A compositional minimization approach for large asynchronous design verification

This paper presents a compositional minimization approach with efficient state space reductions for verifying non-trivial asynchronous designs. These reductions can result in a reduced model that contains the exact same set of observably equivalent behavior in the original model, therefore no false counter-examples result from the verification of the reduced model. This approach allows designs that cannot be handled monolithically or with partial-order reduction to be verified without difficulty. The experimental results show significant scale-up of the compositional minimization approach using these reductions on a number of large asynchronous designs.

A Compositional Minimization Approach for Large Asynchronous Design Verication Hao Zheng1, Emmanuel Rodriguez1, Yingying Zhang1, and Chris Myers2 1 University of South Florida, Tampa FL 33620, USA, zheng@cse.usf.edu, yingyingz@mail.usf.edu> erodrig9@gmail.com 2 University of Utah, SLC UT 84112, USA myers@ece.utah.edu Abstract. This paper presents a compositional minimization approach with ecient state space reductions for verifying non-trivial asynchronous designs. These reductions can result in a reduced model that contains the exact same set of observably equivalent behavior in the original model, therefore no false counter-examples result from the verication of the reduced model. This approach allows designs that cannot be handled monolithically or with partial-order reduction to be veried without dif- culty. The experimental results show signicant scale-up of the compo- sitional minimization approach using these reductions on a number of large asynchronous designs. Keywords: model checking, compositional verication, minimization, abstraction 1 Introduction Compositional verication is essential to address the state explosion problem in model checking large systems. The compositional methods can be roughly classied into compositional reasoning or compositional minimization. Assume- guarantee based compositional reasoning [2, 8, 13, 14, 18] does not construct the global state space. Instead, the verication of a system is broken into separate analyses for each module of the system. The result for the entire system is derived from the results of the veried individual modules. When verifying each module, assumptions about the environments with which the modules interact are needed for sound verication, and must be discharged later. The success of compositional reasoning relies on the discovery of appropri- ate environment assumptions for every module. This is typically done by hand. If the modules have complex interactions with their environments, generating accurate environment assumptions can be challenging. Therefore, the require- ment of manually nding assumptions has been a factor limiting the practical use of compositional reasoning. In recent years, various approaches to auto- mated assumption generation for compositional reasoning have been proposed. UU IR Author Manuscript UU IR Author Manuscript University of Utah Institutional Repository Author Manuscript II In the learning-based approaches, assumptions represented by deterministic - nite automata are generated with the L learning algorithm and analysis of local counter-examples [20, 1, 9, 11, 5]. The learned assumptions can result in orders of magnitude reduction in verication complexity. However, these approaches may generate assumptions with too many states and fail verication in some cases [20, 1]. An automated interface renement method is presented in [23] where the models of the system modules are rened, and the extra behavior is removed by extracting the interface interactions among these modules. Although the ca- pability of these methods has been demonstrated by verifying large examples, it is dicult for them to handle inherently global properties such as deadlock freedom. Compositional minimization [4, 12, 16], on the other hand, iteratively con- structs the local model for each component in a system, minimizes it, and com- poses it with the minimized models of other components. Eventually, a reduced global model is formed for the entire system where verication is performed. To contain the size of the intermediate results, user-provided context constraints are required. The need for the user-provided context constraints may also be a problem because the user-provided constraints may be overly restrictive, thus resulting in real design errors escaping detection. Similar work is also described in [6, 7]. The key to the success of compositional minimization is state space reduction. In the most existing work, reduction is conservative in that more behavior may be introduced, but no essential behavior may be removed during reduction. This is necessary since no real errors can be missed when verifying the reduced model. However, false errors may be introduced by reduction in the same time. When an error is found while verifying such a reduced model, it needs to be checked whether this error is real, typically done on the concrete model. This can be very time-consuming. If reduction is too conservative, the number of false errors may become too excessive, and checking these false errors can become the bottleneck. In [22, 27, 28], methods are described for compositionally verifying asyn- chronous designs based on Petri-net reduction. These methods simplify Petri-net models of asynchronous designs either following the design partitions or directed by the properties to be veried, then verication is done on the reduced Petri- nets. However, these methods are limited to certain types of Petri-nets, and not easily extended to other formalisms. This paper presents a number of state space reductions that can be used with compositional minimization. In this method, a design is modeled as a par- allel composition of state graphs derived from the high-level descriptions of the components in a design. Before composing the component state graphs to form a global model for verication, these