Towards a verification technique for large synchronous circuits by Gopalakrishnan, Ganesh & Jain, Prabhat
Towards A Verification Technique for Large Synchronous Circuits
P R A B H A T  JA IN 1 
P R A B H A K A R  KU D VA 
GANESH G O P A LA K R IS H N A N 2
UUCS-92-012
Department of Computer Science ' 
University of Utah 
Salt Lake City, U T  84112, USA 
March 30, 1992
Abstract
We present a symbolic simulation based verification approach which can be applied to large synchronous 
circuits. A  new technique to encode the state and input constraints as parametric Boolean expressions over 
the state and input variables is used to make our symbolic simulation based verification approach efficient. 
The constraints which are encoded through parametric Boolean expressions can involve the Boolean con­
nectives (■, + ,  —>), the relational operators (< , < ,  > ,  > ,  = ), and logical connectives (A, V ). This technique 
of using parametric Boolean expressions vastly reduces the number o f symbolic simulation vectors and the 
time for verification, thus making our verification approach applicable to large synchronous circuits. Our 
verification approach can also be applied for efficient modular verification o f large designs; the technique 
used is to verify each constituent sub-module separately, however in the context o f the overall design. Since 
regular arrays are part o f many large designs, we have developed an approach for the verification o f regular 
arrays which combines formal verification at the high level and symbolic simulation at the low level(e.g., 
switch-level). We show the verification o f a circuit called Minmax, a pipelined cache memory system, and an 
LRU array implementation o f the least recently used block replacement policy, to illustrate our verification 
approach. The experimental results are obtained using the COSMOS symbolic simulator.
'Supported in part by the University o f Utah Graduate Research Fellowship
2Supported in part by NSF Award MIP-8902558
Form al Aspects o f  V L S I  Research G roup  
University o f  Utah, D epartm en t o f  C om puter Science
Towards A  Verification Technique for Large Synchronous Circuits
P R A B H A T  JAIN*
P R A B H A K A R  KUD VA 
GANESH G O PA LA K R IS H N A N *
U niversity  o f  Utah 
Dept, o f  C om puter Science  
Salt Lake City, Utah 84112
(jain@cs.utah.edu) 
(pk u d va @cs. u tail. ed u) 
(gan esh @ bliss .utah.edu)
K eyw o rd s : Symbolic Simulation, Formal Verification of VLSI, Regular Array Verification, Input Constraints, Circuit 
State Constraints, Parametric Boolean Expressions, Pipelined Cache Memory
A b s tra c t. We present a symbolic s im u la tion  based verifica tion  approach which can be applied to large synchronous 
circu its . A  new technique to encode the state and input constraints as parametric Boolean expressions over the state 
and input variables is used to make ou r symbolic s im u la tion  based verifica tion  approach effic ien t. The constraints 
which are encoded through param etric Boolean expressions can involve the Boolean connectives the relational
operators (< ,  < , > , > , —),  and logical connectives (A ,V ) .  This technique o f  using param etric Boolean expressions 
vastly reduces the number o f  symbolic s im u la tion  vectors and the tim e fo r  verifica tion , thus making ou r verifica tion  
approach applicable to large synchronous circu its . O ur verifica tion  approach can also be applied f o r  e ffic ien t modular 
verifica tion  o f  large designs; the technique used is to verify each constituen t sub-module separately, however in the 
context o f  the overa ll design. S ince regular arrays are part o f  many large designs, we have developed an approach fo r  
the verifica tion  o f  regular arrays which combines fo rm a l verifica tion  at the high level and symbolic s im u la tion  at the low 
levelfe.g ., sw itch-level). We show the verifica tion  o f  a c ircu it called Minmax, a pipelined cache m em ory system, and an 
L R U  array im p lem en ta tion  o f  the least recently used block replacem ent policy , to illustrate our verifica tion  approach. 
The experim enta l results are obtained using the C O S M O S  symbolic s im ulator.
1 Introduction
Most digital VLS I circuits are checked for correct operation through scalar valued simulation. 
In this approach, scalar bit vectors— vectors over 0 and 1— are used as inputs to the circuit being 
simulated. As most real-world circuits require an impracticably large number of scalar vectors to 
check for all possible execution paths, scalar simulation alone is insufficient to verify a VLSI digital 
circuit.
