 # Generation Of A Complete Set Of Properties

One of the problems of formal verification is that it is not functionally complete. The fact that a set of properties of a specification holds for a design implementation, in general, does not mean that this implementation is bug-free. In testing, this issue is addressed by replacing functional completeness with structural one. The latter is achieved by generating a set of tests probing every piece of a design implementation. We show that a similar approach can be used in formal verification. The idea here is to generate a property of the implementation at hand that is not implied by specification properties. Finding such a property means that the specification is not complete. If this is an unwanted property, then the implementation is buggy. Otherwise, a new specification property needs to be added. Generation of implementation properties related to different parts of the design followed by adding new specification properties produces a structurally-complete specification. Implementation properties are built by partial quantifier elimination, a technique where only a part of the formula is taken out of the scope of quantifiers. An implementation property is generated by applying partial quantifier elimination to a formula defining the "truth table" of the implementation. We show how our approach works on specifications of combinational and sequential circuits.

## Authors

##### This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

## I Introduction

One of the problems of formal verification is that it is functionally incomplete. Let us consider this problem by the example of combinational circuits. Suppose a set = of formulas111In this paper, we consider only propositional formulas. We assume that every formula is in conjunctive-normal form (CNF). A clause is a disjunction of literals (where a literal of a Boolean variable is either itself or its negation ). So a CNF formula is a conjunction of clauses: . We also consider as the set of clauses . specify properties of a combinational circuit to be designed. Here and are sets of input and output variables of this circuit respectively222For the sake of simplicity, in the introduction we assume that properties depend on all input/output variables. In Section III, we consider a more general case where a property depends on a subset of . . (A correct implementation has to exclude the input/output behaviors falsifying , .) Let be a combinational circuit implementing the specification . Let be a formula describing the functionality of . The circuit satisfies property , iff .

In general, does not necessarily imply (where the latter specifies the input/output behavior of ). If so, then some input/output behaviors of are not defined by i.e. the latter is incomplete. Note that even checking the completeness of is inherently hard. For instance, verifying the implication above requires performing quantifier elimination (QE) for .

In testing, the incompleteness of functional verification is addressed by using a set of tests that is complete structurally rather than functionally. Structural completeness is achieved by probing every piece of the design under test. In this paper, we use a similar approach for formal verification. This approach is based on two ideas. The first idea is to check the completeness of the specification by generating implementation properties i.e. those satisfied by . Let be a property (and so ). If , then the specification is incomplete. If is an unwanted property, then is buggy (and it should be modified so that it does not satisfy ). Otherwise, a new property should be added to the specification to make the latter imply . A trivial way to achieve this goal is just to add to the property itself.

The second idea is to generate implementation properties by a technique called partial QE (PQE. In terms of formula , PQE takes a subset of clauses of out of the scope of quantifiers. (So QE is special case of PQE where the entire formula is taken out of the scope of quantifiers.) This results in generation of a formula implied by i.e. a property of . Importantly, by taking different subsets of clauses of out of the scope of quantifiers, one builds a structurally complete set of properties. By updating specification properties every time an implementation property proves incomplete, one gets a structurally complete specification. By combining PQE with simple formula transformations (based on splitting clauses on variables), one can generate any property of . Importantly, by varying the size of the subformula taken out of the scope of quantifiers one can control the complexity of PQE and hence that of property generation. The latter ranges from essentially linear (for trivial properties excluding wrong outputs for one particular input of ) to exponential.

Incompleteness of the specification may lead to two kinds of bugs. A bug of the first kind that we mentioned above occurs when has an unwanted property. In this case, excludes some correct input/output behaviors. A bug of the second kind occurs when allows some incorrect input/output behaviors. This type of bugs can be exposed by generating properties that are inconsistent with . (As opposed to the implementation properties that are consistent with by definition.) Such inconsistent properties are meant to imitate the missing properties of that are not satisfied by (if any). Tests falsifying inconsistent properties may expose incorrect input/output behaviors allowed by . These properties can also be generated by PQE. Besides, one can follow the same idea of structural completeness by building a set of inconsistent properties relating to different parts of . However, this topic is beyond the scope of this paper. (It will be covered in .) So here, we consider generation of a specification that is structurally complete only with respect to consistent properties of the implementation at hand.

The contribution of this paper is as follows. First, we show that one can use PQE for generation of implementation properties. Second, we sketch an algorithm for generation of a structurally complete specification. Third, we show that by combining clause splitting with PQE one can generate an arbitrary implementation property of a combinational circuit. In particular, we prove that clause splitting allows one to reduce the complexity of PQE (and hence property checking) to virtually linear. The latter result also shows that QE can be exponentially more complex than PQE.

