DISS. ETH Nr.

19443

Coverage, Vacuity, and Interpolation

in Model Checking

D ISSERTATION
submitted to ETH Z URICH
for the degree of

D OCTOR OF S CIENCES
presented by
Mitra Purandare
M.Sc.
University of Colorado Boulder, USA
born August 8 1978
citizen of India
accepted on the recommendation of
Prof. Dr. Jürg Gutknecht
Dr. Daniel Kröning

2010
© Mitra Purandare, 2010

ISBN 978-1-257-03868-8
To my husband, Ishan
Abstract
Model checking is an algorithmic method for ascertaining correct behavior of a model by
checking if the model adheres to its formal properties. This dissertation addresses two impor-
tant sanity checks for increasing confidence in the outcome of model checking, viz.: coverage
analysis (“Is the set of properties adequate to certify correctness of the model?”) and vacuity
detection (“Does the model satisfy the properties for the right reasons?”).
A naive way to perform coverage analysis is to mutate parts of the model and check if the
resulting model still satisfies the properties. Model checking each of the mutated models can
be prohibitively expensive. This dissertation proposes a novel and fast algorithm to compute
coverage of properties. The algorithm uses the proof of correctness and the inductive invari-
ant computed by interpolant-based model checking. The algorithm has been implemented in
the tool EBMC. The algorithm provides a speed improvement of several orders of magnitude
compared to the naive method on a broad range of circuits from the Hardware Model Checking
Competition (2008).
Vacuity detection is typically achieved by identifying subformulas of a property that do not
influence the model checking outcome. This dissertation proposes novel and fast algorithms
for detecting vacuous properties. A subformula of the property is mutated and it is checked
if the resulting property is still satisfied by the model. The algorithms exploit the fact that
the mutated properties form a lattice ordered by implication. Counterexamples generated by
the model checker are also utilised effectively. The algorithms are implemented in the tool
AARDVARK . Evaluation of the algorithms on an extensive set of Verilog benchmarks exposes
vacuity in nearly half of the properties.
Image computation, an essential step in model checking, involves quantifier elimination
which is computationally expensive. A popular technique to avoid quantifier elimination is to
compute approximate images using Craig interpolation. The performance of an interpolant-
based model checker depends on the approximate images obtained. This dissertation shows
that vacuous properties enable computation of coarser approximate images. In particular, it
shows that vacuous properties induce weaker interpolants.
This dissertation relates the semantic notions of vacuity and notions of coverage proving
that vacuity is stronger than coverage. In essence, vacuity of an atomic proposition in a property
implies that coverage of the model with respect to that proposition is zero. Hence, vacuity
detection must precede coverage analysis resulting in improved coverage with less work.
Zusammenfassung
Verifikation ist eine Methode zur Prüfung des Verhaltens eines Systems, wobei das System mit
einer erwünschten Eigenschaft verglichen wird. Model Checking ist eine leistungsfähige und
vollständige Methode für Verifikation. Diese Dissertation adressiert zwei wichtigen Themen
die die Glaubwürdigkeit des Verifikationsergebnisses behandeln: vacuity detection (Wie gut
ein System eine Eigenschaft erfüllt?) und coverage analysis (Wie gut eine Eigenschaft ein
System beschreibt?).
Bei der Coverage-Analyse geht es darum Teile eines Systemmodells zu identifizieren,
welche das Model Checking nicht beeinflussen. Diese Dissertation schlägt einen neuen und
schnellen Algorithmus zur Coverage-Analyse einer bestimmten Eigenschaft vor, wobei der
Korrektheitsbeweis der Eigenschaft und eine induktive Invariante in Interpolanten-basierten
Model Checking wiederverwendet werden. Dieser Algorithmus wurde implementiert in einem
Tool namens EBMC und seine Effektivität wird auf einer breiten Auswahl von Schaltungen aus
der Model Checking Competition (2008) demonstriert. Der Algorithmus zeigt eine Beschleu-
nigung von meheren Zehnerpotenzen gegenüber primitiven Methoden.
Das Ziel bei der Erkennung von Vacuity ist festzustellen ob ein System eine bestimmte
Eigenschaft ungewollt aus trivialen Gründen erfüllt. In dieser Dissertation werden neue, schnelle
Algorithmen für Vacuity-Erkennung vorgestellt. Diese Algorithmen identifizieren Teilformeln
einer Eigenschaft, welche sich auf das Ergebnis des Model Checking nicht auswirken. Eine
modifizierte Methode der Binärsuche auf Verbänden von Eigenschaft wird vorgeschlagen. Die
Elemente des Verbandes sind dabei mutierte Eigenschaften, welche durch Implikation partiell
geordnet sind. Die vom Model Checker generierten Gegenbeispiele werden effizient genutzt
um eine weitere Verbesserung des Verbandsuchalgorithmus zu erreichen. Die vorgeschlage-
nen Algorithmen wurden in einem AARDVARK genannten Tool implementiert und auf einer
grossen Menge von Verilog-Programmen getestet. Das Testergebnis zeigt, dass bei mehr als
den Hälfte der Eigenschaften, Vacuity vorhanden ist.
Diese Dissertation untersucht verschiedene Auffassungen von Vacuity und Coverage, und
erstellt dabei eine Relation zwischen den semantischen Ideen von Vacuity und Coverage, wobei
bewiesen wird dass Vacuity strenger als Coverage ist. Im Wesentlichen impliziert Vacuity
einer atomaren Proposition in einer Eigenschaft, dass die Coverage des Modells bezüglich
dieser Proposition Null ist. Dies wiederum impliziert, dass Vacuity-Erkennung und Coverage-
Analyse miteinander verflochten werden sollten um bessere Coverage mit weniger Aufwand
zu erreichen.
Acknowledgements
This thesis would remain incomplete without the mention of the people who supported and
guided me through the years of my doctoral studies.
My supervisor, Dr. Daniel Kröning provided technical advice, encouragement, and support.
His doors were always open whenever I needed guidance. Discussions (telephonic and in
person) were of immense help. I thank him for all the efforts.
I thank Prof. Jürg Gutknecht at the ETH for being my co-supervisor and providing support
inspite of his busy schedule. I thank him and Lisa Ling Liu from his group for their comments
on this dissertation. I also thank Hana Chockler at the IBM Haifa Research Lab for several
interesting ideas and discussions during our collaboration.
My fellow doctoral students in the verification group at the ETH provided superb com-
pany. I never had a dull moment in the office with my long-time officemate Angelo Brill-
out. Christoph Wintersteiger always had a solution to my programming difficulties. Angelo,
Christoph, Gerard Basler, Nicolas Blanc, Yury Chebiryak, Vijay D’silva, Michele Mazzucchi,
Georg Weissenbacher, and the post-doctoral researcher Thomas Wahl have helped me in many
ways during my doctoral studies.
I cannot forget Hanni Sommer, Ruth Hidalgo, Franziska Mäder, and Martina Wirth who
made my life easier handling most of the administrative work at the ETH.
I thank my parents, parents-in-law, and my sisters for their kind support. I thank my hus-
band, Ishan, without whose encouragement this dissertation would have been impossible.
 Contents

Abstract v

Zusammenfassung vii

Acknowledgements ix

Contents xi

1 Introduction 1
1.1 How to Verify? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Weakness of Testing and Model Checking . . . . . . . . . . . . . . . . . . . . 2
1.3 Evaluating the Quality of the Verification Process . . . . . . . . . . . . . . . . 3
1.4 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.5 Organisation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

2 Background 7
2.1 Reactive Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.1.1 Kripke Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.1.2 Net-lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.2 Temporal Logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.2.1 Computational Tree Logic (CTL) . . . . . . . . . . . . . . . . . . . . 10
2.2.2 Linear Temporal Logic (LTL) . . . . . . . . . . . . . . . . . . . . . . 11
2.2.3 CTL* . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.2.4 Expressivity of CTL, LTL and CTL* . . . . . . . . . . . . . . . . . . 13
2.2.5 Safety vs Liveness . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.3 Model Checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.3.1 Complexity of Model Checking . . . . . . . . . . . . . . . . . . . . . 14
2.3.2 Model Checking Techniques . . . . . . . . . . . . . . . . . . . . . . . 14
2.3.3 Symbolic Model Checking . . . . . . . . . . . . . . . . . . . . . . . . 14
2.3.4 BDD-based Model Checking . . . . . . . . . . . . . . . . . . . . . . . 15
2.4 SAT-based Model Checking Techniques . . . . . . . . . . . . . . . . . . . . . 16
2.4.1 Propositional Satisfiability . . . . . . . . . . . . . . . . . . . . . . . . 16
2.4.2 Resolution Refutations . . . . . . . . . . . . . . . . . . . . . . . . . . 16
2.4.3 Bounded Model Checking (BMC) . . . . . . . . . . . . . . . . . . . . 18
2.4.4 Interpolant-based Model Checking . . . . . . . . . . . . . . . . . . . . 18
2.5 Vacuity Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.5.1 Definitions of Vacuity . . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.5.2 Interesting Witnesses . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
2.5.3 Occurrence Vacuity vs. Subformula Vacuity . . . . . . . . . . . . . . . 22
2.5.4 Mutual Vacuity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.5.5 Semantic Vacuity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

xi
xii C ONTENTS

2.6 Coverage Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

3 Coverage in Model Checking 27

3.1 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
3.2 Formalizing Coverage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
3.2.1 Illustrative Example of Coverage Analysis of ALU . . . . . . . . . . . 29
3.2.2 Illustrative Example of Coverage Analysis of a Sequential Circuit . . . 33
3.2.3 Definition of Mutant Net-lists . . . . . . . . . . . . . . . . . . . . . . 34
3.3 Computing Coverage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
3.3.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
3.3.2 Coverage Analysis with Interpolants . . . . . . . . . . . . . . . . . . . 37
3.3.3 The Unsatisfiable Core Test . . . . . . . . . . . . . . . . . . . . . . . 41
3.3.4 The Counterexample Test . . . . . . . . . . . . . . . . . . . . . . . . 41
3.3.5 Two Induction-based Tests . . . . . . . . . . . . . . . . . . . . . . . . 42
3.4 Experiments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
3.4.1 Coverage Analysis of HWMCC’08 circuits . . . . . . . . . . . . . . . 44
3.4.2 Coverage Analysis on IBM Circuits . . . . . . . . . . . . . . . . . . . 45
3.5 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
3.6 Bibliographic Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

4 Vacuity in Model Checking 51

4.1 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
4.1.1 Lattice Theory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
4.2 The Quest for Stronger Formulas . . . . . . . . . . . . . . . . . . . . . . . . . 55
4.3 A Lattice of Formulas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
4.3.1 A Naive Exhaustive Lattice Search Strategy . . . . . . . . . . . . . . . 58
4.4 Binary Search through the Lattice . . . . . . . . . . . . . . . . . . . . . . . . 59
4.5 Counterexample-Guided Property Strengthening . . . . . . . . . . . . . . . . . 60
4.5.1 Examples With and Without Counterexample Test . . . . . . . . . . . 62
4.5.2 Complexity Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
4.6 Computing More Strengthenings . . . . . . . . . . . . . . . . . . . . . . . . . 64
4.6.1 Computing All Maximal Strengthenings . . . . . . . . . . . . . . . . . 64
4.6.2 Computing a Maximum Strengthening . . . . . . . . . . . . . . . . . . 65
4.7 Experiments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
4.8 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
4.9 Bibliographic Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

5 Vacuity and Interpolation 77

5.1 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
5.2 Comparison of Interpolation Systems . . . . . . . . . . . . . . . . . . . . . . 79
5.2.1 Interpolation Systems . . . . . . . . . . . . . . . . . . . . . . . . . . 79
5.2.2 Interpolant Strength and Model Checking . . . . . . . . . . . . . . . . 81
5.3 Labelled Interpolation Systems . . . . . . . . . . . . . . . . . . . . . . . . . . 82
5.4 Peripheral Vacuity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
5.5 Peripherality and Interpolation . . . . . . . . . . . . . . . . . . . . . . . . . . 88
5.6 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
5.7 Bibliographic Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
C ONTENTS xiii

6 Relating Vacuity and Coverage 93

6.1 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
6.2 Vacuity Detection by Semantic Perturbation . . . . . . . . . . . . . . . . . . . 94
6.3 Notions of Coverage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
6.4 Relating Vacuity and Coverage . . . . . . . . . . . . . . . . . . . . . . . . . . 98
6.5 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
6.6 Bibliographic Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

7 Epilogue 103
7.1 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
7.2 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
7.2.1 Enhanced Vacuity Detection . . . . . . . . . . . . . . . . . . . . . . . 104
7.2.2 Use of Coverage Information in Error Explanation . . . . . . . . . . . 105
7.2.3 Mutation-based Test Case Generation . . . . . . . . . . . . . . . . . . 106
7.2.4 Vacuity Guided Model Checking using Interpolants . . . . . . . . . . . 107
7.2.5 Vacuity of Gene Regulatory Networks . . . . . . . . . . . . . . . . . . 107

Notation 110

List of Figures 112

List of Tables 113

Bibliography 115
 Introduction
1
The perpetually increasing size and complexity of modern day hardware and software systems
demand fast, automatic, and reliable verification methods to guarantee that these systems be-
have correctly. Given an informal description of the intended behavior of a system (usually
called specification), a system designer implements the specifications as a hardware and/or
software system. The designer may require several iterations to make the implementation be-
have as intended. However, how does the designer know that the system does not have any
faults? The system needs to be verified to confirm that it behaves exactly the way it is intended
to. As an example, consider a synchronous arbiter [86] that controls access to a shared re-
source. For correct operation of the arbiter, it needs to be checked if the arbiter adheres to the
following important specifications:

• At any time access to the shared resource is granted to at most one requestor.

• At some time in future a requestor must be given access to the shared resource.

• An access to the shared resource is never granted to a non-requestor.

Verifying an arbiter such as the one described above with only two requestors could possibly
be done manually. However, if we consider a larger number of requestors, manual verification
would be difficult to achieve. Verification of large systems requires an automatic procedure that
can decide if a system exhibits a desired behavior defined by, for example, the three specifica-
tions given above. The user provides a system and its specifications to the automatic verifier.
The verifier processes the system and the specifications and, for each specification, it returns
YES if the system satisfies the specification. Otherwise, it returns NO.

1.1 How to Verify?

Many procedures for checking whether a system satisfies a given specification have been pro-
posed. Any verification procedure should exhibit two main features:

1
2 C HAPTER 1. I NTRODUCTION

• soundness: A verification procedure is sound if, when it returns YES, the system indeed
behaves according to the given specification.

• completeness: The procedure returns a sound answer in a finite amount of time.

In practice, completeness must be compromised at times in the interest of efficiency. In such

cases, a verifier does not always terminate, or terminates with a don’t know answer.
Verification is commonly done by testing and/or model checking. We discuss these two
verification techniques that are relevant to this dissertation.

Testing In testing, a test engineer writes a set of input sequences (test vectors). The response
of the system to these test vectors is analysed for erroneous behavior. The system is deemed
correct if it behaves as expected for each test vector. Various approaches to testing exist, e.g.,
black-box testing, white-box testing, random testing. Irrespective of the method of testing,
there must be a test case for every possible execution of the system to establish correctness of
the entire system. However, checking all possible executions of a complex system could be
infeasible. Hence, testing suffers a major drawback: test vectors are potentially insufficient to
expose a possible bug in the system.

Model Checking Model checking [41, 97] overcomes this drawback of testing by systemat-
ically exploring all possible paths of the system and by providing a verification engineer with
a mathematical language to precisely express specifications. Model checking is an algorithmic
method that decides whether a property is satisfied by a given model. The property is a complex
mathematical formula describing a desired behavior. Model checking can prove (also disprove)
whether a system satisfies a given property, thereby satisfying the requirement of soundness. If
the system is a finite state system, the requirement of completeness is also satisfied1 .

1.2 Weakness of Testing and Model Checking

The quality of a model and its properties depend, on among others, the competence of the en-
gineer who drafts them. Moreover, properties used in verification are rarely a full specification
of the system. An erroneous behavior of the system can escape the verification effort if this
behavior is not captured by the properties or the test vectors. In fact, these unverified behav-
iors often elude the designer’s attention and therefore, are likely to lower the confidence in the
result of verification. We now discuss the reasons for low confidence in the outcome of testing
and model checking in greater detail.

Confidence in Testing In testing, it is unclear to a test engineer when to stop testing. Addi-
tion of a new test vector may further uncover a new error in the system. Hence, a test engineer
does not know if sufficient test vectors have been written. In order to determine if the test
vectors are adequate, it is necessary to have an estimate of how much of the system has been
tested so far. The more parts of the system the test vectors exercise, the lesser is the need to
write new test vectors, thus increasing the confidence in the outcome of testing. Hence, there
is a need for a measure of exhaustiveness of a given suite of test vectors [16].
1 In the context of this dissertation, only finite state systems are considered.
1.3. E VALUATING THE Q UALITY OF THE V ERIFICATION P ROCESS 3

Confidence in Model Checking If a system does not satisfy a given property, most model
checking tools generate a counterexample (error trace) demonstrating how the property is vio-
lated by the system [40]. However, a counterexample cannot always be succinctly represented.
Consider the property: there is at least one path exhibiting a desired behavior in a given system.
A system violating the property does not contain any path satisfying the respective behavior.
This cannot be demonstrated succinctly as the counterexample consists of all paths in the sys-
tem. If the system satisfies a property, most tools provide no witness. Similar to counterex-
amples, a witness cannot always be represented succinctly, e.g., a witness to the property that
checks for all paths in a system allowing a certain behavior.
The lack of supporting evidence in the form of counterexamples and witnesses decreases a
verification engineer’s confidence in the outcome of model checking. Consider the property: on
all paths in a synchronous arbiter, a request is eventually followed by an acknowledgement. If
the arbiter’s environment never asserts requests, this property is trivially satisfied by the arbiter.
Such trivial satisfaction is likely not intended [13]. Though the model checker returns a positive
answer indicating that the system satisfies the property, the reasons behind the satisfaction are
left unevaluated. The system may satisfy the property for unintended reasons, as in the above
case of antecedent failure.
If all the properties written by a verification engineer are satisfied by a model for the in-
tended reasons, does the model does not have any errors? Should the verification engineer
stop writing more properties? It is likely that the model still contains a bug and the property
that fails uncovering the bug is not yet written. Analogous to testing, a verification engineer
does not know when to stop adding new properties, leaving the engineer uncertain about the
correctness of the system.
The low confidence in the outcome of testing and model checking necessitates means to
evaluate the quality of the verification process. The quality of the verification process in turn
depends on the quality of the model and the properties. The next section describes two impor-
tant sanity checks to assess the quality of the model and its properties.

1.3 Evaluating the Quality of the Verification Process

A shortcoming of existing model checking tools is that they often only provide a Yes/No answer
to the question of whether a system satisfies a property. They do not provide a fine-grained
analysis of the following issues which are central to evaluating the quality of the verification
process:

• coverage – is the set of properties adequate to certify correctness of the model?

• vacuity – does the model satisfy the properties for the right reasons?

We now discuss these issues in detail.

1. Coverage Analysis: Consider the synchronous arbiter discussed at the beginning of this
chapter. One possible implementation of the arbiter is shown in Figure 1.1. Consider
the property: ack is never granted to a non-requestor. Only the AND gate marked “A”
influences the outcome of verification of the property. The rest of the circuit does not
play any role in satisfying the property. We say that the property covers the AND gate.
The use of coverage metrics is commonplace in testing. There has been extensive re-
search in the simulation-based verification community on coverage metrics which pro-
vide a heuristic measure of exhaustiveness of the test suite [103]. The basic approach to
4 C HAPTER 1. I NTRODUCTION

TokenOut
D Q
TokenIn
Q’

req OverOut

D Q

Q’
OverIn

ack
A

GrantOut
GrantIn

Figure 1.1: A cell of a synchronous arbiter [86]

coverage in testing involves recording which parts of the system were exercised during
simulation. In the example above, the test vectors generated to check that ack is never
granted to a non-requestor exercise only the AND gate marked “A”. Hence, the rest of the
circuit is not covered.
Similarly, coverage metrics in model checking address the question “Have I written
enough properties?”. However, the above approach to coverage in testing cannot be used
in model checking because model checking is exhaustive. Model checking performs an
exhaustive exploration of the state space of the model in which all parts of the model are
involved. The earliest research on coverage in model checking suggests coverage metrics
based on mutations, which are small “atomic” changes to the model. A part of the design
is said to be covered by a property if the original design satisfies the property, whereas
mutating that part renders the property invalid [70]. In the example above, mutating any
part of the circuit except the AND gate marked “A”, does not change the model checking
outcome. Hence, only the AND gate marked “A” is covered.
One way to measure mutation coverage is to run a model checker on each of the mutated
designs, checking if the mutated design falsifies the property. Model checking of each
of the mutated designs is prohibitively expensive due to the large number of possible
mutations. This necessitates intelligent methods to alleviate the complexity of computing
mutation coverage.

2. Vacuity Detection: Consider again the synchronous arbiter shown in Figure 1.1 and the
property φ = G(req → F ack), i.e., req is eventually followed by ack. If the arbiter’s
environment never asserts req, φ is trivially satisfied by the arbiter. The property φ is
said to pass vacuously in the arbiter.
Observe that if req is false, the subformula ack of φ , when mutated in any manner, does
not cause the resulting property to fail. If ack is replaced by false in φ , the resulting
property ψ = G ¬req is satisfied by the model. This indicates that the satisfaction of φ
is due to the fact that req is always false and not because req is followed by ack. This
highlights that the model does not satisfy the property for the right reasons.
The observation above leads to a systematic method for detecting vacuity. Invariance of
property satisfaction under mutations to the subformulas of the property is a commonly
1.4. C ONTRIBUTIONS 5

used measure of how well the system satisfies the property. Given a system M and a
property φ satisfied by the system, if all the properties obtained by mutating φ in any
manner are satisfied by M, then M satisfies φ in a vacuous manner.
Note that the mutations that result in a weaker property φ 0 need not be considered for
vacuity detection as M |= φ implies that M |= φ 0 . Only mutations that result in strength-
ening the property need to be checked for vacuity detection. For large properties, model
checking each of the mutated properties can be expensive. Hence, efficiency of a vacu-
ity detection procedure greatly depends on the number of mutated properties that are
verified.

Based on the problems described above, we now present contributions of this dissertation.

1.4 Contributions

Dissertation Statement Two sanity checks, namely, vacuity detection and coverage analysis
form an integral part of any verification process. These sanity checks can be performed with
low overhead, enabling the application of these checks to complex systems.

Contributions This dissertation presents efficient ways to detect vacuous passes of properties
and compute coverage of a system by given properties. In particular, the dissertation makes
the following contributions towards vacuity and coverage analysis in model checking of finite
state systems:

1. Coverage Analysis: A straightforward way to measure mutation-based coverage is to

model check the property on each of the mutated designs. This approach is prohibitively
expensive due to the sheer number of conceivable mutations. We present a novel algo-
rithm that computes coverage of a given property in interpolant-based model checking, a
state-of-the-art technique for model checking [87]. In order to minimize model checking
runs on the mutated systems, the algorithm utilises Craig interpolants, inductive invari-
ants, and counterexamples, speeding up coverage computation.
The algorithm is implemented in the tool EBMC. It is tested on circuits from the Hard-
ware Model Checking Competition 2008. The experimental results demonstrate that the
parts of the design covered by a property can be computed with reasonable cost in re-
lation to the time taken by the model checking run. To the best of our knowledge, this
is the first interpolant-based algorithm for computing coverage. The tool EBMC is avail-
able at http://www.cprover.org/ebmc/. The HWMCC 2008 benchmarks are available at
http://fmv.jku.at/hwmcc08/benchmarks.html.

2. Vacuity Detection: A satisfying formula that is stronger than the one supplied by the
user substantially increases the value of the result of model checking, as it adds to the
certified knowledge about the design. To this end, we present several algorithms, that
given a formula φ and a model M satisfying φ , compute a maximum, a maximal, and
all maximal strengthenings of φ satisfied by M. The proposed search algorithms use a
modified binary search technique over a lattice of properties, wherein the lattice elements
are altered properties obtained by mutating one or more atomic subformulas in the given
property.
The algorithms are implemented in the tool AARDVARK that performs vacuity detection
of LTL properties. The model is expressed in Verilog. We evaluate AARDVARK on the
6 C HAPTER 1. I NTRODUCTION

extensive set of verification benchmarks shipped with the formal verification tool VIS.
The tool AARDVARK can be downloaded from http://www.cprover.org/aardvark/. The
benchmarks can be downloaded from http://vlsi.colorado.edu/˜vis/. Evaluation of the
algorithms on these benchmarks exposes vacuity in nearly half of the properties.
3. Vacuity and Coverage: This dissertation establishes a relationship between notions of
vacuity and coverage. In coverage, the goal is to measure exhaustiveness of properties
by detecting components of the system that do not play a role in the verification process.
The goal of vacuity detection is to detect subformulas of a property that do not influence
the outcome of verification. This dissertation relates the notions of vacuity and coverage,
and proves that vacuity of an atomic proposition in a property implies zero coverage of
the model with respect to that atomic proposition. This suggests that vacuity of prop-
erties must be eliminated before coverage analysis is performed, resulting in improved
coverage with less work.

4. Vacuity and Approximation: In interpolant-based model checking, Craig interpolants

are used as over-approximate image operators. The performance of interpolant-based
model checking depends on the approximate images, i.e., interpolants obtained. This
dissertation shows that vacuous properties enable computation of coarser approximate
images. In particular, it shows that vacuous properties induce weaker interpolants. We
propose an interpolation system that exploits vacuity and generates interpolants weaker
than McMillan’s interpolation system [87].

1.5 Organisation

This dissertation is organised as follows:

• The necessary background material about various model checking techniques for hard-
ware verification, Craig interpolant, vacuity detection, and coverage analysis is explained
in Chapter 2.

• Chapter 3 describes the coverage computation algorithm based on Craig interpolants and
its experimental evaluation.

• The algorithms to detect vacuity of LTL properties and their experimental evaluation
appear in Chapter 4.

• Chapter 5 shows that the presence of vacuity enables computation of interpolants weaker
than the interpolants computed by McMillan’s interpolation system [87].

• Chapter 6 establishes a relationship between various notions of vacuity and coverage

addressed in the literature so far. This chapter also emphasizes that vacuity detection and
coverage analysis must be intertwined for improved coverage.

• Conclusion and directions for future work can be found in Chapter 7.

 Background
2
Model checking [41, 97] is a technique to verify a model of a system against a given property.
Given a system M and its property φ , model checking systematically explores the state space of
the system to decide if the system satisfies the property, i.e., if M |= φ . A property is typically
a temporal logic formula.
In order to provide a basic introduction to model checking, we now review some back-
ground material. Section 2.1 discusses representations commonly used for hardware systems.
Temporal logic for properties appears in Section 2.2. An introduction to three of the most
popular model checking techniques for hardware systems can be found in Section 2.3 and
Section 2.4.
Basics of quality assessment via vacuity detection are discussed in Section 2.5. Background
on coverage analysis is discussed in Section 2.6.

2.1 Reactive Systems

This dissertation considers hardware systems that are reactive [85], i.e., they react with and
continuously respond to their environment. Typical examples of reactive systems are air traffic
controllers and railway signalling systems. We now briefly explain Kripke structures and net-
lists which are commonly used to represent reactive systems.

2.1.1 Kripke Structure

The behavior of finite state reactive systems is best captured by Kripke structures. A Kripke
structure K is defined as a five tuple (S, T, S0 , AP, L). In this definition, S is a finite set of states
of the system and T ⊆ S × S is a set of transitions modeling the actions that the system can
perform. We assume a complete transition relation. The initial states of the system denoted as
S0 are a subset of S. The set of atomic propositions, i.e., atomic facts that describe qualities
of a single state is denoted as AP. The labeling L is a mapping L : S → 2AP , assigning to each

7
8 C HAPTER 2. BACKGROUND

s2 s1 s3 s4
a, b, c a a, b c

Figure 2.1: Kripke structure for Example 2.1.1

state the atomic propositions that are considered true in that state. A path through a Kripke
i=0 such that for all i ≥ 0, (si , si+1 ) ∈ T .
structure is a sequence (si )∞

Example As an illustrative example, consider a Kripke structure defined as below.

S = {s1 , s2 , s3 , s4 }
T = {(s2 , s2 ), (s1 , s1 ), (s1 , s2 ), (s1 , s3 ), (s1 , s4 ), (s3 , s4 ), (s3 , s1 ), (s4 , s1 )}
S0 = {s1 }
AP = {a, b, c}
L(s1 ) = {a}
L(s2 ) = {a, b, c}
L(s3 ) = {a, b}
L(s4 ) = {c}
The resulting transition relation for the Kripke structure is shown pictorially in Figure 2.1.

2.1.2 Net-lists

Hardware designs are most commonly represented as net-lists. A net-list is a collection of

primitive combinational elements, i.e., “and” gates and inverters and memory elements called
registers.

Definition 2.1.1 A net-list N is a directed graph (VN , EN , τN ) where VN is a finite set of vertices,
EN ⊆ VN ×VN is the set of directed edges and τN : VN → {AND, INV, REG, INPUT} maps a node
to its type, where AND is an “and” gate, INV is an inverter, REG is a register, and INPUT is a
primary input. The in-degree of a vertex of type AND is at least two, of type INV and REG is
exactly one and of type INPUT is zero.

As an example, consider the 3-bit counter whose Verilog module is shown in Figure 2.2.
The corresponding net-list is shown in Figure 2.3. The primary input node clk is shown in
square boxes. Each node except the primary input is uniquely numbered. A dotted oval-shaped
node represents a REG. The nodes 1, 2, and 3 represent outputs count[0], count[1], and count[2],
respectively. An oval-shaped node with solid line is an AND gate. An incoming edge of a node
with a dark arrow head indicates direct connection. An incoming edge with a diamond head
indicates a connection through an inverter. The outgoing edge of the node 5 represents cin.
A state of a net-list is a mapping of its registers to the Boolean values B = {0, 1}. A net-list
N with r registers gives rise to a transition system M = (SN , TN ) where SN = Br is the set of
2.1. R EACTIVE S YSTEMS 9

module c o u n t e r ( c l k , c o u n t ) ;

input clk ;
output [ 2 : 0 ] count ;
wire cin ;
reg [ 2 : 0 ] count ;

assign cin = ˜ ( count [0] | count [1] | count [ 2 ] ) ;

i n i t i a l begin
c o u n t = 3 ’ b0 ;
end

always @ ( posedge clk )

begin
c o u n t [ 0 ] <= c i n ;
c o u n t [ 1 ] <= c o u n t [ 0 ] ;
c o u n t [ 2 ] <= c o u n t [ 1 ] ;
end

endmodule

Figure 2.2: Verilog module of a counter

clk

3
4

Figure 2.3: Net-list of the counter in Figure 2.2

10 C HAPTER 2. BACKGROUND

states. The transition relation TN is defined in the obvious way. The set S0 of initial states
is determined by the reset values of the registers. In the example above, S0 = ¬count[0] ∧
¬count[1] ∧ ¬count[2]. The transition relation is shown pictorially in Figure 2.4. Note that SN
for the 3-bit counter consists of 23 = 8 states. Not all of these states are reachable from S0 and
hence, are not shown in the transition relation.

000 001 010 100

Figure 2.4: Transition relation of the counter in Figure 2.2

In the following section, we explain commonly used temporal logics, as these shall be used
in the following chapters for specifying properties.

2.2 Temporal Logic

A first step towards formally verifying a system is to express specifications in a formal math-
ematical way. Consider the synchronous arbiter described in Section 1 where we informally
described three of its most important properties. All these properties express the timing of an
event and have the following general forms:

• a system never manifests a faulty behavior, and

• a system eventually manifests a correct behavior.

In order to formalize such behaviors, a temporal logic which provides operators to reason about
time is needed. Computational Tree Logic (CTL), Linear Temporal Logic (LTL), and CTL*,
which subsumes CTL and LTL, are well-suited for this. We give a formal treatment of these
by specifying their syntax and semantics.

2.2.1 Computational Tree Logic (CTL)

We now specify the syntax of CTL. The logic CTL [39] is defined over an alphabet AP of
atomic propositions as follows: an atomic proposition is a CTL formula. If φ and ϕ are CTL
formulas, then the following are also CTL formulas:

¬φ φ ∧ϕ φ ∨ϕ
EX φ Eφ Uϕ EG φ

The propositional constants true and false can be defined as abbreviations as follows:

true = φ ∨ ¬φ
false = φ ∧ ¬φ
2.2. T EMPORAL L OGIC 11

Given a Kripke structure K, satisfaction of a CTL formula φ by a state sk in K is defined

inductively as follows:

K, sk |= φ iff φ ∈ L(sk ) for φ ∈ AP

K, sk |= ¬φ iff K, sk 6|= φ
K, sk |= φ ∨ϕ iff K, sk |= φ or K, sk |= ϕ
K, sk |= φ ∧ϕ iff K, sk |= φ and K, sk |= ϕ
K, sk |= EX φ iff there is path sk , sk+1 , . . . in K such that K, sk+1 |= φ
K, sk |= EG φ iff there is path sk , sk+1 , . . . in K such that for i ≥ k, K, si |= φ
K, sk |= E φ U ϕ iff there is path sk , sk+1 , . . . in K such that there exists i ≥ k
for which K, si |= ϕ and for k ≤ j < i, K, s j |= φ

A CTL formula φ holds in a Kripke structure K, written as K |= φ , if it is satisfied by all initial

states of K.
An ECTL formula is a CTL formula in which negation is applied only to the atomic propo-
sitions. An ACTL formula is the negation of an ECTL formula. ECTL formulas describe
existential properties and ACTL formulas describe universal properties. The ACTL operators
can be defined in terms of their ECTL counterparts as follows:

AX φ = ¬EX ¬φ
AG φ = ¬E true U ¬φ
Aφ Uϕ = ¬(E ¬ϕ U (¬φ ∧ ¬ϕ)) ∧ ¬EG ¬ϕ

The operators E and A are path quantifiers and X, G, and U are temporal operators. A temporal
operator commonly used but not described above is F. We have:

EF φ = E true U φ
AF φ = ¬EG ¬φ

The logic we have seen so far describes what should happen in future. Past-tense can also
be defined in CTL in various ways [80].

2.2.2 Linear Temporal Logic (LTL)

LTL [93] allows temporal operators, but no path quantifiers. Formally, the syntax of an LTL
formula is inductively defined as below: The base case consists of true, false, and the atomic
propositions which are formulas. If φ and ϕ are formulas, the following are also formulas:

¬φ φ ∧ϕ Xφ
φ Uϕ φ Rϕ

An LTL formula is evaluated over an infinite path within a Kripke structure. A Kripke
structure satisfies an LTL formula if all its paths do so. Given a set of atomic propositions AP,
let φ be an LTL formula, K = (S, T, S0 , AP, L) be a Kripke structure over AP and π = s0 , s1 , . . .
be an infinite path of K. Let π i be the suffix of π beginning at the ith position from the start, i.e.,
12 C HAPTER 2. BACKGROUND

si , si+1 , . . . . Path π is said to satisfy φ , written π |= φ , depending on the form of φ as follows:

π |= true
π 6|= false
π |= φ iff φ ∈ L(s0 ) for φ ∈ AP
π |= ¬φ iff π 6|= φ
π |= φ ∧ϕ iff π |= φ and π |= ϕ
π |= Xφ iff π 1 |= φ
π |= φ U ϕ iff there exists i ≥ 0 such that π i |= ϕ, and for all j, 0 ≤ j < i, π j |= φ

π |= φ R ϕ iff for all i ≥ 0 π i |= ϕ, or there exists j ≥ 0 such that π j |= φ and

for all i, 0 ≤ i ≤ j, π i |= ϕ

The temporal operators G and F, which stand for the always and eventually temporal modali-
ties, respectively, can be written as:

• F φ ≡ true U φ

• G φ ≡ false R φ

A formula is said to be in negation normal form (NNF) if the Boolean negation operator ¬
occurs only immediately in front of atomic propositions. Every LTL formula can be converted
to NNF by “pushing negations inwards”, exploiting the duality of Boolean and temporal oper-
ators, such as the pairs (∧, ∨) and (F, G). The next-time operator X is its own dual; the dual of
U is the release operator (R).

2.2.3 CTL*

The temporal logic CTL* subsumes CTL and LTL. The logic CTL* is the set of formulas
defined over an alphabet AP of atomic propositions as follows: Any atomic proposition is a
state formula, and any state formula is also a path formula. Furthermore,

• if φ and ϕ are state formulas, ¬φ and φ ∧ ϕ are state formulas.

