In formal verification, we verify that a system is correct with respect to a specification. Even when the system is proven to be correct, there is still a question of how complete the specification is and whether it really covers all the behaviors of the system. The challenge of making the verification process as exhaustive as possible is even more crucial in simulation-based verification, where the infeasible task of checking all input sequences is replaced by checking a test suite consisting of a finite subset of them. It is very important to measure the exhaustiveness of the test suite, and indeed there has been extensive research in the simulation-based verification community on coverage metrics, which provide such a measure. It turns out that no single measure can be absolute, leading to the development of numerous coverage metrics whose usage is determined by industrial verification methodologies. On the other hand, prior research of coverage in formal verification has focused solely on state-based coverage. In this paper we adapt the work done on coverage in simulation-based verification to the formal-verification setting in order to obtain new coverage metrics. Thus, for each of the metrics used in simulation-based verification, we present a corresponding metric that is suitable for the setting of formal verification and describe an algorithmic way to check it.
Introduction
Today's rapid development of complex hardware designs requires reliable verification methods. In formal verification, we verify the correctness of a design with respect to a desired behavior by checking whether a labeled state-transition graph that models the design satisfies a specification of this behavior, expressed in terms of a temporal logic formula or a finite automaton [17] . Beyond being fully automatic and reliable, an additional attraction of formal-verification tools is their ability to accompany a negative answer to the correctness query by a counterexample to the satisfaction of the specification in the design [16] . On the other hand, when the answer to the correctness query is positive, most formalverification tools terminate with no further information to the user. Since a positive answer means that the design is correct with respect to the specification, this seems like a reasonable policy. In the last few years, however, there has been growing awareness of the importance of suspecting the design of containing an error also in the case where verification succeeds. The main justification for such a suspicion is possible errors in the modeling of the design or of the behavior and possible incompleteness in the specification.
Several sanity checks have been suggested for further assessment of the modeling of the design and the specification [31] . One direction is to detect vacuous satisfaction of the specification [4, 30, 36] , where cases like antecedent failure [3] make parts of the specification irrelevant to its satisfaction. For example, the specification "every request is eventually granted" is vacuously satisfied in a design in which no requests are sent. A similar direction is to check the validity of the specification (a specification is valid if it holds for all designs). Clearly, vacuity or validity of the specification suggests some problem. It is less clear how to check completeness of the specification. Indeed, it is only rarely that there is a priori complete specification for the system under design (e.g., the IA-32 architecture). Typically, specifications are written manually, and their completeness depends entirely on the competence of the person who writes them. The motivation for a completeness check is clear: an erroneous behavior of the design can escape the verification efforts if this behavior is not captured by the specification. In fact, it is likely that a behavior not captured by the specification will also escape the attention of the designer, who is often the one to provide the specification.
The challenge of making the verification process as exhaustive as possible is even more crucial in simulation-based verification. Each input vector for the design induces a different execution of it, and a design is correct if it behaves as required for all possible input vectors. Checking all the executions of a design is an infeasible task. Simulation-based verification is traditionally used to check the design with respect to some input vectors [5] . The vectors are chosen so that the verification would be as exhaustive as possible, but still, design errors may escape the verification process. Since simulation-based verification is a heuristic that replaces the infeasible task of checking all input vectors, it is very important to measure the exhaustiveness of the input sequences that are checked. Indeed, there has been extensive research in the simulation-based verification community on coverage metrics, which provide such a measure [38] . Coverage metrics are used in order to monitor progress of the verification process, estimate whether more input sequences are needed, and direct simulation toward unexplored areas of the design. Essentially, the metrics measure the part of the design that has been activated by the input sequences. For example, in code-based coverage metrics, the design is given as a program in some hardware description language (HDL), and one measures the number of code lines executed during the simulation. In Sect. 3, we survey the variety of metrics that are used in simulation-based verification (see also [19, 35, 38, 43] ). Coverage metrics today play an important role in design validation efforts [42] .
Measuring the exhaustiveness of a specification in formal verification ("do more properties need to be checked?") has a similar flavor as measuring the exhaustiveness of the input sequences in simulation-based verification ("do more sequences need to be checked?"). Nevertheless, while for simulation-based verification it is clear that coverage corresponds to activation during the execution on the input sequence, it is less clear what coverage should correspond to in formal verification, as in model checking all reachable parts of the design are visited. Early work on coverage metrics in formal verification [26, 29] suggested two directions. Both directions reason about a finite-state machine (FSM) that models the design. The metric in [26] , later followed by [13, 14, 15] , is based on mutations applied to the FSM. Essentially, a state s in the FSM is covered by the specification if modifying the value of a variable in the state renders the specification untrue. The metric in [29] is based on a comparison between the FSM and a reduced tableau for the specification. See [15] for a discussion of pros and cons of this metric.
Coming up with an exhaustive specification is of great importance and challenge in formal verification. Sanity checks in formal verification have been helpful in detecting design errors that escape the verification process [4, 26, 36] . The main lesson to be learned from several years of research in coverage in simulation-based verification [35, 38] is that coverage is a heuristic that measures the exhaustiveness of the verification effort, but no single measure can be absolute. Consequently, research in simulation-based coverage has identified numerous coverage metrics; their usage is determined by practical verification methodologies. Prior research of coverage in formal verification [13, 14, 15, 26, 29] has focused solely on state-based coverage. In contrast, in simulation-based coverage one finds many other coverage metrics, including several metrics of code coverage, which establish that all syntactic aspects of the design have been covered [35, 38] . Our goal in this paper is to adapt the work done on coverage in simulation-based verification to the formal-verification setting in order to obtain new coverage metrics. Thus, for each of the metrics used in simulationbased verification, we present a corresponding metric that is suitable for the setting of formal verification. In addition, we describe symbolic algorithms for computing each of the new metrics.
The adoption of metrics from simulation-based verification is not straightforward. To see this, consider for example code-based coverage and a check of whether both branches of an if statement have been executed during the simulation. A straightforward adoption would check the satisfaction of the specification in a mutant design, one for each branch, in which the branch is disabled. Such a mutant design, however, has fewer behaviors than the original design and would clearly satisfy all universal specifications (i.e., specifications that apply to all behaviors, as in linear temporal logic or universal branching temporal logic, in which the only allowed path quantifier is universal [21] ) that are satisfied by the original design. In general, the problem we are facing is the need to assess the role a behavior has played in the satisfaction of a universal specification -one that is clearly satisfied in the design obtained by removing this behavior. The way we suggest doing this is to check whether the specification is vacuously satisfied in a mutant design in which this behavior is disabled: a vacuous satisfaction of the specification in such a design (we assume that the specification is not vacuously satisfied in the original design) indicates that the specification does refer to this behavior; on the other hand, a nonvacuous satisfaction of the specification in the mutant design indicates that the specification does not refer to the missing behavior. Accordingly, some of the new metrics we suggest reduce coverage to queries about vacuous satisfaction. On the other hand, a code-based metric that checks whether a particular assignment in the code has been executed may also be reduced to a metric that checks the satisfaction of the specification in a mutant design in which the assignment is changed. Accordingly, some of the metrics we suggest follow the approach in [26] and reduce coverage to queries about satisfaction of the specification in mutant designs. Unlike previous work, however, the mutant designs we consider are not arbitrary and capture the different metrics of coverage used in simulation-based verification.
