Computing Shortest Violation Traces in Model Checking Based on Petri Net Unfoldings and SAT by Khomenko V
School of Computing Science,
University of Newcastle upon Tyne
Computing Shortest Violation Traces
in Model Checking Based on Petri Net
Unfoldings and SAT
Victor Khomenko
Technical Report Series
CS-TR-841
April 2004
Copyright c©2004 University of Newcastle upon Tyne
Published by the University of Newcastle upon Tyne,
School of Computing Science, Claremont Tower, Claremont Road,
Newcastle upon Tyne, NE1 7RU, UK.
Computing Shortest Violation Traces in Model Checking
Based on Petri Net Unfoldings and SAT
Victor Khomenko
School of Computing Science, University of Newcastle
Newcastle upon Tyne NE1 7RU, U.K.
e-mail: Victor.Khomenko@ncl.ac.uk
Abstract. Model checking based on the causal partial order semantics of Petri nets
is an approach widely applied to cope with the state space explosion problem. One of
the ways to exploit such a semantics is to consider (finite prefixes of) net unfoldings
— themselves a class of acyclic Petri nets — which contain enough information, albeit
implicit, to reason about the reachable markings of the original Petri nets.
One of the possibilities for the verification process is to build a finite and complete prefix
and use it for constructing a Boolean formula such that any satisfying assignment to
its variables yields a trace violating the property being checked. (And if there are no
satisfying assignments then the property is not violated.)
In this paper a method for computing the shortest violation traces (which can greatly
facilitate debugging the system) is proposed. Experimental results demonstrate that it
can achieve significant reductions in the size of the Boolean formula as well as in the time
required to compute a shortest violation trace, when compared with a na¨ıve approach.
Keywords: Shortest trace, Model checking, Petri net unfolding, SAT, Boolean circuit.
1 Introduction and basic notions
A distinctive characteristic of reactive concurrent systems is that their sets of local states have
descriptions which are both short and manageable, and the complexity of their behaviour comes
from highly complicated interactions with the external environment rather than from compli-
cated data structures and manipulations thereon. One way of coping with this complexity
problem is to use formal methods and, especially, computer aided verification tools implement-
ing model checking (see, e.g., [2]) — a technique in which the verification of a system is carried
out using a finite representation of its state space.
The main drawback of model checking is that it suffers from the state space explosion
problem [15]. That is, even a relatively small system specification can (and often does) yield
a very large state space. To cope with this, several techniques have been developed, which
usually aim either at a compact representation of the full state space of the system, or at the
generation of its reduced (though sufficient for a given verification task) state space. Among
them, a prominent technique is McMillan’s (finite prefixes of) Petri Net unfoldings (see, e.g., [5,
11]). They rely on the partial order view of concurrent computation, and represent system states
implicitly, using an acyclic net, called a prefix.
Most of ‘interesting’ model checking problems for safe (i.e., 1-bounded) Petri nets are
PSPACE-complete [4], and unfolding such a net allows to reduce this complexity class down
to NP (or even P for some problems). Though the size of a finite and complete unfolding
prefix can be exponential in the size of the original Petri net, in practice it is often relatively
small.
A model checking problem formulated for a prefix can usually be translated into some
canonical problem, e.g., an integer programming one [10], a problem of finding a stable model
of a logic program [7], or a Boolean satisfiability problem (SAT) as in this paper. Then an
appropriate solver can be used for efficiently solving it. Such a combination ‘unfolder & solver’
turns out to be quite powerful in practice, and has already been used in a number of papers.
2 V. Khomenko
1.1 Petri nets
A net is a triple N
df
= (P, T, F ) such that P and T are disjoint sets of respectively places and
transitions, and F ⊆ (P × T ) ∪ (T × P ) is a flow relation. A marking of N is a multiset M of
places, i.e., M : P → N
df
= {0, 1, 2, . . .}. The standard rules about drawing nets are adopted in
this paper, viz. places are represented as circles, transitions as boxes, the flow relation by arcs,
and the marking is shown by placing tokens within circles. As usual, •z
df
= {y | (y, z) ∈ F}
and z•
df
= {y | (z, y) ∈ F} denote the pre- and postset of z ∈ P ∪ T , and •Z
df
=
⋃
z∈Z
•z and
Z•
df
=
⋃
z∈Z z
•, for all Z ⊆ P ∪ T . In this paper, the presets of transitions are restricted to be
non-empty, i.e., •t 6= ∅ for every t ∈ T . A net system is a pair Υ
df
= (N,M0) comprising a finite
net N and an initial marking M0. It is assumed that the reader is familiar with the standard
notions of the Petri nets theory, such as the enabledness and firing of a transition, marking
reachability and deadlock (see, e.g., [14] for a brief introduction).
1.2 Unfolding prefix
A finite and complete unfolding prefix pi of a Petri net Υ is a finite acyclic net which implicitly
represents all the reachable states of Υ together with transitions enabled at those states. Intu-
itively, it can be obtained through unfolding Υ , by successive firings of transition, under the
following assumptions: (a) for each new firing a fresh transition (called an event) is generated;
(b) for each newly produced token a fresh place (called a condition) is generated. The unfolding
is infinite whenever Υ has an infinite run; however, if Υ has finitely many reachable states then
the unfolding eventually starts to repeat itself and can be truncated (by identifying a set of
cut-off events) without loss of information, yielding a finite and complete prefix. The sets of
conditions, events and cut-off events of the prefix are denoted by B, E and Ecut , respectively.
(Note that Ecut ⊆ E).
Efficient algorithms exist for building such prefixes [5, 8], which ensure that the number of
non-cut-off events |E\Ecut | in a complete prefix can never exceed the number of reachable states
of Υ . Moreover, complete prefixes are often exponentially smaller than the corresponding state
graphs, especially for highly concurrent Petri nets, because they represent concurrency directly
rather than by multidimensional ‘diamonds’ as it is done in state graphs. For example, if the
original Petri net consists of 100 transitions which can fire once in parallel, the state graph will
be a 100-dimensional hypercube with 2100 vertices, whereas the complete prefix will coincide
with the net itself. Another example, viz. a Petri net modelling two dining philosophers, and a
finite and complete prefix of its unfolding, are shown in Figure 1. One can observe that if this
example is scaled, the size of the prefix is linear in the number of dining philosophers, even
though the number of reachable states grows exponentially.
Since pi is acyclic, the transitive closure of its flow relation is a partial order < on B ∪ E,
called the causality relation. (The reflexive order corresponding to < will be denoted by ≤.)
