ITR: Automated Verification of Asynchronous Software Systems

Gianfranco Ciardo�

Gerald Luettgen†

Project Summary

The proposed research is devoted to the development and implementation of novel sequential and parallel al-gorithms for the verification of asynchronous software systems, such as communication protocols and distributedor embedded software. Existing automated techniques to verification via state–space exploration, in particularsymbolic model checking based on Binary Decision Diagrams (BDDs), focus on verifying synchronous hardwareand software. Although symbolic model checking may in principle be applied to debugging asynchronous soft-ware systems, this poses new challenges which are not or only insufficiently addressed in the literature. Mostimportantly, the inherent complexity of asynchronous software makes state–space exploration a time–boundproblem, in addition to a memory–bound problem. The proposed work addresses these two fundamental limita-tions by developing algorithms that employ Multi–valued Decision Diagrams (MDDs) and Boolean Kroneckeroperators to encode sets of states and transitions, respectively, in contrast to BDDs traditionally used for bothpurposes. This paves the way for exploiting the property of event locality that is inherent in asynchronoussoftware and, thereby, for greatly improving the efficiency of sequential algorithms and enabling their efficientparallelization. The project will focus on the following lines of inquiry:

1. The investigation of design choices for sequential MDD–based state–space generation algorithms exploit-ing event locality, and the development of sequential model checkers on top of these algorithms.

2. Shared–memory and distributed–memory parallelizations of the above algorithms and of the accordingmodel checkers.

3. The conduct of case studies involving access protocols in distributed B–tree algorithms and avionics sys-tems to assess the utility of the work.

This research will greatly enhance the applicability of state–space exploration techniques, especially symbolicmodel checking, to the verification of asynchronous software systems. The implementation of the derived algo-rithms in form of C

���packages will allow an easy integration and comparison with other existing verification

and validation tools, as well as with industrial design tools. The packages will be made web–accessible forremote execution at the College of William and Mary, in order to gather run–time statistics that will enable tofine–tune its performance with increasing experience. Last, but not least, this project is an excellent opportunityfor exposing graduate and undergraduate students to advanced software engineering technologies, as it com-bines the important topics of parallel and distributed algorithms and state–of–the–art verification and debuggingtechniques, whose industrial relevance is on the rise.

�Department of Computer Science, The College of William and Mary, Williamsburg, VA 23187–8795. E–mail: ciardo@cs.wm.edu.

URL: www.cs.wm.edu/ � ciardo (Principal Investigator)†Department of Computer Science, The University of Sheffield, Regent Court, 211 Portobello Street, Sheffield S1 4DP, UK. E–mail:

g.luettgen@dcs.shef.ac.uk. URL: www.dcs.shef.ac.uk/ � luettgen (International Collaborator).

1 Overview

A key component of today’s information technology is the software for distributed embedded systems; examplesinclude mobile applications such as communication and electronic commerce protocols [54, 86], as well asavionics and automotive systems [101, 119]. Despite their growing presence, distributed embedded systems aredifficult and expensive to design and debug. The main challenge lies in the inherent asynchrony of distributedsystems, which may result in subtle and often unanticipated interactions of system components. Thus, the qualityassurance of these systems currently relies on extensive testing. Indeed, industrial practice shows that testingbudgets represent about half of the development costs. Nevertheless, system errors still arise with sometimesdevastating consequences, either financially or for personal safety [100].

Formal verification offers an appealing approach to complement testing with mathematical methods thatdetermine whether a system satisfies its requirements. Formal techniques, relatively new to software engineering,are successfully used in other engineering disciplines. In fluid dynamics, for example, computational airframemodels enable engineers to quickly analyze the quality of different designs. Although this approach does notmake the testing of the real product obsolete, it reduces the need for expensive wind–tunnel testing. Analogously,formal verification can benefit the development of software by assisting in quickly revealing errors, omissions,and inconsistencies in designs and implementations. Research in this area has already led to the emergence offully–automated verification techniques such as temporal–logic model checking [52, 56, 109, 136], which helpmake formal methods accessible to non-specialists. The growing number of case studies involving commercialproducts (see [58] for an overview) and the fact that several vendors, e.g., Cadence, Synopsys, and Telelogic, selltools with formal verification support attest to this development.

Verification of asynchronous software systems. Despite the evident advantages of using automated formalverification in system development, these techniques are very sparsely employed in information technology ap-plications, especially in the development of software for distributed embedded systems. To understand the reasonfor this, we consider the model–checking approach in more detail. Model checking involves the use of decisionprocedures to automatically determine whether a finite–state machine satisfies a specification given as temporal–logic formula. This is done by systematically generating and exploring the state space of the system underconsideration. Since state spaces of real–world software systems tend to be very large, symbolic representationsare frequently used for storing and manipulating them efficiently. Of particular importance for symbolic repre-sentations are Binary Decision Diagrams (BDDs) [1, 27, 28], which triggered the success of model checking inthe hardware industry, as recent articles in the EE Times show [79, 140]. Indeed, the behavior of synchronousdigital circuits can straightforwardly be encoded in BDDs.

However, BDD–based model checking [29, 34, 112] faces serious problems when applied to software sys-tems, especially to asynchronous software. The reason for this is the inherent higher complexity of distributedsystems, as their state spaces tend to explode with the number of system components. This does not only leadto BDDs that are often too large to fit in the memory of a single workstation, but it also requires a fair amountof time for constructing the state spaces. In fact, many engineers use model checking as an advanced debuggingtechnique and expect feedback within minutes, not hours [89]. Hence, when considering asynchronous software,state–space generation and exploration become time–bound problems, in addition to memory–bound problems.Although several efforts have been made to parallelize algorithms for generating and manipulating BDDs onshared–memory and distributed–memory architectures, thereby utilizing the larger memory and higher compu-tation power available on those machines, little or no speed–ups have been achieved. Recent work by the PI ofthis proposal and his international collaborator, however, shows potential for very significant improvements forthe class of asynchronous software systems [38]. This is due to the following observations:

1

• Multi–valued Decision Diagrams (MDDs) [95, 117] and Boolean Kronecker operators [4, 23, 31] canoften be much more compact than BDDs in encoding the state space and next–state function of a globally–asynchronous locally–synchronous system, in particular distributed embedded software.

• Asynchronous software — in contrast to hardware or synchronous software — has an inherent notion oflocality. We refer to this locality as event locality [40], as asynchronous software is usually event–driven.Event locality enables a new class of fundamentally different approaches to symbolic manipulation thathave so far not been explored in the literature.

Our results show that a prototypic sequential algorithm for state–space generation based on these ideas is severalorders of magnitude faster and more memory–efficient than existing BDD–based algorithms [38, 46, 47, 117].While these preliminary achievements are impressive, our findings have also introduced many novel researchquestions and challenges which deserve further investigation; this proposal elaborates on them.

Research agenda. The goal of this research project, which involves a collaboration between the PI at theCollege of William and Mary and an international collaborator at the University of Sheffield, UK, is to developmathematically well–founded and practically useful algorithms for constructing and exploring state–spaces ofasynchronous software systems. The specific topics to be investigated include the following.

• MDD–based algorithms for state–space generation and model checking. We propose to develop andimplement time– and space–efficient sequential state–space generation and model–checking algorithmsfor asynchronous software systems. The novelty of these algorithms, compared to approaches reported byother researchers, will be the use of MDDs and Kronecker operators instead of the much more commonBDDs and, most importantly, the exploitation of event locality and iteration control to affect the order inwhich MDD nodes are explored.

• Parallel implementations of the algorithms. We will investigate parallelizations of the above algorithmsfor shared–memory and distributed–memory architectures. In contrast to related work, the parallelizationwill be done along the notion of event locality. We expect that this will significantly speed–up state–space generation while utilizing the larger memory available on parallel machines, in particular PC clustersand networks of workstations. Major issues to address concern load balancing and cache consistency inthe shared–memory case, and additionally message overhead reduction and termination detection in thedistributed–memory case.

• Tool integration and case studies. We will integrate the sequential and parallel algorithms — as well asthe symbolic model checker built on top of them — in the tool SMART [39]. This will allow us to conducttwo case studies to evaluate all aspects of our research. The first case study deals with the verification ofnew speculative parallel B–tree algorithms. The second case study is concerned with applying symbolicmodel checking to reveal deficiencies in the human–computer interaction between aircraft pilots and digitalflight decks.

The proposed research will greatly enhance the applicability of state–exploration techniques and symbolic modelchecking to the verification and analysis of asynchronous software systems. The implementation of the derivedalgorithms as C++ packages will allow for an easy integration in other existing verification and validation tools,as well as with industrial design tools. Moreover, all algorithms will be made web–accessible for remote ex-ecution at the College of William and Mary, thereby promoting their uptake and dissemination in the widerresearch community. We plan to complement the project with courses, seminars, and reading classes for graduatestudents. The proposed research is an excellent basis for teaching, as it combines the two important topics ofparallel and distributed algorithms and advanced software engineering technologies for debugging and verifyingasynchronous software.

2

2 Background on State–space Generation and Exploration

Sequential techniques and algorithms for state–space generation and exploration can be classified accordingto whether they employ explicit or symbolic representations of state spaces. Of particular importance to thisproposal are symbolic algorithms as well as the relatively few published approaches to their parallelization.

2.1 Sequential Explicit Techniques

Explicit techniques represent state spaces by trees, hash tables, or graphs, where each state corresponds to anentity of the underlying data structure [30, 40, 67, 87]. Thus, the memory needed to store the state space of asystem is linear in the number of the system’s states, which in practice limits explicit state–space techniques tofairly small systems having at most a few million states.

For state–space generation, however, reduction techniques may be applied to reduce the sizes of state spaces.Such techniques minimize state spaces with respect to behavioral equivalences [69], interface specifications [81]provided by the system designer, or partial orders [55, 77, 78, 131, 132, 159] inherent in the interleaving seman-tics for asynchronous systems. Other techniques, such as bit–state hashing [88], focus on storing states using aslittle memory as possible.

For state–space exploration, the most popular technique is temporal–logic model checking [52, 56, 136].Temporal logics [70, 71, 108, 154] support the formulation of assertions about a system’s behavior evolving overtime. To verify a system, one specifies its desired properties as formulas that the system should satisfy. These in-clude safety properties, defining what should always be true of a system, and liveness properties, describing con-ditions that a system must eventually satisfy. For example, one might require that a communications protocol isalways deadlock–free (a safety property) and that it eventually delivers messages (a liveness property). Temporallogic has been the subject of intensive research in the past twenty years. Numerous variants, including Computa-tion Tree Logic (CTL) [52], CTL � [71], the µ–calculus [98, 154], and Linear–time Temporal Logic (LTL) [160],have been designed and techniques for proving systems correct have been developed [84, 109]. When the systemsconsidered are finite–state, “proofs of correctness” may be conducted automatically using decision proceduresknown as model–checking algorithms, implemented in model checkers. Several such approaches working onexplicit representations of system models have been introduced [17, 51, 52, 61, 76, 78, 104, 160], and variouscase studies testify to their practical utility [58]. For good surveys on temporal logics and model checking,see [70, 154] and [56, 109], respectively.

To improve efficiency, model–checking tools [59, 60, 67, 87] often employ partial–order techniques [75, 77,130], reduction methods based on exploiting symmetries of state spaces [53], or both [72]. Moreover, composi-tional [8, 57, 99, 148] and so–called partial [6] approaches to model checking have been developed, to avoid theneed to construct the overall state space of a distributed system by gradually analyzing its components. Finally,it should be mentioned that explicit techniques for state–space generation have proved an especially useful firststep if one is interested in the numerical analysis of Markov processes defined over such state spaces [31, 96].

2.2 Sequential Symbolic Techniques

Symbolic techniques allow one to store and manipulate sets of states in sublinear space. Most of them rely onBinary Decision Diagrams (BDDs) to represent Boolean functions efficiently [1, 27], into which state spacescan be mapped. The advent of BDD–based techniques pushed the manageable sizes of state spaces to 1020 ormore states [34]. A BDD is a compact representation of a full Boolean decision tree over K variables, obtainedby merging common subtrees. In particular, a BDD is ordered if the variables labeling the nodes on any pathfrom the root to a leaf respect the order

�xK ��������� x1 � , and is quasi-reduced if it contains no duplicate nodes.

Note that a BDD can be exponentially more compact than its corresponding decision tree, but the degree of

3

compactness depends on the variable ordering chosen; unfortunately, finding an “optimal” ordering is an NP–complete problem [21]. The most commonly employed type of BDD is the reduced ordered BDD (ROBDD)[27, 28], where redundant nodes having identical children are eliminated. However, both BDDs and ROBDDsare canonical representations of Boolean functions).

