Safety Model Checking with Complementary Approximations ^{†}^{†}thanks: The full version of the ICCAD 2017 paper.
Abstract
Formalverification techniques, such as model checking, are becoming popular in hardware design. SATbased model checking techniques, such as IC3/PDR, have gained a significant success in the hardware industry. In this paper, we present a new framework for SATbased safety model checking, named Complementary Approximate Reachability (CAR). CAR is based on standard reachability analysis, but instead of maintaining a single sequence of reachablestate sets, CAR maintains two sequences of over and under approximate reachablestate sets, checking safety and unsafety at the same time. To construct the two sequences, CAR uses standard Booleanreasoning algorithms, based on satisfiability solving, one to find a satisfying cube of a satisfiable Boolean formula, and one to provide a minimal unsatisfiable core of an unsatisfiable Boolean formula. We applied CAR to 548 hardware modelchecking instances, and compared its performance with IC3/PDR. Our results show that CAR is able to solve 42 instances that cannot be solved by IC3/PDR. When evaluated against a portfolio that includes IC3/PDR and other approaches, CAR is able to solve 21 instances that the other approaches cannot solve. We conclude that CAR should be considered as a valuable member of any algorithmic portfolio for safety model checking.
I Introduction
Model checking is a fundamental methodology in formal verification and has received more and more concern in the hardware design community [1, 2]. Given a system model and a property , model checking answers the question whether holds for . When is a lineartime property, this means that we check that all behaviors of satisfy , otherwise a violating behavior is returned as a counterexample. In the recent hardware model checking competition (HWMCC) [3], many benchmarks are collected from the hardware industry. Those benchmarks are modeled by the aiger format [4], in which the hardware circuit and properties (normally the outputs of the circuit) to be verified are both included. For safety checking, it answers the question whether the property (output) can be violated by feeding the circuit an arbitrary (finite) sequence of inputs. In this paper, we focus on the topic of safety model checking.
Popular hardware model checking techniques include Bounded Model Checking (BMC) [5], Interpolation Model Checking (IMC) [6] and IC3/PDR [7, 8]. BMC reduces the search to a sequence of SAT calls, each of which corresponds to the checking in a certain step. The satisfiability of one of such SAT calls proves the violation of the model to the given property. IMC combines the use of Craig Interpolation as an abstraction technique with the use of BMC as a search technique. IC3/PDR starts with an overapproximation, gradually then refined to be more and more precise [7, 8]. All of the three approaches have proven to be highly scalable, and are today parts of the algorithmic portfolio of modern symbolic model checkers, e.g. ABC [9].
We present here a new SATbased model checking framework, named Complementary Approximate Reachability (CAR), which is motivated both by classical symbolic reachability analysis and by IC3/PDR as an abstractionrefinement technique. While standard reachability analysis maintains a single sequence of reachablestate sets, CAR maintains two sequences of over and underapproximate reachablestate sets, checking safety and unsafety at the same time. While IC3/PDR also checks safety and unsafety at the same time, CAR does this more directly by keeping an overapproximate sequence for safety checking, and an underapproximate sequence for unsafety checking. To compute these sequences, CAR utilizes offtheshelf Booleanreasoning techniques for computing Minimal Unsat Core (MUC) [10], in order to refine the overapproximate sequence, and Minimal Satisfying Cube (i.e., partial assignment) [11], in order to extend the underapproximate sequences. In contrast, IC3/PDR uses a specialized technique, called generalization, to compute Minimal Inductive Clauses (MIC) [7]. Thus, IC3/PDR computes relativelyinductive clauses to refine the over approximate state sequence, while CAR does not. Because of this difference, CAR and IC3/PDR are complementary, with CAR faster on some problem instances where refining by nonrelativelyinductive clauses is better, and IC3/PDR faster on others where refining by relativelyinductive clauses is better.
