BVSRC Berkeley Verification and Synthesis Research Center UC Berkeley

ABC: An Academic “Industrial-Strength” Verification Tool (based on a tutorial given at CAV’10)
BVSRC Berkeley Verification and Synthesis Research Center UC Berkeley Robert Brayton, Niklas Een, Alan Mishchenko Jiang Long, Sayak Ray, Baruch Sterin Thanks to: NSF, NSA, SRC, and industrial sponsors, Actel, Altera, Atrenta, IBM, Intel, Jasper, Magma, Oasys, Real Intent, Synopsys, Tabula, and Verific

Overview General introduction to ABC
Synergy between synthesis and verification Introduction to AIGs Contrast between classical synthesis and ABC synthesis Algorithm example: re-synthesis with don’t cares using SAT and interpolation Equivalence checking Combinational and sequential Recording synthesis history as a way of reducing complexity ABC+ - orchestrated verification flow Simplification Extraction of constraints Phase abstraction Forward and minimum FF retimiing K-step induction Abstraction Speculation Last gasp: BMC, BDDs, interpolation Verification example (super_prove) Future work

ABC A synthesis and verification tool under development at Berkeley
Started 6 years ago as a replacement for SIS Academic public domain tool “Industrial-strength” Has been employed in commercial offerings of various CAD companies In both synthesis and verification Exploits the synergy between synthesis and verification

A Plethora of ABCs http://en.wikipedia.org/wiki/Abc
ABC (American Broadcasting Company) A television network… ABC (Active Body Control) ABC is designed to minimize body roll in corner, accelerating, and braking. The system uses 13 sensors which monitor body movement to supply the computer with information every 10 ms… ABC (Abstract Base Class) In C++, these are generic classes at the base of the inheritance tree; objects of such abstract classes cannot be created… Atanasoff-Berry Computer The Atanasoff–Berry Computer (ABC) was the first electronic digital computing device.[1] Conceived in 1937, the machine was not programmable, being designed only to solve systems of linear equations. It was successfully tested in 1942. ABC (supposed to mean “as simple as ABC”) A system for sequential synthesis and verification at Berkeley

Design Flow ABC - Property Checking System Specification
Verification Equivalence checking RTL ABC Logic synthesis Technology mapping Physical synthesis Manufacturing

Areas Addressed by ABC Combinational synthesis Sequential synthesis
AIG rewriting technology mapping resynthesis after mapping Sequential synthesis retiming structural register sweep merging seq. equiv. nodes Verification combinational equivalence checking bounded sequential verification unbounded sequential verification equivalence checking using synthesis history property checking (safety and liveness)

Synergy – Two Kinds The algorithms and advancements in verification can be used in synthesis, and vice versa. One enables the other Verification enables synthesis - equivalence checking capability enables acceptance of sequential transformations retiming use of unreachable states sequential signal correspondence, etc Synthesis enables verification Desire to use sequential synthesis operations (shown by superior results) spurs verification developments

Examples of The Synergy
Similar solutions e.g. retiming in synthesis / retiming in verification Algorithm migration e.g. BDDs, SAT, induction, interpolation, rewriting Related complexity scalable synthesis <=> scalable verification (approximately) Common data-structures e.g. combinational and sequential AIGs

Evidence of Synergy Between Synthesis and Verification
IBM Has a very capable sequential verification engine – SixthSense. Used throughout IBM to verify property and equivalence Designers more willing to consider sequential transformations now. ABC Sequential verification was developed to check that new algorithms were implemented correctly Example of a startup company Had developed sequential methods to reduce power Needed a verification tool to double check if their ideas and implementations were correct. Needed a tool to assure customers that results were correct.

AIGs (And-Inverter Graphs)
Why AIGs? Same reasons hold for both synthesis and verification Easy to construct, relatively compact, robust 1M AIG ~ 12Mb RAM Can be efficiently stored on disk 3-4 bytes / AIG node (1M AIG ~ 4Mb file) Unifying representation Used by all the different verification engines Easy to pass around, duplicate, save Compatible with SAT solvers Efficient AIG-to-CNF conversion available Circuit-based SAT solvers work directly on AIG “AIGs + simulation + SAT” works well in many cases

AIGs Before After Structural hashing F = abc G = (abc)’ H = abc’
Performs AIG compaction Applied on-the-fly during construction Propagates constants Makes each node structurally unique F = abc G = (abc)’ H = abc’ Before After

AIG Memory Usage Memory allocation
Use fixed amount of memory for each node Can be done by a simple custom memory manager Dynamic fanout manipulation is supported! Allocate memory for nodes in a topological order Optimized for traversal in the same topological order Mostly AIG can be stored in cache – fewer cache misses. Small static memory footprint in many applications Compute fanout information on demand

Quick Overview of “Classical” (technology independent) Logic Synthesis
Boolean network in SIS a b c d e x y f z Boolean network in SIS ab x + c a b c d e x y f z Boolean network Network manipulation (algebraic) Elimination (substituting a node into its fanouts) Decomposition (common-divisor extraction) Node minimization (Boolean) Espresso Don’t cares Resubstitution (algebraic or Boolean)

“Classical” Logic Synthesis
Boolean network in SIS a b c d e x y f z Equivalent AIG in ABC a b c d f e x y z AIG is a Boolean network of 2-input AND nodes and invertors (dotted lines)

