47 citations found.
E. M. Clarke and O. Grumberg. Avoiding the state explosion problem in temporal logic model checking algorithms. In Proceedings of the 6th ACM Symposium on Principles of Distributed Computing, pages 294--303, August 1987.


This paper is cited in the following contexts:
Five Ways to Use Induction and Symmetry in the Verification.. - Calder, Miller (2002)

....an invariant. In [27] it is shown that, for rings of token passing processes, there exists a k such that the correctness of a ring with k processes implies the correctness of rings of arbitrary size. Extensions to these early results, when a (non trivial) environment process is involved, include [18, 31, 32, 5, 47, 1]. In [44] techniques are presented to automate the construction of abstractions of systems of identical components. An extension of this abstraction technique is implemented within the Murφ verification system [21]. Similarly a fully automated approach for verifying parameterized networks with ....

E.M. Clarke and O. Grumberg. Avoiding the state explosion problem in temporal logic model checking algorithms. In Proc. PODC '87, pp. 294-303, 1987. ACM Press.


Scheduling Workflows by Enforcing Intertask Dependencies - Attie, Singh, Emerson.. (1996)   (8 citations)

....product of the individual automata (ADs) that each enforce a single dependency. However, if there are m individual automata each roughly of size N, then the product automaton has size of the order of $N^m$. This is intractable for all but the smallest m. We avoid this state explosion problem [7], by coordinating the relevant individual automata at run time rather than building a static (and exponentially large) product at compile time, using techniques similar to those of [2]. Although the worst case time complexity is still exponential, we have reason to believe that in many interesting ....

E. Clarke and O. Grumberg, "Avoiding the State Explosion Problem in Temporal Logic Model Checking Algorithms," Proceedings of the 6th Annual ACM Symposium on Principles of Distributed Computing, pp. 294--303, Vancouver, Canada, August 1987.


Verifying Temporal Properties without Temporal Logic - Schneider, Alpern (1988)   (23 citations)

....although this might be viewed as an asset since the proof instruments can give insight into why a program works. However, proponents of the model checking approach have made progress in weakening the finite state assumption so that it applies only to certain key parts of the program [Clarke Grumberg 87] [Sistla German 87]. The first Buchi automaton based method for extracting first order proof obligations for temporal properties was proposed by us in [Alpern Schneider 85] [Alpern 86]. That work applied to those properties that can be specified using a single deterministic Buchi ....

Clarke, E.M. and O. Grumberg. Avoiding the state explosion problem in temporal logic model checking algorithms. Proc. of the 6th ACM SIGACT-SIGOPS Symposium on Principles of Distributed Computing, Vancouver, British Columbia, Canada, August 1987, 294-303.


Verifying Temporal Properties without Temporal Logic - Alpern, Schneider (1989)   (23 citations)

.... in the terminology of this paper, the method requires the program prover to exhibit an invariant I and a variant function v. However, proponents of the model checking approach have made progress in weakening the finite-state assumption so that it applies only to certain key parts of the program [4, 32]. ACM Transactions on Programming Languages and Systems, Vol. 11, No. 1, January 1989. 164 B. Alpern and F. B. Schneider satisfying AS1: For all x JS( H) x ( qo x Initn) x I; AS2: For all x, y JS( II) x y y I; and AS3: For all x, y JS( II) x y (Pos(y) V v(y) v(x) AS1 and ....

CLARKE, E. M., AND GRUMBERG, O. Avoiding the state explosion problem in temporal logic model checking algorithms. In Proceedings of the 6th ACM SIGACT-SIGOPS Symposium on Principles of Distributed Computing (Vancouver, B.C., Canada, Aug.,


A Model Checker for Linear Time Temporal Logic - Fisher (1992)   (4 citations)

....of the present state) Though both of these are constant for varying formulae, models are often quite large (see It should be noted that much of the paper by Lichtenstein and Pnueli is devoted to extending this simple algorithm to handle the checking of fairness properties. Clarke et al. [CG87]) For example, state machines often contain more than 100 states while such states rarely have more than 10 successors. Thus, even for this simple example, an order of magnitude saving in time is possible. Obviously, though optimisation seems possible for such simple examples, any method taking ....

....the whole state machine must be constructed every time a formula is checked. In real applications of model checking, e.g. SMG [GB88], MCB [Bro86] and Hardware verification [BCDM84], the space consumed by the checking procedure during model checking is important. In fact, research is under way [CG87, Ban87] to reduce the size of the state machines that are checked at any one time. Thus, for some specific problems, the standard model checking algorithm is time inefficient and for many other problems it is very space inefficient. This leads us to describe some of the possible solutions to defects ....

[Article contains additional citation context not shown here]

E. M. Clarke and O. Grumberg. Avoiding the State Explosion Problem in Temporal Logic Model Checking Algorithms. Technical report, Department of Computer Science, Carnegie Mellon University, 1987.


Parametrized Evaluation Of Temporal Logic Formulae - Haddad, Vernier (1993)

....of a program [Emerson90]. However parallel algorithms usually involve a finite but unknown number of processes. Thus the usual verification methods are no more applicable if one wants a parametrized verification. So different approaches have been developed to overcome this problem. In [Clarke87], the basic idea is to find a sufficient number of processes in order to have the full behaviour of the algorithm. Then the usual verification methods are applied. However the search of the correct number is partially automatic. In [Sistla87] automatic verifications are obtained by restricting ....

