A Partial Order Reduction Algorithm without the Proviso
Ratan Nalumasu
Ganesh Gopalakrishnan
UUCS-98-017
Department of Computer Science
University of Utah
Salt Lake City, UT 84112 USA
August 19, 1998

Abstract
This paper presents a partial order reduction algorithm, called Two phase, that preserves stutter free 
LTL properties. Two phase dramatically reduces the number of states visited compared to previous 
partial order reduction algorithms on most practical protocols. The reason can be traced to a step 
of the previous algorithms, called the proviso step, that specifies a condition on how a state that 
closes a loop is expanded. Two phase avoids this step, and uses a new execution approach to obtain 
the reductions. Two phase can be easily combined with an on-the-fly model-checking algorithm 
to reduce the memory requirements further. Furthermore a simple but powerful selective-caching 
scheme can also be added to Two phase. Two phase has been implemented in a model-checker 
called PV (Protocol Verifier) and is in routine use on large problems.
Keywords: Partial order reductions, explicit enumeration, temporal logic, on-the-fly model-checking, 
concurrent protocol verification
1 Introduction
With the increasing scale of software and hardware systems and the corresponding increase in the number and complexity of concurrent protocols involved in their design, formal verification of concurrent protocols is an important practical need. Automatic verification of finite state systems based on explicit state enumeration methods [CES86, Hol91, Dil96, HP96] has shown considerable promise in real-world protocol verification problems and has been used with success on many industrial designs [Hol97, DPN93]. Using most explicit state enumeration tools, a protocol is modeled as a set of concurrent processes communicating via shared variables and/or communication channels [HP96, Dil96]. The tool generates the state graph represented by the protocol and checks the desired temporal properties on that graph. A common problem with this approach is that the state graphs of most practical protocols are quite large, and the size of the graph can increase exponentially with the size of the protocol, a phenomenon commonly referred to as state explosion.
The interleaving model of execution used by these tools is one of the major causes of state explosion. This is shown through a simple example in Figure 1. Figure 1(a) shows a system with two processes P1 and P2, and Figure 1(b) shows the state space of this example. If the property under consideration does not involve at least one of the variables X and Y, then one of the two shaded states need not be generated, thus saving one state. A straightforward extension of this example to n processes would reveal that an interleaving model of execution would generate $2^n$ states where n + 1 would suffice.
Partial order reductions attempt to bring such reductions by exploiting the fact that in realistic pro­
tocols, there are many transitions that “commute” with each other, and hence it is sufficient to 
explore those transitions in any one order to preserve the truth value of the temporal property under 
consideration. In essence, from every state, a partial order reduction algorithm selects a subset of 
transitions to explore, while a normal graph traversal such as depth first search (DFS) algorithm 
would explore all transitions. Partial order reduction algorithms play a very important role in miti­
gating state explosion, often reducing the computational and memory cost by an exponential factor.
Figure 1: (a) a simple system with two processes P1 and P2; (b) the state graph of P1 and P2 in (a).
This paper presents a new partial order reduction algorithm called Two phase that in most practical cases outperforms existing implementations of partial order reductions. The algorithm is implemented in a tool called PV (“Protocol Verifier”) that finds routine application in our research. To our knowledge, so far there have been only two partial order reduction algorithms which have implementations: the algorithm presented in [Pel96, HP94] and the algorithm of [God95]. The [Pel96, HP94] algorithm is implemented in the explicit state enumeration model-checker SPIN, and also in the implicit state exploration tools VIS and COSPAN [ABHQ97, KLM+97, NK95]. The [God95] algorithm is implemented in the PO-PACKAGE tool. Both these algorithms solve the ignoring problem by using provisos, whose need was first recognized by Valmari [Val92]. A proviso ensures that the subset of transitions selected at a state does not generate a state that is in the stack maintained by the DFS algorithm. If a subset of transitions satisfying this check cannot be found at a state s, then all transitions from s are executed by the DFS algorithm. The provisos used in the two implementations, [God95] and [HP94], differ slightly. The [God95] algorithm (and also the [HGP92] algorithm) requires that at least one of the selected transitions does not generate a state in the stack, whereas [HP94] requires the stronger condition that no selected transition generates a state in the stack. The stronger proviso is sufficient to preserve all stutter free linear time temporal logic (LTL-X) formulae (safety and liveness), whereas the weaker proviso preserves only stutter free safety properties [HGP92, HP94, Pel93, Pel96]. We observed that in a large number of practical examples arising in our problem domain, such as validation of directory based coherence protocols and server-client protocols, the provisos cause all existing partial order reduction algorithms to be ineffective. As an example, on invalidate, a distributed shared memory protocol described later, the algorithm of [HP94] aborts its search by running out of memory after generating more than 270,000 states when limited to 64MB of memory. The algorithm of [God95] also aborts its search after generating a similar number of states. We believe, based on our intuitions, that protocols of this complexity ought to be easy for on-the-fly explicit enumeration tools to handle, an intuition confirmed by the fact that our partial order reduction algorithm, Two phase, which does not use the proviso, finishes comfortably on this protocol. In fact, as shown in Section 6, in all non-trivial examples Two phase outperforms proviso based algorithms. Two phase is implemented in a model-checker called PV (“Protocol Verifier”). The tool can be obtained by contacting the authors.
The first major difference between Two phase and other partial order reduction algorithms is the way the algorithms expand a given state. Other partial order reduction algorithms attempt to expand each state visited during the search using a subset of the enabled transitions at that state. To address the ignoring problem, the algorithms use a proviso (or a condition very similar to the provisos). The Two phase search strategy is completely different: when it encounters a new state x, it first expands the state using only deterministic transitions in its first phase, resulting in a state y. (Informally, deterministic transitions are the transitions that can be taken at the state without affecting the truth value of the property being verified.) Then in the second phase, y is expanded completely. The advantage of this search strategy is that it is not necessary to use a proviso. As the results in Section 6 show, this often results in a much smaller graph.
The second major difference is that Two phase naturally supports selective caching in conjunction with on-the-fly model-checking. An explicit enumeration search algorithm typically saves the list
of visited states in a hash table (“cached”). Since the number of visited states is large, it would 
be beneficial if not all visited states need to be stored in the hash table, referred to as selective 
caching. On-the-fly model-checking means that the algorithm finds if the property is true or not 
as the state graph of the system is being constructed (as opposed to finding only after the graph is 
completely constructed). It is difficult to combine the on-the-fly model-checking algorithm, partial- 
order reductions, and selective-caching together due to the need to share information among these 
three aspects. [HPY96] showed that previous attempts at combining proviso based algorithms with 
the on-the-fly algorithm of [CVWY90] have been erroneous. However, thanks to the simplicity 
of the first phase of Two phase algorithm, it can be combined easily with the on-the-fly algorithm 
of [CVWY90]. Also Two phase lends itself to be used in conjunction with a simple but effective 
selective-caching strategy, and its correctness is very easy to establish.
To summarize, the contributions of this paper are:
1. A new partial order reduction algorithm called Two phase that does not use the proviso,
2. A proof of correctness of Two phase,
3. A selective caching scheme that can be quite naturally integrated with Two phase, and
4. An evaluation of performance of the algorithm compared to other implementations using the 
PV model-checker.
The rest of the paper is organized as follows. Section 2 presents definitions and background. Section 3 presents the basic depth first search algorithm and the partial order reduction algorithm of [Pel96] (the algorithms in [Val92, HP94, God95] are very similar). Section 4 presents Two phase, together with a proof that Two phase preserves all LTL-X properties. Section 5 presents the on-the-fly model-checking algorithm of [CVWY90] and discusses how it can be combined with Two phase. This section also presents a selective caching strategy and shows how it can be combined with Two phase. Section 6 compares the performance of the [Pel96] algorithm (implemented in Spin) with that of Two phase (implemented in PV), and provides a qualitative explanation of the results. Finally, Section 7 provides concluding remarks.
Related work
Lipton [Lip75] suggested a technique to avoid exploring the entire state graph to find if a concur­
rent system deadlocks. Lipton notes that execution of some transitions can be postponed as much 
as possible (right movers) and some transitions can be executed as soon as possible (left movers) 
without affecting the deadlocks. Partial order reductions can be considered as a generalization of 
this idea to verify richer properties than just deadlocks.
Valmari [Val92, Val93] has presented a technique based on stubborn sets to construct a reduced graph that preserves the truth value of all stutter free LTL formulae. The [Val92] algorithm uses a general version of the proviso mentioned above. The [Val93] algorithm does not use the proviso, but avoids the ignoring problem by choosing “large stubborn sets”. [GW92, GP93, God95] present a partial order theory based on traces to preserve safety properties, using a slight variation of the proviso, implemented in PO-PACKAGE. [Pel96] presents a partial order reduction algorithm based on ample sets and the strong proviso. [HP94] presents an algorithm very similar to and based on the algorithm of [Pel96], implemented in Spin [HP96]. The [Pel96] algorithm is discussed in Section 3. Since the implementations of the two algorithms are similar, whenever one algorithm fails to bring much reduction, so does the other.
The version of the proviso discussed earlier, which first appeared in [Pel93], is shown to be sufficient to preserve all liveness properties. In [Val92] a more general condition for correctness is given: if (a) every elementary loop in the reduced graph contains at least one state where all global transitions (visible transitions in their terminology) are expanded, and (b) at every state s, if there is an enabled local transition, then the set of transitions chosen to be expanded at s contains at least one local transition, then the reduced graph preserves all LTL-X formulae on global transitions. Two phase does not use the provisos, and instead uses deterministic transitions to bring the reductions. Two phase has been previously reported in [NG97b, NG97a, NG96].
2 Definitions and Notation
We assume a process oriented modeling language with each process maintaining a set of local variables that only it can access. The values of these local variables form the local state of the process. For convenience, we assume that each process maintains a distinguished local variable called the program counter (“control state”). A concurrent system, or simply system, consists of a set of processes, a set of global variables, and point-to-point channels of finite capacity to facilitate communication among the processes. The global state, or simply the “state” of the system, consists of the local states of all the processes, the values of the global variables, and the contents of the channels. S denotes the set of all possible states (“syntactic states”) of the system, obtained simply by taking the Cartesian product of the ranges of all variables (local variables, global variables, program counters, and the channels) in the system. The range of every variable (local, global, and channel) is assumed to be finite, hence S is also finite.
Each program counter of a process is associated with a finite number of transitions. A transition of a process P can read/write the local variables of P, read/write the global variables, send a message on a channel on which it is a sender, and/or receive a message from a channel for which it is a receiver. A transition may not be enabled in some states (for example, a receive action on a channel is enabled only when the channel is non-empty). If a transition t is enabled in a state s ∈ S, then the state it produces is uniquely defined. Non-determinism can be simulated simply by having multiple transitions from a given program counter. We use t, t' to indicate transitions, s ∈ S to indicate a state in the system, t(s) to indicate the state that results when t is executed from s, P to indicate a sequential process in the system, pc(s, P) to indicate the program counter (control state) of P in s, and pc(t) to indicate the program counter with which the transition t is associated.
local: A transition (a statement) is said to be local if it does not involve any global variable.
global: A transition is said to be global if it involves one or more global variables. Two global transitions of two different processes may or may not commute, while two local transitions of two different processes always commute.
internal: A control state (program counter) of a process is said to be internal if all the transitions associated with it are local transitions.
unconditionally safe: A local transition t is said to be unconditionally safe if, for all states s ∈ S, if t is enabled (disabled) in s, then it remains enabled (disabled) in t'(s), where t' is any transition of another process. Note that if t is an unconditionally safe transition, by definition it is also a local transition. From this observation it follows that executing t and t' in either order yields the same state, i.e., t and t' commute. This property of commutativity forms the basis of the partial order reduction theories.
Note that channel communication statements are not unconditionally safe: if a transition t in process P attempts to read, and the channel is empty, then the transition is disabled; however, when a process Q writes to that channel, t becomes enabled. Similarly, if a transition t of process P attempts to send a message through a channel, and the channel is full, then t is disabled; when a process Q consumes a message from the channel, t becomes enabled.
conditionally safe: A conditionally safe transition t behaves like an unconditionally safe transition in some of the states, characterized by a safe execution condition p(t) ⊆ S. More formally, a local transition t of process P is said to be conditionally safe whenever, in every state s ∈ p(t), if t is enabled (disabled) in s, then t is also enabled (disabled) in t'(s), where t' is a transition of a process other than P. In other words, t and t' commute in the states represented by p(t).
Channel communication primitives are conditionally safe. If t is a receive operation on channel c, then its safe execution condition is “c is not empty”. Similarly, if t is a send operation on channel c, then its safe execution condition is “c is not full”.
safe: A transition t is safe in a state s if t is an unconditionally safe transition, or t is conditionally safe and its safe execution condition is true in s, i.e., s ∈ p(t).
deterministic: A process P is said to be deterministic in s, written deterministic(P, s), if the control state of P in s is internal, all transitions of P from this control state are safe in s, and exactly one transition of P is enabled.
independent: Two transitions t and t' are said to be independent of each other iff at least one of the transitions is local, and they belong to different processes.
The partial order reduction algorithms such as [Val92, Pel96, HP94, God95] use the notion of an ample set based on safe transitions. Our Two phase algorithm uses the notion of deterministic processes to bring reductions. The proof of correctness of the Two phase algorithm uses the notion of independent transitions.
2.1 Linear temporal logic and Büchi automata
An LTL-X formula is an LTL formula without the next time operator X. Formally, LTL-X (linear-time logic without the next time operator, or stutter free LTL) is defined from atomic propositions $p_1 \ldots p_n$ by means of boolean connectives and the □ (“always”), ◇ (“eventually”) and U (“until”) operators. If $\sigma = \sigma(0)\,\sigma(1) \ldots$ is an infinite sequence of states, each assigning a truth value to $p_1 \ldots p_n$, and $\phi$ is an LTL-X formula, then the satisfaction relation $\sigma \models \phi$ is defined as follows, where $\sigma(i)\ldots\sigma(\omega)$ denotes the suffix of $\sigma$ starting at position $i$:

$$\begin{aligned}
\sigma \models p_i &\ \text{ iff }\ \sigma(0) \models p_i\\
\sigma \models \phi_1 \wedge \phi_2 &\ \text{ iff }\ \sigma \models \phi_1 \text{ and } \sigma \models \phi_2\\
\sigma \models \neg\phi &\ \text{ iff }\ \neg(\sigma \models \phi)\\
\sigma \models \Box\phi &\ \text{ iff }\ \forall i \ge 0:\ \sigma(i)\ldots\sigma(\omega) \models \phi\\
\sigma \models \Diamond\phi &\ \text{ iff }\ \exists i \ge 0:\ \sigma(i)\ldots\sigma(\omega) \models \phi\\
\sigma \models \phi_1\,\mathcal{U}\,\phi_2 &\ \text{ iff }\ \exists i \ge 0:\ \sigma(i)\ldots\sigma(\omega) \models \phi_2\ \text{ and }\ \forall j,\ 0 \le j < i:\ \sigma(j)\ldots\sigma(\omega) \models \phi_1
\end{aligned}$$

If M is a concurrent system, then $M \models \phi$ is true iff for each sequence $\sigma$ generated by M from the initial state, $\sigma \models \phi$.
Büchi automata [vL90] are non-deterministic finite automata with an acceptance condition that specifies which infinite words (ω-words) are accepted by the automaton. Formally, a Büchi automaton is a tuple $A = (Q, q_0, \Sigma, \Delta, F)$ where Q is the set of states, $q_0$ is the initial state, Σ is the input alphabet, $\Delta \subseteq Q \times \Sigma \times Q$ is the transition relation, and $F \subseteq Q$ is the set of final states. A run of A on an ω-word $a = a(0)\,a(1)\ldots$ from $\Sigma^\omega$ is an infinite sequence of states $\sigma = \sigma(0)\,\sigma(1)\ldots$ such that $\sigma(0) = q_0$ and $(\sigma(i), a(i), \sigma(i+1)) \in \Delta$ for all $i \ge 0$. The word a is accepted by A iff at least one state of F appears infinitely often in σ.
The model-checking problem, $M \models \phi$, may be viewed as an automata-theoretic verification problem, $L(M) \subseteq L(\phi)$, where $L(M)$ and $L(\phi)$ are the languages accepted by M and by the linear-time temporal formula φ respectively. If an ω-automaton such as a Büchi automaton $A_{\neg\phi}$ accepts the language $L(\neg\phi)$, the complement of $L(\phi)$, the verification problem $L(M) \subseteq L(\phi)$ can be answered by constructing the state graph of the synchronous product of M and $A_{\neg\phi}$, $S = M \otimes A_{\neg\phi}$. If any strongly connected component of the graph represented by S satisfies the acceptance condition of $A_{\neg\phi}$ then and only
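The product construction and the SCC-based acceptance check described above, as an added example that is not code from the paper or from PV. The system M is state-labelled, the automaton reads the label of the current M state on each edge, and a violation is reported when a non-trivial SCC (one containing at least one edge) of the product holds a state whose automaton component is final. The property φ = □(p → ◇q), the three-state automaton for ¬φ, and the two small systems M_OK and M_BAD are all constructed for the example.

```python
"""Automata-theoretic check of M |= phi through the product S = M (x) A_{not phi}.

Added example for this page, not code from the paper or from PV. M is a
state-labelled transition system, A is a Buechi automaton for the negated
property whose edges are guarded by predicates over the label of the current
M state, and a violation exists iff the product has a reachable non-trivial
SCC (an SCC with at least one edge inside it) containing a state whose
automaton component is in F.
"""

def product(M, A):
    """Build the reachable part of M (x) A. Returns (initial state, adjacency dict).
    M = {"init", "succ", "label"}; A = {"q0", "delta": [(q, guard, q')], "F"}."""
    init = (M["init"], A["q0"])
    adj, stack = {}, [init]
    while stack:
        s = stack.pop()
        if s in adj:
            continue                      # already expanded
        m, q = s
        adj[s] = []
        for q1, guard, q2 in A["delta"]:
            if q1 == q and guard(M["label"][m]):   # A reads the label of the current M state
                for m2 in M["succ"][m]:
                    adj[s].append((m2, q2))
                    stack.append((m2, q2))
    return init, adj

def sccs(adj):
    """Tarjan's algorithm; returns the list of strongly connected components."""
    index, low, on_stack, stack, out = {}, {}, set(), [], []
    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v); on_stack.add(v)
        for w in adj[v]:
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:            # v is the root of an SCC
            comp = []
            while True:
                w = stack.pop(); on_stack.discard(w); comp.append(w)
                if w == v:
                    break
            out.append(comp)
    for v in adj:
        if v not in index:
            visit(v)
    return out

def accepting_scc(M, A):
    """Return an SCC of M (x) A witnessing M |=/= phi, or None if M |= phi."""
    _, adj = product(M, A)
    for comp in sccs(adj):
        nontrivial = len(comp) > 1 or comp[0] in adj[comp[0]]   # at least one edge inside
        if nontrivial and any(q in A["F"] for _, q in comp):
            return comp
    return None

# Assumed property phi = [](p -> <>q); A_NOT_PHI accepts its negation <>(p /\ [] not q).
# State 1 is the accepting state; guards are evaluated on the label of the M state.
A_NOT_PHI = {"q0": 0,
             "delta": [(0, lambda l: True, 0),
                       (0, lambda l: "p" in l and "q" not in l, 1),
                       (1, lambda l: "q" not in l, 1)],
             "F": {1}}

# Constructed systems: M_OK answers every p with a later q; M_BAD reaches p and then never q.
M_OK = {"init": 0, "succ": {0: [1], 1: [2], 2: [0]},
        "label": {0: set(), 1: {"p"}, 2: {"q"}}}
M_BAD = {"init": 0, "succ": {0: [1], 1: [3], 3: [3]},
         "label": {0: set(), 1: {"p"}, 3: set()}}

if __name__ == "__main__":
    print(accepting_scc(M_OK, A_NOT_PHI))    # None
    print(accepting_scc(M_BAD, A_NOT_PHI))   # [(3, 1)]
```

The witness returned for M_BAD is the product state (3, 1): M sits in its q-free sink while the automaton stays in its final state, which is exactly an SCC satisfying the Büchi acceptance condition. Section 5 of the paper does this check on the fly rather than after building the whole product.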




/* No states are visited */
V_f := {};
/* No edges are visited */
E_f := {};
dfs(InitialState);

dfs(s)
{
    V_f := V_f + {s};
[1] foreach enabled transition t in s do
[2]     E_f := E_f + {(s, t, t(s))};
        if t(s) ∉ V_f then
            dfs(t(s))
        endif
    endforeach
}

Figure 2: Basic depth first search algorithm
3 Basic DFS and Proviso Based Partial Order Reduction Algorithms
Figure 2 shows the basic depth first search (DFS) algorithm used to construct the full state graph of a protocol. V_f is a hash table (“visited”) used to cache all the states that are already visited. Statement [1] shows that the algorithm expands all transitions from a given state. Statement [2] shows how the algorithm constructs the state graph of the system in E_f.
Partial order reduction based search algorithms attempt to replace [1] by choosing a subset of transitions. The idea is that if two transitions t and t' commute with each other in a state s, and if the property to be verified is insensitive to the execution order of t and t', then the algorithm can explore t(s), postponing examination of t' to t(s). Of course, care must be exercised to ensure that no transition is postponed forever, commonly referred to as the ignoring problem. The essential nature of these algorithms is shown as dfs_po in Figure 3. This algorithm uses ample(s) to select a subset of transitions to expand at each step. When ample(s) returns a proper subset of the enabled transitions, the following conditions must hold: (a) the transitions returned commute with all other transitions, (b) none of the transitions results in a state that is currently being explored (as indicated by its presence in the redset variable maintained by dfs_po).
The intuitive reasoning behind condition (b) is that, if two states s and s' can reach each other, then without this condition s might delegate expansion of a transition to s' and vice versa, hence never exploring that transition at all. Condition (b), sometimes referred to as the reduction proviso or simply the proviso, is enforced by the highlighted line in ample(s). If a transition, say t, is postponed at s, then it must be examined at a successor of s to avoid the ignoring problem. However, if the successor t'(s) is itself being explored (i.e., t'(s) ∈ redset), then a circularity results if t'(s) might have postponed t. To break the circularity, ample(s) ensures that t'(s) is not in redset. As we shall see in Section 5.1, the dependency of ample on redset to evaluate the set of transitions has some very important consequences when on-the-fly model-checking algorithms are used.
dfs_po(s)
{
    /* Record the fact that s is partly expanded in redset */
    redset := redset + {s};
    V_r := V_r + {s};
    /* ample(s) uses redset */
[1] foreach transition t in ample(s) do
[2]     E_r := E_r + {(s, t, t(s))};
        if t(s) ∉ V_r then
            dfs_po(t(s));
        endif;
    endforeach;
    /* s is completely expanded. So remove it from redset */
    redset := redset - {s};
}

ample(s)
{
    foreach process P do
        acceptable := true;
        T := all transitions t of P such that pc(t) = pc(s, P);
        foreach t in T do
            if (t is global) or
               (t is enabled and t(s) ∈ redset) or      /* the proviso */
               (t is conditionally safe and s ∉ p(t)) then
                acceptable := false;
            endif
        endforeach;
        if acceptable and T has at least one enabled transition
            return enabled transitions in T;
        endif;
    endforeach;
    /* No acceptable subset of transitions is found */
    return all enabled transitions;
}

Figure 3: Proviso based partial order reduction algorithm
3.1 Efficacy of partial order reductions
The partial order reduction algorithm shown in Figure 3 can reduce the number of states by an exponential factor [HP94, Pel96]. However, in many practical protocols, the reductions are not as effective as they could be. The reason can be traced to the use of the proviso. This is motivated using the system shown in Figure 4. Figure 4(a) shows a system consisting of two sequential processes P1 and P2 that do not communicate at all, i.e., t1 ... t4 commute with t5 ... t8. The total number of states in this system is 9. The optimal reduced graph for this system contains 5 states, shown in Figure 4(b).
Figure 4(c) shows the state graph generated by the partial order reduction algorithm of Figure 3. This graph is obtained as follows. The initial state is <s0,s0>. ample(<s0,s0>) may return either {t1, t3} or {t5, t7}. Without loss of generality, assume that it returns {t1, t3}, resulting in states <s1,s0> and <s2,s0>. Again without loss of generality, assume that the algorithm chooses to expand <s1,s0> first, where transitions {t2} of P1 and {t5, t7} of P2 are enabled. t2(<s1,s0>) = <s0,s0>, and when dfs_po(<s1,s0>) is called, redset = {<s0,s0>}. As a result ample(<s1,s0>) cannot return {t2}; it returns {t5, t7}. Executing t5 from <s1,s0> results in <s1,s1>, the third state in the figure. Continuing this way, the graph shown in Figure 4(c) is obtained. Note that this graph contains all 9 reachable states of the system, thus showing that a proviso based partial order reduction algorithm might fail to bring appreciable reductions. As confirmed by the examples in Section 6, the algorithm may not bring much reduction in realistic protocols either.
Figure 4: (a) a trivial system; (b) its optimal reduced graph; (c) the reduced graph generated by dfs_po.
4 The Two Phase Algorithm
As the previous contrived example shows, the size of the reduced graph generated by a proviso based algorithm can be quite high. This is true even for realistic reactive systems. In most reactive systems, a transaction typically involves a subset of the processes. For example, in a server-client model of computation, a server and a client may communicate without any interruption from other servers or clients to complete a transaction. After the transaction is completed, the state of the system is reset to the initial state. If the partial order reduction algorithm uses the proviso, this resetting cannot be reflected in the reduced graph, as the initial state will be in the stack until the entire reachability analysis is completed. Since at least one process is then not reset, the algorithm generates unnecessary states, thus increasing the number of states visited, as already demonstrated in Figure 4. Section 6 will demonstrate that in realistic systems also the number of extra states generated due to the proviso can be high.
We propose a new algorithm, Two phase (Figure 5), that does not use the proviso, thus avoiding generating the extra states. In the first phase (phase1), Twophase executes deterministic processes, resulting in a state s. In the second phase, all enabled transitions at s are examined. The Two phase algorithm outperforms dfs_po (and PO-PACKAGE) when the proviso is invoked often, as confirmed by the examples in Section 6. Note that phase1 is more general than coarsening of actions. In coarsening of actions, two or more actions of a given process are combined together to form a larger




V_r := {};
E_r := {};

phase1(in)
{
    s := in;
    list := {s};
    path := {};
    foreach process P do
        while (deterministic(s, P))
            /* Let t be the only enabled transition in P */
            olds := s;
            s := t(olds);
            path := path + {(olds, t, s)};
            if (s ∈ list)
                goto NEXT_PROC;
            endif
[1]         list := list + {s};
        endwhile;
    NEXT_PROC: /* next process */
    endforeach;
    return (path, s);
}

Twophase(s)
{
    /* Phase 1 */
    (path, s) := phase1(s);
    /* Phase 2: Classic DFS */
    if s ∉ V_r then
        /* fe is used in the proof */
[1]     V_r := V_r + all states in path;
[2]     E_r := E_r + path;
        fe := fe + {s};
        foreach enabled transition t do
[3]         E_r := E_r + {(s, t, t(s))};
            if t(s) ∉ V_r then
                Twophase(t(s));
            endif;
        endforeach;
    else
[1']    V_r := V_r + all states in path;
[2']    E_r := E_r + path;
    endif;
}

Figure 5: Two phase algorithm
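The three search algorithms of Figures 2, 3 and 5 run on the system of Figure 4, as an added example that is not part of the original paper and is not the PV implementation. It reproduces the trace of Section 3.1 (dfs_po visits all 9 states because the proviso rejects every return to a state on the stack) and shows that Twophase reaches the optimal 5. Assumptions made for the example: the Figure 4 processes have control states 0, 1, 2 with local transitions 0→1, 1→0, 0→2, 2→0 (t1..t4 for P1, t5..t8 for P2); processes are iterated P1 first, as in the Section 3.1 trace; because every transition is local and unconditionally safe and every control state is internal, deterministic(P, s) reduces to “exactly one transition of P enabled” and ample() reduces to the proviso alone; and “all states in path” is read as including both endpoints of the path.

```python
"""Full DFS (Figure 2), proviso-based dfs_po (Figure 3) and Two phase (Figure 5)
run on the system of Figure 4.

Added example written for this page; it is not the paper's PV code. The system
is the Figure 4 one: two processes that never communicate, each with control
states 0, 1, 2 and the local transitions 0->1, 1->0, 0->2, 2->0 (t1..t4 for P1,
t5..t8 for P2). A state is the tuple of program counters. Every transition is
local and unconditionally safe and every control state is internal, so the
global-variable and channel checks of ample() and deterministic() reduce to
what is written below. Processes are iterated P1 first, as in Section 3.1.
"""
from collections import namedtuple

Trans = namedtuple("Trans", "proc src dst name")   # proc: process index, src/dst: pc values

def figure4_system():
    ts = []
    for proc, base in ((0, 1), (1, 5)):             # P1 -> t1..t4, P2 -> t5..t8
        ts += [Trans(proc, 0, 1, f"t{base}"),     Trans(proc, 1, 0, f"t{base + 1}"),
               Trans(proc, 0, 2, f"t{base + 2}"), Trans(proc, 2, 0, f"t{base + 3}")]
    return ts

def enabled(ts, s, proc=None):
    """Transitions whose pc matches pc(s, P); optionally restricted to one process."""
    return [t for t in ts if s[t.proc] == t.src and (proc is None or t.proc == proc)]

def fire(t, s):
    """t(s): only the program counter of t's process changes."""
    s = list(s); s[t.proc] = t.dst; return tuple(s)

def dfs(ts, init):
    """Figure 2: every enabled transition is expanded at every state."""
    visited = set()
    def rec(s):
        visited.add(s)
        for t in enabled(ts, s):
            if fire(t, s) not in visited:
                rec(fire(t, s))
    rec(init)
    return visited

def dfs_po(ts, init, nprocs):
    """Figure 3: ample set of one process, rejected by the proviso when any of its
    transitions leads back into redset (the states currently on the DFS stack)."""
    visited, redset = set(), set()
    def ample(s):
        for p in range(nprocs):
            T = enabled(ts, s, p)      # all transitions at pc(s,P); none is global or guarded here
            if T and all(fire(t, s) not in redset for t in T):   # the proviso
                return T
        return enabled(ts, s)          # no acceptable subset: expand fully
    def rec(s):
        redset.add(s); visited.add(s)
        for t in ample(s):
            if fire(t, s) not in visited:
                rec(fire(t, s))
        redset.discard(s)              # s is completely expanded
    rec(init)
    return visited

def twophase(ts, init, nprocs):
    """Figure 5: phase 1 follows deterministic processes, phase 2 expands the
    resulting state completely. No proviso is needed."""
    visited, fe = set(), set()         # fe: completely expanded states (used in the proof)
    def deterministic(s, p):
        # pc internal and all transitions safe hold by construction; one enabled transition?
        return len(enabled(ts, s, p)) == 1
    def phase1(s):
        path, seen = [], {s}           # seen is the 'list' of Figure 5
        for p in range(nprocs):
            while deterministic(s, p):
                (t,) = enabled(ts, s, p)
                olds, s = s, fire(t, s)
                path.append((olds, t, s))
                if s in seen:          # closed a loop: goto NEXT_PROC
                    break
                seen.add(s)
        return path, s
    def rec(s):
        path, end = phase1(s)
        fresh = end not in visited
        visited.update({s, end} | {x for a, _, b in path for x in (a, b)})  # all states in path
        if fresh:
            fe.add(end)
            for t in enabled(ts, end):
                if fire(t, end) not in visited:
                    rec(fire(t, end))
    rec(init)
    return visited

def compare():
    ts, init = figure4_system(), (0, 0)
    return {"dfs": len(dfs(ts, init)), "dfs_po": len(dfs_po(ts, init, 2)),
            "twophase": len(twophase(ts, init, 2))}

if __name__ == "__main__":
    print(compare())   # {'dfs': 9, 'dfs_po': 9, 'twophase': 5}
```

At <s0,s0> neither process is deterministic (two transitions each are enabled), so Twophase expands it fully; from each of the four successors phase1 runs the single enabled transition straight back to <s0,s0>, which is already in V_r, and the else branch only records the path. The proviso never gets a chance to force a full expansion because phase 1 does not consult the stack at all.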
4.1 Correctness of Two phase algorithm
We show that the graph generated by Twophase, $G_r = (V_r, E_r)$, satisfies an LTL-X property φ iff the graph generated by dfs, $G_f = (V_f, E_f)$, also satisfies φ.
Lemma 1 (Termination) All calls made to phase1 and Twophase terminate.
Proof: In phase1, a new state is added to list every time the body of the while loop is executed (otherwise the loop is left through NEXT_PROC). Since the number of states in the system is finite, the loop terminates, hence so does phase1. Similarly, at least one new state is added to $V_r$ every time Twophase is called recursively. Hence these calls also terminate. □
Notation: If G = (V, E) is a graph, then a sequence of G is of the form $s_1 \xrightarrow{t_1} s_2 \xrightarrow{t_2} s_3 \ldots$ where each $s_i$ is in V and $(s_i, t_i, s_{i+1})$ is in E. A sequence may be finite or infinite. $\sigma, \rho, \sigma_1, \rho_1$ etc. are used to denote sequences. If $\sigma = s_1 \xrightarrow{t_1} \ldots s_i \ldots s_j \ldots$ is a sequence in G, $\sigma(i)\ldots\sigma(j)$ indicates the subsequence $s_i \ldots s_j$, and $\sigma(i)\ldots\sigma(\mathit{inf})$ indicates the subsequence of σ starting from $s_i$ till the end of σ (if σ is finite, this is equivalent to $s_i \ldots s_n \xrightarrow{t_n} s_{n+1}$ where $s_n \xrightarrow{t_n} s_{n+1}$ is the last transition of σ). □
From the construction, it is clear that $G_r$ is a subgraph of $G_f$. Hence all paths in $G_r$ are also paths in $G_f$, and so if $G_f$ satisfies φ then so does $G_r$. Now we show that if $G_f$ violates φ, then so does $G_r$. Let σ be a path in $G_f$ starting from the initial state that reveals the violation of φ. The construction below shows how to transform σ successively, obtaining “equivalent” sequences $\sigma_1, \ldots, \sigma_n = \rho$, where ρ is a sequence in $G_r$ that shows the violation of φ. To do so, first we need to establish that from every state $x \in V_r$ there is a path to a state $y \in V_r$ where y is completely expanded. Note that when a state y is completely expanded, Twophase adds y to fe (the line of Figure 5 marked as used in the proof).
Lemma 2 (ReachFE) If x is a state in $V_r$, then there is a finite sequence $\Pi_x$ in $G_r$, of length zero or more, such that $\Pi_x$ takes x to a state $y \in fe$. In addition, if $(s, t, s')$ is a transition in $\Pi_x$ where t belongs to process P, then P is deterministic in s.
Proof: The proof is by constructing $\Pi_x$ that satisfies the lemma. x is added to $V_r$ either on line [1] or on line [1'] of Twophase. We show that the lemma holds by a simple induction on the order in which the states are added to $V_r$.
Induction basis: During the first call of Twophase, $V_r$ is empty; hence the then clause of the outermost if statement is executed. At this time, all states in path are added to $V_r$, and s is completely expanded by the foreach statement. For a state x in path, the lemma holds with y = s and $\Pi_x$ being the sub path of path starting from x.
Induction hypothesis: Assume that the lemma holds for the states added to $V_r$ during the first i calls of Twophase.
Induction step: x is added to $V_r$ in the (i+1)th call of Twophase. There are two cases to consider:
Case i: x is added to $V_r$ on line [1]. This case is similar to the induction basis: the lemma holds with y = s and $\Pi_x$ the sub path of path from x to s.
Case ii: x is added to $V_r$ on line [1'] (in the else clause). In this case s is already in $V_r$. By the induction hypothesis, there is a finite sequence σ from s to some y in fe. Let ρ be the sub path of path from x to s. The lemma holds with $\Pi_x$ being the concatenation of ρ and σ. □
Note 1 If $\sigma = s_1 \xrightarrow{t_1} s_2 \ldots$ is a (finite or infinite) sequence in $G_f$, l is a local transition of process P, no transitions of P are in σ, and l is enabled at $s_1$, then the sequence σ' obtained by prepending l to σ (executing l at $s_1$ and then $t_1, t_2, \ldots$ in turn) is a sequence in $G_f$, and σ and σ' satisfy the same set of LTL-X formulae on the global transitions.
Note 2 If σ and σ' are two sequences in $G_f$ starting from x and the sequence of transitions in σ' is a permutation of the sequence of transitions in σ such that only consecutive independent transitions are reordered, then σ and σ' satisfy the same set of LTL-X formulae on the global transitions.
Lemma 3 Let $s_1 \xrightarrow{t_1} s_2 \xrightarrow{t_2} \cdots \xrightarrow{t_{n-1}} s_n$ be a subsequence of $\Pi_x$ for some $x \in V_R$, and let $t_m$ be the first transition of some process $P$ in it. If $\rho$ is a sequence in $G_F$ starting from $s_1$ that does not contain $t_m$, then $\rho$ contains no transitions from $P$. (This implies that $t_m$ is independent of all transitions in $\rho$.)
Proof: Assume that the lemma is false, i.e., $\rho$ contains a transition $u$ of $P$ such that $u \neq t_m$. We show that this leads to a contradiction. From the assumptions that $s_m \xrightarrow{t_m} s_{m+1}$ is in $\Pi_x$, that $t_m$ and $u$ belong to the same process, and that $u$ is executed in $\rho$, it is clear that:
O1 $u$ and $t_m$ are safe at $s_m$,
O2 $t_m$ is enabled at $s_m$, and $u$ is disabled at $s_m$,
O3 $u$ continues to be disabled from every state in a sequence starting from $s_m$ until at least $t_m$ is executed,
O4 $u$ is executed in $\rho$ after some finite number of transitions, and
O5 none of the transitions in $t_1 \ldots t_{m-1}$ belong to $P$.
We transform an initial segment of $\rho_0 = \rho$ successively into $\rho_1, \rho_2, \ldots, \rho_{m-1}$ such that
C1 $\rho_i$ and $\Pi_x$ are identical for the first $i$ transitions, and
C2 if $u$ is executed at some state in $\rho_i$ then it is also executed at some state (possibly different) in $\rho_{i+1}$.
By construction $\rho_i$ and $\Pi_x$ are identical up to the first $i$ transitions. Now we construct $\rho_{i+1}$ from $\rho_i$ such that $\rho_{i+1}$ and $\Pi_x$ are identical up to the first $i+1$ transitions, and if $u$ is executed in some state in $\rho_i$ then it is also executed in some state in $\rho_{i+1}$. Finally we show that $u$ is not executed in any state of $\rho_{m-1}$, which implies that it is not executed in any state of $\rho_0 = \rho$, leading to a contradiction with (O4) above. There are two cases to consider.
Case 1 (Figure 6): $t_{i+1}$ does not appear in $\rho_i$ at all. $\rho_{i+1}$ is constructed by simply inserting $t_{i+1}$ at the appropriate position, as shown in Figure 6. If $u$ is in $\rho_i$ then it will also be in $\rho_{i+1}$.
Case 2 (Figure 7): $t_{i+1}$ appears in $\rho_i$. $\rho_{i+1}$ is obtained by moving $t_{i+1}$ such that it is executed from $s_{i+1}$. (Since $t_{i+1}$ is a local transition and is enabled at $s_{i+1}$, this reordering is allowed.) If $u$ is in $\rho_i$, then it is also in $\rho_{i+1}$.
Figure 6: $\rho_{i+1}$ is obtained from $\rho_i$ by adding $t_{i+1}$ to $\rho_i$ (a subsequence of $\Pi_x$)
Figure 7: $\rho_{i+1}$ is obtained from $\rho_i$ by moving $t_{i+1}$ into the appropriate position (a subsequence of $\Pi_x$)
At the end of the construction, the first $m-1$ transitions of $\rho_{m-1}$ are $t_1 \ldots t_{m-1}$, $t_m$ is not in $\rho_{m-1}$, and $u$ is disabled at every state after $s_m$ in $\rho_{m-1}$ (observation O3). In other words, $u$ is not in $\rho_{m-1}$. From C2, we can conclude that $u$ is not in $\rho_0 = \rho$, which contradicts (O4). □
Lemma 4 Let $\sigma$ be a (finite or infinite) sequence from a state $x$ in $G_F$. If $x$ is also in $V_R$, then there is a sequence $\rho$ from $x$ in $G_R$ that satisfies exactly the same set of LTL-X formulae on global transitions as $\sigma$.
Proof: The proof is by constructing a $\rho$ that satisfies the lemma. This construction is very similar to the construction in Lemma 3. The construction transforms $\sigma$ successively into $\sigma_1, \sigma_2, \ldots$ such that at each step the validity of LTL formulae is not affected, and the last sequence is $\rho$ (if $\sigma$ is infinite, the construction is also infinite). If $\sigma$ contains no transitions (i.e., $\sigma = x$), then $\rho$ is equal to $\sigma$. Otherwise, let $\sigma = x \xrightarrow{a} y \cdots \sigma(\mathrm{inf})$, i.e., let the first transition be $a$.
Case 1: $x$ is either expanded by Twophase in phase 2, or $x$ is expanded in phase 1 by transition $a$. From the algorithm it is clear that $y \in V_R$. In this case, $\rho$ also starts with $a$, and $\rho(2) \ldots \rho(\mathrm{inf})$ is obtained by applying this construction to $y$ and $\sigma(2) \ldots \sigma(\mathrm{inf})$.
Case 2: $x$ is expanded in phase 1 by a transition $b_1$ different from $a$. Let $\Pi_x$ (Lemma 2) be the finite sequence $(x = s_1) \xrightarrow{b_1} s_2 \cdots s_j \xrightarrow{b_j} s_{j+1}$.
Case 2.1: $a$ is in $\{b_1 \ldots b_j\}$. Let $t$ be the smallest $1 \le t \le j$ such that $b_t = a$. In this case let the sequence $\rho$ be $(x = s_1) \xrightarrow{b_1} \cdots s_t$. (Construction continues at "Case 2 (Contd)" below.)
Case 2.2: $a$ is not in $\{b_1 \ldots b_j\}$. In this case, let $t$ be $j+1$, and $\rho$ be $\Pi_x$ (i.e., $\rho = (x = s_1) \xrightarrow{b_1} \cdots s_t$). (Construction continues at "Case 2 (Contd)" below.)
Case 2 (Contd): By construction, $\rho = (x = s_1) \xrightarrow{b_1} s_2 \cdots s_{t-1} \xrightarrow{b_{t-1}} s_t$ is in $G_R$, and $s_t \xrightarrow{a} a(s_t)$ is in $G_R$. By Lemma 3, all transitions in $\rho$ are independent of $a$. Now $\sigma_1, \sigma_2, \ldots, \sigma_{t-1}$ are constructed such that $\sigma_i$ and $\rho$ are identical up to the first $i$ transitions. (Since $\rho$ is in $G_R$, $\sigma_i(1) \ldots \sigma_i(i+1)$ is also in $G_R$.) Let $\sigma_0$ be $\sigma$. $\sigma_{i+1}$ is obtained from $\sigma_i$ as follows.
Case 2.a: $b_{i+1}$ does not occur in $\sigma_i(i+1) \ldots \sigma_i(\mathrm{inf})$. From Lemma 3, $b_{i+1}$ is independent of all transitions in $\sigma_i(i+1) \ldots \sigma_i(\mathrm{inf})$. $\sigma_{i+1}$ is obtained by inserting $b_{i+1}$ into $\sigma_i$ at position $i+1$. From Note 1, $\sigma_i$ and $\sigma_{i+1}$ satisfy the same set of LTL-X formulae on global transitions. (Construction continues at "Case 2 (Contd)" below.)
Case 2.b: $b_{i+1}$ first appears in $\sigma_i(i+1) \ldots \sigma_i(\mathrm{inf})$ at the $l$th position. Again from Lemma 3, $b_{i+1}$ is independent of all transitions in $\sigma_i(i+1) \ldots \sigma_i(l-1)$. In this case, $\sigma_{i+1}$ is obtained from $\sigma_i$ by moving $b_{i+1}$ from the $l$th position to the $(i+1)$th position. By Note 2, $\sigma_i$ and $\sigma_{i+1}$ satisfy the same set of LTL-X formulae on global transitions. (Construction continues at "Case 2 (Contd)" below.)
Case 2 (Contd): By construction, the first $t-1$ transitions of $\sigma_{t-1}$ are the transitions of $\rho$, and the $t$th transition is $a$. The initial segment of $\rho$ will be the first $t$ transitions of $\sigma_{t-1}$, i.e., $(x = s_1) \xrightarrow{b_1} s_2 \cdots \xrightarrow{b_{t-1}} s_t \xrightarrow{a} a(s_t)$. From the construction of $\rho$, it is clear that this segment is in $G_R$. $\rho(t+2) \ldots \rho(\mathrm{inf})$ is obtained by recursively applying this construction to the sequence $\sigma_{t-1}(t+2) \ldots \sigma_{t-1}(\mathrm{inf})$ from the state $a(s_t)$. □
Theorem 1 Let $\phi$ be an LTL-X formula on global transitions. $\phi$ holds in $G_F$ from the initial state iff it holds in the $G_R$ generated by Twophase.
Proof: If $\phi$ is true in $G_F$, then since $G_R$ is a subgraph of $G_F$, it is also true in $G_R$. If $\phi$ is false in $G_F$, let $\sigma$ be a sequence starting from the initial state that shows the violation. Since the initial state is added to $V_R$, by the above lemma a $\rho \in G_R$ can be constructed that reveals the violation of $\phi$. □
5 On-the-Fly Model-checking
A model-checking algorithm is said to be on-the-fly if it examines the state graph of the system as it builds the graph, in order to find the truth value of the property under consideration. If the truth value of the property can be evaluated by inspecting only a subgraph, then the algorithm need not generate the entire graph. Since the state graph of many protocols is quite large, an on-the-fly model-checking algorithm might be able to find errors in protocols that are otherwise impossible to analyze.
As discussed in Section 2.1, the model checking problem $M \models \phi$ can be equivalently viewed as answering the question whether the graph represented by $S = M \otimes A_{\neg\phi}$, the synchronous product of the model $M$ and the Büchi automaton representing $\neg\phi$, contains no path satisfying the acceptance condition of $A_{\neg\phi}$. The algorithms dfs and dfs_po are not on-the-fly model-checking algorithms, since they construct the graph in $E_F$ or $E_R$, which must be analyzed later to find whether the acceptance condition of the Büchi automaton $A_{\neg\phi}$ is met. Note that $E_F$ and $E_R$ hold the information about the edges traversed as part of the search.
The condition that there is an infinite path in $E$ ($E_F$ or $E_R$) that satisfies the acceptance condition of $A_{\neg\phi}$ can be equivalently expressed as: there is a strongly connected component (SCC) in the graph that satisfies the acceptance condition. Tarjan [Tar72] presented a DFS-based on-the-fly algorithm to compute SCCs without storing any edge information. Since space is at a premium for most verification problems, not having to store the edge information can be a major benefit of using this algorithm. This algorithm uses one word of overhead per state visited and traverses the graph twice.
[CVWY90] presents an on-the-fly model-checking algorithm, shown in Figure 8, to find whether a graph has at least one infinite path satisfying a Büchi acceptance condition. Note that while Tarjan's algorithm can find all strongly connected components that satisfy the acceptance condition of $A_{\neg\phi}$, the [CVWY90] algorithm is guaranteed to find only one infinite path satisfying the acceptance condition. Since the presence of such an infinite path implies that the property is violated, it is usually sufficient to find one infinite path. The attractiveness of the [CVWY90] algorithm comes from the fact that it can be implemented with only one bit per state, compared to one word per state in the case of Tarjan's algorithm. This algorithm, shown in Figure 8, consists of two DFS searches, dfs1 and dfs2. The outer dfs, dfs1, is very similar to dfs, except that instead of maintaining $E_F$, the algorithm calls an inner dfs, dfs2, after an accept state is fully expanded, and dfs2 finds if that
    V1 := ∅; V2 := ∅;
    dfs1(InitialState);

    dfs1(s)                                 /* outer dfs */
      V1 := V1 + {s};
  [1] foreach enabled transition t do
        if t(s) ∉ V1 then
          dfs1(t(s));
        endif;
      endforeach;
  [2] if s is an accept state and s ∉ V2 then   /* call nested dfs */
        seed := s;
        dfs2(s);
      endif;

    dfs2(s)                                 /* inner dfs */
      V2 := V2 + {s};
  [1] foreach enabled transition t do
        if t(s) = seed then error();
        elseif t(s) ∉ V2 then
          dfs2(t(s));
        endif;
      endforeach;

Figure 8: On-the-fly model-checking algorithm
violating $\phi$ can be found from the stack needed to implement dfs1 and dfs2.
This figure assumes that the full state graph is being generated. To use it along with partial order reductions, the statements labeled [1] can be appropriately modified to use the transitions in ample(s) (when used in conjunction with dfs_po) or the search strategy of Two phase. Earlier attempts at combining this on-the-fly model-checking algorithm with dfs_po have been shown to be incorrect in [HPY96]. The reason is that ample(s) depends on redset; hence when a state s is expanded on the highlighted lines in dfs1 and dfs2, ample(s) might evaluate to different values. If ample(s) returns different sets of transitions in dfs1 and dfs2, then even if an accept state s is reachable from itself in the graph constructed by dfs1, dfs2 might not be able to prove that fact. Since the information in redset is different for dfs1 and dfs2, ample(s) may indeed return different transitions, leading to an incorrect implementation. [HPY96] solves the problem using the following scheme: ample(s) imposes an ordering on the processes in the system. When ample(s) cannot choose a process, say $P_i$, in dfs1 due to the proviso, they choose ample(s) to be equal to all enabled transitions of s. In addition, one bit of information is recorded in V1 to indicate that s is completely expanded. When s is encountered as part of dfs2, this bit is inspected to find whether ample(s) must return all enabled transitions or whether it may return a subset of transitions without requiring the proviso. This strategy reduces the opportunities for obtaining effective reductions, but it is deemed a good price to pay for the ability to use the on-the-fly model-checking algorithm.
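The nested depth-first search of Figure 8 and the dfs1/dfs2 consistency requirement discussed above, as an added Python example that is not part of the paper or of PV. The product graph, its accept state and the history-dependent successor function are constructed for illustration; the latter stands in for an ample(s) that returns different transition sets in the two searches.

```python
"""Nested DFS of [CVWY90] (Figure 8) over a small constructed product graph.

Added example; not the paper's or PV's code.  Besides finding an accepting
lasso, it shows the failure mode described in the text: when the successor
function answers differently in dfs1 and dfs2, dfs2 can miss a cycle that
dfs1 already built.
"""
from typing import Callable, Dict, List, Optional, Set, Tuple

Succ = Callable[[str], List[str]]

# Constructed product graph (state -> successors).  The cycle b -> c -> b
# passes through the accept state b, so it is an accepting infinite path.
GRAPH: Dict[str, List[str]] = {
    "init": ["a", "b"],
    "a": ["b"],
    "b": ["c", "d"],
    "c": ["b"],
    "d": [],
}
ACCEPT: Set[str] = {"b"}


def full_succ(s: str) -> List[str]:
    """All enabled transitions of s (the full-graph case of Figure 8)."""
    return list(GRAPH[s])


def make_history_dependent_succ(graph: Dict[str, List[str]]) -> Succ:
    """Constructed stand-in for an ample(s) that depends on search history:
    the first expansion of a state returns all successors, later expansions
    (i.e. the one done by dfs2) return a smaller subset."""
    seen: Set[str] = set()

    def succ(s: str) -> List[str]:
        if s in seen:
            return graph[s][1:]
        seen.add(s)
        return list(graph[s])
    return succ


def nested_dfs(initial: str, succ: Succ,
               accept: Set[str]) -> Optional[Tuple[List[str], List[str]]]:
    """Return (prefix, cycle) of an accepting lasso, or None if none is found.

    V1 and V2 are the two visited sets of Figure 8; an implementation needs
    only one bit per state for each, which is the space advantage over
    Tarjan's SCC algorithm that the text discusses."""
    v1: Set[str] = set()
    v2: Set[str] = set()
    stack1: List[str] = []   # outer search stack: path from initial to seed
    stack2: List[str] = []   # inner search stack: path from seed back to seed

    def dfs2(s: str, seed: str) -> bool:
        v2.add(s)
        stack2.append(s)
        for t in succ(s):                    # statement labelled [1] in dfs2
            if t == seed:
                return True                  # error(): seed reaches itself
            if t not in v2 and dfs2(t, seed):
                return True
        stack2.pop()
        return False

    def dfs1(s: str) -> bool:
        v1.add(s)
        stack1.append(s)
        for t in succ(s):                    # statement labelled [1] in dfs1
            if t not in v1 and dfs1(t):
                return True
        if s in accept and s not in v2:      # statement labelled [2]
            if dfs2(s, s):                   # nested dfs with seed := s
                return True
        stack1.pop()
        return False

    if dfs1(initial):
        return list(stack1), list(stack2)    # both stacks form the counterexample
    return None
```

With `full_succ` the lasso init, a, b / b, c is reported; with the history-dependent successor function the same graph yields no counterexample, because dfs2 expanding b no longer sees the edge to c.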
Thanks to the independence of phase1 from global variables, including $V_R$, when phase1(s) is called in dfs2 the resulting state is exactly the same as when it is called in dfs1. Hence the on-the-fly model-checking algorithm can be used easily in conjunction with Two phase. In Section 5.2, it is argued that the combination of this on-the-fly model-checking algorithm and the selective caching technique can be used directly with Two phase.
5.1 Selective caching
Both Twophase and dfs_po, when used in conjunction with the [CVWY90] algorithm, obviate the need to maintain $E_R$. However, the memory required to hold $V_R$ can still be quite high for most practical protocols. Selective caching refers to the class of techniques where, instead of saving every visited state in $V_R$, only a subset of the states is saved.
There is a very natural way to incorporate selective caching into Twophase. Instead of adding list to $V_R$, only $s$ can be added. This guarantees that a given state always generates the same subgraph beneath it whether it is expanded as part of the outer dfs or the inner dfs; hence the [CVWY90] algorithm can still be used. Adding $s$ instead of list also means that the memory used for list in phase1 can be reused. Even the memory required to hold the intermediate variable list can be reduced: the only reason for maintaining this variable is to ensure that the while loop terminates. This can still be guaranteed if, instead of adding $s$ to list unconditionally, it is added only if "$s < \mathit{olds}$", where $<$ is any total ordering on $S$. PV uses bit-wise comparison as $<$.
5.2 Combining on-the-fly model-checking and selective caching with Two phase
When the selective caching technique is combined with Two phase, the execution goes as follows: a given state is first expanded by phase1, then the resulting state is added to $V_R$ and fully expanded. In other words, $V_R$ contains only fully expanded states, which implies that the state graph starting from a given state is the same in dfs1 and dfs2 of the on-the-fly algorithm. Hence, the on-the-fly algorithm and selective caching can be used together with Two phase.
6 Experimental Results
As already mentioned, Twophase outperforms the proviso-based algorithm dfs_po (implemented in SPIN) when the proviso is invoked often, as confirmed by the results in Table 1. This table shows the results of running dfs_po and Twophase (with and without selective caching enabled) on various protocols. The column corresponding to dfs_po shows the number of states entered in $V_R$ and the time taken in seconds by SPIN. The "all" column in Twophase shows the number of
    Protocol   dfs_po           Twophase
                                all               Selective
    B5         243/0.34         11/0.33           1/0.3
    W5         63/0.33          243/0.39          243/0.3
    SC3        17,741/4.6       2,687/1.6         733/1.4
    SC4        749,094/127      102,345/41.0      47,405/21.9
    Mig        113,628/14       22,805/2.6        9,185/1.7
    Inv        961,089/37       60,736/5.2        27,600/3.0
    Pftp       95,241/11.0      187,614/30        70,653/19
    Snoopy     16,279/4.4       14,305/2.7        8,611/2.4
    WA         4.8e+06/340      706,192/31        169,680/21
    UPO        4.9e+06/210      733,546/32        176,618/21
    ROWO       5.2e+06/330      868,665/44        222,636/32

Table 1: Number of states visited / time taken in seconds by the dfs_po algorithm and the Twophase algorithm on various protocols
The "Selective" column in Twophase shows the number of states entered in $V_R$ or list and the time taken in seconds when Twophase is run with selective caching. All verification runs were conducted on an Ultra-SPARC-1 with 512MB of DRAM.
Contrived examples: B5 is the system shown in Figure 4(a) with 5 processes. W5 is a contrived example to show that Twophase does not always outperform dfs_po. This system has no deterministic states; hence Twophase degenerates to a full search, while dfs_po can find significant reductions. SC is a server/client protocol consisting of $n$ servers and $n$ clients. A client chooses a server and requests a service. A service consists of two round-trip messages between server and client and some local computations. dfs_po cannot complete the graph construction for $n = 4$ when the memory is limited to 64MB; when the memory limit is increased to 128MB it generates 750k states.
DSM protocols: Mig and Inv are two cache coherency protocols used in the implementation of distributed shared memory (DSM) using a directory-based scheme in the Avalanche multiprocessor [CKK96]. In a directory-based DSM implementation, each cache line has a designated node that acts as its "home", i.e., the node that is responsible for maintaining the coherency of the line. When a node needs to access the line and does not have the required permissions, it contacts the home node to obtain them. Both Mig and Inv have two cache lines and four processes; two processors act as home nodes for the cache lines and the other two processors access the cache lines. Both algorithms can complete the analysis of Mig within 64MB of memory, but on Inv, dfs_po requires 128MB of memory. Twophase, on the other hand, finishes comfortably, generating a modest 27,600 states (with selective caching) or 60,736 states (without selective caching) in 64MB.
Protocols in the Spin distribution: The Pftp and Snoopy protocols are provided as part of the Spin distribution. On Pftp, dfs_po generates fewer states than Twophase without state caching. The reason is that there is very little determinism in this protocol. Since Twophase depends on determinism to obtain reductions, it generates a larger state space. However, with state caching, the number of states in the hash table goes down by a factor of 2.7. On Snoopy, even though Twophase generates fewer states, the numbers of states generated by dfs_po and Twophase (without selective caching) are too close to draw any meaningful conclusion. The reason for this is two-fold. First, this protocol contains some determinism, which helps Twophase. However, there are a number of deadlocks in this protocol; hence the proviso is not invoked many times, and the number of states generated is very close.
Memory model verification examples: WA, UPO, and ROWO test the interaction of the PA (Precision Architecture from Hewlett-Packard) memory ordering rules with the Runway bus protocol [BCS96, GGH+97]. Runway is a high-performance split-transaction bus designed to support the cache coherency protocols required to implement a symmetric multiprocessor (SMP). These three protocols consist of two HP PA models connected to the Runway bus, executing read and write instructions. The property of interest is whether the PA/Runway system correctly implements the memory consistency rules called write atomicity (WA), uniprocessor ordering (UPO), and read-order, write-order (ROWO) [Col92]. On these protocols, the number of states saved by dfs_po is approximately 25 times larger than the number of states saved by Twophase (with selective caching).
7 Conclusion
We presented a new partial order reduction algorithm, Two phase, that does not use the proviso, and formally proved that it preserves all LTL-X properties on global variables. We also showed how the algorithm can be combined with an on-the-fly model-checking algorithm. Since the algorithm does not use the proviso, it outperforms previous algorithms on protocols where the proviso is invoked often. Two phase also lends itself naturally to use in conjunction with a simple yet powerful selective caching scheme. Two phase is implemented in a model-checker called PV, which can be obtained by contacting the authors.
References
[ABHQ97] R. Alur, R. K. Brayton, T. A. Henzinger, and S. Qadeer. Partial-order reduction in symbolic state space exploration. Lecture Notes in Computer Science, 1254, 1997.
[BCS96] William R. Bryg, Kenneth K. Chan, and Nicholas S. Fiduccia. A high-performance, low-cost multiprocessor bus for workstations and midrange servers. Hewlett-Packard
[CES86] E. M. Clarke, E. A. Emerson, and A. P. Sistla. Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM Transactions on Programming Languages and Systems, 8(2):244-263, 1986.
[CKK96] John B. Carter, Chen-Chi Kuo, and Ravindra Kuramkote. A comparison of software and hardware synchronization mechanisms for distributed shared memory multiprocessors. Technical Report UUCS-96-011, University of Utah, Salt Lake City, UT, USA, September 1996.
[Col92] W. W. Collier. Reasoning About Parallel Architectures. Prentice-Hall, Englewood Cliffs, NJ, 1992.
[CVWY90] C. Courcoubetis, M. Vardi, P. Wolper, and M. Yannakakis. Memory efficient algorithms for the verification of temporal properties. In Computer Aided Verification, pages 233-242, June 1990.
[Dil96] David Dill. The Stanford Murphi verifier. In Rajeev Alur and Thomas A. Henzinger, editors, Computer Aided Verification, volume 1102 of Lecture Notes in Computer Science, pages 390-393, New Brunswick, New Jersey, July 1996. Springer-Verlag. Tool demo.
[DPN93] David L. Dill, Seungjoon Park, and Andreas Nowatzyk. Formal specification of abstract memory models. In Gaetano Borriello and Carl Ebeling, editors, Research on Integrated Systems, pages 38-52. MIT Press, 1993.
[GGH+97] G. Gopalakrishnan, R. Ghughal, R. Hosabettu, A. Mokkedem, and R. Nalumasu. Formal modeling and validation applied to a commercial coherent bus: A case study. In Hon F. Li and David K. Probst, editors, CHARME, Montreal, Canada, 1997.
Patrice Godefroid. Partial-Order Methods for the Verification of Concurrent Systems: An Approach to the State-Explosion Problem. PhD thesis, Université de Liège, 1994-95.
Patrice Godefroid and Didier Pirottin. Refining dependencies improves partial-order verification methods. In Computer Aided Verification, pages 438-450, Elounda, Greece, June 1993.
P. Godefroid and P. Wolper. Using partial orders for the efficient verification of deadlock freedom and safety properties. In Kim G. Larsen and Arne Skou, editors, Computer Aided Verification, volume 575 of LNCS, pages 332-342, Berlin, Germany, July 1992. Springer.
Gerard Holzmann, Patrice Godefroid, and Didier Pirottin. Coverage preserving reduction strategies for reachability analysis. In International Symposium on Protocol Specification, Testing, and Verification, Lake Buena Vista, Florida, USA, June 1992.
[Hol97] G. J. Holzmann. The model checker SPIN. IEEE Transactions on Software Engineering, 23(5):279-295, May 1997. Special issue on Formal Methods in Software Practice.
Gerard Holzmann and Doron Peled. An improvement in formal verification. In Proceedings of Formal Description Techniques, Bern, Switzerland, October 1994.
[HP96] Gerard J. Holzmann and Doron Peled. The state of SPIN. In Rajeev Alur and Thomas A. Henzinger, editors, Computer Aided Verification, volume 1102 of Lecture Notes in Computer Science, pages 385-389, New Brunswick, New Jersey, July 1996. Springer-Verlag. Tool demo.
[HPY96] G. J. Holzmann, D. Peled, and M. Yannakakis. On nested depth first search. In The SPIN Verification System, pages 23-32. American Mathematical Society, 1996. Proc. of the Second SPIN Workshop.
Robert P. Kurshan, Vladimir Levin, Marius Minea, Doron Peled, and Husnu Yenigun. Verifying hardware in its software context. In International Conference on Computer Aided Design, San Jose, CA, USA, 1997.
R. P. Kurshan. Computer-Aided Verification of Coordinating Processes: The Automata-Theoretic Approach. Princeton University Press, 1994.
Richard J. Lipton. Reduction: A method of proving properties of parallel programs. CACM, 18(12):717-721, December 1975.
Ratan Nalumasu and Ganesh Gopalakrishnan. Partial order reductions without the proviso. Technical Report UUCS-96-008, University of Utah, Salt Lake City, UT, USA, August 1996.
Ratan Nalumasu and Ganesh Gopalakrishnan. A new partial order reduction algorithm for concurrent system verification. In CHDL, pages 305-314, Toledo, Spain, April 1997. Chapman Hall, ISBN 0 412 78810 1.
Ratan Nalumasu and Ganesh Gopalakrishnan. PV: a model-checker for verifying LTL-X properties. In Fourth NASA Langley Formal Methods Workshop, pages 153-161. NASA Conference Publication 3356, 1997.
Ratan Nalumasu and Robert P. Kurshan. Translation between S/R and Promela. Technical Report ITD-95-27619V, Bell Labs, July 1995.
Doron Peled. All from one, one for all: On model checking using representatives. In Computer Aided Verification, pages 409-423, Elounda, Greece, June 1993.
Doron Peled. Combining partial order reductions with on-the-fly model-checking. Journal of Formal Methods in Systems Design, 8(1):39-64, 1996. Also in Computer Aided Verification, 1994.
[Tar72] R. Tarjan. Depth-first search and linear graph algorithms. SIAM Journal on Computing,
[Val92] Antti Valmari. A stubborn attack on state explosion. Journal of Formal Methods in Systems Design, 1:297-322, 1992. Also in Computer Aided Verification, 1990.
Antti Valmari. On-the-fly verification with stubborn sets. In Computer Aided Verification, pages 397-408, Elounda, Greece, June 1993.
J. van Leeuwen, editor. Handbook of Theoretical Computer Science, Volume B: Formal Models and Semantics. Elsevier / MIT Press, 1990.