Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
1
Using Decision Diagrams to Compactly Representthe State Space for Explicit Model Checking
Hao Zheng, Andrew Price, and Chris Myers
Abstract— The enormous number of states reachable duringexplicit model checking is the main bottleneck for scalability.This paper presents approaches of using decision diagrams torepresent very large state space compactly and efficiently. This ispossible for asynchronous systems as two system states connectedby a transition often share many same local portions. Usingdecision diagrams can significantly reduce memory demand bynot using memory to store the redundant information amongdifferent states. This paper considers multi-value decision di-agrams for this purpose. Additionally, a technique to reducethe runtime overhead of using these diagrams is also described.Experimental results and comparison with the state compressionmethod as implemented in the model checker SPIN show thatthe approaches presented in this paper are memory efficient forstoring large state space with acceptable runtime overhead.
Index Terms— formal verification, model checking, decisiondiagrams, state compression
I. INTRODUCTION
Model checking [7] is an automated formal analysis methodfor verifying hardware and software systems. It systematicallychecks whether a model of a given system satisfies a desiredproperty such as deadlock freedom and request-response prop-erties [5]. However, model checking is computationally veryexpensive as it searches the entire reachable state space of adesign for errors. Typically, all reachable states found duringreachability analysis need to be stored to avoid searchingthe same part of state space multiple times unnecessarily.As the number of states grows exponentially in the sizeof designs under verification, physical memory installed ontypical computers can be exhausted quickly, therefore limitingmodel checking to the designs of small sizes. This problem iswell known as state explosion.
In asynchronous designs, multiple components execute con-currently. When verifying asynchronous designs, generallyinterleaving semantics are used to represent the behavior ofsuch designs. More specifically, when multiple componentsare ready to execute in a state, only one component is selected.This interleaved execution makes sure all possible orderings ofconcurrently enabled executions are considered, thus capturingall possible behavior for verification. The need to considerall possible interleavings of concurrent executions is the main
This material is based upon work supported by the National ScienceFoundation under Grant No. 0546492 and 0930510. Any opinions, findings,and conclusions or recommendations expressed in this material are those ofthe author(s) and do not necessarily reflect the views of the National ScienceFoundation.
Hao Zheng and Andrew Price are with the Dept. of Computer Science andEngineering at the University of South Florida, Tampa, FL. Chris Myers iswith the Dept. of Electrical and Computer Engineering at the University ofUtah, SLC, UT.
cause of state explosion in asynchronous design verification asthe number of interleavings grows exponentially if a design hasa high degree of concurrency, and this leads to an excessivelylarge state space for even a relatively small system.
In the interleaved execution as described above, only onecomponent executes and updates the relative portion of astate, and the remaining portions of the state are unchanged.Therefore, storing the entire states results in unnecessaryoverhead. In model checker SPIN [10], a state compressionmethod is described where the independent parts of the designstates are considered when representing states. Independentparts refer to variables including global and local variablesbelonging to different processes. An unique copy is createdfor each different independent part, and the references to thecopies of independent parts are used to construct the states.
While the above compression method reduces memorysignificantly in representing states, there are still a lot ofredundancies in the state representations. As pointed out inthe previous paragraphs, a global state of a design is in fact atuple of pointers to the local states. Two states connected by astate transition may still share a large number of same pointersin their representations as a state transition typically causesonly a few local changes. Therefore, reducing the redundancyin the state representations further can improve the scalabilityeven more. This paper proposes to use the multi-value decisiondiagrams to represent the reachable states for explicit modelchecking of asynchronous systems. The multi-value decisiondiagrams, similar to the well-known binary decision diagrams(BDD) [3], uses directed acyclic graphs to sets of objectsencoded by typed variables. The compactness of the decisiondiagram representations is due to sharing of common portionsof a large number of different objects.
BDDs are widely used in symbolic model checking [4]where the model checking algorithms and the state represen-tations are both based on the Boolean operations. However, inthe explicit model checking, individual states are created andmanipulated. Adding individual states into a decision diagramrepresentation can incur high runtime overhead, and this wouldcancel largely the benefit of compact memory footprint ofthe decision diagrams. To address this problem, this paperalso proposes to use multi-value decision trees along with thedecision diagrams. Adding states into a decision tree is muchfaster, but it requires more memory than a decision diagram.In this method, a decision tree is used as a buffer where itstores the reachable states until some threshold is exceeded.Then, the decision tree is compressed, and merged with thedecision diagram representing the whole reachable state space.This approach can significantly reduce the runtime overhead
associated with using the decision diagrams, even though itmay increase the average memory required compared to usingthe decision diagrams solely.
In this paper, the multi-value decision diagrams are onlyused to store the states found during the depth-first search thatare generally implemented for the explicit model checking ofasynchronous systems. The algorithms themselves remain thesame. Therefore, the previous results to improve scalabilitysuch as partial order reduction [8], [9] can still be used.
II. BACKGROUND
A. Labeled Petri-Nets
This paper uses Labeled Petri-Nets to model asynchronoussystems. Petri-Nets are a common modeling formalism forasynchronous designs [12], [1]. A Petri-net is a directed graphwith a set of transitions and a set of places. A labeled Petri-Net is a Petri-net where transitions are labeled with variousinformation representing a system’s properties and behavior[15]. Its definition is given as follows.
