## Fighting state space explosion: Review and evaluation (2008)

Venue: In Proc. of Formal Methods for Industrial Critical Systems (FMICS’08)

Citations: 7 (3 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Pelánek08fightingstate,
  author    = {Radek Pelánek},
  title     = {Fighting state space explosion: Review and evaluation},
  booktitle = {In Proc. of Formal Methods for Industrial Critical Systems (FMICS'08)},
  year      = {2008}
}
```

### Abstract

In order to apply formal methods in practice, the practitioner has to comprehend a vast amount of research literature and realistically evaluate the practical merits of different approaches. In this paper we focus on explicit finite state model checking and study this area from the practitioner’s point of view. We provide a systematic overview of techniques for fighting state space explosion and we analyse trends in the research. We also report on our own experience with the practical performance of these techniques. Our main conclusion and recommendation for the practitioner is the following: be critical of claims of dramatic improvement brought by a single sophisticated technique; rather, use many different simple techniques and combine them.

### Citations

585 | An automata-theoretic approach to automatic program verification
- Vardi, Wolper
- 1986
Citation Context: ...e state space. This basic algorithm can be directly used for verification of simple safety properties; for more complex properties, we have to use more sophisticated algorithms (e.g., cycle detection [72]). Nevertheless, the basic ideas of techniques for fighting state space explosion are similar. For clarity, we discuss these techniques mainly with respect to the basic Explore algorithm. The main pro...

291 | Partial-Order Methods for the Verification of Concurrent Systems - An Approach to the State-Explosion Problem
- Godefroid
- 1996
Citation Context: ...ctions and therefore have the same effect. These reductions try to reduce the number of equivalent interleavings. Examples of such reductions are transition merging [18,48], partial order reduction [27,33,40,63,64], τ-confluence [11], and simultaneous reachability analysis [55]. Compositional methods Systems are often specified as a composition of several components. This structure can be exploited in two ways:...

271 | Model checking and modular verification
- Grumberg, Long
- 1994
Citation Context: ...methods Systems are often specified as a composition of several components. This structure can be exploited in two ways: compositional generation of the state space [46] and assume-guarantee approach [22,32,66]. 2.2 Storage Size Reductions The main bottleneck of model checking are usually memory requirements. Therefore, we can save some memory at the cost of using more time, i.e., by employing some kind of ...

189 | Combining partial order reductions with on-the-fly model checking
- Peled
- 1996
Citation Context: ...ctions and therefore have the same effect. These reductions try to reduce the number of equivalent interleavings. Examples of such reductions are transition merging [18,48], partial order reduction [27,33,40,63,64], τ-confluence [11], and simultaneous reachability analysis [55]. Compositional methods Systems are often specified as a composition of several components. This structure can be exploited in two ways:...

185 | Better verification through symmetry
- Ip, Dill
- 1993
Citation Context: ...ne of them. The reduction can be performed either on-the-fly during the exploration or by a static modification of the model before the exploration. Examples of such reductions are symmetry reduction [12,20,43,44,70,74], live variable reduction [21,69], cone of influence reductions, and slicing [19,35]. Path based reductions Path based reductions exploit observation that sometimes it is sufficient to explore only on...

114 | An Improvement in Formal Verification
- Holzmann, Peled
- 1994
Citation Context: ...ctions and therefore have the same effect. These reductions try to reduce the number of equivalent interleavings. Examples of such reductions are transition merging [18,48], partial order reduction [27,33,40,63,64], τ-confluence [11], and simultaneous reachability analysis [55]. Compositional methods Systems are often specified as a composition of several components. This structure can be exploited in two ways:...

82 | An analysis of bitstate hashing
- Holzmann
- 1998
Citation Context: ...ture, or combining random walk with local breadth-first search, see e.g., [36,45,52,53,60]. Bitstate hashing The algorithm does not store whole states but only one bit per state in a large hash table [37]. In a case of collision some states are omitted by the search. A more involved version of this technique is based on Bloom filters [16,17]. 3 Research Analysis What are the trends in the research lit...

68 | Thread-modular model checking
- Flanagan, Qadeer
- 2003
Citation Context: ...methods Systems are often specified as a composition of several components. This structure can be exploited in two ways: compositional generation of the state space [46] and assume-guarantee approach [22,32,66]. 2.2 Storage Size Reductions The main bottleneck of model checking are usually memory requirements. Therefore, we can save some memory at the cost of using more time, i.e., by employing some kind of ...

