Approximate reachability techniques trade off accuracy for the capacity to deal with bigger designs. Cho et al [4] proposed partitioning the set of state bits into mutually disjoint subsets and doing symbolic forward reachability on the individual subsets to obtain an overapproximation of the reachable state set. Recently [7] this was improved upon by dividing the set of state bits into various subsets that could possibly overlap, and doing symbolic reachability over the overlapping subsets. In this paper, we further improve on this scheme by augmenting the set of state variables with auxiliary state variables. These auxiliary state variables are added to capture some important internal conditions in the combinational logic. Approximate symbolic forward reachability on overlapping subsets of this augmented set of state variables yields much tighter approximations than earlier methods.
Introduction
Binary Decision Diagrams (BDDs) [2] have enabled formal verification to tackle larger hardware designs than before. Using BDDs to represent sets of states has enabled symbolic forward reachability techniques to enumerate the state space of bigger designs. However for many large design examples, even the most sophisticated BDD-based verification methods cannot produce exact results because of BDD-size blowup. Hence, we settle for approximate reachability.
An overapproximation (i.e. superset) of the reachable states can still be very useful. If an assertion holds for the approximate reachable states, it is guaranteed to hold in the exact reachable set. It can also be used to simplify symbolic model checking efforts, by preventing [8] the model checking algorithms from exploring unreachable states. Further, the approximate reachable set provides don't cares that can be used in synthesis.
This work was supported by DARPA contracts DABT63-94-C-0054 and DABT63-96-C-0097.
DAC 99, New Orleans, Louisiana. 1999 ACM.
Comparison with Related Work
Various approaches to approximate reachability and verification using BDDs have preceded this work. Cho et al [4, 5] proposed approximate algorithms to do symbolic forward reachability. Their basic idea was to partition the set of state bits into mutually disjoint subsets, and then do a symbolic forward propagation on each individual subset. This was further generalized [7] by allowing for overlapping projections. In this scheme, the set of state bits was divided into various subsets that could overlap.
This paper further generalizes and improves on existing approximate symbolic reachability schemes, by augmenting the set of state variables with some auxiliary state variables. An auxiliary variable is an internal state component that is added to the implementation without affecting the externally visible behavior. These extra state variables typically represent important internal abstractions used by designers.
The idea of augmenting a legal implementation with some extra state components, in a way that places no constraints on the behavior of the implementation, is not entirely new. Abadi and Lamport [1] introduced a special class of auxiliary variables, history and prophecy variables, to broaden the applicability of refinement mapping techniques. We propose using auxiliary state variables to broaden the applicability of approximate reachability techniques.
Consider the simple design shown in figure 1. The design has 96 state variables, denoted by (x_1, ..., x_96). The Equality Detector checks whether the two input bit vectors are identical and passes its output to the control state machine. Exact reachability would require computing images over the variables (x_1, ..., x_96).
Let w = (w_1, ..., w_p) be a collection of not necessarily disjoint subsets of x. We define the operator α_j(R), which projects a BDD R(x) onto the variables in w_j. Let z consist of all of the Boolean variables in x that are not in w_j. We can define α_j as α_j(R(z, w_j)) = ∃z. R(z, w_j).
The projection operator α projects a BDD R(x) onto the various w_j's, and the concretization operator γ conjoins the collection of projections.
The key operation is the approximate image computation: given an implicit conjunction of BDDs R : (R_1, ..., R_p), compute a list S : (S_1, ..., S_p) whose implicit conjunction is the set of states that can be approximately reached in one step using the next state functions n. More formally, S = α(Img(γ(R), n(x, y))). An efficient algorithm to compute S was proposed in DAC98 [7], which we also use here.
Starting from the initial state q_0 and repeatedly computing approximate images until we reach a fixed point gives an overapproximation of the reachable state set. A more formal treatment was given in DAC98 [7]. (Even though we have a single initial state, the method can be applied to any arbitrary choice of initial states.) We make use of auxiliary variables by converting them to state variables. A next state function is assigned to each of them as in the following example. A typical hardware design, as shown in figure 2, has a set of state holding elements ((x_1, x_2, x_3) in figure 2) and some combinational logic. Each state variable has an associated next state function logic ((n_1, n_2, n_3) in figure 2). Let a be some internal wire in the design, and let a = g(x) be the function that determines the value of a. If we let the subscript denote the time stamp, we have a_t = g(x_t) and a_{t+1} = g(x_{t+1}).
Using x_{t+1} = n(x_t, y_t), we get a_{t+1} = g(n(x_t, y_t)), which is the required next state function for the auxiliary state variable a. This transformation is shown in figure 3. Note that we would not have been able to do the transformation above if g involved some input variables in its support. If a = g(x, y) (where y is the input bits), then a_{t+1} = g(x_{t+1}, y_{t+1}), and we cannot represent the inputs in the next cycle, y_{t+1}, in terms of x_t and y_t.
We conjecture this limitation can be circumvented by including the inputs as part of the state (as in a Kripke structure). We never used this for any of our results here, but the Mealy machine M = (x, y, q_0, n) can be transformed to another Mealy machine M' = (x', y', q'_0, n'), where x' = x ∪ y and the initial condition q'_0 = q_0. The y' component is a set with a primed version for each variable in y. The next state function for the x state variables remains the same, but for the y variables, their next state function is the corresponding input variable from y'. Assuming a totally unconstrained input environment, the machines M and M' allow the same externally visible behaviors and hence have the same set of reachable states (projected onto the x variables). However, M' allows us more flexibility in choosing auxiliary state variables.
Our scheme for choosing which internal abstractions to convert to auxiliary state variables is presently manual, and relies on being able to inspect the RTL source. We believe that it helps to look at the RTL source, because designers often create internal abstractions themselves while coding up their design in a hardware description language (such as Verilog). Hence we can leverage this high level information directly by inspecting the RTL description. First, we find the FSMs by inspecting the Verilog source. The next state transition for every FSM was typically encoded as part of an always block in the Verilog source. By inspecting the always block it is possible to extract the internal wires that affect the next state transition of each FSM, and if those internal wires in turn depend on many state variables, they are chosen as auxiliary state variables.
However the gate level descriptions of circuits like the ISCAS 89 benchmark circuits are devoid of any high level information.
For such circuits, we look for internal wires which have a high fanin and high fanout, and are at the same time solely determined by the state variables in the design (i.e. their fanin cones involve only state variables). The intuition behind our heuristic is that such high fanin internal wires carry some information about the large number of state variables in their fanin cone. Hence including these wires as auxiliary state variables in other subsets of w allows us to capture some correlation between the state variables in the other subsets and the large number of state variables in the fanin cone of the internal wire.
Experiments
The method was evaluated on a collection of control circuits from the MAGIC chip, a custom node controller ASIC in the Stanford FLASH Multiprocessor [9]. The circuits are control intensive, and the state bits do not include data path bits (see Table 2). We were unable to find the exact reachable set for any of these control modules. The experimental implementation of the method was in LISP, calling David Long's BDD package (implemented in C) via the foreign function interface. Our approximate algorithm returns a superset of the reachable states. To quantify the size of the superset, we compute the satisfying fraction of the superset. (Please refer to the appendix for the algorithm that was used to compute an upper bound on the satisfying fraction.) Since projection induces an overapproximation, a smaller satisfying fraction indicates better results.
We compare our results with the earlier reported numbers obtained with overlapping projections of the usual state variables alone. The same variable ordering was used for both schemes. The maximum number of nodes for each experiment is preset at Node Limit, and we try to get the best results using the two schemes (overlapping projections of the usual state variables alone versus overlapping projections of the augmented set of state variables). Node Count keeps track of the largest number of nodes that existed at one time during the experiment. The Time column lists the CPU time (in seconds) needed to reach the fixed point on a MIPS R4300 with 768MB of RAM. Sat-fr records the size of the approximate reachable state set (a superset) in terms of satisfying fraction. The last column, under the heading Relative, is the ratio between the satisfying fraction obtained using the usual state variables alone and the satisfying fraction obtained on adding auxiliary variables. Thus, larger figures in the Relative column indicate better results with auxiliary variables.
The results in Table 2 show that the use of overlapping subsets over the augmented set of state variables is very effective at improving over-approximations of the reachable state set. The improvement is at the expense of some increase in the BDD node count. However, it would not be possible to obtain such a tight approximation using overlapping subsets over the usual state variables alone, since that would require prohibitively large subsets, resulting in BDD blowup problems.
ISCAS Benchmarks
We have also tried our algorithm on the larger circuits from the ISCAS 89 benchmark suite. We use the partitions used by Cho et al [4] to identify the FSMs in the design. To these partitions, small overlaps were added to report the numbers in DAC98 [7] to show the potential of approximate reachability on overlapping subsets of the usual state variables. Here, we further add some auxiliary state variables to some of the overlapping subsets, and compare with the recently reported results in [7]. Table 3 gives a brief description of the size of the various benchmark circuits used in this work. (We omit s1238 because it is a small circuit amenable to exact traversal. We are unable to report comparative figures for s35932 because we could not procure the partitions used by Cho et al for s35932.) We tried our new algorithm on s1423, but unfortunately could not improve on the results reported in [7]. (We suspect it is because s1423 has a highly interconnected STG. Some high level insight into the design, which ISCAS benchmark circuits are devoid of, could better guide the choice of auxiliary variables.) However, for s13207, s15850 and s38584, we report improvement by at least an order of magnitude. Given the large number of state variables in these circuits, and that we allow for overlaps among the various subsets, it is very difficult to compute the size of the approximate reachable set. The numbers in Table 4 under the Sat Fr column for Auxiliary Variables are upper bounds on the size of the reachable set. (Please refer to the appendix for the algorithm used to compute an upper bound on the size of the approximate reachable set.) We believe that the true size of the approximate reachable set using auxiliary state variables is much smaller than what we report here.
Note that we use the TMBM algorithm [4] for these benchmarks. TMBM starts off as TFBF [4] and then switches to MBM [4] after a few iterations. The Iter column in Table 4 lists the number of iterations of TFBF plus the number of iterations in the outer greatest fixpoint of MBM.
Conclusions
Our experiments show that a few appropriately chosen internal conditions added as auxiliary variables can substantially improve the quality of the overapproximation. We need to look at automatic methods to choose the collection of subsets for gate level descriptions.
Appendix
Given S : (S_1, ..., S_p), corresponding to the collection of possibly overlapping subsets w : (w_1, ..., w_p), we want to compute the sat-fr of γ(S). Let a : (a_1, ..., a_m) be the set of auxiliary state variables. Corresponding to each auxiliary state variable a_i, let g_i(x) be the Boolean function (represented as a BDD) which determines the value of the auxiliary state variable a_i at time t as a function of the value of the usual state variables at time t. Our algorithm substitutes the function g_i for every instance of a_i in the elements of the list S. At this point S has only the usual state variables in its support. The algorithm then explicitly computes γ(S) and finds its satisfying fraction.
for j = 1 up to p by 1 do
    for i = 1 up to m by 1 do
        Substitute g_i for every instance of a_i in S_j
    endfor
endfor
Compute final_bdd = ∧_{j=1}^{p} S_j
return sat-fr(final_bdd)
For the larger ISCAS 89 benchmark circuits it is not feasible to explicitly compute final_bdd = γ(S).
Hence we use the conservative algorithm given in [7] and normalize the result to compensate for the increase in the number of state variables. (If m is the number of auxiliary state variables added, we multiply the result obtained from the algorithm in [7] by 2^m to obtain an upper bound on the satisfying fraction for the reachable states over the usual state variables alone.) An alternative method, Monte Carlo simulation, appears to be ineffective because of the extreme sparsity of the state space covered by γ(S).
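The following Python example is added here and is not the paper's LISP implementation; it uses explicit sets of bit vectors in place of BDDs. It works through, on a constructed toy design, the projection α_j and concretization γ of the method section, the fixed-point iteration of approximate images, the auxiliary variable next state function g(n(x)) of figure 3, and the appendix substitution of g_i for a_i when computing the satisfying fraction. The design, its subsets and all identifiers are assumptions of the example.

```python
from itertools import product

# Constructed toy design, not from the paper: two 2-bit counters p and q advance every
# cycle; control bit c records whether p == q.  Sets of bit vectors stand in for BDDs.
VARS = ["p0", "p1", "q0", "q1", "c"]
INIT = {"p0": 0, "p1": 0, "q0": 0, "q1": 0, "c": 0}

def equal(s):                  # g(x): the internal "p == q" wire, a function of state only
    return int(s["p0"] == s["q0"] and s["p1"] == s["q1"])

def next_state(s):             # n(x): next state of the usual state variables
    p, q = (s["p0"] + 2 * s["p1"] + 1) % 4, (s["q0"] + 2 * s["q1"] + 1) % 4
    return {"p0": p & 1, "p1": p >> 1, "q0": q & 1, "q1": q >> 1, "c": equal(s)}

def augmented_next(s):         # auxiliary variable a gets the next state function g(n(x))
    t = next_state(s)
    t["a"] = equal(t)
    return t

def project(states, w):        # alpha_j: keep only the variables of subset w_j
    return {tuple(s[v] for v in w) for s in states}

def concretize(S, W, var_list):   # gamma: every assignment consistent with all projections
    return [s for s in (dict(zip(var_list, b)) for b in product((0, 1), repeat=len(var_list)))
            if all(tuple(s[v] for v in w) in Sj for w, Sj in zip(W, S))]

def approx_reach(init, W, var_list, nxt):  # S := S union alpha(Img(gamma(S))) to a fixed point
    S = [project([init], w) for w in W]
    while True:
        T = [project([nxt(s) for s in concretize(S, W, var_list)], w) for w in W]
        if all(Tj <= Sj for Tj, Sj in zip(T, S)):
            return S
        S = [Sj | Tj for Sj, Tj in zip(S, T)]

def sat_fraction(S, W, aux=()):   # appendix: substitute g_i for a_i, then count gamma(S)
    hits = 0
    for b in product((0, 1), repeat=len(VARS)):
        s = dict(zip(VARS, b))
        for name, g in aux:        # the auxiliary variable is a function of the usual ones
            s[name] = g(s)
        hits += all(tuple(s[v] for v in w) in Sj for w, Sj in zip(W, S))
    return hits / 2 ** len(VARS)

def compare():                 # satisfying fraction without and with the auxiliary variable
    W_plain = [["p0", "p1"], ["q0", "q1"], ["c"]]
    W_aux = [["p0", "p1", "a"], ["q0", "q1", "a"], ["c", "a"]]
    plain = approx_reach(INIT, W_plain, VARS, next_state)
    aug = approx_reach(dict(INIT, a=equal(INIT)), W_aux, VARS + ["a"], augmented_next)
    return sat_fraction(plain, W_plain), sat_fraction(aug, W_aux, [("a", equal)])
```

With the usual state variables alone the three subsets reach a satisfying fraction of 1.0 (all 32 states), whereas the subsets augmented with a = (p == q) give 0.625; the exact reachable set of this toy design, enumerated by hand, has 5 of the 32 states.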
