Presentation is loading. Please wait.

Presentation is loading. Please wait.

Aaron Bradley University of Colorado, Boulder

Published byKiana Croxton Modified over 9 years ago

Similar presentations

Presentation on theme: "Aaron Bradley University of Colorado, Boulder"— Presentation transcript:

1 PDR: Property Directed Reachability AKA ic3: SAT-Based Model Checking Without Unrolling
Aaron Bradley University of Colorado, Boulder Robert Brayton Niklas Een Alan Mishchenko University of California, Berkeley

2 Outline Motivation Pioneering work of Aaron Bradley
Sequential verification is hard (needs new engines!) Pioneering work of Aaron Bradley A surprise (3d place) winner at HWMCC’10! Remarkable features Efficiently tackles both SAT and UNSAT instances Lends itself to localization abstraction and parallelism Conceptually simple, relatively tuning-free Understanding the algorithm Pseudo-code… Experimental results and conclusions

3 Pioneering Work Aaron Bradley developed this algorithm after several years of work on “inductive generalization” Preliminary work (A. R. Bradley and Z. Manna, “Checking safety by inductive generalization of counterexamples to induction”, FMCAD’07) This work (A. R. Bradley, “k-step relative inductive generalization”, The original version of the tool to enter HWMCC’10 (ic3, ic3 won the third place and only lost, by a small margin, to two mature, integrated engines (ABC and PdTRAV)

4 Efficient Implementation
Niklas Een implemented Aaron Bradley’s algorithm while taking advantage of the strengths of MiniSAT: Incremental interface Activation literals to enable/disable clauses Procedure AnalyzeFinal to compute an UNSAT core in terms of the original assumptions Resource-driven recycling of the SAT solver Additionally, Niklas proposed Ternary simulation for quick cube expansion New heuristics for inductive generalization Smart data-structures for clauses and proof obligations Niklas’ implementation runs faster and proves more properties than the original implementation

5 PDR: The Main Idea PDR is a way of computing an inductive invariant that does not overlap with bad states It is similar to interpolation, but the way of deriving the invariant is different PDR has better control of the invariant, and this may explain its good performance State space Inductive invariant is a Boolean function in terms of register variables, such that It is true for the initial states It is inductive (assuming it in one time frame leads to making it true in the next timeframe) Bad Invariant Init Reached

6 PDR: The Main Idea Construct over-approximations (F0, F1, …, Fk) of states reachable after each time step Start with F0 = Init, and compute other over-approximations as sets of CNF clauses Additionally, require that Semantically (as functions): F0→F1→F2→... →Fk Syntactically (as clause sets): F1⊇ F2⊇ ... ⊇ Fk

7 PDR: The Main Idea Termination criteria
If an over-approximation is inductive, return UNSAT If a counter-example is found, return SAT The algorithm constructs over-approximations in a property directed way the property is used to decide what clauses to include with an inductive flavor induction is used to prove that a clause holds in a frame

8 PDR: Illustration T  Time frame Time frame 0 Time frame 1 Comb Logic
Primary inputs Property output Comb Logic Register outputs Register inputs Initial State States where property fails State space of time frame 0 State space of time frame 1 Initial states a1 a2 Bad Bad a3 Cubes (a1, a2, a3) are covering bad states and not including reached states. The product of their complements is a property-directed over-approximation F1 of reachable states at frame 1. T Init Init Reached

9 Inductive Generalization
Assume that, at some point, we have the following over-approximations of reached states: (F0, F1, …, Fk) Suppose we wish to block state s in frame i We can try to find a clause c, such that c  s and add it to the set of clauses for frame i. Clause c can be added if it satisfies condition Fi-1∧T→ c Another possibility is to run a stronger inductive check Fi-1 ∧ c’ ∧ T→ c where c’ is clause c expressed in terms of the current state variables We can also try to generalize (or strengthen) clause c, by removing literals, as long as the inductive check passes

10 State space of time frame k-1 (all bad states are blocked by clauses)
State space of time frame k (there is a bad state s that needs blocking) a1 a4 a5 a2 s’ Bad Bad a3 T S Pre-image s’ of s Init Init Reached(k-1) Reached(k-1) Reached(k) Consider the case when s’ is blocked by clauses in frame k-1. We can use inductive generalization to derive a new clause c blocking s in frame k, such that Fk-1∧c’∧T→ c, where Fk-1 is the product of clauses in frame k-1 and T is the transition relation.

