Presentation is loading. Please wait.

Presentation is loading. Please wait.

An Integrated Sequential Verification Flow Berkeley Logic Synthesis and Verification Group Presented by Alan Mishchenko.

Published byNorah Tate Modified over 7 years ago

Similar presentations

Presentation on theme: "An Integrated Sequential Verification Flow Berkeley Logic Synthesis and Verification Group Presented by Alan Mishchenko."— Presentation transcript:

1 An Integrated Sequential Verification Flow Berkeley Logic Synthesis and Verification Group Presented by Alan Mishchenko

2 2 Overview Sequential verification Sequential verification Integrated verification flow Integrated verification flow Experimental results Experimental results Ongoing and future work Ongoing and future work

3 3 Sequential Verification Motivation Motivation Verifying equivalence after synthesis (equivalence checking) Verifying equivalence after synthesis (equivalence checking) Checking specific sequential properties (model checking) Checking specific sequential properties (model checking) Design analysis and estimation Design analysis and estimation Our research philosophy Our research philosophy Developing scalable solutions aimed at industrial problems Developing scalable solutions aimed at industrial problems Exploiting synergy between synthesis and verification Exploiting synergy between synthesis and verification Experimenting with new research ideas Experimenting with new research ideas Producing public implementations Producing public implementations

4 4 Verification Problems and Solutions Taxonomy of verification Taxonomy of verification Property and equivalence checking Property and equivalence checking Combinational and sequential verification Combinational and sequential verification Satisfiable and unsatisfiable problems Satisfiable and unsatisfiable problems Single-solver and multi-solver approach Single-solver and multi-solver approach Taxonomy of solvers/engines Taxonomy of solvers/engines Bug-hunters, provers, simplifiers, multi-purpose Bug-hunters, provers, simplifiers, multi-purpose Simulation, BDD-, AIG-, SAT-based, hybrid, etc Simulation, BDD-, AIG-, SAT-based, hybrid, etc Fast/slow, weak/strong, etc Fast/slow, weak/strong, etc

5 5 Property / Equivalence Checking Property checking Property checking Takes design and property and makes a miter Takes design and property and makes a miter Equivalence checking Equivalence checking Takes two designs and makes a miter Takes two designs and makes a miter The goal is to prove that the output of the miter is always 0 The goal is to prove that the output of the miter is always 0 D2 D1 Equivalence checking 0 D1 Property checking 0 p

6 6 Comb / Seq Verification Combinational miter Combinational miter Primary inputs Primary inputs Primary output(s) Primary output(s) Logic gates (no FFs) Logic gates (no FFs) y=0 Sequential miter Sequential miter Primary inputs Primary inputs Primary output(s) Primary output(s) Logic gates Logic gates FFs with initial state FFs with initial state ? y=0 ? Comb logic Seq logic xx Logic is represented using AIGs

7 7 Verification Engines Bug-hunters Bug-hunters random simulation random simulation bounded model checking (BMC) bounded model checking (BMC) hybrids of the above two (“semi-formal”) hybrids of the above two (“semi-formal”) Provers Provers K-step induction, with or without uniqueness constraints K-step induction, with or without uniqueness constraints Interpolation (over-approximate reachability) Interpolation (over-approximate reachability) BDDs (exact reachability) BDDs (exact reachability) Transformers Transformers Combinational synthesis Combinational synthesis Retiming Retiming etc etc

8 8 Design Representations for Verification Decision diagrams Decision diagrams Conjunctive normal form Conjunctive normal form Logic networks (circuits) Logic networks (circuits) And-Inverter Graphs And-Inverter Graphs

9 9 And-Inverter Graphs (AIGs) cd ab 00011110 000010 010011 110110 100010 F(a,b,c,d) = ab + d(ac’+bc) F(a,b,c,d) = ac’(b’d’)’ + c(a’d’)’ = ac’(b+d) + bc(a+d) cd a b 00011110000010 010011 110110 100010 6 nodes 4 levels 7 nodes 3 levels bcac a b d acbdbcad AIG is a Boolean network composed of two-input ANDs and inverters.

