Sequential Equivalence Checking of Hard Instances with Targeted Inductive Invariants and Efficient Filtering Strategies

Transcription

1 Sequential Equivalence Checking of Hard Instances with Targeted Inductive Invariants and Efficient Filtering Strategies Huy Nguyen and Michael S. Hsiao Bradley Department of Electrical and Computer Engineering Virginia Tech, Blacksburg, VA 24061, USA {huy18, Abstract We propose two approaches to significantly boost the power of sequential equivalence checking: (1) In contrast with invariants involving only two or three signals, we introduce a novel multisignal invariant generation technique that is scalable to large circuits; (2) We utilize static and dynamic filters to reduce the number of potential inductive invariants that need to be proved to further reduce the computational cost. Experimental results show that the proposed method can handle hard SEC instances with little or no internal equivalences that conventional methods fail; in addition, one to three orders of magnitude speedup have been achieved for many instances. I. INTRODUCTION The semiconductor industry has made tremendous progress in delivering reliable, low power, high performance, and smallarea circuits. While there has been great strides made in the verification for combinational circuits such as combinational equivalence checking, sequential equivalence checking (SEC) remains rather rudimentary. Without powerful SEC as a backbone, aggressive sequential synthesis and optimization are often avoided if the optimized design cannot be proved to be equivalent to the original one. Due to the fact that the number of states grows exponentially to the number of state variables (flip-flops), exhaustive simulation is not a feasible solution for even moderate-sized circuits. On the other hand, formal verification also face tremendous challenges when dealing with an exponential number of states. Knowledge of the circuit, such as invariants (static and inductive), plays a critical role to reducing the formal verification cost. However, there are generally enormous numbers of invariants in large circuits, and knowing which ones to apply would be crucial to the verification success. SEC is especially difficult since the state space that we need to consider is now the product machine of the two designs. For circuits where aggressive sequential optimization is applied, existing SEC methods, even with inductive reasoning, often could not reach a conclusion when there are very few internal equivalent points between the two circuits. To tackle this problem, general relations among signals would need to be learned and applied to help constrain the search. Techniques such as mining general potential constraints on flip-flops [1], complex Boolean expressions [2] and cross time-frame states pair [3], have been proposed in that regard. Although these relations can help, they often result in a huge number of potential invariant candidates that need to be proved before they can be useful. In [4], structural techniques for identifying true inductive invariants from an initial set of potential invariants are presented. In [5], the authors investigate the state space constraining power of inductive implications between two nodes of a sequential circuit. The authors then address the exponential number of candidates by a window proof technique and a transitive reduction of implication graph to reduce the candidates that could be derived from the proven ones. In order to reduce computational cost, most of the previous SEC approaches only consider a subset of invariants, such as relations on flip-flops or subset of internal signals. However, as we will show, restricting relations to such subsets is insufficient for hard SEC instances, and specific spaceconstraining invariants are needed. In this paper, we address SEC from two different angles. First, we extract highly effective inductive invariants involving up to 14 signals. We note that the number of these multisignal invariants can grow exponentially with the number of variables involved in an invariant. Thus, it is also in our interest to address this problem by utilizing an intelligent generation scheme. By clever identification of likely candidates that violate small-sized invariants, we were able to identify a small but powerful set of multi-node invariants which reduce significantly the don t care space. Secondly, we