# Liudmila CHEREMISINOVA

THE UNITED INSTITUTE OF INFORMATICS PROBLEMS OF NAS OF BELARUS, ul. Surganova 6, 220012 Minsk

# Verification of logical descriptions with functional indeterminacy

#### D.Sc. Liudmila CHEREMISINOVA

DSc. Degree from the United Institute of Informatics Problems of NAS of Belarus (2000). Principal researcher of the Laboratory of Logical Design of the Institute (2002). Scientific results: about 250 publications, ten books. Research interests: VLSI and discrete devices design automation, logical control of concurrent processes, formal verification, topological optimization, low-power synthesis.



e-mail: cld@newman.bas-net.bv

#### Abstract

The problem under discussion is to check whether a given system of incompletely specified Boolean functions is implemented by a logical description with functional indeterminacy that is represented by a system of connected blocks. Each of blocks is specified by a system of completely or incompletely specified Boolean functions. Simulation based and SAT based verification methods is considered. The first method simulates the structure specified by the second description on the domain of the first description. The second method formulates the verification problem as checking satisfiability of a conjunctive normal form. The results of computer investigation of the proposed methods are given.

Keywords: design automation, formal verification, simulation.

# Weryfikacja specyfikacji logicznych z indeterminizmem funkcjonalnym

#### Streszczenie

W artykule omówiono problem sprawdzania, czy dany układ częściowo określonych funkcji Boole'owskich jest realizowany przez specyfikacją logiczną z indeterminizmem funkcjonalnym. Ta specyfikacja jest przedstawiona jako system połączonych bloków, z których każdy odpowiada układowi całkiem albo częściowo określonych funkcji Boole'owskich. Rozpatrzono metodę symulacyjną i metodę bazującą na analizie spełnialności funkcji. Pierwsza z tych metod symuluje strukturę, opisaną przez drugą specyfikację, w dziedzinie pierwszej specyfikacji. Druga metoda sprowadza problem weryfikacji do problemu spełnialności funkcji w postaci iloczynu sum. Przedstawiono wyniki komputerowych badań skuteczności zaproponowanych metod.

Slowa kluczowe: automatyzacja projektowania, formalna weryfikacja, symulacja.

### 1. Introduction

Verification becomes more and more important aspect of the design flow due to the importance of design correctness with growing VLSI design in complexity. Currently, verification takes more than 70% efforts spent in automated electronic design. The objective of verification is to ensure that implemented and specified behaviors are the same. In a typical scenario, there are two structurally similar circuit implementations of the same design, and the problem is to prove their functional equivalence.

In contrast to that in the paper, the verification task is examined for the case, when desired functionality of the system under design is incompletely specified. Such a case usually occurs on early stages of designing when assignments to primary inputs of designed device exist which will never arise during a normal mode of the device usage. Thus when hardware implementing this device, its outputs in response of these inputs may be arbitrary specified. In this case verification methodologies must consider only possible input scenarios to the design under verification and verify that every possible output signal of the implemented behavior has its intended (described in initial specification) value. We consider the verification problem for the case, when desired incompletely specified functionality is given in the form of a system of incompletely specified Boolean functions and the compared functional description represents a multi-block structure with blocks specified by systems of completely or incompletely specified Boolean functions (ISFs). A special case of such a multiblock structure is a combinational network or an ISF system. There is one-to-one correspondence between arguments and functions of both descriptions.

ISFs are specified on intervals (cubes) of values of Boolean input variables, and the intervals are large enough. Such a statement of the verification problem occurs in logical design of combinational part of logical devices when an indeterminacy of an initial large ISF system is gradually decreased from step to step of design process. After each successive step the behaviors of two compared descriptions must be equivalent only on those sets of values of Boolean input variables (elements of Boolean space), where Boolean functions of the first system are specified.

### 2. Preliminaries

An ISF system  $F(\mathbf{x}) = \{f_1(\mathbf{x}), f_2(\mathbf{x}), \dots, f_m(\mathbf{x})\}$  (where  $\mathbf{x} = (x_1, x_2, \dots, x_n)$  is a vector) is represented as a mapping of *n*-dimensional Boolean space  $B^n$  into *m*-dimensional space  $\{0, 1, -\}^m$ , where the symbol "–" denotes don't -care condition. An ISF is specified by off-set  $U_f^0$ , on-set  $U_f^1$  and dc-set  $U_f^{ds}$  as subsets of  $B^n$   $(U_f^1 \cup U_f^0 \cup U_f^{ds} = B^n)$ . Let us specify a system  $F(\mathbf{x})$  as a set  $I_F$  of multiple-output cubes  $(\mathbf{u}, t)$  each of which is a pair of ternary vectors  $\mathbf{u}$  and  $\mathbf{t}$  (or conjunctions) of sizes n and m that further are called its input and output parts. The input part  $\mathbf{u}$  is a cube in  $B^n$  or a set of minterms (elements of  $B^n$ ), the output part  $\mathbf{t}$  is a ternary vector of values of functions for the cube  $\mathbf{u}$ .

