Predictive Reachability Using a Sample-based Approach Debashis Sahoo , Jawahar Jain
Transcription
Predictive Reachability Using a Sample-based Approach Debashis Sahoo , Jawahar Jain
Predictive Reachability Using a Sample-based Approach ∗ † ‡ § Debashis Sahoo , Jawahar Jain , Subramanian Iyer , David L. Dill , E. Allen Emerson ABSTRACT Unbounded model checking of invariant properties is typically solved using symbolic reachability. However, BDD based reachability methods suffer from lack of robustness in performance, whereby it is difficult to estimate which one should be adopted for a given problem. We present a novel approach that examines a few short samples of the computation leading to an automatic, robust and modular way of reconciling the various methods for reachability. Our approach is able to intelligently integrate diverse reachability techniques such that each method can possibly get enhanced in efficiency. The method is in many cases orders of magnitude more efficient and it finishes all the invariant checking properties in VIS-Verilog benchmarks. 1. INTRODUCTION A common approach to formal verification of hardware is checking invariant properties of the design. Unbounded model checking [7, 14] of invariants is usually performed by doing a reachability analysis. This approach finds all the states reachable from the initial states and checks if the invariant is satisfied in these reachable states. These approaches suffer from the so-called state explosion problem for representing large state sets. Reachability analysis is typically done using Reduced Ordered Binary Decision Diagrams (OBDDs) [3, 8]. A more compact representation of boolean functions, Partitioned-OBDDs (POBDDs) [12] leads to further improvement in reachability analysis [16]. BDD based reachability methods suffer from wild inconsistency in performance, whereby it is difficult to estimate which method should be adopted for a given problem. We analyze four different ways of doing reachability analysis, forward or backward reachability using partitioned or unpartitioned BDDs for state set representation. It is often the case that though one method can compute reachability easily, the others find it very difficult. In this paper, we ∗[email protected]; Dept. Electrical Engineering, Stanford University, CA 94305, USA †[email protected]; Fujitsu Labs of America, Inc., Sunnyvale, CA, USA ‡[email protected]; Dept. Computer Sciences, University of Texas at Austin, TX 78712, USA §Stanford University ¶The University of Texas at Austin ¶ present a completely automatic strategy to determine the more effective method by running a few short samples of the above methods. These samples provide a short initial sampling of the performance of the various methods by observing the initial computations until a predefined cutoff in BDD size is reached. This approach determines the best direction for reachability analysis as well as the effectiveness of performing state space partitioning. Note that each method has its own domain of applicability. We have designed our approach so that it can benefit from the strengths of each method. The above intuitive observations are strongly validated empirically as well. The techniques result in a very robust method which often has dramatic gain in verification time over other approaches. We efficiently and automatically finish all the invariant checking properties of the VIS-Verilog benchmark suite. Importantly, at the end of the independently run samples, we allow all their computation to be shared. This can significantly enhance the performance of each technique. In many cases the reduction in reachability time for standard OBDD methods can be dramatic when its reached state set is augmented using information from POBDD samples. This approach is modular and other BDD/SAT-based methods can be easily incorporated as part of the samples-centric analysis, and ultimately as part of our framework. The inherent stability of our method and its reduced sensitivity to parameters, a well known bˆete noire of BDD based methods, leads us to believe that such an integration was sorely needed. 