Definition 2.1: A labeled Petri-net (LPN) is a tuple N =〈V, P, T, F,M0, init, L〉,where
1) V is a set of state variables of the integer type,2) P is a finite set of places,3) T is a finite set of transitions,4) F ⊆ (P × T ) ∪ (T × P ) is a finite set of the flow
relations,5) µ0 ⊆ P is a finite set of initially marked places,6) α0 : V → Z is a labeling function that assigns each
variable an initial value,7) L = 〈Guard,Assign〉 is a pair of labeling functions
for transitions in T , which is defined below.A simple LPN example is shown in Fig 1. Fig.1(a) shows
a simple asynchronous circuit consisting of three components,and Fig. 1(b) shows the LPNs for each component in thecircuit. For each component, its LPN has 2 places and 4 transi-tions. The places are represented as circles, and the transitionsare represented as boxes. Each place is preceded and followedby one or more transitions, and each transition is precededand followed by one or more places. The flow relations arerepresented by the edges connecting the transitions and places[1]. The bullets found in some places are called tokens. Eachplace can have at most one token. A place is marked if it hasa token. A marking of LPN, µ ⊆ P is a set of marked places.
The dynamic behavior of a concurrent system is capturedby LPN transitions with labelings. Each transition t ∈ T hasa preset denoted by •t = {p ∈ P |(p, t) ∈ F}, which isthe set of places connected to t, and a postset denoted byt• = {p ∈ P |(t, p) ∈ F}, which is the set of places to whicht is connected. The preset and postset for places are definedsimilarly.
Before defining the transition labels formally, the grammarused by these labels is introduced first below [15]. Thenumerical portion of the grammar is defined as follows:
χ ::= ci | vi | (χ) | − χ | χ+ χ | χ− χ | χ ∗ χ |χ/χ | χˆχ | χ%χ | NOT(χ) | OR(χ, χ) |AND(χ, χ) | XOR(χ, χ) | INT(φ)
where ci is an integer constant from Z, and vi is an integervariable. The functions NOT, OR, AND, and XOR are bit-wiselogical operations assuming a 2’s complement format witharbitrary precision. INT(φ) returns 1 if the Boolean expressionφ, which is defined below, evaluates to true, or 0 otherwise.The set Pχ is defined to be all formulas that can be constructedfrom the χ grammar.
The Boolean portion of the grammar is as follows:
φ ::= true | false | vi | ¬φ | φ ∧ φ | φ ∨ φ | χ ≡ χ |χ ≥ χ | χ > χ | χ ≤ χ | χ < χ
where the integer vi is regarded as true if its value is nonzero,and false otherwise. In this sense, it is similar to the semanticsof the C language. The set Pφ is defined to be all formulasthat can be constructed from the φ grammar.
As in Definition 2.1, each LPN transition is labeled withan enabling condition and a set of variable assignments. LPNtransition labeling is defined by L = 〈Guard,Assign〉 where• Guard : T → Pφ labels each LPN transition with a
Boolean expression that defines its enabling condition.• Assign : T ×V → Pχ labels each LPN transition t ∈ T
and each variable v ∈ V with an integer assignment madeto v when t fires.
For a large complex design, it usually consists of multiplecomponents. Then, each component is modeled in a LPNmodule, and the LPN for the whole design is the parallelcomposition of the LPN modules. Let N1, . . ., Nn be theLPN modules for the components consisting of a design.The LPN for the design is N = N1‖ . . . ‖Nn where ‖ isthe parallel composition operator for LPNs. In our method,communications among components are represented by theshared variables. Shared variables between components Niand Nj are variables in Vi ∩ Vj . Moreover, no two LPNmodules share any common places. In other words, ∀i,ji 6=j ⇒ Pi ∩ Pj = ∅. In Fig. 1, the design is partitioned intothree components for illustration purpose. These componentsare represented by LPN modules as shown in M1, M2, andM3.
B. Reachability Analysis
A basic approach for analyzing the dynamic behavior of aconcurrent system modeled with LPNs is reachability analysis,which finds all possible state transitions and thus reachablestates for such a system. The reachable state space is typicallyrepresented by a state graph. A state graph is a directedgraph where vertices represent states and edges represent statetransitions.
A state of a LPN module Ni is a pair (µi, σi) where µidenotes a marking of Ni and σi denotes a vector of valuesover variables Vi of Ni. The initial state init of Ni is (µ0, α0).Given a state si of module Ni, M(si) denotes the markingof si and σ(si) denotes the state vector of si. Also, for anyexpression e ∈ Pχ ∪ Pφ, value(e, si) denotes a function thatreturns the value of expression e in state si. As describedin the previous section, the LPN of a design is the parallelcomposition of a set of LPN modules, each of which representsa component in the design. Let N = N1‖ . . . ‖Nn be the LPN
(a) (b)
Fig. 1. (a) A simple asynchronous circuit. (b) The LPNs for module M1, M2, and M3. The initial values of variables u, v, w, x, y, and z are 0, 1, 1, 0,0, and 0, respectively.
of a design where Ni (1 ≤ i ≤ n) is the LPN module forthe ith component of the design. A global state ~s of N is an-tuple (s1, . . . , sn) where each si (1 ≤ i ≤ n) is a local stateof LPN module Ni.
Before describing the reachability analysis, the enablingcondition of the LPN transitions is defined below.
Definition 2.2: Let Ni be a LPN module. A LPN transitiont is enabled in a state s if the following two conditions aremet:
1) •t ⊆ µ(s),2) value(e, s) is true or not zero for e = Guard(t).In Fig 1, every transition has its preset included in the initial
marking. In the initial state, the values of variable u and z are0, Guard(t11), which is u = 0 ∧ z = 0, is evaluated to betrue, therefore transition t11 is enabled in the initial state.
Given a LPN module, the set of transitions enabled ina state s is denoted by enabled(s). Naturally, the enabledtransitions of the whole design LPN is denoted by enabled(~s ).The reachable state space of a LPN model can be foundby exhaustively firing every enabled transition starting at theinitial state. Firing a transition may lead to a new state bygenerating a new marking and a new state vector according tothe assignments labeled for such transition. Detailed definitionof transition firing can be found in [1]. In this paper, s′ = t(s)denotes that a new state s′ is produced by firing transition t instate s in a LPN module. Similarly, ~s ′ = t(~s ) denotes that anew global state ~s ′ is produced by firing transition t in globalstate ~s .
The procedure to find the reachable state space of a givenLPN model is given in Algorithm 1. Reachable states arestored in stateTable. During the reachability analysis, after aLPN transition ti is fired in global state ~s , the local state ofMi is changed to a new one. In other words, if transition ti isfired in state ~s = (s1, . . . , si, . . . , sn), a new global state ~s ′
is generated such that ~s ′ = (s′1, . . . , s′i, . . . , s
′n). Observe that
in ~s and ~s ′, many local states might be exactly the same. Toavoid creating fresh copies of the same local states for ~s ′ inmemory, the actual definitions of the distinct local states arestored in a hash table for each LPN module, and the pointers tothe local states are used to construct the global states. From
Algorithm 1: search((T, P, F,M0))
stateStack.push(~s 0);1
enabledStack.push(enabled(~s 0));2
while stack is not empty do3
~s = stateStack.top();4
E~s = enabledStack.top();5
if E~s = ∅ then6
stateStack.pop();7
enabledStack.pop();8
continue;9
Select t ∈ E~s to fire;10
E~s = E~s \t;11
~s ′ = t(~s );12
if stateTable.contains(~s ) == true then13
stateStack.push(~s ′);14
enabledStack.push(enabled(~s ′));15
stateTable.add(~s ′);16
now on, ~s = (s1, . . . , sn) is viewed as a tuple of pointersto the local states si, . . ., and sn. In this way, a local stateis created only once, and its pointer may be referenced manytimes in different global states. The similar state representationis also implemented in the model checker SPIN [10] and JavaPathFinder [2].
In many existing model checkers, the obvious choice ofthe data structure for stateTable is hash tables. Even thoughinserting and accessing hash tables are usually very efficient,the memory usage increases exponentially as the numberof states found during the reachability analysis increasesexponentially in the size of a design. Therefore, representingand storing reachable states compactly is extremely important.To address this problem, the following sections describe howthe reachable states are represented using graphs, specificallydecision trees and diagrams which may allow very largenumber of states to be stored in a relatively small memoryfootprint.
(0, 0, 0)(0, 0, 1)(0, 1, 0)(0, 1, 1)(1, 1, 1)(1, 1, 2)
0 1
1
1
1
���
���
���
���
01
���
0 2
���
1
0
(a) (b)
Fig. 2. (a) A set of integer triples, (b) The corresponding multi-value decisiontree representation for the set shown in (a).
III. STATE SPACE REPRESENTATIONS
As described above, different global states might have alarge number of pointers to the same local states. To savememory even further by avoiding storing the same local statepointers in different global states, a data structure called multi-value decision diagram (MDD) is implemented in our methodto store global states found during the reachability analysis.The concept of MDD [17] is very close to that of binarydecision diagrams (BDDs) [3] in that both use graphs to repre-sent a set of objects encoded by some variables. The memoryefficiency comes from the sharing of the same variables usedto encode different objects. In BDDs, the variables used for theencoding are binary variables, while integer variables are usedfor the encoding in the case of MDDs. In this sense, BDDscan be regarded as a special case of MDDs. The structuralrepresentation of the global states in our method is naturalfor MDDs. To facilitate the presentation, an unique integerindex is assigned to each local state of a single LPN module.Therefore, a global state ~s = (s1, . . . , sn) can be regarded asa tuple of integers where si is the index to a local state ofmodule i.
A. Multi-Value Decision Trees
This section describes multi-value decision trees to intro-duce multi-value decision diagrams that are described in thenext section. A multi-value decision tree is a directed acyclicgraph with a single root node, terminal nodes and non-terminalnodes. The root node does not have incoming edges, and theterminal nodes do not have any outgoing edges. Each non-terminal node has a single incoming edge and one or moreoutgoing edges. Each edge is labeled with an integer number.A path is a sequence of edges from the root to one of theterminal nodes, therefore an integer tuple can be formed bycollecting the integers labeled on the edges on the path. Inother words, a path represents or encodes an integer tuple. Anexample of multi-value decision tree is shown in Fig. 2. Notethat a terminal node is drawn for each path in the figure tomake presentation clear. In the actual implementation, only asingle terminal node is used, and all paths converge to thisunique terminal node.
