RDCs (Reachability Don't Cares) can have a dramatic impact on the cost of model checking [18]. Unfortunately, RDCs, being a global property, are often much more difficult to compute than the satisfying set of typical CTL formulas. We address this problem through the use of Approximate Reachability Don't Cares (ARDCs), computed with the algorithms developed for the VERITAS sequential synthesis package [4, 5]. Approximate reachable states represent an upper bound on the set of true reachable states, and thus a lower bound on the set of unreachable (Don't Care) states. ARDCs can be 10X to 100X (or much more for very large circuits) cheaper to compute than RDCs, and in some cases have the same dramatic effect on CTL model checking as the real RDCs. We also discuss the application of ARDCs to the problem of exact computation of the RDCs themselves. Experiments on industrial benchmarks show that order of magnitude speedups are possible, and occur frequently. The experimental results presented strongly support our claim that ARDCs offer a safe and important way out of a serious dilemma: RDCs are necessary for tractable model checking of many large circuits, but the computation of the RDCs themselves is often intractable. We include, and theoretically justify, significant extensions of the VERITAS algorithms, and show that they can be up to an order of magnitude faster, while computing a virtually identical upper bound.
Introduction
Although the effects are well known and intuitive, scant attention has been paid to RDCs (Reachability Don't Cares) in the prominent literature of traversal techniques for CTL model checking [7, 17, 3, 2, 8]. However, recent quantitative studies have shown that RDCs can have a dramatic impact on the cost of CTL model checking. For example, the Ethernet benchmark was shown [18] to model check more than 10X faster with the help of RDCs than without. Unfortunately, RDCs, being a global property, are often much more difficult to compute than the satisfying set of typical CTL formulas. In fact, the command help in the VIS verification package [1] advises users not to use RDCs for large circuits. Unfortunately, larger circuits are often the ones for which RDCs are most beneficial.
We address this problem through the use of Approximate Reachability Don't Cares (ARDCs) in the VIS model checking package [15]. Approximate reachable states represent an upper bound on the set of true reachable states, and thus a lower bound on the set of unreachable (Don't Care) states. ARDCs can be 10X to 100X (or much more, simply because exact reachability analysis is intractable on many circuits) cheaper to compute than RDCs, and in some cases have the same dramatic effect on CTL model checking as the real RDCs. We further propose to investigate applying the cheaply generated ARDCs as a means of significantly reducing the cost of computing the (exact) RDCs. Results on several industrial benchmarks of moderate size (hundreds of latches) have demonstrated that speedups of 8X-10X are attainable in some circuits, whereas ARDCs make the difference between intractability and tractability in other circuits.

This work was supported in part by NSF grant MIP-9422268 and SRC contract 96-DJ-560.

Design Verification, Motorola Inc., Austin, TX, {jun-yuan,carl-pixley}@email.mot.com

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. ICCAD 98, San Jose, CA USA. © 1998 ACM.
The experimental results presented strongly support our claim that ARDCs offer a safe, robust, and important way out of a serious dilemma: RDCs are necessary for tractable model checking of large circuits, but the computation of the RDCs themselves is often intractable.
We include, and theoretically justify, significant extensions of the VERITAS algorithms. We demonstrate that our extension of the VERITAS MBM algorithm, which we call FastMBM, can be up to an order of magnitude faster, while computing a virtually identical upper bound. We present a comprehensive theory that was able to satisfactorily explain several seemingly anomalous characteristics of our approximations.
In Section 2, we briefly recapitulate the VERITAS ARDC generation algorithms, and our extensions thereof. In Section 3, we discuss the general problem of exploiting RDCs in CTL model checking and reachability analysis (we generally follow the approach of [15], but show that some departures are necessary to obtain significant speedup). In Section 4, we discuss our experimental results, and then we conclude with some recommendations for future work.
Preliminaries
The approximate reachability analysis of a large FSM (circuit) $M$ has two steps: (1) State Space Decomposition of $M$ into $m$ sub-FSMs $M_j$, and (2) Approximate Traversal of $M$, based on exact traversal of the individual $M_j$, while approximating their interaction. The set of reachable states $R_j(s^j)$ is computed for each submachine, and the upper bound on the set of reachable states for $M$ is taken as the Cartesian product of the $R_j(s^j)$. Large machines may be treated by increasing the severity of the overapproximation. In the extreme, the submachines do not interact at all. In this case, the upper bound is easily computed even for large $m$.
We first discuss the state space decomposition [5]. Suppose the overall FSM $M$ is described by the transition relation

$$T(s, x, t) = \prod_{i=1}^{n_s} T_i(s, x, t) = \prod_{i=1}^{n_s} \big(t_i \equiv \delta_i(s, x)\big),$$

where $s$ and $t$ are the overall vectors of $n_s$ binary state variables (latches), $\delta_i$ is the state transition function for the $i$th latch, and $x$ is the vector of $n_x$ primary inputs¹. $M$ may be decomposed into the following product of $m$ sub-FSMs by simply grouping the state variables (latches):

$$T(s, x, t) = \prod_{j=1}^{m} T^j(s, x, t^j) = \prod_{j=1}^{m} \Big( \prod_{i=1}^{n_j} \big(t^j_i \equiv \delta^j_i(s, x)\big) \Big).$$

Here $t^j$ is a vector of $n_j$ state variables, where the $n_j$ satisfy

$$\sum_{j=1}^{m} n_j = n_s.$$

Thus the overall state space $\{0,1\}^{n_s}$ is decomposed into the Cartesian product of $m$ state spaces. We perform state space decomposition with the algorithms of [5]. These algorithms are based on the functional dependencies of the transition functions $\delta_i(s, x)$, and on the functional correlations between these functions. So, starting from a given latch (the seed), the latch with the largest dependency and correlation weight is aggregated. Given the decomposition, we then use modifications of the basic procedures of [4] for computing the ARDCs. One of these modified procedures, called FastMBM (Fast Machine By Machine), is shown in Figure 1. We refer the reader to [4] for detailed descriptions of MBM and the other associated algorithms. Here, we limit ourselves to briefly characterizing FastMBM, and showing how MBM and a related variant, called TightMBM, differ from Procedure FastMBM.
Figure 1. Procedure FastMBM (pseudo code). Only the tail of the listing survived extraction:
    if (Previous_R_j(s^j) ≠ R_j(s^j)) Changed = TRUE }
9   } while (Changed)
10  return({R_j(s^j)}) }

Procedure FastMBM begins with a for loop which calls the subprocedure ProjectInitial for each of the submachines $M_j$. This projects the initial state set $I(s)$, with full support, to the overapproximation $I_j(s^j)$, which has only local support. This is done by existential abstraction of the non-local present state variables $s^i$, $i \neq j$. Then the reachable state set for each submachine is initialized to the tautology (Line 1).
¹ Note ([6]) that even nondeterministic machines can be handled in this way by adding extra primary inputs.
Then a do-while loop is entered, in which the current approximations are refined. This loop is exited only when two successive passes produce the same overapproximation. Inside this loop (Line 3), a for loop is entered, which performs FSM traversal of each submachine in turn. This is done in a heuristic order determined by a "minimum feedback edge set" heuristic, as part of the state space decomposition step. This order tries to closely approximate a serial decomposition of the original overall FSM.
This main for loop begins by recording the previous version of the reachable state set $R_j(s^j)$ of $M_j$. The boolean variable Changed is set so that the do-while loop is not exited if $R_j(s^j)$ changes for any one of the $m$ submachines. In Line 4, the local transition relations $T^j(s, x, t^j)$ are initialized to their original state, and then modified in the for loop of Line 5, which considers every other fanin submachine besides the one being traversed.
In Line 6, $T^j(s, x, t^j)$ is restricted to the states reached previously by each fanin submachine. The dagger ($\dagger$) stands for an arbitrary generalized cofactor operation. In this paper it will refer either to the down arrow ($\downarrow$), signifying the CONSTRAIN algorithm, or to the double down arrow ($\Downarrow$), signifying the RESTRICT algorithm [7]. Submachine $M_i$ is considered to be in the fanin of submachine $M_j$ if any of the variables of $s^i$ is in the support of any of the $\delta^j$ of submachine $M_j$.
In Line 7, all state variables of the other submachines behave like pseudo primary inputs and are existentially abstracted. This introduces a further overapproximation when $T^j$ is a partitioned transition relation.
The MBM algorithm may be obtained from FastMBM by deleting the existential abstraction of Line 7, assigning the dagger to the down arrow (CONSTRAIN), and not allowing dynamic BDD variable ordering in Line 6 when $T^j$ is a partitioned transition relation, whereas FastMBM allows it. TightMBM can be made from MBM by using the initial state(s) $I(s)$ of the total machine instead of ProjectInitial($I_j(s^j)$), in order to get a tighter upper bound. Since $I_j(s^j)$ of the $j$th submachine is not always a subset of the reachable states $R_i(s^i)$ of the $i$th submachine ($i \neq j$), we may get extra reachable states; therefore, by using $I(s)$ we can get a tighter upper bound. All of these algorithms are greatest fixed point procedures, with the embedded, essentially standard least fixed point of FsmTraversal.
We now present a theory which shows that all of these doubly nested fixed point procedures converge to valid overapproximations of the actual reached set of the given FSM.
Lemma 2.2 If $C(s) \subseteq R(s)$, then $\mathrm{Img}(T(s,x,t), C(s)) = \mathrm{Img}(\tilde{T}(s,x,t), C(s))$, where $\tilde{T}(s,x,t) = \prod_i \big(T_i(s,x,t) \dagger R(s)\big)$.

Proof. Let $T(s,x,t)$ be the original partitioned transition relation, and $\tilde{T}(s,x,t)$ be the transition relation minimized with the reachable states as follows; again the dagger stands for a generalized cofactor:

$$\tilde{T}(s,x,t) = \prod_i \big(T_i(s,x,t) \dagger R(s)\big).$$

Then

$$\begin{aligned}
\mathrm{Img}(T(s,x,t), C(s)) &= \exists_{s,x}[T(s,x,t) \cdot C(s)] = \exists_{s,x}[T(s,x,t) \dagger C(s)] \\
&= \exists_{s,x}\Big[\Big[\prod_i \big(T_i(s,x,t) \dagger C(s)\big)\Big] \cdot C(s)\Big] \qquad (a) \\
&= \exists_{s,x}\Big[\Big[\prod_i \big(T_i(s,x,t) \dagger R(s)\big)\Big] \cdot C(s)\Big] \qquad (b) \\
&= \exists_{s,x}[\tilde{T}(s,x,t) \cdot C(s)] = \mathrm{Img}(\tilde{T}(s,x,t), C(s)).
\end{aligned}$$

The step from (a) to (b) holds because if $h \supseteq g$, then $g \cdot (f \dagger g) = g \cdot (f \dagger h)$; here $g = C(s)$ and $h = R(s)$.
Lemma 2.3 Let $M = \mathrm{Img}(T, g \cdot h)$, and $F = \mathrm{Img}(T \dagger g, h)$. Then $M \subseteq F$. If $h \subseteq g$, $M = F$.

Proof. $\mathrm{Img}(T, g \cdot h) = \mathrm{Img}(T \dagger g, g \cdot h) \subseteq \mathrm{Img}(T \dagger g, h)$, since $g \cdot h \subseteq h$, and Img is monotonic. Now if $h \subseteq g$, $g \cdot h = h$, so in this case $F = M$.
□

We now show how this lemma can be developed into a proof that FastMBM converges to an upper bound of the result of MBM, which is in turn an upper bound on the true set of reachable states. First, however, note that this means that any generalized cofactor operation, in particular RESTRICT, and not just CONSTRAIN, can be used to minimize the transition relation while (conservatively) preserving the image. If $h \subseteq g$, the image is exactly preserved. This may not have been previously known. Further, it proves that this holds in the presence of dynamic BDD reordering, which again was not previously known.

Proof. We first consider the case where the abstraction of Line 7 is excluded. By Lemma 2.3 and Lemma 2.1, it follows that each $R_j$ computed in Line 8 is a valid upper bound of $R$, regardless of whether $\dagger = \downarrow$ or $\dagger = \Downarrow$. For the same reason, it follows that the bound produced is an upper bound if it is produced by FastMBM. Now consider the case where the abstraction of Line 7 is included. In this case a further upper bound approximation is imposed on the transition relation, which in turn leads to a further upper bound on the final result $R = \prod_j R_j$.
Finally, we have to prove convergence, considering the aforementioned two upper bound effects: the use of RESTRICT (without satisfying $h \subseteq g$ in the application of Lemma 2.3), and the abstraction of Line 7. Since these were not part of MBM, the convergence proof for MBM does not carry over directly.
In fact, we have observed experimentally that the functional of the greatest fixed point is not monotonic in general, although it is in a strong majority of cases. Thus to prove convergence, we need the following additional lemma.

Proof. This "RestoreContainment" operation is guaranteed to produce a contraction by the elementary properties of conjunction.
□

Note that this is somewhat informal in the sense that a contraction would be produced independent of all other previous considerations.
As a final point, note that the pseudo code of Figure 1 oversimplifies what was actually implemented in two respects. First, instead of updating every submachine on each pass through the refinement loop, the actual code implements an "event driven" procedure in which only the fanout machines of submachines whose reached sets have changed are scheduled for updating. This is the technique used in VERITAS, and it significantly reduces the number of calls to FsmTraversal (Line 8).
Another oversimplification is the fact that the $T^j$ have been treated as if they were monolithic transition relation blocks. In fact, the VIS "IWLS95" heuristic was used, in which each submachine is scheduled for early quantification in the partitioned transition relation approach [15]. So in actuality, the $\dagger$ operations are applied to the individual transition subrelations of the submachines.
Exploitation of ARDCs in CTL Model Checking and Reachability Analysis
In this section we discuss the deployment of ARDCs in both exact reachability analysis and CTL model checking. Since reachability analysis, often called FSM traversal, is actually "past tense" CTL model checking, we will present just one procedure, even though VIS actually has separate procedures for these two activities. VIS uses syntactic identities to parse arbitrary CTL formulas into parse trees containing calls to either EXp, EGp or EU(p, q). The CTL formula EFp is interpreted as EU(TRUE, p). However, for our purposes it suffices, and is most expedient, to discuss only EFp. In VIS, the actual procedures implemented use the ARDCs in exactly the way we show here.
The basic procedure for model checking with ARDCs is shown in Figure 2. The procedure we used for exact reachability analysis is just the very same procedure, with the PreImg subprocedure of Line 6 replaced by an Img subprocedure. In Line 1, the partitioned transition relation clusters are restricted with respect to the reached states of each submachine formed by state space decomposition. This BDD minimization is responsible for a large part of the savings compared to model checking without reachability don't cares. The do-while loop of Lines 3-9 computes the least fixed point of the EFp predicate transformer, using the method of [15].
Notice that the approximate reachable states are passed as a care set to the PreImg computation of Line 5. Thus unreachable states can be used as Don't Cares in the PreImg computation. The call to BddBetween tries to return the smallest BDD among all sets which contain New and are contained in Current.
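The two procedures described above, FastMBM (Section 2, Figure 1) and EFp with the approximate reachable states as a care set (Figure 2), worked through on a constructed four-latch FSM as an added example; this is not code from the paper, from VIS or from VERITAS. It replaces BDDs and the generalized cofactor with explicit state sets, so Lines 6-7 of FastMBM become "let the non-local latches range over the other submachines' current bounds R_i", and the FSM, the two partitions and the property EF(s3) are all constructed for illustration.

```python
from itertools import product

# Constructed toy FSM (not from the paper): latches s = (s1, s2, s3, s4), one input x.
# (s1, s2) is a mod-3 counter (00 -> 10 -> 01 -> 00), so the code 11 is unreachable;
# s3 is set only when the counter shows 11, hence it is always 0 in reality; s4' = s3 xor x.
N = 4
DELTA = [lambda s, x: int(not s[0] and not s[1]),   # delta_1
         lambda s, x: s[0],                         # delta_2
         lambda s, x: int(s[0] and s[1]),           # delta_3
         lambda s, x: s[2] ^ x]                     # delta_4
INIT = (0, 0, 0, 0)
INPUTS = (0, 1)
ALL_STATES = set(product((0, 1), repeat=N))

def step(s, x):
    """One global transition: t_i = delta_i(s, x) for every latch."""
    return tuple(f(s, x) for f in DELTA)

def traverse(init, successors):
    """FsmTraversal: least fixed point of the reached set from init."""
    reached, frontier = {init}, [init]
    while frontier:
        s = frontier.pop()
        for t in successors(s):
            if t not in reached:
                reached.add(t)
                frontier.append(t)
    return reached

def exact_reachable():
    return traverse(INIT, lambda s: [step(s, x) for x in INPUTS])

def assemble(partition, pieces):
    """Glue one local state vector per submachine into a global state vector."""
    s = [0] * N
    for idx, vals in zip(partition, pieces):
        for i, v in zip(idx, vals):
            s[i] = v
    return tuple(s)

def fast_mbm(partition):
    """Explicit-state FastMBM; partition lists the latch indices of each M^j.
    Returns the per-submachine upper bounds R_j as sets of local states."""
    m = len(partition)
    R = [set(product((0, 1), repeat=len(idx))) for idx in partition]  # Line 1: tautology
    changed = True
    while changed:                      # Lines 2-9: refine until a pass changes nothing
        changed = False
        for j, idx in enumerate(partition):
            others = [k for k in range(m) if k != j]
            # Lines 6-7: non-local latches range over the other machines' current bounds
            # R_i (restriction to the fanin bounds) and are then abstracted like inputs.
            envs = list(product(*(R[k] for k in others)))
            def local_succ(loc, j=j, idx=idx, others=others, envs=envs):
                for env, x in product(envs, INPUTS):
                    pieces = [None] * m
                    pieces[j] = loc
                    for k, vals in zip(others, env):
                        pieces[k] = vals
                    t = step(assemble(partition, pieces), x)
                    yield tuple(t[i] for i in idx)        # keep only M^j's next state
            local_init = tuple(INIT[i] for i in idx)      # ProjectInitial
            new = traverse(local_init, local_succ) & R[j]  # Line 8 + RestoreContainment
            if new != R[j]:                                # Changed = TRUE
                R[j], changed = new, True
    return R

def approx_reachable(partition):
    """Cartesian product of the R_j: an upper bound on the exact reachable set."""
    return {assemble(partition, pieces) for pieces in product(*fast_mbm(partition))}

def pre_image(states):
    return {s for s in ALL_STATES if any(step(s, x) in states for x in INPUTS)}

def ef(p, care=ALL_STATES):
    """EF p as a backward least fixed point. care (e.g. the approximate reachable set)
    is the care set of each PreImg: states outside it are don't cares and never added."""
    cur = {s for s in care if p(s)}
    while True:
        new = cur | (pre_image(cur) & care)
        if new == cur:
            return cur
        cur = new

def demo():
    exact = exact_reachable()
    grouped = approx_reachable([(0, 1), (2, 3)])    # counter kept inside one M^j
    split = approx_reachable([(0,), (1,), (2, 3)])  # counter bits separated: looser bound
    s3_set = lambda s: s[2] == 1                    # property EF(s3): must fail from INIT
    return {"exact": len(exact), "sound": exact <= grouped <= split,
            "ardc_grouped": 2 ** N - len(grouped), "ardc_split": 2 ** N - len(split),
            "ef_plain": len(ef(s3_set)), "ef_with_ardc": len(ef(s3_set, grouped))}
```

With the counter bits in one submachine the bound is exact (6 of 16 states, 10 ARDCs); splitting them loses all ARDCs, which is the decomposition sensitivity the paper's Section 2 describes. The care set keeps EF(s3) from ever exploring the 10 unreachable states that the unrestricted fixed point visits, while the answer on the reachable states is unchanged.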
Experimental Results

The data was compiled on the following machines. An Ultra Sparc 1 (167 MHz, with 192 MB RAM) was used for circuits cps, ethernet, exam1, and production cell in Table 1. A Pentium Pro (200 MHz, with 256 MB RAM) was used for cps in Table 3. A DEC Alpha (300 MHz, with 256 MB RAM, using 32-bit pointers) was used for fabric and hw-top in Table 1, and for s3271 and s3330 in Table 3. Finally, in Table 2, a second Ultra Sparc 1 (167 MHz, with 128 MB RAM) was used for design1, design2, design3, and design4.

Most model checking examples are industrial examples, and they are divided into two groups. Those of the first group (Table 1) were obtained and run at our site (but most are not redistributable), whereas those of the second group (Table 2) were proprietary and run on-site by our industrial co-authors. This required us to write a BLIF-MV translator from the internals of the industrial verifier. Thus the Verilog description was translated into an intermediate form by the industrial verifier, and then the intermediate form was translated into BLIF-MV for input into VIS.

We can say something about some of the Group 1 examples. Circuit cps is a model of the control circuitry of the landing gear of an aircraft. The ethernet circuit is a model of the Ethernet protocol for communication between a set of processors. The definition of this system includes several parameters that can be used to scale up the size of the design. The specification consists of 6 CTL formulas. Production cell is a control circuit for automated manufacturing with 61 memory elements [12]. The specification contains 38 formulas.

The circuits of Table 1 with only 1 CTL formula to be checked were circuits that got to us without CTL formulae, like cps. For these circuits, we used the "deadlock free" property AG(EF reset). However, all the circuits of Table 2 had "industrial" CTL formulas.

ARDC-Accelerated Model Checking

For each circuit we decomposed the original machine into submachines with 8 latches each. This is arbitrary, and indicates that we have not tried to tune the state space decomposition to the particular problems at hand.

In the data tables that follow, the circuit names are qualified by a suffix indicating the VIS runtime options used to obtain the data. The "n", "f", and "a" suffixes indicate the VIS model-check command don't care options. The circuit name followed by the letter "n" signifies VIS computations without DCs (Don't Cares), whereas the "f" suffix denotes with exact reachability analysis and the "a" suffix denotes with approximate reachability analysis. In both "f" and "a" cases, the unreachable states are used as don't cares in the fixed point computations of model checking. Here we use the FastMBM method as the reference method for ARDC computations.

Table 1 and Table 2 show the results of model checking with ARDCs. In these two tables, the column headers may be understood as follows. #Latches is the number of latches in each design, #Forms is the number of CTL formulas, #ARDCs is the number of approximate unreachable states, #Reached is the number of exact or approximate reachable states depending on the dcLevel option in VIS, #Bdd is the size of the BDD of exact or approximate reachable states, #BddPk is the peak BDD size during model checking, Trch is the time for exact or approximate reachability analysis, and Tmc is the time for model checking.

The salient features of this table are illustrated in Figure 3. Here the two data series represent Tmc_VIS/Tmc_ARDC with total time, that is, the sum of Trch and Tmc, the last two columns in the tables. The series are for VIS model checking with and without DCs. Note that 2 of the 10 cases result in spaceout (256 MB), 4 of 10 had a speedup of more than 10X, and 6 of 10 had a speedup of more than 6X.
In only 2 of the 10 cases (cps and hw-top without DCs) was VIS without DCs faster in total time. In circuit cps, model

Circuit ethernet was similar in this respect but the results were very different. Of the 2^78 ≈ 3e+23 total states, extremely few, only 862, were reachable. This means that virtually every state was unreachable, and therefore a don't care. Thus it is not surprising that model checking with RDCs (suffix "r") is three orders of magnitude faster than without (suffix "n"). Even though model checking with RDCs is 20X faster than with ARDCs, model checking with ARDCs is still 70X faster than without DCs.
In the case of circuit exam1, model checking with ARDCs is the best, by almost an order of magnitude. Note that though RDC reached only on the order of 10^17 states (out of 4e+34), ARDC obtained a superset that was about 10 orders of magnitude larger.
In the case of production cell, model checking with ARDCs is very comparable to model checking with RDCs. Both with RDCs and with ARDCs it is 15X faster than without Don't Cares.
Circuits fabric and hw-top highlight the operational dilemma faced by verification engineers. If they have seen circuits like ethernet or production cell, they might be seriously inclined to keep the RDC option on. But then they get hammered on circuits like fabric and hw-top, for which reachability analysis is essentially intractable. This gives verification a bad name. In fact the VIS help facility advises designers not to use reachability don't cares for large circuits. Clearly ARDCs provide a way out of this dilemma.

Table 2. Model Checking with ARDCs: Group 2 Industrial Designs.

Table 2 has similar results. For designs 1-3, reachability analysis is intractable. For designs 1 and 2, model checking is tractable without RDCs, but the results with ARDCs are faster. For design 3, model checking is intractable without RDCs (128 MB memory out), and exact reachability analysis is also intractable for the same reason. But model checking with ARDCs completes in under 10 minutes on an UltraSparc 1. This result is to be emphasized, because the circuits of Group 2 are not the full scale circuits but "reduced" versions of them, for which exact reachability analysis is much more intractable.
Comparing designs 3 and 4, note the aforementioned dilemma re-emerging. Design 4 cries out for reachability don't cares, while design 3 suggests the impossibility of obtaining them exactly. Again, ARDCs offer a robust way out of the dilemma.

Figure 4. Accelerating Model Checking for Group 2 Industrial Designs.
The salient features of this table are illustrated in Figure 4 and Figure 5. These are ratio tables, with the 1 (breakeven) lines indicated in bold for each series. In the acceleration table, 5 out of the 8 cases show spaceout or timeout, and hence could be regarded as an infinite speedup. However, the figure just truncates these to show a 10X speedup. In only 1 case, Des4, does VIS (with exact RDCs) beat VIS with ARDCs, in this case by about a factor of 2 in total time. The minimum speedup in the remaining 7 out of 8 cases was 1.8. In the compression table we compare the ratio of peak overall memory requirements. The results were roughly similar to those for acceleration. ARDC won in every case, except for 2 narrow losses (.88 and .95).
ARDC-Accelerated Reachability Analysis
In this section we present some results of using ARDCs to accelerate exact reachability analysis. The results are similar to those obtained for ARDC-accelerated model checking. While this may seem surprising, similar results should actually be expected, because the dominant mechanism for improvement derives from the BDD minimization in the inner for-loop of Line 1 in Procedure EFp. The only difference between reachability analysis (past tense EFp) and model checking eventualities (future tense EFp) is the substitution of Img computations for PreImg computations. We might expect some degradation, because we usually think of reachability don't cares in terms of PreImg computations, which routinely try to bring large numbers of unreachable states into the fixed point computations. This effect doesn't really occur in Img computations (all image states are by definition reachable), and could affect and limit the degree of speedup in cases when exact reachability analysis is tractable. However, the results show that ARDCs can definitely make the difference between tractability and intractability.

Table 3 shows the results of exact reachability analysis with ARDCs. In this table, Depth is the FSM depth of the design, #Latches is the number of latches in each design, #Reached is the number of reachable states, #ARDCs is the number of approximate unreachable states, #BddAr is the BDD size of the approximate reachable states, #BddEx is the BDD size of the exact reachable states, #BddPk is the peak BDD size during reachability analysis, Tarch is the time for computing the approximate reachable states, and Trch is the time for computing the exact reachable states. Here cps is as discussed above, and s1269, s3271 and s3330 are ISCAS89 FSM benchmarks.
The salient features of this table are illustrated in Figure 6. The data of Table 3 show speedups of almost a factor of 2 for cps and a factor of 3 for s1269. Reachability analysis was intractable for s3330 and s3271 within the available memory. So in the large circuits, the data for exact reachability analysis using ARDCs is quite analogous to the results for model checking with ARDCs. This was to be expected. However, in a separate investigation, it was found that by using non-standard BDD techniques in VIS (enabling variable reordering only after the partitioning step, which is not consistent with standard usage), s3330 could be traversed exactly. This emphasizes again the gross dependence of the quality of the results on the vagaries of dynamic reordering. It is clear that verification engineers need robust tools that do not require the user to fiddle combinatorially with all the options, parameters and operation sequences that are possible.

Figure 6. Accelerating Exact Reachability Analysis.

Comparison between MBM and FastMBM

Table 4 shows the comparison between MBM and FastMBM. In the table, Am2901 is a 4-bit ALU slice, Am2910 is a microprogram sequencer, soap is a model of a token-passing mutual exclusion algorithm for networks with arbitrary topology, and s5378, s13207, and s15850 are ISCAS89 FSM benchmarks. According to this table, FastMBM is up to 9X faster than MBM without losing much accuracy. There were accuracy degradations in only 2 designs (cps and s13207) out of 13. This speedup and the occasional accuracy degradation come from Line 7 in Procedure FastMBM, from using the RESTRICT operation instead of CONSTRAIN, and from enabling variable reordering during Line 6 in Procedure FastMBM. However, in some designs, FastMBM was slightly (less than 1.4X) slower than MBM. This might be because RESTRICT operations are not always faster than CONSTRAIN. In terms of peak BDD size, FastMBM mostly uses fewer peak BDD nodes than MBM, even when FastMBM loses in time. This is mainly because of

We have also experimented with TightMBM for all examples in Table 4. We got the reachable states (and time) by TightMBM as follows: 1.88265e+53 (3479.9 secs) in cps (43% decreased), 4.67157e+116 (2017.1 secs) in s13207 (48% decreased), 5.21505e+46 (113.1 secs) in s5378 (16% increased), and the rest got the same upper bound. However, as in s5378, this method may give a looser upper bound, because generalized cofactor operations depend on variable orders.

Forward vs. Backward Model Checking with ARDCs
We have implemented forward model checking as described by Iwashita [11, 10] to see the correlation between forward model checking and the use of don't cares in model checking, because they have in common that they try to avoid traversing unreachable states in the fixpoint computations of model checking. Forward model checking is based on forward state traversal, while backward model checking is based on backward state traversal. Table 5 compares the performance of forward model checking with that of backward model checking. In the methods of the table, ndc means not using don't cares, rdc means using exact don't cares, and ardc means using approximate don't cares.
The designs ethernet and production cell show this correlation clearly. The exact reachable states of the two designs are very small compared to their total state space. This means that most states of the designs are unreachable. Therefore, the forward model checking of the two designs is always very fast no matter what method was used. In the case of ethernet, the speed of forward model checking is the same as the best case of backward model checking, and it is even much faster than the best of backward model checking in production cell. However, forward model checking is much slower than backward in cps and exam1, and we observed this case in more designs not shown in this table. Therefore, forward model checking is not always faster than backward; however, according to our experiments forward model checking is the way to go when the exact reachable states are relatively small compared to the total state space, and ARDCs seem more important in backward model checking than in forward.
By using Iwashita's conversion method from future tense CTL formulas to his past tense forward operators such as FwdUntil and FwdGlobal, the first operation of all properties we have used was FwdUntil(init, true), which computes all states reachable from the initial states. This means that forward model checking is available only when reachability analysis is tractable, while ARDCs can be used regardless of reachability analysis.
Conclusions and Future Work
Our basic conclusion is that ARDCs pay their way for both reachability analysis and model checking. Although not a uniform win in every case, the data clearly show that for many medium circuits, ARDCs will be an outright winner, and that a package with ARDC capability will be significantly more robust than one without it. The experimental results presented strongly support our claim that ARDCs offer a safe and important way out of a serious dilemma: RDCs are necessary for tractable model checking of large circuits, but the computation of the RDCs themselves is often intractable. Throughout our experiments there has been a persistent and complex interplay between BDD reordering and minimization, and the deployment of ARDC techniques. The results show that our approach is convergent and gives good quality abstractions.
The absence of really large circuits from our data tables indicates that there is much more to be done before circuits with thousands of latches can be handled routinely. However, our results to date, both published and too raw to publish, show that very large circuits will require RDCs, and that exact RDCs will be too expensive for large circuits. Unfortunately, to address large problems, the verification and BDD packages have to be improved across the board, and not just with respect to model checking or reachability analysis.
Fortunately, there is still much room for improvement in ARDC technology. For example, in cases where the RDC computation is intractable, and yet the CTL formulas are strongly aided by the RDCs, we could combine ARDC-accelerated RDC computation with model checking for possible further improvements. There is much room left for improving the accuracy of the approximations. Approximations from different algorithms can be intersected to produce tighter upper bounds, and techniques like those of Warwukiewicz (Berkeley 1994, unpublished) and Govindaraju et al. [9] show that overlapping subsystems in the state space decomposition can be advantageous.
Another possibility is the cooperative deployment of other upper bounding techniques such as BDD subsetting methods [16], which constitute automatic abstraction methods that also have a significant impact on verification time and space requirements.
Also, despite the relative maturity of BDD dynamic reordering technology, we believe that new methods will emerge that will be necessary and productive for dealing with very large circuits. We foresee that decomposition and factorization methods will need to be incorporated into sifting and other ordering optimization strategies. We have yet to try static BDD orderings in which the BDD variables of the respective subsystems are non-interleaved. Similarly, CUDD supports group constrained sifting. This offers the possibility of significantly reducing reordering times (which are, quite consistently, the dominant component of the CPU consumption profile).
We also included the results of experiments which supported the hypothesis that ARDCs offer the same beneficial effects as converting CTL formulae from the future tense to the past tense. Our experiments show that in a mature system, both of these effects should be exploited.
