An Introduction to Binary Decision Diagrams

Home , Binary decision diagram

Henrik Reif Andersen

y z

1 0

Lecture notes for Efﬁcient Algorithms and Programs, Fall 1999.

E-mail: [email protected]. Web: http://www.itu.dk/people/hra

The IT University of Copenhagen Glentevej 67 2400 Copenhagen NV. 1 2

Preface

This note is a short introduction to Binary Decision Diagrams. It provides some background knowledge and describes the core algorithms. More details can be found in Bryant’s original paper on Reduced Ordered Binary Decision Diagrams [Bry86] and the survey paper [Bry92]. A recent extension called Boolean Expression Diagrams is described in [AH97]. This note is a revision of an earlier version from fall 1996 (based on versions from 1995 and 1994). The major differences are as follows: Firstly, ROBDDs are now viewed as nodes of one global graph with one fixed ordering to reflect state-of-the-art of efficient BDD packages. The algorithms have been changed (and simplified) to reflect this fact. Secondly, a proof of the canonicity lemma has been added. Thirdly, the sections presenting the algorithms have been completely restructured. Finally, the project proposal has been revised.

Acknowledgements

Thanks to the students on the courses of fall 1994, 1995, and 1996 for helping me debug and improve the notes. Thanks are also due to Hans Rischel, Morten Ulrik Sørensen, Niels Maretti, Jørgen Staunstrup, Kim Skak Larsen, Henrik Hulgaard, and various people on the Internet who found typos and suggested improvements. 3 CONTENTS 4

Contents

1 Boolean Expressions 6

2 Normal Forms 7

3 Binary Decision Diagrams 8

4 Constructing and Manipulating ROBDDs 15 4.1 MK ...... 15 4.2 BUILD ...... 16 4.3 APPLY ...... 17 4.4 RESTRICT ...... 19 4.5 SATCOUNT, ANYSAT, ALLSAT ...... 21 4.6 SIMPLIFY ...... 23 4.7 Existential Quantiﬁcation and Substitution ...... 25

5 Implementing the ROBDD operations 26

6 Examples of problem solving with ROBDDs 27 6.1 The 8 Queens problem ...... 27 6.2 Correctness of Combinational Circuits ...... 28 6.3 Equivalence of Combinational Circuits ...... 28

7 Veriﬁcation with ROBDDs 29 7.1 Knights tour ...... 32

8 Project: An ROBDD Package 34

References 35 CONTENTS 5 1 BOOLEAN EXPRESSIONS 6

1 Boolean Expressions

The classical calculus for dealing with truth values consists of Boolean variables ¢¡¤£¥¡§¦¨¦©¦ , the

constants true and false , the operators of conjunction , disjunction , negation , implication , and bi-implication which together form the Boolean expressions. Sometimes the variables are called propositional variables or propositional letters and the Boolean expressions are then known as Propositional Logic.

Formally, Boolean expressions are generated from the following grammar:

where ranges over a set of Boolean variables. This is called the abstract syntax of Boolean expressions. The concrete syntax includes parentheses to solve ambiguities. Moreover, as a

common convention it is assumed that the operators bind according to their relative priority.

The priorities are, with the highest ﬁrst: , , , , . Hence, for example

! "

!# $# $# %¦

A Boolean expression with variables &¡§¦§¦§¦'¡! ( denotes for each assignment of truth values to

the variables itself a truth value according to the standard truth tables, see ﬁgure 1. Truth assign-

-¡ /¡ §¡ &0

.+ ,+ .+

ments are written as sequences of assignments of values to variables, e.g., )* ,+

which assigns to and , to and . With this particular truth assignment the above

-¡ §¡ 2¡ ¤0

)* 1+ .+ ,+ ,+

expression has value , whereas yields .

Figure 1: Truth tables.

3 76

The set of truth values is often denoted . If we ﬁx an ordering( of the variables

3 8 of a Boolean expression we can view as deﬁning a function from 3 to where is the

number of variables. Notice, that the particular ordering chosen for the variables is essential

for what function is deﬁned. Consider for example the expression . If we choose the

:9;£ ¢¡!£=# £

ordering then this is the function < , true if the ﬁrst argument implies the

£@¡" @# £ £>9? second, but if we choose the ordering then it is the function < , true if the second argument implies the ﬁrst. When we later consider compact representations of Boolean

expressions, such variable orderings play a crucial role. BA Two Boolean expressions and are said to be equal if they yield the same truth value for all truth assignments. A Boolean expression is a tautology if it yields true for all truth assignments;

it is satisﬁable if it yields true for at least one truth assignment.

Exercise 1.1 Show how all operators can be encoded using only and . Use this to argue that

any Boolean expression can be written using only , , variables, and applied to variables.

A A

Exercise 1.2 Argue that and are equal if and only if is a tautology. Is it possible to

say whether is satisﬁable from the fact that is a tautology? 2 NORMAL FORMS 7

2 Normal Forms

A Boolean expression is in Disjunctive Normal Form (DNF) if it consists of a disjunction of

conjunctions of variables and negations of variables, i.e., if it is of the form

C HJI JI JI

# #

F&G FLK

ED2D2D. ED2D2D. D2D2D§

(1)

NM O M O M O

where each is either a variable or a negation of a variable . An example is

£Q# £=#

P £

which is a well-known function of and (which one?). A more succinct presentation of (1) is

to write it using indexed versions of and :

FWV

X R

O"YZ

M!S S

Similarly, a Conjunctive Normal Form (CNF) is an expression that can be written as

FWV

X R

M O"YZ

M!S S NM where each O is either a variable or a negated variable. It is not difﬁcult to prove the following proposition:

Proposition 1 Any Boolean expression is equal to an expression in CNF and an expression in DNF.

In general, it is hard to determine whether a Boolean expression is satisﬁable. This is made precise by a famous theorem due to Cook [Coo71]:

Theorem 1 (Cook) Satisﬁability of Boolean expressions is NP-complete.

(For readers unfamiliar with the notion of NP-completeness the following short summary of the pragmatic consequences suffices. Problems that are NP-complete can be solved by algorithms that run in exponential time. No polynomial time algorithms are known to exist for any of the NP-complete problems and it is very unlikely that polynomial time algorithms should indeed exist although nobody has yet been able to prove their non-existence.) Cook’s theorem even holds when restricted to expressions in CNF. For DNFs satisfiability is decidable in polynomial time but for DNFs the tautology check is hard (co-NP complete). Although satisfiability is easy for DNFs and tautology check easy for CNFs, this does not help us since the conversion between CNFs and DNFs is exponential as the following example

shows.

( (

¡§¦/¦§¦" ¡! ¡§¦§¦/¦/¡!

[

Consider the following CNF over the variables [ :

( (

# # #\¦

[ [ [

ED2D2D.

3 BINARY DECISION DIAGRAMS 8 O

The corresponding DNF is a disjunction which has a disjunct for each of the 8 -digit binary

¦/¦§¦ ¦/¦§¦

[

7 1 1 7 7 1 ]

numbers from 1 7 to — the ’th digit representing a choice of either (for

) or (for ): (_^

(

[

[ [ [

D2D2D2

(_^

(

[ [ [

D2D2D2 .

. (_^

(

[

D2D2D2

(_^

(

#\¦

D2D2D§

Whereas the original expression has size proportional to 8 the DNF has size proportional to (

8a` . The next section introduces a normal form that has more desirable properties than DNFs and CNFs. In particular, there are efﬁcient algorithms for determining the satisﬁability and tautology questions.

Exercise 2.1 Describe a polynomial time algorithm for determining whether a DNF is satisﬁ- able.

Exercise 2.2 Describe a polynomial time algorithm for determining whether a CNF is a tautology.

Exercise 2.3 Give a proof of proposition 1.

Exercise 2.4 Explain how Cook’s theorem implies that checking in-equivalence between Boolean expressions is NP-hard.