In our implementation, two operations are supported formulti-value decision tree, add and contains. Function addtakes as input an integer tuple, and creates necessary edges in
the decision tree to build a path corresponding to the inputtuple. For example shown in Fig. 2, if a new tuple (1, 1, 3)is given, it can be added to the decision tree by creating anedge from node n21 to the terminal node, and this edge islabeled with 3. If another tuple (1, 1, 1) is given, then no newedge is created as there is a path existing in the decision treecorresponding to the given tuple. Function contains alsotakes as input an integer tuple, and checks if there is a path inthe decision tree that corresponds to the given tuple. It returnstrue if there is, false otherwise. The time complexity of bothfunctions is linear in the size of the tuples.
The memory efficiency of the decision trees depends on thesimilarity of the prefixes of the tuples in the given set. If thereare a large number of tuples with long same prefixes, a lot ofnode sharing can reduce the memory usage significantly. Onthe other hand, the worst case happens when a large number oftuples differ on their first elements. In this case, more memorymay be required compared to using hash tables as an edge isneeded for each element in each tuple.
B. Multi-Value Decision Diagrams
A multi-value decision diagram, similar to the decisiontrees, is a rooted directed acyclic graph where there is anunique root node, an unique terminal node, and non-terminalnodes. In a multi-value decision diagram, the nodes arepartitioned into levels. The number of levels of a decisiondiagram is equal to the size of the integer tuples representingthe global states. The root node is at level 0, which is at thetop of the decision diagram. The node at the bottom is theterminal. Each non-terminal node has a number of outgoingedges connecting nodes at one level higher or the terminal,and a number of incoming edges from nodes including the rootnode from one level lower. Non-terminal nodes in the decisiondiagrams, unlike those in the decision trees, can have multipleincoming and outgoing edges. A path from the root node tothe terminal node in a decision diagram corresponds an integertuple. In the reachability analysis, the decision diagrams areused to replace the hash tables, therefore our implementationonly supports two operations, union and contains. Sincecontains for the decision diagrams is the same as functioncontains for the decision trees, union is described in thissection.
Function union takes as inputs two decision diagrams, andreturns a decision diagram that includes all the paths fromeither of the two input decision diagrams. During the unionoperation, an unique table is maintained to make sure that noequivalent nodes are created. Before the node equivalence isdefined, let (n, i, n′) be an outgoing edge of node n, and theset of all outgoing edges of node n is denoted as outgoing(n).Two nodes n1 and n2 are equivalent, denoted as n1 ≡ n2, if n1
and n2 are the same, or the following conditions are satisfied.• ∀(n1,i,n′
1)∃(n2,i,n′
2)n′1 ≡ n′2.
• ∀(n2,j,n′2)∃(n1,j,n′
1)n′1 ≡ n′2.
Function union creates a new decision diagram for two inputdiagrams as follows. Starting from the root nodes n1 and n2
of the two input decision diagrams, it creates a new node nby following the rules shown below.
1) For each edge (n1, i, n′1) ∈ outgoing(n1), if there
is no (n2, i, n′2) in outgoing(n2), add (n, i, n′1) to
outgoing(n).2) For each edge (n2, i, n
′2) ∈ outgoing(n2), if there
is no (n1, i, n′1) in outgoing(n1), add (n, i, n′2) to
outgoing(n).3) For each edge (n1, i, n
′1) ∈ outgoing(n1), if
there is (n2, i, n′2) in outgoing(n2), add (n, i, n′) to
outgoing(n) where n′ = union(n′1, n′2).
During the union operation, whenever a node is created, theunique table is checked to see if there is an existing node thatis equivalent to the created one. If there exists an equivalentnode, such existing node is returned. Otherwise, the creatednode is returned. Multiple decision diagrams can exist at thesame time, and they share the same unique node table. Thisallows the node sharing among different decision diagrams.
The union operation may need to make a large number ofcalls to function union on different pairs of nodes. To avoidredundant work and improve efficiency, a cache is maintainedto store pairs of nodes where function union has been appliedand their corresponding results from the union operations. Iflater a call to union on the same pair of nodes is made,then the cached result is returned instead of performing theexpensive union operations again.
After the union operation, if the input decision diagramsare no longer needed, their nodes can be removed by callingfunction remove on the root nodes n as follows.
1) Decrement the reference count of n by 1.2) If the reference count of n is 0, remove n from the
unique node table, then for each edge (n, i, n′) ∈outgoing(n), remove(n′).
More detailed description on multi-value decision diagramsand the commonly supported operations can be found in [17].In our method, multi-value decision diagrams are used as amechanism for storing the reachable states compactly, and thedeletion operation for individual paths is not supported as itis not needed for the above purpose.