We describe symbolic algorithms for computing the new coverage metrics for specifications given by means of LTL formulas. We first show that both vacuity and falsity coverage can be reduced to model checking of mutant specifications and/or mutant designs and then show how symbolic model-checking algorithms can be extended to symbolically maintain mutants that correspond to uncovered parts of the system. We analyze the complexity of our algorithms in terms of the size of the ROBDDs used and the number of symbolic operations required.
Preliminaries

Simulation-based verification
In simulation-based verification, the implementation of a hardware design is executed in parallel with a reference model described at a different level of abstraction or with monitors and assertions that check for certain behavior of the implementation [27] . The execution is done with respect to a selected set of finite input sequences, referred to as tests. Thus, assuming the implementation has a set I of input signals, a test is a finite sequence t = i 0 , i 1 , . . . , i n ∈ (2 I ) * of input assignments. Implementations of hardware designs can be described by different formalisms. We consider two formalisms with respect to which coverage metrics are naturally defined.
The first formalism is that of hardware description languages (HDL). A typical HDL program specifies the input and output variables of the various modules of the design and, using control and assignment statements, the interaction of the modules among themselves and with an environment that provides the input signals. Reasoning about rich HDL such as Verilog involves difficult technical details. 1 We consider here the simplified model of the control flow graph (CFG). Each HDL statement corresponds to a control state and induces a node in the CFG. We refer to CFG nodes as locations. Assignment statements have a single successor, and control statements, such as if or while, have several successors, corresponding to the possible locations to which the control can jump. Transitions from a control statement to its successors are labeled by an expression that guards the transition. Recall that the design interacts with an environment that supplies its input signals. When the design is described as a CFG, the interaction induces a traversal of the CFG. Formally, given a CFG G with a set V of locations and a test t = i 0 , i 1 , . . . , i n ∈ (2 I ) n+1 of input assignments, the execution of G on t is a sequence 
the circuit describes the value of each latch. The circuit starts its interaction with the environment in configuration c 0 . When the circuit is in configuration c and it reads a set i ∈ 2 I of input signals, it moves to configuration c in which the value of each latch l is f l (i, c) and in which it sends to the environment the set of output signals o with g o (i, c) = 1. Accordingly, the execution of a circuit S on a test
that satisfies the conditions above. Both HDL and circuits enable a description of the design at different levels of abstraction [24] , yet abstraction is most naturally supported when the design is modeled as a symbolic finite state machine (FSM). We assume that the design is defined with respect to a set X of state variables, and it is specified by predicates on X and X -a primed version of the variables in X . Formally, an FSM is a tuple F = I, O, X, θ in , θ next , G , where I and O are the input and output variables, X is the set of state variables inducing the state space 2 X , θ in is a predicate on X describing the set of initial states, θ next is a predicate on describing the transition relation (there is a transition from state u to state v iff θ next (u, v )), and G is a family of predicates that associates with each input or output variable s a predicate τ s on X describing the set of states in which s holds. Likewise, predicates on X are used to describe other sets of interest, for example, the set of fair states when the design comes with an unconditional fairness constraint. Formally, a fair FSM F is a tuple F = I, O, X, θ in , θ next , G, α , where α is a predicate on X describing the accepting condition. A behavior π is accepted by F if it satisfies α. The simplest accepting condition is the Büchi condition [8] (called impartiality in [33] ), where α is a predicate on X and a behavior π satisfies α if it visits a state satisfying α infinitely often.
A nonsymbolic FSM for the design is usually created manually by the designer in the early stages of the design. Symbolic FSMs are automatically extracted from HDL programs, which is where abstraction plays an important role [24] . The HDL program typically contains too many variables. The designer then selects a subset X ⊂ X of the state variables, and the predicates that define the FSM are viewed as predicates over X to obtain an abstract FSM. Note that an FSM may be nondeterministic; thus its interaction with the environment may produce several outputs.
Model checking, vacuity, and coverage
In linear-time model checking, we check whether a design has a desired behavior by checking whether a Büchi automaton for the negation of the specification has accepting runs on an FSM describing the design [40] . The specification can be expressed as an LTL formula [25] , as a ForSpec formula [2] , or as a Büchi automaton [22, 32] . A specification ϕ in LTL can be translated to a nondeterministic Büchi automaton A ¬ϕ that accepts all words that do not satisfy ϕ [41] . Given an automaton A ¬ϕ , we check that the product of F with A ¬ϕ , which is a fair FSM F × A ¬ϕ , does not contain accepting paths.
Sanity checks for model checking address the problem of errors in the modeling of the design and the desired behavior, which are not discovered by model checking, for example, incompleteness of the specification. These problems may cause "false positive" results of model checking and conceal errors in the design. Two such checks are vacuity and coverage, which we briefly review below (for the full details, see [4, 14, 26, 30] ).
Intuitively, an FSM F satisfies a formula ϕ vacuously if F satisfies ϕ, yet it does so in a noninteresting way, which is likely to point to some trouble with either F or ϕ. To formalize this intuition, we first say that a subformula ψ of ϕ does not affect ϕ in F if for every formula ξ the FSM F satisfies ϕ[ψ ← ξ ] iff F satisfies ϕ, where ϕ[ψ ← ξ ] denotes the formula obtained from ϕ by replacing ψ with ξ [4] . As shown in [30] , when ψ has a single occurrence in ϕ, instead of checking the replacement of ψ by all formulas ξ , one can check only the replacement of ψ by the formulas true and false. Thus, ψ does not affect ϕ in F whenever F satisfies ϕ[ψ ← true] iff F satisfies ϕ[ψ ← false]. Now, an FSM F satisfies a formula ϕ vacuously iff F | ϕ and there is some subformula ψ of ϕ such that ψ does not affect ϕ in F. Equivalently, F satisfies ϕ vacuously if F | ϕ and there is some subformula ψ of ϕ such that F also satisfies ϕ[ψ ← ⊥], where ⊥ is either false or true, depending on the polarity of ψ in ϕ. It is easy to see that vacuous satisfaction can be detected by a naive algorithm that model checks F with respect to formulas obtained from ϕ. More sophisticated algorithms are suggested in [1, 12, 30, 36] .
