### Table 1. Test Sequence Constructed from SMV Counterexample.

"... In PAGE 5: ... The CTL property is an example of a trap property. Table 1 illustrates the test sequence that can be constructed from the counterexample produced when SMV detects a violation of the above trap property in the SIS specification. In the table, the initial values of WaterPres, Block, Reset, SafetyInjection, and Pressure are shown in step 0, which represents the initial state.... In PAGE 5: ... In the table, the initial values of WaterPres, Block, Reset, SafetyInjection, and Pressure are shown in step 0, which represents the initial state. (Due to lack of space, Table 1 omits the term Overridden.) To clarify which variable values change from one state to the next, Table 1 only shows the variable values which change at each step and omits the values that remain the same.... In PAGE 5: ... (Due to lack of space, Table 1 omits the term Overridden.) To clarify which variable values change from one state to the next, Table 1 only shows the variable values which change at each step and omits the values that remain the same. Note that the changes in WaterPres from one state to the next never exceed 3 psi and thus satisfy the constraints of the input model.... In PAGE 6: ... The six inputs that lead to the violation of the trap property form the input sequence for the test sequence. Table 1 shows that the only change to the SIS output produced by this input sequence is the change at step 4 in the value of SafetyInjection. The test sequence of length six shown in Table 1 may be represented more concisely as < (r,Off; --I, (w,5; -1, (w,8; - >, (w, 10; s,off), &on; -), (w,8; -) >, (1) where T, w, and b represent the input variables Reset, WaterPres, and Block; s represents the single output variable SafetyInjection; and - indicates that no output variable changes.... In PAGE 6: ... Table 1 shows that the only change to the SIS output produced by this input sequence is the change at step 4 in the value of SafetyInjection.
The test sequence of length six shown in Table 1 may be represented more concisely as < (r,Off; --I, (w,5; -1, (w,8; - >, (w, 10; s,off), &on; -), (w,8; -) >, (1) where T, w, and b represent the input variables Reset, WaterPres, and Block; s represents the single output variable SafetyInjection; and - indicates that no output variable changes. 2 Clearly, checking the software behavior with this test sequence will test whether the software satisfies property P.... In PAGE 6: ... In addition to changes in output values, a test sequence may also include changes in the values of one or more auxiliary variables. For example, the test sequence in (1) could be extended to include changes in the mode class Pressure, which changes (see Table 1) to Permitted at step 4 and to TooLow at step 6. Although this method can test many critical aspects of the system behavior, it has several weaknesses.... ..."

### Table 1. Translation from Alloy to RML (negation for counterexample extraction included)

"... In PAGE 4: ...oy need to be transformed into compound expressions, i.e., the definition of the notation is inlined. Table 1 summarizes the basic Alloy operators that our prototype implementation can currently translate to RML code. Table 1.... ..."

### Table 2. Using Logen to speedup model checking

2004

"... In PAGE 15: ... First, xtl can be used in a mode where the counter example trace is not constructed as a Prolog term during the model checking. For technical reasons4 this is more efficient, as can be seen in the No Trace column of Table 2. Note that the counter example can still be extracted from the xsb table structures [4].... In PAGE 16: ....e., we can specialise the model checker for a particular temporal logic formula and for using our OPN interpreter for a particular object Petri net. This is what we have undertaken, and the results can be found in Table 2. Note that we have derived the compiler from the model checker that does not compute traces (but it would have been possible to do so for the model checker that does compute them).... ..."

Cited by 5

### Table 1: Counterexamples

"... In PAGE 21: ...4, whereas the remaining consistency results follow from Proposition 6. Strictness, the absence of further extensions and the inconsistencies follow from the information collected in Table 1, which indicates which of the TSSs P1–P8 given in this paper are meaningful according to each of the solutions. A `?' indicates that the TSS is meaningless, a `+' that it has the same meaning as given by Solution 9, and a ` ' that it has a meaning different from the one given by Solution 9.... ..."

### Table 5: Counterexamples To T.19. cent prod stra

1998

"... In PAGE 6: ... end_of_list. Note that both Otter (when trying to prove a conjecture) and Mace (when trying to disprove it) use exactly the same input-file! After running Mace using a domain size 2 (for example -n2 -p -m10) we find the four counterexamples of Table 5.... In PAGE 7: ... Let us analyze the counterexamples more precisely. They have the following form (let Oa denote O1 in the first two models and O2 in the second two): $\mathrm{cent}(Oa) < \mathrm{cent}(Ob) \wedge \mathrm{prod}(Oa) < \mathrm{prod}(Ob) \wedge \mathrm{stra}(Oa) = \mathrm{stra}(Ob)$ An obvious way to implement option 2 is to formalize the intended theorem as the weaker the higher the centralization, the higher or equal the stratification: $\forall x, y\ [\mathrm{cent}(x) < \mathrm{cent}(y) \rightarrow \mathrm{stra}(x) \leq \mathrm{stra}(y)]$ This weaker version of the theorem holds in the models of Table 5, turning the former counterexamples into examples. Now, we make a second attempt at proving this (weaker version of the) theorem using Otter.... In PAGE 7: ... Now, we make a second attempt at proving this (weaker version of the) theorem using Otter. Note that, although we have dealt with the (type of) counterexamples in Table 5, this gives no guarantee that there are no other counterexamples. There turns out to be none, because Otter can prove the weaker version of T.... In PAGE 7: ...19 is to add the axiom that a higher production will imply a higher stratification (the converse of F.5): $\forall x, y\ [\mathrm{prod}(x) < \mathrm{prod}(y) \rightarrow \mathrm{stra}(x) < \mathrm{stra}(y)]$ After adding this axiom, the models of Table 5 are no longer models of the (modified) theory, making these counterexamples disappear. This is confirmed by Otter which can now prove the theorem T.... In PAGE 8: ...mple, it is a model of theorem T.190. We can also check whether theorems are falsifiable by constructing a model in which the theorem does not hold (disregarding the premises). For example, the models in Table 5 still prove that theorem T.190 is falsifiable.... ..."