Several formal verification approaches have been suggested for the verification o f digital VLSI 
circuits. But, current formal hardware verification approaches cannot accurately model low-level 
circuit details (e.g., charge sharing). On the other hand, formal verification at the high level can 
provide useful information (e.g., circuit state invariants) for efficient symbolic simulation at the low
‘ supported in part by the University of Utah Graduate Research Fellowship, 
f  Supported in part by NSF Award MIP-8902558.
TOWARDS A VERIFICATION TECHNIQUE FOR LARGE SYNCHRONOUS CIRCUITS 2
level, in addition to its other advantages. Since the simulators (e.g., switch-level) can model low-level 
circuit details accurately, an approach combining the capabilities of formal verification at the high 
level and symbolic simulation at the low-level can derive the advantages of both the approaches.
Bryant has proposed symbolic switch-level simulation for formal hardware verification [3]. In [3, 1], 
it is shown that a symbolic simulator can be used to verify (check for all possible execution paths) 
many non-trivial circuits. His verification approach has been applied to verify a static RAM , data 
paths, and pipelined circuits [4, 5, 6]. Our verification approach for datapath and control circuits is 
based on a simple hardware specification formalism called HOP [8], a parallel composition algorithm 
called PARCOM P, and a switch-level simulator(COSMOS). In the past, we have studied the problem 
of generating minimally instantiated symbolic simulation vectors for non-regular designs, and also 
developed techniques to integrate the formal verification phase with the symbolic simulation phase. 
The combination of formal verification at the high-level and symbolic simulation based verification at 
the low-level has been proposed in [10, 13]. We have obtained encouraging results in this regard [10, 
12, 11].
In order to reduce the symbolic simulation effort, a new technique to encode the state and input 
constraints as parametric Boolean expressions on the state and input variables is incorporated in 
our verification approach. This technique of using parametric Boolean expressions vastly reduces the 
number o f symbolic simulation vectors and the time for verification, and thus makes our verification 
approach applicable to large synchronous circuits. Parametric forms have also been used in [2, 7] for 
the verification of finite state machines.
Our verification approach can be applied for efficient modular verification of large designs. Para­
metric Boolean expressions can be used to encode the input and state constraints of the sub-modules 
o f the design. Each sub-module is individually verified. When verifying a sub-module, it is assumed 
that its context operates correctly, and so the inputs expected by the sub-module are derived directly 
from the input constraints of the sub-module. (The input constraints o f each sub-module are typi­
cally known to the designer (e.g. a certain internal bus carries only unary values), and can be proved 
to be a consequence o f the design, during high level verification.) The outputs of the sub-module 
being verified are not isolated from its context, and so the sub-module being verified is subject to 
the true electrical loadings.
Since regular arrays are part of many large designs, we have developed an approach for the verifi­
cation of regular arrays which combines formal verification at the high level and symbolic simulation 
at the low level(e.g., switch-level). The verification approach is based on a simple hardware speci­
fication formalism called HOP, a parallel composition algorithm for regular arrays called PC A , and 
a switch-level symbolic simulator(COSMOS). We illustrate our verification approach on the Least 
Recently Used(LRU) page replacement policy implemented as a two-dimensional array o f LRU cells 
in VLSI.
TOWARDS A VERIFICATION TECHNIQUE FOR LARGE SYNCHRONOUS CIRCUITS 3
b l b2 in i in2 in3 in4
0 0 0 0 0 1
0 1 0 0 1 0
1 0 0 1 0 0
1 1 1 0 0 0 .
Parametric Boolean Expressions b l Ab2 b l A -ib2 -■bl Ab2 -■bl A -ib2
Figure 1: Constraints and Parametric Boolean Expressions
1.1 O u tlin e o f  th e P a p e r
In the following section, we present the basic idea o f parametric Boolean expressions and the 
encoding of the state and input constraints as parametric Boolean expressions. In Section 3, 4, and 5 
we present our symbolic simulation based verification approach and the use of parametric Boolean 
expressions through examples. In Section 3, we show the verification of a circuit called Minmax. In 
Section 4, we show the verification of a pipelined cache memory system. In Section 5, we present our 
verification approach for regular arrays with the LRU array verification as an example. In Section 6, 
we summarize the results, report the ongoing effort, and outline the future work.
