## Boolean Satisfiability (SAT) Algorithms

Chung-Yang (Ric) Huang Dept. EE/GIEE, NTU FLOLAC, 2009

#### **Outline**

| <ul><li>Overview of Hardware Verification</li></ul>                                  | p3          |
|--------------------------------------------------------------------------------------|-------------|
| ♦ Assertion-Based Verification                                                       | p28         |
| ◆ Boolean Satisfiability (SAT) Algorithms                                            | p53         |
| <ul> <li>Logic Implication and its Applications</li> </ul>                           | p72         |
| <ul> <li>DPLL Decision Procedure</li> </ul>                                          | p139        |
| <ul> <li>Conflict-Driven Learning and Non-Chronologic</li> </ul>                     | cal         |
| Backtracking                                                                         | p152        |
| <ul> <li>Decision ordering / Restart</li> </ul>                                      | p174        |
| <ul> <li>Various learning techniques</li> </ul>                                      |             |
| ◆ SAT-Based Verification                                                             | p193        |
| <ul> <li>Bounded and Unbounded Modeling Checking</li> </ul>                          | p198        |
| <ul> <li>Interpolation Technique</li> </ul>                                          | p214        |
| ♦ Future Research Directions                                                         | p245        |
| 300lean SAT Algorithms / FLOLAC 2009 Prof. Chung-Yang (Ric) Huang http://dvlab.ee.nt | tu.edu.tw 2 |

#### What is Verification?

- ◆What's the problem?
  - You may have learned that modern IC designs are ---
    - Extremely complex
    - With very high time-tomarket pressure



Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang



| #Transistors                         | in Intel's CPU Year of Introduction | Transistors                  |
|--------------------------------------|-------------------------------------|------------------------------|
| 4004                                 | 1971                                | 2,250                        |
| 8008                                 | 1972                                | 2,500                        |
| 8080                                 | 1974                                | 5,000                        |
| 8086                                 | 1978                                | 29,000                       |
| 286                                  | 1982                                | 120,000                      |
| 386™ processor                       | 1985                                | 275,000                      |
| 486™ DX processor                    | 1989                                | 1,180,000                    |
| Pentium® processor                   | 1993                                | 3,100,000                    |
| Pentium II processor                 | 1997                                | 7,500,000                    |
| Pentium III processor                | 1999                                | 24,000,000                   |
| Pentium 4 processor                  | 2000                                | 42,000,000                   |
| Itanium® processor                   | 2002                                | 220,000,000                  |
| Itanium II processor                 | 2003                                | 410,000,000                  |
| Boolean SAT Algorithms / FLOLAC 2009 | Prof. Chung-Yang (Ric) Huang        | http://dvlab.ee.ntu.edu.tw 5 |

# A Closer Look at Modern IC Typical hair diameter: 20 ~ 180 um Multi-layer metal connection Boolean SAT Algorithms / FLOLAC 2009 Prof. Chung-Yang (Ric) Huang http://dvlab.ee.ntu.edu.tw 6

#### What is Verification?

- ◆What's the problem?
  - You may have learned that modern IC designs are ---
    - Extremely complex
    - With very high time-tomarket pressure



Are you sure your design is correct under all scenarios? (Have you fixed all the bugs?)

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw

#### Verification: A high stake game

US '02 wireless telecom revenue: \$76B (CNet) •7 M gates

•500K lines of code



•DoCoMo: 23 M consumers with Java based phones.

•Mandatory recall cost: \$4.2B (2001.06)

Kashai/Verisity, HLDVT 2003

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

## And of course, don't forget the infamous Pentium division bug...

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dylab.ee.ntu.edu.tw

#### **Pentium FDIV Bug**

- ◆ Pentium CPU
  - Shipped on 03/22/93
  - 5V → 3.3V
  - The name "Pentium" was mainly for better trademark protection
  - Superscalar, 64-bit datapath
  - Better floating point calculation
    - 3 X scalar; 5 X vector
- ◆ A bug was found in floating-point division
  - By Prof. Thomas Nicely, Lynchburg College, Virginia, USA, 10/30/94

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw

### Improvement on Floating-Point Execution

- Using SRT instead of "shift-and-subtract" algorithm for division
  - Generate two quotient bits per clock cycle
  - A lookup table to calculate the intermediate quotients necessary for floating-point division
    - 1066 table entries
- ◆ The FDIV bug
  - 5 were not downloaded into the programmable logic array (PLA lookup table)
  - When FPU accesses any of these 5 cells, it fetches zero instead of +2
  - → Less precise result!!

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 11

#### The Probability of the FDIV Bug....

- ◆ At worst, the 4<sup>th</sup> significant digit of a decimal number
  - Probability: 1/ 360 Billions
- ◆ Most common: 9<sup>th</sup> and 10<sup>th</sup> digit
  - Probability: 1 / 9 Billions
- ◆ The occurrence of the problem is highly dependent on the input data
- → This result was quickly verified by other people around the Internet, and became known as the Pentium FDIV bug

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang



A 3-D plot of the ratio 4195835/3145727 calculated on a Pentium with FDIV bug. The depressed triangular areas indicate where incorrect values have been computed. The correct values all would round to 1.3338, but the returned values are 1.3337, an error in the fifth significant digit. Byte Magazine, March 1995.

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw

13

#### Intel's Reaction

- ◆ This report stirred up a huge controversy. Intel at first denied that the problem existed.
- Later, Intel claimed that it was not serious and would not affect most users.
  - However, people who could prove that they were affected would get their processor replaced by Intel
- However, although most independent estimates found the bug to be of little importance and have negligible effect on most users, it has caused a great public outcry.
  - Companies like IBM (whose "586" microprocessor competed at that time with the Intel Pentium line) joined the condemnation.
- Finally, Intel was forced to offer to replace all flawed Pentium processors, at huge potential cost to the company
  - However, it turned out that only a small fraction of Pentium owners actually bothered to get their chips replaced
  - Intel's stock price actually rose the day they finally acknowledged

http://en.wikipedia.org/wiki/Pentium\_FDIV\_bug

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw

14

#### Aftermath...

- ◆ Intel hired 1000+ PhDs for strategic CAD research, especially in the design verification area
- ◆ However, there were still several bugs found in later Pentium chips
  - e.g. CMPXCHG8B instruction, Dan-0411, Pentium FO bugs, etc

## Where's the problem? Why is it so difficult?

Let's first review a little bit about the typical design process...

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dylab.ee.ntu.edu.tw

w 15

#### What is Design Verification?

To verify the correctness of your design



Bugs may exist anywhere in the design...

→ Find as many design bugs as possible !!

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw

16

## How do you verify your design ?

Yes, most people verify their designs by simulation and debug by examining the output responses

Boolean SAT Algorithms / FLOLAC 2009 Prof. Chung-Yang (Ric) Huang http://dvlab.ee.ntu.edu.tw



#### Let's do some math

- ◆Suppose a circuit has 100 inputs (this is considered tiny in modern design)
  - Total number of input combinations =  $2^{100} = 10^{30} = 10^{24}M = 1.6$  mole Mega
  - Requires (in the worse case) 10<sup>24</sup>M test patterns to exhaust all the input scenarios
  - Let alone the sequential combinations
  - For an 1 MIPs simulator
  - $\rightarrow$  runtime =  $10^{24}$  seconds =  $3 * 10^{16}$  years

Boolean SAT Algorithms / FLOLAC 2009 Prof. Chung-Yang (Ric) Huang http://dvlab.ee.ntu.edu.tw

-5



## the mainstream approach in verification?

Then why is simulation still

How can it be useful?

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw

#### What is worse, when design gets bigger...

- → Simulation runs much slower (exponential complexity)...
- ◆ e.g. Time to boot VxWorks
  - 1 million instructions, assume 2 million cycles
  - Today's verification choices:
    - 50M cps: 40 msec Actual system HW
    - 5M cps: 400 msec Logic emulator <sup>1</sup> (QT Mercury)
    - 500K cps: 4 sec Cycle-based gate accelerator <sup>1</sup> (QT CoBALT)
    - 50K cps: 40 sec Hybrid emulator/simulator <sup>2</sup> (Axis)
    - 5K cps: 7 min
       Event-driven gate accelerator <sup>2</sup> (Ikos NSIM)
    - 50 cps: 11 hr CPU and logic in HDL simulator 3 (VCS)
    - 1: assumes CPU chip 2: assumes RTL CPU 3: assumes HDL CPU

About VxWorks (http://www.faqs.org/faqs/vxworks-faq/part1/)

source: Kurt Keutzer, UCB

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 22

#### Simulation is useful because...

- 1. In early design cycle, most bugs are easy to find
  - Like something contaminates the ocean...
- 2. Use "design intent" to guide the testbench
  - Guided test pattern generation
  - Real-life stimulus
- 3. Make the DUV smaller
  - Lower level of hierarchy
  - Higher-level of abstraction
  - Design constraint
- 4. And ??

