BMC via On-the-Fly Determinization  by Jussila, Toni et al.
p ( )
URL: http://www.elsevier.nl/locate/entcs/volume89.html 17 pages
BMC via On-the-Fly Determinization
Toni Jussila a,1,2 Keijo Heljanko b,2,3 Ilkka Niemela¨ a,2
a Helsinki University of Technology
Laboratory for Theoretical Computer Science
P.O. Box 5400, FIN-02015 HUT, Finland
b University of Stuttgart
Institute for Formal Methods in Computer Science
Universita¨tsstr. 38, D-70569 Stuttgart, Germany
Abstract
The paper develops novel bounded model checking (BMC) techniques for labeled
transition systems. The aim is to increase the eﬃciency of BMC by exploiting the
inherent concurrency in the product of LTSs in order to cover more executions of
the product within a given bound. This is done by considering a non-standard
execution model, step executions, where multiple actions can take place simulta-
neously and where component LTSs are determinized on-the-ﬂy, i.e., a component
may be in a set of states in a step instead of in just one as in standard interleaving
executions. Step executions can be further restricted to a subclass called process
executions without losing reachable states. For bounded model checking of reacha-
bility properties of the product of LTSs the paper presents translation schemes from
LTSs to a constrained Boolean circuit such that satisfying valuations of the circuit
correspond to step (process) executions of the product. The translation schemes
have been implemented and some experimental comparisons performed. The results
show that the bound needed for step and process executions is in most cases lower
than in interleaving executions and that the running time of the model checker
using process executions is smaller than using steps. Moreover, the performance
compares favorably to a state-of-the-art interleaving BMC implementation in the
NuSMV system.
1 The ﬁnancial support from Nokia Foundation and Helsinki Graduate School of Computer
Science and Engineering is gratefully acknowledged.
2 The ﬁnancial support from the Academy of Finland (Project 53695) is gratefully acknowl-
edged.
3 The ﬁnancial support from the Academy of Finland (grant for research work abroad) and
FET project ADVANCE contract No IST-1999-29082 are gratefully acknowledged.
c©2003 Published by Elsevier Science B. V. CC BY-NC-ND license.  Open access under 
Jussila et al.
1 Introduction
Bounded model checking (BMC) is a veriﬁcation technique that considers only
executions of bounded length of the chosen formalism [1]. The general model
checking problem for linear temporal logic (LTL) is known to be PSPACE-
complete, but the bounded case is inNP (assuming the used bound to be given
in unary encoding). The very idea is to compile the system under veriﬁcation,
the property to be veriﬁed and a bound k on the length of the execution to a
propositional formula having a model iﬀ the system has an execution of length
k that violates the property. The methodology has been successfully applied
in industrial setting [2,3].
The aim of the paper is to develop eﬃcient BMC techniques for systems
modeled as products of labeled transition systems (LTSs) by exploiting the in-
herent concurrency in the systems. The basic idea is to cover more executions
of a system within a given bound in a way that the size of the encoding is not
substantially increased, i.e., it remains linear w.r.t. the bound. The standard
approach to BMC is to use interleaving executions where exactly one action is
occurring at a time. Here the idea is to encode interleaving executions more
compactly by allowing multiple occurrences of actions in diﬀerent components
of the system simultaneously. This kind of an approach has already been in-
vestigated using 1-safe Petri nets as the system model and employing step and
process executions of Petri nets with encouraging results [9,8].
The novelty in this paper is a technique that exploits independence of
actions in a synchronizing system of LTSs so that multiple independent actions
can take place in diﬀerent component LTSs simultaneously. This technique
is further combined with an on-the-ﬂy determinization construction where for
each component a set of states in which that component can be is maintained.
By using determinization the number of diﬀerent executions the product can
