BDD- and SAT-based model checking and verification methods normally require an initial state. Here we are concerned with sequential hardware verification, where an initial state must be one of the reset states. In practice, a reset state is not always given by the designer, and computing a reset state of a circuit is a hard problem. In this paper we propose a method that allows the use of SAT-based verification methods without the need for a user-given or a computed initial state. The idea is to employ a binary encoding of 3-valued modeling of circuits, and to use the undefined state X as the reset state.
Introduction
In the theory of Finite State Machines (FSM) [Koh78], one assumes an initial state (or a set of initial states), from which the machine starts operating. Here we will be concerned with sequential verification of synchronized hardware (circuit) models. In the practice of hardware verification, an initial state s_i of a circuit C is a state where all state elements (latches and flip-flops) have a binary value (T or F), and there is an initializing sequence π_i that brings C from the X state to that binary state s_i [CA89]. A reset or a synchronization sequence for C, on the other hand, is a sequence π_r that brings C from any binary state to a unique state s_r, called a reset or a synchronization state (π_r and s_r are independent of the state from which C starts operating) [Koh78]. Any initializing sequence is clearly a reset sequence, but the converse does not hold [CA89].
Classic BDD-based model checking and verification algorithms require a reset state [CBM89, CM90, TSLBS90, CCQ96, CC97, McM93]. The same is true for well-known SAT-based model checking algorithms such as Bounded Model Checking [BCC99, BCCFZ99] or the induction method [SSS00]. Computation of reset sequences is a hard problem [CJSP93, PB94, PJH94, LP96, KBS96, CPRSS97, RH02].
Therefore in this work we are looking for verification methods that can work without a reset state.
Unlike SAT- and BDD-based methods, the ATPG methods do not require a reset state [HCCG96, HCC96, HCC01]. There, one assumes the outputs to differ, and looks for a justifying assignment. The circuit modeling is ternary: besides the two binary values T and F, one considers an unknown value, X (elsewhere also denoted by ⊥ or u). A justified assignment gives an input vector sequence that, if applied to the circuits starting at the unknown state X (or at any binary state), brings them to a state where their outputs differ.
In order to take advantage of the rapidly developing SAT-based verification technology, here we propose a SAT-based method for verifying 3-valued equivalence of sequential circuits without initialization. Our method is based on the dual-rail modeling of circuits, where every ternary value is represented by a pair of binary values (see [Bry87, BS94, SB95, KR03]). Via dual-rail encoding, we arrive at an ordinary (2-valued) propositional logic formulation of the verification problem.
The novelty of our approach is to show that the dual-rail X state can be used as a reset state in the (forward as well as backward) SAT-based algorithms mentioned above (the BMC and induction algorithms). We first present an algorithm for checking 3-valued equivalence which uses the X state as a reset state, and prove its correctness and completeness. We then discuss the applicability of our method to verification with respect to other concepts of sequential equivalence, such as alignability or post-synchronization equivalence [Pix92], and steady-state equivalence [KMH02].
The paper is structured as follows. In the next section, we quickly recall some basic definitions used in this work. In Section 3, we recall a backward ATPG-based algorithm for verifying 3-valued equivalence [HCCG96, HCC96, HCC01] and explain its drawbacks. In Section 4, we give a light introduction to a binary encoding, called dual-rail encoding, of 3-valued logic into Boolean logic, originally developed for the purpose of efficient symbolic simulation and more direct modeling of circuit operation [BS94]. We also refer to more recent results on the usage of the dual-rail encoding in SAT-based sequential verification [KR03]. In Section 5, we propose a SAT-based method for 3-valued equivalence verification, and discuss how it relates to the ATPG algorithm mentioned above. In Section 6 we discuss how our method can be extended to steady-state and alignability sequential equivalence verification. Experimental results are discussed in Section 7. Conclusions appear in Section 8.
Preliminaries
Without restricting generality, we will assume that any circuit C has exactly one output, o. We denote by C_1 and C_2 our specification and implementation circuits (with outputs o_1 and o_2, respectively), and assume that they have the same set of inputs (dummy inputs can be added, if necessary). We denote by C_xor the combined circuit with shared inputs and XORed output o = o_1 XOR o_2. And we denote by C_xnor the combined circuit (the product machine [HS98]) with shared inputs and
We consider ternary modeling of circuit node values. A value is one of the binary values, T or F, or the undefined value ⊥ (elsewhere also denoted by X or u). Given a ternary (or binary) input vector sequence π, n(s, π) will denote the value of node n of a circuit C after 3-valued simulation of C with π, starting at state s. Similarly, C(s, π) denotes the (ternary) state into which π brings C from state s.
A circuit C is specified as a collection of next-state functions (NSFs) of the latches as well as of the output. An NSF is a function of current and next-state values of inputs and latches.
This collection of NSFs defines a sequential instance corresponding to C, denoted Inst(C). We denote by Pins(C) the set of inputs, latches, and the output of C. Every pin variable p can be viewed as a sequence
Proof obligations can be added to an instance. They represent properties whose validity in all (relevant) phases we intend to check. The proof obligations we will be interested in are safety properties related to the validity of o_xnor ⇔ T.
Unrolling to depth k of the instance Inst(C) yields a combinational instance,
Intuitively, falsification of a proof obligation expressing
to k iterations of an ATPG procedure for finding a counter-example (CE) to the proof obligation o_1 ⇔ o_2. We will see in later sections that this correspondence is not as tight as it may seem at first sight.
The following example clarifies the above definitions. 
A backward ATPG based method for verification without initialization
(That is, when o_1 has a binary value, then o_2 must have the same binary value.)
• Circuits C_1 and C_2 are 3-valued equivalent, written
Note that such a π brings C_xnor from state ⊥ into a 3-valued differ-state.
To check for 3-valued safe replacement, the authors propose to use an ATPG solver in the following way:
The backward justification for o_xor = T (on C_xor) stops whenever one of the following two conditions is satisfied:
• (Unjustifiable condition): All state requirements generated during the search for a partial test sequence are proven unjustifiable. Then C_2 is a 3-valued safe replacement of C_1.
• (Justified condition): A state requirement that has no requirements on C_1 is reached. Then a partial test sequence has been found, and C_2 is not a 3-valued safe replacement of C_1.
Similarly, Huang et al. [HCC96] proposed to disprove 3-valued equivalence by generating a state requirement that has no requirements on C_1 or on C_2, and to prove 3-valued equivalence by showing that all the state requirements generated while searching for a partial test for C_1 and C_2 and for a partial test for C_2 and C_1 are unjustifiable.
The above algorithm needs a termination criterion, based on some sort of 'diameter' or a fix-point, to be complete (not discussed in [HCC01]). For example, let both C_1 and C_2 be negated latches, l_1 and l_2, with control F (like the circuit C in Example 2.1). Then C_xor[0, k] will depend on the variables l_1[0] and l_2[0] for any k, and neither of the two stopping conditions will ever be satisfied.
There is also another reason why the above algorithm is not complete: even if an input vector sequence exists that brings C_xor from the X state to a differ-state (with output T), a partial test for C_xor, which the backward justification algorithm above is looking for, may not exist.
Example 3.2 Consider two circuits C_1 and C_2 (see Figure 2), each consisting of a single latch with clock signal c, with pattern, say, c = T, F, T, F, .... The input of the first latch is constant F, while the input of the other latch is o_2 XOR o_2. Starting from the X state, o_1 behaves as o_1 = X, F, F, ..., and o_2 behaves as o_2 = X, X, X, .... Thus these circuits are not 3-valued equivalent (and C_2 is not a 3-valued safe replacement of C_1). However, o_xor can never become T in a non-0 phase (the only two concretizations of the sequence o_2 = X, X, X, ... are o_2 = F, F, F, ... and o_2 = T, F, F, ...), thus a partial test exists neither for C_1 and C_2 nor for C_2 and C_1.
Remark 3.3 The above example was pointed out to us as a counter-example to (the sufficiency part of) Lemma 2 of [HCC01], which states that C_2 is a 3-valued safe replacement of C_1 iff there is no partial test for C_1 and C_2. While we believe the above example is not a counter-example to Lemma 2 of [HCC01], the correctness of the lemma does not affect the correctness of the above algorithm or of our results below, and we will not elaborate on this issue further.
Note that, intuitively, working with X values in a circuit corresponds to working with QBFs (Quantified Boolean Formulas): latch values are universally quantified in a predicate expressing a stop condition in the ATPG procedure above. Abdulla et al. [ABE00] investigated ways to simplify the translation of QBF into quantifier-free propositional formulae to facilitate SAT solvers on QBF, for the purpose of SAT-based model checking. Here we pursue a different path: to develop a SAT-based verification algorithm for 3-valued equivalence checking, we consider a dual-rail encoding of the ternary values. In the next section, we give a brief introduction to the subject. We will later explain why this approach can work well with certain SAT solvers, and how it can be extended to verifying sequential equivalence without initialization with respect to other useful concepts of sequential equivalence.
Verification using dual-rail modeling of circuits
Dual-rail modeling of circuits was introduced by Bryant [Bry87]. It was used in [BS94] to enable a more precise modeling of circuit operation, and to enable representation of all ternary values with BDDs via a binary encoding. This resulted in a more efficient symbolic simulator, as more complex behaviors could be modeled with a single simulation run. We refer to [SB95, Jon02]
The undefined value ⊥ is encoded by the pair (T, T). The truth constants are encoded by T = (T, F) and F = (F, T). The pair (F, F) encodes a contaminated or over-specified value. To avoid any confusion, we use T_dr, F_dr, and ⊥_dr to denote the dual-rail encodings of T, F and ⊥, respectively, and v_dr = (v_h, v_l) will denote the dual-rail encoding of a ternary variable v. Sequential logic can be expressed by using the Boolean connectives &, +, and ¬, and a phase-delay or next-state operation. Thus, in order to model sequential logic in dual-rail, it is enough to have dual-rail rules for these operations. We overload these logic connectives to denote the corresponding dual-rail counterparts as well. The dual-rail rules are as follows. Let x_dr = (x_h, x_l) and y_dr = (y_h, y_l) be the dual-rail encodings of ternary variables x and y. Then
Thus a dual-rail NSF is a pair of NSFs for the high and low values. We denote by C_dr[0, k] the dual-rail sequential instance unrolled to depth k, and denote by
Example 4.1 Let us compute x_dr XOR x_dr for x_dr = ⊥_dr, as in Example 3.2:
We can see that dual-rail computation corresponds to the usual 3-valued logic. To ensure that in a sequential instance the inputs are always binary, one adds, for every input variable i, the assumption i_h = ¬i_l. This in particular guarantees that we do not introduce (F, F) values in the instance. Further, if (F, F) values are not introduced in assumptions or in proof obligations, the NSFs cannot introduce them either (because the above four operations cannot result in an (F, F) value if the arguments are not over-constrained). Thus, for example, over-constrained values should not appear in a satisfying assignment found by a SAT solver. An appearance of (F, F) in a satisfying assignment indicates a bug (in the design or in the tool); that is why we do not add to the instance an assumption forbidding over-constrained values on all variables.
We demonstrate dual-rail computation on another example:
Example 4.2 Let C be the circuit of Example 2.1. Then Inst(C) consists of four NSFs:
and o_l = l_h. Besides, we assume that d, as an input, is always binary, by adding d_h = ¬d_l as an assumption to Inst(C).
Dual-rail modeling is currently used in an alignability verification engine, Insight, in the formal verification group at Intel. Despite the double number of variables, experimental results show that the dual-rail implementation is 1.5x faster than a single-rail implementation based on the initialization flow reported in [RH02] . Among other factors, this is due to the fact that the dual variables 'behave similarly', and our SAT solver can exploit this similarity without a significant overhead [KR03] . For example, SAT solvers based on the saturation method [SS00] are known to perform well when there are many equivalent (up to negation) variables in the instance.
A SAT-based method for checking 3-valued equivalence
In this section, we show how the BMC algorithm [BCC99, BCCFZ99] and the induction method [SSS00] can be adapted to enable verification without a reset state, by using the dual-rail state ⊥ as the initial state. Unlike the original ATPG-based algorithm of Huang et al. [HCC01], our algorithm is (sound and) complete. We will also see that a more direct encoding of the ATPG algorithm into the SAT-based dual-rail formalism results in an incomplete algorithm.
Algorithm 1 describes our 3-valued equivalence verification procedure without a reset state.
Theorem 5.1 Algorithm 1 is a sound and complete procedure for checking 3-valued equivalence.
Proof. The situations in which the proof obligation can be falsified are exactly the situations where the pair (o_1, o_2) is a 3-valued differ-pair:
F, since T XOR T = F XOR F = F.
In Algorithm 1, we mainly use induction-based algorithms [SSS00], since they perform better when a full proof is sought. (We use the BMC-based methods in algorithms that require initialization, where the counter-examples become (part of) the initializing or synchronizing sequences [RH02, KR03].) We recall briefly that in the induction method, unrolling with increasing depths is performed until a counter-example (to the proof obligation) is found, or the induction step can be proved (see also [BC00] for a nice description of why simple induction, with depth 1, is not enough). In [SSS00], termination conditions for the induction step are presented that reflect both forward and backward state space traversal methods; thus our algorithm can also be made forward or backward (or combined), depending on which kind of induction is used.
Algorithm 1 SAT-based algorithm for
A direct encoding of the ATPG algorithm of [HCC01] into a SAT-based model checking problem would correspond to
• considering the set of (combined) states where all latches of C_1 or all latches of C_2 are in state ⊥_dr as the set of initial states;
• considering the states where (o_xor)_dr = T_dr as the bad states;
• and applying the backward induction scheme of [SSS00].
Counter-examples found by such an algorithm would be the correct ones, but the algorithm would miss counter-examples in situations like in Example 3.2. We therefore abandon this algorithm in favor of Algorithm 1 above.
In this section, we comment on the applicability of our methods for equivalence checking with respect to some other concepts of equivalence, namely steady-state equivalence and alignability equivalence.
Verifying steady-state equivalence
We recall the definition of steady-state equivalence from [KMH02]. In steady-state equivalence, we compare the outputs only in time phases where both outputs have binary values. Values in other time phases are don't-cares. Thus circuits that are 3-valued equivalent are also steady-state equivalent, but not vice versa.
Definition 6.1 ([KMH02])
• An input vector sequence π is called a steady-state sequence for a circuit C if o(⊥, π) is binary.
• Circuits C_1 and C_2 with outputs o_1 and o_2 are called steady-state equivalent, written C_1 ≅_ss C_2, iff for any input sequence π that is a steady-state sequence for both C_1 and
In order to develop a verification procedure for verifying steady-state equivalence without a reset state, we can simply change the proof obligation in Algorithm 1 to the following one:
where binary(o_i) denotes the property that o_i has a binary value (that is, (o_i)_h = ¬(o_i)_l), i = 1, 2.
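As an added worked example (not code from the paper or from the Insight engine it mentions), the Python below implements the dual-rail rules of Section 4, recomputes Example 4.1 (⊥_dr XOR ⊥_dr), and replays Example 3.2 from the ⊥_dr state, with a brute-force enumeration of binary input sequences standing in for the SAT solver of Algorithm 1: once under the 3-valued differ-pair condition and once under the steady-state condition just described. Assumptions: all function names are ours; the exact proof obligation of Algorithm 1 is not reproduced on this page, so `differ_3val` follows the textual definition (one output binary, the other not carrying that value) and `differ_ss` the steady-state one (both binary and different); the enumeration explores only a bounded depth, so a `None` result is not a proof, which is exactly why Algorithm 1 relies on induction.

```python
import itertools

# Dual-rail encoding (Section 4): a ternary value is a (high, low) pair.
T_DR = (True, False)    # T_dr
F_DR = (False, True)    # F_dr
X_DR = (True, True)     # ⊥_dr, the undefined value used here as the reset state
OVER = (False, False)   # contaminated / over-specified pair; must never appear


def dr_not(x):
    """Dual-rail negation: swap the two rails."""
    return (x[1], x[0])

def dr_and(x, y):
    """Dual-rail AND: AND the high rails, OR the low rails."""
    return (x[0] and y[0], x[1] or y[1])

def dr_or(x, y):
    """Dual-rail OR: OR the high rails, AND the low rails."""
    return (x[0] or y[0], x[1] and y[1])

def dr_xor(x, y):
    """XOR expressed with the three connectives above (Example 4.1)."""
    return dr_or(dr_and(x, dr_not(y)), dr_and(dr_not(x), y))

def dr_mux(sel, a, b):
    """(sel & a) + (¬sel & b): a clocked latch loads a on sel = T, holds b on sel = F."""
    return dr_or(dr_and(sel, a), dr_and(dr_not(sel), b))

def binary(x):
    """binary(v) of Section 6: the rails differ, i.e. v_h = ¬v_l."""
    return x[0] != x[1]

def show(x):
    return {T_DR: "T", F_DR: "F", X_DR: "X"}.get(x, "OVER")


# Circuits are step functions (inputs, state) -> (output, next_state); every
# latch starts in ⊥_dr.  c1_step / c2_step are the two circuits of Example 3.2.
def c1_step(inputs, state):
    """C_1: one latch clocked by c, data input constant F, output o_1 = latch."""
    (c,), (l,) = inputs, state
    return l, (dr_mux(c, F_DR, l),)

def c2_step(inputs, state):
    """C_2: one latch clocked by c, data input o_2 XOR o_2, output o_2 = latch."""
    (c,), (l,) = inputs, state
    return l, (dr_mux(c, dr_xor(l, l), l),)

def neg_latch_step(inputs, state):
    """Section 3's termination example: latch with control F (never loads), output ¬l."""
    (d,), (l,) = inputs, state
    return dr_not(l), (dr_mux(F_DR, d, l),)


def differ_3val(o1, o2):
    """3-valued differ-pair (assumed reading of Algorithm 1's obligation):
    one output is binary and the other does not carry that value."""
    return (binary(o1) and o2 != o1) or (binary(o2) and o1 != o2)

def differ_ss(o1, o2):
    """Steady-state differ-pair (Section 6): both outputs binary and different."""
    return binary(o1) and binary(o2) and o1 != o2


def bounded_check(step1, step2, n_latches, n_inputs, depth, differ):
    """Brute-force stand-in for the SAT search: enumerate every binary input
    sequence of length `depth` (this realises the assumption i_h = ¬i_l),
    simulate both circuits in dual-rail from the all-⊥_dr state and return
    (input_prefix, phase, o1_trace, o2_trace) for the first falsifying phase,
    or None.  None only means "no counter-example up to depth"."""
    n1, n2 = n_latches
    inputs = list(itertools.product((T_DR, F_DR), repeat=n_inputs))
    for seq in itertools.product(inputs, repeat=depth):
        s1, s2 = (X_DR,) * n1, (X_DR,) * n2
        tr1, tr2 = [], []
        for t, inp in enumerate(seq):
            o1, s1 = step1(inp, s1)
            o2, s2 = step2(inp, s2)
            # Section 4: an (F, F) pair anywhere indicates a bug, so fail loudly.
            assert OVER not in s1 + s2 + (o1, o2), "over-constrained value reached"
            tr1.append(show(o1))
            tr2.append(show(o2))
            if differ(o1, o2):
                # seq[:t] is the sequence bringing C_xnor from ⊥ into the differ-state.
                return seq[:t], t, tr1, tr2
    return None


def run_example_3_2(depth=3):
    """3-valued and steady-state bounded results for Example 3.2."""
    three = bounded_check(c1_step, c2_step, (1, 1), 1, depth, differ_3val)
    steady = bounded_check(c1_step, c2_step, (1, 1), 1, depth, differ_ss)
    return three, steady
```

Running `run_example_3_2()` reproduces the discussion of Example 3.2: the 3-valued check returns the differ-pair (o_1, o_2) = (F, X) in phase 1 after the single input c = T, while the steady-state check returns `None`, because o_2 is never binary and so the two circuits are steady-state equivalent. Checking `neg_latch_step` against itself also returns `None` for any depth; that is consistent with the circuits being equivalent, but only the induction step of Algorithm 1 turns such a bounded result into a proof.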
Verifying alignability equivalence
We recall the definition of alignability or post-synchronization equivalence from [Pix92].
Definition 6.2
• A state (s_1, s_2) of the combined circuit C_xnor is an equivalent state if for any input sequence π, o_1(s_1, π) = o_2(s_2, π).
• A binary input sequence π is an aligning sequence for a combined state (s_1, s_2) of C_xnor if it brings C_xnor from state (s_1, s_2) into an equivalent state.
• Circuits C_1 and C_2 are alignable, written C_1 ≅_aln C_2, if every state of C_xnor has an aligning sequence (or equivalently, there is a sequence, called a universal aligning sequence, that aligns any state of C_xnor).
Lemma 6.3 (i)
If circuits C_1 and C_2 are synchronizable and
Proof.
Alignability equivalence is a widely used concept of equivalence. Therefore, to show the importance of our methods, it is important to clarify their relevance for alignability equivalence verification. Indeed, there are a number of ways to infer alignability or non-alignability of circuits by using the methods for checking steady-state or 3-valued equivalence presented in the earlier sections. We mention a few of them, based on the above lemma and a result in [HCC01].
• If our steady-state verification algorithm proves circuits C_1 and C_2 inequivalent, then it returns a counter-example π_d that brings C_xnor from state ⊥ to a binary differ-state. Such a sequence π_d is actually a universal counter-example demonstrating that C_1 ≇_aln C_2 (as it distinguishes any pair of states of C_1 and C_2).
• If on the other hand C_1 ≅_ss C_2, then from the SAT procedure proving this it is possible to extract information on whether the part binary(o_1) & binary(o_2) becomes true in some phase. Such a procedure depends on the particular strategy used to resolve the sequential instance, and goes beyond the scope of this paper.
(Of course initializability of C_1 and C_2 can be checked separately.) If yes, we have actually proven C_1 ≅_aln C_2 as well. If not, we cannot claim C_1 ≅_aln C_2, as a synchronizing but not initializing sequence may exist that brings C_xnor into an equivalent state. For such not 3-valued initializable circuits [HCC01] we use a formal initialization method, briefly discussed in [RH02], to find an aligning sequence when it exists.
• It is shown in [HCC01] that if both C_1 and C_2 are initializable, then C_1 ≅_3 C_2 implies C_1 ≅_aln C_2. Actually, it is enough to show that one of the circuits is initializable and the other one is its 3-valued safe replacement [HCC01].
• Since 3-valued equivalence requires o_1 and o_2 to match in all time phases, the above sufficient condition may not be practical for inferring alignability from 3-valued equivalence. Instead, a (k-)delayed 3-valued equivalence can be used, which requires o_1 and o_2 to match from phase k onward. Still, the usage of delayed 3-valued equivalence in proving alignability is limited.
Experimental results
We have implemented Algorithm 1 and its modified version for checking 3-valued and steady-state equivalence. Most of our circuits are resettable, thus in practice these algorithms perform an alignability check as well.
The experiments reported below were performed on a 550MHz dual-CPU Linux machine with 2GB of memory. A timeout of 300 seconds was used in the SAT solver. Experimental results show that the steady-state equivalence algorithm is 1.5x faster than a dual-rail alignability equivalence algorithm that first performs synchronization of the specification and implementation circuits (see Table 1; there, the numbers of latches and gates represent an average per output). And as already mentioned, the latter in turn is 1.5x faster than a corresponding single-rail implementation of the alignability checking engine (despite the fact that dual-rail modeling requires twice as many NSFs) [KR03]. Furthermore, the counter-examples returned by the steady-state engine are on average 2x shorter than those found by the alignability engine, which is much more important (for debugging) than the speed-up reported above (see Table 2, where circuits C_1-C_7 contain loops, while circuits C_8-C_14 are loop-free; all data is given per single output).
Conclusions
Thus far, SAT-based verification methods have mainly concentrated on property checking, and for a good reason: it is well understood that circuit equivalence verification can be performed by model checking of properties that express equivalence of the circuit outputs. Indeed, in this work we have demonstrated how SAT-based methods (such as BMC or the induction method) can be used for proving sequential equivalence with respect to a number of important sequential equivalence concepts.
In particular, we have developed SAT-based verification methods for verifying sequential circuits with respect to 3-valued, steady-state and (partly) alignability equivalence. The novelty of our approach is that it does not require a reset state. Instead, we use the undefined state as a reset state, after encoding the latter into a binary representation. Unlike the ATPG-based method of [HCC01], from which our approach emerged, our algorithms for checking 3-valued and steady-state equivalence are complete. We hope that our work sheds further light on the relationship between ATPG- and SAT-based sequential verification.
An advantage of our approach is that the verification procedure becomes conceptually relatively simple, and thus easy to implement and maintain. Our method complements earlier methods for which synchronization is an essential part of verification, as our algorithms outperform (in a number of dimensions) similar algorithms that need to compute reset states. Clearly, this does not decrease the importance of initialization-based methods. In particular, synchronization methods are indispensable when initializing sequences do not exist.
Actually, because of the importance of short counter-examples for debugging at early stages of design, steady-state verification is entering the default flow in our verification methodology, which was previously based on initialization. We remark also that the ability to find counter-examples quickly is important in the framework of model abstraction refinement (see e.g. [CGJLV00]). There, because one works with pruned models, there is a higher probability of (false) negatives until the right pruning is found. And synchronization can be checked only on correctly pruned models, i.e., when the pruned models are steady-state equivalent.
Despite the rapid development and success of SAT-based model checking, there is still a long way to go. As an example, we mention that, on loop-free circuits, SAT-based equivalence methods (both with or without initialization) perform very poorly compared to the method developed in [KMH02] for loop-free circuits. Both steady-state and alignability checks time out after thousands of seconds on tests that can be verified in less than a minute with the method in [KMH02] . SAT-based model checking will profit from the development of alternative ways of translating model-checking problems into SAT problems.
