A Practical Approach to Arithmetic Circuit Verification Alan Mishchenko Robert Brayton Department of EECS UC Berkeley
Overview Introduction Half-adder and full-adder Adder tree detection Multiplier detection Applications to equivalence checking Experiments Conclusion 2
Introduction Arithmetic circuit verification is the problem of proving that a given circuit implements a known arithmetic function two circuits containing arithmetic functions are equivalent It is one of the remaining strongholds in the well-studied field of formal verification and equivalence checking Many approaches have been tried, none of them seems to work well in practice This work is motivated by the need to have a reliable practical solution The most general approach is not practical, therefore… Assumption: cut-points between adders are preserved in the circuit structure
Terminology AIG is an And-Inverter Graph simple circuit data-structure only combinational AIGs are considered here AIG variable is a node in the AIG a node can be constant 0, a primary input, a two-input AND gate AIG literal is a AIG variable with a complemented attribute Bit-blasting is a process of translation into an AIG word-level operators such as adders, multipliers, selectors, etc are bit-blasted into equivalent networks composed of AIG nodes and included in the AIG representing the design EC stands for equivalence checking CEC stands for combinational equivalence checking CEC miter is a combinational circuit whose output is equal to 0 iff two circuits are indeed equivalent LHS and RHS are parts of the CEC miter representing two copies of the design being compared
Half Adder XOR = a * !b + !a * b = !(!a * !b + a * b) Sum Carry A, B Carry Sum 00 01 1 10 11 Sum Carry HA Sum Carry XOR = a * !b + !a * b = !(!a * !b + a * b) = !(!a * !b) * !(a * b) 3 AND2 nodes
Full Adder HA FA HA Sum Carry Sum Carry Sum Carry Sum Carry A, B, C Carry Sum 000 001 1 010 011 100 101 110 111 Sum Carry Sum Carry HA FA Sum Carry HA 7 AND2 nodes A B C
Adder Tree Adder is a full-adder or a half-adder Adder tree (AT) is one or more adders feeding into each other, without any intermediate logic gates Example 1: Ripple-carry adder (RCA) Example 2: An array of RCAs adding partial products of a multiplier Example 3: Wallace tree adding partial products of a multiplier s0 s1 s2 s3 cin FA FA FA FA cout a0 b0 a1 b1 a2 b2 a3 b3 Ripple-carry adder Wallace tree of adders
Multiplier Multiplier is composed of the following blocks Product Adder tree Final stage adder (two-argument adder) Partial product accumulator (multi-argument adder) Partial product generator Multiplicants
Observations Observation 1: Consequence 1: Observation 2: If a multiplier is bit-blasted into an AIG, and HAs/FAs are generated using 3 and 7 two-input AND subgraphs, respectively, AIG rewriting in ABC cannot reduce the resulting AIG Consequence 1: AIG rewriting does not destroy the cut-points between adders Observation 2: Constant propagation applied to an FA/HA can create an HA, an inverter, or a buffer Consequence 2: An adder tree remains an adder tree after constant propagation, rehashing, and AIG based synthesis In other words, it is not possible to create new gates that are not adders in the middle of the adder tree
The Proposed Approach Detect adders in the AIG structure Assumption: Cut points between adders are present in the AIG Combine detected adders into adder trees (ATs) Determine arithmetic function of each AT If a multiplier is expected, detect partial products (PPs) Build polynomial representation of the AT (and PPs) If one circuit is being verified, compare the polynomial against the polynomial of the given arithmetic function If two circuits are being verified (equivalence checked), find common parts of polynomials in the LHS and RHS and use them to create shared logic, and then use SAT sweeping to finish verification
Adder Tree Detection Input: AIG with some bit-blasted arithmetic logic in it, possibly surrounded by other logic Output: Adder trees (ATs) detected and isolated in the AIG. The inputs/outputs of each adder tree is a cut represented as a set of AIG literals literal = integer index of an AIG node, possibly with complementation The proposed solution is based on reverse-engineering of adders in the AIG grouping adjacent adders into one AT Assumption: Cut points between adders are present in the AIG
Reverse Engineering of Adders Input: AIG containing bit-blasted adders Output: Inputs and outputs of each FA/HA as a set of five/four AIG literals Solution: Exhaustively enumerate 2-cuts and 3-cuts for all AIG nodes and hash them by their inputs Two cuts with the same input will hash into the same entry Compute truth tables for all cuts and match them with NPN classes of XOR2(a, b), AND2(a, b), XOR3(a, b, c), MAJ3(a, b, c) If two 2-cuts with the same inputs (but different outputs) have NPN classes of XOR2 and AND2, an HA is detected If two 3-cuts with the same inputs (but different outputs) have NPN classes of XOR3 and MAJ3, an FA is detected
Grouping Adders into ATs Input: Inputs and outputs of each FA/HA as a set of five/four AIG literals Output: A structural cover of adders Solution: Find adders whose outputs are not inputs of other adders Perform DFS traversal from these outputs by including one adder at a time Stop traversal when reaching an adder whose inputs are not driven by outputs of another adder
Phase Assignment for ATs Input: Adder tree with adders matched by NPN classes of their output functions (without phase assignment) Inverters can be present between the adders in the AT Output: Correct phase assignment at the cut points between adders of the AT, such that each FA/HA has its exact Boolean function no inverters present between the adders of the AT inverters can be present that inputs/outputs of the AT Solution: See next slide