• if φ is a path formula, E φ is a state formula.

• if φ and ϕ are path formulas, ¬φ and φ ∧ ϕ are path formulas.

• if φ and ϕ are path formulas, X φ and φ U ϕ are path formulas.

The connectives R, F, G, and A are defined as abbreviations in terms of ¬, ∧, E, U, and X.

2.2. T EMPORAL L OGIC 13

For a Kripke structure K, satisfaction of a CTL* formula φ by a state s or a path π within

K is defined as follows:
K, s |= φ iff φ ∈ L(s) for φ ∈ AP
K, s |= ¬φ iff K, s 6|= φ
K, s |= φ ∧ϕ iff K, s |= φ and K, s |= ϕ
K, s |= Eφ iff there is path π in K starting at s such that K, π |= φ
K, π |= φ iff s0 |= φ for a state formula φ
K, π |= φ ∧ϕ iff π |= φ and π |= ϕ
K, π |= Xφ iff π 1 |= φ
K, s |= φ U ϕ iff ∃i ≥ 0, π i |= φ , and 0 ≤ j < i → π j |= ϕ
K satisfies φ if and only if φ is satisfied in all initial states of K. Satisfaction of a formula by a
state is as described above.

2.2.4 Expressivity of CTL, LTL and CTL*

There are some formulas that can be expressed in both CTL and LTL, e.g., the formulas G φ
and AG φ are equivalent. Many CTL formulas cannot be expressed in LTL, e.g., formulas
containing existential path quantifiers. As an example, consider the formula AG(ψ1 → EF ψ2 ).
There are some LTL formulas which cannot be expressed in CTL. As an example, consider the
LTL formula F(a ∧ X a). There are formulas in CTL* that cannot be described only using CTL
or LTL, e.g., E(GF p → GF q).

2.2.5 Safety vs Liveness

Towards the beginning of Chapter 1, we described some properties of a synchronous arbiter.

The properties are of the following form:

• safety: something bad should never happen and

• liveness: something good should always happen.

Regarding a property as a set of behaviors, we give some examples of safety and liveness
properties in LTL. Formal definitions appear in [1].

Safety Property A property φ is a safety property if a finite prefix of a path not in φ cannot
be extended to a path in φ . Consider the property G p and a prefix of a path π on which ¬p is
true at some state. This prefix cannot be extended in any way so that π |= G p. Hence, G p is a
safety property.

Liveness Property A property φ is a liveness property if any finite trace can be extended a
trace in φ . F p is a liveness property as it is always possible to extend a finite sequence so that
p is true at some future state.
The property p U q is neither a safety property nor a liveness property. The only property
that is both a liveness property and a safety property is true.
We have thus far discussed representations of systems and temporal logics. We now explain
the basics of model checking, which is central to this thesis.
14 C HAPTER 2. BACKGROUND

2.3 Model Checking

In this section, we describe various techniques used to perform model checking. First, a brief
summary of the complexity bounds for model checking is presented.

2.3.1 Complexity of Model Checking

We state the complexity of model checking when the model is given as a Kripke structure and
the property is in any of the three temporal logics described in the previous section. We give
the results for upper bounds, i.e., there exists some model checking algorithm running inside
the complexity bound.

Theorem 2.3.1 [39, 4] Let K be a Kripke structure with u states and m transitions. Let φ be
a CTL formula. Checking whether K |= φ can be done in time O((u + m) × |φ |).

Early model checkers [97, 39] considered CTL properties. Complexity of model checking
CTL properties is polynomial-time. LTL model checking is more difficult, as pointed out by
the following theorem.

Theorem 2.3.2 [82, 105] Let K be a Kripke structure with u states and m transitions. Let φ
be a LTL formula of length d. Checking whether K |= φ can be done in time O((u + m) × d ×
2O(d) ).

Model checking a CTL* formula is an easy adaptation of model checking an LTL formula [54,
39]. Hence, model checking a CTL* formula can be done in PSPACE.

2.3.2 Model Checking Techniques

Existing model checking techniques fall into two main categories depending on how the state
space of the system is represented: explicit-state model checking and symbolic model check-
ing. In the earliest model checking tools, transition relations were expressed explicitly. This
approach is suitable only for small systems. However, for systems involving many concurrent
processes or components (which is typically the case in industrial systems), explosion in the
size of the state transition graph occurs. The number of states in the explicit state transition
graph may be prohibitively large to search exhaustively. The second approach that can model
check large systems is symbolic model checking, which we describe below.

2.3.3 Symbolic Model Checking

Symbolic model checking [86] uses sets to express states and transitions of a system. In-
stead of operating on individual states and transitions, entire sets of states and transitions are
manipulated as shown below. In the following, we use sets and their characteristic relations in-
terchangeably. For instance, the propositional encoding of T ⊆ S × S is written T (s, s0 ), where
s and s0 are vectors of propositional variables corresponding to current states and next states,
respectively.
Symbolic model checking is based on computation of images, i.e., next states of a set of
states. Image computation can be either exact or approximate.
2.3. M ODEL C HECKING 15

Exact Image Computation Let F denote the set of faulty states. A transition system M =
(S, T ) is correct if no state in F is reachable from any state in S0 . The image operator img :
℘(S) → ℘(S) maps a set of states to its successors:

img(Q) = {s0 ∈ S|s ∈ Q and (s, s0 ) ∈ T }.

Let img0 (Q) = Q and imgi+1 (Q) = img(imgi (Q)). A set of states P is inductive if img(P) ⊆ P.
The set P is an inductive invariant if P is inductive and S0 ⊆ P. Given S0 and F, the strongest
inductive invariant RS0 is the set of states reachable from S0 . If RS0 ∩ F = 0,
/ F is not reachable
from S0 .
Observe that img(Q) = ∃s.Q(s) ∧ T (s, s0 ). The computation of the precise image img(Q) is
expensive as it involves quantifier elimination.

Image Approximation The expensive image computation necessitates an approximate im-

age operator. An over-approximate image operator img ˆ : ℘(S) → ℘(S) satisfies that img(Q) ⊆
ˆ
img(Q) for all Q ∈ ℘(S). An over-approximation of the set of reachable states is the set
ˆ i (S0 ). Observe that if R̂S0 ∩ F = 0,
S
R̂S0 = i≥0 img / then F is not reachable from S0 . Thus, it
suffices to compute an over-approximation R̂S0 to decide correctness. However, if R̂S0 ∩ F 6= 0,
/
it is not known if a state reachable from S0 has a successor in F.
Similarly, an under-approximation R− S0 of the set of reachable states can be computed. If
R−
S0 / F is reachable from S0 . However, if R−
∩ F 6= 0, S0 ∩ F = 0,
/ it is not known if there is a path
−
from S0 to F as RS0 does not contain all reachable states.
Modern hardware systems are complex and hence, it is important to have efficient means
of representing and manipulating the set of states and the set of transitions in a system, e.g, the
image computation described above. We now discuss two popular model checking techniques
that use different representations, namely, BDD-based and SAT-based model checking.

2.3.4 BDD-based Model Checking

Finite state reactive systems can be represented symbolically using Ordered Binary Decision
Diagrams (OBDDs) [20]. OBDDs are a canonical form representation of Boolean formulas.
The variable ordering used while building the BDD has significant impact on the size of the
BDD. Nevertheless, due to canonicity, a BDD can be exponentially more compact than its cor-
responding truth table representation. It is possible to verify systems with a large number of
states– many orders of magnitude larger than the systems that could be handled by explicit-
state model checking. Model checking algorithms based on OBDDs have successfully verified
CTL properties of systems that have more than 1020 states [86, 21]. The state count has been
pushed up to 10100 or even more using techniques from [22, 23]. However, for larger sys-
tems, the BDDs generated during model checking become intractably large. Selecting a good
variable ordering is the key to keep the size of the BDDs small. However, computing a good
variable ordering is time consuming or needs manual intervention. For many examples, no
space efficient variable orderings exist.
A number of state reduction approaches have been proposed to reduce the number of states
in the model. These techniques include symmetry reductions [44, 55, 56], partial order re-
ductions [61, 91], and abstraction techniques [45, 63, 43]. Among these techniques, abstrac-
tion is considered the most general and flexible for handling the state explosion problem. A
popular technique commonly known as Counterexample-Guided Abstraction Refinement (CE-
GAR) [42] is briefly described in Section 4.5.
16 C HAPTER 2. BACKGROUND

In spite of all the methods mentioned above, complete automatic verification of many de-
signs is still beyond the capacity of BDD-based model checkers. We now discuss SAT-based
model checking techniques which have been shown to solve many cases that cannot be solved
by BDD-based techniques.

2.4 SAT-based Model Checking Techniques

Finite sets and their relations can be encoded in propositional logic. Instead of representing
them as BDDs which may grow exponentially, propositional decision procedures (SAT solvers)
can be used. Next, we briefly explain the basics of propositional satisfiability.

2.4.1 Propositional Satisfiability

The Boolean satisfiability problem is a decision problem for determining if a satisfying assign-
ment for a given Boolean formula exists. Propositional SAT solvers [51] operate on Boolean
expressions but do not use canonical forms. They do not suffer from the potential space ex-
plosion of BDDs and can handle problems with thousands of variables. A number of efficient
implementations are available [101, 89, 62, 53].
Modern DPLL-style [50] solvers make decisions on values of variables, and create an im-
plication graph, i.e., record assignments and perform Boolean Constraint Propagation. The
SAT solver either successfully assigns values to all variables or results in a conflict clause
generated through resolution. The conflict clause is added to the set of clauses to avoid repe-
tition of the same assignments again. The solver then performs backtracking to undo some of
the conflicting assignments. In the end, the SAT solver may rule out all possible assignments
and terminate with an unsatisfiable answer. When the SAT-solver terminates with an unsatis-
fiable answer, the resolution steps can be used to produce a proof of unsatisfiability which is
explained in the next section.

2.4.2 Resolution Refutations

When a Boolean formula is unsatisfiable, most SAT solvers generate a proof demonstrating its
unsatisfiability. We formally define a resolution proof below.
Let X be a set of propositional variables. Let x or equivalently ¬x denote the negation of a
variable x. A literal is either a variable or its negation. Hence, the set of literals over variables
in X is {x, x | x ∈ X}. For example, in the propositional formula

(x1 ∧ x2 ) ∨ x3 ∨ (x3 ∧ x4 ) (2.1)

the set of variables is {x1 , x2 , x3 , x4 } and the set of literals is {x1 , x2 , x3 , x3 , x4 }.

A propositional formula is in Conjunctive Normal Form (CNF) if it is a conjunction of
disjunctions of literals. For example, the formula

(x1 ∨ x2 ) ∧ (x3 ∨ x2 ) ∧ x3 ∧ x1 (2.2)

is in CNF. A clause C is a set of literals. In the Formula 2.2, {x1 , x2 }, {x3 , x2 }, {x3 }, and {x1 }
are clauses. A clause is called an empty clause if it contains no literals. The empty clause is
denoted by .
2.4. SAT- BASED M ODEL C HECKING T ECHNIQUES 17

x1 ∨ x2 x3 ∨ x2 x3 x1

x1 ∨ x3

x1

Figure 2.5: Resolution proof of unsatisfiability of Formula 2.2

A propositional formula is in Disjunctive Normal Form (DNF) if it is a disjunction of con-

junctions of literals. The Formula 2.1 is in DNF. There exist polynomial time algorithms [92,
104] to transform an arbitrary propositional formula into a satisfiability equivalent proposi-
tional formula in CNF.
We now state the resolution principle which forms the basis of resolution proofs. The
disjunction of two clauses C and D is their union, denoted as C ∨D, which is further simplified
to C ∨ x if D is the singleton {x}. The resolution principle states that an assignment satisfying
the clauses C ∨ x and D ∨ x also satisfies C ∨ D. Let Res(C , D, x) denote the resolvent of
the clauses C and D with the pivot x. For example, the resolvent of C = (x1 ∨ x2 ) and D =
(x3 ∨ x2 ), denoted as Res(C , D, x2 ) is (x1 ∨ x3 ).

Definition 2.4.1 A resolution proof P is a directed acyclic graph (VP , EP , pivP , `P , sP ),

where VP is a set of vertices, EP is a set of edges, pivP is a pivot function, `P is the
clause function, and sP ∈ VP is the sink vertex. An initial vertex has in-degree 0. All
other vertices are internal and have in-degree 2. The sink has out-degree 0. The pivot func-
tion maps internal vertices to variables. For an internal vertex v and (v1 , v), (v2 , v) ∈ EP ,
`P (v) = Res(`P (v1 ), `P (v2 ), pivP (v)).

A vertex v1 in P is a parent of v2 if (v1 , v2 ) ∈ EP . Note that the value of `P at internal

vertices is determined by that of `P at initial vertices and the pivot function. A proof P is
a resolution refutation if `P (sP ) = . Henceforth, the words proof and refutation connote
resolution proofs and resolution refutations. The set of initial vertices of P is denoted as
Roots(P). An (A, B)-refutation P of an inconsistent CNF pair (A, B) is one in which `P (v)
is an element of A or B for each v ∈ Roots(P). A subset of the clauses from A and B that
appear in an (A, B)-refutation is said to form an UNSAT core.
Figure 2.5 depicts a resolution refutation of Formula 2.2. The labels of initial vertices are
the clauses of Formula 2.2. The two intermediate vertices are labelled as

Res((x1 ∨ x2 ), (x2 ∨ x3 )) = x1 ∨ x3 and

Res((x1 , x3 ), x3 ) = x1 .

The label of the sink vertex is `P (sP ) = Res(x1 , x1 ) = . Hence, the proof in Figure 2.5 is a
resolution refutation.
Next, we discuss two state of the art SAT-based model checking techniques.
18 C HAPTER 2. BACKGROUND

2.4.3 Bounded Model Checking (BMC)

Bounded Model Checking (BMC) leverages the success of fast propositional SAT solvers to
model checking. The basic idea behind verifying a system M using BMC is to check if there
exists a trace in M of a bounded length k that reaches a faulty state. Since LTL formulas
are defined over all paths in the system, finding a counterexample corresponds to checking
whether there exists a trace in M that falsifies the formula. Hence, BMC is well-suited for
checking counterexamples to LTL properties.
Consider a set of states Q, a transition relation T , a set of failure states F, and a constant k ≥
1. A BMCk instance from Q with bound k checks if Q reaches F in k steps. The corresponding
def
formula is BMCk = A(s0 , s1 ) ∧ B(s1 , . . . , sk ), where A and B are as follows.

def
A(s0 , s1 ) = Q(s0 ) ∧ T (s0 , s1 )
def
B(s1 , . . . , sk ) = T (s1 , s2 ) ∧ . . . ∧ T (sk−1 , sk )∧ (2.3)
(F(s1 ) ∨ . . . ∨ F(sk ))

If BMCk is satisfiable, F is reachable from a state in Q in k steps. If BMCk is unsatisfiable, F

is not reachable from a state in Q in ≤ k steps. An instance of the BMC problem, denoted as
BMCk (M, φ ), checks if M |=k φ where |=k is the satisfaction relation from the initial states of
M up to bounded depth k. Details of how to encode the failure states for various LTL properties
can be found in [18, 17].

2.4.4 Interpolant-based Model Checking

If Formula 2.3 is unsatisfiable, RS0 can be computed using BMC and exact image computation
as shown in Algorithm 2.1. In the beginning, Q = S0 . If BMCk is unsatisfiable, we can obtain

Algorithm 2.1 C OMPLETE -MC(M, F, k)

Input: Model M with initial states S0 , set of fault states F, and a bound k
Output: A Yes/No answer to whether F is reachable in M
Q = S0
while BMCk is UNSAT do
if img(Q) → Q then
return No
Q = Q ∨ img(Q)
return Yes

a formula that encodes img(Q) by existential quantification, i.e., img(Q) = ∃s0 .A(s0 , s1 ). In
the next iteration, s1 in img(Q) is replaced by s0 , Q in Formula 2.3 is replaced by Q ∨ img(Q),
and satisfiability of the resulting formula BMCk is checked. If it is satisfiable, a faulty state is
reachable from S0 . Otherwise, image of Q is computed. This is continued until either BMCk is
satisfiable or a fixed point is reached. When a fixed is reached Q = RS0 .
However, the computation of the precise image, img(Q) is expensive, as it involves quanti-
fier elimination. This necessitates an approximate image operator. The image I(s1 ) computed
using an over-approximate image operator is such that ∃s0 .A(s0 , s1 ) → I(s1 ) is valid. An effi-
cient procedure for computing the formula I(s1 ) provides an implementation of img ˆ applicable
to compute R̂S0 . An interpolation system ITP is such a procedure.
2.4. SAT- BASED M ODEL C HECKING T ECHNIQUES 19

Craig Interpolation In 1957, Craig showed that for each inconsistent pair of formulas A, B
in first order logic, there exists a formula I – the Craig interpolant [46] – such that

• A implies I,
• I is inconsistent with B, and
• I refers only to non-logical symbols common to A and B.

Intuitively, the interpolant I can be understood as an abstraction of A. We use a special case of

Craig’s interpolation theorem for the case of propositional logic. For a propositional formula
β , let Var(β ) denote the set of propositional variables occurring in β .

Definition 2.4.2 An interpolant for a pair of inconsistent propositional formulas (A, B) is a

propositional formula I such that

1. A → I,
2. I and B are inconsistent, and
3. Var(I) ⊆ Var(A) ∩ Var(B).

Example Consider unsatisfiable propositional Formula 2.2. Let A = (x1 ∨ x2 ) ∧ x1 and B =

(x3 ∨ x2 ) ∧ x3 . The interpolant for the unsatisfiable pair (A, B) is x2 . Simplifying A and B, we
have A = x1 ∧ x2 and B = x2 ∧ x3 . It is easy to see that A → x2 is valid and B ∧ x2 is false.

Interpolants can be computed efficiently from resolution refutations. Different methods to

compute interpolants from proofs exist [87, 94]. An in-depth discussion of constructing in-
terpolants from resolution refutations can be found in Section 5.2. We very briefly discuss
McMillan’s system of interpolation here.

McMillan’s System of Interpolation Let P be an (A,B)-refutation of an inconsistent CNF

pair (A, B). Let ITPM (P, A, B) be a function that maps a vertex in P to a Boolean formula over
the variables in Var(A) ∩ Var(B) such that ITPM (P, A, B)(sP ) is an interpolant of (A, B). The
formula ITPM (P, A, B)(v) is computed in the following manner: Let g(v) denote disjunction
of literals in `P (v) that appear in B.
For an initial vertex v,

g(v) : if `P (v) ∈ A
ITP M (P, A, B)(v) :=
true : otherwise

For an internal vertex v with parents v1 and v2 ,


ITP M (P, A, B)(v1 ) ∨ ITP M (P, A, B)(v2 ) : if pivP (v) 6∈ B
ITP M (P, A, B)(v) :=
ITP M (P, A, B)(v1 ) ∧ ITP M (P, A, B)(v2 ) : otherwise

When A and B are clear, we write ITPM (P) for ITPM (P, A, B).

Example Consider Formula 2.2 with A and B given in Example 2.4.4. Figure 2.6 shows the
refutation proof P for unsatisfiable Formula 2.2 with ITPM (P)(v) for each vertex shown in
square brackets next to `P (v). The clauses from B are shown in bold. The interpolant for the
unsatisfiable pair (A, B) is ITPM (P)(sP ) = x2 .
20 C HAPTER 2. BACKGROUND

x1 ∨ x2 [x2 ] x3 ∨ x2 [true] x3 [true] x1 [false]

x1 ∨ x3 [x2 ]

x1 [x2 ]

 [x2 ]

Figure 2.6: Resolution proof of unsatisfiability of Formula 2.2 annotated with ITPM (P)(v).
The clauses in bold letters belong to B. The partial interpolants are shown in square brackets
next to each vertex.

Interpolants as Approximation Operators

Interpolant-based model checking is a method for computing an over-approximation R̂S0 as dis-

cussed in Section 2.4.4. An approximate operator img ˆ is implemented using a SAT solver that
is able to generate a refutation and an interpolation system. If the pair (A(s0 , s1 ), B(s1 , . . . , sk ))
in Formula 2.3 is inconsistent, an interpolant I(s1 ) is an approximate image. Successive im-
ages are computed by replacing Q in A by Q(s0 ) ∨ I(s0 ). When I(s0 ) ⊆ Q(s0 ), a fixed point is
reached and R̂S0 = Q(s0 ). At any point in the successive image computation, if Formula 2.3
is satisfiable, the complete procedure is repeated with a higher k. Note that if Formula 2.3 be-
comes satisfiable at any point in COMPLETE - MC, we know definitely that there is a path from
S0 to F. However, when an interpolant is used as an over-approximate image operator, we
know that there is a path from S0 to F only when Q = S0 and BMCk is satisfiable. At all other
times, the procedure is restarted with a higher k.
After summarizing the state of the art model checking techniques, we present background
material on a core issue addressed in this thesis, namely, vacuity detection.

2.5 Vacuity Detection

During formal verification of a 16-bit CISC processor, Beatty and Bryant [13] observed one of
the principal dangers of formal verification in the form of antecedent failure. For an implicative
statement a → b, antecedent failure occurs if a is false, causing the implicative statement to be
trivially true. Such trivial satisfactions are alarming in model checking as the model satisfies
the property for trivial unintended reasons and must be reported. The term vacuity detection
was proposed by Beer et al. for identification of cases in which a property is trivially satisfied
in a model [14, 15].
Intuitively, a formula holds vacuously if it does so for “unintended reasons”, such as the
one in the above case of antecedent failure. Translating this informal idea of vacuity into a
formal definition turned out to be challenging. Numerous strategies have been suggested in the
last few years, starting with [14, 79, 15]. In this section, we cover the most popular definition
of vacuity which is also followed in this thesis.
2.5. VACUITY D ETECTION 21

2.5.1 Definitions of Vacuity

In order to formalize the intuitive notion of vacuity, Beer et al. formalize when a subformula
of a property affects its truth value in a model. Let [ψ ← ξ ] denote replacing ψ by ξ and
φ [ψ ← ξ ] denote a formula obtained from φ by replacing ψ in φ by ξ . The formula ψ is a
subformula or its occurrence in φ .

Definition 2.5.1 [14, 15] The subformula ψ of φ does not affect φ in a system M if for every
formula ξ , M satisfies φ [ψ ← ξ ] iff M satisfies φ .

Using the definition above, vacuity is defined as follows.

Definition 2.5.2 [14, 15] A system M satisfies a formula φ vacuously iff M |= φ and there is
a subformula ψ of φ such that ψ does not affect φ in M.

We give an example to illustrate the above definition.

Example Consider a model M in which q holds in the initial state and an LTL property φ =
p U q. Observe that M |= φ as q holds in the initial state itself. Hence, any mutation to the
subformula p does not change M |= φ .

A subformula can occur multiple times in a formula. For example, consider the property φ =
G(a ∧ b) ∨ F(¬a ∧ ¬b). The subformulas a and b appear twice in φ . Hence, one can talk about
a subformula ψ of φ affecting φ in M or an occurrence of ψ affecting φ in M. Let us assume
for simplicity that all the subformulas of φ occur only once. Every subformula occurrence, ψ,
in a formula φ may be either

• positive in φ , in the case that it is in the scope of an even number of negations, or

• negative in φ , in the case that it is in the scope of an odd number of negations.1

In the property φ = G(a ∧ b) ∨ F(¬a ∧ ¬b), the first occurrence of a is under even (0) number
of negations and the second occurrence of a is under odd (1) number of negations.
For a formula φ and a subformula occurrence ψ in φ , let φ [ψ ← ⊥] denote the formula
obtained from φ by replacing ψ by false, in case ψ is positive in φ , and replacing ψ by true
if ψ is negative in φ . Dually, φ [ψ ← >] replaces ψ by true, in case ψ is positive in φ , and by
false if ψ is negative in φ .
Determining if a subformula ψ affects φ in M requires checking if M |= φ [ψ ← ξ ] for all
ξ . The following lemma implies that true and false are two extreme replacements of ψ in φ .

Lemma 2.5.3 [79] Given a subformula ψ of φ , for every formula ξ , the implications

φ [ψ ← ⊥] → φ [ψ ← ξ ], and φ [ψ ← ξ ] → φ [ψ ← >]

are valid.

Hence, one may only consider these two replacements, i.e, true and false, as these replace-
ments have extreme effects on the strength of the resulting formulas. The following theorem
formalizes this.
1 If we assume φ in Negation Normal Form, ψ is negative in φ if it is in the immediate scope of a negation and ψ

is positive in φ if it is under no negation. Also, the antecedent of an implication is considered to be under negation.
22 C HAPTER 2. BACKGROUND

Theorem 2.5.4 [79] For every formula φ , a subformula ψ of φ and a model M, the following
are equivalent:

• ψ does not affect φ in M

• M |= φ [ψ ← true] iff M |= φ [ψ ← false].

If M satisfies φ , M also satisfies φ [ψ ← >] as the resulting property is weaker than φ . Together
with Lemma 2.5.3, Theorem 2.5.4 suggests that only replacement by ⊥ needs to be checked
against M. The resulting new definition of vacuity is given below.

Definition 2.5.5 [79] A system M satisfies a formula φ vacuously iff M |= φ and there is a
subformula ψ of φ such that M |= φ [ψ ← ⊥].

Complexity The number of subformulas of φ is bounded by |φ |. Hence, vacuity detection

involves model checking of M against at most |φ | formulas. Let CM (|φ |) denote the complexity
of model checking a formula φ as a function of the size of φ . The problem of checking whether
a formula φ is vacuously satisfied in M can be solved in time O(CM (|φ |) × |φ |).

2.5.2 Interesting Witnesses

If a system M does not satisfy a property φ , most model checking tools return a counterexample
which is helpful to fix possible problems in M or in φ . If M satisfies φ , no witness is provided.
However, a witness for satisfaction is useful, particularly when the formula is not satisfied in a
trivial unintended manner.

Definition 2.5.6 [14, 15] For a system M and a formula φ such that M |= φ , a path π of M is
an interesting witness for φ in M if π satisfies φ non-vacuously.

Let cl(φ ) be the set of all subformulas of φ , including φ but excluding true and false. Generat-
ing an interesting linear witness for φ in M amounts to model checking the following formula
witness(φ ) against M. ^
witness(φ ) = φ ∧ ¬φ [ψ ← ⊥].
ψ∈cl(φ )

A path π satisfying witness(φ ) satisfies φ and moreover, π does not satisfy the formula φ [ψ ←
⊥] for all the subformulas of φ . A counterexample to ¬witness(φ ) in M is an interesting
witness for φ in M.

Complexity Deciding whether a CTL formula is linearly witnessable is in 2EXPTIME and

is EXPTIME-hard. Deciding whether a CTL* formula is linearly witnessable is PSPACE-
complete. An interesting witness for φ in M can be generated in PSPACE since the length of
witness(φ ) is quadratic in |φ |.

2.5.3 Occurrence Vacuity vs. Subformula Vacuity

In Section 2.5.1, we had assumed that all subformulas have single occurrences. In practice,
whether the formula is in LTL, CTL, or any other logic with polarity, subformulas with multi-
ple occurrences abound. For subformulas with several occurrences, Theorem 2.5.4 is no longer
2.5. VACUITY D ETECTION 23

valid as different occurrences of a subformula may have different polarities. Hence, Defini-
tion 2.5.5 is not applicable to detecting vacuity of subformulas with multiple occurrences of
mixed polarity, i.e., some occurrences of the subformula are positive and some are negative. In
this case, the problem of deciding whether a subformula ψ of φ affects φ in M is harder than
deciding whether an occurrence of ψ affects φ in M.
In practice, both subformula vacuity and occurrence vacuity are needed to detect trivial
satisfaction. We now present examples in which occurrence vacuity detects trivial satisfaction
whereas subformula vacuity does not and vice versa.
Consider any model M and the CTL formula AG(p → p). One would expect it to hold
vacuously with respect to the subformula p or its occurrence as the property is a tautology.
To check vacuity of the first and second occurrence of p, we need to check if M satisfies
∀ξ .AG(ξ → p) and ∀ξ .AG(p → ξ ), respectively. Using Definition 2.5.5, the check simplifies
to separately replacing the first and second occurrences of p by ⊥ resulting in formulas AG(p)
and AG(¬p), respectively. These formulas may not be satisfied in M, failing to expose vacuity.
However, if we consider subformula vacuity, ∀ξ .AG(ξ → ξ ) is also a tautology and hence
AG(p → p) is vacuous with respect to the subformula p in M. Thus, occurrence vacuity fails
to detect the problem with the above tautology, whereas subformula vacuity detects it.
There are cases in which subformula vacuity fails to detect vacuity but occurrence vacuity
does not. Consider a model M in which q is never asserted and a property p ∧ AG(q → AF p)
satisfied by M. The property φ is vacuous in M with respect to the second occurrence of p as
M |= p∧AG(q → AF false). However, φ is not vacuous in M with respect to the first occurrence
of p as M 6|= false ∧ AG(q → AF p). Hence, φ is not vacuous in M with respect to p.

Complexity It is shown in [79] that detecting subformula vacuity is computationally more ex-
pensive than detecting occurrence vacuity when a subformula is of mixed polarity. In this case,
the problem of deciding whether a subformula ψ does not affect φ in M is co-NP-complete.
Up to this point, we have discussed vacuity of a single subformula or a single occurrence
of a subformula. However, subformulas can be vacuous together. We discuss this in the next
section.

2.5.4 Mutual Vacuity

Vacuity is not monotonic, i.e., if a property φ is vacuous in a model M with respect to subfor-
mulas ψ1 and ψ2 , the property may not be vacuous in M with respect to both the subformulas
together., i.e., M may not satisfy ∀ζ1 ∀ζ2 .φ [ψ1 ← ζ1 , ψ2 ← ζ2 ]. Consider a simple property
G(a ∨ b) and a model in which both a and b are true everywhere. The property is vacuous in-
dividually in a and b. However, if a and b are simultaneously replaced with false, the resulting
property is G(false), which is falsified by the model. Nevertheless, if subformulas are together
vacuous, they establish stronger facts about the system as illustrated by the following example:

Example Let M be a system as shown in Figure 2.7 and the property be φ = G(a ∨ b ∨ c).

s1 s2
a,c b,c

Figure 2.7: System M

24 C HAPTER 2. BACKGROUND

Observe that the property φ is vacuous in M with respect to individual subformulas a, b,

and c, as φa = G(false ∨ b ∨ c), φb = G(a ∨ false ∨ c), and φc = G(a ∨ b ∨ false) are satisfied by
M. Moreover, a and b can be simultaneously replaced with false resulting in G(c) which is also
satisfied in M. Observe that G(c) is stronger than φa and φb .

In the above example, {a, b} is the largest set of literals that can be simultaneously replaced
with false. The formula G(c) successfully identifies redundancy of a and b for satisfying φ .
Referring to [27], the property φ = G(a ∨ b ∨ c) is mutually vacuous in M with respect to its
subformulas a and b. The following definition formally states mutual vacuity.

Definition 2.5.7 [27] Let M be a system. Let φ be a property such that M |= φ and Ψ =
{ψ1 , . . . , ψn } be distinct subformulas of φ . The property φ is said to be mutually vacuous in M
with respect to Ψ if M |= ∀ξ1 , . . . , ∀ξn .φ [ψ1 ← ξ1 , . . . , ψn ← ξn ].

Detecting mutual vacuity with respect to atomic propositions is also sufficient for detecting
mutual vacuity with respect to arbitrary subformulas as shown by the following theorem. Let
Atomic(ψ, φ ) be the set of all occurrences of atomic propositions of ψ that appear in φ .

Theorem 2.5.8 [27] Given a system M and formula φ such that Ψ = {ψ1 , . . . ψ2 } are arbitrary
subformulas of φ , φ is mutually vacuous in M with respect to Ψ iff it is mutually vacuous with
S
respect to ψ∈Ψ Atomic(ψ, φ ).

The theorem above holds only for subformulas of pure polarity or subformula occurrences.
Thus, checking vacuity with respect to all occurrences of literals in φ is equivalent to checking
vacuity of all general occurrences of subformulas.

Complexity Chechik and Gurfinkel [27] describe an exponential time algorithm for comput-
ing the maximal number of literal occurrences that can be simultaneously replaced with ⊥. A
lower bound for computing maximal number of literals occurrences with respect to which a
property is mutually vacuous in a system is FPNP[logn] -hard [36, 37].

2.5.5 Semantic Vacuity

Another notion of vacuity proposed by Armoni et al. [3] considers semantic perturbation. As
usual, let M be a system and φ be its property with a subformula ψ. In semantic perturbation,
the truth value of ψ is arbitrarily perturbed in M to detect vacuity of φ in M with respect ψ. The
arbitrary semantic perturbation can be modeled by a universal quantifier which is open to two
interpretations giving rise to structure semantics and trace semantics for perturbations. The
corresponding notions of vacuity are called structure vacuity and trace vacuity, respectively.
These notions shall be explained in detail in Chapter 6.
After the discussion of vacuity detection, we now review coverage analysis, an important
sanity check in model checking.

2.6 Coverage Analysis

In the case that all the given properties are satisfied by a system, should the system be consid-
ered correct? A model checker might have failed to find a bug in the system if the corresponding
behavior was not specified in the properties. In practice, it is typically the case that the set of
2.6. C OVERAGE A NALYSIS 25

properties is incomplete, i.e., the set does not specify all the behaviors of the system. Hence,
techniques to assess completeness of properties are necessary. This section covers background
material on assessing the completeness of a given set of properties. Note that in the following
discussion, coverage analysis is performed only for properties satisfied by the system.
In general, for evaluating completeness of a set of properties, a coverage metric needs to be
defined that estimates the completeness of a set of properties. In most of the coverage analysis
literature, the coverage metric is based on mutations, which are small atomic changes to the
system. We elaborate on the work of Hoskote et al. [70], which provides a good understanding
of the coverage metrics in model checking.
Given a property, one of the propositions appearing in the property is identified as an ob-
servable signal. An atomic change, in this case, is mutating the observable signal at a reachable
state of the system. If the property fails on the mutated system, the state is said be covered by
the property with respect to the observable signal. The mutation proposed in [70] flips the value
of the observable signal in a state. The following definition states this formally.

Definition 2.6.1 [70] Given a set of atomic propositions AP = {p1 , p2 , . . . , q} in which q is an

observable signal in a Kripke structure M = (S, T, S0 , AP, L), mutating q in s ∈ S is defined by
the dual Kripke structure Mqs = (S, T, S0 , AP, Lqs ) such that for a state s1

L(s1 ) : if s1 6= s
Lqs (s1 ) :=
(L(s1 ) \ q) ∪ ¬q : otherwise

Using the definition of mutation above, coverage is defined as follows.

Definition 2.6.2 [70] Given property φ and a Kripke structure M = (S, T, S0 , AP, L) such
that M |= φ , a set C ⊆ S is a covered set of φ on M for an observable signal q, denoted as
q − cover(M, φ ) iff for a state s ∈ S, the dual structure Mqs satisfies the condition (Mqs 6|= φ ) ↔
(s ∈ C ).

