Propositional Approximations for Bounded Model Checking of Partial - PowerPoint PPT Presentation

Propositional Approximations for Bounded Model Checking of Partial Circuit Designs Ralf Wimmer (joint work with Bernd Becker, Marc Herbstritt, Natalia Kalinnik, Matthew Lewis, Juri Lichtner, Tobias Nopper) Albert-Ludwigs-University Freiburg im Breisgau, Germany ICCD 2008 Oct. 12–15, 2008

Outline 1 Preliminaries Bounded Model Checking Relational vs. Functional Representation 2 BMC with Black Boxes Black Boxes Three-valued Logic Impact on 01X-BMC 3 Experimental Results

Preliminaries

Invariant Properties x 0 x 1 x 2 x n − 1 Combinational Part Given Sequential circuit Register s 0 s 1 s p − 1 SK = ( x , s , δ, λ ) x inputs s state bits δ 0 δ 1 δ p − 1 δ transition functions λ 0 λ 1 λ 2 λ m − 1 output functions λ Sequential circuit invariant property φ Question Does φ hold in all reachable states?

Bounded Model Checking Method: Formulate the reachability of a state violating the invariant property within k steps as a satisfiability problem: k − 1 BMC ( k ) = I ( s 0 ) · � T ( s i , s i +1 ) · P ( s k ) i =0 I ( s 0 ) = true iff s 0 is the initial state T ( s i , s i +1 ) = true iff there is a transition from state s i to s i +1 . P ( s k ) = true iff s k satisfies the invariant property.

Relational vs. Functional Transition Representation Transition Relation Local transition relation: T i := ( s ′ i ≡ δ i ( s , x )) Global transition relation: n − 1 � T ( s , x , s ′ ) T i ( s , x , s ′ := i ) i =0 n − 1 � � s ′ � = i ≡ δ i ( s , x ) i =0

Relational vs. Functional Transition Representation Transition Function l : B p × ( B n ) k → B δ k that is inductively defined by: δ 0 l ( s 0 ) s 0 := l δ l ( δ k − 1 δ k l ( s 0 , x 0 , . . . , x ( k − 1) ) ( s 0 , x 0 , . . . , x k − 2 ) , := 0 . . . , δ k − 1 ( p − 1) ( s 0 , x 0 , . . . , x k − 2 ) , x k − 1 ) ,

Relational vs. Functional Transition Representation Relational transition representation n − 1 � � s ′ � i ≡ δ i ( s , x ) i =0 ≡ s 1 ≡ s 2 δ ( s k − 1 , x k − 1 ) ≡ s k δ ( s 0 , x 0 ) δ ( s 1 , x 1 ) ... Functional transition representation δ l ( δ k − 1 , . . . , δ k − 1 ( p − 1) , x k − 1 ) 0 δ ( s 0 , x 0 ) δ ( s 1 , x 1 ) δ ( s k − 1 , x k − 1 ) ...

Relational vs. Functional Transition Representation Bounded Model Checking Relational TR: BMC rel ( k ) := I ( s 0 ) · T k ( s 0 , x 0 , s 1 . . . , x k − 1 , s k ) · P ( s k ) Functional TR: BMC func ( k ) := I ( s 0 ) · P ( δ k ( s 0 , x 0 , . . . , x k − 1 )) Both formulae are satisfiability equivalent for circuits.

BMC with Black Boxes

What are Black Boxes? x Blackbox Blackbox Registers s 0 , . . . , s p − 1 λ δ Parts of a digital system are not available (yet): design not finished yet irrelevant parts removed for efficiency reasons fault localization Outputs of a blackbox have an unknown value ( X ) ⇒ Three-valued logic

01X-Logic: Two-valued encoding Most commonly used encoding [Jain et al., 2000]: AND 01X ( a , b ) 0 01X := (1 , 0) b 0 1 X 1 01X := (0 , 1) a X 01X := (0 , 0) 0 0 0 0 1 0 1 X X 0 X X (1 , 1) illegal value AND 01X (( a 0 , a 1 ) , ( b 0 , b 1 )) := ( a 0 + b 0 , a 1 · b 1 ) OR 01X (( a 0 , a 1 ) , ( b 0 , b 1 )) := ( a 0 · b 0 , a 1 + b 1 ) NOT 01X (( a 0 , a 1 ) , ( b 0 , b 1 )) := ( a 1 , a 0 )

