Approximate reachability techniques trade off accuracy for the capacity to deal with bigger designs. Cho et al. [4] proposed partitioning the set of state bits into mutually disjoint subsets and doing symbolic forward reachability on the individual subsets to obtain an overapproximation of the reachable state set. Recently, this was improved upon [7] by dividing the set of state bits into various subsets that could possibly overlap, and doing symbolic reachability over the overlapping subsets. In this paper, we further improve on this scheme by augmenting the set of state variables with auxiliary state variables. These auxiliary state variables are added to capture some important internal conditions in the combinational logic. Approximate symbolic forward reachability on overlapping subsets of this augmented set of state variables yields much tighter approximations than earlier methods.
Introduction
Binary Decision Diagrams (BDDs) [2] have enabled formal verification to tackle larger hardware designs than before. Using BDDs to represent sets of states has enabled symbolic forward reachability techniques to enumerate the state space of bigger designs. However, for many large design examples, even the most sophisticated BDD-based verification methods cannot produce exact results because of BDD-size blowup. Hence, we settle for approximate reachability.
An overapproximation (i.e. superset) of the reachable states can still be very useful. If an assertion holds for the approximate reachable states, it is guaranteed to hold in the exact reachable set. It can also be used to simplify symbolic model checking efforts, by preventing the model checking algorithms from exploring unreachable states [8]. Further, the approximate reachable set provides don't cares that can be used in synthesis.

This work was supported by DARPA contracts DABT63-94-C-0054 and DABT63-96-C-0097. The content of this paper does not necessarily reflect the position or the policy of the Government and no official endorsement should be inferred.

DAC 99, New Orleans, Louisiana. © 1999 ACM 1-58113-092-9/99/0006..$5.00
Comparison with Related Work
Various approaches to approximate reachability and verification using BDDs have preceded this work. Cho et al. [4, 5] proposed approximate algorithms to do symbolic forward reachability. Their basic idea was to partition the set of state bits into mutually disjoint subsets, and then do a symbolic forward propagation on each individual subset. This was further generalized [7] by allowing for overlapping projections. In this scheme, the set of state bits was divided into various subsets that could overlap.
This paper further generalizes and improves on existing approximate symbolic reachability schemes, by augmenting the set of state variables with some auxiliary state variables. An auxiliary variable is an internal state component that is added to the implementation without affecting the externally visible behavior. These extra state variables typically represent important internal abstractions used by designers.
The idea of augmenting a legal implementation with some extra state components in a way that places no constraints on the behavior of the implementation is not entirely new. Abadi and Lamport [1] introduced a special class of auxiliary variables, history and prophecy variables, to broaden the applicability of refinement mapping techniques. We propose using auxiliary state variables to broaden the applicability of approximate reachability techniques.
Consider the simple design shown in figure 1 
Background
We analyze synchronous hardware, given as a Mealy machine $M = (x, y, q_0, n)$, where $x = \{x_1, \ldots, x_k\}$ is the set of state variables and $y$ is the set of input signals. Let $w = (w_1, \ldots, w_p)$ be a collection of not nec-

A typical hardware design, as shown in figure 2, has a set of state holding elements ($x_1, x_2, x_3$ in figure 2) and some combinational logic. Each state variable has an associated next state function logic ($n_1, n_2, n_3$ in figure 2). Let $a$ be some internal wire in the design, and let $a = g(x)$ be the function that determines the

If we let the subscript denote the time stamp, we have $a_t = g(x_t)$ and $a_{t+1} = g(x_{t+1})$. Using $x_{t+1} = n(x_t, y_t)$, we get $a_{t+1} = g(n(x_t, y_t))$, which is the required next state function for auxiliary state variable $a$. This transformation is shown in figure 3. Note that we would not have been able to do the transformation above if $g$ involved some input variables in its support. If $a = g(x, y)$ (where $y$ is the input bits) then $a_{t+1} = g(x_{t+1}, y_{t+1})$, and we cannot represent the inputs in the next cycle, $y_{t+1}$, in terms of $x_t$ and $y_t$.
We conjecture this limitation can be circumvented by including the inputs as part of the state (as in a Kripke structure). We never used this for any of our results here, but the Mealy machine $M = (x, y, q_0, n)$ can be transformed to another Mealy machine $M' = (x', y', q'_0, n')$, where $x' = x \cup y$ and the initial condition $q'_0 = q_0$. The $y'$ component is a set with a primed version for each variable in $y$. The next state function for the $x$ state variables remains the same, but for the $y$ variables, their next state function is the corresponding input variable from $y'$. Assuming a totally unconstrained input environment, the machines $M$ and $M'$ allow the same externally visible behaviors and hence have the same set of reachable states (projected onto the $x$ variables). However, $M'$ allows us more flexibility in choosing auxiliary state variables.
Initial Condition for Auxiliary State Variables
The auxiliary state variables need to be initialized. 
Heuristics to Choose Auxiliary State Variables
Our scheme for choosing which internal abstractions to convert to auxiliary state variables is presently manual, and relies on being able to inspect the RTL source. We believe that it helps to look at the RTL source, because designers often create internal abstractions themselves while coding up their design in a hardware description language (such as Verilog). Hence we can leverage this high-level information directly by inspecting the RTL description.
First, we find the FSMs by inspecting the Verilog source. The next state transition for every FSM is typically encoded as part of an always block in the Verilog source. By inspecting the always block it is possible to extract the internal wires that affect the next state transition of each FSM, and if those internal wires in turn depend on many state variables, they are chosen as auxiliary state variables.
However, the gate-level descriptions of circuits like the ISCAS 89 benchmark circuits are devoid of any high-level information. For such circuits, we look for internal wires which have a high fanin and high fanout, and are at the same time solely determined by the state variables in the design (i.e. their fanin cones involve only state variables). The intuition behind our heuristic is that such high-fanin internal wires carry some information about the large number of state variables in their fanin cone. Hence including these wires as auxiliary state variables in other subsets of $w$ allows us to capture some correlation between the state variables in the other subsets and the large number of state variables in the fanin cone of the internal wire.
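An added example (not the paper's code) of the gate-level heuristic just described, run on a constructed netlist: wires are kept only if their fanin cone contains state bits alone, and the survivors are ranked by fanin-cone size and fanout. The netlist, the gate naming convention and the fanin/fanout thresholds are assumptions.

```python
# Constructed gate-level netlist (not an ISCAS 89 circuit): wire -> (gate, operands).
# Operands are state bits (x*), the primary input y1, or other wires; the n* wires
# are the next-state functions and are consumers, not candidates.
NET = {
    "w1": ("and", ("x1", "x2")),
    "w2": ("or", ("x3", "x4")),
    "w3": ("and", ("w1", "w2")),      # fanin cone {x1, x2, x3, x4}, fanout 4
    "w4": ("xor", ("w3", "y1")),      # depends on an input: never a candidate
    "w5": ("or", ("x4", "x5", "x6")), # fanin cone {x4, x5, x6}, fanout 2
    "n1": ("or", ("w3", "x1")),
    "n2": ("and", ("w3", "w5")),
    "n3": ("not", ("w3",)),
    "n4": ("and", ("w4", "w5")),
    "n5": ("or", ("w2", "x5")),
}
STATE = {f"x{i}" for i in range(1, 7)}
NEXT = {"n1", "n2", "n3", "n4", "n5"}

def support(net, wire, memo=None):
    """Transitive fanin of `wire`: the state bits and inputs its cone depends on."""
    memo = {} if memo is None else memo
    if wire not in net:                   # leaf: a state bit or a primary input
        return {wire}
    if wire not in memo:
        memo[wire] = set().union(*(support(net, op, memo) for op in net[wire][1]))
    return memo[wire]

def fanout(net, wire):
    """Number of gates that consume `wire`."""
    return sum(wire in ops for _, ops in net.values())

def candidates(net, state, next_outputs, min_fanin=3, min_fanout=2):
    """Internal wires whose cone is solely determined by state bits and whose
    fanin and fanout clear the (assumed) thresholds, best candidates first."""
    ranked = []
    for wire in net:
        if wire in next_outputs:
            continue
        cone, uses = support(net, wire), fanout(net, wire)
        if cone <= state and len(cone) >= min_fanin and uses >= min_fanout:
            ranked.append((wire, len(cone), uses))
    return sorted(ranked, key=lambda r: (-r[1], -r[2], r[0]))
```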
Experiments
The method was evaluated on a collection of control circuits from the MAGIC chip, a custom node controller ASIC in the Stanford FLASH Multiprocessor [9]. The circuits are control intensive, and the state bits do not include data path bits. Table 1 gives a brief description of the sizes of the various control modules extracted from the I/O unit, in terms of the number of state variables, auxiliary state variables and input variables. (IOQ-ReqD stands for the module obtained by combining the submodules IOInboxQCtl and ReqDecode, whereas ReqS-ReqD stands for the module obtained by combining ReqService and ReqDecode.)
(The results for these modules appear in the same order in Table 2 ). We were unable to find the exact reachable set for any of these control modules.
(Table residue: the Module column lists IOQ-ReqD, ReqS-ReqD, PciInterface.)

Given the large number of state variables in these circuits, and the fact that we allow overlaps among the various subsets, it is very difficult to compute the size of the approximate reachable set. Table 4 lists the number of iterations of TFBF plus the number of iterations in the outer greatest fixpoint of MBM.
Conclusions
Our experiments show that a few appropriately chosen internal conditions added as auxiliary variables can substantially improve the quality of the overapproximation. We need to look at automatic methods to choose collections of subsets for gate-level descriptions.

to obtain an upper bound on the satisfying fraction for the reachable states over the usual state variables alone). An alternative method, Monte Carlo simulation, appears to be ineffective because of the extreme sparsity of the state space covered by y(S).
