 Research
 Open Access
 Published:
A symbolic model checking approach in formal verification of distributed systems
Humancentric Computing and Information Sciences volume 9, Article number: 4 (2019)
Abstract
Model checking is an influential method to verify complex interactions, concurrent and distributed systems. Model checking constructs a behavioral model of the system using formal concepts such as operations, states, events and actions. The model checkers suffer some weaknesses such as state space explosion problem that has high memory consumption and time complexity. Also, automating temporal logic is the main challenge to define critical specification rules in the model checking. To improve the model checking weaknesses, this paper presents Graphical Symbolic Modeling Toolkit (GSMT) to design and verify the behavioral models of distributed systems. A behavioral modeling framework is presented to design the system behavior in the forms of Kripke structure (KS) and Labeled Transition System (LTS). The behavioral models are created and edited using a graphical user interface platform in four layers that include a design layer, a modeling layer, a logic layer and a symbolic code layer. The GSMT generates a graphical modeling diagram visually for creating behavioral models of the system. Also, the temporal logic formulas are constructed according to some functional properties automatically. The executable code is generated according to the symbolic model verifier that user can choose the original model or reduced model with respect to a recursive reduced model. Finally, the generated code is executed using the NuSMV model checker for evaluating the constructed temporal logic formulas. The code generation time for transforming the behavioral model is compared to other model checking platforms. The proposed GSMT platform has outperformed evaluation than other platforms.
Introduction
Today, distributed systems have developed complex components more and more [1, 2]. By increasing performance of complex systems such as service composition [3], task scheduling [4] and fault tolerance [5], simulation analysis cannot evaluate entire of the system levels [6, 7]. Also, the simulation results are rested to some design under test platforms [8] that omit the part of the existing state space of the system [9]. Formal verification is a mathematically correctness provable approach for the complex distributed systems which is wellsuitable for NPhard problems [10, 11]. Recent scientific studies analyzed their case studies using mathematical verification approaches such as model checking [4, 12,13,14,15,16,17,18], process algebra [19,20,21,22,23,24], formal concept analysis [25] and theorem proving [26,27,28,29] methods.
Among the mentioned approaches, model checking [30] is a wellknown verification technique to evaluate the functional properties of a distributed system automatically [31, 32]. The main goal of the model checking is to find the property violations and limitations in the system behavior with the counterexamples [33]. However, there are some limitations for model checking such as state space explosion and temporal logic design [34]. For improving these limitations, the symbolic model checking [35, 36] with Binary Decision Diagram (BDD) has been presented by McMillan [34]. Some industrial tools such as NuSMV [37], PAT [38], Spin [39], and UPPAAL [40] are wellknown for analyzing the system behavior correctness [41,42,43]. But, these tools have some limitations such as weak graphical user interface, the complexity of programming language and generating the automated temporal specification rules for verifying the system behavior [44,45,46,47]. To illustrate the temporal logic formulas, some model checkers such as NuSMV have supported the generated specification rules in forms of Linear Temporal Logic (LTL) and Computation Tree Logic (CTL) [17, 37, 48,49,50]. Also, creating a critical specification rule for checking in the generated state space of the system behavior is an important challenge for model checkers. When the state space increases exponentially, checking and discovering the critical specification rules to measure the correctness of the system is confused [51, 52]. As yet, model checkers do not guarantee automated specification rules generation [53, 54]. In addition, a model checker needs to automated formal design that supports the Kripke structure (KS) and Labeled Transition System (LTS) modeling methods. In model checking, some characteristic points consolidate an irrefrangible relationship between integrated abstract model and the concrete system behavior. The characteristic points include specifying descriptive features, designing precise model, configuring desired feature selection, and generating comprehensive specification rules. This relationship is confident that the correctness of the integrated abstract model using model checking is very reliable to evaluate concrete system behavior. If we emphasize some characteristic points for designing and modeling system behavior [55], then the accurate verification results are obtained from model checking.
This paper presents an easy to use and userfriendly Graphical Symbolic Modeling Toolkit (GSMT) to simplify model checking the system behavior. We advocate the use of fully automated designing methods to check the correctness of the system behavior. The refinement of design, modeling and verification levels lead the behavior correctness procedure to increase the accuracy. An integrated architecture is also designed for each level according to the simple relationship among the existing objects of the proposed framework. This framework not only follows the contributions of the existing model checkers but also adds some important points to verify the system behavior using model checking. The contributions of this research are as follows:

Presenting a graphical model checking framework to facilitate the system behavior design.

Providing a modeling platform to support the KS and LTS models.

Generating the LTL and CTL specification rules of the system model according to the functional properties such as deadlock, reachability, and safety conditions.

Presenting a highlevel order of recursive reduced Kripke and labeled models to ameliorate the state space explosion problem.