One AIG Node – Many Cuts Combinational AIG
AIG can be used to compute many cuts for each node Each cut in AIG represents a different SIS node SIS node logic represented by AIG between cut and root. No a priori fixed boundaries Implies that AIG manipulation with cuts is equivalent to working on many Boolean networks at the same time f a b c d e Different cuts for the same node

Combinational Synthesis
AIG rewriting minimizes the number of AIG nodes without increasing the number of AIG levels Rewriting AIG subgraphs Pre-computing AIG subgraphs Consider function f = abc Rewriting node A a b c A Subgraph 1 b c a A Subgraph 2  a b c Subgraph 1 b c a Subgraph 2 a c b Subgraph 3 Rewriting node B b c a B Subgraph 2 a b c B Subgraph 1 a b c  In both cases 1 node is saved

Combinational Rewriting
iterate 10 times { for each AIG node { for each k-cut derive node output as function of cut variables if ( smaller AIG is in the pre-computed library ) rewrite using improved AIG structure } Note: For 4-cuts, each AIG node has, on average, 5 cuts compared to a SIS node with only 1 cut Rewriting at a node can be very fast – using hash-table lookups, truth table manipulation, disjoint decomposition

Combinational Rewriting Illustrated
Working AIG n n’ History AIG n n’ AIG rewriting looks at one AIG node, n, at a time A set of new nodes replaces the old fanin cone of n The rewriting can account for a better implementation which can use existing nodes in the network (DAG aware). A synthesis history can be recorded easily with AIGs the old root and the new root nodes are grouped into an equivalence class (more on this later)

Comparison of Two Syntheses
“Classical” synthesis Boolean network Network manipulation (algebraic) Elimination Decomposition (common kernel extraction) Node minimization Espresso Don’t cares computed using BDDs Resubstitution “Contemporary” synthesis AIG network DAG-aware AIG rewriting (Boolean) Several related algorithms Rewriting Refactoring Balancing Node minimization Boolean decomposition Don’t cares computed using simulation and SAT Resubstitution with don’t cares Note: here all algorithms are scalable: no SOP, no BDDs, no Espresso

Example Algorithm: Resubstitution in ABC
Illustrates computation and use of don’t cares Illustrates use of SAT and interpolation. All done in a scalable way

Windowing a Node in a Mapped Network
Window POs X = Window PIs n = 3 m = 3 Mapped network – gates or LUTS is a SIS node, gate, or FPGA LUT A window for a node in the network is the context in which the don’t-cares are computed. It includes: n levels of the TFI m levels of the TFO all re-convergent paths captured in this scope A window with its PIs and POs can be considered as a separate network

Don’t-Care Computation Framework
“Miter” constructed for the window POs C(X) AIG “care” network … n X Y Window n X Y Same window with inverter before fanout X

Resubstitution Resubstitution considers a node in a Boolean network and expresses it using a different set of fanins X X Computation can be enhanced by use of don’t cares

Resubstitution with Don’t-Cares - Overview
Consider all or some nodes in Boolean network. For each node: Create window – and care network Select candidate divisor nodes in non-fanout cone in window For each candidate subset of divisors If possible, rule it out with simulation Check resubstitution infeasibility using SAT If UNSAT, compute resubstitution function using interpolation Update the network if improvement

Resubstitution with Don’t Cares
Given: node function F(x) to be replaced care network C(x) for the node candidate set of divisors {gi(x)} Find: A resubstitution function h(y) such that F(x) = h(g(x)) on the care set Substitution Theorem: A function h(y) exists if and only if for every pair of care minterms, x1 and x2, where F(x1) != F(x2) , there exists k such that gk(x1) != gk(x2) C(x) F(x) g1 g2 g3 C(x) F(x) g1 g2 g3 h(g) = F(x)

Example of Resubstitution
Substitution Theorem: Any minterm pair that needs to be distinguished by F(x) should be distinguished by at least one of the candidates {gk(x)} Example: F(x) = (x1 x2)(x2  x3) Two candidate sets: {g1= x1’x2, g2 = x1 x2’x3}, {g3= x1  x2, g4 = x2 x3} Set {g3, g4} cannot be used for resubstitution while set {g1, g2} can (check all minterm pairs). x F(x) g1(x) g2(x) g3(x) g4(x) 000 001 010 1 011 100 101 110 111

Checking Resubstitution using SAT
Miter for resubstitution check AIG network F F Substitution Theorem: Any minterm pair needed to be distinguished by F(x) should be distinguished by at least one of the candidates {gk(x)} Note use of care set. Resubstitution function exists if and only if problem is unsatisfiable.