This paper is structured as follows. Basic definitions are given in Section II. In Section III, we describe generation of implementation properties of combinational circuits by PQE. A procedure for making a specification structurally complete is presented in Section IV. In Sections V and VI we extend our approach to sequential circuits. Some concluding remarks are made in Section VII.

## Ii Basic Definitions

###### Definition 1

Let be a set of variables. An assignment to is a mapping where . We will refer to as a full assignment to if .

From now on, by saying “an assignment to a set of variables” we mean a full assignment, unless otherwise stated.

###### Definition 2

Let be a formula. denotes the set of variables of .

###### Definition 3

Let be a formula where are sets of Boolean variables. The Quantifier Elimination (QE) problem specified by is to find formula such that .

###### Definition 4

Let , be Boolean formulas where are sets of Boolean variables. The Partial QE (PQE) problem of taking out of the scope of quantifiers in is to find formula such that . Formula is called a solution to PQE.

###### Remark 1

Note that if is a solution to the PQE problem above and a clause is implied by alone, then is a solution too. So if all clauses of are implied by , then an empty set of clauses is a solution too (in this case, ).

Let be a combinational circuit where are sets of input, internal and output variables respectively. Let consist of gates . A formula specifying the functionality of can be built as where is a formula specifying gate . Formula is constructed as a conjunction of clauses falsified by the incorrect combinations of values assigned to . Then every assignment satisfying corresponds to a consistent assignment of values to and vice versa.

###### Example 1

Let be a 2-input AND gate specified by . Then formula is constructed as where , , . Here, the clause , for instance, is falsified by assignment that is inconsistent with the truth table of .

## Iii Generation Of Implementation Properties

In this section, we describe generation of properties of by PQE and discuss how one can control the complexity of those properties. Let be a combinational circuit where are sets of input, internal and output variables. Let be a formula specifying .

Let be a non-empty subset of clauses of . Let denote (and so ). Consider the PQE problem of taking out of the scope of quantifiers in where . Let formula where be a solution to this problem i.e. . Since is implied by , it is a property of the circuit . Note that by taking different subsets of out of the scope of quantifiers in one gets different properties. From now on, we will assume that all the clauses implied by are removed from (see Remark 1).

Intuitively, the smaller the size of is, the simpler PQE becomes. So, the simplest case of the PQE problem above is when a single clause of is taken out of the scope of quantifiers. However, the complexity of PQE can be reduced much more by using clause splitting to transform .

###### Definition 5

Let be a subset of . Let be a set of literals where is either itself of . Let be a clause of such that . The splitting of on variables of is to replace with clauses ,, , .

The idea here is to take the clause out of the scope of quantifiers instead of . In Appendix A, we show that such replacement can reduce the complexity of PQE to essentially linear. This also proves that PQE can be exponentially simpler than QE. In addition to making property generation simpler, clause splitting also helps to derive a richer set of properties. In Appendix B, we show that by applying PQE and clause splitting to one can derive any given property where .

## Iv Producing Complete Set Of Properties

In this section, we give an example of a procedure called that generates a structurally complete specification. The pseudocode of is shown in Figure 1. accepts

• a specification (i.e. a set of properties )

• an “informal” specification used to decide if a property of is unwanted

• an implementation defining a circuit

• the set of variables on which implementation properties will depend on.

returns an unwanted property of exposing a bug (if any) or a structurally complete specification .

starts with initializing a copy Cls of formula (lines 1). Then runs a ’while’ loop until Cls is empty. starts an iteration of the loop by extracting a clause from Cls (lines 3-4). Then it builds an implementation property as a solution to the PQE problem where and (line 5). That is . One can view as a property ’probing’ the part of represented by . Then calls the procedure called Clean (line 6) to remove the clauses implied by from (see Remark 1). At this point consists only of clauses whose derivation depends on the clause .

Then checks if (line 7). If so, then a new iteration starts. Otherwise, the current specification is incomplete, which requires either modification of implementation or specification . If is an unwanted property returns it as a proof that is buggy (line 8). (In this case, excludes some correct input/output behaviors. To decide whether is unwanted, one needs some kind of an informal specification that is complete.) If is a desired property, generates a new specification property such that and adds it to (lines 9-10). A trivial way to update is just to use as a new specification property . If terminates the loop without finding a bug, it returns as a structurally complete specification.

## V Extending Idea To Sequential Circuits

In this section and Section VI, we extend our approach to sequential circuits. Subsections V-A and V-B provide some definitions. Subsection V-C gives a high-level view of building a structurally complete specification for a sequential circuit (in terms of safety properties).