Facilitating the verification procedure using NuSMV.
The paper structure is organized as follows, “Related work” section illustrates a brief review of the presented related frameworks and toolsets. In “GSMT framework” section, we address a conceptual explanation of the GSMT framework. Also, this section introduces the current four layers in the automated verification approach. Moreover, the formal descriptions of the system behavior are illustrated to handle the model checking the specification rules. “Experimental analysis” depicts a descriptive case study to evaluate the verification procedure for the proposed framework with the other approaches according to some experimental results. Finally, “Conclusion and future work” provides the conclusion and some open subjects on this topic as the future works.
Related work
In this section, some related studies are discussed briefly which contain modeling and descriptive translators and automated verification frameworks according to some important features and challenges.
Castelluccia et al. [56] presented a formal framework to design web applications according to the UML method. The key feature of this framework is based on LTS model checking and CTL formulas. First, a design of the model is generated in forms of the UMLbased platform with the XMI format. Then, the framework translated the proposed UMLbased platform to the extensible SMV codes.
Li et al. [54] proposed a translator framework to exchange Programmed Logic Controllers (PLC) for executable verification codes using utility block chart language. The framework presented a formal modeling approach to specifying the model structure using a Boolean explanation method. The model is translated to some modules of SMV codes. This translator supports just CTL formulas to embed in code generation. Designing the model structure is not automatic because the extensibility of the model checking approach is covered. Also, this framework supports a commandline authentication to avoid invalid inputs according to its powerful editor environment. The main disadvantages of this framework are as follows: the requirement patterns as the specification rules are input manually; the LTL formulas are not supported; the framework has not illustrated the correctness of the functional properties such as reachability and deadlock.
Abdelsadiq [57] presented a highlevel modeling framework for Contractual BusinesstoBusiness relations (CB2B) to apply econtract models in the ebusiness management system. The CB2B models support a set of the conceptual model that includes truths, actions, responsibilities and exclusions for checking contract agreement. First, the designed model translated to Event–Condition–Action (ECA) structure according to Process Metalanguage (Promela) language. Then, a set of simple LTL formulas is generated manually. Both temporal specifications and ECA model are translated to executable codes for the Spin model checker. The main limitations of this framework are as follows: (1) the design level of the formal modeling is omitted; (2) specification rules are very simple; (3) an editable platform for user interface has not been indicated.
Caltais et al. [58] proposed a framework conversion to interact between the System Modelling Language (SysML)based models and NuSMV symbolic model checker. The SysMLJa is a toolset that translates the structural SysMLbased models in forms of block diagrams and state diagrams to symbolic modules of SMV codes. This translation is retrieved from the LTS model by some events and actions. The relationships between each block/state diagram are converted to a transition command in SMV code. Some specification rules are input at the end of the SMV codes manually. There are some limitations in this framework as follows: (1) the generation of specification rules has not been considered in the structure of the framework; (2) the graphical modeling stage is omitted in this framework.
Furthermore, Deb et al. [59] have presented an inherent sequence state transition modeling transformation framework for concurrent systems. They used the Naive algorithm to handle the rise of the state space. First, requirements are translated to the LTS model with respect to a set of sequences states. In the editor environment, the LTS model is converted according to the Multidimensional Lattice Paths (MLP) to the SMV codes. The framework can add a simple CTL formula to the generated SMV code to verify it. However, when a large model is loaded in this framework, the state space has been increased highly. When the system behavior has a multitenant structure, the translated modules cannot interact with them by transition methods. In addition, the functional properties have not been verified in this framework using NuSMV.
Meenakshi et al. [60] have presented a converter environment between Simulink models and input language of model checkers automatically. The system engineers can develop the structural models in Simulink environments such as MATLAB informally. Hence, this converter tool can be useful to transform the Simulink model as the input to a formal description approach in forms of NuSMV model checker codes. The proposed tool covers all of the block diagrams that organize the structural model of the Simulink. There are some limitations in this tool compared with the other instruments: the LTL specifications are not considered in this tool to translate into SMV codes; a graphical modeling diagram is not illustrated to avoid the state space examination. In addition, the practical feature of this model does not support a complex industrial model for translating to the SMV codes.
Vinárek et al. [61] proposed a translator framework between use case models and NuSMV model checker. The authors described a formal explanation of the Formal verification of Annotated Models (FOAM) framework using a user/actor model. The use case model is converted to a textual behavior automaton based on a priority connection. The textual behavior automaton is translated to a configurable LTS model [62]. The main disadvantages of this tool are as follows: first, this translator has not the editor environment to illustrate code generation; second, this tool has not covered the LTL specifications for checking the correctness of the use case models. There is just a demo environment for this tool rather than a practical translator environment.
Szwed [63] presented a translator plugin to convert a business model to executable model checking code. This plugin specifies all of the direct elements of the business model that connect with each symbolic state in the business layer. In translation procedure, a set of the business processes are specified as the atomic states and the business tasks are specified as the events. The CTL formulas are added by the user manually. A graphical model is presented after translating SMV codes. Some limitations of this plugin are as follow: The verification method is executed without any correctness procedure; also, the LTL formulas are not supported. However, the execution time and reachability states are not compared with the other frameworks.
Jiang and Qiu [64] have proposed an Spin2NuSMV (S2N) converter framework between Spin models and NuSMV codes. This framework presents a conversion procedure for transforming a highlevel model in forms of Promela language into a lowlevel model as a state transition system in SMV code. Each process in the Spin model has been translated to a state with events coverage asynchronously. However, this framework cannot support the temporal logic transformation since NuSMV covers both LTL and CTL logics and Spin just generates LTL logic in the opposite. In addition, when a complex model is transformed into the SMV codes, some channels connection between processes are omitted.
Szpyrka et al. [65] have presented a translator framework to convert state graph of a colored Petrinet model to an executable SMV code. Each net is converted to a state and each guard is transformed into an atomic proposition. The translated model is shown in forms of a Kripke model in NuSMV. A graphical reachability graph is generated after the translation procedure that is very confused and irregular. Also, the translated model is not displayed as a graphical model. This tool has a simple environment that imports a Petrinet model and translates to the SMV code in editor environment. The temporal logic formulas are added to end of the code manually. Also, the timedPetrinet models cannot translate to SMV codes.
According to the discussed and reviewed translator frameworks in model checking approach, the comparison of the related frameworks has illustrated in Table 1. The main factors of this view include existed case study, the modeling method, design method, temporal logic provision, and model checker interaction. All of the translator frameworks added the temporal specifications to the SMV code manually. Our presented framework generates all of the temporal logics in forms of the embedded specification rules in SMV code. In addition, NuSMV supports two temporal logics to design the specification rules of the system.
To the best of our knowledge, all related frameworks proposed a translator to provide both code generation/execution. Also, editor platforms support just one modeling template such as LTS or KS and one temporal logic formula for the system behavioral model. At complementing with them, our GSMT framework presents (1) automated design approach for formal descriptions of the system, (2) a compositional behavioral modeling for system behavior in forms of LTS and KS models, (3) generating the visual model diagram of the designed behavior, (4) constructing detailed temporal logic formulas in terms of CTL and LTL, and (5) symbolic automated verification approach using NuSMV.
GSMT framework
This section provides a conceptual description of the proposed framework with some key explanations. The important feature of the GSMT is its flexible modeling and checking capability that represents the common collaboration between two main steps of the formal verification approach. This flexibility is the prominent point of a translator framework that supports all technical features of the behavioral correctness of a complex system. In this section, the framework architecture is explained comprehensively. Also, the presented recursive reduction approach is illustrated in this section.
GSMT behavioral models
The GSMT navigates the behavioral model to a complete design, actual modeling, and automated translation approach. Figure 1 displays a conceptual architecture of GSMT. The GSMT architecture includes four dependent layers as follow: design, modeling, logic and symbolic code. After designing the proposed model, a behavioral model is constructed by the framework. The behavioral model is translated to an LTS or KS model. The translated model can get two results for converting to the final SMV code that includes the original model and reduced model. Concurrently in the logic layer, the specification rules are generated automatically. Then, the final generated code is executed in NuSMV to check the generated specification rules automatically.
Design layer is an interactive level to navigate the fundamental of behavioral model features. This layer has performed following three obligations:

Specifying design type of the behavioral model in forms of KS or LTS.