Computing Dependency Function h - Craig Interpolation
Consider two sets of clauses, A(x, y) and B(y, z), where y are the only variables common to A and B. A Craig interpolant of the pair (A(x, y), B(y, z)) is a function h(y) depending only on the common variables y such that A(x, y)  h(y)  B(y, z) It exists iff A(x, y)  B(y, z) = 0 A(x, y) B(y, z) h(y) Boolean space (x,y,z)

Computing Dependency Function h by Interpolation (Implementation)
Problem: Find function h(y), such that C(x)  [h(g(x))  F(x)], i.e. F(x) is expressed in terms of {gk}. Solution: Prove the corresponding SAT problem “unsatisfiable” Derive unsatisfiability resolution proof [Goldberg/Novikov, DATE’03] Divide clauses into A clauses and B clauses Derive interpolant from the unsatisfiability proof [McMillan, CAV’03] Use interpolant as the dependency function, h(g) Replace F(x) by h(g) if cost function improved A B h A B y Notes on this solution uses don’t cares does not use Espresso is more scalable

Sequential Verification
D1 Property checking miter p Property checking Create miter from the design and the safety property Special construction for liveness Biere, Artho, Schuppan Equivalence checking Create miter from two versions of the same design Assuming the initial state is given The goal is to prove that the output of the miter is 0, for all states reachable from the initial state. D2 D1 Equivalence checking miter

Sequential Equivalence Checking and Sequential Synthesis
Complexity Problem: Although iterated retiming and combinational synthesis (these two methods are scalable) has been shown to be very scalable and effective, sequential equivalence checking for this has been shown to be as hard as general sequential equivalence checking (PSPACE complete) How to make it simpler? leave a trail of synthesis transformations (History)

Recording a History Observation
Each transformation can be broken down into a sequence of small steps Combinational rewriting Sequential rewritng Retiming Using ODC’s obtained from a window How do we easily and uniformly record the history of this?

Easily Recording Synthesis History
Two AIG managers are used Normal Working AIG (WAIG) History AIG (HAIG) Combinational structural hashing is used in both managers Two node-mappings are supported Every node in WAIG points to a node in HAIG Some nodes in HAIG point to other nodes in HAIG that are sequentially equivalent WAIG HAIG

The History AIG accumulates sequential equivalence classes.
Sequential Rewriting Example (combined retiming and combinational rewriting) Sequential cut: {a,b,b1,c1,c} new nodes History AIG History AIG after rewriting step. The History AIG accumulates sequential equivalence classes. Sequentially equivalent rewrite Rewriting step.

Practicality Conceptually this is easy. Just modify each synthesis algorithm with the following Use of HAIG makes SEC easier (only coNP-complete) Practically it is more of a coding effort to record the history than we thought Since little interest so far, not fully implemented in ABC. It still might be of interest to a company that does both synthesis and verification Working AIG createAigManager <---> deleteAigManager <---> createNode <---> replaceNode <---> deleteNode_recur <---> History AIG createAigManager deleteAigManager createNode, setWaigToHaigMapping setEquivalentHaigMapping do nothing

Integrated Verification Flow
Simplification Abstraction Speculation High Effort Verification

Integrated Verification Flow
Simplification Initial fast simplification of the logic Forward retime and do FF correspondence Min FF retime Extract implicit constraints** and use them to find signal equivalences (ABC command scorr –c) Fold back the constraints add a FF so that if ever a constraint is not satisfied, make the output 0 forever after that. Trim away irrelevant inputs (do not fanout to FF or POs) Try phase abstraction (look for periodic signals) Heavy simplify (k-step signal correspondence and deep rewriting) ** (see paper of Cabodi et. al.)

Sequential SAT Sweeping (signal correspondence)
Related to combinational CEC Naïve approach Build output miter – call SAT works well for many easy problems Better approach - SAT sweeping based on incremental SAT solving detects possibly equivalent nodes using simulation candidate constant nodes candidate equivalent nodes runs SAT on the intermediate miters in a topological order refines candidates using counterexamples D1 D2 Proving internal equivalences in a topological order A B SAT-1 D C SAT-2 ?

Improved CEC For hard CEC instances Heuristic: skip some equivalences
results in 5x reduction in runtime solving previously unresolved problems Given a combinational miter with equivalence class {A, B, A’, B’} Possible equivalences: A = B, A = A’, A = B’, B = A’, B = B’, A’ = B’ only try to prove A=A’ and B=B’ do not try to prove A = B, A’ = B’, A’ = B A = B’ D2 D1 B A A’ B’

Sequential SAT Sweeping (signal correspondence)
Similar to combinational SAT sweeping detects node equivalences But the equivalences are sequential guaranteed to hold only on the reachable state space Every combinational equivalence is a sequential one  run combinational SAT sweeping first A set of sequential equivalences are proved by k-step induction Base case Inductive case Efficient implementation of induction is key!

k-step Induction Base Case (just BMC) Inductive Case ? k = 2 ?
Proving internal equivalences in a topological order in frame k+1 A B SAT-1 D C SAT-2 Assuming internal equivalences in uninitialized frames 1 through k ? PI0 PI1 PIk Candidate equivalences: {A = B}, {C = D} A B SAT-3 D C SAT-4 SAT-1 SAT-2 ? PI0 PI1 initial state Proving internal equivalences in initialized frames 1 through k k = 2 If proof of any one equivalence fails need to start over arbitrary state

Efficient Implementation
Two observations: Both base and inductive cases of k-step induction are combinational SAT sweeping problems Tricks and know-how from the above are applicable base case is just BMC The same integrated package can be used starts with simulation performs node checking in a topological order benefits from the counter-example simulation Speculative reduction Deals with how assumptions are used in the inductive case

Speculative Reduction
Assume equivalences are valid add XORs to create new POs merge fanouts, rehash logic A B D C PI0 PI1 PIk A B Adding assumptions without speculative reduction Down stream logic can be simplified. Some down stream equivalences become trivial A B Adding assumptions with speculative reduction

Integrated Verification Flow (continued)
Abstraction Use new CBA/PBA method* Uses single instance of SAT solver Uses counter-example based abstraction which is refined with proof-based abstraction Checked afterward with BMC, BDDs, and simulation for CEX’s and refined with CBA if found. * N. Een, A. Mishchenko, and N. Amla, "A single-instance incremental SAT formulation of proof- and counterexample-based abstraction". Proc. IWLS'10.

