Data Representation and Ecient Solution:

A Decision Diagram Approach

Gianfranco Ciardo
Dept. of Computer Science and Engineering, UC Riverside, CA 92521, USA
[email protected]
Abstract. Decision diagrams are a family of data structures that can
compactly encode many functions on discrete structured domains, that
is, domains that are the cross-product of nite sets. We present some
important classes of decision diagrams and show how they can be eec-
tively employed to derive symbolic algorithms for the analysis of large
discrete-state models. In particular, we discuss both explicit and sym-
bolic algorithms for state-space generation, CTL model-checking, and
continuous-time Markov chain solution. We conclude with some sugges-
tions for future research directions.
Key words: binary decision diagrams, multi-valued decision diagrams,
edge-valued decision diagrams, state-space generation, symbolic model
checking, Kronecker algebra.
1 Introduction
Discrete-state models are useful to describe and analyze computer-based and
communication systems, or distributed software, and many other man-made ar-
tifacts. Due to the inherent combinatorial nature of their interleaving behav-
ior, such models can easily have enormous state spaces, which can make their
computer-supported analysis very dicult. Of course, high-level formalisms such
as Petri nets, queueing networks, communicating sequential processes, and spe-
cialized languages can be eectively used to describe these enormous underlying
state space. However, when a model described in one of these formalisms needs
to be analyzed, the size of the state space remains a major obstacle.
In this contribution, we present decision diagrams, a class of data structures
that can compactly encode functions (or set and relations, or vectors and ma-
trices) on very large but structured domains. Then, we briey summarize some
of the main computational tasks involved in the traditional explicit analysis
of systems, both in a strictly logical setting and in a Markovian setting. Putting
the two together, we then show how these tasks can be eectively performed
symbolically using decision diagrams. We conclude by listing some research
challenges lying ahead.

Work supported in part by the National Science Foundation under grants CNS-
0501747 and ATM-0428880
x
4
x
3
x
2
x
1
+ (x
4
+ x
3
) (x
2
+ x
1
)
0 1
0 1
0 1
0 1 0 1
0 1
x
3
x
2
x
1
+ x
3
(x
2
+ x
1
)
x
2
x
1 x
2
+ x
1
x
1
1 0
x
1
x
2
x
3
x
4
x
4
x
3
x
2
x
1
+ (x
4
+ x
3
) (x
2
+ x
1
)
0 1
0 1
0 1
0 1 0 1
0 1
x
3
x
2
x
1
+ x
3
(x
2
+ x
1
)
x
2
x
1 x
2
+ x
1
x
1
1 0
0 1
0 1 0 1
0 1
x
2
+ x
1
Fig. 1. Fully-reduced vs. quasi-reduced BDDs.
In the following, calligraphic letters (e.g., /, A) denote sets or relations,
lowercase bold letters (e.g., i, j) indicate global state of the system, and lowercase
italic letters (e.g., i, x
k
) indicate local components of the state. Also, B, N, Z,
and R indicate the set 0, 1 of boolean values, the natural numbers, the integers,
and the real numbers, respectively.
2 Decision diagrams: a data structure for structured data
Many classes of decision diagrams have been dened in the literature. This sec-
tion presents some of the most common ones, which will be used in Section 4 to
improve the eciency of discrete-state system analysis.
2.1 Binary decision diagrams
The most widely known and used class of decision diagrams is by far the binary
decision diagrams (BDDs) [3], which provide a compact representation for
functions of the form f : B
L
B, for some nite L N. In particular, if the
BDDs are reduced and ordered [3, 4], properties we assume from now on for all
classes of decision diagrams we discuss, they enjoy several important advantages.
Such BDDs are canonical, thus testing for satisability, i.e.,
is there an i B
L
such that f(i) = 1?
or equivalence, i.e.,
given functions f and g, is f(i) = g(i) for all i B
L
?
can be done in constant time, while important binary operations such as con-
junction, disjunction, and relational product (described in detail later) require
time and memory proportional to the product of the size (number of nodes) of
the argument BDDs, in the worst case.
Formally, an L-variable BDD is an acyclic directed edge-labeled graph where
each of its nodes encodes a function of the form f : B
L
B. The nodes of
the graph are assigned to a level, we let p.lvl denote the level of node p. A
non-terminal node at level k, with L k 1, corresponds to a choice for the
value of the boolean variable x
k
, the k
th
argument to the function, while the two
terminal nodes 0 and 1 correspond to the two possible values of the function. A
node p at level k has two edges, labeled with the possible values of x
k
, 0 and
1. The edge labeled 0, or 0-edge, points to node p[0] while the 1-edge point to
node p[1], where both nodes are at levels below k (this is the ordered property:
nodes are found along any path in an order consistent with the order x
L
, ..., x
1
of the argument variables). Also, nodes must be unique (thus, no node can be a
duplicate of another node at the same level, i.e., have have the same 0-child and
the same 1-child) and non-redundant, i.e., p[0] and p[1] must dier (this is the
fully reduced property). A node p at level k encodes the function v
p
: B
L
B
dened recursively by
v
p
(x
L
, ..., x
1
) =

p if k = 0
x
k
v
p[0]
(x
L
, ..., x
1
) x
k
v
p[1]
(x
L
, ..., x
1
) if k > 0.
Thus, given a constant vector i = (i
L
, ..., i
1
) B
L
, we can evaluate v
p
(i) in O(L)
time. Fig. 1 on the left shows an example of BDD and the boolean functions
encoded by its nodes. On the right, the same set of functions are encoded using
a quasi-reduced version of BDDs , where duplicate nodes are not allowed, but
redundant nodes (shown in gray in the gure) may have to be present, since
edges can only span one level. Such BDDs are still canonical, and, while they
may use more nodes, all their edges connect nodes at adjacent levels, resulting
in simpler manipulation algorithms.
Strictly speaking, a BDD encoding a given function f has a specic root p
such that f = v
p
. In practice, BDD algorithms need to manage multiple functions
on the same domain B
L
, and this is done by storing (without duplicates) all the
roots of these functions, as well as the nodes reached by them, in a single BDD,
often referred to as a BDD forest.
2.2 Multi-valued, multi-terminal, and multi-dimensional extensions
Many variants of BDDs have been dened to extend their applicability or to tar-
get specic applications. This section discusses several terminal-valued vari-
ants, that is, decision diagrams where the value of function f evaluated on ar-
gument i is given by the the terminal node reached when following the path
corresponding to i, just as is the case for BDDs.
Multi-valued decision diagrams (MDDs) [24] encode functions of the form