2 Parametric Boolean Expressions
Every circuit relies on some state and input constraints for its correct operation. The circuit 
is expected to operate correctly when operated under the constraints it is designed for, and may 
malfunction if  its constraints are violated. Thus, a circuit needs to be verified only for the states and 
inputs satisfying the state and input constraints (unless it is required to know the circuit behavior 
under anomalous inputs). For example, a circuit may have an input constraint that exactly one of 
the inputs be 1 or the state constraint (or the state invariant in some cases) that the value in the 
register R\ must be less than or equal to the value in the register R 2, for its correct operation.
The validity of the use of parametric Boolean expressions, encoding the required constraints on 
the state and input variables of the circuit, for symbolic simulation relies on the following property 
o f the symbolic simulator (roughly analogous to the monotonicity property assumed in [3]): suppose 
the circuit in question is simulated with a scalar value i (ground value) that satisfies the required 
constraints, and the simulation results (next-states and outputs) be (s i ,o i ) .  Suppose the same 
circuit is now simulated with the parametric Boolean expressions e on the variables involved in the 
constraints, and the simulation results thus obtained be (52, 02). Then, for the instantiations a such 
that eo =  i, we have (s2<J, o2(?) =  (s i,0 i).
TOWARDS A VERIFICATION TECHNIQUE FOR LARGE SYNCHRONOUS CIRCUITS 4
03 =  Xab ' Vab +  P3
&2 —  %ab ' Vab P2 
d\ =  Xlb • Vab + Pi 
<2(3 —  %ab ' Vab "I-  PO
h  =  ( x a  +  y^b) ■ P3
&2 =  X ab ■ Vab ■ q2 +  X^b ■ P2 '
*^1 —  ®ab ' Ql "I" •Eab ' Vab ' Pi 
bo -  (Xab +  Vab) ■ qo
Figure 2: Parametric Boolean Expressions for A : [ct3, 02, ai, fflo] >  B  :
2 .1  C onstra in ts  on  the S ta te and Inpu t Variab les
To illustrate the technique of generating parametric Boolean expressions for a given constraint on 
the state and input variables, consider a circuit with four inputs in i ,  in2, in3 and in4 and the 
input constraint that exactly one input be 1 at any time for its correct operation. The four valid 
combinations o f values o f the inputs in i ,  in 2 , in3, and in4 are shown in Figure 1. This input 
constraint can be encoded using the two parameter Boolean variables, say, b l and b2 , such that
(in i A ->in2 A ->in3 A iin 4 ) V {^ in l  A in2 A -im3 A - 1inA) V 
A ->in2 A m3 A -im4) V (-u n i A ->in2 A -i«n3 A in4)
=  361 62 .
( ( in i  =  61 A 62) A (ira2 =  61 A ->62) A 
(in3 =  —>61 A 62) A (in4 --- ->61 A -i62))
where T  =  Q means that T  and Q are logically equivalent.
Now, a parametric Boolean expression can be obtained for each of the inputs as shown in Figure 1. 
These parametric Boolean expressions capture the input constraint of the circuit. In general, given 
n variables ii, *2, . . . ,  in, and a constraint on these variables which results in m  valid combinations 
o f values of these variables, the number of parametric Boolean variables required to encode this 
constraint is [log2 m\.
2.2 Constra in ts on  the S ta te  and Inpu t V ectors
In many situations, it is convenient to express the constraints of a circuit as a Boolean expression on 
the state and/or input bit-vectors. For example, a set-associative cache would require all the tags (bit- 
vectors) in a set to be different ( 7^ ) for its correct operation. Here we consider the constraints which
TOWARDS A VERIFICATION TECHNIQUE FOR LARGE SYNCHRONOUS CIRCUITS 5
may involve relational operators (< ,  < , > , > , = )  and logical connectives (A, V). These constraints 
on the bit-vectors can also be expressed as Boolean expressions containing individual bit-variables 
of the bit-vectors, and parametric Boolean expressions can be obtained for these individual bit- 
variables. However, the direct generation of parametric Boolean expressions for bit-vectors, taking 
advantage of the recursive nature of the relations on the bit-vectors (e.g. / o n a n  N  bit vector can 
be expressed using the xor function and ^  on an N  — 1 bit vector) would be computationally more 
efficient.
To illustrate the generation of parametric Boolean expressions for the constraints involving bit- 
vectors, consider two 4-bit vectors A : [03, a2, ai, ao] and B  : [£>3, &o] and the constraint A > B. 