To evaluate the performance of CAR, we benchmarked it on 548 problem instances from the 2015 Hardware ModelChecking Competition, and compared the results with IC3/ PDR. The results show that while the performance of CAR does not dominate the performance of IC3/PDR, CAR complements IC3/PDR and is able to solve 42 instances that IC3/PDR cannot solve. When evaluated against a portfolio that includes IC3/PDR, BMC, and IMC, CAR is able to solve 21 instances that the other approaches cannot solve. It is well known that there is no “best” algorithm in model checking; different algorithms perform differently on different problem instances [12], and a stateoftheart tool must implement a portfolio of different algorithms, cf. [9]. Our empirical results also support the conclusion that CAR is an important contribution to the algorithmic portfolio of symbolic model checking.
Ii Preliminaries
Iia Boolean Transition System, Safety Verification and Reachability Analysis
A Boolean transition system is a tuple , where is a set of Boolean variables, and every state of the system is in , the set of truth assignments to . is a Boolean formula representing the set of initial states. Let be the set of primed variables (a new copy) corresponding to the variables of , then is a Boolean formula over , denoting the transition relation of the system. Formally, for two states , is a successor state of , denoted as , iff , where is a primed version of .
A path (of length ) in is a finite state sequence , where each is in . We use the notation to denote a path from to . We say that a state is reachable from a state , or that reaches , if there is a path from to . Moreover, we say is reachable from in steps (resp., within steps) if there is a path from to of length (resp., of length at most ).
Let be a set of states in . We define , i.e., is the set of successors of states in . Conversely, we define , i.e., is the set of predecessors of states in . Recursively, we define and for . The notations of is defined analogously.
Given a Boolean transition system and a safety property , which is a Boolean formula over , the system is called safe if holds in all reachable states of , and otherwise it is called unsafe. The safety checking asks whether is safe. For unsafe systems, we want to find a path from an initial state to some state that violates , i.e., . We call such state reachable to a bad state, and the path from to a counterexample.
In symbolic model checking (SMC), safety checking is performed via symbolic reachability analysis. From the set of initial states, we compute the set of reachable states by computing for increasing values of . We can compute the set of states that can reach states in , by computing for increasing values of . The first approach is called forward search, while the second one is called backward search. The formal definition of these two approaches are shown in the table below.
Forward  Backward  

Basic:  
Induction:  
Terminate:  
Check: 
For forward search, the state set is the set of states that are reachable from in steps. This set is computed by iteratively applying . To find a counterexample, forward search checks at every step whether one of the bad states has been reached, i.e., whether . If a counterexample is not found, the search will terminate when . For backward search, the set is the set of states that can reach in steps. The workflow of backward search is analogous to that of forward search. Note that forward checking of with respect to is equivalent to backward checking of with respect to , where is simply , with primed and unprimed variables exchanged.
IiB Notations
Each variable is called an atom. A literal is an atom or a negated atom . A conjunction of a set of literals, i.e., , for , is called a cube. Dually, a disjunction of a set of literals, i.e., , for , is called a clause. Obviously, the negation of a cube is a clause, and vice versa. Let be a set of cubes (resp., clauses), we define the Boolean formula (resp., . For simplicity, we use to represent when it appears in a Boolean formula; for example, the formulas and , abbreviate and .
A cube (/clause) can be treated as a set of literals, a Boolean formula, or a set of states, depending on the context it is used. If appears in a Boolean formula, for example, , it is treated as a Boolean formula. If we say a set is a subset of , then we treat and as literal sets. If we say a state is in , then we treat as a set of states.
We use / to denote the current/primed version of the state . Similarly, we use / to denote the current/primed version of a Boolean formula . For the transition formula , we use the notation to highlight that it contains both current and primed variables. Consider a Boolean formula whose alphabet is and is in the conjunctive normal form (CNF). If is satisfiable, there is a full assignment such that . Moreover, there is a partial assignment such that for every full assignment it holds that . In the following, we use the notation to represent a partial assignment of , and use to represent the subset of achieved by projecting variables only to . On the other hand, if is unsatisfiable, there is a Minimal Unsat Core (MUC) (here is treated as a set of clauses) such that is unsatisfiable and every is satisfiable. In the following, we use the notation to represent such a MUC of , and use to represent the subset of achieved by projecting clauses only to . Since is a cube, is also a cube.