The system F(X) of ISFs given by the set  $I_F$  of multiple-output cubes  $(u_i, t_i)$  can be represented in matrix form by a pair of ternary matrices U and T (Fig. 1) or a pair of Boolean B and ternary T matrices (Fig. 2) of the same cardinalities. For example, ISF system  $F(\mathbf{x}) = (U, T)$  (Fig. 1) is specified by the set  $I_F = \{(\overline{x}_1 x_2 \overline{x}_3, \overline{f_1}), (\overline{x}_1 \overline{x}_2 \overline{x}_3 x_4 x_5, f_2 f_3), ...\}$  of multiple-output cubes.

We are focusing on the case in which the first description is an ISF system and the second of the compared descriptions is an implementation of the first one and is represented by some sort of multi-block structure. Further we consider two cases: 1) the structure has no indeterminacy and each its block is represented by CNF system (Fig. 1); 2) the structure has indeterminacy and each its block is represented by ISF system (Fig. 2).



Fig. 1. An example of ISF system and a three-block structure implementing it Rys. 1. Przykład systemu ISF i trzyblokowa struktura implementująca



Fig. 2. An example of ISF system and a three-block structure with indeterminacy Rys. 2. Przykład systemu ISF i trzyblokowa struktura z nieokreślonością

### 3. Simulation based verification: case 1

Logic simulation is the most widely used technique for ensuring the correctness of digital integrated circuits in industry because of its scalability and predictable run-time behavior. This technique is based on verifying a digital system by stimulating inputs of the circuit with binary signal values that propagate in the circuit leading to a corresponding activation of the outputs, whose values must be consistent with the expected ones.

The proposed verification methods are based on parallel simulation of the given multi-block structure (with or without indeterminacy) on the input patterns specified by the set  $I_F$  of multiple-output cubes of the compared ISF system. The multi-block structure is simulated under all possible inputs (corresponding to the elements of the domain of the system  $F(\mathbf{x})$ ) simultaneously, i.e. a state of each primary input and node of the circuit is represented by a Boolean or a ternary vector of the size  $|I_F|$ . The simulation is based on the fast Boolean computations over long binary and/or ternary vectors [1, 2].

In the first considered case (Fig. 1) each block of the multiblock structure realizes a system of disjunctive normal forms. The structure can be easily transformed into a multi-level combinational network which consists of NOT, AND and OR gates. Before simulation the network gates are levelized such a manner that before a gate is evaluated, all its fan-ins would have been evaluated.

In general case the initial ISF system is specified on intervals, i.e. it is represented by a pair of ternary matrices U and T and the simulation based verification can be carried by one of the ways: 1) by transforming the pair of ternary matrices U and T into the a pair of Boolean B and ternary T matrices to have only minterms in the first matrix; 2) by solving the task directly using the interval representation. The first way allows Boolean simulation of the network S under test. The second way should be used, when the number of intervals of the set  $I_F$  having ranks less than n is big and/or these ranks are much less than n. In these cases, the resulting Boolean matrix B can be great. Further we discuss this second way as it is more time and space efficient than the first one [1].

At the beginning of the simulation, the ordered set of *n* ternary vectors (corresponding to the columns of the matrix *U* and having the size  $|I_F|$ ) are taken as network inputs. Then gates of the network *S* are simulated in the predefined topological order. Let a gate implementing the function  $\varphi_i(z_{1i}, z_{2i}, ..., z_{ki})$  is simulated. For each its argument  $z_{ji}$  a ternary vector  $z_{ji}$  corresponds to and the vectors  $z_{ji}$  have been computed already. So the simulation of the gate is reduced to performing the logic operation  $\varphi_i$  over ternary vectors  $z_{1i}, z_{2i}, ..., z_{ki}$  in the bitwise style. The result of the simulation is a new ternary vector  $z_i$  of the same size. The definition of basic operations over ternary variables is given bellow for all combinations of values of two ternary variables:

| <b>a</b> :            | 0 0 | 0 | _ | _ | _ | 1 | 1 | 1 |
|-----------------------|-----|---|---|---|---|---|---|---|
| <b>b</b> :            | 0 - | 1 | 0 | _ | 1 | 0 | _ | 1 |
| <i>a</i> :            | 1 1 | 1 | _ | _ | _ | 0 | 0 | 0 |
| <i>a</i> ∧ <i>b</i> : | 0 0 | 0 | 0 | _ | _ | 0 | _ | 1 |
| <i>a</i> ∨ <i>b</i> : | 0 - | 1 | _ | _ | 1 | 1 | 1 | 1 |

