An Introduction to Binary Decision Diagrams
Henrik Reif Andersen

x

y

y

z

1

0

Lecture notes for 49285 Advanced Algorithms E97, October 1997. (Minor revisions, Apr. 1998) E-mail: hra@it.dtu.dk. Web: http://www.it.dtu.dk/ hra Department of Information Technology, Technical University of Denmark Building 344, DK-2800 Lyngby, Denmark.

1

2

Preface
This note is a short introduction to Binary Decision Diagrams. It provides some background knowledge and describes the core algorithms. More details can be found in Bryant's original paper on Reduced Ordered Binary Decision Diagrams Bry86] and the survey paper Bry92]. A recent extension called Boolean Expression Diagrams is described in AH97]. This note is a revision of an earlier version from fall 1996 (based on versions from 1995 and 1994). The major di erences are as follows: Firstly, ROBDDs are now viewed as nodes of one global graph with one xed ordering to re ect state-of-the-art of e cient BDD packages. The algorithms have been changed (and simpli ed) to re ect this fact. Secondly, a proof of the canonicity lemma has been added. Thirdly, the sections presenting the algorithms have been completely restructured. Finally, the project proposal has been revised.

Acknowledgements
Thanks to the students on the courses of fall 1994, 1995, and 1996 for helping me debug and improve the notes. Thanks are also due to Hans Rischel, Morten Ulrik S rensen, Niels Maretti, J rgen Staunstrup, Kim Skak Larsen, Henrik Hulgaard, and various people on the Internet who found typos and suggested improvements.

3

CONTENTS

4

1 2 3 4

Contents

Boolean Expressions Normal Forms Binary Decision Diagrams Constructing and Manipulating ROBDDs
4.1 4.2 4.3 4.4 4.5 4.6 4.7
Mk . . . . . . . . . . . . . . . . Build . . . . . . . . . . . . . . Apply . . . . . . . . . . . . . . Restrict . . . . . . . . . . . . SatCount, AnySat, AllSat Simplify . . . . . . . . . . . .

....... ....... ....... ....... ....... ....... Existential Quanti cation and Substitution .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

6 7 8 15

15 17 19 20 22 25 25

5 Implementing the ROBDD operations 6 Examples of problem solving with ROBDDs 7 Veri cation with ROBDDs

6.1 The 8 Queens problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 6.2 Correctness of Combinational Circuits . . . . . . . . . . . . . . . . . . . . 29 6.3 Equivalence of Combinational Circuits . . . . . . . . . . . . . . . . . . . . 29 7.1 Knights tour . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

27 27 31

8 Project: An ROBDD Package References

35 36

CONTENTS

5

1 BOOLEAN EXPRESSIONS

6

1 Boolean Expressions
The classical calculus for dealing with truth values consists of Boolean variables x; y; :::, the constants true 1 and false 0, the operators of conjunction ^, disjunction _, negation :, implication ), and bi-implication , which together form the Boolean expressions. Sometimes the variables are called propositional variables or propositional letters and the Boolean expressions are then known as Propositional Logic. Formally, Boolean expressions are generated from the following grammar: t ::= x j 0 j 1 j :t j t ^ t j t _ t j t ) t j t , t; where x ranges over a set of Boolean variables. This is called the abstract syntax of Boolean expressions. The concrete syntax includes parentheses to solve ambiguities. Moreover, as a common convention it is assumed that the operators bind according to their relative priority. The priorities are, with the highest rst: :, ^, _, ,, ). Hence, for example :x ^ x _ x ) x = (((:x ) ^ x ) _ x ) ) x : A Boolean expression with variables x ; : : : ; x denotes for each assignment of truth values to the variables itself a truth value according to the standard truth tables, see gure 1. Truth assignments are written as sequences of assignments of values to variables, e.g., 0=x ; 1=x ; 0=x ; 1=x ] which assigns 0 to x and x , 1 to x and x . With this particular truth assignment the above expression has value 1, whereas 0=x ; 1=x ; 0=x ; 0=x ] yields 0.
1 2 3 4 1 2 3 4 1
n

1

2

3

4

1

3

2

4

1

2

3

4

0 1 1 0

:

^ 0 1

_ 0 1 ) 0 1 0 0 0 0 0 1 0 1 1 1 0 1 1 1 1 1 0 1 Figure 1: Truth tables.

, 0 1
0 1 0 1 0 1

The set of truth values is often denoted B = f0; 1g. If we x an ordering of the variables of a Boolean expression t we can view t as de ning a function from B to B where n is the number of variables. Notice, that the particular ordering chosen for the variables is essential for what function is de ned. Consider for example the expression x ) y. If we choose the ordering x < y then this is the function f (x; y) = x ) y, true if the rst argument implies the second, but if we choose the ordering y < x then it is the function f (y; x) = x ) y, true if the second argument implies the rst. When we later consider compact representations of Boolean expressions, such variable orderings play a crucial role. Two Boolean expressions t and t0 are said to be equal if they yield the same truth value for all truth assignments. A Boolean expression is a tautology if it yields true for all truth assignments; it is satis able if it yields true for at least one truth assignment. Exercise 1.1 Show how all operators can be encoded using only : and _. Use this to argue that any Boolean expression can be written using only _, ^, variables, and : applied to variables.
n

2 NORMAL FORMS

7

Exercise 1.2 Argue that t and t0 are equal if and only if t , t0 is a tautology. Is it possible to say whether t is satis able from the fact that :t is a tautology?

2 Normal Forms
A Boolean expression is in Disjunctive Normal Form (DNF) if it consists of a disjunction of conjunctions of variables and negations of variables, i.e., if it is of the form (t ^ t ^
1 1 1 2
j i

^ t 1) _
1
k j i

_ (t ^ t ^
l l

1

2

^ t l)
l k j i

(1)

where each t is either a variable x or a negation of a variable :x . An example is (x ^ :y) _ (:x ^ y) which is a well-known function of x and y (which one?). A more succinct presentation of (1) is to write it using indexed versions of ^ and _:

0j 1 _ @^ A t :
l k j i i=1

j =1

Similarly, a Conjunctive Normal Form (CNF) is an expression that can be written as

0j 1 ^ @_ A t
l k j i i=1

j =1

where each t is either a variable or a negated variable. It is not di cult to prove the following proposition: Proposition 1 Any Boolean expression is equal to an expression in CNF and an expression in DNF. In general, it is hard to determine whether a Boolean expression is satis able. This is made precise by a famous theorem due to Cook Coo71]: Theorem 1 (Cook) Satis ability of Boolean expressions is NP-complete. (For readers unfamiliar with the notion of NP-completeness the following short summary of the pragmatic consequences su ces. Problems that are NP-complete can be solved by algorithms that run in exponential time. No polynomial time algorithms are known to exist for any of the NP-complete problems and it is very unlikely that polynomial time algorithms should indeed exist although nobody has yet been able to prove their non-existence.) Cook's theorem even holds when restricted to expressions in CNF. For DNFs satis ability is decidable in polynomial time but for DNFs the tautology check is hard (co-NP complete). Although satis ability is easy for DNFs and tautology check easy for CNFs,
j i

