Advanced Unbounded CTL Model Checking Based on AIGs, BDD

Advanced Unbounded CTL Model Checking Basedon AIGs, BDD Sweeping, And Quantifier

Scheduling

Florian Pigorsch, Christoph Scholl, Stefan Disch

Albert-Ludwigs-Universitat Freiburg, Institut fur Informatik

FMCAD 2006

1 Florian Pigorsch, Christoph Scholl, Stefan Disch MC based on AIGs, BDD Sweeping, and Quantifier Scheduling

Outline

1 Motivation

2 And-Inverter Graphs

3 FRAIGs

4 Quantifier Scheduling

5 BDD Sweeping

6 Experimental ResultsOur Model CheckerFunctional Reduction, Node Selection HeuristicsBDD-Sweeping and Quantifier SchedulingComparison with BDD based model checkers

7 Conclusions


Motivation

Why another data structure for model checking?

BDD based model checking fails on certain problems

e.g. blow-up when representing combinational multipliers...

And-Inverter Graphs have been successfully used in:

Combinational Equivalence Checking (e.g. Mishchenko, Kuehlmann)Bounded Model Checking (e.g. Kuehlmann)Technology mappingVarious other verification/synthesis applications

Use And-Inverter Graphs as the underlying data structure for unboundedsymbolic CTL model checking


Motivation

Why another data structure for model checking?

BDD based model checking fails on certain problems

e.g. blow-up when representing combinational multipliers...

And-Inverter Graphs have been successfully used in:

Combinational Equivalence Checking (e.g. Mishchenko, Kuehlmann)Bounded Model Checking (e.g. Kuehlmann)Technology mappingVarious other verification/synthesis applications

Use And-Inverter Graphs as the underlying data structure for unboundedsymbolic CTL model checking


And-Inverter Graphs

And-Inverter Graphs

And-Inverter Graphs

x y z

f = x · (y + z)

node ≈ and gate

inverted edge ≈ inverter

variables ≈ inputs

Networks of 2-input and gates and inverters

Simple data structure

Every Boolean function can be represented by an AIG

But: possibly redundant and non-canonical (in contrast to BDDs)


And-Inverter Graphs

And-Inverter Graphs

x y z

f = x · (y + z)

node ≈ and gate

inverted edge ≈ inverter

variables ≈ inputs

Networks of 2-input and gates and inverters

Simple data structure

Every Boolean function can be represented by an AIG

But: possibly redundant and non-canonical (in contrast to BDDs)

y x z

f = y · x + x · z


And-Inverter Graphs

Operations

AND by adding a new and node, NOT by adding an inverted edge

Cofactor by propagating constants

Substitution of variables

Quantification by cofactoring (∃x .f ≡ f |x=0 + f |x=1) (possiblyexpensive)

Equivalence check of two nodes? ⇒ SAT

f g

f · gh¬h


And-Inverter Graphs

Operations






ff |x=c

x = cx


And-Inverter Graphs

Operations






f f |x=g

x = gx

g


And-Inverter Graphs

Operations

AND by adding a new and node, NOT by adding an inverted edgeCofactor by propagating constantsSubstitution of variablesQuantification by cofactoring (∃x .f ≡ f |x=0 + f |x=1) (possiblyexpensive)


x x = 0 x = 1

f

∃x.f

f |x=0 f |x=1


And-Inverter Graphs

Operations






1?

f g


And-Inverter Graphs

Are we ready for model checking?

We already have the needed operations for model checking:

Basic Boolean operators

Quantification

Substitution

Equivalence check for two nodes

But, plain AIGs are not enough:

Too many redundant nodes

Quantification will result in extremely large AIGs

We need to add some things to make model checking with AIGs feasible


And-Inverter Graphs




Quantification

Substitution







And-Inverter Graphs




Quantification

Substitution







Functionally Reduced And-Inverter Graphs: FRAIGs

FRAIGs

FRAIGs

FRAIG (A. Mishchenko)

A functionally reduced AIG does not contain two nodes representing thesame Boolean function.

How to create FRAIGs?

When creating a new node...

Find possibly equivalent candidate nodes using simulation

Solve the equivalence checking problems of the new node andcandidate nodes with a SAT solver (MiniSAT)

When finding an equivalent candidate: delete one of the two nodes

Use the feedback from the solver to strengthen the simulation values

A FRAIG is reduced by removing (functionally) redundant nodes


FRAIGs

FRAIGs



How to create FRAIGs?When creating a new node...







FRAIGs

FRAIGs










FRAIGs

FRAIGs










FRAIGs

FRAIGs










FRAIGs

FRAIGs










FRAIGs

FRAIGs










FRAIGs

How to handle pairs of equivalent nodes?

When we detect a pair of functionally equivalent nodes during FRAIGconstruction, we have to delete one of the two nodes.

