Dependency Graphs and Their Application to Model Checking

. Dependency graphs, invented by Liu and Smolka in 1998, are oriented graphs with hyperedges that represent dependencies among the values of the vertices. Numerous model checking problems are reducible to a computation of the minimum ﬁxed-point vertex assignment. Recent works successfully extended the assignments in dependency graphs from the Boolean domain into more general domains in order to speed up the ﬁxed-point computation or to apply the formalism to a more general setting of e.g. weighted logics. All these extensions require separate correctness proofs of the ﬁxed-point algorithm as well as a one-purpose implementation. We suggest the notion of abstract dependency graphs where the vertex assignment is deﬁned over an abstract algebraic structure of Noetherian partial orders with the least element. We show that existing approaches are concrete instances of our general framework and provide an open-source C++ library that implements the abstract algorithm. We demonstrate that the performance of our generic implementation is comparable to, and sometimes even outperforms, dedicated special-purpose algorithms presented in the literature.


Introduction
Dependency Graphs (DG) [1] have demonstrated a wide applicability with respect to verification and synthesis of reactive systems, e.g.checking behavioural equivalences between systems [2], model checking systems with respect to temporal logical properties [3][4][5], as well as synthesizing missing components of systems [6].The DG approach offers a general and often performance-optimal way to solve these problem.Most recently, the DG approach to CTL model checking of Petri nets [7], implemented in the model checker TAPAAL [8], won the gold medal at the annual Model Checking Contest 2018 [9].
A DG consists of a finite set of vertices and a finite set of hyperedges that connect a vertex to a number of children vertices.The computation problem is to find a point-wise minimal assignment of vertices to the Boolean values 0 and 1 such that the assignment is stable: whenever there is a hyperedge where all children have the value 1 then also the father of the hyperedge has the value 1.The main contribution of Liu and Smolka [1] is a linear-time, on-the-fly algorithm to find such a minimum stable assignment.
Recent works successfully extend the DG approach from the Boolean domain to more general domains, including synthesis for timed systems [10], model checking for weighted systems [3] as well as probabilistic systems [11].However, each of these extensions have required separate correctness arguments as well as ad-hoc specialized implementations that are to a large extent similar with other implementations of dependency graphs (as they are all based on the general principle of computing fixed points by local exploration).The contribution of our paper is a notion of Abstract Dependency Graph (ADG) where the values of vertices come from an abstract domain given as an Noetherian partial order (with least element).As we demonstrate, this notion of ADG covers many existing extensions of DG as concrete instances.Finally, we implement our abstract algorithms in C++ and make it available as an open-source library.We run a number of experiments to justify that our generic approach does not sacrifice any significant performance and sometimes even outperforms existing implementations.
Related Work.The aim of Liu and Smolka [1] was to find a unifying formalism allowing for a local (on-the-fly) fixed-point algorithm running in linear time.In our work, we generalize their formalism from the simple Boolean domain to general Noetherian partial orders over potentially infinite domains.This requires a non-trivial extension to their algorithm and the insight of how to (in the general setting) optimize the performance, as well as new proofs of the more general loop invariants and correctness arguments.
Recent extensions of the DG framework with certain-zero [7], integer [3] and even probabilistic [11] domains generalized Liu and Smolka's approach, however they become concrete instances of our abstract dependency graphs.The formalism of Boolean Equation Systems (BES) provides a similar and independently developed framework [12][13][14][15] pre-dating that of DG.However, BES may be encoded as DG [1] and hence they also become an instance of our abstract dependency graphs.

Preliminaries
A set D together with a binary relation ⊆ D × D that is reflexive (x x for any x ∈ D), transitive (for any x, y, z ∈ D, if x y and y x then also x z) and anti-symmetric (for any x, y ∈ D, if x y and y x then x = y) is called a partial order and denoted as a pair (D, ).We write x y if x y and x = y.A function f : D → D from a partial order (D, ) to a partial order (D , ) is monotonic if whenever x y for x, y ∈ D then also f (x) f (y).We shall now define a particular partial order that will be used throughout this paper.We can notice that any finite partial order with a least element is a NOR; however, there are also such relations with infinitely many elements in the domain as shown by the following example.

