On Combining Formal and Informal Verification

Jun Yuan*, Jian Shen**, Jacob Abraham**, Adnan Aziz**

* Motorola Inc., Austin TX yuan@adttx.sps.mot.com
** ECE Dept., Univ. of Texas, Austin TX {jshen|jaa|adnan}@ece.utexas.edu

Abstract. We propose algorithms which combine simulation with symbolic methods for the verification of invariants. The motivation is two-fold. First, there are designs which are too complex to be formally verified using symbolic methods; however, the use of symbolic techniques in conjunction with traditional simulation results in better "coverage" relative to the computational resources used. Additionally, even on designs which can be symbolically verified, the use of a hybrid methodology often detects the presence of bugs faster than either formal verification or simulation.

1 Introduction

In this paper we will be concerned with the problem of design verification; specifically, the problem of invariant checking over gate-level designs. Traditionally, designs have been verified by extensive simulation. While offering the benefits of simplicity and scalability, simulation offers no guarantees of correctness; for large designs, the fraction of the design space which can be covered in this methodology becomes vanishingly small. Indeed, there are many examples of designs that passed extensive simulation, but were still found to contain bugs [4]. This has led to the proposal of "formal methods" for design verification; the adjective formal refers to the unambiguous specification of the system and the properties being checked, together with the validation step generating a mathematically rigorous proof of correctness.

In theory the computational complexity of invariant checking on netlists is high; PSPACE-complete to be precise. In practice, many designs are well structured, and this can be exploited to devise heuristic procedures which perform well on specific classes of designs. One method which has been used to successfully verify a large number of complex designs is the use of "symbolic data structures" such as Binary Decision Diagrams (BDDs) to efficiently represent and manipulate the state spaces of designs [1]. The primary limitation of BDD based approaches to invariant checking is that for many designs, the BDDs constructed in the course of verification can grow extremely large, resulting in space-outs or severe performance degradation due to paging [12].

Practicing verifiers are less concerned with formally verifying designs than finding bugs in them as early as possible. As Henzinger has pointed out, "falsification" is a more accurate description of the endeavor called "verification".

Faced with the twin dilemmas of diminished coverage through simulation and the inability of symbolic methods to formally verify large designs, it is natural to ask how best to combine symbolic methods with simulation, so as to find bugs as quickly as possible.

In this paper we provide two answers to the problem posed above. It is to be stressed that neither method is complete, i.e., guaranteed to provide a formal certificate of correctness if the invariant passes, or a counterexample if it fails. However, all reported violations of the invariant are true bugs.

We first develop the method of saturated simulation, wherein the designer designates a subset of the latches as being "interesting"; these could, for example, be the program counter and status bits in a micro-processor. The procedure performs a partial traversal of the state space. At each step, symbolic techniques are used to compute the full set of control states reachable from the current set; we also describe an extension that visits all controller edges. Heuristically, the control portion of the design, while being much smaller than the datapath, is the main source of design errors. Saturated simulation attempts to explore as much of the control state space as possible, thus increasing the likelihood of finding bugs.

The efficiency of this approach comes from the observation that it is feasible to compute the symbolic image of a single state even for very large designs, coupled with the fact that the set of control states is typically much smaller than the entire state space. Additionally, fast BDD routines exist for generating and manipulating representative elements of equivalence classes [8].

We then describe an orthogonal approach referred to as retrograde analysis [15]. Starting from $B$, the complement of the invariant, successive pre-images $B, B_1, B_2, \ldots$ are computed symbolically. This is done till the BDD for some $B_n$ grows larger in size than a (user-specified) threshold value. Cycle simulation is performed from an initial state; simulation is halted if a state which lies in $B_n$ is reached, since every state in $B_n$ can reach a state in $B$. We describe greedy search strategies for finding paths to $B_n$ from an initial state which use Hamming distance as a metric to be minimized. The primary benefit of retrograde analysis is that the set $\bigcup_i B_i$ is typically much larger (in the sense of cardinality) than $B$; hence, in a heuristic sense, $B_n$ offers a much larger "target" for simulation.
These routines have been coded on top of the tool VIS [2]. Our experimental results underline the effectiveness that is suggested by the heuristic arguments given above.

To the best of our knowledge, the principles of saturated simulation and retrograde analysis are novel to this paper. We have been influenced by a number of related works. Thompson's [15] work on retrograde analysis provided the initial impetus. Additionally, we were influenced by the dramatic improvements made to cycle simulation by the use of BDDs by Ashar and Malik [1], and McGeer et al. [9], who made clear the importance of making maximum use of the physical memory available on the machine. Ravi et al. [13] attempt to pick subsets of state sets encountered during reachability analysis which have small BDDs but contain a large number of states. This is distinct from our approach, wherein a subset is chosen which attempts to maximize the number of distinct controller states. Cho et al. [5] pick nets to abstract into primary inputs, consequently obtaining supersets of the set of reachable states. The work of Ho et al. [6] and Hoskote et al. [7] on creating simulation vectors which excite a large number of transitions on the controller states of a design suggested the usefulness of using transitions rather than states to obtain good coverage of controller behavior. However, they used designer supplied "translation functions", or test-based techniques to generate simulation input sequences which excited as much of the control as possible; our approach is rooted in symbolic methods.

2 Background

In order to be able to analytically reason about hardware, we first need to develop mathematical models for digital systems. Singhal [14] gives a detailed exposition for computational models for hardware.

Hardware designs can be modeled at the structural level using netlists, or at the behavioral level using finite state machines (FSMs). A netlist consists of an interconnected set of primary inputs, gates, and latches. Each gate has an associated Boolean function. A finite state machine can be represented by an edge-labeled directed graph, where the vertices correspond to states, and the labels are input-output pairs.

For a given netlist, there is a natural way of deriving a finite state machine from it; states are evaluations to the set of latch variables, and the next-state/output functions are derived by composing the gate functions.

Given a design $D$ and a set of states $A$, the image of $A$ (denoted by $Img(A)$) is the set of all states which can be reached from $A$ by applying an input sequence of length one. Similarly, the pre-image of $A$ (denoted by $PreImg(A)$) is the set of all states which can reach $A$ in one step. The Img and pre-image procedures can be implemented symbolically using Reduced Ordered Binary Decision Diagrams [3].

Invariant Verification

A common verification problem for hardware designs is to determine if every state reachable from a designated set of initial states lies within a specified set of "good states" (referred to as the invariant). This problem is variously known as invariant verification, or assertion checking.

One straightforward solution to the invariant checking problem is to symbolically compute all states reachable from the initial states and determine that they all lie in the invariant. An alternate approach to checking invariants is based on backward analysis, wherein the symbolic PreImg operator is iteratively applied to determine all states which can reach the complement of the invariant; the invariant fails if the initial state lies in this set.

The primary limitation of both approaches is that the BDDs encountered in the course of image computations can grow very large.

3 Saturated Simulation

Many designs can be separated into "control" and "datapath" as illustrated in Figure 1; furthermore, the designer is aware of this dichotomy. For most such designs, the number of latches in the controller is usually a small fraction of the total number of latches; however, the control portion is where bugs usually occur. In this section, we describe an approach we refer to as "saturated simulation"; this approach attempts heuristically to explore as much of the control portion of the design as possible.

Fig. 1. Partitioning a design into Control and Datapath.

As an example, consider the viper microprocessor. It contains 9 latches which can be naturally designated control and 21 which are data. Hence, there are no more than 512 different possible values for the control state. It is feasible even for very large designs to compute the image of a small (in the sense of cardinality) set of states. In part, this follows from the fact that the construction of the BDD for the next-state logic can be restricted to the current set of states. This suggests that it may be possible to perform a "partial" reachability analysis, in which all distinct control states are preserved at each step.

Let the variables associated with the control portion of the design be $X_c$ and the variables associated with the datapath be $X_d$. Thus the state of the design is given by an evaluation to $X_c \cup X_d$.

Definition 1. Let $A$ be a set of states. A subset $A'$ of $A$ is control-saturated with respect to $A$ if

$(\forall c.\forall d)\,[(c,d) \in A \rightarrow (\exists d')\,[(c,d') \in A']]$

Intuitively, $A'$ is a control-saturated subset of $A$ if every control state occurring in $A$ occurs in $A'$. Thus control-saturated subsets of $A$ preserve all the controller states present in $A$. Heuristically, a minimal control-saturated subset of $A$ is a good representative set: it includes all the distinct controller configurations in $A$, and is as small as possible (in the sense of cardinality). An example of a control-saturated subset is given in Figure 2(a).

We now address the problem of computing minimal control-saturated subsets of $A$. Let $f$ be a Boolean function on variables $X = \{x_1, x_2, \ldots, x_n\}$. Lin et al. [8] presented an efficient algorithm (referred to as the cproject operator) which takes a BDD for $f$ and a subset $X' \subseteq X$ of the variables, and returns a BDD for a function $f'$ which has the property that

1. for any assignment $v$ to the variables in $X$, so that $f(v) = 1$, there is exactly one valuation $v'$ which agrees with the valuation $v$ over the variables in $X'$ so that $f'(v') = 1$, and furthermore
2. for all $u$, $f'(u) = 1 \Rightarrow f(u) = 1$.

Since sets can be thought of in terms of characteristic functions, we will freely apply the cproject operator to sets. Observe that $cproject(A, X_c)$ is a minimal control saturated subset of $A$.

Fig. 2. Minimal control saturated subsets. Panels: (a) Ex. control saturated subset; (b) Ex. control reachability. Axes: control value, data value. First two bits are control, last three are data.

In Figure 3 we sketch a simple symbolic procedure for invariant verification. Reachable states are iteratively computed using the Img operator; at each step, a control-saturated subset of the current reached state is computed using the cproject operator. This in turn is used as the current reached state set. The first few steps are illustrated in Figure 2. The procedure is incomplete, since it is greedy: minimal control-saturated subsets of the sets computed by the cproject operator will not necessarily be sufficient to cover all possible controller states.

    BDD_t function CntrlSatSim(A, CntrlVars, G) {
        /* A initialized to the BDD for the reset states. */
        /* G is the BDD for the invariant. */
        if (BDDIntersects(A, BDDNot(G)))   /* a reached state lies outside G: invariant fails!! */
            assert fail;
        ImgA := BDDImg(A);
        R := BDDOr(A, ImgA);
        R := BDDCproject(R, CntrlVars);
        if (BDDEqual(R, A))                /* fixed point: no new control states */
            return R;
        return CntrlSatSim(R, CntrlVars, G);
    }

Fig. 3. Control-saturated simulation.

One simple way of further enhancing the coverage achieved by control-saturated simulation is to generate several "representative" control states. There are simple modifications to the cproject operator which can achieve this effect. Another approach is to apply cproject only to the frontier of the reached states at each iteration.

3.1 Control-edge Saturated Simulation

A fundamental extension to obtain enhanced coverage is to perform a partial reachability analysis and at each step pick a subset of the image which preserves all "controller transitions" to the image from the current set. Ho et al. [6] and Abraham et al. [7] created simulation vectors which excite a large number of control transitions in designs; the high quality of their results in terms of finding bugs with these vectors underlines the usefulness of using transitions rather than states to obtain good coverage. As an example, consider a microprocessor where the control state is the value of the program counter. Two states which correspond to different lines in the program may both transition to the same program line with different data values; in this case, it is natural to keep the resulting states different.

We now describe how to explore edges in the control state space.

Definition 2. Let $A$ be a set of states. A subset $B$ of $Img(A)$ is said to be control-edge saturated with respect to $A$ if

$(\forall c.\forall d.\forall c'.\forall d')\,[(c,d) \in A \wedge (c',d') \in Img(\{(c,d)\})] \rightarrow (\exists d''.\exists d''')\,[(c',d'') \in B \wedge (c,d''') \in A \wedge (c',d'') \in Img(\{(c,d''')\})]$

In English, the above definition says that $B$ is control-edge saturated when for every transition $(c,d) \rightarrow (c',d')$ from $A$ to $Img(A)$, there is a state $(c',d'')$ in $B$ and a state $(c,d''')$ in $A$ so that $(c,d''') \rightarrow (c',d'')$.

Thus in some sense, control-edge saturated subsets of $Img(A)$ preserve all the controller transitions originating at $A$. Heuristically, a minimal control-edge saturated subset of $Img(A)$ is a good representative set: it includes all the distinct controller configurations resulting in $Img(A)$ from transitions from $A$, and is as small as possible. An example of a minimal control-edge saturated subset is given in Figure 4.

Minimal control-edge saturated sets can be computed by augmenting the design: for every control latch $x_c$, add a new latch $x_s$ which "shadows" $x_c$, that is, the next state of $x_s$ is the present state of $x_c$. Denote the set of shadow state variables thus introduced by $X_s$. Clearly the next-state of the latches indexed by $X_c \cup X_d$ is independent of that of the shadow latches. The following lemma demonstrates that minimal control-edge saturated sets can be computed from the augmented design.

Lemma 3. Let $\tilde{A}$ be $A$ lifted from $X_c \cup X_d$ to $X_c \cup X_d \cup X_s$. Define $B$ to be the existential quantification of $cproject(Img(\tilde{A}), X_c \cup X_s)$ by $X_s$. Then $B$ is minimal control-edge saturated with respect to $A$.
Proof. Observing that $cproject(\cdot, \cdot)$ is always a subset of its first argument, it follows that $cproject(Img(\tilde{A}), X_c \cup X_s)$ is a subset of $Img(\tilde{A})$. Since the next state of non-shadow latches does not depend on the shadow latches, it follows that the existential quantification of $Img(\tilde{A})$ by $X_s$ is equal to $Img(A)$, and so $B$ is a subset of $Img(A)$.

We now show $B$ is control-edge saturated with respect to $A$. Let $(C, D)$ and $(C', D')$ satisfy the "if" portion of the implication in Definition 2. Then there is a transition from $(C, D) \in A$ to $(C', D')$, i.e., $(C', D') \in Img(\{(C, D)\})$. From the construction of the augmented design, $((C', C), D')$ is in $Img(((C, S), D))$ for an arbitrary assignment $S$ to the shadow latches. Hence $cproject(Img(\tilde{A}), X_c \cup X_s)$ contains a state of the form $((C', C), D'')$. Note $((C', C), D'')$ lies in $Img(\tilde{A})$; let it lie in the image of $((C, S'), D''')$. Hence, on existentially quantifying the $X_s$ variables from $cproject(Img(\tilde{A}), X_c \cup X_s)$, the resulting set (namely $B$) will contain $(C', D'')$. Since $(C', D'')$ lies in the image of $(C, D''')$, $D''$ and $D'''$ are existential witnesses for the "then" portion of the implication in Definition 2.

Minimality of $B$ follows from the properties of cproject described in the previous section.

Fig. 4. A minimal control-edge saturated subset. First two bits are control, last three are data. Same control values, but correspond to different controller transitions => keep both.

3.2 Experimental Results – Saturated Simulation

We coded the routines described in the previous section as part of the VIS program [2]. Results are provided on two benchmarks: the 885, and viper microprocessors. The 885 is approximately 4 gate equivalents, and contains 242 latches, of which 33 were identified as being control. The viper is also 4 gate equivalents, and contains 218 latches of which 9 were from the control. All experiments were conducted on an UltraSparc 1, with a 17 MHz processor, and 128 MBytes of main memory. A timeout of 2 seconds was used for all viper experiments, and 1 seconds for 885 experiments. Sifting-based dynamic reordering was enabled throughout the experiments.

Table 1 presents results on the use of a complete BDD-based reachability analysis on the two benchmarks. Peak BDD is the number of nodes in the largest BDD encountered during reachability analysis. (The abnormally low peak BDD for viper in Table 1 stems from the fact that the program timed out after the first four reachability steps, which were easily performed.) Table 2 presents results on the use of a control-state saturated simulation (as given in Figure 3). For 885, we compute almost twice as many reachable control states and transitions; for viper, an order of magnitude more. Table 3 presents results on the use of control-edge saturated simulation. In the same time, more edges are visited; this comes at the expense of higher memory consumption with respect to control-state saturated simulation. Interestingly, fewer control states are visited; we ascribe this to the fact that the control-state saturated simulation is faster, and so manages to go deeper into the state space in the same amount of time; this is seen in the depth column.

We compare saturated simulation with fast lookup based cycle simulation [1, 9] in Table 4. For viper, we performed 1 sets of simulations, each comprising of 2 vectors; for 885 we performed 4 sets of length 2. Even though we gave cycle simulation two orders of magnitude more time, it still performed far worse than saturated simulation.

Table 1. Complete BDD based reachability analysis.
Example | Rchd. States | Peak BDD | |Control States| | |Control Edges| | depth
viper1:36119233
8851:4317275641
2461233 6883723 31641 4

Table 2. Partial reachability analysis using control-state saturated subsets.
Example | Peak BDD | |Control States| | |Control Edges| | depth
viper1618
8858189 1846 4765 43

Table 3. Partial reachability analysis using control-edge saturated subsets.
Example | Peak BDD | |Control States| | |Control Edges| | depth
viper71213
8858189 1696 236 6324 75 6 3

Table 4. Comparing saturated simulation with cycle simulation.
Example | Saturated Simulation: Time (sec), |Ctl States|, |Ctl Edges| | Cycle Simulation: Time, Size, |Ctl States|, |Ctl Edges|
viper2
885116966324991434275
236 758661612121
2674 288

4 Retrograde Analysis

Retrograde Analysis (RA) is an important search technique developed within the field of artificial intelligence. In its simplest form, RA first marks all end positions (e.g., checkmate), and then by making unmoves from the end positions works its way back to the positions farthest from the end position, on the way determining the game theoretic values of all positions in the search space.

RA can naturally be applied to invariant checking: construct the sets of states $B, B_1, \ldots$ where $B$ is the complement of the invariant and $B_{i+1} = PreImg(B_i)$. Analogously to the $W_i$'s above, the $B_i$'s are effectively bad states. The $B$'s can grow very large in terms of cardinality; it is natural to use BDDs to represent them compactly. Finally, when main memory is nearly exhausted, say at the set $B_l$, search for an input sequence which takes an initial state to a state in $B_l$.

The simplest search strategy is the simulation of random input vectors starting from a random initial state; the search halts if some state reached in this fashion lies in $B_l$. This approach is illustrated in Figure 5(a). Note that checking if a state lies in the set defined by a BDD is very fast: it takes time proportional to the number of bits in the state, and is independent of the size of the BDD.

A more sophisticated search strategy is to pick an initial state which is "close" to the target states, i.e., to $B_l$. We propose the use of Hamming distance as a measure of closeness.

Recall that the Hamming distance between $\alpha, \beta \in \{0,1\}^n$ (denoted by $\delta(\alpha, \beta)$) is the number of positions in which the $\alpha$ and $\beta$ vectors differ. Consider the relations $H, H_1, H_2, \ldots, H_n \subseteq \{0,1\}^{2n}$ where $(\alpha, \beta) \in H_k \Leftrightarrow \delta(\alpha, \beta) \le k$. The relation $H_1$ can be constructed directly using BDDs. The relation $H_{i+1}$ satisfies the following identity:

$H_{i+1} = H_i \cup (\exists \gamma)\,[(\alpha, \gamma) \in H_i \wedge (\gamma, \beta) \in H_1]$

Hence, the BDDs for $H, H_1, H_2, \ldots, H_n \subseteq \{0,1\}^{2n}$ can be easily constructed; furthermore a simple argument based on counting cofactors shows that they are small for the interleaved variable ordering.

The search for states in $B_l$ can be enhanced by first performing forward reachability from the initial states till the BDD for reached states reaches a threshold size. From the outermost ring, pick a state (say $s$) which is closest to $B_l$, and then perform random cycle simulation from $s$. This is illustrated in Figure 5(b). Instead of cycle simulation from $s$, a combination of symbolic forward reachability analysis coupled with the Hamming heuristic can be recursively applied. This is illustrated in Figure 5(c).
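The procedure of Figure 3 (Section 3) and the retrograde search of Section 4, as one added example that is not code from the paper or from VIS: explicit Python sets stand in for BDDs on a constructed 5-bit toy design, and the representative chosen by cproject is reduced to a hypothetical `pick` parameter. It shows the greedy incompleteness noted in Section 3 (one choice of representatives reaches a fixed point without seeing the violation, another finds it) and a Hamming-guided search into the enlarged target set.

```python
import heapq

N_DATA = 3                       # as in Fig. 2: two control bits, then three data bits
MASK = (1 << N_DATA) - 1
STATES = range(1 << (2 + N_DATA))
INIT = {0b00_000}
BAD = {s for s in STATES if s >> N_DATA == 3}   # complement of invariant "control != 3"

def step(s, inp):
    """Next-state function of a constructed toy design (an assumption, not from the paper)."""
    c, d = s >> N_DATA, s & MASK
    if c == 0:                   # idle: count up, or move to load when inp is set
        c, d = (1, d) if inp else (0, (d + 1) & MASK)
    elif c == 1:                 # load: optionally flip the low data bit
        c, d = 2, d ^ inp
    elif c == 2:                 # exec: data value 5 with inp set trips the error state
        c = 3 if (d == 5 and inp) else 0
    return (c << N_DATA) | d     # control state 3 is absorbing

def img(states):
    return {step(s, i) for s in states for i in (0, 1)}

def preimg(states):
    return {s for s in STATES if img({s}) & states}

def cproject(states, pick=min):
    """Keep one state per control value: a minimal control-saturated subset."""
    by_ctl = {}
    for s in states:
        by_ctl.setdefault(s >> N_DATA, []).append(s)
    return {pick(group) for group in by_ctl.values()}

def cntrl_sat_sim(a, bad, pick=min):
    """Fig. 3 on explicit sets: returns (violating states or None, depth)."""
    depth = 0
    while not a & bad:
        r = cproject(a | img(a), pick)
        if r == a:               # fixed point: no violation seen (not a proof)
            return None, depth
        a, depth = r, depth + 1
    return a & bad, depth

def retrograde(bad, threshold):
    """Union of B, B1, B2, ... grown until it holds more than threshold states."""
    target, steps = set(bad), 0
    while len(target) <= threshold:
        grown = target | preimg(target)
        if grown == target:
            break
        target, steps = grown, steps + 1
    return target, steps

def hamming(a, b):
    return bin(a ^ b).count("1")

def guided_search(init, target):
    """Greedy best-first search: expand the state with least Hamming distance to target."""
    dist = lambda s: min(hamming(s, t) for t in target)
    heap = [(dist(s), s, [s]) for s in sorted(init)]
    heapq.heapify(heap)
    seen = set(init)
    while heap:
        _, s, path = heapq.heappop(heap)
        if s in target:
            return path
        for n in sorted(img({s}) - seen):
            seen.add(n)
            heapq.heappush(heap, (dist(n), n, path + [n]))
    return None

if __name__ == "__main__":
    print("min representative:", cntrl_sat_sim(INIT, BAD, min))
    print("max representative:", cntrl_sat_sim(INIT, BAD, max))
    target, steps = retrograde(BAD, threshold=12)
    print("target size", len(target), "after", steps, "pre-images")
    print("path to target:", guided_search(INIT, target))
```

The size threshold in `retrograde` plays the role of the BDD-size threshold in the text; every state on the returned path's last step can reach the complement of the invariant by construction of the pre-images.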
4.1 Experimental Results – Retrograde Analysis

We coded the routines described in the previous section as part of the VIS program [2], and experimented with a number of examples. Representative results are provided on two benchmarks: mesh4 is a routing algorithm on a 4 by 4 mesh of nodes, and cube4 is a hypercube based routing protocol. For both examples, we chose an invariant which fails.

Fig. 5. Retrograde search for invariant checking. Panels: (a) Vanilla RA; (b) RA Hamming, closest states hatched; (c) Enhanced RA Hamming.

Results on Mesh4 are reported in Figure 6. We plot BDD size and cardinality after successive pre-images in Figure 6(a); both grow quickly. In Figure 6(b) we plot the number of simulation trials needed to reach a pre-image, starting from the initial state, against the number of preimage steps taken; each trial consists of applying 1 random vectors. It is clear from the picture that this number decreases rapidly.

The effect of Hamming distance is given in Figure 7 for the Cube4 example. Figures 7(a) and 7(b) are as before. In Figure 7(c), we show the effect of taking one forward step, and then picking a state in the image which is close to the target as opposed to a random state in the image; in Figure 7(d) we take two forward steps, and then pick a state which is close to the target. In both cases, there is an appreciable decrease in the number of simulation trials needed when Hamming distance is used. Interestingly, when a state in the image is picked at random, the performance is actually worse than simply starting at the initial state.

5 Conclusion

We investigated ways in which to combine symbolic verification with simulation. Specifically, we gave heuristic justification for saturated simulation and retrograde analysis. Experimental evidence corroborates that these approaches yield enhanced coverage and robustness. Thus the combination of formal and informal verification offers benefits not available in each independently.

In the future we intend to build upon the theme of relating formal and informal methods, particularly the problem of validating software for embedded controllers.
Fig. 6. Retrograde Analysis applied to Mesh4. Panels (a) and (b); plotted quantities: BDD size, number of target states, simulation steps; horizontal axis: no. of backward steps.

Fig. 7. Effect of Hamming Distance on Cube4. Panels (a) to (d); plotted quantities: BDD size, target state number, simulation steps with Hamming, simulation steps without Hamming; horizontal axis: no. of backward steps.

References

1. P. Ashar and S. Malik. Fast Functional Simulation Using Branching Programs. In Proc. Intl. Conf. on Computer-Aided Design, November 1995.
2. R. K. Brayton, G. D. Hachtel, A. Sangiovanni-Vincentelli, F. Somenzi, A. Aziz, S.-T. Cheng, S. Edwards, S. Khatri, Y. Kukimoto, A. Pardo, S. Qadeer, R. K. Ranjan, S. Sarwary, T. R. Shiple, G. Swamy, and T. Villa. VIS: A system for Verification and Synthesis. In Proc. of the Computer Aided Verification Conf., July 1996.
3. R. Bryant. Graph-based Algorithms for Boolean Function Manipulation. IEEE Transactions on Computers, C-35:677–691, August 1986.
4. B. Chen, M. Yamazaki, and M. Fujita. Bug Identification of a Real Chip Design by Symbolic Model Checking. In Proc. European Conf. on Design Automation, pages 132–136, March 1994.
5. H. Cho, G. D. Hachtel, E. Macii, M. Poncino, and F. Somenzi. A Structural Approach to State Space Decomposition for Approximate Reachability Analysis. In Proc. Intl. Conf. on Computer Design, October 1994.
6. Richard C. Ho, C. Han Yang, Mark A. Horowitz, and David L. Dill. Architectural validation for processors. In Proceedings of the International Symposium on Computer Architecture, June 1995.
7. Y. Hoskote, D. Moundanos, and J. Abraham. Automatic Extraction of the Control Flow Machine and Application to Evaluating Coverage of Verification Vectors. In Proc. Intl. Conf. on Computer Design, Austin, TX, October 1995.
8. B. Lin and R. Newton. Implicit Manipulation of Equivalence Classes Using Binary Decision Diagrams. In Proc. Intl. Conf. on Computer Design, Cambridge, MA, October 1991.
9. P. McGeer, K. McMillan, A. Saldanha, A. Sangiovanni-Vincentelli, and P. Scaglia. Fast Discrete Function Evaluation. In Proc. Intl. Conf. on Computer-Aided Design, November 1995.
10. Kenneth L. McMillan. Symbolic Model Checking. Kluwer Academic Publishers, 1993.
11. R. Motwani and P. Raghavan. Randomized Algorithms. Cambridge University Press, 1995.
12. R. Ranjan, J. Sanghavi, R. K. Brayton, and A. L. Sangiovanni-Vincentelli. High Performance BDD Package Based on Exploiting Memory Hierarchy. In Proc. of the Design Automation Conf., Las Vegas, NV, June 1996.
13. K. Ravi and F. Somenzi. High Density Reachability Analysis. In Proc. Intl. Conf. on Computer-Aided Design, Santa Clara, CA, November 1995.
14. Vigyan Singhal. Design Replacements for Sequential Circuits. PhD thesis, University of California Berkeley, Electronics Research Laboratory, College of Engineering, University of California, Berkeley, CA 9472, 1996.
15. K. Thompson. Retrograde analysis of certain endgames. ICCA Journal, 9(3):131–139, 1986.