10 10 Efficient Implementation of AIGs Structural hashing Structural hashing Makes sure AIG is always stored in a compact form Makes sure AIG is always stored in a compact form Is applied during AIG construction Is applied during AIG construction Ensures each node is structurally unique Ensures each node is structurally unique Can be combined with constant propagation Can be combined with constant propagation Complemented edges Complemented edges Represents inverters as attributes on the edges Represents inverters as attributes on the edges Leads to fast, uniform manipulation Leads to fast, uniform manipulation Does not use memory for inverters Does not use memory for inverters Leads to efficient structural hashing Leads to efficient structural hashing Memory allocation Memory allocation Uses fixed amount of memory for each node Uses fixed amount of memory for each node Can be done by a simple custom memory manager Can be done by a simple custom memory manager Even dynamic fanout manipulation is supported! Even dynamic fanout manipulation is supported! Allocates memory for nodes in a topological order Allocates memory for nodes in a topological order Optimized for traversal in the same topological order Optimized for traversal in the same topological order Small static memory footprint for many applications Small static memory footprint for many applications ab c d ab c d Without hashing With hashing

11 11 Why AIGs in Verification? Easy to construct, relatively compact, robust Easy to construct, relatively compact, robust 1M AIG nodes = 40Mb RAM 1M AIG nodes = 40Mb RAM Can be efficiently stored on disk Can be efficiently stored on disk AIGER: 3-4 bytes / AIG node (1M AIG = 4Mb file) AIGER: 3-4 bytes / AIG node (1M AIG = 4Mb file) Unifying representation for different engines Unifying representation for different engines Used by bug-hunters, provers, transformers Used by bug-hunters, provers, transformers Easy to pass around between the engines Easy to pass around between the engines Compatible with latest SAT solvers Compatible with latest SAT solvers Efficient AIG-to-CNF conversion available Efficient AIG-to-CNF conversion available AIGs + simulation + SAT recently replaced BDDs in most (but not all) applications AIGs + simulation + SAT recently replaced BDDs in most (but not all) applications

12 12 Integrated Verification Flow Preprocessing Preprocessing Handling combinational problems Handling combinational problems Starting with faster engines Starting with faster engines Continuing with slower engines Continuing with slower engines Main induction loop Main induction loop Last-gasp engines Last-gasp engines

13 13 Command “dprove” in ABC transforming initial state (“undc”, “zero”) transforming initial state (“undc”, “zero”) converting into an AIG (“strash”) converting into an AIG (“strash”) creating sequential miter (“miter -c”) creating sequential miter (“miter -c”) combinational equivalence checking (“iprove”) combinational equivalence checking (“iprove”) bounded model checking (“bmc”) bounded model checking (“bmc”) sequential sweep (“scl”) sequential sweep (“scl”) phase-abstraction (“phase”) phase-abstraction (“phase”) most forward retiming (“dret -f”) most forward retiming (“dret -f”) partitioned register correspondence (“lcorr”) partitioned register correspondence (“lcorr”) min-register retiming (“dretime”) min-register retiming (“dretime”) combinational SAT sweeping (“fraig”) combinational SAT sweeping (“fraig”) for ( K = 1; K  16; K = K * 2 ) for ( K = 1; K  16; K = K * 2 ) signal correspondence (“scorr”) signal correspondence (“scorr”) stronger AIG rewriting (“dc2”) stronger AIG rewriting (“dc2”) min-register retiming (“dretime”) min-register retiming (“dretime”) sequential AIG simulation sequential AIG simulation interpolation (“int”) interpolation (“int”) BDD-based reachability (“reach”) BDD-based reachability (“reach”) saving reduced hard miter (“write_aiger”) saving reduced hard miter (“write_aiger”) Preprocessors Combinational solver Faster engines Slower engines Main induction loop Last-gasp engines

14 14 Retiming Engine Uses most-forward retiming to “canonicize” register positions (before register correspondence) Uses most-forward retiming to “canonicize” register positions (before register correspondence) Uses min-register retiming to minimize the number of registers (before signal correspondence) Uses min-register retiming to minimize the number of registers (before signal correspondence) Exposes combinational logic for optimization Exposes combinational logic for optimization Minimizes the size of state-space Minimizes the size of state-space Derives a new register boundary Derives a new register boundary Min-register retiming algorithm is new (A. Hurst, DAC’08) Min-register retiming algorithm is new (A. Hurst, DAC’08) Fast implementation based on max-flow/min-cut Fast implementation based on max-flow/min-cut Trades runtime for optimality Trades runtime for optimality Guarantees existence of initial state Guarantees existence of initial state Minimizes register perturbation Minimizes register perturbation

15 15 Induction Engine Can be used to prove one or more properties Can be used to prove one or more properties Can strengthen them using signal correspondence Can strengthen them using signal correspondence Supports external constraints (under development) Supports external constraints (under development) Supports uniqueness constraints (under development) Supports uniqueness constraints (under development) Only the cone-of-influence of a property is constrained Only the cone-of-influence of a property is constrained Highly-optimized implementation Highly-optimized implementation Speculative reduction Speculative reduction Smart simulation for better filtering of candidate properties Smart simulation for better filtering of candidate properties Aggressive filtering using structural similarity (for SEC) Aggressive filtering using structural similarity (for SEC)

16 16 Interpolation Engine Uses McMillan’s interpolation algorithm for unbounded model checking Uses McMillan’s interpolation algorithm for unbounded model checking Has several improved features Has several improved features Improved termination condition Improved termination condition “Solver-independent” proof-logging “Solver-independent” proof-logging Features experimental implementation of Features experimental implementation of Backward interpolation Backward interpolation Alternative proof-logging algorithms Alternative proof-logging algorithms Alternative interpolant computation methods Alternative interpolant computation methods

17 17 Experimental Results Sequential verifier in ABC Sequential verifier in ABC First implemented in summer 2007 First implemented in summer 2007 Publicly available since September 2007 Publicly available since September 2007 Now working on second-generation code Now working on second-generation code Very active research area - lots of new ideas to try! Very active research area - lots of new ideas to try! Test cases Test cases Generated by applying sequential synthesis in ABC Generated by applying sequential synthesis in ABC Public benchmarks from various sources Public benchmarks from various sources Industrial problems from several companies Industrial problems from several companies

18 18 Hardware Model Checking Competition at CAV (HWMCC’08) Competition organizers Competition organizers Armin Biere (Johannes Kepler University, Linz, Austria) Armin Biere (Johannes Kepler University, Linz, Austria) Alessandro Cimatti (IRST, Trento, Italy) Alessandro Cimatti (IRST, Trento, Italy) Koen Lindström Claessen (Chalmers University, Gothenburg, Sweden) Koen Lindström Claessen (Chalmers University, Gothenburg, Sweden) Toni Jussila (OneSpin Solutions, Munich, Germany) Toni Jussila (OneSpin Solutions, Munich, Germany) Ken McMillan (Cadende Berkeley Labs, Berkeley, USA) Ken McMillan (Cadende Berkeley Labs, Berkeley, USA) Fabio Somenzi (University of Colorado, Boulder, USA) Fabio Somenzi (University of Colorado, Boulder, USA) The total of 16 solvers from 6 universities The total of 16 solvers from 6 universities The total of 645 benchmarks The total of 645 benchmarks 344 old and 301 new 344 old and 301 new Resource limits per problem (on Intel Pentium IV, 3 GHz, 2 GB) Resource limits per problem (on Intel Pentium IV, 3 GHz, 2 GB) Runtime limit: 900 sec Runtime limit: 900 sec Memory limit: 1.5 Gb Memory limit: 1.5 Gb

19 19 Results Courtesy Armin Biere

20 20 HWMCC’08: All Benchmarks Courtesy Armin Biere

21 21 HWMCC’08: SAT Benchmarks Courtesy Armin Biere

22 22 HWMCC’08: UNSAT Benchmarks Courtesy Armin Biere

23 23 Competition Webpage

24 24 Summary Presented basics of formal verification Presented basics of formal verification Described integrated flow in ABC Described integrated flow in ABC Reviewed the results of HWMCC’08 Reviewed the results of HWMCC’08

