190 likes | 196 Views
PDR: Property Directed Reachability AKA ic3: SAT-Based Model Checking Without Unrolling. Aaron Bradley University of Colorado, Boulder Robert Brayton Niklas Een Alan Mishchenko University of California, Berkeley. Outline. Motivation
E N D
PDR: Property Directed ReachabilityAKAic3: SAT-Based Model Checking Without Unrolling Aaron Bradley University of Colorado, Boulder Robert Brayton Niklas Een Alan Mishchenko University of California, Berkeley
Outline • Motivation • Sequential verification is hard (needs new engines!) • Pioneering work of Aaron Bradley • A surprise (3d place) winner at HWMCC’10! • Remarkable features • Efficiently tackles both SAT and UNSAT instances • Lends itself to localization abstraction and parallelism • Conceptually simple, relatively tuning-free • Understanding the algorithm • Pseudo-code… • Experimental results and conclusions
Pioneering Work • Aaron Bradley developed this algorithm after several years of work on “inductive generalization” • Preliminary work (A. R. Bradley and Z. Manna, “Checking safety by inductive generalization of counterexamples to induction”, FMCAD’07) • This work (A. R. Bradley, “k-step relative inductive generalization”, http://arxiv.org/abs/1003.3649) • The original version of the tool to enter HWMCC’10 (ic3, http://ecee.colorado.edu/~bradleya/ic3/) • ic3 won the third place and only lost, by a small margin, to two mature, integrated engines (ABC and PdTRAV)
Efficient Implementation • Niklas Een implemented Aaron Bradley’s algorithm while taking advantage of the strengths of MiniSAT: • Incremental interface • Activation literals to enable/disable clauses • Procedure AnalyzeFinal to compute an UNSAT core in terms of the original assumptions • Resource-driven recycling of the SAT solver • Additionally, Niklas proposed • Ternary simulation for quick cube expansion • New heuristics for inductive generalization • Smart data-structures for clauses and proof obligations • Niklas’ implementation runs faster and proves more properties than the original implementation
PDR: The Main Idea • PDR is a way of computing an inductive invariant that does not overlap with bad states • It is similar to interpolation, but the way of deriving the invariant is different • PDR has better control of the invariant, and this may explain its good performance • Inductive invariant is a Boolean function in terms of register variables, such that • It is true for the initial states • It is inductive (assuming it in one time frame leads to making it true in the next timeframe) State space Bad Invariant Init Reached
PDR: The Main Idea • Construct over-approximations (F0, F1, …, Fk) of states reachable after each time step • Start with F0 = Init, and compute other over-approximations as sets of CNF clauses • Additionally, require that • Semantically (as functions): F0→F1→F2→... →Fk • Syntactically (as clause sets): F1⊇ F2⊇ ... ⊇ Fk
PDR: The Main Idea • Termination criteria • If an over-approximation is inductive, return UNSAT • If a counter-example is found, return SAT • The algorithm constructs over-approximations • in a property directed way • the property is used to decide what clauses to include • with an inductive flavor • induction is used to prove that a clause holds in a frame
PDR: Illustration Time frame Time frame 1 Time frame 0 Property output Primary inputs Comb Logic … Register outputs Register inputs Initial State States where property fails State space of time frame 0 State space of time frame 1 Initial states a1 a2 Bad Bad a3 T Cubes (a1, a2, a3) are covering bad states and not including reached states. The product of their complements is a property-directed over-approximation F1 of reachable states at frame 1. Init Init Reached
Inductive Generalization • Assume that, at some point, we have the following over-approximations of reached states: (F0, F1, …, Fk) • Suppose we wish to block state s in frame i • We can try to find a clause c, such that c s and add it to the set of clauses for frame i. • Clause c can be added if it satisfies condition Fi-1∧T→ c • Another possibility is to run a stronger inductive checkFi-1 ∧ c’ ∧ T→ c where c’ is clause c expressed in terms of the current state variables • We can also try to generalize (or strengthen) clause c, by removing literals, as long as the inductive check passes
State space of time frame k-1 (all bad states are blocked by clauses) State space of time frame k (there is a bad state s that needs blocking) a4 a1 a5 s’ a2 Bad Bad S a3 T Pre-image s’ of s Init Init Reached(k-1) Reached(k-1) Reached(k) Consider the case when s’ is blocked by clauses in frame k-1. We can use inductive generalization to derive a new clause c blocking s in frame k, such that Fk-1∧c’∧T→ c, where Fk-1 is the product of clauses in frame k-1 and T is the transition relation.