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

And of course, simulation approach is easier to learn, simpler to use,

so it is the most popular.

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dylab.ee.ntu.edu.tw

But corner-case bugs are still very tough...

Can we do better?

(Speed up the simulation?)

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw

#### Using hardware to speed up simulation

- 1. Emulation
  - Map the design into FPGA
  - 100x 10000x Speedup; but very expensive
- 2. Hardware Accelators
  - Compared to emulation
  - → lower at cost, but sacrificed in speed
- 3. Rapid Prototyping
  - Prototyping modules
  - FPGA for IP cores
  - Software
  - Debugging interfaces



Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

millebilah aa ntu aelu tur

Other than using hardware to speed up the simulation...

Let's look at the difference between design verification and manufacturing testing...

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

#### **Verification vs. Testing**

|                    | Verification                | Testing              |
|--------------------|-----------------------------|----------------------|
| Objective          | Design (SW)                 | Chip (HW)            |
| Environment        | Simulator, debugger (tools) | Test equipments (HW) |
| Observation points | Any signal in the design    | Chip outputs         |

 Unlike testing, verification does not have the observability problem

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dylab.ee.ntu.edu.tw

#### Observability Problem --- Solved

- ◆Insert "<u>assertions</u>" in the middle of the circuit, and flag the simulator whenever the violation occurs
  - →Increase the observability of the bugs

The difference between hardware and software simulations

But, how to describe assertions? Assertion specification languages?

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 31

#### **Observability Problem**

◆ Bugs are detected at the observation points like POs and registers



#### **Complex or Simple Assertions?**

- With the very high expressiveness of some assertion languages, we can describe very complex design properties by using assertion specification languages
  - However, this may scare off many users...
  - Another bigger problem: how do you know you write the correct property?
    - What if the property you wrote is wrong?
- ◆ Assertions should be simple!!
  - The main purpose should be finding bugs
  - Most assertions needed in the design are very simple assertions

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

#### The Fact

- ◆ More than 90% of properties written for hardware verification are simply "<u>safety (invariance)</u>" properties
  - e.g. assert never(readEn && writeEn);
  - e.g. assert\_next(req, ack);
  - → Easier to write
  - → Higher proof completion percentage
  - → Enough to detect bugs

How to quickly prove all of them is the key issue

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw

- 33



#### **ABV Example --- OVL** module assert\_never (clk, reset n, if (test expr == 1'b1) begin test expr); error count = error count + 1; input clk, reset n, test expr; `ifdef parameter severity level = 0; ASSERT MAX REPORT ERROR parameter msg="ASSERT NEVER VIOLATION"; if (error count <= 'ASSERT MAX REPORT ERROR) // ASSERT: PRAGMA HERE `endif //synopsys translate off \$display("%s : severity %0d : `ifdef ASSERT ON time %0t: %m". msq. integer error\_count; severity level, \$time); initial error count = 0; if (severity level == 0) \$finish: always @(posedge clk) begin end 'ifdef ASSERT GLOBAL RESET end if ('ASSERT GLOBAL RESET!= end 1'b0) **begin** `endif `else //synopsys translate\_on if (reset n != 0) begin endmodule // active low reset\_n `endif Boolean SAT Algorithms / FLOLAC 2009 Prof. Chung-Yang (Ric) Huang http://dvlab.ee.ntu.edu.tw



#### **Any Problem? Whose Problem?**

"My biggest problem about design verification is that <u>the</u> <u>time is never enough</u>. I can only do my best to run more simulation, but I don't know whether it is sufficient."

--- Broadcom designer (similar comments from many others)

"It is very hard to write the testbenches and assertions for the design, since *I am not a designer*. Ask the designer to do it more? No way!!"

--- Sun Microsystems verification engineer (similar comments from many others)

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dylab.ee.ntu.edu.tw

"Where am I going to find time to write assertions? I don't even have time to write comments!"

--- Conexant design engineer

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw

#### Think ---

- ♦ If you simulate your design for 3 days and 3 nights, and you don't find any new bug. And the "coverage metric" says that the coverage is 100%. What does that mean?
  - Is your design bug-free?
  - Or the quality of your testbench is NOT good?
- ◆ If a miss of a bug in the HW chip may cost you millions of dollars...
  - Can you sleep nice without further seeking any "proof" for the correctness of your design?

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 39

Can simulation answer these questions?

Any alternative to simulation/emulation?

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang









#### Proving "assert\_always(p)"

- ◆ In later slides, we will mostly focus on how to prove the property "assert\_always(p)", instead of proving a complex temporal logic formula
- ♦ assert\_always(p) = AG (p) =  $\neg$  EF ( $\neg$ p)
- ◆ Either "proving p

"proving p is true for all states on the state transition graph" or

"finding a trace that can disprove p"

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang







#### **Combinational Invariance**

- ◆ It is worthwhile to know that some invariant assertions are actually combinational properties
  - → Properties should hold "no matter what the state is" (reachable or unreachable)
  - e.g. Bus contention



Need to assure bus won't have conflict signals even at random power-on or scan-in states

- e.g. Logic equivalence checking
  - → Most synthesis tools perform combinational optimization only
  - → Just need to make sure combinationally equivalence

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dylab.ee.ntu.edu.tw

#### **Proving Combinational Invariance** ◆No need to perform state reachability analysis → To prove a proposition p, just construct the fanin cone (functions) of p and prove that no input assignment can produce "p = 0" inputs Boolean SAT Algorithms / FLOLAC 2009 Prof. Chung-Yang (Ric) Huang http://dvlab.ee.ntu.edu.tw



| ◆ Overview of Hardware Verification                             | p3   |
|-----------------------------------------------------------------|------|
| ◆ Assertion-Based Verification                                  | p28  |
| ◆ Boolean Satisfiability (SAT) Algorithms                       | p53  |
| <ul> <li>Logic Implication and its Applications</li> </ul>      | p72  |
| <ul> <li>DPLL Decision Procedure</li> </ul>                     | p139 |
| <ul> <li>Conflict-Driven Learning and Non-Chronologi</li> </ul> | cal  |
| Packtracking                                                    | n152 |

..... p152 Backtracking Decision ordering / Restart .... p174

• Various learning techniques

**Outline** 

◆ SAT-Based Verification .... p193

• Bounded and Unbounded Modeling Checking ..... p198

• Interpolation Technique .... p214

◆ Future Research Directions ....p245

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 52

#### **Boolean Satisfiability (SAT)**

Fundamental problem in computer science

- $\bullet$  Given a Boolean network F: B<sup>n</sup>  $\rightarrow$  B. where  $B = \{ 0, 1 \}$ , and n is the number of inputs  $I = \{x_1, x_2, \dots, x_n\}$
- ◆ Boolean Satisfiability
  - → Finding an input assignment

A: 
$$\{ x_1 = a_1, x_2 = a_2, ..., x_n = a_n \mid a_i \in B \}$$
  
such that  $F = 1$ .

◆ Exponential complexity...?

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dylab.ee.ntu.edu.tw

#### **Boolean Satisfiability Solvers**

- ◆ Boolean SAT solvers have been very successful recent years in the verification area
  - More popular than other techniques (e.g. BDDs)
  - Applications
    - Equivalence checking, property checking, etc
  - Applicable even for million-gate designs
  - For both combinational and sequential problems
- ◆ Most popular ones
  - miniSat, zChaff, BerkMin, Csat, Grasp, SATO,...
  - http://www.satcompetition.org/

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw

#### Complexity of SAT solver

- ♦We have learned an efficient logic implication algorithm with watch scheme
- ◆However, the complexity for the Satisfiability problem has been proven to be NPcomplete (S. Cook, 1971)
  - Given n variables, the number of decisions can be as many as 2<sup>n</sup>...
- → How can SAT be useable for million-gate designs?

Boolean SAT Algorithms / FLOLAC 2009

http://dvlab.ee.ntu.edu.tw

#### Think about the Human Search Process

(aka: search for ¬p)

- ♦When you search for something, you usually seek for one clue after another ---
  - Containing a keyword
  - Asking a question
  - By a direction, in a room, etc
- ◆After some steps, if it is surely not there, you will reverse or revise some of the previous guesses/decisions and continue...

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang









```
A Typical Combinational SAT Algorithm
1. bool combSat(Gate g, value v)
2. {
     if (logicImplication(g, v) == false)
         return false;
     if (all signals in circuit have been implied)
         return true;
     pick an unassigned signal s
     if (combSat(s, V0) == true)
9.
         return true;
      backtrack(s);
10.
      if (combSat(s, ~V0) == true)
         return true;
      backtrack(s);
      return false;
14.
15.}
Boolean SAT Algorithms / FLOLAC 2009
                       Prof. Chung-Yang (Ric) Huang
                                          http://dylab.ee.ntu.edu.tw
```



#### A Typical Combinational SAT Algorithm 1. bool combSat(Gate g, value v) 2. { if (logicImplication(g, v) == false) return false; if (all signals in circuit have been implied) return true; 7. pick an unassigned signal s 8. if (combSat(s, V0) == true) 9. return true; backtrack(s); if (combSat(s, ~V0) == true) return true; backtrack(s); return false; 14. 15.} Boolean SAT Algorithms / FLOLAC 2009 Prof. Chung-Yang (Ric) Huang http://dvlab.ee.ntu.edu.tw



















#### **Logic Implications**

- ◆ Also called "Boolean Constraint Propagation" (BCP)
- Imply values to other gates in both forward and backward directions



Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw

How to schedule and evaluate these implications??