A B, where the domain

A is the cross-product

A = A
L
A
1
of L
nite sets and each A
k
, for Lk 1, is of the form A
k
= 0, 1, ..., n
k
1, for
some n
k
N. Thus, a non-terminal node at level k corresponds to a multi-way
choice for the argument variable x
k
. The top of Fig. 2 shows, on the left, a quasi-
reduced MDD where redundant nodes p with p[0] = = p[n
k
1] are kept and,
on the right, the same MDD in a fully-reduced version, where its long edges
0 1
0 1 2
0 1
0 1 2
0 1 2 3
0 1 2 0 1 2
0 1
0 1 2 0 1 2
0 1 0 1
x
1
x
2
x
3
x
4
0 1
0 1 2 3
0 1 2 0 1 2
0 1 2
0 1
2 0 1
0 1
0 1 2 3
0 1 2 0 1 2
0 1
0 1 2 0 1 2
0 1 0 1
0 1 2
x
1
x
2
x
3
x
4
1
1 2 3
0 1 2 0 1 2
0 1 1 0 1
0 1 2 0
0
2
Fig. 2. Fully-reduced vs. quasi-reduced, full vs. sparse representation of MDDs.
(spanning multiple levels) are shown with thicker lines. The bottom of the same
gure shows, on the left a default-reduced version of the same MDD where only
edges to the default terminal node 0 can span multiple levels (a still canonical
compromise between the fully-reduced and quasi-reduced versions) and, on the
right, its sparse representation where paths leading to node 0 are not shown.
Graphically, this last representation is quite compact, and it also reects quite
closely how MDDs are implemented in the tool S
m
A
r
T [9].
Multi-terminal BDDs (MTBDDs) [21] can encode functions of the form
B
L
R, by attaching arbitrary values from R to the terminal nodes of a bi-
nary decision diagram. The algebraic decision diagrams (ADDs) [1] are ex-
actly analogous, except were dened to encode function on arbitrary ranges, not
just the reals. The multi-terminal multi-valued decision diagrams (MT-
MDDs), an example of which is shown in Fig. 3 on the left in fully-reduced
version and on the right in quasi-reduced version, naturally extend MTBDDs by
additionally allowing multi-way choices at each node.
A function f :

A o can of course also be thought of as an o-valued one-
dimensional vector of size [

A[. Many applications also need to encode functions of

the form

A

A o, or two-dimensional matrices. An obvious way to accomplish

this is to use a BDD, MDD, MTBDD, or MTMDD with twice as many levels. The
traditional notation uses an unprimed x
k
for the rows, or from, variables,
and a primed x

k
for columns, or to variables. Furthermore, the manipulation
0 1
0 1 2
0 1 2 3
0 1 2 0 1 2
0 1 0 1
0 1 2 0 1 2
5 7 8
x
1
x
2
x
3
x
4
0 1 2
0 1 2 3
0 1 2 0 1 2
0 1 0 1
0 1 2 0 1 2
0 1 0 1 0 1
0 1 0 1
0 1 5 7 8
2 2
Fig. 3. Fully-reduced vs. quasi-reduced MTMDD.
algorithms are more easily written, and usually much more ecient, if the levels
are interleaved, that is, the order of the function parameters is (x
L
, x

L
, ..., x
1
, x

1
).
A similar, but more direct, way to encode such matrices is to use a (boolean-
valued) matrix diagrams (MxDs) [13, 27], where a non-terminal node P at
level k, for Lk 1, has n
k
n
k
edges, so that P[i
k
, i

k
] points to the node to
be reached when x
k
= i
k
and x

k
= i

k
. The top left of Fig. 4 shows a 2L-level
MDD, where L = 2, in sparse format. The encoded (3 2)(3 2) matrix has zero
entries in all but seven positions (the rows and columns of the resulting matrix
are indexed by x
2
2 + x
1
and x

2
2 + x

1
, respectively):
0 1 2 3 4 5
0 0 0 0 0 0 0 0 (x
2
= 0, x
1
= 0)
1 0 0 0 0 1 0 1 (x
2
= 0, x
1
= 1)
2 0 0 0 0 0 0 where 2 (x
2
= 1, x
1
= 0)
3 1 1 1 1 0 0 3 (x
2
= 1, x
1
= 1)
4 0 0 1 0 0 0 4 (x
2
= 2, x
1
= 0)
5 0 0 0 1 0 0 5 (x
2
= 2, x
1
= 1)
MxDs, however, where not introduced just to stress the natural interleav-
ing of unprimed and primed variables, but to exploit a much more fundamental
property often present in large asynchronous systems: the large number of iden-
tity patterns. The top right of Fig. 4 show the MxD encoding the same matrix,
and the gray node in it is an example of an identity: its diagonal edges points
to the same node, the terminal node 1 in this case, while its o-diagonal entries
point to node 0. The bottom left of Fig. 4 shows the identity-reduced version of
MxDs which is commonly employed, where long edges signify skipped identity
nodes; on the right is the sparse format representation, which just lists explicitly
the row-column pairs of indices corresponding to non-zero node entries.
2.3 Edge-valued extensions
Further edge-valued variants of decision diagrams have been dened to rep-
resent functions with a non-boolean range, as MTMDDs and ADDs can, but
0 1 2
2
1 0 1
0 1
0 1 1
1
0 1 1
1
x
/
1
x
1
x
/
2
x
2
x
1
x
2
0 1
0
1
2
2
0 1
0
1
0 1
0
1
0 1
0
1
1
0 1
0
1
2
2
0 1
0
1
0 1
0
1
1
x
1
x
2
x
/
1
x
1
x
/
2
x
2
1
1 1
0 1
1
1
0 1 1 2
2 0 1 1
Fig. 4. Representing a boolean matrix with 2L-level MDDs or with MxDs.
in such a way that the value of the function is not found in a terminal node,
but is distributed over the edges found along a path. The manipulation algo-
rithms are generally more complex, but these classes of decision diagrams can
be exponentially more compact than their respective terminal-valued versions.
Edge-valued BDDs (EVBDDs) [26] encode functions of the form B
L
Z,
by having a single terminal node , which carries no value, and associating
integer values to the edges of the diagram. The value of the function is obtained
by adding the values encountered along the path to corresponding the the
functions argument; the result is a possibly exponentially smaller diagram than
with an MTBDD. Nodes are normalized by scaling their edge values so that the
0-edge has an associated value of 0 (this fact can be used to save storage in a
practical implementation, but is also one way to enforce canonicity), and the root
node has a dangling arc whose associated value is summed to the path value
when evaluating the function, thus it is the value of the function being encoded
when the argument is (0, ..., 0). The EVMDD shown in Fig. 5 on the left is
f (0,...,0)
1 2 3 0
0 18 36 54
1 2 0
0 6
1 2 0
0 1 2
1 0
0 3

12
x
1
x
2
x
3
x
4
1 2 3 0
1 0 2 2
1 2 0
3 0
1 0
0
1 2 0
0 1 6
1 0
4 0

min f

x
1
x
2
x
3
x
4
min f
1 2 3 0
1 0 2 2
1 2 0
3 0
1 0
0
1 2 0
0 1 6
1 0
4 0

1 2 0
0 0 0
1 2 0
0 0 0
Fig. 5. EVMDDs, fully-reduced EV
+
MDDs, and quasi-reduced EV
+
MDDs.
the corresponding version with multi-way choices, it encodes f(x
4
, x
3
, x
2
, x
1
) =

Lk1
x
k

k>h1
n
h
, i.e., the value of (x
4
, x
3
, x
2
, x
1
) interpreted as a mixed-
base integer; the same function would require a full tree, thus exponential space,
if encoded with an MTMDD. Formally, the function v
(,p)
:

A Z encoded by
edge (, p), where Z and p is a node at level k, is dened recursively as
v
(,p)
(x
L
, ..., x
1
) =

if k = 0
+ v
p[x
k
]
(x
L
, ..., x
1
) if k > 0.
The positive edge-valued MDDs (EV
+
MDDs) [14] use a dierent normal-
ization rule where all edge values leaving a node are non-negative or (positive)
, but at least one of them is zero, so that the value associated with the dan-
gling edge is the minimum of the function. To ensure canonicity, an edge with
an associated value of can only point to . EV
+
MDDs can encode arbitrary
partial functions of the form

