stateright / stateright

A model checker for implementing distributed systems.

Home Page: https://docs.rs/stateright

Pending-state randomization

graydon opened this issue

Currently it looks like the checker always splits chunks off the end of the pending vecdeque, and then pushes new extensions back on the end. But it doesn't necessarily split off everything pending, and it can often grow the end by more than it tried to consume. When this happens, it ignores (potentially for a very long time, until much later in the run) entries earlier in the deque.

I'm not sure this is a problem (I guess if we're going to explore all states eventually the order might not matter?) but I worry a bit vaguely that there's some possibility that an imbalance in the shape the frontier gets expanded at will wind up costing more work or more memory than if it were more balanced.

Might it make sense to randomize or otherwise permute the pending vector from time to time?

Would it be preferable to update the implementation to maintain order (for single threaded model checking at least)?

I'm not sure! By "maintain order" do you mean like always consuming from the front and pushing on the back?

I opened this one just to, er .. talk about it I guess, ask your thoughts -- I'm not even really sure this is a real issue, I was just looking through the implementation for degrees of freedom in the algorithm, choices that might be made differently that might somehow change the dynamics of the thing. Feel free to close if you don't think there's anything here, or if it seems unlikely to matter..

I’m glad you brought this up as it sounds like a bug. The intent was to push and pop on different ends, so maybe that’s the simplest fix. Good catch!

I may also be misreading it. I'll take another look tomorrow.
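Added example, not part of the issue thread and not Stateright's code: a small simulation of the two pending-queue disciplines discussed above, run over a constructed toy state space (a complete binary tree of 1023 states). The chunk size, the tree, and the names `explore`, `successors` and `expanded_before` are assumptions made for illustration; the numbers apply to this toy tree only.

```rust
use std::collections::VecDeque;

// Constructed toy state space: complete binary tree with `n` states, root 0.
fn successors(s: u32, n: u32) -> Vec<u32> {
    vec![2 * s + 1, 2 * s + 2].into_iter().filter(|&c| c < n).collect()
}

/// Explore every state, taking up to `chunk` pending entries per step and
/// pushing successors on the back. `from_back = true` splits the chunk off
/// the end (the behaviour described in the issue); `false` consumes from
/// the front. Returns the expansion order and the largest pending length
/// observed after a step.
fn explore(n: u32, chunk: usize, from_back: bool) -> (Vec<u32>, usize) {
    let mut pending: VecDeque<u32> = VecDeque::new();
    pending.push_back(0);
    let (mut order, mut max_pending) = (Vec::new(), pending.len());
    while !pending.is_empty() {
        let take = chunk.min(pending.len());
        let batch: Vec<u32> = if from_back {
            pending.split_off(pending.len() - take).into_iter().collect()
        } else {
            pending.drain(..take).collect()
        };
        for s in batch {
            order.push(s);
            pending.extend(successors(s, n)); // appended at the back
        }
        max_pending = max_pending.max(pending.len());
    }
    (order, max_pending)
}

/// Number of states expanded before `target` is expanded.
fn expanded_before(order: &[u32], target: u32) -> usize {
    order.iter().position(|&s| s == target).expect("target is reachable")
}

fn main() {
    for &(name, from_back) in [("split off end", true), ("consume front", false)].iter() {
        let (order, max_pending) = explore(1023, 2, from_back);
        println!(
            "{}: state 3 expanded after {} others, max pending {}",
            name,
            expanded_before(&order, 3),
            max_pending
        );
    }
}
```

With a chunk of 2, state 3 is enqueued in the third step in both runs; taking from the end leaves it at the front of the deque until every state under its siblings has been expanded, while consuming from the front gives plain breadth-first order.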