## Large-scale directed model checking LTL (2006)


Venue: In Model Checking Software (SPIN)

Citations: 22 (8 self)

### BibTeX

@INPROCEEDINGS{Edelkamp06large-scaledirected,
  author = {Stefan Edelkamp and Shahid Jabbar},
  title = {Large-scale directed model checking LTL},
  booktitle = {Model Checking Software (SPIN)},
  year = {2006},
  pages = {1--18}
}


### Abstract

To analyze larger models for explicit-state model checking, directed model checking applies error-guided search, external model checking uses secondary storage media, and distributed model checking exploits parallel exploration on multiple processors. In this paper we propose an external, distributed and directed on-the-fly model checking algorithm to check general LTL properties in the model checker SPIN. Previous attempts were restricted to checking safety properties. The worst-case I/O complexity is bounded by O(sort(|F||R|)/p + l · scan(|F||S|)), where S and R are the sets of visited states and transitions in the synchronized product of the Büchi automata for the model and the property specification, F is the number of accepting states, l is the length of the shortest counterexample, and p is the number of processors. The algorithm we propose returns minimal lasso-shaped counterexamples and includes refinements for property-driven exploration.

### Citations

2434 | Model checking
- Clarke, Peled, et al.
- 1999
Citation context: ...uce branching to the overall exploration. The construction assumes that all states in the model are accepting. If arbitrary Büchi automata are intersected, extended acceptance conditions are required [11]. For checking emptiness we have to check that the automaton accepts no word. Accepting runs are present in the automaton if the strongly connected components (SCCs) reachable from the initial state c...

1001 | Depth-first search and linear graph algorithms
- Tarjan
Citation context: ...n challenge for distributed and external on-the-fly model checking is that the depth-first traversal of the global state space graph as used in Nested-DFS (an on-the-fly variant of Tarjan's algorithm [35]) is not efficient. All attempts to solve this problem via variants of breadth-first search [7, 4, 9] arrive at a time complexity that is non-linear in the size of the model. The approach we propose i...

539 | The input/output complexity of sorting and related problems
- Aggarwal, Vitter
- 1988
Citation context: ...The process is repeated until L(i − 1) becomes empty, or the goal has been found. The total execution time is O(sort(|R|) + scan(|S|)) I/Os. The I/O optimality of External BFS is based on the work of [1], who gave a matching lower bound for external sorting. External BFS has been successfully applied to fully explore the 15-Puzzle using 1.4 terabytes of hard disk in about three weeks [22]. The algori...

522 | Pushing the envelope: Planning, propositional logic, and stochastic search
- Kautz, Selman
- 1996
Citation context: ...n bounded automata-based model checking. Bounded model checking [6] uses a propositional SAT solver for the symbolic exploration of model checking problems. It exploits the SATPLAN exploration idea of [20] using a rising search horizon k to generate Boolean formulae encoding the overall exploration problem up to the BFS-level k. In bounded automata-based model checking we use a similar approach, but witho...

335 | On a decision method in restricted second order arithmetic
- Büchi
- 1962
Citation context: ...M) ⊆ L(S) if and only if L(M) ∩ L(S) = ∅. In practice, checking language emptiness is more efficient than checking language inclusion. Büchi automata are closed under intersection and complementation [8], so that there exists an automaton that accepts L(S) and an automaton that accepts L(M) ∩ L(S). It is possible to complement a Büchi automaton equivalent to an LTL formula, but the worst-case running ti...

199 | Temporal logic can be more expressive
- Wolper
- 1983
Citation context: ...by automata, and that the LTL formula can be transformed into an equivalent Büchi automaton. The converse is not always possible, since Büchi automata are clearly more expressive than LTL expressions [36]. Checking correctness is reduced to checking language emptiness. More formally, the model checking procedure validates that a model represented by an automaton M satisfies its specification represent...

131 | The complementation problem for Büchi automata with applications to temporal logic
- Sistla, Vardi, et al.
- 1987

87 | Bounded model checking
- Biere, Cimatti, et al.
- 2003
Citation context: ...es. Without any heuristic the algorithm executes external breadth-first search, where each iteration can actually be seen as a snapshot in bounded automata-based model checking. Bounded model checking [6] uses a propositional SAT solver for the symbolic exploration of model checking problems. It exploits the SATPLAN exploration idea of [20] using a rising search horizon k to generate Boolean formulae ...

