Directed explicit-state model checking in the validation of communication protocols
- International Journal on Software Tools for Technology (STTT), 2004
Cited by 65 (24 self)
The success of model checking is largely based on its ability to efficiently locate errors in software designs. If an error is found, a model checker produces a trail that shows how the error state can be reached, which greatly facilitates debugging. However, while current model checkers find error states efficiently, the counterexamples are often unnecessarily lengthy, which hampers error explanation. This is due to the use of "naive" search algorithms in the state space exploration. In this paper we present approaches to the use of heuristic search algorithms in explicit-state model checking. We present the class of A* directed search algorithms and propose heuristics together with bitstate compression techniques for the search of safety property violations. We achieve great reductions in the length of the error trails, and in some instances render problems analyzable by exploring a much smaller number of states than standard depth-first search. We then suggest an improvement of the nested depth-first search algorithm and show how it can be used together with A* to improve the search for liveness property violations. Our approach to directed explicit-state model checking has been implemented in a tool set called HSF-SPIN. We provide experimental results from the protocol validation domain using HSF-SPIN.
Directed Explicit Model Checking with HSF-SPIN
- In Proceedings of the 8th International SPIN Workshop on Model Checking of Software, 2001
Cited by 41 (1 self)
We present the explicit state model checker HSF-SPIN which
Efficient Guiding Towards Cost-Optimality in UPPAAL
- 2001
Cited by 34 (17 self)
In this paper we present an algorithm for efficiently computing the minimum cost of reaching a goal state in the model of Uniformly Priced Timed Automata (UPTA). This model can be seen as a submodel of the recently suggested model of linearly priced timed automata, which extends timed automata with prices on both locations and transitions. The presented algorithm is based on a symbolic semantics of UPTA, and an efficient representation and operations based on difference bound matrices. In analogy with Dijkstra's shortest path algorithm, we show that the search order of the algorithm can be chosen such that the number of symbolic states explored by the algorithm is optimal, in the sense that the number of explored states cannot be reduced by any other search order. We also present a number of techniques inspired by branch-and-bound algorithms which can be used for limiting the search space and for quickly finding near-optimal solutions. The algorithm has been implemented in the verification tool Uppaal. When applied to a number of experiments, the presented techniques reduced the explored state space by up to 90%.
Trail-Directed Model Checking
- Electronic Notes in Theoretical Computer Science, 2001
Cited by 20 (7 self)
HSF-SPIN is a Promela model checker based on heuristic search strategies. It utilizes heuristic estimates in order to direct the search for finding software bugs in concurrent systems. As a consequence, HSF-SPIN is able to find shorter trails than blind depth-first search.
Protocol verification with heuristic search
- 2001
Cited by 17 (4 self)
We present an approach to reconcile explicit state model checking and heuristic directed search. We provide experimental evidence that the model checking problem for concurrent systems, such as communications protocols, can be solved more efficiently, since finding a state violating a property can be understood as a directed search problem. In our work we combine the expressive power and implementation efficiency of the SPIN model checker with the HSF heuristic search workbench, yielding the HSF-SPIN tool that we have implemented. We start off from the A* algorithm and some of its derivatives and define heuristics for various system properties that guide the search so that it finds error states faster. In this paper we focus on safety properties and provide heuristics for invariant and assertion violation and deadlock detection. We provide experimental results for applying HSF-SPIN to two toy protocols and one real world protocol, the CORBA GIOP protocol.
Heuristic search planning with BDDs
- In ECAI-Workshop: PuK, 2000
Cited by 6 (2 self)
In this paper we study traditional and enhanced BDD-based exploration procedures capable of handling large planning problems. On the one hand, reachability analysis and model checking have eventually approached AI planning. Unfortunately, they typically rely on uninformed blind search. On the other hand, heuristic search and especially lower bound techniques have matured in effectively directing the exploration even for large problem spaces. Therefore, with heuristic symbolic search we address the unexplored middle ground between single-state and symbolic planning engines to establish algorithms that can gain from both sides. To this end we implement and evaluate heuristics found in state-of-the-art heuristic single-state search planners.
