Frontend model generation for SAT-based property checking

Markus Wedler, Dominik Stoffel, Wolfgang Kunz
Dept. of Electrical & Computer Eng., University of Kaiserslautern/Germany
email: wedler@eit.uni-kl.de

Abstract

This paper provides an overview of recently developed model generation techniques for SAT-based property checking. To overcome limitations of SAT-based property checking, we suggest tailoring the synthesis procedures in the frontend of the property checker towards the verification algorithms used in the backend. This paradigm has been applied to two different design categories. As a first example, for control intensive designs with many interacting state machines, an appropriate state encoding can facilitate the representation of state sets. As a second example, for arithmetic datapath verification, we suggest synthesizing an arithmetic bit level description to enable normalization techniques in the backend. We demonstrate the usefulness of our approach by means of industrial test cases.

1 Introduction

SAT-based property checking has gained increased significance in Electronic Design Automation (EDA). It is used to verify that a digital circuit design meets the specified behavior. In bounded model checking (BMC) [4], the design of a sequential circuit is unrolled for a finite number of time frames and augmented with the property under verification. This can be translated into a satisfiability (SAT) problem and is thus handled by standard SAT solvers. These solvers will either give a proof of unsatisfiability or a counterexample for the property.

[Figure 1. Standard flow for RTL property checking. Flow diagram: HDL design and property description enter the frontend (synthesis), which produces a problem representation, e.g. a SAT instance, for the backend, e.g. a SAT solver; if the instance is solved, a counterexample is returned, otherwise the property holds.]

Figure 3 illustrates this flow.
In the past decade enormous progress on the backend engines has been made, whereas the frontends are more or less the same as those used for implementation synthesis of the design. However, in the context of property checking this synthesis should follow other optimization goals. For implementation of the design, issues like timing, area, number of gates etc. are taken into account. These measures turn out to be inefficient for property checking. The frontend of a property checker should generate models that are easy to verify by the backend of the checker. Therefore we suggest a tighter coupling of frontends with the respective backends. By means of two examples we demonstrate how frontend model generation with respect to a dedicated backend engine enlarges the applicability of a property checker.

BMC requires that the property can be specified in a bounded time interval. Especially control intensive applications sometimes raise the need to verify safety properties of the design over unbounded time intervals. These properties typically express that certain (unsafe) states will never be reached by the design. Unrolling the circuit up to its diameter will make BMC complete in this case. Unfortunately, in practice, the resulting SAT instances are very large and hence intractable for modern SAT solvers. To overcome this limitation, k-step induction was introduced in [2] and [7]. However, these methods too are only applicable for small induction depths k. In practice large values of k are reduced by manually adding reachability information to the property. This is a cumbersome and time consuming process. In Section 2 we will describe how an appropriate state encoding [9] for the design facilitates automatic generation of powerful invariants that significantly reduce the induction depth k. Another difficult issue for SAT-based BMC is addressed in Section 3.
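The effect of reachability information on the induction depth, as an added illustration that is not part of the paper: a constructed 4-bit mod-6 counter with an enable input leaves an unreachable cycle of states 6..15 in its state space, and the safety property "state 15 is never reached" needs a large induction depth k until a hand-supplied invariant (s < 6, standing in for the reachability information the paper's encoding-aware frontend would derive) reduces it to k = 1. Explicit state enumeration replaces the SAT queries of the base and step cases here; the design, property and invariant are assumptions of this example.

```python
# Constructed example: k-induction (base case + loop-free inductive step, as in
# Sheeran et al.) on a small deterministic design, enumerated explicitly instead
# of encoded as SAT instances.
N_BITS = 4
STATES = range(2 ** N_BITS)
INIT = {0}           # reset state
INPUTS = (0, 1)      # the single primary input: count enable

def next_state(s, en):
    """Assumed design: a mod-6 counter. States 6..15 are unreachable and form
    a cycle 6 -> 7 -> ... -> 15 -> 6 that the state encoding leaves behind."""
    if not en:
        return s
    return (s + 1) % 6 if s < 6 else 6 + (s - 5) % 10

def safe(s):
    return s != 15       # safety property under verification: never reach state 15

def invariant(s):
    return s < 6         # reachability information added to the property

def strengthened(s):
    return safe(s) and invariant(s)

def base_case(prop, k):
    """BMC part: every state on a path of k states from reset satisfies prop."""
    frontier, seen = set(INIT), set(INIT)
    for _ in range(k - 1):
        frontier = {next_state(s, en) for s in frontier for en in INPUTS} - seen
        seen |= frontier
    return all(prop(s) for s in seen)

def loop_free_paths(prop, k):
    """All loop-free sequences of k distinct states that each satisfy prop."""
    def extend(path):
        if len(path) == k:
            yield path
            return
        for en in INPUTS:
            nxt = next_state(path[-1], en)
            if prop(nxt) and nxt not in path:
                yield from extend(path + [nxt])
    for s0 in STATES:
        if prop(s0):
            yield from extend([s0])

def inductive_step(prop, k):
    """Every loop-free k-state path inside prop leads only to prop states."""
    return all(prop(next_state(path[-1], en))
               for path in loop_free_paths(prop, k) for en in INPUTS)

def min_induction_depth(prop, max_k=16):
    """Smallest k for which k-induction proves prop; None if the base case
    finds a counterexample or no k up to max_k suffices."""
    for k in range(1, max_k + 1):
        if not base_case(prop, k):
            return None
        if inductive_step(prop, k):
            return k
    return None
```

Without the invariant the step case fails for every k up to 9, because the unreachable chain 6..14 is a loop-free path of nine safe states whose successor is 15; with the invariant the step case closes at k = 1.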
It is well known that SAT solvers have problems when dealing with instances derived from the verification of arithmetic circuits, especially when multiplication is involved. Hence, although SAT-based property checking can often be applied successfully to the control part of a design, it typically fails on data paths with large arithmetic blocks. One may resort to incomplete techniques like bit-slicing in order to find bugs in arithmetic units. However, they cannot prove the absence of a bug. In particular, they are very likely to miss errors in corner cases. We will describe how synthesis of an arithmetic bit level description (ABL) of circuit and property by the frontend facilitates the application of ABL normalization [10] in the backend of the solver.