Coverage in model checking was introduced in [26, 29] . The metric in [26] is based on mutations applied to an FSM. For an FSM F = I, O, X, θ in , θ next , G , a state w ∈ 2 X , and an output variable q ∈ O, a mutant FSMF w,q is obtained from F by dualizing the value of q in state w. Thus, if τ q is the predicate describing the set of states satisfying q in F, then the predicateτ w,q , which describes the set of states satisfying q inF w,q , is satisfied by w iff τ q is not satisfied by w. For all states v = w, the predicateτ w,q is satisfied by v iff τ q is satisfied by v. For an FSM F, a specification ϕ that is satisfied in F, and an output variable q, we say that ϕ q-covers w iffF w,q no longer satisfies ϕ. By [26] , a state is covered if it is q-covered for some output variable q. It is easy to see that the set of states q-covered by ϕ can be computed by a naive algorithm that performs model checking of ϕ inF w,q for each state w of F. More sophisticated algorithms are suggested in [14, 15, 26] .
Chockler et al. also suggest the following refinement of coverage metrics [14] . Instead of performing local mutations in F, we can perform local mutations in the infinite tree T F obtained by unwinding F. A state w of F can appear many (possibly an infinite number of) times in T F . Flipping the value of q in one occurrence of w in T F can have a different effect from flipping the value of q in all or some of the occurrences of w in T F . These differences are captured by the notions of node, structure, and tree coverage. Node coverage of a state w corresponds to flipping the value of q in one occurrence of w in the infinite tree. Structure coverage corresponds to flipping the value of q in all the occurrences of w in the tree. It may seem that node coverage defines more fine-grained mutations than structure coverage. As shown in [14] , the two metrics are incomparable: a state may be node-covered and not structure-covered, and vice versa. Tree coverage generalizes node and structure coverage and corresponds to flipping the value of q in some occurrences of w in the tree. Thus, w is q-tree-covered by ϕ if there exists a subset of occurrences of w in the infinite tree obtained by unwinding F such that flipping q in this subset falsifies ϕ in F. Chockler et al. describe a framework in which node, structure, and tree coverage can be computed by a symbolic algorithm; minor changes are required to capture the different types of coverage [14] . We describe their algorithm in more detail in Sect. 5.
In this paper we introduce new types of mutations and new types of coverage metrics in model checking in order to capture better the different notions of coverage used in simulation-based verification. Coverage in model checking is performed by applying mutations to a given FSM and then examining the resulting mutant FSMs with respect to a given specification. Each mutation is generated in order to check whether a specific element of the design is essential for the satisfaction of the specification. As we explain in more detail in Sect. 4, mutations correspond to omissions and replacements of small elements of the design, which can be given as an HDL program, an FSM, or a sequential circuit. Once we have a mutant FSM, there are two coverage checks we can perform on it. that are based on omission of elements from the original design (as we will see in Sect. 4, such mutations are popular in metrics adopted from simulation-based verification), falsity coverage is useless for universal specifications. Indeed, having fewer behaviors, the mutant design is guaranteed to satisfy all the specifications satisfied by the original design.
Example 1 Consider the FSM F described in Fig. 1 , which abstracts a design with respect to the output signals grant 1 and grant 2 . Let ϕ = G(grant 1 → Fgrant 2 ). Thus, ϕ requires that (in all execution paths) each grant to the first user is followed by a grant to the second user. It is easy to see that ϕ is satisfied in F. Recall that the goal of coverage metrics is to check whether all the elements of the design play some role in the satisfaction of ϕ. Let us see which parts of F are covered by ϕ. We refer only to structure coverage in this example.
-The positive value of grant 2 in w 4 is essential to the satisfaction of ϕ: one way to see this is to observe that changing it to false creates the behavior {} · {grant 1 } · {} ω in which grant 1 is not followed by grant 2 . State w 4 is falsity-covered by ϕ with respect to mutations that flip the value of grant 2 . -The value of grant 1 in w 1 is not essential to the satisfaction of ϕ. On the other hand, the designer had a reason to set it to true in w 1 , as it is essential to the nonvacuous satisfaction of ϕ: indeed, omitting state w 1 or flipping the value of grant 1 there results in a mutant in which grant 2 does not affect the satisfaction of ϕ. State w 1 is vacuitycovered by ϕ with respect to mutations in which w 1 is omitted and with respect to mutations that flip the value of grant 1 . -One may also question negative values of variables. For example, while the negative value of grant 2 in w 0 is not essential to the satisfaction of ϕ, it is essential to its nonvacuous satisfaction: indeed, flipping the value of grant 2 in w 0 to true results in a mutant in which grant 1 does not affect the satisfaction of ϕ. State w 0 is vacuity-covered by ϕ with respect to mutations that flip the value of grant 2 .
-Consider now the value of grant 2 in state w 2 . All the paths of F that pass through w 2 describe a behavior in which two grants -in both w 2 and in w 4 -are given to the second user, after at most one grant was given to the first user. The specification does not require such a behavior, nor does it require a correspondence between the number of grants that each user gets. The labeling of w 2 indeed does not play a role in the satisfaction of ϕ: flipping the value of grant 2 in w 2 or omitting w 2 does not falsify ϕ in F, nor does it cause ϕ to be satisfied vacuously. This information may hint at a possible impreciseness or incompleteness in the definition of ϕ. For example, if the intention of the designer had been for each grant 1 to be followed by a grant 2 in the next step, the correct specification should have been G(grant 1 → X grant 2 ), in which case w 2 would have been falsity-covered with respect to mutations that flip the value of grant 2 . Moreover, if the intention of the design had been to require a correspondence between the number of grants that each user gets, the coverage information would have led to a refinement of the specification, after which an error would have been discovered. Another possibility is that F contains redundancies, in which case state w 2 can be omitted from the FSM without violating ϕ.
Recall that the positive value of grant 2 in w 4 is essential for the satisfaction of ϕ. An execution that reaches w 4 stays there forever, and the second user keeps receiving grants. One may wonder whether all these grants are essential. This is where the difference between structure-based and nodebased coverage appears: while w 4 is structure-covered by ϕ with respect to the mutation that flips the value of grant 2 in w 4 , it is not node-covered by ϕ with respect to the same mutation for both the falsity and vacuous coverage. Indeed, node coverage checks whether the positive value of grant 2 plays a role in all the visits to w 4 .
Coverage metrics in simulation-based verification
In this section we briefly survey coverage metrics in simulation-based verification -metrics we are going to adopt for the setting of formal verification in the next section. Each of the metrics is "tailored" for a specific representation of the design or a specific verification goal. The reader is referred to [38] for a detailed survey. All metrics refer to a set of input sequences (or tests) t ∈ (2 I ) * with respect to which the design is simulated.
