Exploiting Symmetry When Verifying Transitor-Level Circuits by Symbolic Trajectory Evaluation

IEEE TRANSACTIONS ON COMPUTER AIDED DESIGN, VOL. XX, NO. Y, MONTH 1999 1Exploiting symmetry when verifying transistor-levelcircuits by symbolic trajectory evaluationManish Pandey, Randal E. BryantAbstract|We describe the use of symmetry for veri�cationof transistor-level circuits by Symbolic Trajectory Evalua-tion (STE). We present a new formulation of STE which al-lows a succint description of symmetry properties in circuits.Symmetries in circuits are classi�ed as structural symmetries,arising from similarities in circuit structure, data symmetries,arising from similarities in the handling of data values, andmixed structural-data symmetries. We use graph isomor-phism testing and symbolic simulation to verify the symme-tries in the original circuit. Using conservative approximations,we partition a circuit to expose the symmetries in its com-ponents, and construct reduced system models which canbe veri�ed e�ciently. Introducing X-drivers into switch-levelcircuits simpli�es the task of creating conservative approxi-mations of switch-level circuits. Our empirical results showthat exploiting symmetry with conservative approximationscan allow one to verify systems several orders of magnitudelarger than otherwise possible. We present results of veri-fying Static Random Access Memory circuits with up to 1.5Million transistors.Keywords|Formal Veri�cation, Symbolic Trajectory Eval-uation, Transistor-Level, Switch-Level, Memory Arrays,Symmetry. I. IntroductionMany high performance hardware designs are custom de-signed at the transistor-level to optimize their area and per-formance. This makes it necessary to verify them directlyat the transistor-level. Veri�cation at this level of abstrac-tion allows one to handle many low-level circuit modelingissues such as bidirectional pass transistors, transistor sizes,node capacitances, and charge sharing. Common examplesof such custom-designed hardware units include memoryarrays which are found in instruction and data caches ofmicroprocessors, cache tags, and TLBs. Many of thesehardware units consist of components which have consid-erable regularity in their structure, or in the way they han-dle data. This paper focuses on formalizing this regularityas symmetry and shows how symmetry can be used withsymbolic trajectory evaluation (STE) to e�ciently veritylarge designs.Past e�orts on verifying memory arrays using STE havebeen quite successful. Results have been presented on theveri�cation of large systems containing over 105 transis-tors, and over 104 memory bits [19], [6]. However, theseapproaches do not scale up well for much larger systems.As results in this paper show, switch-level analysis can be-come a serious bottleneck in a STE veri�cation ow thatdoes not utilize symmetry.By exploiting symmetry with the use of STE, it is pos-Manish Pandey is a research sta� member in IBM Austin ResearchLaboratory, IBM Austin, TX-78758. Randal E. Bryant is the Pres-ident's Professor of Computer Science in the School of ComputerScience at Carnegie Mellon University, Pittsburgh, PA-15213.

sible to verify systems that are orders of magnitude largerthan previously possible. We present empirical results forthe veri�cation of static random access memory (SRAM)circuits of varying sizes, including one with over 1.5 mil-lion transistors. Furthermore, empirical results show thatour techniques scale up linearly or sub-linearly with SRAMsize, indicating that one could verify circuits much largerthan our benchmarks.Our veri�cation approach builds on three ideas: circuitpartitioning, structural analysis, and conservative model-ing. Many systems, viewed as a whole, do not possesssymmetries that can easily be exploited, but they are madeup of smaller components which can. One can exploit thesymmetry in the components by partitioning the larger sys-tem, verifying the smaller components, and composing theveri�cation results.We describe two forms of symmetries. Structural sym-metries arise from similarities in the structure of a system,e.g., by replication of system components. Data symme-tries arise from similarities in handling of data values inthe system. Previous work exploiting symmetry in formalveri�cation in [7], [12] has focussed only on aspects of struc-tural symmetry. Work in in [16] handles structural and aform of data symmetry. Aggarwal et. al describe a form ofdata symmetry in [1]. Our work contributes a new formu-lation of data symmetry, and the idea of mixed structural-data symmetry. We have found these other forms of sym-metry useful in verifying many common digital buildingblocks. Consider for example an address decoder, whichwhen given an input address selects the output word havingthis address. Changing the value of a single decoder inputresults in a symmetric exchange in the values at the di�er-ent decoder outputs. Such instances of mixed symmetrycannot be expressed by the other approaches. Structuralsymmetries in a transistor-level circuit can be detected andveri�ed through a purely structural analysis of the systemby doing circuit graph isomorphism checks. Other forms ofsymmetries can be veri�ed through symbolic simulation.Symmetry in a system imposes a partitioning of the sys-tem state space, where permutations of the same state ap-pear in the same partition class. Once symmetry has beenchecked, one need verify the system for only one represen-tative from each partition class. We exploit this propertyby constructing a conservative model of the system whichprovides full functionality only for the representative case.This approximation results in large savings in the systemexcitation function representation size.In the remainder of this paper, Section II describes pastwork on applications of symmetry to veri�cation. Sec-tion III presents our new formulation of STE, together

IEEE TRANSACTIONS ON COMPUTER AIDED DESIGN, VOL. XX, NO. Y, MONTH 1999 2with the necessary mathematical background. This sec-tion also describes how excitation functions are generatedfrom switch-level circuits. Section IV describes our notionof symmetry as an excitation function preserving transfor-mation. The next three sections describe how symmetrywith conservative approximations, and circuit partitioningcan be employed to e�ciently verify circuits. The applica-tion of these techniques to verify a SRAM circuit has beenshown in Section VIII. The SRAM veri�cation results arepresented in Section IX.II. Previous WorkPetri nets have long been used to describe systems con-sisting of communicating concurrent processes. Huber etal. presented early work on exploiting symmetry in petrinets [15]. In [20], Starke proposes an algorithm to com-pute the generators of the symmetry group for petri nets.Jensen [17] describes the application of symmetry to con-struct condensed versions of state spaces of concurrent sys-tems described by colored petri nets. The work shows thatfor reachability properties, the unreduced state space satis-�es a property, if and only if the condensed state space sat-is�es the property. Typically the work in this area focusseson reachability analysis, rather than more general tempo-ral properties, and does not consider the added complexity(and the concomitant payo�) of symbolic state space rep-resentations.Work on exploiting symmetry for automated formal veri-�cation techniques is quite recent. Emerson and Sistla [12],[11] show how to exploit symmetry in model checking withthe CTL* temporal logic. In a system M consisting ofmany isomorphic processes, the symmetry in the system iscaptured in the group of permutations of process indicesde�ning graph automorphisms ofM. Similarly, symmetryin a speci�cation formula f is captured by the group of per-mutations of process indices that leave f invariant. Givena permutation group G, which is contained in both groups,one can construct a quotient structure M, such that for astart state s, and the equivalent state s inM,M; s j= f i�M; s j= f holds. This is the correspondence theorem, whichis the central result of their work. This work, however, doesnot address the complexities that arise from symbolic rep-resentations of the state space. Furthermore, this workconsiders only structural symmetries.The work by Clarke et al. [7], [8] takes a slightly moregeneral approach than that by Emerson. It views sym-metry as a transition relation preserving permutation, notjust permutation of indices of identical processes. Givena symmetry group G acting on a Kripke structure M , onecan construct a reduced structure MG. The correspondencetheorem in this work shows that if there is a CTL* formulaf , such that all the atomic propositions in f are invariantunder G, the f is true in M if and only if it is true inMG. This work discusses the construction of the reducedtransition relation which is represented symbolically.There are a number of di�erences between our work andthat by Clarke et al., or Emerson et al. We represent thesystem transition by means of an \excitation function".

Naturally, when we consider symmetry in a system, we ex-amine the symmetry in the excitation function. We modelthe state of a circuit by associating two \atoms" with eachcircuit node, a positive atom, and a negative atom (sec-tion III-A). Having two atoms for each circuit node allowsus to model and exploit a richer set of symmetries in cir-cuits. This contrasts with these other symmetry-based ver-i�cation approaches which have only one \atom" (atomicproposition) associated with each state holding element ina circuit. Our formulation of symmetry allows us to de-�ne structural and data symmetries in a system. We verifythat these symmetry properties exist in the system, andthen we construct a reduced model from a conservativeapproximation of the circuit. This avoids the need to con-struct a model of the complete system and then reducing itby forming a quotient structure. Such an approach allowsus to verify huge systems, including one with 262144 stateholding elements (or 2262144 states). Emerson or Clarkeview symmetry as a permutation on a state graph withsome desired properties, like preserving the transition rela-tion, or a permutation of process indices which a transitiongraph automorphism. This approach imposes a signi�cantlimitation { capturing phenomena like the symmetrical be-havior on the outputs of a decoder is extremely tedious, ifnot impossible, with their process oriented point of view.Also, in both the approaches outlined above, to be e�ec-tively exploited, symmetry must be present in both thestate transition graph, and the temporal logic formula be-ing veri�ed | the atomic propositions should be invariantunder the action of the symmetry group.In [16], Ip and Dill discuss the veri�cation of large con-current systems, where the symmetry in the system is iden-ti�ed by a special scalar-set datatype in the system descrip-tion language. They view symmetry as an automorphismon the state transition graph. They describe an on-the- yconstruction of the reduced state transition graph. Theyshow that safety and liveness properties which hold in thereduced state graph also hold in the original system. Ourapproach contrasts with this, in that we start with a tran-sistor netlist without any special attributes or datatypes.Of course, once we have this netlist, we manually iden-tify symmetries in the design, and the parts that shouldbe reduced. After this identi�cation, is done, the sym-metry checks and the construction of the reduced modelare automated. By concentrating on a single instance ofthe assertion to be veri�ed, we use conservative approxi-mations to aggressively reduce the state space and verifysafety properties. In the work by Ip and Dill, the quotientstate graph is an exact model that can be used for safetyand liveness properties with fairness constraints.In comparing our work with these previous approaches,one must also take into account the expressiveness of thelogic of STE described in this paper with other temporallogic such as CTL. The STE next-time temporal operatorallows one to express properties over a �nite time period,which equals the maximum depth of the next-time opera-tor. This precludes the speci�cation of liveness propertiesof systems, which can be speci�ed in CTL. Of course, this