3 BINARY DECISION DIAGRAMS

8

this does not help us since the conversion between CNFs and DNFs is exponential as the following example shows. Consider the following CNF over the variables x ; : : : x ; x ; : : : ; x : (x _ x ) ^ (x _ x ) ^ ^ (x _ x ) : The corresponding DNF is a disjunction which has a disjunct for each of the n-digit binary numbers from 000 : : : 000 to 111 : : : 111 | the i'th digit representing a choice of either x (for 0) or x (for 1): (x ^ x ^ ^ x ^ x ) _ (x ^ x ^ ^ x ^ x ) _ ... (x ^ x ^ ^ x ^ x ) _ (x ^ x ^ ^ x ^ x ) : Whereas the original expression has size proportional to n the DNF has size proportional to n2 . The next section introduces a normal form that has more desirable properties than DNFs and CNFs. In particular, there are e cient algorithms for determining the satis ability and tautology questions. Exercise 2.1 Describe a polynomial time algorithm for determining whether a DNF is satis able. Exercise 2.2 Describe a polynomial time algorithm for determining whether a CNF is a tautology. Exercise 2.3 Give a proof of proposition 1. Exercise 2.4 Explain how Cook's theorem implies that checking in-equivalence between Boolean expressions is NP-hard. Exercise 2.5 Explain how the question of tautology and satis ability can be decided if we are given an algorithm for checking equivalence between Boolean expressions.
1 0 0
n

1 1

1

n

1 0

1 1

2 0

2 1

n

0

n

1

i

0

i

1

1 0 1 0

2 0 2 0

n

0

1

n

n

0

1

0

n

1

1 1 1 1

2 1 2 1

n

1

n

1

n

1

1

0

n

1

n

Let x ! y ; y be the if-then-else operator de ned by x ! y ; y = (x ^ y ) _ (:x ^ y ) hence, t ! t ; t is true if t and t are true or if t is false and t is true. We call t the test expression. All operators can easily be expressed using only the if-then-else operator and the constants 0 and 1. Moreover, this can be done in such a way that all tests are performed only on (un-negated) variables and variables occur in no other places. Hence the operator gives rise to a new kind of normal form. For example, :x is (x ! 0; 1) , x , y is x ! (y ! 1; 0); (y ! 0; 1). Since variables must only occur in tests the Boolean expression x is represented as x ! 1; 0 .
0 1 0 1 0 1 0 1 0 1

3 Binary Decision Diagrams

3 BINARY DECISION DIAGRAMS
An If-then-else Normal Form (INF) is a Boolean expression built entirely from the if-then-else operator and the constants 0 and 1 such that all tests are performed only on variables.

9

If we by t 0=x] denote the Boolean expression obtained by replacing x with 0 in t then it is not hard to see that the following equivalence holds:

t = x ! t 1=x]; t 0=x] :

(2)

This is known as the Shannon expansion of t with respect to x. This simple equation has a lot of useful applications. The rst is to generate an INF from any expression t. If t contains no variables it is either equivalent to 0 or 1 which is an INF. Otherwise we form the Shannon expansion of t with respect to one of the variables x in t. Thus since t 0=x] and t 1=x] both contain one less variable than t, we can recursively nd INFs for both of these; call them t and t . An INF for t is now simply
0 1

x ! t ;t :
1 0

We have proved:

Proposition 2 Any Boolean expression is equivalent to an expression in INF. Example 1 Consider the Boolean expression t = (x , y ) ^ (x , y ). If we nd an
1 1 2 2 1 1 2 2

INF of t by selecting in order the variables x ; y ; x ; y on which to perform Shannon expansions, we get the expressions

t = t = t = t = t = t = t = t = t =
0 1 00 11 000 001 110 111

x y y x x y y y y

1

1 1 2 2

2 2 2 2

! t ;t ! 0; t ! t ;0 ! t ;t ! t ;t ! 0; 1 ! 1; 0 ! 0; 1 ! 1; 0
1 0 00 11 001 111

000 110

Figure 2 shows the expression as a tree. Such a tree is also called a decision tree. A lot of the expressions are easily seen to be identical, so it is tempting to identify them. For example, instead of t we can use t and instead of t we can use t . If we substitute t for t in the right-hand side of t and also t for t , we in fact see that t and t are identical, and in t we can replace t with t . If we in fact identify all equal subexpressions we end up with what is known as a binary decision diagram (a BDD). It is no longer a tree of Boolean expressions but a directed acyclic graph (DAG).
110 000 111 001 000 110 11 001 111 00 11 1 11 00

3 BINARY DECISION DIAGRAMS
x y x y
1
1

10

1

y

1

2

x y y
1
1 1

2

2

2

2

y
0 0

2

0

0

0
2

0
2

1

1

Figure 2: A decision tree for (x , y ) ^ (x , y ). Dashed lines denote low-branches, solid lines high-branches. Applying this idea of sharing, t can now be written as:

t = t = t = t = t = t =
0 1 00 000 001

x y y x y y

1

1 1 2

2 2

! t ;t ! 0; t ! t ;0 ! t ;t ! 0; 1 ! 1; 0
1 0 00 00 001

000

Each subexpression can be viewed as the node of a graph. Such a node is either terminal in the case of the constants 0 and 1, or non-terminal. A non-terminal node has a low-edge corresponding to the else-part and a high-edge corresponding to the then-part. See gure 3. Notice, that the number of nodes has decreased from 9 in the decision tree to 6 in the BDD. It is not hard to imagine that if each of the terminal nodes were other big decision trees the savings would be dramatic. Since we have chosen to consistently select variables in the same order in the recursive calls during the construction of the INF of t, the variables occur in the same orderings on all paths from the root of the BDD. In this situation the binary decision diagram is said to be ordered (an OBDD). Figure 3 shows a BDD that is also an OBDD. Figure 4 shows four OBDDs. Some of the tests (e.g., on x in b) are redundant, since both the low- and high-branch lead to the same node. Such unnecessary tests can be removed: any reference to the redundant node is simply replaced by a reference to
2

3 BINARY DECISION DIAGRAMS

11

x1 y1 x2 y2 y2 y1

0
1 1 2 2

1
1 1 2 2

Figure 3: A BDD for (x , y ) ^ (x , y ) with ordering x < y < x < y . Low-edges are drawn as dotted lines and high-edges as solid lines.

x1 x1 x1 x2 x2

1

1
a b

1
c

x3

0
d

1
1 3

Figure 4: Four OBDDs: a) An OBDD for 1. b) Another OBDD for 1 with two redundant tests. c) Same as b with one of the redundant tests removed. d) An OBDD for x _ x with one redundant test.

3 BINARY DECISION DIAGRAMS
x y z x<y x<z x x x

12

Figure 5: The ordering and reducedness conditions of ROBDDs. Left: Variables must be ordered. Middle: Nodes must be unique. Right: Only non-redundant tests should be present. its subnode. If all identical nodes are shared and all redundant tests are eliminated, the OBDD is said to be reduced (an ROBDD). ROBDDs have some very convenient properties centered around the canonicity lemma below. (Often when people speak about BDDs they really mean ROBDDs.) To summarize: A Binary Decision Diagram (BDD) is a rooted, directed acyclic graph with one or two terminal nodes of out-degree zero labeled 0 or 1, and a set of variable nodes u of out-degree two. The two outgoing edges are given by two functions low (u) and high (u). (In pictures, these are shown as dotted and solid lines, respectively.) A variable var (u) is associated with each variable node. A BDD is Ordered (OBDD) if on all paths through the graph the variables respect a given linear order x < x < < x . An (O)BDD is Reduced (R(O)BDD) if (uniqueness) no two distinct nodes u and v have the same variable name and low- and high-successor, i.e.,
1 2
n

var (u) = var (v); low (u) = low (v); high (u) = high (v) implies u = v;

and (non-redundant tests) no variable node u has identical low- and high-successor, i.e., low (u) 6= high (u) : The ordering and reducedness conditions are shown in gure 5. ROBDDs have some interesting properties. They provide compact representations of Boolean expressions, and there are e cient algorithms for performing all kinds of logical operations on ROBDDs. They are all based on the crucial fact that for any function f : B ! B there is exactly one ROBDD representing it. This means, in particular, that there is exactly one ROBDD for the constant true (and constant false) function on B : the terminal node 1 (and 0 in case of false). Hence, it is possible to test in constant time whether an ROBDD is constantly true or false. (Recall that for Boolean expressions this problem is NP-complete.)
n n