state graphs are reduced to lower the com- plexity. The reductions remove certain state transitions and states from a state graph in such a way that the observable behavior on the interface remains the same. At the end, a reduced state graph for the entire design, which is equivalent to the concrete model of the design in terms of observable behavior, is produced UU IR Author Manuscript UU IR Author Manuscript University of Utah Institutional Repository Author Manuscript III for verication. This method is sound and complete in that the reduced model is veried to be correct if and only if the concrete model is correct. The reduction method presented in this paper is similar, in some degree, to the partial order reduction method[15] as both try to identify and remove certain transitions to eliminate equivalent paths. Partial order reduction determines the independent transitions such that the order of executing these transitions does not aect the verication results, and it removes all but one independent tran- sition in each state during the state space traversal to avoid generating states and transitions that correspond to some equivalent paths. However, determining which transitions are independent requires the information of the global state space, which is not available during the state space traversal, therefore, the in- dependent transitions are computed conservatively to ensure soundness of the verication results. This causes partial order reduction to be less eective or even useless in some situations. On the other hand, our method can eectively remove all transitions that correspond to equivalent paths in state space models because it considers the generated state space models where the necessary infor- mation is available for such reduction. Furthermore, our method can also remove states that do not aect the observable behavior after the equivalent paths are removed, while partial order reduction only tries to avoid generating the equiv- alent paths. Another dierence is that partial order reduction is applied to the whole design, while the method in this paper builds a reduced global state space model compositionally. This paper is organized as follows. Section 2 gives a brief overview of the mod- eling and verication of asynchronous designs. Section 3 presents the set of state space reductions for our compositional verication method. Section 3.1 describes a state space reduction approach that preserves the same observably equivalent behavior. Section 3.2 describes a set of techniques that remove redundant states and state transitions to augment the reduction presented in Section 3.1. Sec- tion 4 demonstrates our method on a number of non-trivial asynchronous design examples, and it analyzes the obtained results. The last section concludes the paper and points out some future work that can improve this method. 2 Preliminaries 2.1 State Graphs This paper uses state graphs (SGs) to model asynchronous systems. The deni- tion of state graphs is given as follows. Denition 21 (State Graphs) A state graph G is a tuple (A; S;R; init) where 1. A is a nite set of actions, 2. S is a nite non-empty set of states, 3. R S A S is the set of state transitions, 4. init 2 S is the initial state. UU IR Author Manuscript UU IR Author Manuscript University of Utah Institutional Repository Author Manuscript IV For an SG, A = AI [ AO [ AX. AI is the set of actions generated by an environment of a system such that the system can only observe and react. AO is the set of actions generated by a system responding to its environment. AX represents the internal behavior that is invisible at the interface, and it is usually denoted as . In the above denition, S also includes a special state which denotes the failure state of a SG, and it represents violations of some prescribed safety properties. The failure state does not have any outgoing transitions. The set of actions enabled at a state s 2 S is denoted as enb(s) = fa j (s; a; s0) 2 Rg. The set of state transitions leaving a state s, f(s; a; s0) 2 Rg, is denoted by out(s). In the remainder of this paper, R(s; a; s0) also denotes that (s; a; s0) 2 R. A path of G is a sequence of alternating states and actions of G, = (s0; a0; s1; a1; s2; ) such that si 2 S, ai 2 A, and (si; ai; si+1) 2 R for all i 0. A state sj 2 S is reachable from a state si 2 S if there exists a path = (si; ; sj ; ) in G. A state s is reachable in G if s is reachable from the initial state init. The trace of path , denoted by (), is the sequence of actions (a0; a1; ). Given a trace () of a path = (s0; a0; : : : ; si; ai; : : :), its nite prex, denoted by (; i), is (a0; : : : ; ai). Two traces = (a0; a1; ) and 0 = (a0 0; a0 1; ) are equivalent, denoted by = 0, i 8i0 ai = a0 i. The set of all paths of G forms the language of G, denoted by L(G). Given a trace = (a0; a1; : : :), its projection onto A0 A, denoted by [A0], is obtained by removing from all the actions a 62 A0 as shown below. [A0] = a0 0[A0] if a0 2 A0; 0[A0] otherwise: where 0 = (a1; :::), and is the concatenation operator. Given two paths, their equivalence is dened as follows. Denition 22 Let = (s0; a0; s1; a1; ) and 0 = (s0 0; a0 0; s0 1; a0 1; ) be two paths of G. and 0 are equivalent, denoted as 0, i () = (0). The SG of a system is obtained by composing the component SGs asyn- chronously. Asynchronous parallel composition is dened as follows. This de- nition is similar to that in [3] except that more rules are created for situations involving . Given G1 = (A1; S1;R1; init1) and G2 = (A2; S2;R2; init2), the parallel composition of G1 and G2, G1kG2 = (A; S;R; init), is dened as fol- lows. 1. A = A1 [ A2, 2. S S1n S2n [ fg. 3. R S A S such that all the following conditions hold: (a) For each ((s1; s2); a; (s0 1; s0 2)) 2 R, i. a 2 A1 􀀀 A2 ) R1(s1; a; s0 1) ^ s0 2 = s2, ii. a 2 A2 􀀀 A1 ) R2(s2; a; s0 2) ^ s0 1 = s1, iii. a 2 A1 \ A2 ) R1(s1; a; s0 1) ^ R2(s2; a; s0 2), (b) For each ((s1; s2); a; ) 2 R, i. a 2 A1 􀀀 A2 ) R1(s1; a; ), UU IR Author Manuscript UU IR Author Manuscript University of Utah Institutional Repository Author Manuscript V ii. a 2 A2 􀀀 A1 ) R2(s2; a; ), iii. a 2 A1 \ A2 ) ((R1(s1; a; ) ^ a 2 enb(s2)) _ ((R2(s2; a; ) ^ a 2 enb(s1)), 4. init = (init1; init2). In the above denition, the composite state is the failure state if either com- ponent state is the failure state. When several components execute concurrently, they synchronize on the shared actions, and proceed independently on their in- visible actions. If any individual SG makes a state transition to the failure state, there is a corresponding state transition to the failure state in the composite SG. In the actual implementation, when composing two SGs, a reachability analysis algorithm is performed from the initial composite state following the denition for transition relation R, and therefore, the resulting composite SG contains only the reachable states. 