Automatic Verification on the Large*

Farn Wang and Pao-Ann Hsiung
Institute of Information Science, Academia Sinica, Taipei, Taiwan 115, Republic of China
+886-2-27883799 ext. 1717; FAX +886-2-27824814; farn@iis.sinica.edu.tw

Abstract

An automatic verification method from a high-level resource-management standpoint is presented. Various manipulators can be incorporated in the method to construct, refine, reduce, and model-check state space representation. Proper combinations of manipulators can then be picked strategically by users or computers for less resource (time and space) consumption. An algorithm based on group theory to pick a manipulator combination is presented. Verification sessions are conducted to illustrate our idea.

1. Introduction

The general trend of engineering is to package complex technology with simple and friendly interfaces so that more users can be benefited. Since the famous Pentium-bug, people have been anticipating wide acceptance of the technology of computer-aided verification. Indeed, with today's powerful hardware and recently reported verification theory breakthroughs[2, 5], it seems that industrial application of verification theory is becoming more and more real. But most verification packages today are developed based on profound, complex theories that takes years of graduate study to master. Thus inevitably, only projects with big budgets can afford the advantage of computer-aided verification. This work aims at devising a packaging scheme for verification technologies so that users illiterate of verification technology can still benefit from it.

Here we give a brief description of our method which works on concurrent systems. For a system with \( m \) concurrent processes, we assume that we are given their \( m \) behavior descriptions, called state-graphs stored in an array, \( G[1], \ldots, G[m] \) respectively. In traditional approach, a verification procedure will start by constructing the Cartesian product of \( G[1], \ldots, G[m] \), as in table 1(a) with eight processes, to verify the given concurrent system. The state-

```
(a)

verify(G,8,\phi)
state_graph *G;
int 8; /* number of processes */
CTL \phi;
{
    G := G[1] \times G[2] \times \ldots \times G[8];
    check G against \phi;
}
```

```
(b)

verify(G,8,\phi) /* Assume we have reducers C_1, \ldots, C_6 */
state_graph *G;
int 8; /* number of processes */
CTL \phi;
{
    G := G[1] \times G[2];
    G := C_1(G_4(G));
    G := G \times G[3];
    G := C_2(C_3(C_6(G)));
    G := G \times G[4];
    \ldots
    G := G \times G[8];
    G := C_1(C_2(G));
    check G against \phi;
}
```

Table 1. Verification sessions in comparison

graphs of local processes are stored in array \( G \). The standard technology now is symbolic manipulation[3, 15, 4] which can be used in both Cartesian product calculation and model-checking. To cope with resource consumption requirement from different verification tasks, very often ingenious strategies have to be devised to keep space and CPU-time under control. To this end, users have to be knowledgeable of the theory of computer-aided verification and traverse through the final product state-graph \( G \).

On the contrary, our method treats state-graphs as high-

*The work is partially supported by NSC, Taiwan, ROC under grant NSC 87-2213-E-001-007.
level data-objects and defines and implements many theoretically proven manipulators to merge, reduce, check them. From users' standpoint, the goal is to construct a verification procedure which composes a representation for global state space from all the state-graphs with manageable space and CPU-time consumption. There are three types of manipulators in our method: $\times$ for binary merge, \texttt{check()} for model-checking, and \texttt{reducers} for reducing the sizes of state-graphs. With the many manipulators in our method, users can easily test different combinations of manipulators.

In table 1(b), we have another example verification session using our method. Users calculate the binary products of state-graphs and intermittently reduce them with different reducer combinations as the users see fit. It is up to users to pick their combinations of manipulators to reduce resource consumptions (memory and CPU time) to fulfill given verification tasks. Just like a mechanic can buy various components from shelves to build her/his dream car, users of our method can also enjoy the technology of CAV without deep understanding of the component technologies and construct the verification procedure better suits them with the manipulations supported in our method.

At this moment, we have successfully developed the several theoretically sound reducers. For each different verification task, there can be a different reducer combination for it which may cost the least memory space and CPU time. One research issue in our method is how to choose a good reducer combination for a given verification task when the number of reducers is large. In section 5, we also present an algorithm based on group theory\cite{13, 14} to pick an efficient reducer combination for a given verification task.

Section 2 briefly describes our problems. Section 3 presents the general framework of our method. Section 4 briefly describes the manipulators we have implemented so far. Section 5 shows an algorithm which uses group theory to find a local optimal combination of manipulators to counter with state-explosion problem. Section 6 illustrates our idea with experiments. Section 7 is the conclusion.

