Publications

Featured research published by James H. Kukula.


formal methods in computer aided design | 2002

Automated Abstraction Refinement for Model Checking Large State Spaces Using SAT Based Conflict Analysis

Pankaj Chauhan; Edmund M. Clarke; James H. Kukula; Samir Sapra; Helmut Veith; Dong Wang

We introduce a SAT based automatic abstraction refinement framework for model checking systems with several thousand state variables in the cone of influence of the specification. The abstract model is constructed by designating a large number of state variables as invisible. In contrast to previous work where invisible variables were treated as free inputs, we describe a computationally more advantageous approach in which the abstract transition relation is approximated by pre-quantifying invisible variables during image computation. The abstract counterexamples obtained from model-checking the abstract model are symbolically simulated on the concrete system using a state-of-the-art SAT checker. If no concrete counterexample is found, a subset of the invisible variables is reintroduced into the system and the process is repeated. The main contributions of this paper are two new algorithms for identifying the relevant variables to be reintroduced. These algorithms monitor the SAT checking phase in order to analyze the impact of individual variables. Our method is complete for safety properties (AGp) in the sense that, performance permitting, a property is either verified or disproved by a concrete counterexample. Experimental results are given to demonstrate the power of our method on real-world designs.


design automation conference | 2001

Formal property verification by abstraction refinement with formal, simulation and hybrid engines

Dong Wang; Pei-Hsin Ho; Jiang Long; James H. Kukula; Yunshan Zhu; Tony Ma; Robert F. Damiano

We present RFN, a formal property verification tool based on abstraction refinement. Abstraction refinement is a strategy for property verification. It iteratively refines an abstract model to better approximate the behavior of the original design in the hope that the abstract model alone will provide enough evidence to prove or disprove the property. However, previous work on abstraction refinement was only demonstrated on designs with up to 500 registers. We developed RFN to verify real-world designs that may contain thousands of registers. RFN differs from the previous work in several ways. First, instead of relying on a single engine, RFN employs multiple formal verification engines, including a BDD-ATPG hybrid engine and a conventional BDD-based fixpoint engine, for finding error traces or proving properties on the abstract model. Second, RFN uses a novel two-phase process involving 3-valued simulation and sequential ATPG to determine how to refine the abstract model. Third, RFN avoids the weakness of other abstraction-refinement algorithms, namely finding error traces on the original design, by utilizing the error trace of the abstract model to guide sequential ATPG to find an error trace on the original design. We implemented and applied a prototype of RFN to verify various properties of real-world RTL designs containing approximately 5,000 registers, which represents an order of magnitude improvement over previous results. On these designs, we successfully proved a few properties and discovered a design violation.


design automation conference | 2000

To split or to conjoin: the question in image computation

In-Ho Moon; James H. Kukula; Kavita Ravi; Fabio Somenzi

Image computation is the key step in fixpoint computations that are extensively used in model checking. Two techniques have been used for this step: one based on conjunction of the terms of the transition relation, and the other based on recursive case splitting. We discuss when one technique outperforms the other, and consequently formulate a hybrid approach to image computation. Experimental results show that the hybrid algorithm is much more robust than the “pure” algorithms and outperforms both of them in most cases. Our findings also shed light on the remark of several researchers that splitting is especially effective in approximate reachability analysis.


design automation conference | 2001

Symbolic RTL simulation

A. Kolbi; James H. Kukula; Robert F. Damiano

Symbolic simulation is a promising formal verification technique combining the flexibility of conventional simulation with powerful symbolic methods. Unfortunately, existing symbolic simulators are restricted to gate level simulation or handle just a synthesizable subset of an HDL. Simulation of systems composed of design, testbench and correctness checkers, however, requires the complete set of HDL constructs. We present an approach that enables symbolic simulation of the complete set of RT-level Verilog constructs with full delay support. Additionally, we propose a flexible scheme for introducing symbolic variables and demonstrate how error traces can be simulated with this new scheme. Finally, we present some experimental results on an 8051 micro-controller design which prove the effectiveness of our approach.


computer aided verification | 1998

A Comparison of Presburger Engines for EFSM Reachability

Thomas R. Shiple; James H. Kukula; Rajeev K. Ranjan

Implicit state enumeration for extended finite state machines relies on a decision procedure for Presburger arithmetic. We compare the performance of two Presburger packages, the automata-based Shasta package and the polyhedra-based Omega package. While the raw speed of each of these two packages can be superior to the other by a factor of 50 or more, we found the asymptotic performance of Shasta to be equal or superior to that of Omega for the experiments we performed.


