Presentation is loading. Please wait.

Presentation is loading. Please wait.

Incremental formal verification of hardware Hana Chockler Alexander Ivrii Arie Matsliah Shiri Moran Ziv Nevo IBM Research - Haifa.

Published byMatthew Boyd Modified over 9 years ago

Similar presentations

Presentation on theme: "Incremental formal verification of hardware Hana Chockler Alexander Ivrii Arie Matsliah Shiri Moran Ziv Nevo IBM Research - Haifa."— Presentation transcript:

1 Incremental formal verification of hardware Hana Chockler Alexander Ivrii Arie Matsliah Shiri Moran Ziv Nevo IBM Research - Haifa

2 Formal verification (hardware) DesignSpec Verification tool Pass / Fail Effective, but computationally expensive In many scenarios, similar verification tasks are performed repetitively: Regression verification Update to design Update to specifications Coverage verification Can we store and reuse information to reduce amount of redundant computation?

3 Incremental formal verification DesignSpec Verification tool Pass / Fail DB hardware safety propertie s ic3 extract relevant part of previously saved information store reusable information

4 ● inductive proofs and inductive strengthening ● saving information – ic3 overview – what is saved? ● reusing saved information – extracting relevant parts (w.r.t. new design/spec) – checking if verification can be concluded – injecting into ic3 ● conclusion and experimental results Outline

5 ● x 1,x 2,…,x n – state variables (latches) ● I – initial states ● T – transition relation ● R – all reachable states ● R i – states reachable within i steps from I ● P – (safety) property FSMs and safety properties I R2R2 R1R1 R All states … R k-1 ┐P┐P T(s,t)

6 Inductive proofs (for R  P) ● Simple induction: – I  P, P ^ T  P‘ Sufficient but not necessary. Almost never holds in practice.. ● Solution: find G such that: – I  G – G ^ T  G‘ – G  P  G is over-approximation of R I R G All states ┐P┐P !

7 ic3 - basic properties ● Complete – always terminates with correct result ● SAT based, no unrolling ● If P is invariant, produces a CNF formula G, s.t.: – I  G – G ^ T  G’ – G  P ● If not, produces a (generalized) CEX α 0, α 1,…, α k s.t.: – all α 0 states belong to I – all α i states lead to some α i+1 state – α k is in ┐ P I a0a0 a1a1 ┐P┐P akak … I R G All states ┐P┐P

8 ● Clause sets/CNF formulas F 1,...,F k ● Initially: k=1, F 1 = P (assume I  P and Img(I)  P) ● Invariants: – I  F 1 ...  F k  P (furthermore, for all i, F i+1 is a subset of F i ) – Img(F i )  F i+1 – R i  F i (bounded) inductive invariants in ic3 F 0 =I F1F1 F k-1 P … Img(F 0 ) Img(F k-2 )Img(F k-1 ) FkFk ● If F i = F i+1 for some i<k, then F i is an inductive strengthening that proves R  P

9 ic3 progress and termination ● Inductive clauses that block “bad state predecessors” are added to the sets F i, in a way that maintains the containment invariants ● Once in a while, clauses are “pushed” to higher F i ’s ● ic3 terminates when either: – F i =F i+1 for some i  we save the inductive invariant F i – it finds a CEX: chain of bad state predecessors that starts at I  we generalize and save the CEX + we save the absolute invariants * Absolute inductive invariants are those clauses that were “pushed” beyond F k

10 How to reuse saved invariants? Finding maximal inductive invariant ● Input: I, T, P and C = {c 1,…,c m } - candidate invariant clauses ● Output: PASS or maximum subset Q of C such that I  Q and Q ^ T  Q‘ * Note: if Q 1 ^ T  Q’ 1 and Q 2 ^ T  Q‘ 2 then (Q 1 U Q 2 ) ^ T  (Q’ 1 U Q’ 2 ) Once such Q is found, we can “inject” it into ic3 by conjoining Q with all sets F i This saves ic3 the effort of “rediscovering” the invariants from Q

11 Finding Q using a SAT solver * that supports SolveWithAssumptions(a 1,...,a k ) 1. cnfize T and I, set Q:=C 2. remove from Q all clauses that are not implied by I 3. for every c i in Q, introduce two auxiliary vars: x i and y’ i 4. for every i, cnfize x i  c i and y’ i  ┐ c’ i 5. SolveWithAssumptions ( x 1,..., x |Q|, (y’ 1 v... v y’ |Q| ) ) 6. if unsat: Q is invariant if sat: remove from Q each c i with assign(y’ i )=1 and goto 5 7. if Q  P output PASS, ow return Q

12 Overall approach DesignSpec Verification tool Pass / Fail DB inductive invariants / generalize d CEXes inject maximal inductive-invariant into ic3 save inductive invariant / CEX maximal invariant/ CEX extraction

13 Experimental results (accumulated runtimes in seconds) From scratchAfter originalAfter mutated Original30,59740210,070 Mutated50,29437,3482,091 From scratchAfter originalAfter mutated Original36,6051,23811,710 Mutated54,16024,447883 758 designs from HWMCC’10 17 IBM designs