Syntactic coverage metrics
Syntactic coverage metrics assume a specific formalism for the description of the design and measure the syntactic part of the design visited in the process of execution of a given input sequence. Commonly [34, 38] , high coverage according to syntactic-based metrics is considered a precondition to moving to other more sophisticated (and time-consuming) coverage metrics.
Code coverage Code-based coverage metrics refer to the HDL program that describes the design or to its CFG. Measuring code coverage requires little overhead, and it is easy to interpret the coverage information. This makes code coverage the most popular metric [39, 38] . The most widely used code-coverage metrics are statement and branch coverage. Essentially, an object is covered if it is visited during the execution of the input sequence. Again, the fully formal definition depends on the particular HDL used, but a semiformal definition is given in terms of the computation of the CFG as follows. Let G be a CFG. For an input sequence t ∈ (2 I ) * such that the execution of G on t, projected on the sequence of locations, is l 0 , . . . , l m , we say that a statement τ is covered by t if there is 0 ≤ j ≤ m such that the control location l j corresponds to τ . We say that a branch l, l between two control locations is covered by t if there is 0 ≤ j ≤ m − 1 such that l j = l and l j+1 = l . More sophisticated metrics measure the way expressions in the guards labeling the CFG's transitions are satisfied. For example, expression coverage checks whether a Boolean expression has been satisfied by all its satisfying assignments (e.g., whether a 1 == a 2 has been satisfied by both an a 1 = a 2 = 0 and an a 1 = a 2 = 1 assignment).
Circuit coverage Circuit-structure-based coverage metrics refer to the circuit that describes the design. Thus they identify the physical parts of the circuit that are covered. Measuring circuit coverage is usually easy, and it is easy to interpret the coverage information. Unlike code coverage, however, it is not easy to use the coverage information in order to generate new tests that direct simulation toward the unexplored areas of the design. The most widely used circuit-coverage metrics are latch and toggle coverage [23, 27] . Essentially, a latch is covered if it changes its value at least once during the execution of the input sequence. Similarly, an output variable is covered if its value has been toggled. Formally, for a circuit S and an input sequence t ∈ (2 I ) n+1 such that the ex-
Note that toggle coverage requires that the value of an output variable be changed at least twice during the execution of t.
Hit count The notion of hit count, introduced in [42] , replaces binary coverage queries with quantitative measurements (how many times an object has been visited). Intuitively, the more times we visit an element, the bigger is our confidence that its functionality is tested.
Semantic-coverage metrics
Semantic-coverage metrics measure the part of the functionality of the design exercised by the set of input sequences. Semantic-coverage metrics require user help and are more sophisticated than syntactic-coverage metrics. We consider the following metrics.
FSM coverage Due to the large size of FSMs for complete systems, FSM-based coverage metrics refer to more abstract FSMs constructed manually by the designer or automatically extracted from the design by projecting its symbolic description on a subset of the state variables, as explained in Sect. 2.1 [38] . Like code coverage, a state or a transition of the abstract FSM is covered if it is visited during the execution of the input sequence. The fact that coverage is checked with respect to an abstract FSM makes the interpretation of the coverage information harder (linking the uncovered parts of the FSM to uncovered parts of the HDL program is not trivial) and has led to the use of more sophisticated metrics.
In particular, limited-path coverage metrics check that important sequences of behavior are exercised [37] . Transition coverage can be viewed as a special case of path coverage, for paths of length 1.
Assertion coverage In assertion coverage, also called "functional coverage" in [11, 38] , the user provides a list of assertions referring to the variables of the design. The assertions describe some conditions that may be satisfied during the execution or a state of the design during the execution. They may be propositional ("snapshot tasks") or temporal (describing a behavior along several clock cycles). A test t covers an assertion a if the execution of the design on t satisfies a. The assertion-coverage metric measures what assertions are covered by a given set of input sequences.
Mutation coverage In mutation coverage, the user introduces a small change (aka "mutation") to the design and checks whether the change leads to an erroneous behavior [9, 18, 43] . The coverage of a test t is measured as the percentage of the mutant designs that fail on t, that is, the percentage of the mutations that t "catches." The list of interesting mutations can be written manually or automatically following some mutation criteria. For example, a local mutation can be flipping a value of one output variable in a circuit. Budd and Angluin [10] define the neighborhood (P) of a program P as a set of all possible mutants obtained from P by a (predefined) local mutation. Similarly, we can define a neighborhood of an FSM F (for example, all FSMs obtained from F by merging two states) or a circuit S. In mutation coverage, the goal is to cover the whole neighborhood of the design, that is, to find a set of input sequences such that for each mutant design there exists at least one test that fails on it (this notion is similar to the notion of local correctness in [10] ). As discussed in Sect. 2.2, mutation coverage is the metric that inspired most of the work on coverage in model checking.
Coverage metrics in model checking
In this section we discuss how the coverage metrics from simulation-based verification can be adopted in model checking. Thus, for each of the metrics described in Sect. 3, we define a metric that can be used in the context of model checking.
Syntactic coverage
In syntactic coverage, we assume that we are given the syntactic representation of the design (an HDL code or a CFG) with respect to which we measure the coverage. Since in the process of model checking we visit the whole reachable part of the design, metrics that measure the part of the design exercised during the simulation cannot be applied directly to model checking. Essentially, we adopt these metrics by replacing the question of whether a part of the design has been visited during the simulation by the question of whether the part plays a role in the success of the verification process, where playing a role means that the part is essential for the satisfaction or the nonvacuous satisfaction of the specification. The latter is checked by reasoning about the behavior of a mutant design in which the part is modified or omitted.
Code coverage Let G be a CFG and ϕ a specification satisfied in G. We say that a statement τ of G is covered by ϕ if omitting τ from G causes vacuous satisfaction of ϕ in the mutant CFG. Similarly, a branch l, l of G is covered if omitting it causes vacuous satisfaction of ϕ. Note that falsity coverage would be meaningless here since omitting a statement or a branch of CFG results in a design with fewer behaviors, which is guaranteed to satisfy the universal specification. Indeed, omission of a statement in the CFG leads to a design in which this statement is unreachable, and thus all the executions that contain this statement no longer exist. Omission of a branch in the CFG leads to a design in which none of the executions in which the branch is taken exist any longer. In both cases, no new executions are added, and executions that stay in the mutant design are not changed. Thus, the mutated design is simulated by the original design (its set of behaviors is a subset of the set of behaviors of the original design). Therefore, the mutant design satisfies all universal specifications that are satisfied by the original design [21] . In expression coverage, we check whether omitting the behaviors in which the variables have a particular satisfying assignment for a particular expression leads to vacuous satisfaction of ϕ. For example, if the expression is a 1 == a 2 and it guards a block B of statements, we check whether the mutant design obtained by skipping B in case a 1 = 0 and a 2 = 0 satisfies the specification vacuously, and similarly for a 1 = 1 and a 2 = 1.