2.2 Correctness Denition A path is referred to as a failure if it leads to the failure state . The set of all failures in G is denoted as F(G) such that F(G) L(G) holds. A system is correct if F(G) = ;. Given a failure 0 = (s0 0; a0; ; s0 i; ai; ), the non-failure prex of its trace is (0; i). If another path has the same non-failure prex of 0, is also regarded as a failure. In such cases, path is said to be failure equivalent to 0. Denition 23 Let = (s0; a0; : : :) and 0 = (s0 0, a0 0, : : :) be two paths. If 9i>0 (; i) = (0; i) ^ s0 i+1 = holds, then is failure equivalent to 0, de- noted as F 0. The denition of the abstraction relation between two SGs is given as follows. Denition 24 (Abstraction) Given SGs G and G1, G1 is an abstraction of G, denoted as G G1, if and only if the following conditions hold: 1. AI = AI 1 and AO = AO1 . 2. For every path 2 L(G), there exists a path 1 2 L(G1) such that [A0] 1[A0] or [A0] F 1[A0] where A0 = AI [ AO. The abstraction relation denes that for any path in G, there exists a path in G1 such that they are observably equivalent. For any failure in G, there exists an equivalent failure in G1. The equivalence relation between two SGs is more restricted than the ab- straction relation. Denition 25 (Equivalence) Let G and G1 be SGs. G is equivalent to G1, denoted as G G1, if and only if G G1 and G1 G. UU IR Author Manuscript UU IR Author Manuscript University of Utah Institutional Repository Author Manuscript VI The equivalence relation denes that two SGs contain the same set of ob- servably equivalent paths. Therefore, if G G1, the following property holds. F(G) = ; , F(G1) = ;: (1) Intuitively, the above property states that the concrete model G is correct if G1 is correct, and vice versa. After a SG is generated, model checking can be applied for various properties to decide if they hold. In particular, our method checks the properties of safety and deadlock freedom of an asynchronous design. The correctness of a design is dened as the absence of failures caused by the violations of these properties. The failure state in our method can be used to capture violations of various safety properties. A design is safe if is unreachable. A design is said to deadlock if it cannot make progress in some state. It is dened as follows. Denition 26 (Deadlock) A SG is said to have a deadlock if 9s2S enb(s) = ;. A design is free of deadlock if no deadlock exists. 3 State Graph Reductions In this method, it is assumed that a design consists of n components, the state graphs Gi(1 i n) for these components are obtained using the method described in [25]. The state graph for the whole design is obtained by compos- ing the two component SGs in parallel at a time for all components. However, directly composing Gi for verication defeats the purpose of compositional con- struction in that the interleaving of the invisible state transitions in Gi can explode quickly during the parallel composition. Therefore, this section presents a number of state space reductions to simplify the component SGs and the inter- mediate SGs generated during the composition process before they are composed to control the complexity. The reduced state graphs are observably equivalent to the original ones, which implies that any properties hold or fail in the reduced SGs if, and only if, they hold or fail in the original ones. These reductions remove the redundant paths from the original SG but do not introduce any extra paths that do not exist in the original SG. They play an important role in compo- sitional minimization. The end of this section compares these reductions with another existing state space abstraction approach. 3.1 Observably Equivalent Reduction Given a component, some of its outputs may become invisible to its neighbors when it is plugged into a larger system. In this case, the corresponding state transitions on these outputs in its SG can be converted to invisible transitions. The traditional abstraction techniques collapse the invisible state transitions into single states [6]. This may cause extra behaviors and thus may introduce false failures. This section provides a dierent reduction approach that compresses a UU IR Author Manuscript UU IR Author Manuscript University of Utah Institutional Repository Author Manuscript VII sequence of invisible state transitions into a single visible state transition. This approach has certain desirable features over the previous approaches. Let (si; ; si+1; ; ; sj􀀀1; ; sj ; aj ; sj+1) be a subpath of a path in a SG G. After reduction, the whole subpath is replaced with state transition (si; aj ; sj+1). This reduction is referred to as an observably equivalent reduction. This reduction is dierent from the previous approaches in the following ways. 1. Since the sequence of invisible state transitions on a path is replaced by a visible state transition, the number of reachable states of the reduced graph G may be reduced if some states have all their incoming state transitions on the invisible action. However, this may not always be the case, and the number of state transitions may be increased signicantly. 2. This reduction shortens the existing paths, but no new paths are created. Therefore, no new failure traces are introduced. 