We describe a method for reducing the complexity of temporal logic model checking in systems composed of many parallel processes. The goal is to check properties of the components of a system and then deduce global properties from these local properties. The main difficulty with this type of approach is that local properties are often not preserved at the global level. We present a general framework for using additional interface processes to model the environment for a component. These interface processes are typically much simpler than the full environment of the component. By composing a component with its interface processes and then checking properties of this composition, we can guarantee that these properties will be preserved at the global level. We give two example compositional systems based on the logic CTL*.

A fundamental difficulty in automatic formal verification of finite-state systems is the state explosion problem -- even relatively simple systems can produce very large state spaces, causing great difficulties for methods that rely on explicit state enumeration. We address the problem by exploiting structural symmetries in the description of the system to be verified. We make symmetries easy to detect by introducing a new data type scalarset, a finite and unordered set, to our description language. The operations on scalarsets are restricted so that states are guaranteed to have the same future behaviors, up to permutation of the elements of the scalarsets. Using the symmetries implied by scalarsets, a verifier can automatically generate a reduced state space, on the fly. We provide a proof of the soundness of the new symmetry-based verification algorithm based on a definition of the formal semantics of a simple description language with scalarsets. The algorithm has been implemented ...

We show how to exploit symmetry in model checking for concurrent systems containing many identical or isomorphic components. We focus in particular on those composed of many isomorphic processes. In many cases we are able to obtain significant, even exponential, savings in the complexity of model checking. 1 Introduction In this paper, we show how to exploit symmetry in model checking. We focus on systems composed of many identical (isomorphic) processes. The global state transition graph M of such a system exhibits a great deal of symmetry, characterized by the group of graph automorphisms of M. The basic idea underlying our method is to reduce model checking over the original structure M, to model checking over a smaller quotient structure M, where symmetric states are identified. In the following paragraphs, we give a more detailed but still informal account of a "group-theoretic" approach to exploiting symmetry. More precisely, the symmetry of M is reflected in the group, Aut M...

PROD is a Pr/T-net reachability analysis tool that supports on-the-fly verification of linear time temporal properties with the aid of the stubborn set method. Branching time temporal properties can be verified, too.

In this paper we describe the use of symmetry for verification of transistor-level circuits by symbolic trajectory evaluation. We show that exploiting symmetry can allow one to verify systems several orders of magnitude larger than otherwise possible. We classify symmetries in circuits as structural symmetries, arising from similarities in circuit structure, data symmetries, arising from similarities in the handling of data values, and mixed structural-data symmetries. We use graph isomorphism testing and symbolic simulation to verify the symmetries in the original circuit. Using conservative approximations, we partition a circuit to expose the symmetries in its components, and construct reduced system models which can be verified efficiently. We have verified Static Random Access Memory circuits with up to 1.5 Million transistors.

Coloured Petri nets are well suited to the modelling of symmetric systems. Model symmetries can be usefully exploited for the sake of analysis efficiency as well as for modelling convenience.

As part of our continuing research on using Petri nets to support automated analysis of Ada tasking behavior, we have investigated the application of Petri net reduction for deadlock analysis. Although reachability analysis is an important method to detect deadlocks, it is in general inefficient or even intractable. Net reduction can aid the analysis by reducing the size of the net while preserving relevant properties. We introduce a number of reduction rules and show how they can be applied to Ada nets, which are automatically generated Petri net models of Ada tasking. We define a reduction process and a method by which a useful description of a detected deadlock state can be obtained from the reduced net's information. A reduction tool and experimental results from applying the reduction process are discussed.

Previously, we proposed a reduction technique [ID93] based on symmetries to alleviate the state explosion problem in automatic verification of concurrent systems. This paper describes the results of testing the technique on a wide range of algorithms and protocols, including realistic multiprocessor synchronization algorithms and cache coherence protocols. Memory requirements were reduced by amounts ranging from 83% to over 99%, and time requirements were often reduced as well. We also consider the effectiveness of the technique on different types of symmetries, such as symmetries in identical system components and symmetries in data values.

This article describes a technique for analyzing relational specifications. The underlying idea is very simple. Both simulation and checking amount to finding models of a relational formula, i.e., assignments for which the formula is true. For simulation the formula is the description of the operation; for checking, the formula is the negation of an assertion about an operation. Models are found by a generate-and-test strategy: the formula is repeatedly evaluated for a series of assignments until one is found for which the formula is true

We describe a prototype extension of the Uppaal real-time model checking tool with symmetry reduction. The symmetric data type scalarset, which is also used in the Mur' model checker, was added to Uppaal's system description language to support the easy static detection of symmetries. Our prototype tool uses state swaps, described and proven sound earlier by Hendriks, to reduce the space and memory consumption of Uppaal. Moreover, under certain assumptions the reduction strategy is canonical, which means that the symmetries are optimally used. For all examples that we experimented with (both academic toy examples and industrial cases), we obtained a drastic reduction of both computation time and memory usage, exponential in the size of the scalar sets used.