A symbolic model checking approach in formal verification of distributed systems
 291 Downloads
Abstract
Model checking is an influential method to verify complex interactions, concurrent and distributed systems. Model checking constructs a behavioral model of the system using formal concepts such as operations, states, events and actions. The model checkers suffer some weaknesses such as state space explosion problem that has high memory consumption and time complexity. Also, automating temporal logic is the main challenge to define critical specification rules in the model checking. To improve the model checking weaknesses, this paper presents Graphical Symbolic Modeling Toolkit (GSMT) to design and verify the behavioral models of distributed systems. A behavioral modeling framework is presented to design the system behavior in the forms of Kripke structure (KS) and Labeled Transition System (LTS). The behavioral models are created and edited using a graphical user interface platform in four layers that include a design layer, a modeling layer, a logic layer and a symbolic code layer. The GSMT generates a graphical modeling diagram visually for creating behavioral models of the system. Also, the temporal logic formulas are constructed according to some functional properties automatically. The executable code is generated according to the symbolic model verifier that user can choose the original model or reduced model with respect to a recursive reduced model. Finally, the generated code is executed using the NuSMV model checker for evaluating the constructed temporal logic formulas. The code generation time for transforming the behavioral model is compared to other model checking platforms. The proposed GSMT platform has outperformed evaluation than other platforms.
Keywords
Model checking Temporal logic Reduced model Kripke structure Labeled Transition SystemIntroduction
Today, distributed systems have developed complex components more and more [1, 2]. By increasing performance of complex systems such as service composition [3], task scheduling [4] and fault tolerance [5], simulation analysis cannot evaluate entire of the system levels [6, 7]. Also, the simulation results are rested to some design under test platforms [8] that omit the part of the existing state space of the system [9]. Formal verification is a mathematically correctness provable approach for the complex distributed systems which is wellsuitable for NPhard problems [10, 11]. Recent scientific studies analyzed their case studies using mathematical verification approaches such as model checking [4, 12, 13, 14, 15, 16, 17, 18], process algebra [19, 20, 21, 22, 23, 24], formal concept analysis [25] and theorem proving [26, 27, 28, 29] methods.
Among the mentioned approaches, model checking [30] is a wellknown verification technique to evaluate the functional properties of a distributed system automatically [31, 32]. The main goal of the model checking is to find the property violations and limitations in the system behavior with the counterexamples [33]. However, there are some limitations for model checking such as state space explosion and temporal logic design [34]. For improving these limitations, the symbolic model checking [35, 36] with Binary Decision Diagram (BDD) has been presented by McMillan [34]. Some industrial tools such as NuSMV [37], PAT [38], Spin [39], and UPPAAL [40] are wellknown for analyzing the system behavior correctness [41, 42, 43]. But, these tools have some limitations such as weak graphical user interface, the complexity of programming language and generating the automated temporal specification rules for verifying the system behavior [44, 45, 46, 47]. To illustrate the temporal logic formulas, some model checkers such as NuSMV have supported the generated specification rules in forms of Linear Temporal Logic (LTL) and Computation Tree Logic (CTL) [17, 37, 48, 49, 50]. Also, creating a critical specification rule for checking in the generated state space of the system behavior is an important challenge for model checkers. When the state space increases exponentially, checking and discovering the critical specification rules to measure the correctness of the system is confused [51, 52]. As yet, model checkers do not guarantee automated specification rules generation [53, 54]. In addition, a model checker needs to automated formal design that supports the Kripke structure (KS) and Labeled Transition System (LTS) modeling methods. In model checking, some characteristic points consolidate an irrefrangible relationship between integrated abstract model and the concrete system behavior. The characteristic points include specifying descriptive features, designing precise model, configuring desired feature selection, and generating comprehensive specification rules. This relationship is confident that the correctness of the integrated abstract model using model checking is very reliable to evaluate concrete system behavior. If we emphasize some characteristic points for designing and modeling system behavior [55], then the accurate verification results are obtained from model checking.

Presenting a graphical model checking framework to facilitate the system behavior design.

Providing a modeling platform to support the KS and LTS models.

Generating the LTL and CTL specification rules of the system model according to the functional properties such as deadlock, reachability, and safety conditions.

Presenting a highlevel order of recursive reduced Kripke and labeled models to ameliorate the state space explosion problem.