3. Non-determinism may be introduced into the SG after reduction. Consider two subpaths (si;; ; sj􀀀1;;sj;aj;sj+1) and (si;; ;sk􀀀1; ; sk; aj ; sk+1). They are reduced to (si; aj ; sj+1) and (si; aj ; sk+1), respectively. This causes nondeterminism even though the original SG is deterministic. However, the nondeterministic transitions may be eliminated if sj+1 or sk+1 is redundant as described in the next section. Let reduce(G) be a procedure for the observably equivalent reduction on a SG G as shown in Algorithm 1. The SG produced by reduce(G) in Algo- rithm 1 inherits every element of G except the updated R and S. The algorithm reduce(G) checks each invisible state transition (s1; a1; s2) in G, and calls an- other function oer(G; s1; s2) if the start state s1 of that invisible state transition has at least one incoming state transition that is visible. Function oer(G; s1; s2), as shown in Algorithm 2, searches forward bypassing each invisible state tran- sition from s2 in the depth-rst manner until a visible transition or the failure state is encountered. Then, new visible transitions are created to replace the sequences of invisible state transitions, and they are added into R. After all in- visible transitions are handled, they are removed from G. Consequently, some other states and transitions may become unreachable, and they are also removed from G. Fig. 1 shows an example how a SG in Fig. 1(a) is reduced by the observably equivalent reduction to become the one as shown in Fig. 1(b). In this example, suppose all invisible transitions are denoted by . Then, for each visible transition in states si+1, sj+1, and sk+1, a new transition on the same action is created for states si, sj , and sk, respectively. Four new state transitions are added to preserve the same observable behavior. In this case, only three invisible transitions are removed. Therefore, without further reduction, the reduced SGs can actually be more complex with more transitions added. In the next section, redundancy in the SGs is dened, and algorithms are described to identify and remove the redundancy to actually reduce the complexity of the SGs. The following lemma asserts that reduce(G) is equivalent to G. Lemma 1. Given a SG G, G reduce(G). UU IR Author Manuscript UU IR Author Manuscript University of Utah Institutional Repository Author Manuscript VIII Algorithm 1: reduce (G) 1 foreach (s1; a1; s2) 2 R do 2 if a1 = ^ s2 = then 3 foreach (s; a; s1) 2 R do 4 R = R [ f(s; a; )g; 5 else if a1 = ^ s2 6= then 6 if 9(s;a;s1)2R a 6= then 7 oer(G; s1; s2); 8 Remove all invisible state transitions from G; 9 Remove unreachable states and state transitions from G; Algorithm 2: oer (G; s1; s2) foreach (s2; a2; s0 1 2) 2 R do if a2 = ^ s0 2 2 6= then oer(G; s1; s0 3 2); 4 else R = R [ f(s1; a2; s0 5 2)g; Proof: The proof is based on how procedure reduce(G) works. It is straightfor- ward to see that for every path in G that does not include any invisible transi- tions, the same path also exists in reduce(G). For a path = (s1; a1; : : : ; si; ; si+1; ai+1; : : :), there exists a path 0 = (s1; a1; : : : ; si; ai+1; : : :) in reduce(G), and 0 or F 0. Conversely, for every path 0 = (s1; a1; : : : ; si; ai+1; : : :) in reduce(G), either the same path exists in G, or it is reduced from a path = (s1; a1; : : : ; si; ; si+1; ai+1; : : :) in G, and 0 or 0 F . This satises the conditions of the equivalence relation, therefore G reduce(G). 3.2 Redundancy Removal From the example shown in the last section, it can be seen that the observably equivalent reduction can introduce nondeterminism. Nondeterminism exists if there are two state transitions (s; a; s1) and (s; a; s2) such that s1 6= s2. This is a result from reduction while preserving observable equivalence. However, the introduced nondeterminism can potentially contain redundancy, and removing the redundancy can simplify the complexity of SGs. If the failure state is involved in nondeterminism, redundant state transitions are identied based on the following understanding: if an action in a state may or may not cause a failure nondeterministically, it is always regarded as causing a failure. It is formalized as failure equivalent state transitions in the following denition. Denition 31 Given two state transitions (s; a1; s1) and (s; a2; ) of a SG, (s; a1; s1) is failure equivalent to (s; a2; ) if a1 = a2. UU IR Author Manuscript UU IR Author Manuscript University of Utah Institutional Repository Author Manuscript IX si s j sk si+1 s j+1 sk+1 ak ak a j ai ai a j ζ ζ ζ ai+1 a j+1 ak+1 (a) (b) Fig. 1. (a) An example SG with invisible state transitions. (b) The SG from (a) after the observably equivalent reduction. The failure equivalent transitions are redundant in that their existence does not aect the verication results, therefore, they can simply be removed. After removing the failure equivalent state transitions, it is possible that some other states become unreachable leading to more reduction. The following lemma states that the SG resulting from removing failure equivalent transitions is equivalent to the original SG. Lemma 2. Let G and G0 be a SG and the one after removing failure equivalent transitions. G G0. Proof: The following proof is drawn based on how the failure equivalent reduc- tion works. First, all paths in G also exist in G0 except for paths = (s1; a1; : : : ; si; ai; si+1; : : :) in G such that there also exists a (si; ai; ) in G. In other words, for every path = (s1; a1; : : : ; si; ai; si+1; : : :) in G, if (si; ai; ) is also in G, there exists a path 0 = (s1; a1; : : : ; si; ai; ), and we can see F 0. This shows G G0. Now, for every path 0 in G0, the path also exists in G if it does not end in the failure state. If 0 ends in the failure state, the same path also exists in G. This shows that G0 G. Therefore, G G0 holds. Fig. 2 shows an example of failure equivalent transitions. Fig. 2(a) is an example SG. After observably equivalent reduction is applied, the reduced SG is shown in Fig. 2(b). In this reduced SG, transition (sj ; aj ; sk) is failure equivalent to (sj ; aj ; ). After removing this failure equivalent transition, state sk becomes unreachable, and it is also removed including all its outgoing transitions. The nal reduced SG is shown in Fig. 2(c). Next, a restricted case of redundancy is described. Let incoming(s) be the set of state transitions (s0; a; s) such that R(s0; a; s) holds. UU IR Author Manuscript UU IR Author Manuscript University of Utah Institutional Repository Author Manuscript X si s j sk si+1 s j+1 a j ai ai a j ζ ζ π si s j sk si+1 s j+1 a j a ai i a j π a j ai si s j si+1 s j+1 a j aa i i π a j ai (a) (b) Fig. 2. (a) An example SG. (b) The SG from (a) after the observably equivalent reduc- tion. (c) The SG from (b) after removing the failure equivalent transition (sj ; aj ; sk) and the unreachable state. Denition 32 Let G be a SG, and s; s1, and s2 be states of G. If the following conditions hold, then one of s1 and s2 is redundant. { For every (s; a; s1) 2 incoming(s1), there exists a (s; a; s2) 2 incoming(s2). { For every (s; a; s2) 2 incoming(s2), there exists a (s; a; s1) 2 incoming(s1). If such redundant states exist, one of them and its incoming and outgoing tran- sitions can be removed as follows. Suppose s1 is selected to remove. { For each (s1; a1; s0 1) 2 outgoing(s1), add (s2; a1; s0 1) into R. { Remove all state transitions in incoming(s1) and outgoing(s1). { Remove s1. Therefore, removing redundant states always results in a smaller number of states and state transitions. It is also obvious to see that G G0 where G0 is the SG after redundant states are removed from G. In the remaining part of this section, a more general denition of redundancy is given by checking all possible behaviors originating from two states. Basically, if all possible behaviors originating from these two states are equivalent, these two states are regarded as equivalent. Therefore, one of them is redundant, and can be removed. The state equivalence is formally dened as follows. Denition 33 Let s and s0 be two states of a SG. s and s0 are equivalent, denoted as s s0, if the following conditions hold. { For each path = (s0; a0; s1; a1; : : : ; ) such that s0 = s, there exists another path 0 = (s0 0; a0; s0 1; a1; : : : ; ) such that s0 0 = s0, 0 or F 0. { For each path 0 = (s0 0; a0; s0 1; a1; : : : ; ) such that s0 0 = s0, there exists another path = (s0; a0; s1; a1; : : : ; ) such that s0 = s, 0 or F 0. UU IR Author Manuscript UU IR Author Manuscript University of Utah Institutional Repository Author Manuscript XI al ak a0 a0 ak Si Sl S0 l S0i S0 al S0 l a0 ai aj a0 ai aj S0 Sj Sl S0j Sk (a) (b) Fig. 3. Examples of equivalent states that can be resulted from reductions. States si and s0 i in (a) and s0 and sk in (b) are equivalent since the paths coming out of these states are equivalent. Fig. 3 shows two examples of SGs which contain equivalent states that pos- sibly result from the reduction described in the previous section. In Fig.3(a), there are two loops. State si on one loop is equivalent to state s0 i on the other loop since the paths out of these states are equivalent. Similarly, the successor states of these two states are also equivalent. It can be shown that every state in one loop is equivalent to a corresponding state in the other loop. Fig. 3(b) shows a dierent case where equivalence exists. It can be shown that state s0 is equivalent to sk since each of these two states is the starting state of a path, and these two paths are equivalent. The above observation directly leads to an algorithm to nd equivalent states. To simplify the presentation, assume a SG with AX = ; after observably equiva- lent reduction is applied. The algorithm works as follows. Initially, the set Eq of all pairs of states is found such that for each (s; s0) 2 Eq, the following conditions hold. { 8(s;a;s1)2outgoing(s) 9(s0;a0;s0 1)2outgoing(s0) a = a0. { 8(s0;a0;s0 1)2outgoing(s0) 9(s;a;s1)2outgoing(s) a = a0. Two states are obviously not equivalent if one has some enabled action that is not enabled in another state. This step excludes these obviously inequivalent states, and keeps the pairs that are potentially equivalent. Then, the algorithm iteratively removes from the set Eq any pairs (s; s0), until a xpoint is reached, if one of the following conditions holds 9s12succ(s)8s0 12succ(s0) (s1; s0 1) 62 Eq (2) 9s0 12succ(s0)8s12succ(s) (s1; s0 1) 62 Eq (3) UU IR Author Manuscript UU IR Author Manuscript University of Utah Institutional Repository Author Manuscript XII al ak a0 S0 Si Sl aj ai Sj Sj S0 a0 (a) (b) Fig. 4. SGs for the examples with redundant states in Fig. 3 after being reduced. where succ(s) includes all states that are reachable in one transition from s. Finally, if Eq is not empty, then states in every pair (s; s0) 2 Eq are equivalent. The correctness of the above algorithm is stated and proved in the following lemma. Lemma 3. For each pair (s; s0) 2 Eq, s s0. Proof: Suppose (s; s0) is an arbitrary pair in Eq. Let = (s0; a0; s1; a1; : : :) be an arbitrary path such that s0 = s. Since (s; s0) 2 Eq, there exists (s0; a0; s0 1) 2 outgoing(s0) corresponding to (s; a0; s1). Additionally, (s1; s0 1) 2 Eq because (s; s0) 2 Eq. Repeat the above argument for (s1; s0 1) and their successors recursively, we can construct another path 0 = (s0; a0; s0 1; a1; : : :), and it is straightforward to see that for any path from s, there is another path 0 such that 0. Next, let 0 = (s0 0; a0; s0 1; a1; : : :) be an arbitrary path such that s0 0 = s0. By following the above steps similarly, we can conclude that for any path from s0, there is another path such that 0. Therefore, for every pair (s; s0) 2 Eq, s s0 by Denition 33. If Eq(s; s0) is not empty, for every pair (s; s0) in the set, either s or s0 and its outgoing transitions can be safely removed, and its incoming transitions are re-directed to s0 or s. In this case, the interface behavior of the transformed SG remains the same as that of the original one according to the denition of the state equivalence. The examples shown in Fig. 3 after being reduced are shown in Fig. 4. 