Coverage of a property with respect to an observable signal in a system is computed as the

fraction of reachable states of the system that are covered. A naive way to compute coverage is
to run the model checker on each mutated system. Hoskote et al. efficiently compute coverage
of an ACTL property without explicitly mutating the system. Their experimental results show
that coverage analysis is only slightly more expensive than model checking alone. Details of
the algorithm can be found in [70].
In [31], Chockler et al. suggest alternative notions of coverage which are better suited to
LTL. Instead of performing local mutations in M, the mutations are performed in the infinite
tree obtained by unwinding M. These shall be revisited in detail in Chapter 6 which establishes
a relationship between the notions of vacuity and coverage.
There are several approaches to modelling a system, resulting in a different reference to
an observable signal and its mutation. The approach suggested by Hoskote et al. in [70] is
state-based. When the system is modeled as a circuit, a logic-based approach [32] is necessary.
The value of a signal is not flipped in a particular state, but, it is fixed to zero, one or ’don’t
care’ in the circuit. This metric is the basis of our work presented in Chapter 3.
At this point, we have reviewed all the necessary background material. We now proceed to
the contributions of this dissertation.
 Coverage in Model Checking
3
Due to the ever-growing complexity of modern hardware and ever-decreasing time-to-market,
functional verification has become a major bottleneck in producing correct hardware. Model
checking has become widely popular as a functional verification technique due to its exhaustive
search of the state space of the systems. Formal properties describing certain functionality of
the system are written and a model checker proves if a given system satisfies these properties.
If the model checker proves that all the properties are satisfied by the system, it is guar-
anteed that the system behaves as specified in those properties. However, the behaviors of the
system not specified in the properties are left unverified. It is rarely the case that the proper-
ties are a full specification of the system and hence, an erroneous behavior of the system may
escape the verification effort. Hence, there is a need to expose features of the system not veri-
fied by a model checking run. This necessitates new properties to be written that specify such
features.
Thorough verification requires exhaustive properties (properties that fully describe the sys-
tem), which are usually difficult to write. Hence, a metric to evaluate exhaustiveness of a set of
properties is necessary. A sanity check for the exhaustiveness of a set of properties is to mea-
sure the coverage of the properties. The use of coverage metrics is commonplace in testing. As
testing all conceivable executions of a design could be infeasible, there is a need for a measure
of exhaustiveness of a given suite of test vectors [16]. There has been extensive research in
the simulation-based verification community on coverage metrics, which provide a heuristic
measure of exhaustiveness of the test suite [103]. In this context, coverage metrics answer the
question “Have I written enough tests?”.
The basic approach to coverage in testing is to record which parts of the design are exer-
cised/activated during the execution of the test suite. Such a metric cannot be used in model
checking as model checking performs an exhaustive exploration of the state space of the sys-
tem during which all parts of the design are exercised. In model checking, coverage metrics
accompany a positive answer from the verification process and are used as an indication of
completeness of the specification. The motivation is clear: an erroneous behavior of the design
can escape the verification effort if this behavior is not captured by the specification. Intuitively,

27
28 C HAPTER 3. C OVERAGE IN M ODEL C HECKING

coverage metrics answer the question “Have I written enough properties?”.

The earliest research on coverage in model checking suggested metrics based on mutations,
which are small “atomic” changes in the design. A part of the design is said to be covered by
a property if the original design satisfies the property, whereas mutating the part of the model
renders the property invalid [70]. This approach is used in the vast majority of literature on
coverage in model checking [32, 31, 30, 33, 77, 78]. The straightforward way to measure mu-
tation coverage is to run a model checker on each of the mutant designs, checking if the mutant
design satisfies the property. Due to the sheer number of conceivable mutations, this approach
is prohibitively expensive even on medium-size designs. This chapter focuses on alleviating
the complexity of computing mutation coverage in interpolant-based model checking.
In this chapter, we present a novel algorithm that computes coverage of a given property
by means of Craig interpolation, which is the state-of-the-art technique used in model check-
ing [87]. The algorithm performs an analysis of the proof of unsatisfiability and the Craig in-
terpolant generated during model checking. The proof and the interpolant provide hints about
the parts of the system that play a role in satisfying the property. The algorithm is imple-
mented and tested on a broad range of circuits. The experimental results demonstrate that the
parts of the design covered by the property can be computed with reasonable cost in relation
to the time taken by the model checking run. To the best of our knowledge, this is the first
interpolant-based algorithm for computing coverage1 .
This chapter is organized as follows. In Section 3.2, we formally define coverage of circuits
given as net-lists. In Section 3.3, we present our algorithm for computing coverage in an
interpolant-based model checker. Details about the implementation of our algorithm and its
experimental evaluation are presented in Section 3.4.

3.1 Preliminaries

An introduction to net-lists is provided in Section 2.1.2. Basics of Craig interpolants and

interpolant-based model checking appear in Section 2.4.4. Given an (A, B)-refutation P, let
ITP (P, A, B) denote a function that maps vertices of P to Boolean formulas over Var(A) ∩
Var(B) such that ITP(P, A, B)(sP ) is an interpolant for (A, B). We remind the reader that
ITP M (P, A, B) denotes the mapping function for McMillan’s interpolation system [87], dis-
cussed in Section 2.4.4.

3.2 Formalizing Coverage

We restrict the presentation to models that are circuits given as net-lists. The mutations we
consider depend on the representation of the design [33]. Essentially, a mutation is a modi-
fication of the design so that the effect of this change is not masked by any another possible
modification. We begin with two illustrative examples that explain the intuition behind the
coverage notion adopted in this chapter. One is a purely combinational circuit and the second
is a sequential circuit.

1 This chapter extends our work in [29]. Several illustrative examples have been added helping the reader understand

the algorithm.
3.2. F ORMALIZING C OVERAGE 29

11

0 01
M1 M3
1 10

00

1
M2 11
0
01
M4 Y
10

00

6 5 4 3 2 1 0

B A opcode

Figure 3.1: A schematic diagram of an ALU

3.2.1 Illustrative Example of Coverage Analysis of ALU

Consider an arithmetic logic unit (ALU) as shown in Figure 3.1. It has three inputs, namely,
A, B, and opcode. It has one output Y. Depending on the opcode supplied, Y is assigned
the result of some logical operation on A and B. The corresponding Verilog code is shown in
Figure 3.2.
Consider a property that checks whether Y is equal to B when two of the most significant
bits of opcode are zero. The ALU satisfies this property. We now compute which parts of the
ALU affect satisfaction of this property.

Coverage Analysis of the ALU schematic When the 6th and 5th bits of opcode are zero,
the output of multiplexer M4 is the output of multiplexer M1, which in turn is B. Hence, the
multiplexer M1 including the AND gate at its selector and the multiplexer M4 play a role in
deciding the outcome of model checking. The rest of the circuit does not influence the model
checking outcome. Any mutations applied to the rest of the circuit, e.g., multiplexers M2 and
M3 do not affect the result of model checking, indicating that they are not covered by the
property.

Coverage Analysis of the ALU net-list Zooming in even further on the net-list of the ALU
as shown in Figure 3.3, do all the gates in M1 and M4 affect the result of model checking?
The 4-to-1 multiplexer M3 is composed of four 2-to-1 multiplexers, namely, M3-1, M3-2,
M3-3, and M3-4. The 4-to-1 multiplexer M4 is composed of two 2-to-1 multiplexers, namely,
M4-1 and M4-2. The sink of the net-list, i.e., node 48 represents output Y of the ALU.
A careful analysis of the net-list reveals that all the nodes in M1 affect the result of model
checking. Mutating any node of M1 prevents M1 from selecting B as its output. As an example,
30 C HAPTER 3. C OVERAGE IN M ODEL C HECKING

module a l u 3 2 ( i n p u t [ 0 : 0 ] A, B , i n p u t [ 6 : 0 ] opcode ,
output reg [ 0 : 0 ] Y) ;

w i r e [ 0 : 0 ] S , Bout ;

a s s i g n Bout = ( o p c o d e [ 6 ] & ˜ o p c o d e [ 5 ] ) ? ˜B : B ;
always @ ( * )
begin
c a s e ( opcode [ 6 : 5 ] )
2 ’ b00 : Y <= Bout ;
2 ’ b11 : b e g i n
c a s e ( opcode [ 4 : 3 ] )
2 ’ b00 : Y <= A & Bout ;
2 ’ b01 : Y <= A | Bout ;
2 ’ b10 : Y <= A ˆ Bout ;
2 ’ b11 : b e g i n
c a s e ( opcode [ 2 : 0 ] )
3 ’ b001 : Y <= ˜ Bout ;
d e f a u l t : Y <= Bout ;
endcase
end
endcase
end
d e f a u l t : Y <= A;
endcase
end
endmodule

Figure 3.2: Verilog code for the ALU in Figure 3.1

3.2. F ORMALIZING C OVERAGE 31

opcode[5] opcode[6]

M1

B 10 opcode[1] opcode[0]

11 12 25 opcode[2]

A 13 26

M3-4 M2

19 22 21 opcode[4] opcode[3] 27 28

23 A 24 29

M3-3

opcode[3] opcode[4] 31 32

20 33

M3-2

opcode[4] opcode[3] 35 34

18 36

M3-1

38 37 opcode[3] opcode[4]

39 16 17

M4-2

40 41 opcode[5] opcode[6]

42 A 15

M4-1

opcode[5] opcode[6] 43 44

14 45

46 47

48

Figure 3.3: A net-list of the ALU. Each node except the primary input is uniquely numbered
and is an AND gate. An incoming edge of a node with a dark arrow head indicates direct
connection. An incoming edge with a diamond head indicates a connection through an inverter.
32 C HAPTER 3. C OVERAGE IN M ODEL C HECKING

Figure 3.4: Coverage analysis of the ALU. Nodes with double-circles are covered by the prop-
erty G((¬opcode[6] ∧ ¬opcode[5]) → (Y == B))
3.2. F ORMALIZING C OVERAGE 33

module s e q ( o u t p u t r e g [ 0 : 0 ] p ,
output reg [ 0 : 0 ] q ,
output reg [ 0 : 0 ] r ) ;

i n i t i a l begin
p= r = 0 ;
q =1;
end

always @ ( posedge clk )

begin
p <= q ;
q <= p ;
r <= q ;
end
endmodule

Figure 3.6: Verilog code of the sequential circuit in Figure 3.5

forcing the value of node 12 to one, makes output of M1 zero. This in turn affects property sat-
isfaction as the zero output of M1 is propagated to Y when opcode[6:5] is zero. Similarly,
node 10 corresponding to the selector of M1 also affects the property satisfaction as forcing the
value of node 10 to one, forces M1 to select ¬B as its output.
Similarly, all nodes in M4-1 affect the outcome of model checking. The multiplexer M4-2
decides the value of Y when opcode[5] and opcode[6] are both one. However, the property
under consideration specifies the behavior when opcode[5] and opcode[6] are zero. Hence,
no node in M4-2 affects the outcome of model checking. Figure 3.4 shows coverage of ALU.
The nodes covered are shown in double circles.

3.2.2 Illustrative Example of Coverage Analysis of a Sequential Circuit

Consider the sequential circuit shown in Figure 3.5. It has three outputs, namely, p, q, and r.
The design has three registers corresponding to each output. The outputs p, q, and r are ini-
tialized to zero, one, and zero, respectively. The Verilog code is shown in Figure 3.6. Observe
that the design satisfies the property G(p ∨ q ∨ r).

p q r
D Q D Q D Q

Q’ Q’ Q’
clk clk clk

Figure 3.5: A sequential circuit N satisfying φN = G(p ∨ q ∨ r)

Since q is initialized to 1, the initial state (p = 0, q = 1, and r = 0) of the circuit satisfies

34 C HAPTER 3. C OVERAGE IN M ODEL C HECKING

the property. At the first positive clock edge, the values of the outputs change to p = 1, q = 0,
and r = 1. At the second positive clock edge, the circuit returns to the initial state.
A careful analysis of the circuit reveals that the register r does not play any role in the sat-
isfaction of the property. If the output of the register r is forced to zero, the property continues
to be satisfied as either of p or q is one. Forcing p to zero, forces the outputs q and r to zero
in the subsequent cycles, falsifying the property. Forcing q to zero has the same effect. Hence,
the registers p and q are covered by the property and the register r is not.
We use this sequential circuit as a running example to explain the algorithm to compute
coverage of a circuit.

3.2.3 Definition of Mutant Net-lists

When a design is modeled as a net-list, the smallest possible modification is changing the type
of a single node. We consider changing the type of a node to INPUT. This new input can be
kept open or fixed to 0 or 1. We do not change a node type to any other type as this may not
always be useful. As an example, consider changing the type of a node from REG to INV.
Formally, the semantics of a mutant net-list is defined by means of a new labeling function
τNv , which replaces a node v by a new primary input:

τ(u) : if u 6= v
τNv (u) :=
INPUT : otherwise

We say that τNv cuts v from N. If a property satisfied by the original net-list fails on the mutant
net-list, we say that the node is NONDET- COVERED. The new input v can also be held to zero
or one. These mutations are known as stuck-at-0 and stuck-at-1 mutations, respectively. The
corresponding coverage notions are called ZERO - COVERAGE and ONE - COVERAGE. Observe
that a node that is ZERO - COVERED or ONE - COVERED is also NONDET- COVERED. A node can
be NONDET- COVERED, but not be ZERO - COVERED or ONE - COVERED.

Lemma 3.2.1 Consider a net-list N and a property φ . If a node v in N is ZERO - COVERED

or ONE - COVERED by φ , v is also NONDET- COVERED by φ . The reverse implication does not
hold: a node NONDET- COVERED by φ may not be ZERO - COVERED or ONE - COVERED by φ .

We do not consider mutations that affect the initial state. Also, changing the values of two or
more nodes simultaneously is ill-advised, because the effect of changing the value of the first
node can be masked by changing the value of the second node.
Our coverage metric for a property φ is defined as the fraction of the mutants discovered
by checking φ , i.e., φ passes on the original net-list, but fails on the mutant net-list. Coverage
of a set of properties can be measured as the fraction of mutants discovered by at least one
property. A naive way to compute coverage is to mutate each node and run a model checker
on each mutated system. This is necessarily expensive. In the next section, we propose a more
efficient algorithm.

3.3 Computing Coverage

This section explains the coverage computation algorithm. We use the sequential circuit from
Section 3.2.2 as an illustrative running example. Let N denote the circuit and φN denote the
 3.3. C OMPUTING C OVERAGE 35

property.2

3.3.1 Overview

Algorithm 3.1 takes a net-list N = (VN , EN , τN ) and a set of failure states F as input. It computes
three maps nc, zc, and oc. These variables track the status of the nodes and map a node
v to C OVERED, N OT C OVERED, or U NKNOWN. Initially, these variables map all nodes to
U NKNOWN.
force vf

vmx
selector vs

Figure 3.7: Mutating v using a multiplexer

In order to force a vertex v in N to zero, one, or to make it non-deterministic, a multiplexer

is introduced in N as shown in Figure 3.7. We further modify the edges of the net-list such that
the tails of all the edges directed from v are changed to vmx . Forcing the selector vertex vs to
one cuts a vertex v. In addition, fixing vf to zero or one causes vmx to be stuck-at-0 or stuck-
at-1, respectively. The vertices vs and vf are called the selector and force of the multiplexer,
respectively.
We write TNmx for the transition relation of this new net-list Nmx . We denote the formula that
constrains the selectors by SEL. The transition relation and the constraints together are denoted
SEL
SEL = TNmx ∧SEL. The resulting net-list is denoted as Nmx and the corresponding transition
as TNmx
system is (SNmx
SEL , TN SEL ). The following example illustrates how we insert multiplexers in N.
mx

Example Consider the sequential circuit N described in Section 3.2.2. We mutate this circuit
by introducing multiplexers at the inputs of all the three registers as shown in Figure 3.8.
The selectors of the multiplexers are named rs , ps , and qs . The corresponding force vertices
are rf , pf , and qf , respectively. Observe that if rs , qs , and ps are tied to zero, the mutated
circuit functions as was designed originally. If ps is tied to one, the output pmx is equal to pf
which can be held to zero, one or a non-deterministic value. The same holds for the other two
multiplexers.

As the first step, the algorithm runs an interpolant-based model checker on the model in which
all selectors are set to zero, i.e., the model is equivalent to the original circuit. This selector
constraint is denoted as SELo . Let vts denote the selector variable of the multiplexer of vertex v
v∈VN ¬vt . The algorithm saves the final proof P
Vk V s
at time t. Thus, for a bound k, SELo = t=0
and the inductive invariant R̂S0 produced by the model checker. The algorithm proceeds with
five tests:

1. C ORE: In the first test, nodes not mentioned in the proof are identified, and the corre-
sponding nodes in the net-list are declared not covered.
2 No conclusions about the complexity of the circuits handled by our algorithm should be made from this example.

This simple example is chosen only for ease of illustration.

36 C HAPTER 3. C OVERAGE IN M ODEL C HECKING

Algorithm 3.1 C OVERAGE C HECKS

Input: Net-list N = (VN , EN , τN ) and failure states F
Output: nc, zc, and oc (coverage results)
1: for all v ∈ VN do nc[v] := zc[v] := oc[v] := U NKNOWN ;

2: Check (SN SELo , TN SELo ) |= ¬F using interpolant-based model checking.

mx mx
3: Let P be the final resolution proof, R̂S0 the inductive invariant, k the final bound, m
#(approx. image steps at bound k)
4: Let SELv represent the selector settings corresponding to mutating vertex v of N.
5: for all v ∈ VN do
6: if ∀t.vts 6∈ `P (v p ) for any v p ∈ VP then . C ORE
7: nc[v] := zc[v] := oc[v] := N OT C OVERED
Add S0 (s0 ) ∧ e−1 e
i=0 TNmx (si , si+1 ) ∧ i=0 F(si ) to solver S, where e = k + m
V W
8:
9: for all v ∈ VN do . C OUNTEREXAMPLE
10: for each nc[v], zc[v], and oc[v] = U NKNOWN do
11: Assume SELv and solve S
12: if SATISFIABLE then
13: Mark nc[v], oc[v] or zc[v] as C OVERED.
14: Solve Formula 3.6 and let PI be the resolution proof.
Add v∈VP (`PI (vPI ) | `PI (vPI ) 6∈ B) to solver SI
V
15:
I
16: for all v ∈ VN do . I NDUCTION
17: for each nc[v], zc[v], and oc[v] = U NKNOWN do
18: Assume SELv and solve SI
19: if UNSATISFIABLE then
20: Mark nc[v], oc[v] or zc[v] as N OT C OVERED.
21: Add R̂S0 (s0 ) ∧ TNmx (s0 , s1 ) ∧ ¬R̂S0 (s1 ) to solver SR
22: for all v ∈ VN do . I NDUCTION R ESTART
23: for each nc[v], zc[v], and oc[v] = U NKNOWN do
24: Assume SELv and solve SR
25: if UNSATISFIABLE then
26: Mark nc[v], oc[v] or zc[v] as N OT C OVERED.
27: for all v ∈ VN do . I NTERPOLATION
28: for each nc[v], zc[v], and oc[v] = U NKNOWN do
29: Run interpolant-based model checking on the new design
30: Mark nc[v], oc[v] or zc[v] according to the outcome
3.3. C OMPUTING C OVERAGE 37

p pmx q rmx r
D Q 0 D Q 0 D Q
1 1
pf rf
Q’ ps Q’ rs Q’
clk clk clk

0
qmx 1 qf
qs

Figure 3.8: The mutation Nmx of N in Figure 3.5

2. C OUNTEREXAMPLE: For each of the three types of mutations, a BMC run provides a
counterexample which is used to identify some covered nodes in the net-list.
3. I NDUCTION: We check if an inductive argument that a node in the net-list is not covered
can be made, using the inductive invariant supplied by the model checker and only the
nodes mentioned in the proof (not the full net-list).
4. I NDUCTION R ESTART: We check if the inductive argument above can be made using the
inductive invariant and the complete net-list.
5. I NTERPOLATION: Full interpolant-based model checking is applied to all nodes that are
still undecided.

The following subsections elaborate on these tests.

3.3.2 Coverage Analysis with Interpolants

The first step is to apply interpolant-based model checking to Mo = (SN SELo , TN SELo ). We refer
mx mx
the reader to Section 2.4.4 for background on interpolant-based model checking. Recall that
the transition system for the original net-list is (SN , TN ). As the selectors in Nmx are held to
zero, SN SELo = SN . The BMC-style unwinding for Mo with a bound k is shown below:
mx
def
BMCI = Q(s0 ) ∧ TNmx (s0 , s1 )
def Vi=k−1 Wi=k
BMCT = i=1 TNmx (si , si+1 ) ∧ i=1 F(si ) (3.1)
def
BMCS = SELo
Note that the vector variables si include the variables corresponding to the vertices vf and vs of
the multiplexers. For over-approximate image computation using Craig interpolants, let
def
= BMCI ∧ ¬vs0 and
V
A v∈VN
def Vk
= BMCT ∧ ¬vts .
V
B t=1 v∈VN (3.2)

In the beginning, Q = S0 . As described in Section 2.4.4, the interpolant-based model check-

ing procedure successively computes approximate images by interpolating the pair (A, B). As-
sume that it reaches a fixed point after m approximate image steps at the bound k. Let R̂S0
denote the final inductive invariant and P denote the final proof of unsatisfiability.
38 C HAPTER 3. C OVERAGE IN M ODEL C HECKING

Seq. Cct. Element Formula CNF

Initial states p0 = 0, q0 = 1, r0 = 0 ¬p0 ∧ q0 ∧ ¬r0
s s f
qmx qmx
0 ↔ ((q0 ∨ q0 ) ∧ (¬q0 ∨ q0 )) (¬q0 ∨ qs0 ∨ qmx s mx
0 ) ∧ (q0 ∨ q0 ∨ ¬q0 )∧
s f mx
(¬q0 ∨ ¬q0 ∨ q0 ) ∧ · · ·
s s f
pmx pmx
0 ↔ ((p0 ∨ p0 ) ∧ (¬p0 ∨ p0 )) (¬p0 ∨ ps0 ∨ pmx s mx
0 ) ∧ (p0 ∨ p0 ∨ ¬p0 ) ∧ · · ·
f
rmx r0mx ↔ ((r0s ∨ q0 ) ∧ (¬r0s ∨ r0 )) (¬q0 ∨ r0s ∨ r0mx ) ∧ (q0 ∨ r0s ∨ ¬r0mx ) ∧ · · ·
q1 ↔ p0 mx (¬q1 ∨ pmx mx
q1 0 ) ∧ (¬p0 ∨ q1 )
p1 p1 ↔ qmx0
mx mx
(¬p1 ∨ q0 ) ∧ (¬q0 ∨ p1 )
r1 r1 ↔ r0mx (¬r1 ∨ r0mx ) ∧ (¬r0mx ∨ r1 )
Faulty States ¬(p1 ∨ q1 ∨ r1 ) ¬p1 ∧ ¬q1 ∧ ¬r1
Selectors ¬ps0 ∧ ¬qs0 ∧ ¬r0s ¬ps0 ∧ ¬qs0 ∧ ¬r0s

Table 3.1: Important CNF formulas in BMC1 (No , φN )

Example Continuing Example 3.3.1, we hold the selectors rs , ps , and qs to zero. We now
show how interpolant-based model checking proves that the property is satisfied by the circuit.
Table 3.1 lists the important clauses of BMC1 (No , φN ).
The resolution proof of BMC1 (No , φN ) for the first iteration with k = 1 and Q = S0 =
¬p0 ∧ q0 ∧ ¬r0 is shown in Figure 3.9. The only clause in the proof that belongs to B is ¬p1 .
Hence, the interpolant for the pair (A, B) is p1 . It is easy to see that p1 over-approximates the
next state (p1 ∧ ¬q1 ∧ r1 ) of the initial state.
In the next iteration, Q = p ∨ (¬p ∧ q ∧ ¬r) = (q ∨ p) ∧ (¬r ∨ p). The resolution refutation
of BMC1 (No , φN ) is shown in Figure 3.10. The interpolant for the new pair (A, B) is p1 ∨ q1 .
Continuing, Q = (p ∨ q) ∨ p ∨ (¬p ∧ q ∧ ¬r) = (p ∨ q) ∨ (¬p ∧ q ∧ ¬r) = p ∨ q. Since Q is
contained in the previous image p ∨ q, a fixed point is reached. An invariant of the circuit, i.e.,
union of all the images computed so far is p ∨ q.

¬qs0 qs0 ∨ ¬q0 ∨ qmx

0 ¬qmx
0 ∨ p1

¬q0 ∨ qmx
0

¬q0 ∨ p1 q0

p1 ¬p1

Figure 3.9: Resolution refutation P1 of BMC1 for the mutated sequential circuit in Figure 3.8
with ps0 , qs0 , and r0s forced to zero with F = ¬p1 ∧ ¬q1 ∧ ¬r1 and Q = ¬p0 ∧ q0 ∧ ¬r0 . The
clauses shown in bold belong to B.

At this point, we compute another interpolant with a different partitioning:

(BMCS , BMCI ∧ BMCT )
3.3. C OMPUTING C OVERAGE 39

¬ps0 ¬p0 ∨ ps0 ∨ pmx

0 ¬qs0 qs0 ∨ ¬q0 ∨ qmx
0 ¬qmx
0 ∨ p1

q1 ∨ ¬pmx ¬p0 ∨ pmx

0 ¬q0 ∨ qmx
0 0

¬p0 ∨ q1 ¬q1 ¬q0 ∨ p1 q0 ∨ p0

¬p0 p1 ∨ p0 ¬p1

p0

Figure 3.10: Resolution refutation P2 for the final iteration during interpolant-based model
checking of Nmx in Figure 3.8 with ps0 , qs0 , and r0s forced to zero, F = ¬p1 ∧ ¬q1 ∧ ¬r1 , and
Q = (q0 ∨ p0 ) ∧ (¬r0 ∨ p0 ). The clauses shown in bold belong to B.

Let I = ITP(P, BMCS , BMCI ∧ BMCT )(sP ) denote the interpolant when a fixed point is
def

reached. The following holds by definition of Craig interpolants:

BMCS → I
BMCI ∧ BMCT → ¬I (3.3)
The following theorem states that the interpolant I consists of conjunctions of negative literals
corresponding to selector variables present in the proof of unsatisfiability.
B0 A 0
z }| { z }| {
Theorem 3.3.1 Let the final proof of unsatisfiability of R̂S0 (s0 ) ∧ TNmx (s0 , s1 ) ∧ BMCT ∧ BMCS
during model checking of Mo be P. An interpolant ITP(P, A0 , B0 )(sP ) consists of conjunctions
of `P (vi ) for all initial vertices vi of P with `P (vi ) ∈ BMCS .

Proof We provide a proof in McMillan’s system of interpolation [87].

The formula A0 consists of conjunctions of negative literals corresponding to selector vari-
ables. From this, we know that for an initial vertex v p with `P (v p ) ∈ A0 , `P (v p ) is a single
literal clause corresponding to some ¬vts .
A clause ¬vts of A0 is resolved with a clause containing vts in P. Such clauses are present
only in B0 , as A0 does not contain any positive literal vts . It follows that the variables in `P (v p )
such that `P (v p ) ∈ A0 are also in B0 . Hence, all the variables of A0 that appear in P are global
variables.
For an initial vertex v p ∈ P and `P (v p ) ∈ A0 , the partial interpolant is `P (v p ). For an
initial vertex v p ∈ P and `P (v p ) ∈ B0 , the partial interpolant is true.
At any internal node v p in P, pivP (v p ) belongs to either only B0 or both, A0 and B0 .
According to McMillan’s system of interpolation, the partial interpolants of the parent vertices
are conjoined if the pivot of an intermediate vertex in the proof belongs to B0 . Hence, at any
intermediate vertex in P, partial interpolants are conjoined.

Example Consider the final proof P2 computed in Example 3.3.2. The proof P2 is shown in
Figure 3.10. We have BMCS = ¬ps0 ∧ ¬qs0 ∧ ¬r0s . Out of this, only clauses ¬ps0 and ¬qs0 appear
in the the proof P2 . It is easy to see that ITP(P2 , A0 , B0 ) = ¬ps0 ∧ ¬qs0 .
40 C HAPTER 3. C OVERAGE IN M ODEL C HECKING

Note that Theorem 3.3.1 can also be generalised to the following theorem.

Theorem 3.3.2 Let Ai ∧ Bi be an unsatisfiable formula such that Ai = a0 ∧ a1 ∧ · · · and let Pi

be a proof of its unsatisfiability. An interpolant ITP(Pi , Ai , Bi ) consists of conjunctions of ai . It
holds that ai ∈ ITP(Pi , Ai , Bi ) ↔ (`Pi (vi ) = ai and ai ∈ Ai ) where vi is an initial vertex of Pi .

Proof For each ai appearing in Pi , Bi contains ¬ai . Hence, each ai appearing in Pi are
common to Ai and Bi . This satisfies the common vocabulary constraint of Craig interpolants.
Consider a formula Ii which is a conjunction of `Pi (vi ) of all initial vertices vi of Pi such
that `Pi (vi ) ∈ A. It is easy to see that Ai → Ii .
The formula Ii contains conjunctions of only those ai s that appear in the proof Pi . Hence,
we know that Ii ∧ Bi is unsatisfiable from existence of Pi .
Hence, Ii is an interpolant of the unsatisfiable pair (Ai , Bi ).

The following theorem states that the selector settings according to I preserve the inductive
invariant.

Theorem 3.3.3 The inductive invariant R̂S0 of Mo = (SN SELo , TN SELo ) is also an inductive in-
mx mx
variant of MI = (SNmx
I , TN I ).
mx

Proof Remember that for approximate image computation, we create a pair of unsatisfiable
formulas (A, B) as shown in Formula 3.2.
The following formula is unsatisfiable for Mo .

R̂S0 (s0 ) ∧ TNmx (s0 , s1 ) ∧ BMCT ∧ BMCS (3.4)

Let Po be the proof of unsatisfiability of Formula 3.4. Let ITP(Po , A, B)(sP ) be denoted as
Io , which is the approximate image of R̂S0 contained in R̂S0 (the fixed point). Hence, Io ⊆ R̂S0 .
For MI , we begin with Q = R̂S0 . From Equation 3.3,

R̂S0 (s0 ) ∧ TNmx (s0 , s1 ) ∧ BMCT ∧ I (3.5)

is unsatisfiable. From Theorem 3.3.1, we know that I conjoins only those selector literals from
BMCS that are used in Po . The proof Po is also a proof of unsatisfiability of Formula 3.5. The
interpolant ITP(Po , A, B)(sP ) where A and B are partitions of Formula 3.5 is also Io . Hence,
the approximate image of R̂S0 in MI , i.e., Io is contained in R̂S0 . This indicates that a fixed
point is reached.

Example From Example 3.3.2, we have I = ¬ps ∧ ¬qs . It is easy to see that the inductive
invariant p ∨ q of the circuit is also an inductive invariant of the circuit in which only ps and qs
are set to zero (no mutation) and rs is set to one (mutated) or zero (not mutated). Observe that
¬ps ∧ ¬qs ∧ ¬rs → I is valid and so is ¬ps ∧ ¬qs ∧ rs → I .

Lemma 3.3.4 Let SELv represent the selector settings corresponding to mutating a vertex v of
N according to some coverage criterion. If SELv → I , then v is not covered by that mutation.

Example Continuing Example 3.3.2, we set r0s to one and the rest to zero, i.e., SELr = rs ∧
¬ps ∧ ¬qs . Hence, SELr → (¬ps ∧ ¬qs ). Using Lemma 3.3.4, register r is not covered by the
property φN = G(p ∨ q ∨ r).
3.3. C OMPUTING C OVERAGE 41

Thus, we can run interpolant-based model checking on Mo = (SN SELo , TN SELo ) and compute
mx mx
the interpolant I from the final proof of unsatisfiability. The selectors of the multiplexers
occurring in I when held to zero guarantee that the resulting system does not violate the
property. The following section states that for the purpose of coverage computation, a simple
analysis of the proof of unsatisfiability is enough, and that it is not necessary to compute the
interpolant.

3.3.3 The Unsatisfiable Core Test

The following lemma states that absence of some selector variables in the final proof P during
interpolant-based model checking of Mo can be used to identify which vertices are not covered.

Lemma 3.3.5 Consider a vertex v in the net-list N. For all t such that 0 ≤ t ≤ k if the selector
variables vts do not appear in P, then v is not NONDET- COVERED.

Proof We show that the selector formula corresponding to mutating v into a new primary input
implies I . The selector formula
t=k t=k
vts ∧ {¬wts |w 6= v}
^ ^ ^
SELv =
t=0 t=0 w∈VN

corresponds to this mutation. Using Theorem 3.3.1, we conclude

I =
^
{`P (v p ) | `P (v p ) ∈ SELo }.
v p ∈VP

Each conjunct in SELv is a conjunct in I , except vts as P does not contain vts in any time
frame. Hence, SELv → I .

Thus, a proof-logging SAT solver is not required; a solver able to identify the clauses that
result in a proof is sufficient. Note that even if v is not NONDET- COVERED, it is possible that
vts appears in the proof P under consideration.

Example Consider the final proof P2 shown in Figure 3.10, computed in Example 3.3.2. The
selector variable rs does not appear in the proof in any timeframe indicating that the register r
is not needed to prove the property. Thus, the register r is neither NONDET- COVERED, ONE -
COVERED nor ZERO - COVERED by the property. Although, ps and qs appear in the proof, we
do not know if the registers p and q are NONDET- COVERED.

As indicated by the example above, the core test may fail to detect coverage of some nodes
in the net-list. In the next section, we discuss a BMC-based low cost technique to compute
coverage of the remaining nodes.

3.3.4 The Counterexample Test

A counterexample, i.e., a path from S0 to F in the mutant circuit indicates at least one covered
mutation. It is essential to identify such mutations early before expensive model checking runs
are performed. Counterexamples of a given length can be obtained at moderate cost using
BMC.
42 C HAPTER 3. C OVERAGE IN M ODEL C HECKING

Since R̂S0 ⊇ m i
i=0 img (S0 ), there is a path of length ≤ m from S0 to RS0 in the original
S

system. As RS0 does not reach F in k steps, all paths of length ≤ (k + m) from S0 in M do not
reach F. We check if a counterexample of length ≤ (k + m) exists in (SN SELv , TN SELv ). Note
mx mx
that we only mutate one vertex at a time. For each trace obtained from the propositional SAT
solver, the mutations found covered are recorded.

Example Consider the interpolant-based model checking steps worked out in Example 3.3.2.
Note that m = 2 and k = 1.
In the counterexample test, the selector ps is forced to one and the force pf is either tied to
zero, one, or kept non-deterministic. We check if a path of length ≤ 3 exists to faulty states,
i.e., ¬p ∧ ¬q ∧ ¬r.

NONDET- COVERAGE of p: Consider the mutation which forces ps to one and pf to a non-
deterministic value. Note that a non-deterministic pf can assume any value between zero and
f
one in any timeframe. Starting with the initial state ¬p0 ∧ q0 ∧ ¬r0 , ps0 = 1, and p0 = 0, the
next state is p1 ∧ ¬q1 ∧ r1 , the next state of which is in turn ¬p2 ∧ ¬q2 ∧ ¬r2 , which violates
the property φN . Hence, the register p is NONDET- COVERED by the property.

ONE - COVERAGE of p: Consider a stuck-at-1 mutation which forces ps to one and pf to one.
For 0 ≤ i ≤ 3, the value of pmx
i is one, which is shifted to the register q on each positive clock
edge. Hence, there is no counterexample of length ≤ 3 that violates φ . The counterexample
test is inconclusive about whether p is ONE - COVERED by φ .

ZERO - COVERAGE of p: Consider a stuck-at-0 mutation which forces ps to one and pf to

zero. For 0 ≤ i ≤ 3, pmx
i = 0. The image of the initial state is p1 ∧ ¬q1 ∧ r1 , whose next state is
¬p1 ∧ ¬q1 ∧ ¬r1 . As none of p, q, or r are one in this state, this state violates φN . Hence, the
register p is ZERO - COVERED by the property.
Similarly, q is NONDET- COVERED and ZERO - COVERED by the property. The counterex-
ample test is inconclusive about whether q is ONE - COVERED by the property.

As seen in the example above, the core test and the counterexample test may be inconclu-
sive about coverage of some nodes in the net-list. In the next section, we discuss another low
cost technique to compute coverage of the remaining nodes.

3.3.5 Two Induction-based Tests

We exploit the inductive invariant R̂S0 of Mo to analyze the remaining mutations at low cost.
As R̂S0 is an inductive invariant of Mo , the following formula is unsatisfiable:
AI BI
z }| { V z }| {
R̂S0 (s0 ) ∧ TNmx (s0 , s1 ) ∧ ¬R̂S0 (s1 ) ∧ v∈VN (¬vs0 ∧ ¬vs1 ) (3.6)
Let PI be the proof of unsatisfiability of Formula 3.6.

Lemma 3.3.6 Let SELv be the selector settings for some mutation of v and
AI 0 =
^
{`PI (v) | `PI (v) 6∈ BI}.
v∈VPI

If SELv ∧ AI 0 is unsatisfiable, v is not covered by the mutation.

3.3. C OMPUTING C OVERAGE 43

Proof Note that `PI (v) 6∈ BI iff `PI (v) ∈ AI. It holds that AI → AI 0 . Thus, if AI 0 and SELv are
inconsistent, AI and SELv are inconsistent. Also, S0 ⊆ R̂S0 , as our mutation does not affect the
initial states. Hence, R̂S0 is an inductive invariant of (SN SELv , TN SELv ).
mx mx

Example The proof P2 computed in Example 3.3.2 is also the resolution proof of unsatisfia-
bility of Formula 3.6 for No . We now check if the clauses in P2 belonging to AI 0 can be reused
to conclude whether q is ONE - COVERED by the property φN .
The AI-clauses from P2 form AI 0 and SELq = ¬ps0 ∧ qs0 ∧ q0f ∧ ¬r0s . It is easy to see that
AI 0 ∧ SEL
q is satisfiable. Hence, the test is inconclusive about whether q is ONE - COVERED by
the property. Similarly, we do not know yet whether p is ONE - COVERED by the property.

