Results 11 - 20 of 40
Multiple-Counterexample Guided Iterative Abstraction Refinement: An Industrial Evaluation
2003
Cited by 22 (0 self)
Abstract
In this paper, we describe a completely automated framework for iterative abstraction refinement that is fully integrated into a formal-verification environment. This environment consists of three basic software tools: Forecast, a BDD-based model checker, Thunder, a SAT-based bounded model checker, and MCE, a technology for multiple-counterexample analysis. In our framework, the initial abstraction is chosen relative to the property under verification. The abstraction is model checked by Forecast; in case of failure, a counterexample is returned. Our framework includes an abstract counterexample analyzer module that applies techniques for bounded model checking to check whether the abstract counterexample holds in the concrete model. If it does, it is extended to a concrete counterexample. This important capability is provided as a separate tool that also addresses one of the major problems of verification by manual abstraction.
Incremental CTL Model Checking Using BDD Subsetting
1998
Cited by 21 (2 self)
Abstract
An automatic abstraction/refinement algorithm for symbolic CTL model checking is presented. Conservative model checking is thus done for the full CTL language -- no restriction is made to the universal or existential fragments. The algorithm begins with conservative verification of an initial abstraction. If the conclusion is negative, it derives a "goal set" of states which require further resolution. It then successively refines, with respect to this goal set, the approximations made in the sub-formulas, until the given formula is verified or computational resources are exhausted. This method applies uniformly to the abstractions based in over-approximation as well as under-approximations of the model. Both the refinement and the abstraction procedures are based in BDD-subsetting. Note that refinement procedures which are based on error traces are limited to over-approximation on the universal fragment (or for language containment), whereas the goal set method is applicable to all consistent...
A game-based framework for CTL counterexamples and 3-valued abstraction-refinement
In Computer Aided Verification (CAV), LNCS 2725, 2003
Cited by 20 (6 self)
Abstract
This work exploits and extends the game-based framework of CTL model checking for counterexample and incremental abstraction-refinement. We define a game-based CTL model checking for abstract models over the 3-valued semantics, which can be used for verification as well as refutation. The model checking may end with an indefinite result, in which case we suggest a new notion of refinement, which eliminates indefinite results of the model checking. This provides an iterative abstraction-refinement framework. It is enhanced by an incremental algorithm, where refinement is applied only where indefinite results exist and definite results from prior iterations are used within the model checking algorithm. We also define the notion of annotated counterexamples, which are sufficient and minimal counterexamples for full CTL. We present an algorithm that uses the game board of the model checking game to derive an annotated counterexample in case the examined system model refutes the checked formula.
Enhancing Simulation with BDDs and ATPG
1998
Cited by 18 (3 self)
Abstract
List of Tables
List of Figures
Chapter 1 Introduction
  1.1 Previous Work
    1.1.1 BDD-Based Approaches
    1.1.2 Test synthesis
    1.1.3 Coverage estimation
    1.1.4 Conservative approximations
    1.1.5 Sequential ATPG
  1.2 The Case for a Simulation Based Approach
  1.3 Thesis Organization
Chapter 2 Background
  2.1 Netlists and FSMs
  2.2 RTL descriptions and Indicator variables
  2.3 Invariant Verification
Chapter 3 Augmenting Simulation with ATPG and BDDs
Chapter 4 Experiments and Results
Bibliography
Vita
The software model checker BLAST: Applications to software engineering
Int. J. Softw. Tools Technol. Transfer, 2007
Cited by 18 (5 self)
Abstract
Blast is an automatic verification tool for checking temporal safety properties of C programs. Given a C program and a temporal safety property, Blast either statically proves that the program satisfies the safety property, or provides an execution path that exhibits a violation of the property (or, since the problem is undecidable, does not terminate). Blast constructs, explores, and refines abstractions of the program state space based on lazy predicate abstraction and interpolation-based predicate discovery. This paper gives an introduction to Blast and demonstrates, through two case studies, how it can be applied to program verification and test-case generation. In the first case study, we use Blast to statically prove memory safety for C programs. We use CCured, a type-based memory-safety analyzer, to annotate a program with run-time assertions that check for safe memory operations. Then, we use Blast to remove as many of the run-time checks as possible (by proving that these checks never fail), and to generate execution scenarios that violate the assertions for the remaining run-time checks. In our second case study, we use Blast to automatically generate test suites that guarantee full coverage with respect to a given predicate. Given a C program and a target predicate p, Blast determines the program locations q for which there exists a program execution that reaches q with p true, and automatically generates a set of test vectors that