Cited by 4

### Table 2. Comparison of SAT based reparameterization symbolic simulation against plain SAT based simulation as in [CCS+02]. y: Model checking of abstract model timed out, z: Simulation of counterexample failed, and ?: Simulation of counterexample timed out.

2004

"... In PAGE 13: ...5GB. Table 2 describes the comparative experiment of the new technique with the results as described in [CCS+02]. The refinement technique used and all other parameters were the same in both sets of experiments.... ..."

### Table 1 shows results for minimization of counterexamples for several programs. The first column shows which program is being model checked. The remaining columns give results for the non-minimized counterexample, the greedily minimized counterexample, and the optimally minimized counterexample, in groups of three. In each group, the first column gives the time taken to generate a counterexample (time(s)). The second column ( [x]) in each group gives the sum of the absolute values of the variables and the third

### Table 11: Counterexamples to Propositions 4. cons soli nrpd

"... In PAGE 6: ...e use only A.7, A.9, MP.1, and MP.2).3 Similarly, for Table 10: Counterexamples to Propositions 2. soli dlab napm 0 0 0 0 1 1 0 0 0 0 0 1 1 1 0 1 0 0 0 0 1 1 1 0 0 0 0 1 1 1 1 1 0 0 1 0 1 1 1 0 0 0 1 0 1 1 1 0 > 0 1 0 F F 1 T F Proposition 4 in Table 11 (w.... In PAGE 6: ... 4MACE finds twelve models on domain size 2. Table 11 prints six of Table 11: Counterexamples to Propositions 4. cons soli nrpd... In PAGE 7: ...Proof: OTTER can derive T.2 from A.12 and A.13.) In case of Proposition 4 we must take care of the counterexamples in Table 11 (after adding Axioms 12 and 13, Proposition 4 is still not derivable, and the same counterexamples remain). All counterexamples in Table 11 are of the form cons(1) > cons(0) and soli(0) = soli(1), To restore the argumentation for Proposition 4 we only need to add an axiom stating that the greater the consensus, the greater the solidarity (the converse of Axiom 8): A.... In PAGE 7: ...Proof: OTTER can derive T.2 from A.12 and A.13.) In case of Proposition 4 we must take care of the counterexamples in Table 11 (after adding Axioms 12 and 13, Proposition 4 is still not derivable, and the same counterexamples remain). All counterexamples in Table 11 are of the form cons(1) > cons(0) and soli(0) = soli(1), To restore the argumentation for Proposition 4 we only need to add an axiom stating that the greater the consensus, the greater the solidarity (the converse of Axiom 8): A.14 $\forall x, y\ [\mathrm{cons}(x) > \mathrm{cons}(y) \rightarrow \mathrm{soli}(x) > \mathrm{soli}(y)]$ This takes care of all counterexamples, because a new proof attempt of Proposition 4 succeeds.... ..."

### Table 1: Property checking on the abstracted fabric

"... In PAGE 8: ...All the properties in Table 1 were checked using the sift algorithm [14] which is a dynamic ordering algorithm. Dynamic ordering provides an optimized order that will drastically decrease the memory usage, nodes allocated, and hence decrease CPU time.... In PAGE 11: ...From previous experiments, we found that property checking is almost impossible using the original fabric, and it is very slow using the abstracted model as shown in Table 1. However, using the abstracted fabric unit, acceptable time of property checking is achieved.... In PAGE 11: ... 3.5 Concluding results on property checking All property checking results in Table 1 were obtained by using the abstracted fabric and dynamic ordering, and some results are not satisfactory since they take a long CPU time. By using cascade property division, serial property division and latch reduction, we got satisfactory results (see Table 7).... In PAGE 12: ... These five errors were detected by property checking and VIS generated counterexamples that exhibit the incorrect behavior of the corresponding signals. Experimental results are reported in Table 10, where the CPU time includes the time for property checking and counterexample generation. 4 Equivalence Checking Besides property checking, VIS supports combinational and sequential equivalence checking of two circuits.... In PAGE 14: ... In addition, we checked the combinational equivalence of the Acknowledgment module. After using dynamic ordering, we checked the equivalence for Dataswitch_i and Arbitration modules, but they consumed too much CPU time (see Table 10). We failed to verify in VIS the modules Dataswitch, Pause_dataswitch and Switch_fabric.... In PAGE 15: ... Table 10 compares the CPU time of equivalence checking among four similar modules with one, two, three and four DMUX units, respectively.
In Table 10, the Dataswitch_i module (including four DMUX units) has only 4 latches more than the module with three DMUX units, but the CPU time of equivalence checking increased from 9.... In PAGE 15: ... Experimental results are reported in Table 10. Table 10: Equivalence checking among modules with different DMUX units Components CPU time (seconds) Memory usage (MB) Nodes allocated Number of latches Module with one DMUX 0.7 ? ? 4 Module with two DMUX 6.... In PAGE 15: ...7 ? ? 12 Dataswitch_i (with four DMUX) 1855.8 ? ? 16 Table 11: Error detection in equivalence checking of submodules Experiments Affected submodules CPU time (seconds) Memory usage (MB) Nodes allocated Error 1 Arbiters 20.6 ? ? Error 2 Priority_decode 24.... In PAGE 18: ...eports No. 328 & No. 329, University of Cambridge, Computer Laboratory, March 1994. Table 12: Summary of human time taken Verification phases Time taken Structural description 3 Behavioral description 10 Simulation 3 Equivalence checking 1 Property checking 3 Total... ..."