Predictive Reachability Using a Sample-based Approach Debashis Sahoo , Jawahar Jain

Predictive Reachability Using a Sample-based Approach
∗
†
‡
§
Debashis Sahoo , Jawahar Jain , Subramanian Iyer , David L. Dill , E. Allen Emerson
ABSTRACT
Unbounded model checking of invariant properties is typically solved using symbolic reachability. However, BDD
based reachability methods suffer from lack of robustness in
performance, whereby it is difficult to estimate which one
should be adopted for a given problem. We present a novel
approach that examines a few short samples of the computation leading to an automatic, robust and modular way of
reconciling the various methods for reachability. Our approach is able to intelligently integrate diverse reachability
techniques such that each method can possibly get enhanced
in efficiency. The method is in many cases orders of magnitude more efficient and it finishes all the invariant checking
properties in VIS-Verilog benchmarks.
1. INTRODUCTION
A common approach to formal verification of hardware is
checking invariant properties of the design. Unbounded
model checking [7, 14] of invariants is usually performed
by doing a reachability analysis. This approach finds all
the states reachable from the initial states and checks if the
invariant is satisfied in these reachable states. These approaches suffer from the so-called state explosion problem
for representing large state sets. Reachability analysis is
typically done using Reduced Ordered Binary Decision Diagrams (OBDDs) [3, 8]. A more compact representation
of boolean functions, Partitioned-OBDDs (POBDDs) [12]
leads to further improvement in reachability analysis [16].
BDD based reachability methods suffer from wild inconsistency in performance, whereby it is difficult to estimate
which method should be adopted for a given problem. We
analyze four different ways of doing reachability analysis,
forward or backward reachability using partitioned or unpartitioned BDDs for state set representation. It is often
the case that though one method can compute reachability
easily, the others find it very difficult. In this paper, we
∗[email protected]; Dept. Electrical Engineering, Stanford University, CA 94305, USA
†[email protected]; Fujitsu Labs of America, Inc.,
Sunnyvale, CA, USA
‡[email protected]; Dept. Computer Sciences, University of Texas at Austin, TX 78712, USA
§Stanford University
¶The University of Texas at Austin
¶
present a completely automatic strategy to determine the
more effective method by running a few short samples of
the above methods. These samples provide a short initial
sampling of the performance of the various methods by observing the initial computations until a predefined cutoff in
BDD size is reached. This approach determines the best direction for reachability analysis as well as the effectiveness of
performing state space partitioning. Note that each method
has its own domain of applicability. We have designed our
approach so that it can benefit from the strengths of each
method. The above intuitive observations are strongly validated empirically as well. The techniques result in a very
robust method which often has dramatic gain in verification time over other approaches. We efficiently and automatically finish all the invariant checking properties of the
VIS-Verilog benchmark suite.
Importantly, at the end of the independently run samples,
we allow all their computation to be shared. This can significantly enhance the performance of each technique. In
many cases the reduction in reachability time for standard
OBDD methods can be dramatic when its reached state set
is augmented using information from POBDD samples.
This approach is modular and other BDD/SAT-based methods can be easily incorporated as part of the samples-centric
analysis, and ultimately as part of our framework. The inherent stability of our method and its reduced sensitivity to
parameters, a well known bˆete noire of BDD based methods, leads us to believe that such an integration was sorely
needed.
1.1
Related Work
In the field of BDD based falsification, the large invariant
checking problems are addressed using approximations, partitioning, guided searches and mixing forward and backward
reachability. An approximation method using overlapping
projections to symbolic backward reachability is proposed in
[9]. The advantage of this method is that it is very fast; but
it doesn’t give an exact solution. A guided search method
using hints is proposed in [2]. This method requires manual intervention; since its efficiency requires good hints from
the user. Several methods to mix forward and backward approximate and exact traversals, guided search are proposed
in [4, 5]. The method presented in [5] uses partitioning of
the state space and prioritizes the partitions based on “their
estimated distance from the target set of states.” It uses approximate forward reachability to improve the exact backward reachability for invariant checking. However, it doesn’t
take advantage of the cases where exact forward reachability
is very effective. If the exact backward reachability becomes
very expensive, then such an approach can become quite
inefficient. There are numerous other reachability methods
that have been proposed in literature, for e.g. [20, 6, 4, 5,
18, 1, 13, 15]. The method in [18] explores both forward
and backward reachable states simultaneously using interleaving approach. The method in [1] connects the forward
and backward reachable states using SAT based approaches.
