## Structural symbolic CTL model checking of asynchronous systems (2003)

Venue: Computer Aided Verification (CAV’03), LNCS 2725

Citations: 18 - 11 self

### BibTeX

@INPROCEEDINGS{Ciardo03structuralsymbolic,
    author = {Gianfranco Ciardo and Radu Siminiceanu},
    title = {Structural symbolic CTL model checking of asynchronous systems},
    booktitle = {Computer Aided Verification (CAV’03), LNCS 2725},
    year = {2003},
    pages = {40--53},
    publisher = {Springer-Verlag}
}

### Abstract

In previous work, we showed how structural information can be used to efficiently generate the state-space of asynchronous systems. Here, we apply these ideas to symbolic CTL model checking. Thanks to a Kronecker encoding of the transition relation, we detect and exploit event locality and apply better fixed-point iteration strategies, resulting in orders-of-magnitude reductions for both execution times and memory consumption in comparison to well-established tools such as NuSMV.

### Citations

2601 | Model Checking
- Clarke, Grumberg, et al.
- 2000
Citation Context ...odel checking is concerned with the tasks of representing a system with an automaton, usually finite-state, and then showing that the initial state of this automaton satisfies a temporal logic statement [13]. Model checking has gained increasing attention since the development of techniques based on binary decision diagrams (BDDs) [4]. Symbolic model checking [6] is known to be effective for computation t...

932 | Symbolic boolean manipulation with ordered binary-decision diagrams
- Bryant
- 1992
Citation Context ...e initial state of this automaton satisfies a temporal logic statement [13]. Model checking has gained increasing attention since the development of techniques based on binary decision diagrams (BDDs) [4]. Symbolic model checking [6] is known to be effective for computation tree logic (CTL) [12], as it allows for the efficient storage and manipulation of the large sets of states corresponding to CTL formu...

837 | Design and synthesis of synchronization skeletons using branching-time temporal logic
- Clarke, Emerson
- 1982
Citation Context ... has gained increasing attention since the development of techniques based on binary decision diagrams (BDDs) [4]. Symbolic model checking [6] is known to be effective for computation tree logic (CTL) [12], as it allows for the efficient storage and manipulation of the large sets of states corresponding to CTL formulae. However, practical limitations still exist. First, memory and time requirements might ...

630 | Symbolic model checking: $10^{20}$ states and beyond
- Burch, Clarke, et al.
- 1992
Citation Context ...ton satisfies a temporal logic statement [13]. Model checking has gained increasing attention since the development of techniques based on binary decision diagrams (BDDs) [4]. Symbolic model checking [6] is known to be effective for computation tree logic (CTL) [12], as it allows for the efficient storage and manipulation of the large sets of states corresponding to CTL formulae. However, practical l...

326 | Symbolic Model Checking: $10^{20}$ States and Beyond
- Burch, Clarke, et al.
- 1992
Citation Context ...aton satisfies a temporal logic statement [13]. Model checking has gained increasing attention since the development of techniques based on binary decision diagrams (BDDs) [4]. Symbolic model checking [6] is known to be effective for computation tree logic (CTL) [12], as it allows for the efficient storage and manipulation of the large sets of states corresponding to CTL formulae. However, practical limit...

184 | NuSMV: a new symbolic model verifier
- Cimatti, Clarke, et al.
- 1999
Citation Context ...improved computation of the basic CTL operators using structural model information. Section 4 gives memory and runtime results for our algorithms implemented in SmArT [7] and compares them with NuSMV [11]. 2 Exploiting the structure of asynchronous models We consider globally-asynchronous locally-synchronous systems specified by a tuple $(\hat{S}, S^{init}, E, N)$, where the potential state space $\hat{S}$ is gi...

162 | Symbolic Model Checking with Partitioned Transition Relations
- Burch, Clarke, et al.
- 1991
Citation Context ...generic (global) state is $i = (i_K, \ldots, i_1)$; $S^{init}$ $\hat{S}$ is the set of initial states; $E$ is a set of (asynchronous) events; the next-state function $N : \hat{S} \to 2^{\hat{S}}$ is disjunctively partitioned [14] according to $E$, i.e., $N = \bigcup_{\alpha \in E} N_\alpha$, where $N_\alpha(i)$ is the set of states that can be reached when event $\alpha$ fires in state $i$; we say that $\alpha$ is disabled in $i$ if $N_\alpha(i) = \emptyset$. With high-level models such as P...

