advanced sat-techniques for bounded model checking of ...herbstri/publications/hbs_2006-slides.pdf!...

Advanced SAT-Techniques for BoundedModel Checking of Blackbox Designs

Marc Herbstritt(joint work with Bernd Becker and Christoph Scholl)

Institute of Computer ScienceAlbert-Ludwigs-University

Freiburg im Breisgau, Germany

Presentation at IEEE MTV 2006, Dec 04 2006

www.avacs.org

Overview

1 Introduction

2 Blackbox BMC using 01X-LogicExampleBasic algorithmImprovementsExperimental Results

3 Blackbox BMC using QBFExampleBasic modellingAdditional ConstraintsFinal QBF FormulaExperimental Results

4 Conclusions

Introduction Blackbox BMC using 01X-Logic Blackbox BMC using QBF Conclusions

Background

Formal Verification of Circuits→ Checking correctness between specification and

implementationModel Checking→ Specification given by a set of (temporal) properties→ Model Checking to prove that circuit model fulfills the

properties→ Bounded Model Checking to falsify properties

Blackbox Designs→ describe partial circuit implementations→ occur naturally in early design phase→ can be used for abstraction, e.g. in diagnosis

This work:→ Bounded Model Checking of Blackbox Designs (BB-BMC)→ Improving BB-BMC based on 01X-logic→ More concise formulation for BB-BMC using QBF


Applications of Blackbox Designs: ISCAS c3540

BCD−ADD

MUX

MUX

A

B

Shifter

MUX

MUX

ALU

C3540: ALU with binary and BCD arithmetic, logic and shift operations.

BCD−SUB

(Source: Hansen, Yalcin, Hayes − Unveiling the ISCAS85 Benchmarks, IEEE Design&Test, 1999)

1 Abstraction: Hide components that are not necessary2 Verification of Partial Designs: E.g. in early design stage3 Error Diagnosis: Localisation of error



BCD−ADD

MUX

MUX

A

B

Shifter

MUX

MUX

ALU

BCD−SUB

op(A,B,+,bin) =enc(A,bin) + enc(B,bin) ?




enc(A, ) + enc(B, ) ?

but only on encoding

Blackbox

Blackbox

MUX

MUX

A

B

MUX

MUX

ALUBlackbox

Property is not dependent

bin binbin

on BCD−units and Shifter,

op(A,B,+, ) =

binary




Blackbox

Blackbox

MUX

MUX

A

B

MUX

MUX

ALU

Implementation of Shifter andBCD−SUB unit not finished

BCD−ADD

op(A,B,+,bin) =enc(A,bin) + enc(B,bin) ?




MUX

MUX

A

B

MUX

MUX

ALU

BlackboxBCD−SUB

Shifter

within the blackbox regionCheck whether error lies



Blackbox BMC using 01X-Logic: Example

q0

q1

pbox

Black−

Y

q′0 = q0 + y + Z q′1 = q0 + q1 p = q0 ⊕ q1

Property: AG(¬p)



q0

q1

pbox

Black−

0

0

1

X

Y

step y q0 q1 p0 — 0 1 0



q0

q1

pbox

Black−

01

X

1

1

Y

step y q0 q1 p0 — 0 1 01 1 1 1 0



q0

q1

pbox

Black−

1

1

0

1

X

Y

step y q0 q1 p0 — 0 1 01 1 1 1 02 0 1 1 1


01X-BB-BMC: Basics

1 Blackbox outputs are unknown⇒ use logical value X, i.e., X = unknown whether 0 or 1⇒ use additional variable Z, and assign Z = X

2 01X-LogicNOT01X(a)a0 11 0X X

AND01X(a, b)

ab 0 1 X

0 0 0 01 0 1 XX 0 X X

3 Deciding satisfiability for 01X-BB-BMC (see Herbstritt etal. MTV’05)

1 integrate deduction rules of 01X-logic at high-level intostructural SAT-solver: (f = g · h, g = 1, h = X) ⇒ f = X, or