Facilitating the verification procedure using NuSMV.
The paper structure is organized as follows, “Related work” section illustrates a brief review of the presented related frameworks and toolsets. In “GSMT framework” section, we address a conceptual explanation of the GSMT framework. Also, this section introduces the current four layers in the automated verification approach. Moreover, the formal descriptions of the system behavior are illustrated to handle the model checking the specification rules. “Experimental analysis” depicts a descriptive case study to evaluate the verification procedure for the proposed framework with the other approaches according to some experimental results. Finally, “Conclusion and future work” provides the conclusion and some open subjects on this topic as the future works.
Related work
In this section, some related studies are discussed briefly which contain modeling and descriptive translators and automated verification frameworks according to some important features and challenges.
Castelluccia et al. [56] presented a formal framework to design web applications according to the UML method. The key feature of this framework is based on LTS model checking and CTL formulas. First, a design of the model is generated in forms of the UMLbased platform with the XMI format. Then, the framework translated the proposed UMLbased platform to the extensible SMV codes.
Li et al. [54] proposed a translator framework to exchange Programmed Logic Controllers (PLC) for executable verification codes using utility block chart language. The framework presented a formal modeling approach to specifying the model structure using a Boolean explanation method. The model is translated to some modules of SMV codes. This translator supports just CTL formulas to embed in code generation. Designing the model structure is not automatic because the extensibility of the model checking approach is covered. Also, this framework supports a commandline authentication to avoid invalid inputs according to its powerful editor environment. The main disadvantages of this framework are as follows: the requirement patterns as the specification rules are input manually; the LTL formulas are not supported; the framework has not illustrated the correctness of the functional properties such as reachability and deadlock.
Abdelsadiq [57] presented a highlevel modeling framework for Contractual BusinesstoBusiness relations (CB2B) to apply econtract models in the ebusiness management system. The CB2B models support a set of the conceptual model that includes truths, actions, responsibilities and exclusions for checking contract agreement. First, the designed model translated to Event–Condition–Action (ECA) structure according to Process Metalanguage (Promela) language. Then, a set of simple LTL formulas is generated manually. Both temporal specifications and ECA model are translated to executable codes for the Spin model checker. The main limitations of this framework are as follows: (1) the design level of the formal modeling is omitted; (2) specification rules are very simple; (3) an editable platform for user interface has not been indicated.
Caltais et al. [58] proposed a framework conversion to interact between the System Modelling Language (SysML)based models and NuSMV symbolic model checker. The SysMLJa is a toolset that translates the structural SysMLbased models in forms of block diagrams and state diagrams to symbolic modules of SMV codes. This translation is retrieved from the LTS model by some events and actions. The relationships between each block/state diagram are converted to a transition command in SMV code. Some specification rules are input at the end of the SMV codes manually. There are some limitations in this framework as follows: (1) the generation of specification rules has not been considered in the structure of the framework; (2) the graphical modeling stage is omitted in this framework.
Furthermore, Deb et al. [59] have presented an inherent sequence state transition modeling transformation framework for concurrent systems. They used the Naive algorithm to handle the rise of the state space. First, requirements are translated to the LTS model with respect to a set of sequences states. In the editor environment, the LTS model is converted according to the Multidimensional Lattice Paths (MLP) to the SMV codes. The framework can add a simple CTL formula to the generated SMV code to verify it. However, when a large model is loaded in this framework, the state space has been increased highly. When the system behavior has a multitenant structure, the translated modules cannot interact with them by transition methods. In addition, the functional properties have not been verified in this framework using NuSMV.
Meenakshi et al. [60] have presented a converter environment between Simulink models and input language of model checkers automatically. The system engineers can develop the structural models in Simulink environments such as MATLAB informally. Hence, this converter tool can be useful to transform the Simulink model as the input to a formal description approach in forms of NuSMV model checker codes. The proposed tool covers all of the block diagrams that organize the structural model of the Simulink. There are some limitations in this tool compared with the other instruments: the LTL specifications are not considered in this tool to translate into SMV codes; a graphical modeling diagram is not illustrated to avoid the state space examination. In addition, the practical feature of this model does not support a complex industrial model for translating to the SMV codes.
Vinárek et al. [61] proposed a translator framework between use case models and NuSMV model checker. The authors described a formal explanation of the Formal verification of Annotated Models (FOAM) framework using a user/actor model. The use case model is converted to a textual behavior automaton based on a priority connection. The textual behavior automaton is translated to a configurable LTS model [62]. The main disadvantages of this tool are as follows: first, this translator has not the editor environment to illustrate code generation; second, this tool has not covered the LTL specifications for checking the correctness of the use case models. There is just a demo environment for this tool rather than a practical translator environment.
Szwed [63] presented a translator plugin to convert a business model to executable model checking code. This plugin specifies all of the direct elements of the business model that connect with each symbolic state in the business layer. In translation procedure, a set of the business processes are specified as the atomic states and the business tasks are specified as the events. The CTL formulas are added by the user manually. A graphical model is presented after translating SMV codes. Some limitations of this plugin are as follow: The verification method is executed without any correctness procedure; also, the LTL formulas are not supported. However, the execution time and reachability states are not compared with the other frameworks.
Jiang and Qiu [64] have proposed an Spin2NuSMV (S2N) converter framework between Spin models and NuSMV codes. This framework presents a conversion procedure for transforming a highlevel model in forms of Promela language into a lowlevel model as a state transition system in SMV code. Each process in the Spin model has been translated to a state with events coverage asynchronously. However, this framework cannot support the temporal logic transformation since NuSMV covers both LTL and CTL logics and Spin just generates LTL logic in the opposite. In addition, when a complex model is transformed into the SMV codes, some channels connection between processes are omitted.
Szpyrka et al. [65] have presented a translator framework to convert state graph of a colored Petrinet model to an executable SMV code. Each net is converted to a state and each guard is transformed into an atomic proposition. The translated model is shown in forms of a Kripke model in NuSMV. A graphical reachability graph is generated after the translation procedure that is very confused and irregular. Also, the translated model is not displayed as a graphical model. This tool has a simple environment that imports a Petrinet model and translates to the SMV code in editor environment. The temporal logic formulas are added to end of the code manually. Also, the timedPetrinet models cannot translate to SMV codes.
Comparison of the related frameworks according to the verification structure
Framework  Case study  Modeling  Design  Temporal logic/generation  Model checker 