The efficient implementation of BDDs requires to essential hash tables: a unique table to store and retrieveBDD nodes, and a cache to eliminate the need of evaluating a Boolean operation on a given combination of nodesmore than once. Several C or C++ manipulation packages for ROBDD are available [18, 22, 93, 137, 139, 149].Their efficiency has traditionally been measured by applying them to well–established circuit benchmarks, suchas ISCAS85 [25] and ISCAS89 [24]; we refer the reader to [146, 161] for extensive performance studies ofsome of these packages. Probably the most important application areas of BDDs are state–space generationand model–checking algorithms [5, 29, 34, 62, 82, 112]. Various commercial tools have been built using theexperience gained with academic model–checking tools [59, 63, 111, 112], and BDD–based techniques havebegun attracting industrial attention [79, 140] for hardware verification. Symbolic model checking has alsobeen investigated for analyzing software, often specified with Petri nets [20, 128, 129, 143, 165]. However, theresulting state spaces are usually too large to be represented using BDDs. One reason is that the behavior ofsoftware cannot be encoded as naturally in BDDs as that of digital circuits.

Several approaches have been studied to further improve the efficiency of BDD–based algorithms. Regard-ing time efficiency, breadth–first BDD–manipulation algorithms [10, 125, 126] have been explored and comparedagainst the traditional depth–first ones. However, the results show no significant speed–ups, although breadth–first algorithms lead to more regular access patterns of hash tables and caches. Regarding space efficiency, afair amount of work has concentrated on choosing appropriate variable orderings and for re–ordering variableson–the–fly [21, 68, 73, 74, 94, 135, 144, 158, 164]. Other sophisticated techniques exploit the component–basedstructure inherent in many digital systems, including partial model checking [7], transition–relation partition-ing [33], and conjunctive decompositions [113]. Moreover, variants of BDDs able to support reasoning aboutaspects of real–time [85, 145, 163] and probability [13, 118] have been suggested. Finally, we point out that afew approaches to symbolic model checking have been developed, which do not rely on decision diagrams butinstead on arithmetic and algebraic representations [11, 19, 20, 32].

2.3 Parallel Techniques

Both explicit and symbolic parallel state–space generation methods have been actively researched. Explicit tech-niques partition state spaces over multiple processors, thereby improving execution time and exploiting the largeroverall main memory available on parallel machines. Many distributed–memory implementations reported in theliterature (e.g. [152]) store states in a two–level hash table, where the use of a universal hashing function de-termining the processor “owning” a state ensures a randomized load balance. The reported speed–up is almostlinear on a 32 node network of workstations (NOW) with a fast connection (Myrinet). In [35] state spaces areaccessed via a hashing function defined on selected state components, in such a way that most transitions arebetween states owned by the same processor. The resulting speed–up is about linear for large enough problems,both on an IBM SP–2 and on a network of SUN Sparc workstations connected via 10Mb Ethernet. A differentapproach is used in [124], where states are stored in a balanced search tree. The first few levels of the tree areduplicated on each processor, while the remaining subtrees are mapped to individual processors. Dynamic loadbalancing is achieved by reassigning entire subtrees to different processors. Also shared–memory algorithmshave been proposed for explicit state–space generation. For example, in [2] state spaces are stored in a B–tree,and an advanced locking mechanism on the tree nodes is used to reduce processor idle time and achieve goodspeed–ups.

Symbolic techniques share many issues with explicit techniques, such as load balancing, communicationoverhead, and termination detection. In addition, the parallelization of the algorithms is a problem in itself since

4

the traditional depth–first recursive BDD algorithms are inherently sequential [166]. Indeed, previous work ondistributed–memory BDD algorithms stresses the ability of using the overall amount of memory on a NOW,but do not achieve meaningful speed–ups compared to single–processor implementations, unless the latter startusing virtual memory. In [138], BDD nodes are considered in a breadth–first order to improve memory accesspatterns and to reduce communication. However, four–processor execution is up to three times slower than for asingle processor. Similarly, [155, 156] show speed–ups only when the sequential execution cannot fit in the mainmemory. Even then, the reported results refer to a specialized Meiko CS–2 machine. In [9], “software pointers”are used for reaching beyond the 232 address–space limitation and solving the problem of pointer meaning acrossdifferent processors, but the approach shows no speed–up at all. In [115], a small speed increase is achievedfor ISCAS85 circuits [25]; the solution time on eight processors is 7% faster at best, but 176% slower at worst,when compared to the same code on a single processor. Only on an ad–hoc example, where the BDD has anexponential size in the number of variables, the speed–up reached 20%.

Better speed–ups have instead been demonstrated for shared–memory BDD algorithms. In [97] a speed–up factor of 10 is achieved using 15 of the 16 processors of an Encore Multimax. The algorithm employs thetraditional BDD top–down recursion followed by bottom–up reduction. In [162] a hybrid approach with a limitedbreadth–first expansion is applied. More precisely, when too many nodes of a given level are in the work queue,the algorithm switches to depth–first, which has much smaller memory overhead. Speed–ups up to a factor offour are achieved on an eight–processor SGI Power Challenge with 1 GB of shared memory.

3 Proposed Work

The advent of BDDs increased the size of manageable state spaces by orders of magnitude and paved the road tosuccessful industrial applications of symbolic model checking for hardware and synchronous software. However,asynchronous software systems pose new challenges for symbolic state–exploration algorithms, for the followingreasons:

• Space limitations. State spaces of real–world distributed and embedded software systems are often beyondthe limits of ordinary workstations. This is even true for BDD–based representations, where the memoryrequirements are linear in the number of BDD nodes, not in the number of encoded states. As the numberof nodes varies during state–space generation, the peak BDD size is a critical factor. On a workstation with1GB RAM, only up to 30 million nodes and their relative cache entries can be stored without making useof virtual or secondary memory.

• Time limitations. The generation of huge state spaces on a state–of–the–art workstation often takes hoursor even days. This is unacceptable to software engineers who are interested in obtaining fast feedback fromautomated verification tools.

In contrast to all related work, we suggest a fundamentally novel way to address these space and time limitationswhen studying asynchronous software systems. We employ Multi–valued Decision Diagrams (MDDs) [95]for encoding state spaces, paired with a Kronecker encoding of the next–state function, which is inspired bytechniques developed for the description and solution of large Markov chains [44, 31, 133, 153]. While beinga relatively straightforward extension of BDDs, MDDs are essential to enable our Kronecker representation,which, in turn, results in completely different symbolic algorithms that exploit the structural [45] properties ofthe system under study and greatly improve space and time requirements.

The key effect of our structural approach is to enable a much finer manipulation of MDD nodes. With almostsurgical precision, we can forecast and apply the effect of each event in an asynchronous system on portionsof the MDD describing its state space, instead of using blunt monolithic applications of the next-state function

5

S4 � �0 � 1 � 2 � 3 �

S3 � �0 � 1 � 2 �

S2 � �0 � 1 �

S1 � �0 � 1 � 2 �

0 1 2 3

0 1 2 0 1 2

0 1 0 1 0 1

0 1 20 1 2 0 1 2

0 1 2

0 1

10

S � �0210 � 1000 � 1010 �1100 � 1110 � 1210 �2000 � 2010 � 2100 �2110 � 2210 � 3010 �3110 � 3200 � 3201 �3202 � 3210 � 3211 �3212 �

Figure 1: A four–level MDD on�0 � 1 � 2 � 3 ��� � 0 � 1 � 2 ��� � 0 � 1 ��� � 0 � 1 � 2 � and the set S it encodes.

encoded as a huge MDD, as traditional approaches do. This will lead to the development of sequential algorithmsfor MDD manipulation and state–space generation, as well as model checkers working on top of these, that aresignificantly more space and time efficient, as illustrated by some of our preliminary results which we willdiscuss in the the next section. The capability of performing localized MDD manipulations will also enablethe development of parallel symbolic state–space generation and model–checking algorithms along lines that arevery different from those explored in the literature, promising significant speed–ups for both shared–memory anddistributed–memory implementations.

3.1 Sequential MDD–based State–space Generation and Model Checking

In the following we address the most important novelties for the proposed sequential algorithms: the use ofmulti–valued decision diagrams and Boolean Kronecker encodings, event locality, and iteration control.

Multi–valued decision diagrams and Kronecker encodings. Given a discrete-state system composed of Ksubsystems, a global state can be represented as a K–tuple of local states. Assuming finite state spaces, wecan enumerate each local state space Sk using traditional state–space generation techniques and identify it withthe range

�0 ������� ��� Sk �� 1 � of integers, for K k 1. Hence, a global state corresponds to a K–tuple of natural

numbers, and a set of states S can be represented by a characteristic function mapping the set SK ��� � ��� S1 to�0 � 1 � , which in turn can be encoded by an MDD [95]. In particular, we use quasi-reduced MDDs, an example

of which is illustrated in Figure 1: An internal node at level k is depicted as an array of � Sk � arcs to nodes atlevel k � 1, and state

�iK ������� � i1 � belongs to the set encoded by the MDD if and only if, starting at the root and

following the ik–th arc when in a node at level k, we reach terminal node 1.The next–state function N is usually encoded as a 2K–level decision diagram over

�xK � yK ��������� x1 � y1 � , where

xk and yk refer to the k–th state component before and after the step, respectively. Figure 2 illustrates insteadour approach on an example Petri net [120, 141] whose places have been partitioned into

�p � , � q � r � , � s � , and�

t � , defining four corresponding subnets. Central to our idea is the automatic extraction of structural informationfrom such a high–level model. First of all, a disjunctively–partitioned next–state function [33] has long beenconsidered effective for asynchronous systems. In our structural approach, this means recognizing a set E ofpossible events so that we can write N ��� α � E Nα, where Nα

�iK ��������� i1 � describes the states reachable from

state�iK ��������� i1 � when event α occurs. We use a further decomposition along a different axis, by expressing the

effect of an event on each submodel (level of the MDD). For example, the occurrence of event/Petri net transitiond changes the local state of the two subnets defined by

�s � and

�t � and no other local states. This is reflected by

the “level � event” table shown on the right of Figure 2: the top two entries in the column for event d are empty,i.e., they are identity matrices. The result is an extremely compact representation of N as the Boolean Kroneckerexpression ∑α � E � K � k � 1 Nk � α or, in other words,

�jK ��������� j1 ��� N

�iK ��������� i1 ����� � α � E ��� k � � K ��������� 1 � � Nk � α � ik � jk � � 1 �

6

a

b c d

e

p

q s

r t

event : a event :�b � c � event : d event : e

S4 � � p0� p1 �� �0 � 1 � N4 � a :

�0 01 0 � N4 � e :

�0 10 0 �

S3 � � q0r0� q1r0� q0r1 �� �0 � 1 � 2 � N3 � a : � 0 1 0

0 0 00 0 0 � N3 � � b � c � : � 0 0 0

0 0 10 1 0 � N3 � e : � 0 0 0

0 0 01 0 0 �

S2 � � s0� s1 �� �0 � 1 � N2 � a :

�0 10 0 � N2 � d :

�0 01 0 �

S1 � � t0� t1 �� �0 � 1 � N1 � d :

�0 10 0 � N1 � e :

�0 01 0 �

Top�a � : 4 Top

� �b � c � � : 3 Top

�d � : 2 Top

�e � : 4

Bot�a � : 2 Bot

� �b � c � � : 3 Bot

�d � : 1 Bot

�e � : 1

Figure 2: A Petri net partitioned into four submodels and the resulting Kronecker matrices encoding N .

Our preliminary results with using MDDs to store the state space and Kronecker encodings to store the next–statefunction, reported in [117], were extremely encouraging, but also raised several important questions that need tobe addressed:

• How to obtain a good partition? The only requirement on the partition defining the subsystems, each ofwhich is then mapped to a different MDD level, is that it is consistent [45] with the Boolean Kroneckerexpression of N . We originally called this property “being in (logical) product–form” [44], since it hasstrong similarities with the analogous one for product–form queuing networks [14], which deals, however,with real–valued quantities. In our tool SMART [39], the system is specified as a Petri net and it is pos-sible to automatically derive the finest consistent partition or, alternatively, to check that a user–specifiedpartition is consistent. However, we have shown in [117] that the partition choice greatly affects the effi-ciency of the computation. While it is clear that the reduced height of MDDs vs. BDDs, which is due tothe use of integer variables instead of binary variables can be an advantage, we also experienced that toofew levels with very large nodes cannot be stored or handled efficiently. Thus, we propose to investigateheuristics to coarsen the finest partition with the goal of reducing space and time requirements. We expectstructural model information, e.g., place–invariants in the case of Petri nets [120], to provide the basis forsuch heuristics.