....verifications are obtained by restricting either the model, or the formulae language. In [Wolper89] an alternative approach is proposed where induction on formulae is used to verify a given invariant. In this paper we present a model for parametrized parallel computations close to the one of [Clarke87]: this model is composed by two synchronized automata one of which represents the behaviour of the processes and the other one the behaviour of the control. The semantics of this model is given for any fixed number of processes. Then we directly build a parametrized graph where each state ....

Clarke E.M., Grumberg O., Avoiding The State Explosion Problem in Temporal Logic Model Checking Algorithms, Proc. 6th ACM Symposium on Principles of Distributed Computing, Vancouver, British Columbia, August 1987, pages 294-303.


Ameliorating the State Space Explosion Problem - Namjoshi (1998)   (3 citations)

....verification is undecidable, specifically co-RE. Among related work, [AK 86, Suzuki 88] show that the problem of automatically checking a specification for every instance of a parameterized system is in general undecidable. Positive results include those of Clarke, Grumberg and Browne [CG 87, BCG 89]; however, their method requires the manual construction of bisimulations or that of a closure process which represents computations of an arbitrary number of processes. [KM 89] and [WL 89] introduce the related notion of a process invariant. All these methods rely on human ingenuity to ....

.... All of them, however, possess certain limitations, which is perhaps not surprising since the PMCP is undecidable in general (cf. [AK 86], [Suzuki 88]). Many of these methods are only partially automated, requiring human ingenuity to construct, e.g. a process invariant or a closure process (cf. [CG 87, BCG 89, KM 89, WL 89]). Some could be fully automated but do not appear to have a clearly defined class of protocols on which they are guaranteed to succeed (cf. [SG 89], [Vernier 93], [CGJ 95]). Abstract graphs (for asynchronous systems) are considered in [ESr 90] for synthesis, [Vernier 93] ....

[Article contains additional citation context not shown here]

Clarke, E. M., Grumberg, O. Avoiding the State Explosion Problem in Temporal Logic Model Checking Algorithms, PODC 1987.


Reducing Model Checking of the Many to the Few - Emerson, Kahlon (2000)   (10 citations)

....it caters for partial automation, the completeness of the method is not established, and it is not clear that it can be made fully automatic. A semi automated method requiring construction of a closure process which represents computations of an arbitrary number of processes is described in [4]; it is shown that, if for some k, $C \parallel U^k$ is appropriately bisimilar to $C \parallel U^{k+1}$, then it suffices to check instances of size at most k to solve the PMCP. But it is not shown that such a cutoff k exists, and the method is not guaranteed to be complete. Kurshan and McMillan [14] introduce the ....

E.M. Clarke and O. Grumberg. Avoiding the State Explosion Problem in Temporal Logic Model Checking Algorithms. In Proceedings of the Sixth Annual ACM Symposium on Principles of Distributed Computing, pages 294-303, 1987.


Automatic Verification of Parameterized Synchronous Systems - Emerson, Namjoshi (1996)   (24 citations)

.... All of them, however, possess certain limitations, which is perhaps not surprising since the PMCP is undecidable in general (cf. [AK 86], [Su 88]). Many of the methods are only partially automated, requiring human ingenuity to construct, e.g. a process invariant or closure process (cf. [CG 87], [BCG 89], [KM 89], [WL 89]). Some could be fully automated but do not appear to have a clearly defined class of protocols on which they are guaranteed to succeed (cf. [ShG 89], [V 93], [CGJ 95]). Abstract graphs (for asynchronous systems) were considered in [ESr 90] for synthesis, [V 93] for ....

.... fully automated but do not appear to have a clearly defined class of protocols on which they are guaranteed to succeed (cf. [ShG 89], [V 93], [CGJ 95]). Abstract graphs (for asynchronous systems) were considered in [ESr 90] for synthesis, [V 93] for automatic but incomplete verification, and in [CG 87] where they are called process closures. Interestingly, [CG 87] show (in our notation) that if, for some k, $C \parallel U^k \parallel A$ is appropriately bisimilar to $C \parallel U^{k+1} \parallel A$, then it suffices to model check instances of size at most k to solve the PMCP. However, they do not show that such a cutoff k ....

[Article contains additional citation context not shown here]

Clarke, E.M., Grumberg, O. Avoiding the State Explosion Problem in Temporal Logic Model Checking Algorithms, PODC 1987.


Verification of a Parameterized Bus Arbitration Protocol - Emerson, Namjoshi (1998)   (1 citation)

....and semi algorithmic procedures to verify parameterized systems. The general problem is known to be undecidable [AK 86]; however, algorithms exist for specific types of systems (cf. [GS 92, EN 95, EN 96]) and semi algorithmic procedures have been proposed to deal with general systems (cf. [CG 87, SG 89, KM 89, WL 89, PD 95, CGJ 95]). We present here a case study on the verification of an industrial standard parameterized protocol. The protocol is called the SAE J1850 protocol [SAE 92] and is an automobile industry standard for transmitting data between various sensors and controllers in ....

....of parameterized systems is often done by hand, or with the guidance of a theorem prover (cf. [MC 88, MP 94, HS 96]). Several methods have been proposed that, to various degrees, automate this verification process. Methods based on manual construction of a process invariant are proposed in [CG 87, SG 89, KM 89, WL 89, LSY 94] and have been applied for the verification of the Gigamax cache consistency protocol in [McM 92]. These constructions have been partially automated in [RS 93, CGJ 95] (cf. [V 93, PD 95, ID 96]); however, as the general problem is undecidable [AK 86] it is not in ....