2 apply two-valued encoding and solve purely propositionalSAT problem


01X-BB-BMC: Two-valued encoding

Two-valued encoding for 01X-Logic (see Jain et al. VTS’00)Mapping of 01X-values to tuples of propositional values

01X-value z encoding (z0, z1)

0 (1,0)1 (0,1)X (0,0)

Synthesis transformation using propositional operationsonly⇒ NOT01X(a) = [a1, a0]⇒ AND01X(a, b) = [a0 + b0, a1 · b1]

Transformation preserves uniform encoding of value X


01X-BB-BMC: Two-valued encoding

Transformation example using AIGs

0x811a678 2 @ DL 0

0x811a5c8 2 @ DL 0

L

0x811a620 2 @ DL 0

R

p-t00002-00x8115dd82 @ DL0

L

0x811a508 2 @ DL 0

R

p-t00002-10x81162982 @ DL0

L

0x811a560 2 @ DL 0

R

0x810fe58 2 @ DL 0

L

0x811a438 2 @ DL 0

R

p-t00000-10x810e3002 @ DL0

L

0x810f860 2 @ DL 0

R

0x81135c0 2 @ DL 0

L0x811a378 2 @ DL 0

R

q0-t00000-10x810ec802 @ DL0

Lq1-t00000-00x810f1402 @ DL0

R

0x8110330 2 @ DL 0

L

0x8113500 2 @ DL 0

R

0x8116f60 2 @ DL 0

L

0x811a2b8 2 @ DL 0

R

0x8110138 2 @ DL 0

L

0x81101f8 2 @ DL 0

R

0x8111478 2 @ DL 0

L

0x81134a8 2 @ DL 0

R

p-t00001-00x810d4c02 @ DL0

L

0x81100e0 2 @ DL 0

R

p-t00001-10x810d9802 @ DL0

L

0x8110088 2 @ DL 0

R

0x810ff08 2 @ DL 0

L

0x810ffb8 2 @ DL 0

R

R

q0-t00000-00x810e7c02 @ DL0

LLq1-t00000-10x810f6002 @ DL0

R

0x810ff60 2 @ DL 0

L

0x8110020 2 @ DL 0

R

L

RR

L

0x8110d08 2 @ DL 0

L

0x8110dc8 2 @ DL 0

R

0x81132d0 2 @ DL 0

L

0x8113380 2 @ DL 0

R

R

q1-t00001-00x81105e82 @ DL0

L R

q1-t00001-10x8110aa82 @ DL0

L

q0-t00001-00x81117302 @ DL0

L0x8113278 2 @ DL 0

R

q0-t00001-10x8111bf02 @ DL0

L0x8113210 2 @ DL 0

R

Z-t00000-00x81120b02 @ DL0

L

0x81131b8 2 @ DL 0

R

L

x-t00000-00x8112a302 @ DL0

R

Z-t00000-10x81125702 @ DL0

L

0x8113150 2 @ DL 0

R

L

x-t00000-10x8112ef02 @ DL0

R

0x8116d78 2 @ DL 0

L

0x8116e38 2 @ DL 0

R

0x8117b40 2 @ DL 0

L

0x811a260 2 @ DL 0

R

L

0x8116d20 2 @ DL 0

R L

0x8116cb8 2 @ DL 0

R

0x81164f8 2 @ DL 0

L

0x81165a8 2 @ DL 0

R

R

L

R

L

0x8116550 2 @ DL 0

L

0x8116c50 2 @ DL 0

R

R

L

R

L

0x8117938 2 @ DL 0

L

0x8117a08 2 @ DL 0

R

0x811a058 2 @ DL 0

L

0x811a128 2 @ DL 0

R

R

q1-t00002-00x81172182 @ DL0

L R

q1-t00002-10x81176d82 @ DL0

L

q0-t00002-00x8117e082 @ DL0

L

0x811a000 2 @ DL 0

R

q0-t00002-10x81182c82 @ DL0

L

0x8119f98 2 @ DL 0

R

Z-t00001-00x81187882 @ DL0

L

0x8119f30 2 @ DL 0

R

L

x-t00001-00x81191082 @ DL0

R

Z-t00001-10x8118c482 @ DL0