Iii The Framework of CAR
We present here a variant of standard reachability checking, in which the set of maintained states is allowed to be approximate. The new approach is named Complementary Approximate Reachability, abbreviated as CAR. As in standard reachability analysis, CAR also enables both forward and backward search. In the following, we introduce the forward approach in detail; the backward approach can be derived symmetrically.
Iiia Approximate State Sequences
In standard forward search, described in Section II, each is a set of states that are reachable from in steps. To compute elements in , previous SATbased symbolicmodelchecking approaches consider the formula , and use partialassignment techniques to obtain all states in from (by projecting to the prime part of the assignments). Since the set of reachable states is computed accurately, maintaining a sequence of sets of reachable states from enables to check both safety and unsafety. However in Forward CAR, two sequences of sets of reachable states are necessary to maintain: 1). () is a sequence of overapproximate state sets, which are supersets of reachable states from . 2) () is a sequence of underapproximate state sets, which are subsets of reachable states to . Under the approximation, the first sequence is only sufficient to check safety, and the second one is then required to check unsafety. The two state sequences are formally defined as follows.
Definition 1
For a Boolean system and the safety property , the overapproximate state sequences , which is abbreviated as sequence, and the underapproximate state sequence , which is abbreviated as sequence, are finite sequences of state sets such that:
Basic  
Constraint  –  
Inductive 
For each , we call it a frame. We also define the notation is the set of states in the sequence, and is the set of states in the sequence.
Note that the  and sequence are not required to have the same length. Intuitively, each is an overapproximate set of states that are reachable from in one step, and is an underapproximate set of states that are reachable to in one step. As we mentioned in Section II, we overload notation and consider to represent (1) a set of states, (2) a set of clauses and (3) a Boolean formula in CNF. Analogously, we consider to be (1) a set of states, (2) a set of cubes and (3) a Boolean formula in DNF.
The following theorem shows that, the safety checking is preserved even if becomes overapproximate.
Theorem 1 (Safety Checking)
A system is safe for iff there is and an sequence such that .
IEEEproof 1
() Let . According to Definition 1, if is true, . So contains all reachable states from . Also we know , so holds. That means is empty, and thus all reachable states from , which are included in , are not in . So the system is safe for .
() Assume the system is safe for , then all reachable states from are in . Let be the set of reachable states from . Now let and , and according to Definition 1 we know that is an sequence satisfying .
Theorem 1 is insufficient for unsafety checking, as has to prove false for every . On the other hand, the unsafety checking condition in the standard forward reachability is not correct when becomes overapproximate. Our solution is to benefit from the information stored in the sequence.
Theorem 2 (Unsafety Checking)
For a system and the safety property , is unsafe for iff there is and a sequence such that .
IEEEproof 2
() If and according to Definition 1, we can find a path in such that and for . Hence we have that , which means is a counterexample. So is unsafe for .
() If is unsafe for , there is a path from to . Let the length of be , and state on the path is labeled as . Now we construct the sequence () in the following way: Let and for . So satisfying (because ).
Besides, since CAR maintains two different sequences, exploring the relationship between them can help to establish the framework. The following property shows that, the states stored in  and  sequences are unreachable when the system is safe for the property .
Property 1
For a system and the safety property , is safe for iff there is an sequence such that for every sequence.
IEEEproof 3
() Theorem 1 shows if is safe for there is an sequence and such that . Let . We have proven that , i.e. is the upper bound of . So for all . On the other hand, since we consider arbitrary sequence, we set to its upper bound: the set of all reachable states to . In this situation, . Now if , assume that . So is reachable to . Assume is reachable to and from the definition of we know too. However, this is a contradiction, because is empty based on the constraint . So is true.
() Since both and have an upper bound, we can set them to their upper bounds. That is, set to contain all reachable states from , and to contain all reachable states to . Because has the same upper bound with , indicates that is not reachable to . So is safe for .
Property 1 suggests a direction that how we can refine the sequence and update the sequence. That is to try to make the states in these two sequences unreachable. More details are shown in the next section.
We have established the Forward CAR framework, and presented the theoretical guarantee for both safety and unsafety checking. Note that symmetrically, Backward CAR performs the same framework on with respect to , where is simply with primed and unprimed variables exchanged.