Clarke, E. M., Grumberg, O. Avoiding the State Explosion Problem in Temporal Logic Model Checking Algorithms, PODC 1987.


Reasoning about Rings - Emerson, Namjoshi (1995)   (31 citations)

....specifically co-RE. 7 Related Work and Conclusions. Among related work, [AK 86, Su 88] show that the problem of automatically checking a specification for every instance of a parameterized system is in general undecidable. Positive results include those of Clarke, Grumberg and Browne [CG 87, BCG 89]; however, their method requires the manual construction of bisimulations or that of a closure process which represents computations of an arbitrary number of processes. [KM 89] and [WL 89] introduce the related notion of a process invariant. All these methods rely on human ingenuity to ....

Clarke, E. M., Grumberg, O. Avoiding the State Explosion Problem in Temporal Logic Model Checking Algorithms, PODC 1987.


Formal Verification Of Parameterized Protocols On Branching Networks - Jones (2001)   (1 citation)

....node systems. The two node system is verified using a CTL model checking algorithm, such as [17]. Unfortunately, showing bisimulation requires building the state graph of the two node system. The size of the state graph grows exponentially in the size of the transition system. Clarke and Grumberg [18] address this problem through the construction of a closure process. In this method, the user creates a closure process P# so that the product of an n node system with P# bisimulates the product of an n+1 node system with P#. A polynomial algorithm is given for showing bisimulation between ....

....Net [21]. Each edge is labeled with a vector. In a VASS representing a parameterized system, the ith entry of a vector label has value a if a nodes are in state i. A model checking algorithm for PTL formulae on VASS models is developed and extended to include certain liveness properties. Both [18] and [15] consider only linear network topologies. Shtadler and Grumberg [22] give an inductive argument for topologies generated by a context free network grammar. In a network grammar, the terminals represent primitive network elements and the productions combine the primitives to form ....

E.M. Clarke and O. Grumberg, "Avoiding the state explosion problem in temporal logic model checking algorithms," in ACM Symposium on Principles of Distributed Computing. ACM, August 1989, pp. 294--303.


Verification of a Parameterized Bus Arbitration Protocol - Emerson, Namjoshi (1998)   (1 citation)

....is to develop algorithms and semi algorithmic procedures to verify parameterized systems. The general problem is known to be undecidable [AK 86]; however, algorithms exist for specific types of systems (cf. [GS 92], [EN 95], [EN 96]) and many semi algorithmic procedures have been proposed (cf. [CG 87], [SG 89], [KM 89], [WL 89], [PD 95], [CGJ 95]). We present a case study on the verification of a parameterized industrial standard protocol. The protocol is called the SAE J1850 protocol [SAE 92] and This work was supported in part by NSF grant CCR 941 5496 and SRC Contract 97 DP 388. The ....

....of parameterized systems is often done by hand, or with the guidance of a theorem prover (cf. [MC 88], [MP 94], [HS 96]). Several methods have been proposed that, to various degrees, automate this verification process. Methods based on manual construction of a process invariant are proposed in [CG 87], [SG 89], [KM 89], [WL 89], [LSY 94] and have been applied for the verification of the Gigamax cache consistency protocol in [McM 92]. These constructions have been partially automated in [RS 93], [CGJ 95] (cf. [V 93], [PD 95], [ID 96]); however, as the general problem is undecidable [AK 86] it ....

Clarke, E. M., Grumberg, O. Avoiding the State Explosion Problem in Temporal Logic Model Checking Algorithms, PODC, 1987.


Reasoning about Rings - Emerson, Namjoshi (1995)   (31 citations)

....undecidable, specifically co-RE. 7 Related Work and Conclusions. Among related work, [AK 86, Su 88] show that the problem of automatically checking a specification for every instance of a parameterized system is in general undecidable. Positive results include those of Clarke, Grumberg and Browne [CG 87, BCG 89]; however, their method requires the manual construction of bisimulations or that of a closure process which represents computations of an arbitrary number of processes. [KM 89] and [WL 89] introduce the related notion of a process invariant. All these methods rely on human ingenuity ....

Clarke, E. M., Grumberg, O. Avoiding the State Explosion Problem in Temporal Logic Model Checking Algorithms, PODC 1987.


Model Checking A Parameterized Directory-based Cache.. - Emerson, German..

....the correctness of the original protocol therefrom. The appendix also carries a brief description of the hand proof of the protocol. 2 Related Work. The general problem of verifying systems with replicated components is known to be undecidable [13, 11]. Some induction based approaches proposed in [14, 5, 6, 19] for verifying particular classes of problems require an invariant process or a network invariant. The generation of such invariants is non trivial and its automation is restricted and expensive [17, 1, 18, 11]. The idea of exploiting symmetry to reduce the size of the state space in automatic ....

E.M. Clarke and O. Grumberg. Avoiding the state explosion problem in temporal logic model checking algorithms. In Proceedings of the 6th Annual ACM Symposium on Principles of Distributed Computing, 1987.


Symbolic Executions of Symmetrical Parallel Programs - Vernier (1996)

....may have a particular behavior. The problem is to find the abstraction. One cannot always decide the existence of an abstraction. It depends on the set of possible abstractions we consider. In [15] the set is finite therefore the method fails if it does not find one abstraction in the set. In [1, 4, 9, 14, 19], the set of possible abstractions is not limited. The methods that are described in [4, 9, 19] are not fully automated. In [8] only properties that refer to the behavior of a single process can be verified. All these methods do not allow to represent reachable states and execution sequences of ....