Impact on 01X-BMC x y Blackbox FF s 0 init: 0 FF s 1 1 init: 0 Initial state: s 0 = 0, s 1 = 0 Invariant property: AG ( ¬ s 0 ∧ ¬ s 1 ), i. e., P ( s 0 , s 1 ) = s 0 ∨ s 1 Transition functions: δ 0 ( s 0 , s 1 , x ) = X ∨ s 1 δ 1 ( s 0 , s 1 , x ) = 1

Impact on 01X-BMC x y Blackbox FF s 0 init: 0 FF s 1 1 init: 0 Functional TR BMC f (1) = I ( s 0 0 , s 0 1 ) · P ( δ 0 ( s 0 0 , s 0 1 , x 0 ) , δ 1 ( s 0 0 , s 0 1 , x 0 )) 1 · (( s 0 = s 0 0 · s 0 1 + X ) + 1) = s 0 0 · s 0 1 Using 01X-encoding, we obtain: 1 , 0 ) ! BMC f , enc (1) = ( s 0 0 , 1 + s 0 1 , 1 , s 0 0 , 0 · s 0 = 1 01X = (0 , 1)

Impact on 01X-BMC x y Blackbox FF s 0 init: 0 FF s 1 1 init: 0 Relational TR BMC r (1) = I ( s 0 0 , s 0 1 ) · T ( s 0 0 , s 0 1 , x 0 , s 1 0 , s 1 1 ) · P ( s 1 0 , s 1 1 ) 1 · ( s 1 0 ≡ δ 0 ( s 0 0 , s 0 1 , x 0 )) · ( s 1 1 ≡ δ 1 ( s 0 0 , s 0 1 , x 0 )) · P ( s 1 = s 0 0 · s 0 0 , s 1 1 ) � � � � �� s 1 s 0 · s 1 s 1 0 + s 1 s 0 0 · s 0 � � + s 1 s 0 � � = · 0 · 1 + X 0 · 1 + X 1 · 1 1 Using 01X-encoding, we obtain: ! BMC r , enc (1) = ( s 0 0 , 1 + s 0 1 , 1 + s 1 0 , 0 · s 1 0 , 1 + s 1 1 , 0 , s 0 0 , 0 · s 0 1 , 0 · s 1 0 , 1 · s 0 1 , 1 · s 1 1 , 1 ) = 1 01X = (0 , 1)

Relational vs. Functional BMC Functional TR 1 , 0 ) ! BMC f , enc (1) = ( s 0 0 , 1 + s 0 1 , 1 , s 0 0 , 0 · s 0 = (0 , 1) Solution found! s 0 , 0 = s 1 , 0 = 1, s 0 , 1 = s 1 , 1 = 0, i. e. s 0 = 0 , s 1 = 0. Relational TR BMC r , enc (1) = ( s 0 0 , 1 + s 0 1 , 1 + s 1 0 , 0 · s 1 0 , 1 + s 1 1 , 0 , 1 , 1 ) ! s 0 0 , 0 · s 0 1 , 0 · s 1 0 , 1 · s 0 1 , 1 · s 1 = (0 , 1) No solution! In the first part, we would have to set s 0 1 , 1 = 0 and in the second part, s 0 1 , 1 = 1.

Relational vs. Functional BMC Functional TR 1 , 0 ) ! BMC f , enc (1) = ( s 0 0 , 1 + s 0 1 , 1 , s 0 0 , 0 · s 0 = (0 , 1) Solution found! s 0 , 0 = s 1 , 0 = 1, s 0 , 1 = s 1 , 1 = 0, i. e. s 0 = 0 , s 1 = 0. Relational TR BMC r , enc (1) = ( s 0 0 , 1 + s 0 1 , 1 + s 1 0 , 0 · s 1 0 , 1 + s 1 1 , 0 , 1 , 1 ) ! s 0 0 , 0 · s 0 1 , 0 · s 1 0 , 1 · s 0 1 , 1 · s 1 = (0 , 1) No solution! In the first part, we would have to set s 0 1 , 1 = 0 and in the second part, s 0 1 , 1 = 1.