2. PRELIMINARIES
Let B denote the set {0, 1}. Let M = hS, Σ, δ, S0 , λi be a
non-deterministic finite state machine, where S ⊆ B n is the
state space, Σ ⊆ B m is the input space, δ : S × Σ → 2S
is next state function, S0 is the set of initial states and
λ : S → B k is the output function. The number of state elements, number of inputs and number of outputs of the FSM
is n, m, k respectively. The transition relation T (s, e, s′ ) is
defined as a function from S × Σ × S ′ to B, where S ′ ⊆ B n
and T (s, e, s′ ) = 1 iff s′ ∈ δ(s, e). The
relation
Q transition
′
(s
is often represented by T (s, e, s′ ) = n
=
f
(s,
e)) , in
i
i=0 i
which fi (s, e) is the function for ith state element. The next
set of states N (s′ ) reachable from the given states R(s) is
computed as N (s′ ) = ∃s, e R(s) ∧ T (s, e, s′ ). This step is
known as Forward Image Computation. The Backward Image Computation is referred to as the computation of all
the states R(s) whose next states belong to the given set of
states N (s′ ), i.e. R(s) = ∃s′ , e N (s′ ) ∧ T (s, e, s′ ). In BDDbased verification the transition relation T (s, e, s′ ), the state
functions R(s) and N (s′ ) are represented by BDDs. The
image computation is one of the major bottlenecks in verification. Often the transition relation becomes so large that
it may be impossible to do the image computation. Instead
it is represented as a partitioned transition relation, i.e a
set of BDDs whose conjunctions is equal to the transition
relation. These conjunctions are delayed till the image computation. A technique that often reduces the intermediate
BDDs, called early quantification is applied during the image
computation.
Forward reachability is done by repeated application of forward image computation to the initial states until a fixed
point is reached. The given invariant property, P (s), is
checked during the reachability analysis. The invariant passes
if the total reachable states R(s) ⊆ P (s) and fails otherwise. Backward reachability is done by repeated application of backward image computation from the set S − P (s).
The invariant passes if the total backward reachable set of
states doesn’t include any initial states and fails otherwise.
During reachability analysis the BDD that represents the
reachable state set becomes so large that it may be impossible to do image computation. The method of POBDDbased forward reachability [16] addresses this problem by
using POBDDs [12] for disjunctive state space partitioning.
A similar approach can be adopted for doing POBDD-based
backward reachability. Note that this is in addition to the
conjunctive partitioning of the transition relation discussed
earlier. In the rest of this paper, partitioning will refer to
such state space partitioning.
3.
MOTIVATION FOR PREDICTIVE REACHABILITY
The motivation for our approach is as follows. Reachability
is well known to be an exceptionally difficult problem for
a large number of practical cases. Given any reachability
algorithm, there appear to be some practical cases which
are ill-suited to it. Further, we believe that the domain
of effectiveness for different reachability methods are often
disjoint. To understand this in more detail, consider the following characteristics of forward, backward, and partitioned
state space traversal.
Forward Traversal: The forward traversal explores the
state space from a set of initial states. It uses the invariant property for checking whether the new states explored
satisfy it. Forward traversal seems more effective usually if
the reachable states have a very structured representation
or if the state space is sparse. The forward traversal is not
benefited by a simple or complex property. It will find the
total reachable space if there is a passing property.
Backward Traversal: The backward reachability is more
dependent on the property because it starts exploring from
the part of state space that doesn’t satisfy the property. So
it explores the relevant part of the state space that is needed
for the proof. On the other hand many of these states are not
reachable from the initial states. Backward is also believed
to be very effective for inductive invariants. If a system has
too many unreachable states – as is often the case – and
it is very hard to represent it by a BDD, then backward
reachability is not effective.