Exercise 2.5 Explain how the question of tautology and satisﬁability can be decided if we are given an algorithm for checking equivalence between Boolean expressions.

3 Binary Decision Diagrams

>b £ ¡¤£c

Let [ be the if-then-else operator deﬁned by

>b £ ¡¤£c £ # £d"#

[ [

b ¡ [ hence, [ is true if and are true or if is false and is true. We call the test

expression. All operators can easily be expressed using only the if-then-else operator and the constants and . Moreover, this can be done in such a way that all tests are performed only on

(un-negated) variables and variables occur in no other places. Hence the operator gives rise to a

eb ¡ # £ eb £fb ¡ #$¡ £fb ¡ #

new kind of normal form. For example, is , is .

eb ¡

Since variables must only occur in tests the Boolean expression is represented as .

An If-then-else Normal Form (INF) is a Boolean expression built entirely from the

if-then-else operator and the constants and such that all tests are performed only on variables.

3 BINARY DECISION DIAGRAMS 9

If we by )* 1+ denote the Boolean expression obtained by replacing with in then it is

not hard to see that the following equivalence holds:

eb 0h¡ 0,¦ )i ,+

)g .+ (2)

This is known as the Shannon expansion of with respect to . This simple equation has a

lot of useful applications. The ﬁrst is to generate an INF from any expression . If contains

no variables it is either equivalent to or which is an INF. Otherwise we form the Shannon

0 0 )g .+

expansion of with respect to one of the variables in . Thus since )* 1+ and both

contain one less variable than , we can recursively ﬁnd INFs for both of these; call them [ and

. An INF for is now simply

eb $¡ ¦ [

We have proved:

Proposition 2 Any Boolean expression is equivalent to an expression in INF.

£d"# £7&#

Example 1 Consider the Boolean expression . If we ﬁnd an INF of by selecting in order the variables $¡¤£d-¡! 2¡¤£_ on which to perform Shannon expansions, we

get the expressions

mb -¡

[

£cjb ¡

[ [B[

£cjb B$¡

nb $¡

[B[ [B[ [B[B[

B nb BB$¡ B

[

£7ob ¡

[B[B[

£7ob ¡

[B[

B £7ob ¡

[

BB £7ob ¡

Figure 2 shows the expression as a tree. Such a tree is also called a decision tree. p

A lot of the expressions are easily seen to be identical, so it is tempting to identify them. For

B BB

[B[B[ [B[

example, instead of [ we can use and instead of we can use . If we substitute

B B BB B

[ [B[ [B[

[B[B[ for in the right-hand side of and also for , we in fact see that and are

B identical, and in we can replace with [B[ . If we in fact identify all equal subexpressions we end up with what is known as a binary decision diagram (a BDD). It is no longer a tree of Boolean expressions but a directed acyclic graph (DAG).

Applying this idea of sharing, can now be written as:

mb -¡

[

£cjb ¡

[ [B[

£cjb ¡

[B[

nb $¡

[B[ [B[ [B[B[

£7ob ¡

[B[B[

£7ob ¡

[B[

3 BINARY DECISION DIAGRAMS 10

q,r

u/r u/r

q7v q7v

u$v u$v u$v u$v

s t t s t t s t t s

£cL# £_-#

Figure 2: A decision tree for . Dashed lines denote low-branches, solid lines high-branches.

Each subexpression can be viewed as the node of a graph. Such a node is either terminal in the case of the constants and , or non-terminal. A non-terminal node has a low-edge

corresponding to the else-part and a high-edge corresponding to the then-part. See ﬁgure 3. x Notice, that the number of nodes has decreased from w in the decision tree to in the BDD. It is not hard to imagine that if each of the terminal nodes were other big decision trees the savings would be dramatic. Since we have chosen to consistently select variables in the same order in the recursive calls during the construction of the INF of , the variables occur in the same orderings on all paths from the root of the BDD. In this situation the binary decision diagram is

said to be ordered (an OBDD). Figure 3 shows a BDD that is also an OBDD.

Figure 4 shows four OBDDs. Some of the tests (e.g., on in y ) are redundant, since both the low- and high-branch lead to the same node. Such unnecessary tests can be removed: any reference to the redundant node is simply replaced by a reference to its subnode. If all identical nodes are shared and all redundant tests are eliminated, the OBDD is said to be reduced (an ROBDD). ROBDDs have some very convenient properties centered around the canonicity lemma below. (Often when people speak about BDDs they really mean ROBDDs.) To summarize:

3 BINARY DECISION DIAGRAMS 11

z z

s s

{

z\{ z@{

} ~

£c"# £_-# 9£co9 9£7

Figure 3: A BDD for with ordering . Low-edges are

drawn as dotted lines and high-edges as solid lines.

| |

s s

{

~ ~

} ~

a b c d

Figure 4: Four OBDDs: a) An OBDD for . b) Another OBDD for with two redundant tests.

c) Same as y with one of the redundant tests removed. d) An OBDD for with one redundant test.

3 BINARY DECISION DIAGRAMS 12

q q

Figure 5: The ordering and reducedness conditions of ROBDDs. Left: Variables must be ordered. Middle: Nodes must be unique. Right: Only non-redundant tests should be present.

A Binary Decision Diagram (BDD) is a rooted, directed acyclic graph with

one or two terminal nodes of out-degree zero labeled 0 or 1, and

a set of variable nodes of out-degree two. The two outgoing edges are

# #

c©

given by two functions and . (In pictures, these are shown

# as dotted and solid lines, respectively.) A variable 7 is associated with each variable node.

A BDD is Ordered (OBDD) if on all paths through the graph the variables respect

9 9 9 (

a given linear order D2D2D . An (O)BDD is Reduced (R(O)BDD) if

(uniqueness) no two distinct nodes and have the same variable name

and low- and high-successor, i.e.,

# #$¡ # #-¡ # # ¡

7 c© c© 7 implies

and

(non-redundant tests) no variable node has identical low- and high-

successor, i.e.,

# #\¦

c©

The ordering and reducedness conditions are shown in ﬁgure 5. ROBDDs have some interesting properties. They provide compact representations of Boolean

expressions, and there are efﬁcient algorithms for performing all kinds of logical( operations on

3 3 ROBDDs. They are all based on the crucial fact that for any function < there is

exactly one ROBDD representing it. This means, in particular( , that there is exactly one ROBDD

for the constant true (and constant false) function on 3 : the terminal node (and in case of false). Hence, it is possible to test in constant time whether an ROBDD is constantly true or false. (Recall that for Boolean expressions this problem is NP-complete.) To make this claim more precise we must say what we mean for an ROBDD to represent

a function. First, it is quite easy to see how the nodes of an ROBDD inductively deﬁnes

Boolean expressions B : A terminal node is a Boolean constant. A non-terminal node marked with is an if-then-else expression where the condition is and the two branches are the

Boolean expressions given by the low- or high-son, respectively:

[

'¢ /¢

"" /¡ ¤£ ¤B¥¡

#jb ¡ ¡

7 if is a variable node.

3 BINARY DECISION DIAGRAMS 13

n9 9 9 ( D2D2D

Moreover, if is the variable ordering( of the ROBDD, we associate with each

-¡ 2¡/¦§¦§¦/¡ (1#n¦ &¡ §¡§¦§¦/¦/¡ ( (70

< y y y 3 )*y + y + y + node the function that maps to the truth value of . We can now state the key lemma:

Lemma 1 (Canonicity( lemma)

b §9? 9

3 3

For any function < there is exactly one ROBDD with variable ordering

$¡/¦§¦§¦/¡" (,# 9 (

< <

D2D2D such that .

