
Counterexample-guided abstraction refinement for symbolic model checking

Published: 01 September 2003

Abstract

The state explosion problem remains a major hurdle in applying symbolic model checking to large hardware designs. State space abstraction, having been essential for verifying designs of industrial complexity, is typically a manual process, requiring considerable creativity and insight. In this article, we present an automatic iterative abstraction-refinement methodology that extends symbolic model checking. In our method, the initial abstract model is generated by an automatic analysis of the control structures in the program to be verified. Abstract models may admit erroneous (or "spurious") counterexamples. We devise new symbolic techniques that analyze such counterexamples and refine the abstract model correspondingly. We describe aSMV, a prototype implementation of our methodology in NuSMV. Practical experiments, including a large Fujitsu IP core design with about 500 latches and 10000 lines of SMV code, confirm the effectiveness of our approach.
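The abstraction-refinement loop the abstract describes, as an added Python example that is not part of the paper or of aSMV: a constructed three-variable design is abstracted by hiding variables (existential abstraction), the abstract model is checked, each abstract counterexample is replayed on the concrete model to locate the failure state, and that state is split by unhiding a variable that separates its dead-end states from its bad states. The paper derives the initial abstraction from the program's control structure and works symbolically with BDDs; here the initial abstraction simply keeps the property variable and all state sets are explicit, which is a simplification for illustration.

```python
from collections import deque
from itertools import product

# Constructed toy (not the paper's aSMV): state = (x, y, err); property: err stays 0.
VARS = ("x", "y", "err")
STATES = set(product((0, 1), repeat=3))
INIT = {(0, 0, 0)}

def step(s):
    """x toggles and y copies it; err rises only from (x, y) == (1, 0), unreachable."""
    x, y, err = s
    return {s} if err else {(x, y, 1)} if (x, y) == (1, 0) else {(1 - x, 1 - x, 0)}

def h(s, visible):
    """Existential abstraction: keep the visible variables, drop the rest."""
    return tuple(s[VARS.index(v)] for v in visible)

def abstract_counterexample(visible):
    """BFS on the abstract model: shortest path to a bad abstract state, or None."""
    trans = {(h(s, visible), h(t, visible)) for s in STATES for t in step(s)}
    bad_abs = {h(s, visible) for s in STATES if s[2] == 1}
    seen = {h(s, visible) for s in INIT}
    queue = deque((a,) for a in seen)
    while queue:
        path = queue.popleft()
        if path[-1] in bad_abs:
            return list(path)
        for a, b in trans:
            if a == path[-1] and b not in seen:
                seen.add(b)
                queue.append(path + (b,))
    return None

def analyse(path, visible):
    """Replay the abstract path concretely. None => real counterexample; else split
    the failure state: unhide a variable separating dead-end from bad states."""
    S = {s for s in INIT if h(s, visible) == path[0]}
    for i in range(1, len(path)):
        nxt = {t for s in S for t in step(s) if h(t, visible) == path[i]}
        if nxt:
            S = nxt  # concrete states reached along the abstract prefix
            continue
        # S: dead-end states (reached, cannot continue); bad_states: could continue
        bad_states = {s for s in STATES if h(s, visible) == path[i - 1]
                      and any(h(t, visible) == path[i] for t in step(s))}
        hidden = [v for v in VARS if v not in visible]
        for v in hidden:
            k = VARS.index(v)
            if {s[k] for s in S}.isdisjoint({s[k] for s in bad_states}):
                return visible + (v,)
        return visible + (hidden[0],)  # no single separator: unhide any variable
    return None

def cegar(visible=("err",)):
    """Abstract, model-check, analyse the counterexample, refine, repeat."""
    while (path := abstract_counterexample(visible)) is not None:
        refined = analyse(path, visible)
        if refined is None:
            return "unsafe", path
        visible = refined
    return "safe", visible
```

Starting from the abstraction that keeps only `err`, two spurious counterexamples are found and eliminated (unhiding `x`, then `y`) before the property is proved.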