If Formula 3.6 is satisfiable, it may be that the remaining clauses from AI are needed to prove
inductiveness. This can be done by checking AI ∧ SELv using the following SAT instance:

R̂S0 (s0 ) ∧ TNmx (s0 , s1 ) ∧ SELv ∧ ¬R̂S0 (s1 ) (3.7)

Lemma 3.3.7 Let SELv be the selector setting for some mutation of v. If Formula 3.7 is unsat-
isfiable, v is not covered by the mutation.

Proof Recall S0 ⊆ R̂S0 . Since Formula 3.7 is unsatisfiable, the image of R̂S0 for the mutated
transition relation is contained in R̂S0 , which is strong enough to prove the property.

Example Consider the mutated sequential circuit Nmx in Figure 3.8 and the property φN . We
check if q is ONE - COVERED by φN . The inductive invariant of No is p ∨ q. The formula (p0 ∨
f
q0 ) ∧ ¬p1 ∧ ¬q1 ∧ ¬ps0 ∧ qs0 ∧ q0 ∧ ¬r0s conjoined with the clauses related to Nmx in Table 3.1
(rows 2-7) is unsatisfiable. Figure 3.11 shows the proof of unsatisfiability. Hence, the register
q is not ONE - COVERED by φN . Similarly, it can be checked that the register p is not ONE -
COVERED by φN .

f
¬qs0 ∨ ¬q0 ∨ qmx
0 qs0

f f
q0 ¬q0 ∨ qmx
0

¬qmx
0 ∨ p1 qmx
0

¬p1 p1

f
Figure 3.11: Proof of unsatisfiability of Formula 3.7 for Nmx and SELq = ¬ps0 ∧ qs0 ∧ q0 ∧ ¬r0s
44 C HAPTER 3. C OVERAGE IN M ODEL C HECKING

Interpolant-based Model Checking for Coverage Analysis If Formula 3.7 is satisfiable, a

different inductive invariant for the mutated system may still exist. In this case, we fall back to
interpolant-based model checking of the mutated circuit.
Table 3.2 lists the coverage results for the sequential circuit N and the property φN . In this
example, the coverage tests described above successfully identify coverage of each register and
the algorithm does not resort to interpolant-based model checking for coverage analysis of any
of the registers.

Register NONDET- COVERED ZERO - COVERED ONE - COVERED

p X X ×
q X X ×
r × × ×

Table 3.2: Coverage of the three registers in N. A Xstands for covered and a × stands for not
covered.

3.4 Experiments

We have implemented the proposed algorithm in the tool EBMC. EBMC accepts Verilog as
well SMV files as input. In addition, the tool supports SystemVerilog assertions for specifying
safety properties.

3.4.1 Coverage Analysis of HWMCC’08 circuits

We use the circuits from the Hardware Model Checking Competition 2008 as benchmarks.
Each of these benchmarks is shipped with one property. We ran our tool on 161 benchmarks
that our interpolant-based model checker is able to complete within a timeout of 1800 sec-
onds. The average number of registers/latches in these benchmarks is about 110 with a median
75, and maximum number of latches of 567. About 25% of the benchmarks have a high-
coverage property (an average of 40% of the latches are NONDET- COVERED). The remainder
of the benchmarks have low-coverage properties (an average of 5% of the latches are NONDET-
COVERED ).

We restrict the coverage analysis to the registers. For each register in the design, we check
whether it is ZERO - COVERED, ONE - COVERED, or NONDET- COVERED. Figure 3.12 is a log-
scale scatter plot comparing the time taken by our algorithm with the time it would take to run
model checking on each of the mutated designs.3 The speedup obtained using our method is
several orders of magnitude.
We quantify the success rates of the proposed five methods presented in Section 3.3. We
call a test successful if it is able to classify a given mutation as covered or not covered. The
histogram in Figure 3.13 depicts the relative success rates of each test for computing coverage.
The coverage of a vast majority of mutations is decided by the C ORE and the C OUNTEREX -
AMPLE (CE) tests. Our method is indeed able to avoid most of the expensive calls to the
interpolant-based model checker: in 50% of the benchmarks, we call the model checker in
only 10% of the cases.
3 This time is estimated based on the time spent on model checking some mutated systems, as the full check is

prohibitively expensive for many examples.

3.4. E XPERIMENTS 45

100000

10000
Naive algorithm [sec]

1000

100

10

0.1
0.1 1 10 100 1000
Our algorithm [sec]

Figure 3.12: Comparison of naive vs. C OVERAGE C HECKS

For benchmarks with a low-coverage property, most of the selector constraints are not in
the core. Thus, the C ORE test is frequently successful on this category of benchmarks. On
benchmarks with a high-coverage property, a counterexample for one mutant is often applicable
to many others, which means that the C OUNTEREXAMPLE test is successful. The remaining
tests contribute roughly equal parts.
In most cases, an approximate coverage metric is sufficient. We observe that our algorithm
is very well-suited for obtaining a quick approximation. Figure 3.14 reports the time overhead
in relation to the original model checking run for a given accuracy, averaged over the bench-
mark set. We note that 90% accuracy can be obtained for 90% of the benchmarks analyzed
with an overhead of only 2.

3.4.2 Coverage Analysis on IBM Circuits

We have analyzed 10 industrial designs from IBM with C OVERAGE C HECKS and compared the
results to the naive algorithm. Table 3.3 and Table 3.4 report the success of the proposed tests
on these examples. The timeout is set to 7200 seconds. The column #LAT reports the number
of latches in the design. For each latch, we check if it is ZERO - COVERED, ONE - COVERED, or
NONDET- COVERED . Hence, there are #LAT × 3 coverage tests for each example.

The column #CORE reports the number of successful C ORE tests. Note that if a C ORE
test is successful for a latch, the latch is NOT- NONDET- COVERED, and hence, it is NOT- ONE -
COVERED and NOT- ZERO - COVERED as well. For example, out of the 8 latches in Example 3,
18/3=6 latches do not appear in the proof. Hence, these 6 latches are NOT- ZERO - COVERED,
NOT- ONE - COVERED , and NOT- NONDET- COVERED .

The column #IND reports the number of successful induction tests. In Example 3, out of
the remaining 24 − 18 = 6 tests, the coverage results of two tests are identified by the induction
46 C HAPTER 3. C OVERAGE IN M ODEL C HECKING

100

80
% of successful coverage tests

60

40

20

0
benchmark circuits
Core Induction Interpolation
CE InductionR

Figure 3.13: Histogram of the success rates of the proposed tests in C OVERAGE C HECKS

C OVERAGE C HECKS
Ex #LAT #CORE #IND #CE T1 (sec) #INT T2 (sec) %COVC
1 125 372 1 0 2 2 2.5 100
2 125 372 1 0 2 2 2.5 100
3 8 18 2 2 0.03 2 0.08 100
4 52 156 0 0 0.5 0 0.5 100
5 125 372 1 0 2 2 2.5 100
6 125 372 1 0 2 2 2.5 100
7 42 87 4 0 4.4 1 7200* 73
8 42 87 4 0 6.1 1 7200* 73
9 42 87 4 0 75 1 7200* 73
10 42 87 4 0 6.1 1 7200* 73

Table 3.3: Coverage data on IBM benchmarks. A timeout is indicated by *.

3.4. E XPERIMENTS 47

100

90 90% Ac
curacy

80 curacy
95% Ac

70
Benchmarks in %

60 100
%A
ccura
cy

50

40

30

20

10

0
1 10 100
Overhead

Figure 3.14: Overhead for a given accuracy

test, classifying the corresponding latch as not-covered by that mutation.

The column #CE reports the number of successful counterexample tests. The counterexam-
ple test (CE test) was only successful on Example 3. In Example 3, the coverage results of two
tests are identified by the counterexample test classifying the corresponding latch as covered
by that mutation. It is likely that the low success rate of the counterexample test is due to the
low coverage of the properties on these examples: only 1–2% of the latches are covered.
We need to run the interpolation based-model checking in order to compute coverage of the
remaining latches. The column #INT reports the number of successful (complete) interpolation
runs. In Example 3, coverage results of two tests could be obtained only by means of the
interpolation-based model checker.
The column T2 reports the total running time of C OVERAGE C HECKS. The column T1 re-
ports the running time of C OVERAGE C HECKS without the interpolation-based model checker.
The column #NAIVE reports the number of coverage tests executed by the naive algorithm in
2 hours. The column TN reports the running time of the naive algorithm.
The columns %COVC and %COVN report the percentage of successful coverage tests using
C OVERAGE C HECKS and the naive algorithm, respectively. For the examples in which all the
coverage tests are completed in 2 hours, C OVERAGE C HECKS is 14–26 times faster than the
naive coverage computation algorithm. For the examples in which both the algorithms timed
out, C OVERAGE C HECKS computed approximately 70% of the coverage results (approximate
coverage) in 4–75 seconds. For the same examples, the naive algorithm computed less than
20% of the coverage results in 2 hours.
48 C HAPTER 3. C OVERAGE IN M ODEL C HECKING

Naive
Ex #LAT #NAIVE TN (sec) %COVN
1 125 375 65 100
2 125 375 65 100
3 8 24 0.1 100
4 52 156 7 100
5 125 375 65 100
6 125 375 65 100
7 42 21 7200* 16.6
8 42 20 7200* 15.8
9 42 21 7200* 16.6
10 42 21 7200* 15.8

Table 3.4: Naive Coverage data on IBM benchmarks. A timeout is indicated by *.

3.5 Conclusion

Low coverage indicates possible incompleteness in the specification, which may lead to missed
bugs in the parts of the design not covered by the specification. We present an algorithm for
computing mutation coverage of designs represented as net-lists. Our algorithm is integrated
and implemented in a Craig interpolant-based model checker. The main advantage of our algo-
rithm is that it exploits the information in the final resolution proof, and thus, the model checker
needs to be run only on a very small percentage of mutations. Our tool also allows precision to
be traded for speed. We show that a very accurate coverage measure can be computed with lit-
tle overhead compared to the time taken by the model checking run on the original design. Our
technique provides a speedup of several orders of magnitude compared to the naive method,
and it is well-suited for computing very inexpensive approximations.

3.6 Bibliographic Notes

One of the earliest works on coverage analysis [75] is based on comparing a given system
with a tableau of the property. A tableau of a universal property φ satisfies the property and
subsumes all behaviors allowed by φ . A system is compared with the tableau of φ in order to
detect

• parts of the system that are irrelevant to satisfaction of φ ;

• behaviors of the system that are indistinguishable by φ ;

• behaviors that are allowed by φ but not by the system

implying that φ is incomplete or not sufficiently restrictive. This approach is too strict as a
property passes the criteria iff it is bisimilar to the system. The approach is restricted to ACTL
properties and its complexity is exponential in the property.
The coverage metric proposed by Hoskote et al. [70] is explained in detail in Section 2.6.
We give a brief summary here. According to this metric, for an observable signal q, a state s in
a system M is covered by a property φ if flipping the value of q at s causes φ to fail in M. They
describe an algorithm for computing states covered by ACTL formulas with no disjunctions
3.6. B IBLIOGRAPHIC N OTES 49

and propositional antecedents of implications. The algorithm requires linear time, just like
normal CTL model checking. The algorithm has been improved to support a larger subset of
CTL and increase its accuracy [73].
Extending the mutation proposed by Hoskote et al., flipping can be performed in different
ways. During the execution of the system, one can visit a state several times, each time in a
different context [31]. This gives rise to a distinction between flipping always, flipping once,
and flipping sometimes. The corresponding mutations and coverage metrics shall be explained
in detail in Chapter 6.
A straightforward way to measure coverage is to model check the property for each of
the mutant designs. Due to the sheer number of conceivable mutations, this approach is pro-
hibitively expensive even on medium-size designs. Most of the existing papers on coverage
analysis in model checking attempt to alleviate the complexity of computing coverage by
adding nondeterministic BDD variables for mutations, so that the symbolic encoding of the
design contains both the original and the mutant designs [32, 33, 35]. They exploit similarity
between mutant designs in enumerative model checking algorithms, so that only a (small) part
of the model checking process needs to be repeated for each mutant design [32, 35]. Reducing
the number of variables in the BDDs involved is discussed in [30].
It is also common to combine model checking and testing with the goal of increasing cov-
erage. Variants include symbolic searches from deep states obtained by simulation, and to use
coverage goals from testing as targets for the formal engine. These algorithms have found their
way into industrial practice [72]. Test case generation based on model checking is proposed
in [2]. Use of model checking and various analyses such as property coverage of test cases,
model-coverage of the property, and specification vacuity for test case generation is proposed
in [98, 59]. A game-based approach between the model and its test bench to create intelligent
test cases to cover corner case behaviors is proposed in [6].
Another direction of coverage computation is to check whether each output value is fully
determined by the property given a combination of input values. In [38], this check is per-
formed on a circuit that is synthesized from the property. In [65, 66], a similar check is per-
formed on the design using BMC tools. We note that this check is very different from mutation
coverage and neither one implies the other.
In [33, 34], a new notion of coverage called vacuity coverage is introduced. If the mutant
structure still satisfies the property and does so vacuously, the mutated part is vacuity covered.
Consider a property G(req → ack) and a model in which there is at least one state in which req
holds. If we flip the value of req in that state, the property is still satisfied, but, is now satisfied
vacuously indicating that req should hold at that state to avoid vacuous satisfaction.
There are various types of mutations that can be performed other than the ones mentioned
above. Some metrics have also been borrowed from the simulation community [33]. Given
a control flow graph G and a property φ satisfied by G, a statement of G is covered by φ if
omitting that statement from G causes vacuous satisfaction of φ in the new G. This is similar
to the code coverage metric from simulation. Following this idea, latch coverage and path
coverage are defined as follows. In latch coverage, a latch is covered if fixing the value of
the latch to its initial value causes the property to be satisfied vacuously. In path coverage,
the influence of omitting or mutating a finite path on satisfaction of a property in the design is
checked.
Different from state-based coverage, a transition traversal coverage of circuits for a subset
of CTL properties is proposed in [107, 108, 109]. The idea is to identify transitions that do
not play a role in satisfaction of a given property. Traditionally, model checking of circuits
involves translating a finite state machine of the circuit to a Kripke structure. Each transition
50 C HAPTER 3. C OVERAGE IN M ODEL C HECKING

in the finite state machine of the circuit corresponds to a state in the Kripke structure. In the
proposed transition coverage algorithm, a transition traversal of a Kripke structure to compute
coverage for a subset of CTL properties is defined. The traversal returns a set of states which
represents covered transitions in the finite state machine of the circuit.
In [47], a fault-based notion of coverage using realizability of LTL properties is proposed.
A stuck-at fault on an output or input is covered by a realizable property if and only if it
is impossible to create an implementation that realizes the property and also has the fault.
The complexity of such analysis is 2EXPTIME-complete. In order to make this practical, the
authors propose a limited coverage analysis based on LTL-satisfiability. The main difference
between realizability and satisfiability of LTL properties is that realizability checks distinguish
between inputs and outputs, whereas satisfiability checks make no such distinction. The key
idea is to constrain properties to enable them make such distinction.
A formal coverage estimation methodology for a set of properties of real time systems is
proposed in [81]. The approach is basically the same: a state-graph model is mutated and it is
checked if a given set of properties can distinguish the mutation. Six different mutation models
and corresponding coverage metrics are proposed.
In [106], a method to generate coverage monitors (models) automatically based on the static
analysis of a description in a Hardware Description Language (HDL) of a design under test is
proposed. The output of the method is a set of coverage groups in Vera describing the coverage
model. Each coverage group is a function of a set of signals in the design and is evaluated at
every clock cycle during simulation. Functional coverage is the fraction of coverage groups
that evaluate to true during simulation.
A fault simulation-based approach to coverage analysis is described in [5, 60, 57]. A
model checker is used to generate at least one witness to satisfaction of a property. Faults are
introduced in the model. The faults that are detectable by the witness are covered. In addition,
more valid traces of the model can be generated by using automatic test pattern generation
(ATPG). The approach is inherently incomplete.
In [48, 9, 8, 49], an altogether different notion of coverage called design intent coverage
is proposed. The idea is to compare two formal properties at different levels of abstraction
and find a set of properties that close the coverage gap between the two specifications. One
of the foreseen applications include computing coverage of system-level properties by RTL
properties of component modules.
 Vacuity in Model Checking
4
Given a model of system and a set of its formal properties, a model checker verifies the model
against properties. The model and the properties are formalizations of the specifications which
are susceptible to misinterpretations. Hence, the model and the property may deviate from the
intended behavior. If the model does not satisfy the property, it is clear that the model and
the property are not in agreement and at least one of them is not consistent with the expected
behavior. However, if the model checker returns a positive answer, it is not clear if the model
and the property adhere to the intended behavior. The model may satisfy the property due
to unintended trivial reasons. A trivial satisfaction suggests some unexpected, often undesir-
able properties of the system, e.g., the classic example of antecedent failure [13] discussed in
Chapter 1.
Intuitively, a property holds vacuously if it holds for unintended reasons. Several years
of industrial experience in model checking has shown that vacuity is a serious problem. To
quote some numbers, during formal verification of hardware designs at IBM [15], 20% of the
properties were found to be trivially satisfied. Consequently, numerous strategies have been
investigated to formalize vacuity and to develop techniques to detect it [15, 79, 95, 3, 99, 27].
All of these efforts have a commonality that the satisfaction of the formula is invariant under
certain modifications to the formula (formula vacuity [15]) or the model (trace and structure
vacuity [3]).
In this work, we exploit the observation that invariance of satisfaction under certain modifi-
cations to the formula provides hints to how the formula can be strengthened soundly, i.e. with-
out causing it to fail on the given design. Consider a model M and a property φ . As shown in
Figure 4.1(b), φ strengthened to φ stng results in M |= φ stng , rendering φ vacuous, whereas φ in
Figure 4.1(a) is non-vacuous. A satisfied formula that is stronger than the one supplied by the
user substantially increases the value of the model checking result, as it adds to the certified
knowledge about the design.
We present several algorithms that, given a model M and a formula φ satisfied by M, com-
pute sound strengthenings φ 0 stronger than φ and are obtained by mutating subformulas of φ .
In particular, this chapter introduces algorithms that compute

51
52 C HAPTER 4. VACUITY IN M ODEL C HECKING

φ φ

M φ stng
M
φ stng

(a) Non-Vacuous φ (b) Vacuous φ

Figure 4.1: Vacuity checking by property strengthening

• a sound as well as maximal strengthening,

• all sound and maximal strengthenings, and
• a sound and maximum strengthening1 .

The algorithms are mainly based on two orthogonal techniques:

1. a binary search through the lattice of the properties resulting from mutating various sub-
formulas of the original property and
2. extensive use of the information returned by the model checker, in order to reduce the
lattice size.

Illustrative Example of Vacuity Consider the Arithmetic Logic Unit (ALU) described in
Section 3.2.1. Consider an LTL property that checks if Y is equal to B if all the bits of the
opcode are zero, i.e.,
φ = G(((¬opcode[6] ∧ ¬opcode[5]) ∧
¬opcode[4] ∧ ¬opcode[3] ∧ ¬opcode[2] ∧ (4.1)
¬opcode[1] ∧ ¬opcode[0]) → Y = B).
The property is satisfied by the ALU. From all the 7 conjuncts in the antecedent of φ , only the
conjuncts ¬opcode[6] and ¬opcode[5] are enough to guarantee that Y = B. Hence, the
property
φstng = G((¬opcode[6] ∧ ¬opcode[5]) → Y = B)
is a sound strengthening of φ . A stronger property
φstng1 = G((¬opcode[6] ∧ ¬opcode[5] ∧ ¬opcode[4]) → Y = B)
is also satisfied by the ALU. However, φstng1 is weaker than φstng . The property φstng is the
sound and maximum strengthening of φ . The property φstng is obtained by modifications to φ ,
1 This chapter extends our work in [96]. Algorithms to compute a sound maximum strengthening and all sound

maximal strengthenings have been added. Also, the algorithm is now evaluated on a number of new benchmarks.
4.1. P RELIMINARIES 53

in particular, replacing ¬opcode[i] by true for 4 ≤ i ≤ 0. Hence, the property φ is vacuously

satisfied by M.
This chapter is organised as follows: The next section explains the notations used in this
chapter. Section 4.2 explains how to find a strengthening of a property that is useful in the
context of vacuity detection. Section 4.3 describes a naive search strategy to search through
the lattice of formulas and points out shortcomings of this strategy. A novel binary lattice
search algorithm is proposed in Section 4.4. Section 4.5 advocates use of counterexamples
to reduce the lattice size. Algorithms to find more than one maximal strengthening appear in
Section 4.6. We analyse the performance of the algorithms on a significant set of hardware
benchmarks, and the results of this performance analysis are presented in Section 4.7.

4.1 Preliminaries

Background In this chapter we focus on LTL properties, addressed in detail in Section 2.2.2.
We remind the reader that in the case of a failing LTL property, a model checker can provide a
finitely representable counterexample evidencing the failure. We assume every LTL formula to
be in negation normal form, where the Boolean negation operator ¬ occurs only immediately in
front of atomic propositions. For details on model checking, we refer the reader to Section 2.3.
We now review some basic concepts in lattice theory which will be used in vacuity detection
algorithms appearing in this chapter.

4.1.1 Lattice Theory

Consider a reflexive, transitive, and anti-symmetric binary relation v over a set L, i.e., a binary
relation that satisfies the following for all a, b, c in L:

• a v a (reflexivity),
• if a v b, b v c, then a v c (transitivity), and
• if a v b and b v a, then a = b.

This relation imposes a partial order on L. We call L a partially ordered set (poset) according
to v.

Definition 4.1.1 A partial order v is a reflexive, transitive and anti-symmetric binary relation
v over a set L. The set L is called a partially ordered set (poset) with order v.

For example, the set of subsets of a given set is ordered by inclusion ⊆. Consider the set
{a, b, c}. The set of all its subsets is {{}, {a}, {b}, {c}, {a, b}, {a, c}, {b, c}, {a, b, c}}. Fig-
ure 4.2 illustrates the corresponding poset.
Let B ⊆ L. An element u ∈ L is an upper bound of B if for every s ∈ B, s v u. Further, an
upper bound u of B is least if u v u0 for every upper bound u0 of B. In the poset in Figure 4.2,
an upper bound of {{a}, {b}} is {a, b} as {a} ⊂ {a, b} and {b} ⊂ {a, b}. The upper bound of
{a, b} is {a, b, c} which is also an upper bound of {{a}, {b}} by transitivity. Out of the two
upper bounds of {{a}, {b}}, {a, b} is the least upper bound as {a, b} is a subset of the other
upper bound {a, b, c}. Lower bound and greatest lower bound are defined analogously. In the
poset in Figure 4.2, the lower bound of {{a}, {b}} is {} which is also the greatest lower bound.
Based on the least upper bound and greatest lower bound, a lattice is defined as follows.
54 C HAPTER 4. VACUITY IN M ODEL C HECKING

{a, b, c}

{a, b} {a, c} {b, c}

{a} {b} {c}

{}

Figure 4.2: A poset of set of all subsets of {a, b, c}

{a, c}

{a} {c}

Figure 4.3: A poset that is not a lattice

Definition 4.1.2 A poset (L, v) is a lattice if any two elements of L have a unique least upper
bound and a unique greatest lower bound.

It follows from the above definition that every non-empty finite subset of a lattice has a least
upper bound and a greatest lower bound. The poset in Figure 4.2 is a lattice. Any subset of
this poset has a unique least upper bound and a unique greatest lower bound. The poset in
Figure 4.3 is not a lattice, as the set {{a}, {c}} has no unique greatest lower bound.

Definition 4.1.3 A complete lattice is a poset (L, v) such that every subset B of L has a least
upper bound and a greatest lower bound.

The difference between a (non-complete) lattice and a complete lattice is that for a complete
lattice, every subset must have a least upper bound and a greatest lower bound, while for a
(non-complete) lattice, only non-empty and finite subsets must have a greatest lower bound
and a least upper bound. Hence, all finite lattices are complete. For a better understanding,
we now give an example of a lattice that is not complete. Consider a poset of all integers
Z = {. . . , −2, −1, 0, 1, 2, . . .} ordered by ≤. This poset is infinite and is a lattice as every non-
empty finite subset has a greatest lower bound and a least upper bound. However, the set Z
itself has neither a greatest lower bound nor a least upper bound. Hence, this lattice is not a
complete lattice.
A chain is a subset of a poset such that every pair of elements in the subset is ordered
(comparable). In Figure 4.2, one of the chains is {{}, {a}, {a, b}, {a, b, c}}. An antichain is
a subset of a poset such that all elements of the subset are pairwise incomparable. One of
the anti-chains in the lattice in Figure 4.2 is {{a}, {b}, {c}}. The height of a lattice is the
cardinality of a longest chain in the lattice. The width of a lattice is the cardinality of a longest
antichain in the lattice. The height of the lattice in Figure 4.2 is 4 and its width is 3.
4.2. T HE Q UEST FOR S TRONGER F ORMULAS 55

Given a lattice (L, v) and an element u, the reflexive upward closure of u is the set UC(u) =
{e ∈ L : u v e}; note that u ∈ UC(u). For the element u = {a} in Figure 4.2,
UC(u) = {{a}, {a, b}, {a, c}, {a, b, c}}.
The reflexive downward closure DC of an element d is the set DC(d) = {e ∈ L : e v d}. For
the element u = {a} in Figure 4.2, DC(u) = {{a}, {}}. In the rest of this chapter, we omit the
word “reflexive” when we talk about reflexive downward closure and reflexive upward closure.
Note that downward closure (DC) and upward closure (UC) of an element include the element
itself.

Notation Throughout the chapter, we write C for the set of atomic subformula occurrences
under consideration for replacement in φ . Specifying such a candidate set, as opposed to always
considering all subformula occurrences in φ , is useful with very large formulas to reduce the
number of candidate replacements. We denote the power set of a set A by 2A , as common.
For a subformula occurrence ζ of a formula φ , we write φ [ζ ← ⊥] to mean the result of
replacing ζ in φ by true if ζ is immediately preceded by a negation (which implies that ζ is an
atomic proposition, since φ is in negation normal form), and by false otherwise. Simultaneous
replacements of disjoint subformulas are written as φ [ζ1 ← ⊥, . . . , ζn ← ⊥]. Given a set Y
of disjoint subformula occurrences, we write φY for the formula obtained by replacing the
occurrences in Y by ⊥. Thus, for Y = {y1 , . . . , yn }, we have φY = φ [y1 ← ⊥, . . . , yn ← ⊥]. In
particular, φ0/ = φ . Given a model M and a property φ satisfied by M, we call a strengthening
of φ sound if the strengthening is also satisfied by M.

4.2 The Quest for Stronger Formulas

In this section, we discuss how to obtain a sound strengthening of a given property. We start
with a definition of vacuity followed in most of the literature related to formula vacuity.

Definition 4.2.1 A passing formula φ is vacuous in M if there is a subformula in φ that can be

changed arbitrarily without affecting the satisfaction of φ in M.

In order to check if a property is vacuous, every subformula of the property needs to be re-
placed one by one by all possible formulas. The resulting formulas need to be verified against
the model. However, all the resulting formulas may not be useful in concluding vacuity. The
replacements may result in weaker, stronger, or incomparable formulas. A substitution that
weakens the formula is not useful, since a weaker formula will always pass, given that the
original formula does, and hence, provides no new information. A replacement that results in
an incomparable formula is not useful either as it gives no information about the discrepancy
between the original formula and the model. Instead, mutations that strengthen the original
formula, and moreover, do so in a meaningful way are useful as they likely establish stronger
facts about the system. Note that a formula can always be strengthened by conjoining it with
another, unrelated formula, e.g., strengthening AG p to AG p∧EF q. Such “orthogonal strength-
ening” does not contribute to the user’s understanding of vacuity. Vacuity detection can thus
be seen as the problem of checking whether a given formula can be strengthened to a related
one without causing it to fail.
When are formulas “related”? Kupferman and Vardi [79] present an efficient way to tighten
a formula by replacing a single occurrence of a subformula by ⊥ as shown in Lemma 2.5.3.
Kupferman and Vardi considered replacement of a single occurrence in a formula. Example 4.2
highlights the utility of this lemma.
56 C HAPTER 4. VACUITY IN M ODEL C HECKING

s1 s2 s1 s2
a,c b,c a,b c,d

(a) (b)

Figure 4.4: Example Models

Example Consider the property G(req → ack) and a model in which req is never asserted.
Replacing ack by false, the new property is G(¬req) which is satisfied by the model. Thus,
it suffices to replace ack by ⊥, resulting in the stronger formula G(¬req) still satisfied by the
model.

Only one sound strengthening of the original formula is possible in Example 4.2 and is also
enough to bring the absence of req to the verification engineer’s notice. In general, many sound
strengthenings may exist.

Example Consider a similar model in which req is never asserted and a new property G(req →
(ack1 ∨ ack2)). Replacing ack1 or ack2 by ⊥ results in two sound strengthenings G(req →
ack1) and G(req → ack2), respectively. Both are satisfied by the model. However, there exists
another sound strengthening G(¬req), obtained by replacing ack1 and ack2 simultaneously by
⊥. This strengthening is stronger than the previous strengthenings. This maximal strengthening
exposes the possible problem with req.

Extending Lemma 2.5.3 to replacement of multiple occurrences, we observe that the greater
the number of occurrences replaced by ⊥ in φ , the stronger is the resulting formula. The
following lemma formalizes the observation.

Lemma 4.2.2 Let φ be a formula and C be a set of literal occurrences in φ . For two subsets
W and Y of C such that W ⊆ Y , φY → φW is valid.

Proof We have φW = φ [∀x ∈ W : x ← ⊥]. Let Z = Y \W = {w1 , . . . wm }. Hence,

φY = φW [∀z ∈ Z : z ← ⊥].

Let ψ = φW [w1 ← ⊥]. From Lemma 2.5.3, ψ → φW . Replacing w2 ∈ Z in ψ,

ψ[w2 ← ⊥] → ψ → φW

is valid. Successively replacing each element of W in ψ, it holds that

φW [∀z ∈ Z : z ← ⊥] → φW .

Thus, φY → φW .

In many situations there are several sound and maximal strengthenings. Sometimes these
strengthenings differ in the number of subformulas replaced, and we may want to report the
most succinct of them – the maximum strengthening.
4.3. A L ATTICE OF F ORMULAS 57

Example Consider the model shown in Figure 4.4(a), and the passing formula G(a ∨ b ∨ c).
Two maximal strengthenings exist, namely G(a ∨ b) and G c. The shorter of the two, G c, is
characterized by a maximum number of subformula replacements.

If there is no unique maximum, we may be able to pinpoint vacuity by reporting all possible
maximal strengthenings.

Example Consider the model shown in Figure 4.4(b), and the passing formula G(a ∨ b ∨ c ∨ d).
Four maximal strengthenings exist, namely, G(a∨c), G(a∨d), G(b∨c), and G(b∨d). Pointing
out just one strengthening does not expose the redundancy in the original formula. Pointing
out all four strengthenings exposes the redundancy between a and b and redundancy between
c and d.

Given a model M, a property φ satisfied by M, and a set C of candidate subformula oc-

currences of φ , our overall goal, to soundly strengthen φ , is accomplished by computing the
following formulas:

1. a sound and maximal strengthening of φ : replace a maximal number of subformula

occurrences of φ specified in C such that M satisfies the resulting formula;
2. all sound and maximal strengthenings of φ as described above; and
3. a sound and maximum strengthening of φ : replace a maximum number of subformula
occurrences of φ specified in C such that M satisfies the resulting formula;

The following sections describe different algorithms of varying efficiency to compute the
sound strengthenings described above. The various replacements made in the formula φ result
in formulas which form a lattice. Our algorithms describe various strategies to search through
the formula lattice for the sound strengthenings described above.

4.3 A Lattice of Formulas

Consider an LTL formula φ and a set C of candidate subformula occurrences. The set {φZ : Z ⊆
C} of formulas obtained by replacing, in φ , certain occurrences in C by ⊥ forms a complete
lattice, with the partial order relation given by φY v φX iff Y ⊆ X. Let this formula lattice be
denoted by L.

Properties of the formula lattice The top and bottom elements of L are φC (all occurrences
in C replaced by ⊥) and φ0/ = φ (no occurrences in C replaced by ⊥), respectively.
Given
n
n := |C|, the height of the lattice is n + 1; its width is the binomial coefficient dn/2e . The
upward closure of an element φY of L is {φX ∈ L : X ⊇ Y }. Figure 4.5 shows as an example,
the lattice for the formula FGa ∨ Xb ∨ GF(b ∨ c), with C = {a, b, b ∨ c}.
Lemma 4.2.2 highlights the significance of this lattice for the purpose of strengthening for-
mulas. The top element of L is the strongest formula that can be obtained from φ by replacing
subformula occurrences from C by ⊥. The bottom element is the original formula φ .
We now introduce some lattice terminology that will be used in the next sections. The level
of a formula φY in the lattice is |Y | which is the number of literal occurrences in φ that are
replaced by ⊥. A set of elements with the same level are said to form a neighborhood. Every
neighborhood forms an antichain (but not vice versa). The upward (downward) weight of a
58 C HAPTER 4. VACUITY IN M ODEL C HECKING

3: false

2: FG a Xb GF(b ∨ c)

1: FG a ∨ X b FG a ∨ GF(b ∨ c) X b ∨ GF(b ∨ c)

0: FG a ∨ X b ∨ GF(b ∨ c)

Figure 4.5: Lattice for φ = FG a ∨ X b ∨ GF(b ∨ c) with C = {a, b, b ∨ c}; the element b of C
refers to the occurrence of the atomic proposition b in X b. The lattice level is indicated at the
left.

neighborhood is the number of elements in the lattice L with higher (lower) levels. The upward
(downward) weight of an element is the size of its upward (downward) closure. The absolute
value of the difference between upward and downward weight (of a neighborhood or an ele-
ment) is called weight imbalance. A neighborhood (element) with minimum weight imbalance
among all neighborhoods (elements) is said to be a balanced neighborhood (element).
The overall goal, to soundly strengthen a satisfied formula φ , is accomplished by searching
the formula lattice L for the following elements:

1. a sound and maximal strengthening of φ : an element φA such that M |= φA , and there is

no element φZ such that M |= φZ and Z ) A;

2. all sound and maximal strengthenings of φ ; and

3. a sound and maximum strengthening of φ : an element φU such that M |= φU , and there

is no element φZ such that M |= φZ and |Z| > |U|.

4.3.1 A Naive Exhaustive Lattice Search Strategy

A first approach towards finding φA might be to start from the top of the lattice and verify each
element φY against M. If M |= φY , we have found a strongest solution to the equation M |= φ .
If M 6|= φY , we continue the search with formulas at the same or lower levels. We call this
basic approach the exhaustive search through the lattice. This approach returns a solution with
a maximum (not just maximal) set of literal occurrences replaced by ⊥. That is, the solution
is strongest — no satisfying formula is closer to the top of the lattice. On the other hand, this
technique appears unnecessarily wasteful: the levels of the lattice are totally ordered and can
thus be traversed more quickly in a binary fashion. The next section explains our binary search
strategy.
4.4. B INARY S EARCH THROUGH THE L ATTICE 59

4.4 Binary Search through the Lattice

A formula near the top of L is “likely” to be violated since it is much stronger than the original
formula. A formula near the bottom of L is more likely to be satisfied, but may not be a
strongest element satisfying M. Lacking additional information, it seems reasonable to start
the search for maximally strengthened formulas near the “middle” of the lattice.
More formally, we propose a binary search algorithm that selects a balanced neighborhood
g and a balanced element φY within g. If M satisfies φY , there is a solution in the upward closure
of φY . In this case, the algorithm operates recursively on this closure. If M does not satisfy
φY , it makes no sense to look in the upward closure of φY , as all those formulas are too strong
to hold on M. Our binary strategy deletes the elements in the upward closure, so that they are
not considered next time when looking for a balanced neighborhood in the lattice. Once the
number of elements in the lattice is 1, the algorithm returns the unique element as a solution.
This procedure is summarized in Algorithm 4.1. Note that, as a result of deleting elements,
the lattice usually degenerates to a partial order. To simplify the presentation, however, we still
speak of a “lattice”, which then means the set of remaining elements of the original lattice.

