Abstract. We have developed a methodology based on symbolic manipulation of inductive Boolean functions (IBFs) for formal verification of inductively-defined hardware. This methodology combines the techniques of reasoning by induction and symbolic tautologychecking in an automated and potentially efficient way. In this paper, we describe a component of this methodology that regards various mechanisms used to represent inductivelydefined circuits in the form of IBFs. The focus is on general parameterization issues, such as multiple parameter functions, multiple output functions, interaction of different parameters for supporting compositions etc. These mechanisms, which may be useful in other applications involving parametric circuit descriptions, are illustrated through practical circuit examples along with preliminary results. We also describe an application of our formal verification methodology, where a proof by induction is performed by automatic symbolic manipulation of parametric circuit representations.
Introduction
The high level of complexity of current hardware systems has led to an interest in formal methods for proving their correctness. We have developed a methodology based on symbolic manipulation of inductive Boolean functions (IBFs) for formal verification of inductively-defined hardware, i.e. circuits where the structure can be described inductively (iteratively, or recursively) in terms of size parameters. Since reuse of existing designs has become an important issue in practice, use of parametric designs in the form of standard libraries has been emphasized as an emerging trend [12] . By directly addressing the issue of parameterization in our approach, as described in this paper, we provide the necessary framework for representation and verification of such designs. To provide a perspective for the research described in this paper, we start with a brief background description of our verification methodology.
Motivation
Previous verification work with parametric descriptions of circuits includes reasoning by induction both in theorem-proving systems [7, 13, 16, 20] , and within model checking/languagecontainment paradigms [9, 17, 21] (an extended bibliography can be found in a recent survey [14] ). The main advantage with these approaches is that a single proof serves to establish the functional or behavioral correctness of an entire family of circuits. However, most available approaches are semi-automated, typically requiring user guidance and heuristic search for a proof.
On the other hand, verification of non-parametric circuits has been successfully performed by various techniques based on symbolic manipulation of Boolean functions [1, 4, 5, 6, 8, 10, 11, 18] . The success of these techniques is largely due to the availability of automatic symbolic Boolean manipulation algorithms (using canonical Boolean function representations) that are efficient in practice [3, 4] . There have been some recent efforts in applying these techniques for iterative systems [19] , but unlike our approach, they use automata-based methods. The primary motivation for our verification methodology was to combine reasoning by induction and symbolic tautology-checking in a way that would incorporate the advantages of both. Our approach is based on automatic symbolic manipulation of classes of inductive Boolean functions, i.e. Boolean functions that are defined parametrically in terms of induction parameters (formal definitions are given later). Just as symbolic Boolean function manipulation is facilitated by using a canonical representation for Boolean functions -such as Bryant's Binary Decision Diagram (BDD) [4] -our manipulations use canonical representations for inductive Boolean functions. These representations, for different classes of IBFs, can be viewed as inductive extensions of BDDs, where canonicity is ensured by equality checking with a built-in principle of induction. The main idea is that by building in this principle into the IBF representations, a proof by induction is performed automatically through symbolic IBF manipulation. For verification applications, this allows us both to automate an induction proof, and to eliminate the heuristic search usually encountered in proof-theoretic frameworks. Note that we do not claim to address the general problem of induction in a first-order (or higher-order) logic setting, as is done in theorem-proving systems with formal logics [2, 7] .
Overview
Our verification methodology based on symbolic IBF manipulation can be naturally described in terms of the following components:
-characterization of useful classes of IBFs, and a representation schema for each (consisting of a canonical representation and symbolic manipulation algorithms for functions in that class), -representation of inductively-defined circuits and specifications in the form of IBFs, and -translation of induction proofs into appropriate symbolic manipulations on the IBF representations.
The schemata details for the two classes of IBFs we have identified so far -linearly inductive functions (LIFs), and exponentially inductive functions (EIFs) -can be found elsewhere [15] , and are summarized for convenience in Section 2. The main focus of this paper is on representation of parametric circuits in the form of LIFs and EIFs. The emphasis is on general mechanisms addressing important parameterization issues such as multiple parameters (described in Section 3), as well as multiple outputs, composition of descriptions with different parameters etc. (described in Section 4). These mechanisms are illustrated with the help of practical circuit examples (including a serial adder, parallel parity circuit, tree carry lookahead adder, decoder, register file), along with preliminary results for LIF circuit representation. The use of these mechanisms is not limited to our verification methodology, but can potentially extend to other applications involving parametric hardware descriptions. In Section 5, we describe a simple verification task where a proof by induction for a specification property, expressed as a Boolean combination of LIFs, translates to our automated method for tautology-checking of the corresponding specification formula. Finally, our conclusions and directions for future work are presented in Section 6.
