
Synthesis for Verification

This article provides an overview of synthesis-verification duality, exploring the concepts of synthesis-oriented verification and verification-oriented synthesis. It also covers topics such as combinational synthesis, signal correspondence, min-area retiming, and speculation. The article concludes with a discussion on future research in the field.


Presentation Transcript


  1. Synthesis for Verification
  Alan Mishchenko, UC Berkeley

  2. Overview
  • Synthesis-verification duality
  • Synthesis-oriented verification
  • Verification-oriented synthesis
  • Combinational synthesis
  • Signal correspondence
  • Min-area retiming
  • Speculation
  • Future work

  3. Synthesis-Verification Duality
  • Enabling each other
  • Migrating algorithms
  • Co-evolving efficient solutions

  4. Sequential Verification
  [Figure: property-checking miter (design D1 with property p) and equivalence-checking miter (designs D1 and D2); in both, the miter output must be 0]
  • Property checking
    • Create miter from the design and the property
  • Equivalence checking
    • Create miter from two versions of the same design
  • Assuming the initial state is given
  • The goal is to prove that the output of the miter is 0 for all states reachable from the initial state
  • Two ways of doing the same
    • Proving the miter to be constant 0
    • Synthesizing the miter to constant 0

  5. Synthesis-Oriented Verification
  • Verification at the service of synthesis
  • Combinational equivalence checking enabled technology mapping using structural choices
    • Led to improvement in quality
  • Interpolation allows resynthesis to be performed without explicitly computing don’t-cares
    • Led to savings in runtimes
  • Balanced combination of simulation and SAT replaced BDDs in all known synthesis applications
    • Led to better scalability

  6. Verification-Oriented Synthesis
  • Synthesis at the service of verification
    • Combinational synthesis
    • Signal correspondence
    • Min-area retiming
    • Speculation

  7. Combinational Synthesis
  [Figure: pre-computed AIG subgraphs 1, 2 and 3 for f = abc over inputs a, b, c; rewriting node A and node B by replacing their subgraph with an alternative]
  • AIG rewriting minimizes the number of AIG nodes without increasing the number of AIG levels
  • Pre-computing AIG subgraphs
    • Consider function f = abc
  • Rewriting AIG subgraphs
    • Rewriting node A
    • Rewriting node B
    • In both cases 1 node is saved

  8. Signal Correspondence
  • Consider registers and nodes of a design
  • Detect candidate equivalences in this set using random/guided simulation
  • Prove candidates by K-step induction
  • Merge the resulting equivalences
  • This is a subset of sequential synthesis with
    • Practical advantages (does not move registers, etc.)
    • Scales to large circuits
    • Offers substantial improvements
    • Comes with a verification guarantee
    • Can benefit from sequential constraints

  9. The Use of Constraints
  • Two types of constraints
    • Inductive invariants (properties of the circuit)
    • User-specified restrictions on reachable states
  • Constraints can be automatically detected
  • Leads to ‘unfolded’ and ‘folded’ representation of constraints
  • Folded representation works in most cases
    • BMC
    • Interpolation
  • Unfolded constraints are also very useful
    • Signal correspondence

  10. Unfolded and Folded Constraints
  [Figure: property P (0 = holds) and constraint C (0 = holds) kept separate (unfolded), next to the property with the constraint folded into it]

  11. Combinational SAT Sweeping
  [Figure: left, applying SAT to the output miter; right, proving internal equivalences A, B, C, D in a topological order with incremental SAT calls SAT-1, SAT-2, SAT-3]
  • Naïve CEC approach – SAT solving
    • Build output miter and call SAT
    • Works well for many easy problems
  • Better CEC approach – SAT sweeping
    • Based on incremental SAT solving
    • Detects possibly equivalent nodes using simulation
      • Candidate constant nodes
      • Candidate equivalent nodes
    • Runs SAT on the intermediate miters in a topological order
    • Refines the candidates using counterexamples
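The SAT-sweeping loop of this slide (simulate, pick candidate constants and equivalences, prove the intermediate miters in topological order, refine on counterexamples) as an added example; this is not code from the slides or from ABC. The AIG, the input names and the node names are constructed, and an exhaustive evaluation over all input patterns stands in for the incremental SAT call on each miter.

```python
import itertools
import random

# Constructed AIG (not from the slides): each AND node maps to its two fanins,
# each fanin given as (name, complemented). Dict order is a topological order.
INPUTS = ["a", "b", "c"]
AIG = {
    "n1": (("n1" and "a", False), ("b", False)),   # a & b
    "n2": (("n1", False), ("c", False)),           # (a & b) & c
    "n3": (("b", False), ("c", False)),            # b & c
    "n4": (("a", False), ("n3", False)),           # a & (b & c)  -- functionally equal to n2
    "n5": (("a", False), ("a", True)),             # a & !a      -- constant 0
    "n6": (("n2", True), ("n4", False)),           # !n2 & n4    -- constant 0 once n2 == n4
}

def evaluate(aig, pattern):
    """Simulate one input pattern through the AIG; returns every node's value."""
    v = dict(pattern)
    for node, ((f0, c0), (f1, c1)) in aig.items():
        v[node] = (v[f0] ^ c0) & (v[f1] ^ c1)
    return v

def counterexample(aig, inputs, node, rep):
    """Exhaustive stand-in for the SAT call on the intermediate miter (node XOR rep);
    rep == "const0" checks the node against constant 0. Returns a distinguishing
    pattern, or None when the miter is unsatisfiable, i.e. the equivalence is proved."""
    for bits in itertools.product([0, 1], repeat=len(inputs)):
        pattern = dict(zip(inputs, bits))
        v = evaluate(aig, pattern)
        if v[node] != (0 if rep == "const0" else v[rep]):
            return pattern
    return None

def sat_sweep(aig, inputs, n_patterns=16, seed=1):
    """Returns {node: representative} for every node proved equivalent to an earlier
    node or to constant 0, processing nodes in topological order."""
    rng = random.Random(seed)
    sims = [evaluate(aig, {i: rng.randint(0, 1) for i in inputs}) for _ in range(n_patterns)]
    sig = lambda n: tuple(s[n] for s in sims)        # simulation signature of a node
    reps, merged = [], {}
    for node in aig:
        while True:
            # candidate: constant 0 if the signature is all zeros, otherwise the first
            # earlier representative with an identical signature
            rep = "const0" if not any(sig(node)) else next((r for r in reps if sig(r) == sig(node)), None)
            if rep is None:
                reps.append(node)                # new class: the node stays
                break
            cex = counterexample(aig, inputs, node, rep)
            if cex is None:
                merged[node] = rep               # proved: merge node into its representative
                break
            sims.append(evaluate(aig, cex))      # refine the candidates with the counterexample
    return merged
```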

  12. Sequential SAT Sweeping
  • Sequential SAT sweeping is similar to the combinational one in that it detects node equivalences
  • The difference is that the equivalences are sequential
    • They hold only in the reachable state space
  • Sequential equivalence is proved by K-step induction
  • Efficient implementation of induction is key!

  13. Sequential SAT Sweeping
  [Figure: candidate equivalences {A,B}, {C,D}. Base case: starting from the initial state, prove the internal equivalences in initialized frames 0 through K-1 (inputs PI0, PI1, ...) with SAT calls SAT-1, SAT-2. Inductive case: starting from a symbolic state, assume the internal equivalences in uninitialized frames 0 through K-1 and prove them in frame K in a topological order with SAT-1 through SAT-4]
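Slides 8, 12 and 13 together describe signal correspondence: candidates from random simulation, then K-step induction with a base case from the initial state and an inductive case from a symbolic state. The following added example (not code from the slides or from ABC) runs that procedure on a constructed four-register circuit; exhaustive enumeration of states and input sequences stands in for the SAT calls. The circuit, register names and input name are assumptions.

```python
import itertools
import random

# Constructed sequential circuit (not from the slides): one primary input x and
# four registers; each next-state function reads the current state and x.
REGS = ["a", "b", "c", "d"]
NEXT = {
    "a": lambda s, x: x,        # a and b both sample x
    "b": lambda s, x: x,
    "c": lambda s, x: s["a"],   # c and d delay a and b by one cycle
    "d": lambda s, x: s["b"],
}
INIT = {"a": 0, "b": 0, "c": 0, "d": 0}

def step(state, x):
    return {r: NEXT[r](state, x) for r in REGS}

def candidates_by_simulation(n_steps=32, seed=1):
    """Random simulation from the initial state; registers with identical value
    traces form the candidate equivalence classes."""
    rng = random.Random(seed)
    traces, state = {r: [] for r in REGS}, dict(INIT)
    for _ in range(n_steps):
        for r in REGS: traces[r].append(state[r])
        state = step(state, rng.randint(0, 1))
    classes = {}
    for r in REGS: classes.setdefault(tuple(traces[r]), []).append(r)
    return [frozenset(c) for c in classes.values() if len(c) > 1]

def holds(state, classes):
    return all(len({state[r] for r in cls}) == 1 for cls in classes)

def k_induction(classes, k):
    """Exhaustive stand-in for the SAT calls of K-step induction. Base case: the
    candidates hold in frames 0..k-1 from the initial state. Inductive case: from any
    state in which they hold in frames 0..k-1, they hold in frame k.
    Returns (proved, failing_case)."""
    for xs in itertools.product([0, 1], repeat=k - 1):          # base: all input sequences
        frames = [dict(INIT)]
        for x in xs: frames.append(step(frames[-1], x))
        if not all(holds(f, classes) for f in frames): return False, "base"
    for bits in itertools.product([0, 1], repeat=len(REGS)):   # inductive: symbolic state
        for xs in itertools.product([0, 1], repeat=k):
            frames = [dict(zip(REGS, bits))]
            for x in xs: frames.append(step(frames[-1], x))
            if all(holds(f, classes) for f in frames[:-1]) and not holds(frames[-1], classes):
                return False, "inductive"
    return True, None
```

Proving {c,d} on its own fails 1-step induction (the symbolic state may have a != b) but passes with K=2, while proving {a,b} and {c,d} jointly succeeds already at K=1; a base-case failure, as for the bogus candidate {a,c}, is a real counterexample rather than an induction weakness.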

  14. Min-Area Retiming
  [Figure: combinational DAG between a source and a sink; the original register cut and a new min-cut]
  • Temporarily ignore PIs/POs and their transitive fan-in/out
  • Retiming registers to another location corresponds to finding a new cut of the combinational DAG
    • # registers = # nodes in the cut
  • Min-cut/Max-flow duality
    • Can use max-flow to find min-cut
  • Min-cut is not unique
    • However, this leads to minimum movement of registers from the original cut

  15. Primary Inputs/Outputs
  [Figure: logic between source and sink with PIs and a PO; registers cannot be forward retimed across a PI]
  • Treatment depends on application
    • Synthesis: primary I/Os must be identically synchronized
    • Verification: synchronization is not necessary

  16. Retiming Over Multiple Frames
  [Figure: several logic blocks separated by register stages]
  • Solution: repeat over a single frame
    • Terminate when no further change
  • Forward and backward retiming are similar, with the roles of PIs / POs and sources / sinks reversed

  17. Overall Algorithm
  [Flowchart: Start → Forward retiming: block fan-out cone of PIs, compute max-flow, if improvement then implement min-cut and repeat → Backward retiming: block fan-in cone of POs, compute max-flow, if improvement then implement min-cut and repeat → Done]
  • Forward retiming is preferred due to the ease of initial state computation

  18. Speculative Reduction
  [Figure: miter with candidate equivalences A and B; adding the assumptions without speculative reduction versus with speculative reduction, where the merged nodes feed XOR outputs that must be 0]
  • Detect candidate sequential equivalences in the miter
    • Done first by simulation
    • Refined by BMC
  • Assume these equivalences are true
    • Merge fanouts, rehash logic, add XORs to create new POs
  • The result is a Speculatively Reduced Model (SRM)
    • SRM is UNSAT iff all candidate equivalences hold!
    • SRM has a different circuit structure
    • SRM is often easier to prove

  19. Future Work
  • Improving old engines
  • Developing new engines
  • Tighter integration
