1

Using Decision Diagrams to Compactly Representthe State Space for Explicit Model Checking

Hao Zheng, Andrew Price, and Chris Myers

Abstract— The enormous number of states reachable duringexplicit model checking is the main bottleneck for scalability.This paper presents approaches of using decision diagrams torepresent very large state space compactly and efficiently. This ispossible for asynchronous systems as two system states connectedby a transition often share many same local portions. Usingdecision diagrams can significantly reduce memory demand bynot using memory to store the redundant information amongdifferent states. This paper considers multi-value decision di-agrams for this purpose. Additionally, a technique to reducethe runtime overhead of using these diagrams is also described.Experimental results and comparison with the state compressionmethod as implemented in the model checker SPIN show thatthe approaches presented in this paper are memory efficient forstoring large state space with acceptable runtime overhead.

Index Terms— formal verification, model checking, decisiondiagrams, state compression

I. INTRODUCTION

Model checking [7] is an automated formal analysis methodfor verifying hardware and software systems. It systematicallychecks whether a model of a given system satisfies a desiredproperty such as deadlock freedom and request-response prop-erties [5]. However, model checking is computationally veryexpensive as it searches the entire reachable state space of adesign for errors. Typically, all reachable states found duringreachability analysis need to be stored to avoid searchingthe same part of state space multiple times unnecessarily.As the number of states grows exponentially in the sizeof designs under verification, physical memory installed ontypical computers can be exhausted quickly, therefore limitingmodel checking to the designs of small sizes. This problem iswell known as state explosion.

In asynchronous designs, multiple components execute con-currently. When verifying asynchronous designs, generallyinterleaving semantics are used to represent the behavior ofsuch designs. More specifically, when multiple componentsare ready to execute in a state, only one component is selected.This interleaved execution makes sure all possible orderings ofconcurrently enabled executions are considered, thus capturingall possible behavior for verification. The need to considerall possible interleavings of concurrent executions is the main

This material is based upon work supported by the National ScienceFoundation under Grant No. 0546492 and 0930510. Any opinions, findings,and conclusions or recommendations expressed in this material are those ofthe author(s) and do not necessarily reflect the views of the National ScienceFoundation.

Hao Zheng and Andrew Price are with the Dept. of Computer Science andEngineering at the University of South Florida, Tampa, FL. Chris Myers iswith the Dept. of Electrical and Computer Engineering at the University ofUtah, SLC, UT.

cause of state explosion in asynchronous design verification asthe number of interleavings grows exponentially if a design hasa high degree of concurrency, and this leads to an excessivelylarge state space for even a relatively small system.

In the interleaved execution as described above, only onecomponent executes and updates the relative portion of astate, and the remaining portions of the state are unchanged.Therefore, storing the entire states results in unnecessaryoverhead. In model checker SPIN [10], a state compressionmethod is described where the independent parts of the designstates are considered when representing states. Independentparts refer to variables including global and local variablesbelonging to different processes. An unique copy is createdfor each different independent part, and the references to thecopies of independent parts are used to construct the states.

While the above compression method reduces memorysignificantly in representing states, there are still a lot ofredundancies in the state representations. As pointed out inthe previous paragraphs, a global state of a design is in fact atuple of pointers to the local states. Two states connected by astate transition may still share a large number of same pointersin their representations as a state transition typically causesonly a few local changes. Therefore, reducing the redundancyin the state representations further can improve the scalabilityeven more. This paper proposes to use the multi-value decisiondiagrams to represent the reachable states for explicit modelchecking of asynchronous systems. The multi-value decisiondiagrams, similar to the well-known binary decision diagrams(BDD) [3], uses directed acyclic graphs to sets of objectsencoded by typed variables. The compactness of the decisiondiagram representations is due to sharing of common portionsof a large number of different objects.

BDDs are widely used in symbolic model checking [4]where the model checking algorithms and the state represen-tations are both based on the Boolean operations. However, inthe explicit model checking, individual states are created andmanipulated. Adding individual states into a decision diagramrepresentation can incur high runtime overhead, and this wouldcancel largely the benefit of compact memory footprint ofthe decision diagrams. To address this problem, this paperalso proposes to use multi-value decision trees along with thedecision diagrams. Adding states into a decision tree is muchfaster, but it requires more memory than a decision diagram.In this method, a decision tree is used as a buffer where itstores the reachable states until some threshold is exceeded.Then, the decision tree is compressed, and merged with thedecision diagram representing the whole reachable state space.This approach can significantly reduce the runtime overhead

associated with using the decision diagrams, even though itmay increase the average memory required compared to usingthe decision diagrams solely.

In this paper, the multi-value decision diagrams are onlyused to store the states found during the depth-first search thatare generally implemented for the explicit model checking ofasynchronous systems. The algorithms themselves remain thesame. Therefore, the previous results to improve scalabilitysuch as partial order reduction [8], [9] can still be used.

II. BACKGROUND

A. Labeled Petri-Nets

This paper uses Labeled Petri-Nets to model asynchronoussystems. Petri-Nets are a common modeling formalism forasynchronous designs [12], [1]. A Petri-net is a directed graphwith a set of transitions and a set of places. A labeled Petri-Net is a Petri-net where transitions are labeled with variousinformation representing a system’s properties and behavior[15]. Its definition is given as follows.

Definition 2.1: A labeled Petri-net (LPN) is a tuple N =〈V, P, T, F,M0, init, L〉,where

1) V is a set of state variables of the integer type,2) P is a finite set of places,3) T is a finite set of transitions,4) F ⊆ (P × T ) ∪ (T × P ) is a finite set of the flow

relations,5) µ0 ⊆ P is a finite set of initially marked places,6) α0 : V → Z is a labeling function that assigns each

variable an initial value,7) L = 〈Guard,Assign〉 is a pair of labeling functions

for transitions in T , which is defined below.A simple LPN example is shown in Fig 1. Fig.1(a) shows

a simple asynchronous circuit consisting of three components,and Fig. 1(b) shows the LPNs for each component in thecircuit. For each component, its LPN has 2 places and 4 transi-tions. The places are represented as circles, and the transitionsare represented as boxes. Each place is preceded and followedby one or more transitions, and each transition is precededand followed by one or more places. The flow relations arerepresented by the edges connecting the transitions and places[1]. The bullets found in some places are called tokens. Eachplace can have at most one token. A place is marked if it hasa token. A marking of LPN, µ ⊆ P is a set of marked places.

The dynamic behavior of a concurrent system is capturedby LPN transitions with labelings. Each transition t ∈ T hasa preset denoted by •t = {p ∈ P |(p, t) ∈ F}, which isthe set of places connected to t, and a postset denoted byt• = {p ∈ P |(t, p) ∈ F}, which is the set of places to whicht is connected. The preset and postset for places are definedsimilarly.

Before defining the transition labels formally, the grammarused by these labels is introduced first below [15]. Thenumerical portion of the grammar is defined as follows:

χ ::= ci | vi | (χ) | − χ | χ+ χ | χ− χ | χ ∗ χ |χ/χ | χˆχ | χ%χ | NOT(χ) | OR(χ, χ) |AND(χ, χ) | XOR(χ, χ) | INT(φ)

where ci is an integer constant from Z, and vi is an integervariable. The functions NOT, OR, AND, and XOR are bit-wiselogical operations assuming a 2’s complement format witharbitrary precision. INT(φ) returns 1 if the Boolean expressionφ, which is defined below, evaluates to true, or 0 otherwise.The set Pχ is defined to be all formulas that can be constructedfrom the χ grammar.

The Boolean portion of the grammar is as follows:

φ ::= true | false | vi | ¬φ | φ ∧ φ | φ ∨ φ | χ ≡ χ |χ ≥ χ | χ > χ | χ ≤ χ | χ < χ

where the integer vi is regarded as true if its value is nonzero,and false otherwise. In this sense, it is similar to the semanticsof the C language. The set Pφ is defined to be all formulasthat can be constructed from the φ grammar.

As in Definition 2.1, each LPN transition is labeled withan enabling condition and a set of variable assignments. LPNtransition labeling is defined by L = 〈Guard,Assign〉 where• Guard : T → Pφ labels each LPN transition with a

Boolean expression that defines its enabling condition.• Assign : T ×V → Pχ labels each LPN transition t ∈ T

and each variable v ∈ V with an integer assignment madeto v when t fires.

For a large complex design, it usually consists of multiplecomponents. Then, each component is modeled in a LPNmodule, and the LPN for the whole design is the parallelcomposition of the LPN modules. Let N1, . . ., Nn be theLPN modules for the components consisting of a design.The LPN for the design is N = N1‖ . . . ‖Nn where ‖ isthe parallel composition operator for LPNs. In our method,communications among components are represented by theshared variables. Shared variables between components Niand Nj are variables in Vi ∩ Vj . Moreover, no two LPNmodules share any common places. In other words, ∀i,ji 6=j ⇒ Pi ∩ Pj = ∅. In Fig. 1, the design is partitioned intothree components for illustration purpose. These componentsare represented by LPN modules as shown in M1, M2, andM3.

B. Reachability Analysis

A basic approach for analyzing the dynamic behavior of aconcurrent system modeled with LPNs is reachability analysis,which finds all possible state transitions and thus reachablestates for such a system. The reachable state space is typicallyrepresented by a state graph. A state graph is a directedgraph where vertices represent states and edges represent statetransitions.

A state of a LPN module Ni is a pair (µi, σi) where µidenotes a marking of Ni and σi denotes a vector of valuesover variables Vi of Ni. The initial state init of Ni is (µ0, α0).Given a state si of module Ni, M(si) denotes the markingof si and σ(si) denotes the state vector of si. Also, for anyexpression e ∈ Pχ ∪ Pφ, value(e, si) denotes a function thatreturns the value of expression e in state si. As describedin the previous section, the LPN of a design is the parallelcomposition of a set of LPN modules, each of which representsa component in the design. Let N = N1‖ . . . ‖Nn be the LPN

(a) (b)

Fig. 1. (a) A simple asynchronous circuit. (b) The LPNs for module M1, M2, and M3. The initial values of variables u, v, w, x, y, and z are 0, 1, 1, 0,0, and 0, respectively.

of a design where Ni (1 ≤ i ≤ n) is the LPN module forthe ith component of the design. A global state ~s of N is an-tuple (s1, . . . , sn) where each si (1 ≤ i ≤ n) is a local stateof LPN module Ni.

