Recording Synthesis History for Sequential Verification

Robert Brayton Alan Mishchenko

UC Berkeley

Overview Introduction Recording synthesis history

Retiming Combinational synthesis Merging sequentially equivalent nodes Window-based transformations Transformations involving observability don’t-cares

Using synthesis history Verification

Experiments Conclusions

Introduction Sequential synthesis promises to substantially improve

the quality of hardware design – less area, fewer registers, lower power, BUT Efficient verification is needed to ensure wider adoption

Sequential equivalence checking, even with limited sequential synthesis, without history is PSPACE-complete [Jiang/Brayton, TCAD’06] But synthesis history can make sequential equivalence checking

“close to linear” in circuit size in many cases

The focus of this presentation recording a type of synthesis history using it for sequential equivalence checking

44

AIGs Combinational AIG

Boolean network of 2-input ANDs and inverters

Combinational structural hashing Sequential AIG

Registers are considered as special type of nodes

Each register has an initial state (0, 1, or don’t-care)

Sequential structural hashing [Baumgartner/Kuehlmann, ICCAD’01]

Simplified sequential AIG Combinational AIG with registers as

additional PIs/POs Combinational structural hashing

In this work we use simplified sequential AIGs

Sequential Synthesis

Combinational rewritingRetimingRegister sweepingDetecting and merging seq. equivalent

nodesCircuit optimization with approximate

unreachable states as external don’t-caresSequential rewriting

HAIG

Recording a type of Synthesis History

Two AIG managers are used Working AIG (WAIG) History AIG (HAIG)

Two node mappings are supported Every node in WAIG points to

its copy in HAIG Some nodes in HAIG point to

other nodes in HAIG that are believed to be sequentially equivalent as a result of synthesis performed in WAIG

WAIG

WAIG and HAIG WAIG (Working AIG)

New logic nodes are added as synthesis proceeds Old logic cones are removed and replaced by new logic cones

The fanouts of the old root are transferred to be fanouts of the new root Nodes without fanout are immediately removed

Maintains accurate metrics (node count, register count, logic depth)

HAIG (History AIG) As each new node is created in WAIG, a copy is found or is created in

HAIG, A link between them is established

Old logic cones are not removed Fanouts are not transferred

Links between the HAIG nodes are established Each time a node replacement is made in WAIG, corresponding nodes

are linked as sequentially equivalent in HAIG

88

Overview

Introduction Recording synthesis history

Retiming Transformations involving observability don’t-cares Sequential rewriting

Using synthesis history Verification

Experiments Conclusions

Recording History for Retiming

Backward retiming is similar

Step 1

Create retimed node

copyStep 2

Transfer fanout

Add pointer

Step 3

Recursively remove old logic

continue building new logic

WAIG HAIG

1010

Recording History with ODCs

When synthesis is done with ODCs, the resulting node is not equivalent to the original node In HAIG, equivalence cannot be recorded

However, there always exists a scope, outside of which functionality is preserved, e.g. a window. equivalence in HAIG can be recorded at the output

boundary of this scope

HAIG

1111

Sequential Rewriting

Sequential Sequential cut: cut: {a,b,b{a,b,b11,c,c11,c},c}

rewriterewrite

Sequential Rewriting step.

Sequentiallyequivalent

History AIG after rewriting step.History AIG after rewriting step.

The History AIG The History AIG accumulates sequential accumulates sequential

equivalence classesequivalence classes..

new new nodesnodes

History AIG

1212

Related AIG Procedures

WAIG createAigManager deleteAigManager createNode

replaceNode deleteNode_recur

HAIG createAigManager deleteAigManager createNode,

setWaigToHaigMapping setEquivalentHaigNodes do nothing

Using HAIG for Equivalence Checking

Sequential depth of a window-based sequential synthesis transform is the maximum number of registers on any path from an input to an output of the window

Theorem 1: If transforms recorded in HAIG have sequential depth no more than k, the equivalence classes of HAIG nodes can be proved by k-step induction

Theorem 2: If the inductive proof of HAIG succeeds for all recorded equivalence classes, then the original and final designs are

sequentially equivalent

A A’ B B’

A A’ B B’

11

0 0

unsat unsat

#1

#2

Sequential depth = 1

HAIG1

HAIG2

k = 1

1414

Conceptual Picture of HAIG

HAIG is simply a sequential circuit with lots of nodes that are disconnected or redundant. It contains initial circuit A and final circuit B. There are many suggested equalities.

If we prove all suggested equalities, then A=B sequentially.