Algorithm 4.1 B INARY-L ATTICE -S EARCH(M, L)

Input: Model M with M |= φ , formula lattice L
Output: a strongest lattice element satisfied by M
while true do
if |L| = 1 then
return the unique element of the lattice
select a balanced neighborhood g ∈ L, and a balanced element φY of g
if M |= φY then
return B INARY-L ATTICE -S EARCH(M, UC(φY ))
else
delete all elements in UC(φY ) (9)

The mathematical justification for the recursive call and the pruning step in Algorithm 4.1 is
given by the following lemma, in which “maximal strengthening” is abbreviated by “max.str.”.

Lemma 4.4.1 The following propositions hold over the formula lattice L.

∀α ∈ L : M |= α → ∃ max.str. φA : φA ∈ UC(α) .
∀α ∈ L : M |6 = α → ∀β ∈ UC(α) : M 6|= β .

Given α such that M |= α, the lemma allows us to restrict attention to α’s upward closure
in the quest for a maximal strengthening φA , which can reduce the set of candidate solutions
drastically. Analogously, given α such that M 6|= α, the upward closure of α can be discarded
in the future search through the lattice.
The exhaustive lattice search, and the binary search strategy offered by Algorithm 4.1, both
exploit only the “yes/no” part of the model checking result. They ignore the counterexample
returned by the LTL model checker in case of failure. As the algorithms verify the given model
M against formulas other than the one specified by the user, reporting a counterexample to the
user is not useful. The counterexample can, however, be leveraged to further reduce the search
space, as we describe in the next section.
60 C HAPTER 4. VACUITY IN M ODEL C HECKING

Original
Model
Conservative
Abstraction

Abstract
Model
Refine
Model
Checking
No
Yes CEX Yes No
"Error!" real? Error? "OK"

Figure 4.6: Flow diagram of model checking with CEGAR

4.5 Counterexample-Guided Property Strengthening

Counterexample-guided property strengthening is inspired by counterexample-guided abstrac-

tion refinement (CEGAR) in model checking. We briefly explain CEGAR-based model check-
ing. Figure 4.6 sketches the idea. After building an initial (and coarse) conservative abstraction
of the original model M, the abstraction is checked against the given LTL formula φ . If no er-
ror is found, one can conclude that M has no error either. Otherwise, the procedure obtains
a counterexample (denoted CEX) that witnesses the failure of φ . Due to the abstraction, the
counterexample may or may not be a valid execution in the original model M. If it is, the
counterexample is a real error in M; the procedure terminates. If it is not, the abstraction must
be refined to eliminate this spurious counterexample. The cycle then continues with another
model checking run using the new abstraction.
A similar strategy can be adopted to utilize counterexamples when a lattice element is not
satisfied by the given model. According to the universal path semantics of LTL, in order for
structure M to satisfy a formula, every path permitted by M must satisfy the formula. As a
consequence, a counterexample path π obtained when model-checking M against some lattice
element φY allows us to rule out not only φY , but any formula in the lattice that is not satisfied
along π.

Observation 1 Consider a formula that is not satisfied by M and thus permits a counterexam-
ple path π. Any lattice element not satisfied by π can be discarded.

A corresponding strategy is sketched in Figure 4.2. When a strengthened formula fails on M,

let π be a counterexample. The formula is weakened so that π satisfies the new formula. This is
continued until the new formula is satisfied by M. Figure 4.5 illustrates the idea. The property
β is an unsound strengthening of φ and hence, there is a path π1 in M that violates β . The
property β is weakened so that π1 satisfies the resulting property. Let γ be the new property.
However, if γ is not sound, M 6|= γ resulting in another counterexample π2 . The property γ is
further weakened to α such that π2 as well as M satisfy α. Hence, α is a sound strengthening
of φ .
Testing whether a (counterexample) path satisfies a formula can be performed very effi-
ciently using a specialized path checker, with a complexity that is worst-case linear, rather than
4.5. C OUNTEREXAMPLE -G UIDED P ROPERTY S TRENGTHENING 61

Algorithm 4.2 PROPERTY-CEGAR(M, φ )

Input: Model M, Formula φ such that M |= φ
Output: Stronger formula φ strong
1: φ strong = S TRENGTHEN(φ )
2: while M 6|= φ strong do
3: Let π = CEX (M, φ strong )
4: φ strong = W EAKEN(φ strong , π)
5: return φ strong

exponential, in the size of the formula. The counterexample test can thus help quickly weed
out many failing candidates from the formula lattice.

φ
α
M
γ
β

Figure 4.7: CEGAR in action when M |= φ

Scheduling Counterexample Tests If some formula φ in the lattice is ruled out as a candi-
date because it is violated along some path, we can in fact discard the entire upward closure
of φ . Therefore, the lower the formula in the lattice to be tested against a given counterexam-
ple path, the more lattice elements can potentially be discarded. This suggests scheduling the
counterexample tests in a bottom-to-top fashion.
On the other hand, formulas near the bottom of the lattice are weak and hard to refute. If the
check of path π against a weak formula φ succeeds, i.e., π |= φ , nothing can be concluded, and
time has been wasted. To counter these antagonistic effects, we again propose a binary-search
strategy to perform the counterexample tests (Algorithm 4.3). Procedure B INARY-E LIMINATE
repeatedly selects balanced lattice elements φY and discards their reflexive (!) upward closure
until one is encountered that is satisfied by path π. Terminating the elimination procedure at this
point is a design decision that we found to work well.2 Procedure B INARY-E LIMINATE can be
used with both lattice traversal schemes presented in Section 4.3 and Section 4.4. Specifically,
line (9) in Algorithm 4.1 can simply be replaced by a call to B INARY-E LIMINATE.

Computing a Balanced Neighborhood and a Balanced Element If M 6|= φY , the algorithm

eliminates the upward closure of φY and uses the counterexample to eliminate further elements.
2 An option is to continue eliminating lattice elements in the upward closure of a φY with π |= φY .
62 C HAPTER 4. VACUITY IN M ODEL C HECKING

Algorithm 4.3 Eliminating lattice elements based on counterexamples

B INARY-E LIMINATE(φY )
Input: lattice element φY such that M 6|= φY
Effect: rule out lattice elements based on a counterexample for φY
let π be a witness for M 6|= φY
repeat
delete all elements in UC(φY )
select a balanced neighborhood g ∈ L
let φY be a balanced element of g
until π |= φY

When an element in the lattice is deleted, the weight imbalance of all neighborhoods has to be
recalculated. This requires tracking the upward weight and downward weight of each neigh-
borhood. The weights are updated for all neighborhoods each time an element in the lattice is
deleted.

4.5.1 Examples With and Without Counterexample Test

We illustrate both lattice search strategies (exhaustive and binary), with and without elimina-
tion based on counterexamples. Consider again the Kripke structure K in Figure 2.1 and the
property FG a ∨ X b ∨ GF(b ∨ c). A formula lattice for the property with C = {a, b, b ∨ c} is
given in Figure 4.5.

Exhaustive lattice search ignoring counterexamples The algorithm refutes false, FG a,

X b, GF(b ∨ c), and FG a ∨ X b. The next candidate, i.e., FG a ∨ GF(b ∨ c) is the solution.
Observe that the solution does not contain the redundant subformula X b, indicating vacuity.

Exhaustive lattice search exploiting counterexamples When the top-most element false
is refuted, let the counterexample π1 to it be (s1 )w . The counterexample test utilizes π1 to
discard more elements. Assume that the algorithm chooses the formula ψ1 = FG a ∨ X b as a
balanced element from the balanced level 1. The element ψ1 is satisfied by π1 , aborting the
counterexample test.
Let the next highest element selected be FG a and the counterexample π2 to it be (s1 s4 )w .
The balanced element ψ1 is violated along π2 . The algorithm deletes UC(ψ1 ). The current
state of the lattice is shown in Figure 4.8. A balanced element in the balanced level 1 is
ψ2 = FG a ∨ GF(b ∨ c). Since the path π2 satisfies ψ2 , the counterexample test is aborted.
The algorithm now selects GF(b ∨ c) for which the counterexample π3 is (s1 )w . The bal-
anced level is still the same. Let the balanced element selected be ψ2 . The element ψ2 is
satisfied along π3 , aborting the counterexample test. The next highest element in the lattice is
ψ2 , which is also the solution. Observe that the number of model checking calls against K is
reduced from six to four with the counterexample test.

Binary lattice search ignoring counterexamples Initially, level 1 and level 2 in the lattice
are balanced. The algorithm selects, say, the level 2. Assume further that the algorithm chooses
the formula FG a as the balanced element. Since K 6|= FG a, the upward closure of FG a is
deleted. The balanced level shifts to level 1, towards the solution.
4.5. C OUNTEREXAMPLE -G UIDED P ROPERTY S TRENGTHENING 63

3:

2: GF(b ∨ c)

1: FG a ∨ GF(b ∨ c) X b ∨ GF(b ∨ c)

0: FG a ∨ X b ∨ GF(b ∨ c)

Figure 4.8: Lattice state after deleting elements of UC(FG a ∨ X b)

2: GF(b ∨ c)

1: FG a ∨ GF(b ∨ c)

Figure 4.9: State of the lattice in Figure 4.8 after retaining UC(FG a ∨ GF(b ∨ c)). Levels 0 and
3 are empty and omitted.

The balanced elements in this level are ψ1 = FG a ∨ X b and ψ2 = FG a ∨ GF(b ∨ c). Let
the algorithm select ψ2 . Since K |= ψ2 , the algorithm now operates on the UC(ψ2 ). The
algorithm selects GF(b ∨ c), which fails in K. Only one element is left in the lattice, namely
FG a ∨ GF(b ∨ c). This formula is also the solution. The binary search requires three calls to
the model checker in total.

Binary lattice search exploiting counterexamples Since K 6|= FG a, the counterexample

to it can be exploited. Let the counterexample π1 be (s1 s4 )w . The current balanced level in
the lattice is 1. Assume that the algorithm selects the element ψ2 = FG a ∨ X b. Formula
ψ2 is violated by π1 . The algorithm deletes UC(ψ2 ). Figure 4.8 illustrates the state of the
lattice. The balanced level continues to be 1. The algorithm selects ψ3 = FG a ∨ GF(b ∨ c) as
a balanced element. Formula ψ3 is satisfied by path π1 , aborting the counterexample test. In
the reduced lattice, ψ3 is still a balanced element. Since K |= ψ3 , the algorithm operates on
UC(ψ3 ). Figure 4.9 illustrates the state of the lattice. Let the balanced element selected be
GF(b ∨ c). This element is not satisfied by K. Thus, the remaining lattice contains only one
element, FG a ∨ GF(b ∨ c), which is the solution. This procedure needs three calls to the model
checker.

4.5.2 Complexity Analysis

We analyze the worst-case and best-case scenarios for the time complexity of our algorithms.
The run time is dominated by the number of model checking runs against M.
The worst-case occurs, for both search techniques, when the property is not vacuous and
no counterexample test eliminates any lattice element. In this case, for the exhaustive search,
64 C HAPTER 4. VACUITY IN M ODEL C HECKING

the number of runs against M is about equal to the size of the lattice. For the binary search, this
log n n
n

number is about equal to ∑i=1 n/2 i , which can be bounded from above by log n · n/2 . This
number is only a small factor larger than the width of the lattice.
The best case for the exhaustive search technique occurs when the top-most formula in
the lattice is satisfied by M, requiring only one model checking run. (Note that the top-most
formula in the lattice is not necessarily false, namely when C does not include all occurrences in
the formulas.) For the binary search algorithm, the best case occurs when none of the elements
to be verified against M fail. The algorithm is recursively called on ever smaller sublattices
with the height halved in each iteration. The algorithm performs about log n model checking
runs against M.
On average, some schedule of failing and satisfying model checking runs will occur. We
can estimate in this case the number of candidate formulas in the lattice that get eliminated.
In the failing case, this number is 2k , for a formula at level k of the lattice, i.e., with k of the
occurrences present: 2k is roughly the size of the upward closure of the lattice element, which
gets eliminated. In the satisfying case, the elimination count is roughly m − 2k , for the current
cardinality m of the lattice, since the upward closure is retained, rather than eliminated.
These estimates ignore the (inexpensive) counterexample tests, whose purpose is to ac-
celerate convergence of the algorithms. The success rate of the tests is hard to predict; in
Section 4.7, we present empirical results to quantify their benefit.

4.6 Computing More Strengthenings

Example 4.2 and Example 4.2 point out that computing one arbitrary maximal strengthening
is not always sufficient to understand the cause of vacuity. In these examples, a maximum
strengthening or all maximal strengthenings, respectively, have been shown to help in precisely
pinpointing vacuity. In this section, we propose algorithms to compute such strengthenings.

4.6.1 Computing All Maximal Strengthenings

Algorithm 4.1 presented in Section 4.4 computes a maximal set of literal occurrences that can
be replaced by ⊥ without compromising satisfaction. We extend this algorithm to compute the
“strengthening frontier” of all maximally strengthened elements in the formula lattice. The al-
gorithm repeatedly calls B INARY-L ATTICE -S EARCH and reports the solution found. A useful
post-condition satisfied by B INARY-L ATTICE -S EARCH is that the upward closure of the solu-
tion φmax has been deleted. Algorithm 4.4 now also deletes the downward closure of φmax , to
prevent any formula that is implied by, or implies, φmax from being examined. The algorithm
terminates when the formula lattice is empty.

Algorithm 4.4 Compute all maximally strong formulas satisfied by M

FRONTIER (M, L)
Input: Model M with M |= φ , formula lattice L
Output: all maximally strong lattice elements satisfied by M
while |L| ≥ 1 do
φmax = BINARY- LATTICE - SEARCH(M, L)
print φmax
delete DC(φmax )
4.7. E XPERIMENTS 65

4.6.2 Computing a Maximum Strengthening

Instead of computing one or all maximally strong elements, we can instead compute a strongest
satisfied formula, i.e. the most succinct and strongest formula in L satisfied by M. One strategy
to compute a maximum strengthening is to compute all maximal strengthenings and select a
strengthening that has a maximum number of occurrences replaced by ⊥. There is, however, a
better strategy. When a balanced lattice element φY is satisfied by M, all the lattice element in
levels below |Y | can be discarded, reducing the size of the lattice by half.
Algorithm 4.5 illustrates our strategy. It is a modification of Algorithm 4.1. When a bal-
anced lattice element φY is satisfied by M, either φY is the solution or the solution lies in the
levels > |Y |. Thus, instead of focusing on UC(φY ) as B INARY-L ATTICE -S EARCH does, the
algorithm deletes all elements in the levels below |Y |. As usual, when M 6|= φY , UC(φY ) is
deleted, and the counterexample is exploited to eliminate more lattice elements. The algorithm
searches the rest of the lattice for a solution.

Algorithm 4.5 Maximum Property Strengthening Using Binary Search

B INARY-L ATTICE -S EARCH -M AX(M, L)
Input: Model M with M |= φ , formula lattice L
Output: a strongest lattice element satisfied by M
while true do
if |L| = 1 then
return the unique element of the lattice
select a balanced neighborhood g ∈ L, and a balanced element φY of g
if M |= φY then
delete all elements except φY in levels ≤ |Y |
else
B INARY-E LIMINATE(φY )

4.7 Experiments

We have implemented the proposed algorithms in a tool called A ARDVARK.3 In this section,
we present experimental results for the algorithms, both with and without the counterexample
test, using the model checker VIS [19] as a back-end. For computing a balanced element
during the binary search through a lattice, we only compute the weight imbalance roughly as
precisely computing UC and DC of each element in the balanced level is expensive. The weight
imbalance of every individual element is estimated on the fly using the difference between the
number of incoming and outgoing edges as a rough indication of the imbalance. We use a
significant subset of the Verilog circuit benchmarks released with VIS. The candidate set C
always contains all literal occurrences in a formula. Since the counterexample path is always
representable in the form of a finite lasso whose size parameters are known, we can use a
bounded model checker [18], available with the VIS tool set, to perform the counterexample
test.
Table 4.1 presents information about the properties used with our benchmarks. The table
is sorted by the latch count of the designs, which is a rough indicator of the hardness of the
benchmarks. The same order is maintained while reporting the results of the proposed algo-
3 A ARDVARK can be downloaded from http://www.cprover.org/aardvark/.
66 C HAPTER 4. VACUITY IN M ODEL C HECKING

Number Benchmark #subf #prop/vacuous #str. level

max:avg:min max:avg:min
1 FIFOs 1:1:1 1/0 –
2 Blackjack 3:3:3 1/0 –
3 Smult 3:3:3 1/0 –
4 Silver-pcu 8:3:2 15/15 4:0:1
5 Matrix 12:12:12 1/0 –
6 Ethernet 5:3:2 6/4 1:0:0
7 NeedhamNS2 6:3:1 9/0 –
8 NullModemLTL1 2:2:2 1/1 2:0:2
9 NeedhamNS1 6:3:1 7/0 –
10 DAIO 10:4:1 3/0 –
11 ProdCellLTL2 3:2:2 38/38 3:0:2
12 GcdLTL2 2:2:2 2/2 2:0:2
13 s1269 5:3:1 9/0 –
14 GoodBakery 2:2:2 9/6 1:0:0
15 Nim 3:2:2 3/0 –
16 Sampleq 13:13:13 1/1 13:0:13
17 Vlunc 12:8:4 2/0 –
18 Coherence 6:4:2 8/3 4:0:0
19 HourGlass 2:2:2 2/0 –
20 Heap 8:3:1 15/5 3:0:0
21 Eisenberg 2:1:1 10/6 1:0:0
22 Silver-mau 13:6:4 10/8 12:0:0
23 TicTacToe 10:3:2 29/1 4:0:0
24 Cups 12:7:4 3/2 3:0:0
25 Rcnum16 15:15:15 1/0 –
26 Chameleon 6:6:6 4/0 –

Table 4.1: Property Characteristics

4.7. E XPERIMENTS 67

Binary Exhaustive
Ex #Lc Lt(sec) Tt(sec) #Lc Lt(sec) Tt(sec)
FIFOs 2 73 73 2 74 74
Blackjack 5 11578 11578 8 18424 18424
Smult 5 28 28 8 29 29
Silver-pcu 66 9 9 228 33 33
Matrix 535 754 771 4096 5772 5840
Ethernet 42 21 21 92 34 34
NeedhamNS2 69 44 44 186 110 110
NullModemLTL1 2 132 132 1 58 58
NeedhamNS1 52 31 31 146 81 81
DAIO 174 87 89 1030 258 262
ProdCellLTL2 76 29 29 38 14 14
GcdLTL2 4 2367 2367 2 2360 2360
s1269 71 832 832 170 953 953
GoodBakery 27 32 32 24 27 27
Nim 11 3 3 16 4 4
Sampleq 4 0 7 1 0 3
Vlunc 542 52 70 4112 403 471
Coherence 62 11 11 142 25 25
HourGlass 6 1880 1880 8 1878 1878
Heap 150 27 27 635 111 112
Eisenberg 29 156 156 26 108 108
Silver-mau 85 6 17 183 11 15
TicTacToe 299 236 238 1565 1258 1262
Cups 466 71 87 4059 649 714
Rcnum16 3194 538 1436 32768 5689 11139
Chameleon 76 5 6 256 19 19

Table 4.2: Performance Comparison of B INARY-L ATTICE -S EARCH and Exhaustive Lattice
Search without B INARY-E LIMINATE. For each example, the total time taken by a method is
shown in bold if the method takes significantly less time compared to the other.
68 C HAPTER 4. VACUITY IN M ODEL C HECKING

Ex #Lc #Cc(%Sc) Lt(sec) Ct(sec) Tt(sec)

FIFOs 2 0(0) 73 0 73
Blackjack 8 6(0) 18414 0 18415
Smult 7 3(33) 29 0 29
Silver-pcu 217 14(42) 31 0 34
Matrix 3042 423(93) 4300 43 4508
Ethernet 92 0(0) 34 0 35
NeedhamNS2 138 56(37) 81 2 85
NullModemLTL1 1 0(0) 58 0 58
NeedhamNS1 111 44(34) 63 1 66
DAIO 64 168(100) 11 94 109
ProdCellLTL2 38 0(0) 14 0 14
GcdLTL2 2 0(0) 2370 0 2370
s1269 100 60(55) 852 10 864
GoodBakery 24 12(0) 27 11 39
Nim 11 8(37) 2 0 3
Sampleq 1 0(0) 0 0 3
Vlunc 2867 476(67) 286 53 487
Coherence 84 65(33) 14 4 19
HourGlass 7 2(50) 949 742 1692
Heap 238 315(38) 40 14 59
Eisenberg 26 12(0) 105 13 119
Silver-mau 183 0(0) 13 0 19
TicTacToe 926 1003(14) 753 86 862
Cups 1443 1873(23) 227 219 519
Rcnum16 32768 0(0) 7720 6 19269
Chameleon 67 101(61) 5 5 11

Table 4.3: Performance of Exhaustive Lattice Search with B INARY-E LIMINATE

4.7. E XPERIMENTS 69

Ex #Lc #Cc(%Sc) Lt(sec) Ct(sec) Tt(sec)

FIFOs 2 0(0) 73 0 73
Blackjack 5 3(0) 11573 0 11573
Smult 4 3(33) 28 0 28
Silver-pcu 64 11(18) 9 0 10
Matrix 218 341(92) 307 21 352
Ethernet 42 0(0) 21 0 22
NeedhamNS2 60 34(26) 38 1 40
NullModemLTL1 2 0(0) 132 0 132
NeedhamNS1 45 27(25) 27 1 28
DAIO 7 167(100) 3 93 100
ProdCellLTL2 76 0(0) 29 0 29
GcdLTL2 4 0(0) 2364 0 2364
s1269 44 46(58) 799 9 810
GoodBakery 27 9(0) 33 9 43
Nim 9 5(40) 2 0 2
Sampleq 4 0(0) 0 0 7
Vlunc 158 452(84) 15 31 71
Coherence 52 43(23) 9 3 13
HourGlass 5 2(50) 951 742 1694
Heap 77 120(60) 13 6 22
Eisenberg 29 9(0) 156 10 167
Silver-mau 85 1(0) 6 0 19
TicTacToe 188 236(47) 149 17 172
Cups 121 460(75) 18 52 92
Rcnum16 3194 0(0) 553 0 1822
Chameleon 40 68(52) 3 3 7

Table 4.4: Performance of B INARY-L ATTICE -S EARCH with B INARY-E LIMINATE

70 C HAPTER 4. VACUITY IN M ODEL C HECKING

Ex #Lc #Cc(%Sc) Lt(sec) Ct(sec) Tt(sec)

FIFOs 2 0(0) 73 0 73
Blackjack 5 3(0) 11562 0 11562
Smult 4 3(33) 28 0 28
Silver-pcu@ 135 23(56) 19 1 22
Matrix 218 341(92) 307 21 356
Ethernet 50 0(0) 26 0 27
NeedhamNS2 60 34(26) 38 1 40
NullModemLTL1 2 0(0) 132 0 132
NeedhamNS1 45 27(25) 27 1 28
DAIO 7 167(100) 3 95 102
ProdCellLTL2 76 0(0) 29 0 29
GcdLTL2 4 0(0) 2362 0 2362
s1269 44 46(58) 800 9 810
GoodBakery 33 9(0) 39 9 49
Nim 9 5(40) 2 0 2
Sampleq 4 0(0) 0 0 17
Vlunc 158 452(84) 15 31 74
Coherence 62 55(27) 11 4 16
HourGlass 5 2(50) 951 742 1694
Heap 102 191(64) 18 13 34
Eisenberg 35 9(0) 171 10 182
Silver-mau 660 93(98) 57 8 211
TicTacToe@ 312 372(34) 249 30 291
Cups@ 203 583(66) 31 69 134
Rcnum16 3194 0(0) 553 0 1860
Chameleon 40 68(52) 3 3 7

Table 4.5: Performance of FRONTIER

4.7. E XPERIMENTS 71

Ex #Lc #Cc(%Sc) Lt(sec) Ct(sec) Tt(sec)

FIFOs 2 0(0) 73 0 73
Blackjack 5 3(0) 11573 0 11573
Smult 4 3(33) 28 0 28
Silver-pcu∗ 121 12(16) 17 0 19
Matrix 218 341(92) 307 21 352
Ethernet 42 0(0) 19 0 19
NeedhamNS2 60 34(26) 38 1 40
NullModemLTL1 2 0(0) 132 0 132
NeedhamNS1 45 27(25) 27 1 28
DAIO 7 167(100) 3 93 100
ProdCellLTL2 76 0(0) 29 0 29
GcdLTL2 4 0(0) 2363 0 2363
s1269 44 46(58) 799 9 810
GoodBakery 27 9(0) 33 9 43
Nim 9 5(40) 2 0 2
Sampleq∗ 6 0(0) 0 0 10
Vlunc 158 452(84) 15 31 71
Coherence 52 51(29) 9 3 14
HourGlass 5 2(50) 951 742 1694
Heap 70 177(72) 12 10 25
Eisenberg 29 9(0) 156 10 167
Silver-mau∗ 136 11(81) 11 0 35
TicTacToe∗ 244 336(37) 196 26 230
Cups∗ 156 535(71) 24 60 108
Rcnum16 3194 0(0) 553 0 1822
Chameleon 40 68(52) 3 3 7

Table 4.6: Performance of B INARY-L ATTICE -S EARCH -M AX

72 C HAPTER 4. VACUITY IN M ODEL C HECKING

rithms. The first column contains the name of the benchmark. The second column presents
maximum, average, and minimum number of subformulas in the properties for that bench-
mark. The third column lists the total number of passing properties that were tested, and the
number of properties reported to be vacuous. The last column reports, if vacuity was found,
the highest, average, and lowest level in the lattice at which a solution was found, indicating
how many literal occurrences were replaced by ⊥ without sacrificing satisfaction.
We found that about 45% of the 216 properties checked contain vacuity. About half of the
properties could be strengthened. These strengthened specifications either point to a potential
bug in the system or give a better specification. The high number of vacuous passes attests the
importance of vacuity detection.
First, we present our experimental results of finding a maximal strengthening using binary
and exhaustive lattice search techniques with and without the counterexample test. Table 4.2
illustrates the performance of exhaustive and binary lattice search techniques without the coun-
terexample test. The CPU times were measured on a 3 GHz Intel Xeon with 16 GB of RAM
running Linux. We use the optimized BDD variable orderings that ship with the benchmarks.
In Table 4.2, #Lc is the number of lattice elements checked against the complete design, i.e.,
calls to the LTL model checker, Lt is the time taken for these calls, and Tt is the total time. The
binary search dramatically outperforms the exhaustive search.
Table 4.3 and Table 4.4 illustrate the effect of counterexample checks on the exhaustive
and binary lattice search techniques. These tables contain additional columns corresponding
to the counterexample test. The number of times the counterexample test was performed is
given in column #Cc. The number of counterexample tests that were successful, i.e., resulted
in eliminating a lattice element, are listed as #Sc. The column Ct lists the time spent on the
counterexample checks. Both tables indicate that the number of successful counterexample
tests is significant. For the exhaustive and binary search techniques, on average about one-
third of the counterexample tests are successful. This causes a reduction in the number of LTL
model checking runs, resulting in improved performance.
Adding the counterexample test to the proposed search techniques has significant benefits
for the examples with a large candidate set C. The counterexample test is effective and inex-
pensive for these benchmarks. The larger the set C, the larger is the lattice and, hence, the
greater are the relative time savings due to a reduced number of LTL model checking calls. On
such benchmarks, an average of 25% time is saved.
Various details about the performance of FRONTIER and B INARY-L ATTICE -S EARCH -M AX
are provided in Table 4.5 and Table 4.6, respectively. On the non-vacuous benchmarks (Ta-
ble 4.1), the performance of the algorithms FRONTIER and B INARY-L ATTICE -S EARCH -M AX
is identical to the performance of B INARY-L ATTICE -S EARCH. In most of the vacuous bench-
marks, the solutions lie in the bottom-half of the lattice. This indicates that a large part the
lattice of formulas is violated by the design. Hence, for these benchmarks, the counterexample
test discards the rest of the lattice. The average overhead of FRONTIER for benchmarks exhibit-
ing vacuity is only about 40%. For B INARY-L ATTICE -S EARCH -M AX, the examples marked
* call LTL model checking more often than B INARY-L ATTICE -S EARCH, incurring some over-
head. When a lattice element is satisfied by a design, focus is shifted to the upper closure
in case of B INARY-L ATTICE -S EARCH, whereas B INARY-L ATTICE -S EARCH -M AX eliminates
all lower levels. In the former case, the number of elements in the lattice is much smaller than
the number of elements in the remaining lattice in B INARY-L ATTICE -S EARCH -M AX.
The examples marked @ in Table 4.5 contain properties for which more than one maximal
strengthening exist. For all but one of these benchmarks, the solutions lie at the same level in
the lattice. For TicTacToe, 4 strengthenings exist for one of the properties: one solution lies at
4.8. C ONCLUSION 73

level 4, and the remaining lie at level 3.

4.8 Conclusion

Vacuity in temporal logic model checking refers to the possibility of a mismatch between the
formula being verified and the property intended to hold on the system under verification.
From a pragmatic point of view, vacuity may indicate an inadequacy of a specification, or may
in fact point to a design flaw. The danger of overlooking such flaws due to vacuous satisfaction
is widely acknowledged as an impediment to the effective use of model checking in industry
today, rather than just a theoretical phenomenon: in our experiments with a large set of circuit
benchmarks, we have observed nearly half of the properties to hold vacuously on the given
design. Vacuity therefore needs to be reported to the user.
In this chapter, we have provided an algorithmic way of exposing vacuity in the form of a
strengthened and shortened formula. We have proposed algorithms to find one or all maximally
strengthened satisfying formulas, and algorithms to find a maximum strengthening. Our algo-
rithms rest on two principles: 1) we define a lattice of candidate formulas and devise a binary
search strategy on this lattice, and 2) we make use of refutations for failed model checking runs
in order to reduce the search space. Both principles combine well, especially on benchmarks
with complex properties. The success of the counterexample test is owed to the low overhead
it incurs.

4.9 Bibliographic Notes

During formal verification of a 16-bit CISC processor, Beatty and Bryant [13] observed one
of the principal dangers of formal verification in the form of antecedent failures. If a logical
proposition a is false, every implication having a as antecedent is trivially true. The approach
taken by Beatty and Bryant to avoid antecedent failure is to rewrite properties enforcing the an-
tecedents to remain true on at least one of the paths. The property AG (req → ack) is conjoined
with EF req to force the antecedent to become true eventually. This approach turns out to be
non-trivial already for relatively straightforward formulas such as AG (p → AX (q → AX r)).
The term vacuous pass was introduced by Beer et al. for the phenomenon of a trivial satis-
faction of a property by a model [14, 15]. Their main contributions are

• a formalization of vacuity. In simple terms, vacuity occurs when one of the operands
does not affect validity of the formula.

• a formalization of the notion of interesting witness (already discussed in detail in Sec-

tion 2.5.2).

• efficient algorithms for detecting vacuity or interesting witnesses for w-ACTL formu-
las [67].

A detailed discussion of these contributions can be found in Section 2.5.

Beer et al.’s method exploits the nature of w-ACTL formulas: for a w-ACTL formula φ ,
there exists a single smallest important subformula ψ which is a subformula of every other
important subformula of φ . Thus, it suffices to check the validity of a new formula φ 0 =
φ [ψ ← false]. If φ 0 fails on M, the resulting counterexample is a witness to the non-vacuity of
the subformula ψ.
74 C HAPTER 4. VACUITY IN M ODEL C HECKING

A general method for detecting vacuity and generating interesting witnesses for formulas
in CTL* (which includes LTL) is presented in [79]. The method amounts to checking if any
of the subformula occurrences affect validity of the formula. This is done by replacing a
subformula occurrence by ⊥, i.e., by true if it occurs under odd number of negations, and
by false otherwise. Thus, vacuity checking can be done in time O(MC (|φ |) · |φ |) where MC is
the complexity of model checking. Note that the number of subformula occurrences is linear in
the size of the formula. The authors distinguish between vacuity of a subformula and vacuity
of an occurrence of a subformula. Detecting the former is coNP-complete and hence, a harder
problem.
An efficient algorithm combining model checking and vacuity detection for formulas in
CTL is proposed in [95]. Instead of checking φ and the witness formulas generated by various
replacements in a sequential fashion, it checks φ and all its replacements in a single bottom-
up pass over the parse tree of φ . At each node in the parse tree, the algorithm exploits the
relationships between the sets of states satisfying the corresponding formulas. Depending on
the number of negations along the path connecting a node to the root of the parse tree, the set of
states satisfying a witness formula is either a lower bound or an upper bound on the satisfying
set of the formula φ . This is experimentally shown to speed up fixed point computations,
enabling vacuity checks with a very little overhead.
A fault simulation based approach to vacuity detection is proposed in [68, 69]. Instead of
replacing a literal occurrence in a formula by ⊥, a stuck-at-0 or stuck-at-1 fault depending on
the polarity of the literal occurrence is injected in the corresponding VHDL checker. The faulty
checker is connected to the model and the resulting system is simulated using test vectors. A
checker failure indicates that the corresponding literal is not vacuous. Absence of a checker
failure does not mean that the corresponding literal is vacuous; it may just be due to the lack of
the particular test vector that exposes the fault. The method is incomplete. Moreover, a checker
cannot even be generated for every LTL formula.
A temporal logic query-based approach called parameterized vacuity detection is presented
in [99]. A formula is vacuous if there is a subformula that can be replaced by a stronger formula
without affecting its satisfaction. Finding such stronger formulas is done by query checking.
A weaker notion of vacuity, namely inherent vacuity is proposed in [58]. A specification is in-
herently vacuous if it can be mutated into a simpler equivalent specification. Deciding whether
an LTL formula is inherently vacuous can be done polynomial space.
Apart from the above methods based on replacing a subformula occurrence by ⊥, other
approaches exist in the literature which we now sketch briefly. Instead of defining vacuity as
insensitivity to syntactic (formula) perturbations, vacuity as insensitivity to semantic pertur-
bations is advocated in [3] for LTL formulas. This notion is claimed to be more robust, i.e.,
insensitive to trivial changes in the logic and in the model. Gurfinkel et al. [26] extend this
notion to CTL*, and Bustan et al. [25] extend it to RELTL, i.e., LTL enhanced by regular
expressions.
A vacuous satisfaction is a problem related to the justification used by the model checker for
deeming the property true. Proof vacuity [90] checks whether a deductive proof of correctness
presenting these justification steps is vacuous. There may exist many proofs of correctness;
existence of at least one vacuous proof is needed. A proof of bounded/partial correctness can
be generated during SAT-based bounded model checking (BMC). The proof can be analyzed to
check partial vacuity [102]. One simple case of such vacuity is an atomic proposition present
in the formula but absent in the proof. A proposition declared vacuous at a certain bound is
only partially vacuous as it can later affect the truth value of the formula.
Closest to our work, Gurfinkel and Chechik present mutual vacuity [27]. They prove that
4.9. B IBLIOGRAPHIC N OTES 75

checking vacuity with respect to all occurrences of literals in φ is equivalent to checking all
occurrences of general subformulas in φ [27]. Thus, one does not need to consider all sub-
formulas but only the atomic propositions, i.e., literals. Their objective is to find a maximum
set of literal occurrences, instead of a single literal occurrence, that can be simultaneously re-
placed by false without causing the property to fail. The authors propose an exponential-time
multi-valued model checking algorithm to detect mutual vacuity. We provide a solution to
this problem that can be implemented using two-valued model checkers, which are typically
available in industry.
Our algorithm is similar in spirit to that proposed by Chockler and Strichman [36, 37]. They
propose an iterative algorithm at the automaton level, which hides literals in the automaton and
iteratively adds back a minimum number of literals that give rise to the counterexample. The
second step requires solving an NP-complete problem (minimum hitting set). In contrast, we
address the problem at the formula level and systematically exploit the relationship between
candidate formulas, which allows for a more cost-effective solution. Moreover, we use coun-
terexample traces to eliminate many candidate formulas without model checking the entire
design.
An approach by Chockler et al. determines vacuity values over paths in M, in order to com-
pute the strongest formula that satisfies M and lies in the Boolean closure of the strengthenings
of the original property [28]. Although the approach finds formulas stronger than mutual vacu-
ity does, its complexity seems impractical for large formulas.
 Vacuity and Interpolation
5
Symbolic model checking techniques manipulate implicit representations of sets of states to
verify correctness properties of transition systems. Image computation and fixed point detec-
tion, two essential steps in model checking, involve quantifier elimination, which is compu-
tationally expensive. The expensive image computation necessitates techniques to compute
approximate images. In this chapter, we address the effect of vacuity on approximate image
computation.
Interpolant-based model checking of finite state systems uses Craig interpolants as approx-
imate image operators to compute an inductive invariant that suffices to show correctness [87].
The performance of an interpolant-based model checker depends on the approximate images
obtained. A coarse approximation typically contains spurious errors and causes the model
checker to restart with a larger formula. Model checking with a larger formula is more resource-
intensive than with a smaller formula. On the other hand, a tight approximation delays con-
vergence to a fixed point. If the property holds, the ideal approximate image is an inductive
invariant that implies the property. If the property does not hold, the ideal approximation is one
which enables the error to be detected efficiently. Thus, rather than strong or weak interpolants,
procedures to compute interpolants of different strengths are required.
An ordered family of linear-time interpolation systems is proposed in [52]. This family
subsumes existing interpolation systems. An interpolation system ITP maps a resolution refu-
tation R to an interpolant ITP(R). The order guarantees interpolant strength; if ITP1  ITP2 then
ITP 1 (R) implies ITP 2 (R) for any refutation R.

