Sequential Verification Overview - PowerPoint PPT Presentation

1
Sequential Verification Overview
  • Robert Brayton
  • UC Berkeley

2
Overview
  • Sequential verification
  • Problem representation
  • Verification flow
  • Verification engines
  • Examples
  • Future work

3
Sequential Verification
  • Property checking
  • Create miter from the design and the property
  • Equivalence checking
  • Create miter from two versions of the same design
  • Assuming the initial state is given
  • The goal is to prove that the output of the miter
    is 0 for all states reachable from the initial state

4
Comb / Seq Verification
  • Combinational miter
  • Primary inputs
  • Primary output(s)
  • Logic gates
  • Sequential miter
  • Primary inputs
  • Primary output(s)
  • Logic gates
  • FFs with initial state

[Figure: combinational miter, x → comb logic → y = 0; sequential miter,
x → seq logic → y = 0 for all time.]
Logic is represented using AIGs
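The miter construction of slides 3 and 4, worked through in Python as an added example (this is not code from the slides or from ABC): two constructed versions of a mod-8 counter with a "done" output are joined into a sequential miter whose output is the XOR of the two results, and the miter is checked by explicit state enumeration (the "era" engine listed later under Verification Engines). All names here (spec_step, gray_step, build_miter, reach_check, replay) are my own; a second version with a deliberately wrong done code shows what a CEX looks like and how it is re-simulated.

```python
# Sequential equivalence checking with a miter and explicit-state reachability
# (added example, not ABC code). Two constructed implementations of a mod-8
# counter with a 'done' output are compared from a given initial state.
from collections import deque

def spec_step(state, en):
    """Reference version: binary 3-bit counter; done when the count is 7."""
    done = int(state == 7)
    nxt = (state + 1) % 8 if en else state
    return nxt, done

def gray_step(state, en, done_code=0b100):
    """Second version of the same design: the count is stored in Gray code.
    0b100 is Gray for 7; a different done_code models an implementation bug."""
    done = int(state == done_code)
    if en:
        b = state ^ (state >> 1) ^ (state >> 2)   # 3-bit Gray -> binary
        b = (b + 1) % 8
        state = b ^ (b >> 1)                      # binary -> Gray
    return state, done

def build_miter(step_a, step_b, init_a=0, init_b=0):
    """The miter shares the primary input between both versions, keeps the
    FFs of both, and outputs the XOR of the two 'done' signals. Output 0 in
    every reachable state means sequential equivalence from the initial state."""
    def miter_step(state, en):
        sa, sb = state
        na, oa = step_a(sa, en)
        nb, ob = step_b(sb, en)
        return (na, nb), oa ^ ob
    return miter_step, (init_a, init_b)

def reach_check(miter_step, init, inputs=(0, 1)):
    """BFS over the reachable miter states (explicit state enumeration).
    Returns ('UNSAT', number_of_reachable_states) if the output is 0
    everywhere, or ('SAT', input_trace) with the CEX that drives it to 1."""
    parent = {init: None}            # state -> (previous state, input) or None
    queue = deque([init])
    while queue:
        s = queue.popleft()
        for en in inputs:
            nxt, out = miter_step(s, en)
            if out:
                trace, cur = [en], s
                while parent[cur] is not None:
                    cur, inp = parent[cur]
                    trace.append(inp)
                return 'SAT', trace[::-1]
            if nxt not in parent:
                parent[nxt] = (s, en)
                queue.append(nxt)
    return 'UNSAT', len(parent)

def replay(miter_step, init, trace):
    """Re-simulate a CEX on the miter and return the output in its last frame.
    This is how a CEX found on a reduced model is validated on the original."""
    state, out = init, 0
    for en in trace:
        state, out = miter_step(state, en)
    return out

def buggy_gray_step(state, en):
    # Constructed bug: done asserted at Gray 0b101, i.e. count 6, one cycle early.
    return gray_step(state, en, done_code=0b101)

if __name__ == "__main__":
    print(reach_check(*build_miter(spec_step, gray_step)))          # ('UNSAT', 8)
    status, cex = reach_check(*build_miter(spec_step, buggy_gray_step))
    print(status, cex, replay(*build_miter(spec_step, buggy_gray_step), cex))
```

The equivalent pair gives UNSAT over the 8 reachable miter states; the buggy pair gives SAT with a seven-frame input trace, and replaying it on the miter reproduces the output 1. Explicit enumeration is only viable for tiny designs, which is why the flow on the following slides uses AIGs, SAT, interpolation and BDDs instead.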
5
Why AIGs in Verification?
  • Easy to construct, relatively compact, robust
  • 1M AIG = 12Mb RAM
  • Can be efficiently stored on disk
  • 3-4 bytes / AIG node (1M AIG = 4Mb file)
  • Unifying representation
  • Used by different verification engines
  • Easy to pass around, duplicate, save
  • Compatible with SAT solvers
  • Efficient AIG-to-CNF conversion available
  • AIGs + simulation + SAT works well in many
    cases

6
AIG Tricks
  • Structural hashing
  • Performs AIG compaction
  • Is applied on-the-fly during AIG construction
  • Propagates constants
  • Makes each node structurally unique
  • Complemented edges
  • Represents inverters as attributes on the edges
  • No memory used for inverters
  • Increases logic sharing using DeMorgan's rule
  • Leads to fast, uniform manipulation
  • Memory allocation
  • Uses fixed amount of memory for each node
  • Can be done by a simple custom memory manager
  • Dynamic fanout manipulation is supported!
  • Allocates memory for nodes in a topological order
  • Optimized for traversal in the same topological
    order
  • Small static memory footprint in many
    applications
  • Computes fanout information on demand

[Figure: the same logic without hashing and with hashing.]
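The AIG tricks of this slide in a toy Python implementation, added here as an example (it is not ABC's AIG package or its API; the AIG class and its methods are constructed for illustration): structural hashing with canonical fanin order, constant propagation during construction, complemented edges encoded in the low bit of a literal so inverters cost no node, DeMorgan-based sharing of OR with the AND it is built from, and nodes kept in a flat list in topological order so simulation is a single pass.

```python
# Minimal AIG with structural hashing and complemented edges (added example,
# not ABC code). A literal is 2*node_id + complement_bit; node 0 is constant 0.

class AIG:
    def __init__(self):
        self.nodes = [None]      # index = node id; None for const/inputs, (lit, lit) for ANDs
        self.strash = {}         # (lit_a, lit_b) -> node id, the structural hash table
        self.n_inputs = 0

    @staticmethod
    def lit(node, neg=False):
        return 2 * node + int(neg)

    @staticmethod
    def NOT(l):
        return l ^ 1             # inverter is an edge attribute: flip the low bit

    def add_input(self):
        self.nodes.append(None)
        self.n_inputs += 1
        return self.lit(len(self.nodes) - 1)

    def AND(self, a, b):
        # constant propagation and trivial cases, applied on the fly
        if a == 0 or b == 0 or a == self.NOT(b):
            return 0                         # x & 0 = 0, x & ~x = 0
        if a == 1:
            return b                         # 1 & x = x
        if b == 1:
            return a
        if a == b:
            return a                         # x & x = x
        if a > b:
            a, b = b, a                      # canonical order: AND(a,b) == AND(b,a)
        key = (a, b)
        if key in self.strash:               # structurally unique nodes
            return self.lit(self.strash[key])
        self.nodes.append(key)               # appended => topological order
        nid = len(self.nodes) - 1
        self.strash[key] = nid
        return self.lit(nid)

    def OR(self, a, b):
        # DeMorgan: a | b = ~(~a & ~b); shares the node with any AND(~a, ~b)
        return self.NOT(self.AND(self.NOT(a), self.NOT(b)))

    def XOR(self, a, b):
        return self.OR(self.AND(a, self.NOT(b)), self.AND(self.NOT(a), b))

    def n_ands(self):
        return sum(1 for n in self.nodes[1:] if n is not None)

    def simulate(self, outputs, input_values):
        """One pass in stored (topological) order; inputs in creation order."""
        val = [0] * len(self.nodes)
        ins = iter(input_values)
        for nid, node in enumerate(self.nodes):
            if nid == 0:
                val[nid] = 0
            elif node is None:
                val[nid] = next(ins)
            else:
                a, b = node
                val[nid] = (val[a >> 1] ^ (a & 1)) & (val[b >> 1] ^ (b & 1))
        return [val[o >> 1] ^ (o & 1) for o in outputs]


def sharing_demo():
    """f = a|b and g = ~(~a&~b) are one literal; AND(a,b) and AND(b,a) are one node."""
    aig = AIG()
    a, b = aig.add_input(), aig.add_input()
    f = aig.OR(a, b)
    g = aig.NOT(aig.AND(aig.NOT(a), aig.NOT(b)))
    h1, h2 = aig.AND(a, b), aig.AND(b, a)
    return aig.n_ands(), f == g, h1 == h2, aig.AND(a, aig.NOT(a))

def xor_truth_table():
    aig = AIG()
    a, b = aig.add_input(), aig.add_input()
    x = aig.XOR(a, b)
    return [aig.simulate([x], (va, vb))[0] for va in (0, 1) for vb in (0, 1)]

if __name__ == "__main__":
    print(sharing_demo())        # (2, True, True, 0)
    print(xor_truth_table())     # [0, 1, 1, 0]
```

Four AND calls in sharing_demo produce only two nodes, and the XOR of two inputs costs three ANDs with no node spent on any of its inverters, which is the memory argument the slide makes.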
7
Integrated Verification Flow
  • Initial fast simplification of the logic
  • Forward retime and do FF correspondence
  • Min FF retime
  • Extract implicit constraints and use them to find
    signal equivalences
  • Fold back the constraints
  • If ever a constraint is not satisfied, make the
    output 0 forever.
  • Trim away irrelevant inputs
  • Try phase abstraction

8
Integrated Verification Flow
  • Abstraction
  • Use new CBA/PBA method of N. Een
  • Uses single instance of SAT solver
  • Uses counter-example based abstraction
  • Refined with proof-based abstraction
  • Checked afterward with BMC, BDDs, and simulation
    for CEXs and refined if necessary.

9
Integrated Verification Flow
  • Speculation (IBM Austin)
  • Simulation used to find candidate equivalences.
  • These are used to build a speculative miter
  • All equivalences are used to simplify miter
  • Each equivalence is XORed to produce a new output
    which is a proof obligation
  • If any output is disproved, need to build a new
    speculative miter.
  • The result is checked with BMC, BDDs and
    simulation for CEXs and refined if necessary.

10
Integrated Verification Flow
  • Final high-effort verification check
  • Try BDD reachability if problem small enough
  • Use interpolation
  • In a rare case, can prove outputs using
    induction.
  • As a last effort, check initial simplified
    circuit using heavy BMC to see if it was SAT.

11
Example 1
Read_file IE1.aig
PIs 532, POs 1, FF 2389, ANDs 12049
prove
Simplifying
Number of constraints 3
Forward retiming, quick_simp, scorr_comp, trm
PIs 532, POs 1, FF 2342, ANDs 11054
Simplify
PIs 532, POs 1, FF 2335, ANDs 10607
Phase abstraction
PIs 283, POs 2, FF 1460, ANDs 8911
Abstracting
Initial abstraction
PIs 1624, POs 2, FF 119, ANDs 1716, max depth 39
Testing with BMC
bmc3 -C 100000 -T 50 -F 78
No CEX found in 51 frames
Latches reduced from 1460 to 119
Simplify
PIs 1624, POs 2, FF 119, ANDs 1687, max depth 51
Trimming
PIs 158, POs 2, FF 119, ANDs 734, max depth 51
Simplify
PIs 158, POs 2, FF 119, ANDs 731, max depth 51
Speculating
Initial speculation
PIs 158, POs 26, FF 119, ANDs 578, max depth 51
Fast interpolation reduced POs to 24
Testing with BMC
bmc3 -C 150000 -T 75
No CEX found in 1999 frames
PIs 158, POs 24, FF 119, ANDs 578, max depth 1999
Simplify
PIs 158, POs 24, FF 119, ANDs 535, max depth 1999
Trimming
PIs 86, POs 24, FF 119, ANDs 513, max depth 1999
Verifying
Running reach -v -B 1000000 -F 10000 -T 75
BDD reachability aborted
RUNNING interpolation with 20000 conflicts, 50 sec, max 100 frames
'UNSAT'
Elapsed time 457.87 seconds, total 458.52 seconds
12
  • NOTES
  • The file IE1.aig is first read in and its
    statistics are reported as 532 primary inputs, 1
    output, 2389 flip-flops, and 12049 AIG nodes.
  • 3 implicit constraints were found, but they were
    only mildly useful in simplifying the problem.
  • Phase abstraction found a cycle of length 2 and
    this was useful for simplifying the problem to
    1460 FF from 2335 FF. Note that the number of
    outputs increased to 2 because the problem was
    unrolled 2 time frames.
  • Abstraction was very successful in reducing the
    FF count to 119. This was proved valid out to 39
    time frames.
  • BMC verified that the abstraction produced is
    actually valid at least to 51 frames, which gives
    us good confidence that the abstraction is valid
    for all time.
  • Trimming reduced the inputs relevant to the
    abstraction from 1624 to 158 and simplify reduced
    the number of AIG nodes to 731.
  • Speculate produced a speculative reduced model
    (SRM) with 24 new outputs to be proved and low
    resource interpolation proved 2 of them. The SRM
    model is simpler and has only 578 AIG nodes. The
    SRM was tested with BMC and proved valid out to
    1999 frames.
  • Subsequent trimming and simplification reduced
    the PIs to 86 and the AIG nodes to 513.
  • The final verification step first tried BDD
    reachability allowing it 75 sec. and to grow to
    up to 1M BDD nodes. It could not converge with
    these resources so it was aborted. Then
    interpolation was able to prove UNSAT, and hence
    all 24 outputs are proved.
  • Although quick_verify was applied between
    simplification and abstraction, and between
    abstraction and speculation, it was not able to
    prove anything, so its output is not shown.
  • The total time for this proof was 457 sec. run on
    a Lenovo X301 laptop.

13
Python code
# Flow of slides 7-10 as an ABC Python script. ABC(), pre_simp(), abstract(),
# speculate(), quick_verify(), final_verify_recur(), process_status(), n_ands(),
# n_latches(), the status constants and the RESULT table come from the
# surrounding ABC Python environment; comparisons are on status codes,
# with Sat and Unsat being the two lowest codes.
def prove(a):
    global x_factor, xfi, f_name, max_bmc
    max_bmc = -1
    K = 0                                   # number of backups written so far
    set_globals()
    status = pre_simp()                     # initial fast simplification
    if status <= Unsat:                     # already decided (SAT or UNSAT)
        return RESULT[status]
    ABC('trm')                              # trim away irrelevant inputs
    ABC('write backup 0')
    K = K + 1
    set_globals()
    if (n_ands() < 30000) and (a == 1) and (n_latches() < 300):
        status = quick_verify(0)            # cheap attempt on small problems
        if (status == Unsat) or (status == Sat):
            return RESULT[status]
    status = abstract()                     # CBA/PBA abstraction
    ABC('trm')
    status = process_status(status)
    if (status <= Unsat) or (status == Error):
        return RESULT[status]
    ABC('write backup 1')
    K = K + 1
    if status == Undecided_reduction:
        status = quick_verify(1)
        status = process_status(status)
        if status <= Unsat:
            if status == Sat:               # CEX on the abstraction: recheck the backup
                status = final_verify_recur(K - 1)
            return RESULT[status]
        if n_ands() > 15000:
            K = 2
    else:
        status = speculate()                # speculative reduction
        ABC('trm')
        status = process_status(status)
        if (status == Unsat) or (status == Error):
            return RESULT[status]
        if status == Sat:                   # speculation disproved: fall back
            K = K - 1
        else:
            ABC('write backup 2')
            K = K + 1
    status = final_verify_recur(K)          # final high-effort check
    return RESULT[status]
14
Example 2
tst22
PIs 532, POs 1, FF 2389, ANDs 12049
In [6]: prove()
Initial
PIs 532, POs 1, FF 2389, ANDs 12049
Running pre_simp
Number of constraints 3
Forward, quick_simp, scorr_comp, trm
PIs 532, POs 1, FF 2342, ANDs 11054
. . .
Simplify
PIs 532, POs 1, FF 2335, ANDs 10607
Number of possible phases 2
. . .
Phase abstraction obtained
PIs 282, POs 2, FF 1776, ANDs 9220
WRITING tst22_smp.aig
PIs 282, POs 2, FF 1776, ANDs 9220
Running abstract
First abstraction
PIs 1942, POs 2, FF 116, ANDs 2502, max depth 37
Running simulation iteratively . . .
Iterating BMC or BDD reachability
RUNNING bmc3 -C 100000 -T 50.000000 -F 74
No CEX found in 46 frames
Latches reduced from 1776 to 116
WRITING tst22_smp_abs.aig
PIs 600, POs 2, FF 116, ANDs 2502, max depth 46
Running quick_verify . . .
After trimming
PIs 587, POs 2, FF 116, ANDs 2380, max depth 46
RUNNING interpolation with 10000 conflicts, max 20 sec and 100 frames . . .
No success, max_depth 46
15
Example 2 (cont.)
Running speculate
Running equiv2 with C 100000, T 25.000000 sec., F 200 -S 1 -R 25
Initial speculation
PIs 587, POs 52, FF 111, ANDs 1880, max depth 46
RUNNING simulation iteratively . . .
Iterating BMC or BDD reachability
Running bmc3 -C 150000 -T 75.000000 -F 92.000000
CEX in frame 20 for output 40
Spec. Red. Miter
PIs 587, POs 48, FF 115, ANDs 1937, max depth 46
. . .
Running bmc3 -C 150000 -T 75.000000 -F 92.000000
CEX in frame 20 for output 34
Spec. Red. Miter
PIs 587, POs 47, FF 115, ANDs 1938, max depth 46
. .
Running bmc3 -C 150000 -T 75.000000 -F 92.000000
CEX in frame 33 for output 9
Spec. Red. Miter
PIs 587, POs 28, FF 116, ANDs 1898, max depth 46
Running bmc3 -C 150000 -T 75.000000 -F 92.000000
No cex found in 91 frames
WRITING tst22_smp_abs_spec.aig
PIs 477, POs 28, FF 116, ANDs 1898, max depth 91
Verifying backup number 2
PIs 477, POs 28, FF 116, ANDs 1898, max depth 91
. . .
RUNNING interpolation with 20000 conflicts, 50 sec, max 100 frames
WRITING tst22_smp_abs_spec_final.aig
PIs 476, POs 28, FF 115, ANDs 1810, max depth 91
Total time taken by prove 318.884223 sec.
Out[6]: 'UNSAT'
16
Super_prove
  • If the final result is undecided and there is
    more than one output caused by speculation, then
    try to prove each output one at a time.

# Wrapper around prove(): n_pos() and prove_g_pos() come from the ABC Python
# environment; prove_g_pos() proves the outputs one at a time.
def super_prove():
    global max_bmc
    max_bmc = -1
    result = prove(0)
    if result[:3] == 'UND':             # test if result is undecided
        if n_pos() > 1:
            result = prove_g_pos(0)     # prove each output separately
            if result[:3] == 'SAT':     # we probably had a bad abstraction
                result = 'UNDECIDED but reduced'
    return result
17
Example 3
IE3
PIs 30, POs 1, FF 965, ANDs 7408
Executing super_prove
Initial
PIs 30, POs 1, FF 965, ANDs 7408
Running pre_simp
Forward, quick_simp, scorr_comp, trm
PIs 30, POs 1, FF 776, ANDs 7073
. . .
Simplify
PIs 30, POs 1, FF 688, ANDs 5362
WRITING IE3_smp.aig
PIs 30, POs 1, FF 688, ANDs 5362
Running abstract
Start
PIs 30, POs 1, FF 688, ANDs 5362
Abstraction good to 30 frames
First abstraction
PIs 503, POs 1, FF 215, ANDs 2223, max depth 30
Running simulation iteratively . . .
Iterating BMC or BDD reachability
New abstraction
PIs 503, POs 1, FF 215, ANDs 2223, max depth 30
RUNNING bmc3 -C 100000 -T 50.000000 -F 60
No CEX found in 59 frames
Latches reduced from 688 to 215
WRITING IE3_smp_abs.aig
PIs 213, POs 1, FF 215, ANDs 2223, max depth 59
Running quick_verify . . .
After trimming
PIs 213, POs 1, FF 215, ANDs 2052, max depth 59
RUNNING interpolation with 10000 conflicts, max 20 sec and 100 frames . . .
No success, max_depth 59
18
Example 3 (cont.)
Running speculate
Running equiv2 with C 100000, T 25.000000 sec., F 200 -S 1 -R 25
Initial speculation
PIs 213, POs 32, FF 212, ANDs 2051, max depth 59
RUNNING simulation iteratively . . .
Iterating BMC or BDD reachability
Running bmc3 -C 150000 -T 75.000000 -F 118.000000
No cex found in 117 frames
WRITING IE3_smp_abs_spec.aig
PIs 213, POs 32, FF 212, ANDs 2051, max depth 117
Verifying backup number 2
PIs 213, POs 32, FF 212, ANDs 2051, max depth 117
. . .
RUNNING interpolation with 20000 conflicts, 50 sec, max 100 frames
Undecided
WRITING IE3_smp_abs_spec_final.aig
PIs 213, POs 32, FF 212, ANDs 1960, max depth 117
Time taken 255.318055 sec.
19
Example 3 (cont.)
Proving each output separately
4, 5, 7, 8, 28, 30
Reduced POs from 32 to 20
Proving output 19
Initial
PIs 213, POs 1, FF 207, ANDs 1901
Running pre_simp
Forward, quick_simp, scorr_comp, trm
PIs 212, POs 1, FF 197, ANDs 1899
. . .
Simplify
PIs 212, POs 1, FF 197, ANDs 1890
Running abstract
Start
PIs 212, POs 1, FF 197, ANDs 1890
Abstraction good to 332 frames
First abstraction
PIs 353, POs 1, FF 56, ANDs 780, max depth 332
Running simulation iteratively . . .
Iterating BMC or BDD reachability
New abstraction
PIs 353, POs 1, FF 56, ANDs 780, max depth 332
RUNNING bmc3 -C 100000 -T 50.000000 -F 664
No CEX found in 663 frames
Latches reduced from 197 to 56
Running quick_verify . . .
After trimming
PIs 217, POs 1, FF 56, ANDs 744, max depth 663
RUNNING interpolation with 10000 conflicts, max 20 sec and 100 frames
Interpolation went to in 663 frames
Time for proof 14.821251 sec.
PROVED OUTPUT 19
. . .
20
Example 3 (cont.)
Time for proof 7.381485 sec.
PROVED OUTPUT 1
Proving output 0
Initial
PIs 213, POs 1, FF 207, ANDs 1902
Forward, quick_simp, scorr_comp, trm
PIs 212, POs 1, FF 197, ANDs 1900
. . .
Simplify
PIs 212, POs 1, FF 197, ANDs 1891
Running abstract
First abstraction
PIs 385, POs 1, FF 24, ANDs 305, max depth 230
Running simulation iteratively . . .
Iterating BMC or BDD reachability
New abstraction
PIs 385, POs 1, FF 24, ANDs 305, max depth 230
RUNNING bmc3 -C 100000 -T 50.000000 -F 460
No CEX found in 459 frames
Latches reduced from 197 to 24
Running quick_verify . . .
After trimming
PIs 102, POs 1, FF 24, ANDs 293, max depth 459
RUNNING interpolation with 6387 conflicts, max 12 sec and 100 frames
Interpolation went to in 459 frames
Time for proof 18.021230 sec.
PROVED OUTPUT 0
Proved all outputs. The problem is proved UNSAT
Total time 560.434390 sec.
Total time taken by super_prove 815.753979 sec.
Out[12]: 'UNSAT'
21
Verification Engines (Overview)
  • Simplifiers
  • Combinational synthesis
  • Sequential synthesis
  • Reparametrization (not used currently)
  • Retiming
  • Bug-hunters
  • random simulation
  • bounded model checking (BMC)
  • hybrid of simulation and BMC (semi-formal)
  • BDD reachability
  • Provers
  • K-step induction, with or without constraints
  • Interpolation (over-approximate reachability)
  • BDDs (exact reachability)
  • Explicit state space enumeration (era)

22
Verification Engines (Details)
  • Induction
  • Interpolation
  • Abstraction
  • Counterexample guided (CBA)
  • Proof based (PBA)
  • Speculative reduction
  • BDD-based reachability

23
Induction
[Figure: K-step induction with candidate equivalences A,B and C,D.
Base case: proving the internal equivalences in initialized frames 0
through K-1, starting from the initial state with inputs PI0, PI1, ...
Inductive case: assuming the internal equivalences hold in uninitialized
frames 0 through K-1 (symbolic state), then proving them in a topological
order in frame K with input PIk.]
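The base case and inductive case of this figure, worked through as an added example (not code from the slides or from ABC) on a constructed 4-bit decade counter whose unreachable encodings 10 to 15 make the property non-inductive for small K. The check is done by explicit enumeration of paths rather than by SAT, so it only scales to toy designs, and it goes one step beyond the slide by including the simple-path (distinct states) constraint; that constraint is a standard strengthening of K-induction and is my addition here, not something the slide states. All function names are my own.

```python
# K-step induction by explicit enumeration (added example, not ABC code).
# Toy design: a 4-bit decade counter with an enable input. Property: the
# encoding 12 is never reached. Encodings 10..15 are unreachable from INIT
# but exist as states, which is what makes plain induction fail.

WIDTH = 4
INIT = 0
INPUTS = (0, 1)          # values of the single primary input 'en'

def next_state(s, en):
    """Constructed transition function: count 0..9 and wrap at 9; the
    unreachable encodings 10..15 just count up mod 16."""
    if not en:
        return s
    if s < 10:
        return s + 1 if s < 9 else 0
    return (s + 1) % 16

def prop(s):
    """Property under proof (miter output is 0 exactly when prop holds)."""
    return s != 12

def successors(s):
    return {next_state(s, en) for en in INPUTS}

def base_case(k):
    """Base case: prop holds in every state of initialized frames 0..k-1."""
    frontier = {INIT}
    for _ in range(k):
        if not all(prop(s) for s in frontier):
            return False
        frontier = {t for s in frontier for t in successors(s)}
    return True

def inductive_case(k, simple_path=True):
    """Inductive case: for every path s0..sk of consecutive states that starts
    in an arbitrary (uninitialized, symbolic) state with prop assumed in
    frames 0..k-1, prop must hold in frame k. With simple_path the states on
    the path must be distinct, which rules out stuttering forever in an
    unreachable state."""
    def extend(path):
        if len(path) == k + 1:
            return prop(path[-1])
        for t in successors(path[-1]):
            if simple_path and t in path:
                continue
            if len(path) < k and not prop(t):
                continue            # induction hypothesis fails on this path
            if not extend(path + [t]):
                return False
        return True
    return all(extend([s]) for s in range(2 ** WIDTH) if prop(s))

def smallest_inductive_k(simple_path=True, max_k=8):
    """Smallest k for which k-induction proves prop, or None up to max_k."""
    for k in range(1, max_k + 1):
        if base_case(k) and inductive_case(k, simple_path):
            return k
    return None

if __name__ == "__main__":
    print("with simple-path constraint:", smallest_inductive_k(True))      # 3
    print("without:", smallest_inductive_k(False, max_k=6))               # None
```

With the simple-path constraint the proof closes at K = 3: the only way to reach the bad encoding 12 is through 10 and 11, and 10 has no predecessor other than itself. Without the constraint the path 10, 10, ..., 11, 12 (stuttering with en = 0) defeats every K, which is why induction alone decides so few problems in the flow and the other engines are needed.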
24
Interpolation
  • Input Sequential AIG with single output
    representing a property
  • Property holds when the output is 0
  • Method Over-approximate reachability analysis
  • Using over-approximations, instead of exact sets
    of reachable states
  • Output Proof that the property holds
  • Implementation A sequence of SAT calls on
    unrolled time-frames that is similar to bounded
    model checking

[Figure: interpolation over the unrolled time frames T1, T2, T3, ..., Tn;
the unrolling is partitioned into A and B, and the interpolant I_k obtained
from the UNSAT proof over-approximates the reachable states, with I_{k+1}
computed from it in the next iteration and the property P checked in the
last frame.]
25
Abstraction
  • Replace some FFs by primary inputs
  • Produces an abstracted model (more behavior)
  • The abstracted model is often easier to prove
  • If a counter-example (CEX) is detected, the
    abstraction is refined by analyzing CEX and try
    again
  • Use a combination of CBA and PBA
  • Start with the empty set of flops (all made PIs)
  • Add just enough flops to prevent detected
    counter-example (CBA)
  • Remove flops that are not needed in the proof of
    UNSAT (PBA)
  • This approach can be efficiently implemented in a
    single instance of the SAT solver (see ref.)

N. Een, A. Mishchenko, and N. Amla, "A single-instance incremental SAT
formulation of proof- and counterexample-based abstraction", Proc. IWLS'10.
26
Speculative Reduction
  • Detect candidate sequential equivalences in the
    miter
  • Done first by simulation
  • Refined by BMC
  • Assume these equivalences are true
  • Merge fanouts, rehash logic, add XORs to create
    new POs
  • The result is a Speculatively Reduced Model (SRM)
  • SRM is UNSAT iff all candidate equivalences hold!
  • SRM has a different circuit structure
  • SRM is often easier to prove

[Figure: adding assumptions for a candidate equivalence between nodes A
and B without speculative reduction (both kept, each constrained to 0)
versus with speculative reduction.]
27
BDD-Based Reachability
  • BDD-based reachability is an important backend of
    the verification flow
  • Used also to find CEXs
  • Several ideas, old and new, can be put together
    to implement a new improved engine
  • Long live BDDs!

28
Future Work
  • Vastly improved BDD engine
  • Ours is quite weak at the moment
  • We have a better one but not integrated yet
  • Will have a much better one in a few weeks.
  • Improved interpolation engine
  • Improved speculation engine
  • One SAT solver, with each speculation holding for
    a certain number of time frames
  • Improved circuit-based SAT solver
  • Can work on larger circuits with improved quality