model_checkers.md

General architecture for a hardware model checking tool

Key Principles

• Things should feel real time
  • Solvers should be able to communicate between threads rapidly for clause sharing, solver shutdown etc
  • Main thread should be only used for comms between/launching threads, UI/user scripts should run in their own thread so you don't get the case where e.g. you can't load a CEX while a script is running
• Users should have the power to control proof performance in sound and intuitive ways
  • Tooling to safely do case splits, assume-guarantee etc.
  • Prefer hints for abstractions/invariants so that the engines can use CEGAR etc. techniques to patch them if they are incorrect in some cases, but report to the user if this is the case
  • Scripting should be easy, intuitive and flexible - Python
• There should be strong defaults
  • Default engines, abstractions etc. should work out of the box and give reasonable results
• Techniques should compose
  • Model checking engines should be oblivious to underlying proof procedure/netlist (whether it is SAT, SMT, gate-level, word-level, has additional abstraction/restriction etc)
  • Abstraction/restriction engines should be sound (CEGAR/PROGRESS) and be able to be combined in (relatively) arbitrary fashion
• Composition of techniques should be managed by the environment
  • This can be done in a why3 way with a tree of proof obligations
  • A node can rely on either the conjunction (e.g. case splitting) or disjunction (e.g. a set of engines racing to prove the property) of its children
  • Proof checkers can appear as obligations in this
  • Things like case splitting therefore become modifications to the tree
• Verification should be able to compose both functionally (abstractions, case splitting etc) and structurally (assume guarantee)
  • This should apply also to scripts - scripts for individual blocks should compose up to top level
• Engines should be able to bubble up correct and useful information
  • Proof bounds
  • Invariants
  • Useful Abstractions?
  • CEXs
  • Coverage information
  • Witness circuits

Algorithms

Model checking

• BMC
  • https://www.cs.cmu.edu/~emc/papers/Books%20and%20Edited%20Volumes/Bounded%20Model%20Checking.pdf)
• Rarity-guided sim
  • https://people.eecs.berkeley.edu/~alanmi/publications/2012/iwls12_sec.pdf
  • Can we do property directed rarity-guided sim?
• K-Ind
  • https://www.di.ens.fr/~pouzet/cours/mpri/bib/sheeran-FMCAD00.pdf
  • https://www.sciencedirect.com/science/article/pii/S1571066105825423
  • https://www.cs.utexas.edu/~hunt/fmcad/FMCAD12/013.pdf
• PDR
  • http://alcom.ee.ntu.edu.tw/system/privatezone/meetingfile/201010222258251.pdf
  • https://theory.stanford.edu/~arbrad/papers/Understanding_IC3.pdf
  • https://people.eecs.berkeley.edu/~alanmi/publications/2011/fmcad11_pdr.pdf
  • https://www.cs.utexas.edu/users/hunt/FMCAD/FMCAD13/papers/85-Better-Generalization-IC3.pdf
  • https://arxiv.org/pdf/2105.09169.pdf
  • https://es-static.fbk.eu/people/griggio/papers/tcad15.pdf
  • https://past.date-conference.com/proceedings-archive/2013/PDFFILES/07.2_2.PDF
  • https://shufang-zhu.github.io/publications/2017ICCAD.pdf
  • https://link.springer.com/chapter/10.1007/978-3-031-37703-7_14
  • https://ieeexplore.ieee.org/document/10015642
  • https://www.rohitdureja.com/papers/DGIV21.pdf
• Interpolation?
  • https://people.eecs.berkeley.edu/~alanmi/courses/2008_290A/papers/mcmillan_cav03.pdf
• Semi-formal techniques?
  • https://picture.iczhiku.com/resource/ieee/WYieEsQfWFsaybXb.pdf
• Liveness
  • https://fmv.jku.at/papers/BiereArthoSchuppan-FMICS02.pdf
  • https://theory.stanford.edu/~arbrad/papers/fair.pdf
  • https://www.cs.utexas.edu/~hunt/fmcad/FMCAD12/013.pdf

Abstraction/Reduction

• Localization abstraction
  • https://people.eecs.berkeley.edu/~alanmi/publications/2017/iwls17_pdr.pdf
• Syntax guided abstraction
  • https://aman-goel.github.io/publications/goel2019model_preprint.pdf
• Array abstraction
  • http://www.perbjesse.com/fmcad08.pdf
• Bitwidth reduction
  • https://cca.informatik.uni-freiburg.de/papers/BrummayerBiere-EUROCAST09.pdf
• Word-level abstraction
  • https://www2.eecs.berkeley.edu/Pubs/TechRpts/2017/EECS-2017-198.pdf
• Arithmetic abstraction
  • https://arxiv.org/pdf/2008.10061.pdf
• UF abstraction
  • https://people.eecs.berkeley.edu/~alanmi/publications/2016/fmcad16_uif.pdf

Invariant hunting

• Cut-based invariant computation
  • https://people.eecs.berkeley.edu/~alanmi/publications/2008/iwls08_ind.pdf
• Invariants from implications
  • https://people.eecs.berkeley.edu/~alanmi/publications/2006/iwls06_inv.pdf
  • This is likely too costly to be very useful
• Speculative reduction
  • https://people.eecs.berkeley.edu/~alanmi/publications/2012/iwls12_sec.pdf
• FIFO etc data transport invariants
  • https://link.springer.com/chapter/10.1007/978-3-642-14295-6_29
  • This suggests transposing assertions about FIFO outputs down the FIFO
  • Can we do something like this automatically by searching for this pattern in learnt clauses (at the SAT or IC3 level). Many properties are afaict written one side of a FIFO when they can be translated into an equivalent property at the other end of it, but this isn't clear to the tool

Pre-processing

• Fraiging/Strashing
  • https://people.eecs.berkeley.edu/~alanmi/publications/2005/tech05_fraigs.pdf
  • This is very bit-level, how do we make this work nicely with word-level techniques?
  • http://www.perbjesse.com/iccad04.pdf
• Logic synthesis
  • https://people.eecs.berkeley.edu/~alanmi/publications/2007/sat07_map.pdf
• Bitwidth reduction
  • https://dl.acm.org/doi/10.1007/s10703-009-0080-2
• Phase abstraction
  • http://www.perbjesse.com/iccad05.pdf
• Reset analysis/Temporal Decomposition
  • https://fmv.jku.at/fmcad09/slides/fmcad09-MikeCase.pdf
  • https://ieeexplore.ieee.org/document/5351146
  • https://www.aspdac.com/aspdac2007/pdf/archive/3C-1.pdf
  • https://ieeexplore.ieee.org/document/4196049
• Retiming
  • https://people.eecs.berkeley.edu/~alanmi/publications/2007/fmcad07_min.pdf
  • https://link.springer.com/chapter/10.1007/3-540-44585-4_10
  • https://ieeexplore.ieee.org/document/855382
• Sound transformations to reduce bitwidth
  • http://www.perbjesse.com/cav08.pdf
  • https://macau.uni-kiel.de/servlets/MCRFileNodeServlet/dissertation_derivate_00000669/d669.pdf

Decision Procedure

• SAT
  • Start with glucose like solver
  • https://univ-artois.hal.science/hal-03299473v1/file/preprint.pdf
  • https://alexeyignatiev.github.io/assets/pdf/kims-sat21-preprint.pdf
    • This shows that Glucose 3.0 performs equivalently to modern solvers on a number of incremental problems
  • https://twitter.com/ArminBiere/status/1288132283443142661
    • This data is likely not super representative for our use cases, EDA favours smaller incremental queries
  • Also worth looking at Intel sat solver and isasat
    • Isasat is slow but won an EDA competition because it is good at small queries
  • This + array/word level abstraction is potentially enough to get close to the performance of SMT
  • Should ideally be very interruptible by other threads to add clauses etc.
  • Should ideally be parallelisable
• Circuit-SAT?
  • Not too convinced it would be much better than using good COI reductions with existing techniques
  • https://people.eecs.berkeley.edu/~alanmi/publications/2022/iwls22_sweep.pdf
• SMT?
  • EUF abstraction (as used in AVR's SA+UF) requires being able to reason about EUF really which requires congruence closure etc. Pure SA can be done without EUF but is probably ineffective
  • Extensions for quantifiers/LRA etc are probably unnecessary, the main thing seems to be EUF
• Arithmetic verification
  • https://danielakaufmann.at/wp-content/uploads/2020/11/Kaufmann-PhD-Thesis-2020.pdf
  • https://danielakaufmann.at/wp-content/uploads/2020/11/KaufmannBiereKauers-FMSD19.pdf
  • https://link.springer.com/article/10.1007/s10009-022-00688-6
  • https://ics.jku.at/files/2018ICCAD_PolyCleaner.pdf
  • https://ieeexplore.ieee.org/document/9440537
  • https://agra.informatik.uni-bremen.de/doc/konf/2020DATE_Towards_formal_verification_of_optimized_and_industrial_multipliers.pdf

Equivalence checking

• Combinational equivalence checking
  • https://people.eecs.berkeley.edu/~alanmi/publications/2006/iccad06_cec.pdf
• Sequential equivalence checking
  • https://people.eecs.berkeley.edu/~alanmi/publications/2007/tech07_ssv.pdf
  • https://people.eecs.berkeley.edu/~alanmi/publications/2008/fmcad08_haig.pdf
  • https://people.eecs.berkeley.edu/~alanmi/publications/2009/iwls09_iso.pdf
  • https://people.eecs.berkeley.edu/~alanmi/publications/2012/iwls12_sec.pdf
• Arithmetic equivalence checking
  • https://arxiv.org/pdf/2308.00431.pdf
  • https://people.eecs.berkeley.edu/~alanmi/publications/2018/lpar18_polyn.pdf
• Reductions for arithmetic equivalence checking
  • https://cas.ee.ic.ac.uk/people/gac1/pubs/TheoDACKC11.pdf
  • Can we exploit symmetry? Is it possible to analyse a chunk of datapath, realise that the operators are commutative (particularly if they are in a fanout-free cone) and add symmetry constraint
    • Could this be hard to proof check? It can probably be viewed as a form of abstraction, and justified by showing that all values downstream of the operator are still possible
    • https://macau.uni-kiel.de/servlets/MCRFileNodeServlet/dissertation_derivate_00000669/d669.pdf recommends some symmetry reduction papers in 2.3.3. This seems to have been considered more in explicit state model checking