Log In Sign Up

Iterative Variable Reordering: Taming Huge System Families

by   Clemens Dubslaff, et al.
TU Dresden

For the verification of systems using model-checking techniques, symbolic representations based on binary decision diagrams (BDDs) often help to tackle the well-known state-space explosion problem. Symbolic BDD-based representations have been also shown to be successful for the analysis of families of systems that arise, e.g., through configurable parameters or following the feature-oriented modeling approach. The state space of such system families face an additional exponential blowup in the number of parameters or features. It is well known that the order of variables in ordered BDDs is crucial for the size of the model representation. Especially for automatically generated models from real-world systems, family models might even be not constructible due to bad variable orders. In this paper we describe a technique, called iterative variable reordering, that can enable the construction of large-scale family models. We exemplify feasibility of our approach by means of an aircraft velocity control system with redundancy mechanisms modeled in the input language of the probabilistic model checker PRISM. We show that standard reordering and dynamic reordering techniques fail to construct the family model due to memory and time constraints, respectively, while the new iterative approach succeeds to generate a symbolic family model.


page 1

page 2

page 3

page 4


Symblicit Exploration and Elimination for Probabilistic Model Checking

Binary decision diagrams can compactly represent vast sets of states, mi...

Verifying Reachability Properties in Markov Chains via Incremental Induction

There is a scalability gap between probabilistic and non-probabilistic v...

Towards Symbolic Factual Change in DEL

We extend symbolic model checking for Dynamic Epistemic Logic (DEL) with...

Breaking the Limits of Redundancy Systems Analysis

Redundancy mechanisms such as triple modular redundancy protect safety-c...

Learning to Order BDD Variables in Verification

The size and complexity of software and hardware systems have significan...

Reduction Methods on Probabilistic Control-flow Programs for Reliability Analysis

Modern safety-critical systems are heterogeneous, complex, and highly dy...

Institution-based Encoding and Verification of Simple UML State Machines in CASL/SPASS

This paper provides the first correct semantical representation of UML s...

1 Introduction

Model checking is an automated technique for the verification of systems [10, 6], applied in many areas of system design where reliability and correctness are key. The biggest challenge model checking faces is the well-known state-explosion problem that describes the exponential blow up of states in the number of system variables. One prominent approach to cope with the state-explosion problem in model checking is the use of symbolic methods, such as those based on binary decision diagrams (BDDs) [8, 26]. Such symbolic methods are most viable the more redundant or shared behaviors are present in the system description, as symbolic methods can exploit them towards concise representations. It is hence not surprising that symbolic model-checking techniques also have been successfully applied for the analysis of system families those members share lots of common behaviors. Most prominently, in feature-oriented system analysis [34], a member of the system family is characterized by its basic functionalities by means of features. Features can either be active or inactive, possibly leading to system families those size is exponential in the number of features. In case family members have active features in common, they likely share the behaviors of these features, making symbolic methods effective. Despite for feature-oriented systems, also other kinds of configurable systems can benefit from symbolic methods as one easily faces an exponential blow up in the number of configuration parameters.

There are mainly two approaches to construct and analyze system families. The first, called one-by-one approach, constructs and analyzes the model for each family member separately. Differently, within an all-in-one approach, a single family model is constructed and analyzed in a single run. For system families those members share a lot of common behaviors, all-in-one approaches can benefit from symbolic representations and analysis methods by efficiently representing common parts. This usually leads to better analysis times than for one-by-one approaches [12, 34, 15, 9] or even enables an analysis [22, 16].

