Verification of Component-Based Systems via Predicate Abstraction and Simultaneous Set Reduction
Wang Qiang and Simon Bliudze
École polytechnique fédérale de Lausanne, Switzerland
qiang.wang@epfl.ch
simon.bliudze@epfl.ch
Abstract
This paper presents a novel safety property verification approach for component-based systems
modelled in BIP (Behaviour, Interaction and Priority), encompassing multiparty synchronisation
with data transfer and priority. Our contributions consist of: (1) an on-the-fly lazy predicate
abstraction technique for BIP; (2) a novel explicit state reduction technique, called simultaneous
set reduction, that can be combined with lazy predicate abstraction to prune the search space
of abstract reachability analysis; (3) a prototype tool implementing all the proposed techniques.
We also conduct thorough experimental evaluation, which demonstrates the effectiveness of our
proposed approach.
1998 ACM Subject Classification D.2.4 Software/Program Verification
Keywords and phrases Formal verification, predicate abstraction, component-based system, BIP
Digital Object Identifier 10.4230/LIPIcs.xxx.yyy.p
1 Introduction
BIP [2] is a component-based rigorous system design framework that advocates the methodology of correctness-by-construction. Rigorous system design can be understood as a formal, accountable and coherent process for deriving trustworthy implementations from high-level system models. It aims at guaranteeing the essential properties of a design at the earliest possible design phase, and then at automatically generating correct implementations by a sequence of property-preserving model transformations that progressively refine the models with details specific to the target platforms [22].
BIP supports the rigorous design flow with the well-defined BIP modelling language
and an associated tool-set. To model complex systems, the BIP language advocates the
principle of separation of concerns (i.e. computation and coordination), and provides a three-
layered mechanism for this purpose, i.e. Behaviour, Interaction, and Priority. Behaviour
is characterised by a set of atomic components, defined as automata extended with linear
arithmetic. Interaction represents the multiparty synchronisation of atomic components,
among which data transfer may take place. Priority can be used to schedule the interactions
or resolve conflicts when several interactions are enabled simultaneously.
In the BIP framework, DFinder [4] is the dedicated tool for automatic invariant generation
and safety properties verification. DFinder computes an invariant in a compositional manner:
it first computes a component invariant for each component over-approximating its behaviour
and then computes the interaction invariant characterising the coordination constraint of
all components. The invariant of the global system is then the conjunction of component
invariants and the interaction invariant. However, DFinder does not handle system models
© Wang Qiang and Simon Bliudze;
licensed under Creative Commons License CC-BY
Leibniz International Proceedings in Informatics
Schloss Dagstuhl – Leibniz-Zentrum für Informatik, Dagstuhl Publishing, Germany
with data transfer. This limitation hampers the practical application of DFinder and of
the BIP framework, since data transfer is necessary and common in the design of real-life
systems. Besides, it is not clear in DFinder how to refine the abstraction automatically when
the inferred invariant fails to justify the property.
Some other works on automatic verification of BIP models exist, but they all suffer from
certain limitations. The VCS [14] tool translates a BIP model into a symbolic transition
system and then performs the bounded model checking. It handles data transfer among
components, but only deals with finite domain variables. In [23], a timed BIP model is
translated into Timed Automata and then verified with Uppaal [3]. The translation handles
data transfers, but it is limited to BIP models with finite domain data variables. In [18],
the authors show an encoding of a BIP model into Horn Clauses, which are verified with
Eldarica [17], but they do not handle data transfers on interactions.
In [5], the authors instantiate the ESST (Explicit Scheduler Symbolic Thread) framework [8] for BIP, where a dedicated BIP scheduler is developed to orchestrate the abstract reachability analysis, and partial order reduction techniques [11] are applied to further boost the analysis. Although closely related, our approach is tailored for BIP and leverages its operational semantics to define the necessary minimal notion of abstract state, as opposed to that of ESST, where additional component status information and primitive functions have to be stored to account for the BIP scheduler.
Our approach is inspired by the idea of separating computation from coordination, advocated by the three-layered BIP modelling mechanism. In brief, we propose to decompose the verification of component-based systems into two levels by taking advantage of the structural features of such systems. Thus, we handle the computation of components and
the coordination among components separately. On the computation level, we exploit
the state-of-the-art counterexample guided abstraction refinement technique (e.g. lazy
abstraction [16, 15]) to analyse the behaviour of components; while on the coordination level,
we deal with the redundant interleavings by a novel explicit state reduction technique, called
simultaneous set reduction. The basic idea is that when two concurrent actions are enabled at
the same time, instead of taking into account all the possible interleavings, we may consider
executing them simultaneously. To this end, we make the following contributions in this
paper: (1) we propose an on-the-fly lazy predicate abstraction technique for the verification
of BIP models; (2) we propose a novel explicit state reduction technique (i.e. simultaneous set
reduction) to reduce the search space when performing the abstract reachability analysis; (3)
we have implemented the proposed techniques in our prototype tool and conducted thorough
experimental evaluation, which shows the proposed techniques are promising for verifying
generic BIP models.
2 BIP framework
In this section we introduce the syntax and semantics of a subset of the BIP language, which
encompasses the multiparty synchronisation and data transfer.
2.1 BIP modelling language
We use symbol Var to denote a finite set of variables with both finite and infinite domains. A
guard (or predicate) is a boolean expression over Var . An operation is either an assignment
or a sequence of assignments of the form x := exp, where x ∈ Var and exp is an expression
in linear arithmetic over Var . We denote by Guard and Op the set of guards and operations
over Var respectively, and Op includes a special operation skip, which has no effect on
variables in Var . Symbols can be indexed to refer to a specific component.
▶ Definition 1 (Atomic component). An atomic component is a tuple $B_i = (Var_i, Loc_i, Port_i, Trans_i, l^0_i)$, where:
1. $Var_i$ is a finite set of variables;
2. $Loc_i$ is a finite set of control locations;
3. $Port_i$ is a finite set of ports, which are labels on the transitions;
4. $Trans_i \subseteq Loc_i \times Guard_i \times Port_i \times Op_i \times Loc_i$ is a set of transitions with guards and operations over $Var_i$;
5. $l^0_i \in Loc_i$ is the initial control location.
Figure 1 An example BIP model: two components A and B, each with control locations S1 to S6 and transitions labelled by the ports insert, request, respond, valid, invalid, restart and error (indexed 1 for A and 2 for B); the transitions carry the operations x:=1; y:=z, z:=x, y:=0, z:=0 and x:=0; y:=0, and the error transitions are guarded by [x!=y].
The values of atomic component variables can be transferred to other components upon interaction (see Definition 2 below). However, they cannot be modified by the receiving components. Transitions are labelled by ports, which form the interface of atomic components, and are used for defining the interactions. A port is enabled iff the transition labelled by this port is enabled.
Given a set of atomic components $\{B_i\}_{i=1}^n$, we denote by $Port = \bigcup_{i=1}^n Port_i$ the set of all the ports and by $Var = \bigcup_{i=1}^n Var_i$ the set of all the variables belonging to the components $\{B_i\}_{i=1}^n$. Notice that we assume that all $Port_i$ and all $Var_i$, for $i = 1, \dots, n$, are pairwise disjoint. Thus, in particular, the scope of a variable can be considered to be the component to which it belongs. The model in Figure 1 has six variables: x, y and z in each of the two components A and B.
Composition of a set of atomic components is then specified by a set of interactions.
▶ Definition 2 (Interaction). An interaction $\gamma$ is a tuple $(g, u, op)$, where $u \subseteq Port$ such that $|u \cap Port_i| \le 1$ for all $i \in [1, n]$, $g \in Guard$ and $op \in Op$.
Intuitively, an interaction γ specifies a guarded synchronisation among the participating
components: the synchronisation and the corresponding operation (i.e. data transfer) op
can take place only when the guard g is satisfied, and all the ports in u are enabled. When
an interaction is taken, the transitions labelled by these ports are taken synchronously, i.e.
the execution of all the operations associated to the interaction and the involved transitions
constitutes a single atomic operation. When several interactions are enabled at the same
time, priority can be used to schedule the ones to be executed.
▶ Definition 3 (Priority model). Given a set of interactions $\Gamma$, a priority model $\pi$ is a strict partial order on $\Gamma$. For $\gamma, \gamma' \in \Gamma$, we write $\gamma < \gamma'$ if and only if $(\gamma, \gamma') \in \pi$, which means that interaction $\gamma'$ has a higher priority than $\gamma$.
Given a set of atomic components $\{B_i\}_{i=1}^n$, a set of interactions $\Gamma = \{\gamma_i\}_{i=1}^m$, and a priority model $\pi$, we denote by $\Gamma_\pi(B_1, \dots, B_n)$ the system model constructed by composing the atomic components with $\Gamma$ and $\pi$.
▶ Example 4. To give an intuitive understanding of the BIP modelling language, we show a simple BIP model with two components A and B in Figure 1. Each component has three integer variables and may enter a deadlock state S5 by taking transition error1 or error2 when the guard $x \neq y$ is true. There is one binary interaction $\gamma = (true, \{error1, error2\}, skip)$ synchronising the two transitions labelled by ports error1 and error2, and all the other transitions form singleton interactions (e.g. $(true, \{invalid1\}, x := 0; y := 0)$). No data transfer or priority is defined in this model.
2.2 Operational semantics of BIP
To define the operational semantics of BIP, we first introduce the notion of configuration.
▶ Definition 5 (Configuration of a BIP model). Given a BIP model $\Gamma_\pi(B_1, \dots, B_n)$, a configuration is a tuple $c \triangleq ((l_1, \mathbf{x}_1), \dots, (l_n, \mathbf{x}_n))$, where each $l_i$ is a control location of component $B_i$, and $\mathbf{x}_i$ is a valuation of the variables in $Var_i$ of $B_i$.
An interaction $\gamma = (g, u, op)$ is enabled in a configuration $c = ((l_1, \mathbf{x}_1), \dots, (l_n, \mathbf{x}_n))$ if the following two conditions are satisfied: 1) the guard $g$ is satisfied by $(\mathbf{x}_i)_{i=1}^n$; and 2) for each component $B_i$ such that $u \cap Port_i = \{p_i\}$, there is a transition $(l_i, g_i, p_i, op_i, l'_i) \in Trans_i$ starting from $l_i$ and labelled by $p_i$, such that guard $g_i$ is satisfied by $\mathbf{x}_i$.
▶ Definition 6 (Operational semantics of BIP). Given a BIP model $\Gamma_\pi(B_1, \dots, B_n)$, there is a transition from $c = ((l_1, \mathbf{x}_1), \dots, (l_n, \mathbf{x}_n))$ to $c' = ((l'_1, \mathbf{x}'_1), \dots, (l'_n, \mathbf{x}'_n))$ if there is an interaction $\gamma = (g, u, op)$ such that
1. $\gamma$ is enabled in $c$;
2. for each component $B_i$ such that $u \cap Port_i = \{p_i\}$, there is a transition $(l_i, g_i, p_i, op_i, l'_i) \in Trans_i$ and $\mathbf{x}'_i = op_i(op(\mathbf{x}_i))$;
3. for each component $B_j$ such that $u \cap Port_j = \emptyset$, we have $(l'_j, \mathbf{x}'_j) = (l_j, \mathbf{x}_j)$;
4. there does not exist an interaction $\gamma'$ such that $\gamma'$ is enabled in $c$ and $\gamma' > \gamma$.
Whenever there is a transition from configuration $c$ to $c'$, we use the notation $c \xrightarrow{\gamma} c'$ to indicate that this transition is triggered by the interaction $\gamma$. The notation $op(\mathbf{x})$ denotes the application of operation $op$ to the valuation $\mathbf{x}$. When $op$ is an assignment of the form $x := exp$, its semantics can be given by the substitution $\mathbf{x}[exp/x]$, denoting the valuation of variables in which the value of $x$ is replaced by $exp$.
We say that a configuration $c_0 = ((l_1, \mathbf{x}_1), \dots, (l_n, \mathbf{x}_n))$ is an initial configuration if $l_i = l^0_i$ for all $1 \le i \le n$. A trace is then a sequence of transitions $c_0 \xrightarrow{\gamma_1} c_1 \xrightarrow{\gamma_2} \cdots \xrightarrow{\gamma_k} c_k$. A configuration $c$ is reachable if and only if there exists a trace that starts from the initial configuration and ends in $c$.
To encode a safety property, we identify a set of error locations (which are also deadlock
locations, e.g. location S5 in Figure 1), such that a BIP model is safe if and only if no
error locations are reachable. Notice that every safety property verification problem can
be encoded into a reachability problem with additional transitions, interactions and error
locations in the BIP model.
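As an added example that is not part of the paper or of its prototype tool, the following Python interpreter implements the enabledness condition of Definition 5 and the transition relation of Definition 6 (multiparty synchronisation with data transfer and priority) and runs a breadth-first reachability check for error locations, as in the encoding of safety properties above. The two-component model it runs on (components P and C, ports produce, send, recv, reset, check, fail) is constructed for the example and is an assumption, not a model from the paper.

```python
from typing import Callable, Dict, FrozenSet, List, NamedTuple, Optional, Tuple
Valuation = Dict[str, int]                  # x_i: values of one component's variables
Config = Dict[str, Tuple[str, Valuation]]   # c = ((l_1, x_1), ..., (l_n, x_n)), keyed by component name

class Transition(NamedTuple):               # (l, g, p, op, l') in Trans_i
    src: str
    guard: Callable[[Valuation], bool]
    port: str
    op: Callable[[Valuation], Valuation]
    dst: str

class Component(NamedTuple):                # B_i = (Var_i, Loc_i, Port_i, Trans_i, l0_i)
    name: str
    ports: FrozenSet[str]
    trans: Tuple[Transition, ...]
    init_loc: str
    init_vals: Tuple[Tuple[str, int], ...]

class Interaction(NamedTuple):              # gamma = (g, u, op); g and op see all valuations, by component
    name: str
    guard: Callable[[Dict[str, Valuation]], bool]
    ports: FrozenSet[str]
    op: Callable[[Dict[str, Valuation]], Dict[str, Valuation]]

class Model(NamedTuple):
    components: Tuple[Component, ...]
    interactions: Tuple[Interaction, ...]
    priority: FrozenSet[Tuple[str, str]]    # (low, high): interaction low < high (Definition 3)

def local_transition(comp: Component, g: Interaction, c: Config):
    """(p_i, t): comp's port in u (None if it does not participate) and the enabled transition
    from its current location labelled by p_i (None if that port is disabled). Assumes
    deterministic components: at most one enabled transition per location and port."""
    ps = comp.ports & g.ports
    assert len(ps) <= 1, "Definition 2 requires |u ∩ Port_i| ≤ 1"
    if not ps:
        return None, None
    (p,), (loc, x) = ps, c[comp.name]
    return p, next((t for t in comp.trans if t.src == loc and t.port == p and t.guard(x)), None)

def enabled(model: Model, c: Config, g: Interaction) -> bool:
    """Definition 5: the interaction guard holds and every participating port is enabled."""
    return g.guard({n: x for n, (_, x) in c.items()}) and all(
        t is not None for p, t in (local_transition(b, g, c) for b in model.components) if p)

def successors(model: Model, c: Config) -> List[Tuple[str, Config]]:
    """Definition 6: fire each enabled interaction not dominated by an enabled higher-priority one."""
    en = [g for g in model.interactions if enabled(model, c, g)]
    maximal = [g for g in en if not any((g.name, h.name) in model.priority for h in en)]
    out = []
    for g in maximal:
        after_op = g.op({n: dict(x) for n, (_, x) in c.items()})   # data transfer op is applied first
        c2: Config = {}
        for b in model.components:
            p, t = local_transition(b, g, c)
            if p is None:
                c2[b.name] = c[b.name]                             # item 3: (l_j, x_j) unchanged
            else:
                c2[b.name] = (t.dst, t.op(after_op[b.name]))       # item 2: x'_i = op_i(op(x_i))
        out.append((g.name, c2))
    return out

def freeze(c: Config):
    return tuple(sorted((n, loc, tuple(sorted(x.items()))) for n, (loc, x) in c.items()))

def find_error_trace(model: Model, error_locs, max_states: int = 10000) -> Optional[List[str]]:
    """Breadth-first search for a reachable error location (Section 2.2); variables have infinite
    domains, so exploration stops after max_states distinct configurations."""
    start: Config = {b.name: (b.init_loc, dict(b.init_vals)) for b in model.components}
    seen, queue = {freeze(start)}, [(start, [])]
    while queue:
        c, trace = queue.pop(0)
        if any(loc in error_locs for loc, _ in c.values()):
            return trace
        for name, c2 in successors(model, c):
            if freeze(c2) not in seen and len(seen) < max_states:
                seen.add(freeze(c2))
                queue.append((c2, trace + [name]))
    return None

# Constructed model (an assumption, not from the paper): P counts in v and hands v to C over a
# binary interaction with data transfer; C reaches error location "err" once the value exceeds 2.
P = Component("P", frozenset({"produce", "send", "reset"}), (
    Transition("p0", lambda x: True, "produce", lambda x: {**x, "v": x["v"] + 1}, "p1"),
    Transition("p1", lambda x: True, "send", lambda x: x, "p0"),
    Transition("p1", lambda x: True, "reset", lambda x: {**x, "v": 0}, "p0"),
), "p0", (("v", 0),))
C = Component("C", frozenset({"recv", "check", "fail"}), (
    Transition("c0", lambda x: True, "recv", lambda x: x, "c1"),
    Transition("c1", lambda x: x["w"] <= 2, "check", lambda x: x, "c0"),
    Transition("c1", lambda x: x["w"] > 2, "fail", lambda x: x, "err"),
), "c0", (("w", 0),))
MODEL = Model((P, C), (
    Interaction("produce", lambda v: True, frozenset({"produce"}), lambda v: v),
    Interaction("transfer", lambda v: True, frozenset({"send", "recv"}),    # data transfer w := v
                lambda v: {**v, "C": {**v["C"], "w": v["P"]["v"]}}),
    Interaction("reset", lambda v: True, frozenset({"reset"}), lambda v: v),
    Interaction("check", lambda v: True, frozenset({"check"}), lambda v: v),
    Interaction("fail", lambda v: True, frozenset({"fail"}), lambda v: v),
), frozenset({("reset", "transfer")}))      # reset < transfer: reset fires only when transfer cannot
```

Calling `find_error_trace(MODEL, {"err"})` returns the shortest interaction sequence reaching "err"; with priority, `reset` is only ever fired when `transfer` is disabled.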
3 On-the-fly lazy predicate abstraction of BIP
In this section, we present our key verification algorithm for BIP which is based on lazy
abstraction [15, 16] and features an on-the-fly exploration of the abstract reachable states.
3.1 Verification algorithm
The main function of our verification algorithm is shown in Algorithm 1. The algorithm
takes a BIP model with the encoding of safety property as input, and explores its reachable
state space by constructing an abstract reachability tree (ART). The verification procedure
is sound and complete: the lazy abstraction approach consists in verifying the most abstract
model sufficient to establish a definite result (safe or unsafe). Abstraction is refined every
time a spurious counterexample is found.
Our algorithm constructs the ART by expanding the ART nodes progressively, starting
from the initial one. Whenever an error node is encountered, it generates a counterexample
(line 8) and checks if the counterexample is real (line 9). If the counterexample is real, the
algorithm stops and reports the model is unsafe and a counterexample is found (line 10).
Otherwise, the algorithm will refine the abstraction and restart the exploration (line 12). An
ART node is expanded when it cannot be covered by another one and all its children will be
pushed into the worklist (lines 16 and 17). When a node is covered, the algorithm stops the
expansion from this node by marking it as covered (line 14).
▶ Definition 7 (ART node). Given a BIP model $\mathcal{B} = \Gamma_\pi(B_1, \dots, B_n)$, an ART node is a tuple $((l_1, \phi_1), \dots, (l_n, \phi_n), \phi)$, where $(l_i, \phi_i)$ is the local region consisting of the control location $l_i$ and the abstract data region $\phi_i$ of component $B_i$, and $\phi$ is the global data region.
A data region is a formula that over-approximates the concrete valuations of variables. We maintain a global data region $\phi$ to keep track of all the variables that are used in data transfer. An ART node is an error node if at least one of the control locations $l_i$ is an error location and the data regions are consistent, i.e. $\phi \wedge \bigwedge_{i=1}^n \phi_i$ is satisfiable.
▶ Definition 8 (Node covering). An ART node $((l_1, \phi_1), \dots, (l_n, \phi_n), \phi)$ is covered by another node $((l'_1, \phi'_1), \dots, (l'_n, \phi'_n), \phi')$ if $l_i = l'_i$ and the implication $\phi_i \Rightarrow \phi'_i$ is valid for all $i \in [1, n]$, and $\phi \Rightarrow \phi'$ is valid.
We say that an ART is safe when all the nodes are either fully expanded or covered, and
there are no error nodes.
3.1.1 Node expansion
The node expansion procedure is shown in Algorithm 2. The procedure first computes the set of enabled interactions on this node (function EnabledInteraction in line 2). We say that an interaction $\gamma = (g, u, op)$ is enabled on an ART node $((l_1, \phi_1), \dots, (l_n, \phi_n), \phi)$ if for each component $B_i$ such that $u \cap Port_i = \{p_i\}$, there is a transition $(l_i, g_i, p_i, op_i, l'_i) \in Trans_i$ starting from $l_i$ and labelled by $p_i$. Notice that interaction enabledness on an ART node is different from that on a BIP configuration. We do not check the satisfiability of the guards on the ART node, since we are doing lazy abstraction: if an interaction is disabled on the ART node, the successor node will be inconsistent.
For each enabled interaction $\gamma$, the procedure creates a new successor ART node with dummy elements, which will be updated accordingly (line 4). To update the abstract data region of $B_i$, which participates in $\gamma$ (line 7), the procedure calls ExtractTransition($Trans_i$, $l_i$, $p_i$) in line 8 to extract the participating transition starting from $l_i$ and labelled by port $p_i$ from the set of transitions $Trans_i$, and then builds a sequential composition (denoted by the symbol $\bullet$) of the guard and operation of this transition (line 11). The new abstract data region $\phi'_i$ is then obtained by applying the abstract strongest post-condition $SP^{\pi_{l'_i}}_{\hat{op}_i}(\phi_i)$ to the previous data region $\phi_i$ (line 12). Our algorithm maintains precisions for both control locations (e.g. $l'_i$) and the global region, denoted by $\pi_{l'_i}$ and $\pi$ respectively. A precision is a set of predicates over which the predicate abstraction is performed. We refer to [16] for more details. For the other components, which do not participate in this interaction, their local regions and control locations stay the same (lines 15 and 16).
Algorithm 1 Main function
Input: a BIP model B = Γπ(B1, ..., Bn) with encoding of safety property
Output: Either B is safe, or B is unsafe with a counterexample cex
1: create an ART node node0 from the initial state
2: create an ART art with node0 being the root
3: create a worklist wl of ART nodes
4: push node0 into wl
5: while wl ≠ ∅ do
6:   node ← pop(wl)
7:   if node is an error node then
8:     cex ← CounterExample(node)
9:     if cex is real then
10:      return B is unsafe with a real counterexample cex
11:    else
12:      Refine(art, cex)
13:  else if node is covered then
14:    mark node as covered
15:  else
16:    Expand(node)
17:    push all children of node into wl
18: return B is safe
To update the global region, we need to consider all the participating transitions, since they may also modify component variables. For this purpose, the procedure creates two temporary variables $g'$ and $op'$ (line 5). Variable $g'$ is the conjunction of the interaction guard and all the participating transition guards (line 9), and $op'$ is the sequential composition of the data transfer and all the participating transitions (line 10). Notice that, since the operations associated to the transitions modify only variables local to the respective components, the order of composition is irrelevant. The new global region $\phi'$ is then obtained by applying the abstract strongest post-condition $SP^{\pi}_{\hat{op}}(\phi)$ to the previous global region $\phi$ (line 18), where $\hat{op}$ is the guarded operation composed of $g'$ and $op'$. If all abstract strongest post-condition computations succeed, the new ART node is inserted as a child of node and the edge is labelled by interaction $\gamma$ (function AddChild in line 21). Otherwise, this new successor node does not represent any concrete reachable configuration and is ignored.
3.1.2 Counterexample analysis and abstraction refinement
If an error node is encountered during the exploration of the abstract state space, we check whether this error is reachable in the concrete state space in two steps. First, our algorithm constructs a counterexample by backtracking the ART from the error node to the root (function CounterExample in Algorithm 1). In BIP, we denote a counterexample $cex$ by the sequence of interactions labelling the path from the root to the error node. Then, our algorithm builds a sequential execution $tr_{cex}$ of the counterexample $cex$, such that the counterexample $cex$ is real if and only if $SP_{tr_{cex}}(true)$ is satisfiable.
Formally, given a counterexample $cex = \gamma_1 \gamma_2 \dots \gamma_k$, where for each $i \in [1, k]$ the interaction $\gamma_i = (g_i, u_i, op_i)$ has $u_i = \{p_{i1}, \dots, p_{it}\}$, our algorithm constructs a sequence $tr_{\gamma_i}$ of transitions $g_i \bullet op_i \bullet op_{ij_1} \bullet \dots \bullet op_{ij_t}$, where the sequence of indices $j_1, \dots, j_t$ is an arbitrary permutation of $\{1, \dots, t\}$, and $op_{ij_1}$ is the operation of the transition labelled by port $p_{ij_1}$. Then the sequential execution of counterexample $cex$ is the sequential composition of all $tr_{\gamma_i}$, i.e. $tr_{cex} = tr_{\gamma_1} \bullet \dots \bullet tr_{\gamma_k}$.
Algorithm 2 Node expansion procedure
1: procedure EXPAND(node = ((l1, φ1), ..., (ln, φn), φ))
2:   interactions ← EnabledInteraction(node)
3:   for γ = (g, u, op) ∈ interactions do
4:     node′ ← ((l′′1, φ′1), ..., (l′′n, φ′n), φ′)
5:     g′ ← g; op′ ← op
6:     for Bi ∈ B = Γπ(B1, ..., Bn) do
7:       if Porti ∩ u = {pi} then
8:         (li, gi, pi, opi, l′i) ← ExtractTransition(Transi, li, pi)
9:         g′ ← g′ ∧ gi
10:        op′ ← op′ • opi
11:        ôpi ← gi • opi
12:        φ′i ← SP^{π_{l′i}}_{ôpi}(φi); l′′i ← l′i
13:        if φ′i is false then
14:          goto 3
15:      else if Porti ∩ u = ∅ then
16:        l′′i ← li; φ′i ← φi
17:    ôp ← g′ • op′
18:    φ′ ← SP^{π}_{ôp}(φ)
19:    if φ′ is false then
20:      goto 3
21:    AddChild(γ, node′)
If the analysis reveals that the encountered error location is unreachable in the concrete state space, the precisions of the abstract analysis must be refined to eliminate the spurious counterexample by adding new predicates (function Refine in Algorithm 1). Our algorithm discovers new predicates from the interpolants of the trace formula of $tr_{cex}$. If a predicate involves only variables that are not used in the data transfer, it is added to the precisions associated to the corresponding control locations. A predicate involving variables that are used in the data transfer is added to the global precision.
Once the precisions are refined, our algorithm will remove the sub-tree that contains the
spurious counterexample, and then restart the expansion using the refined precisions. We
refer to [15] for more details and the correctness of this abstraction refinement approach.
3.2 Correctness proof
To prove the correctness of Algorithm 1, we need to relate the construction of the ART with the BIP operational semantics. We first show that the node expansion procedure creates successor nodes that cover (or over-approximate) the corresponding reachable configurations.
Let $\mathcal{B} = \Gamma_\pi(B_1, \dots, B_n)$ be a BIP model, and $c = ((l_1, \mathbf{x}_1), \dots, (l_n, \mathbf{x}_n))$ be a configuration of $\mathcal{B}$. Let $node = ((l'_1, \phi_1), \dots, (l'_n, \phi_n), \phi)$ be an ART node. We say that configuration $c$ satisfies ART node $node$ (or $node$ covers $c$), denoted by $c \models node$, if and only if, for all $i \in [1, n]$, we have $l_i = l'_i$ and $\mathbf{x}_i \models \phi_i$, and $(\mathbf{x}_i)_{i=1}^n \models \phi$.
▶ Lemma 9. Let $node$ be an ART node for a BIP model $\mathcal{B} = \Gamma_\pi(B_1, \dots, B_n)$ and $node'$ be its successor. Let $c$ be a configuration such that $c \models node$. If $node'$ is obtained by performing interaction $\gamma$, then for any configuration $c'$ such that $c \xrightarrow{\gamma} c'$, we have $c' \models node'$.
Proof. Suppose $c = ((l_1, \mathbf{x}_1), \dots, (l_n, \mathbf{x}_n))$ and $node = ((l_1, \phi_1), \dots, (l_n, \phi_n), \phi)$, where $\mathbf{x}_i \models \phi_i$ for each $i \in [1, n]$, and $(\mathbf{x}_i)_{i=1}^n \models \phi$, since $c \models node$. Suppose the successor configuration following $\gamma = (g, u, op)$ is $c' = ((l'_1, \mathbf{x}'_1), \dots, (l'_n, \mathbf{x}'_n))$, and the successor node is $node' = ((l''_1, \phi'_1), \dots, (l''_n, \phi'_n), \phi')$. To prove $c' \models node'$, we have to show that $l'_i = l''_i$ and $\mathbf{x}'_i \models \phi'_i$ for all $i \in [1, n]$, and $(\mathbf{x}'_i)_{i=1}^n \models \phi'$.
Consider a component $B_i$ such that $u \cap Port_i = \{p_i\}$, and let the corresponding transition in $Trans_i$ be $(l_i, g_i, p_i, op_i, l'_i)$. Then we have $\mathbf{x}_i \models g_i$ and $\mathbf{x}'_i = op_i(op(\mathbf{x}_i))$. According to Algorithm 2, we have $l''_i = l'_i$ and $\phi'_i = SP_{\hat{op}_i}(\phi_i)$, where $\hat{op}_i$ denotes $g_i \bullet op_i$. Based on the semantics of the strongest post-condition and the facts that $\mathbf{x}_i \models \phi_i$ and $\phi_i \wedge g_i$ is satisfiable, we have $\mathbf{x}'_i \models \phi'_i$. Following a similar argument, we can prove $(\mathbf{x}'_i)_{i=1}^n \models \phi'$.
For each component $B_i$ such that $u \cap Port_i = \emptyset$, since it does not participate in the interaction, its state is unchanged. Thus, the satisfaction relation trivially holds. ◀
▶ Theorem 10 (Correctness of on-the-fly lazy predicate abstraction of BIP). Given a BIP model $\mathcal{B}$, for every terminating execution of Algorithm 1 we have the following properties:
1. if Algorithm 1 returns a real counterexample path $cex$, then there is a concrete execution $c \xrightarrow{cex} c'$ in $\mathcal{B}$ from an initial configuration $c$ to an error configuration $c'$;
2. if Algorithm 1 returns a safe ART, then for every reachable configuration $c$ of $\mathcal{B}$, there is an ART node that covers this configuration.
Proof. (Sketch) In the safe case, the conclusion follows from Lemma 9 and an induction on the execution path to the reachable configuration $c$. In the unsafe case, the conclusion holds because the counterexample analysis boils down to a symbolic simulation. ◀
4 Simultaneous set reduction for BIP
In this section, we present a novel reduction technique, which can be combined with on-the-fly
lazy predicate abstraction to reduce the search space of reachability analysis. The idea is
based on the observation that in component-based systems, when two concurrent interactions
are enabled at the same time (e.g. interactions {insert1} and {insert2} in Figure 1), we
may consider executing them simultaneously instead of taking into account all the possible
interleavings in the reachability analysis. First of all, we have to formalise the constraints
imposed on the set of interactions, which can be executed simultaneously, in order to make
sure no error location is missed during the reachability analysis.
4.1 Simultaneous set constraints
Two interactions can be executed simultaneously only when they are independent.
▶ Definition 11 (Independent interactions). Two interactions $\gamma_1$ and $\gamma_2$ are independent if for every configuration $c$ the following conditions hold:
1. if $\gamma_1$ is enabled in $c$, then $\gamma_2$ is enabled in $c$ iff $\gamma_2$ is enabled in $c'$, where $c \xrightarrow{\gamma_1} c'$;
2. if $\gamma_1$ and $\gamma_2$ are both enabled in $c$, then $c'_1 = c'_2$, where $c \xrightarrow{\gamma_1; \gamma_2} c'_1$ and $c \xrightarrow{\gamma_2; \gamma_1} c'_2$.
Since the independence relation is a global property, in the sequel we will instead use the valid dependence relation.
▶ Definition 12 (Valid dependence relation). A valid dependence relation $D$ over a set of interactions $\Gamma$ is a symmetric, reflexive relation such that for every $(\gamma_1, \gamma_2) \notin D$, the interactions $\gamma_1$ and $\gamma_2$ are independent.
In the BIP context, we can compute a valid dependence relation statically from the specification: two interactions are dependent if they share a common component. It is worth noticing that our independence and dependence relations also work for the abstract analysis.
However, independence is not enough. For instance, in the example BIP model in Figure 1, suppose we want to expand the node $((S3, \phi_A), (S4, \phi_B), \phi)$, where component A is in control location S3 and component B is in control location S4. The set of enabled interactions is $\{\{request1\}, \{restart2\}\}$. Notice that interaction $\{error1, error2\}$ is disabled since port error1 is disabled. The two interactions $\{request1\}$ and $\{restart2\}$ are independent; however, if we execute them simultaneously we will miss the following counterexample fragment from this node: $\{request1\}, \{respond1\}, \{error1, error2\}$. This observation tells us to take into account the future executions when firing interactions simultaneously.
▶ Definition 13 (Simultaneous set). A set of interactions $SSet$ on configuration $c$ is called a simultaneous set if the following two constraints are satisfied:
1. all the interactions in $SSet$ are independent;
2. for each $\alpha \in SSet$, let $c \xrightarrow{\alpha} c_1 \xrightarrow{\beta_1} \dots \xrightarrow{\beta_n} c_{n+1}$ be a finite execution fragment starting with $\alpha$; then for each $\alpha' \in SSet$ such that $\alpha' \neq \alpha$, all $\beta_i$ are independent of $\alpha'$.
Intuitively, the second constraint means that whatever one does from the simultaneous
set should still be independent from the others in the set. We remark that simultaneous set
is different from the ample set [10] in that members in ample set are interdependent, and
interleavings should be taken into account.
We use the notation $AG$ to represent the full reachable state space, and $AR$ to represent the reduced reachable state space. A transition in $AR$ is denoted by $c \xrightarrow{SSet(c)} c'$, where $SSet(c)$ is a simultaneous set on $c$. A trace in $AR$ is then labelled by a sequence of simultaneous sets, e.g. $c_0 \xrightarrow{SSet(c_0)} c_1 \xrightarrow{SSet(c_1)} \cdots \xrightarrow{SSet(c_{k-1})} c_k$. Similarly, we say that a configuration $c$ is reachable in $AR$ if and only if there exists a trace that starts from the initial configuration and ends in $c$. However, a trace in $AR$ is not a trace of $AG$, but a representation of several equivalent traces.
▶ Definition 14 (Semantics of simultaneous set). Given a configuration $c$, a transition $c \xrightarrow{SSet(c)} c'$ in $AR$ denotes the set of transition sequences $\{c \xrightarrow{\gamma_1} \dots \xrightarrow{\gamma_k} c' \mid \forall i \in [1, k],\ \gamma_i \in SSet(c) \text{ and } |SSet(c)| = k\}$ in $AG$.
Each transition sequence $c \xrightarrow{\gamma_1} \dots \xrightarrow{\gamma_k} c'$ is a representation of $c \xrightarrow{SSet(c)} c'$. Inductively, we can also define the representation of a trace in $AR$. Based on the definition of simultaneous set, it is easy to see that each representation of a trace in $AR$ is a trace in $AG$.
The correctness of simultaneous set reduction for deadlock state reachability analysis is
stated in the following theorem.
▶ Theorem 15 (Correctness of simultaneous set reduction). Let $e$ be an error configuration. If there is a trace $\rho_g$ leading to $e$ in $AG$, then there is also a trace $\rho_r$ leading to $e$ in $AR$.
Proof. Assume $\rho_g = c_0 \xrightarrow{\gamma_0} \cdots \xrightarrow{\gamma_{n-2}} c_{n-1}$, where $c_{n-1} = e$. The proof proceeds by complete induction on the number of configurations in $\rho_g$. For the base case $|\rho_g| = 1$, the result trivially holds, since the initial configuration is also the error one. Assume the theorem holds for all the cases $|\rho_g| \le n$, where $n \ge 1$; we prove that it also holds for $|\rho_g| = n + 1$. Assume $\rho_g = c_0 \xrightarrow{\gamma_0} c_1 \xrightarrow{\gamma_1} \cdots \xrightarrow{\gamma_{n-2}} c_{n-1} \xrightarrow{\gamma_{n-1}} c_n$, where $c_n = e$, and the simultaneous set on configuration $c_0$ that contains interaction $\gamma_0$ is $SSet(c_0)$. If $SSet(c_0)$ is a singleton set, then $\rho_r$ is $\rho_g$. If $SSet(c_0) = \{\beta_i \mid i \in [1, k]\} \cup \{\gamma_0\}$, then, according to the definition of simultaneous set, $\beta_i$ is independent of $\gamma_j$ for all $i \in [1, k]$ and $j \in [1, n-1]$, so $\beta_i$ would be enabled in configuration $c_n$, which contradicts the fact that $c_n$ is a deadlock state. Thus, all $\beta_i$ must be executed, i.e. for each $\beta_i$ there must exist a $\gamma_j$ such that $\beta_i = \gamma_j$. Then, by permuting independent interactions, we obtain an equivalent trace $\rho'_g = c_0 \xrightarrow{\gamma_0} c_1 \xrightarrow{\beta_1} \cdots \xrightarrow{\beta_k} \xrightarrow{\gamma_{k+1}} \cdots \xrightarrow{\gamma_{n-1}} c_n$. The sequence of interactions $\xrightarrow{\gamma_0} \xrightarrow{\beta_1} \cdots \xrightarrow{\beta_k}$ is a representation of the simultaneous set $SSet(c_0)$, while by the induction hypothesis the rest is a representation of some trace in $AR$. Together they prove the theorem. ◀
4.2 Combining simultaneous set reduction with lazy predicate abstraction
To combine the simultaneous set reduction with lazy predicate abstraction of BIP, we modify
the node expansion procedure in Algorithm 2 by replacing the function EnabledInteraction in
line 2 with Algorithm 3, such that instead of creating a new successor node for each possible
interaction (line 3), we create a new successor node for each simultaneous set. Notice that
since a simultaneous set is a set of interactions, the successor computation (the loop in line
3) should also be slightly adjusted.
Algorithm 3 computes the set of simultaneous sets on an ART node. It uses two addi-
tional functions EnabledInteraction and DisabledInteraction. Function DisabledInteraction
computes the set of disabled interactions on an ART node, which is simply the complement
of the set of enabled interactions.
Algorithm 3 Simultaneous set computation
Input: an ART node node = ((l1, φ1), ..., (ln, φn), φ)
Output: a set of simultaneous sets SSets
1: enabled_interactions ← EnabledInteraction(node)
2: disabled_interactions ← DisabledInteraction(node)
3: create a worklist of interaction sets wl
4: push enabled_interactions into wl
5: while wl ≠ ∅ do
6:   current_set ← pop(wl)
7:   if exists γ1, γ2 ∈ current_set, s.t. γ1, γ2 are dependent then
8:     copy1 ← current_set − {γ1}
9:     copy2 ← current_set − {γ2}
10:    push copy1, copy2 into wl
11:  else if exists γ1, γ2 ∈ current_set, γ3 ∈ disabled_interactions, s.t. γ3, γ1 are dependent, and γ3, γ2 are dependent then
12:    copy1 ← current_set − {γ1}
13:    copy2 ← current_set − {γ2}
14:    push copy1, copy2 into wl
15:  else
16:    if SSets does not contain current_set then
17:      push current_set into SSets
The basic idea is that, starting from the set of enabled interactions, the algorithm
progressively refines this set by splitting it into two sets. If two interactions from the set are
dependent (line 7), or they are independent of each other but both dependent on a disabled
interaction (line 11), then this set is split into two, each of which is obtained by removing
one of the two interactions (lines 8, 9 and 12, 13). Otherwise, if all interactions are independent
of each other and of the disabled interactions, then the set is a simultaneous set and is
added to the result set SSets.
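As an added illustration (not the paper's own code), the following Python function implements Algorithm 3 over interaction names. The dependence relation is constructed for the example: two interactions are assumed dependent when they share an atomic component, a coarse stand-in for the paper's precomputed relation.

```python
from itertools import combinations

# Constructed example (not from the paper): each interaction is the set of
# atomic components it synchronises. Assumption: two interactions are
# dependent iff they share a component, a coarse stand-in for the paper's
# precomputed dependence relation.
INTERACTIONS = {
    "a": {"C1", "C2"},
    "b": {"C2", "C3"},
    "c": {"C4"},
    "d": {"C1", "C4"},
}


def dependent(g1, g2):
    """Constant-time dependence check on the precomputed relation."""
    return bool(INTERACTIONS[g1] & INTERACTIONS[g2])


def simultaneous_sets(enabled, disabled, dep=dependent):
    """Algorithm 3: split the enabled set until every remaining set is a
    simultaneous set. Returns a set of frozensets of interaction names."""
    disabled = frozenset(disabled)
    worklist = [frozenset(enabled)]          # lines 3-4
    ssets = set()
    while worklist:                          # line 5
        current = worklist.pop()             # line 6
        split = None
        for g1, g2 in combinations(sorted(current), 2):
            if dep(g1, g2):                  # line 7: mutually dependent
                split = (g1, g2)
                break
        if split is None:
            for g1, g2 in combinations(sorted(current), 2):
                # line 11: independent, but both dependent on a disabled one
                if any(dep(g3, g1) and dep(g3, g2) for g3 in disabled):
                    split = (g1, g2)
                    break
        if split is not None:                # lines 8-10 / 12-14
            worklist.extend(current - {g} for g in split)
        else:                                # lines 16-17
            ssets.add(current)
    return ssets


def example():
    """Enabled {a, b, c}, disabled {d}: a and b are dependent, and the
    disabled d is dependent on both a and c."""
    return simultaneous_sets({"a", "b", "c"}, {"d"})
```

Note that, exactly as in the pseudocode, a singleton produced by a split (here {c}) is kept even when it is a subset of another simultaneous set ({b, c}), since the algorithm only checks for duplicates, not for subsumption.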
Assume that, given two interactions γ1 and γ2, the dependence check on lines 7 and 11
takes O(1) time with a precomputed dependence relation. The while loop (line 5)
executes at most |enabled_interactions| times, where |enabled_interactions| denotes the
number of enabled interactions on the input ART node, since in each loop iteration at most
two interactions are split off and one simultaneous set is added to the worklist wl. In
the worst case, |enabled_interactions|^2 · |disabled_interactions| checks need to be performed
to find the two interactions to be split. Thus, the worst-case time complexity of Algorithm 3
is O(|enabled_interactions|^3 · |disabled_interactions|).
The correctness of Algorithm 3 follows directly from the simultaneous set
constraints in Definition 13.
Theorem 16 (Correctness of lazy predicate abstraction with simultaneous set reduction).
Given a BIP model, for every terminating execution of the combination of Algorithm 1
and Algorithm 3, the two properties of Theorem 10 still hold.
Proof. (Sketch) Algorithm 3 computes the set of simultaneous sets on an ART node. A
simultaneous set on an ART node is a simultaneous set on every configuration that is covered
by this ART node. Therefore, the theorem follows from Theorem 15.
5 Experimental evaluation
We implemented the proposed techniques in our prototype tool BIPChecker, based on the
symbolic model checker nuXmv and the SMT solver MathSAT. In the experimental evaluation,
we took a set of benchmarks from the literature, including the untimed temperature and
railway control system [18], the ATM transaction model [4], the leader election algorithm [1],
and the Quorum consensus algorithm [12]. We modelled them in the BIP framework and
verified different safe and unsafe invariant properties. All these benchmarks 1) are scalable
in terms of the number of components; 2) are infinite-state, using potentially unbounded
integer variables and 3) feature data transfer on interactions. A description of the features of
all the benchmarks is listed in Table 1 in Appendix A.
Figure 2 Cumulative plot of time for solving all benchmarks (x-axis: total time (sec), log scale 0.1 to 100; y-axis: number of benchmarks, 10 to 70; series: OLA, OLA+SSR)
All the experiments have been performed on a 64-bit Linux PC with a 2.8 GHz Intel i7-2640M
CPU, with a memory limit of 4Gb and a time limit of 300 seconds per benchmark. We refer to
our website (see footnote 1) for all the benchmarks and the tool.
We ran two configurations of BIPChecker: OLA and OLA+SSR, where OLA stands for
on-the-fly lazy abstraction, and SSR stands for the simultaneous set reduction. We do not compare
the performance of our tool with DFinder [4] and VCS [14], since they do not handle data
transfer and infinite-state models respectively.
The comparison of OLA and OLA+SSR on the full set of benchmarks is shown in Figure 2
and Figure 3.
1 http://risd.epfl.ch/bipchecker
Figure 3 Scatter plot of time for solving each benchmark (x-axis: OLA; y-axis: OLA+SSR; both log scale 0.1 to 100; points marked safe/unsafe)
In Figure 2, we plot the cumulative time (x-axis) to solve an increasing number of
benchmarks (y-axis), and in Figure 3, we show the scatter plot of time for solving each
benchmark (see footnote 2). The plots show that simultaneous set reduction
can improve the performance in general when it is combined with the on-the-fly lazy abstraction.
In particular, from Figure 3 we find that for safe models, OLA is comparable to OLA+SSR, while
for unsafe models, OLA+SSR is always more efficient than OLA. In other words, OLA+SSR
is more efficient at finding counterexamples. This phenomenon can be explained by the fact
that with simultaneous set reduction, some independent interactions are executed simultaneously,
thus reducing the number of execution steps needed to reach, and hence detect, a counterexample.
In Figure 4, we plot the cumulative number of ART nodes (x-axis) that are created to
solve an increasing number of benchmarks (y-axis), and in Figure 5, we show the scatter
plot of the number of ART nodes used to solve each individual benchmark. The plots
justify our claim that simultaneous set reduction can improve the performance, especially
for counterexample detection, from another aspect, i.e. the number of ART nodes that are
explored during the reachability analysis.
Figure 4 Cumulative plot of created nodes for solving all benchmarks (x-axis: number of nodes, log scale 100 to 100000; y-axis: number of instances, 10 to 70; series: OLA, OLA+SSR)
Figure 5 Scatter plot of created nodes for solving each benchmark (x-axis: OLA; y-axis: OLA+SSR; both log scale 100 to 100000; points marked safe/unsafe)
6 Related work
Although there are plenty of works on safety property verification in the literature, we review
the most related ones in two aspects. With respect to combining abstraction techniques with
explicit state reduction techniques, the works most related to ours are [8, 9, 24]. In [8, 9]
the authors propose two ESST-based verification techniques for multi-threaded programs
with a preemptive and stateful scheduler (e.g. SystemC [20] and FairThreads [7]). The work
in [24] combines classical lazy abstraction and partial order reduction [11] for the verification
of generic multi-threaded programs with pointers. The difference between these works and
ours is that they combine the abstraction techniques with classical partial order reduction
techniques (e.g. the persistent set approach [11] and the ample set approach [10]), in which one
reduces the interleavings of concurrent transitions by exploring only a representative subset
of all enabled transitions. In our approach, we leverage the BIP operational semantics to
tackle this issue by executing concurrent interactions simultaneously.
2 Red diagonal guides provide a reference for comparison, each indicating a shift of one order of magnitude.
With respect to compositional verification, the most related works are [6, 13, 21]. In [6]
the authors present an assume-guarantee abstraction refinement technique for compositional
verification of component-based systems. However, the target system model is finite state
and without data transfer. In [13] the authors propose a compositional verification technique
for multi-threaded programs based on the abstract interpretation framework. This algorithm
relies on solving recursion-free Horn clauses to refine the abstraction. Later, the work in [21]
combines this method with a reduction technique based on Lipton's theory of reduction [19].
The programming model is quite different from ours. They handle shared-variable concurrent
programs, whereas BIP does not provide communication through shared variables, but only
multiparty synchronisation and data transfer.
7 Conclusion
In this paper we proposed a generic approach to safety property verification of BIP models,
which combines on-the-fly lazy abstraction and simultaneous set reduction technique. We
also implemented our techniques in the BIPChecker tool. The experimental evaluation
demonstrates the efficiency of the proposed approach. As future work we will investigate
more efficient reduction techniques for component-based systems, that can boost the abstract
reachability analysis, such as property guided reduction.
Acknowledgements We want to thank Alessandro Cimatti, Marco Roveri and Sergio Mover
for the instructive guidance during our collaboration that enabled this work and for their
help with the nuXmv model checker and the MathSAT SMT solver. We are also very grateful
to the anonymous reviewers for their careful reading of the paper. Although we could not
take all of their comments into account in the current version, we will definitely do so in our
future work.
References
1 Christel Baier and Joost-Pieter Katoen. Principles of Model Checking. The MIT Press,
2008.
2 A. Basu, S. Bensalem, M. Bozga, J. Combaz, M. Jaber, Thanh-Hung Nguyen, and J. Sifakis.
Rigorous component-based system design using the BIP framework. Software, IEEE, 2011.
3 Gerd Behrmann, Alexandre David, Kim Guldstrand Larsen, John Håkansson, Paul Pettersson, Wang Yi, and Martijn Hendriks. UPPAAL 4.0. In QEST, 2006.
4 Saddek Bensalem, Marius Bozga, Thanh-Hung Nguyen, and Joseph Sifakis. D-finder: A
tool for compositional deadlock detection and verification. In CAV, 2009.
5 Simon Bliudze, Alessandro Cimatti, Mohamad Jaber, Sergio Mover, Marco Roveri, Wajeb
Saab, and Qiang Wang. Formal verification of infinite-state BIP models. In ATVA, 2015.
To appear.
6 Mihaela Gheorghiu Bobaru, Corina S. Pasareanu, and Dimitra Giannakopoulou. Automated assume-guarantee reasoning by abstraction refinement. In CAV, 2008.
7 F. Boussinot. FairThreads: mixing cooperative and preemptive threads in C. Concurrency
and Computation: Practice and Experience, 2006.
8 Alessandro Cimatti, Iman Narasamdya, and Marco Roveri. Software model checking with
explicit scheduler and symbolic threads. Logical Methods in Computer Science, 2012.
9 Alessandro Cimatti, Iman Narasamdya, and Marco Roveri. Verification of parametric
system designs. In FMCAD, 2012.
10 Edmund M. Clarke, Jr., Orna Grumberg, and Doron A. Peled. Model Checking. MIT Press,
Cambridge, MA, USA, 1999.
11 Patrice Godefroid. Partial-Order Methods for the Verification of Concurrent Systems: An
Approach to the State-Explosion Problem. Springer-Verlag, 1996.
12 Rachid Guerraoui, Viktor Kuncak, and Giuliano Losa. Speculative linearizability. In PLDI,
2012.
13 Ashutosh Gupta, Corneliu Popeea, and Andrey Rybalchenko. Predicate abstraction and
refinement for verifying multi-threaded programs. In POPL, 2011.
14 Fei He, Liangze Yin, Bow-Yaw Wang, Lianyi Zhang, Guanyu Mu, and Wenrui Meng. VCS:
A verifier for component-based systems. In ATVA, 2013.
15 Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, and Kenneth L. McMillan. Abstractions from proofs. In ACM SIGPLAN Notices. ACM, 2004.
16 Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, and Grégoire Sutre. Lazy abstraction. In POPL, 2002.
17 Hossein Hojjat, Filip Konecný, Florent Garnier, Radu Iosif, Viktor Kuncak, and Philipp
Rümmer. A verification toolkit for numerical transition systems - tool paper. In FM, 2012.
18 Hossein Hojjat, Philipp Rümmer, Pavle Subotic, and Wang Yi. Horn clauses for communicating timed systems. In HCVS, 2014.
19 Richard J. Lipton. Reduction: A method of proving properties of parallel programs. Commun. ACM, 1975.
20 IEEE 1666: SystemC language Reference Manual, 2005.
21 Corneliu Popeea, Andrey Rybalchenko, and Andreas Wilhelm. Reduction for compositional
verification of multi-threaded programs. In FMCAD, 2014.
22 Joseph Sifakis. Rigorous system design. Foundations and Trends in Electronic Design
Automation, 2013.
23 Chen Su, Min Zhou, Liangze Yin, Hai Wan, and Ming Gu. Modeling and verification of
component-based systems with data passing using BIP. In ICECCS, 2013.
24 Bjoern Wachter, Daniel Kroening, and Joel Ouaknine. Verifying multi-threaded software
with Impact. In FMCAD, 2013.
A Description of benchmarks
The first column gives the benchmark considered, and the second column indicates how
many lines of code there are in the model. The third to last columns
give the number of atomic components, variables, control locations and
interactions in the model, respectively. For instance, in the first row, atm_1 denotes
instance 1 of the ATM transaction model, which has 79 lines of code, 4 atomic components,
8 integer variables, 34 control locations and 16 interactions.
In the experiments, we create both safe and unsafe versions of each benchmark, with
respect to the property being checked. In particular, we created 2 different variants of the ATM
transaction models in terms of the property being checked (i.e. local vs global).
Table 1 Summary of all benchmarks
Benchmark L.O.C Atom Variable Location Interaction
atm_1 79 4 8 34 16
atm_2 92 6 12 51 24
atm_3 102 8 16 68 32
atm_4 112 10 20 85 40
atm_5 122 12 24 102 48
atm_6 132 14 28 119 56
atm_7 142 16 32 136 64
atm_8 152 18 36 153 72
atm_9 162 20 40 170 80
atm_10 172 22 44 187 88
quorum_1 80 4 14 15 10
quorum_2 85 5 18 19 14
quorum_3 90 6 22 23 18
quorum_4 95 7 26 27 22
quorum_5 100 8 30 31 26
quorum_6 105 9 34 35 30
quorum_7 110 10 38 39 34
quorum_8 115 11 42 43 38
quorum_9 120 12 46 47 42
quorum_10 125 13 50 51 46
mutual_exclusion_1 68 3 4 12 15
mutual_exclusion_2 78 4 5 15 21
mutual_exclusion_3 85 5 6 18 27
mutual_exclusion_4 92 6 7 21 33
mutual_exclusion_5 99 7 8 24 39
mutual_exclusion_6 106 8 9 27 45
mutual_exclusion_7 113 9 10 30 51
mutual_exclusion_8 120 10 11 33 57
mutual_exclusion_9 127 11 12 36 63
mutual_exclusion_10 134 12 13 39 69
leader_election_1 59 4 6 14 11
leader_election_2 66 6 9 21 16
leader_election_3 73 8 12 28 21
leader_election_4 80 10 15 35 26
leader_election_5 87 12 18 42 31
railway_control_1 59 3 1 15 11
railway_control_2 68 4 1 21 16
railway_control_3 74 5 1 27 21
railway_control_4 80 6 1 33 26
railway_control_5 86 7 1 39 31
railway_control_6 92 8 1 45 36
railway_control_7 98 9 1 51 41
railway_control_8 104 10 1 57 46
railway_control_9 110 11 1 63 51
railway_control_10 116 12 1 69 56
temerature_control_1 50 3 3 9 6
temerature_control_2 53 4 4 12 8
temerature_control_3 56 5 5 15 10
temerature_control_4 59 6 6 18 12
temerature_control_5 62 7 7 21 14
temerature_control_6 65 8 8 24 16
temerature_control_7 68 9 9 27 18
temerature_control_8 71 10 10 30 20
temerature_control_9 74 11 11 33 22
temerature_control_10 77 12 12 36 24
