## Memory Efficient State Storage in SPIN (1996)

Venue: In Proceedings of the 2nd SPIN Workshop

Citations: 12 (0 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Visser96memoryefficient,
  author    = {Willem Visser},
  title     = {Memory Efficient State Storage in SPIN},
  booktitle = {In Proceedings of the 2nd SPIN Workshop},
  year      = {1996},
  pages     = {21--35}
}
```

### Abstract

The use of an Ordered Binary Decision Diagram (OBDD) to store all visited states during on-the-fly model checking (or reachability analysis) is investigated. To improve time and space efficiency, a state compression technique is introduced. This compression technique is safe, in the sense that no two distinct states will have the same compressed representation. A number of examples are used to evaluate an experimental implementation of the OBDD state store within the SPIN validation tool. In all the examples a reduction in space is achieved when using the OBDD state store as opposed to the more traditional hash table state store. The memory and time usage when combining partial orders with the OBDD state store is also considered.

1 Introduction

Temporal logics can express changes over time without introducing time explicitly and are therefore suitable for specifying many correctness properties of concurrent systems. Since many interesting programs can be modelled as finite-state system...

### Citations

2921 | Graph-based algorithms for Boolean function manipulation
- Bryant
- 1986
- Citation context: ...symbolic model checking [16]. In symbolic model checking the transition relation is no longer represented explicitly, but rather implicitly by encoding it with ordered binary decision diagrams (OBDDs) [4]. The temporal logic formula to be checked is translated into its fixed point representation. The model checking algorithm proceeds by calculating these fixed points by performing operations on the OB...

1294 | Symbolic Model Checking
- McMillan
- 1993
- Citation context: ...plored during state generation [20, 11, 17, 15]. Arguably the biggest advancement in reducing the limitations imposed by the state explosion problem was made with the advent of symbolic model checking [16]. In symbolic model checking the transition relation is no longer represented explicitly, but rather implicitly by encoding it with ordered binary decision diagrams (OBDDs) [4]. The temporal logic for...

1175 | Automatic verification of finite-state concurrent systems using temporal logic specifications
- Emerson, Sistla
- 1986
- Citation context: ...he Kripke structure satisfies (is a model of) the temporal formula specifying the required behaviour. Surveys of model checking techniques can be found in [23] and [5]. Early model checking algorithms [7] required the complete state graph be generated before-hand and kept in memory throughout the model checking process. Due to the so-called state explosion problem (the number of reachable states grow ...

873 | Symbolic Boolean Manipulation with Ordered Binary-Decision Diagrams
- Bryant
- 1992
- Citation context: ...rdering of the boolean variables within it. An even bigger disadvantage of OBDDs is that certain boolean functions will always have an exponentially sized OBDD regardless of the variable ordering used [3]. Integer multiplication is an example of such a function. The size of the OBDD representing the transition relation can therefore cause the symbolic model checking to become impractical. In this pape...

766 | Design and validation of computer protocols
- Holzmann
- 1991
- Citation context: ...ion 2 will introduce the basic on-the-fly algorithm used during state generation. The next two sections will be devoted to explaining our use of OBDDs (section 3) and how it is combined with the SPIN [13] on-the-fly validation system (section 4). In section 5 a novel way of state compression will be introduced to allow more efficient OBDD representations. In sections 5.2 and 6, the results achieved by...

583 | An automata-theoretic approach to automatic program verification
- Vardi, Wolper
- 1986
- Citation context: ...required to validate (or invalidate) the given temporal logic requirement. This technique is commonly referred to as on-the-fly model checking, since the state graph is generated during model checking [21, 1]. On-the-fly algorithms generate the state space in a depth-first manner and keep track of all reached states to avoid doing unnecessary work. The boundaries of on-the-fly techniques were advanced co...

299 | An automata-theoretic approach to branching-time model checking
- Bernholtz, Vardi, et al.
- 1994
- Citation context: ...required to validate (or invalidate) the given temporal logic requirement. This technique is commonly referred to as on-the-fly model checking, since the state graph is generated during model checking [21, 1]. On-the-fly algorithms generate the state space in a depth-first manner and keep track of all reached states to avoid doing unnecessary work. The boundaries of on-the-fly techniques were advanced co...

