The Benefit of Concurrent Model Checking BVSRC Berkeley Verification and Synthesis Research Center Baruch Sterin, A. Mishchenko, N. Een, Robert Brayton.


Slide 1: The Benefit of Concurrent Model Checking. BVSRC Berkeley Verification and Synthesis Research Center. Baruch Sterin, A. Mishchenko, N. Een, Robert Brayton, BVSRC UC Berkeley. Thanks to: NSF, SRC, NSA, and Industrial Sponsors, IBM, Intel, Synopsys, Mentor, Magma, Altera, Atrenta, Microsemi, Jasper, Oasys, Real Intent, Tabula, Verific

Slide 2: Overview
- Model checking engines
- Example
  - Non-concurrent
  - Hybrid approach
  - Concurrent verify and refine
- Flow
- Example
- Why more powerful
- Questions and objections addressed
- Future work

Slide 3: Concurrent Model Checking Overview
- Employ multiple MC engines using hybrid concurrency on a multi-core server
- Benefits
  - Faster: almost linear speedup, plus does not waste time making a wrong decision
  - More powerful: can solve harder problems
- Makes the sequential approach obsolete
  - No reason not to use concurrency, even for 1 core
  - Simpler
- Concurrency controlled by a Python front end

Slide 4: Model Checking Engines
1. Random simulation
2. Semi-formal simulation
3. Bounded model checking (BMC) [15]
4. BDD-based reachability [7][25]
5. Property directed reachability (PDR) [4]
6. Interpolation [14]
7. Synthesis:
   1. rewriting [10]
   2. retiming [13]
   3. sequential signal correspondence [26] with constraint extraction
   4. phase abstraction [27]
   5. temporal decomposition [23]
8. Abstraction: [8]
   1. counterexample-based (CB) [19]
   2. proof-based (PB) [20][21]
9. Speculation [2][3]
Verification engines: 1-3 incomplete, 4-6 complete. Transformation engines: 7 equivalence preserving, 8-9 abstracting.

Slide 5: Example of non-concurrent MC
Read_file test_lru_consist_miss_slbc.sixth_sense_style_1sif_prop2_fixed2
PIs = 532, POs = 1, FF = 2389, ANDs =
prove
quick_verify (try many engines to see if one can prove)
Simplifying
Number of constraints = 3
Forward retiming, quick_simp, scorr_constr, trm: PIs = 532, POs = 1, FF = 2342, ANDs =
Simplify: PIs = 532, POs = 1, FF = 2335, ANDs =
Phase abstraction: PIs = 283, POs = 2, FF = 1460, ANDs = 8911
quick_verify (try many engines to see if one can prove)
Abstracting
Initial abstraction: PIs = 1624, POs = 2, FF = 119, ANDs = 1716, max depth = 39
Testing with BMC
bmc3 -C T 50 -F 78: No CEX found in 51 frames
Latches reduced from 1460 to 119
Simplify: PIs = 1624, POs = 2, FF = 119, ANDs = 1687, max depth = 51
Trimming: PIs = 158, POs = 2, FF = 119, ANDs = 734, max depth = 51
Simplify: PIs = 158, POs = 2, FF = 119, ANDs = 731, max depth = 51
quick_verify (try many engines to see if one can prove)
Speculating
Initial speculation: PIs = 158, POs = 26, FF = 119, ANDs = 578, max depth = 51
Fast interpolation: reduced POs to 24
Testing with BMC
bmc3 -C T 75: No CEX found in 1999 frames
PIs = 158, POs = 24, FF = 119, ANDs = 578, max depth = 1999
Simplify: PIs = 158, POs = 24, FF = 119, ANDs = 535, max depth = 1999
Trimming: PIs = 86, POs = 24, FF = 119, ANDs = 513, max depth = 1999
Verifying (try many engines to see if one can prove)
Running reach -v -B F T 75: BDD reachability aborted
RUNNING interpolation with conflicts, 50 sec, max 100 frames: 'UNSAT'
Elapsed time: seconds, total: seconds

Slide 6: Notes
1. The file IE1.aig is first read in and its statistics are reported as 532 primary inputs, 1 output, 2389 flip-flops, and AIG nodes.
2. 3 implicit constraints were found, but they were only mildly useful in simplifying the problem.
3. Phase abstraction found a cycle of length 2 and this was useful for simplifying the problem to 1460 FF from 2335 FF. Note that the number of outputs increased to 2 because the problem was unrolled 2 time frames.
4. Abstraction was very successful in reducing the FF count to 119. This was proved valid out to 39 time frames.
5. BMC verified that the abstraction produced is actually valid at least to 51 frames, which gives us good confidence that the abstraction is valid for all time.
6. Trimming reduced the inputs relevant to the abstraction from 1624 to 158 and simplify reduced the number of AIG nodes to
7. Speculate produced a speculative reduced model (SRM) with 24 new outputs to be proved and low resource interpolation proved 2 of them. The SRM model is simpler and has only 578 AIG nodes. The SRM was tested with BMC and proved valid out to 1999 frames.
8. Subsequent trimming and simplification reduced the PIs to 86 and the AIG nodes to
9. The final verification step first tried BDD reachability, allowing it 75 sec. and to grow to up to 1M BDD nodes. It could not converge with these resources so it was aborted. Then interpolation was able to prove UNSAT, and hence all 24 outputs are proved.
10. Although quick_verify was applied between simplification and abstraction, and between abstraction and speculation, it was not able to prove anything, so its output is not shown.
11. The total time for this proof was 457 sec. run on a Lenovo X301 laptop.

Slide 7: Same example with concurrent MC, without PDR
test_lru_consist_miss_slbc.sixth_sense_style_1sif_prop2_fixed2.aig
PIs=532,POs=1,FF=2389,ANDs=12049
***Executing super_prove ['INTRP', 'BMC', 'pre_simp']
For_Retime: PIs=532,POs=1,FF=2365,ANDs=11064
Number of constraints = 2, frames = 1
PIs=529,POs=1,FF=2342,ANDs=10611
Simplify: PIs=529,POs=1,FF=2265,ANDs=10068
***Trying temporal decomposition - for max 15.0 sec.
No reduction
***Trying phase abstraction - Max phase = 2 [1, 2]
Reparam: PIs 1056 => 264
Simplify with 2 phases: PIs=264,POs=2,FF=1462,ANDs=8319
Method pre_simp ended first in 89 sec.
PIs=264,POs=2,FF=1462,ANDs=8319
***Running abstract ['INTRP', 'BMC3', 'initial_abstract']
Method initial_abstract ended first in 106 sec.
Initial abstraction: PIs=1621,POs=2,FF=105,ANDs=1427,max depth=42
***Iterating abstraction refinement
PIs=1621,POs=2,FF=105,ANDs=1427,max depth=42
Latches reduced from 1462 to 105
***Running pre_simp
Reparam: PIs 330 => 328
PIs=328,POs=2,FF=105,ANDs=1184,max depth=42
Min_Retime: PIs=328,POs=2,FF=98,ANDs=1164,max depth=42
Reparam: PIs 328 => 299
Simplify: PIs=299,POs=2,FF=98,ANDs=1064,max depth=42
Reparam: PIs 299 => 266
Trying temporal decomposition - for max 15.0 sec.
No reduction
Reparam: PIs 266 => 261
***Running speculate ['INTRP', 'BMC3', 'initial_speculate']
Method initial_speculate ended first in 38 sec.
Initial speculation: PIs=261,POs=38,FF=96,ANDs=833,max depth=42
***Iterating speculation refinement
BMC3: -- cex in 0.17 sec. at depth 22 => PIs=261,POs=37,FF=96,ANDs=830,max depth=42
INTRP: UNSAT in 1.4 sec.
Total clock time taken by super_prove = sec.

Slide 8: Same example with concurrent MC, with PDR
test_lru_consist_miss_slbc.sixth_sense_style_1sif_prop2_fixed2
PIs=532,POs=1,FF=2389,ANDs=12049
***Executing super_prove ['PDR', 'INTRP', 'BMC', 'PDRm', 'pre_simp']
PIs=532,POs=1,FF=2389,ANDs=12049
For_Retime: PIs=532,POs=1,FF=2365,ANDs=11064
Number of constraints = 2, frames = 1
Reparam: PIs 532 => 529
PIs=529,POs=1,FF=2342,ANDs=10611
Simplify: PIs=529,POs=1,FF=2265,ANDs=10068
PDRm proved UNSAT in 42 sec.
Total clock time taken by super_prove = sec.

Slide 9: Hybrid Approach (diagram)
c_verify: PDR || PDRm || BMC || INTRP || REACHx || BMCm || REACHm || SIM, ending in SAT, UNSAT or TIMEOUT
c_refine: runs c_verify; a CEX leads to refine and another c_verify; ends in SAT, UNSAT or TIMEOUT
REACH and REACHm optional depending on size (#PIs, #FFs)

Slide 10: c_prove (diagram)
c_verify1 || simplify
c_verify2 || c_abstract
c_verify3 || c_speculate || k (c_prove output k)

Slide 11: Concurrent Prover Flow - hybrid (diagram; || means runs concurrently)
Start -> c_verify || pre_simp -> c_verify || initial_abstract -> c_verify || initial_speculate -> c_refine -> c_prove || (c_prove output k)
Each stage ends in UNSAT, SAT or undecided; undecided continues to the next stage. Other labels in the diagram: CEX, backup, kill, pause.
End with a definitive answer

Slide 12: Multiple output variation on c_refine
- If there are more than X outputs:
  - group outputs and use poor man's concurrency (PMC)
  - repeatedly take a group of X outputs at a time
  - start with a time-out of 2 sec.
  - after all output groups are done, double the time-out and repeat
  - if a cex is found: refine and start at the last time-out value and at the last group of X where the cex was found

Slide 13: Example of Concurrent Flow
l2snfsm_prop11_fixed2
PIs=38,POs=1,FF=372,ANDs=2150
Executing super_prove
Initial: PIs=38,POs=1,FF=372,ANDs=2150
Running Simplification ['PDR', 'INTRP', 'BMC', 'PDRm', 'pre_simp']   (annotation: these run in parallel)
PIs=38,POs=1,FF=371,ANDs=2150
Fwd_Retime: PIs=38,POs=1,FF=349,ANDs=2056
No constraints found
Simplify: PIs=38,POs=1,FF=336,ANDs=1951
Trying temporal decomposition - for max 15.0 sec.
No reduction
Method pre_simp ended first in 9 sec.
PIs=38,POs=1,FF=336,ANDs=1951

Slide 14: Example of Concurrent Flow (continued)
***Running abstract
Start: PIs=38,POs=1,FF=336,ANDs=1951
['PDR', 'INTRP', 'BMC3', 'PDRm', 'initial_abstract']
Running initial_abstract with bob=10,stable=6,time=100,depth=20
Method initial_abstract ended first in 103 sec.
PIs=38,POs=1,FF=336,ANDs=1951,max depth=11
Initial abstraction: PIs=116,POs=1,FF=258,ANDs=1576,max depth=11
Iterating abstraction refinement
Verify time set to 125
PIs=116,POs=1,FF=258,ANDs=1576,max depth=11
Reparam: PIs 116 => 59   (annotation: changes inputs to a smaller number)
….many iterations here
SIM: -- cex in sec. at depth 104 => cex_po = 0
PIs=45,POs=1,FF=329,ANDs=1925,max depth=11
Reparam: PIs 45 => 39
Latches reduced from 336 to 329
simplify
PIs=39,POs=1,FF=329,ANDs=1924,max depth=11
Min_Retime: PIs=39,POs=1,FF=329,ANDs=1914,max depth=11
No constraints found
Simplify: PIs=39,POs=1,FF=328,ANDs=1900,max depth=11
Trying temporal decomposition - for max 15.0 sec.
No reduction

Slide 15: Example of Concurrent Flow (continued)
***Running speculate ['PDR', 'INTRP', 'BMC3', 'PDRm', 'initial_speculate']
Method initial_speculate ended first in 39 sec.
Initial speculation: PIs=39,POs=241,FF=178,ANDs=1335,max depth=11
Iterating speculation refinement
PDRM: -- cex in 5.64 sec. at depth 40 => PIs=39,POs=239,FF=178,ANDs=1332,max depth=11
BMC3: -- cex in 1.84 sec. at depth 22 => PIs=39,POs=235,FF=178,ANDs=1326,max depth=22
…many iterations here
BMC3: -- cex in sec. at depth 25 => PIs=39,POs=204,FF=191,ANDs=1350,max depth=25
BMC3: -- cex in sec. at depth 25 => PIs=39,POs=203,FF=195,ANDs=1381,max depth=25
BMC: -- cex in sec. at depth 25 => PIs=39,POs=204,FF=195,ANDs=1390,max depth=25
BMC: -- cex in sec. at depth 26 => PIs=39,POs=203,FF=195,ANDs=1389,max depth=25
Find_cex_par turned on   (annotation: poor man's concurrency turned on here)
Verify time set to 148
Number of POs: 203 => 69
t_poor = 2
***
PDRM: UNSAT in 0.08 sec.
PDRM: UNSAT in 0.07 sec.
…many iterations here
PDR: UNSAT in 0.25 sec.
PDRM: UNSAT in 0.02 sec.
all outputs processed => 69 outputs proved
Number of POs reduced to 0
Total clock time taken by super_prove = sec.
Out[7]: 'UNSAT'

Slide 16: Why is concurrent more powerful? Example of iterating speculation refinement
verify time set to 50
Initial size: PIs=171,POs=41,FF=255, ANDs=2275
SIMULATION: cex sec, frame 911
SIMULATION: cex sec, frame 17
BMC: cex sec, frame 17
SIMULATION: cex sec, frame 1363
SIMULATION: cex sec, frame 391
BMC: cex sec, frame 17
SIMULATION: cex sec, frame 984
SIMULATION: cex sec, frame 444
PDRM: cex sec, frame 18
BMC: cex sec, frame 17
SIMULATION: cex sec, frame 81
SIMULATION: cex sec, frame 22
SIMULATION: cex sec, frame 40
SIMULATION: cex sec, frame 58
PDRM: cex sec, frame 20
BMC: cex sec, frame
(interleavings of PDR, PDRM and BMC....)
PDR: cex sec, frame 29
PDR: cex sec, frame 76
BMC: cex sec, frame 23
PDRM: UNSAT in 66 sec.
Final size: PIs=171, POs=17, FF=260, ANDs=2346

Slide 17: Why is concurrent more powerful? (diagram: the initial abstraction/speculation is refined, one cex at a time, into the final abstraction/speculation)

Slide 18: Hard HWMCC'10 Examples (hard examples - academic)

Name | Prim. Inputs | Flip flops | And nodes | Result | Time (sec.)
bobsmhdlc | | | | Unsat | 434
bobsmhdlc | | | | Unsat | 450
bobsmhdlc | | | | Unsat | 1002
bobsmhdlc | | | | Unsat | 1245
Pdtrod6x8p | | | | Unsat | 1224
Pdtpmsudc | | | | Unsat | 48
Bobpcihm | | | | none | -
Bobsminiuart | | | | none | -
Bobsmcodic | | | | none | -
Nusmvqueue | | | | none | -
Pdtpmsudc | | | | none | -

Notes: 0 not solved by anyone; 1 solved only by pdtrav; 2 solved only by pdtrav and ABC

Slide 19: Hard examples - Industrial (a subset of the IBM benchmarks, not solved by SixthSense using its default Expert System flow in two hours **)

Name | Primary Inputs | Flip flops | And nodes | Result | Time (sec)
bypass | | | | Unsat | 84
GCT_ | | | | Unsat | 188
pmu_wr_ | | | | Unsat | 875
tp_p_w_ | | | | Unsat | 601
KML_M_21 * | | | | Unsat | 353
test_hit_ | | | | Unsat | 153
two_back | | | | Sat | 173
bypass_28_ | | | | Unsat | 9
MCS_MCS_ | | | | Unsat | 30
sc_sc_0 * | | | | none | -
DA_DA_ | | | | Unsat | 37
p3_d_n_ | | | | Sat | 180
pclem_ | | | | Unsat | 193
assert_p_7_ | | | | Unsat | 396
MCA_MCA_ | | | | Unsat | 24
MCS_rand | | | | Unsat | 441
mcx_z_ | | | | none | -
sc_ver2_ | | | | Sat | 433
symm_ | | | | Sat | 56
Erat_ | | | | Unsat | 720

* Had multiple outputs; all but the first were folded in as constraints
** At the time, the IBM SixthSense program did not have a PDR engine, so we eliminated those problems that were made easier because of PDR in our code.

Slide 20: Multiple output variation on c_refine: how long does it take?
- Let O = # POs, E = # MC engines used concurrently, C = # cores, T = final time-out, X = # outputs grouped together
- Final sweep (with no cex's and assuming no memory conflicts)
  - with full concurrency: time = T*(O*E)/C
  - with grouping and full concurrency: time = T*(O/X)*(X*E)/C = T*(O*E)/C
  - with grouping and PMC: time = T*2*(O/X)*(X*E)/C = 2*T*(O*E)/C
- Why not do full concurrency and no grouping?
  - Grouping is done to lessen memory conflicts
    - at most X*E processes are concurrent on the server
    - choose X so that there is little memory conflict (why not choose X = C/E?)
  - PMC is done to find cex's early when doing grouping
    - easy cex's across all outputs are found early
- When cex's are found (some heuristics)
  - refine and start PMC at the last time-out value (instead of 2 sec.)
    - heuristic that expects the next cex will take at least that time to find
  - first try the last set of X where the cex was found
    - heuristic that expects the last group where a cex was found is most likely to yield the next cex
(Figure: number of concurrent engines running per core)
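The PMC schedule of slides 12 and 20, written out as an added Python model (not code from the slides or from ABC): outputs are grouped X at a time, the time-out starts at 2 sec. and doubles after every cex-free sweep, and a cex restarts the sweep at the current time-out and at the group where it was found. Engines are not spawned; each constructed output carries the verdict an engine would reach and the seconds it would need, and the sweep-time formulas of slide 20 are included to show where the factor of 2 comes from. The names Output, run_group, pmc, final_sweep_time and pmc_total_time are this example's own.

```python
"""Model of the poor man's concurrency (PMC) schedule for multi-output c_refine.
Added example: engines are not spawned; each constructed output carries the
verdict an engine would reach and the seconds it would need to reach it."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Output:
    name: str
    verdict: str  # "SAT" (a cex exists) or "UNSAT" (the output holds)
    cost: float   # seconds an engine needs for that verdict (constructed)


def run_group(group, timeout):
    """All outputs of one group run concurrently under a single time-out.
    Returns (cex output or None, outputs proved UNSAT, wall-clock seconds)."""
    cexs = [o for o in group if o.verdict == "SAT" and o.cost <= timeout]
    cex = min(cexs, key=lambda o: o.cost) if cexs else None
    # the first cex interrupts the whole group; outputs already proved by
    # then still count as proved
    stop = cex.cost if cex is not None else timeout
    proved = [o for o in group if o.verdict == "UNSAT" and o.cost <= stop]
    if cex is not None:
        wall = cex.cost
    elif len(proved) == len(group):
        wall = max(o.cost for o in proved)  # everything resolved early
    else:
        wall = timeout                      # some output used its full budget
    return cex, proved, wall


def pmc(outputs, x, t_start=2.0, t_final=64.0):
    """PMC over groups of x outputs (slides 12 and 20): the time-out doubles
    after each cex-free sweep; a cex restarts the sweep at the same time-out
    and at the group where it was found. Returns (undecided, seconds, log)."""
    remaining = list(outputs)
    timeout, start, clock, events = t_start, 0, 0.0, []
    while remaining and timeout <= t_final:
        groups = [remaining[i:i + x] for i in range(0, len(remaining), x)]
        start %= len(groups)
        order = groups[start:] + groups[:start]   # last cex group goes first
        cex = None
        for k, group in enumerate(order):
            cex, proved, wall = run_group(group, timeout)
            clock += wall
            for o in proved:
                remaining.remove(o)
                events.append((clock, timeout, "UNSAT", o.name))
            if cex is not None:
                remaining.remove(cex)   # refine: the falsified output is dropped
                events.append((clock, timeout, "CEX", cex.name))
                start = (start + k) % len(groups)
                break
        if cex is None:
            timeout *= 2   # cex-free sweep: double the time-out, start over
            start = 0
    return remaining, clock, events


def final_sweep_time(t_final, n_outputs, n_engines, n_cores):
    """Slide 20: one sweep at time-out T costs T*(O*E)/C, with or without
    grouping (grouping only caps concurrency at X*E processes)."""
    return t_final * n_outputs * n_engines / n_cores


def pmc_total_time(t_start, t_final, n_outputs, n_engines, n_cores):
    """All cex-free sweeps with time-outs t_start, 2*t_start, ..., T. The
    geometric sum stays below 2*T*(O*E)/C, which is slide 20's factor of 2."""
    total, t = 0.0, t_start
    while t <= t_final:
        total += final_sweep_time(t, n_outputs, n_engines, n_cores)
        t *= 2
    return total


# Constructed inputs: six outputs, grouped two at a time.
SAMPLE_OUTPUTS = [
    Output("o0", "UNSAT", 1.0), Output("o1", "SAT", 3.0),
    Output("o2", "UNSAT", 5.0), Output("o3", "SAT", 1.0),
    Output("o4", "UNSAT", 0.5), Output("o5", "UNSAT", 20.0),
]

if __name__ == "__main__":
    for clock, timeout, what, name in pmc(SAMPLE_OUTPUTS, x=2)[2]:
        print(f"t={clock:5.1f}s timeout={timeout:4.0f}s {what:5} {name}")
```

The event log shows the two cex's being found at the 2 sec. and 4 sec. time-outs before the expensive output is proved at 32 sec.; an output whose cost exceeds the final time-out is returned as undecided rather than mis-reported.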

Slide 21: Questions addressed
- Memory use and conflicts?
  - experiments run on a server with 2 processors, 4 cores each, 24 Gb, 64K L1, 256K L2, 4 Mb
  - grouping designed to alleviate severe memory conflicts
  - did not observe slowdown due to memory conflicts, but more experiments need to be done
- Run-time speedup?
  - linear up to # cores
  - concurrency alleviates wasting time due to wrong decisions
  - solving problems not solved by the sequential flow
- Wasting processor power: trying many things but throwing away all but one?
  - wastage only if some cores are sitting idle
  - the alternative is to run the wrong engine for a longer time
- Use the SOTA algorithm?
  - too many MC algorithms
  - an expert system has been proposed which learns which algorithms are best for a given design project (Z. Nevo - IBM)

Slide 22: Future Work
- More and better engines
  - Improved BDD reachability engine (we hope)
    - We have 4
    - We had a quite weak one (HWMCC'08) in '08
    - Now have two reasonably good ones
    - May have a much better one in a few months
  - Improved circuit-based SAT solver
    - Currently used in signal correspondence to simplify larger circuits
    - Faster but sometimes limited quality
    - Will be improved to see if it can compete with MiniSat 1.14c
  - New specialized techniques for SEC
- More use of concurrency
  - e.g. exchange information between engines
  - will not work on parallelizing individual engines

Slide 23: To Learn More
- Recent papers (IWLS)
  - N. Een, A. Mishchenko, and R. Brayton, "Efficient implementation of property directed reachability", IWLS'11.
  - B. Sterin, N. Een, A. Mishchenko and R. Brayton, "The Benefit of Concurrency in Model Checking", IWLS'11.
  - S. Ray and R. Brayton, "Proving Stabilization Using Liveness-to-Safety Conversion", IWLS'11.
- Other
  - R. Brayton and A. Mishchenko, "ABC: An academic industrial-strength verification tool", Proc. CAV'10, LNCS 6174, pp.
  - N. Een, A. Mishchenko, and N. Amla, "A single-instance incremental SAT formulation of proof- and counterexample-based abstraction", Proc. FMCAD'10.
  - H. Savoj, D. Berthelot, A. Mishchenko, and R. Brayton, "Combinational techniques for sequential equivalence checking", Proc. FMCAD'10, pp.
- Send
- Visit the BVSRC webpage


Slide 25: end

Slide 26: Why is concurrent more powerful? Iterating speculation refinement
verify time set to 50
SIMULATION: cex 4.26 sec, frame 911 => PIs=171,POs=41,FF=255,ANDs=2275,max depth=28
SIMULATION: cex 0.09 sec, frame 17 => PIs=171,POs=43,FF=255,ANDs=2280,max depth=28
BMC: cex 9.50 sec, frame 17 => PIs=171,POs=43,FF=255,ANDs=2282,max depth=28
SIMULATION: cex 6.43 sec, frame 984 => PIs=171,POs=47,FF=255,ANDs=2292,max depth=28
SIMULATION: cex 1.21 sec, frame 444 => PIs=171,POs=49,FF=255,ANDs=2302,max depth=28
PDRM: cex 4.33 sec, frame 18 => PIs=171,POs=48,FF=255,ANDs=2304,max depth=28
BMC: cex 9.85 sec, frame 17 => PIs=171,POs=55,FF=256,ANDs=2346,max depth=28
SIMULATION: cex 6.33 sec, frame 81 => PIs=171,POs=55,FF=256,ANDs=2347,max depth=28
SIMULATION: cex 4.59 sec, frame 22 => PIs=171,POs=55,FF=257,ANDs=2366,max depth=28
SIMULATION: cex 4.59 sec, frame 40 => PIs=171,POs=54,FF=257,ANDs=2363,max depth=28
BMC: cex 6.96 sec, frame 17 => PIs=171,POs=51,FF=258,ANDs=2377,max depth=28
PDRM: cex 5.84 sec, frame 22 => PIs=171,POs=51,FF=259,ANDs=2385,max depth=28
BMC: cex 7.11 sec, frame 17 => PIs=171,POs=47,FF=259,ANDs=2377,max depth=28
PDRM: cex 3.58 sec, frame 19 => PIs=171,POs=46,FF=259,ANDs=2374,max depth=28
PDRM: cex 6.04 sec, frame 19 => PIs=171,POs=45,FF=259,ANDs=2371,max depth=28
PDRM: cex 8.89 sec, frame 20 => PIs=171,POs=44,FF=259,ANDs=2372,max depth=28
BMC: cex 7.50 sec, frame 17 => PIs=171,POs=41,FF=260,ANDs=2366,max depth=28
PDRM: cex 4.59 sec, frame 20 => PIs=171,POs=40,FF=260,ANDs=2363,max depth=28
BMC: cex sec, frame 18 => PIs=171,POs=37,FF=260,ANDs=2358,max depth=28
PDRM: cex sec, frame 22 => PIs=171,POs=36,FF=260,ANDs=2359,max depth=28
PDR: cex sec, frame 23 => PIs=171,POs=35,FF=260,ANDs=2356,max depth=28
BMC: cex sec, frame 18 => PIs=171,POs=40,FF=260,ANDs=2368,max depth=28
PDRM: cex 9.69 sec, frame 38 => PIs=171,POs=40,FF=260,ANDs=2369,max depth=28
BMC: cex sec, frame 18 => PIs=171,POs=38,FF=260,ANDs=2368,max depth=28
BMC: cex sec, frame 18 => PIs=171,POs=36,FF=260,ANDs=2364,max depth=28
BMC: cex sec, frame 18 => PIs=171,POs=34,FF=260,ANDs=2362,max depth=28
BMC: cex sec, frame 18 => PIs=171,POs=34,FF=260,ANDs=2368,max depth=28
BMC: cex 9.65 sec, frame 18 => PIs=171,POs=32,FF=260,ANDs=2376,max depth=28
BMC: cex sec, frame 18 => PIs=171,POs=33,FF=260,ANDs=2381,max depth=28
PDRM: cex sec, frame 19 => PIs=171,POs=32,FF=260,ANDs=2378,max depth=28
BMC: cex sec, frame 18 => PIs=171,POs=30,FF=260,ANDs=2376,max depth=28
BMC: cex sec, frame 19 => PIs=171,POs=29,FF=260,ANDs=2373,max depth=28
PDRM: cex sec, frame 24 => PIs=171,POs=28,FF=260,ANDs=2374,max depth=28
…