A N . For example, the function encoded
by the EV
+
MDD in the middle of Fig. 5 cannot be encoded by an EVMDD
because f(0, ..., 0) = , but f is not identically . Furthermore, if the dangling
arc of the EV
+
MDD is allowed to be an arbitrary integer, then , arbitrary partial
functions of the form

A Z can be encoded. The EV
+
MDD shown on
the right of Fig. 5 shows the equivalent quasi-reduced version: the condition for a
node to be redundant (as the additional gray nodes in the gure are) is now that
all of its edges point to the same node and have the same associated value, which
must then be 0, given the normalization requirement. In the gure, long edges
with an associated value of can still exist; alternatively, even those could be
required to span only one level through the introduction of further redundant
node, but this would not further simplify the manipulation algorithms.
We already saw boolean MxDs, but, originally, (real-valued) matrix dia-
grams (MxDs) [13, 27] were introduced to overcome some of the applicability
min f
0 1
0
1
2
2
0 1
0
1
0 1
0
1
7
6
2
1 1
1
1

x
1
x
2
min f
0 1
0
1
2
2
0 1
0
1
0 1
0
1
0 1
0
1
7
6
2
1 1
1
1
1
1

x
/
1
x
1
x
/
2
x
2
min f
1 1
0 1
1
1
0 1 1 2
2 0 1 1
1 2 1 7
1 6 1

Fig. 6. Fully-reduced vs. quasi-reduced real-valued MxDs, and sparse representation.

and eciency limitations encountered when using Kronecker algebra [18] to en-
code the transition rate matrix of large structured Markov chains [5, 7, 20]. These
MxDs can encode functions of the form

A
2
R
0
, that is, non-negative matri-
ces, by having a row and column choice at each node and multiplying (instead
of summing, as for EVMDDs) the values encountered along a path to the single
terminal node . Canonicity is enforced by requiring that the minimum non-zero
edge value in each node be 1, so that the value associated to the dangling arc
is, again, the minimum of the function (alternatively, one can require that the
maximum edge value be 1, so that the value associated to the dangling is the
maximum of the function). Fig. 6 on the left shows a two-level MxD; when an
edge value is zero, the edge goes to and is not shown for clarity, while the
semantic of an edge skipping a level is that a redundant node with an iden-
tity pattern is assumed. Thus, in the gure, f(x
2
, x

2
, x
1
, x

1
) is 7 when x
2
= 2,
x

2
= 1, x
1
= x

1
, and it is 0 when x
2
= 2, x

2
= 1, x
1
,= x

1
. The center of the
same gure shows the quasi-reduced version of this MxD, where the only long
edges are those with an associated value of 0, thus are not shown, while the right
shows its sparse representation.
2.4 Decision diagram manipulation algorithms
So far we have discussed static aspects of various classes of decision diagrams,
i.e., we have seen how decision diagrams can compactly encode functions over
large structured domains. However, their time eciency is just as important as
their ability to save memory. Thus, we now turn to dynamic aspects of their
manipulation. Decision diagram algorithms can usually be elegantly expressed
in a recursive style. Two data structures are essential to achieve the desired
eciency. First, a unique table is required to enforce canonicity. This is a hash
table that can be searched based on the level and the pattern of edges (and
values, in the edge-valued case) of a node, to avoid creating duplicate nodes.
Second, an operation cache is used to look up whether a needed result of some
operation on some nodes has been previously computed. Also this is a hash table,
this time searched on the argument nodes unique identier (e.g., their memory
address) and the operation code.
For example, Fig. 7 shows two BDD algorithms. The rst one, Or, computes
the disjunction of its arguments, i.e., given two functions v
a
, v
b
: B
L
B,
encoded by the two nodes a and b, it computes the node r encoding function v
r
satisfying v
r
(i) = v
a
(i) v
b
(i), for all i B
L
. This algorithm assumes that these
function are encoded in a fully-reduced BDD forest, thus, after testing for trivial
cases that can be directly answered without recursion, it must test the level of
a and b and proceed accordingly. Note that checking whether Cache contains
already a result r for the Or of a and b is essential to eciency; without it, the
complexity would be proportional to the number of paths in the BDDs, not to
the number of nodes in them.
The second algorithm in Fig. 7 computes the so-called relational product r of
an L-level BDD x with a 2L-level BDD t, i.e., v
r
(j)=1 i, v
x
(i)=1v
t
(i, j)=1.
Note that, as the BDDs are assumed to be quasi-reduced, the recursion on x and
t proceeds in lockstep, i.e., level k of x is processed with levels k and k

of t to
compute level k (conceptually k

) of the result, thus there is no need to check

for the levels of the nodes, as in the fully-reduced case.
Edge-valued decision diagram algorithms also operate recursively, but the
arguments passed and returned in the recursions are edges, i.e., (value,node)
pairs, rather than just nodes. For example, Fig. 8 shows an algorithm to compute
the EV
+
MDD (, r) encoding the minimum of the function encoded by the two
EV
+
MDDs (, a) and (, b), i.e., v
(,r)
(i) = minv
(,a)
(i), v
(,b)
(i), or, in other
words, +v
(0,r)
(i) = min+v
(0,a)
(i), +v
(0,b)
(i), for all i

A. The notation
p[i].child and p[i].val is used to denote the node pointed by the i
th
edge, and
the associate value, respectively.
Finally, it should be stressed that the eciency of computing f g for some
arbitrary operator when the functions f and g are encoded by edge-valued
decision diagrams depends on the relative properties of both the operator
and the operator used to combine the values along the paths of the deci-
sion diagram. For example, computing the elementwise minimum or sum of two
functions encoded using EV
+
MDDs is quite ecient, but computing their ele-
mentwise product is obviously more dicult.
3 Discrete state models
We now describe the setting for the classes of system analysis we intend to
perform symbolically, using decision diagrams. First we discuss logical analysis,
then Markov analysis.
3.1 Logic system description and analysis
We consider a discrete-state model (

A, A
init
, T ), where

A is a nite set of states,
A
init


A is the set of initial states, and T

A

A is a transition relation. We
bdd Or(bdd a, bdd b) is fully-reduced version
local bdd r, r0, r1;
local level k;
1 if a = 0 or b = 1 then return b;
2 if b = 0 or a = 1 then return a;
3 if a = b then return a;
4 if Cache contains entry ORcode, |a, b : r) then return r;
5 if a.lvl < b.lvl then compare the levels of nodes a and b
6 k b.lvl ;
7 r0 Or(a, b[0]);
8 r1 Or(a, b[1]);
9 else if a.lvl > b.lvl then
10 k a.lvl ;
11 r0 Or(a[0], b);
12 r1 Or(a[1], b);
13 else a.lvl = b.lvl
14 k a.lvl ;
15 r0 Or(a[0], b[0]);
16 r1 Or(a[1], b[1]);
17 r UniqueTableInsert(k, r0, r1);
18 enter ORcode, |a, b : r) in Cache;
19 return r;
bdd RelProd(bdd x, bdd2 t) is quasi-reduced version
local bdd r, r0, r1;
1 if x = 0 or t = 0 then return 0;
2 if x = 1 and t = 1 then return 1;
3 if Cache contains entry RELPRODcode, x, t : r) then return r;
4 r0 Or(RelProd(x[0], t[0][0]), RelProd(x[1], t[1][0]));
5 r1 Or(RelProd(x[0], t[0][1]), RelProd(x[1], t[1][1]));
6 r UniqueTableInsert(x.lvl, r0, r1);
7 enter RELPRODcode, x, t : r) in Cache;
Fig. 7. Examples of recursive algorithms on fully-reduced and quasi-reduced BDDs.
assume the global model state to be of the form (x
L
, ..., x
1
), where, for L k 1,
each local state variable x
k
takes value from a set A
k
= 0, 1, ..., n
k
1, with
n
k
> 0. Thus,

