# Efficient Implementation of Property Directed Reachability

##### Presentation Transcript

1. 20th International Workshop on Logic & Synthesis, June 3-5, 2011
   Efficient Implementation of Property Directed Reachability
   Niklas Een, Alan Mishchenko, Robert Brayton

2. What is PDR?
   • PDR (aka IC3) is a new model checking algorithm.
   • Published by Aaron Bradley on arXiv after being rejected at CAV 2010.
   • Won third place in HWMCC'10.
   • Can be viewed as approximate reachability.
   • Relations to interpolation-based model checking:
     • No proof-logging needed
     • Never have to start over
     • Simpler implementation (my opinion)
     • Faster, stronger, better?

3. What is our contribution?
   • Confirm Aaron's results
   • Simplify the procedure
     • No special base case
     • Simpler cube generalization
   • Achieve a substantial speedup
     • Ternary simulation
   • Detailed pseudo-code

4. Verification Model
   The design/FSM is given as a netlist containing:
   • AND gates
   • PIs (primary inputs)
   • Flip-flops
   with complemented edges, a single output for the (safety) property, and some definition of the initial states.
   [Figure: the primary inputs and the flip-flop outputs feed the combinational logic, whose outputs are the property output and the flip-flop inputs.]

5. How it works
   • Reasons on conjunctions of state variables (cubes)
   • Proves cubes to be unreachable within k steps
   • Maintains a trace of all such facts
   • Properties of the trace (each F_i is a set of blocked cubes, so ¬F_i, the states no cube of F_i blocks, over-approximates the states reachable in at most i steps):
     1. F_0 = ¬Init
     2. F_1 ⊇ F_2 ⊇ ... ⊇ F_N (as sets of cubes)
     3. img(¬F_i) ⊆ ¬F_{i+1} (¬F_i = potentially reachable states)
     4. F_i ⊇ Bad (except for the last frame)
   [Figure: frames F_0 ... F_5, each drawn with Init and Bad.]

6. How it works (cont.)
   • Two phases:
     • Recursively block a point in Bad in the last frame
     • Propagate cubes learned during this process forward
   • Terminates when F_i = F_{i+1}
   [Figure: frames F_0 ... F_3 with Init and Bad; Bad is recursively blocked in the last frame and the learned cubes are propagated forward.]

7. Stepping through PDR
   • Find a bad state (SAT)
   • Enlarge it (ternary sim.)
   • Pre-image blocked? (SAT)
   • Yes! Generalize cube (many SAT)
   • No more bad states → add frame
   [Figure: two frames with Init and Bad, annotated with the steps above.]

8. Stepping through PDR (cont.)
   1. Find a bad state (SAT)
   2. Enlarge it (ternary sim.)
   3. Pre-image blocked? (SAT)
   4a. Yes! Generalize cube (many SAT)
   4b. No? Get point from SAT model; once that point is blocked, resume work on this cube
   • Is the cube blocked in the new frame? (propagation)
   • No more bad states → add frame (and propagate)
   [Figure: three frames with Init and Bad, annotated with the steps above.]

9. The Basic SAT query of PDR
   • Query: Is the pre-image of a cube s' blocked by F_k?
   • SAT?[¬F_k ∧ T ∧ s']
   • Blocked cubes F_k are added to the SAT solver in terms of the current-state variables s_0 ... s_n; the cube s' is asserted on the next-state variables s'_0 ... s'_n.
   • Example: s' = (s'_1 ∧ ¬s'_3 ∧ s'_n), i.e. s'_1 = 1, s'_3 = 0, s'_n = 1.
   [Figure: combinational logic with current-state inputs s_0 ... s_n and primary inputs x_0 ... x_m, producing the property output Bad and the next-state outputs s'_0 ... s'_n.]

10. Ternary Simulation
   • Query: Is the pre-image of a cube s' blocked?
   • If no, the SAT solver returns a model (a full assignment to the current-state variables s_0 ... s_n and the primary inputs x_0 ... x_m).
   • Ternary simulation then replaces state variables by X one at a time and keeps the X wherever the literals of s' remain determined.
   • Example: s' = (s'_1 ∧ ¬s'_3 ∧ s'_n)
   • New proof obligation: s = (s_2 ∧ ¬s_3 ∧ ¬s_n)
   [Figure: the model assigns s_0 = 0, s_1 = 1, s_2 = 1, s_3 = 0, s_{n-1} = 1, s_n = 0 and x_0 = 1, x_1 = 0, x_m = 1; the state variables outside the new cube s become X while s'_1 = 1, s'_3 = 0, s'_n = 1 stay determined.]
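The enlargement step of slides 7, 8 and 10, as an added example that is not part of the original slides or the authors' implementation. It builds a small constructed AIG (four flip-flops, one primary input, AND gates with complemented edges as on slide 4) and a three-valued simulator that replaces state variables from the SAT model by X as long as every literal of the target cube s' stays determined. The netlist, the model assignment and the cube are constructed for illustration, and the names `Aig`, `build_toy`, `next_values` and `enlarge` are this example's own; the paper's variable-ordering heuristics and its treatment of the property output are not reproduced.

```python
X = 'X'                         # the unknown value of three-valued simulation

def t_not(v):
    return v if v == X else 1 - v

def t_and(a, b):
    """Ternary AND: a 0 on either input dominates, X propagates otherwise."""
    if a == 0 or b == 0:
        return 0
    if a == 1 and b == 1:
        return 1
    return X

class Aig:
    """Minimal AND-inverter graph: nodes are ('in', name) or ('and', f0, f1),
    where a fanin f is (node index, complemented) as on slide 4."""
    def __init__(self):
        self.nodes = []

    def input(self, name):
        self.nodes.append(('in', name))
        return len(self.nodes) - 1

    def and2(self, f0, f1):
        self.nodes.append(('and', f0, f1))
        return len(self.nodes) - 1

    def simulate(self, assignment):
        """Ternary simulation in creation order (fanins precede their gates)."""
        vals = []
        for node in self.nodes:
            if node[0] == 'in':
                vals.append(assignment[node[1]])
            else:
                (n0, c0), (n1, c1) = node[1], node[2]
                a = t_not(vals[n0]) if c0 else vals[n0]
                b = t_not(vals[n1]) if c1 else vals[n1]
                vals.append(t_and(a, b))
        return vals

def build_toy():
    """Constructed netlist: four flip-flops s0..s3, one primary input x0.
    Returns the graph and the next-state functions as fanins (node, complemented)."""
    g = Aig()
    s = [g.input(f's{i}') for i in range(4)]
    x0 = g.input('x0')
    nxt = {
        's0': (g.and2((x0, 0), (s[1], 0)), 0),       # s0' = x0 ∧ s1
        's1': (g.and2((s[2], 1), (s[3], 1)), 1),     # s1' = ¬(¬s2 ∧ ¬s3) = s2 ∨ s3
        's2': (g.and2((s[0], 0), (s[1], 1)), 0),     # s2' = s0 ∧ ¬s1
        's3': (g.and2((s[3], 0), (x0, 0)), 0),       # s3' = s3 ∧ x0
    }
    return g, nxt

def next_values(g, nxt, assignment):
    """Values of the next-state variables under a (possibly ternary) assignment."""
    vals = g.simulate(assignment)
    return {name: (t_not(vals[n]) if c else vals[n]) for name, (n, c) in nxt.items()}

def enlarge(g, nxt, model, state_vars, target):
    """Slide 10: starting from the full SAT model, set one state variable at a
    time to X and keep the X if every literal of the target cube s' is still
    determined; primary inputs stay at their model values.  Returns the
    enlarged cube s as {variable: value}, i.e. the new proof obligation."""
    cur = dict(model)
    for v in state_vars:
        saved = cur[v]
        cur[v] = X
        out = next_values(g, nxt, cur)
        if any(out[name] != val for name, val in target.items()):
            cur[v] = saved                        # v is needed to keep s' determined
    return {v: cur[v] for v in state_vars if cur[v] != X}

def demo():
    """Constructed model: s = (0, 1, 1, 0), x0 = 1 drives the target s' = (s1' ∧ ¬s3')."""
    g, nxt = build_toy()
    model = {'s0': 0, 's1': 1, 's2': 1, 's3': 0, 'x0': 1}
    target = {'s1': 1, 's3': 0}
    return enlarge(g, nxt, model, ['s0', 's1', 's2', 's3'], target)
```

`demo()` returns `{'s2': 1, 's3': 0}`: s0 and s1 do not influence s1' or s3', so every state of the cube s_2 ∧ ¬s_3 drives the target under x0 = 1, and that cube (not just the single model state) becomes the proof obligation. The order in which variables are tried changes which cube comes out, since a variable that is dropped early can force a later one to be kept.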

11. The Improved SAT query of PDR
   • Query: Is the pre-image of a cube s blocked by either F_k or s itself?
   • SAT?[¬F_k ∧ ¬s ∧ T ∧ s']
   [Figure: frames F_0 ... F_3 with Init and Bad; the query looks for a transition s → s' that leaves ¬F_k ∧ ¬s.]
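The trace invariants of slide 5, the two phases of slide 6 and the improved query of slide 11, as an added example that is neither the slides' pseudo-code nor the authors' implementation. It runs PDR on a constructed 8-state toy machine with frames stored as on the slides (F_i is a set of blocked cubes, ¬F_i the states no cube blocks); every SAT? query is answered by enumerating the 8 states and 2 input values, so no solver is involved. Cube generalization is the simple drop-a-literal loop rather than ternary simulation, and whenever the predecessor returned by a query is an initial state the obligation chain is returned as the counterexample. The machine, the property and the names `next_state`, `predecessor`, `generalize` and `pdr` are this example's own.

```python
from itertools import product

NBITS = 3                                # state bits (a, b, c) = bits 2, 1, 0
STATES = range(1 << NBITS)
INPUTS = (0, 1)                          # one primary input x (synchronous reset)
INIT = {0}

def bits(v):
    """State v as a tuple of bit values, most significant first."""
    return tuple((v >> (NBITS - 1 - i)) & 1 for i in range(NBITS))

def next_state(v, x):
    """Constructed toy FSM: a mod-5 counter with reset; states 5, 6, 7 are unreachable."""
    if x:
        return 0
    return 0 if v == 4 else (v + 1) % (1 << NBITS)

def property_violated(v):
    """Property output: Bad = a ∧ c, i.e. states 5 and 7."""
    a, _, c = bits(v)
    return bool(a and c)

# A cube is a frozenset of (bit index, value) literals; the full cube of a
# state has one literal per bit and contains exactly that state.
def contains(cube, v):
    return all(bits(v)[i] == val for i, val in cube)

def full_cube(v):
    return frozenset(enumerate(bits(v)))

def in_frame(frames, k, v):
    """v ∈ ¬F_k: no blocked cube of frame k contains v."""
    return not any(contains(c, v) for c in frames[k])

def predecessor(frames, k, cube):
    """SAT?[¬F_k ∧ ¬s ∧ T ∧ s'] of slide 11 by enumeration: a state in ¬F_k,
    outside s, with a successor inside s.  Returns (t, x), or None if UNSAT."""
    for t, x in product(STATES, INPUTS):
        if (in_frame(frames, k, t) and not contains(cube, t)
                and contains(cube, next_state(t, x))):
            return t, x
    return None

def generalize(frames, k, cube):
    """Drop literals while the query stays UNSAT.  The cube must stay disjoint
    from Init, otherwise the ¬s conjunct of the query would be unsound."""
    for lit in sorted(cube):
        smaller = cube - {lit}
        if (not any(contains(smaller, i) for i in INIT)
                and predecessor(frames, k, smaller) is None):
            cube = smaller
    return cube

def pdr(bad=property_violated):
    """Returns ('safe', states of the inductive invariant) or ('unsafe', trace)."""
    if any(bad(v) for v in INIT):
        return 'unsafe', [next(v for v in INIT if bad(v))]
    # F_0 blocks every non-initial state (F_0 = ¬Init); the last frame starts empty.
    frames = [{full_cube(v) for v in STATES if v not in INIT}, set()]
    while True:
        N = len(frames) - 1
        # Phase 1: recursively block bad states in the last frame.
        while True:
            bad_states = [v for v in STATES if bad(v) and in_frame(frames, N, v)]
            if not bad_states:
                break
            obligations = [(full_cube(bad_states[0]), N, [bad_states[0]])]
            while obligations:
                cube, k, path = obligations.pop()
                pred = predecessor(frames, k - 1, cube)
                if pred is None:                      # blocked: learn a generalized cube
                    g = generalize(frames, k - 1, cube)
                    for i in range(1, k + 1):
                        frames[i].add(g)
                    continue
                t, x = pred
                if t in INIT:                         # the obligation chain is a real trace
                    return 'unsafe', [t] + path
                obligations.append((cube, k, path))   # resume this cube after t is blocked
                obligations.append((full_cube(t), k - 1, [t] + path))
        # Phase 2: add a frame and propagate blocked cubes forward.
        frames.append(set())
        for i in range(1, N + 1):
            for c in list(frames[i]):
                if predecessor(frames, i, c) is None:  # no transition from ¬F_i into c
                    frames[i + 1].add(c)
            if frames[i] == frames[i + 1]:             # slide 6: terminate when F_i = F_{i+1}
                return 'safe', {v for v in STATES if in_frame(frames, i, v)}
```

`pdr()` converges after three frames and returns `('safe', {0, 1, 2, 3, 4})`, the exact reachable set of the counter; `pdr(bad=lambda v: v == 3)` returns `('unsafe', [0, 1, 2, 3])`, a concrete trace from Init to the bad state assembled from the proof obligations. The ¬s conjunct makes each query a relative-induction check, which is why `generalize` refuses any cube that touches Init and why obligation cubes are only ever built from non-initial states.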