Intuitively, all the events which are smaller than an event e ∈ E w.r.t. < must precede e in
any valid execution containing e. Two nodes x, y ∈ B∪E are in conflict, denoted x#y, if there
are distinct events e, f ∈ E such that •e ∩ •f 6= ∅ and e ≤ x and f ≤ y. Intuitively, no valid
execution can contain two events in conflict. Two nodes x, y ∈ B ∪ E are concurrent, denoted
x co y, if neither y#y′ nor y ≤ y′ nor y′ ≤ y. Intuitively, two concurrent events can be enabled
simultaneously, and executed in any order, or even concurrently. For example, in the prefix
shown in Figure 1(b) the following relationships hold: e1 < e7, e7#e8 (due to the choices at c2
and c3) and e3 co e4.
Due to its structural properties (such as acyclicity), the reachable markings of Υ can be
represented using configurations of pi. A configuration is a set of events C ⊆ E \Ecut such that
for all e, f ∈ C, ¬(e#f) and, for every e ∈ C, f < e implies f ∈ C. For example, in the net
shown in Figure 1(b) {e1, e3, e4} is a configuration whereas {e1, e2, e3, e5} and {e1, e3, e7} are
not (the former includes events in conflict, e3#e5, while the latter does not include e4 < e7).
Intuitively, a configuration is a partial-order execution, i.e., an execution where the order of
Shortest Traces in Model Checking 3
p1
p2
p3
p4
p5
p6t1
t2
t3
t4t5
p7
p8
p9
p10
p11
p12
p13
p14 t6
t7
t8
t9 t10
(a)
c1p1
c2p7
c3p8
c4p9
c5p2
c6p3
c7p10
c8p11
c9
p4
c10
p5
c11
p12
c12
p13
c13
p6
c14
p14
c15 p1
c16 p7
c17 p8
c18 p7
c19 p8
c20 p9
e1
t1
e2
t6
e3
t2
e4
t3
e5
t7
e6
t8
e7
t4
e8
t9
e9
t5
cut-off
e10
t10
cut-off
(b)
Fig. 1. A Petri net modelling two dining philosophers (a) and a finite and complete prefix of its
unfolding (b).
firing of some of its events (viz. concurrent ones) is not important; e.g., the configuration
{e1, e3, e4, e7} corresponds to two totally ordered executions: e1e3e4e7 and e1e4e3e7. Since a
configuration can correspond to multiple executions, it is often much more efficient in model
checking to explore configurations rather than executions.
After starting pi from the implicit initial marking (whereby one puts a single token in
each condition which does not have an incoming arc) and executing all the events in C, one
reaches the marking denoted by Cut(C). Mark(C) denotes the corresponding marking of Υ ,
reached by firing a transition sequence corresponding to the events in C. It is remarkable
that each reachable marking of Υ is Mark(C) for some configuration C, and, conversely, each
configuration C generates a reachable marking Mark(C). Thus various behavioural properties
of Υ can be re-stated as the corresponding properties of pi, and then checked, often much more
efficiently.
1.3 Boolean satisfiability
The Boolean satisfiability problem (SAT) consists in finding a satisfying assignment, i.e., a
mapping A : Varϕ → {0, 1} defined on the set of variables Varϕ occurring in a given Boolean
expression ϕ such that ϕ evaluates to 1. This expression is often assumed to be given in the
conjunctive normal form (CNF)
ϕ =
n∧
i=1
∨
l∈Li
l ,
4 V. Khomenko
x1
x2
x3
x4
∨
∧
⊕
g1
g2
g3
[g1 ⇐⇒ (¬x1 ∨ x2 ∨ x3 ∨ x4)] ∧ [g2 ⇐⇒ (x1 ∧ x2 ∧ x3 ∧ x4)] ∧ [g3 ⇐⇒ (g1 ⊕ g2)]
≡
[(¬g1 ∨ ¬x1 ∨ x2 ∨ x3 ∨ x4) ∧ (g1 ∨ x1) ∧ (g1 ∨ ¬x2) ∧ (g1 ∨ ¬x3) ∧ (g1 ∨ ¬x4)]∧
[(g2 ∨ ¬x1 ∨ ¬x2 ∨ ¬x3 ∨ ¬x4) ∧ (¬g2 ∨ x1) ∧ (¬g2 ∨ x2) ∧ (¬g2 ∨ x3) ∧ (¬g2 ∨ x4)]∧
[(¬g1 ∨ ¬g2 ∨ ¬g3) ∧ (¬g1 ∨ g2 ∨ g3) ∧ (g1 ∨ ¬g2 ∨ g3) ∧ (g1 ∨ g2 ∨ ¬g3)]
Fig. 2. Conversion of a Boolean circuit into a Boolean expression in the CNF.
i.e., it is represented as a conjunction of clauses, which are disjunctions of literals, each literal l
being either a variable or the negation of a variable. It is assumed that no two literals in the
same clause correspond to the same variable.
In order to solve a Boolean satisfiability problem, SAT solvers perform exhaustive search
assigning the values 0 or 1 to the variables. To reduce the search space, they use various
heuristics (see, e.g., [17] for a brief overview).
Some of the leading SAT solvers, e.g., zChaff [13], can be used in the incremental mode,
i.e., after solving a particular SAT instance the user can slightly change it (e.g., by adding
and/or removing a small number of clauses) and execute the solver again. This is often much
more efficient than solving these related instances as independent problems, because on the
subsequent runs the solver can use some of the useful information (e.g., learnt clauses, see [17])
collected so far.
1.4 Boolean circuits
A Boolean circuit (see, e.g., [16]) computes a multiple-output Boolean function of Boolean
input variables x1, . . . , xn. It consists of a finite number k of gates G1, . . . , Gk. Each gate
Gi is labelled by a Boolean function fi chosen from some fixed set of Boolean functions F .
(In this paper, F comprises all the unary and binary Boolean functions and conjunctions
and disjunctions of arbitrary arity with arbitrary input inversions.) A Boolean circuit can be
represented by an acyclic directed graph, where the input variables and the constants 0 and 1
are its sources, and the vertex representing the gate Gi has arity(fi) numbered incoming edges
from its predecessors in the graph. (If fi is commutative, the numbering of edges does not have
to be specified.) In pictures, each gate is represented as a circle with the function shown within
it, and input inversions are shown as ‘bubbles’. Note that F is closed w.r.t. input inversions,
and so they can be incorporated into the corresponding gate function.
