## Partial-order verification in SPIN can be more efficient (1997)

Venue: In Proceedings of the 3rd International SPIN Workshop on Model Checking of Software (SPIN '97)

Citations: 1 (0 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Schoot97partial-orderverification,
  author    = {Hans Van Der Schoot},
  title     = {Partial-order verification in SPIN can be more efficient},
  booktitle = {In Proceedings of the 3rd International SPIN Workshop on Model Checking of Software (SPIN '97},
  year      = {1997}
}
```

### Abstract

Partial-order reduction methods form a collection of state exploration techniques set to relieve the state-explosion problem in concurrent program verification. One such method is implemented in the verification tool SPIN. Its use often reduces significantly the memory and time needed for verifying local and termination properties of concurrent programs and, moreover, for verifying that concurrent programs satisfy their linear temporal logic specifications (i.e. for LTL model-checking). This paper builds on SPIN's partial-order reduction method to yield an approach which enables further reductions in space and time for verifying concurrent programs.

Keywords: Concurrency, program correctness, model-checking, partial-order reduction, temporal logic

1 Introduction

Partial-order reduction methods [3-5, 8, 11, 20, 21, 25-27] form a collection of state exploration techniques set to relieve the state-explosion problem in concurrent program verification. The main observation underlying these ...

### Citations

769 citations: Design and Validation of Computer Protocols
- Holzmann
- 1991

Citation context: ...ng up the partial-order reduction method in [21, 8]. First, it is implemented as an extension to the model-checker SPIN [8]. SPIN is a verification tool for programs specified in the language Promela [7] and is increasingly being used for teaching and for industrial applications. In addition, this partial-order reduction method is advocated as the most advanced in terms of the properties that can be ...

264 citations: A stubborn attack on state explosion
- Valmari
- 1991

Citation context: ...er reduction methods have proved adequate for verifying local and termination properties of concurrent programs [3, 4, 11, 25] and, moreover, for verifying linear-time temporal logic (LTL) properties [5, 8, 20, 21, 26]. The latter is usually referred to as LTL model-checking and captures arbitrary safety and liveness properties of concurrent programs [28]. Experiments have indicated that in many cases partial-order...

236 citations: Checking that finite state concurrent programs satisfy their linear specification
- Lichtenstein, Pnueli
- 1985

Citation context: ...e stuttering equivalent to it. Hence, when a property φ is stuttering closed, φ holds in all the sequences generated by G iff it holds for all the computations of P. Algorithms for LTL model-checking [13] can then be applied directly to G rather than to the full state graph of P. 3.2 Model-checking on-the-fly When model-checking is performed on-the-fly, a program P is examined during rather than after...

190 citations: Combining partial order reductions with on-the-fly model-checking
- Peled
- 1994

Citation context: ...at this advantage applies equally well to our approach. One simply adopts the same adjustment to C3 and constructs leap sets as before from ample sets that respect the modified condition. We refer to [21] for details, which should convince the interested reader of this claim. Alternative methods exist for partial-order model-checking [5, 26, 27] which vary, among others, in the way they select an appr...

179 citations: What good is temporal logic
- Lamport

Citation context: ...til) and ` ' (next-time). Without the operator ` ' an LTL formula is called next-time-free and is then stuttering closed, meaning that it cannot distinguish between two stuttering equivalent sequences [12]. Two sequences are stuttering equivalent (wrt a formula φ) if one sequence can be obtained from the other by replacing in it every finite adjacent number of occurrences of the same (wrt φ) program st...

160 citations: Using partial orders for the efficient verification of deadlock freedom and safety properties, CAV '91
- Godefroid, Wolper
- 1992

Citation context: ... a means for reducing the size of the state space that needs to be analyzed. Partial-order reduction methods have proved adequate for verifying local and termination properties of concurrent programs [3, 4, 11, 25] and, moreover, for verifying linear-time temporal logic (LTL) properties [5, 8, 20, 21, 26]. The latter is usually referred to as LTL model-checking and captures arbitrary safety and liveness propert...

156 citations: Stubborn sets for reduced state space generation, in
- Valmari
- 1989

Citation context: ... a means for reducing the size of the state space that needs to be analyzed. Partial-order reduction methods have proved adequate for verifying local and termination properties of concurrent programs [3, 4, 11, 25] and, moreover, for verifying linear-time temporal logic (LTL) properties [5, 8, 20, 21, 26]. The latter is usually referred to as LTL model-checking and captures arbitrary safety and liveness propert...

152 citations: All from one, one for all: on model checking using representatives, in
- Peled
- 1993

Citation context: ... in space and time for verifying concurrent programs. Keywords Concurrency, program correctness, model-checking, partial-order reduction, temporal logic 1 Introduction Partial-order reduction methods [3-5, 8, 11, 20, 21, 25-27] form a collection of state exploration techniques set to relieve the state-explosion problem in concurrent program verification. The main observation underlying these methods is that in many cases th...

