Abstract
Temporal logic model checking is an automatic technique for verifying finite-state concurrent systems. Specifications are expressed in a propositional temporal logic, and the concurrent system is modeled as a state-transition graph. An efficient search procedure is used to determine whether or not the state-transition graph satisfies the specification. When the technique was first developed ten years ago, it was only possible to handle concurrent systems with a few thousand states. In the last few years, however, the size of the concurrent systems that can be handled has increased dramatically. By representing transition relations and sets of states implicitly using binary decision diagrams, it is now possible to check concurrent systems with more than 10120 states. In this paper we describe in detail how the new implementation works and give realistic examples to illustrate its power. We also discuss a number of directions for future research. The necessary background information on binary decision diagrams, temporal logic, and model checking has been included in order to make the exposition as self-contained as possible.
This research was sponsored in part by the Avionics Laboratory, Wright Research and Development Center, Aeronautical Systems Division (AFSC), U.S. Air Force, Wright-Patterson AFB, Ohio 45433-6543 under Contract F33615-90-C-1465, ARPA Order No. 7597 and in part by the National Science foundation under Grant No. CCR-9217549 and in part by the Semiconductor Research Corporation under Contract 92-DJ-294. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied of the U.S. government.
This is a preview of subscription content, log in via an institution to check access.
Preview
Unable to display preview. Download preview PDF.
References
A. V. Aho, J. E. Hopcroft, and J. D. Ullman. The Design and Analysis of Computer Algorithms. Addison-Wesley, 1974.
R. Alur, C. Courcourbetis, and D. Dill. Model-checking for real-time systems. In Proceedings of the 5th Symp. on Logic in Computer Science, pages 414–425, 1990.
R. Alur and T. A. Henzinger. Logics and models of real-time: A survey. In Lecture Notes in Computer Science, Real-Time: Theory in Practice. Springer-Verlag, 1992.
D. L. Beatty, R. E. Bryant, and C.-J. Seger. Formal hardware verification by symbolic ternary trajectory evaluation. In Proceedings of the 28th ACM/IEEE Design Automation Conference. IEEE Computer Society Press, June 1991.
M. Ben-Ari, Z. Manna, and A. Pnueli. The temporal logic of branching time. Acta Informatica, 20:207–226, 1983.
C. Berthet, O. Coudert, and J. C. Madre. New ideas on symbolic manipulations of finite state machines. In IEEE International Conference on Computer Design, 1990.
G. V. Bochmann. Hardware specification with temporal logic: An example. IEEE Transactions on Computers, C-31(3), March 1982.
S. Bose and A. L. Fisher. Automatic verification of synchronous circuits using symbolic logic simulation and temporal logic. In L. Claesen, editor, Proceedings of the IMEC-IFIP International Workshop on Applied Formal Methods for Correct VLSI Design, November 1989.
K. S. Brace, R. L. Rudell, and R. E. Bryant. Efficient implementation of a BDD package. In DAC90 [36].
M. C. Browne and E. M. Clarke. Sml: A high level language for the design and verification of finite state machines. In IFIP WG 10.2 International Working Conference from HDL Descriptions to Guaranteed Correct Circuit Designs, Grenoble, France. IFIP, September 1986.
M. C. Browne, E. M. Clarke, and D. Dill. Checking the correctness of sequential circuits. In Proceedings of the 1985 International Conference on Computer Design, Port Chester, New York, October 1985. IEEE.
M. C. Browne, E. M. Clarke, and D. Dill. Automatic circuit verification using temporal logic: Two new examples. In Formal Aspects of VLSI Design. Elsevier Science Publishers (North Holland), 1986.
M. C. Browne, E. M. Clarke, D. L. Dill, and B. Mishra. Automatic verification of sequential circuits using temporal logic. IEEE Transactions on Computers, C-35(12):1035–1044, 1986.
R. E. Bryant. Graph-based algorithms for boolean function manipulation. IEEE Transactions on Computers, C-35(8), 1986.
R. E. Bryant. On the complexity of vlsi implementations and graph representations of boolean functions with application to integer multiplication. IEEE Transactions on Computers, 40(2):205–213, 1991.
