Abstract: A compositional verification method from a high-level resource-management standpoint is presented for dense-time concurrent systems and implemented in the tool SGM (State-Graph Manipulators) with a graphical user interface. SGM packages sophisticated verification technology into state-graph manipulators and provides a user interface which views state-graphs as basic data-objects. Hence, users do not have to be verification theory experts and do not have to trace inside state-graphs to analyze state and path properties to make the best use of verification theory. Instead, users can construct their own verification strategies based on observing how state-graph complexity changes after experimenting with some combinations of manipulators. Moreover, SGM allows users to control the complexity of state-graphs through iterative state-graph merging and reductions before they become out of control. Reduction techniques specially designed for the context of iterative state-graph composition and shared variable manipulations are developed and used in SGM. Experiments on different benchmarks to show SGM performance are reported. An algorithm based on group theory to pick a manipulator combination is presented.
INTRODUCTION
THE general trend in engineering is to package complex technology with simple and friendly interfaces so that more users can benefit. Since the famous Pentium bug, people have been anticipating wide acceptance of the technology of computer-aided verification. Indeed, with today's powerful hardware and recently reported verification theory breakthroughs [3], [8], it seems that industrial application of verification theory is becoming more and more real. But most verification packages today are developed based on profound, complex theories that take years of graduate study to master. Thus, inevitably, only projects with big budgets can afford the advantage of computer-aided verification. One of the goals of this work is to devise a packaging scheme for verification technologies so that users illiterate in verification technology can still benefit from it.
Here, we give a brief description of our method, which works on dense-time concurrent systems. For a system with $m$ concurrent processes, we assume that we are given their $m$ behavior descriptions, called state-graphs, stored in an array, $G_1, \ldots, G_m$, respectively. In the traditional approach, a verification procedure starts by constructing the Cartesian product of $G_1, \ldots, G_m$, as in Table 1a with eight processes, to verify the given concurrent system. The standard technology now is symbolic manipulation [8], [19], [4], which can be used in both Cartesian product calculation and model-checking. To cope with the resource consumption requirements of different verification tasks, very often ingenious strategies which search through state-graphs for certain state and path properties have to be devised to keep space and CPU-time under control. To this end, users have to be knowledgeable about the theory of computer-aided verification and traverse the final product state-graph $G$.
On the contrary, our method treats state-graphs as high-level data-objects and defines and implements many theoretically proven manipulators to merge, reduce, and check them. From the users' standpoint, the goal is to construct a verification procedure, with the many state-graph manipulators in our library, which composes a representation of the global state space from all the state-graphs with manageable space and CPU-time consumption. There are three types of manipulators in our method: $\times$ for binary merge, check() for model-checking, and reducers for reducing the sizes of state-graphs. In between iterative binary mergings of state-graphs, combinations of reducers can be applied to control the complexity of newly constructed state-graphs. With the many manipulators in our method, users can easily test different combinations of manipulators. In Table 1b, we have another example verification session using our method. Users calculate the binary products of state-graphs and intermittently reduce them with different reducer combinations as they see fit. One performance advantage of our approach is that users can control the complexity of state-graphs with off-the-shelf manipulators before those state-graphs become out of control.
Just like a mechanic can buy various off-the-shelf components to build her/his dream car, users of SGM can also enjoy the technology of CAV without deep understanding of the component technologies and construct the verification procedure that best suits them with the manipulations supported in our method. At this moment, we have successfully developed several theoretically sound reducers. From our experiments, different application orderings of different reducers achieve different complexity reductions. Thus, the performances of the many reduction techniques really depend on each other. This is due to the fact that a reduction technique may need the information derived by another to make further reductions. (See Example 4.) SGM provides a high-level and clean interface for users to experiment with different combinations of manipulators to reduce resource consumption (memory and CPU time) to fulfill given verification tasks.
For each different verification task, there can be a different reducer combination for it which may cost the least memory space and CPU time. One research issue in our method is how to choose a good reducer combination for a given verification task when the number of reducers is large. In Section 10, we also present an algorithm based on group theory [20] , [21] to pick an efficient reducer combination for a given verification task.
Another contribution of the work is in our design of reduction techniques in the context of iterative composition and global shared variable manipulations. For example, we may have $m$ state-graphs $G_1, \ldots, G_m$ constituting a concurrent system and $G_{1..k}$ is generated by composing $G_1, G_2, \ldots, G_k$ with $k < m$. Each of the state-graphs may write specific and unique values to some shared variables. We aim to design reduction techniques on intermediate state-space representations like $G_{1..k}$ by analyzing the distinct values compared with and written to by various parties in the concurrent system. Previous model-checkers like Kronos gain part of their performance by detecting "dead transitions" (i.e., transitions which can never be triggered) after generating a Cartesian product of automata. But, Kronos does not allow natural manipulation of global variables and thus is not able to detect dead transitions whose triggering conditions depend on global variable values. To eliminate dead transitions in the context of iterative composition and global shared variables, we have to research deeper into the theory of concurrency and work out new techniques. Instead of using the product calculation technique, we use our Lemma 1 to eliminate "dead transitions" using the locality of global read-write operations of concurrent processes. Moreover, we believe that our approach better utilizes the properties among concurrent global operations and has the potential of reducing space complexity before it becomes uncontrollable in the generation of the Cartesian product.
Section 2 defines our problems. Section 3 discusses some related work. Section 4 presents the general framework of our method. Section 5 describes the function and data structures of our state-graphs. Sections 6 and 7 describe the manipulators we have implemented so far. Section 8 demonstrates SGM in its graphical user interface. Section 9 reports experiments on several benchmarks. Section 10 shows an algorithm which uses group theory to find a locally optimal combination of manipulators to counter the state-explosion problem. Section 11 contains the conclusion and our perspective of using this research as a public framework to enhance the application of verification technology and cooperation throughout the world.
We shall adopt the following notations. Given a set or sequence $F$, $|F|$ is the number of elements in $F$. For each element $e$ in $F$, we also write $e \in F$. x is the set of nonnegative integers, is the set of integers, and is the set of nonnegative reals.
FORMAL PROBLEM DEFINITION
We formally define our dense-time concurrent systems and their CTL model-checking problem, respectively, in two subsections.
Timed Mode Transition Systems
A real-time concurrent system is composed of many processes. Each process runs autonomously and interacts with others through read-write operations on global variables and timers. In addition, each process has its own local variables and timers which no other process can access. For a system with $m$ processes, we use the integers $1, \ldots, m$ to identify the $m$ processes.
Given a timer set H and a variable set F , a state predicate of H and F is a formula constructed according to the following syntax:
$y$ is a variable in $F$. $c, d$ are natural numbers. $p$ is the process identifier symbol which represents the local process. $x, x'$ are timers in $H$. $\sim$ is an inequality operator in $\{\le, <, =, >, \ge\}$. Common shorthands like true, false, conjunction ($\wedge$), and implication ($\rightarrow$) can be defined. Notationally, we let $B_{H,F}$ be the set of all state predicates of $H$ and $F$.
Definition 1 (PTMTS).
The process timed mode-transition system (PTMTS) is defined to describe behaviors in an atomic process in a real-time concurrent system. It is essentially a 
Here, $c$ and $d$ are natural numbers. The triggering condition of a transition is a state predicate in $B_{X \cup X_p,\, Y \cup Y_p - \{q_p\}}$. The assignment part of a transition is a finite sequence of assignment statements which is executed on the happening of the transition. Each assignment statement has the following syntax:
$y := c;\ \mid\ y := p;\ \mid\ x := 0;$
Again, $y \in Y \cup Y_p - \{q_p\}$, $x \in X \cup X_p$, $p$ is the process identifier symbol, and $c$ is a natural number. Initially, all timers and variables contain zeros. The processes act by performing transitions in an interleaving fashion, i.e., at any moment, at most one transition can happen. Right before a transition $e \in T_p$ from mode $i$ to mode $j$ happens, $A_p$ is in mode $i$ and the triggering condition of $e$ is satisfied. On the happening of $e$, which is instantaneous, variables are assigned new values and timers are reset to zero according to the assignment statements of $e$, and then $A_p$ enters mode $j$. In between the happenings of transitions, all variable contents stay unchanged and all timer readings increment at a uniform rate.
In Fig. 1, we draw the PTMTS as a timed automaton, which is more visually readable. The circles are modes and the starting mode is doubly circled. Inside the circles, we put down the mode names and the invariance conditions enforced by $I_p$ in the modes. On each transition, we put down the triggering condition, if any, above the assignment statements, if any. For example, in mode $q_p = 1$, $0 \le x_p \le 1$ must be true for process $p$. In mode $q_p = 1$, when $x_p < 1$, process $p$ may assign $p$ to variable $l$, reset $x_p$ to zero, and enter mode $q_p = 2$. We also label each transition with a boldface number near its source for later use.
Given a PTMTS
Given a state and a state predicate , we can define ( satisfies ) in a traditional inductive way.
. y c iff y c,
H iff or H Given a state and P , we let be a mapping identical to except that, for each x P X S I p m X p , x x . Given a sequence of assignment statements , we let be a new mapping identical to except that variables are assigned new values and timers are reset to zero according to . 
CTL and Model-Checking
Our verification framework is model-checking. That is, the system description is given in PTMTSs and the specification is given in CTL formulas [3] , [19] and a verification problem instance asks if a given concurrent system with PTMTS processes satisfies a given CTL formula. A CTL formula has the following syntax: [9] , a newer version of SMV, is one tool that will be adopting a high-level user interface. But, they still do not allow users to easily construct verification strategies best fitting their verification tasks.
SPIN [23] is an automated protocol validation system using PROMELA with refining dependencies for efficient partial-order verification [10] , [18] .
The Murφ Verification System [13] is a language-based verification tool for finite-state concurrent systems with symmetry-based reduction [27].
Aldebaran [16] is a component of the CADP protocol engineering toolbox developed at INRIA/Verimag with strong/weak (bi)simulation, safety preorder/equivalence, on-the-fly verification techniques [17] , time-abstracting bisimulation implemented [40] . Yet another component in the CADP toolset is XTL Model Checker [33] with states, transitions, and labels handling labeled transition systems.
CAML Prototype [29] has implemented a quotienting technique of moving a parallel system description into a specification formula, trivial equation elimination, and equivalence reduction. KRONOS [11] is a well-known verification tool with minimization algorithms [11] , inactive clock reduction [12] , and clock equality [12] reduction techniques implemented. Kronos does not allow natural manipulations of global variables. We believe that, in the context of iterative composition, Kronos is not able to detect dead transitions whose triggering conditions depend on global variable values. Moreover, Kronos detects dead transitions by generating a Cartesian product of automata, which can be very space-inefficient.
UPPAAL [31] , [30] , [7] is a widely used verification tool for real-time systems with a graphical interface, simulation, quotient construction, minimizations, trivial equation elimination, and equivalence reduction implemented [31] . Memory space explosion was tactically handled by compact data structures [30] and optimized constraint manipulations [7] .
In Section 7.4, we discuss how to reduce state-graph sizes through bypassing internal transitions. Similar concepts may be dated back to the "internal action" of process algebra [22], [35]. A recent similar concept is the "invisible transition" by Miller and Katz [36]. However, there is both a similarity and a distinction between the concepts of Miller and Katz's "invisible" and our "internal." In the similarity part, both concepts try to hide information which is not interesting to the outside world. In the distinction part, Miller and Katz focus on the observation (i.e., specification) of the users, while we focus on the interaction among peer processes. This distinction drove us to design new techniques with Lemmas 1 and 2. More precisely, the property of "invisibility of transitions" proposed by Miller and Katz depends on the specification, whereas our property of "internal" is independent of any specification. A transition may become internal only when verification is performed compositionally.
From the above, we notice that, although different techniques have been implemented in the various well-known tools, if a user needs to apply two or more different techniques to a verification task and those techniques were implemented in different tools, then the user will have to expend great effort either translating the output of one tool into the input format of another or making strong assumptions about technique application that may be invalid. Even with one verification tool, users still face a dilemma. On one side, without a user-friendly interface for users to construct a high-level verification strategy, it may become difficult for the tools to figure out the right combination of existing reduction techniques for a given verification task. On the other side, for new users, acquainting themselves with the reasoning structures of various tools in order to maximize verification efficiency can just be too costly and too time-consuming for their jobs. Such painstaking efforts could be avoided if various compatible techniques could be collected, implemented, and integrated into a single environment in which users can flexibly fine-tune their verification strategy. SGM is proposed with this motivation in mind.
GENERAL FRAMEWORK OF VERIFICATION
Our method can be embodied in a simple language of verification procedure. The language looks like Pascal or C, but supports high-level objects with types of integer, state-graphs, and CTL formula. In the following, we give an example to illustrate how to define a verification procedure in the language.
Merging of state-graphs is performed by the binary $\times$. Then, we have a set of theoretically proven reducers, which can be designed by anyone. Control of the verification procedure is achieved with nested for-loops indexed on integers and if-statements with conditions on state-graph sizes, graph construction times, and index variables. In Table 2, we have an example verification procedure written in the language. Verification procedures always take three arguments. The first, here G, is an array of state-graphs; the second, here m, is the number of state-graphs (processes) in the concurrent system; and the third is the CTL formula to check with. The array is declared in C-language style. Lines (1) and (2) declare variables of state-graph type and integer type, respectively. Line (4) iterates the for-loop to merge and reduce the state-graphs. Lines (6) and (7) calculate two alternative combinations of reducers. The if-structure starting at line (8) chooses, for each iteration, the reduction result with, first, the least size and, then, the least CPU-time. For any state-graph $H$, we let $\mathrm{size}(H) = \mathrm{NodeCount}(H) + \mathrm{ArcCount}(H)$. NodeCount() is a system-defined function which returns the number of nodes in the argument state-graph. Similarly, another function, ArcCount(), returns the number of arcs in the argument state-graph. Time() is the CPU time used to construct the state-graph in its argument. After the loop from lines (4) to (11) is over, H is a reduced representation of the global state space. Then, at line (12), we check H against the CTL formula.
Since our method allows reasoning on state-graphs as whole objects instead of searching for paths in them, users can test different combinations of reducers to achieve their verification tasks from a resource management point of 
IMPLEMENTATION OF STATE GRAPHS
A state-graph $G$ for process set $H = \{i_1, i_2, \ldots, i_h\}$ is a multigraph (allowing more than one arc from one node to the other) and is conceptually implemented as a tuple, $G = \langle V, v_0, .State, E, .Pair, .Proc, .Tion, .Perm\rangle$.
Each element in $V$ is a region which represents a set of states. $v_0$ is the initial region. For each $v \in V$, $.State(v)$ is a condition true for all states represented by $v$. Specifically, in $.State(v)$, we record the following information:
- The values of all local and global discrete variables (including $q_p$) in $H$.
- The Difference-Bound Matrix [2], [14] which records the differences among all local and global timers in $H$ up to the biggest timing constant used in the input PTMTS.
- Some propositions prepared by manipulators in SGM for the use of other manipulators. For example, we may use Lemma 1 in Section 7.1 to infer that, at some states, $l = p$ must be false.

Thus, when we say two states are in the same region, we mean they are identical with respect to their information recordings.
$E$ is the set of arcs among nodes in $V$. For each $e \in E$,

- $.Pair(e) = (v, v')$ describes the source and destination of arc $e$.
- $.Proc(e) \in \{1, \ldots, m\}$ defines the index of the process which makes the transition corresponding to $e$.
- $.Tion(e)$ is an index representing the transition which corresponds to $e$.
- $.Perm(e)$ is a permutation of process identifiers $1$ through $m$ and is needed because we implement reduction with symmetry [15].

State-graphs are multigraphs because there can be more than one transition leading from one node to the other. Reduction by symmetry also adds multiplicity to arcs between pairs of nodes. From $.Proc$ and $.Tion$, we can reach information about triggering conditions and assignment statements.
ON-THE-FLY MERGING OF STATE-GRAPHS
In this section, we first briefly describe our merge manipulator, $\times$, which merges two state-graphs into a new one which represents a finer description of the global state space. Suppose we are given two state-graphs, with $i \in \{1, 2\}$, $G_i = \langle V_i, v_{i.0}, .State_i, E_i, .Pair_i, .Proc_i, .Tion_i, .Perm_i\rangle$ for process set $H_i = \{p_{i.1}, p_{i.2}, \ldots, p_{i.m_i}\}$ such that $H_1 \cap H_2 = \emptyset$. $\times(G_1, G_2)$ (or $G_1 \times G_2$ in infix notation), computed with the procedure in Table 3, is a new state-graph constructed with an on-the-fly technique from $G_1$ and $G_2$ for process set $H_1 \cup H_2$. The reader should be mindful that the output of a merge operation is not a plain Cartesian product. It also contains the information needed for further composition and reduction (like symmetry reduction). Since the merge is done on the fly, some inconsistent state representations can be discarded before being generated. Lemma 2 in Section 7.2 derives a path-based property for timer elimination and can be used to deduce behavior equivalence among states. The lemma is established in the context of iterative composition of state-graphs. Lemma 2 predicts, in a given state, whether the value of a clock will be used again before being reset by considering the behavior structure in $G_{1..k}$ and the read-write values used for the clock in the other $m - k$ state-graphs. Section 7.3 discusses how we adapt the technique of verification by symmetry [15] to dense-time systems. Section 7.4 discusses how we can exploit the fact that some transitions become internal only after an intermediate state-graph, like $G_{1..k}$, is generated.
Variable Value Stability under Concurrent Read/Write
Lemma 1. Suppose we are given a variable $y$ and a finite run segment through states $h, h+1, \ldots, k$ with times $t_h, t_{h+1}, \ldots, t_k$ such that, for all $h \le i < k$, state $i$ goes to state $i+1$ without making an assignment to $y$ on a transition from a process with an identifier in $H$.
- If we enter state $h$ with an assignment $y := a;$, then, for all $h \le i < k$ and $t_i \le t \le t_{i+1}$,
- If we enter state $h$ without an assignment to $y$ but with a triggering condition $y = a$, then, for all $h \le i < k$ and $t_i \le t \le t_{i+1}$, the state at time $t$ satisfies $\forall b \in D_{H,y} - \{a\}:\ y \neq b$.
- If we enter state $h$ without an assignment to $y$ but with a triggering condition $y \neq a$ with $a \in D_{H,y}$, then, for all $h \le i < k$ and $t_i \le t \le t_{i+1}$, the state at time $t$ satisfies $y \neq a$.
Proof. If the values in $D_{H,y}$ are not going to be written to $y$ by other processes with identifiers not in $H$, and since we have full knowledge that processes with identifiers in $H$ will not write values in $D_{H,y}$ to $y$ along the segment either, the lemma must hold. □
Our SGM takes advantage of Lemma 1 in the following way: In a given state-graph, we have a set of nodes, each representing a set (region) of states. Lemma 1 is first applied to deduce the truth values of propositions about valuations of discrete variables in the nodes. Certain nodes can be eliminated because of invalidated invariance conditions. Certain transitions can also be eliminated due to invalidated triggering conditions. After such elimination, the state-graph size is, hopefully, reduced.
Example 3. In the state-graph in Fig. 2, which is part of the state-graph generated for Fischer's timed mutual exclusion algorithm in Fig. 1, the square boxes represent nodes (regions) while the arcs represent transitions, with transition indices and process identifiers labeled by their sides. The crossed-out arcs represent transitions detected as untriggerable by Lemma 1. For example, in node 2, we can deduce $l \neq 1$ and, thus, conclude that transition $4_1$ will never be triggered from node 2. Thus, Lemma 1 can be used to delete early arcs and nodes which are eventually unreachable in the final state-graphs.
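The deduction in Example 3 can be mechanised as a forward propagation of "$y \neq b$" facts over the arcs of an intermediate state-graph. The Python below is an added example and not SGM's own code: it computes, per node, which values of $D_{H,y}$ the variable $y$ cannot hold, marks arcs whose triggering condition requires an excluded value as dead, and then drops nodes that are only reachable through dead arcs. The three-process Fischer-like templates (timers dropped), the composed set $H = \{1, 2\}$ and the fragment of $G_{1..2}$ are all constructed for the example; $D_{H,y}$ is taken to be the set of values that processes in $H$ write to $y$ and that no outside process writes, which is the reading suggested by the proof of Lemma 1 rather than a definition quoted from the page.

```python
"""Lemma 1 style dead-transition elimination on an intermediate state-graph.
Constructed example, not SGM's code: an untimed abstraction of three Fischer-like
processes sharing one discrete variable `l`; only H = {1, 2} have been composed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Guard = Tuple[str, str, int]   # (variable, "==" or "!=", value)
Assign = Tuple[str, int]       # (variable, value)

@dataclass(frozen=True)
class Transition:              # one transition of a PTMTS template; the mode
    guard: Optional[Guard]     # change is recorded on state-graph nodes, not here
    assign: Optional[Assign]

@dataclass(frozen=True)
class Arc:                     # one arc e of an intermediate state-graph
    src: int
    dst: int
    proc: int                  # .Proc(e): the process that moves
    tr: int                    # .Tion(e): index into that process's template

def template(p: int) -> List[Transition]:
    """Constructed Fischer-like process p with the timing abstracted away."""
    return [Transition(("l", "==", 0), None),   # 0: wait until l is free
            Transition(None, ("l", p)),         # 1: write own identifier
            Transition(("l", "==", p), None),   # 2: still ours -> critical section
            Transition(("l", "!=", p), None),   # 3: overwritten -> retry
            Transition(None, ("l", 0))]         # 4: release

def unique_values(y: str, H: Set[int], procs: Set[int]) -> Set[int]:
    """D_{H,y} as read off Lemma 1's proof (an assumption about the page's definition):
    values written to y by processes in H that no process outside H writes."""
    def writes(ps: Set[int]) -> Set[int]:
        return {t.assign[1] for p in ps for t in template(p) if t.assign and t.assign[0] == y}
    return writes(H) - writes(procs - H)

def excluded_values(y: str, arcs: List[Arc], H: Set[int], procs: Set[int], v0: int = 0) -> Dict[int, Set[int]]:
    """Per node, the subset of D_{H,y} that y provably does not hold there."""
    D = unique_values(y, H, procs)
    nodes = {a.src for a in arcs} | {a.dst for a in arcs} | {v0}
    initial = D - {0}                          # every variable starts at zero

    def via(arc: Arc, f_src: Set[int]) -> Set[int]:
        # facts at arc.dst when entered through arc: the three cases of Lemma 1
        t = template(arc.proc)[arc.tr]
        if t.assign and t.assign[0] == y:      # entered with y := a
            return D - {t.assign[1]}
        if t.guard and t.guard[0] == y:
            _, op, a = t.guard
            if op == "==":                     # entered with condition y = a
                return f_src | (D - {a})
            if a in D:                         # entered with y != a, a in D_{H,y}
                return f_src | {a}
        return set(f_src)                      # y untouched: facts carry over

    # greatest fixpoint: start optimistic and intersect over all entry arcs, so a
    # fact survives at a node only if it holds on every way of entering the node
    facts = {v: set(D) for v in nodes}
    facts[v0] = set(initial)
    changed = True
    while changed:
        changed = False
        for w in nodes:
            incoming = [a for a in arcs if a.dst == w]
            if not incoming:
                continue
            new = set.intersection(*[via(a, facts[a.src]) for a in incoming])
            if w == v0:
                new &= initial
            if new != facts[w]:
                facts[w], changed = new, True
    return facts

def reduce_graph(y: str, arcs: List[Arc], H: Set[int], procs: Set[int], v0: int = 0):
    """Drop arcs whose condition needs an excluded value, then unreachable nodes.
    Returns (live arcs, reachable nodes, dead arcs)."""
    facts = excluded_values(y, arcs, H, procs, v0)
    dead: Set[Arc] = set()
    for a in arcs:
        g = template(a.proc)[a.tr].guard
        if g and g[0] == y and g[1] == "==" and g[2] in facts[a.src]:
            dead.add(a)
    live = [a for a in arcs if a not in dead]
    reach, todo = {v0}, [v0]
    while todo:
        v = todo.pop()
        for a in live:
            if a.src == v and a.dst not in reach:
                reach.add(a.dst)
                todo.append(a.dst)
    return [a for a in live if a.src in reach], reach, dead

# Constructed fragment of G_{1..2}; node = (mode of p1, mode of p2):
# 0:(0,0) 1:(1,0) 2:(2,0) 3:(2,1) 4:(2,2) 5:(3,2) 6:(0,2) 7:(2,3) 8:(3,0)
FRAGMENT = [
    Arc(0, 1, proc=1, tr=0),   # p1 sees l == 0
    Arc(1, 2, proc=1, tr=1),   # p1 writes l := 1
    Arc(2, 8, proc=1, tr=2),   # p1 sees l == 1: live, nobody in H rewrote l
    Arc(2, 3, proc=2, tr=0),   # p2 sees l == 0: live, p3 may have released
    Arc(3, 4, proc=2, tr=1),   # p2 writes l := 2
    Arc(4, 5, proc=1, tr=2),   # p1 sees l == 1: dead, l != 1 holds at node 4
    Arc(4, 6, proc=1, tr=3),   # p1 sees l != 1 and retries
    Arc(4, 7, proc=2, tr=2),   # p2 sees l == 2 and enters its critical section
    Arc(8, 0, proc=1, tr=4),   # p1 releases, l := 0
]
```

The node facts are computed as a greatest fixpoint over the graph, so a fact is kept at a node only if it holds along every arc entering that node. On the constructed fragment the only dead arc is the one where process 1 tests $l = 1$ after process 2 has written $l := 2$, and node 5, reachable only through it, disappears with it; this is the shape of the deduction in Example 3.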
Irrelevance of Shielded Timers
. À; ; ftrue; falseg if P À. . À; ; f g if is atomic and T P À. . À; ; X fXb j b P À; ; g. .
Here, we assume that $\neg\mathit{true} = \mathit{false}$, $\neg\mathit{false} = \mathit{true}$, $\mathit{true} \vee \mathit{true} = \mathit{true}$, $\mathit{true} \vee \mathit{false} = \mathit{true}$, $\mathit{false} \vee \mathit{false} = \mathit{false}$, and $\mathit{false} \vee \mathit{true} = \mathit{true}$. Then, $\Gamma$ is shielded in a state w.r.t. a formula iff the set defined above for $\Gamma$ has exactly one element, which means the values of the formula are independent of the atoms in $\Gamma$ in that state. For instance, in Example 1, the timing atom set $\{0 \le x_p, x_p \le 1\}$ is shielded in any state which satisfies $q_p = 0$ w.r.t.
Definition 4 (Timer shieldedness). Suppose we are given a model-checking problem instance with system $S$ and CTL formula. A timing atom in one of the following forms: $x \sim c$, $x + c \sim x' + d$, and $x' + c \sim x + d$ is called an $x$'s timing atom. Let $U_x$ be the set of all timing atoms of $x$ used in the model-checking problem instance. A timer $x$ is shielded in a state for the problem instance iff 1. $x$ is not used in the specification and 2. for any k P x and Erun H ; t H I ; t I F F F k ; t k F F F F F F ; if either a. $k > 0$ and state $k-1$ goes to state $k$ on a transition such that jU x ; kÀI t kÀI ; j > I or b. $k \ge 0$ and, for some $t \in [0, t_{k+1} - t_k]$, jU x ; k t;Î p m I p j > I; then there is a $0 < h < k$ such that state $h-1$ goes to state $h$ on a transition
Case 2a is a state property which says a transition can be either allowed to or forbidden from happening due to different valuations of timing atoms in $U_x$. Case 2b is a state property which says a region can be entered or not due to different valuations of timing atoms in $U_x$. Case 2 is a path property which intuitively says that if the current reading of timer $x$ is not tested (with invariance conditions or triggered transitions) before it is reset, then the current reading of timer $x$ has no influence on system behavior in the future. H only differ at readings of x. Assume the construction is impossible because there is at least k > H such that e k can be triggered in the Erun, but cannot be triggered in the H Erun due to either unsatisfied triggering condition (Case 2a in Lemma 2) or unsatisfied invariance condition (Case 2b). Since the only difference between the two runs is caused by the different readings of x in and H , this implies either U x ; kÀI t k À t kÀI ; > I or U x ; k ; V I p m I p > I, which again implies, by our shieldedness condition, that, before e k , there is another transition which has reset x to zero in both runs. This means kÀI t k À t kÀI x H kÀI t k À t kÀI x, which is a contradiction to our assumption. Thus, we know the construction can be made and, by induction on the subformula structure, we can show the "iff" relation. □
Here is how we plan to use Lemma 2. In the set of nodes in a state-graph, after application of Lemma 2, we can eliminate some pieces of information (actually columns and rows in zone matrices and timing atoms) from the recordings of nodes. After such elimination, we may hopefully find that some nodes are now indistinguishable, and we only have to keep one representative node in each such indistinguishable group. Thus, the state-graph size can be reduced.
Example 4. In Fig. 3, part of the state-graph generated for Fischer's timed mutual exclusion algorithm in Fig. 1, we illustrate how Lemma 2 works. Fig. 3 can be thought of as a reduction of Fig. 2. Let us examine how this reduction is possible. By analyzing the intermediate state-graph G after merging the state-graphs for processes 1, 2, and 3, we can deduce that, in Fig. 2, $x_1$ is shielded in node 2, $x_2$ is shielded in node 5, and $x_1, x_2$ are shielded in both nodes 3 and 6. To convince ourselves of this, let us look at node 2 and timer $x_1$. Condition 1 is obviously satisfied (check Example 2). Condition 2 can be established as follows: In node 2, process 1 is in mode $q_1 = 2$, from which $x_1$ is read only by process 1 with transition $4_1$ before any reset. But, from Example 3, we already know that, from mode $q_1 = 2$, transition $4_1$ is not triggerable.
Thus, we deduce Conditions 1 and 2 are both satisfied. After shielding the clocks in different nodes, we find that, according to Lemma 2, nodes 3 and 6 are equivalent. Thus, we can just keep one of them. However, we note for readers that the shieldedness of the timers in this example is detected only after we have eliminated arcs using Lemma 1. This implies that application ordering among reducers can affect verification performance.
Symmetry through Index Permutation
We extend the technique of reduction by symmetry [15] to dense-time systems. The idea is to attach a process identifier permutation to each arc in a state-graph. Only one node among those equivalent under process identifier permutation is kept. This usually results in a factorial reduction in state-graph sizes. By applying the reduction by symmetry technique, we can further reduce the structure in Fig. 3 to the one in Fig. 4, which is again part of the state-graph generated for Fischer's timed mutual exclusion algorithm in Fig. 1. Note that there is now a new arc from node 0 labeled with $2_2$. On the same arc, we also label the permutation $(2, 1)$.
As we see, reduction by symmetry transforms a state-graph into a multigraph. In fact, a lot of the arcs can also be eliminated to save memory space. We adopt a two-fold approach to this aspect.

- For CTL specifications which are symmetric with respect to all process identifiers, we also reduce those arcs which are equivalent under permutation of process identifiers. It can be shown that such reduction does not affect the answer of model-checking.
- For asymmetric CTL specifications, we still do the arc reduction with the symmetry technique. But, when actually model-checking a CTL specification against a state-graph whose arcs have been reduced with the symmetry technique, SGM dynamically reconstructs the arcs which were reduced. Once the evaluation from one node to another is done, the dynamically constructed arcs are discarded again. Such dynamic reconstruction and discarding can increase the efficiency of memory space management.
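To make the permutation bookkeeping of this section concrete, the following added Python example (not SGM's implementation) explores a constructed, fully symmetric system, $m$ identical processes competing for one lock with an atomic test-and-set, once as a plain reachable-state enumeration and once keeping only the lexicographically least member of each orbit under process-identifier permutation, recording on every arc the permutation that was applied. The state representation, the successor function and the choice of the least image as orbit representative are assumptions of the example.

```python
"""Reduction by process-identifier permutation on a constructed symmetric system.
Added example, not SGM's code.  The system is an untimed abstraction of m identical
processes competing for one lock `l` with an atomic test-and-set: modes 0 (idle),
1 (trying), 2 (critical); `l` holds 0 or the identifier of the lock holder."""
from itertools import permutations
from typing import List, Optional, Tuple

State = Tuple[Tuple[int, ...], int]   # (mode of each process, value of l)
Perm = Tuple[int, ...]                # perm[p-1] is the new identifier of process p


def successors(state: State, m: int) -> List[State]:
    """Interleaving semantics: exactly one process moves per arc."""
    modes, l = state
    out: List[State] = []
    for p in range(1, m + 1):
        q = modes[p - 1]
        if q == 0:                      # idle -> trying, no triggering condition
            new_q, new_l = 1, l
        elif q == 1 and l == 0:         # trying and l == 0 -> critical, l := p
            new_q, new_l = 2, p
        elif q == 2:                    # critical -> idle, l := 0
            new_q, new_l = 0, 0
        else:
            continue                    # trying while l != 0: blocked
        out.append((modes[:p - 1] + (new_q,) + modes[p:], new_l))
    return out


def apply_perm(state: State, perm: Perm) -> State:
    """Rename process p to perm[p-1] everywhere an identifier occurs in the state."""
    modes, l = state
    new_modes = [0] * len(modes)
    for p, q in enumerate(modes, start=1):
        new_modes[perm[p - 1] - 1] = q
    return (tuple(new_modes), perm[l - 1] if l else 0)


def canonical(state: State, m: int) -> Tuple[State, Perm]:
    """Lexicographically least member of the orbit and the permutation reaching it.
    The permutation is what SGM-style .Perm(e) would store on the arc."""
    best: Optional[Tuple[State, Perm]] = None
    for perm in permutations(range(1, m + 1)):
        image = apply_perm(state, perm)
        if best is None or image < best[0]:
            best = (image, perm)
    assert best is not None
    return best


def explore(m: int, symmetric: bool) -> Tuple[int, int]:
    """Size of the reachable state-graph as (nodes, arcs).  With symmetry, nodes
    are orbit representatives and arcs are (source, representative, permutation),
    so two successors may land on one representative via different permutations."""
    identity: Perm = tuple(range(1, m + 1))
    init: State = ((0,) * m, 0)
    seen, todo, arcs = {init}, [init], set()
    while todo:
        s = todo.pop()
        for t in successors(s, m):
            perm = identity
            if symmetric:
                t, perm = canonical(t, m)
            arcs.add((s, t, perm))
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return len(seen), len(arcs)
```

For $m = 2$ the plain graph has 8 nodes and 14 arcs while the reduced one has 5 nodes and still 9 arcs: the two successors of the node where both processes are trying map onto the same representative under different permutations, which is exactly how reduction by symmetry turns a state-graph into a multigraph. For $m = 3$ the node count drops from 20 to 7.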
Internal Transition Bypassing
Suppose we are given a model-checking problem with dense-time concurrent system $S$, of $m$ processes, and a CTL formula. Given a set $H$ of processes in $S$, we let $Y_H$ be the set of discrete variables either read or written by the processes in $H$. A discrete variable $y$ is said to be internal to $H$ iff

- $y \in Y_H$ and $y \notin Y_{\{1, \ldots, m\} - H}$;
- $y$ is not used in the specification.

In other words, an internal variable of a process set $H$ is neither accessed by processes not in $H$ nor used by the specification. For example, all local variables of a process are internal variables of any state-graph containing it. A variable which is not internal is called a visible variable. For example, all global variables of a system are visible variables.
Reading and writing of variables occurs on transitions in their triggering conditions and assignment statements, respectively. A transition is said to be internal to process set $H$ iff its triggering condition and assignment statements only access internal variables of $H$. Note that an internal transition must not reset any timer variable, either local or global. Otherwise, the progress of time is not continuous and outside processes may thus speculate on the occurrence time of the transition.
Given a region $v$, we let $.State(v)/I$ be the new region recording obtained from $v$ by discarding all conditions on variables from $I$. Specifically, $.State(v)/I$ is obtained from $v$ by deleting the value recordings of variables in $I$ and the literals with variables in $I$. Our BIT reduction procedure is shown in Table 4.
Example 5. We have a token ring in Fig. 5 of four processes with template state-graph $A_p$. $t_1, t_2, t_3, t_4$ are the tokens. For each $1 \le p \le m$, token $t_p$ is internal to process set $\{p \% 4 + 1, p\}$, where $\%$ is the modulo operator. Mode $q_p = 1$ is the critical section. To check for mutual exclusion, it is enough to model-check $\forall\Box\,\neg(q_1 = 1 \wedge q_2 = 1)$, which we assume to be the specification. After merging the state-graphs for $A_3$ and $A_4$, we find the path in Fig. 6. Note that, in $A_3 \times A_4$, $q_3$, $q_4$, and $t_4$ are all internal. Thus, according to our algorithm in Table 4, the arc from node 0 to node 1 can be bypassed.
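The classification in Example 5 and the bypass step can be written down in a few dozen lines. The Python below is an added example, not the BIT procedure of Table 4 (which is not reproduced on the page): it derives the internal variables of a process set $H$ from the per-process variable accesses and the variables of the specification, classifies an arc as internal when its triggering condition and assignments touch only internal variables and it resets no timer, and then bypasses internal arcs by attaching the visible arcs at the end of every internal path directly to the path's source. The four-process token ring, its variable accesses and the fragment of $A_3 \times A_4$ are constructed for the example; an internal arc into a node that has no visible successor is simply dropped here, a case a full BIT procedure has to treat explicitly.

```python
"""Internal-transition bypassing on a constructed token-ring fragment.
Added example, not SGM's BIT procedure.  Ring of M = 4 processes: process p enters
its critical section when it reads token t_p and clears it, and on leaving passes
the token on with t_{p % M + 1} := 1."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

M = 4


@dataclass(frozen=True)
class Arc:
    src: int
    dst: int
    proc: int
    reads: FrozenSet[str]          # variables in the triggering condition
    writes: FrozenSet[str]         # variables assigned, the mode variable q_p included
    resets_timer: bool = False     # an internal transition may not reset timers


def accesses(p: int) -> Set[str]:
    """Every discrete variable that the template of process p reads or writes."""
    return {f"q{p}", f"t{p}", f"t{p % M + 1}"}


def internal_variables(H: Set[int], spec_vars: Set[str]) -> Set[str]:
    """y in Y_H, y not in Y of the other processes, and y not used in the specification."""
    y_h = set().union(*(accesses(p) for p in H))
    y_rest = set().union(*(accesses(p) for p in set(range(1, M + 1)) - H))
    return y_h - y_rest - spec_vars


def is_internal(arc: Arc, internal: Set[str]) -> bool:
    return (arc.reads | arc.writes) <= internal and not arc.resets_timer


def bypass(arcs: List[Arc], v0: int, internal: Set[str]) -> Tuple[Set[Arc], Set[int]]:
    """Replace every internal path u -> ... -> v followed by a visible arc v -> w by a
    direct arc u -> w carrying the visible arc's labels, then drop the nodes that are
    no longer reachable from v0.  Returns (arcs, nodes) of the reduced state-graph."""
    out: Dict[int, List[Arc]] = {}
    for a in arcs:
        out.setdefault(a.src, []).append(a)

    def internal_closure(u: int) -> Set[int]:
        seen, todo = {u}, [u]
        while todo:
            v = todo.pop()
            for a in out.get(v, []):
                if is_internal(a, internal) and a.dst not in seen:
                    seen.add(a.dst)
                    todo.append(a.dst)
        return seen

    nodes = {a.src for a in arcs} | {a.dst for a in arcs} | {v0}
    new_arcs: Set[Arc] = set()
    for u in nodes:
        for v in internal_closure(u):
            for a in out.get(v, []):
                if not is_internal(a, internal):
                    new_arcs.add(Arc(u, a.dst, a.proc, a.reads, a.writes, a.resets_timer))
    reach, todo = {v0}, [v0]
    while todo:
        v = todo.pop()
        for a in new_arcs:
            if a.src == v and a.dst not in reach:
                reach.add(a.dst)
                todo.append(a.dst)
    return {a for a in new_arcs if a.src in reach}, reach


def fs(*names: str) -> FrozenSet[str]:
    return frozenset(names)


# Constructed fragment of A_3 x A_4 (H = {3, 4}); the specification mentions q1, q2 only.
SPEC_VARS = {"q1", "q2"}
FRAGMENT = [
    Arc(0, 1, proc=3, reads=fs("t3"), writes=fs("t3", "q3")),   # p3 takes its token
    Arc(1, 2, proc=3, reads=fs(), writes=fs("t4", "q3")),       # p3 passes the token to p4
    Arc(2, 3, proc=4, reads=fs("t4"), writes=fs("t4", "q4")),   # p4 takes its token
    Arc(3, 4, proc=4, reads=fs(), writes=fs("t1", "q4")),       # p4 passes the token to p1
]
```

On the fragment, $\{q_3, q_4, t_4\}$ comes out as the internal variable set, the two middle arcs are internal, and the bypass leaves only the two visible arcs, process 3 taking its token and process 4 handing the token to process 1, which are the steps the outside processes and the specification can observe.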
USER INTERFACE
We have implemented a text-based user interface and a window-based user interface for SGM. Both support high-level verification in which users can manipulate state-graphs as basic data-objects.
Verification Procedure Language
The input language of SGM is called Verification Procedure Language (VPL), which consists of three parts for system description, specification, and state-graph manipulation. System description corresponds to the timed automata model of real-time systems as defined later in this section. Specification corresponds to a TCTL specification. Manipulation corresponds to a list of actions on state-graphs. The following denotes a basic input file structure, where ± starts a comment line.
± (1) System Description Part
automata Client : i = 1..11;
clock ...;

The above SGM input allows easy change of a system's degree of concurrency by simply changing the first line. SGM strives to maintain a parametric input description so that users do not have to write 11 automata descriptions or rewrite everything whenever a process is added or removed. In Table 5, we have the VPL description of Fischer's timed mutual exclusion protocol.
In VPL, we support the full syntax of TCTL formulas through various keywords, such as all_paths ($\forall$), exists_path ($\exists$), henceforth ($\Box$), eventually ($\Diamond$), etc. The specification begins with the keyword verify. Users can easily specify a TCTL formula using these user-friendly keywords. For example, all_paths means "for all paths in the state-graph starting from the initial mode." For our running example of the 3-automata Fischer's timed mutual exclusion protocol (FMEP) [28], [1], [32], the TCTL specification is as follows:

Coming to the final part of a VPL input, state-graph manipulation, this part is required only in the batch mode of SGM. It gives the user flexibility in choosing which manipulators to apply, when to apply them, and in what sequence. Arguments of manipulators are state-graphs, which are defined in Sections 6 and 7.
In the last part of SGM input, state-graphs are variables which have to be declared first. Then, a list of manipulations follows the declaration. A simple manipulation can be either the merging of two state-graphs, such as g[3] := merge_graph(g[1], g[2]);, the application of a single reduction technique to some state-graph, such as shield_clock(g[3]);, model-checking a state-graph, such as model_check(g[3]);, or printing a state-graph, such as print_graph(g[3]);, where g[1], g[2], g[3] are all state-graph variables. More complex programming constructs are also provided, such as for-loops and if-then-else statements, for more dynamic selection of manipulator sequences. These are omitted due to page limits.
± print global graph
Graphical User Interface
Besides a human-readable input language, user-friendly verification is achieved by SGM through: 1) three user interfaces, including graphical, interactive, and batch, 2) two manipulation modes. A user has to first create a text input file using VPL (Section 8.1).
In the graphical mode, as shown in Fig. 7, after a user loads an input file, SGM displays the system as a set of boxes, where each box represents a state-graph. Each box shows some basic information, including its size and component processes. Detailed information on each state-graph (box) can be obtained by opening the box. After selecting two state-graphs (boxes), one can merge them through the Merge Graph command in the SGM menu, and a new state-graph (box) is created which represents their merger. A state-graph (box) can be selected for applying any manipulator in the SGM Reduce menu. The manipulators will be described in detail in the next section.
EXPERIMENTS
We perform two experiments on SGM. First, we run SGM against several academic as well as industrial examples, with various reducer sequences, to show that it is possible for nonexpert users to easily come up with their own verification strategy with SGM. Second, we compare SGM's performance with two other popular model-checkers for real-time systems, that is, UPPAAL and Kronos, to show that, even for nonexperts, reasonable performance can be achieved in SGM.
Application Examples
We present the results of five application examples which illustrate the benefit of allowing user-flexibility in manipulating state-graphs and of the high-level perception of system verification. On experimentation, we observe that different verification tasks require different manipulator sequences to best reduce the intermediate state-graphs and to help in saving the most computing resources, such as processor time and memory space. While, for some verification tasks, a manipulator may not be applicable or compatible, there are also tasks for which a manipulator not only provides no reduction, but also consumes computing resources without any benefit. Since SGM allows a user complete control over what kind of manipulators to apply or not to apply, the user can find the best manipulator sequences suited for a particular verification task.
The five application examples presented here include:
4. the priority-based task execution control mechanism in the PATHO real-time operating system [38], [6], [5], and
5. ring network token passing.
Fischer's Timed Mutual Exclusion Protocol
This protocol [28], [1], [32] was used for illustration throughout the article (see Fig. 1). We applied SGM to the protocol with 11 processes. In Table 6, we show the experiment results with three different reduction sequences applied after each intermediate state-graph is generated from merging. Each column represents the state-graph sizes (#Modes: number of modes; #Transitions: number of transitions) and the CPU time used to generate the state-graphs for the corresponding number of processes. Note that, in all rows, the numbers in the last column drop drastically from those in the column next to last. This is because, once all processes are merged, the causality can be fully determined and many assumptions on variable values in the regions of the global state-graph can then be shown to be unfounded. Note the small difference between reduction sequences (D) and (E), which is due to the altered ordering of reducer application. Although both sequences have the same final effect, that is, they reduce the intermediate state-graphs to the same size, the rate of decrease is not the same. The first sequence decreases the state-graph sizes more quickly than the second sequence. This is observable from Fig. 8. Further, comparing the time taken by the two sequences for state-graph reductions, we see from Fig. 9 that it is also the first sequence that uses less time. Thus, we conclude that the first sequence is the better manipulation of the state-graphs.
Graphical User Interface for a Simple Calculator
This is a real project example from the Institute of Information Science, Academia Sinica, Taiwan. The project goal was to develop a generator of graphical user interfaces (GUI). The example considered here is a GUI for a simple calculator. The generator created a set of condition/action rules governing the behavior of a calculator GUI. Due to the large number of rules, it was difficult to verify if a resulting GUI behaved in the same way as a real calculator. It was also difficult to comprehend how large the state space would be and how the state space could be reduced. Thus, SGM came in handy in such a situation. We collaborated with the project members to verify the GUI rules created by their generator.
The set of rules was transformed into a corresponding set of timed automata and input to SGM. Each rule was modeled by a single timed automaton with one mode and one or more looping transitions. The rule condition was mapped to a triggering condition of the transitions. One such rule is shown in Fig. 10. The rule says that if button "3" is clicked and "value" equals "INITIAL" or "INPUT," then value is assigned "INPUT." The set of automata obtained from the rules is shown in Fig. 11. We experimented with two versions of the GUI rule set: one with a distinction between each number input (0, 1, ..., 9) and another with a distinction only between zero and nonzero numbers. The second version is a correct model because only one of the rules (a division rule) required the operand (number input) to be nonzero, while the other rules made no distinction among the input numbers.
On applying the manipulators read_write() and shield_variables() after each merge(), we found a significant reduction in state-graph sizes. For the first version, the reduction was as much as 73.6 percent for transitions and 24.7 percent for modes. For the second version, the reduction was as much as 89.7 percent for transitions and 72.7 percent for modes. More detailed readings are tabulated in Tables 7 and 8 for versions 1 and 2, respectively.
CSMA/CD Network Communication Protocol
This protocol [39], [26], [37] resolves the competition between several message senders using a multiaccess channel. As shown in Fig. 12, whenever two or more senders send their messages at about the same time, they all detect a collision, wait a random amount of time, and retransmit their messages. If the largest propagation delay is known, then a sender can be sure that there will be no collision if none is detected within twice that delay. For example, on a 10 Mbps Ethernet, the worst-case round-trip propagation delay is 51.2 µs. We need to verify that, when one sender begins transmitting, there always exists a computation that leads to a successful transmission. As shown in Table 9, each of the manipulators implemented in SGM was applied to this protocol example.
We observed that there were intriguing interactions among the manipulators. For example, if read_write() was applied before symmetry() (sequences (A), (B), (F), and (I)), the final state-graph sizes were significantly smaller than if read_write() was not applied before symmetry() (sequences (C), (D), (E), (G), (H), (J), and (N)). This is due to read_write() creating an invariant literal set associated with each node in a state-graph and these literal sets can be used by symmetry() to achieve a greater reduction. Furthermore, on one hand, if read_write() was applied before other manipulators (sequences (A) and (B)), it turned out that applying symmetry() before applying shield_clock() produced better results in terms of greater reductions obtained. On the other hand, if read_write() was not applied (sequences (G) and (H)) or was applied last (sequences (C) and (D)), then the opposite holds true, that is, applying shield_clock() before applying symmetry() gave greater reduction results.
After experimenting with all possible sequences of manipulators, we found that the best sequence (as evident from Table 9 ) is sequence (B), that is, {merge_graph(), read_write(), symmetry(), shield_clock()}, which is different from that for FMEP.
PATHO Task Execution
In contrast to the above two examples, this is an asymmetric system since task execution in the real-time operating system PATHO [38] , [6] , [5] is based on task priority. Each task has an index i, with the smallest index having the highest priority. As shown in Fig. 13 , a task executes (enters Run mode) only if no other higher priority tasks are pending and no task is currently running. Otherwise, the task is said to be pending (enters the Pend mode). Each task needs one time unit for execution and two instances of the task are separated by at least 20 time units. A task is said to be dead if there is not enough time for it to finish execution before another instance of the same task starts. We need to verify that, for less than 20 tasks, all tasks can be executed in a timely fashion.
Due to this asymmetry, symmetry() is not applicable here. As shown in Table 10, on applying the two manipulators read_write() and shield_clock(), we observed the effect of their order (sequences (D) and (E)). Further, we also applied bypass_internal_transition() and shield_variables(), both of which gave no reductions at all in this case. This is intuitive, as there are no internal variables in this example, whereas the reductions by those two manipulators depend on the existence of internal variables. Finally, the best sequence obtained for this example was sequence (D), namely, {merge_graph(), shield_clock(), read_write()}.
Ring Network
Here, we apply SGM to the timed version of the ring network in Fig. 5. From Table 11, we can observe that the read_write() and BIT manipulators in sequence (C) reduce the intermediate state-graph sizes and achieve a greater reduction compared to that in sequence (B), with only read_write() applied.
Two versions of the ring network were experimented with in SGM: one timed and one untimed. From Table 12, we can observe that, in the untimed version, the application of BIT (in sequence (C)) results in a greater final reduction than that with only read_write() (in sequence (B)). There was no reduction on the intermediate state-graphs.
Performance Comparison with UPPAAL and Kronos
We compare the performance of SGM, Kronos (version 2. read-write analysis, shielded clock, and symmetry. As shown in Table 13 , it is possible for nonexpert users to benefit from the user-friendly interface of SGM and come up with reasonable verification performance.
AUTOMATIC REDUCER COMBINATION FOR EFFICIENT VERIFICATION
At this moment, we have four reducers in addition to the merge operator ×. As mentioned in Section 3, the literature contains many reduction algorithms with the potential to become new reducers in SGM. Different reducers may have different impacts on different verification tasks. Moreover, when the number of reducers is large, it may become difficult for users to pick a good reducer combination to accomplish their verification tasks.
In this section, we shall develop an algorithm based on group theory [20], [21] to automatically pick a "locally optimal" combination for a given task. Suppose we have n reducers: $R_1, R_2, \dots, R_n$. We shall simplify the verification procedure construction problem to the verification procedure template in Table 14. Thus, the goal of constructing an efficient verification procedure is restricted to finding a good sequence $i_1, \dots, i_k$ from the integer interval $[1, n]$ such that the verification procedure costs less space and time.
Before presenting our algorithm, we need to clarify what it aims to achieve. In executing a verification task, there can be a trade-off between space and time requirements. By dynamically deducing information when needed and deleting it when not, we can save a lot of memory space. But repeatedly and dynamically creating the same piece of information will certainly take up a lot of CPU time. However, we believe that, for verification tasks, space management is more important than time management because of the state-space explosion phenomenon. Most verification tasks quickly run out of memory rather than taking too long to complete. Thus, our algorithm will pick a reducer sequence with the predicted "locally minimal" space requirement.
In the following, we shall first present a structure for reducer sequence groups. Then, based on the structure, we shall define local optimality of reducer sequences and present an algorithm for predicting a locally most efficient reducer sequence.
Structure of Reducer Sequence Groups. Given a set $\{R_1, \dots, R_n\}$ of n reducers, a reducer sequence is a sequence like $R_{i_1} R_{i_2} \dots R_{i_k}$ such that $|\{i_1, \dots, i_k\}| = k$ (no reducer occurs twice). A binary permutation $(j, j')$ on such a sequence is a pair of integers such that $1 \le j < j' \le k$ and denotes the operation which switches the positions of $R_{i_j}$ and $R_{i_{j'}}$ in the sequence. Formally speaking, $(j, j')$ maps $R_{i_1} \dots R_{i_k}$ to $R_{i'_1} \dots R_{i'_k}$ with $R_{i'_j} = R_{i_{j'}}$, $R_{i'_{j'}} = R_{i_j}$, and, for all $1 \le h \le k$ with $h \ne j$ and $h \ne j'$, $R_{i'_h} = R_{i_h}$. By group theory [20], [21], it is known that every permutation can be constructed as a sequential composition of binary permutations. This further implies that, for any two reducer sequences composed of the same set of reducers, there is a finite sequence of binary permutations that transforms one into the other. For convenience, we adopt left-associativity to interpret the ordering of permutation operations. Thus, all reducer sequences composed of the same set of reducers form a connected graph.
We now have to define operations between reducer sequences composed of different sets of reducers. This can be done by the append operation. Given a reducer sequence $R_{i_1} R_{i_2} \dots R_{i_k}$ and a reducer $R \notin \{R_{i_1}, R_{i_2}, \dots, R_{i_k}\}$, appending R yields exactly the new reducer sequence $R_{i_1} R_{i_2} \dots R_{i_k} R$.
The following lemma depicts the structure of reducer sequence groups. Given a sequence F, we consider the set of reducers used in F.
Lemma 3. Given a set $\{R_1, \dots, R_n\}$ of reducers, for any two reducer sequences constructed from the set, there is a finite sequence of reducer sequences that starts with the first, ends with the second, and in which, for every pair of consecutive sequences, one of the following three is true:
With the operations of binary permutations and appending, we know that we can draw an undirected reducer sequence graph (RSG) for a given set of reducers. The nodes in an RSG are reducer sequences, while the arcs are determined by whether the two nodes can be related by a binary permutation or an appending operation. In Fig. 14 , we have an RSG for three reducers. Lemma 3 says that such a graph is connected.
Two reducer sequences in an RSG are called neighbors of each other if we can go from one to the other by a binary permutation or an appending operation. Suppose we have a real-valued valuation on all reducer sequences in an RSG, whose node set is the set of reducer sequences and whose edge set is determined as above. A reducer sequence in the RSG is called a local minimum if its valuation is no greater than that of every one of its neighbors in the RSG. Our algorithm to pick reducer sequences for efficient verification will use the memory-space consumption increase rate with respect to concurrency as our valuation.
Algorithm to Pick a Locally Most Efficient Sequence
Suppose we are given a concurrent system presented as m state-graphs $G_1, \dots, G_m$, with m > 4, and reducers $R_1, \dots, R_n$. Our strategy is to predict the space-complexities of reducer sequences by testing the procedure template on four state-graphs ($G_1, G_2, G_3, G_4$, or some other four picked by the users). Since the RSG has size of order n factorial, it is not feasible to test all the reducer sequences. Our algorithm hinges on the definition of valuations on reducer sequences which reflect how fast the memory-space and CPU-time consumption rates grow. It randomly generates a reducer sequence and then starts searching the RSG. The search stops when it reaches a locally minimal reducer sequence. There are two valuations in our method: the major one is for space consumption and the minor one is for CPU-time consumption. We need the minor one because our reducers never increase the sizes of their argument state-graphs; thus, a naive reducer sequence which leads to minimal space consumption is the sequence of all reducers. However, for a given verification task, some reducers may be applied with no effect on the state-graph while still consuming a huge amount of CPU-time. Thus, it is better if we can also use CPU-time as a minor valuation.
Both the major and the minor valuations are devised on the same idea. Since verification problems usually exhibit at least singly exponential space complexity with respect to concurrency, our algorithm attempts to use the prediction of how fast the exponent base grows as an indication of the memory consumption. If two reducer sequences have the same prediction, then we choose the one with less CPU-time consumption. We define the reduced state-graph $H_h$ inductively, applying the reducer sequence after each iteration:
1) $H_2$ is $G_1 \times G_2$ with the reducer sequence applied, and
2) for each $h > 2$, $H_h$ is $H_{h-1} \times G_h$ with the reducer sequence applied.
Our algorithm uses the following major valuation to predict the space consumption complexity of a reducer sequence:
The design of the major valuation has the following intuition: In most verification tasks, complexities are super-exponential. Since we want to predict the complexities of reducer sequences for high concurrency with only compositions of up to four processes, we decide to use the "multiplication rate of the multiplication rate" as the predicting valuation. The denominator $\mathrm{size}(H_3)/\mathrm{size}(H_2)$ of the first fraction is the multiplication rate of the space requirement from concurrency two to three. The numerator $\mathrm{size}(H_4)/\mathrm{size}(H_3)$ of the first fraction is the multiplication rate of the space requirement from concurrency three to four. The fraction is thus an indication of how fast the space consumption rate multiplies. For most verification tasks on concurrent systems, verification of up to four processes usually takes very little memory space and CPU-time. Thus, the major valuation should be able to give a good prediction of space complexity.
The minor valuation is defined similarly, in the following way, to predict how fast the CPU-time consumption complexity of a reducer sequence multiplies:

Table 15 is our algorithm for picking a reducer sequence for efficient verification. The termination of its execution is guaranteed because the RSG is finite and the search stops when the current sequence is no greater than its neighbors with respect to the major and minor valuations. In Section 10.2, we present experimental data to justify our algorithm.
Before we leave this section, there is a legitimate question to ask: Why do we only use four processes to predict the complexity? Indeed, we could use a larger number of processes to make a more accurate prediction by redefining the major valuation as, say,
But this prediction would cost more space and CPU-time to calculate. And many inefficient reducer sequences may already run out of memory before the construction of $H_8$. Thus, "four" is a safe minimum which allows the reducer sequences to complete their predictions.
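The RSG and the search for a locally most efficient sequence, as an added Python example that is not the SGM paper's own code: the reducer names are those used in the experiments, but the shrink factors and CPU costs are a constructed model (symmetry is made to profit from a preceding read_write and to become more effective with growing concurrency, mirroring the CSMA/CD observations). The functions nu_s and nu_t are this example's rendering of the major and minor valuations as the ratio of the size (respectively CPU-time) multiplication rate from concurrency three to four over that from two to three, neighbors() realizes the binary-permutation and append edges (read in both directions, since the RSG is undirected), and rsg_is_connected() brute-forces Lemma 3 for small n.

```python
# Added example, not the SGM paper's own code: a reducer sequence graph (RSG)
# with binary-permutation and append edges, the "multiplication rate of the
# multiplication rate" valuations nu_s / nu_t computed from a run of the
# procedure template on four state-graphs, and the local-minimum search.
# The reducer cost model (shrink factors and CPU costs) is constructed.
import itertools
import math
from collections import deque

REDUCERS = ("read_write", "symmetry", "shield_clock", "bypass_internal")
COST = {"read_write": 1.0, "symmetry": 2.0, "shield_clock": 0.5,
        "bypass_internal": 0.8}            # constructed CPU cost per graph node


def binary_permutation(seq, j, jp):
    """Switch the reducers at positions j < j' (1-based, as in the text)."""
    assert 1 <= j < jp <= len(seq)
    s = list(seq)
    s[j - 1], s[jp - 1] = s[jp - 1], s[j - 1]
    return tuple(s)


def append(seq, r):
    """Append a reducer that does not already occur in the sequence."""
    assert r not in seq
    return seq + (r,)


def neighbors(seq, reducers=REDUCERS):
    """RSG neighbors: one binary permutation or one append away.  The RSG is
    undirected, so the sequence seq was appended from is a neighbor as well."""
    out = set()
    for j in range(1, len(seq)):
        for jp in range(j + 1, len(seq) + 1):
            out.add(binary_permutation(seq, j, jp))
    for r in reducers:
        if r not in seq:
            out.add(append(seq, r))
    if len(seq) > 1:
        out.add(seq[:-1])
    return out


def rsg_is_connected(reducers):
    """Brute-force check of Lemma 3: every nonempty sequence of distinct
    reducers is reachable from any other through RSG edges."""
    nodes = {p for k in range(1, len(reducers) + 1)
             for p in itertools.permutations(reducers, k)}
    start = (reducers[0],)
    seen, todo = {start}, deque([start])
    while todo:
        for nb in neighbors(todo.popleft(), reducers):
            if nb not in seen:
                seen.add(nb)
                todo.append(nb)
    return seen == nodes


def shrink_factor(r, h, applied_before):
    """Constructed reduction model: symmetry() profits from read_write() having
    run first and gets more effective as concurrency h grows; the other
    reducers shrink the graph by a constant factor (bypass_internal: none)."""
    if r == "symmetry":
        return 1.0 / h if "read_write" in applied_before else 1.0 / math.sqrt(h)
    return {"read_write": 0.7, "shield_clock": 0.9, "bypass_internal": 1.0}[r]


def run_template(seq, graphs=(6, 6, 6, 6)):
    """Procedure template on component sizes G1..Gm: H_2 = reduce(G1 x G2),
    H_h = reduce(H_{h-1} x G_h).  Returns size(H_h) and CPU time per step."""
    size, sizes, times = graphs[0], {}, {}
    for h in range(2, len(graphs) + 1):
        size *= graphs[h - 1]            # product construction (constructed model)
        t, applied = 0.0, []
        for r in seq:
            t += COST[r] * size          # a reducer's cost scales with its input
            size *= shrink_factor(r, h, applied)
            applied.append(r)
        sizes[h], times[h] = size, t
    return sizes, times


def nu_s(seq):
    """Major valuation: (size H4 / size H3) / (size H3 / size H2)."""
    s, _ = run_template(seq)
    return round((s[4] / s[3]) / (s[3] / s[2]), 9)


def nu_t(seq):
    """Minor valuation: the same ratio on CPU time per iteration."""
    _, t = run_template(seq)
    return round((t[4] / t[3]) / (t[3] / t[2]), 9)


def valuation(seq):
    return (nu_s(seq), nu_t(seq))     # lexicographic: space first, then time


def is_local_minimum(seq):
    return all(valuation(seq) <= valuation(nb) for nb in neighbors(seq))


def pick_sequence(start):
    """Greedy descent on the RSG from a (randomly chosen) start sequence; it
    terminates because the RSG is finite and every move strictly decreases."""
    cur = tuple(start)
    while True:
        best = min(neighbors(cur), key=valuation)
        if valuation(best) >= valuation(cur):
            return cur
        cur = best


if __name__ == "__main__":
    print("RSG connected:", rsg_is_connected(REDUCERS[:3]))
    found = pick_sequence(("symmetry", "read_write"))
    print(found, valuation(found))
```

Under this model, sequences without symmetry have a major valuation of exactly 1 (constant shrink factors cancel in the ratio of ratios), read_write followed by symmetry scores 0.75, and the descent from (symmetry, read_write) swaps them and stops there. Starting from the single-reducer sequence (symmetry,) the search stops immediately, since every one-step neighbor is worse, which illustrates why the text speaks of a local rather than a global minimum.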
Experiment
We test our method on Fischer's timed mutual exclusion protocol in Fig. 1 and the simple mutual exclusion protocol in Fig. 15. In Tables 16 and 17, we show the graph sizes in mode counts, transition counts, and their sums for the simple mutual exclusion protocol (Fig. 15) and Fischer's protocol (Fig. 1), respectively. Now, we compare the data with our predicting valuation. In Table 16 Table 17. At this moment, we do not have experimental data to tell whether our predicting valuation will be correct for very large concurrency.
CONCLUSION AND FUTURE WORK
We propose a method which treats state-graphs as data-objects and allows the definition of state-graph manipulators as a user-friendly way to package the complex technology of computer-aided verification. The success of the method depends on whether many more state-graph manipulators can be developed and proven correct.
In the future, hopefully, our idea of state-graph manipulators can be used as a public framework for the verification of real-world projects. In such a framework, an easy-to-plug-in application program interface (API) should be defined and standardized so that researchers and developers can design, implement, and register their manipulators and everybody else can benefit from their achievements. Such a framework is very much like the Internet model and will certainly help in promoting the application of verification technology and cooperation of researchers throughout the world. However, certification methods for new manipulators will then become important issues.