IEEE TRANSACTIONS ON COMPUTER AIDED DESIGN, VOL. XX, NO. Y, MONTH 1999 3Set of atoms =

a b

, , ,{a a- b+ b-+ }Fig. 1. Set of atoms for an inverter circuit.expressiveness comes at a price in terms of the size of sys-tems that can be veri�ed.Aggarwal, Kurshan and Sabnani have exploited sym-metry for the veri�cation of the alternating bit proto-col, a standard benchmark for protocol veri�cation tech-niques [1]. Applying reduction techniques speci�c to thisproblem, and some simplifying assumptions, they reducethe large state space using machine homomorphisms. Theyshow that for verifying properties about the given statemachine, it su�ces to verify the desired properties on thereduced machine. This approach to a some degree approxi-mates our notion of data symmetry by considering the datasymmetry between 0 and 1 in the transmitted messages.However, the approach does not consider many importantissues like detecting, and verifying symmetry, and the au-tomated construction of symmetry reduced state space.III. BackgroundA. Model structure and State DomainOur view of circuits is quite abstract. We view circuits asconsisting of a set of nodes and an excitation function whichdetermines how the circuit nodes get updated at every timestep. This abstract viewpoint can capture behavior at var-ious levels of abstraction ranging from detailed switch-levelmodels to register transfer level and high-level behavioralmodels. This section describes the domain of values cir-cuits operate over, and the structure of this domain. Sec-tion III-B how the excitation functions are generated andrepresented.Intuitively, knowledge about about the state of a circuitis built up of information atoms. The state of a circuit con-sists of values at the circuit nodes. Thus, we need to de�neatoms associated with every circuit node, as described be-low.De�nition 1: Let N denote the set of nodes of a circuit.For every node n of a circuit, we de�ne two atoms, n+ andn�, indicating that node n has value 1 or 0 respectively.Let A denote the set of all the atoms of a circuit.Figure 1 shows the set of atoms for a two node circuit.An atom for a node restricts the value of the node. A set ofatoms of a circuit restricts the values on the circuit nodes.For example, the atom set fa+; b�g indicates a is 1, andb is 0. This motivates the following de�nition of a circuitstate.De�nition 2: Given the set of all the atoms of a circuit,A, we de�ne a circuit state S to be any subset of A, and Sto be the set of all possible states, i.e., S = 2A.State set S, together with the subset ordering � forms

b a bb a a b baa

b b a a

a a b b

a b

a

a

CONFLICTING

bb a abb aba

b

COMPLETE

PARTIALFig. 2. Structure of State Lattice for Two Node Circuita complete lattice, where states are ordered according totheir \information content," i.e., how much they restrictthe values of the circuit nodes. For example, the structureof the state domain for the circuit in Figure 1 is illustratedin Figure 2. In this diagram we indicate the set of atomsin each state. As the shaded regions indicate, states can beclassi�ed as being \partial", \complete", or \con icting".In a partial state, some nodes have no corresponding atomswhile others have at most one. In a complete state, thereis exactly one atom for each node. In a con icting state,there is some node n for which both atoms n� an n+ arepresent. Such a state is physically unrealizable|it requiresa signal to be both 0 and 1 simultaneously. Con ictingstates are added to the state domain only for mathematicalconvenience. They extend the semilattice derived from aternary system model into a complete lattice. Our statelattice has the empty set ; as its least element and the setof all atoms A as its greatest element. The set union andintersection operations are the lub and the glb operations,respectively, in the lattice.Most traditional presentations of switch-level models de-scribe circuit operation over the ternary domain T . Eachcircuit node takes on one of the three distinct values fromthe set T = f0; 1; Xg, where the X value denotes anunknown or an indeterminate value. Associated with T isthe partial order vT , where 8a 2 T : avT a, XvT 0 andXvT 1. The partial order vT is consistent with the infor-mation conveyed by the values in T since a 0 or a 1 conveysmore information than an X in a circuit.The atom representation of the state domain is closelyrelated to the ternary domain. If a circuit state containsn+, but not n�, then node n has a value of 1. Similarly, thepresence of n�, and the absence of n+ implies that n hasa value of 0. If the circuit state contains neither n+, norn�, then n has a value of X. For example, in the circuitof Figure 1, the set of atoms ;, fa+g, fb�g, and fb�; a�g,represent the circuit states (a = X; b = X), (a = 1; b = X),(a = X; b = 0), and, (a = 0; b = 0), respectively. A circuitstate such as fb+; b�g is a con icting state. Such con ictingstates are mapped to a top element, >, which is added tohT ;vT i to extend it to a lattice [22].The behavior of a circuit is de�ned by its excitation func-

IEEE TRANSACTIONS ON COMPUTER AIDED DESIGN, VOL. XX, NO. Y, MONTH 1999 4a

a

b

a b

a bb

a

b

a b

a b

ba b

a a

b

a a b

b

a a b b baa

b Fig. 3. Excitation function of inverter.tion Y :S!S. This function serves a role similar to thetransition relation or next-state functions of temporal logicmodel checkers. We require this function to be monotonicover the information ordering, i.e., if two states are or-dered s1 � s2, then their excitations must also be ordered:Y (s1) � Y (s2). Intuitively, we can view a state as de�ninga set of constraints on the signal values. We require the ex-citation function to remain consistent as more constraintsare applied. Since input nodes in a circuit are not con-strained by the circuit itself, for any state s 2 S, Y (s) doesnot contain any atoms corresponding to the input nodes.Figure 3 shows the excitation function for the inverter ofFigure 1. Each oval in Figure 3 is a circuit state. An ar-row from one circuit state to another indicates the leastconstrained new state a circuit can be in after a transi-tion from a previous state. A circuit model is de�ned byits lattice-structured state-set, and a monotonic excitationfunction over this state-set. Formally,De�nition 3: A circuit modelM is a tupleM = hS; Y i,where Y : S ! S is a monotonic excitation function.The behavior of a circuit can be represented as an in�-nite sequence of states. We de�ne a circuit trajectory to beany state sequence � = �0�1 : : : such that Y (�i) � �i+1for all i � 0. That is, the state sequence obeys the con-straints imposed by the circuit excitation function. Below,the sequences �1, and �2, where (s)� indicates an in�niterepetition of state s, are both trajectories of the inverter ofFigure 1.�1 = ; fa+g fa�; b�g (fb+; a�g)��2 = fa�g fa+; b+g fb�g (;)�As can be seen, these trajectories always obey the con-straints imposed by the excitation function of Figure 3 |any state that contains the atom a+ (a�, resp.) constrainsthe succeeding state to contain the atom b� (b+, resp.).L(M) denotes the set of all trajectories of a circuit modelM. L(M; z) denotes the set of all trajectories � = �0�1 : : :ofM such that z � �0, i.e., all trajectories which start witha state which is more constrained than z. The set L(M; ;)equals L(M).We can extend the � ordering on elements of S, to se-quences of elements of S. This extended ordering is de-noted as v. If �1 = �01�11 : : :, and �2 = �02�12 : : :, then�1 v �2 i� for all i � 0, �i1 � �i2.

B. Creation and Representation of Excitation FunctionsThe switch-level model [3] abstracts digital metal-oxidesemiconductor (MOS) circuits as a network of nodes con-nected together by bidirectional transistor \switches." Weemploy the technique of symbolic switch-level analysis togenerate excitation functions from transistor netlists [4],[5]. This model expresses transistor conductances and nodecapacitances by discrete strength and size values, and nodevoltages by discrete states f0; 1; Xg. It can capture manyof the important low-level features in MOS circuits such asratioed, complementary, and precharged logic, and bidirec-tional pass transistors. Since memory arrays are designedat the transistor-level, switch-level models are particularlyappropriate for modeling this class of circuits.B.1 The Switch-level modelIn the switch-level model, a MOS transistor network con-sists of a set of nodes connected together by transistorswitches. Nodes are of two types: input, and storage. Aninput node provides strong signals from sources external tothe network, like power, ground and data inputs. Storagenodes are internal to the circuit. They have states whichare determined by the operation of the network and canretain these states in the absence of applied signals. Eachstorage node is assigned a size in the set f0,...,kg to indi-cate in a highly idealized way its capacitance relative toother nodes with which it may share charge. The state ofa node is represented by one of three logic values: 0, whichindicates a low, 1 which indicates a high, and an X whichrepresents an unknown or uninitialized value. Input nodesare assigned a size w. w is greater than the size of all thenodes as well as the strengths of all the transistors in thenetwork.A MOS transistor is a three terminal device with nodeconnections gate, source, and drain. This device acts likea voltage controlled switch, depending on the value at itsgate. Normally, there is no distinction between source anddrain terminals { the transistor is a symmetric, bidirec-tional device. We distinguish between three types of tran-sistors: n-type, p-type, and n-type depletion. A transistoracts as a switch between source and drain controlled bythe state of its gate node. This switch may be open orclosed, or it may have a conductance of unknown value.These three conduction states, open, closed and unknownare represented by the values 0, 1, and X respectively.Each transistor has a strength in the set fk + 1,...,w� 1g.The strength of a transistor indicates its conductance whenturned on relative to other transistors which may form partof a ratioed path.Figure 4 shows a switch level circuit, consisting of thenodes a, b, c, k, s, t, p, Vdd, and GND, and the tran-sistors T1, through T8. The node sizes and the transistorstrengths are indicated by the numbers in parenthesis. Thestorage nodes in the circuit are s and t, which have sizesof 1, and 2, respectively. All transistors have a size of 3,except T6, which has a size of 4. The input nodes in thecircuit, a, b, c, k, Vdd, and GND have a size of 5. The

IEEE TRANSACTIONS ON COMPUTER AIDED DESIGN, VOL. XX, NO. Y, MONTH 1999 5k

(5)Vdd

T3 T4

T2

T1

T5

T6

T8

T7a

a b ct

b

p(2)

s

(3)

GND (5)

(3)

(3)(3)

(3)

(4)

(3)

(3)(1)Fig. 4. Example of a switch-level network.states of input nodes Vdd, and GND are �xed at 1, and 0,respectively.Nodes in a switch-level network are connected togetherby directed paths of conducting transistors. Each path orig-inates at a source node, and terminates at a destinationnode. The path has a strength, which roughly indicates theapproximate amount of charge that can be supplied alongthe path from the source to the destination. In case of apath from an input node to a storage node, the strengthof the path equals that of the weakest transistor in thepath. In case of a path connecting two storage nodes, thestrength of the path equals the size of the source node. Thestate of a node depends on the states of the source nodesof the strongest paths to this node.C. The behavior of switch-level circuitsMost switch-level analysis and simulation tools partitionthe transistor-level network into a set of communicatingcomponents, termed channel connected subnetworks (CC-SNs). Each CCSN consists of a set of storage nodes thatcan share charge, together with the transistors that connectthem. Behavior within a CCSN can be di�cult to analyzebecause of the bidirectional nature of transistors, and themultiple signal strengths. The interaction between the CC-SNs is simpler. Each CCSN may be viewed as a �nite statemachine, with inputs, internal state, and outputs. The in-puts consist of the transistor gate nodes, and input nodesconnected to transistor source or drains. The storage nodeshold the CCSN state, and a subset of the CCSN nodes con-stitute the set of observable outputs of the CCSN. Givenits initial state, and the present inputs, this sequential ma-chine computes a new state, and new outputs. The entiretransistor network is thus modeled as a system of commu-nicating sequential machines. Figure 5 shows the circuit of�gure 4 partitioned into CCSNs CCSN1, and CCSN2.The steady-state response function of a CCSN describesits sequential behavior. This function speci�es how the newCCSN node states are computed, given the initial storagenode states, and the values at the inputs and the gates ofthe CCSN, and given that the transistor states are �xedlong enough for the nodes to stabilize.The excitation function of a CCSN gives the steady-stateresponse of the CCSN nodes, when the transistors are held�xed in states determined by the initial storage node statesand the inputs. An important property of the excitationfunction is its monotonicity over the f0; 1; Xg values. This