8 Proof: The proof is by induction on the number of arguments of < . For there are only two Boolean functions, the constantly false and constantly true functions. Any ROBDD containing

at least one non-terminal node is non-constant. (Why?) Therefore there is exactly one ROBDD

for each of these: the terminals and . 8

Assume now that we have proven the lemma for all functions(§«@ of arguments. We proceed

3 < 3

to show it for all functions of 8©ª arguments. Let be any Boolean function of

[

< < 8

8© arguments. Define the two functions and of arguments by fixing the first argument

of < to respectively :

2¡§¦§¦/¦'¡! (§«@!# ¡" 2¡§¦§¦§¦$¡! (2«@!# ¦

< y y 3

<.¬ for .

[

< < (Sometimes < and are called the negative and positive co-factors of with respect to .)

These functions satisfy the following equation:

-¡/¦§¦§¦/¡" (,# mb §¡/¦§¦§¦/¡" (,#-¡ 2¡§¦§¦§¦'¡! (1#\¦

[

< <

< (3)

[

< 8

Since < and take only arguments we assume by induction that there are unique ROBDD

[ [

< < < <

nodes and with and .

G G

'n 'o

[ [

< < < < < < <

There are two cases to consider. If then and .

[

< <

Hence is an ROBDD for . It is also the only ROBDD for since due to the ordering,

if is at all present in the ROBDD rooted at , would need to be the root node. However, if

'¢ '¢ $

£ ¤J¥¡ "¯W§¡

B0 J0

[ [

< < < )i ,+ < < < )® 2+ < < < <

< then and . Since

< by assumption, the low- and high-son of would be the same, making the ROBDD violate

the reducedness condition of non-redundant tests.

2¡§¦§¦/¦'¡! (§«@

[

< <

If then by the induction hypothesis (using the names in

$¡§¦§¦/¦/¡! ( # # #

[

7 c©

place of ). We take to be the node with , , and

G G

$ $°

b ¡

[

< < < < < < <

, i.e., which is reduced. By assumption and therefore

< <¥² < <¥²

using (3) we get < . Suppose that is some other node with . Clearly, must

J0³ 0 0 J0

[

<²1)g .+ < <²1)i ,+ <¥²_)g .+ <

depend on , i.e., <¥²_)i ,+ (otherwise also , a

# #

contradiction). Due to the ordering this means that 7 . Moreover, from

¢ $ ¢

£ ¤J¥¡ "¯W/¡

[

² ² ²

< < < < < < <

< it follows that and , which by the induction

# # # #

[

c© c©

hypothesis implies that and . From the

p reducedness property of uniqueness it follows that .

An immediate consequence is the following. Since the terminal is an ROBDD for all variable orderings it is the only ROBDD that is constantly true. So in order to check whether an ROBDD

is constantly true it sufﬁces to check whether it is the terminal which is deﬁnitely a constant

time operation. Similarly, ROBDDs that are constantly false must be identical to the terminal . In fact, to determine whether two Boolean functions are the same, it sufﬁces to construct their ROBDDs (in the same graph) and check whether the resulting nodes are the same! 3 BINARY DECISION DIAGRAMS 14

The ordering of variables chosen when constructing an ROBDD has a great impact on the

£d"# £_-#

size of the ROBDD. If we consider again the expression and construct 9´ f9µ£c¨9µ£_

an ROBDD using the ordering the ROBDD consists of w nodes (ﬁgure 6) n9£c°9 9?£7

and not x nodes as for the ordering (ﬁgure 3).

{ {

| |

z z z z

s s s s

z@{ z@{

£d"# £_-# n9 9?£d°9?£7

Figure 6: The ROBDD for with variable ordering .

Exercise 3.1 Show how to express all operators from the if-then-else operator and the constants

and .

£cL# £7&# £7&#

Exercise 3.2 Draw the ROBDDs for with orderings n9£co9 ¶9£79 9?£7

n9 9 9?£do9£79£7 and .

£d"# £_-# o9 9?£co9£_

Exercise 3.3 Draw the ROBDDs for with orderings and o9?£co9 9£7 . How does it compare with the example in ﬁgures 3 and 6? Based on the

examples you have seen so far, what variable ordering would you recommend for constructing

£ # £d"# £7-# £7-#

F F

ED2D2D.

a small ROBDD for ?

(Q¡ ¸·¹8

Exercise 3.4 Give an example of a sequence of ROBDDs which induces exponen-

( #

º 8

tially bigger decision trees. I.e., if has size then the decision tree should have size

(

# ` º .

Exercise 3.5 Construct an ROBDD of maximum size over six variables. 4 CONSTRUCTING AND MANIPULATING ROBDDS 15

b ¡&¾B¡-¿#

½¼ ]

c©

var À

5 6

` Á

4 Á

Â Â

Á `

À ` Á

2 3

x ` Á

À x

Figure 7: Representing an ROBDD with ordering §9Ä 9? ¶9? . The numbers inside the vertices are the identities used in the representation. The numbers and are reserved for the terminal nodes. The numbers to the right of the ROBDD shows the index of the variables in the

ordering. The constants are assigned an index which is the number of variables in the ordering

À plus one (here Á©ª ). This makes some subsequent algorithms easier to present. The low- and high-ﬁelds are unused for the terminal nodes.

4 Constructing and Manipulating ROBDDs

In the previous section we saw how to construct an OBDD from a Boolean expression by a simple recursive procedure. The question arises now how do we construct a reduced OBDD? One way is to ﬁrst construct an OBDD and then proceed by reducing it. Another more appealing approach, which we follow here, is to reduce the OBDD during construction.

To describe how this is done we will need an explicit representation of ROBDDs. Nodes

¡ ¡ ¡§¦§¦/¦

will be represented as numbers with and reserved for the terminal nodes. The

E9Å 9 9Å ( ¡ ¡§¦/¦§¦'¡

` 8

variables in the ordering D2D2D are represented by their indices .

b ¡&¾B¡-¿#

]

The ROBDD is stored in a table Æ¼ which maps a node to its three attributes

# # ¾ # ¿

] c© 7 , , and . Figure 7 shows the representation of the ROBDD from ﬁgure 3 (with the variable names changed to 9 ¶9 ¶9 ).

4.1 MK

In order to ensure that the OBDD being constructed is reduced, it is necessary to determine from

¡&¾B¡-¿# # ¡ # ¾ # ¿

7 ] c©

a triple ] whether there exists a node with , and .

¡&¾B¡-¿# b ¡&¾B¡-¿#

] ¼ ]

For this purpose we assume the presence of a table Ç mapping triples of

¾B¡-¿

variable indices ] , and nodes to nodes . The table is the “inverse” of the table , i.e., for

# ¡&¾B¡-¿# ¡¤¾J¡&¿¥#

] Ç ] variable nodes , , if and only if, . The operations needed on the

4 CONSTRUCTING AND MANIPULATING ROBDDS 16

¡ 0 ¡&¾B¡-¿#

Ç ]

MK )

¿ ¾

1: if ¾ then return

¡ ¡&¾B¡-¿# ]

2: else if member Ç then

¡ ¡¤¾J¡&¿¥# ]

3: return lookup Ç

¡ ¡&¾B¡-¿# ]

4: else >É add

¡ ¡&¾B¡-¿¡ #

] 5: insert Ç

6: Ê.ËdÌ2ÍÎÊÏe

¡ 0 ¡&¾B¡-¿#

Ç ] Figure 8: The function MK ) .

two tables are:

b ¡&¾B¡-¿#

>¼ ]

» »

init initialize to contain only and

¡ ¡&¾B¡-¿# ¡&¾B¡-¿#

] ]

>É add allocate a new node with attributes

#$¡ #$¡ #

c©

7 lookup the attributes of in

¡&¾B¡-¿# b

Ç ] ¼

# Ç

init Ç initialize to be empty

¡ ¡&¾B¡-¿# ¡&¾B¡-¿#

Ç ] ] Ç

yÉ member check if is in

¡ ¡&¾B¡-¿# ¡¤¾J¡&¿¥#

Ç ] Ç ]

>É lookup ﬁnd

¡ ¡&¾B¡-¿¡ # ¡¤¾J¡&¿¥#

] ] Ç

insert Ç make map to in

We shall assume that all these operations can be performed in constant time, Ð . Section 5

will show how such a low complexity can be achieved.