L

0x8119ec8 2 @ DL 0

R

L

x-t00001-10x81195c82 @ DL0

R

0x810feb0 2 @ DL 0

L

0x811a4a0 2 @ DL 0

R

p-t00000-00x810de402 @ DL0

L

0x810fdf0 2 @ DL 0

R

0x8113628 2 @ DL 0

L0x811a3e0 2 @ DL 0

R

L

R

0x81102c8 2 @ DL 0

L

0x8113568 2 @ DL 0

R

0x8116f08 2 @ DL 0

L

0x811a320 2 @ DL 0

R

0x8110190 2 @ DL 0

L

0x8110260 2 @ DL 0

R

0x8111420 2 @ DL 0

L

0x8113450 2 @ DL 0

R

LR LR

0x8110d70 2 @ DL 0

L

0x8110e30 2 @ DL 0

R

0x8113328 2 @ DL 0

L

0x81133e8 2 @ DL 0

R

R LR L

L

R

L

R

0x8116de0 2 @ DL 0

L

0x8116ea0 2 @ DL 0

R

0x8117ad8 2 @ DL 0

L

0x811a1f8 2 @ DL 0

R

LRL R

0x81179a0 2 @ DL 0

L

0x8117a70 2 @ DL 0

R

0x811a0c0 2 @ DL 0

L

0x811a190 2 @ DL 0

R

R LRL L RL R

transformed

0x8115b10 2 @ DL 0

p-t000020x8114a902 @ DL0

L

0x8115ab8 2 @ DL 0

R

0x810cc60 2 @ DL 0

L

0x8115a60 2 @ DL 0

R

p-t000000x810b5482 @ DL0

L

0x810cc08 2 @ DL 0

R

0x810cbb0 2 @ DL 0

L0x8115a08 2 @ DL 0

R

q0-t000000x810abe82 @ DL0

Lq1-t000000x810ae482 @ DL0

R

0x810c820 2 @ DL 0

L

0x810cb58 2 @ DL 0

R

0x8115628 2 @ DL 0

L

0x81159a0 2 @ DL 0

R

0x810c760 2 @ DL 0

L

0x810c7b8 2 @ DL 0

R

0x810c938 2 @ DL 0

L

0x810cb00 2 @ DL 0

R

p-t000010x810bc682 @ DL0

L

0x810c708 2 @ DL 0

RL R

0x810c648 2 @ DL 0

L

0x810c6a0 2 @ DL 0

R

L

R

L

R

0x810c878 2 @ DL 0

L

0x810c8d0 2 @ DL 0

R

0x810ca40 2 @ DL 0

L

0x810ca98 2 @ DL 0

R

R

q1-t000010x810ba082 @ DL0

L RL

q0-t000010x810b7a82 @ DL0

L0x810c9e8 2 @ DL 0

R

L

R

Z-t000000x810c3a82 @ DL0

L

0x810c990 2 @ DL 0

R

L

x-t000000x810a9882 @ DL0

R

0x8115568 2 @ DL 0

L

0x81155c0 2 @ DL 0

R

0x8115740 2 @ DL 0

L

0x8115938 2 @ DL 0

R

L

0x8115500 2 @ DL 0

RL R

0x8115440 2 @ DL 0

L

0x8115498 2 @ DL 0

R

R

L

R

L

0x8115680 2 @ DL 0

L

0x81156d8 2 @ DL 0

R

0x8115878 2 @ DL 0

L

0x81158d0 2 @ DL 0

R

R

q1-t000020x81148302 @ DL0

LR L

q0-t000020x81145d02 @ DL0

L

0x8115810 2 @ DL 0

R LR

Z-t000010x81151b02 @ DL0

L

0x81157a8 2 @ DL 0

R

L

x-t000010x81143702 @ DL0

R

not transformed


01X-BB-BMC: Structural SAT-Solver on AIGs

Our implementation relies on a SAT-Solver working withAnd/Inv-Graphs (AIGs) (see Kuehlmann et al. TCAD’02)AIGs: network consisting only of AND-gates andNOT-gatesEfficient DPLL-implementation on top of AIGs:⇒ Boolean Constraint Propagation⇒ Non-chronological backtracking⇒ Conflict learning

Drawback in the context of 01X-logic

Misguiding of the variable selection.