The parametric Boolean expressions for the bit-variables of these two vectors are shown in Figure 2. 
We call x ab and yab control parametric variables. The instantiations o f these variables result in 
minimally instantiated symbolic A  and B  vectors which satisfy the constraint A  >  B. For example, 
with x ab =  0 and yab =  1, we obtain A  : \ps,p2, l,Po] and B  : \ps,pi, 0, g0]-
Boolean expressions on bit-vectors containing the logical connectives A and V can be first simplified 
into a disjunction of conjunctive-forms (or “cubes” ). Then, the parametric Boolean expressions for 
each conjunctive-forms can be obtained and combined to get the parametric Boolean expression for 
the given Boolean expression.
3 Verification of Minmax
In this section, we take a simple example that was also studied in [10]. M in m a x  [14] (Figure 3) has 
three registers, MAXI, MINI, and LASTIN. It implements five operations, I c l r . e n ,  I c l r _ d i s ,  Id is ,  
I re se t ,  and Ien. Here, we consider Ien operation which reads the current input, updates MAXI and 
MINI, with the (running) maximum value so far and the minimum value so far respectively. It also 
causes an output equal to the average of the max-so-far and min-so-far to be produced on the output 
port !0UT. A  formal verification of Minmax was carried out using algebraic/equational reasoning 
techniques [9].
3.1 V erifica tion  w ith  M in im a lly  In stan tia ted  Sym bolic  V ectors
Since every circuit requires some state and/or input constraints to be obeyed for its correct op­
eration, one needs to instantiate the symbolic state and input vectors to the right degree so that 
the state and/or input constraints of the circuit are satisfied in the symbolic simulation based ver­
ification o f that circuit. We refer to these vectors as minimally instantiated symbolic simulation 
vectors. In [10], we approached the verification of M in m a x  by enumerating minimally instantiated 
symbolic simulation vectors; we used Prolog to generate the minimally instantiated symbolic vectors 
for M in m a x . We generated symbolic simulation vectors for each condition o f a data dependent 
conditional branch, augmented with the circuit invariant MINI <  MAXI. Some of the sixteen vectors 
generated, for the case IN >  MAXI (also taking the circuit invariant MINI <  MAXI into account) are
TOWARDS A VERIFICATION TECHNIQUE FOR LARGE SYNCHRONOUS CIRCUITS 6
Figure 3: Schematic of M in m a x
now listed:
MINI.O = [0,0,MINI1,MINI0]  




IN_0 = [1 , IN 2 , IN 1 , IN 0 ] , MAXI.O 
IN_1 = [1 , IN 2 , IN 1 , IN 0 ] , MAXI.l 
IN_2 = [1 , IN 2 , IN 1 , IN 0 ] , MAXI.2
[ 0 , 1 ,MAXI1,MAXI0] 
[0 ,MINI2,1 ,MAXI0] 
[0,MINI2,MINI1,1]
MINI.15 = [IN 3 ,IN 2 ,IN 1 ,0 ], IH.15 = [IN 3 ,IN 2 ,IN 1 ,1 ], MAXI.15 = [IN 3 ,IN 2 ,IN 1 ,0 ]
Here, M INI_i represents the ith vector to be loaded into the register MINI, and so on for the other 
vectors. Verification time using this approach, for the cases (IN  >  MAXI) and (MINI <  IN <  MAXI), 
are listed in Figure 6 under the circuit name Minmax4 and the column “minimal instantiation” .
3.2 V erifica tion  w ith  P ara m etr ic  B oolean  Expressions
Verification o f the M in m a x  circuit for the Ien  operation required the verification of three tran­
sitions whose state and input constraints were: IN <  MINI <  MAXI, MINI <  IN <  MAXI, and
TOWARDS A VERIFICATION TECHNIQUE FOR LARGE SYNCHRONOUS CIRCUITS 7
Figure 4: The Pipelined Cache Memory System
MINI <  MAXI <  IN. We generated parametric Boolean expressions for the state and input vectors 
satisfying these three constraints to verify the three transitions for Ien  operation of the M in m a x  
circuit, using the technique outlined in Section 2.2. The use of parametric Boolean expressions for 
the verification of M in m a x  reduced the number of symbolic simulation vectors to 1 for each of the 
three constraints mentioned above and it also reduced the verification time significantly. The veri­
fication time for M in m a x  using this approach is listed in Figure 6 under the column “ Parametric 
Expressions” .