Partitioned Traversal: The partitioned forward and backward reachability can explore deeper states and large part
of the state space quickly, if it finds a good partition of the
circuit. If there is no good partition of the circuit, then partitioned reachability would be worse than the corresponding
monolithic reachability due to the overhead involved in partitioning.
Now, consider a reachability method M. The invariant checking using M can be categorized using three different axes:
(a) Property passes or fails; (b) Reachability is shallow or
deep; and (c) Involved computations are easy or hard. The
easy cases do not really pose a problem, and are not the
focus of this research. The improvements for the remaining
problems, i.e. hard cases is the focus of our paper. Before
we discuss the same, let us informally consider the notion of
hard reachability problems.
A reachability problem is typically hard when it requires
very large BDDs or very large number of steps. However,
we have noted above that different approaches may have a
very complementary nature. Thus, a problem may generate
BDD blowup or deep reachability calculations in forward
reachability while for the backward reachability it may generate very small BDDs or very small number of image com-
putations before a fixed-point is reached. Due to this very
real possibility of mapping a very hard reachability problem
in method M, to a much simpler instance in an different
reachability method, it may not be wise to stick to the same
method when it continually proves to be very expensive.
More specifically, given method M, if we can somehow monitor the depth and the blowup being generated in a particular
reachability instance, then as soon as we can determine that
the given execution of M is showing potential to prove difficult, we should explore switching to another orthogonal
reachability method. By using a complementary method,
a reachability instance with BDD blowup may often get
mapped to another which requires only small-BDDs. Similarly a deep case may be mapped to a a shallow instance
of reachability. Thus, even though there may be a BDD
blowup, it may remain relatively more tractable due to a
smaller number of BDD computations. Notice, that since
deep cases in both failing and passing cases are problems
for traditional SAT-BMC so this can be a highly attractive avenue for improving the state of the art in unbounded
model checking of formulas.1 Passing cases where the proof
requires very deep traversal for every reachability method
remain a problem to all non-inductive approaches including
ours.
“aborted” methods.
4.1
Selection from various methods
We use a sample-based algorithm to predict the effective
method. A sample for an algorithm is a short initial computation using that algorithm.
The algorithm runs one sample each of the backward and
forward partitioned reachability followed by forward and
backward symbolic monolithic (non-partitioned) reachability. This order is chosen because we find backward reachability and partitioned reachability more suitable for finding bugs. Therefore, if there is a ”easy” bug, then it can
be found during the sampling process. The samples are
run until a predefined size cutoff is exceeded. This cutoff
is small enough to allow efficient performance of symbolic
operations and is set at a fixed multiple of the representation size of the state transition relation. Empirically, we
have found that the range between 4 to 6 times the size of
transition relation leads to a reasonably deep but not very
expensive sample. Note that the cutoffs are based on size
rather than time. In the case of computations where there
is hardly any blowup, a single sample may be enough to
complete the computation.
Hence, though time or space improvements in the basic
reachability calculations of some method M can improve solutions of various unbounded model checking problems, far
more attractive option appears the capability to dynamically
as well as suitably change the method being employed.
If any of the samples is able to determine whether the invariant passes or fails, then obviously the method immediately
terminates. Similarly, if the state sets of a forward and a
backward sample intersect, then the given invariant has been
shown to fail.
In the next section we discuss how to convert these observations into a simple but highly robust as well as efficient
approach. We will consider four different approaches, the
classical monolithic forward reachability, backward monolithic reachability, partitioned forward reachability and partitioned backward reachability. Then we will propose samplebased heuristics to predict which method is effective. In the
next section this approach is described in detail.
If the samples themselves do not finish the computation,
they are used to predict the most effective approach for the
rest of the computation. Firstly, the appropriate direction is
determined from the samples of symbolic forward and backward reachability. Intuitively the number of images completed within a threshold of BDD nodes gives a measure of
how effectively the reachability computation is proceeding.
Therefore, we use the number of images completed as measure for deciding the most effective method. If the difference
between the number of images computed in the two directions is small (+/- 1) then the algorithm cannot distinguish
the preferred method effectively. Then, we have the option
of using the default method (forward reachability) or we can
run the samples again with a larger threshold. If a direction cannot be determined after a few attempts, then the
forward direction can be chosen as the default. Our current
implementation does not repeat the samples.