State space of time frame k-1 (all bad states are blocked by clauses) State space of time frame k (there is a bad state s that needs blocking) a4 a1 a5 a2 Bad Bad S a3 T s’ Pre-image s’ of s Init Init Reach(k-1) Reach(k-1) Reach(k) Consider the case when s’ is NOT blocked by clauses in frame k-1. In this case, we schedule a proof obligation to block s’ in frame k-1. We treat s’ as a bad state in frame k-1 and try to block it recursively.
Pseudo-code PDR( AIG ) { k = 0; solver[0] = CreateSatSolver( AIG, init_state ); forever { cube = GetBadState( solver[k] ); if ( cube != NULL ) { if ( !BlockState( cube, solver[0], …, solver[k] ) ) return SAT; // found counter-example } else { k = k+1; solver[k] = CreateSatSolver( AIG, not_init ); if ( PushClauses( solver[1], …, solver[k] ) ) return UNSAT; // found inductive invariant } } }
Procedures solver CreateSatSolver( AIG, initialize ) returns a SAT solver with the AIG; optionally initializes it cube GetBadState( solver[k] ) returns a state cube failing property in the k-th frame bool BlockState( cube, solver[0], …, solver[k] ) recursively tries to block cube by adding clauses to solvers returns 1, if the cube could be blocked; 0, otherwise bool PushClauses( solver[0], …, solver[k] ) moves clauses in i-th frame to i+1-th frame, if they hold returns 1, if an inductive invariant is found; 0, otherwise
Remarkable Features • Efficiently tackles both SAT and UNSAT instances • Often finds counter-examples that cannot be found by bounded model checking • Often proves problems that are not proved by interpolation • Amenable to localization abstraction • PDR solver can work in-place and increase its scope on-demand, without traversing all registers and logic gates of the design • Lends itself to parallelism • Each process working on some proof obligations and exchange clauses • Conceptually simple, relatively tuning-free • Unlike, for example, BDD-based reachability that takes lots of time to develop and leaves lots of parameters to tune
Example of Inductive Invariant # Inductive invariant for "hwmcc08\eijkS208" # generated by PDR in ABC on Tue Dec 07 09:36:36 2010 .i 22 .o 1 .p 43 -------------0---1---- 1 -------------1---0---- 1 ------------0-----1--- 1 ------------1-----0--- 1 -----------0-------1-- 1 -----------1-------0-- 1 ----------0-----1----- 1 ----------1-----0----- 1 ---------0-----1------ 1 ---------1-----0------ 1 --------0-----1------- 1 --------1-----0------- 1 -------0-------------1 1 -------0------------1- 1 -------0-----------1-- 1 -------0----------1--- 1 -------1----------0000 1 ------0--------------1 1 ------0-------------1- 1 ------0------------1-- 1 ------0-----------1--- 1 ------1-----------0000 1 -----0---------------1 1 -----0--------------1- 1 -----0-------------1-- 1 -----0------------1--- 1 -----1------------0000 1 ----0----------------1 1 ----0---------------1- 1 ----0--------------1-- 1 ----0-------------1--- 1 ----1-------------0000 1 ---0-------11--------- 1 ---1--------0--------- 1 ---1-------0---------- 1 --0-----------------1- 1 --1-----------------0- 1 -0-------------------1 1 -1-------------------0 1 0-----------------1111 1 1--0------------------ 1 1-0------------------- 1 10-------------------- 1 .e --------0-----1------- 1 --------1-----0------- 1 -------0-------------1 1 -------0------------1- 1 -------0-----------1-- 1 -------0----------1--- 1 -------1----------0000 1 Flop relationships: F8 = F14 F7 = F18 & F19 & F20 & F21
Experiments on Hard Examples(previously unsolved by ABC) Statistics: number of primary inputs (PI), flip-flops (FF), and AIG nodes (AND) Frame: timeframe where inductive invariant or counter-example was found Clauses: the number of clauses in the inductive invariant Time: runtime of PDR, without preprocessing
Conclusion • Presented PDR • pioneering work of Aaron Bradley • efficient implementation by Niklas Een • Explained how it works • Discussed its remarkable features • Future improvements • localization abstraction • temporal decomposition • signal-clauses instead of register-clauses • applications in logic synthesis