¡ 0 ¡¤¾J¡&¿¥#

Ç ] Ç

The function MK ) (see ﬁgure 8) searches the table for a node with variable ¾B¡-¿

index ] and low-, high-branches and returns a matching node if one exists. Otherwise it Ç

creates a new node , inserts it into and returns the identity of it. The running time of MK

Ç is Ð due to the assumptions on the basic operations on and . The OBDD is ensured to

be reduced if nodes are only created through the use of MK. In describing MK and subsequent

¡ 0 Ç

algorithms, we make use of the notation ) to indicate that MK depends on the global data »

structures and Ç , but we leave out the arguments when invoking it as part of other algorithms.

4.2 BUILD

The construction of an ROBDD from a given Boolean expression proceeds as in the con-

struction of an if-then-else normal form (INF) in section 2. An ordering of the variables

¨b J0W¡ J0 Ñ9 9 (

)® 2+ )* ,+

D2D2D is ﬁxed. Using the Shannon expansion , a node for

J0 B0 )g .+

is constructed by a call to MK, after the nodes for )i ,+ and have been constructed

¡ #

by recursion. The algorithm is shown in ﬁgure 9. The call BUILD’ ] constructs an ROBDD

O O

¡! «@-¡§¦/¦§¦/¡! (

for a Boolean expression with variables in 6 . It does so by ﬁrst recursively

O O

0 0

[

)i ,+ )g .+

constructing ROBDDs and for and in lines 4 and 5, and then proceeding

[

to ﬁnd the identity of the node for in line 6. Notice that if and are identical, or if there

[

already is a node with the same ] , and , no new node is created.

4 CONSTRUCTING AND MANIPULATING ROBDDS 17

¡ 0 # Ç

BUILD )

¡ #

1: function BUILD’ ] =

2: if ]Ò8 then

3: if is false then return 0 else return 1

0h¡ #

[

É )* 1+ ]@©ª

4: else BUILD’

0h¡ #

É )® .+ ]¥©ª

5: BUILD’

¡ ¡ !#

[

] 6: ÊË,Ì.Í¢ÊÏ MK 7: end BUILD’

¡ #

9: return BUILD’

Figure 9: Algorithm for building an ROBDD from a Boolean expression using the

9; Ó9 9ª ( ¡ #

D2D2D ]

ordering . In a call BUILD’ ] , is the lowest index that any

variable of can have. Thus when the test ]ÒÔ8 succeeds, contains no variables and must be either constantly false or true.

An example of using BUILD to compute an ROBDD is shown in ﬁgure 10. The running

time of BUILD is bad. It is easy to see that for a variable ordering with 8 variables there will (

always be generated on the order of ` calls .

4.3 APPLY

All the binary Boolean operators on ROBDDs are implemented by the same general algorithm

NÕ-Ö

¡ &¡ -#

APPLY that for two ROBDDs computes the ROBDD for the Boolean expression

B Õ&ÖÑB'×

. The construction of APPLY is based on the Shannon expansion (2):

eb 0h¡ 0,¦

)g .+ )i ,+

Observe that for all Boolean operators op the following holds:

A A A A

Õ-Ö> Õ&ÖØ Õ&ÖÑ

eb -¡ $# eb ¡ # >b ¡

(4)

If we start from the root of the two ROBDDs we can construct the ROBDD of the result by recursively constructing the low- and the high-branches and then form the new root from these. Again, to ensure that the result is reduced, we create the node through a call to MK. Moreover, to avoid an exponential blow-up of recursive calls, dynamic programming is used. The algorithm

is shown in ﬁgure 11.

¡BÚc# ]

Dynamic programming is implemented using a table of results Ù . Each entry is either

¡BÚc# empty or contains the earlier computed result of APP ] . The algorithm distinguishes between four different cases, the ﬁrst of them handles the situation where both arguments are terminal

nodes, the remaining three handle the situations where at least one argument is a variable node.

If both and are terminal, a new terminal node is computed having the value of op

applied to the two truth values. (Recall, that terminal node is represented by a node with identity and similarly for .) 4 CONSTRUCTING AND MANIPULATING ROBDDS 18

Û®Ûæà¤çQÞ>à!áNâ$ãà!äBå â BUILD’

d f

v r v

Û®ÛÝÜßÞ>à!áNâ$ãà!äBå â Û®Û Þeà!áNâ$ã\à!äJå â

b c e e

r r r r

Û®Û*ÜQÞ½ÜWâ'ãà"äJå¨èhâ Û®ÛÝÜßÞ â$ãà"äJå¨èWâ Û®Û Þ½ÜWâ$ãà!äBåèhâ Û®Û Þ â'ãà"äJå¨èhâ

r r r r

Û®Û*ÜQÞ½ÜWâ'ã\ÜLå©é â Û®Û*ÜQÞ â$ã\Ü"å©é â Û®Û Þ½Ü â$ã\Ü"å©é â Û®Û Þ â$ã\Ü"å©é â

r r r r r r r r

Û®Û*ÜßÞ½Ü â$ã å©é â Û®Û*ÜcÞ â$ã å©é â Û®Û Þ½ÜWâ/ã å¨é â Û®Û Þ â'ã å©é â

| |

} }

~ ~ ~

b c d

{ { { { {

| | | | |

| | |

} } }

~ ~ ~

e f g

Figure 10: Using BUILD on the expression . (a) The tree of calls to BUILD. (b)

Â Â

! "

# .¡ # # .¡ #

The ROBDD after the call BUILD’ Ñ . (c) After the call BUILD’ .

! !

$# 2¡ # # 2¡ #

(d) After the call BUILD’ ± . (e) After the calls BUILD’ and

" !

# 2¡ # $# 2¡ #

` BUILD’ . (f) After the call BUILD’ . (g) The ﬁnal result.

4 CONSTRUCTING AND MANIPULATING ROBDDS 19

hÕ&Ö

¡ 0 ¡ §¡ -#

APPLY )

1: init Ù

-¡ ¤#

3: ê Í%ÏÎë7Ì.ìCí@Ï APP

-¡ &# -¡ -#

Ì.î¢ËßÏeÊ.Ë,Ì.ÍÎÊÏ±Ù

4: ìCêÙ empty

4 4 Õ-Ö¢

o¦ ¡ §¦ ¡ -¡ -#

_6òÏÎóô 76oÌ.îÎËcÏ É

5: Ëcïhð'ËñìCêo u

"# -#

Ì.îÎËcÏ

6: Ëcïhð'ËñìCê var var

"#-¡ "#$¡ -#!#-¡ "#-¡ &#!#"#

c© c©

7: u É MK var APP APP

"#n9 -#

Ì.îÎËcÏ

8 Ëcïhð'ËñìCê var var

"#-¡ "#$¡ -#-¡ "#-¡ -#!#

c©

9 u É MK var APP APP

õ õ

"# -# #

10: Ëcïhð'Ë var var

-#-¡ -¡ -#!#-¡ -¡ &#!#!#

c©

11: u É MK var APP APP

-¡ -#

É 12: Ù u

13: Ê.Ë,Ì.ÍÎÊÏ u

14: ËcÏÎó APP

15:

-¡ -#

16: return APP

hÕ&Ö

¡ 0 ¡ &¡ ¤#

Figure 11: The algorithm APPLY ) .

If at least one of and are non-terminal, we proceed according to the variable index. If the nodes have the same index, the two low-branches are paired and APP recursively computed on them. Similarly for the high-branches. This corresponds exactly to the case shown in equation (4). If they have different indices, we proceed by pairing the node with lowest index with

the low- and high-branches of the other. This corresponds to the equation

O O

b $¡ -# b ¡ op op op (5)

which holds for all . Since we have taken the index of the terminals to be one larger than the

"#n9 -# "# -#

7 7 ÒÔ7 index of the non-terminals, the last two cases, 7 and , take account of the situations where one of the nodes is a terminal. Figure 12 shows an example of applying the algorithm on two small ROBDDs. Notice how

pairs of nodes from the two ROBDDs are combined and computed.

To analyze the complexity of APPLY we let denote the number of nodes that can be Ù reached from in the ROBDD. Assume that can be implemented with constant lookup and

insertion times. (See section 5 for details on how to achieve this.) Due to the dynamic program-

§2 _

ming at most calls to APPLY are generated. Each call takes constant time. The total

/2 _¯#

running time is therefore Ð .

4.4 RESTRICT

The next operation we consider is the restriction of a ROBDD . That is, given a truth as-

2¡ ö§¡ ÷!0

.+ 2+ signment, for example )i ,+ , we want to compute the ROBDD for under this

4 CONSTRUCTING AND MANIPULATING ROBDDS 20

ü ý G

8 ø 5 9 ø

6 7 × 7 8 ø-ù 5 6 5 3 4

3 4 3 4 ø-ú

2 2 ø$û 2

1 0

0 1 0 1 G

8,5 ø ø

6,3 7,4 × ù 5,3 0,3 0,4 5,4 ø

3,2 4,0 0,2 0,0 0,1 0,2 3,0 4,2 ø-ú

2,2 0,2 0,0 2,0 2,0 0,1 0,2 2,2 ø$û

1,1 0,0 0,1 0,0 1,0 0,0

Figure 12: An example of applying the algorithm APPLY for computing the conjunction of the two ROBDDs shown at the top left. The result is shown to the right. Below the tree of arguments to the recursive calls of APP. Dashed nodes indicate that the value of the node has previously been computed and is not recomputed due to the use of dynamic programming. The solid ellipses show calls that ﬁnishes by a call to MK with the variable index indicated by the variables to the right of the tree.

4 CONSTRUCTING AND MANIPULATING ROBDDS 21

¡ 0 ¡BÚ1¡ #

Ç y

RESTRICT ) =

1: function res =

# Ú

Ò Ì2îÎËcÏeÊË,Ì.Í¢ÊÏ>

2: ìNê7

#o9Ú #$¡ #"#$¡ #"#!#

Ì.î¢ËcÏ±Ê.Ë,Ì.Í¢Ê_Ï 7 c©

3: ËßïNð/ËÓìCê¶7 MK res res

# Ú #!#

7 ìCêy §Ì.îÎËcÏeÊ.ËdÌ2ÍÎÊÏ

4: ËßïNð/Ë (* *) res

# Ú1¡ #"#

7 y Ê.Ë,Ì.ÍÎÊÏ c© 5: ËßïNð/Ë (* *) res

6: end res

7: return res

¡ 0 ¡ Ú1¡ # Ú 0

Ç y ) +7y

Figure 13: The algorithm RESTRICT ) which computes an ROBDD for .

§¡ ö§¡ ÷!0

2+ .+

restriction, i.e., ﬁnd the ROBDD for )i ,+ . As an example consider the ROBDD

of ﬁgure 10(g) (repeated below to the left) representing the Boolean expression .

¤0 -#

Restricting it with respect to the truth assignment )i ,+ yields an ROBDD for . It is constructed by replacing each occurrence of a node with label by its left branch yielding the ROBDD at the right:

x2 x2 x1

x3 x3

1 0 1 0

The algorithm again uses MK to ensure that the resulting OBDD is reduced. Figure 13 shows the

0 ¦ ¡

y 76

algorithm in the case where only singleton truth assignments ( )*y$+ , ) are allowed.

¡BÚ1¡ # Ú

y 7 Intuitively, in computing RESTRICT we search for all nodes with and replace

them by their low- or high-son depending on y . Since this might force nodes above the point of replacemen to become equal, it is followed by a reduction (through the calls to MK). Due to the two recursive calls in line 3, the algorithm has an exponential running time, see exercise 4.7 for an improvement that reduces this to linear time.

4.5 SATCOUNT, ANYSAT, ALLSAT

In this section we consider operations to examine the set of satisfying truth assignments of a

þ )iþ

node . A truth assignment satisﬁes a node if can be evaluated to using the truth

tables of the Boolean operators. Formally, the satisfying truth assignments is the set sat :

G£¢¥¤¥¤¥¤ ¢

ø ø§¦©¨

ÿ4

# ¦ ¡ 0

þ 3¡ 6

sat )iþ is true

G ¢¥¤¥¤¥¤ ¢

ø ø ¨

-¡/¦§¦§¦/¡" (

where 3 denotes the set of all truth assignments for variables , i.e., func-

4 4

$¡§¦§¦§¦$¡! ( ¡

6 76

tions from to the truth values 3 . The ﬁrst algorithm, SATCOUNT, com-

# putes the size of sat , see ﬁgure 14. The algorithm exploits the following fact. If is a node

4 CONSTRUCTING AND MANIPULATING ROBDDS 22

0 #

SATCOUNT )

1: function count

2: if then res

3: else if then res

^ ^

'¢©¢ '¢ õ

¡¨£ ¤B¥¡ ¡

#"#

4: else res É count

^ ^

'¢©¢ '¢ õ

¡®" §¡ ¡

#!#

£ c© ©;` count 5: return res 6: end count

'¢ õ

£ 8: return ` count

Figure 14: An algorithm for determining the number of valid truth assignments.

Recall, that the “variable index” 7 of and in the ROBDD representation is

8 8

8©Ä when the ordering contains variables (numbered through ). This means

# #

8 ©;

that var and var always gives .

7 <

with variable index then two sets of truth assignments can make true. The ﬁrst set

has 7_ equal to , the other has equal to . For the ﬁrst set, the number is found by ﬁnd-

#"# #

ing the number of truth assignments count making true. All variables between

# #!#

7 7

7 and in the ordering can be chosen arbitrarily, therefore in the case of

^ ^

'¢¨¢ '¢ õ

¡¨£ ¤B¥¥¡ ¡

#"#

` £ £ being , a total of count satisfying truth assignments exists. To

be efﬁcient, dynamic programming should be applied in SATCOUNT (see exercise 4.10).

ANYSAT

1: if then Error

)

2: else if then return

# b ¡ #"#J0

'¢

) ¼ c©

3: else if then return ANYSAT

b ¡ #!#J0

'¢

4: else return ) ANYSAT £ Figure 15: An algorithm for returning a satisfying truth-assignment. The variables are assumed to be $¡§¦§¦/¦/¡! ( ordered in this way.

The next algorithm ANYSAT in figure 15 finds a satisfying truth assignment. Some irrelevant variables present in the ordering might not appear in the result and they can be assigned any value whatsoever. ANYSAT simply finds a path leading to 1 by a depth-first traversal, prefering somewhat arbitrarily low-edges over high-edges. It is particularly simple due to the observation that if a node is not the terminal 0, it has at least one path leading to 1. The running time is clearly linear in the result.

ALLSAT in ﬁgure 16 ﬁnds all satisfying truth-assignments leaving out irrelevant variables

from the ordering. ALLSAT ﬁnds all paths from a node to the terminal . The running

time is linear in the size of the result multiplied with the time to add the single assignments

b 0 b 0

/¢ '¢

¡ ¡

¼ ) ¼ 8

) and in front of a list of up to elements. However, the result can be

8 Ð ` exponentially large in , so the running time is the poor .

4 CONSTRUCTING AND MANIPULATING ROBDDS 23

ALLSAT

1: if then return

) 2: else if then return

3: else return

b 0

'¢

)

4: add ¼ in front of all

#!#-¡

5: truth-assignments in ALLSAT

b 0

'¢

6: add ) in front of all

#!#

7: truth-assignments in ALLSAT c©

Figure 16: An algorithm which returns all satisfying truth-assignments. The vari-

$¡§¦§¦§¦L (

LD2D2D ables are assumed to be ordered in this way. We use to denote

sequences of truth assignments. In particular, is the empty sequence of truth

) assignments, and is the sequence consisting of the single empty truth assign-

ment.

