Journal of Applied Mathematics

Volume 2014, Article ID 702165, 13 pages

http://dx.doi.org/10.1155/2014/702165

## Counterexample-Preserving Reduction for Symbolic Model Checking

School of Computer Science, National University of Defense Technology, Changsha 410073, China

Received 12 February 2014; Accepted 14 April 2014; Published 14 May 2014

Academic Editor: Xiaoyu Song

Copyright © 2014 Wanwei Liu et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

The cost of LTL model checking is highly sensitive to the length of the formula under verification. We observe that, under some specific conditions, the input LTL formula can be reduced to an easier-to-handle one before model checking. In such reduction, these two formulae need not to be logically equivalent, but they share the same counterexample set w.r.t the model. In the case that the model is symbolically represented, the condition enabling such reduction can be detected with a lightweight effort (e.g., with SAT-solving). In this paper, we tentatively name such technique “counterexample-preserving reduction” (CEPRE, for short), and the proposed technique is evaluated by conducting comparative experiments of BDD-based model checking, bounded model checking, and property directed reachability-(IC3) based model checking.

#### 1. Introduction

LTL [1] is one of the most frequently used specification languages in model checking (cf. [2]). It designates properties over a linear structure, which can be viewed as an execution of the program. The task of LTL model checking is to search the state space (explicitly or implicitly), with the goal of detecting the existence of feasible traces violating the specification. If such traces exist, the model checker will report one of them as a “counterexample”; otherwise, the model checker will give an affirmative report.

It can be shown that the complexity of LTL model checking for is in ; meanwhile, the nesting depth of temporal operators might be the major factor affecting the cost in compiling LTL formulae. Hence, it is reasonable to simplify the specification before conducting model checking. For example, in [3], Somenzi and Bloem provided a set of rewriting schemas for simplifying LTL specifications, and these rewriting schemas preserve logical equivalence.

One may argue that “a majority of LTL formulae used in real applications are simple, succinct rather than complicated” Nevertheless, we might need to observe the following facts.(i)Some LTL formula, for example , is usually considered to be a “simple” one. Nevertheless, it can be further simplified to , and this fact tends to be ignored (on one hand, implies , and hence implies (i.e., ); on the other hand, implies , and hence implies ).(ii)Indeed, people do use complicated specifications in the real industrial field, as well as in some standard benchmark (cf. [4]).(iii)Last but not least, not all specifications are designated manually. Actually, some formulae are generated by specification-generaton-tools (e.g., PROSPEC). Indeed, one may find that lots of these machine-generated specifications can be simplified.

Symbolic model checking [5] is one of the most significant breakthroughs in model checking, and two major fashions of symbolic model checking are widely used: one is the BDD-based manner [6] and the other is SAT-based manner, such as BMC [7] or PDR [8–11] algorithms.

Instead of using an explicit representation, the symbolic approach represents state space with a series of Boolean formulae. This enables implicit manipulation of the verification process and it usually leads to an efficient implementation [12]. Meanwhile, the symbolic encoding of transitions and invariants of the model provides heuristic information to simplify the specification. For example,(i)the formulae and can be, respectively, reduced as and , if we know that holds everywhere in the model;(ii)each occurrence of in the specification can be replaced with (i.e., logically true), if we can inductively infer that the Boolean formula holds at each reachable state in the model. Actually, we can make sure of these conditions with the following efforts.(i)To ensure that “ holds everywhere in the model',' one possible way is to make sure that is an* invariant* in the model—that is, just to examine if is unsatisfiable (we in the latter denote it as ), where is the Boolean encoding of the model's transition relation.(ii)Likely, to justify that holds at each reachable state (note that a “dead-end” has no infinite path starting from it, and hence we may safely omit dead-ends in the model when doing this), it suffices to ensure that and , where is the initial condition of the model. We could do this because the component should be satisfied at each transition step. Hence, it encloses both “local invariants” and “transitional invariants”. For example, if , then we may consider as a local invariant, whereas is a transitional invariant.

Hence, this provides an opportunity to replace the specification with a simpler one, accompanied with some lightweight extra task of condition detection. Even if such detection fails, the overhead is usually negligible. More importantly, such reductions can be performed before starting model checking. At the same time, such kind of simplification is not always feasible to conduct manually; the reason is that the scale of boolean facilities is too large to be effectively handled by humans. Therefore, it is reasonable of leveraging the SAT-solvers to accomplish this task.

