Fast Illegal State Identification for Improving SAT-based Induction

Provided by: carl290
1
Fast Illegal State Identification for Improving
SAT-based Induction
  • Vishnu C. Vimjam and Michael S. Hsiao
  • ECE Dept, Virginia Tech

Supported in part by NSF and SRC
2
Overview
  • Introduction
  • SAT-based Induction
  • Motivation
  • Illegal State Identification
  • ATPG based learning
  • Unachievability learning
  • Experimental Results
  • Conclusions

3
Design state-space
  • The states in the TSCC can be reached from any
    state
  • It represents the complete reachable space
  • For F to be invariant, it has to hold in every
    reachable state
  • Performing complete reachability analysis often
    impractical
  • BDD-based Symbolic Model Checking [McMillan,
    SMC93]
  • SAT-based Bounded Model Checking [Biere et al.,
    TACAS 99]
  • Key: Use induction!

4
SAT-based Induction
  • [Sheeran et al., FMCAD 00], [Bjesse & Claessen,
    FMCAD 00]
  • Enables invariant checking without explicit
    state-space traversal
  • T(s,s'): transition relation, I(s): initial
    state(s), F: property
  • Simple Induction
  • Base case: I(s) → F
  • Ind step: check (F1 ∧ T1) → F2
  • Proving strength is limited
  • Strong Induction (or) k-induction (or) induction
    with depth
  • Base case: I1 ∧ T(1,2,…,k) → F(1,2,…,k)
  • Ind step: F(1,2,…,k) ∧ T(1,2,…,k) → F(k+1)
  • Increment the depth k until a result is seen
  • Unique-states induction
  • Search in induction runs restricted to simple
    paths for completeness

5
Motivation
  • Induction runs lack illegal state information
  • SAT engine makes decisions anywhere → many poor
    decisions might be made before an infeasible
    region is seen
  • Prior knowledge of illegal regions can avoid
    unwanted decisions!
  • Induction-step runs usually SATisfiable
  • Solution at depth k forms a simple path s1, s2,
    …, s(k+1)
  • However, reachability of s1 is not known
  • AIM
  • Extract as much illegal state information as
    possible
  • Constrain the search close to the reachable space
  • At the same time, have to be low-cost techniques
  • BDD-based reachability analysis might be
    expensive
  • We propose techniques using ATPG and static
    implications to obtain (under-approximate)
    illegal state-cubes
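
The effect described on the SAT-based Induction and Motivation slides, as an added example that is not part of the original presentation: unique-states k-induction on a constructed 3-bit ring counter, run with and without one learned illegal-state clause. The design, the property, the clause and all function names are assumptions made for illustration, and exhaustive path enumeration stands in for the SAT solver.

```python
from itertools import product

N_BITS, MASK = 3, 0b111        # constructed toy design: 3 flip-flops, 1 input (en)

def step(s, en):
    """T(s, s'): rotate left when en=1, hold when en=0."""
    return ((s << 1) | (s >> (N_BITS - 1))) & MASK if en else s

def init(s):
    return s == 0b001          # I(s): one-hot reset state

def prop(s):
    return (s & 0b011) != 0b011    # F: bit0 and bit1 are never both 1

def paths(k, start_ok, legal):
    """All paths with k transitions whose states all satisfy the constraint."""
    for s0, ens in product(range(MASK + 1), product((0, 1), repeat=k)):
        if not start_ok(s0):
            continue
        p = [s0]
        for en in ens:
            p.append(step(p[-1], en))
        if all(legal(s) for s in p):
            yield p

def base_holds(k, legal):
    """I1 ∧ T(1..k) → F(1..k): the first k states from reset all satisfy F."""
    return all(prop(s) for p in paths(k - 1, init, legal) for s in p)

def step_holds(k, legal):
    """F(1..k) ∧ T(1..k) → F(k+1) over simple paths; False means the run is SAT."""
    for p in paths(k, lambda s: True, legal):
        simple = len(set(p)) == len(p)
        if simple and all(prop(s) for s in p[:-1]) and not prop(p[-1]):
            return False       # s1 of this path may well be unreachable
    return True

def prove(legal, max_k=8):
    """Increment the depth k until a result is seen; returns (verdict, k)."""
    for k in range(1, max_k + 1):
        if not base_holds(k, legal):
            return ("falsified", k)
        if step_holds(k, legal):
            return ("proved", k)
    return ("unknown", max_k)

NO_CONSTRAINT = lambda s: True
# Learned illegal cube bit2=1 ∧ bit0=1, encoded as the clause (¬bit2 ∨ ¬bit0)
LEARNED = lambda s: (s & 0b101) != 0b101

if __name__ == "__main__":
    print("plain induction:          ", prove(NO_CONSTRAINT))
    print("with illegal-state clause:", prove(LEARNED))
```

Without the clause the induction step stays satisfiable until depth 3, because the solver is free to start from the unreachable state 101; with the clause the same property is proved at depth 1.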

6
Terms & Notations
  • Timeframe: one unrolled transition (cycle) of a
    design
  • B = {0, 1} represents Boolean logic values
  • Xv.t represents signal X set to value v in frame
    t
  • If parameter t is irrelevant, we simply use Xv
  • A signal is said to be specified if it attains a
    value v, else it is said to be unspecified/unknown
  • An assignment Xv is said to be achievable if
    starting from an all unknown initial state, there
    exists a finite input vector sequence that can
    achieve Xv (in some frame t)
  • Otherwise, it is termed unachievable
  • For an initializable design, at least one of Xv
    or X¬v will be achievable

7
ATPG-based learning
  • Definition 1: A state s is said to be
    n-cycle-unreachable if the nth level pre-image of
    s is empty
  • Simpler form of induction
  • If s is n-cycle-unreachable, it is also
    (n+1)-cycle-unreachable.
  • ATPG-based Pre-image computation [Sheng & Hsiao,
    DATE 03]
  • Can be used to check if a state is
    n-cycle-unreachable
  • In the worst case, pre-image computations have
    exponential complexity
  • Furthermore, which states to check?
  • We employ a state-independent procedure
  • Obtain illegal states among groups of related
    flip-flops
  • Limit the maximum decision level (MDL) to limit
    costs

8
ATPG-based learning
Circuit unrollment
PPI
  • Obtain illegal states among groups of flip-flops
    at PS(n+1)
  • Start by justifying a flip-flop
  • if it is specified, justify the next and so on
  • Continue until the decision limit
  • Leaves form the range of reachable states
  • 000, 101, 111 unreachable
  • Initially order using MLP
  • and dynamically reorder

I1, I2, I3, I4, I5, I6: PIs or PPIs
9
Algorithm 1: Main ATPG flow
Given n, MDL
  unroll circuit n times
  Order flip-flops at PS(n+1)
  Compute SCOAP measures
  While (not done)
    currDL = 0
    Initialize all signals to U
    ModifiedPODEM()            // build a free-bdd
    Extract illegal states and remove flip-flops

ModifiedPODEM()
  if (currDL == MDL) then return
  else currDL = currDL+1
  X = next unspecified flip-flop in the order
  if (C0(X) > C1(X)) then OBJ = 0 else OBJ = 1
  (pi, val) = Backtrace(X, OBJ)
  logicSim(pi = val)
  ModifiedPODEM()              // recurse
  logicSim(pi = ¬val)
  ModifiedPODEM()              // recurse
  logicSim(pi = U)
  currDL = currDL-1
10
Unachievable learning
  • Definition 2: An implication Xv.t → Yw.t-k (k > 0)
    is said to be sufficient if any input sequence I
    that implies Xv.t also implies Yw.t-k
  • Theorem 1: A state-assignment F = X1v1 ∧ X2v2 ∧
    … ∧ Xnvn, consisting of n flip-flop assignments,
    is unachievable if, for any t, the following
    sufficient implication exists:
    X1v1.t ∧ X2v2.t ∧ … ∧ Xnvn.t → X1v1.t-k ∧
    X2v2.t-k ∧ … ∧ Xnvn.t-k, k > 0.
  • Again, which assignments to check?
  • D1 → E0 (not suff)
  • D0 → E0 (suff)
  • B0 → E0 (not suff)
  • B1 → E0 (not suff)
  • A1 → E0 (suff)
  • C1 → E0 (suff)

11
Exploit Logic Implications
  • Extended backward learning (EBL) [Zhao et al., VTS
    97]
  • Case-splitting on each justification scenario for
    an unjustified gate to learn implications
  • Two advantages
  • Captures non-trivial implications globally true
  • Apply Theorem 1 during EBL computation
  • Since only necessary assignments are propagated,
    implications are indeed sufficient.
  • An invariant cannot sufficiently imply itself in
    a previous time-frame
  • Otherwise, it cannot be an invariant

EBL: Xv → (Xv & A0) ∩ (Xv & B0)
12
Algorithm 2: Unachievable learning
Given N (odd), unroll circuit N times
n = (N+1)/2
Order signals (bfs) in frame n from PIs to POs
For each signal X, for each v in (0,1)
  logicSim(Xv)
  UG = set of unjustified gates due to Xv
  for each gate G in UG with controlling value cv
    for each unspecified fanin Fi of G
      Si = set of assignments due to logicSim(Xv, Ficv)
      if (Xv ∧ Ficv) holds Thm1, add (Xv) → (Fi¬cv)
    add (Xv) → (intersection of all Si)    // EBL step
  if (Xv) holds Thm1, store X¬v as an invariant
  • Complexity of EBL quadratic in circuit size
  • Checking for unachievability takes only a
    fraction of EBL time

13
Learning Example
[Figure: example circuit unrolled over frame n-1 and frame n, with flip-flops X1, X2, X3 and signals A, B, C, D, E, F, I, J, K annotated with 0/1 values]
  • We learn E1 ∧ F0 as unachievable since it
    satisfies Theorem 1
  • Encoding it as a clause rejects all states that
    can cause it
  • Here, X10 ∧ X21 ∧ X31 (X1 at 0, X2 at 1, X3 at 1)
    is one such illegal state
  • Further, add this as an implication to the
    implication graph
  • Enables more learning as algorithm progresses

14
Unified Framework
  • First, we use the info from the free-BDDs of ATPG
    analysis
  • Let F1 be a partial state (at leaf) and F2 be the
    partial-state (of PPIs) along the path that
    caused F1
  • F3 = intersection of assignments in F1 and F2
  • Check if F3 satisfies Theorem 1. If so, store it
    as a clause
  • After the end of ATPG analysis, we obtain groups
    of flip-flops and illegal states among these
  • Use this information and the implications
    computed via Algo 2
  • Enumerate a decision-tree for each group
  • Let X1, X2, X3 be in a group
  • Propagate implications and logic simulate
  • Check each path for legality
  • Conflicts in sim and Theorem 1
  • CA, CS, CU are illegal paths
  • NR: No result

15
Clause Simplification
  • We employ simple binary resolution to remove
    redundancies among all the learned clauses
  • Maximize the strengths of constraints
  • Previous example
  • Three clauses (X1 X2 X3), (X1 X2 X3) and (X1
    X2)
  • Resolve X1 from first two clauses
  • Resulting final clauses (X2 X3) and (X1 X2)
  • Other recent developments such as NiVER
    [Subbarayan & Pradhan, BMC04] can also be used
    for resolution
  • Not currently employed in our framework
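
Resolution-based simplification of learned clauses, as an added example that is not part of the original presentation. It takes the three unreachable states 000, 101, 111 from the ATPG-based learning slide as input, assumes the bit order X1 X2 X3, and keeps a resolvent only when it subsumes a parent, which is one way to realise the redundancy removal described here; all function names are hypothetical.

```python
from itertools import combinations

def cube_to_clause(cube, names=("X1", "X2", "X3")):
    """Blocking clause for an illegal state cube, e.g. '101' -> (¬X1 ∨ X2 ∨ ¬X3).
    A literal is (name, polarity); a '-' position in the cube is a don't-care."""
    return frozenset((n, bit == "0") for n, bit in zip(names, cube) if bit in "01")

def resolve(c1, c2):
    """Resolvent of c1 and c2 if they clash on exactly one variable, else None."""
    clash = [(n, p) for (n, p) in c1 if (n, not p) in c2]
    if len(clash) != 1:
        return None
    n, p = clash[0]
    return (c1 - {(n, p)}) | (c2 - {(n, not p)})

def simplify(clauses):
    """Add resolvents that subsume a parent and drop subsumed clauses, to a fixpoint."""
    clauses = set(clauses)
    changed = True
    while changed:
        changed = False
        for c1, c2 in combinations(sorted(clauses, key=sorted), 2):
            r = resolve(c1, c2)
            if r is not None and r not in clauses and (r <= c1 or r <= c2):
                clauses.add(r)          # stronger constraint than its parent
                changed = True
                break
        # a clause is redundant when a strict subset of it is also present
        clauses = {c for c in clauses if not any(d < c for d in clauses)}
    return clauses

def show(clause):
    return "(" + " ∨ ".join(("" if p else "¬") + n for n, p in sorted(clause)) + ")"

if __name__ == "__main__":
    learned = [cube_to_clause(c) for c in ("000", "101", "111")]  # cubes from the ATPG slide
    for c in sorted(simplify(learned), key=sorted):
        print(show(c))
```

The clauses for 101 and 111 differ only in X2, so they collapse into the two-literal clause (¬X1 ∨ ¬X3), which prunes the same states with a shorter constraint.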

16
Experimental Setup
  • zChaff (version 2004.11.15) used as the
    underlying SAT solver
  • For smaller circuits (<5000 gates), ATPG and
    implication unroll depths set to 3 and 5
    respectively.
  • Induction runs increased by a step of 25 up to
    250 max
  • For larger circuits (>5000 gates), ATPG and
    implication unroll depths set to 2 and 5
    respectively.
  • Induction runs increased by a step of 10 up to
    100 max
  • Compare with other learning techniques
  • Extended Backward Learning [Zhao et al., VTS 97]
  • Seq. Implications for BMC, Simp2C [Arora & Hsiao,
    VLSI 04]
  • Incremental learning techniques [Een & Sorensson,
    BMC 03]

17
Results Num Constraints
Conducted on 3.2GHz 1GB RAM Linux machine. All
times in seconds.
18
Induction Results
Conducted on 3.2GHz 1GB RAM Linux machine. All
times in seconds using zchaff.
19
Cumulative induction times
For property instance b14.2
  • At smaller depths, all the techniques are
    comparable
  • More distinction seen as the depth is increased

20
Conclusions
  • Induction runs lack illegal state information
  • Learning them before-hand can help constrain
    the search within the reachable space
  • We have proposed new, low-cost techniques to
    identify illegal state-cubes of a design
  • Experiments have shown that our learning can
    prove properties at early depths while
    conventional runs fail
  • More than an order of magnitude speed-up
    achieved for several properties
  • Whereas our learning can improve induction runs
    for true properties, it is not beneficial for
    false ones
  • In the future, we would like to explore in this
    direction
  • Can be applied to other areas such as
    Pseudo-functional testing, Sequential equivalence
    checking etc.