Circuit Representation with IBF Schemata

Linearly Inductive Functions (LIFs)
Informally, an inductive Boolean function is defined in terms of an induction parameter, with the arguments of the function also parameterized accordingly. Formally, 
In the LIF schema, each LIF f is identified with a function descriptor, consisting of the following two structures :
1. a standard BDD representing the 1-instance of f, called the Basis BDD for f. -They are canonical in terms of the parametric inputs (with respect to a given variable ordering). -Their size complexity, and complexity of symbolic manipulation algorithms, is independent of the parameter of inductive description. Thus, we have a fixed-sized representation for all size instances of a parametric circuit.
Our method for enforcing canonicity of function descriptors involves checking equality of pairs of LIF function descriptors using a built-in principle of induction [15] . This automatic built-in induction is at the heart of our verification methodology, as it allows automatic incorporation of all useful basis cases and hypotheses. This not only results in automation of the induction proof, but also eliminates the associated heuristic search. 
-Condition 3: For all i; j > 0, B i B j .
Space restrictions do not permit us to describe the details of EIF representation and symbolic manipulation, which are similar to those for LIFs. Instead, we give the following examples for EIF representation of practical circuits.
Example 2:
Consider an i-instance tree parity circuit with parameterized input a, represented as a 2 i -bit vectorã 2 i ]. We can express the parity output function p i as:
Its EIF representation is shown in Figure 2 (where double circles denote super-nodes that are allowed to point to function descriptors, and "L"/"R" denote substitutions on pointers from super-nodes indicating the left/right half of inputs respectively). The following EIFs p and g, represent the carry-propagate and carry-generate functions of a typical log-tree carry lookahead adder with data inputs x and y.
Multiple Parameter Representation Framework
In this section, we describe a canonical representation for a multiple parameter function. This representation can work in conjunction with any schema for canonical representation of a single parameter function, and is not restricted to the single parameter IBF schemata described above. However, we can currently handle descriptions involving independent parameters only, i.e. where the function corresponding to any point in the parameter hyperspace can be obtained by inductively applying the parametric definitions, one parameter at a time, to the basis case. As for canonicity, note that the leaf nodes of the decision tree can be made canonical using IBF schemata (or any other schema for canonical representation of a single parameter function). For rest of the decision tree, we impose a total ordering on the comparison nodes, specified as a global user-given ordering on the induction parameters. For example, the decision tree of Figure 4 is consistent with a user-given ordering i < j, but is in conflict with j < i (and would therefore be unacceptable for this ordering). An ordered decision tree can be reduced by elimination of redundant nodes and isomorphic subgraphs, to obtain a canonical dag (in a manner similar to BDDs). Note that since an induction trajectory implicitly specifies an ordering on the underlying parametric variables (X (i;j) ), the resulting representations are canonical only with respect to a given ordering of the comparison nodes (as with standard BDDs). Also, as a matter of convention we place non-parametric control variables before parametric control/data variables in the variable ordering. This allows us to use non-parametric variables for steering the choice of an appropriate inductive function.
Multiple Circuit Outputs
With the representation machinery developed so far, we can represent a single i-instance output of an inductively-defined circuit as an i-instance IBF. Therefore, a circuit with a fixed number of outputs for each i-instance description can be represented easily as a set of IBFs, one corresponding to each output. However, in many cases, the number of outputs of an i-instance circuit is also a function of the induction parameter i. In such cases, it is not possible to explicitly represent each output as an IBF. Fortunately, there is usually some kind of inductive structure among related multiple outputs, which can be exploited in representing them parametrically using an output index. In other words, we use a single IBF to parametrically represent a multiple output function, and provide access to a particular output of interest through explicit use of an output index. We have explored two different alternatives for representation of an output index, as described in the remainder of this section. Note again, that both these alternatives can be used in conjunction with any general schema for canonical representation of a single output function.
