Counterexample-guided abstraction refinement for symbolic model checking

The state explosion problem remains a major hurdle in applying symbolic model checking to large hardware designs. State space abstraction, having been essential for verifying designs of industrial complexity, is typically a manual process, requiring considerable creativity and insight.In this article, we present an automatic iterative abstraction-refinement methodology that extends symbolic model checking. In our method, the initial abstract model is generated by an automatic analysis of the control structures in the program to be verified. Abstract models may admit erroneous (or "spurious") counterexamples. We devise new symbolic techniques that analyze such counterexamples and refine the abstract model correspondingly. We describe aSMV, a prototype implementation of our methodology in NuSMV. Practical experiments including a large Fujitsu IP core design with about 500 latches and 10000 lines of SMV code confirm the effectiveness of our approach.

[1]  Somesh Jha,et al.  Abstract BDDs: A Technique for Using Abstraction in Model Checking , 1999, CHARME.

[2]  G. Hachtel,et al.  Tearing based automatic abstraction for CTL model checking , 1996, ICCAD 1996.

[3]  Alberto L. Sangiovanni-Vincentelli,et al.  An Iterative Approach to Language Containment , 1993, CAV.

[4]  Mahesh Viswanathan,et al.  The Complexity of Problems on Graphs Represented as OBDDs , 1998, Chic. J. Theor. Comput. Sci..

[5]  Randal E. Bryant,et al.  On the Complexity of VLSI Implementations and Graph Representations of Boolean Functions with Application to Integer Multiplication , 1991, IEEE Trans. Computers.

[6]  Armin Biere,et al.  Combining Symbolic Model Checking with Uninterpreted Functions for Out-of-Order Processor Verification , 1998, FMCAD.

[7]  Edmund M. Clarke,et al.  Design and Synthesis of Synchronization Skeletons Using Branching-Time Temporal Logic , 1981, Logic of Programs.

[8]  David L. Dill,et al.  Verification by approximate forward and backward reachability , 1998, 1998 IEEE/ACM International Conference on Computer-Aided Design. Digest of Technical Papers (IEEE Cat. No.98CB36287).

[9]  Joseph Sifakis,et al.  Property preserving abstractions for the verification of concurrent systems , 1995, Formal Methods Syst. Des..

[10]  Kenneth L. McMillan,et al.  A Conjunctively Decomposed Boolean Representation for Symbolic Model Checking , 1996, CAV.

[11]  Sérgio Vale Aguiar Campos,et al.  Symbolic Model Checking , 1993, CAV.

[12]  Helmut Veith,et al.  Languages Represented by Boolean Formulas , 1997, Inf. Process. Lett..

[13]  Fausto Giunchiglia,et al.  NUSMV: a new symbolic model checker , 2000, International Journal on Software Tools for Technology Transfer.

[14]  Edmund M. Clarke,et al.  Model checking and abstraction , 1994, TOPL.

[15]  Matthew B. Dwyer,et al.  Tool-supported program abstraction for finite-state verification , 2001, Proceedings of the 23rd International Conference on Software Engineering. ICSE 2001.

[16]  David L. Dill,et al.  Experience with Predicate Abstraction , 1999, CAV.

[17]  Parosh Aziz Abdulla,et al.  Verification of Infinite-State Systems by Combining Abstraction and Reachability Analysis , 1999, CAV.

[18]  Randal E. Bryant,et al.  Graph-Based Algorithms for Boolean Function Manipulation , 1986, IEEE Transactions on Computers.

[19]  Orna Grumberg,et al.  Abstract interpretation of reactive systems , 1997, TOPL.

[20]  Kurt Jensen Condensed state spaces for symmetrical Coloured Petri Nets , 1996, Formal Methods Syst. Des..

[21]  A. Prasad Sistla,et al.  Automatic verification of finite state concurrent system using temporal logic specifications: a practical approach , 1983, POPL '83.

[22]  Jae-Young Jang,et al.  Tearing based abstraction for CTL model checking , 1996, ICCAD 1996.

[23]  Srinivas Devadas,et al.  Automatic generation and verification of sufficient correctness properties for synchronous processors , 1992, ICCAD.

[24]  Susanne Graf,et al.  Verification of a Distributed Cache Memory by Using Abstractions , 1994, CAV.

