Abstract-Rule-based equivalence checking of system-level design descriptions proves the equivalence of two system-level design descriptions by applying the equivalence rules in a bottom-up manner. Since the previous work derives the equivalence of the internal variables based on their names, the method often fails to prove the equivalence when the variable names are changed. This paper proposes a method for improving the accuracy of the rule-based equivalence checking by identifying potential internal equivalences using random simulation. Experimental results using an example design show that the proposed method can prove the equivalence of the designs before and after a practical design optimization.
I. Introduction
The recent dramatic advance of the semiconductor technologies leads to a large-scale system on a VLSI chip. As a consequence, the design cost and turn-around time have been increasing rapidly. Recently system-level design, which has a higher level of abstraction than register-transfer-level design, attracts more attention as an effective design approach. In the systemlevel design methodology, an entire system is described in a system-level design description language. Since it enables a hardware and software co-design, a design reuse, and a less description effort due to a higher abstraction, a higher design productivity can be achieved. As system-level design description languages, C-based languages such as SpecC [1] and SystemC [2] are widely used. CAD technologies are the key to a successful system-level design, and hence the subjects are being studied actively.
Apart from these advantages of the system-level design, if a design error is found in a later phase of the design flow, a designer needs to fix the design at the system level. This leads to the increase of the design cost and turn-around time. Thus, it is critical to find any design errors in an early phase of the design flow. To this end, formal verification is preferable to simulationbased verification which may fail to find corner-case errors. Although several formal verification techniques for system-level design descriptions have been studied in a number of literatures [3] , [4] , [5] , more efficient methods are always desired. In the current system-level design methodologies [6] , [7] , they provide the tools which interactively support the transformations and refinement of a design. In these methodologies, a design is locally and incrementally refined by transforming the design manually. Thus, design errors can be efficiently found in an early phase of the design flow by checking the equivalences for every local transformation.
For this purpose, an rule-based equivalence checking method for system-level design description has been proposed [8] . The rule-based equivalence checking of system-level design descriptions proves the equivalence of two design descriptions by applying a set of local equivalence rules in a bottom-up manner. By regarding each equivalence rule as a pattern in a graph, the rule-based equivalence checking can be regarded as a graph matching problem. Using the extended system dependence graph ExSDG [9] as an internal representation, an efficient implementation of the equivalence checking method is achieved.
Since the rule-based equivalence checking method proves the equivalences in a bottom-up manner, the equivalences of the variables need to be determined in advance. The equivalences of the variables, called as internal equivalences, are used to prove the equivalences of the expressions and statements using the variables. In [8] , the internal equivalences are determined according to their names. However, the internal equivalences based on the names fail to prove the equivalences in the following cases:
• Variables are swapped • Variable names are changed • Intermediate variables are introduced
The examples in Fig. 1 illustrate these cases. Although the designs in Fig. 1 (a) -(d) are all functionally equivalent, the equivalence checker based on the names cannot prove the equivalence. Since the design modifications illustrated above are typical, it is critically important to prove the equivalence even in the presence of those modifications. This paper proposes a method for improving the accuracy of the rule-based equivalence checking by identifying potential internal equivalences using random simulation. Experimental results using an example design shows that the proposed method can prove the equivalence of the designs before and after a practical design optimization. The remainder of this paper is organized as follows. Section 2 explains the extended system dependence graph ExSDG and the rule-based equivalence checking method. Next, the proposed equivalence checking method based on potential internal equivalences identified by random simulation is shown in Section 3. Finally, experimental results and conclusions are presented. 
II. Preliminaries

A. ExSDG: Extended System Dependence Graph [9]
System Dependence Graph (SDG), proposed by Horwitz et al. [10] , has been used mainly for program slicing. In an SDG, each node corresponds to a statement or an expression in a design description, and each edge represents a dependence relation between a pair of nodes. The dependence relation is categorized into three types: data dependence, control dependence, and declaration dependence.
Data dependence There is a data dependence from a statement s1 to another statement s2 if a variable assigned in s1 is used in s2 without any other assignment to s1. Control dependence There is a control dependence from a statement s1 to another statement s2 if s1 controls the execution of s2. Declaration dependence There is a declaration dependence from a statement s1 to another statement s2 if a variable declared in s1 is used in s2.
Extended System Dependence Graph (ExSDG) is an abstract syntax tree with SDG dependence edges [9] . By representing a system-level design description using ExSDG, the manipulation and analysis of a system-level design can be performed efficiently. An example of an ExSDG is illustrated in Fig. 2 .
