Cut-Based Inductive Invariant Computation
Michael Case (1,2), Alan Mishchenko (1), Robert Brayton (1)
(1) UC Berkeley
(2) IBM Systems and Technology Group, Austin, TX
Overview
- Motivation
- Previous work
- Inductive invariants
- Selecting invariant candidates
- Proving inductive invariants
- Experimental results
- Conclusions and future work
Motivation
- Inductive invariants in verification
  - Prevent spurious counter-examples to induction
  - Speed up SAT and improve SAT-based algorithms (interpolation, functional dependency, etc.)
- Inductive invariants in synthesis
  - Represent an over-approximation of the reachable states
  - Can be used as a care set during logic optimization
Preventing Spurious Counter-Examples
- Spurious counter-examples are the Achilles' heel of induction
- Remedy: induction strengthening
  - For example, property P ∧ Q may be provable by induction even if properties P and Q are not provable individually
[Figure: state-space diagram showing the complete state space, its reachable and unreachable parts, and the regions where P and Q hold]
Previous Work on Induction Strengthening
- Van Eijk's approach (TCAD'00): use candidate equivalences; if these are not enough, add dangling nodes (nodes after retiming)
- Mike Case's approach (FMCAD'07): use implications that cover counter-examples
- Aaron Bradley's approach (FMCAD'07): use minimal clauses derived from counter-examples
- Proposed approach: create properties based on groups of signals in the network
Inductive Invariants
- If property P is hard to prove, the goal is to find a new property Q that strengthens P
- Q is an inductive invariant
[Figure: node n in the network, with cut signals Y and primary inputs X; properties P and Q are expressed over these signals]
Selecting Invariant Candidates
- Perform two rounds of simulation:
  - Combinational (C): random primary inputs and random register outputs
  - Sequential (S): random primary inputs and reachable states at the register outputs
- Collect combinations in the Y-space of n that appear in C but not in S; these are likely due to unreachable states
  - A combination that is reachable but simply not hit within the sequential simulation budget also lands here, so every candidate still has to be proved
- Consider one combination, say (0110): Q(y) = ¬y1 ∧ y2 ∧ y3 ∧ ¬y4
  - Q(y) is likely true only in unreachable states
  - Its complement, ¬Q(y) = y1 ∨ ¬y2 ∨ ¬y3 ∨ y4, is a candidate inductive invariant
[Figure: node n with cut signals Y and primary inputs X; properties P and Q]
Example of Candidate Invariants
[Figure: AIG rooted at node a with fan-in nodes b, c, d, e, f, g; the cuts {b, c} and {e, f, g} of a are used below]

Combinational simulation data (C), one pattern per row:
 a b c d e f g
 1 1 1 1 0 1 0
 0 1 1 1 1 1 1
 1 1 0 0 0 1 0
 0 1 0 1 1 0 0
 1 0 0 0 1 0 0

Sequential simulation data (S), one pattern per row:
 a b c d e f g
 0 1 1 1 1 0 0
 0 1 1 0 0 1 1
 1 1 1 0 1 0 0
 1 0 1 0 1 0 1
 1 0 0 0 0 1 0

Cuts of a and the cut assignments seen in the data above; an assignment that appears in C but not in S yields its complement as a candidate sequential invariant:

 Cut          Cut assignment   Appears in comb. sim.   Appears in seq. sim.   Candidate seq. invariant
 {b, c}       b c              yes                     yes                    -
              b ¬c             yes                     no                     ¬b + c
 ...
 {e, f, g}    e f g            yes                     no                     ¬e + ¬f + ¬g
              e ¬f ¬g          yes                     yes                    -
              ¬e f ¬g          yes                     yes                    -
 ...
Proving Inductive Invariants
- Collecting candidate inductive invariants:
  - Constants (1-clauses)
  - Implications (2-clauses)
  - Values of signals at n-cuts (n-clauses)
  - Values of signals at n randomly selected nodes (n-clauses)
- Proving inductive invariants:
  - Use k-step induction
  - Check the invariants in the k initialized frames
  - Assume the invariants hold in k uninitialized frames, and prove them in the (k+1)st frame
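To make the candidate-selection and proving steps above concrete (and the remark that P ∧ Q can be inductive when neither P nor Q is), here is an added Python example. It is not code from the paper or from the ABC/SixthSense implementations: the circuit (a three-bit one-hot ring counter with an enable input and one internal node), the list of cuts, the 200-cycle simulation budget and the exhaustive state enumeration that stands in for the paper's SAT calls are all assumptions of this example, and every function name is hypothetical. Candidates are taken as complements of cut assignments seen in combinational but not in sequential simulation, then filtered by k-induction with the usual drop-failing-clauses loop, which the slides do not spell out.

```python
"""Cut-based candidate invariants from simulation, proved by k-induction.

Added illustration (assumptions: the circuit below, the cuts, and exhaustive
enumeration in place of a SAT solver); not the paper's own implementation."""
import itertools
import random

# Constructed circuit: 3-bit one-hot ring counter, enable input `en`,
# internal node `busy`. Reset state is (r0, r1, r2) = (1, 0, 0).
REGS = ("r0", "r1", "r2")
INPUTS = ("en",)
INIT = {"r0": 1, "r1": 0, "r2": 0}


def next_state(regs, ins):
    """Transition function: rotate the token when en=1, hold otherwise."""
    if ins["en"]:
        return {"r0": regs["r2"], "r1": regs["r0"], "r2": regs["r1"]}
    return dict(regs)


def signals(regs, ins):
    """Every named signal of one time frame: registers, inputs, internal nodes."""
    vals = dict(regs)
    vals.update(ins)
    vals["busy"] = regs["r1"] | regs["r2"]  # token is somewhere other than r0
    return vals


def simulate(rng, cycles, sequential):
    """Return the list of signal vectors observed.
    Combinational sim (C): fresh random register values and inputs each cycle.
    Sequential sim (S): start at INIT, random inputs, follow next_state."""
    frames, regs = [], dict(INIT)
    for _ in range(cycles):
        if not sequential:
            regs = {r: rng.randint(0, 1) for r in REGS}
        ins = {i: rng.randint(0, 1) for i in INPUTS}
        frames.append(signals(regs, ins))
        if sequential:
            regs = next_state(regs, ins)
    return frames


def assignments(cut, frames):
    """Set of value tuples the cut signals took across the frames."""
    return {tuple(f[s] for s in cut) for f in frames}


def candidate_clauses(cuts, comb, seq):
    """An assignment seen in C but never in S is presumed to be an unreachable
    minterm; its complement (an n-clause) is a candidate invariant. A clause is
    a tuple of (signal, value) literals and holds if any literal matches."""
    clauses = set()
    for cut in cuts:
        for assign in assignments(cut, comb) - assignments(cut, seq):
            clauses.add(tuple((s, 1 - v) for s, v in zip(cut, assign)))
    return clauses


def holds(clause, frame):
    return any(frame[s] == v for s, v in clause)


def all_states():
    for bits in itertools.product((0, 1), repeat=len(REGS)):
        yield dict(zip(REGS, bits))


def traces(n_frames, starts):
    """All traces of n_frames consecutive frames from the given start states,
    under every input sequence (exhaustive stand-in for the paper's SAT calls)."""
    inputs = [dict(zip(INPUTS, b))
              for b in itertools.product((0, 1), repeat=len(INPUTS))]
    for s0 in starts:
        for ins_seq in itertools.product(inputs, repeat=n_frames):
            trace, regs = [], s0
            for ins in ins_seq:
                trace.append(signals(regs, ins))
                regs = next_state(regs, ins)
            yield trace


def prove_by_k_induction(clauses, k):
    """Base: each clause holds in the k initialized frames. Step: assuming all
    surviving clauses in k uninitialized frames, each must hold in frame k+1.
    Failing clauses are dropped and the step repeats until a fixpoint."""
    clauses = {c for c in clauses
               if all(holds(c, f) for t in traces(k, [INIT]) for f in t)}
    while True:
        failed = set()
        for t in traces(k + 1, all_states()):
            if all(holds(c, f) for c in clauses for f in t[:k]):
                failed |= {c for c in clauses if not holds(c, t[k])}
        if not failed:
            return clauses
        clauses -= failed


def demo(seed=1):
    """Run both simulations, collect n-clause candidates on three cuts, prove them."""
    rng = random.Random(seed)
    comb = simulate(rng, 200, sequential=False)
    seq = simulate(rng, 200, sequential=True)
    cuts = [("r0", "r1"), ("r0", "r1", "r2"), ("r0", "busy")]
    cands = candidate_clauses(cuts, comb, seq)
    return cands, prove_by_k_induction(cands, k=1)


if __name__ == "__main__":
    cands, proven = demo()
    print(len(cands), "candidates,", len(proven), "proven inductive as a group")
    weak = {(("r0", 0), ("r1", 0))}  # the single clause not(r0 and r1)
    print("not(r0 and r1) on its own:", prove_by_k_induction(weak, k=1))
```

Run as a script, the group of eight candidate clauses (which together pin the state to one-hot) is proved inductive, while the clause ¬r0 ∨ ¬r1 taken alone is not: the uninitialized state (1,0,1) satisfies it and rotates to (1,1,0), so the step fails and the clause is dropped. That is the strengthening effect the earlier slide describes, and it is why candidates are proved as a set rather than one at a time.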
Experiment Overview
- Implemented invariant computation in ABC and in IBM's SixthSense tool
- Used in synthesis: led to a 1-3% improvement in AIG nodes; overall results are marginal
- Used in verification: observed strengthening on some properties; overall results are not impressive
- Used to improve several algorithms (interpolation, functional dependency, etc.): overall results are promising
Experimental ResultsExperimental Results
Conclusions
- Developed a new method for expressing candidate invariants using n-clauses
- Created a scalable hierarchical approach to proving the candidate invariants, which trades off computational effort against the number and expressiveness of the invariants generated
- Performed initial experiments to evaluate the usefulness of inductive invariants
Future Work
- Run further experiments and fine-tune using industrial benchmarks
- Integrate the induction strengthening engine into equivalence checkers and model checkers
- Use the computed invariant clause sets as don't-cares for circuit restructuring in technology-dependent synthesis