The Boolean function fv computed at a vertex v of this acyclic graph is defined induc-
tively as follows. If the vertex is an input variable xj then fv(x1, . . . , xn)
df
= xj , and if it
is a constant c ∈ {0, 1} then fv(x1, . . . , xn)
df
= c. Otherwise, the vertex is some gate Gi, and
fv(x1, . . . , xn)
df
= fi(p1, . . . , parity(fi)), where p1, . . . , parity(fi) are the functions computed at the
predecessors of this vertex in the graph. The output vector (v1, . . . , vm), where vi is some vertex
of the graph, describes what the circuit computes, namely the multiple-output Boolean func-
Shortest Traces in Model Checking 5
tion (fv1 , . . . , fvm). In particular, any boolean formula with the signature F can be represented
as a circuit.
It turns out that a Boolean circuit can be efficiently encoded by a Boolean expression ϕ
in the CNF depending on the variables Varϕ corresponding to the vertices of the graph rep-
resenting the circuit (except 0 and 1) such that for any assignment A : Varϕ → {0, 1}, A
is a satisfying assignment of ϕ iff for every v ∈ Varϕ, fv(A(x1), . . . , A(xn)) = A(v) (where
the variables are denoted by the same symbol as the corresponding vertices of the graph) and
A(0)
df
= 0 and A(1)
df
= 1.
The expression ϕ is constructed as follows. For each gate Gi, a new Boolean variable gi
representing its output is created, a Boolean equation relating gi to the inputs of Gi is written,
and these equations are converted into the CNF. This process is illustrated in Figure 2. Note
that for the gates labelled with Boolean functions of bounded arity, the sizes of the correspond-
ing equations (and their CNFs) are bounded by a constant; moreover, for the gates labelled
by multiple-input conjunctions and disjunctions, the size of the equations (and their CNFs) is
proportional to the number of gate inputs. Thus the size of the resulting Boolean expression
in the CNF is linear in the size of the circuit.
1.5 Model checking based on Petri net unfoldings
This paper concentrates on the following approach to model checking. First, a finite and com-
plete prefix of the Petri net unfolding is built, and it is then used for constructing a Boolean
formula encoding the model checking problem at hand. (It is assumed that the property being
checked is the unreachability of some unsafe states, e.g., deadlock freeness.) This formula is
unsatisfiable iff the property holds, and such that any satisfying assignment to its variables
yields a trace violating the property being checked.
Typically such a formula would have for each non-cut-off event e of the prefix a variable
confe (the formula might also contain other variables), and for every satisfying assignment A,
the set of events C
df
= {e | confe = 1} is a configuration such that Mark(C) violates the property
being checked. The formula often has the form CONF ∧ VIOL. The role of the configuration
constraint, CONF , is to ensure that C is a configuration of the prefix (not just an arbitrary
set of events). CONF can be defined as the conjunction of the formulae∧
e∈E\Ecut
∧
f∈•(•e)
(confe → conff ) and
∧
e∈E\Ecut
∧
f∈((•e)•\{e})\Ecut
¬(confe ∧ conff ) .
The former formula ensures that if e ∈ C then its immediate predecessors are also in C, i.e., C
is downward closed w.r.t. <. The latter one ensures that C contains no conflicts.1 CONF can
be transformed into the CNF by applying the rules x → y ≡ ¬x ∨ y and ¬(x ∧ y) ≡ ¬x ∨ ¬y.
For example, the configuration constraint for the prefix shown in Figure 1(b) is
(confe3→confe1)∧(confe4→confe1)∧(confe5→confe2)∧(confe6→confe2)∧(confe7→confe3)∧
(confe7→confe4)∧(confe8→confe5)∧(confe8→confe6)∧¬(confe3∧confe5)∧¬(confe4∧confe6) .
The role of the violation constraint, VIOL, is to express the property violation condition
for a configuration C, so that if a configuration C satisfying this constraint is found then the
property does not hold, and any ordering of events in C consistent with < is a violation trace.
For example, for deadlock checking VIOL can be defined as2∧
e∈E
( ∨
f∈•(•e)
¬conff ∨
∨
f∈(•e)•\Ecut
conff
)
.
1 This formula might be quadratic in the size of the prefix. A linear translation is possible, but it is
more complicated and not discussed here, as it is not the main topic of this paper.
2 This formula can be optimised [7], but the described simple translation is sufficient for the purposes
of this paper.
6 V. Khomenko
input : ϕ — a Boolean formula
output : T — the shortest violation trace or UNSAT
A← SAT Assignment(ϕ)
if A = UNSAT
then
T ← UNSAT
stop
T ← Extract Trace(A)
r ← |T |
l← 0
while l < r do
t← d(l + r)/2e
A← SAT Assignment(ϕ ∧ Threshold t)
if A = UNSAT
then
l = t + 1
else
T ← Extract Trace(A)
r ← |T |
Fig. 3. An algorithm for computing shortest violation traces.
This formula requires for each event e (including cut-off events) that some of the direct causal
predecessors of e has not fired or some of the non-cut-off events (including e unless it is cut-off)
consuming tokens from •e has fired, and thus e is not enabled. This formula is already in the
CNF.
For example, the violation constraint for the deadlock checking problem formulated for the
prefix shown in Figure 1(b) is
confe1∧confe2∧(¬confe1∨confe3)∧(¬confe1∨confe4)∧(¬confe2∨confe5)∧(¬confe2∨confe6)∧
(¬confe3∨¬confe4∨confe7)∧(¬confe5∨¬confe6∨confe8)∧¬confe7∧¬confe8 .
1.6 Shortest violation traces
Note that in general the computed violation trace can be quite long, which might make it
difficult to locate the error, as the designer has to inspect this trace in order to find and
eliminate the source of the problem. (And parts of such long traces often describe incidental
system activity which is unrelated to the problem.) Thus computing shortest possible violation
traces can greatly facilitate the debugging process.
