
Compositional Model Checking of Concurrent
Systems
Hao Zheng, Senior Member, IEEE, Zhen Zhang, Member, IEEE, Chris J. Myers, Fellow, IEEE, Emmanuel
Rodriguez, and Yingying Zhang


Abstract— This paper presents a compositional framework
to address the state explosion problem in model checking of
concurrent systems. This framework takes as input a system
model described as a network of communicating components in
a high-level description language, finds the local state transition
models for each individual component where local properties
can be verified, and then iteratively reduces and composes the
component state transition models to form a reduced global
model for the entire system where global safety properties can be
verified. The state space reductions used in this framework result
in a reduced model that contains the exact same set of observably
equivalent executions as in the original model, therefore, no false
counter-examples result from the verification of the reduced
model. This approach allows designs that cannot be handled
monolithically or with partial-order reduction to be verified
without difficulty. The experimental results show significant scale-up of this compositional verification framework on a number of
non-trivial concurrent system models.

I. INTRODUCTION
Model checking is a very effective approach to finding
concurrency bugs compared against simulation or testing.
However, the biggest hurdle for model checking of highly
concurrent systems is the large number of interleavings among
local executions, which causes state explosion. On the other
hand, many of these interleavings are irrelevant to the properties under verification. Therefore, they should be avoided as
much as possible to simplify the verification complexity.
This paper presents a compositional model checking framework that aims to verify complex highly concurrent systems.
Fig. 1 shows the verification flow that is the basis of the framework presented in this paper. In this framework, it is assumed
that a concurrent system under verification is described as a
network of communicating components in some high-level
description language. In the first step, the components are
decoupled from each other and their state transition models
are generated using a local state space construction method
[41]. For each component, its state transition model preserves
all essential interface interactions with its neighbors. Therefore, it includes all behaviors of this component as allowed
by its neighboring components. Once the component state
transition models are obtained, local properties defined for the
individual components can be verified. However, the generated
component state transition models may include extra behaviors
that would not exist when the whole system is considered,
so local verification may cause false negative results. These
false negatives are due to the inherent local nature of the
component state space models. In the next step, the component
state transition models are reduced and composed iteratively,
and eventually a reduced global state transition model for
the entire system is obtained where the model checking of
global properties can be performed, and the negative results
of the local properties can be discharged or confirmed. As
the full global state space model for the whole system is
never considered, much larger systems can be handled by this
framework.

Fig. 1. The verification flow for the compositional framework.

Hao Zheng, Emmanuel Rodriguez, and Yingying Zhang are with the CSE
dept., University of South Florida, Tampa, FL 33620. Zhen Zhang and Chris
Myers are with the ECE dept., University of Utah, Salt Lake City, UT 84112.
The key to the success of this framework is state space
reduction. In some existing work [26], reduction is conservative in that more behavior may be introduced, but all
essential behaviors are preserved during reduction. This is
necessary since no real errors can be missed when verifying
the reduced model. However, false errors may be introduced
at the same time. When an error is found while verifying
such a reduced model, it needs to be checked whether it is
real on the concrete model. If reduction is too coarse, the
number of false errors may become excessive, and checking
these false errors can become the bottleneck. As shown later,
this framework is integrated with a number of effective state
space reductions [42] that can remove certain state transitions
and states from a state transition model in such a way that the
behavior of the model that is essential to verification remains
the same. The reduced global state transition model produced
at the end is equivalent to the concrete model of the whole
system with respect to the properties under verification. This
method is sound and complete in that the reduced global model
is verified to be correct if, and only if, the concrete model for
the whole system is correct.
The reduction method presented in this paper is similar, in
some degree, to the partial order reduction method [29] as both
try to identify and remove certain transitions to eliminate stutter equivalent paths. Partial order reduction relies on the notion
of transition dependencies to identify and remove redundant
interleavings during state space search such that some stutter
equivalent execution sequences are avoided, thus reducing the
complexity of verifying the whole system. However, determining transition dependencies can be as difficult as computing
the global state space. Therefore, they are often computed
conservatively to ensure soundness of the verification results.
This conservative computation causes partial order reduction
to be less effective or even useless in some situations. On the
other hand, our method can effectively remove all invisible
transitions that correspond to stutter equivalent execution sequences as it considers the generated state space models where
the necessary information is available for such reduction.
Another difference is that partial order reduction is applied
to the whole system, while this framework builds a reduced
global state space model compositionally.
Although the individual pieces used in this framework have
been presented separately in previous work [41], [42], the main
contribution of this work is a framework that integrates them as
a whole to support effective compositional model checking of
global, as well as, local properties of large concurrent systems.
This paper also presents the correctness proofs to show that
this framework is sound and complete for safety properties.
Finally, this framework is generalized to handle distributed
algorithm and concurrent program models, in addition to
asynchronous circuit designs.
This paper is organized as follows. Section II briefly reviews
the necessary background for this paper. Section III describes a
method for constructing local state space models from a high-level description of a system. Section IV presents a number
of state space reductions that can remove all invisible state
transitions and redundant states within the local state space
models such that these models before and after reduction
show the same behavior on the interface. This section also
proves that the global state space model formed by composing
the reduced local models shows the same interface behavior
as the concrete global model. Section V demonstrates the
effectiveness of this framework on a number of non-trivial
concurrent system models including various mutual exclusion
algorithms and some asynchronous circuit designs. The last
section concludes the paper and points out some future work
that can improve this method.

II. BACKGROUND
A. System Modeling
This section presents a simple formalism to describe the
behavior of concurrent systems. Let $V = (v_1, \ldots, v_n)$ be
a finite set of variables that take their values from a single
domain $Z \subset \mathbb{Z}$ where $\mathbb{Z}$ is the set of integers. Each $s \in Z^{|V|}$
is also referred to as a state over $V$.
This paper considers a finite system as a parallel composition of a number of components, $\|_{1 \le i \le n} M_i$, where each
component is defined as follows.
Definition 2.1: (System Model) The model of a finite state
component is a tuple $M_i = (V_i, init_i, A_i)$ where:
• $V_i$ is a finite set of variables,
• $init_i \in Z^{|V_i|}$ is the initial state,
• $A_i$ is a finite set of actions that define how states are
changed when actions in $A_i$ are executed. Let $V_g \subseteq V_i$,
$V_{supp} \subseteq V_i$, and $V_{upd} \subseteq V_i$. Each action $\alpha \in A_i$ is
specified with $(g, va)$ where:
– Guard $g : Z^{|V_g|} \to \{true, false\}$ maps an assignment
over $V_g$ to a truth value.
– Assignment $va : Z^{|V_{supp}|} \to Z^{|V_{upd}|}$ maps an
assignment over $V_{supp}$ to an assignment over $V_{upd}$.
Let $wr(\alpha)$ return $V_{upd}$, the set of variables that action $\alpha$
updates.
Let $s(v)$ return the value of $v$ in state $s$. Two states $s_1$ and
$s_2$ are consistent on a set of variables $C$, denoted as $s_1 \stackrel{C}{=} s_2$,
iff $\forall v \in C,\ s_1(v) = s_2(v)$ holds.
An action $\alpha = (g, va)$ is enabled in a state $s$ if $g(s) = true$.
$enb(s)$ is used to denote all actions enabled in $s$. An action
can be executed once it is enabled. The successor state $s'$ after
executing an enabled action $\alpha$ is denoted by $\alpha(s)$. Executing
action $\alpha$ updates variables in $wr(\alpha)$ while the variables in
$V_i - wr(\alpha)$ remain unchan​ged, i.e. $s' \stackrel{V_i - wr(\alpha)}{=} s$.
This paper considers safety properties. Every component
includes a special variable $safe_i \in V_i$. This variable is
initialized to 1. It is reset to 0 when an action is executed
if a safety condition is violated in a state. If $safe_i = 0$ in
state $s$, $enb(s)$ is assumed to be empty. This can be done by
conjoining a predicate $safe_i = 1$ to the guard of every action.
A large and complex system usually consists of components
connected in a network where communications can be done
through shared variables. Let $M_i = (V_i, init_i, A_i)$, $1 \le i \le n$,
be $n$ components as defined in Definition 2.1. A concurrent
system $\|_{1 \le i \le n} M_i$ is defined if the following condition holds,
$$\forall 1 \le i, j \le n,\ init_i \stackrel{C_{ij}}{=} init_j \wedge (A_i \cap A_j = \emptyset)$$
where $C_{ij} = V_i \cap V_j$. A $M_i$-state $s_i$ is referred to as a local
state of $M_i$. A state of $M$ is referred to as a global state, which
is a total assignment to all variables in $\cup_{1 \le i \le n} V_i$. A global
state $s$ is defined by an $n$-tuple of local states $(s_1, \ldots, s_n)$ if
$$\forall 1 \le i, j \le n,\ s_i \stackrel{C_{ij}}{=} s_j,$$
and it is formed by merging variable assignments in all local
states, denoted as $s = \Sigma(s_1, \ldots, s_n)$, such that:
$$\forall 1 \le i \le n,\ s \stackrel{V_i}{=} s_i.$$
A concurrent system $\|_{1 \le i \le n} M_i$, if defined, is $M = (V, init, A)$ such that:
$$V = \cup_{1 \le i \le n} V_i,\quad init = \Sigma(init_1, \ldots, init_n),\quad A = \cup_{1 \le i \le n} A_i.$$
Consider a component $M_i = (V_i, init_i, A_i)$ in a concurrent
system $M = \|_{1 \le i \le n} M_i$. Let $C_i = \cup_{j \ne i} C_{ij}$ be the set of
variables of $M_i$ that are shared with some other components.
Therefore, $V_i - C_i$ is the set of invisible variables of $M_i$. A
$M_i$-action $\alpha$ is visible if $wr(\alpha) \cap C_i \ne \emptyset$. Such an action is also
referred to as $M_i$-visible. Let $A_i^{vis} = \{\alpha \in A_i \mid \alpha \text{ is visible}\}$
be the set of all visible actions of $M_i$. A $M_j$-action $\alpha$ is
external to $M_i$ if $wr(\alpha) \cap V_i \ne \emptyset$. Predicate $ext(M_i, \alpha)$ is
defined such that it holds if action $\alpha$ local to a different
component is external to $M_i$. For each component $M_i$ in
$\|_{1 \le i \le n} M_i$, the set of external actions is defined as follows:
$$Ext_i = \{\alpha \mid \forall j \ne i,\ \alpha \text{ is a } M_j\text{-action and } ext(M_i, \alpha)\}.$$
$Intf_i = A_i^{vis} \cup Ext_i$ is the set of interface actions that update
the shared variables $C_i$ of component $M_i$. For $s' = \alpha(s)$, the
following property holds.
$$s' \stackrel{V_i - C_i}{=} s \quad \text{if } \alpha \in (A_i - Intf_i)$$
Fig. 2 shows a simple example of a concurrent system with
three components. In this example, variable x is shared by M2
and M3 , y is shared by M1 and M3 , and z is shared by all
three components. All the other variables are invisible in their
respective components. M1 -actions t11 and t12 are invisible
as they only modify the invisible variable v, while M1 -actions
t13 and t14 are visible, and they are external to M3 . Similar
information about the invisible and external actions can be
derived for M2 and M3 , as well.
B. State Graph
This paper uses state graphs (SGs) to represent the state
transition level semantics for concurrent systems.
Definition 2.2: (State Graph) A state graph for a concurrent
system M is a tuple G = (S, ı, R, F ) where
1) S is a finite non-empty set of states,
2) ı ∈ S is the initial state.
3) R ⊆ S × (A ∪ Ext) × S is the set of state transitions.
4) F ⊆ S is a set of unsafe states.
The SG definition is used to represent both concurrent
systems and their components. In the above definition, Ext
is the set of external actions that the environment of M can
execute and change the shared variables of M . As shown later,
the method presented in this paper needs to construct local
state graphs for the components in a concurrent system. If
a component Mi in a system M = ∥1≤i≤n Mi communicates
with some other components through shared variables, its local
state graph contains not only the state transitions on local
actions but also those on external actions to take into account
updates on shared variables caused by actions executed in the
other components that are external to Mi . Then, in Gi =
(Si , ıi , Ri , Fi ) for Mi , Si is the set of local states, Ri is
the set of state transitions on local actions in Ai of Mi or
on actions in Ext i external to Mi , ıi = initi , and Fi =
{si ∈ Si | si (safe i ) = 0}. The local SG for a communicating
component Mi in a system captures the behavior as defined
in Mi , as well as, the updates on its shared variables by
the visible actions of other components in the system. If
G = (S, ı, R, F) is for a system M = ∥1≤i≤n Mi, Ext = ∅,
S and R are the set of global states and the set of global state
transitions of M, respectively, ı = Σ(init1, . . . , initn), and
F ⊆ S contains each s ∈ S for which there exists 1 ≤ i ≤ n
such that s(safe i) = 0.

Fig. 3 shows the local state graphs for the components of
the system shown in Fig. 2. The variable assignments for
the local states of each component are shown to the left of
the corresponding local state graph. Each local state graph in
Fig. 3 includes some external transitions drawn with dotted
lines. For example, in G1 , (p0 , t34 , p1 ) and (p3 , t33 , p4 ) are
external as t33 and t34 are defined in M3 . When either action
is executed, variable z is changed, and this change results in
state transitions in M1 , M2 , as well as, M3 since variable z
is shared by all three components.
Executions of a concurrent system are represented by paths
in SGs. Given a state graph $G = (S, \imath, R, F)$, a path of $G$
is a sequence $\rho = s_0 \xrightarrow{\alpha_0} s_1 \xrightarrow{\alpha_1} \cdots$ such that $\imath = s_0$ and
$\forall i \ge 0,\ (s_i, \alpha_i, s_{i+1}) \in R$. The trace of a path $\rho$,
denoted as $tr(\rho)$, is $\alpha_0 \alpha_1 \ldots$. Given a zero length path which
has no state transitions, its trace is $\epsilon$. In $G$, $s' = \alpha(s)$ if
$(s, \alpha, s') \in R$. Similarly, that state $s'$ is reachable from $s$ through
a sequence of actions is denoted as $s' = \alpha_0 \ldots \alpha_n(s)$ if
$\forall 0 \le i \le n,\ (s_i, \alpha_i, s_{i+1}) \in R$, $s_0 = s$ and $s_{n+1} = s'$. State $s$ is
reachable in $G$ if $s$ is reachable from the initial state through
a trace. A path is referred to as a failure if it leads to a state
$s \in F$. The set of all failures in $G$ is denoted as $\mathcal{F}(G)$.
The set of all the other paths in $G$ is denoted as $\mathcal{L}(G)$, and
$\mathcal{L}(G) \cap \mathcal{F}(G) = \emptyset$.
Given a concurrent system M = ∥1≤i≤n Mi, its state graph
can be constructed using reachability analysis by executing
exhaustively every enabled action in every state starting from
the initial state. A general depth-first search algorithm for
reachability analysis is shown in Algorithm 1. Checking safety
properties can be done on-the-fly. Alternatively, a local state
graph can be constructed for each component first, and then
the global state graph of the entire system can be constructed
by composing the local state graphs.
Definition 2.3: (Parallel Composition) Let $G_i = (S_i, \imath_i, R_i, F_i)$ be the local SGs for components $M_i$ in
a system $\|_{1 \le i \le n} M_i$. Also, let $A = \cup_{1 \le i \le n} A_i$. The parallel
composition $\|_{1 \le i \le n} G_i$ is defined as $G = (S, \imath, R, F)$ where
1) $S = \{\Sigma(s_1, \ldots, s_n)\}$ such that $\forall \Sigma(s_1, \ldots, s_n) \in S$,
$\forall 1 \le i, j \le n,\ s_i \in S_i \wedge s_j \in S_j \wedge s_i \stackrel{V_i \cap V_j}{=} s_j$.
2) $\imath = \Sigma(\imath_1, \ldots, \imath_n) \in S$.
3) $R \subseteq S \times A \times S$ such that for each $(s, \alpha, s') \in R$,
$s = \Sigma(s_1, \ldots, s_n) \notin F$ and $s' = \Sigma(s'_1, \ldots, s'_n)$, and for
each $1 \le i \le n$,
a) $(s_i, \alpha, s'_i) \in R_i$ if $\alpha$ is a $M_i$-action or $ext(M_i, \alpha)$,
b) $s_i = s'_i$, otherwise.
4) $F = \{s \in S \mid \exists 1 \le i \le n \text{ s.t. } s(safe_i) = 0\}$
In the above definition, when several processes execute
concurrently, they synchronize on updates on shared variables,
and proceed independently, otherwise. If any local state is not
safe, the whole global state is regarded as not safe. The parallel
composition is commutative and associative as the construction
of composite states and composite state transitions is independent of order of composition. While the proof of this fact is
straightforward by Definition 2.3, it is lengthy, so it is omitted.
The global state graph for the whole system shown in Fig. 2
generated by Algorithm 1 or by the parallel composition of
the state graphs shown in Fig. 3 is shown in Fig. 4.

M1 = (V1, init1, A1);
V1 = {z, v, y};
init1 = (z = 0, v = 1, y = 0);
A1 = {t11, t12, t13, t14};
where
t11 = (v = 1 ∧ z = 1, v := 0);
t12 = (v = 0 ∧ z = 0, v := 1);
t13 = (y = 1 ∧ v = 1, y := 0);
t14 = (y = 0 ∧ v = 0, y := 1);

M2 = (V2, init2, A2);
V2 = {z, w, x};
init2 = (z = 0, w = 1, x = 0);
A2 = {t21, t22, t23, t24};
where
t21 = (w = 1 ∧ z = 1, w := 0);
t22 = (w = 0 ∧ z = 0, w := 1);
t23 = (x = 1 ∧ w = 1, x := 0);
t24 = (x = 0 ∧ w = 0, x := 1);

M3 = (V3, init3, A3);
V3 = {x, y, u, z};
init3 = (x = 0, y = 0, u = 0, z = 0);
A3 = {t31, t32, t33, t34};
where
t31 = (u = 1 ∧ x = 0 ∧ y = 0, u := 0);
t32 = (u = 0 ∧ x = 1 ∧ y = 1, u := 1);
t33 = (z = 1 ∧ u = 1, z := 0);
t34 = (z = 0 ∧ u = 0, z := 1);

Fig. 2. An example of a simple concurrent system with three components communicating over shared variables x, y, and z.
Local SG G1 for M1, with its state labeling over (z, v, y):
p0 = init1 = (z = 0, v = 1, y = 0), p1 = (z = 1, v = 1, y = 0), p2 = (z = 1, v = 0, y = 0),
p3 = (z = 1, v = 0, y = 1), p4 = (z = 0, v = 0, y = 1), p5 = (z = 0, v = 1, y = 1).

Local SG G2 for M2, with its state labeling over (z, w, x):
q0 = init2 = (z = 0, w = 1, x = 0), q1 = (z = 1, w = 1, x = 0), q2 = (z = 1, w = 0, x = 0),
q3 = (z = 1, w = 0, x = 1), q4 = (z = 0, w = 0, x = 1), q5 = (z = 0, w = 1, x = 1).

Local SG G3 for M3, with its state labeling over (x, y, u, z):
s0 = init3 = (x = 0, y = 0, u = 0, z = 0), s1 = (x = 0, y = 0, u = 0, z = 1), s2 = (x = 1, y = 0, u = 0, z = 1),
s3 = (x = 0, y = 1, u = 0, z = 1), s4 = (x = 1, y = 1, u = 0, z = 1), s5 = (x = 1, y = 1, u = 1, z = 1),
s6 = (x = 1, y = 1, u = 1, z = 0), s7 = (x = 1, y = 0, u = 1, z = 0), s8 = (x = 0, y = 1, u = 1, z = 0),
s9 = (x = 0, y = 0, u = 1, z = 0).

Fig. 3. The local state graphs and the state labelings for the components in the system shown in Fig. 2. State transitions drawn in dotted lines are due to
the execution of the external transitions.

Algorithm 1: DFS(∥1≤i≤n Mi)
Input: A system description of n components.
Output: A global state graph.
ı := Σ(init1, . . . , initn);
S := S ∪ ı;
stack.push((ı, enb(ı)));
while stack is not empty do
    (s, E) := stack.top();
    if E = ∅ then
        stack.pop();
        continue;
    Select α ∈ E to execute, and remove it from E;
    s' := α(s);
    if ∃1 ≤ i ≤ n s.t. si(safe i) = 0 then
        F := F ∪ {s};
        continue;
    R := R ∪ {(s, α, s')};
    if s' ∉ S then
        stack.push((s', enb(s')));
        S := S ∪ s';

C. State Graph Equivalence
The procedure described in this paper achieves its efficiency
by applying reductions described in Section IV to produce a
simpler, equivalent SG that represents the behavior of the same
component in a system with fewer details. Two SGs, Gi and G'i,
for the same component, Mi, are equivalent if when they are
composed with a SG, Gj, for another component, Mj, failure
paths exist in the composite with Gi if and only if they exist
in the composite with G'i, and they have the same set of non-failure paths that are stutter equivalent. The rest of the section
formalizes state graph equivalence.
First, it is necessary to introduce the concept of autofailure.

Fig. 4. The global state graph for the system as described in Fig. 2.

Given a failure path of a component, it may enter the failure
state through a sequence of transitions on local actions.
However, the real cause of the failure can be traced back to a
state resulting from an external action in the environment. This
fact is because if the environment changes shared variables
to a state in which it becomes possible for a failure to be
reached by local actions, then no component exists that can be
composed with this component that prevents this failure path
from being possible. This situation is referred to as autofailure
manifestation in [21]. Given a failure path $\rho = s_0 \xrightarrow{\alpha_0} s_1 \xrightarrow{\alpha_1} \cdots$,
if there exists $i \ge 0$ such that $\alpha_i$ is an external action, and
for all $k > i$, $\alpha_k$ is a local action, then $s_0 \xrightarrow{\alpha_0} \cdots s_i \xrightarrow{\alpha_i} s_{i+1}$
is the autofailure prefix, denoted as $Pref_{AF}(\rho)$. At this point
in the trace $\rho$, there is no action by the environment that
can prevent a failure from occurring. When $\rho$ is not a failure
path, $Pref_{AF}(\rho) = \rho$. If $\rho$ does not have any external actions,
$Pref_{AF}(\rho) = s_0$, and its trace is empty, i.e. $\epsilon$. Such a path
is referred to as an initial autofailure. Note that all initial
autofailures of a component are regarded as being equivalent.
In $G_i$ for a component $M_i$, $s' \stackrel{C_i}{=} s$ holds for $s$ and
$s'$ in a state transition $(s, \alpha, s')$ if $\alpha \notin Intf_i$. Such state
transitions are called invisible. Two paths are called stutter
equivalent if they only differ in their corresponding invisible
state transitions [22]. Two failure paths $\rho$ and $\rho'$ are stutter
equivalent if $Pref_{AF}(\rho)$ is stutter equivalent to $Pref_{AF}(\rho')$.
These ideas are formalized in the definition below.
Definition 2.4 (Stutter Equivalence): Let $G_i$ and $G'_i$ be two
SGs for $M_i$, and $\rho \in \mathcal{L}(G_i) \cup \mathcal{F}(G_i)$ and $\rho' \in \mathcal{L}(G'_i) \cup \mathcal{F}(G'_i)$
be two paths, respectively. $\rho$ and $\rho'$ are stutter equivalent,
denoted as $\rho \approx \rho'$, if
$$tr(Pref_{AF}(\rho))/Intf_i = tr(Pref_{AF}(\rho'))/Intf_i.$$
Note that in the definition above $t/X$ denotes the projection
of the trace $t = \alpha_0 \alpha_1 \ldots$ over a set of actions $X$, and it returns
another trace where all actions not in $X$ are removed and all
other actions remain in place.
Suppose $\rho'$ is a failure path in $G'_i$. If $\rho'$ is not an autofailure,
and there is a path $\rho$ in $G_i$ such that it has a prefix that is
stutter equivalent to the autofailure prefix of $\rho'$, then $\rho$ is also
regarded as a failure. In such a case, path $\rho'$ is referred to as
a failure approximation to $\rho$.
Definition 2.5 (Failure Approximation): Let $G_i$ and $G'_i$ be
two SGs for $M_i$, and $\rho \in \mathcal{L}(G_i) \cup \mathcal{F}(G_i)$ and $\rho' \in \mathcal{F}(G'_i)$
be two paths. $\rho'$ is a failure approximation to $\rho$, denoted as
$\rho \approx^F_i \rho'$, if
$$tr(\rho')/Intf_i \text{ is a prefix of } tr(\rho)/Intf_i.$$
The equivalence of two state graphs $G_i$ and $G'_i$ for a single
component $M_i$ can now be defined as follows:
Definition 2.6 (State Graph Equivalence): $G_i$ and $G'_i$ are
two equivalent SGs for $M_i$, denoted as $G_i \approx G'_i$, if all the
following conditions hold.
$$\begin{cases} \forall \rho \in \mathcal{F}(G_i),\ \exists \rho' \in \mathcal{F}(G'_i) \text{ s.t. } \rho \approx^F_i \rho' \text{ and} \\ \forall \rho' \in \mathcal{F}(G'_i),\ \exists \rho \in \mathcal{F}(G_i) \text{ s.t. } \rho \approx \rho' \end{cases} \quad (1)$$
and
$$\begin{cases} \forall \rho \in P_i,\ \exists \rho' \in P'_i \text{ s.t. } \rho \approx \rho' \text{ and} \\ \forall \rho' \in P'_i,\ \exists \rho \in P_i \text{ s.t. } \rho \approx \rho' \end{cases} \quad (2)$$
where
$$P_i = \mathcal{L}(G_i) - \{\rho \in \mathcal{L}(G_i) \mid \exists \rho' \in \mathcal{F}(G'_i) \text{ s.t. } \rho \approx^F_i \rho'\}$$
$$P'_i = \mathcal{L}(G'_i) - \{\rho \in \mathcal{L}(G'_i) \mid \exists \rho' \in \mathcal{F}(G'_i) \text{ s.t. } \rho \approx^F_i \rho'\}$$
According to the above definition, for two SGs $G_i$ and $G'_i$,
$\mathcal{F}(G_i) = \emptyset$ iff $\mathcal{F}(G'_i) = \emptyset$, and all their non-failure paths
that do not have failure approximations in $\mathcal{F}(G'_i)$ are stutter
equivalent. The reason that paths with failure approximations
in $\mathcal{F}(G'_i)$ are not considered in the definition is that these paths
are redundant in terms of finding failures.
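Definitions 2.4 and 2.5 applied to concrete traces, as an added example that is not from the paper: the projection t/X, the autofailure prefix Pref_AF, stutter equivalence and failure approximation are implemented over traces of G1 from Fig. 3, for which Intf_1 = {t13, t14, t33, t34} and Ext_1 = {t33, t34}. The function names are this example's own, a path is represented by its trace plus a failure flag rather than by its states, and the failure path and initial autofailure used as inputs are constructed for illustration, since the Fig. 2 system has no unsafe states.

```python
# Added example, not code from the paper or its authors: trace projection t/X, the
# autofailure prefix Pref_AF, stutter equivalence (Definition 2.4) and failure
# approximation (Definition 2.5). A path is modelled as (trace, is_failure), where the
# trace is a tuple of action names; the states along the path are not needed here.
INTF_1 = {"t13", "t14", "t33", "t34"}   # Intf_1 = A_1^vis ∪ Ext_1 for M1 of Fig. 2
EXT_1 = {"t33", "t34"}                  # Ext_1: the M3-actions that write z ∈ V1

def project(trace, X):
    """t/X: drop every action not in X, keeping the remaining ones in order."""
    return tuple(a for a in trace if a in X)

def pref_af(trace, is_failure, ext):
    """Pref_AF(rho): a non-failure path is its own prefix; a failure path is cut right
    after its last external action (an initial autofailure keeps the empty trace)."""
    if not is_failure:
        return tuple(trace)
    last = max((k for k, a in enumerate(trace) if a in ext), default=-1)
    return tuple(trace[:last + 1])

def stutter_equivalent(rho, rho2, intf=INTF_1, ext=EXT_1):
    """Definition 2.4: tr(Pref_AF(rho))/Intf_i = tr(Pref_AF(rho'))/Intf_i."""
    return project(pref_af(*rho, ext), intf) == project(pref_af(*rho2, ext), intf)

def failure_approximation(rho, rho2, intf=INTF_1):
    """Definition 2.5: the failure path rho' approximates rho iff
    tr(rho')/Intf_i is a prefix of tr(rho)/Intf_i."""
    a, b = project(rho2[0], intf), project(rho[0], intf)
    return bool(rho2[1]) and b[:len(a)] == a

# Constructed paths of G1 (Fig. 3): one full cycle p0 -> ... -> p0, and the same cycle
# with the invisible M1-actions t11 and t12 removed, as a reduced G1' would show it.
RHO_FULL = (("t34", "t11", "t14", "t33", "t12", "t13"), False)
RHO_REDUCED = (("t34", "t14", "t33", "t13"), False)
# Constructed failure paths (the paper's example has none): suppose a variant of M1
# reaches an unsafe state through local actions after t33, its last external action.
RHO_FAIL = (("t34", "t11", "t14", "t33", "t12"), True)
RHO_FAIL2 = (("t34", "t14", "t33", "t11", "t12"), True)   # differs only after t33
RHO_INIT_AF = (("t11",), True)                            # no external action at all

def demo():
    """Collect the checks a reader would run by hand on the constructed paths."""
    return {
        "reduced ~ full": stutter_equivalent(RHO_FULL, RHO_REDUCED),
        "fail ~ fail2 (same autofailure prefix on Intf_1)": stutter_equivalent(RHO_FAIL, RHO_FAIL2),
        "fail approximates full": failure_approximation(RHO_FULL, RHO_FAIL),
        "Pref_AF(fail)": pref_af(*RHO_FAIL, EXT_1),
        "Pref_AF(initial autofailure)": pref_af(*RHO_INIT_AF, EXT_1),
    }
```

Running demo() shows that the reduced and full cycles project to the same Intf_1 trace (t34 t14 t33 t13), that the two constructed failure paths are stutter equivalent because only their autofailure prefixes are compared, and that the failure path's projected trace (t34 t14 t33) is a prefix of the full cycle's, which is exactly the failure approximation of Definition 2.5.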
Next, the preservation of the SG equivalence by the parallel
composition is considered. Consider $G_1 \| G_2$ for $M_1 \| M_2$. If
there is another SG $G'_1$ such that $G_1 \approx G'_1$, then the following
property shows that the behavior of the composition of two
SGs remains unchanged if one of the SGs is replaced with
another equivalent one.
$$G_1 \| G_2 \approx G'_1 \| G_2. \quad (3)$$
The complete proof for Property 3 involves constructing
paths in $G_1 \| G_2$ and $G'_1 \| G_2$ from the paths in $G_1$, $G'_1$ and
$G_2$, respectively, by following Definition 2.3, and showing that
they are stutter equivalent or one is a failure approximation to
the other. It is mechanical and long, and omitted due to the
page limit. Instead, this property can be intuitively understood
with the following argument.
Let $A_{12} = (A_1 \cap Ext_2) \cup (A_2 \cap Ext_1)$. Also, let $\rho_1 \in \mathcal{F}(G_1)$
and $\rho'_1 \in \mathcal{F}(G'_1)$ such that $\rho_1 \approx^F_1 \rho'_1$. Note that this step
always succeeds as $G_1 \approx G'_1$. Also, let $\rho_2 \in \mathcal{L}(G_2) \cup \mathcal{F}(G_2)$
such that $tr(\rho_1)/A_{12} = tr(\rho_2)/A_{12}$ and $tr(\rho'_1)/A_{12}$ is a prefix
of $tr(\rho_2)/A_{12}$. Compose $\rho_1$ and $\rho_2$ first. If there are two
transitions on $\rho_1$ and $\rho_2$, respectively, in a composite state
during the composition such that their actions are not in $A_{12}$,
one is selected to build the composite state transition and the
next composite state. Remember the order of all selections
made when composing $\rho_1$ and $\rho_2$. Let $\rho$ be the resulting path
from composing $\rho_1$ and $\rho_2$ following that order of action
selections. Then, apply the same order of action selections
when $\rho'_1$ and $\rho_2$ are composed, and let $\rho'$ be the resulting path.
It can be seen that $\rho$ and $\rho'$ have the same trace on $Intf_1 \cup A_2$
up to the last action in $tr(\rho'_1)$. Since $\Sigma(\imath_1, \imath_2) = \Sigma(\imath'_1, \imath_2)$,
$\rho'$ is a failure approximation to $\rho$ by Definition 2.5. The
same conclusion can be drawn for the above two compositions
with all possible orders of action selections. Applying the same
argument to all paths $\rho_1 \in \mathcal{F}(G_1)$ and $\rho'_1 \in \mathcal{F}(G'_1)$ and
to all paths in $\mathcal{F}(G_2)$, it can be seen that Condition 1 in
Definition 2.6 holds.
Similarly, applying the same argument to paths in $\mathcal{L}(G_1)$
and $\mathcal{L}(G'_1)$, and to the paths in $\mathcal{L}(G_2)$, Condition 2 in
Definition 2.6 can be shown to hold. Therefore, Property 3
can be shown to hold by Definition 2.6.
III. LOCAL STATE GRAPH CONSTRUCTION
This section describes an approach for constructing local
state graphs for a concurrent system. This approach reduces
complexity by not considering interleavings of the invisible
state transitions from different components. This paper generalizes the method described in [41] for asynchronous circuit
verification to the system models and state graphs in Section II.
Consider a concurrent system M = ∥1≤i≤n Mi. The local
state graph construction method builds a SG Gi for each
component Mi from an empty context, and gradually expands
it by including all states and state transitions allowed by its
neighboring components. The main idea is as follows. Initially,
the value of the shared variables that each component depends
on is fixed to be what is defined in the initial state. Then, this
method iteratively performs the following two steps.
1) For every individual component, ignore the changes on
the shared variables caused by other components, and
use the standard state space search method such as the
one shown in Algorithm 1 to find all states and state
transitions as defined.
2) For every two local state graphs, Gi and Gj, if the
above step finds a new state transition (sj, α, s'j) in Gj
such that ext(Mi, α) holds, then a state transition on
α reflecting the changes on the shared variables as in
(sj, α, s'j) is added to Gi. Adding these external state
transitions into Gi may introduce new states and state
transitions. Then, apply step 1 again.
The above two tasks are performed repeatedly until no new
state transitions can be added to any local state graph.

Algorithm 2: findLocalSG(M1, . . . , Mn)
Input: Mi = (Vi, initi, Ai), 1 ≤ i ≤ n: components.
Output: Gi (1 ≤ i ≤ n): local state graph for Mi.
1  foreach Mi do
2      Create a SG Gi := DFS(Mi);
3      newi := true;
4  while ∨1≤i≤n newi do
5      foreach 1 ≤ i ≤ n do
6          new'i := false;
7          foreach 1 ≤ j ≤ n s.t. i ≠ j do
8              if ((newi ∨ newj) ∧ ∃α ∈ Aj s.t. ext(Mi, α)) then
9                  expand(Mi, Gi, Gj);
10                 if new transitions are added into Gi then
11                     new'i := true;
12     foreach 1 ≤ i ≤ n do
13         newi := new'i;

Algorithm 3: expand(Mi, Gi, Gj)
Input: Mi = (Vi, initi, Ai).
Input: Gχ = (Sχ, initχ, Rχ), χ ∈ {i, j}.
Output: Gi expanded with external transitions from Gj.
1  C := Vi ∩ Vj;
2  foreach (sj, α, s'j) ∈ Rj ∧ α ∈ Aj ∧ ext(Mi, α) do
3      foreach si ∈ Si do
4          if $s_i \stackrel{C}{=} s_j$ then
5              Create a new state s'i such that $s'_i \stackrel{C}{=} s'_j \wedge s'_i \stackrel{V_i - C}{=} s_i \wedge s'_i(safe_i) = s'_j(safe_j)$;
6              Ri := Ri ∪ (si, α, s'i);
7              if s'i ∉ Si then
8                  Si := Si ∪ s'i;
9                  if s'i(safe i) = 0 then
10                     Fi := Fi ∪ {s'i};
11                 else
12                     DFS(Mi, Gi, s'i);

Algorithm 2 shows this method at the top level where
the input is the set of components of a concurrent system,
and the output is the set of the generated local state graphs.
Initially, a local state graph Gi is generated for each individual
component Mi using the DFS as shown in Algorithm 1
without considering how other components might change the
shared variables (line 2). Each Gi is also assigned with a
variable newi to indicate if it is expanded with new state
transitions (line 3). As long as any newi is true, the algorithm
repeats the steps in lines 4–15. For every Gi and Gj such
that Gj includes state transitions that are external to Gi and
some new state transitions are added into at least one of them,
function expand(Gi, Gj) is called to factor the changes on
the shared variables from Gj into Gi. If Gi is expanded with
new state transitions, variable new'i is set to true to prepare
for the next iteration.
Function expand is defined in Algorithm 3. It takes as input
a component, Mi, and two local state graphs, Gi and Gj, and
considers every state transition (sj, α, s'j) in Gj such that α is
external to Gi, and it is checked against every state si in Gi. If
si and sj are consistent on their shared variables C = Vi ∩ Vj,
a new state s'i and a new external state transition (si, α, s'i)
are added into Gi such that $s'_i \stackrel{C}{=} s'_j$ while $s'_i \stackrel{V_i - C}{=} s_i$. The
rationale behind this operation is as follows. The state of the
invisible variables of Gj is not visible to Gi, and from the
point of view of Gi, it only knows that whenever the values
of the shared variables in C are those in sj, their values may
be changed to those in s'j after α is executed in Gj. The
changes on the shared variables are carried over to Gi as
external state transitions, which may cause some new states to
be added into Gi. If so, a state space search procedure modified
from Algorithm 1 is applied to Gi to find all reachable states
and state transitions from these new states, and add them
into Gi. This procedure, DFS(Mi, Gi, s'i), takes as input a
component description, Mi, its state graph, Gi, and a state,
s'i, performs the standard depth-first search, and expands Gi
with new reachable states and state transitions from s'i. Since
this algorithm is very similar to Algorithm 1, it is omitted.
Now consider an example where the above algorithms are
applied to build the local state graphs for the simple concurrent
system as shown in Fig. 2. The partial local state graphs generated during the course of applying these algorithms are shown
in Fig. 5. The local state graphs in Fig. 5(a) are the results of
applying Algorithm 1 to individual components ignoring all
other components at the beginning of Algorithm 2. In the first
iteration, since G1 and G2 have transitions external to G3 , and
vice versa, Algorithm 3 is applied to pairs consisting of G3 and
either G1 or G2 . expand(G3 , G1 ) and expand(G3 , G2 ) have
no effect on G3 as G1 and G2 do not have any state transitions.
expand(G1 , G3 ) and expand(G2 , G3 ) add an external state
transition on t34 to G1 and G2 , respectively. These external
state transitions subsequently result in more local states added
into G1 and G2 . The partial local state graphs after the
first iteration are shown in Fig. 5(b). In the next iteration,
expand(G3 , G1 ) and expand(G3 , G2 ) add more external state
transitions into G3 , and subsequently more states are found for
G3 as a result. The partial local state graphs after the second
iteration are shown in Fig. 5(c). After two more iterations,
every local state graph reaches a fixpoint, and the algorithms
terminate. The final local state graphs are shown in Fig. 3.
The following lemma shows that the global SG as the parallel composition of the local state graphs, Gi, constructed with Algorithm 2 for $\|_{1 \le i \le n} M_i$ is the same as the global SG constructed directly from $\|_{1 \le i \le n} M_i$ with Algorithm 1.
Lemma 3.1: Let $M = \|_{1 \le i \le n} M_i$ be a concurrent system, and G = DFS(M). If Gi are local state graphs constructed for Mi with Algorithm 2, then the following statement is true: $G = \|_{1 \le i \le n} G_i$.

Proof: Let $G' = \|_{1 \le i \le n} G_i$ and $V = \bigcup_{1 \le i \le n} V_i$. Obviously, ı = ı' as both are Σ(ı1, . . . , ın).
Consider an arbitrary state transition (ı, α, s) in G such that s = α(ı) in G. Suppose α is a Mi-action. Then, $s \overset{V_i}{=} \alpha(\imath)$ and $s \overset{V - V_i}{=} \imath$. We need to show that state transition (ı', α, s') such that $s' \overset{V_i}{=} \alpha(\imath')$ and $s' \overset{V - V_i}{=} \imath'$ exists in G'. Since α is a Mi-action, (ıi, α, s'i) such that s'i = α(ıi) exists in Gi. Then, for every 1 ≤ j ≤ n such that j ≠ i,
• If ext(Mj, α) holds, (ı'j, α, s'j) exists in Gj by Algorithm 3 such that $s'_j \overset{V_i \cap V_j}{=} s'_i \wedge s'_j \overset{V_j - V_i}{=} \imath'_j$.
• If ext(Mj, α) does not hold, s'j = ı'j.
By Definition 2.3, a state s' = Σ(s'1, . . . , s'n) and a state transition (ı', α, s') are added into S' and R' of G' such that $s' \overset{V_i}{=} \alpha(\imath') \wedge s' \overset{V - V_i}{=} \imath'$.
This implies s = s'.
Therefore, for every action α, R(ı, α, s) holds iff R(ı', α, s') holds such that s = s'. Add s into S, and s' into S'. Also note that si(safe_i) = 0 iff s'i(safe_i) = 0. Therefore, s is added into F iff s' is added into F'.
Then, for each pair of such successor states s and s' of ı and ı', respectively, we can show that s and s' have the same set of outgoing state transitions and the same set of successor states based on the similar reasoning for the initial states. By applying such reasoning recursively on the new pairs of states, eventually, we can show that S = S', ı = ı', R = R', and F = F', thus G = G'.

[Figure not reproduced in text] Fig. 5. Figures in (a)-(c) show the partial local state graphs generated in the first few steps when running Algorithm 2.

Algorithm 4: afr(Gi)
Input: An SG Gi = (Si, ıi, Ri, Fi) for component Mi = (Vi, initi, Ai).
Output: Gi after autofailure reduction.
    foreach bad ∈ Fi do
        foreach (s1, α, s2) ∈ Ri such that s2 = bad do
            if s1 = ıi and α is a Mi-action then
                return ({ıi}, ıi, ∅, {ıi});
            if α is a Mi-action then
                Ri := Ri − (s1, α, s2);
                s1(safe_i) := 0;
                Fi := Fi ∪ {s1};
    Remove unreachable states and transitions;
IV. S TATE G RAPH R EDUCTIONS
The state graph of a system can be obtained by composing
the local state graphs after they are constructed as shown

in the last section. However, directly composing the local
state graphs defeats the purpose of compositional construction
in that the interleaving of the invisible state transitions can
cause the state space to explode quickly during the parallel
composition. To address this problem, this section presents
several state graph reductions to simplify the local state graphs
before they are composed in order to control the complexity.
It is shown that the reduced state graphs are equivalent to the
original ones. This implies that any safety properties hold or
fail in the reduced state graphs if, and only if, they hold or
fail in the original ones without using the reductions.
A. Autofailure Reduction
Autofailure reduction is to replace a failure trace, ρ, with a
new failure trace PrefAF (ρ) where the local actions preceding
the failure state are removed. The idea of autofailure reduction
is introduced in [21], but it is only used to canonicalize trace
structures for hierarchical verification. Autofailure reduction
is first adopted as part of an interface refinement method for
modular model checking in [39]. In this paper, it is integrated
with other reductions into this framework.
Algorithm 4 shows how autofailure reduction works. For
each state transition (s1 , α, s2 ) such that s2 is a failure state,
it is skipped if α is an external action; otherwise, it is removed,
and s1 is changed to a failure state. The algorithm repeats until
all transitions entering the set of failure states are on external
actions, or a transition (s1 , α, s2 ) is encountered where s1 is
the initial state and α is a local action. In the latter case,
an empty state graph with a single initial failure state is
returned to indicate that the corresponding component can fail
irrespective of how the environment behaves.
The following lemma shows that the state graph after the
autofailure reduction is equivalent to the original one.
Lemma 4.1: Let Gi be a local state graph for component Mi in $\|_{1 \le i \le n} M_i$. Then, the following statement holds: Gi ≈ afr(Gi).
Proof: afr(Gi ) = Gi if Fi of Gi is empty or all state transitions in Ri that enter Fi are on external actions. Therefore,
Gi ≈ afr(Gi ).
Now, suppose that Gi contains (s1, α, s2) such that α is a Mi-action, and s2 ∈ Fi. Let ρ be a failure path in Gi such that tr(ρ) = α0 . . . αn and sn ∈ Fi. Suppose that all actions αi in tr(ρ) such that k + 1 ≤ i ≤ n (k ∈ {0} ∪ Z+ and 0 ≤ k ≤ n) are Mi-actions. With Algorithm 4, ρ can reduce to become ρ' such that tr(ρ') = α0 . . . αk and sk ∈ Fi. This shows that for every ρ ∈ F(Gi), there is a ρ' ∈ F(afr(Gi)) such that ρ ≈_{Fi} ρ'. From the above discussion, it can be seen that for every such ρ' ∈ F(afr(Gi)), there is a ρ ∈ F(Gi) such that PrefAF(ρ) = ρ'. Therefore, this proves Condition (1) in Definition 2.6.
Next, consider every path ρ ∈ L(Gi) that does not have a failure approximation in F(afr(Gi)). No state on ρ is converted to a failure state by Algorithm 4, therefore ρ exists in afr(Gi). Since every non-failure path in afr(Gi) exists in Gi, this shows that Condition (2) in Definition 2.6 holds. Hence, Gi ≈ afr(Gi).
As an example, consider a modified version of the model in Fig. 2 that allows action t33 in M3 to execute right after t34, and adds an action t15 into M1 such that it causes an assertion failure when state (z = 0, v = 0, y = 0) is reached in M1. The partial state graph for the modified M1 is shown in Fig. 6(a). The state labeled with π is a failure state. In this state graph, when t33 is executed in state p2, a new state p6 = (z = 0, v = 0, y = 0) is reached where three actions, t12, t14 and t15, are enabled. After executing t15, a failure state is reached. Actually, the root cause of this failure is the execution of t33 in state p2. After autofailure reduction, p6 is converted to a failure state, while states reachable from p6 are removed. The reduced state graph is shown in Fig. 6(b).

[Figure not reproduced in text] Fig. 6. (a) The state graph for the modified M1 in Fig. 2, (b) The resulting state graph after autofailure reduction.
B. Stutter Equivalent Reduction
The interleaving of invisible state transitions in different
local state graphs is the major source for state explosion during
parallel composition. The traditional abstraction techniques
collapse the invisible state transitions into single states [12].
This often introduces extra paths and false failures. To address
this problem, this paper presents the stutter equivalent reduction. The basic idea is to remove all invisible state transitions
in a state graph while maintaining the same set of stutter
equivalent paths with respect to its interface. As a result, it
produces a stutter equivalent path with only visible transitions
for each path in a state graph. Alternatively, it can be viewed as
a step of shortening a given path by passing over the invisible
transitions, but it does not introduce any new paths. Therefore,
no false failures can be created.

Algorithm 5: ser(Gi)
    foreach (s1, α1, s2) ∈ Ri s.t. α1 ∉ Intf_i do
        Ri := Ri − {(s1, α1, s2)};
        if s2 ∈ Fi then
            Fi := Fi ∪ {s1};
        else
            reducePath(Gi, s1, s2);
    Remove all invisible state transitions from Gi;
    Remove unreachable states and state transitions from Gi;

Algorithm 6: reducePath(Gi, s1, s2)
    foreach (s2, α2, s3) ∈ Ri do
        if α2 ∈ Intf_i then
            Ri := Ri ∪ {(s1, α2, s3)};
        else
            Ri := Ri − {(s2, α2, s3)};
            if s3 ∈ Fi then
                Fi := Fi ∪ {s1};
            else
                reducePath(Gi, s1, s3);

Algorithm 5 shows the top level procedure ser(Gi ) for
stutter equivalent reduction on a state graph Gi . For each
invisible state transition (s1 , α1 , s2 ), it searches forward from
s2 following invisible state transitions in a depth-first manner
until a visible transition or a failure state π is encountered.
If a failure state is encountered after a sequence of invisible
state transitions are traversed, s1 is converted to a failure state.
Otherwise, Algorithm 6 creates a new visible transition to
replace the sequences of invisible state transitions traversed,
and it is added into Ri . After all invisible transitions are
handled, they are removed from Gi . Consequently, some other
states and transitions may become unreachable, and are also
removed.
Fig. 7 shows an example of how an SG in Fig. 7(a) is reduced
by stutter equivalent reduction to become the one shown in
Fig. 7(b). In this example, suppose all invisible transitions are
labeled by ζ. Then, for each visible transition from states si+1 ,
sj+1 , and sk+1 , a new transition is created for states si , sj , and
sk , respectively. Six new state transitions are added to preserve
the same visible behavior. In this case, only three invisible
transitions are removed. Therefore, without further reduction,
the reduced SGs can actually be more complex with more
transitions added. In the next section, algorithms are described
to identify and remove redundancies in the reduced SGs.
The following lemma asserts that a SG and the one resulting
from the stutter equivalent reduction are equivalent.
Lemma 4.2: Given a state graph Gi , Gi ≈ ser(Gi ).
Proof: The proof is based on how procedure ser(Gi) works. It is straightforward to see that for every path ρ in Gi that does not include any invisible transitions, the same path also exists in ser(Gi). For a path $\rho = \ldots s_i \xrightarrow{\alpha_i} s_{i+1} \xrightarrow{\alpha_{i+1}} s_{i+2} \ldots$ such that αi is invisible, there exists a path $\rho' = \ldots s_i \xrightarrow{\alpha_{i+1}} s_{i+2} \ldots$ in ser(Gi), and ρ ≈ ρ'.
Conversely, for every path $\rho' = \ldots s_i \xrightarrow{\alpha_{i+1}} s_{i+2} \ldots$ in ser(Gi), either the same path exists in Gi, or it is reduced from a path $\rho = \ldots s_i \xrightarrow{\alpha_i} s_{i+1} \xrightarrow{\alpha_{i+1}} s_{i+2} \ldots$ in Gi such that αi is invisible, and it holds that ρ ≈ ρ'.

[Figure not reproduced in text] Fig. 7. In the figures, invisible transitions are labeled with ζ. (a) An example SG with invisible state transitions. (b) The SG from (a) after the observably equivalent reduction handles an invisible transition (si, si+1). (c) The SG from (a) after all invisible transitions are handled and removed.

[Figure not reproduced in text] Fig. 8. (a) An example state graph with a failure state. (b) The state graph from (a) after the stutter equivalent and the failure equivalent reductions with the unreachable state si removed.
C. Failure Equivalent Reduction
The stutter equivalent reduction in the last section can
introduce nondeterminism. Nondeterminism exists if there are
two state transitions (s, α1 , s1 ) and (s, α2 , s2 ) such that α1 =
α2 and s1 6= s2 . This is a result from the reduction while
preserving the equivalence, and often leads to redundancy.
Therefore, removing such redundancy can simplify the complexity of the state graphs.
This section considers a simple form of redundancy due to
nondeterminism based on the following understanding: if the
same action executed in a state may or may not cause a failure
nondeterministically, it is always regarded as causing a failure.
It is formalized in the following definition.
Definition 4.1: Let (s, α1 , s1 ) and (s, α2 , s2 ) be two state
transitions in a state graph G such that s2 ∈ F and s1 6= s2 .
(s, α1 , s1 ) is failure equivalent to (s, α2 , s2 ) if α1 = α2 .
Failure equivalent transitions are redundant in that their
existence does not affect the verification results, therefore, they
can simply be removed. Consequently, all the resulting unreachable states are also removed, leading to more reductions.
Let fer(G) be a procedure to remove failure equivalent
transitions in G. The following lemma asserts that the reduced
state graph is equivalent to the original one.
Lemma 4.3: Given a state graph G, G ≈ fer(G).
The proof is obvious, and not shown due to the page limit.
Fig. 8 shows an example of failure equivalent transitions. Fig. 8(a) is an example state graph. After the stutter equivalent reduction, there are two nondeterministic state transitions in the resulting state graph: (sj, αj, sk) and (sj, αj, π). (sj, αj, sk) is redundant as it is failure equivalent to (sj, αj, π). After it is removed by the failure equivalent reduction, sk becomes unreachable, and is also removed. The reduced state graph is shown in Fig. 8(b).
D. Bisimulation Equivalent Reduction
Algorithm 7: Reduce(G)
    G = afr(G);
    G = ser(G);
    G = fer(G);
    G = eqr(G);
    return G;

The stutter equivalent reduction removes all invisible state transitions from state graphs, therefore all paths in the reduced state graphs are stutter free. The reduced state graph often contains a lot of redundancies. The failure equivalent reduction described in the last section only handles a special case of such redundancies. This section considers removing redundant states in general. Two states are redundant if every path from one state has a stutter equivalent path from the other state, and vice versa.
To remove all redundant states, we use an algorithm to
compute the bisimulation quotient of the state graphs as
described in [3], and this reduction is referred to as eqr(G) in
this paper. The following lemma is the direct result of the well
known fact that a state transition model and its bisimulation
quotient are path equivalent.
Lemma 4.4: Given a state graph G, and let eqr(G) return
the bisimulation quotient of G. G ≈ eqr(G).
Proof: Directly from Lemma 7.6 in [3].
E. Overall Reduction
All these reductions are integrated into a single reduction
function Reduce(G) in Algorithm 7 which is used in compositional minimization. In function Reduce(G), the autofailure
reduction is applied first as it can remove a lot of states
and state transitions while preserving all failure paths. This
may lead to a lower complexity in state graphs, making
the following steps simpler. The failure equivalent reduction
and the bisimulation quotient computing are applied after the
stutter equivalent reduction. This is because the redundancies
are mainly introduced after the stutter equivalent reduction
is applied. The following theorem shows that using these
reductions together results in a reduced SG that is equivalent
to the original one.
Theorem 4.1: Given a state graph G, G ≈ Reduce(G).
Proof: By Lemma 4.1, 4.2, 4.3, and 4.4.
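The reductions of Sections IV-A through IV-C, composed in the order of Algorithm 7, as an added Python example that is not code from the paper or from Platu. The SG class, the constructed sample graph, the treatment of a failure state as a sink (taken from the Fig. 6 walk-through) and the omission of the eqr(G) step are this example's own assumptions.

```python
"""Added example, not code from the paper or Platu: afr (Algorithm 4), ser
(Algorithms 5/6) and fer (Definition 4.1) on a constructed state graph; eqr omitted."""
import copy
from dataclasses import dataclass

PI = "pi"  # the failure state written as π in the paper

@dataclass
class SG:
    """State graph (S, init, R, F) plus the owning component's action sets."""
    states: set
    init: str
    trans: set      # R: set of (s1, action, s2)
    fail: set       # F: failure states
    interface: set  # Intf_i: visible actions shared with the environment
    local: set      # M_i-actions; every other action is external

    def mark_failure(self, s):
        # Assumption (paper's Fig. 6 walk-through): a failure state is a sink.
        self.fail.add(s)
        self.trans = {t for t in self.trans if t[0] != s}

    def prune(self):
        """Drop states and transitions that are unreachable from init."""
        seen, stack = {self.init}, [self.init]
        while stack:
            s = stack.pop()
            for s1, _, s2 in self.trans:
                if s1 == s and s2 not in seen:
                    seen.add(s2)
                    stack.append(s2)
        self.states &= seen
        self.fail &= seen
        self.trans = {t for t in self.trans if t[0] in seen}

def afr(g):
    """Algorithm 4: push a failure back over the local actions preceding it."""
    g = copy.deepcopy(g)
    work = list(g.fail)
    while work:
        bad = work.pop()
        for s1, a, s2 in sorted(g.trans):
            if s2 != bad or a not in g.local:
                continue  # transitions on external actions into a failure are kept
            if s1 == g.init:  # the component can fail regardless of its environment
                return SG({g.init}, g.init, set(), {g.init}, g.interface, g.local)
            if s1 not in g.fail:
                g.mark_failure(s1)
                work.append(s1)
    g.prune()
    return g

def ser(g):
    """Algorithms 5 and 6: bypass each run of invisible transitions with the
    visible transition that ends it, then delete the invisible transitions."""
    g = copy.deepcopy(g)

    def reduce_path(s1, s2, seen):  # Algorithm 6
        for _, a2, s3 in [t for t in g.trans if t[0] == s2]:
            if a2 in g.interface:
                g.trans.add((s1, a2, s3))  # new visible transition from s1
            elif s3 in g.fail:
                g.mark_failure(s1)         # invisible run reaches a failure
                return
            elif s3 not in seen:           # guard against invisible cycles
                reduce_path(s1, s3, seen | {s3})

    for s1, a1, s2 in sorted(g.trans):
        if a1 in g.interface or (s1, a1, s2) not in g.trans:
            continue
        if s2 in g.fail:
            g.mark_failure(s1)
        else:
            reduce_path(s1, s2, {s1, s2})
    g.trans = {t for t in g.trans if t[1] in g.interface}
    g.prune()
    return g

def fer(g):
    """Definition 4.1: if action a from s may reach a failure, drop (s, a, s') with s' not a failure."""
    g = copy.deepcopy(g)
    for s, a, s2 in sorted(g.trans):
        if s2 in g.fail:
            g.trans = {t for t in g.trans
                       if not (t[0] == s and t[1] == a and t[2] not in g.fail)}
    g.prune()
    return g

def reduce_sg(g):
    """Algorithm 7 without the eqr(G) step."""
    return fer(ser(afr(g)))

def example_sg():
    """Constructed input: from s1, visible b reaches s6, or invisible local z reaches
    s2, from which visible b reaches s3; s3 fails on local action l."""
    return SG(states={"s0", "s1", "s2", "s3", "s6", PI}, init="s0",
              trans={("s0", "a", "s1"), ("s1", "b", "s6"), ("s1", "z", "s2"),
                     ("s2", "b", "s3"), ("s3", "l", PI)},
              fail={PI}, interface={"a", "b"}, local={"z", "l"})
```

On the sample graph afr turns s3 into the failure state, ser adds (s1, b, s3) in place of the invisible step through s2, and fer then drops the failure equivalent alternative (s1, b, s6), leaving only s0 →a s1 →b s3.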
[Figure not reproduced in text] Fig. 9. Local state graphs reduced from those in Fig. 3.

[Figure not reproduced in text] Fig. 10. The reduced global state graph by the parallel composition of the reduced local state graphs in Fig. 9.

The following theorem asserts that the reduced global state graph by the parallel composition of the reduced local state graphs is equivalent to the global state graph obtained directly for the whole system.
Theorem 4.2: Let $M = \|_{1 \le i \le n} M_i$ be a concurrent system, and G = DFS(M). If Gi are local state graphs constructed for Mi with Algorithm 2, then the following statement is true: $G \approx \|_{1 \le i \le n} Reduce(G_i)$.
Proof: By Property 3, Lemma 3.1, and Theorem 4.1.
F. Example
Refer to the state graphs shown in Fig. 3. After applying all
reductions described in this paper, they are reduced to the ones
as shown in Fig. 9. Composing these reduced local state graphs
results in the reduced global state graph as shown in Fig. 10.
This reduced global state graph contains 9 states, compared
to 20 states in the unreduced one for the same example as
shown in Fig. 4. Although this small example does not show
significant benefits from the reductions, for large designs this
compositional minimization framework often leads to dramatic
improvements in runtime and memory usage, and allows much
larger designs to be handled than what can be handled by the
monolithic methods.
V. E XPERIMENTAL R ESULTS
The compositional model checking framework presented in this paper has been implemented in a concurrent system verification tool, Platu, an explicit state model checker written in Java. Experiments have been performed on a set of examples, including several non-trivial asynchronous circuit designs: a first-in-first-out buffer design (fifo) in [32], a tree arbiter (arb) and a distributed mutual exclusion element (dme) in [21], a pipeline controller (pipectrl) in an asynchronous microprocessor design in [40], an asynchronous implementation of a memory management unit (mmu) in [34], and a number of models of mutual exclusion algorithms from [36]. There are a large number of models in [36]. Since Platu does not support channel communications, only the models without channels are selected. Furthermore, selected models that can be handled easily with the monolithic approach are also ignored.
In the experiments, the dme, arb, and fifo examples are partitioned according to their natural structures. In other words, each cell is a component. The pipectrl example is partitioned into five components, each of which contains ten logic gates.
The mmu example is partitioned by following the structure
provided in [34] where each component defines an output
that is used by other components. Each BEEM example is
organized as a network of communicating processes, therefore
each process is treated naturally as a component.
All models are run with both Platu and SPIN, a well known model checker that is widely used in various applications. For every model, each component is specified with several local properties that are guaranteed to hold. The purpose is to show that no failures are reported by Platu, as shown in previous sections. Moreover, this allows a comparison with SPIN on correct systems where the full state space needs to be traversed, as SPIN can find failures very fast.
In all experiments, upper bounds on time and memory are
set to 900 seconds and 2 GB. The results collected include
the actual runtime, memory usage, and the total number of
reachable states found at termination of the search algorithm.
All experiments are performed on a MacBook Pro notebook with an Intel dual-core processor. However, only a single thread is used for all experiments. The results are shown in Table I.
In the table, the first column shows the design names. For
asynchronous circuit implementations, a number is associated
to indicate the number of variables in the corresponding model.
For asynchronous circuit implementations, the variables used
in the models are Boolean. For the examples from the BEEM
benchmark, more information about their models can be found
in [36]. The columns under Monolithic show the results
from using the traditional DFS on the whole designs. The
columns under SPIN show the results from using the SPIN
model checker with partial-order reduction. The last three
columns under CompMin show the results from using Platu.
In these columns, Time is the total runtime, Mem is the
total memory used, and |S| shows the total number of states
found. Specifically, the column |S| under CompMin shows
the total number of states in the largest SG found during the
entire course of the compositional model checking process.
The largest SGs are recorded because their sizes in general
determine whether the whole process can be finished or not,
therefore, their sizes need to be carefully controlled. In cases
of time-out or memory-out, the corresponding entries in the
table are filled with −. Comparing the results from running
SPIN and Platu is not exactly fair as SPIN is implemented in
C while Platu is in Java, which usually has noticeably higher
memory overhead. Therefore, we believe if this framework is
implemented in C, the results could be further improved.
TABLE I
COMPARISON OF THE RESULTS FROM USING THE MONOLITHIC, PARTIAL-ORDER REDUCTION AND THE REDUCTION METHODS. TIME IS IN SECONDS, AND MEMORY IS IN MBS. |S| IS THE NUMBER OF STATES FOUND. FOR THE RESULTS UNDER COMPMIN, |S| IS THE NUMBER OF STATES OF THE LARGEST SG ENCOUNTERED DURING THE WHOLE COURSE OF COMPOSITIONAL MINIMIZATION.

                  |          Monolithic           |             SPIN              |         CompMin
Designs           |  Time      Mem       |S|      |  Time     Mem       |S|       |  Time    Mem    |S|
arbN3 (26)        |  0.315     2.4       3756     |  0.01     2.781     3756      |  0.087   3.89   52
arbN5 (44)        |  8.105     61.538    227472   |  1.35     71.695    227472    |  0.18    4.3    52
arbN7 (62)        |  −         −         −        |  −        −         −         |  0.46    6.61   52
arbN9 (80)        |  −         −         −        |  −        −         −         |  0.89    7.43   52
arbN15 (134)      |  −         −         −        |  −        −         −         |  1.33    9.87   52
fifoN3 (14)       |  0.119     4.8       644      |  0.01     2.195     644       |  0.015   3.39   20
fifoN5 (22)       |  0.733     16.253    20276    |  0.06     6.593     20276     |  0.017   3.62   20
fifoN8 (34)       |  199.353   845       3572036  |  27.2     1087.211  3572036   |  0.11    4.03   20
fifoN10 (42)      |  −         −         −        |  −        −         −         |  0.08    4.38   20
fifoN20 (82)      |  −         −         −        |  −        −         −         |  0.11    4.7    20
fifoN50 (202)     |  −         −         −        |  −        −         −         |  0.35    6.14   20
fifoN100 (402)    |  −         −         −        |  −        −         −         |  0.76    7.67   20
fifoN200 (802)    |  −         −         −        |  −        −         −         |  1.56    11.1   20
fifoN300 (1202)   |  −         −         −        |  −        −         −         |  3.02    14.3   20
dmeN3 (33)        |  3.589     26.1      267999   |  0.225    19.706    117270    |  0.15    9      248
dmeN4 (44)        |  1235      1032      15.7M    |  13.5     553.421   4678742   |  0.18    10.4   248
dmeN5 (55)        |  −         −         −        |  −        −         −         |  0.2     11.9   248
dmeN8 (88)        |  −         −         −        |  −        −         −         |  0.31    16.8   248
dmeN9 (99)        |  −         −         −        |  −        −         −         |  0.32    17.3   248
dmeN10 (110)      |  −         −         −        |  −        −         −         |  0.38    18.2   248
pipectrl (50)     |  −         −         −        |  −        −         −         |  0.84    7.8    864
mmu (55)          |  −         −         −        |  −        −         −         |  1.7     17.2   2812
at.3              |  37        283       1711621  |  3.9      167       1771622   |  11.7    220    1599744
at.4              |  102       1018      6597246  |  17       509       6597247   |  58      815    6461412
fischer.3         |  52        409       2896750  |  7.7      251       2896707   |  15      231    1676595
fischer.4         |  25        342       1272254  |  2.8      150       1272356   |  4.2     175    399256
fischer.6         |  312       1372      8237316  |  21       654       8321730   |  21.6    687    2192512
lamport.5         |  10        135       1066799  |  0.2      8.7       152131    |  3.5     49.6   94776
lamport.6         |  0.88      66        976246   |  0.9      68        976246    |  6.9     55     4960
lamport.7         |  −         −         −        |  9.6      305       4720821   |  31.9    291    1479156
Peterson.2        |  2         80        124704   |  0.15     77        114516    |  2.3     29     515
Peterson.3        |  3         92        170156   |  0.1      73        35142     |  2.3     31     754
Phils.6           |  −         −         −        |  −        −         −         |  0.37    10.9   96
Phils.8           |  −         −         −        |  −        −         −         |  0.45    11.2   96
syzmanski.3       |  18        174       1128424  |  1.59     118       998974    |  4.4     56     9632
syzmanski.4       |  20.4      282       2313863  |  3.7      179       2137070   |  3.9     52.8   6375
syzmanski.5       |  −         −         −        |  −        −         −         |  97      386    298054

From Table I, it can be seen that the traditional monolithic search method fails to finish quickly for most of the asynchronous circuit examples. This is understandable due to the state explosion problem. However, it is surprising to see that SPIN with partial-order reduction does not do any better. For all arb and fifo examples, SPIN cannot find any reduction, and the numbers of states found by SPIN are exactly the same as those found by the monolithic approaches for arb and fifo. For some dme examples, SPIN does slightly better in terms of reduction in the number of states. On the other hand, SPIN quickly uses up 2 GB memory for the other dme examples. One possible explanation is that the partial-order reduction implemented in SPIN relies on the information about transition independency, which is obtained by examining structures of the Promela models. Since these asynchronous circuit examples are connections of basic logic gates, it may be difficult for SPIN to extract sufficient transition independency information from their Promela models for effective reduction.
On the other hand, the approach described in this paper can finish all examples in the table quickly. For all arb, fifo, and dme examples with regular structures, the total runtime and memory usage grow polynomially in the number of components in the examples. For pipectrl and mmu with
irregular structures where SPIN fails, Platu finishes them quickly using a very small amount of runtime and memory. For the pipectrl example, a safety failure is found. The same safety failure is also found by the monolithic approach after about 30 minutes on a much more powerful machine.
TABLE II
EXPERIMENTS OF USING DIFFERENT ORDERINGS TO COMPOSE LOCAL SGS TO FORM THE GLOBAL REDUCED SG.

              |        CompMin           |        CompMin−1
Designs       |  Time   Mem    |S|       |  Time   Mem    |S|
pipectrl      |  0.84   7.8    864       |  8.1    22.3   4631
mmu           |  1.7    17.2   2812      |  15.9   63     47303
fischer.4     |  4.2    175    399256    |  33.4   721    1539684
syzmanski.4   |  3.9    52.8   6375      |  6.2    117    109715

The significant improvements from the above experiments are mainly due to the loosely coupled nature of the asynchronous circuit examples. For all arb, fifo, and dme examples, each component connects to two or three neighboring components with simple communication interfaces. This loosely coupled structure allows the reductions to remove significantly larger portions of the irrelevant details from the initial and the intermediate SGs before the final reduced global SG is constructed. Usually, the largest SGs encountered during the compositional model checking process are the ones generated initially from high-level descriptions. Take fifoN# as an example. This design is a number of buffer cells connected in a chain, and each cell interfaces with exactly two neighbors. Note that all invisible transitions of each component can be removed as all properties are local. First, G1 and G2 are reduced, and then composed to form G12. Then, all invisible transitions in this intermediate SG with respect to G3 are removed, resulting in G'12. Next, G'12 is composed with the reduced G3. The final reduced SG can be found by repeating these steps until all local SGs are composed. In each step, the size of the intermediate SGs is never larger than the size of the component SGs initially generated with the local SG construction method. For mmu, it has a more complex structure, and the interfaces of some components are more complex. In this case, the largest SG is encountered when constructing an intermediate SG, and more time and memory are required to finish this example even though it has a smaller number of state variables than some other examples.
The results from running the examples from the BEEM
benchmark show a similar situation, however, reduction is
not as impressive. All these examples are coupled much
more tightly than the previous asynchronous circuit examples.
For all BEEM examples, communications among different
processes are through shared variables, and there is little or
no internal behavior in each process. Take at.3 and at.4 as
examples. Each process has a very small number of invisible
variables, therefore each process SG cannot be reduced too
much. This leads to the final reduced SGs being almost
as large as the ones from running the monolithic search
on the entire models. In cases where SPIN can finish, it
can finish faster and use less memory. This is because the
compositional approach needs to construct the local SGs first
whose complexity can blow up as the shared variables are
usually not fully constrained. The other factors contributing to
the worse performance include the complexity of all the SG
reductions, especially the bisimulation quotient computation,
and the large size of the intermediate SGs during the SG
composition stage. On the other hand, even for these tightly
coupled examples, the limited reduction obtained still leads to
significant reduction in the overall runtime and total memory
required in comparison with the monolithic approach.
Among all the reduction techniques, two of those involve
local states that are failures. Both autofailure and failure
equivalent reductions can potentially trim large portions of
the state space, thus leading to significant reductions in the
complexity of the SGs. To show this point, mmu is run again,
but without using the above two reductions. The results are
much worse as now it takes 38.2 seconds and 496 MB memory
to build the reduced global SG with over 320, 000 states found
in the largest SG.
During the SG composition stage, it is critical to keep the
interface of the intermediate SGs as small and as constrained

as possible in order to contain the size of the intermediate SGs.
Therefore, the ordering for composing local SGs to form the
global reduced SG has a big impact on the overall performance
of the compositional method. To illustrate this point, several
examples are selected to run the compositional method again
but with different composition orderings. The results are
shown in Table II. For convenience, the results for the same
examples under method CompMin in Table I are copied into
Table II under the same name, while the results obtained
by using a different composition ordering are shown under
CompMin−1 also in Table II. In this experiment, the orderings
used to obtain the results in Table I are perturbed so that the
interface of the intermediate SGs is not tightly constrained.
From Table II, the results show that a slight change to the
composition orderings can cause significant negative impact
on the performance of this method. For example, finishing
fischer.4 now takes about 33 seconds and 721 MB memory
while with the better ordering it only takes about 4 second
and 175 MB memory to finish. The same pattern can be
observed for the other examples. Also note that there exist
other orderings that would cause this compositional method
not to be able to finish within the time and memory limits.
Therefore, it is critical to determine an appropriate composition ordering for any example to achieve good performance.
A fully automatic approach for selecting a good composition
order is described in [18]. For a composition strategy including
a bounded number of connected processes, heuristics in [18]
use a metric to estimate combined effect of the internal and
interleaving transitions created after the composition, and pick
the composition strategy with the highest metric score.
Platu can prove correctness for systems without any flaws
much more effectively. However, the framework implemented
in Platu carries noticeable overhead for constructing and
reducing local SGs. For faulty systems, failures can be shown
only after the reduced global SG is constructed at the end,
while the monolithic approach usually terminates after the first
failure is found. Therefore, a highly optimized model checker
like SPIN can often finish more quickly for systems with flaws.
Moreover, the performance of the presented framework
critically depends on the efficiency and effectiveness of the
local SG construction method. It works well for systems where
the interfaces among components are simple. If sophisticated
communications are used among components, the performance
of the local SG construction can become a bottleneck, or even
cause the whole framework to fail from the beginning. Take
anderson.2 from [36] as an example. This example has a tiny
state space, and the monolithic approach can finish it instantly.
However, the local SG construction uses up 2 GB of memory
and cannot finish building the local SGs for this example.
Peterson.4 in [36] is another such example. These negative results
indicate the need for a better and more effective local SG
construction method in order to make the presented framework
practical for a wider range of applications.
VI. RELATED WORK
Compositional verification is essential to address the state
explosion problem in model checking large systems. The
soundness and completeness of compositional verification are
proved systematically in [43] based on a CSP-like process-algebraic
language. Compositional methods can be roughly classified into
compositional reasoning and compositional minimization.
Assume-guarantee based compositional reasoning
[5], [14], [27], [28], [33] does not construct the global state
space. Instead, the verification of a system is broken into
separate analyses for each module of the system. The result
for the entire system is derived from the results of the verified
individual modules. When verifying each module, assumptions
about the environments with which the modules interact are
needed for sound verification, and must be discharged later.
The success of compositional reasoning relies on the discovery
of appropriate environment assumptions for every module.
This is typically done by hand. If the modules have complex
interactions with their environments, generating accurate
environment assumptions can be challenging. Therefore, the
requirement of manually finding assumptions has been a factor
limiting the practical use of compositional reasoning. The
semantic foundations of compositional state-based reasoning
about concurrency are presented in [19]. In recent years, various
approaches to automated assumption generation for compositional
reasoning have been proposed, and [6] provides a
survey of several major approaches. The framework presented
in [2] introduces a heuristic form of assume-guarantee
modular reasoning for asynchronous systems. In the learning-based
approaches, assumptions represented by deterministic
finite automata are generated with the L∗ learning algorithm
and analysis of local counter-examples [35], [1], [15], [25],
[11], [7], [24], [37]. The learned assumptions can result
in orders of magnitude reduction in verification complexity.
However, these approaches may generate assumptions with
too many states and fail verification in some cases [35], [1].
An automated interface refinement method is presented in
[39] where the models of the system modules are refined,
and the extra behavior is removed by extracting the interface
interactions among these modules. Although the capability of
compositional reasoning methods has been demonstrated by
verifying large examples, and advances of these methods have
demonstrated the ability to reason about a global property
represented as a conjunction of local specifications in
[31], it is difficult in general for them to handle inherently
global properties such as deadlock freedom. To address issues
with learning-based methods, [16], [4] present alternative
compositional reasoning methods based on computing local
invariants. These methods support checking deadlocks [4] or
arbitrary LTL properties [16].
Compositional minimization [10], [26], [30], on the other
hand, iteratively constructs the local model for each component
in a system, minimizes it, and composes it with the
minimized models of other components. Eventually, a reduced
global model is formed for the entire system where verification
is performed. To contain the size of the intermediate results,
user-provided context constraints are required. The need for
user-provided context constraints may also be a problem
because such constraints may be overly restrictive, thus
allowing real design errors to escape detection.
Similar work is also described in [12], [13]. Heuristics that
automatically determine the ordering of composition have been
proposed in [17] and [18] for action-based labeled transition
systems for process-algebraic languages. Compositional
minimization has been successfully used in the verification of
various systems [9], [8], [23], [38].
Compared to [15], [25], [7], this work allows global as
well as local properties to be verified, while the work in [15],
[25], [7] considers local properties specified for individual
components. This work is similar to [30]. However, [30] does
not specify how the individual component state transition
models are generated in the first place, whereas this
work uses a compositional reachability analysis to generate
component state transition models automatically [41]. Another
difference is that this work is based on a different state
transition model than the labeled transition systems used in
[15], [25], [7], [30]. Finally, compared to [26], the verification
method in this work is sound and complete, meaning that no
false counter-examples are possible.
VII. CONCLUSION
This paper presents a compositional verification framework
with a number of state graph reductions that lower the verification
complexity while neither introducing extra paths that might
cause false failures nor removing any essential behaviors. In
other words, the reduction methods are sound and complete.
Based on initial experimental results, these reductions work
well on a number of asynchronous circuit examples and the
models of several mutual exclusion algorithms from the BEEM
benchmark suite. Future work includes experiments on more
diverse examples, including communication protocols and multithreaded
programs, to fully demonstrate the framework's potential. Additionally,
it is necessary to develop effective approaches that
make abstract counter-examples in the reduced SG concrete
by recovering the reduced information for better debugging.
ACKNOWLEDGMENT
This material is based upon work supported by the National
Science Foundation under Grant No. 0930510 and 0930225.
Any opinions, findings, and conclusions or recommendations
expressed in this material are those of the authors and do
not necessarily reflect the views of the National Science
Foundation.
REFERENCES
[1] R. Alur, P. Madhusudan, and W. Nam. Symbolic compositional verification by learning assumptions. In Proc. Int. Conf. on Computer Aided Verification, volume 3576 of LNCS, pages 548–562. Springer-Verlag, 2005.
[2] N. Amla, E. A. Emerson, K. S. Namjoshi, and R. J. Trefler. Visual specifications for modular reasoning about asynchronous systems. In Proceedings of the 22nd IFIP WG 6.1 International Conference on Formal Techniques for Networked and Distributed Systems, FORTE '02, Houston, pages 226–242, London, UK, 2002. Springer-Verlag.
[3] C. Baier and J.-P. Katoen. Principles of Model Checking. MIT Press, Cambridge, Mass., 2008.
[4] S. Bensalem, M. Bozga, T.-H. Nguyen, and J. Sifakis. D-Finder: A tool for compositional deadlock detection and verification. In CAV, 2009.
[5] S. Berezin, S. Campos, and E. Clarke. Compositional reasoning in model checking. In COMPOS, volume 1536 of LNCS, pages 81–102. Springer-Verlag, Sept. 1998.
[6] S. Berezin, S. V. A. Campos, and E. M. Clarke. Compositional reasoning in model checking. In de Roever et al. [20], pages 81–102.
[7] M. Bobaru, C. S. Pasareanu, and D. Giannakopoulou. Automated assume-guarantee reasoning by abstraction refinement. In Proc. Int. Conf. on Computer Aided Verification, LNCS. Springer-Verlag, 2008.
[8] H. Boudali, P. Crouzen, B. R. Haverkort, M. Kuntz, and M. Stoelinga. Architectural dependability evaluation with Arcade. In DSN, pages 512–521. IEEE Computer Society, 2008.
[9] H. Boudali, P. Crouzen, and M. Stoelinga. A compositional semantics for dynamic fault trees in terms of interactive Markov chains. In ATVA, pages 441–456, 2007.
[10] D. Bustan and O. Grumberg. Modular minimization of deterministic finite-state machines. In Proceedings of the 6th International Workshop on Formal Methods for Industrial Critical Systems (FMICS'01), July 2001.
[11] S. Chaki, E. Clarke, N. Sinha, and P. Thati. Automated assume-guarantee reasoning for simulation conformance. In Proc. Int. Conf. on Computer Aided Verification, LNCS, pages 534–547. Springer-Verlag, 2005.
[12] S. Cheung and J. Kramer. Context constraints for compositional reachability analysis. ACM Transactions on Software Engineering and Methodology, 5(4):334–377, 1996.
[13] S. Cheung and J. Kramer. Checking safety properties using compositional reachability analysis. ACM Trans. Softw. Eng. Methodol., 8(1):49–78, 1999.
[14] E. Clarke, D. Long, and K. McMillan. Compositional model checking. In Proceedings of the 4th Annual Symposium on Logic in Computer Science, pages 353–362, Piscataway, NJ, USA, 1989. IEEE Press.
[15] J. Cobleigh, D. Giannakopoulou, and C. Pasareanu. Learning assumptions for compositional verification. In Proc. Int. Conf. on Tools and Algorithms for Construction and Analysis of Systems (TACAS), volume 2619 of LNCS, pages 331–346. Springer-Verlag, 2003.
[16] A. Cohen, K. S. Namjoshi, and Y. Sa'ar. SPLIT: A compositional LTL verifier. In Proc. of the 22nd Int. Conf. on Computer Aided Verification, CAV'10, pages 558–561. Springer-Verlag, 2010.
[17] P. Crouzen and H. Hermanns. Aggregation ordering for massively compositional models. In L. Gomes, V. Khomenko, and J. M. Fernandes, editors, ACSD, pages 171–180. IEEE Computer Society, 2010.
[18] P. Crouzen and F. Lang. Smart reduction. In Proceedings of the 14th International Conference on Fundamental Approaches to Software Engineering, FASE'11/ETAPS'11, pages 111–126, Berlin, Heidelberg, 2011. Springer-Verlag.
[19] F. S. de Boer and W. P. de Roever. Compositional proof methods for concurrency: A semantic approach. In de Roever et al. [20], pages 632–646.
[20] W. P. de Roever, H. Langmaack, and A. Pnueli, editors. Compositionality: The Significant Difference, International Symposium, COMPOS'97, Bad Malente, Germany, September 8–12, 1997, Revised Lectures, volume 1536 of Lecture Notes in Computer Science. Springer, 1998.
[21] D. Dill. Trace Theory for Automatic Hierarchical Verification of Speed-Independent Circuits. PhD thesis, Carnegie Mellon University, 1988.
[22] E. M. Clarke, O. Grumberg, and D. Peled. Model Checking. MIT Press, 2000.
[23] H. Garavel and H. Hermanns. On combining functional verification and performance evaluation using CADP. In L.-H. Eriksson and P. A. Lindsay, editors, FME, volume 2391 of Lecture Notes in Computer Science, pages 410–429. Springer, 2002.
[24] M. Gheorghiu, D. Giannakopoulou, and C. Pasareanu. Refining interface alphabets for compositional verification. In O. Grumberg and M. Huth, editors, Tools and Algorithms for the Construction and Analysis of Systems, volume 4424 of Lecture Notes in Computer Science, pages 292–307. Springer Berlin Heidelberg, 2007.
[25] D. Giannakopoulou, C. S. Pasareanu, and H. Barringer. Component verification with automatically generated assumptions. Automated Software Engineering, pages 297–320, 2005.
[26] S. Graf, B. Steffen, and G. Lüttgen. Compositional minimization of finite state systems using interface specifications. Formal Aspects of Computing, 8(5):607–616, 1996.
[27] O. Grumberg and D. Long. Model checking and modular verification. ACM Trans. on Prog. Lang. and Sys., 16(3):843–871, May 1994.
[28] T. Henzinger, S. Qadeer, and S. Rajamani. You assume, we guarantee: Methodology and case studies. In Proc. Int. Conf. on Computer Aided Verification, pages 440–451. Springer, 1998.
[29] G. J. Holzmann and D. Peled. An improvement in formal verification. In Proceedings of the 7th IFIP WG 6.1 International Conference on Formal Description Techniques VII, pages 197–211, London, UK, 1995. Chapman & Hall, Ltd.
[30] J. Krimm and L. Mounier. Compositional state space generation from LOTOS programs. In Proc. Int. Conf. on Tools and Algorithms for Construction and Analysis of Systems (TACAS), pages 239–258, London, UK, 1997. Springer-Verlag.
[31] A. Lomuscio, B. Strulo, N. G. Walker, and P. Wu. Assume-guarantee reasoning with local specifications. Int. J. Found. Comput. Sci., 24(4), 2013.
[32] A. J. Martin. Self-timed FIFO: An exercise in compiling programs into VLSI circuits. Technical Report 1986.5211-tr-86, California Institute of Technology, 1986.
[33] K. L. McMillan. A methodology for hardware verification using compositional model checking. Technical report, Cadence Berkeley Labs, 1999.
[34] C. J. Myers. Computer-Aided Synthesis and Verification of Gate-Level Timed Circuits. PhD thesis, Stanford University, 1995.
[35] W. Nam and R. Alur. Learning-based symbolic assume-guarantee reasoning with automatic decomposition. In Proc. Int. Symposium on Automated Technology for Verification and Analysis (ATVA), volume 4218 of LNCS, 2006.
[36] R. Pelánek. BEEM: Benchmarks for explicit model checkers. In Proc. of SPIN Workshop, volume 4595 of LNCS, pages 263–267. Springer, 2007.
[37] R. Singh, D. Giannakopoulou, and C. Pasareanu. Learning component interfaces with may and must abstractions. In T. Touili, B. Cook, and P. Jackson, editors, Computer Aided Verification, volume 6174 of LNCS, pages 527–542. Springer Berlin Heidelberg, 2010.
[38] F. Tronel, F. Lang, and H. Garavel. Compositional verification using CADP of the ScalAgent deployment protocol for software components. In E. Najm, U. Nestmann, and P. Stevens, editors, FMOODS, volume 2884 of Lecture Notes in Computer Science, pages 244–260. Springer, 2003.
[39] H. Yao and H. Zheng. Automated interface refinement for compositional verification. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 28(3):433–446, 2009.
[40] T. Yoneda and T. Yoshikawa. Using partial orders for trace theoretic verification of asynchronous circuits. In Proc. International Symposium on Advanced Research in Asynchronous Circuits and Systems. IEEE Computer Society Press, Mar. 1996.
[41] H. Zheng. Compositional reachability analysis for efficient modular verification of asynchronous designs. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 29(3), March 2010.
[42] H. Zheng, E. Rodriguez, Y. Zhang, and C. Myers. A compositional minimization approach for large asynchronous design verification. In Proc. of the 19th Int. Conf. on Model Checking Software, SPIN'12, pages 62–79, Berlin, Heidelberg, 2012. Springer-Verlag.
[43] J. Zwiers, W. P. de Roever, and P. van Emde Boas. Compositionality and concurrent networks: Soundness and completeness of a proof system. In W. Brauer, editor, ICALP, volume 194 of Lecture Notes in Computer Science, pages 509–519. Springer, 1985.

Hao Zheng received the M.S. and Ph.D. degrees in Electrical
Engineering from the University of Utah, Salt Lake City, UT, in 1998 and
2001, respectively. He worked as a research scientist for IBM
Microelectronics Division from 2001 to 2004 to help make model
checking a standard step in an ASIC design flow. He joined the
Computer Science and Engineering Department at the University of
South Florida in 2004, and currently he is an associate professor.
His research interests include formal methods in cyber-physical
system design and verification, parallel and distributed computing,
and reconfigurable computing. His recent research includes
developing algorithms and methods that make model checking
scalable to large complex systems. Dr. Zheng received an NSF
CAREER award in 2006, and a USF Outstanding Research Achievement
award in 2007.

Zhen Zhang received the B.E. degree in Electrical and Electronic
Engineering in 2007 from Dublin Institute of Technology, Dublin,
Ireland, and the M.Phil. degree in Computer Science in 2009 from the
University of Manchester, Manchester, United Kingdom. He is
currently pursuing his Ph.D. degree at the University of Utah, Salt
Lake City, UT. His research interest is in the stochastic
verification of cyber-physical systems. His current research is on
the theory and algorithmic implementation of state space reduction
techniques for the model checking of large concurrent systems.

Chris J. Myers received the B.S. degree in Electrical Engineering and
Chinese history in 1991 from the California Institute of Technology,
Pasadena, CA, and the M.S.E.E. and Ph.D. degrees from Stanford
University, Stanford, CA, in 1993 and 1995, respectively. He is a
Professor in the Department of Electrical and Computer Engineering,
University of Utah, Salt Lake City, UT. Dr. Myers is the author of
over 120 technical papers and the textbooks Asynchronous Circuit
Design and Engineering Genetic Circuits. He is also a co-inventor on
4 patents. His research interests include asynchronous circuit design,
formal verification of analog/mixed signal circuits and cyber-physical
systems, and modeling, analysis, and design of genetic circuits.
Dr. Myers received an NSF Fellowship in 1991, an NSF CAREER award in
1996, and best paper awards at the 1999 and 2007 Symposiums on
Asynchronous Circuits and Systems. Dr. Myers is a Fellow of the IEEE,
and he is a Member of the Editorial Boards for the IEEE Transactions
on VLSI Systems, IEEE Design & Test Magazine, and the Springer journal
Formal Methods in System Design.

Emmanuel Rodriguez received his B.S. degree in Computer Engineering
from the University of South Florida in 2011. He started working with
Dr. Hao Zheng as an undergraduate research assistant in 2010 and then
as a graduate research assistant in 2011. His main effort was focused
on developing and implementing novel and more efficient algorithms
and methods for model checking of large and complex concurrent
programs. His work was the basis of this paper and two other
conference papers. He also helped to maintain an online version
control system for Dr. Zheng's research. He is currently working for
Jagged Peak as a Software Engineer.

Yingying Zhang received an M.S. degree from Beijing University of
Chemical Technology in 2006, and an M.S. degree in Computer
Engineering from the University of South Florida in 2013. Currently,
she is a software engineer at Medtel Services Inc., Tampa, Florida.
Her main research interest is formal verification for software and
hardware, primarily in the area of state space reduction and timing
analysis techniques for model checking.