• How do partitioning and variable ordering interrelate? It is well known that variable ordering affects thesizes of BDDs and MDDs. We expect heuristics derived for model partitioning to be strongly influencedby the order in which the K subsystems are considered. Indeed, it is likely that good heuristics will haveto consider both variable ordering and partition ordering. In comparison to BDDs where only the variableordering needs to be chosen, our approach certainly provides greater flexibility, but also presents a morechallenging optimization problem.

• How can MDD nodes be shared efficiently? While state–space generation builds a single MDD, modelchecking operates on multiple sets of states, each encoded as an MDD on the same set of K variables. Forefficiency, nodes must be shared between different MDDs, just as in BDD approaches [12, 116, 135, 157,158]. Using MDDs instead of BDDs does not complicate matters in this respect. However, in conjunctionwith the advanced ideas we discuss next, where MDDs are not necessarily traversed from top to bottom,keeping track of nodes belonging to different MDDs requires more complex solutions.

7

Event locality. Key improvements we propose emerge from the inherent event locality [40] of asynchronousevent–driven systems. In such systems, the occurrence of an event changes only some components of the globalstate vector. Due to our mapping of subsystems to MDD levels, we can exploit event locality to explore MDDsonly between the maximum level Top

�α � and the minimum level Bot

�α � affected by each event α. This range

of levels (see Figure 2) can be extracted automatically from the high–level description of the system prior tostate–space generation. To benefit from this observation, we access MDD nodes by “jumping in the middle”of MDDs, to level Top

�α � , rather than always starting MDD operations at the root, as is done by traditional

approaches. Moreover, operations on MDDs — such as those corresponding to the union or intersection of theencoded state spaces — can update nodes in–place rather than returning their results by creating new nodes, asis done in previous works. These observations led us to the prototypic algorithms reported in [38], where wedemonstrated up to one of order of magnitude speed–ups over those in [117]. Furthermore, the improvementgrows with the height of MDDs. Accessing nodes in the middle and updating them in place, however, means thatthey may become non–unique and have to be deleted. We then need to notify upstream nodes, i.e., nodes towardsthe roots, of this change, while traditional BDD approaches only have to follow links downstream, i.e., towardsthe leaves. In this research context, several issues remain open:

• What are the design choices regarding level–wise data structures? Most of a memory’s node stores thearcs to its descendants. Exploiting locality implies that we need to store, organize, and provide accessto nodes by levels. Our adoption of quasi–reduced MDDs already helps this task: forcing arcs to spanonly one level simplifies and reduces node storage, possibly more than offsetting the space occupied byredundant nodes. We need experimental data to establish whether this is a good trade–off. Also, regardingthe upstream propagation of work, several solutions should be explored.

• Can we exploit locality to reduce cache memory requirements? For state–space generation, when exploringevent α in a node at level Top

�α � , our algorithms access that node once, directly. Traditional approaches

instead access that node once for each of its incoming arcs, and use the operation cache to make all but thefirst access inexpensive. Hence, we can save memory by storing in the cache the result of exploring α onlyin nodes at levels below Top

�α � and up to Bot

�α � , but not at level Top

�α � itself. Additional ways to save

on cache entries along these lines should be explored.

• Should the partitioning and variable–ordering heuristics favor a high degree of event locality? The par-tition chosen for the model determines the levels affected by an event α, while the submodel order de-termines the distance between Top

�α � and Bot

�α � . Execution time improves when most events interest a

small range of levels; thus, our partitioning and ordering heuristics should try to minimize, for example,∑α � E

�Top

�α � � Bot

�α ��� . Figure 2 illustrates another interaction between locality and partitioning: observe

that we have merged events b and c into a single macro–event�b � c � , since both affect only level 3 of the

MDD. Reducing the number of events that need to be considered increases the efficiency of state–spacegeneration, and, in the example, this would not be possible if we would assign places q and r to differentsubnets. However, we must remember that the main goal of the partitioning and ordering heuristics is toreduce the size of the generated MDDs.

Iteration control. Another aspect we intend to explore in conjunction with event locality concerns the or-der in which MDD nodes and system events are considered by fixed–point operations such as those needed forstate–space generation or symbolic model checking [56, 112]. In our initial experiments with state–space genera-tion [38], we partitioned the events E into K classes, EK ��������� E1, where Ek containing all events affecting level kand possibly lower levels, i.e., all α for which Top

�α � � k. Then, we explored the MDD nodes not in depth–first

or breadth–first fashion starting at the root, but by levels. More precisely, we directly access all nodes at thebottom level, 1, and apply the next–state function for the events in E1. Then we consider all the nodes at level 2,

8

and so on, up to the nodes at the top level, K. This completes one iteration. The intuition behind this approachis to find as many new states as soon as we can. This simple idea to guide event exploration works very well,and it can even reduce the number of iterations required for convergence: by exploring events affecting higherlevels after those affecting lower levels, we effectively increase the likelihood of performing multiple next-statefunction steps in a single iteration. For example, employing this idea, the classic model of the dining philosophersand that of a slotted ring network converge in two and N � 2

�2 iterations, respectively, instead of the 2N

�1 and

N2 � 16 iterations required by the standard BDD approach used in [129]; here, N is a model parameter affectingthe implied state–space sizes.

However, we achieved by far the largest impact along these lines using the idea of saturation [46]. Given theMDD encoding the initial system states, we consider each node at level k, starting from level 1 and moving up,and repeatedly apply all events in Ek to it until no more states are found, i.e., until the set encoded by the nodehas reached a fixed point with respect to Ek. This saturation can cause the creation of new nodes at lower levels,which are then recursively saturated right away before completing the saturation of the nodes above them. Theresulting algorithm has many desirable properties: the unique table needs to store only the saturated nodes, andthese are likely to remain useful throughout the execution (any unsaturated node placed in the unique table bytraditional algorithms is instead guaranteed to be eventually deleted); the operation caches are used in a muchmore localized way, thus their memory requirements are greatly reduced; finally, an event is explored on nodeswhose descendant are saturated, thus we again increase the likelihood of finding new states early. Saturation isquite innovative in that it has no concept of global fixed–point iteration: state–space generation ends when theroot MDD node is reached and saturated.

Each of our improvements (MDDs, Kronecker encodings, locality, and saturation) has a cumulative effect. Ta-ble 1 compares their preliminary implementation in our tool SMART with the widely–known model checkerSMV, or to be precise, its public–domain incarnation NuSMV [50] that is implemented around optimized, stan-dard BDD–based techniques. In addition to the dining philosophers model from the NuSMV distribution, weconsider models of a slotted ring network [129], a round–robin mutual exclusion protocol [81], and a flexiblemanufacturing system [49], all of them parameterized by an integer N affecting the state–space sizes. For eachmodel we report the final and peak memory (in kilobytes) required to store the state space and the runtime (inseconds), for a small value of N and for the largest value of N that NuSMV or SMART can comfortably solve. Thetable clearly shows that our algorithm outperforms classical algorithms by up to four orders of magnitudein time and over three orders of magnitude in memory, and the gap keeps increasing as models grow.

Model checking. The abovementioned very encouraging results in state–space generation prompt us to adaptour ideas to the more general setting of symbolic model checking, for which the most challenging question is thefollowing:

• Can we use iteration control strategies for model–checking? We have clearly shown that saturation excelsat state–space generation, which is essentially analogous to the EF operator in CTL. The EG operator,instead, requires to restrict the exploration only to paths along which a certain property q holds at all times.This is traditionally done by alternating one step of the previous–state function1 and one intersection withthe set of states where q holds. This would apparently preclude the possibility of applying saturation, whichhas no concept of “step.” However, a structural analysis of the high–level model can help, since it allowsus to determine which events may affect predicate q. We can then apply saturation only for those that donot affect q, while using the traditional approach for the ones that do. Analogously, more efficient fairnesschecks might be possible as well by using saturation–based iterations that isolate events affecting (or not

1In our setting, the previous–state function is simply obtained by transposing our Kronecker matrices encoding the next–state function.

9

N Reachable Final memory (kB) Peak memory (kB) Time (sec, 800MHz P-III)states SMART NuSMV SMART NuSMV SMART NuSMV

Dining Philosophers (N MDD levels)50 2.23 � 1031 18 10,800 22 10,819 0.15 5.90

200 2.47 � 10125 74 27,155 93 72,199 0.68 12,905.7010,000 4.26 � 106269 3,749 — 4,686 — 877.82 —Slotted Ring Network (N MDD levels)

10 8.29 � 109 4 5,287 28 10,819 0.13 5.5015 1.46 � 1015 10 9,386 80 13,573 0.39 2,039.50

200 8.38 � 10211 1,729 — 120,316 — 902.11 —Round Robin Mutual Exclusion (N+1 MDD levels)

20 4.72 � 107 18 7,300 20 7,306 0.07 0.80100 2.85 � 1032 356 16,228 372 26,628 3.81 2,475.30300 1.37 � 1093 3,063 — 3,109 — 140.98 —

Flexible Manufacturing System (19 MDD levels)10 4.28 � 106 16 1,707 26 11,238 0.05 9.4020 3.84 � 109 55 14,077 101 31,718 0.20 1,747.80

250 3.47 � 1026 25,507 — 69,087 — 231.17 —

Table 1: Time and memory requirements: SMART (MDD/Kronecker–based) vs. NuSMV (BDD–based).

affecting) a certain property. The feasibility and effectiveness of such an approach will need extensiveinvestigation.

Due to the subtleties of the many issues involved in devising an efficient sequential model checker, we areplanning to formally proof its correctness with the help of a theorem prover, such as PVS [127]. This requiresbuilding a library for reasoning about shared MDDs and devising proof strategies/tactics that can dischargeproofs of simple statements automatically. While this requires some effort that will largely be put–in by theinternational collaborator, it will almost certainly permit one useful insights into the properties of our model–checking algorithm, which might in turn be exploited to improve the algorithm further.

3.2 Shared–memory and Distributed–memory Algorithms

Especially when studying distributed software, the sizes of MDDs grow very rapidly. Hence, parallel algorithmsfor MDD–manipulations might be the answer for providing results in a timely manner. Unlike previous ap-proaches to parallelize BDD operations mentioned in the background section, we intend to find parallelism at theevent level by exploiting event locality. For distributed–memory approaches, this will not only allow us to utilizethe significantly larger main memory available on PC–clusters and networks of workstations, but also providethe much needed speed–up that has eluded researchers so far.

Parallelization for shared–memory architectures. For the design of shared–memory algorithms we will fo-cus on investigating the following major issues:

• What sources of parallelism should be exploited? Our sequential approach lends itself to both event–basedparallelism, where each event is explored by a single thread over entire MDDs, and level–based parallelism,where all events are explored by a single thread over a given level. It is possible that the best option willbe a mixture of the two. Neither kind of parallelization has been considered for symbolic state–spacegeneration or symbolic model–checking before.

10

• How to maintain cache consistency? Regardless of the parallelization choice, it is certain that the operationcaches will be examined by many threads. Since cache look–up is an extremely frequent operation, it willbe imperative to use cache access protocols which do not result in large run–time penalties. Hence, suchprotocols must either avoid the use of locks or use them very progressively.

• How to minimize idle time? With event–based parallelism, threads will require locks on individual MDDnodes to ensure exclusive access. The algorithms to be developed must exploit the large number of MDDnodes to their advantage, reducing the likelihood of threads having to wait at locked nodes.

Our shared algorithms will be initially developed on the four-processor Sun workstations available in the PI’sdepartment, under Pthreads [103]; if needed, the PI will secure access to multiprocessors with larger number ofnodes. To assess the effectiveness of our parallelizations in terms of run–time results, these algorithms will beapplied to the same case studies as the sequential algorithms. In addition, the algorithms will also be formallyverified.

Parallelization for distributed–memory architectures. For distributed–memory architectures, the algorithmswe intend to develop will focus on two important goals, namely achieving parallelism and reducing communica-tion overhead. Event locality will play a key role for achieving both goals.