In this paper, we systematically investigate the above idea and tentatively name this technique* counter example-preserving reduction* (CEPRE, for short). To justify it, we have extended NuSMV and implemented CEPRE as an upfront option for LTL model checking. Subsequently, we conduct experiments over both industrial benchmarks and randomly generated cases. Experimental results show that CEPRE can improve the efficiency significantly.

This paper is organized as follows. Section 2 revisits some basic notions. Section 3 introduces the details of the CEPRE technique and Section 4 gives a formal treatment of performance analysis. In Section 5, the experimental results over industrial benchmarks and over random generated cases are given. We summarize the whole paper with Section 6.

#### 2. Preliminaries

We presuppose a countable set of* atomic propositions*, ranging over , , and so forth, and for each proposition , we create a* primed version * (not belonging to ) for it. For each set , we define . We use to denote the set of Boolean formulae over . Similarly, we denote by the set of Boolean formulae built up from . The scope of the* prime* operator can be naturally lifted to Boolean formulae over , by defining

An* assignment* is a subset of . Intuitively, it assigns (or true) to the propositions belonging to and assigns (or false) to the other propositions. For each and , we denote by if is evaluated to under the assignment .

A* united assignment* is a pair , where both and are subsets of . It assigns to the propositions belonging to and assigns to the other propositions. Suppose that and ; we also write if is evaluated to under the united assignment .

LTL formulae can be inductively defined as follows.(i) and are LTL formulae.(ii)Each proposition is an LTL formula.(iii)If both and are LTL formulae, so does .(iv)If is an LTL formula, then and are LTL formulae.(v)If and are LTL formulae, then both and are LTL formulae.

Semantics of an LTL formula is defined w.r.t. a* linear structure * (i.e., is an infinite word over the alphabet ) and a position . Inductively:(i) and ;(ii) if and only if (where is the th letter of , which can be viewed as an assignment);(iii) if and only if either or ;(iv) if and only if ;(v) if and only if and ;(vi) if and only if there is some , s.t. , and for each ;(vii) if and only if there is some , s.t. and for each . For the sake of convenience, we may directly write as .

As usual, we employ some derived Boolean connectives such as and derived temporal operators such as

Temporal operators like , , , , and are called* future operators*, whereas , , , , **,** and are called* past operators*. An LTL formula is said to be* pure future* (resp.,* pure past*) if it involves no past (resp., future) operators.

Theorem 1 (see [13]). *Each LTL formula has an equivalent pure future expression.*

Theorem 1 tells the fact that past operators do not add any expressive power to LTL formulae. Nevertheless, with these, we can give a much more succinct description in defining specifications.

Given an LTL formula , we denote by the set constituted with subformulae of . Particularly, we, respectively, denote by and the set consisting of “-subformulae” and “-subfomulae” of , where an -formula (resp., -formula) is a formula rooted at (resp., ). (Note that is also a -formula whereas is not.)

A* model* is a tuple , where(i) is a finite set of atomic propositions,(ii) is the* transition relation*,(iii) is the* initial condition*,(iv) is a set of* fairness constraints*.

A* derived linear structure* of is an infinite word , such that(1);(2) for each ;(3)for each , there are infinitely many 's having .

We denote by the set of derived linear structures of and call it the* language* of .

For a model and an LTL formula , we denote as if for each . Meanwhile, we define
and call it the* counterexample set* of w.r.t. .

#### 3. Counterexample-Preserving Reduction

We describe the CEPRE technique in this section, but first of all, let us fix the components of the model and just let be in the rest of this section. For , we are particularly concerned about formulae having the same counterexample set—we say that and are* interreduceable* w.r.t. if and only if , denoted as . Hence, implies that .

The central part of CEPRE is a series of* reduction rules* being of the form
where “” is called the* additional condition*.

Though the relation is actually symmetric, we always write the reduced formula on the righthand of the “” sign in a reduction rule. Since the model is fixed, in this section, we omit it from the subscript. In addition, if the additional condition trivially holds, we will discard this part and directly write the rule as , and in this case we say that this rule is “*model-independent*”; otherwise, we say that the underlying reduction rule is “*model-dependent.*”

##### 3.1. The Basic Reduction Rules

In this section, we define some basic CEPRE rules. First of all, we have some elementary reduction rules relating to model components, as depicted in Table 1. For the rules (INIT), (IND), and (TRANS), the notation “” occurring in the condition part stands for the “*inferring*” relation in propositional logic ( if and only if is unsatisfiable), and we here require that .