In this paper, we focus on all-in-one approaches where the family model is symbolically represented using reduced ordered BDDs. Such BDDs are rooted directed graphs where inner nodes are labeled by variable names, each path obeying a given variable order. It is well known that the size of the BDD significantly depends on the chosen variable order [7, 22]. In real-world applications, models subject to verification are usually automatically generated such that ad-hoc variable orders are likely to provide bigger BDD representation than possible with another variable order or even lead to BDD sizes exceeding memory constraints. Reordering algorithms such as sifting [31, 29] help to find suitable variable orders towards a small symbolic representation but are not applicable when the model cannot be constructed a priori due to insufficient memory. A solution is to dynamically reorder BDD variables [18] during model construction, which however comes at the cost of spending much time on reordering. For system families where the family model cannot be constructed due to bad variable orders and dynamic reordering techniques exceed time constraints, we present a third automated method we call iterative variable reordering. The basic idea is to construct parts of the system family, apply variable-reordering techniques towards smaller BDD representations, and then successively add family members until a suitable variable order for the whole family model is found. In this way, the shared behaviors between family members are step-wise incorporated into the symbolic representation. We first used this idea in [16] to enable the construction of a family model of aircraft velocity control loops given in the input language of the prominent probabilistic model checker Prism [23]. The model of [16] was automatically generated from Simulink code [2] using SimPars [28], initially not constructible using the symbolic engine of Prism based on multi-terminal BDDs [11, 19, 4]. Starting with the most basic variant of the aircraft velocity control loop, we step-wise added system variants and applied automated variable reordering capabilities presented in [22] to obtain a suitable variable order such that the whole family model could be constructed. While [16] focused on enabling a reliability analysis of the aircraft velocity control loop, we approach iterative variable reordering in a generic fashion in this paper and present an automated variant of the ad-hoc and handcrafted concepts of [16]. Specifically, our contribution is as follows:

  • we formally specify iterative variable reordering along with heuristics,

  • present an implementation of the algorithm that enables the automated application of iterative variable reordering on Prism family models, and

  • evaluate the approach on an even bigger instance of the velocity control loop model from [16], showing the effectiveness of our implementation.

To the best of our knowledge, we are the first who present a variable reordering technique that is specifically tailored for family models.


In Section 2, we provide foundations on abstract programs that formalize our models, revisit BDDs and variable reordering as well as Prism programs. The generic algorithm of iterative variable reordering is subject of Section 3. In Section 4 we briefly recall redundancy systems and the aircraft velocity control loop model we introduced in [16] which we will use in Section 5 as example for evaluating our implementation. We close the paper with some concluding remarks in Section 6.

2 Foundations

For a given set we denote by its power set, i.e., the set of all subsets of . We call a total order on a finite set an ordered domain. For a finite set of variables we assign to each variable an ordered domain from a set by a function . A variable evaluation over w.r.t. is a function that assigns to each variable a value . We denote by the set of variable evaluations over w.r.t. . In the following, we assume the function to be fixed for a given set of variables and briefly write, e.g., for the set of evaluations over .

We consider programs where is the finite set of variables on which the program is defined, is a set of commands, and is an expression specifying a set of initial variable evaluations that we denote by . Sometimes we use sloppy notations and replace by a single evaluation to represent the initial variable evaluation explicitly. Intuitively, a program defines a state-based semantics where states are variable evaluations in and commands specify how to switch to from one variable evaluation to another. Every program specifies a family of systems through the initial variable evaluations, i.e., we interpret each initial variable evaluation as entry point for a system variant. This kind of interpretation is backed by well-known concepts from feature-oriented and family-based system modeling and analysis [12, 34, 15, 9].

We intentionally defined programs in a rather abstract way, as the concepts presented in this paper are applicable to a wide range of system families described by various specification formalisms. Thus, we also leave out to specify a concrete semantics of programs.

2.1 Symbolic Representations Through Binary Decision Diagrams

Binary decision diagrams (BDDs) [24, 3] were mainly developed as a universal data structure for Boolean functions, i.e., a BDD over a set of Boolean variables describes a function that maps a set of variables assumed to be true to either true or false. Technically, a BDD over is a graph that is rooted, directed, and acyclic and where each node is either terminal and represents a result, i.e., either true or false, or it is a decision node. Each decision node is labeled by a Boolean variable from and has exactly two successor nodes: the -successor node, which stands for assigning false to the respective Boolean variable, and the -successor node, standing for a true assignment, respectively. We refer to the number of nodes in a BDD as size, denoted by

. In the context of model checking, BDDs are used to represent the characteristic function of the transition relation for state-based models.

Reduced Ordered BDDs.

An ordered BDD [7] is a BDD over a total order on Boolean variables where along all paths from the root to a terminal node the order is respected. The graph structure of an ordered BDD for a Boolean function

arises from a binary decision tree for

using the given variable ordering. By merging isomorphic subgraphs, eliminating terminal nodes with the same value, and removing any node whose two successors are isomorphic we obtain reduced ordered BDDs, which we simply abbreviate as BDDs in the following. In such BDDs, every two nodes represent different Boolean functions. Removing redundancies from a decision tree reveals the potential of BDDs for compactly representing Boolean functions. When BDDs are used to represent family models such as programs defined above, behavior shared between family members could lead to concise BDD representations and analysis of the family. For further details on BDDs, we refer to standard textbooks such as [32, 35].