We shall adopt the following notations. Given a set or sequence $F$, $|F|$ is the number of elements in $F$. For each element $e$ in $F$, we also write $e \in F$. Given a sequence $F$, we let $[F]$ be the set of elements used in $F$. $\mathcal{N}$ is the set of nonnegative integers, $\mathbb{Z}$ is the set of integers, and $\mathbb{R}^+$ is the set of nonnegative reals.

2. Problem presentation

We adopt the framework of model-checking for concurrent systems. That is, each verification task is composed of a pair: a system description in dense-time automata and a specification formula in CTL (Computation Tree Logic)\cite{2, 9, 10}. Due to page-limit, we shall only give brief descriptions of both. Interested readers should be directed to \cite{2, 9, 10}.

A real-time concurrent system is composed of many processes. Each process runs autonomously and interacts with others through read-write operations to global variables and timers. In addition, each process has its own local variables and timers which no other processes can access. For a system with $m$ processes, we shall use integer $1, \ldots, m$ to identify the $m$ processes.

In our formalism, all processes run the same program. Thus the system behavior is totally described by a generic process’ program. We shall describe such a program as a process timed mode-transition system (PTMS). Here we have an example.

Example 1: In Figure 1, we draw the PTMS as a timed automaton which is visually readable. The circles are modes and the starting mode is doubly circled. Inside the circles, we put down the mode names and invariance conditions enforced by $I_p$ in the modes. On each transition, we put down the triggering condition $(\nu)$, if any, above the assignment statements $(=)$, if any. For example, in mode $q_p = 1, 0 \leq x_p \leq 1$ must be true for process $p$ where $x_p$ is a local timer. In mode $q_p = 1$, when $x_p < 1$, process $p$ may assign $p$ to variable $t$, reset $x_p$ to zero, and enter mode $q_p = 2$. We also label each transition with boldface number near their sources for later use.

A CTL formulæ has the following syntax.

$\phi ::= x \sim e | y \in e | \exists \phi | \exists \phi \cup \phi'' | \phi' \phi'' | \neg \phi | \phi' \lor \phi''$

Here $x$ is a timer name, $\sim \in \{\leq, <, =, >, \geq\}$, $e$ is a natural constant, and $y$ is a variable name. $\exists \phi'$ means there exists a computation, from the current state, along which $\phi'$ is always true. $\exists \phi' \cup \phi''$ means there exists a computation, from the current state, along which $\phi'$ is true until $\phi''$ becomes true. Traditional shorthands like $\exists, \forall, \exists, \forall, \forall, \land$, and $\rightarrow$, can all be defined.

Example 2: The mutual exclusion specification of Fischer’s protocol in figure 1 is $\forall x \neg \bigwedge_{1 \leq p < p' \leq m} (q_p = 3 \land q_{p'} = 3)$.
3. General framework of verification

Our method can be embodied in a simple language of verification procedure. The language looks like Pascal or C but supports high-level objects with types of integer, state-graphs, and CTL formulas. In the following, we give an example to illustrate how to define a verification procedure in the language.

Merging of state-graphs is performed by the binary ×. Then we have a set of theoretically proven reducers which can be designed by any one. The control of verification procedure can be achieved with nested for-loops indexed on integers and if-statements with conditions on state-graph sizes, graph construction times, and index variables. In table 2, we have an example verification procedure written in the language. Verification procedures always take three arguments. The first, here G, is an array of state-graphs; the second, here m, the number of state-graphs (processes) in the concurrent system; and the third, here φ, the CTL formulas to check with. The array is declared in C-language style. Line (1) and (2) declare variables of state-graph type and integer type respectively. Line (4) iterates the for-loop to merge and reduce the state-graphs. Lines (6) and (7) calculate two alternative combinations of reducers. The if-structure starting at line (8) chooses the reduction result with first the least size and then the least CPU-time for each iteration. For any state-graph H, we let size(H) = NodeCount(H) + ArcCount(H). NodeCount() is a system-defined function which returns the number of nodes in the argument state-graph. Similarly, another function ArcCount() returns the number of arcs in the argument state-graph. Time() is the CPU time used to construct the state-graph in its argument. After the loop from line (4) to (11) is over, H is a reduced representation for the global state space. Then at line (12), we check H against φ.

