Modernized Computation
Engines for Tomorrow's
Formal Verification
Robert Brayton Niklas Een Alan Mishchenko
Berkeley Verification and Synthesis Research Center
Department of EECS
UC Berkeley
Task Overview




SRC task ID: 2265.001
Start date: April 1, 2012
Thrust area: Verification
Task leaders:


Industrial liaisons:


Robert Brayton, Nilkas Een, Alan Mishchenko
(Univ. of California/Berkeley)
See next slide
Students:

Jiang Long, Sayak Ray, Baruch Sterin
Industrial Liaisons




Freescale
 Himyanshu Anand
IBM
 Jason Baumgartner
Intel
 Timothy Kam, Ranan Fraer, Alexander Nadel,
Murali Talupur
Mentor Graphics
 Jeremy Levitt, Christian Stangier
(Source: http://www.src.org/library/research-catalog/2265.001/)
Anticipated Results

Methodology and algorithms for next-generation
improvements in formal verification, addressing






SAT solving
hybrid simulation
counter-example handling
invariant generation
Public software implementation of the above
methodology and algorithms.
Experimental evaluation on industrial
benchmarks.
Task Description

We propose to leverage the unique expertise of our group, Berkeley Verification
and Synthesis Research Center (BVSRC), and our previous SRC contracts for
solving hard industrial problems arising in formal verification. The goal would be a
new level in the state-of-the-art of logic formal verification engines, which adds
the following to the design flow:





Application-specific SAT solvers to improve performance of key verification engines.
Two new design decisions will be explored for developing SAT solvers, which are
specifically geared to solving numerous, related, and relatively easy problems, on the
one hand, and monolithic, large, and hard problems, on the other hand.
Hybrid simulation based on new heuristics to improve state space coverage. New
ideas will be explored for improving bit-level simulation and combining it with symbolic
simulation, handled by adding symbolic variables or exhaustively simulating selected
input subspaces.
Counter-example minimization to shorten the counter-examples produced by some
algorithms, such as random and hybrid simulation. A counter-example minimizer will be
developed based on hybrid simulation and bounded model checking. Another aspect to
be explored is the use of concurrency to speed up the minimization process.
Various methods for automated inductive invariant generation. Several ways of
generating inductive invariants will be explored. One of them is based on using highlevel information about the design; another is an extension of a previous method based
on the structural analysis of the AIG.
The new methods developed while working on this proposal will be tested on
industrial designs in our synthesis and verification tool, ABC, and made available
in source code, which can be customized to specific applications.
Task Deliverables
2013


Annual review presentation (27-Mar-2013)
Report on a software release of a circuit-based SAT solver.
Evaluation on industrial problems (30-Jun-2013)
2014


Annual review presentation (30-Apr-2014)
Report on a software release of a counter-example generator.
Evaluation on industrial problems (30-Jun-2014)
2015


Report on a software release of a hybrid simulator and invariant
generator. Evaluation on industrial problems (30-Apr-2015)
Final report summarizing research accomplishments and future
direction (30-Jun-2015)
Current State of the Project

Covered in this presentation





Advances in application-specific SAT solving (work in progress)
Advances in simulation (IWLS’12)
Counter-example analysis (submitted to IWLS’13)
Towards new invariant generation (work in progress)
Other developments



Semi-canonical form for sequential AIGs (DATE’13)
Automated gate-level abstraction (DATE’13)
Solving multiple-output properties (work in progress)
Advances in SAT Solving

PunySAT: An application-specific SAT solver





Geared to small, hard SAT instances
Similar to MiniSAT in everything, except
Clauses are bit-strings, not integer arrays
BCP can be more efficient (see next slide)
Experimental results inconclusive

Tied with MiniSAT on 50 problems from SAT competition
PunySAT: BCP Using Bit-Strings
bool confl( BitVec iclause, BitVec assign ) {
return (iclause & ~assign) == 0;
}
bool bcp (BitVec iclause, BitVec assign, lit_t& prop_lit) {
BitVec mask = (iclause & ~assign);
if ((mask & (mask-1)) == 0) {
prop_lit = neg(__builtin_ctz(mask)); return true;
} else
return false;
}
cla_id propagate() {
while (qhead < trail_sz) {
lit_t q, p = trail[qhead++];
for (uint i = 0; i < occurs[p].size(); i++){
cla_id from = occurs[p][i];
BitVec cl = clauses[from];
if (cl.confl(assign))
return from; // returns conflicting clause
if (cl.bcp(assign, q) && !assign.has(q))
enqueueQ(q, from);
}
}
return 0; // returns ”no conflict”
}
BitVec is a bit-vector of the
appropriate size for the
problem (say, 256 bits).
iclause is a clause with all
literals inverted.
lit_t is a typedef for an
unsigned int
(mask & (mask-1)) == 0
checks if the mask has at most
one bit set
__builtin_ctz(mask) returns the
index of the lowermost "1" in
mask (supported natively by
most processors)
PunySAT: Experiment