Before describing the reachability analysis, the enablingcondition of the LPN transitions is defined below.

Definition 2.2: Let Ni be a LPN module. A LPN transitiont is enabled in a state s if the following two conditions aremet:

1) •t ⊆ µ(s),2) value(e, s) is true or not zero for e = Guard(t).In Fig 1, every transition has its preset included in the initial

marking. In the initial state, the values of variable u and z are0, Guard(t11), which is u = 0 ∧ z = 0, is evaluated to betrue, therefore transition t11 is enabled in the initial state.

Given a LPN module, the set of transitions enabled ina state s is denoted by enabled(s). Naturally, the enabledtransitions of the whole design LPN is denoted by enabled(~s ).The reachable state space of a LPN model can be foundby exhaustively firing every enabled transition starting at theinitial state. Firing a transition may lead to a new state bygenerating a new marking and a new state vector according tothe assignments labeled for such transition. Detailed definitionof transition firing can be found in [1]. In this paper, s′ = t(s)denotes that a new state s′ is produced by firing transition t instate s in a LPN module. Similarly, ~s ′ = t(~s ) denotes that anew global state ~s ′ is produced by firing transition t in globalstate ~s .

The procedure to find the reachable state space of a givenLPN model is given in Algorithm 1. Reachable states arestored in stateTable. During the reachability analysis, after aLPN transition ti is fired in global state ~s , the local state ofMi is changed to a new one. In other words, if transition ti isfired in state ~s = (s1, . . . , si, . . . , sn), a new global state ~s ′

is generated such that ~s ′ = (s′1, . . . , s′i, . . . , s

′n). Observe that

in ~s and ~s ′, many local states might be exactly the same. Toavoid creating fresh copies of the same local states for ~s ′ inmemory, the actual definitions of the distinct local states arestored in a hash table for each LPN module, and the pointers tothe local states are used to construct the global states. From

Algorithm 1: search((T, P, F,M0))

stateStack.push(~s 0);1

enabledStack.push(enabled(~s 0));2

while stack is not empty do3

~s = stateStack.top();4

E~s = enabledStack.top();5

if E~s = ∅ then6

stateStack.pop();7

enabledStack.pop();8

continue;9

Select t ∈ E~s to fire;10

E~s = E~s \t;11

~s ′ = t(~s );12

if stateTable.contains(~s ) == true then13

stateStack.push(~s ′);14

enabledStack.push(enabled(~s ′));15

stateTable.add(~s ′);16

now on, ~s = (s1, . . . , sn) is viewed as a tuple of pointersto the local states si, . . ., and sn. In this way, a local stateis created only once, and its pointer may be referenced manytimes in different global states. The similar state representationis also implemented in the model checker SPIN [10] and JavaPathFinder [2].

In many existing model checkers, the obvious choice ofthe data structure for stateTable is hash tables. Even thoughinserting and accessing hash tables are usually very efficient,the memory usage increases exponentially as the numberof states found during the reachability analysis increasesexponentially in the size of a design. Therefore, representingand storing reachable states compactly is extremely important.To address this problem, the following sections describe howthe reachable states are represented using graphs, specificallydecision trees and diagrams which may allow very largenumber of states to be stored in a relatively small memoryfootprint.

(0, 0, 0)(0, 0, 1)(0, 1, 0)(0, 1, 1)(1, 1, 1)(1, 1, 2)

0 1

1

1

1

���

���

���

���

01

���

0 2

���

1

0

(a) (b)

Fig. 2. (a) A set of integer triples, (b) The corresponding multi-value decisiontree representation for the set shown in (a).

III. STATE SPACE REPRESENTATIONS

As described above, different global states might have alarge number of pointers to the same local states. To savememory even further by avoiding storing the same local statepointers in different global states, a data structure called multi-value decision diagram (MDD) is implemented in our methodto store global states found during the reachability analysis.The concept of MDD [17] is very close to that of binarydecision diagrams (BDDs) [3] in that both use graphs to repre-sent a set of objects encoded by some variables. The memoryefficiency comes from the sharing of the same variables usedto encode different objects. In BDDs, the variables used for theencoding are binary variables, while integer variables are usedfor the encoding in the case of MDDs. In this sense, BDDscan be regarded as a special case of MDDs. The structuralrepresentation of the global states in our method is naturalfor MDDs. To facilitate the presentation, an unique integerindex is assigned to each local state of a single LPN module.Therefore, a global state ~s = (s1, . . . , sn) can be regarded asa tuple of integers where si is the index to a local state ofmodule i.

A. Multi-Value Decision Trees

This section describes multi-value decision trees to intro-duce multi-value decision diagrams that are described in thenext section. A multi-value decision tree is a directed acyclicgraph with a single root node, terminal nodes and non-terminalnodes. The root node does not have incoming edges, and theterminal nodes do not have any outgoing edges. Each non-terminal node has a single incoming edge and one or moreoutgoing edges. Each edge is labeled with an integer number.A path is a sequence of edges from the root to one of theterminal nodes, therefore an integer tuple can be formed bycollecting the integers labeled on the edges on the path. Inother words, a path represents or encodes an integer tuple. Anexample of multi-value decision tree is shown in Fig. 2. Notethat a terminal node is drawn for each path in the figure tomake presentation clear. In the actual implementation, only asingle terminal node is used, and all paths converge to thisunique terminal node.