3 BINARY DECISION DIAGRAMS

13

To make this claim more precise we must say what we mean for an ROBDD to represent a function. First, it is quite easy to see how the nodes u of an ROBDD inductively de nes Boolean expressions t : A terminal node is a Boolean constant. A non-terminal node marked with x is an if-then-else expression where the condition is x and the two branches are the Boolean expressions given by the low- or high-son, respectively:
u

t = 0 t = 1 t = var (u) ! t
0 1
u

high (u)

;t

low (u)

; if u is a variable node.
1 2
n n

Moreover, if x < x < < x is the variable ordering of the ROBDD, we associate with each node u the function f that maps (b ; b ; : : : ; b ) 2 B to the truth value of t b =x ; b =x ; : : : ; b =x ]. We can now state the key lemma:
1 2
n u u

1

1

2

2

n

n

Lemma 1 (Canonicity lemma) For any function f : B ! B there is exactly one ROBDD u with variable ordering x <
n

x <
2

< x such that f = f (x ; : : : ; x ). Proof: The proof is by induction on the number of arguments of f . For n = 0 there are only two Boolean functions, the constantly false and constantly true functions. Any ROBDD containing at least one non-terminal node is non-constant. (Why?) Therefore there is exactly one ROBDD for each of these: the terminals 0 and 1. Assume now that we have proven the lemma for all functions of n arguments. We proceed to show it for all functions of n + 1 arguments. Let f : B ! B be any Boolean function of n + 1 arguments. De ne the two functions f and f of n arguments by xing the rst argument of f to 0 respectively 1:
n u

1

1

n

n+1

0

1

f (x ; : : : ; x ) = f (b; x ; : : : ; x ) for b 2 B .
b

2

n+1

2

n+1

(Sometimes f and f are called the negative and positive co-factors of f with respect to x .) These functions satisfy the following equation:
0 1 1

f (x ; : : : ; x ) = x ! f (x ; : : : ; x ); f (x ; : : : ; x ) :
1
n

1

1

2

n

0

2

n

(3)
u u

Since f and f take only n arguments we assume by induction that there are unique ROBDD nodes u and u with f 0 = f and f 1 = f . There are two cases to consider. If u = u then f 0 = f 1 and f = f 0 = f 1 = f = f . Hence u = u is an ROBDD for f . It is also the only ROBDD for f since due to the ordering, if x is at all present in the ROBDD rooted at u, x would need to be the root node. However, if f = f then f = f 0=x ] = f and f = f 1=x ] = f . Since f = f 0 = f 1 = f by assumption, the low- and high-son of u would be the same, making the ROBDD violate the reducedness condition of non-redundant tests. If u 6= u then f 0 6= f 1 by the induction hypothesis (using the names x ; : : : ; x in place of x ; : : : ; x ). We take u to be the node with var (u) = x , low (u) = u , and high (u) = u , i.e., f = x ! f 1 ; f 0 which is reduced. By assumption f 1 = f and f 0 = f therefore using (3) we get f = f . Suppose that v is some other node with f = f . Clearly, f must depend on x , i.e., f 0=x ] 6= f 1=x ] (otherwise also
0 1 0 1
u

0

u

1

0

1

u

u

0

1

0

1

1

u

0

u

1

low (u)

1

1

u

1

high (u)

0

u

u

1

0

1

u

u

2

n+1

1

n

1

0

1

u

1

u

u

u

1

u

0

u

v

v

1

v

1

v

1

3 BINARY DECISION DIAGRAMS
0
v

14
v

f = f 0=x ] = f 1=x ] = f , a contradiction). Due to the ordering this means that var (v) = x = var (u). Moreover, from f = f it follows that f = f = f 0 and f = f = f 1 , which by the induction hypothesis implies that low (v) = u = low (u) and high (v) = u = high (u). From the reducedness property of uniqueness it follows that u = v. An immediate consequence is the following. Since the terminal 1 is an ROBDD for all variable orderings it is the only ROBDD that is constantly true. So in order to check whether an ROBDD is constantly true it su ces to check whether it is the terminal 1 which is de nitely a constant time operation. Similarly, ROBDDs that are constantly false must be identical to the terminal 0. In fact, to determine whether two Boolean functions are the same, it su ces to construct their ROBDDs (in the same graph) and check whether the resulting nodes are the same! The ordering of variables chosen when constructing an ROBDD has a great impact on the size of the ROBDD. If we consider again the expression (x , y ) ^ (x , y ) and construct an ROBDD using the ordering x < x < y < y the ROBDD consists of 9 nodes ( gure 6) and not 6 nodes as for the ordering x < y < x < y ( gure 3).
1
v

1

1

high (v )

1

low (v )

0

u

1

u

0

1

1

1

2

2

1

2

1

2

1

1

2

2

x1

x2

x2

y1

y1

y1

y1

y2

y2

1
1 1 2 2

0
1 2 1 2

Figure 6: The ROBDD for (x , y )^(x , y ) with variable ordering x < x < y < y .

Exercise 3.1 Show how to express all operators from the if-then-else operator and the
1 1 2 2 3 3 1 2 3 1 2 3 1 1 2 2 3 3

constants 0 and 1. Exercise 3.2 Draw the ROBDDs for (x , y ) ^ (x , y ) ^ (x , y ) with orderings x < x < x < y < y < y and x < y < x < y < x < y .

4 CONSTRUCTING AND MANIPULATING ROBDDS
1 1 2 2 1 2 1 2 1 1 2 2

15

Exercise 3.3 Draw the ROBDDs for (x , y ) _ (x , y ) with orderings x < x <
1 1 2 2 3 3
k k

y < y and x < y < x < y . How does it compare with the example in gures 3 and 6? Based on the examples you have seen so far, what variable ordering would you recommend for constructing a small ROBDD for (x , y ) ^ (x , y ) ^ (x , y ) ^ ^ (x , y )?

nentially bigger decision trees. I.e., if u has size (n) then the decision tree should have size (2 ).
n n

Exercise 3.4 Give an example of a sequence of ROBDDs u ; 0 n which induces expon

Exercise 3.5 Construct an ROBDD of maximum size over six variables.