Adder Tree Phase Assignment AdderTreeTraverse_rec( node N, int Rank, bool Polar ) { set rank of N to be Rank; set polarity of N to be Polar; G = MAJ3 gate driving N; if ( G == NULL ) { // there is no MAJ3 driver label N as input of the adder tree; return; } for each fanin A of G { if ( A is to be complemented for the cut to match MAJ3 ) PolarFanin = NOT(Polar); else PolarFanin = Polar; AdderTreeTraverse_rec( A, Rank-1, PolarFanin ); AdderTreeTraverse( array TopMajGates ) { int Rank = max length of a MAJ3 chain in the adder tree; for output N of each gate in the array TopMajGates { AdderTreeTraverse_rec( N, Rank, 1 );
Multiplier Detection Input: Arithmetic component with AT detected Output: Detected multiplier (if it is a multiplier) Array/Booth multiplier has a characteristic AT shape and PP types Once the multiplier type is detected, PPs are examined to determine multiplier inputs (corresponding AIG nodes, their polarities, and ranks)
Applications in Equivalence Checking Input: ATs detected for LHS and RHS of the CEC miter Output: The CEC miter restructured to contain more shared logic Solution: Identify functionally-equivalent inputs for each pairs of ATs in LHS and RHS using SAT sweeping Consider one AT pair at a time Construct a shared AT in terms of common inputs Construct two new “difference ATs” using leftover inputs Embed the new ATs into the miter to create more shared logic Apply SAT sweeping to the simplified miter
Handling Truncated Circuits Truncated circuits have some output bits missing Typically one or more MSBs are missing Many practical designs contain truncated multipliers For example, every implementation of a Booth multiplier that we have seen, is truncated by construction The proposed approach handles truncated circuits natively (unlike polynomial construction, which fails) The last bit whose XOR tree is missing MAJ gates is detected by a dedicated procedure
Handling Signed Circuits Unsigned/signed logic results in identical ATs The same algorithm handles both Unsigned/signed multipliers are different Some partial products of a signed array multiplier are complemented Some partial products of a Booth multiplier have different functions Leads to some changes in detecting multiplier logic
Handling Carry Look-Ahead Logic Input: AT with CLA on top Output: AT with CLA on top replaced by RCA Often arithmetic components use fast CLA on top of the AT This adder cannot be represented using FAs and HAs In other words, a CLA is a RCA with carry chain collapsed Adder detection algorithm produces an adder tree with more than one output of each rank These outputs are treated as inputs to an RCA, which is “inlined” into the AT logic, and ECed by a dedicated run of SAT sweeping This is functional handling of CLAs, which do not require examining specific structure of the collapsed carry-chain (prefix adder, etc)
Experiments A new EC procedure has been developed It performs AT detection and normalization, followed by a run of SAT sweeping It can handle “easy” test-cases when all AT inputs (PPs) in LHS and RHS are functionally equivalent and arithmetic logic differs only in AT structure After AT normalization, EC is proved by AIG structural hashing Examples: A*B=B*A, A*B=A*(B_low + B_high), etc It can handle “harder” test-cases when (in addition to different AT structure) some AT inputs (PPs) are not functionally equivalent After AT normalization, SAT sweeping is needed to prove EC Examples: Equivalent Booth multipliers with different PP matrices A*B-C*D= A*B+(~C-1)*D
Different PP Matrices for Equivalent 8-bit Signed Booth Multipliers 0 : { 146 70 } 1 : { 234 192 24 } 2 : { 378 342 } 3 : { 534 516 478 28 } 4 : { 696 680 642 } 5 : { 888 858 842 804 32 } 6 : { 1082 1054 1038 1000 } 7 : { 1270 1242 1226 1196 } 8 : { 1460 1432 1388 1226 32 32 } 9 : { 1652 1624 1568 1226 32 } 10 : { 1828 1800 1569 1227 32 } 11 : { 1984 1956 32 1 } 12 : { 2128 1957 32 } 13 : { 2247 } 0 : { 172 146 128 120 102 32 28 24 } 1 : { 234 198 102 102 102 102 } 2 : { 384 342 326 102 102 } 3 : { 534 516 478 462 102 102 32 } 4 : { 696 680 642 102 102 32 } 5 : { 888 858 842 804 102 102 32 32 } 6 : { 1082 1054 1038 1000 102 32 32 } 7 : { 1270 1242 1226 1196 102 32 32 } 8 : { 1460 1432 1388 1226 102 102 32 32 32 } 9 : { 1652 1624 1584 1226 32 32 } 10 : { 1828 1800 1568 1226 102 102 102 32 32 } 11 : { 1984 1956 1568 1226 102 102 32 32 } 12 : { 2128 1956 1568 1226 102 102 102 32 } 13 : { 2242 1956 1568 1226 102 102 102 32 }
Conclusion A practical approach to arithmetic circuit verification has been presented with applications in verification (both equivalence checking and model checking) synthesis (arithmetic logic restructuring) The method is based on detecting adder cut-points It recovers from failure to detect a few cut-points Procedures are being implemented in ABC and tested on industrial designs Future work includes making the method more “tolerant” of missing adder cut-points investigating the impact of logic synthesis on adder tree detection extending the method to work for dividers and square-rooters
Abstract This paper presents a practical approach for arithmetic logic verification. Arithmetic verification proves that a gate-level circuit (such as multiplier) is equivalent to the specification, or verifies that two gate-level circuits with arithmetic components, are equivalent. The proposed approach is based on structural analysis and reverse-engineering of adder-trees. The approach is fast and does not require polynomial construction. An important assumption made: the gate-level circuits contain the cut-points representing inputs/outputs of full-adders and half-adders constituting adder-trees. Future work will include investigating the impact of synthesis on successful reverse-engineering attempts to lift the assumption about availability of adder cut-points extending the method to work for dividers and square-roots