As soon as the last gate of the network has been simulated the following pairs of vectors are compared: the ternary vector  $t^i$  (i = 1, 2, ..., m) corresponding to the *i*-th column of the matrix T (the column of values of the function  $f_i \in F$ ) and the ternary vector  $y_p$  corresponding to the primary output  $y_p$  of the network S. The following three cases are possible:

- 1. Vectors  $t^i$  and  $y_i$  are orthogonal in some component. Hence, the network *S* does not implement the function  $f_i$ .
- The vector t' covers the vector y<sub>i</sub>, i.e. values of all definite components of t' are the same as the values of the corresponding components of y<sub>i</sub>. The network implements the function f<sub>p</sub>.
- 3. The value of some *j*-th component of the vector  $y_i$  is don't care, while the value of the corresponding component of the vector  $t^i$  (corresponding to the interval  $u_j$  of the matrix U) is equal 1 or 0. In this case, there exists no unambiguous answer whether the network *S* implements the function  $f_i$  or does not.

In the last case, an additional analysis is needed to detect the reason of distinction between the values. The simplest way is to simulate the network *S* once more on all minterms of the interval  $u_j \in U$ . Or to analyze controversial intervals  $u_j$  using SAT based verification method.

For example, simulation of the structure shown in Fig. 1 gives:

The only exception is in the 5-th component of  $f_1$  for which the case 3 takes place. By splitting the interval  $u_5 = 0-101$  into two minterms and simulating the structure on them we find out  $y_1(00101) = y_1(01101) = 0 = t_5^{-1}$ , i.e.  $y_1$  implements  $f_1$ .

#### 4. Simulation based verification: case 2

The second considered case (Fig. 2) when each block of the multi-block structure realizes an ISF system is more complex and it is considered [2] for the case when the verified ISF system is specified on the domain of minterms only (specified by a Boolean matrix B instead of the ternary one).

ISF *f* can be represented by a pair of disjunctive normal forms collecting conjunctions on which the function *f* takes values 1 and 0 correspondingly. So each block can be considered as a two-level multi-output combinational network. The first is formed by multi-input AND gates, implementing conjunctions, and in the second level for each function  $y_i^k$  of the *k*-th block, a pair of multi-input OR gates is used: one of them to implement  $y_i^k$  and the other – to implement its inversion  $y_i^k$ . Inputs of the OR gate implementing function  $y_i^k$  (and  $y_i^k$ ) are fed upon outputs of those AND gates which implement conjunctions on which the function  $y_i^k$  takes value 1 (correspondingly,  $y_i^k = 0$ ).

To get an ISF a pseudo-element is introduced – two input UNITE gate. Such a gate joins signals from two OR gates of the second level for  $y_i^k$  and  $y_i^k$ . Keep in mind, that a pair of completely defined Boolean functions  $y_i^1(X) \bowtie y_i^0(X)$  specifies the ISF  $y_i(X)$  which takes the value 1 on a minterm  $\mathbf{b}_j$ , if  $y_i^{-1}(\mathbf{b}_j) = 1$ , the value 0, if  $y_i^0(\mathbf{b}_j) = 1$ , and the value of  $y_i(X)$  is don't care, if  $y_i^{-1}(\mathbf{b}_j) = y_i^0(\mathbf{b}_j) = 0$ , the UNITE function  $f(x_0, x_1)$  could be specified as follows:

$$\begin{array}{rrrr} x_0 & 0 & 0 & 1 & 1 \\ x_1 & 0 & 1 & 0 & 1 \\ f(x_0, x_1) & -1 & 0 & - \end{array}$$

It should be noted that the last combination takes no place for consistent assignment of ISFs specifying blocks.

Just as in the case 1, the multi-block structure (Fig. 2) is tranformed into a multy-level network consisting of invertors, AND, OR and UNITE gates. The network is levelized and then simulated on the set of Boolean vectors corresponding to the columns of the matrix U. After finishing the simulation, the value  $y_i$  of every *i*-th primary output of the network is compared with the value of the corresponding *i*-th component  $t_j^i$  of the row  $t_j$  of the matrix T for each *j*. The following cases are possible.

