A Partial Order Approach to Branching Time Logic Model Checking, by Gerth, Rob et al.
Information and Computation 150, 132–152 (1999)
Rob Gerth* and Ruurd Kuiper
Eindhoven University of Technology, Eindhoven, The Netherlands
Doron Peled
Bell Laboratories, Murray Hill, New Jersey 07974
E-mail: doron@research.bell-labs.com
and
Wojciech Penczek†
Institute of Computer Science, PAS, Warsaw, Poland
Partial order techniques enable reducing the size of the state space used for model checking, thus alleviating the “state space explosion” problem. These reductions are based on selecting a subset of the enabled operations from each program state. So far, these methods have been studied, implemented, and demonstrated for assertional languages that model the executions of a program as computation sequences, in particular the linear temporal logic. The present paper shows, for the first time, how this approach can be applied to languages that model the behavior of a program as a tree. We study here partial order reductions for branching temporal logics, e.g., the logics CTL and CTL* (with the next time operator removed) and process algebra logics such as Hennessy-Milner logic (with $\tau$ actions). Conditions on the selection of subsets of successors from each state during the state-space construction, which guarantee a reduction that preserves CTL* properties, are given. The experimental results provided show that the reduction is substantial. © 1999 Academic Press
1. INTRODUCTION
Partial order (or more accurately, commutativity-based) methods are useful for tackling the exponential blowup in the memory required for the automated verification by model-checking of concurrent programs. They exploit the fact that many properties are insensitive to the order in which concurrent operations are executed. Fixing one out of many such orders can then be used to reduce the memory and time needed to check such properties. Such methods were studied [7, 18, 19, 22, 23, 26], mostly in conjunction with specifications that assert about the set of interleaved executions of the program, e.g., those that use linear temporal logic without the next-state operator (LTL).
* Partially supported by ESPRIT project P6021, “Building Correct Reactive Systems (REACT).”
† Partially supported by De stichting informatica-onderzoek in Nederland (SION).
‡ Part of this research was done when the fourth author was visiting Eindhoven University of Technology.
Article ID inco.1998.2778, available online at http://www.idealibrary.com. Copyright © 1999 by Academic Press. All rights of reproduction in any form reserved.
State-based algorithms for model checking a system are patterned after a search of the system's configurations or states, thus generating a state graph that allows checking whether a concurrent finite state program P satisfies a temporal logic property $\varphi$. Partial order reductions are aimed at constructing a reduced state graph, based on exploring for each visited state only a subset of the enabled operations, so that only some of the successors of that state are expanded. Hence, specifications can be verified in less space and time. The correctness of the reduced state graph generation algorithm is based on employing a set of constraints that limit the choice of such subsets of operations to those that guarantee that the correctness of the checked specification(s) is preserved.
The next step is to extend these methods to handle types of specifications other than sequence-based ones. Natural candidates are specification languages based on branching models, in particular, branching time temporal logics. Such logics, as opposed to LTL, can distinguish the state where a nondeterministic choice is made in the execution of the program. We are guided by three main reasons for our pursuit of a reduction that preserves branching-time logics. The first one is achieving greater expressiveness, e.g., by using a logic such as CTL* (without the nexttime operator), which, besides being able to distinguish the nondeterministic choices, can express all LTL-properties. The second one is the existence of some interesting restricted versions of branching time logics such as CTL. Although CTL does not include LTL (and vice versa), it can, by virtue of the branching operators, describe many interesting properties of programs. Moreover, due to its restrictions, it has a model-checking algorithm that is linear in the size of the checked formula [3], as opposed to the exponential algorithm for LTL [12]. The third motivation for such a reduction lies within the fact that branching temporal properties are preserved by some type of bisimulation [2] that is insensitive to stuttering. Besides basing our correctness proof on this fact, checking that two structures are equivalent with respect to that type of bisimulation is itself important for process-algebra style correctness. We then also obtain, as a consequence of our proof, the preservation of the Hennessy-Milner logic with $\tau$ actions [9]. Our reductions can be used to improve the time required and the size of the state graph, and they can be used in conjunction with process-algebra based tools such as PSF and AUTO [13, 17].
The paper starts out investigating the proper constraints on the subset that is chosen to be explored at each visited state. Not unexpectedly, the set of constraints turns out to be strictly stronger than the one needed for LTL. Indeed, CTL* has greater distinguishing power than LTL, so that branching points due to nondeterministic choices should be preserved in the reduced graph. Of course, this also means that reduction for LTL can produce smaller state graphs and, thus, be more efficient in space and time. This is compensated by the fact that some branching time logics such as CTL have model-checking algorithms that are linear, rather than exponential, in the size of the checked property.
The proof of the correctness of our algorithm is novel in that it is rather different from the one used for LTL reductions [18]; instead of using traces [14], i.e., equivalence classes of sequences, we show stuttering bisimilarity between the full and the reduced state graph [2]. This equivalence was proved in [2] to be a necessary and sufficient condition for ensuring that the two stuttering bisimilar structures satisfy the same CTL* formulas.
Experimental results show that, even with the additional constraint on selecting subsets of the enabled operations, the reduction is still substantial. We demonstrate the reduction on various algorithms and protocols and compare it to the reduction obtained for LTL. The simplicity of the reduction algorithm, and the small overhead in time and memory it incurs, suggest that one can obtain significant improvement for state-based model-checking by using the suggested reduction algorithm with a relatively small investment.
We also investigate using our algorithm as part of a weak bisimulation or branching bisimulation checker. Experiments indicate that it is more efficient to use our reduction strategy to generate a state graph to be checked than it is to generate and check the full state graph. The rest of the paper is organized as follows: In Section 2 we give some preliminary definitions, including a family of bisimulations that will be used later. Section 3 presents the partial order reduction algorithm and its correctness proof. Section 4 gives experimental results. Finally, Section 5 concludes the paper.
2. BASIC NOTIONS
2.1. Programs and Logic
Programs, State Graphs and Independence
For purposes of state graph generation and model checking, the specific syntactic structure of programs is not important. Instead, a finite-state program P can be viewed as a 4-tuple $(S, T, \iota, D)$, where S is a finite set of states, T is a finite set of operations as defined below, $\iota \in S$ is the initial state, and D is a so-called dependency relation on the program's operations as defined below.
The enabling condition $en(s) \subseteq T$ is the set of operations that can be executed from a state s. Each operation $a \in T$ is identified with a partial function $a: S \to S$ that needs to be defined at least for each s such that $a \in en(s)$.
Definition 2.1. A dependency relation is a reflexive and symmetric relation $D \subseteq T \times T$ such that for each pair of operations $(a, b) \notin D$ (called independent operations), for each $s \in S$:
• If $a, b \in en(s)$ (i.e., a and b are both enabled from s), then $b \in en(a(s))$.
• If $a, b \in en(s)$, then $a(b(s)) = b(a(s))$.
Partial order reductions exploit concurrency in programs and the fact that the truth of specifications is often insensitive to the order in which so-called independent operations from different concurrent components occur in computations. Such independent operations can be obtained by observing various types of operations in programming languages. For example, a pair of assignments to local variables in different processes would satisfy the above conditions.
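The two conditions of Definition 2.1 can be checked mechanically when the state space is small. The following is an added example, not code from the paper: it constructs a program with three operations over two bounded variables (the operation names, guards and value ranges are assumptions of this example), tests both independence conditions from every state, and returns the resulting dependency relation D. Operations a and c both write x, so they should end up dependent; b writes only y.

```python
# Added example (not from the paper): computing the dependency relation D of
# Definition 2.1 for a small constructed program by checking both independence
# conditions over every state.
from itertools import product

# Constructed program: variables x, y range over {0,1,2,3}; a state is (x, y).
STATES = [(x, y) for x, y in product(range(4), repeat=2)]

# Each operation is (guard, effect): it is enabled in s iff guard(s) holds and
# then maps s to effect(s), i.e. a partial function on S as in Section 2.1.
OPS = {
    "a": (lambda s: s[0] < 3, lambda s: (s[0] + 1, s[1])),   # x := x + 1
    "b": (lambda s: s[1] < 3, lambda s: (s[0], s[1] + 1)),   # y := y + 1
    "c": (lambda s: s[0] < 2, lambda s: (s[0] * 2, s[1])),   # x := 2 * x
}

def enabled(op, s):
    return OPS[op][0](s)

def apply(op, s):
    return OPS[op][1](s)

def independent(a, b, states=STATES):
    """True iff (a, b) satisfies both conditions of Definition 2.1 in every
    state: executing a preserves the enabledness of b, and a and b commute."""
    for s in states:
        if enabled(a, s) and enabled(b, s):
            if not enabled(b, apply(a, s)):                     # condition 1
                return False
            if apply(a, apply(b, s)) != apply(b, apply(a, s)):  # condition 2
                return False
    return True

def dependency_relation(ops=OPS, states=STATES):
    """The reflexive, symmetric relation D: a pair is in D unless it is
    independent in both directions (D must be symmetric, so both are checked)."""
    D = set()
    for a in ops:
        for b in ops:
            if a == b or not (independent(a, b, states) and independent(b, a, states)):
                D.add((a, b))
    return D

if __name__ == "__main__":
    print(sorted(dependency_relation()))
```

On this program the relation comes out as the three reflexive pairs plus (a, c) and (c, a): from (1, 0) operation c is no longer enabled after a, and in any state a(c(s)) and c(a(s)) differ, so either condition alone already makes the pair dependent.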
An execution sequence of a program $P = (S, T, \iota, D)$ is a maximal (finite or infinite) sequence of states $s_0 s_1 s_2 \cdots$ satisfying that $s_0 = \iota$, and for each pair of adjacent states $s_i, s_{i+1}$ on the sequence there exists an operation a such that $a \in en(s_i)$ and $a(s_i) = s_{i+1}$. A state is reachable if it appears on some execution sequence.
Let PV be a finite set of propositions. A state graph, $G_P$, for a program P is a directed, rooted, and edge-labeled graph $(S, E, \iota, L)$, with a finite set of states S, a set of labeled edges $E \subseteq S \times T \times S$, an initial state $\iota \in S$, and an interpretation function $L: S \to 2^{PV}$ assigning subsets of the propositional variables PV to the states. We denote an edge from u to v that is labeled by a by $u \xrightarrow{a} v$.
Hence, the paths of a state graph that start with the initial state $\iota$ correspond to execution sequences of P. Because the operations themselves are deterministic, paths in a state graph that start in the initial state are uniquely determined by the sequence of operations that occur along them. Observe that not every possible state of the corresponding program needs to be reachable from the initial state $\iota$.
Syntax of CTL*
The set of state formulas and the set of path formulas are defined inductively:
S1. Every member of PV is a state formula.
S2. If $\varphi$ and $\psi$ are state formulas, then so are $\neg\varphi$ and $\varphi \wedge \psi$.
S3. If $\varphi$ is a path formula, then $A\varphi$ is a state formula.
P1. Any state formula $\varphi$ is also a path formula.
P2. If $\varphi, \psi$ are path formulas, then so are $\varphi \wedge \psi$ and $\neg\varphi$.
P3. If $\varphi, \psi$ are path formulas, then so are $U(\varphi, \psi)$ and $X\varphi$.
CTL* consists of the set of all state formulae. The modal operator A has the intuitive meaning “for all paths.” The modal U denotes the standard until and X denotes the modal nexttime. The following abbreviations will be used: $true = p \vee \neg p$ for some $p \in PV$; $E\varphi =_{def} \neg A \neg\varphi$; $\varphi \vee \psi =_{def} \neg((\neg\varphi) \wedge (\neg\psi))$; $F\varphi =_{def} U(true, \varphi)$; $G\varphi =_{def} \neg F \neg\varphi$.
Sublogics of CTL*
CTL. The state modalities E and A and the path modalities U, F, and G may only appear paired, i.e., in the combinations EU, EF, EG, AU, AF and AG.
LTL. Restriction to formulas of the form $A\varphi$, where $\varphi$ does not contain A and E. We usually write $\varphi$ instead of $A\varphi$ if confusion is unlikely.
The versions of the logics without the nexttime operator (X) will be denoted by $CTL_{-X}$, $CTL^*_{-X}$ and $LTL_{-X}$.
Semantics of CTL*
A CTL* structure is a state graph $(S, E, \iota, L)$. Intuitively, L(s) is the set of propositions that hold in state s. The labels on the edges in the definition of the graph are only used in the sequel for the benefit of the description of the suggested algorithm, but they are ignored by the interpretation of the temporal logics.
Let $M = (S, E, \iota, L)$ be such a structure and let $\pi = (s_0, s_1, \ldots)$ be a maximal (finite or infinite) path such that $s_i \xrightarrow{a_i} s_{i+1}$ with $a_i \in T$ for $i \geq 0$. Let $\pi^i$ denote the suffix $(s_i, s_{i+1}, \ldots)$ of $\pi$. Satisfaction of a formula $\varphi$ in a state s of M (written $M, s \models \varphi$ or just $s \models \varphi$) is defined inductively as follows:
S1. $s \models p$ iff $p \in L(s)$, for $p \in PV$,
S2. $s \models \neg\varphi$ iff not $s \models \varphi$; $s \models \varphi \wedge \psi$ iff $s \models \varphi$ and $s \models \psi$,
S3. $s \models A\varphi$ iff $\pi \models \varphi$ for every path $\pi$ starting at s,
P1. $\pi \models \varphi$ iff $s_0 \models \varphi$, for any state formula $\varphi$,
P2. $\pi \models \neg\varphi$ iff not $\pi \models \varphi$; $\pi \models \varphi \wedge \psi$ iff $\pi \models \varphi$ and $\pi \models \psi$,
P3. $\pi \models U(\varphi, \psi)$ iff there is an $i \geq 0$ such that $\pi^i \models \psi$ and $\pi^j \models \varphi$ for all $0 \leq j < i$; $\pi \models X\varphi$ iff $\pi^1 \models \varphi$.
We say that M satisfies $\varphi$, and denote $M \models \varphi$, exactly when $M, \iota \models \varphi$.
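The semantics above quantifies over maximal paths, which may be finite, so a state without successors ends its path rather than stuttering forever. The following added example (not code from the paper) is a fixpoint model checker for the paired fragment $CTL_{-X}$ (EU, AU, EG, AG and the derived EF, AF) that respects this: EG f holds at a deadlock state satisfying f, and AF g fails at a deadlock state not satisfying g. The state graph, its labelling and the tuple encoding of formulas are assumptions of this example; the last formula it evaluates is the one the paper discusses with Fig. 5 in Section 3.

```python
# Added example (not from the paper): a fixpoint model checker for CTL_-X under
# the maximal-path semantics above.  A deadlock state (no successors) ends its
# maximal path and is NOT given an implicit self-loop.

# Constructed state graph: successor lists and labelling L(s).  Edge labels are
# ignored by the logic and are therefore omitted.
SUCC = {0: [1, 2], 1: [3], 2: [2], 3: []}          # 2 loops forever, 3 is a deadlock
LABEL = {0: set(), 1: {"p"}, 2: {"p"}, 3: {"q"}}

# Formulas are nested tuples; only the primitive connectives appear in sat().
def prop(p):       return ("prop", p)
def NOT(f):        return ("not", f)
def AND(f, g):     return ("and", f, g)
def OR(f, g):      return NOT(AND(NOT(f), NOT(g)))
def IMPLIES(f, g): return OR(NOT(f), g)
def EU(f, g):      return ("EU", f, g)
def AU(f, g):      return ("AU", f, g)
def EG(f):         return ("EG", f)
def AG(f):         return ("AG", f)
def EF(f):         return EU(("true",), f)        # F g = U(true, g), as abbreviated above
def AF(f):         return AU(("true",), f)

def sat(f, succ=SUCC, label=LABEL):
    """Set of states satisfying the CTL_-X state formula f (fixpoint evaluation)."""
    states = set(succ)
    deadlock = {s for s in states if not succ[s]}
    pre_E = lambda Z: {s for s in states if any(t in Z for t in succ[s])}  # some successor in Z
    pre_A = lambda Z: {s for s in states if all(t in Z for t in succ[s])}  # every successor in Z
    op = f[0]
    if op == "true": return set(states)
    if op == "prop": return {s for s in states if f[1] in label[s]}
    if op == "not":  return states - sat(f[1], succ, label)
    if op == "and":  return sat(f[1], succ, label) & sat(f[2], succ, label)
    if op in ("EU", "AU"):
        F, G = sat(f[1], succ, label), sat(f[2], succ, label)
        Z = set()                                   # least fixpoint, from the empty set
        while True:
            # A deadlock state satisfies U(f, g) only through g itself: pre_A is
            # vacuously true there, so it is excluded from the inductive step.
            pre = pre_E(Z) if op == "EU" else pre_A(Z) - deadlock
            Z_next = G | (F & pre)
            if Z_next == Z:
                return Z
            Z = Z_next
    if op in ("EG", "AG"):
        F = sat(f[1], succ, label)
        Z = set(states)                             # greatest fixpoint, from all states
        while True:
            # A finite maximal path ending in a deadlock state satisfies G f when f
            # holds along it, so deadlock states stay in EG f if they satisfy f.
            pre = (pre_E(Z) | deadlock) if op == "EG" else pre_A(Z)
            Z_next = F & pre
            if Z_next == Z:
                return Z
            Z = Z_next
    raise ValueError(f"unknown connective {op!r}")

def satisfies(f, succ=SUCC, label=LABEL, init=0):
    """M |= f exactly when the initial state satisfies f."""
    return init in sat(f, succ, label)

# phi = AG((p and not q) -> (AF q or AF not p)), the formula the paper discusses
# with Fig. 5.  On the constructed graph it fails: state 2 keeps p and not q forever.
PHI = AG(IMPLIES(AND(prop("p"), NOT(prop("q"))), OR(AF(prop("q")), AF(NOT(prop("p"))))))

if __name__ == "__main__":
    print("states satisfying phi:", sorted(sat(PHI)), " M |= phi:", satisfies(PHI))
```

Because the graph has no X, the checker never needs the `next` operator; EF and AF are obtained from U exactly as in the abbreviations above, and AG is computed directly as a greatest fixpoint so that a deadlock state satisfying f is (vacuously) kept.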
2.2. Behavioral Equivalences
We consider here several notions of bisimulations that are preserved under our partial order reduction. Some connections between bisimulations and logics allow adopting the reduction for various logical formalisms, including $CTL^*_{-X}$. To give the notions of bisimulations, the following definition of invisibility is needed.
Definition 2.2. An operation $a \in T$ is invisible if for every pair of reachable states $s, s' \in S$ such that $a \in en(s)$ and $a(s) = s'$, $L(s) = L(s')$.
That is, an operation is invisible if by executing it from any given state it does not change the values of the propositions PV. Denote the set of invisible operations by Invis, and let $Vis = T \setminus Invis$ be the set of visible operations. In process algebra, the invisible operations are readily given and marked as $\tau$ operations.
Since calculating the exact set of invisible operations is, in general, not easier than the original model-checking problem, some estimates are in place. In what follows it will be clear that a pessimistic estimate, where operations are considered visible even when they are not, would preserve the correctness of our reduction algorithm. In particular, it is legitimate to omit the word “reachable” from Definition 2.2, obtaining a simpler condition that may be calculated effectively using syntactic analysis of the program operations. Notice, however, that an over-pessimistic estimate may eliminate the reduction altogether.
Definition 2.3 (Stuttering bisimulation [2]). A relation $\approx_{sb} \subseteq S \times S'$ is a stuttering simulation between two structures $M = (S, E, \iota, L)$ and $M' = (S', E', \iota', L')$ if the following conditions hold:
1. $\iota \approx_{sb} \iota'$,
2. if $s \approx_{sb} s'$, then $L(s) = L'(s')$ and for every maximal path $\pi$ of M that starts at s, there is a maximal path $\pi'$ in M' that starts at s', a partition $B_1, B_2, \ldots$ of $\pi$, and a partition $B'_1, B'_2, \ldots$ of $\pi'$ such that for each j, $B_j$ and $B'_j$ are nonempty and finite, and every state in $B_j$ is related by $\approx_{sb}$ to every state in $B'_j$.
A relation $\approx_{sb}$ is a stuttering bisimulation if both $\approx_{sb}$ and $\approx_{sb}^T$ (the transpose of $\approx_{sb}$) are stuttering simulations.
The following theorem connects $CTL^*_{-X}$ and stuttering bisimulation:
Theorem 2.4 (see [2]). Let $\varphi$ be a $CTL^*_{-X}$ formula with the set of atomic propositions PV. Let M and M' be two structures, where the range of the labeling functions L and L' is the subsets of atomic propositions PV. Let the relation $\approx_{sb}$ be a stuttering bisimulation between M and M'. Then for every pair of stuttering bisimilar states $s \approx_{sb} s'$ it holds that $M, s \models \varphi$ iff $M', s' \models \varphi$.
Definition 2.5 (Branching bisimulation [6, 16]). A relation $\approx_{bb} \subseteq S \times S'$ is a branching simulation between two structures $M = (S, E, \iota, L)$ and $M' = (S', E', \iota', L')$ if it satisfies the conditions:
1. $\iota \approx_{bb} \iota'$ and
2. if $s \approx_{bb} s'$ and $s \xrightarrow{b} t$, then either $b = \tau$ and $t \approx_{bb} s'$, or there exists a path $s' = s_0 \xrightarrow{\tau} s_1 \xrightarrow{\tau} \cdots \xrightarrow{\tau} s_n \xrightarrow{b} t'$ in M' such that $s \approx_{bb} s_i$ for $0 \leq i \leq n$ and $t \approx_{bb} t'$.
A relation $\approx_{bb}$ is a branching bisimulation if both $\approx_{bb}$ and $\approx_{bb}^T$ are branching simulations.
Let $M = (S, E, \iota, L)$ be a structure. Denote $s \Rightarrow^{a} s'$ if there exists a path $s = s_0 \xrightarrow{\tau} s_1 \xrightarrow{\tau} \cdots \xrightarrow{\tau} s_i \xrightarrow{a} s_{i+1} \xrightarrow{\tau} \cdots \xrightarrow{\tau} s_n = s'$. When a is $\tau$, the path can be empty, whence s equals s'.
Definition 2.6 (Weak bisimulation [15]). A relation $\approx_{wb} \subseteq S \times S'$ is a weak simulation between structures $M = (S, E, \iota, L)$ and $M' = (S', E', \iota', L')$ if it satisfies the conditions:
1. $\iota \approx_{wb} \iota'$ and
2. if $s \approx_{wb} s'$ and $s \xrightarrow{b} t$, then there exists t' such that $s' \Rightarrow^{b} t'$ in M' and $t \approx_{wb} t'$.
A relation $\approx_{wb}$ is a weak bisimulation if both $\approx_{wb}$ and $\approx_{wb}^T$ are weak simulations.
Notice that the interpretation functions L and L' are irrelevant and, hence, can be omitted in both branching and weak bisimulation. We define now a bisimulation that includes conditions on both states and edges. To tie together stuttering bisimulation, which observes states but ignores operations, and branching bisimulation, which observes operations and ignores states, we define the following relation.
Definition 2.7. A relation $\approx_{vb} \subseteq S \times S'$ is a visible simulation between the structures M and M' if for the initial states $\iota \approx_{vb} \iota'$, and when $s \approx_{vb} r$, the following conditions hold:
1. $L(s) = L'(r)$.
2. Let $s \xrightarrow{a} s' \in E$. There are two cases (see Fig. 1):
• a is invisible and $s' \approx_{vb} r$, or
• there exists a path $r_0 \xrightarrow{c_0} r_1 \xrightarrow{c_1} \cdots \xrightarrow{c_{n-1}} r_n \xrightarrow{c_n} r_{n+1}$ in M', where $r = r_0$ and $s' \approx_{vb} r_{n+1}$, such that $s \approx_{vb} r_i$ for $0 \leq i \leq n$ and $c_i$ is invisible for $0 \leq i < n$. Furthermore, if a is visible, then $c_n = a$. Otherwise, $c_n$ is invisible.
3. If there is an infinite path $s = s_0 \xrightarrow{a_0} s_1 \xrightarrow{a_1} \cdots$ in M, where $a_i$ is invisible and $s_i \approx_{vb} r$ for $i \geq 0$, then there exists an edge $r \xrightarrow{c} r'$ such that c is invisible, and for some $j > 0$, $s_j \approx_{vb} r'$ (see Fig. 2).
A relation $\approx_{vb}$ is a visible bisimulation if both $\approx_{vb}$ and $\approx_{vb}^T$ are visible simulations.
Visible bisimulation between two structures implies stuttering bisimulation between these structures, as shown below.
Theorem 2.8. Let M and M' be two structures, and let $\approx_{vb}$ be a visible bisimulation between them. Then the relation $\approx_{vb}$ is also a stuttering bisimulation between the two structures.
Proof. By Definition 2.7, $\iota \approx_{vb} \iota'$, and if $s \approx_{vb} r$, then $L(s) = L'(r)$. Let $s \approx_{vb} r$ and let $\sigma$ be a maximal path of M, starting at state s. We construct a maximal path $\rho = r_0 \xrightarrow{c_0} r_1 \xrightarrow{c_1} \cdots$, where $r_0 = r$. We partition the states of $\sigma$ and $\rho$ into corresponding stuttering blocks, as required in Definition 2.3. We describe now how to construct the next one or two blocks, depending on the case. Our construction is inductive and is based on having already constructed the following:
• A finite prefix $\rho' = r_0 \xrightarrow{c_0} r_1 \xrightarrow{c_1} \cdots \xrightarrow{c_{l-1}} r_l$ of $\rho$.
• A finite prefix $\sigma' = s_0 \xrightarrow{a_0} s_1 \xrightarrow{a_1} \cdots \xrightarrow{a_{k-1}} s_k$ of $\sigma$ such that $s_k \approx_{vb} r_l$, and a partition of the states $s_0 s_1 \cdots s_{k-1}$ and $r_0 r_1 \cdots r_{l-1}$ into corresponding blocks.
Let $\sigma^k$ be the suffix of the path $\sigma$ that starts with the state $s_k$. There are two cases.
Case 1. Either (a) there is a visible operation in $\sigma^k$, or (b) not all the states of $\sigma^k$ are related by $\approx_{vb}$ to the state $r_l$. Let j be the maximal number such that for $k \leq i < j$, $a_i$ is invisible, and for $k \leq i \leq j$, $s_i \approx_{vb} r_l$. When either (a) or (b) holds there must exist such a j. Thus, we know that either $a_j$ is visible or $s_{j+1} \not\approx_{vb} r_l$. Now, according to item 2 of Definition 2.7, there is a sequence $r_l \xrightarrow{c_l} r_{l+1} \xrightarrow{c_{l+1}} \cdots \xrightarrow{c_{n-1}} r_n \xrightarrow{c_n} r_{n+1}$ such that for $l \leq m \leq n$, $s_j \approx_{vb} r_m$, and for $l \leq m < n$, $c_m$ is invisible. Furthermore, $s_{j+1} \approx_{vb} r_{n+1}$. Figure 3 depicts the case where $j > k$ and $n > l$. In this case, we can select the matching blocks:
$B = s_k, s_{k+1}, \ldots, s_{j-1}$ with $\bar{B} = r_l$.
$B' = s_j$ with $\bar{B}' = r_{l+1}, r_{l+2}, \ldots, r_n$.
By the above construction, the states in B are related by $\approx_{vb}$ to the single state in $\bar{B}$, and the single state in B' is related to all the states in $\bar{B}'$.
In the case of $l = n$, we construct only one pair of matching blocks,
$B = s_k, s_{k+1}, \ldots, s_j$ with $\bar{B} = r_l$.
In the case of $k = j$, we construct again only one pair of matching blocks,
$B = s_k$ with $\bar{B} = r_l, r_{l+1}, \ldots, r_n$.
In all of the above cases, we also have that $s_{j+1} \approx_{vb} r_{n+1}$.
FIG. 1. The two cases of Definition 2.7, item 2.
FIG. 2. The case of Definition 2.7, item 3.
FIG. 3. Newly constructed blocks.
Case 2. All the states in $\sigma^k$ are related by $\approx_{vb}$ to $r_l$, and all the operations in $\sigma^k$ are invisible. Again, there are two cases:
Case 2.1. $\sigma^k$ is infinite. In this case, according to item 3 of Definition 2.7, there is a prefix $s_k \xrightarrow{a_k} s_{k+1} \xrightarrow{a_{k+1}} \cdots \xrightarrow{a_{j-1}} s_j \xrightarrow{a_j} s_{j+1}$ of $\sigma^k$ and an edge $r_l \xrightarrow{c_l} r_{l+1}$, with $c_l$ invisible, such that for $k \leq i \leq j$, $s_i \approx_{vb} r_l$. Furthermore, $s_{j+1} \approx_{vb} r_{l+1}$. Thus, we can select the matching blocks
$B = s_k, s_{k+1}, \ldots, s_j$ with $\bar{B} = r_l$.
Case 2.2. $\sigma^k$ is finite. Let $\sigma^k = s_k \xrightarrow{a_k} s_{k+1} \xrightarrow{a_{k+1}} \cdots \xrightarrow{a_{j-1}} s_j$. If $r_l$ does not have any successors, we can select the matching blocks as in Case 2.1,
$B = s_k, s_{k+1}, \ldots, s_j$ with $\bar{B} = r_l$.
If $s_k$ is the last state in $\sigma^k$, then there is a finite path $r_l \xrightarrow{c_l} \cdots \xrightarrow{c_{n-1}} r_n$ in M' such that $s_k \approx_{vb} r_m$ for $l \leq m \leq n$ and $c_m$ is invisible for $l \leq m < n$. Furthermore, $r_n$ has no successors. To see this, notice that if there was a visible operation out of $r_n$, then according to item 2 of Definition 2.7, $s_k$ must also have some successor. If there was an infinite path that includes invisible operations and states that are related to $s_k$, then by item 3 of Definition 2.7, $s_k$ must also have some successor. Thus, we can select the matching blocks,
$B = s_k$ with $\bar{B} = r_l, r_{l+1}, \ldots, r_n$.
Finally, if both $s_k$ and $r_l$ have successors, using the same argument, there is a path $r_l \xrightarrow{c_l} \cdots \xrightarrow{c_{n-1}} r_n$ such that $r_n$ does not have successors, and we can select the matching blocks,
$B = s_k, s_{k+1}, \ldots, s_{j-1}$ with $\bar{B} = r_l$.
$B' = s_j$ with $\bar{B}' = r_{l+1}, r_{l+2}, \ldots, r_n$.
Notice that if $\sigma$ is infinite, then $\rho$ is also infinite. If $\sigma$ is finite, Case 2.2 must eventually be used, and $\rho$ ends with a state with no successors. Thus, in both cases, $\rho$ is maximal.
The blocks that are defined inductively as described above partition the states of $\sigma$ and $\rho$. Let B be a block of $\sigma$ and B' the matching block of $\rho$. Then, by the construction, for s in B and r in B' we have that $s \approx_{vb} r$.
In a symmetric way, we can construct for each path $\rho$ in M' that starts with r a path $\sigma$ in M that starts with s, such that $\rho$ and $\sigma$ have corresponding matching blocks. Thus, the conditions of Definition 2.3 hold and $\approx_{vb}$ is also a stuttering bisimulation. □
Hence from Theorems 2.8 and 2.4 we conclude that M and M' satisfy the same $CTL^*_{-X}$ properties over the propositions PV. When all invisible operations are labeled as $\tau$, visible bisimulation is stronger than branching bisimulation, which in turn is stronger than weak bisimulation. By the connection between weak bisimulation and Hennessy-Milner logic (HML) with $\tau$ operations [9], two structures that are weak bisimulation equivalent satisfy the same HML specification. This interaction between bisimulations and logics is depicted in Fig. 4.
FIG. 4. Connections between bisimulations and logics.
3. THE ALGORITHM
The reduction algorithm is based upon a modified depth-first-search algorithm. It generates a reduced state graph G' for the checked program P such that the correctness of the checked property $\varphi$ under G' is the same as under the full state graph G of P. This is guaranteed by ensuring that there is a visible bisimulation and, hence, also a stuttering bisimulation between the graph G and the graph G' (see Theorem 2.4).
The idea of the reduction is that from each state in the reduced state graph the set of enabled operations is examined and only a subset of it is used to generate successors. This contrasts with the construction of the full state graph, where all of the enabled operations are explored.
3.1. Preserving $LTL_{-X}$ Properties
Several restrictions are imposed on the allowed subsets of operations (the ample sets) $ample(s) \subseteq en(s)$ that are expanded from a state s in the reduced state graph. The restrictions guarantee that there is a visible bisimulation between the reduced model M' and the full model M and, therefore, the truth value of the checked property is preserved by the reduced state graph.
C1. No operation $a \in T \setminus ample(s)$ that is dependent on an operation in ample(s) can be executed in P before an operation from ample(s) is executed.
Condition C1 exploits the commutativity between program operations. It enforces that any finite sequence of operations taken from s that does not contain an operation from ample(s) can be extended by such an operation.
C2. For every cycle in the constructed state graph, for at least one state s of the cycle ample(s) = en(s), i.e., all the successors of s are expanded.
Without condition C2 there can exist a cycle where from each state s some operation a is enabled but not included in ample(s). One way of checking that condition C2 holds is using a somewhat stronger condition. This condition C2S takes advantage of the fact that during a depth-first search, cycles are closed when reaching a state that is already on the search stack.
C2S. If ample(s) is a proper subset of en(s), then for no operation $a \in ample(s)$ does it hold that a(s) is on the search stack of the expansion algorithm.
Albeit slightly stronger, the alternative condition allows a simple, low overhead implementation. (A previous work on a reduction that preserves $LTL_{-X}$ properties [19] considers C2S rather than C2.)
C3. If $ample(s) \neq en(s)$, the operations in ample(s) are not visible.
Condition C3 disallows selecting only one order out of several possible orders of execution for a pair of visible independent operations. If the operations a and b are independent and executable in either order from a state s, then it is guaranteed that $a(b(s)) = b(a(s))$ and, thus, $L(a(b(s))) = L(b(a(s)))$; i.e., executing them in either order results in the same state. However, if both are visible, it can turn out that $L(s)$, $L(b(s))$, $L(a(s))$, and $L(a(b(s)))$ are all distinct. On the other hand, if at most one of them is visible, then either $L(a(s)) = L(s)$ and $L(b(s)) = L(a(b(s)))$, or $L(b(s)) = L(s)$ and $L(a(s)) = L(a(b(s)))$, which amounts to stuttering.
Conditions C1, C2, C3 are actually sufficient to guarantee that the reduced state graph will preserve any checked $LTL_{-X}$ property $\varphi$ [19].
3.2. Preserving $CTL^*_{-X}$ Properties
Preserving properties based on branching semantics, where execution sequences are embedded in a tree, requires an additional constraint. The reason is that with branching properties one can observe the points where execution sequences depart from each other.
The left structure of Fig. 5 contains an example of a full state graph M for a system with a set of operations $T = \{a, b, c, d, e\}$ such that $D = (T \times T) \setminus \{(a, b), (b, a), (a, c), (c, a)\}$. This structure does not satisfy the $CTL_{-X}$ formula $\varphi = AG((p \wedge \neg q) \to (AFq \vee AF\neg p))$. The reduced state graph M' on the right of Fig. 5, obtained by obeying conditions C1–C3, satisfies $\varphi$.
C4. ample(q) contains either all the operations enabled in state q, or exactly one of them. That is, if reduction is possible at q, then ample(q) is a singleton.
Conditions C1, C2, C3, together with condition C4, enforce that the branching structures of the reduced state graph and of the full state graph are indistinguishable from each other. Consider the left-hand side structure of Fig. 6, depicting a part of the full state graph. Let $b_i$, $1 \leq i \leq n$, be invisible operations satisfying condition C1 at state $s_i$. Then the operations enabled at each state $s_i$, besides $b_i$, would also be enabled at $s_{i+1}$. It turns out that without the nexttime operator, the logic $CTL^*_{-X}$ cannot distinguish between the left structure in Fig. 6 and the reduced, right structure. A formal proof of this fact appears in Section 3.3.
FIG. 5. Example where C1–C3 do not suffice to preserve $CTL_{-X}$.
The reduced state graph generation program is given in Fig. 7. The construction starts with the initial state $\iota$ of the program. The main program consists of a depth-first search (lines 6–19). Each new state is marked by the flag open (lines 3 and 14), and when its expansion is finished (i.e., it is removed from the search stack), it is marked by the flag closed (line 18). For each new state, the subset of successors to be used is calculated by the procedure ample (the procedure call is at line 7, the procedure body is at lines 20–27). This procedure returns either a single (invisible) operation that satisfies conditions C1 to C4 (line 24) or the set of all enabled operations (line 26). For simplicity C2S, which is the stronger version of condition C2, is used. This requires ample(s) to be equal to the set of all the operations enabled at s when closing a cycle. A weaker version can be implemented [22] but it requires an additional overhead.
FIG. 6. Full and reduced substructure.
FIG. 7. A reduced state graph expansion algorithm.
Checking that the singleton set {a} satisfies condition C1 is not detailed in the algorithm given in Fig. 7. It is easy to see that checking this condition is as hard as checking reachability, hence, as hard as the original model-checking problem. This is PSPACE-complete for a standard representation of the program as a family of communicating automata (an alternative measurement of the complexity w.r.t. the size of the global state graph gives an NLOGSPACE-complete complexity). However, one can benefit from substantial reduction even when using a pessimistic heuristic algorithm that in some cases considers {a} not to satisfy C1 when it actually does.
Such heuristics are based on checking the type of the operation a (e.g., a local assignment, a synchronous receive operation, etc.), some conditions on the rest of the program, and the current state s: according to the type of the operation, there are certain conditions whose satisfaction in the current state s guarantees that {a} satisfies C1. For example, the simplest condition is that a is a local assignment and is not within a nondeterministic choice with other operations. A slightly more complicated condition applies when a is an asynchronous receive. Then C1 is guaranteed if there is no other receive operation from the same queue in any other process (this holds vacuously when a communication queue can be shared only by a pair of processes). A more complete description of checking C1 appears in [11]. Such practical checks of condition C1 can be performed in constant time.
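As an added example (not the paper's Fig. 7 program, which is not reproduced on this page), the following Python implements the depth-first expansion described above for a constructed two-process program. ample(s) is the singleton {a} only when a is invisible (C3), passes a constant-time sufficient check for C1 of the kind just described (a is local and no other enabled operation is dependent on it, i.e. it is not within a nondeterministic choice), and a(s) is not on the search stack (C2S); otherwise all of en(s) is expanded (C4). The program, its dependency relation, the bounded state domain used for the pessimistic invisibility check, and the C1 heuristic are all assumptions of this example.

```python
# Added example (not the paper's Fig. 7): depth-first reduced state graph
# generation with ample sets chosen under C1 (heuristic), C2S, C3 and C4.
# The program, its dependency relation and the C1 heuristic are constructed here.

# Constructed program: two sequential processes; a state is (pc1, pc2).
# Process 1 runs inc1a, inc1b (local, invisible) and then set1, which makes the
# proposition 'flag' true (visible).  Process 2 loops forever on tick / tock.
# Each operation: (process, guard, effect).
OPS = {
    "inc1a": (1, lambda s: s[0] == 0, lambda s: (1, s[1])),
    "inc1b": (1, lambda s: s[0] == 1, lambda s: (2, s[1])),
    "set1":  (1, lambda s: s[0] == 2, lambda s: (3, s[1])),
    "tick":  (2, lambda s: s[1] == 0, lambda s: (s[0], 1)),
    "tock":  (2, lambda s: s[1] == 1, lambda s: (s[0], 0)),
}
INIT = (0, 0)
ALL_STATES = [(i, j) for i in range(4) for j in range(2)]   # bounded domain of (pc1, pc2)

def label(s):                     # L(s): the propositions holding in s
    return {"flag"} if s[0] == 3 else set()

def en(s):                        # en(s), in a fixed order
    return [a for a, (_, guard, _) in OPS.items() if guard(s)]

def step(a, s):                   # a(s)
    return OPS[a][2](s)

def dependent(a, b):
    """Constructed D: operations of the same sequential process are dependent;
    operations of different processes are independent (each touches only its own pc)."""
    return OPS[a][0] == OPS[b][0]

def invisible(a):
    """Pessimistic estimate of Definition 2.2: L unchanged from every state of the
    bounded domain, reachable or not (safe by the remark following Def. 2.2)."""
    return all(label(s) == label(step(a, s)) for s in ALL_STATES if OPS[a][1](s))

def satisfies_c1(a, s):
    """Constant-time sufficient condition for C1 (an assumption of this example):
    no operation enabled at s other than a is dependent on a.  Since D only relates
    operations of one sequential process, anything dependent on a can only become
    enabled after a itself has executed, so nothing dependent on a runs before it."""
    return not any(dependent(a, b) for b in en(s) if b != a)

def ample(s, stack):
    """{a} for the first invisible a (C3) that satisfies C1 and whose successor is
    not on the search stack (C2S); otherwise the whole of en(s) (C4)."""
    for a in en(s):
        if invisible(a) and satisfies_c1(a, s) and step(a, s) not in stack:
            return [a]
    return en(s)

def expand(reduced=True):
    """Depth-first state graph expansion; returns (states, edges)."""
    states, edges, stack = {INIT}, set(), [INIT]
    def dfs(s):
        for a in (ample(s, stack) if reduced else en(s)):   # ample computed once per new state
            t = step(a, s)
            edges.add((s, a, t))
            if t not in states:        # t is new: open it and expand it
                states.add(t)
                stack.append(t)
                dfs(t)
                stack.pop()            # expansion finished: t is closed
    dfs(INIT)
    return states, edges

if __name__ == "__main__":
    for name, reduced in (("full", False), ("reduced", True)):
        st, ed = expand(reduced)
        print(f"{name} state graph: {len(st)} states, {len(ed)} edges")
```

On this program the full graph has 8 states and 14 edges and the reduced one 6 states and 7 edges. The loop in process 2 exercises C2S: at (2, 1) the only invisible candidate tock leads back to (2, 0), which is still on the stack, so the state is fully expanded and the visible operation set1 is explored there, while C4 keeps every reduced state either a singleton expansion or a full one.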
Hence, even in the worst case, where no reduction at all is obtained (e.g., in the case where there is no independence in the program, or the property checked forces all the operations to be visible), the complexity of the algorithm is no worse than that of the standard full depth-first search. The tables in Section 4 show that in some interesting cases one can obtain considerable reduction.
3.3. Correctness of the $CTL^*_{-X}$ Reduction
Let $M = (S, E, \iota, L)$ be the full state graph of some system. In order to obtain a visible bisimulation between the full state graph and a reduced state graph, define the following relation.
Definition 3.1. Let $\sim \subseteq S \times S$ be such that $s \sim s'$ iff there exists a path $s_0 \xrightarrow{a_0} s_1 \xrightarrow{a_1} \cdots \xrightarrow{a_{n-1}} s_n = s'$, with $s_0 = s$, such that $a_i$ is invisible and $\{a_i\}$ satisfies condition C1 from state $s_i$ for $0 \leq i < n$. Such a path will be called a forming path. The length of a shortest forming path between s and s' will be called the distance between s and s'. It is easy to see that the relation $\sim$ is transitive and reflexive (but not necessarily symmetric).
Let $M' = (S', E', \iota', L')$ be a reduced state graph generated by our partial order reduction algorithm. Then $S' \subseteq S$ and $\iota = \iota'$.
Definition 3.2. Let $\approx \;=\; \sim \cap (S \times S')$.
By definition, $\approx \subseteq \sim$. Our goal is to show that $\approx$ is a visible bisimulation. We will use a number of simple lemmas.
Lemma 3.3. Let $s \xrightarrow{a} r$ be an edge of E such that {a} satisfies condition C1 from the state s. Let $s \xrightarrow{b} s'$ be another edge of E, with $a \neq b$. Then {a} satisfies condition C1 from s'.
Proof. By condition C1, b must be independent of a. By the definition of independence, a is enabled from s'. Any finite path that starts with s' that invalidates condition C1 for {a} from s' can be extended by affixing the edge $s \xrightarrow{b} s'$ in front of it. The resulting path contradicts the fact that {a} satisfies condition C1 from s. □
Lemma 3.4. Let $s = s_0 \xrightarrow{a_0} s_1 \xrightarrow{a_1} \cdots \xrightarrow{a_{n-1}} s_n = r$ be a forming path and
$s \xrightarrow{b} s' \in E$. Then there are exactly two possibilities (see Fig. 8):
1. $b$ is independent of $a_i$ for $0 \le i < n$. Then there exists a forming path
$s' = t_0 \xrightarrow{a_0} t_1 \xrightarrow{a_1} \cdots \xrightarrow{a_{n-1}} t_n$, with $s_j \xrightarrow{b} t_j$ for $0 \le j \le n$.
2. There exists $j < n$ such that $b$ is independent of $a_i$ for $0 \le i < j$ and $b = a_j$.
There exists a forming path $s' = t_0 \xrightarrow{a_0} t_1 \xrightarrow{a_1} \cdots \xrightarrow{a_{j-1}} t_j$, where $t_j = s_{j+1}$ and $s_i \xrightarrow{b} t_i$
for $0 \le i \le j$. Therefore, there is a forming path of length $n-1$ from $s'$ to $r$.
Proof. Notice that $b$ is independent of $a_i$ for $0 \le i < n$ in item 1, since $\{a_i\}$
satisfies C1 in $s_i$. The same holds for $0 \le i < j$ in item 2. We can now apply a simple
induction using Lemma 3.3. $\square$
FIG. 8. Two cases of Lemma 3.4.
Corollary 3.5. Let $s \sim r$ and $s \xrightarrow{b} s' \in E$. Then there exists an edge $r \xrightarrow{b} r' \in E$
such that $s' \sim r'$ in each one of the following cases:
1. $b$ does not appear on some forming path from $s$ to $r$ (in particular, this must
be the case when $b$ is visible), or
2. $s' \not\sim r$.
It is easy to see that the reduction algorithm with conditions C0-C4 guarantees
the following.
Lemma 3.6. Let $s$ be a state in the reduced state graph $M'$. Then there is a
forming path in $M'$ from $s$ to some fully expanded state $s'$.
Theorem 3.7. The relation $\approx$ is a visible bisimulation.
Proof. First, observe that $\iota = \iota'$ and $\iota \in S'$. Hence $\iota \approx \iota'$. Let $s \approx r$. Thus, $s \sim r$.
Item 1 of Definition 2.7 is satisfied since, according to Definition 3.1, there is a
path of invisible operations from $s$ to $r$. Hence, by the definition of invisibility,
$L(s) = L(r)$. Thus, also $L(s) = L'(r)$.
We show that item 2 of Definition 2.7 holds. Let $s \xrightarrow{b} s' \in E$. We argue by cases:
Case 1. $s' \sim r$ and $b$ is invisible. Then item 2 follows immediately.
Case 2. $s' \not\sim r$ or $b$ is visible. According to Corollary 3.5, in both cases there is
an edge $r \xrightarrow{b} r'$ in $E$ such that $s' \sim r'$. Notice that by the definition of $\approx$, $r \in S'$, but
it is not necessarily the case that $r' \in S'$. By Lemma 3.6, there is a forming path in
$M'$ from $r$ to some fully expanded state $t$. Hence, $s \sim r \sim t$, which implies by transitivity
of $\sim$ that $s \sim t$. Since $t \in S'$, also $s \approx t$. Again there are two cases (see Fig. 9):
Case 2.1. $r' \sim t$ and $b$ is invisible. Then $s' \sim r' \sim t$; hence $s' \sim t$ and also $s' \approx t$.
Thus, the path required by item 2 consists of the forming path from $r$ to $t$.
Case 2.2. $r' \not\sim t$ or $b$ is visible. Then, according to Corollary 3.5, there is an
edge $t \xrightarrow{b} t'$ with $r' \sim t'$. Thus $s' \sim r' \sim t'$; hence $s' \sim t'$. Since $t$ is fully expanded,
$t' \in S'$; thus $s' \approx t'$. Thus the path required in item 2 consists of the forming path
from $r$ to $t$, followed by the edge $t \xrightarrow{b} t'$.
FIG. 9. Cases 2.1 and 2.2 of Theorem 3.7.
Conversely, let $r \xrightarrow{b} r' \in E'$. Since $s \sim r$, there is a forming path
$s = s_0 \xrightarrow{a_1} s_1 \xrightarrow{a_2} \cdots \xrightarrow{a_n} s_n = r$. To satisfy item 2 of Definition 2.7, we need only to append to this
path the edge $r \xrightarrow{b} r'$.
For proving item 3 of Definition 2.7, let $s_0 \xrightarrow{a_0} s_1 \xrightarrow{a_1} \cdots$ be an infinite path,
where $s_0 = s$ and with $a_i$ invisible and $s_i \approx r$ for $i \ge 0$. Consider now two cases. In
the first case, there is a single edge $r \xrightarrow{c} r'$, with $c$ invisible, in $M'$, with $\{c\}$ satisfying
condition C1 from $r$. In this case, $r \sim r'$, and since $s_1 \sim r$, we have $s_1 \sim r'$. Since
$r'$ is in $S'$, $s_1 \approx r'$.
In the second case, $r$ is fully expanded. We will show that there exists a forming
path from some $s_j$ to $r$, where $j \ge 0$, such that $a_j$ does not occur on it. To show this,
we will construct a sequence of forming paths $l_i$ from $s_i$ to $r$ for $0 \le i \le j$, with $l_0$ a
path from $s = s_0$ to $r$. Observe that by Lemma 3.4, if $a_i$ appears on $l_i$, then we can
construct a path $l_{i+1}$ from $s_{i+1}$ that is shorter than $l_i$. Since there are infinitely
many states $s_i$, and $l_0$ has a finite length, this construction must terminate with
some $j$ as above. Now, according to Corollary 3.5, there is an edge $r \xrightarrow{a_j} r' \in E$ such
that $s_{j+1} \sim r'$. Since $r$ is fully expanded, also $s_{j+1} \approx r'$.
For the other direction, let $r_0 \xrightarrow{c_0} r_1 \xrightarrow{c_1} \cdots$ be an infinite path in $M'$ such that
for $i \ge 0$, $c_i$ is invisible and $s \approx r_i$. Thus, for $i \ge 0$ there is a forming path from $s$
to $r_i$. If $s \ne r$, then the first edge on the forming path from $s$ to $r_1$ can be used to
satisfy the condition of item 3. Item 3 holds trivially if $s = r$. $\square$
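To make Definitions 3.1 and 3.2 and the singleton-or-full rule concrete, the following Python program is an added example; it is not code from the paper or from SPIN. It builds the full and the reduced state graph of a constructed two-process system, computes the forming-path relation of Definition 3.1 using the pessimistic, state-independent C1 check mentioned in Section 4.2, restricts it to S × S' as in Definition 3.2, and checks label agreement together with the transfer condition in the shape the proof of Theorem 3.7 uses. The system itself, the process and operation names, the single visible operation `set`, and the reading of items 1 and 2 of Definition 2.7 (which is not reproduced in this section) are assumptions of the example; item 3, the divergence condition, is not checked. The cycle-closing guard in `ample` is the usual ample-set requirement and is deliberately not tied to one of the paper's condition numbers.

```python
from collections import deque

# Constructed toy system (an assumption of this example, not from the paper):
# two processes P and Q; a state is (pc_P, pc_Q, reachable). The operation
# "set" assigns reachable := 1 and is the only visible operation, mirroring
# the boolean "reachable" used in the paper's experiments.
PROCS = {"P": ["p1", "p2", "set"], "Q": ["q1", "q2"]}
VISIBLE = {"set"}
INIT = (0, 0, 0)

def owner(op):
    return next(p for p, ops in PROCS.items() if op in ops)

def enabled(s):
    pc_p, pc_q, _ = s
    ops = []
    if pc_p < len(PROCS["P"]):
        ops.append(PROCS["P"][pc_p])
    if pc_q < len(PROCS["Q"]):
        ops.append(PROCS["Q"][pc_q])
    return ops

def step(s, op):
    """Deterministic successor of state s under operation op."""
    pc_p, pc_q, x = s
    if owner(op) == "P":
        return (pc_p + 1, pc_q, 1 if op == "set" else x)
    return (pc_p, pc_q + 1, x)

def label(s):
    return frozenset({"reachable"} if s[2] else ())

def independent(a, b):
    # Only "set" touches the shared variable and no operation reads it,
    # so any two operations of different processes commute.
    return owner(a) != owner(b)

def c1_singleton(a):
    """Pessimistic, state-independent check that {a} satisfies C1: a is
    independent of every operation of the other processes (cf. Section 4.2)."""
    return all(independent(a, b)
               for p, ops in PROCS.items() if p != owner(a) for b in ops)

def full_select(s, _on_stack):
    return enabled(s)

def ample(s, on_stack):
    """Successors to expand: a singleton {a} when a is invisible, passes the C1
    check and does not close a cycle on the DFS stack; otherwise the full set
    of enabled operations (condition C4)."""
    for a in enabled(s):
        if a not in VISIBLE and c1_singleton(a) and step(s, a) not in on_stack:
            return [a]
    return enabled(s)

def explore(select):
    """DFS state-graph generation; `select` picks the successors to expand."""
    states, edges, stack = {INIT}, [], [INIT]

    def dfs(s):
        for a in select(s, set(stack)):
            t = step(s, a)
            edges.append((s, a, t))
            if t not in states:
                states.add(t)
                stack.append(t)
                dfs(t)
                stack.pop()

    dfs(INIT)
    return states, edges

def forming_distance(edges):
    """Shortest forming-path length (Definition 3.1) for every related pair:
    paths of invisible operations each of whose singleton passes the C1 check."""
    succ = {}
    for s, a, t in edges:
        if a not in VISIBLE and c1_singleton(a):
            succ.setdefault(s, []).append(t)
    dist = {}
    for s in {e[0] for e in edges} | {e[2] for e in edges}:
        dist[(s, s)] = 0  # the relation is reflexive
        queue = deque([s])
        while queue:
            u = queue.popleft()
            for v in succ.get(u, []):
                if (s, v) not in dist:
                    dist[(s, v)] = dist[(s, u)] + 1
                    queue.append(v)
    return dist

def check_visible_bisimulation(full, reduced):
    """Check the relation of Definition 3.2: label agreement (item 1) and the
    transfer condition in the shape used in the proof of Theorem 3.7 (item 2)."""
    (_, E), (S2, E2) = full, reduced
    dist, dist2 = forming_distance(E), forming_distance(E2)
    approx = {(s, r) for (s, r) in dist if r in S2}  # forming relation on S x S'
    if (INIT, INIT) not in approx:
        return False
    if any(label(s) != label(r) for s, r in approx):
        return False
    for s, r in approx:
        for s0, b, s1 in E:
            if s0 != s or (b not in VISIBLE and (s1, r) in approx):
                continue
            # otherwise: a forming path in M' from r to some t, then an edge
            # t -b-> t' of M' with s' related to t'
            if not any((s1, t1) in approx
                       for (r0, t) in dist2 if r0 == r
                       for (t0, b1, t1) in E2 if t0 == t and b1 == b):
                return False
    return True
```

On the constructed system the full graph has 12 states and 17 edges, the reduced graph 6 states and 5 edges, and `check_visible_bisimulation(explore(full_select), explore(ample))` returns True. Every terminal state of the reduced graph still has reachable = 1, so a branching property without the next-time operator such as AF reachable is evaluated identically on both graphs, which is the point of condition C4: at a state where the only enabled operations are visible, the full set is expanded.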
4. EXPERIMENTAL RESULTS
4.1. Reduced State Space for Various Algorithms and Protocols
The algorithm described in this paper was implemented by Gerard Holzmann in
SPIN [10] and run on several examples. The table in Fig. 10 below contains the
number of states and edges, memory used in bytes, and time in seconds of generating
full state graphs and reduced state graphs for both LTL−X and CTL*−X. The
reduction for CTL*−X contains an additional restriction, namely C4, on selecting the
subset of successors. This restricts the subsets of successors to be either the full set
of the enabled operations or a singleton set. In order not to bias the comparison
towards a particular model-checking algorithm, the comparison is between
the constructed state graphs. Hence, it assumes an off-line generation of the state
graph before applying the model checking, unlike on-the-fly model checking. Due
to condition C3, the propositional variables in an assertion can refer only to objects
changed by visible operations. In our tests, these can be any LTL−X or CTL*−X
assertions referring to a boolean variable reachable. This variable is set initially to
0 and then, at some point in the code of each one of our examples, is set to 1.
FIG. 10. CTL−X versus LTL−X reductions.
All measurements were made on an SGI Challenge machine with 12 processors
and 1.28 gigabytes of random access memory. The runtimes are the sum of system
time and user time in seconds. The algorithms checked are as follows: sieve is the
sieve of Eratosthenes algorithm for finding prime numbers using a pipeline network
(checked with seven processes), dtp is a data transfer protocol, snoopy is a cache
coherence protocol, and pftp is a file transfer protocol [10]. For the first example,
sieve, the reduction with and without the additional restriction C4 is the same.
Both give (when repeated with different numbers of processes) an exponential
reduction of the state graph. For dtp, the reduction in space and time is very similar
with and without the additional restriction. For snoopy, the CTL−X reduction
generates a state graph that is about 20% bigger in space. For pftp, the LTL−X
reduction is over twice as good in space.
These results demonstrate that the inclusion of the reduction algorithm is beneficial
for all the above examples. A substantial reduction can be achieved at
relatively small cost, as the implementation of the reduction algorithm is simple and
incurs only very small overhead (for further implementation details, refer to [11],
where an efficient LTL−X implementation is described).
4.2. Branching Bisimulation
Verifying whether or not two states are branching bisimilar is done by constructing
the minimal branching bisimilar state graph of the program. The most efficient
algorithm for this was published by Vaandrager and Groote in [8] and has time
and space complexity of $O(n^2 + n \times m)$ and $O(n + m)$, respectively, where $n$ and $m$
are the number of states and edges in the full state graph. For deterministic
programs, [21] presents a more efficient algorithm with time and space complexity
$O(n \log n + m)$ and $O(n + m)$, respectively. In [8] it was conjectured that the same
time complexity suffices for minimizing arbitrary state graphs.
By Theorem 3.7, our algorithm generates a state graph that is visible equivalent
and hence also branching equivalent to the full state graph. This raises the possibility
of using our algorithm as a preprocessing phase for constructing a minimal
branching bisimilar state graph. The algorithms [8, 21] can thus be applied to a
reduced state graph, instead of the full one.
When a substantial reduction is obtained, with $n_r \ll n$ states and $m_r \ll m$ operations,
the space needed by the combined minimization and reduction, which is
$O(n_r + m_r)$, is much better than $O(n + m)$. We use the same pessimistic algorithmic
check whether a singleton set $\{a\}$ satisfies condition C1 as in Section 3.2, which
can be done in constant time. Then, the time complexity of the combined minimization
and partial order reduction algorithm is at worst (e.g., when there is no reduction)
the same as the time complexity of the minimization of the full state graph.
The ‘‘benchmark’’ example used here and in the literature is Milner’s scheduler
as described in [15]. This is a simple token ring consisting of $k$ cyclic processes $C_i$,
which upon having received the token, communicate with some system and then
concurrently wait for acknowledgment and wait to pass on the token. Process $C_i$
is described by the CCS equation $C_i = \bar{t}_i \cdot c_i \cdot (\bar{a}_i \mid t_{(i \bmod k) + 1}) \cdot C_i$. The complete
scheduler on $k$ processes is described by $Sch_k = (t_1 \cdot nil \mid C_1 \mid \cdots \mid C_k) \backslash t_1 \cdots t_k$, where
the first process starts $C_1$. The operator ‘‘$\mid$’’ denotes a concurrent composition and
‘‘$\cdot$’’ means sequencing. Lowercase letters correspond to operations. Two letters,
where one is barred, e.g., $c$ and $\bar{c}$, may synchronize, thus producing an invisible
operation. The operator ‘‘$\backslash$’’ is the restriction operator which, in this case, forces the
$t_i, \bar{t}_i$ synchronizations to occur; $nil$ is the idle process that does nothing.
In Fig. 11 we have collected some results for various sizes $k$ of the token ring.
The measurements were done on a 32 MB Sparc 5 workstation. The number of
states and edges in the full state graph is given in the second and third columns. We
consider the case where only the communication operations ($c_i$) are visible. We give
the sizes of the state graphs as generated by our algorithm (denoted PO) in the fifth
and sixth columns and the minimal state graphs (as given by an implementation of
the Vaandrager-Groote algorithm, part of the PSF [13] toolkit) in the eighth and
ninth columns. We see that the resulting reduced state graphs are considerably
smaller than the full state graphs.
We repeated the measurements in another case, where both $c_i$ and $\bar{a}_i$ are visible.
That is, two-thirds of the operations are visible, which defeats most of the reduction.
Indeed, as can be seen from Fig. 12, there was no reduction in the number of states,
and the reduction in the number of operations was not substantial (i.e., between
20% and 28%). Notice that in this case the minimal state graph is smaller than the
full state graph by only about 34%. This case demonstrates that the overhead
incurred by the algorithm, when compared to the full state graph generation, was negligible.
FIG. 11. Verifying branching bisimulation with $c_i$ visible.
FIG. 12. Verifying branching bisimulation with $c_i$ and $\bar{a}_i$ visible.
From these experiments one can draw the conclusion that it is better to generate
the state graph using the reduction techniques of this paper than it is to generate
the full state graph. For actual branching bisimulation checking, it is probably
better to integrate the bisimulation check with the actual generation process, e.g.,
by using the on-the-fly technique of [4].
5. CONCLUSIONS
We have presented an algorithm for generating reduced state graphs to be used
for model-checking branching temporal properties. The usual DFS expansion
algorithm was modified so that only subsets of the successors from each state are
expanded. This reduces the number of states and edges and, thus, the space and
time used for this construction and for model checking. The
branching time logics include the temporal logic CTL*−X, which is more expressive
than the linear time logic LTL−X. They also include the logic CTL−X, which has
a model-checking algorithm that is linear in the size of the checked property [3].
These advantages in either expressiveness or efficiency can now be combined with
the ability to reduce the state graph using partial order methods.
On the other hand, we have shown that, in general, the reduction of the state
graph for preserving branching properties is more restricted than the one for
LTL−X; an additional restriction was added, limiting the subset of successors taken
from each state to be either the full set of successors or a singleton set.
Experimental results show that the suggested algorithm results in a substantial
reduction in both space and time over the traditional full state graph exploration.
Also, the algorithm is shown to be beneficial in generating state graphs to verify
branching bisimulation between two structures.
Since the preliminary version of this paper in [5], the research on partial order
reduction for branching time temporal logic and process algebra has gained additional
attention. In [25], a result similar to ours is proven in a different way, relying
on the relation between CTL*−X and LTL−X. That paper also shows how to combine
the partial-order reduction with on-the-fly tree-automata-based model checking
[1]. In [24], the requirement that the operations are deterministic is weakened and
more types of bisimulations are studied. Our proof follows [20], which also surveys
other related techniques.
ACKNOWLEDGMENTS
The authors thank Gerard Holzmann for implementing the additional constraint into the partial order
version of SPIN and helping with the experiments. Peter Peters has programmed the branching
bisimulation reduction algorithm. Antti Valmari and Pierre Wolper have provided many invaluable
comments and suggestions.
Received June 9, 1995; final manuscript received September 24, 1998
REFERENCES
1. Bernholtz, O., Vardi, M., and Wolper, P. (1994), An automata theoretic approach to branching time
model checking, in ‘‘Proc. of 6th Annual Workshop on Computer Aided Verification, Stanford, CA,
1994,’’ Lecture Notes in Computer Science, Vol. 818, pp. 142-155, Springer-Verlag, New York.
2. Browne, M. C., Clarke, E. M., and Grumberg, O. (1988), Characterizing finite Kripke structures in
propositional temporal logic, Theoret. Comput. Sci. 59, 115-131.
3. Clarke, E. M., Emerson, E. A., and Sistla, A. P. (1986), Automatic verification of finite state
concurrent systems using temporal logic specifications: A practical approach, ACM Trans. Programming
Lang. Systems 8 (2), 244-263.
4. Fernandez, J.-C., and Mounier, L. (1991), ‘‘On-the-fly’’ verification of behavioral equivalences and
preorders, in ‘‘Computer Aided Verification 1991’’ (K. Larsen and A. Skou, Eds.), Lecture Notes in
Computer Science, Vol. 575, pp. 181-191, Springer-Verlag, New York.
5. Gerth, R., Kuiper, R., Peled, D., and Penczek, W. (1995), A partial order approach to branching
time logic model checking, in ‘‘ISTCS’95, Third Israel Symposium on Theory of Computing and
Systems,’’ IEEE, Tel Aviv, Israel, pp. 130-139.
6. van Glabbeek, R. J., and Weijland, W. P. (1989), Branching time and abstraction in bisimulation
semantics, in ‘‘Information Processing ’89,’’ pp. 613-618, Elsevier Science, New York.
7. Godefroid, P. (1991), Using partial orders to improve automatic verification methods, in ‘‘Computer
Aided Verification 1990’’ (E. M. Clarke and R. P. Kurshan, Eds.), DIMACS, Vol. 3, pp. 321-339.
8. Groote, J. S., and Vaandrager, F. (1990), An efficient algorithm for branching bisimulation and
stuttering equivalence, in ‘‘International Colloquium on Automata, Languages and Programming
1990,’’ Lecture Notes in Computer Science, Vol. 443, pp. 626-638, Springer-Verlag, Coventry, UK.
9. Hennessy, M., and Milner, R. (1985), Algebraic laws for nondeterminism and concurrency, J. Assoc.
Comput. Mach. 32, 23-52.
10. Holzmann, G. J. (1992), ‘‘Design and Validation of Computer Protocols,’’ Prentice-Hall, Englewood
Cliffs, NJ.
11. Holzmann, G. J., and Peled, D. (1994), An improvement in formal verification, in ‘‘FORTE’94,
Formal Description Techniques,’’ pp. 197-211, Chapman & Hall, Bern, Switzerland.
12. Lichtenstein, O., and Pnueli, A. (1984), Checking that finite-state concurrent programs satisfy their
linear specification, in ‘‘11th ACM Symposium on Principles of Programming Languages,’’ pp. 97-107.
13. Mauw, S., and Veltink, G. J. (1990), A process specification formalism, Fund. Inform. 13, 85-139.
14. Mazurkiewicz, A. (1987), Trace theory, in ‘‘Advances in Petri Nets 1986,’’ Lecture Notes in
Computer Science, Vol. 255, pp. 279-324, Springer-Verlag.
15. Milner, R. (1980), ‘‘A Calculus of Communicating Systems,’’ Lecture Notes in Computer Science,
Vol. 92, Springer-Verlag.
16. de Nicola, R., and Vaandrager, F. (1990), Three logics for branching bisimulation, in ‘‘5th IEEE
Symposium on Logic in Computer Science,’’ pp. 118-129.
17. de Simone, R., and Vergamini, D. (1989), ‘‘Aboard AUTO,’’ Technical Report 111, INRIA, Centre
Sophia-Antipolis, Valbonne Cedex.
18. Peled, D. (1993), All from one, one for all, on model-checking using representatives, in ‘‘5th
Conference on Computer Aided Verification,’’ Lecture Notes in Computer Science, Vol. 697,
pp. 409-423, Springer-Verlag, Greece.
19. Peled, D. (1994), Combining partial order reductions with on-the-fly model-checking, in ‘‘6th
Conference on Computer Aided Verification,’’ Lecture Notes in Computer Science, Vol. 818, pp. 377-390,
Springer-Verlag, Stanford, California. [Also in J. Formal Methods Systems Design 8 (1996), 39-64]
20. Peled, D. (1996), Partial order reduction: Linear and branching temporal logics and process
algebras, in ‘‘POMIV ’96, Partial Order Methods in Verification,’’ Am. Math. Soc., DIMACS,
Princeton, NJ.
21. Qin, H. (1991), Efficient verification of determinate processes, in ‘‘Concurrency Theory,’’ Lecture
Notes in Computer Science, Vol. 527, pp. 470-479, Springer-Verlag.
22. Valmari, A. (1989), Stubborn sets for reduced state space generation, in ‘‘10th International
Conference on Application and Theory of Petri Nets,’’ Lecture Notes in Computer Science, Vol. 483,
pp. 491-515, Springer-Verlag, Bonn, Germany.
23. Valmari, A. (1990), A stubborn attack on state explosion, in ‘‘Proc. 2nd Workshop on Computer
Aided Verification,’’ Lecture Notes in Computer Science, Vol. 531, pp. 156-165, Springer-Verlag, NJ.
24. Valmari, A. (1996), Stubborn set methods for process algebras, in ‘‘POMIV ’96, Partial Order
Methods in Verification,’’ Am. Math. Soc., DIMACS, Princeton, NJ, USA.
25. Willems, B., and Wolper, P. (1996), Partial-order methods for model-checking: From linear time
to branching time, in ‘‘11th Annual IEEE Symposium on Logic in Computer Science,’’ pp. 294-303,
New Brunswick, NJ, USA.
26. Wolper, P., and Godefroid, P. (1993), Partial-order methods for temporal verification, in ‘‘Concurrency
Theory, 1993,’’ Lecture Notes in Computer Science, Vol. 715, pp. 233-246, Springer-Verlag, Hildesheim,
Germany.