In our implementation, two operations are supported formulti-value decision tree, add and contains. Function addtakes as input an integer tuple, and creates necessary edges in

the decision tree to build a path corresponding to the inputtuple. For example shown in Fig. 2, if a new tuple (1, 1, 3)is given, it can be added to the decision tree by creating anedge from node n21 to the terminal node, and this edge islabeled with 3. If another tuple (1, 1, 1) is given, then no newedge is created as there is a path existing in the decision treecorresponding to the given tuple. Function contains alsotakes as input an integer tuple, and checks if there is a path inthe decision tree that corresponds to the given tuple. It returnstrue if there is, false otherwise. The time complexity of bothfunctions is linear in the size of the tuples.

The memory efficiency of the decision trees depends on thesimilarity of the prefixes of the tuples in the given set. If thereare a large number of tuples with long same prefixes, a lot ofnode sharing can reduce the memory usage significantly. Onthe other hand, the worst case happens when a large number oftuples differ on their first elements. In this case, more memorymay be required compared to using hash tables as an edge isneeded for each element in each tuple.

B. Multi-Value Decision Diagrams

A multi-value decision diagram, similar to the decisiontrees, is a rooted directed acyclic graph where there is anunique root node, an unique terminal node, and non-terminalnodes. In a multi-value decision diagram, the nodes arepartitioned into levels. The number of levels of a decisiondiagram is equal to the size of the integer tuples representingthe global states. The root node is at level 0, which is at thetop of the decision diagram. The node at the bottom is theterminal. Each non-terminal node has a number of outgoingedges connecting nodes at one level higher or the terminal,and a number of incoming edges from nodes including the rootnode from one level lower. Non-terminal nodes in the decisiondiagrams, unlike those in the decision trees, can have multipleincoming and outgoing edges. A path from the root node tothe terminal node in a decision diagram corresponds an integertuple. In the reachability analysis, the decision diagrams areused to replace the hash tables, therefore our implementationonly supports two operations, union and contains. Sincecontains for the decision diagrams is the same as functioncontains for the decision trees, union is described in thissection.

Function union takes as inputs two decision diagrams, andreturns a decision diagram that includes all the paths fromeither of the two input decision diagrams. During the unionoperation, an unique table is maintained to make sure that noequivalent nodes are created. Before the node equivalence isdefined, let (n, i, n′) be an outgoing edge of node n, and theset of all outgoing edges of node n is denoted as outgoing(n).Two nodes n1 and n2 are equivalent, denoted as n1 ≡ n2, if n1

and n2 are the same, or the following conditions are satisfied.• ∀(n1,i,n′

1)∃(n2,i,n′

2)n′1 ≡ n′2.

• ∀(n2,j,n′2)∃(n1,j,n′

1)n′1 ≡ n′2.

Function union creates a new decision diagram for two inputdiagrams as follows. Starting from the root nodes n1 and n2

of the two input decision diagrams, it creates a new node nby following the rules shown below.

1) For each edge (n1, i, n′1) ∈ outgoing(n1), if there

is no (n2, i, n′2) in outgoing(n2), add (n, i, n′1) to

outgoing(n).2) For each edge (n2, i, n

′2) ∈ outgoing(n2), if there

is no (n1, i, n′1) in outgoing(n1), add (n, i, n′2) to

outgoing(n).3) For each edge (n1, i, n

′1) ∈ outgoing(n1), if

there is (n2, i, n′2) in outgoing(n2), add (n, i, n′) to

outgoing(n) where n′ = union(n′1, n′2).

During the union operation, whenever a node is created, theunique table is checked to see if there is an existing node thatis equivalent to the created one. If there exists an equivalentnode, such existing node is returned. Otherwise, the creatednode is returned. Multiple decision diagrams can exist at thesame time, and they share the same unique node table. Thisallows the node sharing among different decision diagrams.

The union operation may need to make a large number ofcalls to function union on different pairs of nodes. To avoidredundant work and improve efficiency, a cache is maintainedto store pairs of nodes where function union has been appliedand their corresponding results from the union operations. Iflater a call to union on the same pair of nodes is made,then the cached result is returned instead of performing theexpensive union operations again.

After the union operation, if the input decision diagramsare no longer needed, their nodes can be removed by callingfunction remove on the root nodes n as follows.

1) Decrement the reference count of n by 1.2) If the reference count of n is 0, remove n from the

unique node table, then for each edge (n, i, n′) ∈outgoing(n), remove(n′).

More detailed description on multi-value decision diagramsand the commonly supported operations can be found in [17].In our method, multi-value decision diagrams are used as amechanism for storing the reachable states compactly, and thedeletion operation for individual paths is not supported as itis not needed for the above purpose.

