20th International Workshop on Logic & Synthesis, June 3-5, 2011
Efficient Implementation of Property Directed Reachability
Niklas Een, Alan Mishchenko, Robert Brayton
What is PDR?
• PDR (aka IC3) is a new model checking algorithm.
• Published by Aaron Bradley on arXiv after being rejected at CAV 2010.
• Won third place in HWMCC'10.
• Can be viewed as approximate reachability.
• Relations to interpolation-based model checking:
  • No proof-logging needed
  • Never have to start over
  • Simpler implementation (my opinion)
  • Faster, stronger, better?
What is our contribution?
• Confirm Aaron's results
• Simplify the procedure
  • No special base case
  • Simpler cube generalization
• Achieve a substantial speedup
  • Ternary simulation
• Detailed pseudo-code
Verification Model
Design/FSM is given as a netlist containing:
• AND gates
• PIs
• Flip-flops with complemented edges,
a single output for the (safety) property and some definition of the initial states.
[Figure: Primary Inputs and Flip-Flops feed the Combinational Logic, which drives the Property Output and the next-state inputs of the Flip-Flops]
How it works
• Reasons on conjunctions of state variables (cubes)
• Proves cubes to be unreachable within k steps
• Maintains a trace of all such facts
• Properties of the trace:
  1. F0 = ¬Init
  2. F1 ⊇ F2 ⊇ ... ⊇ FN (as sets of cubes)
  3. img(¬Fi) ⊆ ¬Fi+1 (¬Fi = potentially reachable states)
  4. Fi ⊇ Bad (except for the last frame)
[Figure: frames F0 ... F5, each showing Init and Bad]
How it works (cont.)
• Two phases:
  • recursively block a point in Bad in the last frame
  • propagate cubes learned during this process forward
• Terminates when Fi = Fi+1
[Figure: frames F0 ... F3 with Init and Bad; arrows labelled "Recursively block Bad" and "Propagate cubes forward"]
Stepping through PDR
• Find a bad state (SAT)
• Enlarge it (ternary sim.)
• Pre-image blocked? (SAT)
  • Yes! Generalize cube (many SAT)
• No more bad states: add frame
[Figure: two frames with Init and Bad, the SAT? query between them]
Stepping through PDR
1. Find a bad state (SAT)
2. Enlarge it (ternary sim.)
3. Pre-image blocked? (SAT)
  4a. Yes! Generalize cube (many SAT)
  4b. No? Get point from SAT model
• No more bad states: add frame (and propagate)
• Is the cube blocked in the new frame? (propagation)
• Resuming work on this cube
[Figure: three frames with Init and Bad; "SAT?" and "no SAT?" queries between neighbouring frames]
The Basic SAT query of PDR
• Query: Is the pre-image of a cube s' blocked by Fk?
• SAT?[¬Fk ∧ T ∧ s']
• Blocked cubes "Fk" are added to the SAT-solver in terms of the current-state variables s
• Example: s' = (s'1 ∧ ¬s'3 ∧ s'n)
[Figure: Combinational Logic with current-state inputs s0 ... sn and primary inputs x0 ... xm, driving next-state outputs s'0 ... s'n and Bad; the example cube fixes s'1 = 1, s'3 = 0, s'n = 1]
Ternary Simulation
• Query: Is the pre-image of a cube s blocked?
• If no, the SAT-solver returns a model
• Example: s' = (s'1 ∧ ¬s'3 ∧ s'n)
• New proof-obligation: s = (s2 ∧ ¬s3 ∧ ¬sn)
[Figure: the same Combinational Logic with the SAT model s0 = 0, s1 = 1, s2 = 1, s3 = 0, sn-1 = 1, sn = 0, x0 = 1, x1 = 0, xm = 1; wires marked X are don't-cares under ternary simulation while s'1 = 1, s'3 = 0, s'n = 1 stay fixed]
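The enlargement step on this slide, as an added example that is not code from the slides or from the authors' implementation: each state variable of the SAT model is tried as X under ternary simulation and kept only if the next-state literals of s' stop being forced. The AIG, the model and the node numbering below are constructed for illustration.

```python
# Constructed AIG (not from the slides): leaves are state variables and primary inputs,
# AND gates map node -> (lit_a, lit_b) in topological order, a literal is (node, negated).
X = None  # the ternary "don't care" value; the other values are True and False

def lit_val(lit, vals):
    """Value of a literal under a ternary assignment; negation of X stays X."""
    node, neg = lit
    v = vals[node]
    return X if v is X else ((not v) if neg else v)

def ternary_and(a, b):
    """Three-valued AND: any 0 input forces 0, two 1 inputs give 1, otherwise X."""
    if a is False or b is False:
        return False
    if a is True and b is True:
        return True
    return X

def simulate(gates, leaf_vals):
    """Evaluate every AND gate (dict order must be topological) under ternary values."""
    vals = dict(leaf_vals)
    for g, (a, b) in gates.items():
        vals[g] = ternary_and(lit_val(a, vals), lit_val(b, vals))
    return vals

def enlarge_cube(gates, state_vars, model, targets):
    """Weaken the SAT model to a cube over state variables: try each one as X and keep
    it only if some target literal (next-state literal of s', or Bad) is no longer forced."""
    cur = dict(model)
    for s in state_vars:
        saved = cur[s]
        cur[s] = X
        vals = simulate(gates, cur)
        if not all(lit_val(t, vals) is True for t in targets):
            cur[s] = saved  # this literal is needed to justify the targets
    return {s: cur[s] for s in state_vars if cur[s] is not X}

# Constructed example: state variables s0..s3 are nodes 1..4, primary input x0 is node 5.
STATE_VARS = [1, 2, 3, 4]
GATES = {
    7: ((1, False), (5, False)),  # next-state function of s1': s0 AND x0
    8: ((3, False), (4, True)),   # next-state function of s3': s2 AND NOT s3
}
# SAT model for the query on the cube s' = (s1' AND NOT s3'), i.e. node 7 = 1, node 8 = 0.
MODEL = {1: True, 2: False, 3: False, 4: True, 5: True}
TARGETS = [(7, False), (8, True)]
if __name__ == "__main__":
    cube = enlarge_cube(GATES, STATE_VARS, MODEL, TARGETS)
    print(cube)  # {1: True, 4: True}: the proof obligation shrinks to s0 AND s3
```

The result depends on the order in which state variables are tried: here s2 is dropped first (s3 = 1 alone keeps node 8 at 0), after which s3 can no longer be dropped.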
The Improved SAT query of PDR
• Query: Is the pre-image of a cube s blocked by either Fk or s itself?
• SAT?[¬Fk ∧ ¬s ∧ T ∧ s']
[Figure: frames F0 ... F3 with Init and Bad; the SAT? query relates s in one frame to s' in the next]
Delta Encoding of Trace
• In the implementation, cubes are only stored in the last frame where they hold.
[Figure: two views of the trace F0 ... F5, each frame showing Init and Bad]
Demo
Running PDR on some industrial benchmarks
Notes on Implementation
• PDR can sometimes find very deep counterexamples.
• Recursive blocking takes about 80% of the runtime, propagation 20%.
  • Most of the time in recursive blocking is spent on cube generalization.
  • Using activation literals or proof-logging reduces cube generalization significantly.
• PDR can be implemented using one or many SAT-instances.
  • When using one instance, it is natural to add F.
• Can be used by other engines.
• Can be explicitly strengthened by mutual induction test.
• Upon creation, derived cubes are placed in the last frame where they hold.
Concluding Remarks on PDR
• Derives interpolants in terms of state cubes.
  • Because the domain is so simple: can optimize efficiently
  • Subsumption and termination become syntactic checks
• Reasons locally (over one transition only).
  • Enhances abstraction
  • Improves chances of finding an inductive invariant.
• Never starts over.
  • Extends the current knowledge at Fk as needed.
• Very memory efficient.
• This is only the beginning...