....the existence of an abstraction. It depends on the set of possible abstractions we consider. In [15] the set is finite therefore the method fails if it does not find one abstraction in the set. In [1, 4, 9, 14, 19] the set of possible abstractions is not limited. The methods that are described in [4, 9, 19] are not fully automated. In [8] only properties that refer to the behavior of a single process can be verified. All these methods do not allow to represent reachable states and execution sequences of the instantiated programs. They give no intermediate results if it is impossible to build the ....

Clarke E.M., Grumberg O., "Avoiding The State Explosion Problem in Temporal Logic Model Checking Algorithms", Proceedings of the 6th ACM Symposium on Principles of Distributed, Vancouver, British Columbia, pp 244-303, 1987.


Algoritmos de Satisfactibildad y Model-Checking para la.. - Kemme

....of transitions has a size exponential in the number of synchronization variables and in the domains of these variables. Often it is even impossible to hold the whole graph in memory. For this reason, techniques have been developed to compress and decompose the transition graph ([CGB86, CG87]). In [BCDM86], Browne modifies the algorithm of Clarke, Emerson and Sistla so that it can work with graphs whose transitions are labeled with conditions. To apply the original algorithm, one needs a graph that realizes the conditions by adding a separate state for each combination ....

E. M. Clarke, O. Grumberg. Avoiding the state explosion problem in temporal logic model checking algorithms. Technical report, Department of Computer Science, Carnegie Mellon University, 1987.


Verifying an infinite family of inductions simultaneously.. - Creese, Roscoe   (1 citation)

....paper is not quite the CSP standard one of [9, 14]. We remark that this provides a completely different combination of data independence and induction to the one we will shortly describe. Other approaches for proving properties of systems of arbitrary size have included the use of temporal logic [1, 2, 8, 16]. Just because a property is true of all the systems constructed by a set of structural rules does not guarantee that it can be proved inductively. Ideas such as strengthening the hypothesis frequently help, but can require considerable ingenuity. The main limitation on this method is that it can ....

E.M. Clarke and O. Grumberg, Avoiding The State Explosion Problem In Temporal Logic Model Checking Algorithms, Proceedings of the 6th Annual ACM Symposium on Principles of Distributed Computing, Vancouver, Canada, August 1987.


Verifying an infinite family of inductions simultaneously.. - Creese, Roscoe (1999)   (1 citation)

....paper is not quite the CSP standard one of [9, 14]. We remark that this provides a completely different combination of data independence and induction to the one we will shortly describe. Other approaches for proving properties of systems of arbitrary size have included the use of temporal logic [1, 2, 8, 16]. Just because a property is true of all the systems constructed by a set of structural rules does not guarantee that it can be proved inductively. Ideas such as strengthening the hypothesis frequently help, but can require considerable ingenuity. The main limitation on the induction method, ....

E.M. Clarke and O. Grumberg, Avoiding The State Explosion Problem In Temporal Logic Model Checking Algorithms, Proceedings of the 6th Annual ACM Symposium on Principles of Distributed Computing, Vancouver, Canada, August 1987.


Identical Tasks and Counter Variables in an Integer.. - James Corbett.. (1993)   (3 citations)

.... of variables (e.g. register values transformed by an ALU) have been represented very efficiently using BDDs [3] and a different technique for analyzing systems with counters is given in [13]. Systems with an arbitrary number of identical tasks have been verified using analyst specified closures [5] or more recently by a fully automatic technique described in [10]. Both of these techniques use a form of induction to prove properties of systems with an arbitrary number of identical tasks. While our technique can only prove properties of a system with a specific number of copies (i.e. K must ....

E. M. Clarke and O. Grumberg. Avoiding the state explosion problem in temporal logic model checking algorithms. In Proceedings of the Sixth Annual ACM Symposium on the Principles of Distributed Computing, pages 294--303, 1987.


Synthesis of Concurrent Systems with Many Similar Processes - Attie, Emerson (1998)   (5 citations)

....programs (with respect to a specification expressed in some temporal logic) that exploit process similarity are presented. Clarke et al. [1986] require the manual construction of a bisimulation between the two process and K process programs, and their method is therefore not completely mechanical. Clarke and Grumberg [1987] attempt to automate the method of Clarke et al. [1986] but require an intermediate construction that is exponentially large in the size of a single process. The method is also incomplete in the same sense that ours is: there is no guarantee that the required technical assumptions will be ....

Clarke, E. M. and Grumberg, O. 1987. Avoiding the state explosion problem in temporal logic model checking algorithms. In Proceedings of the 6th Annual ACM Symposium on Principles of Distributed Computing. ACM, New York, 294--303.


An Improved Search Strategy for Lossy Channel Systems - Abdulla, Kindahl, Peled (1997)   (4 citations)

....states fall beyond their capabilities. Recently, algorithmic verification methods have been developed for some classes of infinite state systems, such as certain types of real time systems that operate on clocks [5, 32, 25], data independent systems [24, 34], systems with many identical processes [13, 17, 29], context free processes [10, 12, 11], relational automata [33] and Petri nets [23]. A particular class of infinite state systems which has been important in the analysis of e.g. communication protocols consists of finite state processes that communicate via unbounded FIFO channels [8, 7]. Such ....