The example in Fig. 3 shows the same set of integer triplesin Fig 2(a) and the corresponding decision diagram. Each edgeis labeled with an integer denoting the index of some localstate. In the figure, an edge may be labeled with more than oneinteger. In that case, it corresponds to multiple edges, each ofwhich is labeled with an integer. Another multi-value decisiondiagram is shown in Fig. 4(a), and the result from mergingit with the diagram shown in Fig. 3(b) by function union isshown in Fig. 4(b). It is straightforward to verify that all thepaths in diagrams in Fig. 3(b) and 4(a) are included in thediagram shown in Fig. 4(b). The resulting diagram representsa set of nine integer tuples. Note that in the shown diagrams,the labels of the nodes are not used to distinguish nodes fromdifferent diagrams, therefore nodes from different diagramswith the same labels should not be viewed as the same nodes.

C. Using Decision Diagrams in Reachability Analysis

A direct way to use the multi-value decision diagrams inthe reachability analysis shown in Algorithm 1 is to replacethe hash table for stateTable with a decision diagram. First,

(0, 0, 0)(0, 0, 1)(0, 1, 0)(0, 1, 1)(1, 1, 1)(1, 1, 2)

0 1

0, 1

1, 20, 1

1

���

���

���

���

���

(a) (b)

Fig. 3. (a) A set of integer triples, (b) The corresponding MDD representationfor the set shown in (a).

1 2

1

1, 20, 1

1

���

���

���

���

���

0 2

0, 1

1, 20, 1

1

���

���

���

���

���

1

���

���

1

0, 1, 2

(a) (b)

Fig. 4. (a) Another multi-value decision diagram, (b) The result from mergingthe MDD in Fig .4(a) and the MDD in Fig. 3(b) by the union operation.

let mdd create(~s ) be a function that takes an integer tupleand returns a multi-value decision diagram with a singlepath corresponding to ~s . Then, the code in line 16 in Al-gorithm 1 can simply be replaced with the following line.stateTable = union(stateTable, mdd create(~s ′));Directly using the decision diagrams as shown above is

simple, and can be very efficient in memory usage. However, itis not very efficient in runtime. This is due to a large number ofunion calls as one is made for every new state ~s ′. Since eachunion call can incur several operations on node creationsand checks against the unique node table, a large number ofunion calls can lead to very high overhead when the numberof reachable states is large.

To address this problem, multi-value decision trees are usedas buffers for a set of states before adding them together intothe decision diagram stateTable. The basic reason is that itis much more efficient to add a state into a decision tree.On the other hand, a decision tree generally requires morememory to store the same number of states than a decisiondiagram. In this method, a decision tree is used as a buffer.The search algorithm adds states into the decision tree first.When a sufficiently large number of states are added such thata preset memory threshold is exceeded, this decision tree iscompressed to become a decision diagram, and consequently

merged with the decision diagram pointed by stateTableby function union. This is a common idea of trading areasonable amount of memory for higher runtime efficiency.

Decision trees can be compressed into decision diagramsby function compress. This function takes a decision treerooted at node n, and performs the following operationsrecursively.

1) Create a new node n1.2) For each edge (n, i, n′) ∈ outgoing(n),

a) n′′ = compress(n′).b) Add edge (n1, i, n

′′) into outgoing(n1).3) Check if there exists an equivalent node to n1 in the

unique node table. If so, return the equivalent node;otherwise, return n1.

Basically, function compress traverses a decision tree fromthe root node, and merges all equivalent nodes.

IV. EXPERIMENTS

The multi-value decision trees and diagrams described inthis paper are implemented in a package, and integrated intoan asynchronous system verification tool Platu, an explicitmodel checker implemented in Java. Experiments have beenbeen performed on a number of examples. These examples in-clude asynchronous circuit designs from previously publishedpapers [11], [6], [18], [19], [13]. Other examples are selectedfrom the BEEM benchmark suite for explicit model checking[14]. This benchmark includes a large number of models ofcommunication protocols, mutual exclusion algorithms, etc.All the examples used in the experiments have medium or highcomplexity to show the difference in using the hash tables andthe decision diagrams.

In the experiments, all examples are ran by using the samedepth-first search algorithm but with three different waysfor storing reachable states: hash table, multi-value decisiondiagram, and multi-value decision diagram with a decisiontree as buffer to reduce runtime overhead. To have somewhatfair comparison, the model checker SPIN [10] is not usedin the experiments since SPIN is implemented in C whilePlatu is implemented in Java. It is well known that theJava applications generally have serious memory overhead.Instead, the state compression technique implemented in SPINis also implemented in Platu, and used as the base of staterepresentation for all three methods representing reachable setsof states.

Among all the examples, some have very large state space,and it can take enormous amount of time to find all reachablestates. The main purpose of using the decision diagrams forstoring reachable states is to allow much larger number ofstates to be explored in a reasonable amount of time. Hashtables can be accessed very efficiently, but usually exhaustmemory also very quickly. Therefore, for examples with smallstate space, hash tables are a better option. On the other hand,for large examples, the decision diagrams would allow eitherthe whole state space or a much larger portion of it to bestored with some extra runtime. This allows larger examplesto be handled, or improves verification coverage by exploringsignificantly more states. In all experiments, upper bounds on

time and memory are set to 900 seconds and 2 GB. Theresults collected include the actual runtime, memory usage,and the total number of reachable states found at terminationof the search algorithm. In cases of time-out or memory-out,the number of reachable states is recorded. All experiments areperformed on a iMac desktop with a Intel Quad-core processor.Only a single thread is used for all experiments.