IiiB The Framework
Unlike the standard forward reachability, which computes all states in from the single formula , Forward CAR computes elements of from different SAT calls with different inputs. Each SAT call gets as input a formula of the form , where the cube is in some and is its primed version. If the formula is satisfiable, we are able to find a new state which is in ; otherwise we prove that , which indicates can be refined by adding the clause . The following lemma shows the main idea of computing new reachable states to and new clauses to refine .
Lemma 1
Let () be an sequence, () be a sequence, cube () and the formula be :

If is satisfiable, there is a cube such that every state is a predecessor of some state in and . By updating , the sequence is still a sequence.

If is unsatisfiable, . Moreover, there is a cube such that and . By updating , the sequence is still an sequence.
IEEEproof 4

Since is satisfiable, there exists a partial assignment , which is a set of literals, of . Now by projecting to the part only contains current variables, i.e. , we set . Let and are two states. From the definition of partial assignment, we know that is a full assignment of . So is a predecessor of . Moreover, since consists of only current variables, implies . So is true. Before updating , we know that . And since and , so . Hence, . That is, is underapproximate. Finally, for every other , is true. From Definition 1, the sequence is still a sequence.

From the definition , we know for every state there is a state such that . If there is a state such that , we know that there is such that is an assignment of , making satisfiable. But this is a contradiction. So . Moreover, since is unsatisfiable, there is a cube such that and is still unsatisfiable. So is also true, which implies that , i.e. states represented by includes all those in . So is true, which means is still overapproximate. For every other , they remains overapproximate. As a result, we prove that the sequence is still an sequence.
In the lemma above, Item 1 suggests to add a set of states rather than a single one to the sequence, and similarly Item 2 suggests to refine the sequence by blocking a set of states rather than a single one. In both situations, it will speed up the computation. These two kinds of heuristics can be achieved by partialassignment and MUC techniques. That is, we can set in Item 1, and in Item 2. Now, we provide a general framework of CAR, which is shown in Table I.

The motivation of the computation are simply twofold: 1) Enlarge the lengths of the  and sequences step by step (controlled by in the framework); 2) For each , update both sequences until either the unsafety is detected (Step 3(b)ii) or . From Property 1, is a necessary condition to prove safety (in Step 3c). In Step 3(b)i, we choose the minimal index because CAR aims to find a counterexample, if exists, as soon as possible. The  and sequence are not extended synchronously: In each , the sequence is extended only once (in Step 3a), while the sequence is extended more than once (in Step 3(b)iv and 3(b)vi). In Step 3c, the constraint can be checked by SAT solvers with the input formula (). The constraint holds iff the formula is unsatisfiable. and are updated by default when the  and sequence are updated. The correctness and termination of the framework are guaranteed by the following theorem.
Theorem 3
Given a system and a safety property , the framework terminates with a correct result.
We first show that the assertions in the framework are always true, and then prove the while loop in Step 3b can finally terminate.
IEEEproof 5
Informally speaking, Lemma 2 guarantees that adding to increases strictly the states in (recall that each is in DNF), while adding to decreases strictly the states in ( is in CNF). The assertions help to prove the termination of Step 3b.
Lemma 3
Step 3b in the framework will finally terminate.
IEEEproof 6
Assume that never holds, and in the framework is always true. So there is always a formula such that the  or sequence can be updated (see Step 3(b)vi and 3(b)vii). Moreover, Lemma 2 guarantees that the size of each decreases strictly while the size of increases strictly. However, since the sizes of s and are bounded, they cannot be updated forever. As a result, either must be finally true, or finally holds.
Now we are ready to prove Theorem 3.
IEEEproof 7
First of all, if the framework returns, Lemma 1 guarantees the  and  sequences are preserved under the framework. Hence, the correctness is guaranteed by Theorem 2 and Theorem 1.
Now we prove the framework will finally return. First Theorem 3 guarantees the while loop in the framework can always terminate, with unsafe or is true. As a result, the loop body on each can finally terminate. Now we prove the loop on can also terminate. If is unsafe for with a counterexample of length of greater than one, the framework will return finally according to Item 3(b)ii. It is because the size of is bounded, so the size of is also bounded. Moreover, Lemma 2 guarantees the size of keeps growing in each , thus will finally contain all reachable states to for some , which will include an initial state in . On the other hand, if is safe for , since is also bounded, and Lemma 2 guarantees the size of each keeps decreasing, so will finally contain only the set of reachable states from for some . At that time, our framework will return according to Item 3c based on Theorem 1.