1.1 Related Work In the field of BDD based falsification, the large invariant checking problems are addressed using approximations, partitioning, guided searches and mixing forward and backward reachability. An approximation method using overlapping projections to symbolic backward reachability is proposed in [9]. The advantage of this method is that it is very fast; but it doesn’t give an exact solution. A guided search method using hints is proposed in [2]. This method requires manual intervention; since its efficiency requires good hints from the user. Several methods to mix forward and backward approximate and exact traversals, guided search are proposed in [4, 5]. The method presented in [5] uses partitioning of the state space and prioritizes the partitions based on “their estimated distance from the target set of states.” It uses approximate forward reachability to improve the exact backward reachability for invariant checking. However, it doesn’t take advantage of the cases where exact forward reachability is very effective. If the exact backward reachability becomes very expensive, then such an approach can become quite inefficient. There are numerous other reachability methods that have been proposed in literature, for e.g. [20, 6, 4, 5, 18, 1, 13, 15]. The method in [18] explores both forward and backward reachable states simultaneously using interleaving approach. The method in [1] connects the forward and backward reachable states using SAT based approaches. 2. PRELIMINARIES Let B denote the set {0, 1}. Let M = hS, Σ, δ, S0 , λi be a non-deterministic finite state machine, where S ⊆ B n is the state space, Σ ⊆ B m is the input space, δ : S × Σ → 2S is next state function, S0 is the set of initial states and λ : S → B k is the output function. The number of state elements, number of inputs and number of outputs of the FSM is n, m, k respectively. The transition relation T (s, e, s′ ) is defined as a function from S × Σ × S ′ to B, where S ′ ⊆ B n and T (s, e, s′ ) = 1 iff s′ ∈ δ(s, e). The relation Q transition ′ (s is often represented by T (s, e, s′ ) = n = f (s, e)) , in i i=0 i which fi (s, e) is the function for ith state element. The next set of states N (s′ ) reachable from the given states R(s) is computed as N (s′ ) = ∃s, e R(s) ∧ T (s, e, s′ ). This step is known as Forward Image Computation. The Backward Image Computation is referred to as the computation of all the states R(s) whose next states belong to the given set of states N (s′ ), i.e. R(s) = ∃s′ , e N (s′ ) ∧ T (s, e, s′ ). In BDDbased verification the transition relation T (s, e, s′ ), the state functions R(s) and N (s′ ) are represented by BDDs. The image computation is one of the major bottlenecks in verification. Often the transition relation becomes so large that it may be impossible to do the image computation. Instead it is represented as a partitioned transition relation, i.e a set of BDDs whose conjunctions is equal to the transition relation. These conjunctions are delayed till the image computation. A technique that often reduces the intermediate BDDs, called early quantification is applied during the image computation. Forward reachability is done by repeated application of forward image computation to the initial states until a fixed point is reached. The given invariant property, P (s), is checked during the reachability analysis. The invariant passes if the total reachable states R(s) ⊆ P (s) and fails otherwise. Backward reachability is done by repeated application of backward image computation from the set S − P (s). The invariant passes if the total backward reachable set of states doesn’t include any initial states and fails otherwise. During reachability analysis the BDD that represents the reachable state set becomes so large that it may be impossible to do image computation. The method of POBDDbased forward reachability [16] addresses this problem by using POBDDs [12] for disjunctive state space partitioning. A similar approach can be adopted for doing POBDD-based backward reachability. Note that this is in addition to the conjunctive partitioning of the transition relation discussed earlier. In the rest of this paper, partitioning will refer to such state space partitioning. 3. MOTIVATION FOR PREDICTIVE REACHABILITY The motivation for our approach is as follows. Reachability is well known to be an exceptionally difficult problem for a large number of practical cases. Given any reachability algorithm, there appear to be some practical cases which are ill-suited to it. Further, we believe that the domain of effectiveness for different reachability methods are often disjoint. To understand this in more detail, consider the following characteristics of forward, backward, and partitioned state space traversal. Forward Traversal: The forward traversal explores the state space from a set of initial states. It uses the invariant property for checking whether the new states explored satisfy it. Forward traversal seems more effective usually if the reachable states have a very structured representation or if the state space is sparse. The forward traversal is not benefited by a simple or complex property. It will find the total reachable space if there is a passing property. Backward Traversal: The backward reachability is more dependent on the property because it starts