Noname manuscript No.

(will be inserted by the editor)

Symbolic Computation of Strongly Connected Components and Fair Cycles Using Saturation
Yang Zhao Gianfranco Ciardo

the date of receipt and acceptance should be inserted later

Abstract The computation of strongly connected components (SCCs) in discrete-state models is a critical step in formal verication of LTL and fair CTL properties, but the potentially huge number of reachable states and SCCs constitutes a formidable challenge. We consider the problem of computing the set of states in SCCs or terminal SCCs in an asynchronous system. We employ the idea of saturation, which has shown clear advantages in symbolic state-space exploration [9, 30], to improve two previously proposed approaches. We use saturation to speed up state exploration when computing each SCC in the Xie-Beerel algorithm, and we compute the transitive closure of the transition relation using a novel algorithm based on saturation. Furthermore, we show that the techniques we developed are also applicable to the computation of fair cycles. Experimental results indicate that the improved algorithms using saturation achieve a substantial speedup over previous BFS algorithms. In particular, with the new transitive closure computation algorithm, up to 10150 SCCs can be explored within a few seconds.

1 Introduction Finding strongly connected components (SCCs) is a basic problem in graph theory. For discrete-state models, some interesting properties, such as those expressible in LTL [19] and fair CTL [12], are correlated with the existence of SCCs in the state-transition graph. The same problem is also central to the language emptiness check for -automata [17, 19]. For large discrete-state models, it is impractical to nd SCCs using explicit depth-rst Department of Computer Science and Engineering University of California, Riverside {zhaoy, ciardo}@cs.ucr.edu

state-space search [26] since its complexity is at least linear in the size of the graph, motivating the study of symbolic SCC computation. In this paper, the objective is to build the set of states in SCCs. The structure of SCCs in a graph is captured by its quotient graph, obtained by collapsing each SCC into a single node. This graph is acyclic, thus denes a partial order on the SCCs. Terminal SCCs (or bottom SCCs ) are nontrivial SCCs corresponding to leaf nodes in the quotient graph. For Markov chains [25] it is important to classify the reachable states as recurrent (belonging to terminal SCCs) or transient (all other states), since the probability that a Markov chain returns to a given state equals 1 i that state is recurrent. The complexity of these problems arises from two aspects: having to explore a huge state space (almost always the case in real-life problems) and having to deal with a large number of SCCs or terminal SCCs (sometimes the case in real-life problems). The former, known as state explosion [12], is the main obstacle to formal verication due to the obvious burden it imposes on computational resources. Traditional BDD approaches cope with this problem by employing image and preimage computations for state-space exploration but, while successful for fully synchronous systems [6], they do not work as well for asynchronous systems [9]. The latter constitutes the bottleneck for one class of previous work [28, 29], which enumerates SCCs one by one. Section 2.3 analyzes this problem in more detail. We address the computation of states in SCCs or terminal SCCs by improving two previous approaches: one proposed by Xie-Beerel (XB) [28, 29] and one based on computing the transitive closure (TC) of the transition relation [17]. We apply the saturation algorithm [9] to both to cope with the cost of state-space exploration. Our previous work demonstrated clear advantages for

Yang Zhao, Gianfranco Ciardo

saturation in state-space generation [9] (summarized in Section 2.2) and CTL model checking [10, 30] over traditional symbolic approaches. In this paper, we employ saturation for SCC analysis. Saturation greatly improve the XB algorithm over its original version using BFS. With regards to a potentially huge number of SCCs, the TC algorithm has the advantage of exploring all SCCs symbolically instead of enumerating them one by one. However, as previously proposed, computing the TC often requires large amount of runtime and memory [17], to the point that [22] claims that the TC algorithm is infeasible for large examples. To disprove this myth, we propose a new saturation algorithm to compute the TC, making it a practical method of SCC computation for complex systems. Furthermore, we present an algorithm to compute the recurrent states (i.e., states in terminal SCCs) based on the TC. Then, we consider fair cycle detection, a problem related to SCC computation, but even more challenging. In Section 6, we discuss algorithms for detecting fair cycles satisfying Streett fairness (strong fairness) [23]. The remainder of this paper is organized as follows. Section 2 introduces the relevant background on the data structures we use and saturation. Section 3 presents a constrained saturation algorithm that limits state-space exploration to a given set of states. Section 4 introduces an improved XB algorithm using saturation. Section 5 proposes our new algorithm to compute the TC using saturation and the corresponding algorithms for SCC and terminal SCC computation. Section 6 deals with the problem of nding fair cycles. Section 7 compares the performance of our algorithms and Lockstep. We discuss future work in the last section. 2 Preliminaries Consider a discrete-state model (S , Sinit , E , N ) where: the potential state space S is given by the product SL S1 of the nite local state spaces of L submodels, so that each (global) state i is a tuple (iL , , i1 ), where ik Sk , for L k 1; the set of initial states is Sinit S ; the set of (asynchronous) events is E ; the next-state function N : S 2S is described in disjunctively partitioned form as N = E N , where N (i) is the set of states that can be nondeterministically reached in one step when event res in state i. We say that is enabled in state i if N (i) = . Cor1 respondingly, N 1 and N denote the previous-state 1 functions, e.g., N (i) is the set of states that can reach i in one step by ring event .

