Transcript slides
Optimal Constraint-Preserving Netlist Simplification Jason Baumgartner1, Hari Mony1,2, Adnan Aziz2 IBM Corporation1 Dept of ECE, University of Texas at Austin2 March 2008 Outline Introduction to Constraints Modeling Design Environments Constraint Semantics Redundancy Removal under Constraints Constraint Pitfalls Redundancy Identification Challenges Redundancy Removal Challenges Optimal Redundancy Removal Simulation under Constraints Conclusion 2 Outline Introduction to Constraints Modeling Design Environments Constraint Semantics Redundancy Removal under Constraints Constraint Pitfalls Redundancy Identification Challenges Redundancy Removal Challenges Optimal Redundancy Removal Simulation under Constraints Conclusion 3 Modeling Design Environments Constraints: environmental assumptions to prevent illegal input scenarios Assumptions in assume-guarantee reasoning Most verification efforts require some form of assumptions 4 Functional verification: inputs adhere to documented protocol • An input vector must be one-hot • Instructions not transferred if instruction buffer is full Sequential Equivalence checking: • Self-test disabled; clocks driven consistently Modeling Design Environments Two fundamental mechanisms to specify assumptions 1. Imperative generator-based approaches Input filters are synthesized, composed with design 2. Declarative constraint-based approaches Utilize language-specific constructs • constraint in SystemVerilog; assume in PSL “Generator-Based Verification” ICCAD03 5 Modeling Design Environments Declarative approaches are popular Simpler to specify; easy to update Enables the checker-assumption duality paradigm Used for case-splitting to decompose complex verification tasks • Constraints may generally refer to design inputs, internals, outputs “Decomposing Refinement Proofs using Assume-Guarantee Reasoning” ICCAD00 6 Outline Introduction to Constraints Modeling Design Environments Constraint Semantics Redundancy Removal under Constraints Constraint Pitfalls Redundancy Identification Challenges Redundancy Removal Challenges Optimal Redundancy Removal Simulation under Constraints Conclusion 7 Constraint Semantics Verification problem: Netlist with DUT, environment, assertions Constraint: specially-labelled gate that must evaluate to 1 in every state explored by the verification tool Though without special labelling, may evaluate to 0 or 1 Unlike SDC invariants, constraints thus prune traces Asymmetry between invariants, constraints is an intricate topic 8 Invariants: redundant gates • Useful only to tighten over-approximate analysis Constraints appear redundant, though if removed they no longer hold! Outline Introduction to Constraints Modeling Design Environments Constraint Semantics Redundancy Removal under Constraints Constraint Pitfalls Redundancy Identification Challenges Redundancy Removal Challenges Optimal Redundancy Removal Simulation under Constraints Conclusion 9 Redundancy Removal under Constraints Redundancy removal benefits many tasks Essential for sequential equivalence checking Enhances property checking Constraints have a big impact on redundancy removal 1. Constraints prune reachable states => more redundancy Imposes a don’t care condition Need to be exploited for optimality 2. Merging redundant gates may weaken constraint evaluation 10 Constraint-enhanced redundancy removal could lead to overapproximation Outline Introduction to Constraints Modeling Design Environments Constraint Semantics Redundancy Removal under Constraints Constraint Pitfalls Redundancy Identification Challenges Redundancy Removal Challenges Optimal Redundancy Removal Simulation under Constraints Conclusion 11 Constraint Pitfalls 12 Constraint pitfalls Simplify logic outside constraint fanin using power of constraints Valid to simplify constraint fanin if not using its constraining power E.g., using SDCs alone, and/or other constraints Disable simplification in constraint fanin if using power of constraints 13 Constraint cones can be fairly large Arbitrarily suboptimal for subsequent verification? Outline Introduction to Constraints Modeling Design Environments Constraint Semantics Redundancy Removal under Constraints Constraint Pitfalls Redundancy Identification Challenges Redundancy Removal Challenges Optimal Redundancy Removal Simulation under Constraints Conclusion 14 Assume-then-Prove Redundancy Identification 1. Guess redundancy candidates 2. Create speculatively-reduced model =0? =0? A A B B Miter without spec reduction Miter with spec reduction 3. Attempt to prove suspected equivalence on reduced design 4. If successful, exit with reduced model 5. Else refine unprovable redundancy candidates, goto step 2 Spec-reduction: Key to scalability; enables orders of magnitude speedup 15 Redundancy Identification under Constraints Spec reduction: Key to scalability of redundancy identification Spec reduction may weaken constraint evaluation Causes sub-optimal redundancy identification Validity of candidates unknown during spec-reduction 16 May strengthen constraint evaluation, discarding reachable states Unsound redundancy identification Similar to soundness issues in circular reasoning in assume-guarantee paradigm [HQR00] Redundancy Identification under Constraints 17 Replicate the combinational fanin of each constraint Re-label the replicated gates as constraints Restrict equivalence classing, spec merging to original gates Run typical assume-then-prove framework using this model Outline Introduction to Constraints Modeling Design Environments Constraint Semantics Redundancy Removal under Constraints Constraint Pitfalls Redundancy Identification Challenges Redundancy Removal Challenges Optimal Redundancy Removal Simulation under Constraints Conclusion 18 Redundancy Removal under Constraints Once all redundancy is identified, how may we leverage it? Theorem: Merging of redundant gates sound, but maybe incomplete Behaviour may be altered in constraint-violating states Unreachable states may become reachable Theorem: Merging sound and complete if merged-from gate not in combinational fanin of constraints 19 Constraint valuation in reset state unchanged Merges cannot alter next-state; time I + 1 valuation unchanged What about the rest? Redundancy Removal under Constraints Can we further simplify given known equivalences in the combinational fanin of constraints? Yes: using an abstraction-refinement framework 1. 