ABC: An Academic “Industrial-Strength” Verification Tool (based on a tutorial given at CAV’10) BVSRC Berkeley Verification and Synthesis Research Center UC Berkeley Robert Brayton, Niklas Een, Alan Mishchenko Jiang Long, Sayak Ray, Baruch Sterin Thanks to: NSF, NSA, SRC, and industrial sponsors, Actel, Altera, Atrenta, IBM, Intel, Jasper, Magma, Oasys, Real Intent, Synopsys, Tabula, and Verific

Overview General introduction to ABC Synergy between synthesis and verification Introduction to AIGs Contrast between classical synthesis and ABC synthesis ABC+ - orchestrated verification flow Simplification Extraction of constraints Phase abstraction Forward and minimum FF retimiing K-step induction Abstraction Speculation Last gasp: BMC, BDDs, interpolation Verification example Future work

ABC A synthesis and verification tool under development at Berkeley Started 6 years ago as a replacement for SIS Academic public domain tool “Industrial-strength” Has been employed in commercial offerings of various CAD companies In both synthesis and verification Exploits the synergy between synthesis and verification

A Plethora of ABCs http://en.wikipedia.org/wiki/Abc ABC (American Broadcasting Company) A television network… ABC (Active Body Control) ABC is designed to minimize body roll in corner, accelerating, and braking. The system uses 13 sensors which monitor body movement to supply the computer with information every 10 ms… ABC (Abstract Base Class) In C++, these are generic classes at the base of the inheritance tree; objects of such abstract classes cannot be created… Atanasoff-Berry Computer The Atanasoff–Berry Computer (ABC) was the first electronic digital computing device.[1] Conceived in 1937, the machine was not programmable, being designed only to solve systems of linear equations. It was successfully tested in 1942. ABC (supposed to mean “as simple as ABC”) A system for sequential synthesis and verification at Berkeley

Design Flow ABC - Property Checking System Specification Verification Equivalence checking RTL ABC Logic synthesis Technology mapping Physical synthesis Manufacturing

Areas Addressed by ABC Combinational synthesis Sequential synthesis AIG rewriting technology mapping resynthesis after mapping Sequential synthesis retiming structural register sweep merging seq. equiv. nodes Verification combinational equivalence checking bounded sequential verification unbounded sequential verification equivalence checking using synthesis history property checking (safety and liveness)

Synergy – Two Kinds The algorithms and advancements in verification can be used in synthesis, and vice versa. One enables the other Verification enables synthesis - equivalence checking capability enables acceptance of sequential transformations retiming use of unreachable states sequential signal correspondence, etc Synthesis enables verification Desire to use sequential synthesis operations (shown by superior results) spurs verification developments

Examples of The Synergy Similar solutions e.g. retiming in synthesis / retiming in verification Algorithm migration e.g. BDDs, SAT, induction, interpolation, rewriting Related complexity scalable synthesis <=> scalable verification (approximately) Common data-structures e.g. combinational and sequential AIGs

Evidence of Synergy Between Synthesis and Verification IBM Has a very capable sequential verification engine – SixthSense. Used throughout IBM to verify property and equivalence Designers more willing to consider sequential transformations now. ABC Sequential verification was developed to check that new algorithms were implemented correctly Example of a startup company Had developed sequential methods to reduce power Needed a verification tool to double check if their ideas and implementations were correct. Needed a tool to assure customers that results were correct.

AIG (And-Inverter Graphs) Definition and Examples AIG is a Boolean network composed of two-input ANDs and inverters cdab 00 01 11 10 1 F(a,b,c,d) = ab + d(ac’+bc) b c a d 6 nodes 4 levels F(a,b,c,d) = ac’(b’d’)’ + c(a’d’)’ = ac’(b+d) + bc(a+d) cdab 00 01 11 10 1 a c b d 7 nodes 3 levels

AIGs Before After Structural hashing F = abc G = (abc)’ H = abc’ Performs AIG compaction Applied on-the-fly during construction Propagates constants Makes each node structurally unique F = abc G = (abc)’ H = abc’ Before After

