Enhancing and Integrating Model Checking Engines
June 15, 2009
Robert Brayton, Alan Mishchenko
UC Berkeley

Overview
- Sequential verification
- Integrated verification flow ("dprove")
- Extended integrated verification flow ("dprove2")
- Experimental results
- Ongoing and future work

Sequential Verification
- Motivation
  - Verifying equivalence after synthesis (equivalence checking)
  - Checking specific sequential properties (model checking)
  - Design analysis and estimation
- Our research philosophy
  - Developing scalable solutions aimed at industrial problems
  - Exploiting synergy between synthesis and verification
  - Experimenting with new research ideas
  - Producing public implementations

Verification Problems and Solutions
- Taxonomy of verification
  - Property and equivalence checking
  - Combinational and sequential verification
  - Satisfiable and unsatisfiable problems
  - Single-solver and multi-solver approach
- Taxonomy of solvers/engines
  - Bug-hunters, provers, simplifiers, multi-purpose
  - Simulation, BDD-, AIG-, SAT-based, hybrid, etc.
  - Fast/slow, weak/strong, etc.

Property / Equivalence Checking
- Property checking
  - Takes a design and a property and makes a miter
- Equivalence checking
  - Takes two designs and makes a miter
- The goal is to prove that the output of the miter is always 0
[Figure: property-checking miter of design D1 and property p, and equivalence-checking miter of designs D1 and D2; in both, the miter output is compared against 0]

Verification Engines
- Bug-hunters
  - random simulation
  - bounded model checking (BMC)
  - hybrids of the above two ("semi-formal")
- Provers
  - K-step induction, with or without uniqueness constraints
  - Interpolation (over-approximate reachability)
  - BDDs (exact reachability)
- Transformers
  - Combinational synthesis
  - Retiming
  - Proving nodes sequentially equivalent
  - Abstraction
  - Speculative reduction

Integrated Verification Flow
- Preprocessing
- Handling combinational problems
- Starting with faster engines
- Continuing with slower engines
- Main induction loop
- Last-gasp engines

Command "dprove"
- transforming initial state ("undc", "zero")
- converting into an AIG ("strash")
- creating sequential miter ("miter -c")
- combinational equivalence checking ("iprove")
- bounded model checking ("bmc")
- sequential sweep ("scl")
- phase-abstraction ("phase")
- most forward retiming ("dret -f")
- partitioned register correspondence ("lcorr")
- min-register retiming ("dretime")
- combinational SAT sweeping ("fraig")
- for ( K = 1; K < 16; K = K * 2 )
  - signal correspondence ("scorr")
  - stronger AIG rewriting ("dc2")
  - min-register retiming ("dretime")
  - sequential AIG simulation
- interpolation ("int")
- BDD-based reachability ("reach")
- saving reduced hard miter ("write_aiger")
(The slide brackets these steps, top to bottom, as preprocessors, combinational solver, faster engines, slower engines, main induction loop, and last-gasp engines.)

Extension 1: Abstraction
- Counter-example guided abstraction-refinement
- Start
  - First abstraction: replace all registers by primary inputs
- Prove
  - If the number of remaining registers exceeds K% (default K=90), return UNDECIDED
  - Try BMC limited to C conflicts
  - If UNSAT after C conflicts, return the current abstracted model
  - If SAT, get the counter-example, go to Refinement
- Refinement
  - Use the counter-example to find which registers should be added
  - Add the registers
  - Go to Prove

Extension 2: Speculative Reduction
- Compute candidate equivalences
- Perform reduction by transferring fanout
- Record equality constraints as primary outputs
- Try BMC with C conflicts
  - If UNSAT, return the speculatively reduced model
  - If SAT, remove the erroneous equivalences and outputs, repeat speculation
- Advantages
  - Restructures the circuit
  - If the speculatively reduced model can be proved UNSAT, then the property is proved
  - Any other engine can be used to try to prove it
[Figure: adding assumptions for candidate equivalence (A, B) without speculative reduction vs. with speculative reduction; in both, the miter output is compared against 0]

Command "dprove2"
- Initial BMC
- "dprove" (result is stored in Save1)
  - If UNSAT, return UNSAT
  - If SAT, return SAT
  - If UNDECIDED, restore Save1
- Abstraction
  - If it fails, restore Save1, go to Speculation
  - Trim PIs/POs
  - "dprove" (result is stored in Save2)
    - If UNSAT, return UNSAT
    - If SAT, restore Save1 // here our abstract model was not good
    - If UNDECIDED, restore Save2
- Speculation
  - If Speculation was already tried, go to Final BMC
  - Else compute and refine equivalence classes, perform speculation
  - Trim PIs/POs
  - Signal correspondence, combinational synthesis, interpolation, reachability
    - If counter-example, return SAT
    - If UNSAT, return UNSAT
    - If SAT, go to Final BMC
    - If UNDECIDED, go to Abstraction // we might get some abstraction now
- Final BMC
  - Restore Save1, set the highest resource limit

Example of dprove2

    abc 01> r pdtvisns3p00.aig        (unsolved by anyone in HWMCC'08 competition)
    abc 02> dprove2
    Starting BMC...
    pdtvisns3p00 : pi = 21 po = 1 lat = 117 and = 3985 lev = 56
    No output was asserted in 10 frames. Time = 5.45 sec - conflict limit (10000).
    Starting "dprove"...
    BDDs blew up during image computation. Time = 0.55 sec
    Networks are UNDECIDED. Time = 7.88 sec
    Problem size after dprove:
    pdtvisns3p00 : pi = 21 po = 1 lat = 88 and = 811 lev = 16
    Abstraction...
    Init : pdtvisns3p00 : pi = 108 po = 1 and = 7 lev = 4
    Refining abstraction...
    Output 0 was asserted in frame 0 (use "write_counter" to dump a witness). Time = 0.02 sec
    0 : pdtvisns3p00 : pi = 103 po = 1 lat = 5 and = 122 lev = 11
    Output 0 was asserted in frame 2 (use "write_counter" to dump a witness). Time = 0.02 sec
    1 : pdtvisns3p00 : pi = 88 po = 1 lat = 21 and = 535 lev = 16
    Output 0 was asserted in frame 3 (use "write_counter" to dump a witness). Time = 0.02 sec
    …
    Output 0 was asserted in frame 4 (use "write_counter" to dump a witness). Time = 0.02 sec
    8 : pdtvisns3p00 : pi = 50 po = 1 lat = 59 and = 719 lev = 16
    Output 0 was asserted in frame 7 (use "write_counter" to dump a witness). Time = 0.06 sec
    9 : pdtvisns3p00 : pi = 35 po = 1 lat = 74 and = 761 lev = 16
    No output asserted in 11 frames. Time = 7.67 sec - conflict limit (25000).

dprove2 example - continued

    "dprove"
    pdtvisns3p00 : pi = 35 po = 1 lat = 74 and = 761 lev = 16
    BDDs blew up during image computation. Time = 0.47 sec
    Networks are UNDECIDED. Time = 7.03 sec
    The unsolved reduced miter is (null) : pi = 35 po = 1 lat = 74 and = 756 lev = 16
    Speculation...
    Performing sequential simulation of 1000 frames with 255 words.
    Output 27 was asserted in frame 6 (use "write_counter" to dump a witness). Time = 0.14 sec
    No output was asserted in 13 frames. Time = 11.75 sec
    Reached local conflict limit (25000).
    Problem size of speculative reduced circuit after trimming...
    (null) : pi = 35 po = 39 lat = 74 and = 775 lev = 16
    After "scorr"...
    (null) : pi = 35 po = 39 lat = 65 and = 738 lev = 16
    After "dc2"...
    (null) : pi = 35 po = 39 lat = 65 and = 713 lev = 16
    Property proved by interpolation (106 sec).
    Total Time = 143.69 sec

Experimental Results
- Sequential verifier in ABC
  - First implemented in summer 2007
  - Publicly available since September 2007
  - Now working on second-generation code
  - Very active research area: lots of new ideas to try!
- Test cases
  - Generated by applying sequential synthesis in ABC
  - Public benchmarks from various sources
  - Industrial problems from several companies

Hardware Model Checking Competition at CAV (HWMCC'08)
- Competition organizers
  - Armin Biere (Johannes Kepler University, Linz, Austria)
  - Alessandro Cimatti (IRST, Trento, Italy)
  - Koen Lindström Claessen (Chalmers University, Gothenburg, Sweden)
  - Toni Jussila (OneSpin Solutions, Munich, Germany)
  - Ken McMillan (Cadence Berkeley Labs, Berkeley, USA)
  - Fabio Somenzi (University of Colorado, Boulder, USA)
- A total of 16 solvers from 6 universities
- A total of 645 benchmarks: 344 old and 301 new
- Resource limits per problem (on Intel Pentium IV, 3 GHz, 2 GB)
  - Runtime limit: 900 sec
  - Memory limit: 1.5 GB

Results
- HWMCC'08: All Benchmarks (chart, courtesy Armin Biere)
- HWMCC'08: SAT Benchmarks (chart, courtesy Armin Biere)
- HWMCC'08: UNSAT Benchmarks (chart, courtesy Armin Biere)
- Competition webpage (screenshot)

Summary
- Reviewed some basics
- Described the integrated flow
- Described the recent extension of the flow
- Reviewed the results of HWMCC'08
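The counter-example guided abstraction-refinement loop from the "Extension 1: Abstraction" slide, as an added Python example that is not ABC's code. It runs on a constructed three-register circuit; exact explicit-state BFS stands in for BMC with a conflict limit (affordable for a toy, so UNSAT on the abstraction proves the property outright), and refinement replays the abstract counter-example on the concrete circuit and adds the free registers whose guessed values first diverge, a simple stand-in for ABC's refinement. The max_frac parameter is the slide's K% cutoff.

```python
from collections import deque
# Constructed toy circuit, no primary inputs: t toggles every cycle,
# s is t delayed by one cycle, u is s delayed by one cycle.
REGS = ("t", "s", "u")
INIT = {"t": 0, "s": 0, "u": 0}

def next_state(st):
    return {"t": 1 - st["t"], "s": st["t"], "u": st["s"]}

def abstract_reach(concrete, bad):
    # Registers not in `concrete` are free inputs.  BFS returns None when
    # `bad` is unreachable, else the trace of valuations that reaches it.
    free = [r for r in REGS if r not in concrete]
    start = tuple(INIT[r] for r in concrete)
    seen, queue = {start: []}, deque([start])   # abstract state -> path
    while queue:
        cur = queue.popleft()
        for bits in range(1 << len(free)):
            st = dict(zip(concrete, cur))
            st.update((r, (bits >> i) & 1) for i, r in enumerate(free))
            if bad(st):
                return seen[cur] + [st]
            nxt = tuple(next_state(st)[r] for r in concrete)
            if nxt not in seen:
                seen[nxt] = seen[cur] + [st]
                queue.append(nxt)
    return None

def refine(concrete, trace):
    # Replay the trace concretely; return free regs that first diverge (empty: real).
    st = dict(INIT)
    for frame in trace:
        wrong = {r for r in REGS if r not in concrete and frame[r] != st[r]}
        if wrong:
            return wrong
        st = next_state(st)
    return set()

def cegar(bad, max_frac=0.9):   # max_frac: the slide's K% register cutoff
    concrete = set()            # first abstraction: every register is free
    while True:
        if len(concrete) > max_frac * len(REGS):
            return ("UNDECIDED", sorted(concrete))
        trace = abstract_reach(sorted(concrete), bad)
        if trace is None:
            return ("PROVED", sorted(concrete))
        added = refine(concrete, trace)
        if not added:
            return ("SAT", trace)
        concrete |= added
```

With the default K=90% the three-register toy trips the cutoff after its second refinement and returns UNDECIDED, exactly as the slide's Prove step prescribes; with max_frac=1.0 it proves that s and u are never set together and finds the real four-frame trace on which t and u are.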