Since our method allows reasoning on state-graphs as whole objects instead of searching for paths in them, users can test different combination of reducers to achieve their verification tasks from a resource management point of view without deep knowledge of the technology and theory inside the manipulators.

4. Manipulators

In this section, we shall first briefly describe some reducers which we have proven correct and implemented. Potential reduction algorithms in the literature can be found in [19, 17, 3, 6, 16, 18, 1, 7, 11].

4.1. Implemented reducers

The three implemented reducers have all been proven in theory to be correct. We refer readers to [23] for details on their operation and correctness. In this paper, we shall only give a sketchy view on how they work.

4.1.1. ReadWrite() : Variable value stability under concurrent read/write

In concurrent systems, each process behaves in a distinct way by writing specific values to and reading specific values from global variables. For example, in Fischer’s mutual exclusion protocol in figure 1, each process writes only two values, 0 and its identifier, to global variable i. Also when a process reads from i, it only cares if the value is zero or its identifier. Whether the present value of i is the identifier of a particular peer process is of no concern to the reading process. This kind of behavior is actually very common in protocol systems.

Suppose we are given a set H of process identifiers. For a given global variable y, we let D_{H,y} be the set of values written to y by processes with identifiers in H but NOT by processes without identifiers in H. In [23], there is a lemma which says that if we know that for an interval, y starts with value not in D_{H,y} and no process with identifier in H is going to write values in D_{H,y} to y, then we can conclude that at any instant in the interval y does not contain any value in D_{H,y}. Such a lemma helps us to get rid of a lot of states which according to the lemma, will never exist. We have implemented a reducer ReadWrite() based on this lemma.
in [23]. In fact, it is observed from experiments that this reducer has wide applicability to many verification tasks. Thus in our implementation, it is implemented inside the merge operator $\times$.

4.1.2. Shield() : shielded timer elimination

In [23], a timer $x$ at a state is defined shielded if
- $x$ is not used in the specification and
- from that state on, no inequalities of $x$ ever change

Boolean values until $x$ is reset again.

It is then proven as a lemma that two states are equivalent with respect to a model-checking problem instance iff the two states are identical except for the readings of those shielded timers. We have implemented a reducer Shield() based on this lemma.

4.1.3. Symmetry() : Region and transition reduction by symmetry

In a real-time concurrent system with identical processes, utilizing symmetry is a must in efficient verification. The idea in our method is very similar to the one presented in [12] except we extend the symmetry to cover timing inequalities of timers in zones. Basically, we use process identifiers in state information. For example, we may have two states \{l = 0; q_1 = 2; x_1 = 0.5 ; q_2 = 1; x_2 = 0.3\} and \{l = 0; q_1 = 1; x_1 = 0.3 ; q_2 = 2; x_2 = 0.5\} for Fischer’s protocol (fig 1) with concurrency $= 2$. By permuting the identifiers of 1 and 2, we find that the two states become the same. Thus in our verification data-structure, we shall label permutations on transitions. According to [12] and [23], the technique is valuable in verifying systems with identical processes. However, this reduction leaves the state-graph as a multi-graph.

5. Automatic reducer combination for efficient verification

At this moment, we have three reducers in addition to the merge operator $\times$. As mentioned in section 4 that from the literature, there are many reduction algorithms with potential to become new reducers. Different reducers may have different impacts on different verification tasks. Moreover, when the number of reducers is large, sometimes it may become difficult for users to pick a good reducer combination to accomplish their verification tasks. In this section, we shall develop an algorithm based on group theory[13, 14] to automatically pick a “locally optimal” combination for a given task.

Suppose we have $n$ reducers: $C_1$, $C_2$, ..., and $C_n$. We shall simplify the verification procedure construction problem to the verification procedure template in table 3. Thus the goal for the construction of efficient verification procedure is restricted to finding a good sequence $i_1, \ldots, i_k$ from the integer interval $[1, n]$ such that the verification procedure costs less space and time.

Before the presentation of our algorithm, we need to clarify what it aims to achieve. In executing a verification task, there can be a trade-off between space and time requirements. By dynamically deducing information while needed and deleting them while not, we can save a lot of memory space. But repetitively and dynamically creating the same piece of information will certainly take up a lot of CPU time. However, we believe for verification tasks, space management is more important than time management because of the state-space explosion phenomenon. Most verification tasks quickly run out of memory instead of taking too long to complete. Thus our algorithm will pick a reducer sequence with predicted “locally minimal” space requirement.

