CoInDiVinE: Parallel Distributed Model Checker for Component-Based Systems

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

CoInDiVinE is a tool for parallel distributed model checking of interactions among components in hierarchical component-based systems. The tool extends the DiVinE framework with a new input language (component-interaction automata) and a property specification logic (CI-LTL). As the language differs from the input language of DiVinE, our tool employs a new state space generation algorithm that also supports partial order reduction. Experiments indicate that the tool has good scaling properties when run in a parallel setting.


💡 Research Summary

The paper presents CoInDiVinE, an extension of the DiVinE parallel and distributed model checking framework tailored for component‑based systems. The authors introduce a new modeling formalism called component‑interaction automata (CI automata) in which each transition is labeled with a triple (sender, action, receiver). The special symbol “–” denotes open actions (input or output), while ordinary triples represent internal communications. CI automata can be combined hierarchically: leaf automata are primitive components, internal nodes describe compositions with a set of feasible labels, and the root node represents the whole system.

State‑space generation is performed on‑the‑fly by repeatedly computing successor states for a global configuration, which is a tuple of the states of all primitive automata. Two algorithms are discussed. The first, a naïve recursive algorithm, traverses the hierarchy each time a successor is needed, recursively collecting transitions from children and merging them according to the composition parameters. While conceptually simple, this approach incurs repeated memory allocations and does not scale well with large models.

The second algorithm exploits the lowest common ancestor (LCA) concept. Before the main search, the tool pre‑computes the LCA for every pair of primitive automata and the intersection of feasible‑label sets along each path from a leaf to the root. When checking whether a synchronization transition is enabled, the algorithm simply looks up the pre‑computed label sets for the relevant LCA and paths, avoiding repeated traversal. This reduces both time and memory overhead. Experimental results on an 8×8‑core Intel Xeon X7560 show that the LCA‑based method is 30‑50 % faster than the recursive method and scales more gracefully as the number of cores increases.

In addition to parallelism and distribution, CoInDiVinE incorporates partial‑order reduction (POR). The authors combine DiVinE’s topological‑sort‑based POR with custom heuristics (conditions C0–C2) designed for CI automata. The reduction dramatically cuts the number of explored transitions: for the SCM, SCR, and TSC benchmark models, the transition count drops by a factor of 12 : 1 to 13 : 1, while the number of states remains essentially unchanged. Importantly, the reduction ratio is independent of the number of threads, indicating that POR works well in highly concurrent hierarchical systems.

The input language of CoInDiVinE resembles DiVinE’s standard syntax but extends it with triple‑labeled transitions and composition declarations. Users can specify feasible labels either by “restrictL” (disallow a set, all others allowed) or “onlyL” (allow a set, all others disallowed). A small example defines two primitive automata A and B, composes them into a composite automaton C with a restriction on certain labels, and declares C as the system. Property specifications are written in CI‑LTL, an extension of linear temporal logic that can refer to component interactions. An auxiliary tool, coin‑prop, attaches a never‑claim automaton generated from a CI‑LTL formula to the model; the combined model is then fed to CoInDiVinE for verification.
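To make the two successor‑generation strategies and the onlyL/restrictL feasibility rules concrete, here is an added example in Python. It is not CoInDiVinE's or DiVinE's code and uses none of their APIs: the classes `Primitive`, `Composite` and `LcaSuccessor`, the functions `succ_recursive`, `compare` and `demo_model`, and the mapping of onlyL/restrictL onto `only`/`restrict` sets are all my own naming. It assumes the standard component‑interaction‑automata semantics as summarised above: a label is a (sender, action, receiver) triple with `None` marking an open side, a composite step is either one child's step or the synchronisation of an open output (s, a, –) with an open input (–, a, r) into (s, a, r), and a label must be feasible at every composition node it passes through. The model is constructed to mirror the shape of the page's example (primitive A and B composed into C with a restriction), with an extra logger D added at the root so that a synchronisation across two hierarchy levels exercises the LCA lookups. The naïve algorithm re‑walks the tree on every call; the LCA‑based one precomputes, for each leaf pair, the LCA and the intersection of feasible‑label sets along each path segment, then only does set lookups. The two are run against each other over the whole reachable state space.

```python
# Added example, not CoInDiVinE's or DiVinE's code. Assumed CI-automata semantics: a label is
# (sender, action, receiver), None marks an open side; a composite step is one child's step or
# the synchronisation (s, a, None) + (None, a, r) -> (s, a, r); labels must be feasible at every node.
from itertools import combinations

class Primitive:
    def __init__(self, init, trans):                          # trans: [(src, label, dst)]
        self.init, self.trans, self.parent = init, trans, None

class Composite:
    """onlyL / restrictL style: 'only' allows a set (None = any), 'restrict' forbids a set."""
    def __init__(self, children, only=None, restrict=()):
        self.children, self.only, self.restrict, self.parent = children, only, frozenset(restrict), None
        for c in children:
            c.parent = self

    def feasible(self, label):
        return (self.only is None or label in self.only) and label not in self.restrict

def leaves(node):
    return [node] if isinstance(node, Primitive) else [l for c in node.children for l in leaves(c)]

def ancestors(node):                                          # [parent, ..., root]
    return [] if node.parent is None else [node.parent] + ancestors(node.parent)

def _sync(lp, lq):                                            # (s,a,None)+(None,a,r) -> (s,a,r), else None
    for (s, a, r1), (s2, a2, r) in ((lp, lq), (lq, lp)):
        if s is not None and r1 is None and s2 is None and r is not None and a == a2:
            return (s, a, r)

# 1. Naive recursive successors: walk the whole hierarchy on every call and return the
#    set of (label, successor) pairs of the subtree rooted at node.
def succ_recursive(node, state, idx=None):
    if idx is None:
        idx = {p: i for i, p in enumerate(leaves(node))}
    if isinstance(node, Primitive):
        i = idx[node]
        return {(l, state[:i] + (d,) + state[i + 1:]) for s, l, d in node.trans if s == state[i]}
    child_moves = [succ_recursive(c, state, idx) for c in node.children]
    result = set()
    for moves in child_moves:                                 # interleaved single steps
        result |= {(l, s) for l, s in moves if node.feasible(l)}
    for mi, mj in combinations(child_moves, 2):              # pairwise synchronisation
        for (lp, sp), (lq, sq) in ((a, b) for a in mi for b in mj):
            l = _sync(lp, lq)
            if l and node.feasible(l):                        # merge two updates of disjoint positions
                result.add((l, tuple(b if b != o else a for a, b, o in zip(sp, sq, state))))
    return result

# 2. LCA-based successors: precompute, per leaf pair, the LCA and the labels feasible along
#    each path segment (leaf -> just below the LCA, LCA -> root), then only look them up.
class LcaSuccessor:
    def __init__(self, root):
        self.leaves = leaves(root)
        anc = {p: ancestors(p) for p in self.leaves}
        labels = {l for p in self.leaves for _, l, _ in p.trans}             # finite label universe
        labels |= {s for a, b in combinations(labels, 2) if (s := _sync(a, b))}
        def allowed(nodes):                                   # intersection of feasible-label sets
            return frozenset(l for l in labels if all(n.feasible(l) for n in nodes))
        self.to_root = [allowed(anc[p]) for p in self.leaves]
        self.below, self.above, self.pairs = {}, {}, []
        for i, j in combinations(range(len(self.leaves)), 2):
            pi, pj = anc[self.leaves[i]], anc[self.leaves[j]]
            lca = next(n for n in pi if n in pj)
            self.pairs.append((i, j, lca))
            self.below[i, lca], self.below[j, lca] = allowed(pi[:pi.index(lca)]), allowed(pj[:pj.index(lca)])
            self.above[lca] = allowed(pi[pi.index(lca):])

    def succ(self, state):
        local = [[(l, d) for s, l, d in p.trans if s == state[i]] for i, p in enumerate(self.leaves)]
        result = set()
        for i, ok in enumerate(self.to_root):                 # single steps: one set lookup each
            result |= {(l, state[:i] + (d,) + state[i + 1:]) for l, d in local[i] if l in ok}
        for i, j, lca in self.pairs:                          # synchronisations: three lookups
            for (lp, dp), (lq, dq) in ((a, b) for a in local[i] for b in local[j]):
                l = _sync(lp, lq)
                if l and lp in self.below[i, lca] and lq in self.below[j, lca] and l in self.above[lca]:
                    result.add((l, tuple(dp if k == i else dq if k == j else v for k, v in enumerate(state))))
        return result

def demo_model():
    """Constructed model: client A and server B composed in C, where the open 'req' labels are
    restricted so req must synchronise inside C; logger D at the root can also take B's open
    'ack'. The root's onlyL set closes the system (no open label escapes)."""
    a = Primitive(0, [(0, ("A", "req", None), 1), (1, (None, "ack", "A"), 0)])
    b = Primitive(0, [(0, (None, "req", "B"), 1), (1, ("B", "ack", None), 0)])
    d = Primitive(0, [(0, (None, "ack", "D"), 0)])
    c = Composite([a, b], restrict={("A", "req", None), (None, "req", "B")})
    return Composite([c, d], only={("A", "req", "B"), ("B", "ack", "A"), ("B", "ack", "D")})

def compare(root):
    """DFS the state space with the recursive algorithm; check the LCA algorithm agrees everywhere."""
    lca, init = LcaSuccessor(root), tuple(p.init for p in leaves(root))
    seen, stack = {init}, [init]
    while stack:
        for _, t in succ_recursive(root, stack.pop()):
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return len(seen), all(succ_recursive(root, s) == lca.succ(s) for s in seen), sorted(seen)
```

Calling `compare(demo_model())` explores three global states and confirms that both successor functions return identical (label, successor) sets for each of them. The constructed model also shows why a model checker is useful here: from state (1, 1, 0) the server's open `ack` can synchronise either with A (the intended reply) or with the logger D at the root, and the latter leads to the state (1, 0, 0) with no successors, a deadlock that a CI‑LTL property over the `("B", "ack", "A")` interaction would flag. Note that the precomputed sets are only valid because the label universe is finite and fixed before the search begins, which is exactly what makes the LCA lookups cheaper than re‑traversing the hierarchy.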

The experimental evaluation uses models derived from a case study on a realistic component‑based system (reference

