PDR: Property Directed Reachability
AKA ic3: SAT-Based Model Checking Without Unrolling

Aaron Bradley, University of Colorado, Boulder
Robert Brayton, Niklas Een, Alan Mishchenko, University of California, Berkeley


Page 2: Outline

Motivation
  Sequential verification is hard (needs new engines!)
  Pioneering work of Aaron Bradley
  A surprise (3rd place) winner at HWMCC’10!
Remarkable features
  Efficiently tackles both SAT and UNSAT instances
  Lends itself to localization abstraction and parallelism
  Conceptually simple, relatively tuning-free
Understanding the algorithm
  Pseudo-code…
Experimental results and conclusions

Page 3: Pioneering Work

Aaron Bradley developed this algorithm after several years of work on “inductive generalization”
  Preliminary work (A. R. Bradley and Z. Manna, “Checking safety by inductive generalization of counterexamples to induction”, FMCAD’07)
  This work (A. R. Bradley, “k-step relative inductive generalization”, http://arxiv.org/abs/1003.3649)
  The original version of the tool to enter HWMCC’10 (ic3, http://ecee.colorado.edu/~bradleya/ic3/)
ic3 won third place and only lost, by a small margin, to two mature, integrated engines (ABC and PdTRAV)

Page 4: Efficient Implementation

Niklas Een implemented Aaron Bradley’s algorithm while taking advantage of the strengths of MiniSAT:
  Incremental interface
  Activation literals to enable/disable clauses
  Procedure AnalyzeFinal to compute an UNSAT core in terms of the original assumptions
  Resource-driven recycling of the SAT solver
Additionally, Niklas proposed
  Ternary simulation for quick cube expansion
  New heuristics for inductive generalization
  Smart data-structures for clauses and proof obligations
Niklas’ implementation runs faster and proves more properties than the original implementation

Page 5: PDR: The Main Idea

An inductive invariant is a Boolean function in terms of register variables, such that
  It is true for the initial states
  It is inductive (assuming it in one time frame leads to making it true in the next time frame)
PDR is a way of computing an inductive invariant that does not overlap with bad states
  It is similar to interpolation, but the way of deriving the invariant is different
  PDR has better control of the invariant, and this may explain its good performance

[Figure: state space with the regions Init, Reached, Bad and Invariant]

Page 6: PDR: The Main Idea

Construct over-approximations (F_0, F_1, …, F_k) of states reachable after each time step
  Start with F_0 = Init, and compute the other over-approximations as sets of CNF clauses
Additionally, require that
  Semantically (as functions): F_0 → F_1 → F_2 → … → F_k
  Syntactically (as clause sets): F_1 ⊇ F_2 ⊇ … ⊇ F_k

Page 7: PDR: The Main Idea

Termination criteria
  If an over-approximation is inductive, return UNSAT
  If a counter-example is found, return SAT
The algorithm constructs over-approximations
  in a property directed way: the property is used to decide what clauses to include
  with an inductive flavor: induction is used to prove that a clause holds in a frame

Page 8: PDR: Illustration

[Figure: the design unrolled over time frame 0 and time frame 1 (primary inputs, initial state, combinational logic, register inputs and outputs, property output), with the state space of time frame 0 (Init, Reached) and of time frame 1 (Init, Reached, Bad, cubes a1, a2, a3, transition T); legend: initial states, states where property fails]

Cubes (a1, a2, a3) are covering bad states and not including reached states. The product of their complements is a property-directed over-approximation F_1 of reachable states at frame 1.

Page 9: Inductive Generalization

Assume that, at some point, we have the following over-approximations of reached states: (F_0, F_1, …, F_k)
Suppose we wish to block state s in frame i
  We can try to find a clause c, such that c s, and add it to the set of clauses for frame i.
  Clause c can be added if it satisfies the condition F_{i-1} ∧ T → c
  Another possibility is to run a stronger inductive check F_{i-1} ∧ c’ ∧ T → c, where c’ is clause c expressed in terms of the current state variables
  We can also try to generalize (or strengthen) clause c, by removing literals, as long as the inductive check passes

Page 10

[Figure: state space of time frame k-1 (all bad states are blocked by clauses: Init, Reached(k-1), Bad, clauses a4, a5) and state space of time frame k (there is a bad state s that needs blocking: Init, Reached(k-1), Reached(k), Bad, clauses a1, a2, a3), with transition T from the pre-image s’ of s to s]

Consider the case when s’ is blocked by clauses in frame k-1.

We can use inductive generalization to derive a new clause c blocking s in frame k, such that F_{k-1} ∧ c’ ∧ T → c, where F_{k-1} is the product of clauses in frame k-1 and T is the transition relation.

Page 11

[Figure: state space of time frame k-1 (all bad states are blocked by clauses: Init, Reach(k-1), Bad, clauses a4, a5) and state space of time frame k (there is a bad state s that needs blocking: Init, Reach(k-1), Reach(k), Bad, clauses a1, a2, a3), with transition T from the pre-image s’ of s to s]

Consider the case when s’ is NOT blocked by clauses in frame k-1.

In this case, we schedule a proof obligation to block s’ in frame k-1. We treat s’ as a bad state in frame k-1 and try to block it recursively.

Page 12: Pseudo-code

PDR( AIG )
{
    k = 0; solver[0] = CreateSatSolver( AIG, init_state );
    forever {
        cube = GetBadState( solver[k] );
        if ( cube != NULL ) {
            if ( !BlockState( cube, solver[0], …, solver[k] ) )
                return SAT;    // found counter-example
        } else {
            k = k+1; solver[k] = CreateSatSolver( AIG, not_init );
            if ( PushClauses( solver[1], …, solver[k] ) )
                return UNSAT;  // found inductive invariant
        }
    }
}

Page 13: Procedures

solver CreateSatSolver( AIG, initialize )
  returns a SAT solver with the AIG; optionally initializes it
cube GetBadState( solver[k] )
  returns a state cube failing the property in the k-th frame
bool BlockState( cube, solver[0], …, solver[k] )
  recursively tries to block the cube by adding clauses to the solvers
  returns 1 if the cube could be blocked; 0 otherwise
bool PushClauses( solver[0], …, solver[k] )
  moves clauses in the i-th frame to the (i+1)-th frame, if they hold
  returns 1 if an inductive invariant is found; 0 otherwise
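The pseudo-code and procedures of pages 12 and 13, together with the frame sequence, proof obligations and inductive generalization of pages 6 to 11, as an added worked example in Python (not code from the slides, from ic3 or from ABC): exhaustive enumeration of an 8-state toy design stands in for the SAT queries, proof obligations are single states rather than expanded cubes, and the counter design, `counter_step`, `PDR` and `check` are all constructed here.

```python
# Toy PDR/IC3 over a 3-bit register space: enumerating the 8 states replaces the SAT
# queries, and proof obligations are single states rather than expanded cubes.
NBITS = 3
STATES = range(1 << NBITS)

def bit(s, v): return (s >> v) & 1
def clause_holds(c, s): return any(bit(s, v) == val for v, val in c)  # c: frozenset of (var, value)
def blocking_clause(s): return frozenset((v, 1 - bit(s, v)) for v in range(NBITS))  # ¬(cube of s)

class PDR:
    def __init__(self, init, bad, trans):
        self.init, self.bad, self.trans = init, bad, trans
        self.frames = [None, []]   # frames[0] stands for Init; F_1 = True (no clauses yet)

    def holds(self, i, s):         # F_i evaluated on state s
        return self.init(s) if i == 0 else all(clause_holds(c, s) for c in self.frames[i])

    def rel_inductive(self, i, c):  # Init -> c  and  F_{i-1} ∧ c' ∧ T -> c
        return all(clause_holds(c, s) for s in STATES if self.init(s)) and all(
            clause_holds(c, self.trans(s)) for s in STATES if self.holds(i - 1, s) and clause_holds(c, s))

    def generalize(self, i, c):    # drop literals while the inductive check still passes
        for lit in sorted(c):
            if len(c) > 1 and self.rel_inductive(i, c - {lit}):
                c = c - {lit}
        return c

    def block(self, s, i):         # BlockState for the proof obligation (state s, frame i)
        if i == 0 or self.init(s):
            return False           # the obligation reached Init: a real counterexample
        while True:                # a predecessor in F_{i-1} (other than s itself) that steps into s?
            pred = next((p for p in STATES if self.holds(i - 1, p) and p != s and self.trans(p) == s), None)
            if pred is None:       # F_{i-1} ∧ ¬s ∧ T -> ¬s' holds: block s, then generalize
                c = self.generalize(i, blocking_clause(s))
                for j in range(1, i + 1):     # keep F_1 ⊇ F_2 ⊇ ... ⊇ F_i as clause sets
                    if c not in self.frames[j]:
                        self.frames[j].append(c)
                return True
            if not self.block(pred, i - 1):   # schedule the obligation (pred, i-1) recursively
                return False

    def push_clauses(self):        # move F_i clauses that still hold one step later into F_{i+1}
        for i in range(1, len(self.frames) - 1):
            for c in self.frames[i]:
                if c not in self.frames[i + 1] and all(
                        clause_holds(c, self.trans(s)) for s in STATES if self.holds(i, s)):
                    self.frames[i + 1].append(c)
            if set(self.frames[i]) == set(self.frames[i + 1]):
                return True        # F_i == F_{i+1}: F_i is an inductive invariant
        return False

    def run(self):                 # "SAT" = counterexample found, "UNSAT" = property proved
        k = 1
        while True:
            s = next((s for s in STATES if self.holds(k, s) and self.bad(s)), None)  # GetBadState
            if s is not None:
                if not self.block(s, k):
                    return "SAT"
            else:                  # F_k is free of bad states: open frame k+1
                self.frames.append([])
                k += 1
                if self.push_clauses():
                    return "UNSAT"

# Constructed toy design: a counter over states 0..5 that wraps; states 6 and 7 are stuck.
def counter_step(s):
    return (s + 1) % 6 if s < 6 else s
def check(bad_state):              # property: the register never holds bad_state
    pdr = PDR(init=lambda s: s == 0, bad=lambda s: s == bad_state, trans=counter_step)
    return pdr.run(), [set(f) for f in pdr.frames[1:]]
```

check(7) proves the property with the single-clause invariant ¬x1 ∨ ¬x2 (states 0..5, exactly the reachable set), while check(5) returns SAT because state 5 is reached after five steps.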

Page 14: Remarkable Features

Efficiently tackles both SAT and UNSAT instances
  Often finds counter-examples that cannot be found by bounded model checking
  Often proves problems that are not proved by interpolation
Amenable to localization abstraction
  The PDR solver can work in-place and increase its scope on demand, without traversing all registers and logic gates of the design
Lends itself to parallelism
  Each process works on some proof obligations, and the processes exchange clauses
Conceptually simple, relatively tuning-free
  Unlike, for example, BDD-based reachability, which takes lots of time to develop and leaves lots of parameters to tune

Page 15: Example of Inductive Invariant

# Inductive invariant for "hwmcc08\eijkS208"
# generated by PDR in ABC on Tue Dec 07 09:36:36 2010
.i 22
.o 1
.p 43
[43 PLA cube rows of the invariant omitted]
.e

Flop relationships:

F8 = F14

F7 = F18 & F19 & F20 & F21

Page 16: Experiments on Hard Examples Previously Unsolved by ABC

Circuit statistics:

  name     PI     FF     AND
  106     313    111    2813
  107     313    118    2860
  112      38    166     746
  666    1329    879    4622
  667    8024   2152   11094
  668    8024   2135   11037
  669    8024   2143   11105
  670    1330    680    3299
  687     645    501    2300
  688     645    508    2299
  827      38    178     818
  Total

PI: number of primary inputs
FF: number of flip-flops
AND: number of AIG nodes

Page 17: Experiments on Hard Examples (without simplification)

  Circuit   PDR1                        PDR2a                       PDR2b
  name      Frame    Clauses  Time, s   Frame    Clauses  Time, s   Frame    Clauses  Time, s
  106       22(18)     1056       88    20(16)      701       20    22(20)     1024       40
  107       23(19)     1454      102    24(20)     1034       35    29(16)      685       31
  112       43(98)        -      436    39(106)       -       77    43(97)        -      110
  666       26(40)        -     1900    23(38)        -      199    22(44)        -      116
  667       16(15)     1788      191    18(17)     2997      154    16(14)     2352       76
  668        7(6)       279       15    10(9)       368        7    10(9)       428        6
  669       10(8)      2298      219    13(12)     2769       83    14(13)     2752       95
  670       51(45)    44985    22539    50(37)    33069    11885    61(57)    31975    13806
  687       22(21)     1049       87    19(18)      835       17    27(18)     1053       29
  688       21(20)     1685       86    26(23)     1821       34    22(17)     2510       68
  827       42(94)        -     4576    43(112)       -      549    42(94)        -      631
  Total                        1.00                        0.29                        0.32

Frame: time frames covered by PDR (time frame where the inductive invariant or counter-example was found)
Clauses: the number of clauses in the inductive invariant
Time: runtime of PDR

Page 18: Experiments on Hard Examples (after simplification with ‘dprove’)

Frame: time frames covered by PDR (time frame where the inductive invariant or counter-example was found)
Clauses: the number of clauses in the inductive invariant
Time: runtime of PDR, without simplification

  Circuit   PDR1                        PDR2a                       PDR2b
  name      Frame    Clauses  Time, s   Frame    Clauses  Time, s   Frame    Clauses  Time, s
  106       21(16)      904       37    21(15)      562       22    18(15)      587       21
  107       13(11)      586       49    19(16)      812       24    18(14)      602       20
  112       37(96)               251    38(85)        -       45    38(94)        -       42
  666       12(41)                31    12(40)        -       16    16(36)        -      142
  667       14(11)      725       30    15(12)      486        7    14(13)     1687       26
  668        9(6)       112        1     8(6)        76        1     8(6)        76        1
  669        9(7)      1096       15     9(7)      1227        8     9(7)      1204        8
  670       41(33)    38515    17900    30(29)    19770     2564    32(26)    20509     3015
  687       28(18)     1103       46    24(20)      625       21    25(20)      679       21
  688       25(18)     1525       62    22(18)      623       12    19(17)      854       21
  827       40(82)        -     1650    38(104)       -    17317    32(?)         -        -
  Total                        1.00                        0.36                        0.54

Page 19: Conclusion

Presented PDR
  pioneering work of Aaron Bradley
  efficient implementation by Niklas Een
Explained how it works
Discussed its remarkable features
Future improvements
  localization abstraction
  temporal decomposition
  signal-clauses instead of register-clauses
  applications in logic synthesis


Page 21: Abstract

This talk presents a new sequential verification algorithm pioneered by Aaron Bradley from the University of Colorado, Boulder, and efficiently implemented by Niklas Een from the University of California, Berkeley. The tool "ic3" based on this algorithm won third place in the Hardware Model Checking Competition at CAV 2010, only losing by a small margin to mature multi-engine systems such as PdTrav (University of Torino, Italy) and ABC (UC Berkeley). The new algorithm is elegant and straightforward to implement. Its memory requirements are modest. There are few parameters to tune, and yet it can detect deep counter-examples beyond the scope of bounded model checking, and prove hard properties that cannot be solved by interpolation and induction. The algorithm lends itself naturally to parallelization and localization abstraction.

Page 22: Speaker’s Bio

Alan Mishchenko graduated from Moscow Institute of Physics and Technology (Moscow, Russia) in 1993 and Glushkov Institute of Cybernetics (Kiev, Ukraine) in 1997. From 1998 to 2002 he was an Intel-sponsored researcher at Portland State University. In 2002, he joined the EECS Department at UC Berkeley, where he is currently an associate researcher. Alan is interested in developing efficient methods for synthesis and verification.