25 25

26 26 Ongoing and Future Work Improved interpolation Improved interpolation command “int” command “int” New choice computation New choice computation command “dch” (not covered in this talk) command “dch” (not covered in this talk) New inductive prover New inductive prover command “scorr” command “scorr”

27 27 Interpolation: Basics Input: Sequential AIG with single output representing a property Input: Sequential AIG with single output representing a property Property holds when the output is 0 Property holds when the output is 0 Method: Over-approximate reachability analysis Method: Over-approximate reachability analysis Using over-approximations, instead of exact sets of reachable states Using over-approximations, instead of exact sets of reachable states Output: Proof that the property holds Output: Proof that the property holds Implementation: A sequence of SAT calls on unrolled time-frames that is similar to bounded model checking Implementation: A sequence of SAT calls on unrolled time-frames that is similar to bounded model checking R1R1 R2R2 R3R3 RnRn  I k+1 P=1 IkIk B A

28 28 Interpolation: Experiments Checking termination using induction Checking termination using induction Quit, if interpolant is a k-step-inductive invariant Quit, if interpolant is a k-step-inductive invariant Compare two interpolation algorithms Compare two interpolation algorithms McMillan’s vs. Pudlak’s McMillan’s vs. Pudlak’s Backward interpolation Backward interpolation Interpolate the last time frame, instead of the first Interpolate the last time frame, instead of the first Compare two different proofs Compare two different proofs Proof logger in ABC vs. proof logger in MiniSat-1.14p Proof logger in ABC vs. proof logger in MiniSat-1.14p (Done in collaboration with Roland Jiang, National Taiwan University.)

29 29 Checking Termination by Induction Traditional approach: Check termination by checking Boolean containment of I k+1 in I k Traditional approach: Check termination by checking Boolean containment of I k+1 in I k If so, a fixed-point is reached If so, a fixed-point is reached New approach: Check termination by checking whether I k is an inductive invariant New approach: Check termination by checking whether I k is an inductive invariant If so, iteration can stop because (i) I k contains all reachable states and (ii) the property holds for all states in I k If so, iteration can stop because (i) I k contains all reachable states and (ii) the property holds for all states in I k Improvement: Use k-step induction where k increases proportionally to the effort applied in the interpolation procedure Improvement: Use k-step induction where k increases proportionally to the effort applied in the interpolation procedure (This idea was suggested by Ken McMillan, Cadence Research Labs.)

30 30 Two Interpolation Procedures McMillan’s Root clauses Root clauses Clause of A gets OR of global literals Clause of A gets OR of global literals Clause of B gets constant 1 Clause of B gets constant 1 Learned clauses Learned clauses Variable of A gets OR of interpolants Variable of A gets OR of interpolants Variable of B or C gets AND of interpolants Variable of B or C gets AND of interpolantsPudlak’s Root clauses Root clauses A Clause of A gets constant 0 B Clause of B gets constant 1 Learned clauses Learned clauses A Variable of A gets OR of interpolants B Variable B gets AND of interpolants C Variable of C gets MUX controlled by this variable

31 31 Backward Interpolation Instead of interpolating init-state and the first time frame, interpolate negated property and the last frame Instead of interpolating init-state and the first time frame, interpolate negated property and the last frame Unroll circuit backward rather than forward Unroll circuit backward rather than forward It was found experimentally that backward interpolation rarely has better runtime It was found experimentally that backward interpolation rarely has better runtime

32 32 Two Proof Logging Procedures ABC Uses a sequence of learned clauses Uses a sequence of learned clauses Is largely independent of the SAT solver Is largely independent of the SAT solver Doubles the runtime of SAT solver because the proof is re-derived using backward BCP Doubles the runtime of SAT solver because the proof is re-derived using backward BCPMiniSat-1.14p Records the steps of conflict analysis Records the steps of conflict analysis SAT solver should be heavily modified SAT solver should be heavily modified Has little runtime overhead but may use more memory Has little runtime overhead but may use more memory It was found experimentally that using proof-logging in ABC results in a faster interpolation procedure It was found experimentally that using proof-logging in ABC results in a faster interpolation procedure

33 33 Interpolation Results The table reports runtime of command “int” in ABC, which implements Ken McMillan’s unbounded model checking procedure. The runtime is in seconds on an IBM laptop with a 1.6GHz Pentium 4 CPU and 2GB of RAM. Timeout was set to 300 seconds. Default interpolation parameters: inductive check (K=2), original transition relation (no self-loop), forward interpolation, proof-logging engine in ABC.