reduce the cost of proving general relations between any two arbitrary nodes from circuits in question. We do so by a suite of low-cost static and dynamic filters before and during the invariant checking process. The merit of such filters is to use structural information as the underlying reasoning engine which allows many invocations of the SAT solver to be skipped. With this in place we can handle a much greater number of potential invariants and prove them more efficiently. This work utilizes the notion of sequential hardware equivalence proposed by Pixley [6], in which there is no assumption made on existence of reset state or reset sequence. More recently, compositional reasoning for SEC has also been proposed [7]. We note that our work is orthogonal and can be added on top of compositional reasoning as well. Experimental results show the effectiveness and potential of our method on the SEC of two functionally equivalent circuits with completely different state encodings. The proposed method can handle large, hard SEC instances with little or no internal equivalences which conventional methods fail. In addition, one /12/$ IEEE 1

2 to three orders of magnitude speedup were achieved for many hard SEC instances. The rest of this paper is organized as follows. Section II provides preliminaries. Section III presents the method for extracting multi-node invariants. Section IV details on the filters. Section V discusses the experimental results. Section VI concludes the paper. A. Verification and SEC II. PRELIMINARIES Verification is the process which checks a circuit against a set of properties (its specification). With great advancements in SAT solvers [8, 9], SAT-based formal verification has become more scalable and promising for handling industrysized circuits. We note that SEC is a special case of formal property checking, in which the circuit under verification is the product machine of the two circuits being verified and the property is the miter-output=0, indicating that the two circuits are equivalent. If the property does not hold, we can obtain a counter-example to show that the two circuits are inequivalent. Otherwise, a proof for their equivalence is given by the SAT solver. Figure 1 depicts a miter in which one is checking for the existence of a sequence that can distinguish the two circuits in question. Fig. 1. Miter circuit. When performing formal verification, one of the following schemes may be applied: (i) Unbounded Model Checking (UMC) [10], (ii) Bounded Model Checking (BMC) [11, 12] and (iii) BMC with induction [13, 14]. The advantages of BMC with induction are that with a small unrolling depth and without computing all reached states, it may be possible to prove the target property. Due to nature of this work, only BMC with induction is focused in this section. Let T(s,x,s ) be a transition relation (TR) of the miter circuit that describes the relations between the present state s, input variables x, and the next state s. Let φ be the property under verification (PUV) and S 0 be the initial state or states. When the miter circuit is unrolled k times, within each timeframe of the unrolled instance, T i and φ i represent the TR and PUV at time frame i, respectively, where 1 i k. The simple induction scheme, also a basis of assume-then-verify methodology for validating potential invariants [15, 16], is set up as follow. First, the base case verifies that property φ holds in some valid state S 0 (i.e., S 0 T 1 = φ). Next, the induction step verifies φ 1 T 1 T 2 φ 2. Note that the initial state is left unconstrained in the induction step. In other words, the induction step is a search for a transition from any state in which holds φ in the first state (T 1 ) but falsifies it in the next state (T 2 ). A SAT solver can also be used to perform this check. If the inductive step holds, the property holds in all reachable states from S 0. Otherwise, no conclusion could be drawn about property φ. Strong induction could be derived in which base case verifies φ holds for n time-frames (starting from S 0 ) and induction step verifies φ holds for n + 1 state with an unconstrained initial state. B. Computation of inductive invariants and its application Inductive invariants are relations that hold in all reachable states (but may not hold in unreachable states). The power of inductive invariants is demonstrated in Figure 2. Let there