01X-BB-BMC: Misguiding variable selection

AND

*

00

*0

1

AND

*

00

*0

1

AND

*

00

*0

1

01X-value ’0’ at01X-AIG-nodes has encoding(0,1)due to encoding of AND01X:two propositionaljustificationswhen SAT-solver is not awareof encoding, justification of01X-value can be delayed


01X-BB-BMC: Improvements

*

001

X−A

ND

* *

0 1

0 0

left right

En

cod

ed−0

1X−A

ND

referencesemantical cross

Adding semantical cross-reference between AIG-nodesthat correspond to an encoded 01X-AIG-node

Improved Variable Selection

⇒ whenever left and right have to be justified, after justifyingleft, immediately try to justify right (and vice versa)

⇒ merge this scheme with greedy selection of deepestjustifications



AND

*

0

*

1

AND

**

AND

**

0



AND

*

0

*

10

AND

*

0

*

AND

*

0

*

1 10



AND

*

0

*

10

AND

*

0

*

AND

*

0

*

10

10



AND

*

0

*

10

AND

*

0

*

1AND

*

0

*0

10 0



AND

*

0

*

10

AND

*

0

*0

1AND

*

0

*0

10 0



AND

*

0

*0

10

AND

*

0

*0

10AND

*

0

*0

10


01X-BB-BMC: Experimental Results

TimeSolverSolved Total #Solved / #Total

blind 01X-BB-BMC (MTV’05) 964 17165 2712 / 2730improved 01X-BB-BMC 386 12084 2717 / 2730

2730 different BB-BMC problems derived from s1269 andPicoJava/biu from VIS benchmark suiteblackboxes of different size (5%, 10%, and 20% of circuitarea)multiple blackboxes (1, 2, and 3)CPU time improvement by a factor of ∼ 2.5more instances solved: 5


Blackbox BMC using QBF: Example

Black−box

q0

q2

q1

q3

p1_

Y

q′0 = q0 + Zq′1 = q0 · Zq′2 = 1q′3 = q2

p′ = y · q3 · (q1 + q0)

Property: AG(¬p)



Black−box

q0

q2

q1

q3

p1_0

0

0

X 0

0

Y

step y q0 q1 q2 q3 p0 — 0 0 0 0 0



Black−box

q0

q2

q1

q3

p1_

0

0

X X

0

1

Y

step y q0 q1 q2 q3 p0 — 0 0 0 0 01 — X 0 1 0 0



Black−box

q0

q2

q1

q3

p1_

0

X X

X

1

1Y

step y q0 q1 q2 q3 p0 — 0 0 0 0 01 — X 0 1 0 02 1 X X 1 1 0



Black−box

q0

q2

q1

q3

p1_

X X

X

1

1

X?

Y

step y q0 q1 q2 q3 p0 — 0 0 0 0 01 — X 0 1 0 02 — X X 1 1 03 1 X X 1 1 X

⇒ No counterexample can befound using 01X-logic!



Black−box

q0

q2

q1

q3

p1_

X X

X

1

1

X?

Y

. . . but a counterexample can befound when using a more conciseformalism⇒ Quantified Boolean Formulas

Let’s see how this works . . .