• How to achieve high, scalable levels of parallelism? Assuming that the number K of levels is larger thanthe number N of processors, we can partition the levels into N contiguous ranges and assign each range toa different processor. Then, event locality will allow us to trigger event exploration at the required locallevels and events in different ranges will be naturally explored in parallel, without the obvious bottleneckof having to start all work at the top level of MDDs. Alternatively, we will explore the allocation ofindividual nodes to processors, with the goal of keeping the range of most events within a single processor,as much as possible. However, this will imply more complex pointer management, and the run–time costsof this choice should be carefully evaluated against the increased flexibility. Since many of the allocationheuristics will be based on purely structural considerations, they can be taken into account in a preliminaryanalysis step, prior to any fixed–point iteration.

• How to achieve memory and load balance? With a partition of levels over processors, memory and loadunbalance can be corrected by shifting the border between ranges. With the finer granularity achieved byassigning nodes to processors, balancing should be easier. Another issue to consider when partitioning thelevels or nodes over the available processors will be the number of arcs connecting nodes on different pro-cessors. This is analogous to a problem we discussed in [35] for explicit state–space generation, althoughassessing the effect of different design decisions is much harder in the symbolic case we intend to tackle.

• How to best manage message passing? In most MDD manipulations, work requests will be propagatedtowards the MDD leaves, while the results will be propagated towards the MDD roots. According toour strategies for parallelization, this requires to pass messages between different processors. While thefrequently used technique of batching messages allows for lowering communication overhead, it will haveto be carefully tuned to limit the danger of increasing processor idle time.

• What procedure should be used to detect termination? In [35], we used a barrier synchronization [122] fordetecting termination. However, many options for termination detection exist in a distributed environment;see [110] for an extensive taxonomy of such algorithms. The best algorithm to fit our needs will have to beevaluated carefully.

11

We plan to implement the distributed algorithms using MPI (either MPICH or LAM) [147] and run them onBeowulf–style PC–clusters [151]. One such large cluster is already available to the PI, whose department is amember of the College of William and Mary Computational Science Cluster. As with our previous algorithms,the distributed ones will also formally proved analyzed using a theorem prover, to ensure their correct operation.

3.3 Tool Integration, Benchmarking, and Case Studies

To evaluate our research, we will first employ our sequential and parallel MDD–manipulation algorithms todevelop and implement model checkers for the temporal logic CTL [52] within our tool SMART [39]. Theutility of our algorithms are then evaluated in two ways. First, their performance will be analyzed using anovel benchmark that we are planning to devise. Second, we will conduct two case studies which promise tobe particularly challenging. One case study deals with the verification of new access protocols in distributedB–tree algorithms. The other case study concerns the application of formal verification to investigate issues ofhuman–computer interaction in avionics systems, a problem in which our international collaborator has expertise.Together, the case studies are meant to be illustrative of the application areas targeted by the proposed work.

Tool integration. The algorithms we are going to develop will be implemented in SMART, a modeling tool forthe logical and timing analysis of complex systems, which is developed under direction of the PI at the Collegeof William and Mary and is written in C++.

Interfacing and input languages. The architecture of SMART has a clear separation between the front–end(user–visible interface, languages, and high–level formalisms) and the back–end (state–space generators, Markovsolvers, and discrete–event simulators). This means that inserting new “solution” modules, such as model check-ers, can be done with relatively little effort, as most of the remaining code is not affected by such modifications.As a consequence, any high–level formalism, as well as any other solution module requiring state–space gener-ation as a preliminary step, can immediately make use of the new techniques we will provide. For the type ofapplications we envision, one very appropriate language front–end, namely Petri nets [120, 141], is already fullyimplemented. It is currently being extended by constructs that allow for an easier component–based specifica-tion of systems. This will in particular support elegant specifications of distributed software systems which areconsidered in this proposal. As previous work has shown, it is also easy to integrate MDD-based manipulationroutines [38, 46, 47, 117] into SMART.

Symbolic model checking. SMART supports the description of “atomic propositions” as expressions relatingthe number of tokens in the places of a Petri net. Then, building on these propositions, SMART provides thefunctionality of a basic CTL [52] model checker. However, much work still needs to be done in this area, bothto provide witnesses and counter–examples, and to increase its efficiency to the same level of our state–spacegeneration algorithms: our goal is to remove one of the qualitative differences between symbolic state–spacegeneration and symbolic model checking mentioned in [161]. We plan to build a full–strength symbolic CTLmodel checker on top of our sequential and parallel MDD packages, as well as a better interface for inputtingCTL formulas into SMART and an output facility for complex witness or counter–example paths. With theefficient underlying MDD–manipulation routines we envision and our advanced iteration control, we expectSMART to be very time and space efficient when verifying asynchronous software. It should also be mentionedthat our implementation in form of C

� �packages will allow an easy integration and comparison with existing

verification and validation tools other than SMART, as well as with industrial design tools.

Benchmarking. As indicated earlier, the performance of symbolic model checkers is usually measured by apply-ing them to the well–established ISCAS85 [25] and ISCAS89 [24] benchmarks that include hardware examplesystems taken from circuit design. These systems have a synchronous semantics and thus the ISCAS benchmarksare not applicable to our model-checking algorithms, which are after all targeted towards verifying asynchronous

12

software systems. Indeed, the current literature does not provide any suitable benchmark for such asynchronoussystems, with many papers just briefly studying one or two small example systems each. In this light, we willdevise a new benchmark by systematically collecting a variety of asynchronous example systems that have beenstudied by those software engineers who are interested in the application of formal methods, as well as otherexample systems analyzed by concurrency theoreticians. This benchmark will be well–documented and madeavailable to the wider research community via the Internet. Of course, it will be used for evaluating the perfor-mance of the algorithms devised within this project. In addition, our algorithms will be made web–accessiblefor remote execution at the College of William and Mary. This allows for gathering run–time statistics that willenable to fine–tune the algorithms’ performance with increasing experience.

Case study: Parallel algorithm verification. The first case study focuses on a shared–memory algorithmfor parallel B–tree manipulation, currently being investigated by the PI [123]. B–trees [15] are a popular datastructure to index very large data sets frequently used in database applications including distributed databases forbanking and reservation systems. The need to allow concurrent access to B–trees, e.g., for distributed databases,was already recognized in [16], where a seminal mechanism based on various levels of node locks is described.Reader and writer processes descend the B–tree from its root, locking nodes before accessing their keys andcontents. A read lock on a node allows other readers, but not writers, to access it, while a write lock prohibitsother processes to access the node. However, locks introduce severe performance problems, both because theyreduce parallelism and because accessing a lock requires a substantial number of processor cycles on someparallel machines. The first problem is especially important with traditional concurrent access algorithms [16],where a process starts locking the root of the B–tree and continues locking nodes down on a path towards theleaves, unlocking them only when safe. For example, a writer unlocks a node only if its (locked) descendant onthe path is not full. This means that the first few levels of B–trees often contain several locked nodes and reducethe potential parallelism.

The approach we are investigating uses speculative computing in a B–tree environment with batched deletion,i.e., the set of keys is never decreased during concurrent operations. Readers do not lock nodes at all, but simplyrecord the modification count of the nodes encountered on their search path. If they find the sought key, theyare assured of correct operation. Otherwise, they check the current modification counts of the nodes on the pathagainst the recorded ones; if they match, they are again assured of correct operation, else they abort and restart theread. Such an approach can greatly increase parallelism if read operations constitute a majority of the accesses.Furthermore, it can speed up the execution if locks are expensive to acquire, since reads need no locks at all.

The correctness of our speculative approach, however, is quite hard to establish, as all possible interleav-ings of multiple writer and reader executions must be taken into account. Traditional testing is inadequate todiscover possible errors due to infrequent race conditions. We strongly believe that our parallel MDD–basedstate–exploration techniques will enable the investigation of the algorithm for realistic operating environments.In particular, we plan to model check whether the algorithm’s potential executions do not introduce any incon-sistencies in B–tree nodes (a safety property) and that every reader and writer is eventually permitted access (aliveness property). This will testify to the use of model checking in engineering practice.

Case study: Analyzing mode confusion. Deficiencies in human–computer interaction are increasingly con-tributing to incidents and accidents in air traffic [90]. Recent advancements in digital flight decks pose severalchallenges to aircraft pilots. As an example, consider flight guidance systems that are part of airborne flightcontrol systems. Flight guidance systems continuously determine the difference between the actual state of anaircraft — its position, speed, and attitude as measured by its sensors — and its desired state as indicated by thecrew or via the flight management system. In response, the system generates commands to minimize this differ-ence, which the autopilot may then translate into movements of the aircraft’s actuators. The complexity of the

13

underlying algorithms may, in situations of high workload, confuse pilots about the actual state in which the flightguidance system is. In human–factors research, this kind of confusion is referred to as mode confusion [102].

Our international collaborator has been involved with preliminary research aimed at identifying potentialsources of mode confusion, including the formal modeling and verification of a few simple, mostly synchronous,components of an idealized flight guidance system [114]. These were modeled as finite state machines, andthe mode–confusion properties of interest were specified as temporal–logic formulas. Investigated propertiesincluded (i) inconsistent behaviors, e.g., whether a switch or dial has different functionality in different systemstates, (ii) ignored operator inputs, e.g., whether a crew input does not eventually result in the desired change ofstate, and (iii) indirect mode changes, e.g., whether the system changes its state without crew input. Conventionalsymbolic model checking techniques turned out to be well suited for checking these properties [107, 121]. Theobtained results were very well received by avionics researchers and encourage us to continue the chosen path ofemploying symbolic model checking to analyze mode confusion.

In the proposed study, we plan to investigate new mode confusion properties involving the gathering anddisplay of mode information in the cockpit, by modeling large parts of real–world flight decks. In fact, manyproperties of interest can only be thoroughly analyzed when also several parts of the operating environment offlight guidance and flight control systems, such as switching panels, displays, and sensor and actuator behavior,are taken into account. This will lead to distributed asynchronous models with enormous state spaces that cannotbe handled by existing symbolic state–space exploration techniques — at least not if results are to be returnedwithin seconds, as hoped by human–factors researchers. Hence, this study will be an excellent candidate for ournovel parallel symbolic model–checking algorithms. In addition, we also expect the results to be of great interestto the avionics community.

3.4 Schedule and Distribution of Work

The first year of the project will concentrate on developing and implementing sequential algorithms for MDD–based state–space generation in which the PI, the co–PI, and the two graduate students will participate. ThePI and one student will focus on the algorithms’ design, while the co–PI and the other student will addresstheir proof of correctness, focusing in particular on proving correct cache management in conjunction with ouroptimizations. The integration of a model–checking front–end in the Petri net tool SMART [39] will also beaddressed in the first year. Our sequential algorithms will be fine–tuned in the second year and made web–accessible. Performance results will be collected by applying the algorithms to standard benchmark applicationsintroduced in the literature as well as to our two proposed case studies.

Work on both shared–memory and distributed–memory algorithms will begin in the second year. The PI andthe co–PI will oversee the designs regarding both directions, and each graduate student will specialize in oneof them. The aspects of exploiting event–locality and iteration control, which are already addressed in the firstyear, will continue to be investigated in the second year, as new issues are likely to emerge when parallelizingour algorithms. As with the sequential algorithms, the parallel algorithms will be implemented by the graduatestudents as soon as they are designed. By the beginning of the third year, the parallel algorithms will be madeavailable online. The third year will see a substantial implementation and experimentation effort on both shared–memory and distributed–memory algorithms. The last six months of the project will be dedicated to fine–tuningthese algorithms, to gather run–time statistics on execution and memory behavior, and to assess the speed–ups ofthe shared–memory and distributed–memory implementations.

Work on the proposed case studies will be done throughout the duration of the project. While the PI and onegraduate student will concentrate on verifying the concurrent B–tree algorithm, the co–PI together with the otherstudent will address the analysis of mode–confusion.

14

3.5 Synergy between Research and Education

The proposed research focuses on parallel and distributed algorithms for decision diagrams, targeting the applica-tion area of software verification. Knowledge of parallel and distributed algorithms and the ability to implementthem is an essential skill that all graduate students must acquire, and most of them are very much interestedin doing so. Decision diagrams are a data structure that should ideally be mastered by any graduate student aswell. Unfortunately, decision diagrams are often ignored in a standard curriculum, no doubt due to their rela-tively recent emergence as a useful and important data structure. The project we propose will provide ampleresearch opportunities for the graduate students involved, allowing them to learn about both parallel and dis-tributed algorithms and decision diagrams. It is certain that the project will also provide material for several PhDdissertations.

The investigators currently teach two courses related to the proposed research in the Department of ComputerScience at the College of William and Mary. The PI teaches the advanced graduate course CSci 746: Discrete–state Stochastic Models, where about 25% of the lectures are concerned with the concept of state space andtransition graph as well as with efficient techniques for their management. The co–PI, who has an adjunctassistant professor appointment in the department, teaches the course CSci 780: Program Verification, dedicatedto the mathematical foundations of program verification and analysis.

