Abstract
In this paper, we propose a formal verification method for combinatorial circuits at high level design. The specification is described by both integer and Boolean variables for input and output variables, and the implementation is described by only Boolean variables. Our verification method judges the equivalence between the specification and the implementation by deciding the truth of a Presburger sentence. We show experimental results of our method on some benchmarks, such as a 4bit ALU and a multiplier.
Introduction
With the rapid increase in the size and complexity of VLSI systems, formal verification has become essential for designing them correctly. For this goal, we have proposed a formal verification method for high level circuit design, and developed a verification support system to evaluate our method by experiments [8].
In this paper, we propose a verification method for combinatorial circuits at high level design. The specification is described by both integer and Boolean variables for input and output variables. The implementation is described by only Boolean variables for input and output variables. Our verification method judges the equivalence between the specification and the implementation by deciding the truth of a Presburger sentence, which consists of integers, variables and the operators belonging to { ∧, ∨, ¬, +, -, =, >, ∀, ∃ }. We describe the results of some verification experiments.
Our verification method may be similar to the method of [5, 6] with BMDs (Binary Moment Diagrams). However, an integer variable is treated as one variable without being decomposed into a set of Boolean variables in [5, 6]. Our verification method is more suitable for high level formal verification.
Proposed Verification Method for Combinatorial Circuits
In this section, we first describe the style of specification and implementation of combinatorial circuits. Then we propose the method to decide the equivalence between specification and implementation. We explain them using the example of the 74382, a 4bit ALU (standard TTL).
Specification
In the specification, 74382 has six inputs, $A, $B, $Cnspec, S0, S1, S2, and three outputs, $Fspec, $Cn4spec and OVR. $A and $B are integer inputs, $Cnspec is a carry-in, and S0, S1 and S2 are function selecting inputs. $Fspec, $Cn4spec and OVR are an integer data output, a carry-out and an overflow flag, respectively. For convenience, we use the prefix "$" for an integer variable, and the suffix "spec" or "imp" for a variable used in the specification or the implementation, respectively. We show the 74382 specification in 
Implementation
In the implementation, 74382 has 12 Boolean inputs A0, .., A3, B0, .., B3, Cnimp, S0, S1, S2, and has seven Boolean Figure 2. For example, output F0 is specified by the logic function which consists of inputs [S0, S1, S2] and Boolean variables such as -TMP009. We use the prefix "-TMP" for an internal node.
Inputs A0, .., A3 ,
Figure 2 Implementation of 74382
Definition of Equivalence between Specification and Implementation
We define the equivalence between the specification and the implementation. If the specification and the implementation have the same output value for any common input value, they are equivalent. But corresponding inputs and/or outputs may have different data types, such as integer and Boolean. We introduce i-to-b and b-to-i functions (or relations), which translate integer data into Boolean data and Boolean data into integer data, respectively. We show these functions in Figure 3.
We show the outline of verification using these functions in Figure 4. For example, Figure 4 (a) verifies that the Boolean outputs in the specification and the implementation are equivalent, and that the results of the i-to-b function for integer variables in the specification and the Boolean outputs in the implementation are equivalent, for each common value of all inputs.
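The equivalence check through i-to-b and b-to-i can be tried on a small circuit. The following is an added example, not code from the paper: it uses a constructed 4-bit ripple-carry adder rather than the 74382 function table, and exhaustive enumeration of the Boolean inputs stands in for the Presburger decision procedure. The names `spec_add`, `imp_add`, `check_equivalence` and the `broken_bit` parameter are hypothetical.

```python
from itertools import product

def b_to_i(bits):
    """Boolean tuple (LSB first) -> unsigned integer."""
    return sum(1 << k for k, b in enumerate(bits) if b)

def i_to_b(value, width):
    """Unsigned integer -> Boolean tuple (LSB first)."""
    return tuple(bool((value >> k) & 1) for k in range(width))

def spec_add(a, b, cn):
    """Integer-level specification: ($F, Cn4) of a 4-bit add with carry-in."""
    total = a + b + int(cn)
    return total % 16, total >= 16

def imp_add(A, B, cn, broken_bit=None):
    """Gate-level ripple-carry adder over Boolean inputs A0..A3, B0..B3.
    broken_bit replaces the carry logic of one stage with a plain AND
    (a constructed design error used to show a failing check)."""
    F, carry = [], cn
    for k in range(4):
        F.append(A[k] ^ B[k] ^ carry)
        if k == broken_bit:
            carry = A[k] and B[k]
        else:
            carry = (A[k] and B[k]) or (carry and (A[k] ^ B[k]))
    return tuple(F), carry

def check_equivalence(broken_bit=None):
    """Return None if equivalent, else the first counterexample (a, b, cn)."""
    for *bits, cn in product([False, True], repeat=9):
        A, B = tuple(bits[:4]), tuple(bits[4:])
        a, b = b_to_i(A), b_to_i(B)          # Boolean inputs -> integer inputs
        f_spec, c_spec = spec_add(a, b, cn)
        F_imp, c_imp = imp_add(A, B, cn, broken_bit)
        # Compare on the Boolean side (i_to_b of the spec output) and on
        # the integer side (b_to_i of the implementation output).
        if (i_to_b(f_spec, 4) != F_imp or b_to_i(F_imp) != f_spec
                or c_spec != c_imp):
            return a, b, cn
    return None
```

`check_equivalence()` returns `None` for the correct adder; with `broken_bit=0` it returns the first input on which the dropped carry changes the sum.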
There are four different combinations of data type (integer or Boolean) for the inputs and outputs of the specification and implementation to be verified. If one of them is verified, the implementation is equivalent to the specification. The expression corresponding to each type of terms (or numerical parts) are expressed in list and logical parts are expressed in BDDs [1]. An expression with integer variables is treated as one Boolean variable node. The value of this Boolean variable is evaluated as true or false when the numerical part has no free integer variable (that is, when the last integer variable is eliminated). We explain our proposed data structure with an example sentence and its corresponding data structure. Figure 5 shows a diagram which corresponds to the sentence (2 < x1 + x2) ∧ (2 x2 < 3) ∧ (-1 < x1 - 2 x2). The meshed area expresses the sentence (or logical part) as a BDD. The BDD in this area is the same as the BDD corresponding to a1 ∧ a2 ∧ a3, which is obtained by transforming each numerical part of the sentence into a1, a2 and a3. The internal nodes of this data structure have three pointers: to the then node, the else node and the numerical node, which points to the numerical part. The numerical part holds the constant integer on the left side and the list of integer variables and integer constants on
We denote this verifier as Sys1. In the data structure in Sys1, the order of variables in the diagram decides the size of the generated data structure. In our library, the variable order is fixed by the order in which the variables appear in the syntax analysis of the input sentence. Another verifier is able to decide the truth of a subclass of Presburger sentences given by the prenex normal form with only ∀, without ∃. situation. We refer to "don't care situations" in 4.
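The node layout described above can be sketched in a few lines. This is an added example, not the authors' library: it assumes the example sentence reads (2 < x1 + x2) ∧ (2 x2 < 3) ∧ (-1 < x1 - 2 x2), that every numerical part is normalised to "constant < sum of coefficient * variable", and it uses a bounded search where the paper eliminates integer variables. `Node`, `conj`, `evaluate` and `witnesses` are hypothetical names.

```python
from itertools import product

class Node:
    """Internal node: then/else pointers plus a pointer to a numerical part."""
    def __init__(self, num, then, els):
        self.num, self.then, self.els = num, then, els

# Numerical part "c < sum(coef * var)" stored as (c, [(coef, var), ...]).
A1 = (2, [(1, "x1"), (1, "x2")])       # 2 < x1 + x2
A2 = (-3, [(-2, "x2")])                # 2*x2 < 3 rewritten as -3 < -2*x2
A3 = (-1, [(1, "x1"), (-2, "x2")])     # -1 < x1 - 2*x2

def conj(atoms):
    """Diagram for a1 AND a2 AND ...; every else edge goes to False."""
    node = True
    for num in reversed(atoms):
        node = Node(num, node, False)
    return node

def holds(num, env):
    """Truth value of one numerical part once its variables are bound."""
    const, terms = num
    return const < sum(coef * env[var] for coef, var in terms)

def evaluate(node, env):
    """Walk the logical part, resolving each node through its numerical part."""
    while isinstance(node, Node):
        node = node.then if holds(node.num, env) else node.els
    return node

def witnesses(root, names, lo, hi):
    """Satisfying assignments in [lo, hi]; a bounded search, not a decision
    procedure for the full Presburger sentence."""
    return [vals for vals in product(range(lo, hi + 1), repeat=len(names))
            if evaluate(root, dict(zip(names, vals)))]

FIG5 = conj([A1, A2, A3])
```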
3. Verifier
Experiments
Verification of 74382
Figure 5 An example of our proposed data structure
We describe the verification result of 74382 in 2. We show the result in Table 1. Sys2 needs the same 0.3 seconds for four types of verification. Sys1 takes longer for the verification of Boolean inputs and Boolean outputs. The reason is that the verification by Sys1 requires three b-to-i functions, which result in three large complete binary sub-trees, and that Sys1 takes much time and space to treat such a data structure.
Then, we show the verification result of the equivalence between two different implementations imp1 and imp2 of 74382. The BDD data structures corresponding to imp1 and imp2 are constructed in Sys1, where only the pointers to the top node of the corresponding BDD data structures are compared.
Verification of Multiplier
We describe the verification results of 4bit and Sbit multipliers. These circuits use a sign-magnitude format as input and output data. Integer "0" is expressed in two ways, such as "FFFF" or "TFFF" in the case of 4bit. Thus when the data output is "0", the sign output does not need to be considered. We use don't care situations expression (2):
Verification of Output nan-res in fp-add
We are attempting the verification of fp-add, a floating point adder in HLSynth95. We regard as the specification the relation from inputs to outputs, and as the implementation the relation among inputs, outputs and internal terminals from the VHDL description. All numerical terminals in the specification and implementation, such as exponent and mantissa, are treated as integers.
Using our method in 2, the verification for only output nan-res can be performed. Sys1 can verify more quickly than Sys2.
Conclusions
We proposed a formal verification method for high-level combinatorial circuits and showed the results of verification experiments using our verifier.
Sys1 is superior to Sys2 in the verification of nan-res, and there is more prospect in Sys1 for the high-level verification of combinatorial and sequential circuits. We are now improving Sys1 and will apply it to larger and higher levels, including sequential circuit verification.
Int. Conf. 34th DAC (1997).
Table 1 Results of verifications
