## Approximate reachability don’t cares for CTL model checking (1998)

Venue: In Proceedings of the International Conference on Computer-Aided Design

Citations: 16 - 11 self

### BibTeX

@INPROCEEDINGS{Moon98approximatereachability,
  author = {In-ho Moon and Jae-young Jang and Gary D. Hachtel and Fabio Somenzi and Jun Yuan and Carl Pixley},
  title = {Approximate reachability don’t cares for CTL model checking},
  booktitle = {In Proceedings of the International Conference on Computer-Aided Design},
  year = {1998},
  pages = {351--358}
}

### Abstract

RDCs (Reachability Don’t Cares) can have a dramatic impact on the cost of CTL model checking [18]. Unfortunately, RDCs, being a global property, are often much more difficult to compute than the satisfying set of typical CTL formulas. We address this problem through the use of Approximate Reachability Don’t Cares (ARDCs), computed with the algorithms developed for the VERITAS sequential synthesis package [4, 5]. Approximate Reachable states represent an upper bound on the set of true reachable states, and thus a lower bound on the set of unreachable (Don’t Care) states. ARDCs can be 10X to 100X (or much more for very large circuits) cheaper to compute than RDCs, and in some cases have the same dramatic effect on CTL model checking as the real RDCs. We also discuss the application of ARDCs to the problem of exact computation of the RDCs themselves. Experiments on industrial benchmarks show that order of magnitude speedups are possible, and occur frequently. The experimental results presented strongly support our claim that ARDCs play a safe and important way out of a serious dilemma: RDCs are necessary for tractable model checking of many large circuits, but the computation of the RDCs themselves is often intractable. We include, and theoretically justify, significant extensions of the VERITAS algorithms, and show that they can be up to an order of magnitude faster, while computing a virtually identical upper bound.

### Citations

222 | Symbolic model checking for sequential circuit verification - Burch, Clarke, et al. - 1994
Citation Context: ...oduction Although the effects are well known and intuitive, scant attention has been paid to RDCs (Reachability Don’t Cares) in the prominent literature of traversal techniques for CTL model checking [7, 17, 3, 2, 8]. However, recent quantitative studies have shown that RDCs can have a dramatic impact on the cost of CTL model checking. For example, the Ethernet benchmark was shown [18] to model check more than 10...

103 | Verification of sequential machines using boolean functional vectors - Coudert, Berthet, et al. - 1990
Citation Context: ...oduction Although the effects are well known and intuitive, scant attention has been paid to RDCs (Reachability Don’t Cares) in the prominent literature of traversal techniques for CTL model checking [7, 17, 3, 2, 8]. However, recent quantitative studies have shown that RDCs can have a dramatic impact on the cost of CTL model checking. For example, the Ethernet benchmark was shown [18] to model check more than 10...

64 | High-density reachability analysis - Ravi, Somenzi - 1995
Citation Context: ...ow that overlapping subsystems in the state space decomposition can be advantageous. Another possibility is the cooperative deployment of other upper bounding techniques such as BDD subsetting methods [16], which constitute automatic abstraction methods that also have significant impact on verification time and space requirements. Also, despite the relative maturity of BDD dynamic reordering technology...

60 | Efficient BDD algorithms for FSM synthesis and verification. Presented at IWLS95, Lake Tahoe - Ranjan, Aziz, et al. - 1995
Citation Context: ...ately, larger circuits are often the ones for which RDCs are most beneficial. We address this problem through the use of Approximate Reachability Don’t Cares (ARDCs) in the VIS model checking package [15]. Approximate reachable states represent an upper bound on the set of true reachable states, and thus a lower bound on the set of unreachable (Don’t Care) states. ARDCs can be 10X to 100X (or much mor...

55 | Efficient model checking by automated ordering of transition relation partitions - Geist, Beer - 1994

48 | VIS: A System for Verification and Synthesis - Brayton, Hachtel, et al. - 1996
Citation Context: ... without. Unfortunately, RDCs, being a global property, are often much more difficult to compute than the satisfying set of typical CTL formulas. In fact, command help in the VIS verification package [1] advises users not to use RDCs for large circuits. Unfortunately, larger circuits are often the ones for which RDCs are most beneficial. We address this problem through the use of Approximate Reachabi...

35 | Theories of automata on ω-tapes: a simplified approach - Choueka - 1974
Citation Context: ...support. This is done by existential abstraction of the non-local present state variables s_i ; i ≠ j. Then the reachable states sets for each submachine is initialized to tautology(Line 1). 1 Note ([6]) that even nondeterministic machines can be handled in this way by adding extra primary inputs. Then a do-while loop is entered, in which current approximations are refined. This loop is exited only ...

34 | Implicit Enumeration of Finite State Machines Using BDDs, ICCAD-90 - Touati, Savoj, et al. - 1990
Citation Context: ...oduction Although the effects are well known and intuitive, scant attention has been paid to RDCs (Reachability Don’t Cares) in the prominent literature of traversal techniques for CTL model checking [7, 17, 3, 2, 8]. However, recent quantitative studies have shown that RDCs can have a dramatic impact on the cost of CTL model checking. For example, the Ethernet benchmark was shown [18] to model check more than 10...