Subsequently, let us define a partial order “” over unary temporal operators (and their combinations) as follows: where and .

Assume that and ; then we have two model-indenpendent rules, as depicted in Table 2. Though these rules seem to be trivial, they are useful in doing combinational reductions (see the example given in Section 3.3).

Table 3 provides some reduction rules that can be used to simplify nested temporal operators.

Since we always stand at the starting point when doing model checking (i.e., the goal is to check if for each ), we can sometimes “erase” the outermost past operators, as depicted in Table 4.

Table 5 introduces a series of rules handling formulae involving adjacent past and future temporal operators.

We let range over and let be arbitrary LTL formulae, and then we have some model-dependent rules. The first group of such rules is listed in Table 6. Table 7 provides another set of model-dependent reduction rules, and these rules are mainly concerned with LTL formulae involving adjacent -operators. Lastly, Table 8 provides some reduction rules that can be used to simplify formulae with mixed usage of and .

##### 3.2. Principles for Rule Generation

Actually, we may acquire more CEPRE rules by applying some* principles* to the existing rules. In this section, we introduce four major principles in our framework.

###### 3.2.1. The Inversion Principle

We say that the temporal opertors “ and **,**” “ and **,**” “ and **,**” and “ and ” are pairwise* inverse operators* (The inverse operator of may be or , which is judged from the context. Fortunately, in this paper, we need not consider this case). Then, for CEPRE rules list in Table 3 and Tables 6–8, we may apply the following principle:
namely,* Inversion Principle*. In detail:(i)if then ; if , then is obtained from by switching the primed and unprimed propositions;(ii) and are obtained from and by swithing the temporal operators with their inverse operators, respectively.

For example, one can apply this principle to and , and then the following two rules are immediately obtained.

###### 3.2.2. The Duality Principle

We say that “ and ,” “ and ,” “ and **,**” “ and **,**” “ and **,**” “ and itself,” “ and **,**” and “ and ” are pairwise the* dual operators*. Then, the* duality principle* could be described as follows:
We require that the condition “” should be either trivial (in this case, the rule is a model-independent one) or of the form , and in the latter case we have . The formulae and are obtained from and by switching the operators with their dual.

For example, apply the duality principle to the rules , , , and , one may get the following new rules:

Note that when applying the duality principle to model-dependent rules, besides switching the operators, we also need to exchange the antecedent and subsequent on the righthand of in the condition part, in the case that the condition is of the form . As an example, we may obtain the reduction rule by applying the duality principle to ().

###### 3.2.3. The Composition Principle

The* composition principle* can be formally described as follows:
that is, if and are interreduceable under the conditin (), then and are also interreduceable. In using this principle, we have the following constraints.(1) must be -free; that is, it must be irrelevant to the initial condition.(2)If the second rule is one of these listed in Table 4 (or the inversion/duality version), then we require that the (designated) occurrences of in must be* temporally outermost*; that is, does not appear in the scope of any temporal operators.(3)Since trivially holds, we have the following special case of the composition principle:
and call it the local application of (the above) CEPRE rule.

To explaint the reason why we need to impose the second constraint, just consider the following fact: we have according to ; yet this does not imply that holds.

###### 3.2.4. The Decomposition Principle

The last principle, which could be corporately used in* modular model checking* [14], is described as follows:
where all constraints imposed to the* composition principle* are still required. is the* synchronized composition* of and ; that is, if .

##### 3.3. Reduction Strategy

We show the usage of CEPRE reduction rules by illustrating the reduction process of ; see Algorithm 1.(1)We may first try with the rule () by inquiring the SAT-solver if holds.(2)If the SAT-solver returns “unsatisfiable” with the input , then it implies that the additional condition is stated, and we may replace the specification with .(3)Otherwise, we will try with another reduction rule, such as ().

Compositional use of reduction rules may lead to a more aggressive reduction. For example,(1)for the task of model checking , we may firstly change the goal as , according to the rule (FO);(2)now, the subformula is a temporally outermost one; hence we may make a local application of (O), and then the goal becomes ;(3)finally, we may change the model checking problem into via the rule (DISJ).