Creating the structural features of the behavioral model such as states, actions, and atomic propositions.

Creating the system exploration according to the relationship between the features.
Figure 2 illustrates a flowchart diagram that describes the design layer in the GSMT framework. First, the design method is specified for constructing a behavioral model. Depending on the statebased or actionbased model checking approaches, two methods can be chosen for this procedure in terms of KS and LTS. When the design method is specified, the basic features of the behavioral model such as states, transitions and actions should be initialized. We address a formal description of the existing methods briefly.
For the KS model, there are some features according to Kripke structure definition [66, 67]. The method is a statebased framework and the states are labeled with a name. The user can input a set of states and atomic propositions for the initialization section.
Definition 1
A Kripke structure is a fivetuple KS = (Q, I, P, R, L) where [68]:

Q is a set of states.

I is the set of initial states: \(I \in Q\).

P is a set of atomic propositions.

R is a set of transition relations \(R \subseteq Q \times Q\).

L is a state labeling function \({\text{L}}:Q \to 2^{\text{p}}\).
In the above definition, a path can be defined on the behavioral model as follow:
Definition 2
A Kripke path KP is a finite sequence of the states and transitions starting from the state q_{1} and finishing at the state q_{n} that \(\left( {q_{1} \;\;{\text{and}}\;\;q_{n} \in Q,\;\;\; {\text{p}} \in P} \right)\) denoted as [69]:
In the next method, the model is constructed as an LTS model that is the eventbased framework and the transitions are labeled with a name [70, 71]. The user can initialize a set of states and actions to design the behavioral model.
Definition 3
A Labeled Transition System LT is a 4tuple LT = (S, M, A, T) where:

S is a set of states.

M is the set of initial state: \(M \in S\).

A is a set of actions.

T is a total transition relation: \(T \subseteq S \times A \times S\).
This means, the relation \(s_{1} \mathop \to \limits^{a} s_{2} \left( {s_{ 1} , \;s _{2} \in S\;\;{\text{and}}\;\; {\text{a}} \in A} \right)\) is used for stating that \(\left( {s_{1} ,\;{\text{a}},\; s_{2} } \right) \in T\).
Also, in the second method, a path on the behavioral model is described as follow:
Definition 4
A Labeled path LP in the second method is a finite sequence of the events and actions starting from the state s_{1} and finishing at the state \(s_{n} \left( {s_{1} \;{\text{and}}\;\;s_{n} \in S} \right)\) denoted as [72]:
By using the Kripke Path KP and the Labeled Path LP, we create the state space exploration for the proposed behavioral models in model checking.
Modeling layer is a visual interaction level illustrating the graphical models of the behavioral model. This layer is classified to the following three steps:

Configuring the transition relations between the expected attributes in the behavioral model.

Translating the configurable relations to the graphbased relation machine.

Generating a graphical state exploration diagram according to the graphbased relation machine.
Figure 3 shows the modeling layer architecture for generating a visual state exploration diagram in the GSMT framework. First, each transition relation in the behavioral model is constructed according to the formulated paths in the above definitions. Due to the importance of the relation handling between expected states, transmitting the states by each event or an atomic proposition is done automatically. In this situation, any transition relation is not omitted in a complex behavioral model. After configuring the formal transition relations, a graphbased relation machine is translated for mapping on the state space exploration. This translation is based on the GraphViz^{Footnote 1} tool as a visual modeling software. Finally, a graphical state exploration diagram for the designed behavioral model has generated automatically. The generated output model is produced in form of dot format that has a hierarchical drawing architecture for modeling the system behavior. We prepare the editable version of the modeling format for the user that can save it to the other viewable formats like an image. Due to having the simple language structure in GraphViz, this platform is chosen for increasing the flexibility.
The logic layer is a formal descriptive level to demonstrate the temporal logic formulas in verification of the behavioral model. This layer has the following features:

Extracting the transition relations as a set of specification rules.

Converting the specification rules to a formulabased platform in forms of the LTL and CTL.

Generating the existent permutation temporal formulas for all of the specification rules.
Figure 4 shows the logic layer architecture to the automated construction of the temporal logic specifications in terms of reachability, deadlock, liveness, and safety conditions. Initially, the set of states, atomic propositions and actions are extracted to the permutation of the transition relations in a Finite State Machine (FSM). According to the following descriptions of the temporal logics, the conversion procedure is done for each property checking which includes deadlock condition, reachability asset, safeness property and liveness condition. For showing the specification properties, we explain CTL and LTL briefly.
The CTL syntax is described as follows [16]:

True is a true proposition.

The p is an atomic proposition where the \(\alpha\) formula can hold atomic proposition p with a sentence or statement according to following syntax \(\alpha\) (p) which is both true or false value.

The \(\alpha\) is ranged over CTL formulas.

The \(\neg \alpha\) (not), \(\alpha \wedge \alpha^{{\prime }}\) (and) and \(\alpha \vee \alpha^{{\prime }}\) (or) are logical syntaxes on the formulas.

A (always) and E (eventually) are the general quantifiers on all of the paths.

G (globally), X (next state) and F (in the future) are contracted in the entire of each path.
Also, LTL syntax is explained as follow [73, 74]:

True is a true proposition.

The q is an atomic proposition where a \(\beta\) formula gets atomic proposition q with a declarative statement according to following syntax \(\beta\) (q) which is both true or false value.

The \(\beta\) is a range over LTL formulas.

The \(\neg \beta\) (not), \(\beta \wedge \beta^{\prime }\) (and) and \(\beta \vee \beta^{{\prime }}\) (or) are logical syntaxes on the formulas.

G (globally), X (next state) and F (in the future) are contracted in the entire of each path.