T7a

a b c

s k

t

CCSN 1

CCSN 2b

p

T2

T5

T8T3

T1

T4

T6Fig. 5. Circuit partitioned into CCSNs CCSN1 and CCSN2.x x:H x:L0 0 11 1 0X 1 1TABLE IDual rail encoding of x.property implies that if some inputs of this function wereset to X, and a given output were 0 or 1, then changingthe X inputs to 0 or 1 does not alter the output. Thisproperty is particularly important for veri�cation, in viewof the \information-content" ordering of the three values.We use the unit-delay model to describe circuit delays.In this approach, a change in the state of a transistor gateis re ected as a change in the state of the transistor aftera delay of one time-step. This time-step is used as theunit of time. In each CCSN, given the logic levels at theinputs, and the storage nodes, a new logic level is computedfor each storage node according to the CCSN excitationfunction. Then, after a delay of one time-step, the storagenodes are assigned the new logic levels just computed.D. Computing the steady-state responseThe steady-state response of a switch-level network canbe obtained by a symbolic Boolean analysis of the net-work [5], [4]. In this approach, the problem of determin-ing the network response is cast in terms of determiningpaths through the channel graph of a CCSN. The resultof the analysis is a number of Boolean expressions whichstate how the ternary state of the CCSN is updated in eachtime-step.To express and compute ternary quantities in the switch-level model in terms of Boolean operations, a \dual rail"encoding is used. Each ternary quantity x, is representedby a pair of Boolean values, x:L, and x:H , as shown in Ta-ble I. For each node n, we introduce two Boolean variables,n:L, and n:H . The analysis problem can be speci�ed as:for each node n in the circuit, derive the Boolean formu-las N:H , and N:L, which represent the encoded value ofthe steady-state response at the node as a function of theinitial node states.The goal of symbolic analysis of a network is to deriveBoolean expressions indicating the conditions under whichconducting paths are formed in the network. To express

IEEE TRANSACTIONS ON COMPUTER AIDED DESIGN, VOL. XX, NO. Y, MONTH 1999 6(5) Vdd

p4(4)

(3)

(3)

(3)

(3)

s t

GND

p

(3)

GND

(1)(3)

p1

p2

p3Fig. 6. Rooted paths in channel graph.these concepts more precisely, we �rst de�ne a channelgraph, which has a vertex for each circuit node, and an edgefor the channel of each transistor in a switch-level circuit.The CCSN de�ned earlier in section III-C, is a connectedcomponent in this graph. The analysis process examinesone CCSN at a time. The discussion ahead pertains to theanalysis of a single CCSN.A rooted path in the channel graph is a directed pathbetween two nodes. A rooted path p originates at root(p),and it terminates at dest(p). Paths have a length, equalto the number of edges in it. A path can have a lengthof 0. The strength of a path re ects its relative chargetransfer capacity. Figure 6 illustrates paths of di�erenttypes in the channel graph for the circuit of Figure 4. p1is a path of zero length, with a strength of 5. p2 is apath of strength 3 from the input node Vdd to the storagenode t. p3 is a path of strength 1 from s to t. Note that thedi�erence in strengths of p2, and p3 arises from the fact thatp2 conveys charge froman input node which can potentiallysupply unlimited amount of charge, whereas node s canonly convey the stored charge it has through path p3.A rooted path is termed a de�nite path, if none of thetransistors in the path are in the X state. The steady-state response of a node depends only on the paths to thenode that are not blocked. Informally, a path is blocked ifsome intermediate node in the path is the destination of astronger de�nite path. The charge from the stronger pathoverrides the charge from the weaker path. For example, ifthe transistor corresponding to path p4 in Figure 6 is on,then, p2 and p3, the weaker paths to node t, do not a�ectthe steady-state response of t. If all the unblocked sourcesof charge to a node drive it to 0 (or 1), then the steady-stateresponse equals 0 (or 1). Otherwise, if unblocked sourcesdrive a node to con icting values, then the node's responseequals X. Let fm1;m2; :::;mkg be the the set of nodeswhich are the origin of unblocked paths to node n. Letm1:H , m1:L, . . .mk:H , and mk:L be the pairs of Booleanvariables to encode the states of these nodes. If N is thesteady state response of node n then, given the dual railencoding, it may be encoded asN:H = m1:H _m2:H _ : : :_mk:HN:L = m1:L _m2:L _ : : :_mk:LThe analyzer works with signals of one strength level ata time. It starts with the input signals, which are of the

a.H b.H k.H c.H

s.L

t.L

b.L

k.H

c.H t.L k.L c.L

t.H

k.L c.L t.H c.H

s.H

a.LFig. 7. Results of switch-level analysis.highest strength and works downward, each time adding inthe e�ects of the paths at the next lower strength. For eachstrength level w > s � 1, the analyzer sets up and solvesusing Gaussian elimination three systems of Boolean equa-tions which yield formulas N:Hs, N:Ls, and clears(n) forevery storage node n. N:Hs and N:Ls express the steadystate response at the node, when all paths of strengths sand higher have been accounted for. clears(n) expressesthe condition when node n is not the destination of a def-inite path greater than or equal to s. It is used to set upequations for the next lower strength level. Thus, in thelast iteration, expressions N:H1 and N:L1 are obtained,and these equal the steady state response of n.The Boolean expressions generated in the process of sym-bolic analysis are represented by directed acyclic graphs(DAGs), where leaves denote Boolean variables and con-stants, and nodes denote Boolean operations. Each nodeof the DAG represents a Boolean formula, and often there isconsiderable amount of sharing in a DAG structure for thesteady-state expressions for the storage nodes of a CCSN.Figure 7 shows the steady state expressions for nodes s,and t in component CSSN1 of the circuit in Figure 4.Section III-A describes the behavior of systems by anexcitation function Y :S!S over sets of atom. The systemresponse obtained by the analysis above can be easily con-verted to our \atomcentric" point of view by a simple trans-formation. To ensure consistency between the two repre-sentations, this transformation ensures that if the high-railn:H (low-rail n:L) value of a node is 1, then the corre-sponding circuit state does not include n� (n+). Since thepresence of n� precludes the hi-rail from being 1, (dual truefor lo-rail, and n+), the transformation below converts thedual-rail DAGs to an atomcentric DAG.1. Transform every x:L to x+, and every x:H to x�.2. Convert AND nodes to OR, and OR nodes to AND.Figure 8 illustrates this transformation on Figure 7.E. Trajectory EvaluationIn Symbolic Trajectory Evaluation (STE), the speci�-cation language consists of a set of trajectory assertions.The simplest form of trajectory assertion has the form[A =) C], where A, and C are trajectory formulas. A, theantecedent of the trajectory assertion describes the stimu-lus to the circuit over time, and C describes the expected

IEEE TRANSACTIONS ON COMPUTER AIDED DESIGN, VOL. XX, NO. Y, MONTH 1999 7t+

-k

c+k+t +-c

-a -k-cb-

s+

-t

k+ c+ -t -c

a+ b+

-sFig. 8. Atomcentric view of analysis results.response.Trajectory formulas (TFs) have the following recursivede�nition:1. Atoms: For any node n, atoms n+ and n� are TFs.2. Conjunction: (F1 ^F2) is a TF if F1 and F2 are TFs.3. Domain restriction: (E ! F ) is a TF if F is a TFand E is a Boolean expression.4. Next time: (NF ) is a TF if F is a TF.The Boolean expressions occurring in domain restrictionoperators, having the form E ! F , give these formulas asymbolic character. They can be thought of as \guards,"i.e., F must hold for the cases where E evaluates to true.For the theoretical development, however, it is convenientto �rst consider the form where E is restricted to be either0 (false) or 1 (true). A scalar trajectory formula obeys thisrestriction throughout its recursive structure. The exten-sion to the symbolic case then simply involves consideringthe valuation of the expressions for each variable assign-ment. [22] describes this in greater detail. N is the nexttime temporal operator which causes advancement of timeby one unit.The truth of a scalar trajectory formula F is de�nedrelative to a model structure and a trajectory. Let s and s0~sboth be members of L(M). sj=MF , the truth of F relativeto modelM, and a trajectory s is recursively de�ned as:1. (a) s0~sj=Ma+ i� a+ 2 s0.(b) s0~sj=Ma� i� a� 2 s0.2. sj=M(F1 ^ F2) i� sj=MF1 and sj=MF2.3. (a) sj=M(1! F ) i� sj=MF(b) sj=M(0! F ) holds for every s.4. s0~sj=MNF i� ~sj=MF .A de�ning sequence of a trajectory formula F , denotedby �F , is the weakest possible sequence of states \consis-tent" the restrictions speci�ed by F . We clarify this below.The recursive de�nition of this sequence is given as:1. (a) �+a = fa+g;;; : : :(b) ��a = fa�g;;; : : :2. �F1^F2 = lub(�F1 ; �F2)3. (a) �0!F = ;;; : : :(b) �1!F = �F4. �NF = ;�FWhile �F is not necessarily a trajectory, it can be shownthat sj=MF i� � v s. A de�ning trajectory is the weakestsequence of states that can be constructed, given the con-

