PDR: Property Directed Reachability
AKA ic3: SAT-Based Model Checking Without Unrolling

Aaron Bradley
University of Colorado, Boulder

Robert Brayton, Niklas Een, Alan Mishchenko
University of California, Berkeley
Outline

Motivation
  Sequential verification is hard (needs new engines!)
  Pioneering work of Aaron Bradley
  A surprise (3rd place) winner at HWMCC'10!
Remarkable features
  Efficiently tackles both SAT and UNSAT instances
  Lends itself to localization abstraction and parallelism
  Conceptually simple, relatively tuning-free
Understanding the algorithm
  Pseudo-code…
Experimental results and conclusions
Pioneering Work

Aaron Bradley developed this algorithm after several years of work on "inductive generalization"
  Preliminary work (A. R. Bradley and Z. Manna, "Checking safety by inductive generalization of counterexamples to induction", FMCAD'07)
  This work (A. R. Bradley, "k-step relative inductive generalization", http://arxiv.org/abs/1003.3649)
  The original version of the tool entered HWMCC'10 (ic3, http://ecee.colorado.edu/~bradleya/ic3/)
ic3 won third place and lost only by a small margin to two mature, integrated engines (ABC and PdTRAV)
Efficient Implementation

Niklas Een implemented Aaron Bradley's algorithm while taking advantage of the strengths of MiniSAT:
  Incremental interface
  Activation literals to enable/disable clauses
  Procedure AnalyzeFinal to compute an UNSAT core in terms of the original assumptions
  Resource-driven recycling of the SAT solver
Additionally, Niklas proposed
  Ternary simulation for quick cube expansion
  New heuristics for inductive generalization
  Smart data-structures for clauses and proof obligations
Niklas' implementation runs faster and proves more properties than the original implementation
PDR: The Main Idea

An inductive invariant is a Boolean function in terms of register variables, such that
  It is true for the initial states
  It is inductive (assuming it in one time frame leads to making it true in the next time frame)
PDR is a way of computing an inductive invariant that does not overlap with bad states
  It is similar to interpolation, but the way of deriving the invariant is different
  PDR has better control of the invariant, and this may explain its good performance

[Figure: the state space with the initial states (Init), the reached states, the bad states, and an inductive invariant that contains all reached states and no bad state]
PDR: The Main Idea

Construct over-approximations (F0, F1, …, Fk) of the states reachable after each time step
  Start with F0 = Init, and compute the other over-approximations as sets of CNF clauses
Additionally, require that
  Semantically (as functions): F0 → F1 → F2 → … → Fk (each frame implies the next)
  Syntactically (as clause sets): F1 ⊇ F2 ⊇ … ⊇ Fk (each frame contains the clauses of the next)
PDR: The Main Idea

Termination criteria
  If an over-approximation is inductive, return UNSAT
  If a counter-example is found, return SAT
The algorithm constructs the over-approximations
  in a property directed way: the property is used to decide what clauses to include
  with an inductive flavor: induction is used to prove that a clause holds in a frame
PDR: Illustration

[Figure: the design unrolled over time frame 0 and time frame 1 (initial state, register inputs and outputs, combinational logic, primary inputs, property output), with the state space of each frame showing the initial states, the reached states, the states where the property fails, and the transition relation T between the frames]

Cubes (a1, a2, a3) cover bad states and do not include reached states. The product of their complements is a property-directed over-approximation F1 of the reachable states at frame 1.
Inductive Generalization

Assume that, at some point, we have the following over-approximations of reached states: (F0, F1, …, Fk)
Suppose we wish to block state s in frame i
  We can try to find a clause c that is false on s (c blocks s), and add it to the set of clauses for frame i
  Clause c can be added if it satisfies the condition F_{i-1} ∧ T → c
  Another possibility is to run a stronger inductive check F_{i-1} ∧ c' ∧ T → c, where c' is clause c expressed in terms of the current-state variables
  We can also try to generalize (or strengthen) clause c by removing literals, as long as the inductive check passes
[Figure: state space of time frame k-1 (all bad states are blocked by clauses) next to state space of time frame k (there is a bad state s that needs blocking), showing Init, Reached(k-1), Reached(k), Bad, the blocking cubes a1, a2, a3 in frame k and a4, a5 in frame k-1, the transition relation T, and the pre-image s' of s]

Consider the case when s' is blocked by clauses in frame k-1.
We can use inductive generalization to derive a new clause c blocking s in frame k, such that F_{k-1} ∧ c' ∧ T → c, where F_{k-1} is the product of clauses in frame k-1 and T is the transition relation.
[Figure: the same two state spaces, time frame k-1 (all bad states are blocked by clauses) and time frame k (there is a bad state s that needs blocking), showing Init, Reach(k-1), Reach(k), Bad, the cubes a1 to a5, the transition relation T, and the pre-image s' of s]

Consider the case when s' is NOT blocked by clauses in frame k-1.
In this case, we schedule a proof obligation to block s' in frame k-1. We treat s' as a bad state in frame k-1 and try to block it recursively.
Pseudo-code

PDR( AIG )
{
    k = 0; solver[0] = CreateSatSolver( AIG, init_state );
    forever {
        cube = GetBadState( solver[k] );
        if ( cube != NULL ) {
            if ( !BlockState( cube, solver[0], …, solver[k] ) )
                return SAT;    // found counter-example
        } else {
            k = k+1; solver[k] = CreateSatSolver( AIG, not_init );
            if ( PushClauses( solver[1], …, solver[k] ) )
                return UNSAT;  // found inductive invariant
        }
    }
}
Procedures

solver CreateSatSolver( AIG, initialize )
  returns a SAT solver with the AIG; optionally initializes it
cube GetBadState( solver[k] )
  returns a state cube failing the property in the k-th frame
bool BlockState( cube, solver[0], …, solver[k] )
  recursively tries to block the cube by adding clauses to the solvers
  returns 1 if the cube could be blocked; 0 otherwise
bool PushClauses( solver[0], …, solver[k] )
  moves clauses in the i-th frame to the (i+1)-th frame, if they hold
  returns 1 if an inductive invariant is found; 0 otherwise
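The main loop and the four procedures above, as an added example that is not code from the slides, from ic3 or from ABC: a Python PDR over an explicit-state toy model in which every SAT call of the pseudo-code (GetBadState, the predecessor query inside BlockState, the check inside PushClauses) is answered by enumerating a tiny state space, so the frames, proof obligations, relative induction check and literal-dropping generalization described on the preceding slides can be stepped through with a debugger. The 4-bit counter model, its bit encoding and all function names are this example's own assumptions.

```python
"""Minimal PDR over an explicit-state toy model: an added example, not code from
the slides, from ic3 or from ABC.  Every SAT query of real PDR is replaced by
brute-force enumeration of a tiny state space, so the shape of the algorithm
(frames F0..Fk, proof obligations, relative induction, literal-dropping
generalization, clause pushing) is visible without a SAT solver."""
from collections import namedtuple
from itertools import product

# States and inputs are bit tuples; next(state, inp) is the transition relation T.
Model = namedtuple("Model", "states inputs init next bad")
def cube_of(state):  # a cube is a frozenset of (register, value) literals
    return frozenset(enumerate(state))
def sat_cube(state, cube):
    return all(state[v] == val for v, val in cube)

class PDR:
    def __init__(self, model):
        self.m, self.k = model, 0
        # frames[i] (i >= 1) is the set of cubes blocked in F_i, so F_i is the
        # conjunction of their negations; F_0 is Init itself (frames[0] unused).
        self.frames = [None]
    def in_frame(self, i, s):
        return self.m.init(s) if i == 0 else not any(sat_cube(s, c) for c in self.frames[i])
    def get_bad_state(self, k):  # SAT(F_k & Bad): a bad state still inside frame k
        return next((s for s in self.m.states if self.in_frame(k, s) and self.m.bad(s)), None)
    def predecessor(self, i, cube):
        """SAT(F_i & ~cube & T & cube'); None means ~cube is inductive relative to F_i."""
        for t in self.m.states:
            if self.in_frame(i, t) and not sat_cube(t, cube):
                if any(sat_cube(self.m.next(t, x), cube) for x in self.m.inputs):
                    return t
        return None
    def generalize(self, cube, i):
        """Drop literals while ~cube excludes Init and stays inductive relative to F_{i-1}."""
        for lit in sorted(cube):
            smaller = cube - {lit}
            if (not any(self.m.init(s) and sat_cube(s, smaller) for s in self.m.states)
                    and self.predecessor(i - 1, smaller) is None):
                cube = smaller
        return cube
    def block(self, s, i):
        """BlockState: (True, None) once s is blocked in frame i, else (False, trace)."""
        if i == 0:
            return False, [s]
        stack = [(s, i)]  # proof obligations; the stack is a concrete path into Bad
        while stack:
            s, i = stack[-1]
            t = self.predecessor(i - 1, cube_of(s))
            if t is None:                  # no predecessor in F_{i-1}: block s
                stack.pop()
                c = self.generalize(cube_of(s), i)
                for j in range(1, i + 1):  # keeps F_1 >= F_2 >= ... >= F_i syntactically
                    self.frames[j].add(c)
            elif self.m.init(t):           # obligations reached Init: a real counter-example
                return False, [t] + [o[0] for o in reversed(stack)]
            else:                          # schedule blocking t one frame earlier
                stack.append((t, i - 1))
        return True, None
    def push_clauses(self):
        """PushClauses: copy c to F_{i+1} when F_i & T -> c'; F_i == F_{i+1} is inductive."""
        for i in range(1, self.k):
            for c in list(self.frames[i]):
                if c not in self.frames[i + 1] and self.predecessor(i, c) is None:
                    self.frames[i + 1].add(c)
            if self.frames[i] == self.frames[i + 1]:
                return self.frames[i]
        return None
    def run(self):  # the main loop of the slides' pseudo-code
        while True:
            s = self.get_bad_state(self.k)
            if s is not None:
                ok, trace = self.block(s, self.k)
                if not ok:
                    return "SAT", trace
            else:
                self.k += 1
                self.frames.append(set())
                inv = self.push_clauses()
                if inv is not None:
                    return "UNSAT", inv

# Constructed model: a 4-bit counter (LSB first) that counts 0..9 and wraps to 0
# when input `en` is 1 and holds when `en` is 0; the unreachable states 10..15
# just increment modulo 16, so "count < 12" is safe but not inductive by itself.
def to_int(bits):
    return sum(b << i for i, b in enumerate(bits))
def counter_next(s, inp):
    c = to_int(s)
    n = c if inp[0] == 0 else (0 if c == 9 else (c + 1) % 16)
    return tuple((n >> i) & 1 for i in range(4))
def solve_counter(bad):
    """Run PDR on the counter with the given bad-state predicate; returns (model, result)."""
    m = Model(list(product((0, 1), repeat=4)), [(0,), (1,)], lambda s: to_int(s) == 0, counter_next, bad)
    return m, PDR(m).run()
def invariant_states(m, inv):
    """States (as ints) admitted by inv if it contains Init, excludes Bad and is
    closed under T, i.e. is the inductive invariant PushClauses promised; else None."""
    ok = [s for s in m.states if not any(sat_cube(s, c) for c in inv)]
    good = (all(not m.init(s) or s in ok for s in m.states) and not any(m.bad(s) for s in ok)
            and all(m.next(s, x) in ok for s in ok for x in m.inputs))
    return sorted(map(to_int, ok)) if good else None
```

With bad = "count >= 12" the run ends in UNSAT with a two-clause frame that admits exactly the states 0..9 (the only inductive invariant that excludes 12..15, since 11 steps to 12 and 10 to 11); with bad = "count == 9" it ends in SAT with the ten-state counter-example 0, 1, …, 9, found at k = 9 because every earlier frame blocks the obligations before they reach Init. Two simplifications relative to the real implementation: proof obligations are kept as full state cubes rather than expanded by ternary simulation, and the `~cube` conjunct in `predecessor` is what the slides call the stronger inductive check, so a clause is only added when it is inductive relative to the previous frame.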
Remarkable Features

Efficiently tackles both SAT and UNSAT instances
  Often finds counter-examples that cannot be found by bounded model checking
  Often proves problems that are not proved by interpolation
Amenable to localization abstraction
  The PDR solver can work in place and increase its scope on demand, without traversing all registers and logic gates of the design
Lends itself to parallelism
  Each process works on some proof obligations, and the processes exchange clauses
Conceptually simple, relatively tuning-free
  Unlike, for example, BDD-based reachability, which takes lots of time to develop and leaves lots of parameters to tune
Example of Inductive Invariant

# Inductive invariant for "hwmcc08\eijkS208"
# generated by PDR in ABC on Tue Dec 07 09:36:36 2010
.i 22
.o 1
.p 43
-------------0---1---- 1
-------------1---0---- 1
------------0-----1--- 1
------------1-----0--- 1
-----------0-------1-- 1
-----------1-------0-- 1
----------0-----1----- 1
----------1-----0----- 1
---------0-----1------ 1
---------1-----0------ 1
--------0-----1------- 1
--------1-----0------- 1
-------0-------------1 1
-------0------------1- 1
-------0-----------1-- 1
-------0----------1--- 1
-------1----------0000 1
------0--------------1 1
------0-------------1- 1
------0------------1-- 1
------0-----------1--- 1
------1-----------0000 1
-----0---------------1 1
-----0--------------1- 1
-----0-------------1-- 1
-----0------------1--- 1
-----1------------0000 1
----0----------------1 1
----0---------------1- 1
----0--------------1-- 1
----0-------------1--- 1
----1-------------0000 1
---0-------11--------- 1
---1--------0--------- 1
---1-------0---------- 1
--0-----------------1- 1
--1-----------------0- 1
-0-------------------1 1
-1-------------------0 1
10----------------1111 1
11--0----------------- 1
11-0------------------ 1
110------------------- 1
.e
Flop relationships:
F8 = F14
F7 = F18 & F19 & F20 & F21
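To consume such a dump programmatically instead of reading it by eye, here is an added example (not ABC's own reader) that parses the rows and recovers the flop relationships listed above. It rests on one assumption, stated here because the slide does not spell the encoding out: each row is one clause over the registers F0..F21, with '1' for a positive literal, '0' for a negated one and '-' for a register that does not occur; that is the reading under which the two relationships on the slide follow (the pair of rows on F8 and F14 gives F8 = F14, the five rows on F7 and F18..F21 give F7 = F18 & F19 & F20 & F21). Only those seven of the 43 rows are embedded, copied from the listing; the helper names are this example's own.

```python
"""Parse a PDR invariant written in the PLA layout shown on the slide and read
the flop relationships off it.  Added example, not ABC's reader.  Assumption
(implied by the slide's "F8 = F14" and "F7 = F18 & F19 & F20 & F21"): each row
lists the literals of one clause over registers F0..F21, '1' for a positive
literal, '0' for a negated one, '-' for a register absent from the clause."""

# Excerpt of the slide's listing: the seven rows that mention F7 or F8 (the full
# dump has .p 43).  Rows are copied from the slide, not generated here.
PLA_EXCERPT = """\
# Inductive invariant for "hwmcc08\\eijkS208"
.i 22
.o 1
.p 7
--------0-----1------- 1
--------1-----0------- 1
-------0-------------1 1
-------0------------1- 1
-------0-----------1-- 1
-------0----------1--- 1
-------1----------0000 1
.e
"""


def parse_pla_clauses(text):
    """Return (n_regs, clauses); a clause is a frozenset of (reg, is_positive)."""
    n, clauses = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(".i "):
            n = int(line.split()[1])
            continue
        if line.startswith("."):            # .o / .p / .e carry nothing we need
            continue
        cube, out = line.split()
        if n is None or len(cube) != n or out != "1":
            raise ValueError("malformed PLA row: " + line)
        clauses.append(frozenset((i, ch == "1") for i, ch in enumerate(cube) if ch != "-"))
    return n, clauses


def satisfies(clauses, regs):
    """True when the register valuation (a list of 0/1, index = register) satisfies every clause."""
    return all(any(bool(regs[v]) == pos for v, pos in c) for c in clauses)


def flop_relationships(clauses):
    """Read equalities and AND-definitions off groups of clauses:
    (~a | b) and (a | ~b)                              give  a = b
    (~a | b_i) for every i and (a | ~b_1 | ... | ~b_n)  give  a = b_1 & ... & b_n"""
    cs, rels = set(clauses), []
    for c in cs:
        pos = sorted(v for v, p in c if p)
        neg = sorted(v for v, p in c if not p)
        if len(c) == 2 and len(pos) == 1 and len(neg) == 1 and neg[0] < pos[0]:
            a, b = neg[0], pos[0]           # this clause is (~a | b); look for (a | ~b)
            if frozenset({(a, True), (b, False)}) in cs:
                rels.append(f"F{a} = F{b}")
        if len(pos) == 1 and len(neg) >= 2:
            a = pos[0]                      # this clause is (a | ~b_1 | ... | ~b_n)
            if all(frozenset({(a, False), (b, True)}) in cs for b in neg):
                rels.append(f"F{a} = " + " & ".join(f"F{b}" for b in neg))
    return sorted(rels)
```

The row-length check against `.i` is the one sanity check worth keeping when the dump is produced by a tool and consumed by another: a dropped or doubled character silently shifts every literal to a neighbouring register, and the invariant then no longer describes the design it was proved for.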
Experiments on Hard Examples (previously unsolved by ABC)

          Circuit statistics        Original examples              Preprocessed examples
name      PI     FF     AND         Frame    Clauses   Time, s     Frame    Clauses   Time, s
106       313    111    2813        15       827       22.33       15       552       15.88
107       313    118    2860        20       1191      37.13       19       1079      41.16
112       38     166    746         43/102   sat       60.30       40/88    sat       63.17
666       1329   879    4622        21/36    sat       475.48      11/40    sat       14.44
667       8024   2152   11094       14       2727      262.27      13       777       73.80
668       8024   2135   11037       9        365       15.22       6        60        1.88
669       8024   2143   11105       11       2749      175.17      8        1230      38.34
687       645    501    2300        21       1236      49.03       20       577       15.63
688       645    508    2299        17       576       21.48       19       1114      37.84
827       38     178    818         42/117   sat       881.06      38/81    sat       833.44
Total                                                  1989.07                        1136.11

Statistics: number of primary inputs (PI), flip-flops (FF), and AIG nodes (AND)
Frame: time frame where the inductive invariant or counter-example was found
Clauses: the number of clauses in the inductive invariant
Time: runtime of PDR, without preprocessing
Conclusion

Presented PDR
  pioneering work of Aaron Bradley
  efficient implementation by Niklas Een
Explained how it works
Discussed its remarkable features
Future improvements
  localization abstraction
  temporal decomposition
  signal-clauses instead of register-clauses
  applications in logic synthesis