Scalable and Scalably-Verifiable Sequential Synthesis Alan Mishchenko UC Berkeley Michael Case UC Berkeley, IBM Robert Brayton Stephen Jang Xilinx Inc.
Overview Introduction Sequential synthesis Sequential verification Experimental results Future work
Introduction Verifiable sequential synthesis is a practical subset of sequential synthesis with the following Practical advantages (does not move registers, etc) Scalability that makes it applicable to large designs Substantial improvements on industrial benchmarks Verification guarantees Integrated sequential verification is a transformation-based approach combining the power of sequential synthesis with verification techniques Extensions to the integrated verifier (command “dprove”) Improved performance and runtimes on industrial problems Directions for future work
Sequential SAT Sweeping Sequential SAT sweeping is similar to combinational one in that it detects node equivalences The difference is, the equivalences are sequential They hold only in the reachable state space Sequential equivalence is proved by K-step induction Efficient implementation of induction is key!
Combinational SAT Sweeping Applying SAT to the output ? SAT Naïve CEC approach – SAT solving Build output miter and call SAT works well for many easy problems Better CEC approach – SAT sweeping based on incremental SAT solving Detects possibly equivalent nodes using simulation Candidate constant nodes Candidate equivalent nodes Runs SAT on the intermediate miters in a topological order Refines the candidates using counterexamples Proving internal equivalences in a topological order A B SAT-1 ? D C SAT-2 SAT-3
Base Case Inductive Case Candidate equivalences: {A,B}, {C,D} ? D C SAT-2 ? Proving internal equivalences in a topological order in frame K A B SAT-1 ? D C SAT-4 ? PIk A B SAT-3 PI1 ? C D D C SAT-2 A ? Assuming internal equivalences to in uninitialized frames 0 through K-1 B A B SAT-1 PI1 PI0 C D Initial state A Proving internal equivalences in initialized frames 0 through K-1 B PI0 Symbolic state
Speculative Reduction Inputs to the inductive case Sequential circuit The number of frames to unroll (K) Candidate equivalence classes One node in each class is designated as the representative node Currently the representatives are the first nodes in a topological order Speculative reduction moves fanouts to the representative nodes Makes 80% of the constraints redundant Dramatically simplifies the resulting timeframes (observed 3x reductions) Leads to saving 100-1000x in runtime during incremental SAT solving A A B B Adding assumptions without speculative reduction Adding assumptions with speculative reduction
Partitioning for Induction A simple output-partitioning algorithm was implemented One person-day of programming CEC and induction became more scalable Typical reduction in runtime is 20x for a 1M-gate design Partitioning is meant to make SAT problems smaller The same partitioning is useful for parallelization! Partitioning algorithm Pre-processing: For all POs, finds PIs they depend on Main loop: For each PO, in a degreasing order of support size Finds a partition by looking at the supports Chooses partition with min linear combination of attraction and repulsion (determined by the number of common and new variables in this PO) Imposes restrictions on the partition size Post-processing: Compacts smaller partitions Complexity: O( numPis(AIG) * numPos(AIG) )
Partitioning Details Currently induction is partitioned only for register correspondence In this case, it is enough to partition only one timeframe! In each iteration of induction The design is re-partitioned Nodes in each candidate equiv class are added to the same partition Constant candidates can be added to any partition Candidates are merged at the PIs and proved at the POs After proving all partitions, the classes are refined The partitioned induction has the same fixed-point as the monolithic induction while the number of iterations can differ (different c-examples lead to different refinements) B A = D C = B’ A’ = ? Partition 1 Illustration for two cand equiv classes: {A,B}, {C,D} B A = D C = D’ C’ = ? B A D C B’ A’ D’ C’ One timeframe of the design Partition 2
Verification Guarantee Theorem Let N1 be a sequential circuit with a given initial state. Suppose some signals in N1 are proved sequentially-equivalent using k-step induction and merged by replacing each signal with the representative of its class. Assume that the logic is not further restructured and denote the resulting circuit by N2. Let M be the sequential miter constructed for N1 and N2. Then, M can be proved equivalent to constant-0 using k-step induction, where k is the same as used during synthesis. X N1 Synthesis problem X … N1 N2 M Equivalence checking problem
Integrated SEC Flow The following is the sequence of transformations currently applied by the integrated SEC in ABC (command “dprove”) creating sequential miter (“miter -c”) PIs/POs are paired by name; if some registers have don’t-care init values, they are converted by adding new PIs and muxes; all logic is represented in the form of an AIG sequential sweep (“scl”) removes dangling logic, stuck-at-constant and combinationally-equivalent registers most forward retiming (“retime –M 1”) moves all registers forward and computes new initial state partitioned register correspondence (“lcorr”) merges sequential equivalent registers (completely solves SEC after retiming) combinational SAT sweeping (“fraig”) merges combinational equivalent nodes before running signal correspondence for ( K = 1; K 16; K = K * 2 ) signal correspondence (“ssw”) // merges seq equivalent signals by K-step induction AIG rewriting (“drw”) // minimizes and restructures combinational logic most forward retiming // moves registers forward after logic restructuring sequential AIG simulation // targets satisfiable SAT instances post-processing (“write_aiger”) if sequential miter is still unsolved, dumps it into a file for future use
Updated Integrated SEC Flow Command “dprove” creating sequential miter (“miter -c”) combinational equivalence checking (“iprove”) bounded model checking (“bmc”) sequential sweep (“scl”) phase-abstraction (“phase”) most forward retiming (“retime –M 1”) partitioned register correspondence (“lcorr”) min-register retiming (“dretime”) combinational SAT sweeping (“fraig”) for ( K = 1; K 16; K = K * 2 ) signal correspondence (“ssw”) // merges seq equivalent signals by K-step induction stronger AIG rewriting (“dc2”) // minimizes and restructures combinational logic min-register retiming (“dretime”) // minimizes the number of registers sequential AIG simulation // targets satisfiable SAT instances interpolation (‘int”) BDD-based reachability (‘reach”) post-processing (“write_aiger”)
Synthesis Results ABC commands were applied to two sets of examples scl (sequential sweep) lcorr (register correspondence) ssw (signal correspondence) were applied to two sets of examples 20 academic benchmarks 20 industrial benchmarks Performed high-effort tech-dependent synthesis and FPGA mapping into 6-LUTs after each run Runtime measured on an Intel Xeon 2-CPU 4-core computer with 8Gb of RAM
ABC Scripts Baseline Register correspondence (Reg Corr) choice; if; choice; if; choice; if // comb synthesis and mapping Register correspondence (Reg Corr) scl –l // structural register sweep lcorr // register correspondence using partitioned induction dsec –r // SEC Signal correspondence (Sig Corr) ssw // signal correspondence using non-partitioned induction
Academic Benchmarks Columns “Baseline”, “Reg Corr” and “Sig Corr” show geometric means.
Industrial Benchmarks In case of multiple clock domains, optimization was applied only to the domain with the largest number of registers.
Verification Results The results of VSS were verified using integrated command “dprove” Verification succeeded for all test-cases, as predicted by theory When combinational restructuring was added to VSS, runtime of verification increased 14x, while several cases timed out after a few hours Command “dprove” was applied to several families of SEC and model checking benchmarks
Conclusion Presented recent work on seq synthesis Reviewed improvements to seq verification Performed experimental evaluation Future work Enhance induction with unique-state constraints Add support for user-specified constraints Use speculative reduction as a stand-alone technique Continue adding new engines Localization, backward reachability, backward interpolation, etc