## Equivalence Checking By Logic Relaxation

#### **Eugene Goldberg**

FMCAD, Mountain View, CA, USA October 3-6, 2016



- Introduction
- Equivalence checking by logic relaxation
- Experimental results and conclusions

## Motivation

- Equivalence Checking (EC) is an important part of formal verification
- Any progress in EC empowers logic synthesis
- Short EC proofs for structurally similar circuits
- Ideas of EC of combinational circuits can be reused in EC of sequential circuits and software

## Solving EC

Prove $EQ \wedge G_{rlx} \Rightarrow (z' \equiv z'')$,

where $G_{rlx} = F_{N'} \wedge F_{N''}$

This reduces to proving $EQ \wedge G_{rlx} \wedge \sim (z' \equiv z'')$ UNSAT

## Cut Image

Let $Img_{cut}$ specify the cut image

$Img_{cut}(q',q'') = 0$ iff there is no input $(x',x'')$ with $x' = x''$ for which $N'$, $N''$ produce $(q',q'')$

Let $Cut = \{z', z''\}$. $N'$ and $N''$ are equivalent iff $Img_{cut} \Rightarrow (z' \equiv z'')$.

## Problem To Solve: Finding An Inductive Proof Of Equivalence

Given combinational circuits $N'$ and $N''$, find formulas $H_i$ such that

- $Img_i \Rightarrow H_i$, $0 \le i < k$
- $H_i$ are as simple as possible
- $H_i$ can be derived from $H_{i-1}$
- $H_k \equiv Img_k(z', z'')$

A simple inductive proof should exist if $N'$ and $N''$ are structurally similar

## Some Background

Building inductive proofs of equivalence:

- Berman, Trevillyan 1988
- Brand 1993
- Kuehlmann, Krohm 1996
- Goldberg, Prasad, Brayton 2001
- Mishchenko, Chatterjee, Brayton, Een 2006

Proofs are based on deriving pre-defined relations, e.g. equivalences


## Structure Of Cut Image

Assignments excluded from the cut image: $S_{excl} = S_{rlx} \cup S_{imp}$

$S_{rlx} = \{(q',q'') \mid \text{only relaxed inputs } (x',x'') \text{ where } x' \neq x'' \text{ can produce } (q',q'')\}$

$S_{imp} = \{(q',q'') \mid \text{no input } (x',x'') \text{ can produce } (q',q'')\}$

$(q',q'') \in S_{imp}$ iff

- $q'$ cannot be produced in $N'$ and/or
- $q''$ cannot be produced in $N''$

## Definition Of Boundary Formulas

EC by Logic Relaxation: "replace" $Img_{cut}$ with boundary formula $H_{cut}$

Boundary formula $H_{cut}$:

1. If $(q',q'') \in S_{rlx}$, then $H_{cut}(q',q'') = 0$
2. If $(q',q'') \in S_{imp}$, then $H_{cut}(q',q'')$ can take an arbitrary value
3. $Img_{cut} \Rightarrow H_{cut}$

## Boundary Formula For Cut = {z', z''}

Assume that $N'$ and $N''$ are not constants. Then $S_{imp} = \emptyset$, so $S_{excl} = S_{rlx}$, and hence $H_{cut} \equiv Img_{cut}$

Testing if $N'$ is a constant: two easy SAT checks

## Boundary Formula And Partial Quantifier Elimination

**Complete** quantifier elimination: $Img_{cut} \equiv \exists W [EQ \wedge F_M]$, where $W = Vars(F_M) \setminus Vars(Cut)$ and $F_M$ specifies the logic below the cut

**Partial** quantifier elimination: $H_{cut} \wedge \exists W [F_M] \equiv \exists W [EQ \wedge F_M]$

$EQ \wedge G_{rlx} \wedge \sim (z' \equiv z'')$ is equisatisfiable with $H_{cut} \wedge G_{rlx} \wedge \sim (z' \equiv z'')$, where $G_{rlx} = F_{N'} \wedge F_{N''}$

## Contrasting Cut Image And Boundary Formulas



## Boundary Formulas Of Structurally Similar Circuits

Suppose that for every $v \in Cut'$, $v = g_v(L_v)$ where $L_v \subseteq Cut''$

Let $Max_{cut}$ be the largest value of $|L_v|$ over all $v \in Cut'$

Then $H_{cut}$ can be built from $(Max_{cut} + 1)$-literal clauses
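An added example (not from the slides) that checks the boundary-formula definition and the structural-similarity claim above by brute force on a constructed pair of three-input circuits: it enumerates $Img_{cut}$, $S_{rlx}$ and $S_{imp}$ for one cut, builds $H_{cut}$ from 2-literal clauses ($Max_{cut} = 1$, since each cut variable of $N'$ is a function of one cut variable of $N''$), verifies the three conditions on $H_{cut}$, and confirms that the relaxed formula $H_{cut} \wedge G_{rlx} \wedge \sim (z' \equiv z'')$ is unsatisfiable exactly when the original one is. The circuits, node names and cut are assumptions of the example.

```python
from itertools import product

# Constructed example: two structurally similar circuits over shared inputs x1, x2, x3.
# Cut' = (u', v') in N', Cut'' = (u'', t'') in N''; each output depends on its cut only.
def circuit_n1(x1, x2, x3):
    u = x1 & x2
    v = u | x3
    return (u, v), u ^ v                  # (cut values, z')

def circuit_n2(x1, x2, x3):
    u = x1 & x2
    t = 1 - (u | x3)                      # NOR gate, so t'' = NOT v'
    return (u, t), u ^ (1 - t)            # (cut values, z'')

INPUTS = list(product((0, 1), repeat=3))
CUT_ASSIGNMENTS = set(product((0, 1), repeat=4))   # all (u', v', u'', t'')

def cut_sets():
    """Img_cut, S_rlx and S_imp by enumerating every relaxed input pair (x', x'')."""
    img, producible = set(), set()
    for xa in INPUTS:
        for xb in INPUTS:
            q = circuit_n1(*xa)[0] + circuit_n2(*xb)[0]
            producible.add(q)
            if xa == xb:                  # EQ(X', X'') holds: contributes to the cut image
                img.add(q)
    return img, producible - img, CUT_ASSIGNMENTS - producible

def h_cut(u1, v1, u2, t2):
    """Boundary formula from 2-literal clauses encoding u' = u'' and v' = NOT t''."""
    return u1 == u2 and v1 != t2

def is_boundary_formula():
    """H_cut must be 0 on S_rlx and implied by Img_cut (it is free on S_imp)."""
    img, s_rlx, _ = cut_sets()
    return all(not h_cut(*q) for q in s_rlx) and all(h_cut(*q) for q in img)

def original_check_sat():
    """EQ AND G_rlx AND NOT(z' == z''): look for a shared input that separates the outputs."""
    return any(circuit_n1(*x)[1] != circuit_n2(*x)[1] for x in INPUTS)

def relaxed_check_sat():
    """H_cut AND G_rlx AND NOT(z' == z''): inputs may differ, H_cut does the filtering."""
    for xa in INPUTS:
        for xb in INPUTS:
            (qa, za), (qb, zb) = circuit_n1(*xa), circuit_n2(*xb)
            if h_cut(*qa, *qb) and za != zb:
                return True
    return False
```

Here $S_{imp}$ has 7 assignments on which $H_{cut}$ is free, which is why the relaxed check must still enumerate $F_{N'} \wedge F_{N''}$ rather than the 1-set of $H_{cut}$ alone.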

## EC By Logic Relaxation

- $Cut_0 = X' \cup X'', \dots, Cut_k = \{z', z''\}$
- Compute $H_0, \dots, H_k$ where $H_0 = EQ(X', X'')$ and $H_i \wedge \exists W_i [F_{M_i}] \equiv \exists W_i [H_{i-1} \wedge F_{M_i}]$, $W_i = Vars(F_{M_i}) \setminus Vars(Cut_i)$
- If $H_k \Rightarrow (z' \equiv z'')$, $N'$ and $N''$ are equivalent

If, say, $H_k(z'=0, z''=1) = 1$ and $N'$ can produce 0 and $N''$ can produce 1, they are inequivalent


## Non-Trivial Example Of EC

$Mlp_s$ computes a median bit of an $s$-bit multiplier

Operands $A$ and $B$, where $A = \{a_1, \dots, a_s\}$, $B = \{b_1, \dots, b_s\}$

$h$ is an additional input variable

If $h = 1$, then $N'$ and $N''$ compute $Mlp_s$; if $h = 0$, then $N'$ and $N''$ evaluate to 0

## Comparison With ABC

- Partial Quantifier Elimination (a variation of the HVC-14 algorithm) is based on the machinery of D-sequents (FMCAD-12, FMCAD-13)
- *ABC* is a high-quality tool developed at UC Berkeley

| $s$ in $Mlp_s$ | #cuts | EC by LoR (s) | ABC (s) |
|----------------|-------|---------------|---------|
| 10             | 37    | 4.5           | 10      |
| 11             | 41    | 7.1           | 38      |
| 12             | 45    | 11            | 142     |
| 13             | 49    | 16            | 757     |
| 14             | 53    | 25            | 3,667   |
| 15             | 57    | 40            | 11,237  |
| 16             | 61    | 70            | >6h     |

Formulas $H_i$ were computed approximately:

$H_i \wedge \exists W_i [F_{M_i}] \equiv \exists W_i [H_{i-1} \wedge F_{M_i}]$

$F_{M_i}$ specifies the logic below the $i$-th cut

Only a subset of the clauses of $F_{M_i}$ was used

## Proving Inequivalence

Formula $\alpha$: $EQ(X',X'') \wedge F_{N'} \wedge F_{N''} \wedge \sim (z' \equiv z'')$

Formula $\beta$: $H_3 \wedge F_{N'} \wedge F_{N''} \wedge \sim (z' \equiv z'')$

Formula $H_3$ was computed **precisely**

SAT solver: Minisat 2.0, time limit 600 s

| Formula type | #solved | total time (s) | median time (s) |
|--------------|---------|----------------|-----------------|
| $\alpha$     | 95      | > 3,490        | 4.2             |
| $\beta$      | 100     | 1,030          | 1.0             |

## Conclusions

- $Relative\_complexity(N',N'') \ll Absolute\_complexity(N',N'')$
- EC by logic relaxation gives a general solution
- It can be extended to sequential circuits/programs
- Efficient partial quantifier elimination is of great value