Antti Valmari

A stubborn attack on state explosion

This article presents theLTL-preserving stubborn set method for reducing the amount of work needed in the automatic verification of concurrent systems with respect to linear-time temporal logic specifications. The method facilitates the generation ofreduced state spaces such that the truth values of linear temporal logic formulas are the same in the ordinary and reduced state spaces. The only restrictions posed by the method are 1) the formulas must be known before the reduced state-space generation is commenced; 2) the use of the temporal operator “next state” is prohibited; and 3) the (reduced) state space of the system must be finite. The method cuts down the number of states by utilizing the fact that in concurrent systems the net result of the occurrence of two events is often independent of the order of occurrence.

Stubborn sets for reduced state space generation

The “stubborn set” theory and method for generating reduced state spaces is presented. The theory takes advantage of concurrency, or more generally, of the lack of interaction between transitions, captured by the notion of stubborn sets. The basic method preserves all terminal states and the existence of nontermination. A more advanced version suited to the analysis of properties of reactive systems is developed. It is shown how the method can be used to detect violations of invariant properties. The method preserves the liveness (in Petri net sense) of transitions, and livelocks which cannot be exited. A modification of the method is given which preserves the language generated by the system. The theory is developed in an abstract variable/transition framework and adapted to elementary Petri nets, place/transition nets with infinite capacity of places, and coloured Petri nets.

The State Explosion Problem

State space methods are one of the most important approaches to computer-aided analysis and verification of the behaviour of concurrent systems. In their basic form, they consist of enumerating and analysing the set of the states the system can ever reach. Unfortunately, the number of states of even a relatively small system is often far greater than can be handled in a realistic computer. The goal of this article is to analyse this state explosion problem from several perspectives. Many advanced state space methods alleviate the problem by using a subset or an abstraction of the set of states. Unfortunately, their use tends to restrict the set of analysis or verification questions that can be answered, making it impossible to discuss the methods without some taxonomy of the questions. Therefore, the article contains a lengthy discussion on alternative ways of stating analysis and verification questions, and algorithms for answering them. After that, many advanced state space methods are briefly described. The state explosion problem is investigated also from the computational complexity point of view.

On-the-Fly Verification with Stubborn Sets

A new on-the-fly verification method is presented. The method uses a generalization of Buchi automata called “tester processes” for representing and detecting illegal behaviour. To reduce the number of states that are constructed the method applies the stubborn set theory in a new way. The method can be used in connection with the “Supertrace” memory-saving technique. A simple algorithm is suggested for efficient detection of violations of an important subclass of liveness properties during the construction of the reduced state space.

Compositional State Space Generation

Compositional state space generation means the generation of a condensed version of the state space of a system in a compositional manner. The system is divided to parts. The state spaces of the parts are generated, condensed and composed to get a state space of the system. The method may be applied recursively; that is, the state spaces of the parts may have been generated compositionally. The generated condensed state space is in a certain sense equivalent with the ordinary state space, thus it can be used for the analysis of certain properties of the system.

The Weakest Compositional Semantic Equivalence Preserving Nexttime-less Linear temporal Logic

Temporal logic model checking is a useful method for verifying properties of finite-state concurrent systems. However, due to the state explosion problem modular methods like compositional minimisation based on semantic congruences are essential in making the verification task manageable. In this paper we show that the so-called CFFD-equivalence defined by initial stability, infinite traces, divergence traces and stable failures is exactly the weakest compositional equivalence preserving nexttimeless linear temporal logic with an extra operator distinguishing deadlocks from divergences. Furthermore, a slight modification of CFFD, called the NDFD-equivalence, is exactly the weakest compositional equivalence preserving standard nexttimeless linear temporal logic.

Compositional failure-based semantic models for Basic LOTOS

A systematic analysis of trace- and failure-based compositional semantic models for Basic LOTOS is presented. The analysis is motivated by the fact that the weakest known equivalences preserving sufficient information for several typical verification tasks are failure-based, and the weakness of an equivalence can be advantageous for verification. Both the equivalences and the preorders corresponding to the semantic models are covered. The analysis yields in a natural way two compositional semantic models, which are particularly suited for the verification of a general class of liveness properties, a task which cannot be performed with most established models.

Tarjan’s Algorithm Makes On-the-Fly LTL Verification More Efficient

State-of-the-art algorithms for on-the-fly automata-theoretic LTL model checking make use of nested depth-first search to look for accepting cycles in the product of the system and the Buchi automaton. Here we present a new algorithm based on Tarjan’s algorithm for detecting strongly connected components. We show its correctness, describe how it can be efficiently implemented, and discuss its interaction with other model checking techniques, such as bitstate hashing. The algorithm is compared to the old algorithms through experiments on both random and actual state spaces, using random and real formulas. Our measurements indicate that our algorithm investigates at most as many states as the old ones. In the case of a violation of the correctness property, the algorithm often explores significantly fewer states.

Simple O(m log n) time Markov chain lumping

In 2003, Derisavi, Hermanns, and Sanders presented a complicated O(m logn) time algorithm for the Markov chain lumping problem, where n is the number of states and m the number of transitions in the Markov chain. They speculated on the possibility of a simple algorithm and wrote that it would probably need a new way of sorting weights. In this article we present an algorithm of that kind. In it, the weights are sorted with a combination of the so-called possible majority candidate algorithm with any O(k logk) sorting algorithm. This works because, as we prove in the article, the weights consist of two groups, one of which is sufficiently small and all weights in the other group have the same value. We also point out an essential problem in the description of the earlier algorithm, prove the correctness of our algorithm in detail, and report some running time measurements.

The weakest deadlock-preserving congruence

Abstract In his 1989 book Robin Milner wrote that the failures equivalence of CSP theory “appears to be the weakest equivalence which never equates a deadlocking agents with one which does not deadlock.” This guess was almost correct, but not completely. In this note we present the weakest equivalence (actually, congruence) with the above-mentioned property, prove that it has these properties, and compare it to failures equivalence.