1.  $t_j^i = \sigma$  and  $y_i(\mathbf{b}_j) = \overline{\sigma}$  or  $y_i(\mathbf{b}_j) = \text{``-''}$  ( $\sigma \in \{1, 0\}$ ) for some *j*. In this case, the structure does not implement the function  $f_i$ .

2.  $t_j^i =$  "-" or  $y_i(\boldsymbol{b}_j) = \boldsymbol{t}_j^i$  for all j. In this case, the structure implements the function  $f_i$ .

For example, the result of simulation of the structure shown in Fig. 2 allows to conclude that it implements the tested ISF system:

 $\begin{array}{c} f_1: 0 - 0 - 0 \ 1 \ 1 \ 0 \ 0 - 1 \ \ \ f_2: - - 1 \ 1 - 0 \ 0 \ 1 - 1 - \ \ \ f_3: - 1 \ 0 - 0 \ 1 \ 1 - 0 - 0 \\ y_1: 0 \ 1 \ 0 \ 0 \ 1 \ 1 \ 0 \ 0 \ 0 \ 1 \ \ y_2: - 0 \ 1 \ 1 - 0 \ 0 \ 1 - 1 \ \ \ y_3: - 1 \ 0 \ 1 \ 0 \ 1 \ 1 - 0 - 0 \end{array}$ 

# 5. SAT based approach to verification

The past ten years have seen efforts in developing commercial formal verification tools that provide more general results than traditional simulation methods: it is possible to guarantee that a specific property holds for a design under all possible input stimuli. In a typical scenario, there are two structurally similar implementations of the same design, and the problem is to prove their functional equivalence [3]. In a modern combinational equivalence checking flow based on formal verification approach, both networks to be verified are transformed into a single comparing circuit. It is derived by combining the pairs of inputs with the same names and feeding the pairs of outputs with the same names into EXOR gates, which are ORed to produce the single output of the comparing circuit. There is constant 0 on the output if and only if the two original circuits are equivalent.

A conjunctive normal form (CNF) represents a Boolean function as conjunction of one or more clauses, each being in its turn a disjunction of literals. The SAT problem is concerned with finding a truth assignment of literals which simultaneously satisfies each of CNF clauses. If such an assignment exists the CNF is referred to as satisfiable, and the assignment is known as a satisfying assignment.

To test whether the circuit output be 1 or 0, the transformation is applied to it for producing its conventional CNF. Once the overall problem is formulated in CNF, a SAT solver can be used to solve it [3, 4]. A circuit-to-CNF conversion uses as many variables as there are primary inputs and gates in the circuit: for output of each gate its own internal Boolean variable is introduced. And a local CNF is associated with each gate, the CNF captures the consistent assignments between its inputs and output. Then local CNFs are joined in the overall network CNF C(S) by the conjunction operation (Fig. 3).



Fig. 3. An example of combinational circuit and its conventional CNF
 Rys. 3. Przykład układu kombinacyjnego i jego konwencjonalna spójna forma normalna C

The derivation of CNF for a gate representing a local function  $y = f(z_1, z_2, ..., z_k)$  is based on defining a new Boolean function  $\varphi(y, f) = y \sim f$  [3], that is true in the only case when both functions y and f assume the same value. Here are the conventional CNF representations of NOT, *n*-input AND and OR functions:

$$\begin{array}{l} (z \lor y)(z \lor y);\\ (z_1 \lor y)(z_2 \lor y)\dots(z_n \lor y)(\overline{z_1} \lor \overline{z_2} \lor \dots \lor \overline{z_n} \lor y);\\ (\overline{z_1} \lor y)(\overline{z_2} \lor y)\dots(\overline{z_n} \lor y)(z_1 \lor z_2 \lor \dots \lor z_n \lor \overline{y}). \end{array}$$

Note, that the above traditional approach which constructs comparing circuit can not be applied for the case considered in the paper because of both given forms of functional representation can be specified incompletely.

#### 6. SAT based verification: case 1

A problem under discussion is to verify if a given network implements the ISF system. It is true if it takes place for each multiple-output cube. In terms of network CNF this condition could be reformulated as follows [5]. For every multiple-output cube  $(u_i, t_i) \in I_F$  a partial value assignment satisfying the conjunction  $u_i t_i$  should satisfy the network CNF.