In the real implementation, we perform a “*max-match*” rule-selection strategy, as depicted in Algorithm 1. Note that in this algorithm, only(1)basic rules,(2)rules obtained from the inversion principle or the duality principlecould be directly used (maybe in a local manner). This guarantees the finiteness for rule selection.

In line 15, a rule having simpler condition always has the higher precedence to be chosen. Hence, a model-independent rule always has a higher priority than a model-dependent one.

Lastly, we can see that the reduction can be accomplished within iterations.

#### 4. Performance Analysis of CEPRE

We now try to answer the question “why we can gain a better performance during verification if CEPRE is conducted first.” To give a rigorous explanation, we briefly revisit the implementation of some symbolic model checking algorithms, and we are mainly concerned about the following techniques:(1)the BDD-based model checking technique,(2)the bounded model checking technique (BMC), for both syntactic encoding and semantic encoding approaches,(3)the property directed reachability (alternatively, IC3) algorithm.

##### 4.1. Analysis on BDD-Based Model Checking

The core procedure of BDD-based LTL symbolic model checking algorithm is to construct a* tableau* for the (negated) property. In the following, we refer the tableau of as , and we would give an analysis on its major components affecting the cost of model checking.

*State Space*. The state space of consists of subsets of , and the set can be inductively computed as follows:(i);(ii) if ;(iii);(iv), and ;(v) and . We can see from the definition that holds. With symbolic representation, each formula corresponds to a proposition in building the tableau. Moreover, if , then no new proposition needs to be introduced (since it has already been introduced in building the symbolic representation of ); otherwise, a fresh proposition is required. Hence the total number of newly introduced propositions equals . From an induction over formula's structure, we have the following claim.

Proposition 2. * equals the number of temporal operators in .*

*Transitions*. The transition relation of is a conjunction of a set of constraints, and each constraint is either of the form or , where , and the function can be inductively defined as follows:(i) and ;(ii) for each ;(iii);(iv) and ;(v) and . According to the definition of , we can see that each rooted at a future (resp., past) temporal operator exactly produces one formula (resp., ) in , and hence a new proposition (resp., ) would be introduced. Subsequently, each such (resp., ) adds exactly one constraint to the transition relation. Hence, we have the following claim.

Proposition 3. *The number of constraints in the transition relation of equals the number of temporal operators occurring in (alternatively, ).*

*Fairness Constraints*. According to the tableau construction, each would impose a fairness constraint to . Hence, the number of fairness constraints equals .

With a case-by-case checking, we can show the following theorem.

Theorem 4. *Let “” be a reduction rule; then we have and .*

##### 4.2. Analysis on Bounded Model Checking

In contrast, the cost of BMC is quite sensitive to the encoding approach. In a broad sense, we can categorize the encoding approaches into two fashions.

*Syntactic Encodings*. Such kind of encodings are inductively produced w.r.t. the formula's structure. The very original one is presented in [7], and this is improved in [15] by observing some properties of that encoding. In [16, 17], a linear incremental syntactic encoding is suggested, and see [18] for the translation for ECTL*.

*Semantic Encodings*. In [19], an alternative BMC technique is provided: it mimics the tableau-based model checking process, but it expresses the fair-path detection upon the product model with Boolean formula. (In [20], a “fixpoint”-based encoding is proposed, and it can also be subsumed to semantic encodings.)

For the semantic encodings, the reason that we can benefit from CEPRE is exactly the same as that for BDD-based approach. Because, the encoding is a conjunction of a -step unrolling of and a -step unrolling of (an unrolling is either a partial derived linear structure or one ending with a lasso). The former is usually in a fixed pattern, and for the latter, we need new propositions, and the sizes of Boolean formulae w.r.t the transition and fairness constraints (note that the part w.r.t. fairness constraints can be linearized) are, respectively, and .

For a syntactic BMC encoding, one needs to generate a Boolean formula of the form , where is the unrolling of with steps, and describes that such -step unrolling would cause a violation of . In general, is almost the same in all kinds of syntactic encodings, and the key factor affecting the cost lies in .