60 | Distributed-Memory Model Checking with SPIN
- Lerda, Sisto
- 1999
Citation Context: ...te space is partitioned among workstations (i.e., each workstation stores part of the data structure Visited) and workstations exchange messages about states to be visited (Wait structure), see e.g., [23,50,51]. The application of distributed environment for verification of liveness properties is more complicated, because classical algorithms are based on depth-first search, which cannot be easily adapted f...

57 | Efficient Verification of Realtime Systems: Compact Data Structure and State-space Reduction
- Larsen, Larsson, et al.
- 1997
Citation Context: ...ly on this structure. State compression During the search, each state is represented as a byte vector which can be quite large (e.g., 100 bytes). In order to save space, this vector can be compressed [25,26,30,39,49,56,73] or common components can be shared [38]. Instead of compressing individual states, we can also represent the whole structure Visited implicitly as a minimized deterministic automaton [41]. Caching an...

51 | In transition from global to modular temporal reasoning about programs. Logics and models of concurrent systems
- 1985
Citation Context: ...methods Systems are often specified as a composition of several components. This structure can be exploited in two ways: compositional generation of the state space [46] and assume-guarantee approach [22,32,66]. 2.2 Storage Size Reductions The main bottleneck of model checking are usually memory requirements. Therefore, we can save some memory at the cost of using more time, i.e., by employing some kind of ...

50 | Parallel state space construction for model-checking
- Garavel, Mateescu, et al.
- 2001
Citation Context: ...te space is partitioned among workstations (i.e., each workstation stores part of the data structure Visited) and workstations exchange messages about states to be visited (Wait structure), see e.g., [23,50,51]. The application of distributed environment for verification of liveness properties is more complicated, because classical algorithms are based on depth-first search, which cannot be easily adapted f...

49 | Exploring Very Large State Spaces Using Genetic Algorithms. In TACAS, pages 266–280
- Godefroid, Khurshid
Citation Context: ...an order given by some heuristics, i.e., Wait list is implemented as priority queue [31,47,67]. Different heuristic approach is to use genetic algorithm which tries to ‘evolve’ a path to a goal state [29]. Random walk and partial search Random walk does not store any information and always visits just one successor of a current state [34,60]. This basic strategy can be extended in several ways, e.g., ...

49 | Heuristic model checking for Java programs
- Groce, Visser
- 2004
Citation Context: ...ot assist us in proving correctness. Heuristic search (also called directed or guided search) States are visited in an order given by some heuristics, i.e., Wait list is implemented as priority queue [31,47,67]. Different heuristic approach is to use genetic algorithm which tries to ‘evolve’ a path to a goal state [29]. Random walk and partial search Random walk does not store any information and always vis...

47 | Protocol Verification Using Reachability Analysis: The State Space Explosion Problem and Relief Strategies
- Lin, Chu, et al.
- 1987
Citation Context: ...veral ways, e.g., by visiting a subset of all successors (instead of just one state), storing some states in the Visited structure, or combining random walk with local breadth-first search, see e.g., [36,45,52,53,60]. Bitstate hashing The algorithm does not store whole states but only one bit per state in a large hash table [37]. In a case of collision some states are omitted by the search. A more involved versio...

44 | A sweep-line method for state space exploration
- Christensen, Kristensen, et al.
- 2001
Citation Context: ... – caching [24,28,65], which deletes some currently stored states when the memory is full, – selective storing [9,49], which stores only some states according to given heuristics, – sweep line method [15,54,68], which uses so called progress function; this function guarantees that some states will not be revisited in the future and hence these states can be deleted from the memory. Use of magnetic disk Simp...

41 | Distributed LTL Model-Checking in SPIN
- Barnat, Brim, et al.
- 2001
Citation Context: ...hms are based on depth-first search, which cannot be easily adapted for distributed environment. Hence, for verification of liveness properties we have to use more sophisticated algorithms, see e.g., [1,2,3,5,13,14]. Multi-core processors Recently, multi-core processors become widely available. Multi-core processors provide parallelism with shared memory, i.e., the possibility to reduce run-time of the verificat...

