In the event that a system does not satisfy a speci cation, a model checker will typically automatically produce a counterexample trace that shows a particular instance of the undesirable behavior.

Given a formula # in quantifier-free Presburger arithmetic, it is well known that, if there is a satisfying solution to #, there is one whose size, measured in bits, is polynomially bounded in the size of #. In this paper, we consider a special class of quantifier-free Presburger formulas in which most linear constraints are separation (di#erence-bound) constraints, and the non-separation constraints are sparse. This class has been observed to commonly occur in software verification problems. We derive a new solution bound in terms of parameters characterizing the sparseness of linear constraints and the number of non-separation constraints, in addition to traditional measures of formula size. In particular, the number of bits needed per integer variable is linear in the number of non-separation constraints and logarithmic in the number and size of non-zero coe#cients in them, but is otherwise independent of the total number of linear constraints in the formula. The derived bound can be used in a decision procedure based on instantiating integer variables over a finite domain and translating the input quantifier-free Presburger formula to an equi-satisfiable Boolean formula, which is then checked using a Boolean satisfiability solver. We present empirical evidence indicating that this method can greatly outperform other decision procedures.

The time required for a backtracking search procedure to solve a problem can be reduced by employing randomized restart procedures. To date,

Recently, it has been found that the cost distributions of randomized backtrack search in combinatorial domains are often heavytailed. Such heavy-tailed distributions explain the high variability observed when using backtrack-style procedures. A good understanding of this phenomenon can lead to better search techniques. For example, restart strategies provide a good mechanism for eliminating the heavy-tailed behavior and boosting the overall search performance. Several state-of-the-art SAT solvers now incorporate such restart mechanisms. The study of heavy-tailed phenomena in combinatorial search has so far been been largely based on empirical data. We introduce several abstract tree search models, and show formally how heavy-tailed cost distribution can arise in backtrack search. We also discuss how these insights may facilitate the development of better combinatorial search methods.

We introduce AVISS, a tool for security protocol analysis that supports the integration of back-ends implementing different search techniques, allowing for their systematic and quantitative comparison and paving the way to their e ective interaction. As a significant example, we have implemented three back-ends, and used the AVISS tool to analyze and find flaws in 36 protocols, including 31 problems in the Clark-Jacob's protocol library and a previously unreported flaw in the Denning-Sacco protocol.

We show a reduction to propositional logic from quantifier-free Presburger arithmetic, and disjunctive linear arithmetic, based on Fourier-Motzkin elimination. While the complexity of this procedure is not better than competing techniques, it has practical advantages in solving verification problems. It also promotes the option of deciding a combination of theories by reducing them to this logic.

1 Introduction Image Computation and Reachability Analysis Computing the set ofstates reachable in one step from a given set of states under a transition relation forms the heart of many symbolic state exploration algorithms, includingreachability analysis, model checking [8, 6, 7], etc. This operation is called image computation. Let us consider a state transition relation T over the set ofstates S. The set of states is defined by the set of valuations over a vector ofstate variables x. We denote a set or a vector of variables in a boldface. The

The paper presents a new tool for automated veri cation of Timed Automata as well as protocols written in the speci cation language Estelle. The current version oers an automatic translation from Estelle speci cations to timed automata, and two complementary methods of reachability analysis, the rst of which is based on Bounded Model Checking (BMC), while the second one is an on-the-y veri cation on an abstract model of the system.

The implementation of efficient Propositional Satisfiability (SAT) solvers entails the utilization of highly efficient data structures, as illustrated by most of the recent state-of-the-art SAT solvers. However, it is in general hard to compare existing data structures, since different solvers are often characterized by fairly different algorithmic organizations and techniques, and by different search strategies and heuristics. This paper aims the evaluation of data structures for backtrack search SAT solvers, under a common unbiased SAT framework. In addition, advantages and drawbacks of each existing data structure are identified. Finally, new data structures are proposed, that are competitive with the most efficient data structures currently available, and that may be preferable for the next generation SAT solvers.

search problems