In other words, a network implements ISF system  $F(\mathbf{x})$ , if for every multiple-output cube  $(\mathbf{u}_i, \mathbf{t}_i) \in I_F$  a partial value assignment satisfying the conjunction  $\mathbf{u}_i \ \mathbf{t}_i$  (i.e. contradicting to  $\mathbf{u}_i, \mathbf{t}_i$ ) is unsatisfying assignment for the network CNF. If  $\mathbf{u}_i = x_1^{-1} x_2^{-1} \dots x_{n_i}^{n_i}$ and  $\mathbf{t}_i = f_1^{-1} f_2^{-1} \dots f_{m_i}^{-1}$  then the CNF  $P_i$  specifying the contradiction of the multiple-output cube  $(\mathbf{u}_i, \mathbf{t}_i)$ , called as the cube-prohibitive CNF, consists of the following  $n_i + 1$  clauses:

$$P_i(\mathbf{x}, \mathbf{f}) = x_1^i x_2^i \dots x_{ni}^i (\overline{f_1}^i \vee \overline{f_2}^i \vee \dots \vee \overline{f_{mi}}^i).$$

For example, the prohibitive CNF for the multiple-output cube  $s_6 = (x_1 x_2, f_1 \overline{f_2})$  from  $F(\mathbf{x}) = (U, T)$  (Fig. 4) has three clauses:  $P_6(\mathbf{x}, f) = (x_1) (x_2) (\overline{f_1} \lor f_2)$ .

Appending clauses of  $P_i$  to the network CNF C(S) results in CNF  $C(P_i) = C(S) \land P_i$ . It is not difficult to prove that CNF  $C(P_i)$  is satisfiable if the network does not implement the *i*-th multiple-output cube. As to the whole ISF system it is not implemented by the network if at least one its multiple-output cube is not implemented by the network, i.e. if the following CNF is satisfiable:

$$C = C(S) \wedge P(F) = C \wedge (P_1 \vee P_2 \vee \ldots \vee P_l), \tag{2}$$

where P(F) is the ISF system prohibitive CNF.



Fig. 4. An example of ISF system (U, T) and its encoded prohibitive CNF  $P^{e}$ Rys. 4. Przykład systemu ISF (U, T) i jego zakodowana wersja zakazana

To apply any SAT-solver to check whether for the CNF *C* a satisfying assignment exists it is necessary to convert the formula P(F) to a CNF form. Theoretically this could be done always, but it is NP-hard problem. We are interested in a method of construction of ISF system prohibitive CNF P(F) having linear complexity. Next the method is proposed that is based on encoding multiple-output cubes and their prohibitive CNFs using coding variables  $w_i \in w$ . After encoding, prohibitive CNFs  $P_i(x, f)$  are transformed into encoded prohibitive CNFs  $P_i^i(x, f, w)$  and the formula (2) into

$$= C \wedge (P_1^k \wedge P_2^k \wedge \ldots \wedge P_l^k) \wedge O(w), \tag{3}$$

where Q(w) provides that the CNF  $C^*$  will be satisfiable if at least one CNF  $P_i \in P(F)$  is satisfiable. From now on Q is called as alternative CNF.

When transforming the formula (2) into the CNF form (3) each cube-prohibitive CNF  $P_i$  is encoded by a code in the form of a disjunction  $d_i = w_{i1}^{\sigma i1} \vee w_{i2}^{\sigma i2} \vee \ldots \vee w_{ir}^{\sigma ir}$  ( $\sigma_{ir} \in \{0,1\}$ ,  $w_{ir}^{-1} = w_{ir}$  and  $w_{ir}^{0} = \overline{w}_{ir}$ , and  $w_{ij} \in w$ :

$$P_i^k(\mathbf{x}, \mathbf{f}, \mathbf{w}) = (x_1^i \lor d_i) \dots (x_{ni}^i \lor d_i) (\overline{f}_1^i \lor \dots \lor \overline{f}_{mi}^i \lor d_i).$$
(4)

To formulate the conditions the alternative CNF Q(w) in (3) must satisfy for the chosen cube-prohibitive CNF encoding, let us denote by  $f_Q$  and  $f_{di}$  the functions represented by Q(w) and  $d_i(w)$  and by  $U_Q^{1}$  and  $U_{di}^{1}$  – their on-sets.