32 | Algorithms for Approximate FSM Traversal Based on State Space Decomposition - Cho, Hachtel, et al. - 1996
Citation Context: ...t of typical CTL formulas. We address this problem through the use of Approximate Reachability Don’t Cares (ARDCs), computed with the algorithms developed for the VERITAS sequential synthesis package [4, 5]. Approximate Reachable states represent an upper bound on the set of true reachable states, and thus a lower bound on the set of unreachable (Don’t Care) states. ARDCs can be 10X to 100X (or much mor...

30 | CTL model checking based on forward state traversal - Iwashita, Nakata, et al. - 1996
Citation Context: ...ay give looser upper bound because generalized cofactor operations depend on variable orders. 4.4 Forward vs. Backward Model Checking with ARDCs We have implemented forward model checking by Iwashita [11, 10] to see the correlation between forward model checking and using don’t cares in model checking, because they are in common in that they try to avoid traversing unreachable states in fixpoint computati...

28 | Automatic abstraction techniques for propositional μ-calculus model checking - Pardo, Hachtel - 1997
Citation Context: ...rove convergence, we need the following additional lemma. 2 Lemma 2.4 FastMBM is monotonic if in the greatest fixed point computation we correct any non-contractions by a technique similar to that of [14]. Thus we use IteConstant to check whether each successive iterate is contained in the previous one. If this condition is violated, containment is restored by intersecting the new iterate with previou...

24 | Automatic state space decomposition for approximate fsm traversal based on circuit analysis - Cho, Hachtel, et al. - 1996
Citation Context: ...t of typical CTL formulas. We address this problem through the use of Approximate Reachability Don’t Cares (ARDCs), computed with the algorithms developed for the VERITAS sequential synthesis package [4, 5]. Approximate Reachable states represent an upper bound on the set of true reachable states, and thus a lower bound on the set of unreachable (Don’t Care) states. ARDCs can be 10X to 100X (or much mor...

22 | Approximate Reachability with BDDs Using Overlapping Projections, DAC - Govindaraju, Dill, et al. - 1998
Citation Context: ...he approximations. Approximations from different algorithms can be intersected to produce tighter upper bounds, techniques like those of Warwukiewicz (Berkeley 1994 unpublished) and Govindaraju et al [9] show that overlapping subsystems in the state space decomposition can be advantageous. Another possibility is the cooperative deployment of other upper bounding techniques such as BDD subsetting metho...

21 | On Combining Formal and Informal Verification - Yuan, Abraham, et al. - 1998
Citation Context: ...torola Inc., Austin, TX {mooni,jjang,hachtel,fabio}@vlsi.colorado.edu {jun yuan,carl pixley}@email.mot.com RDCs (Reachability Don’t Cares) can have a dramatic impact on the cost of CTL model checking [18]. Unfortunately, RDCs, being a global property, are often much more difficult to compute than the satisfying set of typical CTL formulas. We address this problem through the use of Approximate Reachab...

20 | Forward model checking techniques oriented to buggy designs - Iwashita, Nakata - 1997
Citation Context: ...ay give looser upper bound because generalized cofactor operations depend on variable orders. 4.4 Forward vs. Backward Model Checking with ARDCs We have implemented forward model checking by Iwashita [11, 10] to see the correlation between forward model checking and using don’t cares in model checking, because they are in common in that they try to avoid traversing unreachable states in fixpoint computati...

18 | A conjunctively decomposed boolean representation for symbolic model checking - McMillan - 1996
Citation Context: ...aced by its original form as a conjunction inside the image computations of Line 8. Proof. The first image computation of FsmTraversal is the following. (eR j ) 1 = Img(T j ;eI j eR); where eR = From [13] Theorem 6, fA B =(fA)B A , (eR j ) 1 =Img((T j eR ) eI j eR ; 1): Now if A and B are disjoint, fA B =(fA)B.So, Y i6=j (eR j ) 1 = Img((T j eR ) eI j ; 1) = Img(Tj eR ;eI j ) eR i :sTherefore, by indu...

17 | Case Study "Production Cell": A Comparative Study - Lindner - 1994
Citation Context: ... parameters that can be used to scale up the size of the design. The specification consists of 6 CTL formulas. Production cell is a control circuit for automated manufacturing with 61 memory elements [12]. The specification contains 38 formulas. The circuits of Table 1 with only 1 CTL formula to be checked were circuits that got to us without CTL formulae, like cps. For these circuits, we used the “de...

15 | Atpg aspects of fsm verification - Cho, Hachtel, et al. - 1990

15 | Efficient model checking by automated ordering of transition relation partitions - Geist, Beer - 1994

14 | Case Study "Production Cell": A Comparative Study - Lindner - 1994