71 | Directed explicit-state model checking in the validation of communication protocols
- Edelkamp, Leue, et al.
- 2004
Citation context: ...nsiderably good performances in the large-scale breadth-first and guided exploration of games [22, 12] and in the analysis of model checking problems [24]. Directed explicit-state model checking [13] enhances the error-reporting capabilities of model checkers. The application of guided search for checking liveness properties is restricted to the reduction of trails [14]. Distributed explicit stat...

69 | I/O complexity of graph algorithms
- Munagala
- 1999
Citation context: ...l result in Θ(|S|) I/Os for unstructured accesses to the adjacency lists, and Θ(|R|) I/Os for finding out whether neighboring nodes have already been visited. The explicit external graph algorithm of [27] improves on the latter complexity for the case of undirected graphs, in which duplicates are constrained to be located in adjacent levels. After the preprocessing step the graph is stored in adjacenc...

53 | Depth-first search is inherently sequential
- Reif
- 1984
Citation context: ...n based on DFS appears to be an inappropriate choice for distributed model checking. For distributed model checking the core reason is that in contrast to BFS, DFS appears to be inherently sequential [29]. Different attempts have been suggested to allow an efficient parallelization for model checking liveness. Unfortunately, none of the approaches guarantee a linear time complexity. 3.1 Breadth-First ...

48 | Divide-and-conquer frontier search applied to optimal sequence alignment
- Korf, Zhang
- 2000
Citation context: ...has been successfully applied to fully explore the 15-Puzzle using 1.4 terabytes of hard disk in about three weeks [22]. The algorithm shares similarities with the internal frontier search algorithms [23] that were used for solving the multiple sequence alignment problem, an idea that goes back to Hirschberg [16]. 4.2 External A* External A* [12] maintains the search space on disk. The priority queue data...

42 | Large-scale parallel breadth-first search
- Korf, Schultze
- 1385
Citation context: ...ess to secondary memory. Originally designed for explicit graphs, external search algorithms have shown considerably good performances in the large-scale breadth-first and guided exploration of games [22, 12] and in the analysis of model checking problems [24]. Directed explicit-state model checking [13] enhances the error-reporting capabilities of model checkers. The application of guided search for...

40 | Distributed explicit fair cycle detection
- Černá, Pelánek
Citation context: ...or-reporting capabilities of model checkers. The application of guided search for checking liveness properties is restricted to the reduction of trails [14]. Distributed explicit state model checking [9, 25] uses several processors working in parallel to enhance the exploration of larger models. In [18] we have given a first report on combining directed, parallel and external explicit-state model checkin...

37 | Best-first frontier search with delayed duplicate detection
- Korf
- 2004
Citation context: ...t successor generation. An implicit variant of the above algorithm [27] for explicit BFS search in implicit graphs has been coined to the term delayed duplicate detection for frontier search [21]. It assumes an undirected search graph. The algorithm maintains BFS layers on disk. Layer L(i−1) is scanned and the set of successors are put into a buffer of size close to the main memory capacity. ...

37 | On the complexity of ω-automata
- Safra
- 1988

26 | Parallel Breadth-First Search LTL Model Checking
- Barnat, Brim, et al.
- 2003
Citation context: ...rsal of the global state space graph as used in Nested-DFS (an on-the-fly variant of Tarjan's algorithm [35]) is not efficient. All attempts to solve this problem via variants of breadth-first search [7, 4, 9] arrive at a time complexity that is non-linear in the size of the model. The approach we propose in this paper is based on a translation procedure of liveness problems into safety problems [32]. The ...

24 | Accepting Predecessors are Better than Back Edges
- Brim, Černá, Šimša, et al.
Citation context: ...rsal of the global state space graph as used in Nested-DFS (an on-the-fly variant of Tarjan's algorithm [35]) is not efficient. All attempts to solve this problem via variants of breadth-first search [7, 4, 9] arrive at a time complexity that is non-linear in the size of the model. The approach we propose in this paper is based on a translation procedure of liveness problems into safety problems [32]. The ...

