Partial-order model checking: A guide for the perplexed

Abstract

Practicing verifiers of finite-state concurrent systems should be able to adapt our partial-order methods for verifying delay-insensitive systems to other verification problems. We answer the question, is it possible to control state explosion arising from various sources during automatic verification (model checking) of delay-insensitive systems? State explosion due to concurrency is handled by introducing a partial-order representation for processes, and defining system correctness as a simple relation between two partial orders on the same set of system events. State explosion due to nondeterminism is handled when the system to be verified has a compact, finite recurrence structure. Backwards branching through representations is a further optimization. In system verification, we start with models of system components that explicitly distinguish concurrency, choice and recurrence structure; during model checking, this a priori structure of components allows us to construct a compact, finite representation of the specification-constrained implementation - without prior composition of system components. The fully-implemented POM verification system has polynomial space and time performance on traditional asynchronous-circuit benchmarks that are exponential in space and time for other verification systems; in general, the cost of running our verification algorithm is proportional to the size of the constructed system representation.