Bounded model checking of compositional processes by SUN, Jun et al.
Singapore Management University, Institutional Knowledge at Singapore Management University
Research Collection School Of Information Systems, 7-2008
Bounded model checking of compositional processes
Jun SUN (Singapore Management University, junsun@smu.edu.sg), Yang LIU, Jin Song DONG, Jing SUN
Citation 
SUN, Jun; LIU, Yang; DONG, Jin Song; and SUN, Jing. Bounded model checking of compositional 
processes. (2008). Proceedings of the 2nd IFIP/IEEE International Symposium on Theoretical Aspects of 
Software Engineering, TASE 2008, Nanjing, China, June 17-19. 1-8. Research Collection School Of 
Information Systems. 
Available at: https://ink.library.smu.edu.sg/sis_research/5051 
Bounded Model Checking of Compositional Processes
Jun Sun, Yang Liu and Jin Song Dong
School of Computing,
National University of Singapore
{sunj,liuyang,dongjs}@comp.nus.edu.sg
Jing Sun
Department of Computer Science
The University of Auckland
j.sun@cs.auckland.ac.nz
Abstract
Verification techniques like SAT-based bounded model checking have been successfully applied to a variety of system models. Applying bounded model checking to compositional process algebras is, however, not a trivial task. One challenge is that the number of system states for process algebra models is not statically known, whereas exploring the full state space is computationally expensive. This paper presents a compositional encoding of hierarchical processes as SAT problems and then applies state-of-the-art SAT solvers for bounded model checking. The encoding avoids exploring the full state space for complex systems so as to deal with state space explosion. We developed an automated analyzer which combines complementary model checking techniques (i.e., bounded model checking and explicit on-the-fly model checking) to validate system models against event-based temporal properties. The experiment results show that the analyzer handles large systems.
1. Introduction
Formal verification reveals inconsistencies in the specification and thus improves the reliability of the product. The notion of model checking [14] has been widely accepted as a successful means of formal verification [9, 5, 2]. The idea is to exhaustively explore all reachable states of a finite state machine (which represents an abstract view of a system) so as to tell whether a desired property is guaranteed or not. The original proposal of model checking relies on exhaustive search through explicit representations of reachable system states [14], which is known as explicit model checking. It suffers from the state space explosion problem. Later, symbolic model checking was proposed to overcome this problem by enumerating states symbolically (typically based on the notion of BDDs [10]). However, human intervention may be required to fine-tune the variable ordering so as to reduce the size of the BDDs. In recent years, bounded model checking [13] has been proposed to complement explicit and symbolic model checking, with great success. The idea is to encode finite state machines (as well as the properties to be verified) as a Boolean formula that is satisfiable if and only if the underlying state machine can realize a finite sequence of transitions that reaches states of interest, and then to apply state-of-the-art SAT solvers [1] to produce counterexamples (if any) efficiently. If such a path segment cannot be found at a given length k, the search is continued for larger k. With the rapid development of SAT solvers, we believe bounded model checking is promising for formal verification.
Previous work on model checking has historically centered around state machines. Model checking techniques have only been applied to event-based formalisms to a limited extent. To the best of our knowledge, bounded model checking has not yet been applied to event-based languages like Communicating Sequential Processes (CSP [19]) or CCS. One of the reasons is that, unlike in circuit verification [12] (where encoding the transition relation is rather straightforward), encoding the semantics of compositional processes using Boolean formulae is nontrivial. The number of system states for process algebra models is not statically known, and exploring the full state space is computationally expensive. This paper presents a compositional encoding of hierarchical processes as SAT problems. State-of-the-art SAT solvers are then applied for bounded model checking. The encoding avoids exploring the full state space for complex systems so as to avoid state space explosion. Based on this idea, a toolkit has been developed to support formal system specification, simulation and verification (against temporal properties). The toolkit includes two complementary model checkers, i.e., an explicit model checker and a bounded model checker. The advantages of applying bounded model checking instead of symbolic model checking include that SAT tools usually need far less hand manipulation than BDDs. The experiment results show that our toolkit has competitive performance for verifying systems with a large number of states.
The remainder of the paper is organized as follows. Section 2 briefly introduces the specification language we are dealing with. Section 3 presents how to encode the semantics of compositional processes as Boolean formulae while avoiding state space explosion. Section 4 introduces the functionalities of our tool in detail. Section 5 concludes this paper.
2. Background
Without loss of generality, we present our idea in the set-
ting of the classic CSP (in which multi-threaded alphabet-
ized parallel plays an important role). A process is defined
by the following syntax,
P =̂ StopA | Skip | RunA | e → P | c?v → P
| c!x → P | P; P | P  P | P  P | P  P
| P  b  Q | P \ A | P ‖ P | P |[ A ]|P
| P ||| P | ‖i Pi | |||i Pi
where A is a set of events, e is an event, b is a Boolean ex-
pression and i is an index. Process StopA never engages in
any event from the set A. Process Skip terminates successfully. Run_A may perform any sequence of events as long as the events are from A. Action prefixing e → P is initially willing to engage in event e and behaves as P afterward.
Note that Skip =̂  → Stop where =̂ means “is defined
as” and  is a special event denoting termination. The se-
quential composition, P1; P2, behaves as P1 until its termi-
nation and then behaves as P2. One way to introduce diver-
sity of behaviors is through choices. A choice between two
processes is denoted as P1  P2 (for external choice) or
P1  P2 (for internal choice). P1  P2 behaves as P1 un-
til the first event of P2 is engaged, then P1 is interrupted and
P2 takes control. Process P  b  Q behaves as P is b eval-
uates to true. Otherwise, it behaves as Q. Note that a process
can be parameterized in the standard way. A parameter has
the scope of the whole process expression. b is over vari-
ables in scope (as well as possible inputs). Process P \ A
hides observational of occurrences of events from A. Recur-
sion is allowed by process referencing. The semantics of re-
cursion follows Scott’s fixed-point theory.
Let Σ be the set of all visible events, which excludes τ
(invisible event) and . Let αP ⊆ Σ be the alphabet of P.
Parallel composition of two processes is written as P1 ‖ P2,
where common events (αP1 ∩ αP2) of P1 and P2 are syn-
chronized. Interleaving is written as P ||| Q. The general
form of parallel composition is P |[ A ]|Q where events in A
are synchronized by P and Q. Note that P |[αP ∩ αQ]| Q ≡ P ‖ Q and P |[∅]| Q ≡ P ||| Q. The indexed versions of interleaving and parallel composition are written as $|||_i P_i$ and $\|_i P_i$ respectively. The alphabet of a process can be separately defined; otherwise it is the set of events which constitute the process expression.
For simplicity, and also because of the nature of model checking, we focus on the operational semantics in this paper. The sets of process behaviors can equally and equivalently be extracted from the operational semantics, thanks to congruence theorems. The set of relevant transition rules can be found in [7] or [21]. Let $\xRightarrow{a}$ be the transition relation defined by the operational semantics, i.e., $P \xRightarrow{a} P'$ when $P$ can engage in $a$ and then behave as $P'$.
Definition A labeled transition system (LTS) is a 3-tuple $(S, I, T)$ where $S$ is a set of states, $I$ is an initial state and $T : S \times \Sigma \times S$ is a labeled transition relation.
The language of an LTS is the set of (finite or infinite) runs which start with the initial condition and conform to the transition relation. The following defines the semantics of a process as an LTS. The language defined by the process is that of the LTS.
Definition Let $P$ be a process. The semantics of $P$ is defined as an LTS $L_P = (S, I, T)$ where $S$ is the set of all reachable processes, $I$ is the initial process $P$ and $T : S \times \alpha P \times S$ is the smallest transition relation such that $(P_1, a, P_2) \in T \Leftrightarrow P_1 \xRightarrow{a} P_2$.
3. Encoding of Processes
This section is dedicated to a discussion on how to en-
code a given process P as Boolean formulae for bounded
model checking. We start with encoding simple processes
by explicitly building LP and then discuss how to encode
processes for which building $L_P$ is not feasible. We remark that the encoding technique is not restricted to CSP.
3.1. Encoding Simple Processes
A process P can be encoded by firstly constructing LP
and then encoding LP. Given an LTS, a property to verify
and a bound k, we need to translate the LTS and the negation
of the property into a propositional formula which is satisfi-
able if and only if there is a trace of length k which violates
the property (i.e., a counterexample). Thus, we need to find
an efficient encoding of states, events, and the transition relation. Given $L = (S, I, T)$, we need $\log_2 \#S$ Boolean variables to encode the states. Let $\vec{xs}_i = \langle xs^1_i, xs^2_i, \cdots \rangle$ be a finite sequence of Boolean variables used to encode the state reached after $i - 1$ steps. The encoding of a state is a Boolean formula $\pi$ over $\vec{xs}_i$ such that $\pi(\vec{xs}_i) = 1$ if and only if the valuation of the variables uniquely identifies the state. Equivalently, a state is associated with a unique binary number and each Boolean variable represents one bit of the number. Similarly, we use $\log_2 \#\alpha L$ Boolean variables to encode the alphabet of $L$. Let $\vec{xe}_i$ be the variables used to encode the events. A transition is encoded as a Boolean formula of the following form,
$$\pi(\vec{xs}_i) \wedge \pi(\vec{xe}_i) \wedge \pi(\vec{xs}_{i+1})$$
where $\vec{xs}_{i+1}$ is a set of fresh variables used to encode the post-state. Let $\Pi$ denote the encoding function which maps a state or event to a Boolean formula given a set of Boolean variables. $\Pi(P_1, \vec{xs}_i) \wedge \Pi(e, \vec{xe}_i) \wedge \Pi(P_2, \vec{xs}_{i+1})$ where $(P_1, e, P_2) \in T$ is the Boolean encoding of the transition in the above form. Informally, this formula guarantees that if the transition is to be taken, the pre-state, post-state and event must be $P_1$, $P_2$ and $e$ respectively. The transition relation $T$ is encoded as the disjunction of all possible transitions, i.e., any encoded transition may be taken if it can be satisfied.
$$T_i = \bigvee \{ \Pi(P_1, \vec{xs}_i) \wedge \Pi(e, \vec{xe}_i) \wedge \Pi(P_2, \vec{xs}_{i+1}) \mid (P_1, e, P_2) \in T \}$$
Given a bound $k$ for bounded model checking, the encoded transition relation must be applied $k$ times. Every time a fresh set of variables must be used to encode the engaged event as well as the target state. Thus, we need $(k + 1) \times \log_2 \#S + k \times \log_2 \#\Sigma$ Boolean variables to represent the states $s_1 .. s_{k+1}$ and events $e_1 .. e_k$, where $s_1 = I$.
Definition An encoding of an LTS is a 4-tuple $\mathcal{E} = (I, T_i, \vec{xs}_i, \vec{xe}_i)$ where $I = \Pi(I, \vec{xs}_1)$ is the encoded initial state, $T_i$ is the encoded transition relation as defined above, $\vec{xs}_i$ are the variables used to encode the source state of $T_i$ and $\vec{xe}_i$ are the variables used to encode the labeling events of the transitions of $T_i$.
Given an LTS $L$ and its encoding $\mathcal{E}$, we say $\mathcal{E}$ is sound if and only if $\mathcal{E}$ and $L$ are trace-equivalent, i.e., every trace allowed by $L$ must be allowed by $\mathcal{E}$ and vice versa. The above encoding of an LTS is sound, as we can show that the encoded transition relation conforms to $T$ and the encoded initial condition conforms to $I$. Given an encoding of the system $\mathcal{E}$, a property $\varphi$ to verify and a bound $k$, the propositional formula constructed is of the following form,
$$[[\mathcal{E}, \varphi]]_k \;\hat{=}\; I \wedge \bigwedge_{i=1}^{k} T_i \wedge [[\neg\varphi]]_k$$
where $[[\neg\varphi]]_k$ is the encoded negation of the given property (with regard to $k$). We leave the detailed discussion to Section 4. A satisfying solution to the above formula gives a counterexample to the property: a run which satisfies the initial condition and the transition relation up to $k$ steps and violates the property.
In the following, we write EP to denote the encoding of
P. Explicitly constructing LP = (SP, IP, TP) is however
not always desirable for several reasons. Firstly, SP (and
therefore TP) may not be finite. For instance, processes like
P =̂ b → Skip  (a → P; c → Skip) or P =̂ a → (P ||| P)
allow unbounded recursion or replication and, thus, may re-
sult in infinite reachable process expressions. Our experi-
ences, however, show that processes of the above forms are
rather rare in practice. Without loss of generality, we assume
that $S_P$ is always finite. Optimally, the number of Boolean variables needed to encode $S_P$ is $\log_2 \#S_P$. However, determining the exact size of $S_P$ requires traversing all reachable states, which is often undesirable due to state space explosion. For instance, if $\#S_Q = n$, the interleaving of $m$ copies of $Q$ (say $P$) has $n^m$ states. One remedy is to encode $L_Q$ (if its size is manageable) and then compose $\mathcal{E}_Q$ to generate $\mathcal{E}_P$, so as to avoid constructing $L_P$.
3.2. Composing Encodings
A rich set of operators can be used to compose pro-
cesses as illustrated in Section 2. Among all operators, it
is the indexed parallel composition or indexed interleaving
(which we refer to as indexed concurrency) which causes
state space explosion. Given P which contains indexed con-
currency, instead of building LP we shall deduce EP from
the encoding of its sub-components. In the following, we
show how to compose the encodings of the sub-components for the various composition operators. In order to draw connections between transitions of different processes running in parallel, a global event-to-Boolean encoding is established beforehand. In the following, let $\Pi(e, \vec{xe})$ be the formula encoding $e$ using variables $\vec{xe}$. Given $\vec{xs}_i = \langle xs^1_i, xs^2_i, \cdots, xs^n_i \rangle$ for $i \in \{1, 2\}$, two sequences of Boolean variables of the same length, we write $\vec{xs}_1 \Leftrightarrow \vec{xs}_2$ to mean $xs^1_1 \Leftrightarrow xs^1_2 \wedge xs^2_1 \Leftrightarrow xs^2_2 \wedge \cdots \wedge xs^n_1 \Leftrightarrow xs^n_2$. Further abusing notation, we write $\vec{xs}_1 \cup \vec{xs}_2$ to denote the sequence of variables which contains the variables of both $\vec{xs}_1$ and $\vec{xs}_2$, sorted according to the unique variable IDs.
Definition Let $P = |||_{j=1}^{n} P_j$. Let $\mathcal{E}_{P_j} = (I_{P_j}, T^{P_j}_i, \vec{xs}^{P_j}_i, \vec{xe}^{P_j}_i)$. The encoding of $P$ is $(I_P, T^P_i, \vec{xs}^P_i, \vec{xe}^P_i)$ where
$$I_P = \bigwedge_{j=1}^{n} I_{P_j}, \qquad \vec{xs}^P_i = \bigcup_{j=1}^{n} \vec{xs}^{P_j}_i, \qquad \vec{xe}^P_i = \vec{xe}^{P_j}_i,$$
$$T^P_i = \bigvee_{j=1}^{n} \Big( T^{P_j}_i \wedge \bigwedge_{m \neq j} \big( \vec{xs}^{P_m}_i \Leftrightarrow \vec{xs}^{P_m}_{i+1} \big) \Big).$$
Note that the variables used to encode each $P_j$ are disjoint. The encoded initial condition of $P$ is the conjunction of the encoded initial conditions of the sub-components. Intuitively, this says that when the composition is initialized, all sub-components must be in their initial states. The predicate $\vec{xs}^{P_m}_i \Leftrightarrow \vec{xs}^{P_m}_{i+1}$ means that $P_m$ remains in the same state. The encoded transition relation is the disjunction of a set of clauses, each of which states that a transition of $P_j$ may be taken while the states of the other sub-components are unchanged. Thus, any transition of a sub-component can be taken without affecting the other sub-components. Indexed parallel composition is handled similarly. The complication is that the alphabet of a sub-component may contain more events than those that constitute the process expression. The following definition shows that, by manipulating the encoded transition relations of the sub-components, the encoded transition relation of the composition is exactly the conjunction of the encoded transition relations of the sub-components.
Definition Let $P = \|_{j=1}^{n} P_j$. Let $\mathcal{E}_{P_j} = (I_{P_j}, T^{P_j}_i, \vec{xs}^{P_j}_i, \vec{xe}^{P_j}_i)$. The encoding of $P$ is $(I_P, T^P_i, \vec{xs}^P_i, \vec{xe}^P_i)$ where $I_P = \bigwedge_{j=1}^{n} I_{P_j}$, $\vec{xs}^P_i = \bigcup_{j=1}^{n} \vec{xs}^{P_j}_i$, $\vec{xe}^P_i = \vec{xe}^{P_j}_i$, and $T^P_i$ is defined as follows,
$$T^P_i = \bigwedge_{j=1}^{n} \Big( T^{P_j}_i \;\vee\; \bigvee \big\{ \Pi(e, \vec{xe}_i) \wedge \vec{xs}^{P_j}_i \Leftrightarrow \vec{xs}^{P_j}_{i+1} \;\big|\; e \notin \alpha P_j \wedge e \in \alpha P \cup \{\tau\} \big\} \Big)$$
The transition relation $T^{P_j}_i$ is extended with clauses that allow events not in $\alpha P_j$ but in $\alpha P$ (including $\tau$) to occur freely without changing the state of this sub-component. Because the encoded transition relations of the sub-components are conjoined and we use the same set of variables to encode the events, an event can be engaged if and only if every sub-component participates in it. This construction guarantees that the encoded transition relation of the composition allows only runs which conform to the semantics. It avoids constructing $L_P$ at the price of extra transitions.
Example The following specifies the classic dining
philosophers problem [19],
Phil(i) = think.i → get.i.(i + 1)%N → get.i.i
→ eat.i → put.i.(i + 1)%N → put.i.i
→ Phil(i)
Fork(i) = get.i.i → put.i.i → Fork(i) 
get.((i − 1)%N).i → put.((i − 1)%N).i
→ Fork(i)
$Phils(N) = \|_{i=0}^{N-1} \big( Phil(i) \;\|\; Fork(i) \big)$
where N is the number of philosophers, get.i.j (put.i.j) is the
action of the i-th philosopher picking up (putting down) the
j-th fork. Assuming N = 5 and x1, x2, x3 are used to en-
code the events, the event encoding is shown in the follow-
ing table (and the rest are ignored for brevity).
Event     Encoding                 Event     Encoding
think.0   ¬x1 ∧ ¬x2 ∧ ¬x3          put.0.1   x1 ∧ ¬x2 ∧ ¬x3
get.0.1   ¬x1 ∧ ¬x2 ∧ x3           put.0.0   x1 ∧ ¬x2 ∧ x3
get.0.0   ¬x1 ∧ x2 ∧ ¬x3           get.4.0   x1 ∧ x2 ∧ ¬x3
eat.0     ¬x1 ∧ x2 ∧ x3            put.4.0   x1 ∧ x2 ∧ x3
The following is the encoded transition relation $T^{Phil(0) \,\|\, Fork(0)}_1$.
$$\Big( T^{Phil(0)}_1 \;\vee\; (x_1 \wedge x_2 \wedge \neg x_3 \wedge x_4 \Leftrightarrow x_7 \wedge x_5 \Leftrightarrow x_8 \wedge x_6 \Leftrightarrow x_9) \;\vee\; (x_1 \wedge x_2 \wedge x_3 \wedge x_4 \Leftrightarrow x_7 \wedge x_5 \Leftrightarrow x_8 \wedge x_6 \Leftrightarrow x_9) \Big)$$
$$\wedge\; \Big( T^{Fork(0)}_1 \;\vee\; (\neg x_1 \wedge \neg x_2 \wedge \neg x_3 \wedge x_{10} \Leftrightarrow x_{12} \wedge x_{11} \Leftrightarrow x_{13}) \;\vee\; (\neg x_1 \wedge \neg x_2 \wedge x_3 \wedge x_{10} \Leftrightarrow x_{12} \wedge x_{11} \Leftrightarrow x_{13}) \;\vee\; (\neg x_1 \wedge x_2 \wedge x_3 \wedge x_{10} \Leftrightarrow x_{12} \wedge x_{11} \Leftrightarrow x_{13}) \;\vee\; (x_1 \wedge \neg x_2 \wedge \neg x_3 \wedge x_{10} \Leftrightarrow x_{12} \wedge x_{11} \Leftrightarrow x_{13}) \Big)$$
where $x_4, x_5, x_6$ ($x_7, x_8, x_9$) are used to encode the pre-state (post-state) of $Phil(0)$ and $x_{10}, x_{11}$ ($x_{12}, x_{13}$) are used to encode the pre-state (post-state) of $Fork(0)$. The first group of extra disjuncts lets $get.4.0$ and $put.4.0$, which belong to $Fork(0)$ only, occur while $Phil(0)$ keeps its state; the second lets $think.0$, $get.0.1$, $eat.0$ and $put.0.1$, which belong to $Phil(0)$ only, occur while $Fork(0)$ keeps its state.
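As an added example (not code from the paper or from the PAT toolkit), the following Python puts Sections 3.1 and 3.2 to work on $Phils(2)$: each $Phil(i)$ and $Fork(i)$ is encoded from its explicit LTS with $\log_2 \#S$ state bits, the indexed parallel compositions are encoded from those sub-encodings with the frame clauses of the definition above, and a bounded query fixes the event variables of $k$ steps to ask whether an event sequence is a trace. The tuple formula representation, the tiny splitting solver (standing in for MiniSAT/RSAT), the state names and the variable names are assumptions of this example.

```python
# Added example, not code from the paper or the PAT toolkit: Section 3.1 bit encoding of an LTS,
# Section 3.2 compositional encoding of ||, and a k-step bounded query, applied to Phils(2).

# Propositional formulas as nested tuples: True/False, ('v', name), ('~', f), ('&', [..]), ('|', [..]).
def V(n): return ('v', n)
def NOT(f): return ('~', f)
def AND(*fs): return ('&', list(fs))
def OR(*fs): return ('|', list(fs))
def IFF(a, b): return OR(AND(a, b), AND(NOT(a), NOT(b)))

def simp(f, asg):
    """Substitute the partial assignment asg and simplify; yields True/False once decided."""
    if isinstance(f, bool): return f
    if f[0] == 'v': return asg.get(f[1], f)
    if f[0] == '~':
        g = simp(f[1], asg)
        return (not g) if isinstance(g, bool) else ('~', g)
    absorb, kept = (f[0] == '|'), []        # True absorbs an OR, False absorbs an AND
    for g in (simp(h, asg) for h in f[1]):
        if g is absorb: return absorb
        if g is not (not absorb): kept.append(g)   # neutral elements are dropped
    return (not absorb) if not kept else kept[0] if len(kept) == 1 else (f[0], kept)

def first_var(f):
    if isinstance(f, bool): return None
    if f[0] == 'v': return f[1]
    if f[0] == '~': return first_var(f[1])
    return next((v for v in map(first_var, f[1]) if v is not None), None)

def solve(f, asg=None):
    """Minimal splitting SAT solver standing in for MiniSAT/RSAT: a satisfying assignment or None."""
    asg = dict(asg or {})
    f = simp(f, asg)
    if isinstance(f, bool): return asg if f else None
    v = first_var(f)
    for val in (True, False):
        r = solve(f, {**asg, v: val})
        if r is not None: return r
    return None

def code(prefix, i, n, width):
    """Pi(n, xs_i): the step-i bit variables of `prefix` spell the number n, one bit per variable."""
    return AND(*[V(f'{prefix}@{i}.{b}') if (n >> b) & 1 else NOT(V(f'{prefix}@{i}.{b}'))
                 for b in range(width)])

EVENTS = {}   # the global event-to-code map, fixed before any component is encoded

def event(e, i):   # Pi(e, xe_i) over the event variables of step i, shared by every component
    return code('e', i, EVENTS[e], max(1, (len(EVENTS) - 1).bit_length()))

class Enc:
    """Section 3.1: an explicit LTS (states, initial, transitions) encoded with log2 #S state bits."""
    def __init__(self, name, lts):
        states, init, trans = lts
        idx = {s: n for n, s in enumerate(states)}
        self.name, self.w = name, max(1, (len(states) - 1).bit_length())
        self.alpha = {e for _, e, _ in trans}
        self.init = code(name, 1, idx[init], self.w)
        self.trans = [(idx[s], e, idx[t]) for s, e, t in trans]
    def T(self, i):   # T_i: the disjunction of all encoded transitions
        return OR(*[AND(code(self.name, i, s, self.w), event(e, i), code(self.name, i + 1, t, self.w))
                    for s, e, t in self.trans])
    def same(self, i):   # xs_i <=> xs_{i+1}: the component keeps its state across step i
        return AND(*[IFF(V(f'{self.name}@{i}.{b}'), V(f'{self.name}@{i + 1}.{b}')) for b in range(self.w)])

class Par:
    """Section 3.2: the encoding of ||_j P_j composed from the sub-encodings; L_P is never built."""
    def __init__(self, parts):
        self.parts, self.alpha = parts, set().union(*(p.alpha for p in parts))
        self.init = AND(*[p.init for p in parts])
    def T(self, i):
        clauses = []
        for p in self.parts:
            # events of the composition outside alpha(P_j) may occur while P_j keeps its state
            free = [AND(event(e, i), p.same(i)) for e in sorted(self.alpha - p.alpha)]
            clauses.append(OR(p.T(i), *free))
        return AND(*clauses)   # conjunction: an event fires iff every sub-component agrees
    def same(self, i): return AND(*[p.same(i) for p in self.parts])

def trace_feasible(enc, events):
    """Is the event sequence a trace of the encoded process?  Solve I ∧ T_1 ∧ ... ∧ T_k with
    xe_1..xe_k fixed to the sequence; a solution is a k-step run of the process realizing it."""
    fixed = [event(e, i + 1) for i, e in enumerate(events)]
    return solve(AND(enc.init, *[enc.T(i) for i in range(1, len(events) + 1)], *fixed)) is not None

# Example 3.2's processes as explicit LTSs (constructed; 6 resp. 3 reachable process expressions).
def phil(i, n):
    evs = [f'think.{i}', f'get.{i}.{(i + 1) % n}', f'get.{i}.{i}', f'eat.{i}', f'put.{i}.{(i + 1) % n}', f'put.{i}.{i}']
    st = [f'Phil{i}/{s}' for s in range(6)]
    return st, st[0], [(st[s], evs[s], st[(s + 1) % 6]) for s in range(6)]

def fork(i, n):
    j = (i - 1) % n
    st = [f'Fork{i}', f'Fork{i}/held_by_{i}', f'Fork{i}/held_by_{j}']
    return st, st[0], [(st[0], f'get.{i}.{i}', st[1]), (st[1], f'put.{i}.{i}', st[0]),
                       (st[0], f'get.{j}.{i}', st[2]), (st[2], f'put.{j}.{i}', st[0])]

N = 2
LTSS = [(phil(i, N), fork(i, N)) for i in range(N)]
for p, f in LTSS:                       # establish the global event encoding first
    for _, e, _ in p[2] + f[2]:
        EVENTS.setdefault(e, len(EVENTS))
PHILS = Par([Par([Enc(f'p{i}', p), Enc(f'f{i}', f)]) for i, (p, f) in enumerate(LTSS)])

if __name__ == '__main__':
    print(trace_feasible(PHILS, ['think.0', 'get.0.1', 'get.0.0', 'eat.0']))              # True
    print(trace_feasible(PHILS, ['think.0', 'get.0.1', 'think.1', 'get.1.0', 'get.0.0']))  # False
```

The last query is rejected because $get.0.0$ is in the alphabet of $Fork(0)$, which after $get.1.0$ offers only $put.1.0$, so the conjoined transition relation has no clause for it.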
A large class of systems can be specified as an indexed parallel composition or indexed interleaving of multiple sub-components which each have a relatively small number of states; e.g., $Phils(N)$ is specified as an indexed parallel composition of philosopher and fork pairs. For such systems, we encode each sub-component by explicitly constructing its LTS and then apply the above construction to build the composed transition relation. Nonetheless, if a process $P$ which contains indexed concurrency is further composed with other processes using operators like choice, interrupt and sequential composition (;), or amended using operators like hiding (\), we should be able to deduce the encoding of the composition from the encoding of $P$ (and the others). For instance, if the given process is $Phils(N); Q$, we must not have to explore all states of $Phils(N)$ in order to encode it.
Definition Let $P$ be the external choice between $M$ and $N$. Let $\mathcal{E}_M = (I_M, T^M_i, \vec{xs}^M_i, \vec{xe}^M_i)$ be the encoding of $M$. Let $\mathcal{E}_N = (I_N, T^N_i, \vec{xs}^N_i, \vec{xe}^N_i)$. The encoding of $P$ is $(I_P, T^P_i, \vec{xs}^P_i, \vec{xe}^P_i)$ where $I_P = I_M \wedge I_N$, $\vec{xs}^P_i = \vec{xs}^M_i \cup \vec{xs}^N_i \cup \{xc_i\}$, $\vec{xe}^P_i = \vec{xe}^M_i = \vec{xe}^N_i$, and
$$T^P_i = (xc_i \wedge T^M_i \wedge xc_{i+1}) \vee (\neg xc_i \wedge T^N_i \wedge \neg xc_{i+1})$$
where $xc_i$ is a fresh control variable.
The encoded initial condition places no constraint on $xc_1$, so $xc_1$ can be either true or false initially (which means transitions from $M$ or $N$ can be taken). Once one of the choices has been taken, $xc_i$ remains the same as $xc_1$ for all $i$, and thus a later step must respect the choice made at the first step. This captures the semantics of choice. Note that internal choice is handled in the same way as external choice, since the two are equivalent in the trace semantics [19].
Definition Let $P$ be $M$ interrupted by $N$. Let $\mathcal{E}_M = (I_M, T^M_i, \vec{xs}^M_i, \vec{xe}^M_i)$ be the encoding of $M$. Let $\mathcal{E}_N = (I_N, T^N_i, \vec{xs}^N_i, \vec{xe}^N_i)$. The encoding of $P$ is $(I_P, T^P_i, \vec{xs}^P_i, \vec{xe}^P_i)$ where $I_P = I_M \wedge I_N$, $\vec{xs}^P_i = \vec{xs}^M_i \cup \vec{xs}^N_i \cup \{xc_i\}$, $\vec{xe}^P_i = \vec{xe}^M_i = \vec{xe}^N_i$, and
$$T^P_i = (\neg xc_i \wedge T^M_i \wedge \neg xc_{i+1}) \vee (T^N_i \wedge xc_{i+1})$$
where $xc_i$ is a fresh control variable.
Interrupt can be viewed as a biased choice. Note that $\neg xc_i$ is true if and only if $M$ has not yet been interrupted. If a transition of $T^M$ is taken, $xc_{i+1}$ remains false so that the next transition can be taken from $T^M$ or $T^N$. Whenever a transition of $T^N$ is taken, $xc_{i+1}$ must be true, which forbids all transitions from $T^M$.
Definition Let $P = M; N$. Let $\mathcal{E}_M = (I_M, T^M_i, \vec{xs}^M_i, \vec{xe}^M_i)$ be the encoding of $M$. Let $\mathcal{E}_N = (I_N, T^N_i, \vec{xs}^N_i, \vec{xe}^N_i)$. The encoding of $P$ is $(I_P, T^P_i, \vec{xs}^P_i, \vec{xe}^P_i)$ where $I_P = I_M \wedge \neg xc_1$, $\vec{xs}^P_i = \vec{xs}^M_i \cup \vec{xs}^N_i \cup \{xc_i\}$, $\vec{xe}^P_i = \vec{xe}^M_i = \vec{xe}^N_i$, and $T^P_i$ is defined as follows, where $xc_i$ is a fresh control variable,
$$T^P_i = \neg xc_i \wedge T^M_i \wedge \big( (\neg\Pi(\checkmark, \vec{xe}_i) \wedge \neg xc_{i+1}) \vee (\Pi(\checkmark, \vec{xe}_i) \wedge xc_{i+1} \wedge I_N) \big) \;\vee\; xc_i \wedge T^N_i$$
Initially, $\neg xc_1$ must be true. Note that $\neg xc_i$ is true if and only if $M$ has not yet terminated. Intuitively, a sequential composition can be viewed as a delayed choice whereby transitions from $N$ can only be taken after a $\checkmark$ transition has been taken in $M$. $xc_i$ and $I_N$ become true once a transition of $M$ labeled with $\checkmark$ has been taken. Because transitions from $M$ are guarded with $\neg xc_i$, no transition from $M$ can be taken afterwards.
Other compositional operators are handled similarly by
manipulating the encoded transition relations of the sub-
components and introducing control variables if necessary.
For instance, if some events of an encoded process are to be hidden (i.e., $P \setminus A$), those events are renamed, i.e., the label $e$ of a transition is encoded as $\Pi(\tau_e, \vec{xe}_i)$ instead of $\Pi(e, \vec{xe}_i)$.
Note that hiding different events results in different τ transi-
tions. This prevents synchronization between different hid-
den events.
Given a process P, if P contains no indexed concurrency,
we construct LP and then apply the encoding in Section 3.1.
Otherwise, each sub-component of the indexed interleaving
or parallel composition is encoded first. The encoding of
P is then composed by applying the compositional encod-
ing. If a sub-component of the indexed interleaving or paral-
lel (say Q) contains indexed concurrency as well, the same
procedure is repeated so as to encode Q. Note that for pro-
cesses like P = a → P ||| · · · ||| P, this construction is not
feasible (and thus we have to construct LP). Nonetheless,
for most interesting systems in which there is no unbounded
replication (or recursion), this construction not only termi-
nates but results in Boolean formulae of manageable size,
which can be efficiently solved by SAT-solvers.
Theorem 3.1 Let $P$ be a process and $\mathcal{E}_P$ the encoding of $P$ as defined above. $\mathcal{E}_P$ is trace-equivalent to $L_P$.
This theorem states that our encoding is sound. It is proved by structural induction. The base case is a process containing no indexed concurrency, i.e., the encoding in Definition 3.1 is sound. The induction step shows that the compositional encoding preserves the equivalence. We skip the proof for brevity.
4. The Process Analysis Toolkit
We developed an analyzer to apply bounded model
checking and on-the-fly explicit model checking. The ana-
lyzer has been implemented in C# and is publicly available
at our web site [23]. It consists of three main compo-
nents: a specification editor, a simulator and two complementary model checkers. The editor provides a user-friendly interface (with featured text editing, syntax highlighting, multi-threaded execution, a multi-document environment, etc.) for users to introduce system models (i.e., the full CSP syntax is supported) as well as desirable properties (i.e., the full temporal logic syntax is supported). The system models are parsed into internal representations, which are used for both simulation and verification. The simulator takes in the system models and
allows users to perform various simulation tasks: com-
plete states generation based on the execution graph,
random simulation, user interactive simulation, trace re-
play and so on. In this section, we focus on the event-based
on-the-fly/bounded model checking.
4.1. Temporal Properties
We support temporal logic verification, which comple-
ments the established tools like FDR [21] (which verifies
process refinement relationships). Because we are dealing
with an event-based formalism, we extend standard Linear
Temporal Logic (LTL) with events so that properties con-
cerning both states and events can be stated and verified.
The extended LTL is as follows.
Definition Let $Pr$ be a set of propositions. An extended LTL formula is,
$$\varphi ::= p \mid a \mid \neg\varphi \mid \varphi \wedge \psi \mid \bigcirc\varphi \mid \Box\varphi \mid \Diamond\varphi \mid \varphi\,\mathcal{U}\,\psi$$
where $p$ ranges over $Pr$ and $a$ ranges over $\Sigma$. Let $\pi = \langle P_0, x_0, P_1, x_1, \cdots \rangle$ be an infinite alternating sequence of states and events. Let $\pi_i$ be the suffix of $\pi$ starting at $P_i$.
$$\pi_i \models p \Leftrightarrow P_i \models p$$
$$\pi_i \models a \Leftrightarrow x_{i-1} = a$$
$$\pi_i \models \neg\varphi \Leftrightarrow \neg(\pi_i \models \varphi)$$
$$\pi_i \models \varphi \wedge \psi \Leftrightarrow \pi_i \models \varphi \wedge \pi_i \models \psi$$
$$\pi_i \models \bigcirc\varphi \Leftrightarrow \pi_{i+1} \models \varphi$$
$$\pi_i \models \Box\varphi \Leftrightarrow \forall j \ge i \bullet \pi_j \models \varphi$$
$$\pi_i \models \Diamond\varphi \Leftrightarrow \exists j \ge i \bullet \pi_j \models \varphi$$
$$\pi_i \models \varphi\,\mathcal{U}\,\psi \Leftrightarrow \exists j \ge i \bullet \pi_j \models \psi \wedge \forall k \mid i \le k \le j - 1 \bullet \pi_k \models \varphi$$
Example The following specifies a desirable property of $Phils(N)$: $\Box\Diamond eat_0 \wedge \Box\Diamond eat_1 \wedge \cdots \wedge \Box\Diamond eat_{N-1}$, where $\Box$ reads as “always” and $\Diamond$ reads as “eventually”. The property states that every philosopher will always eventually eat, i.e., no one starves.
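As an added example (not code from the paper or from the PAT toolkit), the following Python evaluates the extended LTL semantics above over a lasso-shaped run, the kind of infinite run that the loop constraint of Section 4.1 reconstructs from a bounded counterexample, and checks the no-starvation property for $Phils(2)$. The tuple formula representation, the Lasso class and the two constructed runs are assumptions of this example; the loop is assumed to re-enter its target position with the same incoming event, so the truth of a formula at a position does not depend on the lap.

```python
# Added example, not code from the paper or the PAT toolkit: the extended LTL semantics of
# Section 4.1 over a lasso-shaped run <P0, x0, P1, x1, ...>: a finite prefix whose last
# transition returns to position `loop` (assumed to arrive there with the same incoming event).

# Formula trees: ('p', name) proposition, ('a', event), ('not', f), ('and', f, g), ('next', f),
# ('always', f), ('eventually', f), ('until', f, g).
def G(f): return ('always', f)
def F(f): return ('eventually', f)

class Lasso:
    def __init__(self, steps, loop):
        # steps[i] = (x_{i-1}, propositions true in P_i); steps[0] has no incoming event
        self.steps, self.loop, self.memo = steps, loop, {}

    def succ(self, i):
        return i + 1 if i + 1 < len(self.steps) else self.loop

    def path(self, i):
        """The distinct positions of the suffix pi_i, in order; the infinite suffix repeats them."""
        seen = []
        while i not in seen:
            seen.append(i)
            i = self.succ(i)
        return seen

    def sat(self, f, i=0):
        """pi_i |= f, clause by clause as in the definition of Section 4.1."""
        if (f, i) in self.memo:
            return self.memo[(f, i)]
        op, event, props = f[0], self.steps[i][0], self.steps[i][1]
        if op == 'p':
            r = f[1] in props                                   # pi_i |= p  iff  P_i |= p
        elif op == 'a':
            r = event == f[1]                                   # pi_i |= a  iff  x_{i-1} = a
        elif op == 'not':
            r = not self.sat(f[1], i)
        elif op == 'and':
            r = self.sat(f[1], i) and self.sat(f[2], i)
        elif op == 'next':
            r = self.sat(f[1], self.succ(i))                    # pi_{i+1} |= f
        elif op == 'always':
            r = all(self.sat(f[1], j) for j in self.path(i))    # every later position
        elif op == 'eventually':
            r = any(self.sat(f[1], j) for j in self.path(i))    # some later position
        elif op == 'until':                                     # psi at j, phi at all k before j
            path = self.path(i)
            r = any(self.sat(f[2], path[j]) and all(self.sat(f[1], path[k]) for k in range(j))
                    for j in range(len(path)))
        else:
            raise ValueError(f'unknown operator {op}')
        self.memo[(f, i)] = r
        return r

def run(events, loop):
    """A run of Phils(2) given by its event sequence (constructed); eat.i also makes eating_i hold."""
    steps = [(None, frozenset())]
    for e in events:
        steps.append((e, frozenset({'eating_' + e.split('.')[1]}) if e.startswith('eat.') else frozenset()))
    return Lasso(steps, loop)

# Philosopher 0 completes a cycle and, looping back to position 1, repeats it forever (constructed).
STARVING = run(['think.0', 'get.0.1', 'get.0.0', 'eat.0', 'put.0.1', 'put.0.0'], loop=1)
# Both philosophers complete a cycle before the loop closes (constructed).
FAIR = run(['think.0', 'get.0.1', 'get.0.0', 'eat.0', 'put.0.1', 'put.0.0',
            'think.1', 'get.1.0', 'get.1.1', 'eat.1', 'put.1.0', 'put.1.1'], loop=1)
# The property of the example above for N = 2: always eventually eat.0 and always eventually eat.1.
NO_STARVATION = ('and', G(F(('a', 'eat.0'))), G(F(('a', 'eat.1'))))

def check(lasso, formula):
    """True iff the lasso satisfies the formula; False means the lasso is a counterexample."""
    return lasso.sat(formula, 0)

if __name__ == '__main__':
    print(check(STARVING, NO_STARVATION), check(FAIR, NO_STARVATION))   # False True
```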
The simplicity of writing formulas concerning events, as in the above example, is not purely a matter of aesthetics. It may yield gains in time and space [11]. Given an extended LTL formula, a trace-equivalent Büchi automaton is constructed efficiently using the state-of-the-art conversion proposed in [18]. In other words, we adopt the automata-based approach to explicit LTL model checking used by Spin [20]. Note that, for efficiency reasons, the Büchi automata are transition-labeled (instead of state-labeled).
Example The following is the Büchi automaton generated from the negation of the formula $\Box\Diamond eat_0 \wedge \Box\Diamond eat_1$,
[Figure: Büchi automaton with states $s_0$, $s_1$ and $s_2$; its transitions are labeled $*$, $\neg eat_0$ (two transitions) and $\neg eat_1$ (two transitions).]
where $s_0$ is the initial state, $s_1$ and $s_2$ are two accepting states and $*$ means the transition is unguarded. $\neg e$ means the transition can be labeled with any event but $e$.
Let $B_{\neg\varphi}$ be the Büchi automaton constructed from the property $\neg\varphi$. In the explicit model checking approach, the product of $B_{\neg\varphi}$ and $P$ is generated (as in Spin). Explicit model checking determines the emptiness of $L_P \times B$, i.e., explores on-the-fly whether the product contains a loop which includes at least one accepting state. Finite traces are extended to infinite ones in the standard way. In the presence of a counterexample, on-the-fly model checking usually produces a trace leading to a bad state or a loop quickly (refer to Section 4.2). However, the counterexample produced may be extremely long because it relies on a depth-first search. Bounded model checking may then be used to produce a shorter trace which leads to the same bad state or loop, although, because of the Büchi automaton, the generated counterexample may not be the shortest. Nonetheless, our bounded model checker can be used as a separate model checker.
For bounded model checking, because $L_P$ may not be built, we encode the Büchi automaton and then compose it with the encoding of the model (i.e., $\mathcal{E}_P$). Given a guard $g$ labeling a transition of $B$, let $\Pi(g, \vec{xe}^B_i, \vec{xs}^B_{i+1})$ be the encoded guard, e.g., $\Pi(e, \vec{xe}^B_i)$ if $g$ is an event $e$, $\neg\Pi(e, \vec{xe}^B_i)$ if $g$ is $\neg e$, or $\Pi(g_1, \vec{xe}^B_i, \vec{xs}^B_{i+1}) \wedge \Pi(g_2, \vec{xe}^B_i, \vec{xs}^B_{i+1})$ if $g$ is $g_1 \wedge g_2$.
Definition Let $P$ be a process. Let $\mathcal{E}_P = (I_P, T^P_i, \vec{xs}^P_i, \vec{xe}_i)$. Let $B$ be a Büchi automaton $(S, I, T, F)$. $\mathcal{E}_B = (I_B, T^B_i, \vec{xs}^B_i, \vec{xe}_i)$ where
$$T^B_i = \bigvee \{ \Pi_B(s, \vec{xs}^B_i) \wedge \Pi(g, \vec{xe}^B_i, \vec{xs}^B_{i+1}) \wedge \Pi_B(s', \vec{xs}^B_{i+1}) \mid (s, g, s') \in T \}$$
The encoding of the product of $P$ and $B$ is $(I, T_i, \vec{xs}_i, \vec{xe}_i)$ where $I = I_B \wedge I_P$, $\vec{xs}_i = \vec{xs}^P_i \cup \vec{xs}^B_i$ and $T_i = T^P_i \wedge T^B_i$.
Because $P$ and $B$ share the same alphabet as well as the variables to encode the events, transitions of $P$ and $B$ are always synchronized. $P$ violates the property if and only if the language of $P \times B$ is not empty. Let $F_B(\vec{xs}_i) = \bigvee \{ \Pi_B(s, \vec{xs}_i) \mid s \text{ is an accepting state of } B \}$ be the encoded accepting states. The following theorem states the correctness of our bounded model checking.
Theorem 4.1 Given a process $P$ and a Büchi automaton $B$ constructed from $\neg\varphi$, let $\mathcal{E}_{P \times B} = (I, T_i, \vec{xs}_i, \vec{xe}_i)$ be the encoding of $P \times B$. Let $k$ be a bound. The following formula is satisfiable iff there is a counterexample of size $k$.
$$[[P, \varphi]]_k = I \wedge \bigwedge_{i=1}^{k} T_i \wedge [[\neg\varphi]]_k$$
where $[[\neg\varphi]]_k$ is $\bigvee_{i=1}^{k-1} \big\{ \vec{xs}_k \Leftrightarrow \vec{xs}_i \wedge \bigvee_{j=i}^{k} \{ F_B(\vec{xs}_j) \} \big\}$.
The proof is sketched in the following. A solution to $[[P, \varphi]]_k$ is an assignment of true or false to $\bigcup_{i=1}^{k+1} \vec{xs}_i$ and $\bigcup_{i=1}^{k} \vec{xe}_i$ as well as the control variables (if any), from which we can identify a finite run $\langle s_1, e_1, s_2, e_2, \cdots, s_k, e_k, s_{k+1} \rangle$. Because $I$ must be true, $s_1$ is an initial state. Because $T_i$ must be true, by Theorem 3.1, $s_i \xRightarrow{e_i} s_{i+1}$ for all $1 \le i \le k$. Thus, the sequence of states/events identified must be a run of $P$ (as well as a finite prefix of a trace of $\varphi$). The constraint $[[\neg\varphi]]_k$ states that the finite run must contain a loop, i.e., $\vec{xs}_k \Leftrightarrow \vec{xs}_i$ for some $i$, and the loop must contain at least one accepting state, i.e., there exists some $j$ satisfying $i \le j \le k$ such that $s_j$ is accepting. Therefore, the finite run identifies an infinite trace which is allowed by $P$ and violates $\varphi$.
4.2. Performance Evaluation
In this section, we present a number of experiments to show the feasibility of applying SAT-based model checking to process algebras. The effectiveness of our compositional encoding is straightforward to see: when compositional encoding applies, the encoding time is often negligible and the size of the formula is comparable to that of the formula generated by constructing the LTS¹.
For time efficiency, we compare our analyzer with FDR and Spin. FDR is the de facto model checker for CSP, which has been actively developed for years. We choose Spin over others because it is the most established explicit model checker and its input language is loosely based on CSP. Note that partial order reduction, which partly accounts for Spin's success, has been implemented in our analyzer. We choose not to compare our bounded model checker with NuSMV because SMV focuses on a different application domain (i.e., circuit verification), in which the transition relation is often known statically. Our bounded model checker has been evaluated with two award-winning SAT solvers, i.e., MiniSAT and RSAT [1].
Figure 1 summarizes the performance using three benchmark models, i.e., the dining philosophers problem as in Example 3.2 (against the property in Example 4.1), the classic readers/writers problem and Milner's cyclic scheduler. The readers/writers model describes a protocol for coordination of N readers and N writers accessing a shared resource. The property to verify is reachability of an erroneous situation (i.e., wrong readers/writers coordination). Milner's cyclic scheduler describes a scheduler for N concurrent processes. The processes are scheduled in cyclic fashion so that the first process is reactivated after the N-th process has been activated. The property to verify is that a process must eventually be scheduled. Details of the models and more experiments can be found at [23].
¹ Depends on whether the processes are strongly coupled or not.
[Figure 1: four log-scale charts. Dining Philosophers, Readers-Writers and Milner's Scheduler plot verification time (sec.) against the number of philosophers (5 to 16), readers/writers (8 to 17) and processes (5 to 14) for FDR, SPIN, PAT-Exp and PAT-SAT; Dining Philosopher SAT Experiments plots the number of variables, the estimated number of states and the time (sec.) against 2 to 16 philosophers.]
Figure 1. Performance Evaluation with a 2.0 GHz Intel Core Duo CPU and 1 GB memory
Note that the experiment results on FDR should be taken with a grain of salt, since the
results are obtained by showing a (failure) refinement rela-
tionship between the system model and a process capturing
the property to verify. For the dining philosopher example
(the left-upper chart), our on-the-fly explicit model checker
(referred as PAT-Exp) performs best to produce a coun-
terexample. Our bounded model checker (referred as PAT-
SAT) outperforms Spin for 13 or more philosophers. The
main reason is that the LTL to Bu¨chi automata conversion
in Spin suffers from large LTL formulae, i.e., takes more
time and produces bigger automata. All verifiers outper-
forms FDR (except PAT-SAT for small number of philoso-
phers because of the encoding overhead), which is not fea-
sible for more than 12 philosophers. For the readers/writers
example, all verifiers except FDR produces a counterexam-
ple efficiently. Note that for every experiment Spin takes
less than a few seconds to build model-specific executables.
For the Milner’s example, the full state space (which is ex-
ponentially increasing without partial order reduction) must
be explored because the property to verify is true. SAT out-
performs FDR for 12 or more processes. This suggests that
SAT-based model checking has the potential to handle large
state space. Moreover, the current implementation of PAT-
SAT may be improved by orders of magnitude should we
incorporate recently development on incremental bounded
model checking and more [22, 24]. Nonetheless, bounded
model checking currently is mainly for falsification (if with-
out a proper threshold bound). The time taken by Spin and
PAT-Exp remains constant. This should be credited to the
partial order reduction. In the future, sophisticated opti-
mization techniques like symmetry reduction will be incor-
porated into our analyzer. The right-bottom chart summa-
rizes the performance our SAT-based verifier in terms of the
size of the generated formula, the time needed for encoding
and solving against the number of states of the model. The
estimated number of states increase exponentially whereas
the number of Boolean variables and the time needed in-
crease much slower.
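To make the readers/writers benchmark and the falsification caveat above concrete, here is an added example in Python. It is not code from the paper or from the PAT tool; the readers/writers model, its controller and the error predicate are constructed for this illustration, and the search is an explicit bounded breadth-first search over a CSP-style alphabetised parallel composition rather than the paper's SAT encoding. It shows the shortest counterexample for a faulty controller, a None verdict when the bound is too small, and, for the corrected controller, that the whole reachable state space (2^N + N states, growing exponentially in N as in the right-bottom chart) fits inside the bound, which turns the bounded result into a proof.

```python
"""Bounded reachability checking over a CSP-style parallel composition.
Added illustration, not the paper's PAT tool or its benchmark files; the
readers/writers model below is constructed for this example.  A process is a
finite LTS; a shared event fires only when every process owning it can engage."""
from collections import deque

def process(init, trans):
    """A process: initial state, alphabet and a (state, event) -> state map."""
    return {"init": init, "alpha": frozenset(e for _, e in trans), "trans": trans}

def enabled_moves(procs, state):
    """Yield (event, successor) pairs enabled in the composite `state`."""
    for e in sorted(set().union(*(p["alpha"] for p in procs))):
        nxt, ok = list(state), True
        for i, p in enumerate(procs):
            if e in p["alpha"]:
                s2 = p["trans"].get((state[i], e))
                if s2 is None:
                    ok = False  # an owner of `e` cannot engage, so `e` is blocked
                    break
                nxt[i] = s2
        if ok:
            yield e, tuple(nxt)

def bounded_check(procs, is_error, bound):
    """Breadth-first search for an error state within at most `bound` events.
    Returns (trace, states_seen, exhausted): `trace` is the event sequence to
    the first error state found, or None; `exhausted` is True when no unseen
    state lies beyond the bound, i.e. the bound was a completeness threshold
    and a None result is a proof rather than a merely bounded verdict."""
    init = tuple(p["init"] for p in procs)
    parent, frontier, exhausted = {init: None}, deque([(init, 0)]), True
    while frontier:
        s, depth = frontier.popleft()
        if is_error(s):
            trace = []
            while parent[s] is not None:
                s, e = parent[s]
                trace.append(e)
            return trace[::-1], len(parent), exhausted
        for e, s2 in enabled_moves(procs, s):
            if s2 in parent:
                continue
            if depth == bound:
                exhausted = False  # an unexplored state exists past the bound
                continue
            parent[s2] = (s, e)
            frontier.append((s2, depth + 1))
    return None, len(parent), exhausted

def agent(i, act):
    """Reader (act='read') or writer (act='write') i: idle, then busy, then idle."""
    return process("idle", {("idle", f"start_{act}.{i}"): "busy",
                            ("busy", f"end_{act}.{i}"): "idle"})

def controller(n, faulty):
    """Resource guard with state (active readers, writer holds resource).
    The faulty variant admits a writer while readers are active, the kind of
    wrong coordination the reachability property in the paper looks for."""
    trans = {}
    for r in range(n + 1):
        for w in (False, True):
            for i in range(n):
                if not w and r < n:
                    trans[((r, w), f"start_read.{i}")] = (r + 1, w)
                if r > 0:
                    trans[((r, w), f"end_read.{i}")] = (r - 1, w)
                if not w and (faulty or r == 0):  # bug: `faulty` skips the r == 0 check
                    trans[((r, w), f"start_write.{i}")] = (r, True)
                if w:
                    trans[((r, w), f"end_write.{i}")] = (r, False)
    return process((0, False), trans)

def rw_system(n, faulty):
    """N readers and N writers sharing one resource behind the controller."""
    procs = ([controller(n, faulty)] + [agent(i, "read") for i in range(n)]
             + [agent(i, "write") for i in range(n)])

    def is_error(state):  # a writer busy together with a reader or another writer
        writers = state[1 + n:].count("busy")
        return writers > 1 or (writers == 1 and "busy" in state[1:1 + n])
    return procs, is_error

def reachable_states(n):
    """Reachable states of the corrected N-reader/N-writer model (2**n + n)."""
    return bounded_check(*rw_system(n, faulty=False), bound=10**6)[1]

if __name__ == "__main__":
    trace, seen, _ = bounded_check(*rw_system(3, faulty=True), bound=4)
    print("counterexample:", trace, "found after", seen, "states")
    for n in range(2, 7):
        print(n, "readers/writers, corrected model:", reachable_states(n), "states")
```

The `exhausted` flag is the practical point: a bounded checker that stops at depth k without recording whether anything lay beyond k can only falsify, which is the limitation noted above; once the frontier is known to be empty past the bound, the same search has covered the full state space, and the absence of an error is a proof for that model.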
5. Conclusion and Future Work
In summary, we have developed a way to encode compositional system models without explicitly exploring all reachable states. In addition, a self-contained toolkit has been developed for system specification and verification. We have implemented a user-friendly environment for writing CSP specifications, a simulator for examining and visualizing possible dynamic system behaviors, an explicit model checker and a bounded model checker. Experimental results show that our analyzer does verification rather efficiently. Though presented in the framework of CSP, our encoding of compositional processes may be applied to other formal specification languages and notations. The toolkit is a starting point for verification support for formal specification languages and notations. We are extending the input language with more expressive power (e.g., arrays, global variables, etc.) so as to broaden the application domain. Since our toolkit is designed to be extensible, we plan to support more specification languages like CCS, π-calculus, Timed Automata (which requires SMT capability, as demonstrated in [3]) or integrated formalisms like Circus or TCOZ.
As for related work, our work is related to the line of verifiers developed in the formal methods community, e.g., FDR for CSP, Spin and NuSMV. There are relatively few analysis tools for CSP, despite its popularity and influence over quite a number of design languages such as Ada and occam. The notable ones include the model checker FDR [21], the simulator ProBE and those translators that transform CSP models (or its extensions like Timed CSP) into other models so as to reuse existing verification mechanisms [6, 15, 16, 17]. FDR is the only model checker dedicated to CSP of which we are aware. FDR supports verification of process refinement relationships as well as deadlock/livelock-freeness. Compared to FDR, our toolkit allows system verification based on full LTL, as well as deadlock-freeness checking, feasibility tests, etc. In the future, we plan to extend our toolkit with the full functionality of FDR. Spin is the most established explicit model checker, and has been applied widely. In the literature, there have been a number of bounded model checkers dedicated to different specification languages. Some notable ones include the first bounded model checker [4], NuSMV [12] and UCLID [8]. However, as far as the authors know, there has not yet been a bounded model checker dedicated to process algebras, which have a compositional nature.
References
[1] SAT Competition. http://www.satcompetition.org/.
[2] R. Alur, L. J. Jagadeesan, J. J. Kott, and J. V. Olnhausen. Model-Checking of Real-Time Systems: A Telecommunications Application (Experience Report). In Proc. of the 19th Inter. Conf. on Soft. Eng. (ICSE’97), pages 514–524, 1997.
[3] A. Armando, J. Mantovani, and L. Platania. Bounded Model Checking of Software Using SMT Solvers Instead of SAT Solvers. In Proc. of the 13th Inter. SPIN Workshop on Model Checking Software (SPIN 2006), pages 146–162, 2006.
[4] A. Biere, A. Cimatti, E. M. Clarke, and Y. S. Zhu. Symbolic Model Checking without BDDs. In Proc. of the 5th Inter. Conf. on Tools and Algorithms for Construction and Analysis of Systems (TACAS’99), pages 193–207. Springer, 1999.
[5] A. Biere, E. M. Clarke, R. Raimi, and Y. S. Zhu. Verifying Safety Properties of a Power PC Microprocessor Using Symbolic Model Checking without BDDs. In Proc. of the 11th Inter. Conf. on Computer Aided Verification (CAV’99), pages 60–71. Springer, 1999.
[6] P. Brooke. A Timed Semantics for a Hierarchical Design Notation. PhD thesis, University of York, 1999.
[7] S. D. Brookes, A. W. Roscoe, and D. J. Walker. An Operational Semantics for CSP. Technical report, 1986.
[8] R. E. Bryant, S. K. Lahiri, and S. A. Seshia. Convergence Testing in Term-Level Bounded Model Checking. In Proc. of the 12th IFIP WG 10.5 Advanced Research Working Conf. on Correct Hardware Design and Verification Methods (CHARME 2003), pages 348–362, 2003.
[9] J. R. Burch, E. M. Clarke, K. L. McMillan, and D. L. Dill. Sequential Circuit Verification Using Symbolic Model Checking. In Proc. of the 27th ACM/IEEE Design Automation Conf. (DAC’90), pages 46–51, 1990.
[10] J. R. Burch, E. M. Clarke, K. L. McMillan, D. L. Dill, and L. J. Hwang. Symbolic Model Checking: 10^20 States and Beyond. Inf. Comput., 98(2):142–170, 1992.
[11] S. Chaki, E. M. Clarke, J. Ouaknine, N. Sharygina, and N. Sinha. State/Event-Based Software Model Checking. In Proc. of the 4th Inter. Conf. on Integrated Formal Methods (IFM 2004), pages 128–147, 2004.
[12] A. Cimatti, E. M. Clarke, E. Giunchiglia, F. Giunchiglia, M. Pistore, M. Roveri, R. Sebastiani, and A. Tacchella. NuSMV 2: An OpenSource Tool for Symbolic Model Checking. In Proc. of the 14th Inter. Conf. on Computer Aided Verification (CAV 2002), pages 359–364, 2002.
[13] E. M. Clarke, A. Biere, R. Raimi, and Y. S. Zhu. Bounded Model Checking Using Satisfiability Solving. Formal Methods in System Design, 19(1):7–34, 2001.
[14] E. M. Clarke, O. Grumberg, and D. A. Peled. Model Checking. The MIT Press, 2000.
[15] J. S. Dong, P. Hao, S. C. Qin, J. Sun, and Y. Wang. Timed Patterns: TCOZ to Timed Automata. In Proc. of the 6th Inter. Conf. on Formal Engineering Methods (ICFEM 2004), pages 483–498. Springer, 2004.
[16] J. S. Dong, P. Hao, J. Sun, and X. Zhang. A Reasoning Method for Timed CSP Based on Constraint Solving. In Proc. of the 8th Inter. Conf. on Formal Engineering Methods (ICFEM 2006), pages 342–359. Springer, 2006.
[17] J. S. Dong, Y. Liu, J. Sun, and X. Zhang. Verification of Computation Orchestration Via Timed Automata. In Proc. of the 8th Inter. Conf. on Formal Engineering Methods (ICFEM 2006), 2006.
[18] P. Gastin and D. Oddoux. Fast LTL to Büchi Automata Translation. In Proc. of the 13th Inter. Conf. on Computer Aided Verification (CAV 2001), pages 53–65. Springer, 2001.
[19] C. A. R. Hoare. Communicating Sequential Processes. Inter. Series in Computer Science. Prentice-Hall, 1985. New version at www.usingcsp.com/cspbook.pdf.
[20] G. J. Holzmann. The Model Checker SPIN. IEEE Trans. on Soft. Eng., 23(5):279–295, 1997.
[21] A. W. Roscoe. The Theory and Practice of Concurrency. Prentice-Hall, 1997.
[22] O. Strichman. Accelerating Bounded Model Checking of Safety Properties. Formal Methods in System Design, 24(1):5–24, 2004.
[23] J. Sun, Y. Liu, and J. S. Dong. A Simulator and Model Checker for CSP. http://www.comp.nus.edu.sg/~liuyang/pat/, 2007.
[24] W. Zhang. SAT-Based Verification of LTL Formulas. In Proc. of the 11th Inter. Workshop FMICS 2006, pages 277–292, 2006.