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dylab.ee.ntu.edu.tw

#### "Omni-directional" in a netlist



#### **Fruitless Implication Checking**

- Checking if a gate can be implied, but usually no implication
- ◆ For example, the all-1's forward implication of an AND gate
  - Only the last '1' can trigger the forward implication
    - The first (n-1) checks are useless
  - Worse case: for n-input AND gate
    - Need to check (1 + 2 + ...+ n) times of fanins



Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

## Trying to avoid fruitless implication checking

- ◆ Use a counter to record how many 'x' are in the fanins of a gate (e.g. AND gate)
  - Decrement by 1 when fanin is implied
  - Inccrement by 1 when fanin value is backtracked
  - When no 'x' fanin (x count = 0) → forward implication
- ◆ Although this can avoid fruitless implication checking, but the overhead in maintaining the counts could be an overkill...
  - 'x' count could be:  $5 \rightarrow 4 \rightarrow 3 \rightarrow 4 \rightarrow 5 \rightarrow 4 \rightarrow 5...$

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dylab.ee.ntu.edu.tw

#### Watched-fanin concept

- ◆ In the n-input AND gate case, keep a pointer to one of its fanin that has value 'x' (watched fanin)
  - If other fanin gets implication '1' → no operation
  - If this watched fanin gets implication '1', try to find another 'x' fanin to be new watched fanin
    - If found, update the pointer
    - If not found → imply '1' on the gate output



Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw

#### What's the improvement?

- ◆Worse case O(n²) ?? No
- ◆Suppose watched fanin points to the 1<sup>st</sup> fanin in the beginning
  - We always follow the same direction to find the next 'x' fanin
  - Complexity : O(n)



Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dylab.ee.ntu.edu.tw

#### Watched fanin vs. Watching list

- ♦ Watched fanin
  - When one fanin gets an implication, check if this fanin is "watched fanin"
  - → Still need to check for every fanin implication
- ◆ Watching list of watched fanin
  - The watched fanin (A) keeps the list of gates it is watching (i.e. { B })
    - When a watched fanin gets an implication
    - → Update the watched fanins of the gates in the watching list (B); remove this watching list
    - → Create the watching lists for the new watched fanins
  - Don't need to evaluate a gate (e.g. C) if it is not in the watching list of any implied fanin (e.g. A → C)

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang





Sounds good for all-1's forward implication of an AND gate, but what about 0 implication, backward implication, and other types of gates?

Different watched schemes? (Could be very complex...)

That's why simpler data structure like CNFbased SAT engine can be more efficient sometimes

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dylab.ee.ntu.edu.tw

#### **Logic Implication for CNF-Based SAT**

- Refresh:
  - Boolean function is represented as a CNF (i.e. Product of Sum, POS format)
    - Can arbitrary Boolean function be converted into CNF?
  - e.g. (a+b+c)(a'+b'+c)(a'+b+c')(a+b'+c')
  - To be satisfied, all the clauses should be '1'

Logic implication for CNF-based SAT is simple ---

- ◆ If a literal in a clause gets an implication '1'
  - → The clause is satisfied
- ◆ If a literal in a clause gets an implication '0'
  - → Check: how many literals in the clause have unknown value?
  - >= 2 : no operation
  - = 1: the remaining literal will be implied '1'
  - = 0 : the clause is evaluated to '0' → a conflict !!

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw

#### 2-Watched-Literal Algorithm

H. Zhang, SATO, CADE 97; M. Moskewicz et al, Chaff, DAC 2001

- ◆ For each clause, keep 2 pointers on 2 literals that have "non-0" values
  - If any watched literal gets implication '0'
    - Scan in the clause for another literal with "non-0" value
    - If found, update the watched literal pointer
       Else, imply the other watched literal with value '1'



#### 2-Watched-Literal Algorithm Example

Each clause stores: Each literal stores: 2 watched literal pointers A list of watching clauses



c ← 0

- Update watched literal pointer for C4 (for example, to 'g')
- · Erase c's watching-clause list
- Add 'C4' to g's watching-clause list [Note] Don't need to check 'C1'

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

#### 2-Watched-Literal Algorithm Example

Each clause: Each literal: 2 watched literal pointers A list of watching clauses

C1: ((a)+(b)+c+(d))C2:  $((\bar{a})+(\bar{d})+(\bar{e})+\bar{f}+g)$ C4: ( c +(e)+(g)+ h + i )

 $a \leftarrow 0$ 

- Update watched literal pointer for C1 (only choice, to 'd')
- Update watched literal pointer for C2 (for example, to 'e')
- Erase a's watching-clause list
- Add 'C1' to d's and 'C2' to e's watching-clause lists

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw

#### Caching Effect: Reducing from O(n) to almost O(C)

- ◆ The fact
  - Most of the time, the decision orderings at different parts of the decision tree are quite similar during a proof (or even from proof to proof)
  - → Literals in a clause get the implications almost by the same order every time
- Watched literal
  - → point to the last implied literal
  - → Don't update watched literals after backtrack. After backtracks. no evaluations from the other unwatched literals.

(L1 + L2 + L3 + L4 + L5 + L6)

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dylab.ee.ntu.edu.tw

#### 2-Watched-Literal Algorithm Example

Each clause: Each literal:

2 watched literal pointers A list of watching clauses





 $b \leftarrow 0$ 

- No more unknown literal for C1: d = 1
- No more unknown literal for C3: f = 1 [Note] No change on watched literals

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw

Logic implication can be very efficient for CNF-based SAT by using "watch" scheme.

Can this idea be applied to circuit-based SAT?

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

#### Difference between circuit and CNF SAT

◆Circuit-based SAT: gates



- ◆CNF-based SAT: clauses, variables, literals
  - n+1 clauses
    - (a1 + f')(a2 + f')...(an + f') ■ (a1' + a2' + ... + an' + f)
  - 1 variable (f)
  - 2 literals (f, f')

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dylab.ee.ntu.edu.tw

#### Converting a Circuit to a CNF

Circuit\_to\_CNF(Circuit c)

- Assign one variable to each gate in the circuit, including Pls
- ◆ For each gate in the circuit, generate the clauses for the characteristic function of this gate
- ◆ Conjunct all the clauses in step 2, return the CNF Write\_CNF(gate g)
- ◆ Enumerate all the forward implications of this gate
- ♦ For each implication, generate a clause by the rule:  $p \rightarrow q \equiv (p' + q)$

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw

#### Any problem?

- ◆ Remember there is only one type of implication in CNF SAT
  - Logic implication can be very efficient
- ◆ But implications on an AND gate



Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

ttp://dvlab.ee.ntu.edu.tw

#### Can circuit SAT do 2-watch?



- ♦ Watch 2 fanins?
  - What's the watch value?
  - How about gate output?
  - How about OR, NOR, NAND,.. gates?
  - How about XOR, MUX, ... complex gates?

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang



#### **Direct vs. Indirect Implications**



- 1. Direct implication
  - Corresponding n 2-literal clauses in CNF SAT
  - Single implication source
  - → No need to watch

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw

#### **Direct Implication**

- 1. Single source for each implication
- 2. Only depends on netlist structure; has nothing to do with the proving process (e.g. decisions, etc)
- 3. Should never encounter "CONFLICT" during the proof process (assume circuit is a DAG)

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dylab.ee.ntu.edu.tw

#### **Direct Implication**

- → Construct a "*direct implication graph*" in the preprocessing step
- → Apply direct implications whenever a gate is implied to a value



#### **Direct vs. Indirect Implications**









- 1. Direct implication
  - Corresponding n 2-literal clauses in CNF SAT
  - Single implication source
  - → No need to watch
- Indirect implication
  - Corresponding to the same (n+1)-literal clause
  - Only the last implied pin has different value
  - → 2 watches: among all fanins and the gate itself

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw

#### **Indirect Implication (AND gate)**

- ◆ Select 2 pins (fanins or the gate itself) in a gate to watch
  - Almost the same as CNF SAT, except that the "watched value" depends on the gate type and I/O
  - For each gate, two lists of watching gates
    - When a gate gets a value, perform direct implication and/or update watch for the gates on the watching list

watching-0: { a } watching-1: { }





watched pins



watching-0: { } watching-1: { a, b }

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw

#### Watch Scheme for XOR Gate

- ♦ n-input XOR gate
  - 2<sup>n</sup> (n+1)-literal clauses
  - e.g.  $(a + b + \overline{f}) (\overline{a} + b + f) (a + \overline{b} + f) (\overline{a} + \overline{b} + \overline{f})$
- ♦ Implication occurs only when n variables become "known"
  - → 2-watch: watch-known

watching-0: { } watching-1: { } watching-known: { a }



watching-0: { } watching-1: { }

watching-known: { }

watching-0: { } watching-1: { b }

watching-known: { a }

Boolean SAT Algorithms / FLOLAC 2009

http://dvlab.ee.ntu.edu.tw 99

#### **Generic Watch Scheme**

- ◆It can be shown that the watch scheme can be extended to complex gates such as MUXes, Pseudo Boolean gates, etc.
- ◆For more details, please refer to:
  - "QuteSAT: A Robust Circuit-based SAT Solver for Complex Circuit Structure", DATE 2007.