be two inductive invariants, A B and A D. Since all inductive invariants must hold in every reachable state, we deduce that the set of reachable states must be within the intersection of the states that hold either invariant. Thus, by intersecting the state spaces containing the two inductive invariants, we obtain a much tighter over-approximation of the reachable state space (because any state that violates one or both of these invariants is discarded from the search space). In large circuits, there could be a quadratic number of potential two-node invariant candidates. Also, the cost of verifying all these candidates could become expensive. The authors in [4, 5] propose various techniques to reduce this cost. Inductive invariants can be proven using Kth step induction [17] and/or property-strengthening technique [18]. In Kth step induction proof, the setup is modified from simple induction in which the depth is increased from 2 to k: The base case : S 0 T k φ k The inductive step: T k+1 φ k φ k+1 In property strengthening, the target property φ, is verified with the help of other conditional invariants δ,ζ. In short, δ and ζ are true iff φ is true. Thus, they are processed together (given that δ and ζ also passed the base-case check). This helps as the initial state in the induction step now needs to satisfy all three properties instead of just one. Both Kth step induction and property-strengthening are used in an attempt to eliminate the spurious initial state. In all the above methods, the number of signals involved in an invariant was kept low, as the number of invariants would grow exponentially with increasing number of signals involved. C. Static Logic Implications In Sequential Circuits: Static implications are obtained by setting each gate in the Boolean circuit to logic value 1 and 0 independently, and analyzing the result of propagating these values throughout the circuit. This is analogous to Boolean Constraint Propagation in Satisfiability solvers. Figure 3 shows a partial sequential circuit and its partial implication graph. Each node in the implication graph represents a signal carrying a value of logic 0 or 1. If a circuit has N gates, there will be 2N nodes in the graph. The solid directed edges represent direct implications while the dotted 2

3 Fig. 2. Over approximation of reachable state space directed edges represent indirect implications. The weight of an edge represents relative time for each pair of nodes and it is increased or decreased when an edge propagates across a FF. Forexample,inthecircuitshowninFigure3,wecanlearnthat g = 1 implies j = 1 in the previous time-frame. More details on static implications for both combinational and sequential circuits can be found in [19 21]. D. Definitions: Fig. 3. circuit and partial implication graph. Let (g,v) represent a gate g having a logic value v. Then, (g 1,v) (g 2,w) represents an implication in which assigning value v to gate g 1 implies another gate g 2 to logic value w. Let the sequential implication be represented by (g 1,v) (g 2,w,t), where t is the relative time frame from g 1. For example, (g 1,1) (g 2,0,1) means g 1 = 1 in the current time-frame implies g 2 = 0 in the next time frame. Likewise, (g 1,0) (g 2,1, 2) means g 1 = 0 in the current time-frame implies g 2 = 1 two time-frames earlier. impl[g, v]: the set of all implications resulting from assigning logic value v to gate g. This set includes implications from the same as well as different time-frames. Signature: an n-bit stream of logic values for a signal, g, via simulation of n vectors (starting from a fully specified initial state), where each bit corresponds to g s value under each vector that is applied. Constant Invariant Candidate (CIC): any signal g having a constant signature of all 0s (or all 1s) from simulation. Equivalent pair candidate (EPC): a pair of signals, g 1 and g 2, having identical (or complemented) signatures. Implication Invariant Candidate (IIC): a pair of signal assignments, g 1 = v and g 2 = w, holding the property (g 1,v) (g 2,w) within the simulation trace. Potential Invariant candidates list (ICL): the list of potential invariants that needs to be verified. The list could consist of any of the aforementioned invariant candidates CIC, EPC, or IIC. Transitivity: If (g 1,v) (g 2,w,t 1 ) and (g 2,w) (g 3,u,t 2 ), then (g 1,v) (g 3,u,t 1 +t 2 ). Cone of Influence (COI): the COI of