4. PREDICTION USING SHORT SAMPLES
The first question that arises is which method out of many
should be selected and if multiple methods are being used,
then when should one switch between them. In this case
what happens to the computations already performed for
the “aborted” methods? If this computation is wasted, then
an approach relying on dynamic switching may often prove
very expensive.
Regarding the first question, we discuss in this section a
very simple strategy based on running each method until a
predefined cutoff threshold is exceeded. We then automatically choose the winning method according to certain predefined criteria. For the second question, regarding wastefulness of overlapping redundant computation, our approach
is to enhance the performance of the finally chosen reachability method from the computations performed by the other
1
SAT-based MC can be made complete but appears to be
less effective than BDD based methods for such cases.
After selecting the direction, the algorithm tries to predict
whether partitioned reachability is more effective than the
monolithic approach, where state sets are represented as single BDDs. This is done by considering the number of states
reached by samples run using both approaches in the selected direction. If the total number of reachable states explored by either method is significantly better than that of
the other method, then we have a winner. If this number is
comparable for both approaches, then a meaningful metric
to break the tie seems to be the rate of coverage defined as
number of states covered vs. corresponding time.
In this manner, the samples are used to pick a method that
is likely to be the most effective method.
4.2 Augmenting the state sets
It may seem that the repeated overlapping computations
performed by the various samples are wasted. To avoid
this, after deciding the effective method the algorithm augments the initial states and the invariant by adding the
states reached by all samples. In the forward direction, the
reachability analysis starts from the union of the reached
states using both forward samples. Likewise, the error set,
which is set of states that satisfy the negation of the invariant, is replaced by the union of the sets states reached
by the two backward samples. If the direction of computation is backward, then the error states are the start set and
the augmented initial states are the target. This allows the
computations performed by the samples to be reused.
A schematic of how states are traversed is shown in Figure 1.
The concentric circles represent the forward and backward
monolithic (non-partitioned) samples. The ovals represent
the partitioned forward and backward reachability samples.
The behavior of the algorithm is described below in different
cases.
Partitioned traces
I
E
Failure
Pure BFS traces
State space traversal by multiple traces
(I=Initial States, E=Error States)
Figure 1: samples in forward and backward directions with and without state space partitioning
True
E’
I’
I
E
Failing Properties
For failing invariant properties, the erroneous states are reachable from the initial states. Sometime the forward and backward samples intersect each other as shown in Figure 1. For
this case the algorithm halts and report the failing result.
Otherwise the algorithm runs the selected method till an
intersection with the reachable set of other direction is obtained. Hence, the invariant augmentation is useful for the
failing case.
(a) Augmenting Initial and Error Sets after traces...
Fixpt R
E’
I’
Passing Properties
The frontier augmentation can help improve the performance
of the method on passing properties also as shown in Figure 2. For a passing invariant, all forward reachable states
or all backward reachable states have to be explored to confirm that no violation is detected. This can be done by, for
example, a BFS as shown in fig. 2c. Suppose we augment
the set of initial states I by the states reached by different
methods. Now, the augmented initial set I ′ can have states
that are deeper than the states reached by performing forward reachability. Intuitively, if a significant number of new
states are thus added, then it can happen that the number
of steps required for reachability to converge using a BFS
from this set I ′ can be smaller as shown in Figure 2b or
the reachability itself may become more efficient. We have
observed this in many cases as described later.
In the next section, we describe our experiments and analyze
the results.
5. EXPERIMENTS
We compare the methodology proposed in this paper with
the forward and backward reachability approaches of VIS
and static partitioned reachability analysis. We compute
one sample each in forward and backward directions, using
(b) ... allows reachability to converge faster ...
Fixpt R
I
E
(c)... than Reachability without augmentation
Figure 2: In Fig (a), the circle represents the BFS
sample, the ellipses are the samples of partitioned
reachability. Figs. (b) and (c) have the same set R
of reachable states. Note that for the same set of
states, (b) converges faster than (c).
partitioned as well as non-partitioned data structures for
the state set in reachability. Our current package is not optimized with respect to partitioned exploration of state space.