A new graduate, seminar–style course on Decision Diagram Technologies is being planned by the investi-gators. This will be a further vehicle to attract graduate students to the proposed topic, in addition to the threestudents already working on state–space techniques with the investigators. The first one, A. Miner, is now com-pleting his PhD work. A good portion of his thesis deals with decision diagrams and related structures, witha particular focus on stochastic modeling applications [40, 41, 117, 118]. The second student, R. Siminiceanu,is in his second year of the PhD program and has already co–authored a paper on improved decision diagramtechniques [38]. This paper describes the results of work he performed together with the PI (his advisor) and theco–PI (the external member of his PhD committee) during a summer stay at ICASE, the employer of the co–PI.The third student, M. Griffith, is completing her MS project on partial state–space generation using probabilisticmethods with the PI and has just been formally accepted in the PhD program.

The PI and co–PI strongly believe in the importance of implementing new research results in usable proto-types, with the goal of applying them to real–world problems. The tool SMART [40] is being successfully usedat the College of William and Mary as the platform for such prototypes, providing a synergistic advantage forall involved students, so far one undergraduate, one MS, and four PhD students. Regarding applications, theinvestigators will target both government agencies and private industries, where the enhanced abilities providedby the proposed research will enable the supported students to become involved with real projects. One partic-ular opportunity is in the area of aerospace applications, thanks to the investigators relations to NASA LangleyResearch Center and to the Virginia Space Grant Consortium.

4 Results from Prior NSF Support

Prof. Ciardo is the PI (with Prof. E. Smirni of William and Mary as co–PI) of NSF grant CCR-0098278, “EffectiveTechniques and Tools for Resource Management in Clustered Web Servers”, $279,485, 7/16/2001 - 7/15/2004.Currently, Wei (Helen) Sun, an MS student, and Alma Riska, a PhD student, are being supported by this project.In addition, Eric Davis, an undergraduate student, joined our group and is working on clustering techniques forweb workload characterization for his Honor’s project. Even if the project just started recently, we already haveexciting results. We have introduced EQUILOAD, a new parameterized size-based request allocation policy thatcan be used in clustered web servers to achieve both excellent memory locality and load balance. One publicationsupported by this grant is [48], which appeared in a special issue of the journal Performance Evaluation. A secondpublication, in which we develop a dynamic self-adjusting mechanism to adjust EQUILOAD’s parameters based

15

on the history of requests seen by the web server cluster, was just recently accepted to ICDCS (InternationalConference on Distributed Computing Systems) [142].

Prof. Ciardo was also the PI (with Prof. D. Nicol of Dartmouth College as co–PI) on the project “IntegratedModeling Project”, $36,500, 9/1/1995 - 8/31/1996, a subcontract from Duke University on NSF grant EEC-9418765. In the first year, the award supported a graduate student’s work on a prototype implementation of anew distributed state space generation algorithm for Markov models, which showed excellent speed–up [35, 124].In the second year, a second graduate student was supported to work on discrete-event simulation of models withboth discrete and continuous components [42] (subsequently selected to be extended and published in IEEE TSE[43]) and on non-Markov processes [36] (also in this case the paper was selected for publication in extendedversion, in Performance Evaluation [37]).

16

References Cited

[1] S.B. Akers. Binary decision diagrams. IEEE Transactions on Computers, C–27(6):509–516, 1978.

[2] S.C. Allmaier, M. Kowarschik, and G. Horton. State space construction and steady–state solution ofGSPNs on a shared–memory multiprocessor. In PNPM ’97 [134], pages 112–121.

[3] R. Alur and T. Henzinger, editors. Computer Aided Verification (CAV ’96), volume 1102 of Lecture Notesin Computer Science, New Brunswick, NJ, USA, July 1996. Springer–Verlag.

[4] V. Amoia, G. De Micheli, and M. Santomauro. Computer-oriented formulation of transition-rate matricesvia Kronecker algebra. IEEE Trans. Rel., 30:123–132, June 1981.

[5] H.R. Andersen. Model checking and Boolean graphs. Theoretical Computer Science, 126(1):3–30, April1994.

[6] H.R. Andersen. Partial model checking. In LICS ’95 [106], pages 398–407.

[7] H.R. Andersen, J. Staunstrup, and N. Maretti. Partial model checking with ROBDDs. In Brinksma [26],pages 35–49.

[8] H.R. Andersen, C. Stirling, and G. Winskel. A compositional proof system for the modal µ-calculus. InLICS ’94 [105], pages 144–153.

[9] P. Arunachalam, C. Chase, and D. Moundanos. Distributed binary decision diagrams for verification oflarge circuits. In ICCD ’96 [92], pages 365–370.

[10] P. Ashar and M. Cheong. Efficient breadth–first manipulation of binary decision diagrams. In IEEEInternational Conference on Computer Aided Design (ICCAD ’94), pages 622–627, San Jose, CA, USA,November 1994. IEEE Computer Society Press.

[11] G.S. Avrunin. Symbolic model checking using algebraic geometry. In Alur and Henzinger [3], pages26–37.

[12] H. Babu and T. Sasao. Shared multi–terminal binary decision diagrams for multiple–output functions.IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences, E81–A(12):2545–2553, December 1998.

[13] C. Baier, E.M. Clarke, V. Hartonas-Garmhausen, and M. Kwiatkowska. Symbolic model checking forprobabilistic processes. In P. Degano, R. Gorrieri, and A. Marchetti-Spaccamela, editors, 24th Inter-national Colloquium on Automata, Languages and Programming (ICALP ’97), volume 1256 of LectureNotes in Computer Science, pages 430–440, Bologna, Italy, July 1997. Springer–Verlag.

[14] F Baskett, K. M. Chandy, R. R. Muntz, and F. Palacios-Gomez. Open, closed, and mixed networksof queues with different classes of customers. Journal of the Association for Computing Machinery,22(2):335–381, April 1975.

[15] R. Bayer and C. McCreight. Organization and maintenance of large ordered indexes. Acta Informatica,1(3):173–189, 1972.

[16] R. Bayer and M. Schkolnick. Concurrency of operations on B–trees. Acta Informatica, 9:1–21, 1977.

1

[17] G. Bhat, R. Cleaveland, and O. Grumberg. Efficient on–the–fly model checking for CTL � . In LICS ’95[106], pages 388–397.

[18] A. Biere. ABCD: An experimental BDD library, 1998. See http://iseran.ira.uka.de/ armin/abcd/.

[19] A. Biere, A. Cimatti, E.M. Clarke, M. Fujita, and Y. Zhu. Symbolic model checking using SAT proceduresinstead of BDDs. In 36th ACM/IEEE Conference on Design Automation (DAC ’99), pages 317–320, NewOrleans, LA, USA, June 1999. ACM Press.

[20] A. Biere, A. Cimatti, E.M. Clarke, and Y. Zhu. Symbolic model checking without BDDs. In R. Cleave-land, editor, 2nd International Conference on Foundations of Tools and Algorithms for the Constructionand Analysis of Systems (TACAS ’99), volume 1579 of Lecture Notes in Computer Science, pages 193–207,Amsterdam, The Netherlands, April 1999. Springer–Verlag.

[21] B. Bollig and I. Wegener. Improving the variable ordering of OBDDs is NP–complete. IEEE Transactionson Computers, 45, 1996.

[22] K.S. Brace, R.L. Rudell, and R.E. Bryant. Efficient implementation of a BDD package. In DAC ’90 [65],pages 40–45.

[23] John W. Brewer. Kronecker products and matrix calculus in system theory. IEEE Trans. Circ. and Syst.,CAS-25:772–781, September 1978.

[24] F. Brglez, D. Bryan, and K. Kozminski. Combinational profiles of sequential benchmark circuits. In 1989IEEE International Symposium on Circuits and Systems (ISCAS ’89), pages 1924–1934, Portland, OR,USA, May 1989. IEEE Computer Society Press.

[25] F. Brglez and H. Fujiwara. A neutral netlist of 10 combinational benchmark circuits and a target translatorin Fortran. In 1985 IEEE International Symposium on Circuits and Systems (ISCAS ’85), pages 695–698,New York, NY, USA, June 1985. IEEE Computer Society Press.

[26] E. Brinksma, editor. 3rd International Workshop on Tools and Algorithms for the Construction and Anal-ysis of Systems (TACAS ’97), volume 1217 of Lecture Notes in Computer Science, Enschede, The Nether-lands, April 1997. Springer–Verlag.

[27] R.E. Bryant. Graph–based algorithms for Boolean function manipulation. IEEE Transactions on Com-puters, 35(8):677–691, August 1986.

[28] R.E. Bryant. Symbolic Boolean manipulation with ordered binary–decision diagrams. ACM ComputingSurveys, 24(3):393–418, September 1992.

[29] R.E. Bryant. Binary decision diagrams and beyond: Enabling technologies for formal verification. InIEEE International Conference on Computer–Aided Design (ICCAD ’95), pages 236–245, Los Alamitos,CA, USA, November 1995. IEEE Computer Society Press.

[30] P. Buchholz. Hierarchical structuring of superposed GSPNs. In PNPM ’97 [134], pages 81–90.

[31] Peter Buchholz, Gianfranco Ciardo, Susanna Donatelli, and Peter Kemper. Complexity of memory-efficient Kronecker operations with applications to the solution of Markov models. INFORMS J. Comp.,12(3):203–222, 2000.

[32] T. Bultan, R. Gerber, and W. Pugh. Symbolic model checking of infinite state systems using Presburgerarithmetic. In Grumberg [83], pages 400–411.

2

[33] J.R. Burch, E.M. Clarke, and D.E. Long. Symbolic model checking with partitioned transition relations.In A. Halaas and P.B. Denyer, editors, International Conference on Very Large Scale Integration, pages49–58, Edinburgh, Scotland, August 1991. North–Holland.

[34] J.R. Burch, E.M. Clarke, K.L. McMillan, D.L. Dill, and L.J. Hwang. Symbolic model checking:1020 states and beyond. Information and Computation, 98(2):142–170, June 1992.

[35] G. Ciardo, J. Gluckman, and D.M. Nicol. Distributed state–space generation of dicrete–state stochasticmodels. INFORMS Journal on Computing, 10(1):82–93, 1998.

[36] G. Ciardo and G. Li. Efficient approximate transient analysis for a class of deterministic and stochasticPetri nets. In IEEE International Computer Performance and Dependability Symposium (IPDS ’98), pages34–43, Durham, NC, USA, September 1998. IEEE Computer Society Press.

[37] G. Ciardo and G. Li. Efficient approximate transient analysis for a class of deterministic and stochasticPetri nets. Performance Evaluation, 35:109–129, 1999.

[38] G. Ciardo, G. Luttgen, and R. Siminiceanu. Efficient symbolic state–space construction for asynchronoussystems. In M. Nielsen and D. Simpson, editors, 21st International Conference on Application and Theoryof Petri Nets (ICATPN 2000), Lecture Notes in Computer Science, pages 103–122, Aarhus, Denmark, June2000. Springer–Verlag.

[39] G. Ciardo and A.S. Miner. SMART: Simulation and Markovian Analyzer for Reliability and Timing. InIEEE International Computer Performance and Dependability Symposium (IPDS ’96), page 60, Urbana–Champaign, IL, USA, September 1996. IEEE Computer Society Press.

[40] G. Ciardo and A.S. Miner. Storage alternatives for large structured state spaces. In R. Marie, B. Plateau,M. Calzarossa, and G. Rubino, editors, 9th International Conference on Modelling Techniques and Toolsfor Computer Performance Evaluation (Tools ’97), volume 1245 of Lecture Notes in Computer Science,pages 44–57, St. Malo, France, June 1997. Springer–Verlag.

[41] G. Ciardo and A.S. Miner. A data structure for the efficient Kronecker solution of GSPNs. In P. Buchholz,editor, 8th International Workshop on Petri Nets and Performance Models (PNPM ’99), pages 22–31,Zaragoza, Spain, September 1999. IEEE Computer Society Press.

[42] G. Ciardo, D.M. Nicol, and K. Trivedi. Discrete–event simulation of fluid stochastic Petri nets. InPNPM ’97 [134], pages 217–225.

[43] G. Ciardo, D.M. Nicol, and K. Trivedi. Discrete–event simulation of fluid stochastic Petri nets. IEEETransactions on Software Engineering, 25(2):207–217, March/April 1999.

