Finite state models of concurrent systems grow exponentially as the number of components of the system increases. This is known widely as the state explosion problem in automatic verification, and has limited finite state verification methods to small systems. To avoid this problem, a method called symbolic model checking is proposed and studied. This method avoids building a state graph by using Boolean formulas to represent sets and relations. A variety of properties characterized by least and greatest fixed points can be verified purely by manipulations of these formulas using Ordered Binary Decision Diagrams (OBDDs).
Theoretically, a structural class of sequential circuits is demonstrated whose transition relations can be represented by polynomial-space OBDDs, though the number of states is exponential. This result is borne out by experimental results on example circuits and systems. The most complex of these is the cache consistency protocol of a commercial distributed multiprocessor. The symbolic model checking technique revealed subtle errors in this protocol, resulting from complex execution sequences that would occur with very low probability in random simulation runs.
In order to model the cache protocol, a language was developed for describing sequential circuits and protocols at various levels of abstraction. This language has a synchronous dataflow semantics, but allows nondeterminism and supports interleaving processes with shared variables. A system called SMV can automatically verify programs in this language with respect to temporal logic formulas, using the symbolic model checking technique.
A technique for proving properties of inductively generated classes of finite state systems is also developed. The proof is checked automatically, but requires a user-supplied process called a process invariant to act as an inductive hypothesis. An invariant is developed for the distributed cache protocol, allowing properties of systems with an arbitrary number of processors to be proved.
Finally, an alternative method is developed for avoiding the state explosion in the case of asynchronous control circuits. This technique is based on the unfolding of Petri nets, and is used to check for hazards in a distributed mutual exclusion circuit.
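The least-fixed-point reachability check that the abstract describes, worked on a small protocol. This is an added example, not code from the thesis or from SMV: it assumes a constructed n-cache invalidation protocol (states Invalid/Shared/Modified), uses Python sets in place of OBDD-encoded characteristic functions, and adds a constructed lost-invalidate defect to show how exhaustive fixed-point search surfaces an error execution that random simulation would rarely hit.

```python
# Added example (not McMillan's or SMV's code): toy invalidation-based cache
# protocol, n caches each Invalid/Shared/Modified; Python sets stand in for
# the OBDD characteristic functions, the fixed-point iteration is the same.
I, S, M = "I", "S", "M"

def post(state, buggy=False):
    """Yield every successor of one global state under the protocol rules."""
    n = len(state)
    for i in range(n):
        # read miss by cache i: i becomes Shared, a Modified owner is downgraded
        succ = [S if j == i or c == M else c for j, c in enumerate(state)]
        yield tuple(succ)
        # write by cache i: i becomes Modified, every other copy is invalidated
        clean = [M if j == i else I for j in range(n)]
        if buggy:  # constructed defect: the invalidate is lost for Shared copies
            clean = [S if j != i and c == S else clean[j] for j, c in enumerate(state)]
        yield tuple(clean)
        # eviction: cache i drops its line
        yield tuple(I if j == i else c for j, c in enumerate(state))

def coherent(state):
    """Safety property: at most one Modified copy and never beside a Shared."""
    return state.count(M) <= 1 and not (M in state and S in state)

def reachable(init, buggy=False):
    """Least fixed point of reach = init OR post(reach), recording a parent
    per state so that a counterexample execution can be rebuilt."""
    parent = {init: None}
    frontier = {init}
    while frontier:  # stop when an iteration adds no new states
        fresh = set()
        for s in frontier:
            for t in post(s, buggy):
                if t not in parent:
                    parent[t] = s
                    fresh.add(t)
        frontier = fresh
    return parent

def check(n, buggy=False):
    """None if all reachable states are coherent, else a shortest violating
    execution as a list of states starting from all-Invalid."""
    parent = reachable((I,) * n, buggy)
    for s in parent:  # dict order is breadth-first, so the first hit is shortest
        if not coherent(s):
            trace = []
            while s is not None:
                trace.append(s)
                s = parent[s]
            return trace[::-1]
    return None
```

For the correct protocol the fixed point contains only coherent states (2^n Shared/Invalid combinations plus n single-Modified states); with the defect, `check(2, buggy=True)` returns a three-state execution ending in a Modified line beside a stale Shared copy.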
Index Terms
- Symbolic model checking: an approach to the state explosion problem