straints speci�ed in a trajectory formula. For example, inthe de�nition above, the de�ning trajectory for a formulaconsisting only of a+, is a sequence, the �rst element ofwhich is the set fa+g, and the remaining elements are theempty set ;.While �F is not a trajectory, we may combine it with thesuccessor function Y , to get the de�ning trajectory, �F , ofF. It can be shown that �F is the unique weakest trajectorysatisfying F . We outline the construction of �F ahead.Let �F = �0F �1F : : :. Let �F = �0F �1F : : : be the de�ningtrajectory. Then, the successive elements of �F are givenby the following construction:� iF = � �0F if i = 0�iF [ Y (� i�1F ) otherwiseThe truth of a trajectory assertion [A =) C] is de�nedwith respect to a modelM, and a set of trajectories L ofM. Expressed as, Lj=M[A =) C], it is de�ned to holdi� for all s 2 L, sj=MA implies sj=MC. Often, L equalsL(M), the complete set of trajectories of modelM. That[A =) C] is true for every trajectory in this set is denotedas j=M[A =) C]. Intuitively, j=M[A =) C] means thatif there is a sequence of states of M consistent with theexcitation function of the system, and A is true with re-spect to this sequence, then C is also true with respect tothis sequence. Alternately, this may be interpreted as Ade�nes a behavior (subset of trajectories) of the system,and C holds true for this behaviour of the system. Theexistence of a de�ning trajectory for every trajectory for-mula considerably simpli�es the test for determining thetruth of an assertion. A de�ning trajectory �A essentiallyserves as a representative of the set of trajectories of thesystem for which the trajectory formula A is true. Givenan assertion [A =) C], we can verify that it holds for allelements of L(M) by performing the test �C v �A. Below,the key result of STE, states how the truth of an assertionmay be determined. This has been proved by Bryant andSeger in [22].Theorem 1: j=M[A =) C] i� �C v �A.Thus, to verify the truth of an assertion, all we need todo is construct a de�ning sequence, and a de�ning trajec-tory, and check that the former is weaker than the latter.Furthermore, we need check only an initial pre�x of the twosequences, which is equals the \depth" of C. The depth ofa formula F, denoted by d(F ), equals the maximumnestingof the next time N operator. This is stated as corollary 1.Corollary 1: �C v �A i� �iC v � iA for 0 � i < d(C).IV. Symmetries of a circuitWe express both circuit operation and the speci�cationsin terms of sets of atoms. We can therefore express symme-tries in a circuit and the corresponding transformations ofthe speci�cation in terms of bijective mappings over atoms,named state transformations.De�nition 4: A state transformation, �, is a bijectionover the set of atoms: � : A ! A. We can extend � tobe a bijection over states by de�ning �(s) for state s as[a2sf�(a)g.

IEEE TRANSACTIONS ON COMPUTER AIDED DESIGN, VOL. XX, NO. Y, MONTH 1999 8As the term suggests, a state transformation � takes asystem state s and alters it to a new state �(s). Since� is bijective, ��1 exists. Also, if �1, and �2 are statetransformations, then their composition �1�2 is also a statetransformation.Two types of state transformations, which alter circuitstate in a \structured"manner are particularly interesting.These are the structural, and data transformations. Below,s[a1=b1; :::; an=bn] denotes the state obtained by simultane-ously substituting atoms a1,. . . ,an for the atoms b1,. . . ,bn,respectively, in state s.De�nition 5: A structural transformation is a statetransformation which swaps the atoms for two di�erentnodes. For nodes n1 and n2, we write n1 $ n2 to denotethe transformation consisting of the swappings: n+1 withn+2 and n�1 with n�2 . Given � = n1 $ n2, and a circuitstate s, �(s) = s[n+1 =n+2 ; n�1 =n�2 ; n+2 =n+1 ; n�2 =n�1 ]De�nition 6: A data transformation involves swappingthe two atoms for a single node. For node n, we write n�to denote the transformation consisting of the swapping ofn+ with n�. Given � = n�, and circuit state s, �(s) =s[n+=n�; n�=n+]Intuitively, a structural transformation exchanges twonodes of a circuit (by swapping their atoms), and a datatransformation complements the value at a circuit node byaltering a positive atom of a node to a negative atom, andvice versa. Thus, these transformations provide us witha convenient mechanism to express circuit structure andcircuit data handling related issues. Composing structuraland data transformations allows us to express a variety ofcircuit transformations. To simplify notation, we will de-note more complex transformations as a list of elementarytransformations.Our uni�ed view of state transformations and excita-tions as functions mapping states into states allows us tosuccinctly express symmetry in a circuit as an excitationpreserving transform. This closely parallels the de�nitionof symmetry in [7] as a transition relation preserving statepermutation.De�nition 7: A state transformation � is a symmetryproperty of a circuit with excitation function Y when�(Y (s)) = Y (�(s)) for every state s.That is, the excitation of the circuit on the transformedstate �(s) matches the transformation of the excitation ofs. Lemma 1: Symmetry transformations have the followingproperties.1. If � is a symmetry property, and Y is an excitation func-tion then Y = �Y ��1 = ��1Y �.2. � is a symmetry property if and only if its inverse ��1is a symmetry property.3. If �1 and �2 are symmetry properties, then their com-position �1�2 is also a symmetry property.Proof: 1. Since � is a symmetry property, for everystate s, �(Y (s)) = Y (�(s)), i,e, �Y = Y �. Therefore��1�Y = ��1Y �, i.e., Y = ��1Y �.

in.0outH.0

outL.0LATCH 0

outL.k-1

outH.k-1

LATCH k-1

in.k-1

outL.1

outH.1

LATCH 1

in.1Fig. 9. Illustration of the symmetries of a circuit2. Since � is a symmetry property, �Y = Y �. Therefore,��1(�Y )��1 = ��1(Y �)��1, which reduces to Y ��1 =��1Y . The other direction can be proved similarly.3. �1 and �2 are symmetry properties. Therefore, Y =��11 Y �1, and Y = ��12 Y �2. Substituting ��11 Y �1 for Yin the second equation yields Y = ��12 (��11 Y �1)�2, i.e.,Y = (�1�2)�1Y �1�2, i.e., �1�2 is a symmetry property. 2Depending on their constituent state transformations,symmetry properties may be classi�ed into one of the fol-lowing three categories:� Structural symmetry | consists entirely of structuraltransformations.� Data symmetry | consists entirely of data transforma-tions.� Mixed symmetry | consists of both structural and datatransformations.Consider, for example, the circuit shown in Figure 9.This circuit consists of k identical latches. In each latchoutL is a complement of the input, and outH has the samevalue as the input. Since the latches are identical, this cir-cuit has a structural symmetry corresponding to the swap-ping of any pair of latches i and j, such that 0 � i; j < k:[in.i$ in:j; outL.i$ outL.j; outH.i$ outH.j] : (1)Each individual latch also stores data values 0 and 1 in asymmetric way, expressed for Latch 0 by the data symme-try: �in.0�; outL.0�; outH.0�� : (2)Finally, each latch can also be viewed as a one-bitdecoder|it sets one of its outputs high based on its inputdata. Such behavior for Latch 0 is expressed by a mixedsymmetry: �in.0�; outL.0$ outH.0� : (3)V. Verification under symmetryVerifying a circuit involves checking a family of assertionsagainst the circuit model. The presence of symmetry prop-erties in the circuit often allows us to dramatically reducethe number of assertions that need to be veri�ed. This isbecause if an assertion G holds, and � is a symmetry prop-erty of the circuit, then the assertion �(G) also holds. Thisis elaborated below.

IEEE TRANSACTIONS ON COMPUTER AIDED DESIGN, VOL. XX, NO. Y, MONTH 1999 9We can extend � to be a bijection over state sequences byapplying � to each state in the sequence. We can also ex-tend state transformation � to be a bijection over temporalformulas. First we de�ne the extension of � to Trajectoryformulas(TFs).De�nition 8: If F is a TF, then �(F ) is recursively de-�ned as1. If F is the atom a, then �(F ) is the transformed atom�(a).2. �(F1^F2) = (�(F1)^�(F2)), where F1 and F2 are TFs.3. �(E ! F ) = (E ! �(F )), where F is a TF and E is aBoolean expression.4. �(NF ) = (N�(F )) where F is a TF.The e�ect of applying � to a TF F is to replace everyatom a in F by �(a). This idea is carried further, where �may be applied to an assertion. The result of applying � tothe assertion [A =) C] is the assertion [�(A) =) �(C)],which is also denoted by �([A =) C]).Since a symmetry property is an excitation function pre-serving transformation, it follows fairly intuitively that thestructure of the de�ning sequence and the de�ning trajec-tory of a TF F should remain invariant with respect to �.This is formalized below in lemma 2, and lemma 3.Lemma 2: If temporal formula F has de�ning sequence�F , then its transformation �(F ) will have de�ning se-quence ��(F ) = �(�F ).Proof: This can be proved by induction over the struc-ture of TFs. Details are shown in [18].Lemma 3: If � is a symmetry property of a circuit modelM, then its de�ning trajectories for any temporal formulaF will obey the symmetry: ��(F ) = �(�F ).Proof: We can prove this result by induction on thesequence of elements in the de�ning trajectory �F =�0F �1F : : : � iF � i+1F : : :. Details are shown in [18].This brings us to the central theorem of this paper, whichis stated below.Theorem 2: For an assertion [A =) C], and a symmetryproperty � of model M, j=M [A =) C] if and only ifj=M [�(A) =) �(C)].Proof: The proof follows directly from the de�nition ofa symmetry property, lemma 2, and lemma 3.j=M [A =) C], �A � �C (Theorem 1), �(�A) � �(�C ) (Bijection � preserves subset relation), ��(A) � �(�C ) (Lemma 3), ��(A) � ��(C) (Lemma 2),j=M [�(A) =) �(C)] (Theorem 1)2Thus, proving that � is a symmetry property of a circuitallows us to infer the validity of a transformed assertiononce we verify the original. For example, suppose we verifythat Latch 0 in Figure 9 operates correctly for input value1, and also prove that the transformations de�ned by Equa-tions 1 and 2 are indeed symmetry transformations. Thenwe can infer from Equation 1 that for all j, Latch j oper-ates correctly for input value 1, and from Equation 2 thatLatch 0 operates correctly for input value 0. Furthermore,

by composing these two transformations, we can infer thatfor all j, Latch j will operate correctly for input value 0.VI. Verification of symmetry propertiesTo exploit symmetry, we verify an assertion [A =)C], and given a set of symmetry properties, S =f�1; �2; : : : ; �ng, we can conclude that [�1(A) =) �1(C)],[�2(A) =) �2(C)], . . . [�3(A) =) �3(C)] all hold. How-ever, before drawing this conclusion, one must verify thatevery element of S is actually a symmetry property. Thetypical set of symmetry properties we work with is a group.Below, we give two basic de�nitions from group theorywhich we use ahead.De�nition 9: Set S is a symmetry group for a modelstructure M = hS; Y i i� every element of S is a symmetryproperty ofM, and the following properties hold:1. The identity element �e is in S, where �e(a) = a.2. Every element of � 2 S has an inverse ��1 2 S suchthat ��1 = ��1� = �eDe�nition 10: A set hSi is termed a generator of a sym-metry group S if repeated compositions of the elements inhSi can generate every element of S.The de�nitions above imply that rather than test everyelement of a set S for the symmetry property, it su�cesto check only the generators of S. Thus, it is possibleto prove the correctness of an entire set of assertions bysimply verifying that each member of a set of generatorsfor a group of transformations is a symmetry property.For example, (1) in section IV represents a total ofk(k�1)=2 symmetry transformations, corresponding to thepairwise exchange of any two latches. In general, one couldargue that this circuit would remain invariant for any per-mutation � of the latches. Consider the transformation ��mapping the 6 atoms for each Latch i (two each for nodesin.i, outL.i and outH.i) to their counterparts in Latch �(i).We could prove that each such transformation is a symme-try property, but this would require k! tests. Instead, wecan exploit the fact that any permutation � can be gen-erated by composing a series of just two di�erent permu-tation types. The \exchange" permutation swaps values 0and 1, while the \rotate" permutation maps each value i toi+ 1 mod k. Thus, proving that the state transformationsgiven by these two permutations are symmetry propertiesallows us to infer that �� is a symmetry property for anarbitrary permutation �.So, once the generators of a symmetry group are identi-�ed, the next step is to verify that they are indeed symme-try properties. We verify structural symmetries of a circuitby circuit graph isomorphism checks, and we verify dataand mixed symmetries using symbolic simulation basedtechniques. We describe these techniques in sections VI-A, and VI-B.A. Structural symmetry property veri�cationWe can verify structural symmetries in our circuit mod-els by checking for isomorphisms in the circuit-graph net-work. Since the circuit analysis tool we use (Anamos [5])derives its representation of the excitation function from

