since the nodes use the same baud rate and re-synchronize at every edge detected on the bus. A major characteristic of the bus protocol is the auto-.
Automatic Compositional Minimization in CTL Model Checking Massimiliano Chiodo Magneti Marelli, Pavia, Italy Thomas R. Shiple, Alberto L. Sangiovanni-Vincentelli, Robert K. Brayton Department of EECS, University of California, Berkeley, CA 94720
Abstract We describe a method for reducing the complexity of CTL model checking on a system of interacting finite state machines. The method consists essentially of reducing each component machine with respect to the property we want to verify, and then verifying the property on the composition of the reduced components. The procedure is fully automatic and produces an exact result. We assess the potential of our approach on real-world examples, and demonstrate the method on a circuit.
1 Introduction Temporal logic model checking procedures are potentially powerful verification tools for finite state systems [16, 6]. However, when the system under examination consists of several communicating parallel machines, the potential arises for an explosion in the size of the representation of the composition. Traditionally, the size of a system is identified with the number of states, and hence the issue is referred to as the state-explosion problem. The introduction of symbolic representations, based on binary decision diagrams (BDDs) [2], and symbolic verification procedures [9, 18, 3], made it possible to verify complex systems that could not be handled by techniques based on explicit representations. However, just as with explicit representations, the size of the parallel composition may still be too large to handle. Methods proposed to avoid the construction of the complete state graph, and therefore to avoid the representation explosion, can be split into two categories, compositional verification and compositional minimization [11]. In the first category, one tries to deduce properties of a composition of processes by reasoning on the individual components and their interactions, without ever building the composed system. In the second category, one tries to reduce or minimize the components in such a way that their composition yields a smaller, yet semantically equivalent, model of the total system. As an example of the first category, Wolper [19] inductively verifies complex systems by looking for network invariants, that is properties that, if satisfied by a network of n identical processes, will be satisfied by a network of n + 1 processes. Kurshan and McMillan have attempted
a similar approach [14]. As another example of compositional verification, Grumberg et al. [12, 8] define subsets of the logics CTL� and CTL, namely 8CTL� and 8CTL, where only universal path quantification is allowed. For these logics, if all the component machines satisfy a given property, then the composition also satisfies that property. However, these logics are strictly less expressive than CTL� and CTL, respectively. As for compositional minimization, Kurshan [15] uses property-dependent homomorphic reductions, which “relax” the behavior of the component machines, to produce component machines that have fewer states than the original ones. The !-regular properties he wants to verify are preserved under such user-provided reductions. As another example of compositional minimization, the model checking algorithm based on the interface rule, proposed by Clarke et al. [7], is a fully automatic technique that allows verification of properties of a single (main) machine within a system of interacting machines. Here, the other (side) machines are minimized [13] by hiding those output variables of the side machines which the main machine cannot observe. This reduction is property independent in that the reduction is valid for any property on the main machine. The main limitation of this approach is that it cannot handle CTL formulas which specify properties of multiple interacting machines. Finally, Burch [4] describes a technique for efficiently computing the existential quantification of variables from a product of component transition relations, a central computation in symbolic model checking. By quantifying out variables from such a product as early as possible, one can avoid forming explicitly the complete product machine, and hence, potentially avoid an explosion in the BDDs. However, the applicability of this technique and the amount of reduction achieved depend heavily on the structure of the system and on the user-supplied order in which the component transition relations are processed. It is our opinion that to make formal verification a usable tool in design, fully automatic techniques whose details are transparent to the user must be developed to attack large, complex problems typical of electronic system design. Our goal is to verify CTL properties on a system of interacting finite state machines. The approach we take is to extract from the compo-
nent machines the behavior relevant to the verification of a given property, and use only these subcomponents to build the representation of a reduced system that preserves all of the behavior needed to verify the property. In this regard, our approach falls into the compositional minimization category. Our approach is fully automated and returns an exact result; that is the reduced system is verified if and only if the complete system is verified. Note that in our work, “reduction” of a machine means reducing the size of the representation of the machine by removing irrelevant behavior. This differs, for example, from the usage of the term in COSPAN [15], where reduction means making a machine smaller by adding behavior. In this paper we focus on assessing the potential of our technique on real systems. A more formal description of the method and detailed proofs of the theorems presented in this paper are given in [5]. Section 2 gives definitions that will be used in the paper and introduces CTL. In Section 3 we summarize our technique. In Section 4 we apply our method to a circuit and discuss the results. Finally, Section 5 presents conclusions and future developments.