QBF-BB-BMC: Basic Modelling

Use propositional variable Z(i,j) for output j of blackbox BBi

Counterexample has to be valid for all possible blackboxbehaviours

⇒ variables Z(i,j) are universally quantified (∀)

Counterexample states the existence of a series of inputassignments leading to a state that violates the property

⇒ primary inputs x0, x1, . . . , xn are existentially quantified (∃)


QBF-BB-BMC: Input-Output-Consistency

IOC(β, d) is a predicate that assures that timed instantiations ofall combinational blackboxes behave uniform within differenttime frames (for β-many blackboxes and unfolding depth d).

010

01

01

01

0

. . . . . . . . . . . .

BB

xin−1xi

1xi

0sik−1si

0 si1

BB

xjn−1xj

1sj0 sj

1sj

k−1 xj0


QBF-BB-BMC: Final QBF Formula

ϕCEd := ∃x0

∃s0∃χ0

0 ∀γ00 . . . ∃χ0

β−1 ∀γ0β−1

∃x1∃s1

∃χ10 ∀γ1

0 . . . ∃χ1β−1 ∀γ1

β−1

. . .

∃xd−1∃sd−1

∃χd−10 ∀γd−1

0 . . . ∃χd−1β−1 ∀γd−1

β−1

∃sd :

IOC(β, d) →(

I(s0) · TB(s0, sd−1) · (¬P(sd)))



Sequence of input assignments

ϕCEd := ∃x0

∃s0∃χ0

0 ∀γ00 . . . ∃χ0

β−1 ∀γ0β−1

∃x1∃s1

∃χ10 ∀γ1

0 . . . ∃χ1β−1 ∀γ1

β−1

. . .

∃xd−1∃sd−1

∃χd−10 ∀γd−1

0 . . . ∃χd−1β−1 ∀γd−1

β−1

∃sd :

IOC(β, d) →(

I(s0) · TB(s0, sd−1) · (¬P(sd)))



Sequence of states

ϕCEd := ∃x0

∃s0∃χ0

0 ∀γ00 . . . ∃χ0

β−1 ∀γ0β−1

∃x1∃s1

∃χ10 ∀γ1

0 . . . ∃χ1β−1 ∀γ1

β−1

. . .

∃xd−1∃sd−1

∃χd−10 ∀γd−1

0 . . . ∃χd−1β−1 ∀γd−1

β−1

∃sd :

IOC(β, d) →(

I(s0) · TB(s0, sd−1) · (¬P(sd)))



Blackbox input assignments (dependent on current state andprimary inputs)

ϕCEd := ∃x0

∃s0∃χ0

0 ∀γ00 . . . ∃χ0

β−1 ∀γ0β−1

∃x1∃s1

∃χ10 ∀γ1

0 . . . ∃χ1β−1 ∀γ1

β−1

. . .

∃xd−1∃sd−1

∃χd−10 ∀γd−1

0 . . . ∃χd−1β−1 ∀γd−1

β−1

∃sd :

IOC(β, d) →(

I(s0) · TB(s0, sd−1) · (¬P(sd)))



Universal quantification of blackbox outputs (due tofalsification of realizability)

ϕCEd := ∃x0

∃s0∃χ0

0 ∀γ00 . . . ∃χ0

β−1 ∀γ0β−1

∃x1∃s1

∃χ10 ∀γ1

0 . . . ∃χ1β−1 ∀γ1

β−1

. . .

∃xd−1∃sd−1

∃χd−10 ∀γd−1

0 . . . ∃χd−1β−1 ∀γd−1

β−1

∃sd :

IOC(β, d) →(

I(s0) · TB(s0, sd−1) · (¬P(sd)))


QBF-BB-BMC: Example revisited

Black−box

q0

q2

q1

q3

p1_

Y

ϕCE2 is true (depth=2), i.e.,

(y0, y1, y2) = (−,−, 1) is acounterexample.

. . . how come?



Tuples are (q0, q1, q2, q3, p). All traces reach a state with p = 1.Left edges: Zj

i = 0, i.e., BB output j at time step i is 0 (right edges: Zji = 1).

