
Topic 09

Unbounded Model Checking

System-on-Chip (SoC) Verification

2021.05.07

Extension of BMC for Unbounded Proof

- BMC, combined with various techniques, can be extended to unbounded model checking:
  1. k-step induction
  2. Simple-path constraint
  3. Counterexample-based abstraction
  4. Proof-based abstraction
  5. Image computation by SAT
  6. Over-approximated image computation using interpolation
  etc.

SoC Verification, Prof. Chung-Yang (Ric) Huang

Limitation of Formal Engine

- Still bounded by exponential complexity
  - When the design gets big, or the property becomes complex, very often the formal engine cannot conclude the proof
  => We have "coverage metrics" for simulation; what is the equivalent for formal methods?
- However, property checking by a formal engine is somewhat analogous to reasoning backwards from the designer's intent
  - The designer's intent should not be too complicated for one local module
  - It is the interaction between modules that makes the problem difficult

Abstraction and Refinement

- If we can confine our search/reasoning to some boundary (e.g. a local module, or the FF boundary), we can simplify our proof
  => Abstraction
- But simplifying something means something is ignored... the result may not be accurate
  => Refinement: refine to a bigger search region

Localization abstraction

- Property: G (c ⇒ X c)
- Model (gate granularity):
  C = { g = a ∧ b, p = g ∨ c, c' = p }
- Abstraction: keep only a subset C' ⊆ C of the constraints; a signal whose defining constraint is dropped becomes a free variable. E.g. C' = { p = g ∨ c, c' = p } with g free already proves the property, since c = 1 forces p = 1 and hence c' = 1.
- Soundness: C' ⇒ property, and C ⇒ C' (C has more constraints), together give C ⇒ property.

Constraint granularity

Most authors use constraints at "latch" granularity, e.g. the same circuit as one constraint per state variable:
  C = { c' = (a ∧ b) ∨ c }

...however, the techniques we will consider can be applied at both "gate" and "latch" granularity.

Localization, cont.

- C' may refer to fewer state variables than C
  - reduction in the state explosion problem
- Key issue: how to choose the constraints in C'
  - counterexample-based
  - proof-based

Terminologies in the following slides

- Model check: formal (unbounded) proof by BDD reachability analysis
- BMC: bounded model checking by SAT

Counterexample-based Abstraction (Kurshan)

[Flow chart, reconstructed as steps]
1. Choose an initial abstraction C'.
2. Model check C'. If the property is true on C', done: it is true on C.
3. Otherwise the model checker returns an abstract counterexample Cex. Use SAT to decide whether Cex can be extended from C' to C.
   - yes: Cex is a real counterexample, done.
   - no: add constraints to C' and go back to step 2.

Creating Initial C'

- e.g. cut at the FF boundary

[Figure: the design unrolled for t = 0, 1, 2 with PIs, combinational elements, FFs and POs (target ¬p). The concrete model C contains the combinational and the sequential elements; the initial C' cuts at the FF boundary, so the FF outputs feeding the combinational logic are treated as pseudo-primary inputs (PPIs) next to the PIs.]

Counterexample extension

- An abstract counterexample A' satisfies:
  I0 ∧ U'k ∧ Fk, where U'k = C'0 ∧ C'1 ∧ ... ∧ C'k-1
- Find A consistent with A', satisfying:
  I0 ∧ Uk ∧ Fk, where Uk = C0 ∧ C1 ∧ ... ∧ Ck-1
- That is, A is any satisfying assignment to:
  A' ∧ I0 ∧ Uk ∧ Fk

i.e., to extend an abstract counterexample, we just apply it as a constraint in BMC. If unsat, the abstract counterexample is "false" (spurious).

Abstraction refinement

- Refinement = adding constraints to C' to eliminate false counterexamples.
- Many heuristics are used for this.
  - Too many to cover here.
  - Remember: the SAT solver can produce a resolution-based refutation in the UNSAT case...
  => use it to refute the false counterexample

Refutation Refinement for Counterexample-Based Abstraction

- Recall, to extend the abstract Cex A', we check:
  A' ∧ I0 ∧ Uk ∧ Fk
- If UNSAT, we obtain a refutation proof R
  - Proof that A' cannot be extended to a concrete Cex
- Let E be the set of constraints used in proof R:
  E = { c ∈ C | some time-frame copy ci of c occurs in R }
- A' cannot be extended to a Cex for E
  - R is the proof of this.

Thus, add E to C' and continue...

Refutation Refinement for Counterexample-Based Abstraction

[Figure: the unrolling I, C', C', ..., F with the abstract counterexample A' constraining every frame; refuting A' against the full model C uses only a subset C'' of the constraints, and C'' is what gets added to C'.]

In other words...

The refutation of the formula:
  A' ∧ I0 ∧ Uk ∧ Fk
gives us a sufficient set of constraints to rule out the abstract counterexample.

We continue ruling out counterexamples until either the abstraction C' proves the property or we can extend an abstract counterexample to a concrete one.

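Added example (not part of the slides): the counterexample-based loop above, run end to end in Python on the gate-level model of the "Localization abstraction" slide (g = a ∧ b, p = g ∨ c, c' = p, property G (c ⇒ X c)). The BDD model check is replaced by explicit-state reachability, the BMC extension check by enumeration, and "the constraints used in the refutation" by the smallest constraint subset that contradicts the abstract counterexample; these brute-force stand-ins are my assumptions, made so the example runs without a proof-producing SAT solver. Starting from the FF-boundary cut C' = { c' = p } (p free), the first abstract counterexample (c: 0 -> 1 -> 0, with p = 0 in the second frame) is refuted by p = g ∨ c alone, which is added to C'; the refined abstraction then proves the property, and g = a ∧ b is never needed.

```python
"""Counterexample-based localization abstraction with refutation refinement.

Added example (not from the slides): the Kurshan loop of the preceding slides run on
the slides' own gate-level model g = a ∧ b, p = g ∨ c, c' = p, property G (c ⇒ X c).
Everything is done by enumeration over a handful of Boolean variables; the "refutation
core" is the smallest set of constraints that contradicts the abstract counterexample,
found by brute force (assumption standing in for reading the constraints off a SAT
solver's resolution refutation).
"""
import itertools
from collections import deque

VARS = ["a", "b", "g", "p", "c", "c'"]          # c' is the next-state copy of latch c
CONSTRAINTS = {                                   # concrete model C, one entry per gate/latch
    "g=a&b": ({"a", "b", "g"}, lambda v: v["g"] == (v["a"] and v["b"])),
    "p=g|c": ({"g", "c", "p"}, lambda v: v["p"] == (v["g"] or v["c"])),
    "c'=p":  ({"p", "c'"},     lambda v: v["c'"] == v["p"]),
}
INIT_C = False                                    # initial state: c = 0


def frames(names, active, fixed):
    """Assignments to `names` satisfying the constraints in `active` and agreeing with `fixed`.
    Variables in `names` that no active constraint mentions are simply free."""
    free = [n for n in names if n not in fixed]
    for bits in itertools.product([False, True], repeat=len(free)):
        v = {**fixed, **dict(zip(free, bits))}
        if all(CONSTRAINTS[k][1](v) for k in active):
            yield v


def abstract_vars(active):
    """Variables visible in C': the latch, its next state, and whatever C' constrains."""
    mentioned = {"c", "c'"}.union(*(CONSTRAINTS[k][0] for k in active))
    return [n for n in VARS if n in mentioned]


def model_check(active):
    """Explicit-state reachability on the abstraction C' (stand-in for the BDD model check).
    Returns None if every reachable transition satisfies c ⇒ c', otherwise an abstract
    counterexample: the list of frames from the initial state to the violating transition."""
    names = abstract_vars(active)
    parent = {INIT_C: None}                       # latch value -> (previous value, frame reaching it)
    queue = deque([INIT_C])
    while queue:
        c = queue.popleft()
        for fr in frames(names, active, {"c": c}):
            if fr["c"] and not fr["c'"]:          # violation of c ⇒ X c
                path, s = [fr], c
                while parent[s] is not None:
                    s, prev = parent[s]
                    path.insert(0, prev)
                return path
            if fr["c'"] not in parent:
                parent[fr["c'"]] = (c, fr)
                queue.append(fr["c'"])
    return None


def extend(path):
    """Try to extend the abstract Cex A' to a concrete one: A' ∧ C must be satisfiable.
    Frames are already chained through c/c' by A', so each frame is checked on its own.
    Returns (concrete path, None) or (None, index of the first frame that cannot be extended)."""
    concrete = []
    for i, fr in enumerate(path):
        a = next(frames(VARS, CONSTRAINTS, fr), None)
        if a is None:
            return None, i
        concrete.append(a)
    return concrete, None


def refutation_core(fr):
    """Smallest set E of constraints with A'_i ∧ E unsatisfiable (brute-force stand-in for
    the constraints that occur in the resolution refutation R)."""
    for size in range(1, len(CONSTRAINTS) + 1):
        for subset in itertools.combinations(CONSTRAINTS, size):
            if next(frames(VARS, subset, fr), None) is None:
                return set(subset)
    raise AssertionError("frame is extendable; no refutation exists")


def cegar(initial=("c'=p",)):
    """Kurshan's loop: model check C'; extend the Cex; otherwise add the refuting constraints."""
    active = set(initial)                         # initial C': cut at the FF boundary, p free
    while True:
        cex = model_check(active)
        if cex is None:
            return "proved", active               # C' ⇒ property and C ⇒ C', so C ⇒ property
        concrete, bad = extend(cex)
        if concrete is not None:
            return "counterexample", concrete     # real counterexample on C
        active |= refutation_core(cex[bad])       # refinement


if __name__ == "__main__":
    print(model_check({"c'=p"}))                  # abstract Cex: c goes 0 -> 1 -> 0 with p free
    print(cegar())                                # proved, with C' = {p=g|c, c'=p}
```

The loop never looks at a, b or g: the abstract counterexample only assigns the variables C' mentions, so the irrelevant constraint g = a ∧ b cannot enter the core, which is the point of refutation-based refinement (the "weakness" slide below describes what happens when the abstract Cex does assign such variables).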
Weakness of Cex-based approach

- An arbitrarily chosen abstract Cex may be refutable for many reasons not related to the property.
  - Thus, we may add irrelevant constraints.
  - To remedy this, one may try to characterize a set of Cex's rather than just one (e.g., GKMHFV, TACAS'03).

Alternative: don't use counterexamples

Proof-based abstraction (McMillan and Amla, TACAS'03)

[Flow chart, reconstructed as steps]
1. BMC at depth k.
   - Cex? done: the property fails.
   - No Cex? use the refutation to choose the abstraction C'.
2. Model check the abstraction C'.
   - True? done: the property holds.
   - False? increase k and go back to step 1.

BMC phase

- Unfold the model k times:
  Uk = C0 ∧ C1 ∧ ... ∧ Ck
- Use a SAT solver to check the satisfiability of
  I0 ∧ Uk ∧ Fk
- If unsatisfiable:
  - the property has no Cex of length k
  - produce a refutation proof R

Abstraction phase

- Let C' be the set of constraints used in proof R:
  C' = { c ∈ C | some time-frame copy ci of c occurs in R }
- C' admits no counterexample of length k
  - Let U' = C'0 ∧ C'1 ∧ ... ∧ C'k
  - R is a refutation of I0 ∧ U' ∧ Fk
- Model check the property on C'
  - Property true for C' implies true for C
  - else Cex of length k' > k (why? R shows that C' has no counterexample of length k, so any counterexample the model checker finds on C' must be longer)
    - restart with k = k' (instead of k+1)

Proof-Based Abstraction Algorithm

[Flow chart, reconstructed as steps]
1. BMC on C at depth k.
   - Cex? done.
   - No Cex? the refutation P induces the abstraction C'.
2. Model check C'.
   - True? done.
   - Cex of depth k'? let k = k' and go back to step 1.

Notice: the MC counterexample is thrown away! Only its depth k' is used.

Termination

- Depth k increases at each iteration
- Eventually k > d, the diameter of C'
- If k > d, no counterexample is possible

In practice, termination usually occurs when k ≈ d/2

Usually, diameter of C' << diameter of C

Weakness of proof-based abstraction

- BMC must refute all counterexamples of length k, while in the Cex-based approach BMC must refute only one (partial) counterexample.
  => The refinement can be too big for the model checker to handle.

Inference

- The SAT solver seems to be very effective at narrowing down the proof to the relevant facts.

In most cases, it did better than manual abstraction.

Comparing CBA and PBA

- Apples-to-apples comparison
  - same SAT solver
  - same model checker
  - the only differences are:
    - For CBA the previous A' is kept as a constraint for BMC, and C' is cumulative.
    - For PBA the previous A' and C' are thrown away each iteration.

"Note these are my implementations. This says nothing about performance of specific tools!" (Ken McMillan)

Run time comparison

[Chart: CBA vs. PBA run times; not reproduced]

Abstraction comparison

[Chart: CBA vs. PBA abstraction sizes; not reproduced]

Possible explanation

- Internally, the SAT solver is really doing CBA

[Figure: the decision stack a=0, b=1, c=0, d=1 plays the role of the abstract Cex A'; the conflict analysis is a refutation of A'; the decision heuristic moves the variables that appear in proofs up the stack, into A'.]

Bounded vs. Unbounded SAT

- Most of the time, if bounded model checking succeeds, unbounded model checking also succeeds using abstraction.
  - No need to settle for a time-bounded result
- Bounded model checking may be applicable only to localizable properties

Flashback

Cex-based:    BDD model check on C'  -> true: done
                                     -> cex:  BMC with the cex as constraint -> sat:   real cex
                                                                             -> unsat: refine C', repeat
Proof-based:  BMC(k)  -> sat:   cex
                      -> unsat: abstract C' from the proof; BDD model check on C'  -> true: done
                                                                                  -> cex:  increase k, repeat

=> BDD is used for the unbounded proof (MC)
=> Can we use SAT instead (i.e. a pure SAT approach)?

Symbolic model checking without BDDs

- Fixed point characterization
  [ref: Abdulla, Bjesse and Eén 2000; Williams, Biere, Clarke and Gupta 2000]
  - Syntactic quantifier elimination
  - Blocking clauses
  - CTL model checking with SAT
- Over-approximate reachability analysis
  [ref: McMillan, 2002]
  - Interpolation-based MC

Fixed point characterization by SAT

- Recall: fixed point characterization of CTL:
  EF p = μQ. (p ∨ EX Q)
- Reverse image (what are the states that lead to p?):
  EX p = ∃W. p<δi / si>
  where si are the state variables, W the input variables, and δi the transition function of si: substitute each state variable by its next-state function, then quantify the inputs existentially.

Syntactic expansion of quantifiers

- By definition:
  ∃w. p = p<0/w> ∨ p<1/w>
- Thus, we can compute the reverse image by syntactic expansion and simplification.
  - note: exponential in the number of inputs.
- Fixed-point series (for EF p):
  R0 = false
  Ri+1 = p ∨ EX Ri
  Terminates when Ri+1 ⇒ Ri (a SAT problem: check that Ri+1 ∧ ¬Ri is unsatisfiable)

In other words, to compute the pre-image

  ∃W. Rn<δ / Y>
  = ∃w0, w1, w2, ... Rn<δ / Y>                        (let F0 = Rn<δ / Y>)
  = ∃w1, w2, ... (F0<0/w0> ∨ F0<1/w0>)                (let F1 = F0<0/w0> ∨ F0<1/w0>)
  = ∃w2, w3, ... (F1<0/w1> ∨ F1<1/w1>)
  = ...
  => quantifier-free formula over the current-state variables X
  => solved by SAT

Limitations

- Syntactic quantifier elimination is exponential
  - Method limited to circuits with very few inputs
  - E.g., sequential arithmetic circuits

Direct image computation

- Adapt SAT methods for image computation in symbolic model checking
  - Recall: this is essentially quantifier elimination
- Idea: reduce the formula to CNF or DNF
  - Make quantifier elimination easy
  - Essentially, enumerate all satisfying assignments, but in an efficient way (i.e., by covering them with clauses or cubes).

CNF Characterization

Instead of checking the validity of p, we now want to derive a CNF formula over the input variables VI that is logically equivalent to the circuit (of p).

Idea: each time a satisfying assignment is found, add a new "blocking clause" that rules out this satisfying assignment.

The blocking clauses form our characterization of p.

CNF characterization algorithm

[Flow chart, reconstructed as steps]
  A = ∅ (partial assignment), c = ∅ (blocking clauses found so far)
  loop:
    if the empty clause has been derived: return c
    deduce (BCP); on a conflict: analyze and backtrack, as in a SAT solver
    if A is total (a satisfying assignment of p): infer a blocking clause c' from p and add c' to f (the formula being solved) and to c
    else: branch (extend A with a decision)

Direct image computation

- The above approach (CNF characterization of p) can compute the set of all the "states + PIs" that can lead to p, and represent it as CNF
- What if we want to prove a CTL property like AX p?

[Figure: initial states I whose successors, under all inputs, must satisfy p.]

CTL Model Checking with SAT

  AX p = ∀W. p<δi / si>
  where si are the state variables, W the input variables, and δi the transition function of si

Universal Quantifier Elimination

Given
- a circuit p, and
- a subset W of the input variables,
we want to compute a CNF formula equivalent to ∀W. p

Idea: eliminating ∀ in CNF formulas is trivial.

e.g.: ∀a. (a ∨ b) ∧ (¬a ∨ ¬c ∨ d) = (b) ∧ (¬c ∨ d)

... just push ∀ inside ∧ (and drop the quantified literals from each clause) ...

" - elimination algorithm
A = ∅, c = ∅

empty y return
clause? c
n
y
Deduce conflict?
Infer blocking
clause c’ from p.
is A y Add "W.c’ to f, c.
Branch
total?

SoC Verification Prof. Chung-Yang (Ric) Huang 43

43

Recent related work

- Sheng, Hsiao (DATE 2003)
  - Uses ATPG methods
- Chauhan, Clarke, Kroening
  - Computes the forward rather than the backward image

SAT-based image

- May provide a good alternative when BDDs fail.
- Does not take advantage of the SAT solver's ability to filter out irrelevant facts, since the exact image is computed.
- Can we trade off image accuracy against efficiency?

Over-approximated reachability

- Define an over-approximated image operator Img' s.t. for all S, Img(S,C) implies Img'(S,C)
- Over-approximated reachability:
  R'0 = I
  R'i+1 = R'i ∨ Img'(R'i, C)
  R' = ∪i R'i
- Img' is adequate w.r.t. F when
  - if S cannot reach F, Img'(S,C) cannot reach F
- If Img' is adequate, then
  - F is reachable iff R' ∧ F ≠ false

Adequate image

[Figure: S, its exact image Img(S,C), the over-approximated image Img'(S,C) around it, and the target F. "Reached from S" must stay disjoint from "can reach F" for Img' to be adequate.]

But how do you get an adequate Img'?

k-adequate image operator

- Img' is k-adequate (w.r.t. F) when
  - if S cannot reach F, Img'(S,C) cannot reach F within k steps
- Note: if k > diameter, then k-adequate is equivalent to adequate.

Image over-approximation

- BMC and Craig interpolation allow us to compute an image over-approximation relative to the property.
  - Avoid computing the exact image.
  - Maintain the SAT solver's advantage of filtering out irrelevant facts.

Interpolation (Craig, 1957)

- If A ∧ B = false, there exists an interpolant I for (A, B) such that:
  A ⇒ I
  I ∧ B = false
  I refers only to the common variables of A and B
- Example:
  A = p ∧ q, B = ¬q ∧ r, interpolant I = q
- New result:
  given a resolution refutation of A ∧ B, the interpolant can be derived in linear time (Pudlák 1997, Krajíček 1997)

Another Example of Interpolation

SAT target: A ∧ B
  A: (¬x ∧ z) ∨ (x ∧ ¬y ∧ ¬z)
  B: (x ∧ y) ∨ (¬x ∧ ¬z)

[Figure: the circuit for A ∧ B over the shared variables x, y, z, with gates g1 ... g6 labelled A or B according to the side they implement.]

Another Example of Interpolation

  A: (¬x ∧ z) ∨ (x ∧ ¬y ∧ ¬z)
  B: (x ∧ y) ∨ (¬x ∧ ¬z)
  I = (¬x ∧ z) ∨ (x ∧ ¬y)

Check: A ⇒ I (each cube of A is contained in a cube of I); I ∧ B = false (each cube of I contradicts each cube of B on x, y or z); and x, y, z are exactly the variables shared by A and B.

Some Definitions for Unsatisfiability Proof

- Let (A, B) be a pair of clause sets and let Π be a proof of unsatisfiability of A ∪ B
  - Π is a DAG (VΠ, EΠ)
  - Each non-root vertex c ∈ VΠ corresponds to a clause and has exactly 2 predecessors, say c1, c2
    - c is called the "resolvent" of c1 and c2
    - The resolved variable v is called the "pivot" variable
  - Π has exactly 1 leaf vertex, which is False (the null clause)
  - The roots are original clauses in A ∪ B
- Global/local variable/literal
  - With respect to (A, B), a variable/literal is global if it appears in both A and B
  - It is called local to A if it appears only in A

Again: implication graph, resolution, and learning

[Figure: implication graph with decisions a = 1 (level 1), b = 0 (level 2), c = 0 (level 3), the implied assignments a1 = 0, a2 = 1, a3 = 1, b1 = 0, b2 = 1, b3 = 0, b4 = 1, c1 = 0, c2 = 1, c3 = 1, c4 = 0, and the conflict g = 0 / g = 1.]

Resolving backwards from the conflict (steps 1 to 5; the right column is the intermediate clause after each resolution):
  (1): (c2' + g)
  (2): (b4' + c4 + g')      ->  (b4' + c2' + c4)
  (3): (a2' + c3' + c4')    ->  (a2' + b4' + c2' + c3')
  (4): (c1 + c3)            ->  (a2' + b4' + c1 + c2')
  (5): (b1 + c1 + c2)       ->  (a2' + b1 + b4' + c1)    learned clause

Again: Resolution Graph

[Figure legend: original clause, temporary clause, learned clause, NULL clause, proof core]

- A conflict is encountered
  - A learned clause is generated
- More conflicts are resolved...
- A conflict is encountered at decision level 0
  - The problem is proven UNSAT
  - The clauses on the resolution paths into the NULL clause form the proof core

Interpolants from Proofs (McMillan)

- Deriving an interpolant from Π
  => call itp(leaf vertex)
- itp(c) {   // c ∈ VΠ
    if c is a root, then
      if c ∈ A then
        itp(c) = the disjunction of the global literals in c
      else itp(c) = constant True
    else, let c1, c2 be the predecessors of c and let v be their pivot variable
      if v is local to A
        then itp(c) = itp(c1) ∨ itp(c2)
        else itp(c) = itp(c1) ∧ itp(c2)
  }

Interpolants from Proofs (McMillan)

  A = (p)(¬p ∨ q)      B = (¬q ∨ r)(¬r)

Resolution refutation:
  (p), (¬p ∨ q)  ⊢ (q)    pivot p
  (q), (¬q ∨ r)  ⊢ (r)    pivot q
  (r), (¬r)      ⊢ ()     pivot r

Applying itp from the roots down to the null clause:
  itp((p))      = False   root in A; its global literals are ∅ (p occurs only in A)
  itp((¬p ∨ q)) = q       root in A; global literals = {q}
  itp((¬q ∨ r)) = True    root in B
  itp((¬r))     = True    root in B
  itp((q)) = itp((p)) ∨ itp((¬p ∨ q)) = False ∨ q = q     pivot p is local to A
  itp((r)) = itp((q)) ∧ itp((¬q ∨ r)) = q ∧ True = q      pivot q is global (not local to A)
  itp(())  = itp((r)) ∧ itp((¬r))     = q ∧ True = q      pivot r is local to B (not local to A)

  => interpolant A' = q

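Added example (not part of the slides): McMillan's itp recursion above, implemented over an explicit resolution proof and applied to the slides' example A = (p)(¬p ∨ q), B = (¬q ∨ r)(¬r). The proof is written down by hand as a list of resolution steps (an assumption: a real tool takes it from the SAT solver's refutation), and the three interpolant conditions are then checked by enumeration rather than taken on faith.

```python
"""Interpolants from resolution proofs: McMillan's itp rule (added example, not from the slides).

Literals are signed ints (p = 1, ¬p = -1), clauses are frozensets of literals, and formulas
are Python callables over a total assignment {var: bool}. The resolution proof is given by
hand as a list of steps (assumption: a real tool reads it off the SAT solver's refutation).
"""
import itertools


def resolve(c1, c2, v):
    """Resolvent of c1 and c2 on pivot v (v must occur with opposite polarity in the two)."""
    assert (v in c1 and -v in c2) or (-v in c1 and v in c2), "bad pivot"
    return (c1 | c2) - {v, -v}


def interpolant(a_clauses, b_clauses, steps):
    """steps: (name, left, right, pivot) in topological order, where left/right name a root
    clause (the frozenset itself) or an earlier step. Returns (itp of the empty clause, global vars)."""
    a_vars = {abs(l) for c in a_clauses for l in c}
    b_vars = {abs(l) for c in b_clauses for l in c}
    glob = a_vars & b_vars
    clause, itp = {}, {}
    for c in a_clauses:                           # root in A: disjunction of its global literals
        clause[c] = c
        lits = [l for l in c if abs(l) in glob]
        itp[c] = lambda env, lits=lits: any(env[abs(l)] == (l > 0) for l in lits)
    for c in b_clauses:                           # root in B: constant True
        clause[c] = c
        itp[c] = lambda env: True
    for name, left, right, v in steps:
        clause[name] = resolve(clause[left], clause[right], v)
        f, g = itp[left], itp[right]
        if v in a_vars and v not in glob:         # pivot local to A: ∨
            itp[name] = lambda env, f=f, g=g: f(env) or g(env)
        else:                                     # pivot global or local to B: ∧
            itp[name] = lambda env, f=f, g=g: f(env) and g(env)
    assert clause[steps[-1][0]] == frozenset(), "proof must end in the empty clause"
    return itp[steps[-1][0]], glob


def holds(clauses, env):
    """Truth of a clause set under a total assignment."""
    return all(any(env[abs(l)] == (l > 0) for l in c) for c in clauses)


def check_interpolant(a_clauses, b_clauses, itp, glob):
    """A ⇒ I, I ∧ B unsatisfiable, and I depends only on global variables
    (checked by flipping each local variable and requiring I not to change)."""
    names = sorted({abs(l) for c in a_clauses | b_clauses for l in c})
    for bits in itertools.product([False, True], repeat=len(names)):
        env = dict(zip(names, bits))
        if holds(a_clauses, env) and not itp(env):
            return False
        if itp(env) and holds(b_clauses, env):
            return False
        if any(itp({**env, n: not env[n]}) != itp(env) for n in names if n not in glob):
            return False
    return True


# The slides' example: p = 1, q = 2, r = 3.
P, Q, R = 1, 2, 3
A = {frozenset({P}), frozenset({-P, Q})}
B = {frozenset({-Q, R}), frozenset({-R})}
PROOF = [("(q)", frozenset({P}), frozenset({-P, Q}), P),   # pivot p, local to A  -> False ∨ q
         ("(r)", "(q)", frozenset({-Q, R}), Q),            # pivot q, global      -> q ∧ True
         ("()", "(r)", frozenset({-R}), R)]                # pivot r, local to B  -> q ∧ True


def slide_example():
    """Interpolant for the slides' (A, B); it is equivalent to q."""
    return interpolant(A, B, PROOF)


if __name__ == "__main__":
    itp, glob = slide_example()
    print(glob, [itp({P: p, Q: q, R: r}) for p, q, r in itertools.product([False, True], repeat=3)])
    print(check_interpolant(A, B, itp, glob))
```

The interpolant is built as a circuit that mirrors the proof DAG, which is why the construction is linear in the proof size; only the root rule and the choice between ∨ and ∧ at each resolvent depend on the (A, B) partition.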
How can interpolation help SAT-based unbounded model checking?

- Remember:
  SAT doesn't compute nor record the exact image, and it is not a good idea to use SAT for exact image computation
- In BMC, split the UNSAT unrolling into
  A = S0 ∧ C0      B = C1 ∧ C2 ∧ ... ∧ Ck ∧ Fk

[Figure: the unrolling S0, C0 | C1, C2, ..., Ck-1, Ck, Fk from t = 0 to t = k, with A ∧ B UNSAT.]

What does A mean? What is image(S0) here? What does B mean? What does their interpolant I mean?

Using interpolation for over-approximated image computation

  A = S0 ∧ C0      B = C1 ∧ C2 ∧ ... ∧ Ck ∧ Fk

[Figure: the same unrolling, with Y the state variables at t = 1, i.e. the variables on the cut between C0 and C1.]

- A = S0 ∧ C0
  - Characterizes S1 (not computed explicitly), the image of S0, on the variables Y
- B = C1 ∧ C2 ∧ ... ∧ Ck ∧ Fk
  - Characterizes the set of states on the variables Y that can witness (reach) Fk within k time frames
- I = interpolant of A and B
  - A ⇒ I
  - I ∧ B = ∅
  - I refers only to the common variables of A and B (which are exactly Y, the state variables at t = 1)
  => I is an over-approximation, on Y, of the image S1 of S0
  => The states in I cannot reach Fk within k time frames

Interpolation-based image

- Idea: use the unfolding to enforce k-adequacy
  A = S0 ∧ C0      B = C1 ∧ C2 ∧ ... ∧ Ck ∧ Fk      (A ∧ B UNSAT)

Let I = Img'(S0), where I is an interpolant for (A, B)...
  - remember: I contains only the common variables of (A, B), the state variables at t = 1
  => Img' is k-adequate!

Intuition

  A = S0 ∧ C0      B = C1 ∧ C2 ∧ ... ∧ Ck ∧ Fk      (A ∧ B UNSAT; I sits on the cut between them)

- I tells everything the SAT solver deduced about the image of S0 in proving it can't reach F in k steps.
- Hence, I is in some sense an abstraction of the image relative to the property.
- Note: I is undefined if A ∧ B is SAT.

Interpolation-based UBMC

  let k = 0
  repeat_1
    if BMCk(S0, F) = SAT, answer reachable
    R = S0
    let i = 0
    repeat_2
      Si+1 = Img'(Si, C)                        // interpolant of (Si ∧ C0, C1 ∧ ... ∧ Ck ∧ Fk)
      if BMCk(Si+1, F) = SAT, break repeat_2    // the over-approximation is too coarse for this k
      R' = R ∨ Si+1
      if R' = R, answer unreachable             // fixed point
      R = R'
      increase i
    end repeat_2
    increase k
  end repeat_1

Interpolation-based UBMC

[Figure: one run of the algorithm, reconstructed as a trace]
  k = 0: BMC0 = S0 ∧ C0 ∧ F0 is UNSAT (F not hit at t = 0)  -> k++
  k = 1: BMC1 = S0 ∧ C0 ∧ C1 ∧ F1 is UNSAT (F not hit at t = 1); R0 = S0
         A = S0 ∧ C0, B = C1 ∧ F1: UNSAT -> interpolant S1' over the state variables at t = 1
         R1 = R0 ∨ S1';  R1 == R0? no
         A = S1' ∧ C0, B = C1 ∧ F1:
           UNSAT -> interpolant S2';  R2 = R1 ∨ S2';  R2 == R1? yes -> fixed point, F unreachable
           SAT   -> S1' is too coarse for k = 1: k++ and restart from S0
         (had R2 != R1: A = S2' ∧ C0, B = C1 ∧ F1, and a SAT answer there again means k++)

Termination

- Since k increases at every iteration, eventually k > d, the diameter, in which case Img' is adequate, and hence we terminate.

Notes:
  - we don't need to know when k > d in order to terminate
  - often termination occurs with k << d
  - the depth bound for the earlier method (Sheeran et al. '00) is the "longest simple path", which can be exponentially longer than the diameter

Interpolation-based UBMC

- Fully SAT-based.
- Inherits the SAT solver's ability to concentrate on the facts relevant to a property.
- Like CBA and PBA, most effective when
  - a very large set of facts is available
  - only a small subset is relevant to the property
- For true properties, appears to converge for smaller k values.

Is the above intp-UBMC complete?

- Given that the diameter d is unknown, does interpolation-UBMC always terminate for some k?
  - The worry, similar to the one for SAT-based induction: suppose there is a state that (1) is unreachable from the initial state, (2) can go to ¬p, (3) is involved in a loop, and (4) is captured by the Img' operator. Then BMCk from Img'(Si) is SAT, repeat_2 breaks, and k is increased; the question is whether this can happen for every k.
  - Caveat: the termination argument two slides back holds when B checks ¬p at every frame 1..k (McMillan's formulation): a k-adequate Img' then excludes any state that can reach ¬p within k steps, so once k exceeds the distance from such a state to ¬p it can no longer appear in Si+1. The cost is that k may have to grow up to the reverse depth of ¬p. If ¬p is placed only at the last frame of B, as in the formulas above, this argument no longer applies directly, which is the first question on the next slide.
  - How to resolve this?

[Figure: S0, with Img'(S0, C) spilling into a state that is unreachable from I but can reach ¬P.]

Discussion on intp-based UBMC

- Should we put one ¬p at the last time frame (of B), or an OR(¬p, ..., ¬p) over all time frames of B?
  - Efficiency issue
- If the intp-based UBMC is not running efficiently on some test cases, what are the possible reasons?
  - Any idea how to solve them?
- Should we make Img' closer to Img (i.e. more accurate)?
  - For example, compute intp(S0 ∧ C0, ¬S1') and use it as the new S1'
- Backward intp-based UBMC?
  - How? Will it be more efficient?