A constructive approach towards correctness of synthesis - application within retiming by Eisenbiegler, Dirk et al.
A Constructive Approach towards Correctness of Synthesis: Application within Retiming

Dirk Eisenbiegler, Ramayya Kumar and Christian Blumenröhr
Institute for Circuit Design and Fault Tolerance (Prof. Dr.-Ing. D. Schmid), University of Karlsruhe, Germany
Abstract This paper is dedicated to correct synthe
sis By correct synthesis we mean that there is a math
ematical proof telling us that the output circuit de
scription fullls the input circuit description There are
several ways to achieve correct synthesis In this paper
we present a novel approach which integrates conven
tional synthesis algorithms thus guaranteeing the same
quality of designs Our approach is fully automatic al
though it is based on rule applications within a theorem
prover We compare our results in the area of retiming
to other approaches
I Introduction
Performing synthesis steps by hand is critical as
far as correctness is concerned Nowadays most syn
thesis steps are fully automated and the synthesis re
sults have become much more reliable than hand de
signs However the correctness of synthesis now de
pends on the correctness of the synthesis programs
One could think of verifying synthesis programs and
thereby guarantee the correctness of all synthesis re
sults But in general synthesis programs are far too
complex to apply formal software veri
cation tech
niques
There are several reasons why automated synthesis
may be error prone
  Synthesis tools have become more and more com
plex with an increasing number of people being
involved in the design of the synthesis tool
  Synthesis tools employ complex data types and
procedures for representing and transforming cir
cuits
  Synthesis tools are frequently combined As inter
mediate formats HDLs are used Very often the
semantics of HDLs are not de
ned as precisely as
they should be and hence the circuit descriptions
are interpreted dierently by dierent tools
There are several methods for increasing the reliability
of synthesis results     See   for a
survey on related work In this paper we present our
formal synthesis approach HASH Higher order logic
Applied to Synthesis of Hardware and compare our
approach to other approaches
The paper is structured as follows We 
rst give an
overview of techniques for verifying synthesis results
Then we will describe our formal synthesis approach
HASH as a general method for achieving correct syn
thesis Afterwards we apply this concept to retim
ing Finally some experimental results achieved with
HASH are compared with other approaches
 
This work has been partly nanced by the Deutsche For
schungsgemeinschaft Project SCHM 	

II PostSynthesisVerification Approaches
Since it is practically impossible to verify the cor
rectness of conventional synthesis programs designers
normally validate synthesis results by simulating both
input and output circuit descriptions thus increas
ing reliability If one is lucky one might 
nd errors
quickly However the absence of errors can only be
guaranteed by exhaustive simulation which is applica
ble only to very small sized circuits
Tautology Checkers Model Checkers
Formal veri
cation techniques are an advanced ap
proach towards guaranteeing correctness There are
fully automated veri
cation techniques as well as
veri
cation techniques that require user interaction
Within the circuit designer community veri
cation
techniques will only be accepted if they are fully auto
matic However full automation can only be achieved
at lower levels of abstraction There are two automatic
veri
cation techniques that are frequently used tau
tology checkers and model checkers
Boolean tautology checkers  can only be applied
to pure combinatorial circuits and to sequential cir
cuits with same state representation The timing com
plexity increases exponentially with the size of the cir
cuits In order to also verify general synchronous cir
cuits model checkers  are applied Model checkers
perform a breadth 
rst state traversal on the prod
uct circuit The set of states that have been reached
so far are represented by BDDs Step by step the
set of states is increased by states that can directly
be reached starting from one of the states in the
current set Each traversal step is performed by a
BDDtransformation The algorithm terminates if no
further states are found ie the BDD remains un
changed There are two aspects that have a major
impact on the duration of model checking the size of
the BDDs and the number of traversal steps Both
the number of traversal steps and the size of the BDD
grow exponentially with the number of state variables
Specialized Verification Techniques

A major handicap for general verification techniques is that they just get the input and the result of the synthesis process, but they cannot exploit the knowledge of how the result was derived. Verification can be performed much more efficiently if one knows that only specific steps have been performed.

The approach presented in [ ] is based on a model checker and increases performance by exploiting functional dependencies. For specific synthesis domains (retiming, state minimization) this technique can reduce the verification time significantly as compared to conventional model checking.

Another specialized verification technique that is designed for retiming synthesis steps only is described in [ ]. During retiming, the overall shape of the structure is not changed entirely; it is only the registers that have been shifted. The program tries to match the former and the retimed circuit description. This can be performed pretty fast. In contrast to [ ], this approach is limited to pure retiming.

There are two major drawbacks of these specialized verification techniques: complexity and combinability. As regards the complexity, the general problem of proving the equivalence of two circuits is NP-complete. For some synthesis steps there do exist some powerful verification techniques [ ]. In [ ] it has been exploited that the implementation was derived by retiming the original circuit. Nevertheless, the information about how the retiming was performed has to be extracted by matching the two descriptions. The overall scenario synthesis/verification could be significantly speeded up if one fed the information on how the retiming was performed directly from the synthesis step to the verification step. However, exploiting the information about how synthesis was performed eases verification but is impossible for complex synthesis procedures consisting of various single steps. This motivates us to tightly bind synthesis and verification for obtaining an integrated formal synthesis step.

With respect to the combinability, a specialized verification technique can only be applied to its corresponding synthesis step. For example, there are specialized verification techniques for logic minimization (tautology checkers) as well as retiming [ ], but there is no efficient technique for a compound retiming/logic minimization step, and one would have to resort to a general verification technique. It shows that splitting synthesis into very basic synthesis steps and combining them with specially adapted verification techniques increases verification performance (divide and conquer).
III The Formal Synthesis Approach 
HASH
A Concept
HASH Higher order Logic Applied to Synthesis
of Hardware is a toolbox for implementing formal
synthesis programs HASH provides a set of ba
sic hardware transformations implemented as logical
derivation steps within the theorem prover HOL 
HASH provides means for embedding existing synthe
sis heuristics logical transformations that are para
metrized by control information describing how the
synthesis step is to be performed This leads us to
formal synthesis programs where the transformational
aspect inside HOL is clearly separated from the de
sign space explorational aspects conventional synthe
sis heuristics outside HOL
With respect to the complexity problem mentioned
in the previous section HASH circumvents it by pro
viding forward derivational steps instead of post
synthesis veri
cation Searching for the proof of equiv
alence for two circuits is NPcomplete  formally
transforming one to the other is not
In HASH  as well as in specialized veri
cation
techniques  synthesis is split into a series of basic
transformation steps whose correctness aspects can be
handled eciently HASH also furnishes the means for
combining these basic transformation steps towards
complex synthesis programs If for example one for
mal synthesis step leads to the theorem  a  b and
the succeeding synthesis step leads to  b  c the
compound synthesis step  a  c can eciently be
derived by means of a simple transitivity rule in HOL
The 
rst step could be eg a retiming step and the
second a logic minimization step Since the complexity
of the transitivity step in HOL is constant pointers 
no copying the overall complexity of the compound
synthesis step is the sum of its two parts
B Security Aspects
Theorem provers such as HOL provide a set of func
tions for constructing destructing and manipulating
terms formulae and theorems Terms formulae and
theorems have speci
c data types These types are
encapsulated There is a xed set of basic functions
for producing values having these types There is no
other way to produce terms formulae and theorems
Theorem provers guarantee safety The only way
to derive a theorem is by deriving it from axioms
and rules ie applying basic functions So theo
rem provers are as safe as the implementation of their
core of basic functions Usually these cores are pretty
small The HOL calculus  for example consists of 
rules and  axioms This makes theorem provers very
reliable
Tautology checkers and model checkers on the other
hand do not have such a core They are nothing but
programs that somehow decide whether or not some
formula holds In general the implementation of such
programs result in large source codes and each pro
gramming error may lead to false veri
cation results
C Conventional vs Formal Synthesis
The formal synthesis approach HASH derives the
output circuit description within a theorem prover
rather than just computing it as in conventional syn
thesis The major dierence is the result Conven
tional synthesis programs only map the input circuit
description to the output circuit description Formal
synthesis programs map the input circuit description
to a theorem stating that some implementation which
has been derived during formal synthesis ful
lls the
input circuit description Formal synthesis however
presumes that all circuit descriptions are represented
within logic
The advantage of a formal synthesis program is
its implicit correctness Whenever it produces a re
sult this result is also correct Formal synthesis pro
grams are as reliable as the core of the theorem prover
that they are based on This makes them much more
reliable than conventional synthesis programs where
there is no such core and one would have to verify
the entire program in order to ensure correctness We
will use the simple retiming synthesis step in order to
describe the bene
ts of formal synthesis as compared
to other approaches towards synthesis correctness
IV Retiming by Means of Logical
Transformations
The implementation of our retiming procedure is
based on the theory Automata  which we im
plemented in the HOL theorem prover Automata was
designed for synthesis purposes Automata provides
means for representing synchronous circuits and is also
the base for synthesis speci
c transformations such as
state minimization state encoding logic optimization
and retiming
A The Procedure
The retiming procedure in HOL is based on a uni
versal retiming theorem This theorem represents a
general pattern which can be instantiated for various
retiming transformations It can be applied in both di
rections forwardbackward retiming Figure  infor
mally sketches the meaning of this theorem Hereby
s denotes the initial state x the auxiliary variables
within the combinatorial part and s

the successor
state
[Fig. 1: General Pattern for Rewriting. Two equivalent circuits: on the left, combinatorial parts f and g with the compound register D holding the initial value q; on the right, the same parts with D holding f(q). Signals: input i, output o, state s, auxiliary variables x, successor state s', Clock.]
For forward retiming, the combinatorial part is split into two: one part f over which the registers are shifted, and the other part g which is not affected. There is one compound register named D with q as its initial value. In the retimed circuit, the initial state of the new compound register becomes f q. The theorem RETIMING_THM states that the original and the retimed circuit are equivalent.
RETIMING_THM:

  ⊢ ∀ f g q.
      automaton
        ( λ(i, s). let x = f s in let (o, s') = g (i, x) in (o, s'),
          q )
      =
      automaton
        ( λ(i, s). let (o, x) = g (i, s) in let s' = f x in (o, s'),
          f q )
Backward retiming is more complex, since one has to find the q's corresponding to some expression representing f q. We will not discuss this issue in this paper.

In the Automata theory, circuits are unambiguously represented by pairs consisting of a compound function and an initial state. This compound function describes the output and the next-state behavior. The registers are formalized implicitly. The constant automaton maps such pairs to functions that map time-dependent input signals to time-dependent output signals.

The output and state transition functions of the theorem (the λ-abstractions on its two sides) correspond to the structures of the combinatorial parts of the circuits (figure 1). These functions map the pair consisting of input i and the current state s onto the pair consisting of output o and next state s'. The second components, q and f q, correspond to the initial states of the two circuits.

Using an automaton as a formal representation, the overall retiming procedure consists of four steps:
1. First, the combinatorial part is split into f and g. Assigning combinatorial components to f or g can either be performed by hand or by some arbitrary external program.
2. Then the general retiming theorem is applied. The current circuit description is matched with the left hand side of the equation, and one proceeds with the right hand side.
3. Then f and g are joined to a single combinatorial part.
4. Finally, the new initial values of the shifted registers (f q) are determined via evaluation.

Figure 2 shows a retiming example, and figure 3 describes how it is matched to our retiming theorem. In our example there are three combinatorial parts: a comparator, an incrementer (+1) and a MUX. When applying our synthesis procedure, f consists of the incrementer only and g consists of the comparator and the MUX.
[Fig. 2: Retiming Example. Left: the original circuit with n-bit inputs a and b, output y, registers D0 and D1, an incrementer (+1), a comparator and a MUX (select inputs 0/1). Right: the retimed circuit with a single register D0. Clock shown in both.]
B Where are Logical Skills Needed
To answer this question one has to distinguish be
tween the designer of the formal synthesis tool and the
circuit designer who uses this tool Proving the cor
rectness of theorems such as  RETIMINGTHM and im
plementing corresponding transformations four steps
of the retiming procedure requires a thorough under
standing of logic hardware and underlying theorem
prover HOL The formula in  RETIMINGTHM is true
higher order logic universal quanti
cation over func
tions f and g polymorphism Its proof is tedious
 g
D
D
D
+1
 f MUX
0
1
0
0
0
 D
b
a y
Clock
D
D
0
Clock
1
a
b
+1
MUX
0
1
y
 g
f
D
Fig
 
 Example for Applying the Retiming Scheme
and cannot be automated induction over time etc
However it has only to be proved once and for all
The above mentioned procedure for retiming has
a clean interface for integrating heuristics that pro
duce the control information ie the cut between f
and g This demonstrates the clear division between
the design space exploration and transformation in our
concept The heuristic has nothing to do with logic
and as a consequence switching from one heuristic to
another requires no change in the theorem or in the
retiming procedure
From the circuit designer s point of view synthe
sis tools based on HASH are the same as conventional
synthesis tools During synthesis everything is per
formed automatically the transformational procedure
adapts the theorem to the current task Logic related
user interaction proof search is not required from the
circuit designer s part
C Faulty Heuristics
The determination of the cut in step  may be per
formed arbitrarily It is possible to do it by hand
and it is also possible to invoke some program This
allows us to reuse existing techniques   The
decision on how to cut does not violate correctness
If a cut was given that does not match our pattern
then our transformation would fail since the general
retiming theorem could not be matched and an excep
tion will be raised implicitly An incorrect theorem
however cannot be derived due to the principle of the
orem provers
To illustrate this point let us choose f to consist of
the comparator and the multiplexer and g to consist
of the incrementer 
g  During the 
rst step of the
retiming procedure the output and transition function
is transformed into an equivalent output and transi
tion function consisting of two subfunctions f and g
It is not possible to 
nd such a split and therefore
trying to derive such circuit will fail at some point
in HOL In our implementation the algorithm tries
to cut the combinatorial block as described in 
gure
 As can be seen the original function has a triple
representing the state variables and the falsely split
function has  state variables The equality of the old
and the new combinatorial block cannot be derived 
it is even impossible to express the equality due to the
fact that the left and the right hand side would have
dierent types In HOL this results in an exception
when trying to build the equality expression
[Fig. 4: False Cut of the Combinatorial Part. f is chosen as comparator and MUX, g as the incrementer (+1); signals a, b, y.]
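The retiming pattern of section IV-A and the false cut of section IV-C, modelled as an added example (this is not the paper's HOL code): automata are (step, init) pairs as in the Automata theory, both sides of RETIMING_THM are built from a chosen f, g and q, and a constructed loadable counter (incrementer, comparator, MUX; its wiring is an assumption of this example) is compared on all short input sequences. The false cut is mirrored by a state-shape mismatch that raises an exception instead of yielding an equivalent automaton.

```python
from itertools import product
from typing import Any, Callable, List, Tuple

Signal = List[Any]
Step = Callable[[Any, Any], Tuple[Any, Any]]   # step(i, s) -> (o, s')

def automaton(step: Step, init: Any) -> Callable[[Signal], Signal]:
    """Automata-theory view: a (step, init) pair denotes a function from a
    time-dependent input signal to a time-dependent output signal. The
    registers holding the state s are implicit in the loop."""
    def run(inputs: Signal) -> Signal:
        s, outs = init, []
        for i in inputs:
            o, s = step(i, s)
            outs.append(o)
        return outs
    return run

def lhs(f, g, q):
    """Left-hand side of RETIMING_THM: x = f s; (o, s') = g (i, x); init q."""
    return automaton(lambda i, s: g(i, f(s)), q)

def rhs(f, g, q):
    """Right-hand side: (o, x) = g (i, s); s' = f x; init f q. The register is
    shifted across f, so step 4 of the procedure has to evaluate f q."""
    def step(i, s):
        o, x = g(i, s)
        return o, f(x)
    return automaton(step, f(q))

# Constructed loadable counter of bitwidth N in the spirit of figure 2: an
# incrementer (+1), a comparator and a MUX. The wiring is an assumption of
# this example; only the list of components comes from the paper.
N = 3
MASK = (1 << N) - 1

def incrementer(s: int) -> int:
    """The +1 block, the only component placed in f."""
    return (s + 1) & MASK

def compare_and_mux(i: Tuple[int, int], x: int) -> Tuple[int, int]:
    """g = comparator + MUX: output y = x; load b into the state when a == x."""
    a, b = i
    return x, (b if a == x else x)

def retiming_preserves_behaviour(length: int) -> bool:
    """Bounded check of the constructed instance: both sides of the theorem
    must agree on every input sequence of the given length. The paper proves
    the general statement once in HOL; this only validates one instance."""
    orig = lhs(incrementer, compare_and_mux, 0)
    new = rhs(incrementer, compare_and_mux, 0)
    values = range(1 << N)
    return all(orig(list(seq)) == new(list(seq))
               for seq in product(product(values, values), repeat=length))

def false_cut_fails() -> bool:
    """The false cut of figure 4: f = comparator + MUX, g = incrementer. Now f
    needs (a, b, s) but the pattern hands it the single value x, so the two
    sides have different state types. HOL raises an exception when building
    the equality; the Python analogue is a TypeError while constructing rhs."""
    def f_bad(triple):
        a, b, s = triple
        return b if a == s else s

    def g_bad(i, s):
        return s, incrementer(s)

    try:
        rhs(f_bad, g_bad, 0)          # f_bad(0): an int cannot be unpacked
        return False
    except TypeError:
        return True
```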
V Experimental Results
We applied the formal retiming step to the example
given in 
gure  and to the sequential circuits from
the IWLS  benchmarks set The results are listed
in table I and table II respectively
n ipops gates SIS SMV HASH
	   
 
	 

   
 
	 

  	 
 
	 

 	 	 
 
	 

 	  	
 
	 

 	  
 
 

 	  
 
 

   
 	
 

   
 	
 

	   	
  

 	 	   	

     

	     

	     

     

     

TABLE I
Example from Figure 
name ipops gates Eijk	 Eijk SIS HASH
s
	  	 
 
 	
 

s 	 		 
 	
 	
 	

s
	 	 	 
 
 	
 	

s	  		 
 
 
 

s 	 	 	
 		
 
 

s
	      

s		 	    
	 	
	
s	      	

s	   	
 
 	
 	
	
s	     	
 	

TABLE II
IWLS Benchmarks
The example in figure 2 is scalable with the bitwidth n of the data signals. We compared our results to the verification results achieved with different post-synthesis verification approaches. The synthesis environment SIS provides a finite state machine comparison technique [ ]. SMV is a multipurpose model checker [ ]. Van Eijk presented a model checker (indicated with Eijk) and an advanced version that exploits functional dependencies (indicated with Eijk*) [ ].

All times are given in seconds. The benchmarks have been run on an Ultra Sparc with [ ] Mb, except for the results in the columns Eijk and Eijk*, which have been taken from the paper [ ] and were run on an HP [ ]. The dash (-) indicates that the benchmark could not be processed in reasonable time, and the question mark indicates that no results were reported in [ ].

We found out that in our approach the time consumption depends on the size of the circuit but is quite independent from the cut. Due to step 4 (see section IV-A) it becomes a little slower for large sized functions f. In table I and table II we performed a retiming with f covering a maximum number of retimable gates, i.e. the worst case for our approach.

The complexity of model checking depends on the size of the combinatorial part and on the maximum number of steps needed to reach all states. In general, the size of the BDDs for representing the currently covered states and transforming this set increases exponentially with the size of the combinatorial part (see tables I and II).

It turns out that our approach can be applied to circuits with sizes that are beyond what can be handled using model checking or related techniques. Our approach (indicated with HASH) requires a higher basic time consumption. This makes HASH slower for small sized circuits. For larger sized circuits, however, the time consumption increases in a moderate manner. One comes to the same result when dealing with the IWLS benchmarks. Circuits s[ ], s[ ] and s[ ] are all fractional multipliers with different bitwidths ([ ], [ ] and [ ] respectively). None of the model checkers were able to verify the [ ]-bit version. From the [ ]-bit version towards the [ ]-bit version, the time consumption increased rapidly (factor [ ] for SIS and Eijk, and factor [ ] for Eijk*). The corresponding factor for our approach is [ ], and it is even possible to handle the [ ]-bit version in a reasonable time.

The results achieved with HASH for the example from figure 2 are much better than those achieved for the IWLS benchmarks. This is due to the fact that we chose to perform the retiming on an RT-level representation, which consists of n-bit circuits, whereas the model checking techniques are based on simple temporal logic and can therefore only handle flat bit-level descriptions at the gate level. In our approach, operating at the RT-level reduces the complexity of the first three steps. However, the complexity of the initial state evaluation step (step 4) is not affected.
VI Summary and Conclusions
We introduced a formal synthesis approach HASH
where all basic transformation steps are performed by
rule applications within a theorem prover and applied
this approach to retiming HASH also provides var
ious other synthesis related transformations on syn
chronous circuits such as state encoding signal encod
ing and the elimination of redundant parts encoding
see also 
This approach increases the reliability of the syn
thesis program since the correctness only depends on
the core of the theorem prover whereas in conventional
synthesis programs there is no such core and every er
ror in the synthesis tool may aect the correctness of
synthesis results We have shown that it is possible
to write formal synthesis programs without really in
venting new algorithms but by exploiting conventional
synthesis programs and giving them a formal basis
This implies that the quality of designs produced us
ing HASH is the same as that of a conventional syn
thesis tool Furthermore since the interaction within
HASH is the same as that of a conventional synthesis
tool its acceptance among designers is eased
References

[1] S. D. Johnson, R. M. Wehrmeister and Bhaskar Bose. On the interplay of synthesis and verification. In Claesen [15].
[2] AHL. Lambda Reference Manual.
[3] J. R. Burch, E. M. Clarke, D. E. Long, K. L. McMillan and D. L. Dill. Symbolic model checking for sequential circuit verification. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, Apr.
[4] J. C. Madre. Benchmarks for tautology checking: experimental results. In Claesen [15].
[5] A. Gupta. Formal hardware verification methods: A survey. Formal Methods in System Design.
[6] R. Kumar, C. Blumenröhr, D. Eisenbiegler and D. Schmid. Formal synthesis in circuit design: A classification and survey. In Formal Methods in Computer-Aided Design (FMCAD), Palo Alto, USA.
[7] C. A. J. van Eijk and J. A. G. Jess. Exploiting functional dependencies in finite state machine verification. In The European Design & Test Conference, Paris, France, Mar. IEEE Computer Society and ACM/SIGDA. IEEE Computer Society Press.
[8] Huang, Cheng and Chen. On verifying the correctness of retimed circuits. In Great Lakes Symposium on VLSI, Ames, USA, Mar.
[9] M. J. C. Gordon and T. F. Melham. Introduction to HOL: A Theorem Proving Environment for Higher Order Logic. Cambridge University Press.
[10] D. Eisenbiegler and R. Kumar. An automata theory dedicated towards formal circuit synthesis. In International Workshop on Higher Order Logic Theorem Proving and its Applications, E. T. Schubert, P. J. Windley and J. Alves-Foss, Eds., Aspen Grove, Utah, USA, Sept. Lecture Notes in Computer Science, Springer-Verlag.
[11] C. Leiserson, F. Rose and J. Saxe. Optimizing synchronous circuits by retiming. In Caltech Conference on VLSI.
[12] S. Malik, E. Sentovich, R. Brayton and A. Sangiovanni-Vincentelli. Retiming and resynthesis: Optimizing sequential circuits with combinatorial techniques. In IEEE Transactions on CAD, Jan.
[13] E. M. Sentovich, K. J. Singh, L. Lavagno, C. Moon et al. SIS: A system for sequential circuit synthesis. Tech. Rep. UCB/ERL, University of California, Berkeley.
[14] K. L. McMillan. The SMV system: symbolic model checking, an approach. Tech. Rep. CMU-CS, Carnegie Mellon University.
[15] Luc J. M. Claesen, Ed. Applied Formal Methods For Correct VLSI Design. IMEC-IFIP, Elsevier Science Publishers.

(Volume, page and year numbers of the references did not survive in this copy and are omitted.)