A = A
L
A
1
and we write T (i
L
, ..., i
1
, i

K
, ..., i

1
), or T (i, i

),
if the model can move from the current state i to a next state i

in one step.
The rst step in system analysis is often the computation of the reachable
state space. The goal is to nd the set A
reach
of states reachable from the initial
set of states A
init
according to the transition relation T . Let ii

mean that
state i can reach state i

in one step, i.e., (i, i

) T , which we also write as

i

T (i) with a slight abuse of notation. Then, the reachable state space is
A
reach
= j : d > 0, i
(1)
i
(2)
i
(d)
i
(1)
A
init
j = i
(d)
.
Further logic analysis might involve searching for deadlocks or proving certain
liveness properties. In general, such questions can be expressed in some temporal
evmdd Min(level k, evmdd (, a), evmdd (, b)) is quasi-reduced version
local evmdd (, r), r0, ..., rn
k
1, (

, a

), (

, b

);
1 if = then return (, b);
2 if = then return (, a);
3 min(, );
4 if k = 0 then return (, ); the only node at level 0 is
5 if Cache contains entry MINcode, a, b, : (, r)) then return ( + , r);
6 for i = 0 to n
k
1 do
7 a

a[i].child;
8

+ a[i].val ;
9 b

b[i].child;
10

+ b[i].val ;
11 ri Min(k1, (

, a

), (

, b

)); continue downstream

12 r UniqueTableInsert(k, r0, ..., rn
k
1);
13 enter MINcode, a, b, : (, r)) in Cache;
14 return (, r);
Fig. 8. A recursive algorithms for EV
+
MDDs.
logic. Here, we assume the use of computation tree logic (CTL) [17, 23]. This
requires a Kripke structure, i.e., augmenting our discrete state model with a set
of atomic propositions / and a labeling function L :

A 2
A
giving, for each
state i

A, the set of atomic propositions L(i) / that hold in i. Then, the
syntax of CTL is as follows:
if a /, a is a state formula;
if p and p

are state formulas, p, p p

, and p p

are state formulas;

if p and p

are state formulas, Xp, Fp, Gp, pUp

, pRp

are path formulas;

if q is a path formula, Eq and Aq are state formulas.
The semantic of CTL assigns a set of model states to each state formula
p, thus, CTL operators must occur in pairs: a path quantier, E or A, must
always immediately precede a temporal operator, X, F, G, U, R. For brevity, we
discuss only the semantics of the operator pairs EX, EU, and EG, since these are
complete, meaning that they can be used to express any of the other seven CTL
operators through complementation, conjunction, and disjunction:
AXp = EXp,
EFp = E[true U p],
E[pRq] = A[pUq],
AFp = EGp,
A[p U q] = E[q U p q] EGq,
A[pRq] = E[pUq], and
AGp = EFp,
where true is a predicate that holds in any state.
Let T and Q be the sets of states satisfying two CTL formulas p and q,
respectively. Then, the sets of states satisfying EXp, EpUq, and EGp are:
A
EXp
= i : i

, ii

T,
A
EpUq
= i : d>0, i
(1)
i
(d)
i =i
(1)
i
(d)
Q c, 1c<d, i
(c)
T,
A
EGp
= i : d>0, i
(1)
i
(d)
i =i
(1)
c, 1cd, i
(c)
T.
Fig. 9 shows the pseudocode to compute the set of states satisfying EXp,
EpUq, and EGp, or, more precisely, to label these states, assuming that the
states satisfying the CTL formulas p and q have already been labeled. In other
words, the labels corresponding to the subformulas of a CTL formulas are as-
signed rst; of course, at the innermost level, the labeling corresponding to
atomic propositions is just given by the labeling function L of the Kripke struc-
ture. Unlike state-space generation, these algorithms walk backwards in the
transition relation, thus use the inverse transition relation T
1
instead of T .
3.2 Markov system description and analysis
A discrete-state model or a Kripke structure can be extended by associating
timing information to each state-to-state transition. If the time required for
each transition is an exponentially distributed random variable independently
sampled every time the state is entered and if all the transitions out of each state
are racing concurrently, this denes an underlying continuous-time Markov
chain (CTMC). Formally, a CTMC is a stochastic process X
t
: t R with a
discrete state space A
reach
satisfying the memoryless property, that is:
r 1, t >t
(r)
> >t
(1)
, i, i
(1)
, ..., i
(r)
A
reach
,
PrX
t
= i [ X
t
(r) = i
(r)
, ..., X
t
(1) = i
(1)
= PrX
t
= i [ X
t
(r) = i
(r)
.
We limit our discussion to homogeneous CTMCs, where the above probability
depends on t and t
(r)
only through the dierence t t
(r)
, i.e.,
PrX
t
= i [ X
t
(r) = i
(r)
= PrX
tt
(r) = i [ X
0
= i
(r)
.
Let
t
be the probability vector denoting the probability
t
[i] = PrX
t
= i
of each state i A
reach
at time t 0. A homogeneous CTMC is then described
by its initial probability vector
0
, satisfying

0
[i] > 0 i A
init
and by its transition rate matrix R, dened by
i, j A
reach
, R[i, j] =

0 if i = j
lim
h0
PrX
h
= j[X
0
= i/h if i ,= j
ExplicitBuildEX(p) is
1 . |i .
reach
: p labels(i); initialize . with the states satisfying p
2 while . ,= do
3 pick and remove a state i

from .;
4 for each i T
1
(i

) do state i can transition to state i

5 labels(i) labels(i) |EXp;

ExplicitBuildEU(p, q) is
1 . |i .
reach
: q labels(i); initialize . with the states satisfying q
2 for each i . do
3 labels(i) labels(i) |E[pUq];
4 while . ,= do
5 pick and remove a state i

from .;
6 for each i T
1
(i

) do state i can transition to state i

7 if E[pUq] , labels(i) and p labels(i) then

8 labels(i) labels(i) |E[pUq];
9 . . |i;
ExplicitBuildEG(p) is
1 . |i .
reach
: p labels(i); initialize . with the states satisfying p
2 build the strongly connected components in the subgraph of T induced by .;
3 } |i : i is in one of these strongly connected component;
4 for each i } do
5 labels(i) labels(i) |EGp;
6 while } , = do
7 pick and remove a state i

from };
8 for each i T
1
(i

) do state i can transition to state i

9 if EGp , labels(i) and p labels(i) then

10 labels(i) labels(i) |EGp;
11 } } |i;
Fig. 9. Explicit CTL model checking algorithms.
or its innitesimal generator matrix Q, dened by,
i, j A
reach
, Q[i, j] =

l=i
R[i, l] if i = j
R[i, j] if i ,= j.
The short-term, or transient, behavior of the CTMC is found by computing
the transient probability vector
t
, which is the solution of the ordinary dier-
ential equation d
t
/dt =
t
Q with initial condition
0
, thus it is given by the
matrix exponential expression
t
=
0
e
Qt
. The long-term, or steady-state, be-
havior is found by computing the steady-state probability vector = lim
t

t
;
if the CTMC is irreducible (since we assume that A
reach
is nite, this implies
that A
reach
is a single strongly-connected component), is independent of
0
and is the unique solution of the homogeneous linear system Q = 0 subject to

iX
reach
[i] = 1. The probability vectors and
t
are typically used to eval-
real[n] Jacobi (real[n]
(old)
, h, real[n, n] R) is
local real[n]
(new)
;
1 repeat
2 for j = 1 to [.
reach
[
3
(new)
[j] h[j]
P
i:R[i,j]>0