WAVer [56]  Web applications  LTS  UML  CTL/manual  NuSMV 
FBD [54]  Industrial controllers  LTS  Not supported  LTL/manual  NuSMV 
PLC [57]  EBusiness system  LTS  Not supported  LTL/manual  Spin 
SysMLja [58]  Concurrent system  LTS  UML  Not supported  NuSMV 
IStar [59]  Concurrent system  LTS  Not supported  CTL/manual  NuSMV 
SimuLink [60]  Concurrent system  LTS  Not supported  CTL/manual  NuSMV 
FOAM [61]  Concurrent system  LTS  UML  CTL/manual  NuSMV 
ArchiMate [63]  Concurrent system  LTS  UML  CTL/manual  NuSMV 
S2Nusmv [64]  Concurrent system  LTS  Not supported  LTL/manual  NuSMV 
Petrinet2smv [65]  Concurrent system  KS  Petri net  CTL/manual  NuMSV 
Our approach  Concurrent system  LTS/KS  UML/graph  LTLCTL/automatic  NuSMV 
To the best of our knowledge, all related frameworks proposed a translator to provide both code generation/execution. Also, editor platforms support just one modeling template such as LTS or KS and one temporal logic formula for the system behavioral model. At complementing with them, our GSMT framework presents (1) automated design approach for formal descriptions of the system, (2) a compositional behavioral modeling for system behavior in forms of LTS and KS models, (3) generating the visual model diagram of the designed behavior, (4) constructing detailed temporal logic formulas in terms of CTL and LTL, and (5) symbolic automated verification approach using NuSMV.
GSMT framework
This section provides a conceptual description of the proposed framework with some key explanations. The important feature of the GSMT is its flexible modeling and checking capability that represents the common collaboration between two main steps of the formal verification approach. This flexibility is the prominent point of a translator framework that supports all technical features of the behavioral correctness of a complex system. In this section, the framework architecture is explained comprehensively. Also, the presented recursive reduction approach is illustrated in this section.
GSMT behavioral models

Specifying design type of the behavioral model in forms of KS or LTS.

Creating the structural features of the behavioral model such as states, actions, and atomic propositions.

Creating the system exploration according to the relationship between the features.
For the KS model, there are some features according to Kripke structure definition [66, 67]. The method is a statebased framework and the states are labeled with a name. The user can input a set of states and atomic propositions for the initialization section.
Definition 1
A Kripke structure is a fivetuple KS = (Q, I, P, R, L) where [68]:

Q is a set of states.

I is the set of initial states: \(I \in Q\).

P is a set of atomic propositions.

R is a set of transition relations \(R \subseteq Q \times Q\).

L is a state labeling function \({\text{L}}:Q \to 2^{\text{p}}\).
In the above definition, a path can be defined on the behavioral model as follow:
Definition 2
A Kripke path KP is a finite sequence of the states and transitions starting from the state q_{1} and finishing at the state q_{n} that \(\left( {q_{1} \;\;{\text{and}}\;\;q_{n} \in Q,\;\;\; {\text{p}} \in P} \right)\) denoted as [69]:
Definition 3
A Labeled Transition System LT is a 4tuple LT = (S, M, A, T) where:

S is a set of states.

M is the set of initial state: \(M \in S\).

A is a set of actions.

T is a total transition relation: \(T \subseteq S \times A \times S\).
This means, the relation \(s_{1} \mathop \to \limits^{a} s_{2} \left( {s_{ 1} , \;s _{2} \in S\;\;{\text{and}}\;\; {\text{a}} \in A} \right)\) is used for stating that \(\left( {s_{1} ,\;{\text{a}},\; s_{2} } \right) \in T\).
Also, in the second method, a path on the behavioral model is described as follow:
Definition 4
By using the Kripke Path KP and the Labeled Path LP, we create the state space exploration for the proposed behavioral models in model checking.

Configuring the transition relations between the expected attributes in the behavioral model.

Translating the configurable relations to the graphbased relation machine.

Generating a graphical state exploration diagram according to the graphbased relation machine.

Extracting the transition relations as a set of specification rules.

Converting the specification rules to a formulabased platform in forms of the LTL and CTL.

Generating the existent permutation temporal formulas for all of the specification rules.
The CTL syntax is described as follows [16]:

True is a true proposition.

The p is an atomic proposition where the \(\alpha\) formula can hold atomic proposition p with a sentence or statement according to following syntax \(\alpha\) (p) which is both true or false value.

The \(\alpha\) is ranged over CTL formulas.

The \(\neg \alpha\) (not), \(\alpha \wedge \alpha^{{\prime }}\) (and) and \(\alpha \vee \alpha^{{\prime }}\) (or) are logical syntaxes on the formulas.

A (always) and E (eventually) are the general quantifiers on all of the paths.

G (globally), X (next state) and F (in the future) are contracted in the entire of each path.

True is a true proposition.

The q is an atomic proposition where a \(\beta\) formula gets atomic proposition q with a declarative statement according to following syntax \(\beta\) (q) which is both true or false value.

The \(\beta\) is a range over LTL formulas.

The \(\neg \beta\) (not), \(\beta \wedge \beta^{\prime }\) (and) and \(\beta \vee \beta^{{\prime }}\) (or) are logical syntaxes on the formulas.

G (globally), X (next state) and F (in the future) are contracted in the entire of each path.

The \(\beta U\beta^{\prime }\) means that \(\beta\) is true and enabled until \(\beta^{{\prime }}\) is activated.

(Deadlock freedom) AG !(state & action);

(Liveness) AG (state & action) → AF (state & action);

(Reachability) AG (EF(state & action → state & action));

Translating the expected attributes to the hierarchically structured programming platform.

