## Computation of Minimal Counterexamples by Using Black Box Techniques and Symbolic Methods

Citations: 3 (2 self)

### BibTeX

```bibtex
@MISC{Scholl_computationof,
  author = {Christoph Scholl and Bernd Becker},
  title = {Computation of Minimal Counterexamples by Using Black Box Techniques and Symbolic Methods},
  year = {}
}
```

### Abstract

Computing counterexamples is a crucial task for error diagnosis and debugging of sequential systems. If an implementation does not fulfill its specification, counterexamples are used to explain the error effect to the designer. In order to be understood by the designer, counterexamples should be simple, i.e. they should be as general as possible and assign values to a minimal number of input signals. Here we use the concept of Black Boxes (parts of the design with unknown behavior) to mask out components for counterexample computation. By doing so, the resulting counterexample will argue about a reduced number of components in the system to facilitate the task of understanding and correcting the error. We introduce the notion of ‘uniform counterexamples’ to provide an exact formalization of simplified counterexamples arguing only about components which were not masked out. Our computation of counterexamples is based on symbolic methods using AIGs (And-Inverter Graphs). Experimental results using a VLIW processor as a case study clearly demonstrate our capability of providing simplified counterexamples.

### Citations

- Symbolic Model Checking. McMillan, 1993. (1301 citations)
  Context: "...is a method for verifying these properties [1], [2]. In the early nineties, by introducing symbolic model checking, Burch et al. substantially extended the class of systems which can be verified [3], **[4]**. In (unbounded) symbolic model checking, Binary Decision Diagrams (BDDs) [5] (or more recently And-Inverter Graphs (AIGs) [6], [7], [8]) are used both for state set representation and for state trave..."

- Symbolic model checking without BDDs. Biere, Cimatti, et al., 1999. (710 citations)
  Context: "...ore recently And-Inverter Graphs (AIGs) [6], [7], [8]) are used both for state set representation and for state traversal. In the last few years SAT based techniques like Bounded Model Checking (BMC) **[9]**, [10] have also attracted much interest. BMC applied to certain properties (safety properties or, more generally, LTL formulas) ‘unfolds’ the transition relation for k steps and checks whether there ..."

- The complexity of propositional linear temporal logics. Sistla, Clarke, 1985. (331 citations)
  Context: "...ty of providing simplified counterexamples. I. INTRODUCTION Given a sequential circuit and properties in some temporal logic like CTL or LTL, model checking is a method for verifying these properties **[1]**, [2]. In the early nineties, by introducing symbolic model checking, Burch et al. substantially extended the class of systems which can be verified [3], [4]. In (unbounded) symbolic model checking, B..."

- Graph Based Algorithms for Boolean Function Manipulation. Bryant, 1986. (323 citations)
  Context: "...y introducing symbolic model checking, Burch et al. substantially extended the class of systems which can be verified [3], [4]. In (unbounded) symbolic model checking, Binary Decision Diagrams (BDDs) **[5]** (or more recently And-Inverter Graphs (AIGs) [6], [7], [8]) are used both for state set representation and for state traversal. In the last few years SAT based techniques like Bounded Model Checking ..."

- Automatic verification of finite state concurrent systems using temporal logic specifications. ACM Trans. Clarke, Emerson, et al., 1986. (273 citations)
  Context: "... providing simplified counterexamples. I. INTRODUCTION Given a sequential circuit and properties in some temporal logic like CTL or LTL, model checking is a method for verifying these properties [1], **[2]**. In the early nineties, by introducing symbolic model checking, Burch et al. substantially extended the class of systems which can be verified [3], [4]. In (unbounded) symbolic model checking, Binary..."

- Symbolic model checking using SAT procedures instead of BDDs. Biere, Cimatti, et al., 1999. (264 citations)
  Context: "...ecently And-Inverter Graphs (AIGs) [6], [7], [8]) are used both for state set representation and for state traversal. In the last few years SAT based techniques like Bounded Model Checking (BMC) [9], **[10]** have also attracted much interest. BMC applied to certain properties (safety properties or, more generally, LTL formulas) ‘unfolds’ the transition relation for k steps and checks whether there is a r..."

