1 Alan Mishchenko Research Update June-September 2008

2 Outline  Improved interpolation command “int” command “int”  New choice computation command “dch” (not covered in this talk) command “dch” (not covered in this talk)  New inductive prover command “scorr” command “scorr”

3 Interpolation: Basics  Input: Sequential AIG with single output representing a property Property holds when the output is 0 Property holds when the output is 0  Method: Over-approximate reachability analysis Using over-approximations, instead of exact sets of reachable states Using over-approximations, instead of exact sets of reachable states  Output: Proof that the property holds  Implementation: A sequence of SAT calls on unrolled time-frames that is similar to bounded model checking R1R1 R2R2 R3R3 RnRn  I k+1 P=1 IkIk B A

4 Interpolation: Experiments  Checking termination using induction Quit, if interpolant is a k-step-inductive invariant Quit, if interpolant is a k-step-inductive invariant  Compare two interpolation algorithms McMillan’s vs. Pudlak’s McMillan’s vs. Pudlak’s  Backward interpolation Interpolate the last time frame, instead of the first Interpolate the last time frame, instead of the first  Compare two different proofs Proof logger in ABC vs. proof logger in MiniSat-1.14p Proof logger in ABC vs. proof logger in MiniSat-1.14p (Done in collaboration with Roland Jiang, National Taiwan University.)

5 Checking Termination by Induction  Traditional approach: Check termination by checking Boolean containment of I k+1 in I k If so, a fixed-point is reached If so, a fixed-point is reached  New approach: Check termination by checking whether I k is an inductive invariant If so, iteration can stop because (i) I k contains all reachable states and (ii) the property holds for all states in I k If so, iteration can stop because (i) I k contains all reachable states and (ii) the property holds for all states in I k  Improvement: Use k-step induction where k increases proportionally to the effort applied in the interpolation procedure (This idea was suggested by Ken McMillan, Cadence Research Labs.)

6 Two Interpolation Procedures McMillan’s  Root clauses Clause of A gets OR of global literals Clause of A gets OR of global literals Clause of B gets constant 1 Clause of B gets constant 1  Learned clauses Variable of A gets OR of interpolants Variable of A gets OR of interpolants Variable of B or C gets AND of interpolants Variable of B or C gets AND of interpolantsPudlak’s  Root clauses Clause of A gets constant 0 Clause of B gets constant 1  Learned clauses Variable of A gets OR of interpolants Variable B gets AND of interpolants Variable of C gets MUX controlled by this variable

7 Backward Interpolation  Instead of interpolating init-state and the first time frame, interpolate negated property and the last frame  Unroll circuit backward rather than forward It was found experimentally that backward interpolation rarely has better runtime It was found experimentally that backward interpolation rarely has better runtime

8 Two Proof Logging Procedures ABC  Uses a sequence of learned clauses  Is largely independent of the SAT solver  Doubles the runtime of SAT solver because the proof is re-derived using backward BCP MiniSat-1.14p  Records the steps of conflict analysis  SAT solver should be heavily modified  Has little runtime overhead but may use more memory It was found experimentally that using proof-logging in ABC results in a faster interpolation procedure It was found experimentally that using proof-logging in ABC results in a faster interpolation procedure

9 Interpolation Results The table reports runtime of command “int” in ABC, which implements Ken McMillan’s unbounded model checking procedure. The runtime is in seconds on an IBM laptop with a 1.6GHz Pentium 4 CPU and 2GB of RAM. Timeout was set to 300 seconds. Default interpolation parameters: inductive check (K=2), original transition relation (no self-loop), forward interpolation, proof-logging engine in ABC.

10 Inductive Case Proving internal equivalences in a topological order in frame K A B SAT-1 D C SAT-2 A B D C A B D C Assuming internal equivalences to in uninitialized frames 0 through K ? ? Symbolic state PI 0 PI 1 PI k A B SAT-3 D C SAT-4 A B SAT-1 D C SAT-2 ? ? ? ? PI 0 PI 1 Initial state Candidate equivalences: {A,B}, {C,D} Proving internal equivalences in initialized frames 0 through K-1 Inductive Prover: Basics Base Case

11 Inductive Prover: Experiments  Simulation of additional timeframes Counter-examples to induction can be simulated over several timeframes, resulting in additional refinement Counter-examples to induction can be simulated over several timeframes, resulting in additional refinement  Skipping SAT calls for some cand. equivalences Can skip an equivalence if its cone-of-influence did not change after the last iteration of refinement Can skip an equivalence if its cone-of-influence did not change after the last iteration of refinement  Improved implementation Better AIG to CNF conversion Better AIG to CNF conversion Better candidate equivalence class manipulation Better candidate equivalence class manipulation More flexible simulation More flexible simulation

12 Inductive Prover: Results  Using a large test-case taken at random from resynthesis/retiming/resynthesis benchmarks (R. Jiang et al, ICCAD’07)  Running three versions of ABC on a laptop  Old prover (September 2007) 171 sec 171 sec  Improved old prover (September 2008) 94 sec 94 sec  New prover (September 2008) 31 sec 31 sec

13 Inductive Prover: Next Steps  Support external sequential constraints Use constrained instead of random simulation Use constrained instead of random simulation  Add uniqueness constraints on demand May increase inductive power for hard properties May increase inductive power for hard properties  Use aggressive filtering of cand. equivalences May speed up SEC after seq. synthesis when most of the circuit structure did not change (e.g. clock-gating) May speed up SEC after seq. synthesis when most of the circuit structure did not change (e.g. clock-gating)

14 Future Work  Incorporate stand-alone speculative reduction into the verification engine May extend the scope of hard problems solved May extend the scope of hard problems solved  Bring command “dprove” up to the standards of industrial model checker Implement generation of counter-examples after interpolation and BDD-based reachability Implement generation of counter-examples after interpolation and BDD-based reachability  Combine clock-gating and ODC-based synthesis Combines seq. and comb. synthesis to simultaneously reduce power and area Combines seq. and comb. synthesis to simultaneously reduce power and area  Re-implement CEC engine using new ideas Tune for circuits with little or no common structure Tune for circuits with little or no common structure