Given a subformula of , if we use to denote the maximum length of the Boolean formula describing that is initially satisfied upon a -step unrolling, then it can be inductively computed as follows:(i); (this is just for the case when or appears as a subformula in the specification and hence can be optimized; otherwise, we have ;(ii) for each ;(iii);(iv);(v). (Note that this case does not imply that further blowup would be caused with deeper nesting of temporal operators. For example, in [17], by introducing fresh propositions and reusing, it still leads to a linear encoding for the whole formula.) Here, is some polynomial about , related to the encoding approach. For example, with the technique proposed in [7, 15], we have , whereas in [16, 17]. This partly explains the reason that we tend to change temporal nestifications with Boolean combinations, as done in and so forth.

Another feature affecting the cost is the scale of propositions required for the encoding. If we denote by the set of additional propositions which only takes part in the encoding of , then we have the following conclusions.(i)For the techniques proposed in [7, 15], we have . i.o.w.; all propositions required in encoding can be shared with those for .(ii)In term of the encoding presented in [17], we need to add new propositions to for each -subformula and for each -subformula.

Theorem 5. *Let “” be a reduction rule; then we have and in syntactic encodings.*

##### 4.3. Analysis on Property Directed Reachability Algorithm

Property directed reachability (PDR or IC3) is probably the most significant breakthrough in SAT based model checking. The aim of PDR is to show that the system is* safe* w.r.t. the property ; that is, each reachable state satisfies the boolean constraint .

The process of PDR retains a sequence of clause sets fulfilling the following.(1); and for each we have(2);(3);(4). This process stops and reports an affirmative answer if there exists some having ; and it reports failure when some reachable “unsafe” state is detected. Therefore, it intends to find a (intermediate) reachable-closure enclosed (or* inductive set*) with , as described in Algorithm 2.

This algorithm employees two important subroutines—the strengthen process (Line 7) and the propagate process (Line 10):(i)The process strengthen aims to disprove the reachability of the point which violates . If it succeeds, some new constraints would be added to some specific clause sets; if this process fails, then it implies that we have a feasible path which leads to an “unsafe” state. In [21], an effective strengthen algorithm is provided, and it results in a linear complexity in time w.r.t. the size of variable set.(ii)The process propagate is used to “compact” the clause sets and to accelerate the termination. Its purpose is to “push out” the clauses in a set as possible as they can. Suppose that there is a clause , in the case that holds; since we have , it implies that also holds. In such situation, the clause could be definitely propagated to .

Since the PDR algorithm could not directly handle general temporal properties, we need to first translate the LTL model checking problem to PDR solving, via the following steps.(1)Build the tableau from the LTL formula , as describled in Section 4.1.(2)Thus, the problem is boiled down to a fair-circle detection problem on the production of and .(3)This problem could be further translated to PRD-solving problems, where is the number of fairness constraints in the production. Interested readers may refer to [22] for the translation details.

It could be seen that the features affecting the overhead of PDR-solving boiled from LTL input are the following:(1)the scale of product system, which is determined by the number of variables in the tableau and model,(2)the size (or number of clauses) of the transition relation, which is a summation of these of the tableau and the model,(3)the number of fairness constrains in the product, which is also the summation of constraint numbers of the model and the tableau.

For two LTL formulae and such that , since the model is the same, the “variable number,” “number of clauses in the transition relation,” and “the number of fairness contraints” are determined by the tableaux and . Precisely like the analysis we have done in Section 4.1, we have the same conclusions shown in Propositions 2 and 3 and Theorem 4, and these would explain why we can also benefit from CEPRE when using PDR as underlying checking approach.

#### 5. Experimental Results

We have implemented CEPRE as an upfront option in NUSMV (the tool is available on http://sourceforge.net/projects/nusmvwithcepre/), and we have also conducted experiments upon both industrial benchmarks and randomly generated cases in terms of BDD-based model checking, bounded model checking, and PDR-based model checking.

The BMC encoding approach we adopt here is that proposed in [15], which is the current BMC implementation of NUSMV. Since PDR verifiers could not directly take SMV models and/or LTL formulae as input, and they use AIGs (the And-Inverter Graphs) as standard input format, we first use the SMVTOAIG tool [23] to convert SMV-scripts into AIGs and then use IIMC [24] to perform the PDR-based verification.

We conduct the experiments under such platform: CPU-Intel Core Duo2 E4500 2.2 GHz, Mem-2 G Bytes, OS-Ubuntu 10.04 Linux, Cudd-v2.4.1.1, Zchaff-v2007.3.12.