A quite obvious algorithm for computing the shortest violation trace is shown in Figure 3,
where SAT Assignment(ϕ) is a function computing a satisfying assignment for a Boolean
formula ϕ and returning UNSAT in case ϕ is unsatisfiable (it is usually implemented by a call
to some off-the-shelf SAT solver, e.g., zChaff [13]), Extract Trace(A) is a function extracting
the violation trace from a satisfying Boolean assignment A, and Threshold t is the threshold
constraint |{e | confe = 1}| ≤ t. This algorithm uses a binary search to compute the length of
the shortest trace still exhibiting the violation. If the property holds (i.e., if ϕ is unsatisfiable)
then this algorithm does not have any additional overhead compared with the original model
checking algorithm, but in the case of errors the SAT solver is called several times with larger
formulae, and so the overhead might be quite significant. This situation is somewhat alleviated
by the fact that SAT instances are very similar to each other (in fact, even the formulae of the
form Threshold t, described in detail further in this paper, change very little when t changes)
and thus can be efficiently solved in the incremental mode (see Section 1.3). Moreover, if the
Shortest Traces in Model Checking 7
x1 • • • xn
Counter
≤t
z
Fig. 4. An implementation of a threshold constraint.
x
≤t
z
=⇒
x1 x2 x3 • • • xk
1 f1 f2 f3 • • • fk
z
fi
df
=
{
∧ if ti = 0
∨ otherwise
Fig. 5. An implementation of a comparator, where the inputs x1, . . . , xk are interpreted as the bi-
nary representation of a non-negative integer (least significant digit first) and t1, . . . , tk is the binary
representation of t.
user has run out of patience he can simply terminate the execution of the algorithm and get
the shortest trace computed so far.
What still needs describing is the construction of the formula Threshold t for a given t. It
turns out that one can exploit some problem-specific optimisations in order to significantly
reduce the size of this formula as well as the computation effort required for solving the corre-
sponding SAT instances. This is the main topic of this paper.
2 Basic translation of a threshold constraint
Threshold t can be expressed as a pseudo-Boolean constraint
∑
e∈E\Ecut
confe ≤ t, where arith-
metical operations are used instead of logical ones. The other constraints can also be converted
into a similar form, and the problem can be solved by a 0–1 integer linear programming solver.
However, SAT solvers tend to be more efficient in practice, and so in many cases it would be
advantageous to express Threshold t as a purely Boolean constraint.
A possible implementation of Threshold t as a Boolean circuit is shown in Figure 4. It
consists of two parts: the counter and the comparator. The counter circuit has n inputs and
dlog2 ne + 1 outputs, and its purpose is to count the number of ones among its inputs and
return the result as a binary number. The purpose of the comparator is to compare the result
of the counter with a given constant t.
Note that the counter circuit does not depend on t and so the corresponding part of the
formula does not have to be changed between the calls to the SAT solver in the algorithm
shown in Figure 3. A possible implementation of the comparator is shown in Figure 5. Note
that it does depend on t, and so the corresponding part of the formula has to be amended from
call to call. However, the size of the comparator is just O(log n). Thus this implementation of
the threshold constraint is beneficial if the SAT solver is used in the incremental mode. The
rest of this section is devoted to the counter circuit.
8 V. Khomenko
x1 x2
Σ1
x3 x4
Σ1
x5 x6
Σ1
x7 x8
Σ1
Σ2 Σ2
z
Σ3
Fig. 6. An implementation of a counter as a balanced tree of adders.
x y
z
Σk =⇒
x1 y1
z1
h/a
x2 y2
z2
f/a • • •
• • • xk yk
zk
f/a
zk+1
Fig. 7. An implementation of a k-bit adder Σk, comprising a half-adder cell and k− 1 full-adder cells.
Figure 6 illustrates an implementation of the counter as a tree of adders, where each adder
is built of half-adder and full-adder cells, as shown in Figure 7.3 A half-adder cell adds up
two one-bit numbers, producing a one-bit result and a carry bit. A full-adder cell adds up two
one-bit numbers and a carry from the previous cell of the adder, producing a one-bit result
and a carry bit. Figure 8 shows possible implementations of these cells.
The described circuit can be converted to a linear-size formula in the CNF, as described in
Section 1.4. However, a somewhat shorter formula can be obtained using Boolean minimisation
when translating half-adder and full-adder cells. With assistance of the Boolean minimiser Es-
presso [1], the formula
(¬x ∨ ¬y ∨ ¬z) ∧ (x ∨ ¬y ∨ z) ∧ (x ∨ y ∨ ¬z) ∧ (y ∨ ¬co) ∧ (¬x ∨ co ∨ z) ∧ (¬co ∨ ¬z) ,
with 2 new variables, 6 clauses and 16 literals was obtained for a half-adder cell, and the
formula
(ci ∨¬x∨ y ∨ z)∧ (ci ∨ x∨¬y ∨ z)∧ (¬ci ∨¬x∨ y ∨¬z)∧ (¬ci ∨ x∨¬y ∨¬z)∧ (¬ci ∨ co ∨ z)∧
(ci ∨ ¬co ∨ ¬z) ∧ (¬x ∨ ¬y ∨ co) ∧ (x ∨ y ∨ ¬co) ∧ (¬ci ∨ ¬x ∨ ¬y ∨ z) ∧ (ci ∨ x ∨ y ∨ ¬z) ,
with 2 new variables, 10 clauses and 36 literals was obtained for a full-adder cell.
With these improvements, the size of the CNF formula corresponding to the counter can
be calculated by solving the following recurrences for the number of auxiliary variables (corre-
sponding to the outputs of the gates), clauses and literals (for simplicity, it is assumed that n is
3 The depth of this circuit is O(log2 n). [16] describes a circuit of linear size and O(log n) depth based
on carry-save adders, but that translation is larger by a constant factor. Since the depth of the
circuit is not important for the purposes of this paper, while the size is of paramount importance,
the described circuit was chosen.
Shortest Traces in Model Checking 9
x y
z
coh/a =⇒
x y
⊕ ∨
z
co
ci
x y
z
cof/a =⇒
x y
h/a
ci
z
h/a
∨ co
Fig. 8. An implementation of half-adder and full-adder cells.
a power of 2; note that the top-level adder contains one half-adder cell and log2 n−1 full-adder
cells): {
var(n) = 2 + 2(log2 n− 1) + 2var(n/2)
var(1) = 0 ,{
cl(n) = 6 + 10(log2 n− 1) + 2cl(n/2)
cl(1) = 0 ,{
lit(n) = 16 + 36(log2 n− 1) + 2lit(n/2)
lit(1) = 0 .
The solutions of these recurrences are
var(n) = 4n− 2 log2 n− 4
cl(n) = 16n− 10 log2 n− 16
lit(n) = 52n− 36 log2 n− 52 ,
i.e., even though the size of the formula is linear in the number of the circuit’s inputs, the
multiplicative constants hidden in this O(n) translation are quite large. Next section tries
to remedy this situation by exploiting the structure of the prefix to improve the described
translation.
3 Exploiting the structure of the prefix
The content of this section is the main contribution of this paper. It turns out that the structure
of the prefix can be exploited to reduce the size of the counter circuit. Below, two heuristics
are described, one utilising the conflicts between the events in the prefix, and the other making
use of the causality relation.