In the following, we shall first present a structure for reducer sequence groups. Then based on the structure, we shall define local optimality of reducer sequences and present an algorithm for predicting a locally most efficient reducer sequence.

5.1. Structure of reducer sequence groups

Given a set \{C_1, \ldots, C_n\} of $n$ reducers, a reducer sequence is a sequence like $C_{i_1}C_{i_2} \ldots C_{i_k}$ such that \{i_1, \ldots, i_k\} = $k$ and \{i_1, \ldots, i_k\} $\subseteq$ \{1, \ldots, n\}. Suppose we are given a reducer sequence $\gamma = C_{i_1}C_{i_2} \ldots C_{i_k}$. A binary permutation $(j, j')$ on $\gamma$ is a pair of integers, such that $1 \leq j < j' \leq k$, and denotes an operation on $\gamma$ which switches the position of $C_{i_j}$ and $C_{i_{j'}}$ in the sequence. Formally speaking, $\gamma(j, j') = C_{i_1}C_{i_2} \ldots C_{i_k}$ such

![Table 3. A verification procedure template](image)

137
that \( C_{ij} = C_{ij'}, \ C_{ij'} = C_{ik} \), and for all \( 1 \leq h \leq k \) with \( h \neq j \) and \( h \neq j' \), \( C_{kh} = C_{kh} \).

By group theory [13, 14], it is known that every permutation can be constructed as a sequential composition of binary permutations. This further implies that for any two reducer sequences \( \gamma, \gamma' \) composed of the same set of reducers, there is a finite sequence \( \theta_1 \ldots \theta_h \) of binary permutations such that \( \gamma \theta_1 \theta_2 \ldots \theta_h = \gamma' \). For convenience, we adopt left-associativity to interpret the ordering of permutation operations. Thus all reducer sequences composed of the same set of reducers form a connected graph.

We now have to define operations between reducer sequences composed of different sets of reducers. This can be done by the \textit{append} operation. Given reducer sequence \( \gamma = C_{i_1} C_{i_2} \ldots C_{i_k} \) and a reducer \( C \not\subset \{ C_{i_1}, C_{i_2}, \ldots, C_{i_k} \} \), \( \gamma C \) is exactly the new reducer sequence \( C_{i_1} C_{i_2} \ldots C_{i_k} C \).

The following lemma depicts the structures of reducer sequence groups. Remember that at the end of section 1, we defined that for any sequence \( F \), \( |F| \) is the set of elements in \( F \). Due to page-limit, the proof is omitted.

**Lemma 1:** Given a set \( \{ C_1, \ldots, C_n \} \) of reducers, for any two reducer sequences \( \gamma, \gamma' \) constructed from the set, there is a sequence \( \lambda = \gamma_1 \gamma_2 \ldots \gamma_k \) of reducer sequences such that

- \( \gamma = \gamma_i \);
- \( \gamma' = \gamma_k \); and
- for all \( 1 \leq i < k \), one of the following three is true.
  - for some \( 1 \leq j < j' \leq k \), \( \gamma_i(j, j') = \gamma_{i+1} \); or
  - for some \( C \in \{ C_1, \ldots, C_n \} \) - \( [\gamma_i] \), \( \gamma_i C = \gamma_{i+1} \); or
  - for some \( C \in \{ C_1, \ldots, C_n \} - [\gamma_i] \), \( \gamma_i = \gamma_{i+1} C \).

With the operations of binary permutations and appending, we know that we can draw a undirected \textit{reducer sequence graph} (CSG) for a given set of reducers. The nodes in a CSG are reducer sequences while the arcs are determined by if the two nodes can be related by a binary permutation or an appending operation. In fig 2, we have a CSG for three reducers. Lemma 1 says that such a graph is connected.

Two reducer sequences in a CSG are called \textit{neighbors} to each other if we can go from one to the other by a binary permutation or an appending operation. Suppose we have a valuation \( \mathcal{V} \) on all reducer sequences in a CSG=(\( \Gamma, \Omega \)) such that \( \Gamma \) is the set of nodes (reducer sequences), \( \Omega \) is the set of edges, and for all \( \gamma \in \Gamma \), \( \mathcal{V}(\gamma) \in \mathbb{R}^+ \). A reducer sequence \( \gamma \) in the CSG is called a \textit{local minimum} if \( \mathcal{V}(\gamma) \leq \mathcal{V}(\gamma') \) for every neighbor \( \gamma' \) of \( \gamma \) in the CSG.