One of the factors that influences the performance of any over-approximation technique is
the quality of the property. As shown in Chapter 4, vacuous properties can be strengthened
without being violated by the model. Such properties are undesirable rendering detection and
elimination of vacuity a must. On the other hand, since vacuous properties describe more
behaviors than the behaviors of M, over-approximation techniques can be applied to make
verification feasible. Consider a model M and a vacuous property φ as depicted in Figure 5.1.
A property φ stng stronger than φ is satisfied by M. The model M can be over-approximated to
M weak to include φ stng \ M such that M weak |= φ , exploiting vacuity of φ .

77
78 C HAPTER 5. VACUITY AND I NTERPOLATION

φ φ

φ stng M weak
M M

(a) Vacuous φ (b) Over-approximating M

Figure 5.1: Vacuity and Over-approximation

Vacuity in the context of BMC can be defined using peripherality of a variable with respect
to formulas A and B in an (A, B)-refutation [102]. Intuitively, peripheral variables are false-
shared variables between A and B in an (A, B)-refutation. As an example, a variable v in an
(A, B)-refutation that is resolved upon using either set of clauses from A and B is a peripheral
variable. The variable v can be replaced with free variables in either set of clauses without
affecting unsatisfiability of A and B. A new interpolation system treating peripheral, i.e., false-
shared variables as local variables can be designed to generate more than one interpolant from
the same proof.
We propose an interpolation system that is a member of the proposed family of interpo-
lation systems. This new system exploits peripheral vacuity to identify true shared variables
between clauses from A and B in an (A, B)-refutation. Given an (A, B)-refutation, the new sys-
tem generates an interpolant that is weaker than the one generated by McMillan’s interpolation
system [87].
This chapter is organised as follows. Existing interpolation systems are presented in Sec-
tion 5.2. The parameterised interpolation system appears in Section 5.3. Background on pe-
ripheral vacuity appears in Section 5.4. Section 5.5 addresses the influence of peripherality on
interpolation. We conclude in Section 5.6.

5.1 Preliminaries

Background material on resolution proofs appears in Section 2.4.2. We remind the reader that
Roots(P) denotes the set of initial vertices of a resolution proof P. We say that a vertex
v belongs to A or B in an (A, B)-refutation, if v ∈ Roots(P) and `P (v) belongs to A or B,
respectively. The background on Craig interpolants, and model checking based on interpolants
is covered in Section 2.4.4. A general introduction to vacuity analysis appears in Section 2.5.
Please refer to Section 2.4.3 for a detailed discussion on BMC. Also, recall that φ [p ← ζ ]
indicates replacing p in φ by ζ .
5.2. C OMPARISON OF I NTERPOLATION S YSTEMS 79

5.2 Comparison of Interpolation Systems

In this section, we highlight issues related to interpolant strength using examples. We recall
two interpolation systems from the literature. The examples show that they produce different
results, that there are interpolants not obtained in either system, and that weaker interpolants
can be beneficial for model checking.

5.2.1 Interpolation Systems

An interpolation system is a procedure for constructing an interpolant from an (A, B)-refutation.

Different linear-time interpolation systems exist. The first system, which we call the symmetric
system, was proposed by Huang [71], Krajı́ček [76] and Pudlák [94]. Another system was
proposed by McMillan [87]. Both systems map vertices in a refutation to a formula called the
partial interpolant.
Formally, an interpolation system ITP is a function that given an (A, B)-refutation P yields
a function, denoted ITP(P, A, B), from vertices in P to formulae over Var(A, B). An inter-
polation system is correct if ITP(P, A, B)(sP ) is an interpolant for (A, B), for every (A, B)-
refutation P with sink sP . We write ITP(P) for ITP(P, A, B)(sP ) when A and B are clear.
Let v be a vertex in an (A, B)-refutation P. The pair (`(v), ITP(P, A, B)(v)) is an anno-
tated clause and is written `(v) [ITP(P, A, B)(v)]. An interpolation system can be presented
as an extension of resolution using annotated clauses. This style of presentation was intro-
duced by McMillan [88]. The inverse of an interpolation system, denoted ITP0 , is defined as
ITP 0 (P, A, B)(v) = ITP (P, B, A)(v) vertices v in P. An interpolation system ITP is symmetric
def

if ITP(P, A, B)(sP ) = ¬ITP0 (P, A, B)(sP ).

Definition 5.2.1 (Symmetric System) The symmetric system, ITPS , maps vertices in an (A, B)-
refutation P to partial interpolants as defined below:

For an initial vertex v with `(v) = C

(A-clause) if C ∈ A (B-clause) if C ∈ B
C [false] C [true]

For an internal vertex v with piv(v) = x, `(v+ ) = C1 ∨ x and `(v− ) = C2 ∨ x

C1 ∨ x [I1 ] C2 ∨ x [I2 ]
C1 ∨C2 [I3 ]

def
(A-Res) if x ∈ Var(A) \ Var(B), I3 = I1 ∨ I2
def
(AB-Res) if x ∈ Var(A) ∩ Var(B), I3 = (x ∨ I1 ) ∧ (x ∨ I2 )
def
(B-Res) if x ∈ Var(B) \ Var(A), I3 = I1 ∧ I2

See [24, 110] for proofs of correctness of symmetric systems. Huang has shown that ITPS is
symmetric [71, Lemma 13].

Definition 5.2.2 (McMillan’s System) McMillan’s interpolation system ITPM maps vertices
in an (A, B)-refutation P as to partial interpolants as defined below.
80 C HAPTER 5. VACUITY AND I NTERPOLATION

For an initial vertex v with `(v) = C

(A-clause) if C ∈ A (B-clause) if C ∈ B
C [C|B ] C [true]

For an internal vertex v with piv(v) = x, `(v+ ) = C1 ∨ x and `(v− ) = C2 ∨ x

C1 ∨ x [I1 ] C2 ∨ x [I2 ]
C1 ∨C2 [I3 ]

def
(A-Res) if x ∈
/ Var(B), I3 = I1 ∨ I2
def
(B-Res) if x ∈ Var(B), I3 = I1 ∧ I2

See [88] for McMillan’s proof of correctness. The following example shows that the inter-
polants obtained from ITPM and ITPS are different and that ITPM is not symmetric.

Example Let A be the formula (a1 ∨ a2 ) ∧ (a1 ∨ a3 ) ∧ a2 and B be the formula (a2 ∨ a3 ) ∧ (a2 ∨
a4 ) ∧ a4 . An (A, B)-refutation P is shown in Figure 5.2. The partial interpolants in McMillan’s
system are shown in Figure 5.2(a) and those in the symmetric system in Figure 5.2(b). We
have that ITPM (P) = a3 ∧ a2 and ITPS (P) = a3 . For the inverse systems, the interpolants
are ITP0M (P) = a2 ∧ a3 and ITP0S (P) = a3 . Observe that ITPM (P) → ITPS (P), ITPS (P) ⇔
¬ITP0S (P), and ¬ITP0S (P) → ¬ITP0M (P).

a1 a2 [a2 ] a1 a3 [a3 ] a2 a3 [>] a2 a4 [>] a4 [>] a1 a2 [⊥] a1 a3 [⊥] a2 a3 [>] a2 a4 [>] a4 [>]

a2 a3 [a2 ∨ a3 ] a2 [a2 ] a2 [>] a2 a3 [⊥] a2 [⊥] a2 [>]

a3 [a3 ∧ a2 ] a3 [>] a3 [⊥] a3 [>]

 [a3 ∧ a2 ]  [a3 ]

(a) McMillan’s System (b) Symmetric System

Figure 5.2: Refutation yielding different interpolants for different systems.

Example 5.2.1 below shows that there are interpolants that cannot be obtained by these
systems and that the interpolants from ITPM and ITPS may coincide.

Example Let A be the formula a1 ∧ (a1 ∨ a2 ) and B be the formula (a1 ∨ a2 ) ∧ a1 . An (A, B)-
refutation P is shown in Figure 5.3. The interpolants computed are:

0
ITP M (P) = a1 ∧ a2 , ITP S (P) = a1 ∧ a2 , ¬ITP M (P) = a1 ∨ a2 .

In addition, a1 is an interpolant for A∧B, as is a2 . However, we cannot obtain these interpolants

from ITPM , ITPS , ITP0M or ITP0S .
5.2. C OMPARISON OF I NTERPOLATION S YSTEMS 81

a1 a2 a1 a2 a1
a2
a1 a1

Figure 5.3: A refutation for a1 ∧ (a1 ∨ a2 ) ∧ (a1 ∨ a2 ) ∧ a1

5.2.2 Interpolant Strength and Model Checking

In Example 5.2.1 and Example 5.2.1, the interpolant obtained from ITPM implies all other
interpolants computed in the respective examples. Stronger interpolants represent more precise
approximations, so one may ask why other interpolation systems should be considered.
We make two arguments for studying other interpolation systems. First, the approximate
image operator realised using interpolation is not monotone. Using a more precise approxi-
mation in one iteration does not guarantee a more precise approximation after two iterations.
Second, a coarse approximation may converge to an inductive invariant faster than a precise
one as illustrated by the following example.

def
J(~a) = (a2 ∧ a1 ∧ a0 )
À a2 a1 a0 T (~a,~a0 )
def
= (a2 ∧ a1 → a02 ∧ a01 ) ∧ À
(a2 ∧ a1 → a02 ∧ a01 ) ∧ Á
a2 a1 a0 Á (a2 ∧ a1 → a02 ∧ a01 ) ∧ Â
a2 a1 a0 (a2 ∧ a1 → a02 ∧ a01 ) ∧ Ã
 (a02 ∧ a01 ∨ a02 ∧ a01 ∨ a02 ∧ a01 ) → a00
def
F(~a) = a0 ∧ (a1 ∨ a2 )

Figure 5.4: A transition system implementing a binary counter.

Example The state machine in this example cycles through the sequence 0, 2, 4. Let S =
{0, . . . , 7} be the set of all states and J = {0} be the initial state set. The formulae J(~a) and
T (~a,~a0 ) over the variables ~a = (a2 , a1 , a0 ) are shown in Figure 5.4. The transitions encoded
by the conjuncts À, Á, and  connect reachable states, whereas the transitions encoded by the
conjunct à connect unreachable states. Failure states, encoded by the formula F(~a), are odd
values less than 6.
Let A1 be J(~a) ∧ T (~a,~a0 ) and B1 be F(~a0 ). An (A1 , B1 )-refutation P1 is shown in Figure 5.5
along with the partial interpolants obtained from ITPM . The formula I1 (~a0 ) = ITPM (P1 ) =
def

a02 ∧ a01 ∧ a00 is equivalent to the exact image ∃~a . J(~a) ∧ T (~a,~a0 ). One can construct a sequence
of pairs (Ai , Bi ) and a sequence of (Ai , Bi )-refutations Pi so that ITPM (Pi ) is the set of states
reachable from J(~a) in i steps.
In the next iteration of the model checker, a formula A2 is constructed by replacing J(~a)
with J(~a) ∨ I1 (~a) in A1 .
The encoding of the initial state J(~a) is replaced with an over-approximation J(~a) ∨ I(~a),
82 C HAPTER 5. VACUITY AND I NTERPOLATION

a2 a1 a01 [a01 ] a1 [⊥] a2 [⊥] a2 a1 a02 [a02 ]

a2 a01 [a01 ] a1 a02 [a02 ]

a02 [a02 ] a02 a01 a00 [a02 ∨ a01 ∨ a00 ]

a01 [a01 ] a01 a00 [a02 ∧ a01 ∨ a02 ∧ a00 ]

J(a) = a2 ∧ a1
0 0
T (a, a ) = (a2 ∨ a1 ∨ a1 ) ∧
0
(a2 ∨ a1 ∨ a2 ) ∧
a00 [a02 ∧ a01 ∧ a00 ] a00 [>]
0 0 0
(a2 ∨ a1 ∨ a0 )
0
F (a )
0
= a0  [a02 ∧ a01 ∧ a00 ]

Figure 5.5: Refutation with McMillan’s interpolant of J(~a) ∧ T (~a,~a0 ) and F(~a0 ). The figure
shows a contradictory subset of the clauses of a CNF encoding of the formulae.

leaving us with the formulas A = (J(~a) ∨ I(~a)) ∧ T (~a,~a0 ) and B = F(~a0 ). In order to obtain an
(A, B)-refutation, we convert A ∧ B into a formula in CNF using Tseitin’s transformation.This
transformation introduces fresh variables and increases the size of the formula by a constant
factor.
The disjunction J(~a) ∨ I(~a) yields

(o0 ∨ o1 ) ∧ (o0 ∨ J(~a)) ∧ (o0 ∨ ¬J(~a))∧

(o1 ∨ I(~a)) ∧ (o1 ∨ ¬I(~a))

and all logical operations in J(~a) and I(~a) are recursively translated into a formula in CNF
using Tseitin’s algorithm. Figure 5.6 shows the relevant fragment of the resulting formula.
Figure 5.6 is one possible (A, B)-refutation R2 of the pair of formulae A = (J(~a) ∨ I(~a)) ∧
T (~a,~a0 ) and B = F(~a0 ). The figure shows the propositional interpolant ITPM (R2 ) = (a02 ∧ a01 ∧
a00 ∨ a02 ∧ a01 ∧ a00 ) obtained using McMillan’s system. Note that all variables introduced by
Tseitin’s algorithm are local to either A or B and do not contribute to the interpolant.
Again, the formula ITPM (R2 ) is the exact image ∃~a.(J(~a) ∨ I(~a)) ∧ T (~a,~a0 ), forcing us to
perform an additional iteration of the model checking process. The interpolant ITPS (R) is once
more a0 , an inductive invariant of the transition system.
In contrast, the symmetric interpolant ITPS (P1 ) = a00 is an inductive invariant. Model
checking with a weaker interpolation system converges more quickly in this case.

We do not claim that proofs similar to those in Example 5.2.2 are generated by the SAT
solvers used in practice. The example only shows that there are situations in which weaker
interpolants lead to better performance.
In the next section, we explain the labelled interpolation system using which we explain
the effect of peripherality on interpolation.

5.3 Labelled Interpolation Systems

In this section, we discuss the labelled interpolation systems presented in [52]. The labelled in-
terpolation systems are strictly more general than the interpolation systems from Section 5.2.1.
5.3. L ABELLED I NTERPOLATION S YSTEMS 83

a2 a1 a01 [a01 ] o0 a1 [⊥] o0 a2 [⊥] a2 a1 a02 [a02 ]

o0 a2 a01 [a01 ] o0 a1 a02 [a02 ]

o0 a02 [a02 ] a02 a01 a00 [a02 ∨ a01 ∨ a00 ]

o0 a01 [a01 ] o0 a01 a00 [a02 ∧ a01 ∨ a02 ∧ a00 ]

o0 a00 [a02 ∧ a01 ∧ a00 ] a00 [>]

0
symmetric
J(a) ∨ I (a) =
o1 o0 [⊥] o0 [a02 ∧ a01 ∧ a00 ]
(o1 ∨ o0 ) ∧
(o1 ∨ a2 ) ∧ (o1 ∨ a1 ) ∧
(o0 ∨ a2 ) ∧ (o0 ∨ a1 ) o1 [a02 ∧ a01 ∧ a00 ] o1 [a02 ∧ a01 ∧ a00 ]

 [a02 ∧ a01 ∧ a00 ∨ a02 ∧ a01 ∧ a00 ]

Figure 5.6: (A, B)-Refutation with McMillan’s interpolant for A = (J(~a) ∨ I(~a)) ∧ T (~a,~a0 ) and
B = F(~a0 ).

Moreover, the labelled interpolation systems can be composed to obtain stronger and weaker
interpolants.

Definition 5.3.1 (Labelling Function) Let S = {⊥, a, b, ab} be a set of symbols. Let (S , v
, u, t) be the lattice below where v, u and t are defined by the Hasse diagram. A labelling
function LP : VP × L → S for a refutation P over a set of literals L satisfies that for all
v ∈ VP and l ∈ L :

1. LP (v, l ) = ⊥ iff l ∈
/ `P (v) ab

2. LP (v, l ) = LP (v+ , l ) t LP (v− , l ) for an internal vertex v and a b

literal l ∈ `P (v). ⊥

Due to condition (2) above, the labelling function for literals at internal vertices is completely
determined by the labels of literals at initial vertices. A variable x is A-local in a pair (A, B)
if x ∈ Var(A) \ Var(B), B-local if x ∈ Var(B) \ Var(A), local if it is either of these, and shared
otherwise.

Definition 5.3.2 (Locality) A labelling function for an (A, B)-refutation P preserves locality
if for any initial vertex v and literal l in P

1. a v L(v, l ) implies that var(l ) ∈ Var(A), and

2. b v L(v, l ) implies that var(l ) ∈ Var(B) .

The locality condition ensures that literals over A-local variables are labelled a and literals over
B-local variables are labelled b. Our system generalises existing ones by permitting arbitrary
labels for literals over shared variables. We refer to locality-preserving labelling functions as
84 C HAPTER 5. VACUITY AND I NTERPOLATION

a a b b b
a1 a2 [⊥] a1 a2 [>] a1 [>]
b
a2 [>]
a a
a1 [⊥] a1 [a2 ]
 [a2 ]

Figure 5.7: A labelled interpolation system ITP(L) that can be used to obtain a different inter-
polant from ITPM , ITPS , ITP0M or ITP0S .

labelling functions. Given a labelling function L, the downward projection of a clause at a

vertex v with respect to c ∈ S is: `(v)c,L = {l ∈ `(v) | L(v, l ) v c}. The upward projection
def

`(v)c,L is similarly defined. The subscript L is omitted if clear.

Definition 5.3.3 (Labelled Interpolation System) Let L be a locality preserving labelling func-
tion for an (A, B)-refutation P. The labelled interpolation system ITP(L) maps vertices in P
to partial interpolants as defined below.

For an initial vertex v with `(v) = C

(A-clause) if C ∈ A (B-clause) if C ∈ B
C [Cb ] C [¬(Ca )]

For an internal vertex v with piv(v) = x, `(v+ ) = C1 ∨ x and `(v− ) = C2 ∨ x

C1 ∨ x [I1 ] C2 ∨ x [I2 ]
C1 ∨C2 [I3 ]

if L(v+ , x) t L(v− , x) = a,
def
(A-Res) I3 = I1 ∨ I2
if L(v+ , x) t L(v− , x) = ab,
def
(AB-Res) I3 = (x ∨ I1 ) ∧ (x ∨ I2 )
if L(v+ , x) t L(v− , x) = b,
def
(B-Res) I3 = I1 ∧ I2

The interpolant obtained from an (A, B)-refutation P with a labelling function L is denoted by
ITP (L, P). Example 5.3 illustrates the use of a labelled interpolation system. The following
example shows that the labelled interpolation systems are strictly more general than existing
systems as demonstrated by the following example.

Example Let A = a1 ∧ (a1 ∨ a2 ) and B = (a1 ∨ a2 ) ∧ a1 . An (A, B)-refutation is shown in

Figure 5.7 with the symbol L(v, l ) above each literal. The interpolant obtained from ITP(L) is
a2 . Recall from Example 5.3 that this interpolant cannot be derived in existing systems.

Theorem 5.3.4 (Correctness) For any (A, B)-refutation P and locality preserving labelling
function L, ITP(L, P) is an interpolant for (A, B).

Lemma 5.3.5, which follows, shows that McMillan’s system and the symmetric system are
instances of labelled interpolation systems. Recall that the labelling function for literals at
internal vertices is determined by the labelling function at initial vertices. Thus, it suffices to
define the labelling functions corresponding to ITPM , ITP0M and ITPS at initial vertices.
5.3. L ABELLED I NTERPOLATION S YSTEMS 85

Lemma 5.3.5 Let P be an (A, B)-refutation. The labelling functions LS , LM and LM0 are
defined for initial vertices v and literals l ∈ `(v) as follows:

var(l ) LM (v, l ) LS (v, l ) LM0 (v, l )

A-local a a a
shared b ab a
B-local b b b

The following equalities hold:

ITP M (P) = ITP (LM , P), ITP S (P) = ITP (LS , P) and ¬ITP0M (P) = ITP(LM0 , P).

The value, at an initial vertex, of each labelling function in Lemma 5.3.5 is determined only
by whether a variable is A-local, B-local or shared. In contrast, other labelling functions may
assign different symbols to different occurrences of the same literal (see, for instance, the literal
a1 in Figure 5.7).
Labelled interpolation systems are useful because they allow different interpolants to be
constructed from a refutation. These interpolants are related by strength. A labelled interpola-
tion system ITP(L) is stronger than ITP(L0 ) if for all refutations P, ITP(L, P) → ITP(L0 , P).
An order, denoted , on labelling functions is defined. This order guarantees an ordering in
strength.

Definition 5.3.6 (Strength Order) Define the total order  on S = {⊥, a, b, ab}, as: b 
ab  a  ⊥. Let L and L0 be labelling functions for an (A, B)-refutation P. The function L is
stronger than L0 , denoted L  L0 , if for all v ∈ VP and l ∈ `(v), L(v, l )  L0 (v, l ).

Lemma 5.3.7 simplifies the comparison of labelling functions by allowing us to compare the
values of labelling functions at initial vertices.

Lemma 5.3.7 Let L and L0 be labelling functions for an (A, B)-refutation P. If L(v, l ) 
L0 (v, l ) for all initial vertices v and literals l ∈ `(v), then L  L0 .

Theorem 5.3.8 shows that if L is a stronger labelling function than L0 , the interpolant
obtained from ITP(L) is stronger than the one obtained from ITP(L0 ).

Theorem 5.3.8 If L and L0 are labelling functions for an (A, B)-refutation P such that L  L0 ,
then ITP(L, P) → ITP(L0 , P).

By applying Theorem 5.3.8, it can be seen that McMillan’s system produces stronger inter-
polants than the symmetric system.

Corollary 5.3.9 Let P be an (A, B)-refutation and LM , LS , LM0 be as in Lemma 5.3.5. It holds
that ITP(LM , P) → ITP(LS , P) and ITP(LS , P) → ITP(LM0 , P).

We now discuss peripheral vacuity which will be shown to weaken interpolants in Sec-
tion 5.5.
86 C HAPTER 5. VACUITY AND I NTERPOLATION

5.4 Peripheral Vacuity

We recall Definition 2.5.2 of formula vacuity. A property φ satisfied by a model M is said to

be vacuous in M with respect to a subformula ψ of φ , if ψ does not affect the satisfiability of
φ in M. In BMC, the satisfiability of φ is checked only up to a depth k in M. It is possible to
define vacuity in a BMC setting.

Definition 5.4.1 Let M be a model, φ be a formula such that M |=k φ , and ψ be a subformula
of φ . Then, φ is k-step vacuous in M with respect to ψ iff M |=k ∀ξ .φ [ψ ← ξ ].

For a variable x in φ , let φ [x ← ζ ] denote a formula obtained from φ by replacing all occur-
rences of x in φ by ζ . Given a model M and property φ such that M |= φ , k-step vacuity is
defined as follows.

Definition 5.4.2 [102] For a model M and a property φ such that M |=k φ , and a variable x, φ
is k-step x-vacuous iff M |=k φ [x ← ζ ] where ζ is a new unconstrained variable not occurring
in either M or φ .

If φ is k-step x-vacuous, x is said to be a k-step vacuous variable of φ . A property is k-step

vacuous iff it contains a k-step vacuous variable.
BMC uses fast propositional solvers to decide if M |=k φ . The propositional resolution
proof generated by the solver can be analyzed to detect k-vacuous variables. If a variable x
does not appear in the refutation proof of BMCk (M, φ ), φ is k-step x-vacuous. The converse is
not true: k-step vacuous variables may appear in the proof of unsatisfiability of BMCk (M, φ ).
This kind of vacuity is called irrelevance in [102]. Checking only for irrelevant variables in a
proof may not be enough to expose vacuity as illustrated by the following example.

Example Consider a model M with initial states p ∧ q and transition relation p → q0 . Let
the property be X(p ∨ (¬p ∧ q)). Consider the formula BMC1 (M, φ ). Fix AM for the set of
formulas corresponding to the model in BMC1 (M, φ ) and Be for the part corresponding to the
faulty states. The partition is shown below:

AM = (p0 ) ∧ (¬p0 ∨ q1 )
(5.1)
Be = (¬p1 ) ∧ (p1 ∨ ¬q1 )

The resolution proof of unsatisfiability of Formula 5.1 is shown in Figure 5.8. The variable p
in timeframe one occurs only in clauses of Be in the UNSAT core and p0 occurs only in clauses
of AM . The variable p1 in Be can be replaced by a new unconstrained variable ζ in Be without
affecting the unsatisfiability of BMC1 (M, φ ). Hence, p is a 1-step vacuous variable even if it
appears in the resolution proof.

The above example suggests one more simple test to detect vacuity. For each time frame i, if a
variable x, is local to either AM clauses or Be clauses appearing in the proof of BMCk (M.φ ), φ
is k-step x-vacuous. This kind of vacuity is referred to as local irrelevance in [102]. However,
local irrelevance fails to detect vacuity in the following case.

Example Consider the partitions as follows:

AM = (¬r0 ) ∧ (r0 ∨ p0 ) ∧ (¬p0 ∨ q0 )

(5.2)
Be = (p0 ) ∧ (¬p0 ∨ q0 )
5.4. P ERIPHERAL VACUITY 87

¬p0 ¬p0 ∨ q1 ¬p1 p1 ∨ ¬q1

q1 ¬q1

Figure 5.8: Resolution proof of unsatisfiability of AM and Be in Formula 5.1. The clauses in
bold belong to Be .

¬r0 r0 ∨ p0 ¬p0 ∨ q0 ¬p0 ∨ ¬q0 p0

p0

q0

¬p0

Figure 5.9: Resolution proof demonstrating peripherality. The clauses in bold belong to Be .

The formula AM ∧ Be in Equation 5.2 is unsatisfiable and its proof of unsatisfiability is given
in Figure 5.9. The variable p0 appears in clauses of AM as well as clauses of Be . Consider
the resolution on p0 that immediately results in an empty clause. The variable p0 in the parent
clauses of  is contributed by the clauses belonging to Be alone. Consider the remaining
resolution on p0 resulting in clause q0 . The variable p0 in the parent clauses of q0 is contributed
by the clauses belonging to AM only. Thus, p0 in either set of clauses, i.e., AM or Be can be
replaced by a new unconstrained variable without affecting unsatisfiability.

Taking into account the above examples, we now explain how to check if a property is k-step
vacuous.
For a given proof P, a variable x, and a vertex v, let S(x, v) denote the set of all initial
vertices that have contributed x to v. S(x, v) is defined recursively as follows:

 0/ if x 6∈ `P (v)
S(x, v) = v if v ∈ Roots(P) ∧ x ∈ `P (v)
S(x, v1 ) ∪ S(x, v2 ) if v1 and v2 are parents of v and x ∈ `P (v)


Using S(x, v), peripherality of a variable is defined as follows:

Definition 5.4.3 [102] Let A and B be disjoint sets of clauses such that A ∪ B is unsatisfiable
and P be a resolution proof corresponding to its unsatisfiability. A variable x is peripheral
with respect to A and B iff for every resolution on x between clauses `P (v1 ) and `P (v2 ) in P,
S(x, v1 ) ∪ S(x, v2 ) ⊆ A or S(x, v1 ) ∪ S(x, v2 ) ⊆ B .
88 C HAPTER 5. VACUITY AND I NTERPOLATION

Let the BMC formula in Equation 2.3 be partitioned as follows:

def
AM (s0 , s1 ) = Q(s0 ) ∧ T (s0 , s1 ) ∧ T (s1 , s2 ) ∧ . . . ∧ T (sk−1 , sk )
def (5.3)
Be (s1 , . . . , sk ) = (F(s1 ) ∨ . . . ∨ F(sk ))
The following theorem relates peripherality and k-step vacuity.

Theorem 5.4.4 [102] Let P be a proof of unsatisfiability of BMCk (M, φ ). The property φ is
k-step x-vacuous, if for each time instance i, xi is peripheral in P with respect to AM and Be .

However, more than one proofs of unsatisfiability of BMCk (M, φ ) could exist. If a variable is
detected peripheral in at least one of them, it is vacuous. The following theorem states this.

Theorem 5.4.5 [102] Assume φ is k-step x-vacuous in M. There exists a resolution proof P
of unsatisfiability of BMCk (M, φ ) such that x is peripheral with respect to AM and Be in P.

The next section explains the effect of peripherality on interpolants.

5.5 Peripherality and Interpolation

In this section, we show that if a variable is peripheral in an (A, B)-refutation proof, multiple
interpolants can be computed from the same proof. The intuition behind this is that a peripheral
variable is a false shared variable and hence, can be treated as local variable, eliminating it from
the interpolant.
A local variable is always peripheral. The converse is not true: a shared variable can also
be peripheral. The following lemma states this.

Lemma 5.5.1 Let P be an (A, B)-refutation proof and l be a literal. If var(l ) is A-local or
B-local, var(l ) is peripheral in P with respect to A and B. The converse is not true: if var(l )
is peripheral in P with respect to A and B, var(l ) may neither be A-local nor B-local.

Proof If a variable var(l ) is A-local, for every resolution on var(l ) between clauses `P (v1 )
and `P (v2 ) in P, S(var(l ), v1 ) ∪ S(var(l ), v2 ) ⊆ A. This is because var(l ) is absent in clauses
belonging to B due to A-locality of var(l ). Similarly, if a variable var(l ) is B-local, for every
resolution on var(l ) between clauses `P (v1 ) and `P (v2 ) in P, S(var(l ), v1 ) ∪ S(var(l ), v2 ) ⊆
B. For the converse, consider the variable p0 in Example 5.4. Let A = AM and B = Be . The
peripheral variable p0 is shared between A and B.

It follows from the above lemma that if a variable x is not peripheral, then it is neither A-local
nor B-local, i.e., x is a shared variable.
Consider a new labelling function LP that determines the labelling of the initial vertices in
an (A, B)-refutation proof P as follows. The labelling function LP is defined for initial vertices
v and literals l ∈ `P (v) as follows:


 a if var(l ) is A-local
b if var(l ) is B-local




 b if var(l ) is not peripheral


LP (v, l ) = a if var(l ) is peripheral, `P (v) ∈ A, (5.4)
and var(l ) is shared




b if var(l ) is peripheral, `P (v) ∈ B,




and var(l ) is shared

5.5. P ERIPHERALITY AND I NTERPOLATION 89

The first condition in LP (v, l ) corresponds to var(l ) being peripheral and A-local, i.e., at all
resolution steps on var(l ) between clauses `P (v1 ) and `P (v2 ) in P, we have

S(var(l ), v1 ) ∪ S(var(l ), v2 ) ⊆ A.

Similarly, the second condition corresponds to var(l ) being peripheral and B-local, i.e., at all
resolution steps on var(l ) between clauses `P (v1 ) and `P (v2 ) in P, we have

S(var(l ), v1 ) ∪ S(var(l ), v2 ) ⊆ B.

The remaining conditions correspond to var(l ) being shared. In particular, the third condition
corresponds to var(l ) being shared but not being peripheral, i.e., there exists a resolution on
var(l ) between clauses `P (v1 ) and `P (v2 ) in P such that S(var(l ), v1 )∪S(var(l ), v2 ) 6⊆ A and
S(var(l ), v1 ) ∪ S(var(l ), v2 ) 6⊆ B. The last two conditions correspond to var(l ) being shared as
well as peripheral. We now show that LP preserves locality.

Theorem 5.5.2 The labelling function LP for an (A, B)-refutation P is preserves locality.

Proof We refer to Definition 5.3.2 of locality. We show that for any vertex v ∈ Roots(P) and
a literal l , a v LP (v, l ) → var(l ) ∈ Var(A).

• The label LP (v, l ) is a if var(l ) is A-local. If var(l ) is A-local, var(l ) ∈ Var(A) \Var(B).
• The label LP (v, l ) is a if `P (v) ∈ A and var(l ) is peripheral and shared, i.e., A-local as
well as B-local. Hence, var(l ) ∈ Var(A).

Thus, it holds that a v LP (v, l ) → var(l ) ∈ Var(A).

For the remaining cases, we show that b v LP (v, l ) → var(l ) ∈ Var(B) holds.

• The label LP (v, l ) is b, if var(l ) is B-local. It follows that var(l ) ∈ Var(B).

• The label LP (v, l ) is b, if var(l ) is not peripheral. From Definition 5.4.3 of peripherality,
it follows that there is a resolution on var(l ) between clause `P (v1 ) and `P (v2 ) such
that S(var(l ), v1 ) ∪ S(var(l ), v2 ) 6⊆ A and S(var(l ), v1 ) ∪ S(var(l ), v2 ) 6⊆ B. It follows
that the root clauses contributing var(l ) belong to A as well as B. Hence, var(l ) ∈ B is
true. This can be proved using Lemma 5.5.1 as well.
• If var(l ) is peripheral and `P (v) ∈ B, LP (v,t) is b. If `P (v) ∈ B, var(l ) ∈ Var(B).

Thus, b v LP (v, l ) → var(l ) ∈ Var(B) holds.

Using LP , we define a new interpolation system ITPP such that ITPP (P) = ITP(LP , P).

Theorem 5.5.3 (Correctness) For an (A, B)-refutation P and labelling function LP , an inter-
polant for (A, B) is ITP(LP , P).

Proof It is proved in Theorem 5.5.2 that LP (v, l ) is preserves locality. It follows from Theo-
rem 5.3.4 that ITPP (P) is an interpolant for (A, B).

The following theorem states that ITPP results in an interpolant weaker than the one ob-
tained from McMillan’s system. We prove this by showing that LP is a weaker labeling func-
tion that LM .
90 C HAPTER 5. VACUITY AND I NTERPOLATION

Theorem 5.5.4 For an (A, B)-refutation P and LP as defined in Equation 5.4, it holds that

ITP (LM , P) → ITP (LP , P).

Proof We use Theorem 5.3.8. If LM  LP , it follows that ITP(LM , P) → ITP(LP , P). Hence,
we need to prove that LM  LP .
It can be easily seen that LM (v, l ) = LP (v, l ) = a if var(l ) is A-local. Similarly, LM (v, l ) =
LP (v, l ) = b if var(l ) is B-local.
The remaining cases in both the interpolation systems define labels of shared variables.
In McMillan’s interpolation system, if var(l ) is shared, LM (v, l ) = b. Following the strength
order given in Definition 5.3.6, we now show that for shared variables, LP (v, l ) is either b or a
which is weaker than b.

• If var(l ) is not peripheral, LP (v, l ) = b. It follows from Lemma 5.5.1 that var(l ) is
neither A-local or B-local, i.e., var(l ) is shared. Thus, LM (v, l ) = LP (v, l ) = b.

• Consider the case that var(l ) is shared and `P (v) ∈ A. We have, LP (v, l ) = a and
LM (v, l ) = b.

• Consider the case that var(l ) is shared and `P (v) ∈ B. We have, LP (v, l ) = LM (v, l ) = b.

Hence, LM (v, l )  LP (v, l ).

Similarly, we can show that ITP(LP , P) is stronger than ITP(LM0 , P).

Theorem 5.5.5 For an (A, B)-refutation P and LP as given in Equation 5.4, it holds that

ITP (LP , P) → ITP (LM 0 , P).

Proof We use Theorem 5.3.8. If LP  LM0 , it follows that ITP(LP , P) → ITP(LM0 , P). We
show that LP  LM0 .
It can be easily seen that LM0 (v, l ) = LP (v, l ) = a if var(l ) is A-local. Similarly, LM0 (v, l ) =
LP (v, l ) = b if var(l ) is B-local.
The remaining cases in both the interpolation systems define labels of shared variables.
If var(l ) is shared, LM0 (v, l ) = a. Following the strength order given in Definition 5.3.6,
we can show that for shared variables, LP (v, l ) is either b or a which is stronger than a.