Variable Reordering.

The size of a BDD crucially depends on the given variable ordering [7]. In fact, there are Boolean functions that can be represented by BDDs of linear and exponential size depending on the chosen variable order. Reordering algorithms such as sifting [31, 29], can be applied to improve the size BDD for a given Boolean function. In case BDDs are used as a representation for state-based models, reordering techniques are applied when the model is constructed. However, when the constructed model is used for BDD-based verification, dynamic reordering during the verification process can also be applied, possibly avoiding bad variable orders in those BDDs that represent intermediate results. A good heuristic for variable orderings is to first decide variables which are “most-influential”, i.e., changed at the beginning of an execution of the modeled system and influence the systems behavior significantly [25].

BDDs over Program Variables.

In our setting, we use BDDs as representation for state-based models of programs, which are defined on possibly non-Boolean variables. However, every element of a finite domain can be represented by a bit vector. Given a finite domain

, we enumerate the domain by a function . Then for an element we use the bit representation of with length , i.e., introduce fresh Boolean variables to represent elements of the domain . In this way, the interpretation of BDDs on Boolean variables can easily be lifted to BDDs over variables of programs. We hence might refer to variables and functions in this general meaning rather than referring to Boolean variables and Boolean functions only. When reordering program variables, we assume that the bit-wise order of the variables is maintained (i.e., bits are not exploded, see [22]).

2.2 Prism Programs

We introduced programs in a generic fashion as tuples . For our case study, we rely on an instance of such programs given by the input language of the probabilistic model checker Prism [23]. In Prism, variables of are assigned to bounded intervals of integers with the standard total order on integers as ordered domain. Possible transitions between states, i.e., variable evaluations, are given by guarded commands [14] collected in . A command has the form

Here, guard is a Boolean expression over arithmetic constraints on variable evaluations, e.g., for is fulfilled in every state where variable x has value 1 and y has a value from the domain of y that is smaller or equal than 5. In case the guard evaluates to true in some state, the command is enabled, leading to a transition into a successor state by updating variables according to updates. An update describes how variables change depending on the current variable evaluation, e.g., x’=1+y changes the value of x to the increment of the value of y. Each update updatei

is chosen with probability

pi for . That is, in every state fulfilling guard the evaluations of the expressions p1, p2, …, pn

constitute a probability distribution, i.e., must sum up to 1.


programs describe stochastic state-based models such as Markov decision processes (MDPs) or discrete Markov chains (DTMCs). For further details on such models, we refer to standard textbooks such as

[30, 6].

Family Models in Prism.

In Prism, initial variable evaluations describe the entry points for system variants in families, specified through a guard encapsulated in an init block. Guards are, as for commands, Boolean expressions over arithmetic constraints on variable evaluations. All variable evaluations that fulfill the guard in the init block will be considered as initial states. For instance, when considering variables with domains and , the following init block specifies two initial states and where , , and :

The described family model would have two members, one system starting in and one starting in . In this paper, we also consider init blocks in conjunctive normal form (CNF) over single variable evaluations. The above block could, e.g., be represented in CNF by

Variable Ordering in Prism.

For its symbolic engines, Prism uses algorithms that rely on Multi-terminal binary decision diagrams [11, 19, 4] (MTBDDs). MTBDDs extend BDDs by allowing for terminal nodes with real values rather than true and false. In Prism they are used as data structure for representing the transition probability matrix of stochastic models. To this end, the performance and memory consumption of an analysis by Prism crucially depends on the variable order inside the MTBDD that represents the model. In Prism, the variable order coincides with the order of variable declarations in the program, enabling reordering methods directly on the source-code level111Recall that we considered commands to be unordered in general programs. We hence always provide a variable order explicitly for Prism programs.. For family models in Prism, [15] showed that a suitable variable order could significantly improve the analysis speed using a hand-crafted approach for tuning variable orders. In [22] automated reordering techniques for Prism models have been presented, also showing that the size of the symbolic representation of the feature-oriented family model of [15] could be reduced even further and yield analysis speed ups.

