arXiv:2004.09503v1 [cs.LO] 20 Apr 2020
On Verifying Designs With Incomplete Specification
Eugene Goldberg
eu.goldberg@gmail.com
Abstract—Incompleteness of a specification Spec creates two
problems. First, an implementation Impl of Spec may have some
unwanted properties that Spec does not forbid. Second, Impl may
break some desired properties that are not in Spec. In either
case, Spec fails to expose bugs of Impl. In an earlier paper, we
addressed the first problem above by a technique called Partial
Quantifier Elimination (PQE). In contrast to complete QE, in
PQE, one takes out of the scope of quantifiers only a small piece
of the formula. We used PQE to generate properties of Impl i.e.
those consistent with Impl. Generation of an unwanted property
means that Impl is buggy. In this paper, we address the second
problem above by using PQE to generate false properties i.e
those that are inconsistent with Impl. Such properties are meant
to imitate the missing properties of Spec that are not satisfied
by Impl (if any). A false property is generated by modifying
a piece of a quantified formula describing ’the truth table’ of
Impl and taking this piece out of the scope of quantifiers. By
modifying different pieces of this formula one can generate a
“structurally complete” set of false properties. By generating tests
detecting false properties of Impl one produces a high quality test
set. We apply our approach to verification of combinational and
sequential circuits.
I. INTRODUCTION
One of the drawbacks of formal verification is that the
set of properties describing a design usually does not specify
the latter completely. Incompleteness of a specification Spec
creates two problems. First, an implementation Impl of Spec
may have some unwanted properties that Spec does not forbid.
Second, Impl may break some desired properties that are not
in Spec. In either case, Spec fails to expose bugs of Impl.
In testing, the incompleteness of verification is addressed by
using a set of tests that is complete structurally rather than
functionally. Structural completeness is achieved by probing
every piece of the design under test.
In [5], we used the idea of structural completeness to attack
the first problem above. The idea was to use a technique called
partial quantifier elimination (PQE) to generate properties
consistent with Impl. In contrast to complete quantifier elimination,
PQE takes out of the scope of quantifiers only a small
piece of the formula. A property Q(V) of Impl is produced by
applying PQE to formula ∃W [F (V,W )] defining “the truth
table” of Impl. Here F describes the functionality of Impl
and V,W are sets of external and internal variables of Impl
respectively. If Q is not implied by Spec, then the latter is
incomplete. If Q describes an unwanted property of Impl, the
latter is buggy. Otherwise, a new property is added to Spec
to make it imply Q. By taking different pieces of F out of
the scope of quantifiers, one can build a specification that is
structurally complete.
In this paper, we continue this line of research by addressing
the second problem above. Namely, we use PQE to generate
false properties i.e. those inconsistent with Impl. They are
meant to imitate the missing properties of Spec not satisfied
by Impl (if any). Tests breaking a false property may expose a
bug that was not discovered due to Spec’s lacking a property
not satisfied by Impl. A false property Q(V ) is generated in
two steps. First, a new formula F ∗ is obtained from F by
a slight modification. Then the modified part is taken out of
the scope of quantifiers in ∃W[F∗]. If F∗ and F are not
logically equivalent, this produces a property Q that is implied
by F∗ but not by F. By modifying different parts of F one
can generate a “structurally complete” set of false properties.
By generating tests breaking these properties one can build a
high quality test set.
Our contribution is as follows. First, we show that one can
use PQE to generate false properties of Impl for combinational
circuits. Second, we describe an algorithm that, given a
combinational circuit, forms a structurally complete set of false
properties of this circuit. Third, we extend our approach to
sequential circuits. Fourth, to show the high quality of tests
generated from false properties we relate the former to tests
detecting stuck-at faults.
The main body1 of this paper is structured as follows.
Basic definitions are given in Section II. In Section III,
we describe generation of false properties for combinational
circuits. A procedure for building a structurally-complete set
of false properties is given in Section IV. Section V extends
our approach to sequential circuits by showing how one can
generate false safety properties. We relate our approach to
fault/mutation detection in Section VI. Finally, we make some
conclusions in Section VII.
II. BASIC DEFINITIONS
In this paper, we consider only propositional formulas. We
assume that every formula is in conjunctive normal form
(CNF). A clause is a disjunction of literals (where a literal
of a Boolean variable w is either w itself or its negation ¬w).
So a CNF formula H is a conjunction of clauses: C1 ∧ · · · ∧ Ck.
We also consider H as the set of clauses {C1, . . . , Ck}.
Definition 1: Let V be a set of variables. An assignment ~q
to V is a mapping V → {0, 1}.
Definition 2: Let H be a formula. Vars(H) denotes the
set of variables of H.
Definition 3: Let H(V,W) be a formula where V,W are
sets of variables. The Quantifier Elimination (QE) problem
specified by ∃V[H] is to find formula H∗(W) such that
H∗ ≡ ∃V[H].
1Some additional information is given in the appendix.
Definition 4: Let H1(V,W), H2(V,W) be formulas
where V,W are sets of variables. The Partial QE (PQE)
problem of taking H1 out of the scope of quantifiers
in ∃V[H1 ∧ H2] is to find formula H∗1(W) such that
∃V[H1 ∧ H2] ≡ H∗1 ∧ ∃V[H2]. Formula H∗1 is called a
solution to PQE.
Remark 1: Note that if H∗1 is a solution to the PQE problem
above and a clause C ∈ H∗1 is implied by H2 alone, then
H∗1 \ {C} is a solution too. So if all clauses of H∗1 are implied
by H2, then an empty set of clauses is a solution too (in this
case, H∗1 ≡ 1).
Let N(X,Y, Z) be a combinational circuit where X,Y, Z
are sets of input, internal and output variables respectively.
Let N consist of gates g1, . . . , gm. A formula F (X,Y, Z)
specifying the functionality of N can be built as G1∧· · ·∧Gm
where Gi, 1 ≤ i ≤ m is a formula specifying gate gi. Formula
Gi is constructed as a conjunction of clauses falsified by
the incorrect combinations of values assigned to Gi. Then
every assignment satisfying Gi corresponds to a consistent
assignment of values to gi and vice versa.
Example 1: Let g be a 2-input AND gate specified by v3 =
v1 ∧ v2. Then formula G is constructed as C1 ∧ C2 ∧ C3
where C1 = v1 ∨ ¬v3, C2 = v2 ∨ ¬v3, C3 = ¬v1 ∨ ¬v2 ∨ v3.
Here, the clause C1, for instance, is falsified by the assignment
v1 = 0, v2 = 1, v3 = 1, which is inconsistent with the truth table of g.
III. GENERATION OF FALSE PROPERTIES
In this section, we describe generation of false properties
of a combinational circuit by PQE. Subsection III-A explains
our motivation for building false properties. Subsection III-B
presents construction of false properties by PQE. In Subsection
III-C, we describe generation of tests breaking these
properties and argue that these tests are of very high quality.
A. Motivation for building false properties
Let P = {P1(X,Z), . . . , Pk(X,Z)} be a specification of a
combinational circuit. Here Pi, i = 1, . . . , k are properties2 of
this circuit and X and Z are the sets of input and output
variables respectively. Let N(X,Y,Z) be an implementation
of the specification P where Y is the set of internal variables.
Let F (X,Y, Z) be a formula describing N (see Section II).
Assume that N satisfies all properties of P i.e. F ⇒ Pi,
i = 1, . . . , k.
The specification P is complete if it fully defines the
input/output behavior of N i.e. if P1 ∧ · · · ∧ Pk ⇒ ∃Y [F ].
Suppose that P is incomplete. As we mentioned in the
introduction, this may lead to overlooking buggy input/output
behaviors of N . In this paper, we address this problem by
generating false properties of N . The latter are meant to
imitate properties absent from P that N does not satisfy.
The idea here is that tests breaking these false properties may
expose the buggy behaviors mentioned above.
2The fact that Pi is a property means that an implementation satisfying Pi
cannot output ~z for an input ~x if Pi(~x, ~z) = 0.
B. Building false properties by PQE
Let F ∗(X,Y, Z) be a formula obtained from F by replacing
a set of clauses G with those of G∗. Let F ′ = F \ G.
(So, F = G ∧ F ′.) Then the formula F ∗ equals G∗ ∧F ′.
Let Ttbl(X,Z) and T∗tbl(X,Z) denote the “truth tables” of F
and F∗ respectively. That is Ttbl = ∃Y[F] and T∗tbl =
∃Y[F∗]. An informal requirement to G∗ is that it is unlikely to
be implied by F. (Otherwise, the technique we describe below
cannot produce a false property.) One more requirement3 to
G∗ is that for every assignment ~x there exists ~z such that
T∗tbl(~x,~z) = 1. (This is trivially true for Ttbl(X,Z) because
the latter is derived from F specifying a circuit.)
Let Q(X,Z) be a solution to the PQE problem of taking
G∗ out of the scope of quantifiers in ∃Y[G∗ ∧ F′]. That is
∃Y[G∗ ∧ F′] ≡ Q ∧ ∃Y[F′]. The proposition below shows
that Q is a false property of N iff the truth tables Ttbl and
T∗tbl are incompatible, i.e. Ttbl ⇏ T∗tbl. (If Ttbl ⇒ T∗tbl then
T∗tbl can be viewed just as a relaxation of Ttbl.)
Proposition 1: F ⇏ Q iff Ttbl ⇏ T∗tbl.
Proof: The “if” part. Let Ttbl ⇏ T∗tbl. Let (~x,~z) be an
assignment to X ∪ Z such that Ttbl(~x,~z) ⇏ T∗tbl(~x,~z). (That
is Ttbl(~x,~z) = 1 and T∗tbl(~x,~z) = 0.) Let ~p = (~x,~y,~z) be the
assignment describing the execution trace in N under the input
~x. Then ~p satisfies F and hence F′. Assume the contrary,
i.e. F ⇒ Q. Then Q(~x,~z) = 1. Since ~p satisfies F′, then
Q ∧ ∃Y[F′] = ∃Y[G∗ ∧ F′] = ∃Y[F∗] = T∗tbl = 1 under assignment
(~x,~z). So we have a contradiction.
The “only if” part. Let F ⇏ Q. Let ~p = (~x,~y,~z) be an
assignment to Vars(F) that satisfies F and falsifies Q (i.e.
~p breaks F ⇒ Q). Since F(~p) = 1, then Ttbl(~x,~z) = 1. Since
Q(~x,~z) = 0, then Q ∧ ∃Y[F′] = ∃Y[G∗ ∧ F′] = ∃Y[F∗] =
T∗tbl = 0 under assignment (~x,~z). So, Ttbl(~x,~z) ⇏ T∗tbl(~x,~z).
C. Test generation
Let Q(X,Z) be a property of N(X,Y, Z) obtained as
described in the previous subsection. We are interested in tests
that break Q. A single test of that kind can be extracted from
an assignment ~p = (~x,~y,~z) that satisfies F and falsifies Q, thus
breaking F ⇒ Q. Such an assignment ~p can be found by
running a SAT-solver on F ∧ ¬C where C is a clause of Q.
The ~x part of ~p is the required test.
Intuitively, tests breaking Q should be of high quality. The
reason is that they are supposed to break a property that is
“almost true”. Indeed, the proof of Proposition 1 shows that
an assignment (~x,~z) breaking Q exposes the difference in the
input/output behavior specified by F and F ∗. The latter is not
a trivial task assuming that F and F ∗ are almost identical.
To substantiate our intuition, in the appendix, we show that
stuck-at fault tests (that are tests of a very high quality) are a
special case of tests breaking false properties.
3If this requirement does not hold, F∗ may imply a non-empty set of
clauses Q(X). Since F ⇏ Q, the formula Q is a trivial false property that
just excludes some input assignments to X. (So any input falsifying Q is a
counterexample.) In reality, the requirement in question can be ignored if one
also ignores the spurious false properties Q(X).
IV. A COMPLETE SET OF FALSE PROPERTIES
In the previous section, we introduced false properties as a
means to deal with incompleteness of specification. In this sec-
tion, we describe a procedure called CmplSet that constructs
a set of false properties that is structurally complete. Here we
borrow an idea exploited in testing: if functional completeness
is infeasible, run tests probing every design piece to reach
structural completeness. Similarly, structural completeness of
a set of false properties is achieved by generating properties
relating to different parts of the design.
A. Input/output parameters of the CmplSet procedure
In this section, we continue the notation of the previous
section. The pseudocode of CmplSet is shown in Figure 1.
It accepts five parameters: Phrd, Pinf, N, F, Y. The parameter
Phrd is the set of properties of specification P = {P1, . . . , Pk}
that were too hard to prove/disprove. The parameter Pinf is
an informal specification that is assumed to be complete4. The
parameter N denotes a combinational circuit implementing
the specification P . The parameter F is a formula describing
the functionality of N . Finally, the parameter Y is the set of
internal variables of N .
CmplSet(Phrd, Pinf, N, F, Y) {
1  T := ∅
2  Pfls := ∅
3  Gates := ExtrGates(N)
4  while (Gates ≠ ∅) {
5    g := PickGate(Gates)
6    Gates := Gates \ {g}
7    (G, G∗) := Change(F, g)
8    F′ := F \ G
9    Q := PQE(G∗, F′, Y)
10   Tst := RunSat(F, Q)
11   if (Tst = nil) continue
12   Pfls := Pfls ∪ {Q}
13   if (BreaksProp(Phrd, Tst))
14     return(Tst, T, Pfls)
15   if (BreaksSpec(Pinf, Tst))
16     return(Tst, T, Pfls)
17   T := T ∪ {Tst} }
18 return(nil, T, Pfls) }
Fig. 1. The CmplSet procedure
CmplSet has three output parameters: Tst, T, Pfls. The
parameter Tst denotes a test exposing a bug of N (if any).
The parameter T consists of the tests generated by CmplSet that
did not expose any bug. (These tests may still be of value, e.g.
for regression testing.) The parameter Pfls denotes the set of
false properties generated by CmplSet.
B. The while loop of the CmplSet procedure
The main body of CmplSet consists of a while loop (lines
4-17). This loop is controlled by the set Gates consisting of
gates of N. Originally, Gates is set to the set of all gates of N
(line 3). CmplSet starts an iteration of the loop by extracting a
gate g of Gates (lines 5-6). Then CmplSet computes formula
G∗ that replaces the clauses of G (describing the gate g) in
formula F (line 7). After that, CmplSet calls a PQE solver to
find a formula Q(X,Z) such that ∃Y[G∗ ∧ F′] ≡ Q ∧ ∃Y[F′]
where F′ = F \ G. The formula Q above represents a property
of N that is supposed to be false5.
CmplSet checks if Q is indeed a false property by running
a SAT-solver that looks for an assignment breaking F ⇒ Q
(line 10). If this SAT-solver fails to find such an assignment, Q
is a true property. In this case, CmplSet starts a new iteration
(line 11). Otherwise, the SAT-solver returns a test Tst and
Q is added to Pfls as a new false property. Then CmplSet
checks if Tst breaks an unproved property of Phrd. If it does,
then CmplSet terminates (lines 13-14). After that, CmplSet
checks if Tst violates the informal specification Pinf. If so,
then CmplSet terminates (lines 15-16). Finally, CmplSet adds
Tst to T and starts a new iteration.
4One can view Pinf as a replacement for the truth table. The role of such
a replacement can be played, for instance, by the designer.
V. EXTENSION TO SEQUENTIAL CIRCUITS
In this section, we extend our approach to sequential
circuits. Subsection V-A provides some relevant definitions.
In Subsection V-B, we give a high-level view of building a
structurally complete set of false properties for a sequential
circuit (in terms of safety properties). Finally, Subsection V-C
describes generation of false safety properties.
A. Some relevant definitions
Let M(S,X, Y, S′) be a sequential circuit. Here X,Y
denote input and internal combinational variables respectively
and S, S′ denote the present and next state variables re-
spectively. Let F (S,X, Y, S′) be a formula describing the
circuit M . (F is built for M in the same manner as for
a combinational circuit N, see Section II.) Let I(S) be a
formula specifying the initial states of M. Let T(S,S′) denote
∃X∃Y[F], i.e. the transition relation of M.
A state ~s is an assignment to S. Any formula P(S) is called
a safety property for M. A state ~s is called a P-state if P(~s) =
1. A state ~s is called reachable in n transitions (or in the n-th time
frame) if there is a sequence of states ~s1, . . . , ~sn+1 such that ~s1
is an I-state, T(~si,~si+1) = 1 for i = 1, . . . , n and ~sn+1 = ~s.
We will denote the reachability diameter of M with initial
states I as Diam(M,I). That is, if n = Diam(M,I), every
state of M is reachable from I-states in at most n transitions.
We will denote as Rch(M,I,n) a formula specifying the set
of states of M reachable from I-states in n transitions. We will
denote as Rch(M,I) a formula specifying all states of M
reachable from I-states. A property P holds for M with initial
states I if no ¬P-state is reachable from an I-state. Otherwise,
there is a sequence of states called a counterexample that
reaches a ¬P-state.
5Note that any subset of clauses of Q is a property as well. So, to decrease
the complexity of PQE-solving, one can stop it when a threshold number of
clauses is generated. Moreover, from the viewpoint of test generation, one
can stop PQE as soon as a clause C(X,Z) not implied by F is generated.
B. High-level view
In this paper, we consider a specification of the sequential
circuit M above in terms of safety properties. So, when we
say a specification property P (S) of M we mean a safety
property. Let F1,n denote F1 ∧ · · · ∧ Fn where Fi, 1 ≤ i ≤ n
is the formula F in i-th time frame i.e. expressed in terms of
sets of variables Si, Xi, Yi, Si+1. Formula Rch(M, I, n) can
be computed by QE on formula ∃W1,n[I1 ∧ F1,n]. Here I1 =
I(S1) and W1,n = Vars(F1,n) \ Sn+1. If n ≥ Diam(M, I),
then Rch(M, I, n) is also Rch(M, I) specifying all states of
M reachable from I-states.
Let P = {P1, . . . , Pk} be a set of properties forming a
specification of a sequential circuit with initial states defined
by I . Let a sequential circuit M be an implementation of the
specification P. So every property Pi, i = 1, . . . , k holds for
M and I, i.e. Rch(M,I) ⇒ Pi, i = 1, . . . , k. Verifying the
completeness of P reduces to checking if P1 ∧ · · · ∧ Pk ⇒
Rch(M, I). Assume that proving this implication is hard or it
does not hold. If P is incomplete, M may be buggy for two
reasons mentioned in the introduction. In particular, M may
falsify a property absent from P . (This means that there is a
reachable state ~s of M that satisfies all properties of P and ~s
is supposed to be unreachable.)
One can deal with the problem above like it was done
in the case of combinational circuits. Namely, one can use
PQE to build false properties that are supposed to imitate
properties that the specification P has missed. By building
counterexamples one generates “interesting” reachable states.
If one of these reachable states is supposed to be unreachable,
M has a bug.
C. Generation of false properties
False properties of a sequential circuit M(S,X, Y, S′) can
be generated as follows. Recall that formula ∃W1,n[I1 ∧ F1,n]
specifies Rch(M, I, n) (see the previous subsection). Here
I1 = I(S1) and W1,n = Vars(F1,n) \ Sn+1. Let G be a (small)
subset of clauses of F1,n. Let G∗ be a set of clauses meant
to replace G. We assume that G∗ satisfies two requirements
similar to those mentioned in Subsection III-B. (In particular,
we impose an informal requirement that G∗ is unlikely to be
implied by I1 ∧ F1,n.)
Let Q(Sn+1) be a solution to the problem of taking G∗ out
of the scope of quantifiers in ∃W1,n[I1 ∧ G∗ ∧ F′1,n] where
F′1,n = F1,n \ G. That is ∃W1,n[I1 ∧ G∗ ∧ F′1,n] ≡ Q ∧
∃W1,n[I1 ∧ F′1,n]. By definition, Q is a property of M (as a
predicate depending only on variables of S). To show that Q
is a false property one needs to find an assignment breaking
I1 ∧ F1,n ⇒ Q. If such an assignment exists, there is
a counterexample proving that a ¬Q-state is reachable in n
transitions. In this case, Q is indeed a false property.
Using the idea above and a procedure similar to that of
Section IV, one can build a structurally complete set of false
safety properties.
VI. OUR APPROACH AND FAULT/MUTATION DETECTION
Generation of tests breaking false properties is similar to
fault/mutation detection. In manufacturing testing, one gener-
ates tests detecting faults of a predefined set [1], [4]. Often,
these faults (e.g. stuck-at faults) do not simulate real defects
but rather model logical errors. In software verification, one of
the old techniques that is gaining popularity is mutation testing [3],
[2]. The idea here is to introduce code mutations (e.g. simulating
common programmer mistakes) to check the quality of
an existing test suite or to generate new tests.
Our approach has three potential advantages. First, PQE
solving introduces a new way to generate tests detecting
faults/mutations. (In the appendix, we give an example of
using PQE for stuck-at fault testing.) The appeal of PQE here
is that it can take into account subtle structural properties
like unobservability. So PQE-solvers can potentially have
better scalability than tools based purely on identifying logical
inconsistencies (also known as conflicts).
The second advantage of our approach is that it transforms a
fault/mutation into a property i.e. into a semantic notion. This
has numerous benefits. One of them is that a false property
specifies a large number of tests (rather than a single test).
Suppose, for instance, that we need to find a single test
detecting faults φ1 and φ2 of a circuit. An obvious problem
here is that a test detecting one fault may not detect the other.
In our approach, φ1 and φ2 are cast as false properties Q1
and Q2. To break Q1 or Q2 one needs to come up with a test
satisfying ¬Q1 or ¬Q2. To break both properties one just needs
to find a test satisfying ¬Q1 ∧ ¬Q2 (if any).
Third, our approach can be applied to abstract formulas that
may not even describe circuits or programs. So, in a sense, the
machinery of false properties can be viewed as a generalization
of fault/mutation detection.
VII. CONCLUSIONS
Having an incomplete specification may lead to a buggy implementation.
One of the problems here is that this implementation
may not satisfy a property omitted in the specification.
We address this problem by generating false properties i.e.
those that are not consistent with the implementation. The idea
here is that a test breaking a false property may also expose a
bug in the implementation. False properties are generated by
a technique called partial quantifier elimination (PQE).
Our three conclusions are as follows. First, the machinery
of false properties can be applied to verification of combina-
tional and sequential circuits. The efficiency of this machinery
depends on that of PQE solving. So developing powerful
PQE algorithms is of great importance. Second, the machinery
of false properties can be viewed as a generalization of
fault/mutation detection. On one hand, this implies that tests
breaking false properties are of high quality. On the other
hand, this means that the machinery of false properties can be
applied to abstract formulas. Third, by generating properties
whose falsehood is caused by different parts of the design,
one generates a “structurally complete” set of false properties.
Using tests that break all properties of this set can significantly
increase the quality of testing.
REFERENCES
[1] M. Abramovici, M. Breuer, and A. Friedman. Digital Systems Testing
and Testable Design. John Wiley & Sons, 1994.
[2] P. Ammann and J. Offutt. Introduction to Software Testing. Cambridge
University Press, USA, 2008.
[3] A. Budd. Mutation Analysis of Program Test Data. PhD thesis, USA,
1980.
[4] R. Drechsler, T. Junttila, and I. Niemelä. Non-Clausal SAT and ATPG.
In Handbook of Satisfiability, volume 185, chapter 21, pages 655–694.
IOS Press, 2009.
[5] E. Goldberg. Generation of a complete set of properties. Technical
Report arXiv:2004.05853 [cs.LO], 2020.
[6] E. Goldberg. Partial quantifier elimination by certificate clauses. Tech-
nical Report arXiv:2003.09667 [cs.LO], 2020.
[7] E. Goldberg and P. Manolios. Quantifier elimination via clause redun-
dancy. In FMCAD-13, pages 85–92, 2013.
[8] T. Larrabee. Test pattern generation using boolean satisfiability. IEEE
Transactions on Computer-Aided Design, 11:4–15, 1992.
[9] J. Marques-Silva and K. Sakallah. GRASP – a new search algorithm for
satisfiability. In ICCAD-96, pages 220–227, 1996.
[10] M. Moskewicz, C. Madigan, Y. Zhao, L. Zhang, and S. Malik. Chaff:
engineering an efficient SAT solver. In DAC-01, pages 530–535, New
York, NY, USA, 2001.
[11] J. Roth. Diagnosis of automata failures: A calculus and a method. IBM
Journal of Research and Development, 10(4):278–291, 1966.
APPENDIX
STUCK-AT FAULT TESTS AND FALSE PROPERTIES
In this appendix, we relate stuck-at faults tests and those
breaking false properties built by PQE. This relation suggests
that tests breaking false properties are of high quality. Subsec-
tion A briefly recalls stuck-at fault testing. In Subsection B,
we consider a special case of Proposition 1 where a false
property is generated by modifying the original circuit to
another circuit. Subsection C describes how stuck-at faults
are modeled in our approach. Finally, in Subsection D, we
discuss generation of stuck-at fault tests by PQE.
A. Recalling stuck-at fault testing
A stuck-at fault is an abstract model of a fault in a
combinational circuit where a line is stuck either at value 0
(stuck-at-0 fault) or 1 (stuck-at-1 fault). In current technology,
a stuck-at fault does not simulate an actual defect but rather
serves as a logical fault model. Tests detecting stuck-at faults
are typically used in manufacturing testing. However, they can
also be employed in design verification. The appeal of the
stuck-at model is in the high-quality of tests detecting stuck-
at faults. It can be attributed to probing corner input/output
behaviors by these tests.
B. A special case of false properties built by PQE
In this section, we continue the notation of Section III. Let
N(X,Y, Z) be a combinational circuit and F (X,Y, Z) be a
formula specifying N. Let G be a subset of clauses of F. Then
formula F can be represented as G ∧ F′ where F′ = F \ G.
Let F∗ be a formula obtained from F by replacing G with a
set of clauses G∗, i.e. F∗ = G∗ ∧ F′.
In Subsection III-B, we considered generation of property
Q(X,Z) by taking G∗ out of the scope of quantifiers in
∃Y[G∗ ∧ F′]. There, we imposed the requirement that for
every assignment ~x there was ~z such that T∗tbl(~x,~z) = 1 where
T∗tbl = ∃Y[F∗]. In this section, we strengthen this requirement
by claiming that for every ~x there exists exactly one ~z such
that T∗tbl(~x,~z) = 1. Then one can formulate a stronger version
of Proposition 1 (recall that Ttbl denotes ∃Y[F]).
Proposition 2: F ⇏ Q iff Ttbl ≢ T∗tbl.
Proof: Since we consider a special case, Proposition 1 holds
and so F ⇏ Q iff Ttbl ⇏ T∗tbl. Let us show that under the new
requirement to T∗tbl above, Ttbl ⇒ T∗tbl entails Ttbl ≡ T∗tbl.
(Since Ttbl ≡ T∗tbl trivially implies Ttbl ⇒ T∗tbl, this means
that Ttbl ≢ T∗tbl entails Ttbl ⇏ T∗tbl.) Assume the contrary,
i.e. Ttbl ≢ T∗tbl. The only possibility here is that there exists
an assignment (~x,~z) to X ∪ Z such that Ttbl(~x,~z) = 0 and
T∗tbl(~x,~z) = 1. Let ~z′ be the output produced by circuit N for
the input ~x. Then Ttbl(~x,~z′) = 1. Since Ttbl ⇒ T∗tbl then
T∗tbl(~x,~z′) = 1 too. But this violates the strengthened requirement
on T∗tbl because T∗tbl(~x,~z) and T∗tbl(~x,~z′) are equal to 1 for
the same ~x.
Remark 2: The strengthened requirement imposed on T∗tbl
holds if, for instance, F∗ specifies a circuit N∗ obtained by a
modification of N. Proposition 2 implies that a test breaking
the property Q also makes N and N∗ produce different outputs
and vice versa. So, if N∗ describes a faulty version of N, a
test breaking Q detects this fault and vice versa.
C. An example of modeling a stuck-at fault
Let g be a gate of circuit N given in Example 1. That
is g is a 2-input AND gate specified by v3 = v1 ∧ v2. The
functionality of g is described by C1 ∧ C2 ∧ C3 where C1 =
v1 ∨ ¬v3, C2 = v2 ∨ ¬v3, C3 = ¬v1 ∨ ¬v2 ∨ v3. Here C1, C2, C3
are clauses of the formula F specifying N.
Let N∗ denote the circuit obtained from N by introducing
the stuck-at-0 fault at the output of g. A formula F∗ specifying
N∗ is obtained from F by replacing C3 with the clause C∗3 =
¬v1 ∨ ¬v2 ∨ ¬v3. (It is not hard to check that by resolving clauses
C1, C2 and C∗3 on v1 and v2 one obtains the clause ¬v3.) So
F∗ = C∗3 ∧ F′ where F′ = F \ {C3}. By taking C∗3 out of the
scope of quantifiers in F∗ = C∗3 ∧ F′ one obtains a property
Q(X,Z). That is ∃Y[C∗3 ∧ F′] ≡ Q ∧ ∃Y[F′]. Assume that
Q is a false property, i.e. there exists an assignment ~p = (~x,~y,~z)
breaking F ⇒ Q. Then ~x makes N and N∗ produce different
outputs, i.e. ~x is a test detecting the stuck-at fault at hand.
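The following Python code is an added worked example, not part of the paper: it carries out the construction of Subsections III-B and III-C and of this subsection on a small constructed circuit in which the AND gate g of Example 1 feeds an OR gate. The variable numbering, the second gate and the brute-force truth-table enumeration that stands in for a PQE solver are assumptions of the example (the enumeration is only feasible for such tiny formulas).

```python
from itertools import product

# Variable numbering, constructed for this example: x1, x2, x3 are inputs,
# y is the output of the AND gate g of Example 1, z is the circuit output.
X, Y, Z = (1, 2, 3), (4,), (5,)
ALL = X + Y + Z

# A clause is a tuple of DIMACS-style literals: v stands for v = 1, -v for v = 0.
G = [(1, -4), (2, -4), (-1, -2, 4)]        # y = x1 AND x2: clauses C1, C2, C3 of Example 1
F_PRIME = [(-4, 5), (-3, 5), (4, 3, -5)]   # z = y OR x3: the rest of N (constructed)
F = G + F_PRIME                            # F = G AND F'
# Stuck-at-0 fault on y (Appendix C): C3 is replaced by C3* = ~x1 v ~x2 v ~y.
# Resolving C1, C2, C3* on x1 and x2 yields the unit clause ~y.
G_STAR = [(1, -4), (2, -4), (-1, -2, -4)]
F_STAR = G_STAR + F_PRIME                  # F* = G* AND F'


def satisfies(cnf, assignment):
    """True iff the full assignment (dict var -> 0/1) is a model of cnf."""
    return all(any(assignment[abs(lit)] == (lit > 0) for lit in clause)
               for clause in cnf)


def eliminate(cnf, free_vars):
    """Brute-force quantifier elimination: the 'truth table' of cnf over
    free_vars, i.e. the set of bit tuples that extend to a model of cnf
    (this stands in for a real QE/PQE solver and only works for tiny F)."""
    rows = set()
    for bits in product((0, 1), repeat=len(ALL)):
        a = dict(zip(ALL, bits))
        if satisfies(cnf, a):
            rows.add(tuple(a[v] for v in free_vars))
    return frozenset(rows)


def pqe_take_out(g_star, f_prime, free_vars):
    """Solution Q of the PQE problem of taking g_star out of the scope of
    quantifiers in EXISTS Y [g_star AND f_prime], represented by the set of
    (x, z) rows on which Q is true.  Q must satisfy
        EXISTS Y [g_star AND f_prime]  ==  Q AND EXISTS Y [f_prime]."""
    t_star = eliminate(g_star + f_prime, free_vars)   # T*_tbl
    rest = eliminate(f_prime, free_vars)              # EXISTS Y [F']
    all_rows = frozenset(product((0, 1), repeat=len(free_vars)))
    # Q is false exactly where F' alone allows a row that F* forbids.
    q = all_rows - (rest - t_star)
    assert q & rest == t_star          # the defining identity of a PQE solution
    return q


def find_breaking_test(f, q_rows, free_vars):
    """SAT-style search (Subsection III-C) for p = (x, y, z) satisfying F and
    falsifying Q, i.e. breaking F => Q.  Returns the x part or None if F => Q."""
    for bits in product((0, 1), repeat=len(ALL)):
        a = dict(zip(ALL, bits))
        if satisfies(f, a) and tuple(a[v] for v in free_vars) not in q_rows:
            return tuple(a[v] for v in X)
    return None


def outputs(cnf, x):
    """Set of output vectors the circuit described by cnf produces on input x."""
    return {row[len(X):] for row in eliminate(cnf, X + Z) if row[:len(X)] == x}


def demo():
    """Build the false property Q, then check Proposition 1 and Remark 2 on it."""
    xz = X + Z
    q = pqe_take_out(G_STAR, F_PRIME, xz)
    test = find_breaking_test(F, q, xz)
    t_tbl, t_star = eliminate(F, xz), eliminate(F_STAR, xz)
    result = {
        "test": test,                              # (1, 1, 0): the fault-detecting input
        "F_implies_Q": test is None,               # False: Q is a false property
        "Ttbl_implies_Tstar": t_tbl <= t_star,     # False, as Proposition 1 predicts
    }
    if test is not None:
        # Remark 2: the test makes N and the faulty N* produce different outputs.
        result["N_output"] = outputs(F, test)
        result["N_star_output"] = outputs(F_STAR, test)
    return result


if __name__ == "__main__":
    print(demo())
```

Here Q comes out as the single clause x3 ∨ ¬z over (X,Z), and the only way to break it is the input (1,1,0), on which N outputs 1 while the stuck-at-0 circuit N∗ outputs 0.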
D. Finding stuck-at fault tests by PQE
If one needs to find a single test detecting a stuck-at fault,
there is no need to generate the entire false property Q above.
For instance, in the previous subsection, one can stop taking
C∗3 out of the scope of quantifiers as soon as a clause B(X,Z)
not implied by F is generated. Then a test can be extracted
from an assignment satisfying F ∧ ¬B (i.e. breaking F ⇒ B).
So, PQE can be used for generation of fault-detecting tests.
Modern tools for generation of fault detecting tests are a
combination of dedicated ATPG methods pioneered by the D-
algorithm [11] and SAT-based algorithms [9], [10]. To make
a generic SAT-solver work in the ATPG setting, some extra
work is done. For instance, extra variables and clauses are
added to simulate signal propagation [8]. The appeal of ATPG
by PQE-solving is that the latter takes the best of both worlds.
On one hand, like a SAT-solver with conflict clause learning,
a PQE-algorithm employs powerful methods of learning [6].
(In reality, the learning of a PQE-solver is more powerful
since in addition to deriving conflict clauses, a PQE-solver also
learns non-conflict clauses.) On the other hand, the machinery
of clause redundancy [7] can take into account some subtle
structural properties of the circuit at hand (e.g. observability).
In particular, the redundancy-based reasoning of a PQE-solver
makes simulating signal propagation quite effortless and does
not require adding new variables and clauses.
