Template-based Circuit Understanding

Transcription

1 Template-based Circuit Understanding Adrià Gascón 1 Pramod Subramanyan 2 Bruno Dutertre 1 Ashish Tiwari 1 Dejan Jovanović 1 Sharad Malik 2 1 SRI International 2 Princeton University

2 Motivation Verify/reverse-engineer a digital circuit EXTRACT and UNDERSTAND subcomponents

3 Verify/reverse-engineer a digital circuit EXTRACT and UNDERSTAND subcomponents FSM extraction [Shi et. al.] Functional aggregation and matching [Subramanyan et. al.] Word identification and propagation [Li et. al.] Identification of repeated structures [Hansen et. al.]

4 Verify/reverse-engineer a digital circuit EXTRACT and UNDERSTAND subcomponents FSM extraction [Shi et. al.] Functional aggregation and matching [Subramanyan et. al.] Word identification and propagation [Li et. al.] Identification of repeated structures [Hansen et. al.] Most of these techniques do not the find the right permutations in word components

5 Verify/reverse-engineer a digital circuit EXTRACT and UNDERSTAND subcomponents

6 What does it mean to understand a combinational circuit C? Find an equivalent higher-level definition Flatten verilog netlist High-level Verilog Basic Boolean logic Boolean Logic + Words and operations on Words

7 What does it mean to understand a combinational circuit C? Find an equivalent higher-level definition Flatten verilog netlist High-level Verilog Basic Boolean logic Boolean Logic + Words and operations on Words Goal Given purely Boolean Formula C, produce equivalent Formula F over the theory of bitvectors.

8 A Combinational Boolean circuit C(I, O) is (a) a list of input Boolean variables I = x 1,..., x n and (b) a list O = f 1,..., f m of single-output Boolean formulas with inputs I. For x {0, 1} n, y {0, 1} m, by C( x, y) we denote that C produces output y on input x

9 The library aproach Check functional equivalence against a library of known components. C( x 1,..., x n, f 1,..., f m ) C lib ( x 1,..., x n, g 1,..., g m ) Fixed permutations σ, θ i {1,..., m}, x {0, 1} m : f θ(i) (σ( x)) = g i ( x)

10 The library aproach Check functional equivalence against a library of known components. C( x 1,..., x n, f 1,..., f m ) C lib ( x 1,..., x n, g 1,..., g m ) Fixed permutations σ, θ i {1,..., m}, x {0, 1} m : f θ(i) (σ( x)) = g i ( x) Limitation: Permutations σ, θ must be known.

11 Permutation-independent equivalence checking C( x 1,..., x n, f 1,..., f m ) C lib ( x 1,..., x n, g 1,..., g m ) To be determined permutations σ, θ σ, θ : i {1,..., m}, x {0, 1} m : f θ(i) (σ( x)) = g i ( x)

12 Permutation-independent equivalence checking C( x 1,..., x n, f 1,..., f m ) C lib ( x 1,..., x n, g 1,..., g m ) To be determined permutations σ, θ σ, θ : i {1,..., m}, x {0, 1} m : f θ(i) (σ( x)) = g i ( x) Limitation: Still too restrictive. 1. C usually does not have a standard functionality. 2. C s functionality must be fully matched.

13 Template-based synthesis Instead of a reference circuit, our approach requires a template of a specific form.

14 How do our templates look like? A template T of a combinational circuit C(I, O) is: A subset O T O, a partition I = (I C n i=1 (W i)), and a conjuntion of guarded assignments of the form a i : ψ i (I C ) ( θ(o T ) := φ i (σ(w i1 ), τ(w i2 )) ) where ψ i is a to be determined assignment on I C, θ, σ, τ are to be determined permutations, and φ i is a binary function over words. i 1, i 2 {1,..., n}.

15 1. Circuit C(I, O) 2. Subset outputs := O 3. Partition I := control inputsa inputsb 4. Template with (a) To be determined assignments v1, v2 (b) To be determined permutations p, q (and (=> (value v1 control) (= outputs (bv-add (permute p inputsa) (permute q inputsb) ) ) ) (=> (value v2 control) (= outputs (ite (bv-slt (permute p inputsa) (permute q inputsb) ) (mk-bv 32 1) (mk-bv 32 0) ) ) ) )

16 1. Circuit C(I, O) 2. Subset outputs := O 3. Partition I := control inputsa inputsb 4. Template with (a) To be determined assignments v1, v2 (b) To be determined permutations p, q p, q, v1, v2 : x {0, 1} n, y {0, 1} m : C( x, y) T (p, q, v1, v2, x, y) (and (=> (value v1 control) (= outputs (bv-add (permute p inputsa) (permute q inputsb) ) ) ) (=> (value v2 control) (= outputs (ite (bv-slt (permute p inputsa) (permute q inputsb) ) (mk-bv 32 1) (mk-bv 32 0) ) ) ) )

17 Check validity of Boolean formulas over the theory of bit-vectors with two levels of quantification ( QF BV): x : C( x) y : A( x, y) 1. High-level preprocessing and simplifications [Wintersteiger et. al.] 2. Counterexample-refinement loop, similar to the approach used in 2QBF solvers [Ranjan et. al., Janota et. al.] 3. Functional signatures [Mohnke et. al.]

18 (1) Miniscoping: x : A B x : A x : B x : A B x : A x : B (2) Equality resolution: x : C( x) y : ( i (y i = x i ) B( y)) x : E( x) y : i ({y i x i })(B( y)) (3) Distinguishing signatures.

19 Distinguishing Signatures An output signature s out is a function s out : B n D such that, for every function f and permutation τ: s out (f (x 1,..., x n )) = s out (f (τ(x 1 ),..., τ(x n ))))

20 Distinguishing Signatures An output signature s out is a function s out : B n D such that, for every function f and permutation τ: s out (f (x 1,..., x n )) = s out (f (τ(x 1 ),..., τ(x n )))) σ, θ : i {1,..., m}, x {0, 1} m : f θ(i) (σ( x)) = g i ( x)

21 Distinguishing Signatures An output signature s out is a function s out : B n D such that, for every function f and permutation τ: s out (f (x 1,..., x n )) = s out (f (τ(x 1 ),..., τ(x n )))) σ, θ : i {1,..., m}, x {0, 1} m : f θ(i) (σ( x)) = g i ( x) x, y : s out (f x ) s out (g y ) θ(y) x

22 Distinguishing Signatures An output signature s out is a function s out : B n D such that, for every function f and permutation τ: s out (f (x 1,..., x n )) = s out (f (τ(x 1 ),..., τ(x n )))) σ, θ : i {1,..., m}, x {0, 1} m : f θ(i) (σ( x)) = g i ( x) θ(y) x x, y : s out (f x ) s out (g y ) θ(y) x

23 We consider one input signature and one output signature. Input dependency Output dependency Signatures can be computed independently in the circuit and the template.

24 Benchmarks (40 Sat/40 Unsat): Reverse engineering benchmarks generated from high-level (behavioral) Verilog using the Synopsys Compiler. Experiments From ISCAS, an academic processor implementation, and synthetic examples. ALUs, multipliers, shifters, counters... Tools: Yices Z3 Bloqqer + DepQBF Bloqqer + RareQs Bloqqer + skizzo Cir-CEGAR (Mini-SAT) Variants: (Yices format) (SMT2 format) (QDimacs) (QDimacs) (QDimacs) (QDimacs + top titeral) Considered two simple encodings for permutations Studied effect of preprocessing, encodings, and signatures

25 Conclusion and further work Yices and Z3 are sensitive to the encoding of permutations Preprocessing and signatures are harmless and crucial in many cases Benchmarks are available in SMT2, YICES, QBF and (soon) QCIR Just putting together two SAT/SMT solvers is not enough QDIMACS encoding is not suitable for this kind of synthesis Integrate signature computation in the Exist-Forall loop Compare to other synthesis algorithms

26 Questions? Comments? Suggestions?

27

28

29