## Automatic Abstraction without Counterexamples (2002)

Citations: 108 (8 self)

### BibTeX

```bibtex
@MISC{McMillan02automaticabstraction,
  author = {K. L. McMillan and Nina Amla},
  title  = {Automatic Abstraction without Counterexamples},
  year   = {2002}
}
```

### Abstract

A method of automatic abstraction is presented that uses proofs of unsatisfiability derived from SAT-based bounded model checking as a guide to choosing an abstraction for unbounded model checking. Unlike earlier methods, this approach is not based on analysis of abstract counterexamples. The performance of this approach on benchmarks derived from microprocessor verification indicates that SAT solvers are quite effective in eliminating logic that is not relevant to a given property. Moreover, benchmark results suggest that when bounded model checking successfully terminates, and the problem is unsatisfiable, the number of state variables in the proof of unsatisfiability tends to be small. In all cases tested, when bounded model checking succeeded, unbounded model checking of the resulting abstraction also succeeded.
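The loop the abstract describes (bounded check at depth k; if no counterexample, abstract to the logic the refutation actually used; model check that abstraction without a bound; on failure raise k), as an added example that is not the paper's code. The circuit, the latch names and the property are constructed here. A real implementation unrolls the circuit into CNF and reads the relevant latches off the SAT solver's proof of unsatisfiability; this stand-in obtains the same kind of object, a set of latches sufficient to exclude every counterexample of length at most k, by deletion (free one latch, re-run the bounded check), and the restart rule `k = max(k+1, abstract counterexample depth)` is this example's choice.

```python
"""Added example: bounded check -> proof-style core -> unbounded check on a toy circuit.
Everything below (circuit, latches, property, search) is constructed for illustration."""
from itertools import product

LATCHES = ("t0", "t1", "t2", "d0", "d1")   # t*: one-hot token ring, d*: junk latches
INPUTS = ("go", "x", "y")
INIT = {"t0": 1, "t1": 0, "t2": 0, "d0": 0, "d1": 0}


def next_state(s, i):
    """Concrete next-state function: latch values after one clock."""
    return {
        "t0": s["t2"] if i["go"] else s["t0"],
        "t1": s["t0"] if i["go"] else s["t1"],
        "t2": s["t1"] if i["go"] else s["t2"],
        "d0": i["x"],                 # junk, driven straight from an input
        "d1": s["d0"] ^ i["y"],       # junk, depends only on d0 and an input
    }


def safe(s):
    """Safety property: never more than one token in the ring."""
    return s["t0"] + s["t1"] + s["t2"] <= 1


def to_dict(state):
    return dict(zip(LATCHES, state))


def initial_states(kept):
    """Abstract initial states: kept latches take INIT, free latches take any value."""
    free = [l for l in LATCHES if l not in kept]
    for vals in product((0, 1), repeat=len(free)):
        s = dict(INIT)
        s.update(zip(free, vals))
        yield tuple(s[l] for l in LATCHES)


def successors(state, kept):
    """Abstract successors: kept latches follow next_state, free latches are unconstrained."""
    s = to_dict(state)
    free = [l for l in LATCHES if l not in kept]
    out = set()
    for ivals in product((0, 1), repeat=len(INPUTS)):
        n = next_state(s, dict(zip(INPUTS, ivals)))
        for fvals in product((0, 1), repeat=len(free)):
            n.update(zip(free, fvals))
            out.add(tuple(n[l] for l in LATCHES))
    return out


def model_check(kept, bound=None):
    """Breadth-first reachability over the abstraction defined by `kept`.
    Returns the depth of the shortest violation, or None if there is none within
    `bound` steps; bound=None explores to the fixpoint (unbounded model checking)."""
    frontier = set(initial_states(kept))
    seen = set(frontier)
    depth = 0
    while frontier:
        if any(not safe(to_dict(s)) for s in frontier):
            return depth
        if bound is not None and depth >= bound:
            return None
        nxt = set()
        for s in frontier:
            nxt |= successors(s, kept)
        frontier = nxt - seen
        seen |= frontier
        depth += 1
    return None


def bounded_core(k):
    """Stand-in for the latches that appear in the SAT proof: drop each latch in
    turn and keep it only if the depth-k check then finds a violation. Like a proof
    core, the result is sufficient for depth k but not necessarily minimal."""
    kept = list(LATCHES)
    for l in LATCHES:
        trial = [x for x in kept if x != l]
        if model_check(set(trial), bound=k) is None:
            kept = trial
    return set(kept)


def proof_based_abstraction(max_k=16):
    """Check depth k; if no counterexample, abstract to the core and model check it
    unboundedly. An abstract counterexample is never analysed for spuriousness:
    only its length is used to raise k (restart rule assumed by this example)."""
    k = 0
    while k <= max_k:
        if model_check(set(LATCHES), bound=k) is not None:
            return ("counterexample", k, None)     # genuine bug of depth k
        kept = bounded_core(k)
        cex_depth = model_check(kept)             # unbounded check of the abstraction
        if cex_depth is None:
            return ("proved", k, kept)            # over-approximation is safe, so the circuit is
        k = max(k + 1, cex_depth)                 # abstract cex must be longer than k
    return ("undecided", k, None)


if __name__ == "__main__":
    print(proof_based_abstraction())   # proved at k=1 keeping only t0, t1, t2
```

At k=0 only the initial state is checked, so the core keeps just `t1` and `t2`; the unbounded check of that abstraction fails with a one-step abstract counterexample, which raises k to 1. At k=1 the core is `{t0, t1, t2}`, the two junk latches are freed, and the unbounded check succeeds, which proves the concrete circuit safe. A deletion pass depends on the latch order; the paper's approach instead takes the core directly from the solver's refutation, which is what makes the abstraction cheap.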

### Citations

1116 | Chaff: Engineering an Efficient SAT Solver - Moskewicz, Madigan, et al. - 2001
Citation context: ... [1, 5, 9, 21]. Some of the recent methods pose the construction of a concrete counterexample as a Boolean satisfiability (SAT) problem (or equivalently, an ATPG problem) and apply modern SAT methods [14] to this problem. A recent approach [6] also applies ILP and machine learning techniques to the problem of choosing which constraints to add to rule out an abstract counterexample in the case when a c...

708 | Symbolic Model Checking without BDDs - Biere, Cimatti, et al. - 1999
Citation context: ...osing which constraints to add to rule out an abstract counterexample in the case when a concrete counterexample is not found. Another recent and related development is that of bounded model checking [3]. In this method, the question of the existence of a counterexample of no more than k steps, for fixed k, is posed as a SAT problem. In various studies [7, 4], SAT solvers have been found to be quite ...

603 | Counterexample-guided abstraction refinement - Clarke, Grumberg, et al. - 2000
Citation context: ...a concrete counterexample, we must find a valuation for the unconstrained variables, such that all the original constraints are satisfied. A number of variations on this basic technique have appeared [1, 5, 9, 21]. Some of the recent methods pose the construction of a concrete counterexample as a Boolean satisfiability (SAT) problem (or equivalently, an ATPG problem) and apply modern SAT methods [14] to this p...

603 | Construction of abstract state graphs with PVS - Graf, Saidi - 1997
Citation context: ...nfinite state system is generated using as the abstract states the valuations of a finite set of first order predicates over the concrete state. The key to this method, known as predicate abstraction [18], is to choose the right predicates. An iterative abstraction method proposed by Henzinger et al. [19] uses a theorem prover to refute counterexamples generated by predicate abstraction. In the case w...

586 | An automata-theoretic approach to automatic program verification - Vardi, Wolper - 1986
Citation context: ...en finite model. However, this problem will be posed in terms of finding an accepting run of a finite automaton. The translation of LTL model checking into this framework has been extensively studied [15, 20, 10], and will not be described here. We will treat only safety properties here, due to space considerations. Liveness properties are covered in [13]. 3.1 Safety checking algorithm For safety properties, ...

574 | Symbolic model checking: 10^20 states and beyond - Burch, Clarke, et al. - 1992
Citation context: ...en finite model. However, this problem will be posed in terms of finding an accepting run of a finite automaton. The translation of LTL model checking into this framework has been extensively studied [15, 20, 10], and will not be described here. We will treat only safety properties here, due to space considerations. Liveness properties are covered in [13]. 3.1 Safety checking algorithm For safety properties, ...

445 | Lazy abstraction - Henzinger, Jhala, et al. - 2002
Citation context: ... order predicates over the concrete state. The key to this method, known as predicate abstraction [18], is to choose the right predicates. An iterative abstraction method proposed by Henzinger et al. [19] uses a theorem prover to refute counterexamples generated by predicate abstraction. In the case when the counterexample is proved false, the proof is "mined" for new state predicates to use in predic...

358 | GRASP: A new search algorithm for satisfiability - Silva, Sakallah - 1996

236 | Checking that finite state concurrent programs satisfy their linear specification - Lichtenstein, Pnueli - 1985
Citation context: ...en finite model. However, this problem will be posed in terms of finding an accepting run of a finite automaton. The translation of LTL model checking into this framework has been extensively studied [15, 20, 10], and will not be described here. We will treat only safety properties here, due to space considerations. Liveness properties are covered in [13]. 3.1 Safety checking algorithm For safety properties, ...

154 | Symbolic model checking with partitioned transition relations - Burch, Clarke, et al. - 1991

103 | Model checking of safety properties - Kupferman, Vardi - 2001
Citation context: ...me that the problem is given in terms of an automaton on finite words, such that a bad prefix exists exactly when the automaton has an accepting run. Such a construction can be found, for example, in [11]. As in symbolic model checking, the automaton itself will be represented implicitly by Boolean formulas. The state space of the automaton is defined by an indexed set of Boolean variables V = {v1, ...

84 | Benefits of Bounded Model Checking in an Industrial Setting - Copti, Fix, et al. - 2001
Citation context: ...evelopment is that of bounded model checking [3]. In this method, the question of the existence of a counterexample of no more than k steps, for fixed k, is posed as a SAT problem. In various studies [7, 4], SAT solvers have been found to be quite efficient at producing counterexamples for systems that are too large to allow standard model checking. The disadvantage of this approach is that, if a counte...

66 | Automated Abstraction Refinement for Model Checking Large State Spaces Using SAT based Conflict Analysis - Chauhan, Clarke, et al. - 2002
Citation context: ...hoosing predicates to define the abstract state space, it merely chooses among the existing constraints to form the abstraction; the encoding of the state remains the same. Another related technique [16] uses a SAT solver to derive an abstraction sufficient to refute a given abstract counterexample. The abstraction is generated by tracing the execution of the SAT solver in a way that is similar to th...

61 | Finding Bugs in an Alpha Microprocessor Using Satisfiability Solvers - Bjesse, Leonard, et al. - 2001
Citation context: ...evelopment is that of bounded model checking [3]. In this method, the question of the existence of a counterexample of no more than k steps, for fixed k, is posed as a SAT problem. In various studies [7, 4], SAT solvers have been found to be quite efficient at producing counterexamples for systems that are too large to allow standard model checking. The disadvantage of this approach is that, if a counte...

55 | An iterative approach to language containment - Balarin, Sangiovanni-Vincentelli - 1993
Citation context: ...a concrete counterexample, we must find a valuation for the unconstrained variables, such that all the original constraints are satisfied. A number of variations on this basic technique have appeared [1, 5, 9, 21]. Some of the recent methods pose the construction of a concrete counterexample as a Boolean satisfiability (SAT) problem (or equivalently, an ATPG problem) and apply modern SAT methods [14] to this p...

51 | Counterexample-guided abstraction refinement - Clarke, Grumberg, Jha, Lu, Veith - 2000

44 | SAT based abstraction-refinement using ILP and machine learning techniques - Clarke, Gupta, et al. - 2002
Citation context: ...ds pose the construction of a concrete counterexample as a Boolean satisfiability (SAT) problem (or equivalently, an ATPG problem) and apply modern SAT methods [14] to this problem. A recent approach [6] also applies ILP and machine learning techniques to the problem of choosing which constraints to add to rule out an abstract counterexample in the case when a concrete counterexample is not found. An...

41 | Property Checking via Structural Analysis - Baumgartner, Kuehlmann, et al. - 2002
Citation context: ...hecker to the appropriate depth. As an additional point of comparison, figure 5 compares the performance of the proof-based abstraction approach with results previously obtained by Baumgartner et al. [2] on a set of benchmark model checking problems derived from the IBM Gigahertz Processor. Their method involved a combination of SAT-based bounded model checking, structural methods for bounding the de...

40 | Compositional reasoning in model checking - Berezin, Campos, et al. - 1997

37 | Formal property verification by abstraction refinement with formal, simulation and hybrid engines - Wang, Ho, et al. - 2001
Citation context: ...a concrete counterexample, we must find a valuation for the unconstrained variables, such that all the original constraints are satisfied. A number of variations on this basic technique have appeared [1, 5, 9, 21]. Some of the recent methods pose the construction of a concrete counterexample as a Boolean satisfiability (SAT) problem (or equivalently, an ATPG problem) and apply modern SAT methods [14] to this p...

26 | A Structure Preserving Clause form Translation - Plaisted, Greenbaum - 1986
Citation context: ...at in general the translation of an arbitrary Boolean formula f into CNF is exponential. In practice, the problem can be solved by adding a fresh variable for the value of each subformula of f, as in [17]. This construction does not affect the satisfiability of the result formula, and produces a CNF formula which is linear size in the size of f. The theory that follows, however, does not depend on the...
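The fresh-variable-per-subformula translation the context above refers to, as an added example rather than code from the paper or from Plaisted and Greenbaum. It is the polarity variant of that construction: each compound subformula gets a definition variable `_dN`, but only the half of the defining equivalence that its polarity requires is emitted, so the clause count is linear in the formula size. The formula AST format, the names, and the brute-force checker are this example's own; the checker is only for confirming equisatisfiability on small inputs.

```python
"""Added example: structure-preserving (polarity-based) CNF translation plus a
brute-force equisatisfiability check. Formulas are constructed inline."""
from itertools import product

# Formula AST: ("var", name) | ("not", f) | ("and", f, g) | ("or", f, g)
# Literal: (name, positive); clause: list of literals


def neg(lit):
    return (lit[0], not lit[1])


def to_cnf(formula):
    """Return a clause list equisatisfiable with `formula`, linear in its size.
    Each compound subformula is named by a fresh variable _dN; for positive polarity
    the clauses say "_dN implies the subformula", for negative polarity the converse."""
    clauses, fresh = [], []

    def encode(f, polarity):
        op = f[0]
        if op == "var":
            return (f[1], True)
        if op == "not":                       # negation flips the polarity of the child
            return neg(encode(f[1], not polarity))
        if op not in ("and", "or"):
            raise ValueError("unknown operator %r" % op)
        d = ("_d%d" % (len(fresh) + 1), True)
        fresh.append(d[0])
        a, b = encode(f[1], polarity), encode(f[2], polarity)
        if op == "and":
            if polarity:                      # d -> a, d -> b
                clauses.extend([[neg(d), a], [neg(d), b]])
            else:                             # a & b -> d
                clauses.append([neg(a), neg(b), d])
        else:
            if polarity:                      # d -> a | b
                clauses.append([neg(d), a, b])
            else:                             # a -> d, b -> d
                clauses.extend([[neg(a), d], [neg(b), d]])
        return d

    root = encode(formula, True)
    clauses.append([root])                    # assert the variable naming the whole formula
    return clauses


def evaluate(f, env):
    op = f[0]
    if op == "var":
        return env[f[1]]
    if op == "not":
        return not evaluate(f[1], env)
    if op == "and":
        return evaluate(f[1], env) and evaluate(f[2], env)
    return evaluate(f[1], env) or evaluate(f[2], env)


def variables(f):
    return {f[1]} if f[0] == "var" else set().union(*(variables(g) for g in f[1:]))


def cnf_models(clauses):
    """Brute force: every total assignment satisfying all clauses (small inputs only)."""
    names = sorted({lit[0] for c in clauses for lit in c})
    for vals in product((False, True), repeat=len(names)):
        env = dict(zip(names, vals))
        if all(any(env[n] == pos for n, pos in c) for c in clauses):
            yield env


def satisfiable(clauses):
    return next(cnf_models(clauses), None) is not None


def equisatisfiable(formula):
    """Stronger than equisatisfiability: the CNF models projected onto the original
    variables are exactly the models of the formula (the fresh variables only add
    detail, never spurious or missing assignments)."""
    clauses = to_cnf(formula)
    orig = sorted(variables(formula))
    projected = {tuple((v, env[v]) for v in orig) for env in cnf_models(clauses)}
    direct = set()
    for vals in product((False, True), repeat=len(orig)):
        env = dict(zip(orig, vals))
        if evaluate(formula, env):
            direct.add(tuple(env.items()))
    return projected == direct


# Constructed inputs: (x & ~y) | (~(x | z) & y), and the contradiction x & ~x.
F1 = ("or", ("and", ("var", "x"), ("not", ("var", "y"))),
      ("and", ("not", ("or", ("var", "x"), ("var", "z"))), ("var", "y")))
F2 = ("and", ("var", "x"), ("not", ("var", "x")))

if __name__ == "__main__":
    print(len(to_cnf(F1)), satisfiable(to_cnf(F1)), satisfiable(to_cnf(F2)))
```

For `F1` the translation emits eight clauses (two per conjunction, one for the positive disjunction, two for the negatively occurring disjunction, plus the unit clause on the root), and the contradiction `F2` becomes `[~d1, x], [~d1, ~x], [d1]`, which no assignment satisfies. The point the paper relies on is the second one: a refutation of the translated CNF is a refutation of the original formula, so the clauses used in that refutation can be traced back to the constraints they encode.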

14 | Automata-Theoretic Verification of Coordinating Processes - Kurshan - 1993
Citation context: ...e state space in turn increases the efficiency of model checking, which is based on exhaustive state space exploration. The first attempt to automate this simple kind of abstraction is due to Kurshan [12], and is known as iterative abstraction refinement. This method begins with an empty set of constraints (or a seed set provided by the user), and applies model checking to attempt to verify the proper...

11 | Counterexample-guided choice of projections in approximate symbolic model checking - Govindaraju, Dill - 2000

2 | Automated abstraction refinement for model checking large state spaces using SAT based conflict analysis - Chauhan, Clarke, Kukula, Sapra, Veith, Wang - 2002