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 100

25

#### **Applications of Logic Implication**

- We have learned that logic implication can be very efficient for both CNF and circuitbased SAT solvers
- ◆Logic implication is actually also a powerful approach in exploring signal correlations in the circuit
- ◆Any application?
  Redundancy addition and removal

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 101

#### **Redundancy Addition and Removal (RAR)**

- ◆ Redundancy to a circuit
  - When removing or adding some signal/gate to a circuit, the circuit functionality remains unchanged
- Motivations
  - Removing redundancy in a circuit can gradually lead to small area, timing, power, etc
  - When (deliberately) adding some redundancy to a circuit, we may cause <u>other</u> part of the circuit become redundant
    - Incremental circuit restructuring (rewiring)
    - Can be used for incremental optimization (e.g. timing, area, etc)

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 102

#### **Redundancy in a Combinational Circuit**

- ◆Redundancy in a combinational circuit
  - = Single stuck-at fault untestable



#### **Background: Single Stuck-at Fault Untestable**

- Sufficient untestable condition
  - The mandatory assignment (MA) of the stuck-at fault has conflict





Faulty circuit

cuit Good circuit

- Mandatory assignment of a fault
  - Denoted as MA(w) or MA(g), where 'w' or 'g' is the fault location (wire or gate)
  - Implications of
    - 1. Fault sensitization @ fault site
    - 2. Fault propagation @ the side inputs of the dominators
- Dominators of a fault
  - The gates where all the paths from the fault site to the POs must intersect on page 22.1



Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang









- → Yes, but the extra wire itself must be redundant
- → Add a redundant wire to make the originally irredundant wire become redundant

Boolean SAT Algorithms / FLOLAC 2009 Prof. Chung-Yang (Ric) Huang http://dvlab.ee.ntu.edu.tw 107





## But remember, the added wire must be redundant!!

## RAMBO: Redundancy Addition and removal for Multi-level Boolean Optimization

[Cheng et.al. TCAD 1995]

- Given a target wire, perform its mandatory assignments (MA) for its corresponding s-a fault
- 2. For each gate  $g_m$  in the set of MA,

For each dominator  $g_d$  test the fault on the added wire  $(g_m \rightarrow g_d)$ 

- a. If  $value(g_m) = 0$  and  $g_d$  is an AND  $\rightarrow$  direct connection
- b. If  $value(g_m) = 1$  and  $g_d$  is an AND  $\rightarrow$  add an inverter
- c. If  $value(g_m) = 0$  and  $g_d$  is an OR  $\rightarrow$  add an inverter
- d. If  $value(g_m) = 1$  and  $g_d$  is an OR  $\rightarrow$  direct connection
- 3. If the fault on the added wire in 2.a ~ 2.d is untestable,
  - → the added wire is redundant and can be an alternative wire to remove the target wire

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang





#### **RAMBO Algorithm Complexity**

- ◆ Need to perform (M \* D) redundancy tests
  - M: number of gates in MA
  - D: number of dominators
  - → Could be a BIG number
- ◆ "Perturb and Simplify" (Chang, et. al. TCAD 1996)
  - Propose several rules to filter out impossible candidates

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 114

### Filtering Out Impossible Candidate Wires (Chang, et. al. TCAD 1996)

- "Forced MAs" are the MAs ---
  - To activate the fault site
  - 2. Obtained by setting the side inputs of dominators to non-controlling values
  - 3. Obtained by backward implications of 1 & 2
- If w<sub>a</sub> (n<sub>s</sub> → n<sub>d</sub>) is an alternative wire of wire w<sub>t</sub>, and n<sub>d</sub> is an AND(OR) gate, then for w<sub>t</sub> stuck-at-fault test ---
  - 1. n<sub>s</sub> must have a MA 0(1)
  - 2. n<sub>d</sub> must have a forced MA 1 or D (0 or D)
  - → Still many candidates

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 115

In short, given a target wire, it is easy to add a wire to its dominator to make this wire redundant.

The problem is, need to make sure the added wire is redundant. This may require a large number of fault tests.

So, can we deliberately add something to a circuit, and guarantee that it is redundant?

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

## How do we add "something" to a circuit and guarantee it is redundant?

◆ Add a wire



◆Add a gate



Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 117

#### **Creating a Redundant Wire**

- lacktriangle e.g. Add to the input of an AND gate  $g_d$ 
  - 1. Test the output s-a-0 fault of this AND gate
  - 2. Perform MA of this fault



3. For each gate  $g_s$  in the MA, there is a corresponding redundant wire (or with inverter) to  $g_d$ 

Why??

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 118

## A Two-Way Redundancy Addition and Removal (2-Way RAR) Algorithm

- 1. Given a target wire on  $g_n$  perform  $MA(g_n)$ 
  - $\bullet$  Adding a wire from a gate  $g_{\rm s}$  in MA( $g_{\rm d}$ ) to any of its dominator  $g_{\rm d}$  can make this target wire redundant
  - e.g. value(g<sub>s</sub>) = 0 → AND gate g<sub>d</sub>



#### 2-Way RAR Algorithm

- 1. Given a target wire on  $g_n$  perform MA( $g_i$ )
  - Adding a wire from a gate  $g_s$  in  $\mathrm{MA}(g_l)$  to any of its dominator  $g_d$  can make this target wire redundant
  - e.g. value( $g_s$ ) = 0  $\rightarrow$  AND gate  $g_d$
- Given a destination gate g<sub>d</sub>(dominator of the target wire g<sub>t</sub>), perform MA(g<sub>d</sub>)
  - $\bullet$  Any wire from a gate  $g_{\rm s}$  in  ${\rm MA}(g_{\rm d})$  to this gate  $g_{\rm d}$  can be redundant
  - e.g. value(g<sub>s</sub>) = 1 → AND gate g<sub>d</sub>







#### 2-Way RAR Algorithm

- 1. Given a target wire on  $g_t$ , perform  $MA(g_t)$
- 2. Given a destination gate  $g_a$ (dominator of the target wire  $g_t$ ), perform MA( $g_a$ )
- 3. Perform an intersection of (1) & (2)
- 4. Any contradiction on a gate  $g_s$ , implies an alternative wire  $(g_s \rightarrow g_d)$  for the target wire on  $g_t$ 
  - Can be generalized for adding a gate or adding a sub-circuit

[ref: Huang ISPD 1998]

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang







#### 2-Way RAR Algorithm

- ◆ Pros
  - No need to perform (M\*D) redundancy test as in RAMBO
  - Potential orders of speed-up
- Cons
  - Only connect to dominators? (Can we connect to fanins of dominators?)
  - Still need to try for each dominator
  - MA on target wire may NOT intersect with MA on dominators
    - → Or just find some trivial alternative wires (e.g. DeMorgan Law)
- → Methods to deriving more MAs (e.g. Recursive learning) are often used (but could be expensive)
- → How can we increase the number of MAs?