- CUDD: CU decision diagram package release 2.2.0. Somenzi. (228 citations)
  Context: "...ormed experiments for several versions of the VLIW processor with varying bit widths. Whereas the symbolic model checker for incomplete designs that was used in [15] was based on the BDD package CUDD **[30]** and used relational preimage computation, we used an improved version in which boolean formulas are represented by And-Inverter Graphs [8] and that used functional preimage computation [31], [32] for ..."

- Interpolation and SAT-based Model Checking. McMillan, 2003. (195 citations)
  Context: "... In this case, BMC ends up with a proof of the property. Since computing the diameter of a system turns out to be difficult however, alternative approaches such as k-induction [11] and interpolation **[12]** have been proposed for making SAT-based model checking complete. In this paper we address an important feature of unbounded symbolic model checkers, the generation of counterexamples for cases when t..."

- Verification of synchronous sequential machines based on symbolic execution. Coudert, Berthet, et al., 1989. (158 citations)
  Context: "...oaches a) Straightforward approach: The straightforward approach to generating counterexamples for incomplete designs would consist in an adaption of the standard method for computing counterexamples **[24]**, meaning that the Black Box outputs could — like inputs — hold arbitrary values in every state. Yet, this allows the counterexample computation to make assumptions about the Black Box output values. ..."

- Checking safety properties using induction and a SAT-solver. Sheeran, Singh, et al., 2000. (155 citations)
  Context: "...en states in the system. In this case, BMC ends up with a proof of the property. Since computing the diameter of a system turns out to be difficult however, alternative approaches such as k-induction **[11]** and interpolation [12] have been proposed for making SAT-based model checking complete. In this paper we address an important feature of unbounded symbolic model checkers, the generation of counterex..."

- Formal Verification by Symbolic Evaluation of Partially-Ordered Trajectories. Seger, Bryant, 1995. (99 citations)
  Context: "...amples by ‘lifting’ assignments produced by a SAT solver [13], [14] as already mentioned above, there are related methods based on ternary (0, 1, X)-logic such as Symbolic Trajectory Evaluation (STE) **[18]**, [19]. The most popular applications of STE are also based on properties arguing about bounded time windows. These properties (called ‘simple assertions’ in [18]) have the special form A ⇒ C where A ..."

- Symbolic model checking. Burch, Clarke, et al., 1992. (94 citations)
  Context: "...king is a method for verifying these properties [1], [2]. In the early nineties, by introducing symbolic model checking, Burch et al. substantially extended the class of systems which can be verified **[3]**, [4]. In (unbounded) symbolic model checking, Binary Decision Diagrams (BDDs) [5] (or more recently And-Inverter Graphs (AIGs) [6], [7], [8]) are used both for state set representation and for state ..."

- A theory and implementation of sequential hardware equivalence. Pixley, 1992. (78 citations)

- Combining decision diagrams and SAT procedures for efficient symbolic model checking. Williams, Biere, et al., 2000. (43 citations)
  Context: "...CUDD [30] and used relational preimage computation, we used an improved version in which boolean formulas are represented by And-Inverter Graphs [8] and that used functional preimage computation [31], **[32]** for our experiments. Our method was able to provide a counterexample for a word width of 64 bits in less than 11 minutes of CPU time. Detailed results for varying word widths can be found in Tab. IV...."

- An industrially effective environment for formal hardware verification. Seger, Jones, et al., 2005. (33 citations)
  Context: "... by ‘lifting’ assignments produced by a SAT solver [13], [14] as already mentioned above, there are related methods based on ternary (0, 1, X)-logic such as Symbolic Trajectory Evaluation (STE) [18], **[19]**. The most popular applications of STE are also based on properties arguing about bounded time windows. These properties (called ‘simple assertions’ in [18]) have the special form A ⇒ C where A and C ..."