41 | State compression in SPIN: Recursive indexing and compression training runs
- Holzmann
- 1997
Citation Context: ... each state is represented as a byte vector which can be quite large (e.g., 100 bytes). In order to save space, this vector can be compressed [25,26,30,39,49,56,73] or common components can be shared [38]. Instead of compressing individual states, we can also represent the whole structure Visited implicitly as a minimized deterministic automaton [41]. Caching and selective storing Instead of storing a...

40 | Distributed explicit fair cycle detection
- Černá, Pelánek
Citation Context: ...hms are based on depth-first search, which cannot be easily adapted for distributed environment. Hence, for verification of liveness properties we have to use more sophisticated algorithms, see e.g., [1,2,3,5,13,14]. Multi-core processors Recently, multi-core processors become widely available. Multi-core processors provide parallelism with shared memory, i.e., the possibility to reduce run-time of the verificat...

38 | State Space Caching Revisited
- Godefroid, Holzmann, et al.
Citation Context: ...ted, we can store only some of these states — this approach can lead to revisits of some states and hence can increase runtime, but it saves memory. Techniques of this type are for example: – caching [24,28,65], which deletes some currently stored states when the memory is full, – selective storing [9,49], which stores only some states according to given heuristics, – sweep line method [15,54,68], which use...

38 | Symmetry Reduction Criteria for Software Model Checking
- Iosif
- 2002
Citation Context: ...ne of them. The reduction can be performed either on-the-fly during the exploration or by a static modification of the model before the exploration. Examples of such reductions are symmetry reduction [12,20,43,44,70,74], live variable reduction [21,69], cone of influence reductions, and slicing [19,35]. Path based reductions Path based reductions exploit observation that sometimes it is sufficient to explore only on...

36 | Addressing Dynamic Issues of Program Model Checking. Model Checking Software
- Lerda, Visser
- 2001
Citation Context: ...te space is partitioned among workstations (i.e., each workstation stores part of the data structure Visited) and workstations exchange messages about states to be visited (Wait structure), see e.g., [23,50,51]. The application of distributed environment for verification of liveness properties is more complicated, because classical algorithms are based on depth-first search, which cannot be easily adapted f...

34 | Using magnetic disk instead of main memory in the Murphi verifier
- Stern, Dill
- 1998
Citation Context: ... from the memory. Use of magnetic disk Simple use of magnetic disk leads to an extensive swapping and slows down the computation extremely. So the magnetic disk have to be used in a sophisticated way [7,8,71] in order to minimize disk operations. 2.3 Parallel and Distributed Computation Another approach to manage a large number of states is to use even more brute force — more processors. Networks of works...

29 | Distributed LTL Model Checking Based on Negative Cycle Detection
- Brim, Černá, et al.
- 2001
Citation Context: ...hms are based on depth-first search, which cannot be easily adapted for distributed environment. Hence, for verification of liveness properties we have to use more sophisticated algorithms, see e.g., [1,2,3,5,13,14]. Multi-core processors Recently, multi-core processors become widely available. Multi-core processors provide parallelism with shared memory, i.e., the possibility to reduce run-time of the verificat...

29 | The Design of a Multicore Extension of the SPIN Model Checker
- Holzmann, Bosnacki
Citation Context: ...ecome widely available. Multi-core processors provide parallelism with shared memory, i.e., the possibility to reduce run-time of the verification by parallel exploration of several states, see e.g., [4,42]. 2.4 Randomized Techniques and Heuristics If the memory requirements of the search are too large even after the application of above given techniques, we can use randomized techniques and heuristics....

29 | Compositional State Space Generation from LOTOS Programs
- Krimm, Mounier
- 1997
Citation Context: ...ility analysis [55]. Compositional methods Systems are often specified as a composition of several components. This structure can be exploited in two ways: compositional generation of the state space [46] and assume-guarantee approach [22,32,66]. 2.2 Storage Size Reductions The main bottleneck of model checking are usually memory requirements. Therefore, we can save some memory at the cost of using mo...

26 | Parallel Breadth-First Search LTL Model-Checking
- Barnat, Brim, et al.
- 2003

26 | State space reduction by proving confluence
- Blom, van de Pol
- 2002
Citation Context: ...same effect. These reductions try to reduce the number of equivalent interleavings. Examples of such reductions are transition merging [18,48], partial order reduction [27,33,40,63,64], τ-confluence [11], and simultaneous reachability analysis [55]. Compositional methods Systems are often specified as a composition of several components. This structure can be exploited in two ways: compositional gene...