3 Iterative Variable Reordering

For this section, let us fix a program on which we explain our approach of iterative variable reordering. We assume to denote the state-based semantics of the program . Furthermore, we assume that there is a uniquely defined symbolic representation of that depends on a variable order , i.e., a total order on the set of variables the program is defined on. For instance, when is a Prism program, could be the MTBDD representation of the program’s semantics in terms of an MDP or DTMC w.r.t. the variable order .

Recall that the purpose of our reordering approach is to enable the construction of a symbolic representation of system families that are not completely constructible ad-hoc from a given . In this paper, “constructability” is understood with respect to given memory and time constraints. The presented method can be only effective in case there is a variable order such that the complete family model is constructible. Note that even though, our presented method does not ensure to yield a constructible family model representation . This is mainly due to intermediate model representations that might be not constructible.

As prerequisites to our presented method, we rely on the following assumptions:

  1. We have given an initial variable evaluation and a variable ordering where is constructible.

  2. We have a reordering method that accepts a symbolic representation of a program and a variable order and returns a variable order such that .

The above assumptions intuitively provide a base for the iteration (1) and a method to iterate (2).

We specify iterative variable reordering as pseudo code in Algorithm 1, where for some evaluation domain we define its representation as conjunctive normal form (CNF) by

Choosing the CNF representing is a design decision that could be replaced by any other equivalent representation by Boolean expressions over arithmetic constraints on variables and domains.

input : Program ; variable order and initial variable evaluation as in assumption (1)
output : Variable order
1 Construct forall  do
3while  do
4       Pick the -minimal where Construct
Algorithm 1 Iterative variable reordering

The algorithm is instantiated with the initial variable order and initial evaluation from which we know by assumption (1) that the symbolic representation is constructible. The actual construction is performed in line 1, directly followed by a reordering step to initialize the variable order (line 2). Then, the evaluation domain based on is specified in line 4, while in line 5 the goal evaluation domain provides the sets of all values a variable can evaluate to in an initial variable evaluation of . The algorithm then iteratively adds values for variables to the evaluation domain that are used in an initial variable evaluation of until the goal evaluation domain is reached (line 6-10). This is done by always selecting as the variable that is minimal w.r.t. . After constructing , i.e., the symbolic representation of the program with the additional option evaluating , the symbolic representation is reordered using and is updated to a new variable order for which

due to assumption (2). The algorithm terminates always in case the intermediate symbolic representations could be constructed (see line 9) as is strictly increasing, is finite, and in each iteration step and for all we have as an invariant.

3.1 Optimization Heuristics

The basic iterative variable reordering algorithm provided by Algorithm 1 can be extended by various optimization heuristics. Such heuristics could enable or fasten the process of finding a suitable variable reorder that allows for the construction of . We focus here on the following variations:

Step size:

For a given integer called step size, we repeat line 7 and 8 times, i.e., increase the evaluation domain by elements.

-min/max selection:

In line 7, we choose the -minimal or -maximal instead the -minimal.

The ratio behind the step-size heuristics is that programs with many variables might waste a lot of time with reordering while adding more family members in one iteration while they could also provide a suitable variable order where the symbolic representation is already constructible. The two latter heuristics provide a form of adaptivity to the selection of variables. For instance, when already has most influential variables at the beginning of the order, adding family members for influential variables could lead to symbolic representations not constructible anymore or, the other way around, less influential variables in front of the variable order could only lead to small changes in the reordered order. Adding variants to variables usually increases their influence on the operational behavior. It is likely that then, this variable appears more in front of the reorder, following the rule of “most influential” variables [25] in case for BDDs as symbolic representation. Choosing -maximal variables adds variants to those variables that are not as influential, somehow balancing their effect on the size of the symbolic representation.

4 Redundancy System Models

To support our implementation and evaluation of the iterative variable reordering, this section is devoted to a brief summary of the approach of [16] and the models investigated in this paper.