### V-a Some definitions

Let be a sequential circuit. Here denote input and internal combinational variables respectively and denote the present and next state variables respectively. Let be a formula describing the circuit . ( is built for in the same manner as for a combinational circuit , see Section II.) Let be a formula specifying the initial states of . Let denote i.e. the transition relation of .

A state is an assignment to . Any formula is called a safety property for . A state is called a -state if . A state is called reachable in transitions (or in -th time frame) if there is a sequence of states ,…, such that is an -state, for and =.

We will denote the reachability diameter of with initial states as . That is if , every state of is reachable from -states in at most transitions. We will denote as a formula specifying the set of states of reachable from -states in transitions. We will denote as a formula specifying all states of reachable from -states. A property holds for with initial states , if no -state is reachable from an -state.

### V-B Stuttering

In the following explanation, we assume that the circuit above has the stuttering feature. This means that =1 for every state and so can stay in any given state arbitrarily long. If does not have this feature, one can introduce stuttering by adding a combinational input variable . The modified circuit works as before if and remains in its current state if .

On one hand, introduction of stuttering does not affect the reachability of states of . On the other hand, stuttering guarantees that the transition relation of has two nice properties. First, , since for every next state , there is a “stuttering transition” from to where = . Second, if a state is unreachable in in transitions it is also unreachable in transitions if . Conversely, if a state is reachable in in transitions, it is also reachable in transitions where .

###### Remark 2

Note that for a circuit with the stuttering feature, formula specifies not only the states reachable in transitions but also those reachable in at most transitions.

### V-C High-level view

In this paper, we consider a specification of the sequential circuit above in terms of safety properties. So, when we say a specification property of we mean a safety property. Let denote where , is the formula in -th time frame i.e. expressed in terms of sets of variables . Formula can be computed by QE on formula . Here and . If , then is also specifying all states of reachable from -states.

Let be a set of properties forming a specification of a sequential circuit with initial states defined by . Let a sequential circuit be an implementation of the specification . So every property , holds for and . Verifying the completeness of reduces to checking if . Assume that computing is hard. So one does not know if the specification is complete. Then one can use the approach described in the previous sections to form a specification that is complete structurally rather than functionally.

We exploit here the same idea of using PQE to compute properties of i.e. implementation properties. Let be such a property. If , then the specification is incomplete. If some states of falsifying (and hence unreachable from -states) should be reachable, then is buggy and must be modified. Otherwise, one needs to update by adding a specification property to guarantee that . The simplest way to achieve this goal is just to add to . Using a procedure similar to that shown in Fig. 1 one can construct a structurally complete specification.

## Vi Generation Of Safety Properties

In this section, we continue using the notation of the previous section. Here, we discuss generation of properties for a sequential circuit , i.e. implementation properties. Subsection VI-A considers the case where the reachability diameter is known. (In  we showed that one can use PQE to find without generation of all reachable states.) Subsection VI-B describes an approach to generation of properties when is not known.

### Vi-a The case of known reachability diameter

As we mentioned in Subsection V-C, formula can be obtained by QE on where . Here , , and .

Below we show how one can build a property of by PQE. Let be a clause of . Let be a solution to the PQE problem of taking out of the scope of quantifiers in where . That is . Let us show that is a property of . Let be a state falsifying i.e. in unreachable from an -state in transitions. On one hand, since has the stuttering feature, cannot be reached in transitions where . On the other hand, since , cannot be reached in transitions where . So all states falsifying are unreachable and thus is a property of . By taking different clauses of out of the scope of quantifiers one can generate different implementation properties. Following a procedure similar to that of Fig. 1, one can generate a specification of that is structurally complete.

### Vi-B The case of unknown reachability diameter

Suppose that the reachability diameter of is unknown. Then one needs to modify the procedure of the previous subsection as follows. Let be a solution to the PQE problem of taking out of the scope of quantifiers in where . Assume that . Then is not a property of . One can only guarantee that the states falsifying cannot be reached in at most transitions.

One can turn into a property by using procedure MakeInv shown in Figure 2. MakeInv runs a while loop (lines 1-5). First, MakeInv calls a model checker MC (e.g. IC3 ) to prove property . If MC succeeds, MakeInv returns as a property of . Otherwise, MC finds a counterexample Cex. This means that a state falsifying (and thus unreachable in at most transitions) is reachable in transitions where . Then one needs to relax by replacing it with a property implied by but not falsified by .

