Abstract: SAT-based Bounded Model Checking (BMC) 
Introduction
To cope with increasing design complexity and the demand to reduce design cycle time, the focus has shifted towards supporting high-level design abstraction, synthesis and verification methodologies. At the Boolean level of design representation, SAT-based Bounded Model Checking (BMC) [1, 2, 3, 4] has been gaining wide acceptance as a scalable verification solution compared to BDD-based symbolic model checking [9], due to several advancements: improved DPLL-style SAT solvers [5], on-the-fly circuit simplification [6, 7], and SAT-based incremental learning [3, 7, 8]. With the advent of sophisticated SMT solvers [10, 11, 12, 13, 14, 15] built over DPLL-style SAT solvers, SMT-based BMC [16, 17] is also gaining popularity. Unfortunately, we do not see a similar level of maturity and advancement in verification efforts at higher levels of abstraction. This is mainly due to the higher theoretical complexity, and to a wide engineering gap between theoretical and practical solutions, at the higher levels. To reduce this gap, we propose a framework to efficiently perform high-level BMC using SMT (Satisfiability Modulo Theory) solvers that overcomes the inherent limitations of SAT-based Boolean-level BMC, while allowing integration of the state-of-the-art techniques adopted for Boolean-level BMC. In this framework, we apply three novel techniques to accelerate high-level BMC (as shown in Figure 1):
• efficient extraction of high-level information,
• its use to obtain a "BMC friendly" verification model through model transformations, and
• its on-the-fly application during BMC to simplify BMC problem instances.
Bounded Model Checking
BMC is a model checking technique where falsification of a given LTL property is checked for a given sequential depth, or bound [1, 2]. Typically, it involves three steps:
• The design with the property f is unrolled for k (bounded) time frames.
• The BMC problem is translated into a propositional formula ϕ such that ϕ is satisfiable iff the property f has a counter-example of depth (less than or) equal to k.
• A SAT solver is used for the satisfiability check.
Boolean-level BMC and its Limitations
In Boolean-level BMC, the translated formula is expressed in propositional logic and a Boolean SAT solver is used to check its satisfiability. Several state-of-the-art techniques [18] exist for Boolean BMC that have led to its emergence as a mature technology, widely adopted by industry. However, a propositional translation and the use of a Boolean SAT solver have several limitations, including the following:
• A propositional translation in the presence of large datapaths leads to a large formula, which is normally detrimental to a SAT solver due to the increased search space.
• Datapath sizes need to be known explicitly a priori, before unrolling the transition relation. For unbounded datapaths, an additional range analysis of the program/design is required to obtain conservative but finite datapath sizes.
• High-level information is lost during Boolean translation and therefore needs to be re-discovered by the Boolean SAT solver, often at a substantial performance penalty.
High-level BMC
High-level BMC overcomes the above limitations of Boolean-level SAT-based BMC: the BMC problem is translated into a quantifier-free formula in a decidable subset of first-order logic instead of a propositional formula, and that formula is then solved by a high-level solver, such as an SMT solver. In [12], an expressive logic called CLU (counter arithmetic logic with lambda-expressions and uninterpreted functions) is used to model systems. Its decision procedure is a hybrid that uses either small-model instantiation with conservative ranges or a predicate-based encoding; it generates an equi-satisfiable Boolean formula, which is then checked using a Boolean SAT solver. In [16, 17], the expressive logic used is linear arithmetic (addition and multiplication by constants), arrays, records, lists and bit-vectors, and SMT solvers are used to check satisfiability. Note that these previous approaches [12, 16, 17] overcome part of the limitations of Boolean-level SAT-based BMC discussed above, but lose some or all of the features that state-of-the-art Boolean-level BMC approaches provide.
Outline In Section 2 we give an overview of our contributions; in Section 3 we give relevant background on EFSMs and flow graphs; in Section 4 we discuss our approach in detail; in Sections 5 and 6 we discuss our experiments; and in Section 7 we conclude with summarizing remarks.
Our Contributions
We propose several methods to efficiently perform high-level BMC using an SMT solver that not only overcome the inherent limitations of SAT-based BMC but also allow integration of the state-of-the-art innovations [18] adopted for the latter. Our high-level problem description uses a decidable quantifier-free fragment of first-order logic, including Presburger arithmetic, uninterpreted functions/predicates, and arrays. Specifically, in our high-level BMC framework:
1. We use expression simplification to reduce the size of the unrolled formula not only within a time-frame, but also across time-frames.
2. We efficiently extract high-level information such as the control-flow of the program/design.
3. We use the high-level information to simplify and reduce the unrolled formula size.
4. We provide the relevant high-level information on-the-fly at each unrolling to the high-level solver, thereby not unduly overburdening the solver.
5. We use incremental learning, i.e., reuse of previously learnt lemmas from overlapping BMC instances, to improve SMT solver performance.
6. We transform the model (preserving LTL\X properties) using COI reduction, Collapsing, and Balancing of Paths and Loops, so as to improve the scope of learning and simplification based on high-level information.
Preliminaries

Extended Finite State Machine (EFSM) Model
Flow Graphs
A flow graph G(V,E,
Our Approach: High-level BMC
We present the flow of our approach for high-level BMC as shown in Figure 1 . Given an EFSM Model M (discussed in 3.1) and a property P, we perform a series of novel property preserving transformations (Sections 4.3 and 4.6). After that we perform control state reachability on the transformed model (Section 4.4). Using the reachability information, we generate novel simplification constraints on-the-fly at each unroll depth k (Section 4.5). These simplification constraints are used by the expression simplifier (Section 4.1) during unrolling to reduce the formula. These constraints are also used to improve the search on the translated problem. We also propose an incremental learning technique (Section 4.2) i.e., re-use of theory lemmas in high-level BMC framework. We present various innovations in the order of ease of explanation. 
Expression Simplifier
High-level expressions in our framework include Boolean expressions (bool-expr) and term expressions (term-expr). Boolean expressions are used to express the Boolean values true and false, Boolean variables (bool-var), propositional connectives (∨, ∧, ¬), relational operators (<, >, ≥, ≤, ==) between term expressions, and uninterpreted predicates (UP). Term expressions are used to express integer values (integer-const) and real values (real-const), integer variables (integer-var) and real variables (real-var), linear arithmetic with addition (+) and multiplication (*) by an integer-const or real-const, uninterpreted functions (UF), if-then-else (ITE), and reads and writes to model memories. To model the behaviour of a sequential system, we also have a next operator to express the next-state behavior of the state variables.
Our high-level design description is represented in a semi-canonical form using an expression simplifier. The simplifier rewrites expressions using local and recursive transformations in order to remove structurally and multi-level functionally redundant expressions, similar to the simplifications proposed for Boolean logic [6, 20] and for first-order logic [21]. Our expression simplifier has a "compose" operator [7] that can be applied to unroll a high-level transition relation with on-the-fly expression simplification, thereby achieving simplification not only within each time frame but also across time frames during unrolling of the transition relation in BMC.
Incremental Learning in High-level BMC
Learning from overlapping instances of propositional formulas has been proposed previously [3, 7, 8] and found to be useful in Boolean SAT-based BMC [3, 4, 22]. We use incremental learning of theory lemmas across time-frames, and have found this technique to be equally beneficial in the context of high-level BMC.
Property-based EFSM Reduction
We perform slicing on the EFSM [23] with respect to the variables of interest defined by the property, and obtain contributing and non-contributing states and transitions. Slicing away behaviors (and the elements) unrelated to the specific properties can significantly reduce the model size and thereby reduce the verification effort. We describe two such techniques in the following: cone-of-influence (COI) reduction and collapsing.
COI reduction
• We remove all non-contributing states and their outgoing transitions.
• Any non-contributing transition s →f(x,i) t, where s is a contributing state, is replaced by a transition s →f(x,i) SINK.
• If we are concerned with the reachability of a state s ∈ S from a start state s_0, we remove the outgoing transitions from s, since they are non-contributing for the shortest counter-example or proof. For example, the self-loop transition S1 → S1 (not shown in Figure 2(a)) is non-contributing and hence is replaced by S1 → SINK, as shown in Figure 2(a).
Collapsing
We say that a collapsing condition holds at a state s when all states in to(s) are NOP states and none of them appears directly in a reachability check. Under this condition, we collapse all of these NOP states and merge them into s. In other words, for every t ∈ to(s) (t being NOP), we remove the transitions s →f(x,i) t and t →TRUE q and add a new transition s →f(x,i) q.
Extraction: Control State Reachability (CSR)
We now discuss extraction of high-level control-flow information of the design/program which is subsequently used to simplify the unrolled formula (discussed in the next section).
Starting from the initial state S0, we compute control state reachability (CSR) using a breadth first search (BFS 
On-the-Fly Simplification and Learning
For n control states S1…Sn, we introduce n Boolean variables B_S1…B_Sn. At any unrolling depth d of high-level BMC, we apply the following on-the-fly structural and clausal (learning-based) simplifications to the corresponding formula. Note that these simplifications are effective for small |R(d)|. We use a procedure Simplify(BoolExpr e, Boolean v) which constrains a Boolean expression e to a Boolean value v, and also reduces the expressions that use e. Later, we illustrate this with an example.
Unreachable Block Constraint (UBC)
Since the state r ∉ R(d) is not reachable at depth d, the predicate B_r evaluates to FALSE at depth d. Therefore, simplifying the formula by propagating B_r = 0 at depth d preserves the behavior of the design.
Reachable Block Constraint (RBC)
Simplify( 
Mutual Exclusion Constraint (MEC)
∀ r,t∈R(d),
Backward Reachable Block Constraint (BRBC)
At any depth d > 0, if the current state is r, i.e. B_r^d = TRUE, then the previous state at depth d-1 must be among the from(r) set.
Block-Specific Invariant (BSI)
At any depth d, a given invariant C_r for a given state r is valid only if r is the current state at depth d.
Note, previous approaches [24] add some of these constraints in the transition relation so as to include them in the formula at every unrolling. In contrast, our approach adds only the relevant constraints at each unrolling, thereby reducing the overall formula size. Thus, ideally we would like a smaller set R(d) to increase the effectiveness of our simplification. Later, we discuss how we transform EFSM model to reduce the set R(d).
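The CSR computation of the previous section and the five constraint families above, as an added, runnable Python example; this is not code from the paper or from F-soft. The flow graph, the variable naming B_<state>@<depth>, the invariant x <= 10 and the is_full expression are constructed for illustration. The RBC is written here as the disjunction of B_r over r ∈ R(d), which is an assumption about the truncated definition above. The point to watch is how a small R(d) (a single state at depth 3 in this graph) empties the MEC set and lets UBC collapse an ITE in an unrolled datapath expression, whereas the periodic, non-saturating R(d) of this graph keeps every depth's constraint set small:

```python
"""Control state reachability (CSR) and the on-the-fly constraints
UBC / RBC / MEC / BRBC / BSI at one unrolling depth.
Added example; the flow graph, variable names and invariant are
constructed for illustration, not the EFSM of Example 1 / Figure 2.
"""
from collections import defaultdict
from itertools import combinations

# Constructed flow graph: control state -> successor control states.
# S0 is the initial state; S3 -> S1 closes a loop; S5 is a sink.
FLOW = {
    "S0": ["S1"],
    "S1": ["S2", "S4"],
    "S2": ["S3"],
    "S4": ["S3"],
    "S3": ["S1", "S5"],
    "S5": [],
}

def predecessors(flow):
    """from(r): the control states with a transition into r."""
    pred = defaultdict(set)
    for s, succs in flow.items():
        for t in succs:
            pred[t].add(s)
    return pred

def csr(flow, init, max_depth):
    """BFS control state reachability: R[d] is the set of control states
    the design can be in at exactly depth d (a frontier, not a union)."""
    R = [frozenset([init])]
    for _ in range(max_depth):
        R.append(frozenset(t for s in R[-1] for t in flow.get(s, ())))
    return R

def saturation_depth(R):
    """First depth d at which R(d) holds every reachable control state,
    or None if CSR does not saturate within the computed horizon."""
    reachable = frozenset().union(*R)
    for d, rd in enumerate(R):
        if rd == reachable:
            return d
    return None

def B(state, depth):
    """Name of the Boolean variable B_state at unrolling depth `depth`."""
    return f"B_{state}@{depth}"

def constraints_at_depth(flow, R, d, invariants=None):
    """Constraints valid for the unrolled formula at depth d. Their number
    is driven by |R(d)| and |R(d-1)|, not by the total number of states."""
    pred = predecessors(flow)
    reach = sorted(R[d])
    out = {"UBC": [], "RBC": "", "MEC": [], "BRBC": [], "BSI": []}
    # UBC: r is not reachable at depth d, so B_r^d = FALSE can be propagated.
    for r in sorted(set(flow) - R[d]):
        out["UBC"].append(f"{B(r, d)} = FALSE")
    # RBC: the current state at depth d is one of R(d) (assumed reading).
    out["RBC"] = " OR ".join(B(r, d) for r in reach) + " = TRUE"
    # MEC: no two reachable states are current at the same depth.
    for r, t in combinations(reach, 2):
        out["MEC"].append(f"NOT({B(r, d)} AND {B(t, d)})")
    # BRBC: if r is current at d > 0, the state at d-1 was in from(r).
    if d > 0:
        for r in reach:
            prev = " OR ".join(B(p, d - 1) for p in sorted(pred[r] & R[d - 1]))
            out["BRBC"].append(f"{B(r, d)} -> ({prev})")
    # BSI: a block-specific invariant C_r applies only while r is current.
    for r, c in sorted((invariants or {}).items()):
        if r in R[d]:
            out["BSI"].append(f"{B(r, d)} -> ({c})")
    return out

def simplify_ite(expr, assignment):
    """Structural Simplify(e, v): expr is a state name (its Boolean B),
    a plain value, or ("ite", cond, then, else). A known cond value
    (e.g. B_r = False from UBC) removes the dead branch recursively."""
    if isinstance(expr, tuple) and expr[0] == "ite":
        cond, a, b = expr[1:]
        if cond in assignment:
            return simplify_ite(a if assignment[cond] else b, assignment)
        return ("ite", cond, simplify_ite(a, assignment), simplify_ite(b, assignment))
    return expr

if __name__ == "__main__":
    R = csr(FLOW, "S0", 8)
    print([sorted(rd) for rd in R])   # R(2) = R(5) = R(8): period 3, no saturation
    print("saturates at:", saturation_depth(R))
    cons = constraints_at_depth(FLOW, R, 3, invariants={"S3": "x <= 10"})
    for kind, c in cons.items():
        print(kind, c)
    # Constructed unrolled assignment at depth 3:
    #   is_full := ITE(B_S3, 1, ITE(B_S2, 0, is_full_prev))
    # UBC gives B_S2@3 = FALSE (S2 is not in R(3)), so the inner ITE collapses.
    expr = ("ite", "S3", 1, ("ite", "S2", 0, "is_full_prev"))
    print(simplify_ite(expr, {"S2": False}))
```

At depth 3 the only reachable state is S3, so UBC fixes five Booleans to FALSE, MEC is empty, and BRBC reduces to B_S3@3 -> (B_S2@2 OR B_S4@2). Had the graph saturated (every state in R(d)), UBC would contribute nothing and MEC would grow quadratically in the number of control states, which is the situation the balancing transformations of Section 4.6 are designed to avoid.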
Example 1(Contd):
We illustrate the simplification constraints at depth d = 4. In particular, we consider the effect of simplification on the unrolled expression for the variable is_full.

Control state reachability per depth d, before transformation (left) and after balancing (right); |R(d)| counts all states, and the last column counts only non-NOP states:

d  | R(d), before            | |R(d)| || d | R(d), after balancing   | |R(d)| | non-NOP
2  | …, S7                   | 2      || 2 | S2, S7                  | 2      | 2
3  | S3, S4, S8, S9          | 4      || 3 | S3, S2a, S8, S7a        | 4      | 2
4  | S4, S5, S6, S9, S10, S11| 6      || 4 | S4, S9                  | 2      | 2
5  | S5, S6, S10, S11, S1    | 5      || 5 | S5, S6, S10, S11        | 4      | 4
…  | …                       | …      || 6 | S1                      | 1      | 1
15 | saturates with 11 states|        || i | repeats, R(i) = R(i mod 5) |     |
Algorithm: Given a reducible flow graph G, we present an O(|E|) algorithm in Sections 4.6.2 and 4.6.3 that identifies the edges, corresponding to transitions in T_E, on which inserting a certain number of NOP states balances the re-convergent paths, including those arising due to loops.
Balancing Re-convergence without Loops
Consider the DAG G(V,E_f,r) corresponding to the reducible flow graph G(V,E,r) with entry node r and front-edge set E_f. Let w(e) denote the weight of an edge e = (a,b) ∈ E_f. As we see later, the weight of the edge (a,b) corresponds to one more than the number of NOP states that need to be inserted between nodes a and b. We define the weight of a path p = <s_1
• w(u,v) = t - W(u), where t = (max_{u∈from(v)} W(u)) + 1.
• Set W(v) = t, since any path p(r,v) through u then has weight W(u) + w(u,v) = W(u) + t - W(u) = t.
We start with an initial set of nodes S, the sink nodes of G(V,E_f,r). Then we recursively apply the above steps in the procedure BalancePath, as shown in Figure 3. Termination is guaranteed as the recursive sub-procedure BalanceAux is invoked only once per node. The correctness of the algorithm is also shown easily by an inductive argument.

However, in the presence of multiple loops, we also have to account for the paths from other loops to a loop L_i. In particular, if there is a path from the entry node r_j of some loop L_j to r_i, then the entry r_i also re-appears after N_j. We define loop clusters LC as sets of disjoint entry nodes such that for any two clusters LC_x and LC_y, ∀s ∈ LC_x, ∀t ∈ LC_y, P(s,t) = P(t,s) = ∅. Note that a loop in one cluster does not affect a loop in another cluster as far as reachability is concerned. In the following problem statement, we discuss how to prevent loop saturation using suitable transformations. We consider one loop cluster at a time. We define the maximum loop period over all loops in the cluster (i.e. those whose entry nodes are in the cluster) as N = (max_i C_i) + 1. We assign a weight to each back-edge (b_i,r_i) as follows:
For each loop L_i in the cluster, the entry node r_i ∈ R(W(r_i) + nN) for n ∈ ℤ. Thus, the upper bound on |…| is …, where … is the control reachability set (including NOP states) on loop L_i at depth t. Similarly, the upper bound on |R…| is …, where … is the control reachability set (of only non-NOP states) on loop L_i at depth t.
Example 2: We illustrate our algorithm for balancing a flow graph using the example shown in Figure 4(a). The DAG G(V,E_f,v_1) obtained after removing the back-edges {(v_6,v_3), (v_7,v_1), (v_8,v_3)} is shown in Figure 4(b). After executing the BalancePath algorithm, we obtain the edge weights, also shown in Figure 4(b), that balance all re-convergent paths in E_f. Note that an edge with no weight shown has an implicit weight of 1. Also shown are the W values of each node. For instance, W(v_6) = 5 denotes that all paths in the set P(v_1,v_6) have weight 5. Next, we compute the forward loop length of each loop and the weights of the back-edges. The forward loop length of the loop with back-edge (v_6,v_3) is …; similarly, that with back-edge (v_7,v_1) is 6, and that with back-edge (v_8,v_3) is 5. Thus, the value of N, as defined, is 7. The weights of the back-edges (v_6,v_3), (v_7,v_1) and (v_8,v_3) are 4, 1, and 2 respectively, as shown in Figure 4(c). For each edge with weight w, we insert w-1 nodes corresponding to NOP states, shown as un-shaded circles in the modified flow graph in Figure 4(d).

Reachability on the original flow graph G(V,E,v_1) in Figure 4(a) saturates at depth 6 with 8 nodes. Reachability on the balanced flow graph in Figure 4(d) does not saturate. Instead, the set of reachable nodes R(d) at depth d shows a periodic behavior with period N = 7. If we do reachability separately on each loop of the modified flow graph in Figure 4(
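The path-balancing and loop-balancing steps of this section, as an added Python example; this is not the paper's BalancePath/BalanceAux code. The flow graph is constructed and is not the graph of Figure 4. The forward-edge weights follow the definition above (W(v) is one more than the maximum W over from(v), and w(u,v) = W(v) - W(u)). The back-edge rule used here, w(b_i,r_i) = N - C_i with forward loop length C_i = W(b_i) - W(r_i), is an assumption inferred from the numbers quoted in Example 2 (N = 7 with forward loop lengths 6 and 5 giving weights 1 and 2); the page's own formula is not reproduced. After balancing, CSR on the constructed graph does not saturate: R(d) repeats with period N and contains exactly one non-NOP state per depth, whereas CSR on the original graph saturates at depth 5 with all 6 nodes.

```python
"""BalancePath on the forward-edge DAG, loop balancing by back-edge
weights, NOP insertion, and CSR on the result. Added example on a
constructed graph (not Figure 4); the back-edge rule N - C_i is an
assumption inferred from Example 2's numbers, see the text above.
"""
from collections import defaultdict

# Constructed reducible flow graph: node -> successors, entry node v1.
FLOW = {
    "v1": ["v2", "v3"],
    "v2": ["v3"],
    "v3": ["v4", "v5"],
    "v4": ["v5"],
    "v5": ["v6"],
    "v6": ["v1", "v3"],          # back-edges (v6,v1) and (v6,v3)
}
BACK_EDGES = {("v6", "v1"), ("v6", "v3")}

def balance_paths(flow, back_edges, root):
    """BalancePath over the forward edges E_f. W(v) is the common weight
    of every root->v path after balancing, w(u,v) = W(v) - W(u) >= 1,
    and w(u,v) - 1 NOP states are to be inserted on (u,v)."""
    fwd_pred = defaultdict(set)
    for u, succ in flow.items():
        for v in succ:
            if (u, v) not in back_edges:
                fwd_pred[v].add(u)
    W = {root: 0}

    def balance_aux(v):          # memoised, so it runs once per node
        if v not in W:
            W[v] = max(balance_aux(u) for u in fwd_pred[v]) + 1
        return W[v]

    for v in flow:
        balance_aux(v)
    weights = {(u, v): W[v] - W[u] for u, succ in flow.items()
               for v in succ if (u, v) not in back_edges}
    return W, weights

def balance_loops(W, back_edges):
    """One loop cluster: C_i = W(b_i) - W(r_i) is the forward loop length,
    N = max_i C_i + 1 the maximum loop period, and each back-edge gets
    weight N - C_i (assumed rule) so every entry re-appears every N steps."""
    C = {(b, r): W[b] - W[r] for (b, r) in back_edges}
    N = max(C.values()) + 1
    return N, {e: N - c for e, c in C.items()}

def insert_nops(flow, weights):
    """Expand each edge (u,v) of weight w into u -> (w-1 NOP states) -> v."""
    out = defaultdict(list)
    for u, succ in flow.items():
        for v in succ:
            prev = u
            for k in range(1, weights[(u, v)]):
                nop = f"nop_{u}_{v}_{k}"
                out[prev].append(nop)
                prev = nop
            out[prev].append(v)
    return dict(out)

def balance(flow, back_edges, root):
    """Full transformation: returns (N, balanced flow graph, W, weights)."""
    W, w = balance_paths(flow, back_edges, root)
    N, wb = balance_loops(W, back_edges)
    w.update(wb)
    return N, insert_nops(flow, w), W, w

def csr(flow, init, max_depth):
    """R(d): control states possible at exactly depth d (BFS frontier)."""
    R = [frozenset([init])]
    for _ in range(max_depth):
        R.append(frozenset(t for s in R[-1] for t in flow.get(s, ())))
    return R

def period(R, start):
    """Smallest p > 0 with R(d) == R(d+p) for all d >= start in the horizon."""
    for p in range(1, len(R) - start):
        if all(R[d] == R[d + p] for d in range(start, len(R) - p)):
            return p
    return None

if __name__ == "__main__":
    N, balanced, W, w = balance(FLOW, BACK_EDGES, "v1")
    print("W =", W, "\nedge weights =", w, "\nN =", N)
    R_orig, R_bal = csr(FLOW, "v1", 12), csr(balanced, "v1", 24)
    print("original saturates at 5:", R_orig[5] == frozenset(FLOW))
    print("balanced period:", period(R_bal, 2))
    print("non-NOP states per depth:", [sorted(s for s in rd if s in FLOW) for rd in R_bal[:8]])
```

On this graph BalancePath assigns W = 0..5 to v1..v6, puts weight 2 on the two re-convergent edges (v1,v3) and (v3,v5), and the loop step gives N = 6 with back-edge weights 1 and 3, so both loops have period 6. The balanced CSR then never holds more than one non-NOP state per depth, which is exactly the small |R(d)| the on-the-fly simplifications of Section 4.5 need.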
Experiments
We experimented on a public benchmark, bc-1.06, a C program for an arbitrary-precision calculator language with interactive execution of statements. It has a known array-bound access bug (checked as an error-label reachability property). Using our program verification tool F-soft [24], we first generated an EFSM model M with 36 control states and 24 state variables. The datapath elements include 10 adders, 106 if-then-else operators, 52 constant multipliers, 11 inequalities, and 49 equalities. The corresponding flow graph has two loops, with 4 and 8 nodes (control states) respectively. We also used statically generated invariants [25] to provide block-specific invariants. We performed controlled experiments to evaluate the role of the various accelerators discussed in improving the performance of high-level BMC. We used our difference logic solver SLICE [14] in the backend, modified to support incremental learning across time-frames. We conservatively translated each BMC problem instance into a difference logic problem. (A precise translation would have been to a UTVPI, Unit Two Variables Per Inequality, problem.) For understanding the effectiveness of our methods, a conservative translation suffices as long as we do not get false negatives (which was not an issue for this example).
We conducted our experiments on a workstation with dual Intel 2.8 GHz Xeon processors and 4GB physical memory running Red Hat Linux 7.2, using a 500s time limit for each high-level BMC run. We present the results in Table 2. … Column 3 shows the number of calls (#HS) made to the high-level solver, i.e. the instances that the expression simplifier could not reduce to a tautology. Column 4 shows the depth D reached by high-level BMC under the given time limit ('*' denotes a time-out). Column 5 shows the time taken (in seconds) to find the witness; TO denotes that a time-out occurred. Column 6 shows whether a witness was found within the time limit; if so, the witness length equals D.
Discussion of results
Note that fewer calls (#HS) to the SMT solver translate directly into a performance improvement, as the expression simplifier structurally solves the remaining D-#HS SMT problems more efficiently. We discuss the effect of the various learning schemes in improving the structural simplifications. CSR on model M saturates at depth 13 with 36 control states. Although the Unreachable Block Constraint (UBC) allows a deeper search with fewer solver calls, the simplification scope is very limited due to the large set R(d). This also prevents the other simplification strategies from being useful. As shown in Column 6, none of the strategies is able to find the witness in the given time limit. When we apply the procedure … As shown in Column 6, all simplification strategies C-G are able to find the witness in the given time limit. Except for FRBC, all simplification strategies seem useful in reducing the search time, though only UBC reduces the number of calls to the high-level solver, as shown in Column 3. Block-specific invariants added on-the-fly are also found to be useful. Note that although strategy B, with only incremental learning, does not find the witness, it still helps to search deeper compared to strategy A. … = 2, further increasing the scope of simplification, as indicated by a decreased number of calls to the high-level solver. This is also reflected in the reduced solve time (19s) using strategy F, although there is a small performance degradation with strategy G. Not surprisingly, the witness length has gone up to 205. Overall, we see progressive and cumulative improvements with the various learning techniques and strategies.
Comparison with Boolean-level BMC
To compare with Boolean-level BMC, we used our state-of-the-art Boolean-level BMC framework DiVer [4] on a Boolean translation of the model M (with 654 latches and 6K gates) to find a witness for the bug, using an experimental setup identical to the one discussed. Note that, as in [24], we add high-level information such as the mutual exclusion constraints and backward reachable block constraints to the transition relation beforehand. Thus, all these constraints are included in every unrolled BMC instance automatically, unlike in the approach proposed here, where only the relevant constraints are added to a BMC instance. The Boolean-level BMC is able to find a witness at depth 143 in 723s. Not surprisingly, the number of instances solved by structural simplification is merely 15; the rest are passed to the SAT solver. Thus, a reduced scope of simplification can greatly affect the performance of BMC, further supporting the case for synthesizing "BMC friendly" models [26].
Experiments on Industry Software
We also experimented on industry software written in C with about 17K lines of code. We first generated an EFSM model M …. We consider reachability properties P1-P6 corresponding to six control states. CSR on M saturates at depth 84. After transforming M using the path and loop balancing algorithms, we obtain a model M'' with 439 control states and maximum loop period N = 4. Using a similar experimental setup (discussed earlier), we ran high-level BMC (HBMC) for 500s on each of P1-P6 on: (I) model M with strategy A (using only expression simplification), (II) model M with strategy F (all simplifications), and (III) the transformed model M'' with strategy F. We present our results in Table 3. Column 1 gives the property checked; Columns 2-4 give the BMC depth reached (* denotes the depth at time-out, TO), the time taken (in sec) and whether a witness was found (Y/N), respectively, for combination (I). Similarly, Columns 5-7 and 8-10 present the same information for combinations (II) and (III) respectively. The results clearly show that combination (III) is superior to (II) and (I), with a significant improvement in performance, though at increased witness depth.
Conclusions and Future Work
The current trend of designing at higher levels of abstraction using high-level languages and specifications has challenged the verification community to lift the maturity and advancements of BMC from the Boolean level to the higher levels. Although high-level BMC overcomes several inherent limitations of Boolean-level BMC, the higher theoretical complexity of the associated logics and decision procedures makes the approach even more challenging. We provide an engineering framework for high-level BMC with several state-of-the-art innovations based on the extraction and efficient use of high-level information to improve performance and scalability. This framework also allows easy integration of the state-of-the-art techniques available for Boolean-level BMC. We believe that our proposed framework is a step towards reducing the gap between the theory and practice of such techniques.