Our algorithm to pick reducer sequences for efficient verification shall use memory-space consumption increase rate with respect to concurrency as our valuation \( \mathcal{V} \).

5.2. Algorithm to pick a locally most efficient sequence

Suppose we are given a concurrent system presented as \( m \) state-graphs \( G[1], \ldots, G[m] \), with \( m > 4 \), and reducers \( C_1, \ldots, C_n \). Our strategy is to predict the space-complexities of reducer sequences by testing the procedure template on four state-graphs \( (G[1], G[2], G[3], G[4]) \) or some other four picked by users. Since the CSG has size of order \( n \) factorial, it is not feasible to test all the reducer sequences. Our algorithm hinges on the definition of valuations on reducer sequences which reflects how fast the memory space rate and CPU-time consumption rate grow. It will randomly generate a reducer sequence and then start searching the CSG. The search stops when it reaches a local minimal reducer sequence.

There will be two valuations in our method, the major one is for space consumption and the minor one is for CPU-time consumption. We need the minor one because our reducers do not increase the sizes of its argument state-graphs. Thus a naive reducer sequence which leads to minimal space consumption is the sequence of all reducers. However, for a given verification tasks, some reducers may be applied with no effect on the state-graph while still consuming huge amount of CPU-time. Thus it is better if we can also use CPU-time as a minor valuation.
Both the major and the minor valuations are devised on the same idea. Since verification problems usually exhibit at least singly exponential space complexity with respect to concurrency, our algorithm attempts to use the predictions on how fast the exponent base grows as an indication of the memory consumption. If two reducer sequences have the same prediction, then we choose the one with less CPU-time consumption. We define the reduced state-graph $H'_{h}$ inductively with reducer sequence $\gamma$ after each iteration.

- $H'_{2} = \gamma(G[1] \times G[2])$ and
- for each $h > 2$, $H'_{h} = \gamma(H'_{h-1} \times G[h])$

Our algorithm uses the following major valuation $\mathcal{V}_{\gamma}$ to predict the space consumption complexity of a reducer sequence $\gamma$.

$$\mathcal{V}_{\gamma}(\gamma) = \frac{\text{size}(H'_{1})}{\text{size}(H'_{2})} = \frac{(\text{size}(H'_{1}) \times \text{size}(H'_{2}))}{(\text{size}(H'_{2}))^{2}}$$

The design of $\mathcal{V}_{\gamma}(\gamma)$ has the following intuitive. In most verification tasks, complexities are super-exponential. Since we want to predict the complexities of reducer sequences for high concurrency with only composition of up to four processes, we decide to use the "multiplication rate of multiplication rate" as the predicting valuation. The denominator $\text{size}(H'_{2})$ of the first fraction is the multiplication rate of space requirement from concurrency two to three. The numerator $\text{size}(H'_{1})$ of the first fraction is the multiplication rate of space requirement from concurrency three to four. The fraction is thus an indication how fast the space consumption rate multiplies. For most verification tasks for concurrent systems, verification on up to four processes usually takes very little memory space and CPU-time. Thus $\mathcal{V}_{\gamma}(\gamma)$ should be able to give a good prediction on space complexity.

The minor valuation $\mathcal{V}_{\iota}(\gamma)$ is defined similarly in the following way to predict how fast the CPU-time consumption complexity of a reducer sequence $\gamma$ multiplies.

$$\mathcal{V}_{\iota}(\gamma) = \frac{\text{Time}(H'_{1})}{\text{Time}(H'_{2})} = \frac{(\text{Time}(H'_{1})) \times (\text{Time}(H'_{2}))}{(\text{Time}(H'_{2}))^{2}}$$

Table 4 is our algorithm in picking a reducer sequence for efficient verification. The termination of its execution is guaranteed because the CSG is finite and the search stops when $\gamma$ is no greater than its neighbors with respect to $\mathcal{V}_{\gamma}(\gamma)$ and $\mathcal{V}_{\iota}(\iota)$. In section 6, we shall have experiment data to justify our algorithm.

