Departmental Papers (CIS)

Date of this Version

July 2002

Document Type

Conference Paper


From the 14th International Conference, CAV 2002 Copenhagen, Denmark, July 27–31, 2002.


Inspired by the success of model checking in hardware and protocol verification, model checking techniques for software have been the focus of a lot of research in the last few years [5,3,2,6]. Model checking can be applied only to relatively small models due to its inherently high computational requirements, and there are two complementary trends to address scalability. The model extraction approach, exemplified by projects such as Bandera [6] and SLAM [3], involves constructing inputs to model checkers by abstracting programs written in languages such as C and Java. The model-based design approach, exemplified by modeling notations such as Statecharts [7], promotes design using high-level models that are compiled into code. Our research agenda is to develop model checking techniques for model-based design of software.

Modern software design languages promote hierarchy as one of the key constructs for structuring complex specifications. The input language to our model checker is based on hierarchic reactive modules [1]. This choice was motivated by the fact that, unlike STATECHARTS and other languages, in hierarchic reactive modules, the notion of hierarchy is semantic with an observational trace-based semantics and a notion of refinement with assume-guarantee rules. The first contribution of this paper is the Hermes toolkit that implements hierarchic reactive modules. Our implementation has a visual front-end and XML-based back-end, consistent with modern software design tools, and is in Java.

There are two basic techniques for reachability analysis. Enumerative model checkers such as SPIN [8] perform an on-the-fly exploration of the state-space using a depth-first search, while symbolic model checkers such as SMV [9] perform a breadth-first search by manipulating sets of states, rather than individual states, encoded typically by ordered binary (or multi-valued) decision diagrams. Since the two approaches are incomparable, and have been shown to be successful, Hermes supports both enumerative and symbolic reachability analysis. In this paper, we report progress on exploiting the structuring information in the behavioral hierarchy of the input model to speed up the exploration of reachable state-space of the model for both the approaches. More information about the tool is available at

Subject Area

CPS Formal Methods

Publication Source

Lecture Notes in Computer Science: Computer Aided Verification



Start Page


Last Page




Copyright/Permission Statement

The original publication is available at



Date Posted: 13 December 2005