146 citations: Using partial orders to improve automatic verification methods
- Godefroid
- 1990

Citation context: ...st for partial-order model-checking [5, 26, 27] which vary, among others, in the way they select an appropriate subset of the enabled operations at a given program state to determine successor states [3, 25]. Such a set is called a persistent set in [3] and a stubborn set in [25-27]. These different methods are amply compared in [21]. The point here is that the proposed enhancement for partial-order mode...

127 citations: Memory efficient algorithms for verification of temporal properties
- Courcoubetis, Vardi, et al.
- 1992

Citation context: ...ruction of its state space. This involves in practice computing the synchronous product G ⊗ B_φ of the full state graph G of P and a Büchi automaton B_φ formalizing the negation of the checked formula φ [2, 7, 28]. Each transition of this product is of the form (x, y) -a,P-> (x', y'), where x -a-> x' is an edge/transition of G and y -P-> y' a transition of B_φ such that proposition P is true in program state x. Its initial s...

123 citations: Trace theory
- Mazurkiewicz
- 1987

Citation context: ...lation among sequences of operations. First, for finite sequences v and v', v is equivalent to v', denoted by v ≡_D v', iff v can be obtained from v' by repeatedly permuting adjacent independent operations [16]. The relation ≡_D is then extended to infinite sequences as follows [21]. Let Pref(w) be the set of finite prefixes of a (finite or infinite) sequence w, and define v ⊑_D v' iff ∀u ∈ Pref(v) ∃w ∈ Pref(v') ∃z...

114 citations: An Improvement in Formal Verification
- Holzmann, Peled
- 1994

Citation context: ... in space and time for verifying concurrent programs. Keywords Concurrency, program correctness, model-checking, partial-order reduction, temporal logic 1 Introduction Partial-order reduction methods [3-5, 8, 11, 20, 21, 25-27] form a collection of state exploration techniques set to relieve the state-explosion problem in concurrent program verification. The main observation underlying these methods is that in many cases th...

113 citations: A partial approach to model checking
- Godefroid, Wolper
- 1994

Citation context: ...er reduction methods have proved adequate for verifying local and termination properties of concurrent programs [3, 4, 11, 25] and, moreover, for verifying linear-time temporal logic (LTL) properties [5, 8, 20, 21, 26]. The latter is usually referred to as LTL model-checking and captures arbitrary safety and liveness properties of concurrent programs [28]. Experiments have indicated that in many cases partial-order...

73 citations: Reasoning about infinite computation paths
- Wolper, Vardi, et al.
- 1983

Citation context: ...ng linear-time temporal logic (LTL) properties [5, 8, 20, 21, 26]. The latter is usually referred to as LTL model-checking and captures arbitrary safety and liveness properties of concurrent programs [28]. Experiments have indicated that in many cases partial-order methods can substantially reduce the space and time needed for verification. Also, these methods have been shown to combine well with veri...

70 citations: On nested depth first search
- Holzmann, Peled, et al.
- 1996

Citation context: ...e cycles, but using a slight modification of the nested DFS algorithm in [2]. The modification increases time efficiency and is further needed to ensure compatibility with the partial-order reduction [9], i.e. to guarantee that the algorithm indeed finds an acceptance cycle if there exists one in G ⊗ B_φ (this was not yet recognized in [8, 21], but the authors proposed the correction in [9]). The calcu...

51 citations: On-the-fly verification with stubborn sets
- Valmari
- 1993

Citation context: ...thm used in [17] searches for connected components in an undirected graph whose nodes and edges correspond to program operations and dependencies between these operations, respectively, similar as in [27]. In contrast, the generation of ample sets involves only local computations [21] allowing a simpler algorithm for constructing ample sets and thus leap sets. Other advantages of our approach stem fro...

32 citations: Verification of distributed programs using representative interleaving sequences
- Katz, Peled
- 1992

Citation context: ... in space and time for verifying concurrent programs. Keywords Concurrency, program correctness, model-checking, partial-order reduction, temporal logic 1 Introduction Partial-order reduction methods [3-5, 8, 11, 20, 21, 25-27] form a collection of state exploration techniques set to relieve the state-explosion problem in concurrent program verification. The main observation underlying these methods is that in many cases th...

26 citations: Protocol validation by fair progress state exploration
- Gouda, J
- 1985

21 citations: An improved protocol validation technique
- Rubin, West
- 1982

Citation context: ...he way fairness is treated, and the low overhead and high overall performance of its implementation [8, 21]. The idea of executing sets of concurrent operations was first introduced by Rubin and West [22] for a protocol model, known as the CFSM model, in which processes communicate asynchronously over FIFO queues. They proposed a reduced reachability analysis technique for verifying the absence of dea...