have is potentially dramatically reduced, and furthermore invisible transitions
do not contribute to the length of an execution. In this work the concurrent
executions of independent actions combined with on-the-ﬂy determinization
of components are called step executions. Without compromising reachable
states, step executions can be further restricted to process executions satisfying
an extra condition on visible actions taking place simultaneously.
Based on these ideas a technique for bounded model checking of reachabil-
ity properties of the synchronizing product of LTSs is developed by devising
a translation scheme from the LTSs to a constrained Boolean circuit [11] such
that satisfying valuations of the circuit correspond to step executions of the
product. A minor extension of the mapping handles process executions. In
both cases the size of the encoding is linear w.r.t. the bound. For the encod-
ing, Boolean circuits are employed for clarity and compactness. Such circuits
can be translated to propositional formulae in CNF with a linear blow-up by
introducing additional propositional variables using standard techniques [11].
The approach has been applied to a set of examples and the data obtained
2
Jussila et al.
justify the following points. Firstly, the bound needed for step and process
executions is in most cases lower than in the traditional interleaving model.
Secondly, the running times using process executions are often smaller than
using steps. Finally, the results compare favorably to the running times of a
state-of-the-art interleaving BMC implementation [5].
The paper is organized as follows. Section 2 introduces the formalism used
as the modeling language and Sect. 3 Boolean circuits. Section 4 presents
the encoding schemes for both execution models. Section 5 gives test results
comparing step and process executions to NuSMV [4,5] and ﬁnally Sect. 6
concludes.
2 System Modeling Formalism
Concurrent systems speciﬁed as labeled transition systems (LTS) are studied
in this paper. Three execution models for the synchronizing system of LTSs
are introduced. The ﬁrst is the standard interleaving semantics. Thereafter,
the step and process models allowing independent actions to take place si-
multaneously are deﬁned. The section ends with an analysis on the relation
between the diﬀerent models.
Definition 2.1 An LTS is a 4-tuple L = (S, I,Γ,∆) where
• S is a non-empty set of states,
• I ⊆ S is a non-empty set of initial states,
• Γ is a non-empty set of visible actions, and
• ∆ ⊆ S × (Γ∪ {τ})× S, is the transition relation, the elements of which are
called transitions of L, where τ is the invisible action.
The transitions, whose middle component is τ are called internal or invisi-
ble to the environment. LTSs can interact by forming a synchronizing system
L, denoted here by L = (L1, . . . , Ln). Its semantics is deﬁned in terms of
interleaving executions.
Definition 2.2 Let L = (L1, . . . , Ln) be a system of synchronizing LTSs. An
interleaving execution of S is the sequence
S1
a1→ S2 a2→ · · · ak→ Sk+1(1)
where each Si = (s
1
i , . . . , s
n
i ), s
j
i ∈ Sj , i.e. sji is a state of LTS Lj and each
ai ∈ Γ1 ∪ · · · ∪ Γn ∪ {τ}. Furthermore
(i) For all Li, s
i
0 ∈ Ii.
(ii) If ai 
= τ , then (s1i , . . . , sni ) ai→ (s1i+1, . . . , sni+1) such that for all Lj , if
ai ∈ Γj (sji , ai, sji+1) ∈ ∆j otherwise sji+1 = sji .
(iii) If ai = τ , then (s
0
i , . . . , s
n
i )
ai→ (s1i+1, . . . , sni+1) such that for one Lj
(sji , τ, s
j
i+1) ∈ ∆j and ski+1 = ski for k 
= j.
3
Jussila et al.
The deﬁnition above is usually given by ﬁrst deﬁning the synchronized
product of the components constituting the system and then presenting the
executions using that construction. Deﬁnition 1 above is equivalent and better
suited for comparing the traditional model to the new contributions presented
in the paper (Defs. 2.6 and 2.11). These deﬁnitions make use of the following
concepts.
Definition 2.3 The concatenation of the visible actions in the interleaving
execution σI in the order mandated by σI is denoted pr(σI).
Definition 2.4 A state S ′ is reachable iﬀ S ′ is one of the initial states I =
(I1, . . . , In) or there is an execution σ from an initial state S to S
′. A state S ′ is
a deadlock state iﬀ it is reachable and the system cannot make any transitions
from S ′.
