Compositional Model Checking with Incremental Counter-Example Construction

  • Anton WijsEmail author
  • Thomas Neele
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10426)


In compositional model checking, the approach is to reason about the correctness of a system by lifting results obtained in analyses of subsystems to the system-level. The main challenge, however, is that requirements, in the form of temporal logic formulae, are usually specified at the system-level, and it is not obvious how to relate these to subsystem-local behaviour. In this paper, we propose a new approach to checking regular safety properties, which we call Incremental Counter-Example Construction (ICC). Its main strong point is that it performs a series of model checking procedures, and that each one only explores a small part of the entire state space. This makes ICC an excellent approach in those cases where state space explosion is an issue. Moreover, it is frequently much faster than traditional explicit-state model checking, particularly when the model satisfies the verified property, and in most cases not significantly slower. We explain the technique, and report on experiments we have conducted using an implementation of ICC, comparing the results to those obtained with other approaches.


  1. 1.
    de Alfaro, L., Henzinger, T.: Interface automata. ACM SIGSOFT Softw. Eng. Notes 26(5), 109–120 (2001)CrossRefGoogle Scholar
  2. 2.
    Angluin, D.: Learning regular sets from queries and counterexamples. Inf. Comput. 75, 87–106 (1987)MathSciNetCrossRefzbMATHGoogle Scholar
  3. 3.
    Baier, C., Katoen, J.P.: Principles of Model Checking. The MIT Press, Cambridge (2008)Google Scholar
  4. 4.
    Bal, H., Epema, D., de Laat, C., van Nieuwpoort, R., Romein, J., Seinstra, F., Snoek, C., Wijshoff, H.: A medium-scale distributed system for computer science research: infrastructure for the long term. IEEE Comput. 49(5), 54–63 (2016)CrossRefGoogle Scholar
  5. 5.
    Bensalem, S., Bozga, M., Legay, A., Nguyen, T.H., Sifakis, J., Yan, R.: Incremental component-based construction and verification using invariants. In: FMCAD, pp. 257–266. IEEE (2010)Google Scholar
  6. 6.
    Bensalem, S., Bozga, M., Legay, A., Nguyen, T.H., Sifakis, J., Yan, R.: Component-based verification using incremental design and invariants. Softw. Syst. Model. 15(2), 427–451 (2016)CrossRefGoogle Scholar
  7. 7.
    Brookes, S., Hoare, C., Roscoe, A.: A theory of communicating sequential processes. J. ACM 31(3), 560–599 (1984)MathSciNetCrossRefzbMATHGoogle Scholar
  8. 8.
    Camilli, M., Bellettini, C., Capra, L., Monga, M.: CTL model checking in the cloud using MapReduce. In: SYNACS, pp. 333–340. IEEE (2014)Google Scholar
  9. 9.
    Chen, Y.-F., Clarke, E.M., Farzan, A., Tsai, M.-H., Tsay, Y.-K., Wang, B.-Y.: Automated assume-guarantee reasoning through implicit learning. In: Touili, T., Cook, B., Jackson, P. (eds.) CAV 2010. LNCS, vol. 6174, pp. 511–526. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-14295-6_44 CrossRefGoogle Scholar
  10. 10.
    Clarke, E., Long, D., McMillan, K.: Compositional model checking. In: LICS, pp. 353–362. IEEE (1989)Google Scholar
  11. 11.
    Clarke, E., Grumberg, O., Jha, S., Lu, Y., Veith, H.: Counterexample-guided abstraction refinement. In: Emerson, E.A., Sistla, A.P. (eds.) CAV 2000. LNCS, vol. 1855, pp. 154–169. Springer, Heidelberg (2000). doi: 10.1007/10722167_15 CrossRefGoogle Scholar
  12. 12.
    Cobleigh, J.M., Giannakopoulou, D., Păsăreanu, C.S.: Learning assumptions for compositional verification. In: Garavel, H., Hatcliff, J. (eds.) TACAS 2003. LNCS, vol. 2619, pp. 331–346. Springer, Heidelberg (2003). doi: 10.1007/3-540-36577-X_24 CrossRefGoogle Scholar
  13. 13.
    Cobleigh, J., Avrunin, G., Clarke, L.: Breaking up is hard to do: an evaluation of automated assume-guarantee reasoning. ACM Trans. Softw. Eng. Methodol. 17(2), 7 (2008)Google Scholar
  14. 14.
    Courcoubetis, C., Vardi, M., Wolper, P., Yannakakis, M.: Memory efficient algorithms for the verification of temporal properties. In: Clarke, E.M., Kurshan, R.P. (eds.) CAV 1990. LNCS, vol. 531, pp. 233–242. Springer, Heidelberg (1991). doi: 10.1007/BFb0023737 CrossRefGoogle Scholar
  15. 15.
    Cranen, S., Groote, J.F., Keiren, J.J.A., Stappers, F.P.M., de Vink, E.P., Wesselink, W., Willemse, T.A.C.: An overview of the mCRL2 toolset and its recent advances. In: Piterman, N., Smolka, S.A. (eds.) TACAS 2013. LNCS, vol. 7795, pp. 199–213. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-36742-7_15 CrossRefGoogle Scholar
  16. 16.
    Crouzen, P., Lang, F.: Smart reduction. In: Giannakopoulou, D., Orejas, F. (eds.) FASE 2011. LNCS, vol. 6603, pp. 111–126. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-19811-3_9 CrossRefGoogle Scholar
  17. 17.
    Elkader, K.A., Grumberg, O., Păsăreanu, C.S., Shoham, S.: Automated circular assume-guarantee reasoning. In: Bjørner, N., de Boer, F. (eds.) FM 2015. LNCS, vol. 9109, pp. 23–39. Springer, Cham (2015). doi: 10.1007/978-3-319-19249-9_3 CrossRefGoogle Scholar
  18. 18.
    Abd Elkader, K., Grumberg, O., Păsăreanu, C.S., Shoham, S.: Automated circular assume-guarantee reasoning with N-way decomposition and alphabet refinement. In: Chaudhuri, S., Farzan, A. (eds.) CAV 2016. LNCS, vol. 9779, pp. 329–351. Springer, Cham (2016). doi: 10.1007/978-3-319-41528-4_18 Google Scholar
  19. 19.
    Evangelista, S., Pradat-Peyre, J.-F.: Memory efficient state space storage in explicit software model checking. In: Godefroid, P. (ed.) SPIN 2005. LNCS, vol. 3639, pp. 43–57. Springer, Heidelberg (2005). doi: 10.1007/11537328_7 CrossRefGoogle Scholar
  20. 20.
    Finkbeiner, B., Peter, H.-J., Schewe, S.: RESY: requirement synthesis for compositional model checking. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 463–466. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-78800-3_35 CrossRefGoogle Scholar
  21. 21.
    Finkbeiner, B., Schewe, S., Brill, M.: Automatic synthesis of assumptions for compositional model checking. In: Najm, E., Pradat-Peyre, J.-F., Donzeau-Gouge, V.V. (eds.) FORTE 2006. LNCS, vol. 4229, pp. 143–158. Springer, Heidelberg (2006). doi: 10.1007/11888116_12 CrossRefGoogle Scholar
  22. 22.
    Flanagan, C., Freund, S., Qadeer, S., Seshia, S.: Modular verification of multithreaded programs. TCS 338(1–3), 153–183 (2005)MathSciNetCrossRefzbMATHGoogle Scholar
  23. 23.
    Garavel, H., Lang, F., Mateescu, R.: Compositional verification of asynchronous concurrent systems using CADP. Acta Inform. 52(4–5), 337–392 (2015)MathSciNetCrossRefzbMATHGoogle Scholar
  24. 24.
    Garavel, H., Lang, F., Mateescu, R., Serwe, W.: CADP 2011: a toolbox for the construction and analysis of distributed processes. STTT 15(2), 89–107 (2013)CrossRefzbMATHGoogle Scholar
  25. 25.
    Geldenhuys, J.: State caching reconsidered. In: Graf, S., Mounier, L. (eds.) SPIN 2004. LNCS, vol. 2989, pp. 23–38. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-24732-6_3 CrossRefGoogle Scholar
  26. 26.
    Groote, J.F., Wijs, A.: An \(O(m\log n)\) algorithm for stuttering equivalence and branching bisimulation. In: Chechik, M., Raskin, J.-F. (eds.) TACAS 2016. LNCS, vol. 9636, pp. 607–624. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-49674-9_40 CrossRefGoogle Scholar
  27. 27.
    Grumberg, O., Meller, Y.: Learning-based compositional model checking of behavioral UML systems. In: Dependable Software Systems Engineering, NATO Science for Peace and Security Series - D: Information and Communication Security, vol. 45, pp. 117–136. IOS Press (2016)Google Scholar
  28. 28.
    Gupta, A., McMillan, K.L., Fu, Z.: Automated assumption generation for compositional verification. In: Damm, W., Hermanns, H. (eds.) CAV 2007. LNCS, vol. 4590, pp. 420–432. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-73368-3_45 CrossRefGoogle Scholar
  29. 29.
    Gupta, A., Popeea, C., Rybalchenko, A.: Threader: a constraint-based verifier for multi-threaded programs. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 412–417. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-22110-1_32 CrossRefGoogle Scholar
  30. 30.