Circuit coverage Recall that latch-and toggle-coverage metrics check whether the value of a specific latch or variable in the circuit changes during the execution of an input sequence. We replace this question by the question of whether disabling the change causes the specification to be satisfied vacuously. Thus, a latch l ∈ L is covered if the specification is vacuously satisfied in the circuit obtained by Hit count Recall that the distinction between structure, node, and tree coverage enable us to choose whether to perform a mutation on every visit of the model checker to the mutated element, on exactly one visit, or on a subset of the visits. We define hit count in model-checking coverage as the minimal number of visits in which we have to perform the mutation (or omit the element) in order to falsify the specification in the design or to make it vacuously satisfied.
Semantic coverage
Among the semantic-coverage metrics, mutation coverage has already been adopted to the setting of model checking.
As discussed in Sect. 2.2, we suggest a strengthening of the adopted metrics by checking the effect of the mutation not only on the satisfaction of the specification but also on its vacuous satisfaction. Below we describe the adoption of the other semantic-coverage metrics.
FSM coverage
In FSM coverage, we are given an abstract FSM F and we check the influence of mutations and omissions in this FSM on the result of model checking of the specification ϕ in the design. In state coverage, for a state w of F we check the influence of omission of w or changing the values of output variables in w on the (nonvacuous) satisfaction of the specification in the design. Clearly, a mutant FSMF w obtained from F by omitting w has fewer behaviors than F, thus for omissions of a state we only check vacuity coverage. On the other hand, a mutant FSMF w,o obtained from F by flipping the value of the output variable o ∈ O in w can also falsify the specification; thus we check falsity and vacuity coverage. In path coverage, we check the influence of omitting or mutating a finite path on the (nonvacuous) satisfaction of the specification in the design. A path π of length c in F is a sequence of states w 1 , . . . , w c of F such that for all 1 ≤ i ≤ c − 1 we have θ next (w i , w i+1 ). Let us first define coverage for omissions of a path. A path π is covered by ϕ if the mutant FSMF π obtained from F by omitting all behaviors that contain π satisfies ϕ vacuously. On the other hand, we can also introduce mutations that replace π with a mutant pathπ in the FSM. Then, the mutant FSM F π,π is obtained from F by replacing π withπ. The mutant FSMF π,π can falsify ϕ or it can satisfy ϕ vacuously; thus for mutations that replace a path with another, mutant, path, we check both falsity and vacuity coverage. We note that all possible mutations in the FSM can be introduced consistently on each occurrence of the mutated element, on exactly
Fig. 2
The automaton M one occurrence, or on a subset of occurrences, thus resulting in structure, node, or tree coverage, respectively. We demonstrate path coverage on an FSM in Fig. 1 . Assume that we want to check the effect of omitting the path π 1 = w 0 , w 2 , w 3 on the (nonvacuous) satisfaction of ϕ = G(grant 1 → Fgrant 2 ). The executions that contain π 1 are the ones that are defined by the ω-regular expression w + 0 w 2 w 3 w ω 4 (we use + to denote a positive number of repetitions of the state). Note that this is not the same as removing the transitions w 0 , w 2 and w 2 , w 3 from the FSM, as removing these transitions would also remove the executions w + 0 w 1 w 2 w 3 w ω 4 . The mutant FSM is the product of F with the automaton M that rejects paths that contain w 0 , w 2 , w 3 as a subpath. The automaton M is presented in Fig. 2 (the unlabeled edges complement the labeled ones to the full alphabet; that is, the self-loop in s 0 is labeled with * \ {w 0 }, and similarly for other unlabeled edges).
The specification ϕ is satisfied nonvacuously in the mutated FSM. Indeed, replacing grant 1 with true we get the specification G Fgrant 2 , which does not hold in the path w ω 0 ; replacing grant 2 with false we get the specification G(grant 1 → Ffalse), which is satisfied only in paths that do not have states labeled with grant 1 and thus is falsified in all paths containing w 1 . Therefore, the path π 1 is uncovered with respect to omissions. Let us now check the effect of replacing the path π 2 = w 0 , w 0 with the pathπ 2 = w 0 , w 4 . It is easy to see that all paths in the mutated FSM now reach a state where grant 2 holds. Indeed, the only path in the original FSM that does not reach a state where grant 2 holds is w ω 0 , and this path does not exist in the mutated FSM. Thus, ϕ is satisfied vacuously in the mutated FSM (grant 1 can be replaced with true without violating the specification), and therefore the mutation that replaces π 2 withπ 2 is covered.
Assertion coverage An input to assertion-coverage check is an FSM F, a specification ϕ that is satisfied nonvacuously in F, and a list of LTL assertions a 1 , . . . , a k . An assertion a i is covered by ϕ in F if the mutant FSMF a i obtained from F by omitting all behaviors that satisfy a satisfies ϕ vacuously. We note that this definition is similar to the definition of FSM path coverage. The only difference is in the description of the mutation: in FSM path coverage we omit behaviors that contain a given finite path π, whereas in assertion coverage we omit behaviors that satisfy a given assertion.
Coverage computation
In Sect. 4 we described new coverage metrics for model checking. In this section we discuss how to compute these metrics. We first show that both vacuity and falsity coverage can be reduced to model checking (possibly of mutant specifications and/or mutant designs). Let F be an FSM, ϕ a specification that is satisfied in F nonvacuously, andF a mutant FSM. IfF does not satisfy ϕ, we say thatF is falsitycovered by ϕ. IfF satisfies ϕ, it still may be vacuity-covered by ϕ if it satisfies ϕ vacuously. Formally,F satisfies ϕ vacuously ifF | ϕ and there exists ψ ∈ cl(ϕ) such thatF satisfies ϕ[ψ ← ⊥]. Thus, like falsity coverage, we check whether a mutant designF satisfies a specification, only that here the specification is also mutated.
Mutation coverage
The algorithm we present for falsitycoverage computation is based on the coverage algorithm described in [14] . That algorithm computes symbolically falsity coverage for mutations that flip the value of a variable q ∈ O in one state w of the FSM. The idea is to look for a fair path in the product of the mutant FSMF and an automaton A ¬ϕ for the negation of ϕ. The state space of the product is 2 X × S, where X is the set of state variables of F, S is the state space of A ¬ψ , and the transitions of the product are induced by the transition relations of F and A ¬ψ . In order to compute the set of covered states, it is suggested in [14] to add |X | new variables that encode the state w in which the value of q is flipped.