The \(\beta U\beta^{\prime }\) means that \(\beta\) is true and enabled until \(\beta^{{\prime }}\) is activated.
According to the specified temporal syntaxes, three categorizations are performed to generate all of the expected specification rules in the system behavior automatically. The user can select each property according to the model analysis. The generated temporal properties are added to the end of the code. For example, we have the simple template of some specification properties for the LTS model as follows:

(Deadlock freedom) AG !(state & action);

(Liveness) AG (state & action) → AF (state & action);

(Reachability) AG (EF(state & action → state & action));
Symbolic code layer is a fully automated verification approach for executing the generated symbolic codes in the NuSMV interactive model checker. This layer navigates the following tasks:

Translating the expected attributes to the hierarchically structured programming platform.

Transforming the hierarchically structured platform to the SMV codes.

Adding the generated specification formulas to the end of the code.

Reducing the expected attributes to ameliorate the state space explosion.

Confirming the reduced behavioral model as the optimally generated SMV code.

Generating the executable SMV code for automated verification in NuSMV.
Figure 5 displays the symbolic code layer architecture to automated verification of the behavioral model. First, the modeled structure is translated to a hierarchicalbased platform to preserve the expected transition relations. Then, the hierarchicalbased platform is transformed into the SMV code configuration. In this position, the user has two methods for producing final code. The original SMV code of the behavioral model via the expected specification rules are generated automatically. Also, the user can request the reduced behavioral model to ameliorate the state space explosion in a complex system. The GSMT generates a reduced SMV code for executing in the NuSMV. In the verification phase, the NuSMV reads the generated code and transforms it into a flat hierarchical model. Then, the existing variables are encoded for constructing Ordered Binary Decision Diagram (OBDD) [75] platform. Finally, the constructed model is built for checking the behavioral correctness of the system.
After describing the GSMT architecture, we present the recursive reduction approach for the GSMT.
Recursive reduced model
The reduced model generally is based on a linear reduction in some related approaches [70, 76,77,78]. The complex systems have a set of impermissible states that are composed of the parallel relational processes. The similarity of the attributes and transition relations increase the number of state space size. Whatever the number of states and transitions are decreased, the state space is compacted because the size of the state space has been increased exponentially. We use a vicinity matrix for recursive reduced model. To describe the state space reduction, the first step is ordering the vicinity matrix of the state space according to the transition relations. After generating the vicinity matrix, a recursive reduced algorithm is executed for refining the state space. According to the reduction algorithms [76, 77], we have a minimization equivalence method that the model size is defined for comparing the minimality and reduced model [76].
Definition 5
Model size is shown by S_{m} with the number of states and transitions. In other words, we conclude \(\left {{\text{S}}_{\text{m}} } \right \le \left {{\text{S}}_{\text{m}}^{{\prime }} } \right\) if and only if the number of all attributes (states and transitions) of the S_{m} is smaller than \({\text{S}}_{\text{m}}^{{\prime }}\) [79].
Definition 6
The S_{m} is an original model and S_{R} is its reduced model. A minimal equivalence M_{e} is an equal relation, when \(\left {{\text{S}}_{\text{R}} } \right \le \left {{\text{ S}}_{\text{m}} } \right\) (the size of the reduced model is smaller than the original model), then \({\text{S}}_{\text{m}} \equiv {\text{S}}_{\text{R}}\) (the original model is equivalence with reduced model) if and only if the minimal equivalence \({\text{S}}_{\text{R}} \approx M_{e} \approx {\text{S}}_{\text{m}}\) is established. Consequently, the reduced model S_{R} is replaced on the original model S_{m} for ameliorating the state space explosion [67].
Figure 6a is the original KS model by a set of states (S_{0}, S_{1}, S_{2}, S_{3}, S_{4}, S_{5}, S_{6}) and Fig. 6b is a reduced KS model. In the original Kripke model, there are three states S_{3}, S_{4} and S_{5} by same atomic proposition {x} in the KS model that are merged together in set of labeling functions ((S_{0}, {x}), (S_{1}, {z}), (S_{2}, {y}), (S_{3}, S_{4}, S_{5}, {x}), (S_{6}, {z})). First, a vicinity matrix is created for the original Kripke model.
Figure 7 depicts the design of the vicinity matrix for the original and reduced models. For a sample, in the original matrix (Fig. 7a), there are two neighborhood values according to the transition relation method. When the value of S_{1}S_{3} is equal to the value of S_{1}S_{4} (PS_{i, j} = PS_{i, j+1}) that means there is a same proposition for the proposed states, then the reduced approach is applied. Initially, the S_{4} and S_{5} are transmitted to the \(S_{3}^{\prime }\) and the proposition {x} is omitted for them. Second, each inputted edge to the S_{4} and S_{5} is inputted to the \(S_{3}^{\prime }\) and each outputted edge from the S_{4} and S_{5} is outputted from the \(S_{3}^{\prime }\). Then, the remaining Kripke model is mapped to the new Kripke model as a reduced model (Fig. 7b) by set of states (\(S_{0}^{\prime }\), \(S_{1}^{\prime }\), \(S_{2}^{\prime }\), \(S_{3}^{\prime }\), \(S_{4}^{\prime }\)) and set of labeling functions ((\(S_{0}^{\prime }\), {x}), (\(S_{1}^{\prime }\), {z}), (\(S_{2}^{\prime }\), {y}), (\(S_{3}^{\prime }\), {x}), (\(S_{4}^{\prime }\), {z})). The number of two states and three edges are deleted from the original Kripke model. Finally, the relation of minimal equivalence between K_{Original} and \({\text{K}}_{\text{Reduced}}^{{\prime }}\) is established as follows:
The size of the reduced Kripke model is lower than original Kripke model  \({\text{K}}_{\text{Reduced}}^{{\prime }}\)  \(\le\)  K_{Original}  and the original Kripke model is equivalence with reduced Kripke model \({\text{K}}_{\text{Original}} \equiv {\text{K}}_{\text{Reduced}}^{{\prime }}\).
Figure 8 depicts the recursively reduced algorithm based on the vicinity matrix of labeling functions. This algorithm provides two conditions for the reduced model for searching each matrix array. First, both neighbor values by a vicinity condition are specified if S(i, j) = S(i, j + 1), then the reduction procedure is applied. Second, each loop condition occurs for two states if S(i, j) = S(j, i), then the reduction procedure is applied. Searching matrix arrays are done until there is no array that applies in two conditions.
Experimental analysis
This section illustrates some experimental case studies to evaluate the GSMT framework. First, a brief exploration of the GSMT environment is presented. Then, some case studies are illustrated to demonstrate the performance evaluation of the framework. Finally, the verification results are shown in this section.
User interface of GSMT
The framework consists of three main windows that include modeling method selection, KS model window, and LTS model.
In Fig. 9, a Kripke model platform is shown for creating Example 1 as a case study. Following sections illustrate the important regions in KS platform. At the first stage, the designer can input initial information for the behavioral model. The reduction method, generating temporal logics and generating SMV codes are done automatically. In the main text, all the existing layers have been illustrated with manual or automatic conditions.