In this paper, i, j, and k denote single states, X and Y denote sets of states, and N , possibly with a subscript or superscript, denotes a next-state function. Locality is a fundamental property enjoyed by asynchronous systems, expresses the fact that most events aect only few systems components: An event is independent of the k th submodel if its enabling does not depend on ik and its ring does not change the value of ik . If is not independent of k th submodel, k is in the support of event , written as k supp(). Let Top () be the top index in supp(), and Ek be the set { E : Top () = k }. Let Nk be the next-state function corresponding to all events in Ek , i.e., Nk = Ek N . The problem of state-space generation refers to computing the set Srch of states reachable from Sinit . Section 2.2 recalls our state-space generation algorithm, saturation, executed prior to SCC computation as a preprocessing step. Thus, Srch , the sets Sk , and their sizes nk are assumed known in the following discussion, and we let Sk = {0, ..., nk 1} without loss of generality. 2.1 Symbolic encoding of discrete-state systems We employ multi-way decision diagrams (MDDs) [18] to encode discrete-state systems. MDDs extend binary decision diagrams (BDDs) by allowing integer-valued variables, thus are suitable for discrete-state models with unknown (but hoped to be bounded) state spaces, such as Petri nets [21]. An MDD has two possible terminal nodes, 0 and 1, and a single root node. A set of states is encoded with an L-level quasireduced MDD. Given a node a, its level is denoted with a.lvl where L a.lvl 0, a.lvl = 0 if a is 0 or 1, and a.lvl = L if a is the root node. If a.lvl = k > 0, then a has nk outgoing edges, each labeled with a dierent ik Sk . The node pointed by the edge labeled with ik is denoted a[ik ] and, if not 0, it must be at level k 1. Turning to the encoding of the next-state functions, locality can be exploited to obtain a compact symbolic expression. Since Ek does not aect iL , . . . , ik+1 , N ((iL , . . . , i1 )) can be obtained as {(iL , . . . , ik+1 )} N ((ik , . . . , i1 )). In other words, N only needs to be applied to the lower k state components, thus, when a set of states is encoded with an MDD, ring N on them only modies the sub-MDDs rooted at level k of the MDD. The next-state function N is encoded using a 2L-level MDD, with levels ordered L, L , ..., 1, 1 , where unprimed and primed levels describe from and to states, respectively, and we let U (k ) = U (k ) = k . We use quasi-identity-fully (QIF) reduced [27] MDDs to encode next-state functions. This means that, for Ek ,

Symbolic Computation of Strongly Connected Components and Fair Cycles Using Saturation

N is encoded with a 2k -level MDD, so that the application of N only needs to start at level Top (). We use lowercase letters to denote MDD nodes and refer to an MDD by its root node, thus, MDD a means the MDD rooted at node a. MDD a encodes a set B (a) Sa.lvl S1 of (sub)-states, corresponding to the paths from a to 1. However, to simplify notation, we identify some global quantities with their MDDs, e.g., N means either the next-state function or the MDD encoding it, depending on the context. Given a set of states X = B (x) = S , the computation of N (X ) can be implemented with the symbolic operator RelProd , which takes an L-level MDD and a 2L-level MDD in input and returns an L-level MDD: N (X ) = B (RelProd (x, N )). In our pseudocode, we use the following functions: (forward image) (backward image) ImageF (x) ImageB (x) RelProd (x, N ), RelProd (x, N 1 ).

mdd SaturateF (mdd s) 1 if InCache SaturateF (s, t) then return t; dont repeat work 2 level k s.lvl ; 3 mdd t 0; 4 foreach i Sk s.t. s[i] = 0 do rst, saturate nodes below 5 t[i] SaturateF (s[i]); 6 endfor; 7 repeat keep ring Nk until reaching convergence 8 foreach i, i Sk s.t. Nk [i][i ] = 0 do 9 t[i ] Union (t[i ], RelProdSat (t[i], Nk [i][i ])); 10 endfor; 11 until t does not change; 12 t InsertUT (t); Unique Table to avoid duplicate nodes 13 CacheAdd SaturateF (s, t); to avoid repeating work later 14 return t; mdd RelProdSat (mdd s, r ) 1 level k s.lvl ; 2 mdd t 0; 3 if s = 1 and r = 1 then return 1; endif; terminal case 4 if InCache RelProdSat (s, r, t) then return t; endif; 5 foreach i, i Sk s.t. r [i][i ] = 0 do 6 t[i ] Union (t[i ], RelProdSat (s[i], r [i][i ])); 7 endfor; 8 t InsertUT (t); analogous to RelProd until here... 9 t SaturateF (t); ...but now we saturate t before returning 10 CacheAdd RelProdSat (s, r, t); 11 return t; Fig. 1 The (forward) saturation algorithm.

Using MDDs does not lead to higher eciency than BDDs, or even than explicit approaches (decision diagrams are, after all, heuristics). Furthermore, as with BDDs, the chosen variable order greatly aects the size and eciency of MDDs, but choosing an optimal variable order is hard [4]. We use MDDs instead of BDDs in our work because it is easier to cope with models whose local state spaces are not known a priori, such as Petri nets, by letting the size of MDD nodes grow on the y during state-space generation [9, 27]. 2.2 State-space generation using saturation All symbolic x state-space generation algorithms use some variant of symbolic image computation. The simplest approach is a breadth-rst search (BFS) directly implementing the denition of Srch as the xed point Sinit N (Sinit ) N 2 (Sinit ) . The forward reachable states from a set of states X can be computed by ReachF (X ) = X N (X ) N 2 (X ) . Analogously, we let ReachB (X ) = X N 1 (X ) N 2 (X ) . Saturation employs a dierent approach, recursively computing local xpoints and exploiting locality in the next-state functions. The key idea is to re events in an order consistent with their Top : we attempt ring events in Ek on node a at level k only after having exhaustively red events in Eh , for all h < k , on nodes below a, until no new states are found. Then, a is saturated if it is a xed point w.r.t. events independent of the levels above k : h, k h 1, Eh , B (a) N (B (a)). Figure 1 shows the pseudocode of the saturation algorithm. Given a discrete-state model, NL , ..., N1 are

globally available. The pseudocode shows a forward exploration, as it uses the next-state functions, but it can naturally be used for backward exploration by replac1 ing Nk with Nk . The input parameter s is the root node to be saturated, thus it is initially set to the root of the MDD encoding Sinit . SaturateF saturates the nodes of MDD s in order, from the bottom level to the top level. Unlike the traditional relational product operation, RelProdSat always returns a saturated MDD. 2.3 Previous work Symbolic SCC analysis has been widely explored [13 16, 22, 24], and much eort has been spent on computing the SCC hull. A family of SCC hull algorithms [24] employing BFS iteration is available. Although closely related, there is crucial dierence between SCC hull computation and our work, because an SCC hull contains not only states in nontrivial SCCs, but also states on the paths between them, constituting a superset of our desired result. In non-probabilistic model checking, computing the SCC hull aims at detecting the existence of reachable fair cycles, which is critical to verify fair CTL, LTL and -automata properties. However, for Markov chains, the aim of SCC analysis is to collect the states belonging to (trivial or nontrivial) terminal SCCs [2, 11],. To this end, an SCC hull must be further decomposed into states in an SCC and those not. To the