The example in Fig. 3 shows the same set of integer triplesin Fig 2(a) and the corresponding decision diagram. Each edgeis labeled with an integer denoting the index of some localstate. In the figure, an edge may be labeled with more than oneinteger. In that case, it corresponds to multiple edges, each ofwhich is labeled with an integer. Another multi-value decisiondiagram is shown in Fig. 4(a), and the result from mergingit with the diagram shown in Fig. 3(b) by function union isshown in Fig. 4(b). It is straightforward to verify that all thepaths in diagrams in Fig. 3(b) and 4(a) are included in thediagram shown in Fig. 4(b). The resulting diagram representsa set of nine integer tuples. Note that in the shown diagrams,the labels of the nodes are not used to distinguish nodes fromdifferent diagrams, therefore nodes from different diagramswith the same labels should not be viewed as the same nodes.
C. Using Decision Diagrams in Reachability Analysis
A direct way to use the multi-value decision diagrams inthe reachability analysis shown in Algorithm 1 is to replacethe hash table for stateTable with a decision diagram. First,
(0, 0, 0)(0, 0, 1)(0, 1, 0)(0, 1, 1)(1, 1, 1)(1, 1, 2)
0 1
0, 1
1, 20, 1
1
���
���
���
���
���
(a) (b)
Fig. 3. (a) A set of integer triples, (b) The corresponding MDD representationfor the set shown in (a).
1 2
1
1, 20, 1
1
���
���
���
���
���
0 2
0, 1
1, 20, 1
1
���
���
���
���
���
1
���
���
1
0, 1, 2
(a) (b)
Fig. 4. (a) Another multi-value decision diagram, (b) The result from mergingthe MDD in Fig .4(a) and the MDD in Fig. 3(b) by the union operation.
let mdd create(~s ) be a function that takes an integer tupleand returns a multi-value decision diagram with a singlepath corresponding to ~s . Then, the code in line 16 in Al-gorithm 1 can simply be replaced with the following line.stateTable = union(stateTable, mdd create(~s ′));Directly using the decision diagrams as shown above is
simple, and can be very efficient in memory usage. However, itis not very efficient in runtime. This is due to a large number ofunion calls as one is made for every new state ~s ′. Since eachunion call can incur several operations on node creationsand checks against the unique node table, a large number ofunion calls can lead to very high overhead when the numberof reachable states is large.
To address this problem, multi-value decision trees are usedas buffers for a set of states before adding them together intothe decision diagram stateTable. The basic reason is that itis much more efficient to add a state into a decision tree.On the other hand, a decision tree generally requires morememory to store the same number of states than a decisiondiagram. In this method, a decision tree is used as a buffer.The search algorithm adds states into the decision tree first.When a sufficiently large number of states are added such thata preset memory threshold is exceeded, this decision tree iscompressed to become a decision diagram, and consequently
merged with the decision diagram pointed by stateTableby function union. This is a common idea of trading areasonable amount of memory for higher runtime efficiency.
Decision trees can be compressed into decision diagramsby function compress. This function takes a decision treerooted at node n, and performs the following operationsrecursively.
1) Create a new node n1.2) For each edge (n, i, n′) ∈ outgoing(n),
a) n′′ = compress(n′).b) Add edge (n1, i, n
′′) into outgoing(n1).3) Check if there exists an equivalent node to n1 in the
unique node table. If so, return the equivalent node;otherwise, return n1.
Basically, function compress traverses a decision tree fromthe root node, and merges all equivalent nodes.
IV. EXPERIMENTS
The multi-value decision trees and diagrams described inthis paper are implemented in a package, and integrated intoan asynchronous system verification tool Platu, an explicitmodel checker implemented in Java. Experiments have beenbeen performed on a number of examples. These examples in-clude asynchronous circuit designs from previously publishedpapers [11], [6], [18], [19], [13]. Other examples are selectedfrom the BEEM benchmark suite for explicit model checking[14]. This benchmark includes a large number of models ofcommunication protocols, mutual exclusion algorithms, etc.All the examples used in the experiments have medium or highcomplexity to show the difference in using the hash tables andthe decision diagrams.
In the experiments, all examples are ran by using the samedepth-first search algorithm but with three different waysfor storing reachable states: hash table, multi-value decisiondiagram, and multi-value decision diagram with a decisiontree as buffer to reduce runtime overhead. To have somewhatfair comparison, the model checker SPIN [10] is not usedin the experiments since SPIN is implemented in C whilePlatu is implemented in Java. It is well known that theJava applications generally have serious memory overhead.Instead, the state compression technique implemented in SPINis also implemented in Platu, and used as the base of staterepresentation for all three methods representing reachable setsof states.
Among all the examples, some have very large state space,and it can take enormous amount of time to find all reachablestates. The main purpose of using the decision diagrams forstoring reachable states is to allow much larger number ofstates to be explored in a reasonable amount of time. Hashtables can be accessed very efficiently, but usually exhaustmemory also very quickly. Therefore, for examples with smallstate space, hash tables are a better option. On the other hand,for large examples, the decision diagrams would allow eitherthe whole state space or a much larger portion of it to bestored with some extra runtime. This allows larger examplesto be handled, or improves verification coverage by exploringsignificantly more states. In all experiments, upper bounds on
time and memory are set to 900 seconds and 2 GB. Theresults collected include the actual runtime, memory usage,and the total number of reachable states found at terminationof the search algorithm. In cases of time-out or memory-out,the number of reachable states is recorded. All experiments areperformed on a iMac desktop with a Intel Quad-core processor.Only a single thread is used for all experiments.