gate g is a set of gates, R, that could affect the value of g. Since the gates in a given circuit are already in a topological order, COI analysis can be computed by utilizing backward depth-first or breathfirst search from g. Bounded Cone of Influence (BCOI): BCOI of gate g is a restricted COI of g with a depth d. In the interest of this work, d is set to 1. III. TARGETED MULTI-NODE INVARIANT FRAMEWORK In this section, we investigate inductive invariants involving multiple state elements to constrain the state space in SEC. General multi-node relations on flip-flops can be very powerful in blocking many illegal states. In hard SEC instances, the two circuits have entirely different number of state elements with different state encodings; thus, there are few equivalent flipflop pairs. Moreover, the space of all invariants involving all flip-flops could be extremely large in circuits with many state variables. We wish to find those critical multi-node invariants for SEC without enumerating all flip-flop combinations. To do so, we seek to use those false invariants as a guide, described below. A. Phase 1: Support Trace Generation We start with the set of 2-node relations among state variables obtained from the simulation trace. During the validation of these potential invariants, whenever a candidate invariant is falsified, a BCOI analysis is performed to generate a support trace. Let A B be one of the potential invariants under verification that has been invalidated. The fact that A seems to imply B as observed in simulation indicates that 3

4 it is difficult to obtain values of (A = 1, B = 0) from simulation. We wish to explore this avenue further to identify the reasons. For any potential invariant to be invalidated, there must exist state(s) that were not reached during simulation to break the correlation among the nodes in the potential invariant. However, these states were likely hard to reach by simulation, and the illegal states among the flip-flops can hold key information to proving relations among other signal relations, including the final miter-output. The flip-flops of interest are those in the BCOI of A and B. TABLE I DATABASE FOR MULTI-NODE INVARIANT GENERATION Vector ID FF 1 FF 2 FF 3... FF n v v v v v v v v v v Fig. 4. BCOI analysis on falsified implication A B Let R A = {C,D} and R B = {D,E,F} be the two BCOI sets for flip-flops A and B, respectively. To form a supporting trace ST for invariant A B, the union operation is performed on R A and R B. This results in a new set R T containing flip-flops C, D, E and F. Figure 4 illustrates the formation of R T. If R T has less than a threshold number of flip-flops, we will search for invariants among flip-flops in R T. We note that in general, the size of R T is significantly smaller than the total number of state-elements in the miter. Thus, even exhaustive search in R T would be feasible. The above method is performed for every falsified 2-node potential invariant. The ST list is then sorted in ascending order starting from the one with smallest number of flip-flops. B. Phase 2: Generation of Potential Multi-Node Invariants from ST Similar to data mining, the database of signatures is constructed for every state element in the circuit from the simulation trace. For ease of discussion, Table I is used as an example in which each column represents a binary bit-string signature for each flip-flop via simulation. Let us assume that 10-bit signatures are used. We now use the support traces generated in Phase 1 to help us identify potential multi-node invariants. Let flip-flops FF 1, FF 2, and FF 3 be the flip-flops in some support trace R T. The eight possible assignments on these three flip-flops range from 000 to 111 (0 to 7 in integer). Searching through the signature database shown in Table I, we obtain 5 patterns (0, 1, 2, 4, 6) leaving the other 3 as missing (3, 5, 7). The missing patterns become the potential multi-node invariant candidates. Note that we use our support traces generated in Phase 1 as a guide to construct the database. Without such a guide, we would potentially end up indiscriminately identifying all exponentially large number of potential multi-node invariants, rather than identifying only those that might be most useful and relevant to our problem. IV. OUR FILTERING FRAMEWORK In this section, we present fast filters for reducing (1) the number of potential