IEEE TRANSACTIONS ON COMPUTER AIDED DESIGN, VOL. XX, NO. Y, MONTH 1999 10the network, any isomorphisms in the network graph im-ply structural symmetries in the excitation function. Whileit is also possible to verify structural symmetries usingsymbolic simulation, such an approach requires perform-ing switch-level analysis on the circuit. This analysis canbe prohibitively expensive (Table II) for circuit componentssuch as array cores with their large CCSNs.Consider the problem of determining if n1 $ n2 is a sym-metry property in Circuit 1 (Figure 10). If this symmetrywere to hold in the circuit, Circuit 2 which is obtained fromCircuit 1 by swapping the labels of nodes n1, and n2 shouldbe isomorphic to Circuit 1. To perform this isomorphismtest we use a graph coloring based algorithm described in[10], [9]. This algorithm,which is described below, convertsa circuit graph network into a pseudo-canonical form. Thisallows a fast and e�cient test for isomorphism between twonetworks.Given the circuit graph for a switch-level circuit, we �rstconstruct a coloring graph which contains a transistor ver-tex for each transistor in the circuit, and a node vertex foreach node and primary inputs in the circuit. The edgesof this graph connect transistor vertices and node vertices,and they correspond to the node-transistor interconnec-tions in the circuit. Since there are no edges which connectonly two node vertices, or two transistor vertices, the col-oring graph is bipartite. Once the coloring graph is con-structed, the vertices of the graph are \colored" with in-tegers. Based on isomorphism invariant vertex propertiessuch as the number of edges incident on a vertex, all thevertices in the graph are assigned an initial color. Verticesare recolored repeatedly using a hashing function whichcombines the colors of the neighboring vertices, until all thevertices are colored uniquely. Then the nodes and transis-tors of the circuit are sorted to yield what is termed as thequasi-canonical form of the circuit network. This coloringand sorting technique guarantees that two networks thatare not isomorphic will be colored di�erently. However,in some remote cases, it is also possible that two isomor-phic networks may not be colored uniquely within a given�xed number of coloring iterations. However, we have notencountered this problem in our experiments (Section IX).The problem we need to solve is slightly di�erent fromthe one solved above. We need to swap two nodes in thecircuit, and test if the two circuits, before and after theswap, are isomorphic. This does not work directly, as theisomorphism checks work purely on the structure of thenetwork, and they ignore the node names. So the two cir-cuits, before and after the node name swap will still reduceto the same quasi-canonical form. We work around this byusing structural labels.A structural label is a circuit graph (or an interconnec-tion of nodes and transistors) which satis�es the followingtwo properties:� The structural label is not isomorphic to any subgraphof the original circuit.� The label is not isomorphic to any other structural label.These properties allow us to use these labels to physi-cally tag circuit nodes. Structural labels serve to uniquely

ID1 1

ID2

n ID2

2 ID1

n2

n1n

Reordering

CIRCUIT 2CIRCUIT 1

Test for equality S2

Node exchange

S1

Quasi-CanonicalReordering

Quasi-CanonicalFig. 10. Veri�cation of structural symmetry n1 $ n2tag a node in the circuit being tested for symmetry proper-ties. So, structural labels are attached not only to the setof nodes being swapped, but also to some of the remain-ing circuit nodes. While verifying symmetry properties bygraph isomorphism checks, it is necessary to attach struc-tural labels to all the input and output nodes of a circuit.However, it is not necessary to consider the state nodesduring our symmetry tests. If the circuit being veri�ed sat-is�es all the assertions, then it has the desired IO behavior,and no further tests are necessary for the internal nodes.Of course, if some assertion fails, then further checks arenecessary, and we may well discover a problem related tothe state nodes.Thus, to solve the problem of determining whether n1 $n2 holds in Circuit 1, we can attach structural labels ID1and ID2 to nodes n1 and n2 in Circuit 1, and then ip theselabels in Circuit 2. We then can reduce the two circuits tothe quasi-canonical form, and compare them (Figure 10).The worst case time complexity for the graph coloringalgorithm for a circuit with n transistors is O(n2log(n)).However, in practice we have seen both the time and mem-ory scale nearly linearly with n. (Table III).B. Data and mixed symmetry property veri�cationData and mixed symmetries can be veri�ed by symbolicsimulation. Data symmetries involve \switching polarities"of values on a node. Mixed symmetries involve \switchingpolarities" of the value on a node, and \exchanging" thevalues of two di�erent nodes. To verify these symmetries itis necessary to check whether for every combination of cir-cuit node values, the exchange and the polarity switchingof the input node values results in changes in the outputnode values as speci�ed by the symmetry property. Sym-bolic simulation is the ideal tool for such checks involv-ing all possible combination of Boolean values. One sym-bolic Boolean variable is introduced for each circuit node.The circuit is simulated with these Boolean variables, andthen with new Boolean values corresponding to the changesspeci�ed by the symmetry property. The results of the twosimulations are compared to verify if the circuit obeys thesymmetry property.Consider, for example, the symmetry of Latch 0 speci�ed

IEEE TRANSACTIONS ON COMPUTER AIDED DESIGN, VOL. XX, NO. Y, MONTH 1999 11in equation 2:�in.0�; outL.0�; outH.0�� :We symbolically simulate the circuit with the symbolicvalue a at the input in.0, and inspect the values at theoutput nodes outL.0, and outH.0. If the above symmetryholds for the latch, then complementing the value at nodein.0, should result in the values at circuit nodes outL.0, andoutH.0 being complemented.Consider also the mixed symmetry of Latch 0, speci�edin equation 2: �in.0�; outL$ outH.0� :This symmetry can also be veri�ed by symbolically sim-ulating the circuit with a symbolic value a at the inputin.0, and observing the outputs, outL.0, and outH.0. Theequation above speci�es that complementing the value atin.0 should result in the values at nodes outL.0, and outH.0being exchanged, which can be easily checked.VII. Conservative approximations of circuitsIntuitively, a conservative approximation of a circuit isa \reduced" version of the circuit which, given any currentcircuit state, imposes fewer constraints on the next statethe circuit can take. In terms of values, on circuit nodes,the reduced circuit produces more Xs than the originalcircuit, i.e., fewer atoms in the next state. We formalizethis concept below.De�nition 11: LetM0 andM be circuit models over thesame state set, having excitation functions Y 0 and Y , re-spectively. We say thatM0 is a conservative approximationofM if for every state s, Y 0(s) � Y (s). We denote this byM0 �M.We exploit conservative approximations to perform twoimportant tasks:� Create reduced models which take less memory to repre-sent.� Partition circuits to expose symmetric regions of a de-sign.Proving an assertion for a reduced circuit model, allowsus to infer that the assertion holds for the original circuit.Theorem 3 below justi�es this. The advantage of this is re-duced circuit models are often a fraction of the size of theoriginal circuit model, which results in smaller veri�cationmemory requirements. Conservative approximations pro-vide a systematic way to reason about partitioned circuits,allowing us to verify the complete circuit by proving prop-erties about each partition. This is particularly useful whenthe partitioning can expose highly symmetric regions of thecircuit. In addition, if we can prove that a circuit has somestructural symmetry, then we can create a \weakened" ver-sion of the circuit containing just enough circuitry to verifythe behavior for one representative of the symmetry group.A. Veri�cation of Reduced ModelsBelow, we show that for any trajectory assertion [A =)C], and models M, and M0, such that M0 � M, if the

assertion [A =) C] holds for M0, then it should also holdfor M. We start with the proof of a simple result on thetrajectories of M0 and M.Lemma 4: If F is any trajectory formula, and modelsM, and M0 are such that M0 � M, then the de�ningtrajectories for the two models, � 0F and �F , must be ordered� 0F v �F .Proof: Let �F = �0F �1F �2F : : :, and � 0F = � 00F � 01F � 01F : : :.Using induction we can show that for all i � 0, � iF � � 0iF .Details are in given in [18].Therefore, as expected, \weakening" the model alsoweakens the trajectories of the model, and this immedi-ately leads to the theorem below.Theorem 3: For any assertion [A =) C], and M0 �M,if j=M0 [A =) C], then j=M [A =) C].Proof: Since j=M0 [A =) C], �C v � 0F (Theorem 1).This result, when combined with � 0F v �F (follows fromlemma 4 above), gives �C v �F , i.e., j=M [A =) C]. 2Thus, proving an assertion for a conservative approxima-tion to a circuit model allows us to infer that the assertionholds for the original circuit.B. Partitioning circuits via conservative approximationsWe can view the partitioning of a circuit into di�erentcomponents as a process of creating multiple conservativeapproximations. For example, suppose we partition a cir-cuit with nodes N into components having nodes N1 andN2, respectively, as illustrated in Figure 11. The set ofnodes forming the interface between the components com-prise the set N1\N2. In this example, we assume the com-munication is purely unidirectional|N1 generates signalsfor N2. Suppose we wish to prove a property described byan assertion [A =) C], where the atoms of C are containedonly in N2. We could then create conservative modelsM1andM2 using the subset construction given by Equation 4below. Taken individually, each of the two models is tooweak to prove the assertion. Using the technique of wave-form capture described ahead, we can record the outputvalues generated by model M1 and use them in verifyingthe assertion with model M2. We describe this techniquein greater detail below.We start with the idea of creating conservative approxi-mations by removing nodes of a circuit. Let N 0 be a subsetof the set of circuit nodes N , and A0 be the correspondingset of atoms. Then we can view the removal of those nodesnot in N 0 as yielding a conservative approximation to thecircuit with an excitation function Y 0 such that:Y 0(s) = Y (s \A0) \A0: (4)Intuitively, s\A0 eliminates atoms of all nodes other than inN 0, i.e., sets all the excluded nodes to X. The intersectionof Y (s\A0) with A0 ensures that in the response, Y 0, atomsof all nodes other than in N 0 are eliminated.Below, we �rst discuss the idea of waveform capture, andshow how to construct a trajectory formula correspondingto the signal waveforms on a set of nodes.Let N 0 be a subset of nodes in a circuit M. Let�A = �0A�1A�2A : : : be the de�ning trajectory for the circuit