14 Concluding remarks ● ic3 can be used to save small inductive proofs, and generalized CEXes ● the technique is robust since ic3 invariants and CEXes involve only state variables ● makes coverage and regression verification almost immediate ● parts from inductive proofs can be used even if design/spec has significantly changed ● saved information is reusable even when verification result changes

15 The End

16 Generalizing assignments ● Input: circuit C and assignment a such that C(a)=y ● Output: partial assignment a’ such that C(b)=y for all extensions b of a’ * a’ is obtained by subst. some of the 0,1 values in a with x (don’t cares) Standard algs: start from root and propagate “cares” start from leaves and propagate “don’t cares”

17 Generalizing assigns. with solver ● Input: circuit C and assignment a such that C(a)=y ● Output: partial assignment a’ such that C(b)=y for all extensions b of a’ 1. cnfize C 2. SolveWithAssumptions ( ┐ (C(a)=y), a 1,..., a n ) * must return unsat (BCP) 3. if a i participates in the conflict set a’ i = a i else set a’ i = x

18 Generalizing assigns. with solver 1. cnfize C 2. SolveWithAssumptions ( ┐ (C(a)=y), a 1,..., a n ) * must return unsat (BCP) 3. if a i participates in the conflict set a’ i = a i else set a’ i = x Advantages: 1. easy to enforce additional constraints (e.g. learnt clauses and invars) 2.can order the variables in the assumptions acc. to some priority 3. can run after standard algs 4. no real solving – just BCP 5. shrinks by additional 30-40% after ternary simulation (like in PDR)

Download ppt "Incremental formal verification of hardware Hana Chockler Alexander Ivrii Arie Matsliah Shiri Moran Ziv Nevo IBM Research - Haifa."

Similar presentations

The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.

The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.
Exploiting SAT solvers in unbounded model checking

Exploiting SAT solvers in unbounded model checking
Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.

Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.
Hybrid BDD and All-SAT Method for Model Checking Orna Grumberg Joint work with Assaf Schuster and Avi Yadgar Technion – Israel Institute of Technology.

Hybrid BDD and All-SAT Method for Model Checking Orna Grumberg Joint work with Assaf Schuster and Avi Yadgar Technion – Israel Institute of Technology.
Efficient Implementation of Property Directed Reachability Niklas Een, Alan Mishchenko, Robert Brayton.

Efficient Implementation of Property Directed Reachability Niklas Een, Alan Mishchenko, Robert Brayton.
Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.

Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.
SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)

SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)
Propositional and First Order Reasoning. Terminology Propositional variable: boolean variable (p) Literal: propositional variable or its negation p 

Propositional and First Order Reasoning. Terminology Propositional variable: boolean variable (p) Literal: propositional variable or its negation p 
Proofs from SAT Solvers Yeting Ge ACSys NYU Nov 20 2007.

Proofs from SAT Solvers Yeting Ge ACSys NYU Nov
1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.

1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.
Aaron Bradley University of Colorado, Boulder

Aaron Bradley University of Colorado, Boulder
IBM Labs in Haifa © 2005 IBM Corporation Adaptive Application of SAT Solving Techniques Ohad Shacham and Karen Yorav Presented by Sharon Barner.

IBM Labs in Haifa © 2005 IBM Corporation Adaptive Application of SAT Solving Techniques Ohad Shacham and Karen Yorav Presented by Sharon Barner.
© Anvesh Komuravelli IC3/PDR Overview of IC3/PDR Anvesh Komuravelli Carnegie Mellon University.

© Anvesh Komuravelli IC3/PDR Overview of IC3/PDR Anvesh Komuravelli Carnegie Mellon University.
Reduction of Interpolants for Logic Synthesis John Backes Marc Riedel University of Minnesota Dept.

Reduction of Interpolants for Logic Synthesis John Backes Marc Riedel University of Minnesota Dept.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
On-The-Fly Resolve Trace Minimization Ohad Shacham and Karen Yorav IBM Haifa Research Laboratory.

On-The-Fly Resolve Trace Minimization Ohad Shacham and Karen Yorav IBM Haifa Research Laboratory.
IBM Labs in Haifa Software and Verification Technologies Supporting SAT based BMC on Finite Path Models Daniel Geist Mark Ginzburg Yoad Lustig Ishai Rabinovitz.

IBM Labs in Haifa Software and Verification Technologies Supporting SAT based BMC on Finite Path Models Daniel Geist Mark Ginzburg Yoad Lustig Ishai Rabinovitz.
Formal Verification Group © Copyright IBM Corporation 2008 IBM Haifa Labs SAT-based unbounded model checking using interpolation Based on a paper “Interpolation.

Formal Verification Group © Copyright IBM Corporation 2008 IBM Haifa Labs SAT-based unbounded model checking using interpolation Based on a paper “Interpolation.
Pruning techniques for the SAT-based Bounded Model-Checking problem Ofer Shtrichman Weizmann Institute of Science & IBM - HRL.

Pruning techniques for the SAT-based Bounded Model-Checking problem Ofer Shtrichman Weizmann Institute of Science & IBM - HRL.
11.7.2005 Computing Over­Approximations with Bounded Model Checking Daniel Kroening ETH Zürich.

Computing Over­Approximations with Bounded Model Checking Daniel Kroening ETH Zürich.

Similar presentations

Ads by Google