## Symbolic Trajectory Evaluation (STE): Automatic Refinement and Vacuity Detection

### BibTeX

```bibtex
@MISC{Grumberg_symbolictrajectory,
  author = {Orna Grumberg},
  title = {Symbolic Trajectory Evaluation (STE): Automatic Refinement and Vacuity Detection},
  year = {}
}
```

### Abstract

Symbolic Trajectory Evaluation (STE) is a powerful technique for hardware model checking. It is based on combining 3-valued abstraction with symbolic simulation, using 0, 1 and ("unknown"). The value is used to abstract away parts of the circuit. The abstraction is derived from the user’s specification. Currently the process of refinement in STE is performed manually. This paper presents an automatic refinement technique for STE. The technique is based on a clever selection of constraints that are added to the specification so that, on the one hand, the semantics of the original specification is preserved and, on the other hand, the part of the state space in which the "unknown" result is received is significantly decreased or totally eliminated. In addition, this paper raises the problem of vacuity of passed and failed specifications. This problem was never discussed in the framework of STE. We describe when an STE specification may vacuously pass or fail, and propose a method for vacuity detection in STE.
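As an added illustration of the 3-valued semantics described in the abstract (example code written here, not code from the paper or its AutoSTE tool): a minimal STE-style checker for a constructed 2:1 multiplexer, restricted to one time step (no next-time operator) and enumerating symbolic variables instead of building BDDs. It shows an assertion whose result is unknown because the select input was abstracted to X, the same assertion refined by constraining the select to a symbolic variable so the unknown disappears while the concrete meaning is preserved, and an antecedent contradiction (the over-constrained value T) reported as a vacuous pass.

```python
# Minimal 3-valued STE-style check, one time step, symbols enumerated.
from itertools import product

X, T = "X", "T"   # X = unknown, T = over-constrained (antecedent contradiction)

def and3(p, q):
    if T in (p, q): return T
    if p == 0 or q == 0: return 0
    return 1 if p == 1 and q == 1 else X

def or3(p, q):
    if T in (p, q): return T
    if p == 1 or q == 1: return 1
    return 0 if p == 0 and q == 0 else X

def not3(p):
    return p if p in (X, T) else 1 - p

def lub(computed, constraint):
    # Join in the information order X < {0,1} < T: a constraint refines a
    # computed value, and two different definite values contradict.
    if constraint == X: return computed
    if computed in (X, constraint): return constraint
    return T

# Constructed circuit: a 2:1 multiplexer, gates listed in topological order.
MUX = [("nsel", not3, ["sel"]), ("t1", and3, ["sel", "a"]),
       ("t2", and3, ["nsel", "b"]), ("out", or3, ["t1", "t2"])]
INPUTS = ["sel", "a", "b"]

def simulate(circuit, antecedent, env):
    """3-valued simulation of one time step under antecedent constraints."""
    def val(v): return env.get(v, v) if isinstance(v, str) else v
    state = {n: val(antecedent.get(n, X)) for n in INPUTS}
    for node, gate, ins in circuit:
        computed = gate(*(state[i] for i in ins))
        state[node] = lub(computed, val(antecedent.get(node, X)))
    return state

def ste(circuit, antecedent, consequent):
    """'pass', 'fail', 'unknown' or 'vacuous pass' over all assignments to
    the symbolic variables (any string other than X/T) in the assertion."""
    symbols = sorted({v for d in (antecedent, consequent) for v in d.values()
                      if isinstance(v, str) and v not in (X, T)})
    verdicts = set()
    for bits in product((0, 1), repeat=len(symbols)):
        env = dict(zip(symbols, bits))
        state = simulate(circuit, antecedent, env)
        if T in state.values():
            verdicts.add("vacuous pass")  # antecedent failure: nothing is checked
            continue
        for node, want in consequent.items():
            got, want = state[node], env.get(want, want)
            verdicts.add("pass" if got == want else "unknown" if got == X else "fail")
    return next((v for v in ("fail", "unknown", "vacuous pass") if v in verdicts), "pass")
```

With `sel` left unconstrained the consequent `out = 1` comes out unknown even though it holds concretely; adding `sel: "s"` to the antecedent is the kind of refinement the paper automates.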

### Citations

2934 | Graph-Based Algorithms for Boolean Function Manipulation
- Bryant
- 1986

Citation context: ...ifferent times, and the consequent expresses requirements that should hold on such nodes. For each node, STE computes a symbolic representation, often in the form of a Binary Decision Diagram (BDD) [8]. The BDD represents the value of the node as a function of the values of the circuit’s inputs. For precise symbolic representation, memory requirements might be prohibitively high. Thus, in order to ...

1213 | The temporal logic of programs
- Pnueli
- 1977

Citation context: ...3. Trajectory Evaluation Logic (TEL) We now describe the Trajectory Evaluation Language (TEL) used to specify properties for STE. This logic is a restricted version of the Linear Temporal Logic (LTL) [23], where only the next time temporal operator is allowed. A Trajectory Evaluation Logic (TEL) formula is defined recursively over as follows: is where , is a Boolean expression over and is the next tim...

708 | Symbolic Model Checking without BDDs
- Biere, Cimatti, et al.
- 1999

Citation context: ...il, namely, , should also constitute a counterexample for . That is, we require that . We propose two different algorithms for vacuity detection. The first algorithm uses Bounded Model Checking (BMC) [6] and runs on the concrete model. The second algorithm uses STE and requires automatic refinement. The algorithm that uses STE takes advantage of the abstraction in STE, as opposed to the first algorit...

416 | Computer-aided verification of coordinating processes: the automata-theoretic approach
- Kurshan
- 1994

Citation context: ...adding more details to it, making it more similar to the concrete model. This iterative process is called Abstraction-Refinement, and has been investigated thoroughly in the context of model checking [14,10,21,15,3]. The work presented in this paper is the first attempt to perform automatic refinement in the framework of STE. In [13], it is shown that the abstraction in STE is an abstract interpretation via a Ga...

108 | Automatic abstraction without counterexamples
- McMillan, Amla

99 | Formal Verification by Symbolic Evaluation of Partially-Ordered Trajectories
- Seger, Bryant
- 1995

Citation context: ...nted in [30] and [29]. It presents the framework of Symbolic Trajectory Evaluation (STE) and describes automatic refinement and vacuity detection in this context. Symbolic Trajectory Evaluation (STE) [26] is a powerful technique for hardware model checking. STE combines 3-valued abstraction with symbolic simulation. It is applied to a circuit , described as a graph over nodes (gates and latches). Spec...

95 | Model checking partial state spaces with 3-valued temporal logics
- Bruns, Godefroid
- 1999

Citation context: ...it is guaranteed to hold for the concrete model as well. On the other hand, a false result may be spurious, meaning that the result in the concrete model may not be false. In the three-valued semantics [7,28], a third truth value is introduced: the unknown truth value. With this semantics, the true and false truth values in the abstract model are guaranteed to hold also in the concrete model, whereas the ...

66 | Automated Abstraction Refinement for Model Checking Large State Spaces Using SAT based Conflict Analysis
- Chauhan, Clarke, et al.

Citation context: ...adding more details to it, making it more similar to the concrete model. This iterative process is called Abstraction-Refinement, and has been investigated thoroughly in the context of model checking [14,10,21,15,3]. The work presented in this paper is the first attempt to perform automatic refinement in the framework of STE. In [13], it is shown that the abstraction in STE is an abstract interpretation via a Ga...

62 | Vacuity detection in temporal model checking
- Kupferman, Vardi

Citation context: ...he case in which, given a model and a formula , there exists a sub formula of which does not affect the validity of . Thus, replacing with any other formula will not change the truth value of in . In [19,20] the work of [5] has been extended by presenting a general method for detecting vacuity for specifications in CTL*. Further extensions appear in [2,9]. In the framework of STE, vacuity, sometimes refe...

34 | Introduction to generalized symbolic trajectory evaluation
- Yang, Seger
- 2003

Citation context: ...resented here. The method in [16] is applicable only in the SAT-based STE framework developed there. In [1], a method for automatic abstraction without refinement is suggested. Generalized STE (GSTE) [36] is a significant extension of STE that can verify all -regular properties. Two manual refinement methods for GSTE are presented in [35]. In the first method, refinement is performed by changing the s...

33 | An industrially effective environment for formal hardware verification
- Seger, Jones, et al.
- 2005

Citation context: ...the assertion in order to present node values more accurately. STE has been in active use in the hardware industry, and has been very successful in verifying huge circuits containing large data paths [27,25,34]. Its main drawback, however, is the need for manual abstraction and refinement, which can be labor-intensive. In this work we propose a technique for automatic refinement of assertions in STE. In our...

26 | Enhanced vacuity detection for linear temporal logic
- Armoni, Fix, et al.
- 2003

Citation context: ...mula will not change the truth value of in . In [19,20] the work of [5] has been extended by presenting a general method for detecting vacuity for specifications in CTL*. Further extensions appear in [2,9]. In the framework of STE, vacuity, sometimes referred to as antecedent failure, is discussed in [18,26]. Roughly speaking, it refers to the situation in which a node is assigned with a value, implyin...

26 | Formally verifying a microprocessor using a simulation methodology
- Beatty, Bryant

Citation context: ...re added to . STE is then applied on the enhanced antecedent. Our automatic refinement can be activated at this stage. Vacuity refers to the problem of trivially valid formulas. It was first noted in [4]. Automatic detection of vacuous pass under symbolic model checking was first proposed in [5] for a subset of the temporal logic ACTL called w-ACTL. In [5], vacuity is defined as the case in which, gi...

23 | High-Level Formal Verification of Next-Generation Microprocessors
- Schubert
- 2003

Citation context: ...the assertion in order to present node values more accurately. STE has been in active use in the hardware industry, and has been very successful in verifying huge circuits containing large data paths [27,25,34]. Its main drawback, however, is the need for manual abstraction and refinement, which can be labor-intensive. In this work we propose a technique for automatic refinement of assertions in STE. In our...

21 | The Mathematical Foundation of Symbolic Trajectory Evaluation
- Chou
- 1999

Citation context: ...nd has been investigated thoroughly in the context of model checking [14,10,21,15,3]. The work presented in this paper is the first attempt to perform automatic refinement in the framework of STE. In [13], it is shown that the abstraction in STE is an abstract interpretation via a Galois connection. However, [13] is not concerned with refinement. In [32], an automatic abstraction-refinement for symbol...

21 | Generalized symbolic trajectory evaluation: abstraction in action
- Yang, Seger
- 2002

Citation context: ...raction without refinement is suggested. Generalized STE (GSTE) [36] is a significant extension of STE that can verify all -regular properties. Two manual refinement methods for GSTE are presented in [35]. In the first method, refinement is performed by changing the specification. In the second method, refinement is performed by choosing a set of nodes in the circuit, whose values and the relationship...

19 | Regular vacuity
- Bustan, Flaisher, et al.
- 2005

Citation context: ...mula will not change the truth value of in . In [19,20] the work of [5] has been extended by presenting a general method for detecting vacuity for specifications in CTL*. Further extensions appear in [2,9]. In the framework of STE, vacuity, sometimes referred to as antecedent failure, is discussed in [18,26]. Roughly speaking, it refers to the situation in which a node is assigned with a value, implyin...

17 | Symbolic localization reduction with reconstruction layering and backtracking
- Barner, Geist, et al.
- 2002

Citation context: ...adding more details to it, making it more similar to the concrete model. This iterative process is called Abstraction-Refinement, and has been investigated thoroughly in the context of model checking [14,10,21,15,3]. The work presented in this paper is the first attempt to perform automatic refinement in the framework of STE. In [13], it is shown that the abstraction in STE is an abstract interpretation via a Ga...

15 | Comprehensive Functional Verification: The Complete Industry Cycle (Systems on Silicon)
- Wile, Goss, et al.
- 2005

Citation context: ...n the new assertion. We ran AutoSTE on two different circuits, which are challenging for Model Checking: the Content Addressable Memory (CAM) from Intel’s GSTE tutorial, and IBM’s Calculator 2 design [31]. The latter has a complex specification. Therefore, it constitutes a good example for the benefit the user can gain from automatic refinement in STE. All runs were performed on a 3.2 GHz Pentium 4 com...

10 | SAT-based abstraction-refinement using ILP and machine learning techniques
- 2002

8 | A new SAT-based algorithm for symbolic trajectory evaluation
- Roorda, Claessen
- 2005

Citation context: ...trajectory is a (symbolic) sequence that is compatible [24]: let be the value of a node as computed according to the values of its source nodes in . It is required that for all nodes , (strict equality is not required in order to allow external assumptions on node values to be embedded into ). A trajectory is concrete if all its states are concrete. A trajectory is an abstraction of a concrete traje...

8 | Automatic refinement and vacuity detection for symbolic trajectory evaluation
- Tzoref, Grumberg
- 2006

Citation context: ...or vacuity detection in STE. Keywords. Symbolic Trajectory Evaluation (STE), model checking, abstraction-refinement, vacuity. 1. Introduction. This paper is an overview of the work presented in [30] and [29]. It presents the framework of Symbolic Trajectory Evaluation (STE) and describes automatic refinement and vacuity detection in this context. Symbolic Trajectory Evaluation (STE) [26] is a powerful te...

8 | satGSTE: Combining the abstraction of GSTE with the capacity of a SAT solver
- Yang, Gil, et al.
- 2004

Citation context: ...changing the specification. In the second method, refinement is performed by choosing a set of nodes in the circuit, whose values and the relationship among them are always represented accurately. In [33], SAT-based STE is used to get quick feedback when debugging and refining a GSTE assertion graph. However, the debugging and refinement process itself is manual. An automatic refinement for GSTE has re...

8 | GSTE through a case study
- Yang, Goel
- 2002

Citation context: ...the assertion in order to present node values more accurately. STE has been in active use in the hardware industry, and has been very successful in verifying huge circuits containing large data paths [27,25,34]. Its main drawback, however, is the need for manual abstraction and refinement, which can be labor-intensive. In this work we propose a technique for automatic refinement of assertions in STE. In our...

7 | Model checking lattices: Using and reasoning about information orders for abstraction
- Hazelhurst, Seger
- 1999

Citation context: ...the values or or to symbolic variables. A fourth value, , is used in STE for representing a contradiction between a constraint in on some node and the actual value of node at time in the circuit. In [18], a 4-valued truth domain is defined for the temporal language of STE, corresponding to the 4-valued domain of the values of circuit nodes. Thus, STE assertions may get one of these four values when c...

5 | Symbolic Simulation Using Automatic Abstraction of Internal Node Values
- Wilson
- 2001

Citation context: ...utomatic refinement in the framework of STE. In [13], it is shown that the abstraction in STE is an abstract interpretation via a Galois connection. However, [13] is not concerned with refinement. In [32], an automatic abstraction-refinement for symbolic simulation is suggested. The main differences between our work and [32] are that we compute a set of sufficient inputs for refinement and that our sug...

4 | Automatic abstraction in symbolic trajectory evaluation
- Adams, Björk, et al.
- 2007

Citation context: ...t presented in [12] is based on a notion of responsibility and can be combined with the method presented here. The method in [16] is applicable only in the SAT-based STE framework developed there. In [1], a method for automatic abstraction without refinement is suggested. Generalized STE (GSTE) [36] is a significant extension of STE that can verify all -regular properties. Two manual refinement metho...

4 | Automatic abstraction refinement for generalized symbolic trajectory evaluation
- Chen, He, et al.
- 2007

Citation context: ...get quick feedback when debugging and refining a GSTE assertion graph. However, the debugging and refinement process itself is manual. An automatic refinement for GSTE has recently been introduced in [11]. An additional source of abstraction in STE is the fact that the constraints of on internal nodes are propagated only forward through the circuit and through time. We do not deal with this source of ...

4 | Efficient automatic STE refinement using responsibility
- Chockler, Grumberg, Yadgar
- 2008

Citation context: ...r refinement and that our suggested heuristics are significantly different from those proposed in [32]. Recently, two new refinement methods have been suggested. The automatic refinement presented in [12] is based on a notion of responsibility and can be combined with the method presented here. The method in [16] is applicable only in the SAT-based STE framework developed there. In [1], a method for a...

4 | A game-based framework for CTL counterexamples and 3-valued abstraction-refinement
- Shoham, Grumberg

Citation context: ...it is guaranteed to hold for the concrete model as well. On the other hand, a false result may be spurious, meaning that the result in the concrete model may not be false. In the three-valued semantics [7,28], a third truth value is introduced: the unknown truth value. With this semantics, the true and false truth values in the abstract model are guaranteed to hold also in the concrete model, whereas the ...

4 | Automatic refinement and vacuity detection for Symbolic Trajectory Evaluation
- Tzoref, Grumberg
- 2006

3 | Efficient detection of vacuity in ACTL formulas
- Beer, Ben-David, et al.
- 1997

Citation context: ...activated at this stage. Vacuity refers to the problem of trivially valid formulas. It was first noted in [4]. Automatic detection of vacuous pass under symbolic model checking was first proposed in [5] for a subset of the temporal logic ACTL called w-ACTL. In [5], vacuity is defined as the case in which, given a model and a formula , there exists a sub formula of which does not affect the validity ...

2 | 3-Valued Circuit SAT for STE with Automatic Refinement
- Grumberg, Schuster, Yadgar
- 2007

1 | 3-valued circuit SAT for STE with automatic refinement
- Grumberg, Schuster, et al.
- 2007

Citation context: ...ly, two new refinement methods have been suggested. The automatic refinement presented in [12] is based on a notion of responsibility and can be combined with the method presented here. The method in [16] is applicable only in the SAT-based STE framework developed there. In [1], a method for automatic abstraction without refinement is suggested. Generalized STE (GSTE) [36] is a significant extension o...