- An extensible SAT-solver. In Theory and Applications of Satisfiability Testing. Eén, Sörensson, 2004. (31 citations)
  Context: "...bove may be lifted [25], [26], but QBF problems are harder to solve than SAT formulas and for QBF solving it could not yet be observed such a breakthrough as for SAT solving during recent years [27], **[28]**. IV. CASE STUDY As a case study, we will consider a simple VLIW ALU with four functional units as illustrated in Fig. 7; the VLIW instruction word (consisting of four parts for the four functional un..."

- VIS: A system for verification and synthesis. The VIS Group, 1996. (30 citations)
  Context: "...un times for lifting only, and the set of functional units the lifted counterexample argues about. For comparison, Tab. II additionally gives the runtimes of bounded model checking using the VIS tool **[29]**; these runtimes do not include lifting, since a version of VIS including lifting was not at our disposal. Note that BMC followed by lifting may or may not find uniform counterexamples as defined in t..."

- Checking equivalence for partial implementations. Scholl, Becker, 2001. (29 citations)
  Context: "...on as a QBF (Quantified Boolean Formula) problem instead of a number of SAT problems it would be possible to check for all possible counterexamples whether the variables mentioned above may be lifted **[25]**, [26], but QBF problems are harder to solve than SAT formulas and for QBF solving it could not yet be observed such a breakthrough as for SAT solving during recent years [27], [28]. IV. CASE STUDY As..."

- SAT-based unbounded symbolic model checking. Kang, Park, 2003. (27 citations)
  Context: "...bstantially extended the class of systems which can be verified [3], [4]. In (unbounded) symbolic model checking, Binary Decision Diagrams (BDDs) [5] (or more recently And-Inverter Graphs (AIGs) [6], **[7]**, [8]) are used both for state set representation and for state traversal. In the last few years SAT based techniques like Bounded Model Checking (BMC) [9], [10] have also attracted much interest. BMC..."

- Minimal assignments for bounded model checking. Ravi, Somenzi, 2004. (26 citations)
  Context: "...nd correcting the error. The goals of our work are most closely related to approaches in the Bounded Model Checking (BMC) context which try to improve a counterexample produced by a SAT solver in BMC **[13]**, [14]. Starting from a single counterexample which specifies all signals at all times prior to the error, the approach from [13] tries to remove (‘lift’) assignments to input signals without losing t..."

- Efficient SAT-based unbounded symbolic model checking using circuit cofactoring. Ganai, Gupta, et al., 2004. (21 citations)
  Context: "...l. substantially extended the class of systems which can be verified [3], [4]. In (unbounded) symbolic model checking, Binary Decision Diagrams (BDDs) [5] (or more recently And-Inverter Graphs (AIGs) **[6]**, [7], [8]) are used both for state set representation and for state traversal. In the last few years SAT based techniques like Bounded Model Checking (BMC) [9], [10] have also attracted much interest..."

- Functional Extension of Symbolic Model Checking. Computer-Aided Verification. Filkorn, 1991. (15 citations)
  Context: "...ckage CUDD [30] and used relational preimage computation, we used an improved version in which boolean formulas are represented by And-Inverter Graphs [8] and that used functional preimage computation **[31]**, [32] for our experiments. Our method was able to provide a counterexample for a word width of 64 bits in less than 11 minutes of CPU time. Detailed results for varying word widths can be found in Ta..."

- A common approach to test generation and hardware verification based on temporal logic. Kropf, Wunderlich, 1991. (11 citations)
  Context: "...thods which produce ‘uniform’ counterexamples that do not depend on the behavior implemented by the Black Boxes. Note that in contrast to previous approaches dealing with unknown initial states [16], **[17]**, we have to cope with different possible behaviors of the system due to different Black Box implementations since the ‘uniform counterexample’ is defined to be a counterexample for all possible Black..."