Definition 1 (NOR). Noetherian Ordering
Example 1.Consider the partial order D = (N 0 ∪ {∞}, ≥, ∞) over the set of natural numbers extended with ∞ and the natural larger-than-or-equal comparison on integers.As the relation is reversed, this implies that ∞ is the least element of the domain.We observe that D is NOR.Consider any infinite sequence d 1 ≥ d 2 ≥ d 3 . . . .Then either d i = ∞ for all i, or there exists i such that d i ∈ N 0 .Clearly, the sequence must in both cases eventually stabilize, i.e. there is a number k such that d k = d k+j for all j > 0.
New NORs can be constructed by using the Cartesian product.Let In the rest of this paper, we consider only NOR (D, , ⊥) that are effectively computable, meaning that the elements of D can be represented by finite strings, and that given the finite representations of two elements x and y from D, there is an algorithm that decides whether x y.Similarly, we consider only functions f : D → D from an effectively computable NOR (D, , ⊥) to an effectively computable NOR (D , , ⊥ ) that are effectively computable, meaning that there is an algorithm that for a given finite representation of an element x ∈ D terminates and returns the finite representation of the element f (x) ∈ D .Let F(D, n), where D = (D, , ⊥) is an effectively computable NOR and n is a natural number, stand for the collection of all effectively computable functions f : D n → D of arity n and let F(D) = n≥0 F(D, n) be a collection of all such functions.
For a set X, let X * be the set of all finite strings over X.For a string w ∈ X * let |w| denote the length of w and for every i, 1 ≤ i ≤ |w|, let w i stand for the i'th symbol in w.

Abstract Dependency Graphs
We are now ready to define the notion of an abstract dependency graph.

Definition 2 (Abstract Dependency Graph
).An abstract dependency graph (ADG) is a tuple G = (V, E, D, E) where -V is a finite set of vertices, -E : V → V * is an edge function from vertices to sequences of vertices such that E(v) i = E(v) j for every v ∈ V and every 1 ≤ i < j ≤ |E(v)|, i.e. the co-domain of E contains only strings over V where no symbol appears more than once,

each edge E(v) is labelled by an effectively computable function f of arity that corresponds to the length of the string E(v).
Example 2. An example of ADG over the NOR D = ({0, 1}, {(0, 1)}, 0) is shown in Fig. 1a.Here 0 (interpreted as false) is below the value 1 (interpreted as true) and the monotonic functions for vertices are displayed as vertex annotations.For example , and E(B) = (empty sequence of vertices) such that E(B) = 1 is a constant labelling function.Clearly, all functions used in our example are monotonic and effectively computable.
Let us now assume a fixed ADG G = (V, E, D, E) over an effectively computable NOR D = (D, , ⊥).We first define an assignment of an ADG.

Definition 3 (Assignment). An assignment on G is a function
The set of all assignments is denoted by A. For A, A ∈ A we define A ≤ A iff A(v) A (v) for all v ∈ V .We also define the bottom assignment A ⊥ (v) = ⊥ for all v ∈ V that is the least element in the partial order (A, ≤).The following proposition is easy to verify.

Proposition 2. The partial order
Finally, we define the minimum fixed-point assignment A min for a given ADG G = (V, E, D, E) as the minimum fixed point of the function F : A → A defined as follows: In the rest of this section, we shall argue that A min of the function F exists by following the standard reasoning about fixed points of monotonic functions [16].

Let us define the notation of multiple applications of the function F by
) for all i ≤ j, and there exists a number k such that We can now finish with the main observation of this section.Theorem 1.There exists a number k such that F j (A ⊥ ) = A min for all j ≥ k.
Example 3. The computation of the minimum fixed point for our running example from Fig. 1a is given in Fig. 1b.We can see that starting from the assignment where all nodes take the least element value 0, in the first iteration all constant functions increase the value of the corresponding vertices to 1 and in the second iteration the value 1 propagates from the vertex B to A, because the function B ∨ (C ∧ D) that is assigned to the vertex A evaluates to true due to the fact that F (A ⊥ )(B) = 1.On the other hand, the values of the vertices D and F keep the assignment 0 due to the cyclic dependencies between the two vertices.As F 2 (A ⊥ ) = F 3 (A ⊥ ), we know that we found the minimum fixed point.
As many natural verification problems can be encoded as a computation of the minimum fixed point on an ADG, the result in Theorem 1 provides an algorithmic way to compute such a fixed point and hence solve the encoded problem.The disadvantage of this global algorithm is that it requires that the whole dependency graph is a priory generated before the computation can be carried out and this approach is often inefficient in practice [3].In the following section, we provide a local, on-the-fly algorithm for computing the minimum fixed-point assignment of a specific vertex, without the need to always explore the whole abstract dependency graph.