270 | Automatic Verification of Finite State Concurrent Systems Using Temporal Logic
- Clarke, Emerson, et al.
- 1986
- Citation context: ...Since many interesting programs can be modelled as finite-state systems, it was a significant development when algorithmic methods were discovered to verify temporal properties of finite-state systems [6]. Since that time a variety of concurrent systems have been modelled and automatically verified in this fashion; these include communication protocols, hardware designs and operating system kernels. ...

264 | A stubborn attack on state explosion
- Valmari
- 1990
- Citation context: ...itions in different concurrent components. Partial order reduction techniques were therefore introduced to ensure that many of these unnecessary interleavings are not explored during state generation [20, 11, 17, 15]. Arguably the biggest advancement in reducing the limitations imposed by the state explosion problem was made with the advent of symbolic model checking [16]. In symbolic model checking the transition...

189 | Combining partial order reductions with on-the-fly model checking
- Peled
- 1996
- Citation context: ...itions in different concurrent components. Partial order reduction techniques were therefore introduced to ensure that many of these unnecessary interleavings are not explored during state generation [20, 11, 17, 15]. Arguably the biggest advancement in reducing the limitations imposed by the state explosion problem was made with the advent of symbolic model checking [16]. In symbolic model checking the transition...

160 | Using partial orders for the efficient verification of deadlock freedom and safety properties, CAV '91
- Godefroid, Wolper
- 1992
- Citation context: ...itions in different concurrent components. Partial order reduction techniques were therefore introduced to ensure that many of these unnecessary interleavings are not explored during state generation [20, 11, 17, 15]. Arguably the biggest advancement in reducing the limitations imposed by the state explosion problem was made with the advent of symbolic model checking [16]. In symbolic model checking the transition...

117 | Verification tools for finite-state concurrent systems
- Clarke, Grumberg, et al.
- Citation context: ...cker is then used to check whether the Kripke structure satisfies (is a model of) the temporal formula specifying the required behaviour. Surveys of model checking techniques can be found in [23] and [5]. Early model checking algorithms [7] required the complete state graph be generated before-hand and kept in memory throughout the model checking process. Due to the so-called state explosion problem (...

82 | An analysis of bitstate hashing
- Holzmann
- 1998
- Citation context: ...asing the number of hashing functions used or using more than one bit to hash into (hashcompact [24]). A summary of bitstate hashing as well as comparisons with the hashcompact method can be found in [14]. In the next section we will introduce OBDDs as a possible alternative to the above mentioned representations of VisitedStates. After implementing the OBDD to record visited states in the SPIN valida...

63 | Reliable hashing without collision detection
- Wolper, Leroy
- 1993
- Citation context: ...Depth-first State Generation during Model Checking. the stack and previous state on the stack becomes the current state. The representation of the set VisitedStates has been the focus of much research [12, 10, 24]. This is not surprising since this is the part of on-the-fly model checking that will determine its tractability when checking large designs. The most commonly used method is to represent the set as ...

55 | AMULET1: A micropipelined ARM
- Furber, Day, et al.
- 1993
- Citation context: ...56929 pftp 48 600 ?36 ?10 6 ?60000 928 439895 Table 1: Comparison between an OBDD and a (hash) table for storing visited states in SPIN. Interface is a model of part of an asynchronous microprocessor [9]. The comparison is done on the memory used in megabytes and the time taken in seconds for the two methods. The number of nodes in the largest OBDD required, the number of bits in the state vector a...

52 | An improved protocol reachability analysis technique
- Holzmann
- 1988
- Citation context: ...Depth-first State Generation during Model Checking. the stack and previous state on the stack becomes the current state. The representation of the set VisitedStates has been the focus of much research [12, 10, 24]. This is not surprising since this is the part of on-the-fly model checking that will determine its tractability when checking large designs. The most commonly used method is to represent the set as ...

50 | Efficient on-the-fly model checking for CTL
- Bhat, Cleaveland, et al.
