PDR Property Directed Reachability AKA ic 3 SATBased
PDR: Property Directed Reachability AKA ic 3: SAT-Based Model Checking Without Unrolling Aaron Bradley University of Colorado, Boulder Robert Brayton Niklas Een Alan Mishchenko University of California, Berkeley
Outline l Motivation l l Pioneering work of Aaron Bradley l l Efficiently tackles both SAT and UNSAT instances Lends itself to localization abstraction and parallelism Conceptually simple, relatively tuning-free Understanding the algorithm l l A surprise (3 d place) winner at HWMCC’ 10! Remarkable features l l Sequential verification is hard (needs new engines!) Pseudo-code… Experimental results and conclusions 2
Pioneering Work l Aaron Bradley developed this algorithm after several years of work on “inductive generalization” l l Preliminary work (A. R. Bradley and Z. Manna, “Checking safety by inductive generalization of counterexamples to induction”, FMCAD’ 07) This work (A. R. Bradley, “k-step relative inductive generalization”, http: //arxiv. org/abs/1003. 3649) The original version of the tool to enter HWMCC’ 10 (ic 3, http: //ecee. colorado. edu/~bradleya/ic 3/) ic 3 won the third place and only lost, by a small margin, to two mature, integrated engines (ABC and Pd. TRAV) 3
Efficient Implementation l Niklas Een implemented Aaron Bradley’s algorithm while taking advantage of the strengths of Mini. SAT: l l l Additionally, Niklas proposed l l Incremental interface Activation literals to enable/disable clauses Procedure Analyze. Final to compute an UNSAT core in terms of the original assumptions Resource-driven recycling of the SAT solver Ternary simulation for quick cube expansion New heuristics for inductive generalization Smart data-structures for clauses and proof obligations Niklas’ implementation runs faster and proves more properties than the original implementation 4
PDR: The Main Idea l PDR is a way of computing an inductive invariant that does not overlap with bad states l l It is similar to interpolation, but the way of deriving the invariant is different PDR has better control of the invariant, and this may explain its good performance State space l Inductive invariant is a Boolean function in terms of register variables, such that l l It is true for the initial states It is inductive (assuming it in one time frame leads to making it true in the next timeframe) Bad Invariant Init Reached 5
PDR: The Main Idea l l l Construct over-approximations (F 0, F 1, …, Fk) of states reachable after each time step Start with F 0 = Init, and compute other over -approximations as sets of CNF clauses Additionally, require that l l Semantically (as functions): F 0→F 1→F 2→. . . →Fk Syntactically (as clause sets): F 1⊇ F 2⊇. . . ⊇ Fk 6
PDR: The Main Idea l Termination criteria l l l If an over-approximation is inductive, return UNSAT If a counter-example is found, return SAT The algorithm constructs over-approximations l in a property directed way l l the property is used to decide what clauses to include with an inductive flavor l induction is used to prove that a clause holds in a frame 7
PDR: Illustration Register outputs Time frame 1 Time frame 0 Property output Register inputs Initial State Primary inputs Comb Logic Time frame States where property fails Initial states Cubes (a 1, a 2, a 3) are covering bad states and not including reached states. The product of their complements is a property-directed over-approximation F 1 of reachable states at frame 1. … State space of time frame 0 State space of time frame 1 a 1 Bad Init T Bad a 3 a 2 Init Reached 8
Inductive Generalization l l l Assume that, at some point, we have the following overapproximations of reached states: (F 0, F 1, …, Fk) Suppose we wish to block state s in frame i We can try to find a clause c, such that c s and add it to the set of clauses for frame i. Clause c can be added if it satisfies condition Fi-1∧T→ c Another possibility is to run a stronger inductive check Fi -1 ∧ c’ ∧ T→ c where c’ is clause c expressed in terms of the current state variables We can also try to generalize (or strengthen) clause c, by removing literals, as long as the inductive check passes 9
State space of time frame k-1 (all bad states are blocked by clauses) a 1 Bad State space of time frame k (there is a bad state s that needs blocking) a 4 a 2 s’ a 3 Pre-image s’ of s Init Reached(k-1) T a 5 Bad S Init Reached(k-1) Reached(k) Consider the case when s’ is blocked by clauses in frame k-1. We can use inductive generalization to derive a new clause c blocking s in frame k, such that Fk-1∧c’∧T→ c, where Fk-1 is the product of clauses in frame k-1 and T is the transition relation. 10
