Modernized Computation Engines for Tomorrow's Formal Verification Robert Brayton Niklas Een Alan Mishchenko Berkeley Verification and Synthesis Research Center Department of EECS UC Berkeley UC Berkeley
Task Overview SRC task ID: SRC task ID: Start date: April 1, 2012 Start date: April 1, 2012 Thrust area: Verification Thrust area: Verification Task leaders: Task leaders: Robert Brayton, Nilkas Een, Alan Mishchenko (Univ. of California/Berkeley) Robert Brayton, Nilkas Een, Alan Mishchenko (Univ. of California/Berkeley) Industrial liaisons: Industrial liaisons: See next slide See next slide Students: Students: Jiang Long, Sayak Ray, Baruch Sterin Jiang Long, Sayak Ray, Baruch Sterin
Industrial Liaisons Freescale Freescale Himyanshu Anand Himyanshu Anand IBM IBM Jason Baumgartner Jason Baumgartner Intel Intel Timothy Kam, Ranan Fraer, Alexander Nadel, Murali Talupur Timothy Kam, Ranan Fraer, Alexander Nadel, Murali Talupur Mentor Graphics Mentor Graphics Jeremy Levitt, Christian Stangier Jeremy Levitt, Christian Stangier (Source:
Anticipated Results Methodology and algorithms for next-generation improvements in formal verification, addressing SAT solving hybrid simulation counter-example handling invariant generation Public software implementation of the above methodology and algorithms. Experimental evaluation on industrial benchmarks.
Task Description We propose to leverage the unique expertise of our group, Berkeley Verification and Synthesis Research Center (BVSRC), and our previous SRC contracts for solving hard industrial problems arising in formal verification. The goal would be a new level in the state-of-the-art of logic formal verification engines, which adds the following to the design flow: We propose to leverage the unique expertise of our group, Berkeley Verification and Synthesis Research Center (BVSRC), and our previous SRC contracts for solving hard industrial problems arising in formal verification. The goal would be a new level in the state-of-the-art of logic formal verification engines, which adds the following to the design flow: Application-specific SAT solvers to improve performance of key verification engines. Two new design decisions will be explored for developing SAT solvers, which are specifically geared to solving numerous, related, and relatively easy problems, on the one hand, and monolithic, large, and hard problems, on the other hand. Application-specific SAT solvers to improve performance of key verification engines. Two new design decisions will be explored for developing SAT solvers, which are specifically geared to solving numerous, related, and relatively easy problems, on the one hand, and monolithic, large, and hard problems, on the other hand. Hybrid simulation based on new heuristics to improve state space coverage. New ideas will be explored for improving bit-level simulation and combining it with symbolic simulation, handled by adding symbolic variables or exhaustively simulating selected input subspaces. Hybrid simulation based on new heuristics to improve state space coverage. New ideas will be explored for improving bit-level simulation and combining it with symbolic simulation, handled by adding symbolic variables or exhaustively simulating selected input subspaces. Counter-example minimization to shorten the counter-examples produced by some algorithms, such as random and hybrid simulation. A counter-example minimizer will be developed based on hybrid simulation and bounded model checking. Another aspect to be explored is the use of concurrency to speed up the minimization process. Counter-example minimization to shorten the counter-examples produced by some algorithms, such as random and hybrid simulation. A counter-example minimizer will be developed based on hybrid simulation and bounded model checking. Another aspect to be explored is the use of concurrency to speed up the minimization process. Various methods for automated inductive invariant generation. Several ways of generating inductive invariants will be explored. One of them is based on using high- level information about the design; another is an extension of a previous method based on the structural analysis of the AIG. Various methods for automated inductive invariant generation. Several ways of generating inductive invariants will be explored. One of them is based on using high- level information about the design; another is an extension of a previous method based on the structural analysis of the AIG. The new methods developed while working on this proposal will be tested on industrial designs in our synthesis and verification tool, ABC, and made available in source code, which can be customized to specific applications. The new methods developed while working on this proposal will be tested on industrial designs in our synthesis and verification tool, ABC, and made available in source code, which can be customized to specific applications.