4 Constructing and Manipulating ROBDDs
In the previous section we saw how to construct an OBDD from a Boolean expression by a simple recursive procedure. The question arises now how do we construct a reduced OBDD? One way is to rst construct an OBDD and then proceed by reducing it. Another more appealing approach, which we follow here, is to reduce the OBDD during construction. To describe how this is done we will need an explicit representation of ROBDDs. Nodes will be represented as numbers 0; 1; 2; : : : with 0 and 1 reserved for the terminal nodes. The variables in the ordering x < x < < x are represented by their indices 1; 2; : : : ; n. The ROBDD is stored in a table T : u 7! (i; l; h) which maps a node u to its three attributes var (u) = i, low (u) = l, and high (u) = h. Figure 7 shows the representation of the ROBDD from gure 3 (with the variable names changed to x < x < x < x ).
1 2
n

1

2

3

4

In order to ensure that the OBDD being constructed is reduced, it is necessary to determine from a triple (i; l; h) whether there exists a node u with var (u) = i; low (u) = l, and high (u) = h. For this purpose we assume the presence of a table H : (i; l; h) 7! u mapping triples (i; l; h) of variable indices i, and nodes l; h to nodes u. The table H is the \inverse" of the table T , i.e., for variable nodes u, T (u) = (i; l; h), if and only if, H (i; l; h) = u. The operations needed on the two tables are:

4.1 Mk

T : u 7! (i; l; h) init(T ) initialize T to contain only 0 and 1 u add(T; i; l; h) allocate a new node u with attributes (i; l; h) var (u); low (u); high (u) lookup the attributes of u in T H : (i; l; h) 7! u init(H ) initialize H to be empty b member(H; i; l; h) check if (i; l; h) is in H u lookup(H; i; l; h) nd H (i; l; h) insert(H; i; l; h; u) make (i; l; h) map to u in H

4 CONSTRUCTING AND MANIPULATING ROBDDS

16

7

x
5

1

x

2

x x
4
3

6
2

x
0

2

4

x
1

3
4

u 0 1 2 3 4 5 6 7

T : u 7! (i; l; h)

var low high 5 5 4 1 0 4 0 1 3 2 3 2 4 0 2 0 4 1 5 6

Figure 7: Representing an ROBDD with ordering x < x < x < x . The numbers inside the vertices are the identities used in the representation. The numbers 0 and 1 are reserved for the terminal nodes. The numbers to the right of the ROBDD shows the index of the variables in the ordering. The constants are assigned an index which is the number of variables in the ordering plus one (here 4+1 = 5). This makes some subsequent algorithms easier to present. The low- and high- elds are unused for the terminal nodes.
1 2 3 4

Mk T; H ](i; l; h)

1: 2: 3: 4: 5: 6:

if l = h then return l else if member(H; i; l; h) then return lookup(H; i; l; h) else u add(T; i; l; h)
insert(H; i; l; h; u)

return u

Figure 8: The function mk T; H ](i; l; h).

4 CONSTRUCTING AND MANIPULATING ROBDDS
Build T; H ](t)

17

1: function build'(t; i) = 2: if i > n then 3: if t is false then return 0 else return 1 4: else v build'(t 0=x ]; i + 1) 5: v build'(t 1=x ]; i + 1) 6: return mk(i; v ; v ) 7: end build' 8: 9: return build'(t; 1) Figure 9: Algorithm for building an ROBDD from a Boolean expression t using the ordering x < x < < x . In a call build'(t; i), i is the lowest index that any variable of t can have. Thus when the test i > n succeeds, t contains no variables and must be either constantly false or true.
0
i

1

i

0

1

1

2

n

We shall assume that all these operations can be performed in constant time, O(1). Section 5 will show how such a low complexity can be achieved. The function mk T; H ](i; l; h) (see gure 8) searches the table H for a node with variable index i and low-, high-branches l; h and returns a matching node if one exists. Otherwise it creates a new node u, inserts it into H and returns the identity of it. The running time of mk is O(1) due to the assumptions on the basic operations on T and H . The OBDD is ensured to be reduced if nodes are only created through the use of mk. In describing mk and subsequent algorithms, we make use of the notation T; H ] to indicate that mk depends on the global data structures T and H , but we leave out the arguments when invoking it as part of other algorithms. The construction of an ROBDD from a given Boolean expression t proceeds as in the construction of an if-then-else normal form (INF) in section 2. An ordering of the variables x < < x is xed. Using the Shannon expansion t = x ! t 1=x ]; t 0=x ], a node for t is constructed by a call to mk, after the nodes for t 0=x ] and t 1=x ] have been constructed by recursion. The algorithm is shown in gure 9. The call build'(t; i) constructs an ROBDD for a Boolean expression t with variables in fx ; x ; : : : ; x g. It does so by rst recursively constructing ROBDDs v and v for t 0=x ] and t 1=x ] in lines 4 and 5, and then proceeding to nd the identity of the node for t in line 6. Notice that if v and v are identical, or if there already is a node with the same i, v and v , no new node is created. An example of using build to compute an ROBDD is shown in gure 10. The running time of build is bad. It is easy to see that for a variable ordering with n variables there will always be generated on the order of 2 calls .
1
n

4.2 Build

1

1

1

1

1

i

i+1

n

0

1

i

i

0

1

0

1

n

4 CONSTRUCTING AND MANIPULATING ROBDDS

18

build'((x1

((0

, 2_
x

d

, 2_
x

g

)

x3 ; 1)

)

x3 ; 2)

((1

, 2_
x

f

)

x3 ; 2)

((0

, _
0)

b

x3 ; 3)

((0

, _
1)

c

x3 ; 3)

((1

, _
0)

e

x3 ; 3)

((1

, _
1)

e

x3 ; 3)

((0

, _
0)

0; 4) ((0

((0

, _
0)

, _
1)

0; 4) ((0 1)

((1

1; 4)

, _

, _
0)

0; 4) ((1

((1

1; 4)

, _
0)

, _
1)

0; 4) ((1

1; 4)

, _
1)

1; 4)

a
x2 x3 x3

1

b

1

c
x2

0

1

d
x2

0
x1

x2 x3

x2 x3

x2 x3

1

e

0

1

f
1

0
2 3 3

1

g

0

Figure 10: Using build on the expression (x , x ) _ x . (a) The tree of calls to build. (b) The ROBDD after the call build'((0 , 0) _ x ; 3). (c) After the call build'((0 , 1) _ x ; 3). (d) After the call build'((0 , x )_x ; 2). (e) After the calls build'((1 , 0)_x ; 3) and build'((1 , 1) _ x ; 3). (f) After the call build'((1 , x ) _ x ; 2). (g) The nal result.
3 2 3 3 3 2 3

4 CONSTRUCTING AND MANIPULATING ROBDDS

19

4.3 Apply
1: init(G) 2: 3: function app(u ; u ) = 4: if G(u ; u ) 6= empty then return G(u ; u ) 5: else if u 2 f0; 1g and u 2 f0; 1g then u op(u ; u ) 6: else if var(u ) = var(u ) then 7: u mk(var(u ); app(low (u ); low (u )); app(high (u ); high (u ))) 8 else if var(u ) < var(u ) then 9 u mk(var(u ); app(low (u ); u ); app(high (u ); u )) 10: else ( var(u ) > var(u ) ) 11: u mk(var(u ); app(u ; low (u )); app(u ; high (u ))) 12: G(u ; u ) u 13: return u 14: end app 15: 16: return app(u ; u )
1 2 1 2 1 2 1 2 1 2 1 2 1 1 2 1 2 1 2 1 1 2 1 2 1 2 2 1 2 1 2 1 2 1 2

Apply T; H ](op; u1; u2 )

Figure 11: The algorithm apply T; H ](op; u ; u ).
1 2

All the binary Boolean operators on ROBDDs are implemented by the same general algorithm apply(op; u ; u ) that for two ROBDDs computes the ROBDD for the Boolean expression t 1 op t 2 . The construction of apply is based on the Shannon expansion (2): t = x ! t 1=x]; t 0=x] : Observe that for all Boolean operators op the following holds: (x ! t ; t ) op (x ! t0 ; t0 ) = x ! t op t0 ; t op t0 (4) If we start from the root of the two ROBDDs we can construct the ROBDD of the result by recursively constructing the low- and the high-branches and then form the new root from these. Again, to ensure that the result is reduced, we create the node through a call to mk. Moreover, to avoid an exponential blow-up of recursive calls, dynamic programming is used. The algorithm is shown in gure 11. Dynamic programming is implemented using a table of results G. Each entry (i; j ) is either empty or contains the earlier computed result of app(i; j ). The algorithm distinguishes between four di erent cases, the rst of them handles the situation where both arguments are terminal nodes, the remaining three handle the situations where at least one argument is a variable node. If both u and u are terminal, a new terminal node is computed having the value of op applied to the two truth values. (Recall, that terminal node 0 is represented by a node with identity 0 and similarly for 1.)
1 2
u u