invariants (static filters) and (2) speeding up the invariant validation process (dynamic filter). Without loss of generality and for ease of discussion, we will assume that the miter consists of only the following gate types: 2- input AND gates, inverters, buffers and DFFs. The assumption is valid for any sequential circuit because any circuit can be converted to having only these gate types. A. Static Filters Given a set of potential invariants in ICL that needs to be verified, the size of this set directly affects the computational cost of the validation process. Because ICL consists of invariants identified from a simulation trace, there often exist many redundant implication invariant candidates (RIIC) within the set. In short, a RIIC is a candidate that does not help to further restrict the reachable state space when added to ICL. Consider anexampleofariicshowninfigure5.letusassumethatwe have an ICL consisting of the following potential invariants: I 1 : IIC((A,1)(C,1)) I 2 : IIC((A,1),(D,0)) I 3 : IIC((A,1),(F,1)) Without the structural knowledge of the circuit, the invariant checker would attempt to prove all three candidates. Instead, we will reduce this ICL before the invariant checking process. By using structural relations between nodes C, D and F, I 3 would be a true invariant whenever I 1 and I 2 are true (even though we currently do not know if any of them is true). Conversely, any state that falsifies either I 1 or I 2 will falsify I 3 as well. In other words, even if I 3 turns out to be a true invariant, it does not constrain the state space formed by the intersection of I 1 and I 2 (Figure 2) any further. Therefore, I 3 is a RIIC and can be removed from ICL without losing state space constraining power. When I 3 is false, either I 1 or I 2 could still be true. Overall, this structural analysis removes redundant implications that would otherwise require many SAT calls to prove them individually. Another static filter we take toward reducing the candidate list is to discard any static relations from ICL. Since static implications hold in all legal and illegal states, they are guaranteed to be true all the time. Thus, any candidate in ICL that can be reasoned by static implications are removed. 4

5 Fig. 5. Implications across circuits B. Dynamic Filters The motivation behind our dynamic filters is to see if a SAT solver call can be skipped for any potential invariant based on those candidates that have been found to be true (or false) in the current iteration. This is achieved again with the help from the static implication graph. Let the statically reduced ICL consist of the following six potential invariants: I 1 : IIC((A,1),(C,1)) I 2 : IIC((A,1),(D,0)) I 3 : IIC((A,1),(X,0)) I 4 : IIC((B,1),(C,1)) I 5 : IIC((B,1),(D,0)) I 6 : IIC((B,1),(X,0)) First, we describe a dynamic filter for the potentially true candidates. Let us assume that the SAT solver returns UNSAT for I 1 and I 2 so far. Normally, we would simply continue to check the validity of I 3 via another SAT solver call. However, suppose there is a static implication (D,0) (X,0). By applying the transitivity relation over I 2 ((A,1) (D,0)) and (D,0) (X,0), we obtain (A,1) (X,0). Hence, I 3 has to be true at the current iteration if I 2 is true. We further extend this filter by bookkeeping the invariants that have been proven at the current iteration. Using the running example, I 1, I 2 and I 3 are true invariants so far in this iteration. The next steps would be to check for I 4, I 5 and I 6. Suppose we have (B,1) (A,1) as a static implication, by transitivity, we do not have to prove any implication of the form (B,1) impl[a,1]. Therefore, we know that I 4, I 5 and I 6 all have to be true. Note that this reasoning engine can be applied for cross time-frame IIC as well. Thus, in this example, only two SAT calls are needed during an iteration rather than six separate calls. Next, we describe a dynamic filter for falsified candidates. For every falsified candidate, the SAT solver would return a satisfying assignment (witness). The same witness may falsify other candidates in ICL as well. Thus, we reduce the number of future SAT calls, and speed up the process. Based on our experiments, the witness-based dynamic filter helps the checker to reduce the size of ICL faster while the proof-based dynamic filter helps the checker to go through each iteration quicker. V. EXPERIMENTAL