Before we leave this section, there is a legitimate question to ask: why do we only use four processes to predict the complexity? Indeed, we can use a larger number of processes to make more accurate prediction with redefinition of $\mathcal{V}_{\gamma}(\gamma)$ as, say

$$\mathcal{V}_{\gamma}(\gamma) = \frac{\text{size}(H'_{10})}{\text{size}(H'_{20})} = \frac{(\text{size}(H'_{10})) \times (\text{size}(H'_{20}))}{(\text{size}(H'_{20}))^{2}}$$

But this prediction will cost more space and CPU-time to calculate. And for a lot of inefficient reducer sequences, they may already run out of memory before the construction of $H'_{8}$. Thus, "four" is a safe minimum which allows most reducer sequences to complete their predictions.

6. Experiment

We have conducted experiments on our methods of verification on the large. At this moment, we have implemented the merge operator $\times$, three reducers: readwrite(), shield(), and symmetry(). We test our method on Fischer’s timed mutual exclusion protocol in figure 1 and the simple mutual exclusion protocol in figure 3. In the following, we have collected data on the effects of different reducer sequences.

In table 5 and 6, we have shown the graph sizes in mode counts, transition counts, and their sums for small mutual exclusion protocol (figure 3) and the Fischer’s protocol (figure 1) respectively.

Now we compare the data with our predicting valuation $\mathcal{V}_{\gamma}(\gamma)$. In table 5, for reducer sequence $A$, $B$, $C$, $D$, and $E$, $\mathcal{V}_{\gamma}(A) = \frac{42,000,000}{2,200} \approx 0.809$, $\mathcal{V}_{\gamma}(B) = \frac{32,000,000}{2,000} \approx 0.851$, $\mathcal{V}_{\gamma}(C) \approx 0.810$, $\mathcal{V}_{\gamma}(D) \approx 0.789$, and $\mathcal{V}_{\gamma}(E) \approx 0.789$. As we can see that the valuation indeed gives a good prediction of how fast the multiplication rate grows. It is observed that by permuting the shield() and the symmetry() reducer, there is no difference made with respect to the space complexity prediction. Thus we can further calculate $\mathcal{V}_{\gamma}(D) = \frac{0.64}{0.64} = 0.64$ and $\mathcal{V}_{\gamma}(E) = 0.6$. And we see from table 5, reducer sequence $E$ indeed looks like to have the smallest space and time complexity.

In table 6, for reducer sequence $A$, $B$, $C$, $D$, and $E$, $\mathcal{V}_{\iota}(A) = \frac{230,000,000}{52,252} \approx 1.246$, $\mathcal{V}_{\iota}(B) = \frac{181,000,000}{76,000} \approx 0.905$, $\mathcal{V}_{\iota}(C) \approx 0.946$, $\mathcal{V}_{\iota}(D) \approx 0.752$, and $\mathcal{V}_{\iota}(E) \approx 0.752$. Again the valuation indeed gives a good prediction of how fast the multiplication rate grows. Since reducer sequence $D$ and $E$ tie in space complexity predica-
### Table 4. Our reducer sequence picking algorithm

<table>
<thead>
<tr>
<th>n</th>
<th>2</th>
<th>3</th>
<th>4</th>
<th>5</th>
<th>6</th>
<th>7</th>
<th>8</th>
</tr>
</thead>
<tbody>
<tr>
<td>A</td>
<td>14/28/42</td>
<td>571/165/222</td>
<td>203/746/949</td>
<td>725/3040/3765</td>
<td>2646/12003/14649</td>
<td>10469/49411/59880</td>
<td>O/M</td>
</tr>
<tr>
<td>B</td>
<td>11/22/33</td>
<td>51/149/200</td>
<td>215/817/1032</td>
<td>850/3759/4609</td>
<td>3311/15864/19175</td>
<td>13430/66567/79997</td>
<td>O/M</td>
</tr>
<tr>
<td>C</td>
<td>8/14/22</td>
<td>15/35/50</td>
<td>24/68/92</td>
<td>35/116/151</td>
<td>46/171/217</td>
<td>60/251/311</td>
<td>76/357/433</td>
</tr>
<tr>
<td>D</td>
<td>6/11/17</td>
<td>12/29/41</td>
<td>20/58/78</td>
<td>30/100/130</td>
<td>42/157/199</td>
<td>56/231/287</td>
<td>72/324/396</td>
</tr>
<tr>
<td>E</td>
<td>6/11/17</td>
<td>12/29/41</td>
<td>20/58/78</td>
<td>30/100/130</td>
<td>42/157/199</td>
<td>56/231/287</td>
<td>72/324/396</td>
</tr>
</tbody>
</table>