¡ ¡ "# #

[

MK ]

(

# # `

BUILD Ð

hÕ&Ö

¡ 2¡ ¤# §2 _i#

APPLY Ð

¡BÚ1¡ # i#

y Ð

RESTRICT See note

# i#

SATCOUNT See note

Ö Ö½ ' Ö

# ¯# £ # #

Ð 8 Ð

ANYSAT ,

õ '

# # ¾C¾ # #

Ð 8 Ð `

ALLSAT ,

! !

¡ # i#

Ð SIMPLIFY See note Note: These running times only holds if dynamic programming is used (exercises 4.7, 4.10, and 4.12).

Table 1: Worst-case running times for the ROBDD operations. The running times are the expected running times since they are all based on a hash-table with expected constant time search and insertion operations.

4.6 SIMPLIFY

The ﬁnal algorithm called SIMPLIFY is shown in ﬁgure 17. The algorithm is used to simplify

an ROBDD by trying to remove nodes. The simpliﬁcation is based on a domain ! of inter- !

est. The ROBDD is supposed to be of interest only on truth assignments that also satisfy . (This occurs when using ROBDDs for formal veriﬁcation. Section 7 shows how to do formal

veriﬁcation with ROBDDs, but contains no example of using SIMPLIFY.)

! A

To be precise, given and , SIMPLIFY ﬁnds another ROBDD , typically smaller than ,

§#

" 5" such that . It does so by trying to identify sons, and thereby making some nodes redundant. A more detailed analysis is left to the reader.

The running time of the algorithms of the previous sections is summarized in table 1.

4 CONSTRUCTING AND MANIPULATING ROBDDS 24

¡ #

SIMPLIFY

¡ #

1: function sim

!Ñ

2: if then return

3: else if P·µ then return

!Ñ

4: else if then

! !

#$¡ ¡ #"#$¡ ¡ #"#!#

c©

5: return MK 7 sim sim

# #

6: else if 7 then

$! $!

# #-¡ #!#

c© c©

7: if then return sim

$! $!

# #-¡ #"#

8: else if c© then return sim

#$¡

9: else return MK 7

#$¡ #!#$¡

10: sim

#-¡ #!#"#

c©

11: sim c©

#o9 #

12: else if 7 then

$! ! !

#$¡ #-¡ #$¡ #-¡ #!#

c© 13: return MK 7 sim sim

14: else

! !

#$¡ ¡ #"#$¡ ¡ #"#!#

c© 15: return MK 7 sim sim 16: end sim

17:

¡ #

18: return sim

Figure 17: An algorithm (due to Coudert et al [CBM89] ) for simplifying an ROB- !

DD y that we only care about on the domain . Dynamic programming should be applied to improve efﬁciency (exercise 4.12) 4 CONSTRUCTING AND MANIPULATING ROBDDS 25

4.7 Existential Quantiﬁcation and Substitution

When applying ROBDDs often existential quantiﬁcation and composition is used. Existential

¢¦ quantiﬁcation is the Boolean operation % . The meaning of an existential quantiﬁcation of a

Boolean variable is given by the following equation:

¢¦ 0 0,¦

)i ,+ )® 2+ % (6)

On ROBDDs existential quantiﬁcation can therefore be implemented using two calls to RE- STRICT and a single call to APPLY.

Composition is the ROBDD operation performing the equivalent of substitution on Boolean

0 +

expression. Often the notation ) is used to describe the result of substituting all free oc-

BA currences of in by . (An occurrence of a variable is free if it is not within the scope of a quantiﬁer.)1 To perform this substitution on ROBDDs we observe the following equation,

which holds if contains no quantiﬁers:

A A A

b 0W¡ 0W¦ b ¡ 0 0

)® 2+ )* ,+ ,+ + )

) (7)

CBA HBA BA

b 0W¡ 0 # 0H# 0H#

)® .+ )i ,+ )® 2+

)* 1+

Since we can compute this with two

applications of RESTRICT and three applications of APPLY (with the operators , , ). However, by essentially generalizing APPLY to operators op with three arguments we can do better (see exercise 4.13).

Exercises

$# §9? 9Ä

Exercise 4.1 Construct the ROBDD for with ordering using the algorithm BUILD in ﬁgure 9.

Exercise 4.2 Show the representation of the ROBDD of ﬁgure 6 in the style of ﬁgure 7. C Exercise 4.3 Suggest an improvement BUILDCONJ # of BUILD which generates only a linear number of calls for Boolean expressions that are conjunctions of variables and negations of

variables.

Exercise 4.4 Construct the ROBDDs for and using whatever ordering you want.

Compute the disjunction of the two ROBDDs using APPLY.

Exercise 4.5 Construct the ROBDDs for and using BUILD with the ordering

-# -# n9 9

. Use APPLY to ﬁnd the ROBDD for .

¡ ¡ #

Exercise 4.6 Is there any essential difference in running time between ﬁnding RESTRICT y

¡ ¡ # 9 ¶9 9 (

y 8 and RESTRICT when the variable ordering is D2D2D ?

Exercise 4.7 Use dynamic programming to improve the running time of RESTRICT.

Since ROBDDs contain no quantiﬁers we shall not be concerned with the problems of free variables of &('

being bound by quantiﬁers of & .

5 IMPLEMENTING THE ROBDD OPERATIONS 26

O O O O O

¦§¦§¦

G G

× ×

) y

Exercise 4.8 Generalise RESTRICT to arbitrary truth assignments y , , ,

O O O O

9 9 9 0

¦ ¦

× D2D2D y . It might be convenient to assume that . Exercise 4.9 Suggest a substantially better way of building ROBDDs for (large) Boolean expressions than BUILD.

Exercise 4.10 Change SATCOUNT such that dynamic programming is used. How does this change the running time? Exercise 4.11 Explain why dynamic programming does not help in improving the running time of ALLSAT.

Exercise 4.12 Improve the efﬁciency of SIMPLIFY with dynamic programming.

.¡! ¢¡ -# 0

)i + Exercise 4.13 Write the algorithm COMPOSE for computing the ROBDD of efﬁciently along the lines of APPLY. First generalize APPLY to operators op with three arguments (as for example the if-then-else operator), utilizing once again the Shannon expansion. Then use equation 7 to write the algorithm.

5 Implementing the ROBDD operations

There are many choices that have to be taken in implementing the ROBDD operations. There is no obvious best way of doing it. This section gives hints for some reasonable solutions. First, the node table » is an array as shown in ﬁgure 7. The only problem is that the size of the array is not known until the full BDD has been constructed. Either a ﬁxed upper bound could be assumed, or other tricks must be applied (for example dynamic arrays [CLR90, sec. 18.4]).

The table Ç could be implemented as a hash-table using for instance the hash function

¿ ¡ ¡ # ¡ ¡ #"#

ß ] c ) ] pair pair mod

where pair is a pairing function that maps pairs of natural numbers to natural numbers and ) is

a prime. One choice for the pairing function is

Úc# Ú #

]¥© ]@© ©ª

¡ Úß#

pair ] `

which is a bijection, and therefore “perfect”: it produces no collisions. As usual with hash-tables Ç

we have to decide on the size as a prime ) . However, since the size of grows dynamically )

it can be hard to ﬁnd a good choice for ) . One solution would be to take very large, for

2À_Á*,À+*7x example ) (which is the 1000000’th prime number), and then take as the hashing

function

¡ ¡ # ¿ ¡ ¡ # ¿

] ß ] c

mod `

F ,

using a table of size ` . Starting from some reasonable small value of we could increase the

F , table when it contains ` elements by adding one to , construct a new table and rehash all

elements into this new table. (Again, see for example [CLR90, sec. 18.4] for details.) For such

# a dynamic hash-table the amortized, expected cost of each operation is still Ð .

The table Ù used in APPLY could be implemented as a two-dimensional array. However,

it turns out to be very sparsely used – especially if we succeed in getting small ROBDDs –

¡ #

¥ c

and it is better to use a hash-table for it. The hashing function used could be -

¡ #

c ) Ç ] mod and as for a dynamic hash-table could be used. 6 EXAMPLES OF PROBLEM SOLVING WITH ROBDDS 27

6 Examples of problem solving with ROBDDs

This section will describe various examples of problems that can be solved with an ROBDD- package. The examples are not chosen to illustrate when ROBDDs are the best choice, but simply chosen to illustrate the scope of potential applications.