The results are shown in Table I. The first column Columnshows the different models. The numbers enclosed in paren-thesis for the first few examples indicate the number of statevariables. Since these examples are asynchronous circuits, thetype of their state variables is boolean. The following examplesare the models of mutual exclusion algorithms from the BEEMbenchmarks [14]. The remaining columns are divided intothree groups, one for results from using each different staterepresentation. Columns under “Base” show results with thehash table is used. Columns “MDD” show the results with theMDD alone used. Finally, the columns under “MDD-Hybrid”show the results with MDD used where a decision tree isused to speed up the search. Among the five columns in eachgroup, “Time” and “Mem” show the total runtime and thepeak memory used during the search. Note that the memorynumbers include those used for storing reachable states andother necessary data structures for the search such as stacks.Column “|S|” shows the total number of states found at thetermination of the search. Note that this number shows allreachable states of an example if the run does not time out(< 900 second) and does not exhaust the allocated memory(< 2000 MB).

The first conclusion that can be drawn from the table isthat the search using a hash table is the fastest for almost allexamples. For examples with low complexity such as at.4 andfischer.3. However, using a hash table also causes the searchto exhaust 2 GB for large number of examples as shown bythe cells in the table under “Mem” filled with 2000. On theother hand, from the columns under “MDD”, the search withMDD used is significantly slower, and it times out for mostexamples. At the same time, using MDD allows more statesto be searched with less memory. Take dmeN5 as an example.using MDD causes the search to time out, but over two timesmore states are found with slightly less memory than 2 GBused. The same conclusion is also observed for anderson.8,lamport.7, and so on. For some other examples, the search withthe MDD finds less number of states due to the overhead fromconverting states into the MDDs as explained before. Finally,from the columns under “MDD-Hybrid”, the search in thismode finds much more states for almost every example withinboth limits of time and memory. This shows the effectivenessof using decision trees as buffer for the MDD representation.

To better compare these three representations, two morevalues are computed from the results for each example: searchspeed (SS) and state space density (SSD). The numbers inthe column under SS show the numbers of states found persecond. This is a rough measure of how fast the search runs.The numbers in the column under SSD show the numbers ofstates per MB of memory. This is a rough measure of theefficiency of different representations for storing states. Forboth measures, it is better and more efficient if the numbers

TAB

LE

IR

ES

ULT

SF

RO

MU

SIN

GD

IFF

ER

EN

TS

TAT

ER

EP

RE

SE

NTA

TIO

NS

ON

AS

ET

OF

AS

YN

CH

RO

NO

US

CIR

CU

ITD

ES

IGN

SA

ND

MO

DE

LS

OF

MU

TU

AL

EX

CL

US

ION

EX

AM

PL

ES.T

IME

ISIN

SE

CO

ND

S,A

ND

ME

MO

RY

ISIN

MB

S.|

S|I

ST

HE

NU

MB

ER

SO

FS

TAT

ES

FO

UN

DA

TT

HE

EN

DO

FR

EA

CH

AB

ILIT

YA

NA

LYS

IS.E

NT

RIE

SFI

LL

ED

WIT

H900

UN

DE

RT

IME

AN

D2000

UN

DE

RM

EM

IND

ICA

TE

TIM

E-O

UT

AN

DM

EM

OR

Y.C

OL

UM

NS

UN

DE

R“B

AS

E”

SH

OW

RE

SU

LTS

US

ING

HA

SH

TAB

LE

S.C

OL

UM

NS

UN

DE

R“M

DD

”S

HO

WR

ES

ULT

SU

SIN

GM

DD

S,W

HIL

ET

HO

SE

UN

DE

R“M

DD

-HY

BR

ID”

SH

OW

RE

SU

LTS

US

ING

MD

DS

CO

MB

INE

DW

ITH

DE

CIS

ION

TR

EE

SA

SB

UFF

ER

S.

Bas

eM

DD

MD

D-H

ybri

dM

odel

sTi

me

Mem

|S|

SSSS

DTi

me

Mem

|S|

SSSS

DTi

me

Mem

|S|

SSSS

Dar

bN5

(44)

4.1

5322

7472

5548

142

925.

332

2274

7242

919

7109

4.3

4522

7472

5290

050

55ar

bN7

(62)

292

2000

1258

2972

4309

262

9154

811

0913

8011

0425

184

1244

544

816

3913

8011

0430

806

8420

arbN

9(8

0)11

320

0090

5241

780

110

4526

320

2000

1589

2574

4966

479

4627

720

0018

2412

5865

853

9121

dmeN

3(3

3)2.

