Trading-off SAT search and Variable Quantifications
for effective Unbounded Model Checking
G. Cabodi P. Camurati L. Garcia
M. Murciano S. Nocco S. Quer
Politecnico di Torino
Torino, Italy
Outline
• Background
• Motivations
• Core Contributions: A (Divide), B (& Conquer), C (Integrated Approach: Bwd + ITP)
• Experimental Results
• Conclusions
• Future Works
Background: UMC as a Reachability Problem
[Figure: initial states, buggy states and a counterexample trace linking them]
• Rfwd: states reached from the initial states (fix-point)
• Rbwd: states that can reach the buggy states (fix-point)
Background: SAT based UMC
• k-induction [Sheeran2000]
• All-solution SAT [McMillan2002, Kang2003, Ganai2004]
• Circuit based quantification [Williams2000, Abdulla2000]
• Abstraction & Refinement: Localization reduction [Kurshan1994], Predicate abstraction [Clarke2003, Jain2004]
• Craig Interpolation [Craig1957, McMillan2003]
Interpolant [Craig1957]
Given A ∧ B = 0 (i.e. A ∧ B is UNSAT), A' = ITP (A, B) is an interpolant if:
• A → A'
• A' ∧ B = 0
• A' refers only to the common variables of A and B
A' can be derived in linear time from the refutation proof of A ∧ B [Pudlak1997, Krajicek1997]:
[Figure: resolution graph built from the CNF clauses of A and B down to the null clause]
• The interpolant is an AND-OR circuit with one gate for each node of the resolution graph
• The gate at the null clause gives A' = ITP (A, B)
Interpolant [McMillan2003]
Interpolant as Image Operator: over-approximation + variable quantification.
Works whenever a representation of the backward reachable space is given:
• A = From ∧ T (forward)
• B = paths to failure states (backward)
• A' = over-approximated image (Img+)
[Figure: From(V) through T(V, PI, V') to To(V'), with To+ containing To]
To+(V') = Img+(From, T) = Approx[∃(V, PI) From(V) ∧ T(V, PI, V')]
Img+ is called adequate w.r.t. B when: if To is outside B, then To+ is outside B as well.
To+ = ITP (From ∧ T, B)
Img+ - Adequate
Forward approximate reachable states computed by an adequate Img+ do not intersect the backward reachable states:
[Figure: I, Ri, Img (Ri, T) on the forward side; Rbwd, B on the backward side]
Img+Adq (Ri, T, Rbwd)
Img+ - k-Adequate
When Rbwd is not known, it is replaced by a backward circuit unrolling of increasing depth k (B≤k, i.e. Rk,bwd):
Img+Adq (Ri, T, Rk,bwd)
Interpolant Model Checking
do
    Cone = CircuitUnroll (B, T, k)
    res = FiniteRun (I, T, Cone)
    k = k + 1
while (res = undecided)

FiniteRun (I, T, Cone)
    if (SAT (I ∧ T ∧ Cone)) return (reachable)
    R = I
    while (true)
        Img+ = Img+Adq (T, R, Cone)
        if (Img+ = undefined) return (undecided)
        if (Img+ ⊆ R) return (unreachable)
        R = R ∨ Img+

Annotations:
• Outer do/while: abstraction & refinement loop, with bound increment (k = k + 1)
• SAT (I ∧ T ∧ Cone): BMC check, find a trace
• Inner while (true): approximated reachability loop; Img+ (Ri, T) is k-adequate w.r.t. (T, F)
• Img+ ⊆ R: (over-approximated) fix-point reached
Motivations
• Refutation proofs follow SAT solver runs: SAT heuristics do NOT target resolution graph (and unsatisfiable core) minimization
• Not unique (depend on SAT heuristics)
• Difficult UNSAT instances: large interpolants
• Interpolant circuits need aggressive optimizations (BDD/SAT sweeping + logic synthesis)
• Highly redundant AND-OR circuits (just negations on inputs) are not optimal
Contributions
• Partitioned Adequate Image Computation: A Divide & Conquer Approach
  - Across different methods: compute partial state sets, use them to restrict the search space
  - Within Partitioned Adequate Image (interpolant)
• Backward & Interpolation: An integrated Approach
  - Compute (partial) backward state sets by circuit quantification and SAT enumeration
  - Check backward fix point (SAT)
  - Eventually forward interpolant (using partitioned image)
[Figure: the backward unrolling R3 R2 R1 R0 seen as a circuit and as a state set. Contribution A/1: move from the circuit view to the state set view. Contribution A/2: partitioned circuit view (a disjunction of cones). Contribution B: partitioned circuit + state set. Contribution C: circuit + state view]
Contribution A/1: Partial Quantification
LazyE (Cone)
    G = Cone
    forall v ∈ PI
        tmp = ∃v G
        if (|tmp| < th · |G|)
            G = tmp
    return (G)
• Quantify a variable if the size stays under control, otherwise keep it unquantified
• Try ∃PI Cone; if not all quantifications are accepted, the work is not finished
• The ∃ operator on circuits works by OR-ing cofactors: exponential blow-up, unless tight sharing (by SAT/BDD sweeping)
Contribution A/1: Partial Quantification Adopting BDDs
LazyEBDD (Cone)
    (ConeBdd, CutV, CutF) = AIG2BDD (Cone)
    G = ANDEBDD (ConeBdd, CutVari, CutFi)
    if (|G| < th · |Cone|)
        return (BDD2AIG (G))
    else
        return (Cone)
• AIG2BDD, quantification on BDDs, then BDD2AIG; quantify a variable if the size stays under control, otherwise keep it unquantified
• BDDs with cut points; early quantification schedule
Contribution A/1: Partial Quantification with Subsetting
LazyESubset (Cone)
    G = Cone
    σ = SAT (Cone)
    forall v ∈ PI
        tmp = ∃v G
        if (|tmp| < th · |G|)
            G = tmp
        else
            G = G|v=σ[v]
    return (G)
• Quantify a variable if the size stays under control, otherwise set it to the constant 0/1 value it takes in σ
• The result is a subset of a state set: R̄k,bwd ⊆ Rk,bwd = ∃PI Cone
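As an added illustration of LazyE and LazyESubset (not the authors' code, which runs on AIGs over CUDD and MiniSat), the two procedures on a toy nested-tuple circuit: gate count stands in for |G|, the brute-force satisfying assignment stands in for the SAT call, and the cone, the threshold th and the variable names are constructed for this example.

```python
from itertools import product
# Toy circuit representation (constructed for this example, not the authors' AIG):
# True/False, ('var', name), ('not', f), ('and', f, g), ('or', f, g).
def var(n): return ('var', n)
def Not(f):
    if isinstance(f, bool): return not f
    return f[1] if f[0] == 'not' else ('not', f)
def And(f, g):  # with constant propagation
    if f is True or g is False: return g
    if g is True or f is False: return f
    return f if f == g else ('and', f, g)
def Or(f, g):
    if f is False or g is True: return g
    if g is False or f is True: return f
    return f if f == g else ('or', f, g)
def size(f):  # gate count: the |G| that the threshold th is applied to
    return 0 if isinstance(f, bool) or f[0] == 'var' else 1 + sum(size(c) for c in f[1:])
def cofactor(f, v, val):  # G|v=val
    if isinstance(f, bool): return f
    if f[0] == 'var': return bool(val) if f[1] == v else f
    if f[0] == 'not': return Not(cofactor(f[1], v, val))
    a, b = cofactor(f[1], v, val), cofactor(f[2], v, val)
    return And(a, b) if f[0] == 'and' else Or(a, b)
def exists(f, v):  # ∃v G on the circuit: OR of the two cofactors (the step that may blow up)
    return Or(cofactor(f, v, 0), cofactor(f, v, 1))
def evaluate(f, asg):
    if isinstance(f, bool): return f
    if f[0] == 'var': return bool(asg[f[1]])
    if f[0] == 'not': return not evaluate(f[1], asg)
    a, b = evaluate(f[1], asg), evaluate(f[2], asg)
    return (a and b) if f[0] == 'and' else (a or b)
def support(f):
    if isinstance(f, bool): return set()
    return {f[1]} if f[0] == 'var' else set().union(*map(support, f[1:]))
def sat_assignment(f):  # brute-force stand-in for the SAT call sigma = SAT(Cone); None if UNSAT
    vs = sorted(support(f))
    for bits in product((0, 1), repeat=len(vs)):
        asg = dict(zip(vs, bits))
        if evaluate(f, asg): return asg
def lazy_exists(cone, pis, th):
    """LazyE: quantify a PI only if |∃v G| < th·|G|; return G and the PIs left unquantified."""
    g, kept = cone, []
    for v in pis:
        tmp = exists(g, v)
        if size(tmp) < th * size(g): g = tmp
        else: kept.append(v)
    return g, kept
def lazy_exists_subset(cone, pis, th):
    """LazyESubset: a rejected PI is fixed to its value in sigma instead, so the result
    has no PI left and is a non-empty subset (R-bar) of the exact projection ∃PI Cone."""
    g, sigma = cone, sat_assignment(cone)
    if sigma is None: return False  # unsatisfiable cone: empty state set
    for v in pis:
        tmp = exists(g, v)
        g = tmp if size(tmp) < th * size(g) else cofactor(g, v, sigma.get(v, 0))
    return g

# Constructed cone over state vars s0, s1 and PIs v0, v1: (s0 ∧ v0) ∨ (s1 ∧ ¬v0 ∧ v1);
# its exact projection ∃v0,v1 Cone is s0 ∨ s1.
s0, s1, v0, v1 = map(var, ('s0', 's1', 'v0', 'v1'))
CONE = Or(And(s0, v0), And(s1, And(Not(v0), v1)))
```

With th = 2.0 both PIs get quantified and the result equals the exact projection; with th = 1.0 LazyE leaves v1 in the cone, while LazyESubset fixes v1 to its value in σ and still returns a subset of s0 ∨ s1.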
Contribution A/1
• If we are very lucky, we move from the circuit unrolling (Cone: R3 R2 R1 R0) to a state set (Back)
• If we are NOT very lucky, we move from the circuit unrolling (Cone) to a simplified cone Cone¯ plus a partial state set Back¯:
  Cone¯ = Simplify (Cone, Back¯) (by redundancy removal)
Contribution A/2: Cone0 ∨ Cone1
Cone = Cone1 ∨ Cone2 ∨ Cone3 ∨ … ∨ Conen
[Figure: the backward unrolling from F through T split into several cones]
Circuit unrollings are disjunctions of circuit unrollings
Contribution B: How to Conquer
[Figure: I, Ri and Img (I, T) on the forward side; the backward cone from F through T, split into Cone1 and Cone2, each with its own Img+Adq]
Disjunction of cones, conjunction of images:
Img+Adq (I, T, Cone) = Img+Adq (I, T, Cone1 ∨ Cone2)
                     = Img+Adq (I, T, Cone1) ∧ Img+Adq (I, T, Cone2)
Contribution C: Backward + Interpolation
IntegratedMC (I, T, F)
    set initial values
    do
        res = undecided
        Conek = Conek−1(T)
        if (SAT (I ∧ (Conek ∨ BckR¯))) return (reachable)
        fp = CheckFP (Conek, BckR¯, Cone0..k−1)
        if (fp = true) return (unreachable)
        (Conek, BckR¯) = LazyE/BDD/Subset (Conek, BckR¯)
        if (fp = undecided)
            Cone¯ = Simplify (Cone, ¬BckR¯)
            res = FiniteRun2 (I, T, Cone¯, BckR¯)
        increase bound
    while (res = undecided)

Annotations:
• Backward reachability section: loop by increasing backward unrolling; Conek = Conek−1(T) is a composition
• SAT (I ∧ (Conek ∨ BckR¯)): BMC check for a counterexample (SAT? reachable)
• CheckFP = SAT + all-solution SAT (FP? unreachable); a false result is easy to check, an undecided result is hard to check
• LazyE/BDD/Subset: lazy circuit quantification (partial and with subsetting)
• Simplify: redundancy removal with partial state sets as don't care
• Interpolant section (FiniteRun2): when the backward analysis is incomplete, do forward interpolants with partial state sets as don't care, using the partitioned adequate image (partitioned cones and images)
• Whenever state sets (complete or subset) are computed, keep them
Contribution C: … To Sum up
[Figure: F and the backward sets R̄k,bwd]
Use the (partial) backward state sets as don't care for the next steps
Experimental Results
• Home made software on top of CUDD and MiniSat
• Experiments with a Dual Core Pentium, 3 GHz, 3 GB
• On Model Checking Competition benchmarks plus some ISCAS, VIS and IBM
• Results compare Standard Interpolant-based Verification (mainly) and other techniques against the presented algorithm
Statistics on Partitioning: Two Examples
[Figure: partition sizes over 1 iteration on eijkbs3271.blif (over: 1.794527, peak: 0.311449)]
[Figure: partition sizes over 1 iteration on Industrial_D1 (query19.blif) (over: 1.619321, peak: 0.135171)]
Statistics on Partitioning
• Cone Size: 11 cones with 300000 nodes
• # Partitions: in 19 cases we partition the cone in 10 sub-cones
• Over Size: in 567 cases all partitions were from 10 to 20% larger than the original cone
• Peak Size: in 87 cases the size of the largest partition is 50 - 60% of the original cone
Standard Interpolant vs New Algorithm
[Scatter plot: time limit 900 seconds; winning experiments below the main diagonal; easy benchmarks cluster near the origin; 20 properties not solved before]
Termination Obtained by Interpolation (time limit: 7200 seconds)

Model | #PI | #FF | #Nodes | Original: Time [s] | Original: Method | Original: Bound | New: Time [s] | New: Bound
intel_006 | 345 | 350 | 3265 | 195,80 | ITP | 9 | 197,72 | 9
intel_024 | 352 | 357 | 5710 | 6344,47 | ITP | 15 | 454,47 | 15
intel_029 | 559 | 564 | 8816 | - | - | - | 620,09 | 18
vis.blackjack-inv | 5 | 103 | 3979 | 3359,29 | BDD | 10 | 110,02 | 11
nusmv.tcas^3.B | 146 | 169 | 2914 | 87,38 | ITP | 6 | 37,02 | 7
vis.coherence^3.E | 6 | 29 | 1214 | 2439,24 | INV | 10 | 236,7 | 11
vis.pm.palu | 14 | 220 | 2347 | - | - | - | 390,14 | 5
vis.ns31 | 21 | 103 | 3598 | 606,45 | ITP | 7 | 83,75 | 7
vis.ns32 | 21 | 103 | 3598 | 1004,25 | ITP | 7 | 149,92 | 7
IndustrialB1 | 12 | 190 | 3324 | - | - | - | 17,08 | 17
IndustrialB2 | 12 | 193 | 6782 | - | - | - | 154,21 | 11
IndustrialB3 | 15 | 309 | 1592 | 1341,60 | ITP | 9 | 49,76 | 9
IndustrialB4 | 18 | 416 | 5409 | - | - | - | 265,49 | 5
IndustrialB5 | 18 | 425 | 4391 | - | - | - | 457,17 | 9
IndustrialC1 | 21 | 116 | 1098 | 91,27 | BDD | 12 | 98,10 | 12
IndustrialC2 | 67 | 351 | 2021 | 950,08 | ITP | 15 | 98,55 | 15
IndustrialC3 | 96 | 359 | 3692 | - | - | - | 719,24 | 15
IndustrialD1 | 119 | 76 | 1075 | 478,90 | ITP | 37 | 375,25 | 37
IndustrialD2 | 138 | 97 | 2172 | 7157,35 | ITP | 35 | 378,91 | 35
IndustrialD5 | 96 | 355 | 6360 | - | - | - | 507,27 | 10
IndustrialD6 | 91 | 353 | 6348 | 5408,67 | ITP | 10 | 771,49 | 10

Method legend: ITP = Standard Interpolant, INV = Inductive Invariant, BDD = BDD-based Reachability; "-" = not solved within the time limit
Termination Obtained with Bwd Reached

Model | #PI | #FF | #Nodes | Original: Time [s] | Original: Method | Original: Bound | New: Time [s] | New: Bound
vis.vsaR | 17 | 66 | 2321 | 1131,25 | BDD | 12 | 371,66 | 6
vis.pm.am2901 | 26 | 136 | 2416 | 1764,57 | CBQ | 3 | 83,40 | 2
vis.pm.FPMult | 17 | 215 | 1347 | 1865,51 | ITP | 3 | 85,49 | 2
vis.feistel | 68 | 296 | 6821 | 392,09 | INV | 15 | 749,65 | 13
eijk.bs3271 | 26 | 305 | 2546 | 1391,00 | ITP | 17 | 327,33 | 13
eijk.bs6669 | 83 | 506 | 4879 | - | - | - | 132,04 | 5
eijk.bs3384 | 43 | 689 | 3069 | - | - | - | 532,07 | 7
IndustrialA1 | 5 | 99 | 2657 | 1761,86 | ITP | 11 | 71,92 | 7
IndustrialA2 | 37 | 250 | 4521 | 1192,51 | CBQ | 7 | 517,21 | 4
IndustrialA3 | 51 | 333 | 1275 | 1933,09 | CBQ | 8 | 470,07 | 8
IndustrialC4 | 105 | 377 | 5279 | - | - | - | 415,62 | 19
IndustrialC5 | 138 | 608 | 1003 | 720,15 | CBQ | 6 | 315,63 | 6
IndustrialD3 | 25 | 88 | 498 | 7124,54 | ITP | 45 | 25,55 | 67
IndustrialD4 | 21 | 116 | 3879 | 795,25 | ITP | 9 | 103,41 | 9

Method legend: CBQ = Circuit-based Quantification, ITP = Standard Interpolant, INV = Inductive Invariant, BDD = BDD-based Reachability; "-" = not solved within the time limit
Conclusions
• Domain: Unbounded Model Checking
• Target: Improve Interpolant Verification
• Method: Divide and Conquer (Backward Cone versus Backward State Sets); Integration of Interpolant and Backward Verification
Future Works
• More tuning for the partitioning procedure
• More understanding of pros and cons of the method
• Better experimental setting and results analysis
Thank you!