34 34 Inductive Case Proving internal equivalences in a topological order in frame K A B SAT-1 D C SAT-2 A B D C A B D C Assuming internal equivalences to in uninitialized frames 0 through K-1 0 0 0 0 ? ? Symbolic state PI 0 PI 1 PI k A B SAT-3 D C SAT-4 A B SAT-1 D C SAT-2 ? ? ? ? PI 0 PI 1 Initial state Candidate equivalences: {A,B}, {C,D} Proving internal equivalences in initialized frames 0 through K-1 Inductive Prover: Basics Base Case

35 35 Inductive Prover: Experiments Simulation of additional timeframes Simulation of additional timeframes Counter-examples to induction can be simulated over several timeframes, resulting in additional refinement Counter-examples to induction can be simulated over several timeframes, resulting in additional refinement Skipping SAT calls for some cand. equivalences Skipping SAT calls for some cand. equivalences Can skip an equivalence if its cone-of-influence did not change after the last iteration of refinement Can skip an equivalence if its cone-of-influence did not change after the last iteration of refinement Improved implementation Improved implementation Better AIG to CNF conversion Better AIG to CNF conversion Better candidate equivalence class manipulation Better candidate equivalence class manipulation More flexible simulation More flexible simulation

36 36 Inductive Prover: Results Using a large test-case taken at random from resynthesis/retiming/resynthesis benchmarks (R. Jiang et al, ICCAD’07) Using a large test-case taken at random from resynthesis/retiming/resynthesis benchmarks (R. Jiang et al, ICCAD’07) Running three versions of ABC on a laptop Running three versions of ABC on a laptop Old prover (September 2007) Old prover (September 2007) 171 sec 171 sec Improved old prover (September 2008) Improved old prover (September 2008) 94 sec 94 sec New prover (September 2008) New prover (September 2008) 31 sec 31 sec

37 37 Inductive Prover: Next Steps Support external sequential constraints Support external sequential constraints Use constrained instead of random simulation Use constrained instead of random simulation Add uniqueness constraints on demand Add uniqueness constraints on demand May increase inductive power for hard properties May increase inductive power for hard properties Use aggressive filtering of cand. equivalences Use aggressive filtering of cand. equivalences May speed up SEC after seq. synthesis when most of the circuit structure did not change (e.g. clock-gating) May speed up SEC after seq. synthesis when most of the circuit structure did not change (e.g. clock-gating)

38 38 Future Work Incorporate stand-alone speculative reduction into the verification engine Incorporate stand-alone speculative reduction into the verification engine May extend the scope of hard problems solved May extend the scope of hard problems solved Experiment with several other “fast engines” Experiment with several other “fast engines” May provide better filtering for the problems May provide better filtering for the problems Re-implement CEC engine using new ideas Re-implement CEC engine using new ideas Tune for circuits with little or no common structure Tune for circuits with little or no common structure

Download ppt "An Integrated Sequential Verification Flow Berkeley Logic Synthesis and Verification Group Presented by Alan Mishchenko."

Similar presentations

FRAIGs - A Unifying Representation for Logic Synthesis and Verification - Alan Mishchenko, Satrajit Chatterjee, Roland Jiang, Robert Brayton ERL Technical.

FRAIGs - A Unifying Representation for Logic Synthesis and Verification - Alan Mishchenko, Satrajit Chatterjee, Roland Jiang, Robert Brayton ERL Technical.
Aaron Bradley University of Colorado, Boulder

Aaron Bradley University of Colorado, Boulder
Reduction of Interpolants for Logic Synthesis John Backes Marc Riedel University of Minnesota Dept.

Reduction of Interpolants for Logic Synthesis John Backes Marc Riedel University of Minnesota Dept.
BVSRC Berkeley Verification and Synthesis Research Center UC Berkeley

BVSRC Berkeley Verification and Synthesis Research Center UC Berkeley
Bounded Model Checking EECS 290A Sequential Logic Synthesis and Verification.

