Bounded Model Checking of Infinite State Systems: Exploiting the Automata Hierarchy

Tobias Schuele and Klaus Schneider
Reactive Systems Group, Department of Computer Science, University of Kaiserslautern
P.O. Box 3049, 67653 Kaiserslautern, Germany
{Tobias.Schuele, Klaus.Schneider}@informatik.uni-kl.de
http://rsg.informatik.uni-kl.de
Abstract

We present a new approach to bounded model checking that extends current methods in two ways: Firstly, instead of a reduction to propositional logic, we choose a more powerful, yet decidable target logic, namely Presburger arithmetic. Secondly, instead of unwinding temporal logic formulas, we unwind corresponding ω-automata. To this end, we employ a special technique for translating safety and liveness properties to ω-automata with corresponding acceptance conditions. This combination allows us to utilize bounded model checking techniques for the efficient verification of infinite state systems.

1 Introduction

The verification of finite state systems is one of the success stories of modern computer science. The breakthrough was achieved in the early nineties, when it was observed that finite sets can be efficiently represented by means of binary decision diagrams (BDDs) [10]. BDDs are a canonical normal form for propositional logic formulas. The development of BDDs was a cornerstone for symbolic model checking procedures based on fixpoint computations [4, 14] (see [20, 41] for more details). With sophisticated implementations and refinements of symbolic model checking, it became possible to verify systems of industrial size, and to detect errors that can hardly be found using simulation. However, it is well-known that for most propositional formulas BDDs suffer from an exponential blow-up that cannot be avoided [36]. This blow-up occurs not only in theory, but also for some relevant examples like the multiplication function [11]. As a result, BDD-based model checkers may fail for relatively small systems. Unfortunately, there are almost no criteria for estimating the runtime of symbolic model checkers in advance [3].

To solve this problem, bounded model checking (BMC) [5, 7] (a forerunner is described in [43]) has been proposed as an alternative to symbolic model checking based on fixpoint computations. The idea of BMC is to approximate the fixpoints according to an a priori given bound on the number of iterations. Technically, this is achieved by unwinding both the specification and the implementation a finite number of times. In this way, the verification task is reduced to a satisfiability problem of the base logic (usually propositional logic). The obtained formula can then be checked using sophisticated SAT solvers [27, 35, 37]. Experimental results show that BMC based on SAT solvers can be more efficient than fixpoint computations using BDDs [1, 17]. In general, the bound for unwinding the specification is unclear, just as the number of iterations required for a fixpoint computation is usually not known in advance. As a consequence, BMC is often regarded as an incomplete verification method that can be used to falsify a specification by searching for counterexamples up to a certain length. For finite systems, however, there always exists a maximal bound which is called the completeness threshold. Given a bound that is greater than or equal to the completeness threshold, BMC is complete for finite systems [6, 21]. As another problem of BMC, unwinding temporal logic formulas is an intricate task, at least if one wants to share common subterms that may appear after some unwinding steps. A better solution [21, 22] is to translate a given temporal logic formula to an equivalent ω-automaton, since automata naturally have the ability to share common parts. Clarke et al. refer to the use of automata in BMC as the semantic approach [21]. Bounded model checking is mainly used for the verification or falsification of safety and liveness properties. Intuitively, a safety property states that a desired property invariantly holds along a computation path.
In contrast, liveness properties require that a desired property must hold at least once on a given path. As a result, a liveness property
0-7803-8504-8/04/$20.00 © 2004 IEEE
Authorized licensed use limited to: Technische Universitat Kaiserslautern. Downloaded on March 16, 2009 at 07:35 from IEEE Xplore. Restrictions apply.
is satisfied once a state on a path is found that fulfills this property. Analogously, a safety property is falsified as soon as a state is found that violates the property. Besides safety and liveness properties, linear time temporal logic as well as ω-automata can express more powerful properties [31, 34, 41, 51]. Manna and Pnueli [34] were the first who investigated the hierarchy of temporal logics in correspondence to the hierarchy of ω-automata [31, 41, 48, 51]. This hierarchy consists of six classes of temporal properties: safety, liveness, obligation, persistence, recurrence, and reactivity (see Section 3.2). Various translations from linear time temporal logic to equivalent ω-automata have been developed [19, 26, 29, 32, 40, 52]. Most of these approaches translate a given formula to an equivalent (generalized) Büchi automaton, thus ignoring the membership to the classes in the above mentioned hierarchy. However, the acceptance condition of a Büchi automaton requires that some set of states must be visited infinitely often, which is difficult to check using BMC. For this reason, it is desirable to translate safety and liveness properties to other kinds of ω-automata where the acceptance conditions are in turn safety and liveness properties. In theory, this can be accomplished as follows: At first, the formula is translated to a Büchi automaton. Then, it must be checked whether the automaton could be converted to a safety or a liveness automaton [30, 31, 33, 41]. However, this test is as complex as the model checking problem itself. A better approach is to follow a syntactic definition of safety and liveness properties. Recently, Schneider extended Manna and Pnueli's work to future time temporal logic formulas [a]. To this end, he defined complete temporal logics that correspond to the six classes of the automata hierarchy. The translations of these sublogics to equivalent symbolic descriptions of ω-automata are described in [40, 41].
All of these translations run in linear time w.r.t. the length of the given formula. We review the basics of this translation in Section 3.2. In this paper, we employ the translations presented in [40, 41] for BMC. For safety and liveness properties, these translations yield ω-automata whose acceptance conditions are simple safety or liveness conditions. As a result, they can be unwound easily in order to generate satisfiability problems. In addition, techniques originally developed for the verification of finite state systems like temporal induction [43, 46] can be easily applied to automata. Again, this is due to the fact that the temporal properties one has to consider are simple invariant or reachability properties. Since propositional logic is limited to the representation of finite sets, we use a more powerful base logic, namely Presburger arithmetic [39]. Presburger arithmetic is a decidable first-order predicate logic [23, 38, 34], and hence, a superset of propositional logic. Presburger arithmetic has already been successfully used in global model checking
and symbolic simulation [12, 13, 44, 45]. Unfortunately, most verification problems are undecidable for infinite state systems¹. Thus, it may happen that the verification process does not terminate. In such cases, BMC is often advantageous since its strength is the verification of finite prefixes of a set of computation paths. There is not much other work about BMC of infinite state systems. In [22], a combination of SAT checkers with domain-specific theorem provers is described. The proposed method is based on a reduction of Boolean constraint formulas to a satisfiability problem of propositional logic. The obtained formulas are incrementally refined using a theorem prover by generating lemmas on demand. In this way, the approach can be used with various theories such as linear and bitvector arithmetic. However, sophisticated techniques are required to efficiently prune out spurious counterexamples that are generated by the SAT solver, but discarded by the theorem prover. Even though the method presented in [22] also follows the semantic approach, it is based on the construction of Büchi automata. In contrast, our method directly exploits safety and liveness properties as described above. The rest of this paper is organized as follows: In the next section, we describe the representation of infinite state systems by means of Presburger arithmetic. Moreover, we define an appropriate temporal logic and discuss the foundations of BMC. In Section 3, we consider BMC of infinite state systems and present the translation of temporal logic formulas to automata. Finally, we present experimental results (Section 4) and conclude with a summary (Section 5).
2 Preliminaries

2.1 Presburger Temporal Logic

In this section, we explain how Presburger arithmetic can be used for the representation and specification of infinite state systems. Presburger arithmetic is the first order theory of the natural numbers with addition as the basic operation. In contrast to the original definition, we interpret the logic over the integers rather than over the natural numbers. It is well-known that Presburger arithmetic is decidable [23, 25, 38, 39, 53]. The set of Presburger formulas PA consists of linear equations and inequations closed under the Boolean operators and the quantifiers ∃ and ∀. For example, the formula ∃y.(x = 2y) ∧ x ≥ 0 is a Presburger formula that holds for every positive even number x. In general, we interpret Presburger formulas with variable assignments that map the free variables of a formula to integers. The set of assignments that satisfy a formula φ ∈ PA is denoted as ⟦φ⟧.

¹ For restricted classes of systems, e.g., pushdown automata, the situation is different (see [15] for a comprehensive survey).
In 1974, Fischer and Rabin proved that every deterministic decision procedure for PA has at least double exponential time complexity [24]. Four years later, Oppen showed that every formula can be decided in triple exponential time using quantifier elimination [38]. These bounds are given for formulas that may have an arbitrary number of quantifier alternations. There are various other complexity results for restricted classes of formulas [28]. Regarding BMC, it is particularly interesting that deciding the truth of the set of formulas with prefix ∃* is NP-complete [50]. An important aspect concerning the implementation of efficient decision procedures is that every Presburger formula can be translated to a finite automaton that encodes its models [8, 9, 16, 53]. As there exists for every finite automaton an equivalent minimal one, automata can serve as a canonical representation for Presburger formulas. This is very much in the same spirit as binary decision diagrams are used as a canonical normal form for propositional logic [10]. Hence, automata can be viewed as generalizations of BDDs for representing infinite sets. To model infinite state systems using Presburger arithmetic, we need the notion of integer Kripke structures:
Definition 1 (Integer Kripke Structure) Given a finite set of variables V, an integer Kripke structure (IKS) is a transition system K = (S, I, R) where S is the possibly infinite set of states, I ⊆ S are the initial states, and R ⊆ S × S is the transition relation. Every state s ∈ S is a variable assignment s : V → ℤ. In addition, it is required that the set of initial states I and the transition relation R are definable in Presburger arithmetic. Moreover, R must be total.

According to the above definition, a state of an IKS is an assignment for the variables V. Such an assignment describes the current values of the system's variables. As the system proceeds with its execution, it changes some of the variables and therefore, we have a new assignment at the next point of time. Hence, the transition relation can be represented by a Presburger formula over the set of variables V ∪ V' where V and V' are the current and the next state variables, respectively. As the next step, we need an appropriate temporal logic to reason about reactive systems. To this end, we define LTL_PA, an extension of propositional linear temporal logic by Presburger arithmetic. Intuitively, LTL_PA formulas are obtained by replacing variables in propositional LTL by formulas of Presburger arithmetic.

Definition 2 (Syntax of LTL_PA) The set of Presburger LTL formulas LTL_PA is defined as follows with τ ∈ PA and φ, ψ ∈ LTL_PA:

The basic formulas of LTL_PA are exactly the formulas of Presburger arithmetic. Hence, LTL_PA is the closure of PA under Boolean and temporal operators. LTL_PA has four temporal operators: X, $\overleftarrow{X}$ (next and previous) and U, $\overleftarrow{U}$ (until and past-until, often called 'since'). Intuitively, the formula Xφ holds iff φ holds at the next point of time and [φ U ψ] holds iff φ holds until ψ holds. The operators $\overleftarrow{X}$ and $\overleftarrow{U}$ are defined similarly but refer to the past instead of the future. To interpret a formula, we need the notion of paths. Given an IKS K = (S, I, R), a path π : ℕ → S is a sequence of successive states, i.e., we have ∀t ∈ ℕ. (π(t), π(t+1)) ∈ R. The set of paths originating in a state s ∈ S is denoted by Paths_K(s) := {π : ℕ → S | π(0) = s}.

Definition 3 (Semantics of LTL_PA) Let K = (S, I, R) be an integer Kripke structure, π a path, and t ∈ ℕ a natural number. Then, the semantics of LTL_PA is recursively defined

So far, we only considered the truth of a formula with respect to a given path, but not with respect to a particular state. We use the path quantifiers A and E to obtain state formulas from path formulas. Thus, the semantics of a path formula is a set of states where the formula holds. For an IKS K = (S, I, R), a state s ∈ S, and a formula φ ∈ LTL_PA we define:

$$(K,s) \models A\varphi \;:\Leftrightarrow\; \forall \pi \in \mathrm{Paths}_K(s).\ (\pi,0) \models \varphi$$
$$(K,s) \models E\varphi \;:\Leftrightarrow\; \exists \pi \in \mathrm{Paths}_K(s).\ (\pi,0) \models \varphi$$

In the above definitions, we only considered a small set of Boolean and temporal operators. These are sufficient to reach the expressiveness of the first order monadic theory of linear orders [41]. In practice, it is nevertheless convenient to define further temporal operators as syntactic sugar:

The formula Fφ holds along a path iff φ eventually holds, and Gφ holds iff φ holds on all positions of the path. $[\varphi\,\underline{U}\,\psi]$ holds iff either $[\varphi\,U\,\psi]$ holds or φ invariantly holds.

The semantics of the past operators $\overleftarrow{F}$, $\overleftarrow{G}$, and $\overleftarrow{\underline{U}}$ are defined analogously. $\underline{U}$ and $\overleftarrow{\underline{U}}$ are often called weak until operators, while $U$ and $\overleftarrow{U}$ are the corresponding strong until operators. The distinction of weak and strong operators is the key to defining liveness and safety properties, respectively (see Section 3.2). Although our base logic PA is decidable, neither the satisfiability nor the model checking problem of LTL_PA is decidable. The proof is based on the fact that every register machine can be modeled by an IKS, and that the halting problem is expressible as an LTL_PA model checking problem. As a consequence, there is no algorithm that is able to prove or disprove every LTL_PA formula. For this reason, it is important to have semi-decision procedures such as BMC.
2.2 Bounded Model Checking

In this section, we briefly describe the basic ideas of propositional BMC [5-7, 18, 21, 43]. There are some important differences to our approach that are discussed in the next section. In general, the idea of BMC is to consider only a finite prefix of a path. In this way, the verification task can be reduced to a satisfiability problem of the base logic. We will see in Section 3.2 that it is sufficient to consider formulas of type Fφ and Gφ with propositional formulas φ. Such formulas can be recursively unwound by the equations Fφ = φ ∨ XFφ and Gφ = φ ∧ XGφ. This leads us to the following equivalences (similar for past operators):

$$(\pi,t) \models F\varphi \;\Leftrightarrow\; \bigvee_{i \ge t} \pi(i) \in [\![\varphi]\!]$$
$$(\pi,t) \models G\varphi \;\Leftrightarrow\; \bigwedge_{i \ge t} \pi(i) \in [\![\varphi]\!]$$

For a propositional formula φ, ⟦φ⟧ denotes the set of all satisfying variable assignments, just as for a Presburger formula φ ∈ PA. Clearly, it is not feasible to consider all positions along an infinite path. However, given a path π and a bound k, it is easy to see that the following implications hold:

$$\bigvee_{i=t}^{k} \pi(i) \in [\![\varphi]\!] \;\Rightarrow\; (\pi,t) \models F\varphi$$
$$(\pi,t) \models G\varphi \;\Rightarrow\; \bigwedge_{i=t}^{k} \pi(i) \in [\![\varphi]\!]$$

Hence, it suffices to consider finite prefixes of a given path in order to prove a liveness property Fφ and to disprove a safety property Gφ, respectively. To this end, we define for all Kripke structures K = (S, I, R) and for all formulas φ:

$$\mathrm{Prefix}([s_0,\ldots,s_k]) \;:\Leftrightarrow\; \bigwedge_{i=0}^{k-1} (s_i, s_{i+1}) \in R$$
$$\mathrm{Forall}([s_0,\ldots,s_k], \varphi) \;:\Leftrightarrow\; \bigwedge_{i=0}^{k} s_i \in [\![\varphi]\!]$$
$$\mathrm{Exists}([s_0,\ldots,s_k], \varphi) \;:\Leftrightarrow\; \bigvee_{i=0}^{k} s_i \in [\![\varphi]\!]$$

Theorem 1 (Bounded Model Checking of LTL) Given a Kripke structure K = (S, I, R), a state s_0 ∈ S, and a propositional formula φ, we have the following reductions:

- K, s_0 ⊨ EFφ holds iff for some k, the propositional formula Prefix([s_0, ..., s_k]) ∧ Exists([s_0, ..., s_k], φ) is satisfiable.
- K, s_0 ⊨ AFφ holds iff for some k, the propositional formula Prefix([s_0, ..., s_k]) ∧ Forall([s_0, ..., s_k], ¬φ) is not satisfiable.
- K, s_0 ⊨ EGφ holds iff for all k, the propositional formula Prefix([s_0, ..., s_k]) ∧ Forall([s_0, ..., s_k], φ) is satisfiable.
- K, s_0 ⊨ AGφ holds iff for all k, the propositional formula Prefix([s_0, ..., s_k]) ∧ Exists([s_0, ..., s_k], ¬φ) is not satisfiable.

It follows from the above theorem that, given a sufficiently large bound k, we can prove existential and universal liveness properties K, s_0 ⊨ EFφ and K, s_0 ⊨ AFφ by a reduction to propositional satisfiability problems. Similarly, we can disprove existential and universal safety properties K, s_0 ⊨ EGφ and K, s_0 ⊨ AGφ with a sufficiently large bound k. In practice, BMC is performed by progressively increasing the bound k until a witness or a counterexample is found. However, this only yields a semi-decision procedure since the validity of a formula cannot be inferred from the absence of bounded length counterexamples. For instance, if K, s_0 ⊨ EGφ does not hold, the procedure terminates after k steps where k is the length of the shortest counterexample. However, if K, s_0 ⊨ EGφ holds, the outlined procedure does not terminate. Nevertheless, completeness can be achieved for finite state systems [6, 7, 21]. This is due to the fact that for every finite state system, there exists a bound k such that the absence of counterexamples of length k or less implies that the formula holds. This bound is called the completeness threshold. In [7], it was suggested that the diameter of the system can be used as the completeness threshold. In [6], this claim was corrected, and it was argued that the diameter is enough only for safety properties Gφ. However, there is no discussion on the completeness threshold for other properties. The general problem of completeness for any type of specification was solved in [21].

3 BMC of LTL_PA by Translation to Automata

In this section, we lift the BMC approach from propositional temporal logic to the more powerful first order temporal logic LTL_PA. We will see that we still have completeness for existential liveness properties (EFφ), but no longer for universal liveness properties (AFφ), unless the IKS is only finitely branching. In Section 3.2 we show that considering the four special cases of Theorem 1 (resp. Theorem 2) is sufficient for BMC.
3.1 BMC of Infinite State Systems

As the semantics of the temporal operators is the same for LTL and LTL_PA, the same recursion equations hold, i.e., we can still use Fφ = φ ∨ XFφ and Gφ = φ ∧ XGφ for unwinding the temporal operators F and G. However, due to the presence of infinitely many states, we lose completeness for universal liveness and existential safety properties:

Theorem 2 (Bounded Model Checking of LTL_PA) Given a Kripke structure K = (S, I, R), a state s_0 ∈ S, and a Presburger formula φ ∈ PA, we have the following reductions:

- K, s_0 ⊨ EFφ holds iff for some k, the Presburger formula Prefix([s_0, ..., s_k]) ∧ Exists([s_0, ..., s_k], φ) is satisfiable.
- If there exists a number k such that the Presburger formula Prefix([s_0, ..., s_k]) ∧ Forall([s_0, ..., s_k], ¬φ) is not satisfiable, then K, s_0 ⊨ AFφ holds. The converse need not necessarily hold.
- If there exists a number k such that the Presburger formula Prefix([s_0, ..., s_k]) ∧ Forall([s_0, ..., s_k], φ) is not satisfiable, then K, s_0 ⊨ EGφ does not hold. The converse need not necessarily hold.
- K, s_0 ⊨ AGφ does not hold iff for some k, the Presburger formula Prefix([s_0, ..., s_k]) ∧ Exists([s_0, ..., s_k], ¬φ) is satisfiable.

    module IncompleteAF :
      input z : integer;
      output rdy;
      loop
        while z ≠ 0 do
          if z > 0 then next(z) := z - 1 else next(z) := z + 1 end if;
          pause
        end while;
        emit rdy
      end loop
    end module

Figure 1. Program illustrating incompleteness of BMC for universal liveness properties

As a first observation, everything is similar to the finite case: Estimating a sufficiently large bound k, we can reduce the problems K, s_0 ⊨ EFφ, K, s_0 ⊨ AFφ, K, s_0 ⊨ EGφ, and K, s_0 ⊨ AGφ to equivalent Presburger satisfiability problems. Moreover, we can progressively generate these satisfiability problems by increasing the bound k. If the problems K, s_0 ⊨ EFφ and K, s_0 ⊨ AGφ can be answered to the positive, this procedure terminates after a finite number of steps with the desired proof. Otherwise, still analogously to the finite case, the procedure diverges without further knowledge of completeness thresholds. In contrast to the finite case, however, we lose completeness for the reductions of K, s_0 ⊨ AFφ and K, s_0 ⊨ EGφ. It may be the case that our procedure will terminate with a proof with a bound k, but even if the problems could be answered positively, this need not necessarily happen. The reason for this is that, in general, there are no completeness thresholds for such problems. An instructive example is the following: Consider an IKS that models the program given in Figure 1. The program reads an integer z and either increments or decrements it until it equals zero. Certainly, this will happen for every input, so that after finitely many steps, the output rdy will be emitted. However, the specification AF rdy cannot be proved by BMC, since for every bound k ∈ ℕ, there are inputs that require more than k steps for termination. Interestingly, this phenomenon does not occur when proving existential liveness properties and disproving universal safety properties. The reason for the completeness of existential liveness properties is that for a particular path where Fφ holds, we must reach a position where φ holds after finitely many steps.
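As an added example that is not part of the paper, the following Python code carries out the four reductions of Theorems 1 and 2 by enumerating the prefixes [s_0, ..., s_k] explicitly (standing in for the propositional or Presburger satisfiability check) and replays the IncompleteAF program of Figure 1: EF rdy is proved at bound k = |z_0|, while for every bound k the input k + 1 keeps Prefix ∧ Forall(¬rdy) satisfiable, so AF rdy is never proved. The function names, the integer-state encoding of Figure 1 and the self-loop at z = 0 are my assumptions, as is the small finite structure used for comparison.

```python
"""Bounded model checking of EF, AF, EG and AG through the Prefix/Forall/Exists
reductions of Theorems 1 and 2, with explicit enumeration of prefixes standing
in for the propositional or Presburger satisfiability check."""
from typing import Any, Callable, List, Optional, Sequence

State = Any
Succ = Callable[[State], Sequence[State]]   # the transition relation R
Pred = Callable[[State], bool]              # a state formula phi

def prefixes(s0: State, succ: Succ, k: int) -> List[List[State]]:
    """All [s0, ..., sk] satisfying Prefix([s0..sk]): each (s_i, s_{i+1}) is
    in R. Enumerable only for finitely branching structures."""
    paths = [[s0]]
    for _ in range(k):
        paths = [p + [t] for p in paths for t in succ(p[-1])]
    return paths

def exists_(prefix: Sequence[State], phi: Pred) -> bool:
    """Exists([s0..sk], phi): some s_i lies in [[phi]]."""
    return any(phi(s) for s in prefix)

def forall_(prefix: Sequence[State], phi: Pred) -> bool:
    """Forall([s0..sk], phi): every s_i lies in [[phi]]."""
    return all(phi(s) for s in prefix)

def sat_exists(s0: State, succ: Succ, phi: Pred, k: int) -> bool:
    """Is Prefix([s0..sk]) and Exists([s0..sk], phi) satisfiable at bound k?"""
    return any(exists_(p, phi) for p in prefixes(s0, succ, k))

def sat_forall(s0: State, succ: Succ, phi: Pred, k: int) -> bool:
    """Is Prefix([s0..sk]) and Forall([s0..sk], phi) satisfiable at bound k?"""
    return any(forall_(p, phi) for p in prefixes(s0, succ, k))

def neg(phi: Pred) -> Pred:
    return lambda s: not phi(s)

def first_bound(test: Callable[[int], bool], max_k: int) -> Optional[int]:
    """Increase k progressively until `test` holds; None means the search gave
    up, as BMC would diverge without a completeness threshold."""
    for k in range(max_k + 1):
        if test(k):
            return k
    return None

# The four reductions, each as a search over the bound k.
def prove_ef(s0, succ, phi, max_k):   # EF phi: Prefix ^ Exists(phi) satisfiable
    return first_bound(lambda k: sat_exists(s0, succ, phi, k), max_k)

def prove_af(s0, succ, phi, max_k):   # AF phi: Prefix ^ Forall(~phi) unsatisfiable
    return first_bound(lambda k: not sat_forall(s0, succ, neg(phi), k), max_k)

def refute_eg(s0, succ, phi, max_k):  # not EG phi: Prefix ^ Forall(phi) unsatisfiable
    return first_bound(lambda k: not sat_forall(s0, succ, phi, k), max_k)

def refute_ag(s0, succ, phi, max_k):  # not AG phi: Prefix ^ Exists(~phi) satisfiable
    return first_bound(lambda k: sat_exists(s0, succ, neg(phi), k), max_k)

# Figure 1's IncompleteAF program as an IKS: the state is z, rdy holds iff z == 0.
# Assumption (not in the paper): at z == 0 the input stays 0, so 0 is a self-loop.
def incomplete_af_succ(z: int) -> List[int]:
    if z > 0:
        return [z - 1]
    if z < 0:
        return [z + 1]
    return [0]

def rdy(z: int) -> bool:
    return z == 0

def af_rdy_escapes_bound(k: int) -> int:
    """For every bound k the input z0 = k + 1 gives a prefix [s0..sk] on which
    Forall(~rdy) holds, so Prefix ^ Forall(~rdy) stays satisfiable when z0
    ranges over all integers: AF rdy has no completeness threshold. Returns
    that input after checking both facts for this k."""
    z0 = k + 1
    assert sat_forall(z0, incomplete_af_succ, neg(rdy), k)
    assert prove_af(z0, incomplete_af_succ, rdy, k) is None
    return z0

# A finite, nondeterministic Kripke structure for comparison (constructed):
# a -> {b, c}, b -> {c}, c -> {c}. Here Theorem 1 proves AF c at k = 2.
FINITE_R = {"a": ["b", "c"], "b": ["c"], "c": ["c"]}

def finite_succ(s: str) -> List[str]:
    return FINITE_R[s]

def at_c(s: str) -> bool:
    return s == "c"

if __name__ == "__main__":
    print("EF rdy from z0 = 5 proved at k =", prove_ef(5, incomplete_af_succ, rdy, 20))
    for k in range(4):
        print(f"bound {k}: input {af_rdy_escapes_bound(k)} has not emitted rdy yet")
    print("finite: AF c proved at k =", prove_af("a", finite_succ, at_c, 10))
```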
3.2 Exploiting the Temporal Logic Hierarchy

In the previous sections, we described BMC of very simple safety and liveness properties. We only considered four classes of problems, namely the formulas EFφ, AFφ, EGφ, and AGφ. In this section, we will see that this is sufficient for reducing general safety and liveness properties to corresponding ω-automata. Using these automata offers a new method for performing BMC (see Section 3.3). To this end, we have to consider the translation of LTL formulas to equivalent ω-automata. Similar to model checking procedures, there are two different approaches to these translations: procedures that construct the automata explicitly like [26, 32, 52], and others that derive a symbolic description of the automata like [19, 29, 40, 42]. The latter have the advantage that they run with linear time and space requirements w.r.t. the length of the formulas. Moreover, they can be directly used for symbolic model checking, and even more important for this paper, for unwinding in order to implement a reduction to satisfiability problems. In the following, we use symbolic descriptions² of finite state ω-automata of the form A_Φ = (Q, I, R, F), where

² Symbolic descriptions of nondeterministic automata are essentially alternating automata. Hence, the described technique is related to the translation of LTL to alternating ω-automata [49].
Figure 2. Syntactic characterization of the six classes of the temporal logic hierarchy

Q is the finite set of state variables of the automaton, I is a formula that encodes the set of initial states, and R is a formula with X operators that represents the transition relation. Finally, F is the acceptance condition given as an LTL formula. Moreover, we write Φ(φ) for the formula that is obtained by replacing all occurrences of the subformula ψ in Φ by the formula φ. All of the mentioned translation procedures construct generalized Büchi automata (a special form of Streett automata [48]). The acceptance conditions of these automata are defined by a set of sets of states {Q_1, ..., Q_n}: an infinite input sequence is accepted by such an automaton iff there is a run through the state transition system that visits each Q_i infinitely often. In the following, the Q_i's are called fairness constraints. It is well-known that the translation of arbitrary temporal formulas is not possible without fairness constraints. Nevertheless, there are a lot of specifications that can be translated to simpler classes of ω-automata [31, 41, 48, 51]. Consequently, some of the fairness constraints introduced by simple translations are unnecessary, and others can be replaced with simpler liveness constraints. Let us briefly explain why these fairness constraints are (sometimes) necessary. To this end, we have to consider the elementary subformulas of a given formula Φ which are those subformulas of Φ that start with a temporal operator. The states of the ω-automaton that is to be constructed consist of the different truth values of these elementary formulas. For example, if Φ has the elementary formulas {φ_1, ..., φ_n}, we need n state variables {q_1, ..., q_n} to encode the state set. As the introduced state variables q_i are used to abbreviate elementary subformulas, we want for any run through the automaton that q_i ⇔ φ_i holds. For this reason, the transition relation of the automaton must respect the semantics of the temporal operators that occur in φ_i. However, the following equivalences show that it is not sufficient to only follow the recursion laws of the operators [40, 41]:

The above equivalences intuitively state that (1) strong and weak operators fulfill exactly the same recursion laws, and (2) no other formulas satisfy these laws. If all occurrences of x in Φ are positive (i.e., they occur under an even number of negations), then Φ is monotonic in x and since $[\varphi\,U\,\psi]$ implies $[\varphi\,\underline{U}\,\psi]$, we then have

In general, we need some further means to distinguish between the strong and weak operators. The next theorem shows that this can be done by adding either suitable initialization conditions or fairness constraints (for past and future operators, respectively) [40, 41].

Theorem 3 Given a formula Φ with some occurrences of a variable x, and propositional formulas φ and ψ, the following equations are valid:
The above equations can be recursively applied to abbreviate all temporal operators of a formula by new state formulas with corresponding transition relations, initialization conditions, and fairness constraints. This is the heart of symbolic translations like [19, 29, 42] that can translate the formulas in linear time. In [40, 41], two powerful improvements that still retain the linear translation time have been presented: The first improvement, based on exploiting the above mentioned monotonicity of temporal operators, allows one to neglect those fairness constraints that stem from positive/negative occurrences of weak/strong temporal operators. The reason for this is that the automaton is then allowed to satisfy the property either with the strong or the weak operator. As we know that strong operators imply the weak ones, this is a correct simplification (see [40, 41] for more explanations). The second improvement allows one to replace some of the remaining fairness constraints by simpler reachability constraints. This improvement can be used as long as only strong temporal future operators are nested into each other, followed only by nestings of weak temporal future operators. Based on these improvements, the following subclasses TL_κ of LTL have been defined in [40, 41]:

3.3 BMC of LTL_PA with Automata

In this section, we combine the techniques of the previous sections and describe our main result on BMC of infinite state systems represented by Presburger arithmetic. All automata of the classes κ ∈ {G, F, Prefix, FG, GF, Streett} can be made deterministic [41]. Hence, we can assume without loss of generality that the transition relation and the initial condition are given as equation systems: Assume the automaton has state variables Q = {q_1, ..., q_n}; then the initial condition is of the form q⃗ = b⃗ ∈ {0,1}^{|Q|}, and the transition relation is of the form X q⃗ = δ⃗, where δ⃗ is a vector of Presburger formulas in which only the input variables and the state variables q⃗ may occur. The meaning of a vector equation is logically equivalent to the conjunction of its components. Unwinding these deterministic automata is straightforward and requires neither a product computation with the Kripke structure nor the introduction of new instances of state variables. Instead, we can use the following definition of unwinding:
Definition 5 (Unwinding Deterministic Automata) For