Redundancy systems are systems where components might be replicated to increase fault tolerance of the overall system. For instance, some component could be protected by triplicating the component and process the replicas’ results through a majority voting mechanism towards a single output, implementing the well-known triple modular redundancy (TMR) principle. Analyzing each instance of the redundancy system easily becomes infeasible as the number of possible protection combinations grows exponentially in the number of protectable components. In [16] we proposed to use family-based approaches for the analysis of redundancy systems, motivated by the fact that introducing redundancies in components also introduces common behaviors. Such common behaviors are likely to be concisely representable using symbolic techniques. We illustrated the benefits of our approach by a reliability analysis of redundancy systems modeled in Simulink [33], a widely used framework for model-based system design. A Simulink design comprises blocks that describe the behavior of the system, connected by arrows standing for control and data flow. An example of a Simulink design is provided in Figure 1, borrowed from the Simulink example set [2].

Figure 1: The Simulink aircraft velocity control loop (VCL) model

4.1 Simulink Models with Redundancy

To introduce redundancy mechanisms into Simulink models, we consider syntactic transformation rules that describe how to obtain protected blocks from non-protected ones. In this paper, we consider the following redundancy mechanisms [16]:


The block is duplicated and both outputs are compared. In case their output differs a dedicated failure state is reached. Otherwise, the output is the one of both blocks.


Following the principle of triple modular redundancy principle, the block is triplicated and the output is based on a majority decision.

For Simulink models with protection mechanisms, we introduced a discrete Markov chain (DTMC) family semantics [16] that can be automatically generated using OpenErrorPro [27]. The general workflow of our approach towards a DTMC family out from Simulink models is depicted in Figure 2.

Figure 2: Schema of the approach to obtain DTMC families from annotated Simulink models [16]

First, blocks in the Simulink model are annotated with the types of protections that should be considered, e.g., comparison or voting. In Figure 2, we annotated voting protections for the P and D block (indicated by shaded blocks). Then, the annotated model is transformed to a Simulink model that includes redundancies by replacing every block where protection should be taken into account with a switch block that depends on a fresh switch variable, followed by the actual blocks for the redundancy mechanisms. The role of the switch variable is to select the redundancy mechanism, directing the control flow, e.g., to the triplicated blocks in case of the voting mechanism. The Simulink model with redundancy stands for a family of models with different protection combinations. An error model furthermore assigns to each Simulink block the probability for some fault occurring in this block, introducing stochastics into the model required for a reliability analysis. In [16] we presented a DTMC family semantics as Prism family model generated using the tools SimPars [28] and OpenErrorPro [27]. For this, we employed a meta-model representation as Dual-graph Error Propagation Model (DEPM) [27] (see also Figure 2).

4.2 The Velocity Control Loop Model

We illustrate our approach of iterative variable reordering described in Section 3 on a Prism program that stems from an aircraft velocity control loop (VCL) with redundancies described in [16]. Our model is a simplified version of the aircraft model borrowed from the Simulink example set [2] that itself is based on a long-haul passenger aircraft flying at cruising altitude and speed, adjusting the fuel flow rate to control the aircraft velocity. Figure 1 shows the Simulink model where all blocks are amendable for protection mechanisms. In [16] we applied three different kinds of redundancy mechanisms on eight of these blocks, leading a Prism DTMC family model with family members, each member standing for one protection combination. The Prism family model generated by OpenErrorPro [27] could not immediately be constructed by Prism’s symbolic engine. We hence had to apply two (handcrafted) optimizations to enable a reliability analysis of the VCL redundancy system: reset value optimization [20, 17] and iterative variable reordering. While reset value optimization speeded up the analysis time, iterative variable reordering was the technique that enabled the construction of the model.

In this paper, we use a variant of the VCL model of [16] as starting point where neither reset value optimization nor hand-crafted iterative variable reordering has been applied to and where 13 blocks could be protected with either voting or comparison mechanisms.

5 Implementation and Evaluation

In this section, we report on an implementation of the iterative variable reordering for family models expressed in the input language of Prism that follows Algorithm 1 and includes the optimization heuristics detailed in Section 3.

5.1 Implementation

Our implementation is done in Python and takes as input a Prism family model, a parameter specifying the variable selection heuristics (-minimal, -minimal, or -maximal), and the step size of the iteration. The advantage of the heuristics is that the construction of the model can be parallelized trying different heuristics on multi-core systems to eventually obtain a suitable variable order that renders the whole system family to be constructible even when some heuristics are slow or not successful.


Prism provides a faster model construction for non-family models, i.e., models without an init block, than for family models as evaluating the init-block expression relies on SAT solving, an NP-complete problem [21]. Hence, we implemented the initial construction step in line 1 of Algorithm 1 for a model representation without init block. For later constructions (line 9 of Algorithm 1) generated an init block for as indicated.

