Transcript slides

Recording Synthesis History for Sequential Verification
Robert Brayton
Alan Mishchenko
UC Berkeley
Overview

- Introduction
- Recording synthesis history
- Using synthesis history
- Retiming
- Combinational synthesis
- Merging sequentially equivalent nodes
- Window-based transformations
- Transformations involving observability don't-cares
- Verification
- Experiments
- Conclusions
Introduction

- Sequential synthesis promises to substantially improve the quality of hardware design: less area, fewer registers, lower power, BUT
- Sequential equivalence checking, even with limited sequential synthesis, is PSPACE-complete without history [Jiang/Brayton, TCAD'06]
- Efficient verification is needed to ensure wider adoption
- But synthesis history can make sequential equivalence checking "close to linear" in circuit size in many cases
- The focus of this presentation:
  - recording a type of synthesis history
  - using it for sequential equivalence checking
AIGs

Combinational AIG
- Boolean network of 2-input ANDs and inverters
- Combinational structural hashing

Sequential AIG
- Registers are considered as a special type of node
- Sequential structural hashing [Baumgartner/Kuehlmann, ICCAD'01]

Simplified sequential AIG
- Each register has an initial state (0, 1, or don't-care)
- Combinational AIG with registers as additional PIs/POs
- Combinational structural hashing
- In this work we use simplified sequential AIGs
Sequential Synthesis

- Combinational rewriting
- Retiming
- Register sweeping
- Detecting and merging seq. equivalent nodes
- Circuit optimization with approximate unreachable states as external don't-cares
- Sequential rewriting
Recording a Type of Synthesis History

Two AIG managers are used:
- Working AIG (WAIG)
- History AIG (HAIG)

Two node mappings are supported:
- Every node in WAIG points to its copy in HAIG
- Some nodes in HAIG point to other nodes in HAIG that are believed to be sequentially equivalent as a result of synthesis performed in WAIG

(Figure: WAIG and HAIG with the two node mappings)
WAIG and HAIG

WAIG (Working AIG)
- New logic nodes are added as synthesis proceeds
- Old logic cones are removed and replaced by new logic cones
  - Nodes without fanout are immediately removed
  - The fanouts of the old root are transferred to be fanouts of the new root
- Maintains accurate metrics (node count, register count, logic depth)

HAIG (History AIG)
- As each new node is created in WAIG, a copy is found or created in HAIG, and a link between them is established
- Old logic cones are not removed
  - Fanouts are not transferred
  - Links between the HAIG nodes are established
- Each time a node replacement is made in WAIG, the corresponding nodes are linked as sequentially equivalent in HAIG
Overview

- Introduction
- Recording synthesis history
- Using synthesis history
- Retiming
- Transformations involving observability don't-cares
- Sequential rewriting
- Verification
- Experiments
- Conclusions
Recording History for Retiming

(Figure: a forward retiming move, shown side by side in WAIG and HAIG)
- Step 1: Create retimed node copy
- Step 2: Transfer fanout; add pointer
- Step 3: Recursively remove old logic; continue building new logic
- Backward retiming is similar
Recording History with ODCs

- When synthesis is done with ODCs, the resulting node is not equivalent to the original node
  - In HAIG, equivalence cannot be recorded for that node
- However, there always exists a scope outside of which functionality is preserved, e.g. a window
  - Equivalence in HAIG can be recorded at the output boundary of this scope
Sequential Rewriting

(Figure: a sequential rewriting step with sequential cut {a,b,b1,c1,c}, and the History AIG after the rewriting step, where the sequentially equivalent rewrite has added new nodes)
- The History AIG accumulates sequential equivalence classes.
Related AIG Procedures

WAIG                  HAIG
createAigManager      createAigManager
deleteAigManager      deleteAigManager
createNode            createNode, setWaigToHaigMapping
replaceNode           setEquivalentHaigNodes
deleteNode_recur      do nothing
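The two-manager bookkeeping on this slide, as an added Python example that is not the authors' ABC code: one minimal AIG class with structural hashing serves as both managers, and a Synthesis wrapper keeps the WAIG-to-HAIG map and records each WAIG replacement as a HAIG equivalence link instead of deleting anything. The rebalancing rewrite of (a&b)&c into a&(b&c), and all class and method names, are constructed for the illustration.

```python
class Aig:
    """Minimal AIG: gates[id] is None for a PI, else a sorted pair of (id, negated) literals."""
    def __init__(self):
        self.gates, self.fanout, self.strash, self.equiv = {}, {}, {}, {}
    def create_pi(self):
        nid = len(self.gates); self.gates[nid], self.fanout[nid] = None, set()
        return nid
    def create_and(self, l0, l1):
        key = tuple(sorted((l0, l1)))
        if key not in self.strash:                       # structural hashing: reuse an existing copy
            nid = self.strash[key] = len(self.gates); self.gates[nid], self.fanout[nid] = key, set()
            for i, _ in key: self.fanout[i].add(nid)
        return self.strash[key]
    def replace_node(self, old, new):                    # WAIG replaceNode
        for f in list(self.fanout[old]):                 # fanouts of old become fanouts of new
            del self.strash[self.gates[f]]
            self.gates[f] = tuple(sorted((new if i == old else i, n) for i, n in self.gates[f]))
            self.strash[self.gates[f]] = f; self.fanout[new].add(f)   # assumes rekeyed gate is unique
        self.fanout[old].clear(); self.delete_node_recur(old)
    def delete_node_recur(self, nid):                    # WAIG deleteNode_recur
        if self.gates[nid] is None or self.fanout[nid]: return      # keep PIs and nodes still in use
        key = self.gates.pop(nid); del self.strash[key]; del self.fanout[nid]
        for i, _ in key: self.fanout[i].discard(nid); self.delete_node_recur(i)

class Synthesis:
    """Two managers: w2h maps every WAIG node to its HAIG copy (setWaigToHaigMapping);
    a WAIG replacement is recorded as a HAIG link (setEquivalentHaigNodes); HAIG deletes nothing."""
    def __init__(self):
        self.waig, self.haig, self.w2h = Aig(), Aig(), {}
    def create_pi(self):
        w = self.waig.create_pi(); self.w2h[w] = self.haig.create_pi(); return w
    def create_and(self, l0, l1):
        w = self.waig.create_and(l0, l1)
        self.w2h[w] = self.haig.create_and((self.w2h[l0[0]], l0[1]), (self.w2h[l1[0]], l1[1]))
        return w
    def replace_node(self, old, new):
        self.haig.equiv[self.w2h[old]] = self.w2h[new]   # old cone stays in the HAIG, linked to new
        self.waig.replace_node(old, new)                 # WAIG transfers fanout and sweeps old cone

def rebalance_demo():
    """Constructed rewrite: replace (a&b)&c, which feeds one fanout, by a&(b&c)."""
    s = Synthesis()
    a, b, c, d = (s.create_pi() for _ in range(4))
    old = s.create_and((s.create_and((a, 0), (b, 0)), 0), (c, 0))
    po = s.create_and((old, 0), (d, 1))                 # fanout of old: old & NOT d
    new = s.create_and((a, 0), (s.create_and((b, 0), (c, 0)), 0))
    s.replace_node(old, new)
    # WAIG keeps 7 live nodes, HAIG keeps all 9 plus the link old -> new; po now reads new
    return len(s.waig.gates), len(s.haig.gates), dict(s.haig.equiv), s.waig.gates[po]
```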
Using HAIG for Equivalence Checking

- Sequential depth of a window-based sequential synthesis transform is the maximum number of registers on any path from an input to an output of the window
- Theorem 1: If transforms recorded in HAIG have sequential depth no more than k, the equivalence classes of HAIG nodes can be proved by k-step induction
- Theorem 2: If the inductive proof of HAIG succeeds for all recorded equivalence classes, then the original and final designs are sequentially equivalent

(Figure: an example with sequential depth = 1 and k = 1, showing HAIG1 and HAIG2 with node pairs A, A' and B, B' and both induction checks returning unsat)
Conceptual Picture of HAIG

(Figure: the HAIG as one circuit over registers and PIs, containing the initial circuit A and the final circuit B with their outputs; actually B is really smeared throughout the HAIG)

HAIG is simply a sequential circuit with lots of nodes that are disconnected or redundant. It contains the initial circuit A and the final circuit B. There are many suggested equalities. If we prove all suggested equalities, then A = B sequentially.
Inductive Proof (k = 1)

(Figure: two time frames of the HAIG over registers and PIs, each containing A and B with their outputs. First time frame: all equalities assumed as constraints (speculative reduction). Second time frame: proof obligations, that the equalities hold.)
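Theorem 1 and the two-frame picture above, as an added Python example that is not the authors' prover: the HAIG is modelled as one sequential circuit holding a constructed design A and its retimed version B (sequential depth 1), and k_induction proves the recorded equalities with all of them assumed as constraints in the first k frames, dropping any hint that fails and rerunning until a fixpoint. Exhaustive enumeration of states and inputs stands in for the SAT calls; the circuit, the net names and the deliberately wrong second hint are all constructed.

```python
from itertools import product

# Constructed HAIG: original design A and retimed design B side by side.
#   A: out_A = r1,       r1' = x & y           (one register after the AND gate)
#   B: out_B = r2 & r3,  r2' = x,  r3' = y     (the register moved to the AND inputs)
# All registers start at 0, a valid initial state for this retiming.
N_REGS, N_INS, INIT = 3, 2, (0, 0, 0)

def next_state(state, inputs):
    x, y = inputs
    return (x & y, x, y)

def signals(state, inputs):
    """Named nets of the HAIG in one time frame (what the hints refer to)."""
    r1, r2, r3 = state
    return {"out_A": r1, "out_B": r2 & r3, "r1": r1, "r2": r2}

def holds(eqs, state, inputs):
    s = signals(state, inputs)
    return all(s[a] == s[b] for a, b in eqs)

def k_induction(eqs, k):
    """k-step induction with every hint assumed in frames 0..k-1 (speculative
    reduction); failing hints are dropped and the proof rerun until a fixpoint.
    Returns the proved equalities."""
    eqs = set(eqs)
    while True:
        failed = set()
        for seq in product(product((0, 1), repeat=N_INS), repeat=k):   # base case
            st = INIT
            for i in seq:
                failed |= {e for e in eqs if not holds([e], st, i)}
                st = next_state(st, i)
        for st in product((0, 1), repeat=N_REGS):                      # inductive step
            for seq in product(product((0, 1), repeat=N_INS), repeat=k + 1):
                cur, ok = st, True
                for i in seq[:k]:                  # frames 0..k-1: hints assumed
                    ok, cur = ok and holds(eqs, cur, i), next_state(cur, i)
                if ok:                             # frame k: hints must follow
                    failed |= {e for e in eqs if not holds([e], cur, seq[k])}
        if not failed:
            return eqs
        eqs -= failed

if __name__ == "__main__":
    hints = {("out_A", "out_B"), ("r1", "r2")}   # second hint is deliberately wrong
    print("proved:", k_induction(hints, 1))      # {('out_A', 'out_B')}
```

The wrong hint survives the base case (all registers are 0 initially) and is refuted only in the inductive step, which is the point of requiring every recorded step to be proved rather than trusted.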
Discussion

Typical comments on verification using a synthesis history:
- Incorrect information may be passed from a synthesis tool to a verification tool
  - In the proposed methodology, history is a set of hints; every step recorded must be proved
- The same bugs may exist in both tools, canceling each other out
  - The inductive prover used in HAIG-based verification must be independent, BUT a HAIG prover is simple: about 100 lines of code, compared to 2000 lines in a general prover, and there is no need to handle counterexamples
- The HAIG size may grow inordinately
  - Not our experience, plus the HAIG can be compacted to 3 bytes per node
Experimental Setup

- Benchmarks are the 20 largest public circuits from ISCAS'89, ITC'97, and Altera QUIP
  - Only 14 are shown in the tables below
- Runtimes are in seconds on 4x AMD Opteron 2218 with 16GB RAM under x86_64 GNU/Linux
  - One core was used in the experiments
- Synthesis includes three iterations of the script:
  - B: Balancing, algebraic tree restructuring for minimizing delay
  - Rw: Rewriting, one pass of combinational AIG rewriting
  - Rt: Retiming, a fixed number (3000) of steps of forward retiming
  - Script = (B;Rw;Rt)^3
- This script was selected to make the resulting networks hard to verify (Jiang/Hung, ICCAD'07)
  - It represents a limited synthesis since full implementation is not done.
Synthesis Results

Synthesis size and HAIG size

Benchmark    After synthesis           HAIG                       Runtime, s
             Reg     Node     Lev      Reg     Node     Lev
s13207       1060    2133     25       4763    20598    36         0.36
s35932       2016    9094     11       5046    60771    19         0.71
s38417       1833    8161     27       10636   60156    48         0.83
s38584       2478    9427     25       7731    63638    43         0.98
b14          587     4893     61       2630    31296    73         0.32
b15          949     7756     94       6377    51139    106        0.67
b17          2271    24386    104      10415   137921   127        1.70
b18          3940    65264    117      12320   354141   132        3.99
fpu          997     16294    1876     9659    126436   3580       3.21
jpeg         5788    43712    73       12972   243672   104        6.63
mem          2399    14067    38       8781    85341    45         1.79
radar        7557    58759    91       15001   347762   174        8.75
video        3422    32852    75       12549   208953   99         4.86
raytracer    13624   137974   252      22079   771632   338        13.65
Geomean              0.77                      5.13
Comparison of verification times

Benchmark    HAIG equivalences                Runtime, s
             Constr    Property   Total       HAIG      SEC
s13207       10821     7526       16557       1.47      1000+
s35932       10733     3127       41866       2.08      44.67
s38417       24418     7691       47369       7.86      63.74
s38584       21279     5443       46931       0.60      18.90
b14          12511     6645       22580       9.47      2.18
b15          21169     6666       38223       19.85     21.84
b17          40450     20253      91526       82.02     48.84
b18          79858     57365      217378      100.45    126.94
fpu          44815     19571      94187       5.73      1000+
jpeg         63579     40262      188743      18.07     279.30
mem          25050     11004      60230       4.66      43.83
radar        72429     58201      253965      80.29     52.82
video        59229     42531      157531      113.00    69.94
raytracer    154115    130032     548596      800.55    1000+
Geomean      0.42      0.19       1.00        1.00      4.59+
Entry 1000+ indicates a timeout at 1000 seconds. Timeouts
are truncated as 1000 seconds in computing runtime ratios.
Conclusions

- Motivated the use of synthesis history in SEC
- Presented a particular way of recording history using two AIG managers
- Experimentally evaluated the use of history in Sequential Equivalence Checking
  - Confirmed savings in runtime
  - Confirmed reliability
Future Work

- Use of HAIG has shown that it can make SEC inductively provable.
- What subset of history would suffice?
  - e.g. do not record each retiming move but only the final result, or the result of one frame
  - Is it still k-inductive? What is k?
- How to handle a sequential transform that includes a loop in the area of change.
- Implement history recording for all transforms
Moral of Story:
Leave a trail of bread crumbs.