3.3 Comparison Between Reduction and Abstraction Ecient and eective state space reductions are key to the success of composi- tional minimization. In [26], a dierent abstraction technique is presented. This section brie y compares it with the presented reductions in this paper. UU IR Author Manuscript UU IR Author Manuscript University of Utah Institutional Repository Author Manuscript XIII π ζ π π (a) (b) (c) Fig. 5. Comparison of a traditional state space abstraction technique with the ob- servably equivalent reduction. (a) An example SG. (b) The SG after the state space abstraction. (c) The SG after the observably equivalent reduction. The state-based abstraction in [26] removes every invisible state transition (si; ; sj) 2 R from an SG, and merges si and sj to form a merged state sij . All state transitions entering si and sj now enter sij , and all state transitions leaving si or sj now leave sij . To preserve failure traces, if sj is the failure state , then the merged state sij is also the failure state. This abstraction can remove all invisible state transitions from an SG, which is illustrated in Fig. 5. It is ecient to simply remove one invisible transition at a time without checking any conditions as required in the paper. However, it may introduce a lot of extra behavior including failures. In Fig. 5(b), there is a path = (: : : ; ak; sij ; ai; : : :) that does not exist in the SG in Fig. 5(a). This extra path causes a false failure in the nal reduced SG. The observably equivalent reduction presented in this paper removes invis- ible state transitions while keeping the exact same set of observable paths in the original SG. Another example of this reduction is shown in Fig. 5(c). For an invisible state transition (si; ; sj) 2 R, this reduction adds a new state tran- sition (si; aj ; sh) into R for every (sj ; aj ; sh) 2 outgoing(sj ). Then, it removes (si; ; si+1). In Fig. 5(a), there exists a path = (: : : ; si; ; sj ; aj ; sh; : : :), and in Fig. 5(c) there exists a path 0 = (: : : ; si; aj ; sh; : : :), and [A0] 0[A0] where A0 = AI [AO. For all other paths that do not involve (si; ; si+1), they are pre- served after the reduction. This reduction does not introduce any extra paths that do not exist in the original. On the other hand, it may introduce a large number of redundant paths that may cause the reduced SG to be much larger than the original one. Fortunately, the redundancy removal techniques presented in this paper can help to remove a lot of these redundancy introduced by the observably equivalent reduction to signicantly simplify the complexity of SGs. UU IR Author Manuscript UU IR Author Manuscript University of Utah Institutional Repository Author Manuscript XIV Table 1. Comparison of the results from using the monolithic, partial-order reduction and the reduction methods. Time is in seconds, and memory is in MBs. jSj is the numbers of states found. For the results under CompMin, jSj is the number of states of the largest SG encountered during the whole course of compositional minimization. Designs Monolithic SPIN CompMin Name jV j Time Mem jSj Time Mem jSj Time Mem jSj g3a 6 0:044 2:7 20 0 2:195 20 0:037 3:14 10 arbN3 26 0:315 2:4 3756 0:015 2:781 3756 0:087 3:89 52 arbN5 44 8:105 61:538 227472 1:65 71:695 227472 0:18 4:3 52 arbN7 62 􀀀 􀀀 􀀀 􀀀 􀀀 􀀀 0:46 6:61 52 arbN9 80 􀀀 􀀀 􀀀 􀀀 􀀀 􀀀 0:89 7:43 52 arbN15 134 􀀀 􀀀 􀀀 􀀀 􀀀 􀀀 1:33 9:87 52 foN3 14 0:119 4:8 644 0 2:195 644 0:015 3:39 20 foN5 22 0:733 16:253 20276 0:08 6:593 20276 0:017 3:62 20 foN8 34 199:353 845 3572036 30:2 1087:211 3572036 0:11 4:03 20 foN10 42 􀀀 􀀀 􀀀 􀀀 􀀀 􀀀 0:08 4:38 20 foN20 82 􀀀 􀀀 􀀀 􀀀 􀀀 􀀀 0:11 4:7 20 foN50 202 􀀀 􀀀 􀀀 􀀀 􀀀 􀀀 0:35 6:14 20 foN100 402 􀀀 􀀀 􀀀 􀀀 􀀀 􀀀 0:76 7:67 20 foN200 802 􀀀 􀀀 􀀀 􀀀 􀀀 􀀀 1:56 11:1 20 foN300 1202 􀀀 􀀀 􀀀 􀀀 􀀀 􀀀 3:02 14:3 20 dmeN3 33 3:589 26:1 267; 999 0:265 19:706 117270 0:71 4:44 248 dmeN4 44 1235 1032 15:7M 15:5 553:421 4678742 0:8 5:74 248 dmeN5 55 􀀀 􀀀 􀀀 􀀀 􀀀 􀀀 2:23 10:19 248 dmeN8 88 􀀀 􀀀 􀀀 􀀀 􀀀 􀀀 3:57 16:4 447 dmeN9 99 􀀀 􀀀 􀀀 􀀀 􀀀 􀀀 5:86 20:9 900 dmeN10 110 􀀀 􀀀 􀀀 􀀀 􀀀 􀀀 58:9 46:6 3211 TU 48 􀀀 􀀀 􀀀 4:37 144:984 786672 0:219 5:085 278 PC 50 􀀀 􀀀 􀀀 􀀀 􀀀 􀀀 0:842 7:567 864 MMU 55 􀀀 􀀀 􀀀 􀀀 􀀀 􀀀 0:688 10:143 2071 UU IR Author Manuscript UU IR Author Manuscript University of Utah Institutional Repository Author Manuscript XV 4 Experimental Results We have implemented a prototype of the automated compositional verication with the reductions described in this paper in a concurrent system verication tool Platu, an explicit state model checker. This model checker is programmed in Java, and can perform traditional depth-rst search and compositional veri- cation. Experiments have been performed on several non-trivial asynchronous circuit designs obtained from previously published papers. To verify a design us- ing the compositional minimization method in this paper, all components in the design need to be converted to SGs rst. The component SGs can be obtained using a compositional reachability analysis method as shown in [25]. Detailed de- scription of this method is out of scope of this paper. In this paper, it is assumed that the component SGs are already obtained somehow. The rst three designs are a self-timed rst-in-rst-out (FIFO) design [17], a tree arbiter (ARB) of multiple cells [10], and a distributed mutual exclusion element (DME) consisting of a ring of DME cells [10]. Despite all these designs having regular structures to be scaled easily, the regularity is not exploited in our method, and all components are treated as black boxes. The fourth example is a tag unit circuit (TU) from Intel's RAPPID design [21]. This example is an un- optimized version of the actual circuit used in RAPPID with higher complexity, which is more interesting for experimenting with our methods. The fth example is a pipeline controller (PC) for an asynchronous processor TITAC2 [24]. The last example is a circuit implementation of a memory management unit (MMU) from [19]. All examples are too large for traditional monolithic approaches to complete on a typical