5.2 Evaluation

We evaluated our implementation on the Prism DTMC family generated from a Simulink VCL redundancy model (see Section 4) where 13 blocks are marked as protectable by comparison or voting mechanisms. Thus, we applied iterative variable reordering on a family model with protection variants, more than 24 times the number of protections considered in [16]. Note that we did not apply reset value optimization [20, 17] as in [16]. All experiments are carried out on a Linux server system2222 Intel Xeon E5-2680 (Octa Core, Sandy Bridge) running at 2.70 GHz with 384 GB of RAM; Turbo Boost and Hyper Threading disabled; Debian GNU/Linux 9.1. with a memory bound of 30 GB of RAM, running the Prism version presented in [22].

Heuristic Comparison.

First, we evaluate the different heuristics implemented. Table 1 shows the situation of the implementation as snapshot after 20 minutes.

variable selection step size iteration combinations states nodes
-minimal 1 22 177 147 8.67 97 386
2 12 531 441 6.19 130 321
3 7 118 098 6.29 101 766
4 5 59 049 1.25 88 054
-minimal 1 22 177 147 8.67 97 386
2 12 531 441 7.37 153 189
3 7 118 098 8.17 138 287
4 5 59 049 1.19 163 882
-maximal 1 12 4 096 9.47 126 338
2 10 59 049 6.83 139 991
3 5 7 776 1.25 251 944
4 5 59 049 9.71 225 711
Table 1: Performance of the heuristics within 20 minutes

As expected, the higher the step size, the less iterations could be performed by the iterative variable reordering. On our model, -minimal and -minimal selection heuristics perform best with step size 2. For both heuristics, the complete family model with its protection variants was constructed within half an hour. It is not surprising that step size 2 is a good choice as we considered two redundancy mechanisms for each block, i.e., in each step all redundancies for each block contribute to the family model at once.

Iteration Statistics.

For step size of 2 and using -minimal variable selection, we detail the statistics of every iteration until the whole family model has been constructed in Table 2. We shaded the iteration that was reached after 45 minutes of computation time (cf. the shaded row in Table 1).

#nodes time [s]
iteration combinations states before after model reorder
0 1 113 891 24 816 23 359 7.40 2.67
1 3 347 401 24 576 23 329 7.81 2.87
2 9 1.06 24 545 23 319 7.36 2.93
3 27 3.93 48 413 33 647 8.48 4.76
4 81 1.19 35 185 33 664 8.30 4.55
5 243 4.05 52 497 40 431 9.18 6.12
6 729 1.54 69 535 48 888 13.76 8.07
7 2 187 6.65 94 022 55 835 23.57 11.00
8 6 561 3.00 73 242 62 636 28.55 9.75
9 19 683 1.85 132 279 76 518 73.55 18.14
10 59 049 1.25 95 740 79 420 76.40 14.63
11 177 147 8.67 120 565 97 386 155.03 19.08
12 531 441 6.19 205 962 130 321 360.38 33.37
13 1 594 323 4.87 256 662 160 798 723.02 41.08
1 502.80 179.00
Table 2: Step-wise statistics of -maximal

In the column combinations, the family size of the intermediate family is listed. Column #nodes shows the number of MTBDD-nodes used to represent that family model before applying reordering (cf. line 10 of Algorithm 1) and thereafter. The last row indicates the time required to construct the model (cf. line 9 of Algorithm 1) and to perform reordering (cf. line 10 of Algorithm 1).

Alternative Approaches.

Clearly, there are alternative methods that could be used to enable an analysis of large-scale system families when the family model cannot be constructed in an ad-hoc fashion. The first is to switch from an all-in-one approach to a one-by-one approach, i.e., analyzing every family member in isolation. However, even the smallest family member (see Table 2, first iteration) required more than 7 seconds for the construction of the model. One could hence expect at least seconds of construction time for all family members, which would correspond to more than one year of construction time on our test system. Second, one could apply dynamic reordering techniques as implemented in the probabilistic model checker Storm [13]. With this method, the variable order on the MTBDD is dynamically changed during the model-construction process. However, even with smaller families, e.g., the VCL family model from [16] where only 8 protectable blocks were considered, model construction did not finish within days. We hence conclude that, at least for the VCL family models we generated, iterative variable reordering is the only technique we considered and yielded a successful model construction.