2 Background 2.1 FSM Model Our model of finite state machines is based on the Moore model. A synchronous finite state machine with states X and inputs I , is specified by a transition relation T � X � I � X . Each (x; i; x0) 2 T is a transition from present state x 2 X to next state x0 2 X enabled by input i. We require each state to have a next state. Otherwise, we allow nondeterministic and incompletely specified machines. Lastly, in place of the Moore model’s explicit outputs, which are functions of the state variables, our model simply allows the environment to directly observe the state variables. In a system of interacting FSMs, the input to each component machine consists of the present states of the other components, plus external inputs. The definition of the composition of two interacting machines follows. Definition 1 Let A(x; i; x0) and B (y; j; y0 ) be transition relations describing two interacting FSMs. Furthermore, let x; x0 2 X; i 2 Y � I; y; y0 2 Y , and j 2 X � I . The transition relation M defining the behavior of the composition of the two machines A and B is given by a subset of (X � Y ) � I � (X � Y ) where
x; y); k; (x0; y0)) 2 M iff (x; (y; k); x0) 2 A and (y; (x; k); y0 ) 2 B .
((
This definition is easily extended to a system of n interacting machines A1 ; A2 ; : : :; An . Each machine Ai has present state variable xi 2 Xi and next state variable x0i 2 Xi , and takes as input x6=i = [x1; : : :; xi?1; xi+1; : : :; xn], the present state variables of the other machines. The global state of the system is x = [x1 ; : : :; xn] 2 X = X1 � X2 � : : : � Xn . We restrict our attention to closed
_ x
_ x A
A
1
x’
1
_ x
...
2
x’
A
n
x’
2
n
clk x
1
x
x
2
n
_ x
Figure 1: Interacting Finite State Machines systems, that is systems that do not take inputs from the external world. Thus we can represent each Ai by the transition relation Ai (xi; x6=i ; x0i) = Ai (x; x0i) (see Figure 1).
2.2
Paths
The notion of paths will allow us to define succinctly the output of the model checker. Definition 2 A path on the transition relation T , from state x0 to state xk and of length k, is a finite sequence of transitions < (x0 ; i0 ; x1 ); (x1 ; i1 ; x2); : : :; (xk?1; ik?1 ; xk ) >. (A path may have cycles.) If xk belongs to a cycle, the path is said to be infinite. Note that every set of transitions, be it a transition relation or a path, is denoted by its characteristic function implemented as a BDD.
2.3
Computation Tree Logic
We use Computation Tree Logic, or CTL [6], to specify properties of FSMs. The set of all CTL formulas can be defined inductively in terms of a subset of CTL formulas, which we call the base formulas. The choice of this subset is not unique, although the choice for us is not arbitrary (see Section 3.2.3). In the following definition, an atomic proposition P is a function that maps the state variables of a FSM to f0; 1g. That is, P is true in a state x 2 X iff P (x) = 1. Definition 3 The set of CTL formulas F is defined inductively as follows: 1. Every atomic proposition P is a CTL formula.