Yang Zhao, Gianfranco Ciardo

mdd Lockstep (mdd p) initially, B(p) = Srch 1 if (p = 0) then return 0; 2 mdd s P ickState(p); pick a seed s from B(p) 3 mdd a 0; a accumulates the answer 4 mdd f 0; f accumulates the forward set from s 5 mdd b 0; b accumulates the backward set from s 6 mdd c 0; c will be the SCC containing s, if any 7 mdd f Intersect (ImageF (s), p); 8 mdd b Intersect (ImageB (s), p); 9 while f = 0 and b = 0 do 10 f Union (f, f ); 11 b Union (b, b ); 12 f Di (Intersect (ImageF (f ), p), f ); 13 b Di (Intersect (ImageB (b ), p), b); 14 endwhile; 15 if (f = 0) then 16 mdd v f ; v remembers the set that converged rst, f 17 while Intersect (b , f ) = 0 do continue exploring backward 18 b Di (Intersect (ImageB (b ), p), b); 19 b Union (b, b ); 20 endwhile; 21 else 22 mdd v b; v remembers the set that converged rst, b 23 while Intersect (f , b) = 0 do continue exploring forward 24 f Di (Intersect (ImageF (f ), p), f ); 25 f Union (f, f ); 26 endwhile; 27 endif; 28 if Intersect (f, b) = 0 then 29 c Intersect (f, b); s belongs to the nontrivial SCC c 30 endif; 31 a Union (c,Lockstep (Di (v,c)),Lockstep (Di (p,Union (v,s)))); divide and conquer in the remaining state space 32 return a; mdd XB TSCC (mdd p) initially, B(p) = Srch 1 mdd a 0; a collects the states in nontrivial terminal SCCs 2 mdd s, f, b; 3 while (p = 0) do 4 s P ickState(p); pick a seed s from B(p) 5 f Intersect (ReachF (s), p); 6 b Intersect (ReachB (s), p); 7 if Di (f, b) = 0 then B(f ) is a subset of B(b) 8 a Union (a, f ); add the new terminal SCC to a 9 endif; 10 p Di (p, b); dont consider the states in B(b) again 11 endwhile; 12 return a; Fig. 2 Lockstep for SCC computation and XB algorithm for

best of our knowledge, no existing ecient symbolic algorithm is available for this task. Hence, SCC hull computation algorithms are not applicable to our problem and we will not discuss them further. Instead, we review two categories of related previous work, which can compute the precise set of states in SCCs: the TC and the XB algorithms. Hojati et al. [17] presented a symbolic algorithm to test -regular language containment by computing the TC N N 2 N 3 . Section 5 discusses the TC in more detail. Matsunaga et al. [20] proposed a symbolic procedure to compute the TC but the runtime is so poor that building the TC has long been considered impractical for complex systems. Xie et al. [29] proposed an algorithm, referred to as the XB algorithm in this paper, combining explicit state enumeration and symbolic state-space exploration. They explicitly pick a state as a seed, compute the forward and backward reachable states from the seed, and nd the SCC containing this seed as the intersection of these two sets of states. Bloem et al. [3] presented an improved algorithm called Lockstep (Figure 2) which, given a seed, instead of computing the forward and backward reachable states separately, it alternates BFS iterations between the two so that it can stop as soon as one of the two converges. This optimization achieves a O(n log n) complexity, compared to the O(n2 ) of the XB algorithm, computed in terms of number of image and preimage computations, where n is the number of reachable states. Our experiments show that Lockstep works very well when the number of SCCs is manageable. However, as the number of SCCs grows, the exhaustive enumeration of SCCs becomes an formidable problem for both the XB and the Lockstep algorithms. Xie et al. [28] proposed a similar idea to compute the recurrent states in large Markov chains (XB TSCC in Figure 2). From a randomly picked seed, if the set of forward reachable states B (f ) is a subset of the set of backward reachable states B (b), then B (f ) is a terminal SCC; otherwise, B (b) contains no terminal SCC and can be eliminated from further consideration. Functions ReachF and ReachB were implemented using BFS. Our work is the rst to employ saturation in SCC analysis. The two approaches we propose build upon the above two previous approaches. For the XB algorithm, we replace BFS state-space exploration with saturation. For the TC approach, we propose a new algorithm to compute TC using saturation.

terminal SCC computation.

3 Constrained saturation The motivation behind the constrained saturation algorithm [30] is the computation of the CTL operator

E[aUb], which returns the set of states backward reachable from states satisfying property b through paths satisfying property a. To constrain the state-space exploration to a set of states a, a BFS approach can simply intersect the newly reached states with a after each step. If we used a similar idea in ordinary saturation, however, intersection operations would have to be executed after each event ring, destroying the efciency of saturation. Constrained saturation uses instead a check-and-re strategy that constrains the

Symbolic Computation of Strongly Connected Components and Fair Cycles Using Saturation
mdd ConsSatB (mdd a, mdd s) 1 if InCache ConsSatB (a, s, t) then return t; 2 level l s.lvl ; 3 mdd t 0; 4 foreach i Sl s.t. s[i] = 0 do rst, saturate nodes below 5 if a[i] = 0 then 6 t[i] ConsSatB (a[i], s[i]); 7 else no new state in this sub-space since a[i] = 0 8 t [ i ] s[ i ] ; 9 endif; 10 endfor; 11 repeat compute the local xed point 12 foreach i, i Sl s.t. Nl1 [i][i ] = 0 do 13 if a[i ] = 0 then execute only if the resulting states are in a 14 t[i ] Union (t[i ], ConsRelProdB (a[i ], t[i], Nl1 [i][i ])); 15 endif; 16 until t does not change; 17 t InsertUT (t); 18 CacheAdd ConsSatB (a, s, t); 19 return t; mdd ConsRelProdB (mdd a, mdd s, mdd r ) 1 if s = 1 and r = 1 then return 1; 2 if InCache ConsRelProdB (a, s, r, t) then return t; 3 level l s.lvl ; 4 mdd t 0; 5 foreach i, i Sl s.t. r [i][i ] = 0 do 6 if a[i ] = 0 then execute only if the resulting states are in a 7 t[i ] Union (t[i ], ConsRelProdB (a[i ], s[i], r [i][i ])); 8 endif; 9 endfor; 10 t ConsSatB (a, InsertUT (t)); saturate t before returning 11 CacheAdd ConsRelProdB (a, s, r, t); 12 return t; Fig. 3 Constrained (backward) saturation to compute EU.