RESULTS The proposed SEC framework was implemented in C++ and its performance was evaluated on an Intel Core i GHz, 4GB of RAM, running Ubuntu The underlying SAT solver is zchaff [9], but other SAT solvers could be used. We manually generated a set of circuits [22] from the original ITC99 circuit suite with two different state encoding because there is a lack of equivalent sequential benchmarks that have little or no structural similarity. The state encodings chosen were gray-code encoding and one-hot encoding. Hence, we ensure that the two designs have very few or no structural similarities. Consequently, there are few internal equivalent points other than than equivalent output signals. In addition, combinations of different circuits are formed to make benchmarks T1 to T5. For example, T1 is a combination of b06, b08 and b13 in different encodings. Each circuit is flattened such that no structure hierarchy can be derived to divide the individual circuits embedded. A. Results for Static and Dynamic Filters We first report results when only two-signal inductive invariants are used. Note that the two signals involved may span multiple time-frames. Table II shows the results. We include the results of the proposed static and dynamic filters to see how much cost we can reduce. The first and second columns list the miters and number of state variables; for example, there are total of 61 FFs in the miter circuit formed by b03 gray and b03 onehot. The third, fourth and fifth columns report the outcome of the three approaches used to prove the circuit equivalent. In P1, only equivalent FFs and equivalent internal signals are used. In P2, the dprove function from ABC [23] is used. The Ours column represents our approach. For these 5

6 TABLE II SEC RESULTS FOR STATIC AND DYNAMIC FILTERS Benchmark FFs Ours P1 P2 # Pot. Inv. # True Inv. Time Without Filters With Filters Speedup b03 gray hot 61 Y Y Y 8623 / 6442 / - / / - / / - / / - / b04 gray hot 139 Y Y Y / / - / / - / / - / / - / b05 gray hot 66 Y U U / (90000)* / - / / - / - TO / - / / - / - >13.8 b06 gray hot 22 Y U U 1691 / 699 / - / / - / / - / / - / b07 gray hot 106 Y U U / / - / / - / - TO / - / / - / - >53 b08 gray hot 44 Y U U / / / / 3944 / / / / 33.9 / b09 gray hot 58 Y U U / / - / / - / / - / / - / b10 gray hot 41 U U U / / / / 719 / / / / 29.4 / - 11 b11 gray hot 75 Y Y Y / / - / / - / / - / / - / b13 gray hot 63 Y U U / / / / 6746 / / / / 81.5 / T1 132 Y U U / 70790/ / / 8984 / / / / / T2 258 Y U U / / / / / / MO / / / T3 354 Y U U / / - / / - / - MO / - / / - / - - T4 563 U U U / / - / / - / - MO / - / / - / - - T5 626 U U U / / - / / - / - MO / - / / - / - - Avg. Speedup >15.3 P1: Using equiv. FFs and equiv internal signals P2: ABC with -dprove MO: Memory Out (4GB) # Pot Inv.: same time-frame relations before static filter / same time-frame after filter / cross 1 time-frame / cross 2 time-frame # True Inv.: same time-frame relations after dynamic filter / cross 1 time-frame / cross 2 time-frame * : A window of candidates are proved at a time. TO = 5 hrs = 18000s TABLE III SEC RESULTS FOR TARGETED MULTI-NODE INVARIANTS Ours [2] Speedup Benchmark FFs Ours P1 P2 # Pot. / True Inv. k # Multi-node Inv. Time Multi-node Inv. Time b05 gray hot 66 Y U U 9561 / b06 gray hot 22 Y U U 117 / b07 gray hot 106 Y U U / N/A N/A N/A b08 gray hot 44 Y U U 1110 / b09 gray hot 58 Y U U 2169 / b10 gray hot 41 Y U U 442 / b13 gray hot 63 Y U U / T1 132 Y U U 4409 / N/A N/A N/A T2 258 Y U U / N/A N/A N/A T3 354 Y U U / N/A N/A N/A T4 563 Y U U / N/A N/A N/A T5 626 Y U U / N/A N/A N/A P1: Using equiv. FFs and equiv internal signals P2: ABC with -dprove [2]: previous work that has been done on the same circuit. N/A: experiment was not done on the circuit three columns, a U stands for Undecided and a Y stands for successful proving of the 2 circuits being equivalent. The sixth column reports the number of potential invariants in the following format [same time-frame before applying static filter / same time-frame after applying static filter / cross 1 timeframe / cross 2 time-frame]. The seventh column reports the number of true invariants after the validation process in the respective order as column six. The eighth and ninth columns report the total time taken to prove the 2 circuits equivalent in the absence and presence of our filters. The time includes every step from candidates extraction, validation