(0,0,0,0,0)





i0 =0Z i

0 =1Z0 = dcy

(0,0,0,0,0)





i0 =0Z i

0 =1Z0 = dcy

(0,0,0,0,0)

(1,0,1,0,0)(0,0,1,0,0)





i0 =0Z i

0 =1Z

= dcy1 = dcy1

0 = dcy

(0,0,0,0,0)

(0,0,1,1,0)

(1,0,1,0,0)(0,0,1,0,0)

(1,0,1,1,0) (1,0,1,1,0) (1,1,1,1,0)





i0 =0Z i

0 =1Z

= dcy1 = dcy1

= 1y2 = 1y2 = 1y2 = 1y2

0 = dcy

(0,0,0,0,0)

(0,0,1,1,0)

(1,0,1,0,0)

(1,0,1,1,1)

(0,0,1,0,0)

(1,0,1,1,0) (1,0,1,1,0) (1,1,1,1,0)

(0,0,1,1,1) (1,0,1,1,1) (1,1,1,1,1) (1,0,1,1,1) (1,1,1,1,1) (1,0,1,1,1) (1,1,1,1,1)



Input-Output-Consistency must be taken into account!

i0 =0Z i

0 =1Z

= dcy1 = dcy1

= 1y2 = 1y2 = 1y2 = 1y2

0 = dcy

(0,0,0,0,0)

(0,0,1,1,0)

(1,0,1,0,0)(0,0,1,0,0)

(1,0,1,1,0) (1,0,1,1,0) (1,1,1,1,0)

(0,0,1,1,1) (1,1,1,1,1) (1,0,1,1,1) (1,0,1,1,1) (1,1,1,1,1)! IOC ! IOC ! IOC


QBF-BB-BMC: Experimental Results

Solver Time #Solved/#Total2clsQ 16828 0 / 28GRL 16220 1 / 28openQbf 16826 0 / 28preQuantor 571 0 / 28Qbfl 16792 0 / 28Quaffle 16380 0 / 28QUANTOR 906 0 / 28QUANTOR hc 900 0 / 28qube3.0 16216 1 / 28qube4.0 15828 1 / 28qube5.0 20 28 / 28semprop 16229 1 / 28sKizzo-0.9-abs 9183 0 / 28sKizzo-0.9-grn 2191 0 / 28sKizzo-0.9.std 10761 0 / 28SQBF 11359 0 / 28sSolve 16808 0 / 28ssolve+ut 16809 0 / 28ssolve-ut 16809 0 / 28WalkQSAT 16227 1 / 28yQuaffle 16699 0 / 28

28 hard instances sent toQBFEVAL’06.Only qube5.0 was able tosolve the instances:⇒ transformation into

non-prenex QBF⇒ efficient pre-processing


Conclusions and Future Work

ConclusionsOverview of different approaches for BB-BMC problemsImproved BB-BMC using 01X-logicProvided more concise counterexample formulation usingQBFResulting QBF formulas are hard-to-handle forstate-of-the-art QBF solvers

Future WorkCombining 01X-Logic and QBF formulationProviding a taxonomy of QBF formulations to trade offexpressiveness vs. computational complexityBetter testbench using semantic components forblackboxing


Questions ⇒ Answers


Acknowledgements and References

Acknowledgements

Massimo Narizzano, Luca Pulina and Armando Tacchella for providing theshort track results of the QBF Evaluation 2006Tobias Nopper and Stefan Disch for fruitful discussions

References

Jain et al., “Testing, Verification, and Diagnosis in the Presence of Unknowns”,VTS’00Kuehlmann et al., “Robust Boolean Reasoning for Equivalence Checking andFunctional Property Verification”, TCAD’02Scholl, Becker, “Checking Equivalence for Partial Implementations”, DAC’01Herbstritt, Becker, “On SAT-based Bounded Invariant Checking of BlackboxDesigns”, MTV’05

advanced sat-techniques for bounded model checking of ...herbstri/publications/hbs_2006-slides.pdf!...

Documents