## Interpolation and SAT-based model checking (2003)

Citations: 223 (10 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Mcmillan03interpolationand,
  author    = {K. L. Mcmillan},
  title     = {Interpolation and SAT-based model checking},
  booktitle = {},
  year      = {2003},
  pages     = {1--13},
  publisher = {Springer}
}
```

### Abstract

We consider a fully SAT-based method of unbounded symbolic model checking based on computing Craig interpolants. In benchmark studies using a set of large industrial circuit verification instances, this method is greatly more efficient than BDD-based symbolic model checking, and compares favorably to some recent SAT-based model checking methods on positive instances.

### Citations

3153 | Graph-based algorithms for Boolean function manipulation
- Bryant
- 1986
Citation Context: ...l checking [8, 9] is a method of verifying temporal properties of finite (and sometimes infinite) state systems that relies on a symbolic representation of sets, typically as Binary Decision Diagrams [7] (BDD’s). By contrast, bounded model checking [4] can falsify temporal properties by posing the existence of a counterexample of k steps or fewer as a Boolean satisfiability (SAT) problem. Using a mod...

1206 | Chaff: Engineering an efficient SAT solver
- Moskewicz, Madigan, et al.
- 2001
Citation Context: ...t c is the resolvent of c1 and c2, and – the empty clause is the unique leaf. Theorem 1. If there is a proof of unsatisfiability for clause set C, then C is unsatisfiable. A SAT solver, such as CHAFF [17], or GRASP [22], is a complete decision procedure for clause sets. In the satisfiable case, it produces a satisfying assignment. In the unsatisfiable case, it can produce a proof of unsatisfiability [...

770 | Symbolic model checking without BDDs
- Biere, Cimatti, et al.
- 1999
Citation Context: ...al properties of finite (and sometimes infinite) state systems that relies on a symbolic representation of sets, typically as Binary Decision Diagrams [7] (BDD’s). By contrast, bounded model checking [4] can falsify temporal properties by posing the existence of a counterexample of k steps or fewer as a Boolean satisfiability (SAT) problem. Using a modern SAT solver, this method is efficient in produ...

648 | Symbolic model checking: 10^20 states and beyond. Inf. Comput. 98(2)
- Burch, Clarke, et al.
- 1992
Citation Context: ... is greatly more efficient than BDD-based symbolic model checking, and compares favorably to some recent SAT-based model checking methods on positive instances. 1 Introduction Symbolic model checking [8, 9] is a method of verifying temporal properties of finite (and sometimes infinite) state systems that relies on a symbolic representation of sets, typically as Binary Decision Diagrams [7] (BDD’s). By c...

621 | An automata-theoretic approach to automatic program verification
- Vardi, Wolper
- 1986
Citation Context: ...hall see. 3.1 Basic model checking algorithm The LTL model checking problem can be reduced to finding an accepting run of a finite automaton. This translation has been extensively studied [18, 23, 14], and will not be described here. Moreover, we need consider only the problem of finding finite counterexamples to safety properties. Liveness properties can then be handled by the method of [1]. We a...

388 | GRASP - a new search algorithm for satisfiability
- Silva, Sakallah
- 1996
Citation Context: ...lvent of c1 and c2, and – the empty clause is the unique leaf. Theorem 1. If there is a proof of unsatisfiability for clause set C, then C is unsatisfiable. A SAT solver, such as CHAFF [17], or GRASP [22], is a complete decision procedure for clause sets. In the satisfiable case, it produces a satisfying assignment. In the unsatisfiable case, it can produce a proof of unsatisfiability [16, 25]. This, ...

253 | BerkMin: A Fast and Robust SAT-Solver
- Goldberg, Novikov
- 2002
Citation Context: ...essor and 512MB of available memory. Unbounded BDD-based symbolic model checking was performed using the Cadence SMV system. SAT solving was performed using an implementation of the BerkMin algorithm [12], modified to produce proofs of unsatisfiability. No property could be verified by standard symbolic model checking, within a limit of 1800 seconds. On the other hand, of the 20 properties, 19 were su...