[44] G. Ciardo and M. Tilgner. On the use of Kronecker operators for the solution of generalized stochasticPetri nets. Technical Report 96–35, Institute for Computer Applications in Science and Engineering,Hampton, VA, USA, May 1996.

[45] Gianfranco Ciardo. What a structural world. In Reinhard German and Boudewijn Haverkort, editors, Proc.9th Int. Workshop on Petri Nets and Performance Models (PNPM’01), pages 3–16, Aachen, Germany,September 2001. IEEE Comp. Soc. Press. Invited keynote paper.

[46] Gianfranco Ciardo, Gerald Luettgen, and Radu Siminiceanu. Saturation: An efficient iteration strategy forsymbolic state space generation. In Tiziana Margaria and Wang Yi, editors, Proc. Tools and Algorithms

3

for the Construction and Analysis of Systems (TACAS), LNCS 2031, pages 328–342, Genova, Italy, April2001. Springer–Verlag.

[47] Gianfranco Ciardo, Robert Marmorstein, and Radu Siminiceanu. Symbolic state space generation forfinite models with unknown bounds. Submitted for publication to CAV 2002.

[48] Gianfranco Ciardo, Alma Riska, and Evgenia Smirni. EQUILOAD: A load balancing policy for clusteredWeb servers. Perf. Eval., 46(2-3):101–124, October 2001.

[49] Gianfranco Ciardo and Kishor S. Trivedi. A decomposition approach for stochastic reward net models.Perf. Eval., 18(1):37–59, 1993.

[50] A. Cimatti, E.M. Clarke, F. Giunchiglia, and M. Roveri. NUSMV: a new Symbolic Model Verifier. InN. Halbwachs and D. Peled, editors, Proceedings Eleventh Conference on Computer-Aided Verification(CAV’99), number 1633 in Lecture Notes in Computer Science, pages 495–499, Trento, Italy, July 1999.Springer.

[51] E.M. Clarke and E.A. Emerson. Synthesis of synchronization skeletons for branching time temporal logic.In D. Kozen, editor, Logics of Programs: Workshop, volume 131 of Lecture Notes in Computer Science,pages 52–71, Yorktown Heights, NY, USA, May 1981. Springer–Verlag.

[52] E.M. Clarke, E.A. Emerson, and A.P. Sistla. Automatic verification of finite–state concurrent systems us-ing temporal logic specifications. ACM Transactions on Programming Languages and Systems, 8(2):244–263, April 1986.

[53] E.M. Clarke, T. Filkorn, and S. Jha. Exploiting symmetry in model checking. In Courcoubetis [64], pages450–462.

[54] E.M. Clarke, O. Grumberg, H. Hiraishi, S. Jha, D.E. Long, K.L. McMillan, and L.A. Ness. Verification ofthe Futurebus+ cache coherence protocol. Formal Methods in System Design, 6(2):217–232, March 1995.

[55] E.M. Clarke, O. Grumberg, M. Minea, and D. Peled. State space reduction using partial order techniques.Software Tools for Technology Transfer, 2(3):279–287, November 1999.

[56] E.M. Clarke, O. Grumberg, and D. Peled. Model Checking. MIT Press, 1999.

[57] E.M. Clarke, D.E. Long, and K.L. McMillan. Compositional model checking. In 4th Annual Sympo-sium on Logic in Computer Science (LICS ’89), pages 353–362, Asilomar, CA, USA, June 1989. IEEEComputer Society Press.

[58] E.M. Clarke and J.M. Wing. Formal methods: State of the art and future directions. ACM ComputingSurveys, 28(4):626–643, 1996.

[59] R. Cleaveland, J. Gada, P. Lewis, S. Smolka, O. Sokolsky, and S. Zhang. The Concurrency Factory—Practical tools for the specification, simulation, verification, and implementation of concurrent systems. InG.E. Blelloch, K.M. Chandy, and S. Jagannathan, editors, Specification of Parallel Algorithms, volume 18of DIMACS Series in Discrete Mathematics and Theoretical Computer Science, pages 75–90, Piscataway,NJ, USA, May 1994. American Mathematical Society.

[60] R. Cleaveland and S. Sims. The NCSU Concurrency Workbench. In Courcoubetis [64], pages 394–397.

[61] R. Cleaveland and B. Steffen. A linear–time model–checking algorithm for the alternation–free modalµ–calculus. Formal Methods in System Design, 2:121–147, 1993.

4

[62] O. Coudert, C. Berthet, and J.C. Madre. Verification of sequential machines using Boolean functionalvectors. In L.J.M. Claesen, editor, IFIP International Workshop on Applied Formal Methods for CorrectVLSI Design, pages 111–128, Leuven, Belgium, November 1989. North–Holland.

[63] O. Coudert, J.C. Madre, and H. Touati. TiGeR user guide edition (Version 1.0), December 1993.

[64] C. Courcoubetis, editor. Computer Aided Verification (CAV ’93), volume 697 of Lecture Notes in Com-puter Science, Elounda, Greece, June/July 1993. Springer–Verlag.

[65] 27th ACM/IEEE Design Automation Conference (DAC ’90), Orlando, FL, USA, June 1990. IEEE Com-puter Society Press.

[66] 33rd ACM/IEEE Design Automation Conference (DAC ’96), Las Vegas, NV, USA, June 1996. ACM Press.

[67] D.L. Dill. The Murphi verification system. In Alur and Henzinger [3], pages 390–393.

[68] R. Drechsler, B. Becker, and A. Jahnke. On variable ordering and decomposition type choice in OKFDDs.IEEE Transactions on Computers, 47(12):1398–1403, 1998.

[69] W. Elseaidy, J. Baugh, and R. Cleaveland. Verification of an active control system using temporal processalgebra. Engineering with Computers, 12:46–61, 1996.

[70] E.A. Emerson. Temporal and modal logic. In J. van Leeuwen, editor, Handbook of Theoretical ComputerScience, volume B, pages 995–1072. North–Holland, 1990.

[71] E.A. Emerson and J.Y. Halpern. ‘Sometime’ and ‘not never’ revisited: On branching versus linear timetemporal logic. Journal of the Association for Computing Machinery, 33(1):151–178, 1986.

[72] E.A. Emerson, S. Jha, and D. Peled. Combining partial order and symmetry reductions. In Brinksma [26],pages 19–34.

[73] S.J. Friedman and K.J. Supowit. Finding the optimal variable ordering for binary decision diagrams. IEEETransaction on Computers, 39(5):710–713, May 1990.

[74] M. Fujita, H. Fujisawa, and Y. Matsunaga. Variable ordering algorithms for ordered binary decisiondiagrams and their evaluation. IEEE Transactions on Computer–Aided Design of Integrated Circuits andSystems, 12(1):6–12, January 1993.

[75] R. Gerth, R. Kuiper, D. Peled, and W. Penczek. A partial order approach to branching time logic modelchecking. In Third Israel Symposium on Theory on Computing and Systems, pages 130–139, Tel Aviv,Israel, 1995. IEEE.

[76] R. Gerth, D. Peled, M. Vardi, and P. Wolper. Simple on–the–fly automatic verification of linear temporallogic. In Protocol Specification Testing and Verification (PSTV ’95), pages 3–18, Warsaw, Poland, 1995.Chapman & Hall.

[77] P. Godefroid. Partial–order Methods for the Verification of Concurrent Systems — An Approach to theState–explosion Problem, volume 1032 of Lecture Notes in Computer Science. Springer–Verlag, 1996.

[78] P. Godefroid and P. Wolper. A partial approach to model checking. Information and Computation,110(2):305–326, May 1994.

[79] R. Goering. Model checking expands verification’s scope. EE Times, 939, February 3, 1997.

5

[80] G. Gopalakrishnan and P. Windley, editors. 2nd International Conference on Formal Methods inComputer–Aided Design (FMCAD ’98), volume 1522 of Lecture Notes in Computer Science, Palo Alto,CA, USA, November 1998. Springer–Verlag.

[81] S. Graf, B. Steffen, and G. Luttgen. Compositional minimisation of finite state systems using interfacespecifications. Formal Aspects of Computing, 8(5):607–616, 1996.

[82] ”The VIS Group”. VIS: a system for verification and synthesis. In R. Alur and T. Henzinger, editors,Proc. 8th Int. Conf. Computer Aided Verification, New Brunswick, NJ, July 1996.

[83] O. Grumberg, editor. Computer Aided Verification (CAV ’97), volume 1254 of Lecture Notes in ComputerScience, Haifa, Israel, June 1997. Springer–Verlag.

[84] B.T. Hailpern. Verifying Concurrent Processes Using Temporal Logic, volume 129 of Lecture Notes inComputer Science. Springer–Verlag, 1982.

[85] T.A. Henzinger, X. Nicollin, J. Sifakis, and S. Yovine. Symbolic model checking for real–time systems.Information and Computation, 111:193–244, 1994.

[86] G.J. Holzmann. Design and Validation of Computer Protocols. Prentice Hall, 1991.

[87] G.J. Holzmann. The model checker Spin. IEEE Transactions on Software Engineering, 23(5):279–295,May 1997. Special issue on Formal Methods in Software Practice.

[88] G.J. Holzmann. An analysis of bitstate hashing. Formal Methods in System Design, 13(3):287–305,November 1998.

[89] G.J. Holzmann and M.H. Smith. Software model checking — Extracting verification models from sourcecode. Formal Methods for Protocol Engineering and Distributed Systems, pages 481–497, October 1999.

[90] D. Hughes and M. Dornheim. Automated cockpits: Who’s in charge? Aviation Week & Space Technology,January 30 / February 6, 1995.

[91] IEEE International Conference on Computer–Aided Design (ICCAD ’93), Santa Clara, CA, USA, Novem-ber 1993. IEEE Computer Society Press.

[92] IEEE International Conference on Computer Design (ICCD ’96), Austin, TX, USA, October 1996. IEEEComputer Society Press.

[93] G. Janssen. The Eindhoven BDD package. Eindhoven University of Technology, The Netherlands, 1994.Available at ftp://ftp.ics.ele.tue.nl/pub/users/geert/bdd.tar.gz.

[94] S.-W. Jeong, B. Plessier, G.D. Hachtel, and F. Somenzi. Variable ordering for binary decision diagrams.In The European Conference on Design Automation, pages 447–451, Brussels, Belgium, March 1992.IEEE Computer Society Press.

[95] T. Kam, T. Villa, R.K. Brayton, and A. Sangiovanni-Vincentelli. Multi–valued decision diagrams: Theoryand applications. Multiple–Valued Logic, 4(1–2):9–62, 1998.

[96] P. Kemper. Numerical analysis of superposed GSPNs. IEEE Transactions on Software Engineering,22(4):615–628, September 1996.

6

[97] S. Kimura and E.M. Clarke. A parallel algorithm for constructing binary decision diagrams. In IEEE Inter-national Conference on Computer Design (ICCD ’90), pages 220–223, Cambridge, MA, USA, September1990. IEEE Computer Society Press.

[98] D. Kozen. Results on the propositional µ–calculus. Theoretical Computer Science, 27(3):333–354, 1983.

[99] O. Kupferman and M. Y. Vardi. On the complexity of branching modular model checking. In I. Lee andS. A. Smolka, editors, 6th International Conference on Concurrency Theory (CONCUR ’95), volume 962of Lecture Notes in Computer Science, pages 408–422, Philadelphia, PA, USA, August 1995. Springer–Verlag.

[100] N.G. Leveson. Safeware: System Safety and Computers. Addison Wesley, 1995.

[101] N.G. Leveson, M. Heimdahl, M. Hildreth, H. Reese, and J. Ortega. Experiences using Statecharts for asystem requirements specification. In 6th International Workshop on Software Specification and Design,pages 31–41, Como, Italy, October 1991. IEEE Computer Society Press.

[102] N.G. Leveson, L.D. Pinnel, S.D. Sandys, S. Koga, and J.D. Reese. Analyzing software specifications formode confusion potential. In Workshop on Human Error and System Development, Glasgow, UK, March1997.

[103] B. Lewis and D. Berg. Multithreaded Programming with Pthreads. Sun Microsystems Press, MountainView, CA, 1998.

[104] O. Lichtenstein and A. Pnueli. Checking that finite state concurrent programs satisfy their linear speci-fication. In 12th Annual ACM Symposium on Principles of Programming Languages (POPL ’85), pages97–107, Orlando, FL, USA, January 1985. IEEE Computer Society Press.

[105] 9th Annual Symposium on Logic in Computer Science (LICS ’94), Versailles, France, July 1994. IEEEComputer Society Press.