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 126

#### SAT-Controlled RAR (SatRAR) [Huang, ASPDAC 2009]

- ◆ Problems with previous RAR techniques
  - RAMBO: too many redundancy tests
  - 2-Way RAR: expensive implication technique needed
- ◆ SAT-controlled RAR
  - NOT just take the advantage of the advancements from the modern SAT solvers (covered later)
    - Efficient BCP, conflict-driven learning, etc
  - A seamless integration of SAT and RAR algorithms
  - Extensions for general RAR
    - Alternative wire, gate, sub-circuit identification
  - Options to "control" the RAR optimization quality

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

## Single Wire Replacement Theorem in SatRAR

- ◆ Let MA(w<sub>t</sub>) and MA(g<sub>d</sub>) be the mandatory assignments for the fault tests of the target wire w<sub>t</sub> and its dominator g<sub>d</sub>, respectively.
- ♦ Let  $\langle \mathbf{g}_s, \mathbf{v} \rangle$  belong to  $MA(w_t)$  but not  $MA(g_d)$ , and  $g_s$  be not in the fanout cone of  $g_d$ .
- If we make a decision  $\langle g_s, v \rangle$  on top of  $MA(g_d)$  and encounter a conflict, then

(i) 
$$MA(g_d) \Rightarrow \langle g_s, \neg v \rangle$$

(ii)  $(g_s \rightarrow g_d)$  or  $(g_s \rightarrow g_d)$  must be a valid alternative wire for  $w_t$ 

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang







#### **SRAR-Wire vs. Original RAMBO (FYI)**

- ◆ Similarity (looks like...)
  - For each assignment  $g_s$  in { MA( $w_t$ ) MA( $g_d$ ) }... vs. For each assignment  $g_s$  in MA( $w_t$ )...
- ◆ Difference
  - Incremental SAT vs. Independent redundancy tests
- ◆ Incremental SAT in SatRAR
  - MA(g<sub>s</sub>) is performed on top of MA(g<sub>d</sub>)
    - Sharing of different MA(g<sub>di</sub>)
  - Conflict-driven learning
    - Learning & RAR at the same time
  - Implication filter
    - Reduce #decisions
  - More importantly, can be extended for alternative gate/sub-circuit replacements

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 133

## Single Gate Replacement Theorem in SatRAR

- ◆ Let MA(w<sub>t</sub>) and MA(g<sub>d</sub>) be the mandatory assignments for the fault tests of the target wire wt and its dominator gd, respectively.
- ♦ Let both  $\langle \mathbf{g}_s, \mathbf{u} \rangle$  and  $\langle \mathbf{g}_t, \mathbf{v} \rangle$  belong to  $MA(w_t)$ , and be not in the fanout cone of gd.
- ♦ Suppose we make the decision  $\langle g_s, u \rangle$  after MA( $g_d$ ) and result in an implication  $\langle g_t, \neg v \rangle$ .
- ◆ Let a gate  $g_n = AND(\langle g_s, u \rangle, \langle g_t, v \rangle)$ . Then (i)  $MA(g_a) \Rightarrow \neg g_{n'}$ 
  - (ii)  $g_n$  or  $\neg g_n$ , when connected to  $g_d$ , must be a valid alternative gate for  $w_t$

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang







#### **Outline**

| ◆ Overview of Hardware Verification                                                 | p3            |
|-------------------------------------------------------------------------------------|---------------|
| ◆ Assertion-Based Verification                                                      | p28           |
| ◆ Boolean Satisfiability (SAT) Algorithms                                           | p53           |
| Logic Implication and its Applications                                              |               |
| •                                                                                   | p72           |
| DPLL Decision Procedure                                                             | p139          |
| <ul> <li>Conflict-Driven Learning and Non-Chronologic</li> </ul>                    | cal           |
| Backtracking                                                                        | p152          |
| <ul> <li>Decision ordering / Restart</li> </ul>                                     | p174          |
| <ul> <li>Various learning techniques</li> </ul>                                     |               |
| ◆ SAT-Based Verification                                                            | p193          |
| <ul> <li>Bounded and Unbounded Modeling Checking</li> </ul>                         | p198          |
| <ul> <li>Interpolation Technique</li> </ul>                                         | p214          |
| ◆ Future Research Directions                                                        | p245          |
| Boolean SAT Algorithms / FLOLAC 2009 Prof. Chung-Yang (Ric) Huang http://dvlab.ee.r | tu.edu.tw 138 |

#### **CNF-Based SAT Algorithm**

- 1. Davis, Putnam, 1960
  - Explicit resolution based
  - May explode in memory
- 2. Davis, Logemann, Loveland, (DLL) 1962
  - · Search based.
  - Most successful, basis for almost all modern SAT solvers
  - Learning and non-chronological backtracking, 1996
- 3. Stålmarcks algorithm, 1980s
  - · Proprietary algorithm. Patented.
  - Commercial versions available
- 4. Stochastic Methods, 1992
  - Unable to prove unsatisfiability, but may find solutions for a satisfying problem quickly.
  - Local search and hill climbing

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 139

#### Resolution

- ◆ Resolution of a pair of clauses with exactly ONE incompatible variable
  - Two clauses are said to have distance 1



Souce: Prof. Sharad Malik, "The Quest for Efficient Boolean Satisfiability Solvers"

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang



M .Davis, H. Putnam, "A computing procedure for quantification theory", J. of ACM, Vol. 7, pp. 201-214, 1960 (360 citations in citeseer)

- ◆ Existential abstraction using resolution
- ◆ Iteratively select a variable for resolution till no more variables are left.



#### Potential memory explosion problem!

Souce: Prof. Sharad Malik. "The Quest for Efficient Boolean Satisfiability Solvers"

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 141

#### **Basic DLL Procedure - DFS** (a' + b + c)← Decision (a + c + d) (a + c + d') □ Decision (a + c' + d) □ Decision (a + c' + d')(b' + c' + d)Implication Graph (a' + b + c')Conflict! (a' + b' + c)Boolean SAT Algorithms / FLOLAC 2009 ified from: Brof. Sharad Malikic, The Quest for Efficient Reclean Satisfiability Solvers

#### **Boolean Satisfiability (SAT) Algorithm**

- 1. Davis, Putnam, 1960
  - Explicit resolution based
  - May explode in memory
- 2. Davis, (Putnam), Logemann, Loveland, (D(P)LL) 1962
  - Search based.
  - Most successful, basis for almost all modern SAT solvers
  - Learning and non-chronological backtracking, 1996
- 3. Stålmarcks algorithm, 1980s
  - Proprietary algorithm. Patented.
  - Commercial versions available
- 4. Stochastic Methods, 1992
  - Unable to prove unsatisfiability, but may find solutions for a satisfying problem quickly.
  - · Local search and hill climbing

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang















## Potentially exponential complexity!! Did you see any unnecessary work?

Boolean SAT Algorithms / FLOLAC 2009

#### **SAT Improvements**

- 1. Conflict-driven learning
  - Once we encounter a conflict
    - → Figure out the cause(s) of this conflict and prevent to see this conflict again!!

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 152

















## A Closer Look at the Implication Graph (a conceptual implementation) ◆ Implications are grouped into different decision levels • Level 0: target imp; constants • Level 1+: decisions ◆ Node (gate, value): implications ◆ Incoming edge(s) of a node: implication sources (reasons) • The nodes with no incoming edges are called "root

- The nodes with no incoming edges are called "root implication nodes"
- There should only be ONE root implication node for each decieion level >= 1 (which is the decision in that level)



#### 





#### Which constraint is the best to add?

- ◆[Zhang, et al, ICCAD 2001] Experiment shows that "first-UIP" (1st-UIP) is the best
  - UIP: Unique Implication Point
    - In a cut that there is only one node in the last (where conflict happens) decision level (why UIP cut?)
    - Starting from the conflict gate, the first encountered UIP is namely first UIP
    - The cut with only decision nodes is called the last-UIP
      - In the previous example, (2) is the last UIP, and (3) is the first UIP

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 165

#### **UIP for Non-chronological Backtracking**

- ◆ Since in UIP cut there is only one node with the last decision level...
- ◆ And we add a constraint for the UIP cut





#### Conflict-Driven Non-Chronological Backtracking --- Algorithm

- When conflict occurs, check if the conflict level == 0 (implication level for the SAT target)
  - a) If yes, return unsatisfiability (Why?)
  - b) Else, continue to 2
- 2. Find the 1st-UIP cut as the conflict causes
- Backtrack to the max decision level of the nodes other than UIP in the cut
- The UIP gate will be implied with the opposite value
- 5. Perform the new implication
- 6. If conflict, go to 1, else continue for the next decision

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

#### A closer look at binary decision tree

In general, is non-chronological backtracking safe?

- May lead to SAT solution ealier
- But some portion of the decision tree may not be covered
  - Not a complete search anymore
  - May also miss some bugs
- → Difficult to record which branches haven't been searched

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dylab.ee.ntu.edu.tw

#### Conflict-Driven Non-Chronological Backtracking --- Completeness

- ◆ But with conflict-driven learning, SAT search is still guaranteed to be complete
- ◆ SAT search is not a binary decision tree anymore...
  - Becomes a decision stack
  - Conflict
    - → Learned clause (gate)
    - → Indicate where to backtrack
    - → Learned implication



Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 1

#### Conflict-Driven Non-Chronological Backtracking --- Completeness

- ◆Branch-and-bound algorithm for Constraint Satisfaction Problem (CSP) becomes a "constraint refinement process"
- → Search region is gradually narrowed down
- → At the end, either becomes empty, or finds the solution !!