AIGs (And-Inverter Graphs) Why AIGs? Same reasons hold for both synthesis and verification Easy to construct, relatively compact, robust 1M AIG ~ 12Mb RAM Can be efficiently stored on disk 3-4 bytes / AIG node (1M AIG ~ 4Mb file) Unifying representation Used by all the different verification engines Easy to pass around, duplicate, save Compatible with SAT solvers Efficient AIG-to-CNF conversion available Circuit-based SAT solvers work directly on AIG “AIGs + simulation + SAT” works well in many cases

AIG Memory Usage Memory allocation Use fixed amount of memory for each node Can be done by a simple custom memory manager Dynamic fanout manipulation is supported! Allocate memory for nodes in a topological order Optimized for traversal in the same topological order Mostly AIG can be stored in cache – fewer cache misses. Small static memory footprint in many applications Compute fanout information on demand

Quick Overview of “Classical” (technology independent) Logic Synthesis Boolean network in SIS a b c d e x y f z Boolean network in SIS ab x + c a b c d e x y f z Boolean network Network manipulation (algebraic) Elimination (substituting a node into its fanouts) Decomposition (common-divisor extraction) Node minimization (Boolean) Espresso Don’t cares Resubstitution (algebraic or Boolean)

“Classical” Logic Synthesis Boolean network in SIS a b c d e x y f z Equivalent AIG in ABC a b c d f e x y z AIG is a Boolean network of 2-input AND nodes and invertors (dotted lines)

One AIG Node – Many Cuts Combinational AIG AIG can be used to compute many cuts for each node Each cut in AIG represents a different SIS node SIS node logic represented by AIG between cut and root. No a priori fixed boundaries Implies that AIG manipulation with cuts is equivalent to working on many Boolean networks at the same time f a b c d e Different cuts for the same node

Combinational Synthesis AIG rewriting minimizes the number of AIG nodes without increasing the number of AIG levels Rewriting AIG subgraphs Pre-computing AIG subgraphs Consider function f = abc Rewriting node A a b c A Subgraph 1 b c a A Subgraph 2  a b c Subgraph 1 b c a Subgraph 2 a c b Subgraph 3 Rewriting node B b c a B Subgraph 2 a b c B Subgraph 1 a b c  In both cases 1 node is saved

Combinational Rewriting iterate 10 times { for each AIG node { for each k-cut derive node output as function of cut variables if ( smaller AIG is in the pre-computed library ) rewrite using improved AIG structure } Note: For 4-cuts, each AIG node has, on average, 5 cuts compared to a SIS node with only 1 cut Rewriting at a node can be very fast – using hash-table lookups, truth table manipulation, disjoint decomposition

Comparison of Two Syntheses “Classical” synthesis Boolean network Network manipulation (algebraic) Elimination Decomposition (common kernel extraction) Node minimization Espresso Don’t cares computed using BDDs Resubstitution “Contemporary” synthesis AIG network DAG-aware AIG rewriting (Boolean) Several related algorithms Rewriting Refactoring Balancing Node minimization Boolean decomposition Don’t cares computed using simulation and SAT Resubstitution with don’t cares Note: here all algorithms are scalable: no SOP, no BDDs, no Espresso

Sequential Verification D1 Property checking miter p Property checking Create miter from the design and the safety property Special construction for liveness Biere, Artho, Schuppan Equivalence checking Create miter from two versions of the same design Assuming the initial state is given The goal is to prove that the output of the miter is 0, for all states reachable from the initial state. D2 D1 Equivalence checking miter

Integrated Verification Flow Simplification Abstraction Speculation High effort verification

Integrated Verification Flow Simplification Initial fast simplification of the logic Forward retime and do FF correspondence Min FF retime Extract implicit constraints** and use them to find signal equivalences (ABC command scorr –c) Fold back the constraints add a FF so that if ever a constraint is not satisfied, make the output 0 forever after that. Trim away irrelevant inputs (do not fanout to FF or POs) Try phase abstraction (look for periodic signals) Heavy simplify (k-step signal correspondence and deep rewriting) ** (see paper of Cabodi et. al.)