The results are shown in Table I. The first column Columnshows the different models. The numbers enclosed in paren-thesis for the first few examples indicate the number of statevariables. Since these examples are asynchronous circuits, thetype of their state variables is boolean. The following examplesare the models of mutual exclusion algorithms from the BEEMbenchmarks [14]. The remaining columns are divided intothree groups, one for results from using each different staterepresentation. Columns under “Base” show results with thehash table is used. Columns “MDD” show the results with theMDD alone used. Finally, the columns under “MDD-Hybrid”show the results with MDD used where a decision tree isused to speed up the search. Among the five columns in eachgroup, “Time” and “Mem” show the total runtime and thepeak memory used during the search. Note that the memorynumbers include those used for storing reachable states andother necessary data structures for the search such as stacks.Column “|S|” shows the total number of states found at thetermination of the search. Note that this number shows allreachable states of an example if the run does not time out(< 900 second) and does not exhaust the allocated memory(< 2000 MB).
The first conclusion that can be drawn from the table isthat the search using a hash table is the fastest for almost allexamples. For examples with low complexity such as at.4 andfischer.3. However, using a hash table also causes the searchto exhaust 2 GB for large number of examples as shown bythe cells in the table under “Mem” filled with 2000. On theother hand, from the columns under “MDD”, the search withMDD used is significantly slower, and it times out for mostexamples. At the same time, using MDD allows more statesto be searched with less memory. Take dmeN5 as an example.using MDD causes the search to time out, but over two timesmore states are found with slightly less memory than 2 GBused. The same conclusion is also observed for anderson.8,lamport.7, and so on. For some other examples, the search withthe MDD finds less number of states due to the overhead fromconverting states into the MDDs as explained before. Finally,from the columns under “MDD-Hybrid”, the search in thismode finds much more states for almost every example withinboth limits of time and memory. This shows the effectivenessof using decision trees as buffer for the MDD representation.
To better compare these three representations, two morevalues are computed from the results for each example: searchspeed (SS) and state space density (SSD). The numbers inthe column under SS show the numbers of states found persecond. This is a rough measure of how fast the search runs.The numbers in the column under SSD show the numbers ofstates per MB of memory. This is a rough measure of theefficiency of different representations for storing states. Forboth measures, it is better and more efficient if the numbers
TAB
LE
IR
ES
ULT
SF
RO
MU
SIN
GD
IFF
ER
EN
TS
TAT
ER
EP
RE
SE
NTA
TIO
NS
ON
AS
ET
OF
AS
YN
CH
RO
NO
US
CIR
CU
ITD
ES
IGN
SA
ND
MO
DE
LS
OF
MU
TU
AL
EX
CL
US
ION
EX
AM
PL
ES.T
IME
ISIN
SE
CO
ND
S,A
ND
ME
MO
RY
ISIN
MB
S.|
S|I
ST
HE
NU
MB
ER
SO
FS
TAT
ES
FO
UN
DA
TT
HE
EN
DO
FR
EA
CH
AB
ILIT
YA
NA
LYS
IS.E
NT
RIE
SFI
LL
ED
WIT
H900
UN
DE
RT
IME
AN
D2000
UN
DE
RM
EM
IND
ICA
TE
TIM
E-O
UT
AN
DM
EM
OR
Y.C
OL
UM
NS
UN
DE
R“B
AS
E”
SH
OW
RE
SU
LTS
US
ING
HA
SH
TAB
LE
S.C
OL
UM
NS
UN
DE
R“M
DD
”S
HO
WR
ES
ULT
SU
SIN
GM
DD
S,W
HIL
ET
HO
SE
UN
DE
R“M
DD
-HY
BR
ID”
SH
OW
RE
SU
LTS
US
ING
MD
DS
CO
MB
INE
DW
ITH
DE
CIS
ION
TR
EE
SA
SB
UFF
ER
S.
Bas
eM
DD
MD
D-H
ybri
dM
odel
sTi
me
Mem
|S|
SSSS
DTi
me
Mem
|S|
SSSS
DTi
me
Mem
|S|
SSSS
Dar
bN5
(44)
4.1
5322
7472
5548
142
925.
332
2274
7242
919
7109
4.3
4522
7472
5290
050
55ar
bN7
(62)
292
2000
1258
2972
4309
262
9154
811
0913
8011
0425
184
1244
544
816
3913
8011
0430
806
8420
arbN
9(8
0)11
320
0090
5241
780
110
4526
320
2000
1589
2574
4966
479
4627
720
0018
2412
5865
853
9121
dmeN
3(3
3)2.