D: ×, readwrite(), shield(); C: ×, readwrite(), symmetry()
C: ×, readwrite(); shield(); E: ×, readwrite(), symmetry(), shield(); O/M: Out of Memory

### Table 5. Small Mutual Exclusion Protocol Example

<table>
<thead>
<tr>
<th>n</th>
<th>2</th>
<th>3</th>
<th>4</th>
<th>5</th>
<th>6</th>
<th>7</th>
<th>8</th>
</tr>
</thead>
<tbody>
<tr>
<td>A</td>
<td>14/28/42</td>
<td>571/165/222</td>
<td>203/746/949</td>
<td>725/3040/3765</td>
<td>2646/12003/14649</td>
<td>10469/49411/59880</td>
<td>O/M</td>
</tr>
<tr>
<td>B</td>
<td>11/22/33</td>
<td>51/149/200</td>
<td>215/817/1032</td>
<td>850/3759/4609</td>
<td>3311/15864/19175</td>
<td>13430/66567/79997</td>
<td>O/M</td>
</tr>
<tr>
<td>C</td>
<td>8/14/22</td>
<td>15/35/50</td>
<td>24/68/92</td>
<td>35/116/151</td>
<td>46/171/217</td>
<td>60/251/311</td>
<td>76/357/433</td>
</tr>
<tr>
<td>D</td>
<td>6/11/17</td>
<td>12/29/41</td>
<td>20/58/78</td>
<td>30/100/130</td>
<td>42/157/199</td>
<td>56/231/287</td>
<td>72/324/396</td>
</tr>
<tr>
<td>E</td>
<td>6/11/17</td>
<td>12/29/41</td>
<td>20/58/78</td>
<td>30/100/130</td>
<td>42/157/199</td>
<td>56/231/287</td>
<td>72/324/396</td>
</tr>
</tbody>
</table>

7. Conclusion

We propose a method which treats state-graphs as data-objects and allows the definition of state-graph manipulators as a user-friendly way to package complex technology of computer-aided verification. The success of the method depends on if many more state-graph manipulators can be developed and proven correct.

### References


Table 6. Fischer's Mutual Exclusion Protocol Example

<table>
<thead>
<tr>
<th></th>
<th>#Modes/#Transitions</th>
<th>Construction Time (seconds)</th>
</tr>
</thead>
<tbody>
<tr>
<td>A</td>
<td>70/160/230</td>
<td>28593/120850/149443</td>
</tr>
<tr>
<td></td>
<td>0.06</td>
<td>218.65</td>
</tr>
<tr>
<td>B</td>
<td>31/70/101</td>
<td>1224/4149/5173</td>
</tr>
<tr>
<td></td>
<td>0.07</td>
<td>12.85</td>
</tr>
<tr>
<td></td>
<td>0.95</td>
<td>5804/28451/34255</td>
</tr>
<tr>
<td></td>
<td>0.08</td>
<td>204.99</td>
</tr>
<tr>
<td>C</td>
<td>36/60/116</td>
<td>1270/6357/7627</td>
</tr>
<tr>
<td></td>
<td>0.08</td>
<td>185.80</td>
</tr>
<tr>
<td></td>
<td>3.30</td>
<td>O/M</td>
</tr>
<tr>
<td>D</td>
<td>16/35/51</td>
<td>76/247/323</td>
</tr>
<tr>
<td></td>
<td>0.07</td>
<td>2.92</td>
</tr>
<tr>
<td></td>
<td>0.61</td>
<td>130/472/602</td>
</tr>
<tr>
<td></td>
<td>0.07</td>
<td>204/810/1014</td>
</tr>
<tr>
<td></td>
<td>0.89</td>
<td>10.69</td>
</tr>
<tr>
<td>E</td>
<td>39/109/148</td>
<td>76/247/323</td>
</tr>
<tr>
<td></td>
<td>0.08</td>
<td>4.66</td>
</tr>
<tr>
<td></td>
<td>0.89</td>
<td>130/472/602</td>
</tr>
<tr>
<td></td>
<td>0.08</td>
<td>204/810/1014</td>
</tr>
<tr>
<td></td>
<td>0.89</td>
<td>17.87</td>
</tr>
<tr>
<td></td>
<td>0.89</td>
<td>61.19</td>
</tr>
<tr>
<td></td>
<td>0.89</td>
<td>212.40</td>
</tr>
</tbody>
</table>