On-the-Fly Algorithm for ADGs
The idea behind the algorithm is to progressively explore the vertices of the graph, starting from a given root vertex for which we want to find its value in the minimum fixed-point assignment.To search the graph, we use a waiting list that contains configurations (vertices) whose assignment has the potential of being improved by applying the function E. By repeated applications of E on the vertices of the graph in some order maintained by the algorithm, the minimum fixed-point assignment for the root vertex can be identified without necessarily exploring the whole dependency graph.
To improve the performance of the algorithm, we make use of an optional user-provided function Ignore(A, v) that computes, given a current assignment A and a vertex v of the graph, the set of vertices on an edge E(v) whose current and any potential future value no longer effect the value of A min (v).Hence, whenever a vertex v is in the set Ignore(A, v), there is no reason to explore the subgraph rooted by v for the purpose of computing A min (v) since an improved assignment value of v cannot influence the assignment of v.The soundness property of the ignore function is formalized in the following definition.As before, we assume a fixed ADG G = (V, E, D, E) over an effectively computable NOR D = (D, , ⊥).

for any two assignments A, A ∈ A where A ≤ A and every
From now on, we shall consider only sound and effectively computable ignore functions.Note that there is always a trivially sound Ignore function that returns for every assignment and every vertex the empty set.A more interesting and universally sound ignore function may be defined by that returns the set of all vertices on an edge E(v) once A(v) reached its maximal possible value.This will avoid the exploration of the children of the vertex v once the value of v in the current assignment cannot be improved any more.Already this can have a significant impact on the improved performance of the algorithm; however, for concrete instances of our general framework, the user can provide more precise and case-specific ignore functions in order to tune the performance of the fixed-point algorithm, as shown by the next example.The following lemma formalizes the fact that once the ignore function of a vertex contains all its children and the vertex value has been relaxed by applying the associated monotonic function, then its current assignment value is equal to the vertex value in the minimum fixed-point assignment.

Lemma 3. Let A be an assignment such that
In Algorithm 1 we now present our local (on-the-fly) minimum fixed-point computation.The algorithm uses the following internal data structures: -A is the currently computed assignment that is initialized to A ⊥ , -W is the waiting list containing the set of pending vertices to be explored, -Passed is the set of explored vertices, and -Dep : V → 2 V is a function that for each vertex v returns a subset of vertices that should be reevaluated whenever the assignment value of v improves.
Input: An effectively computable ADG G = (V, E, D, E) and v0 ∈ V .Output: Amin (v0) "break out of the while loop" The algorithm starts by inserting the root vertex v 0 into the waiting list.In each iteration of the while-loop it removes a vertex v from the waiting list and performs a check whether there is some other vertex that depends on the value of v.If this is not the case, we are not going to explore the vertex v and recursively propagate this information to the children of v.After this, we try to improve the current assignment of A(v) and if this succeeds, we update the waiting list by adding all vertices that depend on the value of v to W , and we test if the algorithm can early terminate (should the root vertex v 0 get its final value).Otherwise, if the vertex v has not been explored yet, we add all its children to the waiting list and update the dependencies.We shall now state the termination and correctness of our algorithm.mimicking the computation in dependency graphs.For the efficiency of fixedpoint computation in abstract dependency graphs it is important to provide an Ignore function that includes as many vertices as possible.We shall use the following one meaning that once there is a hyperedge with all the target vertices with value 1 (that propagates the value 1 to the root of the hyperedge), then the vertices of all other hyperedges can be ignored.This ignore function is, as we observed when running experiments, more efficient than this simpler one because it avoids the exploration of vertices that can be ignored before the root v is picked from the waiting list.Our encoding hence provides a generic and efficient way to model and solve problems described by Boolean equations [18] and dependency graphs [17].