1

2

1

2

1

1

2

2

1

2

4 CONSTRUCTING AND MANIPULATING ROBDDS
1 2

20

If at least one of u and u are non-terminal, we proceed according to the variable index. If the nodes have the same index, the two low-branches are paired and app recursively computed on them. Similarly for the high-branches. This corresponds exactly to the case shown in equation (4). If they have di erent indices, we proceed by pairing the node with lowest index with the low- and high-branches of the other. This corresponds to the equation (x ! t ; t ) op t = x ! t op t; t op t (5) which holds for all t. Since we have taken the index of the terminals to be one larger than the index of the non-terminals, the last two cases, var (u ) < var (u ) and var (u ) > var (u ), take account of the situations where one of the nodes is a terminal. Figure 12 shows an example of applying the algorithm on two small ROBDDs. Notice how pairs of nodes from the two ROBDDs are combined and computed. To analyze the complexity of apply we let juj denote the number of nodes that can be reached from u in the ROBDD. Assume that G can be implemented with constant lookup and insertion times. (See section 5 for details on how to achieve this.) Due to the dynamic programming at most ju j ju j calls to Apply are generated. Each call takes constant time. The total running time is therefore O(ju j ju j).
i

1

2

i

1

2

1

2

1

2

1

2

1

2

The next operation we consider is the restriction of a ROBDD u. That is, given a truth assignment, for example 0=x ; 1=x ; 1=x ], we want to compute the ROBDD for t under this restriction, i.e., nd the ROBDD for t 0=x ; 1=x ; 1=x ]. As an example consider the ROBDD of gure 10(g) (repeated below to the left) representing the Boolean expression (x , x ) _ x . Restricting it with respect to the truth assignment 0=x ] yields an ROBDD for (:x _ x ). It is constructed by replacing each occurrence of a node with label x by its left branch yielding the ROBDD at the right:
3 5 6
u u

4.4 Restrict

3

5

6

1

2

3

2

1

3

2

x1

x2

x2

x1

x3

x3

1

0

1

0

The algorithm again uses mk to ensure that the resulting OBDD is reduced. Figure 13 shows the algorithm in the case where only singleton truth assignments ( b=x ], b 2 f0; 1g) are allowed. Intuitively, in computing restrict(u; j; b) we search for all nodes with var = j and replace them by their low- or high-son depending on b. Since this might force nodes above the point of replacemen to become equal, it is followed by a reduction (through the calls to mk). Due to the two recursive calls in line 3, the algorithm has an exponential running time, see exercise 4.7 for an improvement that reduces this to linear time.
j

4 CONSTRUCTING AND MANIPULATING ROBDDS

21

^
8
x

=
5

1 2 3 4 5
0 3

9 7 5 3 2 8 6 4

6

7

x

5

x

4

3

4

x

2

x

2

0

1

1

1

0

8,5

x

1 2 3 4 5

6,3

7,4

x

5,3

0,3

0,4

5,4

x

3,2

4,0

0,2

0,0

0,1

0,2

3,0

4,2

x

2,2

0,2

0,0

2,0

2,0

0,1

0,2

2,2

x

1,1

0,0

0,1

0,0

1,0

0,0

Figure 12: An example of applying the algorithm apply for computing the conjunction of the two ROBDDs shown at the top left. The result is shown to the right. Below the tree of arguments to the recursive calls of app. Dashed nodes indicate that the value of the node has previously been computed and is not recomputed due to the use of dynamic programming. The solid ellipses show calls that nishes by a call to mk with the variable index indicated by the variables to the right of the tree.

4 CONSTRUCTING AND MANIPULATING ROBDDS
Restrict T; H ](u; j; b) =

22

1: function res(u) = 2: if var (u) > j then return u 3: else if var (u) < j then return mk(var (u); res(low (u)); res(high (u))) 4: else (* var (u) = j *) if b = 0 then return res(low (u)) 5: else (* var (u) = j; b = 1 *) return res(high (u)) 6: end res 7: return res(u) Figure 13: The algorithm restrict T; H ](u; j; b) which computes an ROBDD for t j=b].
u

In this section we consider operations to examine the set of satisfying truth assignments of a node u. A truth assignment satis es a node u if t ] can be evaluated to 1 using the truth tables of the Boolean operators. Formally, the satisfying truth assignments is the set sat(u): sat(u) = f 2 B f 1 ng j t ] is true g; where B f 1 ng denotes the set of all truth assignments for variables fx ; : : : ; x g, i.e., functions from fx ; : : : ; x g to the truth values B = f0; 1g. The rst algorithm, SatCount, computes the size of sat(u), see gure 14. The algorithm exploits the following fact. If u is a node with variable index var (u) then two sets of truth assignments can make f true. The rst set has var u equal to 0, the other has var u equal to 1. For the rst set, the number is found by nding the number of truth assignments count(low (u)) making low (u) true. All variables between var (u) and var (low (u)) in the ordering can be chosen arbitrarily, therefore in the case of var u being 0, a total of 2 count(low (u)) satisfying truth assignments exists. To be e cient, dynamic programming should be applied in SatCount (see exercise 4.10). The next algorithm AnySat in gure 15 nds a satisfying truth assignment. Some irrelevant variables present in the ordering might not appear in the result and they can be assigned any value whatsoever. AnySat simply nds a path leading to 1 by a depthrst traversal, prefering somewhat arbitrarily low-edges over high-edges. It is particularly simple due to the observation that if a node is not the terminal 0, it has at least one path leading to 1. The running time is clearly linear in the result. AllSat in gure 16 nds all satisfying truth-assignments leaving out irrelevant variables from the ordering. AllSat(u) nds all paths from a node u to the terminal 1. The running time is linear in the size of the result multiplied with the time to add the single assignments x 7! 0] and x 7! 1] in front of a list of up to n elements. However, the result can be exponentially large in juj, so the running time is the poor O(2j jn).
u x ;:::;x u x ;:::;x

4.5 SatCount, AnySat, AllSat

1

n

1

n

u

var (low (u))

var (u)

1

var (u)

var (u)

u

4 CONSTRUCTING AND MANIPULATING ROBDDS
1: 2: 3: 4:
SatCount T ](u)

23

function count(u) if u = 0 then res 0 else if u = 1 then res 1 else res 2
var (low (u))

var (u)

1

5: return res 6: end count 7: 8: return 2 count(u) Figure 14: An algorithm for determining the number of valid truth assignments. Recall, that the \variable index" var of 0 and 1 in the ROBDD representation is n +1 when the ordering contains n variables (numbered 1 through n). This means that var (0) and var (1) always gives n + 1.
var (u)

+2

var (high (u))

var (u)

1

count(low (u)) count(high (u))

1

1: if u = 0 then Error 2: else if u = 1 then return ] 3: else if low (u) = 0 then return x 7! 1; AnySat(high (u))] 4: else return x 7! 0; AnySat(low (u))] Figure 15: An algorithm for returning a satisfying truth-assignment. The variables are assumed to be x ; : : : ; x ordered in this way.
var (u) var (u)

AnySat(u)