(old)
[i] R[i, j];
4
(new)

(new)
/(
(new)
1);
5
(old)

(new)
;
6 until converged;
7 return
(new)
;
real[n] GaussSeidel (real[n] , h, real[n, n] R) is
1 repeat
2 for j = 1 to [.
reach
[
3 [j] h[j]
P
i:R[i,j]>0
[i] R[i, j];
4 /( 1);
5 until converged;
6 return ;
real[n] Uniformization(real[n] 0, real[n, n] P, real q, t, natural M) is
local real[n] t;
1 t 0;
2 0;
3 Poisson e
qt
;
4 for k = 1 to M do
5 t t + Poisson;
6 P;
7 Poisson Poisson q t/k;
8 return t;
Fig. 10. Numerical solution algorithms for CTMCs (n = [.
reach
[).
uate expected instantaneous reward measures. For example, a reward function
r : A
reach
R species the rate at which a reward is generated in each state,
and its expected value in steady state is computed as

iX
reach
[i]r(i).
It is also possible to evaluate accumulated reward measures over a time inter-
val [t
1
, t
2
], in either the transient (t
1
< t
2
< ) or the long term (t
1
< t
2
= ).
The numerical algorithms and the issues they raise are similar to those for in-
stantaneous rewards discussed above, thus we omit them for brevity.
In practice, for exact steady-state analysis, the linear systemQ = 0 is solved
using iterative methods such as Jacobi or Gauss-Seidel, since the matrix Q is
typically extremely large and quite sparse. If Q is stored by storing matrix R, in
sparse row-wise or column-wise format, and the diagonal of Q, as a full vector,
the operations required for these iterative solution methods are vector-matrix
multiplications, i.e., vector-column (of a matrix) dot products. In addition to Q,
the solution vector must be stored, and most iterative methods (such as Jacobi)
require one or more auxiliary vectors of the same dimension as , [A
reach
[. For
extremely large CTMCs, these auxiliary vectors may impose excessive memory
requirements.
If matrix R is stored in sparse column-wise format, and vector h contains the
expected holding time for each state, where h[i] = 1/Q[i, i], then the Jacobi
method can be written as in Fig. 10, where
(new)
is an auxiliary vector and
the matrix R is accessed by columns, although the algorithm can be rewritten
to access matrix R by rows instead. The method of Gauss-Seidel, also shown in
Fig. 10, is similar to Jacobi, except the newly computed vector entries are used
immediately; thus only the solution vector is stored, with newly computed
entries overwriting the old ones. The Gauss-Seidel method can also be rewritten
to access R by rows, but this is not straightforward, requires an auxiliary vector,
and adds more computational overhead [19].
For transient analysis, the uniformization method is most often used, as it
is numerically stable and uses straightforward vector-matrix multiplications as
its primary operations (Fig. 10). The idea is to uniformize the CTMC with a
rate q max
iX
reach
[Q[i, i][ and obtain a discrete-time Markov chain with
transition probability matrix P = Q/q + I. The number of iterations M must
be large enough to ensure that

M
k=0
e
qt
(qt)
k
/k! is very close to 1.
4 Putting it all together: structured system analysis
We are now ready to show how the logical and numerical analysis algorithms of
the previous section can be implemented symbolically using appropriate classes
of decision diagrams. Most of these algorithms compute the xpoint of some
functional, i.e., a function transformer, where the xpoint is a function encoded
as a decision diagram.
4.1 Symbolic state space generation
State space generation is one of the simplest examples of symbolic xpoint com-
putation, and arguably the most important one. The reachable state space A
reach
can be characterized as the smallest solution of the xpoint equation
A A
init
T (A).
Algorithm Bfs in Fig. 11 implements exactly this xpoint computation, where
sets and relations are stored using L-level and 2L-level MDDs, respectively, i.e.,
node p encodes the set A
p
having characteristic function v
p
satisfying
v
p
(i
L
, ..., i
1
) = 1 (i
L
, ..., i
1
) A
p
.
The union of sets is simply implemented by applying the Or operator of Fig.
7 to their characteristic functions, and the computation of the states reachable in
one step is implemented by using function RelProd, also from Fig. 7 (of course,
the MDD version of these functions must be employed if MDDs are used instead
of BDDs). Since it performs a breadth-rst symbolic search, algorithm Bfs halts
in exactly as many iterations as the maximum distance of any reachable state
from the initial states.
Many high-level formalisms can be used to implicitly describe the state space
by specifying the initial state or states, thus A
init
, and a rule to generate the
states reachable in one step form each state, thus T . Most formalisms are not
only structured in the sense that they dene the model state through L vari-
ables (x
L
, . . . , x
1
), which is of course required for any symbolic approach, but also
asynchronous, in the sense that they disjunctively partition [8] the transition
relation T according to a set c of events. When T is expressed as T =

eE
T
e
,
it is usually more ecient to deviate from a strict breadth-rst approach. Al-
gorithm BfsChaining in Fig. 11 implements a chaining approach [31] where the
eect of applying each event is immediately accumulated as soon as it is com-
puted. Chaining is based on the observation that the number of symbolic itera-
tions might be reduced if the application of asynchronous events is compounded
sequentially. While the search order is not strictly breadth-rst anymore when
chaining is used, the number of iterations of the repeat loop is at most as large
as for breadth-rst search, and usually much smaller. However, the eciency of
symbolic state-space generation is determined not just by the number of itera-
tions but also by their cost, i.e., by the size of the MDDs involved. In practice,
chaining has been shown to be quite eective in many models, but its eective-
ness can be greatly aected by the order in which events are applied.
Much larger eciency improvements, however, can be usually achieved with
the Saturation algorithm [12, 16]. Saturation is motivated by the observation
that, in many distributed systems, interleaving semantic implies that multiple
events may occur, each exhibiting a strong locality, i.e., aecting only a few state
variables. We associate two sets of state variables with each event e:
1
M
(e)=x
k
: i =(i
L
, ..., i
1
), i