Two different simple node selection heuristics:

hkeep: keep the old, existing node and delete the new node

hsize : keep the node with the smaller cone size, delete the other node


FRAIGs

How to handle pairs of equivalent nodes?

When we detect a pair of functionally equivalent nodes during FRAIGconstruction, we have to delete one of the two nodes.Two different simple node selection heuristics:

hkeep: keep the old, existing node and delete the new node

hsize : keep the node with the smaller cone size, delete the other node


Speeding up Quantification

Quantifier Scheduling

Quantifier Scheduling: A Motivating Example

n-bit Carry-Ripple-Adder ( ~s = ~x + ~y )Formula ∃~x .sn · sn−1

quantification order UP: quantify x0 first, then x1, . . .

quantification order DOWN: quantify xn−1 first, then xn−2, . . .

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14

0

2500

5000

7500

10000

12500

15000

17500

20000

22500

25000

27500

30000

32500

35000

UP

DOWN

quantifications

nodes

⇒ Quantification order is crucial!







0 1 2 3 4 5 6 7 8 9 10 11 12 13 14

0

2500

5000

7500

10000

12500

15000

17500

20000

22500

25000

27500

30000

32500

35000

UP

DOWN

quantifications

nodes








0 1 2 3 4 5 6 7 8 9 10 11 12 13 14

0

2500

5000

7500

10000

12500

15000

17500

20000

22500

25000

27500

30000

32500

35000

UP

DOWN

quantifications

nodes








0 1 2 3 4 5 6 7 8 9 10 11 12 13 14

0

2500

5000

7500

10000

12500

15000

17500

20000

22500

25000

27500

30000

32500

35000

UP

DOWN

quantifications

nodes




Multiple Quantifications

One quantification operation may double the AIG’s sizex x = 0 x = 1

f

∃x.f

f |x=0 f |x=1

A series of quantifications may lead to an exponential blow-up

How to avoid the blow-up?

Find a good quantification schedule!





f

∃x.f

f |x=0 f |x=1








f

∃x.f

f |x=0 f |x=1








f

∃x.f

f |x=0 f |x=1






A greedy algorithm for quantifier scheduling

Greedy quantification

greedy quantify( f, vars )res ← f;while vars 6= ∅

bestvar ← NULL; bestsize ←∞;for all v ∈ vars

if expected size( res, v ) < bestsizebestsize ← expected size( res, v ); bestvar ← v;

res ← quantify( res, bestvar );vars ← vars \{ bestvar };

return res;



Expected quantification result size?

How to compute the expected size of the quantification result?

One could actually perform quantifications by all variables to get theexact sizes. Too expensive!

Estimate the resulting size of one quantification step by simulatingthe two constant propagations:



















x = c not dep. on x

dep. on x

dep. on xremoved

recreated

f







x = 0 x = 1

∃x.f

f |x=0 f |x=1


Combining AIGs and BDDs: BDD Sweeping

BDD Sweeping

BDD Sweeping: Combining advantages of AIG and BDDrepresentations

“Classical” notion of BDD sweeping by A. Kuehlmann: Detection offunctionally equivalent AIG nodes by BDD construction

Our functionally reduced AIGs don’t contain such nodes (achievedby SAT)!

But: BDD representations of Boolean functions in model checkingare not always large...

Therefore: Use “good” BDD representations to restructure AIGs!


BDD Sweeping







BDD Sweeping







BDD Sweeping







BDD Sweeping

BDD Sweeping Algorithm

AIG cone aBDD b AIG a′CUDD

3 · |b| < |a|

blow-up3 · |b| ≥ |a|

Failure

b ≡ a a′ ≡ a, |a′| < |a|

too big

good BDD

MUX0 1

low high

xx

low high

xlow high


BDD Sweeping

Application of BDD Sweeping

We apply BDD sweeping to the results of quantifications

We limit the number of created BDD nodes to avoid a blow-up

Heuristics ensure that BDD-sweeping is used less frequently if theBDD node limit was reached in the past


Experimental Results

Experimental Results Our Model Checker

Our AIG based Model Checker

We use a standard CTL model checking algorithm based on fix pointiteration

The transition function and the characteristic functions of state setsare represented by AIGs

Alternatives for pre-image computation:

transition relation based:

χSat(EX φ)(~q, ~x) := ∃~q′∃~x ′(χR(~q, ~x , ~q′) · (χSat(φ)|~q←~q′,~x←~x′)(~q′, ~x ′))

transition function based:

χ′Sat(EX φ)(~q, ~x) := ∃~x ′(χSat(φ)|~q←~δ(~q,~x),~x←~x′)(~q, ~x ′))