State space of time frame k-1 (all bad states are blocked by clauses) a 1 Bad a 3 State space of time frame k (there is a bad state s that needs blocking) a 4 a 2 s’ Pre-image s’ of s Init Reach(k-1) T a 5 Bad S Init Reach(k-1) Reach(k) Consider the case when s’ is NOT blocked by clauses in frame k-1. In this case, we schedule a proof obligation to block s’ in frame k-1. We treat s’ as a bad state in frame k-1 and try to block it recursively. 11
![Pseudo-code PDR( AIG ) { k = 0; solver[0] = Create. Sat. Solver( AIG,](http://slidetodoc.com/presentation_image/7da9171c0b455d51fca647842dd68fe7/image-12.jpg "Pseudo-code PDR( AIG ) { k = 0; solver[0] = Create. Sat. Solver( AIG,")
Pseudo-code PDR( AIG ) { k = 0; solver[0] = Create. Sat. Solver( AIG, init_state ); forever { cube = Get. Bad. State( solver[k] ); if ( cube != NULL ) { if ( !Block. State( cube, solver[0], …, solver[k] ) ) return SAT; // found counter-example } else { k = k+1; solver[k] = Create. Sat. Solver( AIG, not_init ); if ( Push. Clauses( solver[1], …, solver[k] ) ) return UNSAT; // found inductive invariant } } } 12
Procedures solver Create. Sat. Solver( AIG, initialize ) returns a SAT solver with the AIG; optionally initializes it cube Get. Bad. State( solver[k] ) returns a state cube failing property in the k-th frame bool Block. State( cube, solver[0], …, solver[k] ) recursively tries to block cube by adding clauses to solvers returns 1, if the cube could be blocked; 0, otherwise bool Push. Clauses( solver[0], …, solver[k] ) moves clauses in i-th frame to i+1 -th frame, if they hold 13 returns 1, if an inductive invariant is found; 0, otherwise
Remarkable Features l Efficiently tackles both SAT and UNSAT instances l l l Amenable to localization abstraction l l PDR solver can work in-place and increase its scope on-demand, without traversing all registers and logic gates of the design Lends itself to parallelism l l Often finds counter-examples that cannot be found by bounded model checking Often proves problems that are not proved by interpolation Each process working on some proof obligations and exchange clauses Conceptually simple, relatively tuning-free l Unlike, for example, BDD-based reachability that takes lots of time to develop and leaves lots of parameters to tune 14
Experiments on Hard Examples Previously Unsolved by ABC Statistics PI: number of primary inputs FF: number of flip-flops AND: number of AIG nodes 16
Experiments on Hard Examples (without simplification) Frame: timeframes covered by PDR (timeframe where inductive invariant or counter-example was found) Clauses: the number of clauses in the inductive invariant Time: runtime of PDR 17
Experiments on Hard Examples (after simplification with ‘dprove’) Frame: timeframes covered by PDR (timeframe where inductive invariant or counter-example was found) Clauses: the number of clauses in the inductive invariant Time: runtime of PDR, without simplification 18
Conclusion l Presented PDR l pioneering work of Aaron Bradley l efficient implementation by Niklas Een Explained how it works l Discussed its remarkable features l Future improvements l l localization abstraction l temporal decomposition l signal-clauses instead of register-clauses l applications in logic synthesis 19
20
Abstract l This talk presents a new sequential verification algorithm pioneered by Aaron Bradley from University of Colorado, Boulder, and efficiently implemented by Niklas Een from University of California, Berkeley. The tool "ic 3" based on this algorithm won the third place in Hardware Model Checking Competition at CAV 2010, only losing by a small margin to mature multi-engine systems such as Pd. Trav (University of Torino, Italy) and ABC (UC Berkeley). The new algorithm is elegant and straight-forward to implement. Its memory requirements are modest. There are few parameters to tune, and yet it can detect deep counter-examples beyond the scope of bounded model checking, and prove hard properties that cannot be solved by interpolation and induction. The algorithm lends itself naturally to parallelization and localization abstraction. 21
Speaker’s Bio l Alan Mishchenko graduated from Moscow Institute of Physics and Technology (Moscow, Russia) in 1993 and Glushkov Institute of Cybernetics (Kiev, Ukraine) in 1997. From 1998 to 2002 he was an Intel-sponsored researcher at Portland State University. In 2002, he joined the EECS Department at UC Berkeley, where he is currently an associate researcher. Alan is interested in developing efficient methods for synthesis and verification. 22
- Slides: 22