=(i

L
, ..., i

1
), i

T
e
(i) i
k
,=i

k
and
1
D
(e)=x
k
: i =(i
L
, ..., i
1
), j =(j
L
, ..., j
1
), h,=k, i
h
=j
h
T
e
(i),= T
e
(j)=,
the state variables that can be modied by e or that can disable e, respectively.
Then, we let
Top(e) = maxk : x
k
1
M
(e) 1
D
(e)
be the highest state variable, thus MDD level, aected by event e, and we par-
tition the event set c into c
k
= e : Top(e) = k, for L k 1.
Saturation computes multiple lightweight nested xpoints Starting from
the quasi-reduced MDD encoding A
init
, Saturation begins by exhaustively ap-
plying events e c
1
to each node p at level 1, until it is saturated, i.e., until

eE1
T
e
(A
p
) A
p
. Then, it saturates nodes at level 2 by exhaustively applying
to them all the events e c
2
, with the proviso that, if any new node at level 1
is created in the process, it is immediately saturated (by ring the events in c
1
on it). The approach proceeds in bottom-up order, until the events in c
L
have
been applied exhaustively to the topmost node r. At this point, the MDD is
saturated,

eE
T
e
(A
r
) A
r
, and r encodes the reachable state space A
reach
.
Experimentally, Saturation has been shown to be often several orders of
magnitude more ecient than symbolic breadth-rst iterations in both memory
and time, when employed on asynchronous systems. Extensions of the Saturation
algorithm have also been presented, where the size and composition of the local
mdd Bfs(mdd .init) is
local mdd p;
1 p .init;
2 repeat
3 p Or(p, RelProd(p, T ));
4 until p does not change;
5 return p;
mdd BfsChaining(mdd .init) is
local mdd p;
1 p .init;
2 repeat
3 for each e c do
4 p Or(p, RelProd(p, Te));
5 until p does not change;
6 return p;
mdd Saturation(mdd .init) is assumes quasi-reduced MDDs
1 return Saturate(L, .init);
mdd Saturate(level k, mdd p) is
local mdd r, r0, ..., rn
k
1;
1 if p = 0 then return 0;
2 if p = 1 then return 1;
3 if Cache contains entry SATcode, p : r) then return r;
4 for i = to n
k
1 do
5 ri Saturate(k 1, p[i]); rst, be sure that the children are saturated
6 repeat
7 choose e c
k
, i, j .
k
, such that ri ,= 0 and Te[i][j] ,= 0;
8 rj Or(rj, RelProdSat(k 1, ri, Te[i][j]));
9 until r0, ..., rn
k
1 do not change;
10 r UniqueTableInsert(k, r0, ..., rn
k
1);
11 enter SATcode, p : r) in Cache;
12 return r;
mdd RelProdSat(level k, mdd q, mdd2 f) is
local mdd r, r0, ..., rn
k
1;
1 if q = 0 or f = 0 then return 0;
2 if Cache contains entry RELPRODSATcode, q, f : r) then return r;
3 for each i, j .
k
such that q[i] ,= 0 and f[i][j] ,= 0 do
4 rj Or(rj, RelProdSat(k 1, q[i], f[i][j]));
5 r Saturate(k, UniqueTableInsert(k, r0, ..., rn
k
1));
6 enter RELPRODSATcode, q, f : r) in Cache;
7 return r.
Fig. 11. Symbolic breadth-rst, chaining, and Saturation state-space generation.
state spaces A
k
is not known prior to generating the state space; rather, the local
state spaces are built on-the-y alongside the (global) reachable state space
during the symbolic iterations [11, 16].
4.2 Symbolic CTL model checking
Moving now to symbolic CTL model checking, we need MDD-based algorithms
for the EX, EU, and EG operators. The rst requires no xpoint computation,
as it can be computed in one step:
A
EXp
= T
1
(T)
The set of states satisfying EpUq can instead be characterized as the smallest
solution of the xpoint equation
A Q (T T
1
(A)),
while the set of states satisfying EGp can be characterized as the largest solution
of the xpoint equation
A T T
1
(A).
Fig. 12 shows the pseudocode for a breadth-rst-style symbolic implemen-
tation of these three operators. Again, all sets and relations are encoded using
L-level and 2L-level MDDs, respectively. Chaining and Saturation versions of the
symbolic EU algorithm are possible when T is disjunctively partitioned. These
are usually much more ecient in terms of both memory and time [15].
4.3 Symbolic Markov analysis
Approaches that exploit the structured representation of the transition rate ma-
trix R of a CTMC have been in use for over two decades, based on Kronecker
algebra [18]. Formally, such approaches require R to be the submatrix corre-
sponding to the reachable states of a matrix

R R
|
b
X
b
X|
expressed as a sum of
Kronecker products:
R =

R[A
reach
, A
reach
] where

R =

eE

R
e
and

R
e
=

Lk1
R
e,k
.

R
e
is the transition rate matrix due to event e and can be decomposed as
the Kronecker product of L matrices R
e,k
R
|
b
X
b
X|
, each expressing the con-
tribution of the local state x
k
to the rate of event e [20, 30]. Recall that the
Kronecker product of two matrices A R
nrnc
and B R
mrmc
is a matrix
AB R
nrmrncmc
satisfying
i
a
0, ..., n
r
1, j
a
0, ..., n
c
1, i
b
0, ..., m
r
1, j
b
0, ..., m
c
1,
(AB)[i
a
m
r
+ i
b
, j
a
m
c
+ j
b
] = A[i
a
, j
a
] B[i
b
, j
b
].
The algorithms for the numerical solution of CTMCs shown in Fig. 10 essen-
tially perform a sequence of vector-matrix multiplications at their core. Thus,
the ecient computation of y x A or y y+x A, when A, or, rather,

A, is
encoded as a Kronecker product

Lk1
A
k
, has been studied at length [6]. The
mdd SymbolicBuildEX(mdd 1, mdd2 T
1
) is
local mdd .;
1 . RelProd(1, T
1
); perform one backward step in the transition relation
2 return .;
mdd SymbolicBuildEU(mdd 1, mdd Q, mdd2 T
1
) is
local mdd O, ., }, :;
1 . Q; initialize the currently known result with the states satisfying q
2 repeat
3 O .; save the old set of states
4 } RelProd(., T
1
); perform one backward step in the transition relation
5 : And(}, 1); perform set intersection to discard states not satisfying p
6 . Or(:, .); add to the currently known result
7 until O = .;
8 return .;
mdd SymbolicBuildEG(mdd 1, mdd2 T
1
) is
local mdd O, ., };
1 . 1; initialize . with the states satisfying p
2 repeat
3 O .; save the old set of states
4 } RelProd(., T
1
); perform one backward step in the transition relation
5 . And(., });
6 until O = .;
7 return .;
Fig. 12. Symbolic CTL model checking algorithms for the EX, EU, and EG operators.
well-known shue algorithm [18, 20] or other algorithms presented in [6] can be
employed to compute this product, but their eciency stems from two properties
common to all algorithms for decision diagram manipulation. First, the object
being encoded (A, in this case) can be structured into L levels (the matrices
A
k
, in this case). Second, some kind of caching is used to avoid recomputing the
result of operations already performed.
One disadvantage of earlier Kronecker-based approaches for the steady-state
or transient solution of a CTMC was that the probability vector R
|X
reach
|
was actually stored using a possibly much larger probability vector R
|
b
X|
,
to simplify state indexing. Correctness was achieved by ensuring that [i] = 0
for all i

A A
reach
, but the additional computational and, especially, memory
overhead was substantial. Decision diagrams helped rst by providing an e-
cient encoding for state indices. Given the MDD for A
reach


A, an EV
+
MDD
encoding the lexicographic state indexing function :