4 Verification of A  Pipelined Cache Mem ory System
In this section we consider the verification of a pipelined cache memory system to illustrate our 
technique to verify large designs.
4.1 A  P ipelined Cache M em ory  System
The pipelined cache memory considered here has a 2-way set-associative cache with 4 sets in the 
cache. The size of a block in each set is one byte and the tag associated with each block is 3 bits. A  
set is selected by the two higher-order bits of the Read/Write address.
TOWARDS A VERIFICATION TECHNIQUE FOR LARGE SYNCHRONOUS CIRCUITS 8
The least recently used(LRU) block replacement policy is used for the cache miss on a Read or 
Write operation. Since each set has only two blocks, the LRU policy is implemented by one flip-flop 
for each set; output o f the flip-flop indicates the least recently used block in the corresponding set. 
For higher set sizes, an LRU array would be used to implement the LRU block replacement policy. 
Verification of regular arrays, with LRU array as an example, is discussed in Section 5.1.
The main memory is updated using the write-through policy (i.e., for a Write operation, the data 
is written into the main memory and the cache at the same time). Since it takes more time to write 
the data into the main memory than into the cache for a Write operation, pipelining can be achieved 
by allowing more operations on the cache, while the data is being written into the main memory. 
In our pipelined cache system design, pipelining is achieved by allowing one or two Read operations 
(two Read operations, i f  the first Read operation following the Write operation results in a hit in the 
cache), while the data is being written into the main memory for a Write operation.
The block diagram of the pipelined cache memory system is shown in Figure 4. The pipelined 
cache system design consists o f four main modules, as shown in Figure 4. The CACHE module stores 
the data part of all the blocks in the cache. The LRU module contains the data storage and the logic 
necessary to implement the LRU block replacement policy. The CAM  module stores the tag part of 
the addresses currently in the cache. It also contains the logic necessary to implement set selection 
and parallel search for the tag part of the address of a Read/Write operation. The CO NTRO LLER  
module controls the operation of the pipelined cache memory system. This pipelined cache memory 
system was implemented on a Tiny Chip (about 5,700 transistors) and the simulation files necessary 
for switch-level symbolic simulation in COSMOS were derived from the N E T  description o f the 
design.
4.2 V erifica tion  U sing P a ra m etr ic  B oolean  Expressions
Symbolic simulation cannot be naively applied to verify the entire cache memory system. For 
example, if symbolic vectors are applied as the address inputs and the memory is asked to Read, all 
the locations covered by the symbolic address are “simultaneously read” ; this can cause conflicting 
drives o f values on the data output. Therefore, we resort to the technique o f separately verifying 
the sub-modules of the cache memory. Specifically, the following sub-modules have to be separately 
verified: (a ) the CACHE; (b ) the D RAM ; and (c ) all remaining units treated as the third submodule. 
Notice that the D R AM  and the CACHE modules of the pipelined cache memory system can be 
separately verified using the switch-level verification techniques outlined in [4],
To verify the pipelined cache memory system, we wrote the behavioral and structural description 
for the design in HOP. The inferred behavior of the design from the structural description by PAR ­
COM P was used to determine the Read/Write operation sequences necessary to verify the pipelined 
cache memory system. Since our example cache memory system is pipelined, it is necessary to verify 
its operation over the sequences of Reads and Writes listed in the middle of Figure 6. Verification is 
separately carried out for each of these Read/Write sequences. For a particular sequence, the tags
TOWARDS A VERIFICATION TECHNIQUE FOR LARGE SYNCHRONOUS CIRCUITS 9
in the CAM  are initialized to symbolic expressions that satisfy the CAM  invariant (i.e., no two tags 
in a set have the same value). The Read/Write addresses are then set to symbolic expressions that 
cause the particular scenario (e.g. “Write Miss —► Read Hit —*• Read Miss” ) to manifest.
In our first attempt, we used Prolog to encode the constraint among the tags of the CAM  (captured 
by the CAM  invariant) and the constraints on Read/Write addresses required to make each scenario 
manifest, and ran the Prolog description to generate minimally instantiated symbolic values that 
satisfied the constraints. An impracticably large number of symbolic vectors were obtained (e.g., the 
operation sequence Write Miss —*■ Read Hit - »  Read Hit resulted in 191232 symbolic vectors).
