Enhancing and Integrating Model Checking Engines Robert Brayton Alan Mishchenko UC Berkeley June 15, 2009

2 Overview Sequential verification Sequential verification Integrated verification flow (“dprove”) Integrated verification flow (“dprove”) Extended integrated verification flow (“dprove2”) Extended integrated verification flow (“dprove2”) Experimental results Experimental results Ongoing and future work Ongoing and future work

3 Sequential Verification Motivation Motivation Verifying equivalence after synthesis (equivalence checking) Verifying equivalence after synthesis (equivalence checking) Checking specific sequential properties (model checking) Checking specific sequential properties (model checking) Design analysis and estimation Design analysis and estimation Our research philosophy Our research philosophy Developing scalable solutions aimed at industrial problems Developing scalable solutions aimed at industrial problems Exploiting synergy between synthesis and verification Exploiting synergy between synthesis and verification Experimenting with new research ideas Experimenting with new research ideas Producing public implementations Producing public implementations

4 Verification Problems and Solutions Taxonomy of verification Taxonomy of verification Property and equivalence checking Property and equivalence checking Combinational and sequential verification Combinational and sequential verification Satisfiable and unsatisfiable problems Satisfiable and unsatisfiable problems Single-solver and multi-solver approach Single-solver and multi-solver approach Taxonomy of solvers/engines Taxonomy of solvers/engines Bug-hunters, provers, simplifiers, multi-purpose Bug-hunters, provers, simplifiers, multi-purpose Simulation, BDD-, AIG-, SAT-based, hybrid, etc Simulation, BDD-, AIG-, SAT-based, hybrid, etc Fast/slow, weak/strong, etc Fast/slow, weak/strong, etc

5 Property / Equivalence Checking Property checking Property checking Takes design and property and makes a miter Takes design and property and makes a miter Equivalence checking Equivalence checking Takes two designs and makes a miter Takes two designs and makes a miter The goal is to prove that the output of the miter is always 0 The goal is to prove that the output of the miter is always 0 D2 D1 Equivalence checking 0 D1 Property checking 0 p

6 Verification Engines Bug-hunters Bug-hunters random simulation random simulation bounded model checking (BMC) bounded model checking (BMC) hybrids of the above two (“semi-formal”) hybrids of the above two (“semi-formal”) Provers Provers K-step induction, with or without uniqueness constraints K-step induction, with or without uniqueness constraints Interpolation (over-approximate reachability) Interpolation (over-approximate reachability) BDDs (exact reachability) BDDs (exact reachability) Transformers Transformers Combinational synthesis Combinational synthesis Retiming Retiming Proving nodes sequentially equivalent Proving nodes sequentially equivalent Abstraction Abstraction Speculative reduction Speculative reduction

7 Integrated Verification Flow Preprocessing Preprocessing Handling combinational problems Handling combinational problems Starting with faster engines Starting with faster engines Continuing with slower engines Continuing with slower engines Main induction loop Main induction loop Last-gasp engines Last-gasp engines

8 Command “dprove” transforming initial state (“undc”, “zero”) transforming initial state (“undc”, “zero”) converting into an AIG (“strash”) converting into an AIG (“strash”) creating sequential miter (“miter -c”) creating sequential miter (“miter -c”) combinational equivalence checking (“iprove”) combinational equivalence checking (“iprove”) bounded model checking (“bmc”) bounded model checking (“bmc”) sequential sweep (“scl”) sequential sweep (“scl”) phase-abstraction (“phase”) phase-abstraction (“phase”) most forward retiming (“dret -f”) most forward retiming (“dret -f”) partitioned register correspondence (“lcorr”) partitioned register correspondence (“lcorr”) min-register retiming (“dretime”) min-register retiming (“dretime”) combinational SAT sweeping (“fraig”) combinational SAT sweeping (“fraig”) for ( K = 1; K  16; K = K * 2 ) for ( K = 1; K  16; K = K * 2 ) signal correspondence (“scorr”) signal correspondence (“scorr”) stronger AIG rewriting (“dc2”) stronger AIG rewriting (“dc2”) min-register retiming (“dretime”) min-register retiming (“dretime”) sequential AIG simulation sequential AIG simulation interpolation (“int”) interpolation (“int”) BDD-based reachability (“reach”) BDD-based reachability (“reach”) saving reduced hard miter (“write_aiger”) saving reduced hard miter (“write_aiger”) Preprocessors Combinational solver Faster engines Slower engines Main induction loop Last-gasp engines