Sequential SAT Sweeping (signal correspondence) Related to combinational CEC Naïve approach Build output miter – call SAT works well for many easy problems Better approach - SAT sweeping based on incremental SAT solving detects possibly equivalent nodes using simulation candidate constant nodes candidate equivalent nodes runs SAT on the intermediate miters in a topological order refines candidates using counterexamples D1 D2 Proving internal equivalences in a topological order A B SAT-1 D C SAT-2 ?

Improved CEC For hard CEC instances Heuristic: skip some equivalences results in 5x reduction in runtime solving previously unresolved problems Given a combinational miter with equivalence class {A, B, A’, B’} Possible equivalences: A = B, A = A’, A = B’, B = A’, B = B’, A’ = B’ only try to prove A=A’ and B=B’ do not try to prove A = B, A’ = B’, A’ = B A = B’ D2 D1 B A A’ B’

Sequential SAT Sweeping (signal correspondence) Similar to combinational SAT sweeping detects node equivalences But the equivalences are sequential guaranteed to hold only on the reachable state space Every combinational equivalence is a sequential one  run combinational SAT sweeping first A set of sequential equivalences are proved by k-step induction Base case Inductive case Efficient implementation of induction is key!

k-step Induction Base Case (just BMC) Inductive Case ? k = 2 ? Proving internal equivalences in a topological order in frame k+1 A B SAT-1 D C SAT-2 Assuming internal equivalences in uninitialized frames 1 through k ? PI0 PI1 PIk Candidate equivalences: {A = B}, {C = D} A B SAT-3 D C SAT-4 SAT-1 SAT-2 ? PI0 PI1 initial state Proving internal equivalences in initialized frames 1 through k k = 2 If proof of any one equivalence fails need to start over arbitrary state

Efficient Implementation Two observations: Both base and inductive cases of k-step induction are combinational SAT sweeping problems Tricks and know-how from the above are applicable base case is just BMC The same integrated package can be used starts with simulation performs node checking in a topological order benefits from the counter-example simulation Speculative reduction Deals with how assumptions are used in the inductive case

Integrated Verification Flow (continued) Abstraction Use new CBA/PBA method* Uses single instance of SAT solver Uses counter-example based abstraction which is refined with proof-based abstraction Checked afterward with BMC, BDDs, and simulation for CEX’s and refined with CBA if found. * N. Een, A. Mishchenko, and N. Amla, "A single-instance incremental SAT formulation of proof- and counterexample-based abstraction". Proc. IWLS'10.

Integrated Verification Flow (continued) Speculation ** Especially useful for SEC Simulation used to find candidate equivalences. These are equivalences that we could not prove by induction (sequential SAT sweeping) These are used to build a “speculative miter” The result is double-checked with BMC, BDDs or simulation for CEX’s and refined if necessary. ** H. Mony, J. Baumgartner, V. Paruthi, and R. Kanzelman, “Exploiting suspected redundancy without proving it”. Proc. DAC’05.

Integrated Verification Flow (continued) Final high-effort verification (prove or disprove) Prove: (give long run-time limits and/or large conflict limits) Try BDD reachability if problem is small enough (< 200 PI, < 200 FFs) Try interpolation Try induction In rare cases, can prove outputs using induction. Disprove: (give large run-time and conflict limits) Try heavy BMC on initial simplified circuit (before abstraction or speculation done).

Interpolation Input: Sequential AIG with single output representing a property Property holds when the output is 0 Method: Over-approximate reachability analysis Using over-approximations, instead of exact sets of reachable states Output: Proof that the property holds, or a real CEX is provided, or “undecided” Implementation: A sequence of SAT calls on unrolled time-frames that is similar to BMC A B ~property inter2 inter1 T1 T2 T3 Tn Ik L interpolant P=1 UNSAT

BDD-Based Reachability Still an important back-end of the verification flow Also useful to find CEX’s during abstraction and speculation refinement Several ideas, old and new, can be put together to implement a new improved engine Long live BDDs! BDD We tried to ban BDDs in ABC