Transforming the hierarchically structured platform to the SMV codes.

Adding the generated specification formulas to the end of the code.

Reducing the expected attributes to ameliorate the state space explosion.

Confirming the reduced behavioral model as the optimally generated SMV code.

Generating the executable SMV code for automated verification in NuSMV.
After describing the GSMT architecture, we present the recursive reduction approach for the GSMT.
Recursive reduced model
The reduced model generally is based on a linear reduction in some related approaches [70, 76, 77, 78]. The complex systems have a set of impermissible states that are composed of the parallel relational processes. The similarity of the attributes and transition relations increase the number of state space size. Whatever the number of states and transitions are decreased, the state space is compacted because the size of the state space has been increased exponentially. We use a vicinity matrix for recursive reduced model. To describe the state space reduction, the first step is ordering the vicinity matrix of the state space according to the transition relations. After generating the vicinity matrix, a recursive reduced algorithm is executed for refining the state space. According to the reduction algorithms [76, 77], we have a minimization equivalence method that the model size is defined for comparing the minimality and reduced model [76].
Definition 5
Model size is shown by S_{m} with the number of states and transitions. In other words, we conclude \(\left {{\text{S}}_{\text{m}} } \right \le \left {{\text{S}}_{\text{m}}^{{\prime }} } \right\) if and only if the number of all attributes (states and transitions) of the S_{m} is smaller than \({\text{S}}_{\text{m}}^{{\prime }}\) [79].
Definition 6
The S_{m} is an original model and S_{R} is its reduced model. A minimal equivalence M_{e} is an equal relation, when \(\left {{\text{S}}_{\text{R}} } \right \le \left {{\text{ S}}_{\text{m}} } \right\) (the size of the reduced model is smaller than the original model), then \({\text{S}}_{\text{m}} \equiv {\text{S}}_{\text{R}}\) (the original model is equivalence with reduced model) if and only if the minimal equivalence \({\text{S}}_{\text{R}} \approx M_{e} \approx {\text{S}}_{\text{m}}\) is established. Consequently, the reduced model S_{R} is replaced on the original model S_{m} for ameliorating the state space explosion [67].
The size of the reduced Kripke model is lower than original Kripke model  \({\text{K}}_{\text{Reduced}}^{{\prime }}\)  \(\le\)  K_{Original}  and the original Kripke model is equivalence with reduced Kripke model \({\text{K}}_{\text{Original}} \equiv {\text{K}}_{\text{Reduced}}^{{\prime }}\).
Experimental analysis
This section illustrates some experimental case studies to evaluate the GSMT framework. First, a brief exploration of the GSMT environment is presented. Then, some case studies are illustrated to demonstrate the performance evaluation of the framework. Finally, the verification results are shown in this section.
User interface of GSMT
The framework consists of three main windows that include modeling method selection, KS model window, and LTS model.

Add propose state: the user inputs a set of existing states on Add propose state button. The defined states are listed in the state list manually.

Add initial state: the user should select an initial state from the state list which the initial state is displayed in the First state box manually.

Add transition relation: it shows the transition relations that are constructed in forms of From/To structure. All of the transition relations are listed in transition relation list box. The interaction simplicity is a key point for users and engineers to design and model a complex system using GSMT manually.

Add AP: it specifies the atomic propositions of each state using Add AP button manually.

Generate behavioral model: it consists of a button which generates a graphical state transition diagram in form of the GraphViz output based on own structure codes automatically.

Generate symbolic code: it is a symbolic code generation for constructing the final SMV code in the following textbox. This textbox is an editable platform for copying and modifying the SMV code. When the checkbox reduce is checked, then the model is reduced according to the reduction approach and the reduced final SMV code is generated. Also, the framework generates the new graphical diagram for reduced model automatically.

Specification generators: by selecting the specification rules, the GSMT produces the temporal formulas automatically. In the column of CTL specification generator, there are 4 specification rules for adding to the end of the SMV code automatically.

For example, the deadlock and reachability properties are selected to generate and add in the code. In addition, the LTL specification generator column has three specification rules. In Fig. 9, all of the properties are selected to add the end of the code.
Example 1
This example illustrates a translation procedure for a Kripke model to the SMV code. A verification approach is done based on the NuSMV model checker automatically. According to Definition 1, the formal description of the Kripke structure of Example 1 is as follow:

Set of the states Q = (S1, S2, S3, S4, S5, S6).

The initial state I = S1.

The set of atomic propositions P = (p, q, r).

The set of transition relations R = {(S1, S2), (S2, S3), (S2, S4), (S3, S5), (S4, S6)}.

The state labelling functions L = ((S1, {p}), (S2, {q}), (S3, {q}), (S4, {p, q}), (S5, {p, r}), (S6, {p, r}).

The execution time of this model is 158.5 ms,

Generating 18 deadlockfree properties,

Generating 180 reachability properties,

Generating 180 liveness properties,

Generating 720 safety properties.

Add propose state: the user inputs a set of existing states on Add propose state button. The defined states are listed in the state list manually.

Add initial state: the user should select an initial state from the state list which the initial state is displayed in the First state box manually.

Add action: the user inputs a set of existing actions on Add propose action button manually.

Add initial action: the user selects an initial action from the action list which the initial action is shown in the First action box manually.

Add transition relation: it shows the transition relations that are constructed in forms of From/To/By structure. All of the transition relations are listed in transition relation list box manually.

Generate a behavioral model: it consists of a button which generates a graphical state transition diagram in form of the GraphViz output automatically.