1

n

AllSat(u) 1: if u = 0 then return h i 2: else if u = 1 then return h ] i 3: else return 4: hadd x 7! 0] in front of all 5: truth-assignments in AllSat(low (u)); 6: add x 7! 1] in front of all 7: truth-assignments in AllSat(high (u))i Figure 16: An algorithm which returns all satisfying truth-assignments. The variables are assumed to be x ; : : : x ordered in this way. We use h i to denote sequences of truth assignments. In particular, h i is the empty sequence of truth assignments, and h ] i is the sequence consisting of the single empty truth assignment.
var (u) var (u)

1

n

4 CONSTRUCTING AND MANIPULATING ROBDDS

24

1: function sim(d; u) 2: if d = 0 then return 0 3: else if u 1 then return u 4: else if d = 1 then 5: return mk(var (u); sim(d; low (u)); sim(d; high (u))) 6: else if var (d) = var (u) then 7: if low (d) = 0 then return sim(high (d); high (u)) 8: else if high (d) = 0 then return sim(low (d); low (u)) 9: else return mk(var (u); 10: sim(low (d); low (u)); 11: sim(high (d); high (u))) 12: else if var (d) < var (u) then 13: return mk(var (d); sim(low (d); u); sim(high (d); u)) 14: else 15: return mk(var (u); sim(d; low (u)); sim(d; high (u))) 16: end sim 17: 18: return sim(d; u) Figure 17: An algorithm (due to Coudert et al CBM89] ) for simplifying an ROBDD b that we only care about on the domain d. Dynamic programming should be applied to improve e ciency (exercise 4.12)

Simplify(d; u)

4 CONSTRUCTING AND MANIPULATING ROBDDS
O(1) O(2 ) O (ju j ju j) O(juj) See note O(juj) See note O ( j pj ) p = AnySat(u), jpj = O(juj) O(jrj n) r = AllSat(u), jrj = O(2j j) O(jdjjuj) See note Note: These running times only holds if dynamic programming is used (exercises 4.7, 4.10, and 4.12).
n

25

mk(i; u0 ; u1) Build(t) Apply(op; u1; u2 ) Restrict(u; j; b) SatCount(u) AnySat(u) AllSat(u) Simplify(d; u)

1

2

u

Table 1: Worst-case running times for the ROBDD operations. The running times are the expected running times since they are all based on a hash-table with expected constant time search and insertion operations.

4.6 Simplify

The nal algorithm called Simplify is shown in gure 17. The algorithm is used to simplify an ROBDD by trying to remove nodes. The simpli cation is based on a domain d of interest. The ROBDD u is supposed to be of interest only on truth assignments that also satisfy d. (This occurs when using ROBDDs for formal veri cation. Section 7 shows how to do formal veri cation with ROBDDs, but contains no example of using Simplify.) To be precise, given d and u, Simplify nds another ROBDD u0, typically smaller than u, such that t ^ t = t ^ t . It does so by trying to identify sons, and thereby making some nodes redundant. A more detailed analysis is left to the reader.
d u d u
0

The running time of the algorithms of the previous sections is summarized in table 1.

4.7 Existential Quanti cation and Substitution

When applying ROBDDs often existential quanti cation and composition is used. Existential quanti cation is the Boolean operation 9x:t. The meaning of an existential quanti cation of a Boolean variable is given by the following equation: 9x:t = t 0=x] _ t 1=x] : (6) On ROBDDs existential quanti cation can therefore be implemented using two calls to Restrict and a single call to Apply. Composition is the ROBDD operation performing the equivalent of substitution on Boolean expression. Often the notation t t0 =x] is used to describe the result of substituting all free occurrences of x in t by t0. (An occurrence of a variable is free if it is not within the scope of a quanti er.) To perform this substitution on ROBDDs we observe the
1
1

Since ROBDDs contain no quanti ers we shall not be concerned with the problems of free variables of t0 being bound by quanti ers of t.

4 CONSTRUCTING AND MANIPULATING ROBDDS

26

following equation, which holds if t contains no quanti ers: t t0 =x] = t t0 ! 1; 0=x] = t0 ! t 1=x]; t 0=x]: (7) Since (t0 ! t 1=x]; t 0=x]) = (t0 ^ t 1=x]) _ (:t0 ^ t 0=x]) we can compute this with two applications of restrict and three applications of apply (with the operators ^, (: ) ^ , _). However, by essentially generalizing apply to operators op with three arguments we can do better (see exercise 4.13).

Exercise 4.1 Construct the ROBDD for :x ^ (x , :x ) with ordering x < x < x using the algorithm Build in gure 9.
1 2 3 1 2

Exercises

3

Exercise 4.2 Show the representation of the ROBDD of gure 6 in the style of gure 7. Exercise 4.3 Suggest an improvement BuildConj(t) of Build which generates only a
linear number of calls for Boolean expressions t that are conjunctions of variables and negations of variables.

Exercise 4.4 Construct the ROBDDs for x and x ) y using whatever ordering you
want. Compute the disjunction of the two ROBDDs using apply.
1 3 2 3 1 2 3 1

<x ? Exercise 4.7 Use dynamic programming to improve the running time of Restrict. Exercise 4.8 Generalise restrict to arbitrary truth assignments x 1 = b 1 ,x 2 = b 2 ,: : :,x n = b n ]. It might be convenient to assume that x 1 < x 2 < < x n . Exercise 4.9 Suggest a substantially better way of building ROBDDs for (large) Boolean expressions than build. Exercise 4.10 Change SatCount such that dynamic programming is used. How does this change the running time? Exercise 4.11 Explain why dynamic programming does not help in improving the running time of AllSat. Exercise 4.12 Improve the e ciency of Simplify with dynamic programming. Exercise 4.13 Write the algorithm Compose(u ; x; u ) for computing the ROBDD of u u =x] e ciently along the lines of apply. First generalize apply to operators op with three arguments (as for example the if-then-else operator), utilizing once again the Shannon expansion. Then use equation 7 to write the algorithm.
1 2
n i i i i i i i i i

Exercise 4.5 Construct the ROBDDs for :(x ^ x ) and x ^ x using build with the ordering x < x < x . Use apply to nd the ROBDD for :(x ^ x ) _ (x ^ x ). Exercise 4.6 Is there any essential di erence in running time between nding restrict(b; 1; 0)
3 2 3

and restrict(b; n; 0) when the variable ordering is x < x <

1

2

1

2

5 IMPLEMENTING THE ROBDD OPERATIONS

27

5 Implementing the ROBDD operations
There are many choices that have to be taken in implementing the ROBDD operations. There is no obvious best way of doing it. This section gives hints for some reasonable solutions. First, the node table T is an array as shown in gure 7. The only problem is that the size of the array is not known until the full BDD has been constructed. Either a xed upper bound could be assumed, or other tricks must be applied (for example dynamic arrays CLR90, sec. 18.4]). The table H could be implemented as a hash-table using for instance the hash function

h(i; v0; v1) = pair(i; pair(v0; v1)) mod m where pair is a pairing function that maps pairs of natural numbers to natural numbers and m is a prime. One choice for the pairing function is (i + j )(i + j + 1) + i pair(i; j ) = 2 which is a bijection, and therefore \perfect": it produces no collisions. As usual with hash-tables we have to decide on the size as a prime m. However, since the size of H grows dynamically it can be hard to nd a good choice for m. One solution would be to take m very large, for example m = 15485863 (which is the 1000000'th prime number), and then take as the hashing function h0(i; v0; v1) = h(i; v0; v1) mod 2 using a table of size 2 . Starting from some reasonable small value of k we could increase the table when it contains 2 elements by adding one to k, construct a new table and rehash all elements into this new table. (Again, see for example CLR90, sec. 18.4] for details.) For such a dynamic hash-table the amortized, expected cost of each operation is still O(1). The table G used in Apply could be implemented as a two-dimensional array. However, it turns out to be very sparsely used { especially if we succeed in getting small ROBDDs { and it is better to use a hash-table for it. The hashing function used could be g(v0; v1) = pair(v0; v1) mod m and as for H a dynamic hash-table could be used.
k k k