Definition 2.5 Let L = (S, I,Γ,∆) be an LTS and S ′ ⊆ S. The τ -closure
of S ′ is the set of states S ′′ ⊆ S such that s ∈ S ′′ iﬀ s ∈ S ′ or there is an
execution from some state in S ′ to s containing only τ -transitions.
The following deﬁnition presents the step executions of the synchronizing
system of LTSs. The model is such that while operating on possibly non-
deterministic LTSs it determinizes them on-the-ﬂy. Therefore, in each position
in the execution each component may be in a set of states instead of just one.
Definition 2.6 Let L = (L1, . . . , Ln) be a synchronizing LTS system. A ﬁnite
step execution σS of L is a sequence
V1
A1→ V2 A2→ . . . Ak→ V(k+1)(2)
such that each Vi is an n-tuple (S
1
i , . . . , S
n
i ), S
j
i ⊆ Sj , 1 ≤ j ≤ n, i.e., each Sji
is a set of states of LTS Lj and each ∅ ⊂ Ai ⊆ Γ1 ∪ · · · ∪ Γn. In addition all
of the following conditions hold:
• In V1 every S
j
1 is the τ -closure of Ij .
• For each Ai and Lj , |Ai ∩ Γj| ≤ 1, i.e., in each step at most one visible
action is executed from each LTS.
• For each Ai, if a ∈ Ai, then for each Lj such that a ∈ Γj there is a transition
(sj , a, s
′
j) ∈ ∆j such that sj ∈ Sji . Furthermore Sj(i+1) is the τ -closure of
the set of states formed by all states s′′ such that (s′, a, s′′) ∈ ∆j and s′ ∈ Sji .
• For each Ai and Lj , if Ai ∩ Γj = ∅ then Sj(i+1) = Sji .
The length of σS, denoted by |σS|, is k. Let lin(σS) denote the set of
all possible linearizations of σS, i.e., the set of strings α1α2 . . . αk such that
αi ∈ lin(Ai), for each i = 1, . . . , k where lin(Ai) is the set of strings obtained
by concatenating the elements in Ai in any order.
Definition 2.7 Let S = (s1, . . . , sn) and V = (S
′
1, . . . , S
′
n), Deﬁne S  V to
mean that each sj ∈ S ′j, 1 ≤ j ≤ n.
4
Jussila et al.
The following theorems characterize the relation between interleaving and
step executions. They assume the synchronizing system L = (L1, . . . , Ln).
Theorem 2.8 Let σI be an (interleaving) execution of the form (1) of L and
|σI| = k. Then there is a step execution σS
V1
{a1}→ V2 {a2}→ · · · {al}→ V(l+1)(3)
of L such that a1a2 . . . al = pr(σI), l ≤ k and S(k+1)  V(l+1).
Theorem 2.9 Let σS be a step execution of L reaching V(k+1). Then for every
state S  V(k+1) there is an interleaving execution σI of L reaching S such that
pr(σI) ∈ lin(σS).
Corollary 2.10 A state S of L = (L1, . . . , Ln) is reachable iﬀ there is a step
execution V1
A1→ V2 A2→ · · · Ak→ V(k+1) such that S  V(k+1) for some k.
The set of step executions of a system contains in most cases diﬀerent ele-
ments intuitively corresponding to the same concurrent behavior. The follow-
ing addition to Deﬁnition 2.6 limits the set without compromising reachable
states.
Definition 2.11 A process execution of L is a step execution of L fulﬁlling
the following condition
• Whenever ai ∈ Ai and i > 1, then there is an LTS Lj ∈ L such that ai ∈ Γj
and there is an action ak ∈ Ai−1 ∩ Γj .
A step execution that is not a process execution would be characterized
by the fact that in some global state every LTS participating in an action a
would be in a state where it could take place. It would not, though, be chosen
for immediate execution, but the relevant components would remain idle in
the same states for some steps and only then execute a.
Theorem 2.12 Let σS be step execution of reaching state V . Then there is a
process execution σP reaching V such that |σP| ≤ |σS|.
Corollary 2.13 A state s of L = (L1, . . . , Ln) is reachable iﬀ there is a pro-
cess execution V1
A1→ V2 A2→ · · · Ak→ V(k+1) such that S  V(k+1) for some k.
Intuitively the process executions are step executions which are in a certain
canonical normal form. In fact, this canonical normal form corresponds exactly
to the so called Foata normal form [7] from the theory of Mazurkiewicz traces,
and also to a partial order semantics for 1-safe Petri nets called processes. For
more on this connection, see [8] and further references there. Figure 1 gives
two LTSs, both having the visible actions Γ1 = Γ2 = {a, b}. They will be
used as a running example when the elements of the encoding are presented.
The encoding assumes, without loss of generality that each visible transition
is given a unique label. In the ﬁgure, that label li is given together with the
action associated with the transition.
5
Jussila et al.
L1: s0ˇ❞
L2: s4ˇ❞