as enumerating states one by one in the worst case. However, [9, Theorem 1] demonstrates that saturation can avoid building many MDD node that only appear in intermediate results, thus tends to result in much more compact MDDs. Saturation is experimentally superior to BFS for the local-synchronous-global-asynchronous systems we studied. This is also reected in the comparison with Lockstep in the next section.

4 Using saturation in the XB algorithm A natural improvement to the XB algorithm is to employ saturation to explore the forward and backward reachable states. Figure 4 shows the pseudocode of our algorithms: the two versions of XBSat shown in the gure compute the states in SCCs, or just in the terminal SCCs, respectively. Unlike Lockstep, which uses the set that converges rst to bound the other, our algorithm cannot interleave the two computations or even predict which one will converge rst, since saturation does not run in a step-by-step manner. One obvious approach is then to run a forward and a backward saturation and intersect the results. However, we experimentally found that we can do better by bounding one of the two saturations with the other. In Figure 4, for example, we always bet on forward exploration and use it to bound backward exploration (Line 7). This bet is of course most benecial when (unconstrained) backward exploration is much slower than forward exploration. Thus, there is a trade-o between using the slower BFS, which however allows us to interleave the two explorations, and the faster saturation, which does not. Performance is also aected by which seed is picked in each iteration and, for a fair comparison, we pick the same seed in both algorithms at each iteration. Both our new algorithm and Lockstep improve the original XB algorithm, in dierent ways. Lockstep aims at reducing the number of steps by carefully scheduling the image and preimage computations, while our algorithm leverages event locality. Measuring complexity in number of BFS steps, O(n log n) for Lockstep [3], is not meaningful for saturation, which uses light-weight event rings instead of global image computations. Moreover, we argue that the number of steps is too rough a measure of complexity because the cost of each symbolic step varies greatly, exponentially with the number of levels in the worst case. Instead, saturation aims at reducing the real cost in symbolic manipulation: as mention in Section 3, it avoids building many unnecessary intermediate MDD nodes. Thus, while Lockstep ensures a tight bound on the number of steps, saturation often executes fewer node operations, thus lower runtime and memory requirements. Our experimental results show

exploration to a in each recursive call of the relational product. The idea of constrained saturation is based on the following observation: B (t) = RelProd (s, r) B (a) B (t[i ]) =
iSl

(RelProd (s[i], r[i][i ]) B (a[i ])) ,

where t and s are l-level MDDs encoding sets of states and r is a 2l-level MDD encoding a next-state function. This can be considered an extension of the wellknown ITE operator [5], from boolean to integer variables. The overall process of EU computation based on constrained saturation is shown in Figure 3, where a is the constraint and s is the set being saturated. The key dierences from the saturation algorithm of [9] are marked with a . The new states found by applying a next-state function are guaranteed to satisfy a. Neither saturation nor constrained saturation improve the theoretical computational complexity compared to the corresponding BFS algorithms. First, saturation could degrade to BFS if all events fall in EL . Second, both saturation and BFS may perform as bad

6
mdd XBSat (mdd p) initially, B(p) = Srch 1 if p = 0 then return 0; endif; 2 mdd a 0; 3 mdd s PickState (p); pick a seed s from B(p) 4 mdd f Intersect (ImageF (s), p); 5 mdd b Intersect (ImageB (s), p); 6 mdd f Intersect (SaturateF (f ), p); forward reachable states from s in p 7 mdd b Intersect (ConsSatB (f, b ), p); the intersection of backward and forward reachable states 8 if b = 0 then a b; endif; b = is a set of states in an SCC 9 a Union (a, XBSat (Di (f, b)), XBSat (Di (p, f ))); divide and conquer in the remaining state space 10 return a; 7 mdd b Intersect (SaturateB (b ), p); backward reachable states from s in p 8 if Di (f, b) = 0 then a Union (a, f ); endif; B(f ) is a terminal SCC if B(f ) B(b) 9 a Union (a, XBSat (Di (p, b))); recursion in the remaining state space 10 return a; Fig. 4 Improved XB algorithm using saturation (Lines 7 10 compute SCCs, Lines 710 compute terminal SCCs).

Yang Zhao, Gianfranco Ciardo

events exhaustively until the local xed point is obtained. This procedure ensures the following properties. Property 1: Given a k -level MDD a and 2k -level MDD n, TransClosSat (a, n) returns a 2k -level MDD t s.t. (i, j) B (n), k B (ConsSatB (a, j)) (i, k) B (t). Property 2: TransClosSat (Srch , N 1 )) = T 1 . The top-level pseudocode of the SCC computation using TC is shown as SCC TC in Figure 5. Function TCtoSCC extracts all states i such that (i, i) T 1 . Unlike SCC enumeration algorithms such as XB or Lockstep, a TC approach does not necessarily suer from a large number of SCCs. Nevertheless, due to the complexity of building T 1 , this approach had been considered infeasible for complex systems. By employing saturation, instead, our algorithm to compute T 1 completes on some large models, such as the dining philosopher problem with 1000 philosophers, while, for models containing many SCCs, it may succeed where other algorithms have no hope. Thus, while the TC approach is not as robust as Lockstep, it can be used as an alternative to it when Lockstep cannot enumerate all SCCs. T 1 can also be used to nd recurrent states, i.e., states in terminal SCCs. State j is in a terminal SCC if, for any state i, j i i j. Given two states i, j, let j i mean j i and i j. We can encode this relation with a 2L-level MDD, obtained as T 1 \ T . The pseudocode for this algorithm is shown as TSCC TC in Figure 6. The set {(i, j) | j i} is encoded with a 2L-level MDD r . Then, the set of states {j | i, j i}, which do not belong to terminal SCCs, is computed by existentially quantifying out the unprimed levels (Line 5), and stored in MDD nontscc. All other states are the recurrent states belonging to terminal SCCs. To the best of our knowledge, this is the rst TCbased algorithm for terminal SCC computation. This algorithm is more costly in runtime and memory than SCC computation because of the need to obtain the relation. However, by employing TransClosSat , it works for most of the models we considered. Moreover, for models with a huge number of terminal SCCs, this algorithm is, again, the only feasible approach.

