SLIDE 1 Propositional Approximations for Bounded Model Checking of Partial Circuit Designs Ralf Wimmer
(joint work with Bernd Becker, Marc Herbstritt, Natalia Kalinnik, Matthew Lewis, Juri Lichtner, Tobias Nopper)
Albert-Ludwigs-University Freiburg im Breisgau, Germany
ICCD 2008
SLIDE 2
Outline
1 Preliminaries
  Bounded Model Checking
  Relational vs. Functional Representation
2 BMC with Black Boxes
  Black Boxes
  Three-valued Logic
  Impact on 01X-BMC
3 Experimental Results
SLIDE 3
Preliminaries
SLIDE 4 Invariant Properties
Given
Sequential circuit SK = (x, s, δ, λ): x inputs, s state bits, δ transition functions, λ output functions
Invariant property φ
Question
Does φ hold in all reachable states?
[Figure: sequential circuit. Inputs x0, ..., xn−1 and state bits s0, ..., sp−1 feed the combinational part, which computes the outputs λ0, ..., λm−1 and the next-state functions δ0, ..., δp−1 that are stored in the register.]
SLIDE 5 Bounded Model Checking
Method: Formulate the reachability of a state violating the invariant property within k steps as a satisfiability problem:
$$\mathrm{BMC}(k) = I(s_0) \cdot \prod_{i=0}^{k-1} T(s_i, s_{i+1}) \cdot P(s_k)$$
I(s_0) = true iff s_0 is the initial state.
T(s_i, s_{i+1}) = true iff there is a transition from state s_i to s_{i+1}.
P(s_k) = true iff s_k satisfies the invariant property.
SLIDE 6 Relational vs. Functional Transition Representation
Transition Relation
Local transition relation: $T_i := (s'_i \equiv \delta_i(s, x))$
Global transition relation:
$$T(s, x, s') := \prod_{i=0}^{n-1} T_i(s, x, s'_i) = \prod_{i=0}^{n-1} \big(s'_i \equiv \delta_i(s, x)\big)$$
SLIDE 7
Relational vs. Functional Transition Representation
Transition Function
$\delta^k_l : \mathbb{B}^p \times (\mathbb{B}^n)^k \to \mathbb{B}$, inductively defined by:
$$\delta^0_l(s^0) := s^0_l$$
$$\delta^k_l(s^0, x^0, \ldots, x^{k-1}) := \delta_l\big(\delta^{k-1}_0(s^0, x^0, \ldots, x^{k-2}), \ldots, \delta^{k-1}_{p-1}(s^0, x^0, \ldots, x^{k-2}), x^{k-1}\big)$$
SLIDE 8 Relational vs. Functional Transition Representation
Relational transition representation: $\prod_{i=0}^{n-1} (s'_i \equiv \delta_i(s, x))$
[Figure: the unrolling is a chain of equivalences $\delta(s^0, x^0) \equiv s^1$, $\delta(s^1, x^1) \equiv s^2$, ..., $\delta(s^{k-1}, x^{k-1}) \equiv s^k$, each step introducing fresh state variables.]
Functional transition representation: $\delta_l(\delta^{k-1}_0, \ldots, \delta^{k-1}_{p-1}, x^{k-1})$
[Figure: the unrolling nests the transition functions, $\delta(s^0, x^0)$ feeding $\delta(s^1, x^1)$ and so on up to $\delta(s^{k-1}, x^{k-1})$, without intermediate state variables.]
SLIDE 9
Relational vs. Functional Transition Representation
Bounded Model Checking
Relational TR:
$$\mathrm{BMC}_{rel}(k) := I(s^0) \cdot T^k(s^0, x^0, s^1, \ldots, x^{k-1}, s^k) \cdot P(s^k)$$
Functional TR:
$$\mathrm{BMC}_{func}(k) := I(s^0) \cdot P\big(\delta^k(s^0, x^0, \ldots, x^{k-1})\big)$$
Both formulae are satisfiability equivalent for circuits.
SLIDE 10
BMC with Black Boxes
SLIDE 11 What are Black Boxes?
[Figure: a circuit with registers s0, ..., sp−1 and inputs x, in which parts of the transition functions δ and of the output functions λ are replaced by black boxes.]
Parts of a digital system are not available (yet):
  design not finished yet
  irrelevant parts removed for efficiency reasons
  fault localization
Outputs of a blackbox have an unknown value (X) ⇒ Three-valued logic
SLIDE 12
01X-Logic: Two-valued encoding
Most commonly used encoding [Jain et al., 2000]:

AND01X(a, b)   b = 0   b = 1   b = X
  a = 0          0       0       0
  a = 1          0       1       X
  a = X          0       X       X

0_01X := (1, 0)   1_01X := (0, 1)   X_01X := (0, 0)   (1, 1) illegal value

AND01X((a0, a1), (b0, b1)) := (a0 + b0, a1 · b1)
OR01X((a0, a1), (b0, b1)) := (a0 · b0, a1 + b1)
NOT01X((a0, a1)) := (a1, a0)
SLIDE 13 Impact on 01X-BMC
[Figure: two flip-flops s0 and s1, both with init 0. The blackbox has input x and output y; the next value of s0 is y ∨ s1, the next value of s1 is the constant 1.]
Initial state: s0 = 0, s1 = 0
Invariant property: AG(¬s0 ∧ ¬s1), i. e., P(s0, s1) = s0 ∨ s1
Transition functions: δ0(s0, s1, x) = X ∨ s1, δ1(s0, s1, x) = 1
SLIDE 14 Impact on 01X-BMC
[Figure: the same circuit as on slide 13: flip-flops s0 and s1 (init 0), blackbox with input x and output y.]
Functional TR
$$\mathrm{BMC}_f(1) = I(s^0_0, s^0_1) \cdot P\big(\delta_0(s^0_0, s^0_1, x^0), \delta_1(s^0_0, s^0_1, x^0)\big) = \overline{s^0_0} \cdot \overline{s^0_1} \cdot \big((s^0_1 + X) + 1\big) = \overline{s^0_0} \cdot \overline{s^0_1}$$
Using 01X-encoding, we obtain:
$$\mathrm{BMC}_{f,enc}(1) = \big(s^0_{0,1} + s^0_{1,1},\; s^0_{0,0} \cdot s^0_{1,0}\big) \overset{!}{=} 1_{01X} = (0, 1)$$
SLIDE 15 Impact on 01X-BMC
[Figure: the same circuit as on slide 13: flip-flops s0 and s1 (init 0), blackbox with input x and output y.]
Relational TR
$$\mathrm{BMC}_r(1) = I(s^0_0, s^0_1) \cdot T(s^0_0, s^0_1, x^0, s^1_0, s^1_1) \cdot P(s^1_0, s^1_1)$$
$$= \overline{s^0_0} \cdot \overline{s^0_1} \cdot \big(s^1_0 \equiv \delta_0(s^0_0, s^0_1, x^0)\big) \cdot \big(s^1_1 \equiv \delta_1(s^0_0, s^0_1, x^0)\big) \cdot P(s^1_0, s^1_1)$$
$$= \overline{s^0_0} \cdot \overline{s^0_1} \cdot \big(s^1_0 \cdot (s^0_1 + X) + \overline{s^1_0} \cdot \overline{(s^0_1 + X)}\big) \cdot s^1_1 \cdot (s^1_0 + s^1_1)$$
Using 01X-encoding, we obtain:
$$\mathrm{BMC}_{r,enc}(1) = \big(s^0_{0,1} + s^0_{1,1} + s^1_{0,0} \cdot s^1_{0,1} + s^1_{1,0},\; s^0_{0,0} \cdot s^0_{1,0} \cdot s^1_{0,1} \cdot s^0_{1,1} \cdot s^1_{1,1}\big) \overset{!}{=} 1_{01X} = (0, 1)$$
SLIDE 16
Relational vs. Functional BMC
Functional TR
$$\mathrm{BMC}_{f,enc}(1) = \big(s^0_{0,1} + s^0_{1,1},\; s^0_{0,0} \cdot s^0_{1,0}\big) \overset{!}{=} (0, 1)$$
Solution found! $s^0_{0,0} = s^0_{1,0} = 1$, $s^0_{0,1} = s^0_{1,1} = 0$, i. e. s0 = 0, s1 = 0.
Relational TR
$$\mathrm{BMC}_{r,enc}(1) = \big(s^0_{0,1} + s^0_{1,1} + s^1_{0,0} \cdot s^1_{0,1} + s^1_{1,0},\; s^0_{0,0} \cdot s^0_{1,0} \cdot s^1_{0,1} \cdot s^0_{1,1} \cdot s^1_{1,1}\big) \overset{!}{=} (0, 1)$$
No solution! In the first part, we would have to set $s^0_{1,1} = 0$ and in the second part, $s^0_{1,1} = 1$.
SLIDE 18 The Cause of the Effect (1)
Transition relation: $\prod_{i=0}^{n-1} (s'_i \equiv \delta_i(s, x))$
Consider: $x \equiv y$ (short for: $s'_i \equiv \delta_i(s, x)$)
Two-valued encoding:
$$(x_0 \cdot x_1 + x_0 \cdot y_1 + x_1 \cdot y_0 + y_0 \cdot y_1,\; x_0 \cdot y_0 + x_1 \cdot y_1) \quad (*)$$
For $x = y = X_{01X}$, i. e. $(x_0, x_1) = (y_0, y_1) = (0, 0)$: (*) results in $(0, 0) = X_{01X}$.
Observation
Abuse of the equivalence operator ≡ (i. e., ⊕) disables propagation.
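As an added example (not code from the slides or from the authors' tool), the following Python script implements the 01X encoding of slide 12, the equivalence operator discussed on this slide, and the slide-13 circuit under both transition representations (slides 14 to 16). Enumeration over the three legal encoded values stands in for the SAT solver; all function names are constructed for this example.

```python
from itertools import product

# Constructed example: 01X-logic in the two-valued encoding of
# [Jain et al., 2000], applied to the slide-13 circuit. A SAT solver
# is replaced by enumeration over the three legal encoded values.
ZERO, ONE, X = (1, 0), (0, 1), (0, 0)    # (1, 1) is the illegal value
VALUES = (ZERO, ONE, X)

def and01x(a, b): return (a[0] | b[0], a[1] & b[1])
def or01x(a, b):  return (a[0] & b[0], a[1] | b[1])
def not01x(a):    return (a[1], a[0])

def equiv01x(a, b):
    """x ≡ y built as (x·y) + (¬x·¬y); it yields X whenever one side is X."""
    return or01x(and01x(a, b), and01x(not01x(a), not01x(b)))

# Slide 13: registers s0, s1 (both init 0); the black-box output y is X.
def delta0(s0, s1): return or01x(X, s1)    # δ0(s0, s1, x) = y ∨ s1
def delta1(s0, s1): return ONE             # δ1(s0, s1, x) = 1
def init(s0, s1):   return and01x(not01x(s0), not01x(s1))
def bad(s0, s1):    return or01x(s0, s1)   # P(s0, s1) = s0 ∨ s1

def bmc_functional(k=1):
    """BMC_f(k) = I(s^0) · P(δ^k(s^0)); return the initial states evaluating to 1."""
    found = []
    for s in product(VALUES, repeat=2):
        cur = s
        for _ in range(k):                 # nest δ k times, no fresh state variables
            cur = (delta0(*cur), delta1(*cur))
        if and01x(init(*s), bad(*cur)) == ONE:
            found.append(s)
    return found

def bmc_relational():
    """BMC_r(1) = I(s^0) · (s^1_0 ≡ δ0(s^0)) · (s^1_1 ≡ δ1(s^0)) · P(s^1)."""
    found = []
    for a0, a1, b0, b1 in product(VALUES, repeat=4):   # s^0 = (a0, a1), s^1 = (b0, b1)
        trans = and01x(equiv01x(b0, delta0(a0, a1)), equiv01x(b1, delta1(a0, a1)))
        if and01x(and01x(init(a0, a1), trans), bad(b0, b1)) == ONE:
            found.append(((a0, a1), (b0, b1)))
    return found

if __name__ == "__main__":
    print("X ≡ X evaluates to", equiv01x(X, X))              # (0, 0) = X
    print("functional BMC(1) solutions:", bmc_functional())  # [((1, 0), (1, 0))]
    print("relational BMC(1) solutions:", bmc_relational())  # []
```

The relational unrolling never reaches 1 because s^1_0 ≡ X is X for every value of s^1_0, which is exactly the lost propagation described above.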
SLIDE 19 The Cause of the Effect (2)
[Figure: state graph over the states 00, 01, 10, 11 of a circuit with flip-flops s0, s1 (init 0), a black box fed by input x, and transition functions δ0, δ1. Edges are labelled with the value of x and, where they depend on the black box, with its output (BB:0 or BB:1).]
"Fixed edges": Solid (black) edges exist independently of the content of the blackbox.
"Possible edges": Dashed (blue) edges are an over-approximation of the edges which may exist depending on the blackbox implementation.
SLIDE 20 The Cause of the Effect (3)
[Figure: the state graph of slide 19 with the fixed edges (labelled 0, 1) and the possible edges (labelled with BB:0 / BB:1).]
Relational TR uses only fixed (= solid) edges. No counterexample found!
Functional TR uses all edges. Counterexample: x0 = 1, x1 = 0, x2 = 1:
  00 --1--> {10, 11} --0--> {01, 10} --1--> 11 ("Uniform counterexample")
SLIDE 22
Experimental Results
SLIDE 23
Implementation
Implementation in C++
And-Inverter-Graphs (AIGs) for composition of transition functions / relations
Experiments performed on AMD Opteron Dual Processor, 2.6 GHz, 4 GB main memory
SLIDE 24
Experimental Results (1)
s1269 – VIS

                CPU time (s)                              #CE          AIG size
prop.  #ex.   rel. MiniSAT  rel. Tot.  func. MiniSAT  func. Tot.  rel.  func.  rel.        func.
1      260    2.01          39.40      0.20           9.83        69    104    7,764,322   898,050
2      450    1.97          41.95      0.10           8.19        96    280    8,740,160   424,063
3      300    0.85          20.85      0.05           4.27        67    217    4,062,166   197,170
4      340    1.32          26.59      0.07           5.96        79    226    6,064,355   319,432
5      650    2.96          64.92      0.17           13.12       145   450    12,675,386  777,909

Functional approach considerably faster
Functional approach detects more counterexamples
CNF of the functional approach is much smaller: cone-of-influence reduction is performed for free.
SLIDE 25 Experimental Results
[Figure: VLIW ALU. A register file R0 ... R15 in four banks (R3 ... R0, R7 ... R4, R11 ... R8, R15 ... R12) feeds four functional units FU 0 ... FU 3 through select logic on the source operands src0 ... src3 (two each); the results are written back via dest0 ... dest3.]

VLIW ALU

               CPU time (s)                              #CE          AIG size
width  #ex.  rel. MiniSAT  rel. Tot.  func. MiniSAT  func. Tot.  rel.  func.  rel.     func.
2      4     0.003         0.05       0.003          0.04        1     1      7,954    5,032
4      4     0.006         0.09       0.009          0.08        1     1      13,566   8,712
16     4     0.089         0.55       0.265          0.75        1     1      47,238   30,792
24     4     0.070         0.90       0.466          1.45        1     1      69,686   45,512
32     4     0.112         1.48       0.938          2.39        1     1      92,134   60,232
40     4     0.275         2.02       5.469          7.59        1     1      114,582  74,952
48     4     0.340         2.66       5.734          8.56        1     1      137,030  89,672
64     4     0.674         3.16       16.489         18.63       1     1      181,926  119,112
SLIDE 26 VLIW ALU: Results
Both approaches detect a counterexample: the counterexample uses only fixed edges.
Relational approach faster: the functional approach gets stuck on paths with possible edges.
Difference in size is smaller since the property depends on all
SLIDE 27 Conclusions
VIS-benchmarks:
  Functional TR more accurate (210%) than relational TR
  Functional TR faster (390%) than relational TR
VLIW ALU:
  Relational TR accurate enough (no advantage for functional TR)
  Relational TR faster (300%) than functional TR
Relational and functional TR are "orthogonal" ⇒ toolbox for 01X-BMC
Functional TR in between relational TR and QBF-approach