✴
l1, a
❙
❙
❙❙✇
l2, a

l3, a
❄
l5, a
❞s1 ❞s2 ❞s5
❙
❙
❙❙✇
τ


✴
τ
✙
l4, b
❄
l6, b
❞s3 ❞s6
Fig. 1. Running Example
3 Boolean Circuits
The synchronizing systems of LTSs are translated to Boolean circuits. This
section, based on the presentation of [11], introduces the concept and the
associated terminology. A Boolean circuit is a directed acyclic graph where
the nodes are called gates. The gates can be divided to three categories:
• input gates that have no incoming edges nor an associated Boolean function,
• intermediate gates that have both incoming and outgoing edges and an
associated Boolean function and
• output gates with incoming edges and an associated Boolean function but
no outgoing edges.
A truth valuation for a circuit with gates V is a function τ : V → {true,
false}. A valuation is consistent with the circuit if τ(v) = f(τ(v1), . . . , τ(vk))
for each non-input gate v where f is the Boolean function associated to v and
v1, . . . , vn are the gates with edges to v. The constrained satisﬁability problem
for Boolean circuits is formulated as follows: given that gates c+ ⊆ V must be
true and c− ⊆ V must be false, is there a consistent valuation that respects
these constraints, i.e., is there a satisfying valuation? The constrained Boolean
circuit satisﬁability problem is obviously NP-complete under the plausible
assumption that each Boolean function in the system can be evaluated in
polynomial time.
The encoding in the present work applies Boolean circuits where the fol-
lowing standard Boolean functions appear as gates: ¬ (negation), ∨ (disjunc-
tion), ∧ (conjunction), and → (implication). In addition a function of the
from crUL(v1, . . . , vk) is used. It evaluates to true in a valuation τ iﬀ for the
cardinality c of the set {τ(v) = true | v ∈ {v1, . . . , vk}} holds that L ≤ c ≤ U
where L and U are ﬁxed constants 0 ≤ L ≤ U . The function crUL represents
actually a family of functions of which the following two forms are used in the
paper: cr10 (at most one true) and cr
1
1 (exactly one true).
4 Encoding
This section presents the structure of the Boolean circuits encoding the step
and process executions of the synchronizing system of n LTSs. For represen-
tational purposes the gates that appear are given certain illustrative names
6
Jussila et al.
brieﬂy explained in Table 1. An in-depth description of them follows in sub-
sequent sections with references to ﬁgures of gates drawn from the running
example.
Table 1
Translation Predicates
Gate Description
ex(a, t) Action a is executed at time t, input gate.
in(s, t) Execution is in state s at time t.
sc(L, t) Component L scheduled at time t.
ex(l, t) Transition l is executed at time t.
uv(L, t) Unique visible transition from L at time t.
ni(t) Disable idling at time t.
enok(a, t) Execution of action a implies that it is enabled at time t.
en(a, t) Action a is enabled at time t.
The encoding assumes that the LTSs do not have loops containing only
τ -transitions involving more than one state. If that is the case, the corre-
sponding component can be preprocessed so that the resulting LTS simulates
all the executions of the original. The preprocessing step computes the maxi-
mal strongly connected components Ci of the LTS restricted to τ -transitions
and replaces each Ci with a single state having as incoming and outgoing
transitions the union of those in the set of states in Ci.
The representation follows certain conventions. The variable k is used to
denote the length of the execution and the variables s, t, a and l are used
to describe arbitrary states, positions in the execution, actions and transition
labels, respectively. Based on the division of gates given in Sect. 3, the circuit
is composed as follows. Firstly, some gates, namely those labeled with ex(a, t)
act as inputs. This special role is marked with two concentric circles. Secondly,
the labels ex(tr, t) and sc(L, t) are attached to intermediate gates. Thirdly,
the gates uv(L, t) and ni(t) are outputs constrained to true. This is reﬂected
in the ﬁgures in which they appear by the symbol T appearing on the right
side of the gate.
The gates labeled in(s, t) can appear in diﬀerent roles based on the value
of t. Gates describing the initial states, i.e. in(s, 1) are inputs constrained
to true and false depending on whether a state s is an initial state or not.
For positions 1 < t ≤ k the gates are intermediate and for the ﬁnal position,
i.e., in(s, k + 1) they are output gates. When the translation scheme is
augmented with a circuit detecting reachability properties, these gates are its
inputs. The following subsections present the reasoning for all the gates and
the section is concluded by a complete translation algorithm.
7
Jussila et al.
4.1 Control Flow
For encoding the control ﬂow of the LTSs the idea is that the in(s, t) gates
serve to provide information regarding the progress of execution. For any
initial state s of an LTS, in(s, 1) is an input gate and is asserted true. This is
in accordance with the fact that in the outset the execution in each component
is in the initial states. In general, the execution may be in some state at time
t+ 1 iﬀ one of the following cases is true.
• The state was reached already at t and not left in step t.
• The state is reached due to it belonging to the τ -closure of some state
reached via actions in step t.
• The state is reached by taking some of its incoming visible transitions in
step t.
Therefore the gate encoding the progress of control ﬂow is a disjunction
of the above three cases. Figure 2 gives an instance encoding the case for
the state s3 of the running example. The disjuncts encode the cases from the
left to the right. For instance, taking the leftmost disjunct, if in(s3, t − 1)
is true (state reached in the previous step) and sc(L1, t) is false (component
L1 remained idle in step t), then in(s3, t) has to be true, i.e. the component
remains in state s3. It should be noted that τ -transitions from a state to itself
can (and should) be ignored in the deﬁnition.
∨in(s3, t + 1)
✟✟
✟✟
✟✟✯
❍❍
❍❍
❍❍✻
∧ ∨ ∨
❆❑
✻✂
✂
✂✍ ✁✕ ❆❑ ✁✕ ❆❑
in(s1, t + 1)

in(s2, t + 1)

ex(l3, t)

ex(l4, t)
in(s3, t)
¬

sc(L1, t)
Fig. 2. Progress of Control Flow
The deﬁnition makes use of the sc(L, t) and ex(l, t) gates. The former
captures the fact that a component L is scheduled iﬀ a visible action in its
alphabet is executed.
The reasoning behind the latter, the ex(l, t) gate, is as follows. A transition
is traversed in position t iﬀ the action it is labeled with is executed in position
∨sc(L1, t)
✁
✁
✁✕
❆
❆
❆❑
✐
ex(a, t)
✐
ex(b, t)
ex(l6, t) ∧
✁
✁
✁✕
❆
❆
❆❑
✐
ex(b, t)