B. Rule-based Equivalence Checking [8]
Rule-based equivalence checking proves the equivalence of two designs by applying a set of pre-defined equivalence rules. Each equivalence rule is defined based on a static dependence relation and control flow. It is assumed that the equivalences of variables and constants in two design descriptions are already known. Given the ExSDG representations of two designs, each equivalence rule can be viewed as a pattern in an ExSDG. Therefore, the problem of the rule-based equivalence checking can be viewed as a matching problem of two ExSDGs. Note that a set of equivalence rules are chosen empirically and hence the proposed method is not guaranteed to prove any equivalences. We explain some important rules below. In the rules, ≡ represents a design equivalence, represents a definition equivalence. L1: x0 -= x1; L2: x8 = x0 + x1; L3: x2 = x1 -(W2 + W6) * x2; L2: x8 = x0 + x1; L1: x0 -= x1; L3: x2 = x1 -(W2 + W6) * x2; L1: x0 -= x1; L3: x2 = x1 -(W2 + W6) * x2; L2: x8 = x0 + x1; (a) (b) (c) Fig. 3 . Examples of equivalence checking using the sequential composition rule. Fig. 3 (a) 
III. Proposed Method
A. Identifying Potential Internal Equivalences Using Random Simulation
As explained in the previous section, the rule-based equivalence checking applies the equivalence rules in a bottom-up manner under the assumption that the equivalences of the variables between two designs, called as internal equivalences, are known. In [8] , the internal equivalences are identified based on the names of the variables, i.e., the variables with the same name are equivalent. However, as explained in Fig. 1 , identifying the internal equivalences based on the variable names often fails the verification of designs before and after typical design modifications. This paper proposes a method which identifies potential internal equivalences using random simulation. After simulating two target designs with randomly-generated input patterns, the variables with the same value are identified as potential internal equivalences. Potential internal equivalence identification methods using random simulation have been commonly used in equivalence checking of gate-level circuits [11] . We formulate a problem of identifying potential internal equivalences of system-level design descriptions as follows:
Problem 1 Find a set of equivalence classes of the nodes corresponding to the variables in the ExSDG representations of two designs.
An equivalence class is defined as a set of nodes which are equivalent to a representative node r:
where N 1 and N 2 are the sets of the nodes in two designs, respectively. Fig. 4 describes the basic procedure for identifying potential internal equivalences using random simulation. We explain each step in this procedure as follows. First, each ExSDG is converted into a static single assignment (SSA) representation. Since every variable in a function is guaranteed to be assigned only once, it enables the identification of more potential equivalences. Next, the primary input ports in the designs are identified and then the input pattern for each primary input port is generated randomly. In this paper, we define a cycle as a period of the execution from accepting an input pattern to generating a set of output values. It is assumed that given designs can be executed on a per-cycle basis. Alternatively, one can specify a cycle as N times of handshake communications or an execution in N unit-time and so on.
Next, a monitor statement is inserted immediate after each assignment statement. This dumps the value of a variable in the left-hand side of the assignment statement. If a function is called multiple times in a cycle, the same variable is assigned multiple times. This also occurs when a module is instantiated multiple times. Though one can perform "elaboration" to duplicate modules and/or functions to distinguish these assignments, it is not efficient. Therefore, different assignments to the same variable in a cycle are distinguished by dumping not only the variable name but also their runtime context information. The runtime context information represents a path from the top-level module to the current function. A variable with such a context information is called as an extended variable. Every extended variable is guaranteed to be assigned only once in a cycle. If an extended variable is not assigned in a cycle, the variable has an invalid value.
Then, a pattern generator module for the random input patterns is created and connected to each design. By compiling the design description, a simulator is generated and executed. Then, the signature for each variable is generated based on the simulated values of the variable. A signature is defined as a vector of the values of an extended variable where the size of the vector is the number of the simulation cycles. In a software implementation, a signature can be represented as a string concatenating the strings of the values with a delimiter character. The variables with the same signature are potentially equivalent, and those with the different signatures are not equivalent. Note that potentially equivalent means that the variables are equivalent for the input patterns. Two extended variables with multiple contexts are potentially equivalent if they have the same signature for every context. Finally, a set of equivalence classes is formed by collecting the variables with the same signature.