11 State space of time frame k-1 (all bad states are blocked by clauses)
State space of time frame k (there is a bad state s that needs blocking) a1 a4 a5 a2 Bad Bad a3 T S s’ Pre-image s’ of s Init Init Reach(k-1) Reach(k-1) Reach(k) Consider the case when s’ is NOT blocked by clauses in frame k-1. In this case, we schedule a proof obligation to block s’ in frame k-1. We treat s’ as a bad state in frame k-1 and try to block it recursively.

12 Pseudo-code PDR( AIG ) {
k = 0; solver[0] = CreateSatSolver( AIG, init_state ); forever { cube = GetBadState( solver[k] ); if ( cube != NULL ) { if ( !BlockState( cube, solver[0], …, solver[k] ) ) return SAT; // found counter-example } else { k = k+1; solver[k] = CreateSatSolver( AIG, not_init ); if ( PushClauses( solver[1], …, solver[k] ) ) return UNSAT; // found inductive invariant } } }

13 Procedures solver CreateSatSolver( AIG, initialize )
returns a SAT solver with the AIG; optionally initializes it cube GetBadState( solver[k] ) returns a state cube failing property in the k-th frame bool BlockState( cube, solver[0], …, solver[k] ) recursively tries to block cube by adding clauses to solvers returns 1, if the cube could be blocked; 0, otherwise bool PushClauses( solver[0], …, solver[k] ) moves clauses in i-th frame to i+1-th frame, if they hold returns 1, if an inductive invariant is found; 0, otherwise

14 Remarkable Features Efficiently tackles both SAT and UNSAT instances
Often finds counter-examples that cannot be found by bounded model checking Often proves problems that are not proved by interpolation Amenable to localization abstraction PDR solver can work in-place and increase its scope on-demand, without traversing all registers and logic gates of the design Lends itself to parallelism Each process working on some proof obligations and exchange clauses Conceptually simple, relatively tuning-free Unlike, for example, BDD-based reachability that takes lots of time to develop and leaves lots of parameters to tune

15 Example of Inductive Invariant
# Inductive invariant for "hwmcc08\eijkS208" # generated by PDR in ABC on Tue Dec 07 09:36: .i 22 .o 1 .p 43 .e Flop relationships: F8 = F14 F7 = F18 & F19 & F20 & F21

16

17

18 Experiments on Hard Examples (previously unsolved by ABC)
Statistics: number of primary inputs (PI), flip-flops (FF), and AIG nodes (AND) Frame: timeframe where inductive invariant or counter-example was found Clauses: the number of clauses in the inductive invariant Time: runtime of PDR, without preprocessing

19 Conclusion Presented PDR Explained how it works
pioneering work of Aaron Bradley efficient implementation by Niklas Een Explained how it works Discussed its remarkable features Future improvements localization abstraction temporal decomposition signal-clauses instead of register-clauses applications in logic synthesis

Download ppt "Aaron Bradley University of Colorado, Boulder"

Similar presentations

The Synthesis of Cyclic Circuits with SAT and Interpolation By John Backes and Marc Riedel ECE University of Minnesota.

The Synthesis of Cyclic Circuits with SAT and Interpolation By John Backes and Marc Riedel ECE University of Minnesota.
Efficient Implementation of Property Directed Reachability Niklas Een, Alan Mishchenko, Robert Brayton.

Efficient Implementation of Property Directed Reachability Niklas Een, Alan Mishchenko, Robert Brayton.
Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.

Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.
SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)

SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)
© Anvesh Komuravelli IC3/PDR Overview of IC3/PDR Anvesh Komuravelli Carnegie Mellon University.

