210 likes | 236 Vues
Enhancing and Integrating Model Checking Engines. Robert Brayton Alan Mishchenko UC Berkeley. June 15, 2009. Overview. Sequential verification Integrated verification flow (“dprove”) Extended integrated verification flow (“dprove2”) Experimental results Ongoing and future work.
E N D
Enhancing and Integrating Model Checking Engines Robert Brayton Alan Mishchenko UC Berkeley June 15, 2009
Overview • Sequential verification • Integrated verification flow (“dprove”) • Extended integrated verification flow (“dprove2”) • Experimental results • Ongoing and future work
Sequential Verification • Motivation • Verifying equivalence after synthesis (equivalence checking) • Checking specific sequential properties (model checking) • Design analysis and estimation • Our research philosophy • Developing scalable solutions aimed at industrial problems • Exploiting synergy between synthesis and verification • Experimenting with new research ideas • Producing public implementations
Verification Problems and Solutions • Taxonomy of verification • Property and equivalence checking • Combinational and sequential verification • Satisfiable and unsatisfiable problems • Single-solver and multi-solver approach • Taxonomy of solvers/engines • Bug-hunters, provers, simplifiers, multi-purpose • Simulation, BDD-, AIG-, SAT-based, hybrid, etc • Fast/slow, weak/strong, etc
Equivalence checking Property checking p 0 0 D2 D1 D1 Property / Equivalence Checking • Property checking • Takes design and property and makes a miter • Equivalence checking • Takes two designs and makes a miter • The goal is to prove that the output of the miter is always 0
Verification Engines • Bug-hunters • random simulation • bounded model checking (BMC) • hybrids of the above two (“semi-formal”) • Provers • K-step induction, with or without uniqueness constraints • Interpolation (over-approximate reachability) • BDDs (exact reachability) • Transformers • Combinational synthesis • Retiming • Proving nodes sequentially equivalent • Abstraction • Speculative reduction
Integrated Verification Flow • Preprocessing • Handling combinational problems • Starting with faster engines • Continuing with slower engines • Main induction loop • Last-gasp engines
Command “dprove” Preprocessors • transforming initial state (“undc”, “zero”) • converting into an AIG (“strash”) • creating sequential miter (“miter -c”) • combinational equivalence checking (“iprove”) • bounded model checking (“bmc”) • sequential sweep (“scl”) • phase-abstraction (“phase”) • most forward retiming (“dret -f”) • partitioned register correspondence (“lcorr”) • min-register retiming (“dretime”) • combinational SAT sweeping (“fraig”) • for ( K = 1; K 16; K = K * 2 ) • signal correspondence (“scorr”) • stronger AIG rewriting (“dc2”) • min-register retiming (“dretime”) • sequential AIG simulation • interpolation (“int”) • BDD-based reachability (“reach”) • saving reduced hard miter (“write_aiger”) Combinational solver Faster engines Slower engines Main induction loop Last-gasp engines
Extension 1: Abstraction • Counter-example guided abstraction-refinement • Start • First abstraction - replace all registers by primary inputs • Prove • If the number of remaining registers exceeds K% (default, K=90), return UNDECIDED • Try BMC limited to C conflicts • If unsat after C conflicts, return current abstracted model • If SAT, get counter-example, go to Refinement • Refinement • Use the counter-example to find what registers should be added • Add the registers • Go to Prove
Extension 2: Speculative Reduction • Compute candidate equivalences • Perform reduction by transferring fanout • Record equality constraints as primary outputs • Try BMC with C conflicts • If UNSAT, return speculatively reduced model • If SAT, remove erroneous equivalences and outputs, repeat speculation • Advantages • Restructure the circuit • If can prove UNSAT of speculatively reduced model, then property is proved • Can use any other engines to try to prove 0 0 A A B B Adding assumptions with speculative reduction Adding assumptions without speculative reduction
