Symbolic model checking for channel-based component connectors  by Klüppelholz, Sascha & Baier, Christel
Science of Computer Programming 74 (2009) 688–701
Contents lists available at ScienceDirect
Science of Computer Programming
journal homepage: www.elsevier.com/locate/scico
Symbolic model checking for channel-based component connectors
Sascha Klüppelholz ∗, Christel Baier
Technische Universität Dresden, Institut für Theoretische Informatik, Germany
Article info
Article history:
Received 29 June 2007
Received in revised form 15 May 2008
Accepted 15 September 2008
Available online 26 February 2009
Keywords:
Constraint automata
Model checking
Branching time logic
Data streams
Binary decision diagrams
Reo
Abstract
This paper introduces a temporal logic framework to reason about the coordination
mechanisms and data flow of exogenous coordination models. We take a CTL-like
branching time logic, augmented with regular expressions that specify the observable I/O-
operations, as a starting point. The paper provides the syntax and semantics of our logic
and introduces the corresponding model checking algorithm. The second part of the paper
reports an implementation that relies on a symbolic representation of the coordination
network and the connected components by means of binary decision diagrams. A couple
of examples are given to illustrate the efficiency of the model checking techniques and their
implementation.
© 2009 Elsevier B.V. All rights reserved.
1. Introduction
In the past 15 years, many languages and models have been developed for coordination that provide formal descriptions
of the glue code for plugging components together and can also serve as a starting point for formal verification (see e.g. [7]).
In this paper, we address the latter aspect for the exogenous coordination language Reo [2]. In Reo, the glue code is provided
by a network of channels obtained through a series of operations that create channel instances and link them together in
(network) nodes. The semantics of Reo networks has been provided in different, but consistent ways. [2] formalizes the
enabledness and effect of I/O-operations at the network configurations by means of accept and offer predicates that declare
whether and which data items can be written or read at a node. An operational semantics that specifies the stepwise behavior
of, and possible data flow in, a Reo network has been presented in [6] using a variant of labelled transition systems, called
constraint automata, and shown to be consistent with the timed data stream semantics of [5].
Although Reo is an elegant formalism to synthesize component connectors with simple composition operators, Reo
networks with many channels tend to be hard to understand. Thus, tool support for analyzing the coordination mechanism
specified by a Reo network is a crucial aspect for applying the Reo framework to complex scenarios. Algorithms for verifying
Reo networks on the basis of their constraint automata semantics have been presented in [6] for checking (bi)simulation
and language equivalence and in [3,11] for temporal logic specifications. We follow here the latter approach and deal with
a branching time, time-abstract variant of timed data stream logic (TDSL) introduced in [3] for reasoning about real-time
constraints of Reo networks in the linear time setting. Ignoring some minor differences, our logic, called branching time
stream logic (BTSL), is contained in the logic considered in [11], where the main focus is on the treatment of dynamic
reconfiguration rather than model checking. BTSL combines the standard CTL operators [12,13] with a special path modality
〈α〉 and its dual [α] that allow reasoning about the data streams observable at the network nodes by means of a regular
expression α. For instance, assume C to be a component that is linked to a Reo network by an output port Request. C sends
∗ Corresponding author.
E-mail addresses: klueppel@tcs.inf.tu-dresden.de (S. Klüppelholz), baier@tcs.inf.tu-dresden.de (C. Baier).
doi:10.1016/j.scico.2008.09.020
Fig. 1. Synchronous channel, FIFO1 channel and synchronous drain.
off the request to get access to certain resources and an input port Grant through which C might receive the grant. Then, the
BTSL formula
∃[true∗; Request; (¬Grant)∗] ∀〈true∗;Grant〉 resources_available
states the possibility that each request of C will eventually be granted and the required resources will be available for C.
The purpose of this paper is to report an implementation of a BTSL model checker. The input is a Reo network and a
BTSL formula Φ which has to be checked for the network. The BTSL model checking procedure relies on a combination
of known methods for model checking CTL-like logics [10] and automata-based approaches for linear time logics [20]. A
rough sketch for model checking a BTSL-like logic has been given in [11], which follows the standard CTL∗ model checking
approach [15,13] and uses a reduction to the TDSL model checking problem. However, no details or explanations on an
efficient implementation have been provided in [11]. In fact, for BTSL the reduction to the model checking problem for the
real-time logic TDSL is unnecessary, since simpler techniques suffice. As we will show in this paper, for the treatment of
modalities 〈α〉 and [α] even a reduction to ordinary CTL is possible. Furthermore, we depart from former approaches with
constraint automata by dealing with both infinite and finite runs. The latter are crucial for the treatment of termination and
deadlock configurations that might appear in Reo networks.
Our model checker deals with a symbolic approach where the constraint automaton for a Reo network is represented
by a binary decision diagram (BDD). The first step is the generation of a BDD-representation of the constraint automaton
for the network. This is done in a compositional manner that mimics Reo’s operators to synthesize the network by adding
channels and joining nodes, using their corresponding operators on BDDs. The second step is then to perform the BTSL model
checking using appropriate operations for manipulating BDDs. For this, we apply state-of-the-art techniques for symbolic
CTL model checking in combination with a symbolic treatment of the 〈α〉- and [α]-modality.
Organization of the paper. Section 2 gives a brief introduction on the coordination language Reo and constraint automata
that serve as an operational model for Reo networks. In Section 3, we explain the syntax and semantics of the logic BTSL.
Section 4 summarizes the main steps of the BTSL model checking algorithm and Section 5 reports our symbolic realization.
Experimental results for the symbolic implementation are presented in Section 6. Section 7 concludes the paper.
2. Reo and constraint automata
In this section we summarize the main concepts of the coordination language Reo and its operational constraint automata
semantics. Further details can be found in [2,6]. Reo is an exogenous coordination language that is based on a channel-
based calculus where complex component connectors are expressed as a network of channels and built in a compositional
manner. Reo networks provide the glue code for the coordination and interactions of the components that are connected
to the network. Reo relies on a very liberal notion of channels and supports any kind of peer-to-peer communication.
The requirement for the channels used in a Reo network is that channels must have two channel ends, declared to be
either sink or source end, and a user-defined semantics. At source ends data items enter their respective channels (by
performing corresponding write operations), while data items are received from channels at their sink ends (by performing
corresponding read operations).
Fig. 1 shows the graphical representation of three simple channel types that will be used in our examples. Synchronous
and FIFO channels each have a source and a sink end. In synchronous channels the write and read operations succeed
simultaneously. The picture in the middle shows a FIFO channel with a single buffer cell, briefly called a FIFO1 channel,
where the buffer is initially empty. Writing a data item at the source end is enabled whenever the buffer is empty. The effect
of writing d is that d will be stored in the buffer. Reading at the sink end is enabled if the buffer is filled, in which case the
data item is taken out of the buffer. A very useful channel for the design of complex coordination protocols in Reo is the
synchronous drain. It has two source ends (but no sink end). A data item has to be written on both ends simultaneously for
the write operations to succeed and both data items are lost or destroyed.
The nodes of a Reo network represent sets of channel ends. They arise through Reo’s join operator and can be classified
into source, sink and mixed nodes, depending on whether all channel ends that coincide on a node A are source ends (then A
is a source node), sink ends (then A is a sink node), or a mix of sink and source ends (then A is a mixed node). Source and sink
nodes represent input and output ports where components may connect to the network. The mixed nodes serve as routers
where data items can be transmitted through the network.
Concurrent I/O-operations. For simplicity of the paper, we assume here a fixed finite and nonempty set $\mathit{Data}$ of data items that can be written or taken from the channels. If $\mathcal{N}$ is a set of network nodes then the observable data flow at some moment can be described by a concurrent I/O-operation. This means a pair $(N, \delta)$ where $N$ is a nonempty node-set (i.e., $\emptyset \neq N \subseteq \mathcal{N}$) and $\delta : N \to \mathit{Data}$. The intuitive meaning of a concurrent I/O-operation $(N, \delta)$ is that the nodes $A \in N$ synchronize their I/O-operations such that $\delta(A)$ is the data item observed at node $A$. More precisely, each source node $A \in N$ writes data item $\delta(A)$ at all channels with a source end on $A$, while each sink node $A \in N$ takes data item $\delta(A)$ from one of the channels with a sink end on $A$. The mixed nodes $A \in N$ read $\delta(A)$ from one of the channels with a sink end on $A$ and simultaneously write $\delta(A)$ at all channels with a source end on $A$. In the moment where the concurrent I/O-operation $(N, \delta)$ is performed there is no data flow at the other nodes $B \in \mathcal{N} \setminus N$.
Constraint automata have been introduced to provide a compositional, operational semantics for Reo networks [6]. The states of the automaton for a Reo network represent the configurations (e.g., contents of the buffers for FIFO channels), while the transitions model the enabled concurrent I/O-operations. In [6] the transitions have the form $q \xrightarrow{N,\,dc} p$ where $q$ and $p$ are the starting and target states, respectively, $N$ is the set of nodes where I/O-operations are performed simultaneously and $dc$ is a data constraint, i.e., a boolean condition on the data items written or read at the nodes $A \in N$. According to our BDD-based implementation (see Section 5), we go one step further toward a symbolic representation and deal with transitions $q \xrightarrow{g} p$ where $g$ is an I/O-constraint, i.e., a condition on both the nodes where I/O-operations will be performed and the data items exchanged through those nodes. Furthermore, we depart from [6] by dropping the requirement that all runs have to be infinite. We also deal with finite runs, which are necessary to argue about termination and deadlock configurations.
I/O-constraints. We use a symbolic representation of sets of concurrent I/O-operations by means of boolean conditions on the nodes $A \in \mathcal{N}$ and the data items $d_A$ written or read at node $A$. Formally, an I/O-constraint for $\mathcal{N}$ is a propositional formula built by the literals $A$ (where $A \in \mathcal{N}$) and the atomic formulas
$$(d_{A_1}, \ldots, d_{A_k}) \in R$$
where $k \geq 1$, $A_1, \ldots, A_k$ are pairwise distinct nodes and $R \subseteq \mathit{Data}^k$. Throughout the paper, we will use intuitive notations like
$$d_A = 0 \quad\text{for}\quad d_A \in \{0\} \qquad\text{or}\qquad d_A \neq d_B \quad\text{for}\quad (d_A, d_B) \in \{(\delta_A, \delta_B) \in \mathit{Data}^2 \mid \delta_A \neq \delta_B\}.$$
We write $\mathit{IOC}$ for the set of all I/O-constraints. I/O-constraints are interpreted over concurrent I/O-operations $(N, \delta)$ in the expected way, i.e.,
$$(N, \delta) \models A \iff A \in N \qquad\text{and}\qquad (N, \delta) \models (d_{A_1}, \ldots, d_{A_k}) \in R \iff \{A_1, \ldots, A_k\} \subseteq N \wedge (\delta(A_1), \ldots, \delta(A_k)) \in R.$$
The propositional logic operators have their standard semantics.
We write $[\![ g ]\!]_{\mathcal{N}}$ for the set of concurrent I/O-operations $(N, \delta)$ where $\emptyset \neq N \subseteq \mathcal{N}$ and $(N, \delta) \models g$. Note that the semantics of I/O-constraints depends on the underlying node-set $\mathcal{N}$. For example,
$$[\![ d_A = d_B ]\!]_{\mathcal{N}} = \{(N, \delta) \mid \{A, B\} \subseteq N \subseteq \mathcal{N},\ \delta(A) = \delta(B)\} \qquad\text{and}\qquad [\![ \mathit{true} ]\!]_{\mathcal{N}} = \{(N, \delta) \mid \emptyset \neq N \subseteq \mathcal{N},\ \delta : N \to \mathit{Data}\}.$$
Two I/O-constraints $g_1$ and $g_2$ are $\mathcal{N}$-equivalent, written $g_1 \equiv_{\mathcal{N}} g_2$, iff $[\![ g_1 ]\!]_{\mathcal{N}} = [\![ g_2 ]\!]_{\mathcal{N}}$. If the node-set is clear from the context we simply write $[\![ g ]\!]$ and $\equiv$, and speak about satisfiability and equivalence of I/O-constraints.
Definition 1. A constraint automaton (CA) is a tuple $\mathcal{A} = (Q, \mathcal{N}, \longrightarrow, Q_0, \mathit{AP}, L)$, where
• $Q$ is a set of states,
• $\mathcal{N}$ a set of nodes, disjointly partitioned into $\mathcal{N} = \mathcal{N}^{\mathit{src}} \uplus \mathcal{N}^{\mathit{snk}} \uplus \mathcal{N}^{\mathit{mix}}$,
• $Q_0 \subseteq Q$ the set of initial states,
• $\longrightarrow \subseteq Q \times \mathit{IOC} \times Q$ the transition relation,
• $\mathit{AP}$ a finite set of atomic propositions, and
• $L : Q \to 2^{\mathit{AP}}$ a labeling function.
The nodes in $\mathcal{N}^{\mathit{src}}$ ($\mathcal{N}^{\mathit{snk}}$, $\mathcal{N}^{\mathit{mix}}$) are called source nodes (sink nodes and mixed nodes, respectively). The instances of a transition $(q, g, p)$ are tuples $(q, N, \delta, p)$ where $(N, \delta) \in [\![ g ]\!]_{\mathcal{N}}$. Throughout the paper, we consider finite constraint automata only, i.e., we require that $\mathcal{N}$, $Q$ and $\longrightarrow$ are finite. □
In what follows, we use the arrow-notation $q \xrightarrow{g} p$ for a transition $(q, g, p)$ and $q \xrightarrow{N,\,\delta} p$ for its instances. Fig. 2 illustrates the constraint automata for a synchronous channel with source node $A$ and sink node $B$; a FIFO1 channel with source node $A$ and sink node $B$ and the data domain $\mathit{Data} = \{0, 1\}$; and a synchronous drain with source nodes $A$ and $B$. In all three cases the node-set is $\mathcal{N} = \{A, B\}$. The I/O-constraint $d_A = d_B$ in the automaton for the synchronous channel indicates the concurrent I/O-operations $(\{A, B\}, \delta)$ where $\delta(A) = \delta(B)$, while the I/O-constraint $A \wedge B$ in the automaton for the synchronous drain represents all concurrent I/O-operations of the form $(\{A, B\}, \delta)$. For the FIFO channel one might use the atomic propositions $\mathit{empty}$ and $\mathit{full}$ with the obvious labeling function. Please notice that, whenever $d_A$ is part of an I/O-constraint $g$, this requires data flow at port $A$, i.e. $(N, \delta) \models g$ implies $A \in N$.
Fig. 2. CA for a synchronous channel, FIFO1 channel and synchronous drain.
For states $q$ and $p$, the I/O-constraint $\mathit{ioc}(q, p) = \bigvee \{ g \mid q \xrightarrow{g} p \}$ represents the weakest condition on the I/O-operations at the nodes that have to be synchronized for moving from $q$ to $p$ within one step. Thus, if $P \subseteq Q$ then
$$\mathit{ioc}(q, P) = \bigvee_{p \in P} \mathit{ioc}(q, p)$$
stands for the set of all concurrent I/O-operations that are enabled in $q$ and lead to a configuration in $P$. With $P = Q$, we get a boolean characterization $\mathit{ioc}(q) = \mathit{ioc}(q, Q)$ for the set of all enabled concurrent I/O-operations in $q$.
State $q$ is called terminal if
$$\Big( \mathit{ioc}(q) \;\wedge \bigwedge_{A \in \mathcal{N}^{\mathit{src}} \cup \mathcal{N}^{\mathit{snk}}} \neg A \Big) \equiv \mathit{false}.$$
This condition means that in all enabled concurrent I/O-operations in $q$ at least one of the sink or source nodes is involved. These I/O-operations may be refused if the components that connect to these nodes are not willing to provide the corresponding write or read operations. Thus, data flow might stop in terminal states.
The intuitive operational behavior of a constraint automaton can be formalized by its runs. Runs in a constraint automaton are defined as finite or infinite sequences of consecutive transition instances. In the case of finite runs, we allow that they end with a special pseudo-transition with the label $\surd$, denoting the end of data flow, provided that the last state is terminal. Thus, finite runs have the form
$$(1)\quad q_0 \xrightarrow{N_1,\,\delta_1} \cdots \xrightarrow{N_k,\,\delta_k} q_k \qquad\text{or}\qquad (2)\quad q_0 \xrightarrow{N_1,\,\delta_1} \cdots \xrightarrow{N_k,\,\delta_k} q_k \xrightarrow{\surd} q_k$$
where $q_{i-1} \xrightarrow{N_i,\,\delta_i} q_i$ are transition instances ($i = 1, \ldots, k$) and $q_k$ is terminal for finite runs ending with a $\surd$-transition (case (2)). For a run $\theta$, its length $|\theta| \in \mathbb{N} \cup \{\omega\}$ is defined as the number of transition instances taken in $\theta$ (possibly including the pseudo-transition with label $\surd$). A maximal run means an infinite run or a finite run that ends with a pseudo-transition labelled by $\surd$. We write $\mathit{Runs}(q)$ for the set of all runs starting in $q$ and $\mathit{MaxRuns}(q)$ for all maximal runs starting in $q$.
If $\theta = q_0 \xrightarrow{N_1,\,\delta_1} q_1 \xrightarrow{N_2,\,\delta_2} q_2 \xrightarrow{N_3,\,\delta_3} \ldots$ is an infinite or a finite but non-maximal run, then the word $(N_1, \delta_1)(N_2, \delta_2)(N_3, \delta_3) \ldots$ obtained by taking the projection of the sequence of concurrent I/O-operations is called the I/O-stream of $\theta$.
For a finite maximal run $\theta = q_0 \xrightarrow{N_1,\,\delta_1} \cdots \xrightarrow{N_k,\,\delta_k} q_k \xrightarrow{\surd} q_k$, the I/O-stream of $\theta$ is the word $(N_1, \delta_1) \ldots (N_k, \delta_k)\,\surd$.
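The I/O-constraint semantics $[\![ g ]\!]_{\mathcal{N}}$, the transition instances of Definition 1 and the terminal-state condition above can be made concrete for a finite data domain. The following Python code is an added example and not part of the paper or its tool: I/O-constraints are Python predicates over $(N, \delta)$, $[\![ g ]\!]_{\mathcal{N}}$ is computed by enumerating all concurrent I/O-operations over the node-set, and the Fig. 2 automata are encoded with I/O-constraints assumed from the text (e.g. $A \wedge \neg B \wedge d_A = v$ for the FIFO1 write). The automaton `INTERNAL`, whose mixed node `M` moves data without any component, is a constructed stand-in for a network like the one on the left of Fig. 3 and shows a non-terminal state.

```python
"""Constraint automata with I/O-constraints over a finite data domain (added
example, not code from the paper). An I/O-constraint is a predicate on
concurrent I/O-operations (N, delta); sem(g, nodes) enumerates [| g |]_N.
The automata of Fig. 2 are built for Data = {0, 1} with assumed constraints."""
from itertools import product as cartesian

DATA = (0, 1)                                  # the finite data domain Data


def io_operations(nodes):
    """All concurrent I/O-operations (N, delta): {} != N subset nodes, delta: N -> Data."""
    nodes = sorted(nodes)
    for mask in range(1, 1 << len(nodes)):
        active = [a for i, a in enumerate(nodes) if mask >> i & 1]
        for values in cartesian(DATA, repeat=len(active)):
            yield frozenset(active), dict(zip(active, values))


# I/O-constraint constructors; each returns a predicate (N, delta) -> bool.
def node(a):                 # the literal A: data flow at node A
    return lambda n, d: a in n

def equal(a, b):             # "d_A = d_B": flow at both nodes, same data item
    return lambda n, d: a in n and b in n and d[a] == d[b]

def holds(a, v):             # "d_A = v"; mentioning d_A requires flow at A
    return lambda n, d: a in n and d[a] == v

def conj(*gs):
    return lambda n, d: all(g(n, d) for g in gs)

def neg(g):
    return lambda n, d: not g(n, d)

def true(n, d):
    return True


def sem(g, nodes):
    """[| g |]_N: the concurrent I/O-operations over `nodes` satisfying g."""
    return [(n, d) for n, d in io_operations(nodes) if g(n, d)]


def equivalent(g1, g2, nodes):
    """N-equivalence of two I/O-constraints: the same set of instances."""
    return sem(g1, nodes) == sem(g2, nodes)


class ConstraintAutomaton:
    """A = (Q, N, -->, Q0, AP, L) with I/O-constraints on the transitions."""

    def __init__(self, nodes, boundary, transitions, initial, labels):
        self.nodes = frozenset(nodes)
        self.boundary = frozenset(boundary)    # N_src | N_snk: driven by components
        self.trans = list(transitions)         # triples (q, g, p)
        self.initial = set(initial)
        self.labels = labels                   # q -> set of atomic propositions

    def instances(self, q):
        """Transition instances q --(N,delta)--> p, i.e. ioc(q) made explicit."""
        return [(n, d, p) for q0, g, p in self.trans if q0 == q
                for n, d in sem(g, self.nodes)]

    def is_terminal(self, q):
        """ioc(q) AND (AND_{A in N_src u N_snk} not A) is unsatisfiable: every
        enabled operation needs a boundary node, which the environment may refuse."""
        return all(n & self.boundary for n, _, _ in self.instances(q))

    def finite_maximal_runs(self, q, bound):
        """Finite maximal runs from q with at most `bound` instances, each
        closed by the sqrt pseudo-transition (allowed only in terminal states)."""
        runs = []

        def walk(state, prefix):
            if self.is_terminal(state):
                runs.append(prefix + ["sqrt"])
            if len(prefix) < bound:
                for n, d, p in self.instances(state):
                    walk(p, prefix + [(n, d)])
        walk(q, [])
        return runs


# Fig. 2 with assumed encodings; source node A and sink node B are boundary nodes.
FIFO1 = ConstraintAutomaton(
    {"A", "B"}, {"A", "B"},
    [("empty", conj(node("A"), neg(node("B")), holds("A", v)), f"full{v}") for v in DATA]
    + [(f"full{v}", conj(node("B"), neg(node("A")), holds("B", v)), "empty") for v in DATA],
    {"empty"}, {"empty": {"empty"}, "full0": {"full"}, "full1": {"full"}})
SYNC = ConstraintAutomaton({"A", "B"}, {"A", "B"}, [("q", equal("A", "B"), "q")], {"q"}, {"q": set()})
DRAIN = ConstraintAutomaton({"A", "B"}, {"A", "B"}, [("q", conj(node("A"), node("B")), "q")], {"q"}, {"q": set()})
# Constructed network with a mixed node M: the M-only step needs no component,
# so s0 is not terminal, whereas s1 (only an A-step enabled) is.
INTERNAL = ConstraintAutomaton(
    {"A", "M"}, {"A"},
    [("s0", conj(node("M"), neg(node("A"))), "s1"), ("s1", conj(node("A"), neg(node("M"))), "s0")],
    {"s0"}, {"s0": set(), "s1": set()})
```

`equivalent(holds("A", 0), conj(node("A"), holds("A", 0)), {"A", "B"})` is true, which is the remark above that $d_A$ in a constraint forces $A \in N$; `FIFO1.finite_maximal_runs("empty", 2)` lists the five runs of length at most two that end in $\surd$, all of whose last states are terminal because every step of a FIFO1 channel involves $A$ or $B$.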
3. Branching time stream logic
In this section we introduce a branching time temporal logic for reasoning about the control and data flow of a constraint automaton. The logic, called Branching Time Stream Logic (BTSL), combines features of CTL [12,13], PDL [16] and timed data stream logic (TDSL) [3,9,4]. As in CTL, formulas may refer to the configurations of a component connector (states of a constraint automaton) by means of atomic propositions $ap \in \mathit{AP}$ and may use the path quantifiers $\exists$ and $\forall$. Path properties are specified by the standard until operator or the PDL/TDSL-like modality $\langle\alpha\rangle$ where $\alpha$ is a regular expression specifying finite sequences of I/O-operations at the nodes.
Branching Time Stream Logic (BTSL). A BTSL signature is a tuple $(\mathit{AP}, \mathcal{N})$ consisting of a finite nonempty set $\mathit{AP}$ of atomic propositions and a finite nonempty node-set $\mathcal{N}$. The syntax of BTSL has three levels: state formulas (denoted by capital Greek letters $\Phi$, $\Psi$), run formulas (denoted by the small Greek letter $\varphi$), and regular I/O-stream expressions (denoted by the small Greek letter $\alpha$). The abstract syntax of BTSL is given by the following grammar where $ap \in \mathit{AP}$ and $g \in \mathit{IOC}$:
$$\Phi ::= \mathit{true} \mid ap \mid \Phi_1 \wedge \Phi_2 \mid \neg\Phi \mid \exists\varphi \mid \forall\varphi$$
$$\varphi ::= \Phi_1\, \mathsf{U}\, \Phi_2 \mid \langle\alpha\rangle\Phi$$
$$\alpha ::= g \mid \mathit{stop} \mid \alpha^* \mid \neg\alpha \mid \alpha_1 ; \alpha_2 \mid \alpha_1 \cup \alpha_2 \mid \alpha_1 \cap \alpha_2$$
The intuitive meaning of the state formulas and the until operator $\mathsf{U}$ is as in CTL. In the PDL-like formula $\langle\alpha\rangle\Phi$, the regular I/O-stream expression $\alpha$ specifies a set of finite I/O-streams, i.e., finite sequences of concurrent I/O-operations, possibly ending with the symbol $\surd$. Intuitively, $\langle\alpha\rangle\Phi$ holds for a maximal run if it starts with a finite prefix where the data flow matches the conditions specified by $\alpha$ and $\Phi$ holds in the state reached by that prefix. Other operators can be derived, e.g.,
$$\text{eventually:}\quad \Diamond\Phi = \mathit{true}\, \mathsf{U}\, \Phi, \qquad\qquad \text{always:}\quad \forall\Box\Phi = \neg\exists\Diamond\neg\Phi \quad\text{and}\quad \exists\Box\Phi = \neg\forall\Diamond\neg\Phi.$$
The dual to the PDL-like modality $\langle\cdot\rangle$ is obtained by
$$\exists[\alpha]\Phi = \neg\forall\langle\alpha\rangle\neg\Phi \qquad\text{and}\qquad \forall[\alpha]\Phi = \neg\exists\langle\alpha\rangle\neg\Phi.$$
Intuitively, $[\alpha]\Phi$ holds for a maximal run if all its finite prefixes $\theta$, where the induced I/O-stream belongs to the language given by $\alpha$, end in a state where $\Phi$ holds. The next step operator $\bigcirc$ of LTL/CTL-like logics arises as a special instance of $\langle\cdot\rangle$ by $\bigcirc\Phi = \langle\mathit{true}\rangle\Phi$.
The semantics of a regular I/O-stream expression $\alpha$ is provided by means of a language $\mathcal{L}_{\mathcal{N}}(\alpha) \subseteq \mathit{IOS}$ where $\mathit{IOS}$ denotes the set of all finite I/O-streams, i.e., finite sequences of concurrent I/O-operations, possibly ending with the special symbol $\surd$ denoting that there is no further data flow.
We define $\mathcal{L}_{\mathcal{N}}(g)$ to be the set of all concurrent I/O-operations $(N, \delta)$, viewed as words (I/O-streams) of length 1, such that $(N, \delta) \in [\![ g ]\!]_{\mathcal{N}}$. The language $\mathcal{L}_{\mathcal{N}}(\mathit{stop})$ is the singleton set $\{\surd\}$. The operators $\cup$, $\cap$ and $\neg$ in the grammar for regular I/O-stream expressions have the standard meaning, i.e., $\cap$ stands for intersection, $\cup$ for union, and $\neg$ for complementation with respect to $\mathit{IOS}$. (Complementation and intersection can be dropped in the syntax of regular I/O-stream expressions without decreasing the expressiveness of the logic. We include them in our syntax since there are no closed regular expressions for $\neg\alpha$ or $\alpha_1 \cap \alpha_2$.) The meaning of $;$ and $^*$ agrees with standard concatenation and Kleene closure, except for the special treatment of $\surd$. If $\mathcal{L}_1, \mathcal{L}_2 \subseteq \mathit{IOS}$ then $\mathcal{L}_1 ; \mathcal{L}_2$ arises by the pointwise concatenation $\sigma_1 ; \sigma_2$ of the elements $\sigma_1 \in \mathcal{L}_1$ and the elements $\sigma_2 \in \mathcal{L}_2$, where $\sigma_1 ; \sigma_2 = \sigma_1$ if $\sigma_1$ ends with $\surd$ (nothing can be observed after the end of data flow). The Kleene closure is then defined in the standard way by $\mathcal{L}^* = \bigcup_{n \geq 0} \mathcal{L}^n$ where $\mathcal{L}^0 = \{\varepsilon\}$ (the language consisting of the empty I/O-stream), $\mathcal{L}^1 = \mathcal{L}$ and $\mathcal{L}^{n+1} = \mathcal{L} ; \mathcal{L}^n$.
BTSL formulas over the signature $(\mathit{AP}, \mathcal{N})$ are interpreted over a constraint automaton with the node-set $\mathcal{N}$ and the set $\mathit{AP}$ of atomic propositions. For $\mathcal{A} = (Q, \mathcal{N}, \longrightarrow, Q_0, \mathit{AP}, L)$, the satisfaction relation $\models_{\mathcal{A}}$ for BTSL state formulas is defined in the standard way:
$$\begin{array}{lcl}
q \models_{\mathcal{A}} \mathit{true} & & \\
q \models_{\mathcal{A}} ap & \iff & ap \in L(q) \\
q \models_{\mathcal{A}} \neg\Phi & \iff & q \not\models_{\mathcal{A}} \Phi \\
q \models_{\mathcal{A}} \Phi_1 \wedge \Phi_2 & \iff & q \models_{\mathcal{A}} \Phi_1 \text{ and } q \models_{\mathcal{A}} \Phi_2 \\
q \models_{\mathcal{A}} \exists\varphi & \iff & \text{there exists a run } \theta \in \mathit{MaxRuns}(q) \text{ s.t. } \theta \models_{\mathcal{A}} \varphi \\
q \models_{\mathcal{A}} \forall\varphi & \iff & \text{for all runs } \theta \in \mathit{MaxRuns}(q)\text{: } \theta \models_{\mathcal{A}} \varphi
\end{array}$$
The meaning of a run formula is as follows. Informally, if $\theta$ is a maximal run then $\theta \models_{\mathcal{A}} \langle\alpha\rangle\Phi$ iff there exists a finite prefix $\theta'$ of $\theta$ such that $p \models_{\mathcal{A}} \Phi$ for the last state $p$ of $\theta'$ and the I/O-stream of $\theta'$ belongs to $\mathcal{L}_{\mathcal{N}}(\alpha)$. The semantics of the until operator is as in CTL. Formally, if $\theta$ is a maximal run in $\mathcal{A}$ then the satisfaction relation $\theta \models_{\mathcal{A}} \varphi$ for BTSL run formulas $\varphi$ is defined as follows.
• If $\theta = q_0 \xrightarrow{N_1,\,\delta_1} q_1 \xrightarrow{N_2,\,\delta_2} q_2 \xrightarrow{N_3,\,\delta_3} \ldots$ is infinite then
$$\theta \models_{\mathcal{A}} \langle\alpha\rangle\Phi \iff \text{there exists } j \geq 0 \text{ such that } q_j \models_{\mathcal{A}} \Phi \text{ and } (N_1, \delta_1) \ldots (N_j, \delta_j) \in \mathcal{L}_{\mathcal{N}}(\alpha).$$
• If $\theta = q_0 \xrightarrow{N_1,\,\delta_1} \cdots \xrightarrow{N_k,\,\delta_k} q_k \xrightarrow{\surd} q_k$ is finite then
$$\theta \models_{\mathcal{A}} \langle\alpha\rangle\Phi \iff \text{either there exists } j \in \{0, 1, \ldots, k\} \text{ such that } q_j \models_{\mathcal{A}} \Phi \text{ and } (N_1, \delta_1) \ldots (N_j, \delta_j) \in \mathcal{L}_{\mathcal{N}}(\alpha),$$
$$\text{or } q_k \models_{\mathcal{A}} \Phi \text{ and } (N_1, \delta_1) \ldots (N_k, \delta_k)\,\surd \in \mathcal{L}_{\mathcal{N}}(\alpha).$$
• For $\theta$ an infinite or a finite maximal run with the state sequence $q_0\, q_1\, q_2 \ldots$:
$$\theta \models_{\mathcal{A}} \Phi_1\, \mathsf{U}\, \Phi_2 \iff \text{there exists } j \in \{0, 1, \ldots, |\theta|\} \text{ such that } q_j \models_{\mathcal{A}} \Phi_2 \text{ and } q_i \models_{\mathcal{A}} \Phi_1 \text{ for all } 0 \leq i < j.$$
□
Let $\mathit{Sat}_{\mathcal{A}}(\Phi) = \{q \in Q \mid q \models_{\mathcal{A}} \Phi\}$. If $\mathcal{A}$ is clear from the context then we skip the subscript $\mathcal{A}$ and simply write $\models$ and $\mathit{Sat}(\cdot)$. Automaton $\mathcal{A}$ fulfills $\Phi$, denoted as $\mathcal{A} \models \Phi$, if $q_0 \models_{\mathcal{A}} \Phi$ for all initial states $q_0 \in Q_0$.
Example 2. For a synchronous channel with source node $A$ and sink node $B$ the BTSL formula $\forall\Box\,\forall\langle \mathit{stop} \cup (d_A = d_B)\rangle\mathit{true}$ holds, asserting that all runs in the automaton consist of concurrent I/O-operations where data items are transmitted synchronously from $A$ to $B$, and possibly end if the components connected to $A$ or $B$ do not provide the corresponding write or read operation.
Fig. 3. Two Reo networks.
Fig. 4. A sequencer.
For the FIFO1 channel with source node $A$ and sink node $B$, the formulas
$$\forall[\mathit{true}^* ; A]\,\mathit{full} \qquad\qquad \forall[\mathit{true}^* ; B]\,\mathit{empty}$$
hold, stating that after $A$'s write operation the buffer is full, while after $B$'s read operation the buffer is empty. Also the formula $\forall\Box\,\neg\exists\langle A \wedge B\rangle\mathit{true}$ holds for the FIFO1 channel, stating the impossibility of simultaneous data flow at $A$ and $B$.
For (the constraint automaton of) the network on the left of Fig. 3, the BTSL formulas
$$\forall\Box\,\neg\exists\langle A \wedge B\rangle\mathit{true}, \qquad \forall[\mathit{true}^* ; A]\,\forall\langle B\rangle\mathit{true}, \qquad \forall[\mathit{true}^* ; B]\,\forall\langle A\rangle\mathit{true}, \quad\text{and}\quad \forall\langle\mathit{true}^*\rangle\,\forall\langle d_A = d \cup d_B = d\rangle\mathit{true}$$
hold. (The $d$ in the picture denotes that the upper buffer is filled with the data item $d$ in the initial configuration.) The former three formulas state that data flow at $A$ and $B$ alternates, while the latter formula asserts that only data item $d$, observed at $A$ or $B$, is possible.
While the network on the left has no terminal states, and thus, data flow is always infinite, the source node C in the
network on the right may write into the upper buffer which yields the configuration where both buffers are filled and data
flow stops. Hence, the network on the right fulfills the formulas
∀[true∗; A]∀〈(B; A) ∪ (C; stop)〉true,
∀[true∗; B]∀〈A〉true, and
∀[true∗; C]both_buffer_full
where both_buffer_full is an atomic proposition with the obvious semantics.
Fig. 4 shows the network for a sequencer, built out of four FIFO1 channels, several synchronous channels and drains, which allows the $A_i$'s to send messages to $B$ in the order
$$A_0\, A_1\, A_2\, A_3\, A_0\, A_1\, A_2\, A_3 \ldots$$
This property can be formalized by the formulas
$$\neg\exists\langle \mathit{true}^* ; A_i ; A_j\rangle\mathit{true} \qquad\text{where } 0 \leq i, j \leq 3 \text{ and } j \neq i + 1 \text{ (modulo 4)}.$$
Other properties that hold for the sequencer are
$$\forall[\mathit{true}^* ; (\neg\mathit{stop} \cap \neg B)]\,\mathit{false}, \qquad \forall[\mathit{true}^* ; A_i]\,\mathit{filled}(i+1), \qquad \forall\Box\big(\mathit{filled}(i) \to \exists\langle d_{A_i} = d_B\rangle\mathit{true}\big)$$
where $\mathit{filled}(i)$ is an atomic proposition stating that the $i$th buffer is filled (indices modulo 4). The terminal states of a constraint automaton are characterized by the formula $\Phi_{\mathit{terminal}} = \exists\langle\mathit{stop}\rangle\mathit{true}$. □
Fig. 5.Model checking schema.
4. BTSL model checking
The BTSL model checking problem takes a Reo network, possibly together with constraint automata that specify the
interfaces of the components that are connected to the source and sink nodes of the network, and a BTSL formula which has
to be checked as input. The automata for the components that are connected to the sink or source nodes of the network
describe the environment in which the network operates. They may restrict the nondeterminism in the automaton for
the network, since certain transition instances (concurrent I/O-operations) might become impossible due to the behavioral
interfaces of the components. After connecting a sink or source node A of the network with a port of a component, A is
treated as a mixed node. Thus, connecting the automata for the component might also decrease the set of terminal states.
In case nothing is known about the potential behaviors of the components that will be coordinated by the network, these
automata can be skipped, in which case all possible interactions of the sink and source nodes will be taken into account for
the analysis.
The schema of our model checker is depicted in Fig. 5. The first step is to generate an appropriate representation of
the constraint automaton associated with the network, possibly within the environment given by the automata for the
components. The goal of the second step is to verify or falsify whether for the generated constraint automaton a given BTSL
formula holds in all initial states. For certain formula types the model checker can return a witness (e.g., a run θ with θ |= ϕ
if the formula to be checked is ∃ϕ) or a counter-example (e.g., a run θ with θ 6|= ϕ if the formula to be checked is ∀ϕ).
The model checking algorithm. BTSL model checking relies on a combination of the CTL model checking algorithm [12] with automata-based approaches. Given a constraint automaton $\mathcal{A}$ and a BTSL state formula $\Phi$, the idea is an iterative computation of the satisfaction sets $\mathit{Sat}_{\mathcal{A}}(\Psi)$ for the sub-state formulas $\Psi$ of $\Phi$.
The treatment of the propositional logic fragment is obvious. The satisfaction sets for formula ∃(Φ1 UΦ2) or ∀(Φ1 UΦ2)
are obtained as in CTL with only slight modifications that are necessary for the correct treatment of terminal states.
For formulas of the form¹ $\exists\langle\alpha\rangle\Psi$ or $\exists[\alpha]\Psi$, we first apply standard algorithms to generate a nondeterministic finite automaton (NFA) $\mathcal{Z}$ for the regular I/O-stream expression $\alpha$. The alphabet of $\mathcal{Z}$, i.e., the range of the transition labels in $\mathcal{Z}$, is $\mathit{IOC} \cup \{\surd\}$. In fact, besides the special $\surd$-transitions, $\mathcal{Z}$ can be viewed as a constraint automaton $\mathcal{Z} = (Z, \mathcal{N}, \longrightarrow, Z_0, Z_F)$ with an additional set $Z_F$ of final (accept) states. The atomic propositions and labeling function are irrelevant for $\mathcal{Z}$. By the special role of the end symbol $\surd$, we may assume that $\mathcal{Z}$'s state space $Z$ contains a subset $Z_{\surd}$ such that
(1) $z \xrightarrow{\surd} z'$ implies $z' \in Z_{\surd}$,
(2) $z \xrightarrow{g} z' \in Z_{\surd}$ implies $g = \surd$, and
(3) the states in $Z_{\surd}$ have no successors.
Given $\mathcal{A}$ and $\mathcal{Z}$, we then build the product $\mathcal{A} \times \mathcal{Z}$ where the states are pairs $(q, z)$ consisting of a state $q$ in $\mathcal{A}$ and a state $z$ in $\mathcal{Z}$. The transitions in $\mathcal{A} \times \mathcal{Z}$ are obtained by the following rules:
$$\frac{q \xrightarrow{g_1}_{\mathcal{A}} q' \;\wedge\; z \xrightarrow{g_2}_{\mathcal{Z}} z' \;\wedge\; g_1, g_2 \in \mathit{IOC}}{(q, z) \xrightarrow{g_1 \wedge g_2}_{\mathcal{A} \times \mathcal{Z}} (q', z')} \qquad\qquad \frac{q \text{ is terminal in } \mathcal{A} \;\wedge\; z \xrightarrow{\surd}_{\mathcal{Z}} z'}{(q, z) \xrightarrow{\surd}_{\mathcal{A} \times \mathcal{Z}} (q, z')}$$
where we use the subscripts $\mathcal{A}$, $\mathcal{Z}$ or $\mathcal{A} \times \mathcal{Z}$ for the transition relations in $\mathcal{A}$, $\mathcal{Z}$ and $\mathcal{A} \times \mathcal{Z}$, respectively. The product $\mathcal{A} \times \mathcal{Z}$ is equipped with two atomic propositions $\mathit{sat}(\Psi)$ and $\mathit{final}$ and the labeling function that assigns $\mathit{sat}(\Psi)$ to all states $(q, z)$ where $q \models_{\mathcal{A}} \Psi$ and $\mathit{final}$ to all states $(q, z)$ where $z \in Z_F$. The following proposition provides a reduction to CTL.
Proposition 3 (Reduction to CTL). (a) $q \models_{\mathcal{A}} \exists\langle\alpha\rangle\Psi$ iff there exists $z_0 \in Z_0$ with $(q, z_0) \models_{\mathcal{A} \times \mathcal{Z}} \exists\Diamond(\mathit{sat}(\Psi) \wedge \mathit{final})$.
(b) If $\mathcal{Z}$ is deterministic then $q \models_{\mathcal{A}} \exists[\alpha]\Psi$ iff $(q, z_0) \models_{\mathcal{A} \times \mathcal{Z}} \exists\Box(\mathit{sat}(\Psi) \vee \neg\mathit{final})$ where $z_0$ is the initial state of $\mathcal{Z}$.
¹ We explain here an algorithm for $\exists[\alpha]\Psi$. The treatment of formula $\forall\langle\alpha\rangle\Psi$ is obtained by the duality law $\forall\langle\alpha\rangle\Psi \equiv \neg\exists[\alpha]\neg\Psi$.
Proof. To simplify the notation, we treat the pseudo-symbol $\surd$ as a concurrent I/O-operation and use the notation $(N, \delta)$ for both the concurrent I/O-operations and the special symbol $\surd$. In other words, we identify $\surd$ with $(\emptyset, \surd)$ and assume that $(N, \delta)$ ranges over the elements of
$$\{(N, \delta) \mid \emptyset \neq N \subseteq \mathcal{N},\ \delta : N \to \mathit{Data}\} \cup \{(\emptyset, \surd)\}.$$
(a) If $q \models_{\mathcal{A}} \exists\langle\alpha\rangle\Psi$ then there exists a run $q = q_0 \xrightarrow{N_1,\,\delta_1} \cdots \xrightarrow{N_k,\,\delta_k} q_k$ in $\mathcal{A}$ such that $(N_1, \delta_1) \ldots (N_k, \delta_k) \in \mathcal{L}_{\mathcal{N}}(\alpha)$ and $q_k \models_{\mathcal{A}} \Psi$. Let $z_0 \xrightarrow{N_1,\,\delta_1} \cdots \xrightarrow{N_k,\,\delta_k} z_k$ be an accepting run in $\mathcal{Z}$ for $(N_1, \delta_1) \ldots (N_k, \delta_k)$, i.e., $z_k \in Z_F$ and $z_0 \in Z_0$. Then,
$$(q_0, z_0) \xrightarrow{N_1,\,\delta_1} \cdots \xrightarrow{N_k,\,\delta_k} (q_k, z_k)$$
is a run in $\mathcal{A} \times \mathcal{Z}$. Hence, $(q, z_0) \models_{\mathcal{A} \times \mathcal{Z}} \exists\Diamond(\mathit{sat}(\Psi) \wedge \mathit{final})$.
Let us now assume that $(q, z_0) \models_{\mathcal{A} \times \mathcal{Z}} \exists\Diamond(\mathit{sat}(\Psi) \wedge \mathit{final})$ where $z_0 \in Z_0$. Then, there exists a run
$$(q_0, z_0) \xrightarrow{N_1,\,\delta_1} \cdots \xrightarrow{N_k,\,\delta_k} (q_k, z_k)$$
in $\mathcal{A} \times \mathcal{Z}$ with $q = q_0$ and $(q_k, z_k) \models_{\mathcal{A} \times \mathcal{Z}} \mathit{sat}(\Psi) \wedge \mathit{final}$, i.e., $q_k \models_{\mathcal{A}} \Psi$ and $z_k \in Z_F$. Thus, $z_0 \xrightarrow{N_1,\,\delta_1} \cdots \xrightarrow{N_k,\,\delta_k} z_k$ is an accepting run for $(N_1, \delta_1) \ldots (N_k, \delta_k)$ in $\mathcal{Z}$. This yields $(N_1, \delta_1) \ldots (N_k, \delta_k) \in \mathcal{L}_{\mathcal{N}}(\alpha)$. Since $q_k \models_{\mathcal{A}} \Psi$, $q = q_0 \xrightarrow{N_1,\,\delta_1} \cdots \xrightarrow{N_k,\,\delta_k} q_k$ is a run in $\mathcal{A}$ where $\langle\alpha\rangle\Psi$ holds.
(b) Let $\mathcal{Z}$ be deterministic and $z_0$ the initial state of $\mathcal{Z}$. If $q \models_{\mathcal{A}} \exists[\alpha]\Psi$ then there exists a maximal run $\theta$ of the form $q = q_0 \xrightarrow{N_1,\,\delta_1} q_1 \xrightarrow{N_2,\,\delta_2} q_2 \xrightarrow{N_3,\,\delta_3} \ldots$ such that $\theta \models [\alpha]\Psi$. Let us consider a prefix $q = q_0 \xrightarrow{N_1,\,\delta_1} \cdots \xrightarrow{N_k,\,\delta_k} q_k$ of $\theta$ and let $z_0 \xrightarrow{N_1,\,\delta_1} \cdots \xrightarrow{N_k,\,\delta_k} z_k$ be the unique run for $(N_1, \delta_1) \ldots (N_k, \delta_k)$ in $\mathcal{Z}$. Then, $z_k \in Z_F$ implies $q_k \models_{\mathcal{A}} \Psi$. Thus, $\theta$ can be lifted to a maximal run in $\mathcal{A} \times \mathcal{Z}$ along which $\mathit{sat}(\Psi) \vee \neg\mathit{final}$ holds in every state. This yields $(q, z_0) \models_{\mathcal{A} \times \mathcal{Z}} \exists\Box(\mathit{sat}(\Psi) \vee \neg\mathit{final})$.
Let us now assume that $(q, z_0) \models_{\mathcal{A} \times \mathcal{Z}} \exists\Box(\mathit{sat}(\Psi) \vee \neg\mathit{final})$ and let
$$\theta' = (q_0, z_0) \xrightarrow{N_1,\,\delta_1} (q_1, z_1) \xrightarrow{N_2,\,\delta_2} \ldots$$
be a maximal run in $\mathcal{A} \times \mathcal{Z}$ where $q = q_0$ and $\theta' \models_{\mathcal{A} \times \mathcal{Z}} \Box(\mathit{sat}(\Psi) \vee \neg\mathit{final})$. The projection of $\theta'$ to the $\mathcal{A}$-components yields a maximal run $\theta$ in $\mathcal{A}$ starting in $q$. We now show that $\theta \models_{\mathcal{A}} [\alpha]\Psi$. Let $q = q_0 \xrightarrow{N_1,\,\delta_1} \cdots \xrightarrow{N_k,\,\delta_k} q_k$ be a prefix of $\theta$. Then, $z_0 \xrightarrow{N_1,\,\delta_1} \cdots \xrightarrow{N_k,\,\delta_k} z_k$ is the (unique) run in $\mathcal{Z}$ for the word $(N_1, \delta_1) \ldots (N_k, \delta_k)$. Since $\theta' \models \Box(\mathit{sat}(\Psi) \vee \neg\mathit{final})$, we have: $z_k \in Z_F$ implies $q_k \models_{\mathcal{A}} \Psi$. This yields the claim. □
Part (a) of Proposition 3 allows us to compute $\mathit{Sat}(\exists\langle\alpha\rangle\Psi)$ by means of a backward reachability analysis in $\mathcal{A} \times \mathcal{Z}$ as shown in Algorithm 1, where $\mathit{Pre}_{\mathcal{A} \times \mathcal{Z}}(V)$ returns the set of all predecessor states of $V$ in $\mathcal{A} \times \mathcal{Z}$.
Algorithm 1 Computation of $\mathit{Sat}(\exists\langle\alpha\rangle\Psi)$
  construct an NFA $\mathcal{Z}$ for $\alpha$ and build the product $\mathcal{A} \times \mathcal{Z}$;
  $V := \{(q, z) \in Q \times Z \mid q \in \mathit{Sat}(\Psi) \wedge z \in Z_F\}$;
  repeat
    $V' := V$;
    $V := V \cup \mathit{Pre}_{\mathcal{A} \times \mathcal{Z}}(V)$;
  until ($V' = V$);
  return $\{q \in Q \mid \exists z_0 \in Z_0 \text{ s.t. } (q, z_0) \in V\}$;
Note that part (b) of Proposition 3 becomes wrong if $\mathcal{Z}$ is nondeterministic. For an NFA $\mathcal{Z}$, there may exist two runs
$$\theta = z_0 \xrightarrow{N_1,\,\delta_1} z_1 \xrightarrow{N_2,\,\delta_2} \ldots \qquad\text{and}\qquad \theta' = z'_0 \xrightarrow{N_1,\,\delta_1} z'_1 \xrightarrow{N_2,\,\delta_2} \ldots$$
in $\mathcal{Z}$ for the same sequence of concurrent I/O-operations, where only one of them is accepting. This fact may induce two different runs in the product automaton $\mathcal{A} \times \mathcal{Z}$ (corresponding to a single run in $\mathcal{A}$), one of them satisfying $\Box(\mathit{sat}(\Psi) \vee \neg\mathit{final})$ while this property does not hold for the other run. The problem is that the non-accepting run yields a witness for $\exists\Box(\mathit{sat}(\Psi) \vee \neg\mathit{final})$ in the product (as $\neg\mathit{final}$ holds along it). The following example illustrates this phenomenon.
Fig. 6. Constraint automaton $\mathcal{A}$ and NFA $\mathcal{Z}$ for $\alpha = (\{A\}, d_A = 1)^*$.
Fig. 7. Product automaton $\mathcal{A} \times \mathcal{Z}$.
Example 4. Fig. 6 shows a constraint automaton A and an NFA Z for
$$\alpha = (\{A\}, d_A = 1)^*$$
where the boxed state is accepting. Assuming that q_0 ⊨ Ψ and q_1 ⊭ Ψ it becomes obvious that A ⊭ ∃[α]Ψ.
When building the product as shown in Fig. 7 it turns out that
A × Z ⊨ ∃(Sat(Ψ) ∨ ¬final)
holds, since
$$(q_0, z_0) \xrightarrow{\{A\},\, d_A = 1} (q_1, z_1) \xrightarrow{\{A\},\, d_A = 1} (q_1, z_1) \cdots$$
is a possible run within the product automaton.
For Sat(∃[α]Ψ), part (b) of Proposition 3 therefore suggests switching from Z to an equivalent deterministic finite automaton (DFA) and a fixpoint computation on the product of A and the DFA Z. Algorithm 2 computes Sat(∃[α]Ψ).
Algorithm 2 Computation of Sat(∃[α]Ψ)
  construct a DFA Z = (Z, N, −→, Z_0, Z_F) for α;
  V := {(q, S) ∈ Q × 2^Z | S ∩ Z_F ≠ ∅ implies q ⊨ Ψ};
  T := {(q, S) ∈ V | q is terminal};
  V′ := ∅;
  repeat
    V′ := V;
    V := T ∪ {(q, S) ∈ V | ∃(N, δ) : q −(N,δ)→ q′ and (q′, ∆_Z(S, (N, δ))) ∈ V};
  until (V′ = V);
  return {q ∈ Q | (q, Z_0) ∈ V};
We use the function ∆_Z(S, (N, δ)) to indicate the set of all (N, δ)-successors of a state in S:
$$\Delta_Z(S, (N, \delta)) := \bigcup_{z \in S} \{\, z' \in Z \mid z \xrightarrow{(N,\delta)} z' \,\}.$$
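Both fixpoint computations, run on a reconstruction of Example 4 (an added example, not the authors' implementation; Fig. 6 is not reproduced on the page, so the exact shape of A and Z is an assumption taken from the description). Since Algorithm 2 tracks sets of Z-states, it performs the subset construction on the fly and can be fed the NFA directly; a naive greatest fixpoint on the plain product A × Z is included to show the wrong answer the text warns about.

```python
# Constructed reconstruction of Example 4 (Fig. 6 is not reproduced, so the automata are
# assumptions): A has q0 --({A},dA=1)--> q1 and a self-loop on q1; the NFA Z for
# alpha = ({A},dA=1)* loops on accepting z0 and may also jump to the non-accepting trap z1.
from itertools import combinations
IO = (frozenset({"A"}), (("dA", 1),))            # the concurrent I/O-operation ({A}, dA=1)
A_STATES, A_TRANS, SAT_PSI = {"q0", "q1"}, {("q0", IO, "q1"), ("q1", IO, "q1")}, {"q0"}
Z_INIT, Z_FINAL = {"z0"}, {"z0"}
Z_TRANS = {("z0", IO, "z0"), ("z0", IO, "z1"), ("z1", IO, "z1")}

def terminal_states(a_states, a_trans):
    return {q for q in a_states if not any(q0 == q for q0, _, _ in a_trans)}

def sat_exists_diamond(a_states, a_trans, sat_psi, z_init, z_final, z_trans):
    """Algorithm 1: least fixpoint (backward reachability) in the product A x Z."""
    v = {(q, z) for q in sat_psi for z in z_final}
    while True:
        pre = {(q, z) for q, io, q2 in a_trans for z, io2, z2 in z_trans
               if io == io2 and (q2, z2) in v}            # Pre_{A x Z}(V)
        if pre <= v:
            return {q for q in a_states if any((q, z0) in v for z0 in z_init)}
        v |= pre

def naive_exists_box(a_states, a_trans, sat_psi, z_init, z_final, z_trans):
    """Greatest fixpoint for exists(sat(Psi) or not final) on the plain product A x Z.
    Correct only for a deterministic Z (part (b) of Proposition 3)."""
    term = terminal_states(a_states, a_trans)
    z_states = {z for z, _, _ in z_trans} | {z2 for _, _, z2 in z_trans}
    v = {(q, z) for q in a_states for z in z_states if z not in z_final or q in sat_psi}
    while True:
        v2 = {(q, z) for q, z in v if q in term or any(
            io == io2 and (q2, z2) in v
            for q0, io, q2 in a_trans if q0 == q for z0, io2, z2 in z_trans if z0 == z)}
        if v2 == v:
            return {q for q in a_states if any((q, z0) in v for z0 in z_init)}
        v = v2

def delta_z(z_trans, s, io):
    """All (N,delta)-successors of the Z-states in S (one subset-construction step)."""
    return frozenset(z2 for z, io2, z2 in z_trans if z in s and io2 == io)

def sat_exists_box(a_states, a_trans, sat_psi, z_init, z_final, z_trans):
    """Algorithm 2: greatest fixpoint over pairs (q, S) with S a subset of Z's states;
    tracking sets determinizes a nondeterministic Z on the fly."""
    z_states = {z for z, _, _ in z_trans} | {z2 for _, _, z2 in z_trans}
    subsets = {frozenset(c) for r in range(len(z_states) + 1) for c in combinations(z_states, r)}
    v = {(q, s) for q in a_states for s in subsets if not (s & z_final) or q in sat_psi}
    t = {(q, s) for q, s in v if q in terminal_states(a_states, a_trans)}
    while True:
        v2 = t | {(q, s) for q, s in v if any((q2, delta_z(z_trans, s, io)) in v
                                               for q0, io, q2 in a_trans if q0 == q)}
        if v2 == v:
            return {q for q in a_states if (q, frozenset(z_init)) in v}
        v = v2
```

On this instance the naive product fixpoint reports q0 ∈ Sat(∃[α]Ψ) via the run (q0,z0) → (q1,z1) → (q1,z1) ⋯ on which ¬final holds, whereas Algorithm 2 correctly returns the empty set.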
Fig. 8. Symbolic model checking schema.
The complexity of the algorithms to compute the satisfaction sets of ∃〈α〉Ψ and ∀[α]Ψ is polynomial in the size of A and the DFA Z for α. Thus, the overall time complexity of BTSL model checking is polynomial in the size of A and exponential in the length of the input formula Φ.
5. Symbolic implementation
This section summarizes the main aspects of our symbolic BTSL model checking implementation based on binary decision
diagrams (BDDs), see e.g. [8,18,17,21]. BDDs form a data structure for switching functions
f : Eval(x1, . . . , xn)→ {0, 1}
where x1, . . . , xn are boolean variables and Eval(x1, . . . , xn) denotes the set of evaluations for x1, . . . , xn.
Therefore, we have to represent the constraint automata (for A and Z), namely states, transition relation and labeling
function, in terms of switching functions. This section gives a brief overview of the encoding and, moreover, shows that BDD
operators are capable of handling composition of constraint automata as well as allowing to specify a symbolic version of
the previously introduced algorithms for model checking BTSL properties. Fig. 8 depicts the induced changes to the model
checking schema.
To represent a constraint automaton A = (Q, N, −→, Q_0, AP, L) by a BDD, we fix a binary encoding of the states, i.e., we embed Q into {0, 1}^n by an injective function
$$bin : Q \to \{0, 1\}^n$$
where n = ⌈log |Q|⌉. We choose boolean state variables q_1, …, q_n and then identify each state q with the evaluation for q_1, …, q_n given by bin(q). In the same way, we may encode the data items by bit tuples. For simplicity, we assume here the boolean data domain Data = {0, 1} and treat the symbols d_A and nodes A ∈ N as boolean variables.
In what follows, let N = {A_1, …, A_k} and d_i = d_{A_i}, i = 1, …, k. We write Ā and d̄ for the variable tuples (A_1, …, A_k) and (d_1, …, d_k), respectively.
The transition relation −→ can be identified with its characteristic function and viewed as a switching function
$$T_A : Eval(\bar{q}, \bar{A}, \bar{d}, \bar{q}') \to \{0, 1\},$$
where the variable tuple q̄ = (q_1, …, q_n) encodes the starting state, q̄′ = (q′_1, …, q′_n) the target state, while Ā and d̄ serve to represent the concurrent I/O-operations. For instance, the transition relations of the constraint automata for a synchronous channel and a synchronous drain with source node A and sink node B are given by:
$$T_{\mathit{sync\_channel}}(q_1, A, B, d_A, d_B, q'_1) = q_1 \wedge A \wedge B \wedge (d_A \leftrightarrow d_B) \wedge q'_1$$
$$T_{\mathit{sync\_drain}}(q_1, A, B, d_A, d_B, q'_1) = q_1 \wedge A \wedge B \wedge q'_1.$$
For a FIFO1 channel we have to encode three states, say
$$bin(q) = 00, \quad bin(q(1)) = 11 \quad\text{and}\quad bin(q(0)) = 10,$$
and then may represent the automaton by
$$(\neg q_1 \wedge \neg q_2 \wedge A \wedge \neg B \wedge (q'_2 \leftrightarrow d_A) \wedge q'_1) \vee (q_1 \wedge \neg A \wedge B \wedge (q_2 \leftrightarrow d_B) \wedge \neg q'_1 \wedge \neg q'_2).$$
The BDD-representation for the transition relation of a Reo network can be constructed in a compositional manner, by mimicking Reo's composition operators using the corresponding operators on constraint automata and applying the analogous symbolic operations for manipulating switching functions. We will briefly consider the join operator which allows us to collapse two nodes into a single node. Using some appropriate renaming of nodes, Reo's join operator can be reduced on the automata level to a product construction that ''synchronizes'' the data flow at the common nodes of the given constraint automata (see [6]). If A_1 and A_2 are constraint automata with node-sets N_1 and N_2, respectively, then the concurrent I/O-operations in the product A_1 × A_2 are given by the transition instances obtained by the following synchronization rule and two interleaving rules:
$$\frac{q_1 \xrightarrow{g_1}_{A_1} p_1 \qquad q_2 \xrightarrow{g_2}_{A_2} p_2}{(q_1, q_2) \xrightarrow{g_1 \wedge g_2}_{A_1 \times A_2} (p_1, p_2)}
\qquad
\frac{q_1 \xrightarrow{g_1}_{A_1} p_1}{(q_1, q_2) \xrightarrow{g_1 \wedge \neg N_2}_{A_1 \times A_2} (p_1, q_2)}
\qquad
\frac{q_2 \xrightarrow{g_2}_{A_2} p_2}{(q_1, q_2) \xrightarrow{g_2 \wedge \neg N_1}_{A_1 \times A_2} (q_1, p_2)}$$
where ¬N_i stands short for $\bigwedge_{A \in N_i} \neg A$.
These rules can be expressed symbolically as
$$T_{A_1 \times A_2} = (T_{A_1} \wedge T_{A_2}) \vee (T_{A_1} \wedge \neg N_2 \wedge id_{A_2}) \vee (T_{A_2} \wedge \neg N_1 \wedge id_{A_1}),$$
where $id_A = \bigwedge_{q \in Q} (q \leftrightarrow q')$ and Q is the state space of A.
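The switching-function encoding and the symbolic join formula above, as an added example (not the authors' C++/JINC code): switching functions are ordinary Python predicates over an evaluation instead of BDDs, and the constructed instance joins the page's synchronous channel and FIFO1 templates at a shared node B (the node names A, B, C and the state variable s are assumptions of this example). An explicit forward reachability over the joined relation then lists the configurations and transitions of the small network.

```python
from itertools import product

# Added example, not the authors' C++/JINC implementation: switching functions are
# Python predicates over an evaluation (dict variable -> bool) instead of BDDs.  The
# instance is constructed: a synchronous channel A -> B joined at node B with a FIFO1
# channel B -> C, i.e. the page's two templates with their nodes renamed.
NODES = ("A", "B", "C")
STATE = ("s", "q1", "q2")          # s: the single state of the sync channel, bin(q) = 1
OTHER = NODES + tuple("d" + n for n in NODES) + tuple(v + "_" for v in STATE)  # v_ = v'


def t_sync_channel(e):             # T_sync_channel(s, A, B, dA, dB, s')
    return e["s"] and e["A"] and e["B"] and e["dA"] == e["dB"] and e["s_"]


def t_fifo1(e):                    # the page's FIFO1 encoding, source B and sink C
    write = (not e["q1"] and not e["q2"] and e["B"] and not e["C"]
             and e["q2_"] == e["dB"] and e["q1_"])
    read = (e["q1"] and not e["B"] and e["C"] and e["q2"] == e["dC"]
            and not e["q1_"] and not e["q2_"])
    return write or read


def t_join(e):
    """T_{A1 x A2} = (T1 & T2) | (T1 & not N2 & id2) | (T2 & not N1 & id1)."""
    def quiet(nodes):              # not N_i: none of the automaton's nodes is active
        return not any(e[n] for n in nodes)
    def same(state_vars):          # id_A: every state variable keeps its value
        return all(e[v] == e[v + "_"] for v in state_vars)
    return ((t_sync_channel(e) and t_fifo1(e))
            or (t_sync_channel(e) and quiet(("B", "C")) and same(("q1", "q2")))
            or (t_fifo1(e) and quiet(("A", "B")) and same(("s",))))


def reachable(t, initial):
    """Forward reachability over the switching function t from `initial` (values for STATE).
    Returns (configurations, transitions) with a transition written as
    (state, active nodes, data at the active nodes, next state); don't-cares collapse."""
    seen, todo, trans = {initial}, [initial], set()
    while todo:
        cur = todo.pop()
        for bits in product((False, True), repeat=len(OTHER)):
            e = {**dict(zip(STATE, cur)), **dict(zip(OTHER, bits))}
            if not t(e):
                continue
            nxt = tuple(e[v + "_"] for v in STATE)
            active = frozenset(n for n in NODES if e[n])
            data = tuple((n, e["d" + n]) for n in NODES if e[n])
            trans.add((cur, active, data, nxt))
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen, trans
```

Starting from the empty buffer, the joined relation has three reachable configurations and four transitions: a write through A and B with equal data into the FIFO1, and a read on C alone; the interleaving rule never lets the synchronous channel fire without the buffer, because ¬N_2 contradicts the activity of B.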
Besides the transition relation, we also need a BDD-representation of the labeling function. This can be done by representing the characteristic function of
$$Sat(ap) = \{\, q \in Q \mid ap \in L(q) \,\}$$
by a BDD for the induced function f_ap : Eval(q̄) → {0, 1}. BDD-representations f_Ψ for the satisfaction sets Sat(Ψ) of the subformulas Ψ of Φ are obtained by reformulating the BTSL model checking algorithm in a symbolic way with boolean operators and applying the corresponding BDD synthesis algorithms.
A symbolic reformulation of Algorithm 1 is shown in Algorithm 3 where it is assumed that the BDD f_Ψ for Sat(Ψ) has already been constructed. We use the variable tuple q̄ = (q_1, …, q_n) to encode the states in A and z̄ = (z_1, …, z_m) for the states in Z. Subsets V of Q × Z are encoded by the variables in q̄ and z̄. The notation V(q̄′, z̄′) means that the variables of V are renamed into their primed copies. The sets Z_0, Z_F and Z_√ are represented by BDDs with the variables z̄.
Algorithm 3 Symbolic computation of Sat(∃〈α〉Ψ)
  construct an NFA Z for α and generate BDD-representations T_Z for the transition relation of Z and for the sets Z_0, Z_F and Z_√;
  T_{A×Z} := T_A ∧ T_Z;
  V := f_Ψ ∧ Z_F;
  repeat
    V′ := V;
    V := V ∨ ∃(q̄′, z̄′) ∃Ā ∃d̄. [T_{A×Z} ∧ V(q̄′, z̄′)];
  until (V′ = V);
  return ∃z̄. [V ∧ Z_0]; (* symbolic representation of Sat(∃〈α〉Ψ) by f_{∃〈α〉Ψ} *)
6. Examples and results
We applied the symbolic BTSL model checker to a couple of examples. We will report here two case studies. All results
were achieved on a Pentium IV, 1.8 GHz, 1.5 GB RAM with Mandriva Linux and kernel 2.6.12. The tool was written in C++, compiled with GCC 4.0.3 and uses JINC [19] as the library for binary decision diagrams.
Example 5 (Dining Philosophers). The first example describes the well-known dining philosophers’ scenario, modeled in
Reo as in [1], see Fig. 9.
The interface of philosopher i has four output ports
take_lefti, take_righti, return_lefti and return_righti
that serve to take and return the chopsticks on the left and right of the philosopher. The chopsticks are each modeled by a
FIFO1 channel and a synchronous drain. The constraint automata for the interfaces of the philosophers and the chopsticks
are shown in Fig. 10.
Table 1 illustrates the efficiency of the symbolic approach to construct the BDD-representation of the constraint automaton A for the whole system by the symbolic join operation. The first column ''size'' shows the number of philosophers.
The second column ‘‘time’’ shows the time needed for the synthesis phase, while the last column ‘‘reachable time’’ refers to
the time needed to compute the reachable fragment ofA. The other two columns refer to the size of the generated BDD for
A and the maximal size of the BDDs generated during the symbolic computation.
Fig. 9. Dining philosophers.
Fig. 10. CA for a philosopher and a chopstick.
Table 1
Synthesis results for the dining philosophers’ example.
Size Time (s) BDD nodes Peak Reach time (s)
100 0.45 16446 142023 0.13
200 0.98 33146 285523 0.24
400 2.18 66546 572523 0.45
800 4.97 133346 1146523 0.86
1600 12.69 266946 2294523 1.81
3200 35.12 534146 4590523 3.96
6400 112.21 1068546 9182523 8.53
Table 2
Model checking results for the dining philosophers’ example.
Size Formula Steps Time (s) Peak
200 ∀(¬(eat_100 ∧ eat_101)) 199 17.78 5169232
200 ∀∃〈true*; take_right_i〉true 798 135.04 34762951
3200 ∃〈true*; take_i; take_{(i+1) mod n}〉eat_i 5 16.56 9303687
To give an impression of the size of the state space, observe that the reachable part of the CA for 800 philosophers consists of about 10^306 states. Several properties have been checked for this model of the dining philosophers. Table 2 shows the
results for three BTSL formulas. The columns refer to the number of philosophers, number of steps in the model checking
procedure, namely, the number of iterations within the fixpoint computation, and the total amount of time needed to verify
(or falsify) the given formula.
The second formula does not hold since there is a run where all philosophers take their left chopsticks and then wait
forever for the missing right chopstick. This deadlock situation has been found with 798 iterations by means of a backward
analysis. Computing the reachable part first by means of a forward analysis, the deadlock can be found in 403 steps within
only 13.92 s.
Example 6 (Mutual Exclusion). Our second example is the component connector shown in Fig. 11 which realizes a mutual
exclusion protocol for n parallel processes (P1, . . . , Pn) where at each time instance at most k of them may perform their
critical actions.
Fig. 11. Mutual exclusion and CA for one process.
Table 3
Synthesis results for the mutual exclusion network.
n k Time (s) BDD nodes Peak Reach time (s)
200 5 4.34 9617 1735363 0.15
200 20 5.74 11907 2295538 0.89
200 60 9.38 17986 3789338 9.64
400 5 17.17 18617 5933461 0.29
400 20 20.14 20907 7045636 1.64
400 60 28.64 26986 10011436 11.77
800 5 62.99 36617 20508457 0.58
800 20 69.26 38907 22724632 3.07
800 60 85.99 44986 28634432 20.58
We assume here that the behavioral interface of each component Pi is represented by the constraint automaton also
depicted in Fig. 11.
Table 3 summarizes the results for the generation of the BDD-representation, where n is the number of processes and
k the maximum number of processes allowed to be in their critical section at the same time. For 200 processes and k = 60,
this CA consists of more than 5 · 10^119 reachable configurations.
We performed the analysis with several BTSL formulas. Table 4 shows the results for the following three properties. The
first formula
$$\Phi_1 = \forall[\mathit{request}^*]\Big(\bigwedge_{1 \le i \le n} \neg \mathit{crit}_i\Big)$$
states that as long as only requests appear, none of the processes is allowed to be in its critical section, while the second formula
$$\Phi_2 = \exists\langle\alpha\rangle(\mathit{crit}_1 \wedge \mathit{crit}_2 \wedge \mathit{crit}_3) \quad\text{with}\quad \alpha = \mathit{true}^*; \mathit{enter}_1; A_1; (\mathit{enter}_2 \wedge A_2); A_1; (\mathit{enter}_3 \wedge A_3)$$
asks for the existence of runs at the end of which the first three processes have entered their critical section. The third formula, given by
$$\Phi_3 = \forall[\alpha]\,\neg\exists\langle(\neg \mathit{release})^*; \mathit{enter}_{k+1}\rangle \mathit{true} \quad\text{with}\quad \alpha = \mathit{true}^*; \mathit{enter}_1; (\neg \mathit{release})^*; \ldots; \mathit{enter}_k; (\neg \mathit{release})^*$$
ensures that whenever k processes enter their critical sections without exiting, no other process is allowed to enter its critical section.
7. Conclusion
The purpose of this paper is to explain the functionality and the foundations of our model checker for Reo networks.
Its efficiency has been illustrated by two examples which show that our model checking approach can handle even very
large networks with up to 10^1200 configurations, in a reasonable amount of time. Given the wide range of applications of the
Reo framework, see e.g. [14,22,9], we believe that our model checker yields an important contribution for formal reasoning
about exogenous coordination models. Besides further optimizations to increase efficiency and case studies, we will extend
our implementation to reason about alternating time aspects to deal with the controller synthesis problem. Also, real-time
constraints should be taken into account with the logic TDSL [3] or a branching time version thereof. Another important
aspect is dynamic reconfiguration by means of the logic considered in [11] or other formal frameworks for Reo’s dynamic
reconfiguration operations.
Table 4
Model checking results for the mutual exclusion.
Processes (n) Semaphores (k) Time (Φ1) (s) Time (Φ2) (s) Time (Φ3) (s)
200 5 0.80 0.15 0.68
200 20 0.86 0.19 0.82
200 60 0.82 0.38 1.89
400 5 1.74 0.31 1.47
400 20 1.82 0.35 1.58
400 60 1.43 0.53 2.53
800 5 4.57 0.62 3.69
800 20 4.58 0.65 3.63
800 60 3.62 0.87 4.61
Acknowledgements
The authors are supported by the DFG-NWO-project SYANCO and the EU-project CREDO.
References
[1] F. Arbab, Abstract behavior types: A foundation model for components and their composition, in: [7], 2003, pp. 33–70.
[2] F. Arbab, Reo: A channel-based coordination model for component composition, Mathematical Structures in Computer Science 14 (3) (2004) 1–38.
[3] F. Arbab, C. Baier, F. de Boer, J. Rutten, Models and temporal logics for timed component connectors, in: Proc. SEFM'04, IEEE CS Press, 2004.
[4] F. Arbab, C. Baier, F. de Boer, J. Rutten, Models and temporal logics for timed component connectors, Software and System Modeling 6 (1) (2007) 59–82.
[5] F. Arbab, J.J.M.M. Rutten, A coinductive calculus of component connectors, in: Proc. 16th WADT, in: LNCS, vol. 2755, 2003, pp. 35–56.
[6] C. Baier, M. Sirjani, F. Arbab, J.J.M.M. Rutten, Modeling component connectors in Reo by constraint automata, Science of Computer Programming 61 (2006) 75–113.
[7] F.S. de Boer, M.M. Bonsangue, S. Graf, W.-P. de Roever, Formal Methods for Components and Objects, in: LNCS, vol. 2852, Springer, 2003.
[8] R. Bryant, Graph-based algorithms for Boolean function manipulation, IEEE Transactions on Computers C-35 (1986).
[9] D. Clarke, D. Costa, F. Arbab, Modeling Coordination in Biological Systems, in: Proc. ISoLA 2004, in: LNCS, vol. 4313, 2006, pp. 9–25.
[10] E.M. Clarke, E.A. Emerson, A.P. Sistla, Automatic verification of finite-state concurrent systems using temporal logic specifications, ACM Transactions on Programming Languages 8 (2) (1986) 244–263.
[11] Dave Clarke, Reasoning about Connector Reconfiguration II: Basic reconfiguration Logic, in: Proc. FSEN'05, in: LNCS, vol. 159, 2006, pp. 61–77.
[12] E. Clarke, E. Emerson, A. Sistla, Automatic verification of finite-state concurrent systems using temporal logic specifications, ACM Transactions on Programming Languages and Systems 8 (2) (1986) 244–263.
[13] E. Clarke, O. Grumberg, D. Peled, Model Checking, MIT Press, 1999.
[14] N. Diakov, F. Arbab, Compositional Construction of Web Services Using Reo, in: Proc. International Workshop on Web Services: Modeling, Architecture and Infrastructure, ICEIS 2004, Porto, Portugal, April 13–14, 2004.
[15] E. Emerson, C. Lei, Modalities for model checking: Branching time strikes back (extended abstract), in: Proc. 12th Annual ACM Symposium on Principles of Programming Languages, POPL, in: SIGPLAN, ACM Press, 1985, pp. 84–96.
[16] M. Fischer, J. Ladner, Propositional dynamic logic of regular programs, Journal of Computer and Systems Sciences 18 (1979) 194–211.
[17] G. Hachtel, F. Somenzi, Logic Synthesis and Verification Algorithms, Kluwer Academic Publishers, 1996.
[18] K. McMillan, Symbolic Model Checking, Kluwer Academic Publishers, 1993.
[19] J. Ossowski, C. Baier, A uniform framework for weighted decision diagrams and its implementation, STTT 10 (5) (2008) 425–441.
[20] M.Y. Vardi, P. Wolper, An automata-theoretic approach to automatic program verification, in: Proc. 1st Symposium on Logic in Computer Science, Cambridge, June 1986, pp. 322–331.
[21] I. Wegener, Branching Programs and Binary Decision Diagrams: Theory and Applications, Monographs on Discrete Mathematics and Applications, SIAM, 2000.
[22] Z. Zlatev, N. Diakov, S. Pokraev, Construction of negotiation protocols for E-commerce applications, ACM SIGecom Exchanges 5 (2) (2004) 11–22.