Generate symbolic code: it is a symbolic code generation for constructing the final SMV code in the following textbox. This textbox is an editable platform for copying and modifying the SMV code. When the checkbox reduce is checked, then the model is reduced according to the reduction approach and the reduced final SMV code is generated. Also, the framework generates the new graphical diagram for reduced model automatically.

Specification generators: by selecting the specification rules, the GSMT produces the temporal formulas automatically. In the column of CTL specification generator, there are 4 specification rules for adding to the end of the SMV code automatically.
Example 2
This example illustrates a translation procedure for a labeled model to the SMV code. A modeling and verification approach is done based on the NuSMV model checker automatically. According to Definition 3, the formal description of the LTS of Example 2 is as follow:

Set of the state S = (S1, S2, S3, S4, S5, S6).

The initial state M = S1.

The set of atomic propositoins A = (a1, a2, a3, a4, a5, a6).

The set of transition relations T = {(S1, a1, S2), (S2, a2, S3), (S2, a2, S4), (S3, a3, S5), (S4, a4, S6), (S5, a5, S6), (S5, a3, S3), (S6, a6, S1)}.

The execution time of this model is 328.9 ms;

Generating 42 deadlockfree properties;

Generating 1260 reachability properties;

Generating 1260 liveness properties;

Generating 3450 safety properties.
Performance evaluation
For comparing the performance of GSMT and the other translator frameworks, some test case examples are analyzed. In this experiment, an Intel^{®} Core™ i56200U @ 2.30 GHz CPU, and 8 GB memory in Windows 10 have been used.
Test cases of the GSMT analysis
Test case  No. states  No. Trans 

Case 1  10  8 
Case 2  50  70 
Case 3  100  150 
Case 4  500  650 
Case 5  1000  1250 
Case 6  5000  5700 
Case 7  10,000  13,500 
Case 8  20,000  27,000 
Case 9  50,000  65,000 
Case 10  100,000  155,000 
Comparison of the state space reduction for the test cases in GSMT
Case study  Model  State space reduction %  

Original model  Reduced model  
No. states  No. Trans  No. states  No. Trans  
Case 1  10  8  8  13  17.65 
Case 2  50  70  41  57  18.3 
Case 3  100  150  77  120  23 
Case 4  500  650  410  554  18.5 
Case 5  1000  1250  832  1021  18.25 
Case 6  5000  5700  4078  5287  18.1 
Case 7  10,000  13,500  8268  11,752  18.9 
Case 8  20,000  27,000  16,378  26,274  17.5 
Case 9  50,000  65,000  42,680  61,723  18.2 
Case 10  100,000  155,000  84,727  148,316  18.1 
Discussion
Assessment principles for related frameworks in the verification environment
Factor  Tool  

