Electronic Notes in Theoretical Computer Science www.elsevier.com/locate/entcs
Exploiting Design Structure in Model Checking

Invited Speaker: Thomas A. Henzinger

Abstract

We present the main objectives and approaches of the Mocha project, which is a joint project with Rajeev Alur at the University of Pennsylvania. Model checking is a fully automatic technology for finding design errors by exhaustive state-space exploration. The main problem in model checking is caused by state explosion, namely, that the number of states depends exponentially on the number of components in a system. Much research effort in model checking has focused on efficient data structures and algorithms for exploring very large state graphs. These approaches, however, can only alleviate, not solve, the state-explosion problem.

The Mocha project avoids flattening a system description into its state graph, and instead attempts to exploit the component structure inherent in many system descriptions. For this purpose, we model check not state graphs (Kripke structures) but so-called Reactive Modules, which provide a compositional model for reactive systems. We exploit the module structure of a system in three ways. First, we decompose proof obligations along module boundaries using assume-guarantee reasoning, which takes into account assumptions about how the environment of a module behaves. Second, we use game-theoretic methods to specify and explore both collaborative and adversarial relationships between modules. Third, we exploit design hierarchy by developing algorithms that efficiently traverse hierarchically organized state spaces.

Thomas A. Henzinger, University of California, Berkeley
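To make the first of the three ideas concrete, the following is an added example (not code from the Mocha project or from the authors) of the non-circular assume-guarantee rule over two small reactive modules: a client that requests a resource and a server that grants it. The server carries an irrelevant internal counter, so the flat composition has many more states than the abstraction that keeps only the server's mode. The check "client in crit implies grant" is discharged against the small abstraction, and a separate simulation check confirms that the real server refines that abstraction, which is what makes the decomposition sound. All module names, states and helper functions here are assumptions of this example, constructed for illustration.

```python
"""Assume-guarantee decomposition over two reactive modules, explicit-state style."""
from itertools import product

class Module:
    """A reactive module with finite local states (constructed for this example).

    step(own_state, observation_of_environment) -> set of possible next local states
    observe(own_state) -> what the environment is allowed to read from this module
    """
    def __init__(self, name, init, step, observe=lambda s: s):
        self.name, self.init, self.step, self.observe = name, frozenset(init), step, observe

def reachable(m1, m2):
    """Flat exploration of the synchronous composition m1 || m2: in every round
    both modules read the other's current observation and then step together."""
    frontier = list(product(m1.init, m2.init))
    seen = set(frontier)
    while frontier:
        s1, s2 = frontier.pop()
        for n1 in m1.step(s1, m2.observe(s2)):
            for n2 in m2.step(s2, m1.observe(s1)):
                if (n1, n2) not in seen:
                    seen.add((n1, n2))
                    frontier.append((n1, n2))
    return seen

def check_invariant(m1, m2, inv):
    """inv is stated over the two modules' observations; return a violating global state or None."""
    for s1, s2 in reachable(m1, m2):
        if not inv(m1.observe(s1), m2.observe(s2)):
            return (s1, s2)
    return None

def local_states(m, inputs):
    """All local states a module can reach when its environment is left unconstrained."""
    seen, frontier = set(m.init), list(m.init)
    while frontier:
        s = frontier.pop()
        for x in inputs:
            for n in m.step(s, x):
                if n not in seen:
                    seen.add(n)
                    frontier.append(n)
    return seen

def refines(concrete, abstract, inputs):
    """Greatest simulation relation: every step of `concrete` under every environment
    input must be matched by a step of `abstract` to a state with the same observation."""
    cs, as_ = local_states(concrete, inputs), local_states(abstract, inputs)
    rel = {(c, a) for c in cs for a in as_ if concrete.observe(c) == abstract.observe(a)}
    changed = True
    while changed:
        changed = False
        for c, a in list(rel):
            matched = all(any((c2, a2) in rel for a2 in abstract.step(a, x))
                          for x in inputs for c2 in concrete.step(c, x))
            if not matched:
                rel.discard((c, a))
                changed = True
    return all(any((c, a) in rel for a in abstract.init) for c in concrete.init)

# --- constructed modules -------------------------------------------------------
CLIENT_OBS = ('idle', 'req', 'crit')   # what the server can observe of the client

def client_step(s, grant):
    if s == 'idle':
        return {'idle', 'req'}                 # may stay idle or raise a request
    if s == 'req':
        return {'crit'} if grant else {'req'}  # enters the critical section only when granted
    return {'idle'}                            # 'crit' -> release

def mode_step(mode, client):
    # The server's mode depends only on what the client is currently doing.
    return {{'idle': 'free', 'req': 'granting', 'crit': 'busy'}[client]}

TICKS = 50  # an internal counter that is irrelevant to granting but inflates the state space

def server_step(s, client):
    mode, tick = s
    return {(m, (tick + 1) % TICKS) for m in mode_step(mode, client)}

client = Module('client', {'idle'}, client_step)   # the client exposes its whole state
server = Module('server', {('free', 0)}, server_step, lambda s: s[0] == 'granting')
abstract = Module('server_abs', {'free'}, mode_step, lambda m: m == 'granting')
bad_abs = Module('never_grants', {'free'}, lambda m, c: {'free'}, lambda m: m == 'granting')

def in_crit_implies_grant(client_state, grant):
    return client_state != 'crit' or grant

def assume_guarantee(m1, m2, abstraction, inv, inputs):
    """Non-circular rule: if m2 refines A and m1 || A satisfies inv, then m1 || m2 satisfies inv."""
    return refines(m2, abstraction, inputs) and check_invariant(m1, abstraction, inv) is None

if __name__ == '__main__':
    print(len(reachable(client, server)), 'global states in the flat composition')
    print(len(reachable(client, abstract)), 'global states against the abstraction')
    print('assume-guarantee proof:', assume_guarantee(client, server, abstract, in_crit_implies_grant, CLIENT_OBS))
    # bad_abs never grants, so the invariant holds vacuously against it; the
    # refinement check is what rejects it as an unsound abstraction of the server.
    print('bad abstraction refined by server:', refines(server, bad_abs, CLIENT_OBS))
```

The flat composition reaches 5 client/mode combinations for each of the 50 counter values, while the abstraction collapses these to 5 global states; the invariant is proved on the small side and transferred by the refinement check. The `bad_abs` module shows why that second check cannot be skipped: an abstraction that never grants makes the invariant hold vacuously, but it is not refined by the real server.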
© Elsevier B.V. ISSN 1571-0661, see front matter. doi:10.1016/S1571-0661(05)80755-8