Assertion [6]. Any alternative CNF Q(w) for a given encoding of cube-prohibitive CNFs must satisfy the following conditions:

1) 
$$(\bigwedge_{i} f_{di}) \land f_{Q} = 0$$
 or  $(\bigcap_{i} M_{di}^{-1}) \cap M_{Q}^{-1} = \emptyset;$   
2)  $(\bigwedge_{i \neq i} f_{di}) \land f_{Q} \neq 0$  or  $(\bigcap_{i \neq i} M_{di}^{-1}) \cap M_{Q}^{-1} \neq \emptyset$  for all  $j$ .

The first condition ensures the CNF  $P(\mathbf{x}, \mathbf{f}, \mathbf{w}) = (P_1^k \land P_2^k \land ... \land P_i^k) \land Q$  be unsatisfiable when the circuit implements the analyzed ISF system, i.e. when all cube-prohibitive CNFs  $P_i(\mathbf{x}, \mathbf{f})$  are unsatisfiable. The second condition ensures the CNF  $P(\mathbf{x}, \mathbf{f}, \mathbf{w})$  be satisfiable when the circuit do not implement the analyzed ISF system, i.e. there exists at least one multiple-output cube, for example *j*-th one, that is not realized by it. Thus, a variable assignment can be found satisfying the cube-prohibitive CNF  $P_j(\mathbf{x}, \mathbf{f})$  (and  $P_j^k(\mathbf{x}, \mathbf{f}, \mathbf{w})$  too). Fulfillment of the second condition guaranties that there exists at least one assignment of coding variables that ensures satisfiability of  $Q(\mathbf{w})$  and all cube prohibitive CNFs  $P_i^k$  except the *j*-th one (that is satisfiable by the assumption).

Two basic methods of encoding multiple-output cubes (satisfying the above Assertion) have been investigated: encoding by codes of unit [5] and logarithmic length [7]. The first method supposes to introduce as many coding variables  $w_i$  as there exist multiple-output cubes in the ISF system specification  $I_F$ . The second method introduces the minimal number of coding variables that is  $r = \lceil log_3 I_F \rceil$ . The method of encoding by codes of logarithmic length allows to reduce substantially the number of coding variables as compared with the method of encoding by unary codes, but codes (and CNF clauses) are dense enough.

Further we focus upon increasing efficiency of verification process using unary encoding of multiple-output cubes. Using it  $P_i^k(\mathbf{x}, \mathbf{f}, \mathbf{w})$  (4) changes for the following encoded form:

$$P_i^{\kappa} = (x_1^{i} \vee w_i)(x_2^{i} \vee w_i) \dots (x_{ni}^{i} \vee w_i)(\overline{f}_1^{i} \vee \dots \vee \overline{f}_{mi}^{i} \vee w_i),$$

and the alternative CNF Q satisfying the above Assertion can be:

$$Q = \overline{w}_1 \vee \overline{w}_2 \vee \cdots \vee \overline{w}_l.$$

For example, the fragment of the prohibitive CNF for the ISF system in the matrix form is shown in Fig. 4. If we combine the circuit conventional CNF (Fig. 3) and the prohibitive CNF (identifying  $y_1, y_2$  with  $f_{1,f_2}$ ) and then carry out the satisfiability test of the resulting CNF, we may make sure that it is nonsatisfiable. Therefore, the circuit (Fig. 3) implements the ISF system (Fig. 4).

Three verification methods are proposed [8]: based on successive, simultaneous and group testing multiple-output cubes from  $I_F$ . The first method formulates as many SAT problems as the number of cubes are there, the second formulates verification task as the only SAT problem (using coding the cubes as shown above), the third divides the overall set  $I_F$  of multiple-output cubes into groups and formulates as many SAT problems as the number of groups are there. The group method is more effective because it

allows 1) to achieve trade-offs between expenses on forming data for SAT-solver and SAT-solver performance; and thereby 2) to reduce overall verification time [8].

# 7. SAT based verification: case 2

Here we consider the verification problem for the case, when both compared descriptions are incompletely specified. For example, we have a multi-block structure S with indeterminacy such as one in Fig. 2 and an ISF system F(x) such as one in Fig. 4. Just as in the previous section we formulate the verification problem as verifying whether CNF  $C = C(S) \wedge P$  is satisfiable. Here P is the ISF system F(x) prohibitive CNF, C(S) is some sort of the conventional CNF but only for a multi-block structure with indeterminacy or for a ISF system (that can be considered instead of one-block structure). To distinguish it from the conventional CNF let call it further as the permissible CNF. The CNF describes the set of admissible combinations of signals on all the nodes of structure blocks; i.e., each set of values satisfying the CNF is admissible for this structure. The permissible CNF C(S) is the conjunction of permissible CNFs  $C(B_i)$  of its blocks or permissible CNFs  $C(F_i)$  their ISF systems.