in(s5, t)
cr10uv(L1, t) T
✁
✁
✁✕
❆
❆
❆❑
✐
ex(a, t)
✐
ex(b, t)
∨ni(t) T
✁
✁
✁✕
❆
❆
❆❑
✐
ex(a, t)
✐
ex(b, t)
Fig. 3. Elements Illustrating Encoding from Running Example
8
Jussila et al.
t and the control ﬂow is in its source state. It should be noted that the
deﬁnition is not circular, but the control ﬂow in position t together with the
executed transitions deﬁne the control ﬂow in position t + 1. The second
picture from the left in Fig. 3 illustrates the gate for the transition l6 in the
running example.
So far, the subcircuits presented have been deﬁnitions of the elements used
in the encoding. To achieve correspondence with step and later process exe-
cutions additional constraints need to be imposed. A step (process) execution
has the property that only a single visible action is allowed to take place in a
single component in each step. The arrangement to handle this is by using a
cardinality constraint asserted true. An instance is given in Fig. 3 (the second
one from the right).
The encoding may be further enhanced with a gate that disables idling.
If such a gate is not added, the resulting circuit encodes step executions up
to k whereas with it the executions are of precisely length k. Thus the gate
limits the search space. As a downside short deadlocks may be missed if
the veriﬁcation process is started with too large a bound. Idling is disabled
iﬀ some visible action is executed, for the running example the gate is the
rightmost in Fig. 3.
4.2 Synchronization
The synchronization of LTSs mandates that a visible action may be executed
iﬀ every LTS whose alphabet contains the action participates. So far, this has
not been reﬂected in the subcircuits containing the input gates ex(a, t). The
condition is implemented by demanding that the executed action is enabled
in each component having that label in its alphabet. An action a is enabled
in a component iﬀ it is in some state with an outgoing transition labeled a.
The situation for the running example is illustrated in the two subcircuits on
the left in Fig. 4.
→enok(a, t) T
✁
✁
✁✕
❆
❆
❆❑
✐
ex(a, t)
∧
✁
✁
✁✕
❆
❆
❆❑

en(a, L1, t)

en(a, L2, t)
∨en(a, L1, t)
✻

in(s0, t)
T→pr(b, t)
✁
✁
✁✕
❆
❆
❆❑
✐
ex(b, t)
∨
✁
✁
✁✕
❆
❆
❆❑

sc(L0, t− 1)

sc(L1, t− 1)
Fig. 4. Constraining the Input Gates (left, middle) and Enforcing Scheduling (right)
4.3 Translation Algorithm for Step Executions
Assume L = (L1, . . . , Ln) and a given bound k. Then the algorithm con-
structing a Boolean circuit encoding step executions of L of length k is as
9
Jussila et al.
❞ dl(k + 1)T
✻✞
✝

✆
❞❞✘✿ FSOK (k + 1 )UFS(k + 1 ) TFS (k + 1 )✲
❞❞❞
✻ ✻ ✻ ✻❞ ❞ ❞ ❞ V (k + 1 )
✻ ✻ ✻ ✻✞
✝

✆EX(a, k) ✲❞❞❞
ENOK (k)
UV (k)
NI(k)
T✘✿✲
❞❞❞
✻ ✻ ✻ ✻❞ ❞ ❞ ❞ V (k)
✻ ✻ ✻ ✻
❞ ❞ ❞ ❞ V (2 )
✻ ✻ ✻ ✻✞
✝

