PDR: Property Directed Reachability AKA ic3: SAT-Based Model Checking Without Unrolling Aaron Bradley University of Colorado, Boulder University of Colorado, Boulder Robert Brayton Niklas Een Alan Mishchenko University of California, Berkeley

2 Outline Motivation Motivation Sequential verification is hard (needs new engines!) Sequential verification is hard (needs new engines!) Pioneering work of Aaron Bradley Pioneering work of Aaron Bradley A surprise (3d place) winner at HWMCC’10! A surprise (3d place) winner at HWMCC’10! Remarkable features Remarkable features Efficiently tackles both SAT and UNSAT instances Efficiently tackles both SAT and UNSAT instances Lends itself to localization abstraction and parallelism Lends itself to localization abstraction and parallelism Conceptually simple, relatively tuning-free Conceptually simple, relatively tuning-free Understanding the algorithm Understanding the algorithm Pseudo-code… Pseudo-code… Experimental results and conclusions Experimental results and conclusions

3 Pioneering Work Aaron Bradley developed this algorithm after several years of work on “inductive generalization” Aaron Bradley developed this algorithm after several years of work on “inductive generalization” Preliminary work (A. R. Bradley and Z. Manna, “Checking safety by inductive generalization of counterexamples to induction”, FMCAD’07) Preliminary work (A. R. Bradley and Z. Manna, “Checking safety by inductive generalization of counterexamples to induction”, FMCAD’07) This work (A. R. Bradley, “k-step relative inductive generalization”, This work (A. R. Bradley, “k-step relative inductive generalization”, The original version of the tool to enter HWMCC’10 (ic3, The original version of the tool to enter HWMCC’10 (ic3, ic3 won the third place and only lost, by a small margin, to two mature, integrated engines (ABC and PdTRAV) ic3 won the third place and only lost, by a small margin, to two mature, integrated engines (ABC and PdTRAV)

4 Efficient Implementation Niklas Een implemented Aaron Bradley’s algorithm while taking advantage of the strengths of MiniSAT: Niklas Een implemented Aaron Bradley’s algorithm while taking advantage of the strengths of MiniSAT: Incremental interface Incremental interface Activation literals to enable/disable clauses Activation literals to enable/disable clauses Procedure AnalyzeFinal to compute an UNSAT core in terms of the original assumptions Procedure AnalyzeFinal to compute an UNSAT core in terms of the original assumptions Resource-driven recycling of the SAT solver Resource-driven recycling of the SAT solver Additionally, Niklas proposed Additionally, Niklas proposed Ternary simulation for quick cube expansion Ternary simulation for quick cube expansion New heuristics for inductive generalization New heuristics for inductive generalization Smart data-structures for clauses and proof obligations Smart data-structures for clauses and proof obligations Niklas’ implementation runs faster and proves more properties than the original implementation Niklas’ implementation runs faster and proves more properties than the original implementation

5 PDR: The Main Idea Inductive invariant is a Boolean function in terms of register variables, such that Inductive invariant is a Boolean function in terms of register variables, such that It is true for the initial states It is true for the initial states It is inductive (assuming it in one time frame leads to making it true in the next timeframe) It is inductive (assuming it in one time frame leads to making it true in the next timeframe) Init Reached Bad Invariant PDR is a way of computing an inductive invariant that does not overlap with bad states PDR is a way of computing an inductive invariant that does not overlap with bad states It is similar to interpolation, but the way of deriving the invariant is different It is similar to interpolation, but the way of deriving the invariant is different PDR has better control of the invariant, and this may explain its good performance PDR has better control of the invariant, and this may explain its good performance State space

6 PDR: The Main Idea Construct over-approximations (F 0, F 1, …, F k ) of states reachable after each time step Construct over-approximations (F 0, F 1, …, F k ) of states reachable after each time step Start with F 0 = Init, and compute other over-approximations as sets of CNF clauses Start with F 0 = Init, and compute other over-approximations as sets of CNF clauses Additionally, require that Additionally, require that Semantically (as functions): F 0 →F 1 →F 2 →... →F k Semantically (as functions): F 0 →F 1 →F 2 →... →F k Syntactically (as clause sets): F 1 ⊇ F 2 ⊇... ⊇ F k Syntactically (as clause sets): F 1 ⊇ F 2 ⊇... ⊇ F k