Output Index as a Parameter:
We use the multiple parameter framework described in Section 3, such that each circuit output is regarded as an appropriate projection of an IBF defined over a multi-dimensional parameter hyperspace. However, we now extend it such that comparison nodes are allowed to involve comparison of output index parameters against partitions in their range. Each path through comparison nodes in a decision tree identifies a particular region of the parameter hyperspace, and the leaf node points to the function description corresponding to that region. Since we use IBF-style function descriptions, we obtain canonical representations of the leaf nodes as before. The remaining task is to represent the decision tree with comparison nodes in a canonical form, and to represent only non-null regions in the parameter hyperspace. The essential idea is to restrict ourselves to a set of totally ordered partitions for each output index parameter. Comparison nodes for different parameters can then be ordered by additionally utilizing the user-given ordering on parameters. Again, the resulting ordered decision tree can be reduced by eliminating isomorphic subgraphs and redundant nodes, to obtain reduced ordered dags that are canonical. Typically, both the range and partitions for output index parameters are specified as functions of size parameters of the circuit (and numerical constants). For an n-dimensional parameter hyperspace, we consider partitions formed by hyperplanes only, i.e. each partition can be represented as a linear equation (with real coefficients) in n parameters. We have explored the following two alternatives for ordering the partitions, based on whether or not intersection of hyperplanes is allowed:
-Non-intersecting hyperplanes -The partitions can be totally ordered according to the range of integral values taken by the parameter on each side of the hyperplane. -Intersecting hyperplanes -Any ordering based strictly on the syntactic representation of the hyperplanes can be used. However, in order to detect non-null regions, a linear programming problem corresponding to each path in the decision tree may need to be solved.
All the circuit examples we have encountered so far, can be handled by non-intersecting hyperplane partitions (e.g. Example 6 in Section 4.5).
Output Index as a Binary-encoded Argument:
Another technique for representation of an output index is to encode it as a parameterized Boolean-valued argument of a function. In this respect, it is treated identically as a parameterized Boolean-valued circuit input, along with the same syntactic restrictions in the case of IBF representations. A typical application of this method is for an i-instance circuit with 2 i outputs, such that an i-bit argument encodes the output index for an i-instance IBF. Note that the i th bit of j (denoted j i ) is used for choosing the appropriate half in the range of j, and the remaining (i ? 1) bits are passed as an implicit argument to the (i ? 1)-instance function dec i?1 . This exactly matches an LIF description, and its LIF representation is shown in Figure 5 .
We have found this mechanism particularly useful for circuits that are organized inductively in the form of a tree, e.g. prefix parity circuits, carry outputs of a carry lookahead adder etc. Essentially, the vector of outputs at depth i can be divided into halves, such that the j th output within each half depends upon the j th output at depth (i ? 1). It is the binary-encoding of the output index that allows the exponential nature of a tree circuit to be captured in a linear form. 
Vectors of Outputs
The focus of the previous section was on representation of an individual output of a multiple output circuit, where the range of the output index implicitly defines a vector of outputs. However, in some cases we may be interested in representing explicit subvectors of this vector of outputs. This is particularly useful in handling compositions of inductively-defined hardware units, where an output vector from one unit is used as the input vector for another unit. Our current approach is the same as we use for denoting subvectors of inputs, i.e. we identify a subvector of outputs by specifying its length and offset of its first element (with respect to the underlying output vector). We represent both of these components as separate parameters of our inductive description. Similar to the output index, an explicit subvector index is used to represent each output within the range of the subvector, as described in the previous section.
Composition of Inductively-defined Circuits
With most verification approaches, while correctness of individual hardware units can be proved by induction, no mechanisms are provided to reason about a composition of inductively-defined units. In our methodology, we provide support for handling compositions by automatically obtaining representation of a circuit from representations of its components. Since the component descriptions are themselves parametric, this typically involves resolution of various kinds of parameter interactions as follows:
-Single-instance composition -for a given i, f i is substituted as an i-instance input x i in g i (denoted g i j x i =f i ). This can be represented by Boolean operations and restriction [4] as:
These operations are easily handled by symbolic LIF manipulation algorithms. Note that the substitution for x i does not affect any (i ? 1)-instance functions appearing in the definition of g i . -All-instance composition with same parameters -for all i 1, f i is substituted as an i-instance input x i in g i , e.g. composition of an i-bit serial parity circuit inputs with outputs from an i-bit serial adder. This case is an extension of the previous one, where substitution for all <-i-instances is implicitly represented by applying this operation on all (i ? 1)-instance functions also.
