Enhancing and Integrating Model Checking Engines
Robert Brayton, Alan Mishchenko
UC Berkeley
June 15, 2009
Overview
- Sequential verification
- Integrated verification flow ("dprove")
- Extended integrated verification flow ("dprove2")
- Experimental results
- Ongoing and future work
Sequential Verification
Motivation
- Verifying equivalence after synthesis (equivalence checking)
- Checking specific sequential properties (model checking)
- Design analysis and estimation
Our research philosophy
- Developing scalable solutions aimed at industrial problems
- Exploiting synergy between synthesis and verification
- Experimenting with new research ideas
- Producing public implementations
Verification Problems and Solutions
Taxonomy of verification
- Property and equivalence checking
- Combinational and sequential verification
- Satisfiable and unsatisfiable problems
- Single-solver and multi-solver approach
Taxonomy of solvers/engines
- Bug-hunters, provers, simplifiers, multi-purpose
- Simulation, BDD-, AIG-, SAT-based, hybrid, etc.
- Fast/slow, weak/strong, etc.
Property / Equivalence Checking
- Property checking takes a design and a property and makes a miter
- Equivalence checking takes two designs and makes a miter
- The goal is to prove that the output of the miter is always 0
[Figure: the equivalence-checking miter feeds D1 and D2 the same inputs and compares their outputs; the property-checking miter feeds D1 into property p. Both miters have a single output that must be 0.]
Verification Engines
Bug-hunters
- random simulation
- bounded model checking (BMC)
- hybrids of the above two ("semi-formal")
Provers
- K-step induction, with or without uniqueness constraints
- Interpolation (over-approximate reachability)
- BDDs (exact reachability)
Transformers
- Combinational synthesis
- Retiming
- Proving nodes sequentially equivalent
- Abstraction
- Speculative reduction
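The miter construction from the previous slide and three of the engines listed here (BMC as a bug-hunter; exact reachability and K-step induction, with and without uniqueness constraints, as provers) in working form. This is an added example, not code from the slides or from ABC: the two designs (a 2-bit binary counter and the same counter re-encoded as a 4-bit one-hot ring, plus a deliberately mis-reset copy of the ring) are constructed for illustration, and explicit-state enumeration over tuples of booleans stands in for the SAT and BDD machinery the real engines use, so it only scales to toy designs.

```python
from itertools import product

BITS = (False, True)


class Design:
    """Explicit-state stand-in for an AIG with registers: `init` is the reset state,
    `nxt(state, inputs)` the next-state function, `out(state, inputs)` the single
    output (True == asserted == bad), `states()` enumerates every register valuation,
    and `n_in` is the number of primary inputs."""

    def __init__(self, init, nxt, out, states, n_in):
        self.init, self.nxt, self.out, self.states, self.n_in = init, nxt, out, states, n_in


def all_bits(n):
    return lambda: product(BITS, repeat=n)


# Constructed toy designs (not from the slides). D1: 2-bit binary counter with an
# enable input; its output asserts when the count is 3.
def d1_next(s, ins):
    (en,) = ins
    b0, b1 = s
    return (not b0, b1 != b0) if en else s


D1 = Design((False, False), d1_next, lambda s, ins: s == (True, True), all_bits(2), 1)


# D2: the same counter re-encoded as a 4-bit one-hot ring; output is the last hot bit.
def d2_next(s, ins):
    (en,) = ins
    return (s[3], s[0], s[1], s[2]) if en else s


D2 = Design((True, False, False, False), d2_next, lambda s, ins: s[3], all_bits(4), 1)
# D2_BUG: the same ring reset one position too far (a constructed synthesis bug).
D2_BUG = Design((False, True, False, False), d2_next, D2.out, all_bits(4), 1)


def miter(a, b):
    """Sequential miter: product machine whose output is 1 iff the two outputs differ.
    Proving this output is always 0 proves sequential equivalence."""
    return Design((a.init, b.init),
                  lambda s, ins: (a.nxt(s[0], ins), b.nxt(s[1], ins)),
                  lambda s, ins: a.out(s[0], ins) != b.out(s[1], ins),
                  lambda: product(a.states(), b.states()), a.n_in)


def bmc(m, depth):
    """Bug-hunter: unroll frames 0..depth from the reset state and return the first
    frame in which the output can be asserted, or None if no counter-example exists
    within the bound (which proves nothing about deeper frames)."""
    frontier = {m.init}
    for frame in range(depth + 1):
        successors = set()
        for s in frontier:
            for ins in product(BITS, repeat=m.n_in):
                if m.out(s, ins):
                    return frame
                successors.add(m.nxt(s, ins))
        frontier = successors
    return None


def reach(m):
    """Prover: exact reachability to a fixed point, i.e. what the BDD-based `reach`
    engine does symbolically. True means the output is 0 in every reachable state."""
    seen, frontier = {m.init}, {m.init}
    while frontier:
        new = set()
        for s in frontier:
            for ins in product(BITS, repeat=m.n_in):
                if m.out(s, ins):
                    return False
                t = m.nxt(s, ins)
                if t not in seen:
                    seen.add(t)
                    new.add(t)
        frontier = new
    return True


def induction_step(m, k, unique=False):
    """Inductive step of K-step induction: search for a path s0..sk starting in ANY
    state (reachable or not) whose output is 0 in frames 0..k-1 but 1 in frame k.
    With `unique`, the states on the path must be pairwise distinct (the uniqueness
    constraint). Returns the offending path, or None when the step holds."""
    for s0 in m.states():
        for seq in product(product(BITS, repeat=m.n_in), repeat=k + 1):
            path, ok = [s0], True
            for i in range(k):
                if m.out(path[-1], seq[i]):
                    ok = False
                    break
                path.append(m.nxt(path[-1], seq[i]))
            if not ok or (unique and len(set(path)) != len(path)):
                continue
            if m.out(path[-1], seq[k]):
                return path
    return None


def k_induction(m, k, unique=False):
    """Full K-step induction: base case (BMC over frames 0..k-1) plus inductive step."""
    return bmc(m, k - 1) is None and induction_step(m, k, unique) is None


if __name__ == "__main__":
    m = miter(D1, D2)
    print("BMC(12) on D1 vs D2:", bmc(m, 12))                      # None
    print("BMC(12) on D1 vs D2_BUG:", bmc(miter(D1, D2_BUG), 12))  # 2
    print("reach on D1 vs D2:", reach(m))                          # True
    print("1-induction holds:", induction_step(m, 1) is None)      # False
    print("4-induction + uniqueness:", k_induction(m, 4, True))    # True
```

The D1/D2 miter shows why the slide lists induction "with or without uniqueness constraints": plain 1-induction fails because the one-hot ring has unreachable valuations (two hot bits, or none) from which the outputs diverge after one step, and no K fixes that without uniqueness because those valuations cycle forever. Requiring the K+1 states on the path to be distinct rules the loops out, and at K = 4 no such path exists, so the step holds and, together with the BMC base case, the equivalence is proved; exact reachability proves the same thing directly on this small model. D2_BUG is caught by BMC at frame 2, which is the bug-hunter's job.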
Integrated Verification Flow
- Preprocessing
- Handling combinational problems
- Starting with faster engines
- Continuing with slower engines
- Main induction loop
- Last-gasp engines
Command "dprove"
Preprocessors:
- transforming initial state ("undc", "zero")
- converting into an AIG ("strash")
- creating sequential miter ("miter -c")
Combinational solver:
- combinational equivalence checking ("iprove")
Faster engines, then slower engines:
- bounded model checking ("bmc")
- sequential sweep ("scl")
- phase-abstraction ("phase")
- most forward retiming ("dret -f")
- partitioned register correspondence ("lcorr")
- min-register retiming ("dretime")
- combinational SAT sweeping ("fraig")
Main induction loop:
- for ( K = 1; K < 16; K = K * 2 )
  - signal correspondence ("scorr")
  - stronger AIG rewriting ("dc2")
  - min-register retiming ("dretime")
  - sequential AIG simulation
Last-gasp engines:
- interpolation ("int")
- BDD-based reachability ("reach")
- saving reduced hard miter ("write_aiger")
Extension 1: Abstraction
Counter-example guided abstraction-refinement
Start
- First abstraction: replace all registers by primary inputs
Prove
- If the abstraction already keeps more than K% of the registers (default K = 90), return UNDECIDED
- Try BMC limited to C conflicts
  - If UNSAT after C conflicts, return the current abstracted model
  - If SAT, get the counter-example and go to Refinement
Refinement
- Use the counter-example to find which registers should be added
- Add the registers
- Go to Prove
Extension 2: Speculative Reduction
- Compute candidate equivalences
- Perform reduction by transferring fanout
- Record equality constraints as primary outputs
- Try BMC with C conflicts
  - If UNSAT, return the speculatively reduced model
  - If SAT, remove the erroneous equivalences and their outputs, repeat speculation
Advantages
- Restructures the circuit
- If the speculatively reduced model can be proved UNSAT, then the property is proved
- Any other engine can be used to attempt the proof
[Figure: candidate-equivalent nodes A and B. Left: adding the assumption A = B without speculative reduction, B keeps its fanout. Right: with speculative reduction, B's fanout is transferred to A and A = B is recorded as an extra output. Both miters must have output 0.]
Command "dprove2"
Initial BMC
- If counter-example, return SAT
"dprove" (result is stored in Save1)
- If UNSAT, return UNSAT
- If SAT, return SAT
- If UNDECIDED, restore Save1
Abstraction
- If it fails, restore Save1 and go to Speculation
- Trim PIs/POs
- "dprove" (result is stored in Save2)
  - If UNSAT, return UNSAT
  - If SAT, restore Save1 // here our abstract model was not good
  - If UNDECIDED, restore Save2
Speculation
- If Speculation has already been tried, go to Final BMC
- Else compute and refine equivalence classes, perform speculation
- Trim PIs/POs
- Signal correspondence, combinational synthesis, interpolation, reachability
  - If UNSAT, return UNSAT
  - If SAT, go to Final BMC
  - If UNDECIDED, go to Abstraction // we might get some abstraction now
Final BMC
- Restore Save1, set the highest resource limit
Example of dprove2
abc 01> r pdtvisns3p00.aig        (unsolved by anyone in the HWMCC'08 competition)
abc 02> dprove2
Starting BMC...
pdtvisns3p00 : pi = 21 po = 1 lat = 117 and = 3985 lev = 56
No output was asserted in 10 frames. Time = 5.45 sec - conflict limit (10000).
Starting "dprove"...
BDDs blew up during image computation. Time = 0.55 sec
Networks are UNDECIDED. Time = 7.88 sec
Problem size after dprove:
pdtvisns3p00 : pi = 21 po = 1 lat = 88 and = 811 lev = 16
Abstraction...
Init : pdtvisns3p00 : pi = 108 po = 1 and = 7 lev = 4
Refining abstraction...
Output 0 was asserted in frame 0 (use "write_counter" to dump a witness). Time = 0.02 sec
 0 : pdtvisns3p00 : pi = 103 po = 1 lat = 5 and = 122 lev = 11
Output 0 was asserted in frame 2 (use "write_counter" to dump a witness). Time = 0.02 sec
 1 : pdtvisns3p00 : pi = 88 po = 1 lat = 21 and = 535 lev = 16
Output 0 was asserted in frame 3 (use "write_counter" to dump a witness). Time = 0.02 sec
…
Output 0 was asserted in frame 4 (use "write_counter" to dump a witness). Time = 0.02 sec
 8 : pdtvisns3p00 : pi = 50 po = 1 lat = 59 and = 719 lev = 16
Output 0 was asserted in frame 7 (use "write_counter" to dump a witness). Time = 0.06 sec
 9 : pdtvisns3p00 : pi = 35 po = 1 lat = 74 and = 761 lev = 16
No output asserted in 11 frames. Time = 7.67 sec - conflict limit (25000).

Example of dprove2 (continued)
"dprove"
pdtvisns3p00 : pi = 35 po = 1 lat = 74 and = 761 lev = 16
BDDs blew up during image computation. Time = 0.47 sec
Networks are UNDECIDED. Time = 7.03 sec
The unsolved reduced miter is
(null) : pi = 35 po = 1 lat = 74 and = 756 lev = 16
Speculation...
Performing sequential simulation of 1000 frames with 255 words.
Output 27 was asserted in frame 6 (use "write_counter" to dump a witness). Time = 0.14 sec
No output was asserted in 13 frames. Time = 11.75 sec
Reached local conflict limit (25000).
Problem size of speculative reduced circuit after trimming...
(null) : pi = 35 po = 39 lat = 74 and = 775 lev = 16
After "scorr"...
(null) : pi = 35 po = 39 lat = 65 and = 738 lev = 16
After "dc2"...
(null) : pi = 35 po = 39 lat = 65 and = 713 lev = 16
Property proved by interpolation (106 sec). Total Time = 143.69 sec
Experimental Results
Sequential verifier in ABC
- First implemented in summer 2007
- Publicly available since September 2007
- Now working on second-generation code
- Very active research area: lots of new ideas to try!
Test cases
- Generated by applying sequential synthesis in ABC
- Public benchmarks from various sources
- Industrial problems from several companies
Hardware Model Checking Competition at CAV (HWMCC'08)
Competition organizers
- Armin Biere (Johannes Kepler University, Linz, Austria)
- Alessandro Cimatti (IRST, Trento, Italy)
- Koen Lindström Claessen (Chalmers University, Gothenburg, Sweden)
- Toni Jussila (OneSpin Solutions, Munich, Germany)
- Ken McMillan (Cadence Berkeley Labs, Berkeley, USA)
- Fabio Somenzi (University of Colorado, Boulder, USA)
A total of 16 solvers from 6 universities
A total of 645 benchmarks: 344 old and 301 new
Resource limits per problem (on Intel Pentium IV, 3 GHz, 2 GB)
- Runtime limit: 900 sec
- Memory limit: 1.5 GB
Results
[Figure: overall HWMCC'08 results, courtesy Armin Biere]
HWMCC'08: All Benchmarks
[Figure: results over all benchmarks, courtesy Armin Biere]
HWMCC'08: SAT Benchmarks
[Figure: results over the SAT benchmarks, courtesy Armin Biere]
HWMCC'08: UNSAT Benchmarks
[Figure: results over the UNSAT benchmarks, courtesy Armin Biere]
Competition Webpage
[Figure: screenshot of the competition webpage]
Summary
- Reviewed some basics
- Described the integrated flow
- Described the recent extension of the flow
- Reviewed the results of HWMCC'08