Variations on Multi-Core Nested Depth-First Search
Recently, two new parallel algorithms for on-the-fly model checking of LTL properties were presented at the same conference: Automated Technology for Verification and Analysis, 2011. Both approaches extend Swarmed NDFS, which runs several sequential NDFS instances in parallel. While parallel random search already speeds up detection of bugs, the workers must share some global information in order to speed up full verification of correct models. The two algorithms differ considerably in the global information shared between workers, and in the way they synchronize. Here, we provide a thorough experimental comparison between the two algorithms, by measuring the runtime of their implementations on a multi-core machine. Both algorithms were implemented in the same framework of the model checker LTSmin, using similar optimizations, and have been subjected to the full BEEM model database. Because both algorithms have complementary advantages, we constructed an algorithm that combines both ideas. This combination clearly has an improved speedup. We also compare the results with the alternative parallel algorithm for accepting cycle detection OWCTY-MAP. Finally, we study a simple statistical model for input models that do contain accepting cycles. The goal is to distinguish the speedup due to parallel random search from the speedup that can be attributed to clever work sharing schemes.
Research Summary
The paper presents a comprehensive experimental study of two recently introduced parallel algorithms for on‑the‑fly LTL model checking, ENDFS and LNDFS, both of which extend the classic Swarmed NDFS approach. Swarmed NDFS runs several independent sequential NDFS instances in parallel, which speeds up bug hunting through random search but offers little benefit when the model is correct because every worker must still explore the entire state space. To improve speed‑up for full verification, ENDFS and LNDFS share global information among workers, but they differ markedly in what they share and how they synchronize.
LNDFS shares only the “red” color globally. When a red DFS finishes, visited states are marked red for all workers, allowing subsequent blue and red searches to prune already explored regions. This reduces duplicate work, especially when many accepting states exist, but requires synchronization when multiple workers start a red search from the same accepting state. Moreover, if the model contains few or no accepting states, the benefit diminishes because workers still have to traverse the whole graph.
ENDFS takes a more optimistic stance: it shares both the blue and red colors globally while keeping the “cyan” (blue stack) and “pink” (red stack) colors local. If during a red search an accepting state that is not yet red is encountered, the state is marked “dangerous”. After the red search terminates, a sequential repair phase runs a standard NDFS on the dangerous states to guarantee correctness. This design avoids the need for a repair strategy in the blue phase and reduces duplicate work, but the sequential repair can become a bottleneck, and red marking is delayed, potentially causing more redundant exploration.
Both algorithms were implemented in the same multi‑core backend of the LTSmin model‑checking suite, using identical optimizations (including the “all‑red” extension) to ensure a fair comparison. The authors evaluated them on an AMD Opteron 16‑core server with 64 GB RAM, running the full BEEM benchmark suite (453 models with LTL properties). They also compared the results with the state‑of‑the‑art parallel BFS‑based algorithm OWCTY‑MAP, as implemented in DIVINE.
Experimental findings show that LNDFS excels on models with many accepting states, achieving higher speed‑ups due to aggressive pruning via the global red set. ENDFS performs better on models with few accepting states, where its global blue sharing reduces redundant work, but its speed‑up is limited by the sequential repair phase. By combining the strengths of both approaches, the authors propose a new algorithm, MC‑NDFS (New M‑C‑NDFS). MC‑NDFS runs the optimistic ENDFS, but when dangerous states are detected it invokes the parallel LNDFS repair instead of a sequential NDFS. Additionally, a simple load‑balancing scheme lets idle workers assist others still in the repair phase. This hybrid approach consistently outperforms both parent algorithms and often matches or exceeds OWCTY‑MAP, especially for weak LTL properties where OWCTY‑MAP is linear‑time.
To disentangle the contribution of pure random search from that of clever work‑sharing, the paper adopts a simple statistical model of parallel random search. The model predicts the expected speed‑up from independent random permutations of the successor function. Empirical results show that actual speed‑ups are significantly higher than the model’s prediction, confirming that the shared‑information mechanisms (global colors, repair strategies) provide a substantial additional benefit beyond random parallelism.
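The baseline that this comparison is measured against, a swarm of independent NDFS workers that share nothing, can be reproduced in a few lines. This is an added example, not code from the paper or from LTSmin; the names `ndfs`, `swarm` and `branches` and the fan-out graph are constructed for illustration. It assumes wall-clock time is proportional to the states visited by the first worker to finish, and it is an empirical sketch rather than the paper's statistical model.

```python
import random

def ndfs(succ, init, accepting, seed):
    """Sequential NDFS with a seeded successor order -> (found, visited)."""
    rng = random.Random(seed)
    cyan, blue, red = set(), set(), set()
    work = 0
    def post(s):                     # random permutation of successors
        return rng.sample(succ[s], len(succ[s]))
    def dfs_red(s):
        nonlocal work
        work += 1
        red.add(s)
        for t in post(s):
            if t in cyan:            # back on the blue stack: accepting cycle
                return True
            if t not in red and dfs_red(t):
                return True
        return False
    def dfs_blue(s):
        nonlocal work
        work += 1
        cyan.add(s)
        for t in post(s):
            if t not in cyan and t not in blue and dfs_blue(t):
                return True
        if s in accepting and dfs_red(s):   # red search in post-order
            return True
        cyan.discard(s)
        blue.add(s)
        return False
    return dfs_blue(init), work

def swarm(succ, init, accepting, seeds):
    """Independent workers, nothing shared: the first finisher decides."""
    runs = [ndfs(succ, init, accepting, s) for s in seeds]
    return any(f for f, _ in runs), min(w for _, w in runs)

def branches(n_branches, length, bug_branch=None):
    """Constructed model: state 0 fans out into chains; one may hold a bug."""
    succ = {0: [1 + b * length for b in range(n_branches)]}
    for n in range(1, n_branches * length + 1):
        succ[n] = [n + 1] if n % length else []
    if bug_branch is None:
        return succ, set()
    last = (bug_branch + 1) * length
    succ[last] = [last]              # accepting state with a self-loop
    return succ, {last}
```

On the model with the accepting cycle, the swarm's cost is the luckiest worker's cost; on the correct model every worker visits all 401 states, which is the case the shared colors of LNDFS and ENDFS are designed to improve.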
In summary, the study demonstrates that (1) global sharing of search information can dramatically improve multi‑core NDFS performance, (2) the choice of what to share and how to synchronize determines scalability, (3) a hybrid algorithm that merges optimistic global sharing with parallelized repair yields the best overall results, and (4) the observed speed‑ups are not merely a consequence of parallel random search but stem from well‑designed work‑sharing schemes. This work advances the state of the art in parallel on‑the‑fly LTL model checking and provides practical guidance for implementing efficient multi‑core NDFS algorithms.