Experimental Results Functional Reduction, Node Selection Heuristics

Impact of Functional Reduction and Node SelectionHeuristics

No BDD sweeping, no quantifier schedulingam

29

10

.1

am

29

10

.2

am

29

10

.3

am

29

10

.4

am

29

10

.5

am

29

10

.6

barr

el 1

0.4

coh

ere

nce

.1

coh

ere

nce

.2

coh

ere

nce

.3

coh

ere

nce

.4

coh

ere

nce

.5

coh

ere

nce

.6

coh

ere

nce

.7

coh

ere

nce

.8

coh

ere

nce

.9

daio

.1

daio

.2

daio

.3

daio

.4

deca

y.1

6

deca

y.3

2

deca

y.4

8

deca

y.6

4

palu

.12

.4

palu

.14

.4

palu

.16

.4

pic

oja

va/icc

tl

pic

oja

va/b

iu

vip

er.

1

vip

er.

2

vip

er.

3

0

200

400

600

800

1000

1200

1400

1600

1800

2000

2200

2400

2600

2800

3000

3200

3400

3600

plain AIGs

FRAIGs, keep heur.

FRAIGs, size heur.

benchmark

run

tim

e


Experimental Results BDD-Sweeping and Quantifier Scheduling

Impact of BDD Sweeping and Quantifier Scheduling

am

29

10

.1

am

29

10

.2

am

29

10

.3

am

29

10

.4

am

29

10

.5

am

29

10

.6

barr

el 1

0.4

coh

ere

nce

.1

coh

ere

nce

.2

coh

ere

nce

.3

coh

ere

nce

.4

coh

ere

nce

.5

coh

ere

nce

.6

coh

ere

nce

.7

coh

ere

nce

.8

coh

ere

nce

.9

daio

.1

daio

.2

daio

.3

daio

.4

deca

y.1

6

deca

y.3

2

deca

y.4

8

deca

y.6

4

palu

.12

.4

palu

.14

.4

palu

.16

.4

pic

oja

va/icc

tl

pic

oja

va/b

iu

vip

er.

1

vip

er.

2

vip

er.

3

0

200

400

600

800

1000

1200

1400

1600

1800

2000

2200

2400

2600

2800

3000

3200

3400

3600

FRAIGs, size heur.

FRAIGs. BDD-Sweep.

FRAIGs, BDD-Sweep., Quant. Sched.

benchmark

run

tim

e


Experimental Results Comparison with BDD based model checkers

Comparison with BDD based model checkers

VIS: VIS 2.1, sifting, no reachability analysisBDDMC: our model checker with AIGs replaced by BDDs

am

29

10

.1

am

29

10

.2

am

29

10

.3

am

29

10

.4

am

29

10

.5

am

29

10

.6

barr

el 1

0.4

coh

ere

nce

.1

coh

ere

nce

.2

coh

ere

nce

.3

coh

ere

nce

.4

coh

ere

nce

.5

coh

ere

nce

.6

coh

ere

nce

.7

coh

ere

nce

.8

coh

ere

nce

.9

daio

.1

daio

.2

daio

.3

daio

.4

deca

y.1

6

deca

y.3

2

deca

y.4

8

deca

y.6

4

palu

.12

.4

palu

.14

.4

palu

.16

.4

pic

oja

va/icc

tl

pic

oja

va/b

iu

vip

er.

1

vip

er.

2

vip

er.

3

0

200

400

600

800

1000

1200

1400

1600

1800

2000

2200

2400

2600

2800

3000

3200

3400

3600

FRAIGs, BDD-Sweep., Quant. Sched.BDDMC

VIS 2.1

benchmark

run

tim

e


Conclusions

Summary

Successful unbounded CTL model checking based on And-InverterGraphs (up to 2000 quantifications)

Made possible by using

Functionally Reduced And-Inverter GraphsSimple node selection heuristicsBDD sweepingand Quantifier Scheduling

Outperforms BDD based MCs on various benchmarks...

and has comparable runtimes on most other benchmarks


Conclusions

Summary







Conclusions

Summary







Conclusions

Future and Related Work

Optimize heuristics (node selection, application of BDD sweeping)

Lazier AIG compression instead of complete functional reduction

Time limited SAT to skip hard SAT instances

Evaluate recent AIG rewriting techniques

Try structural SAT instead of CNF based SAT

At ATVA06 we presented a hybrid model checker based on AIGs andlinear constraints over the reals


Conclusions

Future and Related Work

Optimize heuristics (node selection, application of BDD sweeping)

Lazier AIG compression instead of complete functional reduction

Time limited SAT to skip hard SAT instances

Evaluate recent AIG rewriting techniques

Try structural SAT instead of CNF based SAT

At ATVA06 we presented a hybrid model checker based on AIGs andlinear constraints over the reals


Thank you for your attention!

Documents

Advanced Unbounded CTL Model Checking Based on AIGs, BDD