IiiC Related Work
There are two main differences between CAR and IC3/PDR. First, IC3/PDR requires the sequence to be monotone, while CAR does not. Because CAR keeps the sequence nonmonotone, it does not require the push and propagate processes, which are necessary in IC3/PDR. A drawback for CAR is that additional SAT calls are needed to check safety, i.e. to find such that holds. In IC3/PDR, since the sequence is monotone, it is easy to find such that syntactically.
Another main difference between CAR and IC3/PDR is the way they refine the sequence. CAR utilizes the offtheshelf MUC techniques, while IC3/PDR puts more efforts to compute MIC such that the refined sequence is still monotone. Moreover, MIC are relatively inductive, while clauses from MUC cannot guarantee. As a result, CAR and IC3/PDR refines the sequence by different kinds of clauses, and thus perform differently. Although computing relativelyinductive clauses is proved to be efficient in IC3/PDR, we show in the experiments that, CAR complements IC3/PDR on the instances that computing relatively inductive clauses is not conducive for efficient checking.
It is trivial to apply the framework of CAR in both forward and backward directions by simply reversing the direction of the model. Indeed, our implementation of CAR runs the forward and backward modes in parallel. Although in theory it is also possible to run IC3/PDR in backward mode, there is a technical issue that must be addressed. In most IC3/PDR implementations, the initial states is considered as a single cube. This helps to save a lot of SAT calls in the process of generalization, in which the computed clause must satisfy is unsatisfiable. (When is a cube it is reduced to checking the containment of .) But usually the set of unsafe states cannot be expressed by a single cube, which makes it more complex to run IC3/PDR in a backward mode. Indeed, the evaluation of IC3/PDR in the backward mode is still an open topic.
CAR also maintains an underapproximate state sequence (Bsequence) to check unsafety, while IC3/PDR checks unsafety “onthefly”. Other papers also introduced multiple state sequences. The approach of “Dual Approximated Reachability” maintains two overapproximate state sequences to check safety in both forward and backward directions [13]. In contrast, we maintain two complementary (over and under) approximate state sequences to check safety and unsafety at the same time. In [14], states reachable from initial states are maintained to help to handle proofobligation generation. In contrast, the sequence keeps states that reach bad states. In PDKIND[15], the idea of keeping both over and under approximate (F and B) state sequences is also introduced, and the Bsequence is used to refine the Fsequence as well. However, CAR utilizes the Fsequence for safety checking and Bsquence for unsafey checking, while PDKIND utilizes the Fsequence for unsafety checking and another “induction frame” has to be introduced for the safety checking. Moreover, CAR and PDKIND use very different underlying techniques: CAR uses MUC and partial assignment, while PDKIND uses interpolation and generalization.
Iv Experiments
Experimental Setup In this section, we report the results of the empirical evaluation. Our (C++) model checker CARchecker^{1}^{1}1 https://github.com/lijwen2748/CARchecker runs CAR in both Forward and Backward modes, using Minisat [16] and Muser2 [10] as the SAT and MUC engines. The tool implements the algorithm from [11] to extract partial assignments. The performance of CARchecker is tested by evaluating it on the 548 safety benchmarks from the 2015 HardwareModelChecking Competition [3].
We first compared the performance of CAR with that of IC3/PDR, as implemented in the stateoftheart model checker ABC [9] (the “pdr” command in ABC with default parameters). It should be noted that, there are many variants of IC3/PDR implementations currently, in which many heuristics are applied to the original one [17]. We choose ABC as the reference implementation for comparison because it is a standard model checker integrating several kinds of SATbased model checking techniques. Moreover, a portfolio of modern model checkers consists of IC3/PDR, BMC (Bounded Model Checking), and IMC (Interpolation Model Checking), so we also run the experiments of BMC and IMC in ABC to explore the contribution of CAR compared to an existing portfolio (we used the “bmc2” and “int” commands in ABC with default parameters).