Examples of Running ABC+ Example 1 of simplifying and final proof with interpolation Prove python code

Example (use of prove) Read_file IE1.aig PIs = 532, POs = 1, FF = 2389, ANDs = 12049 prove Simplifying Number of constraints = 3 Forward retiming, quick_simp, scorr_constr, trm: PIs = 532, POs = 1, FF = 2342, ANDs = 11054 Simplify: PIs = 532, POs = 1, FF = 2335, ANDs = 10607 Phase abstraction: PIs = 283, POs = 2, FF = 1460, ANDs = 8911 quick_verify Abstracting Initial abstraction: PIs = 1624, POs = 2, FF = 119, ANDs = 1716, max depth = 39 Testing with BMC bmc3 -C 100000 -T 50 -F 78: No CEX found in 51 frames Latches reduced from 1460 to 119 Simplify: PIs = 1624, POs = 2, FF = 119, ANDs = 1687, max depth = 51 Trimming: PIs = 158, POs = 2, FF = 119, ANDs = 734, max depth = 51 Simplify: PIs = 158, POs = 2, FF = 119, ANDs = 731, max depth = 51 Speculating Initial speculation: PIs = 158, POs = 26, FF = 119, ANDs = 578, max depth = 51 Fast interpolation: reduced POs to 24 bmc3 -C 150000 -T 75: No CEX found in 1999 frames PIs = 158, POs = 24, FF = 119, ANDs = 578, max depth = 1999 Simplify: PIs = 158, POs = 24, FF = 119, ANDs = 535, max depth = 1999 Trimming: PIs = 86, POs = 24, FF = 119, ANDs = 513, max depth = 1999 Verifying Running reach -v -B 1000000 -F 10000 -T 75: BDD reachability aborted RUNNING interpolation with 20000 conflicts, 50 sec, max 100 frames: 'UNSAT‘ Elapsed time: 457.87 seconds, total: 458.52 seconds Example (use of prove) 34

Python Code for prove def prove(a): global x_factor,xfi,f_name max_bmc = -1 K = 0 set_globals() status = pre_simp() if status <= Unsat: return RESULT[status] ABC('trm') ABC('write backup 0’) K = K +1 if ((n_ands() < 30000) and (a == 1) and (n_latches() < 300)): status = quick_verify(0) if ((status == Unsat) or (status == Sat)): return RESULT[status]' status = abstract() status = process_status(status) if ((status <= Unsat) or status == Error): ABC('write backup 1’) if status == Undecided_reduction: status = quick_verify(1) status = process_status(status) if status <= Unsat: if status == Sat: status = final_verify_recur(K-1) return RESULT[status] if n_ands() > 15000: K = 2 else: status = speculate() ABC('trm') if ((status == Unsat) or status == Error): if status == Sat: K = K-1 ABC('write backup 2’) K = K +1 status = final_verify_recur(K)

Verification Engines (Summary) Simplifiers Combinational synthesis Sequential synthesis Retiming Sequential SAT sweeping (k-step induction) Re-parametrization (not implemented yet in ABC currently) Retiming (most forward and minimum FF) Bug-hunters (also part of abstraction methods) random simulation (sequential) bounded model checking (BMC) hybrid of simulation and BMC (“semi-formal”) BDD reachability Provers K-step induction, with and without constraints Interpolation (over-approximate reachability) BDDs (exact reachability) Explicit state space enumeration (‘era’)

Future Work Improved BDD reachability engine (we hope) We have three One is quite weak (HWMCC’08) We have just integrated a better one May have a much better one later. Improved interpolation engine Working on a new version Improved circuit-based SAT solver Currently used in signal correspondence to simplify larger circuits Faster but sometimes limited quality Will be improved to see if it can compete with MiniSat 1.14c

To Learn More Read recent papers http://www.eecs.berkeley.edu/~alanmi/publications Send email alanmi@eecs.berkeley.edu brayton@eecs.berkeley.edu Visit BVSRC webpage www.bvsrc.org

39

end