Title: Resolution Proofs for Combinational Equivalence
1 Resolution Proofs for Combinational Equivalence
- Satrajit Chatterjee
- Alan Mishchenko
- Robert Brayton
- Andreas Kuehlmann
DAC / 6 Jun 2007
2 Motivation
- Modern combinational equivalence checking (CEC) engines are difficult to verify: several thousand lines of code
- How can we trust a CEC program when it claims that two circuits are equivalent?
  - When it claims they are different, it produces an input vector that distinguishes them, which is a proof of inequivalence (anyone can check it by simulating both circuits)
  - When it claims they are equivalent, it produces nothing that can be checked
- Solution: require the CEC engine to produce a proof of equivalence
  - The program that checks the correctness of the proof is much simpler than the CEC engine
  - The proof can be verified without knowledge of the inner workings of the CEC engine
  - The language of our proofs is resolution
3 Outline
- Resolution
- Proofs for Naïve CEC
- Review of Modern CEC
- Proof Generation in Modern CEC
- Conclusions
4 Resolvent
A resolvent is a clause implied by two clauses in a SAT instance. Notation: (¬p a) is the clause ¬p ∨ a; a and b are the circuit inputs, p and q the outputs of the two AND gates and z the miter output of the running example (slides 8 to 10).
1. A SAT instance C:
1. (¬p a) 2. (¬p b) 3. (p ¬a ¬b)
4. (¬q a) 5. (¬q b) 6. (q ¬a ¬b)
7. (p q ¬z) 8. (¬p q z) 9. (p ¬q z) 10. (¬p ¬q ¬z)
11. (z)
2. The resolvent of clauses 3 and 4 (w.r.t. a) is the clause (p ¬b ¬q): clause 3 contains ¬a, clause 4 contains a, and the resolvent is the disjunction of the remaining literals of both.
3. Adding the resolvent to the original set does not alter satisfiability:
C′ = clauses 1 to 11 together with 12. (p ¬b ¬q)
It can be checked that C′ is satisfiable if and only if C is.
5 Resolution Proofs
A resolution proof is a sequence of resolvents ending in the empty clause.
1. Original set of clauses C:
1. (¬p a) 2. (¬p b) 3. (p ¬a ¬b)
4. (¬q a) 5. (¬q b) 6. (q ¬a ¬b)
7. (p q ¬z) 8. (¬p q z) 9. (p ¬q z) 10. (¬p ¬q ¬z)
11. (z)
2. Sequence of resolvents (each annotated with the two clauses it is resolved from):
12. (p ¬b ¬q) (from 3 and 4)
13. (p ¬q) (from 5 and 12)
14. (¬p q ¬a) (from 2 and 6)
15. (¬p q) (from 1 and 14)
16. (¬p ¬q) (from 10 and 11)
17. (p q) (from 7 and 11)
18. (¬q) (from 13 and 16)
19. (q) (from 15 and 17)
20. () (from 18 and 19)
If the empty clause, i.e. (), is derived by resolution then the original set of clauses is UNSAT. Thus the sequence of resolution steps 12 to 20 forms a proof of unsatisfiability of C, since () is derived at the end.
6 Generating Resolution Proofs
A SAT solver can be modified to produce a resolution proof when the instance is unsatisfiable:
- Zhang and Malik (2003) modified zChaff to produce resolution proofs
- Goldberg and Novikov (2003) presented an alternative method that needs minimal modification to the SAT solver
It is much easier to verify that a sequence of resolution steps is correct than it is to verify that the SAT solver is correct: the checker only re-derives each resolvent and compares it with the claimed clause, so the solver itself need not be trusted.
8 Combinational Equivalence Checking
We are given two combinational circuits and asked to check whether they are equivalent.
A simple instance of CEC that we will use as a running example:
[Figure: circuit 1 is a single AND gate computing p = a ∧ b; circuit 2 is a single AND gate computing q = a ∧ b]
The CEC problem: are the outputs p and q functionally equivalent?
9 A Simple Reformulation
The CEC problem is equivalent to checking whether the output of the miter of the two circuits is identically 0.
[Figure: miter of circuits 1 and 2; the two circuits share the inputs a and b, and an XOR gate compares their outputs: z = p ⊕ q]
Circuits 1 and 2 are equivalent if and only if z is identically 0.
10 Naïve CEC
The CEC problem is formulated as a SAT instance by adding clauses for each gate of the miter and asserting the miter output to be true:
1. (¬p a) 2. (¬p b) 3. (p ¬a ¬b) [gate p = a ∧ b]
4. (¬q a) 5. (¬q b) 6. (q ¬a ¬b) [gate q = a ∧ b]
7. (p q ¬z) 8. (¬p q z) 9. (p ¬q z) 10. (¬p ¬q ¬z) [miter gate z = p ⊕ q]
11. (z) [miter output asserted]
Corresponding SAT instance C
The two circuits are equivalent if and only if C is UNSAT.
11 Proof of Combinational Equivalence
A proof of unsatisfiability of the corresponding SAT instance is a proof of combinational equivalence.
SAT instance (the clauses of the miter from slide 10):
1. (¬p a) 2. (¬p b) 3. (p ¬a ¬b) 4. (¬q a) 5. (¬q b) 6. (q ¬a ¬b) 7. (p q ¬z) 8. (¬p q z) 9. (p ¬q z) 10. (¬p ¬q ¬z) 11. (z)
Proof of UNSAT (from the SAT solver):
12. (p ¬b ¬q) (from 3 and 4)
13. (p ¬q) (from 5 and 12)
14. (¬p q ¬a) (from 2 and 6)
15. (¬p q) (from 1 and 14)
16. (¬p ¬q) (from 10 and 11)
17. (p q) (from 7 and 11)
18. (¬q) (from 13 and 16)
19. (q) (from 15 and 17)
20. () (from 18 and 19)
This is a proof of the combinational equivalence of p and q.
12 Proof Verification
Verifying the proof of combinational equivalence is easy. The proof file consists of the original clauses (1. (¬p a) 2. (¬p b) 3. (p ¬a ¬b) ...) followed by the sequence of resolution steps (resolve 3 and 4, resolve 5 and 12, resolve 2 and 6, ...).
The Proof Verifier does the following:
- Ensures that only clauses from the miter are in the original clauses (it rebuilds the miter's clauses itself from the two circuits and checks each claimed original clause against them, so a proof cannot smuggle in an extra assumption)
- Performs the sequence of resolution steps, checking that each derived clause really is the resolvent of the two earlier clauses it names
- Ensures that the empty clause is derived at the end
14 Modern CEC
Modern CEC engines do not construct a monolithic SAT instance:
- Modern CEC methods are transformational
- They detect functional redundancies in the miter
- They simplify the miter using the detected redundancies
- The SAT solver may not even be invoked
[Figure: the running-example miter z = p ⊕ q is transformed step by step until its output z is replaced by the constant 0]
Goal: generate a single resolution proof for modern CEC, just as in the naïve case.
15 Main Techniques in Modern CEC
- Main transformational techniques:
  - Structural hashing
  - Functional hashing
  - Logic rewriting
- Next: distill these techniques down to a small set of basic atomic operations
16 Structural Hashing
Structural Hashing = Structural Identification + Fanout Transfer
[Figure: AND gates G (output p) and H (output q) with the same inputs a and b]
1. Since both G and H are AND gates and have the same inputs, nets p and q are functionally equivalent by structural identification
2. Therefore, the fanouts of q can be driven by p, thus simplifying the circuit
17 Functional Hashing
Functional Hashing = Functional Identification + Fanout Transfer
Functional Identification:
1. Use random simulation to detect candidate pairs of nets that may be equivalent
2. Formulate two smaller SAT instances to check that a candidate pair of nets is indeed equivalent
Random simulation would indicate that p and q may be equivalent (no simulated input vector distinguishes them); simulation alone cannot prove it.
The two SAT instances to check the equivalence of p and q, one per direction of the implication:
C1 (is p = 1, q = 0 possible?): 1. (¬p a) 2. (¬p b) 3. (p ¬a ¬b) 4. (¬q a) 5. (¬q b) 6. (q ¬a ¬b) 7. (p) 8. (¬q)
C2 (is p = 0, q = 1 possible?): 1. (¬p a) 2. (¬p b) 3. (p ¬a ¬b) 4. (¬q a) 5. (¬q b) 6. (q ¬a ¬b) 7. (¬p) 8. (q)
18 Functional Hashing
Functional Hashing = Functional Identification + Fanout Transfer
1. Functional identification proves that p and q are equivalent if the two smaller SAT instances are both UNSAT (C1 UNSAT means p implies q; C2 UNSAT means q implies p)
2. Therefore, the fanouts of q can be driven by p, thus simplifying the circuit
19 Logic Rewriting
Rewriting replaces a cone of logic in the miter with a different cone computing the same function.
[Figure: miter with one cone of logic and its replacement]
Rewriting can significantly alter the logic structure of the miter and its size.
20 Rewriting, Conceptually
Rewriting = Logic Insertion + Functional Hashing: the new cone is inserted next to the old one, the two are shown functionally equivalent, and the fanouts of the old cone are transferred to the new one.
21 Basic Operations
Structural Hashing = Structural Identification + Fanout Transfer
Functional Hashing = Functional Identification + Fanout Transfer
Rewriting = Logic Insertion + Functional Hashing
We therefore have 4 basic operations during CEC:
1. Structural Identification (does not modify the miter)
2. Functional Identification (does not modify the miter)
3. Fanout Transfer (modifies the miter)
4. Logic Insertion (modifies the miter)
The equivalence checking process is thought of as a sequence of these basic operations.
22 Sequence of Basic Operations
Transformations on the miter, one example run:
Initial Miter
→ Structural Identification
→ Fanout Transfer
→ Logic Insertion
→ Functional Identification
→ Structural Identification
→ Miter is reduced to constant zero
24 Overview of Proof Generation
Maintain a correspondence between the miter and the proof.
Initial miter: the running example (inputs a and b, AND outputs p and q, XOR output z).
Initial clauses for the gates in the miter:
1. (¬p a) 2. (¬p b) 3. (p ¬a ¬b) 4. (¬q a) 5. (¬q b) 6. (q ¬a ¬b) 7. (p q ¬z) 8. (¬p q z) 9. (p ¬q z) 10. (¬p ¬q ¬z) 11. (z)
As the CEC engine proceeds by executing the basic operations on the miter, it adds new clauses to the proof, using resolution to derive them.
The derivations corresponding to basic operations are called fragments.
25 Overview of Proof Generation
Transformations on the miter and the corresponding parts of the resolution proof:
Initial Miter → Initial Clauses
Structural Identification → Fragment 1
Fanout Transfer → Fragment 2
Logic Insertion → Fragment 4
Functional Identification → Fragment 5
Structural Identification → Fragment n
Miter is reduced to constant zero → The empty clause is derived
26 Overview of Proof Generation
For each basic operation we generate a different type of fragment:
1. Structural Identification of p and q: the fragment derives (¬p q) and (p ¬q)
2. Functional Identification of p and q: the fragment derives (¬p q) and (p ¬q)
3. Fanout Transfer from q to p: the fragment derives new clauses for the gates in the fanout of q
4. Logic Insertion of a new gate g: the fragment derives the clauses for gate g
27 Structural Identification
The fragment derives (¬p q) and (p ¬q) from the clauses of the two gates:
C1. (¬p a) C2. (¬p b) C3. (p ¬a ¬b)
D1. (¬q a) D2. (¬q b) D3. (q ¬a ¬b)
Structural identification detects that p ≡ q.
Fragment added to the proof:
L1. (p ¬b ¬q) (from C3 and D1)
L2. (p ¬q) (from D2 and L1)
L3. (¬p q ¬a) (from C2 and D3)
L4. (¬p q) (from C1 and L3)
(This fragment can be generated from a pre-computed template, since it depends only on the gate type and the names of the nets involved.)
28 Fanout Transfer
- Suppose we transfer the fanouts of q to p
- For this to be sound, we must already have proved that p and q are equivalent, by structural or functional identification
- Therefore, we have already derived (¬p q) and (p ¬q)
- We use (¬p q) and (p ¬q) to obtain the clauses for the gates modified by the fanout transfer
29 Example of Fanout Transfer
Clauses for the XOR gate G (z = p ⊕ q) modified by the fanout transfer from q to p:
C1. (¬p ¬q ¬z) C2. (¬p q z) C3. (p ¬q z) C4. (p q ¬z)
Clauses asserting the equivalence of q and p, already derived through structural or functional identification:
X. (¬p q) Y. (p ¬q)
Transfer the fanouts of q to p: afterwards G computes z = p ⊕ p. Eliminate q from C1 to C4 using X and Y.
Fragment added to the proof, deriving the clauses for the modified G:
L1. (¬p ¬z) (from C1 and X)
L2. (p ¬p z) (from C3 and X)
L3. (¬p p z) (from C2 and Y)
L4. (p ¬z) (from C4 and Y)
L2 and L3 are tautologies and carry no information; L1 and L4 together force z to 0, which is exactly what the rewired gate computes.
30 Functional Identification
We want to derive the clauses (¬p q) and (p ¬q) from the clauses we have so far, i.e. C:
C: 1. (¬p a) 2. (¬p b) 3. (p ¬a ¬b) 4. (¬q a) 5. (¬q b) 6. (q ¬a ¬b)
Instead we have resolution proofs of UNSAT for the related but different instances C1 and C2:
C1: 1. (¬p a) 2. (¬p b) 3. (p ¬a ¬b) 4. (¬q a) 5. (¬q b) 6. (q ¬a ¬b) X. (p) Y. (¬q)
C2: 1. (¬p a) 2. (¬p b) 3. (p ¬a ¬b) 4. (¬q a) 5. (¬q b) 6. (q ¬a ¬b) X. (¬p) Y. (q)
Note that the unit clauses (p) and (¬q) are not present in C and furthermore cannot be derived from C using resolution (C is satisfiable, and the assignment a = 0 already falsifies p). Therefore the resolution proofs of UNSAT of C1 and C2 cannot be used directly.
31 Proof Lifting
Idea: use the proof of UNSAT of C1 to obtain a proof of (¬p q) from C.
C1: 1. (¬p a) 2. (¬p b) 3. (p ¬a ¬b) 4. (¬q a) 5. (¬q b) 6. (q ¬a ¬b) X. (p) Y. (¬q)
C: 1. (¬p a) 2. (¬p b) 3. (p ¬a ¬b) 4. (¬q a) 5. (¬q b) 6. (q ¬a ¬b)
Proof of UNSAT of C1 from the solver:
Unit propagation of X and Y:
9. (a) (from X and 1)
10. (b) (from X and 2)
11. (¬a ¬b) (from Y and 6)
12. (¬b) (from 9 and 11)
13. () (from 10 and 12)
Fragment deriving (¬p q) from C:
Clauses 9, 10 and 11 exist only because of the units X and Y, so in C they are read as the clauses they were propagated from: use 9 to refer to 1, i.e. (¬p a); use 10 to refer to 2, i.e. (¬p b); use 11 to refer to 6, i.e. (q ¬a ¬b). Then replay the remaining steps on these clauses:
12. (¬p q ¬b) (from 9 and 11, i.e. from 1 and 6)
13. (¬p q) (from 10 and 12, i.e. from 2 and 12)
32 Functional Identification
- We obtained a derivation of (¬p q) from the proof of unsatisfiability of C1
- Similarly, the proof of unsatisfiability of C2 yields a derivation of (p ¬q)
- The proof of correctness of lifting is in the paper
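The lifting of slides 31 and 32, carried out in code as an added example written for this page (it is not the paper's implementation). Literals are DIMACS-style integers with the variable numbering a=1, b=2, p=3, q=4, which is an assumption of the example; the C1 refutation is the one on slide 31, while the C2 refutation is constructed here by hand because the slides do not show it. The rule the code applies is the general form of the slide's "use 9 to refer to 1": a solver step that resolves against one of the assumption units X or Y has no counterpart in C, so its lifted clause is simply the lifted clause of the other antecedent; every other step is replayed on the lifted antecedents with the same pivot. Each lifted clause is the solver's clause plus a subset of {¬p, q}, so the lifted empty clause is a subset of {¬p, q}.

```python
"""Added example: proof lifting for functional identification.

Illustrative code for this page, not the paper's implementation.  Literals are
DIMACS-style ints (3 is variable 3, -3 its negation); a clause is a frozenset.
Variable numbering is an assumption: a=1, b=2, p=3, q=4.
"""
from __future__ import annotations

A, B, P, Q = 1, 2, 3, 4


def cl(*lits: int) -> frozenset:
    return frozenset(lits)


def and_gate(out: int, x: int, y: int) -> list:
    """CNF clauses for out = x AND y."""
    return [cl(-out, x), cl(-out, y), cl(out, -x, -y)]


def pivot_of(c1: frozenset, c2: frozenset):
    """The unique literal of c1 whose negation is in c2, or None."""
    clash = [lit for lit in c1 if -lit in c2]
    return clash[0] if len(clash) == 1 else None


def resolve_on(c1: frozenset, c2: frozenset, pivot: int) -> frozenset:
    """Resolve c1 (containing pivot) with c2 (containing -pivot); tautologies are allowed."""
    return (c1 - {pivot}) | (c2 - {-pivot})


def lift_proof(base: list, assumptions: list, proof: list) -> list:
    """Lift a refutation of base + assumptions to a derivation from base alone.

    base:        the gate clauses C.
    assumptions: the unit clauses the solver was given, e.g. [(p), (not q)].
    proof:       solver steps (claimed_clause, i, j); indices are 1-based into
                 base, then assumptions, then the earlier derived clauses.
    Returns the lifted clause of every solver step; the last one is the clause
    derived from C (a subset of the negated assumption literals).
    """
    instance = list(base) + list(assumptions)          # the solver's instance, growing
    lifted = list(base) + [None] * len(assumptions)    # None: no counterpart in C
    out = []
    for claimed, i, j in proof:
        ci, cj = instance[i - 1], instance[j - 1]
        pivot = pivot_of(ci, cj)
        if pivot is None or resolve_on(ci, cj, pivot) != claimed:
            raise ValueError("solver step %r is not a valid resolvent" % (sorted(claimed),))
        instance.append(claimed)
        li, lj = lifted[i - 1], lifted[j - 1]
        if li is None and lj is None:
            raise ValueError("cannot lift a step between two assumption units")
        if li is None:
            lc = lj          # resolved against an assumption unit: keep the other clause
        elif lj is None:
            lc = li
        else:
            lc = resolve_on(li, lj, pivot)   # same pivot, lifted antecedents
        lifted.append(lc)
        out.append(lc)
    return out


BASE = and_gate(P, A, B) + and_gate(Q, A, B)     # clauses 1..6 of the slides
C1_ASSUMPTIONS = [cl(P), cl(-Q)]                 # X is clause 7, Y is clause 8
C1_PROOF = [                                     # the slide-31 refutation of C1
    (cl(A), 7, 1),         # 9
    (cl(B), 7, 2),         # 10
    (cl(-A, -B), 8, 6),    # 11
    (cl(-B), 9, 11),       # 12
    (cl(), 10, 12),        # 13
]
C2_ASSUMPTIONS = [cl(-P), cl(Q)]
C2_PROOF = [                                     # constructed for this example, mirror of C1
    (cl(A), 8, 4),
    (cl(B), 8, 5),
    (cl(-A, -B), 7, 3),
    (cl(-B), 9, 11),
    (cl(), 10, 12),
]


def functional_identification():
    """Both implication clauses for p == q, lifted from the two refutations."""
    p_implies_q = lift_proof(BASE, C1_ASSUMPTIONS, C1_PROOF)[-1]   # (-p q)
    q_implies_p = lift_proof(BASE, C2_ASSUMPTIONS, C2_PROOF)[-1]   # (p -q)
    return p_implies_q, q_implies_p


if __name__ == "__main__":
    for name, c in zip(("p -> q", "q -> p"), functional_identification()):
        print(name, sorted(c))
```

Running it prints the two clauses (¬p ∨ q) and (p ∨ ¬q) as {-3, 4} and {3, -4}; a tampered solver step raises before anything is lifted, since the lifter re-checks the solver's own proof as it goes.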
33 Logic Insertion
We need to add new clauses corresponding to an inserted gate:
- We want to add a clause corresponding to the new net q, i.e. (q ↔ x ∧ y) for an inserted AND gate with inputs x and y
- However, resolution does not allow us to introduce a new variable q
- We need to upgrade our proof system to extended resolution
34 Extended Resolution
- Allow the introduction of a new variable q by means of a clause such as (q ↔ f(x1, ..., xn))
- Sound, since if C is a set of clauses and q does not appear in C, then C ∧ (q ↔ f(x1, ..., xn)) has a satisfying assignment iff C does
- Proof: since q is free, we can always assign it the value f(x1, ..., xn)
- The proof verifier has to be slightly modified: it has to check that q does not appear so far in the proof (a variable that already occurs could otherwise be given a second, conflicting definition, which is exactly the case the soundness argument excludes)
35 Logic Insertion
In practice we add three CNF clauses instead of (q ↔ x ∧ y):
Add the clauses (¬q x), (¬q y) and (q ¬x ¬y) to the proof and modify the verifier to accept this particular template as an extended resolution step.
Such a template is needed for every type of gate that may be introduced.
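The verifier of slide 12, extended with the slide-35 insertion template, as an added example written for this page (it is not the paper's checker). Variable numbering a=1, b=2, p=3, q=4, z=5 and the use of 6 and up for inserted gates are assumptions of the example; the resolution steps are the ones of slide 5. `replay` stops at the first invalid step, so a tampered resolvent, a reference to a clause that does not exist yet, a starting clause that is not one of the miter's, or a reused variable in an insertion template is rejected; `check_proof` additionally requires the last clause to be empty.

```python
"""Added example (not the paper's code): a proof verifier in the spirit of
slide 12, extended with the logic-insertion template of slide 35.

Literals are DIMACS-style ints (3 is variable 3, -3 its negation); a clause is
a frozenset of literals.  Variable numbering is an assumption made here:
a=1, b=2, p=3, q=4, z=5; fresh variables for inserted gates start at 6.
"""
from __future__ import annotations

from typing import Optional

A, B, P, Q, Z = 1, 2, 3, 4, 5


def cl(*lits: int) -> frozenset:
    return frozenset(lits)


def and_gate(out: int, x: int, y: int) -> list:
    """CNF template for out = x AND y (the three clauses of slide 35)."""
    return [cl(-out, x), cl(-out, y), cl(out, -x, -y)]


def xor_gate(out: int, x: int, y: int) -> list:
    """CNF template for out = x XOR y, ordered like clauses 7..10 of the slides."""
    return [cl(x, y, -out), cl(-x, y, out), cl(x, -y, out), cl(-x, -y, -out)]


def miter_clauses() -> list:
    """Clauses 1..11 of the slides: p = a&b, q = a&b, z = p^q, z asserted true."""
    return and_gate(P, A, B) + and_gate(Q, A, B) + xor_gate(Z, P, Q) + [cl(Z)]


def resolve(c1: frozenset, c2: frozenset) -> Optional[frozenset]:
    """Resolvent of c1 and c2, or None unless they clash on exactly one variable."""
    clash = [lit for lit in c1 if -lit in c2]
    if len(clash) != 1:
        return None
    pivot = clash[0]
    return (c1 - {pivot}) | (c2 - {-pivot})


def replay(trusted: list, original: list, steps: list) -> Optional[list]:
    """Replay a proof; return the full clause list, or None at the first bad step.

    trusted:  clauses the verifier computes itself from the miter.
    original: clauses the proof file claims as its starting point; each must be
              one of the trusted clauses (first check on slide 12).
    steps:    ("res", claimed, i, j): claimed must equal the resolvent of clauses
              i and j (1-based indices into the growing list, so only earlier
              clauses can be named), or ("and", g, x, y): extended-resolution
              step introducing g = x AND y, where g must be a fresh variable.
    """
    if not set(original) <= set(trusted):
        return None                              # foreign clause smuggled in
    clauses = list(original)
    seen = {abs(lit) for c in clauses for lit in c}
    for step in steps:
        if step[0] == "res":
            _, claimed, i, j = step
            if not (1 <= i <= len(clauses) and 1 <= j <= len(clauses)):
                return None                      # forward or out-of-range reference
            r = resolve(clauses[i - 1], clauses[j - 1])
            if r is None or r != claimed:
                return None                      # not what resolution actually yields
            clauses.append(r)
        elif step[0] == "and":
            _, g, x, y = step
            if g in seen or abs(x) not in seen or abs(y) not in seen:
                return None                      # g must be fresh, inputs must exist
            clauses.extend(and_gate(g, x, y))
            seen.add(g)
        else:
            return None
    return clauses


def check_proof(trusted: list, original: list, steps: list) -> bool:
    """True iff the proof replays cleanly and its last clause is the empty clause."""
    clauses = replay(trusted, original, steps)
    return clauses is not None and len(steps) > 0 and len(clauses[-1]) == 0


SLIDE_PROOF = [                                  # steps 12..20 of slide 5
    ("res", cl(P, -B, -Q), 3, 4),
    ("res", cl(P, -Q), 5, 12),
    ("res", cl(-P, Q, -A), 2, 6),
    ("res", cl(-P, Q), 1, 14),
    ("res", cl(-P, -Q), 10, 11),
    ("res", cl(P, Q), 7, 11),
    ("res", cl(-Q), 13, 16),
    ("res", cl(Q), 15, 17),
    ("res", cl(), 18, 19),
]

# Logic insertion of g = a AND b (variable 6) adds clauses 12..14; the slide-27
# template then derives (p -g), i.e. g implies p, from clauses 3, 12 and 13.
INSERT_STEPS = [
    ("and", 6, A, B),
    ("res", cl(P, -B, -6), 3, 12),               # 15
    ("res", cl(P, -6), 13, 15),                  # 16
]

if __name__ == "__main__":
    trusted = miter_clauses()
    print("slide proof accepted:", check_proof(trusted, trusted, SLIDE_PROOF))
    print("after insertion, last derived:", sorted(replay(trusted, trusted, INSERT_STEPS)[-1]))
```

The two lists of steps are the proof-file format this verifier expects; a real proof file would also carry the original clauses, which is why `replay` takes them separately from the clauses it computes itself.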
36 Summary of Proof Generation
The correspondence of slide 25, read end to end: the initial miter yields the initial clauses; each basic operation (structural identification, fanout transfer, logic insertion, functional identification, and so on) appends its fragment to the resolution proof; when the miter is reduced to constant zero, the empty clause has been derived.
38 Conclusions
- Modern CEC methods can be easily modified to generate proofs of equivalence: a single proof, just as in the naïve case
- The proof is easy to check for correctness
- The proof (syntax) is independent of the actual methods used for verification: extended resolution suffices
- Rewriting is a way of constructing extended resolution proofs
39 Future Work and Applications
- Reduce the size of the resolution proof
  - Look for alternative proof systems which are harder to verify but lead to smaller proofs, e.g. Goldberg and Novikov's 2003 paper: resolution proof modulo BCP steps
- Proofs leak too much information: one can possibly reconstruct what the CEC engine did from the proof
- Correct-by-construction logic synthesis: synthesis emits a resolution proof as a certificate
- Computation of interpolants in model checking
- Proofs of sequential equivalence: inductive proofs can be expressed using resolution