6.1 The 8 Queens problem A classical chess-board problem is the 8 queens problem: Is it possible to place 8 queens on a

chess board so that no queen can be captured by another queen? To be a bit more general we

. .0/1. could ask the question for arbitrary . : Is it possible to place queens safely on a chess board?

To solve the problem using ROBDDs we must encode it using Boolean variables. We do

¡ M

this by introducing a variable for each position on the board. We name the variables as ñ·

¡BÚ Ú

·2. ] ] where is the row and is the column. A variable will be 1 if a queen is placed on the corresponding position.

2 1

1 2 3 4 5 6 7 8

The capturing rules for queens require that no other queen can be positioned on the same ¡BÚ

row, column, or any of the diagonals. This we can express as Boolean expressions: For all ] ,

O O

3 354

I I76

S,M

M M

3 354

F ¢ F

O O

« ^

F8¢ F

M M

O O

3 354 3 « ^ 354

F ¢ F ¢ F

M S

O O

« ^

F8¢ F

M M

O O

3 354 3 « ^ 354

F ¢ F ¢ F

M S

Moreover, there must be a queen in each row: For all ] ,

O O O

:D2D2D§

6 EXAMPLES OF PROBLEM SOLVING WITH ROBDDS 28

| z :

xor

;=<

: ;+>

xor ?

Figure 18: A full-adder

A@ \# Taking the conjunction of all the above requirements, we get a predicate Sol 4 true at exactly

the conﬁgurations that are solutions to the . queens problem.

A@ \#

Exercise 6.1 (8 Queens Problem) Write a program that can ﬁnd an ROBDD for Sol 4 when

. .

given . as input. Make a table of the number of solutions to the queens problem for

¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡§¦§¦§¦

` Á À x * When there is a solution, give one.

6.2 Correctness of Combinational Circuits

A full-adder takes as arguments two bits and and an incoming carry bit B . It produces as

output a sum bit C and an outgoing carry bit . The requirement is that ,

¢¡!£

B C

in other words B§D is the most signiﬁcant bit of the sum of , and , and the least signiﬁcant C

bit. The requirement can be written down as a table for B§D and a table for in terms of values of

¢¡¤£

B§D C , and B . From such a table it is easy to write down a DNF for and . At the normal level of abstraction a combinational circuit is nothing else than a Boolean expression. It can be represented as an ROBDD, using BUILD to construct the trivial ROBDDs

for the inputs and using a call to APPLY for each gate. C Exercise 6.2 Find DNFs for BGD and . Verify that the circuit in ﬁgure 18 implements a one bit full-adder using the ROBDD-package and the DNFs.

6.3 Equivalence of Combinational Circuits As above we can construct an ROBDD from a combinational circuit and use the ROBDDs to show properties. For instance, the equivalence with other circuits. 7 VERIFICATION WITH ROBDDS 29

Exercise 6.3 Verify that the two circuits in ﬁgure 19 are not equivalent using ROBDDs. Find an input that returns different outputs in the two circuits.

7 Veriﬁcation with ROBDDs

One of the major uses of ROBDDs is in formal veriﬁcation. In formal veriﬁcation a model of a I

system H is given together with some properties supposed to hold for the system. The task I is to determine whether indeed H satisfy . The approach we take, in which we shall use an algorithm to answer the satisfaction problem, is often called model checking. We shall look at a concrete example called Milner’s Scheduler (taken from Milner’s book

[Mil89]). The model consists of . cyclers, connected in a ring, that co-operates on starting and

detecting termination of . tasks that are not further described. The scheduler must make sure

that the . tasks are always started in order but they are allowed to terminate in any order. This is one of the properties that has to be shown to hold for the model. The cyclers try to fulﬁll this by passing a token: the holder of the token is the only process allowed to start its task.

All cyclers are similar except that one of them has the token in the initial state. The cyclers

] ·J.

cyc , · are described in a state-based fashion as small transition systems over the

O O O O

¡-¿

]

Boolean variables , and B . The variable is when task is running and when it is

O O

] B ]K¸

terminated; is when cycler has a token, otherwise; is when cycler has put down

the token and cycler ] not yet picked it up. Hence a cycler starts a task by changing from to

, and detects its termination when is again changed back to ; and it picks up the token by

O O

«@

B changing B from to and puts it down by changing from to . The behaviour of cycler

] is described by two transitions:

O O O O O

¡ ¡-¿ ¡ ¡

if B then :=

O O

¿ ¡-¿ ¡

4 «@

B if then mod := The meaning of a transition “if condition then assignment” is that, if the condition is true in

some state, then the system can evolve to a new state performing the (parallel) assignment.

O O O

Hence, if the system is in a state where B is and is then we can simultaneously set to ,

O O

B to and to . The transitions are encoded by a single predicate over the value of the variables before the

transitions (the pre-state) and the values after the transition (the post-state). The variables in

O O O

¡-¿ ¡ ¡

¸· ]Ø·L.

the pre-state are the B which we shall collectively refer to as and in the

O O O

BA @ A A A

¡-¿ ¡ ¡

B 2. post-state ¨·;]· , which we shall refer to as . Each transition is an atomic action

that excludes any other action. Therefore in the encoding we shall often have to say that a lot

of variables are unchanged. Assume that is a subset of the unprimed variables . We shall

@ @ A

Î¡ use a predicate unchanged M over which ensures that all variables in are unchanged. It is

deﬁned as follows:

unchanged M def

ø©N

øGP

# # M

It is slightly more convenient to use the predicate assigned unchanged M which express

] that every variable not in is unchanged. We can now deﬁne I , the transitions of cycler over

7 VERIFICATION WITH ROBDDS 30

9 z

s nor

{

9 {

z nor

{

{ z

Figure 19: Two circuits used in exercise 6.3

7 VERIFICATION WITH ROBDDS 31

V U V

G ×

U V V

ù ú

B B

Figure 20: Milner’s Scheduler with 4 cyclers. The token is passed clockwise from B to to

to B and back to

the variables Î¡ as follows:

O O O

BA A A

¿ #

¢ Y ¢ Z

B ¸ PB

I def assigned

A A

W$X X X

¿ ¿ #

4 «@

¢ Z

B P ¢ ¡ assigned

mod mod \^]`_

W [ X

The signalling of termination of task ] , by changing from to performed by the environment

a Ó·;]m·2.

is modeled by . transitions :

O O

a def assigned

O O

expressing the transitions if then . Now, at any given state the system can perform

O O a one of the transitions from one of the I ’s or the ’s, i.e., all possible transitions are given by

the predicate » :

( (n¦

:D2D2D2 bI ca :D2D2D2 ba def I

In the initial state we assume that all tasks are stopped, no cycler has a token and only place

B d

( ) has a token. Hence the initial state can be characterized by the predicate over the @

unprimed variables given by:

¿ 4P¦

ô cB PeB :D2D2D. ôeB

d def

(Here applied to a vector means the conjunction of applied to each coordinate .) The predicates describing Milner’s Scheduler are summarized in ﬁgure 21. Within this setup we could start asking a lot of questions. For example,

1. Can we ﬁnd a predicate f over the unprimed variables characterizing exactly the states f that can be reached from d ? is called the set of reachable states.

