Synthesis for Verification Alan Mishchenko UC Berkeley

Overview Synthesis-verification duality Synthesis-oriented verification Verification-oriented synthesis Combinational synthesis Signal correspondence Min-area retiming Speculation Future work

Synthesis-Verification Duality Enabling each other Migrating algorithms Co-evolving efficient solution

Sequential Verification D1 Property checking miter p Property checking Create miter from the design and the property Equivalence checking Create miter from two versions of the same design Assuming the initial state is given The goal is to prove that the output of the miter is 0, for all states reachable from the initial Two ways of doing the same Proving miter to be constant 0 Synthesizing miter to constant 0 D2 D1 Equivalence checking miter

Synthesis-Oriented Verification Verification at the service of synthesis Comb equivalence checking enabled technology mapping using structural choices Led in improvement in quality Interpolation allows resynthesis to be performed without explicitly computing don’t-cares Led to savings in runtimes Balanced combination of simulation and SAT replaced BDDs in all known synthesis applications Led to better scalability

Verification-Oriented Synthesis Synthesis at the service of verification Combinational synthesis Signal correspondence Min-area retiming Speculation

Combinational Synthesis AIG rewriting minimizes the number of AIG nodes without increasing the number of AIG levels Rewriting AIG subgraphs Pre-computing AIG subgraphs Consider function f = abc Rewriting node A a b c A Subgraph 1 b c a A Subgraph 2  a b c Subgraph 1 b c a Subgraph 2 a c b Subgraph 3 Rewriting node B b c a B Subgraph 2 a b c B Subgraph 1 a b c  In both cases 1 node is saved

Signal Correspondence Consider registers and nodes of a design Detect candidate equivalences in this set using random/guided simulation Prove candidates by K-step induction Merge the resulting equivalences This is a subset of sequential synthesis with Practical advantages (does not move registers, etc) Scales to large circuits Offers substantial improvements Comes with a verification guarantee Can benefit from sequential constraints

The Use of Constraints Two types of constraints Inductive invariants (properties of the circuit) User-specified restriction on reachable states Constraints can be automatically detected Leads to ‘unfolded’ and ‘folded’ representation of constraints Folded representation works in most cases BMC Interpolation Unfolded constraints are also very useful Signal correspondence

Unfolded and Folded Constraints Property with folded constraint P C Property (0=holds) Constraint (0=holds) P C

Combinational SAT Sweeping Applying SAT to the output ? SAT Naïve CEC approach – SAT solving Build output miter and call SAT works well for many easy problems Better CEC approach – SAT sweeping based on incremental SAT solving Detects possibly equivalent nodes using simulation Candidate constant nodes Candidate equivalent nodes Runs SAT on the intermediate miters in a topological order Refines the candidates using counterexamples Proving internal equivalences in a topological order A B SAT-1 ? D C SAT-2 SAT-3

Sequential SAT Sweeping Sequential SAT sweeping is similar to combinational one in that it detects node equivalences The difference is, the equivalences are sequential They hold only in the reachable state space Sequential equivalence is proved by K-step induction Efficient implementation of induction is key!

Sequential SAT Sweeping Base Case Inductive Case ? Candidate equivalences: {A,B}, {C,D} D C SAT-2 ? Proving internal equivalences in a topological order in frame K A B SAT-1 ? D C SAT-4 ? PIk A B SAT-3 PI1 ? C D D C SAT-2 A ? Assuming internal equivalences to in uninitialized frames 0 through K-1 B A B SAT-1 PI1 PI0 C D Initial state A Proving internal equivalences in initialized frames 0 through K-1 B PI0 Symbolic state

Min-Area Retiming Temporarily ignore PIs/POs and their transitive fan-in/out Retiming registers to another location corresponds to finding new cut of the combinational DAG # registers = # nodes in the cut Min-cut/Max-flow duality Can use max-flow to find min-cut Min-cut is not unique However, this leads to minimum movement of registers from original cut source sink source sink

Primary Inputs/Outputs Treatment depends on application Synthesis: primary I/Os must be identically synchronized Verification: synchronization is not necessary Logic source sink PI Can’t forward retime PO PI

Retiming Over Multiple Frames Solution: Repeat over single frame Terminate when no further change Forward and backward retiming are similar, with roles of PIs / POs, sources / sinks reversed Logic Logic Logic Logic

Overall Algorithm Start Forward retiming Backward retiming Block Fan-out Cone of PIs Block Fan-in Cone of POs Compute Max-Flow Compute Max-Flow Yes Yes Improv.? No Implement Min-Cut Improv.? Implement Min-Cut No Forward retiming is preferred due to the ease of initial state computation Done

Speculative Reduction Detect candidate sequential equivalences in the miter Done first by simulation Refined by BMC Assume these equivalences are true Merge fanouts, rehash logic, add XORs to create new POs The result is a Speculatively Reduced Model (SRM) SRM is UNSAT iff all candidate equivalences hold! SRM has a different circuit structure SRM is often easier to prove A A B B Adding assumptions without speculative reduction Adding assumptions with speculative reduction

Future Work Improving old engines Developing new engines Tighter integration