Counterexample-Based Abstraction (CBA)
start with set of FF, A = Ø (all flops are PIs) abstraction engine will add flops to A (concretize flops) new flops will refute spurious counterexamples x0 x1 x2 x3 x4 s0 s1 s2 ~Property 1 1 1 &

Proof-Based Abstraction (PBA)
Starts with an UNSAT k-trace Inspects the proof: flops not present are abstracted. Benefit: More precise than CBA. Drawback: Have to unroll the full design. In contrast, CBA starts with a very small design.

Combined Abstraction Use CBA to grow the abstraction bottom up.
Apply PBA only on the current abstraction (not the full design) when k frames is UNSAT Do everything in a single incremental SAT instance. depth 0: SAT, SAT, SAT, SAT, UNSAT depth 1: SAT, UNSAT depth 2: SAT, SAT, SAT, UNSAT … Depth = # frames unrolled.

Incremental SAT Extend the solve() method in MiniSat:
Accept as input a set of literals to be treated as unit clauses for this call only. For UNSAT results, output the subset of those literals used in the proof. Very minor extension of a modern SAT solver Allows PBA to be done without proof-logging (major extension).

a → (f [k+1] ↔ fin[k]), all k
Activation Literals Assumptions to solve() allow selectively activating constraints: a → (f [k+1] ↔ fin[k]), all k where a is an activation literal, f is a flop Every flop in the BMC trace has its own activation literal. All activation literals are passed as assumptions to solve(). The set returned by solve() can be used for PBA.

Speculation ** Especially useful for SEC Simulation used to find candidate equivalences. These are equivalences that we could not prove by induction (sequential SAT sweeping) These are used to build a “speculative miter” The result is double-checked with BMC, BDDs or simulation for CEX’s and refined if necessary. ** H. Mony, J. Baumgartner, V. Paruthi, and R. Kanzelman, “Exploiting suspected redundancy without proving it”. Proc. DAC’05.

Speculative Reduced Miter (SRM)
Assume candidate equivalences are valid Merge fanouts, rehash logic, add XORs to create new POs New POs are proof obligations The result is a Speculatively Reduced Model (SRM) SRM is UNSAT iff all candidate equivalences hold! Equivalences include original outputs (= 0) SRM has a different circuit structure SRM is often easier to prove Can try to prove each output separately. A B Adding assumptions without speculative reduction Adding assumptions with speculative reduction

Speculation Shortcut At any step, have BMC with k frames, where all equivalences that remain, hold for the k frames At next frame some equivalences fail to not hold Can still use old SRM up through frame k No need to remove disproved equivalences Just add clauses topologically up to next equivalence Prove it and merge fanouts or Disprove it and just continue to next equivalence Already learned clauses can be kept Uses only one SAT instance just keep adding clauses to it SRM1 SRM2 SRM3 SRM4 SRM5 SRMk

Final high-effort verification (prove or disprove) Prove: (give long run-time limits and/or large conflict limits) Try BDD reachability if problem small enough (< 200 PI, < 200 FFs) Try interpolation Try induction In rare cases, can prove outputs using induction. Disprove: (give large run-time and conflict limits) Try heavy BMC on initial simplified circuit (before abstraction or speculation done).

Interpolation Input: Sequential AIG with single output representing a property Property holds when the output is 0 Method: Over-approximate reachability analysis Using over-approximations, instead of exact sets of reachable states Output: Proof that the property holds, or a real CEX is provided, or “undecided” Implementation: A sequence of SAT calls on unrolled time-frames that is similar to BMC A B ~property inter2 inter1 T1 T2 T3 Tn Ik L interpolant P=1 UNSAT

BDD-Based Reachability
Still an important back-end of the verification flow Also useful to find CEX’s during abstraction and speculation refinement Several ideas, old and new, can be put together to implement a new improved engine New method for hypergraph partitioning Use of several BDD managers Long live BDDs! BDD We tried to ban BDDs in ABC

Examples of Running ABC+
Example 1 of simplifying and final proof with interpolation Prove python code Example 2 of refinement after speculation Super_prove python code Example 3 of super_prove Example 4 of speculation before abstraction

