Results 1 - 9 of 9
A Framework for Inherent Vacuity
Cited by 9 (5 self)
Abstract. Vacuity checking is traditionally performed after model checking has terminated successfully. It ensures that all the elements of the specification have played a role in its satisfaction by the design. Vacuity checking gets as input both design and specification, and is based on an in-depth investigation of the relation between them. Vacuity checking has been proven to be very useful in detecting errors in the modeling of the design or the specification. The need to check the quality of specifications is even more acute in property-based design, where the specification is the only input, serving as a basis for the development of the system. Current work on property assurance suggests various sanity checks, mostly based on satisfiability, non-validity, and realizability, but lacks a general framework for reasoning about the quality of specifications. We describe a framework for inherent vacuity, which carries the theory of vacuity in model checking to the setting of property-based design. Essentially, a specification is inherently vacuous if it can be mutated into a simpler equivalent specification, which we show to coincide with the fact that the specification is satisfied vacuously in all systems. We also study the complexity of detecting inherent vacuity, and conclude that while inherent vacuity leads to specifications that better capture designer intent, it is not more complex than simple property-assurance checks.
Beyond Vacuity: Towards the Strongest Passing Formula (full version), 2008
Cited by 4 (0 self)
Abstract—Given an LTL formula ϕ in negation normal form, it can be strengthened by replacing some of its literals with FALSE. Given such a formula and a model M that satisfies it, vacuity and mutual vacuity attempt to find one or a maximal set of literals, respectively, with which ϕ can be strengthened while still being satisfied by M. We study the problem of finding the strongest LTL formula that satisfies M and is in the Boolean closure of strengthened versions of ϕ as defined above. This formula is stronger than or equally strong to any formula that can be obtained by vacuity and mutual vacuity. We present our algorithms in the framework of lattice automata.
Property Analysis and Design Understanding in a Quality-Driven Bounded Model Checking Flow
Cited by 3 (2 self)
Abstract—In the design process of digital systems, functional verification is a major issue. Generally, formal methods like bounded model checking (BMC) offer the highest quality of verification results, especially when used in combination with techniques that check whether a set of properties forms a complete specification of a design. However, in contrast to simulation-based methods like random testing, formal verification requires detailed knowledge of the design implementation. Formalizing a specification as a set of properties is a tedious and time-consuming process. In this paper, we show the application of techniques, introduced in [1], that aid the verification engineer in writing properties in a quality-driven BMC flow. The first method can be used to remove redundant assumptions from properties and to separate different scenarios. The second technique, here called inverse property checking, takes an expected behavior of a design and automatically generates valid properties that can be checked for conformance with a specification. When integrated with the verification flow, both techniques can serve to reduce the number of iterations needed to obtain full coverage. The benefits of the techniques are demonstrated on a memory management unit.
Towards a Notion of Unsatisfiable Cores for LTL, 2010
Cited by 3 (0 self)
Unsatisfiable cores, i.e., parts of an unsatisfiable formula that are themselves unsatisfiable, have important uses in debugging specifications, speeding up search in model checking or SMT, and generating certificates of unsatisfiability. While unsatisfiable cores have been well investigated for Boolean SAT and constraint programming, the notion of unsatisfiable cores for temporal logics such as LTL has not received much attention. In this paper we investigate notions of unsatisfiable cores for LTL that arise from the syntax tree of an LTL formula, from converting it into a conjunctive normal form, and from proofs of its unsatisfiability. The resulting notions are more fine-granular than existing ones.
Contradictory antecedent debugging in bounded model checking, in ACM Great Lakes Symposium on VLSI, 2009
Cited by 2 (2 self)
In the context of formal verification, Bounded Model Checking (BMC) has been shown to be very powerful for large industrial designs. BMC is used to check whether or not a circuit satisfies a temporal property. Typically, such a property is formulated as an implication. In the antecedent of the property, the verification engineer specifies the assumptions about the design environment and joins the respective expressions by logical AND. However, the overall conjunction may have no solution, i.e. the antecedent is contradictory. Since in this case the property trivially holds, this situation has to be avoided. Furthermore, the root cause of a contradictory antecedent has to be identified, which is a manual and very time-consuming process. In this paper we propose a fully automatic approach for presenting all reasons for a contradictory antecedent to the verification engineer, i.e. the approach pinpoints the subexpressions in the antecedent that form a contradiction. Hence, our approach reduces the debugging time for a contradictory antecedent significantly.