18 citations: A calculus for protocol specification and validation
- Aggarwal, Kurshan
- 1983

Citation context: ...r altogether by executing leap sets that mimic a truly concurrent execution of these operations. The idea of collectively executing concurrent operations has been used earlier in certain models (e.g. [22, 10, 1, 6, 19, 14, 15, 24]) to reduce the state space for verifying general progress properties of communication protocols. Although the partial-order reduction method in [8, 21] and the proposed enhancement cannot be strictly...

17 citations: Protocol validation by simultaneous reachability analysis
- Özdemir, Ural
- 1997

Citation context: ...me model to verify protocols with an arbitrary number of processes and arbitrary communication topology, but with restricted process structures. The idea was ultimately generalized by Özdemir and Ural [18, 19] to protocols in the CFSM model with no structural constraints at all. The proposed reduction technique is called simultaneous reachability analysis and can be used to verify the absence of deadlocks,...

16 citations: Generalized fair reachability analysis for cyclic protocols: decidability for logical correctness problems
- Liu
- 1994

Citation context: ...ses. This technique has evolved under the name fair reachability analysis for the verification of two additional properties, viz. the absence of non-executable transitions and unbounded communication [6, 14], and for protocols with more processes in a restricted communication topology [14, 15]. Itoh and Ichikawa [10] similarly employed the execution of sets of concurrent operations in the same model to v...

8 citations: Deadlock detection in CFSM models via simultaneously executable sets
- Özdemir, Ural
- 1994

Citation context: ...me model to verify protocols with an arbitrary number of processes and arbitrary communication topology, but with restricted process structures. The idea was ultimately generalized by Özdemir and Ural [18, 19] to protocols in the CFSM model with no structural constraints at all. The proposed reduction technique is called simultaneous reachability analysis and can be used to verify the absence of deadlocks,...

5 citations: Protocol verification using reduced reachability analysis
- Itoh, Ichikawa
- 1983

Citation context: ...roperties, viz. the absence of non-executable transitions and unbounded communication [6, 14], and for protocols with more processes in a restricted communication topology [14, 15]. Itoh and Ichikawa [10] similarly employed the execution of sets of concurrent operations in the same model to verify protocols with an arbitrary number of processes and arbitrary communication topology, but with restricted...

4 citations: Deadlock detection by fair reachability analysis: from cyclic to multi-cyclic protocols (and beyond
- Liu, Miller, et al.
- 1996

Citation context: ...fication of two additional properties, viz. the absence of non-executable transitions and unbounded communication [6, 14], and for protocols with more processes in a restricted communication topology [14, 15]. Itoh and Ichikawa [10] similarly employed the execution of sets of concurrent operations in the same model to verify protocols with an arbitrary number of processes and arbitrary communication topol...

4 citations: On improving simultaneous reachability analysis for the efficient verification of deadlock-freedom
- Schoot, Ural
- 1995

Citation context: ...ns, unspecified receptions and buffer overflows. An improvement of this technique has already followed as well to further reduce the space and time requirements for verifying the same four properties [23, 24]. Özdemir [17] also adapted simultaneous reachability analysis for verifying (on-the-fly) arbitrary safety properties of concurrent programs in which processes synchronize on common actions (i.e. opera...

3 citations: Verifying the safety properties of concurrent systems via simultaneous reachability
- Özdemir
- 1995

Citation context: ...eceptions and buffer overflows. An improvement of this technique has already followed as well to further reduce the space and time requirements for verifying the same four properties [23, 24]. Özdemir [17] also adapted simultaneous reachability analysis for verifying (on-the-fly) arbitrary safety properties of concurrent programs in which processes synchronize on common actions (i.e. operations with th...

2 citations: A uniform approach to tackle state explosion in verifying progress properties for networks of CFSMs
- Schoot, Ural
- 1996

Citation context: ...ns, unspecified receptions and buffer overflows. An improvement of this technique has already followed as well to further reduce the space and time requirements for verifying the same four properties [23, 24]. Özdemir [17] also adapted simultaneous reachability analysis for verifying (on-the-fly) arbitrary safety properties of concurrent programs in which processes synchronize on common actions (i.e. opera...

1 citation: Verifying the safety properties of concurrent systems via simultaneous reachability
- Özdemir
- 1995

Citation context: ...ceptions and buffer overflows. An improvement of this technique has already followed as well to further reduce the space and time requirements for verifying the same four properties [22, 23]. Özdemir [16] also adapted simultaneous reachability analysis for verifying (on-the-fly) arbitrary safety properties of concurrent programs in which processes synchronize on common actions (i.e. operations with th...