Example (use of prove) Read_file IE1.aig
PIs = 532, POs = 1, FF = 2389, ANDs = 12049 prove Simplifying Number of constraints = 3 Forward retiming, quick_simp, scorr_constr, trm: PIs = 532, POs = 1, FF = 2342, ANDs = 11054 Simplify: PIs = 532, POs = 1, FF = 2335, ANDs = 10607 Phase abstraction: PIs = 283, POs = 2, FF = 1460, ANDs = 8911 quick_verify Abstracting Initial abstraction: PIs = 1624, POs = 2, FF = 119, ANDs = 1716, max depth = 39 Testing with BMC bmc3 -C T 50 -F 78: No CEX found in 51 frames Latches reduced from 1460 to 119 Simplify: PIs = 1624, POs = 2, FF = 119, ANDs = 1687, max depth = 51 Trimming: PIs = 158, POs = 2, FF = 119, ANDs = 734, max depth = 51 Simplify: PIs = 158, POs = 2, FF = 119, ANDs = 731, max depth = 51 Speculating Initial speculation: PIs = 158, POs = 26, FF = 119, ANDs = 578, max depth = 51 Fast interpolation: reduced POs to 24 bmc3 -C T 75: No CEX found in 1999 frames PIs = 158, POs = 24, FF = 119, ANDs = 578, max depth = 1999 Simplify: PIs = 158, POs = 24, FF = 119, ANDs = 535, max depth = 1999 Trimming: PIs = 86, POs = 24, FF = 119, ANDs = 513, max depth = 1999 Verifying Running reach -v -B F T 75: BDD reachability aborted RUNNING interpolation with conflicts, 50 sec, max 100 frames: 'UNSAT‘ Elapsed time: seconds, total: seconds Example (use of prove) 57

NOTES: The file IE1.aig is first read in and its statistics are reported as 532 primary inputs, 1 output, 2389 flip-flops, and AIG nodes. 3 implicit constraints were found, but they were only mildly useful in simplifying the problem. Phase abstraction found a cycle of length 2 and this was useful for simplifying the problem to 1460 FF from 2335 FF. Note that the number of outputs increased to 2 because the problem was unrolled 2 time frames. Abstraction was very successful in reducing the FF count to 119. This was proved valid out to 39 time frames. BMC verified that the abstraction produced is actually valid at least to 51 frames, which gives us good confidence that the abstraction is valid for all time. Trimming reduced the inputs relevant to the abstraction from 1624 to 158 and simplify reduced the number of AIG nodes to 731. Speculate produced a speculative reduced model (SRM) with 24 new outputs to be proved and low resource interpolation proved 2 of them. The SRM model is simpler and has only 578 AIG nodes. The SRM was tested with BMC and proved valid out to 1999 frames. Subsequent trimming and simplification reduced the PIs to 86 and the AIG nodes to 513. The final verification step first tried BDD reachability allowing it 75 sec. and to grow to up to 1M BDD nodes. It could not converge with these resources so it was aborted. Then interpolation was able to prove UNSAT, and hence all 24 outputs are proved. Although quick_verify was applied between simplification and abstraction, and between abstraction and speculation, it was not able to prove anything, so its output is not shown. The total time for this proof was 457 sec. run on a Lenovo X301 laptop. 58

Python Code for prove def prove(a): global x_factor,xfi,f_name
max_bmc = -1 K = 0 set_globals() status = pre_simp() if status <= Unsat: return RESULT[status] ABC('trm') ABC('write backup 0’) K = K +1 if ((n_ands() < 30000) and (a == 1) and (n_latches() < 300)): status = quick_verify(0) if ((status == Unsat) or (status == Sat)): return RESULT[status]' status = abstract() status = process_status(status) if ((status <= Unsat) or status == Error): ABC('write backup 1’) if status == Undecided_reduction: status = quick_verify(1) status = process_status(status) if status <= Unsat: if status == Sat: status = final_verify_recur(K-1) return RESULT[status] if n_ands() > 15000: K = 2 else: status = speculate() ABC('trm') if ((status == Unsat) or status == Error): if status == Sat: K = K-1 ABC('write backup 2’) K = K +1 status = final_verify_recur(K)

Python Code for pre_simp
def pre_simp(): """This uses a set of simplification algorithms which preprocesses a design. Includes forward retiming, quick simp, signal correspondence with constraints, trimming away PIs, and strong simplify""" set_globals() try_forward() quick_simp() status = try_scorr_constr() if ((n_ands() > 0) or (n_latches()>0)): abc('trm') print 'Forward, quick_simp, scorr_constr,: ', print_circuit_stats() status = process_status(status) if status <= Unsat: return status simplify() print 'Simplify: ', print_circuit_stats() if n_latches() == 0: return check_sat() try_phase() if ((n_ands() > 0) or (n_latches()>0)): abc('trm') status = process_status(status) if status <= Unsat: return status status = try_scorr_constr() return process_status(status)

Python Code for simplify
def simplify(): n=n_ands() abc('scl') if n > 30000: abc('&get;&scl;&put') n = n_ands() if n < : abc("&dc2;&put;dr;&get;&lcorr;&dc2;&put; dr;&get;&scorr;&fraig;&dc2;&put;dr") if n<45000: abc("&get;&scorr -F 2;&put;dc2rs") else: abc("dc2rs") if n <= 30000: if n > 15000: abc("scorr -F 2;dc2rs") n = max(1,n_ands()) if n < 20000: # try deeper k-step induction m = int(min( 60000/n, 16) if m >= 4: j = 4 while j <= m: set_size() abc('scl;dr;dc2;scorr -C F %d'%j) if check_size() == 1: break j = 2*j continue