9 Extension 1: Abstraction Counter-example guided abstraction-refinement Counter-example guided abstraction-refinement Start Start First abstraction - replace all registers by primary inputs First abstraction - replace all registers by primary inputs Prove Prove If the number of remaining registers exceeds K% (default, K=90), return UNDECIDED If the number of remaining registers exceeds K% (default, K=90), return UNDECIDED Try BMC limited to C conflicts Try BMC limited to C conflicts If unsat after C conflicts, return current abstracted model If unsat after C conflicts, return current abstracted model If SAT, get counter-example, go to Refinement If SAT, get counter-example, go to Refinement Refinement Refinement Use the counter-example to find what registers should be added Use the counter-example to find what registers should be added Add the registers Add the registers Go to Prove Go to Prove

10 Extension 2: Speculative Reduction Compute candidate equivalences Compute candidate equivalences Perform reduction by transferring fanout Perform reduction by transferring fanout Record equality constraints as primary outputs Record equality constraints as primary outputs Try BMC with C conflicts Try BMC with C conflicts If UNSAT, return speculatively reduced model If UNSAT, return speculatively reduced model If SAT, remove erroneous equivalences and outputs, repeat speculation If SAT, remove erroneous equivalences and outputs, repeat speculation Advantages Advantages Restructure the circuit Restructure the circuit If can prove UNSAT of speculatively reduced model, then property is proved If can prove UNSAT of speculatively reduced model, then property is proved Can use any other engines to try to prove Can use any other engines to try to prove A B Adding assumptions without speculative reduction 0 A B Adding assumptions with speculative reduction 0

11 Command “dprove2” Initial BMC Initial BMC If counter-example, return SAT If counter-example, return SAT “dprove” (result is stored in Save1) “dprove” (result is stored in Save1) If UNSAT, return UNSAT If UNSAT, return UNSAT If SAT, return SAT If SAT, return SAT If UNDECIDED, restore Save1 If UNDECIDED, restore Save1 Abstraction Abstraction If fails, restore Save1, to go Speculation If fails, restore Save1, to go Speculation Trim PIs/POs Trim PIs/POs “dprove” (result is stored in Save2) “dprove” (result is stored in Save2) If UNSAT, return UNSAT If UNSAT, return UNSAT If SAT, restore Save1 // here our abstract model was not good If SAT, restore Save1 // here our abstract model was not good If UNDECIDED, restore Save2 If UNDECIDED, restore Save2 Speculation Speculation If Speculation is already tried, go to Final BMC If Speculation is already tried, go to Final BMC Else compute and refine equiv classes, perform speculation Else compute and refine equiv classes, perform speculation Trim PIs/POs Trim PIs/POs Signal correspondence, combinational synthesis, interpolation, reachability Signal correspondence, combinational synthesis, interpolation, reachability If UNSAT, return UNSAT If UNSAT, return UNSAT If SAT, to go Final BMC If SAT, to go Final BMC If UNDECIDED, go to Abstraction // we might get some abstraction now If UNDECIDED, go to Abstraction // we might get some abstraction now Final BMC Final BMC Restore Save1, set the highest resource limit Restore Save1, set the highest resource limit

12 Example of dprove2 abc 01> r pdtvisns3p00.aig (unsolved by anyone in HWMCC’08 competition) abc 02> dprove2 Starting BMC... pdtvisns3p00 : pi = 21 po = 1 lat = 117 and = 3985 lev = 56 No output was asserted in 10 frames. Time = 5.45 sec - conflict limit (10000). Starting "dprove"... BDDs blew up during image computation. Time = 0.55 sec Networks are UNDECIDED. Time = 7.88 sec Problem size after dprove: pdtvisns3p00 : pi = 21 po = 1 lat = 88 and = 811 lev = 16 Abstraction... Init : pdtvisns3p00 : pi = 108 po = 1 and = 7 lev = 4 Refining abstraction... Output 0 was asserted in frame 0 (use "write_counter" to dump a witness). Time = 0.02 sec 0 : pdtvisns3p00 : pi = 103 po = 1 lat = 5 and = 122 lev = 11 0 : pdtvisns3p00 : pi = 103 po = 1 lat = 5 and = 122 lev = 11 Output 0 was asserted in frame 2 (use "write_counter" to dump a witness). Time = 0.02 sec 1 : pdtvisns3p00 : pi = 88 po = 1 lat = 21 and = 535 lev = 16 1 : pdtvisns3p00 : pi = 88 po = 1 lat = 21 and = 535 lev = 16 Output 0 was asserted in frame 3 (use "write_counter" to dump a witness). Time = 0.02 sec … Output 0 was asserted in frame 4 (use "write_counter" to dump a witness). Time = 0.02 sec 8 : pdtvisns3p00 : pi = 50 po = 1 lat = 59 and = 719 lev = 16 8 : pdtvisns3p00 : pi = 50 po = 1 lat = 59 and = 719 lev = 16 Output 0 was asserted in frame 7 (use "write_counter" to dump a witness). Time = 0.06 sec 9 : pdtvisns3p00 : pi = 35 po = 1 lat = 74 and = 761 lev = 16 9 : pdtvisns3p00 : pi = 35 po = 1 lat = 74 and = 761 lev = 16 No output asserted in 11 frames. Time = 7.67 sec - conflict limit (25000).