GSMT  WaVer [56]  FBD [54]  PLC [57]  SysMLja [58]  IStar [59]  SimuLink [60]  FOAM [61]  ArchiMate [63]  S2N [64]  Petrinet2smv [65]  
Code generation  ✓  ✓  ✓  ✓  ✓  ✓  ✓  ✓  ✓  ✓  ✓ 
Editor layer  ✓  ✓  ✓  –  ✓  ✓  ✓  –  ✓  –  ✓ 
Graphical model generation  ✓  –  ✓  –  –  –  –  –  ✓  –  – 
Property generation  ✓  –  –  –  –  –  –  –  –  –  – 
Reduction approach  ✓  –  –  –  –  –  –  –  –  –  – 
Conclusion and future work
In this research, a GSMT is presented with respect to simplifying the behavioral modeling software systems. It consists of the behavioral modeling in form of the LTS and the KS, generating a graphical state exploration diagram of the behavioral model, generating the expected specification rules automatically, translating the behavioral model to the SMV codes, and reduction of the state space. The important functionality of the GSMT is the implementation of the syntactic reduced approach that ameliorates the state space explosion. Also, the framework generates the specification rules for proofing the correctness of the model automatically. In order to use the NuSMV, the GSMT supports both the LTL and CTL formulas to add the final code for execution in the interactive environment. The experimental results of the GSMT shown that this framework has usability and simplicity for behavioral modeling software and hardware systems. In comparison analysis, the reduction approach can significantly decrease the execution time for model verification. In addition, the framework has a sufficient execution time for generating final executable SMV code rather than the other translation model checking frameworks. In checking the generated specification properties for each model in average, the 55% of the generated deadlock properties is true, the 73.5% of the reachability properties is true, the 100% of the liveness properties is true, and the 93% of the safety properties is true. In the future work, we will add some key features such as contracting the formal specification using picalculus and model checking in an integrated framework, improving the specification rules generation according to behavioral model satisfactory, refining the state space reduction percentage for the complex systems, and applying the multiaction transition associations for decreasing the state space complexity.
Footnotes
Notes
Authors’ contributions
All authors read and approved the final manuscript.
Acknowledgements
Not applicable.
Competing interests
The authors declare that they have no competing interests.
Availability of data and materials
Not applicable.
Funding
No funding was received.
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
References
 1.Mitsch S, Passmore GO, Platzer A (2014) Collaborative verificationdriven engineering of hybrid systems. Math Comput Sci 8:71–97CrossRefGoogle Scholar
 2.Li Y, Tao F, Cheng Y, Zhang X, Nee AYC (2017) Complex networks in advanced manufacturing systems. J Manuf Syst 43:409–421CrossRefGoogle Scholar
 3.Vakili A, Navimipour NJ (2017) Comprehensive and systematic review of the service composition mechanisms in the cloud environments. J Netw Comput Appl 81:24–36CrossRefGoogle Scholar
 4.Keshanchi B, Souri A, Navimipour NJ (2017) An improved genetic algorithm for task scheduling in the cloud environments using the priority queues: formal verification, simulation, and statistical testing. J Syst Softw 124:1–21CrossRefGoogle Scholar
 5.Glaßer C, Pavan A, Travers S (2011) The fault tolerance of NPhard problems. Inf Comput 209:443–455MathSciNetCrossRefGoogle Scholar
 6.Higashino WA, Capretz MAM, Bittencourt LF (2016) CEPSim: modelling and simulation of complex event processing systems in cloud environments. Future Gener Comput Syst 65:122–139CrossRefGoogle Scholar
 7.Suh YK, Lee KY (2018) A survey of simulation provenance systems: modeling, capturing, querying, visualization, and advanced utilization. Hum Centric Comput Inf Sci 8:27CrossRefGoogle Scholar
 8.Dill DL (1998) What’s between simulation and formal verification? (extended abstract). In: Presented at the proceedings of the 35th annual design automation conference, San Francisco, California, USAGoogle Scholar
 9.Li K, Liu L, Zhai J, Kosgoftaar TM, Shao M, Liu W (2017) Reliability evaluation model of componentbased software based on complex network theory. Qual Reliab Eng Int 33(3):543–550CrossRefGoogle Scholar
 10.Khan W, Ullah H, Ahmad A, Sultan K, Alzahrani AJ, Khan SD et al (2018) CrashSafe: a formal model for proving crashsafety of Android applications. Hum Centric Comput Inf Sci 8:21CrossRefGoogle Scholar
 11.Kim J, Won Y (2017) Patch integrity verification method using dual electronic signatures. J Inf Process Syst 13Google Scholar
 12.Hu K, Lei L, Tsai WT (2016) Multitenant verificationasaservice (VaaS) in a cloud. Simul Model Pract Theory 60:122–143CrossRefGoogle Scholar
 13.Jafari Navimipour N (2015) A formal approach for the specification and verification of a Trustworthy Human Resource Discovery mechanism in the Expert Cloud. Expert Syst Appl 42:6112–6131CrossRefGoogle Scholar
 14.Jafari Navimipour N, Habibizad Navin A, Rahmani AM, Hosseinzadeh M (2015) Behavioral modeling and automated verification of a Cloudbased framework to share the knowledge and skills of human resources. Comput Ind 68:65–77CrossRefGoogle Scholar
 15.Souri A (2016) Formal specification and verification of a data replication approach in distributed systems. Int J Next Gener Comput 7(1):18–37Google Scholar
 16.Souri A, Jafari Navimipour N (2014) Behavioral modeling and formal verification of a resource discovery approach in Grid computing. Expert Syst Appl 41:3831–3849CrossRefGoogle Scholar
 17.Souri A, Norouzi M, Safarkhanlou A, Sardroud SHEH (2016) A dynamic data replication with consistency approach in data grids: modeling and verification. Balt J Mod Comput 4:546Google Scholar