Example 2 (cont.) Refinement after speculation Running speculate
Running &equiv2 with C = , T = sec., F = 200 -S 1 -R 25 Initial speculation: PIs = 587, POs = 52, FF = 111, ANDs = 1880, max depth = 46 RUNNING simulation iteratively Iterating BMC or BDD reachability Running bmc3 -C T F CEX in frame 20 for output 40 Spec. Red. Miter: PIs = 587, POs = 48, FF = 115, ANDs = 1937, max depth = 46 . . . Running bmc3 -C T F CEX in frame 20 for output 34 Spec. Red. Miter: PIs = 587, POs = 47, FF = 115, ANDs = 1938, max depth = 46 ……….. Running bmc3 -C T F CEX in frame 33 for output 9 Spec. Red. Miter: PIs = 587, POs = 28, FF = 116, ANDs = 1898, max depth = 46 No cex found in 91 frames WRITING tst22_smp_abs_spec.aig: PIs = 477, POs = 28, FF = 116, ANDs = 1898, max depth = 91 Verifying backup number 2: PIs = 477, POs = 28, FF = 116, ANDs = 1898, max depth = 91 . . . RUNNING interpolation with conflicts, 50 sec, max 100 frames WRITING tst22_smp_abs_spec_final.aig: PIs = 476, POs = 28, FF = 115, ANDs = 1810, max depth = 91 Total time taken by prove = sec. Out[6]: 'UNSAT'

super_prove If the final result is undecided and there is more than one output caused by speculation: prove easy outputs first (by induction and interpolation) use prove second time on reduced multiple output result use prove on each output separately

super_prove def super_prove():
“””Does initial prove. If after speculation there are multiple outputs left, it will try to prove each output separately in reverse order. It will quit if an output is proved SAT. If still undecided, it will try “deep” proving (Reachability or Interpolation) or disproving (BMC) on original simplified version.""" global max_bmc, init_initial_f_name, initial_f_name init_initial_f_name = initial_f_name max_bmc = -1 x = time.clock() result = prove(0) # Initial prove print result if not result == 'UNDECIDED': print 'Total time taken by super_prove = %f sec.'%(time.clock() - x) return result if n_pos() > 1: result = prove_g_pos(0) # Prove each output separately after #second prove try if result == 'UNSAT': y = time.clock() result = BMC_VER_result(1) # Do deep prove or disprove print 'Total time taken by last gasp verification = %f sec.'%(time.clock() - y) print 'Total time = %f sec.'%(time.clock() - x)

Example 3 Solved by speculation and proving each output separately IE3
PIs = 30, POs = 1, FF = 965, ANDs = 7408 Executing super_prove Initial: PIs = 30, POs = 1, FF = 965, ANDs = 7408 Running pre_simp Forward, quick_simp, scorr_comp, trm: PIs = 30, POs = 1, FF = 776, ANDs = 7073 . . . Simplify: PIs = 30, POs = 1, FF = 688, ANDs = 5362 WRITING IE3_smp.aig: PIs = 30, POs = 1, FF = 688, ANDs = 5362 Running abstract Start: PIs = 30, POs = 1, FF = 688, ANDs = 5362 Abstraction good to 30 frames First abstraction: PIs = 503, POs = 1, FF = 215, ANDs = 2223, max depth = 30 Running simulation iteratively Iterating BMC or BDD reachability New abstraction: PIs = 503, POs = 1, FF = 215, ANDs = 2223, max depth = 30 RUNNING bmc3 -C T F 60 No CEX found in 59 frames Latches reduced from 688 to 215 WRITING IE3_smp_abs.aig: PIs = 213, POs = 1, FF = 215, ANDs = 2223, max depth = 59 Running quick_verify . . . After trimming: PIs = 213, POs = 1, FF = 215, ANDs = 2052, max depth = 59 RUNNING interpolation with conflicts, max 20 sec and 100 frames . . . No success, max_depth = 59

Example 3 (cont.) Running speculate
Running &equiv2 with C = , T = sec., F = 200 -S 1 -R 25 Initial speculation: PIs = 213, POs = 32, FF = 212, ANDs = 2051, max depth = 59 RUNNING simulation iteratively Iterating BMC or BDD reachability Running bmc3 -C T F No cex found in 117 frames WRITING IE3_smp_abs_spec.aig: PIs = 213, POs = 32, FF = 212, ANDs = 2051, max depth = 117 Verifying backup number 2: PIs = 213, POs = 32, FF = 212, ANDs = 2051, max depth = 117 . . . RUNNING interpolation with conflicts, 50 sec, max 100 frames Undecided WRITING IE3_smp_abs_spec_final.aig: PIs = 213, POs = 32, FF = 212, ANDs = 1960, max depth = 117 Time taken = sec.