that, for most models we studied, the improved XB algorithm using saturation outperforms Lockstep, sometimes by orders of magnitude. 5 Computing the TC with saturation We now dene the forward and the backward TC, T and T 1 , of a discrete-state model. Denition 1 The transitive closure T Srch Srch contains all (i, j) such that there is a nontrivial (i.e., positive length) path from i to j, denoted by i j. Analogously, we let (i, j) T 1 i j i. T 1 represents relations between pairs of states, and thus it can be encoded with a 2L-level MDD with the same variable order with next-state functions. ik is placed on level k (unprimed level) and jk on level k (primed level), where U (k ) = U (k ) = k . As T and T 1 are symmetric, we focus on the algorithm to compute T 1 . After T 1 has been built, T is obtained by simply swapping the unprimed and primed levels in the MDD encoding T 1 , written as T = Invert (T 1 ). We base our algorithm on the following observation: (i, j) T 1 k N 1 (i)j B (ConsSatB (Srch , s)), where B (s) = {k}. Instead of running saturation on j for each pair (i, j), we propose an algorithm that executes on the 2L-level MDD encoding N 1 . Line 1 in function SCC TC of Figure 5 computes T 1 by calling TransClosSat , which runs bottom-up recursively. As for the constrained saturation in Figure 3, this function runs node-wise on primed level and res lower level

6 Fair cycles One application of the SCC computation is to check the language emptiness of an -automaton. The language of an -automaton is nonempty if there is a nontrivial cycle which satises a certain fairness condition, i.e., a fair cycle. Thus, it is necessary to extend the SCC computation to nding fair cycles. Two widely used fairness conditions are B uchi fairness (weak fairness) and Streett fairness (strong fairness) [12].

Symbolic Computation of Strongly Connected Components and Fair Cycles Using Saturation
mdd SCC TC (N 1 ) 1 mdd T 1 TransClosSat (Srch , N 1 ); 2 mdd SCC TCtoSCC (T 1 ); 3 return SCC ; mdd TransClosSat (mdd a, mdd n) 1 if n = 1 then return 1; endif; 2 if InCache TransClosSat (a, n, t) then return t; endif; 3 level k n .lvl ; L U (k ) 1 4 mdd t 0; 1 5 mdd r NU ; (k ) 6 foreach i, j Sk s.t. n[i][j ] = 0 do 7 if a[j ] = 0 then rst, saturate nodes below 8 t[i][j ] TransClosSat (a[j ], n[i][j ]); 9 else no new path in this sub-space since a[i] = 0 10 t[i][j ] n[i][j ]; 11 endif; 12 endfor; 13 foreach i SU (k) s.t. n[i] = 0 do 14 repeat compute the local xed point 15 foreach j,j SU (k) s.t. n[i][j ] = 0r [j ][j ] = 0a[j ] = 0 do r is applied to the primed levels of n 16 t[i][j ]Union (t[i][j ],TCRelProdSat (a[j ],t[i][j ],r [j ][j ])); 17 endfor; 18 until t does not change; 19 endfor; 20 t InsertUT (t); 21 CacheAdd TransClosSat (a, n, t); 22 return t; t is a 2L-level MDD encoding TransClosSat (a, n) mdd TCRelProdSat (mdd a, mdd n, mdd r ) 1 if n = 1 and r = 1 then return 1; endif; 2 if InCache TCRelProdSat (a, n, r, t) then return t; endif; 3 level k n.lvl ; L U (k ) 1 4 mdd t 0; 5 foreach i SU (k) s.t. n[i] = 0 do 6 foreach j,j SU (k) s.t. n[i][j ] = 0 r [j ][j ] = 0 a[j ] = 0 do r is applied on primed levels in n 7 t[i][j ]Union (t[i][j ],TCRelProdSat (a[j ],n[i][j ],r [j ][j ])); 8 endfor; 9 endfor; 10 t TransClosSat (a,InsertUT (t)); return a saturated result 11 CacheAdd TCRelProdSat (a, n, r, t); 12 return t; mdd TCtoSCC (mdd n) 1 if n = 1 return 1; endif; 2 if InCache TCtoSCC (n, t) then return t; endif; 3 level k n.lvl ; L U (k ) 1 4 mdd t 0; 5 foreach i SU (k) s.t. n[i][i] = 0 do 6 t[i] TCtoSCC (n[i][i]); 7 endfor; 8 t InsertUT (t); 9 CacheAdd TCtoSCC (n, t); 10 return t; t is an L-level MDD enconding {i : (i, i) B(n) Fig. 5 Building the TC using saturation.

mdd TSCC TC (N 1 ) 1 mdd T 1 TransClosSat (N 1 ); 2 mdd T Inverse (T 1 ); swap adjacent levels k and k 3 mdd scc TCtoSCC (T 1 ); 4 mdd r Di (T 1 , T ); 5 mdd nontscc QuantUnpr (r ); quantify out unprimed levels in r , nontscc is an L-level MDD 6 mdd recurrent Di (scc, nontscc); 7 return recurrent; Fig. 6 Computing recurrent states using TC.

