Research Update
June-September 2008
Alan Mishchenko
1
Outline
Improved
command “int”
New
choice computation
command “dch” (not covered in this talk)
New
interpolation
inductive prover
command “scorr”
2
Interpolation: Basics
Input: Sequential AIG with single output representing a property
Method: Over-approximate reachability analysis
Property holds when the output is 0
Using over-approximations, instead of exact sets of reachable states
Output: Proof that the property holds
Implementation: A sequence of SAT calls on unrolled time-frames
that is similar to bounded model checking
Ik
A
B
R1
R2
R3
L
Rn
P=1
Ik+1
3
Interpolation: Experiments
(Done in collaboration with Roland Jiang, National Taiwan University.)
Checking termination using induction
Compare two interpolation algorithms
McMillan’s vs. Pudlak’s
Backward interpolation
Quit, if interpolant is a k-step-inductive invariant
Interpolate the last time frame, instead of the first
Compare two different proofs
Proof logger in ABC vs. proof logger in MiniSat-1.14p
4
Checking Termination by Induction
(This idea was suggested by Ken McMillan, Cadence Research Labs.)
Traditional approach: Check termination by
checking Boolean containment of Ik+1 in Ik
New approach: Check termination by checking
whether Ik is an inductive invariant
If so, a fixed-point is reached
If so, iteration can stop because (i) Ik contains all
reachable states and (ii) the property holds for all
states in Ik
Improvement: Use k-step induction where k
increases proportionally to the effort applied in
the interpolation procedure
5
Two Interpolation Procedures
McMillan’s
Pudlak’s
Root clauses
Clause of A gets OR of
global literals
Clause of B gets
constant 1
Learned clauses
Variable of A gets OR
of interpolants
Variable of B or C gets
AND of interpolants
Root clauses
Clause of A gets
constant 0
Clause of B gets
constant 1
Learned clauses
Variable of A gets OR
of interpolants
Variable B gets AND
of interpolants
Variable of C gets
MUX controlled by
this variable
6
Backward Interpolation
Instead of interpolating init-state and the first
time frame, interpolate negated property and the
last frame
Unroll circuit backward rather than forward
It was found experimentally that backward
interpolation rarely has better runtime
7
Two Proof Logging Procedures
ABC
Uses a sequence of
learned clauses
Is largely independent of
the SAT solver
Doubles the runtime of
SAT solver because the
proof is re-derived using
backward BCP
MiniSat-1.14p
Records the steps of
conflict analysis
SAT solver should be
heavily modified
Has little runtime
overhead but may use
more memory
It was found experimentally that using proof-logging
in ABC results in a faster interpolation procedure
8
Interpolation Results
The table reports runtime of command “int” in ABC, which implements Ken
McMillan’s unbounded model checking procedure. The runtime is in seconds
on an IBM laptop with a 1.6GHz Pentium 4 CPU and 2GB of RAM. Timeout
was set to 300 seconds.
Default interpolation parameters: inductive check (K=2), original transition
relation (no self-loop), forward interpolation, proof-logging engine in ABC.
PicoJava
testcase
005
006
007
008
009
016
017
018
019
Default
params
1.04
0.82
0.68
0.08
0.33
0.67
0.92
9.13
2.04
Inductive
check (K=1)
0.85
9.68
0.66
0.06
0.36
5.69
timeout
7.82
2.02
Boolean
containment
2.55
17.67
0.59
0.37
0.27
7.03
timeout
9.49
24.22
Added
self-loop
1.74
14.22
0.69
0.46
0.20
4.97
timeout
11.54
7.60
Backward
5.09
14.72
0.64
0.19
0.26
16.90
timeout
28.33
timeout
MiniSat 1.14p
0.69
22.18
1.07
0.84
0.30
6.56
timeout
14.24
7.75
9
Inductive Prover: Basics
Inductive Case
Base Case
?
Candidate equivalences: {A,B}, {C,D}
?
SAT-4
D
?
?
Proving internal
equivalences in
a topological
order in frame K
D
SAT-1
A
B
0
SAT-3
A
B
0
D
SAT-2
D
?
C
PIk
C
PI1
PI0
SAT-2
?
C
SAT-1
A
B
Assuming internal
equivalences to in
uninitialized frames
0 through K-1
A
0
B
PI1
0
D
Initial state
Proving internal equivalences in
initialized frames 0 through K-1
C
C
A
PI0
B
Symbolic state
10
Inductive Prover: Experiments
Simulation of additional timeframes
Skipping SAT calls for some cand. equivalences
Counter-examples to induction can be simulated over
several timeframes, resulting in additional refinement
Can skip an equivalence if its cone-of-influence did
not change after the last iteration of refinement
Improved implementation
Better AIG to CNF conversion
Better candidate equivalence class manipulation
More flexible simulation
11
Inductive Prover: Results
Using a large test-case taken at random from
resynthesis/retiming/resynthesis benchmarks
(R. Jiang et al, ICCAD’07)
Running three versions of ABC on a laptop
Old prover (September 2007)
Improved old prover (September 2008)
171 sec
94 sec
New prover (September 2008)
31 sec
12
Inductive Prover: Next Steps
Support external sequential constraints
Add uniqueness constraints on demand
Use constrained instead of random simulation
May increase inductive power for hard properties
Use aggressive filtering of cand. equivalences
May speed up SEC after seq. synthesis when most of
the circuit structure did not change (e.g. clock-gating)
13
Future Work
Incorporate stand-alone speculative reduction
into the verification engine
Bring command “dprove” up to the standards of
industrial model checker
Implement generation of counter-examples after
interpolation and BDD-based reachability
Combine clock-gating and ODC-based synthesis
May extend the scope of hard problems solved
Combines seq. and comb. synthesis to
simultaneously reduce power and area
Re-implement CEC engine using new ideas
Tune for circuits with little or no common structure
14
© Copyright 2025 Paperzz