For example, it doesn’t implement all the efficient heuristics
presented in [11]. It implements a very basic static POBDD
approach presented in [16]. However, we believe that current implementation is good enough to show that a good
prediction can be made in the early stage of reachability. It
is easy to choose between OBDDs and POBDDs by the samples - we only need to compare the number of states covered
in a particular direction between OBDDs vs. partitioned
approach.
We implement the sample-based reachability approach using VIS-2.0, which is a state-of-the-art public domain BDDbased formal verification package. We have chosen VIS for
its Verilog support and its powerful OBDD-package (i.e.
CUDD [17]). We found that lazy sift reordering method
works better for most cases. All the experiments use lazy sift
BDD reordering method.
All experiments were run on identical dual processor Xeon
machines. They were allowed to run for a maximum time of
one day, and the memory available to each run was bounded
by 500MB.
Benchmarks
For experiments on reachability and invariant checking, we
chose the public domain circuits from the VIS-Verilog [19]
benchmark suite. Since the VIS benchmark suite is very
large, for sake of brevity, results are omitted for the circuits
that takes less than 10 minutes in each of four methods described in the paper. We find that all the invariant checking
properties of VIS-Verilog benchmark are solved by at least
one of the four methods. In the following, we indicate property number i of circuit named ckt as ckt i.
5.1 Analysis of samples in Reachability
Table 1 shows the runtime for checking the invariants of the
VIS-verilog benchmark circuits for five methods. The entry ”T” and ”M” in the table represents a timeout limit of
1 day and memory out limit of 500MB. The four sections
of the table are the results of one program with only one
setting. The program is fully automatic and requires no
manual interventions. The last column of the table is the
results of our program with the heuristic described in this
paper. The First column shows the circuit names. The second column shows whether the invariant pass or fail. The
next two columns shows the results of partitioned forward
and backward reachability. The next two columns after the
above shows the results of standard Vis forward and backward reachability. We observe five main non-trivial results
from the table.
No Timeouts As can be seen from the table, the first four
methods have a lot of timeouts and memouts in their
results. However, there are no timeouts in the final
result.
Inv
Time in sec.
Res
Static Static Vis
Vis
Trace
:
Pobdd Pobdd Fwd Bwd Based
Pass Fwd Bwd
/
Fail
(a) Advantage due to intersection of Forward and Backward
vsa16a 7
F
2610 808
2146 458
77
vsaR 1
F
M
124
24558 56
54
(b) Advantage due to POBDD State Space Representation
am2901 1
F
T
67
T
431
68
ball 6
F
175
T
T
T
103
ball 7
F
22
T
3530 T
45
palu 1
F
1.0
684
714
4630 1.8
sp product 1
P
50
T
740
507
52
(c) Addition of Partitioned Traces Makes Subsequent
Unpartitioned Reachability Easier
FIFOs 1
P
M
M
2986 T
1973
blackjack 1
P
5750 T
2273 T
1234
blackjack 2
P
6268 T
20565 T
979
blackjack 4
P
5795 T
2259 T
1307
ns3 1
P
43569 T
16840 19166 5269
ns3 5
P
T
T
14696 T
6456
ns3 6
P
48721 M
28063 T
4938
ns3 7
P
M
T
22612 T
7220
(d) Robust Predictive Capability: Timeouts Avoided
am2910 1
F
660
5.3
T
2.0
5.8
b12 1
F
48
9528 48
2561 77
b12 2
F
T
T
T
8019 25535
b12abs 2
F
2977 449
163
536
446
blackjack 3
F
1054 T
3371 T
1337
blackjack 5
P
62752 T
2614 T
13259
crc 1
F
20459 1.5
T
0.9
1.5
eight 1
P
4.5
1194 1.1
173
5.8
eight 2
P
4.6
2466 1.1
344
6.2
mm product 1 P
600
T
49
352
154
ns3 2
P
M
8895 21602 16454 24903
ns3 3
P
T
85851 T
2050 4751
ns3 4
P
M
24477 24539 3770 6263
ns3 8
P
71494 T
6268 29196 50938
ns3 9
P
81048 3174 18247 479
9373
ns3 10
P
75011 2834 9518 604
12946
ns3 11
P
60490 10.9
51166 8.2
10.9
ns3 12
P
65219 27.3
49968 8.2
25.7
rotate32 1
F
53033 1.5
51078 0.7
1.5
s1269b 1
P
3351 1.3
12994 0.7
1.3
s1269b 5
P
3379 3.5
13677 0.6
3.5
soapLTL4 1
P
254
T
80.1
T
408
soap 1
P
176
T
45.6
T
181
soap 2
P
77.3
T
30.1
T
81.9
soap 3
P
47.8
T
46.4
T
80.9
spinner32 1
F
33356 8.3
43264 1.9
9.5
vsa16a 1
P
M
43.0
T
18.4
42.6
vsa16a 2
P
T
27.6
T
16.8
27.4
vsa16a 4
P
T
41.5
T
19.2
41.3
vsa16a 5
P
M
42.1
T
18.8
41.6
vsa16a 6
F
2499 60.5
1387 25.5
61.0
vsa16a 8
F
2498 61.7
1387 27.4
59.8
ckt inv
“T” is Timeout of 86,400 s; “M” is Memory out of 500 MB.
