On Invariants to Characterize the State Space for Sequential Logic Synthesis and Formal Verification
UC Berkeley PhD Defense
Student: Mike Case
Advisor: Bob Brayton
March 31, 2009
Outline
• Synergy Between Synthesis and Verification
• Invariants to Characterize the State Space
• Synthesis Applications
  • Resubstitution
  • ODCs
• Verification Applications
  • Interpolation
  • Induction
  • Targeted Invariants
Mike Case PhD Defense
Synthesis For Verification
[Figure: a design with inputs, registers and a property output p, of size N, is reduced by synthesis to a design of size n < N before verification.]
Verification question: is there an input sequence such that p(t) = 1 for some t?
Verification for Synthesis
[Figure: two designs A and B, each with inputs and registers, compared over time.]
Prove A = B
Reachable States
[Figure: the state space split into reachable states (containing the initial state) and unreachable states.]
• Verification: don’t verify unreachable states
• Synthesis: don’t preserve behavior on unreachable states
Outline, current section: Invariants to Characterize the State Space
Invariants As Reachability Approximation
[Figure: the reachable state set lies inside a candidate invariant C; the proved invariants I form the current over-approximation R. If C is proved, R := C ∩ R.]
[Case et al., “Inductively Finding a Reachable State Space Over-Approximation,” IWLS 2006]
Basic Flow
Discover Candidate Invariants (Simulation) → Prove Candidate Invariants (Induction) → Approximate Reachability
Discovering Candidate Invariants
[Figure: simulation patterns seen on signals A, B, C, D; from them, local properties such as C = 0 and A = B are extracted.]
• Extract “interesting” local properties
• Find the N “best” candidates and subset
[Case et al., “Inductively Finding a Reachable State Space Over-Approximation,” IWLS 2006]
What Type of Candidate Invariants?
• Constants: very few in number; very crude reachability approximation
• Equivalences: few in number; crude reachability approximation
• Implications: very numerous, O(n²); OK reachability approximation
• k-Cuts: manageable number of candidates, O(n); local, OK reachability approximation
• Random clauses: currently use a fixed number of random 3-literal clauses; not local, can often strengthen reachability
[Case et al., “Invariant-strengthened elimination of dependent state elements,” FMCAD 2008]
Induction
• Base Case: the candidate invariant holds in the initial state(s)
• Inductive Step: in states where the candidate holds, it also holds in all next states
[Figure: a design with inputs and registers A, B is unrolled into frame 1 (A1, B1, frame-1 inputs) and frame 2 (A2, B2, frame-2 inputs), with symbolic inputs in place of the registers.]
Computation Waves
[Figure: k=1 induction and k=2 induction.]
[Case et al., “Invariant-strengthened elimination of dependent state elements,” FMCAD 2008]
Storing Implications Efficiently
• A design with 5k AND nodes and 1k registers can have 100k implication candidates
[Figure: an AIG with nodes a, b, c, d, e, f, g.]
[Case et al., “Inductively Finding a Reachable State Space Over-Approximation,” IWLS 2006]
Storing Implications Efficiently
[Figure: an implication graph over nodes A to G next to its transitively reduced implication graph.]
• Algorithms developed to always maintain an equivalent but reduced set of implications
[Case et al., “Maintaining A Minimum Equivalent Graph In The Presence of Graph Connectivity Changes,” Tech. Rpt. 2007]
Storing Implications Efficiently (continued)
[Case et al., “Maintaining A Minimum Equivalent Graph In The Presence of Graph Connectivity Changes,” Tech. Rpt. 2007]
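An added illustration of the reduced implication graph on these slides (this is example code, not the thesis's implementation; node labels and the edge sequence are constructed). Implications are stored as graph edges, a query walks the stored edges, and each newly learned implication is either discarded because it is already implied or stored while every edge it makes redundant is dropped, so the stored set stays minimal yet equivalent. It assumes an acyclic graph: a cycle means two nodes are equivalent, which the thesis handles by merging them, so here such an insertion is rejected.

```python
"""Transitively reduced implication graph, maintained incrementally as
implications are learned. Added example, not the thesis's code; node names
are constructed. Assumes an acyclic graph (equivalent nodes would be merged)."""
from collections import defaultdict


class ImplicationGraph:
    def __init__(self):
        self.succ = defaultdict(set)  # a -> set of b with "a implies b" stored explicitly

    def implies(self, src, dst):
        """True if dst follows from src through a chain of stored implications."""
        stack, seen = [src], set()
        while stack:
            n = stack.pop()
            if n == dst:
                return True
            if n in seen:
                continue
            seen.add(n)
            stack.extend(self.succ[n])
        return False

    def add(self, a, b):
        """Learn 'a implies b'. Returns False if it is already implied (nothing
        stored); otherwise stores it and drops every existing edge (x, y) that
        the new edge makes redundant, i.e. every edge with x ->* a and b ->* y."""
        if a == b or self.implies(a, b):
            return False
        if self.implies(b, a):
            raise ValueError(f"{a} and {b} are equivalent; merge them instead")
        for x in list(self.succ):
            for y in list(self.succ[x]):
                if (x, y) != (a, b) and self.implies(x, a) and self.implies(b, y):
                    self.succ[x].discard(y)
        self.succ[a].add(b)
        return True

    def edges(self):
        return sorted((a, b) for a in self.succ for b in self.succ[a])


def build_demo():
    """Constructed implication set: A->C is learned first, yet once A->B and
    B->C arrive only the reduced edges A->B, B->C, C->D remain stored."""
    g = ImplicationGraph()
    for a, b in [("A", "C"), ("A", "B"), ("B", "C"), ("C", "D"), ("A", "D"), ("B", "D")]:
        g.add(a, b)
    return g


if __name__ == "__main__":
    g = build_demo()
    print(g.edges())            # [('A', 'B'), ('B', 'C'), ('C', 'D')]
    print(g.implies("A", "D"))  # True, via A -> B -> C -> D
```

The redundancy test inside add is safe to run while edges are being removed: an edge (x, y) can only sit on a path x' ->* a or b ->* y' if the new edge closes a cycle, which the equivalence check has already excluded.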
Outline, current section: Synthesis Applications
Direct Vs. Indirect Sequential Synthesis
• Direct Sequential Synthesis
  • Do sequential analysis within synthesis
  • Can be expensive
  • Characterizes the state space in ways directly applicable to synthesis
• Indirect Sequential Synthesis
  • Find invariants and leverage them in combinational synthesis
  • Invariants can be expensive; combinational synthesis is usually cheap
  • The state space is characterized, but maybe not in the way synthesis needs
  • Can recycle invariants across multiple runs
[Case, previously unpublished work]
Outline, current section: Synthesis Applications: Resubstitution
Resubstitution Overview
[Figure: a target signal X is re-expressed as a function of existing signals g1, g2, g3.]
SAT-Based Resubstitution
[Lee et al., “Scalable exploration of functional dependency by interpolation and incremental SAT solving,” ICCAD 2007]
• Resubstitution exists iff, for any two logical assignments, pairwise equal g’s → equal X’s
• The dependency function is derived from the interpolant
[Figure: two copies of the circuit; copy 1 has X = 1 and copy 2 has X = 0, with g1, g2, g3 constrained pairwise equal between the copies.]
Resubstitution Test Function: Focus On Next State Functions
• For a particular state var S, next(S1) = 1 and next(S2) = 0
• For every other state var T, next(T1) = next(T2)
[Figure: two copies of the next state functions, copy 1 and copy 2, each fed by inputs / current state.]
[Case et al., “Invariant-strengthened elimination of dependent state elements,” FMCAD 2008]
Register Elimination
1) Original circuit (registers A, B, C)
2) Re-express the next state function
3) Eliminate the latch by separating time == 0 and time > 0 behavior
[Figure: the three steps; the eliminated register A is replaced by its initial state value at time == 0 and by the re-expressed function afterwards.]
Indirect Sequential Synthesis: Resubstitution Test Function
• For a particular state var S, next(S1) = 1 and next(S2) = 0
• For every other state var T, next(T1) = next(T2)
• Invariants = 1
[Figure: two copies of the next state functions, each fed by inputs / current state and each constrained by the invariants.]
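The resubstitution test on the last three slides, as an added worked example (constructed; not the thesis's code). The thesis runs the test as SAT on two circuit copies and reads the dependency function off the interpolant; here, over a few variables, every assignment is enumerated instead, and the dependency function is collected as a table. The functions g1, g2, x_xor, x_or and the invariant not_both_ac are constructed stand-ins for next state functions over inputs / current state. Passing an invariant restricts the test to assignments satisfying it, which is the invariant-strengthened form: x_or is not a function of g1, g2 in general, but it is once assignments violating the invariant are excluded.

```python
"""Resubstitution (functional dependency) test by enumeration. Added example,
constructed for illustration; the thesis uses SAT plus interpolation."""
from itertools import product


def dependency_function(target, supports, n_vars, invariant=None):
    """Return (table, witness). table maps a tuple of support values to the
    target value and is None when no dependency function exists; witness is
    then a pair of assignments with pairwise-equal supports but different
    target values (the satisfying assignment of the two-copy SAT check).
    When invariant is given, only assignments satisfying it are considered."""
    table, first_seen = {}, {}
    for v in product((0, 1), repeat=n_vars):
        if invariant is not None and not invariant(v):
            continue
        key = tuple(g(v) for g in supports)
        x = target(v)
        if key in table and table[key] != x:
            return None, (first_seen[key], v)
        table[key], first_seen[key] = x, v
    return table, None


def resubstitute(table, supports):
    """Build the replacement X' = F(g1..gk) from the dependency table."""
    return lambda v: table[tuple(g(v) for g in supports)]


def matches_on(f, g, n_vars, invariant=None):
    """Check f == g on every assignment (or every invariant-satisfying one)."""
    return all(f(v) == g(v) for v in product((0, 1), repeat=n_vars)
               if invariant is None or invariant(v))


# Constructed functions over v = (a, b, c), standing in for next state functions.
g1 = lambda v: v[0] ^ v[1]                    # a xor b
g2 = lambda v: v[1] ^ v[2]                    # b xor c
x_xor = lambda v: v[0] ^ v[2]                 # a xor c: equals g1 xor g2 everywhere
x_or = lambda v: v[0] | v[2]                  # a or c: a function of g1, g2 only under the invariant
not_both_ac = lambda v: not (v[0] and v[2])   # constructed invariant: a and c never both 1

if __name__ == "__main__":
    print(dependency_function(x_xor, [g1, g2], 3))   # table of g1 xor g2, no witness
    print(dependency_function(x_or, [g1, g2], 3))    # no table; conflicting pair shown
    table, _ = dependency_function(x_or, [g1, g2], 3, invariant=not_both_ac)
    print(table, matches_on(resubstitute(table, [g1, g2]), x_or, 3, not_both_ac))
```

The table plays the role the interpolant plays in the SAT formulation: it is a function of the supports only, agrees with the target on every assignment the test considered, and nothing is claimed about assignments the invariant excluded.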
Direct Sequential Synthesis
• Resubstitution exists iff: (A = A’) ∧ (B = B’) → (X = X’)
[Figure: two copies of the design (A, B, X and A’, B’, X’) unrolled over two time frames; the frame-1 registers are free variables, the frame-2 copies are constrained by (A = A’) ∧ (B = B’), and the check asks whether X ≠ X’ is possible.]
[Case, previously unpublished work]
Results
[Figure: six resubstitution formulations compared on registers removed and runtime.]
• Combinational formulation → invariant-strengthened combinational: +28% regs removed
• Combinational formulation → k=1 induction (SXS default): +31% regs removed, -4% runtime
• k=1 induction → invariant-strengthened k=1: +27% regs removed
• k=1 induction → k=2 induction: +447% regs removed, +205% runtime
• k=2 induction → invariant-strengthened k=2: +21% regs removed
Outline, current section: Synthesis Applications: ODCs
Node Merging
• Definition: merging signals A and B means replacing one by the other
• Simple yet powerful operation
• Basis for many successful synthesis algorithms
[Figure: merge(A,B) replaces B by A.]
Combinational Observability Visualization
[Figure: blocks of combinational logic driven by arbitrary inputs; correct values and incorrect values are traced to where they become observable.]
[Zhu et al., “SAT sweeping with local observability don’t cares,” DAC 2006]
Sequential Observability Visualization
[Figure: combinational logic between current state and next state; for an unreachable state it is OK to change the behavior.]
[Case et al., “Merging nodes under sequential observability,” DAC 2008]
Combinational Case
[Figure: merge check comparing the two candidate signals under combinational observability.]
Indirect Sequential Synthesis
[Figure: the same merge check with Invariants = 1 constraining both copies.]
[Case, previously unpublished work]
Direct Sequential Synthesis
[Figure: the merge check under sequential observability.]
[Case et al., “Merging nodes under sequential observability,” DAC 2008]
Summarized Experimental Results
• 6 synthesis benchmarks from IBM
  • Combinational reduced ANDs by 1%, registers by 2.1%
  • Indirect Sequential reduced ANDs by 1.2%, registers by 2.5%
  • Direct Sequential reduced ANDs by 4%, registers by 1%
• 83 property checking benchmarks from IBM
  • Combinational reduced ANDs by 5%, registers by 0.4%
  • Indirect Sequential reduced ANDs by 6.3%, registers by 1.1%
• 28 ISCAS89 (academic) benchmarks
  • Combinational techniques gave no reductions
  • Direct Sequential reduced ANDs by 10%, registers by 0%
Outline, current section: Verification Applications: Interpolation
Constrained Interpolation
• Interpolation explores an approximation to the reachable state space
• Invariants can bound this approximation and eliminate spurious counterexamples
[Figure: the interpolation over-approximation bounded by the invariants.]
[Case et al., “A hybrid model checker,” Tech. Rpt. 2006]
Summarized Experimental Results
• Experiments run inside IBM
• Started with 91 hard property checking benchmarks
• 1-hour BMC → 83 benchmarks
• 1-hour induction
• 1-hour interpolation → 78 benchmarks
• 10-minute invariant generation
• 1-hour interpolation → 74 benchmarks
Outline, current section: Verification Applications: Induction
Constrained Induction
• Some properties are not provable with induction: unreachable “induction leaks”
• Invariants can bound the explored states and help inductivity
[Figure: a state satisfying p reaches a ¬p state through an unreachable induction leak, which the invariants exclude.]
[Case, previously unpublished work]
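An added worked example covering both the Induction slide earlier in the deck and the constrained induction described here (constructed example code, not the thesis's tool, which does this with SAT over AIGs; the three-register design, the input sequence and the candidate shapes are all assumptions made for the illustration). It simulates a small machine from its initial state, mines candidate constants, equivalences and implications from the states seen, proves the candidate set by k=1 induction (dropping candidates that fail until the rest are inductive together), and then shows the induction leak: the property z = 0 is not inductive on its own because the unreachable state x = y = 1 satisfies it and leads to z = 1, but it is inductive once the proved invariants constrain the states induction explores.

```python
"""Invariant discovery, k=1 induction, and invariant-constrained induction on a
constructed 3-register machine whose state space is small enough to enumerate."""
from itertools import product

REGS = ("x", "y", "z")
INIT = {"x": 0, "y": 0, "z": 0}
EN_SEQUENCE = (1, 0, 1, 1, 0, 0, 1, 0)   # constructed input sequence for simulation


def next_state(s, en):
    """Constructed design: x toggles every cycle, y captures x when en=1,
    z captures x AND y. Reachable states never have x = y = 1, so z stays 0."""
    return {"x": 1 - s["x"], "y": s["x"] & en, "z": s["x"] & s["y"]}


def all_states():
    return [dict(zip(REGS, bits)) for bits in product((0, 1), repeat=len(REGS))]


def simulate(en_sequence):
    """States visited from INIT under the given inputs (the simulation step)."""
    seen, s = [], dict(INIT)
    for en in en_sequence:
        seen.append(s)
        s = next_state(s, en)
    seen.append(s)
    return seen


def holds(c, s):
    """Candidate shapes: ("const", r, v), ("equiv", a, b), ("impl", (a, va), (b, vb))."""
    if c[0] == "const":
        return s[c[1]] == c[2]
    if c[0] == "equiv":
        return s[c[1]] == s[c[2]]
    (a, va), (b, vb) = c[1], c[2]
    return s[a] != va or s[b] == vb          # a == va implies b == vb


def mine_candidates(seen):
    """Local properties that held on every simulated state."""
    const = {r: seen[0][r] for r in REGS if all(s[r] == seen[0][r] for s in seen)}
    cands = [("const", r, v) for r, v in const.items()]
    free = [r for r in REGS if r not in const]
    for i, a in enumerate(free):
        for b in free[i + 1:]:
            if all(s[a] == s[b] for s in seen):
                cands.append(("equiv", a, b))
    for a in free:
        for b in free:
            for va, vb in product((0, 1), repeat=2):
                c = ("impl", (a, va), (b, vb))
                if a != b and all(holds(c, s) for s in seen):
                    cands.append(c)
    return cands


def prove_by_induction(cands, assumptions=()):
    """k=1 induction of the whole set at once: base case on INIT, then keep
    dropping candidates that fail in a successor of some state satisfying every
    surviving candidate and every assumption, until none fail. Returns
    (proved, leaks); leaks maps each dropped candidate to its (state, input,
    next_state) counterexample, which is typically an unreachable state."""
    keep = [c for c in cands if holds(c, INIT)]
    leaks = {c: (dict(INIT), None, None) for c in cands if c not in keep}
    changed = True
    while changed:
        changed = False
        for s in all_states():
            if not all(holds(c, s) for c in list(keep) + list(assumptions)):
                continue
            for en in (0, 1):
                t = next_state(s, en)
                for c in list(keep):
                    if not holds(c, t):
                        keep.remove(c)
                        leaks[c] = (s, en, t)
                        changed = True
    return keep, leaks


if __name__ == "__main__":
    cands = mine_candidates(simulate(EN_SEQUENCE))
    proved, _ = prove_by_induction(cands)
    print("candidates:", cands)
    print("proved together:", proved)
    p = ("const", "z", 0)                       # the property: z is never set
    print("p alone:", prove_by_induction([p]))  # leak via the unreachable state x = y = 1
    print("p with invariants:", prove_by_induction([p], [c for c in proved if c != p])[0])
```

The two implications mined here, x = 1 → y = 0 and y = 1 → x = 0, are contrapositives of the same clause and would be one edge pair in an implication graph; together they are exactly the bound on explored states that makes the property inductive.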
Summarized Experimental Results
• Started with 91 hard property checking benchmarks
• 1-hour BMC → 83 benchmarks
• 1-hour induction
• 1-hour interpolation → 78 benchmarks
• 10-minute invariant generation
• 1-hour induction → 77 benchmarks
Outline, current section: Verification Applications: Targeted Invariants
Targeted Invariants
[Figure: states S0, S1, S2, S3 with candidate sets {C0}, {C1}, {C2}, {C3} along the path from p to ¬p; the invariants are targeted at the states on that path.]
[Case et al., “Automated extraction of inductive invariants to aid model checking,” FMCAD 2007]
Conclusion
• Invariants provide information about the state space
• Invariants are efficient to: 1) discover, 2) prove, and 3) use
• Beneficial in synthesis by enabling Indirect Sequential Synthesis
• Beneficial in verification by bounding the state space
Backup Material
Taxonomy of Merge-Based Transformations
[Figure: merge-based transformations arranged by computational complexity and by ability to modify the logic / FSM. Does not change NS logic (combinational): combinational equivalences, combinational redundancies, combinational observability merges. Preserves reachable NS logic (sequential): sequential equivalences, sequential redundancies, sequential observability merges (direct sequential synthesis).]
Bit Parallel Sim
[Figure: vectors to simulate for nodes A, B and out = A AND B. In the machine word view each node’s values across all vectors are packed into one word, e.g. A = 0111…, B = 0011…, out = 0011…, so all vectors are simulated in one machine instruction; other nodes are handled the same way.]
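The machine word view on this slide, as an added example (constructed; not code from the thesis, and the AIG, node names and input words are assumptions made for the illustration). Each node's values over W simulation vectors are packed into one W-bit integer, so an AND node is evaluated for all W vectors with a single '&' and an inverted fanin costs one XOR against the all-ones mask; comparing two packed words is then a whole-vector-set equivalence or implication candidate check.

```python
"""Bit-parallel simulation of a small AND-inverter graph. Added example;
the AIG and the vectors are constructed."""
import random

W = 64                      # simulation vectors per word (machine word width)
MASK = (1 << W) - 1

# Constructed AIG in topological order: ("input",) or ("and", (src, inv), (src, inv)).
AIG = {
    "a": ("input",),
    "b": ("input",),
    "n1": ("and", ("a", 0), ("b", 0)),      # a & b
    "n2": ("and", ("a", 1), ("b", 1)),      # !a & !b
    "out": ("and", ("n1", 1), ("n2", 1)),   # !(a&b) & !(!a&!b) == a xor b
    "dup": ("and", ("n2", 1), ("n1", 1)),   # same function, different structure
}


def simulate(aig, input_words):
    """Return {node: word}; bit i of a word is the node's value on vector i."""
    words = {}
    for name, node in aig.items():
        if node[0] == "input":
            words[name] = input_words[name] & MASK
            continue
        (s0, i0), (s1, i1) = node[1], node[2]
        v0 = words[s0] ^ MASK if i0 else words[s0]   # inverted edge: one XOR
        v1 = words[s1] ^ MASK if i1 else words[s1]
        words[name] = v0 & v1                         # all W vectors in one AND
    return words


def random_input_words(aig, seed=7):
    """One random W-bit word per primary input (W random vectors at once)."""
    rng = random.Random(seed)
    return {n: rng.getrandbits(W) for n, node in aig.items() if node[0] == "input"}


def agree(words, x, y):
    """Equivalence candidate: x and y agree on every simulated vector."""
    return words[x] == words[y]


def never_both(words, x, y):
    """Implication candidate x -> !y: no simulated vector sets both."""
    return words[x] & words[y] == 0


if __name__ == "__main__":
    w = simulate(AIG, random_input_words(AIG))
    print(agree(w, "out", "dup"), never_both(w, "n1", "n2"))   # True True
```

Simulation only produces candidates: out and dup agree here because they compute the same function, but in general a word comparison over W vectors is evidence, and the proof is the induction step of the flow.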
Effective At Aiding Unbounded Verification
• “Hybrid model checker” class project: strengthen interpolation with implications
• Comparison not 100% fair: time to derive invariants not counted
[Case et al., “A Hybrid Model Checker,” Berkeley Technical Report 2006]
Targeted Invariants (backup)
[Figure: states S0, S1, S2, S3 with candidate sets {C0}, {C1}, {C2}, {C3} along the path from p to ¬p, with the invariants targeted at those states.]
Targeted Invariant Generation
[Case et al., “Automated Extraction of Inductive Invariants to Aid Model Checking,” FMCAD 2007]