ABC: An Industrial-Strength Academic Synthesis and Verification Tool (based on a tutorial given at CAV 2010) Berkeley Verification and Synthesis Research Center UC Berkeley Robert Brayton, Niklas Een, Alan Mishchenko Jiang Long, Sayak Ray, Baruch Sterin Thanks to: NSA, SRC, and industrial sponsors, Actel, Altera, Atrenta, IBM, Intel, Jasper, Magma, Oasys, Real Intent, Synopsys, Tabula, and Verific

Overview What is ABC? Synthesis/verification synergy Introduction to AIGs Representative transformations Integrated verification flow Verification example Future work

A Plethora of ABCs http://en.wikipedia.org/wiki/Abc ABC (American Broadcasting Company) A television network… ABC (Active Body Control) ABC is designed to minimize body roll in corner, accelerating, and braking. The system uses 13 sensors which monitor body movement to supply the computer with information every 10 ms… ABC (Abstract Base Class) In C++, these are generic classes at the base of the inheritance tree; objects of such abstract classes cannot be created… Atanasoff-Berry Computer The Atanasoff–Berry Computer (ABC) was the first electronic digital computing device. Conceived in 1937, the machine was not programmable, being designed only to solve systems of linear equations. It was successfully tested in 1942. ABC (supposed to mean “as simple as ABC”) A system for sequential synthesis and verification at Berkeley

ABC Started 6 years ago as a replacement for SIS Academic public-domain tool “Industrial-strength” Focuses on efficient implementation Has been employed in commercial offerings of several CAD companies Exploits the synergy between synthesis and verification

Design Flow Property Checking System Specification Verification Equivalence checking RTL ABC Logic synthesis Technology mapping Physical synthesis Manufacturing

Synthesis and Verification Given a Boolean function Represented by a truth table, BDD, or a circuit Derive a “good” circuit implementing it Verification Given a (very large) circuit Prove that its output is always constant

Synthesis/Verification Synergy Similar solutions e.g. retiming in synthesis / retiming in verification Algorithm migration e.g. BDDs, SAT, induction, interpolation, rewriting Related complexity scalable synthesis <=> scalable verification Common data-structures combinational and sequential AIGs

Areas Addressed by ABC Combinational synthesis Sequential synthesis AIG rewriting technology mapping resynthesis after mapping Sequential synthesis retiming structural register sweep merging seq. equiv. nodes Combinational verification SAT solving SAT sweeping combinational equivalence checking (CEC) Sequential verification bounded model checking (BMC) unbounded model/equiv checking (MC/EC) safety/liveness properties exploits synthesis history

Terminology Logic function (e.g. F = ab+cd) Logic network Variables (e.g. b) Minterms (e.g. abcd) Cube (e.g. ab) Logic network Primary inputs/outputs Logic nodes Fanins/fanouts Transitive fanin/fanout cone Cut and window (defined later) Primary inputs Primary outputs Fanins Fanouts TFO TFI

AIG (And-Inverter Graphs) Definition and Examples AIG is a Boolean network composed of two-input ANDs and inverters cdab 00 01 11 10 1 F(a,b,c,d) = ab + d(ac’+bc) b c a d 6 nodes 4 levels F(a,b,c,d) = ac’(b’d’)’ + c(a’d’)’ = ac’(b+d) + bc(a+d) cdab 00 01 11 10 1 a c b d 7 nodes 3 levels

Structural Hashing Propagates constants and merges structural equivalences Is applied on-the-fly during AIG construction Results in circuit compaction Example: F = abc G = (abc)’ H = abc’ Before structural hashing After structural hashing

Why AIGs? Same reasons hold for both synthesis and verification Easy to construct, relatively compact, robust 1M AIG ~ 12Mb RAM Can be efficiently stored on disk 3-4 bytes / AIG node (1M AIG ~ 4Mb file) Unifying representation Used by all the different verification engines Easy to pass around, duplicate, save Compatible with SAT solvers Efficient AIG-to-CNF conversion available Circuit-based SAT solvers work directly on AIG “AIGs + simulation + SAT” works well in many cases

AIG Memory Usage Fixed amount of memory for each node Can be done by a simple custom memory manager Dynamic fanout manipulation is supported! Allocate memory for nodes in a topological order Optimized for traversal in the same topological order Mostly AIG can be stored in cache – fewer cache misses. Small static memory footprint in many applications Compute fanout information on demand

“Classical” Logic Synthesis Boolean network in SIS a b c d e x y f z Equivalent AIG in ABC a b c d f e x y z AIG is a Boolean network of 2-input AND nodes and invertors (dotted lines)

