Recording Synthesis History for Sequential Verification Robert Brayton Alan Mishchenko UC Berkeley
Overview Introduction Recording synthesis history Retiming Combinational synthesis Merging sequentially equivalent nodes Window-based transformations Transformations involving observability don’t-cares Using synthesis history Verification Experiments Conclusions
Introduction Sequential synthesis promises to substantially improve the quality of hardware design – less area, fewer registers, lower power, BUT Efficient verification is needed to ensure wider adoption Sequential equivalence checking, even with limited sequential synthesis, without history is PSPACE-complete [Jiang/Brayton, TCAD’06] But synthesis history can make sequential equivalence checking “close to linear” in circuit size in many cases The focus of this presentation recording a type of synthesis history using it for sequential equivalence checking
4 AIGs Combinational AIG Boolean network of 2-input ANDs and inverters Combinational structural hashing Sequential AIG Registers are considered as special type of nodes Each register has an initial state (0, 1, or don’t-care) Sequential structural hashing [Baumgartner/Kuehlmann, ICCAD’01] Simplified sequential AIG Combinational AIG with registers as additional PIs/POs Combinational structural hashing In this work we use simplified sequential AIGs
Sequential Synthesis Combinational rewriting Retiming Register sweeping Detecting and merging seq. equivalent nodes Circuit optimization with approximate unreachable states as external don’t-cares Sequential rewriting
HAIG Recording a type of Synthesis History Two AIG managers are used Working AIG (WAIG) History AIG (HAIG) Two node mappings are supported Every node in WAIG points to its copy in HAIG Some nodes in HAIG point to other nodes in HAIG that are believed to be sequentially equivalent as a result of synthesis performed in WAIG WAIG
WAIG and HAIG WAIG (Working AIG) New logic nodes are added as synthesis proceeds Old logic cones are removed and replaced by new logic cones The fanouts of the old root are transferred to be fanouts of the new root Nodes without fanout are immediately removed Maintains accurate metrics (node count, register count, logic depth) HAIG (History AIG) As each new node is created in WAIG, a copy is found or is created in HAIG, A link between them is established Old logic cones are not removed Fanouts are not transferred Links between the HAIG nodes are established Each time a node replacement is made in WAIG, corresponding nodes are linked as sequentially equivalent in HAIG
8 Overview Introduction Recording synthesis history Retiming Transformations involving observability don’t-cares Sequential rewriting Using synthesis history Verification Experiments Conclusions
Recording History for Retiming Backward retiming is similar Step 1 Create retimed node copy Step 2 Transfer fanout Add pointer Step 3 Recursively remove old logic continue building new logic WAIG HAIG
10 Recording History with ODCs When synthesis is done with ODCs, the resulting node is not equivalent to the original node In HAIG, equivalence cannot be recorded However, there always exists a scope, outside of which functionality is preserved, e.g. a window. equivalence in HAIG can be recorded at the output boundary of this scope HAIG
11 Sequential Rewriting Sequential cut: {a,b,b 1,c 1,c} rewrite Sequential Rewriting step. Sequentially equivalent History AIG after rewriting step. The History AIG accumulates sequential equivalence classes. new nodes History AIG
12 Related AIG Procedures WAIG createAigManager deleteAigManager createNode replaceNode deleteNode_recur HAIG createAigManager deleteAigManager createNode, setWaigToHaigMapping setEquivalentHaigNodes do nothing
Using HAIG for Equivalence Checking Sequential depth of a window-based sequential synthesis transform is the maximum number of registers on any path from an input to an output of the window Theorem 1: If transforms recorded in HAIG have sequential depth no more than k, the equivalence classes of HAIG nodes can be proved by k-step induction Theorem 2: If the inductive proof of HAIG succeeds for all recorded equivalence classes, then the original and final designs are sequentially equivalent AA’ B B’ AA’ B B’ unsat #1 #2 Sequential depth = 1 HAIG1 HAIG2 k = 1
14 Conceptual Picture of HAIG HAIG is simply a sequential circuit with lots of nodes that are disconnected or redundant. It contains initial circuit A and final circuit B. There are many suggested equalities. If we prove all suggested equalities, then A=B sequentially. B outputs A B Actually B is really smeared throughout the HAIG Registers and PIs
15 Inductive Proof (k = 1) B outputs A B A A Speculative reduction Second time frame First time frame Registers and PIs = constraints Proof obligations All equalities assumed
Discussion Typical comments on verification using a synthesis history incorrect information may be passed from a synthesis tool to a verification tool incorrect information may be passed from a synthesis tool to a verification tool in the proposed methodology, history is a set of hints in the proposed methodology, history is a set of hints every step recorded must be proved every step recorded must be proved the same bugs may exist in both tools, canceling each other out the same bugs may exist in both tools, canceling each other out the inductive prover used in HAIG-based verification must be independent, BUT the inductive prover used in HAIG-based verification must be independent, BUT a HAIG prover is simple a HAIG prover is simple about 100 lines of code, compared to 2000 lines in a general prover about 100 lines of code, compared to 2000 lines in a general prover No need to handle counterexamples No need to handle counterexamples the HAIG size may grow inordinately the HAIG size may grow inordinately not our experience, plus the HAIG can be compacted to 3 bytes per node. not our experience, plus the HAIG can be compacted to 3 bytes per node.
17 Experimental Setup Benchmarks are 20 largest public circuits from ISCAS’89, ITC’97, and Altera QUIP Only 14 are shown in the tables below Runtimes are in seconds on 4x AMD Opteron 2218 with 16GB RAM under x86_64 GNU/Linux One core was used in the experiments Synthesis includes three iterations of the script: B - Balancing algebraic tree restructuring for minimizing delay Rw - Rewriting one pass of combinational AIG rewriting Rt - Retiming a fixed number (3000) of steps of forward retiming Script = (B;Rw;Rt) 3 This script was selected to make the resulting networks hard to verify (Jiang/Hung, ICCAD ’07) It represents a limited synthesis since full implementation is not done.
Synthesis Results Synthesis size and HAIG size
Comparison of verification times Entry indicates a timeout at 1000 seconds. Timeouts are truncated as 1000 seconds in computing runtime ratios.
Conclusions Motivated the use of synthesis history in SEC Presented a particular way of recording history using two AIG managers Experimentally evaluated the use of history in Sequential Equivalence Checking runtime Confirmed savings in runtime reliability Confirmed reliability
21 Future Work Use of HAIG has shown that it can make SEC inductively provable. What subset of history would suffice e.g. do not record each retiming move but only the final result, or the result of one frame. How to handle a sequential transform that includes a loop in the area of change. is it still k-inductive what is k Implement history recording for all transforms
22 Leave a trail of bread crumbs. Moral of Story: