ITERATIVE CIRCUIT REPAIR AGAINST FORMAL SPECIFICATIONS

Abstract

We present a deep learning approach for repairing sequential circuits against formal specifications given in linear-time temporal logic (LTL). Given a defective circuit and its formal specification, we train Transformer models to output circuits that satisfy the corresponding specification. We propose a separated hierarchical Transformer for multimodal representation learning of the formal specification and the circuit. We introduce a data generation algorithm that enables generalization to more complex specifications and out-of-distribution datasets. In addition, our proposed repair mechanism significantly improves the automated synthesis of circuits from LTL specifications with Transformers. It improves the state-of-the-art by 6.8 percentage points on held-out instances and 11.8 percentage points on an out-of-distribution dataset from the annual reactive synthesis competition.

1. INTRODUCTION

Sequential circuit repair (Katz & Manna, 1975) refers to the task of automatically computing, given a formal specification and a defective circuit implementation, an implementation that satisfies the formal specification. Circuit repair finds application especially in formal verification. Examples are automated circuit debugging after model checking (Clarke, 1997) or correcting faulty circuit implementations predicted by heuristics such as neural networks (Schmitt et al., 2021b). In this paper, we design and study a deep learning approach to circuit repair for linear-time temporal logic (LTL) specifications (Pnueli, 1977) that also improves the state-of-the-art of synthesizing sequential circuits with neural networks. We consider sequential circuit implementations that continuously interact with their environments. For example, an arbiter that manages access to a shared resource interacts with processes by giving out mutually exclusive grants to the shared resource. Linear-time temporal logic (LTL) and its dialects (e.g., STL Maler & Nickovic (2004) or CTL Clarke & Emerson (1981)) are widely used in academia and industry to specify the behavior of sequential circuits (e.g., Godhal et al. (2013); IEEE (2005); Horak et al. (2021)). A typical example is the response property $(r \rightarrow g)$, stating that it always ( ) holds that request $r$ is eventually ( ) answered by grant $g$. We can specify an arbiter that manages the access to a shared resource for four processes by combining response patterns for requests $r_0, \ldots, r_3$ and grants $g_0, \ldots, g_3$ with a mutual exclusion property as follows:

$$(r_0 \rightarrow g_0) \land (r_1 \rightarrow g_1) \land (r_2 \rightarrow g_2) \land (r_3 \rightarrow g_3) \quad \text{(response properties)}$$

$$((\lnot g_0 \land \lnot g_1 \land (\lnot g_2 \lor \lnot g_3)) \lor ((\lnot g_0 \lor \lnot g_1) \land \lnot g_2 \land \lnot g_3)) \quad \text{(mutual exclusion property)}$$

A possible implementation of this specification is a circuit that gives grants based on a round-robin scheduler. However, running neural reactive synthesis (Schmitt et al., 2021b) on this specification results in a defective circuit as shown in Figure 1a. After model checking the implementation, we observe that the circuit is not keeping track of counting (missing an AND gate) and that the mutual exclusion property is violated (the same variable controls grants $g_0$ and $g_1$).
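As an added illustration (not code from the paper), the following Python sketch checks a round-robin arbiter and a defective variant against the two properties of the arbiter specification on finite traces. It assumes a token-passing scheduler, a constructed defect in which one signal drives both g0 and g1, and a window of four steps as a bounded stand-in for "eventually"; all function names are hypothetical, and bounded trace checking is weaker than model checking.

```python
from itertools import product

N = 4  # processes r0..r3 / g0..g3, as in the arbiter specification above

def mutex(g):
    """Per-step mutual exclusion predicate, transcribed from the formula above."""
    g0, g1, g2, g3 = g
    return ((not g0 and not g1 and (not g2 or not g3))
            or ((not g0 or not g1) and not g2 and not g3))

def round_robin(requests):
    """Token-passing arbiter: the token holder is granted iff it has a pending request."""
    token, pending, grants = 0, [False] * N, []
    for r in requests:
        pending = [p or x for p, x in zip(pending, r)]   # latch new requests
        g = tuple(i == token and pending[i] for i in range(N))
        pending = [p and not gi for p, gi in zip(pending, g)]
        grants.append(g)
        token = (token + 1) % N
    return grants

def shared_grant(requests):
    """Constructed defect of the kind described above: one signal drives g0 and g1."""
    return [(g[0], g[0], g[2], g[3]) for g in round_robin(requests)]

def check(arbiter, requests, bound=N):
    """Violations on a finite trace: mutex at every step, and each request granted
    within `bound` steps (a bounded approximation of 'eventually')."""
    grants = arbiter(requests)
    bad = [("mutex", t) for t, g in enumerate(grants) if not mutex(g)]
    for t, r in enumerate(requests):
        if t + bound > len(grants):
            break  # window runs past the end of the trace; cannot judge
        for i in range(N):
            if r[i] and not any(grants[u][i] for u in range(t, t + bound)):
                bad.append(("response", t, i))
    return bad

def counterexample(arbiter, length=N):
    """Exhaustively search all request traces of the given length."""
    vectors = list(product([False, True], repeat=N))
    for trace in product(vectors, repeat=length):
        if check(arbiter, trace):
            return trace
    return None

if __name__ == "__main__":
    print("round robin:", counterexample(round_robin))
    print("shared g0/g1:", counterexample(shared_grant))
```

The defective variant fails in two ways: a lone request from process 1 is never granted, and any grant to process 0 raises g0 and g1 together.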

