Abstraction and Refinement for Large Scale Model Checking
Chao Wang
Department of Electrical and Computer Engineering, University of Colorado at Boulder, Email: [email protected]
Fine-Grain Abstraction
Introduction
A big gap exists between the capacity of the
model checkers and the size of the real-world
designs. Abstraction and refinement is a
technique to bridge this gap. The goal of this
thesis is to seek good algorithms based on
abstraction and refinement that enable
model checking techniques on the industrialscale designs.
Efficient Computation in Abs-Ref
Conventional methods: Latch as an “abstraction atom”. Once a
latch is in the abstract model, all the gates in its fan in logic cone are also included.
However, not all these gates might be necessary.
We partition the circuit into cluster of gates and treat each
cluster as an “atom”. Only necessary logics/gates are added to the abstract
model; abstraction granularity can be adjusted by controlling the cluster size.
Experimental Results
Local guidance: single ACE (abstract counter-example).
(1)Fine-Grain Abstraction: Observe cases where 99% of the
fan in cone gates are not necessary for the final proof.
Might lead to biased / sub-optimal refinement result (to the wrong direction).
Iterative process to verify “M  P”. (i.e., property P
We use SORs to capture all the shortest ACEs.
holds on model M.)
An example of SORs: Property (AG p) means “p holds on all the reachable states”.
1
2
3
4
5
6
7
0
3
1
4
2
!p
6
10
7
13
11
8
12
5
(1)
9
14
!p
!p
Current abstraction
2
5
(2)
12
9
(Unnecessarily Including them in the abstract model made even the
abstract model intractable.)
(2)Global guidance (New): More efficient than local guidance
•SORs are the
intersection of the
forward and backward
reachable onion rings.
•SORs are used for
both concretization test
and guidance for
refinement.
•As the refinement
goes on, the number of
abstract edges in the
SORs decreases
monotonically.
8
P
--- a safety property of the form (AG p);
M+ --- an over-approximated abstraction of M.
ACEs --- (Abstract Counter Examples) may or may not be CCE.
CCE --- (Concrete Counter Example) is a real error trace on M.
Model-Check( )
--- symbolic model checking on M+
Concretize-ACEs( )
--- re-construct the ACEs on M
Compute-Refinement( ) --- refine the abstract model
!p
SORs (synchronous onion rings)
Higher abstraction efficiency!
 size of M  for proof/disp roof
  1  
size of M

•Maximum efficiency depends on the locality of the property P on M.
•The job of Abs-Ref is to exploit this locality as much as possible.
A good algorithm can efficiently come close to
or even reach the maximum abstraction
efficiency.
25
20
BDD
BMC
CGKS02
CCK+02
New
15
10
5
0
Completed
Best CPU
Highest efficiency
(3)Carrying information to the next: Speed up the verification
Speed-up in verifying full-LTL
1000
100
Game Theoretic Refinement
f  g
1
Both edges are spurious; f and g are invisible.
Should refine with “g” instead of “f” !
Why? Because if player2 control g ( assign g=1),
Play1 can not go through these edges.
3
f g
4
Add g to abs. model 
Play2 control g
 g ,1
g ,1
f
3
f
4
CPU
Mem
10
Player1 tries to force M+ through the SORs to !p states; Player2 tries to avoid that.
They play by controlling invisible variables – variables abstracted away from M+.



Compare different refinement algorithms
with SCC analysis: Zoom-In and Strength Reduction
We pick refinement variables (latches / gates) by playing a
two-player reachability game on M+.
What “Good” Means?
•To reduce the search space
(Zoom-In)
•To speed up the verification (Strength-Reduction)
•To decompose the search space
(Disjunctively)
Global Guidance for Abs-Ref
Abstraction/Refinement
Abstraction-Refinement(M,P) {
M+ = Initial-Abstraction(M,P)
while (1) {
ACEs = Model-Check(M+,P)
if (ACEs is empty)
return PASS
CCE = Concretize-ACEs(M,ACEs)
if (CCE not empty)
return FAIL
M+ = Compute-Refinement ( )
}}
In the iterative process, verification result from
previous step can be carried to the next
Add f to abs. model 
Play2 control f
f ,1
g
f ,1
g
3
4
1
0.1
b1 b2 b3 b4 b5 e1 e2 l1 n1 p1 h1 h2 h3 s1 s2 s3 t1 t2
Conclusion
With the help of the proposed research (finegrain abstraction, refinement under global
guidance, and efficient computation in AbsRef), model checking techniques can be used
on otherwise intractable industrial-scale circuits
(e.g. with 1000-10000 latches).