It is now possible to define symbolically an augmented product, with state space 2 X × 2 X × S, where the first component of a state w, u, s is the state w that is being considered, and the two other components are as in the usual product automaton. The value of the first component is chosen nondeterministically at initialization and is kept unchanged. The copy of the augmented product with first component w checks whether the mutation of F in which q is flipped in w contains a fair path (in which case flipping q in w violates the specification). Thus, when the augmented product is in a state w, w, s , the set of successor states contains all triples w, u, t such that u is a successor of w and t ∈ δ(s,σ ), whereσ is the label of w inF w,q . The above describes structure coverage, where the value of q is flipped in all visits. Likewise, we can define an augmented product in which the value of q in w is flipped only one time (node coverage) or some of the times (tree coverage). We can now use a symbolic algorithm in order to find the set P of all triples w, u, s from which there exists a fair path in the augmented product automaton (see Fig. 3 for the The covered states are those w such that w, u 0 , s 0 ∈ P for some initial states u 0 of F and s 0 of A ¬ψ . In particular, triples of the form w, u 0 , s 0 in P, for initial states u 0 of F and s 0 of A ¬ψ , correspond to a path ofF w,q that violates the specification. Hence, the set of states covered by the specification can be calculated symbolically by intersecting P with the initial state set of the product automaton and projecting the result on the first component.
Vacuity coverage
Recall that checking whether a system satisfies a specification vacuously involves model checking of a mutant specification. We adjust the symbolic algorithm in [14] to this setting by adding a new variable x that encodes the subformula ψ ∈ cl(ϕ) that is being replaced with ⊥. The variable x is an integer in the range 0, . . . , | cl(ϕ) |, and thus it can be encoded with O(log | ϕ |) Boolean variables. The value 0 of x stands for "no replacement," thus it checks the satisfaction of ϕ in the system. As with mutations, the values of these variables are chosen nondeterministically at initialization and are kept unchanged.
For example, if ϕ = y 1 ∨ y 2 , and 1 encodes y 1 and 2 encodes y 2 , then the value 1 of x corresponds to the replacement of y 1 with false (which is the ⊥ value for y 1 in ϕ), resulting in the formula (
In the automaton A ¬ϕ , each state variable corresponds to a subformula (cf. [7] ); thus the nondeterministic choice of the subformula leads to a mutant automaton A ¬ϕ [ψ←⊥] . The state space of the augmented product now consists of triples x, u, s , where x encodes the subformula replaced with ⊥ and u and s are the components of the product automaton. The successors of x, u, s are the triples x, u , s such that u , s is a possible successor of u, s in a product between the system and the automaton A ¬ϕ [ψ←⊥] , where ψ is the subformula encoded by x.
The subformulas that affect the value of ϕ in the systems are those encoded by a value x for which there are initial states u 0 and s 0 of the system and the automaton, respectively, such that there is a fair path from x, u 0 , s 0 . Let P be the set of triples from which a fair path exists in the augmented product (as above, P can be found symbolically), and let P be the intersection of P with the initial states of the system and the automaton, projected on the first element. Note that x ∈ P iff the subformula associated with x affects the value of ϕ in the system. Thus ψ is satisfied vacuously in the system if 0 ∈ P and P = {1, . . . , cl(ψ)}.
To get a symbolic algorithm for vacuity coverage, we combine the above algorithm with that of [14] . For example, if we want to find the set of states w such that flipping the value of q in w causes the specification to be satisfied vacuously, we augment the state space of the product of F and A ¬ϕ by variables that encode both the state in which we do the mutation and the subformula that is being replaced with ⊥. Thus the state space of the augmented product now consists of 4-tuples w, x, u, s , where w is the state in which we flip q, x encodes the subformula replaced with ⊥, and u and s are the components of the product automaton. The successors of w, x, u, s are the 4-tuples w, x, u , s such that u , s is a possible successor of u, s in a product between the system q flipped in w and the automaton A ¬ϕ [ψ←⊥] , where ψ is the subformula encoded by x.
As above, the initial values of w and x are chosen nondeterministically at initialization and are kept unchanged. The states that are not vacuity-covered are states w such that for all the assignments x, there are initial states u 0 and s 0 of the system and the automaton, respectively, such that there is a fair path from w, x, u 0 , s 0 . Thus, if P is the set of 4-tuples from which a fair path exists in the augmented product (as above, P can be found symbolically), then the set of mutations not covered can be obtained from P as follows. Let P be the intersection of P with the initial states of the system and the automaton, projected on the first two elements. Note that a pair w, x is in P if flipping q in w violates the specification obtained by replacing the subformula associated with x by ⊥. Consider now a set of mutations defined by (∀x)P (w, x). It contains states that lead to failure of φ regardless of what subformula ψ of φ is replaced by ⊥, which means that these mutations do not lead to vacuous satisfaction and therefore are not covered. As we specify below, if we want to check vacuity coverage for other types of mutations, we replace the variables that encode w by variables that encode other types of mutations.
Code coverage Recall that in code coverage we need to check whether the omission of parts of the code causes the specification to be satisfied vacuously. Accordingly, for code coverage it is simpler to define the mutations with respect to the HDL code. Let k be the number of elements in the code we want to check (e.g., the number of lines). We introduce a new variable mut, which is an integer in the in terval [1, . . . , k] . The value i of mut indicates that the mutation is in element l i , which we want to omit, and we need O(log k) Boolean variables to encode it. The HDL code is instrumented using source-to-source translation (see [6] as an example of such instrumentation) so that l i in the code is replaced by the statement "if (mut = i), then l i , else skip." The instrumented code represents all the mutant designs. 3 The product of the FSM induced by the instrumented code and A ¬ϕ subsumes all the mutations of the code. It is now possible to apply the symbolic algorithm described above (instead of the variables that encode w, we now have the variables that encode mut) for detecting the mutations that lead to vacuous satisfaction.
In expression coverage, we do something similar. Let e 1 , . . . , e m be the expressions we want to check, and let V i = {v i 1 , . . . , v i n } be the Boolean variables over which e i is defined. Assume that n bounds the number of variables in every expression. Let "if e i , then B i " be the statement that contains e i as a guard (handling of "while" or "until" statements is similar). Recall that we want to check, for each e i and for each satisfying assignment f ∈ 2 V i , whether skipping B i when the variables have value f causes the specification to be satisfied vacuously. Accordingly, we add a variable mut (encoded by O(log m) Boolean variables) that indicates the expression to be checked and n variables u 1 , . . . , u n that encode assignments to n variables. As usual, the variables get their value nondeterministically at initialization. The HDL code is now instrumented so that "if e i , then B i " in the code is replaced by "if (mut = i) or (e i ∧ 1≤ j≤n v i j = u j ), then B i , else skip." It is now possible to apply the symbolic algorithm described above for detecting the expressions and assignments that lead to vacuous satisfaction.