7749
2679
9996
751
5469
4.3
2126
7999
6232
512
762
2.4
2926
7999
1116
6692
41dm
eN4
(44)
199
1725
1569
2028
7885
490
9732
215
515
6920
2848
733
1012
3915
256
015
6920
2810
3237
2802
1dm
eN5
(55)
149
2000
1259
0803
8450
262
9590
018
8138
8233
4343
137
2064
090
020
0066
7460
0774
162
3337
3fif
oN8
(34)
119
653
3572
036
3001
754
7090
092
432
6885
036
3235
3810
268
935
7203
635
020
5184
fifoN
10(4
2)29
220
0094
8167
332
471
4741
900
301
3344
6037
211
1176
720
0013
1641
8817
163
6582
mm
u(5
5)90
015
2882
8488
592
0554
2290
075
754
9249
661
0372
5690
017
0190
5702
410
063
5325
pipe
ctrl
(50)
168
2000
1048
5516
6241
452
4337
620
0014
4447
2638
417
7222
398
2000
2208
2395
5548
311
041
tagu
nit
(48)
269
2000
3302
662
1227
816
5190
019
1925
4680
528
3013
2790
017
5226
6898
529
6615
23an
ders
on.6
141
2000
1201
3290
8520
160
0789
717
2418
2069
1720
298
1056
134
817
5118
2069
1752
319
1039
8an
ders
on.8
4120
0090
2287
922
0070
4511
187
2000
1222
2460
6536
161
1119
220
0016
1415
2584
070
8071
at.4
102
1018
6597
246
6467
964
8190
076
261
5911
468
4380
8312
216
2465
9724
654
076
4062
at.5
154
2000
1048
9013
6811
052
4590
010
2836
5188
740
5835
5290
017
5212
5812
1913
979
7181
at.6
167
2000
1010
0451
6048
250
5090
011
0936
5188
740
5832
9390
017
5211
6018
6012
891
6622
at.7
361
2000
1258
3081
3485
662
9290
050
636
5188
740
5872
1790
017
5117
6867
1219
652
1010
1ba
kery
.821
420
0017
0428
1179
639
8521
900
754
5182
0580
5757
868
728
900
1751
7668
0860
8520
143
793
driv
ing
phils
.31
1343
643
634
114
436
436
311
1443
643
631
driv
ing
phils
.420
420
0014
0398
5968
823
7020
900
576
5217
462
5797
9058
900
1752
2867
2594
3185
816
366
driv
ing
phils
.578
2000
3599
664
4615
018
0090
052
022
6854
025
2143
6323
017
5035
9966
315
651
2057
fisch
er.3
5240
928
9670
555
706
7082
900
329
2363
979
2627
7185
6689
728
9670
543
889
3229
fisch
er.4
2534
212
7225
450
890
3720
471
461
1272
254
2701
2760
4711
3512
7225
427
069
1121
fisch
er.5
340
2000
1078
0321
3170
753
9090
055
225
0549
827
8445
3990
017
5251
9954
457
7729
68fis
cher
.629
920
0082
3731
627
550
4119
900
533
2022
330
2247
3794
900
1751
3811
183
4235
2177
fisch
er.7
365
2000
1063
3261
2913
253
1790
049
727
1750
630
1954
6890
017
5279
9679
088
8545
64la
mpo
rt.5
1013
510
6679
910
6680
7902
1951
1066
799
5614
720
918
10.2
110
1066
799
1045
8896
98la
mpo
rt.6
111
519
519
471
1451
951
937
112
519
519
43la
mpo
rt.7
252
2000
1807
5514
7172
890
3890
031
033
9540
9537
727
1095
2949
717
5138
7178
4577
903
2211
2la
mpo
rt.8
111
5050
51
1150
505
111
5050
5m
cs.5
127
2000
1204
1513
9481
560
2190
018
0115
1066
9416
785
8388
363
2000
2301
5234
6340
311
508
pete
rson
.411
147
1119
559
1017
7876
1621
6811
1955
953
312
1646
411
161
1119
559
1017
7869
54pe
ters
on.5
109
2000
1258
3035
1154
4162
9272
720
0023
9986
6333
011
1199
951
720
0042
2004
0381
626
2110
0pe
ters
on.6
8820
0011
1106
3912
6257
5555
486
2000
1382
0828
2843
869
1030
920
0023
8972
9777
338
1194
9pe
ters
on.7
222
2000
1597
5060
7196
079
8890
069
211
9574
6213
286
1728
090
017
5264
0623
6671
180
3656
5ph
ils.6
*2.
515
924
1660
9666
415
2014
141
2416
6017
261
1714
461
724
1660
6041
539
2ph
ils.7
4420
0069
2703
615
7433
3464
900
1715
1025
3596
1139
359
7926
120
0010
4861
7740
177
5243
phils
.87.
243
791
4351
1269
9320
9214
437
391
4351
6350
2451
1317
0791
4351
7033
553
6sz
yman
ski.4
20.4
282
2313
863
1134
2582
0546
7823
1386
350
301
2966
521
204
2313
863
1101
8411
342
szym
ansk
i.515
520
0015
9086
5510
2636
7954
900
527
4852
6313
5391
892
080
867
1751
7951
4858
9171
345
411
Ave
rage
6987
552
2022
155
1626
949
263
1071
2
are larger. The averages of these two measurements are shownin the last row for every group. From the average numbers, itcan be seen alternatively that using the hash tables leads to thehighest search speed but the least memory efficiency. UsingMDD alone leads to the highest memory efficiency, but it isthe slowest to use. The MDD with the decision tree bufferingachieves good balance between runtime and memory as it isslight slower than using hash tables, and slightly less memoryefficient than using the MDDs alone. This good balance allowsthe search to find much more states for many examples. Takeszymamski.5 as an example, the search exceeds the memorylimits by finding a little over 15 million states when the hashtable is used, while the search runs out of time after findingabout 2 times more states with only 527 MB memory usedwhen the MDDs alone are used. However, the MDDs withbuffering allow all reachable states to be found under bothtime and memory limits.