We then explored the idea of using parametric Boolean expressions by generating the tags in the 
CAM  and the Read/Write addresses satisfying the constraints as described above. The constraints 
involved the ^  relation and the logical connective A. The use of parametric Boolean expressions 
reduced the number of symbolic vectors required for verification to one for all the Read/Write 
operation sequences beginning with a Write Hit operation and to eight for rest of the Read/Write 
operation sequences beginning with a Write Miss operation. The reason why eight symbolic vectors 
were required for each Read/Write operation sequence beginning with a Write Miss operation is the 
following: since a Write Miss operation would write the address tag in the CAM  and the data in 
the CACHE, the set part o f the Write address and the LRU value for the corresponding set were 
required to be instantiated to scalar values; there are four possible sets, and for each set, there are two 
possible LRU values. The symbolic simulation and verification times required for all the Read/Write 
operation sequences are shown in Figure 6.
We verified the pipelined cache memory system by supplying (using the fr e e z e  command in 
COSMOS symbolic simulator) the expected inputs from the D RAM  and the CACHE module during 
the symbolic simulation of the Read/Write operation sequences, assuming that the D RAM  and 
CACHE operate correctly.
4.3 V erifica tion  o f  La rge  Cache Sizes
We believe that the technique of using parametric Boolean expressions can be applied for the 
verification o f large cache sizes. I f  the number of symbolic variables which can be used in the 
COSMOS symbolic simulator is a limitation for the verification of large cache sizes, the technique 
of using parametric Boolean expressions can be applied in the following way. The set part of the 
Write operation’s address in an operation sequence can be instantiated to the scalar value and the 
tags o f CAM  for the sets in which addresses of the Read/Write operation sequence map to can be 
initialized to contain the parametric Boolean expressions satisfying the required constraints; the tags 
in all the other sets can be kept to the unknown value X. This would reduce the number of symbolic 
variables required in the verification of an operation sequence, but would increase the number of 
symbolic vectors required in the verification of the operation sequence. The number o f symbolic 
vectors required would be proportional to the number o f sets in the cache.





Algorithm: Set row; reset col; find row with all zeros
(c)
Figure 5: LRU Cell and its HOP state diagram; LRU Array
5 Verification of Regular Arrays
Regular arrays form an important class of VLSI circuit designs, and with regular array designs 
being employed in numerous applications, the verification o f regular arrays becomes an important step 
in their design and implementation as VLSI circuits. Also, it is important to develop efficient ways 
to handle state and input constraints for the verification of regular arrays, because many regular 
arrays are designed to operate under input constraints (e.g., “ inputs must be unary” ). In this 
section, we show our verification approach for regular arrays and show the application o f parametric 
Boolean expressions in the verification of regular arrays. The hardware implementation o f LRU page 
replacement policy which we consider here maintains an array of n X n bits, initially all zeros, for a 
machine with n page frames. Whenever page k is referenced, the hardware sets all the bits of the
TOWARDS A VERIFICATION TECHNIQUE FOR LARGE SYNCHRONOUS CIRCUITS 11
row k to 1 and sets all the bits o f the column k to 0. A t any instant, the row with all bits set to 0 
indicates the least recently used row, hence the least recently used page frame.
5.1 T h e  L R U  A r ra y
The LRU array is realized as a two-dimensional regular array of LRU cells. Each LRU cell o f the 
regular array consists of a state bit which can be set to 1 by keeping the row® (read “feed-through 
connection row” ) input to 1 and col® input to 0; the state bit can be set to 0 by keeping the col® 
input to 1. On rising edge o f the clock— indicated by Ic k r is e  (read:“control input c lk r is e ” ) in the 
state diagram— the state bit o f the LRU cell is set to 0 or 1 depending upon row® and col® inputs. 
On falling edge o f the clock— indicated by Ic k f  a l l  in the state diagram— the output ! e is computed 
as logical OR of ?w input of the cell (which is ! e output of the previous cell) and the state bit o f the 
LRU cell. The output o f each row is logical OR of the state bits of the LRU cells in the row.
The functionality of an LRU cell is shown in Figure 5(a) and the corresponding state diagram is 
shown in Figure 5(b). A  4 X 4 LRU array is shown in Figure 5(c). The operation of the LRU array 
relies on the input constraint that only the ith (0 <  i <  3) row® bit and the ith col® bit are 1, when 
page i is referenced.