Circuit coverage In latch coverage, we want to restrict the product of F and A ¬ϕ to paths in which the value of a latch is not allowed to change and check whether this causes vacuous satisfaction. Thus, we augment the product with variables that encode the examined latch and (for the vacuity check) the subformula of ϕ that we replace with ⊥. When the augmented product is in state l, x, u, s , it proceeds to states l, x, u , s such that u , s is a possible successor of u, s in a product between the system with l that is not changed and the automaton A ¬ϕ [ψ←⊥] , where ψ is the subformula encoded by x. The values of l and x are chosen nondeterministically at initialization. Let P be the set of 4-tuples from which a fair path exists in the augmented product, and let P be the intersection of P with the initial states of the system and the automaton, projected on the first two elements. Note that a pair l, x is in P if disallowing l to change violates the specification obtained by replacing the subformula associated with x by ⊥. Thus the set of latches defined by (∀x)P (l, x) contains latches that are not covered. Now, toggle coverage is similar, only that we allow the value of an output variable to be changed only once. For that, we need an additional new Boolean variable f lag that indicates whether the variable has already changed its value once. That is, the state space of the augmented product consists of 5-
When f lag = 0 and the value of o changes, then f lag is assigned the value 1. Then the augmented product continues as in the case of latch coverage, with the value of o unchanging.
FSM coverage State and transition coverage can be computed using the techniques of mutation-based metrics. We now describe the computation of path coverage. We start with mutations that omit all behaviors that contain a given finite path π = w 1 , . . . , w c . Let M π be a monitor that filters away paths that contain π as a subpath. That is, M π is a fair FSM that accepts paths ρ such that π is not a subpath of ρ. Since M π only cares about the values of control variables that encode the states (and not, for example, about the values of output variables in these states), the set of input variables of M π is the set of control variables X of F, and M π does not have output variables. For a given path π, the mutant FSMF π is the product FSM F × M π , which contains only the computations of F that do not have π as a subpath. Then, π is vacuity-covered by ϕ ifF π satisfies ϕ vacuously.
For a set of paths {π 1 , . . . , π k }, we can compute the set of covered paths symbolically using the techniques as described above for vacuity coverage. The state space of the augmented product consists of 5-tuples mut, x, u, r, s , where mut encodes the path π i ∈ {π 1 , . . . , π k }, x encodes the subformula of ϕ that we replace with ⊥, and u, r , and s are the components of the product F × M π mut with A ¬ϕ [ψ←⊥] . The successors of mut, x, u, r, s are the 5-tuples mut, x, u , r , s such that u , r , s is a possible successor of u, r, s in a product between the fair FSM F π mut , which is F × M π mut and the automaton A ¬ϕ [ψ←⊥] , where ψ is the subformula encoded by x. The vacuityuncovered paths are those encoded by values of mut such that for all the assignments x, there are initial states u 0 , r 0 , and s 0 of the FSM and the automaton, respectively, such that there is a fair path from x, mut, u 0 , r 0 , s 0 . As above, the set of 5-tuples P from which a fair path exists in the augmented product can be found symbolically, and the set of vacuity-covered paths can be computed from it.
In a similar way we can define mutations of paths that replace a finite path π with a pathπ of the same length, redirecting the system to another execution. If a mutated path is of length 1, the mutation redirects one transition. For a path π replaced by a mutant pathπ , we use a monitor M π,π . In the productF π of F with M π,π , all the occurrences of π are replaced byπ . Note that for mutated (rather than omitted) paths we can compute both falsity and vacuity coverage. The computation of falsity coverage is similar to falsity coverage of CFG described above, where the state space of the augmented product consists of 4-tuples mut, u, r, s , with mut encoding the mutated path and u, r , and s the components of the product automaton ofF π with A ¬ϕ . Vacuity coverage is computed similarly to the case of omission of paths.
Assertion coverage For an LTL assertion a, a monitor for a is the automaton A ¬a . Given assertions a 1 , . . . , a k , the mutant FSM is the product F × A ¬a 1 × . . . × A ¬a k . Falsity and vacuity coverage of a set of assertions is computed similarly to FSM path coverage, where the variable mut encodes the assertion a mut for 1 ≤ mut ≤ k.
Hit count For a state w ∈ 2 X of F, an output variable q ∈ O, and a specification ϕ that is satisfied in F, the q-hit count of w in F for ϕ is the minimal number of occurrences of w in the infinite tree obtained by unwinding F in which q has to be flipped in order to falsify ϕ in F. The computation of hit count may be hard in the general case. We restrict the computation of hit count to the following easier question: "Given a threshold t, is the q-hit count of w in F for ϕ at least t?" The tree-coverage-computation algorithm of [14] can be modified to decide whether the hit count is below or above the threshold. We introduce a new variable count that counts the number of occurrences of w in which q is flipped. We now proceed as in tree coverage, except that whenever we visit a state w and we choose to flip q we also increment count until we hit the threshold t. When we compute the set of covered states, we return only those whose projection on count is greater than t. This can also be applied to other types of coverage.
A detailed example
In this section we demonstrate our metrics with respect to a simple design and some specifications. The design is described as a part of a Verilog program, an FSM, and a circuit. The design has three registers, which encode the state space. The design is described by means of a Verilog program in Fig. 4 . Figure 5 shows the FSM (each state is labeled by the truth values of o 1 , o 2 , and o 3 ) and the circuit for this design.
Let us compute coverage with respect to the specification ϕ = G(o 2 → Fo 3 ). That is, ϕ requires that, in all execution paths, each positive value of o 2 be eventually followed by a positive value of o 3 . We start with code coverage. The line "assign o1 = o1;" is uncovered by this specification with respect to both omissions and mutations. Indeed, omitting this line from the code or assigning a different value to o1 does not falsify ϕ. Observing the circuit, it is easy to see that the register o 1 is latch uncovered (where the term "latch" refers to a generic sequential circuit element -a register, in this case). Indeed, fixing o 1 to 0 for the whole execution does not affect the satisfaction of ϕ. 2 and o 3 falsifies the specification, it is easy to see that certain modifications of the code do not render ψ untrue. For example, replacing the line "assign o2 = o2 | o3;" with the line "assign o2 = ¬o1;" results in the FSM in which o 2 is positive starting with the second state, and ψ still holds. Thus, the above line is code-uncovered with respect to mutations of the code. We can also see that all transitions are covered with respect to omissions. Indeed, removing a transition results in an empty FSM, which satisfies all specifications vacuously. On the other hand, there are uncovered transitions with respect to mutations. For example, the transition from 011 to 010 can be replaced by a self-loop in 011 without falsifying the specification.
Let us now study latch coverage for this specification. Fixing the value of o 1 to its initial value through the execution does not affect the satisfaction of ψ. On the other hand, fixing either o 2 or o 3 falsifies ψ. Thus, o 1 is latch-uncovered and both o 2 and o 3 are latch-covered with respect to ψ. In toggle coverage, we allow a latch to change its value once during the execution. Then, both o 2 and o 3 are uncovered with respect to ψ, as fixing their value after they become positive does not falsify ψ.