IEEE TRANSACTIONS ON COMPUTER AIDED DESIGN, VOL. XX, NO. Y, MONTH 1999 12M for a trajectory formula A. The technique of waveformcapture records the occurrence of atoms on the nodes inN 0 as speci�ed by the elements of the sequence �A, and itcreates a temporal formula WA describing this occurrenceof atoms.Let AN 0 be the set of atoms corresponding to the nodesin N 0. By eliminating all atoms from �A that are not inN 0, we construct a new sequence,(�0A \AN 0 ) (�1A \AN 0 ) (�2A \AN 0 ) : : : :From this sequence, we construct a trajectory formulaWA = W 0A ^ (NW 1A) ^ (N2W 2A) : : : (5)such that W iA = a1 ^ a2 ^ : : :^ ak, where ai 2 (� iA \AN 0 ).The lemma below states the obvious consequence of sucha construction.Lemma 5: Let A be a trajectory formula, and let N 0 bea subset of nodes of the circuit described by M. If WA isthe trajectory formula constructed from �A, as describedabove, then j=M [A =) WA].Proof: Consider �WA = �0WA�1WA�2WA : : :, the de�ning se-quence of WA. From the construction above, and the def-inition of de�ning trajectories, �iWA = �W iA , i.e., �iWA =(� iA \ AN 0 ). Obviously, (� iA \ AN 0) � � iA. Therefore,�WA v �A, which proves j=M [A =) WA]. 2.Now we discuss the use of waveform capture to verifya property [A =) C] for a larger design by partitioningit into smaller components and verifying these componentsindividually. Prior to the discussion however, we prove the-orem 4, which justi�es waveform capture and combination.To simplify the proof of the theorem, we �rst show someuseful results in lemma 6, 7, and 8. Lemma 7 and 8 alsoappear in a modi�ed form in [14].Lemma 6: If j=M [A) C], then j=M [A) A ^C].Proof: Since, j=M [A ) C], therefore, ) �C v �A, i.e.,for i � 0, �iC � � iA. From de�nition of �A, for i = 0,�0A = �0A, and for i > 0, � iA = lub(�iA; Y (� i�1A )), i.e., fori � 0, �iA v � iA. Therefore, for i � 0, (�iA [ �iC) � � iA, i.e.,�A [ �C � �A. Therefore, j=M [A) A ^C].Lemma 7: If A and B are trajectory formulas, then �B v�A ) �B v �AProof: This can be proved by induction on elements ofthe sequences �A = �0A�1A�2A : : : and �B = �0B�1B�2B : : : [18].Lemma 8: If j=M [A ) B], and j=M [B ) C], thenj=M [A) C].Proof: From j=M [B ) C], and j=M [A) C], we knowthat �B � �A, and �C � �B are true. From �B � �A,and lemma 7, we can conclude that �B � �A. Therefore,�C � �B � �A, i.e., j=M [A) C]. 2Theorem 4: If MC and MD are conservative approxi-mations ofM, and j=MC [A) F ], and j=MD [A^F ) C],then j=M [A) C].Proof: If j=MC [A ) F ], then j=M [A ) F ] (fromTheorem 3), and thus j=M [A) A ^ F ] (from Lemma 6).Similarly, if j=MD [A ^ F ) C], then j=M [A ^ F ) C](Theorem 3). From this, using Lemma 8, we can concludethat j=M [A) C].

Interface Nodes

2NN1Fig. 11. Illustration of Circuit Partitioning.Let �1A be the de�ning trajectory generated by modelM1 for antecedent A. We construct a trajectory formulaWA describing the occurrence of the atoms correspondingto the nodes in N1\N2 as described above. One re�nementthat should be performed is to record the values up to themaximum depth of the next-time operators in C (Corol-lary 1). Our construction ensures that j=M1 [A =) WA],and therefore, j=M [A =)WA]. Using modelM2, we thenverify the assertion [A^WA =) C], and if it holds, we knowthat j=M [A^WA =) C] also holds. E�ectively, we \playback" the waveforms on the interface nodes. Using theo-rem 4, we show that for any model M and any temporalformula F , if j=M [A =) F ] and j=M [A^F =) C], thenj=M [A =) C], and therefore this pair of veri�cations issu�cient to prove the desired property. An extension ofthis technique can handle partitioning with bidirectionalcommunication[18].C. Veri�cation of partitioned designsConsider a circuit M. FromM we create two conserva-tive approximationsM1, andM2, with the set of nodes N1,andN2, respectively. We assume thatM1 generates signalsfor M2. Given a trajectory formula A, we perform wave-form capture over the nodes at the interface ofM1, andM2to construct a trajectory formula WA. From lemma 5 weknow that j=M1 [A =) WA] holds. If j=M2 [A^WA =) C]is true, then theorem 4 states that [A =) C] holds for theentire designM. From these properties of individual com-ponents, and the symmetry in the components, we can infera family of properties for the entire design, as shown below.Let �1 and �2 be symmetries ofM1 andM2 respectively.If j=M1 [A =) WA], and j=M2 [A ^WA =) C] are bothtrue, then the following hold (theorem 2):j=M1 [�1(A) =) �1(WA)] (6)j=M2 [�2(A) ^ �2(WA) =) �2(C)] (7)To compose the results of equations 6 and 7 by applyingtheorem 4, the assertions and the symmetry transforma-tions need to obey the following two constraints:� Interface constraint: The signals at the interface of M1and M2 should match, i.e., �1(WA) = �2(WA).� Antecedent constraint: The trajectory formula A shouldbe invariant under the symmetry transformations �1, and�2, i.e., �1(A) = �2(A).

IEEE TRANSACTIONS ON COMPUTER AIDED DESIGN, VOL. XX, NO. Y, MONTH 1999 13Given these constraints, equations 6 and 7 may be writ-ten as j=M1 [�1(A) =) �1(WA)] and j=M2 [�1(A) ^�1(WA) =) �2(C)] respectively, which leads to the fol-lowing: j=M [�1(A) =) �2(C)] (8)Thus, given symmetry properties �1 and �2, and the twoconstraints, we have established a new assertion. In thismanner, one can establish a family of properties for the en-tire design by using symmetries on individual components.It should be noted that in general for a trajectory formulaF , �1(F ) = �2(F ) does not imply �1 = �2.The antecedent constraint, �1(A) = �2(A) requires that�1 and �2 transform atoms in A identically. This require-ment is easy to satisfy. For instance, let all the atoms in Acome from the nodes ofM1 and not fromM2. Given this,�2, should also include those structural and data transfor-mations in �1 which transform atoms of A. If �2 does notcontain these transformations, then it can be trivially ex-tended to �02 = [�2; �a1; :::; �ak] by composing �2 with thestructural and data transformations �a1 ; :::; �ak in �1 whichact on A, but are not present in �2. Since these additionaltransformations �a1 ; :::; �ak do not alter the state of M2,�02 is also a symmetry ofM2. Thus, from equations 6 and7 we can establish that j=M [�1(A) =) �02(C)]. In gen-eral, we have to handle the case where A includes atomsof nodes from both M1 and M2. In such a case, both �1and �2 may be extended to �01 and �02 as described aboveto ensure that �01(A) = �02(A), while remaining symmetriesof M1 and M2, respectively. This allows one to establishj=M [�01(A) =) �02(C)] for the overall design. In somecases, the antecedent constraint is not required. The sub-section ahead describes this case.C.1 A special case of verifying partitioned designsLetM1, andM2 be conservative approximations ofM.Let �1 and �2 be the symmetries of M1 and M2 respec-tively. When the assertions and the circuit have a speci�cstructure, one verify partitioned designs by imposing onlythe interface constraint.Consider the problem of verifying an assertion of theform [A1 ^ A2 ^ A0 ) C] for M. Let A1 contain atomsonly fromM1, and A2 contain atoms only fromM2. Fur-thermore, let A0 contain only those atoms which are nottransformed by the symmetries under consideration for thedesign. Common examples of such atoms are those corre-sponding to clock inputs, control signals, scan signals etc.As earlier, Given the trajectory formulaA1Â0, we per-form waveform capture forM1 over the nodes at the inter-face of M2 to construct a trajectory formula WA. Usingthis waveform, and the trajectory formulas A0, and A2,one can establish that [WA ^ A2 Â0 ) C] holds for M2.These assertions on M1, and M2 allow one to prove that[A1 Â2 Â0 ) C] holds for M. Below, theorem 5 statesthis.Theorem 5: Let M1 and M2 be conservative approx-imations of M. If j=M1 [A1 ^ A0 ) WA], and j=M2[A0 ^WA Â2 ) C], then j=M [A1 Â2 Â0 ) C].

Proof: From the de�nition of a trajectory, and theorem 1it is easy to that if j=M1 [A1 ^ A0 ) WA] is true, thenj=M1 [A1 Â0 )WA Â0] is also true.Also, j=M [P ) Q] implies j=M [P ^R) Q^R] (resultfrom [14]). Applying this result to j=M1 [A1 Â0 )WA Â0] with trajectory formula A2, we obtain j=M1 [A1 Â0 Â2 )WA Â2 Â0].This result and j=M2 [A0^WAÂ2 ) C], upon applica-tion of theorem 3, and lemma 8 yield j=M [A1Â2 Â0 )C]. 2Since �1, and �2 are symmetries ofM1 andM2, respec-tively, given j=M1 [A1 Â0 ) WA], and j=M2 [A0 ^WA Â2 ) C], the following holds:j=M1 [�1(A1) ^ �1(A0)) �1(WA)] (9)j=M2 [�2(A0) ^ �2(WA) ^ �2(A2)) �2(C)] (10)If A0 is not transformed by �1 and �2, and the signalsat the interface of M1 and M2 match, i.e., �1(WA) =�2(WA), then applying theorem 5 to equations 9, and 10yields the following:j=M [�1(A1) ^ �2(A2) Â0 ) �2(C)] (11)Thus, from the individual component symmetries, wehave established a new property of the system.D. Creation of conservative approximationsCreation of a conservative approximation of a circuit in-tuitively means creating a reduced version of the circuitwhich produces more Xs than does the original circuit.The limiting case of the conservative approximation of acircuit is one whose every node produces only an X forevery input sequence. Such a \strict" approximation is oflittle use, however. We would like to create conservativeapproximations in a more controlled manner, so that wecan selectively disable desired portions of the circuit. Thefollowing two techniques are our means of doing so:� Attach \X-drivers" to internal circuit nodes.� Strengthen transistors which are adjacent to X-drivers.An X-driver is a strong source of Xs. Attaching an X-driver to a node is equivalent to converting the node to aninput node set to the constant value X. The X-driver isanalogous to the Vdd and ground nodes, which are strongsources of 1 and 0, respectively. An accompanying tech-nique we employ to create a conservative approximation isstrengthening transistors adjacent to X-drivers. Intuitively,this strengthening aids the propagation of Xs through thecircuit. As will be shown later, both these techniquesmonotonically move all the circuit nodes towards X.As an example, suppose we wish to create a reducedmodel for the circuit in Figure 5 by eliminating nodes a,b, and s. Then we could describe the remaining portionsof CCSN1 by the excitation expressions shown in Figure12. One can see that these expressions were obtained fromthose of Figure 5 by simplifying the result of setting the