workstation. In the experiments, DME, arbiter, and FIFO examples are partitioned ac- cording to their natural structures. In other words, each cell is a component. For the TU example, it is partitioned into three components, where the middle ve blocks form a component, and gates on the sides of the component in the middle form the other two. The PC example is partitioned into ve components, each of which contains ten gates. The MMU example is partitioned by following the structure provided in [19] such that each component denes an output that are used by other components. All experiments are performed on a Linux workstation with an Intel dual- core CPU and 2 GB memory. The results are shown in Table 1. In Table 1, the rst two columns show the design names and the number of variables used in the corresponding models. Since all examples are asynchronous circuits, the type of the variables used in the models is Boolean. Three dierent methods are used in the experiments for better comparison. The columns under Monolithic show the results from using the traditional DFS search method on the whole designs. The columns under SPIN show the results from using the SPIN model checker with the partial-order reduction turned on. The last three columns under CompMin show the results from using the compositional minimization method described in this paper. In these columns, Time is the total runtime, Mem is the total memory used, and jSj shows the total number of states found. Specically, the column jSj under CompMin shows the total number of states in the largest SG UU IR Author Manuscript UU IR Author Manuscript University of Utah Institutional Repository Author Manuscript XVI found during the entire course of the compositional minimization process. The largest SGs are recorded because their sizes in general determine whether the whole process of compositional minimization can be nished or not, therefore, their sizes need to be carefully controlled. For examples which use too much memory, the corresponding entries are lled with 􀀀. From Table 1, it can be seen that the traditional monolithic search method fails to nish quickly for most of the designs. This is understandable due to the state explosion problem. However, it is surprising to see that SPIN with partial- order reduction does not do any better. For all ARB and FIFO examples, SPIN cannot nd any reduction, and the numbers of states found by SPIN are exactly the same as those found by the monolithic approaches for ARB and FIFO. For DME and TU, SPIN does slightly better in terms of reduction in of the number of states found. On the other hand, SPIN quickly blows up the 2 GB memory for most of the examples too. One possible explanation is that the partial-order reduction implemented in SPIN relies on the information about the independence among transitions, and this information is obtained by examining the structures of the Promela models. Since these examples are asynchronous circuit designs, the models for these examples are connections of descriptions of basic logic gates, and they may be dicult for SPIN to extract sucient independence information for eective reduction. On the other hand, the compositional minimization approach with all reduc- tions described in this paper can nish all examples in the table quickly. For ARB and FIFO examples, the total runtime and memory usage grow polynomially in the number of components in the examples. For DME examples, the runtime and memory usage show a similar growth curve until the examples become too large. For dmeN10, there is a big jump on runtime and memory usage. This growth is due to an intermediate SG that contains too many state transitions after the equivalent reduction, and it takes a big part of total runtime to identify the equivalent states. The results for dmeN11 are not shown as the runtime for this example exceeds the 5 minute threshold. On the other hand, the memory usage still grows polynomially as the design size grows. For the three irregular designs, TU, PC and MMU, where SPIN also fails, they are nished with com- positional minimization using very small amount of runtime and memory. For the PC example, a safety failure is found. The same safety failure is also found by the monolithic approach after about 30 minutes on a much more powerful machine. From these results, one may conclude that compositional minimization works much better than partial-order reduction. This is true to some degree. For designs that do not contain any aws, compositional minimization can prove the cor- rectness very eciently. On the other hand, for designs that contain one or more bugs, compositional minimization can also nish and return counter-examples quickly. However, as a lot of design details are removed during the minimization process, the returned counter-examples are very abstract, therefore not very use- ful for users to understand the causes of the bugs. In this case, concrete counter- examples corresponding to those returned by compositional minimization need UU IR Author Manuscript UU IR Author Manuscript University of Utah Institutional Repository Author Manuscript XVII to be generated. This can be done by the traditional search on the whole de- sign guided by the returned counter-examples. Since these counter-examples are so abstract, the step of generating the concrete counter-examples may, in some cases, be as dicult as searching the state space of the whole design. 