A N can be
easily built. Its denition is such that (i) is the number of reachable states pre-
ceding i in lexicographic order, if i A
reach
, and is otherwise. This EV
+
MDD
has exactly the same number of nodes and edges as the MDD encoding A
reach
.
For example, Fig. 13 shows a reachable state space A
reach
, the MDD encoding
it, and the EV
+
MDD encoding . To compute the index of a state, sum the
.
reach
=
8
<
:
0 1 1 1 1 1 2 2 2 2 2 3 3 3 3 3 3 3 3
2 0 0 1 1 2 0 0 1 1 2 0 1 2 2 2 2 2 2
, , , , , , , , , , , , , , , , , ,
1 0 1 0 1 1 0 1 0 1 1 1 1 0 0 0 1 1 1
0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 2 0 1 2
9
=
;
.4 = |0, 1, 2, 3
.3 = |0, 1, 2
.2 = |0, 1
.1 = |0, 1, 2
1
1 2 3
0 1 2 0 1 2
0 1 1 0 1
0 1 2 0
0
2
1 2 3
0 1 2 0 1 2
0 1 1 0 1
0 1 2 0
0
2
0 1 6 11
0 1 2 0 2 4
0 1 3
0 3 0 1
0
0
0
0

Fig. 13. Encoding the lexicographic state indexing function using EV

+
MDDs.
values found on the corresponding path: (2, 1, 1, 0) = 6 + 2 + 1 + 0 = 9; if a
state is unreachable, the path is not complete: (0, 2, 0, 0) = 0 + 0 + = .
With this encoding of , the probability vector can be stored in a full array of
size [A
reach
[, instead of [

A[, with little indexing overhead, making the Kronecker

approach much more memory ecient.
However, at their best, the Kronecker algorithms that have been presented
in the literature can barely match the eciency of good decision diagram algo-
rithms. Thus, we limit our discussion to the latter, and, in particular, to MxDs,
which were indeed dened as a more general and ecient alternative to a Kro-
necker encoding. In this context, an MxD can be seen as a generalization of a
Kronecker encoding, as both multiply L elements, corresponding to the L local
states, to obtain an entry of the encoded matrix, and both exploit the likely
occurrence of an identity matrix at any level to avoid useless multiplications
by 1. In addition, MxD can encode arbitrary matrices

R
e
, even those that
are cannot be expressed as a Kronecker product of L local matrices, and can
reect the actual reachability of states. This means that, given the MDD encod-
ing A
reach
and an MxD encoding a matrix

R such that

R[A
reach
, A
reach
] = R,
we can enforce the fact that the entries of

R should be 0 for any unreachable
row i

A A
reach
. Alternatively, these spurious nonzero entries can be dealt
with explicitly, by testing for reachability, when using Gauss-Seidel iterations,
which are best implemented with access-by-column to R (with the Kronecker
approach, only this second explicit ltering of the spurious entries is possible).
real[n] VectorMatrixMult(real[n] x, mxd node A, evmdd node ) is
local natural s; state index in x
local real[n] y;
local sparse real c;
1 s 0;
2 for each j = (jL, ..., j1) .
reach
in lexicographic order do s = (j)
3 c GetCol (L, A, , jL, ..., j1); build column j of A using sparse storage
4 y[s] ElementWiseMult(x, c); x uses full storage, c uses sparse storage
5 s s + 1;
6 return y;
sparse real GetCol (level k, mxd node M, evmdd node , natural j
k
, ..., j1) is
local sparse real c, d;
1 if k = 0 then return [1]; a vector of size one, with its entry set to 1
2 if Cache contains entry COLcode, M, , j
k
, ..., j1 : c) then return c;
3 c 0; initialize the results to all zero entries
4 for each i
k
.
k
such that M[i
k
, j
k
].val ,= 0 and [i
k
].val ,= do
5 d GetCol (k 1, M[i
k
, j
k
].child, [i
k
].child, j
k1
, ..., j1);
6 for each i such that d[i] ,= 0 do
7 c[i + [i
k
].val] c[i + [i
k
].val] + M[i
k
, j
k
].val d[i];
8 enter COLcode, M, , j
k
, ..., j1 : c) in Cache;
9 return c;
Fig. 14. MxD-based vector-matrix multiplication algorithm (n = [.
reach
[).
We now discuss algorithm VectorMatrixMult of Fig. 14, which multiplies a
full real vector x of size [A
reach
[ by the submatrix

A[A
reach
, A
reach
], where

A is
encoded by an MxD rooted at node A. For simplicity, we ignore the value of the
incoming dangling edge, i.e., we assume that = 1. In practice, we could enforce
this assumption by allowing the root node A, and only it, to be unnormalized,
so that its entries are multiplied by . Also for simplicity, we assume that the
MxD is quasi-reduced, thus A.lvl = L. The correctness of this algorithm does
not depend on the absence of spurious entries in

A, since the lexicographic state
indexing function, encoded by an EV
+
MDD with root edge (0, ), is used to
select only the rows corresponding to reachable states.
Algorithm VectorMatrixMult operates by building the column of

