- Things should feel real time
- Solvers should be able to communicate between threads rapidly for clause sharing, solver shutdown etc
- Main thread should be only used for comms between/launching threads, UI/user scripts should run in their own thread so you don't get the case where e.g. you can't load a CEX while a script is running
- Users should have the power to control proof performance in sound and intuitive
ways
- Tooling to safely do case splits, assume-guarantee etc.
- Prefer hints for abstractions/invariants so that the engines can use CEGAR etc. techniques to patch them if they are incorrect in some cases, but report to the user if this is the case
- Scripting should be easy, intuitive and flexible - Python
- There should be strong defaults
- Default engines, abstractions etc. should work out of the box and give reasonable results
- Techniques should compose
- Model checking engines should be oblivious to underlying proof procedure/netlist (whether it is SAT, SMT, gate-level, word-level, has additional abstraction/restriction etc)
- Abstraction/restriction engines should be sound (CEGAR/PROGRESS) and be able to be combined in (relatively) arbitrary fashion
- Composition of techniques should be managed by the environment
- This can be done in a why3 way with a tree of proof obligations
- A node can rely on either the conjunction (e.g. case splitting) or disjunction (e.g. a set of engines racing to prove the property) of its children
- Proof checkers can appear as obligations in this
- Things like case splitting therefore become modifications to the tree
- Verification should be able to compose both functionally (abstractions, case
splitting etc) and structurally (assume guarantee)
- This should apply also to scripts - scripts for individual blocks should compose up to top level
- Engines should be able to bubble up correct and useful information
- Proof bounds
- Invariants
- Useful Abstractions?
- CEXs
- Coverage information
- Witness circuits
- BMC
- Rarity-guided sim
- https://people.eecs.berkeley.edu/~alanmi/publications/2012/iwls12_sec.pdf
- Can we do property directed rarity-guided sim?
- K-Ind
- PDR
- http://alcom.ee.ntu.edu.tw/system/privatezone/meetingfile/201010222258251.pdf
- https://theory.stanford.edu/~arbrad/papers/Understanding_IC3.pdf
- https://people.eecs.berkeley.edu/~alanmi/publications/2011/fmcad11_pdr.pdf
- https://www.cs.utexas.edu/users/hunt/FMCAD/FMCAD13/papers/85-Better-Generalization-IC3.pdf
- https://arxiv.org/pdf/2105.09169.pdf
- https://es-static.fbk.eu/people/griggio/papers/tcad15.pdf
- https://past.date-conference.com/proceedings-archive/2013/PDFFILES/07.2_2.PDF
- https://shufang-zhu.github.io/publications/2017ICCAD.pdf
- https://link.springer.com/chapter/10.1007/978-3-031-37703-7_14
- https://ieeexplore.ieee.org/document/10015642
- https://www.rohitdureja.com/papers/DGIV21.pdf
- Interpolation?
- Semi-formal techniques?
- Liveness
- Localization abstraction
- Syntax guided abstraction
- Array abstraction
- Bitwidth reduction
- Word-level abstraction
- Arithmetic abstraction
- UF abstraction
- Cut-based invariant computation
- Invariants from implications
- https://people.eecs.berkeley.edu/~alanmi/publications/2006/iwls06_inv.pdf
- This is likely too costly to be very useful
- Speculative reduction
- FIFO etc data transport invariants
- https://link.springer.com/chapter/10.1007/978-3-642-14295-6_29
- This suggests transposing assertions about FIFO outputs down the FIFO
- Can we do something like this automatically by searching for this pattern in learnt clauses (at the SAT or IC3 level). Many properties are afaict written one side of a FIFO when they can be translated into an equivalent property at the other end of it, but this isn't clear to the tool
- Fraiging/Strashing
- https://people.eecs.berkeley.edu/~alanmi/publications/2005/tech05_fraigs.pdf
- This is very bit-level, how do we make this work nicely with word-level techniques?
- http://www.perbjesse.com/iccad04.pdf
- Logic synthesis
- Bitwidth reduction
- Phase abstraction
- Reset analysis/Temporal Decomposition
- Retiming
- Sound transformations to reduce bitwidth
- SAT
- Start with glucose like solver
- https://univ-artois.hal.science/hal-03299473v1/file/preprint.pdf
- https://alexeyignatiev.github.io/assets/pdf/kims-sat21-preprint.pdf
- This shows that Glucose 3.0 performs equivalently to modern solvers on a number of incremental problems
- https://twitter.com/ArminBiere/status/1288132283443142661
- This data is likely not super representative for our use cases, EDA favours smaller incremental queries
- Also worth looking at Intel sat solver and isasat
- Isasat is slow but won an EDA competition because it is good at small queries
- This + array/word level abstraction is potentially enough to get close to the performance of SMT
- Should ideally be very interruptible by other threads to add clauses etc.
- Should ideally be parallelisable
- Circuit-SAT?
- Not too convinced it would be much better than using good COI reductions with existing techniques
- https://people.eecs.berkeley.edu/~alanmi/publications/2022/iwls22_sweep.pdf
- SMT?
- EUF abstraction (as used in AVR's SA+UF) requires being able to reason about EUF really which requires congruence closure etc. Pure SA can be done without EUF but is probably ineffective
- Extensions for quantifiers/LRA etc are probably unnecessary, the main thing seems to be EUF
- Arithmetic verification
- https://danielakaufmann.at/wp-content/uploads/2020/11/Kaufmann-PhD-Thesis-2020.pdf
- https://danielakaufmann.at/wp-content/uploads/2020/11/KaufmannBiereKauers-FMSD19.pdf
- https://link.springer.com/article/10.1007/s10009-022-00688-6
- https://ics.jku.at/files/2018ICCAD_PolyCleaner.pdf
- https://ieeexplore.ieee.org/document/9440537
- https://agra.informatik.uni-bremen.de/doc/konf/2020DATE_Towards_formal_verification_of_optimized_and_industrial_multipliers.pdf
- Combinational equivalence checking
- Sequential equivalence checking
- Arithmetic equivalence checking
- Reductions for arithmetic equivalence checking
- https://cas.ee.ic.ac.uk/people/gac1/pubs/TheoDACKC11.pdf
- Can we exploit symmetry? Is it possible to analyse a chunk of datapath,
realise that the operators are commutative (particularly if they are
in a fanout-free cone) and add symmetry constraint
- Could this be hard to proof check? It can probably be viewed as a form of abstraction, and justified by showing that all values downstream of the operator are still possible
- https://macau.uni-kiel.de/servlets/MCRFileNodeServlet/dissertation_derivate_00000669/d669.pdf recommends some symmetry reduction papers in 2.3.3. This seems to have been considered more in explicit state model checking