Table 1: Invariant Checking on ALL Vis-Verilog
benchmarks that take more than 10 minutes in at
least one of the methods.
Benefit of Intersection There are some failing circuits where
the algorithm benefit due to the intersection of forward
and backward reachability. This result can be found
in Table 1 (a). In this case the final results are better
than the first four methods.
Advantage of Partitioning These are the cases where a
partitioned representation of the state space helps significantly towards the invariant checking. Such cases
can be found in Table 1 (b). Note that for such cases
the final result is very close to or better than the best
partitioning approach. We explain the analysis of an
example later in this section.
Improved Unpartitioned Reachability These are cases
where the state space augmentation from the samples
significantly help the unpartitioned reachability, as discussed in the section 4.2. This result can be found in
Table 1 (c). Again, note that the final result is considerably better than the first four methods.
Robust Predictive Capability These are cases where the
program is able to predict one of the best methods and
finish the invariant checking, as shown in Table 1 (d).
Except for four cases the final result is always close to
the best or the next best methods.
We now analyze the results obtained in some detail and
discuss multiple scenarios in which the samples are found to
benefit reachability, and give some examples for each. We
organize the results into four different categories as shown
in the Table 1.
5.1.1
Intersection of Forward and Backward
As an example consider vsa16a 7. The partitioned backward
reachability sample requires 62 seconds. The partitioned forward reachability in 14 seconds reaches states which upon
intersection with backward frontier yields an error state. Total time required, including building the transition relation,
is 77 seconds, a significant gain over all other methods.
5.1.2
The advantage of partitioning
We analyze ball 6 in this section. This circuit has an error
at more than 2000 depth. Therefore, unpartitioned methods
find the reachability computation very hard. Only static
forward POBDD method is able to find error in this case.
In our method the backward partitioned sample requires 40
seconds although it cannot locate the error, yet the states it
provides to the forward partitioned sample are very helpful
as intersecting the two samples locates the error faster than
just the static forward partitioned reachability.
5.1.3
Partitioned sample improves Unpartitioned
Reachability
Note the discussion earlier on augmentation of state sets
from all samples. This enables reachability begun on the
augmented set of initial states to reach much deeper and
faster than otherwise possible. We discuss how augmentation helps in blackjack 2 in this section.
In blackjack 2 the sample based method decides to run unpartitioned forward reachability after the samples are finished. After augmenting the forward monolithic sample with
the partitioned sample, the time of full forward reachability is drastically reduced from more than 20,000 seconds to
about 979 seconds.
5.2
Robust Combination of multiple methods
Many of the circuits time-out on one or other direction of
reachability and some abort even when using partitioning.
Interestingly, we find that the circuits aborted by backward
are finished by forward and vice-versa in many cases. Note,
the samples enable one to automatically select the appropriate method and the performance of the sample-centric
approach is very robust and always significantly better than
the worst. Such cases are shown in Table 1 (d). The table shows that the completely automatic sample-based approach is able to pick the right method from a set of different
methods by using short samples of their initial reachability
computation.
In a few cases, the wrong method may be picked, but even
so, the sample-based approach is able to complete, due to
the information available from the other samples.