One AIG Node – Many Cuts Combinational AIG Each AIG cut represents a different logic node AIG manipulation with cuts is equivalent to working on many Boolean networks at the same time f a b c d e Different cuts for the same node

Combinational Synthesis AIG rewriting minimizes the number of AIG nodes without increasing the number of AIG levels Rewriting AIG subgraphs Pre-computing AIG subgraphs Consider function f = abc Rewriting node A a b c A Subgraph 1 b c a A Subgraph 2  a b c Subgraph 1 b c a Subgraph 2 a c b Subgraph 3 Rewriting node B b c a B Subgraph 2 a b c B Subgraph 1 a b c  In both cases 1 node is saved

Combinational Rewriting iterate 10 times { for each AIG node { for each k-cut derive node output as function of cut variables if ( smaller AIG is in the pre-computed library ) rewrite using improved AIG structure } Note: For 4-cuts, each AIG node has, on average, 5 cuts compared to a SIS node with only 1 cut Rewriting at a node can be very fast – using hash-table lookups, truth table manipulation, disjoint decomposition

Resubstitution Resubstitution means expressing one function in terms of others Given f(x) and {gi(x)}, is it possible to express f in terms of a subset of functions gi? If so, what is function f(g)? f(g) g1 g2 g3 f(x) x An efficient truth-table-based and SAT-based solution exists Runs in seconds for functions with hundreds of I/Os A. Mishchenko, R. Brayton, J.-H. R. Jiang, and S. Jang, "Scalable don't care based logic optimization and resynthesis", Proc. FPGA'09.

Technology Mapping Input: A Boolean network (And-Inverter Graph) Output: A netlist of K-LUTs implementing AIG and optimizing some cost function a b c d f e a b c d e f Technology Mapping The subject graph The mapped netlist

Library Formats for Tech Mapping GENLIB format Simple format used in academic tools For each gate, lists its name, Boolean function, pin names and order, area, pin-to-pin delays, etc http://www.eecs.berkeley.edu/~alanmi/publications/other/SIS_paper_genlib.pdf LIBERTY format Elaborate format used in industrial tools For each gate, represents all information needed for synthesis, mapping, delay/power computation, etc http://www.opensourceliberty.org/ ABC reads both formats but uses only a subset of available information

Comparison of Two Syntheses “Classical” synthesis Boolean network Network manipulation (algebraic) Elimination Decomposition (common kernel extraction) Node minimization Espresso Don’t cares computed using BDDs Resubstitution “Contemporary” synthesis AIG network DAG-aware AIG rewriting (Boolean) Several related algorithms Rewriting Refactoring Balancing Node minimization Boolean decomposition Don’t cares computed using simulation and SAT Resubstitution with don’t cares Note: here all algorithms are scalable: no SOP, no BDDs, no Espresso

Formal Verification Property checking Equivalence checking D1 Property checking miter p Property checking Create miter from the design and the safety property Special construction for liveness Biere et al, Proc. FMICS’06 Equivalence checking Create miter from two versions of the same design Assuming the initial state is given The goal is to prove that the output of the miter is 0, for all states reachable from the initial. D2 D1 Equivalence checking miter

Outcomes of Verification Success The property holds in all reachable states Failure A finite-length counter-example (CEX) is found Undecided A limit on resources (such as runtime) is reached

Inductive Invariant An inductive invariant is a Boolean function in terms of register variables, such that It is true for the initial state(s) It is inductive assuming that is holds in one (or more) time-frames allows us to prove it in the next time-frame It does not contain “bad states” where the property fails State space Bad Invariant Reached Init

Inductive Invariant (cont.) It does not matter how inductive invariant is derived! If it is available in any form (as a circuit, BDD or CNF), it can be checked for correctness using a third-party tool This way, verification proof can be certified Comment 1: If the property is true, the set of all reachable states is an inductive invariant Comment 2: In practice, computing the set of all reachable states is often impossible. In such cases, an inductive invariant is an over-approximation of reachable states.

Verification Engines Bug-hunters Provers Transformers random simulation bounded model checking (BMC) hybrids of the above two (“semi-formal”) Provers K-step induction, with or without uniqueness constraints BDDs (exact reachability) Interpolation (over-approximate reachability) Property directed reachability (over-approximate reachability) Transformers Combinational synthesis Reparameterization Retiming

Integrated Verification Flow Preprocessing Creating a miter Computing the intial state, etc Handling combinational problems Handling sequential problems Start with faster engines Continue with slower engines Run main induction loop Call last-gasp engines