- Approximate symbolic model checking for incomplete designs. Nopper, Scholl, 2004. (10 citations)
  Context: "... only one out of a large number of possible counterexamples). In contrast, our approach to the improvement of counterexamples in symbolic model checking is based on Black Box model checking methods **[15]** where components of a system are removed and replaced by so-called Black Boxes. If Black Box model checking is able to prove that the property is violated independently from the implementation of the..."

- Efficient Debugging in a Formal Verification Environment. Copty, Irron, et al., 2003. (10 citations)
  Context: "... approximating transitions in the system. Another interesting approach which is related to our method by giving more information to the user than a single counterexample was presented by Copty et al. **[21]**: In their approach most insight into the nature of counterexamples has been given by so-called ‘strong values’: Starting from a specific counterexample Copty et al. are able to show, e.g., that..."

- Advanced Unbounded Model Checking Based on AIGs. Pigorsch, Scholl, et al. (9 citations)
  Context: "...tially extended the class of systems which can be verified [3], [4]. In (unbounded) symbolic model checking, Binary Decision Diagrams (BDDs) [5] (or more recently And-Inverter Graphs (AIGs) [6], [7], **[8]**) are used both for state set representation and for state traversal. In the last few years SAT based techniques like Bounded Model Checking (BMC) [9], [10] have also attracted much interest. BMC appl..."

- Minimizing counterexample with unit core extraction and incremental SAT. Shen, Qin, et al., 2005. (9 citations)
  Context: "...recting the error. The goals of our work are most closely related to approaches in the Bounded Model Checking (BMC) context which try to improve a counterexample produced by a SAT solver in BMC [13], **[14]**. Starting from a single counterexample which specifies all signals at all times prior to the error, the approach from [13] tries to remove (‘lift’) assignments to input signals without losing the pro..."

- Chaff: Engineering an efficient SAT solver. Moskewicz, Madigan, et al., 2001. (9 citations)
  Context: "...oned above may be lifted [25], [26], but QBF problems are harder to solve than SAT formulas and for QBF solving it could not yet be observed such a breakthrough as for SAT solving during recent years **[27]**, [28]. IV. CASE STUDY As a case study, we will consider a simple VLIW ALU with four functional units as illustrated in Fig. 7; the VLIW instruction word (consisting of four parts for the four functio..."

- Automatic refinement and vacuity detection for symbolic trajectory evaluation. Tzoref, Grumberg, 2006. (8 citations)
  Context: "...stem into counterexamples which could be ‘black boxed’ by our method. Introducing symbolic variables for internal signals (other than inputs) can lead to the problem of ‘vacuously failing’ properties **[20]**, i.e. to the problem that there is no concrete counterexample which is compatible to the abstract counterexample derived from A and C by STE. More general properties for STE arguing about unbounded t..."

- Advanced SAT-Techniques for Bounded Model Checking of Blackbox Designs. Herbstritt, Becker, et al., 2006. (5 citations)
  Context: "...a QBF (Quantified Boolean Formula) problem instead of a number of SAT problems it would be possible to check for all possible counterexamples whether the variables mentioned above may be lifted [25], **[26]**, but QBF problems are harder to solve than SAT formulas and for QBF solving it could not yet be observed such a breakthrough as for SAT solving during recent years [27], [28]. IV. CASE STUDY As a cas..."

- Flexible Modeling of Unknowns in Model Checking of Incomplete Designs. Nopper, Scholl, 2005. (3 citations)
  Context: "...fixed and possible transitions is the most crucial point. For the general case, the characteristic functions χRA and χRE representing the sets RA resp. RE may be computed using symbolic methods [15], **[22]**. In [15], [22], different possibilities to model the behavior of Black Boxes in their environment are considered. Starting from a symbolic version of ternary (0, 1, X)-simulation [23] where Black Box..."