ABSTRACT
INTRODUCTION
Due to the increase in the complexity of design automation tools and the circuits they manipulate, such tools cannot in general be assumed to be correct. Instead of attempting to formally verify the design automation tools, a more practical approach is to formally check that a circuit generated by a design automation tool functionally corresponds to the original input. This paper presents a technique for formally verifying that two hierarchical combinational circuits implement the same Boolean functions. The presented technique can also be used to check manual modifications of a circuit to ensure that the designer has not introduced errors. Furthermore, the technique can be used to solve sub-problems of other (higher-level) verification problems, for example, verifying arithmetic circuits by checking that they satisfy a given recurrence equation [6] or verifying the equivalence of two state machines without performing a state traversal [16].

In this paper we use a hierarchical model of combinational circuits. Based on this model, we show how to propagate a cut through two circuits from the inputs to the outputs. The key new feature of the method is its ability to reuse previously calculated results in the verification. Consider the 4-bit adder in Figure 1. The description consists of two cells: a full-adder cell, fa, and a 4-bit adder cell, 4bitadder, containing four instantiations of the full-adder cell and a description of how they are interconnected. The traditional way of verifying hierarchical combinational circuits is to flatten them into a single block of combinational logic on which the verification is performed. In the case of complex circuits, this method is not feasible. Our method attempts to work on one cell, and then reuse information about this cell whenever possible.
The 4-bit adder circuit described above corresponds to the top circuit in Figure 2. The bottom circuit in the figure is also a 4-bit adder, but with two instantiations of two different full-adder cells which negate either the inputs or the outputs.
Our method compares the full-adder from the top circuit with each of the two different full-adders in the bottom circuit and combines the results to prove that the two circuits are indeed identical (except for some negated inputs and outputs). The method is automatic as it requires no human interaction during the verification process. If the adders in Figure 2 were larger, our method would still only consider two comparisons between full-adders. The rest of the verification would reuse the comparisons to prove the equivalence.

0-7803-5682-9/99/$10.00 ©1999 IEEE.

described by a relation between the inputs and the outputs of the cell. Using a sweep strategy, they move either forwards or backwards through the circuits calculating the relations between the circuits along a cut.
Related Work
Another approach is a structural method which exploits similarities between the two circuits that are compared by identifying related nodes in the circuits and using this information to simplify the verification problem (' 2, 121. Such techniques rely on the observation that if two circuits are structurally similar, they will have a large number of internal nodes that are functionally equivalent. Eijk and Janssen [17] [14] , introducing more general learning methods based on OBDDs and better heuristics for finding cuts in the circuits to split the verification problem into more manageable sizes.
The main differences between all the methods above and our proposed method are that they use a flat circuit description while we use a hierarchical one, and they cannot reuse previously calculated results. For example, Figure 1 describes an HCC (C, c), where C = {fa, 4bitadder} and c = 4bitadder.
HIERARCHICAL COMBINATIONAL CIRCUITS

Definition 2 (Cell)
A cell c has the following attributes: Container cells have the Inst attribute while logic cells have the Fct attribute. In the 4-bit adder circuit in Figure 1 there are two cells; the full-adder cell, fa, and the 4-bit adder cell, 4bitadder. Vars(fa) is the set $\{x_0, x_1, x_2, u_0, u_1\}$.
In ( 
Definition 3 (Instantiation)
An instantiation i of a cell c has the following attributes: The instantiation i must further fulfil the requirements:
The topmost instantiation of a full-adder cell in the 4-
The outputs of a hierarchical combinational circuit are determined by the inputs. In the case of the 4-bit adder, the outputs are the sum of two 4-bit numbers on the inputs. We use a relation Rel(c) to capture this relation between the inputs and the outputs of a cell c. For a logic cell, Rel is determined by the logic of the gates (the Fct attribute):
(We use characteristic functions to represent relations.) The subscript k indicates the kth element in a list. For example, Rel(fa) is the relation:
For container cells, Rel is determined as:
$i \in \mathit{Inst}(c)$
where V is the set of variables which are neither inputs nor outputs, i.e., $V = \mathit{Vars}(c) \setminus (\mathit{In}(c) \cup \mathit{Out}(c))$, and [ M q ] is a renaming of In(cell(i)) and Out(cell(i)) variables to in(i) and out(i) variables, respectively. The notation $\exists V$ for $V = \{v_1, v_2, \ldots, v_k\}$ is shorthand for $\exists v_1. \exists v_2. \cdots . \exists v_k$. For an HCC (C, c), the relation over the primary inputs and the primary outputs is Rel(c).
We now define a path and a cut in a cell.
Definition 4 (Path)
For a container cell c, a path $p = (p_1, \ldots, p_n)$ is a sequence of variables from Vars(c) such that for all k, $1 \le k < n$, there exists an in-
A cut-relation over the input cuts of the two circuits in Figure 2 could be:
(cell($i_1$)), In(cell($i_2$)), Out(cell($i_1$)), and Out(cell($i_2$)) variables, respectively.
Definition 5 (Cut)
A( s i @ ti) A r\ (si H -ti), (1) i=O,1
CUT PROPAGATION
Given two hierarchical combinational circuits HCC$_1$ $(C_1, c_1)$ and HCC$_2$ $(C_2, c_2)$, and an input relation $H_{in}$, the verification problem we consider is to determine whether the outputs satisfy a desired relation $H_{out}$. Typically, $H_{in}$ and $H_{out}$ would represent "the circuits have identical inputs and outputs."
The verification algorithm works by propagating a cut-relation from the inputs to the outputs. Let $H_0$ be the input relation $H_{in}$, a cut-relation between the input cuts of $c_1$ and $c_2$. We move their cut-relation past instantiations of cells in $c_1$ and $c_2$ (assuming that $c_1$ and $c_2$ are container cells). In each step we calculate a new cut-relation, $H_{k+1}$, based on the previous one, $H_k$. When the cut-relation has reached the outputs, the resulting cut-relation, $H_n$, relates the outputs of $c_1$ to the outputs of $c_2$. If $H_n$ is a subset of $H_{out}$, $H_n \subseteq H_{out}$, the circuits have the desired output relation.
Example
Before describing the algorithm in detail, we give an example to illustrate the basic ideas. Consider again the two different implementations of 4-bit adders in Figure 2. The 4-bit adders are described using s and t variables, respectively. The full-adders in the top circuit are described using x (input) and u (output) variables, while the full-adders in the bottom circuit use v and w variables. The H's represent the cut-relations and the vertical lines indicate the cuts. Assume $H_0$ in Figure 2 is given by (1). We decide to move the cuts from the inputs to the outputs one full-adder at a time and to move the cuts in the two circuits simultaneously. First we calculate the input relation $R_{in,1}$ between the leftmost full-adder cell in each of the two circuits using (2):

$R_{in,1} = (x_0 \Leftrightarrow v_0) \wedge (x_1 \Leftrightarrow v_1) \wedge (x_2 \Leftrightarrow v_2)$. (3)

Notice the use of cell variables x and v and not instantiation variables s and t, which is important in order to recognize this situation in the future.
Given $R_{in,1}$ and the input/output relation Rel for the two full-adders, we can determine the relation between the outputs (we will show later how to do this):

$R_{out,1} = (u_0 \Leftrightarrow \neg w_0) \wedge (u_1 \Leftrightarrow \neg w_1)$. (4)
We move the cuts and determine the new cut-relation $H_1$ based on $R_{out,1}$ (again, we will show later how to do this): $\bigwedge_{i=3,4,7,8,9,10} (s_i \Leftrightarrow \neg t_i)$.
In a similar way we propagate the cuts one step further getting $H_2$:
In the third step, we start by finding the input relation $R_{in,3}$: $R_{in,3} = (x_0 \Leftrightarrow v_0) \wedge (x_1 \Leftrightarrow v_1) \wedge (x_2 \Leftrightarrow v_2)$. This is identical to the relation $R_{in,1}$ from the first step. The full-adders in the third step are also identical to the full-adders in the first step, and thus we can immediately reuse the output relation $R_{out,1}$ instead of calculating $R_{out,3}$. We update the $H_2$ relation using $R_{out,1}$ and obtain $H_3$:
Similarly in the fourth step the input relation is found to be identical to that of the second step and the full-adders in the second and the fourth step are identical. We update the relation $H_3$ and get the final output relation $H_4$:
We observe that the sum-bits of the first and third pair of adders have opposite values while the sum-bits of the second and fourth pair of adders are pairwise equivalent.
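The reuse in this example can be reproduced directly. The following Python code is an added example, not code from the paper: it replaces OBDDs with truth-table enumeration and restricts relations to "equal or negated" per variable pair, and the cell names `fa_negout` and `fa_negin`, the helper names, and the choice of which stages have negated operands are assumptions made for the illustration.

```python
from itertools import product

# Constructed cells (assumed for this example): (cin, a, b) -> (sum, cout).
def fa(c, a, b):
    return (a ^ b ^ c, (a & b) | (c & (a ^ b)))

def fa_negout(c, a, b):              # full-adder with both outputs negated
    s, co = fa(c, a, b)
    return (1 - s, 1 - co)

def fa_negin(c, a, b):               # full-adder with all inputs negated
    return fa(1 - c, 1 - a, 1 - b)

def output_relation(cell1, cell2, r_in):
    """r_in[k] is True when input k of cell2 is the negation of input k of
    cell1, False when they are equal. Returns the same encoding for outputs."""
    r_out = None
    for x in product((0, 1), repeat=len(r_in)):
        v = tuple(bit ^ neg for bit, neg in zip(x, r_in))
        rel = tuple(p != q for p, q in zip(cell1(*x), cell2(*v)))
        if r_out is None:
            r_out = rel
        elif rel != r_out:
            raise ValueError("outputs are not related bit by bit")
    return r_out

def propagate(cell1, cell2, r_in, cache):
    """Move the cut past one pair of cells, reusing a memorized result."""
    key = (cell1, cell2, r_in)
    if key not in cache:
        cache[key] = output_relation(cell1, cell2, r_in)
    return cache[key]

def verify_ripple_adders(n):
    """Top circuit: n copies of fa. Bottom: fa_negout, fa_negin alternating,
    with the operand bits of every second stage negated at the inputs."""
    cache, sum_negated, carry_neg = {}, [], False
    for stage in range(n):
        odd = stage % 2 == 1
        bottom = fa_negin if odd else fa_negout
        sum_neg, carry_neg = propagate(fa, bottom, (carry_neg, odd, odd), cache)
        sum_negated.append(sum_neg)
    return sum_negated, carry_neg, len(cache)

if __name__ == "__main__":
    print(verify_ripple_adders(4))
```

The third returned value counts the cell pairs that were actually evaluated; it stays at two however many stages the adders have, because every later step finds its input relation in the cache.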
Moving Cuts
We distinguish between two ways of moving cuts: Build and Propagate. Build determines the input/output relation Rel for a cell c and uses it to calculate the new cut-relation by moving the cut past an instantiation of cell c. Propagate moves cuts past two cells simultaneously by calculating the input relation $R_{in}$ between the inputs of the two cells and from that calculating the output relation $R_{out}$ for the same pair of cells. In the example above we only used Propagate.

considers two cell instantiations at a time; one in each circuit. Propagate takes five arguments: two instantiations $i_1$ and $i_2$, two cuts $K_1$ and $K_2$, and a cut-relation H over the cuts. The result is a new cut-relation and two new cuts. It is assumed that the input variables of the cell instantiations $i_1$ and $i_2$ belong to the cuts $K_1$ and $K_2$, respectively.
In line 1 Propagate calculates, using (2), the input relation $R_{in}$ between $i_1$ and $i_2$ based on the cut-relation
In the example, we calculated (4) in line 6 and we calculated the updated cut-relation $H_1$ (5) in line 10.
Build vs. Propagate
Build works by constructing a representation of the input/output relation for a cell which is used to update the cut-relation H. Such a relation captures the functionality of the cell. Using Build on the top cell corresponds to the standard verification method of building the OBDD for the entire circuit. While this works well for smaller circuits, the OBDDs tend to become quite large for more complex circuits.
Propagate works by moving a relation between input variables of two cells to a relation between output variables of the same two cells. In case of container cells, Propagate moves the cuts one step at a time past instantiations of cells in the container cells. It avoids constructing an OBDD for the functionality of a cell as long as possible. For logic cells it is necessary to construct such an OBDD. However, this OBDD represents only the functionality of a part of the circuit, not the whole circuit, and it is therefore more manageable.
The use of Propagate may cause loss of information since it requires construction of the input relation $R_{in}$ between the cell inputs. Consider the two equivalent circuits in Figure 3. The input cut for the top circuit is $K_1 = \{s_0, s_1\}$ and for the bottom circuit it is $K_2 = \{t_0, t_1\}$. Let $H_0$ be the cut-relation (so # to) A (si . 3 t~) when calling Propagate. We want to move the cuts past the negation cells.
EXPERIMENTAL RESULTS
To test the proposed method, we have implemented it using OBDDs to represent the characteristic functions of relations. The canonicity allows us to recognize memorized results (line 2 in algorithm 3) in constant time.
We have built hierarchical adder and multiplier circuits of different sizes. Each n-bit adder consists of two n/2-bit adders. We built one series of adders using the full-adder cells from Figure 1, and another series of adders using two different types of full-adder cells: one full-adder outputting a negated carry-out, and one receiving a negated carry-in signal. The verification task is to verify that given identical inputs, the adders from the two series have identical outputs. The left part of Table 1 shows the runtimes for this experiment. The strategy for moving cuts was to use Propagate whenever H can be written as in (6), otherwise we use Build. Because of the reuse of previously calculated results, we only apply Propagate a number of times proportional to $\log_2(n)$ for n-bit adders.
Using standard OBDD techniques, it is possible to get results comparable to those in Table 1 for the verification of adders since the addition function has a small OBDD representation (when using an appropriate variable order). However, OBDDs are very sensitive to the chosen variable ordering, and using a bad variable order results in OBDDs of size exponential in n, making it infeasible to build the OBDDs for the adders. Our proposed method is not sensitive to the variable ordering of the adders as we never build OBDDs representing the functionality of the circuits. We tested the sensitivity to errors of the cut-propagation method by introducing errors into the adders by switching wires around close to the leaves and close to the root in the hierarchy - errors typically arising if wrong parameter lists are given in the circuit descriptions. None of the modifications cause the runtimes to increase significantly.
While adders are easy to handle using OBDDs, multipliers are notoriously difficult. We construct multipliers as series of adders and shifters. From the two different types of adders in the previous experiment, we create two different types of multipliers. The verification task is to verify the pairwise equivalence of outputs given the pairwise equivalence of inputs. One complication is that the outputs of a multiplier are not unrelated. For example, it is not possible for all outputs to be 1 simultaneously. When calculating the cut-relations, such restrictions are included in the relations. This means that the cut-relations contain more information than we need. Repeated use of Propagate, even when the cut-relation cannot be written as in (6) and thus Propagate causes loss of information, turns out to be exactly what is needed to "forget" this extra information. The right part of Table 1 shows the results from running the multiplier experiments.
CONCLUSION
We have presented a method based on cut-propagation for obtaining a relation between the outputs of two hierarchically specified combinational circuits. The key new feature of the method is its ability to exploit the hierarchy in the circuit description to reuse previously calculated results in the verification. We have demonstrated the power of the method by verifying large adders and multipliers.