Command “dprove” in ABC transforming initial state (“undc”, “zero”) converting into an AIG (“strash”) creating sequential miter (“miter -c”) combinational equivalence checking (“iprove”) bounded model checking (“bmc”) sequential sweep (“scl”) phase-abstraction (“phase”) most forward retiming (“dret -f”) partitioned register correspondence (“lcorr”) min-register retiming (“dretime”) combinational SAT sweeping (“fraig”) for ( K = 1; K  16; K = K * 2 ) signal correspondence (“scorr”) stronger AIG rewriting (“dc2”) sequential AIG simulation interpolation (“int”) BDD-based reachability (“reach”) saving reduced hard miter (“write_aiger”) Preprocessors Combinational solver Faster engines Slower engines Main induction loop Last-gasp engines

Typical Run of SEC in ABC abc - > miter –cm r\orig\s38584.1.blif r\rrr\s38584.1_r.blif abc - > dprove –vb Original miter: Latches = 4162. Nodes = 23649. Sequential cleanup: Latches = 3777. Nodes = 22081. Time = 0.07 sec Forward retiming: Latches = 5196. Nodes = 21743. Time = 0.24 sec Latch-corr (I= 15): Latches = 4311. Nodes = 19670. Time = 2.88 sec Fraiging: Latches = 4311. Nodes = 18872. Time = 0.35 sec Min-reg retiming: Latches = 2280. Nodes = 18867. Time = 0.93 sec K-step (K= 1,I= 8): Latches = 2053. Nodes = 16602. Time = 13.19 sec Min-reg retiming: Latches = 2036. Nodes = 16518. Time = 0.14 sec Rewriting: Latches = 2036. Nodes = 14399. Time = 1.64 sec Seq simulation : Latches = 2036. Nodes = 14399. Time = 0.29 sec K-step (K= 2,I= 9): Latches = 1517. Nodes = 10725. Time = 14.81 sec Min-reg retiming: Latches = 1516. Nodes = 10725. Time = 0.14 sec Rewriting: Latches = 1516. Nodes = 10498. Time = 1.09 sec Seq simulation : Latches = 1516. Nodes = 10498. Time = 0.45 sec K-step (K= 4,I= 8): Latches = 0. Nodes = 0. Time = 11.89 sec Networks are equivalent. Time = 48.16 sec

Combinational Equivalence Checking (command ‘cec’) Naïve approach Build output miter – call SAT works well for many easy problems Better approach - SAT sweeping based on incremental SAT solving detect possibly equivalent nodes using simulation candidate constant nodes candidate equivalent nodes run SAT on the intermediate miters in a topological order refine candidates using counterexamples A B SAT-1 D C SAT-2 ? Proving internal equivalences in a topological order

Improved CEC (command ‘&cec’) For hard CEC instances Heuristic: skip some equivalences Results in 5x reduction in runtime Solving previously unresolved problems Given a combinational miter with equivalence class {A, B, A’, B’} Possible equivalences: A = B, A = A’, A = B’, B = A’, B = B’, A’ = B’ only try to prove A=A’ and B=B’ do not try to prove A = B, A’ = B’, A’ = B A = B’ D2 D1 B A A’ B’

CEC Under Permutation CEC CEC Boolean matcher Yes or No (and counterexample) Yes or No (and counterexample) CEC CEC Design1 Design2 Boolean matcher Design1 Design2 A resource-aware combination of graph-based, simulation-based, and SAT-based techniques Works for circuits with 100s of I/Os in about 1 min ABC command ”bm” (developed at U of Michigan) Hadi Katebi and Igor Markov, “Large-scale Boolean Matching”, Proc. DATE’10.

HWMCC 2011 4th Hardware Model Checking Competition Organized by Held at FMCAD’11 in Austin, TX (Oct 30 – Nov 2, 2011) Organized by Armin Biere, Keijo Heljanko, Siert Wieringa, Niklas Soerensson Participants 6 universities submitted 14 solvers + 4 solvers that won previous competitions Benchmarks 465 benchmarks from different sources Resources 15 min, 7Gb RAM, 4 cores Using 32 node cluster, Intel Quad Core 2.6 GHz, 8 GB, Ubuntu

Courtesy Armin Biere

Courtesy Armin Biere

Courtesy Armin Biere

Future Work Exploring new directions Improving bit-level engines Satisfiability Modulo Theories (SMT) Software verification Using concurrency, etc Improving bit-level engines Application-specific SAT solvers A modern BDD package Improved sequential logic simulators combining random, guided and symbolic simulation Improved abstraction refinement … and may be a new engine or two

To Learn More Visit BVSRC webpage www.bvsrc.org Read recent papers http://www.eecs.berkeley.edu/~alanmi/publications Send email alanmi@eecs.berkeley.edu brayton@eecs.berkeley.edu

39