Equivalence Checking By Logic Relaxation
Eugene Goldberg
eu.goldberg@gmail.com
Abstract. We introduce a new framework for Equivalence Checking (EC) of Boolean circuits based on a general technique called Logic Relaxation (LoR). The essence of LoR is to relax the formula to be solved and compute a superset S of the set of new behaviors. Namely, S contains all new satisfying assignments that appeared due to relaxation and does not contain assignments satisfying the original formula. Set S is generated by a procedure called partial quantifier elimination. If all possible bad behaviors are in S, the original formula cannot have them and so the property described by this formula holds. The appeal of EC by LoR is twofold. First, it facilitates generation of powerful inductive proofs. Second, proving inequivalence comes down to checking the presence of some bad behaviors in the relaxed formula, i.e. in a simpler version of the original formula. We give experimental evidence that supports our approach.
1 Introduction
1.1 Motivation
Our motivation for this work is threefold. First, Equivalence Checking (EC)
is a crucial part of hardware verification. Second, more efficient EC enables more
powerful logic synthesis transformations and so strongly impacts design quality.
Third, intuitively, there should exist robust and efficient EC methods meant for
combinational circuits computing values in a “similar manner”. Once discovered,
these methods can be extended to EC of sequential circuits and even software.
1.2 Structural similarity of circuits
In this paper, we target EC of structurally similar circuits N′ and N′′. Providing a comprehensive definition of structural similarity is a tall order. Instead, below we give an example of circuits that can be viewed as structurally similar. Let v′ be a variable of circuit N′. Let S(v′) = {v′′_{i1}, ..., v′′_{ik}} be a set of variables of N′′ that have the following property. The knowledge of values assigned to the variables of S(v′) in N′′ under input x is sufficient to find out the value of v′ in N′ under the same input x. (This means that v′ is a function of variables of S(v′) modulo assignments to S(v′) that cannot be produced in N′′ under any input.) Suppose that for every variable v′ of N′ there exists a small set S(v′) with the property above. Then one can consider circuits N′ and N′′ as structurally similar. The smaller the sets S(v′), the structurally closer N′ and N′′ are. In particular, if N′ and N′′ are identical, for every variable v′ there is a set S(v′) consisting of only one variable of N′′. An example of structurally similar circuits where S(v′) consists of two variables is given in Subsection 7.2.

arXiv:1511.01368v3 [cs.LO] 11 Jul 2016
1.3 EC by logic relaxation
Let N′(X′, Y′, z′) and N′′(X′′, Y′′, z′′) be single-output circuits to be checked for equivalence. Here X′ and Y′ specify the sets of input and internal variables of N′ respectively and z′ specifies the output variable of N′. The same applies to X′′, Y′′, z′′ of circuit N′′. A traditional way to verify the equivalence of N′ and N′′ is to form a two-output circuit shown in Fig. 1 and check if z′ ≠ z′′ for some input assignment (x′, x′′) where x′ = x′′. Here x′ and x′′ are assignments to variables of X′ and X′′ respectively. (By saying that p is an assignment to a set of variables V, we will assume that p is a complete assignment unless otherwise stated. That is, every variable of V is assigned a value in p.)
Formula EQ(X′, X′′) relating inputs of N′ and N′′ in Fig. 1 evaluates to 1 for assignments x′ and x′′ to X′ and X′′ iff x′ = x′′. (Usually, N′ and N′′ are just assumed to share the same set of input variables. In this paper, for the sake of convenience, we let N′ and N′′ have separate sets of input variables but assume that N′ and N′′ must be equivalent only for the input assignments satisfying EQ(X′, X′′).)
EC by Logic Relaxation (LoR) presented in this paper is based on the following idea. Let Out(N′, N′′) denote the set of outputs of N′ and N′′ when their input variables are constrained by EQ(X′, X′′). For equivalent circuits N′ and N′′ that are not constants, Out(N′, N′′) is equal to {(z′ = 0, z′′ = 0), (z′ = 1, z′′ = 1)}. Let Out_rlx(N′, N′′) denote the set of outputs of N′ and N′′ when their inputs are not constrained by EQ(X′, X′′). (Here rlx stands for “relaxed”.) Out_rlx(N′, N′′) is a superset of Out(N′, N′′) that may contain an output (z′ = 0, z′′ = 1) and/or output (z′ = 1, z′′ = 0) even when N′ and N′′ are equivalent. Let D_out denote Out_rlx(N′, N′′) \ Out(N′, N′′). That is, D_out contains the outputs that can be produced only when inputs of N′ and N′′ are independent of each other.
Fig. 1. Equivalence checking of N′ and N′′
Computing set D_out either solves the equivalence checking of N′ and N′′ or dramatically simplifies it. (This is important because, arguably, set D_out is much easier to find than Out(N′, N′′).) Indeed, assume that D_out contains both (z′ = 1, z′′ = 0) and (z′ = 0, z′′ = 1). Then N′ and N′′ are equivalent because assignments where values of z′ and z′′ are different are present in Out_rlx(N′, N′′) but not in Out(N′, N′′). Now, assume that D_out does not contain, say, assignment (z′ = 1, z′′ = 0). This can only occur in the following two cases. First, N′ cannot produce output 1 (i.e. N′ is a constant 0) and/or N′′ cannot produce 0 (i.e. N′′ is a constant 1). Second, both Out_rlx(N′, N′′) and Out(N′, N′′) contain assignment (z′ = 1, z′′ = 0) and hence N′ and N′′ are inequivalent. Separating these two cases comes down to checking if N′ and N′′ can evaluate to 1 and 0 respectively. If the latter is true, N′ and N′′ are inequivalent.
Set D_out is built in EC by LoR by computing a sequence of so-called boundary formulas H_0, ..., H_k. Formula H_i depends only on the variables of a cut of N′, N′′ (see Figure 2) and excludes the assignments of D_Cut_i = Cut_i^rlx(N′, N′′) \ Cut_i(N′, N′′). (That is, every assignment of D_Cut_i falsifies H_i.) Here Cut_i^rlx(N′, N′′) and Cut_i(N′, N′′) are the sets of all cut assignments produced when inputs of N′ and N′′ are unconstrained or constrained by EQ(X′, X′′) respectively. Formula H_0 is specified in terms of cut X′ ∪ X′′ and is equal to EQ(X′, X′′). Formula H_k is computed in terms of cut {z′, z′′} and so specifies the required set D_out (as a set of assignments falsifying H_k). Boundary formulas are computed by a technique called partial quantifier elimination (PQE) introduced in [9]. In PQE, only a part of the formula is taken out of the scope of quantifiers. So PQE can be dramatically more efficient than complete quantifier elimination.
1.4 The appeal of EC by LoR
The appeal of EC by LoR is twofold. First, EC by LoR facilitates generation
of very robust proofs by induction via construction of boundary formulas. By
contrast, the current approaches (see e.g. [10,11,16]) employ fragile induction
proofs e.g. those that require existence of functionally equivalent internal points.
The size of boundary formulas depends on the similarity of N ′ and N ′′ rather
than their individual complexity. This suggests that proofs of equivalence in EC
by LoR can be generated efficiently.
Fig. 2. Building boundary formula H_cut
Second, the machinery of boundary formulas facilitates proving inequivalence. Let F_{N′}(X′, Y′, z′) and F_{N′′}(X′′, Y′′, z′′) be formulas specifying N′ and N′′ respectively. (We will say that a Boolean formula F_N specifies circuit N if every assignment satisfying F_N is a consistent assignment to variables of N and vice versa. We will assume that all formulas mentioned in this paper are Boolean formulas in Conjunctive Normal Form (CNF) unless otherwise stated.)
Circuits N′ and N′′ are inequivalent iff formula EQ(X′, X′′) ∧ F_{N′} ∧ F_{N′′} ∧ (z′ ≢ z′′) is satisfiable. Denote this formula as α. As we show in this paper, α is equisatisfiable with formula β equal to H_cut ∧ F_{N′} ∧ F_{N′′} ∧ (z′ ≢ z′′). Here H_cut is a boundary formula computed with respect to a cut (see Fig. 2). In general, formula β is easier to satisfy than α for the following reason. Let p be an assignment satisfying formula β. Let x′ and x′′ be the assignments to variables of X′ and X′′ respectively specified by p. Since variables of X′ and X′′ are independent of each other in formula β, in general, x′ ≠ x′′ and so p does not satisfy α. Hence, neither x′ nor x′′ is a counterexample. They are just inputs producing cut assignments q′ and q′′ (see Fig. 2) such that a) H_cut(q′, q′′) = 1 and b) N′ and N′′ produce different outputs under cut assignment (q′, q′′). To turn p into an assignment satisfying α one has to do extra work. Namely, one has to find assignments x′ and x′′ to X′ and X′′ that are equal to each other and under which N′ and N′′ produce cut assignments q′ and q′′ above. Then x′ and x′′ specify a counterexample. So the equisatisfiability of α and β allows one to prove N′ and N′′ inequivalent (by showing that β is satisfiable) without providing a counterexample.
1.5 Contributions and structure of the paper
Our contributions are as follows. First, we present a new method of EC based on LoR meant for a very general class of structurally similar circuits. This method is formulated in terms of a new technique called PQE that is a “light” version of quantifier elimination. Showing the potential of PQE for building new verification algorithms is our second contribution. Third, we relate EC by LoR to existing methods based on finding equivalent internal points. In particular, we show that a set of clauses relating points of an equivalence cut of N′ and N′′ is a boundary formula. So boundary formulas can be viewed as a machinery for generalization of the notion of an equivalence cut. Fourth, we give experimental evidence in support of EC by LoR. In particular, we employ an existing PQE algorithm whose performance can be drastically improved for solving non-trivial EC problems. Fifth, we show that interpolation is a special case of LoR (and interpolants are a special case of boundary formulas). In particular, we demonstrate that by using LoR one can interpolate a “broken” implication. This extension of interpolation can be used for generation of short versions of counterexamples.
The structure of this paper is as follows. Section 2 discusses the challenge of proving EC by induction. In Section 3, we show the correctness of EC by LoR and relate the latter to partial quantifier elimination. Boundary formulas are discussed in Section 4. Section 5 presents an algorithm of EC by LoR. Section 6 describes how one can apply EC by LoR if the power of a PQE solver is not sufficient to compute boundary formulas precisely. Section 7 provides experimental evidence in favor of our approach. In Section 8, some background is given. We relate interpolation and LoR in Section 9 and make conclusions in Section 10. The appendix of the paper contains six sections with additional information.
2 Proving Equivalence By Induction
Intuitively, for structurally similar circuits N′ and N′′, there should exist a short proof of equivalence shown in Fig. 3. In this proof, for every set Cut_i forming a cut, only a small set H_i of short clauses relating variables of Cut_i is generated. (A clause is a disjunction of literals. We will use the notions of a CNF formula C_1 ∧ ... ∧ C_p and the set of clauses {C_1, ..., C_p} interchangeably.) The relations of the i-th cut specified by H_i are derived using formulas H_j built earlier, i.e. j < i. This goes on until clauses specifying z′ ≡ z′′ are derived. We will refer to the proof shown in Fig. 3 as a proof by induction (slightly abusing the term “induction”). The good scalability of the current EC tools is based on their ability to derive proofs by induction. However, they can find such proofs only when cut variables have a very tight relation (most commonly, an equivalence relation). This means that these tools can handle only a very narrow subclass of structurally similar circuits.
Proving EC by induction is a challenging task because one has to address the following cut termination problem. When does one stop generating a set of clauses H_i in terms of variables of Cut_i and switch to building formula H_{i+1} relating variables of Cut_{i+1}? Let M_i denote the subcircuit consisting of the gates of N′ and N′′ located below the i-th cut (like subcircuit M of Fig. 4). A straightforward way to build an inductive proof is to make formula H_i specify the range of M_i, i.e. the set of all output assignments that can be produced by M_i. (We will also refer to the range of circuit M_i as a cut image because it specifies all assignments that can appear on the i-th cut.) Then formula H_{i+1} can be derived from formula H_i and the clauses specifying the gates located between Cut_i and Cut_{i+1}. A flaw of this approach is that a formula specifying the image of the i-th cut can get prohibitively large.
Fig. 3. An inductive proof of equivalence
A solution offered in EC by LoR is to use the boundary formulas introduced in Subsection 1.3 as formulas H_i. This solution has at least three nice qualities. First, boundary formulas have simple semantics. (H_i excludes the assignments of the i-th cut that can be produced when inputs of N′ and N′′ are independent of each other but cannot be produced when inputs are constrained by EQ(X′, X′′).) Second, the size of a boundary formula depends on the structural similarity of circuits N′ and N′′ rather than their individual complexity. In other words, a boundary formula computed for a cut is drastically simpler than a formula specifying the image of this cut in N′ and N′′. Third, formula H_i can be inductively derived from H_{i−1}, which gives an elegant solution to the cut termination problem. The construction of formula H_i ends (and that of H_{i+1} begins) when adding H_i to some quantified formula containing H_{i−1} makes the latter redundant.
3 Equivalence Checking By LoR And PQE
In this section, we prove the correctness of Equivalence Checking (EC) by Logic Relaxation (LoR) and relate the latter to Partial Quantifier Elimination (PQE). Subsection 3.1 introduces PQE. In Subsection 3.2, we discuss proving equivalence/inequivalence in EC by LoR. Besides, we relate EC by LoR to PQE.
3.1 Complete and partial quantifier elimination
In this paper, by a quantified formula we mean one with existential quantifiers. Given a quantified formula ∃W[A(V, W)], the problem of quantifier elimination is to find a quantifier-free formula A∗(V) such that A∗ ≡ ∃W[A]. Given a quantified formula ∃W[A(V, W) ∧ B(V, W)], the problem of Partial Quantifier Elimination (PQE) is to find a quantifier-free formula A∗(V) such that ∃W[A ∧ B] ≡ A∗ ∧ ∃W[B]. Note that formula B remains quantified (hence the name partial quantifier elimination). We will say that formula A∗ is obtained by taking A out of the scope of quantifiers in ∃W[A ∧ B]. Importantly, there is a strong relation between PQE and the notion of redundancy of a subformula in a quantified formula. In particular, solving the PQE problem above comes down to finding A∗(V) implied by A ∧ B that makes A redundant in A∗ ∧ ∃W[A ∧ B]. Indeed, in this case, ∃W[A ∧ B] ≡ A∗ ∧ ∃W[A ∧ B] ≡ A∗ ∧ ∃W[B].
Importantly, redundancy with respect to a quantified formula is much more powerful than that with respect to a quantifier-free one. For instance, if formula F(V) is satisfiable, every clause of F is redundant in formula ∃V[F]. On the other hand, a clause C is redundant in a quantifier-free formula F only if C is implied by F \ {C}.
Let G(V) be a formula implied by B. Then ∃W[A ∧ B] ≡ A∗ ∧ G ∧ ∃W[B] entails ∃W[A ∧ B] ≡ A∗ ∧ ∃W[B]. In other words, clauses implied by the formula that remains quantified are noise and can be removed from a solution to the PQE problem. So when building A∗ by resolution it is sufficient to use only the resolvents that are descendants of clauses of A. For that reason, in the case formula A is much smaller than B, PQE can be dramatically faster than complete quantifier elimination. Another way to contrast complete quantifier elimination with PQE is as follows. The former deals with a single formula and so, in a sense, has to cope with its absolute complexity. By contrast, PQE computes formula A∗ that specifies the “difference” between formulas B and A ∧ B. So the efficiency of PQE depends on their relative complexity. This is important because no matter how high the individual complexity of B and A ∧ B is, their relative complexity can be quite manageable. In Section B of the appendix we briefly describe an algorithm for PQE and recall some relevant results [7,8,9].
3.2 Proving equivalence/inequivalence by LoR
Proposition 1 below shows how one proves¹ equivalence/inequivalence of circuits by LoR. Let formula G denote EQ ∧ F_{N′} ∧ F_{N′′} and formula G_rlx denote F_{N′} ∧ F_{N′′}. Recall from Subsection 1.4 that F_{N′}(X′, Y′, z′) and F_{N′′}(X′′, Y′′, z′′) specify circuits N′ and N′′ respectively. Formula EQ(x′, x′′) evaluates to 1 iff x′ = x′′ where x′ and x′′ are assignments to variables of X′ and X′′ respectively.
Proposition 1. Let H(z′, z′′) be a formula such that ∃W[EQ ∧ G_rlx] ≡ H ∧ ∃W[G_rlx] where W = X′ ∪ X′′ ∪ Y′ ∪ Y′′. Then formula G ∧ (z′ ≢ z′′) is equisatisfiable with H ∧ G_rlx ∧ (z′ ≢ z′′).
¹ The proofs of propositions are given in Section A of the appendix.
Note that finding formula H(z′, z′′) of Proposition 1 reduces to taking formula EQ out of the scope of quantifiers, i.e. to solving the PQE problem. Proposition 1 implies that proving inequivalence of N′ and N′′ comes down to showing that formula G_rlx is satisfiable under assignment (z′ = b′, z′′ = b′′) (where b′, b′′ ∈ {0, 1}) such that b′ ≠ b′′ and H(b′, b′′) = 1. Recall that the input variables of N′ and N′′ are independent of each other in formula G_rlx. Hence the only situation where G_rlx is unsatisfiable under (z′ = b′, z′′ = b′′) is when N′ is constant ¬b′ and/or N′′ is constant ¬b′′. So the corollary below holds.
Corollary 1. If neither N′ nor N′′ is a constant, they are equivalent iff H(1, 0) = H(0, 1) = 0.
Reducing EC to an instance of PQE also provides valuable information when proving equivalence of N′ and N′′. Formula G_rlx remains quantified in ∃W[EQ ∧ G_rlx] ≡ H ∧ ∃W[G_rlx]. This means that to obtain formula H, it suffices to generate only resolvents that are descendants of clauses of EQ. The clauses obtained by resolving solely clauses of G_rlx are just “noise” (see Subsection 3.1). This observation is the basis for our algorithm of generating EC proofs by induction.
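The decision rule of Proposition 1 and Corollary 1, together with the case analysis on D_out from Subsection 1.3, worked through as an added Python example (this is not code from the paper or from its PQE-14 solver). The toy circuits, their representation as Python predicates over an input tuple, and the function names are this example's own choices; Out, Out_rlx and D_out are obtained by exhaustive enumeration of the input space instead of PQE, which only works for tiny circuits but makes the meaning of the output boundary formula H(z′, z′′) concrete, including the constant-circuit corner case that Corollary 1 excludes.

```python
from itertools import product

# Constructed toy circuits over three inputs (a, b, c); any 0/1 predicate will do.
def maj_v1(x):            # majority, sum-of-products form
    a, b, c = x
    return (a & b) | (a & c) | (b & c)

def maj_v2(x):            # majority, factored form (equivalent to maj_v1)
    a, b, c = x
    return (a & (b | c)) | (b & c)

def parity(x):            # a XOR b XOR c (not equivalent to majority)
    a, b, c = x
    return a ^ b ^ c

def const0(x):            # a constant circuit: the corner case of Corollary 1
    return 0

def outputs(n1, n2, n_in, constrained):
    """Set of output pairs (z', z'') of circuits n1, n2 over n_in inputs.
    constrained=True applies EQ(X', X''), i.e. x' = x''; constrained=False is the
    relaxed formula G_rlx, where the two input vectors are independent."""
    xs = list(product((0, 1), repeat=n_in))
    if constrained:
        return {(n1(x), n2(x)) for x in xs}
    return {(n1(x1), n2(x2)) for x1 in xs for x2 in xs}

def d_out(n1, n2, n_in):
    """D_out = Out_rlx minus Out: output pairs that need independent inputs."""
    return outputs(n1, n2, n_in, False) - outputs(n1, n2, n_in, True)

def output_boundary_formula(n1, n2, n_in):
    """H(z', z'') as a truth table: H is 0 exactly on the assignments of D_out
    (allowing every other pair is one valid choice under Definition 1)."""
    d = d_out(n1, n2, n_in)
    return {pair: 0 if pair in d else 1 for pair in product((0, 1), repeat=2)}

def check_equivalence(n1, n2, n_in):
    """Lines 14-18 of EC_LoR (Fig. 5): an output pair (b', b'') with b' != b'' that
    H allows proves inequivalence iff G_rlx can produce it, i.e. iff neither
    circuit is the constant that would forbid it.
    Returns ("equivalent", None) or ("inequivalent", (b', b''))."""
    h = output_boundary_formula(n1, n2, n_in)
    relaxed = outputs(n1, n2, n_in, False)     # stands in for Sat(G_rlx ∧ z' = b' ∧ z'' = b'')
    for pair in ((0, 1), (1, 0)):
        if h[pair] == 1 and pair in relaxed:
            return "inequivalent", pair
    return "equivalent", None

if __name__ == "__main__":
    for name, n1, n2 in (("maj_v1 vs maj_v2", maj_v1, maj_v2),
                         ("maj_v1 vs parity", maj_v1, parity),
                         ("const0 vs maj_v1", const0, maj_v1)):
        print(name, "D_out =", sorted(d_out(n1, n2, 3)), "->", check_equivalence(n1, n2, 3))
```

For the two majority circuits D_out contains both differing pairs, so H(1, 0) = H(0, 1) = 0 and they are equivalent without ever enumerating Out itself; for const0 against a majority circuit the pair (1, 0) is absent from D_out only because N′ cannot output 1, which is why the relaxed satisfiability check is needed before declaring inequivalence.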
4 Boundary Formulas
In this section, we discuss boundary formulas, a key notion of EC by LoR. Subsection 4.1 explains the semantics of boundary formulas. Subsection 4.2 discusses the size of boundary formulas. In Subsection 4.3, we describe how boundary formulas are built.
4.1 Definition and some properties of boundary formulas
Let M be the subcircuit consisting of the gates of N′, N′′ located before a cut as shown in Fig. 4. As usual, G denotes EQ(X′, X′′) ∧ F_{N′} ∧ F_{N′′} and G_rlx denotes F_{N′} ∧ F_{N′′}.
Definition 1. Let formula H_cut depend only on variables of a cut. Let q be an assignment to the variables of this cut. Formula H_cut is called boundary if²
a) G → H_cut holds and
b) for every q that can be extended to satisfy G_rlx but cannot be extended to satisfy G, the value of H_cut(q) is 0.
² Since formula (z′ ≢ z′′) constraining the outputs of N′ and N′′ is not a part of formulas G_rlx and G, a boundary formula of Definition 1 is not “property driven”. This can be fixed by making a boundary formula specify the difference between G_rlx ∧ (z′ ≢ z′′) and G ∧ (z′ ≢ z′′) rather than between G_rlx and G. In this paper, we explore boundary formulas of Definition 1. The only exception is Section 9 where, to compare LoR and interpolation, we use “property-driven” boundary formulas.
Note that Definition 1 does not specify the value of H_cut(q) if q cannot be extended to satisfy G_rlx (and hence G). As we mentioned in the introduction, formula EQ(X′, X′′) and formula H(z′, z′′) of Proposition 1 are actually boundary formulas with respect to cuts X′ ∪ X′′ and {z′, z′′} respectively. We will refer to H(z′, z′′) as an output boundary formula. Proposition 2 below reduces building H_cut to PQE.
Proposition 2. Let H_cut be a formula depending only on variables of a cut. Let H_cut satisfy ∃W[EQ ∧ F_M] ≡ H_cut ∧ ∃W[F_M]. Here W is the set of variables of F_M minus those of the cut. Then H_cut is a boundary formula.
Fig. 4. Building boundary formula H_cut
Proposition 3 below extends Proposition 1 to an arbitrary boundary formula.
Proposition 3. Let H_cut be a boundary formula with respect to a cut. Then G ∧ (z′ ≢ z′′) is equisatisfiable with H_cut ∧ G_rlx ∧ (z′ ≢ z′′).
The proposition below estimates the size of boundary formulas built for N′ and N′′ that satisfy the notion of structural similarity introduced in Subsection 1.2.
Proposition 4. Let Cut′, Cut′′ specify the outputs of circuits M′ and M′′ of Fig. 4 respectively. Assume that for every variable v′ of Cut′ there is a set S(v′) = {v′′_{i1}, ..., v′′_{ik}} of variables of Cut′′ that have the following property. Knowing the values of variables of S(v′) produced in N′′ under input x one can determine the value of v′ of N′ under the same input x. We assume here that S(v′) has this property for every possible input x. Let Max(S(v′)) be the size of the largest S(v′) over variables of Cut′. Then there is a boundary formula H_cut where every clause has at most Max(S(v′)) + 1 literals.
Proposition 4 demonstrates the existence of small boundary formulas for structurally similar circuits N′, N′′. Importantly, the size of these boundary formulas depends on the similarity of N′ and N′′ rather than their individual complexity.
Corollary 2. Let circuits M′ and M′′ of Fig. 4 be functionally equivalent. Then for every variable v′ ∈ Cut′ there is a set S(v′) = {v′′} where v′′ is the variable of Cut′′ that is functionally equivalent to v′. In this case, formula EQ(Cut′, Cut′′) stating equivalence of corresponding output variables of M′ and M′′ is a boundary formula for the cut in question. This formula can be represented by 2p two-literal clauses where p = |Cut′| = |Cut′′|.
Proposition 4 and the corollary above show that the machinery of boundary formulas allows one to extend the notion of an equivalence cut to the case where structurally similar circuits have no functionally equivalent internal variables.
4.2 Size of boundary formulas in general case
Proposition 4 above shows the existence of small boundary formulas for a particular notion of structural similarity. In this subsection, we make two observations that are applicable to a more general class of structurally similar circuits than the one outlined in Subsection 1.2.
The first observation is as follows. Let q be an assignment to the cut of Fig. 4. Assignment q can be represented as (q′, q′′) where q′ and q′′ are assignments to output variables of M′ and M′′ respectively. Definition 1 does not constrain the value of H_cut(q) if q cannot be extended to satisfy F_{N′} ∧ F_{N′′}. So, if, for instance, output q′ cannot be produced by M′ for any input, the value of H_cut(q) can be arbitrary. This means that H_cut does not have to tell apart cut assignments that can be produced by M′ and M′′ from those that cannot. In other words, H_cut does not depend on the individual complexity of M′ and M′′. Formula H_cut has only to differentiate cut assignments that can be produced solely when x′ ≠ x′′ from those that can be produced when x′ = x′′. Here x′ and x′′ are assignments to X′ and X′′ respectively.
The second observation is as follows. Intuitively, even a very broad definition of structural similarity of N′ and N′′ implies the existence of many short clauses relating cut variables that can be derived from EQ(X′, X′′) ∧ F_M. These clauses can be effectively used to eliminate the output assignments of M that can be produced only by inputs (x′, x′′) where x′ ≠ x′′. Proposition 4 above substantiates this intuition in case the similarity of N′ and N′′ is defined as in Subsection 1.2.
4.3 Computing Boundary Formulas
The key part of EC by LoR is to compute an output boundary formula H(z′, z′′). In this subsection, we show how to build formula H inductively by constructing a sequence of boundary formulas H_0, ..., H_k computed with respect to cuts Cut_0, ..., Cut_k of N′ and N′′ (see Fig. 3). We assume that Cut_0 = X′ ∪ X′′ and Cut_k = {z′, z′′} (i.e. H = H_k) and Cut_i ∩ Cut_j = ∅ if i ≠ j.
Boundary formula H_0 is set to EQ(X′, X′′) whereas formula H_i, i > 0, is computed from H_{i−1} as follows. Let M_i be the circuit consisting of the gates located between the inputs of N′ and N′′ and cut Cut_i (as circuit M of Fig. 4). Let F_{M_i} be the subformula of G_rlx specifying M_i. Let W_i consist of all the variables of F_{M_i} minus those of Cut_i. Formula H_i is built to satisfy ∃W_i[H_{i−1} ∧ F_{M_i}] ≡ H_i ∧ ∃W_i[F_{M_i}] and so make the previous boundary formula H_{i−1} redundant in H_i ∧ ∃W_i[H_{i−1} ∧ F_{M_i}]. The fact that H_1, ..., H_k are indeed boundary formulas follows from Proposition 5.
Proposition 5. Let W_i where i > 0 be the set of variables of F_{M_i} minus those of Cut_i. Let H_{i−1} where i > 1 be a boundary formula such that ∃W_{i−1}[H_0 ∧ F_{M_{i−1}}] ≡ H_{i−1} ∧ ∃W_{i−1}[F_{M_{i−1}}]. Let ∃W_i[H_{i−1} ∧ F_{M_i}] ≡ H_i ∧ ∃W_i[F_{M_i}] hold. Then ∃W_i[H_0 ∧ F_{M_i}] ≡ H_i ∧ ∃W_i[F_{M_i}] holds. (So H_i is a boundary formula due to Proposition 2.)
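Definition 1, Propositions 3 and 4, and the argument of Subsection 1.4 that a satisfying assignment of β proves inequivalence without being a counterexample, worked through as an added Python example. This is not the paper's code: the PQE step of Proposition 2 is replaced by exhaustive enumeration of the cut assignments reachable with independent and with tied inputs (feasible only for toy circuits), and the blocking clauses for D_cut are then shortened greedily so that each stays true on every cut assignment reachable under EQ. The gate-list format, the circuits N1 and N2 (both computing a ⊕ b ⊕ c; the first level of N2 produces a ∨ b and a ∧ b, so the cut variable u1 of N1 is a function of the two cut variables v1, v2 of N2, i.e. Max(S) = 2), the buggy variant of N2, the inclusion of the bypassing input c in the cut, and all function names are this example's own constructions.

```python
from itertools import product

OPS = {"AND": lambda a, b: a & b, "OR": lambda a, b: a | b,
       "XOR": lambda a, b: a ^ b, "NOT": lambda a: 1 - a}

def evaluate(gates, inputs):
    """Simulate a gate list of (net, op, argument nets) given in topological order."""
    vals = dict(inputs)
    for name, op, args in gates:
        vals[name] = OPS[op](*(vals[a] for a in args))
    return vals

INPUTS = ("a", "b", "c")
# Constructed circuits. N1: u1 = a xor b, z = u1 xor c.
N1 = [("u1", "XOR", ("a", "b")), ("z", "XOR", ("u1", "c"))]
# N2 computes the same function; its first level is (v1, v2) = (a or b, a and b),
# and under equal inputs u1 = v1 and not v2, so S(u1) = {v1, v2} (Proposition 4).
N2 = [("v1", "OR", ("a", "b")), ("v2", "AND", ("a", "b")), ("nv2", "NOT", ("v2",)),
      ("w1", "AND", ("v1", "nv2")), ("z", "XOR", ("w1", "c"))]
N2_BUGGY = N2[:-1] + [("z", "OR", ("w1", "c"))]       # wrong output gate
# The cut must separate inputs from outputs, so the input c (which feeds the
# output gate directly) is a cut variable on both sides, as after Bufferize.
CUT1, CUT2 = ("u1", "c"), ("v1", "v2", "c")
CUT_NAMES = tuple(n + "'" for n in CUT1) + tuple(n + "''" for n in CUT2)

def all_inputs():
    return [dict(zip(INPUTS, bits)) for bits in product((0, 1), repeat=len(INPUTS))]

def cut_assignment(n1, n2, x1, x2):
    v1, v2 = evaluate(n1, x1), evaluate(n2, x2)
    return tuple(v1[n] for n in CUT1) + tuple(v2[n] for n in CUT2)

def cut_assignments(n1, n2, constrained):
    """Cut(N', N'') when inputs are tied by EQ (constrained=True), Cut^rlx otherwise."""
    xs = all_inputs()
    pairs = [(x, x) for x in xs] if constrained else [(x1, x2) for x1 in xs for x2 in xs]
    return {cut_assignment(n1, n2, x1, x2) for x1, x2 in pairs}

def satisfies(cnf, vals):
    """CNF is a list of clauses; a clause is a tuple of literals (net, polarity),
    (net, 1) being the positive and (net, 0) the negated literal."""
    return all(any(vals[v] == pol for v, pol in clause) for clause in cnf)

def boundary_formula(n1, n2):
    """Definition 1 by brute force: D_cut = Cut^rlx minus Cut; start from the clause
    blocking each q in D_cut and greedily drop literals while the clause stays true
    on every assignment of Cut, so H_cut still excludes all of D_cut (condition b)
    and G -> H_cut still holds (condition a)."""
    reach = cut_assignments(n1, n2, True)
    d_cut = cut_assignments(n1, n2, False) - reach
    reach_vals = [dict(zip(CUT_NAMES, q)) for q in reach]
    clauses = set()
    for q in sorted(d_cut):
        clause = [(v, 1 - bit) for v, bit in zip(CUT_NAMES, q)]   # false exactly on q
        for lit in list(clause):
            shorter = [l for l in clause if l != lit]
            if all(satisfies([shorter], vals) for vals in reach_vals):
                clause = shorter
        clauses.add(tuple(clause))
    return sorted(clauses)

def relaxed_inequivalence_witness(n1, n2, h_cut):
    """Search for an assignment satisfying β = H_cut ∧ G_rlx ∧ (z' ≢ z'') (Proposition 3).
    The two circuits' inputs are independent, so a hit (x', x'') proves inequivalence
    but is a counterexample only if x' happens to equal x''."""
    for x1 in all_inputs():
        for x2 in all_inputs():
            q = dict(zip(CUT_NAMES, cut_assignment(n1, n2, x1, x2)))
            if satisfies(h_cut, q) and evaluate(n1, x1)["z"] != evaluate(n2, x2)["z"]:
                return x1, x2
    return None

if __name__ == "__main__":
    h = boundary_formula(N1, N2)
    print("H_cut:", h)
    print("N1 vs N2:", relaxed_inequivalence_witness(N1, N2, h))
    print("N1 vs N2_BUGGY:", relaxed_inequivalence_witness(N1, N2_BUGGY, h))
```

The greedy shortening yields clauses with at most three literals, which is the Max(S(v′)) + 1 bound of Proposition 4 for this cut (two-literal clauses tie c′ to c′′, as EQ would, and three-literal clauses relate u1 to v1, v2). Because the cut of N2_BUGGY is unchanged, the same H_cut is reused for it; the witness search then finds a satisfying assignment of β, which is the inequivalence proof of Subsection 1.4 obtained without searching for equal inputs.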
5 Algorithm of EC by LoR
In this section, we introduce an algorithm called EC_LoR that checks for equivalence two single-output circuits N′ and N′′. The pseudo-code of EC_LoR is given in Figure 5. EC_LoR builds a sequence of boundary formulas H_0, ..., H_k as described in Subsection 4.3. Here H_0 equals EQ(X′, X′′) and H_k(z′, z′′) is an output boundary formula. Then, according to Proposition 1, EC_LoR checks the satisfiability of formula H_k ∧ G_rlx ∧ (z′ ≢ z′′) where G_rlx = F_{N′} ∧ F_{N′′}.
EC_LoR(N′, N′′) {
1   (N′, N′′) := Bufferize(N′, N′′);
2   Cut_0 := X′ ∪ X′′;
3   Cut_k := {z′, z′′};
4   Cut_1, ..., Cut_{k−1} := BldCuts(N′, N′′);
5   H_0 := EQ(X′, X′′);
--------------------------------------------
6   for (i := 1; i ≤ k; i++) {
7      H_i := 1;
8      F_{M_i} := SubForm(G_rlx, Cut_i);
9      W_i := Vars(F_{M_i}) \ Vars(Cut_i);
10     while (true) {
11        C := Redund(H_i ∧ ∃W_i[H_{i−1} ∧ F_{M_i}]);
12        if (C = nil) break;
13        H_i := H_i ∧ C; } }
--------------------------------------------
14  if (H_k(0, 1) = 1)
15     if (Sat(G_rlx ∧ ¬z′ ∧ z′′)) return(No);
16  if (H_k(1, 0) = 1)
17     if (Sat(G_rlx ∧ z′ ∧ ¬z′′)) return(No);
18  return(Yes); }
Fig. 5. EC by LoR
EC_LoR consists of three parts separated by the dotted lines in Figure 5. EC_LoR starts the first part (lines 1-5) by calling procedure Bufferize that eliminates non-local connections of N′ and N′′, i.e. those that span more than two consecutive topological levels. (The topological level of a gate g of a circuit K is the longest path from an input of K to g measured in the number of gates on this path.) The presence of non-local connections makes it hard to find cuts that do not overlap. To avoid this problem, procedure Bufferize replaces every non-local connection spanning d topological levels (d > 2) with a chain of d − 2 buffers. (A more detailed discussion of this topic is given in Section C of the appendix.) Then EC_LoR sets the initial and final cuts to X′ ∪ X′′ and {z′, z′′} respectively and computes the intermediate cuts.
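The Bufferize step described above, as an added Python example that is not the paper's code. The gate-list format, the constructed circuit and the function names are this example's own. It computes topological levels as the longest path from an input, replaces every connection spanning d > 2 levels with a chain of d − 2 buffers (sharing chains that start at the same net), and then checks both that no connection of the result spans more than two levels and that the circuit's function is unchanged.

```python
from itertools import product

OPS = {"AND": lambda a, b: a & b, "OR": lambda a, b: a | b,
       "XOR": lambda a, b: a ^ b, "BUF": lambda a: a}

INPUTS = ("a", "b", "c")
# Constructed circuit; gates are (output net, op, argument nets) in topological order.
CIRCUIT = [("g1", "AND", ("a", "b")),     # level 1
           ("g2", "OR", ("g1", "c")),      # level 2
           ("g3", "XOR", ("g2", "g1")),    # level 3; g1 -> g3 spans 2 levels (local)
           ("g4", "AND", ("g3", "a"))]     # level 4; a -> g4 spans 4 levels (non-local)

def topological_levels(gates, inputs):
    """Level of a gate = longest path from a circuit input, counted in gates."""
    level = {x: 0 for x in inputs}
    for name, _, args in gates:
        level[name] = 1 + max(level[a] for a in args)
    return level

def max_span(gates, inputs):
    """Largest number of levels any single connection spans."""
    level = topological_levels(gates, inputs)
    return max(level[name] - level[a] for name, _, args in gates for a in args)

def bufferize(gates, inputs):
    """Replace each connection spanning d > 2 levels by a chain of d - 2 buffers,
    so every connection of the result spans at most two levels. Levels of the
    original gates do not change, because a chain ends two levels below its
    consumer and so never creates a longer path than the one already there."""
    level = topological_levels(gates, inputs)
    chain_end = {}        # (source net, chain length) -> net at the end of that chain
    result = []

    def buffered(src, length):
        if length == 0:
            return src
        if (src, length) not in chain_end:
            prev = buffered(src, length - 1)           # appends shorter chain first
            name = f"{src}_buf{length}"
            result.append((name, "BUF", (prev,)))
            chain_end[(src, length)] = name
        return chain_end[(src, length)]

    for name, op, args in gates:
        new_args = tuple(buffered(a, max(0, level[name] - level[a] - 2)) for a in args)
        result.append((name, op, new_args))
    return result

def same_function(g1, g2, inputs, out):
    """Exhaustively compare one output net of two gate lists."""
    def run(gates, x):
        vals = dict(zip(inputs, x))
        for name, op, args in gates:
            vals[name] = OPS[op](*(vals[a] for a in args))
        return vals[out]
    return all(run(g1, x) == run(g2, x) for x in product((0, 1), repeat=len(inputs)))

if __name__ == "__main__":
    out = bufferize(CIRCUIT, INPUTS)
    print("buffers inserted:", len(out) - len(CIRCUIT))
    print("max span before/after:", max_span(CIRCUIT, INPUTS), max_span(out, INPUTS))
    print("function preserved:", same_function(CIRCUIT, out, INPUTS, "g4"))
```

On the constructed circuit only the connection from input a to g4 is non-local (it spans four levels), so two buffers are inserted and afterwards every connection spans one or two levels, which is what lets consecutive cuts be chosen disjoint.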
Boundary formulas H_i, 1 ≤ i ≤ k, are computed in the second part (lines 6-13) that consists of a for loop. In the third part (lines 14-18), EC_LoR uses the output boundary formula H_k(z′, z′′) computed in the second part to decide whether N′, N′′ are equivalent. If H_k(b′, b′′) = 1 where b′ ≠ b′′ and G_rlx is satisfiable under z′ = b′, z′′ = b′′, then N′, N′′ are inequivalent. Otherwise, they are equivalent (line 18).
Formula H_i is computed as follows. First, H_i is set to constant 1. Then, EC_LoR extracts a subformula F_{M_i} of G_rlx that specifies the gates of N′ and N′′ located between the inputs and cut Cut_i. EC_LoR also computes the set W_i of quantified variables. The main work is done in a while loop (lines 10-13). First, EC_LoR calls procedure Redund that is essentially a PQE-solver. Redund checks if boundary formula H_{i−1} is redundant in H_i ∧ ∃W_i[H_{i−1} ∧ F_{M_i}] (the cut termination condition). Redund stops as soon as it finds out that H_{i−1} is not redundant yet. It returns a clause C as the evidence that at least one clause must be added to H_i to make H_{i−1} redundant. If no clause is returned by Redund, then H_i is complete and EC_LoR ends the while loop and starts a new iteration of the for loop. Otherwise, EC_LoR adds C to H_i and starts a new iteration of the while loop.
6 Computing Boundary Formulas By Current PQE Solvers
To obtain boundary formula H_i, one needs to take H_{i−1} out of the scope of quantifiers in formula ∃W_i[H_{i−1} ∧ F_{M_i}] whose size grows with i due to formula F_{M_i}. So a PQE solver that computes H_i must have good scalability. On the other hand, the algorithm of [9] does not scale well yet. The main problem here is that learned information is not re-used, in contrast to SAT-solvers effectively re-using learned clauses. Fixing this problem requires some time because bookkeeping of a PQE algorithm is more complex than that of a SAT-solver (see the discussion in Sections B and E of the appendix). In this section, we describe two methods of adapting EC by LoR to a PQE-solver that is not efficient enough to compute boundary formulas precisely. (Both methods are illustrated experimentally in Section 7.)
One way to reduce the complexity of computing H_i is to use only a subset of F_{M_i}. For instance, one can discard the clauses of F_{M_i} specifying the gates located between cuts Cut_0 and Cut_p, 0 < p < i. In this case, boundary formula H_i is computed approximately. The downside of this is that condition b) of Definition 1 does not hold anymore and so EC by LoR becomes incomplete. Namely, if H(b′, b′′) = 1 where b′ ≠ b′′, the fact that G_rlx is satisfiable under z′ = b′, z′′ = b′′ does not mean that N′ and N′′ are inequivalent. Nevertheless, even EC by LoR with approximate computation of boundary formulas can be a powerful tool for proving N′ and N′′ equivalent for the following reason. If H(1, 0) = H(0, 1) = 0, circuits N′ and N′′ are proved equivalent no matter how intermediate boundary formulas have been built. Importantly, checking cut termination conditions is a powerful way to structure the proof even when boundary formulas are computed approximately. That is, construction of H_i still ends when it makes H_{i−1} redundant in formula H_i ∧ ∃W_i[H_{i−1} ∧ F_{M_i}]. The only difference from computing H_i precisely is that formula F_{M_i} is simplified by discarding some clauses.
Another way to adapt EC by LoR to an insufficiently efficient PQE solver is as follows. Suppose that the power of a PQE solver is enough to build one intermediate boundary formula H_i precisely. From Proposition 3 it follows that formula α equal to G ∧ (z′ ≢ z′′) is equisatisfiable with formula β equal to H_cut ∧ G_rlx ∧ (z′ ≢ z′′). So, to show that N′ and N′′ are inequivalent it is sufficient to find an assignment satisfying β. As we argued in Subsection 1.4, finding such an assignment for β is easier than for α.
7 Experiments
In the experiments, we used the PQE solver published in [9] in 2014. We will refer to this solver as PQE-14. As we mentioned in Section 6, PQE-14 does not scale well yet. So building a full-fledged equivalence checker based on EC_LoR would mean simultaneously designing a new EC algorithm and a new PQE solver. The latter is beyond the scope of our paper (although the design of an efficient PQE-solver is discussed in Section B of the appendix). On the other hand, PQE-14 is efficient enough to make a few important points experimentally. In the experiments described in this section, we employed a new implementation of PQE-14.
The experiment of Subsection 7.1 compares computing cut image with building a boundary formula for this cut. (Recall that the image of a cut is the set of cut assignments that can be produced in N′ and N′′ under all possible inputs.) This experiment also contrasts complete quantifier elimination employed to compute cut image with PQE. In Subsection 7.2, we apply EC_LoR to a non-trivial instance of equivalence checking that is hard for ABC, a high-quality synthesis and verification tool [20]. In Subsection 7.3, we give evidence that boundary formulas can be used to prove inequivalence more efficiently.
In the experiments, circuits N′ and N′′ to be checked for equivalence were derived from a circuit computing an output median bit of a k-bit multiplier. We will refer to this circuit as Mlp_k. Our motivation here is as follows. In many cases, the equivalence of circuits with simple topology and low fanout values can be efficiently checked by a general-purpose SAT-solver. This is not true for circuits involving multipliers. In all experiments, circuits N′ and N′′ were bufferized to get rid of long connections (see Section 5).
7.1 Image computation versus building boundary formulas
Table 1. Computing cut image and boundary formula. Time limit = 1 hour

                                   cut image (QE)          boundary formula (PQE)
#bits  #quan. vars  #free vars   result size  time (s.)   result size  time (s.)
  8        32           84          3,142        4.0           242         0.1
  9        36          104          4,937         13           273         0.2
 10        40          126          7,243         51           407         0.3
 11        44          150          9,272        147           532         0.5
 12        48          176         14,731        497           576         0.6
 13        52          206         19,261      1,299           674         0.9
 14        56          234              ∗          ∗           971         1.5
 15        60          266              ∗          ∗         1,218         2.0
 16        64          300              ∗          ∗         1,411         3.0
In this subsection, we compared computation of a boundary formula Hcut and that
of cut image. We used two identical copies of circuit Mlpk as circuits N ′ and
N ′′. As a cut of N ′, N ′′ we picked the set of variables of the first topological
level (every variable of this level specifies the output of a gate fed by input
variables of N ′ or N ′′). Computing cut image comes down to performing quantifier
elimination for formula ∃W [EQ(X ′, X ′′) ∧ FM ]. Here W = X ′ ∪ X ′′ and formula FM
specifies the gates of the first topological level of N ′ and N ′′. Formula Rcut
that is logically equivalent to ∃W [EQ ∧ FM ] specifies the cut image. Computing
a boundary formula comes down to finding Hcut such that ∃W [EQ ∧ FM ] ≡ Hcut ∧
∃W [FM ], i.e. solving the PQE problem.
The results of the experiment are given in Table 1. Abbreviation QE stands
for Quantifier Elimination. The value of k in Mlpk is shown in the first col-
umn. The next two columns give the number of quantified and free variables
in ∃W [EQ ∧ FM ]. To compute formula Rcut above we used our quantifier elim-
ination program presented in [8]. Formula Hcut was generated by PQE-14. To
make this comparison fair, formula Hcut was computed without applying any
EC-specific heuristics (as opposed to computing boundary formulas in the exper-
iments of Subsection 7.2). When computing image formula Rcut and boundary
formula Hcut we recorded the size of the result (as the number of clauses) and
the run time in seconds. As Table 1 shows, formulas Hcut are much smaller than
Rcut and take much less time to compute.
7.2 An example of equivalence checking by EC LoR
Fig. 6 (caption). Equivalence checking of N ′ and N ′′ derived from Mlpk.
In this subsection, we run an implementation of EC LoR introduced in Section 5
on circuits N ′ and N ′′ shown in Fig. 6. (The idea of this EC example was
suggested by Vigyan Singhal [19].) These circuits are derived from Mlpk by adding
one extra input h. Both circuits produce the same output as Mlpk when h = 1 and
output 0 if h = 0. So N ′ and N ′′ are logically equivalent. Note that the value
of every internal variable of N ′ depends on h whereas this is not the case for
N ′′. So N ′ and N ′′ have no functionally equivalent internal variables. On the
other hand, N ′ and N ′′ satisfy the notion of structural similarity introduced
in Subsection 1.2. Namely, the value of every internal variable v′ of N ′ is
specified by that of h′′ and some variable v′′ of N ′′ (so, in this case, for
every internal variable v′ of N ′ there is a set S(v′) introduced in Subsection
1.2 consisting of only two variables of N ′′). In particular, if v′ is an
internal variable of Mlp′k, then v′′ is the corresponding variable of Mlp′′k.
Indeed, if h′′ = 1, then v′ takes the same value as v′′. If h′′ = 0, then v′ is a
constant (in the implementation of Mlpk we used in the experiments). The
objective of the experiment below is to show that EC LoR can check for
equivalence structurally similar circuits that have no functionally equivalent
internal points.
Cuts Cut0, . . . , Cutm used by EC LoR were generated according to topological
levels. That is, every variable of Cuti specified the output of a gate of the
i-th topological level. Since N ′ and N ′′ were bufferized, Cuti ∩ Cutj = ∅ if
i ≠ j. The version of EC LoR we used in the experiment was slightly different
from the one described in Fig. 5. We will refer to this version as EC LoR∗. The
main change was that boundary formulas were computed in EC LoR∗ approximately.
That is, when checking if formula Hj was redundant in Hj ∧ ∃Wi[Hj−1 ∧ FMi ]
(line 11 of Fig. 5) only a subset of clauses of FMi was used to make the check
simpler. Nevertheless, EC LoR∗ was able to compute an output boundary formula
H(z′, z′′) proving that N ′ and N ′′ were equivalent. One more difference between
EC LoR and EC LoR∗ was as follows. EC LoR runs a cut termination check every
time formula Hi is updated (in the while loop of Fig. 5, lines 10-13). In
EC LoR∗, the number of cut termination checks was reduced. Namely, derivation of
clauses of Hi was modified so that EC LoR∗ did not run a cut termination check
if some cut variable was not present in clauses of Hi yet. The intuition here
was that in that case Hi was still under-constrained. EC LoR∗ is described in
Section D of the appendix in more detail.
Table 2. EC of N ′ and N ′′ derived from Mlpk. Time limit = 6 hours

#bits   #vars   #clauses   #cuts   EC LoR∗ (s.)   ABC (s.)
 10     2,844     6,907     37         4.5            10
 11     3,708     8,932     41         7.1            38
 12     4,726    11,297     45          11           142
 13     5,910    14,026     49          16           757
 14     7,272    17,143     53          25         3,667
 15     8,824    20,672     57          40        11,237
 16    10,578    24,637     61          70      > 21,600
In Table 2, we compare EC LoR∗ with ABC [20]. The first column gives the value
of k of Mlpk used in N ′ and N ′′. The next two columns show the size of formulas
EQ(X ′, X ′′) ∧ FN ′ ∧ FN ′′ ∧ (z′ ≢ z′′) specifying equivalence checking of N ′
and N ′′ to which EC LoR∗ was applied. (Circuits N ′ and N ′′ were fed into ABC
as circuits in the BLIF format.) Here X = {h, a1, . . . , ak, b1, . . . , bk}
denotes the set of input variables. The fourth column shows the number of
topological levels in circuits N ′ and N ′′ and so the number of cuts used by
EC LoR∗. The last two columns give the run time of EC LoR∗ and ABC.
The results of Table 2 show that equivalence checking of N ′ and N ′′ derived
from Mlpk was hard for ABC. On the other hand, EC LoR∗ managed to solve all
instances in a reasonable time. Most of the run time of EC LoR∗ is taken by
PQE-14 when checking cut termination conditions. So, PQE-14 is also the reason
why the run time of EC LoR∗ grows quickly with the size of Mlpk. Using a more
efficient PQE-solver should reduce such a strong dependency of the performance
of EC LoR∗ on the value of k.
7.3 Using boundary formulas for proving inequivalence
In the experiment of this subsection, we checked for equivalence a correct and a
buggy version of Mlp16 as circuits N ′ and N ′′ respectively. Since EC LoR∗
described in the previous subsection computes boundary formulas approximately,
one cannot directly apply it to prove inequivalence of N ′ and N ′′. In this
experiment we show that the precise computation of even one boundary formula
corresponding to an intermediate cut can be quite useful for proving
inequivalence. Let α and β denote formulas EQ(X ′, X ′′) ∧ FN ′ ∧ FN ′′ ∧ (z′ ≢ z′′)
and Hi ∧ FN ′ ∧ FN ′′ ∧ (z′ ≢ z′′) respectively. Here Hi is a boundary formula
precisely computed for the cut of N ′ and N ′′ consisting of the gates with
topological level equal to i. According to Proposition 3, α and β are
equisatisfiable. Proving N ′ and N ′′ inequivalent comes down to showing that β
is satisfiable. Intuitively, the larger the value of i, and so the closer the
cut to the outputs of N ′ and N ′′, the easier it is to check the satisfiability
of β. In the experiment below, we show that computing boundary formula Hi makes
proving inequivalence of N ′ and N ′′ easier even for a cut with a small value
of i.
Bugs were introduced into circuit N ′′ above the cut (so N ′ and N ′′ were
identical below the cut). Let M ′i and M ′′i denote the subcircuits of N ′ and N ′′
consisting of the gates located below the cut (like circuits M ′ and M ′′ in
Fig. 4). Since M ′i and M ′′i are identical they are also functionally equivalent.
Then Corollary 2 entails that formula Hi equal to EQ(Cut ′i, Cut ′′i) is boundary.
Here Cut ′i and Cut ′′i specify the output variables of M ′i and M ′′i respectively.
Derivation of EQ(Cut ′i, Cut ′′i) for identical circuits M ′i and M ′′i is trivial.
However, proving that Hi equal to EQ(Cut ′i, Cut ′′i) is indeed a boundary formula
is non-trivial even for identical circuits. (According to Proposition 2, this
requires showing that EQ(X ′, X ′′) is redundant in Hi ∧ ∃W [EQ(X ′, X ′′) ∧ FM ′i ∧
FM ′′i ].) In the experiments we used the cut with i = 3, i.e. the gates located
below the cut had topological level less than or equal to 3. Proving that
EQ(Cut ′i, Cut ′′i) is a boundary formula takes a fraction of a second for i = 3
but requires much more time for i = 4.
Table 3. Sat-solving of formulas α and β by Minisat. Time limit = 600 s.

formula type   #solved   total time (s.)   median time (s.)
     α            95         > 3,490             4.2
     β           100           1,030             1.0
We generated 100 buggy versions of Mlp16. Table 3 contains results of checking
the satisfiability of 100 formulas α and β by Minisat 2.0 [6,21]. Similar
results were observed for the other SAT-solvers we tried. The first column of
Table 3 shows the type of formulas (α or β). The second column gives the number
of formulas solved in the time limit of 600 s. The third column shows the total
run time on all formulas. We charged 600 s. to every formula α that was not
solved within the time limit. The run times of solving formulas β include the
time required to build H3. The fourth column gives the median time. The results
of this experiment show that proving satisfiability of β is noticeably easier
than that of α. Using formula β for proving inequivalence of N ′ and N ′′ should
be much more beneficial if formula Hi is computed for a cut with a greater value
of i. However, this will require a more powerful PQE-solver than PQE-14.
8 Some Background
The EC methods can be roughly classified into two groups. Methods of the first
group do not assume that circuits N ′ and N ′′ to be checked for equivalence
are structurally similar. Checking if N ′ and N ′′ have identical BDDs [4] is an
example of a method of this group. Another method of the first group is to
reduce EC to SAT and run a general-purpose SAT-solver [14,17,6,2]. A major
flaw of these methods is that they do not scale well with the circuit size.
Methods of the second group try to exploit the structural similarity of N ′, N ′′.
This can be done, for instance, by making transformations that produce
isomorphic subcircuits in N ′ and N ′′ [1] or make simplifications of N ′ and N ′′
that do not affect their range [13]. The most common approach used by the
methods of this group is to generate an inductive proof by computing simple
relations between internal points of N ′, N ′′. Usually, these relations are
equivalences [10,11,16]. However, in some approaches the derived relations are
implications [12] or equivalences modulo observability [3]. The main flaw of the
methods of the second group is that they are very “fragile”. That is, they work
only if the equivalence of N ′ and N ′′ can be proved by derivation of relations
of a very small class.
9 Logic Relaxation And Interpolation
In this section, we compare LoR and interpolation. In Subsection 9.1, we give a
more general formulation of LoR in terms of arbitrary CNF formulas. In
Subsection 9.2, we show that interpolation is a special case of LoR and
interpolants are a special case of boundary formulas. We also explain how one
can use LoR to interpolate a “broken” implication. This extension of
interpolation can be used for generation of short versions of counterexamples.
Finally, in Subsection 9.3, we contrast interpolants with boundary formulas
employed in EC by LoR.
So far we have considered a boundary formula specifying the difference in
assignments satisfying formulas Grlx and G equal to FN ′ ∧ FN ′′ and
EQ(X ′, X ′′) ∧ FN ′ ∧ FN ′′ respectively. In the footnote of Section 4, we
mentioned that one can also consider “property driven” boundary formulas. Such
formulas specify the difference in assignments satisfying Grlx ∧ (z′ ≢ z′′) and
G ∧ (z′ ≢ z′′) rather than Grlx and G. In this section, to simplify explanation,
we use “property driven” boundary formulas. They describe the difference in
assignments satisfying a relaxed formula and an original formula that is
supposed to be unsatisfiable.
9.1 Generalizing LoR to arbitrary formulas
Let S(X,Z) be a formula whose satisfiability one needs to check. Here X and
Z are non-overlapping sets of Boolean variables. In the context of formal ver-
ification, one can think of S as obtained by conjoining formulas G(X,Z) and
Good(Z). Here G(X,Z) specifies the consistent design behaviors, X and Z being
sets of “internal” and “external” variables. Formula Good specifies design be-
haviors that preserve a required property defined in terms of external variables.
Let formula S be represented as S rlx (X,Z) ∧ E(X,Z). Formula S rlx can be
viewed as a relaxation of S that is easier to satisfy. Let H(Z) be a formula
obtained by taking E out of the scope of quantifiers in ∃X[E ∧ S rlx ], i.e.
∃X[E ∧ S rlx ] ≡ H ∧ ∃X[S rlx ]. Then S is equisatisfiable to H ∧ S rlx (see
Proposition 6 of the appendix). Checking the satisfiability of H ∧ S rlx reduces
to testing the satisfiability of S rlx under assignments to Z for which H
evaluates to 1. So, if formula S is “sufficiently” relaxed in S rlx and Z is
much smaller than X, solving formula H ∧ S rlx can be drastically simpler than
solving S.
One can view H as a boundary formula specifying the difference in assignments
satisfying S and S rlx . In particular, formula H satisfies the properties of
Definition 1 (see Proposition 7 of the appendix). That is, a) S → H and b)
H(z) = 0 for every assignment z to Z that can be extended to satisfy S rlx but
not S.
9.2 Interpolation as a special case of LoR
Let formula S denote A(X,Y ) ∧ B(Y,Z) where X, Y, Z are non-overlapping sets
of variables. Let a relaxed formula S rlx be obtained from S by dropping the
clauses of A, i.e. S rlx = B. Let ∃W [A ∧ B] ≡ H ∧ ∃W [B] hold for a formula
H(Y ) where W = X ∪ Z. Then, H is a boundary formula in terms of Y for
relaxation S rlx . That is, from Proposition 7 it follows that a) S → H and b)
H(y) = 0 for every assignment y to Y that can be extended to satisfy S rlx but
not S.
Let A ∧ B ≡ 0 and A → H hold (the latter being a stronger version of S → H).
Then H is an interpolant [5,18,15] for implication A → B (see Proposition 8 of
the appendix). So an interpolant is a special case of a boundary formula.
Suppose that A → H and A ∧ B ≢ 0 (and hence A ↛ B). Then H ∧ B ≢ 0 and H can
be viewed as an interpolant for the broken implication A ↛ B. When A → B holds,
H → B gives a more abstract version of the former. Similarly, if A ↛ B, then
H ↛ B is a more abstract version of the former. Interpolants of broken
implications can be used to generate short versions of counterexamples. A
counterexample breaking H → B can be extended to one breaking A → B (see
Proposition 9 of the appendix). So a counterexample for H → B is a short
version of that for A → B.
9.3 Interpolation and LoR in the context of equivalence checking
Fig. 7 (caption). Replacing/separating boundary formula Hcut.
In this subsection, we discuss the difference between boundary formulas and
interpolants in the context of EC. Let formulas FM and FL specify the gates
located below and above a cut as shown in Fig. 7. Then checking the equivalence
of N ′ and N ′′ comes down to testing the satisfiability of formula S equal to
EQ(X ′, X ′′) ∧ FM ∧ FL ∧ (z′ ≢ z′′).
Below, we contrast two types of relaxation of formula S called replacing and
separating relaxation. The former corresponds to interpolation while the latter
is the relaxation we studied in the previous sections. A replacing relaxation of
S is to drop the clauses of EQ ∧ FM. That is, S rlx = FL ∧ (z′ ≢ z′′). Let
H^r_cut be a boundary formula computed for replacing relaxation. (Superscript r
stands for “replacing”.) That is, ∃W [EQ ∧ FM ∧ FL ∧ (z′ ≢ z′′)] ≡ H^r_cut ∧
∃W [FL ∧ (z′ ≢ z′′)] where W consists of all the variables of S but cut
variables. Note that H^r_cut replaces all clauses depending on variables
corresponding to gates below the cut, hence the name replacing relaxation. Let A
denote formula EQ ∧ FM and B denote formula FL ∧ (z′ ≢ z′′). From Proposition 8
it follows that if A → H^r_cut and A ∧ B ≡ 0 then H^r_cut is an interpolant of
implication A → B. So an interpolant can be viewed as a boundary formula for
replacing relaxation.
A separating relaxation of S is to drop the clauses of EQ. As we mentioned
above, this kind of relaxation has been the focus of the previous sections. Let
H^s_cut denote a boundary formula for separating relaxation. (Superscript s
stands for “separating”.) Formula H^s_cut satisfies ∃W [EQ ∧ FM ∧ FL ∧ (z′ ≢ z′′)]
≡ H^s_cut ∧ ∃W [FM ∧ FL ∧ (z′ ≢ z′′)]. Note that adding formula H^s_cut separates
input variables X ′ and X ′′ of N ′ and N ′′ by making formula EQ(X ′, X ′′)
redundant, hence the name separating relaxation. We will refer to H^r_cut and
H^s_cut as replacing and separating boundary formulas respectively.
Let us assume for the sake of simplicity that a replacing boundary formula
H^r_cut is an interpolant, i.e. it is implied by EQ ∧ FM. We will also assume
that a separating boundary formula H^s_cut satisfies the condition of
Proposition 2 and hence is implied by EQ ∧ FM as well. An obvious difference
between H^r_cut and H^s_cut is as follows. Adding H^s_cut to formula
∃W [EQ ∧ FM ∧ FL ∧ (z′ ≢ z′′)] makes redundant only a subset of clauses that is
made redundant after adding H^r_cut. The fact that adding H^r_cut has to make
redundant both clauses of EQ and FM creates the following problem with using
interpolants for equivalence checking. On the one hand, since H^r_cut is implied
by EQ ∧ FM, the former can be obtained by resolving clauses of the latter, i.e.
without looking at the part of N ′ and N ′′ above the cut. On the other hand,
proving that H^r_cut is indeed an interpolant, in general, requires checking
that H^r_cut ∧ FL ∧ (z′ ≢ z′′) ≡ 0 and hence needs the knowledge of the part of
N ′ and N ′′ above the cut.
Informally, the problem above means that one cannot build a small interpolant
H^r_cut using only clauses of EQ ∧ FM. By contrast, one can construct a small
separating boundary formula without any knowledge of formula FL. Let us consider
the following simple example. Suppose that the cut of Fig. 7 is an equivalence
cut. That is, for every cut point of N ′ there is a functionally equivalent cut
point of N ′′ and vice versa. From Corollary 2 it follows that formula
EQ(Cut ′, Cut ′′) is a separating boundary formula. (Here Cut ′ and Cut ′′ specify
the cut points of N ′ and N ′′ respectively.) This fact can be established from
formula EQ ∧ FM alone. However, whether EQ(Cut ′, Cut ′′) is an interpolant of
implication A → B (where A = EQ(X ′, X ′′) ∧ FM and B = FL ∧ (z′ ≢ z′′)) totally
depends on formula FL, i.e. on the part of N ′ and N ′′ above the cut.
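The following script is an added illustration of the relaxation argument of Sections 7 and 9.3; it is not code from the paper and has nothing to do with PQE-14. It builds two constructed two-level circuits, N′ computing NAND as NOT(AND) and N′′ computing NAND via De Morgan, which have no functionally equivalent internal points, plus a buggy copy of N′′ whose top gate is changed to AND. Quantifiers are eliminated by enumeration, so the boundary formula Hcut is simply the projection of EQ ∧ FM onto the cut. The script then checks, for both pairs, the PQE equation of Proposition 2, both conditions of Definition 1, the inductive step of Proposition 5 (computing the output boundary formula from Hcut instead of EQ), the equisatisfiability of α and β from Proposition 3, the output test H(1, 0) = H(0, 1) = 0, and the interpolant conditions used in the proof of Proposition 8. All variable names and the circuits are assumptions made for this example.

```python
from itertools import product

# Constructed circuits (assumptions of this example, not from the paper):
#   N':  y = a1 AND a2,  zp = NOT y                (NAND built as NOT(AND))
#   N'': u = NOT b1,  v = NOT b2,  zpp = u OR v    (NAND via De Morgan)
# X' = {a1, a2}, X'' = {b1, b2}; the cut is the first topological level
# Cut = {y, u, v}; zp and zpp play the roles of z' and z''.
INPUTS = ["a1", "a2", "b1", "b2"]
CUT = ["y", "u", "v"]
OUTPUTS = ["zp", "zpp"]
ALL_VARS = INPUTS + CUT + OUTPUTS

def assignments(variables):
    """Enumerate every assignment (dict variable -> bool) to `variables`."""
    for bits in product((False, True), repeat=len(variables)):
        yield dict(zip(variables, bits))

def exists(formula, quant_vars, partial):
    """Value of the quantified formula under `partial`, an assignment to the free variables."""
    return any(formula({**partial, **q}) for q in assignments(quant_vars))

def project(formula, free_vars, quant_vars):
    """Brute-force PQE: H(free_vars) := ∃quant_vars[formula], stored as a table.
    For formula = E ∧ F this H satisfies ∃W[E ∧ F] ≡ H ∧ ∃W[F] (both sides are 0
    where ∃W[F] is 0 and equal ∃W[E ∧ F] elsewhere), i.e. it takes E out of the
    scope of the quantifiers; pqe_equation_holds re-checks that independently."""
    table = {tuple(z[v] for v in free_vars): exists(formula, quant_vars, z)
             for z in assignments(free_vars)}
    return lambda p: table[tuple(p[v] for v in free_vars)]

def pqe_equation_holds(H, E, F, free_vars, quant_vars):
    """Check ∃W[E ∧ F] ≡ H ∧ ∃W[F] for every assignment to the free variables."""
    return all(exists(lambda p: E(p) and F(p), quant_vars, z)
               == (H(z) and exists(F, quant_vars, z))
               for z in assignments(free_vars))

def is_boundary(H, G, G_rlx, cut, others):
    """Definition 1: a) G → H, and b) H(q) = 0 for every cut assignment q that
    can be extended to satisfy G_rlx but not G."""
    cond_a = all(H(p) for p in assignments(cut + others) if G(p))
    cond_b = all(not H(q) for q in assignments(cut)
                 if exists(G_rlx, others, q) and not exists(G, others, q))
    return cond_a and cond_b

def satisfiable(formula, variables):
    return any(formula(p) for p in assignments(variables))

def same_function(H1, H2, variables):
    return all(H1(z) == H2(z) for z in assignments(variables))

def make_formulas(buggy):
    """EQ(X', X''), F_M (gates below the cut), F_L (gates above it) and z' ≢ z''.
    With buggy=True the top gate of N'' becomes AND, so N'' computes NOR and
    the circuits are inequivalent (a constructed bug)."""
    EQ = lambda p: p["a1"] == p["b1"] and p["a2"] == p["b2"]
    FM = lambda p: (p["y"] == (p["a1"] and p["a2"]) and p["u"] == (not p["b1"])
                    and p["v"] == (not p["b2"]))
    top = (lambda p: p["u"] and p["v"]) if buggy else (lambda p: p["u"] or p["v"])
    FL = lambda p: p["zp"] == (not p["y"]) and p["zpp"] == top(p)
    NEQ = lambda p: p["zp"] != p["zpp"]
    return EQ, FM, FL, NEQ

def ec_by_lor(buggy):
    """Run the relaxation argument on N', N'' and report what each check says."""
    EQ, FM, FL, NEQ = make_formulas(buggy)
    G = lambda p: EQ(p) and FM(p) and FL(p)            # original formula
    G_rlx = lambda p: FM(p) and FL(p)                  # EQ dropped (separating relaxation)
    # Cut boundary formula (Proposition 2): EQ taken out of ∃W[EQ ∧ F_M], W = X' ∪ X''.
    # Only the part of the circuits below the cut is needed to build it.
    H_cut = project(lambda p: EQ(p) and FM(p), CUT, INPUTS)
    # Output boundary formula (Proposition 1), once directly from EQ and once
    # inductively from H_cut as in Proposition 5 (H_cut replaces EQ).
    H_out = project(lambda p: EQ(p) and G_rlx(p), OUTPUTS, INPUTS + CUT)
    H_out_ind = project(lambda p: H_cut(p) and G_rlx(p), OUTPUTS, INPUTS + CUT)
    alpha = lambda p: G(p) and NEQ(p)                  # Proposition 3, left side
    beta = lambda p: H_cut(p) and G_rlx(p) and NEQ(p)  # Proposition 3, right side
    A = lambda p: EQ(p) and FM(p)                      # Subsection 9.3: below the cut
    B = lambda p: FL(p) and NEQ(p)                     # above the cut, plus the property
    mixed = [{"zp": True, "zpp": False}, {"zp": False, "zpp": True}]
    return {
        "pqe_ok": pqe_equation_holds(H_cut, EQ, FM, CUT, INPUTS),
        "boundary": is_boundary(H_cut, G, G_rlx, CUT, INPUTS + OUTPUTS),
        "inductive_ok": same_function(H_out, H_out_ind, OUTPUTS),
        # H(1,0) = H(0,1) = 0 proves equivalence (see the text before Section 7).
        "h_out_mixed": any(H_out(z) for z in mixed),
        "alpha_sat": satisfiable(alpha, ALL_VARS),
        "beta_sat": satisfiable(beta, ALL_VARS),
        # Interpolant conditions as in the proof of Proposition 8: A → H_cut and
        # H_cut ∧ B ≡ 0. Unlike boundary-ness, this depends on F_L.
        "interpolant": (all(H_cut(p) for p in assignments(ALL_VARS) if A(p))
                        and not satisfiable(lambda p: H_cut(p) and B(p), ALL_VARS)),
    }

if __name__ == "__main__":
    for buggy in (False, True):
        print("buggy N''" if buggy else "correct N''", ec_by_lor(buggy))
```

For the correct pair the script reports that α and β are both unsatisfiable, that H(1, 0) = H(0, 1) = 0, and that Hcut is also an interpolant. For the buggy pair β is satisfiable (so N′ and N′′ are inequivalent, as in Subsection 7.3) and Hcut is still a boundary formula, since that depends on EQ ∧ FM alone, but is no longer an interpolant, because that depends on FL; this is the distinction drawn in Subsection 9.3.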
10 Conclusions
We introduced a new framework for Equivalence Checking (EC) based on Logic
Relaxation (LoR). The appeal of applying LoR to EC is twofold. First, EC by
LoR provides a powerful method for generating proofs of equivalence by induc-
tion. Second, LoR gives a framework for proving inequivalence without gener-
ating a counterexample. The idea of LoR is quite general and can be applied
beyond EC. LoR is enabled by a technique called partial quantifier elimination
and the performance of the former strongly depends on that of the latter. So
building efficient algorithms of partial quantifier elimination is of great impor-
tance.
Acknowledgment
I would like to thank Harsh Raju Chamarthi for reading the first version of this
paper. My special thanks go to Mitesh Jain who has read several versions of this
paper and made detailed and valuable comments. This research was supported
in part by NSF grants CCF-1117184 and CCF-1319580.
References
1. H. R. Andersen and H. Hulgaard. Boolean expression diagrams. Inf. Comput.,
179(2):194–212, 2002.
2. A. Biere. PicoSAT essentials. JSAT, 4(2-4):75–97, 2008.
3. D. Brand. Verification of large synthesized designs. In ICCAD-93, pages 534–537,
1993.
4. R. Bryant. Graph-based algorithms for Boolean function manipulation. IEEE
Transactions on Computers, C-35(8):677–691, August 1986.
5. W. Craig. Three uses of the Herbrand-Gentzen theorem in relating model theory
and proof theory. The Journal of Symbolic Logic, 22(3):269–285, 1957.
6. N. Eén and N. Sörensson. An extensible SAT-solver. In SAT, pages 502–518, Santa
Margherita Ligure, Italy, 2003.
7. E. Goldberg and P. Manolios. Quantifier elimination by dependency sequents. In
FMCAD-12, pages 34–44, 2012.
8. E. Goldberg and P. Manolios. Quantifier elimination via clause redundancy. In
FMCAD-13, pages 85–92, 2013.
9. E. Goldberg and P. Manolios. Partial quantifier elimination. In Proc. of HVC-14,
pages 148–164. Springer-Verlag, 2014.
10. A. Kuehlmann and F. Krohm. Equivalence checking using cuts and heaps. In DAC-97,
pages 263–268, 1997.
11. A. Kuehlmann, V. Paruthi, F. Krohm, and M. K. Ganai. Robust Boolean reasoning
for equivalence checking and functional property verification. IEEE Trans. CAD,
21:1377–1394, 2002.
12. W. Kunz. HANNIBAL: An efficient tool for logic verification based on recursive
learning. In ICCAD-93, pages 538–543, 1993.
13. H. Kwak, I. Moon, J. H. Kukula, and T. Shiple. Combinational equivalence
checking through function transformation. In ICCAD-02, pages 526–533, 2002.
14. J. Marques-Silva and K. Sakallah. GRASP: a new search algorithm for satisfiability.
In ICCAD-96, pages 220–227, 1996.
15. K. L. McMillan. Interpolation and SAT-based model checking. In CAV-03, pages
1–13. Springer, 2003.
16. A. Mishchenko, S. Chatterjee, R. Brayton, and N. Eén. Improvements to combi-
national equivalence checking. In ICCAD-06, pages 836–843, 2006.
17. M. Moskewicz, C. Madigan, Y. Zhao, L. Zhang, and S. Malik. Chaff: engineering
an efficient SAT solver. In DAC-01, pages 530–535, New York, NY, USA, 2001.
18. P. Pudlák. Lower bounds for resolution and cutting plane proofs and monotone
computations. Journal of Symbolic Logic, 62(3):981–998, 1997.
19. V. Singhal. Private communication.
20. ABC. http://www.eecs.berkeley.edu/~alanmi/abc/.
21. MiniSat 2.0. http://minisat.se/MiniSat.html.
Appendix
A Proofs Of Propositions
Proposition 1. Let H(z′, z′′) be a formula such that ∃W [EQ ∧ Grlx ] ≡ H ∧
∃W [Grlx ] where W = X ′ ∪ X ′′ ∪ Y ′ ∪ Y ′′. Then formula G ∧ (z′ ≢ z′′) is
equisatisfiable with H ∧ Grlx ∧ (z′ ≢ z′′).
Proof. A proof of this proposition follows from Propositions 2 and 3 below.
Proposition 2 entails that H(z′, z′′) is a boundary formula. From Proposition 3
it follows that G ∧ (z′ ≢ z′′) is equisatisfiable with H ∧ Grlx ∧ (z′ ≢ z′′).
Proposition 2. Let Hcut be a formula depending only on variables of a cut. Let
Hcut satisfy ∃W [EQ ∧ FM ] ≡ Hcut ∧ ∃W [FM ]. Here W is the set of variables of
FM minus those of the cut. Then Hcut is a boundary formula.
Proof. ∃W [EQ ∧ FM ] ≡ Hcut ∧ ∃W [FM ] entails EQ ∧FM → Hcut . Let L be the
subcircuit consisting of the gates of N ′ and N ′′ located above the cut. Let FL
be a formula specifying L. Since G = EQ ∧ FM ∧ FL, then G→ Hcut and so
condition a) of Definition 1 is met. Let us prove that condition b) is met as well.
Let q be a cut assignment that can be extended to satisfy Grlx but not G. This
means that q cannot be extended to an assignment p satisfying EQ ∧FM either.
(Otherwise, one could easily extend p to an assignment satisfying EQ ∧FM ∧FL
and hence G by using the values of an execution trace computed for circuit L.
This trace describes computation of output values of L when its input variables
i.e. the cut variables are assigned as in q.) So ∃W [EQ ∧ FM ]=0 under assignment
q. This means that Hcut ∧∃W [FM ] = 0 under assignment q. Taking into account
that q can be extended to an assignment satisfying Grlx and hence FM , one has
to conclude that Hcut(q) = 0.
Proposition 3. Let Hcut be a boundary formula with respect to a cut. Then
G ∧ (z′ ≢ z′′) is equisatisfiable with Hcut ∧ Grlx ∧ (z′ ≢ z′′).
Proof. Let us show that the satisfiability of the left formula, i.e. G ∧ (z′ ≢ z′′),
implies that of the right formula, i.e. Hcut ∧ Grlx ∧ (z′ ≢ z′′), and vice versa.
Left sat. → Right sat. Let p be an assignment satisfying G ∧ (z′ ≢ z′′).
From Definition 1 it follows that G implies Hcut and so Hcut is satisfied by p.
Since Grlx is a subformula of G, assignment p satisfies Grlx as well. Hence p
satisfies Hcut ∧ Grlx ∧ (z′ ≢ z′′).
Right sat. → Left sat. Let p be an assignment satisfying Hcut ∧ Grlx ∧ (z′ ≢
z′′). Let q be the subset of p consisting of the assignments to the cut variables.
Since Hcut(q) = 1, Definition 1 entails that q can be extended to an assignment
p∗ satisfying formula G. Since the variables assigned in q form a cut of circuits
N ′ and N ′′, the consistent assignments to the variables of N ′ and N ′′ located
above the cut are identical in p and p∗. This means that p∗ satisfies (z′ ≢ z′′)
and hence formula G ∧ (z′ ≢ z′′).
Proposition 4. Let Cut ′,Cut ′′ specify the outputs of circuits M ′ and M ′′ of
Fig. 4 respectively. Assume that for every variable v′ of Cut ′ there is a set S(v′) =
{v′′i1 , . . . , v′′ik} of variables of Cut ′′ that have the following property. Knowing the
values of variables of S(v′) produced in N ′′ under input x one can determine
the value of v′ of N ′ under the same input x. We assume here that S(v′) has
this property for every possible input x. Let Max (S(v′)) be the size of the largest
S(v′) over variables of Cut ′. Then there is a boundary formula Hcut where every
clause has at most Max (S(v′)) + 1 literals.
Proof. Let q be an assignment to the cut variables that can be extended to
satisfy formula Grlx but not formula G. To prove the proposition at hand, one
needs to show that there is a clause C consisting of cut variables such that
• C is implied by formula G
• C(q) = 0
• C consists of at most Max (S(v′)) + 1 literals
(Using clauses satisfying the three conditions above one can build a required
boundary formula Hcut .)
Let p be an assignment satisfying formula Grlx that is obtained by extending
q. Let x′ and x′′ be the assignments of p to variables of X ′ and X ′′ respectively.
Note that x′ ≠ x′′ (otherwise p would satisfy formula G as well). Cut assignment
q can be represented as (q′, q′′) where q′ and q′′ are assignments of q to Cut ′
and Cut ′′ respectively. Assignment q′ (respectively q′′) is produced by circuit
M ′ (respectively M ′′) under input x′ (respectively x′′).
Let v′ be a variable of Cut ′. The value of v′ is uniquely specified by assignment
q′′ to S(v′). So the value of every variable of Cut ′ is specified by assignment q′′
to Cut ′′. Denote by s′ the assignment to Cut ′ specified by q′′. Let us show that
s′ ≠ q′. Assume the contrary, i.e. s′ = q′, and show that then one can extend
q to an assignment p∗ satisfying formula G and so we have a contradiction.
Assignment p∗ is constructed as follows. The variables below the cut are assigned
in p∗ as in the execution trace obtained by applying x′′ to M ′ and M ′′. Note
that by assumption, applying input x′′ to M ′ will produce cut assignment s′
equal to q′. The variables above the cut are assigned in p∗ as in p. Since p
satisfies Grlx and X ′ and X ′′ are assigned the same input x′′ in p∗, the latter
satisfies G. Besides, the cut assignment specified by p∗ is q, i.e. the same as the
one specified by p.
Since q′ ≠ s′, there is a variable v′ of Cut ′ that is assigned in q′ inconsistently
with the assignment of q′′ to the variables of S(v′). Let C ′′ be the clause of
variables of S(v′) falsified by q′′. Let l(v′) be the literal of v′ falsified by q′.
Then clause l(v′) ∨ C ′′ is falsified by q. The fact that assignment q′′ to S(v′)
determines the value of v′ means that clause l(v′) ∨ C ′′ is implied by formula
FM ′ ∧ FM ′′ . Hence l(v′) ∨ C ′′ is implied by G. Finally, the number of literals in
l(v′) ∨ C ′′ is |S(v′)| + 1. So clause l(v′) ∨ C ′′ satisfies the three conditions above.
Proposition 5. Let Wi where i > 0 be the set of variables of FMi minus those of
Cut i. Let Hi−1 where i > 1 be a boundary formula such that ∃Wi−1[H0 ∧ FMi−1 ] ≡
Hi−1∧∃Wi−1[FMi−1 ]. Let ∃Wi[Hi−1 ∧ FMi ] ≡ Hi∧∃Wi[FMi ] hold. Then ∃Wi[H0∧
FMi ] ≡ Hi∧∃Wi[FMi ] holds. (So Hi is a boundary formula due to Proposition 2.)
Proof. Let φ denote formula ∃Wi[H0 ∧ FMi ]. Let Fi−1,i be the set of clauses equal
to FMi \ FMi−1 . Formula φ can be represented as ∃Wi−1∃Wi−1,i[H0 ∧ FMi−1 ∧ Fi−1,i]
where Wi−1,i = Wi \ Wi−1. Taking into account that formula Fi−1,i does not
depend on variables of Wi−1, one can rewrite formula φ as ∃Wi−1,i[Fi−1,i ∧
∃Wi−1[H0 ∧ FMi−1 ]]. Using the assumption imposed on Hi−1 by the proposition
at hand, one can transform formula φ into ∃Wi−1,i[Fi−1,i ∧ Hi−1 ∧ ∃Wi−1[FMi−1 ]].
After putting Fi−1,i and Hi−1 back under the scope of quantifiers, φ becomes
equal to ∃Wi−1,i[∃Wi−1[Hi−1 ∧ FMi−1 ∧ Fi−1,i]] and hence to ∃Wi[Hi−1 ∧ FMi ].
Since ∃Wi[Hi−1 ∧ FMi ] ≡ Hi ∧ ∃Wi[FMi ] holds we get that the original formula
φ equal to ∃Wi[H0 ∧ FMi ] is logically equivalent to Hi ∧ ∃Wi[FMi ].
Proposition 6. Let S(X,Z), S rlx (X,Z), E(X,Z) and H(Z) be Boolean for-
mulas where X,Z are non-overlapping sets of variables. Let S = E ∧ S rlx and
∃X[E ∧ S rlx ] ≡ H ∧ ∃X[S rlx ] hold. Then S is equisatisfiable with H ∧ S rlx .
Proof. By assumptions of the proposition, ∃X[S] ≡ ∃X[H ∧ S rlx ]. So if formula
S is satisfiable, there is an assignment z to the variables of Z for which ∃X[S]
evaluates to 1. Since formula ∃X[H ∧ S rlx ] also evaluates to 1 for z, formula
H ∧ S rlx is satisfiable too. Similarly, one can show that the satisfiability of
∃X[H ∧ S rlx ] means that S is satisfiable too.
Proposition 7. Let formula S(X,Z) be represented as E(X,Z) ∧ S rlx (X,Z)
where X,Z are non-overlapping sets of Boolean variables. Let ∃X[E ∧ S rlx ] ≡
H ∧∃X[S rlx ] hold for a formula H(Z). Then H is a boundary formula in terms
of Z for relaxation S rlx (see Definition 1). That is
a) S → H and
b) for every assignment z to Z that can be extended to satisfy S rlx but not S,
the value of H(z) is 0.
Proof. ∃X[E ∧ S rlx ] ≡ H ∧ ∃X[S rlx ] entails E ∧ S rlx → H. So condition a) is
met. Let us show that condition b) holds as well. Let z be an assignment to Z
that can be extended to satisfy S rlx but not S. This means that ∃X[E ∧ S rlx ]
and ∃X[S rlx ] evaluate to 0 and 1 respectively under assignment z. Hence H(z)
has to be equal to 0 to preserve ∃X[E ∧ S rlx ] ≡ H ∧ ∃X[S rlx ].
Proposition 8. Let A(X,Y ) and B(Y,Z) be formulas where X,Y, Z are non-
overlapping sets of variables. Let A∧B ≡ 0. Formula H(Y ) is an interpolant of
implication A→ B iff A→ H and ∃W [A ∧B] ≡ H ∧∃W [B] where W = X ∪Z.
Proof. If part. Suppose that A→ H holds and ∃W [A ∧B] ≡ H ∧ ∃W [B]. Since
A→ B holds, then A ∧ B ≡ 0 and so H ∧ B ≡ 0. Hence H → B and H is an
interpolant of implication A→ B.
Only if part. Suppose that H is an interpolant and so A → H and H → B
hold. Assume that ∃W [A ∧ B] ≢ H ∧ ∃W [B]. Since H → B and hence H ∧ B ≡ 0,
this means that A ∧ B ≢ 0. So we have a contradiction.
Proposition 9. Let A(X,Y ) ∧B(Y, Z) ≢ 0 where X,Y, Z are non-overlapping
sets of variables. Let H(Y ) be a formula such that ∃W [A ∧B] ≡ H ∧ ∃W [B]
where W = X∪Z. Let y and z be assignments to Y and Z respectively such that
(y,z) satisfies H ∧ B. Then (y,z) can be extended to an assignment satisfying
A ∧B.
Proof. The fact that ∃W [A ∧B] ≡ H ∧ ∃W [B] holds and H ∧ B is satisfied by
(y,z) means that y can be extended to an assignment (x∗,y,z∗) satisfying A∧B.
Then assignment (x∗,y,z) satisfies A∧B as well. Indeed, (x∗,y) satisfies A and
(y,z) does B.
B Algorithm For Partial Quantifier Elimination
In this section, we discuss Partial Quantifier Elimination (PQE) in more detail.
In Subsection B.1, we give a high-level description of a PQE-solver. This PQE-
solver is based on the machinery of Dependency sequents (D-sequents) that we
recall in Subsection B.2.
B.1 A PQE solver
In this subsection, we describe our algorithm for PQE introduced in [9] in 2014.
We will use the same name for this algorithm as in Section 7, i.e. PQE-14. Let
A(V,W ), B(V,W ) be Boolean formulas where V ,W are non-overlapping sets of
variables. As we mentioned in Subsection 3.1, the PQE problem is to find formula
A∗(V ) such that ∃W [A ∧B] ≡ A∗ ∧∃W [B]. We will refer to a clause containing
a variable of W as a W -clause. PQE-14 is based on the three ideas below.
First, finding formula A∗ comes down to generation of clauses depending only
on variables of V that make the W -clauses of A redundant in A∗ ∧ ∃W [A ∧B].
Second, the clauses of A∗ can be derived by resolving clauses of A ∧ B. The
intermediate resolvents that are W -clauses need to be proved redundant along
with the original W -clauses of A. However, since formula B remains quantified,
there is no need to prove redundancy of W -clauses of B or W -clauses obtained
by resolving only clauses of B.
Third, since proving redundancy of a clause is a hard problem it makes sense
to partition this problem into simpler subproblems. To this end, PQE-14 employs
branching. After proving redundancy of required clauses in subspaces, the results
of branches are merged. The advantage of branching is that for every W -clause
C one can always reach a subspace where C can be trivially proved redundant.
Namely, C is trivially redundant in the current subspace if a) C is satisfied in the
current branch; b) C is implied by some other clause; c) there is an unassigned
variable y of C where y ∈ W , such that C cannot be resolved on y with other
clauses that are not satisfied or proved redundant yet.
B.2 Dependency sequents
PQE-14 branches on variables of V ∪W until the W -clauses that are descendants
of W -clauses of A are proved redundant in the current subspace. To keep track
of conditions under which a W -clause becomes redundant in a subspace, PQE-14
uses the machinery of Dependency sequents (D-sequents) developed in [7,8]. A
D-sequent is a record of the form (∃W [A ∧B], q) → {C}. It states that clause
C is redundant in formula ∃W [A ∧B] in subspace q. Here q is an assignment to
variables of V ∪ W and A is the current formula that consists of the initial clauses
of A and the resolvent clauses. When a W -clause C is proved redundant in a
subspace, this fact is recorded as a D-sequent. If q = ∅, the D-sequent is called
unconditional. Derivation of such a D-sequent means that clause C is redundant
in the current formula ∃W [A ∧B] in the entire space.
The objective of PQE-14 is to derive unconditional D-sequents for all W -
clauses of A and their descendants that are W -clauses. A new D-sequent can be
obtained from two parent D-sequents by a resolution-like operation on a variable
y. This operation is called join. When PQE-14 merges the results of branching
on variable y it joins D-sequents obtained in branches y = 0 and y = 1 at
variable y. So the resulting D-sequents do not depend on y. If formula A ∧B is
unsatisfiable in both branches, a new clause C is added to formula A. Clause C
is obtained by resolving a clause falsified in subspace y = 0 with a clause falsified
in subspace y = 1 on y. Adding C makes all W -clauses redundant in the current
subspace. By the time PQE-14 backtracks to the root of the search tree, it has
derived unconditional D-sequents for all W -clauses of the current formula A.
Algorithms based on D-sequents (including PQE solving) are work in progress.
So they still lack some important techniques like D-sequent re-using. In the
current algorithms based on D-sequents, the parent D-sequents are discarded as
soon as they produce a new D-sequent by the join operation. Although D-sequent
re-using promises to be as powerful as re-using learned clauses in SAT-solving,
it requires more sophisticated bookkeeping and so is not implemented yet [9].
C Generation Of Cuts That Do Not Overlap
An important part of EC LoR described in Section 5 is to build non-overlapping
cuts. These cuts are used to generate a sequence of boundary formulas converging
to an output boundary formula. As we mentioned there, the presence of non-
local connections makes it hard to find cuts that do not overlap. In this section,
we consider this issue in more detail. First, we give the necessary definitions
and describe the problem. Then we explain how one can get rid of non-local
connections by buffer insertion.
Let M be a multi-output circuit. The length of a path from an output of a
gate to an input of another gate is measured by the number of gates on this
path. The topological level of a gate g is the longest path from an input of M
to g. We treat the inputs of M as special gates that are not fed by other gates.
We will denote the topological level of gate g as TopLvl(g). It can be computed
recursively as follows. If g is an input, then TopLvl(g) = 0. Otherwise, TopLvl(g)
is equal to the maximum topological level among the gates feeding g plus 1.
Fig. 8. A circuit
We will call gates gi and gj topologically independent if
there is no path from an input to an output of M going
through both these gates. For instance, gates g1 and g2 in
Fig. 8 are topologically independent. We will call a set S of
gates a cut, if every path from an input to an output of M
goes through a gate of S. A cut S is minimal, if for every
gate g ∈ S, set S \ {g} is not a cut. EC LoR employs only
minimal cuts. In this section, we use the notion of a gate
and the variable specifying its output interchangeably. For
example, the topological level of a variable v specifying the
output of gate g (denoted as TopLvl(v)) is equal to TopLvl(g).
If gate gi of M feeds gate gj and TopLvl(gj) >
TopLvl(gi) + 1, then gi and gj are said to have a non-local
connection. Non-local connections make topologically dependent gates appear
on the same cut. Consider the circuit of Fig. 8. The input gate x3 feeds gates g2
and g3. Since TopLvl(x3)=0 and TopLvl(g3)=2, the connection between x3 and
g3 is non-local. This leads to the appearance of the cut {y1, y2, x3} where variables y2
and x3 are topologically dependent. If gate gi feeds gate gj and this connection
is non-local, gate gi appears in every cut that separates gi and gj and does not
include gj . So the presence of a large number of non-local connections leads to
the heavy overlapping of cuts.
There are a few techniques for dealing with non-local connections of N ′ and
N ′′ in the context of EC by LoR. The simplest one is to insert buffers. A buffer is
a single-input and single-output gate that copies its input to the output. Let gi
and gj be gates of N ′ such that a) gi feeds gj and b) TopLvl(gj) > TopLvl(gi)+1.
By inserting TopLvl(gj)−TopLvl(gi)−1 buffers between gi and gj , this non-local
connection is replaced with TopLvl(gj)− TopLvl(gi) local connections.
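The level computation, non-local connection test, buffer insertion and cut test of this section, as an added Python example (not code from the paper). The circuit is constructed in the spirit of Fig. 8 rather than a reproduction of it, and all gate and variable names are assumptions.

```python
# Constructed circuit in the spirit of Fig. 8 (not a reproduction of it): gate -> fan-in
# list; inputs x1..x3 have no entry. g1, g2 are topologically independent; x3 feeds
# both g2 and g3, so x3 -> g3 is a non-local connection (TopLvl 0 -> 2).
CIRCUIT = {"g1": ["x1", "x2"], "g2": ["x2", "x3"], "g3": ["g2", "x3"]}
INPUTS = ["x1", "x2", "x3"]

def top_levels(circuit, inputs):
    """TopLvl(g): 0 for an input, else 1 + max TopLvl over the gates feeding g."""
    levels = {x: 0 for x in inputs}
    def lvl(g):
        if g not in levels:
            levels[g] = 1 + max(lvl(f) for f in circuit[g])
        return levels[g]
    for g in circuit:
        lvl(g)
    return levels

def non_local_connections(circuit, inputs):
    """Edges gi -> gj with TopLvl(gj) > TopLvl(gi) + 1."""
    lv = top_levels(circuit, inputs)
    return [(gi, gj) for gj, fins in circuit.items() for gi in fins if lv[gj] > lv[gi] + 1]

def insert_buffers(circuit, inputs):
    """Replace each non-local edge gi -> gj by TopLvl(gj)-TopLvl(gi)-1 chained buffers."""
    lv = top_levels(circuit, inputs)
    new, nbuf = {g: list(f) for g, f in circuit.items()}, 0
    for gj, fins in circuit.items():
        for k, gi in enumerate(fins):
            prev = gi
            for _ in range(lv[gj] - lv[gi] - 1):
                nbuf += 1
                new[f"buf{nbuf}"] = [prev]   # buffer: single input copied to its output
                prev = f"buf{nbuf}"
            new[gj][k] = prev
    return new

def is_cut(circuit, inputs, cut):
    """True iff every input-to-output path of the circuit goes through a gate of cut."""
    lv = top_levels(circuit, inputs)
    fed = {f for fins in circuit.values() for f in fins}
    outputs = [g for g in circuit if g not in fed]
    # Propagate "reachable without touching cut" in topological (level) order.
    reach = {x for x in inputs if x not in cut}
    for g in sorted(circuit, key=lv.get):
        if g not in cut and any(f in reach for f in circuit[g]):
            reach.add(g)
    return not any(o in reach for o in outputs)
```

After buffer insertion the cut {g1, g2, buf1} separates the inputs from the outputs with no two of its gates on a common path, which is what the non-overlapping cuts of Section 5 need.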
D Version of EC LoR Used In Experiments
In the experiments of Subsection 7.2, we used a version of EC LoR that was
modified in comparison to the description given in Fig. 5. We will refer to this
version as EC LoR∗. In this section, we describe EC LoR∗ in more detail.
Boundary formula Hi was computed in EC LoR∗ as follows. If there was a
variable specifying the output of a cut gate g′ that was not present in a clause of
Hi, EC LoR∗ called the procedure below. That procedure generated short clauses
relating the output variable of g′ and those of its “relatives” from N ′′. This way,
EC LoR∗ avoided running a cut termination check before every variable of the i-th
cut was present in a clause of Hi.
Clauses of Hi constraining the output variable of g′ were generated as follows. First,
EC LoR∗ identified the relatives g′′1, . . . , g′′m of gate g′ in N ′′. A gate g′′j was
considered a relative of g′ if there was a clause of formula Hi−1 relating input
variables of g′ and g′′j. Finally, a set of clauses A∗ relating the output variable of
gate g′ and those of its relatives was generated and added to formula Hi. The
clauses of A∗ were obtained by taking formula A out of the scope of quantifiers
in ∃W [A ∧B]. Here A is the set of clauses of formula Hi−1 containing the input
variables of gate g′ and its relatives. Formula B contains the clauses specifying
gate g′ and its relatives. Set W consists of the variables of A ∧B minus the output
variables of g′ and its relatives.
Another modification of EC LoR∗ was that boundary formulas were com-
puted approximately. In line 11 of Fig. 5, formula FMi specifying the gates lo-
cated between inputs of N ′ and N ′′ and i-th cut is used to compute a new clause
of Hi. In EC LoR∗ only the subset of clauses of FMi specifying the gates located
between (i− 1)-th and i-th cuts was used when computing Hi.
E Computing Boundary Formulas Efficiently
Computation of a boundary formula is based on PQE solving. In turn, a PQE-
solver is based on derivation of D-sequents (see Subsection B.2 of the appendix).
As we showed in Subsection 4.3, boundary formula Hi is obtained by taking Hi−1
out of the scope of quantifiers in formula ∃Wi[Hi−1 ∧ FMi ]. Here FMi specifies
the gates located between inputs of circuits N ′, N ′′ and i-th cut and Wi is the
set of variables of FMi minus those of the i-th cut. Since the size of formula FMi
grows with i, a PQE-solver that computes Hi precisely must have high scalability.
PQE-14 (see Section B) does not scale well yet because it does not re-use D-
sequents. In this section, we argue that once D-sequent re-using is implemented,
efficient computation of boundary formulas becomes quite possible.
Consider the scalability problem in more detail. Formula Hi is obtained by
generating a set of clauses that make the clauses of Hi−1 redundant. Let C ∈
Hi−1 be a clause whose redundancy one needs to prove. PQE-14 is a branching
algorithm. Clause C is trivially redundant in every subspace where C is satisfied.
Proving redundancy is non-trivial only in the subspace where C is falsified. To
prove C redundant in such a subspace, PQE-14 uses the machinery of local
proofs of redundancy described below. (For the sake of simplicity we did not
mention this aspect of PQE-14 in Section B.)
Suppose clause C above contains the positive literal of variable v. Suppose,
in the current branch, literal v is unassigned and all the other literals of C are
falsified. So C is currently a unit clause. Then PQE-14 marks all the clauses
containing literal v that can be resolved with C as ones that have to be proved
redundant in branch v = 1 i.e. locally. This is done even for clauses of FMi (that
do not have to be proved redundant globally because FMi remains quantified).
The obligation to prove redundancy of clauses with literal v is made to prove
redundancy of C in the branch where v = 0 and C is falsified. This obligation is
canceled immediately after PQE-14 backtracks to the node w of the search tree
that precedes node v. When exploring branch v = 1 one of the two alternatives
occurs. If the formula is UNSAT in this branch, a new clause is generated that sub-
sumes C in node w. Adding this clause to ∃Wi[Hi−1 ∧ FMi ] makes C redundant
in node w. Otherwise, clauses with literal v are proved redundant in node w and
so C is redundant in node w because it cannot be resolved on v in the current
subspace. (This also means that C is redundant in branch v = 1 where C is
falsified.)
To prove that a clause B with literal v is redundant in branch v = 1 one may
need to make obligations to prove redundancy of some other clauses that can
be resolved with B on one of its variables and so on. So proving redundancy of
one clause C makes PQE-14 prove local redundancy of many clauses. Currently
PQE-14 discards a D-sequent as soon as it is joined at a branching variable of
the search tree (with some other D-sequent). Moreover, the D-sequent of a clause
that one needs to prove only locally is discarded after the obligation to prove
redundancy of this clause is canceled. This cripples the scalability of PQE-14
because one has to reproduce D-sequents seen before over and over again. As the
size of formula FMi grows, more and more clauses need to be proved redundant
locally and the size of the search tree blows up.
Re-using D-sequents should lead to drastic reduction of the search tree size
for two reasons. First, when proving redundancy of clause C one can immediately
discard every clause whose D-sequent states the redundancy of this clause in the
current subspace. Second, one can re-use D-sequents of clauses of FMj , j < i that
were derived when building formula Hj . Informally, D-sequent re-using should
boost the performance of a PQE algorithm like re-using learned clauses boosts
that of a SAT-solver.