We run the experiments on a compute cluster that consists of 2304 processor cores in 192 nodes (12 processor cores per node), running at 2.83 GHz with 48GB of RAM per node. The operating system on the cluster is RedHat 6.0. When we run the experiments, each tool is run on a dedicated node, which guarantees that no CPU or memory conflict with other jobs will occur. Our tool CARchecker can run CAR in Forward mode, Backward mode or combined mode, which returns the best result from either of the approaches. In our experiments, memory limit was set to 8 GB and time limit (CPU time) to 1 hour. Instances that cannot be solved within this time limit are considered unsolved, and the corresponding time cost is set to be 1 hour. We compare the modelchecking results from CARchecker with those from ABC on all benchmarks, and no discrepancy is found.
Experimental Results We show first overall performance comparison among different approaches in Fig. 1. Neither Forward CAR nor Backward CAR by itself is currently competitive with IC3/PDR. The reasons are as follows. First, the implementation of CARchecker does not utilize the power of incremental SAT computing, since the clauses to be added to the SAT solver are from the output of MUC solvers; We do not know of a way to combine them incrementally. In contrast, incremental SAT calling is an important feature in IC3/PDR. Secondly, ABC is a mature tool, incorporating many heuristics, while CARchecker has only been in development for a few months so it is not be surprising that ABC performs better. We believe that the performance of CARchecker can be improved in the future.
Nevertheless, CAR is able to compete with IC3/PDR when combining the Forward and Backward modes. In Fig. 1, the plotted line for “Combined CAR” is obtained from the best results which selected from either Forward or Backward CAR: Combined CAR solves a total number of 288 instances, while IC3/PDR solves a total number of 271 instances. Moreover, 42 instances are solved only by Combined CAR. We view the advantage of running CAR in both directions as one of the contributions of this paper; it remains to be seen whether this would also be an advantage for IC3/PDR.
A major point we wish to demonstrate in this section, is that Forward CAR complements IC3/PDR. In Fig. 1, the plotted line for “Forward CAR + IC3/PDR” shows the best results from Forward CAR and IC3/PDR. This combination outperforms IC3/PDR by solving 21 more instances. These 21 instances are solved by Forward CAR on checking safe models, see the results in Fig 3. In contrast, in Fig. 2 we see that the portfolio of Forward CAR combined with IC3/PDR does not win more instances than IC3/PDR on checking unsafe models (the two lines are plotted together), while in Fig. 3 the improvement is obvious.
As a concrete example, consider a real instance “6s24.aig” in the benchmark, which is solved quickly by Forward CAR but times out by IC3/PDR. Forward CAR adds the clause (2956 is an input id in the model) into in Frame 1 because the cube is detected to represent a set of dead states. Moreover, it also detects the clause must be added to , as the states represented by the cube are one step unreachable from . As a result, Forward CAR quickly decides in Frame 1 that this model is safe, because both clauses and cannot meet in (recall that ). For IC3/PDR, although it can detect that the clause should be added to , it cannot add the clause into , because it is not a relatively inductive clause, i.e. is not true. As a result, computing relativelyinductive clauses is less conductive than computing nonrelativelyinductive clauses to check this benchmark. So Forward CAR is able to complement IC3/PDR in such similar instances.
Furthermore, if we consider important parameters that influence the performance, e.g., number of clauses and number of frames, we get more positive results. Note that comparing the number of SAT calls between Forward CAR and PDR is not too informative, since Forward CAR also contains MUC calls. So fewer SAT calls in Forward CAR does not mean lower cost. Fig. 4 and Fig. 5 shows respectively the scatter plots between Forward CAR and IC3/PDR on number of clauses and number of frames. From the figures, Forward CAR does not generate more clauses or more frames than IC3/PDR. In detail, 172 (175) instances are solved with fewer clauses (frames) by Forward CAR than IC3/PDR, comparing with that 121 (118) instances are solved with fewer clauses (frames) by IC3/PDR than Forward CAR. Generally speaking, the number of clauses and frames are positively correlated to the overall performance, which indicates that Forward CAR should be competitive with IC3/PDR, once CARchecker is as optimized as ABC.