2. If p and q are CTL formulas, then :p, p � q, 9Xp, 9Gp, and 9[pUq] are CTL formulas.
Xp
The formula 9 , read “p can be true at the next state”, is true in a state s if p is true in some successor of s. 9 , read “p can be true hereafter”, is true in a state s if p is true in every state of some infinite path beginning with s. 9[ ], read “it is possible that q will be eventually true and p will be true until then,” is true in a state s if there is some path beginning with s along which p is true in every
pUq
Gp
state until q is true. The notation s j= F means that formula F is true of state s. Syntactic abbreviations are often used for notational convenience. For example, 8Fp is equivalent to :9G:p and is read “p will be true sometime in the future”; 8Gp is equivalent to :9[trueU :p] and is read “p will be true hereafter.” All Boolean connectives (�, ), 6� etc.) may also be used as abbreviations. CTL, as well as other temporal logics, is especially useful for qualitative time reasoning. We can classify the properties into two major classes: safety properties (or invariants) represented by 8Gp, and liveness properties (or eventualities) represented by p ) 8Fq. In the formula F = 8G(req ) 8F ack), a liveness property is embedded in a safety property. The assertion s0 j= F says that for all states that can be reached from s0 , if req is true, then ack will eventually follow sometime in the future. To understand the applicability of CTL to system design, consider as an example a network of CAN [1] controllers. The CAN (Controller Area Network) protocol is a serial protocol designed for automotive applications, and is a candidate for the European standard for in-vehicle networking. The CAN architecture consists of a number of nodes that communicate with each other by broadcasting messages on a serial bus. Although the nodes are not initially synchronized, the system can be modeled as a synchronous system since the nodes use the same baud rate and re-synchronize at every edge detected on the bus. A major characteristic of the bus protocol is the automatic arbitration of transmission collisions, which is important for safety-critical reactive systems in an automobile. Whenever a node wants to begin a transmission, it has to wait for the bus to be available. The bus is available whenever an end-of-message (EOM) sequence is detected (seven bits at “1”). As soon as the EOM is detected the node sends a start-of-message (SOM) (one bit at “0”), and then begins to transmit a message ID (eleven bits where the seven “1”s sequence is forbidden). One or more nodes can start a transmission at the same time. When a collision arises (that is, some nodes are writing “1”, and some are writing “0”) the bus reads “0”. In this case, the nodes writing “0” do not detect the collision and continue the transmission, whereas the nodes transmitting “1” switch to receiving mode. Since no two nodes share the same IDs, the collisions are automatically arbitrated, and only one node completes the transmission of the ID and can continue with the transmission of the full message. In this way the bus is never idle with pending requests. A circuit implementing a simplified CAN of two nodes will be used in Section 4 to demonstrate our method. Some properties we want to verify on this network are: (1) if node 1 attempts a transmission (TxOn1 ), it will eventually complete it (SentMsg1 ) or will receive an ID from another node (RecMsg1 ), (2) if both nodes attempt a transmission, one of them will complete it, (3) node 1 will never complete a transmission and a reception at the same time, (4) both nodes will never complete a transmission at the same time,
and (5) property 1 holds hereafter. In CTL we have (1) (2) (3) (4) (5)
TxOn1 ) 8F (SentMsg1 + RecMsg1) (TxOn1 � TxOn2 ) ) 8F (SentMsg1 + SentMsg2 ) 8G:(SentMsg1 � RecMsg1 ) 8G:(SentMsg1 � SentMsg2 ) 8G(TxOn1 ) 8F (SentMsg1 + RecMsg1 ))
3 Model Checking 3.1 Model Checking on a Single FSM The model checking problem for CTL is: given a transition relation T for a synchronous finite state machine, and a CTL formula F , find all the states in T satisfying F [10]. The single machine model checker is an integral part of our procedure for model checking on a system of FSMs. The input to our single machine model checker is a transition relation T and a (non-nested) CTL base formula F . The output is a set of transitions T � such that F holds at the present state of each transition. Definition 4 The model checker implements a function mc : 2(X �I �X ) � F ! 2(X �I �X ) . We denote the output of the model checker as T � , that is, T � = mc(T; F ). Given atomic propositions p and q, the output of the model checker for each of the base formulas is as follows: 1. 2. 3. 4.
T � = mc(T; :p) contains all transitions (x; i; x0) 2 T such that p(x) = 0. T � = mc(T; p � q) contains all transitions (x; i; x0) 2 T such that p(x) = 1 and q(x) = 1. T � = mc(T; 9Xp) contains all transitions (x; i; x0) 2 T such that p(x0 ) = 1. T � = mc(T; 9Gp) contains all transitions (x; i; x0) 2 T that belong to some infinite path on which p is true at each present state.
5.
T � = mc(T; 9[pUq]) contains all transitions (x; i; x0) 2 T that have present state in p and belong to some path where p is true until q is true. The union of the present states in T � and the states in q gives the set of states satisfying 9[pUq].
Cases 4 and 5 are computed by fixed point computations. The proof of correctness of our compositional model checker relies on two important properties of our single machine model checker. Proposition 5 Let F be any CTL base formula and let T � = mc(T; F ). Then T � � T . This result follows since the model checker only removes transitions from T ; it never adds transitions. As a consequence, the transition relation returned by the model checker generally describes an incompletely specified machine.
Proposition 6 Let T � = mc(T; F ). If M is another transition relation such that T � � M � T , then mc(M; F ) = T �. This implies that we can delete transitions from T before passing it to the model checker, and still get the same final result, as long as we do not delete any transitions that would be in T � . This result will be used in the model checker for a systems of FSMs to justify the removal of irrelevant transitions from the component machines.