7 PDR: The Main Idea Termination criteria Termination criteria If an over-approximation is inductive, return UNSAT If an over-approximation is inductive, return UNSAT If a counter-example is found, return SAT If a counter-example is found, return SAT The algorithm constructs over-approximations The algorithm constructs over-approximations in a property directed way in a property directed way the property is used to decide what clauses to include the property is used to decide what clauses to include with an inductive flavor with an inductive flavor induction is used to prove that a clause holds in a frame induction is used to prove that a clause holds in a frame

8 PDR: Illustration Time frame Time frame 0 Time frame 1 Property output Primary inputs Initial State Register inputs Register outputs … State space of time frame 0 State space of time frame 1 Comb Logic Init Reached Bad a1 a2 a3 Initial states States where property fails Cubes (a1, a2, a3) are covering bad states and not including reached states. The product of their complements is a property-directed over-approximation F 1 of reachable states at frame 1.  T

9 Inductive Generalization Assume that, at some point, we have the following over- approximations of reached states: (F 0, F 1, …, F k ) Assume that, at some point, we have the following over- approximations of reached states: (F 0, F 1, …, F k ) Suppose we wish to block state s in frame i Suppose we wish to block state s in frame i We can try to find a clause c, such that c   s and add it to the set of clauses for frame i. We can try to find a clause c, such that c   s and add it to the set of clauses for frame i. Clause c can be added if it satisfies condition F i-1 ∧ T→ c Clause c can be added if it satisfies condition F i-1 ∧ T→ c Another possibility is to run a stronger inductive check F i-1 ∧ c’ ∧ T→ c where c’ is clause c expressed in terms of the current state variables Another possibility is to run a stronger inductive check F i-1 ∧ c’ ∧ T→ c where c’ is clause c expressed in terms of the current state variables We can also try to generalize (or strengthen) clause c, by removing literals, as long as the inductive check passes We can also try to generalize (or strengthen) clause c, by removing literals, as long as the inductive check passes

10 State space of time frame k-1 (all bad states are blocked by clauses) State space of time frame k (there is a bad state s that needs blocking) Init Reached(k-1) Bad a4 a5 Init Reached(k-1) Reached(k) Bad a1 a2 a3  T s’ S Consider the case when s’ is blocked by clauses in frame k-1. We can use inductive generalization to derive a new clause c blocking s in frame k, such that F k-1 ∧ c’ ∧ T→ c, where F k-1 is the product of clauses in frame k-1 and T is the transition relation. Pre-image s’ of s

11 State space of time frame k-1 (all bad states are blocked by clauses) State space of time frame k (there is a bad state s that needs blocking) Init Reach(k-1) Bad a4 a5 Init Reach(k-1) Reach(k) Bad a1 a2 a3  T s’ S Consider the case when s’ is NOT blocked by clauses in frame k-1. In this case, we schedule a proof obligation to block s’ in frame k-1. We treat s’ as a bad state in frame k-1 and try to block it recursively. Pre-image s’ of s

12 Pseudo-code PDR( AIG ) { k = 0; solver[0] = CreateSatSolver( AIG, init_state ); k = 0; solver[0] = CreateSatSolver( AIG, init_state ); forever { forever { cube = GetBadState( solver[k] ); cube = GetBadState( solver[k] ); if ( cube != NULL ) { if ( cube != NULL ) { if ( !BlockState( cube, solver[0], …, solver[k] ) ) if ( !BlockState( cube, solver[0], …, solver[k] ) ) return SAT; // found counter-example return SAT; // found counter-example } else { } else { k = k+1; solver[k] = CreateSatSolver( AIG, not_init ); k = k+1; solver[k] = CreateSatSolver( AIG, not_init ); if ( PushClauses( solver[1], …, solver[k] ) ) if ( PushClauses( solver[1], …, solver[k] ) ) return UNSAT; // found inductive invariant } } return UNSAT; // found inductive invariant } }}

13 Procedures solver CreateSatSolver( AIG, initialize ) returns a SAT solver with the AIG; optionally initializes it cube GetBadState( solver[k] ) returns a state cube failing property in the k-th frame bool BlockState( cube, solver[0], …, solver[k] ) recursively tries to block cube by adding clauses to solvers returns 1, if the cube could be blocked; 0, otherwise returns 1, if the cube could be blocked; 0, otherwise bool PushClauses( solver[0], …, solver[k] ) moves clauses in i-th frame to i+1-th frame, if they hold moves clauses in i-th frame to i+1-th frame, if they hold returns 1, if an inductive invariant is found; 0, otherwise returns 1, if an inductive invariant is found; 0, otherwise