exploring from the part of state space that doesn’t satisfy the property. So it explores the relevant part of the state space that is needed for the proof. On the other hand many of these states are not reachable from the initial states. Backward is also believed to be very effective for inductive invariants. If a system has too many unreachable states – as is often the case – and it is very hard to represent it by a BDD, then backward reachability is not effective. Partitioned Traversal: The partitioned forward and backward reachability can explore deeper states and large part of the state space quickly, if it finds a good partition of the circuit. If there is no good partition of the circuit, then partitioned reachability would be worse than the corresponding monolithic reachability due to the overhead involved in partitioning. Now, consider a reachability method M. The invariant checking using M can be categorized using three different axes: (a) Property passes or fails; (b) Reachability is shallow or deep; and (c) Involved computations are easy or hard. The easy cases do not really pose a problem, and are not the focus of this research. The improvements for the remaining problems, i.e. hard cases is the focus of our paper. Before we discuss the same, let us informally consider the notion of hard reachability problems. A reachability problem is typically hard when it requires very large BDDs or very large number of steps. However, we have noted above that different approaches may have a very complementary nature. Thus, a problem may generate BDD blowup or deep reachability calculations in forward reachability while for the backward reachability it may generate very small BDDs or very small number of image com- putations before a fixed-point is reached. Due to this very real possibility of mapping a very hard reachability problem in method M, to a much simpler instance in an different reachability method, it may not be wise to stick to the same method when it continually proves to be very expensive. More specifically, given method M, if we can somehow monitor the depth and the blowup being generated in a particular reachability instance, then as soon as we can determine that the given execution of M is showing potential to prove difficult, we should explore switching to another orthogonal reachability method. By using a complementary method, a reachability instance with BDD blowup may often get mapped to another which requires only small-BDDs. Similarly a deep case may be mapped to a a shallow instance of reachability. Thus, even though there may be a BDD blowup, it may remain relatively more tractable due to a smaller number of BDD computations. Notice, that since deep cases in both failing and passing cases are problems for traditional SAT-BMC so this can be a highly attractive avenue for improving the state of the art in unbounded model checking of formulas.1 Passing cases where the proof requires very deep traversal for every reachability method remain a problem to all non-inductive approaches including ours. “aborted” methods. 4.1 Selection from various methods We use a sample-based algorithm to predict the effective method. A sample for an algorithm is a short initial computation using that algorithm. The algorithm runs one sample each of the backward and forward partitioned reachability followed by forward and backward symbolic monolithic (non-partitioned) reachability. This order is chosen because we find backward reachability and partitioned reachability more suitable for finding bugs. Therefore, if there is a ”easy” bug, then it can be found during the sampling process. The samples are run until a predefined size cutoff is exceeded. This cutoff is small enough to allow efficient performance of symbolic operations and is set at a fixed multiple of the representation size of the state transition relation. Empirically, we have found that the range between 4 to 6 times the size of transition relation leads to a reasonably deep but not very expensive sample. Note that the cutoffs are based on size rather than time. In the case of computations where there is hardly any blowup, a single sample may be enough to complete the computation. Hence, though time or space improvements in the basic reachability calculations of some method M can improve solutions of various unbounded model checking problems, far more attractive option appears the capability to dynamically as well as suitably change the method being employed. If any of the samples is able to determine whether the invariant passes or fails, then obviously the method immediately terminates. Similarly, if the state sets of a forward and a backward sample intersect, then the given invariant has been shown to