The Cause of the Effect (1) Transition relation: n − 1 � � � s ′ i ≡ δ i ( s , x ) i =0 X 01X ≡ X 01X ? Consider: x ≡ y (short for: s ′ i ≡ δ i ( s , x )) Two-valued encoding: � � ( x 0 · x 1 + x 0 · y 1 + x 1 · y 0 + y 0 · y 1 ) , ( x 0 · y 0 + x 1 · y 1 ) (*) For x = y = X 01X ⇒ ( x 0 , x 1 ) = ( y 0 , y 1 ) = (0 , 0) : (*) results in (0 , 0) = X 01X . Observation Abuse of the equivalence operator ≡ (i. e., ⊕ ) disables propagation of X 01X for latch values

The Cause of the Effect (2) x 01 δ 1 Black x, x x x Box ( BB :1) x δ 0 ( BB :0) 00 x x ( BB :0) ( BB :1) 10 11 s ′ s 0 FF 0 0 x, x s 1 s ′ FF 0 1 x “Fixed edges” : Solid (black) edges exist independently of the content of the blackbox. “Possible edges” : Dashed (blue) edges are an over-approximation of the edges which may exist depending on the blackbox implementation.

The Cause of the Effect (3) Relational TR uses only fixed (= solid) edges. No counterexample found! 01 0 , 1 0 0 ( BB :1) 0 Functional TR uses all edges. ( BB :0) 00 1 1 Counterexample: 10 ( BB :0) 11 ( BB :1) x 0 = 1, x 1 = 0, x 2 = 1. 0 , 1 1 00 1 → { 10 , 11 } 0 → { 01 , 10 } 1 − − − → 11 “Uniform counterexample”

The Cause of the Effect (3) Relational TR uses only fixed (= solid) edges. No counterexample found! 01 0 , 1 0 0 ( BB :1) 0 Functional TR uses all edges. ( BB :0) 00 1 1 Counterexample: 10 ( BB :0) 11 ( BB :1) x 0 = 1, x 1 = 0, x 2 = 1. 0 , 1 1 00 1 → { 10 , 11 } 0 → { 01 , 10 } 1 − − − → 11 “Uniform counterexample”

Experimental Results

Implementation Implementation in C++ And-Inverter-Graphs (AIGs) for composition of transition functions / relations Experiments performed on AMD Opteron Dual Processor, 2.6 GHz, 4 GB main memory

Experimental Results (1) s1269 – VIS prop. #ex. CPU time #CE AIG size rel. func. rel. func. rel. func. MiniSAT Tot. MiniSAT Tot. 1 260 2.01 39.40 0.20 9.83 69 104 7,764,322 898,050 2 450 1.97 41.95 0.10 8.19 96 280 8,740,160 424,063 3 300 0.85 20.85 0.05 4.27 67 217 4,062,166 197,170 4 340 1.32 26.59 0.07 5.96 79 226 6,064,355 319,432 5 650 2.96 64.92 0.17 13.12 145 450 12,675,386 777,909 Functional approach considerably faster Functional approach detects more counterexamples CNF of functional approach is much smaller: Cone-of-influence reduction performed for free.

Experimental Results op 3 src 3 src 3 op 2 op 1 src 1 src 1 op 0 src 0 src 0 dest 3 value 2 dest 2 dest 1 dest 0 1 2 1 2 1 2 Select Select Select Select Select Select FU 2 FU 3 FU 1 FU 0 R 15 . . . R 12 R 11 . . . R 8 R 7 . . . R 4 R 3 . . . R 0 VLIW ALU width #ex. CPU time #CE AIG size rel. func. rel. func. rel. func. MiniSAT Tot. MiniSAT Tot. 2 4 0.003 0.05 0.003 0.04 1 1 7,954 5,032 4 4 0.006 0.09 0.009 0.08 1 1 13,566 8,712 16 4 0.089 0.55 0.265 0.75 1 1 47,238 30,792 24 4 0.070 0.90 0.466 1.45 1 1 69,686 45,512 32 4 0.112 1.48 0.938 2.39 1 1 92,134 60,232 40 4 0.275 2.02 5.469 7.59 1 1 114,582 74,952 48 4 0.340 2.66 5.734 8.56 1 1 137,030 89,672 64 4 0.674 3.16 16.489 18.63 1 1 181,926 119,112

VLIW ALU: Results Both approaches detect a counterexample: Counterexample uses only fixed edges. Relational approach faster: Functional approach gets stuck on paths with possible edges. Difference in size is smaller since the property depends on all outputs.