IEEE TRANSACTIONS ON COMPUTER AIDED DESIGN, VOL. XX, NO. Y, MONTH 1999 14-k t +-c

t +

k+ c+

-c

-t

k+ c+ -t

XX-drivera

b c

s

t

b

T2

T5

T3

T1

T4

T6 kp

T8

T7

a Fig. 12. Conservative approximation of CCSN1.X q

dest

srcn

p

p’Fig. 13. Paths in a switch-level circuit conservative approximationleaves for all eliminated atoms to false. This conserva-tive approximation could be used to verify circuit operationfor the cases where node c is set to 0. We have modi�edAnamos to generate these simpli�ed expressions directly,avoiding the need to ever generate a complete model. Inparticular, we would replace node s in the example circuitby a X-driver.One �nal task which remains is to show that the twocircuit transformation techniques discussed above actuallycreate a conservative approximation. As mentioned in sec-tion III-D, the steady state response of a node in a switch-level network depends on all the unblocked paths to thatnode. In �gure 13, consider the path p from src to dest.If the path were unblocked before the X-driver is attachedto node n, then, two possibilities arise after the X-driveris introduced. The �rst is that the path still remains un-blocked, and the node response stays the same. The secondis that a stronger path q from n blocks p, i.e., jqj > jp0j,where p0 is a pre�x of p originating at the root. In thiscase, the stronger path q will dominate the response atdest, i.e., dest will monotonically move towards X. Thee�ect of strengthening transistors adjacent to a X-driver issimilar | stronger paths from the X-driver may dominateexisting paths, sending their destination towards X. Notethat the argument above also accounts for the case when nis on p. In such a case, the length of path q is 0.VIII. Putting it together: Verifying a SRAMcircuitConsider the 16-bit (1 bit/word) SRAM circuit shown inFigure 14. This circuit consists of the the following majorcomponents | row decoder, column address latches, col-umnmultiplexer (Mux) and the memory cell array core. Tosimplify the discussion here, many essential SRAM compo-nents like precharge column, write-drivers etc. have notbeen shown in the �gure. This is a standard organization

Mcell Mcell Mcell Mcell


Mcell

wl.0

Mcell Mcell Mcell


Row

wl.1

wl.2

wl.3

bl.0 blb.0 bl.1 blb.1 bl.2 blb.2 bl.3 blb.3

aL.1

aL.0a.0

a.1

a.2

aH.0

aH.1

a.3

Column Address

Column Address Latches Column Multiplexer

Memory Cell Array

Row Address

Decoder Fig. 14. SRAM circuitfollowed in many larger industrial SRAM arrays [13].To verify this circuit we must show that the read andwrite operations work correctly. To verify the write opera-tion, one must show that if we write data to a memory loca-tion, then the correct memory location gets updated. Letdin be the input node,m[0]; :::;m[15]be the memory storagenodes, and read and write be the control signals. For sim-plicity, we ignore all clocks and we assume that from settingdata, address and control signals to memory location up-date takes only two time steps. Let (din = d) be the short-hand for the trajectory formula (d! din+)^(:d! din�),where d is a symbolic Boolean variable. The assertion be-low states that if we write data d at address 0 (all addresslines are held low), it ends up at m[0], the node for memorylocation 0 two time steps later.[(din = d) ^ a:3� ^ a:2� ^ a:1� ^ a:0� ^write+ ^ read�=)NN(m[0] = d)]Details on introducing symbolic Boolean variables for ad-dresses to write compact assertions may be found in [19],[18]. Other properties of interest, such as if a memory lo-cation is addressed and read from, then the correct valuemust appear at the output, and that non-addressed mem-ory locations do not change can be expressed with STEassertions. [19], [18] describe these in more detail.The machinery we have built in the previous sectionsallows us to verify the read or write operation for onlyone location and, from the symmetry in the SRAM circuit,conclude that the operation works for every location. Weexpand on this below, starting with a discussion of SRAMsymmetries.A. Symmetries of a SRAMConsider the decoder in Figure 15. For any memoryoperation, the value of the row address assigned to nodesa.2 and a.3, causes one of the word lines wl.0, wl.1, wl.2 andwl.3 to be active. The �gure shows that wl.0 is active forrow address 00. The same waveform occurs on the activeword line regardless of the address. This mixed symmetry

IEEE TRANSACTIONS ON COMPUTER AIDED DESIGN, VOL. XX, NO. Y, MONTH 1999 15Row

wl.0

wl.1

wl.2

wl.3

Time

(active)Decoder

a.3a.2Fig. 15. Row decoder and signal waveforms on word lines for rowaddress 00.




aH.1


Symmetry

Row 0

Row1

Row 2

Row 3

Row swap

Col0 Col1 Col2 Col3

Col. swap Col. swap

Row Symmetry

Column-Mux

Addressline pairswap

aL.0

aH.0aL.1Fig. 16. Structural symmetries of the SRAM core.of the decoder is expressed by the group of transformationsgenerated by transformations �0 and �1:�0 = [a.2�;wl.0$ wl.1;wl.2$ wl.3]�1 = [a.3�;wl.0$ wl.2;wl.1$ wl.3]Transformation �i indicates that complementing bit i ofthe row address causes an exchange of signal waveforms foreach pair of word lines j and k such that the binary repre-sentations of j and k di�er at bit position i. The columnaddress latches obey the \decoder" symmetry expressed byEquation 3.The mixed symmetries of the decoder and the column ad-dress latches can be veri�ed by symbolic simulation, wherea single run of the simulator with n symbolic Boolean val-ues at the circuit inputs is equivalent to 2n runs of a con-ventional simulator with 0-1 values. For example, to verifythat �0 is a symmetry of the decoder, we symbolically sim-ulate the decoder with symbolic values s0 and s1 at thedecoder inputs a.2, and a.3 in Figure 15. As the simula-tion proceeds, we check that a substitution of s0 for s0 inthe symbolic waveform for wl.0 (resp., wl.2) matches thesymbolic waveform on wl.1 (resp., wl.3).Figure 16 illustrates the two structural symmetries ofthe SRAM core and column Mux combination. The rowsymmetry arises from the invariance of the core-mux cir-cuit structure under permutations of the rows of the core.The column-mux symmetry arises from the invariance ofthe circuit structure under a swap of column address latchoutput pairs accompanied by a corresponding exchange ofcolumns. For example, in Figure 16, a swap of aH.0 and

CELLMEM. XX

X X X X

X X X X

Disabled memory cells

X X X X

X X X X

XDecoderRow

Row Addressa.3a.2

Column Address Latches

Column Address

Conservative approximation 1

Reduced Circuit

a.1

a.0

Conservative approximation 2

CircuitReduced

Location 0

Fig. 17. Conservative approximations of the SRAM.aL.0 accompanied by a swap of column 0 with 1, and aswap of column 2 with 3 is a symmetry of the circuit.We verify the core-Mux symmetries in two parts. Firstwe verify that arbitrary row and column permutations aresymmetries of the core. Veri�cation that the exchange androtate permutation generators for rows and columns aresymmetries su�ces for this. This gives a total of 4 sym-metry checks for the core. Next we verify the column-muxsymmetry for the Mux. In the �gure, the generators of thefour di�erent column address line pair permutations arethe two permutations associated with each column addresslatch output pair. Therefore, two symmetry checks verifythe column-mux symmetry. In general n symmetry checksmust be done for the Mux in a SRAM with n column ad-dress line pairs.B. Veri�cation stepsIn order to verify the SRAM circuit we go through thefollowing sequence of steps.1. Circuit partitioning| We partition the SRAM cir-cuit into two parts. The �rst part consists of the decoderwith the column address latches. The second part consistsof the memory core and the column Mux.2. Symmetry veri�cation | Using symbolic simula-tion we verify the symmetries of the decoder and columnlatches. Using circuit graph isomorphism checks we verifythe symmetries of the core and the column Mux.3. Conservative approximations|We create two con-servative approximations of the SRAM (Figure 17). In the�rst model, the memory core and the column Mux are\disabled". In the second model, the decoder, the col-umn address latches are disabled, and all the memory cellsexcept that for location 0 are disabled. Figure 18 showshow we conservatively disable a SRAM cell by attachingX-drivers, and strengthening transistors adjacent to the X-drivers. The �gure also shows the optimization that chainsof N or P transistors from Vdd or ground to an X-drivermay be eliminated from the circuit | their presence doesnot alter circuit behavior.4. Waveform capture | Given the assertion [A =) C]specifying an operation for memory location 0, we use theantecedent A to symbolically simulate conservative approx-imation 1. During the process of symbolic simulation werecord the signal waveforms on the outputs of the decoder

IEEE TRANSACTIONS ON COMPUTER AIDED DESIGN, VOL. XX, NO. Y, MONTH 1999 16d db

T1

T2

T3

T4

T5T6

bl blbarwordline

SRAM CELL

TransformationsApproximationConservative

X

StrengthenedTransistor

blwordline

d dbT1 T6

X

REDUCED SRAM CELL

blbarFig. 18. Creation of a conservative approximation of a SRAM Celland the column address latches. We construct a trajectoryformula W , which captures the signal values on the out-puts recorded above. As discussed earlier, it can be shownthat [A =) W ] is true.5. Veri�cation of SRAM core | Finally, with conser-vative approximation 2, we show that given the waveformW , and the antecedent A, the consequent C is true, i.e.,[A ^W =) C]. From the earlier discussion in section VII,if [A =) W ] and [A ^W =) C] are both true, then wecan conclude that [A =) C] is true, i.e., the memory op-eration is veri�ed for location 0. Given the symmetries ofthe circuit we can then conclude that the operation workscorrectly for every memory location.IX. Experiments and ResultsAll the time and memory �gures in this section havebeen measured on a Sun SparcStation-20. We used theAnamos switch-level analyzer to generate switch-level mod-els [5]. We modi�ed Anamos to make it possible to at-tach X-drivers to circuit nodes to generate reduced models(conservative approximations) of switch-level circuits. Ta-ble II shows the results of model generation for SRAM cir-cuits of varying sizes for the full and reduced circuit mod-els. The full circuit model contains about 73 operationsfor each memory bit. However, for circuits larger than16K, it was not possible to generate the full circuit modelwithin reasonable time or memory bounds (empty table en-tries). Conservative approximations of SRAM circuits, onthe other hand, can be generated for much larger circuitsfor a miniscule fraction of the cost of the full model. Thereduced model size grows proportional to the square rootof the SRAM size, and its generation time and memory isproportional to the SRAM size.To verify a structural symmetries, we do graph isomor-phism checks as outlined in section VI. We have modi�edthe isomorphism checking code [2] from Anamos for ourpurpose. Table III reports the running time and memorytaken for converting one instance of the memory core orcolumn mux permutation into a canonical circuit, and thetotal time to do all the isomorphism checks. The total timeand memory requirements scale linearly with the SRAMsize. Table III reports the resources required to check thestructural symmetries. The memory core has four symme-try generators. We verify that each of these is a symmetry(columns 2,3,4). Column 4 indicates the number of sym-metry checks that are required. The column multiplexer

