AC/3 V1.00. A tool for automatic error correction of combinatorial circuits by Hoffmann, Dirk W. & Kropf, Thomas
AC V
A Tool for Automatic Error Correction
of Combinatorial Circuits 
Dirk W Homann and Thomas Kropf







AC is a tool for performing automatic error correction in combina
torial circuits Two circuits must be provided to the system where one
serves as the specication circuit and the other one as the current imple
mentation AC tries to prove equivalence between both designs and
performs automatic error correction if equivalence does not hold The tool
is based on the rectication theory developed in 
keywords Automatic error correction equivalence checking BDDs
1 Introduction
In recent years formal verication techniques  have become more and more
sophisticated and for several application domains they have already found their
way into industrial environments Boolean equivalence checking  	 
 mostly
based on BDDs   is unquestionably one of these techniques and usually
applied during the optimization process to ensure that an optimized circuit still
exhibits the same behavior as the original golden design Using BDDs for
representing Boolean functions the verication task mainly consists of creating
a BDD for the Boolean function of each outputsignal Then due to the normal
form property of BDDs both signals implement the same function if and only
if they have the same BDD representation Hence equivalence can be decided
by simply comparing both BDDs
A lot of professional tools have been proposed in recent years, and they have already been able to prove their practical usefulness in a short period of time. Many companies are starting to apply equivalence checking, and in a few years this method will undoubtedly be a fully accepted and integrated part of the design cycle.
(This work is supported by the ESPRIT LTR Project.)
A major requirement for formal methods to be applied successfully in industrial environments is that a verification tool provides useful information even if the verification task fails. Then the application domain of formal verification is no longer restricted to approving the correctness of a specific design; it can also serve as a powerful debugging technique and therefore helps to speed up the whole design cycle.
If equivalence checking fails, most verification tools only allow to compute a counterexample in the form of a combination of input values for which the output of the optimized circuit differs from its specification. Therefore it often remains extremely hard to detect the error-causing components. Counterexamples as produced by most equivalence checkers can only serve as hints for debugging a circuit, and a deeper understanding of the design is still essential.
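The following is an added example (not AC/3's code, and not D. E. Long's BDD package) that implements a minimal reduced ordered BDD in Python and uses it exactly as the two paragraphs above describe: one BDD per output signal under a fixed variable order, equivalence decided by node identity, and a counterexample read off the BDD of the difference when the two differ. The signals are the tutorial's half-adder sum (written with EQUIV where XOR was intended) and carry; the variable order a, b is an assumption.

```python
"""Minimal reduced ordered BDD with a unique table (added example for this page;
not AC/3's code, which uses D. E. Long's BDD package).  It follows the argument
of the introduction: build one BDD per output signal under a fixed variable
order, decide equivalence by node identity, and otherwise read a counterexample
off the BDD of the difference.  Terminals are the node ids 0 and 1."""

class BDD:
    def __init__(self, order):
        self.order = {v: i for i, v in enumerate(order)}   # variable -> rank
        self.unique = {}                  # (var, low, high) -> node id
        self.node = {}                    # node id -> (var, low, high)

    def var(self, name):
        return self.mk(name, 0, 1)

    def mk(self, v, low, high):
        """Canonical node: drop redundant tests, share isomorphic subgraphs."""
        if low == high:
            return low
        key = (v, low, high)
        if key not in self.unique:
            self.unique[key] = len(self.node) + 2
            self.node[self.unique[key]] = key
        return self.unique[key]

    def restrict(self, f, v, val):
        """Cofactor of f with variable v fixed to val."""
        if f <= 1:
            return f
        w, lo, hi = self.node[f]
        if self.order[w] > self.order[v]:
            return f                      # v cannot occur below w
        if w == v:
            return hi if val else lo
        return self.mk(w, self.restrict(lo, v, val), self.restrict(hi, v, val))

    def ite(self, f, g, h, memo=None):
        """if f then g else h; every connective below is one ite call."""
        memo = {} if memo is None else memo
        if f == 1: return g
        if f == 0: return h
        if g == h: return g
        if (g, h) == (1, 0): return f
        if (f, g, h) in memo: return memo[(f, g, h)]
        v = min((self.node[x][0] for x in (f, g, h) if x > 1),
                key=self.order.__getitem__)
        lo = self.ite(*(self.restrict(x, v, 0) for x in (f, g, h)), memo)
        hi = self.ite(*(self.restrict(x, v, 1) for x in (f, g, h)), memo)
        memo[(f, g, h)] = r = self.mk(v, lo, hi)
        return r

    def NOT(self, f):      return self.ite(f, 0, 1)
    def AND(self, f, g):   return self.ite(f, g, 0)
    def OR(self, f, g):    return self.ite(f, 1, g)
    def XOR(self, f, g):   return self.ite(f, self.NOT(g), g)
    def EQUIV(self, f, g): return self.ite(f, g, self.NOT(g))
    def IMP(self, f, g):   return self.ite(f, g, 1)

    def exists(self, f, v):
        """Existential quantification as in the formal semantics: f|v=0 OR f|v=1."""
        return self.OR(self.restrict(f, v, 0), self.restrict(f, v, 1))

    def witness(self, f):
        """One assignment making f true (None if f is 0; unlisted variables are
        don't-care, so {} means every input satisfies f)."""
        if f == 0:
            return None
        assign = {}
        while f > 1:
            v, lo, hi = self.node[f]
            assign[v], f = (1, hi) if hi != 0 else (0, lo)
        return assign

def equivalent(bdd, spec, impl):
    """(True, None) if both ids coincide (canonical form), else (False, cex)."""
    if spec == impl:
        return True, None
    return False, bdd.witness(bdd.XOR(spec, impl))

def half_adder_check():
    """The tutorial's fault (HADDER.sum written as a EQUIV b instead of a XOR b)
    beside a correct carry written in two different ways."""
    bdd = BDD(["a", "b"])
    a, b = bdd.var("a"), bdd.var("b")
    sum_ok, sum_cex = equivalent(bdd, bdd.XOR(a, b), bdd.EQUIV(a, b))
    carry_ok, _ = equivalent(bdd, bdd.AND(a, b),
                             bdd.NOT(bdd.OR(bdd.NOT(a), bdd.NOT(b))))
    return sum_ok, sum_cex, carry_ok
```

For the faulty sum the counterexample is the empty assignment, because a EQUIV b and a XOR b differ on every input; for signals that differ only somewhere, witness() returns the concrete input values.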
In recent years several approaches have been presented for extending equiv
alence checkers with capabilities not only to compute counter examples but to
locate and rectify errors in the provided design The applicability of such a
method is strongly inuenced by the following aspects
  Which types of errors can be found 
  Does the method scale to large circuits 
  How many changes does the computed solution require 
  Does the method perform well even if both circuits are structurally dif
ferent 
AC is a tool for automatic error localization and rectication of combina
torial circuits and based on the rectication theory developed in  Basically
AC tries to determine the smallest component containing the erroneous parts
in the optimized circuit Once such a component has been localized a circuit
x is computed and suggested to the designer
The rectication method implemented in AC does not assume any error
model and therefore arbitrary design errors can be detected Moreover when
computing a circuit rectication AC tries to incorporate as many subparts
of the circuit as possible in order to minimize the number of modications
The underlying method directly works on BDDs and during the rectication
process only the abstract BDD representation of the specicationcircuit is con
sidered Thus the success of our algorithm does not depend on any structural
similarity between the implementation and the specication
This paper is organized as follows. In Section 2 we provide a quick tutorial on AC/3; the basic steps for rectifying a circuit are illustrated by a small example. Section 3 describes the tools in more detail. A formal definition of the input language, including a formally defined semantics, is given in Sections 3.1 and 3.2. Section 3.3 provides a complete description of all available commands. The currently supported flags are described in Section 3.4. In Section 4 we give a brief description of additional tools of AC/3.

2 A Tutorial Example
This section demonstrates the usage of AC/3 with a small tutorial example. A complete and more detailed description of the system will be presented in Section 3. To start AC/3, simply type
checker
at the Unix command prompt. If the system has been built successfully, AC/3 answers with the following message:
CircuitRectifier Vb build on Fri Dec  	

 
Dirk W Hoffmann Copyright  University of Karlsruhe
Type  for help
Rectifier




  this help message
info  about this program
exit  exit program
settings  display current settings
impfile file  select implementation file
specfile file  select specification file
imppin name  select implementation outpin
specpin name  select specification outpin
viewimp  view implementation file
viewspec  view specification file
prove  start equivalence checking
profile  print st about parsed files
solution  select a solution
viewsol  view selected solution
writesol  write rectified circuit to a file
set flag value  set flag
In this tutorial section we will only use some of these commands. A complete description of all commands can be found in Section 3.3.

COMPONENT CRADDER aabb  ccc

COMPONENT HADDER ab  sumcarry
sum  a  b
carry  a  b
END
COMPONENT FULLADDER abc  sumcarry
sum  a XOR b XOR c












Figure 	 Example A two bit CarryRippleAdder
For this tutorial session we want to rectify a very small circuit implementing a two-bit carry-ripple adder. The implementation circuit is shown in Fig. 1. The circuit has four global input signals (the two bits of a and the two bits of b) and three output signals (the three bits of the sum c). Using a half-adder component HADDER and a full-adder component FULLADDER, the circuit computes the sum c = a + b. The specification is shown in Fig. 2. Unlike the implementation, the specification defines its output signals by Boolean functions derived directly from the truth table of Boolean addition.
To load the implementation circuit and the specification circuit, we use the impfile and specfile command, respectively:
Rectifier impfile carryrippleimp
Parsing file done
COMPONENT CRADDER aabb  ccc

c  a XOR b
c  a XOR b XOR a  b
c
  a  b  a  b  b  a  a  b
END






carryrippleimp and varryripplespec are the lenames on disk
Now we have to specify a pair of output signals we want to prove equivalent
Output signals can be selected with the imppin and specpin command For
now we choose output c in both circuits
Rectifier imppin c
Rectifier specpin c
bdd caching  on
temporary caching  on
precompute solutions off
solutions formulas reuse signals from  current component
search granularity  low
Before starting the rectification process we change some of the flags. Since we deal with a very small example, we set the precomputation flag:
Rectifier set precomputation on
This causes the rectifier to immediately compute a solution whenever a rectifiable subcomponent has been localized. If the flag is switched off, solution computation is delayed. Precomputation should only be switched on if the designs to be rectified are not too large, since it can considerably slow down the rectification process. We also choose high search granularity to find a maximum number of solutions:
Rectifier set granularity high
To invoke the equivalence checker, simply type prove. AC/3 now creates the BDD representation for the selected output signals and checks for equivalence:
Rectifier prove
Symbolic simulation in progress
BDD at xcdd  nodes
BDD at xcdd  nodes
CRADDERc of carryripplespec and
CRADDERc of carryrippleimp are equivalent 
Elapsed time  sec
For output c equivalence has been proven without changing the design Sig
nal c
 can also be proven equivalent on the rst try However for signal c 





Symbolic simulation in progress
BDD at xcddb 	 nodes
BDD at xcddb 	 nodes
CRADDERc of carryripplespec and
CRADDERc of carryrippleimp are different 
Elapsed time  sec
Trying to fix circuit
Checking result
Constructing solution
Calling the construct algorithm
Number of signals for reuse 
done 	nodes
Rectify completet
 possible circuit fixes found
Rectification time  sec
Total BDD nodes 	
Garbage collection
done
Total BDD nodes 	
We can now choose a solution with the solution command:
Rectifier solution
   changes in CRADDER  sec 
 nodes




   changes in CRADDER  sec 
 nodes
   changes in CRADDERHADDER  sec 
 nodes
	   changes in CRADDERHADDER  sec 	 nodes
   changes in CRADDER  sec 	 nodes
type in number 	
We have selected the solution typed in above. The viewsol command automatically applies the selected solution to the circuit and displays the rectified design:
Rectifier viewsol
Changes in CRADDER
COMPONENT CRADDER aabb  ccc

COMPONENT HADDER ab  sumcarry
sum  b  a  b  a




COMPONENT FULLADDER abc  sumcarry
sum  a  b  c










The circuit has been modied in component H ADDER by changing the denition
of signal sum
Table 	 shows a complete list of all computed solutions The second and
third column contain name of the subcomponent and name of the signal to be
modied respectively Column  shows the old signal denition while column
 contains the suggested replacement Comparing the rectied circuit with the
original implementation in Fig 	 it turns out that the major design error has
been made in component HADDER Outputsignal sum computes a false value
due to a wrong logical connective Instead of performing an XORoperation
the equivalenceoperator is applied Solution  exactly suggests to replace this
logical connective but all other solutions also x the circuit even if some of them
actually do not reect the designers original intention Since the verication
tool does not have any semantical knowledge about the halfadder it cannot
distinguish between these solutions In general the solution that requires the
minimal number of changes is considered best Solutions 	 to  prove that the
circuit can even be rectied by inserting one additional NOT gate only
Using the writesol command allows to write back the rectied circuit to a
le After saving the circuit AC can be quitted by typing exit

Nr  Component  Signal      Old definition  Suggested replacement
1   HADDER     sum         a b             a b
2   HADDER     sum         a b             a b
3   CRADDER    HADDER.b    b               b
4   CRADDER    HADDER.a    a               a
5   HADDER     sum         a b             a b a b
6   CRADDER    c           HADDER.sum      HADDER.sum
Table 1: Complete list of all computed circuit fixes for the carry-ripple adder.
Rectifier writesol
Enter file name carryripplefix
Rectifier exit
Have a nice day
3 Tool Description
The following description refers to AC/3 V1.00. AC/3 has been written in C++ and documented via the DOC++ standard. AC/3 should compile on every UNIX platform and with every C++ compiler supporting the ANSI standard. D. E. Long's BDD library is required for compilation and can be downloaded freely.
In particular, we have successfully built the system with the following configuration:
- BDD lib package by D. E. Long
- DOC++ for extracting the developer documentation
For installing the system, please refer to the installation notes that come with the system. To start AC/3, simply type
checker
at the command prompt.
In the next section we describe the input language of AC/3 V1.00 in more detail. Section 3.3 gives a detailed description of the available commands, and Section 3.4 describes the currently available flags.
3.1 The Input Language
A rst impression of the input language of AC has been given in Fig 	 and
Fig  Basically every input le describes a combinatorial circuits in form of
hierarchical net list To achieve a hierarchical description several components

can be declared each consisting of an interface declaration and a component
body Input and output signals are declared in the interface declaration In
the component body subcomponents can be declared together with Boolean
formulas dening the components behavior
Throughout the input le comments can be inserted by typing two slashes
After  everything is ignored until a newline character occurs Spaces tab
ulators and blank lines can occur everywhere and are skipped by the parser
We now give a more precise denition of the inputlanguage using regular
expressions and BNF notation
Identiers are used to specify names An identier can represent a com
ponent name a signal name or a name of an external variable Formally we
dene
ident  azAZ 
We explicitely make the exception that identiers must not be a reserved word
Reserved words are COMPONENT EXTERN END NOT AND OR XOR IMP and EQUIV
References represent names of signals:
reference ::= ident
            | ident.ident
The rightmost identifier is the signal name, and the optional identifier can be used to specify a distinct component where the signal occurs in.
Expressions represent Boolean functions and are defined as follows:
expr ::= true
       | false
       | reference              internal signal
       | EXTERN ident           external input
       |  expr                  negation (symbolic form)
       | NOT expr               negation
       | expr  expr             conjunction (symbolic form)
       | expr AND expr          conjunction
       | expr  expr             disjunction (symbolic form)
       | expr OR expr           disjunction
       | expr  expr             implication (symbolic form)
       | expr IMP expr          implication
       | expr  expr             logical equivalence (symbolic form)
       | expr EQUIV expr        logical equivalence
       | expr XOR expr          exclusive-or
       | ( expr )
Expressions can either be a reference to a signal, an external input (keyword EXTERN), or a combination of one or more expressions with a logical connective.
Assignments allow to assign an expression to a signal:
assignment ::= reference = expr


Components are the core objects of the input language. As mentioned before, each component consists of an interface declaration, a list of subcomponents and a list of assignments. Component declarations can be arbitrarily nested.
The component interface consists of a component name, a declaration of input signals and a declaration of output signals:
interface ::= COMPONENT ident id_list  id_list
id_list   ::= ident
            | ident  id_list
Finally, a valid input file consists of the declaration of a single component, which is called the main component:
input_file ::= component            main component
The input signals of the main component are implicitly considered to be external inputs. In all other components, external signals have to be defined using the EXTERN keyword.
3.2 Formal Semantics
In this section we provide a formal semantics for the input language dened in
the previous section The semantics is given in form of a function that maps
a given inputle p onto a corresponding Boolean formula p
A
describing the
outputsignals of p p
A
is called the denotation of p The additional subscript
A is a simple string carrying the componentname where p is dened in If the
subscript is omitted we implicitly assume A to be the empty string
We use a syntax directed semantics which means that the semantics of a
programconstruct is dened in terms of the semantics of its syntactic compo





Note that Aident is the name of a single variable The prex A is added
to the variable name in order to avoid name clashes between variables



















Expressions:
$$\llbracket \mathtt{NOT}\ expr \rrbracket_A = \neg\, \llbracket expr \rrbracket_A$$
$$\llbracket expr_1\ \mathtt{AND}\ expr_2 \rrbracket_A = \llbracket expr_1 \rrbracket_A \wedge \llbracket expr_2 \rrbracket_A$$
$$\llbracket expr_1\ \mathtt{OR}\ expr_2 \rrbracket_A = \llbracket expr_1 \rrbracket_A \vee \llbracket expr_2 \rrbracket_A$$
$$\llbracket expr_1\ \mathtt{IMP}\ expr_2 \rrbracket_A = \llbracket expr_1 \rrbracket_A \rightarrow \llbracket expr_2 \rrbracket_A$$
$$\llbracket expr_1\ \mathtt{EQUIV}\ expr_2 \rrbracket_A = \llbracket expr_1 \rrbracket_A \leftrightarrow \llbracket expr_2 \rrbracket_A$$
$$\llbracket expr_1\ \mathtt{XOR}\ expr_2 \rrbracket_A = \llbracket expr_1 \rrbracket_A \oplus \llbracket expr_2 \rrbracket_A$$
$$\llbracket (\, expr \,) \rrbracket_A = \llbracket expr \rrbracket_A$$
Each symbolic operator form of the grammar has the same denotation as its keyword form. The logical operators $\wedge$, $\vee$, $\rightarrow$, $\leftrightarrow$, $\oplus$ stand for logical conjunction, disjunction, implication, equivalence and exclusive-or, respectively, and are defined by their usual truth tables.
Assignments:
$$\llbracket reference = expr \rrbracket_A = \llbracket reference \rrbracket_A \leftrightarrow \llbracket expr \rrbracket_A$$
Components:
$$\llbracket interface\ cmp\_list\ ass\_list \rrbracket_A = \llbracket cmp\_list \rrbracket_{A.name} \wedge \llbracket ass\_list \rrbracket_{A.name}$$
where name is the component name specified in the interface.
Lists of components:
$$\llbracket \text{empty list} \rrbracket_A = true$$
$$\llbracket comp \mid rest \rrbracket_A = \llbracket comp \rrbracket_A \wedge \llbracket rest \rrbracket_A$$
Lists of assignments:
$$\llbracket \text{empty list} \rrbracket_A = true$$
$$\llbracket ass \mid rest \rrbracket_A = \llbracket ass \rrbracket_A \wedge \llbracket rest \rrbracket_A$$
Before dening the semantics of a complete AC program we introduce
the sigsA function mapping components to sets of variables
sigsA name  i      ino      om cmp list ass list  
fAi      Ain Ao      Aomg 
 sigsAname cmp list 
sigsC collects the names of all signals occurring either in C itself or in
one of its subcomponents We extend the denition to componentlists
as usual
sigsA empty list   
sigsA comp j rest   sigsA comp  
 sigsA rest 
Using the sigs function we dene the semantics of a complete inputle
as
 interface cmp list ass list   s      sk 
 cmp list name
  ass list name
where name is the componentname specied in the interface and
s      sk  sigsname cmp list  In the resulting formula all interme
diate signals are hidden by the  operator denoting standard existential
quantication for Boolean formulas ie
x  f  f x   f x 	
Thus the denotational semantics for an AC program is a Boolean for
mula only containing the input and output signals of the main component
as variables
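An executable rendering of the semantics above, added here as an example and not part of AC/3: expressions and components are Python tuples over the language's keyword connectives, every assignment denotes [[reference]] <-> [[expr]] with signal names prefixed by the path of the defining instance (the A.ident convention, applied uniformly to every instance), and the existential hiding of internal signals is resolved by substitution, which is valid for loop-free circuits with one definition per signal (the two properties the statistics tool of Section 4 checks). The two-bit adder, its arithmetic specification and the brute-force search over HADDER's inputs are constructed for illustration; the search is not AC/3's construct algorithm.

```python
"""Executable rendering of this section's semantics (added example, not AC/3's
code).  Components and expressions are Python tuples over the keyword
connectives; [[comp]]_A is the conjunction of [[ref]]_B <-> [[expr]]_B over all
assignments of comp and its subcomponents (B = path of the defining instance).
For a loop-free circuit with one definition per signal, hiding the internal
signals leaves one model per input vector, which solve() finds by substitution."""
from itertools import product

def q(A, *parts):                       # A.ident: prefixes keep instances apart
    return ".".join(p for p in (A,) + parts if p)

def collect(comp, A, defs):
    """Flatten a component tree into {B.signal: (expr, B)}."""
    name, _, _, subs, asss = comp
    B = q(A, name)
    for sub in subs:
        collect(sub, B, defs)
    defs.update({q(B, *r[1:]): (e, B) for r, e in asss})
    return defs

def value(var, defs, env, pending=()):
    """Value of a prefixed signal; rejects undefined signals and loops."""
    if var not in env:
        if var not in defs:
            raise ValueError("missing definition: " + var)
        if var in pending:
            raise ValueError("not loop-free at: " + var)
        expr, B = defs[var]
        env[var] = denote(expr, B, defs, env, pending + (var,))
    return env[var]

def denote(e, A, defs, env, pending=()):
    """[[expr]]_A: references are prefixed with A, EXTERN inputs are not."""
    op = e[0]
    if op in ("true", "false"):
        return int(op == "true")
    if op == "EXTERN":
        return env[e[1]]
    if op == "ref":
        return value(q(A, *e[1:]), defs, env, pending)
    if op == "NOT":
        return 1 - denote(e[1], A, defs, env, pending)
    x, y = (denote(s, A, defs, env, pending) for s in e[1:])
    return {"AND": x & y, "OR": x | y, "XOR": x ^ y,
            "IMP": (1 - x) | y, "EQUIV": 1 - (x ^ y)}[op]

def solve(main, inputs):
    """Output vector of the main component; its inputs are the external variables."""
    name, ins, outs, _, _ = main
    env = dict(zip(ins, inputs), **{q(name, i): v for i, v in zip(ins, inputs)})
    return tuple(value(q(name, o), collect(main, "", {}), env) for o in outs)

def ref(*path): return ("ref",) + path
def cradder(hadder_sum=("EQUIV", ref("a"), ref("b"))):
    """Two-bit carry-ripple adder after Fig. 1; default HADDER.sum has the fault."""
    hadder = ("HADDER", ["a", "b"], ["sum", "carry"], [],
              [(ref("sum"), hadder_sum), (ref("carry"), ("AND", ref("a"), ref("b")))])
    fulladder = ("FULLADDER", ["a", "b", "c"], ["sum", "carry"], [],
                 [(ref("sum"), ("XOR", ("XOR", ref("a"), ref("b")), ref("c"))),
                  (ref("carry"), ("OR", ("AND", ref("a"), ref("b")),
                                  ("AND", ref("c"), ("OR", ref("a"), ref("b")))))])
    return ("CRADDER", ["a1", "a0", "b1", "b0"], ["c2", "c1", "c0"], [hadder, fulladder],
            [(ref("HADDER", "a"), ref("a0")), (ref("HADDER", "b"), ref("b0")),
             (ref("FULLADDER", "a"), ref("a1")), (ref("FULLADDER", "b"), ref("b1")),
             (ref("FULLADDER", "c"), ref("HADDER", "carry")),
             (ref("c0"), ref("HADDER", "sum")), (ref("c1"), ref("FULLADDER", "sum")),
             (ref("c2"), ref("FULLADDER", "carry"))])

def spec(a1, a0, b1, b0):               # specification straight from arithmetic
    s = 2 * a1 + a0 + 2 * b1 + b0
    return (s >> 2 & 1, s >> 1 & 1, s & 1)

def mismatches(main):
    """(input vector, output index) pairs on which main deviates from spec()."""
    return [(ins, i) for ins in product((0, 1), repeat=4)
            for i, (x, y) in enumerate(zip(solve(main, ins), spec(*ins))) if x != y]

def rectify_hadder_sum():
    """Brute-force 'comp inputs' search (not AC/3's algorithm): try all 16 functions
    of HADDER's inputs as HADDER.sum; return the tables (f00, f01, f10, f11) that fix all outputs."""
    fixes = []
    for bits in product((0, 1), repeat=4):
        e = ("false",)
        for (a, b), v in zip(product((0, 1), repeat=2), bits):
            if v:
                e = ("OR", e, ("AND", ref("a") if a else ("NOT", ref("a")),
                                      ref("b") if b else ("NOT", ref("b"))))
        if not mismatches(cradder(e)):
            fixes.append(bits)
    return fixes
```

With the fault in place only the low sum bit deviates, on every input vector; the one function of HADDER's own inputs that repairs all three outputs is XOR, which matches Table 1's solutions that rewrite HADDER.sum.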
3.3 Program Commands
After AC has been started the following message comes up
CircuitRectifier Vb build on Fri Dec  	

 
Dirk W Hoffmann Copyright  University of Karlsruhe
Type  for help
Rectifier
This is the text interface of AC A graphical user interface is currently under
development Entering  at the command prompt brings up a summary of all
available commands for driving the equivalence checker and rectication engine























Purpose Loads the specied implementation circuit from disc The in






Purpose Selects a signal in the implementation circuit that is going to












Purpose Shows detailed information about the currently loaded circuits
This function has been implemented for debugging purposes




Purpose This command calls the core algorithms of AC First the
selected output signals in the specication and implementation
circuit are checked for equivalence If equivalence does not
hold the rectication engine is invoked automatically For a
detailed description of the underlying algorithms see 
Requires Former calls to impfile specfile imppin specpin
set
Parameters ag value
Purpose This command allows to set a ag to the specied value A list
of available ags together with a description of their meaning
is provided in Section 




Purpose Shows the current program conguration Displayed items in
clude name of loaded circuits name of selected signals and






Purpose This command displays the list of computed solutions and al
lows the user to choose a specic circuit x which is then ap
plied to the implementation circuit
Requires Former call to prove
specfile
Parameters name
Purpose Loads the specied specication circuit from disc The input





Purpose Selects a signal in the specication circuit that is going to be
compared with the corresponding signal in the implementation
circuit
Example specpin c




Purpose Prints the description of the implementation circuit
Requires Implementation circuit has already been loaded
viewsol
Parameters none
Purpose Prints the rectied implementation circuit This command
may only be used after a solution has been selected
Requires Former call to the solutioncommand
viewspec
Parameters none
Purpose Prints the description of the specication circuit




Purpose Writes the rectied implementation circuit back to a le The
le name must be provided as argument
Example writesol carryripplefixed
Requires Some solution must have been selected see solution
command
3.4 Flags
AC provides various ags which inuence the rectication process At the






The current value of the ags can be displayed with the settings command
and changes with the set command see Section 
We now describe all supported ags in detail For each ag possible values
default value and meaning is described
caching
Possible values: on, off
Default value: on
Purpose: This flag enables or disables the global caching mechanism for BDDs. Caching of BDDs is used when traversing the circuit net list and can dramatically decrease computation time. Since caching does not influence the computed results, it should only be switched off for debugging purposes. This flag only influences caching in the rectification engine and does not influence caching performed within the underlying BDD package.
Warning: Disabling the caching mechanism can cause an exponential blow-up in runtime.

tempcaching
Possible values: on, off
Default value: on
Purpose: This flag enables or disables the temporary caching mechanism for BDDs. A temporary cache is used in addition to the global cache in some functions of the rectification engine. This can further decrease computation time considerably. Since caching does not influence the computed results, it should only be switched off for debugging purposes. This flag only influences caching in the rectification algorithm and does not influence caching performed within the underlying BDD package.
Warning: Disabling the caching mechanism can cause an exponential blow-up in runtime.

solution type
Possible values: main inputs, gate inputs, comp inputs
Default value: comp inputs
Purpose: This flag influences the structure of the computed circuit rectifications. To keep modifications small, AC/3 tries to compute solutions that reuse as many signals of the old circuit as possible. The solution type determines the signals that are going to be reused. The user can choose from three possible solution types:
- main inputs: The solution formula is constructed out of external signals only. Thus there is no reuse of any intermediate signal. This solution type should only be chosen if the implementation circuit is a flat design and does not exhibit any hierarchy. It can also be used for debugging purposes, since it excludes the call to the construct algorithm (see [7] for details).
- gate inputs: The solution formula is constructed out of external signals and the immediate input signals to the part of the circuit that is going to be substituted.
- comp inputs: The solution formula is constructed out of external inputs and the input signals of the component where the modification occurs.

precomputation
Possible values: on, off
Default value: off
Purpose: If precomputation is enabled, the rectification algorithm immediately computes a solution whenever a rectifiable subcomponent has been localized. If precomputation is disabled, solution computation is delayed and only performed after a specific solution has been selected with the solution command described in Section 3.3. Precomputation can be switched off for rectifying large designs; this can accelerate the rectification process considerably. However, to estimate the quality of a solution we have to count the number of modifications that have to be applied to the implementation circuit, and this can only be done after the solution formulas have explicitly been computed.

granularity
Possible values: low, medium, high
Default value: low
Purpose: The search granularity determines which parts of the implementation circuit are checked for rectifiability. We distinguish three types of circuit rectifications:
1. rectifications that substitute an output signal of some component,
2. rectifications that substitute an input signal of some component,
3. rectifications that substitute an inner part of a component.
According to the selected search granularity, only rectifications of a specific type are computed. In particular:
- low granularity only computes type 1 rectifications,
- medium granularity computes type 1 and type 2 rectifications,
- high granularity computes all types of solutions.
4 Additional Tools
AC provides two additional tools for





Purpose The statistics tool parses the specied input le and rst per
forms some consistency checks Besides searching missing sig
nal denitions the input circuit is checked for loopfreeness
After checking consistency some statistical information is com
puted ie
  the number of logical connectives
  the number of internal references and
  the input cones 
 the set of external input variables occuring in the denition of the observed signal
	
are determined for each output signal of the main component
Converter from ISCAS format
Usage conv file
Purpose Reads in the specied le in ISCAS
 format and prints it in
the input language of AC to stdout See Section 	 for a
detailed description of the input language The ISCAS
 con
verter allows to get access to a broad range of circuits eg











COPYRIGHT NOTICE LICENSE AND DISCLAIMER
Copyright  University of Karlsruhe TH
Permission to use copy modify and distribute this software
and its documentation for any purpose and without fee is hereby
granted provided that the above copyright notice appears in all
copies and that both the copyright notice and this permission
notice and warranty disclaimer appear in supporting
documentation
Permission to use copy modify and distribute files written by
others must be obtained from the authors of those files
Dirk Hoffmann disclaims all warranties with regard to this
software including all implied warranties of merchantability
and fitness In no event shall Dirk Hoffmann be liable for any
special indirect or consequential damages or any damages
whatsoever resulting from loss of use data or profits whether
in an action of contract negligence or other tortious action
	 D Brand Verication of Large Synthesized Designs In IEEEACM Inter
national Conference on Computer Aided Design 	ICCAD
 pages  
Santa Clara California November 	

 ACMIEEE IEEE Computer So
ciety Press
 RK Brayton GD Hachtel CT McMullen and AL Sangiovanni
Vincentelli Logic Minimization Algorithms for VLSI Synthesis The Kluwer
International Series in Engineering and Computer Science Kluwer Acad
emic Publishers 	

 F Brglez and H Fujiwara A neutral netlist of 	 combinatorial bench
mark circuits and a target translator in FORTRAN In Int Symposium
on Circuits and Systems Special Session on ATPG and Fault Simulation
	

 RE Bryant GraphBased Algorithms for Boolean Function Manipulation
IEEE Transactions on Computers C 
	 August 	

 RE Bryant Symbolic boolean manipulation with ordered binary decision
diagrams ACM Computing Surveys 
 	 September 	


 A Gupta Formal Hardware Verication Methods A Survey Journal of
Formal Methods in System Design 			  	


 D W Homann and T Kropf Using BDDbased decomposition for au
tomatic error correction of combinatorial circuits Technical Report 






 Alan J Hu Formal hardware verication with BDDs An introduction In
IEEE Pacic Rim Conference on Communications Computers and Signal
Processing 	PACRIM




 SM Reddy W Kunz and DK Pradhan Novel Verication Framework
Combining Structural and OBDD Methods in a Synthesis Environment In
ACMIEEE Design Automation Conference pages 	 	
 	


	