5 Conclusion This paper presents a compositional minimization approach with a number of state graph reductions to lower the verication complexity while not introducing extra paths that might cause false failures nor reducing any essential behaviors. In other words, the reduction methods are sound and complete. Based on initial experimental results, these reductions work well on a number of asynchronous circuit examples. In the future, it is necessary to experiment on more diverse examples including communication protocols and multithreaded programs to fully demonstrate its potential. Additionally, it is necessary to develop ecient approaches that make abstract counter-examples in the reduced SG be concrete by recovering the reduced information for better debugging. Acknowledgment This material is based upon work supported by the National Science Foundation under Grant No. 0930510 and 0930225. Any opinions, ndings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily re ect the views of the National Science Foundation. References 1. R. Alur, P. Madhusudan, and W. Nam. Symbolic compositional verication by learning assumptions. In Proc. Int. Conf. on Computer Aided Verication, volume 3576 of LNCS, pages 548 { 562. Springer-Verlag, 2005. 2. S. Berezin, S. Campos, and E. Clarke. Compositional reasoning in model checking. In COMPOS, volume 1536 of LNCS, pages 81{102. Springer-Verlag, Sept. 1998. 3. M. Bobaru, C.S.Pasareanu, and D. Giannakopoulou. Automated assume-guarantee reasoning by abstraction renement. In Proc. Int. Conf. on Computer Aided Ver- ication, LNCS. Springer-Verlag, 2008. 4. D. Bustan and O. Grumberg. Modular minimization of deterministic nite-state machines. In Proceedings the 6th International workshop on Formal Methods for Industrial Critical Systems (FMICS'01), July 2001. 5. S. Chaki, E. Clarke, N. Sinha, and P. Thati. Automated assume-guarantee reason- ing for simulation conformance. In Proc. Int. Conf. on Computer Aided Verica- tion, LNCS, pages 534 { 547. Springer-Verlag, 2005. 6. S. Cheung and J. Kramer. Context constraints for compositional reachability analysis. ACM Transations on Software Engineering and Methodology, 5(4):334{ 377, 1996. 7. S. Cheung and J. Kramer. Checking safety properties using compositional reach- ability analysis. ACM Trans. Softw. Eng. Methodol., 8(1):49{78, 1999. UU IR Author Manuscript UU IR Author Manuscript University of Utah Institutional Repository Author Manuscript XVIII 8. E. Clarke, D. Long, and K. McMillan. Compositional model checking. In Proceed- ings of the 4th Annual Symposium on Logic in computer science, pages 353{362, Piscataway, NJ, USA, 1989. IEEE Press. 9. J. Cobleigh, D. Giannakopoulou, and C. Pasareanu. Learning assumptions for compositional verication. In Proc. Int. Conf. on Tools and Algorithms for Con- struction and Analysis of Systems (TACAS), volume 2619 of LNCS, pages 331{346. Springer-Verlag, 2003. 10. D. Dill. Trace Theory for Automatic Hierarchical Verication of Speed Independent Circuits. PhD thesis, Carnegie Mellon University, 1988. 11. D. Giannakopoulou, C.S.Pasareanu, and H. Barringer. Component verication with automatically generated assumptions. Automated Software Engineering, pages 297{320, 2005. 12. S. Graf, B. Steen, and G. Luttgen. Compositional minimization of nite state systems using interface specications. Formal Aspects of Computation, 8(5):607{ 616, 1996. 13. O. Grumberg and D. Long. Model checking and modular verication. ACM Trans- actions on Programming Languages and Systems, 16(3):843{871, May 1994. 14. T. Henzinger, S. Qadeer, and S. Rajamani. You assume, we guarantee: methodol- ogy and case studies. In Proc. Int. Conf. on Computer Aided Verication, pages 440{451. Springer, 1998. 15. G. J. Holzmann and D. Peled. An improvement in formal verication. In Pro- ceedings of the 7th IFIP WG6.1 International Conference on Formal Description Techniques VII, pages 197{211, London, UK, UK, 1995. Chapman & Hall, Ltd. 16. J. Krimm and L. Mounier. Compositional state space generation from lotos pro- grams. In Proc. Int. Conf. on Tools and Algorithms for Construction and Analysis of Systems (TACAS), pages 239{258, London, UK, 1997. Springer-Verlag. 17. A. J. Martin. Self-timed fo: An exercise in compiling programs into vlsi circuits. Technical Report 1986.5211-tr-86, California Institute of Technology, 1986. 18. K. L. Mcmillan. A methodology for hardware verication using compositional model checking. Technical report, Cadence Berkeley Labs, 1999. 19. C. J. Myers. Computer-Aided Synthesis and Verication of Gate-Level Timed Circuits. PhD thesis, Stanford University, 1995. 20. W. Nam and R. Alur. Learning based symbolic assume-guarantee reasoning with automatic decomposition. In Proc. Int. Symposium on Automated Technology for Verication and Analysis (ATVA), volume 4218 of LNCS, 2006. 21. K. Stevens, R. Ginosar, and S. Rotem. Relative timing. In Proc. International Symposium on Advanced Research in Asynchronous Circuits and Systems, pages 208{218, 1999. 22. R. A. Thacker, K. R. Jones, C. J. Myers, and H. Zheng. Automatic abstraction for verication of cyber-physical systems. In Proceedings of the 1st ACM/IEEE Inter- national Conference on Cyber-Physical Systems, ICCPS '10, pages 12{21, 2010. 23. H. Yao and H. Zheng. Automated interface renement for compositional veri- cation. IEEE Transaction on Computer-aided Design of Integrated Circuits and Systems, 28(3):433{446, 2009. 24. T. Yoneda and T. Yoshikawa. Using partial orders for trace theoretic verication of asynchronous circuits. In Proc. International Symposium on Advanced Research in Asynchronous Circuits and Systems. IEEE Computer Society Press, Mar. 1996. 25. H. Zheng. Compositional reachability analysis for ecient modular verication of asynchronous designs. IEEE Transactions on COMPUTER-AIDED DESIGN of Integrated Circuits and Systems, 29(3), March 2010. UU IR Author Manuscript UU IR Author Manuscript University of Utah Institutional Repository Author Manuscript XIX 26. H. Zheng, J. Ahrens, and T. Xia. A compositional method with failure- preserving abstractions for asynchronous design verication. IEEE Transactions on COMPUTER-AIDED DESIGN of Integrated Circuits and Systems, 27, 2008. 27. H. Zheng, E. Mercer, and C. Myers. Modular verication of timed circuits using au- tomatic abstraction. IEEE Transactions on Computer-Aided Design, 22(9):1138{ 1153, 2003. 28. H. Zheng, C. Myers, D. Walter, S. Little, and T. Yoneda. Verication of timed circuits with failure directed abstractions. IEEE Transactions on Computer-Aided Design, 25(3):403{412, 2006. UU IR Author Manuscript UU IR Author Manuscript University of Utah Institutional Repository Author Manuscript