Resolution Proofs for Combinational Equivalence


1 Resolution Proofs for Combinational Equivalence
Satrajit Chatterjee, Alan Mishchenko, Robert Brayton, Andreas Kuehlmann
DAC, 6 Jun 2007

2 Motivation
- Modern combinational equivalence checking (CEC) engines are difficult to verify
  - Several thousand lines of code
- How can we trust a CEC program when it claims that two circuits are equivalent?
  - When it claims they are different, it produces an input vector to distinguish them: a proof of inequivalence
- Solution: Require the CEC engine to produce a proof of equivalence
  - The program that checks the correctness of the proof is much simpler than the CEC engine
  - The proof can be verified without knowledge of the inner workings of the CEC engine
- The “language” of our proofs is resolution

3 Outline
- Resolution Proofs for Naïve CEC
- Review of Modern CEC
- Proof Generation in Modern CEC
- Conclusions

4 Resolvent
A resolvent is a clause implied by two clauses in a SAT instance.
Step 1: A SAT instance C
1. (~p + a)  2. (~p + b)  3. (p + ~a + ~b)
4. (~q + a)  5. (~q + b)  6. (q + ~a + ~b)
7. (p + q + ~z)  8. (p + ~q + z)  9. (~p + q + z)  10. (~p + ~q + ~z)
11. (z)
Step 2: The resolvent of clauses 3 and 4 (w.r.t. a) is the clause (p + ~b + ~q)
Step 3: Adding the resolvent to the original set does not alter satisfiability (this is not a definition of resolvent, but a property)
C’ = C together with the resolvent (p + ~b + ~q)
It can be checked that C’ is satisfiable if and only if C is.

5 Resolution Proofs
A resolution proof is a sequence of resolvents ending in the empty clause.
Step 1: Original set of clauses C
1. (~p + a)  2. (~p + b)  3. (p + ~a + ~b)
4. (~q + a)  5. (~q + b)  6. (q + ~a + ~b)
7. (p + q + ~z)  8. (p + ~q + z)  9. (~p + q + z)  10. (~p + ~q + ~z)
11. (z)
Step 2: Sequence of resolvents
12. (p + ~b + ~q) (from 3 and 4)
13. (p + ~q) (from 5 and 12)
14. (~p + q + ~a) (from 2 and 6)
15. (~p + q) (from 1 and 14)
16. (~p + ~q) (from 10 and 11)
17. (p + q) (from 7 and 11)
18. (~q) (from 13 and 16)
19. (q) (from 15 and 17)
20. () (from 18 and 19)
- If the empty clause, i.e. (), is derived by resolution then the original set of clauses is UNSAT
- A resolution step indicates which clauses were resolved
- The empty clause can only be derived from two contradictory clauses such as (q) and (~q)
- Therefore, if the empty clause is derived, then the instance is UNSAT
- Thus the sequence of resolution steps 12 to 20 forms a proof of unsatisfiability of C if () is derived at the end.

6 Generating Resolution Proofs
- A SAT solver can be modified to produce a resolution proof if the instance is unsatisfiable
  - Zhang and Malik (2003) modified zChaff to produce resolution proofs
  - Goldberg and Novikov (2003) presented an alternative method that needs minimal modification to the SAT solver
- It is much easier to verify that a sequence of resolution steps is correct than it is to verify that the SAT solver is correct.

7 Outline
- Resolution Proofs for Naïve CEC
- Review of Modern CEC
- Proof Generation in Modern CEC
- Conclusions

8 Combinational Equivalence Checking
We are given two combinational circuits and asked to check if they are equivalent or not.
A simple instance of CEC that we will use as a running example:
[Figure: circuit 1 with output p and circuit 2 with output q, both over inputs a and b]
The CEC problem: Are outputs p and q functionally equivalent?

9 A Simple Reformulation
The CEC problem is equivalent to checking if the output of the miter of the two circuits is identically 0 or not.
[Figure: circuits 1 and 2 (inputs a, b; outputs p, q) and the miter of circuits 1 and 2 with output z]
Circuits 1 and 2 are equivalent if and only if z is identically 0.

10 Naïve CEC
The CEC problem is formulated as a SAT instance by adding clauses for each gate and asserting the miter output to be true.
[Figure: the miter, with inputs a, b, nets p, q and output z]
Corresponding SAT instance C:
Clauses for each gate in the miter:
1. (~p + a)  2. (~p + b)  3. (p + ~a + ~b)
4. (~q + a)  5. (~q + b)  6. (q + ~a + ~b)
7. (p + q + ~z)  8. (p + ~q + z)  9. (~p + q + z)  10. (~p + ~q + ~z)
Unit clause asserting the output is 1, i.e. p and q are different:
11. (z)
The two circuits are equivalent if and only if C is UNSAT.

11 Proof of Combinational Equivalence
A proof of unsatisfiability of the corresponding SAT instance is a proof of combinational equivalence.
[Figure: the miter, with inputs a, b, nets p, q and output z]
SAT instance:
1. (~p + a)  2. (~p + b)  3. (p + ~a + ~b)
4. (~q + a)  5. (~q + b)  6. (q + ~a + ~b)
7. (p + q + ~z)  8. (p + ~q + z)  9. (~p + q + z)  10. (~p + ~q + ~z)
11. (z)
Proof of UNSAT (from the SAT solver):
12. (p + ~b + ~q) (from 3 and 4)
13. (p + ~q) (from 5 and 12)
14. (~p + q + ~a) (from 2 and 6)
15. (~p + q) (from 1 and 14)
16. (~p + ~q) (from 10 and 11)
17. (p + q) (from 7 and 11)
18. (~q) (from 13 and 16)
19. (q) (from 15 and 17)
20. () (from 18 and 19)
This is a proof of combinational equivalence of p and q.

12 Proof Verification
Verifying the proof for combinational equivalence is easy.
[Figure: the miter (inputs a, b; nets p, q; output z) and the proof, consisting of the original clauses (1. (~p + a), 2. (~p + b), 3. (p + ~a + ~b), ...) and the sequence of resolution steps (Resolve 3 and 4, Resolve 5 and 12, Resolve 2 and 6, ...), are fed to the Proof Verifier]
The Proof Verifier does the following:
- Ensures that only clauses from the miter are in the original clauses
- Performs the sequence of resolution steps
- Ensures that the empty clause is derived at the end
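The verifier just described, as an added example in Python (not the authors' code): it replays the resolution steps of slides 5 and 11 over the eleven miter clauses, rejects any step whose two parents do not have exactly one complementary literal, and accepts only if the final step yields the empty clause. The variable numbering p=1, q=2, a=3, b=4, z=5 is an assumption of the example, and the first verifier duty (that the original clauses really come from the miter) is assumed to be done by whoever builds MITER_CLAUSES.

```python
# Added example: a checker for the resolution proof of slides 5 and 11.
# A literal is a non-zero int (negative = negated); a clause is a frozenset of literals.
# Variable numbering (an assumption of this example): p=1, q=2, a=3, b=4, z=5.

MITER_CLAUSES = {                     # the 11 original clauses of the miter instance C
    1: {-1, 3}, 2: {-1, 4}, 3: {1, -3, -4},                          # p = a AND b
    4: {-2, 3}, 5: {-2, 4}, 6: {2, -3, -4},                          # q = a AND b
    7: {1, 2, -5}, 8: {1, -2, 5}, 9: {-1, 2, 5}, 10: {-1, -2, -5},   # z = p XOR q
    11: {5},                                                          # assert z = 1
}

PROOF_STEPS = [                       # (new clause id, parent id, parent id), as on slide 5
    (12, 3, 4), (13, 5, 12), (14, 2, 6), (15, 1, 14), (16, 10, 11),
    (17, 7, 11), (18, 13, 16), (19, 15, 17), (20, 18, 19),
]

def resolve(c1, c2):
    """Resolvent of c1 and c2, or None unless exactly one pivot literal exists."""
    pivots = {l for l in c1 if -l in c2}
    if len(pivots) != 1:              # 0: not resolvable; 2+: the resolvent is a tautology
        return None
    (v,) = pivots
    return (c1 - {v}) | (c2 - {-v})

def check_proof(original, steps):
    """Replay `steps` over `original`; return every clause (original and derived)
    if each step is a valid resolution and the last step derives the empty clause."""
    clauses = {i: frozenset(c) for i, c in original.items()}
    for new_id, a, b in steps:
        if new_id in clauses or a not in clauses or b not in clauses:
            raise ValueError(f"step {new_id}: bad clause reference")
        r = resolve(clauses[a], clauses[b])
        if r is None:
            raise ValueError(f"step {new_id}: clauses {a} and {b} do not resolve")
        clauses[new_id] = r
    if not steps or clauses[steps[-1][0]]:
        raise ValueError("last step did not derive the empty clause")
    return clauses

if __name__ == "__main__":
    derived = check_proof(MITER_CLAUSES, PROOF_STEPS)
    print("proof checks out: C is UNSAT, so p and q are equivalent")
    print("clause 13 =", sorted(derived[13]))   # [-2, 1], i.e. (p + ~q)
```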

13 Outline
- Resolution Proofs for Naïve CEC
- Review of Modern CEC
- Proof Generation in Modern CEC
- Conclusions

14 Modern CEC
- Modern CEC engines do not construct a monolithic SAT instance
- Modern CEC methods are transformational
  - Detect functional redundancies in the miter
  - Simplify the miter using the detected redundancies
  - The SAT solver may not even be invoked
[Figure: the miter (inputs a, b; nets p, q; output z) being simplified step by step]
Goal: Generate a single resolution proof for modern CEC just as in the naïve case

15 Main Techniques in Modern CEC
Main Transformational Techniques:
- Structural Hashing
- Functional Hashing
- Logic Re-writing
Next: Distill these techniques down to a small set of basic atomic operations

16 Structural Hashing
Structural Hashing = Structural Identification + Fanout Transfer
[Figure: miter before and after structural hashing; gates G and H drive nets p and q from inputs a and b]
1. Since both G and H are And gates and have the same inputs, nets p and q are functionally equivalent by structural identification
2. Therefore, the fanouts of q can be driven by p, thus simplifying the circuit

17 Functional Hashing
Functional Hashing = Functional Identification + Fanout Transfer
Functional Identification:
1. Use random simulation to detect candidate pairs of nets that may be equivalent
2. Formulate two smaller SAT instances to check that a pair of nets is indeed equivalent
[Figure: the miter (inputs a, b; nets p, q; output z); random simulation would indicate p and q may be equivalent]
The SAT solver is not called on the whole miter, but only on a portion of the miter.
The two SAT instances to check equivalence of p and q:
First instance:
1. (~p + a)  2. (~p + b)  3. (p + ~a + ~b)
4. (~q + a)  5. (~q + b)  6. (q + ~a + ~b)
7. (p)  8. (~q)
Second instance:
1. (~p + a)  2. (~p + b)  3. (p + ~a + ~b)
4. (~q + a)  5. (~q + b)  6. (q + ~a + ~b)
7. (~p)  8. (q)

18 Functional Hashing
Functional Hashing = Functional Identification + Fanout Transfer
[Figure: miter before and after functional hashing (inputs a, b; nets p, q; output z)]
The SAT solver is not called on the whole miter, but only on a portion of the miter.
1. Functional identification proves p and q are equivalent if the two smaller SAT instances are both UNSAT
2. Therefore, the fanouts of q can be driven by p, thus simplifying the circuit

19 Logic Re-writing
Re-writing replaces a cone of logic in the miter with a different cone.
[Figure: a cone of logic in the miter being replaced by a different cone]
Rewriting can significantly alter the logic structure of the miter and its size.

20 Rewriting, Conceptually
Rewriting = Logic Insertion + Functional Hashing
[Figure: a circuit over inputs a, b, c with nets p and r; Logic Insertion adds the new net q; Functional Hashing then merges the equivalent nets]

21 Basic Operations
- Structural Hashing = Structural Identification + Fanout Transfer
- Functional Hashing = Functional Identification + Fanout Transfer
- Rewriting = Logic Insertion + Functional Hashing
We have 4 basic operations during CEC:
1. Structural Identification (does not modify the miter)
2. Functional Identification (does not modify the miter)
3. Fanout Transfer (modifies the miter)
4. Logic Insertion (modifies the miter)
The equivalence checking process is thought of as a sequence of these basic operations.

22 Sequence of Basic Operations
Transformations on the miter:
- Initial Miter
- Structural Identification
- Fanout Transfer
- Logic Insertion
- Functional Identification
- Structural Identification
- Miter is reduced to constant zero

23 Outline
- Resolution Proofs for Naïve CEC
- Review of Modern CEC
- Proof Generation in Modern CEC
- Conclusions

24 Overview of Proof Generation
Maintain correspondence between the miter and the proof.
[Figure: the initial miter (inputs a, b; nets p, q; output z)]
Initial clauses for the gates in the miter:
1. (~p + a)  2. (~p + b)  3. (p + ~a + ~b)
4. (~q + a)  5. (~q + b)  6. (q + ~a + ~b)
7. (p + q + ~z)  8. (p + ~q + z)  9. (~p + q + z)  10. (~p + ~q + ~z)
11. (z)
- As the CEC engine proceeds by executing the basic operations on the miter, it adds new clauses to the proof by using resolution to derive them
- The derivations corresponding to basic operations are called fragments

25 Overview of Proof Generation
Transformations on the miter          The Resolution Proof
Initial Miter                         Initial Clauses
Structural Identification             Fragment 1
Fanout Transfer                       Fragment 2
Logic Insertion                       Fragment 4
Functional Identification             Fragment 5
Structural Identification             Fragment n
Miter is reduced to constant zero     The empty clause is derived

26 Overview of Proof Generation
For each basic operation we generate a different type of fragment:
1. Structural Identification of p and q: the fragment derives (p + ~q) and (~p + q)
2. Functional Identification of p and q: the fragment derives (p + ~q) and (~p + q)
3. Fanout Transfer from q to p: the fragment derives new clauses for the gates in the fanout of q
4. Logic Insertion of a new gate g: the fragment derives the clauses for gate g

27 Structural Identification
The fragment derives (p + ~q) and (~p + q) from the clauses of the gates.
[Figure: the miter (inputs a, b; nets p, q; output z); Structural Identification detects that p = q]
Clauses of the two gates:
C1. (~p + a)  C2. (~p + b)  C3. (p + ~a + ~b)
D1. (~q + a)  D2. (~q + b)  D3. (q + ~a + ~b)
Fragment added to the proof:
L1. (p + ~b + ~q) (from C3 and D1)
L2. (p + ~q) (from D2 and L1)
L3. (~p + q + ~a) (from C2 and D3)
L4. (~p + q) (from C1 and L3)
(This fragment can be generated from a pre-computed template)

28 Fanout Transfer
Suppose we transfer the fanouts of q to p.
- For this to be sound, we must already have proved that p and q are equivalent
  - By structural or functional identification
  - Therefore, we have already derived (p + ~q) and (~p + q)
- We use (p + ~q) and (~p + q) to obtain clauses for the gates modified by the fanout transfer

29 Example of Fanout Transfer
Clauses for the Xor gate G modified by the fanout transfer from q to p:
C1. (p + q + ~z)  C2. (p + ~q + z)  C3. (~p + q + z)  C4. (~p + ~q + ~z)
Clauses asserting the equivalence of q and p, already derived through structural or functional identification:
X. (p + ~q)  Y. (~p + q)
[Figure: the miter before (gate G with inputs p and q) and after (gate G’ with both inputs driven by p) the fanout transfer]
Transfer the fanouts of q to p: eliminate q from C1-C4 using X and Y.
Fragment added to the proof, deriving the clauses for G’:
L1. (p + ~z) (from C1 and X)
L2. (~p + p + z) (from C3 and X)
L3. (p + ~p + z) (from C2 and Y)
L4. (~p + ~z) (from C4 and Y)
The added fragment derives the right set of clauses for the gates that were modified as a result of the fanout transfer operation.

30 Functional Identification
We want to derive the clauses (p + ~q) and (~p + q) from the clauses we have so far, i.e. C:
1. (~p + a)  2. (~p + b)  3. (p + ~a + ~b)
4. (~q + a)  5. (~q + b)  6. (q + ~a + ~b)
[Figure: the miter (inputs a, b; nets p, q; output z)]
Instead we have resolution proofs of UNSAT for the related but different instances C1 and C2:
C1:
1. (~p + a)  2. (~p + b)  3. (p + ~a + ~b)
4. (~q + a)  5. (~q + b)  6. (q + ~a + ~b)
X. (p)  Y. (~q)
C2:
1. (~p + a)  2. (~p + b)  3. (p + ~a + ~b)
4. (~q + a)  5. (~q + b)  6. (q + ~a + ~b)
X. (~p)  Y. (q)
Note that the clauses (p) and (~q) are not present in C and furthermore cannot be derived using resolution from C. Therefore, the resolution proofs of UNSAT of C1 and C2 cannot directly be used.

31 Proof Lifting
Idea: Use the proof of UNSAT of C1 to obtain a proof of (~p + q) from C.
C1:
1. (~p + a)  2. (~p + b)  3. (p + ~a + ~b)
4. (~q + a)  5. (~q + b)  6. (q + ~a + ~b)
X. (p)  Y. (~q)
C:
1. (~p + a)  2. (~p + b)  3. (p + ~a + ~b)
4. (~q + a)  5. (~q + b)  6. (q + ~a + ~b)
Proof of UNSAT of C1 from the solver:
Unit propagation of X and Y:
9. (a) (from X and 1)
10. (b) (from X and 2)
11. (~a + ~b) (from Y and 6)
12. (~b) (from 9 and 11)
13. () (from 10 and 12)
Fragment deriving (~p + q) from C:
Use 9’ to refer to 1, i.e. (~p + a)
Use 10’ to refer to 2, i.e. (~p + b)
Use 11’ to refer to 6, i.e. (q + ~a + ~b)
12’. (~p + q + ~b) (from 9’ and 11’) (i.e. from 1 and 6)
13’. (~p + q) (from 10’ and 12’) (i.e. from 2 and 12’)
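Proof lifting as just described, as an added example in Python (not the paper's code): it replays the solver's refutation of C1 and, at every step that resolves against one of the assumption units X or Y, reuses the other parent unchanged (so 9’, 10’ and 11’ stand for clauses 1, 2 and 6), while every other step is redone on the lifted parents with the same pivot, which yields exactly the fragment 12’, 13’ above. The variable numbering p=1, q=2, a=3, b=4 is an assumption of the example.

```python
# Added example: proof lifting as on slide 31 (not the paper's code).
# Literals are ints (negative = negated); clauses are frozensets of literals.
# Variable numbering, an assumption of this example: p=1, q=2, a=3, b=4.

C = {1: {-1, 3}, 2: {-1, 4}, 3: {1, -3, -4},     # p = a AND b
     4: {-2, 3}, 5: {-2, 4}, 6: {2, -3, -4}}     # q = a AND b
X_Y_FOR_C1 = {"X": 1, "Y": -2}                   # X. (p)  Y. (~q);  C1 = C + X + Y
# The solver's refutation of C1 from slide 31: (new id, parent, parent)
REFUTATION_C1 = [(9, "X", 1), (10, "X", 2), (11, "Y", 6), (12, 9, 11), (13, 10, 12)]

def pivot(c1, c2):
    """The unique literal v with v in c1 and -v in c2, or None."""
    pivots = {l for l in c1 if -l in c2}
    return pivots.pop() if len(pivots) == 1 else None

def resolve(c1, c2, v):
    """Resolvent of c1 and c2 with respect to pivot literal v (v in c1, -v in c2)."""
    return (c1 - {v}) | (c2 - {-v})

def lift(base, assumptions, steps):
    """Turn a refutation of base + assumption units into a derivation from base alone.
    Returns (the lifted final clause, the lifted steps as (id, parent, parent))."""
    orig = {i: frozenset(c) for i, c in base.items()}            # the solver's view
    orig.update({i: frozenset([l]) for i, l in assumptions.items()})
    lifted = {i: orig[i] for i in base}                           # base clauses lift to themselves
    alias = {i: i for i in base}         # proof clause id -> id of the clause standing for it
    fragment = []
    for new_id, a, b in steps:
        v = pivot(orig[a], orig[b])
        if v is None:
            raise ValueError(f"step {new_id}: {a} and {b} do not resolve")
        orig[new_id] = resolve(orig[a], orig[b], v)
        if a in assumptions or b in assumptions:
            # Resolving against X or Y: instead of dropping the assumption's literal,
            # keep the other parent as it is (e.g. 9' is just clause 1).
            alias[new_id] = alias[b] if a in assumptions else alias[a]
        else:
            alias[new_id] = new_id
            lifted[new_id] = resolve(lifted[alias[a]], lifted[alias[b]], v)
            fragment.append((new_id, alias[a], alias[b]))
    last = steps[-1][0]
    if orig[last]:
        raise ValueError("the input proof does not derive the empty clause")
    return lifted[alias[last]], fragment

if __name__ == "__main__":
    clause, frag = lift(C, X_Y_FOR_C1, REFUTATION_C1)
    print(sorted(clause), frag)       # [-1, 2] i.e. (~p + q); [(12, 1, 6), (13, 2, 12)]
```

Applied to a refutation of C2 (assumption units (~p) and (q)), the same function returns (p + ~q), as the next slide states.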

32 Functional Identification
- We obtained a derivation of (~p + q) from the proof of unsatisfiability of C1
- Similarly, the proof of unsatisfiability of C2 yields a derivation of (p + ~q)
- Proof of correctness of lifting in the paper

33 Logic Insertion
Need to add new clauses corresponding to the inserted gate.
[Figure: a circuit with nets b, c, p, r, x, y and the newly inserted gate q]
We want to add a clause corresponding to q, i.e. we want to add (q = x ^ y).
However, resolution does not allow us to introduce a new variable q.
Need to upgrade our proof system to extended resolution.

34 Extended Resolution
- Allow the introduction of a new variable q by means of a clause such as (q = f(x1, .. xn))
- Sound since if C is a set of clauses and q does not appear in C, then C·(q = f(x1, .. xn)) has a satisfying assignment iff C does
  - Proof: Since q is free we can always assign it the value f(x1, .. xn)
- The proof verifier has to be slightly modified
  - It has to check that q does not appear so far in the proof

35 Logic Insertion
In practice we add three CNF clauses instead of (q = x ^ y).
[Figure: a circuit with nets a, b, c, p, r, x, y and the newly inserted gate q]
Add the clauses (~q + x), (~q + y) and (q + ~x + ~y) to the proof and modify the verifier to accept this particular template as an extended resolution step.
Need such a template for every type of gate that may be introduced.
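The verifier change from the last two slides, as an added example in Python (not the authors' code): an extended-resolution step is accepted only if its new variable occurs nowhere in the proof so far, and the clauses it adds come from a fixed template per gate type (the AND clauses of this slide and the XOR clauses used for the miter output on slide 10). The variable numbering and the gates already present in the sample proof state are constructed for the example.

```python
# Added example (not the paper's code): the extended-resolution step of slides 34-35.
# Literals are ints (negative = negated); clauses are frozensets of literals.

# One CNF template per gate type, for output g with inputs x, y.  The AND clauses are
# those of slide 35; the XOR clauses are the miter-output encoding of slide 10.
TEMPLATES = {
    "and": lambda g, x, y: [{-g, x}, {-g, y}, {g, -x, -y}],
    "xor": lambda g, x, y: [{x, y, -g}, {x, -y, g}, {-x, y, g}, {-x, -y, -g}],
}

def variables(clauses):
    """All variables occurring in a list of clauses."""
    return {abs(l) for c in clauses for l in c}

def extend(proof, gate, g, x, y):
    """Append the definition clauses of a new gate g = gate(x, y) to `proof`, the list
    of every clause (original or derived) seen so far.  Soundness needs g to be a
    fresh variable, so that is the extra check the verifier performs."""
    if gate not in TEMPLATES:
        raise ValueError(f"no template for gate type {gate!r}")
    if g <= 0 or g in (abs(x), abs(y)):
        raise ValueError("gate output must be a positive variable distinct from its inputs")
    if g in variables(proof):
        raise ValueError(f"variable {g} already occurs in the proof; it is not fresh")
    new = [frozenset(c) for c in TEMPLATES[gate](g, x, y)]
    proof.extend(new)
    return new

# Constructed proof state for the situation of slide 33: variables b=1, c=2, x=3, y=4,
# p=5, r=6 are already in use (here x = b AND c, y = c AND p, r = x XOR y, a made-up
# structure), and the rewriter wants to insert q = x AND y as new variable 7.
PROOF_SO_FAR = [frozenset(c) for c in TEMPLATES["and"](3, 1, 2)
                + TEMPLATES["and"](4, 2, 5) + TEMPLATES["xor"](6, 3, 4)]

if __name__ == "__main__":
    print(extend(PROOF_SO_FAR, "and", 7, 3, 4))     # accepted: q = 7 is fresh
    try:
        extend(PROOF_SO_FAR, "and", 5, 3, 4)        # rejected: 5 (p) is already in use
    except ValueError as err:
        print("rejected:", err)
```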

36 Summary of Proof Generation
Transformations on the miter          The Resolution Proof
Initial Miter                         Initial Clauses
Structural Identification             Fragment 1
Fanout Transfer                       Fragment 2
Logic Insertion                       Fragment 4
Functional Identification             Fragment 5
Structural Identification             Fragment n
Miter is reduced to constant zero     The empty clause is derived

37 Outline
- Resolution Proofs for Naïve CEC
- Review of Modern CEC
- Proof Generation in Modern CEC
- Conclusions

38 Conclusions
- Modern CEC methods can be easily modified to generate proofs of equivalence
  - A single proof just as in the naïve case
  - Easy to check the proof for correctness
- The proof (syntax) is independent of the actual methods used for verification
- Extended resolution suffices
- Re-writing is a way of constructing extended resolution proofs

39 Future Work and Applications
- Reduce the size of the resolution proof
  - Look for alternate proof systems which are harder to verify but lead to smaller proofs
  - Goldberg and Novikov’s 2003 paper: resolution proof “modulo” BCP steps
- Proofs leak too much information
  - Can possibly reconstruct what the CEC engine did
- Correct by construction logic synthesis
  - Synthesis emits a resolution proof as a certificate
- Computation of interpolants in model checking
- Proofs of Sequential Equivalence
  - Inductive proofs can be expressed using resolution

40 Thank You