Survey on Directed Model Checking
- 2009
Cited by 5 (0 self)
This article surveys and gives historical accounts of the algorithmic essentials of directed model checking, a promising bug-hunting technique to mitigate the state explosion problem. In the enumeration process, successor selection is prioritized. We discuss existing guidance and methods to automatically generate it by exploiting system abstractions. We extend the algorithms to feature partial-order reduction and show how liveness problems can be adapted by lifting the search space. For deterministic, finite domains we instantiate the algorithms to directed symbolic, external and distributed search. For real-time domains we discuss the adaptation of the algorithms to timed automata, and for probabilistic domains we show the application to counterexample generation. Last but not least, we explain how directed model checking helps to accelerate finding solutions to scheduling problems.
Bounding and Heuristics in Forward Reachability Algorithms
- 2000
Cited by 4 (1 self)
Recently, timed automata models have been used to solve realistic scheduling problems. In this paper we want to establish the relation between timed automata and job shop scheduling problems. The timed automata models of the scheduling problems can serve as input for a forward reachability checker. In contrast to job shop algorithms, the forward reachability algorithms will usually not yield an optimal solution. There are also only few ways to direct the exploration of the state space. Starting from the job shop problem, we will describe how forward reachability can be equipped with two concepts from branch and bound methods: heuristics and bounding. This extended algorithm is then applicable to all kinds of timed automata models.
Keywords and Phrases: Timed automata, Static Scheduling, Reachability, Model Checking, UPPAAL, Branch and Bound Algorithms, Job Shop, Heuristics
AMS Subject Classification: 68M14, 68W20, 90B35, 90B90
CR Subject Classification: D.2.2, D.2.4, F.1.1, F.3...
Data Structures and Algorithms for the Analysis of Real Time Systems
- 2003
Cited by 4 (2 self)
This thesis presents data structures and algorithms for the analysis of real time systems in various modelling formalisms. Algorithms for reachability analysis (a special case of model checking) and static scheduling analysis are presented. The modelling formalisms range from traditional state/event systems as used in the commercial tool visualSTATE, over hierarchical state/event systems and timed automata, to linearly priced timed automata. The data structures used range from reduced ordered binary decision diagrams (ROBDD), used in symbolic model checking of state/event systems, over clock difference diagrams (CDD), an ROBDD-like data structure for real time systems, to priced zones used for representing the state space of cost-annotated timed automata. The thesis is a collection of six papers. The first two papers deal with model checking of visualSTATE models; in fact, the current version of visualSTATE uses the patented techniques proposed in the first paper. The third paper considers alternative data structures for representing the state space of a real time system (CDDs). The remaining three papers deal with how real time model checking techniques like those used for timed automata can be used to answer static scheduling problems and, in particular, how one can specify and find optimal schedules. The techniques presented in the thesis have been experimentally evaluated using either a prototype of the visualSTATE model checker or the academic timed automata verification tool Uppaal.
State-Set Branching: Leveraging OBDDs for Heuristic Search
- 2002
In this paper, we introduce a framework called state-set branching that combines symbolic search based on the reduced Ordered Binary Decision Diagram (OBDD) with classical heuristic search, such as A* and best-first search. The framework relies on an extension of these algorithms from expanding a single state in each iteration to expanding a set of states. We prove that it is generally sound and optimal for two A* implementations and show how a new OBDD technique called branching partitioning can be used to efficiently expand sets of states. The framework is general. It applies to any heuristic function, any evaluation function, and any transition cost function. Moreover, branching partitioning applies to both disjunctive and conjunctive transition relation partitioning. An extensive experimental evaluation involving several new and classical domains proves state-set branching to be a powerful framework. It consistently outperforms single-state A*, except when the heuristic is very strong. In addition, we show that it can improve the complexity of single-state search exponentially and that it often dominates both single-state A* and blind OBDD-based search by several orders of magnitude. Moreover, it has substantially better performance than BDDA*, the only previous OBDD-based implementation of A*.