-All-instance composition with different parameters -for all i 1; j 1, f (i;j) is substituted as an i-instance input x i in g i , e.g. the read/write ports of a (2 i j)-bit register file (Example 6) can be composed with the inputs/outputs, respectively of an i-bit serial adder (Example 1).
This case is more interesting as it requires introduction of an extra parameter in the composed description for g. It is handled by representing explicit vectors of outputs (described in Section 4.3) to capture dependence of the x inputs on the extra parameter. Currently, we simply substitute in the canonical representation for f in the Basis BDD for g.
Results for Practical Circuit Examples
Consider the following circuit example which illustrates an interesting combination of the various representation mechanisms described so far.
Example 6:
A schematic for a 3-port register file, with i-bit address lines (a; b;c), j-bit data lines (in; OutA;OutB), and clock/write control signals (p1; p2; w), is shown in Figure 6 , Part(a). The new register file contents (after a clock cycle) can be represented using a multiple output LIF Reg, where the 2 i j outputs are indexed by using a binary-encoded i-bit argument k and the parameter j itself (with comparison against the basis partition). The LIF representation of Reg is shown in Figure 6 , Part(b) (where r denotes the parametric inputs representing the old register cell contents).
In Table 1 we report the memory usage and the CPU time required to obtain canonical LIF representations for the circuits described in this paper. 
A Formal Verification Example
Consider the task of verifying the functional correctness of a decoder as described in Example 5 (Section 4.2.2). The property we wish to verify is mutual exclusion of its outputs, i.e for every i-instance decoder, only one of its 2 i outputs is true, rest are all false. In conventional (non-LIF) notation, this specification property can be stated as follows:
8i:9n:(dec i n]^(8m 6 = n::dec i m])),
where dec i n] represents the n th output of an i-instance decoder (1 n 2 i ).
Recall from our LIF representation of the decoder outputs (shown in Figure 5 Figure 7 . Furthermore, a proof of the original specification property by induction on i, translates to tautology-checking of spec i (i.e. checking that spec i is true for all i 1) [15] . Again, this is performed automatically by our method for maintaining canonical LIF representations. For spec i , the tautology-check is very simple as follows:
-The Basis BDD is equal to '1' (truth), signifying that spec 1 is true. -The LIBDD is also equal to '1' (truth), since its leaf node immediately provides the induction hypothesis. In other words, the LIBDD structure implies that spec i is true if spec i?1 is true. Since spec i?1 is true due to the induction hypothesis, spec i is true by induction.
Thus the positive tautology-check establishes the correctness of the decoder circuit for all sizes i 1.
Conclusions and Future Directions
We have presented several general mechanisms for canonical representation of parametric circuits. Of particular interest is the use of a geometric hyperspace framework to capture both induction trajectories and hyperspace regions for representation of multiple parameter functions. BDDstyle node ordering and reduction principles are used to argue about canonicity of the decision tree (reduced to dag) representations. In fact, the ordering requirement is an important factor affecting the potential efficiency and expressive power of this framework, e.g. comparison against parameter basis values for simple induction trajectories, and use of non-intersecting hyperplanes for partitioning into regions. Another interesting technique is the use of binary-encoding for representation of an output index. This turned out to be useful both for representation of an exponential size tree circuit in a linear form, and for changing the domain of quantification from integers to Boolean-valued variables in a specification property. Used in conjunction with IBF representation schemata, we have given several examples and preliminary results for representation of practical circuits in the form of IBFs. These representations form an essential component of our verification methodology based on automatic symbolic manipulation of IBFs. Though a complete description of the verification process is beyond the scope of this paper, our simple decoder example demonstrates the essential ideas of automatic incorporation of the basis and hypotheses in an induction proof. In terms of future directions, development of a formal logic for specification using IBFs is potentially useful. We also plan to examine other interesting inductive circuits, e.g. multipliers. This may require characterization of additional classes of IBFs (other than LIFs and EIFs), though our main ideas and algorithms can probably be generalized. Another interesting direction is the use of our representations to reason about functional equivalence of different inductive descriptions, e.g. equivalence of a serial parity circuit and a parallel tree parity circuit. Preliminary work indicates that by deliberate manipulation of the two representations, it may be possible to automate a proof of their equivalence. Such proofs are of practical importance in verification of correctness preserving transformations, an essential component of most automated tools for hardware design.
