Multi-level Bounded Model Checking to detect bugs beyond the bound

Bounded Model Checking is a widely used technique both in hardware and software verification. However, it cannot be applied if the bounds (number of time frames to be analyzed) becomes large. Therefore it cannot detect bugs that can be observed only through very long sequence counter-examples. In this paper, we present a method connecting multiple BMCs by sophisticated uses of inductive approach and symbolic simulation. The proposed method can check unbounded properties by analyzing loop behaviors in the design with decision procedures. In our verification flow, a property is automatically decomposed and refined instead of designs. First, a property is decomposed not to consider the reachability from the initial states of the design. Next, if a counter-example is found, the condition to enter it is generated by symbolic simulation. Finally, the reachability from the initial states to the states where the condition becomes true is checked inductively by another Bounded Model Checking. If they are not reachable from the initial states, then the property is refined not to enter the unreal counter-example. Key observation here is that each BMC does not need to process so many time frames as compared with pure BMC from initial states. Therefore, the proposed method can process much larger bounds. Experimental results with two examples have confirmed this advantage.