3.2
Model Checking on a System of FSMs
Our goal is to perform CTL model checking on a system of interacting FSMs, where the CTL formulas express properties of the entire system, and not just of a component of the system. Thus, given an array of transition relations specifying a system of n interacting machines A1 ; A2 ; : : :; An, and a (non-nested) CTL base formula F , we want to produce the set of states of the global system that satisfy F . If one wanted to use the single machine model checker directly to solve this problem, one would first build the complete product of the component machines, and then apply the model checker to the complete product. However, this is a naive approach, because there is a distinct possibility that the size of the representation for the product machine will explode. In other words, the size of the representation for each component may be reasonable, but the size of the product may be intractable. In our approach to model checking on a system of FSMs, we first extract the “interesting” part of each component to yield a “reduced” transition relation for each component. We then take the product of the reduced components, and finally, apply the model checker to the reduced product. In this manner, we hope to avoid an explosion in the size of the product machine. We call our procedure cmc, for compositional model checking. It consists of three phases (Figure 2). 3.2.1
Phase 1
In the first phase, for a given formula F we determine the relevant part of each component machine. For a state in the product machine to satisfy F , each state component of the global state must satisfy the projection of F onto the state component’s associated machine. Thus, for each component machine Ai , we project F onto the component, and then apply the model checker to Ai and the projected formula to produce the reduced component machine A�i .
Definition 7 Let Ai (xi; x6=i ; x0i) be a transition relation in a system A1 ; A2 ; : : :; An . Let F be a CTL base formula with atomic proposition p(x) (and q(x), in the case of 9[pUq]). The projection FAi of F onto Ai is obtained by replacing p(x) in F with p(xi) = 9x6=i p(x) (and similarly for q). Since different formulas may yield different reduced component machines, we say that this reduction is property
1
function cmc(array [Ai], F ) f /* project F on Ai and run for i = 1 to n A�i = mc(Ai; FAi );
mc
g
2
/* use DCs to minimize BDD for for i = 1 to n Aˆi = min bdd(Ai ; A�i );
g
3
g
*/
Ai
*/
Q
/* run mc on reduced product */ Mˆ = mc( Aˆ i ; F ); /* existent. quant. next states */ Q = 9x0 Mˆ ; return Q;
Figure 2: Compositional Model Checker dependent. In the worst case, depending on the projected formula and the structure of a given component, there may be no reduction of the component. 3.2.2 Phase 2 By Proposition 5, A�i will have the same or fewer transitions than Ai . If we were using an explicit representation (e.g. state transition graph) for the transition relations, then just by removing transitions, we would be decreasing the size of the representation. However, we are using an implicit representation, namely BDDs, for which there is no such direct correlation. Therefore, for a given machine Ai , our intermediate goal is to find the subset Aˆ i of Ai which contains A�i and has the smallest possible BDD representation. Thus, we treat the set difference Ai ? A�i as a don’t care set which we can use to minimize the size of the BDD for Ai . Currently, we use the restrict operator [9] as a heuristic for finding Aˆ i . Proposition 6 assures us that we can use any transition relation between Ai and A�i and not upset the final result. Hopefully, the BDD size of the product Aˆ i of the reduced machines will be smaller than the complete product machine Ai . Unfortunately, minimizing the sizes of the BDDs for the Ai ’s does not guarantee that we are minimizing the size of the BDD for the product. Only thorough experimentation will indicate the effectiveness of this heuristic.
Q
Q
3.2.3 Phase 3 The final phase of the procedure cmc is to apply the single machine model checker to the original formula F and the product Aˆ i of the minimized components, to determine the states of the product machine that satisfy F . In fact,
Q
we can form the product of the minimized components incrementally, applying the model checker to the partial product after taking the composition with each component. (Of course, this introduces the problem of ordering the reduced components, for which we have not yet developed heuristics.) The following theorem states that applying the model checker to the reduced product gives the same result as if we had taken the naive approach and applied the model checker to the complete product machine.