14 Remarkable Features Efficiently tackles both SAT and UNSAT instances Efficiently tackles both SAT and UNSAT instances Often finds counter-examples that cannot be found by bounded model checking Often finds counter-examples that cannot be found by bounded model checking Often proves problems that are not proved by interpolation Often proves problems that are not proved by interpolation Amenable to localization abstraction Amenable to localization abstraction PDR solver can work in-place and increase its scope on-demand, without traversing all registers and logic gates of the design PDR solver can work in-place and increase its scope on-demand, without traversing all registers and logic gates of the design Lends itself to parallelism Lends itself to parallelism Each process working on some proof obligations and exchange clauses Each process working on some proof obligations and exchange clauses Conceptually simple, relatively tuning-free Conceptually simple, relatively tuning-free Unlike, for example, BDD-based reachability that takes lots of time to develop and leaves lots of parameters to tune Unlike, for example, BDD-based reachability that takes lots of time to develop and leaves lots of parameters to tune

15 Example of Inductive Invariant # Inductive invariant for "hwmcc08\eijkS208" # generated by PDR in ABC on Tue Dec 07 09:36: i 22.o 1.p e Flop relationships: F8 = F14 F7 = F18 & F19 & F20 & F21

16 Experiments on Hard Examples Previously Unsolved by ABC Statistics PI: number of primary inputs FF: number of flip-flops AND: number of AIG nodes

17 Experiments on Hard Examples (without simplification) Frame: timeframes covered by PDR (timeframe where inductive invariant or counter-example was found) Clauses: the number of clauses in the inductive invariant Time: runtime of PDR

18 Experiments on Hard Examples (after simplification with ‘dprove’) Frame: timeframes covered by PDR (timeframe where inductive invariant or counter-example was found) Clauses: the number of clauses in the inductive invariant Time: runtime of PDR, without simplification

19 Conclusion Presented PDR Presented PDR pioneering work of Aaron Bradley pioneering work of Aaron Bradley efficient implementation by Niklas Een efficient implementation by Niklas Een Explained how it works Explained how it works Discussed its remarkable features Discussed its remarkable features Future improvements Future improvements localization abstraction localization abstraction temporal decomposition temporal decomposition signal-clauses instead of register-clauses signal-clauses instead of register-clauses applications in logic synthesis applications in logic synthesis

20

21 Abstract This talk presents a new sequential verification algorithm pioneered by Aaron Bradley from University of Colorado, Boulder, and efficiently implemented by Niklas Een from University of California, Berkeley. The tool "ic3" based on this algorithm won the third place in Hardware Model Checking Competition at CAV 2010, only losing by a small margin to mature multi-engine systems such as PdTrav (University of Torino, Italy) and ABC (UC Berkeley). The new algorithm is elegant and straight-forward to implement. Its memory requirements are modest. There are few parameters to tune, and yet it can detect deep counter-examples beyond the scope of bounded model checking, and prove hard properties that cannot be solved by interpolation and induction. The algorithm lends itself naturally to parallelization and localization abstraction. This talk presents a new sequential verification algorithm pioneered by Aaron Bradley from University of Colorado, Boulder, and efficiently implemented by Niklas Een from University of California, Berkeley. The tool "ic3" based on this algorithm won the third place in Hardware Model Checking Competition at CAV 2010, only losing by a small margin to mature multi-engine systems such as PdTrav (University of Torino, Italy) and ABC (UC Berkeley). The new algorithm is elegant and straight-forward to implement. Its memory requirements are modest. There are few parameters to tune, and yet it can detect deep counter-examples beyond the scope of bounded model checking, and prove hard properties that cannot be solved by interpolation and induction. The algorithm lends itself naturally to parallelization and localization abstraction.

22 Speaker’s Bio Alan Mishchenko graduated from Moscow Institute of Physics and Technology (Moscow, Russia) in 1993 and Glushkov Institute of Cybernetics (Kiev, Ukraine) in From 1998 to 2002 he was an Intel-sponsored researcher at Portland State University. In 2002, he joined the EECS Department at UC Berkeley, where he is currently an associate researcher. Alan is interested in developing efficient methods for synthesis and verification. Alan Mishchenko graduated from Moscow Institute of Physics and Technology (Moscow, Russia) in 1993 and Glushkov Institute of Cybernetics (Kiev, Ukraine) in From 1998 to 2002 he was an Intel-sponsored researcher at Portland State University. In 2002, he joined the EECS Department at UC Berkeley, where he is currently an associate researcher. Alan is interested in developing efficient methods for synthesis and verification.