6 Examples of problem solving with ROBDDs
This section will describe various examples of problems that can be solved with an ROBDD-package. The examples are not chosen to illustrate when ROBDDs are the best choice, but simply chosen to illustrate the scope of potential applications. A classical chess-board problem is the 8 queens problem: Is it possible to place 8 queens on a chess board so that no queen can be captured by another queen? To be a bit more

6.1 The 8 Queens problem

6 EXAMPLES OF PROBLEM SOLVING WITH ROBDDS

28

general we could ask the question for arbitrary N : Is it possible to place N queens safely on a N N chess board? To solve the problem using ROBDDs we must encode it using Boolean variables. We do this by introducing a variable for each position on the board. We name the variables as x ; 1 i; j N where i is the row and j is the column. A variable will be 1 if a queen is placed on the corresponding position.
ij

8 7 6 5 4 3 2 1 1 2 3 4 5 6 7 8

The capturing rules for queens require that no other queen can be positioned on the same row, column, or any of the diagonals. This we can express as Boolean expressions: For all i; j , ^ :x x )
ij

x )
ij

1

l

^6

il

N;l=j

x )
ij

1

k

N;k =i

6

x )
ij

1

k

N;1

^ ^

:x

kj

j +k

i

N;k =i

6

:x
6

k;j +k

i

:x

k;j +i

k

1

k

N;1

j +i

k

N;k =i

Moreover, there must be a queen in each row: For all i,

x _x _
i1 i2

_x

iN

Taking the conjunction of all the above requirements, we get a predicate Sol (~ ) true at x exactly the con gurations that are solutions to the N queens problem.
N

x Sol (~ ) when given N as input. Make a table of the number of solutions to the N queens problem for N = 1; 2; 3; 4; 5; 6; 7; 8; : : : When there is a solution, give one.
N

Exercise 6.1 (8 Queens Problem) Write a program that can nd an ROBDD for

6 EXAMPLES OF PROBLEM SOLVING WITH ROBDDS
x y

29

^

xor
co

_

^

ci

xor
s

Figure 18: A full-adder

6.2 Correctness of Combinational Circuits
o i o i

A full-adder takes as arguments two bits x and y and an incoming carry bit c . It produces as output a sum bit s and an outgoing carry bit c . The requirement is that 2 c + s = x + y + c , in other words c is the most signi cant bit of the sum of x; y, and c , and s the least signi cant bit. The requirement can be written down as a table for c and a table for s in terms of values of x; y, and c . From such a table it is easy to write down a DNF for c and s. At the normal level of abstraction a combinational circuit is nothing else than a Boolean expression. It can be represented as an ROBDD, using Build to construct the trivial ROBDDs for the inputs and using a call to Apply for each gate.
i o o i o

one bit full-adder using the ROBDD-package and the DNFs.

Exercise 6.2 Find DNFs for c and s. Verify that the circuit in gure 18 implements a
o

6.3 Equivalence of Combinational Circuits

As above we can construct an ROBDD from a combinational circuit and use the ROBDDs to show properties. For instance, the equivalence with other circuits.

Exercise 6.3 Verify that the two circuits in gure 19 are not equivalent using ROBDDs.
Find an input that returns di erent outputs in the two circuits.

6 EXAMPLES OF PROBLEM SOLVING WITH ROBDDS

30

x1

^ _

y1 x2

nor
^ ^ _
a

y2 x1 y1

nor
^ : : : ^ _
b

x2

^ ^

y2

Figure 19: Two circuits used in exercise 6.3

7 VERIFICATION WITH ROBDDS
t1

31

c1

h1

c2

t4

h4

h2

t2

c4

h3

c3

t3

Figure 20: Milner's Scheduler with 4 cyclers. The token is passed clockwise from c to c to c to c and back to c
1 3 4 1

2

7 Veri cation with ROBDDs
One of the major uses of ROBDDs is in formal veri cation. In formal veri cation a model of a system M is given together with some properties P supposed to hold for the system. The task is to determine whether indeed M satisfy P . The approach we take, in which we shall use an algorithm to answer the satisfaction problem, is often called model checking. We shall look at a concrete example called Milner's Scheduler (taken from Milner's book Mil89]). The model consists of N cyclers, connected in a ring, that co-operates on starting and detecting termination of N tasks that are not further described. The scheduler must make sure that the N tasks are always started in order but they are allowed to terminate in any order. This is one of the properties that has to be shown to hold for the model. The cyclers try to ful ll this by passing a token: the holder of the token is the only process allowed to start its task. All cyclers are similar except that one of them has the token in the initial state. The cyclers cyc , 1 i N are described in a state-based fashion as small transition systems over the Boolean variables t ; h , and c . The variable t is 1 when task i is running and 0 when it is terminated; h is 1 when cycler i has a token, 0 otherwise; c is 1 when cycler i 1 has put down the token and cycler i not yet picked it up. Hence a cycler starts a task by changing t from 0 to 1, and detects its termination when t is again changed back to 0; and it picks up the token by changing c from 1 to 0 and puts it down by changing c from 0 to 1. The behaviour of cycler i is described by two transitions: if c = 1 ^ t = 0 then t ; c ; h := 1; 0; 1 if h = 1 then c mod ; h := 1; 0 The meaning of a transition \if condition then assignment" is that, if the condition is true in some state, then the system can evolve to a new state performing the (parallel) assignment. Hence, if the system is in a state where c is 1 and t is 0 then we can simultaneously set t to 1, c to 0 and h to 1.
i i i i i i i i i i i+1 i i i i i i

(i

N )+1

i

i

i

i

i

i

7 VERIFICATION WITH ROBDDS

32

The transitions are encoded by a single predicate over the value of the variables before the transitions (the pre-state) and the values after the transition (the post-state). The variables in the pre-state are the t ; h ; c ; 1 i N which we shall collectively refer to as ~ and in the post-state t0 ; h0 ; c0 ; 1 i N , which we shall refer to as ~ 0. Each transition x x is an atomic action that excludes any other action. Therefore in the encoding we shall often have to say that a lot of variables are unchanged. Assume that S is a subset of the unprimed variables ~ . We shall use a predicate unchanged over ~ ; ~ 0 which ensures that x xx all variables in S are unchanged. It is de ned as follows:
i i i i i i S

unchanged =def
S

^
2

x = x0 :
S0 ~ S0 x

x

S

It is slightly more convenient to use the predicate assigned = unchanged n which express that every variable not in S 0 is unchanged. We can now de ne P , the transitions of cycler i over the variables ~ ; x0 as follows: x~
i

P =def
i

(c ^ :t ^ t0 ^ :c0 ^ h0 ^ assignedf i i ig) _ (h ^ c0 mod ^ :h0 ^ assignedf (i mod N )+1 ig)
i i i i i c ;t ;h i

(i

N )+1

i

c

;h

The signalling of termination of task i, by changing t from 1 to 0 performed by the environment is modeled by N transitions E ; 1 i N :
i i

E =def t ^ :t0 ^ assignedf i g;
i i i t

expressing the transitions if t = 1 then t := 0. Now, at any given state the system can perform one of the transitions from one of the P 's or the E 's, i.e., all possible transitions are given by the predicate T :
i i i i