##### 5.1. Experiments upon Industrial Benchmarks

The benchmarks we choose in this paper are suggested in [4], and most of them come from real hardware verification.

Table 9 provides the experimental results for BDD-based LTL symbolic model checking. The field time is the executing time totally elapsed, and the field R.S. refers to the number of reachable states. For the experiments “with CEPRE,” both the overheads of time and space are the summations of preprocessing and model checking. For Table 9, we have the following remarks.(1)8 out of 16 specifications could be reduced with CEPRE (and these specifications are marked with ).(2)For the specifications that can be reduced, considerable improvements are made during verification. For example, for the specification Pit.g.ltl, with CEPRE, the number of BDD nodes is decreased to of that without using CEPRE.(3)When a specification cannot be reduced with CEPRE, it spends a very low extra overhead for doing preprocessings.(4)Something noteworthy we do not provide here is that in the case that a violated LTL specification can be reduced, the newly generated counterexample is usually shorter than that of before. Among 8 specifications that can be reduced, counterexample lengths of Pti.nuv.ltl, Pit.g.ltl, P0.ltl, and Seq.ltl are, respectively, shortened to , , and , opposing to the original values , , and . Meanwhile, counterexample lengths of others are kept unchanged.

Table 10 gives the experimental results for BMC-based model checking, and we here give some comments on that.(1)With NUSMV, we need to preset a max-bound when doing bounded model checking. The column max-bound gives such values—a “star mark” means that this bound does not reach the completeness threshold. The field N.O.C. designates the number of clauses generated during model checking.(2)From Table 10, we can see that without CEPRE the specification Pti.gnv.ltl generates 2101 clauses when the verification stops; in contrast, it only produces 299 clauses if CEPRE is switched on.(3)Another comparison is for P0.ltl upon dme3: If we do not do any reduction, the SAT solver reports a SEGMENTATION FAULT at Step 35. In contrast, using CEPRE, a counterexample could be found at Step 62.(4)Since the encoding approach we use is taken from [15], propositions used in the encoding are only determined by the model and the bound; thus the number of required propositions does not change. For this reason, the corresponding experimental results on proposition numbers are not provided.

Experimental results of PDR-based model checking are shown in Table 11.(1)For PDR-based model checking, we are mainly concerned about the time-overhead. Since that the PDR algorithm consumes memory evenly during verification, we do not provide the space-overhead here.(2)Because the CEPRE process is done in an individual phase in the PDR-based verification, we here also list the overhead for doing CEPRE.(3)We can see that a significant performance improvement could be made if we use CEPRE in PDR-based model checking, and the extra overhead for preprocessing is still relatively negligible.

Note that both model-independent and model-dependent rules contribute to the reductions. For example, for the model srg5 and the specification Pti.g.ltl, the rules (FS) and (S) are applied; meanwhile, for the model msi_wtrans and the specification Seq.ltl, the application of is invoked.

##### 5.2. Experiments w.r.t. Random Models and Specifications

We have also performed experiments upon randomly generated models and specifications with the tool LBTT [25] and with the methodology suggested in [17].

For BDD-based MC and bounded model checking, we conduct the comparison in the following manner. For each , we randomly generate specifications having length . Subsequently, for each specification, we generate two models, respectively, for the BDD-based model checking and for BMC. Hence, we totally have specifications and models.

For the BDD-based model checking, we give the comparative results on (1) the scale of BDD-nodes, (2) the number of reachable states, and (3) the time consumed, and the experimental results are, respectively, shown in Figures 1, 2, and 3. For bounded model checking, we have set the maximum bound to and we have compared (1) the number of clauses and (2) the executing time; the results are, respectively, shown in Figures 4 and 5. Each value here we provide is the average of the executions.

For the BDD-based model checking, there are (out of ) specifications that can be reduced, whereas for bounded model checking, the number of specifications that can be reduced is . Note that in this experiment, when CEPRE is switched on, extra overheads (such as time) have also been taken into account.

For the PDR-based model checking, the experiments are conducted as follows. We first generate SMV models with LBTT and then we randomly generate LTL specifications for each model and each designated length. Next, we batchly do CEPRE upon one group of specification copies and then obtain the product models (for each model and each specification). Subsequently, we convert the product models into AIG format with SMVTOAIG.