Task Deliverables 2013 Annual review presentation (27-Mar-2013) Report on a software release of a circuit-based SAT solver. Evaluation on industrial problems (30-Jun-2013) 2014 Annual review presentation (30-Apr-2014) Report on a software release of a counter-example generator. Evaluation on industrial problems (30-Jun-2014) 2015 Report on a software release of a hybrid simulator and invariant generator. Evaluation on industrial problems (30-Apr-2015) Final report summarizing research accomplishments and future direction (30-Jun-2015)
Current State of the Project Covered in this presentation Covered in this presentation Advances in application-specific SAT solving (work in progress) Advances in application-specific SAT solving (work in progress) Advances in simulation (IWLS’12) Advances in simulation (IWLS’12) Counter-example analysis (submitted to IWLS’13) Counter-example analysis (submitted to IWLS’13) Towards new invariant generation (work in progress) Towards new invariant generation (work in progress) Other developments Other developments Semi-canonical form for sequential AIGs (DATE’13) Semi-canonical form for sequential AIGs (DATE’13) Automated gate-level abstraction (DATE’13) Automated gate-level abstraction (DATE’13) Solving multiple-output properties (work in progress) Solving multiple-output properties (work in progress)
Advances in SAT Solving PunySAT: An application-specific SAT solver PunySAT: An application-specific SAT solver Geared to small, hard SAT instances Geared to small, hard SAT instances Similar to MiniSAT in everything, except Similar to MiniSAT in everything, except Clauses are bit-strings, not integer arrays Clauses are bit-strings, not integer arrays BCP can be more efficient (see next slide) BCP can be more efficient (see next slide) Experimental results inconclusive Experimental results inconclusive Tied with MiniSAT on 50 problems from SAT competition Tied with MiniSAT on 50 problems from SAT competition
PunySAT: BCP Using Bit-Strings bool confl( BitVec iclause, BitVec assign ) { return (iclause & ~assign) == 0; return (iclause & ~assign) == 0;} bool bcp (BitVec iclause, BitVec assign, lit_t& prop_lit) { BitVec mask = (iclause & ~assign); BitVec mask = (iclause & ~assign); if ((mask & (mask-1)) == 0) { if ((mask & (mask-1)) == 0) { prop_lit = neg(__builtin_ctz(mask)); return true; prop_lit = neg(__builtin_ctz(mask)); return true; } else } else return false; return false;} cla_id propagate() { while (qhead < trail_sz) { while (qhead < trail_sz) { lit_t q, p = trail[qhead++]; lit_t q, p = trail[qhead++]; for (uint i = 0; i < occurs[p].size(); i++){ for (uint i = 0; i < occurs[p].size(); i++){ cla_id from = occurs[p][i]; cla_id from = occurs[p][i]; BitVec cl = clauses[from]; BitVec cl = clauses[from]; if (cl.confl(assign)) if (cl.confl(assign)) return from; // returns conflicting clause return from; // returns conflicting clause if (cl.bcp(assign, q) && !assign.has(q)) if (cl.bcp(assign, q) && !assign.has(q)) enqueueQ(q, from); enqueueQ(q, from); } } return 0; // returns ”no conflict” return 0; // returns ”no conflict”} BitVec is a bit-vector of the appropriate size for the problem (say, 256 bits). iclause is a clause with all literals inverted. lit_t is a typedef for an unsigned int (mask & (mask-1)) == 0 checks if the mask has at most one bit set __builtin_ctz(mask) returns the index of the lowermost "1" in mask (supported natively by most processors)
PunySAT: Experiment Green: ZZMiniSAT Red: PunySAT Considered 50+ problems from SAT competitions with less than 256 variables, solved by either MiniSAT or PunySAT in less than 5 min Considered 50+ problems from SAT competitions with less than 256 variables, solved by either MiniSAT or PunySAT in less than 5 min MiniSAT solved 48 problems; PunySAT solved 50 problems MiniSAT solved 48 problems; PunySAT solved 50 problems
Advances in Simulation: Key Idea Rarity simulation is random simulation with prioritizing reachable states Rarity simulation is random simulation with prioritizing reachable states Gracefully handles resets by skipping frequently visited states Gracefully handles resets by skipping frequently visited states Visits rare reachable states where hard-to- detect failures may be found Visits rare reachable states where hard-to- detect failures may be found More efficient than naïve random simulation at detecting property failures More efficient than naïve random simulation at detecting property failures
Rarity Simulation: Implementation Divide flops into fixed-size groups in the order of their appearance in the design Divide flops into fixed-size groups in the order of their appearance in the design Groups of 8 flops are used by default Groups of 8 flops are used by default Maintain a record of observed flop values Maintain a record of observed flop values For each group, 256 (=2^8) counters are used For each group, 256 (=2^8) counters are used After simulating a fixed number (by default, 20) frames, recompute the frequency of having a given value in each flop group, and choose next states for simulation based on the rarity of values After simulating a fixed number (by default, 20) frames, recompute the frequency of having a given value in each flop group, and choose next states for simulation based on the rarity of values By default, 1 out of 64 states is chosen By default, 1 out of 64 states is chosen R. Brayton, N. Een, and A. Mishchenko, "Using speculation for sequential equivalence checking", Proc. IWLS'12, pp
Rarity Simulation: Illustration Start with initial state Accumulate info about reached states Decide what next states to simulate from Accumulate info about reached states Decide what next states to simulate from etc Initial state Random PI values
Counter-Example (CE) Analysis CE is a set of PI values in each time frame, which, starting from the initial state, leads to the property failure CE is a set of PI values in each time frame, which, starting from the initial state, leads to the property failure Given a CE, PIs can be divided into three categories Given a CE, PIs can be divided into three categories Essential PIs whose values are needed for the property failure Essential PIs whose values are needed for the property failure Don’t-care PIs whose values are not important Don’t-care PIs whose values are not important Optional PIs (all the remaining ones) Optional PIs (all the remaining ones) We introduce the notion of CE-induced network We introduce the notion of CE-induced network This network, composed of two-input AND-/OR-gates, has unate Boolean function in terms of PI variables, which represents all subsets of the PIs implying the property failure according to the CE This network, composed of two-input AND-/OR-gates, has unate Boolean function in terms of PI variables, which represents all subsets of the PIs implying the property failure according to the CE Applications Applications Design debugging, CE minimization, abstraction refinement Design debugging, CE minimization, abstraction refinement A. Mishchenko, N. Een, and R. Brayton, "A toolbox for counter- example analysis and optimization", Submitted to IWLS'13.