R. E. Bryant. Symbolic boolean manipulation with ordered binary decision diagrams. ACM Computing Surveys, 24(3):293–318, September 1992.
R. E. Bryant and C.-J. Seger. Formal verification of digital circuits using symbolic ternary system models. In Kurshan and Clarke [53].
J. R. Burch. Trace Algebra for Automatic Verification of Real-Time Concurrent Systems. PhD thesis, Carnegie Mellon University, 1992.
J. R. Burch, E. M. Clarke, and D. E. Long. Symbolic model checking with partitioned transition relations. In A. Halaas and P. B. Denyer, editors, Proceedings of the 1991 International Conference on Very Large Scale Integration, August 1991. Winner of the Sidney Michaelson Best Paper Award.
J. R. Burch, E. M. Clarke, D. E. Long, K. L. McMillan, and D. L. Dill. Symbolic model checking for sequential circuit verification. To appear in IEEE Transactions on Computer-Aided Design of Integrated Circuits.
J. R. Burch, E. M. Clarke, K. L. McMillan, and D. L. Dill. Sequential circuit verification using symbolic model checking. In DAC90 [36].
J. R. Burch, E. M. Clarke, K. L. McMillan, D. L. Dill, and L. J. Hwang. Symbolic model checking: 1020 states and beyond. Information and Computation, 98(2):142–170, June 1992.
S. Campos. The priority inversion problem and real-time symbolic model checking. to appear, April 1993.
E. M. Clarke and I. A. Draghicescu. Expressibility results for linear time and branching time logics. In Linear Time, Branching Time, and Partial Order in Logics and Models for Concurrency, volume 354, pages 428–437. Springer-Verlag: Lecture Notes in Computer Science, 1988.
E. M. Clarke, I. A. Draghicescu, and R. P. Kurshan. A unified approach for showing language containment and equivalence between various types of ω-automata. In A. Arnold and N. D. Jones, editors, Proceedings of the 15th Colloquium on Trees in Algebra and Programming, volume 407 of Lecture Notes in Computer Science. Springer-Verlag, May 1990.
E. M. Clarke and E. A. Emerson. Synthesis of synchronization skeletons for branching time temporal logic. In Logic of Programs: Workshop, Yorktown Heights, NY, May 1981, volume 131 of Lecture Notes in Computer Science. Springer-Verlag, 1981.
E. M. Clarke, E. A. Emerson, and A. P. Sistla. Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM Transactions on Programming Languages and Systems, 8(2):244–263, 1986.
E. M. Clarke, O. Grumberg, and M. C. Browne. Reasoning about networks with many identical finite-state processes. In Proceedings of the Fifth Annual ACM Symposium on Principles of Distributed Computing., pages 240–248. ACM, August 1986.
E. M. Clarke, O. Grumberg, H. Hiraishi, S. Jha, D. E. Long, K. L. McMillan, and L. A. Ness. Verification of the Futurebus+ cache coherence protocol. In L. Claesen, editor, Proceedings of the Eleventh International Symposium on Computer Hardware Description Languages and their Applications. North-Holland, April 1993.
E. M. Clarke, O. Grumberg, and D. E. Long. Model checking and abstraction. In Proceedings of the Nineteenth Annual ACM Symposium on Principles of Programming Languages, January 1992.
E. M. Clarke, S. Kimura, D. E. Long, S. Michaylov, S. A. Schwab, and J. P. Vidal. Symbolic computation algorithms on shared memory multiprocessors. In Suzuki [75].
E.M. Clarke, T. Filkorn, and S. Jha. Exploiting symmetry in temporal logic model checking. In Courcoubetis [35].
O. Coudert, C. Berthet, and J. C. Madre. Verification of synchronous sequential machines based on symbolic execution. In Sifakis [73].
O. Coudert, J. C. Madre, and C. Berthet. Verifying temporal properties of sequential machines without building their state diagrams. In Kurshan and Clarke [53].
