A Single-Instance Incremental SAT Formulation of Proof- and Counterexample-Based Abstraction

This paper presents an efficient, combined formulation of two widely used abstraction methods for bit-level verification: counterexample-based abstraction (CBA) and proof-based abstraction (PBA). Unlike previous work, this new method is formulated as a single, incremental SAT-problem, interleaving CBA and PBA to develop the abstraction in a bottom-up fashion. It is argued that the new method is simpler conceptually and implementation-wise than previous approaches. As an added bonus, proof-logging is not required for the PBA part, which allows for a wider set of SAT-solvers to be used.

💡 Research Summary

The paper introduces a novel, unified approach to bit‑level hardware verification that combines Counterexample‑Based Abstraction (CBA) and Proof‑Based Abstraction (PBA) into a single, incremental SAT formulation. Traditional methods treat CBA and PBA as separate phases: CBA works bottom‑up, starting from an empty abstraction (all flops replaced by primary inputs) and adding flops to eliminate concrete counterexamples, while PBA works top‑down on the full design, removing flops that do not appear in an UNSAT proof. Both have complementary strengths—CBA is fast but may retain unnecessary flops, PBA yields tighter abstractions at higher computational cost.

The authors propose to interleave these two techniques within one SAT instance that is incrementally extended as the verification depth grows. The algorithm proceeds as follows:

1. Initialize with an empty abstraction (all flops are PIs). Insert one time‑frame of the design into a SAT solver.
2. SAT query: ask for a satisfying assignment that makes the bad signal (negated property) true. If SAT, the solver returns a concrete counterexample.
3. CBA refinement: For each flop not yet in the abstraction, temporarily replace its value in the counterexample with an undefined (X) value and perform a three‑valued simulation. If X propagates to the bad signal, the flop is essential for that counterexample and is added to the abstraction; otherwise it remains a PI. This loop continues until the SAT query becomes UNSAT, meaning all counterexamples of the current depth have been refuted.
4. PBA pruning: Each concretized flop is guarded by an activation literal. The SAT solver is invoked again with all activation literals as assumptions. When the problem is UNSAT, the solver returns a conflict clause that contains only the subset of activation literals that participated in the proof. Flops whose activation literals are absent are removed from the abstraction automatically, without requiring explicit proof logging.
5. Depth increase: After a UNSAT result, the algorithm proceeds to the next time‑frame (depth k + 1). The bad signal for the new frame is added to the disjunction of assumptions, ensuring that the SAT solver looks for counterexamples that fail in any frame up to the current depth.
6. Termination: The loop stops either when CBA returns the same set of flops it received (indicating a genuine counterexample and thus a property violation) or when a predefined resource limit (time or memory) is reached. The final abstraction is then handed off to downstream verification tools, such as interpolation‑based proof engines.

Key technical contributions include:

• Single‑instance incremental SAT interface: The method relies only on two SAT solver primitives—addClause and solveSat(assumptions). No proof‑logging infrastructure is needed, which broadens the choice of SAT solvers to any modern incremental solver.
• Activation‑literal based PBA: By guarding each flop with a single literal, the algorithm can extract the exact set of flops used in an UNSAT proof directly from the conflict clause. This eliminates the need for syntactic resolution analysis and dramatically reduces overhead.
• Efficient unrolling: The design is represented as an And‑Inverter Graph (AIG). During incremental unrolling, only logic reachable from the current bad signal is inserted, and only concretized flops cause the insertion of preceding time‑frames. Structural hashing and constant propagation further prune the CNF.
• Hybrid bottom‑up/top‑down refinement: CBA quickly eliminates obvious spurious counterexamples, while PBA later trims away flops that were only incidentally added, yielding a tight abstraction without the long runtimes typical of pure PBA.
• Scalability demonstrated on large benchmarks: Experiments on a 40 k‑flop, 860 k‑gate design show that the abstraction shrinks to a few hundred flops in 4 seconds, after which an interpolation‑based proof engine verifies the property instantly. The same design without abstraction requires about 2 minutes with the same proof engine, highlighting the practical impact of the abstraction step.

The paper’s implementation details are described through a Trace class that manages the original netlist, the current abstraction set, the unrolled netlist, and the SAT solver instance. Private methods handle clause generation (clausify), flop insertion (insertFlop), and activation‑literal management. The main loop (Figure 2) orchestrates SAT queries, CBA refinement (refineAbstraction), and PBA pruning, while respecting resource limits.

In conclusion, the authors present a conceptually simple yet powerful method that merges CBA and PBA into a single incremental SAT workflow. By avoiding proof logging and using activation literals, the approach achieves low implementation complexity, broad solver compatibility, and impressive performance on large hardware designs. This work advances the state of the art in abstraction‑driven verification and offers a practical pathway for integrating abstraction tightly with existing SAT‑based model checking pipelines.