

# IBM

# RuleBase Parallel Edition: A Massively Parallel Platform for Formal Verification

Rachel Tzoref, November 21st, 2004



# Agenda

- Motivation
- RuleBase PE Architecture
  - GUI
  - Dispatcher
  - Backend
  - Verification Engines
- Experience
- Concluding Remarks

### Motivation: Challenges in Formal Verification

- Current formal verification techniques are lagging behind growing design complexity
- State-space explosion limits the size of the units which formal verification can check
- Implications
  - Specification effort
  - Verification engineers' time is mostly spent waiting for answers
  - Uncertainty in selecting verification algorithms for a given assertion



# RuleBase Parallel Edition - Marry FV with Parallel Computing

- Reduce runtime by distributing verification tasks over a large number of CPUs
- CPUs are relatively cheap compared to verification engineers' time
- Bonus: larger verification tasks can be handled





# The RuleBase Parallel Edition Platform: Two Tiers of Parallel FV

#### Coarse-Grain Parallel FV

- Checking multiple verification units simultaneously
- Engines share runtime information

#### Fine-Grain Parallel FV

Decomposition of a large verification task into smaller, tractable subtasks, which can be run simultaneously on different CPUs




## User's Perspective: 3. Click Run...



© 2004 IBM Corporation







# Dispatcher – The Verification Unit Manager


### The Dispatcher: Job Description of VUnit Manager

- Manages the checking of a specific verification unit
- Starts RuleBase backend (the model preprocessor)
- Starts engines when backend is done
- Communicates with engines and GUI
- Continues running until vunit verification is finished
- Can distribute engines across remote machines (possibly by using Load-Balancers)





## RuleBase Backend - Preprocessing the Model


#### The RuleBase Backend

- Parses the PSL assertions and input constraints
- Transforms PSL expressions to invariants with state machines
  - Highly optimized algorithms, based on IBM's PSL Technology



- Merges design and input constraints into a unified state machine
- Executes numerous reductions and abstractions on the merged model

# Reductions – Reduce Model Size While Retaining Behavior: A Key Role of the RuleBase PE Backend

- Remove logic that does not affect the assertions
  - E.g. cone of influence
- Reduce signals to constants
  - E.g. constant propagation
- Exploit similarity of parts of the logic
  - E.g. identify equivalences
- Other reductions
- All reductions are safe
  - Preserve assertion validity
  - Restore reduced signals' values to show a complete trace
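A small illustration of the constant-propagation and cone-of-influence reductions listed above, added here as an example; it is not RuleBase code, and the netlist format, gate names and sample design are constructed for the demo:

```python
# Added example, not from the IBM deck: two of the safe reductions named on the
# slide (constant propagation, cone of influence) applied to a constructed netlist.
# Assumed format: name -> (op, operands); ops: const, input, ff (operand = next state),
# and, or, not. "buf" only appears as a result of simplification.
from collections import deque

NETLIST = {                                     # constructed sample design
    "tie_lo":     ("const", (0,)),              # test-mode enable tied off
    "req":        ("input", ()),
    "nreq":       ("not", ("req",)),
    "test_mode":  ("and", ("req", "tie_lo")),   # folds to const 0
    "grant_next": ("or", ("req", "test_mode")), # folds to buf(req)
    "grant":      ("ff", ("grant_next",)),
    "busy_next":  ("or", ("busy", "grant")),    # busy never feeds the assertion
    "busy":       ("ff", ("busy_next",)),
    "viol":       ("and", ("grant", "nreq")),   # assertion: never(viol)
}

def propagate_constants(net):
    """Fold gates driven by known constants until nothing changes (behaviour-preserving)."""
    net, changed = dict(net), True
    while changed:
        changed = False
        for name, (op, args) in list(net.items()):
            if op not in ("and", "or", "not"):
                continue
            vals = [net[a][1][0] if net[a][0] == "const" else None for a in args]
            live = tuple(a for a, v in zip(args, vals) if v is None)
            absorb = 0 if op == "and" else 1          # and-with-0 / or-with-1 absorb
            if len(live) == len(args):
                continue                              # no constant input at all
            if op == "not":
                new = ("const", (1 - vals[0],))
            elif absorb in vals:
                new = ("const", (absorb,))
            elif not live:
                new = ("const", (1 - absorb,))
            else:
                new = ("buf", live) if len(live) == 1 else (op, live)
            net[name], changed = new, True
    return net

def cone_of_influence(net, roots):
    """Keep only logic that can reach the assertion signals (backward BFS over fan-in)."""
    keep, todo = set(), deque(roots)
    while todo:
        n = todo.popleft()
        if n not in keep:
            keep.add(n)
            if net[n][0] != "const":
                todo.extend(net[n][1])
    return {n: net[n] for n in keep}
```

Running `cone_of_influence(propagate_constants(NETLIST), ["viol"])` keeps 5 of the 9 nodes; the cone alone would keep 7, so the two reductions compose.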



## The Verification Engines


### Verification Engines – Multiple Types, Parallelization-Driven

- Model Checking (MC) vs. Bounded Model Checking (BMC)
  - In MC, assertions are evaluated on infinite paths (the entire model)
  - In BMC, assertions are evaluated on finite paths (a truncated model)
- Verification vs. Falsification
  - Some engines are better for proving assertions
  - Some are better for falsifying assertions
  - Some handle true and false assertions equally well
- Safety vs. Liveness
  - Safety: something bad never happens
  - Liveness: something good will eventually happen
  - Some engines can only handle safety assertions
- Checking multiple assertions vs. checking a single assertion

### Symbolic Engines in RuleBase PE: Partial Preview

- Classical: performs "text-book" model checking using BDDs.
  - All fixpoint calculations are done by performing pre-image calculations (backward steps)
- The IBM "Discovery" symbolic engine first performs reachability analysis and then uses it to simplify classical model checking.
  - Reachability analysis: a BFS search from the initial states until a fixpoint, done using image calculations (forward steps)
  - Reachability is also used to check safety assertions "on-the-fly"
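The forward (image) and backward (pre-image) fixpoints this slide contrasts, as an added example that is not RuleBase code; explicit Python sets stand in for the BDDs a symbolic engine would use, and the 8-state model is constructed:

```python
# Added example, not from the IBM deck: the two fixpoint styles the slide contrasts,
# on explicit state sets (stand-ins for BDDs). Constructed model: states 0..7,
# TR maps each state to the set of its possible successors.
TR = {0: {1}, 1: {2}, 2: {3}, 3: {0},            # ring reachable from the initial state
      4: {5}, 5: {6}, 6: {7}, 7: {4}}            # second ring, unreachable from state 0
INIT, BAD = {0}, {7}                               # safety assertion: state 7 is never reached

def forward_reach(tr, init, bad):
    """Discovery-style: BFS image steps from init until fixpoint, checking bad on the fly.
    Returns (states explored, counterexample trace or None)."""
    parent = {s: None for s in init}             # doubles as the BFS tree for the trace
    frontier = set(init)
    while frontier:
        for s in frontier:
            if s in bad:                         # reachable bad state: rebuild the path
                trace = []
                while s is not None:
                    trace.append(s)
                    s = parent[s]
                return set(parent), trace[::-1]
        image = set()
        for s in frontier:
            for t in tr[s]:
                if t not in parent:              # only genuinely new states enter the frontier
                    parent[t] = s
                    image.add(t)
        frontier = image
    return set(parent), None                     # fixpoint without hitting bad: assertion holds

def backward_fixpoint(tr, bad):
    """Classical: iterate pre-image from bad until fixpoint = every state that can reach bad."""
    can_reach = set(bad)
    while True:
        pre = {s for s, succ in tr.items() if succ & can_reach}
        if pre <= can_reach:
            return can_reach
        can_reach |= pre

def classical_check(tr, init, bad):
    """Assertion holds iff no initial state lies in the backward fixpoint."""
    return not (init & backward_fixpoint(tr, bad))
```

Note that the backward fixpoint visits the whole unreachable ring {4, 5, 6, 7}, which the forward search never touches.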



## Abstraction Refinement in RuleBase PE: The SmartLoc Engine



#### Adaptive Search in RuleBase PE: The Beelzebub Engine

- Performs partial guided forward search towards "bad" states
- Computes image of small sets unlikely to explode
- Clever heuristics carefully determine which small sets to focus upon



# Circuit Unfolding – Parallel Symbolic Simulation Engine (Parallelized Version of the CHARME03 Algorithm)

- Unfolds the circuit into k combinational circuits, one for each cycle
- FFs become wires: FF inputs of cycle i are connected to FF outputs of cycle i+1
- The assertions are formulated as part of the combinational circuit
- Use BDD-Based decision procedures to prove the assertions
- Non-deterministic inputs are the variables of the BDDs




#### Parallel SAT

Performs bounded model checking by transforming the model into a propositional formula that describes all reachable paths of the model that contain a bug in cycle k:

$$I(s_0) \land TR(s_0, s_1) \land TR(s_1, s_2) \land \dots \land TR(s_{k-1}, s_k) \land \neg \phi(s_k)$$

The propositional formula is translated into conjunctive normal form (CNF) and given to a SAT solver, e.g.:

$$(x \lor y \lor z) \land (\neg x \lor y) \land (\neg y \lor z) \land (\neg x \lor \neg y \lor \neg z)$$

If the SAT solver finds a satisfying assignment to the CNF, it is a counterexample. Otherwise, the model doesn't contain a bug in cycle k.

Parallelized version of DPLL algorithm
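The unrolled formula and CNF from this slide, built and solved for a constructed 2-bit counter with a small sequential DPLL; this is an added example, not IBM's engine, and it also serves the circuit-unfolding slide above, since copying TR once per cycle is exactly the unfolding step (variable naming, the counter model and the assertion are assumptions):

```python
# Added example, not from the IBM deck: the slide's BMC formula built as CNF and
# solved with a small sequential DPLL. Constructed model: a 2-bit counter s1s0 with
# enable input e, starting at 00; assertion phi = never (s1 and s0).
def var(name, step): return f"{name}@{step}"   # one variable copy per unrolled cycle

def xor_clauses(z, x, y):                      # CNF for z = x XOR y
    return [[(z, False), (x, True), (y, True)], [(z, False), (x, False), (y, False)],
            [(z, True), (x, False), (y, True)], [(z, True), (x, True), (y, False)]]

def and_clauses(z, x, y):                      # CNF for z = x AND y
    return [[(z, False), (x, True)], [(z, False), (y, True)],
            [(z, True), (x, False), (y, False)]]

def tr_clauses(i):                             # TR(s_i, s_{i+1}) for the counter
    s0, s1, e, c = var("s0", i), var("s1", i), var("e", i), var("carry", i)
    return (xor_clauses(var("s0", i + 1), s0, e) + and_clauses(c, s0, e)   # s0' = s0^e
            + xor_clauses(var("s1", i + 1), s1, c))                      # s1' = s1^(s0&e)

def dpll(clauses, assign=None):
    """Literals are (variable, polarity). Returns a satisfying assignment or None."""
    assign = dict(assign or {})
    while True:                                # unit propagation to fixpoint
        unit, remaining = None, []
        for clause in clauses:
            if any(assign.get(v) == p for v, p in clause):
                continue                       # clause already satisfied
            open_lits = [(v, p) for v, p in clause if v not in assign]
            if not open_lits:
                return None                    # conflict: every literal is false
            if len(open_lits) == 1 and unit is None:
                unit = open_lits[0]
            remaining.append(open_lits)
        clauses = remaining
        if unit is None:
            break
        assign[unit[0]] = unit[1]
    if not clauses:
        return assign                          # every clause satisfied
    v = clauses[0][0][0]                       # branch on the first open variable
    for polarity in (True, False):
        result = dpll(clauses, {**assign, v: polarity})
        if result is not None:
            return result
    return None

def bmc(k):                                    # I(s0) ^ TR(s0,s1) ^ ... ^ TR(s_{k-1},s_k) ^ !phi(s_k)
    clauses = [[(var("s0", 0), False)], [(var("s1", 0), False)]]      # I: counter = 00
    for i in range(k):
        clauses += tr_clauses(i)                                       # one TR copy per cycle
    clauses += [[(var("s0", k), True)], [(var("s1", k), True)]]       # !phi: both bits set
    return dpll(clauses)                       # assignment = counterexample, None = no bug at k
```

`bmc(3)` returns a counterexample in which e is 1 in all three cycles; `bmc(2)` returns None, i.e. the counter cannot show 11 within two cycles.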

### FormalSim – Semi Formal Engine

- An explicit model checker that is oriented to find bugs
- Does not attempt to achieve full coverage of the state space
- Uses clever heuristics that guide towards the bad states
- Can address very large designs



## Coverage vs. Model Size






# Parallel BDD Algorithms - Results

Average improvement using 3 slaves: 27.85%



### Parallel SAT - Results



# Parallel Circuit Unfolding - Results

- Twice as fast with 3 slaves



#### Customer Feedback

"We are very satisfied with RuleBase Parallel Edition; the coarse grain parallelism seems to substantially increase the verification productivity"

FV Engineer, Multinational Semiconductor Company

"It is our experience that a non-formal method with three times the resources will yield lower verification quality than the one we achieve with RuleBase PE. Furthermore, the multi-engine parallelization gave our engineers 2x the productiveness in Formal Verification deployment. Furthermore, the new algorithms added to RuleBase PE were very significant in our ability to do the verification as effectively as we did."

IBM Haifa Development Lab