of invariants, and all the way up to the final SEC check. The final column reports the speedup achieved. Consider b09 gray hot as an example. With only the equivalent signal pairs and constant nodes added as constraints to the instance (P1), Undecided is reported. This is because there were few equivalent signal pairs and constant signals. The circuit then undergoes ABC framework to determine their equivalence using option -dprove, which considers a number of different signal relations to constrain the search. In this case, ABC also returns UNDECIDED under the P2 column. By considering all two-node implications and our proposed filters, our framework condenses the total number of candidates needed to be verified from to 22246, out of which 6104 of them are true. In this circuit, sequential invariants were not needed to prove equivalence. A speedup of was achieved. In b07 gray hot, we see a speedup of 53 in achieving the same result! Overall, we could obtain an average speed up of greater than However, note that in a number of instances, such as b10 gray hot, T4 and T5, etc., no technique was able to prove their equivalence. We need additional (multi-node) invariants to help, which is discussed next. B. Results for Targeted Multi-Node Invariants Table III shows the results for our targeted invariants framework, only for those circuits that neither P1 nor P2 was able to prove. The first five columns show the same information as in Table II. The potential and verified 2-node invariants are reported in the sixth column. The seventh column reports the minimal support trace size k in order to generate sufficient candidates to prove equivalence of the designs. For example, k = 7 means all invariants of size 7 or less were generated 6

7 and needed to prove the two designs equivalent. To obtain this value, an incremental step is performed starting from k = 3. For each k, a corresponding set of multi-node invariants is generated as described in Section III-B. The eighth column reports the number of targeted invariants generated. In this instance, the framework iterates till k = 5, and found that k = 5 is sufficient to prove the two circuit in b13 gray hot equivalent. At the beginning of phase 2, from 4277 ( ) falsified 2-node invariants, we obtained 1349 potential multi-node targeted invariants. The ninth column reports the total runtime taken to prove the 2 circuits equivalent. The time consists of both phases of the flow: identification and verification of 2-node relations, generating and verifying multi-node relations. In this case, our framework takes 11.3 seconds to complete. We also compared our results to the work reported in [2], which also was also able to prove many of these circuits equivalent. Both the total potential invariants from [2] and its run-time were reported in the final two columns. For the same instance b13 gray hot, our execution time has a superior advantage. Unlike a small number of potential invariants that we had to consider, invariants were needed in [2]. This is about one order of magnitude more candidates than what we needed. As a result, we achieved a speed up of 727. Note that this is also more than 10 faster than the 150 seconds reported by our method (without targeted invariants) in Table II. Likewise, in T3, with targeted invariants, only seconds were needed to prove equivalence while 4341 seconds were needed in Table II. We also applied our technique on larger circuits b10, T4 and T5, which have many more state variables, to show that our approach is able to determine the equivalence of the two circuits while other techniques were unable. We take note on the time complexity of benchmark b07 gray hot in table III compare to table II. The strength of invariants which compose of internal signals and state elements performs better than just considering state elements alone. Looking at the number of proved invariants in table III, there are only 28 2-node invariants hold true after phase 1. Hence, a much larger support from muti-node invariants is needed to obtain the conclusion and increase the time taken. For practical purpose, we would launch the 2 proposed methods as parallel jobs. Once a conclustion is reached by either one, we can kill the remain running job which then result in better timming optimization. VI. CONCLUSIONS We proposed two novel techniques for sequential equivalence checking of hard SEC instances that can reduce the computation cost as well as to reach a conclusion on the designs under verification quickly. We first introduce a new, scalable multi-node inductive invariant generation scheme. We avoid exhaustive enumeration of partial illegal states by utilizing the falsified 2-node invariants to guide the search for useful invariants. With such an approach, the number of multinode invariants generated is significantly smaller compared in large circuits since we only target those relevant signals. We also proposed a suite of low-cost static and dynamic filters to remove candidates that are not helpful in state space constraining, and hence reduce the runtime for invariant checking. All SEC instances (circuits with different state encodings) were proved by the proposed technique, with orders of magnitude speedup over previous methods in many instances. REFERENCES [1] W. Wu and M. Hsiao, Mining Global Constraints For Improving Bounded Sequential Equivalence Checking, in Proc. Design Automation Conf., 2006, pp [2] N. Goel, M.S. Hsiao, N. Ramakrishnan, and M.J. Zaki, Mining complex boolean expressions for sequential equivalence checking, in Proc. Asian Test Test Symp., 2011, p [3] C. L. Chang, C. H. P. Wen, and J. Bhadra, Speeding up Bounded Sequential Equivalence Checking with Crosstime Frame State-pair Constraints from Data Learning, in Proc. Int. Test Conf., 2009, pp [4] F. Lu and K.-T. Cheng, Ichecker: An efficient checker for inductive invariants, in Proc. IEEE Int l High-level Design Validation and Test Workshop, [5] M.L.Case,A.M.Robert,andK.Brayton, Inductively Finding a Reachable State Space Over-Approximation, in Proc. Int. Wkshp. Logic & Synthesis, [6] C. Pixley, A theory and implementation of sequential hardware equivalence, in IEEE Transactions on CAD of Integrated Circuits and Systems, 1992, vol. 11, pp [7] P. Bjesse I.-H. Moon and C. Pixley, A compositional approach to the combination of combinational and sequential equivalence checking of circuits without known reset states, in Proc. Design Aut and Test in Europe Conf., 2007, pp [8] N. Een and N. Sörensson, An Extensible SAT-solver [ver 1.2], [9] M. Moskewicz, C. Madigan, Y. Zhao, L. Zhang, and S. Malik, Chaff: Engineering an Efficient Sat Solver, in Proc. Design Automation Conf., 2001, pp [10] K. L. McMillan, Applying SAT Methods in Unbounded Symbolic Model Checking, in Proc. Int. Conf. Computer-Aided Verification, 2002, pp [11] A. Biere, A. Cimatti, E. M. Clarke, M. Fujita, and Y. Zhu, Symbolic Model Checking using SAT Procedures Instead of BDDs, in Proc. Design Automation Conf., 1999, pp [12] Andreas Kuehlmann, Dynamic Transition Relation Simplification for Bounded Property Checking, in Proc. Int. Conf. Computer-Aided Design, 2004, pp [13] M. Sheeran, S. Singh, and G. Stȧlmarck, Checking Safety Properties Using Induction and a SAT-Solver, in Proc. Int. Conf. Formal Methods in CAD, 2000, pp [14] L. D. Moura, H. Rue, and M. Sorea., Bounded Model Checking and Induction: From Refutation to Verification, in Proc. Int. Conf. Computer-Aided Verification, 2003, pp [15] C.A. Eijk and J.A. Jess, Detection of Equivalent State Variables in Finite State Machine Verification, in Proc. Int. Wkshp. Logic & Synthesis, 1995, pp [16] S.-Y. Huang, K.-T. Cheng, and K.-C. Chen, Aquila: An Equivalence Checking System for Large Sequential Designs, in IEEE Trans. Computers, 2000, pp [17] F. Lu and K. T. Cheng, SEChecker: A Sequential Equivalence Checking Framework Based on Kth Invariants, in IEEE Trans. Very Large Scale Integration Systems, 2009, pp [18] V. C. Vimjam and M. Hsiao, Explicit Safety Property Strengthening in SAT-based Induction, in Proc. Int. Conf. VLSI Design, [19] J. Zhao, M. Rudnick, and J. Patel, Static logic implication with application to fast redundancy identification, in Proc. VLSI Test Symp., 1997, pp

8 [20] R. Arora and M. Hsiao, Using Global Structural Relationships of Signals to Accelerate SAT-based Combinational Equivalence checking, in Journal of Universal Computer Science, 2004, pp [21] J. Zhao, M. Rudnick, and J. Patel, A graph traversal based framework for sequential logic implication with an application to c-cycle redundancy identification, in Proc. Int. Conf. VLSI Design, 2001, pp [22] Sequential Equivalence Checking Benchmarks ( mhsiao/sec/),. [23] Berkeley Logic Synthesis and CA Verification Group, Berkeley, Abc: A System For Sequential Synthesis and Verification,