7749

2679

9996

751

5469

4.3

2126

7999

6232

512

762

2.4

2926

7999

1116

6692

41dm

eN4

(44)

199

1725

1569

2028

7885

490

9732

215

515

6920

2848

733

1012

3915

256

015

6920

2810

3237

2802

1dm

eN5

(55)

149

2000

1259

0803

8450

262

9590

018

8138

8233

4343

137

2064

090

020

0066

7460

0774

162

3337

3fif

oN8

(34)

119

653

3572

036

3001

754

7090

092

432

6885

036

3235

3810

268

935

7203

635

020

5184

fifoN

10(4

2)29

220

0094

8167

332

471

4741

900

301

3344

6037

211

1176

720

0013

1641

8817

163

6582

mm

u(5

5)90

015

2882

8488

592

0554

2290

075

754

9249

661

0372

5690

017

0190

5702

410

063

5325

pipe

ctrl

(50)

168

2000

1048

5516

6241

452

4337

620

0014

4447

2638

417

7222

398

2000

2208

2395

5548

311

041

tagu

nit

(48)

269

2000

3302

662

1227

816

5190

019

1925

4680

528

3013

2790

017

5226

6898

529

6615

23an

ders

on.6

141

2000

1201

3290

8520

160

0789

717

2418

2069

1720

298

1056

134

817

5118

2069

1752

319

1039

8an

ders

on.8

4120

0090

2287

922

0070

4511

187

2000

1222

2460

6536

161

1119

220

0016

1415

2584

070

8071

at.4

102

1018

6597

246

6467

964

8190

076

261

5911

468

4380

8312

216

2465

9724

654

076

4062

at.5

154

2000

1048

9013

6811

052

4590

010

2836

5188

740

5835

5290

017

5212

5812

1913

979

7181

at.6

167

2000

1010

0451

6048

250

5090

011

0936

5188

740

5832

9390

017

5211

6018

6012

891

6622

at.7

361

2000

1258

3081

3485

662

9290

050

636

5188

740

5872

1790

017

5117

6867

1219

652

1010

1ba

kery

.821

420

0017

0428

1179

639

8521

900

754

5182

0580

5757

868

728

900

1751

7668

0860

8520

143

793

driv

ing

phils

.31

1343

643

634

114

436

436

311

1443

643

631

driv

ing

phils

.420

420

0014

0398

5968

823

7020

900

576

5217

462

5797

9058

900

1752

2867

2594

3185

816

366

driv

ing

phils

.578

2000

3599

664

4615

018

0090

052

022

6854

025

2143

6323

017

5035

9966

315

651

2057

fisch

er.3

5240

928

9670

555

706

7082

900

329

2363

979

2627

7185

6689

728

9670

543

889

3229

fisch

er.4

2534

212

7225

450

890

3720

471

461

1272

254

2701

2760

4711

3512

7225

427

069

1121

fisch

er.5

340

2000

1078

0321

3170

753

9090

055

225

0549

827

8445

3990

017

5251

9954

457

7729

68fis

cher

.629

920

0082

3731

627

550

4119

900

533

2022

330

2247

3794

900

1751

3811

183

4235

2177

fisch

er.7

365

2000

1063

3261

2913

253

1790

049

727

1750

630

1954

6890

017

5279

9679

088

8545

64la

mpo

rt.5

1013

510

6679

910

6680

7902

1951

1066

799

5614

720

918

10.2

110

1066

799

1045

8896

98la

mpo

rt.6

111

519

519

471

1451

951

937

112

519

519

43la

mpo

rt.7

252

2000

1807

5514

7172

890

3890

031

033

9540

9537

727

1095

2949

717

5138

7178

4577

903

2211

2la

mpo

rt.8

111

5050

51

1150

505

111

5050

5m

cs.5

127

2000

1204

1513

9481

560

2190

018

0115

1066

9416

785

8388

363

2000

2301

5234

6340

311

508

pete

rson

.411

147

1119

559

1017

7876

1621

6811

1955

953

312

1646

411

161

1119

559

1017

7869

54pe

ters

on.5

109

2000

1258

3035

1154

4162

9272

720

0023

9986

6333

011

1199

951

720

0042

2004

0381

626

2110

0pe

ters

on.6

8820

0011

1106

3912

6257

5555

486

2000

1382

0828

2843

869

1030

920

0023

8972

9777

338

1194

9pe

ters

on.7

222

2000

1597

5060

7196

079

8890

069

211

9574

6213

286

1728

090

017

5264

0623

6671

180

3656

5ph

ils.6

*2.

515

924

1660

9666

415

2014

141

2416

6017

261

1714

461

724

1660

6041

539

2ph

ils.7

4420

0069

2703

615

7433

3464

900

1715

1025

3596

1139

359

7926

120

0010

4861

7740

177

5243

phils

.87.

243

791

4351

1269

9320

9214

437

391

4351

6350

2451

1317

0791

4351

7033

553

6sz

yman

ski.4

20.4

282

2313

863

1134

2582

0546

7823

1386

350

301

2966

521

204

2313

863

1101

8411

342

szym

ansk

i.515

520

0015

9086

5510

2636

7954

900

527

4852

6313

5391

892

080

867

1751

7951

4858

9171

345

411

Ave

rage

6987

552

2022

155

1626

949

263

1071

2

are larger. The averages of these two measurements are shownin the last row for every group. From the average numbers, itcan be seen alternatively that using the hash tables leads to thehighest search speed but the least memory efficiency. UsingMDD alone leads to the highest memory efficiency, but it isthe slowest to use. The MDD with the decision tree bufferingachieves good balance between runtime and memory as it isslight slower than using hash tables, and slightly less memoryefficient than using the MDDs alone. This good balance allowsthe search to find much more states for many examples. Takeszymamski.5 as an example, the search exceeds the memorylimits by finding a little over 15 million states when the hashtable is used, while the search runs out of time after findingabout 2 times more states with only 527 MB memory usedwhen the MDDs alone are used. However, the MDDs withbuffering allow all reachable states to be found under bothtime and memory limits.

