Using Decision Diagrams to Compactly Represent the State Space for Explicit Model Checking
Hao Zheng, Andrew Price, and Chris Myers
Computer Science and Engineering, University of South Florida, Tampa, FL 33620
Abstract— The enormous number of states reachable during
explicit model checking is the main bottleneck for scalability.
This paper presents approaches that use decision diagrams to
represent very large state spaces compactly and efficiently. This is
possible for asynchronous systems because two system states connected
by a transition often share many identical local portions. Decision
diagrams can significantly reduce memory demand by not spending
memory on the information that is redundant among different states.
This paper considers multi-value decision diagrams for this purpose.
Additionally, a technique to reduce the runtime overhead of using
these diagrams is described. Experimental results and a comparison
with the state compression method implemented in the model checker
SPIN show that the approaches presented in this paper are memory
efficient for storing large state spaces with acceptable runtime overhead.
Index Terms— formal verification, model checking, decision
diagrams, state compression
I. INTRODUCTION
Model checking [8] is an automated formal analysis method
for verifying hardware and software systems. It systematically
checks whether a model of a given system satisfies a desired
property such as deadlock freedom and request-response prop-
erties [5]. However, model checking is computationally very
expensive as it searches the entire reachable state space of a
design for errors. Typically, all reachable states found during
reachability analysis need to be stored to avoid searching
the same part of state space multiple times unnecessarily.
As the number of states grows exponentially in the size
of designs under verification, physical memory installed on
typical computers can be exhausted quickly, therefore limiting
model checking to the designs of small sizes. This problem is
well known as state explosion.
In asynchronous designs, multiple components execute con-
currently. When verifying asynchronous designs, generally
interleaving semantics are used to represent the behavior of
such designs. More specifically, when multiple components
are ready to execute in a state, only one component is selected.
This interleaved execution makes sure all possible orderings of
concurrently enabled executions are considered, thus capturing
all possible behavior for verification. The need to consider
all possible interleavings of concurrent executions is the main
cause of state explosion in asynchronous design verification, as
the number of interleavings grows exponentially when a design has
a high degree of concurrency; this leads to an excessively
large state space even for a relatively small system.

This material is based upon work supported by the National Science
Foundation under Grant No. 0546492 and 0930510. Any opinions, findings,
and conclusions or recommendations expressed in this material are those of
the author(s) and do not necessarily reflect the views of the National Science
Foundation. Hao Zheng and Andrew Price are with the Dept. of Computer Science and
Engineering at the University of South Florida, Tampa, FL. Chris Myers is
with the Dept. of Electrical and Computer Engineering at the University of
Utah, SLC, UT.
In the interleaved execution as described above, only one
component executes and updates the relative portion of a
state, and the remaining portions of the state are unchanged.
Therefore, storing entire states results in unnecessary
overhead. In the model checker SPIN [12], a state compression
method is described in which the independent parts of the design
states are considered when representing states. Independent
parts refer to variables, including global variables and the local
variables belonging to different processes. A unique copy is created
for each distinct independent part, and references to the
copies of independent parts are used to construct the states.
While the above compression method reduces memory
significantly in representing states, there are still a lot of
redundancies in the state representations. As pointed out in
the previous paragraphs, a global state of a design is in fact a
tuple of pointers to the local states. Two states connected by a
state transition may still share a large number of same pointers
in their representations as a state transition typically causes
only a few local changes. Therefore, reducing the redundancy
in the state representations further can improve the scalability
even more. This paper proposes to use multi-value decision
diagrams to represent the reachable states for explicit model
checking of asynchronous systems. Multi-value decision
diagrams, similar to the well-known binary decision diagrams
(BDDs) [3], use directed acyclic graphs to represent sets of objects
encoded by typed variables. The compactness of decision
diagram representations is due to the sharing of common portions
among a large number of different objects.
BDDs are widely used in symbolic model checking [4]
where the model checking algorithms and the state represen-
tations are both based on the Boolean operations. However, in
the explicit model checking, individual states are created and
manipulated. Adding individual states into a decision diagram
representation can incur high runtime overhead, and this would
cancel largely the benefit of compact memory footprint of
the decision diagrams. To address this problem, this paper
also proposes to use multi-value decision trees along with the
decision diagrams. Adding states into a decision tree is much
faster, but it requires more memory than a decision diagram.
In this method, a decision tree is used as a buffer where it
stores the reachable states until some threshold is exceeded.
Then, the decision tree is compressed, and merged with the
decision diagram representing the whole reachable state space.
This approach can significantly reduce the runtime overhead
associated with using the decision diagrams, even though it
may increase the average memory required compared to using
the decision diagrams alone.

arXiv:2004.14995v1 [cs.SE] 30 Apr 2020
In this paper, the multi-value decision diagrams are only
used to store the states found during the depth-first search that
are generally implemented for the explicit model checking of
asynchronous systems. The algorithms themselves remain the
same. Therefore, the previous results to improve scalability
such as partial order reduction [9], [10] can still be used.
The idea of using a graph representation to store reachable
states was previously described in [11], where a finite automaton
is used. As indicated in [11], this approach has very high
overhead. This paper addresses that problem by using a
decision tree as a buffer to reduce such overhead. Using multi-
value decision diagrams for storing states is also described
in [6]. There are two main differences between this work
and that in [6]. First, the Petri-net models used in [6] differ
from the model used in this work, where Petri-net transitions
are labeled with additional state space information. Second,
[6] uses an exotic search strategy to achieve high memory
efficiency, whereas this work uses multi-value decision diagrams
to store reachable states without altering the depth-first search
framework, so partial order reduction can be easily integrated.
II. BACKGROUND
A. Labeled Petri-Nets
This paper uses Labeled Petri-Nets to model asynchronous
systems. Petri-Nets are a common modeling formalism for
asynchronous designs [14], [1]. A Petri-net is a directed graph
with a set of transitions and a set of places. A labeled Petri-
Net is a Petri-net where transitions are labeled with various
information representing a system’s properties and behavior
[17]. Its definition is given as follows.
Definition 2.1: A labeled Petri-net (LPN) is a tuple N =
〈V, P, T, F, µ0, α0, L〉, where
1) V is a set of state variables of the integer type,
2) P is a finite set of places,
3) T is a finite set of transitions,
4) F ⊆ (P × T ) ∪ (T × P ) is a finite set of the flow
relations,
5) µ0 ⊆ P is a finite set of initially marked places,
6) α0 : V → Z is a labeling function that assigns each
variable an initial value,
7) L = 〈Guard,Assign〉 is a pair of labeling functions
for transitions in T , which is defined below.
A simple LPN example is shown in Fig. 1. Fig. 1(a) shows
a simple asynchronous circuit consisting of three components,
and Fig. 1(b) shows the LPNs for each component in the
circuit. For each component, its LPN has 2 places and 4 transitions.
The places are represented as circles, and the transitions
are represented as boxes. Each place is preceded and followed
by one or more transitions, and each transition is preceded
and followed by one or more places. The flow relations are
represented by the edges connecting the transitions and places
[1]. The bullets found in some places are called tokens. Each
place can have at most one token. A place is marked if it has
a token. A marking of an LPN, µ ⊆ P, is the set of marked places.
The dynamic behavior of a concurrent system is captured
by LPN transitions with labelings. Each transition t ∈ T has
a preset denoted by •t = {p ∈ P |(p, t) ∈ F}, which is
the set of places connected to t, and a postset denoted by
t• = {p ∈ P |(t, p) ∈ F}, which is the set of places to which
t is connected. The preset and postset for places are defined
similarly.
Before defining the transition labels formally, the grammar
used by these labels is introduced first below [17]. The
numerical portion of the grammar is defined as follows:
χ ::= ci | vi | (χ) | −χ | χ + χ | χ − χ | χ ∗ χ |
χ / χ | χ ^ χ | χ % χ | NOT(χ) | OR(χ, χ) |
AND(χ, χ) | XOR(χ, χ) | INT(φ)
where ci is an integer constant from Z, and vi is an integer
variable. The functions NOT, OR, AND, and XOR are bit-wise
logical operations assuming a 2’s complement format with
arbitrary precision. INT(φ) returns 1 if the Boolean expression
φ, which is defined below, evaluates to true, or 0 otherwise.
The set Pχ is defined to be all formulas that can be constructed
from the χ grammar.
The Boolean portion of the grammar is as follows:
φ ::= true | false | vi | ¬φ | φ ∧ φ | φ ∨ φ | χ ≡ χ |
χ ≥ χ | χ > χ | χ ≤ χ | χ < χ
where the integer vi is regarded as true if its value is nonzero,
and false otherwise. In this sense, it is similar to the semantics
of the C language. The set Pφ is defined to be all formulas
that can be constructed from the φ grammar.
As in Definition 2.1, each LPN transition is labeled with
an enabling condition and a set of variable assignments. LPN
transition labeling is defined by L = 〈Guard,Assign〉 where
• Guard : T → Pφ labels each LPN transition with a
Boolean expression that defines its enabling condition.
• Assign : T ×V → Pχ labels each LPN transition t ∈ T
and each variable v ∈ V with an integer assignment made
to v when t fires.
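As an added illustration of the label grammar above (this is example code written for this page, not Platu's implementation), the following evaluator parses the χ and φ grammar and computes value(e, s) for a state vector. ASCII spellings are assumed where the paper uses symbols: `!` for ¬, `&&` for ∧, `||` for ∨ and `==` for ≡; `/` and `%` are assumed to truncate toward zero as in C, and the bit-wise functions use Python's arbitrary-precision two's-complement integers as the paper describes.

```python
# Added example (not from the paper or from Platu): evaluator for the chi/phi
# label grammar of Section II.A. Assumed ASCII operators: "!" (not), "&&" (and),
# "||" (or), "==" (equivalence). Every expression evaluates to an int; a Boolean
# context treats nonzero as true, the C-like convention the paper adopts.
import re
from typing import Dict, List, Optional

TOKEN = re.compile(r"\s*(?:(\d+)|([A-Za-z_]\w*)|(==|>=|<=|&&|\|\||[-+*/^%()!<>,]))")
COMPARE = {"==": lambda a, b: a == b, ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
           ">": lambda a, b: a > b, "<": lambda a, b: a < b}

def trunc_div(a: int, b: int) -> int:
    """C-style integer division (quotient truncated toward zero); assumed semantics."""
    q = abs(a) // abs(b)
    return q if (a < 0) == (b < 0) else -q

FUNCS = {"NOT": lambda x: ~x, "OR": lambda a, b: a | b, "AND": lambda a, b: a & b,
         "XOR": lambda a, b: a ^ b, "INT": lambda p: 1 if p != 0 else 0}

def tokenize(src: str) -> List[str]:
    src, pos, out = src.strip(), 0, []
    while pos < len(src):
        m = TOKEN.match(src, pos)
        if m is None or m.end() == pos:
            raise SyntaxError(f"unexpected input at {src[pos:]!r}")
        out.append(m.group(1) or m.group(2) or m.group(3))
        pos = m.end()
    return out

class LabelParser:
    """Recursive-descent parser over the token list; env is the state vector sigma."""
    def __init__(self, src: str, env: Dict[str, int]):
        self.toks, self.i, self.env = tokenize(src), 0, env

    def peek(self) -> Optional[str]:
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected: Optional[str] = None) -> str:
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise SyntaxError(f"expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok

    def phi(self) -> int:                      # phi ::= conj ('||' conj)*
        v = self.conj()
        while self.peek() == "||":
            self.take(); v = int(bool(v) | bool(self.conj()))
        return v

    def conj(self) -> int:                     # conj ::= neg ('&&' neg)*
        v = self.neg()
        while self.peek() == "&&":
            self.take(); v = int(bool(v) & bool(self.neg()))
        return v

    def neg(self) -> int:                      # neg ::= '!' neg | compare
        if self.peek() == "!":
            self.take(); return int(not self.neg())
        return self.compare()

    def compare(self) -> int:                  # compare ::= chi (cmp-op chi)?
        left = self.add()
        if self.peek() in COMPARE:
            op = self.take(); return int(COMPARE[op](left, self.add()))
        return left                            # a bare chi: nonzero means true

    def add(self) -> int:                      # chi: '+' and '-' bind loosest
        v = self.mul()
        while self.peek() in ("+", "-"):
            op = self.take(); r = self.mul()
            v = v + r if op == "+" else v - r
        return v

    def mul(self) -> int:                      # '*', '/', '%' (C-style truncation)
        v = self.unary()
        while self.peek() in ("*", "/", "%"):
            op = self.take(); r = self.unary()
            v = v * r if op == "*" else trunc_div(v, r) if op == "/" else v - r * trunc_div(v, r)
        return v

    def unary(self) -> int:                    # unary ::= '-' unary | power
        if self.peek() == "-":
            self.take(); return -self.unary()
        return self.power()

    def power(self) -> int:                    # power ::= primary ('^' unary)?, right-assoc
        base = self.primary()
        if self.peek() == "^":
            self.take(); return base ** self.unary()
        return base

    def primary(self) -> int:
        tok = self.take()
        if tok.isdigit():                      # integer constant c_i
            return int(tok)
        if tok == "(":                         # parenthesised sub-expression (chi or phi)
            v = self.phi(); self.take(")"); return v
        if tok in FUNCS:                       # NOT(chi), OR(chi, chi), ..., INT(phi)
            self.take("("); args = [self.phi()]
            while self.peek() == ",":
                self.take(); args.append(self.phi())
            self.take(")"); return FUNCS[tok](*args)
        if tok in ("true", "false"):
            return int(tok == "true")
        if tok in self.env:                    # integer variable v_i, read from the state
            return self.env[tok]
        raise SyntaxError(f"unknown symbol {tok!r}")

def evaluate(src: str, env: Dict[str, int]) -> int:
    """value(e, s): evaluate a guard or assignment expression in state vector env."""
    p = LabelParser(src, env)
    v = p.phi()
    if p.peek() is not None:
        raise SyntaxError(f"trailing input at {p.peek()!r}")
    return v
```

With this, the guard of t11 from Fig. 1 is `evaluate("u == 0 && z == 0", {"u": 0, "z": 0})`, which returns 1; an assignment label is evaluated the same way and its integer result stored into the assigned variable.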
A large, complex design usually consists of multiple
components. Each component is then modeled as an LPN
module, and the LPN for the whole design is the parallel
composition of the LPN modules. Let N1, . . ., Nn be the
LPN modules for the components of a design.
The LPN for the design is N = N1 ‖ . . . ‖ Nn, where ‖ is
the parallel composition operator for LPNs. In our method,
communication among components is represented by
shared variables. The variables shared between components Ni
and Nj are those in Vi ∩ Vj. Moreover, no two LPN
modules share any common places; in other words, ∀i, j: i ≠
j ⇒ Pi ∩ Pj = ∅. In Fig. 1, the design is partitioned into
three components for illustration purposes. These components
are represented by the LPN modules M1, M2, and
M3.
Fig. 1. (a) A simple asynchronous circuit. (b) The LPNs for modules M1, M2, and M3. The initial values of variables u, v, w, x, y, and z are 0, 1, 1, 0, 0, and 0, respectively.
B. Reachability Analysis
A basic approach for analyzing the dynamic behavior of a
concurrent system modeled with LPNs is reachability analysis,
which finds all possible state transitions and thus reachable
states for such a system. The reachable state space is typically
represented by a state graph. A state graph is a directed
graph where vertices represent states and edges represent state
transitions.
A state of a LPN module Ni is a pair (µi, σi) where µi
denotes a marking of Ni and σi denotes a vector of values
over variables Vi of Ni. The initial state init of Ni is (µ0, α0).
Given a state si of module Ni, M(si) denotes the marking
of si and σ(si) denotes the state vector of si. Also, for any
expression e ∈ Pχ ∪ Pφ, value(e, si) denotes a function that
returns the value of expression e in state si. As described
in the previous section, the LPN of a design is the parallel
composition of a set of LPN modules, each of which represents
a component in the design. Let N = N1‖ . . . ‖Nn be the LPN
of a design where Ni (1 ≤ i ≤ n) is the LPN module for
the ith component of the design. A global state ~s of N is a
n-tuple (s1, . . . , sn) where each si (1 ≤ i ≤ n) is a local state
of LPN module Ni.
Before describing the reachability analysis, the enabling
condition of the LPN transitions is defined below.
Definition 2.2: Let Ni be a LPN module. A LPN transition
t is enabled in a state s if the following two conditions are
met:
1) •t ⊆ µ(s),
2) value(e, s) is true or not zero for e = Guard(t).
In Fig. 1, every transition has its preset included in the initial
marking. In the initial state, the values of variables u and z are
both 0, so Guard(t11), which is u = 0 ∧ z = 0, evaluates to
true; therefore transition t11 is enabled in the initial state.
Given a LPN module, the set of transitions enabled in
a state s is denoted by enabled(s). Naturally, the enabled
transitions of the whole design LPN is denoted by enabled(~s ).
The reachable state space of a LPN model can be found
by exhaustively firing every enabled transition starting at the
initial state. Firing a transition may lead to a new state by
generating a new marking and a new state vector according to
the assignments labeled for such transition. Detailed definition
of transition firing can be found in [1]. In this paper, s′ = t(s)
denotes that a new state s′ is produced by firing transition t in
state s in a LPN module. Similarly, ~s ′ = t(~s ) denotes that a
new global state ~s ′ is produced by firing transition t in global
state ~s .
Algorithm 1: search((T, P, F, M0))
 1: stateTable.add(~s0);
 2: stateStack.push(~s0);
 3: enabledStack.push(enabled(~s0));
 4: while stateStack is not empty do
 5:   ~s = stateStack.top();
 6:   E~s = enabledStack.top();
 7:   if E~s = ∅ then
 8:     stateStack.pop();
 9:     enabledStack.pop();
10:     continue;
11:   Select t ∈ E~s to fire;
12:   E~s = E~s \ {t};
13:   ~s′ = t(~s);
14:   if stateTable.contains(~s′) == false then
15:     stateStack.push(~s′);
16:     enabledStack.push(enabled(~s′));
17:     stateTable.add(~s′);
The procedure to find the reachable state space of a given
LPN model is given in Algorithm 1. Reachable states are
stored in stateTable. During the reachability analysis, after a
LPN transition ti is fired in global state ~s , the local state of
Mi is changed to a new one. In other words, if transition ti is
fired in state ~s = (s1, . . . , si, . . . , sn), a new global state
~s′ = (s′1, . . . , s′i, . . . , s′n) is generated. Observe that
in ~s and ~s′, many local states might be exactly the same. To
avoid creating fresh copies of the same local states for ~s′ in
memory, the actual definitions of the distinct local states are
stored in a hash table for each LPN module, and pointers to
the local states are used to construct the global states. From
now on, ~s = (s1, . . . , sn) is viewed as a tuple of pointers
to the local states s1, . . ., sn. In this way, a local state
is created only once, and its pointer may be referenced many
times in different global states. A similar state representation
is also implemented in the model checker SPIN [12] and Java
PathFinder [2].
In many existing model checkers, the obvious choice of
data structure for stateTable is a hash table. Even though
inserting into and accessing hash tables is usually very efficient,
the memory used by a hash table grows linearly with the number
of states found during the reachability analysis, and that number
grows exponentially in the size of a design. Therefore, representing
and storing reachable states compactly is extremely important.
To address this problem, the following sections describe how
the reachable states are represented using graphs, specifically
decision trees and diagrams which may allow very large
number of states to be stored in a relatively small memory
footprint.
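The following is an added example (written for this page; it is not the paper's or Platu's code) that puts Definition 2.2, transition firing and Algorithm 1 together: modules communicate through shared variables, every distinct local state is interned once in a per-module table, and a global state is a tuple of integer indices, which is the representation the next section feeds into decision diagrams. The three-module handshake model is constructed for illustration, and guards and assignments are Python callables rather than expressions in the label grammar.

```python
# Added example (not the paper's or Platu's code): LPN modules with shared
# variables, the enabling rule of Definition 2.2, transition firing, and the
# depth-first search of Algorithm 1 over interned local states.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

Values = Dict[str, int]
GlobalState = Tuple[int, ...]

@dataclass(frozen=True)
class Transition:
    name: str
    preset: FrozenSet[str]                      # •t
    postset: FrozenSet[str]                     # t•
    guard: Callable[[Values], bool]             # Guard(t)
    assign: Dict[str, Callable[[Values], int]]  # Assign(t, v) for each assigned v

@dataclass(frozen=True)
class LPNModule:
    places: FrozenSet[str]                      # P_i; disjoint across modules
    variables: Tuple[str, ...]                  # V_i; may overlap with other modules
    transitions: Tuple[Transition, ...]

class LPN:
    def __init__(self, modules: List[LPNModule], mu0: Set[str], alpha0: Values):
        self.modules, self.mu0, self.alpha0 = modules, frozenset(mu0), dict(alpha0)
        # One table of distinct local states per module (the per-module hash
        # table of Section II.B); a global state refers to them by index.
        self.local_index: List[Dict[tuple, int]] = [{} for _ in modules]
        self.local_states: List[List[tuple]] = [[] for _ in modules]

    def intern(self, marking: FrozenSet[str], values: Values) -> GlobalState:
        """Project (marking, values) onto each module and return the index tuple."""
        idx = []
        for i, m in enumerate(self.modules):
            local = (marking & m.places, tuple(values[v] for v in m.variables))
            if local not in self.local_index[i]:
                self.local_index[i][local] = len(self.local_states[i])
                self.local_states[i].append(local)
            idx.append(self.local_index[i][local])
        return tuple(idx)

    def decode(self, s: GlobalState) -> Tuple[FrozenSet[str], Values]:
        marking, values = frozenset(), {}
        for i, k in enumerate(s):
            local_marking, local_values = self.local_states[i][k]
            marking |= local_marking
            values.update(zip(self.modules[i].variables, local_values))
        return marking, values

    def enabled(self, s: GlobalState) -> List[Transition]:
        """Definition 2.2: •t ⊆ µ(s) and Guard(t) evaluates to true in s."""
        marking, values = self.decode(s)
        return [t for m in self.modules for t in m.transitions
                if t.preset <= marking and t.guard(values)]

    def fire(self, s: GlobalState, t: Transition) -> GlobalState:
        marking, values = self.decode(s)
        new_values = dict(values)
        for v, f in t.assign.items():          # all assignments read the pre-state
            new_values[v] = f(values)
        return self.intern((marking - t.preset) | t.postset, new_values)

    def search(self) -> Set[GlobalState]:
        """Algorithm 1 with explicit state and enabled-set stacks."""
        s0 = self.intern(self.mu0, self.alpha0)
        state_table, state_stack, enabled_stack = {s0}, [s0], [self.enabled(s0)]
        while state_stack:
            s, e = state_stack[-1], enabled_stack[-1]
            if not e:
                state_stack.pop(); enabled_stack.pop(); continue
            s2 = self.fire(s, e.pop())          # select t ∈ E_s and remove it
            if s2 not in state_table:           # only unexplored states are pushed
                state_table.add(s2)
                state_stack.append(s2); enabled_stack.append(self.enabled(s2))
        return state_table

def handshake_model() -> LPN:
    """Constructed model: M1 and M2 handshake via shared x, y; M3 toggles z independently."""
    fs = frozenset
    m1 = LPNModule(fs({"p0", "p1"}), ("x", "y"), (
        Transition("t1", fs({"p0"}), fs({"p1"}), lambda v: v["x"] == 0, {"x": lambda v: 1}),
        Transition("t2", fs({"p1"}), fs({"p0"}), lambda v: v["y"] == 1, {"y": lambda v: 0})))
    m2 = LPNModule(fs({"q0", "q1"}), ("x", "y"), (
        Transition("t3", fs({"q0"}), fs({"q1"}), lambda v: v["x"] == 1, {"x": lambda v: 0}),
        Transition("t4", fs({"q1"}), fs({"q0"}), lambda v: True, {"y": lambda v: 1})))
    m3 = LPNModule(fs({"r0", "r1"}), ("z",), (
        Transition("t5", fs({"r0"}), fs({"r1"}), lambda v: True, {"z": lambda v: 1}),
        Transition("t6", fs({"r1"}), fs({"r0"}), lambda v: True, {"z": lambda v: 0})))
    return LPN([m1, m2, m3], {"p0", "q0", "r0"}, {"x": 0, "y": 0, "z": 0})

if __name__ == "__main__":
    lpn = handshake_model()
    states = lpn.search()
    print(len(states), "global states;", [len(t) for t in lpn.local_states], "local states per module")
```

The run shows the redundancy the paper targets: the handshake cycle of M1/M2 interleaved with M3's independent toggling yields 8 global states, but only 4 + 4 + 2 distinct local states, and each global state is a 3-tuple of small integers that shares most of its entries with its successor.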
III. STATE SPACE REPRESENTATIONS
As described above, different global states might have a
large number of pointers to the same local states. To save
memory even further by avoiding storing the same local state
pointers in different global states, a data structure called multi-
value decision diagram (MDD) is implemented in our method
to store global states found during the reachability analysis.
The concept of MDD [19] is very close to that of binary
decision diagrams (BDDs) [3] in that both use graphs to repre-
sent a set of objects encoded by some variables. The memory
efficiency comes from the sharing of the same variables used
to encode different objects. In BDDs, the variables used for the
encoding are binary variables, while integer variables are used
for the encoding in the case of MDDs. In this sense, BDDs
can be regarded as a special case of MDDs. The structural
representation of the global states in our method is natural
for MDDs. To facilitate the presentation, a unique integer
index is assigned to each local state of a single LPN module.
Therefore, a global state ~s = (s1, . . . , sn) can be regarded as
a tuple of integers where si is the index of a local state of
module i.
A. Multi-Value Decision Trees
This section describes multi-value decision trees to intro-
duce multi-value decision diagrams that are described in the
next section. A multi-value decision tree is a directed acyclic
graph with a single root node, terminal nodes and non-terminal
nodes. The root node does not have incoming edges, and the
terminal nodes do not have any outgoing edges. Each non-
terminal node has a single incoming edge and one or more
outgoing edges. Each edge is labeled with an integer number.
A path is a sequence of edges from the root to one of the
terminal nodes, therefore an integer tuple can be formed by
collecting the integers labeled on the edges on the path. In
other words, a path represents or encodes an integer tuple. An
example of a multi-value decision tree is shown in Fig. 2. Note
that a terminal node is drawn for each path in the figure to
make the presentation clear. In the actual implementation, only a
single terminal node is used, and all paths converge to this
unique terminal node.

Fig. 2. (a) The set of integer triples {(0, 0, 0), (0, 0, 1), (0, 1, 0), (0, 1, 1), (1, 1, 1), (1, 1, 2)}. (b) The corresponding multi-value decision tree representation for the set shown in (a).
In our implementation, two operations are supported for
multi-value decision tree, add and contains. Function add
takes as input an integer tuple, and creates necessary edges in
the decision tree to build a path corresponding to the input
tuple. For the example shown in Fig. 2, if a new tuple (1, 1, 3)
is given, it can be added to the decision tree by creating an
edge from node n21 to the terminal node, and this edge is
labeled with 3. If another tuple (1, 1, 1) is given, then no new
edge is created as there is a path existing in the decision tree
corresponding to the given tuple. Function contains also
takes as input an integer tuple, and checks if there is a path in
the decision tree that corresponds to the given tuple. It returns
true if there is, false otherwise. The time complexity of both
functions is linear in the size of the tuples.
The memory efficiency of the decision trees depends on the
similarity of the prefixes of the tuples in the given set. If there
are a large number of tuples with long same prefixes, a lot of
node sharing can reduce the memory usage significantly. On
the other hand, the worst case happens when a large number of
tuples differ on their first elements. In this case, more memory
may be required compared to using hash tables as an edge is
needed for each element in each tuple.
B. Multi-Value Decision Diagrams
A multi-value decision diagram, like a decision tree,
is a rooted directed acyclic graph with a unique root node,
a unique terminal node, and non-terminal nodes. In a
multi-value decision diagram, the nodes are partitioned into
levels. The number of levels of a decision diagram is equal
to the size of the integer tuples representing the global states.
The root node is at level 0, at the top of the decision diagram,
and the node at the bottom is the terminal. Each non-terminal
node at level k has a number of outgoing edges to nodes at
level k + 1 or to the terminal, and a number of incoming edges
from nodes at level k − 1, including the root node. Non-terminal
nodes in a decision diagram, unlike those in a decision tree,
can have multiple incoming edges; this is what lets different
tuples share the nodes that encode their common suffixes. A path
from the root node to the terminal node in a decision diagram
corresponds to an integer tuple. In the reachability analysis,
the decision diagrams are used to replace the hash tables, so
our implementation only supports two operations, union and
contains. Since contains for the decision diagrams is the same
as function contains for the decision trees, only union is
described in this section.
Function union takes as inputs two decision diagrams, and
returns a decision diagram that includes all the paths from
either of the two input decision diagrams. During the union
operation, an unique table is maintained to make sure that no
equivalent nodes are created. Before node equivalence is
defined, let (n, i, n′) denote an outgoing edge of node n labeled i,
and let outgoing(n) denote the set of all outgoing edges of n.
Two nodes n1 and n2 are equivalent, denoted n1 ≡ n2, if n1
and n2 are the same node, or if both of the following conditions hold:
• ∀(n1, i, n′1) ∈ outgoing(n1) ∃(n2, i, n′2) ∈ outgoing(n2): n′1 ≡ n′2,
• ∀(n2, j, n′2) ∈ outgoing(n2) ∃(n1, j, n′1) ∈ outgoing(n1): n′1 ≡ n′2.
Function union creates a new decision diagram for two input
diagrams as follows. Starting from the root nodes n1 and n2
of the two input decision diagrams, it creates a new node n
by following the rules shown below.
1) For each edge (n1, i, n′1) ∈ outgoing(n1), if there
is no edge (n2, i, n′2) in outgoing(n2), add (n, i, n′1) to
outgoing(n).
2) For each edge (n2, i, n′2) ∈ outgoing(n2), if there
is no edge (n1, i, n′1) in outgoing(n1), add (n, i, n′2) to
outgoing(n).
3) For each edge (n1, i, n′1) ∈ outgoing(n1), if
there is an edge (n2, i, n′2) in outgoing(n2), add (n, i, n′) to
outgoing(n) where n′ = union(n′1, n′2).
During the union operation, whenever a node is created, the
unique table is checked to see if there is an existing node that
is equivalent to the created one. If there exists an equivalent
node, such existing node is returned. Otherwise, the created
node is returned. Multiple decision diagrams can exist at the
same time, and they share the same unique node table. This
allows the node sharing among different decision diagrams.
The union operation may need to make a large number of
calls to function union on different pairs of nodes. To avoid
redundant work and improve efficiency, a cache is maintained
to store pairs of nodes where function union has been applied
and their corresponding results from the union operations. If
later a call to union on the same pair of nodes is made,
then the cached result is returned instead of performing the
expensive union operations again.
After the union operation, if the input decision diagrams
are no longer needed, their nodes can be removed by calling
function remove on the root nodes n as follows.
1) Decrement the reference count of n by 1.
2) If the reference count of n is 0, remove n from the
unique node table, then for each edge (n, i, n′) ∈
outgoing(n), remove(n′).
More detailed description on multi-value decision diagrams
and the commonly supported operations can be found in [19].
In our method, multi-value decision diagrams are used as a
mechanism for storing the reachable states compactly, and the
deletion operation for individual paths is not supported as it
is not needed for the above purpose.
Fig. 3. (a) The set of integer triples {(0, 0, 0), (0, 0, 1), (0, 1, 0), (0, 1, 1), (1, 1, 1), (1, 1, 2)}. (b) The corresponding MDD representation for the set shown in (a).

Fig. 4. (a) Another multi-value decision diagram. (b) The result from merging the MDD in Fig. 4(a) and the MDD in Fig. 3(b) by the union operation.
The example in Fig. 3 shows the same set of integer triples
in Fig 2(a) and the corresponding decision diagram. Each edge
is labeled with an integer denoting the index of some local
state. In the figure, an edge may be labeled with more than one
integer. In that case, it corresponds to multiple edges, each of
which is labeled with an integer. Another multi-value decision
diagram is shown in Fig. 4(a), and the result from merging
it with the diagram shown in Fig. 3(b) by function union is
shown in Fig. 4(b). It is straightforward to verify that all the
paths in diagrams in Fig. 3(b) and 4(a) are included in the
diagram shown in Fig. 4(b). The resulting diagram represents
a set of nine integer tuples. Note that in the shown diagrams,
the labels of the nodes are not used to distinguish nodes from
different diagrams, therefore nodes from different diagrams
with the same labels should not be viewed as the same nodes.
C. Using Decision Diagrams in Reachability Analysis
A direct way to use the multi-value decision diagrams in
the reachability analysis shown in Algorithm 1 is to replace
the hash table for stateTable with a decision diagram. First,
let mdd_create(~s) be a function that takes an integer tuple
and returns a multi-value decision diagram with a single
path corresponding to ~s. Then, line 17 of Algorithm 1,
stateTable.add(~s′), can simply be replaced with the following line.
stateTable = union(stateTable, mdd_create(~s′));
Directly using the decision diagrams as shown above is
simple, and can be very efficient in memory usage. However, it
is not very efficient in runtime. This is due to a large number of
union calls as one is made for every new state ~s ′. Since each
union call can incur several operations on node creations
and checks against the unique node table, a large number of
union calls can lead to very high overhead when the number
of reachable states is large.
To address this problem, multi-value decision trees are used
as buffers for a set of states before adding them together into
the decision diagram stateTable. The basic reason is that it
is much more efficient to add a state into a decision tree.
On the other hand, a decision tree generally requires more
memory to store the same number of states than a decision
diagram. In this method, a decision tree is used as a buffer.
The search algorithm adds states into the decision tree first.
When a sufficiently large number of states are added such that
a preset memory threshold is exceeded, this decision tree is
compressed to become a decision diagram, and consequently
merged with the decision diagram pointed by stateTable
by function union. This is a common idea of trading a
reasonable amount of memory for higher runtime efficiency.
Decision trees can be compressed into decision diagrams
by function compress. This function takes a decision tree
rooted at node n, and performs the following operations
recursively.
1) Create a new node n1.
2) For each edge (n, i, n′) ∈ outgoing(n),
a) n′′ = compress(n′).
b) Add edge (n1, i, n′′) into outgoing(n1).
3) Check if there exists an equivalent node to n1 in the
unique node table. If so, return the equivalent node;
otherwise, return n1.
Basically, function compress traverses a decision tree from
the root node, and merges all equivalent nodes.
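The following added example (written for this page, not the paper's or Platu's code) implements the pieces of Sections III.A, III.B and III.C together: the decision tree with add and contains, compression of a tree into an MDD through a shared unique node table, union with a result cache following the three rules above, and the hybrid stateTable that buffers states in a tree and flushes it into the diagram once a threshold is exceeded. Node equivalence is decided structurally from each node's canonical edge list, the memory threshold is modelled as a simple count of buffered states, and the reference-counted remove operation is omitted.

```python
# Added example (not the paper's or Platu's code): decision tree buffer,
# compress into an MDD via a unique table, cached union, and the hybrid
# stateTable of Section III.C. All stored tuples are assumed to have the
# same length (one index per LPN module), as in the paper.
from typing import Dict, Optional, Set, Tuple

TERMINAL = None   # the single shared terminal node; an edge to it ends a path

class TreeNode:
    """Decision tree node: one incoming edge, outgoing edges labeled by integers."""
    __slots__ = ("edges",)
    def __init__(self) -> None:
        self.edges: Dict[int, Optional["TreeNode"]] = {}

def tree_add(root: TreeNode, tup: Tuple[int, ...]) -> None:
    """add: extend the path for tup, creating only the edges that are missing."""
    node = root
    for k in tup[:-1]:
        if k not in node.edges:
            node.edges[k] = TreeNode()
        node = node.edges[k]
    node.edges[tup[-1]] = TERMINAL

def contains(node, tup: Tuple[int, ...]) -> bool:
    """contains: identical for trees and MDDs, both walk labeled edges to TERMINAL."""
    for k in tup:
        if node is TERMINAL or k not in node.edges:
            return False
        node = node.edges[k]
    return node is TERMINAL

class MddNode:
    __slots__ = ("uid", "edges")
    def __init__(self, uid: int, edges: dict) -> None:
        self.uid, self.edges = uid, edges          # label -> MddNode or TERMINAL

class Mdd:
    """Unique node table shared by all diagrams, plus the union result cache."""
    def __init__(self) -> None:
        self.unique: Dict[tuple, MddNode] = {}
        self.cache: Dict[Tuple[int, int], MddNode] = {}
        self.next_uid = 1                          # uid 0 is reserved for TERMINAL

    def make(self, edges: dict) -> MddNode:
        """Return the existing node equivalent to `edges`, or register a new one."""
        key = tuple(sorted((i, 0 if c is TERMINAL else c.uid) for i, c in edges.items()))
        node = self.unique.get(key)
        if node is None:
            node = MddNode(self.next_uid, edges)
            self.next_uid += 1
            self.unique[key] = node
        return node

    def compress(self, tree: TreeNode) -> MddNode:
        """compress: rebuild bottom-up so equivalent subtrees collapse to one node."""
        return self.make({i: (TERMINAL if c is TERMINAL else self.compress(c))
                          for i, c in tree.edges.items()})

    def union(self, a: MddNode, b: MddNode) -> MddNode:
        if a is b:                                  # same node (or both TERMINAL)
            return a
        key = (min(a.uid, b.uid), max(a.uid, b.uid))
        if key in self.cache:
            return self.cache[key]
        edges = dict(a.edges)                       # rule 1: edges only in a
        for i, c in b.edges.items():                # rule 2: only in b; rule 3: in both
            edges[i] = c if i not in a.edges else self.union(a.edges[i], c)
        self.cache[key] = self.make(edges)
        return self.cache[key]

class HybridStateTable:
    """stateTable = MDD of flushed states + decision tree buffer of recent ones."""
    def __init__(self, threshold: int) -> None:
        self.mdd, self.threshold = Mdd(), threshold
        self.root = self.mdd.make({})               # the empty diagram
        self.buffer, self.buffered = TreeNode(), 0

    def contains(self, tup: Tuple[int, ...]) -> bool:
        return contains(self.buffer, tup) or contains(self.root, tup)

    def add(self, tup: Tuple[int, ...]) -> bool:
        """Insert a global state; returns False if it was already stored."""
        if self.contains(tup):
            return False
        tree_add(self.buffer, tup)
        self.buffered += 1
        if self.buffered >= self.threshold:         # memory threshold modelled as a count
            self.flush()
        return True

    def flush(self) -> None:
        self.root = self.mdd.union(self.root, self.mdd.compress(self.buffer))
        self.buffer, self.buffered = TreeNode(), 0

def count_paths(node) -> int:
    """Number of tuples encoded below node."""
    return 1 if node is TERMINAL else sum(count_paths(c) for c in node.edges.values())

def count_nodes(root: MddNode) -> int:
    """Non-terminal nodes reachable from root (the diagram's memory footprint)."""
    seen: Set[int] = set()
    stack = [root]
    while stack:
        n = stack.pop()
        if n is TERMINAL or n.uid in seen:
            continue
        seen.add(n.uid)
        stack.extend(n.edges.values())
    return len(seen)
```

Inserting the six triples of Fig. 2(a) with a threshold of 4 flushes once mid-way and once on a final explicit flush; the resulting diagram has 6 paths but only 5 non-terminal nodes, and adding (2, 1, 1) and (2, 1, 2) afterwards raises the path count to 8 without creating any new node below the root, because the new suffix {(1, 1), (1, 2)} is already in the unique table.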
IV. EXPERIMENTS
The multi-value decision trees and diagrams described in
this paper are implemented in a package, and integrated into
an asynchronous system verification tool Platu, an explicit
model checker implemented in Java. Experiments have
been performed on a number of examples. These examples
include asynchronous circuit designs from previously published
papers [13], [7], [20], [21], [15]. Other examples are selected
from the BEEM benchmark suite for explicit model checking
[16]. This benchmark includes a large number of models of
communication protocols, mutual exclusion algorithms, etc.
All the examples used in the experiments have medium or high
complexity to show the difference in using the hash tables and
the decision diagrams.
In the experiments, all examples are run using the same
depth-first search algorithm but with three different ways
of storing reachable states: a hash table, a multi-value decision
diagram, and a multi-value decision diagram with a decision
tree as a buffer to reduce runtime overhead. To make the
comparison reasonably fair, the model checker SPIN [12] itself is
not used in the experiments, since SPIN is implemented in C while
Platu is implemented in Java, and Java applications generally
have significant memory overhead. Instead, the state compression
technique implemented in SPIN is also implemented in Platu
and used as the base state representation for all three methods
of representing reachable sets of states.
Among all the examples, some have very large state space,
and it can take enormous amount of time to find all reachable
states. The main purpose of using the decision diagrams for
storing reachable states is to allow much larger number of
states to be explored in a reasonable amount of time. Hash
tables can be accessed very efficiently, but usually exhaust
memory also very quickly. Therefore, for examples with small
state space, hash tables are a better option. On the other hand,
for large examples, the decision diagrams would allow either
the whole state space or a much larger portion of it to be
stored with some extra runtime. This allows larger examples
to be handled, or improves verification coverage by exploring
significantly more states. In all experiments, upper bounds on
time and memory are set to 900 seconds and 2 GB. The
results collected include the actual runtime, memory usage,
and the total number of reachable states found at termination
of the search algorithm. In cases of time-out or memory-out,
the number of reachable states found so far is recorded. All
experiments are performed on an iMac desktop with an Intel
quad-core processor. Only a single thread is used for all experiments.
The results are shown in Table I. The first column
shows the different models. The numbers enclosed in parentheses
for the first few examples indicate the number of state
variables. Since these examples are asynchronous circuits, the
type of their state variables is Boolean. The following examples
are the models of mutual exclusion algorithms from the BEEM
benchmarks [16]. The remaining columns are divided into
three groups, one for results from using each different state
representation. Columns under “Base” show results with the
hash table is used. Columns “MDD” show the results with the
MDD alone used. Finally, the columns under “MDD-Hybrid”
show the results with MDD used where a decision tree is
used to speed up the search. Among the five columns in each
group, “Time” and “Mem” show the total runtime and the
peak memory used during the search. Note that the memory
numbers include those used for storing reachable states and
other necessary data structures for the search such as stacks.
Column “|S|” shows the total number of states found at the
termination of the search. Note that this number shows all
reachable states of an example if the run does not time out
(< 900 second) and does not exhaust the allocated memory
(< 2000 MB).
TABLE I
Results from using different state representations on a set of asynchronous circuit designs and models of mutual exclusion examples. Time is in seconds, and memory is in MBs. |S| is the number of states found at the end of reachability analysis. Entries filled with 900 under Time and 2000 under Mem indicate time-out and memory-out. Columns under “Base” show results using hash tables. Columns under “MDD” show results using MDDs, while those under “MDD-Hybrid” show results using MDDs combined with decision trees as buffers.

Model           |                Base                 |                 MDD                 |              MDD-Hybrid
Model           |  Time   Mem       |S|      SS     SSD |  Time   Mem       |S|      SS     SSD |  Time   Mem       |S|      SS     SSD
arbN5 (44)      |   4.1    53    227472   55481    4292 |   5.3    32    227472   42919    7109 |   4.3    45    227472   52900    5055
arbN7 (62)      |   292  2000  12582972   43092    6291 |   548  1109  13801104   25184   12445 |   448  1639  13801104   30806    8420
arbN9 (80)      |   113  2000   9052417   80110    4526 |   320  2000  15892574   49664    7946 |   277  2000  18241258   65853    9121
dmeN3 (33)      |  2.77    49    267999   96751    5469 |   4.3    21    267999   62325   12762 |   2.4    29    267999  111666    9241
dmeN4 (44)      |   199  1725  15692028   78854    9097 |   322   155  15692028   48733  101239 |   152   560  15692028  103237   28021
dmeN5 (55)      |   149  2000  12590803   84502    6295 |   900  1881  38823343   43137   20640 |   900  2000  66746007   74162   33373
fifoN8 (34)     |   119   653   3572036   30017    5470 |   900   924   3268850    3632    3538 |   102   689   3572036   35020    5184
fifoN10 (42)    |   292  2000   9481673   32471    4741 |   900   301   3344603    3716   11112 |   767  2000  13164188   17163    6582
mmu (55)        |   900  1528  82848859   92054   54222 |   900   757   5492496    6103    7256 |   900  1701  90570241  100634   53245
pipectrl (50)   |   168  2000  10485516   62414    5243 |   376  2000  14444726   38417    7222 |   398  2000  22082395   55483   11041
tagunit (48)    |   269  2000   3302662   12278    1651 |   900  1919   2546805    2830    1327 |   900  1752   2668985    2966    1523
anderson.6      |   141  2000  12013290   85201    6007 |   897  1724  18206917   20298   10561 |   348  1751  18206917   52319   10398
anderson.8      |    41  2000   9022879  220070    4511 |   187  2000  12222460   65361    6111 |   192  2000  16141525   84070    8071
at.4            |   102  1018   6597246   64679    6481 |   900   762   6159114    6843    8083 |   122  1624   6597246   54076    4062
at.5            |   154  2000  10489013   68110    5245 |   900  1028   3651887    4058    3552 |   900  1752  12581219   13979    7181
at.6            |   167  2000  10100451   60482    5050 |   900  1109   3651887    4058    3293 |   900  1752  11601860   12891    6622
at.7            |   361  2000  12583081   34856    6292 |   900   506   3651887    4058    7217 |   900  1751  17686712   19652   10101
bakery.8        |   214  2000  17042811   79639    8521 |   900   754  51820580   57578   68728 |   900  1751  76680860   85201   43793
driving phils.3 |     1    13       436     436      34 |     1    14       436     436      31 |     1    14       436     436      31
driving phils.4 |   204  2000  14039859   68823    7020 |   900   576   5217462    5797    9058 |   900  1752  28672594   31858   16366
driving phils.5 |    78  2000   3599664   46150    1800 |   900   520   2268540    2521    4363 |   230  1750   3599663   15651    2057
fischer.3       |    52   409   2896705   55706    7082 |   900   329   2363979    2627    7185 |    66   897   2896705   43889    3229
fischer.4       |    25   342   1272254   50890    3720 |   471   461   1272254    2701    2760 |    47  1135   1272254   27069    1121
fischer.5       |   340  2000  10780321   31707    5390 |   900   552   2505498    2784    4539 |   900  1752   5199544    5777    2968
fischer.6       |   299  2000   8237316   27550    4119 |   900   533   2022330    2247    3794 |   900  1751   3811183    4235    2177
fischer.7       |   365  2000  10633261   29132    5317 |   900   497   2717506    3019    5468 |   900  1752   7996790    8885    4564
lamport.5       |    10   135   1066799  106680    7902 |    19    51   1066799   56147   20918 |  10.2   110   1066799  104588    9698
lamport.6       |     1    11       519     519      47 |     1    14       519     519      37 |     1    12       519     519      43
lamport.7       |   252  2000  18075514   71728    9038 |   900   310  33954095   37727  109529 |   497  1751  38717845   77903   22112
lamport.8       |     1    11        50      50       5 |     1    11        50      50       5 |     1    11        50      50       5
mcs.5           |   127  2000  12041513   94815    6021 |   900  1801  15106694   16785    8388 |   363  2000  23015234   63403   11508
peterson.4      |    11   147   1119559  101778    7616 |    21    68   1119559   53312   16464 |    11   161   1119559  101778    6954
peterson.5      |   109  2000  12583035  115441    6292 |   727  2000  23998663   33011   11999 |   517  2000  42200403   81626   21100
peterson.6      |    88  2000  11110639  126257    5555 |   486  2000  13820828   28438    6910 |   309  2000  23897297   77338   11949
peterson.7      |   222  2000  15975060   71960    7988 |   900   692  11957462   13286   17280 |   900  1752  64062366   71180   36565
phils.6*        |   2.5   159    241660   96664    1520 |    14   141    241660   17261    1714 |     4   617    241660   60415     392
phils.7         |    44  2000   6927036  157433    3464 |   900  1715  10253596   11393    5979 |   261  2000  10486177   40177    5243
phils.8         |   7.2   437    914351  126993    2092 |   144   373    914351    6350    2451 |    13  1707    914351   70335     536
szymanski.4     |  20.4   282   2313863  113425    8205 |    46    78   2313863   50301   29665 |    21   204   2313863  110184   11342
szymanski.5     |   155  2000  15908655  102636    7954 |   900   527  48526313   53918   92080 |   867  1751  79514858   91713   45411
Average         |                         69875    5220 |                         22155   16269 |                         49263   10712

The first conclusion that can be drawn from the table is
that the search using a hash table is the fastest for almost all
examples, in particular for examples with low complexity such as at.4 and
fischer.3. However, using a hash table also causes the search
to exhaust 2 GB for a large number of examples, as shown by
the cells in the table under “Mem” filled with 2000. On the
other hand, the columns under “MDD” show that the search with
the MDD is significantly slower, and it times out for most
examples. At the same time, using the MDD allows more states
to be searched with less memory. Take dmeN5 as an example:
using the MDD causes the search to time out, but over two times
more states are found with slightly less than 2 GB of memory
used. The same observation holds for anderson.8,
lamport.7, and so on. For some other examples, the search with
the MDD finds fewer states due to the overhead of
converting states into the MDDs, as explained before. Finally,
the columns under “MDD-Hybrid” show that the search in this
mode finds many more states for almost every example within
both the time and memory limits. This shows the effectiveness
of using decision trees as a buffer for the MDD representation.
To better compare these three representations, two more
values are computed from the results for each example: search
speed (SS) and state space density (SSD). The numbers in
the column under SS show the numbers of states found per
second. This is a rough measure of how fast the search runs.
The numbers in the column under SSD show the numbers of
states per MB of memory. This is a rough measure of the
efficiency of different representations for storing states. For
both measures, it is better and more efficient if the numbers
are larger. The averages of these two measurements are shown
in the last row for every group. From the average numbers, it
can be seen alternatively that using the hash tables leads to the
highest search speed but the least memory efficiency. Using
MDD alone leads to the highest memory efficiency, but it is
the slowest to use. The MDD with the decision tree buffering
achieves good balance between runtime and memory as it is
slight slower than using hash tables, and slightly less memory
efficient than using the MDDs alone. This good balance allows
the search to find much more states for many examples. Take
szymamski.5 as an example, the search exceeds the memory
limits by finding a little over 15 million states when the hash
table is used, while the search runs out of time after finding
about 2 times more states with only 527 MB memory used
when the MDDs alone are used. However, the MDDs with
buffering allow all reachable states to be found under both
time and memory limits.
From the experiments, for examples that take long time to
run for the search using hash tables, using the MDDs would
lead to less number of states to be found as it is more expensive
to use the MDDs even with faster buffering techniques. On
the other hand, for examples that have large state space,
the MDDs are much more efficient. Furthermore, buffering
seems a very promising approach for handling larger designs.
Since the MDDs implemented in Platu are not intensively
optimized, there might be more potential for making them
even more efficient. Meanwhile, it would be interesting to
investigate if using the existing BDD packages such as CUDD
[18] could bring more efficiency as they commonly support
variable recording, which is well known critical for efficiency
and compactness of BDD representations.
One last point to note is that in the work described in this
paper, these different approaches are experimented to find out
how states can be stored efficiently. The depth-first search
algorithm itself remains the same. This indicates that partial
order reduction can be naturally integrated with the MDDs
to allow much larger designs to be handled. However, partial
order reduction is not used in this paper.
V. CONCLUSION
This paper shows how the multi-value decision diagrams
are used to store reachable states efficiently and compactly,
which allows larger designs to be verified, or more states
to be explored thus improving the verification coverage. By
using the decision trees as a buffering technique, the overhead
of using the multi-value decision diagrams is significantly
reduced. In the future, it is interesting to find out how the
binary decision diagrams compare against the multi-value
decision diagrams in the same context. Moreover, combining
the decision diagrams and partial order reduction will also be
investigated.
REFERENCES
[1] J. Ahrens. A compositional approach to asynchronous design verification with automated state space reduction. Master's thesis, Univ. of South Florida, 2007.
[2] G. Brat, K. Havelund, S. Park, and W. Visser. Java PathFinder: a second generation of a Java model checker. In Workshop on Advances in Verification, 2000.
[3] R. E. Bryant. Symbolic Boolean manipulation with ordered binary-decision diagrams. ACM Computing Surveys, 24(3):293–318, 1992.
[4] J. Burch, E. Clarke, D. Long, K. McMillan, and D. Dill. Symbolic model checking for sequential circuit verification. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 13(4):401–424, 1994.
[5] C. Baier and J.-P. Katoen. Principles of Model Checking. MIT Press, 2008.
[6] G. Ciardo, G. Lüttgen, and R. Siminiceanu. Saturation: an efficient iteration strategy for symbolic state space generation. In Proc. Tools and Algorithms for the Construction and Analysis of Systems (TACAS), LNCS 2031, pages 328–342. Springer-Verlag, 2001.
[7] D. Dill. Trace Theory for Automatic Hierarchical Verification of Speed-Independent Circuits. PhD thesis, Carnegie Mellon University, 1988.
[8] E. M. Clarke, O. Grumberg, and D. Peled. Model Checking. MIT Press, 2000.
[9] G. J. Holzmann and D. Peled. An improvement in formal verification. In Proc. Seventh FORTE Conf. Formal Description Techniques, 1994.
[10] P. Godefroid. Partial-Order Methods for the Verification of Concurrent Systems: An Approach to the State-Explosion Problem. PhD thesis, University of Liège, 1995.
[11] G. Holzmann. The SPIN Model Checker: Primer and Reference Manual. Addison-Wesley Professional, Cambridge, Mass., 2003.
[12] G. J. Holzmann. The model checker SPIN. IEEE Transactions on Software Engineering, 23(5):279–295, 1997.
[13] A. J. Martin. Self-timed FIFO: An exercise in compiling programs into VLSI circuits. Technical Report 1986.5211-tr-86, California Institute of Technology, 1986.
[14] T. Murata. Petri nets: Properties, analysis, and applications. Proceedings of the IEEE, 77(4):541–580, 1989.
[15] C. J. Myers. Computer-Aided Synthesis and Verification of Gate-Level Timed Circuits. PhD thesis, Stanford University, 1995.
[16] R. Pelánek. BEEM: Benchmarks for explicit model checkers. In Proc. of SPIN Workshop, volume 4595 of LNCS, pages 263–267. Springer, 2007.
[17] R. A. Thacker, K. R. Jones, C. J. Myers, and H. Zheng. Automatic abstraction for verification of cyber-physical systems. In 1st International Conference on Cyber-Physical Systems, 2010.
[18] F. Somenzi. CUDD: CU Decision Diagram Package.
[19] A. Srinivasan, T. Kam, S. Malik, and R. Brayton. Algorithms for discrete function manipulation. In Proceedings of the IEEE International Conference on Computer-Aided Design (ICCAD-90), pages 92–95, Nov 1990.
[20] K. Stevens, R. Ginosar, and S. Rotem. Relative timing. In Proc. International Symposium on Advanced Research in Asynchronous Circuits and Systems, pages 208–218, 1999.
[21] T. Yoneda and T. Yoshikawa. Using partial orders for trace theoretic verification of asynchronous circuits. In Proc. of Second International Symposium on Advanced Research in Asynchronous Circuits and Systems, pages 152–163, 1996.