From the experiments, for examples that take long time torun for the search using hash tables, using the MDDs wouldlead to less number of states to be found as it is more expensiveto use the MDDs even with faster buffering techniques. Onthe other hand, for examples that have large state space,the MDDs are much more efficient. Furthermore, bufferingseems a very promising approach for handling larger designs.Since the MDDs implemented in Platu are not intensivelyoptimized, there might be more potential for making themeven more efficient. Meanwhile, it would be interesting toinvestigate if using the existing BDD packages such as CUDD[16] could bring more efficiency as they commonly supportvariable recording, which is well known critical for efficiencyand compactness of BDD representations.
One last point to note is that in the work described in thispaper, these different approaches are experimented to find outhow states can be stored efficiently. The depth-first searchalgorithm itself remains the same. This indicates that partialorder reduction can be naturally integrated with the MDDsto allow much larger designs to be handled. However, partialorder reduction is not used in this paper.
V. CONCLUSION
This paper shows how the multi-value decision diagramsare used to store reachable states efficiently and compactly,which allows larger designs to be verified, or more statesto be explored thus improving the verification coverage. Byusing the decision trees as a buffering technique, the overheadof using the multi-value decision diagrams is significantlyreduced. In the future, it is interesting to find out how thebinary decision diagrams compare against the multi-valuedecision diagrams in the same context. Moreover, combiningthe decision diagrams and partial order reduction will also beinvestigated.
REFERENCES
[1] J. Ahrens. A compositional approach to asynchronous design verificationwith automated state space reduction. Master’s thesis, Univ. of SouthFlorida, 2007.
[2] G. Brat, K. Havelund, S. Park, and W. V. Java. Pathfinder c a secondgeneration of a java model-checker. In Workshop on Advances inVerification, 2000.
[3] R. E. Bryant. Symbolic Boolean manipulation with ordered binary-decision diagrams. ACM Computing Surveys, 24(3):293–318, 1992.
[4] J. Burch, E. Clarke, D. Long, K. McMillan, and D. Dill. Symbolicmodel checking for sequential circuit verification. IEEE Transactions onComputer-Aided Design of Integrated Circuits and Systems, 13(4):401–424, 1994.
[5] C.Baier and J.-P.Katoen. Principles of Model Checking. MIT Press,2008.
[6] D. Dill. Trace Theory for Automatic Hierarchical Verification of SpeedIndependent Circuits. PhD thesis, Carnegie Mellon University, 1988.
[7] E.M.Clarke, O.Grumberg, and D.Peled. Model Checking. MIT Press,2000.
[8] G.J.Holzmann and D.Peled. An improvement in formal verification. Inroc. Seventh FORTE Conf. Formal Description Techniques, 1994.
[9] P. Godefroid. Partial-Order Methods for the Verification of ConcurrentSystems: An approach to the State-Explosion Problem. PhD thesis,University of Liege, 1995.
[10] G. J. Holzmann. The model checker SPIN. Software Engineering,23(5):279–295, 1997.
[11] A. J. Martin. Self-timed fifo: An exercise in compiling programs intovlsi circuits. Technical Report 1986.5211-tr-86, California Institute ofTechnology, 1986.
[12] T. Murata. Petri nets: Properties, analysis, and applications. InProceedings of the IEEE 77(4), pages 541–580, 1989.
[13] C. J. Myers. Computer-Aided Synthesis and Verification of Gate-LevelTimed Circuits. PhD thesis, Stanford University, 1995.
[14] R. Pelanek. Beem: Benchmarks for explicit model checkers. In Proc.of SPIN Workshop, volume 4595 of LNCS, pages 263–267. Springer,2007.
[15] R.A.Thacker, K.R.Jones, C.J.Myers, and H. Zheng. Automatic abstrac-tion for verification of cyber-physical systems. In 1st InternationalConference on Cyber-Physical Systems, 2010.
[16] F. Somenzi. Cudd: Cu decision diagram package.[17] A. Srinivasan, T. Ham, S. Malik, and R. Brayton. Algorithms for discrete
function manipulation. In Proceedings of Computer-Aided Design,1990. ICCAD-90. Digest of Technical Papers., 1990 IEEE InternationalConference on, pages 92–95, Nov 1990.
[18] K. Stevens, R. Ginosar, and S. Rotem. Relative timing. In Proc. In-ternational Symposium on Advanced Research in Asynchronous Circuitsand Systems, pages 208–218, 1999.
[19] T. Yoneda and T. Yoshikawa. Using partial orders for trace theoreticverification of asynchronous circuits. In Proc. of Second InternationalSymposium on Advanced Research in Asynchronous Circuits and Sys-tems, pages 152–163, 1996.