The LRU array implementation of the LRU policy is verified at two levels. A t the first level, the 
LRU regular array behavior determined by P C A  (a parallel composition algorithm for regular arrays) 
is verified against the abstract specification of the LRU array algorithm. The formal verification at 
this level is based on the homomorphism relation between states of the inferred behavior and the 
states of the abstract specification. We are skipping the details of this proof in this paper.
A t the second level, the transistor level implementation of the LRU array corresponding to the 
structural description in HOP is verified against the behavior inferred by PCA . However, the PCA- 
inferred behavior cannot directly be used as the reference specification because P C A  does not take 
into account the input constraints. Therefore, we first obtain the PCA-inferred behavior and then 
substitute into it the input and initial state values applied during the transistor level symbolic 
simulation; this forms the reference specification.
5.2 V erifica tion  w ith  P a ra m etr ic  B oolean  Expressions at th e Inputs
The LRU array was verified for all combinations of row and column input values, which satisfied 
the input constraint for the LRU array. Each cell in the LRU array was initialized to a distinct 
symbolic variable, to verify the LRU array for all possible state values, (this is possible as the LRU 
array does not have any non-trivial circuit invariants.) We illustrate our technique to handle the 
input constraint on the 4 x 4  LRU array, and report the results for higher sizes. We first used scalar 
values on the row and column inputs, satisfying the input constraint, and verified the resulting new 
state and output values against the expected values. It required four symbolic simulation vectors to 
verify the 4 x 4  LRU array.






























Minmax4 1232 16 4.83 1 2.42 21 6.13 1 3.07
Operation Sequence No. of Vectors Total time
Write Hit —»■ Read Miss 1 12.40
Write Hit —► Read Hit 1 9.58
Write Hit —>■ Read Hit —► Read Hit 1 15.0
Write Hit —»• Read Hit —> Read Miss 1 17.90
Write Miss —► Read Miss 8 70.65
Write Miss —*■ Read Hit 8 70.0
Write Miss —► Read Hit —> Read Hit 8 185.75
Write Miss —► Read Hit —> Read Miss 8 222.03
No. of Scalar Input Parametric Expressions
Transistors Values as Inputs
Circuit Name No. of Total No. of Total
Vectors time Vectors time
LRU 4 x 4 448 4 0.63 1 0.27
LRU 8 x 8 1792 8 6.93 1 2.29
LRU 16 x 16 7168 16 134.63 1 34.68
Figure 6: Experimental Results1 for Minmax, LRU array, and Pipelined Cache Memory System
Then, we encoded the input constraint as parametric Boolean expressions on the row and column 
inputs, with two parameter Boolean variables b l and b2 as described in in Section 2.1(Figure 1). 
W ith the use of this technique, the number of symbolic simulation vectors reduced from four to one. 
In general, log2 n parametric Boolean variables are required to encode the input constraint of an 
n x n LRU array. In the LRU array verification, this technique reduces the number o f symbolic 
simulation vectors to one, independent of the size n o f the LRU array. Symbolic simulation 
and verification times for various sizes of the LRU array are shown in Figure 6 under “parametric 
expressions as inputs” . The improvement in the symbolic simulation and verification time, with the 
use of parametric Boolean expressions, is significant for the large LRU array sizes. We find that the
'T o ta l time is shown in seconds.
TOWARDS A VERIFICATION TECHNIQUE FOR LARGE SYNCHRONOUS CIRCUITS 13
use o f parametric Boolean expressions can lead to significant reduction in the number of symbolic 
vectors and the verification time in the symbolic simulation based verification o f regular arrays.