23 | Efficient reduction of finite state model checking to reachability analysis
- Schuppan, Biere
Citation context: ... [7, 4, 9] arrive at a time complexity that is non-linear in the size of the model. The approach we propose in this paper is based on a translation procedure of liveness problems into safety problems [32]. The translation approach has the advantage that the underlying algorithm design to detect safety errors does not have to be changed. More crucially, the approach includes a rich state description which al...

21 | External memory graph algorithms
- Chiang, Goodrich, et al.
- 1995
Citation context: ...nts is needed. Insertion and deletion take 1/B I/Os in the amortized sense. The I/O complexity for external DFS for explicit (possibly directed) graphs has been shown to be O(|S| + |S|/M · scan(|R|)) [10]. There are |S|/M stages where the internal buffer for the visited state set becomes full, in which case it is flushed and duplicates are eliminated from the external adjacency list representation by ...

20 | Property Driven Distribution of Nested DFS
- Barnat, Brim, et al.
- 2002
Citation context: ... the size of the intersected state transition graph, but it is capable of reporting counter-examples before the entire state space has been seen. Property-driven or improved nested-depth-first search [3, 25] partitions the never-claim into SCCs. The main observation is that cycles in the state transition graph of the intersection of the system M and the never-claim automaton N is accepting only if the co...

20 | Parallel External Directed Model Checking with Linear I/O
- Jabbar, Edelkamp
- 2006
Citation context: ...al solution path, so that we can recur. As generating the predecessor state can be problematic in software model checking domains, we may store with each state its predecessor o... (footnote 3: For a full treatment of the parallel execution of External A* we refer the reader to [19]. As the paper is not printed yet, the reviewers can obtain a copy of the work at http://ls5-www.cs.uni-dortmund.de/~jabbar/vmcai06.pdf)

19 | External A*
- Edelkamp, Jabbar, et al.
- 2004
Citation context: ...ess to secondary memory. Originally designed for explicit graphs, external search algorithms have shown considerably good performances in the large-scale breadth-first and guided exploration of games [22, 12] and in the analysis of model checking problems [24]. Directed explicit-state model checking [13] enhances the error-reporting capabilities of model checkers. The application of guided search for...

13 | Algorithms for Memory Hierarchies
- Meyer
- 2003
Citation context: ...ntroduction The core limitation to the exploration of systems are bounded main memory resources. Relying on virtual memory slows down the exploration due to excessive page faults. External algorithms [31] exploit hard disk space and organize the access to secondary memory. Originally designed for explicit graphs, external search algorithms have shown considerably good performances in the large-scale b...

10 | I/O efficient directed model checking
- Jabbar, Edelkamp
- 2005
Citation context: ...properties is restricted to the reduction of trails [14]. Distributed explicit state model checking [9, 25] uses several processors working in parallel to enhance the exploration of larger models. In [18] we have given a first report on combining directed, parallel and external explicit-state model checking to enhance the search for minimal counterexamples for safety errors. Under certain assumptions ...

9 | Directed search for the verification of communication protocols
- Lluch-Lafuente
- 2003
Citation context: ...the never-claim automaton N is included as follows: H′_M(s, s′) = max{H_M(s, s′), D_N(pc_N(s), pc_N(s′))}. As the product of different processes is asynchronous, it is not difficult to see [26] that the FSM distance is monotone, i.e., H_M(s) − H_M(s′) ≤ 1 for each pair (s, s′) with s′ being the direct successor of s. Monotone heuristics guarantee the optimality of counterexample paths in...

8 | Efficient path finding with the sweep-line method using external storage
- Kristensen, Mailund
- 2003
Citation context: ...t graphs, external search algorithms have shown considerably good performances in the large-scale breadth-first and guided exploration of games [22, 12] and in the analysis of model checking problems [24]. Directed explicit-state model checking [13] enhances the error-reporting capabilities of model checkers. The application of guided search for checking liveness properties is restricted to the r...

7 | From Distributed Memory Cycle Detection to Parallel LTL Model Checking
- Barnat, Brim, et al.
- 2005
Citation context: ...one of the approaches guarantee a linear time complexity. 3.1 Breadth-First LTL Model Checking A line of research tries to avoid nested depth-first search by studying variants of breadth-first search [5, 4, 7]. The approach presented in [5, 4] invokes a secondary search for detecting cycles from BFS backward edges, i.e., transitions encountered in the overall state space that link states in larger, togethe...

