Circuit Based Quantification: Back to State Set Manipulation within Unbounded Model Checking
Gianpiero Cabodi, Marco Crivellari, Sergio Nocco, Stefano Quer
Politecnico di Torino
Dip. di Automatica e Informatica
Turin, ITALY
Abstract
In this paper a non-canonical, circuit-based state set representation is used to efficiently perform quantifier elimination. The novelty of this approach lies in adapting equivalence checking and logic synthesis techniques to the goal of compacting the circuit-based state set representations that result from existential quantification. The method can be efficiently combined with other verification approaches, such as inductive and SAT-based pre-image verification.
1. Introduction
In the Unbounded Model Checking domain, quantifier elimination within Quantified Boolean Formulas is of utmost importance. Traditional methodologies resort to BDD, or BDD-like, representations. These suffer from the well known memory explosion problem, due to their canonicity.
In our work we select circuit-based state set representations based on And-Inverter Graphs [3] (AIGs) as the underlying structure. Performing quantifier elimination on this representation implies, in the worst case, doubling the formula size for each quantified variable. Since post-image and pre-image computations involve existential quantification of input and state variables, we risk an exponential memory blow-up. To aggressively fight circuit size explosion, we resort to combinational equivalence checking and logic synthesis optimization techniques. Given a quantified variable and its two cofactors, we divide the existential quantification of that variable into two subtasks:
1. A merge phase, in which we resort to equivalence proofs to maximize sub-circuit sharing between the circuit representations of the two cofactors.
2. An optimization phase, in which we exploit logic synthesis based transformations (such as redundancy removal, factorization, and simplification under don't care conditions) on the resulting circuit.
Contact person; e-mail: stefano.quer@polito.it.
2. Circuit Based Quantification
Let us work on a given function, represented by a single-output Boolean circuit (an AIG in our implementation), and let us existentially quantify a variable in its support. We call positive and negative cofactor of the function with respect to that variable the two functions obtained by fixing the variable to 1 and to 0, respectively. We perform existential quantification as the disjunction of the two cofactors. Let us now discuss how we fight the size explosion of that disjunction.
2.1. Node Merging by Equivalence Checks
The goal of this phase is to merge together as many internal nodes of the two cofactors as possible. This is essentially a combinational equivalence checking problem, as we need to find equivalent nodes in the two cofactor circuits. We rely on three steps:
1. We exploit AIG semi-canonicity and its hashing scheme to detect functionally equivalent merge points early.
2. We apply BDD sweeping [4] as a further enhancement of merge point detection.
3. We switch to SAT-based checks for the compare points not yet merged. We presently rely on a general-purpose SAT solver, i.e., ZChaff, but we plan to experiment with circuit-SAT in the future.
During the third step, several SAT problems which share most of their initial clause database are generated. In order to exploit history information and avoid restarting at every new check, we implemented our SAT-merge routine on top of ZChaff: we load the clause database once and for all, and we factorize several checks together within a single ZChaff run. Any satisfying assignment found by the solver thus potentially rules out several non-matching pairs, whereas an UNSAT verdict covers many matching points. Furthermore, we have experimented with (recursive) backward and forward techniques. Backward processing is generally better in case of high merge probability (similar cofactors), as a few checks on the output region can quickly find equivalences and merge points and stop the recursion. Forward processing is more similar to the BDD sweeping technique, as we start merging from the primary inputs and propagate checks towards the primary outputs. In this case, as long as we find equivalent points, we can learn them, thus simplifying successive equivalence checks.
1530-1591/05 $20.00 © 2005 IEEE
As a final remark, let us notice that the procedure is not far from testing stuck-at faults on comparison gates over the product machine of the two combined cofactors. However, as our main goal is finding merge points, we are more interested in finding redundancies than in good test patterns for faults, which has implications for the comparison routines.
2.2. Synthesis based Optimizations
Once sub-circuit merging is complete, there is still a margin for size reduction, because we do not need individual representations for the two cofactors: we must only represent their disjunction. In principle, we look for any transformation of the two cofactors such that the disjunction of the transformed cofactors is equivalent to the disjunction of the original ones, and the circuit size is reduced. It is worth distinguishing two categories of transformations:
1. Optimizations concentrating on the two cofactors, with the goal of mutually simplifying each other.
2. Optimizations focusing on the disjunction, with the purpose of minimizing, factorizing, rewriting, etc., the final resulting function.
We presently dedicate most of our effort to the former category. More specifically, we address possible simplifications/optimizations of either cofactor wherever the other one evaluates to 1, since the disjunction is 1 there regardless of the transformed cofactor. Let us take the positive cofactor as the reference cofactor, and let us use its onset as the input don't care set to transform the negative one. Let us consider a generic node of the negative cofactor. Our task is then to guess a proper node transformation such that the transformed node matches the original one outside the don't care set, i.e., on the offset of the reference cofactor. The above check can be easily achieved by a SAT solver trying to satisfy the exclusive-or of the original and the transformed node within the offset of the reference cofactor: a satisfying assignment is a counter-example to the transformation, an UNSAT verdict proves it correct. Among the possible guesses for the transformed node, we select two straightforward choices: a constant value, i.e., redundancy, and a merge with another node, modulo complementation.
Taking into account observability don't cares for the node adds a further optimization degree. We allow the transformed node to differ from the original one within the input care set, provided that the difference is not observable on the output of the disjunction of the two cofactors. We implemented this extra step by an additional equivalence check between the disjunction before and after the transformation of the node. The above problem can also be seen as a check for the redundancy of the EXOR gate comparing the original and the transformed node.
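The two phases of Section 2, as a worked example in Python. This is an added example, not the authors' implementation: the `AIG` class (structurally hashed AND nodes with complemented-edge literals), the `merge_sweep`, `dc_optimize` and `quantify` functions and the five-input function built by `example()` are all constructions of this example, and bit-parallel exhaustive truth tables play the role that semi-canonical hashing, BDD sweeping and the ZChaff checks play in the paper, so every "proof" here is a full enumeration that only scales to a handful of inputs. `merge_sweep` is the forward-style merge of Section 2.1: it walks both cofactor cones from the inputs and redirects every node to the first earlier node with the same function, modulo complementation. `dc_optimize` is the first category of Section 2.2: each node of the negative cofactor is tried against constants, inputs and earlier nodes, and a candidate is accepted either if it agrees with the node on the offset of the positive cofactor (the paper's SAT check, here a bitmask test) or, failing that, if the change is not observable on the disjunction (the observability don't care check).

```python
"""Circuit-based existential quantification on a toy AIG.  Added example, not
the authors' code; exhaustive truth tables stand in for BDD sweeping and SAT."""


class AIG:
    """Literal = 2*node + phase; node 0 is constant 0, so literal 1 is TRUE."""
    def __init__(self, n_inputs):
        self.inputs = list(range(1, n_inputs + 1))            # input node ids
        self.fanin = {n: None for n in range(n_inputs + 1)}   # node -> (lit, lit)
        self.strash = {}                                      # (lit, lit) -> node
        self.mask = (1 << (1 << n_inputs)) - 1                # all-ones truth table
    def AND(self, a, b):
        a, b = min(a, b), max(a, b)
        if a == 0 or a == (b ^ 1):         # x & 0 = 0, x & ~x = 0
            return 0
        if a == 1 or a == b:               # 1 & x = x, x & x = x
            return b
        n = self.strash.setdefault((a, b), len(self.fanin))   # structural hash
        self.fanin.setdefault(n, (a, b))
        return 2 * n
    def OR(self, a, b):
        return self.AND(a ^ 1, b ^ 1) ^ 1
    def cone(self, lits):
        """AND nodes feeding lits, inputs first (topological order)."""
        order = []
        def visit(n):
            if self.fanin[n] and n not in order:
                for f in self.fanin[n]:
                    visit(f >> 1)
                order.append(n)
        for l in lits:
            visit(l >> 1)
        return order
    def compose(self, lit, subst):
        """Rebuild lit's cone with node -> literal substitutions applied."""
        memo = {}
        def go(l):
            n, f = l >> 1, self.fanin[l >> 1]
            if n not in memo:
                memo[n] = (go(subst[n]) if n in subst else
                           2 * n if f is None else self.AND(go(f[0]), go(f[1])))
            return memo[n] ^ (l & 1)
        return go(lit)
    def truth(self, lit):
        """Truth table of lit: bit i is its value under input assignment i."""
        k, tt = len(self.inputs), {0: 0}
        for j, n in enumerate(self.inputs):
            tt[n] = sum(((i >> j) & 1) << i for i in range(1 << k))
        lv = lambda l: tt[l >> 1] ^ self.mask * (l & 1)   # value of a literal
        for n in self.cone([lit]):
            tt[n] = lv(self.fanin[n][0]) & lv(self.fanin[n][1])
        return lv(lit)


def merge_sweep(g, lits):
    """Sec. 2.1, forward style: redirect every node to the first earlier node
    with the same function, modulo complementation (constants included)."""
    rep, subst = {0: 0}, {}
    for n in g.cone(lits):
        tt = g.truth(2 * n)
        if tt in rep:
            subst[n] = 2 * rep[tt]
        elif (tt ^ g.mask) in rep:
            subst[n] = 2 * rep[tt ^ g.mask] ^ 1
        else:
            rep[tt] = n
    return [g.compose(l, subst) for l in lits]


def dc_optimize(g, f_pos, f_neg):
    """Sec. 2.2: replace nodes of f_neg by a constant, an input or an earlier
    node (modulo complementation) when both agree on the offset of f_pos (the
    paper's SAT check) or when the change is unobservable at f_pos | f_neg."""
    care, goal = g.truth(f_pos) ^ g.mask, g.truth(g.OR(f_pos, f_neg))
    base = [(0, 0), (g.mask, 1)] + [(g.truth(2 * i), 2 * i) for i in g.inputs]
    base += [(t ^ g.mask, l ^ 1) for t, l in base[2:]]
    def improve(f_neg):
        cands = list(base)
        for n in g.cone([f_neg]):
            tt = g.truth(2 * n)
            for ctt, cand in cands:
                new = g.compose(f_neg, {n: cand})
                if (tt ^ ctt) & care == 0 or g.truth(g.OR(f_pos, new)) == goal:
                    return improve(new)         # accepted: restart on the rebuilt circuit
            cands += [(tt, 2 * n), (tt ^ g.mask, 2 * n + 1)]
        return f_neg
    return improve(f_neg)


def quantify(g, f, var):
    """Sec. 2 flow: cofactors, merge (2.1), don't-care simplify (2.2), OR."""
    pos, neg = merge_sweep(g, [g.compose(f, {var >> 1: 1}), g.compose(f, {var >> 1: 0})])
    return g.OR(pos, dc_optimize(g, pos, neg))


def example():
    """Constructed f = v.a.(b+c) + ~v.~a.d.(c + b.~c), with b+c built two ways."""
    g = AIG(5)
    v, a, b, c, d = (2 * n for n in g.inputs)
    s1, s2 = g.OR(b, c), g.OR(c, g.AND(b, c ^ 1))
    f = g.OR(g.AND(v, g.AND(a, s1)), g.AND(v ^ 1, g.AND(g.AND(a ^ 1, d), s2)))
    return g, f, v
```

Calling `example()` and then `quantify(g, f, v)` runs the whole flow on the constructed function. On that instance the original function has 9 AND nodes and the plain disjunction of its two cofactors has 7, the cofactors sharing nothing structurally because `b + c` is built two different ways; `merge_sweep` proves the two `b + c` nodes equivalent and brings the pair of cofactors from 6 to 4 AND nodes; `dc_optimize` then replaces the node `~a & d` of the negative cofactor by the input `d`, a change that is not legal on the care set (the local check fails) but is unobservable on the disjunction, so the quantified function ends with 4 AND nodes and no dependence on `v`. Real designs need the SAT checks the paper describes in place of `truth`, which enumerates every input assignment.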
3. Traversal Routine
We modify standard breadth-first reachability in order to exploit circuit-based quantification. Given an invariant property P, we start reachability from its complement and we terminate as soon as no newly reached states are found (fix-point) or we intersect the initial state set, delivering a counter-example. In our implementation all state sets are represented and manipulated using AIGs instead of BDDs. Operations on AIGs, e.g., equivalence, are performed using a SAT engine. Pre-image adopts quantification by substitution (also called in-lining): when a next state variable is constrained to be equal to a function of the current state and input variables, the variable is eliminated by substituting that function for it wherever it occurs, instead of being cofactored away. The applicability of this transformation relies on the fact that the formulas occurring in backward reachability often have a structure that matches the rule. In fact, in backward reachability, the transition relation is a conjunction of next state variables defined in terms of current state and input variables, i.e., a conjunction of equalities between each next state variable and its transition function.
4. Compatibility with Previous Methods
A possible drawback of our methodology is that some variable quantifications can cause size explosion. To cope with this problem, our methodology adopts "partial quantification", i.e., it accepts effective quantifications and aborts the expensive ones (in terms of size). As a result, the technique can be combined with other SAT-based (time intensive) approaches. We specifically address all-solution SAT pre-image, as described in [2], where our approach could dramatically decrease the number of decision (input) variables to be processed by SAT-based pre-image. Similar considerations apply to BMC [1], as well as to induction-based Unbounded Model Checking [5]. Both techniques can benefit from reducing the number of primary input variables by quantification, as a preprocessing step for the SAT procedures.
5. Conclusions
This paper attacks Quantified Boolean Formula problems in the Unbounded Model Checking domain. Preliminary experimental results show the efficacy of the methodology on hard-to-verify circuits and properties.
References
[1] A. Biere, A. Cimatti, E. M. Clarke, M. Fujita, and Y. Zhu. Symbolic Model Checking using SAT procedures instead of BDDs. In Proc. 36th Design Automat. Conf., pages 317–320, New Orleans, Louisiana, June 1999.
[2] M. K. Ganai, A. Gupta, and P. Ashar. Efficient SAT-based Unbounded Symbolic Model Checking Using Circuit Cofactoring. In Proc. Int'l Conf. on Computer-Aided Design, San Jose, California, Nov. 2004.
[3] A. Kuehlmann, M. K. Ganai, and V. Paruthi. Circuit-based Boolean Reasoning. In Proc. Design Automat. Conf., Las Vegas, Nevada, June 2001.
[4] A. Kuehlmann and F. Krohm. Equivalence Checking Using Cuts and Heaps. In Proc. 34th Design Automat. Conf., pages 263–268, Anaheim, California, June 1997.
[5] M. Sheeran, S. Singh, and G. Stålmarck. Checking Safety Properties Using Induction and a SAT-Solver. In W. A. Hunt and S. D. Johnson, editors, Proc. Formal Methods in Computer-Aided Design, volume 1954 of LNCS, pages 108–125. Springer-Verlag, Nov. 2000.