- 1995
- Citation context: ...ciently model checked by only generating relevant parts of a state graph [21], it has only comparatively recently been shown that the same is true of the branching time temporal logics CTL and CTL* [1, 2]. Here we will only concentrate on efficient state storage during on-the-fly model checking and therefore not be concerned about the temporal logic being used. In Figure 1 the standard depth-first sea...

38 | State Space Caching Revisited
- Godefroid, Holzmann, et al.
- Citation context: ...Depth-first State Generation during Model Checking. the stack and previous state on the stack becomes the current state. The representation of the set VisitedStates has been the focus of much research [12, 10, 24]. This is not surprising since this is the part of on-the-fly model checking that will determine its tractability when checking large designs. The most commonly used method is to represent the set as ...

16 | Automatic Verification of Finite-State Concurrent Systems using Temporal Logic Specifications - Clarke, Emerson, et al. - 1986

10 | Efficient on-the-fly model checking for CTL - Bhat, Cleaveland, et al. - 1995

9 | An improvement in formal verification
- Holzmann, Peled
- 1994

9 | State space compression in Spin with GETSs - Grégoire - 1996

9 | Design and Validation of Computer Protocols. Prentice-Hall, Englewood Cliffs - Holzmann - 1991

7 | Verification tools for finite-state concurrent systems - Clarke, Grumberg, et al. - 1994

6 | Automatic Verification of Finite State Concurrent Systems Using Temporal Logic Specifications: A Practical Approach - Clarke, Emerson, et al. - 1983

5 | A Reusable Kernel for the Development of Control Software
- Fouché, Villiers
- 1991
- Citation context: ...is a protocol model and snoopy a cache coherence model that are both available with the SPIN system. Scheduler is a model of a process scheduler that forms part of a commercially available micro-kernel [8] and Address 1 If $n$ is the number of variables in a boolean function then there are $3 \cdot 2^{n/2} - 2$ nodes when $n$ is even and $2 \cdot (2^{\lceil n/2 \rceil} - 1)$ nodes if $n$ is odd in the largest possible OBDD for ...

5 | Toupie = μ-calculus + constraints
- Rauzy
- 1995
- Citation context: ...OBDD functions used and experimenting with heuristics for finding better variable orderings will be the focus of future work. Another future extension is to use ordered n-ary decision diagrams (ONDDs) [18] instead of OBDDs. The main difference between ONDDs and OBDDs is that an ONDD node is n-ary, where n is the cardinality of the domain of the variable it is labelled with. Every node in an ONDD can th...

3 | Improved probabilistic verification by hash compaction
- Stern, Dill
- 1995
- Citation context: ...interleave" all their possible values. Finding ways of reducing the state vector size, without losing information, would therefore seem a worthwhile pursuit. Strangely, however, probabilistic methods [14, 24, 19] are attracting more attention than safe reduction methods [22] in the research community. Probabilistic methods allow the state vector to be compressed in such a fashion that different states might ha...

3 | A Run-Time Environment for a Validation Language
- Visser
- 1993
- Citation context: ... conflicts, this method is not very efficient when a large number of states must be stored. An optimisation on this method was to allow table entries to be over-written when the table became too full [11, 22]. The intuition was that the chance of a state being revisited after it was over-written would be small in practice. However, empirical results showed in many cases as soon as the table entries were o...

2 | On the relation of programs and computations to models of temporal logic
- Wolper
- 1987
- Citation context: ...model checker is then used to check whether the Kripke structure satisfies (is a model of) the temporal formula specifying the required behaviour. Surveys of model checking techniques can be found in [23] and [5]. Early model checking algorithms [7] required the complete state graph be generated before-hand and kept in memory throughout the model checking process. Due to the so-called state explosion p...

2 | An improvement in formal verification - Holzmann, Peled - 1994

1 | A Reusable Kernel for the Development of Control Software - Fouché, Villiers - 1991

1 | Using Partial Orders for the Efficient Verification - Godefroid, Wolper - 1993

1 | Improved probabilistic verification by hash compaction - Stern, Dill - 1995

1 | A Run-Time Environment for a Validation Language - Visser - 1993