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 171







(3): 
$$(a2' + c3' + c4') \xrightarrow{} (a2' + b4' + c2' + c3')$$

(4): 
$$(c1 + c3)$$
  $\xrightarrow{\downarrow}$   $(a2' + b4' + c1 + c2')$    
(5):  $(b1 + c1 + c2)$   $\xrightarrow{\downarrow}$   $(a2' + b1 + b4' + c1 + c2')$ 

Boolean SAT Algorithms / FLOLAC 2009 Prof. Chur

Prof. Chung-Yang (Ric) Huang

#### What we have learned on SAT...

- 1. Efficient logic implication using watches
- 2. Conflict-driven learning for nonchronological backtracking
- ◆ More heuristic...
- 3. Decision ordering / Restart
- 4. Various learning techniques

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 173

#### **Impact of Decision Ordering**

- Decision ordering: the order of gates that the corresponding decisions are made
  - 1. Order of gates
  - Decision values
  - → Good and bad decisions can lead to exponential difference (e.g. 2<sup>10</sup> vs. 2<sup>50</sup>)



Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

tp://dvlab.ee.ntu.edu.tw 1

#### **Static Decision Ordering**

- Decision order and values are pre-computed in the beginning and remain unchanged
- 1. Topological
  - Depth-first
  - Breadth-first
  - Guided by gate types
- Probability-based
  - Controllability / Observability
  - Signal probability
  - (Weighted) Random
- Influence-based
  - Literal count
  - #fanins / #fanouts
  - Influence of implications

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 175

#### **Dynamic Decision Ordering**

- Decision order and values are dynamically determined based on current implication values, justification frontier, etc.
  - · Use similar criteria as static method
  - But can mix different rules dynamically
- Pros
  - May lead to better decisions
  - Avoid useless decisions
- ♦ Cons
  - Overhead in computing dynamic ordering may be high
  - Effectiveness sometimes is hard to predict
- → However, experiences show that the best is:
  - 1. Has a good initial decision ordering
  - Adaptively adjust the decision order after a certain amount of backtracks

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

#### zChaff's Variable State Independent Decaying Sum (VSIDS) Decision Heuristic

- (1) Each variable in each polarity has a counter, initialized to 0.
- (2) When a clause is added to the database, the counter associated with each literal in the clause is incremented.
- (3) The (unassigned) variable and polarity with the highest counter is chosen at each decision.
- (4) Ties are broken randomly by default, although this is configurable
- (5) Periodically, all the counters are divided by a constant.

Zhang, et al, DAC 2001

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 177

#### More decision heuristics...

- ◆Variable Move-To-Front (VMTF)
- ◆Clause Based Heuristic (CBH)
- ◆Resolution Based Scoring (RBS)
- **♦**..
- ◆In general, there is no single decision heuristic that works for every case.
  - → How to adaptively move to a good decision heuristic may be the winner...

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 179

#### **Berkmin – Decision Making Heuristics**

- E. Goldberg, and Y. Novikov, "BerkMin: A Fast and Robust Sat-Solver", Proc. DATE 2002, pp. 142-149.
- Identify the most recently learned clause which is unsatisfied
- ♦ Pick most active variable in this clause to branch on
- ◆ Variable activities
  - updated during conflict analysis
  - decay periodically
- If all learnt conflict clauses are satisfied, choose variable using a global heuristic
- ◆ Increased emphasis on "locality" of decisions

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 178

#### A closer look at binary decision tree

Should the decision orderings on all branches be the same?



Remember when we talked about conflict-driven learning, we mentioned that by adding a learned clause we can do non-chronological backtracking, while still achieve complete proof

How??

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 181

#### **The Constraint Refinement Process**

- Search region is gradually narrowed down by the learned constraints
- ◆ Learned information is universally true
  - Independent of the target implication, only related to the circuit function
  - The proof efforts between different properties can be shared
    - → Incremental SAT
- ◆ Decision process can "restart" any time any where!!
  - Can use different decision ordering to explore different area in the decision tree
    - Previous efforts will not be wasted

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 182

#### **Various Learning Techniques**

- Other than conflict-driven learning, there are many other learning techniques that can help
  - Derive more implications
     → may help find the conflict earlier
  - Provide information for decision ordering
- 1. Static learning
- 2. By signal correlations
- 3. Recursive learning
- 4. Success-driven learning

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 183

#### **Static Learning**

◆Learn by contrapositive

$$(a \rightarrow b \equiv !b \rightarrow !a)$$

♦e.g.



 $a = 1 \rightarrow b = 1$ Learned  $b = 0 \rightarrow a = 0$ 

The question is: which gate to learn??

Ref: "SOCRATES: A Highly Efficient Automatic Test Pattern Generation System", Schulz et.al, TCAD 1988

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

#### **Learned by Signal Correlations**

- ◆ A proof-based approach
  - Since learned information is universally true, we can create some internal interesting properties, and use these properties to derive some interesting learning (by conflict analysis)
- e.g. By simulation, if we find a gate 'g' is very likely to stuck at some value 'v'
  - $\rightarrow$  Witness "g =  $\neg v$ " (should produce many conflicts)
- e.g. By simulation, if two signals respond almost the same
  - → Witness "p!= a"
- ◆ No matter the proof is finished or not
  - We can always learn something

Ref: Feng Lu, et. al, "A Circuit SAT Solver with Signal Correlation Guided Learning", DATE 2003

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dylab.ee.ntu.edu.tw 185

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 197

#### **Recursive Learning**

- ◆ To justify f = 0
  - (a = 0) or (b = 0)
  - Let S<sub>a</sub> and S<sub>b</sub> be the set of implications from (a = 0) and (b = 0), respectively
  - Let S =  $S_a \cap S_b$ 
    - $\rightarrow$  (f = 0) implies S

f = 0

- ◆ A recursive process
- ◆ Deep recursion could be very expensive a = 0



Ref: "HANNIBAL: an efficient tool for logic verification based on recursive learning", Wolfgang Kunz, ICCAD 1993

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 186

#### **Conflict vs. Success-Driven Learning**

Motivation: Traditional SAT approach finds only 1 solution, can we find more (or all) the solutions?

- ◆ How to record the solutions?
  - Hash table? (too expensive)
- ♦ Success-driven learning
  - Similar to conflict learning
  - When we find one solution, say (v1, v2, ..., vn), add a blocking gate "v1 && v2 && ... vn = 0" so that
    - This solution won't be repeated
    - May lead to new implication
    - Can continue the justification process for the next solution
  - At the end, all the solutions are recorded as set of blocking gates (or clauses)

Boolean SAT Algorithms / FLOLAC 2009

#### Conflict vs. Success-Driven Learning

- ◆However, the number of solutions in a SAT problem can be very huge!!
  - → Some solutions may look alike ---

e.g. 1010011, 1100011, 0110011...

s1

s2

s3

Can we predict that the subsolutions under the sub-search tree are already covered?



Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

#### **Success-Driven Learning**

- ◆ Ref: Shuo, et al. DATE 2003
- ◆ Assume
  - ATPG-based technique (work on circuit)
  - Decisions on PIs only → forward implications
- ◆ Search State Equivalence
  - If two decisions have the same signature
  - → The "sub-solutions" under the sub-search space are the same!!
  - → No need to search
- ◆ Note: they also store the solutions in a "free BDD"



Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 189

Although "learning" in general can lead to more implications and possibly lead to conflicts earlier (i.e. bound earlier) ---

- 1. It may slow down the implication process
- 2. It may affect the decision ordering, which may not necessarily reduce the #decisions

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 190

#### What can we do to make the learning useful?

- 1. Use learning to find better decision ordering
  - zChaff uses learned information to refine the decision ordering
  - BerkMin uses learned information to increase emphasis on "locality" of decisions
- 2. With conflict analysis, decision can restart any time
  - Change to different decision ordering heuristic to explore different areas in the input space
- 3. Modify the learned information
  - Remove least-used learned information
  - Simplify or synthesize the learned information
  - Any other idea?

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 191

#### **Outline**

| <ul> <li>Overview of Hardware Verification</li> </ul>                               | p3            |  |
|-------------------------------------------------------------------------------------|---------------|--|
| ◆ Assertion-Based Verification                                                      | p28           |  |
| ◆ Boolean Satisfiability (SAT) Algorithms                                           | p53           |  |
| <ul> <li>Logic Implication and its Applications</li> </ul>                          | p72           |  |
| <ul> <li>DPLL Decision Procedure</li> </ul>                                         | p139          |  |
| <ul> <li>Conflict-Driven Learning and Non-Chronological</li> </ul>                  |               |  |
| Backtracking                                                                        | p152          |  |
| <ul> <li>Decision ordering / Restart</li> </ul>                                     | p174          |  |
| <ul> <li>Various learning techniques</li> </ul>                                     |               |  |
| ◆ SAT-Based Verification                                                            | p193          |  |
| <ul> <li>Bounded and Unbounded Modeling Checking</li> </ul>                         | p198          |  |
| <ul> <li>Interpolation Technique</li> </ul>                                         | p214          |  |
| ◆ Future Research Directions                                                        | p245          |  |
| Boolean SAT Algorithms / FLOLAC 2009 Prof. Chung-Yang (Ric) Huang http://dvlab.ee.n | tu.edu.tw 192 |  |





#### **SAT-Based Verification**

- We know that SAT engine can work on the "assignment problem"
  - Find an assignment for a set of constraints
  - To prove that the counter-example of an combinational invariance does not exit
- How can we apply SAT on sequential assertion checking?
  - We prove that counter-example does not exist in one timeframe, not in two timeframes, three, four, ... to infinity?
  - How can we assure that ALL the reachable states have been reached?