148 | On the stochastic structure of parallelism and synchronization models for distributed algorithms
- Plateau
- 1985
Citation Context ...aditional symbolic approaches is our encoding of N [17], inspired by the representation of the transition rate matrix for a continuous-time Markov chain by means of a (real) sum of Kronecker products [5, 18]. This requires a Kronecker-consistent decomposition of the model into submodels, i.e., there must exist functions $N_{\alpha,k} : S_k \to 2^{S_k}$, for $\alpha \in E$ and $K \ge k \ge 1$, such that, for any $i \in \hat{S}$, $N_\alpha(i) = N_{\alpha,K}$ ...

89 | Multi-valued decision diagrams: Theory and applications
- Kam, Villa, et al.
- 1998
Citation Context ...ectively, and are encoded as BDDs. Our structural approach instead uses MDDs to store sets and (boolean) sums of Kronecker matrix products to store relations. The use of MDDs has been proposed before [15], but their implementation through BDDs made them little more than a "user interface". In [17], we showed instead that implementing MDDs directly may increase "locality", thus the efficiency of state-spa...

70 | Efficient Reachability Set Generation and Storage Using Decision Diagrams
- Miner, Ciardo
- 1999
Citation Context ...745 and ACI-0203971. The present contribution is based on our earlier work in symbolic state-space generation using multivalued decision diagrams (MDDs), Kronecker encoding of the next state function [17, 8], and the saturation algorithm [9]. This background is summarized in Section 2, which also discusses how to exploit the model structure for MDD manipulation. Section 3 contains our main contribution: ...

66 | Complexity of memory-efficient Kronecker operations with applications to the solution of Markov models
- Buchholz, Ciardo, et al.
Citation Context ...aditional symbolic approaches is our encoding of N [17], inspired by the representation of the transition rate matrix for a continuous-time Markov chain by means of a (real) sum of Kronecker products [5, 18]. This requires a Kronecker-consistent decomposition of the model into submodels, i.e., there must exist functions $N_{\alpha,k} : S_k \to 2^{S_k}$, for $\alpha \in E$ and $K \ge k \ge 1$, such that, for any $i \in \hat{S}$, $N_\alpha(i) = N_{\alpha,K}(i_K)$...

57 | Saturation: An efficient iteration strategy for symbolic state-space generation
- Ciardo, Lüttgen, et al.
- 2001
Citation Context ...ibution is based on our earlier work in symbolic state-space generation using multivalued decision diagrams (MDDs), Kronecker encoding of the next state function [17, 8], and the saturation algorithm [9]. This background is summarized in Section 2, which also discusses how to exploit the model structure for MDD manipulation. Section 3 contains our main contribution: improved computation of the basic ...

50 | An algorithm for strongly connected component analysis in n log n symbolic steps
- Bloem, Gabow, et al.
- 2000
Citation Context ...ingle event at a time and makes local decisions that must be globally correct, it would appear that saturation cannot be used to improve EGtrad. However, Fig. 5 shows an algorithm for EG which, like [2, 20], enumerates the SCCs by finding forward and backward reachable sets from a state. However, it uses saturation, instead of breadth-first search. In line 2, Algorithm EGsat disposes of selfloop states in P...

45 | R.: Saturation unbound
- Ciardo, Marmorstein, et al.
- 2003
Citation Context ...alongside the construction of the (actual) state space S b S , defined by S = S init [N (S init )[N 2 (S init )[ = N (S init ), where $N(X) = \bigcup_{i \in X} N(i)$, is an interesting problem in itself [10]. Here, we assume that each $S_k$ is known and of finite size $n_k$ and map its elements to f0; :::; n k 1g for notational simplicity and efficiency. Symbolic model checking manages subsets of $\hat{S}$ and relation...

43 | Efficient symbolic state-space construction for asynchronous systems
- Ciardo, Lüttgen, et al.

36 | Symbolic guided search for CTL model checking
- Bloem, Ravi, et al.
Citation Context ... convergence. This has spurred work on distributed/parallel algorithms for BDD manipulation and on verification techniques that use only a fraction of the BDD nodes that would be required in principle [3, 19]. Second, symbolic model checking has been quite successful for hardware verification but software, in particular distributed software, has so far been considered beyond reach. This is because the stat...

35 | E.: A parallel algorithm for constructing binary decision diagrams
- Kimura, Clarke
- 1990
Citation Context ...q. Duplicate nodes are not allowed but, unlike the (strictly) reduced ordered decision diagrams of [15], redundant nodes where all arcs point to the same node are allowed (both versions are canonical [16]). Let $A(\langle k|p \rangle)$ be the set of tuples $(i_K, \ldots, i_{k+1})$ labeling paths from $\langle K|r \rangle$ to node $\langle k|p \rangle$, and $B(\langle k|p \rangle)$ the set of tuples $(i_k, \ldots, i_1)$ labeling paths from $\langle k|p \rangle$ to $\langle 0|1 \rangle$. In particular, B(...