3.1 Exploiting the conflicts
One can observe that if a set E ′ ⊆ E \ Ecut of events which are in conflict with each other
(i.e., E′ is a clique in the graph corresponding to the relation #) then no two events from E ′
can belong to the same configuration. The configuration constraint ensures that at most one
10 V. Khomenko
of the variables confe corresponding to the events in E
′ is assigned the value 1, i.e., 1 ≥ |{e ∈
E′ | confe = 1}| =
∨
e∈E′ confe, and so a single ∨-gate is sufficient to count the number of
variables assigned the value 1.
Definition 1 (#-cluster). A set of events E ′ ⊆ E \ Ecut is a #-cluster if for all distinct
events e, f ∈ E′, e#f .
Thus the non-cut-off events of the prefix are partitioned into #-clusters, then ∨-gates are
used to count in each #-cluster the number of variables corresponding to its events and assigned
the value 1, and a counter (hopefully, of a much smaller size) is used to count the number of
outputs of these ∨-gates having the value 1. Since the translation of an ∨-gate into a Boolean
expression is much smaller than the translation of a counter, one can expect reductions in the
size of the resulting formula. For example, {{e1}, {e2}, {e3, e5}, {e4, e6}, {e7, e8}} is a possible
partition into #-clusters of the non-cut-off events of the prefix shown in Figure 1(b).
When partitioning the non-cut-off events of the prefix into #-clusters, it is advantageous
to make the number of such #-clusters as small as possible. (When the number of #-clusters
is large, the size of the counter grows; in particular, for the trivial partition with each event
forming its own #-cluster the translation degrades to the one described in the previous section.)
Thus one can formulate an optimisation problem of partitioning the non-cut-off events of a
prefix into the smallest number of #-clusters. Unfortunately, a decision version of this problem
turns out to be NP-complete.
Proposition 1 (NP-completeness of the Partition into #-clusters problem). Given
an unfolding prefix pi and a k ∈ N, the problem of deciding whether the set of non-cut-off events
of pi can be partitioned into at most k #-clusters is NP-complete.
Proof. The proof of NP-hardness is by reduction from the Partition into Cliques problem,
which is known to be NP-complete (see [6, Problem GT15]) and can be formulated as follows:
Given an undirected graph G(V,E) and a k ∈ N, decide whether the set of vertices
of G be partitioned into at most k cliques (trivial cliques comprising a single vertex are
admissible).
The reduction of this problem to the Partition into #-clusters problem is illustrated in
Figure 9. Each vertex of G is replaced by a transition and a place with a token having this
transition in its postset, and each edge of G is replaced by a place with a token, having the two
transitions corresponding to the vertices incident to this edge in its postset. By construction,
=⇒
Fig. 9. Reduction of the Partition into Cliques problem to the Partition into #-clusters problem.
this Petri net is acyclic (since no place has incoming arcs), and any of its transitions can fire at
most once. The unfolding of this Petri net coincides with the net itself (except that the tokens
are removed), and no event is cut-off. Moreover, the conflict relation on the set of its events
is isomorphic to G, and any partition of the set of events into at most k #-clusters yields a
partition of G into the same number of cliques. Thus the Partition into #-clusters problem is
NP-hard.
The problem is trivially in NP, as one can guess the partition and then check its validity
and size in polynomial time. Thus the problem is NP-complete. ut
Shortest Traces in Model Checking 11
input : pi — a finite and complete prefix
output : P# — a partition of E \ Ecut into #-clusters
P# ← ∅
for e ∈ E \ Ecut in any order consistent with < do
/* find #-clusters to which e might be added */
Clusters ← ∅
/* for convenience, assume that the prefix starts with a (virtual) initial event ⊥ */
/* such that •⊥
df
= ∅ and ⊥• comprises the minimal w.r.t. < conditions */
for f ∈ •(•e) do
/* f is in some #-cluster in P# since f < e */
for g ∈ GetCluster(P#, f) do
for h ∈ (g•)• do
if GetCluster(P#, h) 6= ∅
then Clusters ← Clusters ∪ {GetCluster(P#, h)}
/* else h is not in any of the built #-clusters yet and is skipped */
for Cl ∈ Clusters do
/* check if e is in conflict with each event in Cl , avoiding */
/* traversing the prefix and using only local tests instead */
if ∀l ∈ Cl :
/* e and l are in direct conflict */
•e ∩ •l 6= ∅ ∨
/* or e and l have distinct predecessors in the same #-cluster */
∃e′ ∈ •(•e) ∃l′ ∈ •(•l) : e′ 6= l′ ∧GetCluster(P#, e
′) = GetCluster(P#, l
′)
then
/* e can be added to this #-cluster */
P# ← (P# \ {Cl}) ∪ {Cl ∪ {e}}
break off the loop and continue the loop for the next e
/* failed to add e to any of the existing #-clusters — a new #-cluster is created */
P# ← P# ∪ {{e}}
Fig. 10. An algorithm for partitioning E \ Ecut into #-clusters.
When computing the shortest violation trace, one does not want to spend too much effort
on building the threshold constraint, as the process of building it can easily become more
time consuming then model checking itself. Therefore, in the actual implementation, a fast
‘greedy’ algorithm for partitioning the set of events into #-clusters was adopted, which is
justifiable in the view of the above result. Figure 10 shows this algorithm, where the function
GetCluster(P#, e) returns the #-cluster Cl ∈ P# containing the event e or ∅ if no #-cluster
in P# contains e. Note that the order of processing required in the main loop of the algorithm is
not problematic, as the existing unfolding algorithms [5, 8] output events in an order consistent
with <.
3.2 Exploiting the causality relation
The method described above allowed for simplification of the threshold constraint by exploiting
the conflict relation between the events in the prefix. It turns out that the causality relation
can also be exploited to reduce the size of the translation even further.
Definition 2. Let Cl and Cl ′ be two #-clusters. Cl  Cl ′ if for each event e′ ∈ Cl ′ there
exists an event e ∈ Cl such that e < e′. A sequence of #-clusters Cl1  Cl2  · · ·  Clk is
called a -chain.
For example, {e4, e6}  {e7, e8} is a -chain of the prefix shown in Figure 1(b).
12 V. Khomenko
y1 y2 y3 y4 y5 y6 y7 y8
z4z3z2z1
∧∧ ∧
∨
∧∧ ∧ ∧
∨
Fig. 11. An implementation of an eight-input counter with the values of inputs constrained to be in
a non-increasing order.