fail. In the next section we discuss how to convert these observations into a simple but highly robust as well as efficient approach. We will consider four different approaches, the classical monolithic forward reachability, backward monolithic reachability, partitioned forward reachability and partitioned backward reachability. Then we will propose samplebased heuristics to predict which method is effective. In the next section this approach is described in detail. If the samples themselves do not finish the computation, they are used to predict the most effective approach for the rest of the computation. Firstly, the appropriate direction is determined from the samples of symbolic forward and backward reachability. Intuitively the number of images completed within a threshold of BDD nodes gives a measure of how effectively the reachability computation is proceeding. Therefore, we use the number of images completed as measure for deciding the most effective method. If the difference between the number of images computed in the two directions is small (+/- 1) then the algorithm cannot distinguish the preferred method effectively. Then, we have the option of using the default method (forward reachability) or we can run the samples again with a larger threshold. If a direction cannot be determined after a few attempts, then the forward direction can be chosen as the default. Our current implementation does not repeat the samples. 4. PREDICTION USING SHORT SAMPLES The first question that arises is which method out of many should be selected and if multiple methods are being used, then when should one switch between them. In this case what happens to the computations already performed for the “aborted” methods? If this computation is wasted, then an approach relying on dynamic switching may often prove very expensive. Regarding the first question, we discuss in this section a very simple strategy based on running each method until a predefined cutoff threshold is exceeded. We then automatically choose the winning method according to certain predefined criteria. For the second question, regarding wastefulness of overlapping redundant computation, our approach is to enhance the performance of the finally chosen reachability method from the computations performed by the other 1 SAT-based MC can be made complete but appears to be less effective than BDD based methods for such cases. After selecting the direction, the algorithm tries to predict whether partitioned reachability is more effective than the monolithic approach, where state sets are represented as single BDDs. This is done by considering the number of states reached by samples run using both approaches in the selected direction. If the total number of reachable states explored by either method is significantly better than that of the other method, then we have a winner. If this number is comparable for both approaches, then a meaningful metric to break the tie seems to be the rate of coverage defined as number of states covered vs. corresponding time. In this manner, the samples are used to pick a method that is likely to be the most effective method. 4.2 Augmenting the state sets It may seem that the repeated overlapping computations performed by the various samples are wasted. To avoid this, after deciding the effective method the algorithm augments the initial states and the invariant by adding the states reached by all samples. In the forward direction, the reachability analysis starts from the union of the reached states using both forward samples. Likewise, the error set, which is set of states that satisfy the negation of the invariant, is replaced by the union of the sets states reached by the two backward samples. If the direction of computation is backward, then the error states are the start set and the augmented initial states are the target. This allows the computations performed by the samples to be reused. A schematic of how states are traversed is shown in Figure 1. The concentric circles represent the forward and backward monolithic (non-partitioned) samples. The ovals represent the partitioned forward and backward reachability samples. The behavior of the algorithm is described below in different cases. Partitioned traces I E Failure Pure BFS traces State space traversal by multiple traces (I=Initial States, E=Error States) Figure 1: samples in forward and backward directions with and without state space partitioning True E’ I’ I E Failing Properties For failing invariant properties, the erroneous states are reachable from the initial states. Sometime the forward and backward samples intersect each other as shown in Figure 1. For this case the algorithm halts and report the failing result. Otherwise