Three methods of construction of a permissible CNF for an ISF system are proposed: one based on the paraphrased representation of ISFs [9], and two based on the application of implicative conditions: implication [10] and implication with condition coding [11] methods. Here we dwell on the implication method.

Assertion [10]. The permissible CNF C(G) of an ISF system  $G(\mathbf{x})$  defined by a set of its multiple-output cubes  $s_i = (\mathbf{u}_i, \mathbf{t}_i)$  (i = 1, 2, ..., r) is generated by the formula:

$$(\boldsymbol{u}_1 \rightarrow \boldsymbol{t}_1) \wedge (\boldsymbol{u}_2 \rightarrow \boldsymbol{t}_2) \wedge \ldots \wedge (\boldsymbol{u}_r \rightarrow \boldsymbol{t}_r).$$

The permissible CNF for a multiple-output cube  $s_i^g = (\boldsymbol{u}_i, \boldsymbol{t}_i)$ with  $\boldsymbol{u}_i = x_1^i x_2^i \dots x_{ni}^i$  and  $\boldsymbol{t}_i^g = y_1^i y_2^i \dots y_{mi}^i$  consists of as many clauses as the size of the term  $\boldsymbol{t}_i$  is:

$$C_i = (\boldsymbol{u}_i \rightarrow \boldsymbol{t}_i) = \boldsymbol{\bar{u}}_i \lor \boldsymbol{t}_i = \boldsymbol{\bar{x}}_1^i \lor \boldsymbol{\bar{x}}_2^i \lor \dots \lor \boldsymbol{\bar{x}}_{ni}^i \lor (\boldsymbol{y}_1^i \boldsymbol{y}_2^i \dots \boldsymbol{y}_{ni}^i) =$$
  
=  $(\boldsymbol{\bar{x}}_1^i \lor \boldsymbol{\bar{x}}_2^i \lor \dots \lor \boldsymbol{\bar{x}}_{ni}^i \lor \boldsymbol{y}_1^i) \land \dots \land (\boldsymbol{\bar{x}}_1^i \lor \boldsymbol{\bar{x}}_2^i \lor \dots \lor \boldsymbol{\bar{x}}_{ni}^i \lor \boldsymbol{y}_{ni}^i).$ 

For example, the permissible CNF for the first block of the structure (Fig. 2) consists of five clauses:  $(x_1 \lor \overline{x}_2 \lor z_1) \land (x_1 \lor \overline{x}_2 \lor \overline{z}_2) (x_1 \lor x_2 \lor z_1) (x_1 \lor x_2 \lor z_2) (\overline{x}_2 \lor \overline{x}_3 \lor \overline{z}_1)$ .

The key idea of the proposed method of checking whether an ISF system F(x) is implemented by a multi-block structure *S* with indeterminacy is as follows. We obtain the prohibitive CNF P(F) and the permissible CNF C(S).

Assertion. A multi-block structure S with indeterminacy implements an ISF system  $F(\mathbf{x})$  if the CNF  $P(F) \wedge C(S)$  is unsatisfiable.

One can make sure after constructing  $P(F) \wedge C(S)$  for the ISF system in Fig. 4 and three-block structure in Fig.2 that there is no satisfying assignment for the CNF. Thus the structure implements by the ISF system.

# 8. Experimental results

All the mentioned verification methods have been implemented on C++ programming language. Then the programs were investigated on the sets of pseudo-random pairs of descriptions: ISF system and multi-block structure implementing it (with or without indeterminacy). MiniSat solver [4] has been used in our experiments. The goal of experiments was 1) to compare the competitive methods solving the same task on the same set of examples; 2) to investigate experimentally domains of preferable usage of the proposed methods; 3) to find out the most effective value of group size for group testing verification methods. The experiments have shown that:

 $C^{\kappa}$ 

- simulation based verification methods have 60 times greater speed on average than SAT based methods solving the same task;
- the group size about 200 gives good enough results: group methods gain stably in efficiency compared with the methods of successive and simultaneous testing of multiple-output cubes, the win gain is about 35% over the method of simultaneous testing;
- substantial reduction of variables when using logarithmic encoding of multiple-output cubes did not bring about substantial speedup of the solution of verification problem;
- 4) despite the fact that the implication method is simpler than that of implication with condition coding and gives shorter CNFs, it has smaller speed.