It follows from this definition that if Cl  Cl ′ and an event e′ ∈ Cl ′ belongs to a con-
figuration C then some event e ∈ Cl also belongs to C. Suppose Cl 1  Cl2  · · ·  Clk
is a -chain and y1, . . . , yk are the outputs of the ∨-gates corresponding to these #-clusters.
The configuration constraint ensures that in any satisfying assignment the sequence of val-
ues of y1, . . . , yk is non-increasing. This allows one to count the number of ones among these
values much more efficiently than by a counter described in the previous section. Indeed, the
encoding of the inputs is very similar to the 1-hot encoding, which can be obtained from
y1, . . . , yk as ¬y1, y1 ∧ ¬y2, y2 ∧ ¬y3, . . . , yk−1 ∧ ¬yk, yk and subsequently converted into the
binary code using an encoder. A somewhat smaller circuit is shown in Figure 11; its outputs zi,
i ∈ {1, . . . , dlog2 ke+ 1}, are computed as⌈
k−2
i−1
2i
⌉∨
j=0
y2i(j+ 1
2
) ∧ ¬y2i(j+1) ,
where yj
df
= 0 if j > k.
Thus one can partition the acyclic directed graph G corresponding to the  relation on
the #-clusters into -chains, then build for each -chain a circuit similar to the one shown
in Figure 11 and finally construct an adder tree similar to that in Figure 6, but with the
bottom layer comprised of the built counters rather than half-adders. The algorithm shown in
Figure 12 does this trying to balance the tree. SelectMin(Q) finds a pair (c,m) ∈ Q (where c
is a circuit and m ∈ N is the maximum value this circuit can output) with the minimum value
of m, and Add(c1, c2) constructs a circuit which computes the sum of values computed by c1
and c2 (i.e., an adder is put ‘on top’ of c1 and c2). Note that Q is a priority queue and can
be efficiently implemented as either a binary heap or simply by keeping a list of circuits for
each m.
When partitioning G into -chains, it is advantageous to make the number of such
-chains as small as possible, in order to reduce the number of adders in the adder tree.
Thus one can formulate an optimisation problem of partitioning G into the smallest number
of -chains. This is essentially the well-known minimum vertex-disjoint path cover problem
(zero-length paths comprising a single vertex are admissible).
This problem is NP-complete for general graphs, since checking the existence of a Hamilto-
nian path is equivalent to checking whether it is possible to cover the vertices of a given graph
by a single vertex-disjoint path. Nevertheless, for acyclic graphs (note that G is acyclic) it
Shortest Traces in Model Checking 13
input : Q — a non-empty set of pairs (c, m), where c is a circuit and m ∈ N
output : c — a circuit
while |Q| > 1 do
(c1, m1)← SelectMin(Q)
Q← Q \ {(c1, m1)}
(c2, m2)← SelectMin(Q)
Q← Q \ {(c2, m2)}
Q← Q ∪ {(Add(c1, c2), m1 + m2)}
/* now |Q|=1 */
(c, m)← SelectMin(Q)
return c
Fig. 12. An algorithm for building a tree of adders.
can be reduced to the maximum matching problem on a bipartite graph, and solved in poly-
nomial time. The reduction is illustrated in Figure 13. The undirected graph Ĝ is build as
follows. For each vertex v of G, Ĝ contains vertices v
′ and v′′, and for each arc (v, w) of
G, Ĝ contains an (undirected) arc {v
′, w′′}. One can see that Ĝ is bipartite, and there
is a one-to-one correspondence between the arcs of any matching of this graph and the arcs of
some vertex-disjoint path cover of G, and vice versa. Since a minimum vertex-disjoint path
cover of G contains the maximum number of arcs among all such path covers, it corresponds
to a maximum matching of Ĝ.
v1
v2
v3
v4
v5
v6
v7
v8
=⇒
v′1 v
′
2 v
′
3 v
′
4 v
′
5 v
′
6 v
′
7 v
′
8
v′′1 v
′′
2 v
′′
3 v
′′
4 v
′′
5 v
′′
6 v
′′
7 v
′′
8
Fig. 13. Reduction of the minimum vertex-disjoint path cover problem to the maximum matching
problem in a bipartite graph. The matching {{v′1, v
′′
3 }, {v
′
3, v
′′
6 }, {v
′
6, v
′′
8 }} corresponds to the path cover
{v1 → v3 → v6 → v8, v2, v4, v5, v7}, and the maximum matching {{v
′
1, v
′′
3 }, {v
′
3, v
′′
2 }, {v
′
6, v
′′
8 }, {v
′
7, v
′′
6 }}
corresponds to the minimum path cover {v1 → v3 → v2, v7 → v6 → v8, v4, v5}.
In [9], an O(n5/2) algorithm for solving the maximum matching problem on bipartite graphs
was proposed. However, one should bear in mind that G is given implicitly, and can be very
large. (It is not uncommon to have an unfolding prefix with hundreds thousands events.)
Therefore, using an exact algorithm for solving this problem might be either too memory
demanding (if G is built explicitly), or too slow due to the need of working with an implicitly
represented graph (checking whether there is an arc between two vertices of G is quite
expensive in such a case, as one might have to traverse the whole prefix). Thus a fast ‘greedy’
algorithm for partitioning the set of #-clusters into -chains has been designed. It is shown
in Figure 14, where function Last(Ch) returns the last #-cluster in the -chain Ch.
Note that the order of processing required in the main loop of this algorithm is easy to
ensure if P# was computed by the algorithm in Figure 10. Indeed, let l be the total order
on the non-cut-off events of the prefix consistent with < in which the events were processed
in the main loop of the algorithm in Figure 10. It can be extended to a total order · on the
14 V. Khomenko
input : pi — a finite and complete prefix
P# — a partition of E \ Ecut into #-clusters
output : P — a partition of P# into -chains
P ← ∅
for Cl ∈ P# in any order consistent with  do
/* find -chains to which Cl can be appended, avoiding */
/* traversing the prefix and using only local tests instead */
Clusters ←
( ⋂
e∈Cl{GetCluster(P#, f) | f ∈
•(•e)}
)
∩ {Last(Ch) | Ch ∈ P}
if Clusters 6= ∅ then
/* Cl can be appended to an existing -chain */
select a longest -chain Ch ∈ P such that Last(Ch) ∈ Clusters
P ← (P \ {Ch}) ∪ {Ch → Cl}
else
/* failed to append Cl to any of the existing -chains — a new -chain is created */
P ← P ∪ {Cl}
Fig. 14. An algorithm for partitioning the set of #-clusters into -chains.
