This paper provides an overview of recently developed model generation techniques for SAT-based property checking. To overcome limitations of SAT-based property checking, we suggest tailoring the synthesis procedures in the frontend of the property checker to the verification algorithms used in the backend. This paradigm has been applied to two different design categories. As a first example, for control-intensive designs with many interacting state machines, an appropriate state encoding can facilitate the representation of state sets. As a second example, for arithmetic datapath verification, we suggest synthesizing an arithmetic bit-level description to enable normalization techniques in the backend. We demonstrate the usefulness of our approach by means of industrial test cases.
Introduction
SAT-based property checking has gained increased significance in Electronic Design Automation (EDA). It is used to verify that a digital circuit design meets its specified behavior. In bounded model checking (BMC) [4], the sequential circuit design is unrolled for a finite number of time frames and augmented with the property under verification. This can be translated into a satisfiability (SAT) problem and is thus handled by standard SAT solvers, which return either a proof of unsatisfiability or a counterexample for the property. Figure 3 illustrates this flow. In the past decade enormous progress has been made on the backend engines, whereas the frontends are more or less the same as those used for implementation synthesis of the design. However, in the context of property checking this synthesis should follow other optimization goals. For implementation of the design, issues like timing, area and number of gates are taken into account. These measures turn out to be inefficient for property checking. The frontend of a property checker should generate models that are easy to verify by the backend of the checker. Therefore we suggest a tighter coupling of frontends with their respective backends. By means of two examples we demonstrate how frontend model generation with respect to a dedicated backend engine enlarges the applicability of a property checker. BMC requires that the property can be specified over a bounded time interval. Control-intensive applications in particular sometimes raise the need to verify safety properties of the design over unbounded time intervals. These properties typically express that certain (unsafe) states will never be reached by the design. Unrolling the circuit up to its diameter makes BMC complete in this case. Unfortunately, in practice, the resulting SAT instances are very large and hence intractable for modern SAT solvers. To overcome this limitation, k-step induction was introduced in [2] and [7].
However, these methods too are only applicable for small induction depths k. In practice, large values of k are reduced by manually adding reachability information to the property. This is a cumbersome and time-consuming process. In Section 2 we describe how an appropriate state encoding [9] for the design facilitates the automatic generation of powerful invariants that significantly reduce the induction depth k. Another difficult issue for SAT-based BMC is addressed in Section 3. It is well known that SAT solvers have problems with instances derived from the verification of arithmetic circuits, especially when multiplication is involved. Hence, although SAT-based property checking can often be applied successfully to the control part of a design, it typically fails on data paths with large arithmetic blocks. One may resort to incomplete techniques like bit-slicing in order to find bugs in arithmetic units. However, these cannot prove the absence of a bug, and they are very likely to miss errors in corner cases. We describe how synthesis of an arithmetic bit-level description (ABL) of circuit and property by the frontend facilitates the application of ABL normalization [10] in the backend of the solver.
Induction based property checking
In this section we recall the concept of k-step induction as proposed in [2, 7] to verify safety properties. The basic model for sequential circuits is a finite state machine $M$ given by the 6-tuple $M = (I, S, \delta, S_0, O, \lambda)$, where $I$ is the input alphabet, $S$ is the set of states, $\delta: S \times I \to S$ is the next-state function, $S_0$ is a set of initial states, $O$ is the output alphabet and $\lambda: S \times I \to O$ is the output function. Given such a machine, we would like to check whether a condition $P$ holds for all reachable states. If this is the case we call the machine $P$-safe. In the following, $P$ is identified with the set of states where $P$ holds. The following Lemma 1 gives necessary and sufficient conditions for the validity of a safety property. In other words, the induction depth is determined by the longest loop-free path to an unsafe state. In [9] we demonstrated that the choice of an appropriate state encoding for the components of the design under verification, together with an approximate reachability analysis, significantly reduces the induction depth and the proving complexity of this task. For components with small state machines we suggested choosing a one-hot encoding. This encoding enables the representation of certain dependencies between the components of the design using implications. The two state diagrams of Figure 2 are used to illustrate this effect in the following. Suppose the state machines have a common input $x$ and independent inputs $x_1, x_2$. Hence, we can strengthen the property by the following relationship:
(1) i=0
Figure 3 shows the overall flow as proposed in [9].
Figure 3. Overall flow of the proposed method
The RTL code of the design is augmented by combinational logic that calculates the property. We create a gate-level representation of our designs using the frontend of Gateprop (a SAT-based property checker from OneSpin Solutions). We choose one-hot encoding for small machines and binary encoding otherwise. Note again that the encoding used for verification can be chosen in the RT-to-gate frontend of the verification tool independently of the encoding used for the actual implementation. The property is strengthened with Equation (1) for the binary encoded machines and with the results of a structural FSM traversal. After this we prove the property by induction, starting with induction length 0 and increasing the induction length until a proof is found, a counterexample is generated or a user-defined upper bound for the induction length is reached. Experimental results for this approach can be found in [9].
Property checking for arithmetic blocks
Interesting properties for arithmetic circuits can be specified in a bounded time interval. Unfortunately, SAT solvers run into complexity problems as soon as arithmetic circuitry comes into play.
In the following we use a property language called interval temporal logic (ITL) [11]. The first issue is addressed in Section 3.1, where we develop a normalization process that transforms both property and design in such a way that structural similarity is created and exploited to globally simplify the SAT instance.
The second issue is addressed in Section 3.2 where it is discussed how normalization can be used to generate abstracted problems to verify the interplay of arithmetic and control.
ABL Description and normalization
In this section we recall the arithmetic bit-level description (ABL) of a circuit as proposed in [10]. An ABL models three kinds of objects: partial products, addition networks and comparators.
* A column $k > 0$ of $N_1$ exists such that for each column $j > k$ the result $r_j$ is an addend of column $j - k$ of $N_2$.
* A column $k > 0$ of $N_2$ exists such that for each column $i$ of $N_1$ the result $r_i$ is an addend of column $i + k$ of $N_2$.
A column $i$ of an addition network $N_1$ can be merged with a column $j$ of an addition network $N_2$ if the result $r_i$ of column $i$ is an addend of column $j$.
Two addition networks can be merged in linear time in the number of addends. This is done by adding all the addends of N1 to the appropriate addend sets of N2 and redefining the weight functions and constant offsets accordingly. can check the condition of the above lemma in linear time.
Hence the complexity of the merge routine can be bounded by O(n log n).
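To make the merge condition concrete, the following Python script (an added example, not code from the paper or from the ABL normalization of [10]) models an addition network as columns of addend bits, merges N1 into N2 under the second condition above (the results of N1 are addends of N2 shifted by k columns) and checks the merged network against the original pair by exhaustive simulation, standing in for the SAT solver. The column dictionary, the r0/r1 result names and the half-adder instance are assumptions of the example; the script also rejects the case the merge must not be applied to, namely when the result width of N1 would truncate its sum.

```python
from itertools import product

# Constructed example (not code from the paper or [10]): an addition network is a dict
# column -> list of addend bit names; an addend in column c has weight 2**c and the
# result bits r_0..r_{w-1} are the binary representation of the weighted sum.

def result_bits(net, width, assign):
    total = sum(assign[a] << col for col, addends in net.items() for a in addends)
    return [(total >> i) & 1 for i in range(width)]

def r(i):
    return f"r{i}"  # assumed naming of result bit r_i of N1

def merge(n1, w1, n2, k):
    """Merge N1 into N2 under the lemma's second condition: every result r_i of
    N1 is an addend of column i + k of N2.  Returns the merged network."""
    results = {r(i) for i in range(w1)}
    for i in range(w1):
        if r(i) not in n2.get(i + k, []):
            raise ValueError(f"{r(i)} is not an addend of column {i + k} of N2")
    # If N1's sum could exceed its result width, its result bits would be a
    # truncated value and moving the addends would not preserve the function.
    if sum(len(adds) << c for c, adds in n1.items()) >= (1 << w1):
        raise ValueError("N1 may overflow its result width")
    merged = {c: [a for a in adds if a not in results] for c, adds in n2.items()}
    for c, adds in n1.items():  # shift N1's addends up by k columns
        merged.setdefault(c + k, []).extend(adds)
    return {c: adds for c, adds in merged.items() if adds}

def equivalent(n1, w1, n2, w2, k, inputs):
    """Exhaustively check that N1 feeding N2 computes the same result bits as the
    merged network (brute force standing in for the SAT solver)."""
    merged = merge(n1, w1, n2, k)
    for bits in product((0, 1), repeat=len(inputs)):
        assign = dict(zip(inputs, bits))
        for i, b in enumerate(result_bits(n1, w1, assign)):
            assign[r(i)] = b  # N1's results are addends of N2
        if result_bits(n2, w2, assign) != result_bits(merged, w2, assign):
            return False
    return True

# Constructed instance: N1 is a half adder (a + b -> r0, r1); N2 adds those
# results, shifted by k = 1 column, to further bits c, d and e.
N1 = {0: ["a", "b"]}
N2 = {0: ["e"], 1: ["r0", "c"], 2: ["r1", "d"]}

if __name__ == "__main__":
    print(merge(N1, 2, N2, 1))  # {0: ['e'], 1: ['c', 'a', 'b'], 2: ['d']}
    print(equivalent(N1, 2, N2, 4, 1, ["a", "b", "c", "d", "e"]))  # True
```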
Definition 5. Let $P$ be a partial product generator and $N$ be an addition network with $(N, P) \in E$. $P$ can be distributed through $N$ iff there are a partial product generator $P'$ and addition networks $N'_1, \ldots, N'_k$ that add up the partial products of $P'$ such that replacing $N$ and $P$ by $N'_1, \ldots, N'_k$ and $P'$ yields an equivalent ABL.
Lemma 4. Let $P$ be a partial product generator and $N$ be an addition network with $(N, P) \in E$ and $(N, X) \in E \Rightarrow X = P$. $P$ can be distributed through $N$ if one of the operand sets of $P$ equals the set of results of $N$.
Note that the conditions of Lemma 4 can always be fulfilled by duplicating the addition network (in the case of fanout) and extending the partial product generator such that all results of the addition network are operands of $P$. Figure 4 visualizes the distribution of a $2 \times 1$ partial product generator through a half adder. Distributing partial product generators replicates the addition network $k$ times if $k$ is the size of the second operand of the partial product generator. Note that this is a potential source of memory blowup. In practice it turns out that the new addition networks can usually be merged into some other addition network immediately.
Figure 4. Distribution of partial products
With these operations we are now able to move all partial product generators in front of all addition networks, i.e., we can normalize and reduce an ABL. This is done by the following process:
1. merge addition networks
2. merge partial products
3. distribute partial products
4. merge addition networks
5. determine equivalent partial products
6. remove common addends from each pair of addition networks feeding a common comparator
Handling difficult cases by abstraction
There are practically relevant properties whose commitment is not a pure arithmetic expression. These properties contain a small portion of control. An example of this kind of problem is multiplication with saturation. Saturation means that the output of a circuit is set to a specific constant when an arithmetic result exceeds a certain threshold value.
In these cases, we can use normalization to obtain a word-level abstraction for the arithmetic part of the design. Figure 5 illustrates a situation where normalization is useful for word-level abstraction.
Figure 5. SAT problem before abstraction
Suppose a design is composed of a hard-coded arithmetic circuit and a saturation detection unit. For performance reasons the saturation unit also uses the inputs to estimate the saturation condition, such that only part of the result is needed to obtain a correct saturation condition. However, in the property part of the problem (below the dotted line) the saturation condition is calculated directly on the result of an expression. In this situation a SAT solver implicitly has to verify equivalence of the design and the expression in the property, and this causes an exponential blowup. With normalization it is easily verified that the arithmetic circuit portion implements an arithmetic word-level expression. The problem is then simplified by sharing the word-level expression and removing the unrolled circuitry.
In essence, we have abstracted the arithmetic circuit portion of the design by the word-level expression. This abstracted instance can then be handled using hybrid solvers like [3, 5]. In our experiments we even solved 32-bit instances of this kind of problem after abstraction using Gateprop. CNF and handed over to the SAT solver [6]. Using this flow, we verified a representative subset of arithmetic instructions with multiplication. Each of the properties was proven in a few minutes using ABL normalization, whereas none of the properties could be proven without this technique. For those instructions that perform saturation we used normalization to prove that a certain internal signal can be replaced by an expression calculating the unsaturated result of the instruction. With this abstraction the OneSpin Solutions bounded model checker Gateprop was able to prove that the saturation is performed correctly.
Conclusion
We suggested exploiting certain degrees of freedom in the frontend of a SAT-based property checker to generate models suitable for a dedicated backend, and demonstrated this in two application domains. For induction-based property checking we observed that state encoding can be used to enable the generation of powerful invariants that effectively reduce the induction depth. For the verification of arithmetic circuits we suggested generating an ABL in the frontend. By normalization of these ABLs our backend was able to prove properties derived from an industrial verification project.
