Efficient Implementation of Property Directed Reachability
Niklas Een, Alan Mishchenko, Robert Brayton
20th International Workshop on Logic & Synthesis, June 3-5, 2011
6/5/2011 Page 2/16 IWLS 2011 — UC San Diego, California, USA
What is PDR?
PDR (aka IC3) is a new model checking algorithm.
Published by Aaron Bradley on arXiv after being rejected at CAV 2010.
Won third place in HWMCC’10
Can be viewed as approximate reachability.
Relations to interpolation based model checking:
− No proof-logging needed
− Never have to start over
− Simpler implementation (my opinion)
− Faster, stronger, better?
What is our contribution?
Confirm Aaron’s results
Simplify the procedure
− No special base case
− Simpler cube generalization
Achieve a substantial speedup
− Ternary simulation
Detailed pseudo-code
Verification Model
Design/FSM is given as a netlist containing:
− AND gates
− PIs
− Flip-flops
with complemented edges, a single output for the (safety) property and some definition of the initial states.
Figure: netlist with Combinational Logic, Flip-Flops, Primary Inputs and the Property Output.
How it works
Reasons on conjunctions of state variables (cubes)
Proves cubes to be unreachable within k steps. Maintains a trace of all such facts.
Properties of the trace:
1. F0 = ¬Init
2. F1 ⊇ F2 ⊇ ... ⊇ FN (as sets of cubes)
3. img(¬Fi) ⊆ ¬Fi+1 (¬Fi = potentially reachable states)
4. Fi ⊇ Bad (except for the last frame)
Figure: frames F0 F1 F2 F3 F4 F5, each drawn between Init and Bad.
How it works (cont.)
Two phases:
− recursively block a point in Bad in the last frame
− propagate cubes learned during this process forward
Figure: frames F0 F1 F2 F3 between Init and Bad. Recursively block Bad; propagate cubes forward; terminates when Fi = Fi+1.
Stepping through PDR
Figure: frames between Init and Bad, stepping through PDR:
Find a bad state (SAT)
Enlarge it (ternary sim.)
Pre-image blocked? (SAT) Yes!
Generalize cube (many SAT)
No more bad states: add frame
Stepping through PDR
Figure: frames between Init and Bad, stepping through PDR:
1. Find a bad state (SAT)
2. Enlarge it (ternary sim.)
3. Pre-image blocked? (SAT)
4a. Yes! Generalize cube (many SAT)
4b. No? Get point from SAT model
Is the cube blocked in the new frame? (propagation) If no, resume work on this cube.
No more bad states: add frame (and propagate)
The Basic SAT query of PDR
Query: Is the pre-image of a cube s’ blocked by Fk?
− SAT?[¬Fk ∧ T ∧ s’]
Figure: Combinational Logic with current-state variables s0 … sn, next-state variables s’0 … s’n, primary inputs x0 … xm and the Bad output.
Example: s’ = (s’1 ∧ ¬s’3 ∧ s’n), i.e. s’1 = 1, s’3 = 0, s’n = 1.
Blocked cubes "Fk" are added to the SAT-solver in terms of these state variables.
Ternary Simulation
Query: Is the pre-image of a cube s blocked?
− If no, the SAT-solver returns a model
Figure: the model assigns s0 = 0, s1 = 1, s2 = 1, s3 = 0, sn-1 = 1, sn = 0 and x0 = 1, x1 = 0, xm = 1; the X marks show the variables replaced by the unknown value after ternary simulation.
Example: s’ = (s’1 ∧ ¬s’3 ∧ s’n)
New proof-obligation: s = (s2 ∧ ¬s3 ∧ ¬sn)
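The enlargement step from the Ternary Simulation slide, as an added example that is not the authors' code: a small AIG with complemented edges is simulated in three-valued logic, and each state variable of a constructed SAT model is tried as X and kept as X only while the target cube s' stays determined. The netlist, the gate names g1..g3, and the helper names are assumptions.

```python
# Ternary simulation of an AIG, the "Enlarge it (ternary sim.)" step of PDR:
# the SAT model of ¬Fk ∧ T ∧ s' is widened into a cube over the state bits.
# Added example, not the authors' code; netlist and model are constructed.
X = None  # the unknown value of ternary logic

def t_not(a):
    return X if a is X else 1 - a

def t_and(a, b):
    # A 0 on either input decides the gate even when the other input is X.
    if a == 0 or b == 0:
        return 0
    return 1 if (a == 1 and b == 1) else X

def simulate(gates, assignment):
    """Evaluate AND gates listed in topological order.  Each fan-in edge is
    (node, negated), modelling the netlist's complemented edges."""
    val = dict(assignment)
    for out, (a, na), (b, nb) in gates:
        va = t_not(val[a]) if na else val[a]
        vb = t_not(val[b]) if nb else val[b]
        val[out] = t_and(va, vb)
    return val

def enlarge_cube(gates, next_state, model, target):
    """Set state variables of `model` to X one at a time, keeping the X
    whenever every literal of the target cube s' is still determined.
    `next_state` maps s'_i to its (node, negated) driver; `target` maps
    s'_i to the required value.  Returns the surviving state literals."""
    cur = dict(model)
    def target_holds():
        val = simulate(gates, cur)
        for sp, req in target.items():
            node, neg = next_state[sp]
            if (t_not(val[node]) if neg else val[node]) != req:
                return False
        return True
    assert target_holds(), "the SAT model must satisfy s'"
    for var in sorted(v for v in cur if v.startswith("s")):
        saved, cur[var] = cur[var], X
        if not target_holds():
            cur[var] = saved  # this state bit is needed to reach s'
    return {v: b for v, b in cur.items() if v.startswith("s") and b is not X}

# Constructed netlist: s0..s3 are flip-flops, x0 and x1 primary inputs.
GATES = [("g1", ("s1", False), ("x0", False)),  # g1 = s1 ∧ x0
         ("g2", ("s2", False), ("s3", True)),   # g2 = s2 ∧ ¬s3
         ("g3", ("g2", False), ("x1", True))]   # g3 = g2 ∧ ¬x1
NEXT_STATE = {"s'0": ("s0", False), "s'1": ("g1", False),
              "s'2": ("g2", False), "s'3": ("g3", True)}
TARGET = {"s'1": 1, "s'3": 0}  # the bad cube s' = (s'1 ∧ ¬s'3)
MODEL = {"s0": 1, "s1": 1, "s2": 1, "s3": 0, "x0": 1, "x1": 0}
```

On this model s0 is dropped (it drives only s'0, which s' does not mention), while s1, s2 and s3 all remain because making any of them X leaves g1 or g3 undetermined.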
The Improved SAT query of PDR
Query: Is the pre-image of a cube s blocked by either Fk or s itself?
− SAT?[¬Fk ∧ ¬s ∧ T ∧ s’]
Figure: frames F0 F1 F2 F3 between Init and Bad, with the query (SAT?) asked between s and s’.
Delta Encoding of Trace
Figure: frames F0 F1 F2 F3 F4 F5 between Init and Bad, showing the delta encoding.
In the implementation, cubes are only stored in the last frame where they hold.
Demo
Running PDR on some industrial benchmarks
Experimental Results on IBM Benchmarks
Notes on Implementation
PDR can sometimes find very deep counterexamples.
Recursive blocking takes about 80% of the runtime, propagation 20%.
Most of the time in recursive blocking is spent on cube generalization.
Using activation literals or proof-logging reduces cube generalization significantly.
PDR can be implemented using one or many SAT-instances.
When using one instance, it is natural to add F.
− Can be used by other engines.
− Can be explicitly strengthened by mutual induction test.
Upon creation, derived cubes are placed in the last frame where they hold.
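The delta-encoded trace from the Delta Encoding slide together with the placement rule in the notes above, as an added example that is not the authors' code: each cube lives only in the last frame where it holds, Fk is read as the union of frames k..N, subsumption is a syntactic subset test, and an empty frame is the termination check Fi = Fi+1. The `Trace` class, the `still_blocked` oracle standing in for the SAT query, and the constructed cubes are assumptions.

```python
# Delta-encoded PDR trace: a cube is stored only in the last frame where it
# holds, so F_k as a set of cubes is the union of frames k..N.  Added
# example, not the authors' code; the propagation oracle is passed in.

def subsumes(c, d):
    """c subsumes d when c's literals are a subset of d's: blocking c
    already blocks every state that blocking d would."""
    return c <= d

class Trace:
    def __init__(self):
        self.frames = [set()]          # frames[0] is F0

    def add_frame(self):
        self.frames.append(set())

    def cubes_at(self, k):
        """F_k under delta encoding: all cubes held in frame k or later."""
        return set().union(*self.frames[k:])

    def add_cube(self, cube, k):
        """Record that `cube` is blocked up to frame k.  Skip it if a cube
        in F_k already subsumes it; otherwise drop cubes in frames 1..k
        that it subsumes, since they are now redundant."""
        cube = frozenset(cube)
        if any(subsumes(c, cube) for c in self.cubes_at(k)):
            return False
        for i in range(1, k + 1):
            self.frames[i] = {c for c in self.frames[i]
                              if not subsumes(cube, c)}
        self.frames[k].add(cube)
        return True

    def propagate(self, still_blocked):
        """Push each cube one frame forward while `still_blocked(cube, k)`
        reports the query ¬F_k ∧ ¬cube ∧ T ∧ cube' as UNSAT.  Under the
        delta encoding an empty frame k means F_k == F_{k+1}, which is the
        termination condition; its index is returned, otherwise None."""
        for k in range(1, len(self.frames) - 1):
            for cube in list(self.frames[k]):
                if still_blocked(cube, k):
                    self.frames[k].discard(cube)
                    self.add_cube(cube, k + 1)
            if not self.frames[k]:
                return k
        return None
```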
Concluding Remarks on PDR
Derives interpolants in terms of state cubes.
− Because the domain is so simple: can optimize efficiently
− Subsumption and termination become syntactic checks
Reasons locally (over one transition only).
− Enhances abstraction
− Improves chances of finding an inductive invariant.
Never starts over.
− Extends the current knowledge at Fk as needed.
Very memory efficient.
This is only the beginning...