✆EX(a, 1) ✲❞❞❞
ENOK (1 )
UV (1)
NI(1)
T✘✿✲
❞❞❞
✻ ✻ ✻ ✻❞ ❞ ❞ ❞ V (1 )
Fig. 5. Schematic Diagram of the Circuit
follows:
(i) To capture the requirement that each Li is in the τ -closure of its initial
states in V1 add the gate in(s, 1) for all states s and constrain them to
true if the above condition holds and false otherwise.
(ii) For all positions 1 ≤ t ≤ k, add the following subcircuits:
(a) For all states s ∈ S1 ∪ . . .∪ Sn, include the subcircuit for in(s, t+1).
(b) For all the components Lj , add the subcircuit for sc(Lj , t).
(c) For all transitions with visible actions l ∈ ∆1 ∪ . . . ∪ ∆n, add the
subcircuit for ex(l, t).
(d) For each LTS Lj , add the subcircuit for uv(Lj, t) and constrain it to
true.
(e) Add the circuit for ni(t) and constrain it to true.
(f) For all visible actions a, add the subcircuit for enok(a, t) and con-
strain it to true.
(g) For all components Lj , add the subcircuit for en(a, Lj , t) for all its
visible actions.
The structure of the circuit is schematically given in Fig. 5. In the bottom
is the initial state V (1) and on the top the last state V (k + 1) and a circuit
for deadlock detection (introduced in Sect. 4.5). The unconstrained input
gates appear on the left and the constrained outputs on the right, the labels
capitalized to indicate that they denote several actual gates.
Let SC(L, k) be the (step) circuit obtained by the translation algorithm.
Given a satisfying truth valuation α for SC(L, k) call an α-execution the
execution V1
A1→ . . . Ak→ V(k+1) where the elements in each Vi are the states s with
α(in(s, i)) = true and the elements in Ai the actions a having α(ex(a, i)) =
true.
Theorem 4.1 If the Boolean circuit SC(L, k) has a satisfying truth valuation
α, then there is an α-execution V1
A1→ · · · Ak→ Vk+1 which is a step execution.
10
Jussila et al.
Theorem 4.2 If V1
A1→ · · · Ak→ Vk+1 is a step execution of L, it is an α-
execution for some satisfying valuation α of SC(L, k).
4.4 Process Executions
As can be seen from Deﬁnitions 2.6 and 2.11 the diﬀerence between step and
process executions is rather simple. Indeed, the resulting circuit needs only
one additional element. Namely, if an action is executed at t + 1, then some
participating component had to be scheduled in step t. On the right in Fig. 4
is an instance from the running example (executing action b in step 2).
The encoding algorithm needs the following addition for all 1 < t ≤ k.
(h) For all the visible actions a ∈ Σ1∪· · · ∪Σn add the subcircuit pr(a, t)
and constrain it to true.
Figure 5 illustrates the circuit for step executions. Process executions
would be modeled by adding the PR(t) vector to the right hand side of the
ﬁgure. Let PR(L, k) be the (process) circuit obtained with the augmented
algorithm.
Theorem 4.3 If the Boolean circuit PR(L, k) has a satisfying truth valuation
α, then there is an α-execution V1
A1→ · · · Ak→ Vk+1 which is a process execution.
Theorem 4.4 If V1
A1→ · · · Ak→ Vk+1 is a process execution of L, it is an α-
execution for some satisfying valuation α of PR(L, k).
4.5 Reachability Properties
In Corollaries 2.10 and 2.13 it is stated that both step and process executions
preserve the ﬁnal states of the executions. Therefore, any state predicate con-
cerning such a state can be studied with the presented approach. 4 A dead-
lock, i.e., a state with no outgoing transitions, is a particularly interesting case
among such properties.
The synchronizing system of LTSs can deadlock as a combination of two
conditions. Firstly, components may end up in states with no outgoing tran-
sitions. Secondly, single components may indeed be able to proceed, but their
synchronizing counterparts are in states where synchronization is not possible.
Thus a deadlock could be detected with circuits encoding such demands
only based on the in(s, k + 1) gates. The former condition is simple and
can be detected by static analysis. The latter is more diﬃcult to encode
compactly. Therefore, deadlock detection is implemented by introducing a
4 There is a subtle issue which should be noted. The presented translation method assumes
the following: if in a state s the state predicate to be studied holds, then in all states
reachable from s by using only τ -moves the predicate also holds, i.e. you cannot get out of
a “bad” state by using only τ -moves. If some τ -moves do not respect this property, they
must be converted to visible actions before the veriﬁcation is started.
11
Jussila et al.
new input gate, fs(s, L), for each component L and each state s with only
visible outgoing actions.
The encoding is based on the reasoning that if there is a deadlocking
interleaving execution, then the set of states reached in the associated step
or process execution reaches a state V(k+1) such that the deadlocking state
S  V(k+1). The new input gate captures a single representative s from each
component L so that if the gate fs(s, L) evaluates to true the state s is the
representative from the component L in V(k+1).
The gate has to be constrained in the following way. Firstly, an obvious
soundness criterion is that a state has to be in V(k+1) for it to be a candi-
date. Secondly, to mandate the collection of ﬁnal states to be a state of the
interleaving executions, they have to be constrained to precisely one in each
component. Instances from the component L1 of the running example are
given on the left in Fig. 6. 5
→fsok(s0, L1) T
✁
✁
✁✕
❆
❆
❆❑
✐
fs(s0, L1)

in(s0, k + 1)
cr11ufs(L1) T
✁
✁
✁✕
❆
❆
❆❑
✐
fs(s0, L1)
✐
fs(s3, L1)
∧fen(a)
✁
✁
✁✕
❆
❆
❆❑

fen(a, L1)

fen(a, L2)
∧dl(k + 1) T
✒ ❅¬ ¬
✻ ✻
fen(a)

fen(b)
Fig. 6. State Predicate (Deadlock) Analysis
Having deﬁned the fs gates a deadlock can be detected by the analysis
of enabled actions in the ﬁnal state. Whether the an action is enabled is
computed with the same mechanism as in the previous steps (an instance given
in the middle of Fig. 4). However, this is done for the chosen representative of
the set of ﬁnal states. Thus, the in(s, t) gate is replaced by the fs(s ,L) gate
and a new gate fen(a, L) standing for “action a is enabled in the ﬁnal state in
component L” is introduced.
An action is globally enabled in the ﬁnal state iﬀ it is enabled in the ﬁnal
states of all the components carrying transitions labeled with that action.
Finally, a deadlock is a state where no action is globally enabled. The case for
action a in the running example is illustrated on the right of Fig. 6, where the
secong image from the right, deﬁning the gate fen(a), encodes the cases when
action a is enabled in the ﬁnal state. The rightmost picture is the deadlock
detection gate for the entire example, its inputs being the gates labeled fen(ac)
for all the elements in the alphabet.
It should be noted that compared to the interleaving model, step and
process executions may lose some of the intermediate states. However, it
is not impossible to reason about them, provided that all state changes of
interest to us can be observed through the occurrences of visible actions. The
5 This idea of guessing a ﬁnal state combination can be used to compactly encode arbitrary
state predicates.
12
Jussila et al.
exact details of the following construction are left for further work, here just
the main ideas are sketched. An additional component, called an observer
automaton, can be added to the system. It observes the visible actions taking
place by having all of them in its alphabet. Now any stuttering invariant
safety property (which can be expressed as a regular language) can be reduced
into the question of whether the observer automaton can reach a particular
state. For the syntactic safety subset of LTL−X , the linear temporal logic
LTL without the next-time operator X, a ﬁnite automaton construction tool
is available [13].
5 Test Results
To test the eﬃciency of the presented method it is compared against the
following state-of-the-art implementations:
• NuSMV BMC, a BMC implementation using interleaving semantics,
• NuSMV BDD, an implementation of the BDD-based symbolic model check-
ing.
A set of test cases has been adopted from [6] taking those cases known
to deadlock. The test cases are provided as LTS (fsa), Promela and SMV
speciﬁcations, the input format for NuSMV being the last one. Thus, the
comparison task is easy. The results of the tests are given in Table 2 with the
following columns:
• Problem instance,
• St. k, bound for step executions, i.e., the smallest number of steps such
that a deadlock is reached,
• St. s, running time for step executions as measured by /usr/bin/time,
• Pr. k and Pr. s, similarly for process executions,
• SMV k and SMV s, bound and time for NuSMV BMC [5],
• SMV bdd, running time for NuSMV BDD [4].
The tests were carried out with an AMD Athlon machine with a 1400
MHz CPU and 1 Gigabyte of memory running the Linux operating system.
With the problem Dartes, no results could be obtained within a reasonable
time limit (1 hour) using either NuSMV BMC or NuSMV BDD, therefore the
entries are of the form N/A.
The results for the Boolean circuits were obtained by using a tool [12] to
translate LTSs to Boolean circuits and then using the BCZChaﬀ system [10]
which ﬁrst translates a circuit to CNF DIMACS form [10] and then solves it
with zChaﬀ version 2001.2.17 [15]. The fact that both the presented method
and NuSMV BMC use zChaﬀ as the back end adds credibility to their com-
parison. The running time for the step and process executions is the sum of
generating the Boolean circuit from the speciﬁcations and solving it for the
13
Jussila et al.
Table 2
Test Results (BCZCHAFF)
Problem St. k St. s Pr. k Pr.s SMV k SMV s SMV BDD s
Dartes 31 2.0 31 0.53 N/A N/A N/A
DP(12) 1 0.028 1 0.028 > 8 830 0.12
Elev(1) 3 0.056 3 0.034 8 3.0 0.05
Elev(2) 5 0.16 5 0.11 11 3.1 0.17
Elev(3) 7 0.42 7 0.27 14 410 0.64
Elev(4) 9 1.6 9 0.74 17 120 2.7
Key(2) 35 510 35 200 > 30 2100 0.10
Key(3) 36 200 36 780 > 21 2700 0.27
Key(4) 37 10 37 11 > 19 3200 0.73
Key(5) 38 15 38 140 > 18 1900 3.2
Mmgt(3) 7 0.32 7 0.29 10 14 0.13
Mmgt(4) 8 0.77 8 0.35 12 73 0.25
Q(1) 9 0.25 9 0.25 > 11 1500 2.0
Hart(25) 50 1.2 50 0.71 51 7.0 0.12
Hart(50) 100 5.1 100 3.1 101 130 0.54
Hart(75) 150 12 150 7.6 151 990 1.9
Hart(100) 200 22 200 15 201 4800 5.5
Sentest(25) 33 0.63 33 0.7 38 4.2 0.12
Sentest(50) 58 2.1 58 2.3 63 40 0.45
Sentest(75) 83 4.5 83 5.1 88 220 1.5
Sentest(100) 108 8.0 108 8.3 113 980 4.6
Dac(15) 2 0.014 2 0.014 3 0.27 0.11
Speed(1) 4 0.038 4 0.030 7 0.13 0.07
given bound. The running time for NuSMV BMC is composed of generating
the CNF instance and solving it for exactly the given bound.
Even though the test cases do not have a lot of non-determinism it can be
seen that the non-standard execution models compare favorably in terms of
the bound and running time to those of NuSMV BMC. Compared to BDD-
based model checking the results reiterate the fact that BMC is at its best in
ﬁnding short deadlocks.
Experiments indicate that with these examples it sometimes takes zChaﬀ
far longer to prove a formula unsatisﬁable than to ﬁnd a satisfying truth
assignment with instances of comparable sizes. The phenomenon is most
apparent in the example Key(4) where the time limit of one hour is exceeded
with an unsatisﬁable instance modeling process executions of length 29. The