[106] 10th Annual Symposium on Logic in Computer Science (LICS ’95), San Diego, CA, USA, July 1995. IEEEComputer Society Press.

[107] G. Luttgen and V. Carreno. Analyzing mode confusion via model checking. In D. Dams, R. Gerth,S. Leue, and M. Massink, editors, Theoretical and Practical Aspects of SPIN Model Checking (SPIN ’99),volume 1680 of Lecture Notes in Computer Science, pages 120–135, Toulouse, France, September 1999.Springer–Verlag.

[108] Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent Systems. Springer–Verlag,Berlin, Germany, 1992.

[109] Z. Manna and A. Pnueli. Temporal Verification of Reactive Systems. Springer–Verlag, New York, USA,1995.

[110] J. Matocha and T. Camp. A taxonomy of distributed termination detection algorithms. Journal of Systemsand Software, 43(3):207–221, November 1998.

[111] K.L. McMillan. Symbolic Model Checking: An Approach to the State–explosion Problem. PhD thesis,Carnegie–Mellon University, Pittsburgh, PA, USA, 1992.

[112] K.L. McMillan. Symbolic Model Checking. Kluwer Academic Publishers, 1993.

7

[113] K.L. McMillan. A conjunctively decomposed Boolean representation for symbolic model checking. InAlur and Henzinger [3], pages 13–24.

[114] S.P. Miller. Specifying the mode logic of a flight guidance system in CoRE and SCR. In M. Ardis, editor,2nd Workshop on Formal Methods in Software Practice (FMSP ’98), pages 44–53, Clearwater Beach, FL,USA, March 1998. ACM Press.

[115] K. Milvang-Jensen and A.J. Hu. BDDNOW: A parallel BDD package. In Gopalakrishnan and Windley[80], pages 501–512.

[116] S. Minato, N. Ishiura, and S. Yajima. Shared binary decision diagrams with attributed edges for efficientBoolean function manipulation. In DAC ’90 [65], pages 52–57.

[117] A.S. Miner and G. Ciardo. Efficient reachability set generation and storage using decision diagrams. InJ. Kleijn and S. Donatelli, editors, 20th International Conference on Application and Teory of Petri Nets(ICATPN ’99), volume 1639 of Lecture Notes in Computer Science, pages 6–25, Williamsburg, VA, USA,June 1999. Springer–Verlag.

[118] A.S. Miner, G. Ciardo, and S. Donatelli. Using the exact state space of a Markov model to computeapproximate stationary measures. In Jim Kurose and Philippe Nain, editors, 2000 ACM SIGMETRICSConference on Measurement and Modeling of Computer Systems, pages 207–216, Santa Clara, CA, USA,June 2000. ACM Press.

[119] J.J. Moskwa and J.K. Hedrick. Modeling and validation of automotive engines for control algorithmdevelopment. ASME Journal of Dynamic Systems, Measurement and Control, 114(2):278–285, June 1992.

[120] T. Murata. Petri nets: Properties, analysis and applications. Proceedings of the IEEE, 77(4):541–579,April 1989.

[121] D. Naydich and J. Nowakowski. Flight guidance system validation using Spin. Technical ReportNASA/CR–1998–208434, Odyssey Research Associates, Ithaca, NY, USA, June 1998. NASA ContractorReport, NASA Langley Research Center, Hampton, VA, USA.

[122] D.M. Nicol. Non–commital barrier synchronization. Parallel Computing, 21:529–549, 1995.

[123] D.M. Nicol and G. Ciardo. Scalable B–tree construction on a shared–memory multiprocessor. In prepa-ration.

[124] D.M. Nicol and G. Ciardo. Automated parallelization of discrete state–space generation. Journal ofParallel and Distributed Computing, 47(2):153–167, December 1997.

[125] H. Ochi, N. Ishiura, and S. Yajima. Breadth–first manipulation of SBDD of Boolean functions for vectorprocessing. In 28th ACM/IEEE Design Automation Conference (DAC ’91), pages 413–416, Los Alamitos,CA, USA, June 1991. IEEE Computer Society Press.

[126] H. Ochi, K. Yasuoka, and S. Yajima. Breadth–first manipulation of very large binary–decision diagrams.In ICCAD ’93 [91], pages 48–55.

[127] S. Owre, J. Rushby, N. Shankar, and F. von Henke. Formal verification for fault-tolerant systems: Pro-legomena to the design of PVS. IEEE Transactions on Software Engineering, 21(2):107–125, February1995.

8

[128] E. Pastor and J. Cortadella. Efficient encoding schemes for symbolic analysis of Petri nets. In IEEEConference on Design, Automation and Test in Europe (DATE ’98), pages 790–795, Paris, France, March1998. IEEE Computer Society Press.

[129] E. Pastor, O. Roig, J. Cortadella, and R.M. Badia. Petri net analysis using Boolean manipulation.In R. Valette, editor, 15th International Conference on the Application and Theory of Petri Nets(ICATPN ’94), volume 815 of Lecture Notes in Computer Science, pages 416–435, Zaragoza, Spain, June1994. Springer–Verlag.

[130] D.A. Peled. Combining partial order reductions with on–the–fly model–checking. Formal Methods inSystem Design, 8(1):39–64, January 1996.

[131] D.A. Peled. Ten years of partial order reduction. In A.J. Hu and M.Y. Vardi, editors, 10th InternationalConference on Computer Aided Verification (CAV ’98), volume 1427 of Lecture Notes in Computer Sci-ence, pages 17–28, Vancouver, Canada, June 1998. Springer–Verlag.

[132] D.A. Peled, V.R. Pratt, and G.J. Holzmann, editors. Partial Order Methods in Verification, volume 29of DIMACS Series in Discrete Mathematics and Theoretical Computer Science. American MathematicalSociety, 1997.

[133] Brigitte Plateau. On the stochastic structure of parallelism and synchronisation models for distributedalgorithms. In Proc. 1985 ACM SIGMETRICS Conf. on Measurement and Modeling of Computer Systems,pages 147–153, Austin, TX, USA, May 1985.

[134] 7th International Workshop on Petri Nets and Performance Models (PNPM ’97), St. Malo, France, June1997. IEEE Computer Society Press.

[135] H. Preuss and A. Srivastav. Blockwise variable orderings for shared BDDs. In L. Brim, J. Gruska, andJ. Zlatuska, editors, 23rd Symposium on Mathematical Foundations of Computer Science (MFCS ’98), vol-ume 1450 of Lecture Notes in Computer Science, pages 636–647, Brno, Czech Republic, 1998. Springer–Verlag.

[136] J.P. Queille and J. Sifakis. Specification and verification of concurrent systems in CESAR. In M. Dezani-Ciancaglini and U. Montanari, editors, 5th International Symposium in Programming, volume 137 ofLecture Notes in Computer Science, pages 337–351, Torino, Italy, April 1982. Springer–Verlag.

[137] R.K. Ranjan and J.V. Sanghavi. CAL–2.0: Breadth–first manipulation based BDD library. University ofCalifornia, Berkeley, CA, USA, June 1997. Available at www-cad.eecs.berkeley.edu/Research/cal bdd/.

[138] R.K. Ranjan, J.V. Sanghavi, R.K. Brayton, and A. Sangiovanni-Vincentelli. Binary decision diagrams onnetwork of workstations. In ICCD ’96 [92], pages 358–364.

[139] R.K. Ranjan, J.V. Sanghavi, R.K. Brayton, and A. Sangiovanni-Vincentelli. High performance BDDpackage based on exploiting memory hierarchy. In DAC ’96 [66], pages 635–640.

[140] T. Rathje and S. Sandler. CPU formal verification receives a boost. EE Times, 927, November 11, 1996.

[141] W. Reisig. Petri Nets: An Introduction. Springer, Berlin, Germany, 1985.

[142] Alma Riska, Wei Sun, Evgenia Smirni, and Gianfranco Ciardo. AdaptLoad: effective balancing in clus-tered Web servers under transient load conditions. In Proc. Int. Conf. Distr. Comp. Syst., Vienna, Austria,July 2002. To appear.

9

[143] O. Roig, J. Cortadella, and E. Pastor. Verification of asynchronous circuits by BDD–based model checkingof Petri nets. In G. De Michelis and M. Diaz, editors, 16th International Conference on the Applicationand Theory of Petri Nets (ICATPN ’95), volume 815 of Lecture Notes in Computer Science, pages 374–391, Torino, Italy, June 1995. Springer–Verlag.

[144] R. Rudell. Dynamic variable ordering for ordered binary decision diagrams. In ICCAD ’93 [91], pages139–144.

[145] J. Ruf and T. Kropf. Using MTBDDs for composition and model checking of real–time systems. InGopalakrishnan and Windley [80], pages 185–202.

[146] E. M. Sentovich. A brief study of BDD package performance. In Srivas and Camilleri [150], pages389–403.

[147] M. Snir, S. Otto, S. Huss-Lederman, D. Walker, and J. Dongarra. MPI: The Complete Reference. MITPress, Cambridge, MA, 1996.

[148] O.V. Sokolsky and S.A. Smolka. Incremental model checking in the modal µ–calculus. In D.L. Dill,editor, Computer Aided Verification (CAV ’94), volume 818 of Lecture Notes in Computer Science, pages351–363, Stanford, CA, USA, June 1994. Springer–Verlag.

[149] F. Somenzi. CUDD: CU decision diagram package. University of Colorado, Boulder, CO, USA, April1997. Available at http://vlsi.colorado.edu/ fabio.

[150] M. Srivas and A. Camilleri, editors. 1st International Conference on Formal Methods in Computer–Aided Design (FMCAD ’96), volume 1166 of Lecture Notes in Computer Science, Palo Alto, CA, USA,November 1996. Springer–Verlag.

[151] T.L. Sterling, J. Salmon, D.J. Becker, and D.F. Savarese. How to Build a Beowulf: A Guide to the Imple-mentation and Application of PC Clusters. MIT Press, Cambridge, MA, USA, May 1999.

[152] U. Stern and D. Dill. Parallelizing the Murphi verifier. In Grumberg [83], pages 256–267.

[153] William J. Stewart, Karim Atif, and Brigitte Plateau. The numerical solution of stochastic automata net-works. Eur. J. of Oper. Res., 86:503–525, 1995.

[154] C. Stirling. Modal and temporal logics. In S. Abramsky, D. Gabbay, and T.S.E. Maibaum, editors, Hand-book of Logic in Computer Science, volume 2, pages 477–563. Oxford University Press, 1992.

[155] T. Stornetta. Implementation of an efficient parallel BDD package. Master’s thesis, University of Califor-nia at Santa Barbara, CA, USA, December 1995.

[156] T. Stornetta and F. Brewer. Implemention of an efficient parallel BDD package. In DAC ’96 [66], pages641–644.

[157] N. Takahashi, N. Ishiura, and S. Yajima. Fault simulation for multiple faults using shared BDD repre-sentation of fault sets. In IEEE International Conference on Computer-Aided Design (ICCAD ’91), pages550–553, Santa Clara, CA, USA, November 1991. IEEE Computer Society Press.

[158] S. Tani, K. Hamaguchi, and S. Yajima. The complexity of the optimal variable ordering problems ofa shared binary decision diagram. IEICE Transactions on Communications/Electronics/Information andSystems, 1996.

10

[159] A. Valmari. A stubborn attack on the state explosion problem. In E.M. Clarke and R.P. Kurshan, edi-tors, Computer–Aided Verification (CAV ’90), volume 3 of DIMACS Series in Discrete Mathematics andTheoretical Computer Science, pages 25–42, Piscataway, NJ, USA, June 1990. American MathematicalSociety.

[160] M. Vardi and P. Wolper. An automata–theoretic approach to automatic program verification. In Sympo-sium on Logic in Computer Science (LICS ’86), pages 332–344, Cambridge, MA, USA, June 1986. IEEEComputer Society Press.

[161] B. Yang, R.E. Bryant, D.R. O’Hallaron, A. Biere, O. Coudert, G. Janssen, R.K. Ranjan, and F. Somenzi. Aperformance study of BDD–based model checking. In Gopalakrishnan and Windley [80], pages 255–289.

[162] B. Yang and D.R. O’Hallaron. Parallel breadth–first BDD construction. In Proceedings of the ACMSIGPLAN Symposium on Principles and Practice of Parallel Programming (PPOPP ’97), volume 32, 7 ofACM SIGPLAN Notices, pages 145–156, Las Vegas, NV, USA, June 1997. ACM Press.