State space of M (the whole box) State space of B
Q
Q
B
M
Theorem 8 Consider a system of interacting machines A1 ; A2; : : :; An. Let F be any CTL base formula. Then
mc(
Yn ˆ
Yn
i=1
i=1
Ai ; F ) = mc(
Q
Ai; F ):
To see why this technique gives the correct result, that is, computes the set of states of the product machine satisfying the input CTL formula, consider Figure 3. We are given a system M composed of interacting machines A and B , and a CTL base formula F . The state space X � Y of M is the entire box, and the state space X of A is the projection of the box onto the lower horizontal line. Likewise, the state space Y of B is the left vertical line. Suppose QM is the set of states of M satisfying F . Consider the formula FA produced by projecting the formula F onto machine A. In Phase 1, we apply the model checker to machine A with formula FA , to find the set of states QA � X which satisfy FA , disregarding the interaction between A and B . (Actually, the output of the model checker is a set of transitions, A� , and QA is the set of present states of this set of transitions.) Similarly, we produce QB � Y by applying the model checker to B with FB . By this procedure, QM � QA � QB � X � Y . In Phase 2, we may add some transitions back to A� and B � to get Aˆ and Bˆ . This corresponds to adding states to QA and QB to yield Qˆ A and Qˆ B , but we still have QM � Qˆ A � Qˆ B � X � Y . Finally, in Phase 3 we apply the model checker to the product of Aˆ and Bˆ to yield QM . The correctness of our technique relies on our choice of the base formulas for CTL. By allowing only existential path quantifiers in our base formulas, we can guarantee that each reduced component A�i contains every transition that would be present in the output of the model checker when applied to the complete product machine. The intuition behind this is that a component “loses behavior” when composed with the rest of the system, relative to its behavior when viewed independently of the system. On the other hand, our technique fails if we choose as our base formulas those with universal path quantifiers (e.g. 8Xp). To illustrate this, in the example0 of Figure 4 we0 have communicating machines A(x; y; x ) and B (y; x; y ) and propositions p(x) and q(y). State (0,0) in the product machine A � B satisfies the formula 8G(p � q), even though no state of A satisfies the projected formula 8Gp (i.e. QA = ;). Thus, QM 6� QA � QB � X � Y .
A
State space of A
Figure 3: State spaces in a system of interacting FSMs A.B
A
y=0
0,0
0
p
p,q
true
y=1
1 true
B 0
q
true
Figure 4: Interacting FSMs (state (1,0) is not reachable)
3.3
Nested Formulas
As explained above, the procedure cmc takes as input a non-nested, CTL base formula. To handle arbitrarily nested CTL formulas, possibly containing syntactic abbreviations, we define the procedure rcmc, for recursive cmc. The first step of rcmc is to translate the input formula to one in terms of the base operators (e.g. 8G9Fp is translated as :9[trueU :9[trueUp]]). Then, rcmc model checks each subformula by recursive descent based on the inductive definition of CTL, using cmc as a subroutine. We create a “fresh” atomic proposition to represent the set of states that satisfy a given subformula. In this way, we reduce the problem of checking an arbitrary CTL formula to one of checking a series of non-nested, base formulas. This formulation follows that presented in [10].
4 Experiments and Discussion In this section, we demonstrate our compositional technique on a real circuit. The system described here implements the part of ID transmission and arbitration for two CAN nodes. The circuit for one node is shown in Figure 5.
Each node is organized into three component state machines: a main unit node control, a 4-bit counter count 11 which counts the number of bits transmitted or received, and detect eom which monitors the bus to detect an EOM. The node ID is fixed and latched in a shift register. The size of the composed system of all 6 components is 243979 BDD nodes. The properties we want to verify are described in Section 2.3. For each formula, the model checker will return the set of states of the complete system that satisfy the formula; such states may or may not be reachable from the initial state. A postprocessor must be used to determine if the returned set contains the state(s) of interest. For example, we want to know if the initial state satisfies formulas 3, 4, and 5. We ran our compositional model checker on a DECsystem 5900 with a MIPS R3000 CPU at 40MHz and 440Mb of physical memory. For each formula checked (Form), we recorded the size of the largest BDD encountered in the verification process (Max), and took the ratio of this size to the size of the complete product machine (Ratio). CPU time is measured in seconds (CPU). Form Max Ratio CPU
(1) 19207 8% 84
(2) 153747 63% 709
(3) 57 .02% 1
(4) 275366 113% 7041
(5) 275366 113% 7750