test cases and the tool translating LTSs to Boolean circuits are available for
download at [12].
14
Jussila et al.
6 Conclusions and Related Work
The paper studies bounded model checking of reachability properties of a
system represented as consisting of synchronizing LTSs. Two nonstandard
execution models, step and process executions, are proposed to capture sets
of interleaving executions in a compact form.
The paper presents two translation schemes from LTSs to Boolean circuits.
In the ﬁrst case, the resulting circuit encodes precisely the step executions
of the system of LTSs under consideration and in the second the process
executions. The encoding is compact leading to a circuit linear in the size
of the bound k, more precisely O((∑j(|Sj| + |∆j | + |Γj |)) · k) where Sj , ∆j
and Γj are the state space, transition relation and visible actions of LTS
Lj, respectively. The encoding uses Boolean functions outside traditional
propositional logic, namely cardinality constraints of the form cr10 and cr
1
1,
but the bound holds were the use of them disallowed. Such a function with
indegree i can namely be simulated using O(i) new ∨,∧ and ¬ gates. The
approach is backed by a set of test cases showing that the running times
compare favorably to a state-of-the-art interleaving BMC implementation in
the NuSMV system.
The presented approach is considered only for models where the LTSs are
presented explicitly. Translations from symbolical representations, like SMV
models, is an interesting research problem for future work.
The idea for the paper arose as a comparison to the work done in [8]. The
paper presents a BMC procedure to reachability check 1-safe Petri nets with
step and process semantics. In addition to the diﬀerent modeling the approach
does not use determinization and neither does it as eﬃciently handle τ -actions
(there they contribute to the execution length). The paper considers some of
the same examples presented here. However, a direct comparison was omitted
due to some inconsistencies in the state spaces of the fsa and 1-safe Petri
net models. The diﬀerences could be traced to the fsa to 1-safe Petri net
conversion performed in [14].
So far, only the veriﬁcation of reachability properties has been considered,
whereas LTL−X model checking is left for future work. In [9] a translation of
LTL−X for step semantics is given using a logic programming approach.
Acknowledgement
The authors would like to warmly thank T. A. Junttila for creating the tool
BCZCHAFF, and for fruitful discussions.
References
[1] A. Biere, A. Cimatti, E. Clarke, and Y. Zhu. Symbolic model checking without
BDDs. In Tools and Algorithms for the Construction and Analysis of Systems
15
Jussila et al.
(TACAS’1999), volume 1579 of Lecture Notes in Computer Science, pages 193–
207. Springer, 1999.
[2] A. Biere, E. Clarke, R. Raimi, and Y. Zhu. Verifying safety properties of a
PowerPC microprocessor using symbolic model checking without BDDs. In
Formal Methods in Computer Aided Design, volume 1633 of Lecture Notes in
Computer Science, pages 60–71. Springer, November 2000.
[3] P. Bjesse, T. Leonard, and A. Mokkedem. Finding bugs in Alpha microprocessor
using satisﬁability solvers. In Proceedings of the 13th International Conference
of Computer Aided Verification(CAV’2001), volume 2102 of Lecture Notes in
Computer Science, pages 454–464. Springer, 2001.
[4] A. Cimatti, E. M. Clarke, E. Giunchiglia, F. Giunchiglia, M. Pistore, M. Roveri,
R. Sebastiani, and A. Tacchella. NuSMV 2: An opensource tool for symbolic
model checking. In Proceeding of the 14th International Conference on
Computer-Aided Verification (CAV’2002), volume 2404 of Lecture Notes in
Computer Science, pages 359–364. Springer, July 2002.
[5] A. Cimatti, M. Pistore, M. Roveri, and R. Sebastiani. Integrating BDD-based
and SAT-based symbolic model checking. In Proceedings of 4th International
Workshop on Frontiers of Combining Systems, April 2002.
[6] J. C. Corbett. Evaluating deadlock detection methods for concurrent software.
IEEE Transactions on Software Engineering, 22(3), 1996.
[7] V. Diekert and Y. Me´tivier. Partial commutation and traces. In Handbook of
formal languages, Vol. 3, pages 457–534. Springer, Berlin, 1997.
[8] K. Heljanko. Bounded reachability checking with process semantics. In
Proceedings of the 12th International Conference on Concurrency Theory
(CONCUR’2001), pages 218–232, August 2001.
[9] K. Heljanko and I. Niemela¨. Bounded LTL model checking with stable models.
Theory and Practice of Logic Programming (TPLP), 2003. Accepted for
publication. (CoRR: arXiv:cs.LO/0305040).
[10] T. A. Junttila. Boolean circuit tools (including BCZChaﬀ), May 2003.
http://www.tcs.hut.fi/~tjunttil/circuits.
[11] T. A. Junttila and I. Niemela¨. Towards an eﬃcient tableau method for
boolean circuit satisﬁability testing. In Computational Logic - CL 2000; First
Internatinal Conference, volume 1861 of Lecture Notes in Artificial Intelligence,
pages 553–567, London, UK, July 2000. Springer, Berlin.
[12] T. Jussila. A BMC tool translating LTSs to boolean circuits, May 2003.
http://www.tcs.hut.fi/~tjussila/otf.
[13] T. Latvala. Eﬃcient model checking of safety properties. In Model Checking
Software. 10th International SPIN Workshop, volume 2648 of Lecture Notes in
Computer Science, pages 74–88. Springer, 2003.
16
Jussila et al.
[14] S. Melzer and S. Ro¨mer. Deadlock checking using net unfoldings. In Proceeding
of 9th International Conference on Computer Aided Verification (CAV’97),
volume 1254 of Lecture Notes in Computer Science, pages 352–363. Springer,
June 1997.
[15] M. Moskewicz, Y. Madigan, L. Zhao, L. Zhang, and S. Malik. Chaﬀ:
Engineering an eﬃcient SAT solver. In 39th Design Automation Conference,
July 2001.
17
