Convergence behaviour of structural FSM traversal by Stoffel, Dominik & Kunz, Wolfgang
Convergence Behaviour of Structural FSM Traversal
Dominik Stoffel, Wolfgang Kunz
Dept. of Computer Science, Electronic Design Automation Group
Johann Wolfgang Goethe-Universität, Frankfurt, Germany
Abstract
We present a theoretical analysis of structural FSM traversal, which is the basis for the sequential equivalence checking algorithm Record & Play presented earlier [16]. We compare the convergence behaviour of exact and approximative structural FSM traversal with that of standard BDD-based FSM traversal. We show that for most circuits encountered in practice exact structural FSM traversal reaches the fixed point as fast as symbolic FSM traversal, while approximation can significantly reduce the number of iterations needed. Our experiments confirm these results.
1 Introduction
A central problem in the verification of sequential circuits is reachability analysis. The properties to be checked by an automatic verification tool are required to hold in those states that the system can assume after starting in a designated start state. Reachability analysis is the task of finding this set. Since sequential circuits are often modelled as finite state machines (FSMs), reachability analysis corresponds to a traversal of the state transition graph (STG) of an FSM and is therefore often called FSM traversal.
Standard FSM traversal algorithms [3, 12] are based on implicit representations of state sets using binary decision diagrams (BDDs) [2]. Large sets of states can be represented by constructing the BDD of the characteristic function of a state set. Because a single BDD represents a set of states, BDD-based reachability analysis is also called symbolic FSM traversal. An important property of BDDs is that they are a canonical representation of a Boolean function. This property makes them especially attractive for use in formal verification. For example, in FSM traversal this property is used to check that two sets of states are identical by proving the isomorphism of their BDDs. Despite its usefulness, the canonicity property can lead to exponential growth of the data structures for the state sets, even though the BDD representation is an implicit one. This holds for sequential as well as for combinational circuit verification.
For this reason, research efforts have been made to develop formal verification methods that can operate without the use of canonical representations of Boolean functions. In the domain of combinational equivalence checking there has been some notable success with methods operating directly on the structural gate netlist of the circuit [9, 1]. Since they are capable of making efficient use of structural design properties they are often referred to as structural techniques. These techniques and their further developments (e.g., [14, 7, 11, 8]) have made combinational equivalence checking feasible for circuits with up to one million gates. For sequential equivalence checking there have been only a few approaches making use of structural techniques ([16, 6]).
In [16], a technique called Record & Play is presented which uses a "structural fixed point iteration" for verifying the equivalence of two sequential circuits. The method is based on an expansion of the product machine of the two circuits into time frames. Circuit transformations are made to reduce the complexity of the verification task by merging logic in each time frame. These transformations are stored as "instructions" in an instruction queue and reused in subsequent time frames if possible. In each time frame, merged logic is cut off. The algorithm terminates when a sequence of transformations and cuts is found that can be repeated over and over (a "structural fixed point"). The fixed point iteration of Record & Play can be interpreted as approximative structural FSM traversal.
In this paper we study the basic properties of structural FSM traversal. In Section 2 we analyze how a time frame expansion can be used to explore the reachable state space of a finite state machine in a fixed point iteration and present results on the convergence behaviour of this iteration. In Section 3 we review how existential quantification can be performed on a non-canonical structural representation of the reachable state set. We formulate the exact algorithm of structural FSM traversal and give some comments on the approximative algorithm used in Record & Play. Section 4 presents experimental results.
2 FSM Traversal by Time Frame Expansion
The algorithm Record & Play is based on a time frame expansion of the product machine of the two designs to be compared. In this section we study how such a time frame expansion can be used to traverse the state transition graph of a finite state machine. A finite state machine $M$ is a 6-tuple consisting of the input alphabet, the set of states, the next-state function $\delta$, a set of initial states, the output alphabet and the output function $\lambda$. For simplicity we restrict our discussion to a single initial state $s_0$, i.e., to an initial state set $S_0 = \{s_0\}$. However, a set $S_0$ containing several initial states can be treated in a similar way. A sequential circuit (Fig. 1) implementing such a finite state machine has a set of (primary) inputs $x$, a set of (present) state variables $s$ which are fed by registers, a set of next-state variables $y = \delta(s, x)$ providing the input of the registers, and a set of (primary) output variables $z = \lambda(s, x)$.
Figure 1: Sequential circuit $M$ implementing a finite state machine: inputs $x$, present-state variables $s$ (register outputs), next-state variables $y = \delta(s, x)$ (register inputs) and outputs $z = \lambda(s, x)$
The time frame expansion model of a finite state machine $M$ is obtained by replicating the combinational logic for each clock cycle being considered. Each time frame is a copy of the combinational logic implementing the transition function $\delta(s, x)$ and the output function $\lambda(s, x)$ of the FSM. The circuit structure obtained by this time frame expansion is a purely combinational structure called an iterative circuit array. There are no storage elements. Instead, the values of the state variables of the machine at different points in time are associated with signal values in different time frames of the iterative circuit array.

As an example, Figure 2 shows the expansion of an FSM into three time frames. The initial state $s_0$ is injected at the present-state variables $s^0$ of the first time frame. This circuit array is a combinational network which calculates, for a given input sequence $x^0, x^1, x^2$, the output sequence and the next-state response $s^3$ of the FSM. By applying all input sequences of length $t$ to such a circuit we obtain at the state variables $s^t$ all possible states the machine can assume at time $t$. Obviously, an expansion of a finite state machine into $t$ time frames is an implicit representation of the set of states, $R(t)$, the FSM can assume after exactly $t$ clock ticks.
Figure 2: Time frame expansion of a finite state machine into three time frames (frames 0, 1 and 2, each with inputs $x^i$, state variables $s^i$, next-state variables $y^i$ and outputs $z^i$; the next-state response of the last frame appears at $s^3$)
Definition 1 (Reachable state set) The set of all states, $R(t)$, being possible in an FSM at a specific time $t$ after initialization is called the reachable state set at time $t$.
Note that this definition of the reachable state set is different from the understanding of the reachable state set $R_t$ in conventional FSM traversal. For comparison, Table 1 shows a standard forward FSM traversal algorithm using breadth-first search. The img($M$, $S$) operation calculates for a set of states $S$ the set of their immediate successors in the state transition graph. In each iteration of the loop, a set union is formed of the newly reached states with the states collected so far. Therefore, the set $R_t$ refers to all states that the FSM can assume at some time $t'$ with $0 \le t' \le t$.

The sets of states that can be produced by the iterative circuit array of Figure 2 at the state variables $s^0, s^1, s^2, s^3$ are the sets of reachable states $R(0), R(1), R(2), R(3)$, respectively, as given in Definition 1. In order to emphasize this difference, different notations are used for the two notions of reachable state set: $R_t$ for the cumulative set of Table 1 and $R(t)$ for the set of Definition 1.

    reachable_state_set(M, S0) {
      t := 0;
      Rt := S0;                         /* initial state set */
      repeat
        t := t + 1;
        Rt := Rt-1 ∪ img(M, Rt-1);
      until (Rt = Rt-1);                /* fixed point reached */
      return Rt;
    }

Table 1: Standard forward FSM traversal using breadth-first search
Because the state set of an FSM is finite, there obviously is, for every state $s$ reachable from the initial state, a time $t \ge 0$ such that $s \in R(t)$. In other words, the time series $R(t)$ does somehow "traverse" the state transition graph of the FSM and "visits" every reachable state. The questions we are interested in, however, are: how can a point in time, $t_{\mathrm{fix}}$, be determined for which it is guaranteed that all states reachable from the initial state have been visited? What is the convergence behaviour of the time series $R(t)$, and how is it related to the convergence behaviour of conventional FSM traversal as shown in Table 1?
For analyzing the evolution of the reachable state set $R(t)$ over time, it is helpful to imagine $R(t)$ as a set of states in the state transition graph carrying a special mark that is passed on to successor states in the next time step. Consider a set of marked states, $R(t)$, at time $t$. One time step later, at $t + 1$, these states pass their marks on to all of their immediate successor states. Their own mark is erased, unless they receive a new one from an immediate predecessor state. Now, all marked states form the reachable state set $R(t + 1)$. As we proceed in time, the states in the STG become repeatedly marked and unmarked as described. Intuitively, since the FSM has a finite set of states and its next-state behaviour is deterministic (the set $R(t + 1)$ is determined by $R(t)$ alone), the time series $R(t)$ must at some point in time enter a stationary behaviour. Either there will be a single final set, or $R(t)$ will periodically cycle through a set of state sets. If $R(t)$ converges to a single final set, this set corresponds to a pattern of marks which, beginning at a certain time $t_{\mathrm{fix}}$, does not change any more, i.e., it becomes a static pattern. If $R(t)$ exhibits a periodic long-term behaviour, this corresponds to periodically repeating patterns of marks in the STG, beginning at a certain time $t_{\mathrm{fix}}$. As we will see, whether we have an aperiodic or a periodic behaviour is determined by certain structural properties of the STG.
For the following analysis we need the following recursive definition:

Definition 2 (Recurrent State) A state in the state transition graph is called a recurrent state if it lies on a cycle of the graph, or if it has a predecessor which is a recurrent state.
Recurrent states are contained in the reachable state set $R(t)$ infinitely often, and they appear periodically. This is easy to see for recurrent states which lie on a cycle (called cycle states in the sequel), by observing the $R(t)$-marks they are sending and receiving. The length of the cycle determines how many time steps it takes until a mark that has been sent out by a state returns to it and is sent again. This time is called the state's period of recurrence, and it is equal to the length of the cycle. However, there are also states which are not involved in a cycle but are nevertheless recurrent. Such states are reachable from cycle states, and therefore they receive, with some delay, all $R(t)$-marks which the cycle states send out. We say a state inherits the recurrence periods of the states from which it can be reached. Note that in a particular run of the machine, a recurrent state that is not a cycle state can occur only once. However, for different runs of the machine it may occur at different times. The reachable state set $R(t)$ contains information about all possible runs of the machine. Therefore, a recurrent but non-cycle state is an element of $R(t)$ periodically, just like a "true" cycle state.
Definition 3 (Transient State) A state which is not recurrent is a transient state.

Transient states are not reachable from recurrent states. They occur only once in the reachable state set $R(t)$. Transient states are only possible if the initial state of the FSM is a transient state. They are usually part of the initialization process of the machine and do not belong to its normal mode of operation.
Note that our definitions of recurrent and transient states differ from the literature concerned with a probabilistic analysis of finite state machines such as [4]. The objective there is to determine the long-run probability for an FSM to be in a certain state. In that context, for example, a state is defined as transient if there is a non-zero probability that the FSM will not return to it. Our definition requires that it is impossible to return to a transient state. In case there is a possibility that the FSM returns to a state, we call it a recurrent state, because it will be an element of the reachable state set, even if the probability for this to happen may be zero.

Since transient states occur only once, they cannot be part of the reachable state set in the fixed point we are seeking. So we can focus the analysis of our FSM traversal solely on the recurrent states.
As discussed above, a recurrent state may inherit recurrence periods from its predecessor states. It also has periods of recurrence associated with the cycles on which it is located. The following lemma tells us how these different recurrences interact.

Lemma 1 Consider an arbitrary state lying on a cycle of the state transition graph, and let this state also have some recurrence period. Then, after a finite number of time steps, the state also has a recurrence period which is the greatest common divisor of the cycle length and that recurrence period.

For a proof of this lemma and of all following lemmas and theorems, please refer to [15].
The state transition graph of an FSM can be decomposed into its "cyclic" parts, the strongly connected components (SCCs) [5]. All states in an SCC are reachable from each other, i.e., they lie on cycles (the trivial case of a single-state SCC without a self-edge excepted). The FSM can be in these states arbitrarily often, therefore the SCCs determine the "long-run" or "steady-state" behaviour of the machine. By collapsing the SCCs into single vertices, we obtain a directed acyclic graph called the SCC graph.
The recurrence period in the lemma may be inherited from a predecessor state. Or it may be due to another cycle on which the state is lying. We can apply Lemma 1 successively to all pairs of periods that a state has due to period inheritance and the cycles in which it is involved. This leads us to an interesting lemma for the states of an SCC:

Lemma 2 After a finite transition time, the smallest recurrence period, $p_{\mathrm{SCC}}$, is the same for all states in an SCC. This period $p_{\mathrm{SCC}}$ is given by the greatest common divisor of all cycle lengths in the SCC and of all recurrence periods for states in the SCC that have been inherited from predecessor states outside the SCC.
If we view again the set of reachable states, $R(t)$, as a set of states in the STG carrying a mark, then this lemma says that after a sufficient amount of time each state in an SCC will be marked periodically. If the period is, for example, $p_{\mathrm{SCC}} = 5$, then a state will be marked in every fifth time step and will be unmarked during the remaining four time steps. Since at every time step at least one state of the SCC is marked, we can partition the states in the SCC into equivalence classes of simultaneously marked states:

Lemma 3 The set of states of an SCC with a recurrence period $p_{\mathrm{SCC}}$ can be partitioned into $p_{\mathrm{SCC}}$ disjoint subsets $R_i$, $i \in \{0, 1, \dots, p_{\mathrm{SCC}} - 1\}$, such that from some time $t_0$ on
$$R(t_0 + k \cdot p_{\mathrm{SCC}} + i) \cap \mathrm{SCC} = R_i \quad \text{for all integers } k \ge 0 .$$
This is an interesting first result. Let us consider the special case of a finite state machine that has all its states, including the initial state, within one strongly connected component. Such systems are sometimes called non-decomposable sequential systems, because the SCC graph of their state transition graph consists of only a single vertex. In this case, the set of reachable states, $R(t)$, converges to a series of final sets that oscillate with a period $p_{\mathrm{SCC}}$ related to the structure of the STG.

It is possible, however, that $p_{\mathrm{SCC}}$ is equal to 1, yielding a single final set to which $R(t)$ converges. This happens if there is a state in the SCC which has a self-edge, or if there are cycles with lengths whose greatest common divisor is 1. In fact, such an aperiodic behaviour is very typical for FSMs implemented by practical systems. This is also confirmed by our experiments (Section 4).

One way of obtaining a non-decomposable system is by modelling the process of initialization within the FSM description itself. The FSM can then be put into its initial state by applying a special input sequence called an initializing or synchronizing sequence.
Definition 4 A synchronizing sequence of a finite state machine $M$ is an input sequence that brings $M$ to a known state regardless of the initial state or the output sequence. This state is called the synchronization state of $M$.
If a finite state machine has a synchronizing sequence, then the synchronization state and all states reachable from it must be located within one terminal strongly connected component (TSCC). The reason is that from all states reachable from the synchronization state the machine can be put back into it by applying the synchronizing sequence. In other words, the synchronization state is reachable from all states which are reachable from it. Hence, machines with synchronizing sequences are non-decomposable.

In the special case of a non-decomposable system, the basic definitions of transient and recurrent states of an FSM and those of a Markov chain are equivalent. Therefore, the following lemma, which was originally derived in [4] for homogeneous discrete-parameter Markov chains with a finite state space, can also be formulated in this context.
Lemma 4 If a finite state machine has a synchronizing sequence, then the fixed point recurrence period of all its states is 1.

Lemma 5 If a finite state machine has a synchronizing sequence of a given length and a given sequential depth, then it takes at most as many time steps as the length of the synchronizing sequence plus the sequential depth until all states of the machine are in $R(t)$ and have a recurrence period of 1.

Note that the sequential depth of a finite state machine is given by the longest path among all shortest paths from the initial state to all nodes in the state transition graph of the FSM. In conventional symbolic FSM traversal, the sequential depth is equal to the number of iterations needed to reach the fixed point.
Although most finite state machines encountered in practice actually fall into the category of non-decomposable systems [13], it is generally possible that the SCC graph contains more than one SCC. Also, the initial state does not have to be a recurrent state. We therefore need to discuss the general case of an arbitrarily structured SCC graph.

If the SCC graph of a state transition graph has more than one SCC vertex, the periods are inherited along the directed edges between the SCCs. According to Lemma 2, the recurrence period of an SCC is a divisor of the periods of all its predecessor SCCs. Therefore, the largest periods of recurrence are found in the "earliest" SCCs after initialization of the FSM. We call them entry SCCs (ESCCs).

Definition 5 (Entry SCC) An SCC in the state transition graph which is entered by initialization or reached exclusively via transient states after initialization is called an entry SCC (ESCC).

Note that an entry SCC need not necessarily be a source of the SCC graph. Only if the initial state is a recurrent state is there a unique entry SCC, which is then also the source of the acyclic SCC graph. If, however, the initial state is a transient state, then there can be several entry SCCs.
Figure 3 shows an example of such a state transition graph. This STG is composed of four SCCs, S1 to S4. One of them is an SCC without cycles: it contains only the initial state, which is a transient state. Two of the SCCs are entry SCCs according to Definition 5, and the remaining one is a terminal SCC.
Figure 3: A state transition graph (states A to L plus the initial state, decomposed into the SCCs S1 to S4) and the first values $R(0), \dots, R(13)$ of its reachable state set $R(t)$ (the graph and the listing of the sets are not reproduced in this text version)
Also shown in Figure 3 are the first values of the time series of the reachable state set, $R(t)$. The initial state is contained in $R(t)$ only once, for $t = 0$. The remaining states are recurrent, and we can easily verify that Lemma 1 and Lemma 2 are correct. In the first entry SCC there is a unique cycle of length 3. Therefore, its three states are contained in $R(t)$ alternately, each of them every three time steps. In the second entry SCC there are several cycles whose lengths are all multiples of 2. Hence, its states recur in $R(t)$ in two alternating sets, one of three and one of two states. The terminal SCC contains only one cycle, of length 4. However, the recurrence period of its states is 2. The reason for this is that whenever a certain state of the second entry SCC is in $R(t)$, its successor in the terminal SCC will be in $R(t + 1)$, one time step later; this successor thus inherits the recurrence period 2 of its predecessor. The greatest common divisor of the inherited period 2 and the cycle length 4 is 2.

Obviously, after a sufficient amount of time, all recurrence "interferences" have taken place and a stationary oscillation has evolved. In this example, there are six different values for the set of reachable states, $R(t)$, which are repeated in the same order with a period of six time steps. These six sets together form a cover of the set of all recurrent states.
Theorem 6 Consider the set of all recurrent states of a finite state machine. There always exists a cover $\{R_0, R_1, \dots, R_{L-1}\}$ of this set and a time $t_{\mathrm{fix}} \ge 0$ such that
$$R(t_{\mathrm{fix}} + k \cdot L + i) = R_i \quad \text{for all integers } k \ge 0 \text{ and } 0 \le i < L .$$
$L$ is equal to the least common multiple of the recurrence periods of the entry SCCs of the FSM. $L$ is called the fixed point oscillation period.
In our example of Figure 3 there are two entry SCCs, with periods 3 and 2. The least common multiple of these two numbers is $L = 6$. This is the fixed point oscillation period of the reachable state set that we have found also empirically for this state transition graph.
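The time series $R(t)$, the breadth-first traversal of Table 1 and the structural prediction of $L$ from the entry SCCs (Lemma 2, Definition 5, Theorem 6), as an added Python example that is not part of the original paper. The state transition graph, its state names and the successor sets are constructed for this example; they mirror the shape of Figure 3 (a transient initial state, an entry SCC with a single 3-cycle, an entry SCC whose cycle lengths are all even, and a terminal SCC with a single 4-cycle) but are not the figure's graph. Successor sets abstract away the inputs, since the image of a state under all inputs is all that $R(t)$ depends on; Tarjan's SCC algorithm and the cycle-length gcd via BFS levels are standard techniques used here in place of the proofs in [15].

```python
from collections import deque
from functools import reduce
from math import gcd

# Constructed STG (assumption, not Figure 3): succ[s] is the set of all next
# states of s, i.e. the image of {s} under the next-state function over all inputs.
STG = {
    "init": {"A", "D"},                             # transient initial state
    "A": {"B"}, "B": {"C"}, "C": {"A"},              # entry SCC, one 3-cycle
    "D": {"G"}, "G": {"E", "D"}, "E": {"H"},
    "H": {"F", "I"}, "F": {"G"},                     # entry SCC, cycles 2, 4, 6
    "I": {"J"}, "J": {"K"}, "K": {"L"}, "L": {"I"},  # terminal SCC, one 4-cycle
}

def img(succ, states):
    """img() of Table 1: all immediate successors of a set of states."""
    return frozenset(n for s in states for n in succ[s])

def time_series(succ, s0):
    """R(t) of Definition 1. R(t+1) = img(R(t)) depends on R(t) alone, so the
    first repeated value closes the stationary cycle. Returns (R(0..), t_fix, L)."""
    series, seen, r = [], {}, frozenset([s0])
    while r not in seen:
        seen[r] = len(series)
        series.append(r)
        r = img(succ, r)
    t_fix = seen[r]
    return series, t_fix, len(series) - t_fix

def conventional_traversal(succ, s0):
    """Table 1: R_t = R_{t-1} ∪ img(R_{t-1}) until R_t = R_{t-1}.
    Returns (reachable states, sequential depth = image steps that added states)."""
    t, r = 0, frozenset([s0])
    while True:
        t, nxt = t + 1, r | img(succ, r)
        if nxt == r:
            return r, t - 1
        r = nxt

def sccs(succ):
    """Tarjan's algorithm; SCCs come out sinks first (reverse topological order)."""
    index, low, stack, out = {}, {}, [], []
    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        for w in succ[v]:
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:
            comp = {stack.pop()}
            while v not in comp:
                comp.add(stack.pop())
            out.append(frozenset(comp))
    for v in succ:
        if v not in index:
            visit(v)
    return out

def cycle_gcd(succ, comp):
    """gcd of all cycle lengths inside one SCC (0 if it has no cycle). With BFS
    levels from any root, each inner edge u->v contributes level[u]+1-level[v]."""
    root = next(iter(comp))
    level, queue = {root: 0}, deque([root])
    while queue:
        u = queue.popleft()
        for v in succ[u]:
            if v in comp and v not in level:
                level[v] = level[u] + 1
                queue.append(v)
    return reduce(gcd, (level[u] + 1 - level[v]
                        for u in comp for v in succ[u] if v in comp), 0)

def scc_periods(succ, s0):
    """Lemma 2, Definition 5 and Theorem 6 on the part of the STG reachable from
    s0: period of every SCC (gcd of its own cycle lengths and of the periods
    inherited from recurrent predecessor SCCs; 0 = transient), the entry SCCs,
    and L = lcm of the entry SCC periods."""
    reach, _ = conventional_traversal(succ, s0)
    sub = {s: succ[s] & reach for s in reach}
    comps = list(reversed(sccs(sub)))              # topological order
    cid = {s: i for i, c in enumerate(comps) for s in c}
    period, entry = {}, []
    for i, c in enumerate(comps):
        preds = {cid[u] for u in reach for v in sub[u] if v in c and cid[u] != i}
        own = cycle_gcd(sub, c)
        inherited = [period[comps[p]] for p in preds if period[comps[p]]]
        period[c] = reduce(gcd, inherited, own)
        if own and not inherited:      # cyclic, reached only through transients
            entry.append(c)
    L = reduce(lambda a, b: a * b // gcd(a, b), (period[c] for c in entry), 1)
    return period, entry, L

def empirical_period(series, t_fix, L, state):
    """Period of one state read off the stationary part of R(t): by Lemma 3 a
    state of an SCC with period p occurs L/p times per oscillation period."""
    hits = sum(1 for t in range(t_fix, t_fix + L) if state in series[t])
    return L // hits if hits else 0
```

On the constructed graph the series becomes periodic at $t_{\mathrm{fix}} = 7$ with $L = 6$, while Table 1 converges after 8 image steps (the sequential depth). The structural computation predicts the same $L = 6$ from the two entry SCCs with periods 3 and 2, and gives the terminal SCC period 2 although its only cycle has length 4, because it inherits the period 2 of its predecessor.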
It is interesting to note that for the fixed point oscillation period only the ESCCs of the state transition graph are relevant. All other SCCs, including the TSCCs (unless they are, at the same time, ESCCs), do not influence the oscillation period $L$. (It should be noted, however, that the cycle lengths of non-entry SCCs determine how long it takes until the fixed point is reached.) This observation again points out the difference between a possibilistic state space analysis, such as the characterization of the time series $R(t)$, and a probabilistic state space analysis [4], where the terminal SCCs play the important role.
Theorem 6 justifies the formulation of a structural FSM traversal based on a time frame expansion of a finite state machine. By considering the states that can be produced by the state vectors $s^t$ of the iterative circuit array we are able to traverse the state transition graph of the machine, visiting all states reachable from the set of initial states. For most practical systems (e.g., systems with synchronous resets or initializing sequences), the set of reachable states grows monotonically from time frame to time frame and the fixed point of the iteration consists of a single set. For these systems, the number of iterations needed to reach the fixed point is only slightly larger (by the length of the initializing sequence) than in conventional FSM traversal.
3 Existential Quantification
In order to formulate an FSM traversal algorithm based on a time frame expansion of a finite state machine, it is necessary to have a means of recognizing the fixed point of the expansion. The sets of reachable states, $R(t)$, are represented by the iterative circuit array in a non-canonical form. Consider, for example, a fixed point oscillation period of $L = 1$. After reaching the fixed point, i.e., for $t \ge t_{\mathrm{fix}}$, attaching a new time frame to the end of the circuit array yields the same state set, $R(t + 1) = R(t)$, but in a different structural representation.
Note that in BDD-based FSM traversal it is easy to recognize the fixed point, because sets of states and their images under the transition function are stored canonically as BDDs. The BDDs representing $R_t$ and $R_{t-1}$ in Table 1 simply have to be checked for isomorphism to detect the fixed point. The iterative circuit array, however, represents state sets non-canonically as the range of a multi-output Boolean function implemented as a combinational circuit. In order to detect the fixed point, it is necessary to check that the ranges of the Boolean functions of two time frame expansions of lengths $t$ and $t + L$, respectively, are equal.
To accomplish this, a structural form of existential quantification was introduced in [16], which is based on a functional decomposition of the iterative circuit array and a network cut as shown in Figure 4. The upper part of Figure 4 shows the iterative circuit array representing the set of reachable states, $R(t)$, at the state variables $s^t$ at time $t$. This combinational circuit comprises the complete functional information relating input sequences of length $t$ to the resulting states of the FSM (and can be quite large for large values of $t$). The information we are interested in, however, is only what states are possible, not how they can be produced in the machine. We are only interested in the range of the multi-output function given by the state variables $s^t$. Therefore, the circuit array is decomposed into two parts: a so-called stub circuit and the remaining circuitry (denoted "R" in Figure 4). The stub circuit has the same range as the original circuit array. By cutting the remaining circuitry off along the indicated cut line, the functional dependency of the state variables $s^t$ on the input variables $x^{t-1}, x^{t-2}, \dots, x^0$ is removed. We have existentially quantified the structural set representation given by the circuit array with respect to these input variables. This greatly simplifies the set representation, and, most importantly, it allows us to detect the fixed point. If $R(t)$ and $R(t + L)$ are equal, it must be possible to decompose the circuit arrays of length $t$ and of length $t + L$ such that identical stub circuits are produced in both cases. This means that the fixed point check amounts to checking the identity of the decomposition steps used for the existential quantifications. In Record & Play, an instruction queue is used for this purpose. The decomposition is performed by synthesizing the stub circuit using implicant-based network transformations [10]. For reasons of space, the details of the stub circuit synthesis cannot be reviewed here. The interested reader may refer to [15] for an in-depth treatment of these concepts, including examples.

Figure 4: Structural form of existential quantification: the iterative circuit array (inputs $x^{t-1}, x^{t-2}, \dots$, state variables $s^t$) is decomposed into a stub circuit and the remaining circuitry R, which is cut off along the network cut
Using this structural form of existential quantification, structural FSM traversal can be described by the pseudo-code of Table 2. The image computation operation img() consists of attaching a new time frame to the current circuitry, which represents the state set $R(t - 1)$, and then performing existential quantification as described. The until condition corresponds to checking whether a previously recorded instruction queue was played successfully, i.e., it could be applied for creating the stub circuit during quantification without any modification.

    structural_FSM_traversal(M, S0) {
      t := 0;
      R(t) := S0;                       /* initial state set */
      repeat
        t := t + 1;
        R(t) := img(M, R(t-1));
      until (exists T such that R(t) = R(t-T));
    }

Table 2: Structural FSM traversal
As pointed out in [16], the algorithm Record & Play is based on an approximative structural FSM traversal. The approximation occurs during the synthesis of the stub circuit. The network transformations which synthesize the approximative stub circuit are equivalence transformations, i.e., before cutting, the original circuit array and the decomposed network are functionally equivalent and hence have identical ranges. After cutting, the range of an exact stub circuit is still identical with that of the original network, while the range of an approximated stub is a superset of the original range. Additional state vectors may be introduced by the cut; this can be modelled by a set of additional states being added to the set of reachable states, $R(t)$, in each iteration of the traversal of Table 2.

As a consequence, not only the states reachable from the initial state will be visited during traversal, but also all states "injected" by the approximation and all states reachable from these. For the application of approximative structural FSM traversal, it is necessary that the properties to be checked hold in all these states. Otherwise, false negatives may occur.

On the other hand, the over-approximation of the reachable state set has a very beneficial effect: if the additional states contain states of the reachable state set, then the fixed point iteration is accelerated, because these states and their successors are visited earlier than in the exact traversal. Refer to [15] for an example illustrating this effect.
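The two effects of the over-approximation described above, as an added Python example (not code from the paper or from Record & Play): the extra state vectors introduced by the cut are modelled, as in the text, by a fixed set of injected states added to $R(t)$ in every iteration of the Table 2 loop. The chain machine, the injection sets and the property are constructed for this example; `traverse` is the time-series iteration with the image written over explicit successor sets, and the stub synthesis itself is not modelled.

```python
# Constructed machine (assumption): a 10-state chain 0 -> 1 -> ... -> 9 with a
# self-loop at 9, plus a state "bad" that is not reachable from state 0.
CHAIN = {i: {i + 1} for i in range(9)}
CHAIN[9] = {9}
CHAIN["bad"] = {"bad"}

def holds(state):
    """Constructed property that must hold in every visited state."""
    return state != "bad"

def img(succ, states):
    """Image of a state set: all immediate successors."""
    return frozenset(n for s in states for n in succ[s])

def traverse(succ, s0, inject=frozenset(), prop=holds):
    """Table 2 iteration R(t+1) = img(R(t)) ∪ inject, run until some R(t)
    repeats (fixed point with oscillation period L). An empty inject set is
    the exact traversal; a non-empty one models the superset range of an
    approximated stub. Returns (all visited states, t_fix, L,
    first (t, state) violating prop or None)."""
    series, seen, r, violation = [], {}, frozenset([s0]), None
    while r not in seen:
        seen[r] = len(series)
        series.append(r)
        bad = [s for s in r if not prop(s)]
        if bad and violation is None:
            violation = (len(series) - 1, min(map(str, bad)))
        r = img(succ, r) | inject
    t_fix = seen[r]
    return frozenset().union(*series), t_fix, len(series) - t_fix, violation

def compare():
    """Exact traversal vs. two approximations: one injecting a state the
    machine reaches anyway (only faster convergence) and one injecting an
    unreachable state (a false negative on a property that really holds)."""
    exact = traverse(CHAIN, 0)
    faster = traverse(CHAIN, 0, inject=frozenset({5}))
    spurious = traverse(CHAIN, 0, inject=frozenset({"bad"}))
    return exact, faster, spurious
```

The exact run finds the fixed point at $t = 9$, the sequential depth of the chain. Injecting state 5, which is reachable anyway, brings the fixed point to $t = 5$ and visits nothing unreachable, so the property verdict is unchanged. Injecting the unreachable state "bad" makes the property fail at $t = 1$ although it holds in every state the machine can actually reach: exactly the false negative the text warns about, which is why the properties must hold in the injected states and their successors as well.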
4 Experimental Results for Sequential Equivalence Checking
The algorithm Record & Play for sequential equivalence checking is based on approximative structural FSM traversal. Time frame expansion of the product machine of the two designs to be compared allows a very effective use of structural information when calculating the (approximative) stub circuit. Table 3 presents results for checking the equivalence of circuits of the ISCAS 89 benchmark set against their optimized and retimed versions. The experiments were conducted on a SUN Ultra I workstation. The circuits were verified with Record & Play and, for comparison, also with an equivalence checker based on a standard BDD-based FSM traversal (VIS-1.3).

The column labelled $L$ gives the fixed point oscillation period encountered. As can be se, no oscillations occurred in the experiments ($L = 1$ throughout). The third column shows the number of iterations needed for the traversal. As can be observed, the over-approximation significantly accelerates the traversal. The last column shows the sequential depth of the state transition graph of the original circuit, i.e., the number of iterations of a standard (BDD-based) FSM traversal. Where standard traversal did not fail, Record & Play needed far fewer iterations for every circuit with a sequential depth above 10 (s208, s298, s382, s444, s510, s526) and 2 to 4 more for the shallow circuits (sequential depth 2 to 7), in line with the remark at the end of Section 2 that the structural iteration may need a few steps beyond the sequential depth. False negatives could be avoided in all experiments.
5 Conclusion

We compared structural FSM traversal with standard symbolic FSM traversal. Our theoretical analysis as well as the experimental results show that structural FSM traversal is a practical base algorithm for formal verification applications. For the circuits encountered in practice it has the same convergence behaviour as symbolic traversal. While not suffering from the memory problems encountered with canonical set representations, it allows exploiting structural circuit properties and effective approximations, by which the traversal of the state transition graph can be greatly accelerated.

    circuit   record_and_play() (HANNIBAL)            seq_verify (VIS-1.3)
    name      CPU time (h:min:sec)  # iter.  L        CPU time (h:min:sec)  sequ. depth
    s208      0:00:08               15       1        0:00:04               255
    s298      0:00:09               10       1        0:00:03               18
    s344      0:00:11                9       1        0:00:12               6
    s349      0:00:11                9       1        0:00:12               6
    s382      0:00:17               16       1        0:01:55               150
    s386      0:00:48                9       1        0:00:03               7
    s420      0:00:43               27       1        unable                65536
    s444      0:00:18               16       1        0:01:59               150
    s510      0:00:35               12       1        0:00:26               46
    s526      0:00:35               21       1        0:01:35               150
    s635      0:01:32               37       1        unable                —
    s641      0:00:12                9       1        0:00:04               6
    s713      0:00:12                9       1        0:00:03               6
    s820      0:36:50               17       1        unable                10
    s832      0:26:37               16       1        unable                10
    s838      0:08:13               51       1        unable                —
    s953      0:01:09               11       1        unable                10
    s1196     0:00:40                6       1        0:00:10               2
    s1238     0:00:46                6       1        0:00:11               2
    s1423     0:03:31               14       1        unable                —
    s1512     0:04:09               16       1        unable                —
    s3271     0:21:17               19       1        unable                —
    s3330     0:11:33                9       1        unable                —
    s3384     0:31:24               17       1        unable                —
    s4863     0:36:52                8       1        unable                —
    s5378     0:55:23               36       1        unable                —
    s6669     0:47:15               11       1        unable                —

Table 3: Verification of optimized and retimed circuits ("unable": VIS-1.3 did not complete the traversal; "—": no sequential depth reported)
References
[1] D. Brand, “Verification of Large Synthesized Designs,” in Proc. Intl. Conf. on Computer-Aided Design (ICCAD-93), pp. 534–537, 1993.
[2] R. Bryant, “Graph-based Algorithms for Boolean Function Manipulation,” IEEE Transactions on Computers, vol. 35, pp. 677–691, August 1986.
[3] O. Coudert, C. Berthet, and J.-C. Madre, “Verification of Synchronous Sequential Machines Based on Symbolic Execution,” Lecture Notes in Computer Science, vol. 407, pp. 365–373, June 1989.
[4] G. D. Hachtel, E. Macii, A. Pardo, and F. Somenzi, “Markovian Analysis of Large Finite State Machines,” IEEE Transactions on Computer-Aided Design, vol. 15, pp. 1479–1493, Dec. 1996.
[5] G. D. Hachtel and F. Somenzi, Logic Synthesis and Verification Algorithms. Boston: Kluwer Academic Publishers, 1996.
[6] S. Huang, K. Cheng, K. Chen, and U. Gläser, “An ATPG-Based Framework for Verifying Sequential Equivalence,” in Proc. Intl. Test Conference (ITC-96), 1996.
[7] J. Jain, R. Mukherjee, and M. Fujita, “Advanced Verification Techniques Based on Learning,” in Proc. 32nd ACM/IEEE Design Automation Conference (DAC-95), pp. 420–426, June 1995.
[8] A. Kühlmann and F. Krohm, “Equivalence Checking Using Cuts and Heaps,” in Proc. Design Automation Conference (DAC-97), pp. 263–268, Nov. 1997.
[9] W. Kunz, “An Efficient Tool for Logic Verification Based on Recursive Learning,” in Proc. Intl. Conference on Computer-Aided Design (ICCAD-93), pp. 538–543, Nov. 1993.
[10] W. Kunz and D. Stoffel, Reasoning in Boolean Networks - Logic Synthesis and Verification Using Testing Techniques. Boston: Kluwer Academic Publishers, 1997.
[11] Y. Matsunaga, “An Efficient Equivalence Checker for Combinational Circuits,” in Proc. Design Automation Conference (DAC-96), pp. 629–634, June 1996.
[12] K. McMillan, Symbolic Model Checking. Boston: Kluwer Academic Publishers, 1993.
[13] C. Pixley, “A Theory and Implementation of Sequential Hardware Equivalence,” IEEE Transactions on Computer-Aided Design, vol. 11, pp. 1469–1478, Dec. 1992.
[14] S. Reddy, W. Kunz, and D. Pradhan, “A Novel Verification Framework Combining Structural and OBDD Methods in a Synthesis Environment,” in Proc. Design Automation Conference (DAC-95), pp. 414–419, June 1995.
[15] D. Stoffel, Formal Verification of Sequential Circuits Using Reasoning Techniques. PhD thesis, Johann Wolfgang Goethe-Universität, Frankfurt am Main, Germany, http://www.em.informatik.uni-frankfurt.de, 1999.
[16] D. Stoffel and W. Kunz, “Record & Play: A Structural Fixed Point Iteration for Sequential Circuit Verification,” in Proc. Intl. Conference on Computer-Aided Design (ICCAD-97), pp. 394–399, Nov. 1997.
[17] C. van Eijk, “Sequential Equivalence Checking without State Space Traversal,” in Proc. Conference on Design, Automation and Test in Europe (DATE-98), (Paris, France), pp. 618–623, March 1998.