• If var(l ) is not peripheral, it follows from Lemma 5.5.1 that var(l ) is neither A-local or
B-local, i.e., var(l ) is shared. Thus, LM0 (v, l ) = a and LP (v, l ) = b.

• Consider the case that var(l ) is shared and `P (v) ∈ A. We have,

LP (v, l ) = a and LM0 (v, l ) = a.

• Consider the case that var(l ) is shared and `P (v) ∈ B. We have,

LP (v, l ) = b and LM0 (v, l ) = a.

Hence, LP (v, l )  LM0 (v, l ).

5.6. C ONCLUSION 91

No statement can be made comparing the strength of ITPP and ITPS . For a shared variable,
LS (v, l ) is ab. The label of a shared variable in ITPP can be either b or a. The strength order
is b  ab  a  ⊥. Hence, the labels of all initial vertices in one system need not be either
stronger or weaker than the other system.
In Example 5.2.1, we saw that the interpolant a2 for A = a1 ∧(a1 ∨a2 ) and B = (a1 ∨a2 )∧a1
cannot be obtained from ITPM , ITPS , ITP0M or ITP0S . We now show that ITPP computes the
interpolant a2 .

Example Consider Example 5.3 in which A = a1 ∧ (a1 ∨ a2 ) and B = (a1 ∨ a2 ) ∧ a1 . An (A, B)-
refutation P is shown in Figure 5.3. The following interpolants were obtained: ITPM (P) =
a1 ∧ a2 , ITPS (P) = a1 ∧ a2 , and ¬ITP0M (P) = a1 ∨ a2 . Figure 5.7 shows the same refutation
with the symbol LP (v, l ) above each literal. The resulting interpolant ITPP (P) = ¬a2 is weaker
than ITPM (P) and stronger than ¬ITP0M (P).

In the above example, consider the variable a1 . For the resolution on a1 that results in
clause a2 , the root clauses contributing the variable a1 belong to only B. For the remaining
resolution on a1 , the root clauses that have contributed the variable a1 belong to only A. Thus,
variable a1 is peripheral with respect to A and B in the (A, B)-refutation shown in Figure 5.7.
The variable a2 is not peripheral, as it is contributed by the clauses belonging to A and B for
the only resolution on a2 . The variable a1 which is not central to the proof does not appear in
the interpolant ITPP (P), whereas a2 which is not peripheral does appear in ITPP (P).
In Example 5.5, ITPS (P) → ITPP (P). In general, the interpolants obtained from ITPS may
not be stronger than ITPP . The following example illustrates this.

Example Let A be the formula ¬r0 ∧ (r0 ∨ p0 ) ∧ (¬p0 ∨ q0 ) and B be the formula p0 ∧ (¬p0 ∨
q0 ). An (A, B)-refutation proof P is shown in Figure 5.9. The following interpolants are
obtained: ITPM (P) = p0 ∧ q0 , ITPP (P) = q0 , ITPS (P) = p0 ∨ q0 , and ¬ITP0M (P) = p0 ∨ q0 .
The interpolant ITPM (P) is stronger than ITPP (P) and ITPP (P) is stronger than ITPS (P).

5.6 Conclusion

In this chapter, we have shown the effect of peripheral vacuity on interpolation using the pa-
rameterised interpolation system presented in [52] and in the process, have proposed a new
interpolation system that is able to generate interpolants weaker than McMillan’s interpolation
system.
One important question that still needs to be answered is when and how to strengthen
the interpolants leading to performance improvements in model checking. The generalised
interpolation system can be viewed as constituting a dial for tuning interpolant strength. The
next step is to empirically determine which settings to use for obtaining good performance in
practice.
We envisage an interpolation-based model checker that exploits vacuity resulting in coarser
approximations. If a variable in a formula is vacuous in a design, changing the value of the
variable arbitrarily does not cause the formula to be unsatisfied in the system. This facilitates
computation of weaker approximations.
92 C HAPTER 5. VACUITY AND I NTERPOLATION

5.7 Bibliographic Notes

The trade-off between vacuity and abstraction has been observed in [58]. Samer et al. [99]
focus on the notion of vacuity grounds as the main principle in vacuity detection. Vacuity
grounds are explanations of why a system satisfies a given property. Given a system M and a
property φ , a vacuity ground is formula φground such that

M |= φ and φground |= φ .

Thus, vacuity ground can be viewed as a form of interpolants between M and φ . For a detailed
discussion on computation of vacuity grounds, please see [99].

Interpolation Craig proved the interpolation theorem for first order logic in 1957 [46]. For
a survey of the multitudinous applications and consequences of this theorem in mathematical
logic, see [84]. Though the theorem has been known for a while, the study of interpolation
algorithms is relatively recent. The first such algorithm is implicitly present in Maehara’s con-
structive proof [83] of Craig’s theorem. Maehara constructs interpolants from sequent calculus
proofs and his algorithm does not apply to resolution proofs.
Interpolation algorithms for resolution proofs have been discovered several times. The first
algorithm we are aware of is due to Huang [71], who constructs interpolants in a theorem prover
that uses resolution, paramodulation and factoring [71]. Krajı́ček observed that lower bounds
on interpolation algorithms for propositional proof systems have implications for separating
certain complexity classes [76]. He constructs interpolants from semantic derivations; the latter
being an inference system that subsumes resolution and the propositional sequent calculus.
Pudlák [94] studies a similar problem and constructs a circuit representing the interpolant.
Though the presentations in these papers differ, the interpolation systems are the same. This
can be seen from the exposition of Krajı́ček’s and Pudlák’s methods by Buss [24].
McMillan proposed an interpolation algorithm for resolution refutations and applied it to
obtain a purely SAT-based finite-state model checker [87]. It is shown in [52] that McMillan’s
algorithm is different from and produces stronger interpolants than the existing algorithm.
Interpolant-based model checking has been extended to infinite-state systems [74] and other
logical theories [88, 110]. The impact of interpolant strength on the performance of a model
checker was first highlighted by Jhala and McMillan [74] who proposed two proof transfor-
mations to strengthen interpolants. An analysis of these transformations can be found in [52]
which shows one of them to be redundant.
The labelled interpolation systems proposed in [52] are strictly more general than existing
interpolation systems for resolution. Though much work in interpolant-based model check-
ing uses McMillan’s interpolation system from [87], Yorsh and Musuvathi [110] based their
interpolating decision procedure on Pudlák’s system and gave an elaborate proof of Pudlák’s
system [110].
In [7], proof transformations have been applied to reduce the size of unsatisfiable cores.
These modifications may result in vertices being eliminated from a proof. Understanding the
effect of such transformations on interpolant strength is an open problem.
 Relating Vacuity and Coverage
6
In order to increase the efficacy of model checking as a verification approach, it is essential to
assess the quality of the model and the given properties. Quality of a model and its properties
can be assessed using coverage analysis and vacuity detection, discussed in Chapter 3 and
Chapter 4, respectively.
Most results on coverage analysis in model checking involve mutating a system and check-
ing whether the mutation affects the model checking result. Numerous mutations have been
suggested so far in literature (e.g. [70, 31, 32, 30, 81, 35] and others). A commonly used
mutation is to flip the value of a variable in a state in a system [70]. In [31], Chockler et al.
suggest two different notions of coverage which are well-suited for coverage analysis of LTL
properties. These notions are called node coverage and tree coverage depending on whether a
variable in a state is mutated just once or sometimes, respectively in the infinite tree obtained
by unrolling the transition relation of the system.
Many notions (e.g. [79, 15, 3] and others) have been investigated to formulate vacuity as
trivial satisfaction of a property. All these notions have in common that the satisfaction of the
property is invariant under syntactic [15] or semantic perturbations [3]. The syntactic muta-
tions are mutations to the formula and semantic mutations are mutations to the model. The
former notion suggests mutating a subformula (subformula vacuity) or an occurrence of a sub-
formula (occurrence vacuity). In the former case, satisfaction of the property is invariant under
subformula mutations, whereas in the later case, the satisfaction is invariant under mutations
to an occurrence of a subformula. In vacuity detection through semantic perturbation, the truth
value of a subformula in a given model is mutated arbitrarily.
We observe that semantic perturbations for vacuity detection are similar to perturbations for
coverage analysis: the model is mutated in both of them. This chapter formally relates these
notions of vacuity to notions of coverage and establishes a relation between them. In particular,
vacuity is a stronger notion than coverage. Presence of vacuity in a property results in lower
coverage compared to its non-vacuous counterpart. Thus, in order to get higher coverage, it
is essential to remove vacuity in the property either by fixing the system or by improving the
property. This suggests that coverage analysis and vacuity detection should be intertwined in

93
94 C HAPTER 6. R ELATING VACUITY AND C OVERAGE

the verification flow.

This chapter is organised as follows. Section 6.2 describes vacuity detection by semantic
mutations. Section 6.3 describes node coverage, tree coverage, and structure coverage. Sec-
tion 6.4 relates the notions of vacuity and coverage. Section 6.5 concludes the chapter.

6.1 Preliminaries

Refer Section 2.2.2 for basics of linear temporal logic (LTL). Kripke structures are discussed
in Section 2.1.1. An introduction to vacuity detection appears in Section 2.5. The difference
between subformula vacuity and occurrence vacuity is discussed in Section 2.5.3. The basics
of coverage analysis appear in Section 2.6.

6.2 Vacuity Detection by Semantic Perturbation

Most of the techniques for vacuity detection proposed in the literature detect vacuity with
respect to a subformula occurrence or with respect subformulas of pure polarity. These tech-
niques fail to detect vacuity when a subformula is of mixed polarity, i.e., some of its occur-
rences are of positive polarity and some are of negative polarity. We now discuss techniques
advocated in [31] that detect vacuity of a formula with respect to its subformulas of mixed
polarity.
Following Definition 2.5.1, a subformula ψ of φ does not affect φ in M if M |= ∀ξ .φ [ψ ←
ξ ]. Hence, a subformula ψ affects satisfiability of a formula φ in a model M if ψ, when mutated
changes the truth value of φ in M. This kind of mutation is called syntactic mutation. Another
vacuity notion is to consider semantic perturbation, in which the truth value of the subformula
ψ is mutated arbitrarily in M (not in φ !). The arbitrary semantic perturbation is modeled by
a universal quantifier. The universal quantification gives rise to two notions of vacuity based
on whether the quantification is interpreted with respect to a system (structure semantics) or
with respect to the set of its computations (trace semantics). Semantic perturbation can be
formalized using Universally Quantified LTL, abbreviated as UQLTL, which we discuss below.

UQLTL UQLTL is LTL augmented with universal quantification over propositional vari-
ables. If φ is an LTL formula over AP ∪ X where X is a set of propositional variables, ∀X.φ is a
UQLTL formula. A simple example of a formula in UQLTL is ∀x.GF x. Note that GF ∀x.(x∨ p)
is not in UQLTL. A closed formula is the one in which all its propositional variables are quan-
tified, i.e., no propositional variable is free.
The two different interpretations of the universal quantifier give rise to structure semantics
and trace semantics of UQLTL. In structure semantics, a propositional variable is bound to a set
of states in the model. In trace semantics, a propositional variable is bound to a set of locations
on the trace.
Let K be a Kripke structure (S, T, S0 , AP, L). Let q[i] denote the ith state in a sequence q of
states. Let s0 denote an initial state, i.e., s0 ∈ S0 . As a reminder, a computation trace π in K is
a sequence of states such that π[i] ∈ S, π[0] ∈ S0 , and ∀i.(π[i], π[i + 1]) ∈ T . Let Γ(K) denote
the set of computations in K. Let X be a set of propositional variables. Let σ : X → 2S be a
structure assignment mapping every x ∈ X to a set of states in S. We say K |=s φ if φ is satisfies
by K according to structure semantics. The relation |=s is defined below.

Definition 6.2.1 [31] The relation |=s is defined inductively as follows:

6.2. VACUITY D ETECTION BY S EMANTIC P ERTURBATION 95

• K, π, i, σ |=s x iff π[i] ∈ σ (x) where π[i] is the ith state along π.

• K, π, i, σ |=s ∀x.φ iff K, π, i, σ [x ← S0 ] |=s φ for every S0 ⊆ S.

• K, π, i, σ |=s φ is defined as in LTL for other LTL formulas.

Let α : X → 2N be a trace assignment mapping every propositional variable x ∈ X to a set of

points on a path. We say K |=t φ if φ is satisfies by K according to trace semantics. The relation
|=t is defined below.

Definition 6.2.2 [31] The relation |=t is defined inductively as follows:

• K, π, i, α |=t x iff i ∈ α(x).

• K, π, i, α |=t ∀x.φ iff K, π, i, α[x ← N 0 ] |=t φ for every N 0 ⊆ N.

• K, π, i, α |=t φ is defined as in LTL for other LTL formulas.

A closed UQLTL formula, i.e., a formula with no free propositional variables is said to be
structure satisfied at point i of π ∈ Γ(K), denoted as K, π, i |=s φ , iff K, π, i, σ |=s φ for some σ .
A closed UQLTL formula φ is structure satisfied in K, denoted as K |=s φ iff K, π, 0 |=s φ for
every trace π ∈ Γ(K). Trace satisfaction denoted by |=t is defined similarly. Trace satisfaction
is stronger than structure satisfaction, i.e., K |=t φ implies K |=s φ . For a proof, please see [31].
Next, we give a simple example to illustrate structure and trace semantics. Consider a
Kripke structure K1 with a state s such that s ∈ S0 , (s, s) ∈ T and L(s) = r. Figure 6.1 depicts
K1 . Let the property φ1 be G r ∨ G ¬r. Observe that K1 |= φ1 .

s
r

Figure 6.1: An example model K1 for vacuity and coverage analysis

Example Consider the Kripke structure K1 depicted in Figure 6.1 and a UQLTL formula φ2 =
∀x.(G x ∨ G ¬x). Let us find out if K1 |=s φ2 .
We check if K1 , π, 0 |=s φ2 for all π ∈ Γ(K1 ). For the single computation trace in K1 ,
we have s[i] = s for all i. Let πonly denote this trace. Since there is only one state in K1 ,
S0 ∈ {{s}, {}}. Thus, there are two possibilities: σ (x) = {s} or σ (x) = {}. In the first case,
the state s ∈ σ (x). Thus, K1 , πonly , 0, σ [x ← {s}] |=s G x and hence, K1 , πonly , 0, σ [x ← {s}] |=s
G x ∨ G ¬x. In the second case, s 6∈ σ (x). Thus, K1 , πonly , 0, σ [x ← {}] |=s G ¬x and hence,
K1 , πonly , 0, σ [x ← {}] |=s G x ∨ G ¬x. Thus, K1 |=s φ2 .

Example Consider the Kripke structure K1 depicted in Figure 6.1 and a UQLTL formula φ2 =
∀x.(G x ∨ G ¬x). Let us find out if K1 |=t φ2 .
We check if K1 , π, 0 |=t φ2 for all π ∈ Γ(K1 ). The model K1 has a single trace πonly . Con-
sider a subset N 0 = {0}, i.e., a trace assignment α such that α(r) = {0}. For this assignment
K1 , π, 0, α[x ← {0}] 6|=t φ2 , which implies K1 6|=t φ2 .
96 C HAPTER 6. R ELATING VACUITY AND C OVERAGE

For defining vacuity using these semantics, a notion of does not affect is needed as was
needed for syntactic vacuity, i.e., subformula vacuity.

Definition 6.2.3 [31] Let φ be a formula and M be a model such that M |= φ . Let ψ be a
subformula of φ .

• The subformula ψ of φ does not affect φ in M according to formula vacuity, written as

ψ does not f-affect φ in M, iff for every LTL formula ξ , M |= φ [ψ ← ξ ].

• The subformula ψ of φ does not affect φ in M according to structure semantics, written

as φ does not s-affect φ in M, iff M |=s ∀x.φ [ψ ← x].

• The subformula ψ of φ does not affect φ in M according to trace semantics, written as

ψ does not t-affect φ in M, iff M |=t ∀x.φ [ψ ← x].

Note that if a subformula ψ does not t-affect φ in M, ψ does not f-affect φ in M. Also, if ψ
does not f-affect φ in M, ψ does not s-affect φ in M.
From Example 6.2 and Example 6.2, we see that the subformula r affectst φ1 = G r ∨G ¬r in
K1 as K1 6|=t ∀x.(G x ∨G ¬x) and does not s-affect φ1 in K1 as K1 |=s ∀x.(G x ∨G ¬x). Also, note
that the subformula r does not f-affect φ1 in K1 . We now define vacuity using Definition 6.2.3.

Definition 6.2.4 (Vacuity) A formula φ is said to be formula vacuous, structure vacuous, or

trace vacuous in M with respect its subformula ψ, if ψ does not f-affect φ in M, does not
s-affect φ in M, or does not t-affect φ in M, respectively.

A formula is considered vacuous in a system if it vacuous with respect to at least one of its
subformula. Following this, a formula is non-vacuous in M if it is vacuous with respect to none
of its subformulas.
From Example 6.2 and Example 6.2, we see that the formula φ1 is not trace vacuous in K1 ,
but is structure vacuous in K1 with respect to subformula r. Also, the formula φ1 is formula
vacuous in K1 with respect to subformula r.
Structure vacuity is the weakest and trace vacuity is the strongest. Trace vacuity implies
formula vacuity, which in turn implies structure vacuity. The following lemma states this.

Lemma 6.2.5 If ψ does not t-affect φ in M, ψ does not f-affect φ in M. If ψ does not f-affect
φ in M, ψ does not s-affect φ in M.

It is argued in [31] that trace vacuity is the preferred notion of vacuity, primarily because it
is the only notion for which an efficient decision procedure is known to exist. It has other
advantages like independence from the specification language and insensitivity to changes in
the design.
In Example 6.2 and Example 6.2 described before, the subformula r of φ1 is of mixed
polarity and hence, replacement by ⊥ is not adequate for vacuity detection. If subformulas are
restricted to pure polarity, all the three definitions of vacuity, i.e., formula vacuity, structure
vacuity, and trace vacuity coincide. In this case, replacement of a subformula by ⊥ is adequate
for vacuity detection.
In the next section, we explain three notions of coverage which are similar to the above
mentioned notions of vacuity based on semantic perturbations.
6.3. N OTIONS OF C OVERAGE 97

6.3 Notions of Coverage

Various notions of coverage have been discussed in Section 2.6 and Section 3.6. In this section,
we mainly discuss notions of coverage for properties described in LTL and for systems modeled
as Kripke structures. Recall from Section 2.6 that a dual Kripke structure Mqs is obtained by
flipping the value of the observable signal q in the state s of model M to check if the value of q
in state s is crucial for property satisfaction, i.e., if s is covered with respect to q in M. However,
when the model M is unwound to an infinite tree M , the state s may correspond to many nodes
in M . The value of q in all the nodes corresponding to s in M may not be crucial for property
satisfaction. This gives rise to new notions of coverage. The definitions of coverage that we
see in this section, check if the value of q in a single, some, or all nodes corresponding to s is
crucial for the satisfaction of the property. We now see a formal treatment of these notions.
A Kripke structure can be unwound into an infinite computation tree as follows [31]: For
a finite set γ, a γ-tree T is a set T ⊆ γ ∗ such that if x.v ∈ T where x ∈ γ ∗ and v ∈ γ, then
also x ∈ T . The elements of T are called nodes and the empty word ε is called the root of
T . Each node of T has a direction in γ. The direction of a node x.v is v. The direction of a
node x is denoted as dir(x). The direction of the root node is a member of γ. A node x such
that dir(x) = v is called a v-node. The tree K obtained by unwinding K is the 2AP -labeled
S-tree hT K ,V K i, where ε ∈ T K and dir(ε) ∈ s0 where s0 ∈ S0 , for all x ∈ T K and s ∈ S with
T (dir(x), s), we have x.s ∈ T K , and for all x ∈ T K , we have V K (x) = L(dir(x)).
We now define the dual function used for flipping the value of an observable signal q in a
set of nodes. For a domain Y , a function V : Y → 2AP , an observable signal q ∈ AP, and a set
0 : Y → 2AP is such that
X ⊆ Y , the dual function VX,q

 V (x) : if x 6∈ X
0
VX,q (x) = V (x)\{q} : if x ∈ X and q ∈ V (x)
V (x) ∪ {q} : if x ∈ X and q 6∈ V (x)


0 be a Kripke
For a Kripke structure K, an observable signal q ∈ AP and a state s ∈ S, let Ks,q
0
structure with a new labeling function Ls,q such that

 L(s1 ) : if s1 6= s
0
Ls,q (s1 ) = L(s1 )\{q} : if s1 = s and q ∈ L(s1 )
L(s1 ) ∪ {q} : if s1 = s and q 6∈ L(s1 )


0 is the structure obtained from K by flipping the value of q in s. For

Thus, the new structure Ks,q
0 = hT K ,V 0 K i the tree obtained by flipping the value of q in all the
X ∈ T K , we denote by KX,q X,q
nodes in X.

Definition 6.3.1 [31] Consider a Kripke structure K, a formula φ such that M |= φ , and an
observable signal q ∈ AP.

0 does not satisfy φ .

• A state s of K is structure q-covered by φ iff the structure Ks,q
0
• A state s of K is node q-covered by φ iff there is a s-node x in T K such that K{x},q does
not satisfy φ .
0
• A state s of K is tree q-covered by φ iff there is a set X of s-nodes in T K such that KX,q
does not satisfy φ .
98 C HAPTER 6. R ELATING VACUITY AND C OVERAGE

It is easy to see that if a state is structure q-covered or node q-covered, it is tree q-covered as
well. If a state is node q-covered, it may not be structure q-covered and vice versa. We now
present two examples to illustrate these notions.

Example Consider the Kripke structure K1 depicted in Figure 6.1. Let the property be φ1 =
G r ∨ G ¬r. Let us check if the state s in K1 is structure, node and tree r-covered by φ1 .
We change K1 such that the new label of s, i.e., Ls,r 0 (s) = L(s)\r. In the new structure, φ
1
continues to pass as the state s in the new structure satisfies G ¬r. Hence, the state s in K1 is not
structure r-covered by φ1 . Now, we check if the state s in K1 is node r-covered by φ1 . At any
s-node in T K1 , flipping the value of r causes both G r or G ¬r to be falsified. Hence, the state s
in K1 is node r-covered and hence, tree r-covered by φ1 . Observe that s is node r-covered but
not structure r-covered in K1 by φ1 .

Example Consider again the same Kripke structure K1 depicted in Figure 6.1 and a new prop-
erty φ3 = F r. Let us check if the state s in M is structure, node, and tree r-covered φ3 .
Flipping the value of r at s in K1 , does not satisfy φ3 . Hence, the state s is structure r-
covered as well as tree r-covered by φ3 . For node coverage, the value of r in a single s-node is
flipped. There is no single s-node in K1 such that flipping the value of r at that node falsifies
φ3 . Hence, the state s is not node r-covered by φ3 . Observe that s is structure r-covered but not
node r-covered by φ3 in K1 .

The above mentioned notions of coverage and vacuity are very similar. All the notions
involve perturbing the model. The next section establishes a relationship between these notions
of vacuity and coverage.

6.4 Relating Vacuity and Coverage

The notions of both, coverage and vacuity, defined in the previous sections, mutate the model
to check if the mutation affects the model checking outcome. We now show that the mutations
suggested for vacuity detection are stronger than the mutations suggested for coverage analysis.
Consider the Kripke structure K1 in Figure 6.1 and the formula φ1 = G r ∨ G ¬r. The
subformula r of φ1 is structure vacuous in K1 and no state in K1 structure r-covered by φ1 . The
following theorem states that structure vacuity is stronger than structure coverage.

Theorem 6.4.1 If a propositional variable p in a formula φ does not s-affect φ in M, no state

in M is structure p-covered by φ .

Proof Assume that p does not s-affect φ in M. If a propositional variable p does not s-affect
φ in M, M |=s ∀x.φ [p ← x], i.e., ∀σ .M, π, 0, σ |=s ∀x.φ [p ← x] for all π ∈ Γ(M). Let P be a set
of states such that for each state s in S the following holds:

s ∈ P ↔ p ∈ L(s).

Therefore, for every state si ∈ S, there is a σi such that

• σi (x) = P \si if p ∈ L(si )

• σi (x) = P ∪ si iff p 6∈ L(si ), and

6.4. R ELATING VACUITY AND C OVERAGE 99

• M, π, 0, σi |=s ∀x.φ [p ← x] for all π ∈ Γ(M).

For determining if a state si is structure p-covered, we create Ms0i ,p with a new labeling
function Ls0i ,p such that

• Ls0i ,p (s j ) = L(s j ) if s j 6= si ,
• Ls0i ,p (s j ) = L(s j )\p if p ∈ L(s j ), si = s j , and
• Ls0i ,p (s j ) = L(s j ) ∪ p if p 6∈ Ls0i ,p (s j ), si = s j .

Observe that si ∈ σi (x) ↔ p ∈ Ls0i ,p (si ) and for s j 6= si , s j ∈ σi (x) ↔ p ∈ Ls0i ,p (s j ). Thus, for
each state s, it holds that
s ∈ σi (x) ↔ p ∈ Ls0i ,p (s). (6.1)

For every si , we know that M, π, 0, σi [x ← S0 ] |= φ [p ← x] for all π ∈ Γ(M). From 6.1, we

know that ∀si .Ms0i ,p |= φ . Hence, no state si is structure q-covered.

However, the reverse implication does not hold: Given a model M and a propositional variable
p in a formula φ , if no state in M is structure p-covered by φ , p in φ may s-affect φ . We show
this with an example.

s1 s2
r, ¬g r, g

Figure 6.2: Model K2 for vacuity and coverage analysis

Example Consider the model K2 illustrated in Figure 6.2 and a formula φ3 = F r such that
K2 |= φ3 .
We first check if the state s1 is structure r-covered in K2 with respect to φ3 . The new
0
labeling function for K2r,s 0
is Lr,s 0 (s ) = {¬g} and L 0 (s ) = {r, g}. Observe
such that Lr,s
1 1 1 1 r,s1 2
0
that K2r,s1 |= φ3 . For checking structure r-coverage of the state s2 , the new labeling function
0
for K2r,s 0 such that L 0 (s ) = {g} and L 0 (s ) = {r, ¬g}. The property φ is satisfied
is Lr,s
2 2 r,s2 2 r,s2 1 3
0
by K2r,s as well. Hence, no state in K is structure r-covered by φ .
2
2 3

For detecting structure vacuity of φ3 in K2 with respect to r, we check if K2 |=s ∀x.φ3 [r ← x].
We check if K2 , π, 0 |=s φ3 for all π ∈ Γ(K2 ). For σ (x) = {}, K2 , π, 0, σ [x ← {}] 6|=s F x. Thus,
φ3 is not structure vacuous with respect to r in K2 . Note that there is a single occurrence of r
in F r. Hence, for detecting structure vacuity, we can also replace r in φ3 by false and check if
K2 |= F false. The formula φ3 is not structure vacuous with respect to r in K2 as K2 6|= F false.

Also, note that in Example 6.4, F r is neither trace vacuous nor formula vacuous. Hence,
no state in K2 being structure r-covered by φ3 with variable r as its subformula does not imply
formula vacuity or trace vacuity of φ3 with respect to r. We now establish the relationship
between trace vacuity and tree coverage. We begin with an example.

Example Consider the Kripke structure K1 in Figure 6.1 and the formula φ4 = G(r ∨ ¬r). It is
easy to see that as φ4 is a tautology, the subformula r of φ4 is formula vacuous, trace vacuous,
and structure vacuous in K1 . No state in K1 is tree r-covered by φ4 .
100 C HAPTER 6. R ELATING VACUITY AND C OVERAGE

In the above example, the subformula r of φ4 is trace vacuous in M and no state in M is tree
r-covered by φ4 . The following theorem states that trace vacuity is stronger than tree coverage.

Theorem 6.4.2 If a propositional variable p in a formula φ does not t-affect φ in K, no state

in K is tree p-covered by φ .

Proof Assume that a propositional variable p does not t-affect φ in K and a state s in K is tree
p-covered.
As per our assumption K |=t ∀x.φ [p ← x]. Thus, ∀α.K, α |=t φ [φ ← x] for every trace
π ∈ T K.
0
Consider a set X of s-nodes in hT K ,V K i. Since s in K is tree p-covered by φ , the tree KX,p
K 0 K
= hT ,V X,p i obtained by flipping the value of p in every node in X does not satisfy φ . There
0 that violates φ .
is at least one path in KX,p
For a path π that violates φ , we build an α such that i ∈ α(x) iff

• π[i] ∈ X ∧ p 6∈ V K (π[i]) or

• π[i] 6∈ X ∧ p ∈ V K (π[i]).

It holds that
0K
i ∈ α(x) ↔ p ∈ VX,p (π[i]).

This implies that path the π in KX,p0 falsifies φ [p ← x]. This violates our assumption that
K |=t ∀x.φ [p ← x]. Thus, no state in K is tree p-covered by φ .

However, the reverse implication does not hold: Given a model M and a propositional
variable p in a formula φ , if no state in M is tree p-covered by φ , p in φ may t-affect φ . We
show this with an example.

Example Consider the model K2 illustrated in Figure 6.2 and a formula φ3 = F r such that
K2 |= φ4 .
We first check if the state s1 is tree r-covered in K2 with respect to φ3 . Flipping the value
of r in any set of s1 -nodes does not falsify φ3 in K2 . Similarly, flipping the value of r in any
s2 -nodes does not falsify φ3 in K2 . Thus, no state in K2 is tree r-covered by φ3 .
For detecting trace vacuity of φ3 in K2 with respect to r, we check if K2 |=t ∀x.φ3 [r ← x]. We
check if K2 , π, 0 |=t ∀x.φ3 [r ← x] for all π ∈ Γ(K2 ). For α(x) = {}, K2 , π, 0, α[x ← {}] 6|=t F r.
Hence, φ3 is not trace vacuous with respect to r in K2 .

The following figure pictorially shows the relationship between the three vacuity and coverage
notions.
 6.5. C ONCLUSION 101

trace r vacuous formula r structure r vacuous

vacuous
No state tree r-covered No state structure r-covered

No state node r-covered

Figure 6.3: Vacuity and coverage relations for a model and a formula φ with a variable r as an
atomic subformula

If no state in M is tree r-covered by φ , r may still f-affect φ in M. In Example 6.4, though no

state in K2 is tree r-covered by φ3 , φ3 is not formula vacuous in K2 with respect to r. Similarly,
if no state in M is tree r-covered by φ , r may still s-affect φ in M. In Example 6.4, no state
in K2 is tree r-covered by φ3 . For σ (x) = {}, K2 6|=s ∀x.φ [r ← x]. Hence, φ is not structure
vacuous in K2 with respect to r.

6.5 Conclusion

In temporal logic model checking, vacuity refers to invariance of satisfaction under mutations
to the formula and coverage refers to invariance of satisfaction under mutations to the model.
Vacuity can also be defined as invariance of satisfaction under mutations to the model using
UQLTL. This enabled us to easily relate vacuity and coverage.
In this chapter, we discussed semantic notions of vacuity and notions of coverage. We
established a relation between vacuity and coverage proving that vacuity is stronger than cov-
erage. This implies that vacuity detection must precede coverage analysis resulting in higher
coverage with less work. We envisage a verification flow in which vacuity and coverage are in-
tertwined. Any newly added property to improve coverage must be checked for vacuity before
coverage analysis is performed again.

6.6 Bibliographic Notes

A formal connection between vacuity and coverage when a model and its property are given
as circuits is established in [78]. As the property and the model use the same representation,
the mutations to the property in vacuity detection and the mutations to the model in coverage
analysis can be related. This makes it easy to relate vacuity and coverage. Vacuity and coverage
are dual notions in the sense that vacuity information can be obtained through coverage and
vice versa. For a mutation to a formula, there exists a dual mutation to the model such that
if the mutation is covered, the formula is not vacuous. If the dual mutation is not covered,
the formula is vacuous. Similarly, for a mutation to the model, there exists a dual mutation to
the formula such that corresponding vacuity results imply coverage results. For example, the
mutation that always flips a signal r in a model is dual to the mutation that flips r everywhere
in the property.
In practice, it is often not the case that the model and the property use the same represen-
tation. The property is generally described in a temporal logic and the model is a circuit. In
102 C HAPTER 6. R ELATING VACUITY AND C OVERAGE

this setting, some simple mutations like stuck-at-zero, stuck-at-one, flipping always have dual
mutations. However, for more complex mutations like flipping sometimes, flipping a signal in
a circuit that does not appear in the property, a dual mutation does not exist.
 7
Epilogue

This chapter concludes the dissertation. We briefly revisit the problems addressed in this dis-
sertation and summarise our contributions and findings in Section 7.1. We present directions
for future work in Section 7.2.

7.1 Contributions

Model checking is a powerful technique for verification of hardware and software systems.
Due to the shortcomings of model checking, discussed at length in Chapter 1, confidence in
the outcome of model checking could be low. In order to increase the verification engineer’s
confidence, it is necessary to assess if a property is satisfied for the right reasons and, if a
property suite is exhaustive. Coverage analysis and vacuity detection are two essential steps
in any verification flow. Coverage analysis checks if there are parts of the model that are not
covered by the property suite. Vacuity detection checks if any property is trivially satisfied
by the model. These analyses enable design engineers to fix the design or its environment
and, verification engineers to fix the existing properties and write new properties that increase
coverage of the design.
Interpolant-based model checking is a state-of-the-art technique for model checking. It
uses interpolants as over-approximate image operators. The performance of an interpolant-
based model checker depends on the approximate images obtained. As discussed in Chapter 5,
procedures to compute interpolants of different strengths are required.
This dissertation takes a step towards fast vacuity detection and coverage analysis. It also
makes advances in the direction of computing multiple interpolants of varying strength from a
single resolution proof; one of the interpolation systems proposed exploits vacuity information
resulting in a weaker interpolant. We now summarise our contributions.
Coverage is a means to quantify the quality of a system specification, and is frequently
applied to assess progress in system validation. Computing coverage in a naive way is pro-
hibitively expensive. Chapter 3 presents an efficient algorithm for identifying parts of a system

103
104 C HAPTER 7. E PILOGUE

that are covered by a given property. The algorithm is integrated into an interpolant-based
model checker. The key insight of the algorithm is to re-use previously computed inductive
invariants and counterexamples. This re-use permits a quick conclusion of the vast majority of
tests, and enables computation of a coverage measure with 96% accuracy with only 5 times the
run time of the model checker.
Chapter 4 presents algorithms for detecting vacuous properties. The algorithms compute a
maximal, all maximal, and even a maximum set of atomic subformula occurrences that can be
strengthened without compromising satisfaction. The algorithms return more succinct, stronger
and, hence, generally more valuable properties. The set of subformula occurrences in a prop-
erty form a lattice partially ordered by set inclusion. A binary lattice search technique over the
lattice of subformulas (or the corresponding strengthened properties) is proposed. Counterex-
amples generated by a failing model checking run are exploited to further improve the search.
Evaluation of the algorithms on an extensive set of Verilog benchmarks exposes vacuity of
nearly half of the properties.
Interpolant-based model checking is an approximate method for computing invariants of
transition systems. The performance of an interpolant-based model checker is contingent on
the approximations computed, which in turn depends on the logical strength of the interpolants.
A good approximation is coarse enough to enable rapid convergence, but strong enough to be
contained within the weakest inductive invariant.
Chapter 5 presents an interpolation system that exploits vacuity to generate an interpolant
from a resolution proof. Since vacuous properties describe more behaviors than the behaviors
present in the system, presence of vacuity effects weaker approximations, i.e., interpolants.
Resolution proofs of unsatisfiability obtained in a model checking run can be analysed to detect
vacuity. Using this vacuity information, an interpolation system is proposed that results in
interpolants weaker than the ones computed by McMillan’s interpolation system [87].
Chapter 6 discusses various notions of vacuity and coverage previously proposed in the
literature. It is proved that vacuity is a stronger notion than coverage. Semantic notions of
vacuity are similar to notions of coverage. If a formula is structure (trace) vacuous with respect
to one of its atomic propositions, no state is structure (tree) covered with respect to that atomic
proposition. Hence, a vacuous property should be fixed to eliminate vacuity before a cover-
age check is performed for that property. We emphasize that in any verification flow, vacuity
detection must precede coverage analysis resulting in improved coverage.

7.2 Future Work

This section gives directions for future research based on the contributions of this dissertation.