E. M. Clarke and O. Grumberg. Avoiding the state explosion problem in temporal logic model checking algorithms. In Proc. 6th ACM Symp. on Principles of Distributed Computing, Vancouver, Canada, pages 294--303, 1987.


On the Complexity of Verifying Concurrent Transition Systems - Harel, Kupferman, Vardi (1997)   (9 citations)

....[VW94, BVW94]. Hence, in the worst case we might need to traverse the exceedingly large state space introduced by the parallel composition. Coping with the state explosion problem is one of the most important issues in computer aided verification and is the subject of much active research (cf. [CG87, BCM 90]). What about implementation-specification verification? Is the state explosion problem unavoidable there too? This is the subject of our work. We first describe implementation-specification verification in more detail. Consider an implementation and a specification. Both describe ....

E.M. Clarke and O. Grumberg. Avoiding the state explosion problem in temporal logic model-checking algorithms. In Proc. 6th ACM Symposium on Principles of Distributed Computing, pages 294--303, Vancouver, British Columbia, August 1987.


A Colored Petri Net-based Approach to the Design of.. - Makungu, St-Denis, Barbeau (1996)

....particularly in representing large systems consisting of numerous similar interacting components. Even though the computational complexity can be polynomial in the number of system states, it grows exponentially with the number of components. This phenomenon, called the state explosion problem [2], can be 1 The research described in this paper was supported in part by the Natural Sciences and Engineering Research Council of Canada (NSERC) and the Fonds pour la formation de chercheurs et l'aide à la recherche (FCAR) overcome by partitioning the components into a small number of ....

E. M. Clarke and O. Grumberg, "Avoiding the state explosion problem in temporal logic model checking algorithms," Proceedings of the Sixth Annual ACM Symposium on the Principles of Distributed Computing, 1987, 294-303.


Automatic Verification of Parameterized Synchronous Systems.. - Emerson, al. (1996)   (24 citations)

.... All of them, however, possess certain limitations, which is perhaps not surprising since the PMCP is undecidable in general (cf. [AK 86], [Su 88]). Many of the methods are only partially automated, requiring human ingenuity to construct, e.g. a process invariant or closure process (cf. [CG 87], [BCG 89], [KM 89], [WL 89]). Some could be fully automated but do not appear to have a clearly defined class of protocols on which they are guaranteed to succeed (cf. [ShG 89], [V 93], [CGJ 95]). Abstract graphs (for asynchronous systems) were considered in [ESr 90] for synthesis, [V 93] for ....

.... fully automated but do not appear to have a clearly defined class of protocols on which they are guaranteed to succeed (cf. [ShG 89], [V 93], [CGJ 95]). Abstract graphs (for asynchronous systems) were considered in [ESr 90] for synthesis, [V 93] for automatic but incomplete verification, and in [CG 87] where they are called process closures. Interestingly, [CG 87] show (in our notation) that if, for some k, $C \parallel U^k \parallel A$ is appropriately bisimilar to $C \parallel U^{k+1} \parallel A$, then it suffices to model check instances of size at most k to solve the PMCP. However, they do not show that such a cutoff k ....

[Article contains additional citation context not shown here]

Clarke, E.M., Grumberg, O. Avoiding the State Explosion Problem in Temporal Logic Model Checking Algorithms, PODC 1987.


A Colored Petri Net-Based Formal Method for the Design.. - Makungu, St-Denis..

....particularly in representing large systems consisting of numerous similar interacting components. Even though the computational complexity can be polynomial in the number of system states, it grows exponentially with the number of components. This phenomenon, called the state explosion problem [1], can be overcome by partitioning the components into a small number of equivalence classes so that all components in a given class are essentially similar. This paper makes a contribution in this direction and presents an algorithm that reduces the complexity of the supervisory control problem ....

E. M. Clarke and O. Grumberg, "Avoiding the state explosion problem in temporal logic model checking algorithms," Proceedings of the Sixth Annual ACM Symposium on the Principles of Distributed Computing, 1987, 294-303.


A Partial Approach to Model Checking - Godefroid, Wolper (1994)   (99 citations)

.... [CES86, EL85b, EL85a, Bro86] and temporal calculi [EL86, Var88, Cle90, SW89]. It has been extended to probabilistic [Var85, PZ86, VW86, CY90] as well as real-time programs and logics [ACD90, AH90, HLP90]. It has been adapted to programs containing arbitrary numbers of identical processes [CGB86, CG87, GS87, WL89, KM89]. Methods for making it applicable to very large systems have been investigated [BCM 90, CMB90, CVWY90, GS90]. Moreover, the results from its experimental use have been very encouraging [RRSV87, BCD85]. What more can be said about it? In spite of all its success, almost all ....

E. M. Clarke and O. Grumberg. Avoiding the state explosion problem in temporal logic model-checking algorithms. In Proc. 6th ACM Symposium on Principles of Distributed Computing, pages 294--303, Vancouver, British Columbia, August 1987.


Alternating Automata: Checking Truth and Validity for Temporal.. - Vardi (1997)   (4 citations)

....check that the propositional temporal logic formula that specifies that behavior is true in the program, modeled as a finite Kripke structure; in other words, the program has to be a model of the formula. Hence the name model checking for the verification methods derived from this viewpoint (see [CG87, Wol89, CGL93]) though we prefer to use the term truth checking in this paper. Note that the formula that specifies the desired behavior clearly should be neither valid nor unsatisfiable, which entails that a computer aided verification system has to have the capacity for validity checking in addition to truth ....