SRAM Size Time Memory(bits) (CPU Secs.) (MB)1K 1.7 0.694K 2.1 0.7416K 2.5 0.8864K 3.2 1.10256K 4.2 1.52TABLE IVDecoder and col. latch symmetry checks.has a number of symmetry generators equal to the num-ber of column address lines. We also verify each of thesegenerators (columns 5,6,7). The total time is reported incolumn 8. Table IV shows the time and memory requiredto check the decoder and column address latch symmetriesby symbolic simulation.We used the Voss veri�cation system [21] to verify thereduced SRAM circuit. Table V shows the running timeand the memory required for verifying the write operationfor location 0. In addition, we verify two other properties| that the read operation reads the value stored at location0 (Table VI), and that operations at other addresses donot change the data in location 0 (Table VII). The timeand memory required to verify these other operations issimilar to that of the write. Much of the veri�cation timeand memory is taken to read in the reduced circuit modeland representing it. So, it is not surprising that the timeand memory requirements grow roughly proportional to thesquare root of the memory size.The total veri�cation time for a SRAM circuit is the sumof the times in tables II, III, IV and V. For example, toverify a 64K SRAM, 170.7 secs. are required to generate thereduced circuit model, a total of 952.4 + 3.2 secs. are re-quired to verify the circuit symmetries, and an additional6.0 + 6.6 + 6.1 secs. are required to verify the reducedmodel for all the operations. This gives a total veri�cationtime of 1145.0 secs. It is interesting to note that symme-try checks dominate much of this time. In the veri�cationprocess, the only time we ever work with the complete cir-cuit is the symmetry check phase. This partially explainsthe reason for the relatively large time and memory require-ments of this phase. However, the circuit isomorphism codewe have used is a simple modi�cation of that in Anamos.There is considerable scope for reducing time and mem-ory by developing a specialized circuit isomorphism checkerwithout the baggage from Anamos. Circuit netlist compar-ison programs such as schematic-layout checkers routinelyuse these isomorphism algorithms to handle graphs withtens of millions of nodes and edges.X. ConclusionWe show that exploiting symmetry allows one to ver-ify systems several orders of magnitude larger than other-wise possible. We have veri�ed memory arrays with multi-million transistors. The techniques we have developed also

IEEE TRANSACTIONS ON COMPUTER AIDED DESIGN, VOL. XX, NO. Y, MONTH 1999 17SRAM size No. of Model Size Anamos Time Anamos Memory(bits) Transistors (Bool. ops) (CPU Secs.) (MB)Full Reduced Full Reduced Full Reduced1K 6690 79951 2781 120 4.1 9.6 0.94K 25676 307555 5462 863 14.1 36.8 2.116K 100566 1205239 10895 7066 43.2 144.2 6.064K 397642 | 21960 | 170.7 | 22.0256K 1581494 | 44545 | 732.7 | 80.0TABLE IIGeneration of SRAM model: Full vs. Reduced model.SRAM Size Memory Core Column Multiplexer Total Isomorph.(bits) CPU Time Memory No. of CPU Time Memory No. of Check Time(Secs.) (MB) checks (Secs.) (MB) checks (Secs.)1K 2.6 1.6 4 0.3 0.19 5 11.94K 11.1 6.5 4 0.5 0.38 6 47.416K 51.2 26.0 4 1.3 0.74 7 214.164K 232.1 104.0 4 3.0 1.44 8 952.4256K 1135.6 416.0 4 6.6 3.50 9 4601.8TABLE IIISymmetry checks for memory core and column multiplexer.SRAM Size Verif. Time Verif. Memory(bits) (CPU Secs.) (MB)1K 1.5 0.794K 2.0 1.0516K 3.0 1.8064K 6.0 2.84256K 18.5 4.26TABLE VVerification of reduced SRAM writes.SRAM Size Verif. Time Verif. Memory(bits) (CPU Secs.) (MB)1K 1.7 0.794K 2.2 1.0516K 3.0 1.8064K 6.2 2.84256K 18.7 4.26TABLE VIVerification of reduced SRAM reads.successfully overcome the switch-level analysis bottleneckfor such circuits. We believe that with our work the prob-lem of SRAM veri�cation is solved. With more compu-tational resources, and some �ne-tuning of our programs,the results of our experiments indicate that we can ver-ify multi-megabit SRAM circuits. The techniques we have

SRAM Size Verif. Time Verif. Memory(bits) (CPU Secs.) (MB)1K 1.8 0.874K 2.2 1.1216K 3.1 1.8264K 6.6 2.90256K 19.6 4.35TABLE VIIVerification that unaddressed location unchanged.presented can be used in a rather straightforward mannerto exploit symmetries in other hardware units like set asso-ciative cache tags, where every set is identical in structure.One direction for future work in the short run would be toextend these ideas to verify content addressable memories.In the longer run, it would be interesting to apply theseideas to verify hardware units other than memory arrays.Candidates for such an application include a processor dat-apath, where one can �nd the presence of structural sym-metries because of bit-slice repetition, and data symmetriesarising from the datapath operations.References[1] S. Aggarwal, R. P. Kurshan, and K. Sabnani. A calculus forprotocol speci�cation and validation. In H. Rudin and C. H.West, editors, Protocol Speci�cation, Testing and Veri�cation,volume 3, pages 91{34. IFIP, Elsevier Science Publishers B.V.(North Holland), 1983.[2] Derek L. Beatty and Randal E. Bryant. Fast incremental circuitanalysis using extracted hierarchy. In 25th ACM/IEEE Design

IEEE TRANSACTIONS ON COMPUTER AIDED DESIGN, VOL. XX, NO. Y, MONTH 1999 18Automation Conference, pages 495{500, June 1988.[3] Randal E. Bryant. A switch-level model and simulator for MOSdigital systems. IEEE Transactions on Computers, C-33(2):160{177, Feb. 1984.[4] Randal E. Bryant. Algorithmic aspects of symbolic switch net-work analysis. IEEE Transactions on Computer-Aided Design,CAD-6(4):618{633, July 1987.[5] Randal E. Bryant. Boolean analysis of MOS circuits. IEEETransactions on Computer-Aided Design, CAD-6(4):634{649,July 1987.[6] Randal E. Bryant. Formal veri�cation of memory circuits byswitch-level simulation. IEEE Transactions on Computer-AidedDesign, CAD-10(1):94{102, January 1991.[7] Edmund M. Clarke, Robert Enders, Thomas Filkorn, andSomesh Jha. Exploiting symmetry in temporal logic modelchecking. Formal Methods in System Design, 9:77{104, 1996.[8] Edmund M. Clarke, Thomas Filkorn, and Somesh Jha. Exploit-ing symmetry in temporal logic model checking. In Proceedingsof 5th International Conference on Computer Aided Veri�ca-tion, pages 450{462, 1993.[9] C. Ebeling. GeminiII: A second generation layout validation pro-gram. In Proceedings of the International Conference on Com-puter Aided Design, 1992.[10] C. Ebeling and O. Zazicek. Validating VLSI circuit layout bywirelist comparison. In Proceedings of the International Confer-ence on Computer Aided Design, pages 172{173, 1982.[11] E. Allen Emerson and A. Prasad Sistla. Symmetry and modelchecking. In Proceedings of 5th International Conference onComputer Aided Veri�cation, pages 463{478, 1993.[12] E. Allen Emerson and A. Prasad Sistla. Symmetry and modelchecking. Formal Methods in System Design, 9:105{131, 1996.[13] Stephen T. Flannagan, Perry H. Pelley, Norman Herr, Bruce E.Engles, Taisheng Feng, Scott G. Nogle, John W. Eagan,Robert J. Dunnigan, Lawrence J. Day, and Robert I. Kung. 8-ns CMOS 64k � 4 and 256k � 1 SRAMs. IEEE Journal ofSolid-State Circuits, pages 1049{1054, October 1990.[14] Scott Hazelhurst and Carl-Johan H. Seger. A simple theoremprover based on symbolic trajectory evaluation and OBDDs.Technical Report 93-41, Department of Computer Science, Uni-versity of British Columbia, 1993.[15] P. Huber, A. M. Jensen, L. O. Jepsen, and K. Jensen. Reachabil-ity trees for high-level Petri nets. Theoretical Computer Science(Netherlands), 45(3):94{102, 1986.[16] C. Norris Ip and David L. Dill. Better veri�cation through sym-metry. Formal Methods in System Design, 9:41{75, 1996.[17] Kurt Jensen. Condensed state spaces for symmetrical coloredpetri nets. Formal Methods in System Design, 9:7{40, 1996.[18] Manish Pandey. Formal veri�cation of memory arrays. Techni-cal Report CMU-CS-97-162, Department of Computer Science,Carnegie Mellon University, August 1997. PhD Thesis.[19] Manish Pandey, Richard Raimi, Derek L. Beatty, and Randal E.Bryant. Formal veri�cation of PowerPC(TM) arrays using sym-bolic trajectory evaluation. In 33rd ACM/IEEE Design Au-tomation Conference, pages 649{654, June 1996.[20] P.H.Starke. Reachability analysis of Petri nets using Symme-tries. Systems Analysis - Modeling - Simulation (Germany),8(4-5):293{303, 1991.[21] Carl-Johan H. Seger. Voss|a formal hardware veri�cation sys-tem: User's guide. Technical Report 93-45, Department of Com-puter Science, University of British Columbia, 1993.[22] Carl-Johan H. Seger and Randal E. Bryant. Formal veri�cationby symbolic evaluation of partially-ordered trajectories. FormalMethods in System Design, 6:147{189, 1995.

Exploiting Symmetry When Verifying Transitor-Level Circuits by Symbolic Trajectory Evaluation

Documents

Transcript of Exploiting Symmetry When Verifying Transitor-Level Circuits by Symbolic Trajectory Evaluation