One way to relax is to replace it with a solution to the PQE problem of taking out of the scope of quantifiers where . That is . Since the circuit has the stuttering feature, . So just specifies the set of states reachable from -states in one transition. If still falsifies one can use PQE to find the set of states reachable from -states and so on. If does not falsify , the latter is used as a new formula (line 4). If relaxation ends up with a trivial property, MakeInv terminates (line 5). Otherwise a new iteration starts.

By taking different clauses of out of the scope of quantifiers in one can generate different properties of the circuit .

## Vii Conclusions

Incompleteness of a specification Spec creates two problems. First, an implementation Impl of Spec may have some unwanted properties that Spec does not ban. Second, Impl may break some desired properties that are not in Spec. In either case, Spec fails to expose bugs of Impl. In testing, the problem of functional incompleteness is addressed by running a test set that is complete structurally rather than functionally. This structural completeness is achieved by generating tests probing every piece of Impl. We apply this idea to formal verification. Namely, we show that by using a technique called partial quantifier elimination (PQE) one can generate properties probing different parts of Impl. By checking that no property of Impl generated by PQE is unwanted one addresses the first problem above. By updating Spec to make it imply the desired properties of Impl generated by PQE one builds a specification that is structurally complete. One can use a similar approach to address the second problem above .

## References

•  A. R. Bradley (2011) SAT-based model checking without unrolling. In VMCAI, pp. 70–87. Cited by: §VI-B.
•  E. Goldberg and P. Manolios (2014) Partial quantifier elimination. In Proc. of HVC-14, pp. 148–164. Cited by: §I.
•  E. Goldberg On verifying designs with incomplete specification. Note: To be published Cited by: §I, §VII.
•  E. Goldberg (2016) Property checking without invariant generation. Technical report Technical Report arXiv:1602.05829 [cs.LO]. Cited by: §VI.

## Appendix A Generation Of Simple properties

In this appendix, we show that clause splitting can reduce the complexity of PQE and, hence, property generation to essentially linear. For the sake of simplicity, in our exposition, we use a particular clause of an AND gate of (also explaining how this exposition can be extended to an arbitrary clause of an arbitrary gate).

Let be an AND gate of a combinational circuit whose functionality is described by (see Example 1). Let clause be equal to . This clause forces assigning the output variable of to 1 when the input variables and of are assigned 1. Let . (In the general case, is one of the clauses specifying a gate of . The clause has one variable specifying the output of . The remaining variables of correspond to the input variables of .) Consider splitting on the variables of . That is is replaced in with clauses ,, , .

Let denote the clause above. Let denote . Consider the PQE problem of taking out of the scope of quantifiers in . Now we describe a procedure called QuickPQE that solves the PQE problem above. (The proposition below proves QuickPQE correct.) Let denote the assignment to falsifying the literals of .

QuickPQE starts with applying to . Let be the output assignment produced by for . Suppose that and/or are assigned 0 when computing . (In the general case, this means that the clause and hence the clause is satisfied by an assignment to an input variable of the gate .) Then QuickPQE declares redundant claiming that .

If both and are assigned 1, then QuickPQE performs one more run. (In the general case, this means that the literals of corresponding to the input variables of the gate are falsified.) In this run, QuickPQE also applies input but modifies the operation of the gate . Namely, produces the output value 0 (instead of the value 1 implied by assignment ). Note that in the second run, the clause is falsified. One can view the second run as applied to the circuit whose functionality is modified by removing the clause . If the second run produces the same output assignment , then QuickPQE again declares redundant. Now, suppose that outputs an assignment different from . Then, QuickPQE produces a solution consisting of clauses ,…, where

• = (i.e. is the longest clause falsified by );

• are the output variables of assigned differently in and ;

• are literals satisfied by (and falsified by ).

###### Proposition 1

Let be one the clauses specifying a gate of . Let . Let be replaced with with the clauses ,, , obtained by splitting on . Denote the last clause as and the formula as . Consider the PQE problem of taking out of the scope of quantifiers in . Let denote the number of literals of . The QuickPQE procedure above has complexity and produces a correct result.

Proof: The complexity of QuickPQE is linear in because the former performs two test runs, each run having linear complexity in the number of literals of . The term is due to the fact that the solution produced by QuickPQE may consist of clauses of literals (see above).

Now, let us show that QuickPQE produces a correct solution. Let denote the output variable of the gate . Assume for the sake of clarity that contains the positive literal of . So, in the second run of QuickPQE (where and are falsified) the value of is set to 0.

Denote the solution produced by QuickPQE as and so . We prove this equivalence by showing that and are equisatisfiable for every assignment (,) to . (Recall that and specify the input and output variables of the circuit .) Below, we consider the three possible cases.