#-clusters as follows: Cl· Cl ′ iff minl Cl l minl Cl
′. In each #-cluster, the minimal w.r.t. l
event is the chronologically first event in it, i.e., · coincides with the order of creation of the
#-clusters, and so one can easily ensure that P# is ordered according to · . If Cl  Cl
′ then
e′
df
= minl Cl
′ is a causal successor of some event e ∈ Cl . Since l is total and consistent with <,
minl Cl l e
′, and so Cl· Cl ′. Thus · is consistent with , and the algorithm in Figure 14
can process the #-clusters in P# in this order.
4 Experimental results
The proposed method has been tested with the zChaff SAT solver [13], and the popular set of
deadlock checking benchmarks collected by J.C. Corbett [3] has been attempted. (For obvious
reasons, only examples with deadlocks from this collection were used.) All the experiments
were conducted on a PC with PentiumTM IV/2.8GHz processor and 512M RAM.
The experimental results are shown in Table 1, where the meaning of the columns is as
follows (from left to right): the name of the problem; the number of non-cut-off events in the
prefix; the lengths of the first computed and a shortest violation traces; the number of #-
clusters and -chains computed by the algorithms in Figures 10 and 14; the size (the number
of new variables, clauses and literals) of the translation of the counter circuit for the basic
translation described in Section 2 and for the improved one described in Section 3; and the
time taken by the SAT solver to compute the first violation trace and the time taken by the
algorithm in Figure 3 to compute a shortest violation trace using the basic and the improved
translations of the counter.
The experiments show that in many cases the first computed violation trace was much longer
than a shortest one, with the results for the Sent benchmarks being particularly impressive.
This confirms that in practice computing shortest violation traces can indeed facilitate the
debugging process and save a lot of designer’s time.
One can see that the number of #-clusters and -chains is usually quite small compared to
the number of non-cut-off events in the prefix, and thus the reduction in the size of the formula
is quite significant. It is possible to evaluate the maximum reduction which can be achieved
by the improved translation over the basic one as follows. In the ideal case, all the events in
the prefix would be in conflict with each other, and so the counter circuit can be implemented
as a single ∨-gate. Such an implementation results in one new variable (for the gate’s output),
n + 1 clauses and 3n + 1 literals in the corresponding CNF formula, where n = |E \ Ecut |.
Shortest Traces in Model Checking 15
Problem Prefix Trace Partitions Translation of counter Time
Basic Improved
|E\Ecut | 1
st shortest #-cl -ch vars cls lits vars cls lits 1st Basic Improved
Q 7229 75 21 179 25 28881 115479 375221 520 8781 26031 <1 3 1
Speed 1663 24 4 30 9 6620 26436 85832 98 1952 5806 <1 1 <1
Dac(6) 53 6 6 23 11 195 761 2437 72 279 833 <1 <1 <1
Dac(9) 95 9 9 35 17 359 1409 4527 116 460 1372 <1 <1 <1
Dac(12) 146 12 12 47 23 564 2236 7230 160 662 2000 <1 <1 <1
Dac(15) 206 43 15 59 29 802 3182 10292 205 864 2600 <1 <1 <1
Dp(6) 66 6 6 18 6 247 973 3135 55 222 628 <1 <1 <1
Dp(8) 120 8 8 24 8 461 1823 5885 75 341 987 <1 <1 <1
Dp(10) 190 10 10 30 10 737 2919 9431 96 475 1381 <1 <1 <1
Dp(12) 276 12 12 36 12 1082 4306 13954 119 635 1861 <1 <1 <1
Elev(1) 98 9 9 16 5 374 1478 4770 43 222 640 <1 <1 <1
Elev(2) 496 22 12 24 7 1960 7812 25336 65 685 2017 <1 <1 <1
Elev(3) 2266 30 15 32 9 9033 36095 117239 94 2549 7607 <1 <1 <1
Elev(4) 9598 23 18 40 11 38354 153366 498344 117 9950 29798 2 27 3
Hart(25) 101 26 26 76 26 385 1519 4897 218 826 2528 <1 <1 <1
Hart(50) 201 51 51 151 51 783 3109 10061 440 1684 5188 <1 <1 <1
Hart(75) 301 76 76 226 76 1180 4692 15196 666 2566 7942 <1 <1 <1
Hart(100) 401 101 101 301 101 1581 6299 20425 888 3424 10602 <1 <1 <1
Key(2) 454 52 42 103 18 1792 7140 23152 285 1309 3761 <1 <1 <1
Key(3) 4057 53 43 223 41 16194 64730 210284 680 6123 18051 <1 20 2
Key(4) 35905 65 44 407 82 143582 574286 1866352 1269 39797 118855 <1 548 224
Mmgt(1) 38 6 6 11 2 136 528 1686 25 98 250 <1 <1 <1
Mmgt(2) 385 8 8 26 7 1518 6050 19622 80 618 1806 <1 <1 <1
Mmgt(3) 3312 10 10 36 6 13217 52831 171631 98 3584 10658 <1 <1 <1
Mmgt(4) 25945 12 12 44 7 103741 414915 1348381 119 26273 78693 77 86 80
Sent(25) 176 34 3 40 3 684 2716 8790 69 370 1028 <1 <1 <1
Sent(50) 201 59 3 65 3 783 3109 10061 98 480 1302 <1 <1 <1
Sent(75) 226 84 3 90 3 883 3509 11361 123 579 1549 <1 <1 <1
Sent(100) 251 109 3 115 3 980 3888 12574 149 681 1803 <1 <1 <1
Table 1. Experimental results for deadlock checking.
The corresponding parameters for the basic translation were computed in Section 2, and the
improvement ratios for new variables, clauses and literals are (4n − 2 log2 n − 4)/1 ≈ 4n,
(16n − 10 log2 n − 16)/(n + 1) ≈ 16 and (52n − 36 log2 n − 52)/(3n + 1) ≈ 17
1
3 , respectively.
Thus the reduction ratio for variables can grow unboundedly with n, whereas for clauses and
literals it is bounded by 16 and 17 13 , respectively.
The improvement ratios for the benchmarks in Table 1 are plotted in Figure 15. One can
see that for the number of new variables, the reduction ratio indeed grows with the size of
the prefix (though not as fast as in the ideal case), and is between two and three orders of
magnitude for large benchmarks. For clauses and literals, the improvement rate also grows
with the size of the prefix, and comes surprisingly close to the best possible ratio for large
benchmarks. Moreover, it should be noted that since the improved translation uses a lot of
multiple-input ∨-gates, the corresponding CNF formula has many clauses of length two, which
makes the SAT instance easier for the solver.