26 | Algorithms for Automated Protocol Verification
- Holzmann
- 1988
Citation Context: ...veral ways, e.g., by visiting a subset of all successors (instead of just one state), storing some states in the Visited structure, or combining random walk with local breadth-first search, see e.g., [36,45,52,53,60]. Bitstate hashing The algorithm does not store whole states but only one bit per state in a large hash table [37]. In a case of collision some states are omitted by the search. A more involved versio...

21 | Probabilistic State Space Search
- Kuehlmann, McMillan, et al.
- 1999
Citation Context: ...ot assist us in proving correctness. Heuristic search (also called directed or guided search) States are visited in an order given by some heuristics, i.e., Wait list is implemented as priority queue [31,47,67]. Different heuristic approach is to use genetic algorithm which tries to ‘evolve’ a path to a goal state [29]. Random walk and partial search Random walk does not store any information and always vis...

21 | On the random walk method for protocol testing
- Mihail, Papadimitriou
- 1994
Citation Context: ...veral ways, e.g., by visiting a subset of all successors (instead of just one state), storing some states in the Visited structure, or combining random walk with local breadth-first search, see e.g., [36,45,52,53,60]. Bitstate hashing The algorithm does not store whole states but only one bit per state in a large hash table [37]. In a case of collision some states are omitted by the search. A more involved versio...

21 | Guided invariant model checking based on abstraction and symbolic pattern databases
- Qian, Nymeyer
- 2004
Citation Context: ...ot assist us in proving correctness. Heuristic search (also called directed or guided search) States are visited in an order given by some heuristics, i.e., Wait list is implemented as priority queue [31,47,67]. Different heuristic approach is to use genetic algorithm which tries to ‘evolve’ a path to a goal state [29]. Random walk and partial search Random walk does not store any information and always vis...

20 | Property Driven Distribution of Nested DFS
- Barnat, Brim, et al.
- 2002

20 | To Store or Not to Store
- Behrmann, Larsen, et al.
- 2003
Citation Context: ...hence can increase runtime, but it saves memory. Techniques of this type are for example: – caching [24,28,65], which deletes some currently stored states when the memory is full, – selective storing [9,49], which stores only some states according to given heuristics, – sweep line method [15,54,68], which uses so called progress function; this function guarantees that some states will not be revisited i...

20 | A minimized automaton representation of reachable states
- Holzmann, Puri
- 1998
Citation Context: ...,30,39,49,56,73] or common components can be shared [38]. Instead of compressing individual states, we can also represent the whole structure Visited implicitly as a minimized deterministic automaton [41]. Caching and selective storing Instead of storing all states in the structure Visited, we can store only some of these states — this approach can lead to revisits of some states and hence can increas...

18 | Scalable Multi-core LTL Model-Checking
- Barnat, Brim, et al.
- 2007
Citation Context: ...ecome widely available. Multi-core processors provide parallelism with shared memory, i.e., the possibility to reduce run-time of the verification by parallel exploration of several states, see e.g., [4,42]. 2.4 Randomized Techniques and Heuristics If the memory requirements of the search are too large even after the application of above given techniques, we can use randomized techniques and heuristics....

17 | Fast and Accurate Bitstate Verification for SPIN
- Dillinger, Manolios
- 2004
Citation Context: ...e whole states but only one bit per state in a large hash table [37]. In a case of collision some states are omitted by the search. A more involved version of this technique is based on Bloom filters [16,17]. 3 Research Analysis What are the trends in the research literature about techniques for fighting state space explosion? Is the quality of experimental evidence improving? How significant is the impr...

17 | Virtual symmetry reduction
- Emerson, Havlicek, et al.
- 2000
Citation Context: ...ne of them. The reduction can be performed either on-the-fly during the exploration or by a static modification of the model before the exploration. Examples of such reductions are symmetry reduction [12,20,43,44,70,74], live variable reduction [21,69], cone of influence reductions, and slicing [19,35]. Path based reductions Path based reductions exploit observation that sometimes it is sufficient to explore only on...

17 | Protocol validation by simultaneous reachability analysis
- Özdemir, Ural
- 1997
Citation Context: ...the number of equivalent interleavings. Examples of such reductions are transition merging [18,48], partial order reduction [27,33,40,63,64], τ-confluence [11], and simultaneous reachability analysis [55]. Compositional methods Systems are often specified as a composition of several components. This structure can be exploited in two ways: compositional generation of the state space [46] and assume-gua...