Construction of CE-Induced Network Unfold the original network for the depth indicated by the CE Unfold the original network for the depth indicated by the CE Assign values of primary inputs and internal nodes according to the CE Assign values of primary inputs and internal nodes according to the CE Replace all primary inputs of the unfolding by free variables Replace all primary inputs of the unfolding by free variables Replace each AND of the unfolding by AND, OR or BUF using the rules Replace each AND of the unfolding by AND, OR or BUF using the rules Rehash and sweep dangling nodes Rehash and sweep dangling nodes Unfolding CE-induced network
Experiment: CE Bit Profiling Engine: Formal verification engine that produced counter-example Total bits: The total number of primary inputs in the unrolled testcase DC/Opt/Essen: Percentage of don’t-care, optional, and essential bits Min: Percentage of bits in the minimized counter-example Time: Runtime of bit profiling in seconds
Experiment: Bounded Unfolding vs. CE-Induced Network CE Depth: The timeframe where the property fails according to the CE PI/AND/Level: The number of PIs, AIG nodes, and AIG node levels Time: Runtime of unfolding vs. constructing CE-induced network, in seconds
Rediscovery of High-Level Structure in a Bit-Level AIG via Support Hashing Algorithm Algorithm Input: Sequential AIG Input: Sequential AIG Output: Sequential AIG annotated with high-level information Output: Sequential AIG annotated with high-level information Computation Computation Select a subset of inputs (or internal nodes) with high fanout Select a subset of inputs (or internal nodes) with high fanout Iterate combinational support computation to derive sequential support of every node in the AIG in terms of the selected nodes Iterate combinational support computation to derive sequential support of every node in the AIG in terms of the selected nodes Hash nodes by their support to find their equivalence classes Hash nodes by their support to find their equivalence classes Group equivalence classes of small cardinality and/or with similar support to create well-balanced partitions Group equivalence classes of small cardinality and/or with similar support to create well-balanced partitions (optional) Iterate support hashing to break large partitions into smaller ones (optional) Iterate support hashing to break large partitions into smaller ones Applications Applications Circuits partitioning Circuits partitioning Invariant computation Invariant computation
Support Hashing: Illustration Blocks A, B, and C are structurally different because Blocks A, B, and C are structurally different because Nodes in A depend on X Nodes in A depend on X Nodes in B depend on X and Y Nodes in B depend on X and Y Nodes in C depend on Y Nodes in C depend on Y Block A Block B Block C Support = X- Support = XYSupport = -Y Node XNode Y
Related Publications Hybrid simulation - R. Brayton, N. Een, and A. Mishchenko, "Using speculation for sequential equivalence checking", Proc. IWLS'12, pp Toolbox for counter-example manipulation - A. Mishchenko, N. Een, and R. Brayton, "A toolbox for counter-example analysis and optimization", Submitted to IWLS'13. Gate-level abstraction - A. Mishchenko, N. Een, R. Brayton, J. Baumgartner, H. Mony, and P. Nalla, "GLA: Gate-level abstraction revisited", Proc. DATE'13. Computing canonical form for sequential AIGs - A. Mishchenko, N. Een, R. Brayton, M. Case, P. Chauhan, and N. Sharma, "A semi-canonical form for sequential AIGs", Proc. DATE'13. Novel logic representation for fast synthesis and mapping - A. Mishchenko and R. Brayton, "Faster logic manipulation for large designs", To be submitted to IWLS'13.
Ongoing and Future Work Application-specific SAT solving Run additional experiments with PunySAT Hybrid simulation Combine rarity simulation with BMC Counter-example analysis Develop a CE minimization procedure Invariant detection Develop invariant mining based on the proposed annotation of the AIG with high-level information
Other Work Directions Improving multi-output property solver Exploring new algorithms for abstraction refinement Refine multiple counter-examples Use UNSAT core computationin a seprate SAT solver Handle segments of counter Speeding up isomorphism detection Add incremental signature propagation Avoid separate handling of each PO sequential logic cone New memory-efficient BMC engine based on Constant-memory unfolding engine Low-memory AIG package Fast logic synthesis to reduce logic cloud given to the SAT solver Continuing to release ABC with new features
Conclusions Reviewed the SRC Task (first year) “Modernized Computation Engines for Tomorrow's Formal Verification” Discussed new findings Reviewed recent publications