7.2.1 Enhanced Vacuity Detection

In Chapter 4, we have addressed the problem of generating stronger properties in order to

expose vacuous satisfaction of properties. We have proposed new lattice search algorithms to
find property strengthenings in a lattice of mutated properties. The elements of the lattice are
mutated properties obtained by replacing a subformula occurrence in the original property by
true or false depending on the polarity of the occurrence. However, this may not be always
enough to expose vacuity of all properties. We give an example to illustrate this.

Example Consider a Kripke structure K1 with a single state s such that s ∈ S0 , (s, s) ∈ T and
7.2. F UTURE W ORK 105

s1 s2 s1 s2
r, g r, ¬g r, g ¬g

(a) Correct M (b) Wrong M 0

Figure 7.1: Example models for Error Analysis

L(s) = r. Figure 6.1 depicts K1 . Consider a property φ = F r. Observe that K1 |= φ . The lattice
of properties constructed in Chapter 4, contains only two elements, namely, φ and G false. The
strongest lattice element satisfied by K1 is φ itself. However, a stronger formula φstng = G r
is also satisfied by K1 . The formula φstng indicates that r holds everywhere in K1 as against
eventual satisfaction of r indicated by φ .

The proposed lattice of properties can be extended to include strengthenings of temporal

operators in the properties, e.g., changing F to G. Moreover, mutations that change the Boolean
structure of the formula can also be useful. For example, G(a ∨ b) can be strengthened to
G(a ∧ b). However, we remark that adding new mutations increases the size of the lattice and
not all mutations may be necessary to expose trivial satisfaction of properties. We envisage
a user-guided version of our algorithm in which the user decides which mutations to use to
generate the lattice of mutated properties.

7.2.2 Use of Coverage Information in Error Explanation

Error explanation provides information as to the cause of an error and includes fault localization
by indicating likely problem areas in the source code or specification [64].
We observe that error explanation is related to coverage analysis. In coverage analysis, we
mutate a design and check if the property is satisfied by the mutated design. If the mutated
design satisfies the property, the mutated part of the design is not covered. If the mutated
design falsifies the property, the mutated part is covered by the property. The analogy to error
analysis is that an error can be looked upon as a mutation of some part of the correct design. A
property that covers this part provides a natural explanation of the error. The following example
illustrates the idea.

Example Consider the correct model M and its wrong version M 0 illustrated in figures 7.1(a)
and 7.1(b), respectively. Consider two properties φ1 = F r and φ2 = G(r → X r). Both the
properties are satisfied by M. The first property φ1 is satisfied by M 0 . However, the second
property φ2 is falsified by M 0 . The error in M 0 , i.e., r = false in state s2 can be modeled as an
atomic mutation, in particular flipping, of the observable signal r at state s2 . The state s2 is
r-covered by φ2 , but not by φ1 . The property φ1 does not explain the error, but the property φ2
does.

The above example suggests that coverage information can be successfully employed to
explain and localize an error. We briefly sketch the algorithm. First, the set of properties Ψ that
fail in the wrong model are identified. The small atomic mutations covered by the properties
in Ψ are possible candidates that explain and localize the error.
106 C HAPTER 7. E PILOGUE

7.2.3 Mutation-based Test Case Generation

Model-based testing is an application of model-based design1 for deriving test cases from a
model of the design, which promises better scalability, and is applied before the implementation
phase. In the context of model-based testing, the question of suitable coverage metrics has to be
reconsidered: traditional metrics such as location or branch coverage are no longer meaningful,
since the test cases are not derived from implementation source code.
In mutation testing, the quality of the test suite is assessed by injecting mutations into
the model and by measuring what percentage of these modifications can be detected while
exercising the test cases. A modification is detected if the modified and the original model
generate different output signals. Consider a model M and its mutation M 0 . The following
formula checks if the two models generate different outputs up to a bound k.
k k−1
si .i = s0i .i ∧ S0 (s0 ) ∧
^ ^
T (si , si+1 ) ∧
i=0 i=0
| {z } | {z }
equality of all inputs first model
(7.1)
k−1 k
S00 (s00 ) ∧ 0
(s0i , s0i+1 ) ∧ 6 s0i .o
^ _
T si .o =
i=0 i=0
| {z } | {z }
second model inequality of an output

If Formula 7.1 is satisfiable, the modification is detected and the satisfying assignment is a test
vector. The resulting test vector can be used to check if the model satisfies requirements or can
be applied to an implementation of the design.

Use of C OVERAGE C HECKS

In traditional mutation-based testing, the difficulty to identify mutations without observable

effect on the system outputs is known to be one of the main obstacles. We see that some of the
tests proposed in C OVERAGE C HECKS in Section 3.3 can be applied to identify unobservable
mutations.
Consider a system M and a mutated system Mo in which all the mutations are introduced,
but are disabled. Hence, M and Mo are equivalent and Formula 7.1 is unsatisfiable for all
k. The proof of equivalence of M and Mo can be obtained either through k-induction [100]
or interpolant-based model checking. Our C ORE test can be applied to this proof to identify
unobservable mutations. Similarly, an inductive invariant of the composition of M and Mo can
be obtained and our I NDUCTION test can be applied to detect unobservable mutations.

Use of Lattice of Mutations

In mutation-based testing, a naive way to generate test cases is to introduce each mutation indi-
vidually and generate a test case that detects it. This may result in a large number of test cases
which makes testing slower. A challenge is to minimize the number of test cases generated and
the number of times equivalence of original model and mutated model is checked. This neces-
sitates a test case derived from a mutated model obtained by introducing several mutations, but
still detects individual mutations, too.
1 Model-based design is a development methodology for modern software artifacts, promoting the use of powerful

and specialized modelling languages. The goal is to identify design flaws as early as possible in the development cycle,
thereby avoiding costly late-stage design fixes.
7.2. F UTURE W ORK 107

The set of mutations forms a lattice ordered by set inclusion. We need to find a top-most
set of mutations in this lattice such that

• introducing these mutation in M generates a test case and

• the test case generated individually detects each mutation.

It is interesting to find out how the proposed binary lattice search technique can be applied
to locate a top-most set of mutatations in the lattice that satisfies the above conditions.

7.2.4 Vacuity Guided Model Checking using Interpolants

Two interesting questions not addressed in Chapter 5 are: which strengthening techniques lead
to performance improvements in model checking and, how can one detect situations in which
strengthening techniques are to be applied.
The connection between partial vacuity (vacuity up to a bounded depth or peripheral vacu-
ity discussed in Chapter 5) and interpolant strength is also interesting. We envisage a model
checker based on Craig interpolation that exploits vacuity resulting in coarser approximations.
If a variable in a property is full-vacuous (not only partially vacuous!) in a design, changing the
value of the variable arbitrarily does not cause the property to be falsified in the system. This
facilitates computation of weaker approximations if the variable is peripherally vacuous in the
proof produced by the SAT solver. In case, a variable is not full-vacuous but is only partially
vacuous, the resulting over-approximation will cause a spurious counterexample. One way to
eliminate the spurious counterexample is to make the partially vacuous variable shared and
strengthen the interpolant. An intelligent analysis of the spurious counterexample is needed to
exactly pinpoint which partially vacuous variable caused the counterexample.

7.2.5 Vacuity of Gene Regulatory Networks

Going beyond classical model checking, the lattice search algorithms proposed in Section 4.4
for vacuity detection can be applied to the area of Systems Biology. Gene regulatory networks
are an instance of highly complex transition systems, and model biochemical processes in cells.
Formal methods play an increasingly important role in the field, and numerous applications of
model checking have been reported [10, 12, 11].
There is an abundance of formal models to abstract the behavior of the underlying biochem-
ical reactions. There are two kinds of formal models for gene regulatory networks: Boolean
Glass networks, representing piecewise linear ordinary differential equation systems (PLDE),
and interaction graphs, which focus on two types of interaction between genes, namely, acti-
vation and inhibition.
An abstract, high-level view point on gene interactions is captured by a wiring scheme (also
called interaction graph). Figure 7.2 is a wiring scheme with three nodes, where each node
represents a gene. The edges of wiring schemes indicate two most important kinds of gene
interactions: activation and inhibition. The edges g3 —→g2 and g2 —•g1 indicate an activating
and suppressing edge from vertex g1 to g2 , respectively. The edge g3 —→g2 means the gene g3
activates g2 and the edge g2 —•g1 means the gene g2 suppresses g1 .
Wiring schemes serve as a specification of gene regulatory systems which are best modeled
by Boolean Glass networks. The connection between the trajectories permitted by a given
wiring scheme and those permitted by a Glass network needs to be formalized, as any other
108 C HAPTER 7. E PILOGUE

g2

g1

g3

Figure 7.2: A wiring scheme

kind of specification. In one way, the connection is trivial: it is straight-forward to construct

a precise wiring scheme for a given Glass network. The reverse direction, i.e., obtaining the
Glass network for a given wiring scheme is challenging, but is an invaluable aid for Biologists
trying to infer wiring schemes for experimental observations. Starting from an empty wiring
scheme for a given number of genes, a number of wiring schemes can be generated by adding
activating and inhibiting edges between the genes. These wiring schemes form a lattice and the
lattice search algorithms can be applied to detect the strongest compliant wiring scheme.
 Notation

K -- A Kripke structure
M -- A finite state transition system
S0 -- set of initial states
S -- set of states
T -- transition relation
AP -- a set of atomic propositions
L -- a labelling function that maps a state to 2AP
RS -- set of reachable states from S
R̂S -- over--approximation of RS
φ -- a property to be verified
F -- set of failure states
φ stng -- a property stronger than φ
φ weak -- a property weaker than φ
k -- BMC bound
t -- timeframe
M |=k φ -- M does not violate φ up to bound k
π -- a counterexample trace
ψ -- a subformula of a property
θi -- occurrences of a subformula
ζ -- new unconstrained variable
p ← ζ -- p replaced by ζ
C -- a set of candidate subformula occurrences
n -- |C|, i.e., size of C
W , Z, Y -- a subsets of C
wi , zi , yi -- elements of W , Z, and Y , respectively
φY -- formula φ with elements of Y replaced by ⊥
L -- a lattice
DC -- reflexive downward closure
UC -- reflexive upward closure
N -- a net--list
VN -- a set of vertices in N
EN -- a set of edges in N
τN -- a function mapping vertices of N to the primitive gate types
P -- a resolution proof
VP -- a set of vertices of P
EP -- a set of edges of P
sP -- sink vertex
C , D -- clauses
`P -- a clause function mapping vertices of P to clauses
S -- {⊥, a, b, ab}

109
110 Notation

L -- a labelling function mapping a literal of a proof vertex to an element of S

LP -- set of locality preserving labelling functions over P
L -- a set of literals
l -- a literal
X -- a set of propositional variables
x -- propositional variable
ITP -- an interpolation system
ITP S -- a symmetric interpolation system
ITP M -- McMillan’s interpolation system
ITP P -- an interpolation system based on peripherality
 List of Figures

1.1 A cell of a synchronous arbiter [86] . . . . . . . . . . . . . . . . . . . . . . . 4

2.1 Kripke structure for Example 2.1.1 . . . . . . . . . . . . . . . . . . . . . . . . 8

2.2 Verilog module of a counter . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.3 Net-list of the counter in Figure 2.2 . . . . . . . . . . . . . . . . . . . . . . . . 9
2.4 Transition relation of the counter in Figure 2.2 . . . . . . . . . . . . . . . . . . 10
2.5 Resolution proof of unsatisfiability of Formula 2.2 . . . . . . . . . . . . . . . . 17
2.6 Resolution proof in Figure 2.5 annotated with ITPM (P)(v) . . . . . . . . . . . 20
2.7 System M . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

3.1 A schematic diagram of an ALU . . . . . . . . . . . . . . . . . . . . . . . . . 29

3.2 Verilog code for the ALU in Figure 3.1 . . . . . . . . . . . . . . . . . . . . . . 30
3.3 A net-list of the ALU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
3.4 Net-list showing coverage of the ALU . . . . . . . . . . . . . . . . . . . . . . 32
3.6 Verilog code of the sequential circuit in Figure 3.5 . . . . . . . . . . . . . . . . 33
3.5 A sequential circuit N satisfying φN = G(p ∨ q ∨ r) . . . . . . . . . . . . . . . 33
3.7 Mutating v using a multiplexer . . . . . . . . . . . . . . . . . . . . . . . . . . 35
3.8 The mutation Nmx of N in Figure 3.5 . . . . . . . . . . . . . . . . . . . . . . . 37
3.9 Resolution refutation P1 of BMC1 for Nmx in Figure 3.8 . . . . . . . . . . . . 38
3.10 Final proof P2 during interpolant-based model checking of Nmx in Figure 3.8 . 39
f
3.11 Proof of unsatisfiability of Formula 3.7 for Nmx and SELq = ¬ps0 ∧ qs0 ∧ q0 ∧ ¬r0s 43
3.12 Comparison of naive vs. C OVERAGE C HECKS . . . . . . . . . . . . . . . . . . 45
3.13 Histogram of the success rates of the proposed tests in C OVERAGE C HECKS . . 46
3.14 Overhead for a given accuracy . . . . . . . . . . . . . . . . . . . . . . . . . . 47

4.1 Vacuity checking by property strengthening . . . . . . . . . . . . . . . . . . . 52

4.2 A poset of set of all subsets of {a, b, c} . . . . . . . . . . . . . . . . . . . . . . 54
4.3 A poset that is not a lattice . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
4.4 Example Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
4.5 Lattice for φ = FG a ∨ X b ∨ GF(b ∨ c) with C = {a, b, b ∨ c} . . . . . . . . . . 58
4.6 Flow diagram of model checking with CEGAR . . . . . . . . . . . . . . . . . 60

111
112 L IST OF F IGURES

4.7 CEGAR in action when M |= φ . . . . . . . . . . . . . . . . . . . . . . . . . . 61

4.8 Lattice state after deleting elements of UC(FG a ∨ X b) . . . . . . . . . . . . . 63
4.9 State of the lattice in Figure 4.8 after retaining UC(FG a ∨ GF(b ∨ c)) . . . . . 63

5.1 Vacuity and Over-approximation . . . . . . . . . . . . . . . . . . . . . . . . . 78

5.2 Refutation yielding different interpolants for different systems. . . . . . . . . . 80
5.3 A refutation for a1 ∧ (a1 ∨ a2 ) ∧ (a1 ∨ a2 ) ∧ a1 . . . . . . . . . . . . . . . . . . 81
5.4 A transition system implementing a binary counter. . . . . . . . . . . . . . . . 81
5.5 Refutation with McMillan’s interpolant of J(~a) ∧ T (~a,~a0 ) and F(~a0 ). . . . . . . 82
5.6 (A, B)-Refutation with McMillan’s interpolant for A = (J(~a) ∨ I(~a)) ∧ T (~a,~a0 )
and B = F(~a0 ). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
5.7 A labelled interpolation system ITP(L) . . . . . . . . . . . . . . . . . . . . . . 84
5.8 Resolution proof of unsatisfiability of AM and Be in Formula 5.1 . . . . . . . . 87
5.9 Resolution proof demonstrating peripherality . . . . . . . . . . . . . . . . . . 87

6.1 An example model K1 for vacuity and coverage analysis . . . . . . . . . . . . 95

6.2 Model K2 for vacuity and coverage analysis . . . . . . . . . . . . . . . . . . . 99
6.3 Relation between vacuity and coverage . . . . . . . . . . . . . . . . . . . . . . 101

7.1 Example models for Error Analysis . . . . . . . . . . . . . . . . . . . . . . . 105

7.2 A wiring scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
 List of Tables

3.1 Important CNF formulas in BMC1 (No , φN ) . . . . . . . . . . . . . . . . . . . . 38

3.2 Coverage of the three registers in N . . . . . . . . . . . . . . . . . . . . . . . 44
3.3 Coverage data on IBM benchmarks. A timeout is indicated by *. . . . . . . . . 46
3.4 Naive Coverage data on IBM benchmarks. A timeout is indicated by *. . . . . 48

4.1 Property Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

4.2 Performance Comparison of B INARY-L ATTICE -S EARCH and Exhaustive Lat-
tice Search without B INARY-E LIMINATE . . . . . . . . . . . . . . . . . . . . 67
4.3 Performance of Exhaustive Lattice Search with B INARY-E LIMINATE . . . . . . 68
4.4 Performance of B INARY-L ATTICE -S EARCH with B INARY-E LIMINATE . . . . 69
4.5 Performance of FRONTIER . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
4.6 Performance of B INARY-L ATTICE -S EARCH -M AX . . . . . . . . . . . . . . . 71

113
 Bibliography

[1] Alpern, B., and F. B. Schneider. 1985. Defining Liveness. Inf. Process. Lett. 21:181–
185.

[2] Ammann, P., P. E. Black, and W. Majurski. 1998. Using Model Checking to Generate
Tests from Specifications. In: ICFEM. 46–.

[3] Armoni, R., L. Fix, A. Flaisher, O. Grumberg, N. Piterman, A. Tiemeyer, and M. Y.

Vardi. 2003. Enhanced Vacuity Detection in Linear Temporal Logic. In: Proceedings of
15th International Conference in Computer Aided Verification (CAV), volume 2725 of
LNCS. Springer, 368–380.

[4] Arnold, A., and P. Crubille. 1988. A Linear Algorithm to Solve Fixed-Point Equations
on Transition Systems. Inf. Process. Lett. 29:57–66.

[5] Azzoni, P., A. Fedeli, F. Fummi, G. Pravadelli, U. Rossi, and F. Toto. 2002. An error
simulation based approach to measure error coverage of formal properties. In: ACM
Great Lakes Symposium on VLSI. ACM, 53–58.

[6] Banerjee, A., B. Pal, S. Das, A. Kumar, and P. Dasgupta. 2006. Test generation games
from formal specifications. In: DAC. ACM, 827–832.

[7] Bar-Ilan, O., O. Fuhrmann, S. Hoory, O. Shacham, and O. Strichman. 2008. Linear-time
Reductions of Resolution Proofs. Technical Report IE/IS-2008-02, Technion.

[8] Basu, P., S. Das, A. Banerjee, P. Dasgupta, P. P. Chakrabarti, C. R. Mohan, L. Fix,

and R. Armoni. 2006. Design-Intent Coverage - A New Paradigm for Formal Property
Verification. IEEE Trans. on CAD of Integrated Circuits and Systems 25:1922–1934.

[9] Basu, P., S. Das, P. Dasgupta, P. P. Chakrabarti, C. R. Mohan, and L. Fix. 2004. For-
mal Verification Coverage: Are the RTL-Properties Covering the Design’s Architectural
Intent? In: DATE. IEEE Computer Society, 668–669.

[10] Batt, G., C. Belta, and R. Weiss. 2007. Model checking genetic regulatory networks
with parameter uncertainty. LNCS 4416:61.

[11] Batt, G., D. Bergamini, H. de Jong, H. Garavel, and R. Mateescu. 2004. Model Checking
Genetic Regulatory Networks Using GNA and CADP. In: SPIN. Springer, 158–163.

[12] Batt, G., D. Ropers, H. de Jong, J. Geiselmann, R. Mateescu, M. Page, and D. Schneider.
2005. Analysis and verification of qualitative models of genetic regulatory networks: A
model-checking approach. In: Joint Conference on Artificial Intelligence. 370–375.

[13] Beatty, D. L., and R. E. Bryant. 1994. Formally Verifying a Microprocessor Using a
Simulation Methodology. In: DAC. ACM, 596–602.

115
116 BIBLIOGRAPHY

[14] Beer, I., S. Ben-David, C. Eisner, and Y. Rodeh. 1997. Efficient detection of vacuity
in ACTL formulas. In: Proc. 9th Conference on Computer Aided Verification, volume
1254 of LNCS. 279–290.

[15] ———. 2001. Efficient detection of vacuity in ACTL formulas. FMSD 18:141–162.

[16] Bening, L., and H. Foster. 2000. Principles of verifiable RTL design – a functional
coding style supporting verification processes. Kluwer.

[17] Biere, A., A. Cimatti, E. M. Clarke, O. Strichman, and Y. Zhu. 2003. Bounded Model
Checking. Advances in Computers 58:118–149.

[18] Biere, A., A. Cimatti, E. M. Clarke, and Y. Zhu. 1999. Symbolic Model Checking
without BDDs. In: TACAS. Springer, 193–207.

[19] Brayton, R. K., G. D. Hachtel, A. L. Sangiovanni-Vincentelli, et al. 1996. VIS: A System

for Verification and Synthesis. In: CAV. Springer, 428–432.

[20] Bryant, R. 1986. Graph-based algorithms for Boolean-function manipulation. IEEE

Trans. on Computers C-35.

[21] Burch, J., E. Clarke, K. McMillan, D. Dill, and L. Hwang. 1992. Symbolic model
checking: 1020 states and beyond. Information and Computation 98:142–170.

[22] Burch, J. R., E. M. Clarke, and D. E. Long. 1991. Symbolic Model Checking with
Partitioned Transistion Relations. In: VLSI. 49–58.

[23] Burch, J. R., E. M. Clarke, D. E. Long, K. L. McMillan, and D. L. Dill. 1994. Symbolic
model checking for sequential circuit verification. IEEE Trans. on CAD of Integrated
Circuits and Systems 13:401–424.

[24] Buss, S. R. 1999. Propositional Proof Complexity: An Introduction. In: Computational

Logic, NATO ASI Series F: Computer and Systems Sciences 165. Springer, 127–178.

[25] Bustan, D., A. Flaisher, O. Grumberg, O. Kupferman, and M. Vardi. 2005. Regular
vacuity. In: 13th Advanced Research Working Conference on Correct Hardware Design
and Verification Methods, volume 3725 of LNCS. Springer, 191–206.

[26] Chechik, M., and A. Gurfinkel. 2004. Extending Extended Vacuity. In: Proceedings of
FMCAD, volume 3312 of LNCS. Springer, 306–321.

[27] ———. 2004. How Vacuous is Vacuous? In: Proceedings of TACAS, volume 2988 of
LNCS. Springer, 451–466.

[28] Chockler, H., A. Gurfinkel, and O. Strichman. 2008. Beyond Vacuity: Towards the
Strongest Passing Formula. In: FMCAD. IEEE, 188 – 195.

[29] Chockler, H., D. Kroening, and M. Purandare. 2010. Coverage in interpolation-based

model checking. In: DAC. ACM, 182–187.

[30] Chockler, H., and O. Kupferman. 2002. Coverage of Implementations by Simulating

Specifications. In: Conference on Theoretical Computer Science, IFIP Conference Pro-
ceedings 223. Kluwer, 409–421.

[31] Chockler, H., O. Kupferman, R. Kurshan, and M. Vardi. 2001. A Practical Approach to
Coverage in Model Checking. In: CAV, LNCS 2102. Springer, 66–78.
BIBLIOGRAPHY 117

[32] Chockler, H., O. Kupferman, and M. Vardi. 2001. Coverage Metrics for Temporal Logic
Model Checking. In: TACAS, LNCS 2031. Springer, 528 – 542.

[33] ———. 2003. Coverage Metrics for Formal Verification. In: CHARME, LNCS 2860.
Springer, 111–125.

[34] Chockler, H., O. Kupferman, and M. Y. Vardi. 2006. Coverage metrics for formal veri-
fication. STTT 8:373–386.

[35] ———. 2006. Coverage metrics for temporal logic model checking* . Formal Methods
in System Design 28:189–212.

[36] Chockler, H., and O. Strichman. 2007. Easier and More Informative Vacuity Checks.
In: MEMOCODE. IEEE, 189–198.

[37] ———. 2009. Before and after vacuity. Formal Methods in System Design 34:37–58.

[38] Claessen, K. 2007. A Coverage Analysis for Safety Property Lists. In: FMCAD. IEEE,
139–145.

[39] Clarke, E., E. Emerson, and A. Sistla. 1986. Automatic Verification of Finite-State
Concurrent Systems Using Temporal Logic Specifications. ACM Transactions on Pro-
gramming Languages and Systems 8:244–263.

[40] Clarke, E., O. Grumberg, K. McMillan, and X. Zhao. 1995. Efficient generation of
counterexamples and witnesses in symbolic model checking. In: DAC. IEEE, 427–432.

[41] Clarke, E. M., and E. A. Emerson. 1981. Design and Synthesis of Synchronization
Skeletons Using Branching-Time Temporal Logic. In: Logic of Programs. Springer,
52–71.

[42] Clarke, E. M., O. Grumberg, S. Jha, Y. Lu, and H. Veith. 2003. Counterexample-guided
abstraction refinement for symbolic model checking. J. ACM 50:752–794.

[43] Clarke, E. M., O. Grumberg, and D. E. Long. 1994. Model Checking and Abstraction.
ACM Trans. Program. Lang. Syst. 16:1512–1542.

[44] Clarke, E. M., S. Jha, R. Enders, and T. Filkorn. 1996. Exploiting Symmetry in Temporal
Logic Model Checking. Formal Methods in System Design 9:77–104.

[45] Cousot, P., and R. Cousot. 1977. Abstract Interpretation: A Unified Lattice Model for
Static Analysis of Programs by Construction or Approximation of Fixpoints. In: POPL.
238–252.

[46] Craig, W. 1957. Linear Reasoning. A New Form of the Herbrand-Gentzen Theorem.
The Journal of Symbolic Logic 22:250–268.

[47] Das, S., A. Banerjee, P. Basu, P. Dasgupta, P. P. Chakrabarti, C. R. Mohan, and L. Fix.
2005. Formal Methods for Analyzing the Completeness of an Assertion Suite against a
High-Level Fault Model. In: VLSI Design. IEEE Computer Society, 201–206.

[48] Das, S., P. Basu, A. Banerjee, P. Dasgupta, P. P. Chakrabarti, C. R. Mohan, L. Fix, and
R. Armoni. 2004. Formal verification coverage: computing the coverage gap between
temporal specifications. In: ICCAD. IEEE Computer Society / ACM, 198–203.
118 BIBLIOGRAPHY

[49] Das, S., P. Basu, P. Dasgupta, and P. P. Chakrabarti. 2006. What lies between design
intent coverage and model checking? In: DATE. European Design and Automation
Association, Leuven, Belgium, 1217–1222.

[50] Davis, M., G. Logemann, and D. Loveland. 1962. A machine program for theorem-
proving. Commun. ACM 5:394–397.

[51] Davis, M., and H. Putnam. 1960. A Computing Procedure for Quantification Theory. J.
ACM 7:201–215.

[52] D’Silva, V., D. Kroening, M. Purandare, and G. Weissenbacher. 2010. Interpolant

Strength. In: VMCAI, volume 5944 of Lecture Notes in Computer Science. Springer,
129–145.

[53] Eén, N., and N. Sörensson. 2003. An Extensible SAT-solver. In: SAT. Springer, 502–
518.

[54] Emerson, E. A., and C.-L. Lei. 1987. Modalities for Model Checking: Branching Time
Logic Strikes Back. Sci. Comput. Program. 8:275–306.

[55] Emerson, E. A., and A. P. Sistla. 1996. Symmetry and Model Checking. Formal Methods
in System Design 9:105–131.

[56] Emerson, E. A., and R. J. Trefler. 1999. From Asymmetry to Full Symmetry: New
Techniques for Symmetry Reduction in Model Checking. In: CHARME, volume 1703
of Lecture Notes in Computer Science. Springer, 142–156.

[57] Fedeli, A., F. Fummi, and G. Pravadelli. 2007. Properties Incompleteness Evaluation by
Functional Verification. IEEE Trans. Computers 56:528–544.

[58] Fisman, D., O. Kupferman, S. Sheinvald-Faragy, and M. Y. Vardi. 2008. A Framework

for Inherent Vacuity. In: Haifa Verification Conference. 7–22.

[59] Fraser, G., and F. Wotawa. 2006. Using Model-Checkers for Mutation-Based Test-Case
Generation, Coverage Analysis and Specification Analysis. In: ICSEA. IEEE Computer
Society, 16.

[60] Fummi, F., and G. Pravadelli. 2007. Too Few or Too Many Properties? Measure it by
ATPG! J. Electronic Testing 23:373–388.

[61] Godefroid, P., D. Peled, and M. G. Staskauskas. 1996. Using Partial-Order Methods in
the Formal Validation of Industrial Concurrent Programs. IEEE Trans. Software Eng.
22:496–507.

[62] Goldberg, E., and Y. Novikov. 2002. BerkMin: A Fast and Robust SAT-Solver. In:
DATE. IEEE, 142–149.

[63] Graf, S., and H. Saı̈di. 1997. Construction of Abstract State Graphs with PVS. In: CAV,
volume 1254 of Lecture Notes in Computer Science. Springer, 72–83.

[64] Groce, A., S. Chaki, D. Kroening, and O. Strichman. 2006. Error explanation with
distance metrics. STTT 8:229–247.

[65] Große, D., U. Kühne, and R. Drechsler. 2007. Estimating functional coverage in
Bounded Model Checking. In: DATE. ACM, 1176–1181.
BIBLIOGRAPHY 119

[66] ———. 2008. Analyzing Functional Coverage in Bounded Model Checking. IEEE
Trans. on CAD of Integrated Circuits and Systems 27:1305–1314.

[67] Grumberg, O., and D. E. Long. 1991. Model Checking and Modular Verification. In:
CONCUR. Springer, 250–265.

[68] Guglielmo, L. D., F. Fummi, and G. Pravadelli. 2008. Vacuity Analysis by Fault Simu-
lation. In: MEMOCODE. IEEE, 27–36.

[69] ———. 2010. Vacuity Analysis for Property Quantification by Mutatation of Checkers.
In: DATE. To appear.

[70] Hoskote, Y. V., T. Kam, P.-H. Ho, and X. Zhao. 1999. Coverage Estimation for Symbolic
Model Checking. In: DAC. ACM, 300–305.

[71] Huang, G. 1995. Constructing Craig Interpolation Formulas. In: Computing Combina-
torics (COCOON), volume 959 of LNCS. Springer, 181–190.

[72] Jasper Design Automation Inc. 2008. Reaching 100% Coverage Using Formal. Panel
talk at HVC.

[73] Jayakumar, N., M. Purandare, and F. Somenzi. 2003. Dos and don’ts of CTL state
coverage estimation. In: DAC. ACM, 292–295.

[74] Jhala, R., and K. L. McMillan. 2007. Interpolant-Based Transition Relation Approxi-
mation. Logical Methods in Computer Science (LMCS) 3.

[75] Katz, S., D. Geist, and O. Grumberg. 1999. “Have I written enough properties?” A
method of comparison between specification and implementation. In: 10th Advanced
Research Working Conference on Correct Hardware Design and Verification Methods,
volume 1703 of LNCS. Springer, 280–297.

[76] Krajı́ček, J. 1997. Interpolation Theorems, Lower Bounds for Proof Systems, and Inde-
pendence Results for Bounded Arithmetic. The Journal of Symbolic Logic 62:457–486.

[77] Kupferman, O. 2006. Sanity Checks in Formal Verification. In: Concurrency Theory
(CONCUR), LNCS 4137. Springer, 37–51.

[78] Kupferman, O., W. Li, and S. A. Seshia. 2008. A Theory of Mutations with Applications
to Vacuity, Coverage, and Fault Tolerance. In: FMCAD. IEEE, 1–9.

[79] Kupferman, O., and M. Vardi. 1999. Vacuity detection in temporal model checking.
In: 10th Advanced Research Working Conference on Correct Hardware Design and
Verification Methods, volume 1703 of LNCS. Springer, 82–96.

[80] Laroussinie, F., and P. Schnoebelen. 2000. Specification in CTL+Past for Verification in
CTL. Inf. Comput. 156:236–263.

[81] Lee, T.-C., and P.-A. Hsiung. 2004. Mutation Coverage Estimation for Model Checking.
In: ATVA, volume 3299 of Lecture Notes in Computer Science. springer, 354–368.

[82] Lichtenstein, O., and A. Pnueli. 1985. Checking That Finite State Concurrent Programs
Satisfy Their Linear Specification. In: POPL. 97–107.

[83] Maehara, S. 1961. On the interpolation theorem of Craig (in Japanese). Sûgaku 12:235–
237.
120 BIBLIOGRAPHY

[84] Mancosu, P., editor. 2008. Interpolations. Essays in Honor of William Craig, volume
164:3 of Synthese. Springer.

[85] Manna, Z., and A. Pnueli. 1995. Temporal verification of reactive systems: safety. New
York, NY, USA: Springer-Verlag New York, Inc.

[86] McMillan, K. L. 1994. Symbolic Model Checking. In: Kluwer Academic Publishers,
Boston, M.A.

[87] ———. 2003. Interpolation and SAT-Based Model Checking. In: CAV, LNCS 2725.
Springer, 1–13.

[88] ———. 2005. An interpolating theorem prover. Theor. Comput. Sci. 345:101–121.

[89] Moskewicz, M. W., C. F. Madigan, Y. Zhao, L. Zhang, and S. Malik. 2001. Chaff:
Engineering an Efficient SAT Solver. In: DAC. 530–535.

[90] Namjoshi, K. S. 2004. An Efficiently Checkable, Proof-Based Formulation of Vacuity

in Model Checking. In: CAV, volume 3114 of LNCS. Springer, 57–69.

[91] Peled, D. 1993. All from One, One for All: on Model Checking Using Representatives.
In: CAV, volume 697 of Lecture Notes in Computer Science. Springer, 409–423.

[92] Plaisted, D. A., and S. Greenbaum. 1986. A structure-preserving clause form translation.
J. Symb. Comput. 2:293–304.

[93] Pnueli, A. 1977. The Temporal Logic of Programs. In: FOCS. IEEE, 46–57.

[94] Pudlák, P. 1997. Lower Bounds for Resolution and Cutting Plane Proofs and Monotone
Computations. The Journal of Symbolic Logic 62:981–998.

[95] Purandare, M., and F. Somenzi. 2002. Vacuum cleaning CTL formulae. In: CAV, LNCS
2404. Springer, 485–499.

[96] Purandare, M., T. Wahl, and D. Kroening. 2009. Strengthening properties using abstrac-
tion refinement. In: DATE. IEEE, 1692–1697.

[97] Queille, J.-P., and J. Sifakis. 1982. Specification and verification of concurrent systems
in CESAR. In: Symposium on Programming, volume 137 of LNCS. Springer, 337–351.

[98] Rayadurgam, S., and M. P. Heimdahl. 2001. Coverage Based Test-Case Generation Us-
ing Model Checkers. In: Proceedings of the 8th Annual IEEE International Conference
and Workshop on the Engineering of Computer Based Systems (ECBS 2001). IEEE
Computer Society, 83–91.

[99] Samer, M., and H. Veith. 2007. On the Notion of Vacuous Truth. In: LPAR. Springer,
2–14.

[100] Sheeran, M., S. Singh, and G. Stålmarck. 2000. Checking Safety Properties Using
Induction and a SAT-Solver. In: FMCAD, volume 1954 of Lecture Notes in Computer
Science. Springer, 108–125.

[101] Silva, J. P. M., and K. A. Sakallah. 1996. GRASP - a new search algorithm for satisfia-
bility. In: ICCAD. ACM, 220–227.
BIBLIOGRAPHY 121

[102] Simmonds, J., J. Davies, A. Gurfinkel, and M. Chechik. 2007. Exploiting Resolution
Proofs to Speed Up LTL Vacuity Detection for BMC. In: FMCAD. IEEE Computer
Society, 3–12.

[103] Tasiran, S., and K. Keutzer. 2001. Coverage Metrics for Functional Validation of Hard-
ware Designs. IEEE Design and Test of Computers 18:36–45.

[104] Tseitin, G. S. 1968. On the complexity of derivation in the propositional calculus. Za-
piski nauchnykh seminarov LOMI 8:234–259.

[105] Vardi, M. Y., and P. Wolper. 1986. An Automata-Theoretic Approach to Automatic

Program Verification (Preliminary Report). In: LICS. IEEE Computer Society, 332–
344.

[106] Verma, S., I. G. Harris, and K. Ramineni. 2007. Interactive presentation: Automatic
generation of functional coverage models from behavioral Verilog descriptions. In:
DATE. ACM, 900–905.

[107] Xu, X., S. Kimura, K. Horikawa, and T. Tsuchiya. 2005. Extended abstract: transition
traversal coverage estimation for symbolic model checking. In: MEMOCODE. IEEE,
259–260.

[108] ———. 2006. Coverage Estimation Using Transition Perturbation for Symbolic Model
Checking in Hardware Verification. IEICE Transactions 89-A:3451–3457.

[109] ———. 2006. Transition-based coverage estimation for symbolic model checking. In:
ASP-DAC. IEEE, 1–6.

[110] Yorsh, G., and M. Musuvathi. 2005. A Combination Method for Generating Interpolants.
In: CADE, volume 3632 of LNCS. Springer, 353–368.