Its semantics is expressed by the special case of strong fairness where, in each pair, Ri = Srch and Ci = Fi , thus we focus on strong fairness. Lockstep is also able to nd strongly fair cycles [3], but might suer from SCC renement [3, Figure 4]. This occurs when an SCC intersects a Ri but not Ci . Then, we need to to lter out all states in Ri and run Lockstep on the remaining states in this SCC. This process may enumerate all states in the worst case, as with SCC enumeration. Here, we present a TC approach that avoids enumeration. To the best of our knowledge, this is the rst TC approach for fair cycle detection. The following denes the constrained TC. Denition 2 Given a set of states X , the constrained 1 backward TC is TX = TransClosSat (X , N 1 ).
1 TX species the relation between two states i and 1 j, such that (i, j) TX j t1 t2 . . . i and t1 , t2 , . . . , i X . Thus, the set of states belonging to some (strongly) fair cycle is given by: 1 ) TCtoSCC (TS rch \Rm m=1,...,n

{i | cm Cm , (T (cm , i) T 1 (cm , i))} ,

1 , there is a nontrivial path from i to If (i,i) TS rch\Rm 1 ) returns i that avoids Rm . Thus, TCtoSCC (TS rch \Rm the states in cycles that contain no state in Rm and satisfy strong fairness. If (i,cm ) (T (cm ,i)T 1 (cm ,i)), i belongs to a cycle which contains states in cm . The subformula in the second line corresponds to the states in a cycle containing at least one state in Cm , satisfying strong fairness. The pseudocode in Figure 7 computes the above formula. For each (Rm , Cm ), c encodes the states in cycles that do not intersect Rm , d encodes the states in cycles that intersect Cm , and Cross (Cm , Srch ) returns a 2Llevel MDD encoding the cross-product of Cm and Srch . The cost mainly lies in computing the intersection of T 1 and T , which is similar to computing the relation . Moreover, the complexity grows linearly with the size n of the fairness condition.

Strong fairness is specied with a set of pairs of sets {(R1 , C1 ), . . . , (Rn , Cn )} and a cycle satises it i, for each (Ri , Ci ), either no state of Ri is in the cycle or some state of Ci is in the cycle. Weak fairness is specied with a set of sets of states {F1 , F2 , . . . , Fn }.

8
mdd FairSCC TC (Srch , N 1 , {(R1 , C1 ), . . . , (Rn , Cn )}) 1 mdd T 1 TransClosSat (Srch , N 1 ); 2 mdd T Inverse (T 1 ); 3 mdd s Srch ; 4 foreach m = 1, , n do 5 mdd c TCtoSCC (TransClosSat (Di (Srch , Rm ), N 1 )); 6 mdd d Intersect (T 1 , T ); 7 d QuantUnpr (Intersect (d, Cross (Cm , Srch ))); Cross (Cm ,Srch ) encodes {(cm ,i) : cm Rm i Srch } 8 s Intersect (s, Union (c, d)); 9 endfor; 10 return s; Fig. 7 Computing fair cycles using TC.

Yang Zhao, Gianfranco Ciardo

7 Experimental results rT [8] and report We implemented our algorithms in Sm A experimental results running on an Intel Xeon 3.0Ghz workstation with 3GB RAM under SuSE Linux 9.1. The models, described as Petri nets and translated into rT, include the closed queue the input language of Sm A network (cqn ) of [29], two implementations of arbiters (arbiter 1 , arbiter 2 ) [1], one which guarantees fairness and the other which does not, the queen placement problem (queens ), the dining philosopher problem (phil ), and the leader selection protocol (leader ) [7]. The size for each model is controlled by a parameter N . The number of SCCs (terminal SCCs) and states in SCCs (terminal SCCs) for each model is listed in column SCC count (TSCC count) and column SCC states (TSCC states), respectively. We set and upper bound of 2hr for runtime and 1GB for the unique table (used to canonically store the MDD nodes). The main metrics of our comparison are runtime and peak memory consumption (for unique table plus operation cache, required for ecient dynamic programming implementation of MDD operation), which are measured in seconds and megabytes, respectively. The top part of Table 1 compares three algorithms for SCC computation: the TC algorithm (column TC) of Section 5, the improved XB algorithm (column XBSAT) of Section 4, and Lockstep (column Lockstep). We can see that the improved XB algorithm using saturation is better than Lockstep for most models, in both runtime and memory. Compared with the SCC enumeration algorithms, the TC algorithm is often more expensive but, for queens and arbiter 2 , it completes within the time limit while the other two algorithms fail. For arbiter 2 , our TC algorithm explores over 10150 SCCs in a few seconds, while it is obviously not feasible to exhaustively enumerate all SCCs in reasonable time. To the best of our knowledge, this is the best result of SCC computation reported, conrming the main advantage of the TC algorithm: its insensitivity to the number of SCCs. With the help of our new algorithm,

the TC can be built for some large systems, such as the dining philosopher problem with 1000 philosophers. The bottom part of Table 1 compares three algorithms for terminal SCC computation: XBSat (column XBSat) presented in Sections 4 , TSCC TC (column TC) presented in Sections 5, and the BFS XB algorithm XB TSCC (column XBBFS) shown in Figure 2. The basic trends are similar to those for SCC computation: algorithm XBSat works consistently better than the traditional method, while TSCC TC is less ecient for most models. In the framework of the XB algorithm, computing terminal SCCs is faster than computing SCC because a larger set of states is pruned at each recursion. On the contrary, TSCC TC is more expensive than SCC TC due to the computation of the relation. As a consequence, TSCC TC suers even more from large memory and runtime requirement. Nevertheless, for models with large numbers of terminal SCCs, such as queens , TSCC TC outperforms the BFS XB algorithm. Some conclusions can be drawn from the above results and discussion. First, saturation is eective in speeding up SCC and terminal SCC computation within the framework of the XB algorithm. Second, our new saturation algorithm makes TC computation feasible for some complex models containing up to 10150 states. Third, SCC computation based on TC is superior to SCC enumeration algorithms, which nd SCCs one-byone, for models with huge numbers of SCCs. Although the TC approach is not as robust as Lockstep, especially when the number of SCCs in the model is manageable, we argue that it should be considered as a reasonable alternative worth of further research. Given a new model with an unknown number of existing SCCs, employing both of these approaches at the same time will be ideal. Current trend of multi-core computers provide a possible means of parallelizing these two algorithms. Some of the common data structures, like MDDs encoding the state space and next-state functions, could then even be shared.