6 Concluding Remarks

In this paper we presented iterative variable reordering as a generic method to cope with the problem of constructing family models of huge system families. While our implementation supports models specified in the input language of the probabilistic model checker Prism, the formally defined algorithm is applicable to a wide range of analysis tools that use variable-order sensitive symbolic representations for their models and support some kind of reordering mechanism. For instance, the verification of large feature-oriented system families according to [12] those verification is based on the BDD engine of NuSMV also could benefit from our approach. By supporting system families given as Prism programs, our implementation can be directly applied on feature-oriented systems specified in ProFeat [9]. Our methods could be also viable for family-based parameter synthesis [5]. Experiments on such system families are left for future work.


We would like to thank Joachim Klein who extended Storm with support for family models, used to validate that dynamic reordering techniques are not viable for the VCL example.


  • [1]
  • [2] Verify Model Using Simulink Control Design and Simulink Verification Blocks (accessed 19/02/2019).
  • [3] S. B. Akers (1978): Binary Decision Diagrams. IEEE Transactions Computers 27(6), pp. 509–516, doi:
  • [4] R. I. Bahar, E. A. Frohm, C. M. Gaona, G. D. Hachtel, E. Macii, A. Pardo & F. Somenzi (1997): Algebraic Decision Diagrams and Their Applications. Formal Methods in System Design 10(2/3), pp. 171–206, doi:
  • [5] C. Baier & C. Dubslaff (2018): From Verification to Synthesis under Cost-Utility Constraints. ACM SIGLOG News 5(4), pp. 26–46, doi:
  • [6] C. Baier & J.-P. Katoen (2008): Principles of Model Checking. MIT Press.
  • [7] R. E. Bryant (1986): Graph-Based Algorithms for Boolean Function Manipulation. IEEE Transactions on Computers 35, pp. 677–691, doi:
  • [8] J. R. Burch, E. M. Clarke, K. L. McMillan, D. L. Dill & L. J. Hwang (1992): Symbolic Model Checking: 10 States and Beyond. Inform. and Comp. 98(2), pp. 142–170, doi:
  • [9] P. Chrszon, C. Dubslaff, S. Klüppelholz & C. Baier (2018): ProFeat: feature-oriented engineering for family-based probabilistic model checking. Formal Aspects of Computing 30(1), pp. 45–75, doi:
  • [10] E. Clarke, O. Grumberg & D. Peled (2000): Model Checking. MIT Press.
  • [11] E. M. Clarke, M. Fujita, P. C. McGeers, K. L. McMillan, J. C.-Y. Yang & X.-J. Zhao (1993): Multi-terminal binary decision diagrams: An efficient data structure for matrix representation. In: Proc. International Workshop on Logic & Synthesis, doi:
  • [12] A. Classen, P. Heymans, P.-Y. Schobbens & A. Legay (2011): Symbolic model checking of software product lines. In: Proceedings of the 33rd International Conference on Software Engineering, ICSE 2011, Waikiki, Honolulu , HI, USA, May 21-28, 2011, pp. 321–330, doi:
  • [13] C. Dehnert, S. Junges, J.-P. Katoen & M. Volk (2017): A Storm is Coming: A Modern Probabilistic Model Checker. In: 29th Int. Conf. on Computer Aided Verification (CAV), LNCS 10427, Springer, pp. 592–600, doi:
  • [14] E. W. Dijkstra (1975): Guarded Commands, Nondeterminacy and Formal Derivation of Programs. Commun. ACM 18(8), pp. 453–457, doi:
  • [15] C. Dubslaff, C. Baier & S. Klüppelholz (2015): Probabilistic Model Checking for Feature-Oriented Systems. Transactions on Aspect-Oriented Software Development 12, pp. 180–220, doi:
  • [16] C. Dubslaff, K. Ding, A. Morozov, C. Baier & K. Janschek (2019): Breaking the Limits of Redundancy Systems Analysis. In: Proceedings of the 29th European Safety and Reliability Conference, Research Publishing, Singapore, pp. 2317–2325, doi:
  • [17] C. Dubslaff, A. Morozov, C. Baier & K. Janschek (2020): Reduction Methods on Probabilistic Control-flow Programs for Reliability Analysis. CoRR abs/2004.06637. Available at
  • [18] E. Felt, G. York, R. Brayton & A. Sangiovanni-Vincentelli (1993): Dynamic variable reordering for BDD minimization. In: Proceedings of EURO-DAC 93 and EURO-VHDL 93- European Design Automation Conference, pp. 130–135, doi:
  • [19] M. Fujita, P.C. McGeer & J.C.-Y. Yang (1997): Multi-Terminal Binary Decision Diagrams: An Efficient Data Structure for Matrix Representation. Formal Methods in System Design 10(2-3), pp. 149–169, doi:
  • [20] H. Garavel & W. Serwe (2006): State space reduction for process algebra specifications. Theoretical Computer Science 351(2), pp. 131 – 145, doi: Algebraic Methodology and Software Technology.
  • [21] M. R. Garey & D. S. Johnson (1979): Computers and Intractability: A Guide to the Theory of NP-Completeness. W. H. Freeman & Company.
  • [22] J. Klein, C. Baier, P. Chrszon, M. Daum, C. Dubslaff, S. Klüppelholz, S. Märcker & D. Müller (2018):

