Resolution Proofs for Combinational Equivalence
Satrajit Chatterjee, Alan Mishchenko, Robert Brayton, Andreas Kuehlmann
DAC / 6 Jun 2007
Motivation
• Modern combinational equivalence checking (CEC) engines are difficult to verify
  • Several thousand lines of code
• How can we trust a CEC program when it claims that two circuits are equivalent?
  • When it claims they are different, it produces an input vector to distinguish them — a proof of inequivalence
• Solution: require the CEC engine to produce a proof of equivalence
  • The program that checks the correctness of the proof is much simpler than the CEC engine
  • The proof can be verified without knowledge of the inner workings of the CEC engine
  • The “language” of our proofs is resolution
Outline
• Resolution
• Proofs for Naïve CEC
• Review of Modern CEC
• Proof Generation in Modern CEC
• Conclusions
Resolvent
A resolvent is a clause implied by two clauses in a SAT instance.
1. A SAT instance C:
   1. (~p + a)  2. (~p + b)  3. (p + ~a + ~b)
   4. (~q + a)  5. (~q + b)  6. (q + ~a + ~b)
   7. (p + q + ~z)  8. (p + ~q + z)  9. (~p + q + z)  10. (~p + ~q + ~z)
   11. (z)
2. The resolvent of clauses 3 and 4 (w.r.t. a) is the clause (p + ~b + ~q).
3. Adding the resolvent to the original set does not alter satisfiability. Let C’ be clauses 1–11 together with
   12. (p + ~b + ~q)
   It can be checked that C’ is satisfiable if and only if C is.
Resolution Proofs
A resolution proof is a sequence of resolvents ending in the empty clause.
1. Original set of clauses C:
   1. (~p + a)  2. (~p + b)  3. (p + ~a + ~b)
   4. (~q + a)  5. (~q + b)  6. (q + ~a + ~b)
   7. (p + q + ~z)  8. (p + ~q + z)  9. (~p + q + z)  10. (~p + ~q + ~z)
   11. (z)
2. Sequence of resolvents:
   12. (p + ~b + ~q) (from 3 and 4)
   13. (p + ~q) (from 5 and 12)
   14. (~p + q + ~a) (from 2 and 6)
   15. (~p + q) (from 1 and 14)
   16. (~p + ~q) (from 10 and 11)
   17. (p + q) (from 7 and 11)
   18. (~q) (from 13 and 16)
   19. (q) (from 15 and 17)
   20. () (from 18 and 19)
If the empty clause, i.e. (), is derived by resolution then the original set of clauses is UNSAT. Thus the sequence of resolution steps 12–20, which derives () at the end, forms a proof of unsatisfiability of C.
Generating Resolution Proofs
A SAT solver can be modified to produce a resolution proof if the instance is unsatisfiable.
• Zhang and Malik (2003) modified zChaff to produce resolution proofs
• Goldberg and Novikov (2003) presented an alternative method that needs minimal modification to the SAT solver
It is much easier to verify that a sequence of resolution steps is correct than it is to verify that the SAT solver is correct.
Combinational Equivalence Checking
We are given two combinational circuits and asked to check if they are equivalent or not.
A simple instance of CEC that we will use as a running example:
(Figure: circuit 1 computes output p from inputs a and b; circuit 2 computes output q from the same inputs a and b.)
The CEC problem: are outputs p and q functionally equivalent?
A Simple Reformulation
The CEC problem is equivalent to checking if the output of the miter of the two circuits is identically 0 or not.
(Figure: the miter of circuits 1 and 2 feeds the shared inputs a, b to both circuits and compares outputs p and q with an Xor gate whose output is z.)
Circuits 1 and 2 are equivalent if and only if z is identically 0.
Naïve CEC
The CEC problem is formulated as a SAT instance by adding clauses for each gate and asserting the miter output to be true.
(Figure: miter with inputs a, b, nets p, q and output z.)
Corresponding SAT instance C:
1. (~p + a)  2. (~p + b)  3. (p + ~a + ~b)
4. (~q + a)  5. (~q + b)  6. (q + ~a + ~b)
7. (p + q + ~z)  8. (p + ~q + z)  9. (~p + q + z)  10. (~p + ~q + ~z)
11. (z)
The two circuits are equivalent if and only if C is UNSAT.
Proof of Combinational Equivalence
A proof of unsatisfiability of the corresponding SAT instance is a proof of combinational equivalence.
(Figure: the miter with nets p, q and output z, beside its SAT instance, clauses 1–11 as on the previous slide.)
Proof of UNSAT (from SAT solver):
12. (p + ~b + ~q) (from 3 and 4)
13. (p + ~q) (from 5 and 12)
14. (~p + q + ~a) (from 2 and 6)
15. (~p + q) (from 1 and 14)
16. (~p + ~q) (from 10 and 11)
17. (p + q) (from 7 and 11)
18. (~q) (from 13 and 16)
19. (q) (from 15 and 17)
20. () (from 18 and 19)
This is a proof of combinational equivalence of p and q.
Proof Verification
Verifying the proof of combinational equivalence is easy.
(Figure: the original clauses of the miter, 1. (~p + a), 2. (~p + b), 3. (p + ~a + ~b), …, and the sequence of resolution steps, “Resolve 3 and 4”, “Resolve 5 and 12”, “Resolve 2 and 6”, …, are both fed to the Proof Verifier.)
• The Proof Verifier does the following:
  • Ensures that only clauses from the miter are in the original clauses
  • Performs the sequence of resolution steps
  • Ensures that the empty clause is derived at the end
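The verifier the slide describes, as an added example that is not code from the slides or the authors’ tool: it replays steps 12–20 over the miter clauses 1–11 with set-based resolution and rejects any step whose claimed clause is not the resolvent of its two antecedents. The integer literal encoding is an assumption of this example.

```python
# Added example (not from the slides): a minimal checker for the resolution
# proofs shown above. Literals are ints: a=1, b=2, p=3, q=4, z=5; ~x is -x.
A, B, P, Q, Z = 1, 2, 3, 4, 5

# The miter's SAT instance C (clauses 1-11 from the slides), keyed by number.
MITER_CLAUSES = {
    1: {-P, A}, 2: {-P, B}, 3: {P, -A, -B},
    4: {-Q, A}, 5: {-Q, B}, 6: {Q, -A, -B},
    7: {P, Q, -Z}, 8: {P, -Q, Z}, 9: {-P, Q, Z}, 10: {-P, -Q, -Z},
    11: {Z},
}

# The proof from the slides: (new clause number, claimed clause, antecedents).
PROOF_STEPS = [
    (12, {P, -B, -Q}, (3, 4)), (13, {P, -Q}, (5, 12)),
    (14, {-P, Q, -A}, (2, 6)), (15, {-P, Q}, (1, 14)),
    (16, {-P, -Q}, (10, 11)), (17, {P, Q}, (7, 11)),
    (18, {-Q}, (13, 16)), (19, {Q}, (15, 17)), (20, set(), (18, 19)),
]

def resolve(c1, c2):
    """Resolvent of c1 and c2; requires exactly one complementary pair (the pivot)."""
    pivots = {lit for lit in c1 if -lit in c2}
    if len(pivots) != 1:
        raise ValueError(f"no unique pivot between {c1} and {c2}")
    pivot = pivots.pop()
    return (c1 - {pivot}) | (c2 - {-pivot})

def verify_proof(original, steps):
    """Mirror the three checks of the Proof Verifier slide: start from the
    miter clauses only, replay every resolution step, and demand that the
    last step derives the empty clause. Returns True only if all hold."""
    derived = {k: set(v) for k, v in original.items()}
    for num, claimed, (i, j) in steps:
        if i not in derived or j not in derived or num in derived:
            return False            # unknown antecedent or reused number
        try:
            if resolve(derived[i], derived[j]) != set(claimed):
                return False        # claimed clause is not the resolvent
        except ValueError:
            return False            # antecedents do not clash on one variable
        derived[num] = set(claimed)
    return bool(steps) and not steps[-1][1]   # empty clause at the end

if __name__ == "__main__":
    print("proof valid:", verify_proof(MITER_CLAUSES, PROOF_STEPS))
```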
Modern CEC
Modern CEC engines do not construct a monolithic SAT instance.
• Modern CEC methods are transformational
  • Detect functional redundancies in the miter
  • Simplify miter using the detected redundancies
  • SAT solver may not even be invoked
(Figure: the miter on inputs a, b is simplified step by step, the equivalent nets p and q are merged, and finally the output z is reduced to the constant 0.)
Goal: generate a single resolution proof for modern CEC just as in the naïve case.
Main Techniques in Modern CEC
Main transformational techniques:
• Structural Hashing
• Functional Hashing
• Logic Re-writing
Next: distill these techniques down to a small set of basic atomic operations.
Structural Hashing
Structural Hashing = Structural Identification + Fanout Transfer
(Figure: in the miter, And gate G drives p and And gate H drives q, both from inputs a and b; after hashing, the fanouts of q are driven by p.)
1. Since both G and H are And gates and have the same inputs, nets p and q are functionally equivalent by structural identification
2. Therefore, the fanouts of q can be driven by p, thus simplifying the circuit
Functional Hashing
Functional Hashing = Functional Identification + Fanout Transfer
(Figure: miter with inputs a, b, nets p, q and output z.)
Functional Identification:
1. Use random simulation to detect candidate pairs of nets that may be equivalent
2. Formulate two smaller SAT instances to check that a pair of nets is indeed equivalent
Random simulation would indicate that p and q may be equivalent. The two SAT instances to check equivalence of p and q:
1. (~p + a)  2. (~p + b)  3. (p + ~a + ~b)  4. (~q + a)  5. (~q + b)  6. (q + ~a + ~b)  7. (p)  8. (~q)
1. (~p + a)  2. (~p + b)  3. (p + ~a + ~b)  4. (~q + a)  5. (~q + b)  6. (q + ~a + ~b)  7. (~p)  8. (q)
Functional Hashing
Functional Hashing = Functional Identification + Fanout Transfer
(Figure: the miter before and after the fanouts of q are transferred to p.)
1. Functional identification proves p and q are equivalent if the two smaller SAT instances are both UNSAT
2. Therefore, the fanouts of q can be driven by p, thus simplifying the circuit
Logic Re-writing
Re-writing replaces a cone of logic in the miter with a different cone.
(Figure: a cone of logic inside the miter being replaced.)
Rewriting can significantly alter the logic structure of the miter and its size.
Rewriting, Conceptually
Rewriting = Logic Insertion + Functional Hashing
(Figure: the cone driving p from inputs a, b, c is kept; a new cone computing q from a, b, c is inserted beside it (Logic Insertion); functional hashing then merges p and q so that the fanout r is driven by the new cone.)
Basic Operations
Structural Hashing = Structural Identification + Fanout Transfer
Functional Hashing = Functional Identification + Fanout Transfer
Rewriting = Logic Insertion + Functional Hashing
We have 4 basic operations during CEC:
1. Structural Identification (does not modify the miter)
2. Functional Identification (does not modify the miter)
3. Fanout Transfer (modifies the miter)
4. Logic Insertion (modifies the miter)
The equivalence checking process is thought of as a sequence of these basic operations.
Sequence of Basic Operations
Transformations on the miter:
Initial Miter → Structural Identification → Fanout Transfer → Logic Insertion → Functional Identification → … → Structural Identification → Miter is reduced to constant zero
Overview of Proof Generation
Maintain a correspondence between the miter and the proof.
(Figure: the initial miter with inputs a, b, nets p, q and output z, beside the initial clauses for its gates, clauses 1–11 of the naïve SAT instance C.)
As the CEC engine proceeds by executing the basic operations on the miter, it adds new clauses to the proof by using resolution to derive them.
The derivations corresponding to basic operations are called fragments.
Overview of Proof Generation
Transformations on the miter, and the resolution proof built alongside them:
Initial Miter — Initial Clauses
Structural Identification — Fragment 1
Fanout Transfer — Fragment 2
Logic Insertion — Fragment 4
Functional Identification — Fragment 5
… — …
Structural Identification — Fragment n
Miter is reduced to constant zero — The empty clause is derived
Overview of Proof Generation
For each basic operation we generate a different type of fragment:
1. Structural Identification of p and q: fragment derives (p + ~q) and (~p + q)
2. Functional Identification of p and q: fragment derives (p + ~q) and (~p + q)
3. Fanout Transfer from q to p: fragment derives new clauses for gates in the fanout of q
4. Logic Insertion of a new gate g: fragment derives clauses for gate g
Structural Identification
The fragment derives (p + ~q) and (~p + q) from the clauses of the gates.
(Figure: miter with inputs a, b, nets p, q and output z; structural identification detects that p = q.)
Clauses of the two gates:
… C1. (~p + a)  C2. (~p + b)  C3. (p + ~a + ~b)  D1. (~q + a)  D2. (~q + b)  D3. (q + ~a + ~b) …
Fragment added to the proof:
L1. (p + ~b + ~q) (from C3 and D1)
L2. (p + ~q) (from D2 and L1)
L3. (~p + q + ~a) (from C2 and D3)
L4. (~p + q) (from C1 and L3)
(This fragment can be generated from a pre-computed template.)
Fanout Transfer
• Suppose we transfer the fanouts of q to p
• For this to be sound, we must already have proved that p and q are equivalent
  • By structural or functional identification
  • Therefore, we have already derived (p + ~q) and (~p + q)
• We use (p + ~q) and (~p + q) to obtain clauses for the gates modified by the fanout transfer
Example of Fanout Transfer
(Figure: the Xor gate G with inputs p and q and output z; after transferring the fanouts of q to p, both inputs of the modified gate G’ are driven by p.)
Clauses for the Xor gate G modified by fanout transfer from q to p:
C1. (p + q + ~z)  C2. (p + ~q + z)  C3. (~p + q + z)  C4. (~p + ~q + ~z)
Clauses asserting the equivalence of q and p, already derived through structural or functional identification:
X. (p + ~q)  Y. (~p + q)
Transfer the fanouts of q to p: eliminate q from C1–C4 using X and Y.
Fragment added to the proof deriving clauses for G’:
L1. (p + ~z) (from C1 and X)
L2. (~p + p + z) (from C3 and X)
L3. (p + ~p + z) (from C2 and Y)
L4. (~p + ~z) (from C4 and Y)
Functional Identification
(Figure: miter with inputs a, b, nets p, q and output z.)
We want to derive the clauses (p + ~q) and (~p + q) from the clauses we have so far, i.e. C:
1. (~p + a)  2. (~p + b)  3. (p + ~a + ~b)  4. (~q + a)  5. (~q + b)  6. (q + ~a + ~b) …
Instead we have resolution proofs of UNSAT for the related but different instances C1 and C2:
C1: 1. (~p + a)  2. (~p + b)  3. (p + ~a + ~b)  4. (~q + a)  5. (~q + b)  6. (q + ~a + ~b)  X. (p)  Y. (~q)
C2: 1. (~p + a)  2. (~p + b)  3. (p + ~a + ~b)  4. (~q + a)  5. (~q + b)  6. (q + ~a + ~b)  X. (~p)  Y. (q)
Note that the clauses (p) and (~q) are not present in C and furthermore cannot be derived using resolution from C. Therefore, the resolution proofs of UNSAT of C1 and C2 cannot directly be used.
Proof Lifting
Idea: use the proof of UNSAT of C1 to obtain a proof of (~p + q) from C.
C1: 1. (~p + a)  2. (~p + b)  3. (p + ~a + ~b)  4. (~q + a)  5. (~q + b)  6. (q + ~a + ~b)  X. (p)  Y. (~q)
C: 1. (~p + a)  2. (~p + b)  3. (p + ~a + ~b)  4. (~q + a)  5. (~q + b)  6. (q + ~a + ~b)
Proof of UNSAT of C1 from the solver:
Unit propagation of X and Y:
9. (a) (from X and 1)
10. (b) (from X and 2)
11. (~a + ~b) (from Y and 6)
12. (~b) (from 9 and 11)
13. () (from 10 and 12)
Fragment deriving (~p + q) from C:
Use 9’ to refer to 1, i.e. (~p + a)
Use 10’ to refer to 2, i.e. (~p + b)
Use 11’ to refer to 6, i.e. (q + ~a + ~b)
12’. (~p + q + ~b) (from 9’ and 11’) (i.e. from 1 and 6)
13’. (~p + q) (from 10’ and 12’) (i.e. from 2 and 12’)
Functional Identification
• We obtained a derivation of (~p + q) from the proof of unsatisfiability of C1
• Similarly, the proof of unsatisfiability of C2 yields a derivation of (p + ~q)
• Proof of correctness of lifting in paper
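The lifting step of the two preceding slides, as an added example that is not code from the slides or the authors’ tool: it replays the solver’s refutation of C1 without the assumption units X and Y, so that the last lifted clause is (~p + q) derived from C alone; the same routine applied to the C2 refutation yields (p + ~q). The integer literal encoding and the rule that an assumption literal is only ever eliminated against its own unit clause (true when the solver unit-propagates X and Y first, as on the slide) are assumptions of this example.

```python
# Added example (not from the slides): lifting a refutation of C1 = C + (p) + (~q)
# into a derivation of (~p + q) from C. Literals are ints: a=1, b=2, p=3, q=4; ~x is -x.
A, B, P, Q = 1, 2, 3, 4

C = {1: {-P, A}, 2: {-P, B}, 3: {P, -A, -B},
     4: {-Q, A}, 5: {-Q, B}, 6: {Q, -A, -B}}
C1_ASSUMPTIONS = {"X": {P}, "Y": {-Q}}       # the unit clauses that turn C into C1

# The solver's refutation of C1 from the Proof Lifting slide: (number, antecedents).
C1_PROOF = [(9, ("X", 1)), (10, ("X", 2)), (11, ("Y", 6)),
            (12, (9, 11)), (13, (10, 12))]

def resolve(c1, c2):
    """Resolvent of c1 and c2 on their unique clashing variable (the pivot)."""
    pivots = {lit for lit in c1 if -lit in c2}
    if len(pivots) != 1:
        raise ValueError(f"no unique pivot between {c1} and {c2}")
    pivot = pivots.pop()
    return (c1 - {pivot}) | (c2 - {-pivot})

def lift_proof(base, assumptions, proof):
    """Replay `proof` over `base` without the assumption clauses.
    A step that resolves clause K against an assumption unit is replaced by K
    itself ("use 9' to refer to 1"): the complement of the assumed literal is
    kept in the clause instead of being eliminated. Every other step is
    re-resolved on the lifted antecedents, which clash on the same pivot.
    Assumes (as on the slide) that assumption literals are eliminated only via
    their unit clause. Returns a list of (label, clause, antecedent labels)."""
    lifted = {k: set(v) for k, v in base.items()}
    steps = []
    for num, (i, j) in proof:
        if i in assumptions and j in assumptions:
            raise ValueError("resolving two assumption units is not liftable")
        if i in assumptions or j in assumptions:
            other = j if i in assumptions else i
            lifted[num] = lifted[other]
            steps.append((f"{num}'", lifted[num], (other,)))
        else:
            lifted[num] = resolve(lifted[i], lifted[j])
            steps.append((f"{num}'", lifted[num], (f"{i}'", f"{j}'")))
    return steps

def lifted_conclusion(base, assumptions, proof):
    """The clause the lifted fragment derives from `base`: the disjunction of
    the negated assumptions, i.e. (~p + q) for C1."""
    return lift_proof(base, assumptions, proof)[-1][1]

if __name__ == "__main__":
    for label, clause, ante in lift_proof(C, C1_ASSUMPTIONS, C1_PROOF):
        print(label, sorted(clause), "from", ante)
```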
Logic Insertion
(Figure: a new gate computing q = x ^ y is inserted beside the existing cone driving p; the nets x and y are built from inputs a, b, c, and r is the fanout.)
Need to add new clauses corresponding to the inserted gate.
• We want to add a clause corresponding to q, i.e. want to add (q = x ^ y)
• However, resolution does not allow us to introduce a new variable q
• Need to upgrade our proof system to extended resolution
Extended Resolution
• Allow the introduction of a new variable q by means of a clause such as (q = f(x1, .. xn))
• Sound since if C is a set of clauses and q does not appear in C, then C·(q = f(x1, .. xn)) has a satisfying assignment iff C does
  • Proof: since q is free we can always assign it the value f(x1, .. xn)
• The proof verifier has to be slightly modified
  • It has to check that q does not appear so far in the proof
Logic Insertion
(Figure: the inserted gate q = x ^ y beside the existing cone driving p.)
In practice we add three CNF clauses instead of (q = x ^ y).
Add the clauses (~q + x), (~q + y) and (q + ~x + ~y) to the proof and modify the verifier to accept this particular template as an extended resolution step.
Need such a template for every type of gate that may be introduced.
Summary of Proof Generation
Transformations on the miter, and the resolution proof built alongside them:
Initial Miter — Initial Clauses
Structural Identification — Fragment 1
Fanout Transfer — Fragment 2
Logic Insertion — Fragment 4
Functional Identification — Fragment 5
… — …
Structural Identification — Fragment n
Miter is reduced to constant zero — The empty clause is derived
Conclusions
• Modern CEC methods can be easily modified to generate proofs of equivalence
  • A single proof, just as in the naïve case
  • Easy to check the proof for correctness
• The proof (syntax) is independent of the actual methods used for verification
• Extended resolution suffices
  • Re-writing is a way of constructing extended resolution proofs
Future Work and Applications
• Reduce the size of the resolution proof
  • Look for alternate proof systems which are harder to verify but lead to smaller proofs
  • Goldberg and Novikov’s 2003 paper
  • Resolution proof “modulo” BCP steps
• Proofs leak too much information
  • Can possibly reconstruct what the CEC engine did
• Correct-by-construction logic synthesis
  • Synthesis emits a resolution proof as a certificate
• Computation of interpolants in model checking
• Proofs of sequential equivalence
  • Inductive proofs can be expressed using resolution