## A note on on-the-fly verification algorithms (2005)

Venue: In Proc. of TACAS’05, LNCS

Citations: 25 - 2 self

### BibTeX

```bibtex
@INPROCEEDINGS{Schwoon05anote,
  author    = {Stefan Schwoon},
  title     = {A note on on-the-fly verification algorithms},
  booktitle = {In Proc. of TACAS’05, LNCS},
  year      = {2005},
  pages     = {174--190},
  publisher = {Springer-Verlag}
}
```

### Abstract

The automata-theoretic approach to verification of LTL relies on an algorithm for finding accepting cycles in the product of the system and a Büchi automaton for the negation of the formula. Explicit-state model checkers typically construct the product space "on the fly" and explore the states using depth-first search. We survey algorithms proposed for this purpose and propose two improved algorithms, one based on nested DFS, the other on strongly connected components. We compare these algorithms both theoretically and experimentally and determine cases where both algorithms can be useful.

1 Introduction

The model-checking problem for finite-state systems and linear-time temporal logic (LTL) is usually reduced to checking the emptiness of a Büchi automaton, i.e. the product of the system and an automaton for the negated formula [23]. Various strategies exist for reducing the size of the automaton. For instance, symbolic model checking employs data structures to compactly represent large sets of states. This strategy combines well with breadth-first search, leading to solutions whose worst-case time is essentially O(n^2) or O(n log n), if n is the size of the product. A survey of symbolic emptiness algorithms can be found in [8]. Explicit-state model checkers, on the other hand, construct the product automaton 'on the fly', i.e. while searching the automaton. Thus, the model checker may be able to find a counterexample without ever constructing the complete state space. On-the-fly verification can be combined with partial order methods [18, 15] to reduce the effect of state explosion.

### Citations

2601 | Model Checking
- Clarke, Grumberg, et al.
- 2000
Citation Context: ...emains linear in the size of B, and the memory savings can be significant (see Section 7). In the model-checking world, SCC decomposition is used in CTL for computing the semantics of the EG operator [4] or for adding fairness constraints [3]. Therefore, this algorithm can benefit explicit-state CTL model checkers. 5 Nested DFS vs SCC-based algorithms In Sections 3 and 4 we have shown that the new Ne...

1237 | Automatic verification of finite-state concurrent systems using temporal logic specifications
- Clarke, Emerson, et al.
- 1986
Citation Context: ... state on the call stack (e.g., its root). (2) Therefore, if t is in Current when the DFS at state s detects a transition to t, t has a path to its root, from there to s, so both are in the same SCC. (3) Roots have the lowest DFS number within their SCC and are the only states whose DFS number equals their lowlink number. (4) A root r is the first state of its SCC to be added to Current. At the time ...

1062 | Depth-first search and linear graph algorithms
- Tarjan
- 1972
Citation Context: ...rongly connected component (SCC) that is reachable from the initial state and contains at least one accepting state and at least one transition. SCCs can be identified using, e.g., Tarjan’s algorithm [21]. Tarjan’s algorithm can easily accommodate generalised Büchi automata, but uses much more memory than Nested DFS. Couvreur [6] and Geldenhuys and Valmari [11] have proposed modifications of Tarjan’s a...

496 | The SPIN model checker: Primer and reference manual
- Holzmann
- 2004
Citation Context: ... checks for cycles around accepting states. Holzmann et al.’s modification of this algorithm [15] is widely regarded as the state-of-the-art algorithm for on-the-fly model checking and is used in Spin [14]. The advantage of this algorithm is its memory efficiency. On the downside, it tends to produce rather long counterexamples. Recently, Gastin et al. [10] proposed two modifications to [5]: one to find...

283 | Simple on-the-fly Automatic Verification of Linear Temporal Logic
- Gerth, Peled, et al.
- 1995
Citation Context: ...a set of acceptance sets A ⊆ 2^S. Here, a cycle is accepting if it intersects all sets A ∈ A. Generalised Büchi automata arise naturally during the translation of LTL into Büchi automata (see, e.g., [12, 6]). Moreover, fairness constraints of the form G F p can be efficiently encoded with acceptance sets. Generalised Büchi automata can be translated into (normal) Büchi automata, but checking them direct...

207 | Automata-theoretic techniques for modal logics of programs
- Vardi, Wolper
- 1986
Citation Context: ...or finite-state systems and linear-time temporal logic (LTL) is usually reduced to checking the emptiness of a Büchi automaton, i.e. the product of the system and an automaton for the negated formula [23]. Various strategies exist for reducing the size of the automaton. For instance, symbolic model checking employs data structures to compactly represent large sets of states. This strategy combines wel...

194 | Combining partial order reductions with on-the-fly model-checking
- Peled
- 1994
Citation Context: ...hing the automaton. Thus, the model checker may be able to find a counterexample without ever constructing the complete state space. On-the-fly verification can be combined with partial order methods [18, 15] to reduce the effect of state explosion. The best known on-the-fly algorithms use depth-first-search (DFS) strategies to explore the state space; their running time is linear in the size of the produ...

110 | Efficient Büchi automata from LTL formulae
- Somenzi, Bloem
- 2000
Citation Context: ...e formulas in a well-known specification patterns database lead to weak automata, and propose a method that generates weak automata for a suitably restricted subset of LTL formulas. Somenzi and Bloem [20] propose an algorithm for unrestricted formulas that attempts to produce automata that are ‘as weak as possible’. For terminal automata, [2] proposes to use simple reachability checks. For correctness...

83 | An Analysis of Bitstate Hashing
- Holzmann
- 1998
Citation Context: ...e more significant: the nested algorithm needs only two bits, the SCC algorithm needs an integer. Nested DFS therefore remains the best alternative for combination with the bitstate hashing technique [13], which allows one to analyse very large systems while potentially missing parts of the state space. If traditional, lossless hashing techniques are used, the picture is different: State descriptors even ...

77 | Directed explicit-state model checking in the validation of communication protocols
- Edelkamp, Leue, et al.
- 2003
Citation Context: ...ks. For correctness, this requires the assumption that every state has a successor. For unrestricted automata, the new nested-DFS algorithm can be combined with the changes proposed by Edelkamp et al. [7], which further exploit structural properties of the system and allow the approach to be combined with guided search. 5.2 Handling Generalised Büchi automata The accepting cycle problem can also be posed ...

75 | Memory-efficient algorithms for the verification of temporal properties
- Courcoubetis, Vardi, et al.
- 1992
Citation Context: ...e size of the product automaton (i.e. the number of states plus the number of transitions). These algorithms can be partitioned into two classes: Nested DFS, originally proposed by Courcoubetis et al. [5], conducts a first search to find and sort the accepting states. A second search, interleaved with the first, checks for cycles around accepting states. Holzmann et al.’s modification of this algorithm...

71 | On nested depth-first search
- Holzmann, Peled, et al.
- 1996
Citation Context: ...hing the automaton. Thus, the model checker may be able to find a counterexample without ever constructing the complete state space. On-the-fly verification can be combined with partial order methods [18, 15] to reduce the effect of state explosion. The best known on-the-fly algorithms use depth-first-search (DFS) strategies to explore the state space; their running time is linear in the size of the produ...

43 | Freedom, weakness, and determinism: From linear-time to branching-time - Kupferman, Vardi - 1998

41 | Efficient decision procedures for model checking of linear time logic properties - Bloem, Ravi, et al. - 1999

40 | A strong-connectivity algorithm and its application in data flow analysis - Sharir - 1981

30 | Is there a best symbolic cycle-detection algorithm
- Fisler, Fraer, et al.
- 2001
Citation Context: ... with breadth-first search, leading to solutions whose worst-case time is essentially O(n^2) or O(n log n), if n is the size of the product. A survey of symbolic emptiness algorithms can be found in [8]. Explicit-state model checkers, on the other hand, construct the product automaton ‘on the fly’, i.e. while searching the automaton. Thus, the model checker may be able to find a counterexample witho...

30 | Path-based depth-first search for strong and biconnected components
- Gabow
- 2000
Citation Context: ...ocedure. To the best of our knowledge, this algorithm is superior to previously known algorithms for identifying SCCs: The advantages over Tarjan’s algorithm [21] have already been pointed out; Gabow [9] avoids computing lowlink numbers, but still uses the stack representation of Current. Nuutila and Soisalon-Soininen [17] reduce stack usage in special cases only, and still use lowlink numbers. Shari...

26 | On finding the strongly connected components in a directed graph, Information Processing Letters
- Nuutila, Soisalon-Soininen
- 1994
Citation Context: ...he advantages over Tarjan’s algorithm [21] have already been pointed out; Gabow [9] avoids computing lowlink numbers, but still uses the stack representation of Current. Nuutila and Soisalon-Soininen [17] reduce stack usage in special cases only, and still use lowlink numbers. Sharir’s algorithm [19] has none of these drawbacks, but requires reversed edges. Surprisingly, the issue of detecting SCCs wa...

21 | On-the-fly verification of linear temporal logic
- Couvreur
- 1999
Citation Context: ...nd with less runtime overhead. 5.3 Summary The question of optimised algorithms for specialised classes of Büchi automata has been addressed before in [2], as pointed out in Subsection 5.1. Likewise, [6] and [11] previously raised the point that SCC-based algorithms may be faster than nested DFS, but without addressing the issue of when this was the case. Our results show that these issues are relate...

12 | Minimization of counterexamples in SPIN
- Gastin, Moro, et al.
- 2004
Citation Context: ... on-the-fly model checking and is used in Spin [14]. The advantage of this algorithm is its memory efficiency. On the downside, it tends to produce rather long counterexamples. Recently, Gastin et al. [10] proposed two modifications to [5]: one to find counterexamples faster, and another to find the minimal counterexample. Another problem with Nested DFS is that its extension to generalised Büchi autom...

9 | Tarjan’s algorithm makes on-the-fly LTL verification more efficient - Geldenhuys, Valmari - 2004

5 | Nested emptiness search for generalized Büchi automata
- Tauriainen
- 2005
Citation Context: ...utions proposed for this method: Let n be the number of acceptance sets in A. For nested DFS, Courcoubetis et al. [5] proposed a method with at worst 2n traversals of each state. Tauriainen’s solution [22] reduces the number of traversals to n + 1. Couvreur’s algorithm [6] works directly on generalised automata; the number of traversals is at most 2, independently of n. This is accomplished by implemen...

3 | Relating hierarchy of linear temporal properties to model checking
- Černá, Pelánek
Citation Context: ...m in each class, we discuss their relative advantages for specialised classes of automata. It is known that model checking can be done more efficiently for automata with certain structural properties [2]. Our observations sharpen the results from [2] and provide a guideline on which algorithms should be used in which case. – We suggest a modification to the way partial-order reduction can be combined...