# SAT-based Approaches for Test & Verification of Integrated Circuits

Albert-Ludwigs-Universität Freiburg

Dr. Tobias Schubert, Chair of Computer Architecture, Institute of Computer Science, Faculty of Engineering, schubert@informatik.uni-freiburg.de

Summer School on Verification Technology, Systems & Applications 2015

#### Just a very short CV

- Studied computer science & microsystems engineering at the University of Freiburg
- Did my PhD working on efficient parallel SAT solving at the University of Freiburg
- Member of the Transregional Collaborative Research Center 14 AVACS – Automatic Verification and Analysis of Complex Systems
- Principal investigator within the cluster of excellence BrainLinks-BrainTools
- Member of the part-time distance learning program Intelligent Embedded Microsystems

# About Me

#### My research interests include

- Efficient (parallel) algorithms for SAT and related domains
- Real-world applications using SAT, #SAT, MaxSAT, QBF, and SMT solvers as the underlying backend
- Embedded & cyber-physical systems
- Industrial internet & internet of things
- E-learning, blended learning, distance teaching




# Collaborators

## University of Freiburg

- Bernd Becker
- Jan Burchard
- Alejandro Czutro
- Linus Feiten
- Karina Gitina
- Paolo Marin
- Sven Reimer
- Matthias Sauer
- Karsten Scheibler
- Christoph Scholl
- Ralf Wimmer

## University of Bremen

- Rolf Drechsler

## University of Oldenburg

- Martin Fränzle

## University of Passau

- Ilia Polian

## University of Potsdam

- Torsten Schaub

## MPI Saarbrücken

- Christoph Weidenbach

# Motivation: Embedded Systems

## Embedded Systems

Information processing systems embedded into a "larger" product

## Without Embedded Systems

- No cars would drive today
- No planes would fly today
- No factory would work today
- No mobile communication would be possible
- ⇒ Verifying designs and testing produced chips are mandatory tasks, in particular for safety-critical applications!



# Motivation: Automotive Area



- Many functions controlled by embedded systems
- Multiple networks / system busses
- Up to 70 different processors within one car

VTSA'15


#### Consequences

- Increasing system complexity
- Increasing number of dependencies between different subsystems
- Up to 40% of the total costs are caused by electronics & software
- Up to 90% of the innovations are driven by electronics & software
- 40–50% of all car breakdowns are caused by electronics & software
- Errors related to electronics or software are responsible for more than 40% of all call-backs
- Reliable function is of utmost importance, because otherwise human lives can be endangered!
- ⇒ Safety-critical application of embedded systems!


# Verifying Integrated Circuit Designs

#### Focus is on detecting design errors

- Errors which occur during the translation of a specification into the final integrated circuit (~> implementation)
- Errors in the design make all produced chips erroneous
- ⇒ Formal methods to avoid design errors before producing any chip




Tobias Schubert - SAT-based Test & Verification

# Testing Integrated Circuits

#### Focus is on production errors

- Defects which are caused during the production of single chips and which change their functionality
- Causes are contaminations, shifted exposure masks, wrong doping, ...
- $\Rightarrow$  Formal methods to ensure that all production errors can be found






- Tremendous performance improvements within the last 15 years
- Nowadays SAT solvers (and their extensions) are able to ...
  - solve problems coming from real-world applications (e.g., large industrial circuits)
  - handle optimization & enumeration problems, multi-valued domains, hybrid systems


# Typical SAT-based Flow




## Outline




# Boolean Satisfiability Problem (SAT)




# Overview of SAT Algorithms

#### Focus here is on complete methods

- Due to their systematic procedure, complete solvers are able to prove the unsatisfiability of a CNF formula
- DP algorithm
  - M. Davis, H. Putnam, 1960
  - Based on resolution
- DLL algorithm
  - M. Davis, G. Logemann, D. Loveland, 1962
  - Based on depth-first search

## Modern SAT algorithms

- Based on the DLL algorithm, but enriched with efficient data structures and several acceleration & optimization techniques
- zChaff, MiniSat, MiraXT, lingeling, antom, Glucose


## Definition (Empty Clause)

The empty clause, denoted with  $\Box$ , describes the empty set of literals, and it is unsatisfiable by definition.

## Definition (Empty Formula)

The empty formula describes an empty set of clauses and it is satisfiable by definition.




## Definition (Pure Literal)

Let *F* be a CNF formula and *L* be a literal contained in *F*. *L* is called a pure literal iff *L* occurs in *F* only positively or only negatively.

#### Steps in order to simplify a CNF formula F

Delete from F all clauses in which a pure literal L occurs, because these clauses will be satisfied by an appropriate assignment to L

#### Remark

As it is rather time consuming, pure literal detection is applied by modern SAT solvers during pre-/inprocessing only

## Definition (Subsumption)

Let  $C_1$  and  $C_2$  be two clauses.  $C_1$  subsumes  $C_2$  iff all literals occurring in  $C_1$  also occur in  $C_2$ :  $C_1 \subseteq C_2$ .

#### Steps in order to simplify a CNF formula F

Delete all clauses from F that are subsumed by at least one other clause of F

#### Remark

Typically, modern SAT solvers apply subsumption checks during pre-/inprocessing only



## Lemma (Resolution Lemma)

Let *F* be a CNF formula and *R* be the resolvent of two clauses  $C_1$  and  $C_2$  from *F*. Then *F* and  $F \cup \{R\}$  are equivalent:  $F \equiv F \cup \{R\}$ .

## Definition



 $Res(F) = F \cup \{R | R \text{ is the resolvent of two clauses in } F\}$ .

Moreover, let us define:

$$Res^{0}(F) = F, \qquad Res^{t+1}(F) = Res(Res^{t}(F)) \text{ for } t \ge 0, \qquad Res^{*}(F) = \lim_{t > 0} Res^{t}(F)$$

## Theorem (Resolution Theorem)

A CNF formula *F* is unsatisfiable iff $\Box \in Res^{*}(F)$.


## Definition

Let *F* be a CNF formula and $x_i$ a variable occurring in *F* with $L = x_i$ and $\neg L = \neg x_i$. Then we define *P*, *N* and *W* as follows:

- *P* is the set of clauses in *F* which contain *L*: $P = \{C \in F \mid L \in C\}$
- *N* is the set of clauses in *F* which contain $\neg L$: $N = \{C \in F \mid \neg L \in C\}$
- *W* is the set of clauses in *F* which contain neither *L* nor $\neg L$: $W = \{C \in F \mid L \notin C \land \neg L \notin C\}$

Obviously, we have $F = P \cup N \cup W$.


## Definition (Pairwise Resolution)

Using this partitioning of the clauses we define $P \otimes_{x_i} N$ as the set of clauses which can be constructed by resolution of all pairs $(p, n) \in P \times N$:

$$P \otimes_{x_i} N = \{R \mid (R = C_1 \otimes_{x_i} C_2) \land (C_1 \in P) \land (C_2 \in N)\}.$$

## Theorem (Variable Elimination)

Let *F* be a formula in CNF and $x_i$ a variable which appears both positive and negative in *F*. Further let the sets *P*, *N*, and *W* be the partition of *F* as defined before. Then $F = P \cup N \cup W$ and $F' = (P \otimes_{x_i} N) \land W$ are satisfiability equivalent.


## DLL algorithm

- Main idea: If a CNF formula *F* is satisfiable, then for an arbitrary variable $x_i$ occurring in *F* either $x_i = 1$ or $x_i = 0$ must hold $\Rightarrow$ Try both cases one after the other
  - $\Rightarrow$ Depth-first search
- Applying the unit clause & pure literal rule to accelerate the search
- Recursive algorithm; in particular, the given formula gets modified when going from recursion level *r* to *r* + 1
- In the literature both "DLL" and "DPLL" can be found
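The recursive DLL procedure described above, as an added Python example (this is not code from the slides): each recursion level works on a simplified copy of the formula, so backtracking simply returns to the caller's unmodified copy. `SAT_CNF` and `UNSAT_CNF` are the two formulas used in the examples of this lecture; `use_pure=False` switches off the pure literal rule, as modern solvers do.

```python
from typing import Dict, List, Optional, Tuple

Clause = Tuple[int, ...]   # literal +i stands for x_i, -i for not x_i
CNF = List[Clause]


def assign(f: CNF, lit: int) -> CNF:
    """Formula modification for the step from recursion level r to r + 1:
    clauses satisfied by lit are dropped and -lit is removed from the rest.
    The caller keeps its own unmodified f, which is what backtracking restores."""
    return [tuple(l for l in c if l != -lit) for c in f if lit not in c]


def dll(f: CNF, model: Optional[Dict[int, bool]] = None,
        use_pure: bool = True) -> Optional[Dict[int, bool]]:
    """Davis-Logemann-Loveland: returns a satisfying assignment, or None if UNSAT."""
    model = dict(model or {})
    while True:
        if not f:
            return model                    # empty formula: satisfiable by definition
        if any(len(c) == 0 for c in f):
            return None                     # empty clause: unsatisfiable by definition
        units = [c[0] for c in f if len(c) == 1]
        if units:
            lit = units[0]                  # unit clause rule
        elif use_pure:
            lits = {l for c in f for l in c}
            pure = sorted(l for l in lits if -l not in lits)
            if not pure:
                break
            lit = pure[0]                   # pure literal rule
        else:
            break
        model[abs(lit)] = lit > 0
        f = assign(f, lit)
    # case distinction on the first variable of the first clause: x = 1, then x = 0
    var = abs(f[0][0])
    for lit in (var, -var):
        result = dll(assign(f, lit), {**model, var: lit > 0}, use_pure)
        if result is not None:
            return result                   # first satisfying branch wins
    return None                             # both branches failed: backtrack


def satisfies(f: CNF, model: Dict[int, bool]) -> bool:
    return all(any(model.get(abs(l)) == (l > 0) for l in c) for c in f)


# The two formulas used in the DLL and decision stack examples of these slides.
SAT_CNF: CNF = [(-1, -2, -3), (-1, -2, 3), (-1, 2, -3), (-1, 2, 3), (1, -2, -3)]
UNSAT_CNF: CNF = [(1, 2), (1, -3), (-1, 3), (-1, -2), (3, -2), (-3, 2), (7,)]

if __name__ == "__main__":
    print(dll(SAT_CNF))     # {1: False, 3: False}
    print(dll(UNSAT_CNF))   # None
```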






Example for the DLL algorithm:

$$(\neg x_1, \neg x_2, \neg x_3) \land (\neg x_1, \neg x_2, x_3) \land (\neg x_1, x_2, \neg x_3) \land (\neg x_1, x_2, x_3) \land (x_1, \neg x_2, \neg x_3)$$

Case distinction $x_1 = 1$: the last clause is satisfied and $\neg x_1$ is removed from the other clauses:

$$(\neg x_2, \neg x_3) \land (\neg x_2, x_3) \land (x_2, \neg x_3) \land (x_2, x_3)$$

Case distinction $x_2 = 1$:

$$(\neg x_3) \land (x_3)$$

Unit clauses $x_3 = 0$ and $x_3 = 1$ $\Rightarrow$ contradiction/conflict, backtrack to the case distinction on $x_2$

Case distinction $x_2 = 0$:

$$(\neg x_3) \land (x_3)$$

Unit clauses $x_3 = 0$ and $x_3 = 1$ $\Rightarrow$ contradiction/conflict, backtrack to the case distinction on $x_1$

Case distinction $x_1 = 0$: the first four clauses are satisfied, only $(\neg x_2, \neg x_3)$ remains, and the pure literal rule satisfies it

$\Rightarrow$ Formula satisfiable, e.g., with $x_1 = 0, x_2 = 0, x_3 = 1$



### Overall

- DLL algorithm
  - Recursive procedure
  - For the transition from recursion level *r* to level *r* + 1 the given formula gets modified
  - For backtracking from level *r* + 1 to *r* the original (sub)formula at level *r* has to be restored
- Modern SAT algorithms
  - Non-recursive implementation
  - Apart from special cases (preprocessing), the CNF remains unmodified
  - Typically, the pure literal rule is not applied



#### Unit propagation to determine all implications forced by a variable assignment

- DLL algorithm
  - Repeated application of the unit clause rule on successive recursion levels until the rule cannot be applied anymore
- Modern SAT algorithms
  - Done non-recursively, also called Boolean Constraint Propagation (BCP)
  - Example: For the CNF $F = (x_1, \neg x_2) \land (x_1, x_2, x_3) \land (\neg x_2, x_4)$, $x_1 = 0$ leads to the implications $x_2 = 0, x_3 = 1, x_4 = 1$

#### Contradiction/conflict

- DLL algorithm
  - Empty clause
- Modern SAT algorithms
  - Unsatisfied clause
  - Example: Valuation  $x_1 = 0, x_2 = 1, x_3 = 0$  makes  $(x_1, \neg x_2, x_3)$  unsatisfied, and so the whole CNF formula containing it cannot be satisfied anymore



#### Conflict analysis & backtracking

- DLL algorithm
  - The combination of the decisions done before will always be considered as the origin of a conflict
  - Backtracking to the recursion level of the last "branching" in which one case for a variable assignment has not been explored yet
  - If such a recursion level does not exist, the given CNF formula is unsatisfiable
- Modern SAT algorithms
  - Complex analysis of the conflict setting, because not all "branchings" done before have to be involved in the current conflict
  - Learning of a conflict clause via resolution to avoid running into the same conflict again
  - (Non-)chronological backtracking according to the derived conflict clause
  - If a conflict occurs on decision level 0, the given CNF formula is unsatisfiable

#### Main techniques of today's SAT solvers

- Preprocessing
- In turn
  - Choose the next decision variable
  - Boolean constraint propagation / unit propagation
  - If necessary, conflict analysis & backtracking
- At some fixed points during the search process
  - Unlearning (of some conflict clauses)
  - Restarts
  - Inprocessing
- In case of a satisfiable CNF formula
  - Output the satisfying variable assignment $\Rightarrow$ model

# Modern SAT Algorithms



Not explicitly stated: Inprocessing, unlearning, restarts, model output

# Preprocessing

#### Goal

- Reduce the formula's size in terms of clauses and literals to speed up the search process
- Observation from experience
  - As a rule of thumb, the size of a formula is related to the time necessary for the SAT algorithm to solve it
- Identification & preprocessing of unit clauses within the original set of clauses belong to the common operations done in modern SAT algorithms
- It is very important to find a good compromise between the additional effort required by preprocessing and the expected saving during the search process

#### Unit Propagation Lookahead (UPLA)

Fix a variable  $x_i$  to 0, check implications; then change its value to  $x_i = 1$ , check implications. Simplify the formula exploiting the following consequences:

$$(x_i = 0 \rightarrow conflict) \land (x_i = 1 \rightarrow conflict) \Rightarrow UNSAT$$
$$(x_i = 0 \rightarrow conflict) \Rightarrow x_i = 1$$
$$(x_i = 1 \rightarrow conflict) \Rightarrow x_i = 0$$
$$(x_i = 0 \rightarrow x_j = 1) \land (x_i = 1 \rightarrow x_j = 1) \Rightarrow x_j = 1$$
$$(x_i = 0 \rightarrow x_j = 0) \land (x_i = 1 \rightarrow x_j = 0) \Rightarrow x_j = 0$$
$$(x_i = 0 \rightarrow x_j = 0) \land (x_i = 1 \rightarrow x_j = 1) \Rightarrow x_i \equiv x_j$$


## Unit Propagation Lookahead (UPLA)

- Advantage
  - Built on top of the components already available in the solver
- Disadvantages
  - Requires binary clauses in the original formula
  - Necessary to extend the model when e.g. $x_i = x_j$ is detected and all the occurrences of $x_i$ are substituted with $x_j$
  - In general quite time consuming, in particular if all the variables are tested
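The six UPLA rules listed above, as an added Python example (not code from the slides): every variable is probed with both values by unit propagation, and failed literals, necessary assignments and equivalences are collected from the two implication sets. The instance `EXAMPLE` is constructed for this illustration.

```python
from typing import Dict, List, Optional, Set, Tuple

Clause = Tuple[int, ...]   # literal +i stands for x_i, -i for not x_i
CNF = List[Clause]


def propagate(f: CNF, assumption: int) -> Optional[Set[int]]:
    """Unit propagation starting from one assumed literal.
    Returns the set of implied literals (assumption included), or None on conflict."""
    implied = {assumption}
    changed = True
    while changed:
        changed = False
        for c in f:
            if any(l in implied for l in c):
                continue                        # clause already satisfied
            free = [l for l in c if -l not in implied]
            if not free:
                return None                     # all literals false: conflict
            if len(free) == 1:
                if -free[0] in implied:
                    return None                 # would assign both x and not x
                implied.add(free[0])
                changed = True
    return implied


def upla(f: CNF) -> Tuple[bool, Dict[int, bool], List[Tuple[int, int]]]:
    """Probe x_i = 0 and x_i = 1 for every variable and apply the six UPLA rules.
    Returns (unsat, forced assignments x_j = value, equivalences (x_i, x_j) with x_i == x_j)."""
    forced: Dict[int, bool] = {}
    equiv: List[Tuple[int, int]] = []
    for var in sorted({abs(l) for c in f for l in c}):
        neg, pos = propagate(f, -var), propagate(f, var)
        if neg is None and pos is None:
            return True, forced, equiv          # both cases conflict: UNSAT
        if neg is None:
            forced[var] = True                  # x_i = 0 -> conflict  =>  x_i = 1
            continue
        if pos is None:
            forced[var] = False                 # x_i = 1 -> conflict  =>  x_i = 0
            continue
        for lit in neg & pos:                   # implied in both cases: x_j = 1 / x_j = 0
            forced[abs(lit)] = lit > 0
        for lit in pos:                         # x_i = 0 -> x_j = 0 and x_i = 1 -> x_j = 1
            if lit > var and -lit in neg:
                equiv.append((var, lit))        # => x_i == x_j (substitute later, extend model)
    return False, forced, equiv


# Constructed instance: x1 is a failed literal, x5 is implied under both values
# of x2, and the two binary clauses on x3/x4 make them equivalent.
EXAMPLE: CNF = [(1, 2), (1, -2), (-3, 4), (3, -4), (-2, 5), (2, 5)]

if __name__ == "__main__":
    print(upla(EXAMPLE))   # (False, {1: True, 5: True}, [(3, 4)])
```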

#### Application of resolution

- Advantages
  - No particular kind of clauses necessary in the original formula
  - Usually, simplifies effectively within a manageable time
- Disadvantages
  - In case of a satisfiable CNF formula, model extension required
- Techniques (SatELite)
  - Self-subsuming resolution
  - Elimination by clause distribution
  - Variable elimination by substitution
  - Forward subsumption
  - Backward subsumption



#### Self-subsuming resolution

- Original formula: $F = (x_1 \lor \neg x_3) \land (x_1 \lor x_2 \lor x_3) \land \dots$
- Resolution applied to the first two clauses: $(x_1 \lor \neg x_3) \otimes_{x_3} (x_1 \lor x_2 \lor x_3) = (x_1 \lor x_2)$
- $\Rightarrow$ $(x_1 \lor x_2)$ subsumes $(x_1 \lor x_2 \lor x_3)$
- $\Rightarrow$ Replace $(x_1 \lor x_2 \lor x_3)$ with $(x_1 \lor x_2)$
- Simplified formula: $F' = (x_1 \vee \neg x_3) \wedge (x_1 \vee x_2) \wedge \dots$
- Saving: 1 literal

## Preprocessing

#### Elimination by clause distribution

- Sometimes also called variable elimination
- Original formula: $F = (x_1 \lor x_2) \land (x_1 \lor \neg x_3) \land (\neg x_1 \lor x_3) \land (\neg x_1 \lor \neg x_2)$
- Variable elimination applied to $x_1$ leads to $F' = (x_2 \lor x_3) \land (\neg x_3 \lor \neg x_2)$
- Saving: 1 variable, 2 clauses, 4 literals
- Applied only if it leads to a reduction of the formula's size

#### Variable elimination by substitution

- Original formula: $F = (\neg x_5 \lor x_1) \land (\neg x_5 \lor x_2) \land (x_5 \lor \neg x_1 \lor \neg x_2) \land (x_4 \lor \neg x_5) \land (\neg x_4 \lor x_5 \lor x_6)$
- The first three clauses represent an AND gate (~> Tseitin transformation): $[(\neg x_5 \lor x_1) \land (\neg x_5 \lor x_2) \land (x_5 \lor \neg x_1 \lor \neg x_2)] \leftrightarrow [x_5 \equiv x_1 \land x_2]$
- Removing the first three clauses and replacing the occurrences of $x_5$ by $x_1 \land x_2$ in the other clauses leads to $F' = (x_4 \lor \neg (x_1 \land x_2)) \land (\neg x_4 \lor (x_1 \land x_2) \lor x_6)$
- Transformation into CNF: $F'' = (x_4 \lor \neg x_1 \lor \neg x_2) \land (\neg x_4 \lor x_1 \lor x_6) \land (\neg x_4 \lor x_2 \lor x_6)$
- Saving: 1 variable, 2 clauses, 3 literals
- Applied only if it leads to a reduction of the formula's size
- Procedure for OR, NAND, other "basic gates" quite similar

#### Forward subsumption

Test if a clause generated during one of the preprocessing techniques described before is already subsumed by one clause of the current CNF formula

#### Backward subsumption

Test if a clause generated during one of the preprocessing techniques described before subsumes one (or more) clauses of the current CNF formula

 $\Rightarrow$  Remove all the clauses subsumed
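The clause-level simplifications defined in the resolution section (pure literal rule, subsumption, resolution and the Res* saturation of the Resolution Theorem) together with the SatELite-style techniques above (self-subsuming resolution, elimination by clause distribution, backward subsumption), as an added Python example; this is neither code from the slides nor SatELite's implementation, and variable elimination by substitution (gate detection) is left out. The sample formulas are the ones from the slides plus small constructed ones.

```python
from itertools import product
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Clause = FrozenSet[int]    # literal +i stands for x_i, -i for not x_i
CNF = List[Clause]


def cnf(*clauses) -> CNF:
    return [frozenset(c) for c in clauses]


def resolve(c1: Clause, c2: Clause, var: int) -> Optional[Clause]:
    """Resolvent of c1 (containing var) and c2 (containing -var) on var.
    A tautological resolvent carries no information and is dropped (None)."""
    r = (c1 - {var}) | (c2 - {-var})
    return None if any(-l in r for l in r) else r


def pure_literal_elimination(f: CNF) -> Tuple[CNF, Dict[int, bool]]:
    """Delete every clause containing a pure literal, repeated until none is left.
    Returns the simplified formula and the assignment that satisfies the deleted clauses."""
    f, assignment = list(f), {}
    while True:
        lits = {l for c in f for l in c}
        pure = {l for l in lits if -l not in lits}
        if not pure:
            return f, assignment              # [] means: empty formula, satisfiable
        for l in pure:
            assignment[abs(l)] = l > 0
        f = [c for c in f if not c & pure]


def remove_subsumed(f: CNF) -> CNF:
    """Backward subsumption: drop every clause subsumed (C1 ⊆ C2) by another one."""
    kept: CNF = []
    for c in sorted(set(f), key=lambda c: (len(c), sorted(c))):
        if not any(k <= c for k in kept):     # only a shorter kept clause can subsume c
            kept.append(c)
    return kept


def self_subsuming_resolution(f: CNF) -> CNF:
    """Whenever C1 ⊗ C2 subsumes C2, strengthen C2 by dropping the clashing literal."""
    f = list(f)
    while True:
        step = next(((j, c2 - {-lit})
                     for i, c1 in enumerate(f) for j, c2 in enumerate(f) if i != j
                     for lit in c1 if -lit in c2 and (c1 - {lit}) <= c2), None)
        if step is None:
            return f
        f[step[0]] = step[1]                  # (x1 v x2 v x3) becomes (x1 v x2)


def eliminate_variable(f: CNF, var: int) -> Tuple[CNF, bool]:
    """Elimination by clause distribution: replace P and N by P ⊗ N and keep W.
    Applied only if the clause count shrinks; the result is satisfiability equivalent."""
    p = [c for c in f if var in c]
    n = [c for c in f if -var in c]
    w = [c for c in f if var not in c and -var not in c]
    resolvents = {r for c1, c2 in product(p, n)
                  for r in [resolve(c1, c2, var)] if r is not None}
    if len(w) + len(resolvents) >= len(f):
        return f, False
    return w + sorted(resolvents, key=sorted), True


def resolution_refutation(f: CNF) -> bool:
    """Resolution Theorem: saturate Res*(F); F is unsatisfiable iff the empty clause
    appears. Returns True if the empty clause was derived, False on saturation without it."""
    clauses: Set[Clause] = set(f)
    while frozenset() not in clauses:
        new = {r for c1 in clauses for c2 in clauses
               for var in c1 if var > 0 and -var in c2
               for r in [resolve(c1, c2, var)] if r is not None} - clauses
        if not new:
            return False
        clauses |= new
    return True


if __name__ == "__main__":
    # the slides' clause distribution example: x1 eliminated, 4 clauses -> 2
    print(eliminate_variable(cnf((1, 2), (1, -3), (-1, 3), (-1, -2)), 1))
    print(self_subsuming_resolution(cnf((1, -3), (1, 2, 3))))
```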

# Decision Stack

- Central data structure of modern SAT algorithms
- Decision stack stores the order of the executed assignments
- If a model for a CNF formula could be found, the decision stack stores the satisfying assignment

## Decision Stack

Figure (decision stack): decision levels 0 to 5, each holding its decision variable and the implications derived on that level (e.g. level 0: $x_{23} = 1$, $x_7 = 1$; level 1: $x_{17} = 0$; level 2: $x_{13} = 0$, $x_8 = 1$, $x_6 = 0$).

- Each assignment has an associated decision level: the decision level gets initialized with 0; before a decision is made, it is incremented by one; backtracking decrements the decision level
- Decision level 0 plays a special role: It stores only implications from unit clauses in the original formula, but no
- A conflict on decision level 0 means that the CNF is unsatisfiable



Example (search with the decision stack on a satisfiable formula):

$$(\neg x_1, \neg x_2, \neg x_3) \land (\neg x_1, \neg x_2, x_3) \land (\neg x_1, x_2, \neg x_3) \land (\neg x_1, x_2, x_3) \land (x_1, \neg x_2, \neg x_3)$$

$\Rightarrow$ Formula satisfiable with, e.g., $x_1 = 0, x_2 = 0, x_3 = 1$




Example (search with the decision stack on an unsatisfiable formula):

$$(x_1, x_2) \land (x_1, \neg x_3) \land (\neg x_1, x_3) \land (\neg x_1, \neg x_2) \land (x_3, \neg x_2) \land (\neg x_3, x_2) \land (x_7)$$

$\Rightarrow$ Formula unsatisfiable due to a conflict on decision level 0

# Decision Heuristics

- Have the role of choosing the next decision variable
- Comparable with "case distinction" in the DLL algorithm
- Affects the search process significantly
- Modern SAT algorithms do not test whether the CNF formula is already satisfied during the search, rather it is indirectly guaranteed from assigning all variables without running into a conflict
  - Example:  $F = (x_1, x_2, x_3) \land (\neg x_1, x_4)$
  - $\Rightarrow$  A satisfying assignment is for example  $x_1 = 1, x_4 = 1$
  - ⇒ Today's solvers do not test whether $x_1 = x_4 = 1$ already satisfies all the clauses, but assign the remaining variables without generating a conflict (e.g., $x_2 = x_3 = 0$) before they conclude that the CNF is satisfiable


### Classical decision heuristics

- Several flavors
  - Dynamic Largest Individual/Combined Sum
  - Maximum Occurrences on Clauses of Minimal Size
- Choice criteria
  - "How often does a still unassigned variable occur in currently unresolved clauses?"
  - Among the unassigned variables, choose the one that occurs most frequently in unresolved clauses
  - In most cases also weighted with the length of those clauses
- These heuristics are quite time consuming, because both the status of each clause and the distribution of the variables within the set of clauses have to be computed and kept up to date
  - ⇒ Computation complexity defined over #clauses

### Variable State Independent Decaying Sum (VSIDS)

- Today's standard method used by almost every SAT solver
- Computation complexity defined over #variables
- No update is mandatory during the backtrack phase
- Each variable  $x_i$  has two activity counters  $P_{x_i}$  and  $N_{x_i}$
- For each literal *L* in a learned clause *C* the activity is incremented as follows:

$$P_{x_i} = P_{x_i} + 1 \text{, if } L = x_i \qquad\qquad N_{x_i} = N_{x_i} + 1 \text{, if } L = \neg x_i$$

- The unassigned variable  $x_i$  with the highest activity  $(P_{x_i} \text{ or } N_{x_i})$  is chosen as the next decision variable
- Polarity depends on whether  $P_{x_i} > N_{x_i}$  holds or not

#### Variable State Independent Decaying Sum (VSIDS)

- Periodically, the activities are "normalized", i. e., divided by a constant factor
  - ⇒ After the normalization, the recently learned clauses have a higher weight in comparison to the clauses learned before the last normalization process
  - $\Rightarrow\,$  Takes into account the "history" of the search process
- Several optimizations possible
  - By which amount should the activities be incremented?
  - How often should the normalization take place?
  - By which factor should the activity scores be divided?



# Boolean Constraint Propagation (BCP)

#### Tasks

- Detect all implications forced by a variable assignment
- Detect conflicts
- Comparable to the repeated application of the unit clause rule of the DLL algorithm
- Efficient implementation mandatory, because roughly 80% of the runtime of a SAT algorithm is spent in the BCP routine



### General flow

- After every variable assignment, identify the implications that have arisen, and push them into the implication queue
- As long as there are items in the implication queue...
  1. Remove the first element from the queue
  2. Assign to each implied variable its forced truth value
  3. Check which consecutive implications arise, and push them into the implication queue
  4. Check for conflicts





















### Approaches for the implementation of a BCP routine

- Counter-Based Schemes
- Watched Literals / 2-Literal Watching Scheme



#### Counter-Based Schemes

- 2-Counter Scheme
  - Two counters for each clause
    - One counter for the literals which satisfy the clause
    - One counter for the unassigned literals
- 1-Counter Scheme
  - One counter for each clause to count the number of not falsifying literals
- Disadvantages
  - "Unnecessary" counter updates
  - Adjustment of the counter values during backtrack
  - Requires a list for each variable and polarity to store all the clauses where the "related literal" (variable having that polarity) occurs



#### Watched Literals

- For each clause mark two different literals
- Invariant
  - Watched literals of a clause are either unassigned or satisfy the clause
- Advantages in comparison to counter-based schemes
  - Update operations only when necessary, i. e., when an assignment "breaks" the invariant
  - One list for each variable and polarity (like before), but containing only the clauses currently watched by that literal
- Disadvantage
  - Literals of a clause are checked several times

### Watched Literals




### Possible optimizations

- Always store the watched literals in the first two positions of a clause
  - Allows for a fast access to the "second" watched literal of a clause
  - If the second watched literal satisfies the clause, it is not necessary to find a replacement for the first one (in case the status of the first one switches from unresolved to false)

Nowadays, the BCP procedures of almost all modern SAT solvers are based on watched literals!

# Conflict Analysis & Backtracking

### DLL algorithm

- The combination of the decisions done before will always be considered as the origin of a conflict
- Backtracking to the recursion level of the last "branching" in which one case for a variable assignment has not been explored yet (chronological backtracking)
- If such a recursion level does not exist, the given CNF formula is unsatisfiable






#### Modern SAT algorithms

- Complex analysis of the conflict setting, because not all "branchings" done before have to be involved in the current conflict
- Learning of a conflict clause via resolution to avoid running into the same conflict again
- (Non-)chronological backtracking according to the derived conflict clause
- If a conflict occurs on decision level 0, the given CNF formula is unsatisfiable


#### Implication graph

- Data structure for performing the conflict analysis in today's SAT solvers
- Directed, acyclic graph
- Nodes represent assignments to variables
- Edges represent which set of assignments have caused an implication
- Implication graph gets updated after every variable assignment and after every backtrack operation






- During the conflict analysis the implication graph gets traversed backwards (in reverse order of the assignments stored by the decision stack) starting from the conflicting point, to allow to compute the succession of resolution steps which finally lead to the conflict clause
- Different termination criteria for interrupting the resolution steps lead to different conflict clauses
- Implementations
  - 1UIP (standard technique explained in the following)
  - RelSat
  - Grasp

  - ...

#### First Unique Implication Point (1UIP)



$$F = (x_{23}) \land (x_7, \neg x_{23}) \land (x_6, \neg x_{17}) \land (x_6, \neg x_{11}, \neg x_{12}) \land (x_{13}, x_8) \land (\neg x_{11}, x_{13}, x_{16}) \land (x_{12}, \neg x_{16}, \neg x_2) \land (x_2, \neg x_4, \neg x_{10}) \land (\neg x_{19}, x_4) \land (x_{10}, \neg x_5) \land (x_{10}, x_3) \land (x_{10}, \neg x_8, x_1) \land (\neg x_{19}, \neg x_{18}, \neg x_3) \land (x_{17}, \neg x_1, x_{18}, \neg x_3, x_5) \land \dots$$

Conflict analysis starts from the conflicting clause $(x_{17}, \neg x_1, x_{18}, \neg x_3, x_5)$ and resolves it, in reverse order of the assignments on the decision stack, with the clause that implied each literal of the current decision level:

$$\begin{split} R_1 &= (x_{17}, \neg x_1, x_{18}, \neg x_3, x_5) \otimes_{x_{18}} (\neg x_{19}, \neg x_{18}, \neg x_3) = (x_{17}, \neg x_1, \neg x_3, x_5, \neg x_{19}) \\ R_2 &= (x_{17}, \neg x_1, \neg x_3, x_5, \neg x_{19}) \otimes_{x_1} (x_1, x_{10}, \neg x_8) = (x_{17}, \neg x_3, x_5, \neg x_{19}, x_{10}, \neg x_8) \\ R_3 &= (x_{17}, \neg x_3, x_5, \neg x_{19}, x_{10}, \neg x_8) \otimes_{x_3} (x_{10}, x_3) = (x_{17}, x_5, \neg x_{19}, x_{10}, \neg x_8) \\ R_4 &= (x_{17}, x_5, \neg x_{19}, x_{10}, \neg x_8) \otimes_{x_5} (x_{10}, \neg x_5) = (x_{17}, \neg x_{19}, x_{10}, \neg x_8) \leftarrow \text{Final conflict clause} \end{split}$$

VTSA'15

Tobias Schubert - SAT-based Test & Verification

70 / 192

BURG



#### Observations

- Conflict analysis according to the 1UIP scheme (First Unique Implication Point) terminates as soon as the computed resolvent contains exactly one literal assigned at the current decision level (the UIP); all other literals were assigned at lower decision levels
- A conflict clause records a combination of assignments that inevitably leads to a conflict
- By the resolution lemma the conflict clause is implied by the formula, so it can be added to the CNF without changing the set of solutions; it "prunes" the search tree by preventing the solver from running into the same conflict again
- Compared to other learning schemes, 1UIP turned out to be the most powerful one in practice (shorter conflict clauses, more effective pruning, faster runtime)



#### (Non-)chronological backtracking

- In today's SAT algorithms the backtrack level is determined by the derived conflict clause only
- The backtrack level is the maximum decision level among all literals in the conflict clause except the UIP; after backtracking the UIP literal becomes an implication
- Idea: "What would have happened if the conflict clause had already been contained in the original CNF formula?"
- Procedure
  1. Backtrack to the computed backtrack level
  2. Assign the truth value implied by the UIP (after backtracking, the conflict clause is automatically a unit clause)
  3. Proceed with the search process
- If a conflict appears at decision level 0, the CNF formula is unsatisfiable
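The 1UIP analysis and the backtrack-level computation described above, as an added Python example (not code from the slides). The clauses, trail and decision levels are constructed for illustration; literals are signed integers in the DIMACS convention, and `resolve`, `analyze_1uip`, `backtrack` and `unit_literal` are this example's own names:

```python
"""1UIP conflict analysis and non-chronological backtracking.

Added example, not from the slides.  Trail, decision levels and clauses
below are constructed for illustration.  Literals are non-zero ints:
+v means x_v = 1, -v means x_v = 0 (DIMACS convention).
"""


def resolve(c1, c2, var):
    """Resolvent of clauses c1 and c2 on variable var (the (x)_var operator)."""
    assert (var in c1 and -var in c2) or (-var in c1 and var in c2)
    return {l for l in c1 if abs(l) != var} | {l for l in c2 if abs(l) != var}


def analyze_1uip(conflict, trail, level, reason, current):
    """Walk the trail backwards, resolving the conflict clause with the
    antecedent of each current-level literal it contains, until exactly one
    literal of the current decision level is left (the UIP).

    conflict: clause (set of ints) falsified under the trail
    trail:    assigned literals in assignment order
    level:    var -> decision level;  reason: var -> antecedent clause
              (None for decisions)
    Returns (learned clause, UIP literal, backtrack level).
    """
    clause = set(conflict)
    for lit in reversed(trail):
        at_current = [l for l in clause if level[abs(l)] == current]
        if len(at_current) == 1:
            break
        if -lit in clause:                      # clause is false on this variable
            clause = resolve(clause, reason[abs(lit)], abs(lit))
    (uip,) = [l for l in clause if level[abs(l)] == current]
    others = [level[abs(l)] for l in clause if l != uip]
    return clause, uip, (max(others) if others else 0)


def backtrack(trail, level, target):
    """Undo every assignment made above decision level target."""
    return [l for l in trail if level[abs(l)] <= target]


def unit_literal(clause, trail):
    """If clause is unit under trail, return the implied literal, else None."""
    assigned = set(trail)
    unassigned = [l for l in clause if l not in assigned and -l not in assigned]
    rest_false = all(-l in assigned for l in clause if l not in unassigned)
    return unassigned[0] if rest_false and len(unassigned) == 1 else None


# Constructed scenario: x1 decided at level 1, an unrelated x7 at level 2,
# x2 at level 3; unit propagation at level 3 yields x3, x4, x5 and then
# falsifies C4.
C1 = {-1, -2, 3}      # x1 & x2 -> x3
C2 = {-3, 4}          # x3 -> x4
C3 = {-3, -1, 5}      # x3 & x1 -> x5
C4 = {-4, -5, -1}     # conflict: x4, x5 and x1 cannot all be true

TRAIL = [1, 7, 2, 3, 4, 5]
LEVEL = {1: 1, 7: 2, 2: 3, 3: 3, 4: 3, 5: 3}
REASON = {1: None, 7: None, 2: None, 3: C1, 4: C2, 5: C3}


def run_example():
    learned, uip, bt = analyze_1uip(C4, TRAIL, LEVEL, REASON, current=3)
    trail_after = backtrack(TRAIL, LEVEL, bt)
    implied = unit_literal(learned, trail_after)
    return sorted(learned, key=abs), uip, bt, trail_after, implied


if __name__ == "__main__":
    print(run_example())
```

On this trail the conflict at level 3 resolves back to the clause (¬x1 ∨ ¬x3). Its UIP ¬x3 is not the decision literal x2, and the only other literal was assigned at level 1, so the solver backtracks to level 1 and skips level 2 entirely (non-chronological). After backtracking the learned clause is unit and forces x3 = 0, which is exactly the "implication after backtracking" the slide describes.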



# Other Features of modern SAT Solvers

- Unlearning of conflict clauses
- Inprocessing
- Restarts
- Termination guarantees
- Unsatisfiability certificates
- Assumptions
- Incremental SAT solving
- Parallel SAT algorithms
- Incomplete SAT algorithms


# Combinational Equivalence Checking

### Given

- Specification and implementation of a combinational circuit

### Question

- Are specification and implementation equivalent?

### Approach for SAT-based equivalence checking

- Generate a so-called miter from specification and implementation
- Build a CNF formula from the miter representation
- Solve the formula with a SAT algorithm
- Specification and implementation are equivalent iff the CNF formula generated from the miter is unsatisfiable





Miter construction (figures not reproduced):

- Connect corresponding inputs
- Link corresponding outputs by EXOR gates
- The result is the miter circuit with output $M$
- $M = 1 \Leftrightarrow$ specification and implementation are not equivalent, i.e. the miter is satisfiable iff some input assignment distinguishes the two circuits

### Remarks

- The method sketched here extends to combinational circuits with multiple outputs
- Usually SAT algorithms take only CNF formulas as input, so the Boolean function of the miter circuit must be translated into CNF → Tseitin transformation

Building the CNF directly from the Boolean function $F$ of the circuit can blow up exponentially. To avoid this, the circuit structure is encoded instead:

- Define a CNF $F'$ that is satisfiability-equivalent to $F$, i.e. $F'$ is satisfiable iff $F$ is satisfiable
- Insert an additional variable for each gate output ⇒ in general $F'$ contains variables which do not occur in $F$
- For each gate, write its "characteristic function" in CNF, which evaluates to 1 for every consistent configuration of the gate's input and output signals
- Conjoin the per-gate CNFs (AND) to obtain the final CNF formula
- ⇒ Tseitin transformation


Example: Tseitin transformation of the circuit computing

$$F_{SK} = (x_1 \wedge x_2) \vee \neg x_3$$

with auxiliary variables $x_5$ for the AND gate, $x_6$ for the inverter and $x_4$ for the OR gate (the circuit output):

$$F_{SK}^{CNF} = (\neg x_5 \lor x_1) \land (\neg x_5 \lor x_2) \land (x_5 \lor \neg x_1 \lor \neg x_2) \land (x_6 \lor x_3) \land (\neg x_6 \lor \neg x_3) \land (x_4 \lor \neg x_5) \land (x_4 \lor \neg x_6) \land (\neg x_4 \lor x_5 \lor x_6)$$

$F_{SK}^{CNF}$ encodes exactly the consistent signal configurations of the circuit. To ask whether $F_{SK}$ itself is satisfiable, the unit clause $(x_4)$ is conjoined, in the same way the unit clause $(M)$ is added to the miter.

#### Important property

As long as for the CNF representation of each single gate only a constant number of clauses is required, the number of clauses in the final CNF will be linear in the number of gates in the circuit



# Combinational Equivalence Checking – Example

Let the specification and the implementation of a combinational circuit be defined as follows (circuit figure not reproduced; the gates can be read off the CNF below):

#### Question: Are the specification and the implementation equivalent?


Specification: $x_5 = x_1 \wedge x_2$, $x_6 = \neg x_3$, $x_4 = x_5 \vee x_6$. Implementation: $x_7 = x_1 \wedge x_2$, $x_8 = \neg x_7$, $x_9 = x_3 \wedge x_8$, $x_4' = \neg x_9$. The miter output is $M = x_4 \oplus x_4'$, and the unit clause $(M)$ asks for an input on which the two outputs differ:

$$\begin{split} F_{M} &= (\neg x_{5} \lor x_{1}) \land (\neg x_{5} \lor x_{2}) \land (x_{5} \lor \neg x_{1} \lor \neg x_{2}) \land (x_{6} \lor x_{3}) \land (\neg x_{6} \lor \neg x_{3}) \land \\ & (x_{4} \lor \neg x_{5}) \land (x_{4} \lor \neg x_{6}) \land (\neg x_{4} \lor x_{5} \lor x_{6}) \land (\neg x_{7} \lor x_{1}) \land (\neg x_{7} \lor x_{2}) \land \\ & (x_{7} \lor \neg x_{1} \lor \neg x_{2}) \land (x_{7} \lor x_{8}) \land (\neg x_{7} \lor \neg x_{8}) \land (\neg x_{9} \lor x_{3}) \land (\neg x_{9} \lor x_{8}) \land \\ & (x_{9} \lor \neg x_{3} \lor \neg x_{8}) \land (x_{9} \lor x_{4}') \land (\neg x_{9} \lor \neg x_{4}') \land (\neg M \lor \neg x_{4} \lor \neg x_{4}') \land \\ & (\neg M \lor x_{4} \lor x_{4}') \land (M \lor \neg x_{4} \lor x_{4}') \land (M \lor x_{4} \lor \neg x_{4}') \land (M) \end{split}$$

$F_M$ is unsatisfiable $\Rightarrow$ implementation and specification are equivalent!

# Structural Methods

Nowadays SAT solvers can handle problems with millions of clauses. But how to compare (large) combinational circuits for which pure SAT methods still fail? $\Rightarrow$ Structural methods

- Solve several "small" problems instead of one "large" problem
- Various options
  - Compute equivalent gates inside the miter circuit
  - And-Inverter Graphs (AIGs)
  - ...

#### Observation from real-world instances

- In most cases circuits which have to be compared show structural similarities
  - Example: Only small changes in later design phases
  - In many cases logic optimizations respect hierarchy boundaries
  - Thus, changes are not fundamental in most cases

How can we exploit structural similarities?

### Approach

1. Traverse the circuits which have to be compared from inputs to outputs
   - Identify equivalences at the internal signals of the miter
   - If there are any equivalences, replace equivalent nodes by one (shared) representative
2. Check satisfiability of the simplified miter circuit




Worked example on a small miter (figures not reproduced; only the captions survive):

- Starting point: the miter of specification and implementation
- Parts of the miter which are relevant for the proof of $d \equiv e$; local analysis is sufficient to show that $d \equiv e$
- Simplified miter after merging $d$ and $e$
- Are the internal signals $h$ and $j$ equivalent? Parts of the miter which are relevant for the proof of $h \equiv j$
- More simplified miter after merging $h$ and $j$
- Does $z = 0$ hold, i.e. are specification and implementation equivalent? Parts of the miter which are relevant for the proof of $z = 0$; local analysis is sufficient to show that $z = 0$

Detect candidate pairs of equivalent nodes by simulation with random patterns

- By an (incomplete) simulation of a limited number of patterns we can only show non-equivalence: a pattern on which two nodes differ is a proof, agreement on all simulated patterns is not
- Use simulation to partition the nodes into equivalence classes consisting of the nodes with identical simulation results
- Use a complete method (e.g. SAT) to detect the truly equivalent nodes within the computed equivalence classes

## Using SAT to prove equivalences

- In order to keep the miter circuit "small", the inputs of the SAT problem are not necessarily primary inputs, but rather internal nodes which have already been proved equivalent
- Two nodes are equivalent if the SAT instance representing the corresponding miter is unsatisfiable
- If two nodes are proved to be equivalent, one of them may be replaced by its equivalent counterpart
- Be careful: if the SAT instance is satisfiable, this does not necessarily mean that the corresponding nodes are not equivalent (false negatives, see below)
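Random simulation as the candidate-finding pre-pass described above, as an added Python example (not from the slides). The netlist format, the node names `x4p` and `M`, and the 64-patterns-per-word encoding are this example's own conventions; the miter is the spec/implementation pair of the equivalence-checking example, and a constructed 24-input circuit shows why a class of agreeing nodes is only a candidate:

```python
"""Random-simulation pre-pass of SAT sweeping: group miter nodes into
candidate equivalence classes by their simulation signatures.
Added example; netlist format, names and patterns are this example's own.
Netlist: node -> (op, *operands); undefined names are primary inputs."""
import random
from collections import defaultdict

MASK = (1 << 64) - 1          # 64 patterns per round, one per bit of an int

# Miter of the spec/implementation pair from the slides, sharing x1..x3:
# x4 = (x1 & x2) | ~x3   and   x4p = ~(x3 & ~(x1 & x2)),   M = x4 ^ x4p
MITER = {
    "x5": ("AND", "x1", "x2"), "x6": ("NOT", "x3"), "x4": ("OR", "x5", "x6"),
    "x7": ("AND", "x1", "x2"), "x8": ("NOT", "x7"), "x9": ("AND", "x3", "x8"),
    "x4p": ("NOT", "x9"), "M": ("XOR", "x4", "x4p"),
}
INPUTS = ["x1", "x2", "x3"]


def simulate(netlist, patterns):
    """Bit-parallel evaluation; patterns maps each input to a 64-bit word."""
    val = dict(patterns)
    pending = dict(netlist)
    while pending:                  # evaluate gates whose operands are known
        ready = [n for n, (_, *ops) in pending.items() if all(o in val for o in ops)]
        if not ready:
            raise ValueError("cycle or undefined signal")
        for n in ready:
            op, *ops = pending.pop(n)
            a = val[ops[0]]
            if op == "NOT":
                val[n] = ~a & MASK
            else:
                b = val[ops[1]]
                val[n] = {"AND": a & b, "OR": a | b, "XOR": a ^ b}[op]
    return val


def candidate_classes(netlist, inputs, rounds=4, seed=1):
    """Classes of nodes with identical signatures over rounds*64 random
    patterns.  Nodes in different classes are proven non-equivalent; nodes
    in one class are only candidates and still need a complete check (SAT)."""
    rng = random.Random(seed)
    sig = defaultdict(tuple)
    for _ in range(rounds):
        val = simulate(netlist, {i: rng.getrandbits(64) for i in inputs})
        for n in netlist:
            sig[n] += (val[n],)
    classes = defaultdict(list)
    for n, s in sig.items():
        classes[s].append(n)
    return sorted(sorted(c) for c in classes.values() if len(c) > 1)


def spurious_candidate(n_inputs=24, seed=1):
    """Why simulation alone is not enough: a 24-input AND is 0 on all but
    one of 2^24 inputs, so 64 random patterns almost surely never tell it
    apart from a constant-0 node (constructed circuit).  Returns True when
    the two land in the same candidate class."""
    ins = [f"i{k}" for k in range(n_inputs)]
    net = {"ni0": ("NOT", "i0"), "zero": ("AND", "i0", "ni0"),
           "a1": ("AND", "i0", "i1")}
    for k in range(2, n_inputs):
        net[f"a{k}"] = ("AND", f"a{k-1}", f"i{k}")
    classes = candidate_classes(net, ins, rounds=1, seed=seed)
    return any("zero" in c and f"a{n_inputs - 1}" in c for c in classes)


if __name__ == "__main__":
    print(candidate_classes(MITER, INPUTS))   # [['x4', 'x4p'], ['x5', 'x7']]
    print(spurious_candidate())               # True: a candidate that SAT must reject
```

For the miter of the example, simulation puts the two AND gates `x5`/`x7` and the two outputs `x4`/`x4p` into one class each; these are the candidates the SAT step then has to prove, and after merging them the miter collapses to a constant. The constructed 24-input circuit shows the other direction: `zero` and the wide AND get identical all-zero signatures although they are different functions, which is exactly why a complete method must follow the simulation.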

# Structural Methods – Detection of Equivalences

Equivalent nodes can be used as so-called cut points after they have been replaced by a common representative

- Cut points become new input variables during miter construction and thus keep the miter "small"
- If the resulting circuits are equivalent, then the original circuits were already equivalent

Problem: Using cut points may lead to so-called "false negatives", i.e. two equivalent nodes are not classified as equivalent!







Example (figures not reproduced):

- Note: specification and implementation are equivalent
- Try to show the equivalence of $y_1$ and $y_2$ using cut points
- Compute the miter depending on the "cut variables"
- The miter is satisfiable ⇒ the method reports "specification and implementation not equivalent"
- ⇒ But it is a false negative!

## Problem

The new variables at the cut points may take arbitrary values

But...

The "rightmost" parts of the circuit only need to be equivalent for those values at the cut points which can actually be produced by the "leftmost" parts; a satisfying assignment of the cut-point miter may use a cut-point valuation that no primary input assignment produces

Two ways out:

## Do not use cut points

Makes equivalence proofs for two nodes much more difficult in many cases, since the corresponding SAT problems become significantly "larger"

## SAT sweeping

- In a first step, stop at cut points when constructing the miter
- If necessary (satisfiable CNF), include more parts of the circuit (towards the primary inputs) into the SAT problem to rule out a false negative




## Motivation

- Post-production test is a crucial step
  - Have there been problems during production?
  - Does the circuit contain faults?
- In particular when used in safety-critical applications, every produced chip has to be tested
- Testing comprises more than 40% of costs in semiconductor industry



# Automatic Test Pattern Generation

## Testing: experiment on real manufactured chips

- Goal: check whether the chip behaves correctly
- Step 1: Apply an appropriate test pattern
- Step 2: Analyse the response of the circuit under test






- Physical defects are modeled on the Boolean level according to a fault model
- Fault models are an abstract representation of real defects
  - Single stuck-at
  - Bridging faults
  - Interconnect opens
  - Path delay faults
  - ...
- Automatic Test Pattern Generation (ATPG)
  - Given: Circuit under test (CUT) and fault model FM
  - Goal: Determine test patterns for (all) faults in CUT with respect to FM



Single stuck-at fault model (s@)

- s@0: One line is always at logic 0
- s@1: One line is always at logic 1
- In total only (2 × number_of_signals_CUT) faults have to be checked
- A large fraction of real defects is detected by test sets for the s@ fault model!
































Redundant faults (circuit figure not reproduced): s@0 at $x_3$ is redundant

- Justifying the error requires $x_1 = 1$ and $x_2 = 1$
- But propagating the error to output $x_4$ requires $x_1 = 0$
- ⇒ No test pattern exists; the faulty circuit is functionally equivalent to the fault-free one


























#### Several ATPG approaches

- Structural methods
  - D-algorithm
  - PODEM
  - FAN
- SAT-based methods



# SAT-based ATPG

#### Main flow

- Construct the miter containing the fault-free and the faulty circuit (the faulty copy has the fault site fixed to its stuck-at value)
- Encode the miter as CNF & solve the SAT problem
- If the CNF is satisfiable, the primary-input part of the model is a test pattern for the fault under consideration
- Otherwise, the fault is redundant








Example: fault $x_5$ stuck-at-1 in the circuit of the equivalence-checking example. The faulty copy shares the primary inputs and the inverter output $x_6$ with the fault-free copy; its gate output $x_5'$ and circuit output $x_4'$ get fresh variables. The unit clause $(x_5')$ injects the stuck-at-1 value in the faulty copy, and $(\neg x_5)$ requires the fault-free circuit to produce the opposite value at the fault site (justification):

$$\begin{aligned} F_M &= (\neg x_5 \lor x_1) \land (\neg x_5 \lor x_2) \land (x_5 \lor \neg x_1 \lor \neg x_2) \land (x_6 \lor x_3) \land \\ &\quad (\neg x_6 \lor \neg x_3) \land (x_4 \lor \neg x_5) \land (x_4 \lor \neg x_6) \land (\neg x_4 \lor x_5 \lor x_6) \land \\ &\quad (x'_4 \lor \neg x'_5) \land (x'_4 \lor \neg x_6) \land (\neg x'_4 \lor x'_5 \lor x_6) \land (\neg M \lor x_4 \lor x'_4) \land \\ &\quad (\neg M \lor \neg x_4 \lor \neg x'_4) \land (M \lor \neg x_4 \lor x'_4) \land (M \lor x_4 \lor \neg x'_4) \land \\ &\quad (M) \land (\neg x_5) \land (x'_5) \end{aligned}$$

Unit propagation on $F_M$ reduces it to

$$F'_{M} = (\neg x_{1} \vee \neg x_{2}) \land (x_{3}) \land (\neg x_{6}) \land (x'_{4}) \land (\neg x_{4}) \land (M) \land (\neg x_{5}) \land (x'_{5})$$

Test set: $(x_1, x_2, x_3) \in \{(0, 0, 1), (1, 0, 1), (0, 1, 1)\}$, i.e. all patterns with $x_3 = 1$ and not both $x_1 = 1$ and $x_2 = 1$

Add $(x_7, x_8)$ to the CNF (figure not reproduced; in a miter with several outputs such a clause requires at least one of the EXOR-ed output pairs to differ)

# SAT-based ATPG - Cone-of-Influence Reduction

Only part of the circuit matters for a given fault (figures not reproduced):

- Which inputs might be relevant for justifying the fault? Only those in the input cone of the fault site
- Which outputs might be on the propagation path? Only those in the output cone of the fault site
- What about side-effects? The logic driving the side inputs of gates on the propagation path must be included as well, since those values decide whether the error propagates
- $\Rightarrow$ Only the "brown" parts of the miter have to be transformed into CNF!

# SAT-based ATPG – Testing of Sequential Circuits

### Problems specific to the test of sequential circuits

- Initialization
  - The circuit's state at the beginning of test application might be unknown
- Counters
  - Setting a counter to a specific value might take a lot of clock cycles
- Complexity of test generation
  - Finding a sequence to distinguish between a faulty and a fault-free chip might require a large number of state transitions
- $\Rightarrow$ Practical methods reduce sequential to combinational ATPG
- $\Rightarrow$ Solution: "Design for Testability" techniques within the chips
- $\Rightarrow$ Example: Scan-based designs

### SAT-based ATPG - Scan-based Designs

(Scan chain figure not reproduced.) The flip-flops are replaced by scan flip-flops (SFFs) that can be chained into a shift register, so every state becomes directly controllable and observable and the combinational logic between primary inputs (PIs), primary outputs (POs) and SFFs can be tested with combinational ATPG.

### Test flow

1. Scan data into the SFFs
2. Apply the test vector to the PIs
3. Perform the test (one functional clock cycle)
4. Check the POs
5. Scan out & check the data captured in the SFFs

# Sequential Equivalence Checking

(Figure not reproduced.)

### What can we do with equivalence checking of sequential circuits?

- Functional equivalence of two sequential circuits can (in general) be proved
- Equivalence checking cannot prove that a circuit satisfies a more abstract specification which is not given as a sequential circuit or a deterministic finite automaton!

Examples of such abstract specifications are

- Safety properties
- Liveness properties
- ⇒ New specification language(s) for temporal properties, and with them new proof methods, are necessary!



## Preliminaries – Kripke Structure

To model the computational runs of a sequential circuit, Kripke structures (also referred to as temporal structures) can be used:

#### Definition (Kripke structure, temporal structure)

A Kripke structure *M* is a 4-tuple $M := (S, I, R, L)$ consisting of

- a finite set $S$ of states,
- a set $\emptyset \neq I \subseteq S$ of initial states,
- a transition relation $R \subseteq S \times S$ with $\forall s \in S \; \exists t \in S : (s,t) \in R$ (every state has a successor), and
- a labeling function $L: S \to 2^V$, where $V$ is a set of propositional variables (atomic formulas, atomic propositions).

Atomic propositions are observable elementary properties of states, like "a timeout has occurred" or "a request has been made"

Using such a temporal structure, we can derive all possible computational runs. They are obtained by "unrolling" the Kripke structure according to its transition relation $R$

## Preliminaries – Temporal Logic

Temporal propositional logic = Propositional logic + Temporal operators

#### Linear temporal operators

They make statements about a single path of the computation tree:

- Gφ: Formula φ holds in every state on the path ("globally" or "always")
- Fφ: Formula φ holds in some state on the path ("finally" or "eventually")
- Xφ: Formula φ holds in the second state on the path ("next")
- φ**U**ψ: Formula φ holds in every state on the path until a state is reached where ψ holds ("until")

#### Path quantifiers

They make statements about properties of states:

- Aφ: Formula φ holds on all paths starting in this state ("for all paths")
- Eφ: Formula φ holds on some path starting in this state ("there exists a path")

## Property/Model Checking in a Nutshell

(Figure not reproduced.)

### Idea

Formulate the existence of paths with certain properties as a satisfiability problem

- Only properties which require the existence of paths
  - Certificate or counterexample, depending on context
  - E.g. counterexamples for safety and liveness
- In general, arbitrarily long paths are necessary, but a propositional formula can only describe paths of a fixed length
- Restriction to finite path lengths ⇒ bounded model checking



### Given

- Kripke structure $M$
- Temporal formula $\varphi$ "suited for BMC"
- Maximum unrolling depth $k$

### Model Checking

- $M \models \varphi$?

### Bounded Model Checking

- $M \models_k \varphi$?
- $\models_k$ means in this context that from the initial states of $M$, the outgoing paths are considered only up to a maximum length $k$





Illustration (figures not reproduced): let $\varphi$ be a temporal formula. For $k = 1$ only paths of length 1 from the initial states are considered ($M \models_1 \varphi$?), for $k = 2$ paths of length 2 ($M \models_2 \varphi$?).

### General flow

1. Generate a propositional logic formula from the given Kripke structure $M$, property $\varphi$ and unrolling depth $k$ which is satisfiable iff $M \models_k \varphi$
2. Translate the formula generated above into CNF
3. Solve it with a SAT solver
   - CNF satisfiable $\Rightarrow M \models_k \varphi \Rightarrow$ certificate/counterexample
   - CNF unsatisfiable $\Rightarrow M \not\models_k \varphi \Rightarrow$ no statement can be made regarding $M \models \varphi$

Repeat steps 1 to 3 with increasing values of $k$ until either a counterexample is found or a fixed stopping criterion is met



# Construction of the propositional logic formula

### Definition

Let $M = (S, I, R, L)$ be a Kripke structure, $\varphi$ a property, and $k$ an unrolling depth. Then the characteristic function $[\![M, \varphi]\!]_k$ corresponding to $M$, $\varphi$, and $k$ is defined as

$$I(s_0) \wedge \left[ \bigwedge_{i=0}^{k-1} R(s_i, s_{i+1}) \right] \wedge \left[ \bigwedge_{s_j \in S} (s_j \to L(s_j)) \right] \wedge P_k(\varphi)$$

with

- $I(s_0)$: characteristic function of the initial states,
- $R(s_i, s_{i+1})$: characteristic function of the transition relation,
- $L(s_j)$: characteristic function of the labeling function $L$,
- $P_k(\varphi)$: characteristic function of $\varphi$ at depth $k$.

Here each $s_i$ stands for a fresh copy of the state variables for time step $i$, so the formula ranges over $k+1$ copies of the state variables.

# Types of Properties - Safety

### Safety

Safety properties specify invariants of the system, in temporal logic:

**AG** *safe*

- BMC formulation for refuting safety (= proving **EF** ¬*safe*), writing $T$ for the transition relation $R$:

$$I(s_0) \wedge \bigwedge_{i=0}^{k-1} T(s_i, s_{i+1}) \wedge \neg safe(s_k)$$

# Types of Properties - Liveness

### Liveness

Specified in temporal logic:

**AF** *good*

- Refutation of liveness (= proving **EG** ¬*good*) requires infinitely long paths!
- If **AF** *good* is violated, there is a "lasso" (a finite path leading into a cycle) on which all states satisfy ¬*good*
- BMC formulation, with the loop closed by requiring $s_{k+1}$ to equal some earlier state $s_l$:

$$I(s_0) \wedge \bigwedge_{i=0}^k T(s_i, s_{i+1}) \wedge \bigwedge_{i=0}^k \neg \texttt{good}(s_i) \wedge \bigvee_{l=0}^k (s_l = s_{k+1})$$

### BMC Example Safety – 2-Bit Counter

Requirement: state $(1,1)$ must never be reached, otherwise an overflow occurs afterwards, i.e. the following must hold:

$$\mathbf{AG}(\neg(b \land a)) \Leftrightarrow \neg \mathbf{EF}(b \land a)$$

Possible query: can $(1,1)$ be reached from the initial state $(0,0)$ in $\leq 2$ steps?

$\Rightarrow M \models_2 \varphi$ with $\varphi = \mathbf{EF}(b \land a)$?

$$\Rightarrow I(s_0) = \neg b_0 \wedge \neg a_0$$

$$\Rightarrow R(s_0,s_1) = (b_1 \leftrightarrow (b_0 \oplus a_0)) \land (a_1 \leftrightarrow \neg a_0)$$

$$\Rightarrow R(s_1,s_2) = (b_2 \leftrightarrow (b_1 \oplus a_1)) \land (a_2 \leftrightarrow \neg a_1)$$

$$\Rightarrow P_2(\varphi) = (b_0 \wedge a_0) \vee (b_1 \wedge a_1) \vee (b_2 \wedge a_2)$$

$$\Rightarrow \llbracket M, \varphi \rrbracket_2 = I(s_0) \land R(s_0, s_1) \land R(s_1, s_2) \land P_2(\varphi)$$

$$\Rightarrow \llbracket M, \varphi \rrbracket_2 \equiv 0, \text{ i.e. the formula is unsatisfiable}$$

⇒ Starting from $(0,0)$, $(1,1)$ cannot be reached in at most 2 steps ⇒ $M \not\models_2 \varphi$!

But: $M \not\models \mathbf{AG}(\neg (b \land a))$, equivalently $M \not\models \neg \mathbf{EF}(b \land a)$, since the counter reaches $(1,1)$ after three steps; the bound $k = 2$ was simply too small.
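A worked continuation of this example, added here (not part of the original slides) and using only the symbols defined above: the same query with the bound raised to $k = 3$.

$$\begin{aligned}
I(s_0) &= \neg b_0 \wedge \neg a_0 \\
R(s_i, s_{i+1}) &= (b_{i+1} \leftrightarrow (b_i \oplus a_i)) \wedge (a_{i+1} \leftrightarrow \neg a_i), \qquad i = 0, 1, 2 \\
P_3(\varphi) &= (b_0 \wedge a_0) \vee (b_1 \wedge a_1) \vee (b_2 \wedge a_2) \vee (b_3 \wedge a_3) \\
\llbracket M, \varphi \rrbracket_3 &= I(s_0) \wedge R(s_0, s_1) \wedge R(s_1, s_2) \wedge R(s_2, s_3) \wedge P_3(\varphi)
\end{aligned}$$

Since the counter is deterministic, $I(s_0)$ and the three copies of $R$ fix the whole path by unit propagation:

$$\neg b_0 \wedge \neg a_0 \;\wedge\; \neg b_1 \wedge a_1 \;\wedge\; b_2 \wedge \neg a_2 \;\wedge\; b_3 \wedge a_3$$

and $b_3 \wedge a_3$ satisfies $P_3(\varphi)$, so $\llbracket M, \varphi \rrbracket_3$ is satisfiable: $M \models_3 \mathbf{EF}(b \land a)$, the path $(0,0) \to (0,1) \to (1,0) \to (1,1)$ is the counterexample, and therefore $M \not\models \mathbf{AG}(\neg(b \land a))$. The refutation needs $k \geq 3$, which is exactly why the general flow increases $k$ after every unsatisfiable instance.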

#### BMC Example Liveness - Modified 2-Bit counter

Requirement: State (1,1) must be reachable from every state, i.e. the following must hold:

 $AF(b \land a) \Leftrightarrow \neg EG(\neg (b \land a))$ 





#### BMC Example Liveness - Modified 2-Bit counter

Requirement: State (1,1) must be reachable from every state, i.e. the following must hold:

 $AF(b \land a) \Leftrightarrow \neg EG(\neg (b \land a))$ 

Counterexample exists iff from the initial state (0,0) there exists a path of length *k* that belongs to a cycle, and in no state of this path  $(b \land a)$  holds. Given k = 2 and  $\varphi = \mathbf{EG}(\neg (b \land a))$ :



#### BMC Example Liveness - Modified 2-Bit counter

Requirement: State (1,1) must be reachable from every state, i.e. the following must hold:

 $AF(b \land a) \Leftrightarrow \neg EG(\neg (b \land a))$ 

Counterexample exists iff from the initial state (0,0) there exists a path of length *k* that belongs to a cycle, and in no state of this path  $(b \land a)$  holds. Given k = 2 and  $\varphi = \mathbf{EG}(\neg (b \land a))$ :

$$\Rightarrow l(s_0) = \neg b_0 \wedge \neg a_0$$

$$\Rightarrow R(s_i, s_{i+1}) = ((b_{i+1} \leftrightarrow (b_i \oplus a_i)) \land (a_{i+1} \leftrightarrow \neg a_i)) \lor (b_{i+1} \land \neg a_{i+1} \land b_i \land \neg a_i) \text{ with } i = 0, 1, 2$$

$$P_2(\varphi) = (\neg b_0 \lor \neg a_0) \land (\neg b_1 \lor \neg a_1) \land (\neg b_2 \lor \neg a_2)$$

$$[s_3 \equiv s_i] = (b_3 \leftrightarrow b_i) \land (a_3 \leftrightarrow a_i) \text{ with } i = 0, 1, 2$$

$$[[M, \varphi]]_2 = I(s_0) \land \left[\bigwedge_{i=0}^2 R(s_i, s_{i+1})\right] \land \left[\bigvee_{i=0}^2 [s_3 \equiv s_i]\right] \land P_2(\varphi)$$

$$[\![M, \varphi]\!]_2 = \neg b_0 \land \neg a_0 \land \neg b_1 \land a_1 \land b_2 \land \neg a_2 \land b_3 \land \neg a_3$$

⇒ Counterexample found!






- BMC can be used to disprove invariants $\mathbf{AG}\varphi$
  - ... by proving $\mathbf{EF}\neg\varphi$ considering paths of length k
  - If paths longer than k are needed for the proof, then BMC fails
- BMC can be used to disprove liveness properties like $\mathbf{AF}\varphi$
  - ... by proving $\mathbf{EG}\neg\varphi$ considering "lassos" of length k
  - If lassos longer than k are needed for the proof, then BMC fails
- In the following we restrict ourselves to invariants / safety properties



# Usage of BMC to falsify Safety Properties

Idea: Restrict system behavior to runs of some given bounded length, i.e. runs with a bounded number of transition steps

Idea: If the restricted system is unsafe (i.e. violates some safety property, state invariant) then the original system is unsafe, too



### Usage of BMC in the Verification Domain



- Initial state I, transition relation T, property P
- Iterative unrolling of the system for k = 0, 1, ..., K up to a given maximal unrolling depth K

$$\mathsf{BMC}_k = I^0 \wedge \bigwedge_{i=0}^{k-1} T^{i,i+1} \wedge \neg P^k$$

- Convert BMC<sub>k</sub> into CNF by Tseitin transformation and solve it using a SAT solver
  - **CNF** satisfiable  $\Rightarrow$  Invariant condition *P* violated after *k* steps
  - **CNF** unsatisfiable  $\Rightarrow$  no conclusion, next iteration step
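As an added example that is not part of the slides, the lasso encoding of the modified 2-bit counter above and the BMC_k unrolling for safety are both carried out in Python; enumeration of the state bits stands in for the SAT solver, so the code shows the encoding rather than a solver.

```python
"""Bounded model checking of the 2-bit counter from the slides, as an added
example (not the slides' code). Instead of a SAT solver on the Tseitin CNF,
the unrolled formula is checked by enumerating all assignments of the state
bits (b_i, a_i), which is enough for 2 state bits and small k and keeps the
encoding I^0 and T^{i,i+1} and not P^k visible."""
from itertools import product

INIT = (0, 0)   # I(s_0) = not b_0 and not a_0; a state is (b, a), b the high bit

def trans_counter(s, t):
    """R(s, t) of the plain counter: b' = b xor a, a' = not a."""
    b, a = s
    return t == (b ^ a, 1 - a)

def trans_modified(s, t):
    """R(s, t) of the modified counter: the plain step or the self-loop in
    state (1,0), i.e. the disjunct (b' and not a' and b and not a)."""
    return trans_counter(s, t) or (s == (1, 0) == t)

def violates(s):
    """not P(s) for the invariant P = not (b and a): true only in state (1,1)."""
    return s == (1, 1)

def paths(length):
    """Every sequence s_0 .. s_length of states; this stands in for the SAT
    solver's search over the unrolled variables."""
    states = list(product((0, 1), repeat=2))
    return product(states, repeat=length + 1)

def is_run(trans, path):
    """I^0 and the conjunction of T^{i,i+1} along the path."""
    return path[0] == INIT and all(trans(path[i], path[i + 1])
                                   for i in range(len(path) - 1))

def bmc_safety(trans, max_k):
    """BMC_k = I^0 and T^{0,1} ... T^{k-1,k} and not P^k for k = 0 .. max_k.
    Returns (k, witness path) for the first satisfiable k, or None if every
    BMC_k is unsatisfiable (which proves nothing beyond depth max_k)."""
    for k in range(max_k + 1):
        for path in paths(k):
            if is_run(trans, path) and violates(path[k]):
                return k, path
    return None

def bmc_lasso(trans, max_k):
    """[[M, EG not(b and a)]]_k: a run s_0 .. s_{k+1} whose last state repeats
    some s_i (loop condition, i <= k) and with (b and a) false in s_0 .. s_k
    (P_k). A model is a counterexample to AF(b and a)."""
    for k in range(max_k + 1):
        for path in paths(k + 1):
            if not is_run(trans, path):
                continue
            if any(violates(path[i]) for i in range(k + 1)):
                continue
            if any(path[k + 1] == path[i] for i in range(k + 1)):
                return k, path
    return None

if __name__ == "__main__":
    print("safety, plain counter:   ", bmc_safety(trans_counter, 5))
    print("safety, modified counter:", bmc_safety(trans_modified, 5))
    print("lasso, plain counter:    ", bmc_lasso(trans_counter, 5))
    print("lasso, modified counter: ", bmc_lasso(trans_modified, 5))
```

The plain counter reaches (1,1) after 3 steps (so AG¬(b∧a) is falsified at k = 3) but has no lasso avoiding (1,1); the modified counter yields the lasso (0,0),(0,1),(1,0),(1,0) at k = 2, exactly the assignment on the slide.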


- Typically, BMC is used as an efficient means to find errors in a system *M*, i.e. is there a k > 0 such that we can reach a state violating φ for a given invariant AGφ?
- BMC is really efficient if there is a short error path
- Without extensions it is not possible to prove that φ holds for all reachable states
- Bounded Model Checking  $\rightarrow$  Model Checking
  - Computing the "radius" of the Kripke structure
  - k-induction
  - Craig interpolation


#### Observation



$$k = i: \quad I^0 \wedge T^{0,1} \wedge T^{1,2} \wedge \dots \wedge T^{i-1,i} \wedge \neg P^i$$

$$k = i + 1: \quad I^0 \wedge T^{0,1} \wedge T^{1,2} \wedge \dots \wedge T^{i-1,i} \wedge T^{i,i+1} \wedge \neg P^{i+1}$$

- The main part of the formula remains unchanged
- $\neg P^i$ has to be removed
- $T^{i,i+1} \land \neg P^{i+1}$ has to be added
- How to profit from the similarity between those problems?


- In many practical applications, not only in the area of BMC, several SAT instances are generated to solve a single real-world problem
- Generated SAT instances are often very similar and contain identical subformulas
- Idea: Instead of constructing and solving each instance separately, the SAT formula is processed incrementally
- Knowledge learnt so far (conflict clauses, variable activity, ...) can be re-used in later instances
- Standard feature of all modern SAT solvers

#### Main idea

Make use of the knowledge learnt in the previous instance by re-using the learnt conflict clauses

#### Question

Is this always allowed?



- Observation
  - If *c* is a conflict clause for SAT instance *A* with CNF $CNF_A$, then $CNF_A \Rightarrow c$
  - If instance *B* results from *A* just by adding clauses (i.e. $CNF_B \supseteq CNF_A$), then $CNF_B \Rightarrow c$ holds as well
  - Conflict clauses may then be re-used
- But what if $CNF_B \supseteq CNF_A$ does not hold?

- General case: CNF<sub>A</sub> contains clauses that do not occur in CNF<sub>B</sub> anymore
- Now we need for each conflict clause c the information about the set of original clauses it was derived from
- Remember: Conflict clauses result from original and/or conflict clauses by resolution (~> implication graph)
- ⇒ Conflict clauses which are derived from original clauses in  $CNF_A \setminus CNF_B$  are not allowed to be added to  $CNF_B$ !



#### Illustration: Re-using Clauses





# Incremental SAT Solving with Assumptions

In general, storing which conflict clause depends on which original clauses is too expensive! Here is the most common approach to solve the problem:

#### Activation variables and assumptions

- Use "special" new de-activation variables d<sub>i</sub>
- For clauses *c* which should be removable from the clause set, a positive de-activation literal is added:  $c := c \cup d_i$
- There are only positive occurrences of de-activation variables!

#### Turning *c* on and off:

- Turning on by  $d_i = 0$
- Turning off by  $d_i = 1$

#### Example

| $\varphi = (a \lor b) \land (\neg c \lor d)$                                                        | Initial formula |
|-----------------------------------------------------------------------------------------------------|-----------------|
| $\varphi_{0/\neg d_0} = (a \lor b) \land (\neg c \lor d) \land (b \lor d_0)$                        | incr. step 0    |
| $\varphi_{1/d_0,\neg d_1} = (a \lor b) \land (\neg c \lor d) \land (b \lor d_0) \land (d \lor d_1)$ | incr. step 1    |


# Incremental SAT Solving with Assumptions

#### Activation variables and assumptions

- De-activation variables are assigned by assumptions before SAT solving (activating / de-activating clauses)
- Assumptions cannot be changed during SAT solving (Note: Unit clauses and assumptions are not the same!)
- Important observation: All conflict clauses resulting from  $c \cup d_i$  by resolution contain literal  $d_i$
- ⇒ If  $c \cup d_i$  is turned off in the next run, i.e.,  $d_i$  is set to 1 by assumption, then all conflict clauses depending on  $c \cup d_i$  are turned off as well!


### Incremental SAT Solving and BMC



$$k = i: \quad I^{0} \wedge T^{0,1} \wedge T^{1,2} \wedge \dots \wedge T^{i-1,i} \wedge \neg P^{i}$$

$$k = i+1: \quad I^{0} \wedge T^{0,1} \wedge T^{1,2} \wedge \dots \wedge T^{i-1,i} \wedge T^{i,i+1} \wedge \neg P^{i+1}$$

- Add de-activation literal  $d_i$  for each clause representing  $\neg P^i$
- For k = i activate  $\neg P^i$  by assumption  $d_i = 0$
- For k > i de-activate  $\neg P^i$  by assumption  $d_i = 1$
- All knowledge / conflict clauses learnt for k = i can be re-used (except the knowledge depending on  $\neg P^i$ )




#### Hybrid Systems

Typically, embedded systems are characterized by the combination of discrete and continuous variables

#### iSAT

Satisfiability and BMC checker for quantifier-free Boolean combinations of arithmetic constraints over the reals and integers



#### iSAT

#### Not a "pure" SAT-Modulo-Theory solver



Can be seen as a generalization of a SAT solver

- Branch-and-deduce framework inherited from SAT
- Deduction rule for clauses
  - Unit propagation
- Deduction rules for arithmetic operators
  - Interval constraint propagation



#### Satisfiability Modulo Theory – ICP

Interval Constraint Propagation (ICP)

$$h_1 = z^2, z \in [3,7], h_1 \in [-2,25]$$




### Satisfiability Modulo Theory – BMC Mode of iSAT




#### iSAT

- All acceleration techniques known from modern SAT solvers also apply to arithmetic constraints
  - Conflict-driven learning
  - Non-chronological backtracking
  - 2-watched-literal scheme
  - Restarts
  - Conflict clause deletion
  - Efficient decision heuristics

- $c_1: (\neg a \lor \neg c \lor d)$
- $c_2: \land (\neg a \lor \neg b \lor c)$
- $c_3: \land (\neg c \lor \neg d)$
- $c_4: \land (b \lor x \ge -2)$
- $c_5: \land (x \ge 4 \lor y \le 0 \lor h_3 \ge 6.2)$
- $c_6: \land h_1 = x^2$
- $c_7: \land h_2 = -2 \cdot y$
- $c_8: \land h_3 = h_1 + h_2$

- Use Tseitin-style transformation to rewrite the input formula into a conjunction of constraints
  - *n*-ary disjunctions of bounds ('clauses')
  - Arithmetic constraints having at most one operation symbol
- Boolean variables are regarded as 0-1 integer variables. This allows identification of literals with bounds on Booleans:

$b \equiv (b \ge 1)$, $\neg b \equiv (b \le 0)$

- Auxiliary variables $h_1, h_2, h_3$ are used for the decomposition of the complex constraint $x^2 - 2y \ge 6.2$.

## Satisfiability Modulo Theory - iSAT

- $c_1: (\neg a \lor \neg c \lor d)$
- $c_2: \land (\neg a \lor \neg b \lor c)$
- $c_3: \land (\neg c \lor \neg d)$
- $c_4: \land (b \lor x \ge -2)$
- $c_5: \land (x \ge 4 \lor y \le 0 \lor h_3 \ge 6.2)$
- $c_6: \land h_1 = x^2$
- $c_7: \land h_2 = -2 \cdot y$
- $c_8: \land h_3 = h_1 + h_2$
- $c_9: \land (\neg a \lor \neg c)$
- $c_{10}: \land (x < -2 \lor y < 4 \lor x > 3)$



Conflict clause = symbolic description of a rectangular region of the search space which is excluded from future search
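Added example, not iSAT's own code: interval constraint propagation over the decomposed constraints $c_6$, $c_7$, $c_8$, run first on the $h_1 = z^2$ instance from the ICP slide and then on the bounds $x \ge -2$, $x \le 3$, $y \ge 4$ whose conflict is what the conflict clause $c_{10}$ excludes. The upper bounds 100 and $10^4$ are assumed so that every variable is bounded initially, and plain floats replace iSAT's outward rounding.

```python
"""Interval constraint propagation (ICP) in the style of iSAT, as an added
example (not iSAT's code). Every variable carries a closed interval
[lo, hi]; constraints have at most one operation symbol, as the slides'
Tseitin-style decomposition produces them. Floats without outward rounding
are used, so unlike iSAT the deductions are not guaranteed sound."""
import math

def square_fwd(x):
    """h = x**2: image of the interval x."""
    lo, hi = x
    if lo >= 0:
        return (lo * lo, hi * hi)
    if hi <= 0:
        return (hi * hi, lo * lo)
    return (0.0, max(lo * lo, hi * hi))

def square_bwd(h, x):
    """h = x**2: bounds on x deduced from h, using the sign already known for x."""
    r_lo = math.sqrt(max(h[0], 0.0))
    r_hi = math.sqrt(max(h[1], 0.0))
    if x[0] >= 0:
        return (r_lo, r_hi)
    if x[1] <= 0:
        return (-r_hi, -r_lo)
    return (-r_hi, r_hi)

def scale(k, x):
    """h = k * x for a nonzero constant k (bounds flip when k < 0)."""
    a, b = k * x[0], k * x[1]
    return (min(a, b), max(a, b))

def deductions(box, constraint):
    """Yield (variable, deduced interval) pairs for one constraint. Each
    deduction is computed lazily, so it sees bounds tightened just before."""
    kind, h, *rest = constraint
    if kind == "square":                       # h = x**2
        (x,) = rest
        yield h, square_fwd(box[x])
        yield x, square_bwd(box[h], box[x])
    elif kind == "scale":                      # h = k * x
        k, x = rest
        yield h, scale(k, box[x])
        yield x, scale(1.0 / k, box[h])
    elif kind == "add":                        # h = x + y
        x, y = rest
        yield h, (box[x][0] + box[y][0], box[x][1] + box[y][1])
        yield x, (box[h][0] - box[y][1], box[h][1] - box[y][0])
        yield y, (box[h][0] - box[x][1], box[h][1] - box[x][0])
    else:
        raise ValueError(kind)

def propagate(box, constraints, min_progress=1e-9, max_rounds=100):
    """Apply all deductions until no interval shrinks by more than
    min_progress (the 'small progress' cut-off of the slides) or an interval
    becomes empty (a conflict). Returns (box, conflict)."""
    box = dict(box)
    for _ in range(max_rounds):
        progress = False
        for constraint in constraints:
            for var, (nlo, nhi) in deductions(box, constraint):
                lo, hi = box[var]
                lo2, hi2 = max(lo, nlo), min(hi, nhi)
                if lo2 > hi2:
                    box[var] = (lo2, hi2)
                    return box, True           # conflict: empty interval
                if (lo2 - lo) + (hi - hi2) > min_progress:
                    progress = True
                box[var] = (lo2, hi2)
        if not progress:
            break
    return box, False

def slide_square_example():
    """h1 = z**2 with z in [3,7] and h1 in [-2,25], as on the ICP slide."""
    return propagate({"z": (3.0, 7.0), "h1": (-2.0, 25.0)},
                     [("square", "h1", "z")])

def slide_conflict_example():
    """The situation behind conflict clause c10: bounds x >= -2 (from c4),
    x <= 3 and y >= 4 make x >= 4 and y <= 0 in c5 false, so h3 >= 6.2 is
    propagated; ICP over c6, c7, c8 then finds h3 <= 1, a conflict.
    The upper bounds 100 and 1e4 are constructed (iSAT needs every
    variable bounded initially)."""
    box = {"x": (-2.0, 3.0), "y": (4.0, 100.0), "h3": (6.2, 1e4),
           "h1": (-1e4, 1e4), "h2": (-1e4, 1e4)}
    constraints = [("square", "h1", "x"),        # c6: h1 = x**2
                   ("scale", "h2", -2.0, "y"),   # c7: h2 = -2*y
                   ("add", "h3", "h1", "h2")]    # c8: h3 = h1 + h2
    return propagate(box, constraints)
```

The first call narrows z to [3,5] and h1 to [9,25]; the second ends in a conflict on h3, so the box x ∈ [-2,3], y ≥ 4 is exactly the rectangular region that $c_{10}$ excludes from future search.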






- Continue to split and deduce until either
  - formula turns out to be UNSAT (unresolvable conflict),
  - formula turns out to be SAT (point interval),
  - solver is left with 'sufficiently small' portion of the search space for which it cannot derive any contradiction.
- Avoid infinite splitting and deduction
  - Minimal splitting width
  - Discard a deduced bound if it yields small progress on


### Remarks

- All variables have to be bounded initially
- Reliable results due to outward rounding
- Further features
  - Clever normalization rules
  - Continue search after "unknown"
  - Proof of unsatisfiability
  - Unbounded model checking using interpolants
  - Handling of stochastic constraint systems
  - Parallelization based on message passing



#### Example: Train Separation in Absolute Braking Distance

- Part of the forthcoming European Train Control Standard
- Minimal distance between two trains equals braking distance plus safety margin



- First train reports position of its end to the second train every 8 seconds
- Controller of the second train automatically initiates braking to maintain safety margin



Top-level view of the Matlab/Simulink model for two trains



### Example: Train Separation in Absolute Braking Distance



Model of controller and train dynamics

Safety property to be checked: Does the controller guarantee that collisions aren't possible?




#### Example: Train Separation in Absolute Braking Distance



```
-- relay block: when the relay is on, it remains on until the input
-- drops below the value of the switch off point parameter. When the
-- relay is off, it remains off until the input exceeds the value of
-- the switch on point parameter.
(!is.on and h >= param.on ) -> ( is.on' and  brake);
(!is.on and h <  param.off) -> (!is.on' and !brake);
( is.on and h <= param.off) -> (!is.on' and !brake);
( is.on and h >  param.off) -> ( is.on' and  brake);
```


#### Max-SAT

Given a CNF  $\varphi$ , find a truth assignment for all variables that satisfies the maximum number of clauses within  $\varphi$ 

Variants of Max-SAT

- Partial Max-SAT
  - $\varphi$  consists of hard and soft clauses
  - All hard clauses must be satisfied
  - Maximize number of satisfied soft clauses
- Weighted Max-SAT
- Weighted Partial Max-SAT

### Solving (Partial) Max-SAT using SAT Algorithms

- Each soft clause gets extended by a fresh "trigger" variable:  $(x_1 \lor x_2) \rightsquigarrow (t_1 \lor x_1 \lor x_2)$
- By construction, after adding trigger variables all soft clauses can be satisfied simultaneously
- Now, Max-SAT corresponds to minimizing k in  $\sum_{c=1}^{m} t_c \le k$  with m representing the number of soft clauses
- Encode  $\sum_{c=1}^{m} t_c \le k$  with a bitonic sorting network (unary representation), convert it to CNF, and add it to the formula
- Solve the Max-SAT problem by using incremental SAT solving, iterating over k

## Bitonic Sorting Network






#### Production of circuits is erroneous

- Various types and sources of faults
- Covered here: Small-delay faults



### Sensitizable Paths and Small Delay Faults



Sensitizable path: Transition from input to output

Length of a path according to sum of gate delays




### Sensitizable Paths and Small Delay Faults



- Small delay faults: Assume additional delay for one gate
- Output transition too late for clock
- The longer the path the higher the detection quality
- Two-pattern delay test


#### Production of circuits is erroneous

- General workflow
  - Predefined paths obtained from path analysis tool
  - Sensitize all target paths using as few patterns as possible to reduce the overall test overhead
  - Test pattern relaxation
- Approach
  - SAT-based maximization of sensitized target paths

### Maximization of Sensitized Target Paths using Partial Max-SAT



- $s^{p_i}$ indicates whether path $p_i$ is sensitized or not
- $\langle s^{p_1}, \dots, s^{p_n} \rangle$ gets sorted by 1's and 0's
- $\langle SO_1, \dots, SO_n \rangle = \langle 1, \dots, 1, 0, \dots, 0 \rangle$
- Setting $SO_i$ to 1 forces the solver to sensitize at least *i* paths
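Added example (not the slides' code): Partial Max-SAT with trigger variables and a bitonic sorting network, iterating over k as described in the Max-SAT section, with the sorted outputs $SO_i$ being the same ones the path-sensitization formulation above relies on. The hard and soft clause set is constructed, and enumeration of the original variables stands in for the SAT solver.

```python
"""Partial Max-SAT via trigger variables and a bitonic sorting network, as
an added example (not the slides' code). Enumeration replaces the SAT
solver; the sorting network is evaluated on Boolean values, which is the
comparator structure that the unary encoding turns into CNF (max = or,
min = and). SO[i] is true iff at least i+1 of the sorted inputs are true."""
from itertools import product

def bitonic_network(n):
    """Comparators (i, j, up) of a bitonic sorter on n = 2**p wires.
    up=True puts the minimum on wire i and the maximum on wire j."""
    comps = []
    k = 2
    while k <= n:
        j = k // 2
        while j >= 1:
            for i in range(n):
                partner = i ^ j
                if partner > i:
                    comps.append((i, partner, (i & k) == 0))
            j //= 2
        k *= 2
    return comps

def sorted_outputs(bits, network):
    """Run the comparators (ascending sort) and read the result top-down:
    SO[i] is True iff at least i+1 input bits are True."""
    bits = list(bits)
    for i, j, up in network:
        lo, hi = bits[i] and bits[j], bits[i] or bits[j]
        bits[i], bits[j] = (lo, hi) if up else (hi, lo)
    return bits[::-1]

def clause_sat(clause, assignment):
    """DIMACS-style literals: v is variable v true, -v is v false."""
    return any(assignment[abs(l)] == (l > 0) for l in clause)

def partial_maxsat(hard, soft, nvars):
    """Iterate k = 0, 1, ...: the first k for which the hard clauses, the
    trigger-extended soft clauses and SO_{k+1} = 0 are satisfiable together
    is the minimum number of falsified soft clauses.
    Returns (k, assignment), or None if the hard clauses are unsatisfiable."""
    m = len(soft)
    n = 1
    while n < m:
        n *= 2                    # pad the trigger vector to a power of two
    network = bitonic_network(n)
    for k in range(m + 1):
        for values in product((False, True), repeat=nvars):
            assignment = dict(zip(range(1, nvars + 1), values))
            if not all(clause_sat(c, assignment) for c in hard):
                continue
            # t_c = 1 exactly when soft clause c is falsified: the cheapest
            # value the solver can give the trigger literal
            triggers = [not clause_sat(c, assignment) for c in soft]
            so = sorted_outputs(triggers + [False] * (n - m), network)
            if k >= n or not so[k]:   # SO_{k+1} = 0, i.e. sum of t_c <= k
                return k, assignment
    return None

# Constructed instance: hard clauses force exactly one of x1, x2; the soft
# clauses (x1), (x2), (x3), (not x3) can never all hold, so the optimum is k = 2.
HARD = [[1, 2], [-1, -2]]
SOFT = [[1], [2], [3], [-3]]

if __name__ == "__main__":
    print(partial_maxsat(HARD, SOFT, 3))
```

Setting $SO_k = 1$ instead of $SO_{k+1} = 0$ gives the "at least k" direction used for sensitized paths; the network is identical.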


#### Production of circuits is erroneous

- Results
  - Applicable to large industrial circuits
  - Significantly reduced number of test patterns compared to other state-of-the-art approaches

- Semantics (for this particular example)
  - $\Psi$  is satisfied iff there exists one assignment for  $x_1$  such that for every assignment of  $x_2$  and  $x_3$ , there exists one assignment for  $x_4, \ldots, x_n$ , such that  $\varphi$  is satisfied


#### Motivation

- Parts of the pattern get unspecified (don't care) → test cube
- Test properties still hold
- Reduced overall test overhead
- Focus of this work: Test cube generation with maximum number of don't cares ⇝ optimal test cube

### Fault model considered here

Again, small-delay faults


## Modeling Don't Cares with QBF



- $\Rightarrow$  *F* can be set to 1, even if *B* is unspecified!
- $\Rightarrow$  Don't cares can be represented by  $\forall$  variables





# Test Pattern Relaxation using QBF



Identifying small-delay faults requires two timeframes

- Test cube with maximum number of unspecified inputs using QBF
- Quantify unspecified inputs universally, specified ones existentially
- If a path for a small-delay fault is sensitizable:
  - Universally quantified inputs: excluded from the test cube
  - Existentially quantified inputs: the test cube
- But: The quantifier of a variable cannot be changed in QBF
- ⇒ Unspecified inputs are not known a priori
- ⇒ Which inputs have to be quantified universally?


# Test Pattern Relaxation using QBF



$$\Psi = \exists SO_1, \dots, SO_n, S_1, \dots, S_n, E_1, \dots, E_n\ \forall A_1, \dots, A_n\ \exists \dots\ \varphi_{circ.} \land \varphi_{prop.} \land \varphi_{mux} \land \varphi_{bsn} \land SO_k$$

- Dynamic choice of (un-)specified inputs using multiplexers
- Select input  $S_i$  switches between specified  $(S_i = 0 \rightsquigarrow \exists E_i)$  and unspecified  $(S_i = 1 \rightsquigarrow \forall A_i)$  for any primary input  $I_i$
- Find the maximum number of multiplexer select inputs that can be set to 1
- Search for k, such that: Path is sensitizable with k unspecified inputs ( $SO_k = 1$ ), but not with k + 1 ( $SO_{k+1} = 0$ )
- ⇒ Optimal test cube, i.e., maximum number of don't cares


### Motivation - Equivalence Checking



Are implementation and specification equivalent?



### Motivation - Partial Equivalence Checking



Realizability, i.e. are there implementations of the black boxes (BBs) such that implementation and specification are equivalent?



# QBF vs. Dependency-QBF (DQBF)



- Expressible with QBF
  - ⇒ Approximation
  - BBs read all inputs
- Expressible with DQBF
  - ⇒ More precise
  - BBs read actual inputs




### QBF

- Linear quantifier-order
- Existentially quantified variables depend on all universally quantified variables to their left

### DQBF

- Non-linear quantifier-order
- Dependencies between variables are explicitly expressible

$$\psi_{QBF} = \overbrace{\forall x_1 \forall x_2 \exists y_1 \exists y_2}^{Q} : \varphi$$

$$\psi_{DQBF} = \forall x_1 \forall x_2\, \exists y_1\{x_1\}\, \exists y_2\{x_2\} : \varphi$$

Additional constraints compared to QBF

- For the same assignment of all ∀ variables $u \in dep(e)$ the assignment of the ∃ variable $e$ has to be the same
- For different assignments of at least one ∀ variable $u \in dep(e)$ the assignment of the ∃ variable $e$ is allowed to change

# QBF and DQBF for Partial Equivalence Checking

### QBF

- Does not take dependencies between BBs into account
- BBs read all circuit inputs
- UNSAT ⇒ unrealizability
- SAT ⇒ realizability

### DQBF

- BBs read only affecting signals
- UNSAT ⇒ unrealizability
- SAT ⇒ realizability

### For one black box QBF is as accurate as DQBF!




### DQBF-based Partial Equiv. Checking - Example



# Henkin Quantified Solver (HQS)




## Main Idea behind HQS - Acyclic Dependency Graph




#### #SAT

- Given a CNF $\varphi$, count how many distinct truth assignments satisfy $\varphi$
- #SAT solvers have to continue the search after one solution has been found
- With *n* variables, $\varphi$ can have up to $2^n$ satisfying assignments
- #SAT corresponds to model counting, not enumerating all satisfying assignments
- Accelerating techniques differ from classical SAT solving
  - Caching of already analyzed sub-formulae: $[\varphi', M_{\varphi'}]$
  - Component analysis: $\varphi = \varphi' \land \varphi'' \Rightarrow M_{\varphi} = M_{\varphi'} \cdot M_{\varphi''}$
- Different approaches: Exact vs. approximate model counting



$$\varphi = (v_1 \lor \neg v_2) \land (v_1 \lor v_2 \lor v_3) \land (\neg v_4 \lor v_5) \land (\neg v_3 \lor v_5)$$





- Store model counts of sub-formulas in a cache
- Do not compute the result for the same sub-formula twice

$$\varphi = (v_1 \lor v_2 \lor v_3) \land (\neg v_1 \lor v_2 \lor v_3)$$

The formula might split into disjoint sub-formulas

- Assignment: $p_2 = false$
- Sub-formulas:

$$\varphi_1 = (a_1 \lor a_2 \lor a_3)$$
  
$$\varphi_2 = (b_1) \land (\neg b_3 \lor b_4) \land (\neg b_2)$$

Model count is computed by multiplying results for sub-formulas:

$$mc(\varphi|_{p_2=false}) = mc(\varphi_1) \cdot mc(\varphi_2) = 7 \cdot 3 = 21$$
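Added example (not the slides' or any solver's code): an exact model counter with component analysis and sub-formula caching, checked against brute force on the formulas of this section. The last helper computes the injection-probability ratio from the fault-injection slides that follow, assuming the variables of $\varphi$ are the circuit inputs.

```python
"""Exact #SAT with component analysis and sub-formula caching, as an added
example (not the slides' or any solver's code). Clauses are lists of
non-zero ints in DIMACS style: v means variable v true, -v means false."""
from fractions import Fraction
from itertools import product

def condition(cnf, lit):
    """phi restricted to lit: drop clauses satisfied by lit, remove -lit from
    the rest. Returns None when a clause becomes empty (no model)."""
    out = []
    for clause in cnf:
        if lit in clause:
            continue
        rest = [l for l in clause if l != -lit]
        if not rest:
            return None
        out.append(rest)
    return out

def variables(cnf):
    return {abs(l) for clause in cnf for l in clause}

def components(cnf):
    """Partition the clauses into groups that share no variable."""
    remaining = [list(c) for c in cnf]
    comps = []
    while remaining:
        comp = [remaining.pop()]
        seen = variables(comp)
        grew = True
        while grew:
            grew = False
            for clause in list(remaining):
                if any(abs(l) in seen for l in clause):
                    remaining.remove(clause)
                    comp.append(clause)
                    seen |= variables([clause])
                    grew = True
        comps.append(comp)
    return comps

def cache_key(cnf):
    return tuple(sorted(tuple(sorted(c)) for c in cnf))

def count_models(cnf, nvars):
    """Number of assignments to variables 1..nvars satisfying cnf.
    Returns (model_count, cache_hits); the hits show the caching at work."""
    cache, hits = {}, 0

    def count(sub):
        """Model count of sub over exactly the variables occurring in it."""
        nonlocal hits
        if not sub:
            return 1
        key = cache_key(sub)
        if key in cache:
            hits += 1
            return cache[key]
        comps = components(sub)
        if len(comps) > 1:                    # M_phi = M_phi' * M_phi''
            result = 1
            for comp in comps:
                result *= count(comp)
        else:
            v = min(variables(sub))           # branch on a variable
            result = 0
            for lit in (v, -v):
                rest = condition(sub, lit)
                if rest is None:
                    continue
                # variables that vanished from the residual are unconstrained
                free = len(variables(sub) - variables(rest) - {v})
                result += count(rest) * 2 ** free
        cache[key] = result
        return result

    return count(cnf) * 2 ** (nvars - len(variables(cnf))), hits

def brute_force_count(cnf, nvars):
    """Reference count by enumerating all 2**nvars assignments."""
    return sum(1 for bits in product((False, True), repeat=nvars)
               if all(any(bits[abs(l) - 1] == (l > 0) for l in c) for c in cnf))

def injection_probability(cnf, n_inputs):
    """P(successful injection) = mc(phi) / 2**(#circuit inputs) as on the
    slides; assumes phi is over the circuit inputs (internal signals of a
    circuit encoding are determined by them, so they add no models)."""
    nvars = max(max(variables(cnf), default=0), n_inputs)
    return Fraction(count_models(cnf, nvars)[0], 2 ** n_inputs)
```

On the formula above, φ₁ = (a₁∨a₂∨a₃) and φ₂ = (b₁)∧(¬b₃∨b₄)∧(¬b₂) (encoded as variables 1..3 and 4..7) fall into separate components and the counter returns 7·3 = 21; on (v₁∨v₂∨v₃)∧(¬v₁∨v₂∨v₃) both branches on v₁ leave the residual (v₂∨v₃), which is served from the cache the second time.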

## Security Issues - Fault Injection

- Extract secret information from a security circuit (AES, ...)
- Inject fault by increasing the clock frequency
- Incorrect output allows for calculation of secret



- Flip-flops store value on rising clock edge
- Successful injection: flip-flops store an incorrect value
- How likely is a successful injection for unknown input?



1. Encode combinational circuit and its timing as CNF formula $\varphi$ with the tool WaveSAT<sup>1</sup>
2. Make $\varphi$ satisfiable iff at least one fault is injected
3. Add conditions for outputs that must be correct
4. Calculate number of satisfying assignments $mc(\varphi)$
5. $P(\text{Successful Injection}) = \frac{mc(\varphi)}{2^{\#\text{circuit inputs}}}$

<sup>1</sup> M. Sauer et al. "Small-Delay-Fault ATPG with Waveform Accuracy". In: ICCAD 2012.


## Some Papers...

[Abraham, Schubert, Becker, Fränzle, Herde. Parallel SAT Solving in BMC. Logic & Computation, 2011]

[Burchard, Schubert, Becker. Laissez-Faire Caching for Parallel #SAT Solving. SAT, 2015]

[Feiten, Sauer, Schubert, Czutro, Boehl, Polian, Becker. #SAT-Based Vulnerability Analysis of Security Components – A Case Study. IEEE DFTS, 2012]

[Fränzle, Herde, Teige, Ratschan, Schubert. Efficient Solving of Large Non-linear Arithmetic Constraint Systems with Complex Boolean Structure. JSAT, 2007]

[Gitina, Wimmer, Reimer, Sauer, Scholl, Becker. Solving DQBF Through Quantifier Elimination. DATE, 2015]

[Kalinnik, Schubert, Abraham, Wimmer, Becker. Picoso - A Parallel Interval Constraint Solver. PDPTA, 2009]

[Lewis, Marin, Schubert, Narizzano, Becker, Giunchiglia. Parallel QBF Solving with Advanced Knowledge Sharing. Fundamenta Informaticae, 2011]

[Lewis, Schubert, Becker. Multithreaded SAT Solving. ASP-DAC, 2007]

[Reimer, Sauer, Schubert, Becker. Incremental Encoding and Solving of Cardinality Constraints. ATVA, 2014]

[Reimer, Sauer, Schubert, Becker. Using MaxBMC for Pareto-Optimal Circuit Initialization. DATE, 2014]

[Sauer, Czutro, Schubert, Hillebrecht, Polian, Becker. SAT-based Analysis of Sensitisable Paths. IEEE Design & Test of Computers, 2013]

[Sauer, Reimer, Schubert, Polian, Becker. Efficient SAT-Based Dynamic Compaction and Relaxation for Longest Sensitizable Paths. DATE, 2013]

[Sauer, Reimer, Polian, Schubert, Becker. Provably Optimal Test Cube Generation Using Quantified Boolean Formula Solving. ASP-DAC, 2013]

[Schubert, Lewis, Becker. Parallel SAT Solving with Threads and Message Passing. JSAT, 2009]