design, automation, and test in europe | 2004

Using counter example guided abstraction refinement to find complex bugs

Per Bjesse; James H. Kukula

In this paper, we present a method for finding failure traces for safety properties that are out of reach for traditional approaches to counterexample generation. We do this by guiding bounded model checking (BMC) with information gathered from counterexample guided abstraction refinement. Unlike previously described approaches based on reconstructing abstract counterexamples on the concrete machines, we do not limit ourselves to searching for failures of the same length as the current abstract counterexample. We also describe a combination of previously known methods for choosing registers to include in the abstraction that we have found works very well together with our technique for finding failures. Our experimental results show that the resulting method can find counterexamples that are out of range for both standard BMC and two previously published approaches to abstraction-guided BMC.


theory and applications of satisfiability testing | 2003

Guiding SAT diagnosis with tree decompositions

Per Bjesse; James H. Kukula; Robert F. Damiano; Ted Stanion; Yunshan Zhu

A tree decomposition of a hypergraph is a construction that captures the graph's topological structure. Every tree decomposition has an associated tree width, which can be viewed as a measure of how tree-like the original hypergraph is. Tree decomposition has proven to be a very useful theoretical vehicle for generating polynomial algorithms for subclasses of problems whose general solution is NP-complete. As a rule, this is done by designing the algorithms so that their runtime is bounded by some polynomial times a function of the tree width of a tree decomposition of the original problem. Problem instances that have bounded tree width can thus be solved by the resulting algorithms in polynomial time. A variety of methods are known for deciding satisfiability of Boolean formulas whose hypergraph representations have tree decompositions of small width. However, satisfiability methods based on tree decomposition have yet to make a large impact. In this paper, we report on our effort to learn whether the theoretical applicability of tree decomposition to SAT can be made to work in practice. We discuss how we generate tree decompositions, and how we make use of them to guide variable selection and conflict clause generation. We also present experimental results demonstrating that the method we propose can decrease the number of necessary decisions by one or more orders of magnitude.


international conference on computer aided design | 2001

Non-linear quantification scheduling in image computation

Pankaj Chauhan; Edmund M. Clarke; Somesh Jha; James H. Kukula; Thomas R. Shiple; Helmut Veith; Dong Wang

Computing the set of states reachable in one step from a given set of states, i.e. image computation, is a crucial step in several symbolic verification algorithms, including model checking and reachability analysis. So far, the best methods for quantification scheduling in image computation, with a conjunctively partitioned transition relation, have been restricted to a linear schedule. This results in a loss of flexibility during image computation. We view image computation as a problem of constructing an optimal parse tree for the image set. The optimality of a parse tree is defined by the largest BDD that is encountered during the computation of the tree. We present dynamic and static versions of a new algorithm, VarScore, which exploits the flexibility offered by the parse tree approach to the image computation. We show by extensive experimentation that our techniques outperform the best known techniques so far.


formal methods in computer aided design | 2002

Simplifying Circuits for Formal Verification Using Parametric Representation

In-Ho Moon; Hee-Hwan Kwak; James H. Kukula; Thomas R. Shiple; Carl Pixley

We describe a new method to simplify combinational circuits while preserving the set of all possible values (that is, the range) on the outputs. This method is performed iteratively and on the fly while building BDDs of the circuits. The method is composed of three steps: 1) identifying a cut in the circuit, 2) identifying a group of nets within the cut, 3) replacing the logic driving the group of nets in such a way that the range of values for the entire cut is unchanged and, hence, the range of values on circuit outputs is unchanged. Hence, we parameterize the circuit in such a way that the range is preserved and the representation is much more efficient than the original circuit. Actually, these replacements are not done in terms of logic gates but in terms of BDDs directly. This is allowed by a new generalized parametric representation algorithm to deal with both input and output variables at the same time. We applied this method to combinational equivalence checking and the experimental results show that this technique outperforms an existing related method which replaces one logic net at a time. We also proved that the previous method is a special case of ours. This technique can be applied to various other problem domains such as symbolic simulation and image computation in model checking.


design automation conference | 2003

Checking satisfiability of a conjunction of BDDs

Robert F. Damiano; James H. Kukula

Procedures for Boolean satisfiability most commonly work with Conjunctive Normal Form. Powerful SAT techniques based on implications and conflicts can be retained when the usual CNF clauses are replaced with BDDs. BDDs provide more powerful implication analysis, which can reduce the computational effort required to determine satisfiability.

Collaboration

Top co-authors of James H. Kukula and their affiliations:

Edmund M. Clarke (Carnegie Mellon University)
Dong Wang (Carnegie Mellon University)
Adnan Aziz (University of Texas at Austin)
Fabio Somenzi (University of Colorado Boulder)
In-Ho Moon (University of Colorado Boulder)
Helmut Veith (Vienna University of Technology)