2. 3. 4. 5. 6. 20 Merge all equivalent gates Verify resulting simplified design If proof is computed, exit with this result If counterexample is obtained, validate on original design If consistent, exit with this result Else refine abstraction; goto step 2 Outline Introduction to Constraints Modeling Design Environments Constraint Semantics Redundancy Removal under Constraints Constraint Pitfalls Redundancy Identification Challenges Redundancy Removal Challenges Optimal Redundancy Removal Simulation under Constraints Conclusion 21 Optimal Redundancy Removal under Constraints Refinement algo w.r.t. counterexample p 1. Identify set of merged gates whose behaviour was altered in p 2. In place of each merge of step 1, inject a conditional merge A mux selected by an auxiliary variable, which drives either the original or merged value 3. Cast a max-SAT problem to see how many merges may be preserved while avoiding a counterexample under p 22 The rest will be eliminated upon refinement Optimal Redundancy Removal under Constraints Refinement procedure is optimal w.r.t. single iteration Suboptimality may occur across iterations due to compatibility issues, non-uniqueness of max-SAT solution Solution: refine w.r.t. original maximally-merged design using all counterexamples, vs. refining w.r.t. prior refinement 23 Incremental max-SAT instance can take into account all spurious behaviours to be eliminated Redundancy Removal Results Design Info Name Gates Constraint-Safe Merging (Mo05) Constraint-Enhanced Merging Tgts Gates Merged Unsolved Tgts Resource (s: MB) Gates Merged Refined Merges Improv . Resource (s : MB) FPU 115037 1 2022 1 5465: 690 4928 0 143.7 % 1140: 384 IBUFF 19230 303 222 14 77: 91 831 20 260.8 % 144: 160 IBM_FV 24 13391 1 313 0 70: 119 793 7 151.1 % 83: 137 IBM formal / semi-formal toolset SixthSense Constraint-Safe Merging: No merging in constraint fanin using power of constraints Constraint-enhanced merging solves every target Enables 2X merges 24 Outline Introduction to Constraints Modeling Design Environments Constraint Semantics Redundancy Removal under Constraints Constraint Pitfalls Redundancy Identification Challenges Redundancy Removal Challenges Optimal Redundancy Removal Simulation under Constraints Conclusion 25 Simulation under Constraints Sequential constraints can result in dead-end states States for which no valuation to inputs will satisfy constraints E.g., is_instr_buffer_full checks if instruction buffer is full Consider (not is_instr_buffer_full) as a constraint State with instruction buffer filled is a dead-end state Dead-end states complicate simulation If encountered, simulation must backtrack Sequential constraints readily expressible; less manual effort Simulation is critical for various algos 26 Semi-formal bug-hunting Obtaining simulation signatures for forming initial equiv-class candidates Simulation under Constraints With dead-end states need look-ahead based SAT-solving At every time-step i of sim, solve constraints for i,…,i+k 27 Simulation under Constraints Min input delay: earliest time any input can affect constraint valuation Max input delay: the earliest all inputs has affected the valuation Windowed log-2 search between min and max delays SimGen [YPA 99] fails with 57 cycles Windowed search ~400X than pure SAT-based solution 28 Conclusion Constraints may increase reduction potential Care must be taken to ensure that identified redundancy is optimal and correct Once identified, some merges may be safely performed; others may entail spurious failures • Similarities & differences with constraints vs. invariants Optimal abstraction-refinement procedure presented Enables maximal merging Sound and complete verification procedure 29 Backup Slides… 30 Aside: Constraints vs. ODCs Possible to emulate constraints by adding ODC condition on properties Though doing so is computationally unattractive: lose corresponding unreachability invariants 31 Sequential Constraint Challenges 32 Only Valid instructions with legal opcodes at Execute Add constraint illegal opcodes => invalid instr Fetch and Decode ensures that invalid instr => illegal opcode Redundant gates: valid and illegal are complements Merging valid and illegal weakens the constraint Constraint Pitfalls Redundancy removal, if enhanced by constraints, may entail overapproximation in subsequent verification We could preserve constraint cone (disable merging therein) • • 33 Though doing so may be arbitrarily suboptimal for subsequent verification To what extent can we safely optimize constraint cones? Redundancy Identification under Constraints Consider that we have identified a set of gate pairs that are equivalent in the constrained reachable states Theorem: Merging any set of equivalent gate pairs is sound and incomplete, if the merged-from gates are not in the combinational fanin of constraints 34 Time-0 constraint evaluation is unchanged by such merges Since merged gates are equivalent, cannot alter next-state function evaluation; time i+1 constraint evaluation unchanged by the merges Redundancy Identification under Constraints Theorem enables a modification of assume-then-prove framework to identify every equivalent gate 1. 2. 3. 4. 35 Key idea: miter assertability for incorrect candidates is strictly preserved Replicate the combinational fanin of each constraint Re-label the replicated gates as constraints Restrict equivalence classing, spec merging to original gates Run typical assume-then-prove framework using this model