# 9. References

- Cheremisinova L., Novikov D.: International Journal "Information Theories & Applications". FOI ITHEA, Bulgaria, V. 15, No. 3, 2008.
- [2] Cheremisinova L.D., Novikov D.Ya.: Proceedings of the NAS of Belarus, physical-technical series, Minsk, No 2, 2009 (in Russian).

- [3] Kunz W., Marques Silva J., Malik S.: Logic synthesis and Verification (Ed. S.Hassoun, T.Sasao and R.K.Brayton). Kluwer Academic Publishers, 2002.
- [4] The MiniSat Page / http://minisat.se/MiniSat.html
- [5] Cheremisinova L., Novikov D.: Proceedings of 8th Intern. Workchop on Boolean problems, Freiberg (Sachsen), Sept. 18–19, 2008.
- [6] Cheremisinova L., Novikov D.: Proc. of IEEE East-West Design and Test Symposium (EWDTS'09), Moscow, Russia, Sept. 18–21, 2009.
- [7] Cheremisinova L., Novikov D.: International book series "Information science and computing". FOI ITHEA, Bulgaria, No 15, 2009.
- [8] Cheremisinova L.D., Novikov D.Ya.: Automatic Control and Computer Sciences. Allerton Press, Inc., Vol. 44, No. 1, 2010.
- [9] Novikov D.Ya., Cheremisinova L.D.: Informatika. The United Institute of Informatics Problems of NAS of Belarus, No. 3, 2010 (in Russian).
- [10][10] Cheremisinova L., Novikov D.: Proc. of 9th Int.. Workshop on Boolean problems, Freiberg (Sachsen), Sept. 16–17, 2010.
- [11] Cheremisinova L.D., Novikov D.Ya.: Automatic Control and Computer Sciences, Allerton Press, Inc., Vol. 45, No. 4, 2011.

otrzymano / received: 15.03.2012 przyjęto do druku / accepted: 01.05.2012

# INFORMACJE

# **Newsletter PAK**

Wydawnictwo PAK wysyła drogą e-mailową do osób zainteresowanych Newsletter PAK, w którym są zamieszczane:

- spis treści aktualnego numeru miesięcznika PAK,
- kalendarz imprez branżowych,
- ważniejsze informacje o działalności Wydawnictwa PAK.

Newsletter jest wysyłany co miesiąc do osób, które w jakikolwiek sposób współpracują z Wydawnictwem PAK (autorzy prac opublikowanych w miesięczniku PAK, recenzenci, członkowie Rady Programowej, osoby które zgłosiły chęć otrzymywania Newslettera).

Celem inicjatywy jest umocnienie w środowisku pozycji miesięcznika PAK jako ważnego i aktualnego źródła informacji naukowotechnicznej.

- Do newslettera można zapisać się za pośrednictwem:
- strony internetowej: www.pak.info.pl, po dodaniu swojego adresu mailowego do subskrypcji,
- adresu mailowego: wydawnictwo@pak.info.pl, wysyłając swoje zgłoszenie.

Otrzymywanie Newslettera nie powoduje żadnych zobowiązań ze strony adresatów. W każdej chwili można zrezygnować z otrzymywania Newslettera.

Tadeusz SKUBIS Redaktor naczelny Wydawnictwa PAK

# Nowy dział "Niepewność wyników pomiarów" na stronie internetowej Wydawnictwa PAK

Uprzejmie informuję, że na stronie internetowej Wydawnictwa PAK (WWW.pak.info.pl) został utworzony dział "Niepewność wyników pomiarów". Na p.o. redaktora działu został powołany dr inż. Paweł Fotowicz.

Dr P. Fotowicz jest ekspertem w zakresie problematyki niepewności, autorem szeregu wartościowych publikacji w czasopismach krajowych i zagranicznych. Prezentował swoje prace na licznych konferencjach i warsztatach szkoleniowych.

W dziale " Niepewność wyników pomiarów", obok dostępu do aktualnych wybranych opracowań dotyczących niepewności jest możliwość zadawania "Pytań do eksperta". Pytania powinny być konkretne i szczegółowo sprecyzowane.

Pytania i odpowiedzi o istotnym znaczeniu dla szerszego grona metrologów będą archiwizowane i dostępne dla użytkowników strony internetowej Wydawnictwa PAK. Zapraszam do odwiedzania działu "Niepewność wyników pomiarów" i do udziału w jego rozwoju.

Tadeusz SKUBIS Redaktor naczelny Wydawnictwa PAK

artykuł recenzowany / revised paper