Considered 50+ problems from SAT competitions with less than 256
variables, solved by either MiniSAT or PunySAT in less than 5 min
MiniSAT solved 48 problems; PunySAT solved 50 problems
Green: ZZMiniSAT
Red: PunySAT-2013-03-27
Advances in Simulation: Key Idea

Rarity simulation is random simulation with
prioritizing reachable states
Gracefully handles resets by skipping
frequently visited states
 Visits rare reachable states where hard-todetect failures may be found


More efficient than naïve random
simulation at detecting property failures
Rarity Simulation: Implementation

Divide flops into fixed-size groups in the order of
their appearance in the design


Maintain a record of observed flop values


Groups of 8 flops are used by default
For each group, 256 (=2^8) counters are used
After simulating a fixed number (by default, 20)
frames, recompute the frequency of having a
given value in each flop group, and choose next
states for simulation based on the rarity of values

By default, 1 out of 64 states is chosen
R. Brayton, N. Een, and A. Mishchenko, "Using speculation for
sequential equivalence checking", Proc. IWLS'12, pp. 139-145.
Rarity Simulation: Illustration
Random
PI values
Initial state
Start with initial state
Accumulate info about reached states
Decide what next states to simulate from
Accumulate info about reached states
Decide what next states to simulate from
etc
Counter-Example (CE) Analysis


CE is a set of PI values in each time frame, which, starting
from the initial state, leads to the property failure
Given a CE, PIs can be divided into three categories




We introduce the notion of CE-induced network


Essential PIs whose values are needed for the property failure
Don’t-care PIs whose values are not important
Optional PIs (all the remaining ones)
This network, composed of two-input AND-/OR-gates, has unate
Boolean function in terms of PI variables, which represents all
subsets of the PIs implying the property failure according to the CE
Applications

Design debugging, CE minimization, abstraction refinement
A. Mishchenko, N. Een, and R. Brayton, "A toolbox for counterexample analysis and optimization", Submitted to IWLS'13.
Construction of CE-Induced Network
CE-induced
network
Unfolding





Unfold the original network for the
depth indicated by the CE
Assign values of primary inputs and
internal nodes according to the CE
Replace all primary inputs of the
unfolding by free variables
Replace each AND of the unfolding
by AND, OR or BUF using the rules
Rehash and sweep dangling nodes
1

