Efficient symbolic simulation based verification using the parametric form of boolean expressions (rev.) by Gopalakrishnan, Ganesh & Jain, Prabhat
EFFICIENT SYMBOLIC SIMULATION BASED VERIFICATION
USING THE PARAMETRIC FORM OF BOOLEAN EXPRESSIONS
PRABHAT JAIN¹
GANESH GOPALAKRISHNAN²
UUCS-91-023
Department of Computer Science
University of Utah
Salt Lake City, UT 84112, USA
(Revised version of December 6, 1991)
Abstract
We present several new techniques to make symbolic simulation based verification efficient. These
techniques hinge on the use of the parametric form of a boolean expression (e.g. the parametric form for the
boolean expression $x_0 \lor \lnot x_1$ is the equivalent expression $\exists a\, b .\ (x_0 = a \lor b) \land (x_1 = b)$, where $a$ and $b$ are the
parameters). We illustrate several uses of the parametric form that reduce the number of symbolic simulation
vectors as well as the time for symbolic simulation based verification. In the first technique, applicable to the
verification of non-regular designs, minimally instantiated symbolic simulation vectors are first generated,
and all these vectors are encoded into one vector using parametric variables. The second technique also
pertains to non-regular designs, and offers a way to compactly encode input constraints using the parametric
form during symbolic simulation. The third technique relates to the verification of regular arrays. It is shown
that many regular arrays require input constraints to be obeyed, and that these constraints can be encoded
using parametric variables. Experimental results are obtained using the COSMOS symbolic simulator, and
are used to compare the relative merits of the various techniques. In all the examples considered, the use
of the parametric form enhances the speed of the symbolic simulation process, mainly through a favorable
tradeoff between the number of simulation vectors (which are very much reduced) and the average number
of symbolic variables per vector (which go up only by a small amount).
Submitted to the IEEE Transactions on CAD, and a shorter version to DAC ’92
¹Supported in part by the University of Utah Graduate Research Fellowship
²Supported in part by NSF Award MIP-8902558
Formal Aspects of VLSI Research Group
University of Utah, Department of Computer Science
PRABHAT JAIN* (jain@cs.utah.edu)
GANESH GOPALAKRISHNAN† (ganesh@bliss.utah.edu)
University of Utah
Dept. of Computer Science
Salt Lake City, Utah 84112
Keywords: Symbolic Simulation, Formal Verification of VLSI, Regular Array Verification, Input Constraints, Parametric Boolean Expressions
1 Introduction
Most digital VLSI circuits are checked for correct operation through scalar valued simulation. 
In this approach, scalar bit vectors—vectors over 0 and 1—are used as inputs to the circuit being 
simulated. Most real-world circuits require an impractically large number of scalar vectors in order 
to check for all possible executions. Hence, scalar simulation alone is insufficient to verify a VLSI 
digital circuit.
Among the alternatives to scalar valued simulation, the first alternative is to employ symbolic
reasoning using theorem provers (e.g. [1, 14, 25]). We call this formal hardware verification using
theorem provers. The second alternative is to use boolean symbolic simulation (e.g. [2, 20]). We
call this symbolic simulation based verification. The third alternative called ternary simulation based
verification is also known [9].
*Supported in part by the University of Utah Graduate Research Fellowship.
†Supported in part by NSF Award MIP-8902558
In this paper, we present several new techniques to reduce the number of symbolic simulation 
vectors as well as the computation time for symbolic simulation based verification. These techniques 
hinge on the use of the parametric form of a boolean expression (defined formally in section 1.4). In 
section 1.1, we examine the strengths and weaknesses of formal hardware verification using theorem 
provers. In section 1.2, we discuss the strengths and weaknesses of boolean symbolic simulation based 
verification, and indicate areas of application where the efficiency of boolean symbolic simulation 
based verification is critical. In section 1.3, we discuss a way to combine the strengths of both these 
approaches and avoid many of their individual weaknesses. In section 1.4, we list our contributions, 
and in section 1.5, we provide an outline for the rest of this paper. We do not discuss ternary 
simulation based verification further in this paper.
1.1 Formal Verification using Theorem Provers
The use of theorem provers for formal hardware verification has numerous advantages over other 
approaches, namely the ability to conduct hierarchical verification, handle replicated structures, 
verify generic modules, and even verify synthesis procedures [17]. Some of the disadvantages of 
theorem provers include the required human expertise to operate most theorem provers effectively, 
and more importantly, for the purpose of this paper, the inability to model switch-level behavior in 
the underlying logic of a theorem prover. The latter point is now elaborated.
Formal verification of a module using a theorem prover consists of verifying an implementation 
of the module in terms of an interconnection of simpler modules with their associated behavioral 
descriptions (called a structural description) against the desired behavior (the behavioral description). 
At the leaf level of a structural hierarchy, we have only behavioral descriptions (e.g. the behavior of 
a Nand gate). The behavior of leaf-level modules is realized directly in terms of primitive circuits 
(e.g. a Nand gate circuit).
Designers often overlook possible interactions among the circuit modules that constitute a design. 
This can cause the behaviors of the individual circuit elements $C_i$ to be altered due to second order
effects such as charge sharing, alteration of the pull-up/pull-down ratios, etc. In other words, the
behavior of a primitive circuit $C_i$ in isolation is not preserved when the $C_i$ are interconnected
according to the structural description. These kinds of errors are more common in circuits fabricated using
emerging high-performance technologies. Most low-level interactions can be avoided by adequately 
buffering the circuit outputs at all levels of the structural hierarchy, and also by relying on gate-style 
logic instead of pass-transistor logic. These solutions are, however, not always possible due to con­
straints on the circuit design style (e.g. precharged logic), or desirable (e.g. increased circuit area- 
and time-overheads).
One solution is to model switch-level structures using suitable gate-level abstractions, and then
capture the gate networks formally in the underlying logic of theorem provers. However, finding 
gate-level abstractions for switch-level structures is an error-prone process [7].
Another plausible solution is to consider transistors as the only primitive, and base formal descrip­
tions of transistors on models such as described in [16, 33, 29]. The main feature of these models is 
that the behavior of a transistor is captured in a process algebra, or directly in logic. Such descrip­
tions are more amenable to formal manipulation. This approach is, however, not currently viable 
because formal models for transistors are not developed sufficiently to be used in practical tools.
1.2 Boolean Symbolic Simulation based Verification
In the boolean symbolic simulation approach, the circuit’s state elements are loaded with variables
such as $x$, $y$, etc., and symbolic inputs (e.g., $i_0, i_1, \ldots$) are applied to the circuit inputs to obtain
symbolic responses for the outputs and the next-state (e.g., $add(x, i_1)$). These responses are then
checked against the expected responses for boolean equivalence. Boolean symbolic simulation has 
long been thought to be impractical because of the exponential cost associated with most boolean 
reasoning problems. Recently, however, there has been growing awareness of the practicality of 
boolean reasoning methods amongst hardware designers, largely due to the work of Bryant [6]. One 
example of a simulation tool that embodies these ideas is the COSMOS symbolic simulator [11]. This 
simulator has the ability to automatically analyze transistor level circuits and create Binary Decision 
Diagram graphs representing their next-state functions, and also has the ability to efficiently perform 
boolean reasoning about these graphs. It also has the ability to conduct ternary simulation using 
ternary values (0, 1, and X), or symbolic simulation, using boolean expressions over a finite number
Modern boolean symbolic simulators employ detailed enough transistor models so that they can 
verify circuits taking into account low-level effects such as poor ratioing, charge sharing, etc. They 
are based on propositional logic, and hence require (relative to theorem provers) very little human 
expertise or intervention for their effective operation. In [9, 2, 8], it is shown that a symbolic 
simulator can be used to verify (check for all possible executions) many non-trivial circuits. We have
The main drawback of symbolic simulation based verification as compared to theorem proving is 
that it does not support hierarchical verification, or the verification of parameterized designs. It also 
does not support the convenience of high level data types that hardware verifiers based on theorem 
provers do. These disadvantages can be overcome by suitably combining the theorem proving and
The efficiency of boolean symbolic simulation based verification is critical in many applications. 
Consider the verification of certain regular arrays, for example. Normally, one would hope that the 
cells of the regular array do not interact with one another; if this were so, one could verify the 
whole regular array as follows: (1) verify that the switch-level behavior of a cell matches its high
level behavioral description; (2) verify that the behavior of the regular array matches its abstract 
behavioral description (i.e. a behavioral description that is written independent of its structural 
organization); normally, this proof is carried out through induction over the array structure. If, 
however, the cells of the regular array were to interact with one another on a more “global basis” 
(e.g. through the use of precharged busses running throughout the array, through pass-transistor 
chains running over the length of the whole array, etc.), then second-order effects come into play, and 
designers are usually satisfied only by verifying the whole array at the switch level. In such cases, 
the efficiency of symbolic simulation based verification is critical. One way to provide this needed 
efficiency is through the use of parametric forms, as discussed in the remainder of this paper.
1.3 Our Approach
The approach suggested in this paper is: (1) use theorem provers for high-level verification; (2) use 
symbolic switch-level simulators such as COSMOS for switch-level verification; (3) enhance the effi­
ciency of switch-level verification using the techniques presented in this paper.
Combining verification and simulation has been studied in the past (e.g. [28]). Our goal is to
integrate the approach used by Bryant et al. [9, 2, 8, 10, 12, 30] to operate in the framework of a
simple hardware specification formalism called HOP [23, 22, 21] that we have been developing. In
[30], a related technique to combine verification using the COSMOS simulator and the higher order 
logic (HOL) verification system is reported. The work of [30] is based on the logic introduced in 
[13]. In this paper, however, we focus on developing techniques to make symbolic simulation based 
verification efficient.
1.4 Contributions of this Paper
We present several techniques to make symbolic simulation based verification efficient. All our
techniques hinge on the use of parametric forms of boolean expressions in generating symbolic
simulation vectors. The conversion to, and the use of, parametric forms of boolean expressions has been
discussed in [5] (which provides a short historical survey) and [15]. Parametric forms have also been
used in [3] for the verification of finite state machines. Algorithms to construct the parametric form
of a boolean expression are discussed in [4]. The use of parametric expressions to
make symbolic simulation based verification efficient is believed to be new.
In all the examples we have tried, the use of the parametric form enhanced the speed of the symbolic
simulation process, mainly through a favorable tradeoff between the number of simulation vectors
(which is very much reduced) and the average number of symbolic variables per vector (which goes
up only by a small amount).
A general definition of the parametric form is now given. Given any boolean expression $E$ involving
$N$ boolean variables $v_0, \ldots, v_{N-1}$, let $\#satset(E)$ denote the cardinality of the satisfying set of $E$.
A parametric form for $E$ using $\log_2(\#satset(E))$ parameters $p_0, \ldots, p_{\log_2(E)-1}$, which is logically
equivalent to $E$, can be written as

$$E = (\exists\, p_0, \ldots, p_{\log_2(E)-1} \,.\ (v_0 = PE_0) \land \cdots \land (v_{N-1} = PE_{N-1}))$$

where $PE_i$ are parametric expressions over $p_0, \ldots, p_{\log_2(E)-1}$. For example, the parametric form for
the boolean expression $x_0 \lor \lnot x_1$ is $\exists a\, b .\ (x_0 = a \lor b) \land (x_1 = b)$, where $a$ and $b$ are the parameters.
We have actually developed a class of techniques based on the parametric form. The most
frequently used technique is to encode input constraints, which is now explained through an example
(used in section 3 also). This example considers a circuit having six input ports in0 through in5.
The input vector applied to these inputs is required to be unary. These inputs are members of the
satisfying set of

$$\begin{aligned}
& \mathit{in0} \land \lnot \mathit{in1} \land \lnot \mathit{in2} \land \lnot \mathit{in3} \land \lnot \mathit{in4} \land \lnot \mathit{in5} \ \lor \\
& \lnot \mathit{in0} \land \mathit{in1} \land \lnot \mathit{in2} \land \lnot \mathit{in3} \land \lnot \mathit{in4} \land \lnot \mathit{in5} \ \lor \\
& \ldots \ \lor \\
& \lnot \mathit{in0} \land \lnot \mathit{in1} \land \lnot \mathit{in2} \land \lnot \mathit{in3} \land \lnot \mathit{in4} \land \mathit{in5}
\end{aligned}$$

This requirement can be captured by generating the parametric form

$$\begin{aligned}
\exists a\, b\, c .\ & \mathit{in0} = (\lnot a \land \lnot b \land \lnot c) \land \mathit{in1} = (\lnot a \land \lnot b \land c) \land \mathit{in2} = (\lnot a \land b \land \lnot c) \\
& \land\ \mathit{in3} = (\lnot a \land b \land c) \land \mathit{in4} = (a \land \lnot b \land \lnot c) \land \mathit{in5} = ((a \land b) \lor (a \land c))
\end{aligned} \qquad (1)$$

This parametric form can be arrived at, for example, through the following steps: (1) write the eight
minterms over the $\lceil \log_2(6) \rceil = 3$ variables $a$, $b$ and $c$ in some order—call these minterms $t_0, \ldots, t_7$;
(2) associate with $t_i$, $0 \le i \le 5$, the $i$th desired combinations of the inputs in0, ..., in5 (call these
combinations $in_i$, $0 \le i \le 5$); (3) associate with $t_i$, $6 \le i \le 7$, any of the combinations $in_i$, $0 \le i \le 5$;
(4) construct the boolean expressions for the inputs in0, ..., in5.
In the above example, we associated the first six minterms in the standard binary counting order 
with the desired input combinations, and then associated the seventh and the eighth minterm with 
the sixth input combination. It can be seen that the parametric form for an expression is not unique. 
Finding out the parametric form that best suits the task at hand is still an open problem. For the 
examples in this paper, however, the required parametric form could easily be generated by hand.
The reasoning that led to our discovery of the use of the parametric form in the context of 
simulation based verification can be summarized by referring to equation 1. From this equation, 
it can be seen that the parametric form of the equation defines boolean expressions that can serve 
as inputs for the input ports in0, ..., in5. Carrying out one symbolic simulation step using these
expressions as the inputs (e.g. $(\lnot a \land \lnot b \land \lnot c)$ for input in0, and so on for the other inputs) is
tantamount to simulating the circuit for all the distinct unary patterns, all at once. Starting with 
this observation, we have discovered other uses of the parametric form also; they will be discussed 
under the various techniques presented in this paper.
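The four construction steps above can be carried out mechanically for any satisfying set. The following Python sketch is an added example, not code from the paper; the function names and the `spare` argument (which combination the leftover minterms reuse) are assumptions made here. It rebuilds equation 1 for the six-input unary constraint and checks that the vectors reachable over all parameter values are exactly the satisfying set.

```python
from itertools import product


def parametric_form(combos, spare=-1):
    """Steps (1)-(4): pair minterms over k parameters with the allowed
    input combinations; leftover minterms reuse combos[spare]."""
    n = len(combos)
    k = max(1, (n - 1).bit_length())            # ceil(log2(n)) parameters
    minterms = list(product((0, 1), repeat=k))  # step 1: binary counting order
    chosen = [combos[i] if i < n else combos[spare]   # steps 2 and 3
              for i in range(len(minterms))]
    width = len(combos[0])
    # Step 4: input j is the OR of the minterms whose combination sets bit j.
    on_sets = [frozenset(t for t, c in zip(minterms, chosen) if c[j])
               for j in range(width)]
    return k, on_sets


def image(k, on_sets):
    """All input vectors produced as the parameters range over 0/1."""
    return {tuple(int(t in s) for s in on_sets)
            for t in product((0, 1), repeat=k)}


def render(on_set, params):
    """Sum-of-minterms text for one input, e.g. '(~a & ~b & c)'."""
    if not on_set:
        return "0"
    return " | ".join(
        "(" + " & ".join(p if bit else "~" + p for p, bit in zip(params, t)) + ")"
        for t in sorted(on_set))


def unary_combos(n):
    """The n one-hot vectors over n inputs, in0 hot first."""
    return [tuple(int(i == j) for j in range(n)) for i in range(n)]


# Equation 1 as printed in the text, one predicate per input in0..in5.
EQUATION_1 = [
    lambda a, b, c: not a and not b and not c,
    lambda a, b, c: not a and not b and c,
    lambda a, b, c: not a and b and not c,
    lambda a, b, c: not a and b and c,
    lambda a, b, c: a and not b and not c,
    lambda a, b, c: (a and b) or (a and c),
]


def matches_equation_1():
    """True if the constructed on-sets agree with equation 1 everywhere."""
    k, on_sets = parametric_form(unary_combos(6))
    return all(bool(f(*t)) == (t in on_sets[j])
               for j, f in enumerate(EQUATION_1)
               for t in product((0, 1), repeat=k))


if __name__ == "__main__":
    k, on_sets = parametric_form(unary_combos(6))
    for j, s in enumerate(on_sets):
        print(f"in{j} = {render(s, 'abc')}")
    print("image == unary set:", image(k, on_sets) == set(unary_combos(6)))
    print("agrees with equation 1:", matches_equation_1())
```

Calling `parametric_form([(0, 0), (1, 1), (1, 0)], spare=1)` on the satisfying set of $x_0 \lor \lnot x_1$ yields $x_0 = a \lor b$ and $x_1 = b$, the form quoted in the text; other orderings give different but equally valid forms.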
Efficient construction of the parametric form of a boolean expression is an interesting problem by 
itself. Arguments in [4], and our own reasoning lead us to believe that the worst-case complexity can 
be exponential. For all the examples we have tried, the construction has been quite easy, and could 
be accomplished by hand. In section 2.4, we provide a discussion on some promising directions for 
future research in generating parametric expressions efficiently.
1.5 Outline for the rest of the Paper
Below, we provide an overview of each of the techniques discussed in this paper, and indicate the
section of the paper in which they are detailed.
Technique 1: Composing Minimally Instantiated Vectors
In section 2, we take a simple example that was also studied in [20], called ‘Minmax’. In [20], we
approached the verification of Minmax by enumerating minimally instantiated symbolic simulation
vectors. This idea is now explained.
One straight-forward way to minimize the number of symbolic vectors is by loading the bits of the
system’s state elements with distinct boolean variables, and also using distinct boolean variables at
all the inputs of the circuit. This approach does not work in practice, due to several reasons. First
of all, keeping states and inputs at their most general forms by using un-instantiated vectors is an
attempt to verify that a circuit operates correctly for all possible states and inputs. Most real-world
circuits do not operate as desired for all possible states and inputs. For example, an R/S flip-flop
does not operate meaningfully if its $Q$ and $\overline{Q}$ state bits are set to distinct boolean variables, because
this also encodes the condition that $Q$ and $\overline{Q}$ are the same. The same is true if the $R$ and $S$ inputs
are kept fully symbolic: the situation $R = S$ must be avoided. Thus, one needs to instantiate the
symbolic state and input vectors to the right degree so that the circuits obey the state and input 
constraints that the designers have assumed for their correct operation. We refer to these vectors as 
minimally instantiated symbolic simulation vectors.
In this paper, we redo the Minmax example by first obtaining the same set of minimally
instantiated vectors as used in [20], but then we go on to encode all these vectors into one vector, by
using $\lceil \log_2(N) \rceil$ parametric boolean variables, where $N$ is the total number of minimally instantiated
vectors. We find that the simulation time drops by doing so.
Technique 2: Input Constraint Handling for Non-regular Designs
In section 3, we present a technique for handling input constraints of a non-regular design. We
take a Huffman encoder as an example. Two variations of this technique were explored:
Technique 2(a) Classify the simulation vectors based on the length of the Huffman codes for the
various characters handled by the encoder, and for each such class develop encodings based on
parametric variables; this is reported in section 3.1;
Technique 2(b) Use one symbolic simulation vector, independent of the size of the encoder (i.e.,
the number of characters encoded)—this is discussed in section 3.3.
Both the techniques reduce the effort involved in simulation based verification significantly.
Technique 3: Input Constraint Handling for Regular Designs
In section 4, we study the problem of verifying regular array designs through symbolic simulation.
Two different techniques have been studied in this connection:
Technique 3(a) Encode the input constraints using parametric boolean variables; we show that
this technique offers significant speed-ups as the size of the regular array goes up. This is
discussed in section 4.1.
Technique 3(b) This technique can be applied to any array circuit that obeys the following
property: the symbolic response $R$ produced by the array for the most general set of inputs—i.e.
all distinct boolean variables $v_i$—must be such that the response for any specific set of inputs
$E_i$ can be obtained by instantiating $R$ with the substitution $E_i/v_i$ (“$E_i$ for $v_i$”). In other
words, the response must not degenerate to all “undefined” ($X$ values) if an attempt is made
to simulate the array for the most general inputs.
An example of a circuit that cannot be simulated using this technique is a memory array, for
the read operation. If this array is provided with a decoded address input that is in its most
general form, an attempt would be made to read every location of the array simultaneously. 
This will typically result in a conflict of values on the “column wires” of the array, and the final 
output data read would have an X  value for every column wire on which a conflict exists. This 
makes it impossible to tell whether the array is functioning as required for its legal inputs.
For those arrays where this technique can be applied, verification is carried out as follows. 
Instead of applying parametric expressions that encode input constraints, we apply distinct 
boolean variables at the circuit inputs, obtaining the symbolic next-state and output expres­
sions, and then specializing these expressions in accordance with the input constraints. This is 
discussed in section 4.3.
These techniques are illustrated on the regular array design of the least recently used (LRU) algo­
rithm.
2 Technique 1: Composing Minimally Instantiated Vectors
This technique is illustrated on the Minmax example. In section 2.1, we briefly summarize
our results from [20] and show how minimally instantiated simulation vectors can be obtained for
Minmax. In section 2.2, we discuss how these vectors can be composed to obtain one symbolic
simulation vector.
Figure 1: Schematic of Minmax
2.1 Minimally Instantiated Simulation Vectors for Minmax
Minmax [32] (figure 1) has three registers, MAXI, MINI, and LASTIN. It implements five operations,
Iclr_en, Iclr_dis, Idis, Ireset, and Ien. Operation Iclr_en generates an output of 0, in
addition to acquiring the input and storing it in register LASTIN. Iclr_dis generates an output of 0
without reading the current input. Idis makes the value of LASTIN appear on the output. Ireset
reads the current input and stores it in LASTIN, MAXI and MINI registers. Finally, Ien reads the
current input, updates MAXI and MINI with the (running) maximum value so far, and the minimum
value so far, respectively. It also causes an output equal to the average of the max-so-far and
min-so-far to be produced on the output port !OUT.
We first wrote the specification of the desired behavior of Minmax in our hardware description 
language, HOP [23, 24]. This specification is called MINMAX. We then wrote the behavioral specifi­
cations for its submodules, and a structural description corresponding to figure 1, also in HOP. We 
then submitted the structural description to PARCOMP, which is a procedure to derive a behavioral
5. Operation Ien
There are three cases for Ien based on the condition ‘‘guards’’.
Consider them one by one.
5(a). Ien, case (> IN MAXI)
Initialize state
LS = [LS3, LS2, LS1, LS0]
MAXI = [MAXI3, MAXI2, MAXI1, MAXI0]
MINI = [MINI3, MINI2, MINI1, MINI0]
MS = [MS3, MS2, MS1, MS0]
Apply inputs
{ IEN, IPHIA, IN = ?IN, where IN = [IN3, IN2, IN1, IN0],
Such that (> IN MAXI) }
Stabilize
Observe !OUT = [MS3, MS2, MS1, MS0]
Apply inputs { IPHIB } and stabilize
Observe
!OUT = (SHIFT (+ IN MINI))
LS = [IN3, IN2, IN1, IN0]
MAXI = [IN3, IN2, IN1, IN0]
MINI = [MINI3, MINI2, MINI1, MINI0]
MS = (SHIFT (+ IN MINI))
Case 5(b). Ien, case (> MINI IN)
This case is similar to that of 5(a). Provided below only for sake of
completeness. Simulation vector generation not illustrated on 5(b).
Figure 2: Transition Assertions of Minmax for operation Ien - 5(a),(b)
description from the given structural description [23, 24]. The output of PARCOMP is a specification
of the next-state and output of the system for each of its operations, and for each of the sub-cases
within these operations. In figure 2, we show the inferred behavior for two sub-cases that arise within
the Ien operation. The third sub-case is not shown.
The derived behavior fragments (such as shown in figure 2) for all the Minmax operations,
collectively called MM_IABS, were proved to be equivalent to MINMAX using theorem proving techniques
[18]. In the process, we discovered that the contents of the MAXI register will always be greater than
or equal to that of the MINI register. This fact is, indeed, exploited by the designer of the Minmax
system at the circuit level. Therefore, it is mandatory that every simulation of the Minmax system
must use state values that obey this condition. This condition is known as a circuit invariant. We
then generated minimally instantiated vectors for each fragment of MM_IABS. Let us consider the case
5(a) shown in figure 2. The other cases are similar.
2.1.1 Using Prolog to Generate Minimally Instantiated Vectors
In order to generate minimally instantiated vectors for this case, we used the Prolog programming
language. Given a condition to be satisfied (written as a Prolog program), it is possible to enumerate
the satisfying set of the condition using a Prolog interpreter. For example, given two unsigned
bit-vectors of equal length, the following program can enumerate bit-vector pairs such that their
magnitudes satisfy the relation “less than” (lt).
% The first vector is smaller as soon as the leading bits are 0 and 1.
enum(lt([X|Xs], [Y|Ys])) :- bit_lt(X,Y).
% Otherwise the leading bits are equal, so compare the remaining bits.
enum(lt([X|Xs], [X|Ys])) :- enum(lt(Xs,Ys)).
bit_lt(0,1).
Prolog, by nature, finds minimal instantiations. Therefore, given the query shown in the first line
below (“generate all minimal instantiations of [A1,A0] that are less than [B1,B0]”), the answers
that follow the query will be generated.
enum(lt([A1,A0],[B1,B0]))
gives
lt([0,A0],[1,B0])
lt([0,0],[0,1])
lt([1,0],[1,1])
2.1.2 Minimally Instantiated Vectors for case 5(a)
Ideally, we would like to simulate case 5(a) keeping the vectors IN, MINI, and MAXI fully symbolic. 
As discussed in [20], this is not possible for two reasons. Firstly, the circuit invariant will be violated.
Secondly, even if the circuit invariant is not violated, simulating the various data dependent
conditional branches all at once will cause the system to end up in a class of states that is not intuitive
to characterize. For example, if all the different instructions of a microprocessor are symbolically 
simulated all at once, it is not possible to intuitively characterize the state attained by (say) the 
overflow flag.
Thus, we generate symbolic simulation vectors for each condition of a data dependent conditional 
branch, augmented with the circuit invariant:





(MAXI >= MINI)   comment: circuit invariant
/\
(IN > MAXI)      comment: branch condition
This generates sixteen symbolic vectors, some of which are shown below:
MINI_0 = [0,0,MINI1,MINI0], IN_0 = [1,IN2,IN1,IN0], MAXI_0 = [0,1,MAXI1,MAXI0]
MINI_1 = [0,MINI2,0,MINI0], IN_1 = [1,IN2,IN1,IN0], MAXI_1 = [0,MINI2,1,MAXI0]
MINI_2 = [0,MINI2,MINI1,0], IN_2 = [1,IN2,IN1,IN0], MAXI_2 = [0,MINI2,MINI1,1]
MINI_15 = [IN3,IN2,IN1,0], IN_15 = [IN3,IN2,IN1,1], MAXI_15 = [IN3,IN2,IN1,0]
Here, MINI_i represents the ith vector to be loaded into the register MINI, and so on for the other
vectors. Verification time using this approach is listed in figure 5 under circuit name Minmax4 and
the heading “minimal instantiation”. Run times in seconds of user time under Unix¹, running on a
SUN workstation Sparc IPC with 24 megabytes of memory (all measurements reported in this paper
are under these conditions, unless stated otherwise) for the cases (IN > MAXI) and (MINI < IN <
MAXI) are both listed.
2.2 Combining the Minimally Instantiated Vectors
A better technique is now reported: instead of simulating the sixteen vectors separately,
encode them into one vector, using four (i.e., $\lceil \log_2(Nvecs) \rceil$) parametric boolean variables, where
$Nvecs = 16$ is the number of vectors obtained in the previous section. The encoding technique is the
following (we show the technique on MINI; the vectors for IN and MAXI are similarly encoded). Let
$y_0, \ldots, y_{Nvecs-1}$ be the minterms over the parametric variables. Let MINI_i_j be the symbolic value
for vector MINI_i, bit position j, where $0 \le j \le 3$. For example, MINI_2_3 = 0; MINI_2_2 = MINI2;
MINI_15_1 = IN1, and so on. We encode MINI_0, ..., MINI_15 and obtain one vector MINI:

$$\mathtt{MINI} = \Big[\ \sum_{i=0}^{15} \mathtt{MINI\_i\_3} \land y_i,\ \ \sum_{i=0}^{15} \mathtt{MINI\_i\_2} \land y_i,\ \ \sum_{i=0}^{15} \mathtt{MINI\_i\_1} \land y_i,\ \ \sum_{i=0}^{15} \mathtt{MINI\_i\_0} \land y_i\ \Big]$$

where $\sum$ denotes logical or. Verification time using this approach is listed in figure 5 under the
heading “Composed Vectors”.
¹Unix is a trademark of AT&T.
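The composition above can be checked exhaustively on the small "less than" relation of section 2.1.1. The Python sketch below is an added example, not code from the paper; all function and variable names (`E*`, `p*`, `pad_spare`) are assumptions made here. It composes the three answers listed for the two-bit query, generalizes the enumeration to any width (sharing one variable for equal leading bits instead of enumerating 0 and 1), and shows the case the sixteen-vector example never meets: when the vector count is not a power of two, a spare minterm left unassigned makes the plain OR evaluate to all zeros, which violates the constraint.

```python
from itertools import product

# The three answers printed in the text for enum(lt([A1,A0],[B1,B0])),
# flattened as A bits then B bits (msb first). Bits are 0, 1 or a variable name.
PAGE_ANSWERS = [[0, "A0", 1, "B0"], [0, 0, 0, 1], [1, 0, 1, 1]]


def minimal_lt_vectors(width):
    """One vector per position of the first differing bit: A has 0 there,
    B has 1, equal leading bits share a variable, trailing bits stay free."""
    vecs = []
    for i in range(width):
        shared = [f"E{width - 1 - j}" for j in range(i)]
        a = shared + [0] + [f"A{width - 1 - j}" for j in range(i + 1, width)]
        b = shared + [1] + [f"B{width - 1 - j}" for j in range(i + 1, width)]
        vecs.append(a + b)
    return vecs


def compose(vectors, pad_spare=True):
    """Bit j of the composed vector is OR_i (y_i AND V_i_j), stored as a table
    from minterm y_i to the symbolic bit V_i_j."""
    n = len(vectors)
    k = max(1, (n - 1).bit_length())           # ceil(log2(n)) parameters
    params = [f"p{i}" for i in range(k)]
    minterms = list(product((0, 1), repeat=k))
    zero = [0] * len(vectors[0])   # what the plain OR yields for an unused minterm
    chosen = [vectors[i] if i < n else (vectors[-1] if pad_spare else zero)
              for i in range(len(minterms))]
    bits = [{y: v[j] for y, v in zip(minterms, chosen)}
            for j in range(len(vectors[0]))]
    return params, bits


def covered_pairs(vectors, width, pad_spare=True):
    """Every (A, B) the composed vector can take over all variable values."""
    params, bits = compose(vectors, pad_spare)
    free = sorted({s for v in vectors for s in v if isinstance(s, str)})
    names = params + free
    pairs = set()
    for values in product((0, 1), repeat=len(names)):
        env = dict(zip(names, values))
        y = tuple(env[p] for p in params)
        out = [env[t[y]] if isinstance(t[y], str) else t[y] for t in bits]
        a_val = int("".join(map(str, out[:width])), 2)
        b_val = int("".join(map(str, out[width:])), 2)
        pairs.add((a_val, b_val))
    return pairs


def all_lt_pairs(width):
    """Reference set: every (A, B) of the given width with A < B."""
    return {(a, b) for a in range(2 ** width) for b in range(2 ** width) if a < b}


if __name__ == "__main__":
    print("page answers cover exactly A < B:",
          covered_pairs(PAGE_ANSWERS, 2) == all_lt_pairs(2))
    print("spare minterm left unassigned admits (0, 0):",
          (0, 0) in covered_pairs(PAGE_ANSWERS, 2, pad_spare=False))
    for w in (2, 3, 4):
        vecs = minimal_lt_vectors(w)
        print(w, "bits:", len(vecs), "vectors,", len(compose(vecs)[0]),
              "parameters, exact:", covered_pairs(vecs, w) == all_lt_pairs(w))
```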
2.3 Summary of Steps for Technique 1
The steps required to carry out technique 1 are:
1. Write routines to enumerate minimally instantiated vectors, as discussed above. In general,
one such set of vectors, I, will be generated for the inputs of the circuit, and another set of
vectors, S, will be generated for the initial state of the circuit.
2. Encode the set of vectors I into one vector enc(I) using the parametric form. Similarly, encode
S into enc(S).
3. Load the circuit description into COSMOS.
4. Initialize the circuit into the symbolic state enc(S), and apply the single symbolic input enc(I).
5. Take the circuit through as many cycles as necessary in order to produce the circuit responses.
Note the circuit responses.
6. Obtain the expected circuit responses as follows. First infer the behavior using PARCOMP.
This inferred behavior will consist of the expected next-state and expected outputs, in the form
of symbolic expressions. These symbolic expressions will contain the circuit inputs I and state
variables S as free variables. Substitute enc(I) for I and enc(S) for S.
7. Verify that the simulation of the circuit under COSMOS produces the same responses as the
expected responses computed through PARCOMP (obtained in step 6).
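The encoding of step 2, as an added example that is not code from the paper or from COSMOS: a set of minimally instantiated vectors is composed into one vector with bit j = OR over i of (vector_i[j] AND y_i), and the result is checked to range over exactly the intended set. The three vectors (for a 3-bit A > B), the variable names and the truth-table representation used in place of BDDs are assumptions of this sketch; it also goes beyond the sixteen-vector case in the text by handling a vector count that is not a power of two.

```python
# Constructed example: minimally instantiated vectors for 3-bit A > B.
# Bit layout of every vector: [A2, A1, A0, B2, B1, B0]; an entry is a constant
# 0/1 or the name of a symbolic variable (names are assumptions of this example).
DATA_VARS = ["a2", "a1", "a0", "b1", "b0"]
VECTORS = [
    [1,    "a1", "a0", 0,    "b1", "b0"],   # A2 > B2
    ["a2", 1,    "a0", "a2", 0,    "b0"],   # A2 = B2, A1 > B1
    ["a2", "a1", 1,    "a2", "a1", 0],      # A2 = B2, A1 = B1, A0 > B0
]


def truth_tables(names):
    """Map each name (and the constants 0 and 1) to a truth-table bitmask.

    Bit r of a mask is the function's value under assignment r, where
    variable k takes the value of bit k of r.
    """
    rows = 1 << len(names)
    ones = (1 << rows) - 1
    tab = {0: 0, 1: ones}
    for k, name in enumerate(names):
        tab[name] = sum(1 << r for r in range(rows) if (r >> k) & 1)
    return rows, ones, tab


def encode(vectors, data_vars, fold=True):
    """Compose the vectors into one: bit j = OR_i (vectors[i][j] AND y_i)."""
    n = len(vectors)
    m = max(1, (n - 1).bit_length())            # ceil(log2(n)) parameters
    params = [f"p{k}" for k in range(m)]
    rows, ones, tab = truth_tables(list(data_vars) + params)

    def minterm(i):
        y = ones
        for k, p in enumerate(params):
            y &= tab[p] if (i >> k) & 1 else ones ^ tab[p]
        return y

    select = [minterm(i) for i in range(n)]
    if fold:
        # With n not a power of two, the spare minterms would select nothing
        # and yield the all-zero vector; map them onto the last vector instead.
        for i in range(n, 1 << m):
            select[-1] |= minterm(i)

    encoded = [0] * len(vectors[0])
    for vec, y in zip(vectors, select):
        for j, entry in enumerate(vec):
            encoded[j] |= tab[entry] & y
    return encoded, rows, params


def image(encoded, rows):
    """Every concrete vector the encoded vector can take, over all assignments."""
    return {tuple((f >> r) & 1 for f in encoded) for r in range(rows)}


def greater_than(width=3):
    """Reference set: all (A, B) bit tuples, MSB first, with A > B."""
    def bits(x):
        return tuple((x >> k) & 1 for k in reversed(range(width)))
    return {bits(a) + bits(b) for a in range(1 << width) for b in range(a)}


if __name__ == "__main__":
    enc, rows, params = encode(VECTORS, DATA_VARS)
    print("parameters:", params)
    print("covers exactly A > B:", image(enc, rows) == greater_than())
```

With `fold=False` the unused fourth minterm produces the all-zero vector, which lies outside the constraint, so the composed vector would exercise the circuit on an input the minimally instantiated set never contained.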
2.4 Discussion
As a general rule, we have observed that reducing the number of symbolic simulation vectors
reduces the simulation time, even if it increases the number of variables in each of the vectors. The
exact tradeoffs may, in general, depend on the example. Nevertheless, the technique of composing
symbolic simulation vectors using parametric boolean variables is an attractive alternative for
reducing the total simulation time.
In our present example, it was not possible to obtain one symbolic simulation vector naively, as
discussed in section 2.1.2. However, using the parametric form, we have been able to get back one
symbolic simulation vector, that also takes into account the circuit invariants as well as the ability
to separately specify the next states for each condition of the conditional branch. The verification
time also drops by doing so.
In [19], we have shown that the number of minimally instantiated simulation vectors for Minmax
grows very nearly proportional to N^2, where N is the width of the internal datapath of Minmax.
The average number of symbolic variables per simulation vector grows roughly as O(N). (The exact
distribution of the number of symbolic variables over the vectors was highly unstructured; however,
O(N) seems reasonably accurate.)
To encode these initial vectors into one encoded vector using the parametric form, we require
log2(N^2) = O(log(N)) additional (parametric) variables. Thus, we have a tradeoff:
1. O(N^2) initial vectors, with each bit-position of the initial vector being a single boolean variable
or a constant, and each initial vector using (on the average) O(N) symbolic variables, vs.
2. one encoded symbolic vector, comprised of O(N + log(N)) ≈ O(N) symbolic variables, with
each bit position of the encoded vector being a fairly large boolean expression over these
variables (given in section 2.2).
The second alternative works better in practice. We explain the result by noting that the marginal
increase in the number of symbolic variables (by a log(N) factor) can, in the worst case (i.e. assuming
that the BDD manipulation routines in COSMOS run in exponential time), only have a factor of
2^log2(N) = N impact on the execution time, which is offset by the reduction in the number of vectors
from N to 1. Thus, ignoring the growth in the complexity of the symbolic expressions that are fed
as input to the circuit, the simulation time should improve (since BDD manipulation runs in better
than exponential time often), or, in the worst case, stay the same.
One problem that we can readily see with technique 1 is the necessity to first generate minimally 
instantiated vectors and then to encode them. It may actually be more efficient to represent the 
satisfying sets of formulae such as (A R B), where A and B are bit-vectors of equal length and
R is a relational operator on bit-vectors, directly in the parametric form. This will avoid having
to first generate minimally instantiated vectors and then to encode them. For example, in the
Minmax circuit, vectors corresponding to the condition (MAXI > MINI) ∧ (IN > MAXI) can be
generated if parametric forms for the conjuncts can be individually arrived at; the conjunction itself 
can be realized by sharing the variables among the conjuncts. Expected advantages of this approach 
include reduced time to generate the parametric form, the ability to systematically handle frequently 
occurring relational operators, and the ability to generate the parametric form for relational operators 
of arbitrary arity. We are in the process of investigating this technique.
3 Technique 2: Input Constraint Handling for Non-regular Designs
In this section, we illustrate our technique to handle input constraints of non-regular designs using 
the Huffman Encoder circuit for six character inputs, shown in Figure 3.
Figure 3: Huffman Encoder circuit for six characters
Inputs to the Huffman encoder circuit are presented in unary form, i.e., only one of the character
inputs is 1 at a time. The Huffman codes for the characters are based on the frequency of occurrence
of these characters and this encoding is implemented in the form of a tree of OR gates. Outputs
of the tree of OR gates form the inputs of the data register [d3, d2, d1, d0] and the sentinel register
[s3, s2, s1, s0]. The sentinel register indicates which data-register bits are valid. For example, if the
Huffman code for a character is [1, 0], the OR tree would generate [1, 0, 0, 0] for the data register and
[1, 1, 0, 0] for the sentinel register. The bits of the data register corresponding to the 0 bits of the
sentinel register are actually don’t cares.
In control state (CS) 0, the data and sentinel registers are loaded with the outputs of the OR
tree; when signal go is 1, the values of the data and sentinel registers are shifted left until the sentinel
register shifts out a zero. In Figure 3, the inputs in0, in1, in2, in3, in4, and in5, which represent
five distinct characters, are encoded as 1-, 3-, 4-, 4-, 3-, and 3-bit codes. Symbolic simulation and
verification of the Huffman Encoder circuit, for each character char, takes length(code(char)) cycles.
For example, symbolically simulating in3 takes 4 cycles.
3.1 Technique 2(a): One Symbolic Vector for Each Length Group
The overall nature of this approach is to partition the set of valid inputs based on the knowledge of
the circuit implementation, and apply the input constraint encoding technique to each such partition
of the valid inputs. This idea is now explained in the context of the Huffman Encoder circuit.
This circuit encodes characters using codes of different lengths. Each group of characters with the same
code length requires the same number of cycles to verify.
Suppose the characters corresponding to in1, in4, and in5 are in a certain length category. We
then are required to apply inputs that take in1, in4, and in5 only through unary combinations, while
keeping the remaining inputs zero. Then, for this length category, we form the vector
For any value of a, b, this input satisfies the required input constraint. The result of simulating this 
one vector is tantamount to simulating all the characters in the length category under consideration 
separately. The symbolic results have, therefore, to be compared against “expected results” that also 
involve these parametric variables. This achieves the comparison of the actual responses produced 
by the circuit against the desired responses for all the characters in the length category all at once. 
Symbolic simulation and verification time for a six- and a twenty-six-character Huffman encoder are
given in Figure 5 under “one vector per group”. Simulation times for scalar inputs are also given for
The advantage of this approach is that the number of cycles for which the circuit is to be simulated, 
which is a data dependent quantity, is known for each length category. Hence, the simulation can be 
run for the requisite number of cycles, and then the results compared against the expected results 
using the ‘verify’ command of COSMOS. The disadvantage of this approach is that more than one
We explain the drop in simulation time as follows. Depending upon the nature of the Huffman 
encoding tree (which depends on the relative frequency distribution of the characters encoded), we 
may have one of two extreme forms of Huffman trees: (a) linear; (b) balanced. In case the tree is 
linear, there are N  length categories with one vector per length category; in this case, the performance 
would be similar to that of scalar simulation. In case the tree is balanced, there is one length category, 
and so only one symbolic vector is used; in this case, we end up using O(log(N)) parametric boolean
variables. In this case, the worst case simulation time increase due to the increased number of boolean
variables can at most be O(N), which is offset by a proportional drop in the number of simulation
3.3 Technique 2(b): One Symbolic Vector Covering all Valid Inputs
In this technique, we symbolically simulated only one symbolic vector; this vector is simulated 
for the number of clock cycles equal to the maximum character code length (to cover all possible 
characters). The vector is obtained by encoding the required unary inputs of the Huffman encoder
The improvement in the symbolic simulation and verification time, with the application of the 
above techniques, for Huffman Encoder circuits, encoding six and twenty-six characters, is shown in










[Figure 4 labels: cin = col@; rin = row@; w = ?w; !e = (Or w dps); !e(lru). Panel (c) algorithm: set row; reset col; find row with all zeros.]
Figure 4: LRU Cell and its HOP state diagram; LRU Array
3.4 Discussion
Under this technique, simulation time drops because the number of vectors drops from N to 1,
while the number of boolean variables increases only by O(log(N)).
4 Technique 3: Input Constraint Handling for Regular Designs
Regular arrays form an important class of VLSI circuit designs, and with regular array designs 
being employed in numerous applications, the verification of regular arrays becomes an important 
step in their design and implementation as VLSI circuits. Also, it is important to develop efficient 
ways to handle input constraints for the verification of regular arrays, because many regular arrays are 
designed to be operated under input constraints (e.g., “inputs must be unary”). In this section, we
show two techniques of handling input constraints of regular arrays, to reduce the symbolic simulation 
and verification effort. We use the Least Recently Used (LRU) priority algorithm, implemented as
a two-dimensional array of LRU cells in VLSI, as an example to illustrate our techniques to handle
input constraints. One hardware implementation of the LRU algorithm [31] which we consider here
maintains an array of n × n bits, initially all zeros, for a machine with n page frames. Whenever
page k is referenced, the hardware sets all the bits of row k to 1 and sets all the bits of column k to
0. At any instant, the row with all bits set to 0 indicates the least recently used row, hence the least 
recently used page frame.
The LRU array is realized as a two-dimensional regular array of LRU cells. Each LRU cell of the
regular array consists of a state bit which can be set to 1 by keeping the row@ (read “feed-through
connection row”) input to 1 and col@ input to 0; the state bit can be set to 0 by keeping the col@
input to 1. On rising edge of the clock—indicated by Ickrise (read: “control input clkrise”) in the
state diagram—the state bit of the LRU cell is set to 0 or 1 depending upon row@ and col@ inputs.
On falling edge of the clock—indicated by Ickfall in the state diagram—the output !e is computed
as logical OR of ?w input of the cell (which is !e output of the previous cell) and the state bit of the
LRU cell. The output of each row is logical OR of the state bits of the LRU cells in the row.
Functionality of the LRU cell is shown in Figure 4(a) and corresponding state diagram is shown
in Figure 4(b). In this state diagram, we annotate the transitions with the value transfer actions
to occur. The behavior is: start from control state 0, and data state dps; upon clock-rise, sample
the values of col@ and row@ wires, storing them into the variables cin and rin, and go to state 1,
where the internal data state of the system is [(And (Or rin dps) (Not cin))]. The transition
from control state 1 to 0 samples the value coming on port ?w, produces the port output !e = (Or
w dps), and the system goes back to control state 0 (but now, the data state has been modified).
A 4 × 4 LRU array is shown in Figure 4(c). The operation of the LRU array relies on the input
constraint that only the ith (0 ≤ i ≤ 3) row@ bit and the ith col@ bit are 1, when page i is referenced.
4.1 Technique 3(a): Using Parametric Boolean Expressions at the Inputs
The LRU array was to be verified for all combinations of row and column input values, which
satisfy the input constraint for the LRU array. Each cell in the LRU array was initialized to a
distinct symbolic variable, to verify the LRU array for all possible state values. (This is possible as
the LRU array does not have any non-trivial circuit invariants.) We first illustrate our technique for
handling input constraints on the 4 × 4 LRU array, and report results for higher sizes also.
We first used scalar values satisfying the input constraint on the row and column inputs, and
verified the resulting new state and output values against the expected values. It required four
symbolic simulation vectors to verify the 4 × 4 LRU array.
In another approach, we encoded the input constraint as parametric boolean expressions on the
row and column inputs, with two parameter boolean variables b1 and b2. This technique reduced
the number of symbolic simulation vectors from four to one. In general, log2 n parametric boolean
variables are required to encode the input constraint of an n × n LRU array. In the LRU verification,
this technique reduces the number of symbolic simulation vectors required to one, independent of
the size n of the LRU array.
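The two approaches of this section side by side, as an added example that is not the paper's code and does not use COSMOS: a 4 × 4 LRU array built from the cell equation (And (Or rin dps) (Not cin)) is verified once with four scalar unary vectors and once with a single vector whose row and column inputs are the minterms of two parameters. Truth-table bitmasks stand in for BDDs, and the reference behaviour `spec`, the deliberately faulty cell and all function names are assumptions of this sketch.

```python
from functools import reduce
from operator import or_

N = 4                          # 4 x 4 array, as in the text (N a power of two)
M = (N - 1).bit_length()       # log2(N) parametric variables
NVARS = N * N + M              # one symbolic variable per cell, plus parameters
ROWS = 1 << NVARS              # every function is a truth table of ROWS bits
ONES = (1 << ROWS) - 1


def var(k):
    """Truth table of variable k: 2**k zeros then 2**k ones, repeated."""
    half = 1 << k
    table, length = ((1 << half) - 1) << half, 2 * half
    while length < ROWS:
        table |= table << length
        length *= 2
    return table


STATE = [[var(r * N + c) for c in range(N)] for r in range(N)]  # symbolic initial state
PARAMS = [var(N * N + k) for k in range(M)]                     # b1, b2


def minterm(i):
    y = ONES
    for k, b in enumerate(PARAMS):
        y &= b if (i >> k) & 1 else ONES ^ b
    return y


Y = [minterm(i) for i in range(N)]      # Y[i] is 1 exactly when page i is selected


def disj(terms):
    return reduce(or_, terms, 0)


def lru_cell(rin, cin, dps):
    """Next cell state from the state diagram: (And (Or rin dps) (Not cin))."""
    return (rin | dps) & (ONES ^ cin)


def faulty_cell(rin, cin, dps):
    """Constructed design error: the row input overrides the column reset."""
    return rin | (dps & (ONES ^ cin))


def simulate(row, col, cell):
    """One clock cycle; returns the next state and each row's OR output."""
    nxt = [[cell(row[r], col[c], STATE[r][c]) for c in range(N)] for r in range(N)]
    return nxt, [disj(cells) for cells in nxt]


def spec(k):
    """Reference next state for page k: row k set to 1, then column k set to 0."""
    return [[0 if c == k else ONES if r == k else STATE[r][c]
             for c in range(N)] for r in range(N)]


def inputs_are_unary():
    """For every parameter assignment exactly one Y[i] is 1."""
    covered = 0
    for y in Y:
        if covered & y:
            return False
        covered |= y
    return covered == ONES


def verify_scalar(cell=lru_cell):
    """N simulation vectors, one per page, each with constant unary inputs."""
    ok = True
    for k in range(N):
        unary = [ONES if i == k else 0 for i in range(N)]
        nxt, _ = simulate(unary, unary, cell)
        ok = ok and nxt == spec(k)
    return ok, N


def verify_parametric(cell=lru_cell):
    """One simulation vector with row_i = col_i = Y[i], checked against the
    expected response under the same parametric inputs."""
    nxt, outs = simulate(Y, Y, cell)
    specs = [spec(k) for k in range(N)]
    expected = [[disj(Y[k] & specs[k][r][c] for k in range(N))
                 for c in range(N)] for r in range(N)]
    return (nxt == expected and outs == [disj(row) for row in expected]), 1


if __name__ == "__main__":
    print("scalar     (ok, vectors):", verify_scalar())
    print("parametric (ok, vectors):", verify_parametric())
    print("fault caught by one vector:", not verify_parametric(faulty_cell)[0])
```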
4.2 Discussion
Symbolic simulation and verification times for various sizes of the LRU array are shown in Figure 5
under “parametric expressions as inputs”. We find that the improvement in the symbolic simulation
and verification time, with the use of the encoding technique, is significant for large LRU array sizes.
The trade-off is again between the N to 1 drop in the number of vectors vs. the O(log(N)) increase
in the number of variables.
4.3 Technique 3(b): Using Distinct Boolean Variables at the Inputs
As said before, in order for this technique to be applicable, the array circuit must obey the property
that the symbolic response produced by the array for the most general set of inputs must be such
that the response for any specific set of inputs E_i can be obtained by instantiating the response
with the substitution E_i/v_i. The LRU array satisfies this property: simulating it with the most
general symbolic input vector does not obscure the simulation results by producing all Xs. If these
symbolic responses are now specialized in such a way that the variables of the most general symbolic
input vector are forced to obey the unary constraint, then the symbolic response so specialized is
the actual behavior of the LRU array for the intended input combinations. These responses can be
checked against the expected responses. Of course, the behavior of the LRU array for other possible
specializations of the symbolic response (the ones that do not satisfy the input unary constraint) are
of no interest to the verifier.
4.4 Discussion
We hoped that this technique of deferring the handling of input constraint until after the next
state and outputs have been generated can potentially result in reduced symbolic simulation effort,
because the symbolic simulation is done with distinct boolean variables fed through the input ports,
instead of parametric boolean expressions being fed through the input ports. However, as our results
show, this is not the case; the technique in the previous section is better! Two main conclusions from
the results of this technique are: (1) feeding expressions through input ports does not cause any
noticeable overheads; (2) capturing the input restrictions earlier during simulation can be better.
Symbolic simulation and verification times, using this technique, for various sizes of the LRU array
are shown in Figure 5 under “symbolic variables as inputs”.
Note: The results for the 16 x 16 LRU have entries of the form a/b where “b” are the results obtained
on a faster machine which also has more physical memory. All other results, including “a”, were
obtained on a 24-Meg Sparc IPC—the same machine used for all the previous experiments. Note
that the simulation run for the 16 x 16 LRU under technique 3(b) could not be completed under
case a due to thrashing (n.a. means “not available”).

Huffman(6)      284           6        0.58           1 group:  3   0.3       1        0.13
Huffman(26)     766           26       5.33                     6   1.28      1        0.57

                No. of        Scalar Input            Parametric Expressions  Symbolic Variables
                Transistors   Values                  as Inputs               as Inputs
Circuit Name                  No. of   Total          No. of    Total         No. of   Total
                              Vectors  time           Vectors   time          Vectors  time
LRU 4 x 4       448           4        0.63           1         0.27          1        0.27
LRU 8 x 8       1792          8        6.93           1         2.29          1        4.17
LRU 16 x 16     7168          16       134.63/27.4    1         34.68/7.77    1        n.a./10.62
Figure 5: Experimental Results¹ for Minmax, Huffman Encoder, and LRU array
5 Summary of Results and Conclusions
Simulation based verification is a powerful approach to the verification of hardware designs, which
can complement formal verification using theorem provers. The exact boundary between these
techniques has not been drawn yet, as the former technique is still in its infancy. There is considerable
incentive to make simulation based verification scale up to larger circuits as this would provide digital
system designers with a familiar tool (a simulator) that verifies designs almost automatically.
Results reported in this paper indicate that simulation based verification can scale up to large
circuit sizes in many cases. The main motivation of our work has been to discover techniques that
would help expand the class of circuits, and circuit sizes that can be verified via simulation based
verification. One of the main conclusions and insights that we would like to report is the usefulness
of the parametric form of representing boolean expressions, and the variety of ways in which the
parametric form can be used.
¹ Total time is shown in seconds.
Accurately estimating the exact causes for the reduction in computation time that we have observed
can be difficult. Factors that influence the total computation time are more than just the number of
variables; they include the size of the expressions, the memory overhead, and the time to initialize
the circuit to the desired starting state prior to simulation. Of these, the initialization time actually
reduces significantly due to the use of the parametric form, because the number of simulation vectors
was significantly reduced in each of our experiments. However, the ratio of the initialization time
to the total symbolic simulation time is very small; much of the reduction in computation time was
due to the use of the parametric form.
Even though the generation of the parametric form can involve significant amounts of human 
and/or computer effort, the parametric expressions, once generated, can be re-used in the iterative 
loop of debugging a circuit in which errors are first corrected and the circuit is re-verified. Also, 
parametric expressions concerning input constraints can be re-used even for circuits with different 
internal organizations. As discussed in section 2.4, circuit invariants pertaining to circuit states can 
also be handled using the parametric form.
We are also working on combining the verification techniques for regular as well as non-regular
designs, so that large chips containing multiple regular arrays, as well as irregular structures can be
verified. This technique will involve partitioning the system into its constituent regular arrays as
well as irregular parts, and verifying these parts separately. The interface constraints of each of the
partitions can be encoded using parametric boolean expressions, as described earlier.
Input constraints at the inputs of one module M1 often arise because module M2 that provides
these inputs is never allowed to go into certain states (due to its circuit state invariants). In such
cases, while verifying M2 separately, it would become necessary to initialize M2 into its allowed states;
our parametric encoding scheme can lend help here too. Once M2 is verified, the input constraints
necessary for M1 will be known, and can be encoded into the parametric form.
By studying more examples, we hope to get further insight into the technique(s) that would work
best for a given example. This, and the implementation of a unified simulation/verification framework
would constitute our future work.
Acknowledgements: Helpful discussions with Prof. Eduard Cerny are gratefully acknowledged.
References
1. Harry G. Barrow. Verify: A program for proving correctness of digital hardware designs.
Artificial Intelligence, 24:437-491, 1984.
2. Derek L. Beatty, Randal E. Bryant, and Carl-Johan Seger. Synchronous circuit verification by
symbolic simulation: An illustration. In Sixth MIT Conference on Advanced Research in VLSI,
3. Christian Berthet, Olivier Coudert, and Jean-Christophe Madre. New ideas on symbolic
manipulations of finite state machines. In Proceedings of the ICCD, 1990, pages 224-227, 1990.
4. Olivier Coudert Christian Berthet and Jean-Christophe Madre. Verification of sequential
machines using boolean functional vectors. In Proceedings of the IMEC-IFIP Workshop on Applied
Formal Methods for Correct VLSI Design, Leuven, Belgium, pages 179-196, November 1989.
5. Frank M. Brown. Reduced solutions of boolean equations. IEEE Transactions on Computers,
6. Randal Bryant. Graph-based algorithms for boolean function manipulation. IEEE Transactions
7. Randal E. Bryant. A survey of switch-level algorithms. IEEE Design and Test of Computers,
8. Randal E. Bryant. Verifying a static RAM design by logic simulation. In Jonathan Allen
and F. Thomson Leighton, editors, Advanced Research in VLSI: Proceedings of the Fifth MIT
9. Randal E. Bryant. A methodology for hardware verification based on logic simulation. Technical
Report CMU-CS-90-122, Computer Science, Carnegie Mellon University, March 1990. Accepted
10. Randal E. Bryant. Formal verification of memory circuits by switch-level simulation. IEEE
11. Randal E. Bryant, Derek L. Beatty, Karl Brace, Kyeongsoon Cho, and T. Sheffler. Cosmos: A
compiled simulator for mos circuits. In Proc. ACM/IEEE 24th Design Automation Conference,
12. Randal E. Bryant, Derek L. Beatty, and Carl-Johan H. Seger. Formal hardware verification by
symbolic ternary trajectory evaluation. In Proc. ACM/IEEE 28th Design Automation Confer-
13. Randal E. Bryant and Carl-Johan Seger. Formal verification of digital circuits using ternary
system models. Technical Report CMU-CS-90-131, School of Computer Science, Carnegie Mellon
University, May 1990. Also in the Proceedings of the Workshop on Computer-Aided Verification,
14. Albert Camilleri, Michael C. Gordon, and Tom Melham. Hardware specification and verification
using higher order logic. In Proceedings of the IFIP WG 10.2 Working Conference on “From HDL
Descriptions to Guaranteed Correct Circuit Designs”, Grenoble, August 1986. North-Holland,
1986.
15. Eduard Cerny and Miguel A. Marin. A computer algorithm for the synthesis of memoryless logic
circuits. IEEE Transactions on Computers, C-23(5):455-465, May 1974.
16. Zhou Chaochen and C.A.R. Hoare. A model for synchronous switching circuits and its theory
of correctness, 1990. Proceedings of the DCC Workshop, Oxford, September, 1990, published in
Springer’s new series ‘Workshops in Computing’.
17. Shiu-Kai Chin and Edward P. Stabler. Synthesis of arithmetic hardware using hardware
metafunctions. IEEE Transactions on Computer-Aided Design, 9(8):793-803, August 1990.
18. Ganesh Gopalakrishnan and Prabhat Jain. A practical approach to synchronous hardware
verification. In Proc. VLSI Design ’91: The Fourth CSI/IEEE International Symposium on VLSI
Design, New Delhi, India, January 1991.
19. Ganesh Gopalakrishnan, Prabhat Jain, and Venkatesh Akella. Combining verification and
simulation. Technical Report UUCS-TR-90-021, Dept. of Computer Science, University of Utah, Salt
Lake City, UT 84112, 1991. Submitted to the IEEE Design & Test of Computers.
20. Ganesh Gopalakrishnan, Prabhat Jain, Venkatesh Akella, Luli Josephson, and Wen-Yan Kuo.
Combining verification and simulation. In Carlo Sequin, editor, Advanced Research in VLSI:
Proceedings of the 1991 University of California Santa Cruz Conference. The MIT Press, 1991.
ISBN 0-262-19308-6.
21. Ganesh C. Gopalakrishnan. Specification and verification of pipelined hardware in HOP. In Proc.
Ninth International Symposium on Computer Hardware Description Languages, pages 117-131,
1989.
22. Ganesh C. Gopalakrishnan. The semantics of hop: A simple transition system model for the
specification driven design of synchronous hardware. Technical report, Dept. of Computer Science,
University of Utah, Salt Lake City, UT 84112, 1990. UUCS TR 90-004.
23. Ganesh C. Gopalakrishnan, Richard Fujimoto, Venkatesh Akella, and Narayana Mani. HOP:
A process model for synchronous hardware, semantics, and experiments in process composition.
Integration: The VLSI Journal, pages 209-247, August 1989.
24. Ganesh C. Gopalakrishnan, Narayana Mani, and Venkatesh Akella. A design validation system
for synchronous hardware based on a process model: A case study. In Proceedings of the IMEC-IFIP
Workshop on Applied Formal Methods for Correct VLSI Design, Leuven, Belgium, pages
721-740, November 1989.
25. Warren A. Hunt Jr. The mechanical verification of a microprocessor design. In D. Borrione,
editor, From HDL Descriptions to Guaranteed Correct Circuit Designs. Elsevier Science Publishers
B.V. (North Holland), 1987. (Proc. of the IFIP WG 10.2 Working Conference with the same
title.)
26. Prabhat Jain and Ganesh Gopalakrishnan. Some techniques for efficient symbolic simulation
based verification. Technical Report UUCS-TR-91-023, University of Utah, Department of
Computer Science, October 1991. Submitted to the 1992 Design Automation Conference.
27. Prabhat Jain, Ganesh Gopalakrishnan, and Prabhakar Kudva. Verification of regular arrays by
symbolic simulation. Technical Report UUCS-TR-91-022, University of Utah, Department of
Computer Science, October 1991. Submitted to the Brown/MIT Advanced VLSI Workshop.
28. George J. Milne. Simulation and Verification: Related techniques for hardware analysis. In
Proceedings of the Seventh International Conference on Computer Hardware Description Languages,
pages 404-417. North-Holland, 1985.
29. David Musser, Paliath Narendran, and William Premerlani. Bids: A method for specifying and
verifying bidirectional hardware. In Graham Birtwistle and P.A. Subrahmanyam, editors, VLSI
Specification, Verification and Synthesis, pages 217-233. Kluwer Academic Publishers, Boston,
1988. ISBN 0-89838-246-7.
30. Carl-Johan Seger and Jeffrey Joyce. A two-level formal verification methodology using HOL and
COSMOS. Technical Report 91-10, Dept. of Computer Science, University of British Columbia,
Vancouver, B.C., June 1991.
31. Andrew S. Tanenbaum. Operating Systems: Design and Implementation. Prentice Hall,
Englewood Cliffs, NJ, 1987. ISBN 0-13-637406-9.
32. D. Verkest and L. Claesen. The minmax system benchmark, November 1989.
33. Glynn Winskel. A compositional model of mos circuits. In Graham Birtwistle and
P.A. Subrahmanyam, editors, VLSI Specification, Verification and Synthesis, pages 323-348.
Kluwer Academic Publishers, Boston, 1988. ISBN 0-89838-246-7.
