Abstract-A new methodology for formal logic verification of combinational circuits is presented. Specifically, a structural (logic network) approach is used, based on indirect implications derived by recursive learning. It is shown that implications can be used to capture similarity between designs. This is extended to formulate a hybrid approach in which this structural (logic network) information is used to reduce the complexity of a subsequent functional method based on OBDD's. We demonstrate that OBDD-based verification can take great advantage of structural preprocessing in a synthesis environment where many small operations are performed that modify the circuit. The experimental results show that an effective combination can be achieved between memory efficient structural methods and powerful functional methods.
I. INTRODUCTION
MUCH progress has recently been seen in the automation of the design process for large integrated circuits. Tools for automatic synthesis play a crucial role in the progress of the VLSI industry. With increasingly complex algorithms and software involved in VLSI design, the synthesis process can never be guaranteed to be completely free of errors. Any complex software can contain bugs and even a well-debugged tool, having worked correctly for many applications, may introduce unforeseen errors in future applications. Therefore, it is crucial to verify any circuit, including those obtained by automatic synthesis tools, against the initial specifications.
Design errors can also be introduced by necessary intervention of the human designer. Designers sometimes resort to manual modifications or incorporate tailor-made software to fulfill special design requirements. Often, changing a design at a later stage of the process is required, for example if the specification has been modified slightly, or if a finished product must be updated to satisfy special requests. Such modifications are often referred to as engineering changes (EC's). Because EC's usually are conducted manually, this design process phase is both expensive and prone to errors. The designer must, therefore, have efficient tools for checking the functional correctness of designs after EC's.
The subject of this paper is the (formal) logic verification problem for combinational circuits; i.e., identifying whether two circuits are functionally equivalent. The presented approach is useful to verify circuits (or subfunctions of a circuit) after incremental design changes or EC's as they often occur in a synthesis environment. Further, an efficient verification method for such cases is also an important integral part if modifying and updating a given design is to become an automated process (incremental synthesis). Approaches to incremental synthesis and automatic design error corrections have been reported in [6], [12], [18].
Logic verification belongs to the most difficult problems in the field of computer-aided circuit design. Even verification of small designs can lead to enormous computation times, requiring large amounts of memory. The difficulty of the logic verification problem arises from having to explore the full functionality of both designs in order to formally prove their functional equivalence. Logic verification, therefore, usually is approached by functional methods; i.e., methods that try to completely capture the function of a circuit so that a comparison is possible. Much progress has been made with the introduction of Binary Decision Diagrams (BDD's) [2] and Ordered Binary Decision Diagrams (OBDD's) [8]. OBDD's permit a Boolean function to be represented in a compact and canonical form. If the circuits of comparison can be represented by OBDD's, the logic verification problem is solved; the circuits are functionally equivalent iff their OBDD's are isomorphic. Construction of OBDD's, however, is not always easily accomplished. The size of the OBDD's is highly sensitive to variable ordering, and for some circuits (like multipliers), the size of the OBDD's grows exponentially with the size of the circuit.
Structural (logic/circuit) techniques can be considered as an alternative to functional approaches. These techniques exploit the structural information of the given circuit implementations, and their great advantage is that they operate on a structural gate-level netlist description of the circuit exploiting the structural properties of the design. Significant progress has been achieved in applying structural techniques to logic verification. As shown in [5], [15], [25], structural approaches to logic verification can perform extremely well, provided the circuits have some structural similarity. For circuits that are dissimilar, these techniques can fail. BDD-based verification, on the other hand, is independent of the structural representation of the individual designs and does not rely on structural similarity. However, these methods too can fail because of exponential memory requirements.
Therefore, in this paper, a methodology is proposed to effectively combine structural and functional methods for logic verification to mutually exploit the advantages of both paradigms. Our hybrid approach will be based on the structural method of [15] and a functional method using the OBDD's of [8].
© 1996 IEEE
KUNZ et al.: A NOVEL FRAMEWORK FOR LOGIC VERIFICATION
THE INCREMENTAL NATURE OF THE DESIGN PROCESS
Because no general verification technique is known, which performs well for all classes of circuits, our interest is to investigate the use of special properties of practical verification problems and identify those that can be exploited in formulating effective procedures. Importantly, the suggested approach to logic verification exploits the general characteristics of a typical design process. A mathematical model describing the design process is presented in [1], schematically in Fig. 1.
In [1], the design process is viewed as a sequence of "atomic operations" that constitute the different design steps. Such design steps either can be performed manually or automatically by some synthesis tool. Each design step must be followed by an accurate and efficient verification step to achieve high design quality at low costs. It is important to note that the design process is of incremental nature as it consists of many small steps. This has important consequences for the verification steps because two successive intermediate designs, as they occur along the synthesis process, can be expected to have some degree of "similarity." The fewer the atomic operations that are packed into a synthesis step, the more similarity exists between the circuits. In particular, it can be expected that manual changes and EC's (they are particularly prone to errors) will let large portions of the circuit remain unaffected. Similarity refers to signal values in one circuit [24], [25], thus, it provides for a uniform framework for a wide variety of CAD problems in order to capture the similarity between circuits. Then, it is presented how this structural information can be used to reduce the complexity of functional BDD-based verification, thus exploiting the best properties of the two paradigms. In general, structural methods perform well when there is some degree of similarity between the two circuits, whereas functional methods perform well for small circuits. As seen later and captured in Fig. 1(b), the proposed hybrid method has the potential to overcome these shortcomings.
REVIEW OF RECURSIVE LEARNING
Recursive learning allows precise implications [14] to be made for a set of value assignments on a specified subset of lines in a logic circuit. Making precise implications means identifying all signal values that are uniquely determined as a consequence of the given situation of value assignments. That is, the precise implication procedure determines all signal values that are necessary for the consistency of the given situation of value assignments. To describe the procedure, the two basic notions of unjustified gates and justifications are required [14]. This paper assumes that we operate in a ternary logic alphabet (0, 1, X) where X is the don't care value. A signal is called specified if it is assigned the logic value 0 or 1; it is unspecified if it has the value X.
Definition 3.1: Given a gate g in a combinational network that has at least one input or output signal specified, and the value assignments at g are logically consistent:
These notations are used to describe a complete implication procedure in a combinational network. Direct implications play an important role in this reasoning. Direct implications, as in [14], refer to the evaluation of the set of value assignments at every gate that has an event and the propagation of value assignments according to the connectivity in the circuit. Finally, the following definition is needed.
Definition 3.4: Let R be the set of value assignments $f_i = V_i$ for those variables $f_i$ in a combinational network whose value has been changed by making implications for a given set of value assignments S. Further, U is the set of variable assignments at the outputs of those unjustified gates that have an input with a variable assignment contained in R. The
That is, when performing (e.g., direct) implications for a given set of value assignments S, the event list E contains all variables whose value has been changed, including output signals of new unjustified gates. The output signals of old unjustified gates are also included if their status has changed, i.e., one of their inputs has assumed a different value. The complete implication procedure is given in Table I allows a reasonable tradeoff between the computational complexity and the level of precision of the implication procedure, i.e., its ability to derive all or a portion of all necessary assignments. It should be observed that the procedure in [14] guarantees all necessary assignments using sufficiently large $r_{\max}$. However, as seen here, $r_{\max}$ of just 1 or 2 will suffice. Note that there is a small difference between the recursive learning procedure described here for verification and that described in [14]. When applying recursive learning to logic verification, indirect implications are stored as was done in the static learning procedure of [19]. Therefore, the routine here performs all direct implications along with indirect implications that have been identified and stored before. (It may be noted that there are essential differences between static learning [19] and recursive learning. Recursive learning is complete whereas static learning is not. Therefore, given a sufficiently large $r_{\max}$, recursive learning will always identify all indirect implications whereas static learning can only identify a subset.)
Enumeration and reasoning in recursive learning differ greatly from conventional searching schemes for solving design automation problems. Conventional methods are based on exploring the Boolean space defined by the variables z = o of the given Boolean functions. Such variable enumeration is often visualized by a decision tree or related concepts. Importantly, the search in recursive learning as illustrated in Fig. 3 cannot be described by conventional enumeration schemes like decision tree-based backtracking, exhaustive simulation or binary decision diagrams. In fact, the search in recursive learning can be viewed by AND/OR [22] trees that are common to describe the structure in automatic theorem proving procedures for predicate logic.
Techniques in theorem proving do not completely exhaust the variable space because the variable space is usually infinite. However, they are still "refutation-complete," i.e., a wrong theorem is rejected if the problem is decidable. Note that this would not be possible if they were based on enumerating the (infinite) variable space. When dealing with Boolean functions, the variable space is finite and can be completely enumerated. Therefore, conventional methods in CAD can prove the satisfiability of a function by enumerating through the variable space until a set of value assignments has been
In [14], it was also shown that recursive learning is complete in identifying logic implications between signal values. This is important in many applications like the one described in this paper. While the reasoning in recursive learning is similar to theorem-proving techniques, it is formulated such that it can be based on the same "mechanics" as traditional simulation methods or standard implication techniques in the field of design automation. For this reason, however, it should not be confused with these methods.
The search in recursive learning is illustrated by the AND/OR tree of Fig. 3. It is beyond the scope of this paper to discuss the various properties of AND/OR trees constructed by the notions of recursive learning. The interested reader may refer to [22].
The procedure of Table I and the reasoning in recursive learning is briefly illustrated by the example shown in Fig. 2. The gate whose output is z is the only unjustified gate present in the circuit. Let U denote the set of unjustified gates, let J be a justification, and let C be a complete set of justifications, as defined above. No implications can be performed for the signal x = 0 with conventional implication routines. It is now illustrated how make_all_implications(), as given in Table I, identifies the necessary assignment, c = 0. The tree in Fig. 3 schematically demonstrates the enumeration to obtain this implication. The tree in Fig. 3
and represent sets of value assignments being injected in the circuit; the other nodes are called OR nodes and represent the logic consequences derived from such sets; i.e., they represent value assignments obtained by direct implications.
assignments to unjustified gates are marked mark*
In level 0, {z = 0} is the initial set
is the only unjustified gate, and =
the unjustified gate x in level 0, is inconsistent. Note that this can be concluded although no inconsistency has occurred for the unjustified gate with $z_3 = 0$ in level 1. This is because both unjustified gates $z_3 = 0$ and $z_2 = 0$ have to be consistently justified. In the graph of Fig. 3, the justification $z_1 = 0$ is therefore represented by an AND node. After encountering the conflict recursive learning returns into level 0 and searches the space under c = 0. No new unjustified gates are formed, and the implications are consistent. In level 0, it is apparent that the common signal for all consistent justifications (in this case, it is only one) is c = 0. Hence, this becomes the implication
Similarly, just as a conventional branch-and-bound search does not actually have to build a memory-consuming decision tree, the procedure in Table I simply enumerates through the AND/OR tree in Fig. 3 without actually building it. All operations are performed by injecting and reversing signal values, performing event-driven direct implications, and by extracting signal values if they fulfill certain conditions as given in Table I. Therefore, the memory consumption of recursive learning, as pointed out in [14], grows linearly with the number of recursions performed.
is used to identify subcircuits by partitioning the original circuits based on the partitioning criterion stated below. This is coupled with a functional, OBDD-based approach to prove the equivalence of these subcircuits. Fig. 4 briefly outlines the approach to be presented.
Let A and B be the circuits to be verified. Assume that both circuits are cut vertically so that A is split into $A_i$ and $A_o$ and B is split into $B_i$ and $B_o$. The portion indexed "i" represents the circuit partition at the primary inputs; the portion indexed "o" represents the circuit partition at the primary outputs of the original circuit.
Criterion for circuit partitioning:
A cut through circuit A and B is permissible if the equivalence of circuits $A_o$ and $B_o$ implies the equivalence of circuits A and B.
One simple means of obtaining a partitioning that fulfills this criterion is to cut in each circuit only through nodes that have an equivalent node in the other circuit, illustrated in Fig. 5. It is obvious that the two circuits on the left side are equivalent. Now, consider the dashed line indicating a cut in both circuits that satisfies our criterion of circuit partitioning. This simple case demonstrates that the cut lines marked 'X' in both circuits are equivalent. The resulting subcircuits $A_o$ and $B_o$ are shown on the right of Fig. 5. Clearly, since the new pseudo-input X in circuits $A_o$ and $B_o$ is a functionally equivalent signal in the original circuits A and B, the equivalence of the circuits $A_o$ and $B_o$ implies the equivalence of the original circuits A and B. It is important to note, however, that the opposite is not true; if circuits $A_o$ and $B_o$ are not functionally equivalent, this does not imply the nonequivalence of A and B. As can be noted in Fig. 5, functions yi and yk are not equivalent although the original circuits are. This phenomenon shall be referred to as the false negative problem, according to [3], and represents an unavoidable difficulty if functional and structural methods are to be combined. That is why much of what follows tackles this problem.
Note that cutting through equivalent nodes is not the only possibility to obtain circuit partitions that fulfill the above cutting criterion. The above cutting criterion does not require
Fig. 4 summarizes our hybrid approach to logic verification. First, a structural analysis is performed to determine a good circuit partitioning, described in detail in Section V. Once the circuits are cut, the smaller partitioned circuits are compared for equivalence. To build OBDD's, the package described in [4] was used. Experiments suggest that false negatives are not uncommon, the reason being that the created pseudo-inputs are not always independent. The BDD's so formed may contain some combinations of pseudo-inputs that are inconsistent in the original circuit; hence, they represent a don't care set for the partitioned circuit. A method to tackle this problem appears in Section VI. Note that other functional methods, e.g., [10], [20] could also be used for the functional portion of our verification tool.
V. PREPROCESSING: STRUCTURAL ANALYSIS BY HANNIBAL
The tool HANNIBAL implements recursive learning [14], applying knowledge about implications to logic verification [15] and logic optimization [16]. The work described here uses HANNIBAL to derive equivalent nodes in the circuits to be verified in order to partition the circuit. As a special case, HANNIBAL may complete the verification task alone, if it can establish the functional equivalence of the primary output nodes. Fig. 6 illustrates how HANNIBAL proceeds to verify the functional equivalence of two combinational circuits A and B. For simplicity, assume that the two circuits have only one output. Obviously, by combining the two circuits in the way shown, the logic verification problem is reduced to solving the Boolean satisfiability problem for the output signal e. The circuit shown in Fig. 6 has been termed miter by Brand [5].
The Algorithm
In principle, the complete implication procedure of Table I represents a simple method to check the Boolean satisfiability of e. If the precise implications for e = 1 produce a conflict, then it follows that e = 0, and the two circuits are equivalent. If no conflict occurs, the precise implication procedure determines all value assignments necessary to generate a distinguishing vector. However, what maximum depth of recursion is required in order to solve the problem? As pointed out in [14], the maximum depth of recursion required to identify all necessary assignments is related to the size of the redundancies in the circuit. In practical circuits, i.e., circuits that realize a certain function, usually the redundant structures are rather small, so that only few recursions are needed to perform precise implications. In Fig. 6 though, there is an "artificial" circuit that does not serve any practical function. If circuits A and B are functionally equivalent, then the resulting circuit represents a large redundancy and in this case, generally it seems intractable to perform precise implications. As mentioned, recursive learning can make use of a special aspect. In many cases, "similarities" exist between the two circuits under consideration. Logically, these similarities can usually be expressed as indirect implications between signals of different circuits, schematically depicted in Fig. 6. Recursive learning is a powerful technique that identifies these implications, if they exist. Note that these implications immediately indicate the functional equivalence of internal nodes (as a special case).
Fig. 7 shows a flow chart of the algorithm. At first, HANNIBAL reads the description of the two circuits and combines their networks as shown in Fig. 6. Essentially, the verification process consists of two phases that can be repeatedly called. In Phase 1, HANNIBAL passes through both circuits to identify and store indirect implications.
At every gate, the algorithm assigns the logic signal value that makes the gate unjustified (e.g., "0" at AND) such that more than one justification exists at this gate. Note that if "1" is assigned at the output of an AND gate, direct implications can be performed. Since our only interest is in storing indirect implications at gates where the direct implications "get stuck," "0" is assigned at the output of AND and NOR gates and "1" at the outputs of OR and NAND gates. For XOR gates, both values are assigned one after the other. After the assignment, make_all_implications() is called to perform the implications. If signal values are learned, i.e., if indirect implications exist, these implications are stored at the respective gate. This procedure is repeated for every gate in both circuits. Two aspects are very important for the efficiency of this preprocessing phase:
1) The gates gz must be selected in an appropriate order. Before some gate gz is analyzed in the described way, it must be guaranteed that all gates in the cone of influence of gz have been treated beforehand. This ordering is necessary in order to make maximum use of prestored indirect implications.
2) In Phase 1, make_all_implications() is not only used to learn and store indirect implications for later reference in Phase 2, but it is crucial that make_all_implications(), itself, makes use of previously stored indirect implications, as given in Table I.
internal equivalencies, and a circuit partitioning can be derived as described in Section III. (A detailed description of Phase 2 appears in Section V). If the verification problem remains too complex and the base algorithm for logic verification has to abort the problem, Phase 1 is repeated with higher depth of recursion to identify more indirect implications. This continues until either a distinguishing vector is generated, or the circuits are proven equivalent, or the search is aborted because a user-defined maximum recursion depth for the preprocessing phase is exceeded. Note that both Phase 1 and 2 each represent a complete algorithm for logic verification, which complement each other. In [13], it has been suggested to use OBDD's for identifying implications in Phase 1. This makes it possible to exploit the power inherent to OBDD's already in Phase 1. However, if OBDD's are used to prove that certain implications are valid, additional heuristics are needed to determine a priori what nodes and values could be candidates for an implication. Further, in order to avoid building OBDD's for the full circuit, the method in [13] builds OBDD's in terms of internal circuit nodes. This however neglects the interdependence between these nodes, and implications can be missed. This is related to the false negative problem described in [3] and Section IV.
Therefore, in order to make the learning method of [13] complete, one would have to check for each learning operation whether an implication has been missed due to the interdependence of the BDD variables. In our approach, the circuit is partitioned only a single time when switching from the structural to the functional phase. Therefore, in our approach, techniques to solve false negatives such as those described in Section VI only need to be employed once after the functional comparison of Phase 2.
iN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. 15, NO. 1, JANUARY 1996
Examples
Example 5.1. To illustrate how HANNIBAL performs logic verification, as well as for comparison with [3], the example circuits of [3] are used, as shown in Fig. 8. In Phase 1, HANNIBAL derives indirect implications between the two circuits to be compared. The procedure is as follows for the above example:
CIRCUIT 1: Assign the appropriate value at every output signal of a gate (with at least two input signals) and use make_all_implications(0, 1)
The circuit is represented as a directed acyclic graph (DAG) in the usual way, the gates being nodes in the graph. All standard limitations that apply in representing a circuit as DAG are applicable. "Node" and "gate" are used interchangeably, and "BDD node" is always explicitly stated. A satisfiable set for the partitioned circuit with a single output y refers to a set of value assignments at the inputs of the partitioned circuits $A_o$ (pseudo-inputs) for which y evaluates to 1. If these value assignments do not produce an inconsistency in the original circuit, it is called a consistent satisfiable set.
[4].
Fig. 9. Indirect implications after typical synthesis operation.
In this example, Phase 1, with recursion depth 1, has been sufficient to prove that the circuits are equivalent. Illustrations of the implication procedure at higher recursion depths can be found in [14]. It is straightforward to derive the equivalent nodes from the prestored indirect implications. Note that only one pass is performed from the inputs towards the outputs, identifying all internal equivalencies without any a priori knowledge or heuristics to identify promising candidates, representing a key advantage of the described method.
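The Phase 1 learning step described above, as an added example that is not code from the paper or from HANNIBAL: a depth-limited make_all_implications() run on a constructed netlist in which one circuit is the factored form of the other (the situation of Example 5.2). The netlist, signal names, and the simple fixpoint loop used instead of an event list are assumptions made for illustration.

```python
# Added example, not code from the paper: depth-limited recursive learning
# on a constructed netlist. Signal values are 0, 1, or absent (X).

# gate type -> (controlling input value, output inverted?)
GATE = {"AND": (0, 0), "OR": (1, 0), "NAND": (0, 1), "NOR": (1, 1)}

# Constructed pair of circuits sharing the inputs a, b, c:
#   circuit 1: f = (a AND b) OR (b AND c)
#   circuit 2: g = b AND (a OR c)          (factored form)
NETLIST = {
    "d": ("AND", ["a", "b"]),
    "e": ("AND", ["b", "c"]),
    "f": ("OR", ["d", "e"]),
    "h": ("OR", ["a", "c"]),
    "g": ("AND", ["b", "h"]),
}


class Conflict(Exception):
    """Raised when an implication contradicts an existing assignment."""


def direct_implications(netlist, vals):
    """Forward/backward gate evaluation to a fixpoint; mutates vals."""
    def put(sig, v):
        if vals.get(sig) is None:
            vals[sig] = v
            return True
        if vals[sig] != v:
            raise Conflict(sig)
        return False

    changed = True
    while changed:
        changed = False
        for out, (kind, ins) in netlist.items():
            ctrl, inv = GATE[kind]
            in_vals = [vals.get(i) for i in ins]
            if ctrl in in_vals:              # one controlling input fixes the output
                changed |= put(out, ctrl ^ inv)
            elif None not in in_vals:        # all inputs are non-controlling
                changed |= put(out, (1 - ctrl) ^ inv)
            o = vals.get(out)
            if o == (1 - ctrl) ^ inv:        # this output value forces every input
                for i in ins:
                    changed |= put(i, 1 - ctrl)
            elif o == ctrl ^ inv and ctrl not in in_vals:
                unknown = [i for i in ins if vals.get(i) is None]
                if len(unknown) == 1:        # last open input must be controlling
                    changed |= put(unknown[0], ctrl)


def unjustified_gates(netlist, vals):
    """For each unjustified gate, its complete set of justifications."""
    result = []
    for out, (kind, ins) in netlist.items():
        ctrl, inv = GATE[kind]
        if vals.get(out) == ctrl ^ inv and ctrl not in [vals.get(i) for i in ins]:
            result.append([(i, ctrl) for i in ins if vals.get(i) is None])
    return result


def make_all_implications(netlist, assignments, r=0, r_max=1):
    """Return the values implied with recursion depth r_max, or None on conflict."""
    vals = dict(assignments)
    try:
        direct_implications(netlist, vals)
        progress = r < r_max
        while progress:
            progress = False
            for justifications in unjustified_gates(netlist, vals):
                outcomes = [t for sig, v in justifications
                            if (t := make_all_implications(
                                netlist, {**vals, sig: v}, r + 1, r_max)) is not None]
                if not outcomes:             # no consistent justification exists
                    return None
                common = set.intersection(*(set(t.items()) for t in outcomes))
                learned = {s: v for s, v in common if s not in vals}
                if learned:                  # values shared by every justification
                    vals.update(learned)
                    direct_implications(netlist, vals)
                    progress = True
                    break                    # recompute the unjustified gates
    except Conflict:
        return None
    return vals
```

With depth 0 the assignment f = 1 implies nothing, while depth 1 learns the indirect implication f = 1 ⇒ g = 1 across the two circuits, and the miter-style assignment {f = 1, g = 0} is found inconsistent.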
Functional Comparison
Example 5.2. It is interesting to observe that even in circuits with no structural similarity or any internal equivalencies, still it is possible to identify logic implications between signals, illustrated in Fig. 9.
The upper circuit results from the lower circuit by a simple factorization step as it can occur many times during the synthesis process. It is interesting to observe that many indirect implications exist between signals in the upper and lower circuits although the two do not contain internal equivalencies and are of an entirely different structure. Recursive learning's
Fig. 10 shows the flow of the verification process as in Fig. 7, however, with a more detailed description of phase 2. The routines include_don't_cares() and consistentsatisfy() will be described in Section 6.3.
First, we need to identify the subcircuits by partitioning the original circuits into smaller subcircuits. For this, we use a simple tracing procedure from the outputs towards the inputs. Using a depth-first search from the outputs, we trace until an equivalent node or primary input is encountered, and it is marked. All these marked signals are treated as independent pseudo-inputs to the traced part of the circuit containing the outputs, i.e., these marked signals provide the desired partitions. This is performed on one circuit, and the partition is mapped into the other circuit to the corresponding equivalent nodes. In some cases, this mapping may not result in a complete cut in the other circuit. In these cases, the outputs whose cone does not contain a complete cut are traced in a similar fashion, and the cut is made complete.
The OBDD's for the outputs are calculated for each circuit in terms of these pseudo-inputs that identify the respective circuit's partition. The OBDD's are built, using the apply operation [4] by traversing the circuit from the pseudo-inputs towards primary outputs and building intermediate temporary OBDD's at each node's output. The OBDD's of the respective outputs are compared for equivalence. If they are isomorphic, the circuits are proved to be equivalent and if they are not isomorphic, then a new OBDD is formed by first XOR-ing the OBDD's for the respective outputs and then forming an OR of all these XOR-ed OBDD's. 
Pseudo-Input Justification:
The procedure is listed in Table II. This is a process where first a satisfiable set is found by traversing the XOR-ed OBDD and next an attempt is made to find an input vector at the primary inputs of the original circuit to justify this satisfiable set. If it cannot be justified, OBDD traversal is continued, and a new satisfiable set is found, and the process is repeated until either it is found that there is no satisfiable set which can be justified, which means that the circuits are equivalent, or a distinguishing vector is generated.
The recursive function consistentsatisfy() takes an OBDD node as an argument and finds a consistent satisfiable set. This function is called with the root node of the XOR-ed OBDD. We use the same notation as used in [4] in listing our pseudocode. If var is a BDD node, then the BDD node pointed to by the "one" branch of var is represented as var.high, and the BDD node pointed to by the "zero" branch is represented as var.low. First, it checks the argument for a constant one or a constant zero. If it is a constant one, then function justify() is called to justify the value assignments forming the satisfiable set, and if it cannot be justified, it is not a consistent satisfiable set, and the OBDD traversal is continued. A signal value one is assigned, and if its implications produce inconsistency, it is erased, and signal value zero is tried. If this produces a conflict, no consistent satisfiable set can be found along this path, and the function returns. If the signal assignment does not produce any inconsistency, the traversal is continued by calling consistentsatisfy with var.high or var.low as the argument, depending on the signal assignment.
For the justification process (justify()), we use test generation techniques based on FAN's [11] multiple backtrace procedure and implicit enumeration. The prestored indirect implications are used to speed up the process similar to that done in [19]. Our experimental results show that consistentsatisfy() is generally reasonably efficient to solve the false negative problem. However, in many cases, the process can be sped up considerably by the following technique, which decreases the size of the OBDD that has to be traversed by consistentsatisfy().
Incorporating Don't Cares:
We do an implication analysis to incorporate partial don't care information into the OBDD's. The procedure is listed in Table III. As pointed out, the cause of false negatives is the interdependency of the pseudo-inputs which means, if the equivalent nodes are independent, then no false negatives can occur. Consider the function f of the XOR-ed partitioned cut in the circuit, i.e., they represent pseudo-inputs of the circuit partition for which OBDD's have been built. Function f is represented as OBDD. First, f is divided into two cofactors $f_{x_i}$ and $f_{\bar{x}_i}$ based on a variable $x_i \in \{x_1, x_2, \ldots, x_n\}$.
This procedure is however not complete, i.e., it does not find all don't care sets, but experimental results show that this reduces the OBDD sizes considerably.
Example
Consider the two circuits shown in Fig. 11. The output functions Y1 and Y2 are equivalent. The ROBDD for this function is shown in Fig. 12. Note that in all the examples that show OBDD's, the right edges of the BDD node represent a one, and its left edge represents a zero. HANNIBAL with one depth of recursion identifies the internal equivalent signals EQ1, EQ2, EQ3, as shown in Fig. 11. Based on these internal equivalencies, the circuits are partitioned and these partitioned circuits are shown in Fig. 13, with their respective ROBDD's. These OBDD's are not isomorphic. An XOR of these OBDD's results in an OBDD shown in Fig. 14. Now the procedure consistentsatisfy is called with this XOR-ed OBDD as argument. This procedure traverses the OBDD until a terminal one is reached. In this particular example, there is only one path to the terminal one; the procedure finds this path and assigns the variable values to the corresponding nodes in the original circuits. The implications of these values lead to an inconsistency in the original circuit. The traversal is continued, but since there are no more paths that lead to a one, the two circuits are proved to be equal. Note that the OBDD's for the cut circuits in Fig. 13 are considerably smaller than the OBDD's of the full circuits.
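The false negative and its resolution by pseudo-input justification, as an added example that is not code from the paper: the two circuits, the cut nodes x1 and x2, and all function names are constructed for illustration. A nested-tuple ROBDD built by Shannon expansion stands in for the OBDD package of [4], and exhaustive search over the primary inputs stands in for the FAN-based justify().

```python
# Added example, not code from the paper. Circuits and names are constructed.
from itertools import product

PRIMARY = ["a", "b"]
# Cut nodes assumed already proven equivalent in both circuits (pseudo-inputs).
# They are not independent: x1 = 1 forces x2 = 1 in the original circuits.
CUT = {"x1": lambda p: p["a"] & p["b"], "x2": lambda p: p["a"] | p["b"]}
ORDER = list(CUT)


# Output partitions expressed over the pseudo-inputs.
def a_o(x):
    return x["x1"] | x["x2"]        # circuit A


def b_o(x):
    return x["x2"]                  # circuit B, equivalent to A on real inputs


def b_bad(x):
    return x["x1"]                  # a faulty variant of circuit B


def robdd(f, order, env=()):
    """Reduced OBDD as nested tuples (var, low, high); equal tuples are isomorphic."""
    if len(env) == len(order):
        return f(dict(zip(order, env)))
    low = robdd(f, order, env + (0,))
    high = robdd(f, order, env + (1,))
    return low if low == high else (order[len(env)], low, high)


def justify(pseudo):
    """Primary-input vector that produces the given pseudo-input values, or None."""
    for bits in product((0, 1), repeat=len(PRIMARY)):
        p = dict(zip(PRIMARY, bits))
        if all(CUT[name](p) == v for name, v in pseudo.items()):
            return p
    return None


def consistent_satisfy(node, partial, rejected):
    """Search the XOR-ed OBDD for a path to terminal 1 that the original circuit allows."""
    if node == 0:
        return None
    if node == 1:
        return justify(partial)
    var, low, high = node
    for value, child in ((1, high), (0, low)):       # try one first, then zero
        trial = {**partial, var: value}
        if justify(trial) is None:                   # inconsistent in the original circuit
            if child != 0:
                rejected.append(trial)               # a difference that cannot occur
            continue
        found = consistent_satisfy(child, trial, rejected)
        if found is not None:
            return found
    return None


def verify(f, g):
    """Return (equivalent, distinguishing_vector, rejected_pseudo_assignments)."""
    if robdd(f, ORDER) == robdd(g, ORDER):           # isomorphic OBDD's: done
        return True, None, []
    xor = robdd(lambda x: f(x) ^ g(x), ORDER)
    rejected = []
    vector = consistent_satisfy(xor, {}, rejected)
    return vector is None, vector, rejected
```

For a_o against b_o the OBDD's are not isomorphic, yet the only path to terminal one (x1 = 1, x2 = 0) cannot be justified, so the circuits are reported equivalent; for b_bad the traversal returns a genuine distinguishing vector.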
VII. EXPERIMENTAL RESULTS
In order to examine the performance of our hybrid approach, we conducted a series of verification experiments on the ISCAS-85 benchmarks. The ISCAS-85 benchmarks were verified against their prime and irredundant versions [23] that are also available from MCNC. This verification experiment reflects the range of applications we have in mind for our hybrid verification method. The circuits have been modified at several different locations, but there is still "similarity" between them. This can be expected to be the case for many practical verification problems. The goal is to show that this similarity can be identified by the structural phase 1 and be used to reduce the complexity of the functional phase 2. The prestored indirect implications (the internal equivalent nodes) are read from a file generated by HANNIBAL [15] in phase 1. No special variable ordering techniques are used for our BDD formation. BDD variables are created for each equivalent node based on their output distance. The ordering is fixed for all the outputs of the circuits. The results are presented in Tables IV and V. Table IV compares the final OBDD sizes for the whole and the partitioned circuits, respectively. The variables used for creating OBDD's for the whole circuit were also ordered based on their output distance. In Table V, the CPU time in seconds is listed. The recursion depth used in phase 1 is also listed for each circuit in Table V. The sizes are the aggregate sizes for all the outputs taking sharing into account [4]. Importantly, in all examined cases, the BDD sizes shrink drastically after the structural preprocessing phase. For some circuits marked by an *, structural analysis could complete the job alone [15]. For circuit c3540, we could not build a BDD for a preprocessing recursive depth of one, so the preprocessing phase is done with a recursion depth of two.
In this way, more internal equivalencies are generated, which in turn makes the partitioned circuit smaller, causing the BDD sizes to shrink. This aptly demonstrates the fact that structural and functional techniques can complement each other to provide more efficient means to solve the verification problem. Note that our results can further be improved by applying more sophisticated ordering techniques as have been reported in the literature. The BDD sizes for the examined circuits were very small compared to all conventional functional techniques. Consider the multiplier c6288: as was proved [SI, any OBDD for a multiplier grows exponentially with the number of circuit inputs so that OBDD-based verification for c6288 is not practical. In this case, the preprocessing itself has proved that the circuits are equivalent, without a need for building an OBDD. Table VI lists the number of false negatives encountered for the benchmark circuits. The second column gives the number of outputs of each circuit. The number of outputs proved to be equal in the structural analysis alone is shown in the third column of this table. The fourth and the fifth columns represent the number of outputs with isomorphic OBDD's and outputs with different OBDD's (i.e., false negatives), respectively. As the results suggest, the percentage of the total number of outputs that result in false negatives is fairly low. However, efficient methods have to be incorporated to effectively deal with this problem. The method presented in Section VI performed very well for all cases of false negatives but one. The fairly large CPU time for circuit c7552 is due to the occurrence of one out of the ten false negatives encountered for this circuit. Some fine-tuning or an improved variable ordering for this circuit may have fixed this problem; however, we chose to present this result because it reflects the limitation of the hybrid approach induced by the occurrence of false negatives.
Fortunately, for all other cases of false negatives, also in c7552, the technique presented in Section VI proved very efficient and contributed only little to the total CPU time.
The results presented so far were only for circuits that were equivalent. It is interesting to see how our methods fare when the circuits are not equivalent. For this reason, we changed a gate in one version of the benchmark circuits and verified it against the other version. Table VII presents the results for these true negatives, comparing OBDD sizes and CPU time between the OBDD-based pure functional method and our hybrid approach. For all the cases, the depth of recursion was one. In the majority of the cases, the inequivalence was proved in the structural stage itself. This is because the structural techniques are particularly powerful in generating a distinguishing vector without completely enumerating the search space. In the cases where OBDD's had to be created, the required sizes were very small, and in all cases, the CPU time is relatively low.
Our research clearly demonstrates that functional and structural methods can be combined efficiently. The complexity of functional approaches is reduced drastically if internal equivalencies can be identified. Only in the worst case, i.e., if no internal equivalencies exist at all, the BDD's have to be constructed to their full sizes.
In summary, structural methods perform well when there is some degree of similarity between the two circuits, whereas functional methods perform well for small circuits. As seen above and illustrated earlier in Fig. 1(b), the proposed hybrid method has the potential to overcome these shortcomings.
VIII. CONCLUSION-FUTURE WORK
Formal logic verification is an extremely difficult problem. No single technique is known that performs well for all classes of circuits and provides satisfactory results in all practical situations. Previous approaches to logic verification can be divided roughly into functional and structural approaches. This paper proposes a novel framework for logic verification based on the combination of structural and functional techniques. These two paradigms are of a totally different nature, but they can complement each other. Although the combination is generally beneficial, it can create an overhead in the form of false negatives. Summarizing, this research suggests that there are the following three ingredients to a powerful logic verification tool:
1) Structural techniques like ATPG and recursive learning: the task of these techniques is to capture the similarity of designs and to express them, e.g., in terms of implications or internal equivalencies. This has been presented in Section V. As pointed out in Section IV, further improvements over the approach presented here may be obtained by using observability don't cares to have a looser requirement on partitioning the circuit. This can be accomplished by the ATPG concepts of [5] or by using D-implications as in [16]. Furthermore, similarity between designs can be captured in an even more general way using the notions of [22].
VOL 15, NO 1, JANUARY 1996
Our experimental results show that the presented techniques and general framework provide a means for effective trade-off between time and memory. It is clearly demonstrated how the complexity of OBDD-based verification can be reduced by using internal, structural similarity of designs. Our framework, as we have presented, combines the advantages of the useful in a logic synthesis environment. In summary, we have demonstrated the overall potential of hybrid methods as it was illustrated in Fig. 1(b).