C. Courcoubetis, editor. Proceedings of the Fifth Workshop on Computer-Aided Verification, June/July 1993.
Proceedings of the 27th ACM/IEEE Design Automation Conference. IEEE Computer Society Press, June 1990.
J. W. de Bakker, W.-P. de Roever, and G. Rozenberg, editors. Proceedings of the REX Workshop on Stepwise Refinement of Distributed Systems, Models, Formalisms, Correctness, volume 430 of Lecture Notes in Computer Science. Springer-Verlag, May 1989.
D. L. Dill and E. M. Clarke. Automatic verification of asynchronous circuits using temporal logic. IEE Proceedings, Part E 133(5), 1986.
P. Dixon. Multilevel cache architectures. Minutes of the Futurebus+ Working Group meeting, December 1988.
E. Emerson and A. P. Sistla. Symmetry and model checking. In Courcoubetis [35].
E. A. Emerson and J. Y. Halpern. “Sometimes” and “Not Never” revisited: On branching time versus linear time. Journal of the ACM, 33:151–178, 1986.
E. A. Emerson, A. K. Mok, A. P. Sistla, and J. Srinivasen. Quantitative temporal reason. In Kurshan and Clarke [53].
E.A. Emerson and Chin Laung Lei. Modalities for model checking: Branching time strikes back. Twelfth Symposium on Principles of Programming Languages, New Orleans, La., January 1985.
M. Fujita, H. Fujisawa, and N. Kawato. Evaluation and improvements of boolean comparison method based on binary decision diagrams. In Proceedings of the 1988 Proceedings of the IEEE International Conference on Computer Aided Design. IEEE Computer Society Press, November 1988.
M. R. Garey and D. S. Johnson. Computers and Intractability: A Guide to the Theory of NP-Completeness. W. H. Freeman, 1979.
P. Godefroid. Using partial orders to improve automatic verification methods. In Kurshan and Clarke [53].
O. Grumberg and D. E. Long. Model checking and modular verification. In J. C. M. Baeten and J. F. Groote, editors, Proceedings of CONCUR '91: 2nd International Conference on Concurrency Theory, volume 527 of Lecture Notes in Computer Science. Springer-Verlag, August 1991.
Z. Har'El and R. P. Kurshan. Software for analytical development of communications protocols. AT&T Technical Journal, 69(1):45–59, Jan.–Feb. 1990.
G. E. Hughes and M. J. Creswell. Introduction to Modal Logic. Methuen, London, 1977.
IEEE Computer Society. IEEE Standard for Futurebus+-Logical Protocol Specification, March 1992. IEEE Standard 896.1-1991.
B. Josko. Verifying the correctness of AADL-modules using model checking. In de Bakker et al. [37].
R. P. Kurshan. Analysis of discrete event coordination. In de Bakker et al. [37].
R. P. Kurshan and E. M. Clarke, editors. Proceedings of the 1990 Workshop on Computer-Aided Verification, June 1990.
R. P. Kurshan and K. L. McMillan. A structural induction theorem for processes. In Proceedings of the Eighth Annual ACM Symposium on Principles of Distributed Computing. ACM Press, August 1989.
L. Lamport. “Sometimes” is sometimes “Not Never”. In Annual ACM Symposium on Principles of Programming Languages, pages 174–185, 1980.
O. Lichtenstein and A. Pnueli. Checking that finite state concurrent programs satisfy their linear specification. In Proceedings of the Twelfth Annual ACM Symposium on Principles of Programming Languages, January 1985.
D. L. Long. Model Checking, Abstraction, and Compositional Reasoning. PhD thesis, Carnegie Mellon University, 1993.
Y. Malachi and S. S. Owicki. Temporal specifications of self-timed systems. In H. T. Kung, B. Sproull, and G. Steele, editors, VLSI Systems and Computations. Computer Science Press, 1981.