[163] J. Yang, A.K. Mok, and F. Wang. Symbolic model checking for event–driven real–time systems. ACMTransactions on Programming Languages and Systems, 19(2):386–412, March 1997.

[164] Yeh and Kuo. Variable ordering for ordered binary decision diagrams by a divide–and–conquer approach.IEE Proceedings on Computers and Digital Techniques, 144, 1997.

[165] T. Yoneda, H. Hatori, A. Takahara, and S.-I. Minato. BDDs vs. zero–suppressed BDDs: For CTL symbolicmodel checking of Petri nets. In Srivas and Camilleri [150], pages 435–449.

[166] S. Zhang, O. Sokolsky, and S.A. Smolka. On the parallel complexity of model checking and the µ–calculus. In LICS ’94 [105], pages 154–163.

11

Rationale for our international collaboration

Much of the inspiration for the proposed research can be traced back to a collaboration between the PI and Dr.Gerald Luettgen, beginning in Summer 1999. At that time, Dr. Luettgen was a Staff Scientist at the Institute forComputer Applications in Science and Engineering (ICASE), NASA Langley Research Center, Hampton, VA,and the PI visited ICASE as a Summer Visitor.

The PI, whose original background is in Petri nets, stochastic Petri nets, numerical solution of Markov chains,and performance modeling, had begun working on Kronecker representations for large Markov chains and multi–valued decision diagrams for the efficient storage of their state spaces. Dr. Luettgen, whose background is insteadin formal methods, semantics of specification and programming languages, had started applied research on modelchecking for problems of interest to NASA, such as mode confusion in cockpits.

During that summer the two, together with Radu Siminiceanu, a graduate student at William and Mary, beganconsidering the applicability of MDD techniques to the general state–space generation and symbolic model–checking settings. Since then, they have collaborated on two fundamental papers, each of which has substantiallyadvanced the efficiency of state–space generation. Although Dr. Luettgen is now a Senior Lecturer in ComputerScience at the University of Sheffield, UK, the collaboration with the PI is ongoing. Dr. Luettgen is currently anexternal member of Mr. Siminiceanu’s PhD Committee and visited William and Mary in January 2002 for theProposal Defense; conversely, Dr. Luettgen’s students are using the SMART tool, developed by the PI, in theirresearch at the University of Sheffield.

By supporting this collaboration, the National Science Foundation will enable the ongoing continuation ofthis research and will increase the PI’s ability of reaching a wider audience for the results to be developed.

GIANFRANCO CIARDOAssociate Professor of Computer Science

Department of Computer Science Phone: (757) 221–3478College of William and Mary Fax: (757) 221–1717P.O. Box 8795 E–mail: ciardo@cs.wm.eduWilliamsburg, VA 23187–8795 URL: www.cs.wm.edu/ � ciardo

Research interests: Performability evaluation of fault-tolerant and distributed computer systems. Distributedalgorithms and compositional approaches for the logical or stochastic analysis of large models. Verification andperformance analysis of concurrent software. Model-checking. Petri nets and stochastic Petri nets. Specificationformalisms and solution algorithms for modeling tools.

Professional preparation:

• April 1989: PhD in Computer Science, Duke University, Durham, NC.• July 1982: Laurea summa cum laude in Computer Science, University of Torino, Italy.

Appointments:

• August 1997 – present: Associate Professor, August 1992 – July 1997: Assistant Professor, Department ofComputer Science, College of William and Mary, Williamsburg, VA.

• Spring 2000: Sabbatical visit, HP Labs, Palo Alto, CA.• September 1988 – July 1992: Member Tech. Staff, Software Productivity Consortium, Herndon, VA.

Selected awards:

• July 2001 – July 2004: PI, “Effective techniques and tools for resource management in clustered webservers”, NSF, $279,485.

• March 1999 – February 2002: PI, “Advanced Structures and Algorithms for State–space Based Perfor-mance, Reliability, and Performability Evaluation of Computer Systems”, NASA, $333,788.

• May 1993 – May 1996: co–PI, “Parallel Algorithms for the Simulation and Analysis of Stochastic PetriNets”, NASA, $248,380.

Five publications most relevant to the project:

1. G. Ciardo, G. Luettgen, and R. Siminiceanu. Saturation: an efficient iteration strategy for symbolic statespace generation. In T. Margaria and W. Yi, eds., Proc. Tools and Algor. for the Constr. and Analysis ofSystems (TACAS), LNCS 2031, pp. 328-342, Genova, Italy, March 2001.

2. G. Ciardo, G. Luettgen, and R. Siminiceanu. Efficient Symbolic State–space Construction for Asyn-chronous Systems. In M. Nielsen and D. Simpson, editors, 21st International Conference on Applicationand Theory of Petri Nets (ICATPN 2000), Lecture Notes in Computer Science 1825, pp. 103-122 Aarhus,Denmark, June 2000. Springer–Verlag.

3. A. Miner and G. Ciardo. Efficient Reachability Set Generation and Storage Using Decision Diagrams.In S. Donatelli and H. Kleijn, editors, 20th International Conference on Application and Theory of PetriNets (ICATPN ’99), volume 1639 of Lecture Notes in Computer Science, pages 6–25, Williamsburg, VA,June 1999. Springer–Verlag.

4. G. Ciardo and A. Miner. A Data Structure for the Efficient Kronecker Solution of GSPNs. In P. Buchholz,editor, 8th International Workshop on Petri Nets and Performance Models (PNPM ’99), pages 22–31,Zaragoza, Spain, September 1999. IEEE Comp. Soc. Press.

5. G. Ciardo, J. Gluckman, and D. Nicol. Distributed State–space Generation of Discrete–state StochasticModels. INFORMS Journal of Computing, 10(1):82–93, 1998.

Five other publications:

1. D. Nicol and G. Ciardo. Automated Parallelization of Discrete State–space Generation. Journal of Paralleland Distributed Computing, 47:153–167, 1997.

2. A. Miner, G. Ciardo, and S. Donatelli. Using the Exact State Space of a Markov Model to Compute Ap-proximate Stationary Measures. In 2000 ACM SIGMETRICS Conference on Measurement and Modelingof Computer Systems, pp. 207-216, Santa Clara, CA, June 2000. IEEE Comp. Soc. Press.

3. G. Ciardo, D. Nicol, K. Trivedi. Discrete–event Simulation of Fluid Stochastic Petri Nets. IEEE Transac-tions on Software Engineering, 25(2):207–217, 1999.

4. P. Buchholz, G. Ciardo, S. Donatelli, and P. Kemper. Complexity of memory-efficient Kronecker opera-tions with applications to the solution of Markov models. INFORMS J. Comp., 12(3), 2000.

5. G. Ciardo and E. Smirni. An Efficient Technique for the Analysis of QBD–processes by Aggregation.Performance Evaluation, 36/37:71–93, 1999.

Synergistic activities:

• Associate Editor, IEEE Transactions on Software Engineering (since February 2001).• Keynote Speaker, PNPM (Petri Net and Performance Models), Aachen, Germany, Sept. 2001.• Co-Organizer of the Dagstuhl Seminar on Performance and Dependability Modelling with Stochastic Petri

Nets, Saarbrucken, Germany, May 1995. Visiting Professor at Berlin University of Technology, Germany(Fall 1992) and University of Torino, Italy (Fall 1999). Lecturer, First Euro Summerschool on Trends inComputer Science: Formal Methods and Performance Analysis, July 2000, Nijmegen, the Netherlands.

• Leader of the SMART development team, a tool integrating high–level stochastic modeling formalismsand solution techniques. SMART was released in December, 2001.

• General Chair, ICATPN, June 1999, Williamsburg, VA. This prestigious conference devoted to theory andapplications of Petri net has been held in the US only twice in its 21-year history.

Collaborators: P. Buchholz (Dresden Univ. of Techn., Germany), L. Cherkasova (HP Labs, Palo Alto, CA),S. Donatelli (Univ. Torino, Italy), R. German (Berlin Univ. of Techn., Germany), G. Hommel (Berlin Univ.of Techn., Germany), P. Kemper (Univ. of Dortmund, Germany), L. Leemis (College of William and Mary,Williamsburg, VA), C. Lindemann (Univ. of Dortmund, Germany), G. Luettgen (Univ. of Sheffield, UK), J. Mup-pala (Hong Kong Univ. of Science and Techn., China), D. Nicol (Dartmouth College), M. Squillante (IBM,T.J. Watson Research Center, NY), W. Stewart (NC State Univ.), Y. Takahashi (Tokyo Inst. of Tech., Japan),M. Tilgner (Tokyo Inst. of Tech., Japan), R. Zijal (Berlin Univ. of Tech., Germany).

Past and present graduate students (all at the College of William and Mary): H. Kim (Undergraduate Honors,1994), C. Ji (MS, 1996), D. Galayda (MS, 1997), G. Li (MS, 1998), J. Maddalon (MS, 1999), S. Griffith (MS,2000), A. Mangalam (MS, 2000), P. Sugden (MS, 1999), A. Miner (PhD, 2000), R. Jones (PhD, expected 2001),R. Siminiceanu (PhD, expected 2002), R. Marmorstein (MS, expected 2002). W. Sun (MS, expected 2002).

Thesis advisor: K.S. Trivedi (Duke University, Durham, NC).

Budget Justification

Faculty salary: One month of summer support with standard benefits (FICA at 7.65%) is requested for the PIfor the first and second year of the contract, and two months for the third year.

Graduate students: Support is requested for two graduate students for each year of the project. The requestedsum includes nine months half–time support during the academic year plus three months full–time support duringthe summer session. Standard benefits ($900 for health insurance, FICA at 7.65% of the summer salary) and thestudents’ tuition ($5,720 per student per year, under Other Direct Costs) are also requested.

Travel: Funds are requested to attend two domestic (assumed cost: $1500/trip) and two international (assumedcost $2,000/trip) conferences each year. Approximately half of the domestic travel support will be used for thegraduate students involved in the project, in order to provide them with first–hand exposure to world–class re-searchers. The conferences of interest include those traditionally dedicated to formal verification, such as theACM/IEEE Design Automation Conference, the IEEE International Conference on Computer–Aided Design,the International Conference on Formal Methods in Computer–Aided Design (FMCAD), the ACM SIGSOFTInternational Symposium on Software Testing and Analysis (ISSTA), the International Conference on ComputerAided Verification (CAV), and the International Conference on Foundations of Tools and Algorithms for theConstruction and Analysis of Systems (TACAS). However, we also intend to present our results at broad con-ferences on software engineering, where our proposed research can make a faster practical impact by targetingsoftware practitioners: a prime example of such venues is, of course, the International Conference on SoftwareEngineering (ICSE).

Materials and supplies: The requested funds are to pay for incidental expenses associated with the research,including presentation materials and publication costs, as well as for manuals and books.

Equipment: Funds are requested in the first year for three Pentium workstations with 1GB RAM and a largeand fast hard disk. Initially, these will be used by the graduate students, the PI, and the international collaboratorfor development and experimentation. Once our algorithms are implemented in the SMART package, they willbe made available for remote execution on these workstations, which will be web–accessible. This will allow usto gather essential algorithmic performance data on a wide range of applications.

Participant support costs: Support is requested for our international collaborator, Dr. Gerald Luettgen, to visitthe PI twice a year, once for approximately four weeks in the summer and once for approximately two weeksduring the winter break. The costs for his participation are anticipated to be $1,250 per week for stipend; $1,850per trip for air travel, ground transportation, and car rental; and $100 per day for subsistence (hotel and meals).

Indirect costs: The indirect cost rate of the College of William and Mary is 45%, charged on the Modified TotalDirect Cost (MDTC), which do not include equipment and tuition.

NOTE: Actual cost figures mentioned above are estimates for the first year; we assume an increase of 5% peryear for the second and third years.

Facilities, Equipment and Other Resources

The Department of Computer Science at the College of William and Mary provides a network of fast Pentiumworkstations running the Linux operating system, plus several Sun workstations for specialized tasks, runningvarious flavor of Unix. These are available to the graduate students to perform both their classwork and theirresearch and are connected through Fast Ethernet. In addition, each faculty member’s office has a Pentiumworkstation.

For advanced work on distributed–memory and shared–memory algorithms and their performance study, thedepartment, as part of the College of William and Mary Computational Science Cluster, was recently awarded aMajor Research Instrumentation grant from the National Science Foundation to acquire a Beowulf–style clusterwith three subsystems. Two of these subsystems are Pentium–based and have 32 and 64 processors, respec-tively, as well as different interconnection networks, while the third subsystem contain four Sun multiprocessormachines with four processors each.