7 | Liveness checking as safety checking for infinite state spaces
- Schuppan, Biere
- 2005
Citation context: ...xploration algorithms themselves have not (or only minorly) to be changed. For example, in [32] the authors show how to extend models using so-called observers and applying the same model checker. In [33] the authors showed that for fairness constraints of the form Fp we have that ρ = (S_1 … S_{l−1})(S_l … S_{k−1})^ω is a run in the state space S if and only if ρ′ = (S_0, S_0, 0, 0) … (S_{l−1}, S_{l−1}, ...

5 | On nested depth-first search, in The Spin Verification System
- Holzmann, Peled, et al.
- 1996
Citation context: ...eded in order to check the desired property. For checking the synchronous product graph of the model and the specification for accepting cycles on-the-fly, nested-depth-first search has been proposed [17]. It explores the state space in a depth-first manner, stores visited states in a visited list, marks states which are on the current search stack, and invokes a secondary DFS starting at accepting st...

4 | Partial order reduction and trail improvement in directed model checking
- Edelkamp, Leue, et al.
- 2004
Citation context: ...licit-state model checking [13] enhances the error-reporting capabilities of model checkers. The application of guided search for checking liveness properties is restricted to the reduction of trails [14]. Distributed explicit state model checking [9, 25] uses several processors working in parallel to enhance the exploration of larger models. In [18] we have given a first report on combining directed,...

4 | A Linear Space Algorithm For Computing Common Subsequences
- Hirschberg
- 1975
Citation context: ...ee weeks [22]. The algorithm shares similarities with the internal frontier search algorithms [23] that were used for solving the multiple sequence alignment problem, an idea that goes back to Hirschberg [16]. 4.2 External A* External A* [12] maintains the search space on disk. The priority queue data structure is represented as a list of buckets. In the course of the algorithm, each bucket L(i, j) will c...

4 | Liveness checking as safety checking for infinite state spaces
- Schuppan, Biere
- 2006
Citation context: ...ion algorithms themselves have not (or only in a minor way) to be changed. For example, in [32] the authors show how to extend models using so-called observers and applying the same model checker. In [33] the authors showed that for fairness constraints of the form Fp we have that ρ = (S_1 … S_{l−1})(S_l … S_{k−1})^ω is a run in the state space S if and only if ρ′ = (S_0, S_0, 0, 0) … (S_{l−1}, S_{l−1}, ...

2 | Model checking operator procedures
- Zhang
- 1999
Citation context: ...ored nodes for Nested-DFS is much smaller as compared to blind BFS and A* LTL property search. The established counterexample is longer. In the second experiment we take a larger protocol, as used in [37], a Promela model of a procedure with related processes. In Table 2 we see an opposite behavior as compared to the previous experiment. External search performed ... (footnote 7: Without the predefined bound on the ...)

2 | From distribution memory cycle detection to parallel model checking
- Schuppan, Biere
Citation context: ... [7, 4, 9] arrive at a time complexity that is non-linear in the size of the model. The approach we propose in this paper is based on a translation procedure of liveness problems into safety problems [32]. The translation approach has the advantage that the underlying algorithm design to detect safety errors does not have to be changed. More crucially, the approach includes a rich state description which al...

1 | Is there a best symbolic cycle detection algorithm
- Fisler, Fraer, et al.
- 2001
Citation context: ... partial order reduction. In [7], instead of backward edges, predecessor acceptance is chosen for an O(|R|² + |S|) algorithm. 3.2 Explicit Fair Cycle Detection In [9], the symbolic OWCTY algorithm [15] is converted into an explicit one. Similar to Tarjan's algorithm, the approach computes the entire reachability set before extracting the cycle. Unlike Tarjan's algorithm, the order of the exploratio...

1 | Simplified distributed LTL model checking by localizing cycles
- Lluch-Lafuente
- 2002
Citation context: ...or-reporting capabilities of model checkers. The application of guided search for checking liveness properties is restricted to the reduction of trails [14]. Distributed explicit state model checking [9, 25] uses several processors working in parallel to enhance the exploration of larger models. In [18] we have given a first report on combining directed, parallel and external explicit-state model checkin...