Progress on the State Explosion Problem in Model Checking
2000
Cited by 17 (1 self)
Abstract
Model checking is an automatic verification technique for finite state concurrent systems. In this approach to verification, temporal logic specifications are checked by an exhaustive search of the state space of the concurrent system. Since the size of the state space grows exponentially with the number of processes, model checking techniques based on explicit state enumeration can only handle relatively small examples. This phenomenon is commonly called the "State Explosion Problem". Over the past ten years considerable progress has been made on this problem by (1) representing the state space symbolically using BDDs and by (2) using abstraction to reduce the size of the state space that must be searched. As a result model checking has been used successfully to find extremely subtle errors in hardware controllers and communication protocols. In spite of these successes, however, additional research is needed to handle large designs of industrial complexity. The aim of this paper is to give a succinct survey of symbolic model checking and to introduce the reader to recent advances in abstraction.
Verification of large state/event systems using compositionality and dependency analysis
1998
Cited by 16 (4 self)
Abstract
A state/event model is a concurrent version of Mealy machines used for describing embedded reactive systems. This paper introduces a technique that uses compositionality and dependency analysis to significantly improve the efficiency of symbolic model checking of state/event models. It makes possible automated verification of large industrial designs with the use of only modest resources (less than 20 minutes on a standard PC for a model with 1421 concurrent machines). The results of the paper are being implemented in the next version of the commercial tool visualSTATE™.
Symbolic Localization Reduction with Reconstruction Layering and Backtracking
In Proc. of Conference on Computer-Aided Verification (CAV), 2002
Cited by 16 (2 self)
Abstract
Localization reduction is an abstraction-refinement scheme for model checking which was introduced by Kurshan [12] as a means for tackling state explosion. It is completely automatic, but despite the work that has been done related to this scheme, it still suffers from computational complexity. In this paper we present algorithmic improvements to localization reduction that enabled us to overcome some of these problems. Namely, we present a new symbolic algorithm for path reconstruction including incremental refinement and backtracking. We have implemented these improvements and compared them to previous work on a large number of our industrial examples. In some cases the improvement was dramatic. Using these improvements we were able to verify circuits that we were not previously able to address.
Stepwise CTL Model Checking of State/Event Systems
In Computer Aided Verification, 1999
Cited by 14 (1 self)
Abstract
In this paper we present an efficient technique for symbolic model checking of any CTL formula with respect to a state/event system. Such a system is a concurrent version of a Mealy machine and is used to describe embedded reactive systems. The technique uses compositionality to find increasingly better upper and lower bounds of the solution to a CTL formula until an exact answer is found. Experiments show this approach to succeed on examples larger than the standard backwards traversal can handle, and even in many cases where both methods succeed it is shown to be faster.
Counterexample-guided choice of projections in approximate symbolic model checking
In Proceedings of ICCAD, 2000
Cited by 13 (4 self)
Abstract
BDD-based symbolic techniques of approximate reachability analysis based on decomposing the circuit into a collection of overlapping sub-machines (also referred to as overlapping projections) have been recently proposed. Computing a superset of the reachable states in this fashion is susceptible to false negatives. Searching for real counterexamples in such an approximate space is liable to failure. In this paper, the "hybridization effect" induced by the choice of projections is identified as the cause for the failure. A heuristic based on Hamming Distance is proposed to improve the choice of projections, that reduces the hybridization effect and facilitates either a genuine counterexample or proof of the property. The ideas are evaluated on a real large design.