From the experiments, for examples that take long time torun for the search using hash tables, using the MDDs wouldlead to less number of states to be found as it is more expensiveto use the MDDs even with faster buffering techniques. Onthe other hand, for examples that have large state space,the MDDs are much more efficient. Furthermore, bufferingseems a very promising approach for handling larger designs.Since the MDDs implemented in Platu are not intensivelyoptimized, there might be more potential for making themeven more efficient. Meanwhile, it would be interesting toinvestigate if using the existing BDD packages such as CUDD[16] could bring more efficiency as they commonly supportvariable recording, which is well known critical for efficiencyand compactness of BDD representations.

One last point to note is that in the work described in thispaper, these different approaches are experimented to find outhow states can be stored efficiently. The depth-first searchalgorithm itself remains the same. This indicates that partialorder reduction can be naturally integrated with the MDDsto allow much larger designs to be handled. However, partialorder reduction is not used in this paper.

V. CONCLUSION

This paper shows how the multi-value decision diagramsare used to store reachable states efficiently and compactly,which allows larger designs to be verified, or more statesto be explored thus improving the verification coverage. Byusing the decision trees as a buffering technique, the overheadof using the multi-value decision diagrams is significantlyreduced. In the future, it is interesting to find out how thebinary decision diagrams compare against the multi-valuedecision diagrams in the same context. Moreover, combiningthe decision diagrams and partial order reduction will also beinvestigated.

REFERENCES

[1] J. Ahrens. A compositional approach to asynchronous design verificationwith automated state space reduction. Master’s thesis, Univ. of SouthFlorida, 2007.

[2] G. Brat, K. Havelund, S. Park, and W. V. Java. Pathfinder c a secondgeneration of a java model-checker. In Workshop on Advances inVerification, 2000.

[3] R. E. Bryant. Symbolic Boolean manipulation with ordered binary-decision diagrams. ACM Computing Surveys, 24(3):293–318, 1992.

[4] J. Burch, E. Clarke, D. Long, K. McMillan, and D. Dill. Symbolicmodel checking for sequential circuit verification. IEEE Transactions onComputer-Aided Design of Integrated Circuits and Systems, 13(4):401–424, 1994.

[5] C.Baier and J.-P.Katoen. Principles of Model Checking. MIT Press,2008.

[6] D. Dill. Trace Theory for Automatic Hierarchical Verification of SpeedIndependent Circuits. PhD thesis, Carnegie Mellon University, 1988.

[7] E.M.Clarke, O.Grumberg, and D.Peled. Model Checking. MIT Press,2000.

[8] G.J.Holzmann and D.Peled. An improvement in formal verification. Inroc. Seventh FORTE Conf. Formal Description Techniques, 1994.

[9] P. Godefroid. Partial-Order Methods for the Verification of ConcurrentSystems: An approach to the State-Explosion Problem. PhD thesis,University of Liege, 1995.

[10] G. J. Holzmann. The model checker SPIN. Software Engineering,23(5):279–295, 1997.

[11] A. J. Martin. Self-timed fifo: An exercise in compiling programs intovlsi circuits. Technical Report 1986.5211-tr-86, California Institute ofTechnology, 1986.

[12] T. Murata. Petri nets: Properties, analysis, and applications. InProceedings of the IEEE 77(4), pages 541–580, 1989.

[13] C. J. Myers. Computer-Aided Synthesis and Verification of Gate-LevelTimed Circuits. PhD thesis, Stanford University, 1995.

[14] R. Pelanek. Beem: Benchmarks for explicit model checkers. In Proc.of SPIN Workshop, volume 4595 of LNCS, pages 263–267. Springer,2007.

[15] R.A.Thacker, K.R.Jones, C.J.Myers, and H. Zheng. Automatic abstrac-tion for verification of cyber-physical systems. In 1st InternationalConference on Cyber-Physical Systems, 2010.

[16] F. Somenzi. Cudd: Cu decision diagram package.[17] A. Srinivasan, T. Ham, S. Malik, and R. Brayton. Algorithms for discrete

function manipulation. In Proceedings of Computer-Aided Design,1990. ICCAD-90. Digest of Technical Papers., 1990 IEEE InternationalConference on, pages 92–95, Nov 1990.

[18] K. Stevens, R. Ginosar, and S. Rotem. Relative timing. In Proc. In-ternational Symposium on Advanced Research in Asynchronous Circuitsand Systems, pages 208–218, 1999.

[19] T. Yoneda and T. Yoshikawa. Using partial orders for trace theoreticverification of asynchronous circuits. In Proc. of Second InternationalSymposium on Advanced Research in Asynchronous Circuits and Sys-tems, pages 152–163, 1996.