Certain-Zero Dependency Graphs
Liu and Smolka's on-the-fly algorithm for dependency graphs significantly benefits from the fact that if there is a hyperedge with all target vertices having the value 1 then this hyperedge can propagate this value to the source of the hyperedge without the need to explore the remaining hyperedges.Moreover, the algorithm can early terminate should the root vertex v 0 get the value 1.On the other hand, if the final value of the root is 0 then the whole graph has to be explored and no early termination is possible.Recently, it has been noticed [19] that the speed of fixed-point computation by Liu and Smolka's algorithm can been considerably improved by considering also certain-zero value in the assignment that can, in certain situations, propagate from children vertices to their parents and once it reaches the root vertex, the algorithm can early terminate.
We shall demonstrate that this extension can be directly implemented in our generic framework, requiring only a minor modification of the abstract dependency graph.Let G = (V, H) be a given dependency graph.We consider now a NOR D = ({⊥, 0, 1}, , ⊥) where ⊥ 0 and ⊥ 1 but 0 and 1, the 'certain' values, are incomparable.We use the labelling function so that it rephrases the method described in [19].In order to achieve a competitive performance, we use the following ignore function.
Our experiments presented in Sect.6 show a clear advantage of the certainzero algorithm over the classical one, as also demonstrated in [19].

Weighted Symbolic Dependency Graphs
In this section we show an application that instead of a finite NOR considers an ordering with infinitely many elements.This allows us to encode e.g. the model checking problem for weighted CTL logic as demonstrated in [3,20].The main difference, compared to the dependency graphs in Sect.5.1, is the addition of cover-edges and hyperedges with weight.
A weighted symbolic dependency graph, as introduced in [20], is a triple G = (V, H, C), where V is a finite set of vertices, H ⊆ V × 2 (N 0 ×V ) is a finite set of hyperedges and C ⊆ V × N 0 × V a finite set of cover-edges.We assume the natural ordering relation > on natural numbers such that ∞ > n for any n ∈ N 0 .An assignment A : V → N 0 ∪ {∞} is a mapping from configurations to values.A fixed-point assignment is an assignment A such that where we assume that max ∅ = 0 and min ∅ = ∞.As before, we are interested in computing the value A min (v 0 ) for a given vertex v 0 where A min is the minimum fixed-point assignment.
In order to instantiate weighted symbolic dependency graphs in our framework, we use the NOR D = (N 0 ∪ {∞}, ≥, ∞) as introduced in Example 1 and define an abstract dependency graph G = (V, E, D, E).We let E : V → V * be defined as (w,vi)∈T {v i } is the set (in some fixed order) of all vertices that are used in hyperedges and {c 1 , . . ., c n } = (v,w,u)∈C {u} is the set (in some fixed order) of all vertices connected to cover-edges.Finally, we define the labelling function E as In our experiments, we consider the following ignore function.

Fig. 2. The C++ interface
This shows that also the formalism of weighted symbolic dependency graphs can be modelled in our framework and the experimental evaluation documents that it outperforms the existing implementation.

Implementation and Experimental Evaluation
The algorithm is implemented in C++ and the signature of the user-provided interface in order to use the framework is shown in Fig. 2. The structure ADG is the main interface the algorithm uses.It assumes the definition of the type Value that represents the NOR, and the type VertexRef that represents a light-weight reference to a vertex and the bottom element.The type aliased as VRA contains both a Value and a VertexRef and represents the assignment of a vertex.The user must also provide the implementation of the functions: initialVertex that returns the root vertex v 0 , getEdge that returns ordered successors for a given vertex, compute that computes E(v) for a given assignment of v and its successors, and updateIgnored that receives the assignment of a vertex and its successors and sets the ignore flags.
We instantiated this interface to three different applications as discussed in Sect. 5.The source code of the algorithm and its instantiations is available at https://launchpad.net/adg-tool/.
We shall now present a number of experiments showing that our generic implementation of abstract dependency graph algorithm is competitive with single-purpose implementations mentioned in the literature.The first two experiments (bisimulation checking for CCS processes and CTL model checking of Petri nets) were run on a Linux cluster with AMD Opteron 6376 processors running Ubuntu 14.04.We marked an experiment as OOT if it run for more than one hour and OOM if it used more than 16 GB of RAM.The final experiment for WCTL model checking required to be executed on a personal computer as the tool we compare to is written in JavaScript, so each problem instance was run on a Lenovo ThinkPad T450s laptop with an Intel Core i7-5600U CPU @ 2.60 GHz and 12 GB of memory.