1 1
0

0 0
0

0 1
Experiment: CE Bit Profiling
Example
Engine
PIs
FFs
Frames
Total bits
DC, %
Opt, %
Essen, %
Min, %
Time, s
6s1
6s5
6s14
SIM
SIM
SIM
45
141
439
291
2519
811
1247
63
869
56115
8883
381491
53.95
60.32
83.16
27.50
37.95
15.25
18.55
1.73
1.59
29.72
25.69
4.38
173.33
11.48
141.72
6s17
6s18
SIM
SIM
450
450
819
819
1084
496
487800
223200
83.50
83.14
15.23
15.41
1.27
1.44
4.43
4.56
213.70
83.53
6s133
6s134
SIM
SIM
450
36
819
571
1084
610
487800
21960
83.50
90.83
15.23
7.02
1.27
2.15
4.44
7.19
209.30
3.83
Bob12s05
bobtuttt
SIM
SIM
437
2807
3956
111
43
1582
18791
4440674
65.60
98.74
31.48
1.24
2.92
0.02
30.09
0.09
28.44
57.50
6s41
6s134
BMC
BMC
19
36
959
571
74
169
1406
6084
58.46
92.11
33.57
5.34
7.97
2.55
23.26
5.85
0.61
0.59
6s162
6s172
BMC
BMC
73
403
156
422
74
46
5402
18538
79.67
66.71
13.16
29.48
7.16
3.81
13.92
10.42
0.42
1.48
6s172
PDR
403
422
111
44733
47.06
49.10
3.83
17.34
7.70
1.000
0.731
0.157
0.021
0.076
Geo
Engine: Formal verification engine that produced counter-example
Total bits: The total number of primary inputs in the unrolled testcase
DC/Opt/Essen: Percentage of don’t-care, optional, and essential bits
Min: Percentage of bits in the minimized counter-example
Time: Runtime of bit profiling in seconds
Experiment: Bounded Unfolding vs.
CE-Induced Network
Example
6s1
6s5
6s14
6s17
6s18
6s133
6s134
bob12s05
bobtuttt
6s41
6s134
6s162
6s172
6s172
Geo
CE Depth
1247
63
869
1084
496
1084
610
43
1582
74
169
74
46
111
PI
AND
Level
Time, s
PI
AND
Level
Time, s
56115
8883
381491
487800
223200
487800
21960
18791
4440674
1406
6084
5402
18538
44733
3514473
1571421
12102021
12906342
5572818
12906261
103586
607028
14682128
103884
21844
67990
120433
389403
43546
2595
318775
330886
151699
330885
6430
743
64774
549
1495
1666
822
2382
1.91
0.55
6.66
7.31
3.17
7.16
0.09
0.38
6.30
0.05
0.02
0.02
0.03
0.11
56115
8883
381491
487800
223200
487800
21960
18791
4440674
1406
6084
5402
18538
44733
575536
548554
2666982
2925648
1292920
2926433
18033
196375
369044
27600
3925
16427
45363
153616
9243
1596
112934
114392
53502
114394
2492
548
13142
259
639
477
484
1472
0.63
0.38
5.78
6.05
2.33
6.14
0.06
0.30
3.34
0.02
0.02
0.06
0.01
0.08
1.000
1.000
1.000
1.000
1.000
0.212
0.397
0.711
CE Depth: The timeframe where the property fails according to the CE
PI/AND/Level: The number of PIs, AIG nodes, and AIG node levels
Time: Runtime of unfolding vs. constructing CE-induced network, in seconds
Rediscovery of High-Level Structure
in a Bit-Level AIG via Support Hashing

Algorithm



Computation






Input: Sequential AIG
Output: Sequential AIG annotated with high-level information
Select a subset of inputs (or internal nodes) with high fanout
Iterate combinational support computation to derive sequential
support of every node in the AIG in terms of the selected nodes
Hash nodes by their support to find their equivalence classes
Group equivalence classes of small cardinality and/or with similar
support to create well-balanced partitions
(optional) Iterate support hashing to break large partitions into
smaller ones
Applications


Circuits partitioning
Invariant computation
Support Hashing: Illustration
Block A
Support = X-
Block B
Support = XY
Node X

Block C
Support = -Y
Node Y
Blocks A, B, and C are structurally different because



Nodes in A depend on X
Nodes in B depend on X and Y
Nodes in C depend on Y
Related Publications

Hybrid simulation
- R. Brayton, N. Een, and A. Mishchenko, "Using speculation for sequential
equivalence checking", Proc. IWLS'12, pp. 139-145.

Toolbox for counter-example manipulation
- A. Mishchenko, N. Een, and R. Brayton, "A toolbox for counter-example
analysis and optimization", Submitted to IWLS'13.

Gate-level abstraction
- A. Mishchenko, N. Een, R. Brayton, J. Baumgartner, H. Mony, and P. Nalla,
"GLA: Gate-level abstraction revisited", Proc. DATE'13.

Computing canonical form for sequential AIGs
- A. Mishchenko, N. Een, R. Brayton, M. Case, P. Chauhan, and N. Sharma,
"A semi-canonical form for sequential AIGs", Proc. DATE'13.

Novel logic representation for fast synthesis and mapping
- A. Mishchenko and R. Brayton, "Faster logic manipulation for large designs",
To be submitted to IWLS'13.
Ongoing and Future Work

Application-specific SAT solving


Hybrid simulation


Combine rarity simulation with BMC
Counter-example analysis


Run additional experiments with PunySAT
Develop a CE minimization procedure
Invariant detection

Develop invariant mining based on the proposed
annotation of the AIG with high-level information
Other Work Directions


Improving multi-output property solver
Exploring new algorithms for abstraction refinement




Speeding up isomorphism detection



Add incremental signature propagation
Avoid separate handling of each PO sequential logic cone
New memory-efficient BMC engine based on




Refine multiple counter-examples
Use UNSAT core computationin a seprate SAT solver
Handle segments of counter
Constant-memory unfolding engine
Low-memory AIG package
Fast logic synthesis to reduce logic cloud given to the SAT solver
Continuing to release ABC with new features
Conclusions



Reviewed the SRC Task 2265.001 (first year)
“Modernized Computation Engines for Tomorrow's
Formal Verification”
Discussed new findings
Reviewed recent publications