247 | Checking that Finite State Concurrent Programs Satisfy their Specifications
- Lichtenstein
- 1985
Citation Context: ...hall see. 3.1 Basic model checking algorithm The LTL model checking problem can be reduced to finding an accepting run of a finite automaton. This translation has been extensively studied [18, 23, 14], and will not be described here. Moreover, we need consider only the problem of finding finite counterexamples to safety properties. Liveness properties can then be handled by the method of [1]. We a...

167 | Checking safety properties using induction and a SAT-solver
- Sheeran, Singh, et al.
- 2000
Citation Context: ...ompositions for BDD-based image computations [13]. Here, BDD’s are not used. Another approach is based on unfolding the transition relation to the length of the longest simple path between two states [21]. The fact that this length has been reached can be verified using a SAT solver. The longest simple path can, however, be exponentially longer than the diameter of the state space (for example, the lo...

165 | Verification of synchronous sequential machines based on symbolic execution, in Automatic Verification Methods for Finite State Systems
- Coudert, Berthet, et al.
- 1989
Citation Context: ... is greatly more efficient than BDD-based symbolic model checking, and compares favorably to some recent SAT-based model checking methods on positive instances. 1 Introduction Symbolic model checking [8, 9] is a method of verifying temporal properties of finite (and sometimes infinite) state systems that relies on a symbolic representation of sets, typically as Binary Decision Diagrams [7] (BDD’s). By c...

139 | Lower bounds for resolution and cutting planes proofs and monotone computations
- Pudlak
- 1997
Citation Context: ... model. In particular, given a partition of a set of clauses into a pair of subsets (A, B), and a proof by resolution that the clauses are unsatisfiable, we can generate an interpolant in linear time [20]. An interpolant [11] for the pair (A, B) is a formula P with the following properties: – A implies P, – P ∧ B is unsatisfiable, and – P refers only to the common variables of A and B. Using interpol...

117 | Automatic abstraction without counterexamples. Cadence Berkeley Labs, Cadence Design Systems
- McMillan, Amla
- 2002
Citation Context: ...], or GRASP [22], is a complete decision procedure for clause sets. In the satisfiable case, it produces a satisfying assignment. In the unsatisfiable case, it can produce a proof of unsatisfiability [16, 25]. This, in turn, can be used to generate an interpolant by a very simple procedure [20]. This procedure produces a Boolean circuit whose gates correspond to the vertices (i.e., resolution steps) in th...

116 | Linear reasoning. A new form of the Herbrand-Gentzen theorem
- Craig
- 1957
Citation Context: ..., given a partition of a set of clauses into a pair of subsets (A, B), and a proof by resolution that the clauses are unsatisfiable, we can generate an interpolant in linear time [20]. An interpolant [11] for the pair (A, B) is a formula P with the following properties: – A implies P, – P ∧ B is unsatisfiable, and – P refers only to the common variables of A and B. Using interpolants, we obtain a com...

111 | Validating SAT solvers using an independent resolution-based checker: Practical implementations and other applications
- Zhang, Malik
- 2003
Citation Context: ...], or GRASP [22], is a complete decision procedure for clause sets. In the satisfiable case, it produces a satisfying assignment. In the unsatisfiable case, it can produce a proof of unsatisfiability [16, 25]. This, in turn, can be used to generate an interpolant by a very simple procedure [20]. This procedure produces a Boolean circuit whose gates correspond to the vertices (i.e., resolution steps) in th...

107 | Model Checking of Safety Properties
- Kupferman, Vardi
- 1999
Citation Context: ...ication is posed in terms of a one-letter automaton on finite words, such that the property is false exactly when the automaton has an accepting run. Such a construction can be found, for example, in [15]. The automaton itself will be represented implicitly by Boolean formulas. The state space of the automaton is defined by an indexed set of Boolean variables V = {v1, . . . , vn}. A state S is a corre...

87 | Benefits of bounded model checking at an industrial setting
- Copty, Fix, et al.
- 2001
Citation Context: ... properties by posing the existence of a counterexample of k steps or fewer as a Boolean satisfiability (SAT) problem. Using a modern SAT solver, this method is efficient in producing counterexamples [10, 6]. However, it cannot verify properties unless an upper bound is known on the depth of the state space, which is not generally the case. This paper presents a purely SAT-based method of unbounded model...