    Henzinger, T.A., Qadeer, S., Rajamani, S.K.: You assume, we guarantee: methodology and case studies. In: Hu, A.J., Vardi, M.Y. (eds.) CAV 1998. LNCS, vol. 1427, pp. 440–451. Springer, Heidelberg (1998). doi: 10.1007/BFb0028765 CrossRefGoogle Scholar
  31. 31.
    Holzmann, G.: The SPIN Model Checker: Primer and Reference Manual. Addison-Wesley, Boston (2003)Google Scholar
  32. 32.
    Lang, F., Mateescu, R.: Partial model checking using networks of labelled transition systems and Boolean equation systems. Logical Methods Comput. Sci. 9(4:1) (2013)Google Scholar
  33. 33.
    Mateescu, R., Wijs, A.: Hierarchical adaptive state space caching based on level sampling. In: Kowalewski, S., Philippou, A. (eds.) TACAS 2009. LNCS, vol. 5505, pp. 215–229. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-00768-2_21 CrossRefGoogle Scholar
  34. 34.
    Mendoza, L.E., Capel, M.I., Pérez, M., Benghazi, K.: Compositional model-checking verification of critical systems. In: Filipe, J., Cordeiro, J. (eds.) ICEIS 2008. LNBIP, vol. 19, pp. 213–225. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-00670-8_16 CrossRefGoogle Scholar
  35. 35.
    Molnár, V., Vörös, A., Darvas, D., Bartha, T., Majzik, I.: Component-wise incremental LTL model checking. Formal Aspects Comput. 28(3), 345–379 (2016)MathSciNetCrossRefzbMATHGoogle Scholar
  36. 36.
    Nam, W., Alur, R.: Learning-based symbolic assume-guarantee reasoning with automatic decomposition. In: Graf, S., Zhang, W. (eds.) ATVA 2006. LNCS, vol. 4218, pp. 170–185. Springer, Heidelberg (2006). doi: 10.1007/11901914_15 CrossRefGoogle Scholar
  37. 37.
    Pelánek, R.: BEEM: benchmarks for explicit model checkers. In: Bošnački, D., Edelkamp, S. (eds.) SPIN 2007. LNCS, vol. 4595, pp. 263–267. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-73370-6_17 CrossRefGoogle Scholar
  38. 38.
    Păsăreanu, C., Giannakopoulou, D., Bobaru, M., Cobleigh, J., Barringer, H.: Learning to divide and conquer: applying the L* algorithm to automate assume-guarantee reasoning. Formal Methods Syst. Des. 32(3), 175–205 (2008)CrossRefzbMATHGoogle Scholar
  39. 39.
    Siirtola, A., Tripakis, S., Heljanko, K.: When do we (not) need complex assume-guarantee rules? In: ACSD, pp. 30–39. IEEE (2015)Google Scholar
  40. 40.
    Sudkamp, T.: Languages and Machines - An Introduction to the Theory of Computer Science. Addison-Wesley, Boston (1988)Google Scholar
  41. 41.
    Verstoep, K., Bal, H., Barnat, J., Brim, L.: Efficient large-scale model checking. In: IPDPS, pp. 1–12. IEEE (2009)Google Scholar
  42. 42.
    Wijs, A.: The HIVE tool for informed swarm state space exploration. In: PDMC Electronic Proceedings in Theoretical Computer Science, vol. 72, pp. 91–98. Open Publishing Association (2011)Google Scholar
  43. 43.
    Wijs, A.: Towards informed swarm verification. In: Bobaru, M., Havelund, K., Holzmann, G.J., Joshi, R. (eds.) NFM 2011. LNCS, vol. 6617, pp. 422–437. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-20398-5_30 CrossRefGoogle Scholar
  44. 44.
    Wijs, A., Bošnački, D.: Many-core on-the-fly model checking of safety properties using GPUs. STTT 18(2), 169–185 (2016)CrossRefGoogle Scholar
  45. 45.
    Wijs, A., Engelen, L.: REFINER: towards formal verification of model transformations. In: Badger, J.M., Rozier, K.Y. (eds.) NFM 2014. LNCS, vol. 8430, pp. 258–263. Springer, Cham (2014). doi: 10.1007/978-3-319-06200-6_21 CrossRefGoogle Scholar
  46. 46.
    Wijs, A.J., Lisser, B.: Distributed extended beam search for quantitative model checking. In: Edelkamp, S., Lomuscio, A. (eds.) MoChArt 2006. LNCS (LNAI), vol. 4428, pp. 166–184. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-74128-2_11 CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. 1.Eindhoven University of TechnologyEindhovenThe Netherlands

Personalised recommendations