E.M. Clarke and O. Grumberg. Avoiding the state explosion problem in temporal logic model-checking algorithms. In Proc. 6th ACM Symposium on Principles of Distributed Computing, pages 294--303, Vancouver, British Columbia, August 1987.


Decidability of Simulation and Bisimulation between Lossy.. - Abdullah, al.

....Related Work. Algorithmic verification methods have recently been developed for several classes of infinite state systems. Examples include certain types of real time systems that operate on clocks [ACD90, Yi91, C92], data independent systems [JP93, Wol86], systems with many identical processes [CG87, GS92, SG90], context free processes [BS92, CHS92, CHM93] and Petri nets [Jan90]. Considerable attention has been paid to the problem of analyzing systems that communicate over perfect unbounded FIFO channels. All interesting verification problems for these systems are in general ....

E. M. Clarke and O. Grumberg. Avoiding the state explosion problem in temporal logic model checking algorithms. In Proc. 6th ACM Symp. on Principles of Distributed Computing, Vancouver, Canada, pages 294--303, 1987.


Algorithmic Analysis of Programs with Well Quasi-Ordered.. - Abdulla, Cerans, al. (2000)   (8 citations)  (Correct)

....resulted in numerous highly nontrivial algorithms for the verification of different classes of such systems. Examples include timed automata [ACD90, AH89, C92a] hybrid automata [Hen95] relational automata [BBK77, C92b, C94] Petri nets [Jan90, JM95] systems with many identical processes [CG87, PP92] and lossy channel systems [AJ93, AK95] As the interest in this area increases, it will be important to extract common principles that underlie these and related results. Our goal is to develop general mathematical structures which could serve as sufficient conditions for achieving ....

E. M. Clarke and O. Grumberg. Avoiding the state explosion problem in temporal logic model checking algorithms. In Proc. 6th ACM Symp. on Principles of Distributed Computing, Vancouver, Canada, pages 294--303, 1987.


Exploiting Symmetry for Analysis of Distributed Systems - Garg   (Correct)

....the network with a large number of processes. However, the step of establishing the correspondence is manual and could be difficult enough to defeat the original purpose of avoiding manual analysis. Our aim in this research is to minimize human involvement during the analysis. In their later paper[Clarke 87] they define a notion of closure of a process P denoted as P . Using this notion, they show that if two systems with r and r 1 processes are equivalent under P , then any system containing more than r processes will also be equivalent for formulas expressed in ICTL. Again, the process of ....

E.M. Clarke, O. Grumberg, "Avoiding The State Explosion Problem in Temporal Logic Model Checking Algorithms," Proc. Symposium on Principles of Distributed Computing, 1987 pp 294-303.


On-The-Fly Verification Of Finite Transition Systems - Jard, Jéron, Fernandez.. (1993)   (1 citation)  (Correct)

....= 4 Claude Jard, Thierry Jéron, Jean Claude Fernandez et Laurent Mounier 10 Gamma4 seconds, and trees are binary trees, the time needed is in the order T 6 minutes. In order to master the state explosion, different complementary works have been conducted to reduce the size of the graph [5, 30, 3, 12, 13, 11]. Obviously, reduction must be performed during the graph generation. The other constraint is that the validity of properties to be verified must not be changed. For that reason, we do not consider simulation methods which provide only partial verification [32, 27, 21, 17] 1.3 State of the art ....

E.M. Clarke and O. Grumberg. Avoiding the state explosion problem in temporal logic model checking algorithms. 6th ACM SIGACT-SIGOPS Symposium on Principles of Distributed Computing, Vancouver, Canada, 1987.


Verifying Systems with Replicated Components in Murφ - Ip, Dill (1996)   (49 citations)  (Correct)

....of verifying systems with replicated components is known to be undecidable [AK86, GS92] A number of approaches has been proposed for verifying particular classes of problems. Some of them use induction over the replicated components and require an invariant process or a network invariant [KMOS94, CG87, CGJ95, WL89] Coming up with a proper invariant is not easy, and automatic generation of network invariants for certain classes of systems are restricted and expensive [RS93, BSV94, SG87, GS92] There are also approaches that do not use induction. Shibata et al. [SHTO93] presented an algorithm ....

E.M. Clarke and O. Grumberg. Avoiding the state explosion problem in temporal logic model checking algorithms. Proceedings of the 6th Annual ACM Symp. on Principles of Distributed Computing, 1987.


Infinity'97 - 2nd International Workshop on Verification of.. - (Editor) (1997)   (Correct)

....undecidable. However, algorithmic verification methods have recently been developed for several classes of infinite state systems, such as certain types of real time systems that operate on clocks [ACD90, C92a, LY93] data independent systems [JP93, Wol86] systems with many identical processes [CG87, GS92, SG90] relational automata [BBK77, C92b, C94] and lossy channel systems [AJ93, AJ94, AK95] In [ACJYK96] we give general criteria which explain several of these decidability results. Classes of infinite state systems to which considerable research effort has been devoted are those of ....

E. M. Clarke and O. Grumberg. Avoiding the state explosion problem in temporal logic model checking algorithms. In Proc. 6th ACM Symp. on Principles of Distributed Computing, Vancouver, Canada, pages 294--303, 1987.