the algorithm runs the selected method till an intersection with the reachable set of other direction is obtained. Hence, the invariant augmentation is useful for the failing case. (a) Augmenting Initial and Error Sets after traces... Fixpt R E’ I’ Passing Properties The frontier augmentation can help improve the performance of the method on passing properties also as shown in Figure 2. For a passing invariant, all forward reachable states or all backward reachable states have to be explored to confirm that no violation is detected. This can be done by, for example, a BFS as shown in fig. 2c. Suppose we augment the set of initial states I by the states reached by different methods. Now, the augmented initial set I ′ can have states that are deeper than the states reached by performing forward reachability. Intuitively, if a significant number of new states are thus added, then it can happen that the number of steps required for reachability to converge using a BFS from this set I ′ can be smaller as shown in Figure 2b or the reachability itself may become more efficient. We have observed this in many cases as described later. In the next section, we describe our experiments and analyze the results. 5. EXPERIMENTS We compare the methodology proposed in this paper with the forward and backward reachability approaches of VIS and static partitioned reachability analysis. We compute one sample each in forward and backward directions, using (b) ... allows reachability to converge faster ... Fixpt R I E (c)... than Reachability without augmentation Figure 2: In Fig (a), the circle represents the BFS sample, the ellipses are the samples of partitioned reachability. Figs. (b) and (c) have the same set R of reachable states. Note that for the same set of states, (b) converges faster than (c). partitioned as well as non-partitioned data structures for the state set in reachability. Our current package is not optimized with respect to partitioned exploration of state space. For example, it doesn’t implement all the efficient heuristics presented in [11]. It implements a very basic static POBDD approach presented in [16]. However, we believe that current implementation is good enough to show that a good prediction can be made in the early stage of reachability. It is easy to choose between OBDDs and POBDDs by the samples - we only need to compare the number of states covered in a particular direction between OBDDs vs. partitioned approach. We implement the sample-based reachability approach using VIS-2.0, which is a state-of-the-art public domain BDDbased formal verification package. We have chosen VIS for its Verilog support and its powerful OBDD-package (i.e. CUDD [17]). We found that lazy sift reordering method works better for most cases. All the experiments use lazy sift BDD reordering method. All experiments were run on identical dual processor Xeon machines. They were allowed to run for a maximum time of one day, and the memory available to each run was bounded by 500MB. Benchmarks For experiments on reachability and invariant checking, we chose the public domain circuits from the VIS-Verilog [19] benchmark suite. Since the VIS benchmark suite is very large, for sake of brevity, results are omitted for the circuits that takes less than 10 minutes in each of four methods described in the paper. We find that all the invariant checking properties of VIS-Verilog benchmark are solved by at least one of the four methods. In the following, we indicate property number i of circuit named ckt as ckt i. 5.1 Analysis of samples in Reachability Table 1 shows the runtime for checking the invariants of the VIS-verilog benchmark circuits for five methods. The entry ”T” and ”M” in the table represents a timeout limit of 1 day and memory out limit of 500MB. The four sections of the table are the results of one program with only one setting. The program is fully automatic and requires no manual interventions. The last column of the table is the results of our program with the heuristic described in this paper. The First column shows the circuit names. The second column shows whether the invariant pass or fail. The next two columns shows the results of partitioned forward and backward reachability. The next two columns after the above shows the results of standard Vis forward and backward reachability. We observe five main non-trivial results from the table. No Timeouts As can be seen from the table, the first four methods have a lot of timeouts and memouts in their results. However, there are no timeouts in the final result. Inv Time in sec. Res Static Static Vis Vis Trace : Pobdd Pobdd Fwd Bwd Based Pass Fwd Bwd / Fail (a) Advantage due to intersection of Forward and Backward vsa16a 7 F 