Command “dprove2” • Initial BMC • If counter-example, return SAT • “dprove” (result is stored in Save1) • If UNSAT, return UNSAT • If SAT, return SAT • If UNDECIDED, restore Save1 • Abstraction • If fails, restore Save1, to go Speculation • Trim PIs/POs • “dprove” (result is stored in Save2) • If UNSAT, return UNSAT • If SAT, restore Save1 // here our abstract model was not good • If UNDECIDED, restore Save2 • Speculation • If Speculation is already tried, go to Final BMC • Else compute and refine equiv classes, perform speculation • Trim PIs/POs • Signal correspondence, combinational synthesis, interpolation, reachability • If UNSAT, return UNSAT • If SAT, to go Final BMC • If UNDECIDED, go to Abstraction // we might get some abstraction now • Final BMC • Restore Save1, set the highest resource limit
Example of dprove2 abc 01> r pdtvisns3p00.aig (unsolved by anyone in HWMCC’08 competition) abc 02> dprove2 Starting BMC... pdtvisns3p00 : pi = 21 po = 1 lat = 117 and = 3985 lev = 56 No output was asserted in 10 frames. Time = 5.45 sec - conflict limit (10000). Starting "dprove"... BDDs blew up during image computation. Time = 0.55 sec Networks are UNDECIDED. Time = 7.88 sec Problem size after dprove: pdtvisns3p00 : pi = 21 po = 1 lat = 88 and = 811 lev = 16 Abstraction... Init : pdtvisns3p00 : pi = 108 po = 1 and = 7 lev = 4 Refining abstraction... Output 0 was asserted in frame 0 (use "write_counter" to dump a witness). Time = 0.02 sec 0 : pdtvisns3p00 : pi = 103 po = 1 lat = 5 and = 122 lev = 11 Output 0 was asserted in frame 2 (use "write_counter" to dump a witness). Time = 0.02 sec 1 : pdtvisns3p00 : pi = 88 po = 1 lat = 21 and = 535 lev = 16 Output 0 was asserted in frame 3 (use "write_counter" to dump a witness). Time = 0.02 sec … Output 0 was asserted in frame 4 (use "write_counter" to dump a witness). Time = 0.02 sec 8 : pdtvisns3p00 : pi = 50 po = 1 lat = 59 and = 719 lev = 16 Output 0 was asserted in frame 7 (use "write_counter" to dump a witness). Time = 0.06 sec 9 : pdtvisns3p00 : pi = 35 po = 1 lat = 74 and = 761 lev = 16 No output asserted in 11 frames. Time = 7.67 sec - conflict limit (25000).
dprove2 example - continued "dprove" pdtvisns3p00 : pi = 35 po = 1 lat = 74 and = 761 lev = 16 BDDs blew up during image computation. Time = 0.47 sec Networks are UNDECIDED. Time = 7.03 sec The unsolved reduced miter is (null) : pi = 35 po = 1 lat = 74 and = 756 lev = 16 Speculation... Performing sequential simulation of 1000 frames with 255 words. Output 27 was asserted in frame 6 (use "write_counter" to dump a witness). Time = 0.14 sec No output was asserted in 13 frames. Time = 11.75 sec Reached local conflict limit (25000). Problem size of speculative reduced circuit after trimming... (null) : pi = 35 po = 39 lat = 74 and = 775 lev = 16 After "scorr"... (null) : pi = 35 po = 39 lat = 65 and = 738 lev = 16 After "dc2"... (null) : pi = 35 po = 39 lat = 65 and = 713 lev = 16 Property proved by interpolation (106 sec). Total Time = 143.69 sec
Experimental Results • Sequential verifier in ABC • First implemented in summer 2007 • Publicly available since September 2007 • Now working on second-generation code • Very active research area - lots of new ideas to try! • Test cases • Generated by applying sequential synthesis in ABC • Public benchmarks from various sources • Industrial problems from several companies
Hardware Model Checking Competition at CAV (HWMCC’08) • Competition organizers • Armin Biere (Johannes Kepler University, Linz, Austria) • Alessandro Cimatti (IRST, Trento, Italy) • Koen Lindström Claessen (Chalmers University, Gothenburg, Sweden) • Toni Jussila (OneSpin Solutions, Munich, Germany) • Ken McMillan (Cadende Berkeley Labs, Berkeley, USA) • Fabio Somenzi (University of Colorado, Boulder, USA) • The total of 16 solvers from 6 universities • The total of 645 benchmarks • 344 old and 301 new • Resource limits per problem (on Intel Pentium IV, 3 GHz, 2 GB) • Runtime limit: 900 sec • Memory limit: 1.5 Gb
Results Courtesy Armin Biere
HWMCC’08: All Benchmarks Courtesy Armin Biere
HWMCC’08: SAT Benchmarks Courtesy Armin Biere
HWMCC’08: UNSAT Benchmarks Courtesy Armin Biere
Summary • Reviewed some basics • Described integrated flow • Described the recent extension of the flow • Reviewed the results of HWMCC’08