The comparison of the running times of the algorithms shows that, except one test case,
it was not too time-consuming to compute a shortest violation trace (this is probably due
to the fact that only a few benchmarks are large). Moreover, the improved approach has a
clear advantage over the basic one in terms of time. The only benchmark where computing the
shortest violation trace by the improved method took significantly more time than just solving
the original model checking problem was Key(4). (Note that for Mmgt(4) the increase in time
was quite modest, which can be explained by the fact that the first computed violation trace
was already optimal and very short.) In general, however, one can expect a significant increase
in time when computing the shortest violation traces, due to the following phenomenon, related
to phase transition [12]. Let t∗ be the length of the shortest violation trace. If t is significantly
larger than t∗, adding the constraint Threshold t to the formula will exclude only a few satisfying
assignments, and the resulting formula will not be much harder for the solver than the original
one. On the other hand, if t is significantly smaller than t∗, adding Threshold t to the formula
will yield an overconstrained SAT instance which usually can be quickly proven unsatisfiable. A
16 V. Khomenko
Fig. 15. Improvement ratios.
hard situation can occur when t is close to t∗. In such a case, if the SAT instance is satisfiable,
it often has only a small number of satisfying assignments (and thus such an assignment might
be difficult to find), and if it is unsatisfiable, it might be hard to show this. Section 1.6 discusses
how the impact of this phenomenon can be alleviated in practice.
5 Conclusions and future work
Although performed testing was limited in scope, one can draw some conclusions about the
efficiency of the proposed approach. Computing shortest violation traces can facilitate the
debugging process and save a lot of designer’s time, since in many cases the first computed
violation trace is much longer than a shortest one. According to the experimental results, for
large problem instances it can reduce the number of new variables in the formula by two–
three orders of magnitude, and achieve almost optimal reduction in the number of clauses
and literals, i.e., the length of the CNF formula corresponding to the threshold constraint was
surprisingly close to that for a single multiple-input ∨-gate! The possible directions for future
research include:
– Using a Boolean minimiser to derive short formulae not only for half-adder and full-adder
cells but also for adders with a small (e.g., up to a certain constant) number of inputs.
(Note that the majority of adders in the adder tree are small).
– Exploiting the structure of the prefix to reduce the size of other pseudo-Boolean constraints
encountered when dealing with various model checking problems.
Acknowledgements The author would like to thank Keijo Heljanko for fruitful discussions.
Shortest Traces in Model Checking 17
References
1. R. Brayton, G. Hachtel, C.McMullen and A. Sangiovanni-Vincentelli: Logic Minimization Algo-
rithms for VLSI Synthesis. Kluwer Academic Publishers (1984).
2. E. M. Clarke, O. Grumberg and D. Peled: Model Checking. MIT Press (1999).
3. J. C. Corbett: Evaluating Deadlock Detection Methods for Concurrent Software. IEEE Transac-
tions on Software Engineering 22(3) (1996) 161–180.
4. J. Esparza: Decidability and Complexity of Petri Net Problems — an Introduction. In: Lectures
on Petri Nets I: Basic Models, W. Reisig and G. Rozenberg (Eds.). Springer-Verlag, Lecture Notes
in Computer Science 1491 (1998) 374–428.
5. J. Esparza, S. Ro¨mer and W. Vogler: An Improvement of McMillan’s Unfolding Algorithm. Formal
Methods in System Design 20(3) (2002) 285–310.
6. M. Garey and D. Johnson: Computers and Intractability — A Guide to the Theory of NP-comple-
teness. Freeman (1979).
7. K. Heljanko: Using Logic Programs with Stable Model Semantics to Solve Deadlock and Reacha-
bility Problems for 1-Safe Petri Nets. Fundamentae Informaticae 37(3) (1999) 247–268.
8. K. Heljanko, V. Khomenko and M. Koutny: Parallelization of the Petri Net Unfolding Algorithm.
Proc. of International Conference on Tools and Algorithms for the Construction and Analysis of
Systems (TACAS’2002), J. -P. Katoen and P. Stevens (Eds.). Springer-Verlag, Lecture Notes in
Computer Science 2280 (2002) 371–385.
9. J. E. Hopcroft and R. M. Karp: An n5/2 Algorithm for Maximum Matching in Bipartite Graphs.
SIAM Journal on Computing 2(4) (1973) 225–231.
10. V. Khomenko, M. Koutny and A. Yakovlev: Detecting State Coding Conflicts in STGs Using Inte-
ger Programming. Proc. of International Conference on Design, Automation and Test in Europe
(DATE’2002), C. D. Kloos and J. Franca (Eds.). IEEE Computer Society Press (2002) 338–345.
11. K. L. McMillan: Using Unfoldings to Avoid State Explosion Problem in the Verification of Asyn-
chronous Circuits. Proc. of International Conference on Computer Aided Verification (CAV’1992),
G. von Bochmann and D. K. Probst (Eds.). Springer-Verlag, Lecture Notes in Computer Science
663 (1992) 164–174.
12. D. Mitchell, B. Selman and H. Levesque: Hard and Easy Distributions of SAT Problems. Proc. of
American Conference on Artificial Intelligence (AAAI’1992), AAAI Press, California US (1992)
459–465.
13. S. Moskewicz, C. Madigan, Y. Zhao, L. Zhang and S. Malik: Chaff: Engineering an Efficient SAT
Solver. Proc. of Design Automation Conference (DAC’2001), ASME Technical Publishing (2001)
530–535.
14. T. Murata: Petri Nets: Properties, Analysis and Applications. Proceedings of the IEEE 77(4) (1989)
541–580.
15. A. Valmari: The State Explosion Problem. In: Lectures on Petri Nets I: Basic Models, W. Reisig
and G. Rozenberg (Eds.). Springer-Verlag, Lecture Notes in Computer Science 1491 (1998) 429–
528.
16. I. Wegener: The Complexity of Boolean Functions. Wiley-Teubner Series in Computer Science
(1987).
17. L. Zhang and S. Malik: The Quest for Efficient Boolean Satisfiability Solvers. Proc. of International
Conference on Computer Aided Verification (CAV’2002), E. Brinksma and K. G. Larsen (Eds.).
Springer-Verlag, Lecture Notes in Computer Science 2404 (2002) 582–595.