A corre-
sponding to each reachable state j. As such column is usually very sparse, it is
stored in a sparse data structure, not as a full array. The key procedure is GetCol
[29], which recursively builds the required column, ltering out entries corre-
sponding to unreachable rows. Once the column c is returned, VectorMatrixMult
can perform an ecient multiplication of x
T
c, by simply examining the nonzero
entries of c and using direct access to the corresponding entries of x. Note that,
since the columns j are built in lexicographic order, the state index s can be
simply incremented for each new column.
The algorithm just presented is considered the current state-of-the-art, but it
nevertheless shares an important limitation with all hybrid approaches (includ-
ing Kronecker-based ones): the vector x, thus the probability vector , uses full
storage, thus requires O([A
reach
[) memory. Sparse storage does not help (since
none of its entries is zero if the CTMC is ergodic) and symbolic storage usu-
ally requires even more memory, since the MTMDD or the EV
+
MDD (or its
multiplicative analogue where edge values are multiplied along the path) end up
being close to a tree with as many leaves as reachable states. Strictly symbolic
approaches where not only R but also is stored using decision diagrams have
been successful so far only when many states share the same probability, usu-
ally a clear indication that the CTMC exhibits strong symmetries, and is thus
lumpable [25].
5 Conclusion and future areas of research
Major advances in our capability of analyzing large and complex systems have
been already achieved through the use of decision diagram techniques. Never-
theless, several research challenges still lie ahead.
Variable ordering heuristics. It is well known that the ordering of the L
state variables can exponentially aect the size of the decision diagrams, thus the
eciency of their manipulation. Unfortunately, nding an optimal variable order
is known to be a hard problem [2], thus, heuristics for either the static ordering
(at the beginning of the analysis, prior to building any decision diagram) or
the dynamic ordering (during the analysis, if the decision diagrams become too
large) of state variables have been proposed with varying degree of success [22].
Most approaches have been targeted at BDDs and breadth-rst iterations.
We have begun considering the special requirements of Saturation and MDDs
in [32, 10], but much more work is required to explore heuristics for arbitrary
classes of decision diagrams and their manipulations.
Strictly symbolic numerical CTMC solution. As mentioned, hybrid solu-
tion approaches for CTMCs are probably as ecient as they can be, at least in a
general setting, i.e., unless the model belongs to a special class whose properties
can be exploited to gain some eciency on a case-by-case basis. A strictly sym-
bolic approach, possibly allowing for a controlled level of approximation, might
then be a very valuable contribution. Along these lines, an approach that uses ex-
act symbolic representations of A
reach
and R but an approximate representation
for has been proposed [28], but much more work is required.
References
1. R. I. Bahar, E. A. Frohm, C. M. Gaona, G. D. Hachtel, E. Macii, A. Pardo, and
F. Somenzi. Algebraic decision diagrams and their applications. Formal Methods
in System Design, 10(2/3):171206, Apr. 1997.
2. B. Bollig and I. Wegener. Improving the variable ordering of OBDDs is NP-
complete. IEEE Trans. Comp., 45(9):9931002, Sept. 1996.
3. R. E. Bryant. Graph-based algorithms for boolean function manipulation. IEEE
Trans. Comp., 35(8):677691, Aug. 1986.
4. R. E. Bryant. Symbolic boolean manipulation with ordered binary-decision dia-
grams. ACM Comp. Surv., 24(3):293318, 1992.
5. P. Buchholz. Structured analysis approaches for large Markov chains. Applied
Numerical Mathematics, 31(4):375404, 1999.
6. P. Buchholz, G. Ciardo, S. Donatelli, and P. Kemper. Complexity of memory-
ecient Kronecker operations with applications to the solution of Markov models.
INFORMS J. Comp., 12(3):203222, 2000.
7. P. Buchholz, J. P. Katoen, P. Kemper, and C. Tepper. Model-checking large struc-
tured Markov chains. J. Logic & Algebraic Progr., 56(1/2):6997, 2003.
8. J. R. Burch, E. M. Clarke, and D. E. Long. Symbolic model checking with parti-
tioned transition relations. In A. Halaas and P.B. Denyer, editors, Int. Conference
on Very Large Scale Integration, pages 4958, Edinburgh, Scotland, Aug. 1991.
IFIP Transactions, North-Holland.
9. G. Ciardo, R. L. Jones, A. S. Miner, and R. Siminiceanu. Logical and stochastic
modeling with SMART. Perf. Eval., 63:578608, 2006.
10. G. Ciardo, G. L uttgen, and A. J. Yu. Improving static variable orders via invari-
ants. In Proc. 28th International Conference on Application and Theory of Petri
nets and Other Models of Concurrency (ICATPN), Siedlce, Poland, June 2007.
Springer-Verlag. To appear.
11. G. Ciardo, R. Marmorstein, and R. Siminiceanu. Saturation unbound. In H. Gar-
avel and J. Hatcli, editors, Proc. Tools and Algorithms for the Construction and
Analysis of Systems (TACAS), LNCS 2619, pages 379393, Warsaw, Poland, Apr.
2003. Springer-Verlag.
12. G. Ciardo, R. Marmorstein, and R. Siminiceanu. The saturation algorithm for
symbolic state space exploration. Software Tools for Technology Transfer, 8(1):4
25, Feb. 2006.
13. G. Ciardo and A. S. Miner. A data structure for the ecient Kronecker solution
of GSPNs. In P. Buchholz, editor, Proc. 8th Int. Workshop on Petri Nets and
Performance Models (PNPM99), pages 2231, Zaragoza, Spain, Sept. 1999. IEEE
Comp. Soc. Press.
14. G. Ciardo and R. Siminiceanu. Using edge-valued decision diagrams for symbolic
generation of shortest paths. In M. D. Aagaard and J. W. OLeary, editors, Proc.
Fourth International Conference on Formal Methods in Computer-Aided Design
(FMCAD), LNCS 2517, pages 256273, Portland, OR, USA, Nov. 2002. Springer-
Verlag.
15. G. Ciardo and R. Siminiceanu. Structural symbolic CTL model checking of asyn-
chronous systems. In W. Hunt, Jr. and F. Somenzi, editors, Computer Aided
Verication (CAV03), LNCS 2725, pages 4053, Boulder, CO, USA, July 2003.
Springer-Verlag.
16. G. Ciardo and A. J. Yu. Saturation-based symbolic reachability analysis using
conjunctive and disjunctive partitioning. In D. Borrione and W. Paul, editors,
Proc. CHARME, LNCS 3725, pages 146161, Saarbr ucken, Germany, Oct. 2005.
Springer-Verlag.
17. E. M. Clarke and E. A. Emerson. Design and synthesis of synchronization skele-
tons using branching time temporal logic. In Proc. IBM Workshop on Logics of
Programs, LNCS 131, pages 5271, London, UK, 1981. Springer-Verlag.
18. M. Davio. Kronecker products and shue algebra. IEEE Trans. Comp., C-30:116
125, Feb. 1981.
19. D. D. Deavours and W. H. Sanders. On-the-y solution techniques for stochastic
Petri nets and extensions. In Proc. 7th Int. Workshop on Petri Nets and Perfor-
mance Models (PNPM97), pages 132141, Saint-Malo, France, June 1997. IEEE
Comp. Soc. Press.
20. P. Fernandes, B. Plateau, and W. J. Stewart. Ecient descriptor-vector multipli-
cation in stochastic automata networks. J. ACM, 45(3):381414, 1998.
21. M. Fujita, P. C. McGeer, , and J. C.-Y. Yang. Multi-terminal binary decision
diagrams: an ecient data structure for matrix representation. Formal Methods in
System Design, 10:149169, 1997.
22. O. Grumberg, S. Livne, and S. Markovitch. Learning to order BDD variables in
verication. J. Art. Int. Res., 18:83116, 2003.
23. K. L. McMillan. Symbolic Model Checking. Kluwer, 1993.
24. T. Kam, T. Villa, R. Brayton, and A. Sangiovanni-Vincentelli. Multi-valued deci-
sion diagrams: theory and applications. Multiple-Valued Logic, 4(12):962, 1998.
25. J. G. Kemeny and J. L. Snell. Finite Markov Chains. D. Van Nostrand-Reinhold,
New York, NY, 1960.
26. Y.-T. Lai and S. Sastry. Edge-valued binary decision diagrams for multi-level hier-
archical verication. In Proceedings of the 29th Conference on Design Automation,
pages 608613, Los Alamitos, CA, USA, June 1992. IEEE Computer Society Press.
27. A. S. Miner. Ecient solution of GSPNs using canonical matrix diagrams. In
R. German and B. Haverkort, editors, Proc. 9th Int. Workshop on Petri Nets and
Performance Models (PNPM01), pages 101110, Aachen, Germany, Sept. 2001.
IEEE Comp. Soc. Press.
28. A. S. Miner, G. Ciardo, and S. Donatelli. Using the exact state space of a Markov
model to compute approximate stationary measures. In J. Kurose and P. Nain,
editors, Proc. ACM SIGMETRICS, pages 207216, Santa Clara, CA, USA, June
2000. ACM Press.
29. A. S. Miner and D. Parker. Symbolic representations and analysis of large state
spaces. In C. Baier, B. R. Haverkort, H. Hermanns, J.-P. Katoen, and M. Siegle,
editors, Validation of Stochastic Systems, LNCS 2925, pages 296338. Springer-
Verlag, 2004.
30. B. Plateau. On the stochastic structure of parallelism and synchronisation models
for distributed algorithms. In Proc. ACM SIGMETRICS, pages 147153, Austin,
TX, USA, May 1985.
31. O. Roig, J. Cortadella, and E. Pastor. Verication of asynchronous circuits by
BDD-based model checking of Petri nets. In G. De Michelis and M. Diaz, editors,
Proc. 16th Int. Conf. on Applications and Theory of Petri Nets, LNCS 935, pages
374391, Turin, Italy, June 1995. Springer-Verlag.
32. R. Siminiceanu and G. Ciardo. New metrics for static variable ordering in decision
diagrams. In H. Hermanns and J. Palsberg, editors, Proc. Tools and Algorithms for
the Construction and Analysis of Systems (TACAS), LNCS 3920, pages 90104,
Vienna, Austria, Mar. 2006. Springer-Verlag.