2. How many reachable states are there?

3. Is it the case that in all reachable states only one token is present?

7 VERIFICATION WITH ROBDDS 32

ø©N

M M

unchanged def g

øGP

# # M

assigned M def unchanged

O O O

A A A

¿ #

¢ Y ¢ Z

I ôB ô

def B assigned

A A

W(X X X

# ¿ ¿

4 «@

¢ Z

B ¸ assigned

mod mod \^_

O O

X W

a def assigned

O O

def I

3 354

¿ 4

¸ cB PB D2D2D§ ¸B d def

Figure 21: Milner’s Scheduler as described by the transition predicate » and the initial-state

predicate d .

O O

4. Is task always only started after ^ ?

5. Does Milner’s Scheduler possess a deadlock? I.e., is there a reachable state in which no

transitions can be taken? f

To answer these questions we ﬁrst have to compute f . Intuitively, must be the set of states

» d that either satisfy d (are initial) or within a ﬁnite number of transitions can be reached from .

This suggest an iterative algorithm for computing f as an increasing chain of approximations

[

¡ ¡/¦§¦§¦/¡ ¡§¦§¦/¦

f f , ,

f Step of the algorithm ﬁnd states that with less than transitions can be

«@

[

f f

reached from d . Hence, we take the constantly false predicate and compute as the

» f disjunction of d and the set of states which from one transition of can be reached from .

Figure 22 illustrates the computation of f .

How do we compute this with ROBDDs? We start with the ROBDD f 0 . At any »

point in the computation the next approximation is computed by the disjunction of d and A

composed with the previous approximation f . We are done when the current and the previous

approximations coincide:

@ @

¡ ¡ ¡ #

REACHABLE-STATES d ´É 1: f 0

2: repeat

É f

3: f

@ @ @ A

¢¦ # 0

´Éhd % bf ) +

4: f

A= f 5: until f

6: return f

7.1 Knights tour

Using the same encoding of a chess board as in section 6.1, letting denote the presence

¡BÚc#

of a Knight at position ] we can solve other problems. We can encode moves of a Knight as

¡BÚc#

transitions. For each position, 8 moves are possible if they stay on the board. A Knight at ]

¡BÚ #$¡ ¡BÚ #

i i:` ]i:` i can be moved to any one of ] assuming they are vacant and within the 7 VERIFICATION WITH ROBDDS 33

Full state space

jlknm

{

. . m

Figure 22: Sketch of computation of the reachable states

4ß

¡BÚ ¡¤¾ ¡&¾ ¡&¾N#n¦ ¡BÚ #$¡ ¡BÚ #

, Ó·, ·2. , ]Giô i½` ]Gi½` iô 6

board boundary. For all ] and with and :

O O O

A A A

O O

¢ F F8¢

# #

I I

M M M

H ¸ P

# #

I M

def M

O O

¢ ¢ ¢ FG¢

N ¨

¢ ¢ ¢

¡ ¡ ¡

# # 6 I

M M

©@ @

Hence, the transitions are given as the predicate ¢¡ :

©@ @

¢¡ #

¢ F

I M

def H

O Opo Opo o o

3 354

¢ ¢ F8¢ ¢ FG¢ ¢ ¢ ¢

N ¨

¢ ¢ ¢

¡ ¡ ¡

I I

M M M

Exercise 7.1 (Knight’s tour) Write a program to solve the following problem using the ROBDD- package: Is it possible for a Knight, positioned at the lower left corner to visit all positions on an

.q/r. board? (Hint: Compute iteratively all the positions that can be reached by the Knight.)

Try it for various . .

Exercise 7.2 Why does the algorithm REACHABLE-STATES always terminate?

Á Exercise 7.3 In this exercise we shall work with Milner’s Scheduler for . . It is by far be the most convenient to solve the exercise by using an implementation of an ROBDD package.

a) Find the reachable states as an ROBDD f . b) Find the number of reachable states. 8 PROJECT: AN ROBDD PACKAGE 34

c) Show that in all reachable states at most one token is present on any of the

$¡§¦§¦/¦/¡ 4

B I

placeholders B by formulating a suitable property and prove that

Ô I f . d) Show that in all reachable states Milner’s Scheduler can always perform a transition, i.e., it does not possess a deadlock.

Exercise 7.4 Complete the above exercise by showing that the tasks are always started in se-

¡ ¡§¦§¦/¦'¡ ¡ ¡ ¦§¦/¦

` . ` quence

Exercise 7.5 Write a program that given an . as input computes the reachable states of Mil-

ner’s Scheduler with . cyclers. The program should write out the number of reachable states

¡ ¡ ¡ ¡ ¡§¦§¦/¦

` Á x * 2 (using SATCOUNT). Run the program for . Measure the running times and

draw a graph showing the measurements as a function of . . What is the asymptotic running time of your program?

8 Project: An ROBDD Package

This project implements a small package of ROBDD-operations. The full package should con-

tain the following operations:

INIT 8

Initialize the package. Use 8 variables numbered through .

Print a representation of the ROBDD on the standard output. Useful for debugging.

¡&¾B¡-¿#

MK ]

# ¡ # ¾J¡ # ¿

7 ] c© Return the number of a node with . This could be an existing node, or a newly created node. The reducedness of the ROBDD should not be

violated. C BUILD #

Construct an ROBDD from a Boolean expression. You could restrict yourself to the

expressions or or ﬁnite conjunctions of these. (Why?)

¡ -¡ -#

APPLY op

Construct the ROBDD resulting from applying op on and .

¡BÚ1¡ # y

RESTRICT

M )iy$+

Restrict the ROBDD according to the truth assignment .

SATCOUNT

Return the number of elements in the set sat . (Use a type that can contain very large

numbers such as ﬂoating point numbers.)

ANYSAT

Return a satisfying truth assignment for REFERENCES 35

Sub-project 1 »

Implement the tables and Ç with their operations listed in section 4. On top of these imple-

# # ¡¤¾J¡&¿¥#

] ment the operations INIT 8 , PRINT , and MK .

Sub-project 2

# ¡ &¡ &# Continue implementation of the package by adding the operations BUILD and APPLY op .

Sub-project 3

¡BÚ1¡ # #

Finish your implementation of the package by adding RESTRICT , SATCOUNT , and

ANYSAT .

References

[AH97] Henrik Reif Andersen and Henrik Hulgaard. Boolean Expression Diagrams. In Proceedings, Twelfth Annual IEEE Symposium on Logic in Computer Science, pages 88–98, Warsaw, Poland, June 29–July 2 1997. IEEE Computer Society.

[Bry86] Randal E. Bryant. Graph-based algorithms for Boolean function manipulation. IEEE Transactions on Computers, 8(C-35):677–691, 1986.

[Bry92] Randal E. Bryant. Symbolic Boolean manipulation with ordered binary-decision diagrams. ACM Computing Surveys, 24(3):293–318, September 1992.

[CBM89] Olivier Coudert, Christian Berthet, and Jean Christophe Madre. Veriﬁcation of syn- chronous sequential machines based on symbolic execution. In J. Sifakis, editor, Automatic Veriﬁcation Methods for Finite State Systems. Proceedings, volume 407 of LNCS, pages 365–373. Springer-Verlag, 1989.

[CLR90] Thomas H. Cormen, Charles E. Leiserson, and Ronald L. Rivest. Introduction to Algorithms. McGraw-Hill, 1990.

[Coo71] S.A. Cook. The complexity of theorem-proving procedures. In Proceedings of the Third Annual ACM Symposium on the Theory of Computing, pages 151–158, New York, 1971. Association for Computing Machinery.

[Mil89] Robin Milner. Communication and Concurrency. Prentice Hall, 1989.