© Anvesh Komuravelli IC3/PDR Overview of IC3/PDR Anvesh Komuravelli Carnegie Mellon University.
Reduction of Interpolants for Logic Synthesis John Backes Marc Riedel University of Minnesota Dept.

Reduction of Interpolants for Logic Synthesis John Backes Marc Riedel University of Minnesota Dept.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
Bounded Model Checking EECS 290A Sequential Logic Synthesis and Verification.

Bounded Model Checking EECS 290A Sequential Logic Synthesis and Verification.
Reachability Analysis using AIGs (instead of BDDs?) 290N: The Unknown Component Problem Lecture 23.

Reachability Analysis using AIGs (instead of BDDs?) 290N: The Unknown Component Problem Lecture 23.
Formal Verification Group © Copyright IBM Corporation 2008 IBM Haifa Labs SAT-based unbounded model checking using interpolation Based on a paper “Interpolation.

Formal Verification Group © Copyright IBM Corporation 2008 IBM Haifa Labs SAT-based unbounded model checking using interpolation Based on a paper “Interpolation.
DAG-Aware AIG Rewriting Alan Mishchenko, Satrajit Chatterjee, Robert Brayton Department of EECS, University of California Berkeley Presented by Rozana.

DAG-Aware AIG Rewriting Alan Mishchenko, Satrajit Chatterjee, Robert Brayton Department of EECS, University of California Berkeley Presented by Rozana.
Automated Extraction of Inductive Invariants to Aid Model Checking Mike Case DES/CHESS Seminar EECS Department, UC Berkeley April 10, 2007.

Automated Extraction of Inductive Invariants to Aid Model Checking Mike Case DES/CHESS Seminar EECS Department, UC Berkeley April 10, 2007.
7/13/2003BMC 20031 A SAT-Based Approach to Abstraction Refinement in Model Checking Bing Li, Chao Wang and Fabio Somenzi University of Colorado at Boulder.

7/13/2003BMC A SAT-Based Approach to Abstraction Refinement in Model Checking Bing Li, Chao Wang and Fabio Somenzi University of Colorado at Boulder.
SAT-based Model Checking Yakir Vizel Computer Science Department, Technion, Israel Based on slides from K.L. McMillan, A.R. Bradley and Yakir Vizel.

SAT-based Model Checking Yakir Vizel Computer Science Department, Technion, Israel Based on slides from K.L. McMillan, A.R. Bradley and Yakir Vizel.
Enhancing and Integrating Model Checking Engines Robert Brayton Alan Mishchenko UC Berkeley June 15, 2009.

Enhancing and Integrating Model Checking Engines Robert Brayton Alan Mishchenko UC Berkeley June 15, 2009.
Incremental formal verification of hardware Hana Chockler Alexander Ivrii Arie Matsliah Shiri Moran Ziv Nevo IBM Research - Haifa.

Incremental formal verification of hardware Hana Chockler Alexander Ivrii Arie Matsliah Shiri Moran Ziv Nevo IBM Research - Haifa.
Property Directed Reachability (PDR) Using Cubes of Non-state Variables With Property Directed Reachability Using Cubes of Non-state Variables With Property.

Property Directed Reachability (PDR) Using Cubes of Non-state Variables With Property Directed Reachability Using Cubes of Non-state Variables With Property.
On the Relation between SAT and BDDs for Equivalence Checking Sherief Reda Rolf Drechsler Alex Orailoglu Computer Science & Engineering Dept. University.

On the Relation between SAT and BDDs for Equivalence Checking Sherief Reda Rolf Drechsler Alex Orailoglu Computer Science & Engineering Dept. University.
Cut-Based Inductive Invariant Computation Michael Case 1,2 Alan Mishchenko 1 Robert Brayton 1 Robert Brayton 1 1 UC Berkeley 2 IBM Systems and Technology.

Cut-Based Inductive Invariant Computation Michael Case 1,2 Alan Mishchenko 1 Robert Brayton 1 Robert Brayton 1 1 UC Berkeley 2 IBM Systems and Technology.
Boolean Satisfiability Present and Future

Boolean Satisfiability Present and Future

Similar presentations

Ads by Google