#### **Topic X**

## Formal Hardware Verification (III) Sequential Verification Techniques

SoC Verification

Sep, 2004

#### What we will cover in this topic ---

- 1. Introduction to temporal logic
  - CTL\*, CTL, LTL
- 2. CTL Symbolic model checking using BDDs
  - Fixpoint Theorems
  - Basic CTL operators
  - Limitation of BDDs
- 3. Symbolic model checking using ATPG/SAT
  - Sequential circuit modeling
  - Bounded model checking
  - Unbounded model checking

SoC Verification

Prof. Chung-Yang (Ric) Huang





In general, functional verification deals with a "sequential constraint satisfaction problem":

Sequential constraint = function (time, logic)

#### **Temporal Logic**


#### How to describe formula in computation tree

- 1. Path quantifier
  - A --- "for every path"
  - E --- "there exists a path"
- 2. Linear-time operators (State Quantifier)
  - Xp --- p holds next time
  - Fp --- p holds sometime in the future
  - Gp --- p holds globally in the future
  - pUq --- p holds until q holds




#### **Recursive Definition**

◆ In an infinite computation tree, any sub-tree is also an infinite computation tree

◆ Let Φ1, Φ2 be temporal formulae

→ "Φ1 (Φ2)" means "For any state that satisfies Φ1, its sub-tree should satisfy the formula Φ2"


#### More examples...

- ◆ AG(EF p)
  - For any state in the computation tree,
     its sub-tree should at least contain a state that satisfies p
  - e.g. AG(EF Restart) → !deadlock
    - From any state it is possible to get to the Restart state
- ◆ AG(AF p)
  - For any state in the computation tree, its sub-tree should have a "cut" that satisfies p
  - e.g. AG(AF DeviceEnabled)
    - From any state, any of its future computation path must see a DeviceEnabled
    - DeviceEnabled holds infinitely often on every computation path

#### Is AG(EF p) the same as AG(AF p)??


#### No, a counter-example is...

◆Satisfies AG(EF p), but not AG(AF p)




#### **Computation Tree Logic (CTL)**

- ◆ A restricted subset of CTL\* that permits only branching-time operators --- each of the linear-time operators G, F, X, and U must be immediately preceded by a path quantifier
- ◆ Formula

```
<Path_quantifier> <linear-time operator> ...
e.g. AG(p → EF q) ..... OK
e.g. AGF p ..... Not OK, no A/E between G and F
e.g. AG(p → Eq) ..... Not OK, missing state quantifier
```


#### **CTL Formula Reduction**

- ◆ All CTL formulas can be expressed in terms of EX, EG, and EU
  - AX p = ! EX (!p)
  - AG p = ! EF (!p)
  - AF p = ! EG (!p)
  - EF p = E (true U p)
  - A (p U q) = (! E (!q U (!p ^ !q))) ^ (! EG (!q)) --- the two conjuncts rule out the 2 types of counter-examples




We will talk about different types of temporal logic later...

Now, let's see how we verify a CTL property


## Model Checking Problem (for Functional Verification)

- 1. Let *M* be the state-transition graph obtained from the circuit modeling
- 2. Let *f* be the specification (property) expressed in temporal logic
- 3. Find all states s of M, such that

$$M, s \models f$$


## CTL Model Checking by Explicit State Enumeration

- ◆Explicit state transition graph is required
- ◆The target formula is decomposed into smaller subformulas for ease of checking
  - e.g. (! AF !a ^ AF b)
    - → (AF !a), (AF b)
- ◆ Starting from the initial state, evaluate the subformulas on each state it reaches
- ◆ Continue until all the states are reached

#### **State Explosion Problem**


#### **Symbolic Model Checking**

- States and state graph are implicitly represented by certain compact data structure
  - e.g. Using BDDs
- ◆Temporal formulas are evaluated based on operations of the above data structure






#### Note: Don't Use BDDs as Container

- ◆ When depositing "minterms" or "cubes" into a BDD ---
  - OK to query "membership"
  - NOT OK to retrieve the originally deposited minterms or cubes

Why??


#### **BDD to Represent Relations**

♦e.g. 2-bit ring counter

R:  $\{ (0 \rightarrow 1), (1 \rightarrow 2), (2 \rightarrow 3), (3 \rightarrow 0) \}$ 




### **BDD** to Represent State Transitions

- ◆ I : Set of PI variables
- ◆ X : Set of current state variables
- ◆ Y : Set of next state variables
- ♦ Transition Function: Y = T(X, I)
  - For each state variable,  $y_i = T_i(X, I)$







#### **BDD to Prove Assertion Property**

- ◆ Assert\_always(P) = AG(P)
- ◆ AG(P) = ! EF(!P)
  - Try to witness !P
  - Find an input sequence such that ---

- ◆ To prove AG(P), we need to compute ---








## From Transition Function to Transition Relationship



$$\delta(Y, X, I) = \prod_i \big(y_i = T_i(X, I)\big)$$

$$= (y_0 = T_0(X, I)) \wedge (y_1 = T_1(X, I)) \wedge \dots$$


#### The Question is...



Erase BDD variables → Existential Quantification


#### Remember...

◆ Shannon expansion of f

$$f = x \cdot f_x + \overline{x} \cdot f_{\overline{x}}$$

◆ f + g

$$= x \cdot (f_x + g_x) + \overline{x} \cdot (f_{\overline{x}} + g_{\overline{x}})$$

◆ Operation: perform on cofactors individually


#### **BDD Cofactor**

◆ Given a function f, find its positive/negative cofactor  $f_x / f_{\overline{x}}$

- e.g. Let  $f = a \overline{c} + b c$
  - →  $f_c = b$
  - →  $f_{\overline{c}} = a$
  - →  $f_{\overline{a}} = b c$
- ◆ If x is top variable → Left and right children
- ♦ Otherwise,




#### **Existential Quantification**

- ◆  $\exists x \ (f) = f_x + f_{\overline{x}}$
- ♦ If x is top variable
  - → Perform an "OR" on its cofactors
- ♦ If x is bottom variable
  - → Replace it with '1'
- ♦ If x is middle variable
  - → ???

#### Which one is better??


#### **Existential Quantification**

- e.g.  $f = a \overline{c} + b c$  →  $\exists c \ (f) = f_c + f_{\overline{c}} = b + a$




#### **BDD to Compute Set of Reachable States**

- ◆ Let S<sub>0</sub> be the set of initial states
  - $\rightarrow$  The set of states in time 1 (S<sub>1</sub>) can be computed by ---
  - $S_1(Y) = \exists X, I \ (\delta(Y, \, X, \, I) \ \& \ S_0(X))$
- ◆ Let R<sub>n</sub> be the set of reachable states in time n
  - $\rightarrow$  R<sub>n</sub> =  $\bigcup_{i=0}^{n} (S_i)$
- ♦ If  $R_{n+1} = R_n$ , no new state can be reached
  - → Fixed point condition


#### **Reachability Analysis for Property Checking**



[Figure: state space]


The above reachability analysis is usually called "forward image computation"

- → May suffer from state space explosion problems (for #variable > 200)
- → i.e. The set of forward reachable states could be very large

Alternative: Can we compute the "backward reachable states from !P"?

→ i.e. which states can lead to !P


#### **Backward Reachability Analysis**

- ◆ Image
  - $S_{n+1}(Y) = \exists X, I (\delta(Y, X, I) \& S_n(X))$
- ◆ Pre-image
  - $S_{n-1}(X) = \exists Y, I (\delta(Y, X, I) \& S_n(Y))$
  - To check the property P
    - Compute the backward reachable states from !P
    - If they intersect with the initial states
      - → A counter-example is found
    - Otherwise, if a backward fixed point is reached
      - → The property is always true


# Remember, All CTL formulas can be expressed in terms of EX, EG, and EU

## How do we prove EGp??


#### **Least Fixpoint Theorem**

```
leastFixPoint()
{
    R = False;
    R' = δ(R);
    while (R != R') {
        R = R';
        R' = δ(R');
    }
    return R;
}
```


#### **Greatest Fixpoint Theorem**

```
greatestFixPoint()
{
    R = True;
    R' = δ(R);
    while (R != R') {
        R = R';
        R' = δ(R');
    }
    return R;
}
```

(monotonic decreasing)

#### In short,

- 1. All the CTL formulae can be converted to the combinations of EX, EG, or EU
- 2. We can use BDDs to prove the EX, EG and EU properties
- 3. We can use BDDs to prove all kinds of CTL properties
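As an added example (not code from the slides), the three points above carried out in Python on an explicit state graph: the only primitives are EX, EG and EU, computed with the `leastFixPoint` / `greatestFixPoint` loops of the two preceding slides, and every other CTL operator is rewritten through the identities on the "CTL Formula Reduction" slide. The Kripke structure, the encoding of formulas as nested tuples and the names `Kripke`, `lfp`, `gfp` and `check` are this example's own. The model is the counter-example to "AG(EF p) = AG(AF p)": state 0 has a self-loop, so one path never reaches p although p is reachable from every state.

```python
# Added example: explicit-state CTL model checking with EX/EG/EU fixpoints
# (constructed for this page; not the slides' code).

def lfp(f):
    """leastFixPoint() from the slides: R = False (empty set), iterate R' = f(R) until R == R'."""
    r, rn = frozenset(), f(frozenset())
    while r != rn:
        r, rn = rn, f(rn)
    return r


def gfp(f, universe):
    """greatestFixPoint() from the slides: R = True (all states), monotonically decreasing."""
    r, rn = universe, f(universe)
    while r != rn:
        r, rn = rn, f(rn)
    return r


class Kripke:
    """Explicit state-transition graph: states, edges (s, t) and labels state -> set of atoms."""

    def __init__(self, states, edges, labels):
        self.S = frozenset(states)
        self.R = set(edges)
        self.L = labels

    def EX(self, Z):
        """Pre-image: states with at least one successor in Z."""
        return frozenset(s for s, t in self.R if t in Z)

    def EG(self, P):
        """Greatest fixpoint of Z = P and EX Z."""
        return gfp(lambda Z: P & self.EX(Z), self.S)

    def EU(self, P, Q):
        """Least fixpoint of Z = Q or (P and EX Z)."""
        return lfp(lambda Z: Q | (P & self.EX(Z)))

    def check(self, f):
        """Set of states satisfying f. Atoms are strings ("true" is the whole state set);
        compound formulas are tuples such as ("AG", ("EF", "p"))."""
        if isinstance(f, str):
            return self.S if f == "true" else frozenset(s for s in self.S if f in self.L[s])
        op, *args = f
        neg = lambda X: self.S - X
        if op == "not":
            return neg(self.check(args[0]))
        if op == "and":
            return self.check(args[0]) & self.check(args[1])
        if op == "EX":
            return self.EX(self.check(args[0]))
        if op == "EG":
            return self.EG(self.check(args[0]))
        if op == "EU":
            return self.EU(self.check(args[0]), self.check(args[1]))
        # Everything else is rewritten with the identities from "CTL Formula Reduction".
        if op == "EF":                      # EF p = E(true U p)
            return self.check(("EU", "true", args[0]))
        if op == "AX":                      # AX p = !EX(!p)
            return neg(self.check(("EX", ("not", args[0]))))
        if op == "AG":                      # AG p = !EF(!p)
            return neg(self.check(("EF", ("not", args[0]))))
        if op == "AF":                      # AF p = !EG(!p)
            return neg(self.check(("EG", ("not", args[0]))))
        if op == "AU":                      # A(p U q) = !E(!q U (!p & !q)) & !EG(!q)
            p, q = args
            first = self.check(("EU", ("not", q), ("and", ("not", p), ("not", q))))
            return neg(first) & neg(self.check(("EG", ("not", q))))
        raise ValueError(f"unknown operator {op}")


def example_model():
    """Constructed 3-state model: 0 -> 0 (self-loop), 0 -> 1, 1 -> 2, 2 -> 0; p holds only in 1.
    p is reachable from every state, but the path 0, 0, 0, ... never sees it."""
    return Kripke([0, 1, 2], [(0, 0), (0, 1), (1, 2), (2, 0)], {0: set(), 1: {"p"}, 2: set()})


if __name__ == "__main__":
    m = example_model()
    print("AG(EF p):", sorted(m.check(("AG", ("EF", "p")))))   # all three states
    print("AG(AF p):", sorted(m.check(("AG", ("AF", "p")))))   # empty: the self-loop at 0 is the counter-example
```

The explicit state sets stand in for the BDDs of the symbolic version; the fixpoint loops are the same, only the representation of R and R' changes, which is where the state explosion problem enters.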

**But Be Aware of the State Explosion Problem** 


#### **Other Types of Temporal Logic**

- Temporal logics may differ according to how they handle branching in the underlying computation tree
- In a linear temporal logic, operators are provided for describing events along a single computation path
- ◆ In a branching-time logic, the temporal operators quantify over the paths that are possible from a given state


#### **Linear Temporal Logic (LTL)**

- ◆ Consists of formulas that have the form Af, where f is a path formula in which the only state subformulas permitted are atomic propositions (i.e. no path quantifier)
- ◆Formula

A (<linear-time operator> ...)

- e.g. A(FGp)


#### The Logic CTL\*

- ◆The computation tree logic CTL\* (CTL-star) combines both branching-time and linear time operators
- **♦**Formula

```
<Path_quantifier> <linear-time operator> ... [(CTL* formula)]
e.g. A(FG(p → EF q))
```


#### **Expressive Power**

- ◆ CTL\*, LTL, and CTL have different expressive powers
  - No CTL formula is equivalent to the LTL formula A(FG p)
  - No LTL formula is equivalent to the CTL formula AG(EF p)
  - The disjunction (A(FG p) V AG(EF p)) is a CTL\* formula that is expressible in neither CTL nor LTL
- ◆ Can you come up with a formula that cannot be expressed by any of CTL\*, CTL, or LTL?


#### **BDD vs. SAT/ATPG**

- **◆**BDD
  - Tend to solve all the solutions at once
  - Memory explosion problems
  - Note: intermediate memory usage may be larger than the end memory
- **♦**SAT/ATPG
  - Find one solution at a time
  - Time complexity
  - Note: decision order matters


#### **BDD Solver Techniques**

- ◆ Combinational problems
  - Global BDDs
  - Local cutting (may have false negatives)
- ◆AG (or EF problem)
  - Reachability analysis (least fixpoint)
- ◆AF (or EG problem)
  - Greatest fixpoint


#### Using SAT/ATPG as constraint solver

→ Combinational problems

How to use it for sequential problems?

The following slides are mostly from Ken McMillan's CAV 03 tutorial


#### **Bounded Model Checking**

BCCZ99

- **♦** Given
  - A finite transition system M
  - A property p
- ◆ Determine
  - Does M allow a counterexample to p of k transitions or fewer?

This problem can be translated to a SAT problem


#### **Models**

Transition system described by a set of constraints



Model:

$$C = \{\ g = a \land b,\quad p = g \lor c,\quad c' = p\ \}$$

Each circuit element is a constraint. Note:  $a = a_t$  and  $a' = a_{t+1}$


#### **Properties**

- ♦ We restrict our attention to safety (AG) properties.
- ◆ Characterized by:
  - Initial condition I
  - Final condition F (representing "bad" states)
- ◆ A counterexample is a path from a state satisfying I to a state satisfying F, where every transition satisfies C.


#### **Unfolding**

◆Unfold the model k times:

$$U_k = C_0 \wedge C_1 \wedge ... \wedge C_{k-1}$$



- Use SAT solver to check satisfiability of  $I_0 \ \wedge \ U_k \ \wedge \ F_k$
- A satisfying assignment is a counterexample of k steps


#### K is unknown...

```
for (k = 0 to infinity)
    T = I_0 ∧ C_0 ∧ C_1 ∧ ... ∧ C_{k-1} ∧ F_k
    if (solve(T = 1) == true)
        return HAS_SOLUTION;
    if (effort exceeds limit)
        return ABORT;
endfor
```

#### Cannot prove "NO\_SOLUTION"


#### **BMC** applications

- ◆ Debugging:
  - Can find counterexamples using a SAT solver
- ◆ Proving properties:
  - Only possible if a bound on the length of the shortest counterexample is known.
    - I.e., we need a diameter bound. The diameter is the maximum length of the shortest path between any two states.
  - Worst case is exponential. Obtaining better bounds is sometimes possible, but generally intractable.


#### **Unbounded Model Checking**

- ◆ We consider a variety of methods that exploit SAT and BMC for unbounded model checking:
  - K-step induction
  - Abstraction
    - Counterexample-based
    - Non-counterexample-based
  - Exact image computations
    - SAT solver tests for fixed point
    - SAT solver computes image
  - Over-approximate image computations


#### K-induction

SSS 2000

♦ Induction:

$$\frac{P(s_0) \qquad \forall i: P(s_i) \Rightarrow P(s_{i+1})}{\forall i: P(s_i)}$$

k-step induction:

$$\frac{P(s_{0..k-1}) \qquad \forall i: P(s_{i..i+k-1}) \Rightarrow P(s_{i+k})}{\forall i: P(s_i)}$$


#### K-induction with a SAT solver

◆Recall:

$$U_k = C_0 \wedge C_1 \wedge ... \wedge C_{k-1}$$

- ◆ Two formulas to check:
  - Base case:  $I_0 \wedge U_{k-1} \Rightarrow P_0 \dots P_{k-1}$
  - Induction step:  $U_k \wedge P_0 \dots P_{k-1} \Rightarrow P_k$

- ♦ If both are valid, then P always holds.
- ♦ If not, increase k and try again.


#### **Induction SAT**

```
for (k = 0 to infinity)
    S = U_k ∧ F_k
    T = I_0 ∧ S
    // induction step
    if (solve(S = 1) == false)
        return NO_SOLUTION;
    // normal proof: base case for next k
    if (solve(T = 1) == true)
        return HAS_SOLUTION;
    if (effort exceeds limit)
        return ABORT;
endfor
```
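As an added example (not the slides' or McMillan's code), the BMC loop from "K is unknown..." and the Induction SAT loop above in Python. The model is the netlist of the "Models" slide (g = a∧b, p = g∨c, c' = p) extended with one extra latch d' = c, constructed here so that one property needs k = 1 before it becomes inductive. `Unfolding` emits the clauses of each frame C_t, and `dpll` (a toy solver constructed for this example: unit propagation plus chronological backtracking, no conflict clauses) decides satisfiability. The induction step is checked in the form of the "K-induction with a SAT solver" slide, $U_k \wedge P_0 \dots P_{k-1} \Rightarrow P_k$, i.e. as unsatisfiability of $U_k \wedge P_0 \dots P_{k-1} \wedge F_k$. All names below are this example's own.

```python
# Added example: BMC and k-induction over an unfolded netlist with a toy DPLL solver
# (constructed for this page; not the slides' code).

def dpll(clauses, assign=None):
    """Tiny DPLL. Clauses are lists of non-zero ints (positive literal = variable true).
    Returns a satisfying assignment dict or None."""
    assign = dict(assign or {})
    while True:                                       # unit propagation to fixpoint
        unit = None
        for clause in clauses:
            free = []
            for lit in clause:
                val = assign.get(abs(lit))
                if val is None:
                    free.append(lit)
                elif val == (lit > 0):
                    break                             # clause already satisfied
            else:
                if not free:
                    return None                       # every literal false: conflict
                if len(free) == 1:
                    unit = free[0]
                    break
        if unit is None:
            break
        assign[abs(unit)] = unit > 0
    unassigned = {abs(l) for c in clauses for l in c} - set(assign)
    if not unassigned:
        return assign
    v = min(unassigned)                               # decision: lowest variable index
    for val in (True, False):
        result = dpll(clauses, {**assign, v: val})
        if result is not None:
            return result
    return None


# Constructed model: the slides' netlist (g = a & b, p = g | c, c' = p) plus one extra latch d' = c.
GATES = [("g", "and", "a", "b"), ("p", "or", "g", "c")]
NEXT = {"c": "p", "d": "c"}
INPUTS, STATE = ["a", "b"], ["c", "d"]


class Unfolding:
    """Allocates one SAT variable per (signal, time) and emits the clauses of C_t."""
    def __init__(self):
        self.ids, self.clauses = {}, []

    def var(self, name, t):
        return self.ids.setdefault((name, t), len(self.ids) + 1)

    def add_frame(self, t):
        for out, op, x, y in GATES:                   # gate constraints at time t
            o, i1, i2 = self.var(out, t), self.var(x, t), self.var(y, t)
            if op == "and":
                self.clauses += [[-o, i1], [-o, i2], [o, -i1, -i2]]
            else:
                self.clauses += [[o, -i1], [o, -i2], [-o, i1, i2]]
        for latch, src in NEXT.items():               # latch value at t+1 equals its source at t
            n, s = self.var(latch, t + 1), self.var(src, t)
            self.clauses += [[-n, s], [n, -s]]

    def cube(self, cube, t):
        """A cube over state variables at time t as unit clauses (used for I_t and F_t)."""
        return [[self.var(n, t) if pos else -self.var(n, t)] for n, pos in cube]

    def not_cube(self, cube, t):
        """P_t = not F_t, which is a single clause when F is a cube."""
        return [[-self.var(n, t) if pos else self.var(n, t) for n, pos in cube]]


def unfold(k):
    u = Unfolding()
    for t in range(k):
        u.add_frame(t)                                # U_k = C_0 and ... and C_{k-1}
    return u


def bmc(init, bad, k):
    """Is I_0 and U_k and F_k satisfiable? Returns the k-step trace (inputs and state) or None."""
    u = unfold(k)
    model = dpll(u.clauses + u.cube(init, 0) + u.cube(bad, k))
    if model is None:
        return None
    return [{s: model.get(u.var(s, t), False) for s in INPUTS + STATE} for t in range(k + 1)]


def k_induction(init, bad, max_k):
    """The Induction SAT loop: step check first, then the base case for this k."""
    for k in range(max_k + 1):
        u = unfold(k)
        step = u.clauses + [c for t in range(k) for c in u.not_cube(bad, t)] + u.cube(bad, k)
        if dpll(step) is None:                        # U_k and P_0..P_{k-1} and F_k unsat
            return ("proved", k)                      # slides: NO_SOLUTION
        if bmc(init, bad, k) is not None:             # I_0 and U_k and F_k sat
            return ("counterexample", k)              # slides: HAS_SOLUTION
    return ("abort", max_k)                           # slides: effort exceeds limit


if __name__ == "__main__":
    init = [("c", False), ("d", False)]
    print(k_induction(init, [("d", True), ("c", False)], 10))   # d and not c is unreachable
    print(k_induction(init, [("c", True)], 10))                  # c = 1 is reachable with a = b = 1
    print(bmc(init, [("c", True)], 1))
```

The bad state d ∧ ¬c is not 0-inductive (the cube alone is satisfiable) but is 1-inductive, because d' = c and c' = g ∨ c cannot produce d = 1, c = 0 from any predecessor; the loop therefore answers at k = 1 without ever computing the reachable states.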


Does "Induction SAT" guarantee convergence?

i.e. will we either conclude no solution in the induction step, or find a counter-example in the normal proof, with a finite number k???


#### Simple path assumption

- ◆Unfortunately, k-induction is not complete.
  - Some properties not k-inductive for any k.



- ◆Simple path restriction:
  - There is a path to ¬P iff there is a simple path to ¬P (path with no repeated states).


#### Induction over simple paths

- ♦ Let simple( $s_{0..k}$ ) be defined as:
  - $\forall i,j \text{ in } 0..k$  :  $(i \neq j) \Rightarrow s_i \neq s_j$
- ◆ k-induction over simple paths:

$$\frac{P(s_{0..k-1}) \qquad \forall i: \mathrm{simple}(s_{0..k}) \land P(s_{i..i+k-1}) \Rightarrow P(s_{i+k})}{\forall i: P(s_i)}$$

Must hold for k large enough, since a simple path cannot be unboundedly long. Length of longest simple path is called recurrence diameter.


#### ...with a SAT solver

◆For simple path restriction, let:

$$S_k = \forall t = 0..k,\ t' = t+1..k : \neg \forall v \in V : v_t = v_{t'}$$

(where V is the set of state variables).

- ◆ Two form formulas to check:
  - Base case:  $I_0 \wedge U_{k-1} \Rightarrow P_0 \dots P_{k-1}$
  - Induction step:  $S_k \wedge U_k \wedge P_0 \dots P_{k-1} \Rightarrow P_k$

- ♦ If both are valid, then P always holds.
- ◆If not, increase k and try again.


Is the recurrence diameter the same as the diameter (the max of the shortest path between any 2 states)??


#### **Termination**

◆ Termination condition:

k is the length of the longest simple path of the form

- ◆ This can be exponentially longer than the diameter.
  - example:
    - loadable mod  $2^N$  counter where P is (count  $\neq 2^{N-1}$ )
    - diameter = 1
    - longest simple path = 2<sup>N</sup>
- ◆ Nice special cases:
  - P is a tautology (k=0)
  - P is inductive invariant (k=1)


#### Localization abstraction

Kurshan

♦ Property:  $G(c \Rightarrow X c)$ 



Model:

$$\frac{\mathcal{C}' \Rightarrow \mathsf{property}, \ \mathcal{C} \Rightarrow \mathcal{C}'}{\mathcal{C} \Rightarrow \mathsf{property}}$$


#### **Constraint granularity**

Most authors use constraints at "latch" granularity...



Model:

$$C = \{ c' = (a \wedge b) \vee c \}$$

...however, techniques we will consider can be applied at both "gate" and "latch" granularity.


#### Localization, cont

- ◆C' may refer to fewer state variables than C
  - reduction in the state explosion problem
- ◆Key issue: how to choose constraints in C'
  - counterexample-based
  - proof-based




#### **Abstract counterexamples**

- ◆ Assume simple safety property:
  - initial condition I and final condition F
  - w.l.o.g., assume I and F are atomic formulas
    - to make this true, add constraints in C:

$$v_{I} \Leftrightarrow I \qquad v_{F} \Leftrightarrow F$$

- ◆ Abstract variables V' = support(C',I,F)
- ◆ Abstract counterexample A' is a truth assignment to:

$$\{v_t \mid v \text{ in V'}, t \text{ in 0..k}\}$$

where k is the number of steps.


#### **Counterexample extension**

**CGJLV 2000** 

◆ Abstract counterexample A' satisfies:

$$I_0 \wedge U'_k \wedge F_k$$
 where  $U'_k = C'_0 \wedge C'_1 \wedge ... \wedge C'_{k-1}$ 

◆ Find A consistent with A', satisfying:

$$I_0 \wedge U_k \wedge F_k$$
 where  $U_k = C_0 \wedge C_1 \wedge ... \wedge C_{k-1}$ 

◆ That is, A is any satisfying assignment to:

$$A' \wedge I_0 \wedge U_k \wedge F_k$$

I.e., to extend an abstract counterexample, we just apply it as a constraint in BMC. If unsat, abstract counterexample is "false".


#### **Abstraction refinement**

- ◆ Refinement = adding constraints to C' to eliminate false counterexamples.
- ◆ Many heuristics are used for this.
  - Too many to cover here.
  - SAT solver can produce a resolution-based refutation in the UNSAT case....


#### **DPLL-style SAT solvers**

SATO, GRASP, CHAFF, BERKMIN

- ◆ Objective:
  - Check satisfiability of a CNF formula
    - literal: v or ¬v
    - clause: disjunction of literals
    - CNF: conjunction of clauses
- ◆ Approach:
  - Branch: make arbitrary decisions
  - Propagate implication graph
  - Use conflicts to guide inference steps


#### The Implication Graph (BCP)



Assignment:  $a \wedge b \wedge \neg c \wedge d$ 


#### Resolution



When a conflict occurs, the implication graph is used to guide the resolution of clauses, so that the same conflict will not occur again.






Assignment:  $a \wedge b \wedge \neg c \wedge d$ 


### **Conflict Clauses (cont.)**

- ◆Conflict clauses:
  - Are generated by resolution
  - Are implied by existing clauses
  - Are in conflict in the current assignment
  - Are safely added to the clause set

Many heuristics are available for determining when to terminate the resolution process.


### **Generating refutations**

- ◆Refutation = a proof of the null clause
  - Record a DAG containing all resolution steps performed during conflict clause generation.
  - When null clause is generated, we can extract a proof of the null clause as a resolution DAG.

Original clauses

Derived clauses

Null clause


#### **Proof-based refinement**

◆ Recall, to extend abstract Cex A', we check:

$$A' \wedge I_0 \wedge U_k \wedge F_k$$

- ◆ If UNSAT, we obtain refutation proof P
  - proof that A' cannot be extended to concrete Cex
- ◆ Let E be set of constraints used in proof P:

$E = \{ c \in C \mid \text{some } c_i \text{ occurs in } P \}$

- ◆ A' cannot be extended to a Cex for E
  - P is the proof of this.

Thus, add E to C' and continue...


#### In other words...

The refutation of the formula:

$$A' \wedge \ I_0 \wedge U_k \, \wedge \, F_k$$

gives us a sufficient set of constraints to rule out the abstract counterexample.

We continue ruling out counterexamples until either the abstraction  $\mathcal{C}'$  proves the property or we can extend an abstract counterexample to a concrete one.


### **CCKSVW** approach (FMCAD02)

◆ Find the shortest prefix of Cex A' that cannot be extended.



◆That is,

$$A' \wedge I_0 \wedge U_k \wedge F_k$$

is feasible for all k < i, but not for k=i.


### **CCKSVW** approach cont.

◆ Let P be a refutation of

$$A' \wedge \ I_0 \wedge U_i \ \wedge \ F_i$$

 Let E be set of constraints used in proof P only on state s<sub>i-1</sub>:



## Weakness of Cex-based approach

- Arbitrarily chosen abstract Cex may be refutable for many reasons not related to property.
  - Thus, may add irrelevant constraints.
  - To remedy, may try to characterize a set of Cex's rather than just one (e.g., GKM-HFV,TACAS03).

Alternative: don't use counterexamples




## **BMC** phase

◆Unfold the model k times:

$$U = C_0 \wedge C_1 \wedge ... \wedge C_{k-1}$$

◆ Use SAT solver to check satisfiability of

$$I_0 \wedge U \wedge F_k$$

- ◆ If unsatisfiable:
  - property has no Cex of length k
  - produce a refutation proof P


### **Abstraction phase**

◆Let C' be set of constraints used in proof P:

$C' = \{ c \in C \mid \text{some } c_i \text{ occurs in } P \}$

- ◆C' admits no counterexample of length k
  - let U' =  $C'_0 \wedge C'_1 \wedge ... \wedge C'_{k-1}$
  - $\bullet$  P is a refutation of I<sub>0</sub>  $\wedge$  U'  $\wedge$  F<sub>k</sub>
- ◆ Model check property on C'
  - property true for C' implies true for C
  - else Cex of length k' > k (why?)
  - restart for k = k'




#### **Termination**

- ◆ Depth k increases at each iteration
- ◆Eventually k > d, diameter of C'
- ◆ If k > d, no counterexample is possible

In practice, termination usually occurs when  $k \approx d/2$

Usually, diameter of  $C' \ll$  diameter of  $C$


## Weakness of proof-based abs

◆BMC must refute all counterexamples of length k, while in Cex-based, BMC must refute only one (partial) counterexample.


#### Inference

◆SAT solver seems to be *very* effective at narrowing down the proof to relevant facts.

In most cases, it did better than manual abstraction.


## **Comparing CBA and PBA**

- ◆Apples-apples comparison
  - same SAT solver
  - same model checker
  - only differences are:
    - For CBA previous A' is kept as a constraint for BMC, C' is cumulative.
    - For PBA previous A' and C' are thrown away each iteration.

Note these are my implementations. This says nothing about performance of specific tools!








## A (fuzzy) hypothesis

SAT-based BMC "succeeds" when number of relevant variables is small, and fails otherwise.

"success" is BMC for k = diameter of relevant logic

 Parameterized models allowing no abstraction

| Model           | Max state vars |
|-----------------|----------------|
| German protocol | 42             |
| "swap"          | 21             |


### **Implications**

- Most of the time if bounded model checking succeeds, unbounded model checking also succeeds using abstraction.
- ◆No need to settle for time bounded result
- Bounded model checking may be applicable only to localizable properties


### Image computation methods

- ◆Symbolic model checking without BDD's
  - Use SAT solver just for fixed-point detection
    - Abdulla, Bjesse and Een 2000
    - Williams, Biere, Clarke and Gupta 2000
  - Adapt SAT solver to compute image directly
    - McMillan, 2002


### Symbolic model checking

◆ Recall: Fixed point characterization of CTL:

$$\text{EF}\,p = \mu Q.\; p \vee \text{EX}\,Q$$

◆ Reverse image:

$$\text{EX}\,p = \exists W.\; p\langle \delta_i / v_i \rangle$$

where the v_i are the state variables, W the input variables, and the δ_i the transition functions.


### Syntactic expansion of quantifiers

- ◆ By definition:
  - $\exists w.\, p = p\langle 0/w \rangle \vee p\langle 1/w \rangle$
- ◆ Thus, we can compute reverse image by syntactic expansion and simplification.
  - note: exponential in number of inputs.
- ◆ Fixed-point series:

$$\begin{aligned} R_0 &= \text{false} \\ R_{i+1} &= p \vee \text{EX } R_i \\ &\quad \text{Terminates when } R_{i+1} \Rightarrow R_i \\ &\quad \text{(SAT problem)} \end{aligned}$$


#### Limitations

- ◆ Syntactic quantifier elimination is exponential
  - Method limited to circuits with very few inputs
  - E.g., sequential arithmetic circuits


### **Direct image computation**

- ◆Adapt SAT methods for image computation in symbolic model checking
  - Recall: this is essentially quantifier elimination
- ◆Idea: reduce formula to CNF or DNF
  - Make quantifier elimination easy
  - Essentially, enumerate all satisfying assignments, but in an efficient way (i.e., by covering them with clauses or cubes).




#### **CNF** Characterization

Instead of checking validity of p, we now want to derive a CNF formula over the input variables  $V_{\rm I}$  that is logically equivalent to the circuit.

Idea: each time a satisfying assignment is found, add a new "blocking clause" that rules out this satisfying assignment.

The blocking clauses form our characterization of p.


### **Blocking clauses**

- ◆Blocking clauses must:
  - be implied by p
  - be in conflict in the current assignment
  - involve only input variables (in V<sub>I</sub>)

Can we use conflict clauses as blocking clauses?

Not quite...


### An example



Want to characterize p in CNF:

•Test satisfiability of CNF(p)  $\land \neg p$ 

Guess the assignment A = a

Implication graph:



Problem:

We can't infer anything from p, because  $\neg p$  is already a root of the graph.

Satisfying!


## Alternate implication graph



Construct a new implication graph rooted at the input variables.



Now we can always generate a conflict clause from p using only input variables.






### **Universal Quantifier Elimination**

Given a circuit p and a subset W of the input variables, we want to compute a CNF formula equivalent to

$$\forall W.p$$

Idea: Eliminating  $\forall$  in CNF formulas is trivial.

e.g.:
$$\forall a. (a \lor b) \land (\neg a \lor \neg c \lor d) = (b) \land (\neg c \lor d)$$

... just push  $\forall$  inside  $\land$  ...
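As an added example (not the slides' code), the two pieces above in Python: the blocking-clause loop of the "CNF Characterization" slide, which turns a circuit p into a CNF over its input variables, followed by universal quantifier elimination on that CNF by pushing ∀ inside ∧. Instead of a SAT solver and its implication graph, `cnf_characterize` enumerates assignments by brute force and shrinks each blocking clause greedily while it stays implied by p (a stand-in for conflict analysis). The circuit p = (a ∧ b) ∨ c and all function names are this example's own; the last call reproduces the ∀a example from the slide.

```python
# Added example: blocking-clause CNF characterization of a circuit, then universal
# quantifier elimination on the CNF (constructed for this page; not the slides' code).
from itertools import product


def assignments(variables):
    """Every truth assignment of the given variables, as dicts (brute force replaces the SAT solver)."""
    for bits in product([False, True], repeat=len(variables)):
        yield dict(zip(variables, bits))


def clause_holds(clause, a):
    """A clause is a list of (variable, polarity) literals."""
    return any(a[v] == pos for v, pos in clause)


def cnf_holds(cnf, a):
    return all(clause_holds(c, a) for c in cnf)


def implied_by(p, variables, clause):
    """p => clause under every assignment? (a blocking clause must be implied by p)"""
    return all(clause_holds(clause, a) for a in assignments(variables) if p(a))


def minimize(p, variables, clause):
    """Drop literals while the clause stays implied by p: a stand-in for conflict analysis."""
    for lit in list(clause):
        smaller = [l for l in clause if l != lit]
        if implied_by(p, variables, smaller):
            clause = smaller
    return clause


def cnf_characterize(p, variables):
    """Loop of the 'CNF Characterization' slide: while CNF(p) and not p is satisfiable,
    add a blocking clause (implied by p, false under the found assignment, inputs only)."""
    cnf = []
    for a in assignments(variables):
        if p(a) or not cnf_holds(cnf, a):
            continue                                    # not a model of CNF(p) and not p
        blocking = [(v, not a[v]) for v in variables]   # falsified exactly by a
        cnf.append(minimize(p, variables, blocking))
    return cnf


def forall_eliminate(cnf, w):
    """forall W over a CNF: push forall inside and. Each clause loses its W-literals; a clause
    containing both v and not v for some v in W is a tautology and is dropped."""
    result = []
    for clause in cnf:
        if any(v in w and (v, not pos) in clause for v, pos in clause):
            continue
        result.append([(v, pos) for v, pos in clause if v not in w])
    return result


def circuit(a):
    """Constructed circuit p = (a and b) or c over input variables a, b, c."""
    return (a["a"] and a["b"]) or a["c"]


if __name__ == "__main__":
    cnf = cnf_characterize(circuit, ["a", "b", "c"])
    print("CNF(p):", cnf)                                 # (b or c) and (a or c)
    print("forall c. p:", forall_eliminate(cnf, {"c"}))   # (b) and (a)
    slide = [[("a", True), ("b", True)], [("a", False), ("c", False), ("d", True)]]
    print("slide example:", forall_eliminate(slide, {"a"}))   # (b) and (not c or d)
```

An empty clause in the result means ∀W.p is false; a result with no clauses means it is true.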











#### Recent related work

- ♦ Sheng, Hsiao (DATE 2003)
  - Uses ATPG methods
- ◆ Chauhan, Clarke, Kroening
  - Computes forward rather than backward image


### **SAT-based image**

- May provide a good alternative when BDD's fail.
- ◆ Does not take advantage of SAT solver's ability to filter out irrelevant facts, since exact image is computed.


### Image over-approximation

- ◆ BMC and Craig interpolation allow us to compute an image over-approximation relative to the property.
  - Avoid computing exact image.
  - Maintain SAT solver's advantage of filtering out irrelevant facts.


### Interpolation

(Craig, 57)

◆ If A ∧ B = false, there exists an interpolant A' for (A,B) such that:

- $A \Rightarrow A'$
- $A' \wedge B = \text{false}$
- A' refers only to common variables of A, B

- ◆Example:
  - $\bullet$  A = p  $\land$  q, B =  $\neg$ q  $\land$  r, A' = q
- ◆New result
  - given a resolution refutation of A ∧B,
     A' can be derived in linear time.

(Pudlak,Krajicek,97)


# Interpolation-based MC

- ◆Interpolation gives us
  - SAT-based algorithm for over-approximate image computation, using interpolation
  - SAT-only symbolic model checking


## Reachability

- ◆ Is there a path from I to F satisfying transition constraint C?
- ◆ Reachability fixed point:

$$R_0 = I$$

$$R_{i+1} = R_i \vee Img(R_i, C)$$

$$R = \bigcup R_i$$

◆ Image operator:

$$Img(P,C) = \lambda V'. \exists V. (P \wedge C)$$

◆ F is reachable iff  $R \wedge F \neq \text{false}$


### Overapproximation

- ◆ An overapproximate image op. is Img' s.t. for all P, Img(P,C) implies Img'(P,C)
- ◆ Overapproximate reachability:

$$R'_{0} = I$$

$$R'_{i+1} = R'_{i} \lor Img'(R'_{i},C)$$

$$R' = \bigcup R'_{i}$$

- ◆ Img' is adequate (w.r.t.) F, when
  - if P cannot reach F, Img'(P,C) cannot reach F
- ◆ If Img' is adequate, then
  - F is reachable iff  $R' \wedge F \neq false$




# k-adequate image operator

- ◆Img' is k-adequate (w.r.t.) F, when
  - if P cannot reach F,
     Img'(P,C) cannot reach F within k steps
- ◆Note, if k > diameter, then k-adequate is equivalent to adequate.


### Interpolation-based image

◆Idea -- use unfolding to enforce k-adequacy

$$A = P_{-1} \wedge C_{-1}$$

$$B = C_0 \wedge C_1 \wedge \dots \wedge C_{k-1} \wedge F_k$$



Let  $Img'(P)_0 = A'$ , where A' is an interpolant for (A,B)...

Img' is k-adequate!


#### Huh?



- $A \Rightarrow A'$ 
  - $Img(P,C) \Rightarrow Img'(P,C)$
- ◆A' ∧ B = false
  - Img'(P,C) cannot reach F in k steps
- ◆Hence Img' is k-adequate overapprox.

But note, Img' is partial -- not defined if  $A \land B$  is sat.


#### Intuition



- ◆ A' tells us everything the SAT solver deduced about the image of P in proving it can't reach F in k steps.
- ◆Hence, A' is in some sense an abstraction of the image relative to the property.


### Reachability algorithm

```
let k = 0
repeat
    if I can reach F within k steps, answer reachable
    R = I
    while Img'(R,C) ∧ F = false
        R' = Img'(R,C) ∨ R
        if R' = R answer unreachable
        R = R'
    end while
    k = k + 1
end repeat
```

#### **Termination**

◆ Since k increases at every iteration, eventually k > d, the diameter, in which case Img' is adequate, and hence we terminate.

#### Notes:

- don't need to know when k > d in order to terminate
- often termination occurs with k << d
- depth bound for earlier method (Sheeran et al '00) is "longest simple path", which can be exponentially longer than diameter


#### Interpolation-based MC

- ◆ Fully SAT-based.
- ◆ Inherits the SAT solver's ability to concentrate on facts relevant to a property.
- ◆ Like CBA, PBA, most effective when
  - Very large set of facts is available
  - Only a small subset is relevant to property
- ◆ For true properties, appears to converge for smaller k values.


#### Conclusion

- ◆ SAT solvers are very effective at ignoring irrelevant facts
  - Can think of decision heuristic as a form of CBA
- ◆ SAT solvers can produce refutations
- ◆ We can exploit in a number of ways:
  - BMC
  - Abstraction for UMC (either CBA or PBA)
  - Abstract image computations using interpolation

This makes it possible to model check *localizable* properties of large systems.


#### Conclusion cont.

- ◆ Approaches that compute exact images sacrifice this quality of SAT solvers.
  - still useful as alternative to BDD's
- ◆ For non-localizable properties, SAT-based BMC and UMC do not perform well.
- ◆ The capacity of SAT-based UMC is comparable to BMC.
  - no need to settle for bounded results!