Add propose state: the user inputs a set of existing states on Add propose state button. The defined states are listed in the state list manually.

Add initial state: the user should select an initial state from the state list which the initial state is displayed in the First state box manually.

Add transition relation: it shows the transition relations that are constructed in forms of From/To structure. All of the transition relations are listed in transition relation list box. The interaction simplicity is a key point for users and engineers to design and model a complex system using GSMT manually.

Add AP: it specifies the atomic propositions of each state using Add AP button manually.

Generate behavioral model: it consists of a button which generates a graphical state transition diagram in form of the GraphViz output based on own structure codes automatically.

Generate symbolic code: it is a symbolic code generation for constructing the final SMV code in the following textbox. This textbox is an editable platform for copying and modifying the SMV code. When the checkbox reduce is checked, then the model is reduced according to the reduction approach and the reduced final SMV code is generated. Also, the framework generates the new graphical diagram for reduced model automatically.

Specification generators: by selecting the specification rules, the GSMT produces the temporal formulas automatically. In the column of CTL specification generator, there are 4 specification rules for adding to the end of the SMV code automatically.

For example, the deadlock and reachability properties are selected to generate and add in the code. In addition, the LTL specification generator column has three specification rules. In Fig. 9, all of the properties are selected to add the end of the code.
Example 1
This example illustrates a translation procedure for a Kripke model to the SMV code. A verification approach is done based on the NuSMV model checker automatically. According to Definition 1, the formal description of the Kripke structure of Example 1 is as follow:

Set of the states Q = (S1, S2, S3, S4, S5, S6).

The initial state I = S1.

The set of atomic propositions P = (p, q, r).

The set of transition relations R = {(S1, S2), (S2, S3), (S2, S4), (S3, S5), (S4, S6)}.

The state labelling functions L = ((S1, {p}), (S2, {q}), (S3, {q}), (S4, {p, q}), (S5, {p, r}), (S6, {p, r}).
Figure 10 shows the graphical state transition diagram of Example 1 that is generated automatically using GSMT. After modeling the proposed behavioral model of the Example 1, the final SMV code is generated according to the symbolic code platform. The verification results of the Example 1 are as follows:

The execution time of this model is 158.5 ms,

Generating 18 deadlockfree properties,

Generating 180 reachability properties,

Generating 180 liveness properties,

Generating 720 safety properties.
Figure 11 illustrates the executed SMV code in NuSMV for Example 1 automatically. In this figure, there is no deadlock problem in the example. The existing reachable states of the proposed model is 64 with system diameter 5. The numbers of allocated OBDD states are 297. After checking the CTL specifications, the 50% of the generated deadlock properties is true, the 77% of the reachability properties is true, the 100% of the liveness properties is true, and the 92% of the safety properties is true. The total number of the generated CTL properties of the Example 1 is 1098.
Figure 12 shows the LTS window for constructing the Example 2 as the suggested case study. According to the specified numbers of Fig. 12, the translation procedure of the LTS to the final SMV code is shown.

Add propose state: the user inputs a set of existing states on Add propose state button. The defined states are listed in the state list manually.

Add initial state: the user should select an initial state from the state list which the initial state is displayed in the First state box manually.

Add action: the user inputs a set of existing actions on Add propose action button manually.

Add initial action: the user selects an initial action from the action list which the initial action is shown in the First action box manually.

Add transition relation: it shows the transition relations that are constructed in forms of From/To/By structure. All of the transition relations are listed in transition relation list box manually.

Generate a behavioral model: it consists of a button which generates a graphical state transition diagram in form of the GraphViz output automatically.

Generate symbolic code: it is a symbolic code generation for constructing the final SMV code in the following textbox. This textbox is an editable platform for copying and modifying the SMV code. When the checkbox reduce is checked, then the model is reduced according to the reduction approach and the reduced final SMV code is generated. Also, the framework generates the new graphical diagram for reduced model automatically.

Specification generators: by selecting the specification rules, the GSMT produces the temporal formulas automatically. In the column of CTL specification generator, there are 4 specification rules for adding to the end of the SMV code automatically.
Example 2
This example illustrates a translation procedure for a labeled model to the SMV code. A modeling and verification approach is done based on the NuSMV model checker automatically. According to Definition 3, the formal description of the LTS of Example 2 is as follow:

Set of the state S = (S1, S2, S3, S4, S5, S6).

The initial state M = S1.

The set of atomic propositoins A = (a1, a2, a3, a4, a5, a6).

The set of transition relations T = {(S1, a1, S2), (S2, a2, S3), (S2, a2, S4), (S3, a3, S5), (S4, a4, S6), (S5, a5, S6), (S5, a3, S3), (S6, a6, S1)}.
Figure 13 shows the graphical state transition diagrams for Example 2 that is generated automatically using GSMT. Figure 13a shows the original LTS model and Fig. 13b depicts the reduced LTS model after applying the reduce approach on the original model. After modeling the proposed behavioral model of the Example 2, the final SMV code is generated according to the symbolic code platform. The verification results of the Example 2 are as follows:

The execution time of this model is 328.9 ms;

Generating 42 deadlockfree properties;

Generating 1260 reachability properties;

Generating 1260 liveness properties;