Bisimulation Checking for CCS Processes
In our first experiment, we encode using ADG a number of weak bisimulation checking problems for the process algebra CCS.The encoding was described in [2] where the authors use classical Liu and Smolka's dependency graphs to solve the problems and they also provide a C++ implementation (referred to as DG in the tables).We compare the verification time needed to answer both positive and negative instances of the test cases described in [2]. Figure 3 shows the results where DG refers to the implementation from [2] and ADG is our implementation using abstract dependency graphs.It displays the verification time in seconds and peak memory consumptions in MB for both implementations as well as the relative improvement in percents.We can see that the performance of both algorithms is comparable, slightly in favour of our algorithm, sometimes showing up to 103% speedup like in the case of nonbisimilar processes in leader election of size 8.For nonbisimilar processes modelling alternating bit protocol of size 5 we observe a 19% slowdown caused by the different search strategies so that the counter-example to bisimilarity is found faster by the implementation from [2].Memory-wise, the experiments are slightly in favour of our implementation.
We further evaluated the performance for weak simulation checking on task graph scheduling problems.We verified 180 task graphs from the Standard Task Graph Set as used in [2] where we check for the possibility to complete all tasks In Fig. 5 we present an analogous table for the peak memory consumption of the two algorithms.In the middle experiment ParamProductionCell-PT-4:13 we use 42% extra memory compared to VerifyPN.Hence we have a trade-off between the verification speed and memory consumption where our implementation is faster but consumes more memory.We believe that this is due to the use of the waiting list where we store directly vertices (allowing for a fast access to their assignment), compared to storing references to hyperedges in the VerifyPN implementation (saving the memory).Given the 16 GB memory limit we used in our experiments, this results in the fact that we were able to solve only 144 instances, compared to 218 answers provided by VerifyPN and we run 102 times out of memory while VerifyPN did only 45 times.

Weighted CTL Model Checking
Our last experiment compares the performance on the model checking of weighted CTL against weighted Kripke structures as used in the WKTool [3].We implemented the weighted symbolic dependency graphs in our generic interface and run the experiments on the benchmark from [3].The measurements for a few instances are presented in Fig. 6 and clearly show significant speedup in favour of our implementation.We remark that because WKTool is written in JavaScript, it was impossible to gather its peek memory consumption.

Conclusion
We defined a formal framework for minimum fixed-point computation on dependency graphs over an abstract domain of Noetherian orderings with the least element.This framework generalizes a number of variants of dependency graphs recently published in the literature.We suggested an efficient, on-the-fly algorithm for computing the minimum fixed-point assignment, including performance optimization features, and we proved the correctness of the algorithm.On a number of examples, we demonstrated the applicability of our framework, showing that its performance is matching those of specialized algorithms already published in the literature.Last but not least, we provided an open source C++ library that allows the user to specify only a few domain-specific functions in order to employ the generic algorithm described in this paper.Experiential results show that we are competitive with e.g. the tool TAPAAL, winner of the 2018 Model Checking Contest in the CTL category [9], showing 78% faster performance on the median instance of the model checking problem, at the expense of 42% higher memory consumption.
In the future work, we shall apply our approach to other application domains (in particular probabilistic model checking), develop and test generic heuristic search strategies as well as provide a parallel/distributed implementation of our general algorithm (that is already available for some of its concrete instances [7,23]) in order to further enhance the applicability of the framework.
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/),which permits use, sharing, adaptation, and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material.If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
Relation with least element (NOR) is a triple D = (D, , ⊥) where (D, ) is a partial order, ⊥ ∈ D is its least element such that for all d ∈ D we have ⊥ d, and satisfies the ascending chain condition: for any infinite chain d 1 d 2 d 3 . . .there is an integer k such that d k = d k+j for all j > 0.

Example 4 .
Consider the ADG from Fig. 1a in an assignment where the value of B is already known to be 1.As the vertex A has the labelling function B ∨ (C ∧ D), we can see that the assignment of A will get the value 1, irrelevant of what are the assignments for the vertices C and D. Hence, in this assignment, we can move the vertices C and D to the ignore set of A and avoid the exploration of the subgraphs rooted by C and D.