 b_2 a_3 b_3$ on any path from the root to a terminal node, the BDD representation of $f$ is shown in Figure 2.7(a). It has 8 nodes. In contrast, with $a_1 < a_2 < a_3 < b_1 < b_2 < b_3$, the BDD representation as shown in Figure 2.7(b) has 16 nodes. The first ordering is sometimes referred to as the interleaved ordering of the $a$ and $b$ variables. More generally, for the function $a_1 \cdot b_1 + \cdots + a_n \cdot b_n$, the interleaved ordering yields a BDD with $2(n + 1)$ nodes, whereas the second ordering yields a BDD with $2^{n+1}$ nodes. Evidently, a poor choice of variable ordering can have very undesirable effects.
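As an added example (not code from the dissertation or from [21]), a minimal ROBDD package that implements the Apply recursion of Section 2.5.2 on a unique table, then builds $a_1 \cdot b_1 + \cdots + a_n \cdot b_n$ under both orderings of Section 2.5.3 and counts nodes, terminals included, reproducing $2(n+1)$ versus $2^{n+1}$. Node ids, the OPS table and all helper names are this example's own.

```python
"""Minimal ROBDD with Bryant's Apply (Section 2.5.2): an added example, not the
dissertation's code. Node ids 0 and 1 are the ZERO and ONE terminals; all other
nodes live in a unique table, so the reduction rules of Section 2.5.1 hold by
construction and the graph is canonical for a fixed variable ordering."""
from itertools import product

# Terminal-case evaluation for the operators this example supports.
OPS = {"and": lambda a, b: a and b, "or": lambda a, b: a or b, "xor": lambda a, b: a != b}

class ROBDD:
    def __init__(self, order):
        self.names = list(order)                         # rank -> variable name
        self.rank = {v: i for i, v in enumerate(order)}  # name -> rank (0 = root)
        self.nodes = [None, None]                        # id -> (rank, else_child, then_child)
        self.unique = {}                                 # (rank, else, then) -> id
        self.cache = {}                                  # memo table for Apply

    def mk(self, r, lo, hi):
        """Create or find the node 'if var r then hi else lo', already reduced."""
        if lo == hi:                      # rule (b): both edges lead to one subgraph
            return lo
        key = (r, lo, hi)
        if key not in self.unique:        # rule (a): identical subgraphs are shared
            self.unique[key] = len(self.nodes)
            self.nodes.append(key)
        return self.unique[key]

    def var(self, name):
        return self.mk(self.rank[name], 0, 1)

    def _rank(self, u):
        # Terminals rank below every variable, so min() picks the higher-ranked root.
        return self.nodes[u][0] if u > 1 else len(self.names)

    def _cof(self, u, r, val):
        """Cofactor of u w.r.t. the variable of rank r (identity if u does not test it)."""
        if u > 1 and self.nodes[u][0] == r:
            return self.nodes[u][2 if val else 1]
        return u

    def apply(self, op, g, h):
        """Apply(g op h) via the Shannon expansion of Eq. 2.6 on the top variable;
        the complement is Apply(f xor 1), as the text notes."""
        key = (op, g, h)
        if key in self.cache:
            return self.cache[key]
        if g <= 1 and h <= 1:             # terminal case: evaluate the operator
            res = int(OPS[op](bool(g), bool(h)))
        else:
            r = min(self._rank(g), self._rank(h))
            res = self.mk(r, self.apply(op, self._cof(g, r, 0), self._cof(h, r, 0)),
                             self.apply(op, self._cof(g, r, 1), self._cof(h, r, 1)))
        self.cache[key] = res
        return res

    def size(self, u):
        """Nodes reachable from u, terminals included (the count used in Section 2.5.3)."""
        seen, stack = set(), [u]
        while stack:
            n = stack.pop()
            if n not in seen:
                seen.add(n)
                if n > 1:
                    stack.extend(self.nodes[n][1:])
        return len(seen)

    def eval(self, u, assignment):
        """Evaluate the function rooted at u under a {name: 0/1} assignment."""
        while u > 1:
            r, lo, hi = self.nodes[u]
            u = hi if assignment[self.names[r]] else lo
        return u

def order(n, interleaved):
    """a1 b1 a2 b2 ... (interleaved) or a1 ... an b1 ... bn (blocked)."""
    if interleaved:
        return [v for i in range(1, n + 1) for v in (f"a{i}", f"b{i}")]
    return [f"a{i}" for i in range(1, n + 1)] + [f"b{i}" for i in range(1, n + 1)]

def sum_of_products(ordering, n):
    """Build a1*b1 + ... + an*bn under the given ordering; returns (manager, root)."""
    m = ROBDD(ordering)
    f = 0
    for i in range(1, n + 1):
        f = m.apply("or", f, m.apply("and", m.var(f"a{i}"), m.var(f"b{i}")))
    return m, f

def bdd_size(n, interleaved):
    m, f = sum_of_products(order(n, interleaved), n)
    return m.size(f)

def orders_agree(n):
    """Both orderings must denote the same function on all 2^(2n) minterms."""
    m1, f1 = sum_of_products(order(n, True), n)
    m2, f2 = sum_of_products(order(n, False), n)
    for bits in product((0, 1), repeat=2 * n):
        asg = dict(zip(order(n, False), bits))
        want = int(any(asg[f"a{i}"] and asg[f"b{i}"] for i in range(1, n + 1)))
        if m1.eval(f1, asg) != want or m2.eval(f2, asg) != want:
            return False
    return True
```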
Thanks to pioneering works such as the static ([51]) and dynamic ([98]) variable orderings, a variety of techniques and heuristics [9, 17, 26, 39, 47, 49, 52, 88] have since been proposed and shown to be effective in finding good variable orderings for BDDs. In practice, good variable orderings exist for a large class of Boolean functions, and their BDDs are much more compact than traditional representations such as truth tables and conjunctive and disjunctive normal forms. For this reason, BDDs are widely used in design automation tools where a compact and canonical representation of functions is in order.
Before we conclude this section, we need to mention another common problem with BDD sizing: during a BDD operation, the intermediate BDDs can have a much larger size than the final BDD. This is especially noticeable when there are many BDD operands, for example, in the conjunction of a large group of BDDs. Techniques such as conjunctive partitioning [95] and early quantification [59] have been developed to handle this problem.
2.5.4 BDD-based Reachability Analysis and Model Checking
Reachability analysis, as discussed in Section 2.3, is the fixpoint computation of a series of monotonically increasing sets of states. The analysis, specifically the $Img$ and $PreImg$ operations, can be performed symbolically using BDDs, since






Many hardware designs can be partitioned into datapath and control portions: the datapath portion manipulates and transports data among major components of the design, while the control portion configures how the data is steered and handled. For most such designs, the number of latches (memory elements) in the control portion is usually a small fraction of the total number of latches in the design. As an example, consider the viper microprocessor as shown in Figure 3.1. The data is temporarily stored in the register file, waiting to be loaded into the ALU (Arithmetic and Logic Unit) for computation. The control logic takes an instruction, and accordingly sets up the ALU and loads data. The ALU later informs the control about the status of the computation; the latter then updates the program counter to conclude the operation. In this picture, the data-control partition follows naturally from the flow of data. This partition of viper designates 9 latches to the control logic out of a total of 219 latches. Hence, there are no more than 512 different possible values for the control state, while the full state space can contain as many as $2^{219}$ states.















Figure 3.1: Partitioning a design into Control and Datapath
is regarded as the main source of elusive logic bugs. To grasp the extent and complexity of control logic, consider a microprocessor: imagine that a controller, or a collection of controllers, will have to implement mechanisms such as pipelining, speculative branching, out-of-order execution, and bus arbitration. Because the control portion of a design is error-prone, and the verification of the datapath can be best handled by dedicated methods such as BMD (Binary Moment Diagrams) [22] for arithmetic logic and STE (Symbolic Trajectory Evaluation) [11, 24] for memory arrays [89], it is a reasonable and effective abstraction strategy to focus only on the control behavior in simulation-based functional verification.
“Saturated simulation” attempts to heuristically explore as much of the control portion of the design as possible, by performing a “partial” reachability analysis as follows. It explores, in the iterative computation of the reachable states, all the control states or transitions available in the next step, but just one representative data state from a class in which all the data states incur the same control state or transition. As a result, the exploration preserves all distinct control states or transitions at each step while maintaining a minimal data representation. The heuristic is inherently greedy and does not guarantee to cover the whole control space. Nevertheless, saturated simulation can go deeper in the control space than a full reachability analysis, thereby obtaining a higher coverage with regard to control behavior.
The efficiency of this approach comes from the observation it is feasible
even for very large designs to compute the image of a small (in the sense of cardi-
nality) set of states. In part, this follows from the fact that the construction of the
BDD for the next-state logic can be restricted to the current set of states. This sug-
gests that it may be possible to perform a “partial” reachability analysis, in which
all distinct control states are preserved at each step. Additionally, fast BDD rou-
tines exist for generating and manipulating representative elements of equivalence
classes [75].
Before we go on, we need to point out that we do not study, in this dissertation, the problem of how to separate the datapath from the control. This is a subject that has been studied by others [57, 61, 65]. In general, the separation of datapath and control is not always as clear as illustrated in the preceding example; user input is usually required. For example, in [57], the user needs to designate some design signals as the seed control signals to start the partitioning.
3.2 Previous Work
We were influenced by the dramatic improvements made to cycle simulation by the use of BDDs by Ashar and Malik [5], and McGeer et al. [80], who made clear the importance of making maximum use of the physical memory available on the machine. Ravi et al. [86, 96] attempt to pick subsets of state sets encountered during reachability analysis which have small BDDs but contain a large number of states. This is distinct from our approach, wherein a subset is chosen which attempts to maximize the number of distinct controller states. Cho et al. [29] pick nets to abstract into primary inputs, consequently obtaining supersets of the set of reachable states. The work of Ho et al. [58] and Hoskote et al. [60] on creating simulation vectors which excite a large number of transitions on the controller states of a design suggested the usefulness of using transitions rather than states to obtain good coverage of controller behavior. However, they used designer-supplied “translation functions”, or test-based techniques, to generate simulation input sequences which excited as much of the control as possible; our approach is rooted in symbolic methods.
3.3 Preliminaries
Let $X = \{x_1, \ldots, x_n\}$ be a set of Boolean variables, and $X'$ a subset of $X$. Two minterms $\alpha, \beta \in B^n$ of $X$ are said to be indiscernible [78] with respect to $X'$ if they agree on the valuation of the variables in $X'$. Such pairs of minterms form an indiscernibility relation, which we denote by $\Delta(X')$. Let $v: B^n \times X \mapsto B$ be the function that returns the value of a variable in a minterm in $B^n$; $\Delta(X')$ is defined as:
$$\Delta(X') = \{(\alpha, \beta) \in B^n \times B^n \mid \forall x_i \in X'.\; v(\alpha, x_i) = v(\beta, x_i)\}. \quad (3.1)$$
The indiscernibility relation is reflexive, symmetric and transitive, thus is an equivalence relation; for any subset $f$ of $B^n$, $\Delta(X')$ defines a disjoint partition of $f$ into equivalence classes of minterms, $P(X', f)$, which has as many classes as $f$ has distinct valuations for $X'$.
An abstraction of $P(X', f)$ can be obtained by keeping exactly one representative from each equivalence class. Given a BDD representation of $f$, this can be done efficiently via the use of the so called cproject operator, introduced by Lin et al. in [75]. The cproject operator takes the BDD for $f$ and a subset $X'$ of the variables in $f$, and returns a BDD for a function $\hat f$, which is an abstraction of $P(X', f)$ because of the following properties.
1. for any minterm $\alpha$ such that $f(\alpha) = 1$, there is exactly one minterm $\beta$ such that $\hat f(\beta) = 1$ and $(\alpha, \beta) \in \Delta(X')$, and furthermore
2. for all $\beta$, $\hat f(\beta) = 1 \Rightarrow f(\beta) = 1$.
A BDD implementation of the cproject operator is given in Figure 3.2.
3.4 Control State Saturated Simulation
/* A --- BDD for set over variables V. */
/* V' ⊆ V --- variables being cprojected. */
BDD_t function BDD_cproject(A, V') {
  v = topVar(A);
  if (v ∉ V') {
    return v · BDD_cproject(A_v, V') + v̄ · BDD_cproject(A_v̄, V');
  }
  T = ∃(V' − v) A_v;
  if (BDD_Equal(T, BDD_ONE)) {
    return v · BDD_cproject(A_v, V');
  }
  else if (BDD_Equal(T, BDD_ZERO)) {
    return v̄ · BDD_cproject(A_v̄, V');
  }
  else {
    return v · BDD_cproject(A_v, V') + v̄ · ¬T · BDD_cproject(A_v̄, V');
  }
}

(a) Example 1: Minimum control saturated subset A' of A (first two bits are control); (b) Example 2: Control saturated reachability.
Figure 3.3: Minimal control saturated subsets and reachability

Let the variables associated with the control portion of the design be $X_c$ and the variables associated with the datapath be $X_d$. Thus the state of the design is given by an evaluation to, or a minterm of, $X_c \cup X_d$, and a control state is an evaluation to $X_c$.
Definition 3.1 Let $A$ be a set of states. A subset $A'$ of $A$ is control-saturated with respect to $A$ if
$$\forall \alpha\,[\,\alpha \in A \to \exists \beta\,[\,\beta \in A' \wedge (\alpha, \beta) \in \Delta(X_c)\,]\,]$$
Intuitively, $A'$ is a control-saturated subset of $A$ if every control state occurring in $A$ occurs in $A'$. Thus a control-saturated subset of $A$ preserves all the controller states present in $A$. An example of a control-saturated subset is given in Figure 3.3(a).
Since sets can be thought of in terms of characteristic functions, we will freely apply the cproject operator to sets to compute the control-saturated subset of $A$. Observe that this subset is minimal in the sense that it has exactly one representative state for each of the equivalence classes of control states.
/* A --- initialized to the initial states. */
/* G --- is the BDD for the invariant. */
BDD_t function Cntrl_Sat_Sim(A, Cntrl_Vars, G) {
  if (BDD_Intersects(A, G)) /* Invariant fails!! */
    assert FAIL;
  ImgA = BDD_Img(A);
  R = BDD_Or(A, ImgA);
  R = BDD_Cproject(R, Cntrl_Vars);
  if (BDD_Equal(R, A))
    return R;
  return Cntrl_Sat_Sim(R, Cntrl_Vars, G);
}
Figure 3.4: Control-saturated simulation
In Figure 3.4 we sketch a simple symbolic procedure for invariant verification.
Reachable states are iteratively computed using the Img operator; at each
step, a control-saturated subset of the current reached state set is computed using the
cproject operator. This in turn is used as the current reached state set. The
first few steps are illustrated in Figure 3.3. The procedure is incomplete, since it is
greedy: minimal control-saturated subsets of the sets computed by the cproject
operator will not necessarily be sufficient to cover all possible controller states.
One simple way of further enhancing the coverage achieved by control-saturated
simulation is to generate several “representative” control states. There
are simple modifications to the cproject operator which can achieve this effect.
Another approach is to apply cproject only to the frontier of the reached states
at each iteration.
3.5 BDD Minimization
We specifically point out two modifications to the cproject operator that
not only increase the coverage, but also result in a reduction of the BDD size. The
first one is the randomization of the biasing in cproject. The implementation of
the cproject operator in Figure 3.2 is “biased towards 1”, i.e., when presented
with a choice for a projection variable, it sets it to 1. This biasing can result in
dropping portions of the state space that may be significant (e.g., branch on zero).
We overcome this by computing the union of two subsets: one biased towards 0, and
one biased towards 1. While no longer minimal, the resulting set has cardinality no
more than twice that of the original set computed by cproject. More generally, we
can define a randomized cproject operator, wherein at each level of the recursion
the bias for each variable is selected at random. The results of this new operator can
be added to the 0/1 biased subsets to obtain a rich, yet sparse subset.
The second heuristic is the “supersetting” of intermediate results in cproject.
Consider the expression for the final case of the BDD_cproject function listed in
Figure 3.2:
v·BDD_cproject(A_v, V') + v̄·T̄·BDD_cproject(A_v̄, V')
Replacing T̄ by 1 results in a function which computes a superset of the result of
BDD_cproject. Intuitively, since the expression is simplified, we reason that the
BDD should also be simpler.
3.6 Control Edge Saturated Simulation
A fundamental extension to obtain enhanced coverage is to perform a partial
reachability analysis and at each step pick a subset of the image which preserves
all “controller transitions” to the image from the current set. Ho et al. [58] and
Abraham et al. [60] created simulation vectors which excite a large number of control
transitions in designs; the high quality of their results in terms of finding bugs
with these vectors underlines the usefulness of using transitions rather than states
to obtain good coverage.
As an example, consider a microprocessor where the control state is the
Figure 3.5: Example: a minimal control-edge saturated subset (first two bits are control; the repetitive transition (00 001)->(10 001) is eliminated).
program may both transition the same program line with different data values; in
this case, it is natural to keep the resulting states different.
We now describe how to explore edges in the control state space.
Definition 3.2 Let A be a set of states. A subset B of Img(A) is said to be control-edge
saturated with respect to A if
(∀σ, ∀σ') [ [ σ ∈ A ∧ σ' ∈ Img(σ) ] →
(∃τ, ∃τ') [ τ ∈ A ∧ τ' ∈ B ∧ τ' ∈ Img(τ) ∧ (σ, τ) ∈ ≡(X') ∧ (σ', τ') ∈ ≡(X') ] ]
In English, the above definition says that B is control-edge saturated when
for every transition σ → σ' from A to Img(A), there is a state τ' in B and a state τ
in A so that τ → τ' and the two transitions agree on the control variables.
Thus in some sense, a control-edge saturated subset of Img(A) preserves all
the distinct controller transitions originating at A and is as small as possible. Heuristically,
a minimal control-edge saturated subset of Img(A) is a good representative
set — it includes all the distinct controller configurations resulting in Img(A) from
transitions from A, and is as small as possible. An example of a minimal control-edge
saturated subset is given in Figure 3.5.
Minimal control-edge saturated sets can be computed by augmenting the design:
for every control latch x_C, add a new latch x_S which “shadows” x_C, that
is, the next state of x_S is the present state of x_C. Denote the set of shadow state
variables thus introduced by Xs. Clearly the next state of the latches indexed by
Xc ∪ Xd is independent of that of the shadow latches.
The following lemma demonstrates that minimal control-edge saturated sets
can be computed from the augmented design.
Lemma 3.1 Let Ā be A lifted from Xc ∪ Xd to Xc ∪ Xd ∪ Xs. Define B to be
the existential quantification of cproject(Img(Ā), Xc ∪ Xs) by Xs. Then B is
minimal control-edge saturated with respect to A.
Proof: Observing that cproject(·, ·) is always a subset of its first argument, it follows that
cproject(Img(Ā), Xc ∪ Xs) is a subset of Img(Ā). Since the next state of
nonshadow latches does not depend on the shadow latches, it follows that the existential
quantification of Img(Ā) by Xs is equal to Img(A), and so B is a subset of
Img(A).
We now show B is control-edge saturated with respect to A. Let (σ_C, σ_D)
and (σ'_C, σ'_D) satisfy the “if” portion of the implication in Definition 3.2. Then there
is a transition from (σ_C, σ_D) ∈ A to (σ'_C, σ'_D), i.e., (σ'_C, σ'_D) ∈ Img({(σ_C, σ_D)}).
From the construction of the augmented design, ((σ'_C, σ_C), σ'_D) is in Img(((σ_C, σ_S), σ_D))
for an arbitrary assignment σ_S to the shadow latches. Hence cproject(Img(Ā), Xc ∪
Xs) contains a state of the form ((σ'_C, σ_C), τ'_D). Note ((σ'_C, σ_C), τ'_D) lies in Img(Ā);
let it lie in the image of ((σ_C, σ'_S), τ_D). Hence, on existentially quantifying the Xs
variables from cproject(Img(Ā), Xc ∪ Xs), the resulting set (namely B) will
contain (σ'_C, τ'_D). Since (σ'_C, τ'_D) lies in the image of (σ_C, τ_D), τ_D and τ'_D are
existential witnesses for the “then” portion of the implication in Definition 3.2.
Minimality of B follows from the properties of cproject described in the
previous section.
A minimal control-edge saturated simulation algorithm can be obtained by
substituting B as in Lemma 3.1 for BDD_cproject in the control saturated simulation
algorithm shown in Figure 3.4.
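The following added example (not the dissertation's VIS/BDD code) replays control-state saturated simulation (Definition 3.1, Figure 3.4) and the shadow-latch construction of Lemma 3.1 (Definition 3.2) on explicit sets of bit tuples rather than BDDs. The 5-bit toy design, its two control bits and its transition rule are constructed for the illustration; the set version of cproject keeps the lexicographically largest element of each control class, which stands in for the "biased towards 1" choice of Figure 3.2, and bias=0 gives the other subset that Section 3.5 unions with it.

```python
"""Explicit-state model of control-state saturated simulation (Definition 3.1,
Figure 3.4) and of the minimal control-edge saturated subset of Lemma 3.1.
Added example: sets of bit tuples stand in for BDDs, and the toy design below
is constructed so that the selection rules can be checked by hand."""
from typing import Callable, Dict, Iterable, Set, Tuple

State = Tuple[int, ...]   # bits; the first N_CTRL are control (Xc), the rest data (Xd)
N_CTRL = 2                # constructed layout, as in Figures 3.3 and 3.5


def ctrl(s: State) -> State:
    return s[:N_CTRL]


def next_states(s: State) -> Set[State]:
    """Constructed toy design: a 2-bit control counter that advances only while
    the 3-bit data word is nonzero; the data word is incremented mod 8, or reset
    to 0 by a free input, giving two successors per state."""
    c = (s[0] << 1) | s[1]
    d = (s[2] << 2) | (s[3] << 1) | s[4]
    nc = (c + 1) % 4 if d != 0 else c
    succ = set()
    for nd in ((d + 1) % 8, 0):
        succ.add(((nc >> 1) & 1, nc & 1, (nd >> 2) & 1, (nd >> 1) & 1, nd & 1))
    return succ


def img(states: Iterable[State]) -> Set[State]:
    out: Set[State] = set()
    for s in states:
        out |= next_states(s)
    return out


def cproject(states, key: Callable, bias: int = 1):
    """Set analogue of cproject: keep exactly one element per equivalence class
    of `key`.  bias=1 keeps the largest element of each class (the role of the
    'biased towards 1' choice in Figure 3.2); bias=0 keeps the smallest."""
    reps: Dict = {}
    for s in states:
        k = key(s)
        if k not in reps or (s > reps[k] if bias else s < reps[k]):
            reps[k] = s
    return set(reps.values())


def is_control_saturated(sub: Set[State], whole: Set[State]) -> bool:
    """Definition 3.1: sub ⊆ whole and every control state of whole occurs in sub."""
    return sub <= whole and {ctrl(s) for s in whole} == {ctrl(s) for s in sub}


def control_saturated_sim(init: Set[State], bad: Set[State], max_steps: int = 64):
    """Figure 3.4 with explicit sets: R = cproject(A ∪ Img(A)) until a fixpoint,
    stopping early if the reached set meets `bad`.  Returns (reached, ok)."""
    A = cproject(init, ctrl)
    for _ in range(max_steps):
        if A & bad:
            return A, False
        R = cproject(A | img(A), ctrl)
        if R == A:
            return A, True
        A = R
    return A, True


def control_edge_saturated_subset(A: Set[State]) -> Set[State]:
    """Lemma 3.1 made explicit: pair each successor t of s with the 'shadow' of
    s's control bits, keep one representative per (control(t), control(s))
    class, then drop the shadow: a minimal control-edge saturated subset of
    Img(A) in the sense of Definition 3.2."""
    augmented = {(ctrl(t) + ctrl(s), t) for s in A for t in next_states(s)}
    return {t for _, t in cproject(augmented, key=lambda x: x[0])}


def control_edges(A: Set[State], B: Set[State]) -> Set[Tuple[State, State]]:
    """Distinct controller transitions (control(s), control(t)) with s in A,
    t in B and t a successor of s."""
    return {(ctrl(s), ctrl(t)) for s in A for t in next_states(s) if t in B}
```

Running control_saturated_sim from the all-zero state converges to one representative per control class, and the edge-saturated subset of a small A covers exactly the controller transitions that the full image Img(A) covers, with fewer states.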
3.7 Experimental Results
The saturated simulation described above is implemented as part of the VIS
program [20]. Results are provided on two benchmarks: the 8085 and viper
microprocessors. The 8085 is approximately 4000 gate equivalents, and contains 242
latches, of which 33 were identified as being control. The viper is also 4000 gate
equivalents, and contains 218 latches, of which 9 were identified as control. All
experiments were conducted on an UltraSPARC 1, with a 170 MHz processor, and 128
MBytes of main memory. A timeout of 2000 seconds was used for all viper
experiments, and 1000 seconds for 8085 experiments. Sifting-based dynamic reordering
was enabled throughout the experiments.
Example   |Rchd. States|   Peak BDD   |Ctrl States|   |Ctrl Edges|   Depth
viper     1.36 × 10^19     2033        23              31             4
8085      1.43 × 10^7      275641      1233            3723           10
Table 3.1: Complete BDD based reachability analysis

Example   Peak BDD   |Ctrl States|   |Ctrl Edges|   Depth
viper     160180     246             688            64
8085      81089      1846            4765           43
Table 3.2: Partial reachability analysis using control-state saturated subsets
Table 3.1 presents results on the use of a complete BDD-based reachability
analysis on the two benchmarks. Peak BDD is the number of nodes in the largest
BDD encountered during reachability analysis. (The abnormally low peak BDD
for viper in Table 3.1 stems from the fact that the program timed out after the first
four reachability steps, which were easily performed.) Table 3.2 presents results
on the use of a control-state saturated simulation (as given in Figure 3.4). For
8085, we compute almost twice as many reachable control states and transitions;
for viper, an order of magnitude more. Table 3.3 presents results on the use of
control-edge saturated simulation. In the same time, more edges are visited; this
comes at the expense of higher memory consumption with respect to control-state
saturated simulation. Interestingly, fewer control states are visited; we ascribe this
to the fact that the control-state saturated simulation is faster, and so manages to
go deeper into the state space in the same amount of time; this is seen in the depth
column.
Example   Peak BDD   |Ctrl States|   |Ctrl Edges|   Depth
viper     71213      236             705            60
8085      81089      1696            6324           30
Table 3.3: Partial reachability analysis using control-edge saturated subsets

Example   Saturated Simulation             Cycle Simulation
          T (sec)   |States|   |Edges|     T (sec)   Size       |States|   |Edges|
viper     2000      236        705         86616     1000×200   121        288
8085      1000      1696       6324        99143     4000×200   705        2674
Table 3.4: Comparing saturated simulation with cycle simulation
We compare saturated simulation with fast lookup based cycle simulation [5,
80] in Table 3.4. For viper, we performed 1000 sets of simulations, each comprising
200 vectors; for 8085 we performed 4000 sets of length 200. Even though
we gave cycle simulation two orders of magnitude more time, it still performed far
worse than saturated simulation.
3.8 Summary
We investigated a method of applying symbolic simulation in invariant checking.
Symbolic simulation, due to its use of BDDs, has a larger capacity in terms of
design behavior coverage, compared to traditional simulation. We also provided
an abstraction mechanism for selectively exploring control states and transitions,
Retrograde Analysis (RA) is an important search technique developed within
the field of Artificial Intelligence. The name characterizes the main ingredient of
the technique — a backward search starting from the goal. In [106], Ken Thompson
employed this technique in the course of analyzing certain chess endgames. He
approached the problem by first marking all positions W0 where white wins, then
computing the positions W1 from which there is a move for white following every
move by black that leads to a position in W0; clearly these are also winning
positions for white. Iteratively, he determined the sets W0, W1, W2, ... and used them
as the new goals in the search of a winning strategy.
The primary benefit of RA is that the set ∪_i Wi typically contains many
more positions than W0; hence, in a heuristic sense, the former offers a much larger
“target” for the search. Furthermore, since the positions in Wi are i moves closer
to the starting position than the ones in W0, the search targeting them will span a
shorter distance in the game space. Following this line of thinking, we can improve
RA by also “enlarging” the set of initial positions. The new set is the union of
the original initial positions and the ones they can reach within a certain number of
moves. The intention is to further reduce the search distance.
We formulate invariant checking as an RA problem, with the above improvement,
by treating the complement of the invariant as the end positions. We also provide
a heuristic for selecting candidate starting states from the enlarged set of initial
states. As we have seen in Section 2.3, this approach is essentially a backward image
computation, and thus is orthogonal to saturated simulation, which is based on forward
image computation.
4.2 The Implementation
Our RA-based invariant checking consists of two phases, the preparation
phase and the search phase. In the first phase, we iteratively construct the series
B0, B1, ... where B0 is the complement of the invariant and Bi+1 = PreImg(Bi).
Analogous to the end positions, the Bi's are effectively bad states. Since the Bi's can
grow very large in terms of cardinality, it is natural to resort to BDDs for compact
representations. The BDDs, however, may still exhaust the main memory eventually.
Therefore, we conclude the first phase either right before this happens, for
maximum resource utilization, or simply after a certain number of steps.
In the search phase, we look for an input sequence that takes a starting state
to a state in the target ∪_i Bi. Several search strategies with ascending levels of
sophistication are considered. The simplest strategy is the simulation of random
input vectors starting from a random initial state; the search halts if some state
reached in this fashion lies in the target. This approach is illustrated in Figure 4.1(a).
Note that checking if a state lies in the target defined by a BDD can be performed
Figure 4.1: Retrograde search for invariant checking. (b) RA with Hamming; closest states are hatched.
in time proportional to the number of variables in the BDD, which is independent
of the BDD size.
A more involved strategy is to pick an initial state which is “close” to the
target states. We propose the use of Hamming distance as the measure of closeness.
The Hamming distance between two vectors α, β ∈ {0, 1}^n (denoted by
Δ(α, β)) is the number of positions in which the α and β vectors differ. Consider
the relations H0, H1, H2, ..., Hn ⊆ {0, 1}^{2n} where (α, β) ∈ Hk iff Δ(α, β) ≤ k.
The relation H1 can be constructed directly using BDDs. The relation Hi+1 satisfies
the following identity:
Hi+1 = Hi ∪ (∃γ) [ (α, γ) ∈ Hi ∧ (γ, β) ∈ H1 ]
Hence, the BDDs for H0, H1, H2, ..., Hn ⊆ {0, 1}^{2n} can be easily constructed;
furthermore a simple argument based on counting cofactors shows that they are
small for the interleaved variable ordering.
The search for states in the target can be further enhanced by first computing
a series of images of the set of initial states. From the outermost image, pick a
state (say σ) which is closest to the target, and then perform random cycle simulation
from σ. This is illustrated in Figure 4.1(b). Instead of cycle simulation from
σ, a combination of symbolic forward reachability analysis coupled with the
Hamming heuristic can be recursively applied. This is illustrated in Figure 4.1(c).
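An added, explicit-state illustration of the retrograde search (not the dissertation's VIS implementation): the pre-image series B_i of the preparation phase, the forward search distance that each backward step shortens, the Hamming relations H_k built only from H_1 and the identity above, the closest-state heuristic of Figure 4.1(b), and the random-simulation search phase. The 5-bit counter design, its invariant and the random seeds are constructed for the example.

```python
"""Explicit-state version of the retrograde search of Section 4.2.  Added
example, not the dissertation's VIS code: BDD sets become Python sets of bit
tuples; the toy design, its invariant and the seeds are constructed here."""
from collections import deque
from itertools import product
import random
from typing import List, Optional, Set, Tuple

N = 5                                     # constructed: a 5-bit counter
State = Tuple[int, ...]
ALL: Set[State] = set(product((0, 1), repeat=N))
INIT: State = (0,) * N
BAD: Set[State] = {(1,) * N}              # complement of the invariant "counter < 31"


def to_int(s: State) -> int:
    return int("".join(map(str, s)), 2)


def to_bits(v: int) -> State:
    return tuple((v >> (N - 1 - i)) & 1 for i in range(N))


def step(s: State, inp: int) -> State:
    """Constructed toy design with a 2-bit input: 1 and 2 increment the
    counter (mod 2^N), 3 resets it, 0 holds it."""
    v = to_int(s)
    if inp in (1, 2):
        v = (v + 1) % (1 << N)
    elif inp == 3:
        v = 0
    return to_bits(v)


def img(S: Set[State]) -> Set[State]:
    return {step(s, i) for s in S for i in range(4)}


def pre_img(S: Set[State]) -> Set[State]:
    return {s for s in ALL if any(step(s, i) in S for i in range(4))}


def retrograde_target(bad: Set[State], k: int) -> Set[State]:
    """Preparation phase: B_0 = bad, B_{i+1} = PreImg(B_i); returns the union of B_0..B_k."""
    B, target = set(bad), set(bad)
    for _ in range(k):
        B = pre_img(B)
        target |= B
    return target


def forward_distance(start: State, target: Set[State]) -> Optional[int]:
    """BFS length of the shortest input sequence from start into target: the
    search distance that the backward steps are meant to shrink."""
    dist, queue = {start: 0}, deque([start])
    while queue:
        s = queue.popleft()
        if s in target:
            return dist[s]
        for t in img({s}):
            if t not in dist:
                dist[t] = dist[s] + 1
                queue.append(t)
    return None


def hamming(a: State, b: State) -> int:
    return sum(x != y for x, y in zip(a, b))


def hamming_relations(n: int) -> List[Set[Tuple[State, State]]]:
    """H_0..H_n from H_1 alone, via H_{i+1} = H_i ∪ {(α,β) : ∃γ (α,γ)∈H_i ∧ (γ,β)∈H_1}."""
    nbr = {a: {b for b in ALL if hamming(a, b) <= 1} for a in ALL}
    H = [{(a, a) for a in ALL}, {(a, b) for a in ALL for b in nbr[a]}]
    for _ in range(n - 1):
        prev = H[-1]
        H.append(prev | {(a, b) for (a, c) in prev for b in nbr[c]})
    return H


def hamming_to_target(s: State, target: Set[State]) -> int:
    return min(hamming(s, t) for t in target)


def hamming_guided_start(init: State, target: Set[State], steps: int) -> State:
    """Figure 4.1(b): take `steps` forward images of the initial state and pick
    the state of the outermost image closest in Hamming distance to the target."""
    S = {init}
    for _ in range(steps):
        S = img(S)
    return min(S, key=lambda s: (hamming_to_target(s, target), s))


def trials_to_hit(start: State, target: Set[State], max_trials: int = 200,
                  vectors: int = 100, seed: int = 0) -> Optional[int]:
    """Search phase: random cycle simulation with `vectors` inputs per trial.
    Trial i is reseeded with seed*1000+i so that two targets are compared on the
    same input sequences.  Returns the first trial that enters the target."""
    for i in range(1, max_trials + 1):
        rng, s = random.Random(seed * 1000 + i), start
        for _ in range(vectors):
            if s in target:
                return i
            s = step(s, rng.randrange(4))
        if s in target:
            return i
    return None
```

With the target enlarged by k backward steps the BFS distance from the initial state falls from 31 to 31 − k, and because every trial replays the same input sequence, a larger target can never need more trials than a smaller one.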
4.3 Experimental Results
Retrograde analysis is coded as part of the VIS program, and was tried on
a number of examples. Representative results are provided on two benchmarks:
Mesh4 is a routing algorithm on a 4 by 4 mesh of nodes, and Cube4 is a hypercube-based
routing protocol. For both examples, we chose an invariant which fails.
Results on Mesh4 are reported in Figure 4.2. We plot BDD size and cardinality
after successive pre-images in Figure 4.2(a); both grow quickly. In Figure 4.2(b)
we plot the number of simulation trials needed to reach a pre-image,
starting from the initial state, against the number of pre-image steps taken; each
trial consists of applying 100 random vectors. It is clear from the picture that this
number decreases rapidly.
The effect of Hamming distance is given in Figure 4.3 for the Cube4 example.
Figures 4.3(a) and 4.3(b) are as before. In Figure 4.3(c), we show the effect of
taking one forward step, and then picking a state in the image which is close to the
target as opposed to a random state in the image; in Figure 4.3(d) we take two forward
steps, and then pick a state which is close to the target. In both cases, there is
an appreciable decrease in the number of simulation trials needed when Hamming
Figure 4.2: Retrograde Analysis applied to Mesh4; panels (a) and (b) plot BDD size, no. of target states and Sim_steps against the number of backward steps.
performance is actually worse than simply starting at the initial state.
4.4 Summary
We presented a symbolic method based on retrograde analysis, and a heuris-
tic, in the application of invariant checking. Although aimed at the same problem,
this method, and saturated simulation reported in the last chapter, are orthogonal
in their search strategies. Experimental evidence corroborates that both approaches
yield enhanced coverage and robustness. Thus the combination of formal and in-
formal verification offers benefits not available in each independently.
[Figure 4.3: plots (a), (b), (d) of BDD size against the number of backward steps]
While there is a wide range of verification methodologies [93], simulation is
still the prevalent form of functional verification of commercial designs [37, 38, 46,
48, 85, 104]. An important task in simulation is the generation of simulation vectors,
which is time-consuming and error-prone, especially in the presence of complex in-
teractions between the design and its environment. Vector generation methods fall
into two major categories, namely the deterministic and the random-based. The for-
mer refers to the generation of vectors either manually by engineers with detailed
understanding of the design, or automatically by programs using ATPG (Automatic
Test Pattern Generation) techniques. This leaves the method highly sensitive to the
complexity of the design. In practice, a design is usually simulated first with a rel-
atively small set of vectors created deterministically, then with random vectors for
as long as is feasible. Therefore, random vector generation is of great importance
to simulation-based verification.
In this chapter, we describe a symbolic generator of random vectors, SymGen,
using constraints represented by BDDs. The first requirement for any vector
generation tool is to define, and generate within, the legal input space, which often
is a function of the state of the design. In addition, a robust tool should also
provide the ability to influence the distribution of the generation, thus directing the
simulation towards the “corner” cases, or other test scenarios deemed interesting.
SymGen strives to meet these important requirements, in a unified fashion, using
Boolean constraints and input biases in an efficient algorithm. The algorithm consists
of two procedures: the first computes the weights of vectors, composed from
constraints and biases; the second generates vectors according to probabilities derived
from the weights. Both procedures operate symbolically using BDDs. The
algorithm is immune to the backtracking problem that is typical of many vector
generation tools, and is independent of variable orderings, despite the use of
BDDs.
The rest of this chapter is organized as follows. Section 5.2 reviews the re-
lated work. Section 5.3 describes how environment constraints and input biases are
represented, and provides a mechanism for combining the effects of the two. The
vector generation algorithm is presented in Section 5.4, while the implementation
issues are discussed in Section 5.5. Experimental results and a case study are given
in Section 5.6. Section 5.7 summarizes this chapter.
5.2 Previous Work
In [50], a tool called RIS implemented a static-biased random generation
technique that allows the user to bias the simulation generation within a restricted
set of choices — all of which satisfy the constraints. However, the biasing is static
in that it is independent of the state of design. To provide more biasing flexibility,
54
Aharon implemented a dynamically-biased test generator for a tool called RTPG [2,
3], which decides the next input based on the current state of the design. The
primary drawback for the simulation generator is the effort required to produce
the functional model. A tool introduced in [28] used various constraint solving
techniques tailored for specific instructions. A problem is that one may need to
backtrackand perform a heuristic search to resolve the “dead end” cases.
BDDs have found many applications in design and verification problems.
The Algebraic Decision Diagram (ADD) [10], which is an extension to the BDD,
was used in [56] to represent the matrix of a state transition graph and compute the
steady-state probabilities for Markov chains. Although simulation generation was
not the concern of that paper, the experiments showed that symbolic methods can
handle very large systems in which direct equation solving methods cannot.
In [15], binary graphs were used to represent Boolean functions, so that the
probability distribution of the output can be computed recursively from the input
probabilities of the function. This technique was used to probabilistically decide
the equivalence of Boolean functions. A similar approach was adopted in [69] to
compute exact fault detection probabilities for some given nets in a design.
Both [15, 69] are related to our work from the point of view that probabilities
are computed recursively using a decision diagram. But this is where the similarity
ends. Specifically, we do not deal with the probability of the output of a function or
a design net. The problem we are facing is to generate input vectors which satisfy
a set of constraints, and are probabilistically influenced by the input distribution, or
biasing. The constraints and biasing we consider can both be state-dependent.
5.3 Constraints and Biasing
5.3.1 Constraints for Environment Modeling
Simulation by random vectors is meaningful only if the vectors meet certain
requirements modeling the environment of the design. For example, a design
may prohibit some input combinations, or expect the inputs to follow some patterns
under specific states. These requirements are relational by nature, thus suggesting
the use of constraints. SymGen adopts this approach by generating vectors in
the state-dependent legal input space, defined by the conjunction of environment
constraints expressed as Boolean functions of input and state variables. As an example,
consider a typical assumption about bus interfaces: the “transaction start” input (ts)
is asserted only if the design is in the “address idle” state. Syntactically, this is
captured in the following SymGen constraint:
$constraint(ts → (addrstate == ADDRIDLE));
SymGen handles a rich class of constraints because of the constraints’ dependency
on state. For example, by adding auxiliary variables to remember past states,
SymGen can constrain the sequential behavior of the inputs; this is discussed in
Section 5.6.2.
Compared to testbenches, the traditional driver-program approach to
environment modeling, the advantage of constraints is manifold. First, constraints
are declarative, as opposed to the constructive approach of testbenches, and thus
need less effort on the part of the user. This is especially helpful in a prototyping
stage when all that is known about the environment are some abstract specifications
in the architecture book. Constraints also form a modular and more formal interface
documentation about design blocks; by contrast, a testbench constitutes an unmaintainable
and unverifiable documentation of the environment. Finally, constraints
automatically convert to properties to be monitored at a higher level of hierarchy;
thus, in a sense, use of constraints can be viewed as an assume/guarantee methodology.
5.3.2 BDD Representation of Constraints
The Boolean functions of constraints in SymGen are implicitly represented
by BDDs. In the sequel, we use constraint BDD to refer to the conjunction of the
BDDs of all constraints, unless otherwise stated. Recall we showed in Section 2.5
that the BDD as a representation of a Boolean function is automatically a representation
of the onset of that function. Bearing this in mind, we say that the legal input
space defined by a constraint is captured by the set of paths in the corresponding
BDD that lead to the terminal node ONE, in the following sense: each such path
can be viewed as an assignment to the variables on that path; the state variable
assignment (a cube) represents a set of states, whereas the input assignments represent
a set of input vectors that are legal under each of these states.
The above derivation of the legal input space for a given state is effectively
a computation of the constraint BDD’s cofactor relative to that state. Depending on
the constraint, the legal input space can be empty under certain states, which are
referred to as the illegal states, or more intuitively, the dead-end states, since the
simulation cannot proceed upon entering them. For instance, consider the constraint
(s1 + s2 + x1 + x2 ≤ 1), where s1 and s2 are state variables, and x1 and x2 are
inputs: the state (s1 = 1, s2 = 1) is an illegal state, since no assignments to x1 and
x2 can satisfy the constraint; states (s1 = 1, s2 = 0) and (s1 = 0, s2 = 1) have one legal
input vector, (x1 = 0, x2 = 0); and the legal input vectors for state (s1 = 0, s2 = 0)
are the ones satisfying (x1 + x2 ≤ 1).
Before we move on, we introduce some notation about BDDs that will
facilitate our exposition. We will not distinguish a constraint and its BDD representation;
we will use r(f) to denote the root node of a BDD f, v(π) to denote
the variable corresponding to the node π, and t(π), e(π) to denote the then and
else nodes of π, respectively; we will also use the convention that X stands for
the input variables, and Y for the state variables, and will use them without further
declaration.
5.3.3 Input Biasing
It is often the case that in order to exercise the design in “interesting” scenarios,
one needs to “bias” the inputs. In SymGen, we express the biases with input
probabilities.
Definition 5.1 The input probability of x = 1 is a function of the state with a range
in (0, 1), denoted by p_x(Y); the input probability of x = 0 is the function 1 − p_x(Y),
denoted by p̄_x(Y).
Note we exclude 0 and 1 from possible values of input probabilities since
they impose “hard” constraints and should be expressed as what they are, i.e., by
the constraints x == 0 and x == 1, respectively. An input probability can be given
either as a constant, or as a function in a Verilog [27] expression, which can be
evaluated natively in many commercial simulators. The following statement shows
an example of setting the input probability p_x, which evaluates to 0.2 when st is
UP, to 0.8 when st is DOWN, and to 0.5 otherwise.
$setprob1(x, st==UP ? 0.2 : st==DOWN ? 0.8 : 0.5);
Input probabilities are “soft” restrictions since they can be “reshaped” by
the constraints, which assume higher priority. In extreme cases, the constraints can
prohibit an input from taking a specific value at all times even though the input may be
assigned a high probability of doing so.
5.3.4 Constrained Probabilities
To handle the combination of constraints and input probabilities in a unified
way, we introduce the notion of constrained probability of an input vector. First, we
define an auxiliary term, the weight of an input vector.
Definition 5.2 Let α = a1 a2 ⋯ an be a vector of input variables x1, …, xn. The
weight of α under state Y is
ω(α, Y) = ∏_{i=1}^{n} [ a_i · p_{x_i}(Y) + (1 − a_i) · p̄_{x_i}(Y) ]   (5.1)
The constrained probability is then defined in the following:
Definition 5.3 Let f be a constraint, s a state, and f_s the legal input space which is
the cofactor of f with respect to s. The constrained probability of an input vector
α, under s, is 0 if α ∉ f_s; otherwise, it is given by
ω(α, s) / Σ_{β ∈ f_s} ω(β, s)
Conceptually, the constrained probability of an input vector is the weight
of that vector divided by the sum of the weights of all vectors that satisfy the
constraint; the sum is zero if the given state is an illegal state.
5.3.5 An Example of Constrained Probability
Consider a design with four inputs, cmd[3], cmd[2], cmd[1] and cmd[0],
with the corresponding input probabilities 1/2, 1/3, 1/4, and 1/5. When there
are no constraints, all vectors are possible and each has the probability that is the
product of input probabilities, as shown in Table 5.1. (Middle vectors are removed
for brevity.) Note that the sum of all the vector probabilities is 1.
Now we add a constraint
$constraint( cmd[3:0]==4'b1000 || cmd[3:0]==4'b0100 ||
cmd[3:0]==4'b0010 || cmd[3:0]==4'b0001 );
which restricts our choices to the four vectors shown, enforcing a “one-hot” property
among the inputs. These vectors and their “probabilities” (actually, weights,
since the sum is less than 1 now) are given in Table 5.2.
cmd[3]  cmd[2]  cmd[1]  cmd[0]   probability of vector
 (1/2)   (1/3)   (1/4)   (1/5)
  0       0       0       0      1/2 · 2/3 · 3/4 · 4/5 = 24/120
  0       0       0       1      1/2 · 2/3 · 3/4 · 1/5 = 6/120
  0       0       1       0      1/2 · 2/3 · 1/4 · 4/5 = 8/120
  ...
  1       1       0       1      1/2 · 1/3 · 3/4 · 1/5 = 3/120
  1       1       1       0      1/2 · 1/3 · 1/4 · 4/5 = 4/120
  1       1       1       1      1/2 · 1/3 · 1/4 · 1/5 = 1/120
                                 Σ = 120/120 = 1
Table 5.1: Example: explicit computation of vector probabilities

cmd[3]  cmd[2]  cmd[1]  cmd[0]   unnormalized weight of vector
 (1/2)   (1/3)   (1/4)   (1/5)
  0       0       0       1      1/2 · 2/3 · 3/4 · 1/5 = 6/120
  0       0       1       0      1/2 · 2/3 · 1/4 · 4/5 = 8/120
  0       1       0       0      1/2 · 1/3 · 3/4 · 4/5 = 12/120
  1       0       0       0      1/2 · 2/3 · 3/4 · 4/5 = 24/120
                                 Σ = 50/120 ≠ 1
Table 5.2: Example: explicit computation of vector weights under constraints
Finally, the constrained probabilities are obtained by normalizing the weights
with regard to the total weights of the legal vectors. The results are 3/25, 4/25, 6/25,
and 12/25, respectively for the vectors in Row 1 through Row 4.
The drawback of the above tableau approach is obvious: the cost is on the
order of 2^n for n inputs. In the next section we present a method that computes the
constrained probabilities implicitly in BDDs. Its efficiency, hinging on the compactness
of BDD representation of Boolean functions, is evident from the experiments
conducted on commercial designs, as will be reported in Section 5.6.
5.4 Simulation Vector Generation
We now develop a constrained vector generation algorithm based on implicit
computation of constrained probabilities. The algorithm, consisting of two
procedures Weight and Walk, proceeds as follows: Weight computes the weights
of the nodes in the constraint BDD for a given state; depending on the result, the
algorithm either terminates because the state is illegal, or starts the Walk procedure
to generate an input vector; Walk traverses the constraint BDD according
to branching probabilities derived from the weights of nodes. The traversed path,
together with random assignments to input variables not on that path, identifies an
input vector that has the following properties:
Property 1: The vector is a legal vector.
Property 2: The vector can be any legal vector.
Property 3: The vector is generated with its constrained probability as given in
Definition 5.3.
The first two properties are necessary for an ideal simulation vector generation process
that produces only and all the vectors that satisfy the constraint. The third
property provides a utility for controlling the distribution of the generated vectors.
First, we define what we mean by the weight of a BDD node under a particular
state.
Definition 5.4 Given a constraint and the set of state variables Y, the weight of
node π, denoted by ω(π, Y), is inductively given by the rules:
1. ω(ONE, Y) = 1, ω(ZERO, Y) = 0
2. Let Y be the set of state variables, and v the variable corresponding to π; let
t(π) and e(π) be the then and else nodes of π, respectively. Then
ω(π, Y) = p_v(Y) · ω(t(π), Y) + p̄_v(Y) · ω(e(π), Y)   if v is an input variable
ω(π, Y) = ω(t(π), Y)                                    else if v = 1
ω(π, Y) = ω(e(π), Y)                                    else
(5.2)
The Weight procedure, as shown in Figure 5.1, applies the above computation
of node weights recursively to the constraint BDD in a depth-first order. The
following notations are used: node.var represents the variable associated with a
BDD node; node.then and node.else represent the child nodes of node, for the
assignments node.var=1 and node.var=0, respectively.
Weight performs a one-pass computation of node weights through the constraint
BDD. A straightforward upper bound on the time complexity of Weight is
O(n), for a constraint BDD with n nodes. Note, however, that the procedure traverses
only a subgraph in the BDD because it explores only one branch of each
state node encountered. Further, we point out that in this subgraph, the nodes with
/* s is the current state. */
/* The recursion starts with */
/* the root node. */
ω(π, s) {
  if (π == ONE) return 1;
  if (π == ZERO) return 0;
  if (π is visited) return π.weight;
  set_visited(π);
  let u be the variable v(π);
  if (u is an input variable) {
    π.weight = p_u(s) · ω(t(π), s) + p̄_u(s) · ω(e(π), s);
  }
  else if (u is a state variable) {
    π.weight = (s(u) == 1) ? ω(t(π), s) : ω(e(π), s);
  }
  return π.weight;
}
Figure 5.1: The Weight procedure
positive (nonzero) weights form yet another subgraph which identifies the current
legal input space; as we showed in Section 5.3.1, the latter subgraph is effectively
the cofactor of the BDD with respect to the current state. This cofactoring is “in-
place” in the sense that it never creates new BDD nodes, thus avoiding potential
BDD size explosions of a normal BDD cofactoring. For these reasons,Weightis
fairly efficient in practice even when the constraint BDD is quite large.
The second function of Weight is to determine whether the current state is legal, i.e., allows some satisfying input assignment. If it is, then we continue with the vector generation process; otherwise, we have to abort the simulation and start debugging the constraints. The following theorem provides such a test based on the result of Weight. Recall that r(f) returns the root node of the BDD of f.
Theorem 5.1 Given a constraint f, a state s is a legal state iff
$$\omega(r(f), s) > 0.$$
Proof: Input probabilities are always greater than 0, and so are the weights of any input vectors. Therefore, the existence of satisfying input vectors, which indicates the state is legal, is equivalent to the sum of weights of satisfying vectors being positive.
The theorem is then the immediate result of Lemma 5.1, below, which says that the weight of the root node of f is the sum of weights of satisfying input vectors under s in f.
Lemma 5.1 Given a constraint f and a state s, $\omega(r(f), s) = \mathit{sum}(f, s)$, where $\mathit{sum}(f, s)$ is the sum of the weights of the vectors in $f_s$, and $f_s$ is the set of legal vectors in f under the state s.
Proof: By induction on the number of variables in f.
If f is a function with no variables, thus a constant, then for any s: (1) If f = 1, then $\omega(\mathit{ONE}, s) = 1$; also, $\mathit{sum}(1, s) = 1$ since all input vectors are legal; (2) Similarly, if f = 0, both $\omega(\mathit{ZERO}, s)$ and $\mathit{sum}(0, s)$ are 0.
If f has one variable, there are also two cases: (1) If the variable is an input, without loss of generality, let f = x. Then $\omega(x, s) = p_x(s)$, which is equal to $\mathit{sum}(x, s)$ since x = 1 is the only legal vector; (2) If the variable is a state variable, without loss of generality, let f = y. Then $\omega(y, y = 1)$ returns the weight of ONE, 1, and $\mathit{sum}(y, y = 1)$ is also 1 since all vectors are legal; similarly, $\omega(y, y = 0)$ is the weight of ZERO, 0, and $\mathit{sum}(y, y = 0)$ is 0 since no vectors are legal.
Now, we prove the induction hypothesis. Let the lemma hold for the two child BDDs of f, g and h, of variables $u_1, \ldots, u_{n-1}$; let $u_n$ be the new variable in f, and without loss of generality, let $f = u_n \cdot g + \bar u_n \cdot h$. Again we have two cases.
(1) $u_n$ is an input variable: From Equation 5.2, we have
$$\omega(r(f), s) = p_{u_n}(s)\cdot\omega(r(g), s) + \bar p_{u_n}(s)\cdot\omega(r(h), s);$$
by the induction hypothesis, we get
$$\omega(r(f), s) = p_{u_n}(s)\cdot\mathit{sum}(g, s) + \bar p_{u_n}(s)\cdot\mathit{sum}(h, s).$$
Every legal vector of f under s is either a legal vector of g extended with $u_n = 1$ or a legal vector of h extended with $u_n = 0$, and the weight of the extended vector is the weight of the original one multiplied by $p_{u_n}(s)$ or $\bar p_{u_n}(s)$, respectively; so the right-hand side is exactly $\mathit{sum}(f, s)$.
(2) $u_n$ is a state variable: If $s' = s \cdot u_n$, then $f_{s'} = g_s$, therefore $\mathit{sum}(f, s') = \mathit{sum}(g, s)$; further, from Equation 5.2, we have $\omega(f, s') = \omega(g, s)$. Hence, by the induction hypothesis, $\omega(f, s') = \mathit{sum}(f, s')$. The case $s' = s \cdot \bar u_n$ can be proved similarly.
5.4.2 The Walk Procedure
If the current state is a legal state, we proceed to actually generate a vector. For a quick intuition, we say that our generation procedure resembles the reverse of evaluating a BDD for a given vector, in the sense that we take branches and assign values accordingly, whereas the latter uses existing assignments to guide the branching. So the key to our method is how the branches are taken. Our solution is to follow the branching probabilities, built up from the weights just computed, in the following way.
Definition 5.5 Let $\eta$ be an input node with a positive weight, and u the associated variable. Let s be the state. The branching probabilities of $\eta$ are given in the following equations:
$$\eta.\mathit{thenprob} = [p_u(s)\cdot\omega(t(\eta), s)]/\omega(\eta, s) \qquad (5.3)$$
$$\eta.\mathit{elseprob} = [\bar p_u(s)\cdot\omega(e(\eta), s)]/\omega(\eta, s) \qquad (5.4)$$
Note that
$$\eta.\mathit{thenprob} + \eta.\mathit{elseprob} = 1. \qquad (5.5)$$
We intend to use the branching probabilities to guide a random traversal in the constraint BDD, and generate a vector as follows: the traversal starts from the root node; at a state node, it takes the then (resp. else) branch if the corresponding state variable evaluates to 1 (resp. 0) in the current state; at an input node, it takes a branch according to the branching probabilities of the node, and sets the value of the corresponding input variable accordingly, i.e., to 1 if a then branch was taken, to 0 otherwise. This procedure is implemented in Figure 5.2, and is named Walk.
Two properties, however, need to be proved in order for Walk to be valid. First, we show that all the nodes that can be visited must have positive weights, since these are the only nodes where the branching probabilities are defined. The following theorem states exactly this.
Figure 5.2: Procedure Walk (excerpt)
Walk(node, st) {
  if (node == ONE) return;
  if (node == ZERO) error;
  let v be the variable node.var;
  …
  node.thenprob = p(v) · t / node.weight;
  let r = random(0, 1);
  …
Theorem 5.2 Under a legal state, Procedure Walk only visits nodes with positive weights.
Proof: We use an inductive argument. First, from Lemma 5.1, under any legal state the weight of the root is greater than 0; further, by Definition 5.4, any node with a positive weight must have at least one child node with a positive weight, therefore, by Definition 5.5, at least one of its branching probabilities is greater than 0; so the traversal in Walk from that node must take a branch with a positive (not 0) probability, thus reaching a node with a positive weight. Hence by induction, every visited node must have a positive weight.
As a result of the above theorem, the last node of the traversal, too, must have a positive weight, and therefore must be node ONE.
Corollary 5.1 Under a legal state, Procedure Walk terminates only at node ONE.
Since the constraint BDD is satisfied by assignments corresponding to any path from the root to node ONE, this corollary asserts the second property we wanted to show about Walk: it generates only the legal vectors. The corollary, from a different viewpoint, also proves our claim that p-tree does not backtrack: if there exist any legal input vectors, it is guaranteed to find one in one pass.
One point worth mentioning is that, since the input assignments made during Walk have already satisfied the constraint, we are totally free in assigning the variables not visited in the traversal: in our case, we choose to do it according to their input probabilities. The default 0.5 is assumed if an input probability is not specified.
Finally, regarding the complexity, Walk always terminates in less than k steps on BDDs with k variables, since that is the length of the longest paths. Overall, since k is a much smaller number than the number of nodes, the time and space complexities of Weight and Walk combined are linear in the size of the constraint BDD.
5.4.3 Correctness and Properties
Recall that our goal was to generate vectors with the three properties given at the beginning of this section. We now show that the Weight and Walk procedures have achieved this goal.
The first property, which says p-tree generates only legal vectors, is guaranteed by Corollary 5.1, since the constraint BDD is satisfied by assignments corresponding to any path from the root to node ONE.
The second property, that the algorithm can generate all legal vectors, is satisfied by the third, which states that the generation follows the constrained probabilities, because of the following: due to Definition 5.3, the set of legal vectors is exactly the set of vectors with positive constrained probabilities, therefore if the third property holds, each legal vector will have a greater than 0 chance to be generated. We restate the third property in the following theorem.
Theorem 5.3 Procedure Walk generates input vectors according to their constrained probabilities.
Proof: First, from Corollary 5.1, Walk always ends at node ONE, thus it never generates illegal input vectors, whose constrained probabilities are 0 by Definition 5.3.
Now consider legal vectors. Let f be the constraint and s the state. Let $\eta_1, \ldots, \eta_m, \eta_{m+1}$ be the sequence of nodes visited in a Walk traversal, where $\eta_1$ is the root and $\eta_{m+1}$ the node ONE. Without loss of generality, assume that the input variables corresponding to this sequence are $x_1, \ldots, x_m$, and that $x_{m+1}, \ldots, x_n$ were not visited. Also, let $\sigma = \sigma_1 \cdots \sigma_n$ be the generated vector, wherein the first m values correspond to the branches taken in the traversal, and the last n − m values correspond to the choices based upon input probabilities. For brevity, let $p_{u,b,s}$ denote $b \cdot p_u(s) + (1 - b)\cdot\bar p_u(s)$. Then, the probability of this vector is given by the following product:
$$\frac{p_{x_1,\sigma_1,s}\cdot\omega(\eta_2, s)}{\omega(\eta_1, s)}\cdot\frac{p_{x_2,\sigma_2,s}\cdot\omega(\eta_3, s)}{\omega(\eta_2, s)}\cdots\frac{p_{x_m,\sigma_m,s}\cdot\omega(\eta_{m+1}, s)}{\omega(\eta_m, s)}\cdot\prod_{i=m+1}^{n} p_{x_i,\sigma_i,s} = \frac{\prod_{i=1}^{n} p_{x_i,\sigma_i,s}}{\omega(\eta_1, s)},$$
since the intermediate weights cancel and $\omega(\eta_{m+1}, s) = \omega(\mathit{ONE}, s) = 1$; this, by Definition 5.3, is exactly the constrained probability of the legal input vector.
Since constrained probabilities are completely determined by the constraint, the current state, and the input probabilities, a direct result of the above theorem is the p-tree algorithm’s independence from the BDD variable ordering, which is a nice property for techniques based on BDDs.
Corollary 5.2 The probability of generating an input vector using the p-tree algorithm is independent of the variable ordering of the constraint BDD.
Finally, we show that p-tree holds another property that correlates the input and the branching probabilities.
Lemma 5.2 Using the p-tree algorithm, the probability of generating an input vector in which an input variable $x_k$ equals 1 (resp. 0) monotonically increases as $p_{x_k}$ (resp. $\bar p_{x_k}$) increases.
Proof: There are two cases: (1) If $x_k$ is not visited in Walk, then it is assigned according to its input probabilities, to which the probability of the vector is proportional; hence the lemma is true. (2) If $x_k$ is visited in Walk, let f be the constraint and s the state; then the probability of the vector, say $\sigma = \sigma_1 \cdots \sigma_n$ where $\sigma_k$ is the value of $x_k$, is
$$\frac{\prod_{i=1}^{n}\big(\sigma_i \cdot p_{x_i}(s) + (1 - \sigma_i)\cdot\bar p_{x_i}(s)\big)}{\omega(r(f), s)}.$$
Because this probability does not depend on variable ordering (Corollary 5.2), we choose $x_k$ to be the variable associated with the root node. Then the probability becomes
$$\frac{\prod_{i=1}^{n}\big(\sigma_i \cdot p_{x_i}(s) + (1 - \sigma_i)\cdot\bar p_{x_i}(s)\big)}{p_{x_k}(s)\cdot\omega(t(r(f)), s) + \bar p_{x_k}(s)\cdot\omega(e(r(f)), s)}.$$
Let q denote the product of $\big(\sigma_i \cdot p_{x_i}(s) + (1 - \sigma_i)\cdot\bar p_{x_i}(s)\big)$ for all $i \neq k$, $w_t$ denote $\omega(t(r(f)), s)$, and $w_e$ denote $\omega(e(r(f)), s)$. Note that q, $w_t$ and $w_e$ are independent of the input probabilities of $x_k$. Let $\sigma_k = 1$; the above formula rewrites to
$$\frac{q \cdot p_{x_k}(s)}{p_{x_k}(s)\cdot w_t + \bar p_{x_k}(s)\cdot w_e} = \frac{q}{w_t + (\bar p_{x_k}(s)/p_{x_k}(s))\cdot w_e} = \frac{q}{w_t + (1/p_{x_k}(s) - 1)\cdot w_e},$$
therefore the probability of $\sigma$ monotonically increases in $p_{x_k}$. The case $\sigma_k = 0$ is analogous.
5.4.4 An Example of the p-tree Algorithm
We reuse the example from Section 5.3.5 by making a slight modification to demonstrate the effect of state in constraints: we qualify the constraint with the
(cmd[3:0] == 4’b0001) );
The resulting constraint BDD is shown in Figure 5.3: solid arcs represent the then branches, and the node weights are shown to the right of the BDD. To aid the discussion, we use $x_0, \ldots, x_3$ to denote the inputs cmd[0], …, cmd[3], respectively.
Figure 5.3: A constraint BDD labeled with node weight
As described in Section 5.4.1, for a given state, only a subgraph in the BDD is involved in the computation: for the state “reset=1”, the subgraph contains only the ONE node, meaning that all inputs are possible, therefore the constrained probability of a vector $\sigma = \sigma_0 \cdots \sigma_3$ is simply the product
$$\prod_{i=0}^{3}\big(\sigma_i \cdot p_{x_i} + (1 - \sigma_i)\cdot\bar p_{x_i}\big);$$
for the state “reset=0”, the subgraph contains nodes a through g, which is the BDD corresponding to the original constraint used in Section 5.3.5. We will work on the latter case, and show how p-tree implicitly computes the probabilities of legal inputs, which should match the constrained probabilities obtained in Section 5.3.5, given again in Table 5.3.
input probability:    1/2      1/3      1/4      1/5   constrained
                   cmd[3]   cmd[2]   cmd[1]   cmd[0]   probability
                        0        0        0        1          3/25
                        0        0        1        0          4/25
                        0        1        0        0          6/25
                        1        0        0        0         12/25
Table 5.3: Example: constrained probabilities (reset=0)
First, Weight is applied to the root node r, and recurs in a depth-first order through the subgraph below it. We illustrate the calculation by considering nodes f and e. For brevity, we denote the state “reset=0” by “!r”.
$$\omega(f, !r) = (1 - p_{x_0}(!r))\cdot\omega(\mathit{ONE}, !r) + p_{x_0}(!r)\cdot\omega(\mathit{ZERO}, !r) = 4/5 \cdot 1 + 1/5 \cdot 0 = 4/5$$
Similarly, we have $\omega(g, !r) = 1/5$. Then,
$$\omega(e, !r) = p_{x_1}(!r)\cdot\omega(f, !r) + (1 - p_{x_1}(!r))\cdot\omega(g, !r) = 1/4 \cdot 4/5 + 3/4 \cdot 1/5 = 7/20$$
The weights of r and a through g are shown in Figure 5.3. The probabilities of legal input vectors are then obtained according to procedure Walk. For example, … Note it matches the constrained probability of the same vector, shown in Table 5.3.
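The Weight and Walk procedures of Sections 5.4.1 and 5.4.2, and the computation sketched above, can be run end to end on a small BDD. The Python program below is an added example, not code from the dissertation or from SymGen: it builds a reduced ordered BDD by Shannon expansion for an assumed form of the qualified constraint (cmd[3:0] one-hot unless the state variable reset is 1, with x_i standing for cmd[i]), computes node weights per Definition 5.4, samples vectors with the branching probabilities of Definition 5.5, and replays the product from the proof of Theorem 5.3 to obtain each vector's exact generation probability for comparison with Table 5.3. The function and variable names (build_bdd, weight, walk, vector_probability, INPUTS, PROBS, CONSTRAINT) are my own, as is the sample constraint.

```python
"""p-tree vector generation on a constructed reset-qualified one-hot constraint (Section 5.4.4):
Weight (Definition 5.4), the legal-state test (Theorem 5.1), Walk (Definition 5.5) and the
exact generation probability of a vector (Theorem 5.3). Added example, not the thesis's code."""
from fractions import Fraction
from itertools import product
from math import prod
import random

ONE, ZERO = "ONE", "ZERO"                      # terminal nodes

def build_bdd(order, func):
    """Reduced ordered BDD of func over order = [(variable, "state" | "input"), ...] by Shannon
    expansion. Returns (order, nodes, root) with nodes: id -> (level, then-child, else-child)."""
    nodes, unique = {}, {}
    def mk(level, t, e):
        if t == e:                             # redundant test: no node needed
            return t
        key = (level, t, e)
        if key not in unique:
            unique[key] = len(nodes)
            nodes[unique[key]] = key
        return unique[key]
    def rec(level, assign):
        if level == len(order):
            return ONE if func(assign) else ZERO
        name = order[level][0]
        return mk(level, rec(level + 1, {**assign, name: 1}), rec(level + 1, {**assign, name: 0}))
    return order, nodes, rec(0, {})

def weight(bdd, state, probs):
    """Weight: one depth-first pass; a state node follows the current state (one branch explored),
    an input node mixes its children by input probability (Equation 5.2). Returns node -> weight."""
    order, nodes, root = bdd
    w = {ONE: Fraction(1), ZERO: Fraction(0)}
    def visit(n):
        if n not in w:
            level, t, e = nodes[n]
            name, kind = order[level]
            if kind == "input":
                w[n] = probs[name] * visit(t) + (1 - probs[name]) * visit(e)
            else:
                w[n] = visit(t) if state[name] else visit(e)
        return w[n]
    visit(root)
    return w

def _descend(bdd, state, probs, w, choose):
    """Follow the state at state nodes; at an input node of positive weight take the branch returned
    by choose(name, thenprob), thenprob as in Equation 5.3. Returns (terminal, path assignments)."""
    order, nodes, n = bdd
    vec = {}
    while n not in (ONE, ZERO):
        level, t, e = nodes[n]
        name, kind = order[level]
        if kind == "state":
            n = t if state[name] else e        # determined by the state, not a choice
        elif w[n] == 0:
            return ZERO, vec                   # nothing legal below this node
        else:
            vec[name] = choose(name, probs[name] * w[t] / w[n])
            n = t if vec[name] else e
    return n, vec

def walk(bdd, state, probs, rng):
    """Walk: random traversal by branching probabilities; inputs off the path get their plain input
    probability. Under a legal state it ends at ONE (Corollary 5.1) without backtracking."""
    w = weight(bdd, state, probs)
    end, vec = _descend(bdd, state, probs, w, lambda _, tp: 1 if rng.random() < tp else 0)
    if end != ONE:                             # Theorem 5.1: zero root weight means a dead-end state
        raise ValueError("dead-end state: no legal input vector")
    for name, kind in bdd[0]:
        if kind == "input" and name not in vec:
            vec[name] = 1 if rng.random() < probs[name] else 0
    return vec

def vector_probability(bdd, state, probs, vec):
    """Exact probability that walk() returns vec: the product in the proof of Theorem 5.3."""
    factors = []
    def follow(name, thenprob):                # replay vec's branch and record its probability
        factors.append(thenprob if vec[name] else 1 - thenprob)
        return vec[name]
    end, visited = _descend(bdd, state, probs, weight(bdd, state, probs), follow)
    if end != ONE:
        return Fraction(0)
    for name, kind in bdd[0]:
        if kind == "input" and name not in visited:
            factors.append(probs[name] if vec[name] else 1 - probs[name])
    return prod(factors, start=Fraction(1))

# Constructed instance (assumed form of the Section 5.4.4 constraint): cmd[3:0] is one-hot unless
# the state variable reset is 1; x_i stands for cmd[i]; input probabilities as in Table 5.3.
INPUTS = ("x3", "x2", "x1", "x0")
LEGAL_CMDS = {(1, 0, 0, 0), (0, 1, 0, 0), (0, 0, 1, 0), (0, 0, 0, 1)}
PROBS = {"x3": Fraction(1, 2), "x2": Fraction(1, 3), "x1": Fraction(1, 4), "x0": Fraction(1, 5)}
def qualified_constraint(a):
    return a["reset"] == 1 or tuple(a[x] for x in INPUTS) in LEGAL_CMDS
CONSTRAINT = build_bdd([("reset", "state")] + [(x, "input") for x in INPUTS], qualified_constraint)

def root_weight(reset):
    """(numerator, denominator) of the root weight; positive iff the state is legal (Theorem 5.1)."""
    w = weight(CONSTRAINT, {"reset": reset}, PROBS)[CONSTRAINT[2]]
    return (w.numerator, w.denominator)

def generation_probabilities(reset):
    """bits (x3, x2, x1, x0) -> (numerator, denominator) for every vector of positive probability."""
    probs = {bits: vector_probability(CONSTRAINT, {"reset": reset}, PROBS, dict(zip(INPUTS, bits)))
             for bits in product((0, 1), repeat=4)}
    return {bits: (p.numerator, p.denominator) for bits, p in probs.items() if p}

def sampled_vectors_all_legal(n=500, seed=7):
    rng = random.Random(seed)                  # Property 1 checked empirically on walk() output
    return all(qualified_constraint({"reset": 0, **walk(CONSTRAINT, {"reset": 0}, PROBS, rng)})
               for _ in range(n))
```

Under reset=0 the root weight comes out as 5/12 and the four legal vectors get 3/25, 4/25, 6/25 and 12/25, matching Table 5.3; under reset=1 all sixteen vectors are possible with the plain product of input probabilities, which is the “all inputs are possible” case described above. The check in walk() on the terminal reached is the Theorem 5.1 test in operational form: a dead-end state aborts generation rather than triggering a backtracking search.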
5.5 Implementation Issues
In this section, we discuss issues regarding the efficiency of the algorithm, in particular, the size of the constraint BDDs. We also describe an implementation of the algorithm in a commercial simulator.
5.5.1 Variable Ordering
As we have seen in the previous sections, the p-tree algorithm takes time and space linear in the size of the constraint BDD; therefore, minimizing the BDD size is of great interest to us.
We cannot avoid mentioning BDD variable ordering, which we have shown in the introduction chapter can have a dramatic effect on BDD size, sometimes making an exponential-vs-linear complexity difference. Similar cases are abundant in hardware constraints; for example, in
$constraint((st != 2’b11) ? (attr == PREVattr) : 1);
if all the variables in “attr” occur before the ones in “PREVattr”, the equation would give a BDD with a size exponential in the width of “attr”, whereas an interleaved ordering of the two would result in a linear size.
We developed heuristics which identify constructs such as the above to obtain a “good” initial order. In many cases we observed that sticking to this initial order, rather than dynamically reordering the variables, renders faster and leaner execution of our algorithm.
5.5.2 Constraint Partitioning
When there is a large number of constraints, forming the conjunction BDD can be very expensive, for two reasons: (1) the computation blows up because of large intermediate BDDs; (2) the large conjunction BDD can slow down vector generation. SymGen partitions the constraint BDDs into groups with disjoint input variable support using the following procedure:
1. for each input variable, create a group
2. for each constraint depending on a variable, add the constraint to the variable’s group
3. merge all groups that share a common constraint until each constraint appears in at most one group
4. for each constraint that is not in any group yet, add it to a new group. Observe that these constraints should depend only on state variables
The p-tree algorithm can then be applied to each group separately. The soundness of p-tree under constraint partitioning is guaranteed by the following theorem:
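The four partitioning steps above amount to a union-find over constraints keyed by shared input variables. The Python function below is an added example, not SymGen's code; the constraint descriptions and names (c1 … c6, the inputs a … f, the states st and mode) are constructed for illustration, and a second function checks the property the partition is required to have.

```python
"""Disjoint-input-support constraint partitioning, following the four steps of Section 5.5.2.
A constraint is described by the set of input variables and the set of state variables it
depends on; only shared input variables force two constraints into the same group.
Added example, not SymGen's code."""

def partition_constraints(constraints):
    """constraints: name -> (input variables, state variables).
    Returns the groups as a sorted list of sorted name tuples."""
    parent = {name: name for name in constraints}     # union-find over constraint names

    def find(a):
        while parent[a] != a:
            parent[a] = parent[parent[a]]             # path halving
            a = parent[a]
        return a

    # steps 1-2: one group per input variable, each constraint joins the groups of its inputs
    by_input = {}
    for name, (inputs, _states) in constraints.items():
        for var in inputs:
            by_input.setdefault(var, []).append(name)
    # step 3: merge groups that share a constraint until each constraint is in at most one group
    for members in by_input.values():
        for other in members[1:]:
            ra, rb = find(members[0]), find(other)
            if ra != rb:
                parent[rb] = ra
    # step 4: constraints with no input variable were never merged and end up in their own group
    groups = {}
    for name in constraints:
        groups.setdefault(find(name), []).append(name)
    return sorted(tuple(sorted(g)) for g in groups.values())

def input_supports_disjoint(constraints, groups):
    """The property the partition must have: group input supports are pairwise disjoint."""
    supports = [set().union(*(constraints[n][0] for n in g)) for g in groups]
    return all(supports[i].isdisjoint(supports[j])
               for i in range(len(supports)) for j in range(i + 1, len(supports)))

# Constructed example: c1/c2 chain through input b, c3/c5 through d, c4 depends on state only
# (step 4), c6 is alone; c1 and c3 share the state variable st, which does not merge them.
EXAMPLE = {
    "c1": ({"a", "b"}, {"st"}),
    "c2": ({"b", "c"}, set()),
    "c3": ({"d"}, {"st"}),
    "c4": (set(), {"st", "mode"}),
    "c5": ({"d", "e"}, set()),
    "c6": ({"f"}, set()),
}

if __name__ == "__main__":
    print(partition_constraints(EXAMPLE))   # [('c1', 'c2'), ('c3', 'c5'), ('c4',), ('c6',)]
```

Grouping by input support only is what Theorem 5.4 below relies on: a state variable shared between two groups is harmless, because Weight follows the same current state in every group, whereas a shared input would make the partial vectors dependent on each other.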
Theorem 5.4 Let C be a set of constraints, $C_1, \ldots, C_n$ the disjoint-input-support partition of C, and $\sigma_1, \ldots, \sigma_n$ the corresponding partial vectors generated by applying p-tree to $C_1, \ldots, C_n$. Let $\sigma$ denote the concatenation $\sigma_1.\sigma_2 \ldots \sigma_n$. Then under any state, the probability of generating $\sigma_1$, $\sigma_2$, …, and $\sigma_n$ is equal to the constrained probability of generating $\sigma$ from C.
Proof: Let s be the state. Let f be the conjunction of all constraints, and $f^1, \ldots, f^n$ the conjunctions of constraints in the groups. Hence,
$$f = \bigwedge_{i=1}^{n} f^i$$
… since $f^i$ and $f^j$ where $i \neq j$ have disjoint input supports, $\sigma \in f^i_s \wedge \sigma \in f^j_s$ iff $\sigma_i \in f^i_s \wedge \sigma_j \in f^j_s$ …
Therefore, we have proved Equation 5.6 for the case n = 2. Since $f^1 \wedge f^2$ and $f^i$ for $i > 2$ again have disjoint input supports, by induction, Equation 5.6 holds for all n.
Equation 5.6 implies that … 0; therefore, an illegal state in f is also an illegal state in the partition and vice versa. So in both cases, for the same set of illegal states, the probabilities for all (illegal) vectors are 0.
Now consider legal vectors. From Definition 5.2, we have
$$\prod_{i=1}^{n} w(\sigma_i, s) = w(\sigma, s),$$
where $w(\sigma, s)$ denotes the weight of the vector $\sigma$ under s. So when s is a legal state, dividing each side of the above equation by the corresponding root weight, using Equation 5.6, gives
$$\prod_{i=1}^{n} \frac{w(\sigma_i, s)}{\omega(r(f^i), s)} = \frac{w(\sigma, s)}{\omega(r(f), s)},$$
where the left-hand side is the product of probabilities of generating $\sigma_1, \ldots, \sigma_n$ from $C_1, \ldots, C_n$, respectively, and the right-hand side is the probability of generating $\sigma$ from C. Hence the theorem holds also for legal vectors.
5.5.3 The Overall Flow
The p-tree algorithm is implemented as a library function interfaced to the Verilog-XL simulator [27]. After an initialization sequence, the simulator calls p-tree at every clock cycle when it needs a new input vector, for example, right before the rising edge of the clock, and p-tree performs a sequence of tasks, as illustrated in Figure 5.4.
Figure 5.5: SymGen flow chart
Note that procedure Weight is not always necessary in every simulation cycle. In particular, if all state variables occur before the input variables in the constraint BDD and the input probabilities are constants, then it suffices to compute the weights only once at the beginning of the simulation.
Figure 5.5 provides a high level view of SymGen. The Constraint Compiler reads a Verilog [27] model annotated with constraints, and then extracts and compiles the constraints into BDDs which will be used by the Vector Generator. During simulation, the Verilog-XL simulator evaluates input probabilities under the current state at each clock cycle. The Vector Generator then samples the current state and generates an input vector based on the constraint BDDs.
name     total vars   vars in cons   num of cons
block1           76             26            13
block2          178             59            10
block3         1437            153            11
block4          446            175            33
block5          407            297            34
Table 5.4: Statistics of designs
5.6 Results
We present experimental results on industrial designs to which SymGen has already been applied. These designs came with environment constraints developed by the engineers. We report results of experiments on building constraint BDDs for five designs in Section 5.6.1. In Section 5.6.2, we give a case study on one of the designs.
The underlying BDD package is CUDD [45], developed at the University of Colorado. All experiments were conducted on a 233 MHz UltraSPARC-60 machine with 512 MB main memory.
5.6.1 Constraint BDDs
Table 5.4 reports the complexity of our benchmark designs. The BDD variables reported include inputs and latches. Columns 2 through 4 give the total number of BDD variables, the number of variables used in the constraints, and the number of constraints, respectively. Note that block5 has about 300 variables in its constraints.
example   time (sec)   peak nodes   mem (MB)   result nodes
block1           0.0         6312        0.5             54
block2           5.0         5110        3.6            119
block3          26.0         6132        9.3            774
block4         885.5       303534       35.5         110858
block5         727.7       181243       25.0          82405
Table 5.5: Building the constraint BDD without partitioning
The results of building constraint BDDs are shown in Tables 5.5 and 5.6, respectively for cases without and with constraint partitioning. A sifting-based variable reordering [45] was enabled in all experiments with the same setting.
Without partitioning, block4 and block5 each have close to 100k nodes in the result BDD, as shown in Table 5.5. The number of peak intermediate BDD nodes grows over 300k for block4.
Table 5.6 shows the effectiveness of using partitioning. Although the number of constraints varies from 10 to 34 among designs, the average number of constraints per partition is about 3, which is fairly small. As a result, many BDD conjunction operations are avoided, and the total BDD size is reduced. Partitioning gives block1, 2 and 3 some modest improvement, but reduces both time and space complexity for block4 and 5 dramatically. The complexity of the designs (over 1000 variables) and constraints (close to 300 variables), together with the size of the constraint BDDs (less than 2000 nodes), demonstrate that our technique is feasible for medium or even large designs.
example   time (sec)   peak nodes   mem (MB)   result nodes   constraints   partitions
block1           0.0         1022        0.5             43            13            5
block2           4.0         5110        3.4            103            10            7
block3          20.3         6132        8.4            609            11            9
block4          38.0        13286        6.3           1595            33           10
block5          33.4        22484        7.4           1962            34            9
Table 5.6: Building the constraint BDD with partitioning
5.6.2 A Case Study
SymGen was used to construct verification environments for several design blocks. In the following we present its application to a PowerPC™ slave block, namely block5 in the previous subsection.
The first task is to develop the environment constraints according to a specification for the block (including its interface) written in English. Because of the sequential nature of the specification, we needed to introduce auxiliary variables to remember previous input or state values, and to construct abstract state machines of the design. The expressiveness of SymGen constraints is thereby further strengthened.
Conflicts between constraints occur often because of their complexity and the number of constraints involved. In such cases, methods such as prioritization are used to resolve the conflicts. A prioritized constraint looks like the following:
$constraint( st != 2’b11 ? a == PREVa :
             (!b & !c) ? u == PREVu :
             (!b & c & !(e == 0 || e == 4)) ?
                 ((f < 7) & (f > 0)) :
             (t == 0 || t == 4 || t == 7) ?
                 !(z == 6 || z == 5) :
             1 );
Note that PREVa and PREVu are auxiliary variables holding the values of a and u on the previous clock cycle. Because of the comparator “a == PREVa”, an interleaved ordering of the bits of a and PREVa should be used.
The constraints for this block were written in about 2 person-days. The end result was a concise specification of the environment in a 200-line Verilog file, including 34 constraints, the auxiliary variables and abstract state machines. The benefit of constraining cannot be overemphasized. Unconstrained random simulations generally produce false negative results. We also noticed in unconstrained simulations that the X value was constantly generated on tri-state buses, indicating bus contentions, which made the simulations meaningless.
Developing input biasing was mostly straightforward. For instance, we wanted to limit the frequency of external errors when testing the essential functionality of a design. This was expressed as
$setprob1(error, 0.2);
There were also cases where we needed to consider the more involved dynamic biasing. For example, even after we gave static biasing to over a dozen critical input signals, three major state machines stayed mostly idle through trial simulations. After studying the design for about an hour (it should take the original designer much less time), we were able to find a set of dynamic input probabilities that stimulated many more events in active states, such as read and write. The following biasing instructs SymGen to give a much higher input probability to ui in state IDLE, which triggers a transition out of IDLE:
$setprob1(ui, addrstate == IDLE ? 0.9, 0.5);
We wrote a few dynamic biasing commands for each of the state machines. Note that we did not use constraints to express the condition, because “leaving” the idle state is not a mandatory action; it just serves our test purpose. Also, using input biasing instead of constraints can avoid potential constraint contradictions, because the constraints take priority over input probabilities.
Of course, in general, state transitions are controlled by both state and inputs, and justifying an enable condition can be a very hard problem. However, with the help of automatic tools such as SymGen, this problem can be lessened. Table 5.7 shows the effect of biasing on the number of active states (of three major state machines) visited during simulations of 1000 cycles each. The dynamically biased simulation increased the coverage 130 times over that of the unbiased simulation.
Simulations usually run with monitoring processes, or dump the results to log files for post-processing. Table 5.8 summarizes the run time overhead of SymGen on block5, with partitioned constraint BDDs and dynamic biasing. All simulations ran for 10000 cycles each. Rows 2 to 5 respectively represent the simulations with pure random generation, stand-alone SymGen, SymGen with Verilog dump, and with property monitoring. It can be seen that the overhead of SymGen is fairly low.
biasing   idle states   active states   total (sec)
none             2977              14           6.8
static           2179             811           6.2
dynamic          1073            1918           6.3
Table 5.7: Result of biasing
setting      overall (sec)   SymGen overhead
random                44.9                 –
SymGen                48.2             21.3%
w. dump               63.6             16.0%
w. monitor           635.6              1.7%
Table 5.8: Overhead of SymGen
In this specific example, SymGen, together with a simulation monitoring tool, discovered 30 design bugs, which basically fell into two categories:
1. Bugs caught because the design entered a state where no legal input was possible. This implies the design has violated the constraints.
2. Bugs caught because the design entered an illegal state. This is usually manifested as property violations.
5.7 Summary
We have described an automated simulation-vector generation method. Constraints are used to generate legal vectors which are influenced by input biasing. Both constraints and biasing can depend on the state of the design, thus providing robust environment modeling capability. The implementation, SymGen, is based on an efficient symbolic algorithm which does not backtrack in solving the constraints. The effectiveness of SymGen is demonstrated in its application to commercial design verification.
Before the conclusion of this chapter, we would like to briefly mention our experiment in extending the biasing method in SymGen, which is based upon the probabilities of individual inputs. We looked at a more general biasing given by event probabilities, which fix Pr(Event) to a given value, where Event is a characteristic function defining a set, for example, In_a == In_b. Unfortunately, Koller and Megiddo [68] showed that the problem of deciding whether there exists any distribution satisfying a set of event probabilities is NP-hard. We described in [113] a decision procedure using linear programming (LP), which gives a distribution, if it exists, with a minimum number of positive LP variables. However, the number of variables in the worst case can be exponential in the number of event probabilities. In [114] we reported a method of directed simulation using event probabilities without actually solving them. In that case, we extracted a finite state machine (FSM) for each desired property, and treated each state transition as an event. The probability of each transition is dynamically assigned depending on the current state, i.e., the transitions that are most likely to lead to the “bad” state in the FSM are given high probabilities. Experimental results showed that when a transition is possible, SymGen with the new biasing method has a very high probability of generating a
Any constraint-based programming will have to deal with the diagnosis of conflicting constraints, which has been well studied in many research disciplines, for example, in artificial intelligence [36]. In this chapter, we will focus on a problem unique to our application, that is, constraint conflicts conditioned upon the state of the design.
Recall from Section 5.4.1 that a zero weight of the root node of the constraint BDD indicates that the design has entered an illegal state, i.e., one for which there is no input assignment satisfying the constraint. In constraint diagnosis, we refer to such states as dead-end states (DES), since the simulation cannot proceed upon entering them. DES is a practical problem in constraint writing and has implications for the behavior of the design, thus meriting a closer look. Our constraint diagnosis will focus on DES.
A free-input design can be modeled as a Kripke structure wherein every state has a next state. Environment constraints modify design behavior by truncating transitions prohibited by the constraints, giving rise to states (DESs) that do not have any next states. Although in our definition a DES is a property of, and can be derived statically from, a constraint, not all DESs automatically warrant debugging since some of them may be unreachable. Computation of the exact set of reachable states, however, is intractable for most designs of interest; therefore, the reachability information in constraint diagnosis is usually given as an approximation, e.g., as assertions or invariants on important control signals, or by approximate reachability analysis [86]. Should DESs ruled out by reachability assertions be encountered in simulation, we have an indication that the design is malfunctioning under the constraints.
Ideally, environment constraints should not produce any DESs, or all DESs should be covered by “known” unreachable states. More often than not, however, this is not the case and the designer either has to modify the constraints or be prepared to catch and debug DESs on-the-fly during simulation.
6.2 Static Analysis of DESs
Let f(X, Y) be a constraint over the set of input variables X and state variables Y; then the set of DESs of f, denoted by its characteristic function D(f), is computed as
$$D(f) = \forall X(\bar f) \qquad (6.1)$$
which is a direct derivation of the definition of DES. It follows that DESs of one constraint are also DESs of the conjunction of all the constraints:
$$D\Big(\bigwedge_{j} f_j\Big) = \forall X(\bar f_1 + \cdots + \bar f_n) \supseteq \forall X(\bar f_i), \quad 1 \le i \le n.$$
Also, in a disjoint-input-support partition of constraints, the DESs of all constraints is the union of the DESs of all the components in the partition:
$$D\Big(\bigwedge_{j} f_j\Big) = \forall X(\bar f_1 + \cdots + \bar f_n) = \forall X_1(\bar f_1) + \cdots + \forall X_n(\bar f_n) = \forall X(\bar f_1) + \cdots + \forall X(\bar f_n) = D(f_1) + \cdots + D(f_n)$$
Suppose we have a set of assertions on reachable states and we consider only the DESs that are not covered by these assertions. From Lemmas 6.1 and 6.2, if we “eliminate” DESs from each constraint, and from each component of the partition, then the resulting constraints are DES-free. Since eliminating DESs is essentially the problem of resolving constraint conflicts, we describe a straightforward approach that does this by relaxing the constraints, as stated in the following lemma.
Lemma 6.3 Let f be a constraint, d a subset of D(f), and X the set of input variables. Then
1. $D(f + c) \subseteq D(f)$, and
2. $D(f) - D(f + c) = d$ for all c such that $\exists X(c) = d$.
Proof: Since
$$D(f + c) = \forall X(\overline{f + c}) = \forall X(\bar f)\cdot\forall X(\bar c) = D(f)\cdot\forall X(\bar c),$$
therefore $D(f + c) \subseteq D(f)$, and
$$D(f) - D(f + c) = D(f)\cdot\overline{\forall X(\bar c)} = D(f)\cdot\exists X(c) = D(f)\cdot d = d.$$
The above lemma shows that a subset d of the DESs of f can be removed by relaxing f to f + c, where c allows some input assignments for every state in d. Further, the relaxation does not introduce new DESs.
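Equation 6.1, the two lemmas on conjunctions, and Lemma 6.3 can be checked directly on a small constraint by enumerating inputs and states. The Python program below is an added example, not the dissertation's code: the constraints f1 and f2, their variables (cmd0, cmd1, busy, lock, mode, halt) and the relaxing constraint c are constructed for the example, and explicit sets of state assignments stand in for the BDD quantification the chapter uses.

```python
"""Dead-end states (DESs) of a constraint by static analysis (Equation 6.1), the two lemmas on
conjunctions, and DES removal by relaxation (Lemma 6.3). A constraint is a predicate f(x, y) over
an input assignment x and a state assignment y; the small variable sets are enumerated explicitly.
Added example; all constraints and variables below are constructed, not taken from the thesis."""
from itertools import product

INPUTS = ["cmd0", "cmd1"]                   # constructed: a 2-bit command input
STATES = ["busy", "lock", "mode", "halt"]   # constructed: four state bits

def assignments(names):
    """All 0/1 assignments to names, as dicts."""
    for bits in product((0, 1), repeat=len(names)):
        yield dict(zip(names, bits))

def _key(y):
    return tuple(y[s] for s in STATES)

def dead_end_states(f):
    """D(f) = forall X . not f (Equation 6.1): the states under which no input satisfies f."""
    return frozenset(_key(y) for y in assignments(STATES)
                     if not any(f(x, y) for x in assignments(INPUTS)))

def exists_inputs(c):
    """exists X . c : the states under which some input satisfies c."""
    return frozenset(_key(y) for y in assignments(STATES)
                     if any(c(x, y) for x in assignments(INPUTS)))

def conj(f, g):
    return lambda x, y: f(x, y) and g(x, y)

def relax(f, c):
    """Lemma 6.3: f + c removes exactly the DESs in exists X . c and adds none."""
    return lambda x, y: f(x, y) or c(x, y)

# f1 depends on cmd0 only and f2 on cmd1 only: disjoint input supports.
def f1(x, y):   # busy forces cmd0 = 1 and lock forces cmd0 = 0: unsatisfiable when both are set
    return (not y["busy"] or x["cmd0"] == 1) and (not y["lock"] or x["cmd0"] == 0)

def f2(x, y):   # mode forces cmd1 = 1 and halt forces cmd1 = 0
    return (not y["mode"] or x["cmd1"] == 1) and (not y["halt"] or x["cmd1"] == 0)

def lemma_6_1_holds():
    """DESs of one constraint are DESs of the conjunction of all constraints."""
    d = dead_end_states(conj(f1, f2))
    return dead_end_states(f1) <= d and dead_end_states(f2) <= d

def lemma_6_2_holds():
    """With disjoint input supports, the DESs of the conjunction are the union of the parts' DESs."""
    return dead_end_states(conj(f1, f2)) == dead_end_states(f1) | dead_end_states(f2)

def relaxation_result(restrict_to_mode=False):
    """Relax f1 by a c whose exists X . c is d = D(f1) (or only the half of D(f1) with mode = 1).
    Returns (|D(f1)|, |D(f1 + c)|, D(f1 + c) subset of D(f1), D(f1) - D(f1 + c) == d)."""
    def c(x, y):    # c allows every input in the chosen states, so exists X . c = d
        return bool(y["busy"] and y["lock"] and (y["mode"] or not restrict_to_mode))
    d, before = exists_inputs(c), dead_end_states(f1)
    if not d <= before:
        raise ValueError("d must be a subset of D(f1)")
    after = dead_end_states(relax(f1, c))
    return len(before), len(after), after <= before, (before - after) == d
```

On the constructed constraints f1 has the four dead-end states with busy = lock = 1, f2 the four with mode = halt = 1, and their conjunction has the seven states in the union, as the disjoint-support lemma predicts. Relaxing f1 with c = busy·lock empties D(f1); relaxing with c = busy·lock·mode removes exactly the two states where mode = 1 and leaves the other two, which is the subset-by-subset removal Lemma 6.3 describes.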
6.3 Dynamic Methods
In the static analysis, DESs that are not covered by the reachability assertions
are dealt with by relaxing the constraints. However, eliminating DESs, in
whatever manner, has to preserve the validity of the constraints as a correct
model of the environment; when the constraints or the design are complex
enough, eliminating all DESs can be an insurmountable task. Thus in reality, many
DESs are left unresolved in the hope that they are not reachable by the design. This
assumption, as well as the reachability assertions, however, needs to be validated in
the execution of the design.
A naive approach is reachability analysis by model checking on the
design whose transition relation and initial states are modified by the constraints.
However, the approach can be computationally expensive.
A reasonable approach is to turn to the static analysis and DES removal,
and then detect the remaining DESs on-the-fly during simulation. As shown in
Theorem 5.1, Chapter 5, the current state is a DES iff the weight of the root node
of the constraint BDD is zero. Because of constraint partitioning, this detection
conveniently localizes the problem to the current group of constraints that is being
processed by the p-tree algorithm. Furthermore, a minimal conflicting set within the
group can be obtained, in the usual way, by forming the conjunction of constraints in
subsets of the group of increasing cardinality, until an empty conjunction is found.
Of course, the constraints are first simplified by substituting in the DES.
There are two scenarios for the treatment of the conflicting constraints detected
this way.
1. If the DES is allowed by the reachability assertions, then the constraints need
to be relaxed.
2. If the DES is precluded by the reachability assertions, then either the design
contains a bug, or the constraints are too loose, allowing the design to enter
this DES, in which case the constraints need to be “tightened”.
Whereas the relaxation can be done relatively simply as given in Lemma 6.3,
tightening constraints to avoid a DES is much more involved and heuristic in nature,
because the fix must eliminate all transitions that lead to the DES while not overdoing
it and incurring new DESs. The topic merits separate research and is outside the
scope of this dissertation.
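The relaxation of Lemma 6.3 and the on-the-fly DES checks of Section 6.3, as an added Python example that is not part of the dissertation or of SymGen. Constraints are predicates over a constructed two-bit state and two-bit input; $D(f)$ is found by enumeration, $c$ is built so that $\exists X(c) = d$, and the minimal conflicting set is searched by increasing cardinality, as the text describes. The constraints $c_1$ to $c_3$, the witness input and all function names are constructed for this example.

```python
from itertools import combinations, product

# Constructed toy environment: two state bits y = (y1, y2) and two input bits
# x = (x1, x2). A constraint is a predicate over (state tuple, input tuple); its
# onset is the legal state-dependent input space.
STATES = list(product((0, 1), repeat=2))
INPUTS = list(product((0, 1), repeat=2))

def conjoin(constraints):
    """Conjunction of a group of constraints."""
    return lambda y, x: all(c(y, x) for c in constraints)

def is_des(f, y):
    """On-the-fly check: the current state y is a DES iff no input satisfies f."""
    return not any(f(y, x) for x in INPUTS)

def dead_end_states(f):
    """D(f) = forall X (not f): the states under which f admits no input."""
    return frozenset(y for y in STATES if is_des(f, y))

def relax(f, d, witness=(0, 0)):
    """f + c, where c admits the single input `witness` exactly under the states
    in d, so that exists X (c) = d as Lemma 6.3 requires."""
    def c(y, x):
        return y in d and x == witness
    return lambda y, x: bool(f(y, x) or c(y, x))

def minimal_conflicting_set(constraints, y):
    """Indices of the smallest subset of the group whose conjunction is empty
    under the DES y; subsets are tried in order of increasing cardinality."""
    for size in range(1, len(constraints) + 1):
        for subset in combinations(range(len(constraints)), size):
            if is_des(conjoin([constraints[i] for i in subset]), y):
                return subset
    return None

# Constructed group of three constraints: c1 and c2 conflict whenever y1 = 1,
# and c3 rules out every input under the state (0, 0).
c1 = lambda y, x: (not y[0]) or bool(x[0])        # y1 -> x1
c2 = lambda y, x: (not y[0]) or (not x[0])        # y1 -> not x1
c3 = lambda y, x: bool(y[0] or y[1])              # state (0, 0) admits nothing
f = conjoin([c1, c2, c3])

def demo():
    """Resolve the two y1-states by relaxation; returns D(f), D(f + c) and the
    minimal conflicting set found for the DES (1, 1)."""
    before = dead_end_states(f)                     # {(0,0), (1,0), (1,1)}
    d = frozenset(y for y in before if y[0] == 1)   # the DESs chosen for removal
    after = dead_end_states(relax(f, d))
    assert after <= before and before - after == d  # Lemma 6.3, items 1 and 2
    return before, after, minimal_conflicting_set([c1, c2, c3], (1, 1))

if __name__ == "__main__":
    print(demo())
```

The state (0, 0) stays a DES after relaxation because it is not in $d$; the minimal conflicting set for (1, 1) is $\{c_1, c_2\}$, found at cardinality two after the three singletons are seen to be satisfiable.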
Chapter 7
Simplification of Constraint Solving
7.1 Introduction
The complexity of constraint solving can grow arbitrarily due to the highly
combinatorial nature of the task. Therefore, even implicit representations (in our
case, BDDs) have to face the efficiency problem. An immediate step toward
dealing with the problem is disjoint-support partitioning of the constraints, as described
in Chapter 5. In this chapter, we present a technique called hold-constraint
extraction which is aimed at simplifying the constraints and refining the aforesaid
partition.
The technique is based on the observation that variables in hardware constraints
are not homogeneous: state variables, unlike the inputs, are bounded by the
design, and often, some inputs can be fully specified under certain state valuations,
regardless of the values of other inputs. We refer to the kind of constraint wherein
the inputs depend only upon the state variables as the hold-constraint, and the
inference thereof from a constraint as hold-constraint extraction. The name
comes from a more specific example of the mentioned dependency, which occurs
frequently in writing constraints for hardware designs: under certain conditions, an
input variable maintains its value from the previous clock cycle, or is simply fixed
to a constant. A hold-constraint is either instantly solved, assigning constants to its
input variables, or discharged as a tautology. In addition, the disjoint-input-support
partitioning can be further refined due to two facts about the hold-constraints: (1)
they do not need to be conjoined with any other constraints while being solved;
(2) they can be used to simplify the original constraints, and the results often contain
fewer input variables. Experiments applying this simplification in SymGen
on several commercial designs demonstrated significant reduction in the time and
space needed for constructing the conjunction BDDs, and in the time spent in vector
generation during simulation.
It is worth mentioning that hold-constraints by themselves contribute to the
speedup of vector generation since they can assign constant values to input variables
once the state valuation is known. In this regard, the technique is similar to the
derivation of unit clauses in SAT problems [35]. Propagation of constants instantly
simplifies the problem at hand.
We defer a detailed discussion of related work to Section 7.6, in which we
compare hold-constraint extraction to a special type of functional decomposition.
It is shown that our technique subsumes existing decomposition methods that are
potentially useful in extracting hold-constraints.
The rest of the chapter is structured as follows: Section 7.2 gives the preliminaries
on hold-constraint extraction. In Section 7.3 we briefly describe a syntactical
extraction algorithm. A procedure for complete functional extraction of hold-constraints,
and how they are used to simplify the original constraints, is given in
Section 7.4. Related work is discussed in Section 7.6. We report experimental
results in Section 7.7 and summarize in Section 7.8.
7.2 Preliminaries
Definition 7.1 A constraint is a Boolean function $\{0, 1\}^{m+n} \mapsto \{0, 1\}$ defined over
input variables $X = \{x_1, \ldots, x_n\}$ and state variables $Y = \{y_1, \ldots, y_m\}$.
As described in Chapter 5, the onset of a constraint represents the legal
state-dependent input space regarding this constraint. The overall legal input space
is the intersection of the onsets of all the constraints. In the sequel, we frequently
use $f$, $g$, $h$, $k$ and $e$ as function symbols, $y$ as a state variable, $s_i$, $s_j$ as states, i.e.,
minterms of state variables, $S$ as a set of states, and $x$, $v$ as input variables.
Definition 7.2 An input variable $x$ in the support of $f$ is positively (resp. negatively)
bounded with respect to a set of states $S$ if in all minterms of $f$ on $S$, $x$
evaluates to 1 (resp. 0).
More intuitively, $x$ is positively bounded with respect to $S$ if $f \to (S \to (x = 1))$,
and $x$ is negatively bounded with respect to $S$ if $f \to (S \to (x = 0))$.
Definition 7.3 A hold-constraint on input variable $x$ is a constraint $e(x, Y)$ in which
$x$ is positively or negatively bounded with respect to a nonempty set of states.
All hold-constraints can be written in the following normal form:
$k \to (x = g)$ (7.1)
where $x$ is the input variable, and $k$, $g$ are Boolean functions depending only on $Y$
(the state variables), which we call the condition and assignment, respectively. Note
both $k$ and $g$ can be constants, with the exception that $k$ cannot be 0.
We can infer a hold-constraint $k \to (x = g)$ from $f$ iff the following implication
requirement is met:
$f \to (k \to (x = g))$ (7.2)
However, it immediately comes to mind that an arbitrary hold-constraint
can meet the requirement as long as the condition $k$ does not overlap $f$. For a
meaningful inference, we must also enforce the nonvacuousness requirement:
$f \cdot k \neq 0$ (7.3)
Definition 7.4 A hold-constraint $k \to (x = g)$ is extractable from constraint $f$ if
the two satisfy the implication and nonvacuousness requirements.
In the coming sections, we present how hold-constraints can be extracted
syntactically and functionally.
7.3 Syntactical Extraction
Syntactical hold-constraint extraction consists of two phases: the decomposition
phase, in which the constraints are conjunctively decomposed, and the
matching phase, in which each of the conjuncts is checked to see if it transforms to
a hold-constraint in the normal form.
The syntactical extraction algorithm proceeds as follows:
1. Conjunctively decompose the constraint according to the decomposition rules
2. For each conjunct $f$, begin
3. If $f$ does not match a pattern that is transformable to a disjunction $\overline{k} + h$, go to
step 2
4. If $\overline{k}$ depends on input variables, swap $\overline{k}$ and $h$
5. If $\overline{k}$ depends on input variables, go to step 2
6. If $h$ matches a pattern that is transformable to $x = g$, where $x$ is an input
variable and $g$ does not depend on input variables, then add $k \to (x = g)$ to
the hold-constraint set, and remove $f$ from the set of conjuncts
7. End
The above extraction procedure satisfies the implication and nonvacuousness
requirements. Its time and space complexities are both linear in the size of the
constraint formulas. However, it is incomplete due to the limitations imposed by
the finite sets of rules and patterns.
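The two-phase procedure above, as an added Python example; it is not the dissertation's implementation. Formulas are nested tuples in a syntax constructed for the example, the only decomposition rule is splitting a conjunction into its conjuncts, and the matching phase recognises a fixed set of patterns (`or`, `imp`, and `x`, `not x`, `x = g` on the assignment side), which is exactly the kind of finite pattern set that makes the method incomplete. The input formula is equation (7.15) of this chapter with one extra conjunct, constructed here.

```python
# Constructed formula syntax: a variable is a str (state variables start with 'y',
# input variables with 'x'); connectives are tuples:
#   ('not', a)   ('and', a, b, ...)   ('or', a, b)   ('imp', a, b)   ('eq', a, b)
INPUT_PREFIX = 'x'

def variables(t):
    if isinstance(t, str):
        return {t}
    if isinstance(t, tuple):
        return set().union(*(variables(a) for a in t[1:]))
    return set()                       # constants 0 / 1

def depends_on_inputs(t):
    return any(v.startswith(INPUT_PREFIX) for v in variables(t))

def negate(t):
    """Negation with double negations cancelled."""
    if isinstance(t, tuple) and t[0] == 'not':
        return t[1]
    return ('not', t)

def decompose(t):
    """Decomposition phase: the only rule used here splits a conjunction into
    its conjuncts, recursively."""
    if isinstance(t, tuple) and t[0] == 'and':
        return [c for a in t[1:] for c in decompose(a)]
    return [t]

def as_disjunction(t):
    """Step 3: patterns transformable to a two-way disjunction (not k) + h."""
    if isinstance(t, tuple) and t[0] == 'imp':      # a -> b  is  (not a) + b
        return negate(t[1]), t[2]
    if isinstance(t, tuple) and t[0] == 'or' and len(t) == 3:
        return t[1], t[2]
    return None

def as_assignment(h):
    """Step 6: h transformable to x = g, x an input, g free of inputs.
    Recognised: x (g = 1), not x (g = 0), (x = g) and (g = x)."""
    if isinstance(h, str) and h.startswith(INPUT_PREFIX):
        return h, 1
    if isinstance(h, tuple) and h[0] == 'not' and isinstance(h[1], str) \
            and h[1].startswith(INPUT_PREFIX):
        return h[1], 0
    if isinstance(h, tuple) and h[0] == 'eq':
        for x, g in ((h[1], h[2]), (h[2], h[1])):
            if isinstance(x, str) and x.startswith(INPUT_PREFIX) \
                    and not depends_on_inputs(g):
                return x, g
    return None

def syntactic_extract(formula):
    """Returns (hold_constraints, remaining_conjuncts); a hold-constraint is the
    triple (k, x, g) standing for k -> (x = g) in the normal form (7.1)."""
    holds, remaining = [], []
    for f in decompose(formula):                  # steps 1-2
        d = as_disjunction(f)
        if d is None:                             # step 3: no matching pattern
            remaining.append(f)
            continue
        not_k, h = d
        if depends_on_inputs(not_k):              # step 4: swap the two sides
            not_k, h = h, not_k
        if depends_on_inputs(not_k):              # step 5: no input-free side
            remaining.append(f)
            continue
        a = as_assignment(h)
        if a is None:
            remaining.append(f)
            continue
        x, g = a                                  # step 6: record k -> (x = g)
        holds.append((negate(not_k), x, g))
    return holds, remaining

# Constructed input: equation (7.15) of the text, (y1 + x1)(y2 x2 + x1), conjoined
# with a third conjunct (y1 y2) -> (x2 = y1) that is already in normal form.
F = ('and', ('or', 'y1', 'x1'),
            ('or', ('and', 'y2', 'x2'), 'x1'),
            ('imp', ('and', 'y1', 'y2'), ('eq', 'x2', 'y1')))

if __name__ == "__main__":
    print(syntactic_extract(F))
```

On `F` the first conjunct yields $\overline{y_1} \to x_1$ and the third yields $y_1 y_2 \to (x_2 = y_1)$; the second conjunct has input variables on both sides of the disjunction and is left in the set of conjuncts, which is the incompleteness the text refers to.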
7.4 Functional Extraction
7.4.1 Condition and Extraction
We begin the description of a complete functional extraction with the recognition
of prime hold-constraints.
Definition 7.5 A hold-constraint $k \to (x = g)$ is said to be prime if $g$ is a constant,
and the onset of $k$ is a singleton, i.e., contains exactly one state.
The following lemma follows from Definitions 7.2 and 7.5.
Lemma 7.1 For any constraint $f$, for every input variable $x$ and state $s_i$ such that $x$
is bounded in $f$ with respect to $\{s_i\}$, the prime hold-constraint below is extractable
from $f$:
$s_i \to (x = b_i)$
where $b_i$ is 1 if $x$ is positively bounded, and 0 otherwise.
The theorem below indicates that the conjunction of the prime hold-constraints
obtained as in Lemma 7.1 on an input variable is a hold-constraint on the same variable,
and the converse is also true.
Theorem 7.1 The conjunction of a set of prime hold-constraints on $x$ with mutually
exclusive conditions is a hold-constraint, and vice versa. That is,
$\bigwedge_{i=1}^{l} (s_i \to (x = b_i)) \Leftrightarrow k \to (x = g)$ (7.4)
where $s_i \wedge s_j = 0$ for $i \neq j$, $b_i \in \{0, 1\}$. Furthermore, $k$ and $g$ can be derived from
the prime hold-constraints as
$k = \bigvee_{i=1}^{l} s_i, \quad g \in [g_{on}, \overline{g_{off}}], \quad g_{on} = \bigvee_{i=1}^{l} (b_i \cdot s_i), \quad g_{off} = \bigvee_{i=1}^{l} (\overline{b_i} \cdot s_i),$ (7.5)
and the prime hold-constraints can be derived from $k$ and $g$ as in the set
$\{(s_i, b_i) \mid 1 \leq i \leq |k|,\ s_i \in k,\ b_i = g_{s_i}\},$ (7.6)
where $|k|$ is the number of minterms in the onset of $k$.
Proof: We prove the theorem by showing that, for both derivations, the valuations
of the two sides of the equivalence in (7.4) under any state are equal.
Denote the state by $s_j$. If $s_j \notin k$, the theorem holds since both sides of (7.4)
$\left(\bigwedge_{i=1}^{l} (s_i \to (x = b_i))\right)_{s_j} = (x = b_j),$ (7.7)
$(k \to (x = g))_{s_j} = (x = g_{s_j}).$ (7.8)
Now for the derivation in (7.5), if $b_j = 1$, then $s_j \in g_{on}$ and $g_{s_j} = 1$, therefore
both (7.7) and (7.8) evaluate to $x = 1$; similarly, if $b_j = 0$, then $s_j \in g_{off}$ and $g_{s_j} = 0$,
therefore both (7.7) and (7.8) evaluate to $x = 0$.
For the derivation in (7.6), if $g_{s_j} = 1$, then $b_j = 1$, therefore both (7.7) and
(7.8) evaluate to $x = 1$; similarly, if $g_{s_j} = 0$, then $b_j = 0$, therefore both (7.7) and
(7.8) evaluate to $x = 0$.
Because $f$ implies, and intersects with, the condition of every prime hold-constraint
on $x$ as obtained in Lemma 7.1, it must also imply the conjunction of
the said prime hold-constraints and intersect with the union of the said conditions.
Therefore, if all of the prime hold-constraints are extractable from $f$, the hold-constraint
conjunctively constructed in Theorem 7.1 is also extractable from $f$.
Now we derive the procedure that actually “computes” the construction in
Theorem 7.1. By abuse of notation, we denote the set difference operator by “$-$”,
and the set of input variables $X - \{x\}$ by $x'$. The following is true for any constraint
$f$:
1. $(\exists x' f)_x - (\exists x' f)_{\overline{x}}$ is the set of all the states with respect to which $x$ is
positively bounded
2. $(\exists x' f)_{\overline{x}} - (\exists x' f)_x$ is the set of all the states with respect to which $x$ is
negatively bounded
The union of the above two disjoint state sets is the Boolean differential denoted
by $\partial(\exists x' f)/\partial x$ (ref. Section 2.1, Chapter 2). The conjunction of the prime
hold-constraints conditioned on this set is the complete hold-constraint on $x$, since
it includes all the states for which $x$ is bounded. The derivation of such a hold-constraint
is formalized in the theorem below, which follows naturally from Theorem 7.1
and the above analysis.
Theorem 7.2 The complete hold-constraint of $f$ on $x$ is $k \to (x = g)$, where
$k = \frac{\partial(\exists x' f)}{\partial x}, \quad g \in [g_{on}, \overline{g_{off}}], \quad g_{on} = k \cdot (\exists x' f)_x, \quad g_{off} = k \cdot (\exists x' f)_{\overline{x}}.$
Any function $\Phi$ such that $\Phi(g, c) \cdot c = g \cdot c$ can be used to select a $g$ from
the interval $[g_{on}, \overline{g_{off}}]$ for the above extraction. Note the careset $c = g_{on} + g_{off} = k$.
We choose the BDD Restrict function [34, 76, 99] since it is efficient, usually
decreases the BDD size, and does not introduce new variables from the careset into the
result.
Note the careset for $x = g$ is also $k$ due to the hold-constraint. However,
since $k \subseteq \exists X f$, function $g$ does not need to be simplified with respect to $f$.
It is clear that the above extraction is unique with respect to $x$ and $f$ up to the
selection of $\Phi$. Although the extraction is complete, the BDD representation of $k$
can still be optimized with regard to $f$ using BDD Restrict. Since $k \subseteq \exists X f$, and due
to properties of BDD Restrict, the onset of $k$ can only increase in the optimization, and
the increment only comes from $\overline{f}$. Thus the only side effect is the addition of “vacuous”
prime hold-constraints, which does not destroy the completeness property of the
extraction.
7.4.2 Constraint Simplification
A hold-constraint can be used to simplify the constraint from which it is
extracted by applying the conditional substitution, as defined below.
Definition 7.6 Let $e$ be a hold-constraint $k \to (x = g)$. The conditional substitution
of $e$ on a Boolean function $f$, written $\sigma(f, e)$, is
$\sigma(f, e) = k \cdot f_{x:=g} + \overline{k} \cdot f$
where $f_{x:=g}$ is the substitution of variable $x$ with function $g$.
Conditional substitution often simplifies a function and removes the variable
being substituted. For example, let $f = y + x + v$ and $e := \overline{y} \to \overline{x}$. Then
$\sigma(f, e) = \overline{y} \cdot (y + v) + y \cdot (y + x + v) = y + v$. On the other hand, BDD Restrict,
although widely used as a simplification function, is sensitive to variable ordering
and may not improve the result: if $x$ is the top variable, then restricting $f$ on $e$
returns $f$ itself.
It turns out the conditional substitution is a careset optimization function
(i.e., a function $\Phi(f, g)$ that returns a function that agrees with the function $f$ everywhere
in the careset $g$), just like BDD Restrict [34], but insensitive to variable
ordering. It also possesses other nice properties:
Property 1: $\sigma(f, e) \cdot e = f \cdot e$, i.e., $\sigma(f, e)$ is a function equal to $f$ over the careset
$e$.
Property 2: $\sigma(f, e)$ decreases the “diversity” of $x$ in $f$, i.e., $\partial f/\partial x$, by the amount
$k$. This implies that $\sigma(f, e)$ is independent of $x$ iff $k \supseteq \partial f/\partial x$.
Property 3: If $\sigma(f, e)$ is independent of $x$ and $f \to e$, then $\sigma(f, e) = \exists x f$.
Property 4: If there exists a careset optimization function $\Phi(f, e)$ that does not
depend on $x$, then it must be $\sigma(f, e)$.
Note the last property makes conditional substitution a better choice than BDD
Restrict in regard to input variable removal.
In the following, we give proofs of the above properties. We assume $e :=
k \to (x = g)$ to be the hold-constraint and $f$ another constraint.
Proof of Property 1: We need to prove
$e \cdot \sigma(f, e) = f \cdot e$ (7.9)
First we compute the two sides of the above equation. The left-hand side is
$e \cdot \sigma(f, e) = (k \to (x = g)) \cdot (k \cdot f_{x=g} + \overline{k} \cdot f)$
$= (\overline{k} + (x = g)) \cdot (k \cdot f_{x=g} + \overline{k} \cdot f)$
$= \overline{k} \cdot f + k \cdot f_{x=g} \cdot (x = g),$
while the right-hand side is
$f \cdot e = f \cdot (k \to (x = g))$
$= f \cdot (\overline{k} + (x = g))$
$= f \cdot (\overline{k} + k \cdot (x = g))$
$= \overline{k} \cdot f + k \cdot f \cdot (x = g).$
Then, for Equation (7.9) to hold, we only need to prove
$f_{x=g} \cdot (x = g) = f \cdot (x = g)$ (7.10)
which can be done again by expanding the two sides. Since the left-hand side is
$f_{x=g} \cdot (x = g) = (x \cdot f_x + \overline{x} \cdot f_{\overline{x}})_{x=g} \cdot (x = g)$
$= (g \cdot f_x + \overline{g} \cdot f_{\overline{x}}) \cdot (x \cdot g + \overline{x} \cdot \overline{g})$
$= x \cdot g \cdot f_x + \overline{x} \cdot \overline{g} \cdot f_{\overline{x}},$
and the right-hand side is
$f \cdot (x = g) = (x \cdot f_x + \overline{x} \cdot f_{\overline{x}}) \cdot (x = g)$
$= (x \cdot f_x + \overline{x} \cdot f_{\overline{x}}) \cdot (x \cdot g + \overline{x} \cdot \overline{g})$
$= x \cdot g \cdot f_x + \overline{x} \cdot \overline{g} \cdot f_{\overline{x}},$
therefore, Equation (7.10) holds, and consequently Equation (7.9) holds.

Proof of Property 2: First, we prove two lemmas: let $g$ and $h$ be two constraints, where $g$ does not depend on $x$. Then
$\frac{\partial(g + h)}{\partial x} = \overline{g} \cdot \frac{\partial h}{\partial x} \quad \text{and} \quad \frac{\partial(g \cdot h)}{\partial x} = g \cdot \frac{\partial h}{\partial x}.$
The lemmas are proved as follows:
$\frac{\partial(g + h)}{\partial x} = (g + h)_x \cdot \overline{(g + h)_{\overline{x}}} + \overline{(g + h)_x} \cdot (g + h)_{\overline{x}}$
$= (g + h_x) \cdot \overline{(g + h_{\overline{x}})} + \overline{(g + h_x)} \cdot (g + h_{\overline{x}})$
$= (g + h_x) \cdot \overline{g} \cdot \overline{h_{\overline{x}}} + \overline{g} \cdot \overline{h_x} \cdot (g + h_{\overline{x}})$
$= \overline{g} \cdot h_x \cdot \overline{h_{\overline{x}}} + \overline{g} \cdot \overline{h_x} \cdot h_{\overline{x}}$
$= \overline{g} \cdot \frac{\partial h}{\partial x},$
and
$\frac{\partial(g \cdot h)}{\partial x} = (g \cdot h)_x \cdot \overline{(g \cdot h)_{\overline{x}}} + \overline{(g \cdot h)_x} \cdot (g \cdot h)_{\overline{x}}$
$= (g \cdot h_x) \cdot \overline{(g \cdot h_{\overline{x}})} + \overline{(g \cdot h_x)} \cdot (g \cdot h_{\overline{x}})$
$= (g \cdot h_x) \cdot (\overline{g} + \overline{h_{\overline{x}}}) + (\overline{g} + \overline{h_x}) \cdot g \cdot h_{\overline{x}}$
$= g \cdot h_x \cdot \overline{h_{\overline{x}}} + g \cdot \overline{h_x} \cdot h_{\overline{x}}$
$= g \cdot \frac{\partial h}{\partial x}.$
Now, since
$\sigma(f, e) = k \cdot f_{x=g} + \overline{k} \cdot f$
where $k \cdot f_{x=g}$ and $\overline{k}$ are independent of $x$, by applying the above lemmas, we have
$\frac{\partial \sigma(f, e)}{\partial x} = \overline{k \cdot f_{x=g}} \cdot \overline{k} \cdot \frac{\partial f}{\partial x} = \overline{k} \cdot \frac{\partial f}{\partial x},$
therefore, the property is true.
Proof of Property 3: We prove that if $\sigma(f, e)$ is independent of $x$ and $f \to e$, then
$\sigma(f, e) = \exists x f$.
Since $f \to e$, i.e., $f \subseteq \overline{k} + (x = g)$, by cofactoring both sides with respect to
$x$ we get $f_x \subseteq \overline{k} + g$, which implies $k \cdot f_x \subseteq k \cdot g$, thus $k \cdot g \cdot f_x = (k \cdot g) \cdot (k \cdot f_x) = k \cdot f_x$.
Similarly, $k \cdot \overline{g} \cdot f_{\overline{x}} = k \cdot f_{\overline{x}}$. Therefore, we have
$k \cdot f_{x=g} = k \cdot (g \cdot f_x + \overline{g} \cdot f_{\overline{x}})$ (7.12)
$= k \cdot (f_x + f_{\overline{x}})$ (7.13)
$= k \cdot \exists x f.$ (7.14)
Further, since $\sigma(f, e)$ is independent of $x$, Property 2 gives $\overline{k} \cdot \partial f/\partial x = 0$, thus $\overline{k} \cdot f$ is independent of $x$ too. From this and the result
in (7.14), we have
$\sigma(f, e) = k \cdot f_{x=g} + \overline{k} \cdot f$
$= k \cdot \exists x f + \overline{k} \cdot f$
$= \exists x (k \cdot f) + \exists x (\overline{k} \cdot f)$
$= \exists x f.$
Hence, the property is true.
Proof of Property 4: We prove that for any function $\Phi(f, e)$ such that $\Phi(f, e) \cdot e =
f \cdot e$ and $\Phi(f, e)$ is independent of $x$, $\Phi(f, e)$ is $\sigma(f, e)$.
Let $\mu$ be a minterm of the variables in $f$ and $e$. If $\mu \in e$, then $(\Phi(f, e) \cdot e)(\mu) =
(f \cdot e)(\mu)$, i.e., $\Phi(f, e)(\mu) = f(\mu)$. Similarly, since $\sigma(f, e) \cdot e = f \cdot e$ (Property 1),
we have $\sigma(f, e)(\mu) = f(\mu)$. So $\Phi$ and $\sigma$ agree in $e$.
Now we check the case $\mu \notin e$, i.e., $\mu \in (k \cdot (x \neq g))$. Let $\mu' \in (k \cdot (x = g))$
be a minterm which differs from $\mu$ only at variable $x$. From the definition of $\sigma(f, e)$,
we know $\sigma(f, e)(\mu) = f(\mu')$. On the other side, for $\Phi(f, e)$ not to depend on $x$, we
must have $\partial \Phi/\partial x = 0$, i.e., $\Phi_x = \Phi_{\overline{x}}$. Therefore, $\Phi(f, e)(\mu) = \Phi(\mu')$ (actually
for all $\mu$). Now since $\mu' \in (k \cdot (x = g)) \subseteq e$, we have $\Phi(\mu') = f(\mu')$, thus
$\Phi(f, e)(\mu) = f(\mu')$. Hence, $\Phi$ and $\sigma$ also agree in $\overline{e}$.
7.4.3 Recursive Extraction
Extracted hold-constraints can be used in extracting more hold-constraints
which would otherwise be impossible. The complete and nonvacuous extraction for
a set of constraints can be done using the procedure in Theorem 7.2 on the conjunction
of the constraints. While we exclude conjoining the original constraints due
to efficiency concerns, we can try to extract from the conjunction of the concerned
constraint and the already extracted hold-constraints, whose size is usually small.
In fact, we can even avoid explicitly conjoining a hold-constraint with a constraint
due to the following theorem.
Theorem 7.3 For any hold-constraint $e := k \to (x = g)$, and Boolean function $f$,
where $v' = X - \{v\}$.
Proof: We only need to prove $\exists v'(\sigma(f, e)) = \exists v'(f \cdot e)$. This equality is shown in
the following computation. Note $f \cdot e = \sigma(f, e) \cdot e$ because of Property 1.
$\exists v'(f \cdot e) = \exists v'(\sigma(f, e) \cdot e)$
$= \exists v'((k \cdot f_{x=g} + \overline{k} \cdot f) \cdot (\overline{k} + (x = g)))$
$= \exists v'(\overline{k} \cdot f + k \cdot f_{x=g} \cdot (x = g) + \overline{k} \cdot f \cdot (x = g))$
$= \exists v'(\overline{k} \cdot f + k \cdot f_{x=g} \cdot (x = g))$
$= \exists (v' - \{x\})(\exists x(\overline{k} \cdot f + k \cdot f_{x=g} \cdot (x = g)))$
$= \exists (v' - \{x\})(\exists x(\overline{k} \cdot f) + \exists x(k \cdot f_{x=g} \cdot (x = g)))$
$= \exists (v' - \{x\})(\exists x(\overline{k} \cdot f) + k \cdot f_{x=g} \cdot \exists x(x = g))$
$= \exists (v' - \{x\})(\exists x(\overline{k} \cdot f + k \cdot f_{x=g}))$
$= \exists v'(\sigma(f, e))$
The above theorem implies that, given a constraint and a hold-constraint,
conditional substitution is an exact method for finding hold-constraints for input
variables other than the one being substituted.
Take the same example from Section 7.4.2. Conditional substitution $\sigma(f, e) =
\overline{y} \cdot (y + v) + y \cdot (y + x + v)$ results in $y + v$, which is another hold-constraint. As
expected from Theorem 7.3, the conjunction $f \cdot e = y + \overline{x} \cdot v$ yields the same two
hold-constraints, whereas $f \cdot e$ gives a function more complicated than $\sigma(f, e)$, and
BDD Restrict of $f$ with respect to $e$ returns $f$, which does not allow the extraction
of the second hold-constraint.
Unfortunately, Theorem 7.3 cannot be extended to substitution of more than
one hold-constraint. However, extraction preceded by multiple substitutions has
been shown in our experiments to be effective in extracting more hold-constraints.
7.5 The Overall Algorithm
We always perform the syntactical extraction first because it is fast, and
it simplifies the constraint formula prior to BDD building. The ensuing functional
extraction is iterative. In the first iteration, the extraction is done for each constraint.
Subsequently, if there are extractions from the last iteration, they are substituted in
to find more extractions for the input variables that do not have an extraction yet.
At the end of each iteration, the new extractions are used to simplify the remaining
constraints. The procedure terminates because the number of input variables in
each constraint is finite.
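The functional extraction of Theorem 7.2, the conditional substitution of Definition 7.6, the comparison promised by Theorem 7.3 and the iterative loop of Section 7.5 (Figure 7.1), as one added Python example that is not the SymGen code. Boolean functions over a constructed four-variable set are explicit minterm sets rather than BDDs, so quantification, cofactoring and the Boolean differential are plain set operations, and $g$ is taken to be $g_{on}$ (the lower end of $[g_{on}, \overline{g_{off}}]$) instead of a BDD Restrict result. The instances are equation (7.15) of this chapter and the Section 7.4.2 example, with $y, x, v$ played by $y_1, x_1, x_2$; all names are constructed here.

```python
from itertools import product

# Constructed variable set: two state variables and two input variables. A Boolean
# function is the frozenset of its minterms (0/1 tuples ordered as VARS), so every
# operation of Section 7.4 becomes a small set operation instead of a BDD operation.
VARS = ('y1', 'y2', 'x1', 'x2')
INPUTS = ('x1', 'x2')
IDX = {v: i for i, v in enumerate(VARS)}
POINTS = [dict(zip(VARS, bits)) for bits in product((0, 1), repeat=len(VARS))]

def func(pred):
    """Minterm set of the function given as a predicate over an assignment dict."""
    return frozenset(tuple(p[v] for v in VARS) for p in POINTS if pred(p))

ONE = func(lambda p: True)

def cofactor(f, v, b):
    """f_v for b = 1, f_{not v} for b = 0; the result is independent of v."""
    i = IDX[v]
    return frozenset(m[:i] + (c,) + m[i + 1:] for m in f if m[i] == b for c in (0, 1))

def exists(f, vs):
    for v in vs:
        f = cofactor(f, v, 0) | cofactor(f, v, 1)
    return f

def diff(f, v):
    """Boolean differential df/dv = f_v xor f_{not v}."""
    return cofactor(f, v, 1) ^ cofactor(f, v, 0)

def substitute(f, x, g):
    """f[x := g] = g * f_x + (not g) * f_{not x}."""
    return (g & cofactor(f, x, 1)) | ((ONE - g) & cofactor(f, x, 0))

def hold_func(e):
    """The hold-constraint e = (k, x, g), i.e. k -> (x = g), as a function."""
    k, x, g = e
    x_eq_g = ONE - (func(lambda p: p[x]) ^ g)
    return (ONE - k) | x_eq_g

def cond_subst(f, e):
    """Conditional substitution of Definition 7.6: k * f[x := g] + (not k) * f."""
    k, x, g = e
    return (k & substitute(f, x, g)) | ((ONE - k) & f)

def extract(f, x):
    """Complete functional extraction on x (Theorem 7.2). g is taken as g_on, the
    lower end of the interval [g_on, not g_off], instead of a BDD Restrict result."""
    h = exists(f, [v for v in INPUTS if v != x])        # exists x' f
    hx, hnx = cofactor(h, x, 1), cofactor(h, x, 0)
    k = hx ^ hnx                                         # d(exists x' f) / dx
    if not k:                                            # x bounded in no state
        return None
    return (k, x, k & hx)                                # g_on = k * (exists x' f)_x

def extractable(f, e):
    """Implication requirement (7.2) and nonvacuousness requirement (7.3)."""
    return f <= hold_func(e) and bool(f & e[0])

def extract_all(constraints):
    """Iterative extraction of Section 7.5: substitute last round's hold-constraints
    in, extract for inputs without an extraction yet, simplify, repeat until no new
    extraction is found."""
    E, prev, C = [], [], list(constraints)
    while True:
        curr = []
        for f in C:
            for e in prev:
                f = cond_subst(f, e)
            for x in INPUTS:
                if any(e[1] == x for e in E + curr):
                    continue
                e = extract(f, x)
                if e is not None:
                    curr.append(e)
        if not curr:
            return E
        E += curr
        for e in curr:                                   # simplify(C, currE)
            C = [cond_subst(f, e) for f in C]
        prev = curr

# Constructed instances: equation (7.15), and the Section 7.4.2 example with y, x, v
# played by y1, x1, x2 (e := not y -> not x has k = not y1 and the constant g = 0).
F15 = func(lambda p: (p['y1'] or p['x1']) and ((p['y2'] and p['x2']) or p['x1']))
F_EX = func(lambda p: p['y1'] or p['x1'] or p['x2'])
E_EX = (func(lambda p: not p['y1']), 'x1', frozenset())

def demo():
    holds = extract_all([F15])                       # one hold-constraint, on x1
    sigma = cond_subst(F_EX, E_EX)                   # y + v, free of x
    via_subst = extract(sigma, 'x2')                 # not y -> v from sigma(f, e)
    via_conj = extract(F_EX & hold_func(E_EX), 'x2') # the same from f * e (Theorem 7.3)
    return holds, sigma, via_subst, via_conj

if __name__ == "__main__":
    print(demo())
```

Two things the text does not spell out show up when this runs. First, the complete extraction from (7.15) on $x_1$ has condition $k = \overline{y_1 y_2}$, which goes beyond the $y_1 + x_1$ the text names: under $y_1 = 1, y_2 = 0$ the constraint reduces to $x_1$, so $x_1$ is bounded there too. Second, the Section 7.4.2 example behaves as Theorem 7.3 predicts: extracting on $v$ from $\sigma(f, e)$ and from $f \cdot e$ gives the same hold-constraint $\overline{y} \to v$, and $\partial \sigma(f, e)/\partial x = 0$ because $k = \overline{y}$ covers $\partial f/\partial x$ (Property 2).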
    extract(C) {
        E = ∅; prevE = ∅;
        do {
            currE = ∅;
            foreach f in C {
                f' = condsubst(f, prevE);
                foreach not-yet-extracted input variable x in f' {
                    e_x = func_extract(f', x);
                    if (e_x ≠ nil) currE = currE ∪ {e_x};
                }
            }
            E = E ∪ currE;
            C = simplify(C, currE);
            prevE = currE;
        } while (currE ≠ ∅)
    }
Figure 7.1: Hold-constraint extraction

7.6 Related Work
The idea of extracting hold-constraints stemmed from our observation of
real-life design constraints in which inputs are constantly assigned values stored in
memory elements. A syntactical extraction was the natural choice at the conception
of this idea. The attempt at a functional extraction was inspired by the state
assignment extraction work by Yang, Simmons, Bryant, and O’Hallaron [111]. The
key result in their work is as follows:
Theorem 7.4 Let $f$ be a Boolean formula, then
$f \Leftrightarrow (x \in g) \cdot h$
where $x$ is a variable whose possible values are in the set $L$, and $h = \exists x f$ and
$g = \Phi(t, h)$; $\Phi$ is a simplification function which uses the careset $h$ to minimize
$t$. The relation $t \subseteq h_{on} \times L$ is computed as:
$\bigvee_{l \in L} \left( ITE(f|_{v \leftarrow l}, \{l\}, \emptyset) \right)$
If $t$ is a partial function (i.e., each minterm in $h_{on}$ corresponds to a unique value
in $L$), then $g$ is a function, and $f \Leftrightarrow (x = g) \cdot h$.
However, there is no distinction of state and input variables in their work, and
the assignments are unconditional. We attempted to modify the above approach to
meet our needs in the “natural” way as given by the following theorem.
Theorem 7.5 Let $f$ be a Boolean formula, $k = \forall x f$ and $h = \exists x f$. Let $\Phi$ be a
simplification function which uses the careset $h$ to minimize $t$. Let $e = f \cdot \overline{k}$ and
$g = \Phi(e_x, \exists x e)$. Then $f \Leftrightarrow (\overline{k} \to (x = g)) \cdot h$.
We needed to make sure $k$ and $g$ do not depend on any input variables by applying
careset optimization. Even so, we failed to obtain some obviously extractable hold-constraints,
for example, $y_1 + x_1$ in the constraint
$f = (y_1 + x_1) \cdot (y_2 \cdot x_2 + x_1)$ (7.15)
where $y_1, y_2$ are the state variables, and $x_1, x_2$ the inputs.
It turns out that the above method works only if $f$ has a conjunctive bi-decomposition
such that the intended input variable and the rest of the input variables
belong to different conjuncts. This is an obvious limitation.
Bertacco and Damiani [14] proposed a method to build the decomposition
tree for a Boolean function from its BDD representation. Their method has a similar
restriction that the variable supports of the components be disjoint, and is therefore
not suitable for our application.
An earlier work by McMillan [81] gives similar results to that of Yang et al.
His method utilizes the BDD constrain operator, and can factor out dependent variables
from Boolean functions. However, because the dependency is unconditional
(i.e., in our case, for all state valuations), the method cannot be adopted for a complete
extraction, either. The example in (7.15) above also showcases the inability
of this method to extract all hold-constraints.
It can be proved that a hold-constraint on $x$ is extractable from $f$ iff there
exists a conjunctive bi-decomposition of $f$ such that one conjunct depends on $x$
and some state variables, and the other can depend on all the variables. Our test in
Theorem 7.2 detects exactly such a decomposition.
The closest works on similar decompositions are those of Bochmann, Dresig,
Steinbach [16] and Mishchenko, Steinbach, Perkowski [84], from the synthesis and
optimization community. They proposed a set of criteria for various groupabilities,
including one that tests whether two (disjoint) groups of variables can be separated
in a conjunctive bi-decomposition. This seemed to match our need of checking if
an input variable can be factored out from a constraint. However, the grouping also
depends on a third group of variables that is shared by the conjuncts. In our case,
this can be any subset of the set of state variables. Therefore, it can take multiple
(in the worst case, exponential to the number of state variables) groupability tests

7.7.1 Impact on building conjunction BDDs
The experiments are intended to compare the effect of hold-constraint extraction
on building BDDs for the partitioned constraints. Six commercial designs
are used in the experiments. Four configurations are compared, namely
no-extraction: with no extraction
syntactical: with the syntactical extraction
functional1: with the nonrecursive functional extraction
functional2: with the recursive functional extraction
First, we demonstrate in Table 7.1 the effect of the three types of extractions.
For this experiment only, the functional extractions are run without first applying
syntactical extraction, as a sanity check that the former always subsumes the latter.
Columns 1 and 2 give the number of constraints and input variables of the designs,
respectively. The #e_c and #e_i columns give the numbers of constraints and input
variables with extractions, respectively. As can be seen, the functional extractions
always perform better, and a recursive extraction is more powerful than a nonrecursive
extraction.

                   stats        syntactical    functional1    functional2
circuit     #cons  #input       #e_c   #e_i    #e_c   #e_i    #e_c   #e_i
mmq           117     207         18     25      42     49      77     53
qbc            93     174         58    169      75    174      75    174
qpag          215     283        149    282     173    282     197    283
qpcu          109      34         75     34      93     34      93     34
rio           198     371         80    283      89    289      96    292
sbs           108     423         95    422      96    423      97    423
Table 7.1: Result of extractions

Tables 7.2 through 7.5 compare the results of building BDDs for the partitioned
constraints. The reported times and BDD node counts include times and
BDD nodes used in extraction. Dynamic variable reordering is enabled in all examples
except in rio, where a fixed order is used to avoid BDD blowup. Table 7.2
shows the results of building conjunction BDDs without any extraction. Column 1
is the number of BDD conjunction operations performed during partitioning. Column
2 shows the number of resulting parts. Columns 3, 4, and 5 show the peak
number of BDD nodes, the number of BDD nodes in the result, and the time for building
the BDDs, respectively.
The impact of extractions on BDD building is shown in Tables 7.3, 7.4
and 7.5, respectively for syntactical, functional1 and functional2. First, it should
be clarified that the sharp increase of the number of parts between the functional and
the syntactical extractions is partially due to the fact that the former extracts signals
bit by bit, while the latter can extract bus signals at once. Therefore, the effect of
partition refinement is more proportionally represented in the number of conjunctions
performed among the simplified versions of the original constraints (note we
do not conjoin the hold-constraints). It can be seen that as the extraction gets more
powerful, the number of parts increases. Although the number of conjunctions
decreases quickly in syntactical and more in functional1, we observed that functional2
does not improve the number further, although it has the most extractions.
As a result, BDD sizes in functional2 increase slightly over those in functional1.
Obviously, simplification from the extra extractions in functional2 in our examples
did not remove more input variables to refine the partition, although in theory it
could. Overall, functional extractions have a large improvement over their syntactical
counterpart. In all examples, extracting hold-constraints has a clear advantage
in time (up to 23 times faster) and space (up to 7 times smaller) usage over not
extracting such constraints.

circuit    #conj   #part       peak     result     time
mmq           92      26      82782      24535     17.0
qbc           60      34      10220       2689      2.5
qpag         187      29     968856     142943    272.4
qpcu          94      11      14308       4563      1.0
rio          133      66    1299984     375723      3.3
sbs           69      40      12264       2940      1.5
Table 7.2: Result of building conjunction BDDs (no extraction)

circuit    #conj   #part       peak     result     time
mmq           80      37      32704       9501      8.9
qbc           19      77       9198       1754      0.1
qpag          65     156     155344      89195     61.4
qpcu          24      84       4088        983      0.0
rio           97     127    1040396     149152      1.5
sbs           10     104      15330       1663      0.1
Table 7.3: Result of building conjunction BDDs (syntactical)

circuit    #conj   #part       peak     result     time
mmq           72      58      33726       9529      6.2
qbc           10      92       5110       1294      0.0
qpag          60     216      47012      20613     12.3
qpcu          17     136       4088        801      0.0
rio           94     140    1072460     142997      1.5
sbs           10     503      34748       1612      0.1
Table 7.4: Result of building conjunction BDDs (functional1)

circuit    #conj   #part       peak     result     time
mmq           72      58      33726       9529      6.2
qbc           10     113       6132       1428      0.0
qpag          60     268      79716      28221     26.7
qpcu          17     146      13286       1042      0.0
rio           94     144    1226400     143071      1.6
sbs           10     528      49056       1812      0.1
Table 7.5: Result of building conjunction BDDs (functional2)

circuit    without extraction    with extraction    speedup
mmq                      6.98               4.57       1.53
qbc                      1.55               1.24       1.25
qpag                     6.46               2.57       2.51
qpcu                     0.49               0.55       0.89
rio                    302.63             132.00       2.30
sbs                      2.12               1.98       1.07
Table 7.6: Impact on simulation generation
7.7.2 Impact on Simulation
As discussed in Section 7.1, simulation directly benefits from a finer partition
that results in smaller conjunction BDDs. Hold-constraints by themselves also contribute
to the speedup of vector generation since they can produce quick solutions for
input variables once the state valuation is known. In Table 7.6, each design is simulated
3 times, each with 1000 cycles, using randomly generated inputs from the
conjunction BDDs. Nonrecursive extraction was used in this experiment. Columns
1 and 2 report the average times spent in simulation generation from BDDs without
and with extraction, respectively. Column 3 gives the ratio of generation time
without extraction to that with extraction. The speedup is more proportional to the reduction
in BDD size when the conjunction BDDs get more complex, for example,
in rio, qpag and mmq. For smaller BDDs, the overhead of handling finer partitions
may offset the size reduction, which results in an increase of generation time in
qpcu. Nonetheless, our concern is more with the long generation time from large
conjunction BDDs, in which cases we achieved a speedup ratio of about 2.5.
7.8 Summary
We have presented a method for simplifying constraint solving in random
test generation. The source of the simplification is the refinement of the constraint partition
by extracting deterministic assignments to input variables. The result is a faster
construction and smaller size of the BDD representation of the constraints. Simulation
vector generation time is also reduced due to the smaller BDD size, and the constant

The algorithms in SymGen provide an efficient way of generating vectors
from constraints and input biases without backtracking. However, as it is tailored
for efficient simulation vector generation, SymGen’s one-vector-at-a-time approach
may not be suitable for other types of verification methods, e.g., model checking,
which explores the design state space by checking all possible input combinations
simultaneously. Similarly, hardware-accelerated simulation (also known as emulation
[70]) gives another example of SymGen’s limitation, though from a different
perspective. In emulation, the design is mapped to some programmable hardware,
such as Field Programmable Gate Arrays (FPGAs); the stimuli are fed in from
a computer, usually in batch mode to save time. Although in theory we can implement
the SymGen algorithms in a software program on the computer to generate
the stimulus, the overhead of communication between the emulation hardware and
the computer at each simulation cycle would defeat the very purpose of emulation
being a faster simulator. The problems in both examples can be remedied if the vectors
are generated as the outputs of a Boolean circuit, instead of directly from the
constraints: combinations of values at these outputs represent the full input space
for a model checker, and the functions can be mapped to the emulation hardware,
thus eliminating the communication cost. We refer to this approach to vector generation
as constraint synthesis. Figure 8.1 illustrates synthesized constraints being

Figure 8.1: SymGen and Synthesized Constraints

In this chapter, we present a method of synthesizing hardware constraints,
referred to as the cascaded synthesis. In general, constraint synthesis can be viewed
as the following problem: for a constraint $f : \mathbb{B}^n \mapsto \mathbb{B}$, derive a mapping $\mathbb{B}^n \mapsto \mathbb{B}^n$
whose range is the onset of $f$. This formulation is equivalent to the Boolean Unification
(BU) [34, 79, 110] problem of finding a substitution $\theta$ that unifies the constraint
$f$ and the constant 1, i.e., $\theta(f) = 1$. However, our approach is necessarily different
from BU because in the context of synthesizing hardware constraints, we are faced
with the heterogeneity of the variables, specifically, the fact that the state
variables, unlike the inputs, are bounded by the design. More specifically, when
synthesizing constraints of both state and input variables, the method in [34] would
give wrong results, while the method in [79, 110] would give suboptimal results.
We defer a detailed discussion of this to Section 8.4.
The remainder of this chapter is organized as follows: Section 8.2 gives a
formal formulation of the constraint synthesis problem. In Section 8.3, we present
the synthesis method that handles state-dependent constraints. Section 8.4 covers
the related work. We summarize in Section 8.5.
8.2 Problem Formulation
Let $f : B^{n+m} \to B$ over input variables $X = \{x_1, \ldots, x_n\}$ and state variables $Y = \{y_1, \ldots, y_m\}$ be the constraint of concern. Denote the set of ground solutions to
$$f(X, Y) = 1 \qquad (8.1)$$
by $S$, with
$$S = \{(\alpha, \beta) \mid \alpha \in B^n,\ \beta \in B^m,\ f(\alpha, \beta) = 1\}. \qquad (8.2)$$
Let
$$S_\beta = \{\alpha \in B^n \mid (\alpha, \beta) \in S\} \qquad (8.3)$$
be the set of input vectors pertaining to state $\beta$ in $S$. A state $\beta$ is legal in $f$ iff $S_\beta \neq \emptyset$. Let
$$L = \{\beta \in B^m \mid S_\beta \neq \emptyset\} \qquad (8.4)$$
be the set of legal states in $f$. We adopt Rudeanu's [97] terminology, with modifications to accommodate states, for describing different kinds of solutions to equations:
A vector of functions $F : B^{n+m} \to B^n$ is called a solution to (8.1) iff
$$\forall \beta \in L,\ F(B^n \times \{\beta\}) \subseteq S_\beta; \qquad (8.5)$$
$F$ is called a general solution iff
$$\forall \beta \in L,\ F(B^n \times \{\beta\}) = S_\beta; \qquad (8.6)$$
and $F$ is called a reproductive solution iff $F$ is a general solution and
$$\forall \beta \in L,\ \forall \alpha \in S_\beta,\ F(\alpha, \beta) = \alpha. \qquad (8.7)$$
Reproductive solutions have an important property: under a legal state, any solution $G$ of $f$ can be obtained as an instance of a reproductive solution $F$.
Theorem 8.1 Let $F$ be a reproductive solution to the equation $f(X, Y) = 1$, and $L$ the set of legal states of $f(X, Y)$. Then for any solution $G$ of this equation,
$$G(B^n \times L) = F(G(B^n \times L)),$$
where $F$ is applied to the output of $G$ under the same state.
Since our goal is to be able to generate all possible vectors, constraint syn-
thesis can therefore be formulated as the problem of finding a general or reproduc-
tive solution of the constraint.
8.3 The Cascaded Synthesis Method
We describe a synthesis method which generates values for inputs iteratively
in a “cascaded” fashion wherein the previously generated values are used in the
generation of the next input.
8.3.1 Cascaded Solution Generation
Given the constraint $f$ of input variables $X = \{x_1, \ldots, x_n\}$ and state variables $Y = \{y_1, \ldots, y_m\}$, we first define the projection of $f$ onto the variables $x_i, \ldots, x_n$ and $y_1, \ldots, y_m$, written $f^i$, for $1 \le i \le n+1$, to be the existential quantification of $f$ with respect to the remaining variables $x_1, \ldots, x_{i-1}$. Note the two special cases $f^1 = f$ and $f^{n+1} = L$, where $L$ is (the characteristic function of) the set of legal states. The notion of projection is critical to our synthesis procedure because of the following theorem.
Theorem 8.2 Given a constraint $f$ and a state, either all, or none, of the projections $f^1, \ldots, f^{n+1}$ are satisfiable.
Proof: The theorem follows directly from the definition of projections, which are existential quantifications of $f$: under a fixed state, $f^{i+1}$ is satisfiable iff $f^i$ is.
Note by definition projection $f^1$ is $f$. Thus, given a state valuation and a canonical representation of $f$, such as a BDD, we can quickly determine whether $f$ is satisfiable (in time $O(n+m)$), and therefore whether all of its projections are satisfiable. In addition, if there is a satisfying assignment, say $\alpha$, to the variables of $f^i$, then there exists an assignment to $x_{i-1}$ which, together with $\alpha$, satisfies $f^{i-1}$. This can be generalized to the following theorem.
Theorem 8.3 Under a legal state, any input assignment satisfying $f^i$ is a suffix of an input assignment satisfying $f^j$, for all $j < i$.
Proof: It suffices to prove the case $j = i-1$. Let $\alpha$ be an input assignment to $x_i, \ldots, x_n$ and $\beta$ a legal state such that $f^i(\alpha, \beta) = 1$. From the definition of projections of $f$, we have
$$f^i(x_i, \ldots, x_n, Y) = f^{i-1}(0, x_i, \ldots, x_n, Y) + f^{i-1}(1, x_i, \ldots, x_n, Y);$$
plugging in $\alpha$ and $\beta$, we have
$$f^i(\alpha, \beta) = f^{i-1}(0, \alpha, \beta) + f^{i-1}(1, \alpha, \beta).$$
The left-hand side of the above equation is 1, therefore at least one of the terms on the right-hand side must be true. That is, either $(0, \alpha)$ or $(1, \alpha)$ or both, under the state $\beta$, is a solution to $f^{i-1}$.
The above theorem demonstrates that it is feasible to construct a solution for $f$ by successively solving for the inputs of the projections, from $f^n$ down to $f^1$, and therefore $f$. We now give a decision procedure for how each input is computed.
First we note that any Boolean function, and in particular the projection $f^i$, can be decomposed as follows:
$$f^i = f^i_{x_i}\, f^i_{\bar{x}_i} + x_i \cdot f^i_{x_i}\, \overline{f^i_{\bar{x}_i}} + \bar{x}_i \cdot \overline{f^i_{x_i}}\, f^i_{\bar{x}_i} \qquad (8.8)$$
where $f^i_{x_i}$ (resp. $f^i_{\bar{x}_i}$) is the cofactor of $f^i$ with respect to $x_i$ (resp. $\bar{x}_i$). This decomposition, over the orthogonal basis $\{f^i_{x_i} f^i_{\bar{x}_i},\ f^i_{x_i} \overline{f^i_{\bar{x}_i}},\ \overline{f^i_{x_i}} f^i_{\bar{x}_i}\}$, follows from the Shannon decomposition $f^i = x_i f^i_{x_i} + \bar{x}_i f^i_{\bar{x}_i}$.
Now we show how to derive the value of $x_i$ from a partial assignment to $x_{i+1}, \ldots, x_n$. Let $\alpha$ be a partial assignment under a legal state $\beta$ such that
$$f^{i+1}(\alpha, \beta) = 1.$$
Since $\exists x_i\, f^i = f^{i+1}$, we have $(\exists x_i\, f^i)(\alpha, \beta) = 1$; substituting the right-hand side of Equation (8.8) for $f^i$ and applying the existential quantification, we get
$$\big(f^i_{x_i} f^i_{\bar{x}_i} + f^i_{x_i} \overline{f^i_{\bar{x}_i}} + \overline{f^i_{x_i}} f^i_{\bar{x}_i}\big)(\alpha, \beta) = 1.$$
Furthermore, since the three disjunctive terms above are orthogonal, exactly one of them evaluates to 1. Denote this term by $t$. An assignment to $x_i$ that satisfies $f^i(x_i, \alpha, \beta)$ can then be derived from $t$ and Equation (8.8): if $t$ is the first term, then $f^i$ is satisfied no matter what value $x_i$ takes, i.e., $x_i$ is a don't care; if $t$ is the second (resp. third) term, then $x_i$ has to take the value 1 (resp. 0). Collecting the cases, together with the remaining case in which no term is true (which, as shown next, happens only under an illegal state):
$$x_i = \begin{cases} u_i & \text{if } f^i_{x_i}\, f^i_{\bar{x}_i} \\ 1 & \text{if } f^i_{x_i}\, \overline{f^i_{\bar{x}_i}} \\ 0 & \text{if } \overline{f^i_{x_i}}\, f^i_{\bar{x}_i} \\ d_i & \text{if } \overline{f^i_{x_i}}\, \overline{f^i_{\bar{x}_i}} \end{cases} \qquad (8.9)$$
where $u_i$ and $d_i$ are the two don't cares.
We now come to a critical observation: the condition of $d_i$ is false iff the underlying state is legal; therefore, under an illegal state, $d_i$ actually dictates the computation of $x_i$.
Lemma 8.1 The condition for $d_i$ in (8.9) is false iff the underlying state is legal.
Proof: From Theorem 8.2, constraint $f$ is satisfiable, i.e., the underlying state is legal, iff every projection $f^i$ for $1 \le i \le n+1$ is satisfiable. Meanwhile, the don't care condition in (8.9), $\overline{f^i_{x_i}}\, \overline{f^i_{\bar{x}_i}}$, is the complement of $\exists x_i\, f^i = f^{i+1}$ evaluated at the partial assignment generated so far. Under a legal state that partial assignment satisfies $f^{i+1}$ (Theorem 8.3), so the condition is false; under an illegal state $f^{i+1}$ has no satisfying assignment at all, so the condition is true. Therefore the lemma holds.
Although the computation of $x_i$ under an illegal state will eventually be voided, keeping $d_i$ as a don't care (instead of fixing it to 0, which is valid as well as intuitive) can simplify (8.9) in general. We will give an example of this simplification later.
Up to now we have shown that the above procedure generates a solution; but will it be possible to generate all solutions? To answer this question, we look at the only flexibility in the computation of $x_i$, namely $u_i$, since we know $d_i$ does not contribute to $x_i$ under a legal state. By checking the condition under which $u_i$ determines $x_i$, we conclude that $u_i$ needs to be a free variable to meet the requirement of a general solution, i.e., when possible, $x_i$ should be able to take both values 1 and 0. From now on we treat $u_i$ as a variable, while $d_i$ remains a don't care, which may be any function. Equation (8.9) is then written as the substitution
$$x_i = (f^i_{x_i}\, f^i_{\bar{x}_i}) \cdot u_i + (f^i_{x_i}\, \overline{f^i_{\bar{x}_i}}) + (\overline{f^i_{x_i}}\, \overline{f^i_{\bar{x}_i}}) \cdot d_i. \qquad (8.10)$$
8.3.2 The Algorithm
In this section, we give an algorithm which finds the substitution in (8.10) for each input variable. We also prove that the set of substitutions forms a reproductive solution to the constraint.
Figure 8.3 illustrates the cascaded synthesis of a 3-input constraint.
Theorem 8.4 Given a constraint $f(X, Y)$ and a legal state, the array of substitutions $\Phi$ returned by the algorithm in Figure 8.2 is a reproductive solution to $f$; more specifically, $\Phi$ is a mapping $B^n \to B^n$ such that, for any $\alpha, \alpha' \in B^n$ with $\Phi(\alpha) = \alpha'$,
1. $\alpha'$ satisfies $f$, and
2. if $\alpha$ satisfies $f$, then $\alpha' = \alpha$.

Figure 8.2: The cascaded synthesis algorithm (/* $f \circ g$ means applying $f$ after $g$. */)
    cascade(f, X, Y) {
        if (X == ∅) return ∅;
        else {
            let X = {x_1, …, x_n}, X' = {x_2, …, x_n};
            let f_{x_1} = f(1, X', Y), f_{x̄_1} = f(0, X', Y);
            Φ' = cascade(f_{x_1} + f_{x̄_1}, X', Y);
            let Φ'∘f_{x_1} = f(1, Φ'(X'), Y), Φ'∘f_{x̄_1} = f(0, Φ'(X'), Y);
            Φ_1 = (Φ'∘f_{x_1})·(Φ'∘f_{x̄_1})·u_1 + (Φ'∘f_{x_1})·¬(Φ'∘f_{x̄_1}) + ¬(Φ'∘f_{x_1})·¬(Φ'∘f_{x̄_1})·d_1;
            return {Φ_1} ∪ Φ';
        }
    }

Figure 8.3: Example: Cascaded synthesis of a 3-input constraint
Proof: We prove the first statement by induction on the length of $\alpha'$. Let $\alpha' = \alpha'_1 \ldots \alpha'_n$. Since we are under a legal state, from the substitution in Equation (8.10) we know $\alpha'_n$ satisfies $f^n$. Assume we already have a partial solution $\alpha'_{i+1} \ldots \alpha'_n$ that satisfies $f^{i+1}$; applying this partial solution to the substitution intended for $x_i$, as indicated in the algorithm, and using Theorem 8.3, the resulting $\alpha'_i \ldots \alpha'_n$ must satisfy $f^i$. Eventually we get $\alpha'$ that satisfies $f^1$, and therefore $f$.
The second statement is proved by examining the substitutions, with the free variables $u_i$ instantiated by the components $\alpha_i$ of $\alpha$. Given a partial solution, $\alpha'_i$ has exactly one choice from $u_i$, 1, or 0. In the first choice, $\alpha'_i$ equals $u_i$, that is, $\alpha_i$, no matter what value $\alpha_i$ takes; in the second choice, $\alpha'_i = 1$, and 1 is the only possible value for the $i$th position of an $\alpha$ that satisfies $f$ with the same suffix, therefore $\alpha_i$ also takes 1; similarly, both $\alpha'_i$ and $\alpha_i$ are 0 in the third choice.
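As an added example (not code from the dissertation or from SymGen), the following Python script carries out the cascaded solution generation of Section 8.3.1 on a small constructed constraint and checks the two statements of Theorem 8.4, plus the first illegal-state test of Section 8.3.3. Projections are computed by truth-table enumeration rather than BDDs, so the script runs stand-alone; the constraint `f_example`, the function names and the index conventions are this example's own assumptions.

```python
from itertools import product

# Constructed example constraint over inputs X = (x1, x2) and states Y = (y1, y2):
#   f = (x1 -> x2) & (y1 -> x1) & (y2 -> (x1 & ~x2))
# The last conjunct makes every state with y2 = 1 illegal (no satisfying input).
def f_example(x, y):
    x1, x2 = x
    y1, y2 = y
    return (not x1 or x2) and (not y1 or x1) and (not y2 or (x1 and not x2))


def projection(f, i, xi, suffix, state):
    """Cofactor of the projection f^i = (exists x_1..x_{i-1}) f, with x_i = xi and
    x_{i+1}..x_n = suffix, evaluated under `state`.  Enumerates the quantified
    prefix instead of using a BDD."""
    return any(f(prefix + (xi,) + suffix, state)
               for prefix in product((0, 1), repeat=i - 1))


def cascade(f, n, state, u, d=0):
    """One evaluation of the cascaded substitution (Eq. 8.9/8.10): decide x_n
    first, then x_{n-1}, ..., x_1, each from the two cofactors of its projection
    under the suffix already chosen.  `u` supplies the free don't cares u_i;
    `d` is the value used in the d_i case, which arises only under an illegal
    state.  Returns the generated input vector as a tuple (x_1, ..., x_n)."""
    suffix = ()
    for i in range(n, 0, -1):
        c1 = projection(f, i, 1, suffix, state)
        c0 = projection(f, i, 0, suffix, state)
        if c1 and c0:
            xi = u[i - 1]        # both cofactors satisfiable: x_i is free (u_i)
        elif c1:
            xi = 1               # only x_i = 1 keeps f^i satisfiable
        elif c0:
            xi = 0               # only x_i = 0 keeps f^i satisfiable
        else:
            xi = d               # f^{i+1} unsatisfiable here: illegal state (d_i)
        suffix = (xi,) + suffix
    return suffix


def legal_states(f, n, m):
    """The set L of Eq. (8.4): states with at least one satisfying input."""
    return [s for s in product((0, 1), repeat=m)
            if any(f(a, s) for a in product((0, 1), repeat=n))]


def is_reproductive(f, n, m):
    """Theorem 8.4 on every legal state: the range of the cascade over all free
    vectors equals S_beta (Eq. 8.6) and every solution is a fixed point (Eq. 8.7)."""
    for s in legal_states(f, n, m):
        s_beta = {a for a in product((0, 1), repeat=n) if f(a, s)}
        rng = {cascade(f, n, s, u) for u in product((0, 1), repeat=n)}
        if rng != s_beta:
            return False
        if any(cascade(f, n, s, a) != a for a in s_beta):
            return False
    return True


def illegal_state_detected(f, n, state, u):
    """First option of Section 8.3.3: evaluate f on the generated vector under the
    current state; the state is illegal iff the result is 0."""
    return not f(cascade(f, n, state, u), state)


if __name__ == "__main__":
    print("legal states:", legal_states(f_example, 2, 2))
    print("reproductive:", is_reproductive(f_example, 2, 2))
    for state in product((0, 1), repeat=2):
        vec = cascade(f_example, 2, state, (1, 1))
        print(state, "->", vec, "illegal" if illegal_state_detected(f_example, 2, state, (1, 1)) else "ok")
```

Under the legal state (0, 0) the free vector (1, 0) is mapped to (0, 0) because x2 = 0 forces x1 = 0, while (1, 1) is returned unchanged; under (0, 1), an illegal state, both cofactors are 0 at every step, the d_i value is used, and evaluating f on the result exposes the illegal state.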
8.3.3 Detection of illegal states
We have two options for detecting illegal states. In the first option, we just need to evaluate $f$ with the current state and the solution (or any input vector). The current state is illegal iff the result is 0, as indicated by the definition of a legal state. We can then pad the solution with this result to indicate the validity of the solution.
In the second option, we need to modify a substitution function $\Phi_i$ so that, when the condition for the don't care (the $d_i$ term in Equation (8.10)) is true, an extra output is asserted to indicate an illegal state. Lemma 8.1 shows that any $\Phi_i$ can be used for this test.
The second option seems more desirable: we can pick a $\Phi_i$ with small $i$ whose implementation can be much "simpler" than that of $f$.
8.4 Comparisons to other synthesis methods
In this section, we compare cascaded synthesis to Boolean Unification, which was developed for solving Boolean equations, and to a work on building circuits from relations [101].
Boolean unification (BU) is a method for finding solutions to equations of Boolean functions. A solution to the equation $f = g$ is a substitution $\sigma$ for the variables in $f$ and $g$ such that $\sigma(f) \equiv \sigma(g)$. For this reason, $\sigma$ is also called a unifier of $f$ and $g$. Since the equation can be rewritten as $f \oplus g = 0$, it suffices for BU to consider only the form $f = 0$.
There are several approaches to the BU problem. Büttner and Simonis [110] presented a BU algorithm that computes the most general unifier (mgu) [102], from which any other unifier can be derived as an instance. Note that the reproductive solution produced by cascaded synthesis is an mgu. Martin and Nipkow [79] provided a historical perspective on the algorithm and traced its origin back to Boole himself. They also presented a second BU algorithm attributed to Löwenheim [77]. Since this algorithm in general produces a solution more complex than that of Boole's method [79], we will not discuss it further. Fujita et al. [53] applied the BU algorithm based on Boole's method in several logic synthesis examples, including minimization of Boolean relations. Coudert and Madre [33] presented an orthogonal approach to BU which utilizes a special operator called Constrain.
Our approach necessarily differs from the BU methods in that hardware constraints depend on both state and input variables, where the former, being fixed by the design, are in fact parameters. Specifically, when applied to hardware constraint synthesis, the method in [33] can give wrong results because it is based on a mapping that can alter the values of state variables, and Boole's method can give suboptimal results because it does not take advantage of the optimization space represented by state valuations for which there are no satisfying inputs. Furthermore, even if we apply our synthesis method to the same problem dealt with in BU, the same optimization is still valid, which can result in a range of solutions, including the one based on Boole's method and ones that are even simpler. We discuss the details in the coming subsections.
8.4.1 Constrain-based Synthesis
Coudert and Madre [34] showed that the image of a set can be computed as the range of the transition functions Constrained with respect to the set. In addition, the resulting functions form a reproductive solution to the characteristic function representing that set. This fact is used by Coudert and Madre to generate "functional vectors" in [33]. The Constrain operation, which we will refer to as Generalized Cofactoring (GC), as it is also known, is defined below.
GC takes two functions $f$ and $g$ of variables $\{x_1, \ldots, x_n\}$, and returns a function which agrees with $f$ on the onset of $g$. The operation is a mapping determined by $g$ and the variable ordering. The latter determines the "distance" between two vectors, as defined in the following.
Definition 8.1 Let $x_1 < \ldots < x_n$ be the variable ordering. Let $\alpha = \alpha_1 \ldots \alpha_n$ and $\beta = \beta_1 \ldots \beta_n$ be two minterms. The distance between $\alpha$ and $\beta$, in symbols $\|\alpha - \beta\|$, is given by:
$$\|\alpha - \beta\| = \sum_{i=1}^{n} |\alpha_i - \beta_i| \cdot 2^{n-i}. \qquad (8.11)$$
This definition of distance reflects the dissimilarity between the two vectors, weighted by the variable ordering. We now define GC precisely.
Definition 8.2 Given functions $f$, $g$, and a variable ordering, the GC of $f$ with respect to $g$, in symbols $f \downarrow g$, is defined by:
$$(f \downarrow g)(\alpha) = \begin{cases} f(\alpha) & \text{if } g(\alpha) = 1 \\ f(\beta) & \text{if } g(\alpha) = 0 \end{cases} \qquad (8.12)$$
where $g(\beta) = 1$ and $\|\alpha - \beta\|$ is minimum under the given variable ordering.
Then the image computation in [34] can be summarized in the following theorem.
Theorem 8.5 Let $F = [f_1, \ldots, f_n]$ be a vector of Boolean functions, and $R(X)$ a nonempty set. Define the GC of $F$ with respect to $R(X)$ as
$$F \downarrow R(X) := [f_1 \downarrow R(X), \ldots, f_n \downarrow R(X)].$$
Then the image of $R$ under $F$ is equal to the range of the vectorial function $F \downarrow R$, i.e.,
$$\mathrm{Img}(R(X), F) = \mathrm{Img}(1, F \downarrow R(X)).$$
Now, letting $f_i = x_i$ for $1 \le i \le n$ in the above theorem, we obtain the following corollary:
Corollary 8.1 Let $X$ be a set of Boolean variables $\{x_1, \ldots, x_n\}$, and $R \subseteq B^n$ a BDD representing a nonempty set. Then $R$ is the range of the vectorial function $[x_1 \downarrow R, \ldots, x_n \downarrow R]$.
This result is applicable to constraint synthesis in the following sense: let $R$ be the constraint and $X$ the set of input variables; let $X' = [x'_1, \ldots, x'_n]$ be such that $x'_i = x_i \downarrow R$; then the evaluations of $X'$ always satisfy $R$; specifically, for any $\alpha \in R$, $X'(\alpha) = \alpha$, hence $X'$ is a reproductive solution to $R$. In addition, from the definition of GC, for any input vector $\alpha$, $X'$ generates a vector in $R$ that is "closest" to $\alpha$.
However, this method may produce wrong results if applied to synthesizing constraints involving state variables, because GC may change the valuation of the state variables when it maps a vector of both state and input variables from outside $R$ to one in $R$; as a result, what we have generated is an input vector that satisfies $R$ under the mapped state, but it may be in conflict with the actual state asserted by the design.
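As an added example (not the dissertation's or Coudert and Madre's code), the following Python script implements the distance of Definition 8.1 and the GC mapping of Definition 8.2 by brute-force enumeration over minterms, confirms Corollary 8.1 on a constructed input-only constraint, and then reproduces the failure mode just described on a constructed constraint that mixes an input with a state variable. The function names (`distance`, `constrain_map`, `gc`, `synthesize_by_gc`) and the sample constraints are this example's own assumptions; a BDD implementation would compute the same mapping without enumeration.

```python
from itertools import product

def distance(alpha, beta):
    """Eq. (8.11): position i (1-based) carries weight 2^(n-i), so the top
    variable x_1 dominates the distance."""
    n = len(alpha)
    return sum(abs(a - b) * 2 ** (n - 1 - i) for i, (a, b) in enumerate(zip(alpha, beta)))

def constrain_map(g, n):
    """The vector mapping behind Constrain / GC (Definition 8.2): alpha stays put
    when g(alpha) = 1, otherwise it is sent to the onset vector of g nearest to
    it.  The nearest vector is unique because distinct vectors have distinct
    weighted distances.  Undefined for g = 0, as GC itself is."""
    onset_vectors = [b for b in product((0, 1), repeat=n) if g(b)]
    if not onset_vectors:
        raise ValueError("generalized cofactor is undefined for g = 0")
    return {a: (a if g(a) else min(onset_vectors, key=lambda b: distance(a, b)))
            for a in product((0, 1), repeat=n)}

def gc(f, g, n):
    """f ↓ g as a callable: (f ↓ g)(alpha) = f(beta) with beta = map(alpha)."""
    mapping = constrain_map(g, n)
    return lambda alpha: f(mapping[alpha])

def synthesize_by_gc(r, n):
    """Corollary 8.1: X' = [x_1 ↓ R, ..., x_n ↓ R].  Since x_i ↓ R at alpha is
    just the i-th bit of the mapped vector, X' is the mapping itself."""
    mapping = constrain_map(r, n)
    return lambda alpha: mapping[alpha]

def range_of(sol, n):
    """Range of a vectorial function over all of B^n."""
    return {sol(a) for a in product((0, 1), repeat=n)}

def onset(r, n):
    return {a for a in product((0, 1), repeat=n) if r(a)}

# Constructed input-only constraint R = (x1 -> x2): GC synthesis is correct here.
def r_inputs(v):
    x1, x2 = v
    return int(not x1 or x2)

# Constructed constraint over an input x1 (top variable) and a state y, R = (x1 == y).
# GC may move the state bit, the failure mode of Section 8.4.1: the returned
# input satisfies R only under the mapped state, not the one the design asserts.
def r_with_state(v):
    x1, y = v
    return int(x1 == y)

def gc_changes_state(r, n, state_positions, alpha):
    """True if the GC mapping alters any state bit of alpha."""
    beta = constrain_map(r, n)[alpha]
    return any(beta[i] != alpha[i] for i in state_positions)

if __name__ == "__main__":
    sol = synthesize_by_gc(r_inputs, 2)
    print("range == onset:", range_of(sol, 2) == onset(r_inputs, 2))
    print("(1,0) ->", sol((1, 0)))
    print("(x1=0, y=1) ->", constrain_map(r_with_state, 2)[(0, 1)],
          "state changed:", gc_changes_state(r_with_state, 2, [1], (0, 1)))
```

On `r_inputs`, the vector (1, 0) outside R is mapped to (1, 1), the nearest solution, and every solution is a fixed point. On `r_with_state`, the vector with x1 = 0 and y = 1 is mapped to (0, 0): flipping the lightest variable y is cheaper than flipping x1, so the generated input x1 = 0 is reported together with a state the design never asserted, even though x1 = 1 would have satisfied R under the real state. Placing the state variables on top of the ordering removes this particular case but not the one where the actual state is illegal, since GC then has no same-state onset vector to move to and silently picks another state.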
In the appendices, we report two attempts (prior to our work on cascaded synthesis) to modify GC to suit our needs. In Appendix A, we describe an extension to GC for handling multiple constraints without explicitly conjoining the constraints. In Appendix B, we report another modification to GC which handles constraints with state variables correctly. However, in both cases, since they involve complicated recursions not suitable for caching, the resulting algorithms are inefficient in practice.
To conclude the comparison with constrain-based synthesis, we show that our approach achieves the shortest-distance mapping even when state variables are involved. This also implies that, in the absence of state variables, the two synthesis methods produce identical results.
Theorem 8.6 The substitution returned by the algorithm in Figure 8.2 maps a vector $\alpha$ to a vector $\alpha'$ in the constraint that has the shortest distance (as given in Formula (8.11)) from $\alpha$.
Proof: Suppose we have arrived at a partial solution $\alpha'_{i+1} \ldots \alpha'_n$ which is at a distance $l$ from $\alpha_{i+1} \ldots \alpha_n$. According to the algorithm, the choice of $\alpha'_i$ either maintains the distance, or increases it to $l + 2^{i-1}$. If we were to do things differently and still produce a satisfying partial solution, we could (1) assign $\bar{u}_i$ to $\alpha'_i$, or (2) backtrack and change an $\alpha'_j$, $j > i$, so that $\alpha'_i$ would not be forced to 1 or 0. But (1) would increase $l$ instead of maintaining it, and (2) would increase $l$ by $2^{j-1}$, which is greater than the sum of any potential savings at positions $< j$.
8.4.2 BU Based On Boole's Method
BU based on Boole's method is summarized in the following theorem [79]:
Theorem 8.7 Let $\sigma(y) : B^{n-1} \to B^{n-1}$, where $y = (x_2, \ldots, x_n)$, be an mgu to
$$f(0, x_2, \ldots, x_n) \cdot f(1, x_2, \ldots, x_n) = 0.$$
Then
$$F(x) = \big((f(0, \sigma(y)) \oplus f(1, \sigma(y)) \oplus 1) \cdot x_1 \oplus f(0, \sigma(y)),\ \sigma(y)\big)$$
is an mgu to $f(x_1, \ldots, x_n) = 0$.
Note "$\oplus$" is the Exclusive-Or operator. The BU algorithm computes the substitution recursively using the above theorem. To facilitate a comparison, we expand the Exclusive-Ors and list the algorithm in Figure 8.4, and give in Figure 8.5 the variation of our synthesis method for the problem $f = 0$, which is the dual of our original problem ($f = 1$).
There are three differences: (1) We have extra state variables, $z$. (2) We do not perform the 0-test when the input variables are exhausted; as long as the original $f$ is not a constant zero, i.e., is satisfiable under some state and input, the synthesis always succeeds. (3) Last but most importantly, our result differs from BU at one place in the formula for computing the substitution of an input variable: whereas we have $f(1, \sigma(y), z) \cdot f(0, \sigma(y), z) \cdot d_1$ as the third term, BU has $f(1, \sigma(y)) \cdot f(0, \sigma(y)) \cdot \bar{u}_1$. As we have explained in Section 8.3.1, cascaded synthesis opts to keep the third term because it handles a second type of variables, the state
Figure 8.4: Boolean Unification
    unify(f(x)) {
        if (x == ∅) {
            if (f ≡ 0) return (); else fail;          /* the 0-test */
        } else {
            let x := {x_1} ∪ y;
            σ = unify(f(0, y) · f(1, y));
            return (
                f̄(1, σ(y)) · f̄(0, σ(y)) · u_1 +
                f̄(1, σ(y)) · f(0, σ(y)) +
                f(1, σ(y)) · f(0, σ(y)) · ū_1,
                σ(y)
            );
        }
    }

Figure 8.5: Cascaded synthesis, another form (for the problem f = 0, with state variables z)
    cascade(f(x, z)) {
        if (x == ∅) return ();
        else {
            let x := {x_1} ∪ y;
            σ = cascade(f(0, y, z) · f(1, y, z));
            return (
                f̄(1, σ(y), z) · f̄(0, σ(y), z) · u_1 +
                f̄(1, σ(y), z) · f(0, σ(y), z) +
                f(1, σ(y), z) · f(0, σ(y), z) · d_1,
                σ(y)
            );
        }
    }
variables. Further, even if we apply cascaded synthesis to constraints where there is only one type of variable, our decision to keep the third (don't care) term is still sound as long as there is a solution. Note that the substitution, and the don't care optimization as a consequence, does not alter the detection of a solution, e.g., the 0-test in the case of BU.
Therefore, cascaded synthesis gives a range of reproductive solutions. In particular, one instance is BU, since for any $d_1$ in Figure 8.5 (note we omit the state variables $z$) that satisfies
$$f(1, \sigma(y)) \cdot f(0, \sigma(y)) \cdot d_1 = f(1, \sigma(y)) \cdot f(0, \sigma(y)) \cdot \bar{u}_1,$$
cascaded synthesis becomes BU. In addition, we can obtain a much simpler substitution, $\sigma$, for BU by assigning $d_1$ to 1:
$$\begin{aligned} \sigma(x_1) &= \overline{f(0, \sigma(y))}\, \overline{f(1, \sigma(y))} \cdot x_1 + {} & (8.13) \\ &\quad \overline{f(1, \sigma(y))}\, f(0, \sigma(y)) + f(1, \sigma(y))\, f(0, \sigma(y)) \cdot 1 & (8.14) \\ &= \overline{f(0, \sigma(y))}\, \overline{f(1, \sigma(y))} \cdot x_1 + f(0, \sigma(y)) & (8.15) \\ &= \overline{f(1, \sigma(y))} \cdot x_1 + f(0, \sigma(y)). & (8.16) \end{aligned}$$
The substitution is again anmgusince all other unifiers can be derived by
applying a substitution to as shown in the following proof.
First, letf(1; (y)) := a andf(0; (y)) := b, i.e.,f = a  x+ b  x. Also let
 be an arbitrary unifier of and0, and pick a substitution(u) := (x).
141
We show that composing and leads to . First, we have
  (x) = a  (u) + b = a  (x) + b: (8.17)
Now since is a unifier off and 0, we have
a  (x) + b  (x) = 0;
hence
a  (x) = 0 andb  (x) = 0;
and furthermore
a  (x) = (x) and(x) + b = (x):
Finally, apply the above equations to (8.17), we have
  (x) = a  (x) + b = tau(x) + b = (x):
Lastly, we acknowledge the work by Fujita et al. [53] that outlined applications of BU to logic synthesis problems similar to ours, which can involve two groups of variables of which only one group is unified. Nevertheless, they used the original BU algorithm, which unifies all the variables and performs the 0-test. It is thus unclear how they dealt with the 0-test, since the test is bound to fail without unifying all the variables; neither is it likely, from their paper, that they recognized our way of using the don't cares. This can lead to a suboptimal result in their application of minimizing Boolean relations; we give a simple example to demonstrate this limitation.
Let $a + y \cdot \bar{z} = 0$ be the relation of concern, where $y$ and $z$ are to be unified and $a$ is left as a parameter. Ignoring the 0-test, and using the BU algorithm as is, they would have the solution for $y$ and $z$
$$(y, z) = (\bar{a}\, y\, z + a\, \bar{y},\ \bar{a}\, z + a\, \bar{z}) \qquad (8.18)$$
which cannot be simplified further; whereas by applying cascaded synthesis, we have
$$(y, z) = (\bar{a}\, y\, z + a\, d_1,\ \bar{a}\, z + a\, d_2);$$
now choosing the don't cares $d_1 := y\, z$ and $d_2 := z$, we obtain
$$(y, z) = (y\, z,\ z) \qquad (8.19)$$
which is considerably simpler than the BU solution in (8.18).
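As an added example (not code from the dissertation, from [79] or from [53]), the following Python script implements Boole's method of Theorem 8.7 by recursion, with the leaf 0-test skipped as in the example above, and runs it on the relation $a + y\,\bar{z} = 0$ with $a$ as a parameter. It checks that the computed substitution agrees with $(\bar{a}\,y\,z + a\,\bar{y},\ \bar{a}\,z + a\,\bar{z})$, that this and the don't-care form $(y\,z,\ z)$ are both reproductive solutions (mgu's) whenever a solution exists ($a = 0$), and that the two differ only under the parameter value $a = 1$ for which no solution exists, which is exactly the space the don't cares exploit. Function names and the truth-table representation are this example's own assumptions.

```python
from itertools import product

def boole_unify(f, n):
    """Boolean unification by Boole's method (Theorem 8.7, Figure 8.4) for the
    equation f(x_1..x_n) = 0.  `f` maps an n-tuple of 0/1 values to 0/1 and may
    close over parameters that are not unified.  Returns a list sub, where
    sub[i](u) gives x_{i+1}' as a function of the free vector u.  The leaf
    0-test is skipped, as in the Section 8.4.2 example."""
    if n == 0:
        return []
    g = lambda y: f((0,) + y) & f((1,) + y)          # unify the product of cofactors
    sigma = boole_unify(g, n - 1)
    def sigma_y(u):
        return tuple(s(u[1:]) for s in sigma)
    def first(u):
        f0, f1 = f((0,) + sigma_y(u)), f((1,) + sigma_y(u))
        return ((f0 ^ f1 ^ 1) & u[0]) ^ f0            # Theorem 8.7, first component
    rest = [(lambda s: (lambda u: s(u[1:])))(s) for s in sigma]
    return [first] + rest

def table(sub, n):
    """Truth table of a substitution list over all free vectors."""
    return tuple(tuple(s(u) for s in sub) for u in product((0, 1), repeat=n))

def is_mgu(sub, f, n):
    """Reproductive-solution check for f = 0: the range of sub equals the
    solution set and sub fixes every solution."""
    sols = {x for x in product((0, 1), repeat=n) if f(x) == 0}
    rng = {tuple(s(u) for s in sub) for u in product((0, 1), repeat=n)}
    return rng == sols and all(tuple(s(x) for s in sub) == x for x in sols)

# The relation of Section 8.4.2: a + y * ~z = 0, with y, z unified and a a parameter.
def relation(a):
    return lambda v: a | (v[0] & (1 - v[1]))

# Closed forms: Boole's result (8.18) and the don't-care result (8.19).
def bu_closed(a):
    return [lambda v: ((1 - a) & v[0] & v[1]) | (a & (1 - v[0])),
            lambda v: ((1 - a) & v[1]) | (a & (1 - v[1]))]

dontcare_closed = [lambda v: v[0] & v[1], lambda v: v[1]]

def compare(a):
    """Return (Boole's method matches (8.18), (8.18) is an mgu, (8.19) is an mgu)
    for the parameter value a."""
    f = relation(a)
    bu = boole_unify(f, 2)
    return (table(bu, 2) == table(bu_closed(a), 2),
            is_mgu(bu, f, 2),
            is_mgu(dontcare_closed, f, 2))

if __name__ == "__main__":
    for a in (0, 1):
        print("a =", a, "->", compare(a), "tables:",
              table(boole_unify(relation(a), 2), 2), table(dontcare_closed, 2))
```

For a = 0 both substitutions have the range {(0,0), (0,1), (1,1)} and fix each of those vectors; for a = 1 the relation has no solution, Boole's substitution still produces $(\bar{y}, \bar{z})$, and the don't-care form produces $(y\,z, z)$. Since a = 1 is the "0-test fails" case, nothing depends on the values chosen there, which is why the $a$-free form is acceptable and smaller.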
8.4.3 Shiple and Kukula's Method
Shiple and Kukula [101] reported a method of synthesizing Boolean relations. The synthesis starts from a BDD representation of the relation and constructs gate-level logic which can be thought of as the union of two circuits, both of which are topologically isomorphic to the graph of the BDD. The first circuit evaluates the current state and generates, for each of its nodes, a signal similar to the node weight in SymGen. Each node in the second circuit, according to the weights, assigns to an output 0, 1, or a random value presented at a free input; however, only one assignment to each output is selected, depending on the selected assignments to outputs that are ranked higher in a fixed ordering.
The method can be viewed as a smart implementation of SymGen in hardware. The complexity of their method, like that of SymGen, is linear in the size of the BDD, or more precisely $O(k)$ for a BDD with $k$ nodes, since there are two circuits isomorphic to the BDD. The cascaded synthesis can be purely algebraic, in which case its complexity cannot be measured with respect to BDD node count. Suppose we perform cascaded synthesis on a BDD with $k$ nodes; its space complexity can then be formulated as $k_1 + \cdots + k_n$, where $k_i$ is the number of gates in the $i$th substitution function $\Phi_i$. Roughly speaking, $k_n$ is comparable to $k$. Note that $\Phi_n, \ldots, \Phi_1$ depend on descending numbers of inputs. Also, they can be based upon different BDD variable orderings.
8.5 Summary and Discussion
We have described a method of synthesizing Boolean constraints. Using constraints is an effective alternative to writing complicated environment models in functional verification. Constraint synthesis facilitates the application of this methodology to areas where no proprietary constraint solving capability is available, e.g., model checking and emulation.
We have also provided a survey of the constraint synthesis methods known to us. Although Boolean Unification is shown to be unitary [110], that is, if there exists a solution then there is a unique mgu from which all solutions can be derived as its instances, the uniqueness is nevertheless only up to an equivalence relation [102]. For example, a BU problem can have two equivalent mgu's which can be derived from each other. The fact that there can be multiple functionally distinct mgu's gives rise to the need for optimization. Our application of don't cares in cascaded synthesis is such an attempt. It is also obvious that the synthesis result varies with the variable ordering in both constrain-based BU and the one built upon Boole's method. In the latter case, Büttner [109] has shown how to decide the variable ordering in order to obtain an mgu with the minimal number of variables.
An approach that allows maximal optimization should be one in which both the don't cares and the variable ordering are exploited. In general, we do not have to follow any particular order in the synthesis, e.g., we can solve variable $x$ before $y$ on one path of the decision making, and in the reverse order on another. This would lead us to depart from the class of "shortest-distance" mappings, which is a sufficient but not necessary condition for constrained vector generation; all we

This dissertation is a summary of cooperative research works that took place
over six years while the author was a part-time graduate student and a full-time ver-
ification engineer. A colleague of mine once had a remark which I will remember
for a long time to come:“verification is a problem that is easy to understand but hard
to contribute to.” Indeed, as most verification problems are deemed NP-complete or
harder, fundamental breakthroughs have been rare; instead, most advances in this
area are of an applicative nature, for example, employment of new data structures,
and combinations of different methodologies. It is our hope that this dissertation
has contributed to verification problems in these manners. In addition to various
improvements shown in experimental results, we are also encouraged by the fact
that the idea of mixing formal and informal verification techniques, of which our
work on saturated simulation and retrograde analysis is widely recognized as one
of the pioneering works, is being embraced by the design automation community.
It is also a rewarding experience to witness the growth of our vector generation
tool, SymGen, from conception into maturity while being adopted in many design
projects in Motorola throughout the past years.
9.1 Summary
We have presented applications of symbolic methods to verification problems. In Chapter 3, we introduced to invariant checking the concept of "saturated simulation", which improves verification coverage by focusing on the control behavior of the design. The improvement comes from an abstraction of equivalence classes of states or state transitions, with the aid of BDD-based image computation and an abstraction function. We described in Chapter 4 the technique of "retrograde analysis", also applicable to invariant checking. The technique works by enlarging the set of target states, accomplished with BDD-based pre-image computation, and by using the Hamming-distance heuristic to select starting states that are "closest" to the target. Consequently, the simulation has a better chance of reaching a target state in a shorter time.
The remaining chapters are devoted to the problem of constrained simulation vector generation. In Chapter 5, we developed an efficient BDD algorithm that takes a set of constraints and input biases and generates vectors accordingly. The algorithm, implemented in SymGen, is linear in the size of the BDD graph representing the conjunction of the constraints, and requires no backtracking, a common problem in many constraint-based vector generation tools. In the next chapter, we discussed the problem of diagnosing illegal states. Simplification of constraint solving, based on hold-constraint extraction, was presented in Chapter 7. This simplification, together with the disjoint-input-support partitioning given in Chapter 5, has greatly enhanced the constraint solving capability of SymGen, thus enabling its handling of nontrivial commercial designs. Lastly, in Chapter 8, we described an alternative method of generating constrained vectors. The problem is formulated as one that derives the "reproductive solution" of the constraints: the constraints are synthesized into a set of functions whose inputs consist of the state variables and auxiliary free variables, and whose outputs represent the full input vector space in which the constraints are satisfied. Vector generation in this way can be implemented in gate-level (netlist) Boolean logic, thus enabling the use of input constraints in other forms of verification, e.g., model checking and hardware emulation, where a proprietary constraint solver such as SymGen is not applicable.
9.2 Future Work
There are several areas in which we wish to make improvements. In saturated simulation, the capacity and efficiency can be further enhanced by performing better abstraction. For example, instead of selecting one or several data states from each equivalence class arbitrarily, we can select a largest cube so that a maximum amount of data information is preserved and a minimum number of next-state functions are needed for the image computation.
In regard to constrained vector generation, a desirable extension is to solve constraints based on word-level operations (e.g., $=$, $+$) directly, instead of first compiling them into Boolean operations. We also envision two extensions to the partition-based simplification of constraint solving. First, we can lift the restriction that the partitioning of input variables only comes from a conjunctive decomposition of the constraints; in fact, SymGen can be generalized to solving decompositions of arbitrary types. Here is a sketch. Let $f'$ be the binary decomposition tree of a constraint $f$ of variables $X$; the set of leaf nodes of $f'$ is $X$, and the other nodes, denoted by $G$, represent the subfunctions. A SymGen-like vector generation can proceed as follows:
1. Assign to each $g$ in $G$ an auxiliary variable $a_g$, and assign to $a_g$ a probability (between 0 and 1).
2. Build BDDs for $f'$ and all subfunctions in $G$ using $X$ and the auxiliary variables.
3. Apply to the BDD of $f'$ the Weight procedure augmented with the following rules:
(a) The weight of a node corresponding to an auxiliary variable $a_g$ is equal to
i. the weight of the left child, if the weight of $g$ is 0;
ii. the weight of the right child, if the weight of $g$ is 1;
iii. the sum of the weights of the children weighted by the probability of $a_g$, if the weight of $g$ is between 0 and 1.
(b) In the following Walk procedure, treat $a_g$ as a state variable in the first two cases above; treat it as an input variable in the last case.
4. Apply to the BDD of $f'$ the Walk procedure, with the modification that if the current input node corresponds to an auxiliary variable $a_g$, then
(a) if the assignment to $a_g$ is 0, replace every branching probability $p$ in the BDD of $g$ with $1 - p$;
(b) apply Walk to the BDD of $g$.
It is obvious that the above procedure is insensitive to the types of decompositions and can easily be extended to handle arbitrary levels of decomposition. It is shown in [40] that fully sensitive functions, including all Boolean functions, have a finest decomposition wherein the subfunctions have disjunctive support. Although in general the cost of finding such a decomposition is exponential in the number of variables, there are methods for obtaining coarser decompositions, for example the BDD-based algorithms in [13, 14]. We conjecture that an efficient algorithm exists for finding similar decompositions wherein only the input supports are disjoint among the subfunctions.
An even more aggressive extension is to allow overlaps of input variables in the supports of the subfunctions, which can lead to decompositions finer than those obtained in [40]. In principle, if there is a partial order among the involved subfunctions such that, for any satisfiable assignment to the overlapping inputs in a subfunction, there is at least one satisfiable assignment to the same inputs in all lower-ranked subfunctions, then the given constraints can be solved without backtracking in the extended SymGen described above. Although finding such a decomposition poses a nontrivial challenge, it is nevertheless an attractive optimization which has the potential to outperform the finest disjunctive decomposition.
Appendix A
Generalized Cofactoring for Multiple Constraints
For reference, we first give the BDD implementation of GC with respect to one constraint, as presented by Coudert and Madre [34], in Figure A.1.

Figure A.1: Generalized cofactor (only the lines recoverable from the page are shown)
    f ↓ c {
    a1: assert(c ≠ 0);
    a2: if (c = 1 || f = 1 || f = 0) return f;
    a3: let x_i be the top variable of c;
    …
            = 0) return f_{x_i} ↓ c_{x_i};
    …
    }

We show how GC with respect to multiple constraints can be achieved without first forming the conjunction of the constraints. Let $c = \{c_1, \ldots, c_m\}$ be a set of constraint BDDs defined over variables $X = \{x_1, \ldots, x_n\}$; let $c \downarrow x_i$ be the vectorial function $[c_1 \downarrow x_i, \ldots, c_m \downarrow x_i]$ (i.e., the vector of cofactors $c_{x_i}$); let $c \simeq 0$ stand for $\exists c_j \in c,\ c_j = 0$, and $c \simeq 1$ stand for $\forall c_j \in c,\ c_j = 1$. Let $c \not\simeq 0$ (resp. $c \not\simeq 1$) mean that it is not the case that $c \simeq 0$ (resp. $c \simeq 1$). Let $\hat{c}$ denote the conjunction $\bigwedge_{c_j \in c} c_j$. Also, let the top variable of $c$ denote the one with the highest rank among the top variables of the $c_j$. It is obvious that $\hat{c} = 0$ if $c \simeq 0$, and $\hat{c} = 1$ iff $c \simeq 1$.
f ⇓ c {
b1: if (c ≃ 0) return nil;
b2: if (c ≃ 1) return f;
b3: let x_i be the top variable of c;
b4: if (c_{x_i} ≃ 0) return f_{x_i'} ⇓ c_{x_i'};
b5: if (c_{x_i'} ≃ 0) return f_{x_i} ⇓ c_{x_i};
b6: t = f_{x_i} ⇓ c_{x_i};
b7: e = f_{x_i'} ⇓ c_{x_i'};
b8: if (t = nil) return e;
b9: if (e = nil) return t;
b10: return x_i · t + x_i' · e;
}
Figure A.2: Generalized cofactor with respect to multiple constraints
The operator ⇓, defined in Figure A.2, computes the generalized cofactor of f with respect to all the constraints in c, without explicitly building the conjunction ĉ. We shall prove that f ⇓ c = f ↓ ĉ. Before we do, we need the following lemmas.
Lemma A.1 ĉ = 0 iff f ⇓ c = nil
Proof:
"←":
• Base1: c ≃ 0 → ĉ = 0 → "←"
• Base2: c ≃ 1 → f ⇓ c = f (line b2), which is not nil, hence "←"
• IH: f_{x_i} ⇓ c_{x_i} = nil → ĉ_{x_i} = 0, and f_{x_i'} ⇓ c_{x_i'} = nil → ĉ_{x_i'} = 0
• IS: f ⇓ c = nil → ĉ = 0
  Excluding the base cases on lines b1 and b2, f ⇓ c = nil can be returned only at lines b4, b5 and b8 (line b10 never returns nil), i.e., one of the following holds:
    c_{x_i} ≃ 0 and f_{x_i'} ⇓ c_{x_i'} = nil                    (line b4)   (A.1)
    c_{x_i'} ≃ 0 and f_{x_i} ⇓ c_{x_i} = nil                     (line b5)   (A.2)
    f_{x_i} ⇓ c_{x_i} = nil and f_{x_i'} ⇓ c_{x_i'} = nil       (line b8; line b10 ≠ nil)   (A.3)
  Applying IH, these become, respectively,
    c_{x_i} ≃ 0 and ĉ_{x_i'} = 0      (A.4)
    c_{x_i'} ≃ 0 and ĉ_{x_i} = 0      (A.5)
    ĉ_{x_i} = 0 and ĉ_{x_i'} = 0      (A.6)
  Since c_{x_i} ≃ 0 → ĉ_{x_i} = 0 and c_{x_i'} ≃ 0 → ĉ_{x_i'} = 0, (A.4) and (A.5) rewrite to (A.6), which is equivalent to ĉ = 0, hence "←".
"→":
• Base1: c ≃ 0 → f ⇓ c = nil → "→".
• Base2: c ≃ 1 → ĉ = 1 ≠ 0 → "→".
• IH: ĉ_{x_i} = 0 → f_{x_i} ⇓ c_{x_i} = nil, and ĉ_{x_i'} = 0 → f_{x_i'} ⇓ c_{x_i'} = nil
• IS: ĉ = 0 → f ⇓ c = nil
  Since ĉ = 0 → ĉ_{x_i} = ĉ_{x_i'} = 0, applying IH, we get:
    f_{x_i} ⇓ c_{x_i} = nil and f_{x_i'} ⇓ c_{x_i'} = nil
  Excluding the returns on lines b1 and b2, which are the base cases, the recursion f ⇓ c returns only at one of the lines b4, b5, and b8, all of which return nil.
Lemma A.2 ĉ ≠ 0 ∧ (f = 0 || f = 1) → f ⇓ c = f
Proof: Assume ĉ ≠ 0. Let's first look at the case f = 1. Since 1_{x_i} = 1_{x_i'} = 1, all of the f arguments in the successive recursions of f ⇓ c will be 1, therefore the final return value will be nil (line b1) or 1 (line b2) or the recursive composition x_i · 1 + x_i' · 1, which is also 1. Since ĉ ≠ 0, by Lemma A.1, f ⇓ c ≠ nil, therefore, f ⇓ c = 1. The case f = 0 is similar.
Theorem A.1 ĉ ≠ 0 → f ⇓ c = f ↓ ĉ
Proof: We do induction on f ⇓ c to show that the theorem, which we refer to as p, is true.
• Base1: c ≃ 0
  c ≃ 0 → ĉ = 0 → p
• Base2: c ≃ 1
  c ≃ 1 → ĉ = 1 → f ⇓ c = f ↓ ĉ = f → p.
• IH: ĉ_{x_i} ≠ 0 → f_{x_i} ⇓ c_{x_i} = f_{x_i} ↓ ĉ_{x_i}, and ĉ_{x_i'} ≠ 0 → f_{x_i'} ⇓ c_{x_i'} = f_{x_i'} ↓ ĉ_{x_i'}
• IS: ĉ ≠ 0 → f ⇓ c = f ↓ ĉ
  The top variable x_i of c can be in or not in the support of ĉ.
  – case I: x_i is not in the support of ĉ
    Then ĉ_{x_i} = ĉ_{x_i'} = ĉ ≠ 0, so c_{x_i} ≄ 0 and c_{x_i'} ≄ 0, and f ⇓ c doesn't return on lines b4 and b5. And from Lemma A.1, t and e can't be nil at lines b8 and b9. Therefore, f ⇓ c returns only at line b10, i.e.,
      f ⇓ c = x_i (f_{x_i} ⇓ c_{x_i}) + x_i' (f_{x_i'} ⇓ c_{x_i'})          ;; line b10
            = x_i (f_{x_i} ↓ ĉ) + x_i' (f_{x_i'} ↓ ĉ)                    ;; IH, ĉ_{x_i} = ĉ_{x_i'} = ĉ
            = (x_i ↓ ĉ)(f_{x_i} ↓ ĉ) + (x_i' ↓ ĉ)(f_{x_i'} ↓ ĉ)          ;; x_i ∉ sup(ĉ)
            = (x_i f_{x_i}) ↓ ĉ + (x_i' f_{x_i'}) ↓ ĉ                    ;; property of ↓
            = (x_i f_{x_i} + x_i' f_{x_i'}) ↓ ĉ                          ;; property of ↓
            = f ↓ ĉ
    Hence, p.
  – case II: x_i is in the support of ĉ
    This allows f ⇓ c to return at any of the lines b4, b5, b8, b9, b10 (ref. Figure A.2). Let's analyze those lines to show that f ⇓ c = f ↓ ĉ in all the cases, therefore p holds.
    ∗ case II(b4): c_{x_i} ≃ 0
      Then ĉ_{x_i} = 0, so f ↓ ĉ returns f_{x_i'} ↓ ĉ_{x_i'} at line a4, while f ⇓ c returns f_{x_i'} ⇓ c_{x_i'} at line b4; by IH, f ⇓ c = f ↓ ĉ.
    ∗ case II(b5): c_{x_i'} ≃ 0
      similar to case II(b4).
    ∗ case II(b8): t = nil
      t = nil and Lemma A.1 → ĉ_{x_i} = 0, therefore f ↓ ĉ returns f_{x_i'} ↓ ĉ_{x_i'} at line a4, while f ⇓ c returns e = f_{x_i'} ⇓ c_{x_i'} at line b8; by IH, f ⇓ c = f ↓ ĉ.
    ∗ case II(b9): e = nil
      similar to case II(b8).
    ∗ case II(b10): t ≠ nil and e ≠ nil
        f ⇓ c = x_i t + x_i' e
              = x_i (f_{x_i} ⇓ c_{x_i}) + x_i' (f_{x_i'} ⇓ c_{x_i'})
              = x_i (f_{x_i} ↓ ĉ_{x_i}) + x_i' (f_{x_i'} ↓ ĉ_{x_i'})          ;; IH   (A.8)
      Now check what f ↓ ĉ can return (ref. Figure A.1):
      · a2: ĉ = 1 iff c ≃ 1, while c ≃ 1 is the base case already discussed, therefore ĉ ≠ 1, and a2 returns f, f = 0/1. By Lemma A.2, "f ⇓ c = f, when f = 0/1", hence, f ⇓ c = f ↓ ĉ.
      · a4: since t, i.e., f_{x_i} ⇓ c_{x_i}, is not nil, by Lemma A.1, ĉ_{x_i} ≠ 0, therefore a4 doesn't return.
      · a5: similar to a4, a5 doesn't return.
      · a6: the line is exactly (A.8) above, therefore, f ⇓ c = f ↓ ĉ.
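As an added worked example (Python written for this edition, not code from the dissertation), the following implements Figures A.1 and A.2 on a minimal ROBDD representation and checks Lemma A.1 and Theorem A.1 on constructed instances. The representation is an assumption of the example: a node is a nested tuple (var, low, high) with the integers 0 and 1 as terminals, None plays the role of nil, and variables are integers ordered so that a smaller index ranks higher; the sample functions and constraint sets are constructed here and do not come from the text.

```python
"""Generalized cofactoring (Figures A.1 and A.2) on a tiny ROBDD library.
Added example, not the dissertation's code.  Nodes are nested tuples
(var, low, high) with ints 0/1 as terminals; reduced nodes are structurally
unique, so tuple equality is BDD equality and no unique table is needed."""
from functools import lru_cache
from itertools import product

def is_terminal(f):
    return f == 0 or f == 1

def top(f):
    """Rank of the top variable; terminals rank below every variable."""
    return float("inf") if is_terminal(f) else f[0]

def mk(x, lo, hi):
    """Node constructor that keeps the diagram reduced."""
    return lo if lo == hi else (x, lo, hi)

def var(x):
    return mk(x, 0, 1)

@lru_cache(maxsize=None)
def cofactor(f, x, val):
    """Shannon cofactor: f_x for val = 1, f_x' for val = 0."""
    if is_terminal(f) or f[0] > x:        # x does not occur in f
        return f
    if f[0] == x:
        return f[2] if val else f[1]
    return mk(f[0], cofactor(f[1], x, val), cofactor(f[2], x, val))

@lru_cache(maxsize=None)
def ite(f, g, h):
    """if-then-else; the Boolean connectives below are derived from it."""
    if f == 1:
        return g
    if f == 0:
        return h
    if g == h:
        return g
    x = min(top(f), top(g), top(h))
    return mk(x, ite(cofactor(f, x, 0), cofactor(g, x, 0), cofactor(h, x, 0)),
                 ite(cofactor(f, x, 1), cofactor(g, x, 1), cofactor(h, x, 1)))

def AND(f, g): return ite(f, g, 0)
def OR(f, g):  return ite(f, 1, g)
def NOT(f):    return ite(f, 0, 1)

def gc(f, c):
    """Figure A.1: f ↓ c, generalized cofactor w.r.t. a single constraint."""
    assert c != 0                                       # a1
    if c == 1 or is_terminal(f):                        # a2
        return f
    x = top(c)                                          # a3
    c0, c1 = cofactor(c, x, 0), cofactor(c, x, 1)
    f0, f1 = cofactor(f, x, 0), cofactor(f, x, 1)
    if c1 == 0:                                         # a4
        return gc(f0, c0)
    if c0 == 0:                                         # a5
        return gc(f1, c1)
    return ite(var(x), gc(f1, c1), gc(f0, c0))          # a6

def gc_multi(f, cs):
    """Figure A.2: f ⇓ c over a list of constraints, never forming their
    conjunction.  None stands for nil."""
    if any(c == 0 for c in cs):                         # b1: c ≃ 0
        return None
    if all(c == 1 for c in cs):                         # b2: c ≃ 1
        return f
    x = min(top(c) for c in cs)                         # b3
    cs0 = [cofactor(c, x, 0) for c in cs]
    cs1 = [cofactor(c, x, 1) for c in cs]
    f0, f1 = cofactor(f, x, 0), cofactor(f, x, 1)
    if any(c == 0 for c in cs1):                        # b4
        return gc_multi(f0, cs0)
    if any(c == 0 for c in cs0):                        # b5
        return gc_multi(f1, cs1)
    t, e = gc_multi(f1, cs1), gc_multi(f0, cs0)         # b6, b7
    if t is None:                                       # b8
        return e
    if e is None:                                       # b9
        return t
    return ite(var(x), t, e)                            # b10

def evaluate(f, point):
    """Evaluate a BDD at a point given as {var: 0/1}."""
    while not is_terminal(f):
        f = f[2] if point[f[0]] else f[1]
    return f

def conjunction(cs):
    chat = 1
    for c in cs:
        chat = AND(chat, c)
    return chat

def check_theorem_a1(f, cs, nvars):
    """Lemma A.1 and Theorem A.1 on one instance, plus the defining property
    of generalized cofactoring: f ↓ ĉ agrees with f wherever ĉ holds."""
    chat, g = conjunction(cs), gc_multi(f, cs)
    if chat == 0:
        return g is None                                # Lemma A.1
    if g is None or g != gc(f, chat):
        return False                                    # Theorem A.1
    for bits in product((0, 1), repeat=nvars):
        pt = dict(enumerate(bits))
        if evaluate(chat, pt) and evaluate(g, pt) != evaluate(f, pt):
            return False
    return True

def sample_instances():
    """Constructed instances over x0 < x1 < x2 (not taken from the text)."""
    x0, x1, x2 = var(0), var(1), var(2)
    return [(x2, [OR(x0, x1), OR(x1, x2)]),             # top of c in sup(ĉ)
            (x0, [OR(x0, x1), OR(NOT(x0), x1)]),        # ĉ = x1, x0 not in sup(ĉ)
            (AND(x0, x2), [x0, NOT(x0)]),               # jointly unsatisfiable: nil
            (OR(x0, AND(x1, x2)), [NOT(x1), OR(x0, x2)])]

if __name__ == "__main__":
    print(all(check_theorem_a1(f, cs, 3) for f, cs in sample_instances()))
```

The second sample instance exercises case I of the proof (the top variable of c cancels out of ĉ), the third exercises Lemma A.1 (gc_multi returns None exactly when ĉ = 0), and the truth-table loop in check_theorem_a1 confirms the property that makes generalized cofactoring useful for vector generation: the result agrees with f on every point where the constraints hold.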
Appendix B
Generalized Cofactoring for State-dependent
Constraints
In Section 8.4.1, we described Coudert and Madre's method of generating simulation vectors through generalized cofactoring for constraints that depend only on input variables. Here, we extend the method by introducing a new generalized cofactoring operator, written ↓s, to handle state-dependent constraints. We restrict ourselves to the line of thinking in Section 8.4.1, where the functions to which ↓s is applied are of the form f_i = u_i, where u_i is an input variable.
The operator ↓s takes six arguments f, c, f', c', α, and β. Respectively, the first two arguments are the function and constraint for the current recursion; the next two are the original function and constraint; and the last two are the input and state cubes corresponding to the path leading to the current recursion.
Figure B.1 gives the definition of ↓s, wherein the function Find_Closest_Match, given in Figure B.2, is used to find a match α' for the input cube α that is legal (satisfying the constraint in the current recursion) under the state β, and such that the distance between α' and α, as given in Definition 8.1, is minimum. The function returns the cofactors of c' and f' with respect to the new path (α', β). Such matches do not exist under illegal states, for which we are not obligated to generate any vectors; this is reflected by the two don't care assignments on lines c13 and c17.
Theorem B.1 For any legal state, ↓s(f, c, f, c, 1, 1) computes the generalized cofactor of f with respect to c.
Proof: (Sketch) The key difference between ↓s and ↓ (generalized cofactor) is that when the current path (α, β) does not satisfy c, the former finds the "shortest-distance" match for α in c, instead of a match for the whole path in c. Therefore, the functionality of generalized cofactoring is preserved for the input vectors only, for all legal states.
Since illegal states can be easily detected by checking whether the constraint evaluates to zero under the current state, the operator ↓s can be used in place of ↓ in Lemma 8.1 to generate input vectors from state-dependent constraints. However, due to the multiple arguments that need to be carried along the recursion, as required by the Find_nearest_match function, the cache hit rate will be very low for the above algorithm, making it computationally expensive.
↓s(f, c, f', c', α, β) {
c1: assert(c ≠ 0);
c2: if (c = 1 || f = 0 || f = 1) return f;
c3: if (c = f) return 1;
c4: if (c = ¬f) return 0;
c5: let x_i be the top variable of c;
c6: if (x_i is an input variable) {
c7:   if (c_{x_i} = 0) return ↓s(f_{x_i'}, c_{x_i'}, f', c', α·x_i', β);
c8:   if (c_{x_i'} = 0) return ↓s(f_{x_i}, c_{x_i}, f', c', α·x_i, β);
c9:   return x_i · ↓s(f_{x_i}, c_{x_i}, f', c', α·x_i, β) + x_i' · ↓s(f_{x_i'}, c_{x_i'}, f', c', α·x_i', β);
c10: } else {   // x_i is a state variable
c11:   if (c_{x_i} = 0) {
c12:     {d, g} = Find_Closest_Match(f', c'_{x_i}, α);
c13:     if (d = 0) t = dc1;
         ...
c17:     if (d = 0) e = dc2;
         ...
c20:     t = ↓s(f_{x_i}, c_{x_i}, f', c', α, β·x_i);
         ...
}
Figure B.1: Generalized cofactor with respect to state-dependent constraints
Find_nearest_match(f, c, α) {
d1: if (c = 1) return {f, c};
d2: if (c = 0) return {0, 0};
d3: let l be the top literal of α;
d4: if (c_l ≠ 0)
d5:   return Find_nearest_match(f_l, c_l, α_l);
d6: else
d7:   return Find_nearest_match(f_{¬l}, c_{¬l}, α_{¬l});
d8: }
Figure B.2: Find the nearest match
Bibliography
[1] M. Aagaard, R. B. Jones, and C.-J. H. Seger. Combining theorem proving and trajectory evaluation in an industrial environment. In Proceedings of the Design Automation Conference, pages 538–541, 1998.
[2] A. Aharon, A. Bar-David, B. Dorfman, E. Gofman, M. Leibowitz, and V. Schwartzburd. RTPG: A Dynamic Biased Pseudo-Random Test Program Generator for Processor Verification. IBM Technical Report 88.290, July 1990.
[3] A. Aharon, A. Bar-David, B. Dorfman, E. Gofman, M. Leibowitz, and V. Schwartzburd. Verification of the IBM RISC System/6000 by a Dynamic Biased Pseudo-random Test Program Generator. IBM Systems Journal, 30(4):527–538, July 1991.
[4] S. B. Akers. Binary Decision Diagrams. IEEE Transactions on Computers, C-37:509–516, June 1978.
[5] P. Ashar and S. Malik. Fast Functional Simulation Using Branching Programs. In Proceedings of International Conference on Computer-Aided Design, November 1995.
[6] A. Aziz, F. Balarin, V. Singhal, R. K. Brayton, and A. L. Sangiovanni-Vincentelli. The Temporal Logic of Stochastic Systems. In Proceedings of the Computer Aided Verification Conference, July 1995.
[7] A. Aziz, J. Kukula, T. Shiple, and J. Yuan. Efficient Control State Space Search. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 2, October 2001.
[8] A. Aziz, V. Singhal, G. M. Swamy, and R. K. Brayton. Minimizing Interacting Finite State Machines: A Compositional Approach to the Language Containment Problem. In Proceedings of International Conference on Computer Design, pages 255–261, October 1994.
[9] A. Aziz, S. Tasiran, and R. K. Brayton. BDD Variable Ordering for Interacting Finite State Machines. In Proceedings of the Design Automation Conference, June 1994.
[10] R. I. Bahar, E. A. Frohm, C. M. Gaona, G. D. Hachtel, E. Macii, A. Pardo, and F. Somenzi. Algebraic Decision Diagrams and their Applications. In Proceedings of International Conference on Computer-Aided Design, pages 188–192, 1993.
[11] D. L. Beatty. A methodology for formal hardware verification with application to microprocessors. Ph.D. Thesis, published as technical report CMU-CS-93-190, School of Computer Science, Carnegie Mellon University, August 1993.
[12] B. Beizer. The Pentium bug, an industry watershed. In Testing Techniques Newsletter On-Line Edition, September 1995.
[13] T. Bengtsson, A. Martinelli, and E. Dubrova. A Fast Heuristic Algorithm for Disjoint Decomposition of Boolean Functions. Proceedings of International Workshop on Logic Synthesis, pages 51–55, 2002.
[14] V. Bertacco and M. Damiani. The Disjunctive Decomposition of Logic Functions. Proceedings of International Conference on Computer-Aided Design, pages 78–82, 1997.
[15] M. Blum, A. Chandra, and M. Wegman. Equivalence of Free Boolean Graphs Can Be Decided Probabilistically in Polynomial Time. Information Processing Letters, 10:80–82, 1980.
[16] D. Bochmann, F. Dresig, and B. Steinbach. A New Decomposition Method for Multilevel Circuit Design. Proceedings of European Design Automation Conference, pages 374–377, 1991.
[17] B. Bollig, M. Löbbing, and I. Wegener. Simulated annealing to improve variable orderings for OBDDs. Proceedings of International Workshop on Logic Synthesis, pages 5b:5.1–5.10, 1995.
[18] S. Bose and A. Fisher. Verifying Pipelined Hardware using Symbolic Logic Simulation. In Proceedings of International Conference on Computer Design, pages 217–221, 1989.
[19] R. S. Boyer and J. S. Moore. A Computational Logic Handbook. Academic Press, New York, 1988.
[20] R. K. Brayton, G. D. Hachtel, A. Sangiovanni-Vincentelli, F. Somenzi, A. Aziz, S.-T. Cheng, S. Edwards, S. Khatri, Y. Kukimoto, A. Pardo, S. Qadeer, R. K. Ranjan, S. Sarwary, T. R. Shiple, G. Swamy, and T. Villa. VIS: A system for Verification and Synthesis. In Proceedings of the Computer Aided Verification Conference, July 1996.
[21] R. Bryant. Graph-based Algorithms for Boolean Function Manipulation. IEEE Transactions on Computers, C-35:677–691, August 1986.
[22] R. Bryant and Y. A. Chen. Verification of Arithmetic Circuits with Binary Moment Diagrams. In Proceedings of the Design Automation Conference, pages 535–541, June 1995.
[23] R. E. Bryant. Formal verification of memory circuits by switch level simulation. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 10(1):94–102, January 1991.
[24] R. E. Bryant, D. L. Beatty, and C.-J. H. Seger. Formal hardware verification by symbolic ternary trajectory evaluation. In Proceedings of the Design Automation Conference, pages 397–402, June 1991.
[25] J. R. Burch, E. M. Clarke, K. L. McMillan, and D. L. Dill. Symbolic Model Checking: 10^20 States and Beyond. Information and Computation, 98(2):142–170, 1992.
[26] K. M. Butler, D. E. Ross, R. Kapur, and M. R. Mercer. Heuristics to compute variable ordering for the efficient manipulation of binary decision diagrams. Proceedings of the Design Automation Conference, pages 417–420, June 1991.
[27] Cadence. Verilog-XL User Reference.
[28] A. K. Chandra and V. S. Iyengar. Constraint Solving for Test Case Generation - A Technique for High Level Design Verification. In Proceedings of International Conference on Computer Design, pages 245–248, 1992.
[29] H. Cho, G. D. Hachtel, E. Macii, M. Poncino, and F. Somenzi. A Structural Approach to State Space Decomposition for Approximate Reachability Analysis. In Proceedings of International Conference on Computer Design, October 1994.
[30] E. M. Clarke and E. A. Emerson. Design and Synthesis of Synchronization Skeletons Using Branching Time Logic. In Proceedings of Workshop on Logic of Programs, volume 131 of Lecture Notes in Computer Science, pages 52–71. Springer-Verlag, 1981.
[31] Toshiba Corporation. http://www.toshiba.com.
[32] O. Coudert, C. Berthet, and J. C. Madre. Verification of Sequential Machines Based on Symbolic Execution. In J. Sifakis, editor, Proceedings of the Workshop on Automatic Verification Methods for Finite State Systems, volume 407 of Lecture Notes in Computer Science, pages 365–373, June 1989.
[33] O. Coudert and J. C. Madre. Verification of Sequential Machines Using Functional Boolean Vectors. In Proceedings of the IFIP International Workshop, Applied Formal Methods for Correct VLSI Design, November 1989.
[34] O. Coudert and J. C. Madre. A Unified Framework for the Formal Verification of Sequential Circuits. In Proceedings of International Conference on Computer-Aided Design, pages 126–129, November 1990.
[35] M. Davis and H. Putnam. A Computing Procedure for Quantification Theory. Journal of the Association for Computing Machinery, pages 201–215, July 1960.
[36] R. Davis. Diagnostic reasoning based on structure and behavior. Artificial Intelligence, 24:347–410, 1984.
[37] S. Devadas, A. Ghosh, and K. Keutzer. An observability-based code coverage metric for functional simulation. Proceedings of the Design Automation Conference, pages 418–425, 1996.
[38] D. Geist, G. Brian, T. Arons, M. Slavkin, Y. Nustov, M. Farkas, K. Holtz, A. Long, D. King, and S. Barret. A Methodology For the Verification of a "System On Chip". Proceedings of the Design Automation Conference, pages 574–579, 1999.
[39] R. Drechsler, B. Becker, and N. Göckel. A genetic algorithm for variable ordering of OBDDs. Proceedings of International Workshop on Logic Synthesis, pages 5c:5.55–5.64, 1995.
[40] E. V. Dubrova, J. C. Muzio, and B. von Stengel. Finding Composition Trees for Multiple-valued Functions. Proceedings of the 27th International Symposium on Multiple-Valued Logic (ISMVL '97), pages 19–26, 1997.
[41] E. A. Emerson. Temporal and Modal Logic. In J. van Leeuwen, editor, Formal Models and Semantics, volume B of Handbook of Theoretical Computer Science, pages 996–1072. Elsevier Science, 1990.
[42] E. A. Emerson and E. M. Clarke. Characterizing Correctness Properties of Parallel Programs as Fixpoints. (85), 1981.
[43] E. A. Emerson and C. L. Lei. Modalities for Model Checking: Branching Time Strikes Back. In Proceedings of ACM Symposium on Principles of Programming Languages, pages 84–96, 1985.
[44] E. A. Emerson and C. L. Lei. Efficient model checking in fragments of the propositional mu-calculus (extended abstract). In Proceedings of IEEE Symposium on Logic in Computer Science, pages 267–278, 1986.
[45] F. Somenzi et al. CUDD: CU Decision Diagram Package. ftp://vlsi.colorado.edu/pub/.
[46] A. Evans, A. Silburt, G. Vrckovnik, T. Brown, M. Dufresne, G. Hall, T. Ho, and Y. Liu. Functional Verification of Large ASICs. In Proceedings of the Design Automation Conference, pages 650–655, 1998.
[47] F. A. Aloul, I. L. Markov, and K. A. Sakallah. MINCE: A Static Global Variable-Ordering for SAT and BDD. In Proceedings of International Workshop on Logic Synthesis, June 2001.
[48] F. Casaubieilh, A. McIsaac, M. Benjamin, M. Bartly, F. Pogodalla, F. Rochetean, M. Belhadj, J. Eggleton, G. Mas, G. Barrett, and C. Berthet. Functional Verification Methodology of Chameleon Processor. In Proceedings of the Design Automation Conference, 1996.
[49] E. Felt, G. York, R. K. Brayton, and A. L. Sangiovanni-Vincentelli. Dynamic variable reordering for BDD minimization. Proceedings of European Conference on Design Automation, pages 130–135, 1993.
[50] J. Freeman, R. Duerden, C. Taylor, and M. Miller. The 68060 microprocessor functional design and verification methodology. In On-Chip Systems Design Conference, pages 10.1–10.14, 1995.
[51] S. J. Friedman and K. J. Supowit. Finding the optimal variable ordering for binary decision diagrams. IEEE Transactions on Computers, 39(5):710–713, May 1990.
[52] H. Fujii, G. Ootomo, and C. Hori. Interleaving Variable Ordering Methods for Ordered Binary Decision Diagrams. In Proceedings of International Conference on Computer-Aided Design, pages 38–41, November 1993.
[53] M. Fujita, Y. Tamiya, Y. Kukimoto, and K.-C. Chen. Application of Boolean Unification to Combinational Logic Synthesis. Proceedings of International Conference on Computer-Aided Design, pages 510–513, 1991.
[54] N. Ganguly, M. S. Abadir, and M. Pandey. PowerPC array verification methodology using formal techniques. In Proceedings of International Test Conference, pages 857–864, 1996.
[55] M. Gordon. HOL: A Proof Generating System for Higher-order Logic. In G. Birtwistle and P. A. Subrahmanyam, editors, VLSI Specification, Verification and Synthesis, pages 73–127. Academic Press, Boston, 1988.
[56] G. D. Hachtel, E. Macii, A. Pardo, and F. Somenzi. Symbolic Algorithms to Calculate Steady-State Probabilities of a Finite State Machine. In The European Design and Test Conference, pages 214–218, 1994.
[57] P.-H. Ho, A. J. Isles, and T. Kam. Formal verification of pipeline control using controlled token nets and abstract interpretation. In Proceedings of International Conference on Computer-Aided Design, pages 529–536, 1998.
[58] R. C. Ho, C. H. Yang, M. A. Horowitz, and D. L. Dill. Architectural Validation for Processors. In Proceedings of the International Symposium on Computer Architecture, June 1995.
[59] R. Hojati, S. C. Krishnan, and R. K. Brayton. Early Quantification and Partitioned Transition Relations. Proceedings of International Conference on Computer Design, pages 12–19, October 1996.
[60] Y. Hoskote, D. Moundanos, and J. Abraham. Automatic Extraction of the Control Flow Machine and Application to Evaluating Coverage of Verification Vectors. In Proceedings of International Conference on Computer Design, Austin, TX, October 1995.
[61] Y. Hoskote, D. Moundanos, and J. A. Abraham. Automatic Extraction of the Control Flow Machine and Application to Evaluating Coverage of Verification Vectors. Proceedings of International Conference on Computer Design, pages 532–537, October 1995.
[62] C. N. Ip and D. L. Dill. Verifying systems with replicated components in Murφ. In Conference on Computer-Aided Verification, volume 1102 of Lecture Notes in Computer Science, pages 147–158. Springer-Verlag, July 1996.
[63] H. Iwashita, T. Nakata, and F. Hirose. CTL Model Checking Based on Forward State Traversal. Proceedings of International Conference on Computer-Aided Design, pages 82–87, 1996.
[64] R. B. Jones, D. L. Dill, and J. R. Burch. Efficient validity checking for processor verification. In International Conference on Computer-Aided Design (ICCAD), pages 2–6. IEEE Computer Society Press, November 1995.
[65] G. Kamhi, O. Weissberg, and L. Fix. Automatic datapath extraction for efficient usage of HDD. In Proceedings of the Computer Aided Verification Conference, pages 95–106, 1997.
[66] M. Kaufmann, A. Martin, and C. Pixley. Design Constraints in Symbolic Model Checking. In Proceedings of the Computer Aided Verification Conference, 1998.
[67] M. Kaufmann and J. S. Moore. ACL2: An industrial strength version of Nqthm. In Proceedings of the 11th Annual Conference on Computer Assurance, IEEE Computer Society Press, pages 23–34, June 1996.
[68] D. Koller and N. Megiddo. Constructing small sample spaces satisfying given constraints. SIAM Journal on Discrete Mathematics, pages 260–274, 1994.
[69] R. Krieger, B. Becker, and R. Sinkovic. A BDD-based Algorithm for Computation of Exact Fault Detection Probabilities. In International Symposium on Fault-Tolerant Computing, pages 186–195, 1993.
[70] J. Kumar, N. Strader, J. Freeman, and M. Miller. Emulation Verification of the Motorola 68060. In Proceedings of International Conference on Computer Design, 1995.
[71] R. P. Kurshan. Reducibility in Analysis of Coordination. In Discrete Event Systems: Models and Applications, volume 103 of LNCS, pages 19–39. Springer-Verlag, 1987.
[72] R. P. Kurshan. Automata-Theoretic Verification of Coordinating Processes. Princeton University Press, 1993.
[73] R. P. Kurshan. Computer-aided verification of coordinating processes: The automata-theoretic approach. Princeton University Press, 1994.
[74] C. Y. Lee. Representation of switching circuits by binary-decision programs. Bell System Technical Journal, 38(4):985–999, July 1959.
[75] B. Lin and R. Newton. Implicit Manipulation of Equivalence Classes Using Binary Decision Diagrams. In Proceedings of International Conference on Computer Design, Cambridge, MA, October 1991.
[76] B. Lin, H. J. Touati, and A. R. Newton. Don't Care Minimization of Multi-level Sequential Logic Networks. In Proceedings of International Conference on Computer-Aided Design, pages 414–417, November 1990.
[77] L. Löwenheim. Über das Auflösungsproblem im logischen Klassenkalkül. Sitzungsber. Berl. Math. Gesell. 7, pages 89–94, 1908.
[78] T. Luba and H. Selvaraj. A General Approach to Boolean Function Decomposition and its Application in FPGA-based Synthesis. VLSI Design, Special Issue on Decompositions in VLSI Design, 3(3-4):289–300, 1995.
[79] U. Martin and T. Nipkow. Boolean unification - the story so far. Journal of Symbolic Computation, 7:275–293, 1989.
[80] P. McGeer, K. McMillan, A. Saldanha, A. Sangiovanni-Vincentelli, and P. Scaglia. Fast Discrete Function Evaluation. In Proceedings of International Conference on Computer-Aided Design, November 1995.
[81] K. L. McMillan. A conjunctively decomposed boolean representation for symbolic model checking. Proceedings of the Computer Aided Verification Conference, 1996.
[82] K. L. McMillan. Symbolic Model Checking. Kluwer Academic Publishers, 1993.
[83] G. De Micheli. Synthesis and Optimization of Digital Circuits. McGraw-Hill, 1994.
[84] A. Mishchenko, B. Steinbach, and M. Perkowski. An Algorithm for Bi-Decomposition of Logic Functions. Proceedings of the Design Automation Conference, 2001.
[85] J. Monaco, D. Holloway, and R. Raina. Functional Verification Methodology for the PowerPC 604 Microprocessor. In Proceedings of the Design Automation Conference, 1996.
[86] I. Moon, J. Jang, G. D. Hachtel, F. Somenzi, J. Yuan, and C. Pixley. Approximate Reachability Don't Cares for CTL Model Checking. Proceedings of International Conference on Computer-Aided Design, November 1998.
[87] S. Owre, J. Rushby, N. Shankar, and F. von Henke. Formal verification for fault-tolerant architectures: Prolegomena to the design of PVS. IEEE Transactions on Software Engineering, 21(2):107–125, February 1995.
[88] S. Panda and F. Somenzi. Symmetry Detection and Dynamic Variable Ordering of Decision Diagrams. Proceedings of International Conference on Computer-Aided Design, 1994.
[89] M. Pandey, R. Raimi, R. E. Bryant, and M. S. Abadir. Formal verification of content addressable memories using symbolic trajectory evaluation. In Proceedings of the Design Automation Conference, pages 167–172, 1997.
[90] D. Park. Fixpoint Induction and Proof of Program Semantics. 5:59–78, 1970.
[91] C. Pixley. A Theory and Implementation of Sequential Hardware Equivalence. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 11(12):1469–1494, December 1992.
[92] C. Pixley, K. Shultz, and J. Yuan. Integrated Formal and Informal Design Verification of Commercial Integrated Circuits. International Conference on Parallel and Distributed Processing Techniques and Applications (PDPTA), pages 1061–1067, June 1999.
[93] C. Pixley, N. R. Strader, W. C. Bruce, J. Park, M. Kaufmann, K. Shultz, M. Burns, J. Kumar, J. Yuan, and J. Nguyen. Commercial Design Verification: Methodology and Tools. In Proceedings of International Test Conference, 1997.
[94] S. Rajan, N. Shankar, and M. K. Srivas. An integration of model-checking with automated proof checking. In Proceedings of the Computer Aided Verification Conference, pages 84–97, July 1995.
[95] R. K. Ranjan, A. Aziz, B. Plessier, C. Pixley, and R. K. Brayton. Efficient BDD Algorithms for FSM Synthesis and Verification. Proceedings of International Workshop on Logic Synthesis, May 1995.
[96] K. Ravi and F. Somenzi. High Density Reachability Analysis. In Proceedings of International Conference on Computer-Aided Design, Santa Clara, CA, November 1995.
[97] S. Rudeanu. Boolean Functions and Equations. 1974.
[98] R. Rudell. Dynamic Variable Ordering for Binary Decision Diagrams. In Proceedings of International Conference on Computer-Aided Design, pages 42–47, November 1993.
[99] H. Savoj, R. K. Brayton, and H. Touati. Extracting Local Don't Cares for Network Optimization. In Proceedings of International Conference on Computer-Aided Design, pages 514–517, November 1991.
[100] J. Shen and J. A. Abraham. Native Mode Functional Test Generation for Microprocessors with Applications to Self Test and Design Validation. Proceedings of International Test Conference, pages 990–999, October 1998.
[101] T. Shiple and J. Kukula. Building Circuits From Relations. In Proceedings of the Computer Aided Verification Conference, 2000.
[102] J. H. Siekmann. Universal unification. In 7th International Conference on Automated Deduction, Lecture Notes in Computer Science, pages 1–42, 1984.
[103] V. Singhal. Design Replacements for Sequential Circuits. PhD thesis, University of California, Berkeley, Electronics Research Laboratory, College of Engineering, Berkeley, CA 94720, 1996.
[104] S. Taylor, M. Quinn, D. Brown, N. Bohm, S. Hildebrandt, J. Huggins, and C. Ramey. Functional Verification of a Multiple-issue, Out-of-Order, Superscalar Alpha Processor. In Proceedings of the Design Automation Conference, pages 638–643, 1998.
[105] S. M. Thatte and J. A. Abraham. Test Generation for Microprocessors. IEEE Transactions on Computers, C-29:429–441, June 1980.
[106] K. Thompson. Retrograde analysis of certain endgames. ICCA Journal, 9(3):131–139, 1986.
[107] H. Touati, R. K. Brayton, and R. P. Kurshan. Checking Language Containment using BDDs. In Proceedings of International Workshop on Formal Methods in VLSI Design, Miami, FL, January 1990.
[108] M. N. Velev and R. E. Bryant. Superscalar processor verification using efficient reductions of the logic of equality with uninterpreted functions to propositional logic. In CHARME, pages 37–53, 1999.
[109] W. Büttner. Unification in finite algebras is unitary. In Proceedings of CADE-9, volume 310 of Lecture Notes in Computer Science, pages 368–377, 1988.
[110] W. Büttner and H. Simonis. Embedding boolean expressions into logic programming. Journal of Symbolic Computation, 4:191–205, 1987.
[111] B. Yang, R. Simmons, R. E. Bryant, and D. R. O'Hallaron. Optimizing Symbolic Model Checking for Constraint-rich Models. Proceedings of the Computer Aided Verification Conference, 1999.
[112] J. Yuan, K. Albin, A. Aziz, and C. Pixley. Simplifying constraint solving in random simulation generation. In Proceedings of International Workshop on Logic Synthesis, pages 185–189, June 2002.
[113] J. Yuan and A. Aziz. Random vector generation using event probabilities. Technical report, 2000.
[114] J. Yuan, A. Aziz, and K. Albin. Enhancing simulation coverage through guided vector generation. Technical report, 2002.
[115] J. Yuan, A. Aziz, K. Albin, and C. Pixley. Simplifying boolean constraint solving for random simulation-vector generation. Proceedings of International Conference on Computer-Aided Design, 2002. To appear.
[116] J. Yuan, J. Shen, J. A. Abraham, and A. Aziz. On Combining Formal and Informal Verification. In Proceedings of the Computer Aided Verification Conference, Lecture Notes in Computer Science, pages 376–387. Springer-Verlag, June 1997.
[117] J. Yuan, K. Shultz, J. Havlicek, K. Albin, and A. Aziz. A method for synthesizing boolean constraints. In Proceedings of International Workshop on Logic Synthesis, pages 351–353, June 2002.
[118] J. Yuan, K. Shultz, C. Pixley, and H. Miller. A tool for Automatically Generating Simulation Environments from Constraints. Proceedings of the ITC Microprocessor Test and Verification Workshop, October 1998.
[119] J. Yuan, K. Shultz, C. Pixley, H. Miller, and A. Aziz. Modeling Design Constraints and Biasing in Simulation Using BDDs. Proceedings of International Conference on Computer-Aided Design, pages 584–589, 1999.
[120] J. Yuan, K. Shultz, C. Pixley, H. Miller, and A. Aziz. Automatic Simulation Generation Using Constraints and Biasing. Journal of Electronic Testing: Theory and Applications, pages 107–120, 2000.
Vita
Jun Yuan was born in Chongqing, China, the son of Wei Yuan and Ping
Lin. He received the degree of Bachelor of Science in Engineering at Tsinghua
University, Beijing, China in 1989, in the area of Automotive Engineering. He
received the degree of Master of Science in Engineering at University of Texas at
Austin in 1995, in the area of Computer Engineering. From 1989 to 1991, he was
employed by Sichuan Biomedical Engineering R&D Center in Chengdu, China.
From 1994 to 1995, he worked in Advanced Micro Devices Inc. in Austin, Texas.
He has been employed by the Motorola Corporation, in Austin, Texas, since 1995.
Permanent address: 6911 Gentle Oak Drive
Austin, TX 78749
This dissertation was typeset with LaTeX† by the author.
†LaTeX is a document preparation system developed by Leslie Lamport as a special version of Donald Knuth's TeX program.