2610 808 2146 458 77 vsaR 1 F M 124 24558 56 54 (b) Advantage due to POBDD State Space Representation am2901 1 F T 67 T 431 68 ball 6 F 175 T T T 103 ball 7 F 22 T 3530 T 45 palu 1 F 1.0 684 714 4630 1.8 sp product 1 P 50 T 740 507 52 (c) Addition of Partitioned Traces Makes Subsequent Unpartitioned Reachability Easier FIFOs 1 P M M 2986 T 1973 blackjack 1 P 5750 T 2273 T 1234 blackjack 2 P 6268 T 20565 T 979 blackjack 4 P 5795 T 2259 T 1307 ns3 1 P 43569 T 16840 19166 5269 ns3 5 P T T 14696 T 6456 ns3 6 P 48721 M 28063 T 4938 ns3 7 P M T 22612 T 7220 (d) Robust Predictive Capability: Timeouts Avoided am2910 1 F 660 5.3 T 2.0 5.8 b12 1 F 48 9528 48 2561 77 b12 2 F T T T 8019 25535 b12abs 2 F 2977 449 163 536 446 blackjack 3 F 1054 T 3371 T 1337 blackjack 5 P 62752 T 2614 T 13259 crc 1 F 20459 1.5 T 0.9 1.5 eight 1 P 4.5 1194 1.1 173 5.8 eight 2 P 4.6 2466 1.1 344 6.2 mm product 1 P 600 T 49 352 154 ns3 2 P M 8895 21602 16454 24903 ns3 3 P T 85851 T 2050 4751 ns3 4 P M 24477 24539 3770 6263 ns3 8 P 71494 T 6268 29196 50938 ns3 9 P 81048 3174 18247 479 9373 ns3 10 P 75011 2834 9518 604 12946 ns3 11 P 60490 10.9 51166 8.2 10.9 ns3 12 P 65219 27.3 49968 8.2 25.7 rotate32 1 F 53033 1.5 51078 0.7 1.5 s1269b 1 P 3351 1.3 12994 0.7 1.3 s1269b 5 P 3379 3.5 13677 0.6 3.5 soapLTL4 1 P 254 T 80.1 T 408 soap 1 P 176 T 45.6 T 181 soap 2 P 77.3 T 30.1 T 81.9 soap 3 P 47.8 T 46.4 T 80.9 spinner32 1 F 33356 8.3 43264 1.9 9.5 vsa16a 1 P M 43.0 T 18.4 42.6 vsa16a 2 P T 27.6 T 16.8 27.4 vsa16a 4 P T 41.5 T 19.2 41.3 vsa16a 5 P M 42.1 T 18.8 41.6 vsa16a 6 F 2499 60.5 1387 25.5 61.0 vsa16a 8 F 2498 61.7 1387 27.4 59.8 ckt inv “T” is Timeout of 86,400 s; “M” is Memory out of 500 MB. Table 1: Invariant Checking on ALL Vis-Verilog benchmarks that take more than 10 minutes in at least one of the methods. Benefit of Intersection There are some failing circuits where the algorithm benefit due to the intersection of forward and backward reachability. This result can be found in Table 1 (a). In this case the final results are better than the first four methods. Advantage of Partitioning These are the cases where a partitioned representation of the state space helps significantly towards the invariant checking. Such cases can be found in Table 1 (b). Note that for such cases the final result is very close to or better than the best partitioning approach. We explain the analysis of an example later in this section. Improved Unpartitioned Reachability These are cases where the state space augmentation from the samples significantly help the unpartitioned reachability, as discussed in the section 4.2. This result can be found in Table 1 (c). Again, note that the final result is considerably better than the first four methods. Robust Predictive Capability These are cases where the program is able to predict one of the best methods and finish the invariant checking, as shown in Table 1 (d). Except for four cases the final result is always close to the best or the next best methods. We now analyze the results obtained in some detail and discuss multiple scenarios in which the samples are found to benefit reachability, and give some examples for each. We organize the results into four different categories as shown in the Table 1. 5.1.1 Intersection of Forward and Backward As an example consider vsa16a 7. The partitioned backward reachability sample requires 62 seconds. The partitioned forward reachability in 14 seconds reaches states which upon intersection with backward frontier yields an error state. Total time required, including building the transition relation, is 77 seconds, a significant gain over all other methods. 5.1.2 The advantage of partitioning We analyze ball 6 in this section. This circuit has an error at more than 2000 depth. Therefore, unpartitioned methods find the reachability computation very hard. Only static forward POBDD method is able to find error in this case. In our method the backward partitioned sample requires 40 seconds although it cannot locate the error, yet the states it provides to the forward partitioned sample are very helpful as intersecting the two samples locates the error faster than just the static forward partitioned reachability. 5.1.3 Partitioned sample improves Unpartitioned Reachability Note the discussion earlier on augmentation of state sets from all samples. This enables reachability begun on the augmented set of initial states to reach much deeper and faster than otherwise possible. We discuss how augmentation helps in blackjack 2 in this section. In blackjack 2 the sample based method decides to run unpartitioned forward reachability after the samples are finished. After augmenting the forward monolithic sample with the partitioned sample, the time of full forward reachability is drastically reduced from more than 20,000 seconds to about 979 seconds. 