Abstract. We present a new SAT-based algorithm for Symbolic Trajectory Evaluation (STE), and compare it to more established SAT-based techniques for STE.
with Bounded Model Checking, but with negligible run-times. Singerman et al. showed how SAT-based STE can be used for bug finding in Generalized Symbolic Trajectory Evaluation (GSTE). This bug finding method is called satGSTE. GSTE [10] is a generalization of STE that can verify properties over infinite time intervals. The core of the satGSTE algorithm is a SAT-based algorithm for (non-generalized) STE, as described above. At Intel, satGSTE is used for debugging and refining GSTE assertion graphs, thereby improving user productivity.
Contributions.
We have developed an alternative, more efficient, method of verifying STE properties using SAT. The idea is that, instead of simulating the circuit and creating a symbolic expression for the weakest trajectory satisfying the antecedent but not the consequent, our algorithm generates a constraint problem that represents all trajectories satisfying the antecedent and not the consequent. We argue that this approach is much better suited for use with a SAT-solver. A second contribution is an alternative STE semantics, that is closely related to our algorithm, and more faithfully describes the behaviour of existing STE algorithms.
In the following, we present our STE semantics, and show how to convert the semantic definitions directly into primitive abstract constraints. We then show how to implement these primitive abstract constraints using a SAT-solver, and compare running times on some benchmarks with other SAT-based approaches.
Preliminaries
Circuits. A circuit is modeled by a set of node names N connected by logical gates and delay elements. S ⊆ N is the set of state holding nodes, used to model delay elements. It is assumed that for every node n in S, there is a node n′ in N that models the value of that node in the next state.
It is common to describe a circuit in the form of a netlist. Here, a netlist is an acyclic list of definitions describing the relations between the values of the nodes. Consider for example the gate-level model of a memory cell circuit in Fig. 1. The netlist of this circuit is also given in Fig. 1. Inverters are not modeled explicitly in our netlists; instead they occur implicitly for each mention of the negation operator ¬ on the inputs of the gates. Delay elements are not mentioned explicitly in the netlist either. Instead, for a register with output node n in the circuit, the input of the delay element is the node n′, which is mentioned in the netlist. So, from the netlist in Fig. 1 it can be derived that the node reg is the output of a delay element with input reg′. The netlists used here do not contain the initial values of delay elements. They are not needed, as the STE abstraction assumes that the initial states of delay elements are unknown. For simplicity, we only allow AND-gates and OR-gates in netlists. It is, however, straightforward to extend this notion of netlists to include more operations.
Values. In STE, we can abstract away from specific Boolean values of a node taken from the set B = {0, 1}, by using the value X, which stands for unknown. The set of signal values is denoted V = {0, 1, X}. On this set an information-ordering ≤ is introduced. The unknown value X contains the least information, so X ≤ 0 and X ≤ 1, while 0 and 1 are incomparable. If v ≤ w it is said that v is weaker than w.
A circuit state, written s : State, is a function from N to V, assigning a value from V to each node in the circuit. A sequence σ : ℕ → State is a function from a point in time to a circuit state, describing the behaviour of a circuit over time. The set of all sequences σ is written Seq.
Trajectory Evaluation Logic. STE assertions have the form A =⇒ C. Here A and C are formulas in Trajectory Evaluation Logic (TEL). The only variables in the logic are time-independent Boolean variables taken from the set V of symbolic variables. The language is given by the following grammar:
where n ∈ N and P is a Boolean propositional formula over the set of symbolic variables V. The operator is is used to make a statement about the Boolean value of a particular node in the circuit, the operator and is conjunction, → is used to make conditional statements, and N is the next time operator. Note that symbolic variables only occur in the Boolean propositional expressions on the left-hand side of an implication. The notation n is P, where P is a Boolean symbolic expression over the set of symbolic variables V, is used to abbreviate the formula: (¬P → n is 0) and (P → n is 1).
The meaning of a TEL formula is defined by a satisfaction relation that relates valuations of the symbolic variables and sequences to TEL formulas. Here, the following notation is used: the time shifting operator σ¹ is defined by σ¹(t)(n) = σ(t + 1)(n). Standard propositional satisfiability is denoted by |=Prop. Satisfaction of a trajectory evaluation logic formula f by a sequence σ ∈ Seq and a valuation φ : V → B is defined as follows:
In STE model-checking two abstractions are used: (1) the value X can be used to abstract from a specific Boolean value of a circuit node, (2) information is only propagated forwards through the circuit (i.e. from inputs to outputs of gates) and through time (i.e. from time t to time t + 1). Given a circuit c, a trajectory is a sequence that meets the constraints of the circuit c, taking these abstractions into account. An STE-assertion A =⇒ C holds if each trajectory that satisfies A also satisfies C.
For instance, for the memory cell given in Fig. 1 , consider the assertion: p is 1 =⇒ reg is 1. The antecedent specifies the value 1 for node p, so each trajectory satisfying the antecedent should give node p value 1. As node reg is the output of an OR-gate with input node p, the node reg is, by forwards propagation, required to have value 1 in each such trajectory. Therefore the assertion is true in STE.
The assertion p is 1 =⇒ set is 1 is, however, not true. Node set is the input to an AND-gate with output node p. But, as there is no backwards propagation of information in STE, a trajectory for the memory cell is allowed to give node p value 1 while giving node set value X at the same time point.
Also the assertion (in is 1) and (reg is 1) =⇒ (reg is 1) is not true in STE. Although for each Boolean value of node set, node reg is, by forwards propagation, required to have value 1, the sequence giving both node set and reg value X is a trajectory that satisfies the antecedent but not the consequent.
Semantics. Below we define a new semantics for STE. The reason we give a new semantics here is that the "classic" semantics of STE [7]
The state 0X0 is in the stable state set, because if p = 0 then r = 0, but no new information about q can be derived. Also, XX1 is in the stable state set; the reason is that from r = 1, we cannot derive information about p or q by means of forwards propagation. The state 11X is not in the stable state set of the circuit; when p = 1 and q = 1, forwards propagation requires that also the output has value 1.
Given the netlist of a circuit, the circuit's stable state set is constructed by taking the intersection of all stable state sets belonging to each of the gates. The stable state sets of AND- and OR-gates with inputs p and q and output r are written F AND (p, q, r) and F OR (p, q, r), respectively. The definition of F AND (p, q, r) is given in Example 1. The set F OR (p, q, r) is defined similarly. Here, note that the stable state set of a gate is a set of states of the whole circuit and not a set of states of only the inputs and outputs of the gate.
Consider the states s 1 , s 2 given in Fig. 3 . State s 1 is in the stable state set F c as all node assignments are consistent and no new information can be derived. State s 2 given in Fig. 3 is also in the stable state set of the memory cell as from the node-assignment p = 0 no information can be derived by forwards propagation of information.
Trajectories.
A trajectory is a sequence in which no more information can be derived by forwards propagation of information. Recall that for every delay element with output n the input to the delay element is called n′. Therefore, in a trajectory, the value of node n′ at time t should be propagated to node n at time t + 1.
So, a sequence σ is a trajectory if for each time point t ∈ ℕ: (1) the state σ(t) is a stable state, and (2) for each state holding node n ∈ S, the value of node n at time t + 1 contains at least the same information as the value of node n′ at time t. More formally, the set of trajectories of a circuit c, written F→c ⊆ Seq, is defined by:
Stable Semantics of STE.
Using the definition of trajectories of a circuit, we can now define the semantics of an STE assertion. A circuit c satisfies a trajectory assertion A =⇒ C, written c |= → A =⇒ C iff for every valuation φ ∈ V → B of the symbolic variables, and for every trajectory τ of c, it holds that:
Counter Examples. A valuation φ together with a trajectory τ that satisfies A but not C form a counter example of the STE assertion. Because any given STE assertion only refers to a finite number of points in time, only a finite part of the trajectory τ contains interesting information about the counter example. We call the depth d of an assertion the maximum number of nested occurrences of the next time operator N. In order to construct a counter example for an assertion of depth d, it is enough to only consider the first d time points of the trajectory. We will use this fact in the next section.
A Constraint-Based Algorithm for STE
In this section, we describe how an STE assertion can be checked using a constraint solver that can solve sets of constraints built-up from a small set of primitive abstract constraints with a well-defined meaning. In the next section, we show how to concretely represent each of these primitive abstract constraints as a set of clauses in a SAT solver.
Constraints. A constraint S ∈ Constraint(D) on a domain D is a syntactic object that restricts the elements of D to the set of solutions of the constraint. The semantics of constraints is given by the function sol : Constraint(D) → P(D), yielding all solutions of a given constraint. Constraints can be combined by the conjunction operator &. The solution set of a conjunction of two constraints is the intersection of their sets of solutions, that is:
In the following, we present a constraint-based algorithm for STE. The idea is to translate a circuit c and an STE assertion A =⇒ C into a constraint S, such that the STE assertion holds for the circuit if and only if the constraint S has no solutions. Each solution to S represents a counter example, a valuation φ and a trajectory τ that together satisfy A but not C.
Domain.
The solution domain D of our constraints consists of pairs (φ, σ) of valuations and sequences. For an STE assertion of depth d, we need only to consider the first d points in time. Therefore, the sequence part of a solution (φ, σ) is a function from time points {0, . . . , d} to states.
Given a circuit c and an assertion A =⇒ C, the final constraint for the STE problem, written CEX(c |= A =⇒ C), consists of 3 parts: (1) constraints that restrict the first d time points of the sequences considered to be the first d time points of trajectories of the circuit c, (2) constraints that restrict the sequences and valuations considered to satisfy the antecedent A, and (3) constraints that restrict the sequences and valuations considered to not satisfy the consequent C. Thus, if we find a solution that satisfies all three parts, we have found a counter example to the STE assertion. If we show that no such solution exists, we have shown that the STE assertion holds.
Trajectory Constraint. Given a circuit c with stable state set F c , we denote the constraint that restricts the first d time steps of the solutions to be trajectories of c by TRAJ (F c , d ). It consists of stable state constraints, denoted STABLE(F c , t), that restrict each point in time t to be a stable state w.r.t. F c , and of transition constraints, denoted TRANS(t, t + 1), that connect the state holding nodes for each point in time t to the next point in time t + 1:
For a given STE assertion of depth d, only the first d points in time of a trajectory are interesting, and thus we only create constraints for those first d time steps.
The definition of the constraint STABLE(F c , t) makes use of the primitive abstract constraints for the AND-and OR-gates, denoted AND(p t , q t , r t ) and OR(p t , q t , r t ). Here the notation n t refers to the value of node n at time point t. We show how to concretely implement these constraints in the next section. For now, it is only important to know that the solutions to the constraints are exactly the ones allowed by their stable state sets. For example, for the AND-gate constraint it holds:
To build the constraint STABLE(F c , t) for the stable state of the circuit, we simply follow the structure of the netlist and conjoin the constraints for each gate together.
Example 3. The stable state constraint for the memory cell is given by:
For a given point in time t, and a circuit c, the transition constraint TRANS(t, t + 1) is built up from primitive abstract constraints of the form LT(n t1 ≤ m t2 ). The constraint LT(n t1 ≤ m t2 ) demands that the value of node n at time t 1 is weaker than the value of node m at time t 2 . Here, we require:
The definition of the constraint TRANS(t, t + 1) then becomes:
Example 4. For the memory cell, TRAJ(F c , 2) is given by:
Proposition 1. For any circuit c, it holds that:
Antecedent Constraint. In order to build the constraint for the antecedent, we need to define the concept of defining formula. Given an antecedent A, a node name n, a Boolean value b ∈ B, and a time point t, we can construct a propositional formula that is true exactly when A requires the node n to have value b at time point t. This formula is called the defining formula, and is denoted by A (t)(n = b).
is the formula a ∧ b, since only when a ∧ b holds, does A require the node in to be 0. However, A (0)(in = 1) is the false formula 0, since A never requires the node in to be 1.
The defining formula is defined recursively as follows:
Note that for an antecedent of the form f 1 and f 2 to require that a node has a value, it is enough that one of the formulas f 1 or f 2 requires this. The third primitive abstract constraint is called an implication constraint, and given a propositional formula P, a node n, a time point t, and a Boolean value b, is written IMPLIES( P → (n t = b) ). The meaning of this constraint is required to be:
Lastly, the constraint for the antecedent, written SAT(A), is defined by:
In other words, we take the conjunction of all requirements that the antecedent A might have on any node n at any time t with any value b.
Example 6. For the TEL formula A = (in is a):
Consequent Constraint. For the consequent, we should add a constraint that negates the requirements of the consequent on the values of the circuit nodes. In order to do so, we introduce a fresh symbolic variable k n t for each node n ∈ N and time point t ∈ {0, . . . , d}. We force the variable k n t to have value 0 if node n at time t satisfies the requirements of the consequent C. There are three cases when this happens: (1) C requires node n at time t to have value 1 and it has indeed value 1. (2) C requires node n at time t to have value 0 and it has indeed value 0. (3) C has no requirements on node n at time t. Finally, a constraint is introduced that requires that at least one of the k n t has value 1. This constrains the set of solutions to contain only solutions where at least one of the requirements of C is not fulfilled.
For the definition of negation of the consequent, two more primitive abstract implication constraints are introduced:
IMPLIES( (P and (n
The meaning of these constraints is given by:
sol(IMPLIES( (P and (n
Furthermore, a primitive abstract constraint that demands that at least one of the k n t has value 1, written EXISTS(k n t = 1) is needed. The meaning of this constraint is given by:
Finally, the constraint for the negation of the consequent C, written NSAT(C), is defined below. Here, the first three constraints match the three cases given above.
Example 7. For C = (a → (reg is 0)) and (b → (reg is 1)), NSAT(C) is given by:
Proposition 3. For every TEL-formula C:
The Constraint for an STE Assertion. The final constraint for an STE assertion is written CEX(c |= A =⇒ C) and is defined by combining the trajectory constraint, the constraint for the antecedent, and the constraint for the negation of the consequent.
CEX(c |= A =⇒ C) = TRAJ(F c , d) & SAT(A) & NSAT(C)
The correctness of the constraint formulation follows from Propositions 1, 2 and 3.
Proposition 4. For each circuit c and STE-assertion A =⇒ C: c |=→ A =⇒ C ⇔ sol(CEX(c |= A =⇒ C)) = ∅
Reducing Constraints to SAT-Problems
In this section, we show how we can instantiate the abstract constraints of the previous section to concrete SAT problems using a dual-rail encoding. First, we briefly restate the concept of a SAT-problem.
SAT Problems. A SAT-problem consists of a set of variables W and a set of clauses.
A literal is either a variable v or a negated variable ¬v. An assignment is a mapping a : W → {0, 1}. For a negated variable ¬v, we define a(¬v) = ¬a(v). A clause, written c = v₁ ∨ v₂ ∨ ... ∨ vₙ, is said to be satisfied by an assignment a if there exists an i such that 1 ≤ i ≤ n and a(vᵢ) = 1. A SAT-problem S is satisfied by an assignment a, written a |= S, if a satisfies every clause of S. The set of all satisfying assignments of a SAT-problem S is denoted sa(S).
SAT Problem for an STE Assertion. Given an STE assertion A =⇒ C for a circuit c, the SAT problem for the assertion is denoted CEX SAT (c |= A =⇒ C). This concrete SAT-problem is built up from concrete primitive constraints in the same way as the abstract constraint CEX(c |= A =⇒ C) is built up from primitive abstract constraints in the previous section. So, in this section we only need to show how the primitive abstract constraints can be instantiated to concrete SAT problems.
The SAT-problem generated for an STE-assertion of depth d contains a SAT-variable v for each variable v in the set of symbolic variables V. Furthermore, for each node n in the set of nodes N of the circuit c, and for each time point 0 ≤ t ≤ d, two SAT-variables are introduced, written n⁰ₜ and n¹ₜ. The two variables n⁰ₜ and n¹ₜ encode the ternary value of node n at time t using a dual-rail encoding. If both variables are false, the value of node n at time t is X. If n⁰ₜ is true and n¹ₜ is false, the node has value 0; if n⁰ₜ is false and n¹ₜ is true, the node has value 1. We exclude the possibility that both n⁰ₜ and n¹ₜ are true by adding a clause ¬n⁰ₜ ∨ ¬n¹ₜ to the SAT-problem for each n and t. The function mapping a dual-rail encoded ternary value to the ternary value itself, written tern, is defined by: tern(0, 0) = X, tern(1, 0) = 0, and tern(0, 1) = 1.
Concrete SAT-Problems for Comparing Node Values. The SAT-problem for the constraint LT(n t1 ≤ m t2) is defined below. The first clause makes sure that if node n has value 0 at time t₁, node m at time t₂ has that value as well. The next clause states the same requirement for value 1.
For all t₁, t₂ ∈ ℕ and n, m ∈ N:
Concrete SAT-Problems for Implications. Methods to convert an arbitrary Boolean propositional formula to clauses are well-known. Typically, these methods introduce a fresh SAT-variable for each subexpression of the formula. Here, we abstract away from the details of such a method, and assume the existence of functions cnf and lit that convert a Boolean propositional formula P over the set of variables V to a set of clauses cnf(P) over a set of variables V′ ⊇ V and a corresponding literal lit(P) such that (1) for all assignments a : V → {0, 1} there exists an assignment a′ : V′ → {0, 1} extending a such that a′ |= cnf(P), and (2) for all assignments a : V → {0, 1} the following holds:
Here a(P ) stands for the valuation of the expression P w.r.t. the assignment a. Using these functions, the concrete SAT-problems for the implication constraints are defined. Given a Boolean propositional expression P , node n ∈ N , time point t ∈ N, the SAT problems for implications are defined as:
For each Boolean propositional expression P, node n ∈ N, time point t ∈ ℕ and b ∈ {0, 1}, the following holds:
Finally, the concrete SAT-problem for the abstract constraint EXISTS(k n t = 1) is needed. The constraint is constructed as a disjunction of all k n t where n ranges over the set of nodes of the circuit, and t over the time points 0 to d.
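As an added worked example (not the paper's code), the following Python carries the construction of Sects. 4 and 5 through end to end: the dual-rail encoding, the forward-propagation-only clauses for AND- and OR-gates, the LT, IMPLIES and EXISTS constraints, the defining formula, and a small DPLL loop standing in for MiniSAT. The memory-cell netlist (p = set AND in, q = NOT set AND reg, reg′ = p OR q) is a constructed stand-in for Fig. 1, and guards in TEL formulas are restricted to single symbolic literals so that defining formulas can be kept in DNF.

```python
# Constructed netlist (hypothetical, not the paper's Fig. 1): p = set AND in,
# q = (NOT set) AND reg, reg' = p OR q; reg is a delay element whose input is reg'.
NETLIST = [("AND", ("set", False), ("in", False), "p"),
           ("AND", ("set", True), ("reg", False), "q"),
           ("OR", ("p", False), ("q", False), "reg'")]
STATE = {"reg": "reg'"}                      # state holding node -> its next-state node
NODES = ["set", "in", "reg", "p", "q", "reg'"]

def defining(f, t, node, b):
    """Defining formula f(t)(node = b) as a DNF: a list of cubes of (symvar, negated) guards."""
    if f[0] == "is":
        return [()] if (t == 0 and f[1] == node and f[2] == b) else []
    if f[0] == "and":
        return defining(f[1], t, node, b) + defining(f[2], t, node, b)
    if f[0] == "imp":                        # P -> g: conjoin the guard onto every cube of g
        return [(f[1],) + c for c in defining(f[2], t, node, b)]
    return defining(f[1], t - 1, node, b) if t > 0 else []           # N g

def depth(f):
    """Depth d of a TEL formula: the maximum nesting of the next-time operator N."""
    if f[0] == "is": return 0
    if f[0] == "N": return 1 + depth(f[1])
    return depth(f[2]) if f[0] == "imp" else max(depth(f[1]), depth(f[2]))

class Encoder:
    def __init__(self): self.ids, self.clauses = {}, []
    def var(self, key): return self.ids.setdefault(key, len(self.ids) + 1)
    def add(self, *lits): self.clauses.append(tuple(lits))
    def glit(self, g):                       # symbolic guard (name, negated) -> SAT literal
        return -self.var(("sym", g[0])) if g[1] else self.var(("sym", g[0]))
    def rails(self, node, t, neg=False):
        """Dual rail (zero-rail, one-rail) of node_t; an inverter on an input swaps the rails."""
        r0, r1 = self.var(("node", node, t, 0)), self.var(("node", node, t, 1))
        return (r1, r0) if neg else (r0, r1)
    def gate(self, kind, a, b, out, t):
        """AND(p,q,r): p=0 -> r=0, q=0 -> r=0, p=1 & q=1 -> r=1 (forward propagation only); OR is dual."""
        a0, a1 = self.rails(a[0], t, a[1]); b0, b1 = self.rails(b[0], t, b[1])
        o0, o1 = self.rails(out, t)
        if kind == "OR": a0, a1, b0, b1, o0, o1 = a1, a0, b1, b0, o1, o0
        self.add(-a0, o0); self.add(-b0, o0); self.add(-a1, -b1, o1)
    def traj(self, netlist, state, nodes, d):
        """TRAJ(F_c, d): STABLE(F_c, t) for t = 0..d and TRANS(t, t+1) = LT(n'_t <= n_{t+1})."""
        for t in range(d + 1):
            for n in nodes: self.add(-self.rails(n, t)[0], -self.rails(n, t)[1])   # never both rails
            for g in netlist: self.gate(*g, t)
            for n, nxt in (state.items() if t < d else ()):
                for r in (0, 1): self.add(-self.rails(nxt, t)[r], self.rails(n, t + 1)[r])
    def antecedent(self, A, nodes, d):
        """SAT(A): IMPLIES(A(t)(n = b) -> n_t = b) for every node, time point and value."""
        for t in range(d + 1):
            for n in nodes:
                for b in (0, 1):
                    for cube in defining(A, t, n, b):
                        self.add(*[-self.glit(g) for g in cube], self.rails(n, t)[b])
    def neg_consequent(self, C, nodes, d):
        """NSAT(C): k_{n,t} forced to 0 when C's requirement on n_t is met or absent, then EXISTS(k = 1)."""
        ks = []
        for t in range(d + 1):
            for n in nodes:
                k = self.var(("k", n, t)); ks.append(k); active = []
                for b in (0, 1):
                    for cube in defining(C, t, n, b):
                        self.add(*[-self.glit(g) for g in cube], -self.rails(n, t)[b], -k)
                        a = self.var(("cube", n, t, b, cube))       # a -> the guard cube holds
                        for g in cube: self.add(-a, self.glit(g))
                        active.append(a)
                self.add(-k, *active)                               # no requirement on n_t -> k = 0
        self.add(*ks)                                               # at least one k_{n,t} = 1

def dpll(clauses, assigned=()):
    """Tiny DPLL (unit propagation plus splitting) standing in for MiniSAT; returns true literals."""
    if any(not c for c in clauses): return None
    if not clauses: return set(assigned)
    unit = next((c[0] for c in clauses if len(c) == 1), None)
    for lit in ((unit,) if unit is not None else (clauses[0][0], -clauses[0][0])):
        model = dpll([tuple(l for l in c if l != -lit) for c in clauses if lit not in c], assigned + (lit,))
        if model is not None: return model
    return None

def is_sym(n, v):
    """n is v for a symbolic variable v abbreviates (NOT v -> n is 0) and (v -> n is 1)."""
    return ("and", ("imp", (v, True), ("is", n, 0)), ("imp", (v, False), ("is", n, 1)))

def check(A, C, netlist=NETLIST, state=STATE, nodes=NODES):
    """Solve CEX(c |= A ==> C) = TRAJ & SAT(A) & NSAT(C): None if the assertion holds, else a
    counter example (valuation of the symbolic variables, ternary value of every node and time)."""
    d = max(depth(A), depth(C))
    enc = Encoder()
    enc.traj(netlist, state, nodes, d); enc.antecedent(A, nodes, d); enc.neg_consequent(C, nodes, d)
    model = dpll(enc.clauses)
    if model is None: return None
    tern = {(False, False): "X", (True, False): "0", (False, True): "1"}
    valuation = {key[1]: v in model for key, v in enc.ids.items() if key[0] == "sym"}
    seq = {(n, t): tern[tuple(r in model for r in enc.rails(n, t))] for n in nodes for t in range(d + 1)}
    return valuation, seq

if __name__ == "__main__":
    print(check(("is", "p", 1), ("N", ("is", "reg", 1))))   # None: p = 1 propagates forwards to reg
    print(check(("is", "p", 1), ("is", "set", 1)))          # counter example: set stays X
```

The second call reproduces the "no backwards propagation" counter example of Sect. 2: p is forced to 1 while set remains X, and the symbolic variant check(is_sym("in", "v"), ("N", is_sym("reg", "v"))) fails for the same reason, returning a valuation of v alongside the trajectory.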
Constraint vs. Simulation Based SAT-STE
The main difference between simulation-based SAT-STE and constraint-based SAT-STE is that the former generates a SAT problem representing the set of weakest trajectories satisfying the antecedent but not the consequent, while the latter generates a SAT problem that represents all such trajectories. For this reason, simulation-based SAT-STE generates much larger SAT-problems.
The difference in generated SAT-problems can be illustrated by considering a single AND-gate with input nodes p and q and output r. This AND-gate is assumed to be part of a larger circuit, but here we consider only the clauses generated for the AND-gate. In constraint-based SAT-STE, clauses are generated that make sure that the solutions represent all trajectories. In simulation-based SAT-STE, however, the set of solutions to the SAT-problem represents only the set of weakest trajectories. Therefore, the clauses for the AND-gate not only contain the clauses mentioned in Sect. 5, but also require the following: if forward propagation cannot derive a Boolean value for the output, then the output has value X. The following extra requirements are thus generated: if p = q = X then r = X, if p = X and q = 1 then r = X, and if p = 1 and q = X then r = X. So, for an AND-gate, simulation-based SAT-STE requires twice as many clauses as constraint-based STE. A similar result holds for other gates. Therefore, simulation-based SAT-STE generates much larger SAT-problems than constraint-based STE.
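An added illustration (not from the paper) of Example 1 and of the clause-count argument above: it enumerates all 27 ternary states of a single AND-gate, checks them against the three forward-propagation clauses of constraint-based SAT-STE and against the doubled clause set a simulation-based encoding needs (the converse clauses, which force r to X when nothing can be propagated), and shows that the former yields the stable state set F AND while the latter admits only the weakest trajectories.

```python
from itertools import product

def rails(v):
    """Dual-rail encoding of a ternary value: (zero-rail, one-rail)."""
    return {"X": (0, 0), "0": (1, 0), "1": (0, 1)}[v]

# Clauses over the rails p0, p1, q0, q1, r0, r1 of AND(p, q, r); a literal is (rail, wanted value).
# Constraint-based SAT-STE: forward propagation only, i.e. exactly the stable state set F_AND.
CON_AND = [(("p0", 0), ("r0", 1)),                    # p = 0 -> r = 0
           (("q0", 0), ("r0", 1)),                    # q = 0 -> r = 0
           (("p1", 0), ("q1", 0), ("r1", 1))]         # p = 1 and q = 1 -> r = 1
# Simulation-based SAT-STE additionally fixes r0 <-> (p0 or q0) and r1 <-> (p1 and q1), so that
# an X input that cannot be propagated leaves r = X; this doubles the clause count.
SIM_AND = CON_AND + [(("r0", 0), ("p0", 1), ("q0", 1)),   # r = 0 only if p = 0 or q = 0
                     (("r1", 0), ("p1", 1)),              # r = 1 only if p = 1 ...
                     (("r1", 0), ("q1", 1))]              # ... and q = 1

def satisfied(clauses, state):
    """Does the dual-rail encoding of the ternary state pqr (e.g. "0X0") satisfy every clause?"""
    a = {}
    for node, v in zip("pqr", state):
        a[node + "0"], a[node + "1"] = rails(v)
    return all(any(a[rail] == want for rail, want in c) for c in clauses)

def states(clauses):
    """All ternary states pqr admitted by the clauses."""
    return {"".join(s) for s in product("01X", repeat=3) if satisfied(clauses, s)}

STABLE = states(CON_AND)     # F_AND: 15 states, e.g. 0X0 and XX1 are in, 11X is not
WEAKEST = states(SIM_AND)    # 9 states: exactly one output value per input pair
```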
Optimization. An advantage of STE is that when model checking a small part of a large circuit (for instance an adder within a complete microprocessor) we can set the inputs to the irrelevant parts of the circuit to X. Then, during simulation, all node values of the irrelevant parts receive value X, and only the values of the nodes in the part of interest are represented in the resulting symbolic expressions for the weakest trajectory.
In our algorithm, we represent all trajectories. Therefore, in the pure form of the algorithm, constraints are generated for all gates, even for the gates for which the output node would directly receive value X in a simulation based algorithm. Therefore, we apply a simple and light-weight optimization to our algorithm: if symbolic simulation yields a scalar value (0, 1 or X) for a node, the node receives this value in our algorithm and no constraints are generated for the gates driving the node. For all other gates constraints are generated as described in Sect. 5.
Results
We have implemented two algorithms: CON-SAT STE, performing constraint-based SAT-STE, and SIM-SAT STE, performing simulation-based SAT-STE. We compare the CON-SAT and SIM-SAT algorithms with each other.
As a reference point, we also compare with Bounded Model Checking (BMC) [2] . BMC can be used to verify STE assertions by interpreting the assertion as an LTL formula; the completeness threshold [2] is simply the depth of the assertion. Note that BMC solves a different problem, as it does not use STE's three-valued abstraction.
To make the comparison between the algorithms fair, the same SAT-solver (the latest version of MiniSAT [8]) is used for all methods. The benchmarks were run on a cluster of PCs with AMD Barton XP2800+ processors and each with one gigabyte of memory. First, we performed benchmarks on instances of generically-sized circuits, designed by ourselves. The properties we consider for these circuits are: (1) shifter-w; for a variable shifter of width w, full correctness using symbolic indexing [5], (2) (tree-)mem-a-d; for a (tree shaped) memory with address width a and data width d, the property that reading an address after writing a value to it yields the same value, and (3) con-c-a-d; for a memory controller with a cache of address width c, a memory of address width a and data width d, the property that reading an address after writing yields the same value, both for the cache and the memory. The times needed to solve the problems and the numbers of variables and clauses in each SAT-problem are given in Fig. 4.
The results show, as expected, that the numbers of SAT variables for CON-SAT-STE and SIM-SAT-STE are about equal: two variables are introduced for each relevant node and time point. Also as expected, the number of clauses is much larger for SIM-SAT-STE, as explained in Sect. 6. Furthermore, CON-SAT-STE solves the STE problems much faster than SIM-SAT-STE, something we believe is caused by the reduction in problem size.
For the shifter-w and mem-a-d benchmarks, CON-SAT STE performs better than BMC. For the tree-mem-a-d and con-c-a-d benchmarks the two methods perform comparably. So, in some cases the abstractions used in STE can be beneficial when using SAT-based methods. The reader should, however, realize that the point of this paper is not to advocate the usage of SAT-based STE over BMC or BDD-based STE. Bjesse et al. and Singerman et al. have already shown that SAT-based STE is a useful complement to BDD-based STE and BMC in industrial settings [3, 9]. The point of this paper is to present an algorithm that improves upon the algorithms used by Bjesse and Singerman.
The second set of circuits have been supplied to us by Intel Strategic CAD Labs. The circuits are part of a tutorial for GSTE. In Fig. 5 [5]. The CAM contains 16 entries, has a data-width of 64 bits and a tag-width of 8 bits. For the memory, the property that reading address D after writing value V to address D yields value V is verified. Standard symbolic indexing is used. The memory has an address-width of 6 bits, and a data-width of 128 bits. Pandey et al. show in [5] that verifying the associative read property of CAMs using BDD-based STE is highly non-trivial. The problem is that the straightforward specification (which they call the full encoding) of the property leads to a BDD blow-up. They present an improved specification, called the plain encoding, that results in smaller BDDs, but that still causes a BDD blow-up. Only the most efficient (and complex) specification they introduce, called the cam encoding, yields small enough BDDs to make verification of the property go through.
Also for these benchmarks, CON-SAT-STE produces smaller and easier to solve SAT-problems than SIM-SAT-STE. Moreover, the experiments confirm the results of Pandey et al.: BDD-based STE cannot be used to verify CAMs using the full or plain encoding. In these experiments, the performance of SAT-based STE is more robust. No matter which encoding is used for verifying the associative read property of the CAM, the SAT-based methods manage to verify the property. This can be explained as follows. The efficiency of a BDD-based STE verification run is highly dependent on the number of variables in the BDDs involved. BDD-based verification methods are usually not able to handle problems with more than several hundred variables. Therefore, symbolic indexing methods minimizing the number of symbolic variables in an STE-assertion are crucial to the efficiency of BDD-based STE. SAT-solvers, on the other hand, have proved to be much less dependent on the number of variables. Therefore, symbolic indexing techniques, minimizing the number of variables, are much less relevant for SAT-based STE.
Reflection. Constraint-based SAT-STE generates smaller problems that are easier to solve than simulation-based SAT-STE, on all our benchmarks. We realize that the problem set we used is quite limited, but we believe it nevertheless indicates the usefulness of our approach.
Plain BMC sometimes outperforms SAT-based STE. Although this is an interesting observation, BMC cannot replace SAT-based STE because it implements a different semantics. For instance, at Intel, the satGSTE tool is used to help develop specifications in GSTE model checking [9]. Here, SAT-based STE is used to get quick feedback when debugging or refining a GSTE assertion graph. In this setting, it is essential to have a model checking method that implements the same semantics as BDD-based STE, but is not as sensitive to BDD blow-up. This is where SAT-based STE comes in.
Conclusions and Future Work
Bjesse et al. and Singerman et al. have shown that SAT-based STE is a useful complement to BDD-based STE and BMC in industrial settings [3, 9] . Their algorithms are based on simulation, and generate a SAT-problem that represents the set of weakest trajectories satisfying the antecedent but not the consequent of an STE assertion.
We have presented a new constraint-based SAT-algorithm for STE. Instead of generating a SAT-problem that represents the set of weakest trajectories satisfying the antecedent but not the consequent, our algorithm generates a SAT problem whose solutions represent all trajectories satisfying the antecedent but not the consequent. The advantage of representing the set of all such trajectories in the SAT problem (instead of just the weakest trajectories) is that smaller SAT-problems are generated.
Benchmarks, both on circuits designed by ourselves and on circuits taken from Intel's GSTE tutorial, show that our constraint based SAT algorithm for STE performs significantly better than current simulation based algorithms.
Future Work. Intel's satGSTE tool [9] is a bug finding method for GSTE; it implements a bounded version of GSTE: only a finite subset of all finite paths in a GSTE assertion graph is considered. Currently the core of the satGSTE tool is a simulation-based SAT-STE algorithm. We conjecture that replacing this core with a constraint-based SAT-STE algorithm might significantly improve the performance of the tool.
Furthermore, we would like to investigate whether we can use SAT for doing full (unbounded) GSTE model checking. Finally, in (G)STE finding the right specification can be very time consuming. Therefore, we would like to investigate whether SAT can be used to implement a form of automatic specification refinement for (G)STE.