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang



♦ However, in the above approach, we are solving one state (cube) at a time.

The number of states is exponential to the number of registers...

SAT seems inefficient...

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 197



#### **Bounded Model Checking (BMC) Algorithm**

- ◆ Let 'C' be the set of constraints on the combinational circuit
  - → For an iterative model that unfolds the circuit for n times. let 'C<sub>i</sub>' correspond to the i-th iteration of the circuit constraint  $(0 \le i \le n - 1)$
- ◆ Let 'I<sub>0</sub>' be the initial state value
- ◆ Let 'P' be the property to prove

```
♦ BMC(P) {
       let k = 1;
    loop:
       if (SAT(I_0 \land C_0 \land ... \land C_{k-1} \land !P_{k-1}))
          return "Find a counter-example @ (K-1)";
      k = k + 1;
       goto loop;
Boolean SAT Algorithms / FLOLAC 2009
```

Prof. Chung-Yang (Ric) Huang

#### How far should we go?

- ◆What's the limit of K?
  - (How many iterations do we need before concluding the property is always true?)
  - → Impossible to know in the above BMC algorithm
  - → A loose upper bound is 2<sup>N</sup> (N is the number of registers)

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 200

#### **Application of BMC**

- ◆ If the property is false, BMC can find a counter-example with the shortest length
- ◆ However, if the property is true, BMC cannot produce any conclusive result...

(BMC is best used in "bug-finding")

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 201

#### **Extension of BMC for Unbounded Proof**

- ◆ BMC, combined with various techniques, can be extended to unbounded model checking
- 1. K-step Induction
- 2. Simple-path constraint

(Covered in next topic)

- 3. Counter-example-based abstraction
- 4. Proof-based abstraction
- 5. Image computation by SAT
- 6. Over-approximated image computation using interpolation etc...

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 202

#### K-induction

5552000

◆Induction:

$$P(s_0)$$

$$\forall i: P(s_i) \Rightarrow P(s_{i+1})$$

$$\forall i: P(s_i)$$

k-step induction:

$$\begin{aligned} & & P(s_{0..k-1}) \\ \forall i : & \underline{P(s_{i..i+k-1})} \Rightarrow P(s_{i+k}) \\ & \forall i : P(s_i) \end{aligned}$$

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 203

#### K-induction with a SAT solver

◆Let:

 $U_{k} = C_{0} \wedge C_{1} \wedge ... \wedge C_{k} \qquad I_{0} \stackrel{?}{\Rightarrow} C_{0}$ 



- ◆Two formulas to check:
  - Base case:

$$I_0 \wedge U_{k-1} \Rightarrow P_0...P_{k-1}$$

• Induction step:

$$U_k \wedge P_0...P_{k-1} \Rightarrow P_k$$

- ♦ If both are valid, then P always holds.
- ♦ If not, increase k and try again.

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

#### **Induction SAT**

```
for (k = 0 to infinity)
   S = U<sub>k</sub> ∧ F<sub>k</sub> // F<sub>k</sub> = P<sub>0</sub> ∧... ∧ P<sub>k-1</sub> ∧ !P<sub>k</sub>
   T = I<sub>0</sub> ∧ S
   // induciton step
   if (SAT(S) == false)
      return NO_SOLUTION; // i.e. P is true
   // normal proof: base case for next k
   if (SAT(T) == true)
      return HAS_SOLUTION; // i.e. CEX is found
   if (effort exceeds limit)
      return ABORT;
endfor
```

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 205

#### **Induction SAT**

```
♦ In other words, let
```

 $S(k) = U_k \wedge F_k$  // induction step

 $T(k) = I_0 \land S // BMC step$ 

◆ Induction SAT...

if (S(0) == UNSAT) return UNSAT;

if (T(0) == SAT) return SAT;

if (S(1) == UNSAT) return UNSAT;

if (T(1) == SAT) return SAT;

...

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 206

Does "Induction SAT" guarantee convergence?

i.e. Will we either

1. conclude no solution in induction step

or 2. find a counter-example in normal proof with a finite number k ???

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 207

#### Simple path assumption

- ◆Unfortunately, k-induction is not complete.
  - Some properties are not k-inductive for any k.



- ◆Simple path restriction:
  - There is a path to ¬P iff there is a simple path to ¬P (path with no repeated states).

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

#### Induction over simple paths

- ♦ Let simple( $s_{0..k}$ ) be defined as:
  - $\forall i,j \text{ in } 0..k : (i \neq j) \Rightarrow s_i \neq s_i$
- ◆k-induction over simple paths:

$$\frac{P(s_{0..k-1})}{\forall i: simple(s_{0..k}) \land P(s_{i..i+k-1}) \Rightarrow P(s_{i+k})}$$
$$\forall i: P(s_i)$$

Must hold for k large enough, since a simple path cannot be unboundedly long. Length of longest simple path is called recurrence diameter.

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 209

Is the recurrence diameter the same as the diameter (the distance from initial state to any state, i.e. depth of fixed point)??

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 211

#### ...with a SAT solver

◆For simple path restriction, let:

 $S_k = \forall t=0..k$ , t'=t+1..k:  $\neg (\forall v \text{ in } V : v_t = v_t)$  (where V is the set of state variables).

- ◆Two formulas to check:
  - Base case:

$$I_0 \wedge U_{k-1} \Rightarrow P_0...P_{k-1}$$

• Induction step:

$$S_k \wedge U_k \wedge P_0...P_{k-1} \Rightarrow P_k$$

- ♦ If both are valid, then P always holds.
- ◆If not, increase k and try again.

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 210

#### **Termination**

◆ Termination condition:

k is the length of the longest simple path of the form

- ◆ This can be exponentially longer than the diameter.
  - example:
    - loadable mod  $2^N$  counter where P is (count  $\neq 2^{N}$ -1)
    - diameter = 1
    - longest simple path = 2<sup>N</sup>
- ◆ Nice special cases:
  - P is a tautology (k=0)
  - P is inductive invariant (k=1)

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

#### **Outline**

◆ Overview of Hardware Verification .... p3 ◆ Assertion-Based Verification .... p28 ◆ Boolean Satisfiability (SAT) Algorithms .... p53 .... p72 Logic Implication and its Applications .... p139 • DPLL Decision Procedure • Conflict-Driven Learning and Non-Chronological Backtracking ..... p152 • Decision ordering / Restart .... p174 Various learning techniques ◆ SAT-Based Verification .... p193 • Bounded and Unbounded Modeling Checking ..... p198 • Interpolation Technique .... p214 ◆ Future Research Directions ....p245 Boolean SAT Algorithms / FLOLAC 2009 Prof. Chung-Yang (Ric) Huang http://dvlab.ee.ntu.edu.tw 213

#### **SAT-Based Verification**

- **♦** BMC
  - Can find the shortest counter-example if it exists
  - But cannot prove invariance
- ◆ BMC + induction
  - Can prove invariance... only for cases that do not have a sequential feedback loop
- ◆ BMC + induction + simple-path constraints
  - Can guarantee convergence... but the overhead induced by the constraints can be very high
- What we are missing for SAT-based sequential proof...
  - An efficient method to "record" reachable states
  - → Not a natural SAT application?

Boolean SAT Algorithms / FLOLAC 2009 Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 214

#### Symbolic model checking without BDD's

- ◆There are some algorithms to compute the set of reachable states by SAT
- ◆Fixed point characterization

[ref: Abdulla, Bjesse and Een 2000 Williams, Biere, Clarke and Gupta 2000]

- Syntactic quantifier elimination
- Blocking clauses
- CTL Model Checking with SAT
- → Need some background that is beyond the scope of this class...

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 215

#### **SAT-based image**

- May provide a good alternative when other technique (e.g. BDD) fails.
- ◆ Does not take advantage of SAT solver's ability to filter out irrelevant facts, since exact image is computed.
- ◆ Think:
  - Our goal of proof is: (1) Either find "a" counterexample, or (2) Prove that no counter-example can be found in reachable states
  - → Do we really need to compute the "exact" image of the reachable states?

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

#### **Limitation of Formal Engine**

- ◆ Still bounded by exponential complexity
  - When design gets big, or property becomes complex, it is very often that the formal engine cannot conclude the proof result
  - → We have "coverage metric" for simulation, what about formal method?
- However, property checking by formal engine is somewhat analogous to reversely reasoning on designer's intent
  - Designer's intent should not be too complicated for one local module
  - It's the interaction on the modules that make the problem difficult

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 217

#### **Abstraction and Refinement**

If we can confine our search/reasoning on some boundary (e.g. local module, FF boundary), we can simplify our proof

→ Abstraction

But simplifying something means something is ignored.... the result may not be accurate

→ Refinement

...refined to a bigger search region

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 218



Prof. Chung-Yang (Ric) Huang

#### **Constraint granularity**

Boolean SAT Algorithms / FLOLAC 2009

Most authors use constraints at "latch" granularity...