We here compare the number of verfication obligations that could be accomplished within the preset time bound (i.e., sec.), and the results are shown in Figure 6. From that, we can see that with the increment of the specification's length, the ratio (that could be done with CEPRE to without CEPRE) also monotonically increases.

#### 6. Concluding Remarks

In this paper, we present a new technique to reduce LTL specifications' complexity towards symbolic model checking, namely, CEPRE. The novelty in this technique is that the reduced formula needs not be logically equivalent with the original one but just preserves the counterexample set. Moreover, the condition enabling such a reduction can be usually detected with lightweight approaches, such as SAT-solving. Hence, this technique could leverage the power of SAT-solvers.

The central part of CEPRE is a set of reduction rules, and soundness of these reduction rules is fairly easy to check. For the model-dependent rules, additional conditions mainly concern the invariants and transitions, and we do not make a sufficient use of other features, such as fairness. In this paper, the rules are given by enumerating all possible combinations of (at most two) temporal operators. Indeed, there might be some other reduction schemas we are not aware of.

From the experimental results, we can see that in a statistical perspective, a better performance and lower overhead can be achieved with CEPRE. For the future work, we would consider how to extend our idea to symbolic model checking upon rich assertional languages, such as PSL.

#### Conflict of Interests

A conference version of this paper [26] is firstly published in the proceeding of ICTAC 2013, and a corresponding unpublished version is put on CoRR (http://arxiv.org/abs/1301.3299). The authors have extended more than new material in this submission. The authors declare that there is no conflict of interests regarding the publication of this paper.

#### Acknowledgments

This paper is the extension of [26], and the authors would to thank the anonymous reviewers for the helpful comments of their conference version. This work is supported by NSFC (No. 61103012), the 973 Project (no. 2014CB340703), NSFC (nos. 61379054 and 61120106006), and the Program for New Century Excellent Talents in University.