8 Conclusion and future work We focused on improving two previous approaches for SCC computation, the Xie-Beerel (XB) and the transitive closure (TC) algorithms, using saturation. For the asynchronous models we study, the improved XB algorithm using saturation achieves a clear speedup and our new algorithm to compute TC using saturation is experimentally shown to be capable of handling models with up to 10150 of SCCs. We argue that the TC-based approach is worth further research because of its ability to deal with models having huge numbers of SCCs.

Symbolic Computation of Strongly Connected Components and Fair Cycles Using Saturation
Results for the SCC computation

Model name
cqn

SCC count 11 16 21 1 1 1 3.22e+4 1.53e+5 7.95e+5 4.37e+6 4 11 26 57 1 1 1 1024 32768 1.05e+6

SCC states 2.09e+10 2.20e+15 2.32e+20 4.96e+62 3.03e+316 9.18e+626 3.23e+4 1.53e+5 7.95e+5 4.37e+6 6.78e+2 9.50e+3 1.25e+5 1.54e+6 2.05e+4 9.83e+5 4.19e+7 1.02e+4 4.91e+5 2.10e+7 (1.64e+151)* TSCC states 2.09e+10 2.18e+15 2.31e+20 2 2 2 1.28e+4 6.11e+4 3.14e+5 1.72e+6 3 4 5 6 2.05e+4 9.83e+5 4.19e+7 1 1 1

TC mem 34.2 64.4 72.7 5.0 33.0 40.5 8.2 45.8 184.8 916.5 6.0 70.3 116.6 24.1 128.3 mo 20.3 20.4 20.4
41.0

phil

queens

leader

arbiter 1

arbiter 2

3.27e+150 Results for the terminal SCC computation

10 15 20 100 500 1000 10 11 12 13 3 4 5 6 10 15 20 10 15 20 500

time 13.6 73.8 687.8 0.5 4.0 7.8 1.6 9.0 60.6 840.6 1.4 73.1 3830.4 to 1.2 63.0 < 0.1 < 0.1 < 0.1
4.0

XBSat mem time 3.4 < 0.1 5.0 0.2 25.8 0.5 3.2 < 0.1 24.5 0.1 29.1 0.3 64.4 14.5 94.2 108.6 170.2 1220.4 to 20.8 < 0.1 25.4 1.1 35.6 40.8 41.6 1494.9 21.4 < 0.1 45.1 < 0.1 709.7 < 0.1 26.2 0.7 31.1 51.8 31.2 2393.3 to XBSat mem time 21.4 < 0.1 23.0 0.3 26.2 0.8 20.9 < 0.1 23.2 < 0.1 26.5 0.2 46.7 2.8 70.6 24.5 98.8 179.4 269.0 1940.81 20.7 < 0.1 24.4 0.9 30.6 26.9 39.0 492.9 20.4 < 0.1 20.4 < 0.1 20.5 < 0.1 20.9 < 0.1 40.6 4.6 450.0 2897.8

Lockstep mem time 4.0 3.9 89.1 44.5 118.7 275.0 52.0 4.5 to to 63.9 12.4 96.3 93.6 281.9 1663.9 to 20.8 < 0.1 23.8 0.3 49.4 6.4 417.2 387.9 21.8 0.1 62.1 6.8 mo 31.1 1.1 211.3 990.3 to to XBBFS mem time 33.5 3.4 59.4 33.7 90.0 280.5 39.2 8.7 to to 62.3 35.1 145.2 364.2 mo mo 21.4 0.1 38.0 4.5 41.1 87.6 44.8 1341.5 22.4 0.4 65.3 23.3 to 39.6 6.4 to to

Model name
cqn

TSCC count 10 15 20 2 2 2 1.28e+4 6.11e+4 3.14e+5 1.72e+6 3 4 5 6 1 1 1 1 1 1

TC mem 37.9 64.8 72.7 26.5 34.3 44.4 36.2 76.5 244.1 mo 26.6 70.6 119.3 24.1 128.3 mo 20.4 20.5 20.5 time 15.5 79.6 691.3 0.5 4.1 11.3 3.0 19.3 205.4 1.5 75.1 3845.3 to 1.2 63.1 < 0.1 < 0.1 < 0.1

phil

queens

leader

arbiter 1

arbiter 2

10 15 20 100 500 1000 10 11 12 13 3 4 5 6 10 15 20 10 15 20

Table 1 Results for SCC and terminal SCC computation. * means a value computed from the model structure, not using XB.

SCC analysis can be an important step to simplify Markov chain analysis and stochastic model checking, as shown in [2, 11]. Our future work is to apply the algorithms in this paper to these topics, where symbolic methods are only scarcely used.

References
1. NuSMV: a new symbolic model checker. Available at http://nusmv.irst.itc.it/. 2. Erika Abrah am, Nils Jansen, Ralf Wimmer, Joost-Pieter Katoen, and Bernd Becker. DTMC model checking by SCC reduction. In QEST, pages 3746, 2010. 3. Roderick Bloem, Harold N. Gabow, and Fabio Somenzi. An Algorithm for Strongly Connected Component Analysis in n log n Symbolic Steps. In Formal Methods in Computer Aided Design, pages 3754. Springer-Verlag, 2000. 4. Beate Bollig and Ingo Wegener. Improving the variable ordering of OBDDs is NP-complete. IEEE Trans. Comp., 45(9):9931002, September 1996.

Acknowledgments This work was supported in part by the National Science Foundation under Grant CCF-1018057 and by a UC MEXUS-CONACYT Collaborative Research Grant.