Model:

$$C = \{ c' = (a \land b) \lor c \}$$

http://dvlab.ee.ntu.edu.tw 219

...however, techniques we will consider can be applied at both "gate" and "latch" granularity.

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang



But, how to use SAT to compute the over-approximated image?

You need to understand two key techniques --Unsatisfiability Core
Interpolation

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 222

#### **Remember: Resolution**



When a conflict occurs, the implication graph is used to guide the resolution of clauses, so that the same conflict will not occur again.

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 223

#### **Conflict Clauses (cont.)**

- ◆Conflict clauses:
  - Are generated by resolution
  - Are implied by existing clauses
  - Are in conflict in the current assignment
  - Are safely added to the clause set

Many heuristics are available for determining when to terminate the resolution process. (e.g. first UIP)

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

#### **Generating refutations**

- ◆ Refutation = a proof of the null clause
  - Also called "proof core" or "UNSAT core"
  - Record a DAG containing all resolution steps performed during conflict clause generation.
  - When null clause is generated, we can extract a proof of the null clause as a resolution DAG.

Original clauses

Derived clauses



Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 225

# Refresh: Implication graph, resolution, and learning Decision level a = 1 b = 0 b = 0 b = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c = 0 c

#### **Extraction of Unsatisfiability Core**

- 1. For each conflict, record the resolution graph for the learned clause
- A learned clause may depend on other learned clause, so does its resolution graph may build upon other's resolution graph
- The root clauses for the last conflict (i.e. conflict at decision level 0) will be the unsatisfiability core

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 227

#### Interpolation

(Craig,57)

♦ If A ∧ B = false, there exists an interpolant A' for (A,B) such that:

$$A \Rightarrow A'$$
 $A' \land B = \text{false}$ 

A' refers only to common variables of A,B

- ◆Example:
  - $\bullet$  A = p  $\land$  q, B =  $\neg$ q  $\land$  r, A' = q
- ◆New result
  - given a resolution refutation of A ∧B,
     A' can be derived in linear time.

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

(Pudlak, Krajicek, 97)

#### Some Definitions for Unsatisfiability Proof

- ♦ Let (A,B) be a pair of clause sets and let  $\Pi$  be a proof of unsatisfiability of A  $\cup$  B
  - Π is a DAG (V<sub>Π</sub>, E<sub>Π</sub>)
  - Each vertex c ∈ Π in the graph corresponds to a clause and has exactly 2 predecessors, say c1, c2
    - c is called the "resolvent" of c1 and c2
    - The resolved variable v is called the "pivot" variable
  - Π has exactly 1 leaf vertex which is a False (null clause)
  - $\bullet$  The roots are original clauses in A  $\cup$  B



#### **Some Definitions for Unsatisfiability Proof**

- lacktriangle Let (A,B) be a pair of clause sets and let  $\Pi$  be a proof of unsatisfiability of A  $\cup$  B
  - $\Pi$  is a DAG ( $V_{\Pi}$ ,  $E_{\Pi}$ )
  - Each vertex c ∈ Π in the graph corresponds to a clause and has exactly 2 predecessors, say c1, c2
    - c is called the "resolvent" of c1 and c2
    - The resolved variable v is called the "pivot" variable
  - Π has exactly 1 leaf vertex which is a False (null clause)
  - The roots are original clauses in A ∪ B
- ◆ Global/Local variable/literal
  - With respect to (A,B), a variable/literal is global if it appears in both A and B
  - It is called local to A if it appears only in A

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 230

#### **Interpolants from Proofs**

- ◆ Deriving interpolant from Π
  - → Calling itp(leaf vertex)
- itp(c) { // c ∈ V<sub>II</sub> let p(c) be a
   if c is a root, then
   if c ∈ A then
   itp(c) = the disjunction of the
   global literals in c
   else itp(c) = constant True
   else, let c1, c2 be the predecessors of c
   and let v be their pivot variable
   if v is local to A
   then itp(c) = itp(c1) ∨ itp(c2)
   else itp(c) = itp(c1) ∧ itp(c2)
  }

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang









#### Overapproximation

- ◆ An overapproximate image op. is Img' s.t. for all P, Img(P,C) implies Img'(P,C)
- ◆ Overapprimate reachability:

$$R'_{0} = I$$

$$R'_{i+1} = R'_{i} \lor Img'(R'_{i},C)$$

$$R' = \bigcup R'_{i}$$

- ◆ Img' is adequate (w.r.t.) F, when
  - if P cannot reach F, Img'(P,C) cannot reach F
- ◆ If Img' is adequate, then
  - F is reachable iff R' ∧ F ≠ false

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 235

#### k-adequate image operator

- ◆Img' is k-adequate (w.r.t.) F, when
  - if P cannot reach F,
     Img'(P,C) cannot reach F within k steps
- ◆Note, if k > diameter, then k-adequate is equivalent to adequate.

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang









#### Reachability algorithm

```
let k = 0
repeat

if I can reach F within k steps, answer reachable R = I

while Img'(R,C) \wedge F = false

R' = Img'(R,C) \vee R

if R' = R answer unreachable

R = R'

end while
increase k

end repeat
```

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 241

#### **Termination**

◆ Since k increases at every iteration, eventually k > d, the diameter, in which case Img' is adequate, and hence we terminate.

#### Notes:

- don't need to know when k > d in order to terminate
- often termination occurs with k << d
- depth bound for earlier method (Sheeran et al '00) is "longest simple path", which can be exponentially longer than diameter

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 242

#### **Interpolation-based MC**

- ◆Fully SAT-based.
- ◆Avoid computing exact image.
- ◆Inherits SAT solvers ability to concentrate on facts relevant to a property.
  - Maintain SAT solver's advantage of filtering out irrelevant facts.
- ◆ For true properties, appears to converge for smaller k values.

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 243

#### **Outline**

| <ul> <li>Overview of Hardware Verification</li> </ul>                             | p3               |  |
|-----------------------------------------------------------------------------------|------------------|--|
| ◆ Assertion-Based Verification                                                    | p28              |  |
| ◆ Boolean Satisfiability (SAT) Algorithms                                         | p53              |  |
| <ul> <li>Logic Implication and its Applications</li> </ul>                        | p72              |  |
| <ul> <li>DPLL Decision Procedure</li> </ul>                                       | p139             |  |
| <ul> <li>Conflict-Driven Learning and Non-Chronological</li> </ul>                |                  |  |
| Backtracking                                                                      | p152             |  |
| <ul> <li>Decision ordering / Restart</li> </ul>                                   | p174             |  |
| <ul> <li>Various learning techniques</li> </ul>                                   |                  |  |
| ◆ SAT-Based Verification                                                          | p193             |  |
| <ul> <li>Bounded and Unbounded Modeling Checking</li> </ul>                       | g p198           |  |
| <ul> <li>Interpolation Technique</li> </ul>                                       | p214             |  |
| ◆ Future Research Directions                                                      | p245             |  |
| Boolean SAT Algorithms / FLOLAC 2009 Prof. Chung-Yang (Ric) Huang http://dvlab.ee | e.ntu.edu.tw 244 |  |

#### **Conclusion on Boolean SAT Algorithms**

- ◆Traditional NP-complete problem
- ◆With several advanced techniques, modern SAT solvers can be very efficient
  - Able to work on million-gate designs
- Applications
  - SAT-based verification
  - Redundancy addition and removal
  - SAT-assisted logic optimization (e.g. using interpolation technique)
  - In other fields (e.g. OR, AI,...)

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 245

#### **Future Research Directions**

- ◆Word-level SAT engine
  - Able to handle constraints beyond Boolean
    - Bit-vector, integer, uninterpreted function, etc
  - For the future system-level designs
- ◆SAT-assisted logic optimization
  - Interpolation techniques
  - Pseudo Boolean constraint solver

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 246

#### Some popular SAT engines

- ◆ SATO
- http://www.cs.uiowa.edu/~hzhang/sato.html
- ♦ GRASP
  - http://www.eecs.umich.edu/~faloul/Tools/satire/Grasp2.exe
- 01 6
  - http://www.princeton.edu/~chaff/
- ◆ BerkMin
  - http://eigold.tripod.com/BerkMin.html
- **♦** CSAT
  - http://cadlab.ece.ucsb.edu/downloads/CSAT.htm
- miniSA
  - http://www.cs.chalmers.se/Cs/Research/FormalMethods/MiniSat/
- PBS
- http://www.eecs.umich.edu/~faloul/Tools/pbs4/
- Pueblo
  - http://www.eecs.umich.edu/~hsheini/pueblo/

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang

http://dvlab.ee.ntu.edu.tw 247

### That's all. Any questions?

Boolean SAT Algorithms / FLOLAC 2009

Prof. Chung-Yang (Ric) Huang