S. Malik, A. Wang, R. Brayton, and A Sangiovanni-Vincenteli. Logic verification using binary decision diagrams in a logic synthesis environment. In International Conference on Computer-Aided Design, pages 6–9, 1988.
R. Marelly and O. Grumberg. GORMEL—Grammar ORiented ModEL checker. Technical Report 697, The Technion, October 1991.
K. L. McMillan. Symbolic Model Checking: An Approach to the State Explosion Problem. PhD thesis, Carnegie Mellon University, 1992.
K. L. McMillan and J. Schwalbe. Formal verification of the Gigamax cache consistency protocol. In Suzuki [75].
B. Mishra and E.M. Clarke. Hierarchical verification of asynchronous circuits using temporal logic. Theoretical Computer Science, 38:269–291, 1985.
P.Huber, A. Jensen, L. Jepsen, and K. Jensen. Towards reachability trees for high-level petri nets. In G. Rozenberg, editor, Advances on Petri Nets, 1984.
C. Pixley. A computational theory and implementation of sequential hardware equivalence. In R. Kurshan and E. Clarke, editors, Proc. CAV Workshop (also DIMACS Tech. Report 90-31), Rutgers University, NJ, June 1990.
C. Pixley, G. Beihl, and E. Pacas-Skewes. Automatic derivation of FSM specification to implementation encoding. In Proceedings of the International Conference on Computer Desgin, pages 245–249, Cambridge, MA, October 1991.
C. Pixley, S.-W. Jeong, and G. D. Hachtel. Exact calculation of synchronization sequences based on binary decision diagrams. In Proceedings of the 29th Design Automation Conference, pages 620–623, June 1992.
A. Pnueli. A temporal logic of concurrent programs. Theoretical Computer Science, 13:45–60, 1981.
D. K. Probst and H. F. Li. Using partial order semantics to avoid the state explosion problem in asynchronous systems. In Kurshan and Clarke [53].
J.P. Quielle and J. Sifakis. Specification and verification of concurrent systems in CESAR. In Proceedings of the Fifth International Symposium in Programming, 1981.
R. Rudell. Dynamic variable ordering for ordered binary decision diagrams. In Intl. Conf. on Computer Aided Design, Santa Clara, Ca., November 1993.
R. Schlor and W. Damm. Specification and verification of system-level hardware designs using timing diagrams. In EDAC 93, 1993.
J. Sifakis, editor. Proceedings of the 1989 International Workshop on Automatic Verification Methods for Finite State Systems, Grenoble, France, volume 407 of Lecture Notes in Computer Science. Springer-Verlag, June 1989.
A. P. Sistla and E.M. Clarke. Complexity of propositional temporal logics. Journal of the ACM, 32(3):733–749, July 1986.
N. Suzuki, editor. Shared Memory Multiprocessing. MIT Press, 1992.
A. Tarski. A lattice-theoretical fixpoint theorem and its applications. Pacific J. Math, 5:285–309, 1955.
H. J. Touati, R. K. Brayton, and R. P. Kurshan. Testing language containment for ω-automata using BDD's. In Proceedings of the 1991 International Workshop on Formal Methods in VLSI Design, January 1991.
A. Valmari. A stubborn attack on the state explosion problem. In Kurshan and Clarke [53].
M. Y. Vardi and P. Wolper. An automata-theoretic approach to automatic program verification. In Proceedings of the First Annual Symposium on Logic in Computer Science. IEEE Computer Society Press, June 1986.
P. Wolper and V. Lovinfosse. Verifying properties of large sets of processes with network invariants. In Sifakis [73].
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 1994 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Clarke, E., Grumberg, O., Long, D. (1994). Verification tools for finite-state concurrent systems. In: de Bakker, J.W., de Roever, W.P., Rozenberg, G. (eds) A Decade of Concurrency Reflections and Perspectives. REX 1993. Lecture Notes in Computer Science, vol 803. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-58043-3_19
Download citation
DOI: https://doi.org/10.1007/3-540-58043-3_19
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-58043-0
Online ISBN: 978-3-540-48423-3
eBook Packages: Springer Book Archive