Backward CAR complements both Forward CAR and IC3/ PDR on unsafe models. As shown in Fig. 2, Backward CAR solves more unsafe cases (80) than IC3/PDR (72) and Forward CAR (51). Moreover, the combination of the three approaches solves 17 more unsafe cases than Forward CAR and IC3/PDR. It is surprising to see that the performance of Forward CAR is much worse than that of Backward CAR (51 vs 80), and all solved cases by Forward CAR are also solved by Backward CAR. Forward CAR searches from bad states () and the goal states are in , while Backward CAR searches from and the goal states are in . A conjecture is that the state space of is much larger than that of , thus causing the overapproximate search to the states in to be easier. Although Backward CAR solves more unsafe cases than IC3/PDR, there are several cases that can be solved by IC3/PDR but cannot be solved by Backward CAR. We leave further comparison between IC3/PDR and Backward CAR to future work.
Finally, we explore the contribution of CAR to the current SATbased modelchecking portfolio, which includes BMC, IMC and IC3/PDR. Fig. 1 shows the plots on the combinations IC3/PDR+BMC+IMC, IC3/PDR+BMC+IMC+Forward CAR, and IC3/PDR+BMC+IMC+Combined CAR. Forward CAR adds 19 solved instances (all safe models) to the combination of IC3/PDR+BMC+IMC, and Backward CAR solves another two (1 safe and 1 unsafe model). Although BMC solves the most unsafe cases (116), there are three unsafe instances solved only by IC3/PDR and one unsafe instance solved only by Backward CAR. For safe models, the number of solved instances only by IC3/PDR, IMC, Forward CAR and Backward CAR are 13, 12, 19, 1, respectively.
In summary, we conclude from our experimental results that 1) Forward CAR complements IC3/PDR on checking safe models; 2) Backward CAR complements IC3/PDR on checking unsafe models; 3) Running CAR in both directions improves the performance, and 4) CAR contributes to the current portfolio of model checking strategies. We expect these conclusions to be strengthened as the development of CARchecker matures.
V Concluding Remarks
CAR is inspired by IC3/PDR, but it differs from it in some crucial aspects. A main difference between CAR and IC3/PDR is that CAR does not require the sequence to be monotone. Also CAR uses a different strategy (MUC) to refine the sequence than IC3/PDR. Furthermore, CAR combines its overapproximate and underapproximate searches in both forward and backward modes. Due to these differences, CAR and IC3/PDR have different performance profiles. Our experiments show that IC3/PDR and CAR complement each other. The fact that our new tool, after a few months of development, outperforms mature tools that have been under development for many years over a nonnegligible fraction of the benchmark suite, speaks to the merit of the new approach.
Furthermore, the area of SATbased model checking is still a very active research topic. Many improvements to IC3/PDR have been proposed since the first published paper [7]. For example, a recent development is the combination of IC3/PDR with IMC in the Avy tool [18]. We believe that beyond the CAR tool, the CAR framework is an important contribution to this research area and will stimulate further research. For example, it may be easier to combine IMC with CAR than to combine IMC with IC3/PDR, as currently Avy has to pay extra effort to convert the generated interpolation invariants to be monotone, meeting the requirement to the state sequence maintained by IC3/PDR, while CAR does away with this monotonicity requirement.
To conclude, we presented here Complementary Approximate Reachability (CAR), a new framework for SATbased safety model checking. CAR checks at the same time for both safety and unsafety in a more general way than IC3/PDR, and uses a different technique to refine the overapproximate state sequence. Experiments show that CAR complements IC3/PDR and contributes to the current portfolio, which consists of IC3/PDR, BMC and IMC. We argue therefore CAR is a promising approach for safety model checking.
Vi Acknowledgement
The authors thank anonymous reviewers for the helpful comments, and also thank Yakir Vizel and Alexander Ivrii for fruitful discussions. Jianwen Li is partially supported by China HGJ Project (No. 2017ZX0 1038102002), and NSFC Project No. 61532019. Geguang Pu is supported by NSFC Project No. 61572197. Moshe Y. Vardi is supported in part by NSF grants CCF1319459 and IIS1527668, and by NSF Expeditions in Computing project ”ExCAPE: Expeditions in Computer Augmented Program Engineering”.