It is easy to interpret these results and realize that the actual advantage from using this technique depends heavily on the type of formulas that one wants to verify and on the structure of the FSMs to be checked. First, recall that p ) 8Fq is translated as p ) (:9G:q ). Thus, as the first step in checking formulas 1 and 2, we must check formulas of the form 9G:q. For a given component Ai , if the projection :qAi of :q onto Ai is a “small” set of states, then we can expect some reduction in Ai since few transitions will belong to paths consistent with 9G(:qAi ). For formula 1, :q is (:SentMsg1 � :RecMsg1). Since SentMsg1 and RecMsg1 depend only on the state variables of node control1 , the projection of the first subformula of formula 1 onto node control1 is 9G(:SentMsg1 �:RecMsg1 ). This leads to a reduction of node control1 from 197 to 16 BDD nodes. The projection onto the other components is 9Gtrue, which does not cause any reduction of the other components. However, the good reduction of node control1 leads to an overall reduction in the reduced product (19207 BDD nodes). For formula 2, :q is (:SentMsg1 � :SentMsg2 ). The projection onto node control1 is 9G:SentMsg1 , and as it turns out, there is no reduction of node control1 (likewise for node control2 ). Indeed, this lack of reduction, as compared to that in the case of formula 1, can be partly explained by the fact that :SentMsg1 is a larger set than (:SentMsg1 �:RecMsg1 ). Again, there is no reduction in the other components. However, when we apply the model checker to the partial product node control1 � node control2
bus vo
vi
vi
count_end count_11
node_control
(4−bit)
(2−bit)
eom
detect_eom (3−bit)
reset
node ID (11−bit) SentMsg
RecMsg
Figure 5: CAN node on the projected formula 9G(:SentMsg1 �:SentMsg2 ), we see a reduction from 36098 to 24053 nodes. This leads to a reduced product of size 153747 nodes. When verifying a formula of the type 8Gp, as in formulas 3, 4, and 5, the structure of the FSM to be checked is crucial. Remember that 8Gp is translated as :9[trueU :p], so the first step is to check 9[trueU :p]. If a system is strongly connected, then by definition, for each pair of states s1 and s2 there exists a path from s1 to s2 . Therefore, if :p is not empty, then from every state there is a path to a state in :p, and thus every transition belongs to some path consistent with 9[trueU :p]; hence, no transitions can be eliminated. In the example the system is strongly connected. As expected, no reduction occurs for formulas 4 and 5 since the propositions involved have non-empty projections on all the components. Therefore the full product machine is computed. Furthermore, the size of the BDD computed during the final fixed-point computation (275366) even exceeds the size of the complete product machine. The good performance of formula 3 is explained by the fact that the projection of the proposition onto node control1 is the empty set. Therefore this component is annihilated and so are the successive compositions with the other components. In this case the biggest BDD (57) is simply the size of the biggest component, detect eom1 , before verification. Generally, under proper fairness constraints, many systems are strongly connected (e.g. non terminating programs such as network controllers), at least after a reset sequence has been completed.
5 Conclusions We have described a method for verifying a CTL property on a system of interacting FSMs. By applying propertydependent reductions to the component machines before building the product machine, we hope to be able to verify a wide class of properties (particularly liveness properties) on large systems, with significant reduction in the size of the representation. Our method is fully automatic and produces the exact set of states which satisfy a given CTL property. The core of the compositional model checker has been implemented. It will be part of the verification system being developed at UC Berkeley, a system that will be
tightly linked with the Sequential Interactive Synthesis system [17]. Once a viable user interface to the model checker is completed, we plan to test thoroughly the effectiveness of our method on a variety of examples. Several ideas to increase the power of our approach deserve investigation. One idea is to add transitions to each (original) component to reduce the size of the BDDs. Of course, these transitions must be chosen judiciously so that the final result is not altered. We would like to investigate further the general problem of finding a cover, with a minimal BDD representation, of an incompletely specified function. Also, using a given property as a criterion for repartitioning the original system into a new set of FSMs may lead to smaller BDDs for each component. To handle safety properties better, we want to explore alternative ways to compute the universally quantified invariant properties.
Acknowledgements We wish to thank Kolar L. Kodandapani for his contributions in the early stages of this work. We acknowledge the support of the California MICRO program, DARPA under grant JFI90-073, and an equipment grant from Digital Equipment Corporation.