26 | P.: Implicit enumeration of strongly connected components and an application to formal verification
- Xie, Beerel
- 2000
Citation Context ...ingle event at a time and makes local decisions that must be globally correct, it would appear that saturation cannot be used to improve EGtrad. However, Fig. 5 shows an algorithm for EG which, like [2, 20], enumerates the SCCs by finding forward and backward reachable sets from a state. However, it uses saturation, instead of breadth-first search. In line 2, Algorithm EGsat disposes of selfloop states in P...

14 | NuSMV: a new Symbolic Model Veri
- Cimatti, Clarke, et al.
- 1999
Citation Context ...oved computation of the basic CTL operators using structural model information. Section 4 gives memory and runtime results for our algorithms implemented in SmArT [7] and compares them with NuSMV [11]. 2 Exploiting the structure of asynchronous models We consider globally-asynchronous locally-synchronous systems specified by a tuple $(\hat{S}, S^{init}, E, N)$, where the potential state space $\hat{S}$ is g...

13 | Efficient reachability set generation and storage using decision diagrams
- Miner, Ciardo
- 1999
Citation Context ...745 and ACI-0203971. The present contribution is based on our earlier work in symbolic state-space generation using multivalued decision diagrams (MDDs), Kronecker encoding of the next state function [17, 8], and the saturation algorithm [9]. This background is summarized in Section 2, which also discusses how to exploit the model structure for MDD manipulation. Section 3 contains our main contribution: ...

10 | Saturation: An efficient iteration strategy for symbolic state-space generation
- Ciardo, Lüttgen, et al.
- 2001
Citation Context ...ibution is based on our earlier work in symbolic state-space generation using multivalued decision diagrams (MDDs), Kronecker encoding of the next state function [17, 8], and the saturation algorithm [9]. This background is summarized in Section 2, which also discusses how to exploit the model structure for MDD manipulation. Section 3 contains our main contribution: improved computation of the basic ...

7 | Efficient fixpoint computation for invariant checking
- Ravi, Somenzi
- 1999
Citation Context ...convergence. This has spurred work on distributed/parallel algorithms for BDD manipulation and on verification techniques that use only a fraction of the BDD nodes that would be required in principle [3, 19]. Second, symbolic model checking has been quite successful for hardware verification but software, in particular distributed software, has so far been considered beyond reach. This is because the sta...

6 | Complexity of memory-efficient Kronecker operations with applications to the solution of Markov models
- Buchholz, Ciardo, et al.
- 2000
Citation Context ...aditional symbolic approaches is our encoding of N [17], inspired by the representation of the transition rate matrix for a continuous-time Markov chain by means of a (real) sum of Kronecker products [5, 18]. This requires a Kronecker-consistent decomposition of the model into submodels, i.e., there must exist functions $N_{\alpha,k} : S_k \to 2^{S_k}$, for $\alpha \in E$ and $K \ge k \ge 1$, such that, for any $i \in \hat{S}$, $N_\alpha(i) = N_{\alpha,K}$ ...

4 | et al., “SMART: Stochastic Model checking Analyzer for Reliability and Timing, User Manual,” available at http://www.cs.ucr.edu/~ciardo/SMART
- Ciardo
Citation Context ...tains our main contribution: improved computation of the basic CTL operators using structural model information. Section 4 gives memory and runtime results for our algorithms implemented in SmArT [7] and compares them with NuSMV [11]. 2 Exploiting the structure of asynchronous models We consider globally-asynchronous locally-synchronous systems specified by a tuple $(\hat{S}, S^{init}, E, N)$, where ...

4 | Efficient computation for invariant checking
- Ravi, Somenzi
- 1999
Citation Context ... convergence. This has spurred work on distributed/parallel algorithms for BDD manipulation and on verification techniques that use only a fraction of the BDD nodes that would be required in principle [3, 19]. Second, symbolic model checking has been quite successful for hardware verification but software, in particular distributed software, has so far been considered beyond reach. This is because the stat...

2 | et al. Partial-order reduction in symbolic state space exploration
- Alur
- 1997
Citation Context ...point iteration interleaves these two phases (see Fig. 3). The following classification of events is analogous to, but different from, the visible vs. invisible one proposed for partial order reduction [1]. Definition 1 In a discrete state model $(\hat{S}, S^{init}, E, N)$, an event is dead with respect to a set of states X if there is no state in X from which its firing leads to a state in X, i.e., N 1 ...