Alternating Automata and Program Verification - Vardi (1995)   (10 citations)  (Correct)

....behavior, one only has to check that the program, modeled as a finite Kripke structure, is a model of (satisfies) the propositional temporal logic formula that specifies that behavior. Hence the name model checking for the verification methods derived from this viewpoint. Surveys can be found in [CG87, Wol89, CGL93]. We distinguish between two types of temporal logics: linear and branching [Lam80] In linear temporal logics, each moment in time has a unique possible future, while in branching temporal logics, each moment in time may split into several possible futures. For both types of temporal logics, a ....

E.M. Clarke and O. Grumberg. Avoiding the state explosion problem in temporal logic model-checking algorithms. In Proc. 6th ACM Symposium on Principles of Distributed Computing, pages 294--303, Vancouver, British Columbia, August 1987.


A Model Checker for Linear Time Temporal Logic - Michael Fisher (1992)   (4 citations)  (Correct)

....of the present state) Though both of these are constant for varying formulae, models are often quite large (see 3 It should be noted that much of the paper by Lichtenstein and Pnueli is devoted to extending this simple algorithm to handle the checking of fairness properties. Clarke et al. [CG87]) For example, state machines often contain more than 100 states while such states rarely have more than 10 successors. Thus, even for this simple example, an order of magnitude saving in time is possible. Obviously, though optimisation seems possible for such simple examples, any method taking ....

....the whole state machine must be constructed every time a formula is checked. In real applications of model checking e.g. SMG [GB88] MCB [Bro86] and Hardware verification [BCDM84] the space consumed by the checking procedure during model checking is important. In fact, research is under way [CG87, Ban87] to reduce the size of the state machines that are checked at any one time. Thus, for some specific problems, the standard model checking algorithm is time inefficient and for many other problems it is very space inefficient. This leads us to describe some of the possible solutions to defects in ....

[Article contains additional citation context not shown here]

E. M. Clarke and O. Grumberg. Avoiding the State Explosion Problem in Temporal Logic Model Checking Algorithms. Technical report, Department of Computer Science, Carnegie Mellon University, 1987.


Memory-Efficient Algorithms for the Verification.. - Courcoubetis.. (1992)   (81 citations)  (Correct)

.... this shortcoming (cf. [8]) Unfortunately, theorem proving systems are semi automated at best, and their success at dealing with real life protocols is not as impressive as that of reachability analysis (cf. [7]) A new approach that emerged in the 1980s is the so called model checking approach [5, 4, 14, 16]. Model checking is based on the idea that verifying a propositional temporal logic property of a finite state program amounts to evaluating that formula on the program viewed as a temporal interpretation. The algorithms for doing this are quite efficient, since their time complexity is a linear ....

....ability to explore only limited size state spaces. This problem, called the state explosion problem, is the most basic limitation of both approaches. It has been the subject of extensive research both in the context of reachability analysis (cf. [15, 17]) and in the context of model checking (cf. [4]) A recent development [9] has substantially pushed back the state explosion limit for reachability analysis. The main idea behind this development is that, at the price of possibly missing part of the state space, the amount of randomly accessed memory necessary for exploring a state space of a ....

E. M. Clarke and O. Grumberg. Avoiding the state explosion problem in temporal logic model-checking algorithms. In Proc. 6th ACM Symposium on Principles of Distributed Computing, pages 294--303, Vancouver, British Columbia, August 1987.


Probabilistic Linear-Time Model Checking: an Overview of The.. - Vardi (1999)   (10 citations)  (Correct)

....behavior, one only has to check that the program, modeled as a finite Kripke structure, satisfies (is a model of) the propositional temporal logic formula that specifies that behavior. Hence the name model checking for the verification methods derived from this viewpoint. Surveys can be found in [CG87,CGL93,Wol89]. For linear temporal logics, a close and fruitful connection with the theory of automata over infinite words has been developed [VW86,VW94,Var96] The basic idea is to associate with each linear temporal logic formula a finite automaton over infinite words that accepts exactly all the ....

E.M. Clarke and O. Grumberg. Avoiding the state explosion problem in temporal logic model-checking algorithms. In Proc. 6th ACM Symposium on Principles of Distributed Computing, pages 294--303, Vancouver, British Columbia, August 1987.


Undecidable Verification Problems for Programs with.. - Abdulla, Jonsson (1994)   (29 citations)  (Correct)

....Supported in part by the Swedish Board for Industrial and Technical Development (NUTEK) as part of ESPRIT BRA project No. 6021 (REACT) and by the Swedish Research Council for Engineering Sciences (TFR) under contract No. 92 814. systems [JP89, Wol86] and systems with many identical processes [CG87, GS92, SG90] In order to extend the applicability of algorithmic verification, we consider it important to investigate whether automatic verification techniques can be developed also for other classes of infinite state systems. Recently, the authors considered the class of finite state systems ....

E. M. Clarke and O. Grumberg. Avoiding the state explosion problem in temporal logic model checking algorithms. In Proc. 6th ACM Symp. on Principles of Distributed Computing, Vancouver, Canada, pages 294--303, 1987.


An Automata-Theoretic Decision Procedure for.. - Ramakrishna.. (1992)   (5 citations)  (Correct)

....a logic with a strong, rather than a weak, until operator. The weak since, past henceforth and past eventually operators are similarly defined. There is neither a next nor a previous operator in SUTL, as in the logics of [7, 10, 12, 15, 16] It is widely recognized by computer scientists [1, 2, 3, 6, 8, 9] that the next operator is not necessary and, moreover, is not conducive to good specifications. Although a This work was partially supported by NSF grant CCR 9014382 with cooperation from DARPA. next operator is potentially useful when describing a single sequential program at the statement ....