5.2 Robust Combination of multiple methods Many of the circuits time-out on one or other direction of reachability and some abort even when using partitioning. Interestingly, we find that the circuits aborted by backward are finished by forward and vice-versa in many cases. Note, the samples enable one to automatically select the appropriate method and the performance of the sample-centric approach is very robust and always significantly better than the worst. Such cases are shown in Table 1 (d). The table shows that the completely automatic sample-based approach is able to pick the right method from a set of different methods by using short samples of their initial reachability computation. In a few cases, the wrong method may be picked, but even so, the sample-based approach is able to complete, due to the information available from the other samples. 6. CONCLUSION In this paper, we presented an automatic self-tuning samplebased approach to address the inconsistency in performance of the BDD based reachability techniques. Our approach, without any manual intervention, combines the advantages of reachability analysis in both forward and backward directions, using both unpartitioned as well as partitioned state space representations. This approach efficiently and automatically completes invariant checking on all circuits of VIS-Verilog benchmark. Further the sample-based approach is fully modular and can easily be enhanced to include other verification approaches, for e.g., satisfiability based approaches like bounded model checking. In general, reachability is an intractable problems and our sample-centric method is not a panacea. However, in our experience it has been the most stable reachability approach we know so far. Due to the augmentation of image-frontier and invariant sets by all the other samples, it is able to integrate the benefits of multiple methods. 7. REFERENCES [1] Mohammad Awedh and Fabio Somenzi. Increasing the robustness of bounded model checking by computing lower bounds on the reachable states. In Hu and Martin [10], pages 230–244. [2] Roderick Bloem, Kavita Ravi, and Fabio Somenzi. Symbolic guided search for ctl model checking. In DAC, 2000. [3] R. Bryant. Graph-based Algorithms for Boolean Function Manipulation. IEEE Transactions on Computers, C-35:677–691, 1986. [4] Gianpiero Cabodi, P. Camurati, and Stefano Quer. Symbolic exploration of large circuits with enhanced forward/backward traversals. In EuroDAC, 1994. [5] Gianpiero Cabodi, Sergio Nocco, and Stefano Quer. Mixing forward and backward traversals in guided-prioritized bdd-based verification. In CAV, 2002. [6] P. P. Chauhan. et. al., Non-linear quantification scheduling in image computation. In ICCAD, 2001. [7] E.M. Clarke and E.A. Emerson. Design and synthesis of synchronization skeletons using branching time temporal logic. volume 131 of LNCS. [8] O. Coudert, C. Berthet, and J. C. Madre. Verification of sequential machines based on symbolic execution. In Proc. of the Workshop on Automatic Verification Methods for Finite State Systems, 1989. [9] Shankar G. Govindaraju and David L. Dill. Verification by approx. forward and backward reachability. In ICCAD, 1998. [10] Alan J. Hu and Andrew K. Martin, editors. Formal Methods in Computer-Aided Design, 5th International Confrence, FMCAD 2004, Austin, Texas, USA, November 15-17, 2004, Proceedings, volume 3312 of Lecture Notes in Computer Science. Springer, 2004. [11] S. Iyer, D. Sahoo, C. Stangier, A. Narayan, and J. Jain. Improved symbolic Verification Using Partitioning Techniques. In Proc. of CHARME 2003, volume 2860 of Lecture Notes in Computer Science, 2003. [12] J. Jain. et. al., Functional Partitioning for Verification and Related Problems. Brown/MIT VLSI Conference, 1992. [13] Sharon Keidar and Yoav Rodeh. Searching for counter-examples adaptively. In Joseph M. Morris, Benjamin Aziz, and Fr´ed´eric Oehl, editors, IWFM, Workshops in Computing. BCS, 2003. [14] Kenneth L. McMillan. Symbolic Model Checking. Kluwer Academic Publishers, 1993. [15] In-Ho Moon. et. al., To split or to conjoin: the question in image computation. In DAC, 2000. [16] A. Narayan. et. al., Reachability Analysis Using Partitioned-ROBDDs. In ICCAD, pages 388–393, 1997. [17] Fabio Somenzi. CUDD: CU Decision Diagram Package ftp://vlsi.colorado.edu/pub, 2001. [18] Christian Stangier and Thomas Sidle. Invariant checking combining forward and backward traversal. In Hu and Martin [10], pages 414–429. [19] VIS. Verilog Benchmarks http://vlsi.colorado.edu/˜ vis/. [20] Chao Wang, Gary D. Hachtel, and Fabio Somenzi. The compositional far side of image computation. In ICCAD, 2003.