Robust Vacuity for Branching Temporal Logic
Cited by 2 (0 self)
There is a growing interest in techniques for detecting whether a logic specification is satisfied too easily, or vacuously. For example, the specification "every request is eventually followed by an acknowledgment" is satisfied vacuously by a system that never generates any requests. Vacuous satisfaction misleads users of model checking into thinking that a system is correct. It is a serious problem in practice. There are several existing definitions of vacuity. Originally, Beer et al. formalized vacuity as insensitivity to syntactic perturbation (syntactic vacuity). This formulation captures the intuition of "vacuity" when applied to a single occurrence of a subformula. Armoni et al. argued that vacuity must be robust – not affected by semantically invariant changes, such as extending a model with additional atomic propositions. They show that syntactic vacuity is not robust for subformulas of linear temporal logic, and propose an alternative definition – trace vacuity. In this article, we continue this line of research. We show that trace vacuity is not robust for branching time logic. We further refine the notion of vacuity so that it applies uniformly to linear and branching time logic and does not suffer from the common pitfalls of prior definitions. Our new definition – bisimulation vacuity – is a proper and non-trivial extension of both syntactic and trace vacuity. We discuss the complexity of detecting bisimulation vacuity, and identify several practically relevant subsets of CTL* for which the vacuity detection problem is reducible to model checking. We believe that in most practical applications, bisimulation vacuity both provides the desired theoretical properties and is computationally tractable.
A Framework for Ranking Vacuity Results
Cited by 1 (1 self)
Abstract. Vacuity detection is a method for finding errors in the model-checking process when the specification is found to hold in the model. Most vacuity algorithms are based on checking the effect of applying mutations to the specification. It has been recognized that vacuity results differ in their significance. While in many cases vacuity results are valued as highly informative, there are also cases in which the results are viewed as meaningless by users. As of today, there is no study on ranking vacuity results according to their level of importance, and there is no formal framework or algorithm for defining and finding such ranks. The lack of a framework often causes designers to ignore vacuity information altogether, potentially causing real problems to be overlooked. We suggest and study such a framework, based on the probability of the mutated specification holding in a random computation. For example, two natural mutations of the specification G(req → F ready) are G(¬req) and GF ready. It is agreed that vacuity information about satisfying the first mutation is more alarming than information about satisfying the second. Our methodology formally explains this, as the probability of G(¬req) holding in a random computation is 0, whereas the probability of GF ready is 1. From a theoretical point of view, our contribution includes a study of the problem of finding the probability of LTL formulas being satisfied in a random computation and the existence and use of 0/1-laws for fragments of LTL. From a practical point of view, we propose an efficient algorithm for estimating the probability of LTL formulas, and argue that ranking vacuity results according to our probability-based criteria corresponds to our intuition about their level of importance.
Before and After Vacuity (Formal Methods in System Design, manuscript)
Abstract. In formal verification, we verify that a system is correct with respect to a specification. Cases like antecedent failure can make a successful pass of the verification procedure meaningless. Vacuity detection can signal such "meaningless" passes of the specification, and indeed vacuity checks are now a standard component in many commercial model checkers. We address two dimensions of vacuity: the computational effort and the information that is given to the user. As for the first dimension, we present several preliminary vacuity checks that can be done without the design itself, which implies that some information can be found with significantly smaller effort. As for the second dimension, we present algorithms for deriving two types of information that are not provided by standard vacuity checks, assuming M |= ϕ for a model M and formula ϕ: (a) behaviors that are possibly missing from M (or wrongly restricted by the environment); (b) the largest subset of occurrences of literals in ϕ that can be replaced with FALSE simultaneously without falsifying ϕ in M. The complexity of each of these problems is proven. Overall, this extra information can lead to tighter specifications and more guidance for finding errors.