Generating 3450 safety properties.
Figure 14 illustrates the executed SMV code of Example 2 in the NuSMV automatically. In this figure, there is no deadlock problem. The existing reachable states of the proposed model is 2680 with system diameter 5. The numbers of allocated OBDD states are 296. After checking the CTL specifications, the 55% of the generated deadlock properties is true, the 75% of the reachability properties is true, the 100% of the liveness properties is true, and the 94% of the safety properties is true. The total number of the generated CTL properties of the Example 2 is 6012.
Performance evaluation
For comparing the performance of GSMT and the other translator frameworks, some test case examples are analyzed. In this experiment, an Intel^{®} Core™ i56200U @ 2.30 GHz CPU, and 8 GB memory in Windows 10 have been used.
The first level of the performance evaluation is analyzing the verification time of the original and reduced models that we perform some test cases to analyze the GSMT framework. The details of these test cases are illustrated in Table 2. These case studies are generated randomly.
Figure 15 demonstrates the verification time for ten test cases (10 to 100,000 state explorations) in forms of original and reduced models. This result specifies that the reduced model of the GSMT provides a substantial performance in the verification time. When the number of the state space attributes are increased, the verification time of the state exploration is grown. In this situation, the reduced model can significantly decrease the verification time of system verification.
Also, Table 3 shows the number of states and transitions of 10 test cases of Table 2 in order to the percentage of state space reduction using the proposed recursive reduced model of the GSMT framework. The reduction average of the state space using GSMT is 18.54%. The reduced models have minimal equivalency relations with the original models.
The second level of the performance analysis is to compare the code generation time for ten test cases (10 to 100,000 state explorations). We implemented the existing case studies in three famous translator frameworks SysMLja [58], IStar [59], and FOAM [61] to compare with the performance of the GSMT framework. Since the selected framework supports just the LTS model, the structure of existing examples has been considered in forms of LTS for a fair measurement. Figure 16 depicts the code generation time for specifying the case studies. By increasing the number of the states and transitions in each example, the generation time is grown exponentially. As the result, the GSMT framework generates the final code by minimum time.
Discussion
Some model checking converters follow up a standard translation architecture such as a design code structure, the specification properties definition, and an executive verifiable code. The proposed framework not only supports the standard platforms but also represents a specification rules generator, behavioral model generation, and space reduction approach. However, interconnecting some verification approaches such as process algebraic methods and theorem proving tools is a key challenge in complex software and hardware development. The experimental results acquired via some individual test cases obviously demonstrate that the recursive reduction method improves significantly the execution and verification time. Nevertheless, the increasing of the generated specification rules can influence code generation complexity and rise to check the time of the properties negatively, and enhancement of the system correctness positively. The limitations of the GSMT framework can be improved with applying the evolutionary algorithms in the model checking approach. For example, the reduction time of the reduced model can significantly be decreased using greedy algorithms. For analyzing the completeness and soundness of a complex system, the model checking approach is timeconsuming and the theorem proving frameworks such as Isabelle^{Footnote 2} and SPASSD^{Footnote 3} tools can influence to prove these problems. Also, middleware converters between the concrete and the verifiable model are very useful to correctness evaluation of the complex systems. The important challenge of these converters is the approximation of the verifiable model to the implementation model. Table 4 shows the comparison of the related frameworks and the GSMT according to the verification environment factors in terms of code generation mode, editor layer, graphical modeling creation, property generation section, and reduction approach. In this evaluation, the GSMT support all of the verification environment factors automatically.
Conclusion and future work
In this research, a GSMT is presented with respect to simplifying the behavioral modeling software systems. It consists of the behavioral modeling in form of the LTS and the KS, generating a graphical state exploration diagram of the behavioral model, generating the expected specification rules automatically, translating the behavioral model to the SMV codes, and reduction of the state space. The important functionality of the GSMT is the implementation of the syntactic reduced approach that ameliorates the state space explosion. Also, the framework generates the specification rules for proofing the correctness of the model automatically. In order to use the NuSMV, the GSMT supports both the LTL and CTL formulas to add the final code for execution in the interactive environment. The experimental results of the GSMT shown that this framework has usability and simplicity for behavioral modeling software and hardware systems. In comparison analysis, the reduction approach can significantly decrease the execution time for model verification. In addition, the framework has a sufficient execution time for generating final executable SMV code rather than the other translation model checking frameworks. In checking the generated specification properties for each model in average, the 55% of the generated deadlock properties is true, the 73.5% of the reachability properties is true, the 100% of the liveness properties is true, and the 93% of the safety properties is true. In the future work, we will add some key features such as contracting the formal specification using picalculus and model checking in an integrated framework, improving the specification rules generation according to behavioral model satisfactory, refining the state space reduction percentage for the complex systems, and applying the multiaction transition associations for decreasing the state space complexity.
References
Mitsch S, Passmore GO, Platzer A (2014) Collaborative verificationdriven engineering of hybrid systems. Math Comput Sci 8:71–97