 18.Shen VRL, Wang YY, Yu LY (2016) A novel blood pressure verification system for home care. Comput Stand Interfaces 44:42–53CrossRefGoogle Scholar
 19.Rezaee A, Rahmani AM, Movaghar A, Teshnehlab M (2014) Formal process algebraic modeling, verification, and analysis of an abstract Fuzzy Inference Cloud Service. J Supercomput 67:345–383CrossRefGoogle Scholar
 20.Ruiz MC, Cazorla D, Pérez D, Conejero J (2016) Formal performance evaluation of the Map/Reduce framework within cloud computing. J Supercomput 72:3136–3155CrossRefGoogle Scholar
 21.Hermanns H, Herzog U, Katoen JP (2002) Process algebra for performance evaluation. Theoret Comput Sci 274:43–87MathSciNetCrossRefGoogle Scholar
 22.Tini S, Larsen KG, Gebler D (2017) Compositional bisimulation metric reasoning with probabilistic process calculi. Log Methods Comput Sci 12(4):2627MathSciNetzbMATHGoogle Scholar
 23.Chen X, Wang L (2017) Exploring fog computing based adaptive vehicular data scheduling policies through a compositional formal methodPEPA. IEEE Commun Lett. 2017Google Scholar
 24.Challenger M, Mernik M, Kardas G, Kosar T (2016) Declarative specifications for the development of multiagent systems. Comput Stand Interfaces 43:91–115CrossRefGoogle Scholar
 25.Hao F, Sim DS, Park DS, Seo HS (2017) Similarity evaluation between graphs: a formal concept analysis approach. JIPS 13:1158–1167Google Scholar
 26.Sardar MU, Hasan O, Shafique M, Henkel J (2017) Theorem proving based formal verification of distributed dynamic thermal management schemes. J Parallel Distrib Comput 100:157–171CrossRefGoogle Scholar
 27.Srikanth A, Sahin B, Harris WR (2017) Complexity verification using guided theorem enumeration. In: Proceedings of the 44th ACM SIGPLAN symposium on principles of programming languages, pp 639–652Google Scholar
 28.Xue T, Ying S, Wu Q, Jia X, Hu X, Zhai X et al (2017) Verifying integrity of exception handling in serviceoriented software. Int J Grid Util Comput 8:7–21CrossRefGoogle Scholar
 29.Copet PB, Marchetto G, Sisto R, Costa L (2017) Formal verification of LTEUMTS and LTE–LTE handover procedures. Comput Stand Interfaces 50:92–106CrossRefGoogle Scholar
 30.Edmund J, Clarke M, Grumberg O, Peled DA (1999) Model checking. MIT Press, CambridgeGoogle Scholar
 31.LeitnerFischer F, Leue S (2013) Causality checking for complex system models. In: Giacobazzi R, Berdine J, Mastroeni I (eds) Proceedings of verification, model checking, and abstract interpretation: 14th international conference, VMCAI 2013, Rome, Italy, January 20–22, 2013. Springer Berlin Heidelberg, Berlin, pp 248–267Google Scholar
 32.Merelli E, Paoletti N, Tesei L (2017) Adaptability checking in complex systems. Sci Comput Program 115–116:23–46Google Scholar
 33.Baier C, Katoen JP (2008) Principles of model checking (representation and mind series). The MIT Press, CambridgezbMATHGoogle Scholar
 34.McMillan KL (1993) Symbolic model checking. Kluwer Academic Publishers, NorwellCrossRefGoogle Scholar
 35.Burch JR, Clarke EM, McMillan KL, Dill DL, Hwang LJ (1992) Symbolic model checking: 1020 states and beyond. Inf Comput 98:142–170CrossRefGoogle Scholar
 36.Souri A, Norouzi M (2015) A new probable decision making approach for verification of probabilistic realtime systems. In: 2015 6th IEEE international conference on software engineering and service science (ICSESS), pp 44–47Google Scholar
 37.Cimatti A, Clarke E, Giunchiglia F, Roveri M (2000) NuSMV: a new symbolic model checker. Int J Softw Tools Technol Transfer 2:410–425CrossRefGoogle Scholar
 38.Sun J, Liu Y, Dong JS (2008) Model checking CSP revisited: introducing a process analysis toolkit. In: International symposium on leveraging applications of formal methods, verification and validation, pp 307–322Google Scholar
 39.Holzmann GJ (1997) The model checker SPIN. IEEE Trans Softw Eng 23:279–295CrossRefGoogle Scholar
 40.Bengtsson J, Larsen K, Larsson F, Pettersson P, Yi W (1995) UPPAAL—a tool suite for automatic verification of realtime systems. In: International hybrid systems workshop, pp 232–243Google Scholar
 41.Podivinsky J, Cekan O, Lojda J, Zachariasova M, Krcma M, Kotasek Z (2017) Functional verification based platform for evaluating fault tolerance properties. Microprocess Microsyst 52:145–159CrossRefGoogle Scholar
 42.Wang S, Huang K (2016) Improving the efficiency of functional verification based on test prioritization. Microprocess Microsyst 41:1–11CrossRefGoogle Scholar
 43.Balasubramaniyan S, Srinivasan S, Buonopane F, Subathra B, Vain J, Ramaswamy S (2016) Design and verification of CyberPhysical Systems using TrueTime, evolutionary optimization and UPPAAL. Microprocess Microsyst 42:37–48CrossRefGoogle Scholar
 44.Kaufmann P, Kronegger M, Pfandler A, Seidl M, Widl M (2015) Intra and interdiagram consistency checking of behavioral multiview models. Comput Lang Syst Struct 44(Part A):72–88zbMATHGoogle Scholar
 45.LópezFernández JJ, Guerra E, de Lara J (2016) Combining unit and specificationbased testing for metamodel validation and verification. Inf Syst 62:104–135CrossRefGoogle Scholar
 46.Amálio N, Glodt C (2015) A tool for visual and formal modelling of software designs. Sci Comput Program 98(Part 1):52–79CrossRefGoogle Scholar
 47.Holzmann GJ, Joshi R, Groce A (2008) New challenges in model checking. In: Grumberg O, Veith H (eds) 25 years of model checking: history, achievements, perspectives, Springer Berlin Heidelberg, Berlin, pp 65–76Google Scholar
 48.Bozzano M, Villafiorita A (2006) The FSAP/NuSMVSA safety analysis platform. Int J Softw Tools Technol Transfer 9:5CrossRefGoogle Scholar
 49.Głuchowski P (2016) NuSMV model verification of an airport traffic control system with deontic rules. In: Zamojski W, Mazurkiewicz J, Sugier J, Walkowiak T, Kacprzykj (eds) Dependability engineering and complex systems: proceedings of the eleventh international conference on dependability and complex systems DepCoSRELCOMEX. June 27–July 1, 2016, Brunów, Poland, Springer International Publishing, Cham, pp 195–206Google Scholar