References
 [1] A. Bernardini, W. Ecker, and U. Schlichtmann, “Where formal verification can help in functional safety analysis,” in Proceedings of the 35th International Conference on ComputerAided Design. New York, NY, USA: ACM, 2016, pp. 85:1–85:8.
 [2] A. Golnari, Y. Vizel, and S. Malik, “Errortolerant processors: Formal specification and verification,” in 2015 IEEE/ACM International Conference on ComputerAided Design (ICCAD), Nov 2015, pp. 286–293.
 [3] A. Biere and K. Claessen, “Hardware model checking competition,” .http://fmv.jku.at/hwmcc15/.
 [4] A. Biere, “Aiger format,” http://fmv.jku.at/aiger/FORMAT.
 [5] A. Biere, A. Cimatti, E. Clarke, M. Fujita, and Y. Zhu, “Symbolic model checking using SAT procedures instead of BDDs,” in Proc. 36st Design Automation Conf. IEEE Computer Society, 1999, pp. 317–320.
 [6] K. McMillan, “Interpolation and SATbased model checking,” in Computer Aided Verification, ser. Lecture Notes in Computer Science, J. Hunt, WarrenA. and F. Somenzi, Eds. Springer Berlin Heidelberg, 2003, vol. 2725, pp. 1–13.
 [7] A. Bradley, “SATbased model checking without unrolling,” in Verification, Model Checking, and Abstract Interpretation, ser. Lecture Notes in Computer Science, R. Jhala and D. Schmidt, Eds. Springer Berlin Heidelberg, 2011, vol. 6538, pp. 70–87.
 [8] N. Een, A. Mishchenko, and R. Brayton, “Efficient implementation of property directed reachability,” in Proceedings of the International Conference on Formal Methods in ComputerAided Design, 2011, pp. 125–134.
 [9] R. Brayton and A. Mishchenko, “ABC: An academic industrialstrength verification tool,” in Computer Aided Verification, CAV. Springer Berlin Heidelberg, 2010, pp. 24–40.
 [10] J. MarquesSilva and I. Lynce, “On improving MUS extraction algorithms,” in Theory and Applications of Satisfiability Testing  SAT 2011, ser. Lecture Notes in Computer Science, K. Sakallah and L. Simon, Eds. Springer Berlin Heidelberg, 2011, vol. 6695, pp. 159–173.
 [11] Y. Yu, P. Subramanyan, N. Tsiskaridze, and S. Malik, “AllSAT using minimal blocking clauses,” in 2014 27th International Conference on VLSI Design and 2014 13th International Conference on Embedded Systems, 2014, pp. 86–91.
 [12] N. Amla, X. Du, A. Kuehlmann, R. Kurshan, and K. McMillan, “An analysis of SATbased model checking techniques in an industrial environment,” in Proc. 13th IFIG Advanced Research Working Conference on Correct Hardware Design and Verification Methods, ser. Lecture Notes in Computer Science, vol. 3725. Springer, 2005, pp. 254–268.
 [13] Y. Vizel, O. Grumberg, and S. Shoham, “Intertwined forwardbackward reachability analysis using interpolants,” in Tools and Algorithms for the Construction and Analysis of Systems, 2013, pp. 308–323.
 [14] A. Gurfinkel and A. Ivrii, “Pushing to the top,” in Formal Methods in ComputerAided Design., 2015, pp. 65–72.
 [15] D. Jovanovic and B. Dutertre, “Propertydirected kinduction,” in Formal Methods in ComputerAided Design., 2016, pp. 86–92.
 [16] N. Eén and N. Sörensson, “An extensible SATsolver,” in SAT, 2003, pp. 502–518.
 [17] A. Griggio and M. Roveri, “Comparing different variants of the IC3 algorithm for hardware model checking,” IEEE Transactions on ComputerAided Design of Integrated Circuits and Systems, vol. 35, no. 6, pp. 1026–1039, June 2016.
 [18] Y. Vizel and A. Gurfinkel, “Interpolating property directed reachability,” Computer Aided Verification: 26th International Conference, CAV 2014, pp. 260–276, 2014.