Example 3 (cont.) ********** Proving each output separately ************ [4, 5, 7, 8, 28, 30] Reduced POs from 32 to 20 Proving output 19 Initial: PIs = 213, POs = 1, FF = 207, ANDs = 1901 Running pre_simp Forward, quick_simp, scorr_comp, trm: PIs = 212, POs = 1, FF = 197, ANDs = 1899 . . . Simplify: PIs = 212, POs = 1, FF = 197, ANDs = 1890 Running abstract Start: PIs = 212, POs = 1, FF = 197, ANDs = 1890 Abstraction good to 332 frames First abstraction: PIs = 353, POs = 1, FF = 56, ANDs = 780, max depth = 332 Running simulation iteratively Iterating BMC or BDD reachability New abstraction: PIs = 353, POs = 1, FF = 56, ANDs = 780, max depth = 332 RUNNING bmc3 -C T F 664 No CEX found in 663 frames Latches reduced from 197 to 56 Running quick_verify . . . After trimming: PIs = 217, POs = 1, FF = 56, ANDs = 744, max depth = 663 RUNNING interpolation with conflicts, max 20 sec and 100 frames Interpolation went to in 663 frames Time for proof = sec. ******** PROVED OUTPUT 19 ******** ….

Example 3 (cont.) … Time for proof = 7.381485 sec.
******** PROVED OUTPUT 1 ******** Proving output 0 Initial: PIs = 213, POs = 1, FF = 207, ANDs = 1902 Forward, quick_simp, scorr_comp, trm: PIs = 212, POs = 1, FF = 197, ANDs = 1900 . . . Simplify: PIs = 212, POs = 1, FF = 197, ANDs = 1891 Running abstract First abstraction: PIs = 385, POs = 1, FF = 24, ANDs = 305, max depth = 230 Running simulation iteratively Iterating BMC or BDD reachability New abstraction: PIs = 385, POs = 1, FF = 24, ANDs = 305, max depth = 230 RUNNING bmc3 -C T F 460 No CEX found in 459 frames Latches reduced from 197 to 24 Running quick_verify . . . After trimming: PIs = 102, POs = 1, FF = 24, ANDs = 293, max depth = 459 RUNNING interpolation with 6387 conflicts, max 12 sec and 100 frames Interpolation went to in 459 frames Time for proof = sec. ******** PROVED OUTPUT 0 ******** Proved all outputs. The problem is proved UNSAT Total time = sec. Total time taken by super_prove = sec. Out[12]: 'UNSAT' Example 3 (cont.)

Example 4 SEC problem - got bad abstraction after ABSTRACT
~/abc/aig/> ~/baruch/pyabc/bin/super_prove_noisy smvhd3_prop0_fixed2.aig Initial: PIs = 97, POs = 1, FF = 972, ANDs = 6199 x_factor = Running pre_simp RUNNING signal correspondence with constraints Forward, quick_simp, scorr_constr, trm: PIs = 97, POs = 1, FF = 845, ANDs = 6056 . . PIs = 97, POs = 1, FF = 813, ANDs = 5661 . Simplify: PIs = 97, POs = 1, FF = 800, ANDs = 5391 WRITING smvhd3_prop0_fixed2_smp.aig: PIs = 97, POs = 1, FF = 800, ANDs = 5391 Running abstract Start: PIs = 97, POs = 1, FF = 800, ANDs = 5391 Neen abstraction params: Bob = 20, Method #3, conflicts, 5 stable, 62 sec., 200 frames Abstraction good to 12 frames First abstraction: PIs = 248, POs = 1, FF = 649, ANDs = 4798, max depth = 12 Running simulation iteratively Iterating BMC or BDD reachability New abstraction: PIs = 248, POs = 1, FF = 649, ANDs = 4798, max depth = 12 RUNNING bmc3 -C T F 18 CEX in frame 12 for output 0 New abstraction: PIs = 235, POs = 1, FF = 662, ANDs = 4868, max depth = 12

::::::::::::::::::::::::::::::::::: repeated many times
New abstraction: PIs = 213, POs = 1, FF = 684, ANDs = 4948, max depth = 12 RUNNING bmc3 -C T F 18 CEX in frame 12 for output 0 New abstraction: PIs = 212, POs = 1, FF = 685, ANDs = 4951, max depth = 12 No CEX found in 14 frames Latches reduced from 800 to 685 WRITING smvhd3_prop0_fixed2_smp_abs.aig: PIs = 207, POs = 1, FF = 685, ANDs = 4951, max depth = 14 Running quick_verify . . PIs = 207, POs = 1, FF = 685, ANDs = 4917, max depth = 14 . After trimming: PIs = 198, POs = 1, FF = 683, ANDs = 4825, max depth = 14 RUNNING interpolation with conflicts, max 20 sec and 100 frames . . PIs = 198, POs = 1, FF = 683, ANDs = 4825, max depth = 14 . No success, max_depth = 14 Running speculate Running &equiv2 with C = , T = sec., F = 200 -S 1 -R 25 Initial speculation: PIs = 198, POs = 569, FF = 370, ANDs = 3803, max depth = 14 RUNNING simulation iteratively