Li Y, Tao F, Cheng Y, Zhang X, Nee AYC (2017) Complex networks in advanced manufacturing systems. J Manuf Syst 43:409–421
Vakili A, Navimipour NJ (2017) Comprehensive and systematic review of the service composition mechanisms in the cloud environments. J Netw Comput Appl 81:24–36
Keshanchi B, Souri A, Navimipour NJ (2017) An improved genetic algorithm for task scheduling in the cloud environments using the priority queues: formal verification, simulation, and statistical testing. J Syst Softw 124:1–21
Glaßer C, Pavan A, Travers S (2011) The fault tolerance of NPhard problems. Inf Comput 209:443–455
Higashino WA, Capretz MAM, Bittencourt LF (2016) CEPSim: modelling and simulation of complex event processing systems in cloud environments. Future Gener Comput Syst 65:122–139
Suh YK, Lee KY (2018) A survey of simulation provenance systems: modeling, capturing, querying, visualization, and advanced utilization. Hum Centric Comput Inf Sci 8:27
Dill DL (1998) What’s between simulation and formal verification? (extended abstract). In: Presented at the proceedings of the 35th annual design automation conference, San Francisco, California, USA
Li K, Liu L, Zhai J, Kosgoftaar TM, Shao M, Liu W (2017) Reliability evaluation model of componentbased software based on complex network theory. Qual Reliab Eng Int 33(3):543–550
Khan W, Ullah H, Ahmad A, Sultan K, Alzahrani AJ, Khan SD et al (2018) CrashSafe: a formal model for proving crashsafety of Android applications. Hum Centric Comput Inf Sci 8:21
Kim J, Won Y (2017) Patch integrity verification method using dual electronic signatures. J Inf Process Syst 13
Hu K, Lei L, Tsai WT (2016) Multitenant verificationasaservice (VaaS) in a cloud. Simul Model Pract Theory 60:122–143
Jafari Navimipour N (2015) A formal approach for the specification and verification of a Trustworthy Human Resource Discovery mechanism in the Expert Cloud. Expert Syst Appl 42:6112–6131
Jafari Navimipour N, Habibizad Navin A, Rahmani AM, Hosseinzadeh M (2015) Behavioral modeling and automated verification of a Cloudbased framework to share the knowledge and skills of human resources. Comput Ind 68:65–77
Souri A (2016) Formal specification and verification of a data replication approach in distributed systems. Int J Next Gener Comput 7(1):18–37
Souri A, Jafari Navimipour N (2014) Behavioral modeling and formal verification of a resource discovery approach in Grid computing. Expert Syst Appl 41:3831–3849
Souri A, Norouzi M, Safarkhanlou A, Sardroud SHEH (2016) A dynamic data replication with consistency approach in data grids: modeling and verification. Balt J Mod Comput 4:546
Shen VRL, Wang YY, Yu LY (2016) A novel blood pressure verification system for home care. Comput Stand Interfaces 44:42–53
Rezaee A, Rahmani AM, Movaghar A, Teshnehlab M (2014) Formal process algebraic modeling, verification, and analysis of an abstract Fuzzy Inference Cloud Service. J Supercomput 67:345–383
Ruiz MC, Cazorla D, Pérez D, Conejero J (2016) Formal performance evaluation of the Map/Reduce framework within cloud computing. J Supercomput 72:3136–3155
Hermanns H, Herzog U, Katoen JP (2002) Process algebra for performance evaluation. Theoret Comput Sci 274:43–87
Tini S, Larsen KG, Gebler D (2017) Compositional bisimulation metric reasoning with probabilistic process calculi. Log Methods Comput Sci 12(4):2627
Chen X, Wang L (2017) Exploring fog computing based adaptive vehicular data scheduling policies through a compositional formal methodPEPA. IEEE Commun Lett. 2017
Challenger M, Mernik M, Kardas G, Kosar T (2016) Declarative specifications for the development of multiagent systems. Comput Stand Interfaces 43:91–115
Hao F, Sim DS, Park DS, Seo HS (2017) Similarity evaluation between graphs: a formal concept analysis approach. JIPS 13:1158–1167
Sardar MU, Hasan O, Shafique M, Henkel J (2017) Theorem proving based formal verification of distributed dynamic thermal management schemes. J Parallel Distrib Comput 100:157–171
Srikanth A, Sahin B, Harris WR (2017) Complexity verification using guided theorem enumeration. In: Proceedings of the 44th ACM SIGPLAN symposium on principles of programming languages, pp 639–652
Xue T, Ying S, Wu Q, Jia X, Hu X, Zhai X et al (2017) Verifying integrity of exception handling in serviceoriented software. Int J Grid Util Comput 8:7–21
Copet PB, Marchetto G, Sisto R, Costa L (2017) Formal verification of LTEUMTS and LTE–LTE handover procedures. Comput Stand Interfaces 50:92–106
Edmund J, Clarke M, Grumberg O, Peled DA (1999) Model checking. MIT Press, Cambridge
LeitnerFischer F, Leue S (2013) Causality checking for complex system models. In: Giacobazzi R, Berdine J, Mastroeni I (eds) Proceedings of verification, model checking, and abstract interpretation: 14th international conference, VMCAI 2013, Rome, Italy, January 20–22, 2013. Springer Berlin Heidelberg, Berlin, pp 248–267
Merelli E, Paoletti N, Tesei L (2017) Adaptability checking in complex systems. Sci Comput Program 115–116:23–46
Baier C, Katoen JP (2008) Principles of model checking (representation and mind series). The MIT Press, Cambridge
McMillan KL (1993) Symbolic model checking. Kluwer Academic Publishers, Norwell
Burch JR, Clarke EM, McMillan KL, Dill DL, Hwang LJ (1992) Symbolic model checking: 1020 states and beyond. Inf Comput 98:142–170
Souri A, Norouzi M (2015) A new probable decision making approach for verification of probabilistic realtime systems. In: 2015 6th IEEE international conference on software engineering and service science (ICSESS), pp 44–47
Cimatti A, Clarke E, Giunchiglia F, Roveri M (2000) NuSMV: a new symbolic model checker. Int J Softw Tools Technol Transfer 2:410–425
Sun J, Liu Y, Dong JS (2008) Model checking CSP revisited: introducing a process analysis toolkit. In: International symposium on leveraging applications of formal methods, verification and validation, pp 307–322
Holzmann GJ (1997) The model checker SPIN. IEEE Trans Softw Eng 23:279–295
Bengtsson J, Larsen K, Larsson F, Pettersson P, Yi W (1995) UPPAAL—a tool suite for automatic verification of realtime systems. In: International hybrid systems workshop, pp 232–243
Podivinsky J, Cekan O, Lojda J, Zachariasova M, Krcma M, Kotasek Z (2017) Functional verification based platform for evaluating fault tolerance properties. Microprocess Microsyst 52:145–159
Wang S, Huang K (2016) Improving the efficiency of functional verification based on test prioritization. Microprocess Microsyst 41:1–11
Balasubramaniyan S, Srinivasan S, Buonopane F, Subathra B, Vain J, Ramaswamy S (2016) Design and verification of CyberPhysical Systems using TrueTime, evolutionary optimization and UPPAAL. Microprocess Microsyst 42:37–48
Kaufmann P, Kronegger M, Pfandler A, Seidl M, Widl M (2015) Intra and interdiagram consistency checking of behavioral multiview models. Comput Lang Syst Struct 44(Part A):72–88
LópezFernández JJ, Guerra E, de Lara J (2016) Combining unit and specificationbased testing for metamodel validation and verification. Inf Syst 62:104–135
Amálio N, Glodt C (2015) A tool for visual and formal modelling of software designs. Sci Comput Program 98(Part 1):52–79
Holzmann GJ, Joshi R, Groce A (2008) New challenges in model checking. In: Grumberg O, Veith H (eds) 25 years of model checking: history, achievements, perspectives, Springer Berlin Heidelberg, Berlin, pp 65–76
Bozzano M, Villafiorita A (2006) The FSAP/NuSMVSA safety analysis platform. Int J Softw Tools Technol Transfer 9:5
Głuchowski P (2016) NuSMV model verification of an airport traffic control system with deontic rules. In: Zamojski W, Mazurkiewicz J, Sugier J, Walkowiak T, Kacprzykj (eds) Dependability engineering and complex systems: proceedings of the eleventh international conference on dependability and complex systems DepCoSRELCOMEX. June 27–July 1, 2016, Brunów, Poland, Springer International Publishing, Cham, pp 195–206
Safarkhanlou A, Souri A, Norouzi M, Sardroud SEH (2015) Formalizing and verification of an antivirus protection service using model checking. Procedia Comput Sci 57:1324–1331
Ngo VC, Legay A (2018) Formal verification of probabilistic SystemC models with statistical model checking. J Softw Evol Process 30:e1890
Li W, Hayes JH, Antoniol G, Guéhéneuc YG, Adams B (2016) Error leakage and wasted time: sensitivity and effort analysis of a requirements consistency checking process. J Softw Evol Process 28:1061–1080
Mercorio F (2013) Model checking for universal planning in deterministic and nondeterministic domains. AI Commun 26:257–259
Li J, Qeriqi A, Steffen M, Yu IC. Automatic translation from FBDPLCprograms to NuSMV for model checking safetycritical control systems. 2016
Sharma PK, Ryu JH, Park KY, Park JH, Park JH (2018) LiFi based on security cloud framework for future IT environment. Hum Centric Comput Inf Sci 8:23
Castelluccia D, Mongiello M, Ruta M, Totaro R (2006) WAVer: a model checkingbased tool to verify web application design. Electron Notes Theor Comput Sci 157:61–76
Abdelsadiq A (2013) A toolkit for model checking of electronic contracts
Caltais G, LeitnerFischer F, Leue S, Weiser J (2016) SysML to NuSMV model transformation via objectorientation
Deb N, Chaki N, Ghose A (2016) Extracting finite state models from i* models. J Syst Softw 121:265–280
Meenakshi B, Bhatnagar A, Roy S (2006) Tool for translating Simulink models into input language of a model checker
Vinárek J, Ŝimko V, Hnĕtynka P (2015) Verification of usecases with FOAM tool in context of cloud providers. In: 2015 41st euromicro conference on software engineering and advanced applications, pp 151–158
Simko V, Hauzar D, Hnetynka P, Bures T, Plasil F (2015) Formal verification of annotated textual usecases. Comput J 58:1495–1529
Szwed P (2015) Verification of ArchiMate behavioral elements by model checking. In: Saeed K, Homenda W (eds) Computer information systems and industrial management: 14th IFIP TC 8 international conference, CISIM 2015, Warsaw, Poland, September 24–26, 2015, proceedings, Springer International Publishing, Cham, pp 132–144
Jiang Y, Qiu Z (2012) S2N: model transformation from SPIN to NuSMV. In: Presented at the PROCEEDINGS of the 19th international conference on Model Checking Software, Oxford, UK
Szpyrka M, Biernacka A, Biernacki J (2014) Methods of translation of petri nets to NuSMV language. In: CS&P, pp 245–256
Browne MC, Clarke EM, Grümberg O (1987) Characterizing Kripke structures in temporal logic. In: presented at the The International Joint Conference on theory and practice of software development on TAPSOFT ‘87, Pisa, Italy
Reniers MA, Willemse TAC (2011) Folk theorems on the correspondence between statebased and eventbased systems. In: Černá I, Gyimóthy T, Hromkovič J, Jefferey K, Králović R, Vukolić M, et al. (eds) SOFSEM 2011: theory and practice of computer science: 37th conference on current trends in theory and practice of computer science, Nový Smokovec, Slovakia, January 22–28, 2011. Proceedings, Springer Berlin Heidelberg, Berlin, pp 494–505
GhobaeiArani M, Rahmanian AA, Souri A, Rahmani AM (2018) A mothflame optimization algorithm for web service composition in cloud computing: simulation and verification. Softw Pract Exp 48:1865–1892
Souri A, Nourozi M, Rahmani AM, Navimipour NJ (2018) A model checking approach for user relationship management in the social network. Kybernetes. https://doi.org/10.1108/K0220180092092
Bouneb M, Saidouni DE, Ilie JM (2015) A reduced maximality labeled transition system generation for recursive Petri nets. Formal Aspects Comput 27:951–973
Sibay GE, Braberman V, Uchitel S, Kramer J (2013) Synthesizing modal transition systems from triggered scenarios. IEEE Trans Softw Eng 39:975–1001
Souri A, Rahmani AM, Jafari Navimipour N (2018) Formal verification approaches in the web service composition: a comprehensive analysis of the current challenges for future research. Int J Commun Syst 31:1–27
Rozier KY (2011) Linear temporal logic symbolic model checking. Comput Sci Rev 5:163–203
Zhao Y, Rozier KY (2014) Formal specification and verification of a coordination protocol for an automated air traffic control system. Sci Comput Program 96(Part 3):337–353
Bollig B (2016) On the minimization of (complete) ordered binary decision diagrams. Theory Comput Syst 59:532–559
Sharma A (2012) A two step perspective for Kripke structure reduction. arXiv preprint arXiv:1210.0408
Gradara S, Santone A, Villani ML, Vaglini G (2004) Model checking multithreaded programs by means of reduced models. Electron Notes Theor Comput Sci 110:55–74
Flanagan C, Godefroid P (2005) Dynamic partialorder reduction for model checking software. In: Presented at the proceedings of the 32nd ACM SIGPLANSIGACT symposium on principles of programming languages, Long Beach, California, USA
Reniers MA, Schoren R, Willemse TAC (2014) Results on embeddings between statebased and eventbased systems. Comput. J 57:73–92
Authors’ contributions
All authors read and approved the final manuscript.
Acknowledgements
Not applicable.
Competing interests
The authors declare that they have no competing interests.
Availability of data and materials
Not applicable.
Funding
No funding was received.
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.
About this article
Cite this article
Souri, A., Rahmani, A.M., Navimipour, N.J. et al. A symbolic model checking approach in formal verification of distributed systems. Hum. Cent. Comput. Inf. Sci. 9, 4 (2019). https://doi.org/10.1186/s136730190165x
Received:
Accepted:
Published:
DOI: https://doi.org/10.1186/s136730190165x
Keywords
 Model checking
 Temporal logic
 Reduced model
 Kripke structure
 Labeled Transition System