6.
CONCLUSION
In this paper, we presented an automatic self-tuning samplebased approach to address the inconsistency in performance
of the BDD based reachability techniques. Our approach,
without any manual intervention, combines the advantages
of reachability analysis in both forward and backward directions, using both unpartitioned as well as partitioned
state space representations. This approach efficiently and
automatically completes invariant checking on all circuits
of VIS-Verilog benchmark. Further the sample-based approach is fully modular and can easily be enhanced to include other verification approaches, for e.g., satisfiability
based approaches like bounded model checking.
In general, reachability is an intractable problems and our
sample-centric method is not a panacea. However, in our
experience it has been the most stable reachability approach
we know so far. Due to the augmentation of image-frontier
and invariant sets by all the other samples, it is able to
integrate the benefits of multiple methods.
7.
REFERENCES
[1] Mohammad Awedh and Fabio Somenzi. Increasing the
robustness of bounded model checking by computing
lower bounds on the reachable states. In Hu and
Martin [10], pages 230–244.
[2] Roderick Bloem, Kavita Ravi, and Fabio Somenzi.
Symbolic guided search for ctl model checking. In
DAC, 2000.
[3] R. Bryant. Graph-based Algorithms for Boolean
Function Manipulation. IEEE Transactions on
Computers, C-35:677–691, 1986.
[4] Gianpiero Cabodi, P. Camurati, and Stefano Quer.
Symbolic exploration of large circuits with enhanced
forward/backward traversals. In EuroDAC, 1994.
[5] Gianpiero Cabodi, Sergio Nocco, and Stefano Quer.
Mixing forward and backward traversals in
guided-prioritized bdd-based verification. In CAV,
2002.
[6] P. P. Chauhan. et. al., Non-linear quantification
scheduling in image computation. In ICCAD, 2001.
[7] E.M. Clarke and E.A. Emerson. Design and synthesis
of synchronization skeletons using branching time
temporal logic. volume 131 of LNCS.
[8] O. Coudert, C. Berthet, and J. C. Madre. Verification
of sequential machines based on symbolic execution.
In Proc. of the Workshop on Automatic Verification
Methods for Finite State Systems, 1989.
[9] Shankar G. Govindaraju and David L. Dill.
Verification by approx. forward and backward
reachability. In ICCAD, 1998.
[10] Alan J. Hu and Andrew K. Martin, editors. Formal
Methods in Computer-Aided Design, 5th International
Confrence, FMCAD 2004, Austin, Texas, USA,
November 15-17, 2004, Proceedings, volume 3312 of
Lecture Notes in Computer Science. Springer, 2004.
[11] S. Iyer, D. Sahoo, C. Stangier, A. Narayan, and
J. Jain. Improved symbolic Verification Using
Partitioning Techniques. In Proc. of CHARME 2003,
volume 2860 of Lecture Notes in Computer Science,
2003.
[12] J. Jain. et. al., Functional Partitioning for Verification
and Related Problems. Brown/MIT VLSI Conference,
1992.
[13] Sharon Keidar and Yoav Rodeh. Searching for
counter-examples adaptively. In Joseph M. Morris,
Benjamin Aziz, and Fr´ed´eric Oehl, editors, IWFM,
Workshops in Computing. BCS, 2003.
[14] Kenneth L. McMillan. Symbolic Model Checking.
Kluwer Academic Publishers, 1993.
[15] In-Ho Moon. et. al., To split or to conjoin: the
question in image computation. In DAC, 2000.
[16] A. Narayan. et. al., Reachability Analysis Using
Partitioned-ROBDDs. In ICCAD, pages 388–393,
1997.
[17] Fabio Somenzi. CUDD: CU Decision Diagram Package
ftp://vlsi.colorado.edu/pub, 2001.
[18] Christian Stangier and Thomas Sidle. Invariant
checking combining forward and backward traversal.
In Hu and Martin [10], pages 414–429.
[19] VIS. Verilog Benchmarks http://vlsi.colorado.edu/˜
vis/.
[20] Chao Wang, Gary D. Hachtel, and Fabio Somenzi.
The compositional far side of image computation. In
ICCAD, 2003.