[25]  Henrik Reif Andersen,et al.  Stepwise CTL Model Checking of State/Event Systems , 1999, CAV.

[26]  Olivier Coudert,et al.  Verification of Synchronous Sequential Machines Based on Symbolic Execution , 1989, Automatic Verification Methods for Finite State Systems.

[27]  Helmut Veith,et al.  Succinct representation, leaf languages, and projection reductions , 1996, Proceedings of Computational Complexity (Formerly Structure in Complexity Theory).

[28]  Edmund M. Clarke,et al.  Model checking, abstraction, and compositional verification , 1993 .

[29]  David L. Dill,et al.  Counterexample-guided choice of projections in approximate symbolic model checking , 2000, IEEE/ACM International Conference on Computer Aided Design. ICCAD - 2000. IEEE/ACM Digest of Technical Papers (Cat. No.00CH37140).

[30]  Jürgen Dingel,et al.  Model Checking for Infinite State Systems Using Data Abstraction, Assumption-Commitment Style reasoning and Theorem Proving , 1995, CAV.

[31]  Hassan. Saidig Automatic Veriication of Parameterized Networks of Processes by Abstraction , 1997 .

[32]  Doron A. Peled,et al.  Using partial-order methods in the formal validation of industrial concurrent programs , 1996, ISSTA '96.

[33]  Pierre Wolper,et al.  Verifying Properties of Large Sets of Processes with Network Invariants , 1990, Automatic Verification Methods for Finite State Systems.

[34]  Mihir Bellare,et al.  Free bits, PCPs and non-approximability-towards tight results , 1995, Proceedings of IEEE 36th Annual Foundations of Computer Science.

[35]  David L. Dill,et al.  Successive approximation of abstract transition relations , 2001, Proceedings 16th Annual IEEE Symposium on Logic in Computer Science.

[36]  David L. Dill,et al.  Better verification through symmetry , 1996, Formal Methods Syst. Des..

[37]  Abelardo Pardo,et al.  Incremental CTL model checking using BDD subsetting , 1998, Proceedings 1998 Design and Automation Conference. 35th DAC. (Cat. No.98CH36175).

[38]  Helmut Veith,et al.  How to encode a logical structure by an OBDD , 1998, Proceedings. Thirteenth Annual IEEE Conference on Computational Complexity (Formerly: Structure in Complexity Theory Conference) (Cat. No.98CB36247).

[39]  David S. Johnson,et al.  Computers and Intractability: A Guide to the Theory of NP-Completeness , 1978 .

[40]  Robert K. Brayton,et al.  Automatic Datapath Abstraction In Hardware Systems , 1995, CAV.

[41]  David L. Dill,et al.  Reducing Manual Abstraction in Formal Verification of Out-of-Order Execution , 1998, FMCAD.

[42]  Natarajan Shankar,et al.  Abstract and Model Check While You Prove , 1999, CAV.

[43]  Doron A. Peled,et al.  Using partial-order methods in the formal validation of industrial concurrent programs , 1996, ISSTA '96.

[44]  Somesh Jha,et al.  Exploiting symmetry in temporal logic model checking , 1993, Formal Methods Syst. Des..

[45]  Mihir Bellare,et al.  Free Bits, PCPs, and Nonapproximability-Towards Tight Results , 1998, SIAM J. Comput..

[46]  Carl Pixley Introduction to a Computational Theory and Implementation of Sequential Hardware Equivalence , 1990, CAV.

[47]  Seh-Woong Jeong,et al.  Exact calculation of synchronization sequences based on binary decision diagrams , 1992, [1992] Proceedings 29th ACM/IEEE Design Automation Conference.

[48]  John M. Rushby,et al.  Integrated Formal Verification: Using Model Checking with Automated Abstraction, Invariant Generation, and Theorem Proving , 1999, SPIN.

[49]  Kenneth L. McMillan,et al.  Verification of Infinite State Systems by Compositional Model Checking , 1999, CHARME.

[50]  Bernd Finkbeiner,et al.  Abstraction and Modular Verification of Infinite-State Reactive Systems , 1997, Requirements Targeting Software and Systems Engineering.

[51]  Tomás E. Uribe,et al.  Generating Finite-State Abstractions of Reactive Systems Using Decision Procedures , 1998, CAV.