13 dprove2 example - continued "dprove" pdtvisns3p00 : pi = 35 po = 1 lat = 74 and = 761 lev = 16 BDDs blew up during image computation. Time = 0.47 sec Networks are UNDECIDED. Time = 7.03 sec The unsolved reduced miter is (null) : pi = 35 po = 1 lat = 74 and = 756 lev = 16 Speculation... Performing sequential simulation of 1000 frames with 255 words. Output 27 was asserted in frame 6 (use "write_counter" to dump a witness). Time = 0.14 sec No output was asserted in 13 frames. Time = sec Reached local conflict limit (25000). Problem size of speculative reduced circuit after trimming... (null) : pi = 35 po = 39 lat = 74 and = 775 lev = 16 After "scorr"... (null) : pi = 35 po = 39 lat = 65 and = 738 lev = 16 After "dc2"... (null) : pi = 35 po = 39 lat = 65 and = 713 lev = 16 Property proved by interpolation (106 sec). Total Time = sec

14 Experimental Results Sequential verifier in ABC Sequential verifier in ABC First implemented in summer 2007 First implemented in summer 2007 Publicly available since September 2007 Publicly available since September 2007 Now working on second-generation code Now working on second-generation code Very active research area - lots of new ideas to try! Very active research area - lots of new ideas to try! Test cases Test cases Generated by applying sequential synthesis in ABC Generated by applying sequential synthesis in ABC Public benchmarks from various sources Public benchmarks from various sources Industrial problems from several companies Industrial problems from several companies

15 Hardware Model Checking Competition at CAV (HWMCC’08) Competition organizers Competition organizers Armin Biere (Johannes Kepler University, Linz, Austria) Armin Biere (Johannes Kepler University, Linz, Austria) Alessandro Cimatti (IRST, Trento, Italy) Alessandro Cimatti (IRST, Trento, Italy) Koen Lindström Claessen (Chalmers University, Gothenburg, Sweden) Koen Lindström Claessen (Chalmers University, Gothenburg, Sweden) Toni Jussila (OneSpin Solutions, Munich, Germany) Toni Jussila (OneSpin Solutions, Munich, Germany) Ken McMillan (Cadende Berkeley Labs, Berkeley, USA) Ken McMillan (Cadende Berkeley Labs, Berkeley, USA) Fabio Somenzi (University of Colorado, Boulder, USA) Fabio Somenzi (University of Colorado, Boulder, USA) The total of 16 solvers from 6 universities The total of 16 solvers from 6 universities The total of 645 benchmarks The total of 645 benchmarks 344 old and 301 new 344 old and 301 new Resource limits per problem (on Intel Pentium IV, 3 GHz, 2 GB) Resource limits per problem (on Intel Pentium IV, 3 GHz, 2 GB) Runtime limit: 900 sec Runtime limit: 900 sec Memory limit: 1.5 Gb Memory limit: 1.5 Gb

16 Results Courtesy Armin Biere

17 HWMCC’08: All Benchmarks Courtesy Armin Biere

18 HWMCC’08: SAT Benchmarks Courtesy Armin Biere

19 HWMCC’08: UNSAT Benchmarks Courtesy Armin Biere

20 Competition Webpage

21 Summary Reviewed some basics Reviewed some basics Described integrated flow Described integrated flow Described the recent extension of the flow Described the recent extension of the flow Reviewed the results of HWMCC’08 Reviewed the results of HWMCC’08