E. M. Clarke and O. Grumberg, Avoiding the State Explosion Problem in Temporal Logic Model Checking Algorithms, in: Proc. 6th ACM Symp. on Principles of Distributed Computing, Vancouver, BC (August 1987), pp. 294-303.


Parametric Circuit Representation Using Inductive Boolean.. - Gupta, Fisher (1993)   (19 citations)  (Correct)

....start with a brief background description of our verification methodology. 1. 1 Motivation Previous verification work with parametric descriptions of circuits includes reasoning by induction both in theorem proving systems [7, 13, 16, 20] and within model checking language containment paradigms [9, 17, 21] (an extended bibliography can be found in a recent survey [14] The main advantage with these approaches is that a single proof serves to establish the functional or behavioral correctness of an entire family of circuits. However, most available approaches are semi automated, typically ....

E. M. Clarke and O. Grumberg. Avoiding the state explosion problem in temporal logic model checking algorithms. In Proceedings of the Sixth Annual ACM Symposium on Principles of Distributed Computing, pages 294--303. ACM, New York, August 1987.


Specifying and Enforcing Intertask Dependencies - Paul Attie (1993)   (73 citations)  (Correct)

....product of the individual automata (AD s) that each enforce a single dependency. However, if there are m individual automata each roughly of size N , then the product automaton has size on the order of N m . This is intractable for all but the smallest m. We avoid this state explosion problem [CG87], by coordinating the relevant individual automata at run time rather than building a static (and exponentially large) product at compile time. This is achieved using techniques similar to those introduced in [AE89] The software that does this is the scheduler. 5.1 The Execution Model Figure 6 ....

E. Clarke and O. Grumberg. Avoiding the State Explosion Problem in Temporal Logic Model Checking Algorithms. Carnegie Mellon University, Pittsburgh, 1987.


Specifying and Enforcing Intertask Dependencies - Attie, Singh, Sheth.. (1993)   (73 citations)  (Correct)

....product of the individual automata (AD s) that each enforce a single dependency. However, if there are m individual automata each roughly of size N , then the product automaton has size of the order of N m . This is intractable for all but the smallest m. We avoid this state explosion problem [CG87], by coordinating the relevant individual automata at run time rather than building a static (and exponentially large) product at compile time, using techniques similar to those of [AE89] Although the worst case time complexity is still exponential, we have reason to believe that in many ....

E. Clarke and O. Grumberg. Avoiding the State Explosion Problem in Temporal Logic Model Checking Algorithms. Carnegie Mellon University, Pittsburgh, 1987.


Verifying Safety Properties of a Class of Infinite-State.. - Jonsson, Kempe (1995)   (4 citations)  (Correct)

....problems are undecidable. However, algorithmic verification methods have recently been developed for some classes of infinite state systems. Examples include certain types of real time systems that operate on clocks [3, 18] data independent systems [15, 19] systems with many identical processes [11, 13, 17], Supported in part by the Swedish Board for Industrial and Technical Development (NUTEK) as part of ESPRIT BRA project No. 6021 (REACT) and as part of grant No. 5321 93 3061 (on Feature Interaction) context free processes [8, 10, 9] Petri nets [14] and systems communicating over ....

E. M. Clarke and O. Grumberg. Avoiding the state explosion problem in temporal logic model checking algorithms. In Proc. 6th ACM Symp. on Principles of Distributed Computing, Vancouver, Canada, pages 294--303, 1987.


Verifying Systems with Replicated Components in Murφ - Ip, Dill (1997)   (49 citations)  (Correct)

....of replicated components is known to be undecidable [1, 15] recent advances in formal techniques have enabled automatic verification of certain constrained instances of this problem. Some of them use induction over the replicated components and require an invariant process or a network invariant [6, 7, 24, 25, 39]. Coming up with a proper invariant is not easy. Although automatic generation of network invariants for certain classes of systems has been explored, they are very expensive and only apply to a very narrow range of designs [2, 15, 34, 36] There are also approaches that do not use induction. ....

....a concurrent program by collapsing all reachable states into a fixed number of metastates, in which the number of processes is denoted as N with an unspecified value. Dijkstra [10] verified a ring network by representing classes of similar states in regular expressions. Clarke and Grumberg [6] verified an alternating bit protocol by constructing an invariant process that records only the existence of components in a certain state. Pong et al. [31, 32, 33] verified many cache coherence protocols by representing classes of similar states using a set of repetition constructors, recording ....

[Article contains additional citation context not shown here]

E.M. Clarke and O. Grumberg. Avoiding the state explosion problem in temporal logic model checking algorithms. 6th Annual ACM Symposium on Principles of Distributed Computing, pages 294--303, 1987.


Refactoring Design Models for Inductive Verification - Yung-Pin Cheng Dept (2002)   (Correct)

No context found.

E. M. Clarke and O. Grumberg. Avoiding the state explosion problem in temporal logic model checking algorithms. In Proceedings of the 6th ACM Symposium on Principles of Distributed Computing, pages 294--303, August 1987.


A Counter Example Guided Abstraction Refinement Framework for.. - Chaki (2002)   (Correct)

No context found.

E. M. Clarke and O. Grumberg. Avoiding the state explosion problem in temporal logic model checking algorithms. In Proc. of the 6th ACM SIGACT-SIGOPS Symposium on Principles of Distributed Computing, pages 294--303, 1987.
