Generation Of A Complete Set Of Properties by Goldberg, Eugene
arXiv:2004.05853v4 [cs.LO] 12 Oct 2020
Generation Of A Complete Set Of Properties
Eugene Goldberg
eu.goldberg@gmail.com
Abstract—One of the problems of formal verification is that
it is not functionally complete due to the incompleteness of specifi-
cations. An implementation meeting an incomplete specification
may still have a lot of bugs. In testing, where achieving func-
tional completeness is infeasible, it is replaced with structural
completeness. The latter implies generation of a set of tests
probing every piece of a design implementation. We show that
a similar approach can be used in formal verification. The
idea here is to generate a property of the implementation at
hand that is not implied by the specification. Finding such a
property means that the specification is not complete. If this is
an unwanted property, the implementation is buggy. Otherwise,
a new specification property needs to be added. Generation
of implementation properties related to different parts of the
design followed by adding new specification properties produces
a structurally-complete specification. Implementation properties
are built by partial quantifier elimination, a technique where only
a part of the formula is taken out of the scope of quantifiers.
An implementation property is generated by applying partial
quantifier elimination to a formula defining the “truth table”
of the implementation. We show how our approach works on
specifications of combinational and sequential circuits.
I. INTRODUCTION
One of the problems of formal verification is that it is
functionally incomplete. Let us consider this problem by
the example of a combinational design. Suppose a set P =
{P1(X,Z), . . . , Pk(X,Z)} of formulas¹ specify properties of
a combinational circuit to be designed. Here X and Z are
sets of input and output variables of this circuit respectively².
(A correct implementation has to exclude the input/output
behaviors falsifying Pi, i = 1, . . . ,k.) Let N(X,Y, Z) be a
circuit implementing the specification P above where Y is
the set of internal variables. Let F (X,Y, Z) be a formula
describing the functionality of N . That is every consistent
assignment to the variables of N corresponds to a satisfying
assignment of F and vice versa (see Section II). The circuit
N satisfies property Pi, 1 ≤ i ≤ k iff F⇒Pi. The circuit N
meets the specification P iff F ⇒ (P1 ∧ · · · ∧ Pk).
Unfortunately, the fact that N satisfies its specification does
not mean that the former is correct. (For instance, if P consists
only of one property P where P ≡ 1, any circuit meets P.)
One also needs to check if P is complete. This comes down
to checking if P1 ∧ · · · ∧ Pk ⇒ ∃Y[F]. Here ∃Y[F] specifies
the truth table of N. If this implication does not hold, some
input/output behaviors of N are not defined by P, i.e. the latter
is incomplete. Note that checking the completeness of P is
inherently hard because it requires some form of quantifier
elimination (QE) for ∃Y[F].
¹ In this paper, we consider only propositional formulas. We assume that
every formula is in conjunctive normal form (CNF). A clause is a disjunction
of literals (where a literal of a Boolean variable w is either w itself or its
negation ¬w). So a CNF formula H is a conjunction of clauses: C1 ∧ · · · ∧ Ck.
We also consider H as the set of clauses {C1, . . . , Ck}.
² For the sake of simplicity, in the introduction, we assume that properties
Pi(X,Z) depend on all input/output variables. In Section III, we consider a
more general case where a property depends on a subset of X ∪ Z.
In testing, the incompleteness of functional verification is
addressed by using a set of tests that is complete structurally
rather than functionally. Structural completeness is achieved
by probing every piece of the design under test. In this paper,
we show that a similar approach can be applied to formal
verification. This approach is based on two ideas. The first
idea is to check the completeness of the specification P by
generating implementation properties i.e. those satisfied by
N . Let Q(X,Z) be a property of N (and so F ⇒ Q). If
P1 ∧ · · · ∧ Pk ⇏ Q, then the specification P is incomplete.
If Q is an unwanted property, N is buggy (and it should
be modified so that it does not satisfy Q). Otherwise, a new
property should be added to the specification P to make the
latter imply Q. A trivial way to achieve this goal is just to add
to P the property Q itself.
The second idea is to generate implementation properties
by a technique called partial QE (PQE) [4], [5]. In terms of
formula ∃Y [F ], PQE takes a subset of clauses of F out of
the scope of quantifiers. (So QE is a special case of PQE where
the entire formula is taken out of the scope of quantifiers.)
This results in generation of a formula Q(X,Z) implied
by F i.e. a property of N . Importantly, by taking different
subsets of clauses of F out of the scope of quantifiers, one
builds a structurally complete set of properties. By updating
specification properties every time an implementation property
proves P incomplete, one gets a structurally complete specifi-
cation. Importantly, by using clause splitting and varying the
size of the subformula taken out of the scope of quantifiers
one can control the complexity of PQE and hence that of
property generation. The latter ranges from essentially linear
(for properties specifying the input/output behavior of N for
a single test) to exponential.
Incompleteness of the specification P may lead to two kinds
of bugs. A bug of the first kind that we mentioned above
occurs when N has an unwanted property. In this case, N
excludes some correct input/output behaviors. (An example
of an unwanted property is given in Appendix A.) A bug
of the second kind occurs when N allows some incorrect
input/output behaviors. This type of bugs can be exposed
by generating properties that are inconsistent with N . (As
opposed to the implementation properties that are consistent
with N by definition.) Such inconsistent properties are meant
to imitate the missing properties of P that are not satisfied
by N (if any). Tests falsifying inconsistent properties may
expose incorrect input/output behaviors allowed by N . These
properties can also be generated by PQE. Besides, one can
follow the same idea of structural completeness by building
a set of inconsistent properties relating to different parts of
N . However, this topic is beyond the scope of this paper.
(It is covered in [3].) So here, we consider generation of a
specification that is structurally complete only with respect to
consistent properties of the implementation at hand.
The contribution of this paper is as follows. First, we
describe generation of implementation properties by PQE.
Second, we show that clause splitting allows one to reduce the
complexity of PQE (and hence the complexity of property
generation) to virtually linear. The latter result also shows that
PQE can be exponentially more efficient than QE. Third, we
sketch an algorithm for generation of a structurally complete
specification.
This paper is organized as follows. Basic definitions are
given in Section II. Section III describes generation of im-
plementation properties of combinational circuits by PQE.
Generation of properties specifying the input/output behavior
of a single test is discussed in Section IV. Section V presents
a procedure for making a specification structurally complete.
In Sections VI and VII we extend our approach to sequential
circuits. Some concluding remarks are made in Section VIII.
II. BASIC DEFINITIONS
Definition 1: Let V be a set of variables. An assignment
~v to V is a mapping V ′ → {0, 1} where V ′ ⊆ V . We will
refer to ~v as a full assignment to V if V ′ = V .
From now on, by saying “an assignment to a set of vari-
ables” we mean a full assignment, unless otherwise stated.
Definition 2: Let F be a formula. Vars(F ) denotes the set
of variables of F .
Definition 3: Let H(W,V ) be a formula where W,V are
disjoint sets of Boolean variables. The Quantifier Elimination
(QE) problem specified by ∃W[H] is to find a formula H*(V)
such that H* ≡ ∃W[H].
Definition 4: Let H1(W,V), H2(W,V) be Boolean formu-
las where W,V are sets of Boolean variables. The Partial
QE (PQE) problem is to find a formula H1*(V) such that
∃W[H1 ∧ H2] ≡ H1* ∧ ∃W[H2]. We will say that H1*
is obtained by taking H1 out of the scope of quantifiers in
∃W[H1 ∧ H2]. Formula H1* is called a solution to PQE.
Remark 1: Note that if H1* is a solution to the PQE problem
above and a clause C ∈ H1* is implied by H2 alone, then
H1* \ {C} is a solution too. If all clauses of H1* are implied
by H2, an empty set of clauses is a solution too. In this case,
H1* ≡ 1 and H1 is redundant in ∃W[H1 ∧ H2].
Let N(X,Y, Z) be a combinational circuit where X,Y, Z
are sets of input, internal and output variables respectively.
We will say that a formula F (X,Y, Z) defines N if every
consistent assignment to the variables of N corresponds to a
satisfying assignment of F and vice versa [6]. Let N consist of
gates g1, . . . , gk. The formula F can be built as G1∧· · ·∧Gk
where Gi, 1 ≤ i ≤ k is a formula defining gate gi. Formula
Gi is constructed as a conjunction of clauses falsified by
the incorrect combinations of values assigned to the variables of gi. Then
every assignment satisfying Gi corresponds to a consistent
assignment of values to gi and vice versa.
Example 1: Let g be a 2-input AND gate specified by
v3 = v1 ∧ v2. Then a formula G defining g is constructed
as C1 ∧ C2 ∧ C3 where C1 = v1 ∨ ¬v3, C2 = v2 ∨ ¬v3,
C3 = ¬v1 ∨ ¬v2 ∨ v3. Here, the clause C1, for instance, is falsified
by the assignment (v1 = 0, v3 = 1) that is inconsistent with
the truth table of g.
III. GENERATION OF IMPLEMENTATION PROPERTIES
Let N(X,Y, Z) be a combinational circuit where X,Y, Z
are sets of input, internal and output variables respectively.
Let F (X,Y, Z) be a formula defining N . Let H be a non-
empty subset of clauses of F . Consider the PQE problem of
taking H out of the scope of quantifiers in ∃W [F ] where
Y ⊆ W ⊂ Vars(F ). Let formula Q(V ) be a solution to
this problem i.e. ∃W [F ] ≡ Q∧∃W [F \H ]. (Here V denotes
Vars(F )\W and so V ⊆ (X∪Z).) Since Q is implied by F ,
it is a property of the circuit N . Note that by taking different
subsets of F out of the scope of quantifiers in ∃W [F ] one
gets different properties.
Intuitively, the smaller H , the easier taking H out of the
scope of quantifiers. So, the simplest case of the PQE problem
above is when a single clause of F is taken out of the scope of
quantifiers. However, the complexity of PQE can be reduced
much more by using clause splitting to transform F .
Definition 5: Let R = {v1, . . . , vm} be a subset of Vars(F).
Let l(v1), . . . , l(vm) be a set of literals. Let C be a clause of
F such that R ∩ Vars(C) = ∅. The splitting of C on variables
of R is to replace C with clauses C ∨ ¬l(v1), . . . , C ∨ ¬l(vm),
C ∨ l(v1) ∨ · · · ∨ l(vm).
The idea here is to take the clause C∨l(v1)∨· · ·∨l(vm) out
of the scope of quantifiers instead of C. In the next section,
we show that such replacement can reduce the complexity of
PQE to essentially linear. This also proves that PQE can be
exponentially simpler than QE.
IV. GENERATION OF SINGLE-TEST PROPERTIES
In this section, we use clause splitting to make the following
two points. First, by using clause splitting and PQE one can
generate very weak properties e.g. properties specifying the
input-output behavior of a circuit for a single test. Second,
by using clause splitting one can reduce the complexity of
PQE and, hence, that of property generation. (Of course, this
complexity reduction is achieved at the expense of the property
strength.) In particular, for the single-test properties mentioned
above, this complexity reduces to essentially linear.
A. A single-test property
In this section, we continue using the notation of the
previous section. In particular, we assume that a formula
F (X,Y, Z) defines a combinational circuit N(X,Y, Z) where
X,Y, Z are sets of input, internal and output variables respec-
tively.
Definition 6: Let ~x ′ be a test (i.e. an assignment to X). Let
~z ′ be the output assignment produced for ~x ′ by N . We will
call formula Q(X,Z) a single-test property of N if
1) Q(~x, ~z) = 1 for every ~x different from ~x ′ regardless of
the value of ~z;
2) Q(~x ′, ~z ′) = 1;
3) Q(~x ′, ~z) = 0 for at least one ~z different from ~z ′.
Informally, Q is a single-test property of N if it (partially)
specifies the input/output behavior of N for a single test
~x ′. Namely, Q excludes (some) output assignments that are
not produced for ~x ′ by N . In Subsection IV-C, we describe
a procedure called QuickPQE that generates a single-test
property.
B. The PQE problem we consider in this section
For the sake of simplicity, in our exposition, we use a
particular clause of the formula describing an AND gate of
N . (However, we explain how to extend this exposition to an
arbitrary clause of the formula describing an arbitrary gate of
N ). Let g be an AND gate of a circuit N whose functionality
is described by v3 = v1 ∧ v2 (see Example 1). Let clause
C ∈ F be equal to ¬v1 ∨ ¬v2 ∨ v3. This clause forces assigning
the output variable v3 of g to 1 when the input variables v1
and v2 of g are assigned 1. (In the general case, C ∈ F is one
of the clauses specifying a gate g of N . The clause C has one
variable specifying the output of g. The remaining variables
of C correspond to the input variables of g.)
Assume for the sake of simplicity that Vars(C) ∩ X = ∅.
Consider splitting C on the variables of X = {x1, . . . , xm}.
That is C is replaced in F with m+1 clauses C ∨ ¬l(x1), . . . ,
C ∨ ¬l(xm), C ∨ l(x1) ∨ · · · ∨ l(xm). Denote the last clause as
C′ (i.e. C′ = C ∨ l(x1) ∨ · · · ∨ l(xm)). Let F′ denote F \ {C′}.
The PQE problem we solve in the next subsection is to take
C′ out of the scope of quantifiers in ∃Y[C′ ∧ F′].
C. QuickPQE procedure
Now we present a procedure called QuickPQE that takes
C′ out of the scope of quantifiers in ∃Y [C′ ∧ F ′]. Since
QuickPQE solves only a particular subset of instances of the
PQE problem, it is incomplete. Our intention here is just to
show that this subset of instances can be solved efficiently.
One can easily incorporate QuickPQE into a complete PQE
algorithm. This simply requires adding a procedure for check-
ing if the current instance of PQE satisfies the definition of
Subsection IV-B and if so, calling QuickPQE.
Let ~x′ denote the assignment to X falsifying the literals
l(x1), . . . , l(xm) of C′. QuickPQE starts with applying ~x′ to
N. Let ~z′ be the output assignment produced by N for ~x′.
Suppose that v1 and/or v2 are assigned 0 when computing ~z′.
(In the general case, this means that the clause C and hence the
clause C′ is satisfied by an assignment to an input variable of
the gate g.) Then QuickPQE declares C′ redundant claiming
that ∃Y [C′ ∧ F ′] ≡ ∃Y [F ′].
If both v1 and v2 are assigned 1, then QuickPQE performs
one more run. (In the general case, this means that the literals
of C corresponding to the input variables of the gate g are
falsified.) In this run, QuickPQE also applies input ~x ′ but
modifies the operation of the gate g. Namely, g produces the
output value 0 (instead of the value 1 implied by assignment
v1 = 1, v2 = 1). Note that in the second run, the clause
C′ is falsified. One can view the second run as applied to
the circuit N whose functionality is modified by removing
the clause C′. If the second run produces the same output
assignment ~z ′, then QuickPQE again declares C′ redundant.
Now, suppose that N outputs an assignment ~z* different from
~z′. Then QuickPQE produces the solution Q(X,Z) consisting
of clauses B~x′ ∨ l(z1), . . . , B~x′ ∨ l(zp) where
• B~x′ = l(x1) ∨ · · · ∨ l(xm) (i.e. B~x′ is the longest clause
falsified by ~x′);
• z1, . . . , zp are the output variables of N assigned differ-
ently in ~z′ and ~z*;
• l(z1), . . . , l(zp) are literals satisfied by ~z′ (and falsified
by ~z*).
Proposition 1: Let Nlits(F ) denote the number of literals
of F . Let QuickPQE be applied to the PQE problem of taking
C′ out of the scope of quantifiers in ∃Y [C′ ∧ F ′] (described in
Subsection IV-B). Then QuickPQE produces a correct result
and the complexity of QuickPQE is O(Nlits(F) + |X|·|Z|).
The proofs of propositions are given in Appendix B.
Proposition 2: Let C′ be non-redundant in ∃Y [C′ ∧ F ′].
Then the formula Q(X,Z) generated by QuickPQE is a single-
test property of N .
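The following worked example is added here and is not code from the paper: it runs QuickPQE on a small constructed circuit (the variable numbering, the gates and the chosen clause C = ¬y1 ∨ ¬y2 ∨ z1 of the AND gate computing z1 are my own assumptions), then checks exhaustively that the returned Q is a PQE solution in the sense of Proposition 1 and a single-test property in the sense of Proposition 2. The second, modified run of QuickPQE is realised by forcing the output of gate g to 0 in a plain circuit simulator.

```python
from itertools import product

# Constructed example circuit (not from the paper): inputs x1..x3, internal
# AND gates y1, y2, outputs z1 (AND) and z2 (OR). Variables are ints and a
# negative int is a negated literal, so a clause is a frozenset of ints.
X = [1, 2, 3]
Y = [4, 5]
Z = [6, 7]
GATES = [                       # (output var, op, input vars), topological order
    (4, "and", (1, 2)),         # y1 = x1 & x2
    (5, "and", (2, 3)),         # y2 = x2 & x3
    (6, "and", (4, 5)),         # z1 = y1 & y2   <- the gate g of Subsection IV-B
    (7, "or", (4, 5)),          # z2 = y1 | y2
]

def gate_clauses(out, op, ins):
    """Clauses defining one gate (Section II): each is falsified by exactly one
    input/output combination that contradicts the gate's truth table."""
    a, b = ins
    if op == "and":
        return [frozenset({a, -out}), frozenset({b, -out}), frozenset({-a, -b, out})]
    return [frozenset({-a, out}), frozenset({-b, out}), frozenset({a, b, -out})]

def simulate(gates, x, force=None):
    """Evaluate the circuit on input dict x. force=(var, value) overrides one
    gate's output, which is how QuickPQE's second run modifies gate g."""
    val = dict(x)
    for out, op, (a, b) in gates:
        v = (val[a] and val[b]) if op == "and" else (val[a] or val[b])
        val[out] = force[1] if force and force[0] == out else v
    return val

def eval_cnf(clauses, a):
    return all(any(a[abs(l)] == (l > 0) for l in cl) for cl in clauses)

def split_on_inputs(f, c, x_prime):
    """Definition 5 applied to C and X: l(x_i) is the literal of x_i falsified by x'.
    Returns (C', F') with C' = C | l(x1) | ... | l(xm) and F' = (F minus C) + {C | ~l(x_i)}."""
    lits = [-v if x_prime[v] else v for v in X]
    f_prime = [cl for cl in f if cl != c] + [c | {-l} for l in lits]
    return c | frozenset(lits), f_prime

def quick_pqe(gates, g, x_prime):
    """QuickPQE (Subsection IV-C) for the clause C of AND gate g that forces its
    output to 1, after C has been split on X. Returns the clauses of Q;
    an empty list means Q == 1 (C' is redundant)."""
    out, _, (a, b) = g
    b_x = frozenset(-v if x_prime[v] else v for v in X)   # B_x': longest clause falsified by x'
    run1 = simulate(gates, x_prime)
    if not (run1[a] and run1[b]):           # an input of g satisfies C, hence C'
        return []
    run2 = simulate(gates, x_prime, force=(out, 0))   # g outputs 0: C and C' falsified
    z1 = {v: run1[v] for v in Z}
    z2 = {v: run2[v] for v in Z}
    if z1 == z2:
        return []
    # one clause B_x' | l(z) per output that differs; l(z) is satisfied by z', falsified by z*
    return [b_x | {v if z1[v] else -v} for v in Z if z1[v] != z2[v]]

def satisfiable(clauses, fixed, free):
    return any(eval_cnf(clauses, {**fixed, **dict(zip(free, bits))})
               for bits in product((0, 1), repeat=len(free)))

def is_pqe_solution(q, c_prime, f_prime):
    """Exhaustive check of exists Y [C' & F'] == Q & exists Y [F'] on every
    assignment to X u Z (the equisatisfiability argument of Appendix B)."""
    n = len(X) + len(Z)
    return all(satisfiable([c_prime] + f_prime, xz, Y) == satisfiable(q + f_prime, xz, Y)
               for xz in (dict(zip(X + Z, bits)) for bits in product((0, 1), repeat=n)))

def is_single_test_property(q, x_prime):
    """Definition 6: Q holds on every x != x', holds on (x', z'), and is
    falsified by at least one (x', z) with z != z'."""
    z_prime = {v: simulate(GATES, x_prime)[v] for v in Z}
    other_ok, own_ok, excludes = True, True, False
    for bits in product((0, 1), repeat=len(X) + len(Z)):
        xz = dict(zip(X + Z, bits))
        holds = eval_cnf(q, xz)
        if any(xz[v] != x_prime[v] for v in X):
            other_ok = other_ok and holds
        elif all(xz[v] == z_prime[v] for v in Z):
            own_ok = own_ok and holds
        elif not holds:
            excludes = True
    return other_ok and own_ok and excludes

def run_quick_pqe(x_bits):
    """Build F, split C (the clause -y1 | -y2 | z1 of gate g) on X for the test
    x_bits, run QuickPQE and verify the result. Returns (Q, correct, single_test)."""
    x_prime = dict(zip(X, x_bits))
    g = GATES[2]
    c = frozenset({-4, -5, 6})
    f = [cl for gt in GATES for cl in gate_clauses(*gt)]
    c_prime, f_prime = split_on_inputs(f, c, x_prime)
    q = quick_pqe(GATES, g, x_prime)
    return q, is_pqe_solution(q, c_prime, f_prime), is_single_test_property(q, x_prime)

if __name__ == "__main__":
    print(run_quick_pqe((1, 1, 1)))   # both inputs of g are 1: Q = {-x1 | -x2 | -x3 | z1}
    print(run_quick_pqe((1, 1, 0)))   # y2 = 0 satisfies C: C' is redundant, Q == 1
```

For the test 111 the single clause of Q says "if all three inputs are 1 then z1 = 1", which is exactly the input/output behaviour of N for that one test; for 110 the clause is redundant and QuickPQE stops after the first run.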
V. PRODUCING A STRUCTURALLY COMPLETE SET OF
PROPERTIES
In this section, we give an example of a procedure called
CmplSet that generates a structurally complete specification.
The pseudocode of CmplSet is shown in Figure 1. CmplSet
accepts
• a specification P (i.e. a set of properties P1,. . . ,Pk)
• an “informal” specification Pinf that is used to tell if a
property of N is unwanted
• an implementation F(X,Y,Z) defining a circuit N
• the set of variables V ⊆ (X ∪ Z) on which implementa-
tion properties will depend.
CmplSet returns an unwanted property of N exposing a
bug (if any) or a structurally complete specification P . The
existence of an informal specification Pinf is based on the
assumption that, for every input, the designer is able to tell if
the output produced by N is incorrect.
CmplSet starts with initializing a copy Cls of formula F
(line 1). Then CmplSet runs a ’while’ loop until Cls is empty.
CmplSet starts an iteration of the loop by extracting a clause
C from Cls (lines 3-4). Then it builds an implementation
property Q(V ) as a solution to the PQE problem ∃W [C ∧ F ′]
where F ′ = F \ {C} and W = Vars(F ) \ V (line 5). That is
∃W [C ∧ F ′] ≡ Q ∧ ∃W [F ′]. One can view Q as a property
“probing” the part of N represented by C. Then CmplSet
calls the procedure called Clean (line 6) to remove the clauses
implied by F′ from Q (see Remark 1). At this point, Q consists
only of clauses whose derivation involved the clause C.
CmplSet(P, Pinf, F, V) {
1   Cls := F
2   while (Cls ≠ ∅) {
3     C := PickCls(Cls)
4     Cls := Cls \ {C}
5     Q := PQE(F, C, V)
6     Clean(Q, F, C)
7     if (Impl(P, Q)) continue
8     if (Unwanted(Pinf, Q)) return (Q, nil)
9     P := SpecProp(P, Pinf, F, Q)
10    P := P ∪ {P} }
11  return (nil, P) }
Fig. 1. The CmplSet procedure
Then CmplSet checks if P1 ∧ · · · ∧Pk ⇒ Q (line 7). If so,
then a new iteration starts. Otherwise, the current specification
P is incomplete, which requires modification of N or P . If
Q is an unwanted property, CmplSet returns it as a proof
that N is buggy (line 8). In this case, Q excludes some
correct input/output behaviors. To decide if this is the case, the
informal specification Pinf mentioned above is applied. If Q
is a desired property, CmplSet generates a new specification
property P such that P1 ∧ · · · ∧ Pk ∧ P ⇒ Q and adds it
to P (lines 9-10). A trivial way to update P is just to use
Q as a new specification property (i.e. P = Q). If CmplSet
terminates the loop without finding a bug, it returns P as a
structurally complete specification.
VI. EXTENDING IDEA TO SEQUENTIAL CIRCUITS
In this section and Section VII, we extend our approach
to sequential circuits. Subsections VI-A and VI-B provide
some definitions. Subsection VI-C gives a high-level view of
building a structurally complete specification for a sequential
circuit (in terms of safety properties).
A. Some definitions
Let M(S,X, Y, S′) be a sequential circuit. Here X,Y
denote input and internal combinational variables respectively
and S, S′ denote the present and next state variables respec-
tively. (For the sake of simplicity, we assume that M does not
have any combinational output variables.) Let F (S,X, Y, S′)
be a formula describing the circuit M . The formula F is built
for M in the same manner as for a combinational circuit
(see Section II). Let I(S) be a formula specifying the initial
states of M. Let T(S,S′) denote ∃X∃Y[F] i.e. the transition
relation of M .
A state ~s is an assignment to S. Any formula P (S) is
called a safety property for M . A state ~s is called a P -state if
P (~s) = 1. A state ~s is called reachable in n transitions (or in
n-th time frame) if there is a sequence of states ~s1,. . . ,~sn+1
such that ~s1 is an I-state, T (~si, ~si+1) = 1 for i = 1, . . . , n
and ~sn+1=~s.
We will denote the reachability diameter of M with initial
states I as Diam(M, I). That is if n = Diam(M, I), every
state of M is reachable from I-states in at most n transitions.
We will denote as Rch(M, I, n) a formula specifying the
set of states of M reachable from I-states in n transitions.
We will denote as Rch(M, I) a formula specifying all states
of M reachable from I-states. A property P holds for M with
initial states I, if no ¬P-state is reachable from an I-state.
B. Stuttering
In the following explanation, for the sake of simplicity, we
assume that the circuit M above has the stuttering feature.
This means that T (~s, ~s)=1 for every state ~s and so M can
stay in any given state arbitrarily long. If M does not have this
feature, one can introduce stuttering by adding a combinational
input variable v. The modified circuit works as before if v = 1
and remains in its current state if v = 0.
On one hand, introduction of stuttering does not affect the
reachability of states of M . On the other hand, stuttering
guarantees that the transition relation of M has two nice
properties. First, ∃S[T (S, S′)] ≡ 1, since for every next state
~s ′, there is a “stuttering transition” from ~s to ~s ′ where ~s =
~s ′. Second, if a state is unreachable in M in n transitions it
is also unreachable in i transitions if i < n. Conversely, if a
state is reachable in M in n transitions, it is also reachable in
i transitions where i > n.
Remark 2: Note that for a circuit M with the stuttering
feature, formula Rch(M, I, n) specifies not only the states
reachable in n transitions but also those reachable in at most
n transitions.
C. High-level view
In this paper, we consider a specification of the sequential
circuit M above in terms of safety properties. So, when we
say a specification property P (S) of M we mean a safety
property. Let F1,i denote F1 ∧ · · · ∧ Fi where Fj , 1 ≤ j ≤ i
is the formula F in j-th time frame i.e. expressed in terms of
sets of variables Sj , Xj , Yj , Sj+1. Formula Rch(M, I, n) can
be computed by QE on formula ∃W1,n[I1 ∧ F1,n]. Here I1 =
I(S1) and W1,n = Vars(F1,n) \ Sn+1. If n ≥ Diam(M, I),
then Rch(M, I, n) is also Rch(M, I) specifying all states of
M reachable from I-states.
Let P = {P1, . . . , Pk} be a set of properties forming a
specification of a sequential circuit with initial states defined
by I . Let a sequential circuit M be an implementation of the
specification P. So, every property Pi, i = 1, . . . , k holds for
M and I . Verifying the completeness of P reduces to checking
if P1 ∧ · · · ∧ Pk ⇒ Rch(M, I). Assume that computing
Rch(M, I) is hard. So, one does not know if the specification
P is complete. Then one can use the approach described in
the previous sections to form a specification that is complete
structurally rather than functionally.
We exploit here the same idea of using PQE to compute
properties of M i.e. implementation properties. Let Q be such
a property. If P1 ∧ · · · ∧ Pk ⇏ Q, then the specification P is
incomplete. If some states falsifying Q (and hence unreachable
from I-states) should be reachable, M is buggy and must be
modified. Otherwise, one needs to update P by adding a spec-
ification property P to guarantee that P1 ∧ · · · ∧Pk ∧P ⇒ Q.
The simplest way to achieve this goal is just to add Q to P .
Using a procedure similar to that shown in Fig. 1 one can
construct a structurally complete specification.
VII. GENERATION OF SAFETY PROPERTIES
In this section, we continue using the notation of the
previous section. Here, we discuss generation of properties
for a sequential circuit M(S,X, Y, S′), i.e. implementation
properties. Subsection VII-A considers the case where the
reachability diameter Diam(M, I) is known. (In [2], we
showed that one can use PQE to find Diam(M, I) without
generation of all reachable states.) Subsection VII-B describes
an approach to generation of properties when Diam(M, I) is
not known.
A. The case of known reachability diameter
As we mentioned in Subsection VI-C, formula Rch(M, I)
can be obtained by QE on ∃W1,n[I1 ∧ F1,n] where n ≥
Diam(M, I). Here I1 = I(S1), F1,n = F1 ∧ · · · ∧ Fn, and
W1,n = Vars(F1,n) \ Sn+1.
Below we show how one can build a property of M by
PQE. Let C be a clause of F1,n. Let Q(Sn+1) be a solution to
the PQE problem of taking C out of the scope of quantifiers
in ∃W1,n[I1 ∧ C ∧ F′1,n] where F′1,n = F1,n \ {C}. That is
∃W1,n[I1 ∧ C ∧ F′1,n] ≡ Q ∧ ∃W1,n[I1 ∧ F′1,n]. Let us show
that Q is a property of M. Let ~s be a state falsifying Q i.e. ~s
is unreachable from an I-state in n transitions. On one hand,
since M has the stuttering feature, ~s cannot be reached in
i transitions where i ≤ n. On the other hand, since n ≥
Diam(M, I), ~s cannot be reached in i transitions where i > n.
So all states falsifying Q are unreachable and thus Q is a
property of M . By taking different clauses of F1,n out of the
scope of quantifiers one can generate different implementation
properties. Following a procedure similar to that of Fig. 1, one
can generate a specification of M that is structurally complete.
B. The case of unknown reachability diameter
Suppose that the reachability diameter of M is unknown.
Then one needs to modify the procedure of the previous
subsection as follows. Let Q(Sn+1) be a solution to the
PQE problem of taking C out of the scope of quantifiers in
∃W1,n[I1 ∧ C ∧ F′1,n] where F′1,n = F1,n \ {C}. Assume that
n < Diam(M, I). Then Q is not a property of M . One can
only guarantee that the states falsifying Q cannot be reached
in at most n transitions.
MakeInv(F, I, Q) {
1   while (true) {
2     (Cex, Q) := MC(F, I, Q)
3     if (Cex = nil) return (Q)
4     Q := Relax(Q, Cex)
5     if (Q ≡ 1) return (Q) } }
Fig. 2. The MakeInv procedure
One can turn Q into a property by using procedure MakeInv
shown in Figure 2. MakeInv runs a 'while' loop. First, MakeInv
calls a model checker MC (e.g. IC3 [1]) to prove property
Q. If MC succeeds, MakeInv returns Q as a property of M .
Otherwise, MC finds a counterexample Cex. This means that
a state ~s falsifying Q (and thus unreachable in at most n
transitions) is reachable in i transitions where i > n. Then
one needs to relax Q by replacing it with a property implied
by Q but not falsified by ~s.
One way to relax Q is to replace it with a solution R to
the PQE problem of taking Q(S) out of the scope of quantifiers
in ∃W[Q(S) ∧ F(S,X,Y,S′)] where W = X ∪ Y ∪ S. That
is ∃W[Q ∧ F] ≡ R ∧ ∃W[F]. Since the circuit M has the
stuttering feature, ∃W [F ] ≡ 1. So R just specifies the set
of states reachable from Q-states in one transition. If ~s still
falsifies R, one can use PQE to find the set of states reachable
from R-states and so on. If ~s does not falsify R, the latter is
used as a new formula Q (line 4). If relaxation ends up with a
trivial property, MakeInv terminates (line 5). Otherwise a new
iteration starts.
By taking different clauses of F1,n out of the scope of
quantifiers in ∃W1,n[I1 ∧ F1,n] one can generate different
properties of the circuit M .
VIII. CONCLUSIONS
Incompleteness of a specification Spec creates two prob-
lems. First, an implementation Impl of Spec may have some
unwanted properties that Spec does not ban. Second, Impl
may break some desired properties that are not in Spec. In
either case, Spec fails to expose bugs of Impl. In testing, the
problem of functional incompleteness is addressed by running
a test set that is complete structurally rather than functionally.
This structural completeness is achieved by generating tests
probing every piece of Impl. We apply this idea to formal
verification. Namely, we show that by using a technique
called partial quantifier elimination (PQE) one can generate
properties probing different parts of Impl. By checking that no
property of Impl generated by PQE is unwanted one addresses
the first problem above. By updating Spec to make it imply
the desired properties of Impl generated by PQE one builds
a specification that is structurally complete. One can use a
similar approach to address the second problem above [3].
REFERENCES
[1] A. R. Bradley. Sat-based model checking without unrolling. In VMCAI,
pages 70–87, 2011.
[2] E. Goldberg. Property checking without invariant generation. Technical
Report arXiv:1602.05829 [cs.LO], 2016.
[3] E. Goldberg. On verifying designs with incomplete specification. Tech-
nical Report arXiv:2004.09503 [cs.LO], 2020.
[4] E. Goldberg. Partial quantifier elimination by certificate clauses. Techni-
cal Report arXiv:2003.09667 [cs.LO], 2020.
[5] E. Goldberg and P. Manolios. Partial quantifier elimination. In Proc. of
HVC-14, pages 148–164. Springer-Verlag, 2014.
[6] G. Tseitin. On the complexity of derivation in the propositional calculus.
Zapiski nauchnykh seminarov LOMI, 8:234–259, 1968. English transla-
tion of this volume: Consultants Bureau, N.Y., 1970, pp. 115–125.
APPENDIX A
UNWANTED PROPERTY DERIVED BY PQE
In this appendix, we give an example of an unwanted prop-
erty derived by PQE. Consider the design of a combinational
circuit called a sorter. It accepts r-bit numbers ranging from
0 to 2r−1, sorts them, and outputs the result. Let X and Z
be sets of input and output variables of the sorter respectively.
Assume that the sorter accepts m numbers. Let x1, . . . , xm and
z1, . . . , zm be the numbers specified by input ~x and output ~z
respectively. The properties P′(Z) and P′′(X,Z) below form
a complete specification of the sorter.
• P ′(~z) = 1 iff z1 ≤ · · · ≤ zm,
• P ′′(~x, ~z)=1 iff z1,. . . ,zm is a permutation of x1,. . . ,xm.
Let the designer use an incomplete specification P consisting
only of the property P ′. Let N(X,Y, Z) be an implementation
of the sorter and F (X,Y, Z) be a formula describing the
functionality of N . Assume F ⇒ P ′ i.e. N satisfies the
specification P. Suppose N is buggy. Namely, let z1 = 0 for
every input ~x of N. (This does not contradict F ⇒ P′, since
zi ≥ 0, 1 < i ≤ m.) Then N has a property Q falsified by the
outputs ~z where z1 = b and b is a constant 1 ≤ b ≤ 2^r − 1.
Suppose Q is obtained by taking C ∈ F out of the scope
of quantifiers in ∃Y[F] i.e. by PQE. On one hand, P′ ⇏ Q.
Indeed, P ′ is satisfied by an assignment ~z where z1, . . . , zm
are sorted and z1 = b. So derivation of Q proves P incomplete.
On the other hand, Q is an unwanted property of N . In a
correct sorter, z1 can take any value from 0 to 2^r − 1. So
derivation of Q exposes a hole in P and proves N buggy.
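An added example (not the paper's code) that serves both the CmplSet procedure of Section V and the sorter of this appendix: CmplSet is run on a sorter of two 1-bit numbers (r = 1, m = 2, my own reduction of the example) whose z1 is stuck at 0, against a specification that contains only P′. PQE is done by plain quantifier elimination over a truth table, which is the trivially correct but exponential solution; Clean, Impl and Unwanted are realised by enumeration, and the informal specification Pinf is a reference sorter. Variable numbering and clause order are assumptions of the example.

```python
from itertools import product

# Constructed instance (not from the paper): a sorter of two 1-bit numbers with
# the Appendix A bug (z1 stuck at 0) and a specification consisting of P' only.
# Variables are ints, a negative int is a negated literal, a clause a frozenset.
X = [1, 2]                 # inputs  x1, x2
Z = [3, 4]                 # outputs z1 (smaller), z2 (larger); no internal variables
V = X + Z                  # implementation properties depend on all of X u Z

# F for the buggy implementation N: unit clause z1 == 0, and z2 = x1 | x2.
F_BUGGY = [frozenset({-3}),
           frozenset({-1, 4}), frozenset({-2, 4}), frozenset({1, 2, -4})]
# F for a correct implementation: z1 = x1 & x2 and z2 = x1 | x2.
F_CORRECT = [frozenset({1, -3}), frozenset({2, -3}), frozenset({-1, -2, 3}),
             frozenset({-1, 4}), frozenset({-2, 4}), frozenset({1, 2, -4})]
# P = {P'} with P' : z1 <= z2, i.e. the clause -z1 | z2 (the permutation property P'' is missing).
P_SPEC = [[frozenset({-3, 4})]]

def sorter_reference(x):
    """The informal specification P_inf: what a correct sorter outputs for x."""
    return {3: min(x[1], x[2]), 4: max(x[1], x[2])}

def eval_cnf(clauses, a):
    return all(any(a[abs(l)] == (l > 0) for l in cl) for cl in clauses)

def assignments(variables):
    for bits in product((0, 1), repeat=len(variables)):
        yield dict(zip(variables, bits))

def satisfiable(clauses, fixed, free):
    return any(eval_cnf(clauses, {**fixed, **a}) for a in assignments(free))

def pqe_brute_force(f, c, v):
    """Take C out of the scope of quantifiers in exists W [C & F'] (line 5 of
    Fig. 1) by plain QE: Q(V) := exists W [C & F'] written as a CNF with one
    blocking clause per falsifying assignment to V. Exponential, but a valid
    solution, which is all this illustration needs. Returns (Q, F')."""
    f_prime = [cl for cl in f if cl != c]
    w = [x for x in sorted({abs(l) for cl in f for l in cl}) if x not in v]
    q = [frozenset(-x if a[x] else x for x in v)      # longest clause falsified by a
         for a in assignments(v) if not satisfiable([c] + f_prime, a, w)]
    return q, f_prime

def clean(q, f_prime, all_vars):
    """Clean (line 6, Remark 1): drop every clause of Q already implied by F'
    alone, i.e. every clause cl such that F' & ~cl is unsatisfiable."""
    kept = []
    for cl in q:
        falsify = {abs(l): int(l < 0) for l in cl}
        if satisfiable(f_prime, falsify, [x for x in all_vars if x not in falsify]):
            kept.append(cl)
    return kept

def implied(p_clauses, q, v):
    """Impl (line 7): P1 & ... & Pk => Q, checked over all assignments to V."""
    return all(eval_cnf(q, a) for a in assignments(v) if eval_cnf(p_clauses, a))

def unwanted(q):
    """Unwanted (line 8): Q excludes an input/output behaviour the correct sorter has."""
    return any(not eval_cnf(q, {**x, **sorter_reference(x)}) for x in assignments(X))

def cmpl_set(p, f, v):
    """CmplSet of Fig. 1 with the trivial SpecProp choice P := Q (line 9).
    Returns (Q, None) for an unwanted property, or (None, P) when P has
    become structurally complete for F."""
    all_vars = sorted({abs(l) for cl in f for l in cl})
    spec = list(p)
    for c in f:                                  # PickCls: clauses in order
        q, f_prime = pqe_brute_force(f, c, v)
        q = clean(q, f_prime, all_vars)
        if implied([cl for prop in spec for cl in prop], q, v):
            continue
        if unwanted(q):
            return q, None
        spec.append(q)
    return None, spec

if __name__ == "__main__":
    print(cmpl_set(P_SPEC, F_BUGGY, V))     # unwanted Q: P' alone does not rule out z1 = 1
    print(cmpl_set(P_SPEC, F_CORRECT, V))   # no bug; P grows into a structurally complete spec
```

For the buggy sorter the very first clause (the stuck-at-0 unit clause) yields a Q that forbids z1 = 1, which P′ does not imply and which the reference sorter violates on input (1, 1); for the correct sorter every generated Q is consistent with the reference and is simply added to P.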
APPENDIX B
PROOF OF PROPOSITION 1
Proposition 1: Let Nlits(F ) denote the number of literals
of F . Let QuickPQE be applied to the PQE problem of taking
C′ out of the scope of quantifiers in ∃Y [C′ ∧ F ′] (described in
Subsection IV-B). Then QuickPQE produces a correct result
and the complexity of QuickPQE is O(Nlits(F) + |X|·|Z|).
Proof: The complexity of QuickPQE is linear in Nlits(F )
because the former performs two test runs, each run having
linear complexity in the number of literals of F . The term
|X|·|Z| is due to the fact that the solution produced by
QuickPQE may consist of |Z| clauses of |X| + 1 literals.
Now, let us show that QuickPQE produces a correct solu-
tion. Let w ∈ Y ∪ Z denote the output variable of the gate
g. Assume for the sake of clarity that C contains the positive
literal of w. So, in the second run of QuickPQE (where C′
and C are falsified) the value of w is set to 0.
Denote the solution produced by QuickPQE as Q(X,Z) and
so ∃Y [C′ ∧ F ′] ≡ Q∧ ∃Y [F ′]. We prove this equivalence by
showing that C′ ∧F ′ and Q∧F ′ are equisatisfiable for every
assignment (~x,~z) to X ∪ Z . (Recall that X and Z specify
the input and output variables of the circuit N .) Below, we
consider the three possible cases.
Case 1. In the first run of QuickPQE, an input variable
of the gate g is assigned the value satisfying the clause C
(and hence the clause C′). In this case Q ≡ 1. So one needs
to show that for every assignment (~x,~z) to X ∪ Z , formulas
C′∧F ′ and F ′ are equisatisfiable. Consider the following two
sub-cases.
(a) ~x ≠ ~x′. Then C′ is satisfied by ~x and so C′ ∧ F′ and F′ are logically equivalent in subspace (~x,~z).
(b) ~x = ~x′. In this case, C′ is satisfied by an assignment to an input variable of the gate g. The latter is true because the execution trace of N under input ~x can be obtained by Boolean Constraint Propagation (BCP) in subspace ~x over formula C′ ∧ F′. The definition of an execution trace entails that this BCP satisfies all clauses of F. The fact that BCP leads to satisfying C′ means that a clause implying C′ in subspace ~x can be derived by resolving³ clauses of F′. This means that C′ is implied by formula F′ in subspace ~x. So C′ ∧ F′ and F′ are logically equivalent in subspace (~x,~z).
Case 2. In the first run of QuickPQE, all input variables
of the gate g are assigned values falsifying C. In the second
run of QuickPQE, N outputs the same assignment ~z ′ as in
the first run. Then, like in the first case, Q ≡ 1. So one needs
to show that for every assignment (~x,~z) to X ∪ Z , formulas
C′ ∧ F ′ and F ′ are equisatisfiable. Consider the following
three sub-cases.
(a) ~x ≠ ~x′. Then C′ is satisfied by ~x and so C′ ∧ F′ and F′ are logically equivalent in subspace (~x,~z).
(b) ~x = ~x′ and ~z ≠ ~z′. Let us show that in this case both C′ ∧ F′ and F′ are unsatisfiable in subspace (~x,~z). Let zi ∈ Z be a variable assigned differently in ~z and ~z′. Let l(zi) be the literal of zi falsified by ~z (and satisfied by ~z′). The fact that N outputs ~z′ under input ~x′ means that F implies the clause B_{~x′} ∨ l(zi). So C′ ∧ F′ is falsified in subspace (~x,~z). The fact that N outputs ~z′ in both runs means that F′ implies clauses B_{~x′} ∨ l(zi) ∨ w and B_{~x′} ∨ l(zi) ∨ ¬w. (Recall that the variable w specifies the output of the gate g. The variable w is assigned 1 in the first run to satisfy C′ because the literals of all other variables of C′ are falsified. The variable w is assigned 0 in the second run.) So F′ implies the resolvent of these two clauses on w, equal to B_{~x′} ∨ l(zi). Hence F′ is falsified in subspace (~x,~z) too.
(c) ~x = ~x ′ and ~z = ~z ′. Let us show that in this case C′ ∧F ′
and F ′ are both satisfiable in subspace (~x,~z). Let ~p be the
assignment to the variables of N produced in the first run
of QuickPQE. By definition, the assignment to X ∪ Z in
~p is the same as in (~x ′,~z ′) and hence in (~x,~z). Besides, ~p
satisfies C′ ∧ F ′ and hence F ′.
Case 3. In the first run of QuickPQE, all input variables of the gate g are assigned values falsifying C. In the second run of QuickPQE, N outputs an assignment ~z∗ that is different from the assignment ~z′ output in the first run of QuickPQE. In this case, the solution Q(X,Z) consists of the clauses B_{~x′} ∨ l(z1), . . . , B_{~x′} ∨ l(zp) where {z1, . . . , zp} is the set of variables assigned differently in ~z′ and ~z∗. So one needs to show that for every assignment (~x,~z) to X ∪ Z, formulas C′ ∧ F′ and Q ∧ F′ are equisatisfiable. Consider the following four sub-cases. (We denote the set of variables where ~z′ and ~z∗ have the same value as Z∗.)
³Let clauses C′, C′′ have opposite literals of exactly one variable w ∈ Vars(C′) ∩ Vars(C′′). Then clauses C′, C′′ are called resolvable on w. The clause C having all literals of C′, C′′ but those of w is called the resolvent of C′, C′′ on w. The clause C is said to be obtained by resolution on w.
(a) ~x ≠ ~x′. Then C′ and Q are satisfied by ~x. So C′ ∧ F′ and Q ∧ F′ are logically equivalent in subspace (~x,~z).
(b) ~x = ~x′ and there is a variable zi ∈ Z∗ that is assigned in ~z differently than in ~z′. Then both C′ ∧ F′ and Q ∧ F′ are unsatisfiable in subspace (~x,~z). This can be shown as in case 2b above.
(c) ~x = ~x′ and all variables of Z∗ are assigned the same value in ~z and ~z′ and there is a variable zi ∈ (Z \ Z∗) that is assigned in ~z as in ~z∗ (i.e. differently from ~z′). Let us show that in this case both C′ ∧ F′ and Q ∧ F′ are unsatisfiable in subspace (~x,~z). The formula C′ ∧ F′ is falsified because it implies the clause B_{~x′} ∨ l(zi) that is falsified by (~x,~z). The formula Q ∧ F′ is falsified by (~x,~z) because it contains the clause B_{~x′} ∨ l(zi).
(d) ~x = ~x ′ and ~z = ~z ′. Let us show that in this case C′ ∧F ′
and Q∧F ′ are both satisfiable in subspace (~x,~z). Let ~p be
the assignment to the variables of N produced in the first
run of QuickPQE. By definition, ~p agrees with assignment
(~x ′,~z ′) and hence with (~x,~z). Besides, ~p satisfies C′ ∧F ′
and hence F ′. Since ~p also satisfies Q, it satisfies Q∧F ′
as well.
Proposition 2: Let C′ be non-redundant in ∃Y[C′ ∧ F′]. Then the formula Q(X,Z) generated by QuickPQE is a single-test property of N.
Proof: Let D be a clause of Q(X,Z), i.e. D = B_{~x′} ∨ l(zi) where zi ∈ Z and B_{~x′} is the longest clause falsified by ~x′. The clause D is satisfied by any assignment ~x to X that is different from ~x′. Then D and hence Q meet the first condition of Definition 6. Let ~z′ denote the output assignment produced by N for ~x′. By definition of Q, the literal l(zi) is satisfied by ~z′. So D is satisfied by (~x′,~z′). Then D and hence Q meet the second condition of Definition 6. Finally, D is falsified by the assignment (~x′,~z∗) where ~z∗ is obtained from ~z′ by flipping the value of zi. Then Q meets the third condition of Definition 6, because it excludes the output assignment ~z∗ that is wrong for the input assignment ~x′.
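The two runs of QuickPQE from the proof of Proposition 1 and the check of the three conditions of Definition 6 from the proof of Proposition 2, as an added Python illustration that is not the paper's code. It assumes a constructed toy circuit built from AND and NOT gates, assumes that the clause C taken out of the scope of quantifiers is the clause of gate g containing the positive literal of its output w (so the second run sets w to 0), and represents the clause B_{~x′} by the input assignment ~x′ itself; the circuit and the names simulate, quick_pqe, clause_satisfied, q_satisfied and is_single_test_property are assumptions made for this example.

```python
from itertools import product
from typing import Dict, List, Optional, Tuple

Gate = Tuple[str, str, Tuple[str, ...]]   # (output variable w, gate type, input variables)
Assignment = Dict[str, int]
# A clause B_x' v l(z_i) is encoded as (x', z_i, v): "under input x', z_i must equal v".
InputKey = Tuple[Tuple[str, int], ...]
Clause = Tuple[InputKey, str, int]

# Constructed toy circuit N (not from the paper): X = {a, b, c}, Z = {z1, z2},
# internal variables Y = {n1, n2}. Gates are listed in topological order.
INPUTS = ["a", "b", "c"]
OUTPUTS = ["z1", "z2"]
GATES: List[Gate] = [
    ("n1", "AND", ("a", "b")),
    ("n2", "NOT", ("c",)),
    ("z1", "AND", ("n1", "n2")),
    ("z2", "NOT", ("n1",)),
]


def input_key(x: Assignment) -> InputKey:
    """Canonical form of an input assignment, standing in for the clause B_x'."""
    return tuple(sorted(x.items()))


def simulate(gates: List[Gate], x: Assignment,
             forced: Optional[Assignment] = None) -> Assignment:
    """Execution trace of N under input x, i.e. one run of QuickPQE.
    `forced` overrides the value of a gate output w, which models the second
    run in which the literal of w in C' is falsified (w is set to 0)."""
    vals: Assignment = dict(x)
    for w, op, ins in gates:
        a = [vals[v] for v in ins]
        if op == "AND":
            vals[w] = int(all(a))
        elif op == "NOT":
            vals[w] = int(not a[0])
        else:
            raise ValueError(f"unsupported gate type {op}")
        if forced is not None and w in forced:
            vals[w] = forced[w]
    return vals


def quick_pqe(gates: List[Gate], outputs: List[str], g: Gate,
              x_prime: Assignment) -> List[Clause]:
    """Clauses of Q(X,Z) obtained by taking the clause C of gate g that holds
    the positive literal of its output w out of exists Y [C' ^ F'].
    An empty list means Q = 1 (Cases 1 and 2 of Proposition 1)."""
    w = g[0]
    first = simulate(gates, x_prime)
    # Case 1: an input variable of g satisfies C in the first run.  For an AND
    # gate C = ~a1 v ... v ~ak v w and for a NOT gate C = a v w, so in both
    # cases an input literal of C is satisfied exactly when g outputs 0.
    if first[w] == 0:
        return []
    # Second run: C' and C are falsified, so w is set to 0 and the change is
    # propagated through the rest of the circuit.
    second = simulate(gates, x_prime, forced={w: 0})
    z_prime = {z: first[z] for z in outputs}
    z_star = {z: second[z] for z in outputs}
    # Case 2 (same outputs): Q = 1.  Case 3: one clause B_x' v l(z_i) for every
    # output that changed, where l(z_i) is the literal satisfied by z'.
    return [(input_key(x_prime), z, z_prime[z])
            for z in outputs if z_prime[z] != z_star[z]]


def clause_satisfied(clause: Clause, x: Assignment, z: Assignment) -> bool:
    """B_x' v l(z_i) is satisfied by (x, z) iff x != x' or z_i takes its value in z'."""
    key, zi, v = clause
    return input_key(x) != key or z[zi] == v


def q_satisfied(q: List[Clause], x: Assignment, z: Assignment) -> bool:
    return all(clause_satisfied(c, x, z) for c in q)


def is_single_test_property(q: List[Clause], inputs: List[str], gates: List[Gate],
                            outputs: List[str], x_prime: Assignment) -> bool:
    """Brute-force check of the three conditions of Definition 6 as they are
    used in the proof of Proposition 2: Q is satisfied by every input other
    than x', Q is satisfied by (x', z'), and Q excludes some output for x'."""
    z_prime = {z: v for z, v in simulate(gates, x_prime).items() if z in outputs}
    all_z = [dict(zip(outputs, bits)) for bits in product((0, 1), repeat=len(outputs))]
    for bits in product((0, 1), repeat=len(inputs)):
        x = dict(zip(inputs, bits))
        if input_key(x) == input_key(x_prime):
            continue
        if not all(q_satisfied(q, x, z) for z in all_z):
            return False                      # first condition violated
    if not q_satisfied(q, x_prime, z_prime):
        return False                          # second condition violated
    return any(not q_satisfied(q, x_prime, z) for z in all_z)   # third condition


if __name__ == "__main__":
    x_prime = {"a": 1, "b": 1, "c": 0}
    q = quick_pqe(GATES, OUTPUTS, GATES[0], x_prime)
    print("Q =", q)
    print("single-test property:", is_single_test_property(q, INPUTS, GATES, OUTPUTS, x_prime))
```

Running quick_pqe on gate n1 under the input a=1, b=1, c=0 is an instance of Case 3: flipping n1 changes both outputs, so Q gets the two clauses B_{~x′} ∨ z1 and B_{~x′} ∨ ¬z2, and is_single_test_property confirms that Q excludes the wrong output for this single test while constraining no other input. With a=0 the same gate falls into Case 1 (an input already satisfies C), and gate n2 under a=0, b=1, c=0 falls into Case 2 (the flip does not reach the outputs); in both cases Q = 1, which is not a single-test property because it excludes nothing.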