Bounded Model Checking EECS 290A Sequential Logic Synthesis and Verification.
Equivalence Checking Sean Weaver.

Equivalence Checking Sean Weaver.
Introduction to Logic Synthesis Alan Mishchenko UC Berkeley.

Introduction to Logic Synthesis Alan Mishchenko UC Berkeley.
1 FRAIGs: Functionally Reduced And-Inverter Graphs Adapted from the paper “FRAIGs: A Unifying Representation for Logic Synthesis and Verification”, by.

1 FRAIGs: Functionally Reduced And-Inverter Graphs Adapted from the paper “FRAIGs: A Unifying Representation for Logic Synthesis and Verification”, by.
DAG-Aware AIG Rewriting Alan Mishchenko, Satrajit Chatterjee, Robert Brayton Department of EECS, University of California Berkeley Presented by Rozana.

DAG-Aware AIG Rewriting Alan Mishchenko, Satrajit Chatterjee, Robert Brayton Department of EECS, University of California Berkeley Presented by Rozana.
Logic Synthesis Primer

Logic Synthesis Primer
7/13/2003BMC 20031 A SAT-Based Approach to Abstraction Refinement in Model Checking Bing Li, Chao Wang and Fabio Somenzi University of Colorado at Boulder.

7/13/2003BMC A SAT-Based Approach to Abstraction Refinement in Model Checking Bing Li, Chao Wang and Fabio Somenzi University of Colorado at Boulder.
Electrical and Computer Engineering Archana Rengaraj ABC Logic Synthesis basics ECE 667 Synthesis and Verification of Digital Systems Spring 2011.

Electrical and Computer Engineering Archana Rengaraj ABC Logic Synthesis basics ECE 667 Synthesis and Verification of Digital Systems Spring 2011.
ABC: An Industrial-Strength Academic Synthesis and Verification Tool (based on a tutorial given at CAV 2010) Berkeley Verification and Synthesis Research.

ABC: An Industrial-Strength Academic Synthesis and Verification Tool (based on a tutorial given at CAV 2010) Berkeley Verification and Synthesis Research.
Enhancing and Integrating Model Checking Engines Robert Brayton Alan Mishchenko UC Berkeley June 15, 2009.

Enhancing and Integrating Model Checking Engines Robert Brayton Alan Mishchenko UC Berkeley June 15, 2009.
1 Alan Mishchenko UC Berkeley Implementation of Industrial FPGA Synthesis Flow Revisited.

1 Alan Mishchenko UC Berkeley Implementation of Industrial FPGA Synthesis Flow Revisited.
05/04/06 1 Integrating Logic Synthesis, Tech mapping and Retiming Presented by Atchuthan Perinkulam Based on the above paper by A. Mishchenko et al, UCAL.

05/04/06 1 Integrating Logic Synthesis, Tech mapping and Retiming Presented by Atchuthan Perinkulam Based on the above paper by A. Mishchenko et al, UCAL.
Scalable and Scalably-Verifiable Sequential Synthesis Alan Mishchenko Mike Case Robert Brayton UC Berkeley.

Scalable and Scalably-Verifiable Sequential Synthesis Alan Mishchenko Mike Case Robert Brayton UC Berkeley.
Combinational and Sequential Mapping with Priority Cuts Alan Mishchenko Sungmin Cho Satrajit Chatterjee Robert Brayton UC Berkeley.

Combinational and Sequential Mapping with Priority Cuts Alan Mishchenko Sungmin Cho Satrajit Chatterjee Robert Brayton UC Berkeley.
ABC: A System for Sequential Synthesis and Verification BVSRC Berkeley Verification and Synthesis Research Center Robert Brayton, Niklas Een, Alan Mishchenko,

ABC: A System for Sequential Synthesis and Verification BVSRC Berkeley Verification and Synthesis Research Center Robert Brayton, Niklas Een, Alan Mishchenko,
Logic Synthesis: Past and Future Alan Mishchenko UC Berkeley.

Logic Synthesis: Past and Future Alan Mishchenko UC Berkeley.

Similar presentations

Ads by Google