#### References

- A. Pnueli, “The temporal logic of programs,” in
*Proceedings of the 18th Annual Symposium on Foundations of Computer Science (FOCS '77)*, pp. 46–57, IEEE Computer Society, 1977. View at Google Scholar · View at MathSciNet - M. Y. Vardi, “Branching vs. linear time: final showdown,” in
*Tools and Algorithms for the Construction and Analysis of Systems*, vol. 2031 of*Lecture Notes in Computer Science*, pp. 1–22, Springer, 2001. View at Publisher · View at Google Scholar - F. Somenzi and R. Bloem, “Efficient B üchi automata from LTL formulae,” in
*Computer Aided Verification*, E. A. Emerson and A. P. Sistla, Eds., vol. 1855 of*Lecture Notes in Computer Science*, pp. 53–65, Springer, 2000. View at Google Scholar - A. Biere, K. Heljanko, T. Junttila, T. Latvala, and V. Schuppan, “Linear encodings of bounded LTL model checking,”
*Logical Methods in Computer Science*, vol. 2, no. 5, pp. 1–64, 2006. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - K. L. McMillan,
*Symbolic model checking, an approach to the state explosion problem [Ph.D. thesis]*, Carnegie Mellon University, Kluwer Academic Publishers, 1993. - E. M. Clarke, O. Grumberg, and K. Hamaguchi, “Another look at LTL model checking,” in
*Formal Methods in System Design*, vol. 818 of*Lecture Notes in Computer Science*, pp. 415–427, Springer, 1994. View at Google Scholar - A. Biere, A. Cimatti, E. M. Clarke, and Y. Zhu, “Symbolic model checking without BDDs,” in
*Proceedings of the 5th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS '99)*, vol. 1579 of*Lecture Notes in Computer Science*, pp. 193–207, Springer, 1999. - A. R. Bradley, “SAT-based model checking without unrolling,” in
*Verification, Model Checking, and Abstract Interpretation*, vol. 6538 of*Lecture Notes in Computer Science*, pp. 70–87, Springer, 2011. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - F. Somenzi and A. R. Bradly, “IC3: where monolithic and incremental meet,” in
*Proceedings of the International Conference on Formal Methods in Computer-Aided Design (FMCAD '11)*, P. Bjesse and A. Sloodova, Eds., pp. 3–8, FMCAD, 2011. - N. Een, A. Mishchenko, and R. Brayton, “Efficient implementation of property directed reachability,” in
*Proceedings of the Formal Methods in Computer-Aided Design (FMCAD '11)*, pp. 125–134, Austin, Tex, USA, November 2011. View at Scopus - A. R. Bradley, “Understanding IC
_{3},” in*Theory and Applications of Satisfiability Testing—SAT 2012*, vol. 7317 of*Lecture Notes in Computer Science*, pp. 1–14, Springer, 2012. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - J. R. Burch, E. M. Clarke, K. L. McMillan, D. L. Dill, and L. J. Hwang, “Symbolic model checking: ${10}^{20}$ states and beyond,”
*Information and Computation*, vol. 98, no. 2, pp. 142–170, 1992. View at Publisher · View at Google Scholar · View at MathSciNet - D. Gabbay, “The declarative past and imperative future. Executable temporal logic for interactive systems,” in
*Temporal Logic in Specification*, vol. 398 of*Lecture Notes in Computer Science*, pp. 409–448, Springer, 1989. View at Publisher · View at Google Scholar · View at MathSciNet - O. Kupferman and M. Y. Vardi, “Modular model checking,” in
*Compositionality: The Significant Difference*, vol. 1536 of*Lecture Notes in Computer Science*, pp. 381–401, Springer, 1998. View at Publisher · View at Google Scholar · View at MathSciNet - A. Cimatti, M. Pistore, M. Roveri, and R. Sebastiani, “Improving the encoding of LTL model checking into SAT,” in
*Verification, Model Checking, and Abstract Interpretation*, vol. 2294 of*Lecture Notes in Computer Science*, pp. 196–207, Springer. - T. Latvala, A. Biere, K. Heljanko, and T. Junttila, “Simple bounded LTL model checking,” in
*Formal Methods in Computer-Aided Design*, A. Hu and A. Martin, Eds., vol. 3312 of*Lecture Notes in Computer Science*, pp. 186–200, Springer, 2004. View at Google Scholar - T. Latvala, A. Biere, K. Heljanko, and T. Junttila, “Simple is better: efficient bounded model checking for past LTL,” in
*Verification, Model Checking, and Abstract Interpretation*, vol. 3385 of*Lecture Notes in Computer Science*, pp. 380–395, Springer, 2005. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - A. Zbrzezny, “A new translation from ETCL* to SAT,” in
*Proceedings of the International Workshop CS&P*, M. Szczuka, Ed., pp. 589–600, September 2011. - E. Clarke, D. Kroening, J. Ouaknine, and O. Strichman, “Completeness and complexity of bounded model checking,” in
*Verification, Model Checking, and Abstract Interpretation*, vol. 2937 of*Lecture Notes in Computer Science*, pp. 85–96, Springer, 2004. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - A. Frisch, D. Sheridan, and T. Walsh, “A fixpoint encoding for bounded model checking,” in
*Formal Methods in Computer-Aided Design*, vol. 2517 of*Lecture Notes in Computer Science*, pp. 238–255, 2002. View at Google Scholar - A. R. Bradley and Z. Manna, “Checking safety by inductive generalization of counterexamples to induction,” in
*Proceedings of the Formal Methods in Computer Aided Design (FMCAD '07)*, pp. 173–180, November 2007. View at Publisher · View at Google Scholar · View at Scopus - A. R. Bradley, F. Somenzi, Z. Hassan, and Y. Zhang, “An incremental approach to model checking progress properties,” in
*Proceedings of the Formal Methods in Computer-Aided Design (FMCAD '11)*, pp. 144–153, November 2011. View at Scopus - AIGER, the SMVtoAIG toolkit, 2007, http://fmv.jku.at/aiger/.
- The IIMC tool, 2013, http://ecee.colorado.edu/wpmu/iimc/.
- H. Taurainen and K. Heljanko, “Testing LTL formula translation into Büchi automata,”
*International Journal on Software Tools For Technology Transfer*, vol. 4, no. 1, pp. 57–70, 2002. View at Google Scholar - W. Liu, R. Wang, X. Fu et al., “Conterexamplepreserving reduction for symbolic model checking,” in
*Proceedings of the 10th International Colloquium on Theoretical Aspects of Computing (ICTAC '13)*, Z. Liu, J. Woodcock, and H. Zhu, Eds., vol. 8049 of*Lecture Notes in Computer Science*, pp. 249–266, Springer, Shanghai, China, 2013.