 50.Safarkhanlou A, Souri A, Norouzi M, Sardroud SEH (2015) Formalizing and verification of an antivirus protection service using model checking. Procedia Comput Sci 57:1324–1331CrossRefGoogle Scholar
 51.Ngo VC, Legay A (2018) Formal verification of probabilistic SystemC models with statistical model checking. J Softw Evol Process 30:e1890CrossRefGoogle Scholar
 52.Li W, Hayes JH, Antoniol G, Guéhéneuc YG, Adams B (2016) Error leakage and wasted time: sensitivity and effort analysis of a requirements consistency checking process. J Softw Evol Process 28:1061–1080CrossRefGoogle Scholar
 53.Mercorio F (2013) Model checking for universal planning in deterministic and nondeterministic domains. AI Commun 26:257–259Google Scholar
 54.Li J, Qeriqi A, Steffen M, Yu IC. Automatic translation from FBDPLCprograms to NuSMV for model checking safetycritical control systems. 2016Google Scholar
 55.Sharma PK, Ryu JH, Park KY, Park JH, Park JH (2018) LiFi based on security cloud framework for future IT environment. Hum Centric Comput Inf Sci 8:23CrossRefGoogle Scholar
 56.Castelluccia D, Mongiello M, Ruta M, Totaro R (2006) WAVer: a model checkingbased tool to verify web application design. Electron Notes Theor Comput Sci 157:61–76CrossRefGoogle Scholar
 57.Abdelsadiq A (2013) A toolkit for model checking of electronic contractsGoogle Scholar
 58.Caltais G, LeitnerFischer F, Leue S, Weiser J (2016) SysML to NuSMV model transformation via objectorientationGoogle Scholar
 59.Deb N, Chaki N, Ghose A (2016) Extracting finite state models from i* models. J Syst Softw 121:265–280CrossRefGoogle Scholar
 60.Meenakshi B, Bhatnagar A, Roy S (2006) Tool for translating Simulink models into input language of a model checkerGoogle Scholar
 61.Vinárek J, Ŝimko V, Hnĕtynka P (2015) Verification of usecases with FOAM tool in context of cloud providers. In: 2015 41st euromicro conference on software engineering and advanced applications, pp 151–158Google Scholar
 62.Simko V, Hauzar D, Hnetynka P, Bures T, Plasil F (2015) Formal verification of annotated textual usecases. Comput J 58:1495–1529CrossRefGoogle Scholar
 63.Szwed P (2015) Verification of ArchiMate behavioral elements by model checking. In: Saeed K, Homenda W (eds) Computer information systems and industrial management: 14th IFIP TC 8 international conference, CISIM 2015, Warsaw, Poland, September 24–26, 2015, proceedings, Springer International Publishing, Cham, pp 132–144Google Scholar
 64.Jiang Y, Qiu Z (2012) S2N: model transformation from SPIN to NuSMV. In: Presented at the PROCEEDINGS of the 19th international conference on Model Checking Software, Oxford, UKGoogle Scholar
 65.Szpyrka M, Biernacka A, Biernacki J (2014) Methods of translation of petri nets to NuSMV language. In: CS&P, pp 245–256Google Scholar
 66.Browne MC, Clarke EM, Grümberg O (1987) Characterizing Kripke structures in temporal logic. In: presented at the The International Joint Conference on theory and practice of software development on TAPSOFT ‘87, Pisa, ItalyGoogle Scholar
 67.Reniers MA, Willemse TAC (2011) Folk theorems on the correspondence between statebased and eventbased systems. In: Černá I, Gyimóthy T, Hromkovič J, Jefferey K, Králović R, Vukolić M, et al. (eds) SOFSEM 2011: theory and practice of computer science: 37th conference on current trends in theory and practice of computer science, Nový Smokovec, Slovakia, January 22–28, 2011. Proceedings, Springer Berlin Heidelberg, Berlin, pp 494–505Google Scholar
 68.GhobaeiArani M, Rahmanian AA, Souri A, Rahmani AM (2018) A mothflame optimization algorithm for web service composition in cloud computing: simulation and verification. Softw Pract Exp 48:1865–1892Google Scholar
 69.Souri A, Nourozi M, Rahmani AM, Navimipour NJ (2018) A model checking approach for user relationship management in the social network. Kybernetes. https://doi.org/10.1108/K0220180092092 CrossRefGoogle Scholar
 70.Bouneb M, Saidouni DE, Ilie JM (2015) A reduced maximality labeled transition system generation for recursive Petri nets. Formal Aspects Comput 27:951–973MathSciNetCrossRefGoogle Scholar
 71.Sibay GE, Braberman V, Uchitel S, Kramer J (2013) Synthesizing modal transition systems from triggered scenarios. IEEE Trans Softw Eng 39:975–1001CrossRefGoogle Scholar
 72.Souri A, Rahmani AM, Jafari Navimipour N (2018) Formal verification approaches in the web service composition: a comprehensive analysis of the current challenges for future research. Int J Commun Syst 31:1–27CrossRefGoogle Scholar
 73.Rozier KY (2011) Linear temporal logic symbolic model checking. Comput Sci Rev 5:163–203CrossRefGoogle Scholar
 74.Zhao Y, Rozier KY (2014) Formal specification and verification of a coordination protocol for an automated air traffic control system. Sci Comput Program 96(Part 3):337–353CrossRefGoogle Scholar
 75.Bollig B (2016) On the minimization of (complete) ordered binary decision diagrams. Theory Comput Syst 59:532–559MathSciNetCrossRefGoogle Scholar
 76.Sharma A (2012) A two step perspective for Kripke structure reduction. arXiv preprint arXiv:1210.0408
 77.Gradara S, Santone A, Villani ML, Vaglini G (2004) Model checking multithreaded programs by means of reduced models. Electron Notes Theor Comput Sci 110:55–74CrossRefGoogle Scholar
 78.Flanagan C, Godefroid P (2005) Dynamic partialorder reduction for model checking software. In: Presented at the proceedings of the 32nd ACM SIGPLANSIGACT symposium on principles of programming languages, Long Beach, California, USAGoogle Scholar
 79.Reniers MA, Schoren R, Willemse TAC (2014) Results on embeddings between statebased and eventbased systems. Comput. J 57:73–92CrossRefGoogle Scholar
Copyright information
Open AccessThis article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.