10 5. Randy E. Bryant. Graph-based algorithms for boolean function manipulation. IEEE Transactions on Computers, 35(8):677691, August 1986. 6. J. R. Burch, E. M. Clarke, K. L. McMillan, D. L. Dill, and L. J. Hwang. Symbolic model checking: 1020 states and beyond. Information and Computation, 98:142170, 1992. 7. Gianfranco Ciardo et al. SMART: Stochastic Model checking Analyzer for Reliability and Timing, User Manual. Available at http://www.cs.ucr.edu/ciardo/SMART/. 8. Gianfranco Ciardo, Robert L. Jones, Andrew S. Miner, and Radu Siminiceanu. Logical and stochastic modeling with SMART. Perf. Eval., 63:578608, 2006. 9. Gianfranco Ciardo, Robert Marmorstein, and Radu Siminiceanu. The saturation algorithm for symbolic state space exploration. Software Tools for Technology Transfer, 8(1):425, February 2006. 10. Gianfranco Ciardo and Radu Siminiceanu. Structural symbolic CTL model checking of asynchronous systems. In Warren Hunt, Jr. and Fabio Somenzi, editors, Proc. CAV, LNCS 2725, pages 4053, Boulder, CO, USA, July 2003. Springer-Verlag. 11. Frank Ciesinski, Christel Baier, Marcus Gr osser, and Joachim Klein. Reduction techniques for model checking Markov decision processes. In Proceedings of the 2008
Fifth International Conference on Quantitative Evaluation of Systems, pages 4554, Washington, DC, USA, 2008.

Yang Zhao, Gianfranco Ciardo 22. Kavita Ravi, Roderick Bloem, and Fabio Somenzi. A comparative study of symbolic algorithms for the computation of fair cycles. In FMCAD 00: Proceedings
of the Third International Conference on Formal Methods in Computer-Aided Design, pages 143160, London, UK,

2000. Springer-Verlag. 23. Shmuel Safra and Moshe Y. Vardi. On omega-automata and temporal logic. In Proceedings of the Twenty-First Annual ACM Symposium on Theory of Computing, 15-17 May 1989, Seattle, Washington, USA, pages 127137. ACM,

1989. 24. Fabio Somenzi, Kavita Ravi, and Roderick Bloem. Analysis of symbolic SCC hull algorithms. In FMCAD 02:
Proceedings of the 4th International Conference on Formal Methods in Computer-Aided Design, pages 88105, Lon-

don, UK, 2002. Springer-Verlag. 25. William J. Stewart. Introduction to the Numerical Solution of Markov Chains. Princeton University Press, 1994. 26. Robert Tarjan. Depth-rst search and linear graph algorithms. In Proceedings of the 12th Annual Symposium on Switching and Automata Theory (swat 1971), pages 114 121, Washington, DC, USA, 1971. IEEE Computer Society. 27. Min Wan and Gianfranco Ciardo. Symbolic state-space generation of asynchronous systems using extensible decision diagrams. In M. Nielsen et al., editors, Proc. 594, Spindler uv Ml yn, Czech Republic, February 2009. Springer-Verlag. 28. Aiguo Xie and Peter A. Beerel. Ecient state classication of nite-state Markov chains. IEEE Trans. on CAD of Integrated Circuits and Systems, 17(12):13341339, 1998. 29. Aiguo Xie and Peter A. Beerel. Implicit enumeration of strongly connected components and an application to formal verication. IEEE Trans. on CAD of Integrated Circuits and Systems, 19(10):12251230, 2000. 30. Yang Zhao and Gianfranco Ciardo. Symbolic CTL model checking of asynchronous systems using constrained saturation. In Zhiming Liu and Anders P. Ravn, editors, Proc.
7th International Symposium on Automated Technology for Verication and Analysis (ATVA), LNCS 5799, pages 368 35th Int. Conf. Current Trends in Theory and Practice of Computer Science (SOFSEM), LNCS 5404, pages 582

IEEE Computer Society. 12. Edmund M. Clarke, Orna Grumberg, and Doron A. Peled. Model Checking. MIT Press, 1999. 13. E. Allen Emerson and Chin-Laung Lei. Ecient model checking in fragments of the propositional mu-Calculus). In Proceedings, Symposium on Logic in Computer Science, 16-18 June 1986, Cambridge, Massachusetts, USA, pages 267278. IEEE Computer Society, 1986. 14. Kathi Fisler, Ranan Fraer, Gila Kamhi, Moshe Y. Vardi, and Zijiang Yang. Is there a best symbolic cycle-detection algorithm? In Proceedings of the 7th International Conference on Tools and Algorithms for the Construction and Analysis of Systems, TACAS 2001, pages 420434, Lon-

15.

16. 17. 18.

19.

20.

21.

don, UK, 2001. Springer-Verlag. G. Hachtel, E. Macii, A. Pardo, and F. Somenzi. Markovian analysis of large nite state machines. IEEE Trans. CAD of Integr. Circ. and Syst., 15(12):14791493, December 1996. R. H. Hardin, R. P. Kurshan, S. K. Shukla, and M. Y. Vardi. A new heuristic for bad cycle detection using bdds. Formal Methods in System Design, 18(2):131140, 2001. Ramin Hojati, Herv e J. Touati, Robert P. Kurshan, and Robert K. Brayton. Ecient -regular language containment. In CAV, pages 396409, 1992. Timothy Kam, Tiziano Villa, Robert K. Brayton, and Alberto Sangiovanni-Vincentelli. Multi-valued decision diagrams: theory and applications. Multiple-Valued Logic, 4(12):962, 1998. Yonit Kesten, Amir Pnueli, and Li-on Raviv. Algorithmic verication of linear temporal logic specications. In ICALP 98: Proceedings of the 25th International Colloquium on Automata, Languages and Programming, pages 116, London, UK, 1998. Springer-Verlag. Y. Matsunaga, P.C. McGeer, and R.K. Brayton. On computing the transitive closure of a state transition relation. In Design Automation, 1993. 30th Conference on, pages 260265, June 1993. Tadao Murata. Petri nets: properties, analysis and applications. Proc. of the IEEE, 77(4):541579, April 1989.

381, Macao SAR, China, October 2009. Springer-Verlag.