BB

outputs

AA

outputs

BB

Actually B is really smeared throughout the HAIG

Registers and PIs

1515

Inductive Proof (k = 1)

B

outputs

A

outputs

BA

outputs

A

outputsSpeculative reduction

Second time frame

First time frame

Registers and PIs

=constraints

Proof obligations

All equalities assumed

DiscussionTypical comments on verification using a synthesis history Typical comments on verification using a synthesis history

incorrect information may be passed from a synthesis tool to a incorrect information may be passed from a synthesis tool to a verification toolverification tool

in the proposed methodology, history is a set of in the proposed methodology, history is a set of hintshints every step recorded must be provedevery step recorded must be proved

the same bugs may exist in both tools, canceling each other outthe same bugs may exist in both tools, canceling each other out the inductive prover used in HAIG-based verification must be the inductive prover used in HAIG-based verification must be

independentindependent, BUT , BUT a HAIG prover is simple a HAIG prover is simple

about 100 lines of code, compared to 2000 lines in a general proverabout 100 lines of code, compared to 2000 lines in a general prover No need to handle counterexamplesNo need to handle counterexamples

the HAIG size may grow inordinatelythe HAIG size may grow inordinately not our experience, plus the HAIG can be compacted to 3 bytes per not our experience, plus the HAIG can be compacted to 3 bytes per

node.node.

1717

Experimental Setup Benchmarks are 20 largest public circuits from ISCAS’89,

ITC’97, and Altera QUIP Only 14 are shown in the tables below

Runtimes are in seconds on 4x AMD Opteron 2218 with 16GB RAM under x86_64 GNU/Linux One core was used in the experiments

Synthesis includes three iterations of the script: B - Balancing algebraic tree restructuring for minimizing delay Rw - Rewriting one pass of combinational AIG rewriting Rt - Retiming a fixed number (3000) of steps of forward retiming

Script = (B;Rw;Rt)3

This script was selected to make the resulting networks hard to verify (Jiang/Hung, ICCAD ’07) It represents a limited synthesis since full implementation is not done.

Synthesis ResultsSynthesis size and HAIG size

Bench- After synthesis HAIG Run- mark Reg Node Lev Reg Node Lev time,s

s13207 1060 2133 25 4763 20598 36 0.36 s35932 2016 9094 11 5046 60771 19 0.71 s38417 1833 8161 27 10636 60156 48 0.83 s38584 2478 9427 25 7731 63638 43 0.98 b14 587 4893 61 2630 31296 73 0.32 b15 949 7756 94 6377 51139 106 0.67 b17 2271 24386 104 10415 137921 127 1.70 b18 3940 65264 117 12320 354141 132 3.99 fpu 997 16294 1876 9659 126436 3580 3.21 jpeg 5788 43712 73 12972 243672 104 6.63 mem 2399 14067 38 8781 85341 45 1.79 radar 7557 58759 91 15001 347762 174 8.75 video 3422 32852 75 12549 208953 99 4.86 raytracer 13624 137974 252 22079 771632 338 13.65 Geomean 0.77 5.13

Comparison of verification timesBench- HAIG equivalences Runtime, s mark Constr Property Total HAIG SEC

s13207 10821 7526 16557 1.47 1000+ s35932 10733 3127 41866 2.08 44.67 s38417 24418 7691 47369 7.86 63.74 s38584 21279 5443 46931 0.60 18.90 b14 12511 6645 22580 9.47 2.18 b15 21169 6666 38223 19.85 21.84 b17 40450 20253 91526 82.02 48.84 b18 79858 57365 217378 100.45 126.94 fpu 44815 19571 94187 5.73 1000+ jpeg 63579 40262 188743 18.07 279.30 mem 25050 11004 60230 4.66 43.83 radar 72429 58201 253965 80.29 52.82 video 59229 42531 157531 113.00 69.94 raytracer 154115 130032 548596 800.55 1000+ Geomean 0.42 0.19 1.00 1.00 4.59+

Entry 1000+ indicates a timeout at 1000 seconds. Timeouts are truncated as 1000 seconds in computing runtime ratios.

Conclusions

Motivated the use of synthesis history in SEC

Presented a particular way of recording history using two AIG managers

Experimentally evaluated the use of history in Sequential Equivalence Checking Confirmed savings in runtimeruntime Confirmed reliabilityreliability

2121

Future Work

Use of HAIG has shown that it can make SEC inductively provable.

What subset of history would suffice e.g. do not record each retiming move but only the

final result, or the result of one frame. How to handle a sequential transform that

includes a loop in the area of change. is it still k-inductive what is k

Implement history recording for all transforms

2222

Leave a trail of bread crumbs.

Moral of Story: