Software Tools for Technology Transfer manuscript No.
(will be inserted by the editor)
Exploiting Resolution Proofs to Speed Up LTL Vacuity Detection for
BMC
Jocelyn Simmonds
1
, Jessica Davies
1
, Arie Gurfinkel
2
, Marsha Chechik
1
1
Department of Computer Science, University of Toronto
2
Software Engineering Institute, Carnegie Mellon University
The date of receipt and acceptance will be inserted by the editor
Abstract. When model-checking reportsthat a propertyholds
on a model, vacuity detection increases user confidence in
this result by checking that the property is satisfied in the in-
tended way. While vacuity detection is effective, it is a rela-
tively expensive technique requiring many additional model-
checking runs. We address the problem of efficient vacuity
detection for Bounded Model Checking (BMC) of LTL prop-
erties, presenting three partial vacuity detection methodsbased
on the efficient analysis of the resolution proof produced by
a successful BMC run. In particular, we define a character-
istic of resolution proofs – peripherality – and prove that if
a variable is a source of vacuity, then there exists a resolu-
tion proof in which this variable is peripheral. Our vacuity
detection tool, VaqTree, uses these methods to detect vacu-
ous variables, decreasing the total number of model-checking
runs required to detect all sources of vacuity.
1 Introduction
Model-checking [7] is a widely-used automated technique
for verification of both hardware and software artifacts that
checks whether a temporal logic property is satisfied by a
finite-state model of the artifact. If the model does not satisfy
the property, a counterexample, which can aid in debugging,
is produced. If the model does satisfy the property, no infor-
mation about why it does so is provided by the model-checker
alone. A positive answer without any additional information
can be misleading, since a property may be satisfied in a way
that was not intended. For instance, a property “every request
is eventually acknowledged” is satisfied in an environment
that never generates requests.
Vacuity detection [2,18,21,1]is an automatic sanity check
that can be applied after a positive model-checking run in or-
der to gain confidence that the model and the property cap-
ture the desired behaviours. Informally, a property is said to
be vacuous if it has a subformula which is not relevant to
its satisfaction, or if the property itself is a tautology. Con-
versely, a property is satisfied non-vacuously if every part of
the formula is important – even a slight change to the formula
affects its satisfaction.
In this article, we focus on vacuity detection for SAT-
based Bounded Model Checking (BMC). Given a BMC prob-
lem with a particular bound, we wish to determine if the
property holds vacuously on the model up to this bound. In
this context, a naive method for detecting vacuity is to re-
place subformulas of the temporal logic property with un-
constrained boolean variables and run BMC for each such
substitution. If the property with some substitution still holds
on the model, the property is vacuous. This naive approach is
expensive, since in the worst case it requires as many model-
checking runs as there are subformulas in the property. Our
goal is to reduce the number of model-checking runs required
to detect vacuity. We do this by detecting some vacuity through
novel and inexpensive techniques reported in this article, and
complete the method by running the naive algorithm on the
remaining atomic subformulas. The key to our technique is
that SAT-based BMC can automatically provide useful infor-
mation (a resolution proof) beyond a decision whether the
property holds on the model; we exploit such proofs for par-
tial vacuity detection.
In SAT-based BMC, the property and the behavior of the
model are encoded in a propositional theory, such that the
theory is satisfiable if and only if the formula does not hold.
When the property does hold, a DPLL-based SAT solver can
produce a resolution proof that derives false from a subset of
the clauses in the theory called the UNSAT core. Intuitively,
the resolution proof provides an explanation of why the prop-
erty is not falsified by the model, and the UNSAT core deter-
mines the relevant parts of the model and the property [19].
In this article, we develop three methods of increasing
precision (irrelevance, local irrelevance, and peripherality)
to analyze the resolution proof to achieve partial vacuity de-
tection. These algorithms are used by our vacuity detection
tool, VaqTree,in order to reduce the number of model-checking
runs required to find all sources of vacuity, thus reducing exe-
cution times. Irrelevance and local irrelevance detect vacuity
based on which variables appear in the UNSAT core, and in
which locations. However, as these methods only examine
the UNSAT core, their precision is limited. The periphera-
lity algorithm examines the structure of the resolution proof,
identifying as vacuous those variables that are not necessary
or central to the derivation of false. This method is as pre-
cise as can be achieved through analyzing a single resolution
proof, and its running time is linear in the size of the resolu-
tion proof and the number of variables in the property. Our
experience shows that local irrelevance is the ideal candidate
for speeding up naive vacuity detection.
The remainder of the article is organized as follows. Sec-
tion 2 presents some required background, followed, in Sec-
tion 3 by our definition of vacuity, the naive algorithm for
LTL vacuity detection using BMC, and an overview of work
in the vacuity detection field. Section 4 presents the three al-
gorithms that detect vacuity by analyzing a resolution proof.
Tool support for our approach is described in Section 5. Our
experimental results are presented in Section 6. We conclude
with a summary, additional related work, and suggestions for
future work in Section 7.
2 Background
In this section, we review bounded model-checking and res-
olution proofs.
2.1 Bounded Model-Checking
Bounded model-checking (BMC) [4] is a method for deter-
mining whether a linear temporal logic (LTL) formula ϕ holds
on a finite state system represented by a Kripke structure K
up to a finite number of steps. To solve an instance of the
BMC problem, denoted by BMC
k
(K, ϕ), it is required to de-
termine whether K |=
k
ϕ, where |=
k
is the k-depth satisfac-
tion relation. Below, we give an informal overview of Kripke
structures, LTL formulas and BMC. More detailed definitions
can be found in [7,4].
A Kripke structure K has a finite set of states S, one of
which is considered to be the initial state s
0
. A transition re-
lation R ⊆ S × S relates states to states. Each state is labeled
by the set of propositional formulas (or variables) that hold in
that state. A run of K is a sequence of states starting with s
0
that obeys R. Each run has an associated trace π, where π
i
is simply the set of propositional formulas that label the i
th
state in the run. We write π
i
to denote the suffix of the trace
beginning at i.
LTL formulas are built from propositional variables, the
usual boolean operators (∨, ∧, ¬), and the temporal op-
erators G (“always”), F (“eventually”), U (“until”), and X
(“next”). Their semantics are defined on linear traces, such as
those produced by runs of a Kripke structure. π |= ϕ means
s
0
s
1
{p} {q}
Fig. 1: A Kripke structure.
that the trace π satisfies the LTL formula ϕ. For example,
π |= Fϕ if and only if there exists some i such that ϕ holds
on π
i
. The satisfaction relation |= is defined inductively in
a similar way for all operators and propositional variables in
LTL. We refer the reader to [7] for a detailed description of
the semantics of LTL.
A Kripke structure K satisfies an LTL formula ϕ if and
only if π |= ϕ for all traces π of K. The BMC problem
BMC
k
(K, ϕ) is to determine whether K satisfies ϕ for up to
k steps, i.e., whether K |=
k
ϕ. The k-depth satisfaction rela-
tion |=
k
is defined inductively; for example, π |=
k
Gϕ if and
only if π
i
|=
k−1
ϕ for all i ≤ k.
To determine whether K |=
k
ϕ, the problem is converted
to a propositional formula Φ (see [4,6,5]) which is satisfi-
able if and only if there exists a length-k counterexample to
K |=
k
ϕ. Φ is then given to a SAT solver which decides its
satisfiability. The propositional encoding represents the be-
havior of K up to k steps with a path constraint CL
K
, and
encodes all counterexamples to ϕ of length k in an error con-
straint CL
e
. Therefore, if the theory CL
K
∪ CL
e
is satis-
fiable, there is a path through K which obeys the transition
relation and falsifies ϕ. The value of each variable v of K at
each time step is represented using new boolean variables v
i
(0 ≤ i ≤ k), called timed variables.
The transition relation of a Kripke structure can be repre-
sented symbolically by a propositional formula over the vari-
ables V and primed variables V
′
(which represent the vari-
ables in the next state). For example, in the model in Fig-
ure 1, the transition relation is represented by the formula
R = (p ∧ ¬q ∧ ¬p
′
∧ q
′
) ∨ (¬p ∧ q ∧ ¬p
′
∧ q
′
). The path
constraint is obtained by substituting the timed variables V
i
for V in R, and replacing V
′
by the timed variables for the
next step, V
i+1
. This is repeated for each 0 ≤ i < k, and the
resulting propositional formulas are conjoined along with a
formula representing the initial state [4]. In Figure 1, if k = 1,
CL
K
= (p
0
∧ ¬q
0
) ∧ ((p
0
∧ ¬q
0
∧ ¬p
1
∧ q
1
)
∨(¬p
0
∧ q
0
∧ ¬p
1
∧ q
1
)).
The error constraint CL
e
is encoded according to a recursive
procedure which removes the temporal and logical operators
from the property [4], e.g., the algorithm encodes ϕ = Gp,
where p is a propositional variable, expanded up to k = 2, by
the formula ¬p
0
∨ ¬p
1
∨ ¬p
2
.
After the boolean formulas for the path and error con-
straints are calculated, they are converted to Conjunctive Nor-
mal Form (CNF) before being passed to a SAT solver. If
the solver reports that CL
K
∪ CL
e
is unsatisfiable, it means
that there is no length-k counterexample to ϕ; otherwise, a
(¬r
0
) (r
0
∨ p
0
) (¬p
0
∨ q
0
) (¬p
0
∨ ¬q
0
) (p
0
)
(p
0
)
(q
0
)
(¬p
0
)
()
Fig. 2: A resolution proof for EXAMPLE 2.
satisfying assignment is returned. When a DPLL-based SAT
solver processes an unsatisfiable theory, a resolution deriva-
tion of false (or the empty clause) is implicitly constructed [10,
27]. This resolution proof is used to verify that false can in-
deed be derived from CL
K
∪ CL
e
[28].
2.2 Resolution Proofs
Resolution is an inference rule that is applied to propositional
clauses to produce logical consequences. A clause is a dis-
junction of literals (boolean variables or their negations). For
example, (v
1
∨ ¬v
2
∨ v
5
) is a clause stating that at least one
of v
1
, ¬v
2
or v
5
must be true. The resolution rule takes two
clauses, where one contains a literal v and the other – its nega-
tion ¬v, and produces a clause containing the union of the
two clauses’ literals minus v and ¬v. For example, resolv-
ing (v
1
∨ ¬v
2
∨ v
5
) and (v
2
∨ v
6
) produces the resolvent
(v
1
∨ v
5
∨ v
6
).
A resolution proof Π is a directed acyclic graph whose
nodes are labeled by propositional clauses. Π represents a
tree of resolutions between the clauses labeling its nodes.
Its roots are the nodes with no parents; otherwise, all nodes
have exactly two parents. The nodes with no children are
called the leaves. For example, the roots of resolution proof
Π in Figure 2 are Roots(Π) = {(¬r
0
), (r
0
∨ p
0
), (¬p
0
∨
q
0
), (¬p
0
∨¬q
0
), (p
0
)}, and the leaf of Π is the empty clause,
i.e., Leaf (Π) = false. Given a non-root node labeled by the
clause c, and the labels of its parents, c
1
and c
2
, c is the re-
solvent since it has been produced by resolving c
1
and c
2
on
some variable v. A resolution proof Π is a proof of unsat-
isfiability of a set of clauses A if and only if all roots of Π
belong to A, and one of the leaves of Π is the empty clause.
For example, Figure 2 shows a resolution proof of the unsat-
isfiability of Roots(Π). If a propositional theory in CNF is
unsatisfiable, an UNSAT core is an unsatisfiable subset of its
clauses.
Given two disjoint sets of clauses A and B, a variable v is
said to be local to A if and only if v appears in A but does not
appear in B, and v is said to be global if it appears in both
A and B. In Figure 2, if Roots(Π) = A ∪ B, where A =
{(¬r
0
), (r
0
∨ p
0
), (¬p
0
∨ q
0
)} and B = {(¬p
0
∨ ¬q
0
), (p
0
)},
then r
0
is local to A, and the rest of the variables are global.
3 Defining Vacuity
This article uses the following definition of vacuity.
Definition 1. Let K be a Kripke structure, ϕ be a formula
s.t. K |=
k
ϕ, and p be a variable. ϕ is k-step p-vacuous iff
K |=
k
ϕ[p ← x], where x is a variable not occurring in K or
in ϕ.
If ϕ is k-step p-vacuous, we call p a k-step vacuous vari-
able. A property ϕ is k-step vacuous if and only if ϕ contains
a k-step vacuous variable. Therefore, our techniques aim to
find the k-step vacuous variables of ϕ. The qualifier “k-step”
is omitted in the remainder of the article but should be under-
stood implicitly in the BMC context.
Definition 1 can be generalized to vacuity in arbitrary (not
necessarily atomic) subformulas. This follows from the fact
that a subformulais vacuous iff it is mutually vacuous in all of
its atomic propositions [13, Th. 9], and that the definitions can
be easily extended to mutual vacuity. A set of atomic propo-
sitions {p
1
, ..., p
n
} is mutually vacuous if K |=
k
ϕ[p
1
←
x
1
, ..., p
n
← x
n
], where {x
1
, ..., x
n
} are new variables. For
example, if ϕ contains subformula θ = p ∧ q, and p and q
are mutually vacuous, then we can deduce that θ is vacuous
as well.
Naive Vacuity Detection. Definition 1 suggests a sound and
complete algorithm for vacuity detection: for each proposi-
tional variable p in ϕ, run BMC on ϕ[p ← x], where x is a
variable that does not appear in K and ϕ. If K |=
k
ϕ[p ← x]
for some p, then ϕ is k-step vacuous. We refer to this algo-
rithm as naive. Its drawback is that it may require as many
model-checking runs as there are propositional variables in
ϕ.
We now review some of the alternativedefinitions of vacu-
ity and their algorithms. The first attempt to formulate and
automate vacuity detection is due to Beer et al. [2]. They
consider a property ϕ to be vacuous if ϕ contains a sub-
formula ψ such that replacing ψ by any other formula does
not affect the satisfaction of ϕ. Applying this definition di-
rectly would require an infinite number of subformula re-
placements, precluding a practical implementation. However,
Beer et al. show that to detect vacuity w.r.t. a single occur-
rence of a subformula ψ in w-ACTL, it is sufficient to replace
ψ with only true and false. This was later extended to CTL*
by Kupferman and Vardi [18], and to the modal µ−calculus
by Dong et al. [9]. Purandare and Somenzi [21] showed how
to speed up subformula vacuity by analyzing the parse tree of
a CTL property.
Armoni et al. [1] generalized the above syntactic defini-
tion of vacuity by introducing universal quantification, i.e.,
∀x · ϕ[ψ ← x]. Based on the domain of x, three notions of
vacuity are obtained, the most robust of which being trace
vacuity. Gurfinkel and Chechik [12] extended Armoni’s defi-
nition of vacuity to CTL*, thus uniformly capturing CTL and
LTL. Armoni et al. also analyzed the syntactic structure of
the property in order to avoid checking the operands of sub-
formulas that are known to be vacuous. Such optimizations
complement our techniques, which focus on detecting vacu-
ous atomic subformulas.
In [20], Namjoshi has introduced a proof-based variant
of vacuity. Although it is called proof vacuity in the original
paper, we refer to it as forall-proof vacuity. This definition is
based on the semantic proofs of K |= ϕ for a Kripke structure
K and a formula ϕ. Informally, a formula ϕ is forall-proof
vacuous in a subformula ψ if ψ is not used in any proof of
K |= ϕ. Of course, a formal definition depends on the exact
interpretation of the notion of “proof”. In comparison, we use
an “existential” definition of vacuity: a formula is vacuous
if there exists a proof that does not use a subformula. Inter-
estingly, we rely on syntactic (and not semantic) resolution
proofs that may include “semantically-useless” resolutions.
As a result, it is possible that a formula ϕ is vacuous in ψ in
a model K, yet there is no resolution proof of bounded satis-
faction of K |= ϕ that does not use ψ. More importantly, our
goal is to develop a method to efficiently detect vacuity for
LTL as it was defined by [2,3,1,12], whereas Namjoshi was
looking for an alternative definition of vacuity for branching
time logic.
Our definition of vacuity is syntactic, and in this respect,
it is similar to the original definition of Beer et al. [2]. How-
ever, Definition 1 is stronger, and is equivalent to the seman-
tic definition of Armoni et al. [1], as shown by Gurfinkel and
Chechik [12].
4 Exploiting Resolution Proofs
In Section 3, we discussed the existence of a sound and com-
plete vacuity detection algorithm for BMC, which requires
as many model-checking runs as there are propositional vari-
ables in the property being checked. We propose a new vacu-
ity detection strategy: first detect partial vacuity using inex-
pensive techniques and then complete the analysis using ex-
tra model-checking runs. Since we are interested in replacing
expensive model-checking runs by inexpensive partial vacu-
ity detection methods, we limit ourselves to considering the
output of the original model-checking run on BMC
k
(K, ϕ),
i.e., CL
K
∪ CL
e
. This run provides us with a single reso-
lution proof to analyze. Of course, in general, there may be
many ways to derive the empty clause from different sub-
sets of BMC
k
(K, ϕ). Any method that only examines one of
these derivations is inherently incomplete, in the sense that
a property may be p-vacuous but there is no way of deter-
mining this based on a given resolution proof. For example,
consider a model that is composed of two completely disjoint
sub-models, running in parallel, i.e., K = K
1
k K
2
. Suppose
that K
1
satisfies Gp, K
2
satisfies Gq, and that both do so
non-vacuously. Then the property ϕ = Gp ∨ Gq holds on K
p-vacuously and q-vacuously. However, one of the possible
resolution proofs showing that ϕ holds proves that Gp holds
non-vacuously on K
1
. Thus, it is impossible to determine that
ϕ is vacuous in p from this proof. Any method based on ex-
amining only one resolution proof cannot prove the absence
of vacuity, since another resolution proof, showing the prop-
erty to be vacuous, might exist.
In this section, we introduce three algorithms of increas-
ing precision for partial vacuity detection, based on examin-
ing the UNSAT core (irrelevance and local irrelevance) and
the resolution proof produced by BMC (peripherality).
4.1 Examining UNSAT cores
Given a resolution proof that BMC
k
(K, ϕ) is unsatisfiable,
we can sometimes cheaply determine that the similar theory
BMC
k
(K, ϕ[p ← x]) is also unsatisfiable, and therefore, that
the property is p-vacuous. In this section, we consider how
to determine that BMC
k
(K, ϕ[p ← x]) is unsatisfiable given
that BMC
k
(K, ϕ) is unsatisfiable, using only an UNSAT core.
4.1.1 Irrelevance
Intuitively, any variable that does not appear in the UNSAT
core does not contribute to the reason why ϕ holds on K, so
it can be considered irrelevant.
Definition 2. Let K be a model, and ϕ an LTL formula. As-
sume that Π is an UNSAT core of BMC
k
(K, ϕ) witnessing
that K |=
k
ϕ. Then, p is irrelevant with respect to
BMC
k
(K, ϕ) and Π iff p
i
does not appear in Π for any time
instance i.
If a variable is irrelevant, it is also vacuous, as shown by
the following theorem.
Theorem 1. If p is irrelevant with respect to BMC
k
(K, ϕ)
and Π, then ϕ is k-step p-vacuous.
Proof: Let BMC
k
(K, ϕ) = CL
K
∪ CL
e
and U be the UNSAT
core returned by the SAT solver for BMC
k
(K, ϕ). Assume that
p is irrelevant in BMC
k
(K, ϕ). So U does not contain any p
i
by
Definition 2. Therefore, U ⊆ CL
K
∪ CL
e
implies U ⊆ CL
K
∪
CL
e
[p
i
← x
i
| 0 ≤ i < k]. U is also an UNSAT core of
BMC
k
(K, ϕ[p ← x]) so ϕ[p ← x] holds on K. Thus, ϕ is p-
vacuous.
Definition 2 provides an algorithm to detect some vacu-
ous variables. However, a variable can appear in the UNSAT
core and still be vacuous, as demonstrated by the following
example.
EXAMPLE 1. Consider a Kripke structure K with variables p
and q given by the constraints Init = p ∧ q, R = p ⇒ q
′
,
which mean that the initial state is labeled by {p, q}, and
the transition relation is expressed by the propositional for-
mula p ⇒ q
′
over unprimed and primed variables. Let ϕ =
X(p ∨ q) be the property to check. ϕ is p-vacuous since it is
satisfied simply because q is true in any successor of the ini-
tial state. The CNF encoding of the one-step BMC problem
is CL
K
= {(p
0
∧ q
0
), (p
0
⇒ q
1
)} = {(p
0
), (q
0
), (¬p
0
, q
1
)},
CL
e
= {(¬p
1
), (p
1
, ¬q
1
)}. In this case, the unique minimal
UNSAT core contains all of the clauses of the problem except
for (q
0
). Thus, all p
i
appear in the UNSAT core, and p cannot
be determined vacuous using irrelevance.
(p
0
) (¬p
0
, q
1
) (x
1
, ¬q
1
) (¬x
1
)
q
1
¬q
1
()
Fig. 3: A resolution proof for EXAMPLE 1.
This example shows that even if we are to look at every
UNSAT core of a BMC problem, irrelevance is still unable to
detect existing vacuity.
4.1.2 Local Irrelevance
Variables which do not appear in the UNSAT core are vac-
uous. The converse is not true: vacuous variables may also
appear in the UNSAT core. Intuitively, these variables are
not the central reason why ϕ holds on K. For example, the
clauses of CL
K
may resolve against each other, representing
some simplification and unification of parts of the model, be-
fore resolutions with CL
e
clauses are performed. If a variable
is resolved upon using only the CL
K
clauses or only the CL
e
clauses, it is potentially vacuous. By looking at the UNSAT
core, it is possible to anticipate whether a variable will not
be involved in resolutions between CL
K
and CL
e
using the
following definition.
Definition 3. Let K be a model, and ϕ an LTL formula. As-
sume that Π is an UNSAT core of BMC
k
(K, ϕ) witness-
ing K |=
k
ϕ. Then, p is locally irrelevant with respect to
BMC
k
(K, ϕ) and Π iff for each time instance i, either p
i
does
not appear in Π or p
i
is local to either CL
e
∩Π or CL
K
∩Π.
In EXAMPLE 1, p is locally irrelevant since p
1
only oc-
curs in the clauses of U taken from CL
e
, while p
0
only ap-
pears in U within CL
K
clauses. Moreover, the UNSAT core
of the original problem can be convertedto an UNSAT core of
the new theory, thus proving that p is vacuous. Specifically,
U = {(p
0
), (¬p
0
, q
1
), (¬p
1
), (p
1
, ¬q
1
)} is the UNSAT core
of the original problem, so substituting x for p in the clauses
of U that came from CL
e
gives
U
′
= {(p
0
), (¬p
0
, q
1
), (¬x
1
), (x
1
, ¬q
1
)}.
This is a subset of
BMC
1
(K, ϕ[p ← x]) = {(p
0
), (q
0
), (¬p
0
, q
1
), (¬x
1
),
(x
1
, ¬q
1
)},
so it is a candidate for the new UNSAT core. The substitution
may have prevented the resolutions necessary to derive the
empty clause. However, Figure 3 shows a proof that U
′
is
also unsatisfiable. In this case, it was possible to substitute x
i
for p
i
in the clauses coming from CL
e
in the original UNSAT
core and create an UNSAT core for BMC
k
(K, ϕ[p ← x]). In
fact, this observation applies to all cases of local irrelevance
by Theorem 2. Therefore, Definition 3 specifies an algorithm
to detect some vacuous variables.
Theorem 2. If p is locally irrelevant with respect to
BMC
k
(K, ϕ) and Π, then ϕ is k-step p-vacuous.
Proof: Let BMC
k
(K, ϕ) = CL
K
∪ CL
e
and U be the UN-
SAT core returned by the SAT solver for BMC
k
(K, ϕ). Assume
that p is locally irrelevant in BMC
k
(K, ϕ). So for all p
i
, either
p
i
does not appear in U , or p
i
is local to CL
e
∩ U = U
e
or
to CL
K
∩ U = U
K
by Definition 3. Let U
e
′
be U
e
with each
occurence of p
i
replaced by x
i
. Since each p
i
that has been
replaced is local to U
e
, and U
K
∪ U
e
= U is unsatisfiable, then
U
K
∪ U
e
′
is also unsatisfiable. Since U
e
′
⊆ CL
e
[p
i
← x
i
| 0 ≤
i < k], the set of clauses CL
K
∪ CL
e
[p
i
← x
i
| 0 ≤ i < k] is
unsatisfiable as well. Therefore, K |=
k
ϕ[p ← x] holds, so ϕ
is p-vacuous.
Unfortunately, if a variable p is not locally irrelevant in
an UNSAT core, the formula can still be p-vacuous, as shown
by the following example.
EXAMPLE 2. Consider a Kripke structure with atomic propo-
sitions r, p and q whose initial state is given by the constraint:
Init = ¬r ∧ p ∧ q. The formula ϕ = ¬p ∨ q is p-vacuous in
the initial state. Let us assume that the zero-step BMC prob-
lem is encoded in CNF as follows:
CL
K
= (¬r
0
)(r
0
∨ p
0
)(¬p
0
∨ q
0
)
CL
e
= (p
0
)(¬p
0
∨ ¬q
0
)
There are several resolution proofs that can establish un-
satisfiability of CL
K
∪ CL
e
; one such proof is shown in Fig-
ure 2. In none of the proofs is p locally irrelevant with respect
to CL
e
and CL
K
.
The problem with local irrelevance is that it is impossible
to tell if a variable is going to be used in a resolution joining
CL
K
and CL
e
clauses based on the UNSAT core alone.
4.2 Peripherality
In Section 4.1, two vacuity detection methods based on ex-
amining the variables in the UNSAT core were found to fall
short of completeness. It was seen that even if every possible
resolution proof could be analyzed, irrelevance and local ir-
relevance still might fail to detect existing vacuity. Here, we
extend the analysis to the resolution proof’s structure. The
resulting peripherality algorithm is superior, since it guaran-
tees vacuity will be found if all possible resolution proofs are
considered.
The limitations of detecting vacuity based only on the
UNSAT core were demonstrated in EXAMPLE 2. By exam-
ining the resolution proof in Figure 2, we see that although
p
0
appears both in CL
K
clauses and in CL
e
clauses, it is
always resolved “locally”. That is, if we resolve two clauses
c
1
= (..., p
i
, ...) and c
2
= (..., ¬p
i
, ...), p
i
and ¬p
i
must have
been preserved from their original source in some set of root
clauses. If all the originating root clauses belong to CL
K
or
all belong to CL
e
, then p
i
is being resolved on locally. In this
case, we can replace p
i
in either set of clauses without af-
fecting their unsatisfiability. For example, in Figure 2, p
0
can