The properties ϕ and ψ together cover a large part of the design. At the same time, some parts are uncovered by both specifications. For example, both specifications are still satisfied in a mutant design in which states 001 and 010 are merged into the single state 010. One possible way to solve this problem is to add a specification X ¬o 2 . Another possibility is that the designer overlooked the fact that merging states 001 and 010 results in a smaller correct design.
Complexity of computing coverage
In Sect. 5 we described ways to compute the coverage metrics suggested in Sect. 4 . In this section we measure the complexity of computing these metrics. All metrics can be computed symbolically, so the complexity estimations are in terms of the number of ROBDD 4 (Boolean) variables and the number of symbolic operations required for the computation. The computation is based on the symbolic modelchecking algorithms. The number of the ROBDD variables required for encoding the state space of the verified FSM is logarithmic in the size of the state space. For different coverage algorithms we need a different number of additional ROBDD variables. Let n be the number of ROBDD variables required for encoding the state space of the FSM F, and m the number of ROBDD variables required for encoding the state space of A ¬ϕ . To encode the transition relation, symbolic algorithms use two copies of the ROBDD variables that encode the state space: one untagged copy for the current state, and one tagged copy for the next state.
Mutation coverage Recall that the algorithm for computing mutation coverage computes the set P of all triples w, u, s from which there exists a fair path in the augmented product automaton. The set of mutation-covered states is then easily extracted from P, as this is the set of those w such that w, u 0 , s 0 ∈ P for some initial states u 0 of F and s 0 of A ¬ψ .
We need 2n+m ROBDD variables in order to encode the triples; thus the straightforward implementation yields 4n + 2m variables. We note, however, that the values of the first n variables, which encode the mutated state of F, are chosen nondeterministically at initialization and are kept unchanged during the execution. Therefore, there is no need to keep two copies of these variables. Thus, the total number of ROBDD variables is 3n + 2m, and the complexity of the computation is O(| F | 3/2 | A ¬ϕ |). As has been shown in [28, 29] , the techniques of early quantification and variable interleaving in the ROBDD can be used in order to further reduce the number of required variables.
Vacuity coverage Vacuity coverage is computed similarly to mutation coverage. Here, the set P consists of 4-tuples w, x, u, s , where w is the state in which we flip q, x encodes the subformula replaced by ⊥, and u and s are the components of the product automaton. As above, the initial values of w and x are chosen nondeterministically at initialization and are kept unchanged. Thus we need only one copy of the ROBDD variables that encode the mutated state and the mutated subformula, and therefore the total number of ROBDD variables needed for the computation is 3(n + m). The complexity of the computation is therefore O((|F| · |A ¬ϕ |) 3/2 ).
Code coverage Let k be the number of elements in the code we want to check (e.g., the number of lines). Encoding the omitted line of code requires log k ROBDD variables, and so the mutated FSM can be encoded using n + log k variables. The complexity of model checking of the mutated FSM is then O(|F| · k · |A ¬ϕ |).
Circuit coverage Circuit coverage is a special case of vacuity coverage, where we study the effect of mutations that fix the value of one latch during the whole execution on the (nonvacuous) satisfaction of the specification. The set P consists of 4-tuples l, x, u, s , where l encodes the latch that is kept unchanged, x encodes the subformula replaced by ⊥, and u and s are the components of the product automaton. The first two components are chosen nondeterministically at initialization and are kept unchanged. Thus the number of ROBDD variables needed for the computation is O(| L | · | F | · | A ¬ϕ | 3/2 ), where L is the number of latches. Toggle coverage is computed similarly to circuit coverage, with the addition of the single Boolean variable that indicates whether the latch has already changed its value once.
FSM coverage For path coverage we compute the set P of 5-tuples mut, x, u, r, s , where mut encodes the path π i ∈ {π 1 , . . . , π k }, x encodes the subformula of ϕ that we replace with ⊥, and u, r , and s are the components of the product F × M π mut with A ¬ϕ [ψ←⊥] . Thus, compared with mutation coverage, we need additional m + log k ROBDD variables, so the total number of ROBDD variables is 3n + 4m + log k, leading to the complexity of O(k|F| 3/2 |A ¬ϕ | 2 ).
Assertion coverage Assertion coverage is computed similarly to FSM path coverage, where the variable mut encodes the assertion a mut for 1 ≤ mut ≤ k, and thus has the similar complexity.
Hit count Let t be the threshold of the hit count. We need O(log t) new variables to encode the variable count that increases from 0 to at most t. The algorithm computes the set of 4-tuples count, w, u, s from which there exists a fair path in the augmented product automaton, where w encodes the mutated state. The value of w is chosen nondeterministically at initialization and is kept unchanged during the execution. The value of count is increased nondeterministically on transitions in which we choose to flip the value of the q. Thus we need n + O(log t) additional variables, and therefore the complexity of hit count computation for tree coverage is the complexity of mutation-coverage computation multiplied by the threshold t.
Summary In Fig. 6 we summarize the complexity of computing different coverage metrics in terms of the number of ROBDD variables required by the symbolic algorithms. We denote by n and m the number of variables required for encoding the state space of F and A ¬ϕ , respectively. Also, l denotes the number of latches in the circuit, k denotes the metric complexity mutation coverage 3n + 2m vacuity coverage 3n + 3m code coverage 2n + 2m + log k circuit coverage 2n + 3m + log l FSM path coverage 3n + 4m + log p assertion coverage 3n + 4m + log k hit count 3n + 2m + log t Fig. 6 The complexity of calculating different coverage metrics in terms of the number of variables required for the symbolic algorithms number of assertions for assertion coverage or the number of lines in the code for code coverage, p stands for the length of the path in path coverage, and t is the threshold of the hit count.
Conclusions and future work
In this paper we have shown how work done on coverage in simulation-based verification can be adapted to formal verification. We have also described symbolic algorithms to compute coverage in the formal-verification setting. We have not discussed the issue of how the coverage information that the algorithm generates should be presented and used. One straightforward possibility is to simply list the parts of the design that are not covered. A better possibility, which is a subject of future research, is to develop algorithms that use this information to generate new specifications that should be checked. In simulation-based verification, the choice of the most suitable coverage metrics is done individually for each application. Most researchers agree that high code coverage (almost or exactly 100%) is desirable (cf. [35] ). As for more complicated metrics, it is up to the designer to choose the most appropriate ones. We believe that this should also be the case in formal verification. While it is (almost always) clear that the specifications should cover the whole code of the system, more subtle metrics are useful for hinting at unchecked parts, but high coverage is not always necessary. Clearly, coverage computation incurs costs beyond the costs already incurred by formal-verification algorithms. As in simulation-based verification, the use of our algorithms will be determined by practical verification methodologies developed in industry.