15 | Principles of the SPIN Model Checker
- Ben-Ari
- 2008
Citation Context: ... approach is illustrated by large number of available tools (e.g., Spin, CADP, mCRL2, Uppaal, Divine, Java PathFinder, Helena) and widespread availability of courses and textbooks on the topic (e.g., [10]). The main obstacle in applying explicit model checking in practice is the state space explosion problem. Hence, the research focuses mainly on techniques for fighting state space explosions — during...

15 | State space reduction based on live variables analysis
- Fernandez, Bozga, et al.
- 2003
Citation Context: ...ther on-the-fly during the exploration or by a static modification of the model before the exploration. Examples of such reductions are symmetry reduction [12,20,43,44,70,74], live variable reduction [21,69], cone of influence reductions, and slicing [19,35]. Path based reductions Path based reductions exploit observation that sometimes it is sufficient to explore only one of two sequences of actions bec...

15 | Enhancing random walk state space exploration, 10th international workshop on Formal methods for industrial critical systems
- Pelánek, Hanžl, et al.
- 2005
Citation Context: ...enetic algorithm which tries to ‘evolve’ a path to a goal state [29]. Random walk and partial search Random walk does not store any information and always visits just one successor of a current state [34,60]. This basic strategy can be extended in several ways, e.g., by visiting a subset of all successors (instead of just one state), storing some states in the Visited structure, or combining random walk ...

15 | Symmetry and reduced symmetry in model checking
- Sistla, Godefroid

14 | Exploiting transition locality in automatic verification of finite state concurrent systems
- Penna, Intrigila, et al.
Citation Context: ...ted, we can store only some of these states — this approach can lead to revisits of some states and hence can increase runtime, but it saves memory. Techniques of this type are for example: – caching [24,28,65], which deletes some currently stored states when the memory is full, – selective storing [9,49], which stores only some states according to given heuristics, – sweep line method [15,54,68], which use...

13 | Evaluating the effectiveness of slicing for model reduction of concurrent object-oriented programs
- Dwyer, Hatcliff, et al.
- 2006
Citation Context: ...ic modification of the model before the exploration. Examples of such reductions are symmetry reduction [12,20,43,44,70,74], live variable reduction [21,69], cone of influence reductions, and slicing [19,35]. Path based reductions Path based reductions exploit observation that sometimes it is sufficient to explore only one of two sequences of actions because they are just different linearizations of “ind...

12 | State caching reconsidered
- Geldenhuys
Citation Context: ...ted, we can store only some of these states — this approach can lead to revisits of some states and hence can increase runtime, but it saves memory. Techniques of this type are for example: – caching [24,28,65], which deletes some currently stored states when the memory is full, – selective storing [9,49], which stores only some states according to given heuristics, – sweep line method [15,54,68], which use...

12 | Improving Partial Order Reductions for Universal Branching Time Properties. Fundamenta Informaticae
- Penczek, Szreter, et al.
- 2000

12 | Memory efficient state storage in SPIN
- Visser
- 1996
Citation Context: ...ly on this structure. State compression During the search, each state is represented as a byte vector which can be quite large (e.g., 100 bytes). In order to save space, this vector can be compressed [25,26,30,39,49,56,73] or common components can be shared [38]. Instead of compressing individual states, we can also represent the whole structure Visited implicitly as a minimized deterministic automaton [41]. Caching an...

10 | Revisiting Resistance Speeds Up I/O-Efficient LTL Model Checking
- Barnat, Brim, et al.
Citation Context: ... from the memory. Use of magnetic disk Simple use of magnetic disk leads to an extensive swapping and slows down the computation extremely. So the magnetic disk have to be used in a sophisticated way [7,8,71] in order to minimize disk operations. 2.3 Parallel and Distributed Computation Another approach to manage a large number of states is to use even more brute force — more processors. Networks of works...

10 | Bloom filters in probabilistic verification
- Dillinger, Manolios
- 2004
Citation Context: ...e whole states but only one bit per state in a large hash table [37]. In a case of collision some states are omitted by the search. A more involved version of this technique is based on Bloom filters [16,17]. 3 Research Analysis What are the trends in the research literature about techniques for fighting state space explosion? Is the quality of experimental evidence improving? How significant is the impr...