T =def P _
1 1

_P _E _
n

1

_E :
n

In the initial state we assume that all tasks are stopped, no cycler has a token and only place 1 (c ) has a token. Hence the initial state can be characterized by the predicate I over the unprimed variables ~ given by: x I =def :~ ^ :~ ^ c ^ :c ^ ^ :c : t h
1 2
N

(Here : applied to a vector ~ means the conjunction of : applied to each coordinate t .) t The predicates describing Milner's Scheduler are summarized in gure 21. Within this setup we could start asking a lot of questions. For example, 1. Can we nd a predicate R over the unprimed variables characterizing exactly the states that can be reached from I ? R is called the set of reachable states. 2. How many reachable states are there? 3. Is it the case that in all reachable states only one token is present? 4. Is task t always only started after t ?
i i i

1

7 VERIFICATION WITH ROBDDS
0 unchanged =def 2 x=x assigned =def unchanged n P =def (c ^ :t ^ t0 ^ :c0 ^ h0 ^ assigned i i i ) _ (h ^ c0 mod +1 ^ :h0 ^ assigned i mod N +1 i ) E =def t _:t0 ^ assigned i ^ T =def P _E
S x S S0 ~ S0 x i i i i i i c ;t ;h c i i N i ;h i i i t i i

33

V

I

=def :~ ^ :~ ^ c ^ :c ^ t h
i N

1

1

2

^ :c

N

Figure 21: Milner's Scheduler as described by the transition predicate T and the initialstate predicate I . 5. Does Milner's Scheduler possess a deadlock? I.e., is there a reachable state in which no transitions can be taken? To answer these questions we rst have to compute R. Intuitively, R must be the set of states that either satisfy I (are initial) or within a nite number of T transitions can be reached from I . This suggest an iterative algorithm for computing R as an increasing chain of approximations R ; R ; : : : ; R ; : : : Step k of the algorithm nd states that with less than k transitions can be reached from I . Hence, we take R = 0 the constantly false predicate and compute R as the disjunction of I and the set of states which from one transition of T can be reached from R . Figure 22 illustrates the computation of R. How do we compute this with ROBDDs? We start with the ROBDD R = 0 . At any point in the computation the next approximation is computed by the disjunction of I and T composed with the previous approximation R0 . We are done when the current and the previous approximations coincide: Reachable-States(I; T; ~ ; ~ 0 ) xx 1: R 0 2: repeat 3: R0 R 4: R I _ (9~ : T ^ R) ~ =~ 0 ] x xx 0=R 5: until R 6: return R
0 1
k

0

k +1

k

Using the same encoding of a chess board as in section 6.1, letting x = 1 denote the presence of a Knight at position (i; j ) we can solve other problems. We can encode moves of a Knight as transitions. For each position, 8 moves are possible if they stay on the board. A Knight at (i; j ) can be moved to any one of (i 1; j 2); (i 2; j 1) assuming they are vacant and within the board boundary. For all i; j and k; l with 1 k; l N and (k; l) 2 f(i 1; j 2); (i 2; j 1)g: ^ M =def x ^ :x ^ :x0 ^ x0 ^ x = x0 :
ij ij;kl ij k;l ij kl

7.1 Knights tour

(i0 ;j 0 )

62f(

i;j );(k;l)

g

i0 j 0

i0 j 0

7 VERIFICATION WITH ROBDDS
Full state space

34

I

= R1
R2 R3

. . .

R

Figure 22: Sketch of computation of the reachable states Hence, the transitions are given as the predicate T (~ ; ~ 0): xx

T (~ ; ~ 0) =def xx
1
i;j;k;l

_
i

N;(k;l)

2f(

1;j

2);(i

2;j

1)

g

M

ij;kl

Exercise 7.1 (Knight's tour) Write a program to solve the following problem using Exercise 7.2 Why does the algorithm Reachable-States always terminate? Exercise 7.3 In this exercise we shall work with Milner's Scheduler for N = 4. It is by

the ROBDD-package: Is it possible for a Knight, positioned at the lower left corner to visit all positions on an N N board? (Hint: Compute iteratively all the positions that can be reached by the Knight.) Try it for various N .

far be the most convenient to solve the exercise by using an implementation of an ROBDD package. a) Find the reachable states as an ROBDD R. b) Find the number of reachable states. c) Show that in all reachable states at most one token is present on any of the placeholders c ; : : : ; c by formulating a suitable property P and prove that R ) P .
1
N

8 PROJECT: AN ROBDD PACKAGE

35

transition, i.e., it does not possess a deadlock. Exercise 7.4 Complete the above exercise by showing that the tasks are always started in sequence 1; 2; : : : ; N; 1; 2 : : : Exercise 7.5 Write a program that given an N as input computes the reachable states of Milner's Scheduler with N cyclers. The program should write out the number of reachable states (using SatCount). Run the program for N = 2; 4; 6; 8; 10; : : : Measure the running times and draw a graph showing the measurements as a function of N . What is the asymptotic running time of your program?

d) Show that in all reachable states Milner's Scheduler can always perform a

8 Project: An ROBDD Package
This project implements a small package of ROBDD-operations. The full package should contain the following operations: Init(n) Initialize the package. Use n variables numbered 1 through n. Print(u) Print a representation of the ROBDD on the standard output. Useful for debugging. Mk(i; l; h) Return the number u of a node with var (u) = i; low (u) = l; high (u) = h. This could be an existing node, or a newly created node. The reducedness of the ROBDD should not be violated. Build(t) Construct an ROBDD from a Boolean expression. You could restrict yourself to the expressions x or :x or nite conjunctions of these. (Why?) Apply(op; u ; u ) Construct the ROBDD resulting from applying op on u and u . Restrict(u; j; b) Restrict the ROBDD u according to the truth assignment b=x ]. SatCount(u) Return the number of elements in the set sat(u). (Use a type that can contain very large numbers such as oating point numbers.) AnySat(u) Return a satisfying truth assignment for u
1 2 1 2
j

Sub-project 1

Implement the tables T and H with their operations listed in section 4. On top of these implement the operations Init(n), Print(u), and Mk(i; l; h).

REFERENCES

36

Sub-project 2
1 2

Continue implementation of the package by adding the operations Build(t) and Apply(op; u ; u ). Finish your implementation of the package by adding Restrict(u; j; b), SatCount(u), and AnySat(u).

Sub-project 3

References
AH97] Henrik Reif Andersen and Henrik Hulgaard. Boolean expression diagrams. In Proceedings, Twelfth Annual IEEE Symposium on Logic in Computer Science, pages 88{98, Warsaw, Poland, June 29{July 2 1997. IEEE Computer Society. Bry86] Randal E. Bryant. Graph-based algorithms for Boolean function manipulation. IEEE Transactions on Computers, 8(C-35):677{691, 1986. Bry92] Randal E. Bryant. Symbolic Boolean manipulation with ordered binary-decision diagrams. ACM Computing Surveys, 24(3):293{318, September 1992. CBM89] Olivier Coudert, Christian Berthet, and Jean Christophe Madre. Veri cation of synchronous sequential machines based on symbolic execution. In J. Sifakis, editor, Automatic Veri cation Methods for Finite State Systems. Proceedings, volume 407 of LNCS, pages 365{373. Springer-Verlag, 1989. CLR90] Thomas H. Cormen, Charles E. Leiserson, and Ronald L. Rivest. Introduction to Algorithms. McGraw-Hill, 1990. Coo71] S.A. Cook. The complexity of theorem-proving procedures. In Proceedings of the Third Annual ACM Symposium on the Theory of Computing, pages 151{158, New York, 1971. Association for Computing Machinery. Mil89] Robin Milner. Communication and Concurrency. Prentice Hall, 1989.