Case 1. In the first run of QuickPQE, an input variable of the gate is assigned the value satisfying the clause (and hence the clause ). In this case . So one needs to show that for every assignment (,) formulas and are equisatisfiable. Consider the following two subcases.

1. . Then is satisfied by and so and are logically equivalent in subspace (,).

2. = . In this case, is satisfied by an assignment to an input variable of the gate . The latter is true because the execution trace of under input can be obtained by Boolean Constraint Operation (BCP) in subspace over formula . The fact that BCP leads to satisfying means that a clause implying in subspace can be derived by resolving333Let clauses , have opposite literals of exactly one variable . Then clauses , are called resolvable on . The clause having all literals of but those of is called the resolvent of , on . The clause is said to be obtained by resolution on . clauses of . This means that is implied by formula in subspace . So and are logically equivalent in subspace (,).

Case 2. In the first run of QuickPQE, all input variables of the gate are assigned values falsifying . In the second run of QuickPQE, outputs the same assignment as in the first run. In this case, like in the first case, . So one needs to show that for every assignment (,) formulas and are equisatisfiable. Consider the following three subcases.

1. . Then is satisfied by and so and are logically equivalent in subspace (,).

2. and . Let us show that in this case both and are unsatisfiable in subspace (,). Let be a variable assigned differently in and . Let be the literal of falsified by (and satisfied by ). The fact that outputs under input means that implies the clause . So is falsified in subspace (,). The fact that outputs in both runs means that implies clauses and . (Recall that the variable specifies the output of the gate . The variable is assigned 1 in the first run to satisfy because the literals of all other variables of are falsified. The variable is assigned 0 in the second run.) So implies the resolvent of these two clauses equal to . Hence is falsified in subspace (,) too.

3. and . Let us show that in this case and are both satisfiable in subspace (,). Let be the assignment to the variables of produced in the first run of QuickPQE. By definition, the assignment to in is the same as in (,) and hence in (,). Besides, satisfies and hence .

Case 3. In the first run of QuickPQE, all input variables of the gate are assigned values falsifying . In the second run of QuickPQE, outputs an assignment that is different from the assignment output in the second run of QuickPQE. In this case, the solution consists of the clauses ,…, where is the set of variables assigned differently in and . So one needs to show that for every assignment (,) formulas and are equisatisfiable. Consider the following four subcases. (We denote the set of variables where and have the same value as .)

1. . Then and are satisfied by . So and are logically equivalent in subspace (,).

2. and there is a variable that is assigned in differently than in . Then both and are unsatisfiable in subspace (,). This can be shown as in case 2b above.

3. and all variables of are assigned the same value in and and there is a variable that is assigned in as in (i.e. differently from ). Let us show that in this case both and are unsatisfiable in subspace (,). The formula is falsified because it implies the clause that is falsified by (,). The formula is falsified by (,) because it contains the clause .

4. and . Let us show that in this case and are both satisfiable in subspace (,). Let be the assignment to the variables of produced in the first run of QuickPQE. By definition, agrees with assignment (,) and hence with (,). Besides, satisfies and hence . Since also satisfies it satisfies as well.

## Appendix B Any Property Can Be Generated By PQE

Let be a formula specifying a combinational circuit . In this appendix, we prove that by combining clause splitting with PQE one can generate any property of . The procedure used in this proof is not very realistic because it requires an exponential blow-up of the formula. Nevertheless, our result has some practical meaning, which is twofold. First, clause splitting significantly extends the set of properties that can be generated by PQE. Second, there is a set of properties natural to that can be efficiently produced by clause splitting and PQE. Those are the properties that can be generated without an exorbitant amount of clause splitting.

Let be a property of where . So . Let us show that can be obtained by applying PQE to formula where and is obtained from by clause splitting. (So .) Formula is obtained by splitting the clauses of on variables of that is different from that of Definition 5. Namely, a clause is replaced with clauses where is an assignment to and is the longest clause falsified by . Note that if and have opposite literals of a variable then the clause is tautologous and can be removed from the formula . Denote by (respectively ) the clauses where falsifies (respectively satisfies) the property .

###### Proposition 2

The property above is a solution to the PQE problem of taking out of the scope of quantifiers in . That is .

Proof: One needs to show that for every assignment to formulas, and are equisatisfiable in subspace . Consider the following two cases.

• . By construction, is logically equivalent to . The fact that entails that is unsatisfiable in subspace . So both and are unsatisfiable in subspace .

• . By construction, every clause of is satisfied by (because ). So and are logically equivalent in subspace .