References [1] D. Arnett, “A High Performance Solution for In-Vehicle Networking - ‘Controller Area Network (CAN),”’ SAE Technical Paper Series, 870823, Apr. 1987. [2] R. E. Bryant, “Graph-Based Algorithms for Boolean Function Manipulation,” IEEE Trans. on Computers, C-35(8), pp. 677-691, Aug. 1986. [3] J. R. Burch, E. M. Clarke, K. L. McMillan, and D. L. Dill, “Sequential Circuit Verification Using Symbolic Model Checking,” in Proc. of 27th Design Automation Conference, pp. 46-51, June 1990. [4] J. R. Burch, E. M. Clarke, and D. E. Long, “Representing Circuits More Efficiently in Symbolic Model Checking,” in Proc. of 28th Design Automation Conference, pp. 403-407, June 1991. [5] M. Chiodo, T. R. Shiple, A. Sangiovanni-Vincentelli, and R. K. Brayton, “Automatic Reduction in CTL Compositional Model Checking,” Memorandum No. UCB/ERL M92/55, Electronics Research Laboratory, College of Engineering, University of California, Berkeley, Jan. 1992. [6] E. M. Clarke, E. A. Emerson, and P. Sistla, “Automatic Verification of Finite-State Concurrent Systems Using Temporal Logic Specifications,” ACM Trans. Prog. Lang. Syst., 8(2), pp. 244-263, 1986. [7] E. M. Clarke, D. E. Long, and K. L. McMillan, “Compositional Model Checking,” in Proc. of the 4th Annual Symposium on Logic in Computer Science, Asilomar, CA, June 1989. [8] E. M. Clarke, O. Grumberg and D. E. Long, “Model Checking and Abstraction,” in Proc. of Principles of Programming Languages, Jan. 1992.
[9] O. Coudert, C. Berthet, and J. C. Madre, “Verification of Synchronous Sequential Machines Based on Symbolic Execution,” in Lecture Notes in Computer Science: Automatic Verification Methods for Finite State Systems, vol. 407, editor J. Sifakis, Springer-Verlag, pp. 365-373, June 1989. [10] E. A. Emerson, “Temporal and Modal Logic,” in Handbook of Theoretical Computer Science, editor J. van Leeuwen, Elsevier Science Publishers B.V., pp. 995-1072, 1990. [11] S. Graf and B. Steffen, “Compositional Minimization of Finite State Systems,” in Lecture Notes in Computer Science: Proc. of the 1990 Workshop on Computer-Aided Verification, vol. 531, editors R. P. Kurshan and E. M. Clarke, SpringerVerlag, pp. 186-196, June 1990. [12] O. Grumberg and D. E. Long, “Model Checking and Modular Verification,” in Lecture Notes in Computer Science: Proc. CONCUR ’91: 2nd Inter. Conf. on Concurrency Theory, vol. 527, editors J. C. M. Baeten and J. F. Groote, Springer-Verlag, Aug. 1991. [13] J. E. Hopcroft, “An n log n Algorithm for Minimizing the States in a Finite Automaton,” in The Theory of Machines and Computation, New York: Academic Press, pp. 189-196, 1971. [14] R. P. Kurshan and K. L. McMillan, “A Structural Induction Theorem for Processes,” in Proc. of 8th ACM Symp. on Principles of Distributed Computing, Aug. 1989. [15] R. P. Kurshan, “Analysis of Discrete Event Coordination,” in Lecture Notes in Computer Science: Proc. REX Workshop on Stepwise Refinement of Distributed Systems, Models, Formalisms, Correctness, vol. 430, editors J. W. de Bakker, W. -P. de Roever, and G. Rozenberg, SpringerVerlag, May 1989. [16] Z. Manna and A. Pneuli, “Verification of Concurrent Programs: The Temporal Framework,” in The Correctness Problem in Computer Science, editors R. S. Boyer and J. Strother Moore, Int. Lecture Series in Computer Science, London: Academic Press, pp. 215-273, 1981. [17] E. M. Sentovich, K. J. Singh, C. Moon, H. Savoj, R. K. Brayton, and A. Sangiovanni-Vincentelli, “Sequential Circuit Design Using Synthesis and Optimization,” in Proc. of International Conference on Computer Design, Oct. 1992. [18] H. J. Touati, H. Savoj, B. Lin, R. K. Brayton, and A. Sangiovanni-Vincentelli, “Implicit State Enumeration of Finite State Machines using BDDs,” in Proc. of IEEE International Conference on Computer-Aided Design, pp. 130-133, Nov. 1990. [19] P. Wolper and V. Lovinfosse, “Verifying Properties of Large Sets of Processes with Network Invariants,” in Lecture Notes in Computer Science: Automatic Verification Methods for Finite State Systems, vol. 407, editor J. Sifakis, SpringerVerlag, pp. 68-80, June 1989.