6 Conclusions and Future W ork
Symbolic simulation based verification is a powerful approach for the verification of hardware 
designs, which can complement formal verification using theorem provers. There is considerable 
incentive to make symbolic simulation based verification scale up to large circuits, as this would 
provide digital system designers with a familiar tool (a  simulator) to verify the designs almost 
automatically. Results reported in this paper indicate that the symbolic simulation based verification 
approach can scale up to large circuit sizes in many cases. The main motivation o f our work has been 
to discover techniques that would help expand the class of circuits, and the circuit sizes that can be 
verified by the symbolic simulation based verification approach. One o f the main observations is that 
the parametric Boolean expressions can be used in variety of ways for efficient symbolic simulation 
based verification o f large synchronous circuits. Even though the generation of the parametric 
Boolean expressions can involve some computational effort, the parametric Boolean expressions, once 
generated, can be re-used during the debugging of the circuit being verified. In all the circuits we have 
verified, the use of parametric Boolean expressions enhanced the speed o f the symbolic simulation 
process, mainly through a favorable tradeoff between the the number o f simulation vectors (which 
is very much reduced) and the average number o f symbolic variables per vector (which goes up only 
by a small amount). We are currently studying the automated generation of parametric Boolean 
expressions for the state and input constraints, given a constraint on these variables as a Boolean 
expression. By studying more examples, we hope to get further insight into the technique(s) that 
would work best for a given example.
References
1. Derek L. Beatty, Randal E. Bryant, and Carl-Johan H.Seger. Synchronous circuit verification by 
symbolic simulation: An illustration. In Sixth M IT  Conference on Advanced Research in VLSI, 
1990. M IT  Press, 1990.
2. Christian Berthet, Olivier Coudert, and Jean-Christophe Madre. New ideas on symbolic manip­
ulations o f finite state machines. In Proceedings of the ICC D , 1990, pages 224-227, 1990.
3. Randal E. Bryant. A  methodology for hardware verification based on logic simulation. Technical 
Report CMU-CS-90-122, Computer Science, Carnegie Mellon University, March 1990. Accepted 
fo r  publication in the JACM .
4. Randal E. Bryant. Formal verification of memory circuits by switch-level simulation. IE E E  
Transactions on Computer-Aided Design, 10(1):94-102, January 1991.
TOWARDS A VERIFICATION TECHNIQUE FOR LARGE SYNCHRONOUS CIRCUITS 14
5. Randal E. Bryant, Derek L. Beatty, and Carl-Johan II. Seger. Formal hardware verification by 
symbolic ternary trajectory evaluation. In Proc. A C M / IE E E  28th Design Automation Confer­
ence, pages 397-402, June 1991.
6. Randal E. Bryant and Carl-Johan II. Seger. Formal verification of digital circuits using ternary 
system models. Technical Report CMU-CS-90-131, School o f Computer Science, Carnegie Mellon 
University, May 1990. Also in the Proceedings o f the Workshop on Computer-Aided Verification, 
Rutgers University, June, 1990.
7. Olivier Coudert, Christian Berthet, and Jean-Christophe Madre. Verification of sequential ma­
chines using boolean functional vectors. In Proceedings of the IM E C -IF IP  Workshop on Applied 
Formal Methods fo r  Correct V L S I Design, Leuven, Belgium , pages 179-196, November 1989.
8. Ganesh Gopalakrishnan. Syntax-directed semantics for synchronous systems. Technical report, 
Dept, o f Computer Science, University of Utah, Salt Lake City, U T 84112, 1992. UUCS-TR-92-
006.
9. Ganesh Gopalakrishnan and Prabhat Jain. A  practical approach to syxichronous hardware ver­
ification. In Proc. V L S I Design ’91: The Fourth C SI/ IEEE  International Symposium on V LS I 
Design, New Delhi, India, January 1991.
10. Ganesh Gopalakrishnan, Prabhat Jain, Venkatesh Akella, Luli Josephson, and Wen-Yan Kuo. 
Combining verification and simulation. In Carlo Sequin, editor, Advanced Research in V L S I : 
Proceedings o f the 1991 University o f California Santa Cruz Conference. The M IT  Press, 1991. 
IS B N  0-262-19308-6.
11. Prabhat Jain and Ganesh Gopalakrishnan. Some techniques for efficient symbolic simulation 
based verification. Technical Report UUCS-TR-91-023, University o f Utah, Department o f Com­
puter Science, October 1991.
12. Prabhat Jain, Ganesh Gopalakrishnan, and Prabhakar Kudva. Verification o f regular arrays by 
symbolic simulation. Technical Report UUCS-TR-91-022, University of Utah, Department of 
Computer Science, October 1991.
13. Carl-Johan H. Seger and Jeffrey Joyce. A  two-level formal verification methodology using 
1IOL and COSMOS. Technical Report 91-10, Dept, o f Computer Science, University of British 
Columbia, Vancouver, B.C., June 1991.
14. D. Verkest and L. Claesen. The minmax system benchmark, November 1989.