86 | Symbolic reachability analysis based on SAT-solvers
- Abdulla, Bjesse, et al.
- 2000
Citation Context: ...e quantifier elimination required for image computations is performed by other means (e.g., by expansion of the quantifier as ∃v.f = f〈0/v〉 ∨ f〈1/v〉, followed by simplification). Such methods include [5, 2, 24]. Because of the expense of quantifier elimination, this approach is limited to models with a small number of inputs (typically zero or one). By contrast, the present approach is based entirely on SAT...

62 | Finding Bugs in an Alpha Microprocessor Using Satisfiability Solvers
- Bjesse, Leonard, et al.
- 2001
Citation Context: ... properties by posing the existence of a counterexample of k steps or fewer as a Boolean satisfiability (SAT) problem. Using a modern SAT solver, this method is efficient in producing counterexamples [10, 6]. However, it cannot verify properties unless an upper bound is known on the depth of the state space, which is not generally the case. This paper presents a purely SAT-based method of unbounded model...

49 | Liveness checking as safety checking
- Biere, Artho, et al.
- 2002
Citation Context: ..., 23, 14], and will not be described here. Moreover, we need consider only the problem of finding finite counterexamples to safety properties. Liveness properties can then be handled by the method of [1]. We assume that the problem of safety property verification is posed in terms of a one-letter automaton on finite words, such that the property is false exactly when the automaton has an accepting ru...

46 | Combining decision diagrams and SAT procedures for efficient symbolic model checking
- Williams, Biere, et al.
- 2000
Citation Context: ...e quantifier elimination required for image computations is performed by other means (e.g., by expansion of the quantifier as ∃v.f = f〈0/v〉 ∨ f〈1/v〉, followed by simplification). Such methods include [5, 2, 24]. Because of the expense of quantifier elimination, this approach is limited to models with a small number of inputs (typically zero or one). By contrast, the present approach is based entirely on SAT...

42 | Property checking via structural analysis
- Baumgartner, Kuehlmann, et al.
Citation Context: ... , while the diameter is 1). The present method does not require unfolding beyond the diameter of the state space, and in practice often succeeds with shorter unfoldings. Finally, Baumgartner, et al. [3], use SAT-based bounded model checking with a structural method for bounding the depth of the state space. This requires the circuit in question to have special structure and does not always give usef...

27 | SAT-based image computation with application in reachability analysis
- Gupta, Yang, et al.
- 2000
Citation Context: ...ot limited in the number of inputs (examples with thousands of inputs have been verified). SAT algorithms have also been used to generate disjunctive decompositions for BDD-based image computations [13]. Here, BDD’s are not used. Another approach is based on unfolding the transition relation to the length of the longest simple path between two states [21]. The fact that this length has been reached ...

26 | A structure preserving clause form translation
- Plaisted, Greenbaum
- 1986
Citation Context: ...U. Cnf(f, U)) ≡ f. That is, the satisfying assignments of Cnf(f, U) are exactly those of f, if we ignore the fresh variables. A suitable translation that is linear in the formula size can be found in [19]. What follows, however, does not depend on the precise translation function. A procedure to check the existence of a finite run of M is shown in Figure 3. In the figure, U1 and U2 are assumed to be s...

7 | BerkMin: a fast and robust SAT-solver
- Berkmin
- 2002
Citation Context: ...essor and 512MB of available memory. Unbounded BDD-based symbolic model checking was performed using the Cadence SMV system. SAT solving was performed using an implementation of the BerkMin algorithm [12], modified to produce proofs of unsatisfiability. No property could be verified by standard symbolic model checking, within a limit of 1800 seconds. On the other hand, of the 20 properties, 19 were su...

3 | Symbolic model checking with sets of states represented as formulas
- Bjesse
- 1999
Citation Context: ...e quantifier elimination required for image computations is performed by other means (e.g., by expansion of the quantifier as ∃v.f = f〈0/v〉 ∨ f〈1/v〉, followed by simplification). Such methods include [5, 2, 24]. Because of the expense of quantifier elimination, this approach is limited to models with a small number of inputs (typically zero or one). By contrast, the present approach is based entirely on SAT...