    Advances in probabilistic model checking with PRISM: variable reordering, quantiles and weak deterministic Büchi automata

    Intern. Journal on Software Tools for Technology Transfer 20(2), pp. 179–194, doi:
  • [23] M. Kwiatkowska, G. Norman & D. Parker (2011): PRISM 4.0: Verification of Probabilistic Real-time Systems. In G. Gopalakrishnan & S. Qadeer, editors: Proc. 23rd International Conference on Computer Aided Verification (CAV’11), LNCS 6806, Springer, pp. 585–591, doi:
  • [24] C. Y. Lee (1959): Representation of Switching Circuits by Binary-Decision Programs. Bell System Technical Journal 38(4), pp. 985–999, doi:
  • [25] S. Malik, A.R. Wang, R.K. Brayton & A. Sangiovanni-Vincentelli (1988): Logic verification using binary decision diagrams in a logic synthesis environment. In: Computer-Aided Design, 1988. ICCAD-88. Digest of Technical Papers., IEEE International Conference on, pp. 6–9, doi:
  • [26] K. L. McMillan (1993): Symbolic Model Checking. Kluwer, doi:
  • [27] A. Morozov, K. Ding, M. Steurer & K. Janschek (2019): OpenErrorPro: A New Tool for Stochastic Model-Based Reliability and Resilience Analysis. In: 30th IEEE International Symposium on Software Reliability Engineering, ISSRE 2019, Berlin, Germany, October 28-31, 2019, pp. 303–312, doi:
  • [28] A. Morozov, K. Janschek, T. Krüger & A. Schiele (2016): Stochastic Error Propagation Analysis of Model-Driven Space Robotic Software Implemented in Simulink. In: Proceedings of the 3rd Workshop on Model-Driven Robot Software Engineering, MORSE ’16, Association for Computing Machinery, New York, NY, USA, pp. 24–31, doi:
  • [29] S. Panda & F. Somenzi (1995): Who Are the Variables in Your Neighborhood. In: Proc. Computer-Aided Design (ICCAD’95), IEEE, pp. 74–77, doi:
  • [30] M. L. Puterman (1994): Markov Decision Processes. Wiley, doi:
  • [31] R. Rudell (1993): Dynamic variable ordering for ordered binary decision diagrams. In: IEEE/ACM International Conference on Computer-Aided Design (ICCAD-93)., pp. 42–47, doi:
  • [32] F. Somenzi (1999): Binary Decision Diagrams. In: Calculational System Design, volume 173 of NATO Science Series F: Computer and Systems Sciences, IOS Press, pp. 303–366.
  • [33] The MathWorks Inc. (2018): MATLAB and Statistics Toolbox Release 2018b. Natick, Massachusetts, United States.
  • [34] T. Thüm, S. Apel, C. Kästner, I. Schaefer & G. Saake (2014): A Classification and Survey of Analysis Strategies for Software Product Lines. ACM Comput. Surv. 47, pp. 1–45, doi:
  • [35] I. Wegener (2000): Branching Programs and Binary Decision Diagrams: Theory and Applications. Monographs on Discrete Mathematics and Applications. SIAM, doi: