# Analysis of Incomplete Circuits using Dependency Quantified Boolean Formulas

Ralf Wimmer, Karina Wimmer, Christoph Scholl, Bernd Becker Institute of Computer Science, Albert-Ludwigs-Universität Freiburg, Germany {wimmer, wimmerka, scholl, becker}@informatik.uni-freiburg.de

Abstract—We consider Dependency Quantified Boolean Formulas (DQBFs), a generalization of Quantified Boolean Formulas (QBFs), and demonstrate that DQBFs are a natural calculus to exactly express the realizability problem of incomplete combinational and sequential circuits with an arbitrary number of (combinational or bounded-memory) black boxes. In contrast to usual approaches for controller synthesis, restrictions to the interfaces of missing circuit parts in distributed architectures are strictly taken into account. We present a solution method for DQBFs together with the extraction of Skolem functions for existential variables, which can directly serve as implementations for the black boxes. First experimental results are provided.

#### I. INTRODUCTION

Solver-based techniques have proven to be successful in many areas in computer-aided design, ranging from formal verification of digital circuits [1], [2], [3], [4] over automatic test pattern generation [5], [6] to circuit synthesis [7]. While research on solving quantifier-free Boolean formulas (the famous SAT-problem [8]) has reached a certain level of maturity, designing and improving algorithms for quantified Boolean formulas (OBFs) is one focus of active research. However, there are applications like the verification of partial circuits [4], [9], [10], the synthesis of safe controllers [7] for which QBF is not expressive enough to provide a compact and natural formulation. The reason is that QBF requires linearly ordered dependencies of the existential variables on the universal ones: Each existential variable implicitly depends on all universal variables in whose scope it is. Relaxing this condition yields so-called dependency quantified Boolean formulas (DQBFs). DQBFs are strictly more expressive than QBFs in the sense that an equivalent QBF formulation can be exponentially larger than a DQBF formulation. This comes at the price of a higher complexity of the decision problem: DQBF is NEXPTIME-complete [11], compared to QBF, which is "only" PSPACE-complete. Encouraged by the success of SAT and QBF solvers and driven by the mentioned applications, research on solving DQBFs has started during the last few years [12], [13], [14], [15], yielding first prototypic solvers like IDQ [13] and HQS [14].

In this paper, we focus on the application of DQBF for analyzing *incomplete combinational and sequential circuits*. Such incomplete circuits appear in early design stages, when only a subset of the system's modules has already been implemented and verification is applied in order to find errors in the available parts as early as possible. Incomplete circuits also result if the complexity of the verification task is too high and therefore some parts, which are supposed not to influence the validity of some properties, e.g., multiplier or memory modules, have been removed to make verification feasible. Analyzing incomplete circuits is also useful if a designer wants to localize errors (then one can remove parts of the design and if for all possible implementations of the removed parts the error does not disappear, the remaining parts must be erroneous). Therefore this problem has received considerable attention in the research community during the last 15 years, see, e. g., [4], [16], [17], [18], [19], [20], [21]. All solver-based approaches are restricted in the sense that they can either only handle a single black box or do not take the interfaces of the black boxes into account, allowing the black boxes to read signals which are not available to them in the actual design.

We show how the realizability problem for incomplete combinational and sequential circuits with an arbitrary number of combinational or bounded-memory black boxes can be expressed as a DQBF. Here we show for the first time a DQBFbased solution for sequential circuits with several boundedmemory black boxes where the exact interface of the black boxes, i. e., the signals entering and leaving the black boxes, can be taken into account. We also show that solving a DQBF has the same complexity as deciding realizability. We not only sketch how DQBFs are solved in our DQBF solver HQS [14], [15], but also how so-called Skolem functions can be obtained from the solution process, provided that the formula is satisfied. These Skolem functions can directly serve as an implementation of the black boxes.

This paper builds on different sources: [9], [10] applies DQBF-based methods to incomplete combinational circuits with combinational black boxes. SAT- and QBF-based techniques for controller synthesis are considered in [7]; there a footnote give hints how DQBF can be used for that purpose. Due to the lack of efficient DQBF solvers at that time, this idea was not investigated further. However the method described there considers only a single black box which can read all primary inputs and the complete state information. The basic techniques implemented in our DQBF solver HQS have been described in [14], and [15] defines preprocessing techniques for DQBF, which speed-up the solution process considerably.

*Structure of the Paper:* In the next section, we introduce dependency quantified Boolean formulas (DQBFs). In Section III we describe, how realizability of incomplete combinational and sequential circuits can be formulated as a DQBF. Section IV presents a method to solve DQBFs and to obtain Skolem functions for satisfied DQBFs. In Section V we give preliminary experimental results, and conclude the paper in Section VI, pointing out challenges which need to be solved.

## II. FOUNDATIONS

Let  $\varphi, \kappa$  be quantifier-free Boolean formulas over the set Vof variables and  $v \in V$ . We denote by  $\varphi[\kappa/v]$  the Boolean formula which results from  $\varphi$  by replacing all occurrences of v (simultaneously) by  $\kappa$ . For a set  $V' \subseteq V$ , we denote by  $\mathcal{A}(V')$  the set of Boolean assignments for V', i.e.,  $\mathcal{A}(V') =$  $\{\nu \mid \nu : V' \to \{0, 1\}\}$ . For each formula  $\varphi$  over V, a variable assignment  $\nu$  to the variables in V induces a truth value 0 or 1 of  $\varphi$ , which we call  $\nu(\varphi)$ .

Definition 1 (Syntax of DQBF): Let  $V = \{x_1, \ldots, x_n, y_1, \ldots, y_m\}$  be a set of Boolean variables. A dependency quantified Boolean formula (DQBF)  $\psi$  over V has the form  $\psi := \forall x_1 \ldots \forall x_n \exists y_1(D_{y_1}) \ldots \exists y_m(D_{y_m}) : \varphi$ , where  $D_{y_i} \subseteq \{x_1, \ldots, x_n\}$  for  $i = 1, \ldots, m$  is the dependency set of  $y_i$ , and  $\varphi$  is a Boolean formula over V, called the matrix of  $\psi$ .

 $V_{\psi}^{\forall} = \{x_1, \dots, x_n\}$  denotes the set of universal and  $V_{\psi}^{\exists} =$  $\{y_1, \dots, y_m\}$  the set of existential variables. We often write  $\psi = Q : \varphi$  with the quantifier prefix Q and the matrix  $\varphi$ .  $Q \setminus \{v\}$  denotes the prefix that results from removing a variable  $v \in V$  from Q together with its quantifier. If v is existential, then its dependency set is removed as well; if v is universal, then all occurrences of v in the dependency sets of existential variables are removed. Similarly we use  $Q \cup \{\exists y(D_y)\}$  to add existential variables to the prefix. We sometimes assume that a DQBF  $\psi = Q : \varphi$  as in Def. 1 with  $\varphi$  in conjunctive normal form (CNF) is given. A formula is in CNF if it is a conjunction of (non-tautological) clauses; a clause is a disjunction of literals, and a literal is either a variable v or its negation  $\neg v$ . As usual, we identify a formula in CNF with its set of clauses and a clause with its set of literals. For a formula  $\varphi$  (resp. clause C, literal l),  $var(\varphi)$  (resp. var(C), var(l)) means the set of variables occurring in  $\varphi$  (resp. C, l),  $lit(\varphi)$  (lit(C)) means the set of literals occurring in  $\varphi$  (C).

A quantified Boolean formula (QBF) (in prenex normal form) is a DQBF such that  $D_y \subseteq D_{y'}$  or  $D_{y'} \subseteq D_y$  holds for any two existential variables  $y, y' \in V_{\psi}^{\exists}$ . Then the variables in V can be ordered resulting in a linear quantifier prefix, such that for each  $y \in V_{\psi}^{\exists}$ ,  $D_y$  equals the set of universal variables which are to the left of y.

The semantics of a DQBF is usually defined by so-called Skolem functions.

Definition 2 (Semantics of DQBF): Let  $\psi$  be a DQBF as above. It is *satisfiable*, iff there are functions  $s_y : \mathcal{A}(D_y) \to \mathbb{B}$ for  $y \in V_{\psi}^{\exists}$  such that replacing each  $y \in V_{\psi}^{\exists}$  by (a Boolean expression for)  $s_y$  turns  $\varphi$  into a tautology. The functions  $(s_y)_{y \in V_{\psi}^{\exists}}$  are called *Skolem functions* for  $\psi$ .

Example 1: Consider the following DQBF:

$$\forall x_1 \forall x_2 \exists y_1(x_1) \exists y_2(x_2) : (x_1 \lor \neg y_1) \land (x_2 \lor y_1 \lor y_2)$$

Here the variable  $y_1$  depends only on  $x_1$ , but not on  $x_2$ ;  $y_1$  depends only on  $x_2$ , but not on  $x_1$ . It is satisfiable by



Fig. 1. Sequential circuits with extracted memory



Fig. 2. Notation for incomplete sequential circuits

using the Skolem functions  $s_{y_1}(x_1) = x_1$  and  $s_{y_2}(x_2) = \neg x_2$ . Replacing  $y_1$  and  $y_2$  by their Skolem functions yields  $(x_1 \lor \neg x_1) \land (x_2 \lor x_1 \lor \neg x_2)$ , which is obviously a tautology.

#### **III. ANALYSIS OF INCOMPLETE CIRCUITS**

In this section, we show how DQBFs can be used to analyze incomplete combinational and sequential circuits. In both cases we ask for realizability: Are there implementations of the missing parts ("black boxes") such that the complete circuit satisfies its specification.

We assume that the missing parts are either combinational or contain only a bounded amount of memory. In the latter case, we can put the flipflops of the black boxes into the available circuit part such that the incoming and outgoing signals of these flipflops are written and read only by the black boxes as sketched in Fig. 1.

Then the black boxes themselves are purely combinational. Note that the case of several black boxes with an *unbounded* amount of memory is undecidable [22].

We use the notation for incomplete sequential circuits as sketched in Fig. 2. The primary inputs are denoted by  $\vec{x}$ , the current state by  $\vec{s}$ , and the next state by  $\vec{s}'$ . The missing parts are BB<sub>1</sub>,..., BB<sub>n</sub>, whose interfaces, i. e., the signals entering and leaving the black boxes, are known. The input signals of black box BB<sub>i</sub> are denoted by  $\vec{I}_i$ , its output signals by  $\vec{y}_i$ . The input cone of black box BB<sub>i</sub> ensures the constraint  $\vec{I}_i \equiv$  $F_i(\vec{s}, \vec{x}, \vec{y}_1, \ldots, \vec{y}_{i-1})$ , the next state is described by trans :=  $\vec{s}' \equiv R(\vec{s}, \vec{x}, \vec{y}_1, \ldots, \vec{y}_n)$ . We assume w.l.o.g. that no black box output is directly connected to an input of another black box or a flipflop, i. e.,  $\vec{y}_i \cap \vec{L}_j = \emptyset$  for all i, j and  $\vec{s}' \cap \vec{y}_j = \emptyset$  for all *j*. Otherwise a buffer is inserted between the two black boxes without changing the functionality of the circuit. Additionally we assume that there are no cyclic dependencies between the combinational black boxes, i. e., that  $BB_i$  only depends on the outputs of  $BB_1, \ldots, BB_{i-1}$ .

We are considering invariant properties  $inv(\vec{s}, \vec{x}, \vec{y}_1, \ldots, \vec{y}_n)$ , defined over the primary inputs  $\vec{x}$ , the current state  $\vec{s}$  and the black box outputs  $\vec{y}_1, \ldots, \vec{y}_n$ , which are required to hold at any time.

### A. Combinational Circuits

The same notation as introduced above is also used for combinational circuits. Here, the state and next state signals  $\vec{s}$  and  $\vec{s}'$  as well as the memory elements are omitted.

Definition 3: The partial equivalence checking problem (PEC) is defined as follows: Given an incomplete circuit  $C_{\text{impl}}$  and a (complete) specification  $C_{\text{spec}}$ , are there implementations of the black boxes in  $C_{\text{impl}}$  such that  $C_{\text{impl}}$  and  $C_{\text{spec}}$  become equivalent?

In the following we assume that (incomplete) implementation  $C_{\rm impl}$  and specification  $C_{\rm spec}$  are combined into a single circuit using a miter construction: Corresponding primary inputs are connected, corresponding outputs are connected via XOR gates. The outputs of the XOR gates are combined via OR gates into a single output signal. This output signal is constantly one iff, for some implementation of the black boxes, the two circuits are equivalent. This can be considered as a kind of invariant property, valid at the primary output of the combined circuit. We now show how DQBF can be used to decide PEC.

Consider a PEC with black boxes BB<sub>1</sub>,..., BB<sub>n</sub>. We first construct the quantifier prefix of the DQBF. The primary inputs  $\vec{x}$  and the black box inputs  $\vec{I}_1, \ldots, \vec{I}_n$  are universally quantified, all other variables are existentially quantified. The dependency set of black box outputs  $\vec{y}_i$  contains exactly the inputs  $\vec{I}_i$  of BB<sub>i</sub>. Hence the quantifier prefix is

$$\forall \vec{x} \forall \vec{I}_1 \dots \forall \vec{I}_n \exists \vec{y}_1(\vec{I}_1) \dots \exists \vec{y}_m(\vec{I}_m) ...$$

If the black boxes are not directly connected to the primary inputs but to internal signals we have to take into account that not all possible combinations of values may arrive at the inputs of the black boxes. Since we use a universal quantification for the black box inputs we have to ensure that our formula is satisfied if the value of the black box inputs  $\vec{I}_i$  deviates from the values obtained as a function  $F_i(\vec{x}, \vec{I}_1, \dots, \vec{I}_{i-1})$ .

$$\varphi(\vec{x}, \vec{I}_1, \dots, \vec{I}_n, \vec{y}_1, \dots, \vec{y}_n) := \begin{pmatrix} \bigwedge_{i=1}^n \vec{I}_i \equiv \vec{F}_i \end{pmatrix} \Rightarrow \operatorname{inv}(\vec{x}, \vec{y}_1, \dots, \vec{y}_n)$$

This formula is not necessarily given in CNF. By applying Tseitin transformation [23], which is essentially introducing auxiliary variables for the internal signals of the circuit, one can obtain a CNF  $\varphi'$  that is satisfiability equivalent to  $\varphi$  and whose size is linear in the size of  $\varphi$ . Let  $\vec{a}$  be the vector of these auxiliary variables, which are existentially quantified in the quantifier prefix. As their values are implied by the

values of the variables in their input cone, we can use as their dependency sets either the universal variables in their input cone or the set of all universal variables. We prefer the latter, because this typically leads to DQBFs that are easier to solve.

The resulting DQBF is:

$$\begin{split} \psi &:= \forall \vec{x} \forall \vec{I}_1 \dots \forall \vec{I}_n \exists \vec{y}_1(\vec{I}_1) \dots \exists \vec{y}_n(\vec{I}_n) \exists \vec{a}(\vec{x}, \vec{I}_1, \dots, \vec{I}_n) :\\ \varphi'(\vec{x}, \vec{I}_1, \dots, \vec{I}_n, \vec{y}_1, \dots, \vec{y}_n, \vec{a}) \;. \end{split}$$

This formula  $\psi$  is satisfied iff we can replace all  $\vec{y}_i(\vec{I}_i)$  with Skolem functions  $s_i(\vec{I}_i)$  such that  $\varphi'$  becomes a tautology. The Skolem functions  $s_i$  exist if and only if there are implementations for the black boxes BB<sub>i</sub> of the PEC, such that the PEC is satisfied. Therefore any PEC can be translated with linear effort into a DQBF and the PEC is satisfied iff the DQBF is satisfied.

It is easy to see that there is also the converse transformation [10]: Each DQBF can be turned into a PEC, having one black box for each existential variable such that the PEC is realizable iff the DQBF is satisfiable. This implies that PEC is NEXPTIME-complete.

## B. Sequential Circuits

For incomplete sequential circuits with multiple combinational or bounded-memory black boxes, we investigate the following problem:

Definition 4: The realizability problem for incomplete sequential circuits (RISC) is defined as follows: Given an incomplete sequential circuit with multiple combinational (or bounded-memory) black boxes and an invariant property, are there implementations of the black boxes such that in the complete circuit the invariant holds at all times?

To decide RISC, one can apply a generalization of ideas described in [7] for the synthesis of controllers (which are in fact single black boxes with access to all state bits and all primary circuit inputs).

According to the notations introduced in the previous section, let  $\vec{s}$  denote the variables encoding the current state of the circuit,  $\vec{s}'$  the next state, and  $\vec{x}$  the primary inputs. The formulas  $F_1, \ldots, F_n$  describe the input cones of the black boxes,  $\vec{I}_1, \ldots, \vec{I}_n$  their inputs,  $\vec{y}_1, \ldots, \vec{y}_n$  their outputs, and Ris the next state function of the circuit. Additionally we assume that init represents the circuit's initial state(s) and inv its states that satisfy the invariant.

Definition 5: A subset  $W \subseteq S$  is a winning set if all states in W satisfy the invariant and, for all values of the primary inputs, the black boxes can ensure (by computing appropriate values) that the successor state is again in W.

A given RISC is realizable if there is a winning set that includes the initial state of the circuit. This can be formulated as a DQBF. Similar to the combinational case, we have to take into account that the black boxes are typically not directly connected to the primary inputs, but to internal signals. This is done by restricting the requirement that the successor state is again a winning state to the case when the black box inputs are assigned consistently with the values computed by their input cones.



Fig. 3. Sequential circuit with two black boxes



Fig. 4. The same sequential circuit as in Fig. 3, but with a single black box

*Theorem 1:* Given a RISC as defined above, the following DQBF is satisfied if and only if the RISC is realizable:

$$\forall \vec{s} \,\forall \vec{s}' \forall \vec{x} \,\forall \vec{I}_1 \dots \forall \vec{I}_n \,\exists \vec{y}_1(\vec{I}_1) \dots \exists \vec{y}_n(\vec{I}_n) \,\exists w(\vec{s}) \,\exists w'(\vec{s}'): \\ (\text{init} \Rightarrow w) \wedge (w \Rightarrow \text{inv}) \wedge (\vec{s} \equiv \vec{s}' \Rightarrow w \equiv w') \wedge \\ \left( \left( w \wedge \bigwedge_{i=1}^n \vec{I}_i \equiv \vec{F}_i \wedge \text{trans} \right) \Rightarrow w' \right).$$

Theorem 2: RISC is NEXPTIME-complete.

**Proof:** The reduction to DQBF above shows that RISC is in NEXPTIME. To show the hardness, we give a reduction from DQBF to RISC. First we transform the DQBF into an incomplete combinational circuit as shown in [9] such that the output of the circuit is constantly 1 iff the DQBF is satisfied. We now turn this combinational circuit into a sequential circuit with two states by storing the output of the combinational circuit into a sequential circuit in a 1-bit flipflop s. The initial state is  $s \equiv 1$ , the invariant is given by  $s \equiv 1$ . The original DQBF is satisfied iff the unsafe state 0 can be made unreachable by appropriate black box implementations.

*Example 2:* We illustrate the solution of RISC using two incomplete circuits in Fig. 3 and 4. The circuits are simple, but still illustrate the basic idea. We first start with the circuit in Fig. 3. The sequential circuit in Fig. 3 consists of two parts. The first part on the left can be seen as the specification for a simple sequential circuit: There are two bit streams applied to the inputs bit<sub>1</sub> and bit<sub>2</sub>. The circuit computes the parities of

the bit streams applied to  $bit_1$  and  $bit_2$  and outputs 1 iff the parity for bit stream  $bit_1$  is smaller or equal to the parity for bit stream  $bit_2$ . The right hand side shows a given architecture for an implementation with two black boxes, one reading bit stream  $bit_1$  and the other reading bit stream  $bit_2$ . The outputs of the black boxes are connected by an equivalence gate. Then the output of the overall circuit is computed by an equivalence gate connecting the outputs of specification and incomplete implementation. We require the invariant property that the output of the overall circuit is 1 at all times, i.e., that the black boxes are implemented in a way such that the implementation part agrees with the specification part. For this simple example it is easy to see that a corresponding implementation does not exist, even for black boxes with unbounded memory. Here we use our method where the number of flip flops for each black box is restricted to one. Fig. 3 already shows the transformed circuit where the memory is extracted from the black boxes.

Applying Theorem 1, we obtain the following formula parts:

• initial state:

$$init := (\neg s_1 \land \neg s_2 \land \neg i_1 \land \neg i_2)$$

transition relation:

trans := 
$$(s'_1 \equiv s_1 \oplus \operatorname{bit}_1) \land (s'_2 \equiv s_2 \oplus \operatorname{bit}_1)$$
  
  $\land (i'_1 \equiv y^1_2) \land (i'_2 \equiv y^2_2)$ 

• invariant:

$$\operatorname{inv} := \left(\neg s_1 \lor s_2\right) \equiv \left(y_1^1 \equiv y_2^1\right)$$

Putting these parts together yields the following DQBF:

$$\forall \operatorname{bit}_1 \forall \operatorname{bit}_2 \forall s_1 \forall s_2 \forall s_2 \forall s_2 \forall i_1 \forall i_1 \forall i_2 \forall i_2' \\ \exists y_1^1(i_1, \operatorname{bit}_1) \exists y_2^1(i_1, \operatorname{bit}_1) \exists y_1^2(i_2, \operatorname{bit}_2) \exists y_2^2(i_2, \operatorname{bit}_2) \\ \exists w(s_1, s_2, i_1, i_2) \exists w'(s_1', s_2', i_1', i_2') : \\ (\operatorname{init} \Rightarrow w) \land (w \Rightarrow \operatorname{inv}) \land ((w \land \operatorname{trans}) \Rightarrow w') \\ \land (((s_1 \equiv s_1') \land (s_2 \equiv s_2') \land (i_1 \equiv i_1') \land (i_2 \equiv i_2')) \Rightarrow (w \equiv w')) \end{cases}$$

By applying a DQBF solver, one can verify that this formula is unsatisfiable, meaning that the design in Fig. 3 is not realizable.

Now consider the circuit in Fig. 4. It differs from the design in Fig. 3 only in the black boxes: Both black boxes can read both input signals bit<sub>1</sub> and bit<sub>2</sub>. Thus, the black boxes can equivalently be merged into one as shown in Fig. 4. It is easy to see that this implementation, which does not pay attention to the exact architecture by disregarding the interface of the black boxes, is now realizable. More precisely, it is realizable if we assume that the black box with bounded memory has at least 2 memory cells at its disposal. In Fig. 4 we depict the incomplete circuit with two memory cells extracted from the black box. Using our approach we can indeed prove realizability. The formula differs only in the dependency sets of the black box outputs:  $D_{y_1^1} = D_{y_2^1} = D_{y_1^2} = D_{y_2^2} = \{\text{bit}_1, \text{bit}_2, i_1, i_2\}$ . Now the formula is satisfiable. The following Skolem functions turn the matrix into a tautology:

| Variable    | $y_{1}^{1}$ | $y_2^1$                           | $y_{1}^{2}$         | $y_2^2$                           | w | w' |
|-------------|-------------|-----------------------------------|---------------------|-----------------------------------|---|----|
| Skolem fct. | 1           | $\operatorname{bit}_1 \oplus i_1$ | $\neg i_1 \lor i_2$ | $\operatorname{bit}_2 \oplus i_2$ | 1 | 1  |

Using these Skolem functions, the two flipflops in the right half store the same values as the two flipflops in the left half, i. e.,  $s_1 = i_1$  and  $s_2 = i_2$ . The equivalence  $y_1^1 \equiv y_2^1$  corresponds to  $1 \equiv (\neg i_1 \lor i_2)$ , which is the same as  $i_1 \leq i_2$ . Therefore the design is realizable.

For both incomplete circuits, our solver HQS [14] solved the DQBF in at most 0.1 seconds.

We can conclude that it is necessary to take the precise interfaces of the black boxes into account in order to obtain a valid answer whether the design is realizable.

## IV. SOLVING DQBFs

Elimination-based DQBF solvers like HQS [14], [15] apply a series of transformation steps to the formula until a SAT or QBF problem results, which can be solved by an arbitrary SAT or QBF solver. As a pure yes/no answer is not satisfactory when solving analysis problems as presented in the previous section, we provide the main ideas how Skolem functions can be extracted from the solution process. More details can be found in [24]. This extraction proceeds in the reverse order of transformation, starting with (constant) Skolem functions for the final SAT problem, which correspond to a satisfying assignment.

#### A. Transformation Steps

The central operation of elimination-based solvers is the elimination of existential and universal variables from the formula. QBF solvers can eliminate variables in the order given by the quantifier prefix (starting with the inner-most variable block). Because there is no linear order on the variables in a DQBF, this is typically no longer possible.

Lemma 1: Let  $\psi = Q$ :  $\phi$  be a DQBF and  $y \in V_{\psi}^{\exists}$  an existential variable which depends on all universal variables. Then  $\psi$  is equivalent to  $\psi' := Q \setminus \{\exists y(D_y)\} : \phi[0/y] \lor \phi[1/y].$ 

If  $s_z^{\psi'}$  for  $z \in V_{\psi'}^{\exists}$  are Skolem functions for the formula  $\psi'$ , obtained by eliminating  $y \in V_{\psi}^{\exists}$ , we set  $s_y^{\psi} := \phi[1/y][s_z^{\psi'}/z]$  and  $s_z^{\psi} := s_z^{\psi'}$  for  $z \neq y$ . This yields Skolem functions for  $\psi$ .

The elimination of universal variables in solvers like HQS [14] is done by *universal expansion* [25], [26], [27], [10]. This is applicable even if some existential variables depend upon the expanded universal one.

*Lemma* 2: For a DQBF  $\psi = \forall x_1 \dots \forall x_n \exists y_1(D_{y_1}) \dots \exists y_m(D_{y_m}) : \varphi$  with  $E_{x_i} = \{y_j \in V_{\psi}^{\exists} | x_i \in D_{y_j})\}$ , the *universal expansion* w.r.t. variable  $x_i \in V_{\psi}^{\forall}$ , is defined by

$$(Q \setminus \{x_i\}) \cup \{\exists y'_j(D_{y_j} \setminus \{x_i\}) \mid y_j \in E_{x_i}\} : \varphi[1/x_i] \land \varphi[0/x_i][y'_j/y_j \text{ for all } y_j \text{ with } x_i \in D_{y_i}].$$

That means, when eliminating a universal variable  $x \in V_{\psi}^{\forall}$ , we have to copy all existential variables  $y \in V_{\psi}^{\exists}$  that depend upon x.

Assume that  $s_z^{\psi'}$  for  $z \in V_{\psi'}^{\exists}$  are Skolem functions for  $\psi'$ . Then  $s_y^{\psi} := (x \wedge s_{y'}^{\psi'}) \vee (\neg x \wedge s_y^{\psi'})$  for  $y \in V_{\psi}^{\exists}$  with  $x \in D_y$  and  $s_z^{\psi} := s_y^{\psi'}$  for  $z \in V_{\psi}^{\exists}$  with  $x \notin D_z$  are Skolem functions for  $\psi$ .

In principle, these two operations suffice to turn each DQBF into an (exponentially larger) SAT problem. In order to reduce computation time and memory consumption, pre- and inprocessing steps have turned out to be essential.

Standard operations are the detection of unit and pure literals. A literal  $\ell$  is unit if  $(\ell)$  is a clause in the formula. A literal  $\ell$  is pure if  $\neg \ell$  does not appear in the formula. In both cases  $var(\ell)$  can be replaced by a constant (which is also the Skolem function for that variable). Further preprocessing techniques like blocked clause elimination, the identification of equivalent variables, and structure extraction have been devised for DQBF [15]. All of them are supported when Skolem functions are to be computed.

#### **B.** Elimination Sets

Since the expansion of all universal variables leads to an exponentially larger SAT instance, this is typically not feasible. Instead, the solver HQS eliminates variables only until a QBF is obtained, which can be solved by an arbitrary QBF solver. The central problem is to determine a minimum set of universal variables whose elimination turns the DQBF into a QBF [14]. To solve this, we can use the following dependency graph:

Definition 6: Let  $\psi$  be a DQBF. Its dependency graph  $G_{\psi} = (V_{\psi}^{\exists}, E_{\psi})$  is a directed graph with the existential variables as its nodes and edges  $E_{\psi} = \{(y, z) \in V_{\psi}^{\exists} \times V_{\psi}^{\exists} | D_y \not\subseteq D_z\}$ . It can be used to recognize if a DQBF is actually a QBF:

*Lemma 3:* Let  $\psi$  be a DQBF. Its dependency graph  $G_{\psi}$  is acyclic iff  $\psi$  has an equivalent QBF prefix.

That means we have to find a minimum set  $U \subseteq V_{\psi}^{\forall}$  of universal variables whose elimination makes  $G_{\psi}$  acyclic. One can show that for making the graph acyclic by eliminating universal variables, it suffices to consider the cycles of length 2. The selection of variables can be done using a MAXSAT solver: for each universal variable x a variable  $m_x$  is created in the MAXSAT solver such that  $m_x = 1$  means that x needs to be eliminated. Soft clauses are used to get an assignment with a minimum number of variables assigned to 1. Hard clauses enforce that for all  $y, z \in V_{\psi}^{\exists}, y \neq z$ , either all variables in  $D_y \setminus D_z$  or in  $D_z \setminus D_y$  are eliminated.

The variables in U are then eliminated, ordered according to the number of existential variables that depend upon them.

For more details, including formal correctness proofs, we refer the reader to [14].

#### C. Solver Overview

Fig. 5 shows the structure of the solver HQS. The input is a DQBF in CNF. After preprocessing, which is done on the CNF, gate detection is applied, essentially undoing Tseitin transformation and removing the existential variables introduced by the CNF transformation. The result is a representation of the formula as an And-Inverter graph (AIG), on which the further steps are performed. Before the actual elimination loop starts, we determine a minimum elimination set as described above.



Fig. 5. Structure of the solver

Within the elimination loop, we check for unit and pure variables, which can be replaced by constants. This is done on the AIG using syntactic checks. Additionally, all existential variables are eliminated for which this is possible. Otherwise they would double for each eliminated universal variable. Then we check if the dependency graph has already become acyclic. If this is the case we generate the corresponding QBF prefix and solve the formula using the QBF solver AIGsolve [28], which operates directly on AIGs. Otherwise we select the next universal variable to eliminate and expand it.

#### V. EXPERIMENTAL RESULTS

In the following we present preliminary experimental results for incomplete combinational circuits. To solve the DQBFs, we use our elimination-based DQBF solver HQS [14], which was described briefly in the previous section.

We have extended HQS by the possibility to compute Skolem functions for satisfied DQBFs. The computation of Skolem functions works in two phases: During the solution process we collect the necessary data and store it on a stack. When the satisfiability of the formula has been determined, we free the other data structures of the solver and extract the Skolem functions from the collected data. We can apply don't-care minimization to the Skolem functions, based on Craig interpolants [29], and use the tool ABC [30] for further minimization of the Skolem functions' AIG representation.

All experiments were run on one Intel Xeon E5-2650v2 CPU core at 2.60 GHz clock frequency and 64 GB of main memory under Ubuntu Linux as operating system. We aborted all experiments which either took more than 1000 s CPU time or more than 8 GB (=  $2^{30}$  bytes) of main memory. As benchmarks we used 4318 DQBF instances from different sources. Most of them are DQBFs resulting from equivalence checking of incomplete combinational circuits [10], [31], [13]. The remaining ones are controller synthesis problems [7].



Fig. 6. Computation times (in seconds) of HQS and iDQ (both with preprocessing) on PEC instances [14], [31], [13] (left) and instances from controller synthesis [7] (right)

We first compare the efficiency of HQS with the only other available DQBF solver iDQ [13], which solves the formula by iteratively solving SAT instances generated from the DQBF. Both solvers were run after preprocessing the DQBFs. Since iDQ relies on a formula in CNF, while HQS does not, different preprocessing operations had to be applied: besides standard techniques like the detection of unit and pure literals and equivalent variables, preprocessing for HQS applies gate detection, which reverses Tseitin transformation in order to reconstruct the original circuit. This is not possible in case of iDQ. Instead, for iDQ, we apply blocked clause elimination and variable elimination by resolution, which are both not beneficial for HQS. We refer the reader to [15] for more details on DQBF preprocessing.

Figure 6 shows the results for incomplete combinational circuits (left, 3686 instances) and instances from controller synthesis (right, 89 instances) for those instances that could be solved by at least one solver; the remaining 543 instances could not be solved. The controller synthesis instances are incomplete sequential circuits with a single black box that can read all state bits and all primary inputs. We can observe in both cases, that HQS (with few exceptions) is more efficient and solves considerably more instances than iDQ.

In spite of the improvements made during the last few years, the size of the instances that can effectively be solved is smaller by roughly one to two orders of magnitude than solvable QBF instances – strongly dependent on the number of variable copies which are created to obtain an equivalent QBF.

The second set of experiments concerns the computation of Skolem functions for satisfiable DQBFs. We first measured the overhead of collecting the necessary data for computing Skolem functions during the solution process, i.e., until the truth value of the formula has been determined. The results are shown in Figure 7. We can observe that the overhead is in most cases negligible – in a very few cases, the memory consumption is even reduced. The reason for this behavior is that within the AIG package different optimizations like rewriting is triggered when certain thresholds are exceeded. This can lead to smaller AIGs and thus save memory (and computation time for the subsequent operations).



Fig. 7. Overhead of Skolem function computation on memory consumption (left) and running time (right)



Fig. 8. Size of the computed Skolem functions with and without optimizations

For all 720 satisfiable instances we were able to solve without Skolem functions, we could also compute Skolem functions. For these instances we compare the sizes of the Skolem functions with and without optimizations using interpolation and ABC. Figure 8 displays the results. In many cases, we can reduce the sizes of the Skolem functions considerably, sometimes by up to two orders of magnitude.

Because QBFs are a special case of DQBFs, we can use HQS to compute Skolem functions for satisfied QBFs as well. In Fig. 9, we compare the sizes of the Skolem functions generated by HQS with those generated by the state-of-the-art QBF solver DEPQBF 5.0 [32], [33] for a set of satisfiable QBF instances from the QBF Gallery 2013<sup>1</sup> and from partial equivalence checking [4] (with a single black box). Since HQS (and in particular its preprocessor) is not optimized for solving QBF instances, we abstain from a detailed comparison of the running times of HQS and DEPQBF. DEPQBF is often (but not always) faster than HQS. In a few cases, the generation of Skolem functions with DEPQBF failed, because the necessary resolution proof became too large (we aborted DEPQBF when the size of the dumped resolution proof exceeded 20 GB).

Fig. 9 shows the sizes of the Skolem functions computed by DEPQBF and by HQS (with interpolation and ABC). To enable a fair comparison, we also applied ABC with the same commands to the Skolem functions generated using DEPQBF. We can observe that HQS' Skolem functions are in most cases smaller (often significantly) than those obtained from DEPQBF.

In summary, the experiments show that HQS is able to solve



Fig. 9. Comparison of the sizes of Skolem functions from HQS and from DEPQBF on QBF instances. The instances are ordered according to the size of DEPQBF's Skolem functions

the DQBFs resulting from small to medium-sized circuits effectively. We can not only obtain a pure yes/no answer, but also Skolem functions for the satisfiable instances without significant overhead. On satisfiable *QBF* instances, the size of the Skolem functions computed by HQS is similar, in many cases smaller in comparison to Skolem functions computed by DEPQBF.

As a side remark, the example provided in Section III could easily be solved with a DQBF solver. Benchmarks dealing with the synthesis of multiple black boxes in sequential circuits currently do not exist, but would be interesting to have.

## VI. CONCLUSION AND OPEN CHALLENGES

This paper has shown that DQBF formulations allow to express the realizability of invariant properties for incomplete combinational and sequential circuits with multiple black boxes in a natural way. First prototypic solvers allow not only to solve the resulting DQBFs for small to medium-sized circuits, but also to extract Skolem functions, which can serve as implementations of the missing parts.

Still, many challenges remain: The scalability of the solvers has to be improved and might be tuned towards specific applications. More powerful preprocessing techniques are necessary as well as improvements in the solver core. We hope that with the availability of solvers more applications of these techniques become feasible (distributed controller synthesis) or are newly discovered thereby inspiring further improvements of the solvers – just as it was for propositional SAT solving and is for QBF solving.

#### REFERENCES

- A. Biere, A. Cimatti, E. M. Clarke, O. Strichman, and Y. Zhu, "Bounded model checking," *Advances in Computers*, vol. 58, pp. 117–148, 2003.
- [2] E. M. Clarke, A. Biere, R. Raimi, and Y. Zhu, "Bounded model checking using satisfiability solving," *Formal Methods in System Design*, vol. 19, no. 1, pp. 7–34, 2001.
- [3] P. Ashar, M. K. Ganai, A. Gupta, F. Ivancic, and Z. Yang, "Efficient SATbased bounded model checking for software verification," in *Int'l Symp.* on Leveraging Applications of Formal Methods (ISoLA), ser. Technical Report, T. Margaria, B. Steffen, A. Philippou, and M. Reitenspieß, Eds., vol. TR-2004-6. Paphos, Cyprus: Department of Computer Science, University of Cyprus, Oct. 2004, pp. 157–164.
- [4] C. Scholl and B. Becker, "Checking equivalence for partial implementations," in *Proc. of DAC*. Las Vegas, NV, USA: ACM Press, Jun. 2001, pp. 238–243.

<sup>&</sup>lt;sup>1</sup>see http://www.kr.tuwien.ac.at/events/qbfgallery2013/

- [5] S. Eggersglüß and R. Drechsler, "A highly fault-efficient SAT-based ATPG flow," *IEEE Design & Test of Computers*, vol. 29, no. 4, pp. 63–70, 2012.
- [6] A. Czutro, I. Polian, M. D. T. Lewis, P. Engelke, S. M. Reddy, and B. Becker, "Thread-parallel integrated test pattern generator utilizing satisfiability analysis," *Int'l Journal of Parallel Programming*, vol. 38, no. 3-4, pp. 185–202, 2010.
- [7] R. Bloem, R. Könighofer, and M. Seidl, "SAT-based synthesis methods for safety specs," in *Proc. of VMCAI*, ser. LNCS, K. L. McMillan and X. Rival, Eds., vol. 8318. San Diego, CA, USA: Springer, Jan. 2014, pp. 1–20.
- [8] S. A. Cook, "The complexity of theorem-proving procedures," in *Proc.* of STOC. ACM Press, 1971, pp. 151–158.
- [9] K. Gitina, S. Reimer, M. Sauer, R. Wimmer, C. Scholl, and B. Becker, "Equivalence checking for partial implementations revisited," in *Proc.* of *MBMV*, C. Haubelt and D. Timmermann, Eds. Rostock, Germany: Universität Rostock, ITMZ, Mar. 2013, pp. 61–70.
- [10] —, "Equivalence checking of partial designs using dependency quantified Boolean formulae," in *Proc. of ICCD*. Asheville, NC, USA: IEEE CS, Oct. 2013, pp. 396–403.
- [11] G. Peterson, J. Reif, and S. Azhar, "Lower bounds for multiplayer noncooperative games of incomplete information," *Computers & Mathematics with Applications*, vol. 41, no. 7–8, pp. 957–992, Apr. 2001.
- [12] A. Fröhlich, G. Kovásznai, and A. Biere, "A DPLL algorithm for solving DQBF," in *Int'l Workshop on Pragmatics of SAT (POS)*, Trento, Italy, 2012.
- [13] A. Fröhlich, G. Kovásznai, A. Biere, and H. Veith, "iDQ: Instantiationbased DQBF solving," in *Int'l Workshop on Pragmatics of SAT (POS)*, ser. EPiC Series, D. L. Berre, Ed., vol. 27. Vienna, Austria: EasyChair, Jul. 2014, pp. 103–116.
- [14] K. Gitina, R. Wimmer, S. Reimer, M. Sauer, C. Scholl, and B. Becker, "Solving DQBF through quantifier elimination," in *Proc. of DATE*. Grenoble, France: IEEE, Mar. 2015.
- [15] R. Wimmer, K. Gitina, J. Nist, C. Scholl, and B. Becker, "Preprocessing for DQBF," in *Proc. of SAT*, ser. LNCS, M. Heule and S. Weaver, Eds., vol. 9340. Austin, TX, USA: Springer, Sep. 2015, pp. 173–190.
- [16] T. Nopper and C. Scholl, "Symbolic model checking for incomplete designs with flexible modeling of unknowns," *IEEE Trans. Computers*, vol. 62, no. 6, pp. 1234–1254, 2013.
- [17] M. Herbstritt, B. Becker, and C. Scholl, "Advanced SAT-techniques for bounded model checking of blackbox designs," in *Proc. of MTV*. IEEE, 2006, pp. 37–44.
- [18] W. Damm and B. Finkbeiner, "Automatic compositional synthesis of distributed systems," in *Proc. of FM*, ser. LNCS, C. B. Jones, P. Pihlajasaari, and J. Sun, Eds., vol. 8442. Singapore: Springer, May 2014, pp. 179–193.

- [19] B. Finkbeiner and S. Schewe, "Bounded synthesis," *STTT*, vol. 15, no. 5-6, pp. 519–539, 2013.
- [20] C. H. Seger and R. E. Bryant, "Formal verification by symbolic evaluation of partially-ordered trajectories," *Formal Methods in System Design*, vol. 6, no. 2, pp. 147–189, 1995.
- [21] C. H. Seger, R. B. Jones, J. W. O'Leary, T. F. Melham, M. Aagaard, C. Barrett, and D. Syme, "An industrially effective environment for formal hardware verification," *IEEE Trans. on CAD of Integrated Circuits and Systems*, vol. 24, no. 9, pp. 1381–1405, 2005.
- [22] A. Pnueli and R. Rosner, "Distributed reactive systems are hard to synthesize," in *Annual Symp. on Foundations of Computer Science*. St. Louis, Missouri, USA: IEEE Computer Society, Oct. 1990, pp. 746–757.
- [23] G. S. Tseitin, "On the complexity of derivation in propositional calculus," *Studies in Constructive Mathematics and Mathematical Logic*, vol. Part 2, pp. 115–125, 1970.
- [24] K. Gitina, R. Wimmer, C. Scholl, and B. Becker, "Skolem functions for DQBF," in *submitted for publication*, 2016.
- [25] U. Bubeck and H. K. Büning, "Dependency quantified Horn formulas: Models and complexity," in *Proc. of SAT*, ser. LNCS, A. Biere and C. P. Gomes, Eds., vol. 4121. Seattle, WA, USA: Springer, Aug. 2006, pp. 198–211.
- [26] U. Bubeck, "Model-based transformations for quantified Boolean formulas," Ph.D. dissertation, University of Paderborn, 2010.
- [27] V. Balabanov, H. K. Chiang, and J. R. Jiang, "Henkin quantifiers and Boolean formulae: A certification perspective of DQBF," *Theoretical Computer Science*, vol. 523, pp. 86–100, 2014.
- [28] F. Pigorsch and C. Scholl, "Exploiting structure in an AIG based QBF solver," in *Proc. of DATE*. IEEE, 2009, pp. 1596–1601.
  [29] K. L. McMillan, "Applications of Craig interpolants in model checking,"
- [29] K. L. McMillan, "Applications of Craig interpolants in model checking," in *Proc. of TACAS*, ser. LNCS, N. Halbwachs and L. D. Zuck, Eds., vol. 3440. Edinburgh, UK: Springer, Apr. 2005, pp. 1–12.
- [30] R. K. Brayton and A. Mishchenko, "ABC: an academic industrial-strength verification tool," in *Proc. of CAV*, ser. LNCS, T. Touili, B. Cook, and P. Jackson, Eds., vol. 6174. Edinburgh, UK: Springer, Jul. 2010, pp. 24–40.
- [31] B. Finkbeiner and L. Tentrup, "Fast DQBF refutation," in *Proc. of SAT*, ser. LNCS, C. Sinz and U. Egly, Eds., vol. 8561. Vienna, Austria: Springer, Jul. 2014, pp. 243–251.
- [32] F. Lonsing and A. Biere, "DepQBF: A dependency-aware QBF solver," *Journal on Satisfiability, Boolean Modelling and Computation*, vol. 7, no. 2-3, pp. 71–76, 2010.
- [33] F. Lonsing, F. Bacchus, A. Biere, U. Egly, and M. Seidl, "Enhancing search-based QBF solving by dynamic blocked clause elimination," in *Proc. of LPAR*, ser. LNCS, M. Davis, A. Fehnker, A. McIver, and A. Voronkov, Eds., vol. 9450. Suva, Fiji: Springer, Nov. 2015, pp. 418–433.