Iterating BMC or BDD reachability
Running bmc3 -C T F CEX in frame 20 for output 273 Spec. Red. Miter: PIs = 198, POs = 576, FF = 371, ANDs = 3842, max depth = 19 . . PIs = 198, POs = 576, FF = 218, ANDs = 1364, max depth = 19 Running bmc3 -C T F CEX in frame 20 for output 329 Spec. Red. Miter: PIs = 198, POs = 575, FF = 371, ANDs = 3839, max depth = 19 . . PIs = 198, POs = 575, FF = 218, ANDs = 1360, max depth = 19 BMC/Reach found true cex: Output = 0, Frame = 21 (Thus ABSTRACT gave bad model) WRITING smvhd3_prop0_fixed2_smp_abs_spec.aig: PIs = 130, POs = 575, FF = 182, ANDs = 1150, max depth = 21, CEX depth = 21 CEX in frame 21 Trying speculate on initial backup number 0: PIs = 97, POs = 1, FF = 800, ANDs = 5391, max depth = 21 Running &equiv2 with C = , T = sec., F = 200 -S 1 -R 25 Initial speculation: PIs = 97, POs = 597, FF = 507, ANDs = 4595, max depth = 21 RUNNING simulation iteratively Running bmc3 -C T F CEX in frame 19 for output 324 Spec. Red. Miter: PIs = 97, POs = 595, FF = 507, ANDs = 4595, max depth = 21

::::::::::::::::::::::::::::::::::::::::::::::::: repeated many times
Spec. Red. Miter: PIs = 97, POs = 585, FF = 512, ANDs = 4677, max depth = 63 . . PIs = 97, POs = 585, FF = 296, ANDs = 1674, max depth = 63 . Running bmc3 -C T F No cex found in 93 frames RUNNING interpolation with conflicts, 50 sec, max 100 frames . . PIs = 97, POs = 585, FF = 276, ANDs = 1536, max depth = 93 Size unchanged in new SRM . Undecided WRITING smvhd3_prop0_fixed2_smp_abs_spec_final.aig: PIs = 47, POs = 585, FF = 276, ANDs = 1526, max depth = 93 Time for proof = sec. UNDECIDED but reduced Beginning prove_g_pos Number of outputs reduced to 5 by induction and fast interpolation

************Trying second level prove****************
Initial: PIs = 47, POs = 5, FF = 276, ANDs = 1524, max depth = 93 x_factor = Running pre_simp Forward, quick_simp, scorr_constr, trm: PIs = 47, POs = 5, FF = 276, ANDs = 1524, max depth = 93 . . PIs = 47, POs = 5, FF = 276, ANDs = 1524, max depth = 93 . Simplify: PIs = 47, POs = 5, FF = 276, ANDs = 1524, max depth = 93 WRITING smvhd3_prop0_fixed2_smp_abs_spec_final_smp.aig: PIs = 47, POs = 5, FF = 276, ANDs = 1524, max depth = 93 Running abstract Start: PIs = 47, POs = 5, FF = 276, ANDs = 1524, max depth = 93 Neen abstraction params: Bob = 190, Method #3, conflicts, 5 stable, 62 sec., 1395 frames Abstraction good to 29 frames First abstraction: PIs = 297, POs = 5, FF = 26, ANDs = 190, max depth = 93 Running simulation iteratively Iterating BMC or BDD reachability New abstraction: PIs = 297, POs = 5, FF = 26, ANDs = 190, max depth = 93 RUNNING bmc3 -C T F 139 No CEX found in 93 frames Latches reduced from 276 to 26 (Now ABSTRACT works well) WRITING smvhd3_prop0_fixed2_smp_abs_spec_final_smp_abs.aig: PIs = 93, POs = 5, FF = 26, ANDs = 190, max depth = 93

Running quick_verify . . PIs = 93, POs = 5, FF = 26, ANDs = 181, max depth = 93 Size unchanged in new SRM . After trimming: PIs = 93, POs = 5, FF = 26, ANDs = 181, max depth = 93 RUNNING interpolation with 6004 conflicts, max 12 sec and 100 frames undecided Running reachx -t 12 Reachability went to -1 frames, UNSAT WRITING smvhd3_prop0_fixed2_smp_abs_spec_final_smp_abs_final.aig: PIs = 93, POs = 5, FF = 26, ANDs = 181, max depth = 93 Time for second level prove = sec. Second prove returned UNSAT Total time taken by super_prove = sec.

Verification Engines (Summary)
Simplifiers Combinational synthesis Sequential synthesis Retiming Sequential SAT sweeping (k-step induction) Re-parametrization (not implemented yet in ABC currently) Retiming (most forward and minimum FF) Bug-hunters (also part of abstraction methods) random simulation (sequential) bounded model checking (BMC) hybrid of simulation and BMC (“semi-formal”) BDD reachability Provers K-step induction, with and without constraints Interpolation (over-approximate reachability) BDDs (exact reachability) Explicit state space enumeration (‘era’)

Future Work Improved BDD reachability engine (we hope)
We have three One is quite weak (HWMCC’08) We have just integrated a better one May have a much better one later. Improved interpolation engine Working on a new version Improved circuit-based SAT solver Currently used in signal correspondence to simplify larger circuits Faster but sometimes limited quality Will be improved to see if it can compete with MiniSat 1.14c

To Learn More Read recent papers Send Visit BVSRC webpage

BVSRC Berkeley Verification and Synthesis Research Center UC Berkeley

Similar presentations

Presentation on theme: "BVSRC Berkeley Verification and Synthesis Research Center UC Berkeley"— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

BVSRC Berkeley Verification and Synthesis Research Center UC Berkeley

Similar presentations

Presentation on theme: "BVSRC Berkeley Verification and Synthesis Research Center UC Berkeley"— Presentation transcript:

Similar presentations

About project

Feedback