B. Equivalence Checking Based on Potential Internal Equivalences
Once the potential internal equivalences are identified in Section 3-A, the equivalence checking in Section 2-B can be performed even for the examples in Fig. 1 . Since the potential internal equivalences are based on the simulation, they may include false equivalences. In this section, we propose an extension of the rule-based equivalence checking method, which works even in the presence of false internal equivalences.
It is possible that no equivalence is found for a variable because the generated input patterns do not satisfy a condition and hence a portion of the program is not executed during the simulation. This issue is avoided by using an existing technique which generates the input patterns activating a specific portion
Inputs:
ExSDGs of two designs G 1 , G 2 Potential internal equivalences Output: A set of equivalence classes of ExSDG nodes 1: repeat 2:
for all node N 1 in G 1 do 3:
Apply the rule corresponding to the type of N 1 4:
if found an equivalence then 5:
Add N 1 and N 2 ∈ G 2 in an equivalence class 6:
else if found a contradiction in a potential equivalence then 7:
Remove the false equivalence from the equivalence class 8:
Remove any equivalences derived the false equivalence from the equivalence class 9:
end if 10:
end for 11: until any equivalence classes have been updated in the last iteration of a program [12] . Therefore, we assume that the potential equivalences of every variable are identified.
Thus, there are only two possible cases: (a) the internal equivalences are all true and (b) some variables in a equivalence class are not equivalent. Note that no two variables in different equivalence classes are equivalent. The proposed equivalence checking method resolves most of false internal equivalences and can prove the equivalence accurately. Fig. 5 presents the basic procedure for the rule-based equivalence checking based on potential internal equivalences. The inputs to the procedure are two ExSDGs G 1 , G 2 corresponding to the target designs and a set of equivalence classes of the ExSDG nodes corresponding to the variables. For each node N 1 ∈ G 1 , the rule corresponding to the type of N 1 is applied. If two nodes N 1 and N 2 ∈ G 2 are found to be equivalent by the rule, a new equivalence class is introduced for these two nodes. If a contradiction in an internal equivalence is found during applying the rule, the false internal equivalence is removed from the equivalence class and also all the equivalences derived from the false equivalence are removed. This process is repeated until any new equivalence is found in the last iteration. If the equivalences of all nodes in the ExSDGs is found, two designs are proved to be equivalent. Fig. 6 illustrates an example of how a contradiction in a potential internal equivalence is found during the procedure. In this example, b and c in both (a) and (b) are identified to be equivalent unless the input patterns include a=123. In such a case, the equivalence class is identified as:
Without considering a contradiction, the rule-based equivalence checker determines that two designs are equivalent. However, ex5/S3 and ex6/S3' are equivalent only if there are two disjoint equivalence classes:
In contrast, ex5/S2 and ex6/S2 are equivalent only if there are two disjoint equivalence classes: Since (2) and (3) contradict each other, these potential internal equivalences are removed and the procedure terminates the equivalence checking.
IV. Experimental Results
We have implemented the proposed rule-based equivalence checking method by identifying potential internal equivalences in C++. It is implemented on top of a system-level formal verification framework FLEC. FLEC generates an ExSDG by parsing a design description in SpecC language, generating an abstract syntax tree, and performing a dependency analysis. SpecC reference compiler [13] is used for generating a simulator.
Two SpecC descriptions of inverse discrete cosine transform (IDCT) before and after a set of practical design optimizations are used as example designs. The design before the optimization executes the processes for rows and columns sequentially. The design after the optimization executes them in parallel and also the variable names are changed during the parallelization. The previous rule-based equivalence checker based on the variable name could not determine the equivalence of two designs because the it could not find the equivalence of some variables due to the change of their names. The proposed method proved that two designs are equivalent. The runtime was several seconds where most of the time was spent by the compilation of the simulator. From the fact that the runtime of the compilation of simulator is typically proportional to the size of the design and also the rule-based equivalence checking can be regarded as a graph matching problem, the proposed method is applicable to large-scale problems.
V. Conclusions
This paper proposes a method for improving the accuracy of the rule-based equivalence checking by identifying potential internal equivalences using random simulation. Rule-based equivalence checking of system-level design descriptions proves the equivalence of two system-level design descriptions by applying the equivalence rules in a bottom-up manner. Since the previous work derives the equivalence of the internal variables based on their names, the method often fails to prove the equivalence when variable names are changed. The experimental results on an example design demonstrated that the proposed method can prove the equivalence of the designs before and after a practical design optimization.
