Efficient Implementation ofProperty Directed Reachability

Niklas Een, Alan Mishchenko, Robert Brayton

20th International Workshop on Logic & SynthesisJune 3-5, 2011

6/5/2011Page 2/16 IWLS 2011 — UC San Diego, California, USA

What is PDR?

PDR (aka IC3) is a new model checking

algorithm.

Published by Aaron Bradley on arXiv after

being rejected at CAV 2010.

Won third place in HWMCC’10

Can be viewed as approximate reachability.

Relations to interpolation based model

checking:−No proof-logging needed−Never have to start over−Simpler implementation (my opinion)−Faster, stronger, better?

6/5/2011Page 3/16 IWLS 2011 — UC San Diego, California, USA

What is our contributition?

Confirm Aaron’s results

Simplify the procedure−No special base case−Simpler cube generalization

Achieve a substantial speedup −Ternary simulation

Detailed pseudo-code

6/5/2011Page 4/16 IWLS 2011 — UC San Diego, California, USA

Verification Model

Design/FSM is given as a netlist containing:

− AND gates− PIs− Flip-flops

with complemented edges, a single output for the (safety) property and some definition of the initial states.

…… …

CombinationalLogic

Flip-Flops

PrimaryInputs

PropertyOutput

6/5/2011Page 5/16 IWLS 2011 — UC San Diego, California, USA

How it works

Reasons on conjunctions of state variables (cubes)

Proves cubes to be unreachable within k steps Maintains a trace of all such facts

Properties of the trace:1. F0 = ¬Init

2. F1 ⊇ F2 ⊇ ... ⊇ FN (as sets of cubes)

3. img(¬Fi) ⊆ ¬Fi+1 (¬Fi = potentially reachable states)4. Fi ⊇ Bad (except for the last frame)

Init

Bad

Init

Bad

Init

Bad

Init

Bad

Init

Bad

Init

Bad

F0 F1 F2 F3 F4 F5

6/5/2011Page 6/16 IWLS 2011 — UC San Diego, California, USA

How it works (cont.)

Two phases:−recursively block a point in Bad in the last frame−propagate cubes learned during this process

forward

Init

Bad

Init

Bad

Init

Bad

Init

Bad

F0 F1 F2 F3

Recursively block BadPropagate cubes forwardTerminates when Fi=Fi+1

6/5/2011Page 7/16 IWLS 2011 — UC San Diego, California, USA

Stepping through PDR

Init

Bad

Init

Bad

SAT?Find a bad state (SAT)

Enlarge it (ternary

sim.)

Pre-image blocked?

(SAT)Yes!

Generalize cube

(many SAT)

No more bad states

add frame

6/5/2011Page 8/16 IWLS 2011 — UC San Diego, California, USA

Stepping through PDR

Init

Bad

Init

Bad

Init

Bad

SAT?

1. Find a bad state (SAT)2. Enlarge it (ternary sim.)3. Pre-image blocked? (SAT)4a. Yes! Generalize cube (many SAT)4b. No? Get point from SAT model

Is the cube blocked in the

new frame? (propagation)

SAT?

resuming work on this cube

No more bad states add frame (and

propagate)

no

6/5/2011Page 9/16 IWLS 2011 — UC San Diego, California, USA

The Basic SAT query of PDR

Query: Is the pre-image of a cube s’ blocked by Fk?−SAT?[¬Fk ∧ T ∧ s’]

……

CombinationalLogic…

s0s1s2s3

sn-1

sn

s’0 s’1s’2s’3

s’n-1

s’n

x0x1

xm

Bad

Example:s’ = (s’1 ∧ ¬s’3 ∧ s’n)

Blocked cubes ”Fk” are added to the SAT-solver in terms of these state variables

Fk

s’0 s’1 =1s’2s’3 =0

s’n-1

s’n =1

6/5/2011Page 10/16 IWLS 2011 — UC San Diego, California, USA

Ternary Simulation

Query: Is the pre-image of a cube s blocked?− If no, the SAT-solver returns a model

……

CombinationalLogic…

s0 = 0s1 = 1s2 = 1s3 = 0

sn-1=1sn = 0

s’0 s’1 =1s’2s’3 =0

s’n-1

s’n =1

x0 = 1x1 = 0

xm= 1

Bad

Example:s’ = (s’1 ∧ ¬s’3 ∧ s’n)

Fk

XX

X

X XX

X

X

XX

X

X XX

X

New proof-obligation:s = (s2 ∧ ¬s3 ∧ ¬sn)

6/5/2011Page 11/16 IWLS 2011 — UC San Diego, California, USA

The Improved SAT query of PDR

Query: Is the pre-image of a cube s blocked by

either Fk or s itself?

SAT?[¬Fk ∧ ¬s ∧ T ∧ s’]

Init

Bad

Init

Bad

Init

Bad

Init

Bad

F0 F1 F2 F3

s s’

SAT?

6/5/2011Page 12/16 IWLS 2011 — UC San Diego, California, USA

Delta Encoding of Trace

Init

Bad

Init

Bad

Init

Bad

Init

Bad

Init

Bad

Init

Bad

Init

Bad

Init

Bad

Init

Bad

Init

Bad

Init

Bad

Init

Bad

F0 F1 F2 F3 F4 F5

In the implementation, cubes are only stored in the last frame where they hold.

DemoRunning PDR on some industrial benchmarks

6/5/2011Page 14/16 IWLS 2011 — UC San Diego, California, USA

Experimental Results on IBM Benchmarks

6/5/2011Page 15/16 IWLS 2011 — UC San Diego, California, USA

Notes on Implementation PDR can sometimes find very deep counterexamples. Recursive blocking takes about 80% of the runtime,

propagation 20%. Most of the time in recursive blocking is spent on cube

generalization. Using activation literals or proof-logging reduces cube

generalization significantly. PDR can be implemented using one or many SAT-instances.

When using one instance, it is natural to add F. − Can be used by other engines.

− Can be explicitly strengthend by mutual induction test.

Upon creation, derived cubed are placed in the last frame where they hold.

6/5/2011Page 16/16 IWLS 2011 — UC San Diego, California, USA

Concluding Remarks on PDR

Derives interpolants in terms of state cubes.−Because domain so simple: can optimize

efficiently−Subsumption and termination becomes syntactic

checks

Reasons locally (over one transition only).−Enhances abstraction− Improves chances of finding an inductive

invariant.

Never starts over.−Extends the current knowledge at Fk as needed.

Very memory efficient.

This is only the beginning...