[52]  Carl Pixley,et al.  Automatic derivation of FSM specification to implementation encoding , 1991, [1991 Proceedings] IEEE International Conference on Computer Design: VLSI in Computers and Processors.

[53]  Doron A. Peled,et al.  All from One, One for All: on Model Checking Using Representatives , 1993, CAV.

[54]  Patrick Cousot,et al.  Refining Model Checking by Abstract Interpretation , 2004, Automated Software Engineering.

[55]  Orna Grumberg,et al.  Generation of Reduced Models for Checking Fragments of CTL , 1993, CAV.

[56]  Saharon Shelah,et al.  Toward Categoricity for Classes with no Maximal Models , 1999, Ann. Pure Appl. Log..

[57]  Yassine Lakhnech,et al.  Computing Abstractions of Infinite State Systems Compositionally and Automatically , 1998, CAV.

[58]  Georg Gottlob,et al.  Succinctness as a Source of Complexity in Logical Formalisms , 1999, Ann. Pure Appl. Log..

[59]  Patrice Godefroid,et al.  Model Checking Partial State Spaces with 3-Valued Temporal Logics , 1999, CAV.

[60]  A. Prasad Sistla,et al.  Symmetry and model checking , 1993, Formal Methods Syst. Des..

[61]  Abelardo Pardo Sanchez,et al.  Automatic Abstraction Techniques For Formal Verification Of Digital Systems , 1997 .

[62]  Olivier Coudert,et al.  A Performance Study of BDD-Based Model Checking , 1998, FMCAD.

[63]  Vlad Rusu,et al.  On Proving Safety Properties by Integrating Static Analysis, Theorem Proving and Abstraction , 1999, TACAS.

[64]  Uriel Feige,et al.  Zero Knowledge and the Chromatic Number , 1998, J. Comput. Syst. Sci..

[65]  Masahiro Fujita,et al.  Symbolic model checking using SAT procedures instead of BDDs , 1999, DAC '99.

[66]  Reinhard Wilhelm,et al.  Parametric shape analysis via 3-valued logic , 1999, POPL '99.

[67]  Carl Pixley A Computation Theory and Implementation of Sequential Hardware Equivalence , 1990, CAV.

[68]  Fumiyasu Hirose,et al.  An approach to verify a large scale system-on-a-chip using symbolic model checking , 1998, Proceedings International Conference on Computer Design. VLSI in Computers and Processors (Cat. No.98CB36273).

[69]  Abelardo Pardo-Sanchez,et al.  Automatic abstraction techniques for formal verification of digital systems , 1998 .

[70]  Joseph Sifakis,et al.  Property Preserving Simulations , 1992, CAV.

[71]  Hassen Saïdi,et al.  Construction of Abstract State Graphs with PVS , 1997, CAV.

[72]  Zohar Manna,et al.  Automatic Generation of Invariants and Intermediate Assertions , 1997, Theor. Comput. Sci..

[73]  Edmund M. Clarke,et al.  Symbolic Model Checking: 10^20 States and Beyond , 1990, Inf. Comput..

[74]  Joseph Sifakis,et al.  Property Preserving Homomorphisms of Transition Systems , 1983, Logic of Programs.

[75]  Arun K. Somani,et al.  Abstraction Techniques for Modeling Real-World Interface Chips , 1993, HUG.

[76]  Orna Grumberg,et al.  Abstract Interpretation of Reactive Systems: Abstractions Preserving 'I1CTL *. 3CTL * and CTL * , 1994 .

[77]  Adrian J. Isles,et al.  Formal verification of pipeline control using controlled token nets and abstract interpretation , 1998, 1998 IEEE/ACM International Conference on Computer-Aided Design. Digest of Technical Papers (IEEE Cat. No.98CB36287).

[78]  E. Allen Emerson,et al.  From Asymmetry to Full Symmetry: New Techniques for Symmetry Reduction in Model Checking , 1999, CHARME.

[79]  Edmund M. Clarke,et al.  Symbolic Model Checking with Partitioned Transistion Relations , 1991, VLSI.

[80]  Patrick Cousot,et al.  Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints , 1977, POPL.

[81]  David L. Dill,et al.  Automatic verification of Pipelined Microprocessor Control , 1994, CAV.