Efficient Implementation of Property Directed Reachability Niklas Een, Alan Mishchenko, Robert Brayton

6/5/2011Page 2/16IWLS 2011 — UC San Diego, California, USA What is PDR?  PDR (aka IC3) is a new model checking algorithm.  Published by Aaron Bradley on arXiv after being rejected at CAV  Won third place in HWMCC’10  Can be viewed as approximate reachability.  Relations to interpolation based model checking: − No proof-logging needed − Never have to start over − Simpler implementation (my opinion) − Faster, stronger, better?

6/5/2011Page 3/16IWLS 2011 — UC San Diego, California, USA What is our contributition?  Confirm Aaron’s results  Simplify the procedure − No special base case − Simpler cube generalization  Achieve a substantial speedup − Ternary simulation  Detailed pseudo-code

6/5/2011Page 4/16IWLS 2011 — UC San Diego, California, USA Verification Model Design/FSM is given as a netlist containing: − AND gates − PIs − Flip-flops with complemented edges, a single output for the (safety) property and some definition of the initial states.

6/5/2011Page 5/16IWLS 2011 — UC San Diego, California, USA How it works  Reasons on conjunctions of state variables (cubes)  Proves cubes to be unreachable within k steps  Maintains a trace of all such facts  Properties of the trace: 1. F 0 = ¬ Init 2. F 1 ⊇ F 2 ⊇... ⊇ F N (as sets of cubes) 3.img( ¬ F i ) ⊆ ¬ F i+1 ( ¬ F i = potentially reachable states) 4.F i ⊇ Bad (except for the last frame) Init Bad Init Bad Init Bad Init Bad Init Bad Init Bad F0F0 F1F1 F2F2 F3F3 F4F4 F5F5

6/5/2011Page 6/16IWLS 2011 — UC San Diego, California, USA How it works (cont.)  Two phases: − recursively block a point in Bad in the last frame − propagate cubes learned during this process forward Init Bad Init Bad Init Bad Init Bad F0F0 F1F1 F2F2 F3F3 Recursively block Bad Propagate cubes forward Terminates when F i =F i+1

6/5/2011Page 7/16IWLS 2011 — UC San Diego, California, USA Stepping through PDR Init Bad Init Bad SAT? Find a bad state (SAT) Enlarge it (ternary sim.) Pre-image blocked? (SAT) Yes! Generalize cube (many SAT) No more bad states  add frame

6/5/2011Page 8/16IWLS 2011 — UC San Diego, California, USA Stepping through PDR Init Bad Init Bad Init Bad SAT? 1. Find a bad state (SAT) 2. Enlarge it (ternary sim.) 3. Pre-image blocked? (SAT) 4a. Yes! Generalize cube (many SAT) 4b. No? Get point from SAT model 1. Find a bad state (SAT) 2. Enlarge it (ternary sim.) 3. Pre-image blocked? (SAT) 4a. Yes! Generalize cube (many SAT) 4b. No? Get point from SAT model Is the cube blocked in the new frame? (propagation) SAT? resuming work on this cube No more bad states  add frame (and propagate) no

6/5/2011Page 9/16IWLS 2011 — UC San Diego, California, USA The Basic SAT query of PDR  Query: Is the pre-image of a cube s’ blocked by F k ? − SAT?[ ¬ F k ∧ T ∧ s’] … CombinationalLogic s0s0 s1s1 s2s2 s3s3 s n-1 snsn s’ 0 s’ 1 s’ 2 s’ 3 s’ n-1 s’ n x0x0 x1x1 xmxm Bad Example: s’ = (s’ 1 ∧ ¬ s’ 3 ∧ s’ n ) Blocked cubes ”F k ” are added to the SAT-solver in terms of these state variables FkFk s’ 0 s’ 1 =1 s’ 2 s’ 3 =0 s’ n-1 s’ n =1

6/5/2011Page 10/16IWLS 2011 — UC San Diego, California, USA Ternary Simulation  Query: Is the pre-image of a cube s blocked? − If no, the SAT-solver returns a model … CombinationalLogic s 0 = 0 s 1 = 1 s 2 = 1 s 3 = 0 s n-1 =1 s n = 0 s’ 0 s’ 1 =1 s’ 2 s’ 3 =0 s’ n-1 s’ n =1 x 0 = 1 x 1 = 0 x m = 1 Bad Example: s’ = (s’ 1 ∧ ¬ s’ 3 ∧ s’ n ) FkFk X X X X X X X X X X X X X X X New proof-obligation: s = (s 2 ∧ ¬ s 3 ∧ ¬ s n )

6/5/2011Page 11/16IWLS 2011 — UC San Diego, California, USA The Improved SAT query of PDR  Query: Is the pre-image of a cube s blocked by either F k or s itself? SAT?[ ¬ F k ∧ ¬ s ∧ T ∧ s’] Init Bad Init Bad Init Bad Init Bad F0F0 F1F1 F2F2 F3F3 ss’ SAT?

6/5/2011Page 12/16IWLS 2011 — UC San Diego, California, USA Delta Encoding of Trace Init Bad Init Bad Init Bad Init Bad Init Bad Init Bad Init Bad Init Bad Init Bad Init Bad Init Bad Init Bad F0F0 F1F1 F2F2 F3F3 F4F4 F5F5 In the implementation, cubes are only stored in the last frame where they hold.

Demo Running PDR on some industrial benchmarks

6/5/2011Page 14/16IWLS 2011 — UC San Diego, California, USA Experimental Results on IBM Benchmarks

6/5/2011Page 15/16IWLS 2011 — UC San Diego, California, USA Notes on Implementation  PDR can sometimes find very deep counterexamples.  Recursive blocking takes about 80% of the runtime, propagation 20%.  Most of the time in recursive blocking is spent on cube generalization.  Using activation literals or proof-logging reduces cube generalization significantly.  PDR can be implemented using one or many SAT-instances.  When using one instance, it is natural to add F . − Can be used by other engines. − Can be explicitly strengthend by mutual induction test.  Upon creation, derived cubed are placed in the last frame where they hold.

6/5/2011Page 16/16IWLS 2011 — UC San Diego, California, USA Concluding Remarks on PDR  Derives interpolants in terms of state cubes. − Because domain so simple: can optimize efficiently − Subsumption and termination becomes syntactic checks  Reasons locally (over one transition only). − Enhances abstraction − Improves chances of finding an inductive invariant.  Never starts over. − Extends the current knowledge at F k as needed.  Very memory efficient.  This is only the beginning...