Questions: Model Checking

Concurrent systems have astronomically many possible thread interleavings. Testing randomly samples a few interleavings per test run, easily missing rare race conditions. Model checking exhaustively explores every reachable state under every possible interleaving, providing a mathematical guarantee that the property holds or producing a concrete counterexample. The tradeoff is that the model must be finite-state and small enough to explore, which requires abstracting away implementation details.

Answer: True

If component A has n states and component B has m states, their composition has up to n * m states. With k components of n states each, the system has up to n^k states. A protocol with 10 processes each having 100 states has up to 100^10 = 10^20 reachable states — far beyond what explicit enumeration can handle. This exponential blowup is the central challenge in model checking and has motivated decades of research into symbolic methods (BDDs), abstraction (CEGAR), and partial-order reduction.

In practice, the most common outcome of early model checking attempts is finding bugs, not confirming correctness. The counterexamples are step-by-step traces that engineers can replay and analyze, unlike the abstract 'assertion violated' messages from testing. Clarke, Emerson, and Sifakis received the 2007 Turing Award for model checking largely because counterexample-driven debugging proved so effective in hardware and protocol verification.