Algorithmic Verification of Component-based Systems by Wang, Qiang
THESIS NO. 7753 (2017)
PRESENTED ON 6 JUNE 2017
AT THE SCHOOL OF COMPUTER AND COMMUNICATION SCIENCES
LABORATORY FOR AUTOMATED REASONING AND ANALYSIS
DOCTORAL PROGRAM IN COMPUTER AND COMMUNICATION SCIENCES
ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE
FOR THE DEGREE OF DOCTOR OF SCIENCE
BY
Qiang WANG
accepted on the proposal of the jury:
Prof. A. Lenstra, jury president
Prof. V. Kuncak, Dr S. Bliudze, thesis directors
Dr A. Cimatti, examiner
Prof. S. Bensalem, examiner
Prof. M. Odersky, examiner
Switzerland
2017

The best way out is always through.
— Robert Frost
To my family...

Acknowledgements
I would like to thank my advisor Prof. Joseph Sifakis, for giving me the opportunity to join his research group at EPFL, and also for his guidance and support during my graduate study. This work would not have been possible without his technical and moral support. He introduced me to the field of formal methods, and opened doors for me in the research community. His enthusiastic supervision will long be a source of encouragement to me. I would also like to thank Dr. Simon Bliudze, my co-advisor, for his countless explanations and everything he did to guide me through the PhD. I am also grateful to Prof. Viktor Kuncak, for hosting me in the last few months and giving me the chance to finish my PhD. Many thanks to the secretaries Mrs Ariane Staudenmann and Mrs Sylvie Jankow for the organization of my studies. Thanks for being patient with my stubbornness!
I want to express my deepest gratitude to Dr. Alessandro Cimatti, who offered me the opportunity to study in his group for a few months. It was a great pleasure for me to work closely with Dr. Alessandro Cimatti, Dr. Marco Roveri and Dr. Sergio Mover. I have learned a lot from them and I could not have done this work without their help. Thanks to Alessandro again for taking the time to review this dissertation. I also want to thank Prof. Helmut Veith, Dr. Igor Konnov and Dr. Tomer Kotek for sharing their thoughts and insights on formal verification. It was a wonderful experience and a very productive collaboration to work with them. I am also grateful to the other jury members Prof. Martin Odersky, Prof. Arjen Lenstra and Prof. Saddek Bensalem for taking the time to serve on my defense jury and review this dissertation.
I would like to take this opportunity to thank my family for their constant moral support. I want to express my special appreciation to Dr. Tongkai Zhao for providing me the opportunity to study abroad, to Prof. Chaojing Tang, Dr. Chao Feng and Dr. Xingtong Liu for helping me with the business in China, and to Prof. Mingsheng Ying for his kind recommendations. Last but not least, many thanks to the talented students in Prof. Sifakis's group Eduard Baranov, Anastasia Mavridou, Alina Zolotukhina, Stefanos Skalistis, Wajeb Saab, and my friends Lin Yuan, Xing Bi, Fengyun Liu, Weitian Zhao, Bin Zhang, Zhicong Huang, Shiming Ou, Mengjun Li, Hua Gao, Samantha Meylan, Arthur Meylan, Marguerite Delcourt, Yanguang Yang and many others with whom I have shared good moments over the years. Thanks to Benjamin Wesolowski for proofreading the French abstract, and Sebastian Stich and Philippe Heer for proofreading the German abstract. To those whom I may have forgotten to mention here, I owe you a sincere apology and thank you!
Lausanne, 27 March 2017 Wang Qiang

Abstract
This dissertation discusses algorithmic verification techniques for concurrent component-based systems modeled in the Behavior-Interaction-Priority (BIP) framework with both bounded and unbounded concurrency.
BIP is a component framework for mixed software/hardware system design in a rigorous and correct-by-construction manner. System design is defined as a formal, accountable and coherent process for deriving trustworthy and optimised implementations from high-level system models and the corresponding execution platform descriptions. The essential properties of a system model are guaranteed at the earliest possible design phase, and a correct implementation is then automatically generated from the validated high-level system model through a sequence of property-preserving model transformations, which progressively refine the model with details specific to the target execution platform.
BIP comes with a well-defined formal modeling language and a toolchain to support rigorous system design. The BIP modeling language offers a three-layered modeling mechanism, i.e. Behavior, Interaction, and Priority, for constructing complex system behavior and architectures. Behavior is characterized by a set of components, which are formally defined as automata extended with local data variables. Interaction specifies the multiparty synchronization of components, among which data transfer may take place. Priority can be used to schedule the interactions or resolve conflicts when several interactions are enabled simultaneously. The key principle of this three-layered modeling mechanism is the separation of concerns, i.e. system behavior is captured by a set of components, and system coordination is modeled by interactions and priorities.
In BIP, algorithmic verification techniques are applied to ensure the essential safety properties of the system designs. The first major contribution of this dissertation is an efficient safety verification technique for BIP system models where the number of participating components is fixed and the data variables can have infinite domains, but their manipulation is limited to linear arithmetic. The key insight of our technique is to take advantage of the structural features of BIP systems and to handle the computation in the components and the coordination between the components separately in the verification. On the computation level, we apply state-of-the-art counterexample-guided abstraction techniques to reason about the behavior of components and explore all the possible reachable states; on the coordination level, we exploit both partial order reduction and symmetry reduction techniques to handle the state space explosion problem due to concurrency and reduce the redundant interleavings of concurrent interactions. We have implemented the proposed techniques in a prototype tool and carried out a comprehensive performance evaluation on a set of BIP system models.
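As an added illustration (not code from the dissertation or from the BIP toolchain), the following Python model renders the three layers described above and the invariant checking that the first contribution targets: components as automata with local variables, interactions as multiparty synchronizations with data transfer, priorities as conflict resolution, and an explicit-state reachability check that either proves a safety property or returns a counterexample trace of interactions. It models the ticket mutual exclusion protocol that the dissertation uses as a running example (Figure 2.1); the class, port and variable names, the modulo-n_procs bounding of the ticket counters and the unguarded variant are our own assumptions, and plain state enumeration stands in for the abstraction and reduction techniques the dissertation applies.

```python
from collections import deque
from itertools import product

ALWAYS, KEEP = (lambda v: True), (lambda v: v)  # trivial guard, identity update
class Component:  # Behavior layer: an automaton extended with local data variables
    def __init__(self, name, init_loc, init_vars, transitions):
        # transitions: tuples (src, port, guard(vars) -> bool, update(vars) -> new vars, dst)
        self.name, self.init_loc, self.init_vars = name, init_loc, dict(init_vars)
        self.transitions = transitions
    def enabled(self, loc, vs):  # port -> [(update, dst)] for transitions enabled at (loc, vs)
        out = {}
        for src, port, guard, update, dst in self.transitions:
            if src == loc and guard(vs):
                out.setdefault(port, []).append((update, dst))
        return out

class Interaction:  # Interaction layer: multiparty synchronization, one port per participant
    def __init__(self, name, ports, guard=lambda env: True, transfer=lambda env: {}):
        # ports {component: port}; guard/transfer get {component: vars}; transfer returns new vars
        self.name, self.ports, self.guard, self.transfer = name, ports, guard, transfer

class Model:
    def __init__(self, components, interactions, priorities=()):
        self.components, self.interactions = {c.name: c for c in components}, interactions
        self.priorities = list(priorities)  # (low, high): low is blocked while high is enabled
    def pack(self, local):  # hashable global state: one (loc, vars) entry per component
        return tuple((local[n][0], tuple(sorted(local[n][1].items()))) for n in self.components)
    def unpack(self, state):
        return {n: (loc, dict(vs)) for n, (loc, vs) in zip(self.components, state)}
    def enabled_interactions(self, state):
        local, enabled = self.unpack(state), []
        for ia in self.interactions:
            choice = {}
            for comp, port in ia.ports.items():
                opts = self.components[comp].enabled(*local[comp]).get(port)
                if not opts:
                    break  # a participant cannot offer its port: no synchronization
                choice[comp] = opts
            if len(choice) == len(ia.ports) and ia.guard({c: local[c][1] for c in ia.ports}):
                enabled.append((ia, choice))
        # Priority layer: an enabled interaction is dropped if a higher-priority one is enabled
        names = {ia.name for ia, _ in enabled}
        return [(ia, ch) for ia, ch in enabled
                if not any(low == ia.name and high in names for low, high in self.priorities)]
    def successors(self, state):  # yields (interaction name, next global state)
        local = self.unpack(state)
        for ia, choice in self.enabled_interactions(state):
            env = {comp: dict(local[comp][1]) for comp in ia.ports}
            for comp, new_vars in ia.transfer(env).items():  # data transfer first ...
                env[comp].update(new_vars)
            for combo in product(*(choice[c] for c in ia.ports)):
                nxt = dict(local)
                for comp, (update, dst) in zip(ia.ports, combo):  # ... then local updates
                    nxt[comp] = (dst, update(dict(env[comp])))
                yield ia.name, self.pack(nxt)

def check_invariant(model, invariant):  # explicit-state BFS -> (True, None) or (False, trace)
    init = model.pack({c.name: (c.init_loc, c.init_vars) for c in model.components.values()})
    parent, queue = {init: None}, deque([init])
    while queue:
        s = queue.popleft()
        if not invariant(model.unpack(s)):
            trace = []  # walk the BFS tree back to the initial state
            while parent[s] is not None:
                s, label = parent[s]
                trace.append(label)
            return False, trace[::-1]
        for label, t in model.successors(s):
            if t not in parent:
                parent[t] = (s, label)
                queue.append(t)
    return True, None

def mutual_exclusion(local):  # safety property: at most one process in its critical section
    return sum(loc == "cs" for loc, _ in local.values()) <= 1

def ticket_protocol(n_procs, guarded=True):
    """Ticket mutual exclusion: the controller hands out tickets ('next') and serves them in
    order ('serving'); counters are taken modulo n_procs, which keeps the state space finite
    since at most n_procs tickets are outstanding. guarded=False drops the serving check."""
    ctrl = Component("ctrl", "idle", {"next": 0, "serving": 0}, [
        ("idle", "give", ALWAYS, lambda v: {**v, "next": (v["next"] + 1) % n_procs}, "idle"),
        ("idle", "grant", ALWAYS, KEEP, "idle"),
        ("idle", "release", ALWAYS, lambda v: {**v, "serving": (v["serving"] + 1) % n_procs}, "idle")])
    procs = [Component(f"p{i}", "think", {"t": 0}, [("think", "take", ALWAYS, KEEP, "wait"),
             ("wait", "enter", ALWAYS, KEEP, "cs"), ("cs", "exit", ALWAYS, KEEP, "think")])
             for i in range(n_procs)]
    interactions = []
    for n in [p.name for p in procs]:  # the n=n default arguments bind the name per iteration
        interactions += [
            Interaction(f"take_{n}", {n: "take", "ctrl": "give"},
                        transfer=lambda env, n=n: {n: {"t": env["ctrl"]["next"]}}),
            Interaction(f"enter_{n}", {n: "enter", "ctrl": "grant"},
                        guard=lambda env, n=n: not guarded or env[n]["t"] == env["ctrl"]["serving"]),
            Interaction(f"exit_{n}", {n: "exit", "ctrl": "release"})]
    # Priority layer: entering the critical section beats handing out further tickets
    priorities = [(f"take_{a.name}", f"enter_{b.name}") for a in procs for b in procs]
    return Model([ctrl] + procs, interactions, priorities)
```

Running `check_invariant(ticket_protocol(3), mutual_exclusion)` proves the guarded protocol safe, while the unguarded variant returns a four-step trace ending with a second process entering the critical section.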
The second major contribution of this dissertation is a uniform design and verification framework for parameterized systems based on BIP. Parameterized systems are systems consisting of homogeneous processes, and the parameter indicates the number of such processes in the system. A parameterized system, therefore, describes an infinite family of systems, where instances of the family can be obtained by fixing the value of the parameter. Verification of correctness of such systems amounts to verifying the correctness of every member of the infinite family described by the system.
First of all, we propose the first order interaction logic (FOIL) as a formal language for parameterized system architectures and communication primitives. This logic is powerful enough to express architectures found in distributed systems, including the classical architectures: token-passing rings, rendezvous cliques, broadcast cliques, rendezvous stars. We also identify a fragment of FOIL that is well-suited for the specification of parameterized BIP systems and prove its decidability. Second, we provide a framework for the integration of mathematical models from the parameterized model checking literature in an automated way. With our new framework, we close the gap between the mathematical formalisms and algorithms from the parameterized verification research and the practice of parameterized verification, which is usually done by engineers who are not familiar with the details of the literature. Finally, we provide a preliminary prototype implementation of the proposed framework. Our prototype tool takes a parameterized BIP design as its input and identifies the classical model checking results which can be applied to this BIP design.
Keywords: Component-based design, Concurrent system, Model checking, Algorithmic verification, Parameterized verification, Predicate abstraction, Partial order reduction, Symmetry reduction, Well-structured transition system
Abstract (German)
This dissertation discusses algorithmic verification techniques for concurrent component-based systems modeled in the BIP framework (Behavior, Interaction, Priority) with both bounded and unbounded concurrency.
BIP is a component framework for mixed software/hardware system development that is equipped with a rigorous, correct-by-construction approach. System development is defined as a formal, accountable and coherent process for deriving trustworthy and optimized implementations from high-level system models and the corresponding execution platform descriptions. The essential properties of a system model are guaranteed in the earliest possible development phase, and a correct implementation is then obtained automatically from the certified high-level system model through a sequence of target-platform-specific transformations that preserve the model properties and progressively refine the model.
BIP is equipped with a well-defined formal modeling language and a toolchain supporting rigorous system development. The BIP modeling language offers a three-layered modeling mechanism, i.e. Behavior, Interaction and Priority, for constructing complex system behaviors and architectures. Behavior is characterized by a set of components, which are formally defined as automata extended with linear arithmetic. Interaction specifies the multiparty synchronization of components exchanging data. Priority can be used to schedule interactions or to resolve conflicts when several interactions are enabled simultaneously. The main principle of this three-layered modeling mechanism is the separation of concerns, i.e. the system behavior is captured by a set of components and the system coordination is modeled by interactions and priorities.
In BIP, algorithmic verification techniques are applied to guarantee the essential safety properties of the system designs. The first major contribution of this dissertation is an efficient safety verification technique for BIP system models with a fixed number of participating components. The key feature of our technique is that it exploits the structure of BIP systems to treat computation and coordination separately during verification. At the computation level, we apply state-of-the-art counterexample-based abstraction techniques to reason about the behavior of the components and explore all possible reachable states. At the coordination level, we use partial order and symmetry reduction techniques to handle the state space explosion problem due to concurrency and to reduce the redundant interleavings of concurrent interactions. We have implemented the proposed techniques in a prototype tool and carried out a comprehensive performance evaluation on a set of BIP system models.
The second major contribution of this dissertation is a uniform design and verification tool for parameterized BIP systems. Parameterized systems are systems consisting of homogeneous processes, where the parameter indicates the number of such processes in the system. A parameterized system therefore describes an infinite family of systems, in which instances of the family are obtained by fixing the parameter. Verifying the correctness of such systems amounts to verifying the correctness of every member of the infinite family described by the system.
First, we propose first order interaction logic as a formal language for parameterized system architectures and communication primitives. This logic is powerful enough to express architectures found in distributed systems, including the classical architectures such as token-passing rings, rendezvous cliques, broadcast cliques and rendezvous stars. We also identify a fragment of first order interaction logic that is well suited to the specification of parameterized BIP models and prove its decidability. Second, we provide a framework for the automated integration of mathematical models from the parameterized model checking literature. With our new framework, we close the gap between the mathematical formalisms and algorithms of parameterized verification research and the practice of parameterized verification, which is usually carried out by engineers who are not familiar with the details of the literature. Finally, we provide a preliminary prototype implementation of the proposed framework. Our prototype tool takes a parameterized BIP design as input and identifies the classical model checking results that can be applied to this BIP design.
Keywords: Component-based design, Concurrent system, Model checking, Algorithmic verification, Parameterized verification, Predicate abstraction, Partial order reduction, Symmetry reduction, Well-structured transition system
Abstract (French)
This dissertation deals with algorithmic verification techniques for concurrent component-based systems modeled in the BIP framework (Behavior, Interaction, Priority) with bounded and unbounded concurrency.
BIP is a component framework for the rigorous and correct-by-construction design of mixed software/hardware systems. System design is defined as a formal, accountable and coherent process for obtaining reliable and optimized implementations from high-level system models and the descriptions of the corresponding execution platforms. The essential properties of a system model are guaranteed at the earliest possible design phase, and a correct implementation is then generated automatically from the certified high-level system model by a sequence of transformations that preserve the model's properties and progressively refine the model with details specific to the target execution platform.
BIP comes with a well-defined formal modeling language and a toolchain to support rigorous system design. The BIP modeling language offers a three-layered modeling mechanism for constructing complex system behaviors and architectures, namely Behavior, Interaction and Priority. 'Behavior' is characterized by a set of components that are formally defined as automata extended with local data variables. 'Interaction' specifies the multiparty synchronization of components, among which data transfer may take place. 'Priority' can be used to schedule interactions or to resolve conflicts when several interactions are enabled simultaneously. The key principle of this three-layered modeling mechanism is the separation of concerns, i.e. the system behavior is captured by a set of components, and the system coordination is modeled by interactions and priorities.
In BIP, algorithmic verification techniques are applied to ensure the essential safety properties of the system designs. The first major contribution of this dissertation is an efficient safety verification technique for BIP system models with a fixed number of participating components. The main idea of our technique is to take advantage of the features of the BIP system and to handle computation and coordination separately in the verification. At the computation level, we apply counterexample-based abstraction techniques to reason about the behavior of the components and explore all the possible reachable states; at the coordination level, we exploit partial order and symmetry reduction techniques to handle the state space explosion problem due to concurrency, and reduce the redundant interleavings of concurrent interactions. We have implemented the proposed techniques in a prototype tool and evaluated its efficiency on a set of BIP system models.
The second major contribution of this dissertation is a uniform design and verification framework for parameterized systems based on BIP. Parameterized systems are systems consisting of homogeneous processes, where the parameter indicates the number of such processes in the system. A parameterized system therefore describes an infinite family of systems where the instances of the family can be obtained by fixing the parameter. Verifying the correctness of these systems amounts to verifying the correctness of each member of the infinite family described by the system.
First, we propose first order interaction logic as a formal language for parameterized system architectures and communication primitives. This logic is powerful enough to express the architectures found in distributed systems, including the classical architectures: token-passing rings, rendezvous cliques, broadcast cliques, rendezvous stars. We identify a fragment of first order interaction logic well suited to the specification of parameterized BIP models and prove its decidability. Second, we provide a framework for the automated integration of mathematical models from the parameterized model checking literature. With our new framework, we bridge the gap between the mathematical formalisms and algorithms of the parameterized verification literature and the practice of parameterized verification, which is generally done by engineers who are not familiar with the details of the literature. Finally, we provide a preliminary prototype implementation of the proposed framework. Our prototype tool takes a parameterized BIP design as input and identifies the classical model checking results that can apply to this BIP design.
Keywords: Component-based design, Concurrent system, Model checking, Algorithmic verification, Parameterized verification, Predicate abstraction, Partial order reduction, Symmetry reduction, Well-structured transition system
Contents
Acknowledgements i
Abstract (English/French/German) iii
List of figures xiii
List of tables xv
1 Introduction 1
1.1 Rigorous system design 2
1.1.1 BIP component framework 3
1.1.2 The role of formal verification 5
1.2 Evolution of formal verification 6
1.3 Challenges and contributions 9
1.3.1 Algorithmic verification of systems with bounded concurrency 10
1.3.2 Modeling and verifying systems with unbounded concurrency 11
1.4 Organization of this dissertation 13
2 Preliminary and system model 15
2.1 Labeled transition system 15
2.2 Invariant verification 16
2.3 BIP modeling framework 17
2.3.1 Syntactic BIP model 18
2.3.2 BIP operational semantics 22
2.4 Encoding BIP into Symbolic Transition System 24
3 Verification of concurrent systems 27
3.1 Abstraction techniques 27
3.1.1 Abstract interpretation 27
3.1.2 Predicate abstraction 28
3.1.3 Counterexample guided abstraction refinement 29
3.1.4 Lazy abstraction 31
3.2 Partial order reduction techniques 32
3.2.1 Ample set 34
3.2.2 Stubborn set 35
3.2.3 Persistent set 35
3.2.4 Partial order reduction for safety properties 36
4 Verification of BIP with bounded concurrency 39
4.1 Lazy abstraction of BIP 40
4.1.1 Data structures for verification 40
4.1.2 Main verification algorithm 41
4.1.3 Node expansion 41
4.1.4 Abstraction refinement 44
4.1.5 Correctness proof 44
4.2 Persistent set reduction for BIP 45
4.2.1 Combining persistent set reduction with lazy abstraction 48
4.2.2 Computing persistent set 50
4.3 Experimental evaluation 52
4.3.1 Comparing lazy abstraction to persistent set reduction 53
4.3.2 Comparing to IC3 and IPA 57
4.3.3 Cumulative plots 59
4.4 Related work 59
5 Further techniques for improving reductions 65
5.1 Simultaneous set reduction for BIP 66
5.1.1 Motivating example 66
5.1.2 Combining simultaneous set reduction with lazy abstraction 67
5.1.3 Computing simultaneous set 70
5.1.4 Discussions 72
5.2 Experimental evaluation 73
5.2.1 Comparing to lazy abstraction with reductions 73
5.2.2 Comparing to IC3 and IPA 77
5.2.3 Cumulative plots 78
5.3 Partial order reduction under symmetry 80
5.3.1 Motivating example 81
5.3.2 Symmetry reduction 82
5.3.3 Persistent set under symmetry 83
5.4 Experimental evaluation 86
5.4.1 Scatter plots 86
5.4.2 Cumulative plots 90
5.5 Related work 90
6 Design and verification of parameterized systems in BIP 95
6.1 Parameterized BIP without priorities 96
6.1.1 FOIL: First order interaction logic 96
6.1.2 Interactions as FOIL structures 98
6.2 Parameterized model checking 101
6.3 Decidability results for parameterized BIP 103
6.3.1 Well-structured transition system 104
6.3.2 Well-structured parameterized BIP 105
6.4 A framework of automated parameterized verification in BIP 108
6.5 Identifying the architecture of a parameterized BIP model 108
6.5.1 The common templates for BIP semantics 110
6.5.2 Pairwise rendezvous in a clique 110
6.5.3 Broadcast in a clique 111
6.5.4 Token rings 113
6.5.5 Pairwise rendezvous in a star 114
6.6 Prototype implementation and experiments 115
6.7 Related work 116
7 Conclusions and perspectives 119
7.1 Summary of the dissertation 119
7.2 Perspectives of the future work 121
A Appendix 123
A.1 An ATM transaction protocol in BIP 124
A.2 A leader election protocol in BIP 126
A.3 A quorum consensus protocol in BIP 127
A.4 A railway control protocol in BIP 129
A.5 Statistics for lazy abstraction 130
A.6 Statistics for lazy abstraction with persistent set reduction 133
A.7 Statistics for lazy abstraction with simultaneous set reduction 136
A.8 Statistics for lazy abstraction with persistent set reduction under symmetry 139
Bibliography 151
Curriculum Vitae 153

List of Figures
1.1 The BIP instantiation of the rigorous system design ﬂow . . . . . . . . . . . . . . . . . 2
1.2 BIP layered modeling framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.3 BIP toolchain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1 Ticket mutual exclusion protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.2 Ticket mutual exclusion protocol in BIP language . . . . . . . . . . . . . . . . . . . . 21
2.3 Temperature Control System in BIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
2.4 Temperature control system in BIP language . . . . . . . . . . . . . . . . . . . . . . . 23
3.1 Counterexample guided abstraction reﬁnement loop . . . . . . . . . . . . . . . . . . 30
3.2 A counterexample trace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
3.3 Relations between ample, stubborn and persistent sets . . . . . . . . . . . . . . . . . 37
3.4 An example for illustrating the ignoring problem . . . . . . . . . . . . . . . . . . . . . 37
4.1 Example for illustrating partial order reduction for BIP . . . . . . . . . . . . . . . . . . 46
4.2 Example showing independent interactions don’t commute on abstract states . . . . . 47
4.3 Lazy abstraction vs. lazy abstraction with persistent set reduction . . . . . . . . . . . 54
4.4 Runtime of plain lazy abstraction subroutines . . . . . . . . . . . . . . . . . . . . . . 55
4.5 Runtime of lazy abstraction with persistent set reduction subroutines . . . . . . . . . 56
4.6 Lazy abstraction vs. IC3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
4.7 Lazy abstraction with persistent set reduction vs. IC3 . . . . . . . . . . . . . . . . . . 58
4.8 Lazy abstraction vs. IPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
4.9 Lazy abstraction with persistent set reduction vs. IPA . . . . . . . . . . . . . . . . . . 60
4.10 Cumulative plot of time for all benchmarks . . . . . . . . . . . . . . . . . . . . . . . . 61
4.11 Cumulative plot of time for safe benchmarks . . . . . . . . . . . . . . . . . . . . . . . 61
4.12 Cumulative plot of time for unsafe benchmarks . . . . . . . . . . . . . . . . . . . . . 61
4.13 Cumulative plot of ART size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
4.14 Cumulative plot of ART size for safe benchmarks . . . . . . . . . . . . . . . . . . . . . 62
4.15 Cumulative plot of ART size for unsafe benchmarks . . . . . . . . . . . . . . . . . . . 62
5.1 The ﬁrst example for illustrating simultaneous set . . . . . . . . . . . . . . . . . . . . 66
5.2 The second example for illustrating simultaneous set . . . . . . . . . . . . . . . . . . 72
5.3 Examples for comparing simultaneous and persistent sets . . . . . . . . . . . . . . . 72
5.4 Lazy abstraction vs. lazy abstraction with simultaneous set reduction . . . . . . . . . 74
xiii
List of Figures
5.5 Lazy abstraction with persistent set reduction vs. lazy abstraction with simultaneous set
reduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
5.6 Runtime of lazy abstraction with simultaneous set reduction subroutines . . . . . . . 76
5.7 Lazy abstraction with simultaneous set reduction vs. IC3 . . . . . . . . . . . . . . . . 77
5.8 Lazy abstraction with simultaneous set reduction vs. IPA . . . . . . . . . . . . . . . . 78
5.9 Cumulative plot of time for all benchmarks . . . . . . . . . . . . . . . . . . . . . . . . 79
5.10 Cumulative plot for safe benchmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
5.11 Cumulative plot for unsafe benchmarks . . . . . . . . . . . . . . . . . . . . . . . . . . 79
5.12 Cumulative plot of ART size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
5.13 Cumulative plot of ART size for safe benchmarks . . . . . . . . . . . . . . . . . . . . . 80
5.14 Cumulative plot of ART size for unsafe benchmarks . . . . . . . . . . . . . . . . . . . 81
5.15 Ticket mutual exclusion protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
5.16 Lazy abstraction vs. lazy abstraction with reduction under symmetry . . . . . . . . . 87
5.17 Lazy abstraction with persistent set reduction vs. lazy abstraction with reduction under
symmetry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
5.18 Lazy abstraction with simultaneous set reduction vs. lazy abstraction with reduction
under symmetry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
5.19 IC3 vs. lazy abstraction with reduction under symmetry . . . . . . . . . . . . . . . . . 89
5.20 Runtime of lazy abstraction with reduction under symmetry subroutines . . . . . . . 91
5.21 Cumulative plot of time for all benchmarks . . . . . . . . . . . . . . . . . . . . . . . . 92
5.22 Cumulative plot of time for safe benchmarks . . . . . . . . . . . . . . . . . . . . . . . 92
5.23 Cumulative plot of time for unsafe benchmarks . . . . . . . . . . . . . . . . . . . . . 92
6.1 Component type of Milner’s scheduler . . . . . . . . . . . . . . . . . . . . . . . . . . 99
6.2 Component type of a barrier synchronization protocol . . . . . . . . . . . . . . . . . . 100
6.3 Component type of a semaphore example . . . . . . . . . . . . . . . . . . . . . . . . 100
6.4 Framework of automated parameterized verification in BIP . . . . . . . . . . . . . . . 109
List of Tables
4.1 Percentage of persistent set reduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
5.1 Percentage of simultaneous set reduction . . . . . . . . . . . . . . . . . . . . . . . . . 75
5.2 Percentage of partial order reduction under symmetry . . . . . . . . . . . . . . . . . . 90
6.1 Experimental results of identifying architecture models. . . . . . . . . . . . . . . . . . 115
A.1 Verification statistics for lazy abstraction . . . . . . . . . . . . . . . . . . . . . . . 132
A.2 Verification statistics for lazy abstraction with persistent set reduction . . . . . 135
A.3 Verification statistics for lazy abstraction with simultaneous set reduction . . . 138
A.4 Verification statistics for lazy abstraction with persistent set reduction under symmetry . . . . . . . . . . 140

1 Introduction
Computer technology has become ubiquitous in daily life. The past few decades have witnessed a widespread deployment of embedded systems controlling communication, transportation and medical systems. Because of our ever-increasing reliance on embedded systems, both at the personal and at the organizational level, the consequences of system failure can transcend mere annoyance and may have profound negative effects on our lives (e.g. the explosion of the first launch of Ariane 5^1). The correctness and robustness of embedded systems are therefore ever more important. Paradoxically, as the complexity of embedded systems escalates tremendously, current design techniques and tools can hardly ensure sufficiently reliable systems at affordable costs. The development of reliable and robust embedded systems remains a grand challenge in both computer science and system engineering [91, 134]. The main culprit is understood to be the lack of rigorous theories and techniques for embedded system design [92].
The design of embedded systems differs radically from pure software design. Embedded system design must account not only for functional properties but also for extra-functional requirements regarding the use of execution platform resources such as time and energy. However, the systems currently being built are based on empirical approaches. Designers use different, only loosely coupled frameworks to build sub-systems that are subsequently composed into complete systems. The lack of an underlying unifying semantic framework and of rigorous theoretical foundations makes it difficult to ensure that the implicit assumptions made during the design of the sub-systems are still satisfied after integration.
Further, the predictability of the system behaviour is impossible to guarantee at design time, and therefore a costly a posteriori validation remains the only means of ensuring the correctness of the design with respect to the functional or extra-functional properties. Despite its high complexity, this a posteriori validation usually goes from the implementation level back to the model level; it cannot take advantage of the original design and, in most cases, is computationally infeasible for large implementations. Therefore, we need a new design methodology to develop correct implementations of systems in a predictable manner.
1. https://en.wikipedia.org/wiki/Ariane_5
Chapter 1. Introduction
1.1 Rigorous system design
Rigorous system design [133, 135] has been proposed in response to the grand challenge of design, manufacture and validation of large-scale reliable mixed hardware and software systems (e.g. cyber-physical systems). The main objective of the rigorous system design methodology is to develop the theories, methods and tools for building reliable systems in a predictable manner.
Rigorous system design follows the component-based approach, where complex system models are constructed by assembling simple atomic components with some composition entities. Atomic components are characterized by abstractions that ignore implementation details and only describe the behavior relevant to their composition, e.g. transfer functions and interfaces. Composition entities are then used to build complex compound components from atomic ones. Component-based design allows building large-scale systems in an incremental and predictable manner.
Rigorous system design can also be understood as a formal, accountable and coherent process for deriving trustworthy and optimised implementations from high-level system models and the corresponding execution platform descriptions. The essential properties of system models are guaranteed at the earliest possible design phase using formal verification techniques. Correct implementations are then automatically generated from validated high-level system models through a sequence of property-preserving model transformations, which progressively refine the model with details specific to the target execution platform.
Figure 1.1 – The BIP instantiation of the rigorous system design flow
Figure 1.1 illustrates the rigorous system design flow, as it is instantiated in the Behaviour-Interaction-Priority (BIP) framework [19]. One starts by designing the application model, either directly in BIP or through a transformation from a domain-specific language. The model consists of a set of atomic components and connectors. Atomic components model the application activities, from the control point of view, as finite state automata. Each transition of an automaton has an associated C function call, which realises functional computations and interaction with the environment (e.g. network communication protocols). This allows a strict separation of concerns between control and functional behaviour. Connectors define all possible interactions between atomic components. The overall behaviour of the application is defined by the BIP operational semantics and enforced at run-time by the BIP Engine. This allows a strict separation of concerns between the stateful behaviour of individual components and the stateless coordination of their concurrent execution.
The individual components are verified to prove elementary safety properties, such as absence of local deadlock, and satisfaction of basic requirements. These elementary properties serve as a basis for the proof of global properties, obtained by construction. Until recently, the by-construction correctness provided by the BIP design flow illustrated in Figure 1.1 was limited to the fact that the automatically generated executable code was guaranteed to satisfy the properties established on the corresponding BIP models. Correctness of the high-level application model was limited to deadlock freedom or had to be established by existing model checking techniques.
The application model is then extended with additional components modeling the target platform to obtain the system model, which is used to perform platform-specific analyses and to optimise performance through the exploration of the design space (memories, buses, mapping of software components to hardware elements, etc.). Finally, the model is enriched with platform-specific information (e.g. communication primitives) and, after removing the components modelling hardware elements, executable code is automatically generated. Proving that the assumptions made at the modeling level to justify the separation of concerns indeed hold at the platform level guarantees that all the properties established throughout the design process also hold for the generated code.
1.1.1 BIP component framework
BIP [19] is a component-based framework for rigorous system design. It addresses the following three main challenges in pursuit of the essentials of rigorous system design: 1) the development of a uniform modeling framework with well-defined semantics for the incremental composition of heterogeneous components; 2) the development of verification methods for essential safety properties in order to guarantee the correctness of the high-level system designs; and 3) the development of automated support for component integration, validation and code generation, meeting the given requirements.
BIP comes with a well-defined modeling language and an associated toolset (shown in Figure 1.3^2) to implement the rigorous design flow. The BIP modeling language provides primitives for building composite components as the composition of simpler components, and it defines a common semantic model that can be used at all stages throughout the design flow. BIP also provides formal verification tools to check the deadlock-freedom of components, as well as advanced techniques to ensure by-construction correctness of the design. In BIP, the implementation (i.e. C++ code) can be automatically generated from the high-level system model using specific code generators that take into account the specific execution platforms and environment.
2. This figure and the subsequent one are from the BIP website http://www-verimag.imag.fr/Rigorous-Design-of-Component-Based.html.
Figure 1.2 – BIP layered modeling framework
The BIP language provides a three-layered modeling mechanism, as shown in Figure 1.2. It allows building complex system models by coordinating three layers of modeling: 1) Behavior is described by a set of components, each of which is formally specified as a finite state automaton extended with local data variables. Transition labels of the automaton are exported as ports, which are used to define the coordination between components. 2) Interaction specifies the coordination between components. An interaction is formally defined as a finite set of ports; essentially, it specifies a multiparty synchronization of the transitions whose labels are the connected ports. 3) Priority is used to schedule the interactions or to resolve conflicts when several interactions are enabled simultaneously.
BIP has a clean operational semantics that describes the behavior of a composite component as the composition of the behaviors of its atomic components. A detailed introduction to the BIP modeling language and its semantics is given in Chapter 2.
Figure 1.3 – BIP toolchain
The BIP toolset includes translators from various programming models, e.g. Simulink and Lustre, into BIP, and source-to-source transformers that transform one BIP model into another, e.g. into a Send/Receive BIP model used in a distributed environment. It also includes compilers that generate executable code for various dedicated engines. The deadlock-freedom of the system model can be automatically checked using the dedicated model checker DFinder. Currently, DFinder can only handle systems without data transfer among components. This limitation hampers the practical application of DFinder and of the BIP framework, since data transfer is necessary and common in the design of real-life systems.
1.1.2 The role of formal verification
Being able to check or assert the correctness of the system under design using scalable formal verification techniques is an essential requirement in rigorous system design.
As opposed to logic circuit synthesis and certified code generators for highly critical systems, such as SCADE Suite^3, most system and software design workflows do not combine verification of system models with guarantees that the final system satisfies the verified properties. This is due to the decoupling of modeling and verification tools. The most common workflow consists in verifying or simulating systems with dedicated modeling tools, such as MATLAB/Simulink, and then manually implementing the resulting solutions. As a result, the final executable code is not guaranteed to respect the verified properties, since errors may be introduced during the manual implementation phase. Another approach consists in extracting models from the implementation code for subsequent validation by existing or dedicated model checkers. This approach, on the one hand, does not benefit from design-time analysis. On the other hand, the inevitable post-verification modifications of the system are costly, due to the difficulty of establishing the backward link between the automatically extracted model and the source code.
As discussed above, the rigorous system design flow in BIP advocates correct-by-construction design. The system implementation, which is automatically generated executable code, is guaranteed to satisfy the properties established on the corresponding BIP models. However, we still rely on the correctness of the individual components to establish by-construction correctness of the global system model. Until recently, correctness of the high-level application model was limited to deadlock freedom. We still lack methods and tools to check general safety requirements of the high-level application model.
Differing from simulation or testing techniques, formal verification provides a rigorous way to prove or disprove that a system model meets the given requirements. The system being checked is usually modeled as a state machine and the property is specified as a formula in some temporal logic. In order to check whether the system satisfies the given property, formal verification usually runs an exhaustive search procedure (either explicitly or symbolically) over the state space of the system model to check that the property holds in every reachable state. If the property is violated, a counterexample is generated as a diagnostic to help designers correct their designs.
3. http://www.esterel-technologies.com/products/scade-suite/
Moreover, the growing power of formal verification tools makes the use of formal methods in complex embedded system design possible, as reported in [122]. Notably, formal verification has been successfully used in industry to help build reliable and secure systems. For instance, as reported in [123], formal methods have been successfully used at Amazon Web Services to solve difficult design problems and to build reliable web services. The authors report that at Amazon seven teams have used TLA+^4 to find subtle but serious bugs that they would not have found using other techniques, and also to devise optimized complex algorithms without sacrificing quality. Another example is the High-Assurance Cyber Military Systems (HACMS) program launched by the Defense Advanced Research Projects Agency (DARPA) to create technologies that make networked embedded systems dramatically harder to attack^5. Specifically, HACMS is pursuing a formal methods-based approach to the creation of high-assurance vehicles, where high assurance is defined to mean functionally correct and satisfying appropriate safety and security properties [67].
1.2 Evolution of formal verification
In this section, we give an overview of the development of formal verification. We postpone the elaboration of the relevant theories to Chapter 3.
Early on, Floyd-Hoare logic [71, 93] and Dijkstra's predicate transformers [52] laid the theoretical foundations of the modern (semi-)automated verification techniques. In [93], a formal framework for deducing the correctness of programs was introduced, also known as Floyd-Hoare logic. Given a piece of program C and two assertions P, Q, Floyd-Hoare logic establishes the correctness proof in the form {P} C {Q} (a Hoare triple), which intuitively means that if the assertion P holds, then after the execution of C the assertion Q must hold (provided the execution of C terminates). Dijkstra's predicate transformer semantics of programs can be understood as a reformulation of Floyd-Hoare logic. It provides a way to reduce the problem of proving a Hoare triple to the problem of proving a first-order formula.
In [48], a unifying framework, known as abstract interpretation, was proposed for automatic program analysis and verification. Since the computation of the concrete semantics of a program (i.e. the set of reachable states) is computationally infeasible in general, the idea of abstract interpretation is to map the concrete property (i.e. a set of concrete states) to an abstract property (i.e. an element of the abstract domain), and then to compute the abstract semantics of the program (i.e. an over-approximation of the set of concrete reachable states). Abstract interpretation provides a disciplined way of building analyses over abstract domains.
Independently in [43] and [129], a technique widely known as model checking was proposed as an automated approach to check whether a given mathematical structure satisfies a formal logic specification. In model checking, a system is formally described as a finite state machine, and the property being checked is specified as a formula in a temporal logic [112]. Model checking then algorithmically enumerates all the states of the state machine to determine whether it satisfies the temporal logic specification. Model checking has been successfully applied to hardware and protocol verification, which typically gives rise to relatively small state spaces. However, it does not apply directly to real programs, due to their large or even infinite state spaces. Even for hardware and protocols, the state space grows exponentially with the number of participating processes or components in the system, which makes automated model checking computationally infeasible. This problem is known as the state explosion problem.
4. http://lamport.azurewebsites.net/tla/tla.html
5. http://www.darpa.mil/program/high-assurance-cyber-military-systems
Over the last decades, a lot of effort has been made to tackle the state explosion problem, and numerous advances in model checking, abstract interpretation and constraint solving have pushed the frontiers of formal verification. We highlight the main achievements below.
Early attempts to deal with the state space explosion problem leveraged significant algorithmic advances that came in the form of symbolic techniques for succinctly representing large sets of states as formulas. In symbolic model checking [116], states and transition relations are represented symbolically as binary decision diagrams (BDDs) that can be manipulated efficiently. In bounded model checking [24], the unfolding of the transition system and the property being checked are encoded as a formula in propositional logic, whose satisfiability can be checked using SAT solvers [18]. The capability of such techniques is still limited by the underlying routines that manipulate the symbolic data structures.
One prevalent way to address the state explosion problem is to employ abstraction [109]. Informally speaking, abstraction aims at minimising the system model to be verified in such a way that automated verification of the abstract model becomes computationally feasible, while the desired properties are still preserved by the abstraction. Abstraction relies on the observation that in most cases the system model contains information irrelevant to the desired properties. Discarding such information reduces the verification burden dramatically. In the past decades, various abstraction techniques have been developed. In [79], predicate abstraction was proposed as a specific technique that over-approximates the semantics of a program and constructs a finite state abstraction of the program, where each abstract state represents possibly infinitely many concrete program states. This technique enables the direct application of finite state model checking approaches to programs with large or infinite state spaces. Since then, predicate abstraction has been widely investigated in research. In [106, 107, 138], efficient SMT-based symbolic techniques for constructing predicate abstractions were studied. It has also been successfully applied in practice [50, 15, 16, 69].
Generally, abstraction results in an over-approximation, which may introduce false positives. In other words, verification of the abstract system may conclude that the property is violated when this is not the case for the concrete system. The counterexample guided abstraction refinement (CEGAR) [39] approach offers a solution to this problem. Specifically, given a counterexample (a faulty execution) found by analyzing the finite-state abstraction, CEGAR either confirms that the counterexample is real, i.e. it corresponds to a concrete execution, or proposes a refined abstraction in which this counterexample is eliminated. Advanced abstraction refinement techniques based on Craig interpolants have been popularized in [117, 118, 120]. Predicate abstraction and Craig interpolant based abstraction refinement have been successfully applied in practice. Notably, the SLAM project [17], initiated by Microsoft Research, applied such techniques to build an industrial toolchain for verifying Windows device driver APIs, and inspired large interest in automated software verification research.
As an alternative to model checking and abstraction techniques, a proof rule for invariance properties of transition systems was proposed in [113]; this is also known as the deductive verification approach. In order to prove an invariance property, deductive verification aims at finding a stronger assertion that entails the invariance property, and then proves that the assertion is inductive. This is done by first checking that all the initial states satisfy the assertion, and then checking that from the set of states satisfying the assertion one cannot reach a state that violates the assertion in one step. Deductive verification provides a partial solution to the verification of invariance properties, and it leaves open the question of how to find the auxiliary assertion. More recently, a technique for constructing the inductive invariant incrementally, called IC3 in [32] (and also called PDR in [55]), has been proposed.
The techniques mentioned above mainly focus on the verification problem for systems of fixed size, i.e. where the number of participating processes or components is fixed. There are systems where the number of participating processes is not fixed a priori, but given as a parameter. Such systems are widely found in the distributed context, e.g. consensus protocols, where the number of participating processes can be arbitrarily large. The verification problem for such systems, known as parameterized verification, asks whether the desired properties hold on systems of all sizes.
Though undecidable in general [11, 136], many interesting results and decidable fragments have been obtained. One technique to prove that a fragment of the parameterized verification problem is decidable is by reduction to the coverability problem of well-structured transition systems, whose decidability is known [1, 66]. Well-known well-structured transition systems include Petri nets and vector addition systems. Another technique is by reduction to a finite collection of classical verification problems, known as cutoff techniques [60, 74, 58, 42, 10]. That is, in order to prove that a property holds on systems of all sizes, it is sufficient to prove that the property holds for system instances up to a fixed size, the cutoff. However, a cutoff does not always exist, and when it does, it varies with the property and with the state machine of the process being checked.
There is also a wide range of techniques that aim at solving the parameterized verification problem automatically, instead of obtaining decidability results. Counter abstraction [127, 74] is one such widely used technique. The idea is that, for systems consisting of an unbounded number of components, where each component is modeled as a finite state automaton, we only keep track of the number of components in each control location, instead of tracking the exact control location of every component. It abstracts a parameterized system into a finite state system, which can be checked using either classical model checking techniques or well-structured transition system based techniques [5, 6].
In [126], the authors extend the deductive verification approach to parameterized systems. The key insight is to compute a quantified inductive invariant, which can prove properties for all system sizes. The proposed way to compute such a quantified invariant is to first construct an invariant for a system of fixed size, and then generalize this invariant to the parameterized case. However, it is not guaranteed that the obtained invariant is inductive, or strong enough to prove the desired property. In [30, 3], regular model checking is proposed as a general framework for algorithmic verification of infinite-state systems. In this approach, sets of system states are represented via regular languages and automata. Symbolic procedures based on automata manipulation can be applied to traverse the infinite search space induced by a parameterized system. In [75, 76], the authors propose using array-based systems to model parameterized systems, and then apply a backward reachability analysis procedure, which symbolically computes pre-images of the set of unsafe states and checks safety and fixpoint by SMT solving. In [104], the authors propose the network invariant method for verifying temporal properties of parameterized systems. The idea is to find a single finite state automaton (the network invariant) that soundly abstracts the parallel composition of n processes. Soundness is obtained by showing a simulation relation between the network invariant and the concrete systems.
Automated verification and parameterized verification remain very active areas of research, particularly for concurrent and distributed systems. This brief survey is biased towards the focus of this dissertation. We remark that there is a wide range of reduction techniques for algorithmic verification of concurrent systems, called partial order reduction [77, 124, 46, 139], that rely on the partial order semantics of concurrent systems. We postpone their elaboration to Chapter 3. For detailed explanations of each verification technique, we refer to the various books on formal verification [47, 13, 81, 28].
1.3 Challenges and contributions
The high-level contributions of this dissertation comprise a new modeling framework and verification algorithms that push the frontiers of algorithmic verification of component-based systems modeled in the BIP framework with both bounded and unbounded concurrency. By systems with bounded concurrency we mean systems that consist of a fixed number of components, and by systems with unbounded concurrency we mean systems that consist of a parameterized number of components. These contributions have been published in the following articles:
1. Formal verification of infinite-state BIP models, Bliudze, Simon and Cimatti, Alessandro and Jaber, Mohamad and Mover, Sergio and Roveri, Marco and Saab, Wajeb and Wang, Qiang, International Symposium on Automated Technology for Verification and Analysis (ATVA 2015), pages 326–343, 2015, Springer.
2. Verification of component-based systems via predicate abstraction and simultaneous set reduction, Qiang, Wang and Bliudze, Simon, International Symposium on Trustworthy Global Computing (TGC 2015), pages 147–162, 2015, Springer.
3. Parameterized systems in BIP: design and model checking, Konnov, Igor and Kotek, Tomer and Wang, Qiang and Veith, Helmut and Bliudze, Simon and Sifakis, Joseph, Proceedings of the 27th International Conference on Concurrency Theory (CONCUR 2016), pages 30–1, 2016, Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik.
4. Exploiting Symmetry for Efficient Verification of Infinite-State Component-Based Systems, Wang, Qiang, International Symposium on Dependable Software Engineering: Theories, Tools, and Applications (SETTA 2016), pages 246–263, 2016, Springer.
1.3.1 Algorithmic verification of systems with bounded concurrency
As discussed in the previous section, the BIP modeling language offers a three-layered modeling mechanism, i.e. Behavior, Interaction and Priority, for constructing complex system behavior and architectures. Behavior is characterized by a set of components, which are formally defined as automata extended with linear arithmetic. Interaction specifies the multiparty synchronization of components, during which data transfer may take place. Priority can be used to schedule the interactions or to resolve conflicts when several interactions are enabled simultaneously. The key insight underlying this three-layered modeling mechanism is the principle of separation of concerns: system computation is captured by a set of components, and system coordination is modeled by interaction and priority.
Our approach is inspired by the Explicit Scheduler Symbolic Thread (ESST) approach to efficient verification of SystemC programs [130]. In brief, we aim at decomposing the verification of infinite-state component-based systems into two levels by taking advantage of the structural features of such systems; we thus palliate the state space explosion by handling the computation inside the components and the coordination among components separately.
On the computation level, we exploit the state-of-the-art counterexample guided abstraction refinement technique to deal with the sequential computations and explore the reachable states of each individual component; on the coordination level, we eliminate the redundant interleavings of concurrent interactions by applying explicit-state partial order reduction techniques [77, 78, 124, 125, 46, 139, 140]. Specifically, we combine lazy abstraction with interpolant-based abstraction refinement [90, 88, 119] and persistent set partial order reduction for BIP. We have implemented the proposed verification techniques on top of the Kratos model checker [36]. We also propose two further techniques to improve the reduction of redundant interleavings. The first technique aims at exploring as many independent interactions as possible simultaneously in one step, and the second technique exploits the system symmetry to improve the persistent set reduction.
These contributions are elaborated, respectively, in Chapters 4 and 5.
We remark that in the BIP framework, DFinder [22, 21] is a dedicated tool for invariant generation and deadlock detection. DFinder computes the system invariant in a compositional manner: it first computes a component invariant over-approximating the reachable states of each component, and then computes an interaction invariant over-approximating the global reachable states. The system invariant is then the conjunction of all component invariants and the interaction invariant. Though scalable for large system models, DFinder does not handle system models with data transfer, which hampers the practical application of DFinder and of the BIP framework, since data transfer is necessary and common in the design of real-life systems (e.g. message passing). Besides, when the inferred invariant fails to prove the property, DFinder produces a single state as the counterexample rather than an execution path. At the time DFinder was developed, it was not clear how to efficiently refine the abstraction automatically from such a single state. In [95], the authors present an encoding of a subset of BIP models into Horn clauses, which are solved by the model checker ELDARICA [94]. However, the encoding does not handle data transfer on interactions. At the current stage of their work, the encoding still requires massive manual effort.
An efficient instantiation of the ESST framework [130] for BIP has been presented in [26]. This ESST-based technique encodes the components as preemptive threads with predefined primitive functions and uses a dedicated stateful BIP scheduler to orchestrate the abstract reachability analysis of the components. The scheduler interacts with the components via the primitive functions and respects the BIP operational semantics. Moreover, partial order reduction techniques [78] are applied in the scheduler to reduce its state space.
1.3.2 Modeling and verifying systems with unbounded concurrency
Parameterized systems are systems consisting of homogeneous processes, where the parameter indicates the number of such processes in the system. A parameterized system therefore describes an infinite family of systems, whose instances are obtained by fixing the parameter value. Verifying the correctness of such a system amounts to verifying the correctness of every member of the infinite family it describes. This problem is undecidable in general [136]. However, much effort has been invested into extending classic model checking to the parameterized case, leading to numerous parameterized model checking techniques (see [28] for a recent survey).
Unfortunately, parameterized model checking techniques often come with their own mathematical models, which makes their practical application difficult. To perform parameterized model checking, the user needs deep knowledge of the literature. First, the user must manually inspect the parameterized model and match it with the mathematical formalisms of the available parameterized verification techniques. Using the match, the user then applies the decidability results (if any) for the parameterized model, e.g. by computing a cutoff or by translating the parameterized model into the language of a particular tool for the specific architecture.
Thus, there is a gap between the mathematical formalisms and algorithms of parameterized verification research and verification in practice, which is usually done by engineers who are not familiar with the details of the literature. We aim at closing this gap by introducing a framework for the design and verification of parameterized systems in BIP. With this framework, we make the following specific contributions:
1. We propose the first-order interaction logic (FOIL) within the BIP framework as a formal language for the architectures of parameterized systems, i.e. their system topologies and communication mechanisms. FOIL is powerful enough to express the architectures found in parameterized systems, including the classical ones: token-passing rings, rendezvous cliques, broadcast cliques and rendezvous stars. We also identify a decidable fragment of FOIL, which is important for practical applicability.
2. We investigate the decidability of the verification of parameterized BIP models in which the components are described by finite state automata and the system architecture is specified by a FOIL formula. We prove that this problem is undecidable in general, and identify certain decidable fragments, relying on the theory of well-structured transition systems [1, 66].
3. We provide a framework for integrating mathematical models from the parameterized model checking literature in an automated way: given a parameterized BIP design, our framework detects which parameterized model checking techniques are applicable to this design. We show how to identify the system architecture automatically using SMT solvers and standard (non-parameterized) model checkers.
4. We provide a preliminary prototype implementation of the proposed framework. Our prototype tool takes a parameterized BIP design as input and detects whether one of the following classical results applies to it: the cut-off results for token-passing rings by Emerson & Namjoshi [60], the VASS-based algorithms by German & Sistla [74], and the undecidability and decidability results for broadcast systems by Abdulla et al. [1] and Esparza et al. [64]. More importantly, our framework is not specifically tailored to these techniques.
We remark that our framework builds on the notions of BIP, which allows us to express complex
notions in a terminology understood by engineers. Moreover, our framework allows an expert
in parameterized model checking to capture seminal mathematical models found in the
veriﬁcation literature, e.g. [74, 64, 60, 42].
These contributions are elaborated in Chapter 6.
1.4 Organization of this dissertation
The rest of the dissertation is organized as follows:
– In Chapter 2, we present some preliminaries of safety property verification and introduce the BIP modeling language, which we use throughout this dissertation as the formal system model, together with its operational semantics. We also present a symbolic encoding of BIP system models as symbolic transition systems.
– In Chapter 3, we review the most relevant verification techniques for concurrent systems, in particular abstraction and partial order reduction techniques.
– In Chapter 4, we present the main verification techniques for the class of BIP models with a fixed number of components. In particular, we present an instantiation of the lazy predicate abstraction technique and a partial order reduction for BIP, as well as their combination. At the end of the chapter, we present comprehensive experimental evaluations of the proposed techniques against state-of-the-art verification techniques.
– In Chapter 5, we present two further techniques for improving partial order reductions. First, we investigate how to explore independent interactions simultaneously, instead of postponing them as in the classical partial order reduction approaches. Second, we study how to exploit system symmetries to improve the reductions. We also present their combinations with lazy abstraction and the corresponding experimental evaluations.
– In Chapter 6, we present a design and uniform verification framework for parameterized systems in BIP, that is, systems with an unbounded number of participating components. We first present an extension of the current BIP framework that enables the modeling of a wide range of parameterized systems. Then we present an automated verification framework that can incorporate existing parameterized verification techniques. We also present some decidability results for certain fragments of parameterized BIP models.
– In Chapter 7, we summarise this dissertation and present some perspectives and future work.
2 Preliminary and system model
In this chapter, we first present some preliminaries of formal invariant verification. Then we present the BIP modeling language for systems that consist of a fixed number of components. Finally, we present an encoding of BIP system models as symbolic transition systems.
2.1 Labeled transition system
We denote by $V$ a set of integer variables and by $\mathcal{V}$ a valuation of the variables in $V$. We denote by $E_V$ the set of expressions and by $F_V$ the set of formulae in the theory of linear arithmetic over $V$. We write $\mathcal{V} \models \phi$ when the valuation $\mathcal{V}$ satisfies a formula $\phi \in F_V$, and $\mathcal{V}[x := e]$ for the valuation obtained from $\mathcal{V}$ by substituting the expression $e$ for the variable $x$. As usual, primed variables represent the state of the system after one step; priming is extended to formulae and assignments in the standard way.
In this dissertation, we use labeled transition systems to deﬁne the operational semantics of
computing systems.
Definition 2.1.1 (Labeled transition system) A labeled transition system (LTS) is a tuple $T = \langle C, \Sigma, R, C_0\rangle$, which consists of
1. a set of states $C$;
2. a set of transition labels $\Sigma$;
3. a transition relation $R \subseteq C \times \Sigma \times C$;
4. a set of initial states $C_0 \subseteq C$.
For simplicity, we denote a transition $\langle c, t, c'\rangle \in R$ by $c \xrightarrow{t} c'$. A transition $t$ is enabled in the state $c$ if $c \xrightarrow{t} c'$ for some $c' \in C$. An LTS is deterministic if $c \xrightarrow{t} c_1$ and $c \xrightarrow{t} c_2$ imply $c_1 = c_2$, for any $c \in C$ and $t \in \Sigma$. In this dissertation, we focus on deterministic transition systems.
A trace (or an execution) of a transition system is a sequence of transitions from a given state. We denote a trace by its sequence of transition labels: the sequence of transitions $c \xrightarrow{t_1} c_1 \xrightarrow{t_2} \dots \xrightarrow{t_n} c'$ is written $c \xrightarrow{t_1 t_2 \dots t_n} c'$. A state $c$ is reachable if there is a trace $c_0 \xrightarrow{t_1 \dots t_n} c$ with $c_0 \in C_0$ and $t_i \in \Sigma$ for each $i \in [1, n]$. Given a state $c$, we denote by $en(c) \subseteq \Sigma$ the set of transitions enabled in $c$. A state $c$ is a deadlock state if $en(c) = \emptyset$, i.e. there are no $t \in \Sigma$ and $c' \in C$ such that $c \xrightarrow{t} c'$. We denote by $RS$ the set of all reachable states.
A set of states can also be represented by its characteristic predicate, that is, a predicate that holds exactly for the states in the set. Given a predicate $p$, we define the post operator as follows:
$$post(p, R) = \{\, c' \in C \mid \exists c \in C,\, t \in \Sigma.\; p(c) \wedge (c, t, c') \in R \,\}$$
In other words, $post(p, R)$ characterises the set of states reachable from the states satisfying $p$ in one step by taking a transition in $R$. For instance, $post(C_0, R)$ is the set of states reachable from the initial states in one step. More generally, the set of states reachable within $i$ steps is defined using the post operator as
$$RS_i = C_0 \cup post(C_0, R) \cup \dots \cup post^i(C_0, R)$$
where $post^i$ denotes $i$ successive applications of post.
2.2 Invariant veriﬁcation
An invariant is a safety property: it requires that 'something bad' never happens in any execution of the system. An invariant is usually given as a condition $\phi$ on system states, and requires that $\phi$ holds in all reachable states. Formally:
Definition 2.2.1 (Invariant) Given a labeled transition system $T = \langle C, \Sigma, R, C_0\rangle$, a formula $\phi$ is an invariant of $T$ if every state $c \in RS$ satisfies $\phi$.
Problem 2.2.2 (Invariant verification) Given a labeled transition system $T = \langle C, \Sigma, R, C_0\rangle$ and an invariant property $\phi$, the invariant verification problem asks whether $c \models \phi$ holds for every state $c$ reachable from an initial state $c_0 \in C_0$, i.e. for every $c \in RS$.
One simple way to verify an invariant of a given labeled transition system $T$ is to compute the set of reachable states $RS$ by applying the post operator repeatedly until a fixpoint is reached. The existence of the least fixpoint is guaranteed by the monotonicity of the post operator.
We refer to [132] for more details. The invariant verification problem is then solved by checking whether all states in $RS$ satisfy the invariant. However, this approach does not work well in practice: the state space is frequently far too large to be explored exhaustively, and the fixpoint computation often fails to converge, because of either data space explosion or concurrent interleavings.
Another approach to proving that a formula $\phi$ is an invariant is to construct a formula $\phi_i$, prove that $\phi_i$ is an inductive invariant, and show that $\phi_i \Rightarrow \phi$.
Definition 2.2.3 (Inductive invariant) Given a labeled transition system $T = \langle C, \Sigma, R, C_0\rangle$, a formula $\phi$ is an inductive invariant if the following two conditions hold:
1. $\forall c \in C_0.\; c \models \phi$, and
2. $\forall c \in C.\; (c \models \phi) \wedge (c, t, c') \in R \Rightarrow (c' \models \phi')$,
where $\phi'$ is the formula obtained by replacing every variable of $\phi$ by its primed copy.
Using the post operator, the second condition can equivalently be stated as $post(p, R) \Rightarrow p$, or $p = p \vee post(p, R)$. Thus the strongest inductive invariant is the least fixpoint of the post operator starting from $C_0$, which characterises exactly the set of reachable states $RS$. As stated above, however, computing this least fixpoint is computationally expensive. We remark that finding inductive invariants automatically is a difficult task and remains an active research area in formal verification; we refer to [113] for more information on invariant verification.
An invariant property can also be specified dually by a set of error states $C_{error}$ that violate the invariant. We say that $T$ is safe with respect to $C_{error}$ if no state in $C_{error}$ is reachable, i.e. $C_{error} \cap RS = \emptyset$. If $p_{error}$ is the characteristic predicate of the set of error states, this is equivalent to saying that $\neg p_{error}$ is an invariant of $T$. Thus the error-state reachability problem can be viewed as an invariant verification problem and vice versa. In this thesis we do not differentiate between them, and focus on devising efficient techniques for solving the invariant verification problem for concurrent systems, in particular component-based systems.
2.3 BIP modeling framework
In this section, we present the fragment of the BIP language with multiparty synchronisation and priority. The BIP language only allows describing systems with a fixed structure and interaction topology. First, we present the syntactic BIP model.¹
¹ There are two versions of BIP. We present the new version in this dissertation and omit the language differences between the two versions, which are minor. For more information we refer to http://www-verimag.imag.fr/New-BIP-tools.html.
2.3.1 Syntactic BIP model
A BIP model contains a finite set of components. Each component is an instance of a component type, which is formally defined as a finite state automaton extended with data.
Definition 2.3.1 (Component type) A BIP component type is a tuple $B = \langle V, L, P, E, l^0\rangle$, where
1. $V$ is a finite set of variables;
2. $L$ is a finite set of control locations;
3. $P$ is a finite set of communication port types;
4. $E \subseteq L \times P \times F_V \times E_V \times L$ is a finite set of transition edges, extended with guards in $F_V$ and operations in $E_V$;
5. $l^0 \in L$ is the initial control location.
Given a tuple of component types $\bar{B} = \langle B_0, \dots, B_{k-1}\rangle$ and a tuple of natural numbers $\bar{n} = \langle n_0, \dots, n_{k-1}\rangle$, where $n_i$, $i \in [0, k-1]$, is the number of instances of component type $B_i$, we denote by $B_i[j]$, $j \in [1, n_i]$, the instances of the component type $B_i$; every element of $B_i$ has a local copy in $B_i[j]$. We denote by $P_i$ the set of ports instantiated from the port types of $B_i$.
Since there is a finite number of components, we can re-index them. For simplicity of presentation, we denote by $\{B_i\}_{i=1}^n$ the set of all components instantiated from the types in $\bar{B}$, and we do not distinguish the variables, control locations and transitions of a component type from their local copies in a component when this is clear from the context.
Transition edges in a component are labeled by ports, which form the interface of the component. Ports are used for communication and synchronisation with other components. We assume that, from each control location, any two outgoing transitions have different ports, and that the ports of different components are disjoint; thus two transitions with the same port are never enabled simultaneously. A component violating these assumptions is easily transformed into the required form by renaming ports, without loss of BIP expressiveness. For simplicity of presentation, we denote in the sequel by $id(p)$ the identity of the unique component in which the port type $p$ is defined.
Component coordination is realised by defining the set of allowed interactions, which synchronise transitions of different components. In BIP systems with a fixed number of components, an interaction is represented as a finite set of ports.
Definition 2.3.2 (Interaction) A BIP interaction is a tuple $\gamma = \langle g, P, f\rangle$, where $g \in F_V$, $f \in E_V$ and $P \subseteq \bigcup_{i=1}^n P_i$ with $P \neq \emptyset$ and $|P \cap P_i| \leq 1$ for all $i \in [1, n]$.
An interaction consists of a guard condition, a set of connected ports and an operation on the variables of the connected components. The condition $|P \cap P_i| \leq 1$ restricts an interaction to at most one port from each component.
Intuitively, an interaction defines a guarded multiparty synchronisation with data transfer: an interaction $\gamma$ is enabled only if its guard $g$ holds, and when $\gamma$ is executed, the data transfer specified by $f$ is performed first, after which the transitions labeled by the ports in $P$ are taken simultaneously. We denote by $\Gamma$ a finite set of interactions.
Priority can be used to resolve conflicts among interactions.
Definition 2.3.3 (Priority) Given a set of interactions $\Gamma$, a priority model $\Pi$ is a strict partial order on $\Gamma$. For $\gamma, \gamma' \in \Gamma$, we write $\gamma < \gamma'$ if and only if $(\gamma, \gamma') \in \Pi$, meaning that interaction $\gamma'$ has higher priority than $\gamma$.
We remark that priority only restricts the coordination of the system. Thus, ignoring the priority model yields a safe over-approximation for invariant verification.
In BIP, we can construct a compound component by composing a finite number of components with interactions, and then use this compound component as a building block of a hierarchical model. In this dissertation, however, we do not consider hierarchical models: a BIP model is a single flat compound component, constructed by composing atomic components with interactions.
Definition 2.3.4 (BIP Model) A BIP model is a tuple $M_{BIP} = \langle \{B_i\}_{i=1}^n, \Gamma, \Pi\rangle$, where $\{B_i\}_{i=1}^n$ is a finite set of components, $\Gamma$ is a finite set of interactions over all components, and $\Pi$ is a priority model on $\Gamma$.
In the rest of this section, we use two examples to illustrate the BIP modeling framework.
Example 2.3.5 (Ticket mutual exclusion protocol [110]) Figure 2.1 depicts a BIP model of the ticket mutual exclusion protocol with two processes. The protocol works as follows. Before entering the critical section, each process requests a fresh ticket from the controller, and then waits until its ticket equals the number to be served next. When leaving the critical section, the process resets its ticket and the controller increases the number to be served by one. Notice that all variables are local to the component in which they are defined.
We model each process by a component with one integer variable $ticket_i$ and three control locations $I_i$, $W_i$ and $C_i$, $i \in \{1, 2\}$, where $C_i$ represents the critical section. Each process component also defines three ports $request_i$, $enter_i$ and $leave_i$, representing the transitions of requesting a ticket, and entering and leaving the critical section, respectively.
[Figure 2.1 – Ticket mutual exclusion protocol. The diagram could not be recovered from the extracted text; its legible labels are: the controller component with control location $S$, variables $number$ and $next$, and ports $request$ (operation $number{+}{+}$), $enter$ and $leave$ (operation $next{+}{+}$); the process components $i \in \{1, 2\}$ with control locations $I_i$, $W_i$, $C_i$, variable $ticket_i$ (initially 0) and ports $request_i$, $enter_i$ and $leave_i$ (operation $ticket_i := 0$); and the wires $\{request_i, request\}$ with operation $ticket_i := number$, $\{enter_i, enter\}$ with guard $[ticket_i = next]$, and $\{leave_i, leave\}$.]
The synchronisations between the controller component and the processes are defined by six interactions, each depicted as a wire in Figure 2.1. The ports connected by a wire are synchronised. When a port belongs to several interactions (e.g. the $leave$ port of the controller component), it must be synchronised through exactly one of them each time it is fired. An interaction may also have a guard, e.g. the interaction $\{enter_1, enter\}$ is guarded by $[ticket_1 = next]$, and an operation, e.g. upon firing of the interaction $\{request_1, request\}$, the operation $ticket_1 := number$ updates the variable $ticket_1$ to the value of $number$. For simplicity, the constant guard $true$ and the empty assignment are omitted.
To request a ticket number, process $i$ ($i \in [1, 2]$) synchronises its transition $request_i$ with the controller's transition $request$, whereby the process copies the value of $number$ into $ticket_i$. This is achieved by the interactions $(true, \{request_i, request\}, ticket_i := number)$, $i \in [1, 2]$. To enter the critical section, a process synchronises its transition $enter_i$ with the controller's transition $enter$, through the interactions $([ticket_i = next], \{enter_i, enter\}, skip)$, $i \in [1, 2]$. To leave the critical section, a process synchronises its transition $leave_i$ with the controller's transition $leave$, through the interactions $(true, \{leave_i, leave\}, skip)$, $i \in [1, 2]$.
Initially the controller sets both $number$ and $next$ to 1, and the local variable of each process is 0. The mutual exclusion property requires that the two processes never occupy their critical locations at the same time.
This model is specified in the BIP language as shown in Figure 2.2.
[Figure 2.2 – Ticket mutual exclusion protocol in BIP language. The listing could not be recovered from the extracted text.]
Example 2.3.6 (Temperature control system [9]) Figure 2.3 shows a graphical representation of the BIP model of a coolant temperature control system in a reactor tank. There are three atomic components: the controller in the middle and two rods on the left and right. These three components are composed by five interactions: $(true, \{tick, tick_1, tick_2\}, skip)$, $(true, \{cool, cool_1\}, skip)$, $(true, \{cool, cool_2\}, skip)$, $(true, \{reset, reset_1\}, skip)$ and $(true, \{reset, reset_2\}, skip)$. No guards or operations are defined on these interactions.
The temperature of the tank (denoted by the variable $t$ of the controller) rises at the rate $v_r = 1^\circ/s$, modeled by the transition $(S_3, tick, true, t := t + 1, S_3)$. When the temperature reaches the upper bound of $100^\circ$, the controller refrigerates the tank by moving one of the two rods into the coolant (i.e. by firing one of the interactions $\{cool, cool_1\}$, $\{cool, cool_2\}$). The temperature then decreases at the rate $v_d = 1^\circ/s$. When the temperature reaches the lower bound of $50^\circ$, the controller removes the rod from the coolant (i.e. fires the corresponding interaction $\{reset, reset_1\}$ or $\{reset, reset_2\}$). A rod can be moved again only after 100 time units have elapsed since its last movement, e.g. transition $(S_1, cool_1, [c_1 \geq 100], skip, S_2)$.
[Figure 2.3 – Temperature Control System in BIP. The diagram could not be recovered from the extracted text; its legible labels are: the controller (middle) with control locations $S_1$ to $S_4$, variable $t$, and ports $tick$ (operation $t := t + 1$ while heating and $t := t - 1$ while cooling), $cool$ (guard $[t \geq 100]$) and $reset$ (guard $[t = 50]$); and $rod_1$ (left) and $rod_2$ (right) with control locations $S_1$, $S_2$, variable $c_i$, and ports $tick_i$ (operation $c_i := c_i + 1$), $cool_i$ (guard $[c_i \geq 100]$) and $reset_i$ (operation $c_i := 0$).]
This model is specified in the BIP language as shown in Figure 2.4.
[Figure 2.4 – Temperature control system in BIP language. The listing could not be recovered from the extracted text.]
2.3.2 BIP operational semantics
A state of a BIP model comprising the components $\{B_i\}_{i=1}^n$, with each $B_i = \langle V_i, L_i, P_i, E_i, l_i^0\rangle$, is a tuple $c = \langle\langle l_1, \mathcal{V}_1\rangle, \dots, \langle l_n, \mathcal{V}_n\rangle\rangle$, where for all $i \in [1, n]$, $l_i \in L_i$ and $\mathcal{V}_i$ is a valuation of $V_i$. A state $c_0$ is initial if for all $i \in [1, n]$, $l_i = l_i^0$ and $\mathcal{V}_i$ is the initial valuation of $V_i$. A state $c$ is an error state if $l_i$ is an error location for some $i \in [1, n]$. We say that an interaction $\gamma = \langle g, P, f\rangle$ is enabled in a state $c = \langle\langle l_1, \mathcal{V}_1\rangle, \dots, \langle l_n, \mathcal{V}_n\rangle\rangle$ if $\bigcup_{i=1}^n \mathcal{V}_i \models g$ and, for every component $B_i$ with $P \cap P_i \neq \emptyset$, there is an edge $\langle l_i, P \cap P_i, g_i, f_i, l_i'\rangle \in E_i$ with $\mathcal{V}_i \models g_i$.
The labeled transition system semantics of a BIP model is defined as follows.
Definition 2.3.7 (BIP operational semantics) Given a BIP model $M_{BIP} = \langle \{B_i\}_{i=1}^n, \Gamma, \Pi\rangle$, its operational semantics is the labeled transition system $T_{BIP} = \langle C_{BIP}, \Sigma_{BIP}, R_{BIP}, C^0_{BIP}\rangle$, where
1. $C_{BIP}$ is the set of states as defined above;
2. $\Sigma_{BIP} = \Gamma$;
3. $R_{BIP}$ is the set of transitions, such that there is a transition from a state $c$ to a state $c'$ if and only if there is an interaction $\gamma = \langle g, P, f\rangle$ such that
(a) $\gamma$ is enabled in $c$;
(b) for each component $B_i$ with $P \cap P_i \neq \emptyset$, there is an edge $\langle l_i, P \cap P_i, g_i, f_i, l_i'\rangle \in E_i$, the component moves to $l_i'$, and $\mathcal{V}_i' = \mathcal{V}_i[f_i(f(\mathcal{V}))]$;
(c) for each component $B_i$ with $P \cap P_i = \emptyset$, $l_i' = l_i$ and $\mathcal{V}_i' = \mathcal{V}_i$;
(d) there is no interaction $\gamma'$ enabled in $c$ with $\gamma < \gamma'$;
4. $C^0_{BIP}$ is the set of initial states.
The notation $\mathcal{V}_i[f(\mathcal{V})]$ represents the update of the valuation $\mathcal{V}_i$ by the function application $f(\mathcal{V})$, where $\mathcal{V} = \bigcup_{i=1}^n \mathcal{V}_i$ is the global valuation. For instance, if $\mathcal{V}_i = \{x = 1\}$ and $f(\mathcal{V}) = x{+}{+}$, then $\mathcal{V}_i[f(\mathcal{V})] = \{x = 2\}$. The notation $f_i(f(\mathcal{V}))$ denotes the sequential application of $f$ and then $f_i$. For simplicity, we write $c \xrightarrow{\gamma} c'$ when there is a transition from state $c$ to state $c'$ by the interaction $\gamma$.
For the invariant verification of BIP models with a fixed number of components, the property can be encoded as the reachability of a set of locations, the error locations. A BIP model is safe if no error state is reachable. Notice that any safety property can be encoded as a reachability problem by adding additional components.
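As an added worked example (not code from the dissertation or from the BIP toolset), the following Python script implements the operational semantics of Definition 2.3.7 for a flat BIP model (interaction guard, data transfer, then the component edges; priorities filtered as in clause (d)), the post operator and $RS_k$ of Section 2.1, and the two checks of Section 2.2 (invariant on reachable states, inductive invariant), all on the ticket protocol of Example 2.3.5. The Python names of components, ports and the candidate inductive invariant `phi_ind` are this example's own. Because $number$ and $next$ grow without bound, the concrete post fixpoint never converges (exactly the difficulty noted in Section 2.2), so the script computes $RS_k$ for a bounded $k$ and checks Definition 2.2.3 for `phi_ind` only over a finite box of valuations, which is a bounded approximation of the quantification over all of $C$.

```python
"""BIP operational semantics (Def. 2.3.7), the post operator of Section 2.1 and the
invariant checks of Section 2.2 on the ticket protocol of Example 2.3.5.
Added illustration, not code from the dissertation or the BIP toolset."""
from itertools import product

# Component types as dicts: initial (location, valuation) and edges <l, port, guard, op, l'>.
# Guards and operations are callables over the component's own valuation, so variables
# stay local as in BIP.
def process(i):
    t = f"ticket{i}"
    return {"init": (f"I{i}", {t: 0}),
            "edges": [(f"I{i}", f"request{i}", lambda v: True, lambda v: v, f"W{i}"),
                      (f"W{i}", f"enter{i}", lambda v: True, lambda v: v, f"C{i}"),
                      (f"C{i}", f"leave{i}", lambda v: True, lambda v: {**v, t: 0}, f"I{i}")]}

CONTROLLER = {"init": ("S", {"number": 1, "next": 1}),
              "edges": [("S", "request", lambda v: True, lambda v: {**v, "number": v["number"] + 1}, "S"),
                        ("S", "enter", lambda v: True, lambda v: v, "S"),
                        ("S", "leave", lambda v: True, lambda v: {**v, "next": v["next"] + 1}, "S")]}
COMPONENTS = {"P1": process(1), "P2": process(2), "ctrl": CONTROLLER}

# Interactions <g, P, f>: g and f read the union of all local valuations (data transfer).
def req(i):
    return (lambda V: True, frozenset({f"request{i}", "request"}),
            lambda V: {**V, f"ticket{i}": V["number"]})
def enter(i):
    return (lambda V: V[f"ticket{i}"] == V["next"], frozenset({f"enter{i}", "enter"}), lambda V: V)
def leave(i):
    return (lambda V: True, frozenset({f"leave{i}", "leave"}), lambda V: V)
INTERACTIONS = [req(1), req(2), enter(1), enter(2), leave(1), leave(2)]
PRIORITY = set()   # pairs (gamma, gamma') meaning gamma < gamma'; the ticket model has none

# A state c = <<l_1, V_1>, ..., <l_n, V_n>> as a hashable tuple of (name, loc, sorted items).
def initial_state():
    return tuple((n, c["init"][0], tuple(sorted(c["init"][1].items()))) for n, c in COMPONENTS.items())

def fire(state, gamma):
    """Successor of `state` by interaction gamma, or None if gamma is not enabled."""
    g, ports, f = gamma
    V = {k: v for _, _, vals in state for k, v in vals}
    if not g(V):
        return None
    V = f(V)                                     # data transfer first ...
    succ = []
    for name, loc, vals in state:
        edges = COMPONENTS[name]["edges"]
        local = {k: V[k] for k, _ in vals}
        if ports & {e[1] for e in edges}:        # participating component (P ∩ P_i ≠ ∅)
            hit = [e for e in edges if e[0] == loc and e[1] in ports and e[2](dict(vals))]
            if not hit:                          # no enabled edge: gamma is disabled
                return None
            _, _, _, op, loc = hit[0]
            local = op(local)                    # ... then the component operation f_i
        succ.append((name, loc, tuple(sorted(local.items()))))
    return tuple(succ)

def enabled(state):
    """en(c) after priority: drop interactions dominated by an enabled higher-priority one."""
    en = [g for g in INTERACTIONS if fire(state, g) is not None]
    return [g for g in en if not any((g, h) in PRIORITY for h in en)]

def post(states):
    """post(p, R) of Section 2.1 for an explicit set of states."""
    return {fire(c, g) for c in states for g in enabled(c)}

def reachable_within(k):
    """RS_k = C0 ∪ post(C0) ∪ ... ∪ post^k(C0); the second result says whether a fixpoint was hit."""
    frontier = {initial_state()}
    rs = set(frontier)
    for _ in range(k):
        frontier = post(frontier) - rs
        rs |= frontier
    return rs, not frontier

def mutex(state):
    locs = {n: l for n, l, _ in state}
    return not (locs["P1"] == "C1" and locs["P2"] == "C2")

def phi_ind(state):
    """Candidate inductive invariant (this example's own); it implies mutex."""
    locs, V = {n: l for n, l, _ in state}, {k: v for _, _, vals in state for k, v in vals}
    busy = [i for i in (1, 2) if locs[f"P{i}"] != f"I{i}"]
    return (V["next"] <= V["number"]
            and all(V["next"] <= V[f"ticket{i}"] < V["number"] for i in busy)
            and all(V[f"ticket{i}"] == V["next"] for i in busy if locs[f"P{i}"] == f"C{i}")
            and (len(busy) < 2 or V["ticket1"] != V["ticket2"]))

def holds_within(phi, k):
    """(phi holds on RS_k, fixpoint reached)."""
    rs, fixpoint = reachable_within(k)
    return all(phi(c) for c in rs), fixpoint

def inductive_within(phi, bound):
    """Definition 2.2.3 over the finite box of states with every integer in [0, bound].
    Only a bounded check: the real condition quantifies over all of C."""
    if not phi(initial_state()):
        return False
    for l1, l2, t1, t2, nb, nx in product("IWC", "IWC", *[range(bound + 1)] * 4):
        c = (("P1", l1 + "1", (("ticket1", t1),)), ("P2", l2 + "2", (("ticket2", t2),)),
             ("ctrl", "S", (("next", nx), ("number", nb))))
        if phi(c) and not all(phi(fire(c, g)) for g in enabled(c)):
            return False
    return True

if __name__ == "__main__":
    print(holds_within(mutex, 30), inductive_within(phi_ind, 4), inductive_within(mutex, 4))
```

Running it reports that mutual exclusion holds on $RS_{30}$ without a fixpoint being reached, that `phi_ind` is preserved by every transition out of the box (and it implies `mutex`), and that `mutex` by itself is not inductive: a state with one process in its critical location and the other waiting with $ticket_i = next$ satisfies `mutex` but has a successor violating it, which is why the stronger, inductive `phi_ind` is what a verifier must find.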
2.4 Encoding BIP into Symbolic Transition System
In this section, we briefly present the encoding of BIP into symbolic transition systems, originally introduced in [26], which enables the direct application of state-of-the-art model checkers for infinite-state systems, such as the NUXMV symbolic model checker [33], to verify BIP models.
Definition 2.4.1 (Symbolic transition system) A symbolic transition system is a tuple $STS = \langle V, \phi_{C_0}, \phi_R\rangle$, where
1. $V$ is a finite set of variables;
2. $\phi_{C_0}(V)$ is a first-order formula over $V$ defining the set of initial states;
3. $\phi_R(V, V')$ is a first-order formula over $V \cup V'$ defining the transition relation.
The semantics of a symbolic transition system can be given in terms of an LTS (see for example [112]).
Given a BIP model $M_{BIP} = \langle \{B_i\}_{i=1}^n, \Gamma, \Pi\rangle$, its encoding as a symbolic transition system $STS_{M_{BIP}} = \langle V, \phi_{C_0}, \phi_R\rangle$ is the following.
Variables. The set of variables is defined as
$$V = \bigcup_{i=1}^n \{loc_i\} \;\cup\; \bigcup_{i=1}^n V_i \;\cup\; \bigcup_{i=1}^n \{v_p \mid p \in P_i\} \;\cup\; \{v_\Gamma\}$$
where, for all $i \in [1, n]$, $V_i$ is the set of variables of component $B_i$, and the domain of each variable $v \in V_i$ is preserved in the encoding. We introduce a variable $loc_i$ for each component $B_i$ to encode its control location, and for each port $p \in P_i$ a boolean variable $v_p$ representing the status of the port (enabled or disabled). Besides, we introduce an enumerative variable $v_\Gamma$ whose domain is the set of interactions $\Gamma$.
Initial condition. The initial condition is defined as
$$\phi_{C_0} = \bigwedge_{i=1}^n \Big( loc_i = l_i^0 \wedge \bigwedge_{v \in V_i} v = v^0 \Big)$$
where $v^0$ is the initial value of $v$. The initial valuations of the port variables and of the interaction variable $v_\Gamma$ are arbitrary.
Transition relation. The transition relation is
$$\phi_R = \bigwedge_{i=1}^n \big( Tr^e_i \wedge Tr^p_i \big) \wedge \phi_\Gamma \wedge \phi_\Pi$$
where $Tr^e_i$ encodes the edges of component $B_i$, $Tr^p_i$ encodes the conditions under which each port $p$ of $B_i$ is enabled, $\phi_\Gamma$ encodes the interactions, and $\phi_\Pi$ encodes the priorities. In the following, let $\Gamma_{B_i}$ be the set of all interactions in which component $B_i$ participates, and $\Gamma_e$ the set of interactions that involve the port labeling the edge $e$.
The encoding of the edges of component $B_i$ is defined as
$$Tr^e_i = \bigvee_{e = \langle l_i, p_e, g_e, f_e, l_i'\rangle \in E_i} \Big( loc_i = l_i \wedge loc_i' = l_i' \wedge g_e \wedge \bigvee_{\gamma \in \Gamma_e} v_\Gamma = \gamma \wedge \bigwedge_{\gamma \in \Gamma_e} \big( v_\Gamma = \gamma \rightarrow f_e(f_\gamma(V', V)) \big) \Big) \;\vee\; \Big( \bigwedge_{\gamma \in \Gamma_{B_i}} v_\Gamma \neq \gamma \wedge loc_i' = loc_i \wedge \bigwedge_{x \in V_i} x' = x \Big)$$
where the expression $f_e(f_\gamma(V', V))$ is the symbolic encoding of the function application $f_e$ of the edge $e$ composed with the function application $f_\gamma$ of the interaction $\gamma = \langle g_\gamma, P_\gamma, f_\gamma\rangle$.² The first disjunct states that the edge $e$ is taken by one of the interactions involving its port, with the data transfer of the interaction applied before the operation of the edge; the second disjunct is the frame condition of clause (c) of Definition 2.3.7: a component that does not participate in the chosen interaction keeps its location and its variables.
The encoding of port enablement $Tr^p_i$ is defined as
$$Tr^p_i = \bigwedge_{p \in P_i} \Big( v_p \leftrightarrow \bigvee_{\langle l, p, g, op, l'\rangle \in E_i} \big( loc_i = l \wedge g \big) \Big)$$
That is, a port $p$ is enabled if one of the transitions labeled by $p$ is enabled.
² Note that, while in our definition $f_\gamma$ is a single assignment, the approach can easily be generalised to sequential programs by applying a static single assignment (SS
A) transformation.
Finally, the conditions that constrain the interactions to their ports, and the priorities among the interactions, are defined as
$$\phi_\Gamma = \bigwedge_{\gamma = \langle g_\gamma, P_\gamma, f_\gamma\rangle \in \Gamma} \Big( v_\Gamma = \gamma \rightarrow \big( g_\gamma \wedge \bigwedge_{p \in P_\gamma} v_p \big) \Big)$$
$$\phi_\Pi = \bigwedge_{(\gamma_2, \gamma_1) \in \Pi,\; \gamma_1 = \langle g_{\gamma_1}, P_{\gamma_1}, f_{\gamma_1}\rangle} \Big( \big( g_{\gamma_1} \wedge \bigwedge_{p \in P_{\gamma_1}} v_p \big) \rightarrow v_\Gamma \neq \gamma_2 \Big)$$
That is, $v_\Gamma$ may take the value $\gamma$ only if the guard of $\gamma$ holds and all ports of $\gamma$ are enabled, and it may not take the value $\gamma_2$ whenever some interaction $\gamma_1$ of higher priority ($\gamma_2 < \gamma_1$) is enabled.
The encoding preserves the BIP semantics, and the correctness of the encoding is not hard to prove. The initial configuration is characterised precisely by $\phi_{C_0}$, where each $loc_i$ is constrained to the initial location of the corresponding component and each component variable is assigned its initial value. The transition relation is also characterised precisely, since $v_\Gamma$ can be assigned the value representing a single interaction $\gamma$ at a time, which enables the corresponding transitions of the components; the encoding $\phi_\Gamma$ ensures that $v_\Gamma$ takes the value $\gamma$ only if $\gamma$ is enabled in the corresponding state of the BIP model. The valuations of the additional variables $v_p$ and $v_\Gamma$ do not alter the state space: they are constrained by the formulae $Tr^p_i$ and $\phi_\Gamma$ to reflect the BIP semantics.
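As an added worked instantiation of the encoding (not taken from the dissertation), consider the process component $B_1$ and the controller of Example 2.3.5. The interaction names $\gamma_{r_1} = \langle true, \{request_1, request\}, ticket_1 := number\rangle$, $\gamma_{e_1} = \langle ticket_1 = next, \{enter_1, enter\}, skip\rangle$, $\gamma_{l_1} = \langle true, \{leave_1, leave\}, skip\rangle$ (and $\gamma_{r_2}$ for process 2) and the location variable $loc_c$ of the controller are introduced here for readability. The encoding variables of $B_1$ are $loc_1$ (over $\{I_1, W_1, C_1\}$), $ticket_1$ and the port variables $v_{request_1}, v_{enter_1}, v_{leave_1}$, plus the global $v_\Gamma$ ranging over the six interactions. Since every edge guard of $B_1$ is $true$, port enablement reduces to the control location:
$$Tr^p_1 = (v_{request_1} \leftrightarrow loc_1 = I_1) \wedge (v_{enter_1} \leftrightarrow loc_1 = W_1) \wedge (v_{leave_1} \leftrightarrow loc_1 = C_1)$$
The conjunct of $\phi_\Gamma$ for $\gamma_{e_1}$ ties the interaction variable to both connected ports and to the interaction guard:
$$v_\Gamma = \gamma_{e_1} \rightarrow \big( ticket_1 = next \wedge v_{enter_1} \wedge v_{enter} \big)$$
For the edge $e = \langle I_1, request_1, true, skip, W_1\rangle$ of $B_1$ we have $\Gamma_e = \{\gamma_{r_1}\}$, and $f_e(f_{\gamma_{r_1}}(V', V))$ is the data transfer $ticket_1 := number$ followed by the empty edge operation, so the contribution of $e$ to $Tr^e_1$ is
$$loc_1 = I_1 \wedge loc_1' = W_1 \wedge v_\Gamma = \gamma_{r_1} \wedge ticket_1' = number$$
whereas the controller edge $\langle S, request, true, number{+}{+}, S\rangle$ is shared by $\gamma_{r_1}$ and $\gamma_{r_2}$, so its contribution to the controller's $Tr^e$ is
$$loc_c = S \wedge loc_c' = S \wedge (v_\Gamma = \gamma_{r_1} \vee v_\Gamma = \gamma_{r_2}) \wedge number' = number + 1 \wedge next' = next$$
When the chosen interaction does not involve $B_1$ (clause (c) of Definition 2.3.7), i.e. $v_\Gamma \notin \{\gamma_{r_1}, \gamma_{e_1}, \gamma_{l_1}\}$, the encoding must enforce $loc_1' = loc_1 \wedge ticket_1' = ticket_1$. Since the ticket model declares no priorities, $\Pi = \emptyset$ and $\phi_\Pi = true$. Reading the formulas this way makes the two sanity checks a practitioner performs on a generated encoding explicit: every $v_p$ is defined by exactly one biconditional, and every occurrence of $v_\Gamma = \gamma$ is guarded by the port and guard conditions of $\gamma$ in $\phi_\Gamma$, so the solver cannot pick an interaction that the BIP semantics would not allow.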
3 Veriﬁcation of concurrent systems
In this chapter, we review the most relevant techniques for the algorithmic verification of infinite-state concurrent systems. We present these techniques in two categories: 1) abstraction techniques, which address the data state explosion problem, and 2) partial order techniques, which reduce the number of redundant interleavings due to concurrency.
3.1 Abstraction techniques
Verification of a transition system with an infinite or very large state space is computationally hard. A prevalent way to reduce the size of the state space is abstraction, as discussed in Chapter 1. The basic idea is to construct a smaller abstract transition system that soundly over-approximates the concrete system, so that safety of the abstract system entails safety of the concrete one. The converse does not hold in general: unsafety of the abstract system does not entail unsafety of the concrete system. A general framework for formalising abstraction and its soundness is abstract interpretation [48].
3.1.1 Abstract interpretation
Given a transition system $T = \langle C, \Sigma, R, C_0 \rangle$, we denote the concrete property domain by $D = (2^C, \subseteq)$. As we discussed in Section 2.2, invariant verification boils down to the fixpoint computation of the post operator. In order to avoid the expensive fixpoint computation in the concrete domain, abstract interpretation works in an abstract property domain, denoted by $\overline{D}$, performs the fixpoint computation in this abstract domain, and then maps the result back to the concrete domain. The correctness of the abstract analysis can be established by a correspondence between the concrete and abstract domains, called a Galois connection.
Definition 3.1.1 (Galois connection) Let $(D, \subseteq)$ and $(\overline{D}, \sqsubseteq)$ be the concrete and abstract property domains respectively. A pair of (monotone) functions $(\alpha, \beta)$, where $\alpha : D \to \overline{D}$ and $\beta : \overline{D} \to D$, defines a Galois connection between these two domains iff for all $a \in D$ and $b \in \overline{D}$ the following holds:
$$\alpha(a) \sqsubseteq b \Leftrightarrow a \subseteq \beta(b)$$
Usually, $\alpha$ is called the abstraction function and $\beta$ the concretisation function. A Galois connection preserves the order between the corresponding domains: if the abstraction $\alpha(a)$ of an element $a \in D$ is smaller than $b \in \overline{D}$ in the abstract domain, then $a$ is smaller than the concretisation $\beta(b)$ of $b$ in the concrete domain. Intuitively, order preservation ensures the soundness of the analysis: computation in the abstract domain will always be a safe over-approximation.
The abstraction of the computation in the concrete domain is then captured by the following
deﬁnition.
Definition 3.1.2 (Function abstraction) Given a concrete domain $(D, \subseteq)$, an abstract domain $(\overline{D}, \sqsubseteq)$ and a Galois connection $(\alpha, \beta)$, a function $f^\sharp : \overline{D} \to \overline{D}$ is an abstraction of a function $f : D \to D$ iff
$$\alpha \circ f \circ \beta \sqsubseteq f^\sharp$$
where $\circ$ denotes functional composition.
$f^\sharp$ is the exact function abstraction of $f$ when $f^\sharp = \alpha \circ f \circ \beta$. In this case, we also say $f^\sharp$ is the induced abstraction of $f$ by the Galois connection $(\alpha, \beta)$. In particular, if $f = post$, then $f^\sharp$ is the abstract post predicate transformer, which can be used to approximate the concrete reachable states.
Abstract interpretation provides a general framework to automate program analysis, where
the crux is to design a suitable abstract property domain.
3.1.2 Predicate abstraction
As an instantiation of the abstract interpretation framework, predicate abstraction [79] uses
a ﬁnite set of predicates to construct the abstract domain. The predicates usually denote
properties of the state and are expressed as formulae, modulo some background theory, over
the state variables. The abstraction is deﬁned by the value of these predicates in any concrete
state of the system. The fundamental operation in predicate abstraction can be described
as the following. Given a formula φ and a set of predicates P = {p1, ...,pn}, generate the most
precise approximation (either under-approximation or over-approximation) of φ using P .
Over the decades, many techniques have been proposed to compute predicate abstraction
efﬁciently [50, 69, 106, 107, 138].
We describe predicate abstraction as it was presented in the seminal paper [79], in the framework of abstract interpretation. Suppose the set of predicates is $P = \{p_1, \ldots, p_n\}$; the abstract domain is $\overline{D} = (2^P, \sqsubseteq)$, where the order $\sqsubseteq$ is subset inclusion. (Since adding predicates shrinks the concretisation, $\beta$ below is antitone with respect to $\subseteq$ on $2^P$; for the Galois connection of Definition 3.1.1 to hold, $P_1 \sqsubseteq P_2$ has to be read as $P_1 \supseteq P_2$, i.e. a larger set of predicates is the more precise abstract element.) Given an abstract state $P_1 \subseteq P$ and a transition relation $R$, the successor abstract state $P_1'$ is then defined as follows:
$$P_1' = \{\, p \in P \mid post(\textstyle\bigwedge P_1, R) \Rightarrow p \text{ is valid} \,\}$$
where $\bigwedge P_1$ represents the conjunction of all the predicates in $P_1$.
The abstraction function of predicate abstraction $\alpha : 2^C \to 2^P$ is defined as follows:
$$\alpha(C') = \{\, p \in P \mid C' \cap \{c \mid c \models \neg p\} = \emptyset \,\}$$
i.e. $\alpha(C')$ collects the predicates that hold in every state of $C'$, and the concretisation function $\beta : 2^P \to 2^C$ is defined by:
$$\beta(P') = \{\, c \mid c \models \textstyle\bigwedge P' \,\}$$
The induced abstraction of the post operator under predicate abstraction is defined by:
$$post^\sharp = \alpha \circ post \circ \beta$$
The reachable states of the concrete transition system can be approximated by computing the
least ﬁxpoint of post  in the abstract domain. However, since predicate abstraction computes
an over-approximation, the analysis may report a false positive, i.e. a spurious counterexample.
To reﬁne the precision of the abstract analysis and eliminate the spurious counterexamples,
the counterexample guided abstraction reﬁnement (CEGAR) technique was proposed in
[39, 40].
3.1.3 Counterexample guided abstraction reﬁnement
The process of CEGAR reasoning is depicted in Figure 3.1. Starting with an initial abstraction (possibly an empty set of predicates in predicate abstraction), we check whether the current abstraction is able to prove the correctness or not. If no error is reported, then we can conclude the safety of the system. Otherwise, we check whether the reported error is real or not. If the error is real, then we conclude the unsafety of the system and report a counterexample. If the error is spurious, then we eliminate this spurious error and refine the abstraction. After a successful refinement, we repeat the above analysis until we either prove the correctness or a real counterexample is found.
We now elaborate on two important subroutines of CEGAR techniques, i.e. counterexample analysis and abstraction refinement.
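As an added example (not code from the thesis), the following Python script carries out the abstract fixpoint of Section 3.1.2 and the loop of Figure 3.1 by explicit enumeration in place of an SMT solver, on a constructed one-variable system: x ranges over [0, 7], starts at 0 and is incremented by 2, with x = 5 as the error state. The initial predicates {x ≤ 3, x ≥ 4} yield a spurious counterexample; the refinement predicate (x even) is supplied by hand at the point where interpolation would derive it. The Galois connection check reads $\sqsubseteq$ on $2^P$ as reverse inclusion, which is the reading under which $\alpha$ and $\beta$ of Definition 3.1.1 are monotone.

```python
from itertools import combinations

# Constructed concrete system (hypothetical, not taken from the thesis): one variable x
# in [0, 7], initial state x = 0, transition x := x + 2 guarded by x + 2 <= 7.
# The error state x = 5 is unreachable because x stays even.
STATES = frozenset(range(8))
INIT = frozenset({0})
ERROR = frozenset({5})

# Initial predicates P = {x <= 3, x >= 4}: too coarse to prove safety.
PREDS0 = {"x<=3": lambda x: x <= 3, "x>=4": lambda x: x >= 4}
# The predicate a refinement step would add (what an interpolant for the spurious trace says).
EVEN = ("even", lambda x: x % 2 == 0)


def post(states):
    """Concrete post operator on a set of states."""
    return frozenset(x + 2 for x in states if x + 2 <= 7)


def beta(preds, abstract):
    """Concretisation: the states satisfying every predicate of the abstract state."""
    return frozenset(x for x in STATES if all(preds[p](x) for p in abstract))


def alpha(preds, concrete):
    """Abstraction: the predicates that hold in every state of the concrete set."""
    return frozenset(p for p in preds if all(preds[p](x) for x in concrete))


def abstract_post(preds, abstract):
    """Induced abstraction post# = alpha o post o beta."""
    return alpha(preds, post(beta(preds, abstract)))


def galois_connection_holds(preds):
    """alpha(a) ⊑ b  <=>  a ⊆ beta(b) for all a, b, with ⊑ on 2^P read as reverse
    inclusion: more predicates denote a smaller set of concrete states."""
    names = list(preds)
    abstracts = [frozenset(c) for r in range(len(names) + 1) for c in combinations(names, r)]
    concretes = [frozenset(x for x in STATES if mask >> x & 1) for mask in range(1 << len(STATES))]
    return all((alpha(preds, a) >= b) == (a <= beta(preds, b))
               for a in concretes for b in abstracts)


def abstract_reach(preds):
    """Least fixpoint of post# from alpha(INIT). Returns the abstract path to the first
    abstract state whose concretisation meets ERROR, or None if none is reachable."""
    start = alpha(preds, INIT)
    parent = {start: None}
    worklist = [start]
    while worklist:
        a = worklist.pop(0)
        if beta(preds, a) & ERROR:
            path = []
            while a is not None:
                path.append(a)
                a = parent[a]
            return path[::-1]
        succ = abstract_post(preds, a)
        if succ not in parent:
            parent[succ] = a
            worklist.append(succ)
    return None


def feasible(preds, path):
    """Counterexample analysis by forward simulation through the abstract path: the
    enumeration stand-in for checking satisfiability of the trace formula with SMT."""
    reach = INIT & beta(preds, path[0])
    for a in path[1:]:
        reach = post(reach) & beta(preds, a)
    return bool(reach & ERROR)


def cegar(preds, refinements):
    """CEGAR loop of Figure 3.1. `refinements` lists the predicates successive refinement
    steps contribute; returns the log of rounds, ending in 'safe' or 'unsafe'."""
    preds, refinements, log = dict(preds), list(refinements), []
    while True:
        path = abstract_reach(preds)
        if path is None:
            return log + ["safe"]
        if feasible(preds, path):
            return log + ["unsafe"]
        if not refinements:
            return log + ["spurious counterexample, no refinement left"]
        name, pred = refinements.pop(0)
        preds[name] = pred
        log.append("refined with " + name)


if __name__ == "__main__":
    print(cegar(PREDS0, [EVEN]))
```

With the two initial predicates the abstract post of {x ≤ 3} is the empty predicate set, whose concretisation contains the error state; the forward simulation only reaches x = 2 along that path, so the counterexample is spurious, and after adding the parity predicate the abstract fixpoint stays within {even} and proves the system safe.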
Figure 3.1 – Counterexample guided abstraction refinement loop: 1: compute abstraction → 2: check abstraction; [no error] → safe, otherwise → 3: check feasibility; [feasible] → counterexample, otherwise → 4: refine abstraction → back to 1.
Suppose the abstract analysis produces a counterexample as shown in Figure 3.2, where the node in blue represents an error state. One way to check whether it is a real counterexample is to build a trace formula $\phi_{\gamma_1} \land \phi_{\gamma_2} \land \ldots \land \phi_{\gamma_n}$ corresponding to the static single assignment form of the statements in the trace, and check its satisfiability using an SMT solver. If the constructed trace formula is satisfiable, then the counterexample is real. Otherwise, it is spurious.
Figure 3.2 – A counterexample trace: states $0, 1, 2, 3, \ldots, n$ connected by the interactions $\gamma_1, \gamma_2, \gamma_3, \ldots, \gamma_n$, with state $n$ the error state
When a spurious counterexample is found, it must be eliminated by refining the precision of the abstract analysis. In predicate abstraction, refining the abstraction boils down to discovering new important predicates to enrich the abstract property domain. One advanced technique to solve this problem relies on Craig interpolation [49, 118, 120].
Definition 3.1.3 (Craig interpolant) Given a pair of formulae $(\phi_A, \phi_B)$ such that the conjunction $\phi_A \land \phi_B$ is unsatisfiable, a Craig interpolant for $(\phi_A, \phi_B)$ is a formula $\phi_A'$ with the following properties:
1. $\phi_A \Rightarrow \phi_A'$,
2. $\phi_A' \land \phi_B$ is unsatisfiable, and
3. $\phi_A'$ only refers to the non-logical symbols common to $\phi_A$ and $\phi_B$.
Given a spurious counterexample trace $c_1 \xrightarrow{\gamma_1 \gamma_2 \ldots \gamma_n} c_n$, there are $n-1$ possible ways of splitting the unsatisfiable formula $\phi_{\gamma_1} \land \phi_{\gamma_2} \land \ldots \land \phi_{\gamma_n}$ into two formulae $(\phi_{\gamma_1} \land \cdots \land \phi_{\gamma_i},\ \phi_{\gamma_{i+1}} \land \cdots \land \phi_{\gamma_n})$, for $i \in [1, n-1]$, preserving the order of interactions. For a given splitting, e.g. $(\phi_{\gamma_1},\ \phi_{\gamma_2} \land \ldots \land \phi_{\gamma_n})$,
we can compute an interpolant φ and derive a predicate from it. This predicate is then added
to the abstract domain to reﬁne the abstraction. The chief advantage of interpolants derived
from refutations of unsatisﬁable formulae is that they capture the facts that the prover derived
about φγ1 in showing that φγ1 is inconsistent with φγ2 ∧ . . .∧φγn . Thus, if the prover tends to
ignore irrelevant facts and focus on relevant ones, we can think of interpolation as a way of
ﬁltering out irrelevant information from φγ1 .
The CEGAR approach (based on predicate abstraction and interpolation) has been widely investigated in the literature and successfully applied in practice to program and software verification. An incomplete list of available tools that perform predicate abstraction includes the SLAM toolkit [15, 16, 14], the BLAST toolkit [90, 88], the SATABS model checker [41], and CPAchecker [23].
3.1.4 Lazy abstraction
In traditional predicate abstraction, e.g. [15], an abstract transition system is first constructed eagerly and then used for model checking. A bottle­neck of this approach is the construction of the abstract transition system, which may be very inefficient. Lazy abstraction [90, 88, 119] avoids the expensive construction of the abstract transition system and performs the abstraction only when necessary.
In combination with counterexample guided refinement, lazy abstraction provides a powerful technique to address the data state explosion problem for the verification of sequential programs. It also relies on a predicate abstract domain to approximate the concrete states. In lazy abstraction, programs are represented as control flow graphs.
Definition 3.1.4 (Control flow graph) A control flow graph is a tuple $CFG = (V, L, E, l_0)$, consisting of a set of variables $V$, a set of control locations $L$, a set of transition edges $E \subseteq L \times (E_V \cup F_V) \times L$ and an initial control location $l_0$.
Lazy abstraction performs a forward reachability analysis and constructs an abstract reachability tree (ART) to approximate the concrete reachable states. The construction of the ART proceeds by expanding the ART nodes, starting with the initial one. To expand a node, we first check whether it represents an error location. If an error location is reached, we then check whether the path from the root to this error node represents a real counterexample or not. One way to conduct this check is to symbolically simulate this path from the initial states. If the path is feasible, then a real counterexample is reported. Otherwise, we identify the location from which the path becomes infeasible, and restart the construction from this location using a refined abstract domain.
Then we check if the current node can be covered by some other nodes. If it is covered, we can
stop the exploration from the covered node, since it represents a subset of states of the covering
node. Otherwise, we expand the current node and compute all the abstract successors. We
then add all the successors in the tree as the children nodes, and process them later.
The ART node expansion looks at the control location of the node, and for each outgoing edge
in the control ﬂow graph, a new successor node is created. The computation in [90] is slightly
different from that of [119]. In [90], predicate abstraction is used to approximate the post
operator, while in [119], no actual post operator is used. The state formula of the successor
node is obtained from the interpolation.
The ART construction terminates when all leaf nodes are either covered or fully expanded. An ART is safe if no error states are found. If the ART construction terminates, lazy abstraction returns either a safe ART as the safety proof for the given program, or a counterexample. However, termination is not guaranteed in general.
3.2 Partial order reduction techniques
Abstraction techniques presented in the previous sections can resolve the data explosion problem. There is, however, another source of state explosion that cannot be handled by abstraction techniques. In concurrent systems, the state space also grows exponentially with the number of components in the system. This is due to the interleavings of concurrent transitions.
Dedicated techniques for handling concurrency and for reducing the number of interleavings
are generally called partial order reduction (POR) techniques [77, 78, 124, 125, 46, 139, 140,
141]. The observation is that many interleavings in concurrent systems are equivalent in the
sense that they lead to the same ﬁnal state, though in different execution order. The basic idea
of POR is to explore only one representative interleaving out of all equivalent ones.
In order to select the equivalent interleavings, POR makes use of the independence property
of concurrent transitions, i.e. when concurrent transitions are independent, their executions
do not interfere with each other, and changing the order of interleaving does not change the
ﬁnal state. Formally, the concept of transition independence is deﬁned as follows.
Definition 3.2.1 (Transition independence) Given a labeled transition system $T = \langle C, \Sigma, R, C_0 \rangle$, two transitions $t_1, t_2 \in \Sigma$ are independent if, in every state $c \in C$, the following two conditions hold:
1. if $t_1$ is enabled in $c$ and $c \xrightarrow{t_1} c'$, then $t_2$ is enabled in $c$ iff $t_2$ is enabled in $c'$; and symmetrically for the case of $t_2$;
2. if $t_1, t_2$ are both enabled in $c$, $c \xrightarrow{t_1 t_2} c_1'$ and $c \xrightarrow{t_2 t_1} c_2'$, then $c_1' = c_2'$.
Independent transitions neither disable nor enable each other. Simultaneously enabled independent transitions commute with each other, and different execution orders result in the same final state. It is worth noticing that the above definition of independence is unconditional, i.e. it quantifies over all states in $C$. Independence is also a global property: one has to look at every possible reachable state in order to obtain the precise independence relation.
Similarly, given a sequence of transitions $t_1 \ldots t_i t_j \ldots t_n$, where the adjacent transitions $t_i$ and $t_j$ are independent, permuting $t_i$ and $t_j$ results in an equivalent transition sequence, in the sense that both lead to the same final state. More generally, given a state $c \in C$, if $c \xrightarrow{t_1 \ldots t_n} c_1$ and $c \xrightarrow{t_1' \ldots t_n'} c_2$, and $t_1' \ldots t_n'$ can be obtained from $t_1 \ldots t_n$ by successively permuting adjacent independent transitions, then $c_1 = c_2$.
In the literature, traces that can be obtained from each other by successively permuting adjacent commuting transitions are called Mazurkiewicz traces [115]. If the intermediate states of the traces are irrelevant to the property of interest, e.g. deadlocks, only one interleaving out of each class of equivalent Mazurkiewicz traces needs to be explored, thus saving verification effort by exploring a reduced reachable state space.
In algorithmic verification, POR essentially performs a selective search to explore a subset of the whole state space, as shown in Algorithm 1. A selective search takes as inputs a transition system $T$ to be explored and a reduction function $f_{POR} : C \to 2^\Sigma$, which is used to select the subset of explored transitions in each state. It basically operates as a classical state space search, e.g. DFS, except that, at each state reached during the search, it computes and explores a subset of all the transitions enabled in this state, using the reduction function $f_{POR}$. The other enabled transitions are postponed to be explored later or possibly ignored.
Algorithm 1 Basic selective search
  procedure SELECTIVESEARCH(T, f_POR)
    Stack, History initially empty
    push C0 into Stack
    while Stack ≠ ∅ do
      pop c from Stack
      if c ∉ History then
        push c into History
        T' ← f_POR(c)
        for t ∈ T' do
          c' ← post(c, t)
          push c' into Stack
Clearly, a selective search only reaches a subset of all the reachable states, thus, constructs a
reduced transition system deﬁned as follows.
Definition 3.2.2 (Reduced labeled transition system) Given a labeled transition system $T = \langle C, \Sigma, R, C_0 \rangle$, the reduced transition system constructed by using a reduction function $f_{POR}$ is a tuple $T_r = \langle C_r, \Sigma_r, R_r, C_0 \rangle$, where $C_0 \subseteq C_r \subseteq C$, and if $c \in C_r$, $t \in f_{POR}(c)$ and $c \xrightarrow{t} c'$, then $c' \in C_r$ and $(c, t, c') \in R_r$.
If the set of enabled transitions to be explored, i.e. $f_{POR}(c)$, is chosen properly, the reduced reachable state space $C_r$ may be significantly smaller than $C$, while still preserving the same properties as the full reachable state space. It is important to notice that POR avoids generating the full reachable state space, and constructs the reduced one directly. Depending on the reduction function $f_{POR}$, POR approaches can be roughly classified into three categories: the ample set approach [124, 125, 46, 47], the stubborn set approach [139, 140, 141, 143], and the persistent set approach [77, 78, 68, 147]. In the following, we review the key insights of these POR approaches, and refer to the various research articles for the specific algorithms for computing such sets.
3.2.1 Ample set
Ample-set-based partial order reduction makes use of the property of transition independence in Definition 3.2.1. We denote the reduction function by $f_{ample}$.
Definition 3.2.3 (Ample set) For a state $c$, a set of transitions $f_{ample}(c)$ is called an ample set iff it satisfies the following two conditions:
A0. if $en(c) \neq \emptyset$, then $f_{ample}(c) \neq \emptyset$;
A1. if $c \xrightarrow{t_1 \ldots t_n}$ and $t_i \notin f_{ample}(c)$ for all $i \in [1, n]$, then every $t_i$, $i \in [1, n]$, is independent of all transitions in $f_{ample}(c)$.
It has been proved that POR based on an ample set reduction function preserves all the
deadlocks of the full state space [47].
Theorem 3.2.4 ([47]) Given a labeled transition system $T = \langle C, \Sigma, R, C_0 \rangle$ and a deadlock state $c_d \in C$ with $c_0 \xrightarrow{t_1 \ldots t_n} c_d$, $c_0 \in C_0$, if the reduction function $f_{POR}$ obeys the conditions A0 and A1 in Definition 3.2.3, then there is a permutation $t_1' \ldots t_n'$ of $t_1 \ldots t_n$ such that $c_0 \xrightarrow{t_1' \ldots t_n'} c_d$ in the reduced transition system $T_r$.
Proof 3.2.5 The proof proceeds by induction on the length of the trace. The conclusion holds trivially when $n = 0$.
If $n > 0$, then $f_{ample}(c_0)$ contains an enabled transition $t$. If none of $t_1 \ldots t_n$ is in $f_{ample}(c_0)$, then $c_d \xrightarrow{t}$ by A1, contradicting the assumption that $c_d$ is a deadlock. So there must be a smallest index $i$ such that $t_i \in f_{ample}(c_0)$. Let $c_{i-1}$ and $c_i$ be the states such that $c_0 \xrightarrow{t_1 \ldots t_{i-1}} c_{i-1} \xrightarrow{t_i} c_i$. Furthermore, let $c_1'$ be the state such that $c_0 \xrightarrow{t_i} c_1'$. Then by A1, applying independence $i-1$ times, we have $c_1' \xrightarrow{t_1 \ldots t_{i-1}} c_i'$. Since the transition system is deterministic, $c_i' = c_i$. So $c_0 \xrightarrow{t_i} c_1' \xrightarrow{t_1 \ldots t_{i-1}} c_i' \xrightarrow{t_{i+1} \ldots t_n} c_d$. Hence, by the fact that $c_1'$ is in the reduced transition system and the induction hypothesis that the conclusion holds for traces of length $n-1$, we conclude that it also holds for traces of length $n$.
3.2.2 Stubborn set
With the stubborn set approach, transition independence is not explicitly assumed.
Definition 3.2.6 (Stubborn set) For a state $c$, a set of transitions $f_{stubb}(c)$ is called a stubborn set iff the following conditions hold:
S0. if $en(c) \neq \emptyset$, then $f_{stubb}(c) \neq \emptyset$;
S1. for each transition $t \in f_{stubb}(c)$ which is disabled in state $c$, if $c \xrightarrow{t_1 \ldots t_n} c_n$ and $t_i \notin f_{stubb}(c)$ for all $i \in [1, n]$, then $t$ is also disabled in state $c_n$;
S2. for each transition $t \in f_{stubb}(c)$ which is enabled in state $c$ with $c \xrightarrow{t} c'$, if $c \xrightarrow{t_1 \ldots t_n} c_n$ and $t_i \notin f_{stubb}(c)$ for all $i \in [1, n]$, then there is a state $c_n'$ such that $c_n \xrightarrow{t} c_n'$ and $c' \xrightarrow{t_1 \ldots t_n} c_n'$.
A stubborn set may contain both enabled and disabled transitions. Condition S1 says that disabled transitions in the stubborn set remain disabled while outside transitions take place. Condition S2 says that enabled transitions in the stubborn set commute with sequences of outside transitions. Sets satisfying the above conditions are also called strong stubborn sets. It is possible to weaken condition S2 such that, instead of requiring that all enabled transitions in a stubborn set remain enabled while outside transitions occur, we only require that one of them exists and remains enabled. Sets satisfying this weaker condition are often called weak stubborn sets.
The following theorem states that every ample set is also a strong stubborn set when the
transition system is deterministic [143].
Theorem 3.2.7 ([143]) Assume that transition system is deterministic, then every ample set
f ample (c) is also a strong stubborn set in state c.
Proof 3.2.8 Condition A0 implies S0. Furthermore, S2 follows directly from A1 and S1 follows
from the fact that f ample (c)⊆ en(c).
However, the opposite does not hold in general.
3.2.3 Persistent set
Persistent-set-based partial order reduction relies on the conditional transition independence
in a single state, instead of the unconditional one as in Deﬁnition 3.2.1.
Definition 3.2.9 (Conditional transition independence) Given a labeled transition system $T = \langle C, \Sigma, R, C_0 \rangle$, two transitions $t_1, t_2 \in \Sigma$ are independent in a state $c \in C$ iff the following two conditions hold:
1. if $t_1$ is enabled in $c$ and $c \xrightarrow{t_1} c'$, then $t_2$ is enabled in $c$ iff $t_2$ is enabled in $c'$; and symmetrically for the case of $t_2$;
2. if $t_1, t_2$ are both enabled in $c$, $c \xrightarrow{t_1 t_2} c_1'$ and $c \xrightarrow{t_2 t_1} c_2'$, then $c_1' = c_2'$.
The only difference from Deﬁnition 3.2.1 is that the independence is considered in a single
state, instead of the whole state space.
Definition 3.2.10 (Persistent set) For a state $c$, a set of transitions $f_{pers}(c)$ is called a persistent set iff the following two conditions hold:
P0. $f_{pers}(c) \subseteq en(c)$;
P1. for every trace $c = c_0 \xrightarrow{t_1 \ldots t_n} c_n$ with $t_i \notin f_{pers}(c)$, $i \in [1, n]$, all transitions in $f_{pers}(c)$ are independent of $t_i$ in state $c_{i-1}$.
Intuitively, a set of transitions is called persistent in a state if whatever transitions one takes from this state while remaining outside of the set do not interfere with any transition in the set.
The following theorem says that persistent sets and strong stubborn sets are equivalent when the transition system is deterministic, as stated in [78] and in [143].
Theorem 3.2.11 ([143, 78]) Assume that the transition system is deterministic. Then every nonempty persistent set is also a strong stubborn set, and the enabled transitions of a strong stubborn set form a persistent set.
Proof 3.2.12 Condition P0 implies S1, and if a persistent set is nonempty, then it implies S0. Further, condition P1 implies S2.
Conversely, given a stubborn set $f_{stubb}(c)$, let $f_{pers}(c) = f_{stubb}(c) \cap en(c)$. Let $t \in f_{pers}(c)$ with $c \xrightarrow{t} c'$, let $c \xrightarrow{t_1} c_1 \xrightarrow{t_2} c_2 \ldots \xrightarrow{t_n} c_n$, and $t_i \notin f_{pers}(c)$ for $i \in [1, n]$. Then S2 implies that there are states $c_1', \ldots, c_n'$ such that $c' \xrightarrow{t_1} c_1' \xrightarrow{t_2} c_2' \ldots \xrightarrow{t_n} c_n'$. By applying S2 to the prefixes $t_1 \ldots t_i$ instead of $t_1 \ldots t_n$, we conclude that $c_i \xrightarrow{t} c_i'$ for $i \in [1, n]$. Thus S2 implies that for all $i \in [1, n]$, $t$ is independent of $t_i$ in $c_{i-1}$, which means that the set $f_{pers}(c)$ is persistent.
To summarize, for deterministic transition systems, the relation between the notions of ample
set, stubborn set and persistent set is shown in the Figure 3.3. That is, ample set implies strong
stubborn set and strong stubborn set is equivalent to persistent set.
Figure 3.3 – Relations between ample, stubborn and persistent sets: ample set implies strong stubborn set; strong stubborn set is equivalent to persistent set
3.2.4 Partial order reduction for safety properties
All the reduction functions above only guarantee the preservation of deadlocks in the reduced system. In general, however, preservation of safety properties cannot be guaranteed. This is due to the ignoring problem [139, 140, 46, 13]: when cycles are encountered during the state space exploration, the behaviour (local reachable states) of some component may be completely ignored in the states visited by the selective search. An example illustrating the ignoring problem is shown in Figure 3.4. We only show the automata of the two components. No interactions are defined to synchronize the transitions; transitions of the two components can only interleave.
In the initial state $(c, c_1)$, the set $\{t\}$ satisfies the ample set conditions A0 and A1. However, if we only explore the transition $t$, we ignore all the reachable states of the component on the right-hand side. Thus, if the property being verified concerns the reachable states of that component, the above set is not sufficient.
Figure 3.4 – An example for illustrating the ignoring problem: the left component has the single location $c$ with the transition $t$; the right component has the locations $c_1$, $c_2$ and the transitions $t_1$, $t_2$
In order to avoid the ignoring problem, partial order reduction techniques usually introduce
an additional condition S:
S. For every transition $t \in en(c)$, there exists a trace $c = c_0 \xrightarrow{t_1} c_1 \xrightarrow{t_2} c_2 \ldots \xrightarrow{t_n} c_n$, where $t_i \in f_{POR}(c_{i-1})$, such that $t \in f_{POR}(c_n)$.
This condition ensures that every enabled transition will occur at least once in the reduced
state space. In the above example, both {t1} and {t, t1} satisfy this additional condition. Thus,
either can be selected in the initial state.
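The following Python script is an added example (not the thesis's code) implementing Algorithm 1 over a product of components, with a persistent set (Definition 3.2.10) computed by closing over shared components and conditional independence (Definition 3.2.9) checked directly on the LTS. It reproduces the ignoring problem on the model of Figure 3.4 (the directions $c_1 \to c_2$ for $t_1$ and $c_2 \to c_1$ for $t_2$ are assumed, since the figure only names them) and shows how the usual cycle proviso, which expands a state fully whenever the reduced set leads back onto the DFS stack, enforces condition S. A second constructed model, in which two of three components rendezvous, shows the reduction obtained and the preservation of deadlocks.

```python
def make_lts(locations, transitions, init):
    """Product LTS of components. `transitions` maps a name to {component: (src, dst)};
    a transition touching several components is a rendezvous between them."""
    comps = sorted(locations)
    return {"comps": comps, "trans": transitions, "init": tuple(init[c] for c in comps)}


def enabled(lts, state):
    """en(c): transitions whose every participating component sits at the source location."""
    loc = dict(zip(lts["comps"], state))
    return sorted(t for t, moves in lts["trans"].items()
                  if all(loc[c] == src for c, (src, _) in moves.items()))


def post(lts, state, t):
    loc = dict(zip(lts["comps"], state))
    for c, (_, dst) in lts["trans"][t].items():
        loc[c] = dst
    return tuple(loc[c] for c in lts["comps"])


def independent_in(lts, state, t1, t2):
    """Conditional independence of t1 and t2 in `state` (Definition 3.2.9), checked on
    the LTS itself: neither enables or disables the other, and both orders commute."""
    en = set(enabled(lts, state))
    for a, b in ((t1, t2), (t2, t1)):
        if a in en and (b in en) != (b in enabled(lts, post(lts, state, a))):
            return False
    if t1 in en and t2 in en:
        return post(lts, post(lts, state, t1), t2) == post(lts, post(lts, state, t2), t1)
    return True


def persistent_set(lts, state):
    """A persistent set (Definition 3.2.10) by closure over shared components: take the
    first enabled transition, then add every transition (enabled or not) that touches a
    component already in the closure. Any transition left outside moves only components
    outside the closure, so it can neither enable, disable nor fail to commute with a member."""
    en = enabled(lts, state)
    if not en:
        return []
    comps = set(lts["trans"][en[0]])
    changed = True
    while changed:
        changed = False
        for moves in lts["trans"].values():
            if set(moves) & comps and not set(moves) <= comps:
                comps |= set(moves)
                changed = True
    return [t for t in en if set(lts["trans"][t]) & comps]


def selective_search(lts, reduction, cycle_proviso=False):
    """Algorithm 1 as a depth-first search returning (reached states, deadlock states).
    With cycle_proviso=True a state whose reduced set closes a cycle back onto the DFS
    stack is expanded fully, the usual way of enforcing condition S."""
    init = lts["init"]
    reached, deadlocks, stack = {init}, set(), [init]

    def dfs(state):
        en = enabled(lts, state)
        if not en:
            deadlocks.add(state)
        chosen = reduction(lts, state)
        if cycle_proviso and any(post(lts, state, t) in stack for t in chosen):
            chosen = en
        for t in chosen:
            nxt = post(lts, state, t)
            if nxt not in reached:
                reached.add(nxt)
                stack.append(nxt)
                dfs(nxt)
                stack.pop()

    dfs(init)
    return reached, deadlocks


# Figure 3.4, constructed from its description: the left component loops on c with t,
# the right one moves c1 -> c2 with t1 and c2 -> c1 with t2 (directions assumed here).
FIG34 = make_lts({"L": ["c"], "R": ["c1", "c2"]},
                 {"t": {"L": ("c", "c")}, "t1": {"R": ("c1", "c2")}, "t2": {"R": ("c2", "c1")}},
                 {"L": "c", "R": "c1"})
# Three components where A and B rendezvous on "sync"; also constructed for this example.
SYNC = make_lts({"A": ["a0", "a1", "a2"], "B": ["b0", "b1", "b2"], "C": ["c0", "c1"]},
                {"x": {"A": ("a0", "a1")}, "y": {"B": ("b0", "b1")},
                 "sync": {"A": ("a1", "a2"), "B": ("b1", "b2")}, "z": {"C": ("c0", "c1")}},
                {"A": "a0", "B": "b0", "C": "c0"})

if __name__ == "__main__":
    for name, lts in (("Figure 3.4", FIG34), ("SYNC", SYNC)):
        full, d_full = selective_search(lts, enabled)
        red, d_red = selective_search(lts, persistent_set)
        red_s, _ = selective_search(lts, persistent_set, cycle_proviso=True)
        print(name, "full:", len(full), "reduced:", len(red), "reduced with S:", len(red_s),
              "deadlocks preserved:", d_full == d_red)
```

On the model of Figure 3.4 the persistent set in the initial state is $\{t\}$, so the plain selective search never leaves $(c, c_1)$; with the cycle proviso the self-loop forces full expansion and $(c, c_2)$ is reached. On the second model the reduced search visits 6 of the 10 reachable states and still finds the single deadlock, as Theorem 3.2.4 guarantees for deadlocks.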
4 Verification of BIP with bounded concurrency
In this chapter, we focus on the algorithmic verification of component-based systems modeled in BIP with bounded concurrency, i.e. systems with a fixed number of components. Given the significant progress on algorithmic verification of concurrent infinite-state systems in the past decade, as discussed in the previous chapter, we leverage state-of-the-art abstraction techniques to analyze the behavior of infinite-state BIP components. Meanwhile, inspired by the ESST approach [130], in order to handle the concurrent interactions between components, we incorporate partial order reduction techniques to reduce the redundant interaction interleavings in the abstract reachability analysis.
In the sequel, we first present a lazy abstraction algorithm with interpolant-based abstraction refinement for BIP. Then we present a persistent set based partial order reduction for BIP and show how to combine it with lazy abstraction. Last but not least, we present a comprehensive experimental evaluation of the proposed technique against the state of the art.
This chapter is based on the following publication:
– Formal veriﬁcation of inﬁnite-state BIP models, Bliudze, Simon and Cimatti, Alessandro and
Jaber, Mohamad and Mover, Sergio and Roveri, Marco and Saab, Wajeb and Wang, Qiang,
International Symposium on Automated Technology for Veriﬁcation and Analysis (ATVA
2015), pages 326–343, 2015, Springer.
The author proposed the algorithm of lazy abstraction with reduction for BIP and did the
correctness proofs with the help of Dr. Sergio Mover, Dr. Marco Roveri and Dr. Alessandro
Cimatti. The implementation is based on the Kratos model checker [36]. In the above article,
there is also the symbolic encoding of BIP into nuXmv (presented in Section 2.4), which
was initiated by Dr. Simon Bliudze, and implemented by Wajeb Saab, Dr. Mohamad Jaber,
separately from mine. The author formalized the encoding.
4.1 Lazy abstraction of BIP
4.1.1 Data structures for veriﬁcation
As in lazy abstraction, we compute an abstract reachability tree (ART) to over approximate all
the reachable states. The ART for the veriﬁcation of BIP is deﬁned as follows.
Definition 4.1.1 (Abstract reachability tree) An abstract reachability tree for a BIP model $M_{BIP} = \langle \{B_i\}_{i=1}^n, \Gamma, \Pi \rangle$ is defined as a tuple $T = (Nodes, Root, Edges, Covering)$, where
1. $Nodes$ is a set of tree nodes;
2. $Root \in Nodes$ is the unique root node;
3. $Edges \subseteq Nodes \times \Gamma \times Nodes$ is a set of tree edges;
4. $Covering \subseteq Nodes \times Nodes$ is the covering relation between tree nodes.
An ART node represents an over-approximation of a set of BIP system states. Edges of the
ART are labeled by interactions. They model both the branches of the control ﬂow of each
component, and the interleavings of concurrent interactions in different components. A path
in an ART is then a sequence of interactions.
For a BIP model, an ART node is deﬁned as follows.
Definition 4.1.2 (ART node) An ART node for a BIP model $M_{BIP} = \langle \{B_i\}_{i=1}^n, \Gamma, \Pi \rangle$ is defined as a tuple $\eta = \langle \langle l_1, \phi_1 \rangle, \ldots, \langle l_n, \phi_n \rangle, \phi \rangle$, where for each $i \in [1, n]$, $\langle l_i, \phi_i \rangle$ is the local region of component $B_i$ with the control location $l_i$ and the abstract data region $\phi_i$, and $\phi$ is the global data region.
The abstract data region $\phi_i$ over-approximates the valuations of the variables in the control location $l_i$. We also maintain a global data region $\phi$ to keep track of the relations between the variables that are used in data transfer. The reason is that when data transfer is present, we may need predicates containing variables from different components in the abstraction, which cannot be expressed by using predicates that only contain variables from the same component. It is worth noticing that the presence of data transfer prevents us from discovering modular proofs for component-based systems in a way similar to [83, 84].
A node is consistent if the conjunction of all data regions, i.e. $\phi \land \bigwedge_{i=1}^n \phi_i$, is satisfiable. An inconsistent node does not represent any concrete state. An ART node is an error node if some control location $l_i$ is an error location and the data regions of the node are consistent, i.e. $\phi \land \bigwedge_{i=1}^n \phi_i$ is satisfiable.
A state $c = \langle \langle l_1, V_1 \rangle, \ldots, \langle l_n, V_n \rangle \rangle$ is covered by an ART node $\eta = \langle \langle l_1', \phi_1 \rangle, \ldots, \langle l_n', \phi_n \rangle, \phi \rangle$, denoted by $c \models \eta$, if for all $i \in [1, n]$, $l_i = l_i'$ and $V_i \models \phi_i$, and $\bigwedge_{i=1}^n V_i \models \phi$. A node can also be covered by another one, as defined in the following.
another one, as deﬁned in the following.
Definition 4.1.3 (Node covering) Given two ART nodes $\eta = \langle \langle l_1, \phi_1 \rangle, \ldots, \langle l_n, \phi_n \rangle, \phi \rangle$ and $\eta' = \langle \langle l_1', \phi_1' \rangle, \ldots, \langle l_n', \phi_n' \rangle, \phi' \rangle$, we say $\eta$ is covered by $\eta'$ if the following conditions hold:
1. $l_i = l_i'$ for all $i \in [1, n]$,
2. the implication $\phi_i \Rightarrow \phi_i'$ is valid for all $i \in [1, n]$, and
3. the implication $\phi \Rightarrow \phi'$ is valid.
Intuitively speaking, a node η is covered by another one η′, if the set of states approximated by
η is a subset of the states approximated by η′. Moreover, the possible successors of η are also
reachable from η′. Then it is safe to stop the exploration from η. An ART is complete if all the
nodes are either fully expanded or covered. An ART is safe if it is complete and contains no
error nodes.
4.1.2 Main veriﬁcation algorithm
The main verification algorithm is shown in Algorithm 2. It takes a BIP model as input, and explores an over-approximation of all the possible reachable states by constructing an ART. When it terminates, it either returns a safe ART, concluding that the model is safe, or reports a counterexample. Termination is not guaranteed in general [1, 56].
The ART construction proceeds by expanding the ART nodes. Upon expanding a node, it first checks whether this node indicates an error. If an error node is detected, it generates a counterexample path by invoking the function BuildCEX and checks whether the counterexample path represents a real trace or not. If the counterexample is real, then the algorithm reports the counterexample and stops the analysis. Otherwise, it refines the abstraction with the function Refine and continues the ART construction after the abstraction has been refined successfully. If the node is not an error node, it checks whether this node can be covered by a previously explored node. If it can be covered, the algorithm stops the expansion from this node, marks it as covered, and proceeds with other uncovered nodes. Finally, a node is expanded if it is neither an error node nor covered by another one. To expand a node, it first computes all the possible enabled interactions with the function EnabledInteraction, and then computes the successor nodes with the function Expand. All the consistent successor nodes are inserted in the ART to be expanded later.
We elaborate on the node expansion and the counterexample guided abstraction refinement in detail in the subsequent sections.
4.1.3 Node expansion
To expand an ART node, the set of structurally enabled interactions is first computed by the function EnabledInteraction in Algorithm 2. We say that an interaction $\gamma = \langle g, P, f \rangle$ is structurally enabled in an ART node $\eta = \langle \langle l_1, \phi_1 \rangle, \ldots, \langle l_n, \phi_n \rangle, \phi \rangle$ if for each component $B_i$ such that $P \cap P_i = \{p_i\}$, there is a transition $\langle l_i, g_i, p_i, f_i, l_i' \rangle \in E_i$ which starts from $l_i$ and is labeled by the participating port $p_i$. Basically this computation extracts the control location of each component from the given node, then looks up the possible transitions starting from these control locations and marks them as structurally enabled transitions. If all the participating transitions of an interaction are structurally enabled, we say this interaction is structurally enabled.

Algorithm 2 Lazy abstraction of BIP
  Input: a BIP model M_BIP and an error state
  Output: either M_BIP is safe, or a counterexample cex
  create an ART node η0 for the initial state
  create an ART T with the root η0
  create a worklist wl of ART nodes
  push η0 into wl
  while wl ≠ ∅ do
    η ← pop(wl)
    if η is an error node then
      cex ← BuildCEX(η)
      if cex is real then
        return cex
      else
        Refine(T, cex)
    else if η is covered then
      mark η as covered
    else
      Γ_enab ← EnabledInteraction(η)
      Expand(η, Γ_enab)
      push all children of η into wl
  return M_BIP is safe
Notice that structural enabledness on an ART node is different from interaction
enabledness on a BIP state in Section 2.3: we do not check the satisfiability of the interaction
or transition guards on the ART node. Skipping this check is safe in lazy abstraction:
if an interaction is disabled on the ART node due to the unsatisfiability of guards, then the
successor node will be inconsistent, i.e. the conjunction $\bigwedge_{i=1}^{n}\phi'_i \wedge \phi'$ is unsatisfiable in the
successor node. Thus, a disabled interaction leads to an inconsistent successor node, which
is later discarded.
Suppose the set of enabled interactions on node $\eta$ is $\Gamma_{enab} = \{\gamma_1, \ldots, \gamma_k\}$. For each $i \in [1,k]$,
let $\gamma_i = \langle g_i, P_i, f_i\rangle$ with $P_i = \{p_1, \ldots, p_l\}$, and for each $p \in P_i$ with $\langle l, g, p, f, l'\rangle \in E_{id(p)}$, denote
$g$ and $f$ by $g_p$ and $f_p$ respectively. We expand the node $\eta$ and create a successor node $\eta' =
\langle\langle l'_1,\phi'_1\rangle, \ldots, \langle l'_n,\phi'_n\rangle, \phi'\rangle$ for interaction $\gamma_i$, according to the following rule:
1. $\phi'_j = post(\phi_j \wedge \phi, \hat{op}_{p_j})$, for each $j \in [1,n]$ such that $P_i \cap P_j = \{p_j\}$, where $\hat{op}_{p_j} = \mathbf{if}\ g_i \wedge g_{p_j}\ \mathbf{then}\ f_i; f_{p_j}$,
2. $\phi'_j = \phi_j$, for each $j \in [1,n]$ such that $P_i \cap P_j = \emptyset$,
3. $\phi' = post(\phi, \hat{op})$, where $\hat{op} = \mathbf{if}\ g_i \wedge \bigwedge_{p \in P_i} g_p\ \mathbf{then}\ f_i; f_{p_1}; \ldots; f_{p_l}$.
Given a set of enabled interactions $\Gamma_{enab}$, the pseudo-code of the node expansion is shown
in Algorithm 3. For each enabled interaction $\gamma \in \Gamma_{enab}$, we create a new ART node $\eta'$ as the
successor of the current node $\eta$. For each component $B_i$ that participates in $\gamma$, we invoke function
ExtractTransition($E_i$, $l_i$, $p_i$) to extract the participating transition starting from $l_i$ and labelled
by port $p_i$ from the set of transitions $E_i$. We omit the details of this function, since it is simply a
membership check. Then we compute the new abstract data region $\phi'_i$ by applying the abstract
strongest post-condition $post(\phi_i \wedge \phi, \hat{op}_i)$. For the other components, which do not participate
in this interaction, the abstract data regions and control locations remain the same. To
update the global region, we need to consider all the participating transitions, since they may
modify variables in data transfer and change the global data region. We create two temporary
variables $g'$ and $op'$, where $g'$ is the conjunction of the interaction guard and all the
participating transition guards, and $op'$ is the sequential composition of the data transfer and
all the participating transitions. Notice that the data transfer should always be executed before
all the participating transitions, but the execution order of the component transitions does not
matter, since they only access the local variables of their components. The new global region $\phi'$
is then obtained by applying the abstract strongest post-condition $post(\phi, \hat{op})$, where $\hat{op}$ is the
guarded operation composed of $g'$ and $op'$. Finally, if all the abstract strongest post-condition
computations succeed, the new ART node $\eta'$ is inserted and the edge is labeled by interaction
$\gamma$. Otherwise, this new successor node $\eta'$ is inconsistent and discarded.
Algorithm 3 Node expansion
1: procedure EXPAND($\eta = \langle\langle l_1,\phi_1\rangle, \ldots, \langle l_n,\phi_n\rangle, \phi\rangle$, $\Gamma$)
2:   for $\gamma = \langle g, P, f\rangle \in \Gamma$ do
3:     $\eta' \leftarrow \langle\langle l''_1,\phi'_1\rangle, \ldots, \langle l''_n,\phi'_n\rangle, \phi'\rangle$
4:     $g' \leftarrow g$
5:     $op' \leftarrow f$
6:     for each $B_i$ in $M_{BIP}$ do
7:       if $P_i \cap P = \{p_i\}$ then
8:         $\langle l_i, g_i, p_i, f_i, l'_i\rangle \leftarrow$ ExtractTransition($E_i$, $l_i$, $p_i$)
9:         $g' \leftarrow g' \wedge g_i$
10:        $op' \leftarrow op'; f_i$
11:        $\hat{op}_i \leftarrow g_i; f_i$
12:        $\langle l''_i, \phi'_i\rangle = \langle l'_i, post(\phi \wedge \phi_i, \hat{op}_i)\rangle$
13:        if $\neg\phi'_i$ then
14:          discard $\eta'$ and continue with the next $\gamma$
15:      else if $P_i \cap P = \emptyset$ then
16:        $\langle l''_i, \phi'_i\rangle = \langle l_i, \phi_i\rangle$
17:     $\hat{op} \leftarrow g'; op'$
18:     $\phi' = post(\phi, \hat{op})$
19:     if $\neg\phi'$ then
20:       discard $\eta'$ and continue with the next $\gamma$
21:     AddChild($\eta$, $\gamma$, $\eta'$)
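As an added illustration of Algorithms 2 and 3 (example code written for this section, not the thesis's Kratos-based implementation), the following Python program runs the worklist construction on a constructed two-client mutual exclusion model: two clients with locations I, W, C and ports try, enter, leave, and a controller with a single location S and a Boolean variable flag. Structural enabledness is decided on control locations only, as in Section 4.1.3; the guard is applied to the data region afterwards, and a successor whose region becomes empty is discarded as inconsistent. The one assumption that departs from the algorithm is that data regions are represented exactly as sets of valuations of flag instead of by predicate abstraction, so no counterexample is spurious and the Refine step never fires; the component names, port names and the `guarded` switch are constructed for the example.

```python
# Added example (not the thesis's implementation): the worklist ART construction
# of Algorithms 2 and 3 on a constructed two-client mutual exclusion model.
# Assumption: data regions are kept exact as sets of valuations of the single
# Boolean variable `flag` instead of predicate abstraction, so post is exact,
# no counterexample is spurious and Refine never fires.


def client(i):
    """Client component: I -try-> W -enter-> C -leave-> I (constructed)."""
    return (f"I{i}", [(f"I{i}", f"try{i}", f"W{i}"),
                      (f"W{i}", f"enter{i}", f"C{i}"),
                      (f"C{i}", f"leave{i}", f"I{i}")])


# component name -> (initial location, transitions (src, port, dst))
COMPONENTS = {"c1": client(1), "c2": client(2),
              "ctrl": ("S", [("S", "enter", "S"), ("S", "leave", "S")])}
ORDER = list(COMPONENTS)
OWNER = {p: c for c, (_, ts) in COMPONENTS.items() for _, p, _ in ts}


def interactions(guarded=True):
    """(name, ports, guard(flag), update(flag)); guard and update are attached to
    the interaction for brevity.  guarded=False drops the mutual exclusion guard."""
    enter_ok = (lambda flag: not flag) if guarded else (lambda flag: True)
    return [("try1", {"try1"}, lambda f: True, lambda f: f),
            ("try2", {"try2"}, lambda f: True, lambda f: f),
            ("enter1", {"enter1", "enter"}, enter_ok, lambda f: True),
            ("enter2", {"enter2", "enter"}, enter_ok, lambda f: True),
            ("leave1", {"leave1", "leave"}, lambda f: f, lambda f: False),
            ("leave2", {"leave2", "leave"}, lambda f: f, lambda f: False)]


def in_critical(locs):
    """Error state: both clients in their critical section at once."""
    return "C1" in locs and "C2" in locs


def structural_moves(locs, ports):
    """Structural enabledness (Section 4.1.3): the component owning each port
    must have an outgoing transition labelled by that port from its current
    location.  Returns the new locations of the participating components, or
    None when the interaction is not structurally enabled."""
    moves = {}
    for p in ports:
        c = OWNER[p]
        src = locs[ORDER.index(c)]
        dst = next((d for s, q, d in COMPONENTS[c][1] if s == src and q == p), None)
        if dst is None:
            return None
        moves[c] = dst
    return moves


def lazy_reach(gammas, is_error=in_critical):
    """Returns (cex, nodes, discarded): cex is the interaction sequence to an
    error node, or None if the ART is safe; discarded counts inconsistent
    successors that were structurally enabled but had an empty region."""
    art = [{"locs": tuple(COMPONENTS[c][0] for c in ORDER),
            "region": frozenset({False}), "parent": None, "via": None}]
    wl, expanded, discarded = [0], [], 0
    while wl:
        n = wl.pop()
        node = art[n]
        if is_error(node["locs"]):                        # BuildCEX: walk parents
            cex = []
            while art[n]["parent"] is not None:
                cex.append(art[n]["via"])
                n = art[n]["parent"]
            return cex[::-1], len(art), discarded
        if any(art[m]["locs"] == node["locs"] and node["region"] <= art[m]["region"]
               for m in expanded):                       # coverage check
            node["covered"] = True
            continue
        expanded.append(n)
        for name, ports, guard, update in gammas:        # Expand
            moves = structural_moves(node["locs"], ports)
            if moves is None:
                continue                                 # not structurally enabled
            region = frozenset(update(f) for f in node["region"] if guard(f))
            if not region:                               # inconsistent successor
                discarded += 1
                continue
            locs = tuple(moves.get(c, l) for c, l in zip(ORDER, node["locs"]))
            art.append({"locs": locs, "region": region, "parent": n, "via": name})
            wl.append(len(art) - 1)
    return None, len(art), discarded
```

With `interactions(True)` the ART is safe, and at least one structurally enabled successor is discarded (an enter interaction from a node whose region already has flag set); with `interactions(False)`, i.e. the guard removed, `lazy_reach` returns the interaction sequence leading to a node where both clients are in their critical sections.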
4.1.4 Abstraction refinement
If an error node is encountered during the ART construction in Algorithm 2, function BuildCEX
is called to construct a counterexample path by backtracking the ART from the current error
node to the root node. In BIP, we denote a counterexample $cex$ by the sequence of interactions
labeling the path in the ART from the root to the error node.
To check whether the counterexample $cex$ is real, we first construct a sequential execution trace
$tr_{cex}$. Suppose the counterexample is $cex = \gamma_1\gamma_2\ldots\gamma_k$, where for each $i \in [1,k]$, interaction
$\gamma_i = \langle g_i, P_i, f_i\rangle$ with $P_i = \{p^i_1, \ldots, p^i_t\}$, and let $tr_{\gamma_i} = g_i; f_i; f^i_{\pi(1)}; \ldots; f^i_{\pi(t)}$, where $\pi$ is an arbitrary
permutation of $\{1, \ldots, t\}$ and $f^i_{\pi(j)}$ is the operation of the transition labeled by port $p^i_{\pi(j)}$. The trace of the
counterexample is the sequential composition of all $tr_{\gamma_i}$, i.e. $tr_{cex} = tr_{\gamma_1}; \ldots; tr_{\gamma_k}$. We say that
the counterexample $cex$ is real if and only if the first-order encoding of $tr_{cex}$ is satisfiable, or
equivalently $post(true, tr_{cex}) \neq false$. Otherwise, the counterexample is spurious.
If a spurious counterexample is found, we must eliminate it and
refine the abstraction. Our algorithm computes a sequence interpolant from the first-order encoding
of $tr_{cex}$ [88, 119], extracts the predicates from the interpolant and uses them to refine the
abstraction (function Refine in Algorithm 2).
4.1.5 Correctness proof
In order to prove the correctness of the lazy abstraction algorithm for BIP, we need to relate the
construction of the ART with the BIP operational semantics. We first show that the node expansion
in Algorithm 3 creates successor nodes that safely over-approximate the corresponding
reachable states in the BIP operational semantics.
Lemma 4.1.4 Let $\eta$ be an ART node of a BIP model $M_{BIP}$ and $\eta'$ be a successor of $\eta$ following
interaction $\gamma$, and let $c$ be a concrete state such that $c \models \eta$. Then for every concrete state $c'$ such
that $c \xrightarrow{\gamma} c'$, we have $c' \models \eta'$.
Proof 4.1.5 Assume $c = \langle\langle l_1, V_1\rangle, \ldots, \langle l_n, V_n\rangle\rangle$ and $\eta = \langle\langle l_1,\phi_1\rangle, \ldots, \langle l_n,\phi_n\rangle, \phi\rangle$. Since $c \models \eta$,
we have $V_i \models \phi_i$ for each $i \in [1,n]$, and $\bigwedge_{i=1}^{n} V_i \models \phi$. Assume also that the successor of $c$ following $\gamma =
\langle g, P, f\rangle$ is $c' = \langle\langle l'_1, V'_1\rangle, \ldots, \langle l'_n, V'_n\rangle\rangle$, and that the successor of node $\eta$ is $\eta' = \langle\langle l''_1,\phi'_1\rangle, \ldots, \langle l''_n,\phi'_n\rangle, \phi'\rangle$.
In order to prove $c' \models \eta'$, we have to show that $l'_i = l''_i$ and $V'_i \models \phi'_i$ for all $i \in [1,n]$, and
$\bigwedge_{i=1}^{n} V'_i \models \phi'$.
Consider a component $B_i$ such that $P \cap P_i = \{p_i\}$, i.e. component $B_i$ participates in the interaction
$\gamma$, and let the participating transition in $E_i$ be $\langle l_i, g_i, p_i, f_i, l'_i\rangle$. Then we have $V_i \models g_i$ and
$V'_i = f_i(f(V_i))$ according to the operational semantics of BIP.
According to Algorithm 3, we have $l''_i = l'_i$ and $\phi'_i = post(\phi_i \wedge \phi, \hat{op}_i)$, where $\hat{op}_i$ denotes the
sequential composition $g_i; f; f_i$. Based on the semantics of the abstract strongest post-condition, and
the fact that $V_i \models \phi_i$ and $\phi_i \wedge g_i$ is satisfiable, we have $V'_i \models \phi'_i$. Following a similar argument,
we can prove $\bigwedge_{i=1}^{n} V'_i \models \phi'$.
For each component $B_i$ such that $P \cap P_i = \emptyset$, since it does not participate in the interaction, its
state is unchanged. Thus, the satisfaction relation trivially holds.
The following theorem states the correctness of our lazy abstraction algorithm for BIP.
Theorem 4.1.6 Given a BIP model $M_{BIP}$ and an error state encoding the invariant property,
for every terminating execution of Algorithm 2, we have the following properties:
1. if Algorithm 2 returns a counterexample, then there is a concrete trace from an initial
state to an error state in $M_{BIP}$;
2. if Algorithm 2 returns a safe ART, then for every reachable state of $M_{BIP}$, there is an ART
node that covers it.
Proof 4.1.7 Suppose Algorithm 2 returns a counterexample $cex = \gamma_1\gamma_2\ldots\gamma_k$. Then according
to the counterexample analysis presented in Section 4.1.4, we know that $post(true, tr_{cex})$ is
satisfiable, which means the counterexample $cex$ represents a concrete trace in $M_{BIP}$.
Suppose Algorithm 2 returns a safe ART. We prove that for every reachable state $c$, there is an
ART node $\eta$ that covers $c$. The proof is by induction on the length of the trace from the initial state to
$c$. The base case holds trivially, since we create the initial node from the initial state.
Assume the conclusion holds for all traces of length $n$, i.e. if $c_0 \xrightarrow{\gamma_1\ldots\gamma_n} c_n$, then there is an ART
node $\eta$ that covers state $c_n$. Now suppose state $c$ is reachable by a trace of length $n+1$, i.e.
$c_0 \xrightarrow{\gamma_1\ldots\gamma_n} c_n \xrightarrow{\gamma_{n+1}} c$. Because $c_n \models \eta$, by Lemma 4.1.4 we conclude that the successor
node $\eta'$ of $\eta$ following interaction $\gamma_{n+1}$ also covers $c$. This concludes the proof of the theorem.
4.2 Persistent set reduction for BIP
In lazy abstraction, all interleavings of concurrent interactions are explored, which may result
in visiting some redundant states. Consider the example in Figure 4.1: in the initial
state $(S, I_1, I_2)$ (only control locations are shown for simplicity), both interactions $\{try_1\}$ and $\{try_2\}$
are enabled and are explored in lazy abstraction. However, both interleavings $\{try_1\};\{try_2\}$ and
$\{try_2\};\{try_1\}$ lead to the same final state $(S, W_1, W_2)$. These interleavings can be seen as equivalent,
since the intermediate state is of no interest to our verification (i.e. whether $(C_1, C_2)$ is
reachable or not). It is thus preferable to explore only one of the two interleavings.
In this section, we present the persistent-set-based partial order reduction for BIP, which aims
at selecting one representative interaction interleaving out of all equivalent ones in the state space
exploration. First of all, we introduce the following definition of interaction independence.
Figure 4.1 – Example for illustrating partial order reduction for BIP (diagram not reproduced: two client components with locations $I_i$, $W_i$, $C_i$ and ports $try_i$, $enter_i$, $leave_i$ for $i = 1, 2$, and a controller component with location $S$, ports $enter$ and $leave$, guards $[\neg flag]$ and $[flag]$, and updates $flag = true$ and $flag = false$)
Definition 4.2.1 (Interaction independence) Two interactions $\gamma_1$ and $\gamma_2$ are independent in
state $c$, if the following conditions hold:
1. if $\gamma_1$ is enabled in $c$, then $\gamma_2$ is enabled in $c$ iff $\gamma_2$ is enabled in $c'$, where $c \xrightarrow{\gamma_1} c'$; and
symmetrically for the case where $\gamma_2$ is enabled in $c$;
2. if $\gamma_1$ and $\gamma_2$ are both enabled in $c$, and $c \xrightarrow{\gamma_1\gamma_2} c'_1$, $c \xrightarrow{\gamma_2\gamma_1} c'_2$, then $c'_1 = c'_2$.
The independence relation in the above definition is a global property: in order to check whether two
interactions are independent, we have to look at every possible state in the state space
of the transition system. Hence, computing the precise independence relation may be as hard
as the invariant verification problem. Static analysis of the system model is usually used to
obtain an under-approximation of the independence relation.
We remark that the above defines a conditional independence relation, as in [78, 147], i.e.
two interactions are defined as independent with respect to a single state. This definition
works well with explicit-state model checking, where individual concrete states are visited
and checked. However, in this dissertation, we aim at applying partial order reductions to
abstraction structures (e.g. the ART), where conditional independence may not hold. Consider
two interactions with the actions $x := z + y$ and $x := z$: they are independent in the state
$(x = 1, y = 0, z = 1)$ (actually in any state with $y = 0$). Now suppose the predicate we use for
abstraction is $x = z$; the current abstract state is then $x = z$, in which it is unclear whether $y = 0$
or not. Thus, we are unable to conclude whether the two actions are independent.
Furthermore, independent interactions do not commute on abstract states. For instance,
consider a BIP model with only two components and the following two simple interactions
$\gamma_1 = \langle true, \{p_1\}, x_1 = x_1 + 1\rangle$ and $\gamma_2 = \langle true, \{p_2\}, x_2 = x_2 + 1\rangle$, that is, each of the two components
increments a local integer variable by 1. Obviously they are independent in the concrete
transition system, and from the initial state $(x_1 = 0, x_2 = 0)$ the two interleavings $\gamma_1;\gamma_2$ and
$\gamma_2;\gamma_1$ lead to the same state $(x_1 = 1, x_2 = 1)$. Now suppose the predicate language of the
abstraction structure is given by $b_1 = (x_1 > x_2)$, $b_2 = (x_1 = x_2)$ and $b_3 = (x_1 = x_2 + 1)$ and their
negations. Then starting from the initial abstract state $\neg b_1 \wedge b_2 \wedge \neg b_3$, the interleaving $\gamma_1;\gamma_2$ leads
to the abstract state $\neg b_1 \wedge b_2 \wedge \neg b_3$ (with the intermediate state $b_1 \wedge \neg b_2 \wedge b_3$), while the other
interleaving $\gamma_2;\gamma_1$ leads to a different abstract state $\neg b_1 \wedge \neg b_3$ (with the intermediate state
$\neg b_1 \wedge \neg b_2 \wedge \neg b_3$).
Figure 4.2 – Example showing independent interactions don't commute on abstract states (diagram not reproduced: the concrete diamond $x_1 = 1, x_2 = 1$ / $x_1 = 2, x_2 = 1$ / $x_1 = 1, x_2 = 2$ / $x_1 = 2, x_2 = 2$ and the abstract states $\neg b_1 \wedge b_2 \wedge \neg b_3$, $b_1 \wedge \neg b_2 \wedge b_3$, $\neg b_1 \wedge \neg b_2 \wedge \neg b_3$, $\neg b_1 \wedge b_2 \wedge \neg b_3$ and $\neg b_1 \wedge \neg b_3$, connected by $\gamma_1$ and $\gamma_2$ edges)
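To make the non-commutation above concrete, here is an added example (written for this section, not code from the thesis) that computes the best abstract post $post^\#(\eta, \gamma) = \alpha(post(\beta(\eta), \gamma))$ for the two counters and the predicates $b_1$, $b_2$, $b_3$, with the concretisation $\beta$ enumerated over a bounded box. The bound N, the representation of abstract states as cubes over $b_1$, $b_2$, $b_3$ and the function names are assumptions of the example. It reproduces the two abstract results stated above, and it also checks, which is what Lemma 4.2.3 below relies on, that the two orders still agree on every concrete state of the initial abstract state.

```python
# Added example (not from the thesis): the best abstract post for the two
# counters of Figure 4.2, computed as alpha(post(beta(eta))) by enumerating the
# concretisation over a bounded box.  The predicates b1, b2, b3 and the
# interactions gamma1, gamma2 follow the text; the bound N and the cube
# representation of abstract states are assumptions of this example.
from itertools import product

N = 6  # constructed bound: the concretisation enumerates [0, N] x [0, N]

# predicate language of the abstraction (b1, b2, b3 from the text)
PREDS = {"b1": lambda x1, x2: x1 > x2,
         "b2": lambda x1, x2: x1 == x2,
         "b3": lambda x1, x2: x1 == x2 + 1}


def gamma1(x1, x2):
    """Interaction gamma1: x1 := x1 + 1, guard true."""
    return x1 + 1, x2


def gamma2(x1, x2):
    """Interaction gamma2: x2 := x2 + 1, guard true."""
    return x1, x2 + 1


def alpha(states):
    """Best abstraction of a set of concrete states: a cube mapping each
    predicate to True or False, or to None when the set does not decide it."""
    cube = {}
    for name, pred in PREDS.items():
        vals = {pred(*s) for s in states}
        cube[name] = vals.pop() if len(vals) == 1 else None
    return cube


def beta(cube):
    """Concretisation beta(eta), restricted to the box [0, N]^2."""
    return {(x1, x2) for x1, x2 in product(range(N + 1), repeat=2)
            if all(v is None or PREDS[k](x1, x2) == v for k, v in cube.items())}


def abstract_post(cube, gamma):
    """post#(eta, gamma) = alpha(post(beta(eta), gamma))."""
    return alpha({gamma(*s) for s in beta(cube)})


def both_orders():
    """Abstract states reached from the initial cube (not b1, b2, not b3)
    via gamma1;gamma2 and via gamma2;gamma1."""
    eta0 = alpha({(0, 0)})
    via12 = abstract_post(abstract_post(eta0, gamma1), gamma2)
    via21 = abstract_post(abstract_post(eta0, gamma2), gamma1)
    return eta0, via12, via21


def concrete_commute(cube):
    """Concrete side of Lemma 4.2.3: on every state of beta(eta) both orders
    reach the same concrete state."""
    return all(gamma2(*gamma1(*c)) == gamma1(*gamma2(*c)) for c in beta(cube))
```

`both_orders()` returns the initial cube together with the two results: $\gamma_1;\gamma_2$ gives back $\neg b_1 \wedge b_2 \wedge \neg b_3$, while $\gamma_2;\gamma_1$ gives the weaker cube $\neg b_1 \wedge \neg b_3$ with $b_2$ undecided, exactly the discrepancy described above; `concrete_commute` confirms that every concrete state of the initial cube is nevertheless reached by both orders.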
Thus, we cannot simply lift Definition 4.2.1 to abstraction structures. These concerns
motivate the following definition of abstract independence. Recall that $\beta$ is the concretisation
function that maps an abstract state to the concrete ones.
Definition 4.2.2 (Abstract independence) Two interactions $\gamma_1$ and $\gamma_2$ are independent in an
abstract state $\eta$, if for all states $c \in \beta(\eta)$, the following conditions hold:
1. if $\gamma_1$ is enabled in $c$, then $\gamma_2$ is enabled in $c$ iff $\gamma_2$ is enabled in $c'$, where $c \xrightarrow{\gamma_1} c'$; and
symmetrically for the case where $\gamma_2$ is enabled in $c$;
2. if $\gamma_1$ and $\gamma_2$ are both enabled in $c$, and $c \xrightarrow{\gamma_1\gamma_2} c'_1$, $c \xrightarrow{\gamma_2\gamma_1} c'_2$, then $c'_1 = c'_2$.
We can see that independence in all states in Definition 3.2.1 implies abstract independence,
and it is also preferable to use the independence of Definition 3.2.1, since it is
easier to compute. In the sequel, by independent interactions we mean interactions that
are independent in all states.
The question is whether it is still sound to explore only one of the two interleavings of two
independent interactions in the abstract analysis. Our first observation
is that in lazy abstraction, since we keep track of the control locations, the set of outgoing
interactions of each ART node always contains the set of interactions enabled in each concrete
system state represented by this node. The second observation is that though independent
interactions do not commute on abstract states, they still commute on the reachable concrete
states represented by the abstract states. The following lemma formalizes this observation and
ensures that exploiting independence on abstraction structures is still sound. Recall that $post$
is the abstract post operator.
Lemma 4.2.3 Let $\gamma_1$ and $\gamma_2$ be two independent interactions, and let $\eta$ be an abstract state.
Then for all $c \in \beta(post(post(\eta,\gamma_1),\gamma_2))$, if there is a state $c_1 \in \beta(\eta)$ such that
$c = post(post(c_1,\gamma_1),\gamma_2)$, then $c \in \beta(post(post(\eta,\gamma_2),\gamma_1))$.
Proof 4.2.4 Assume $c = post(post(c_1,\gamma_1),\gamma_2)$. Since $\gamma_1$ and $\gamma_2$ are independent,
we also have $c = post(post(c_1,\gamma_2),\gamma_1)$. According to the semantics of $post$, it holds that
$c \in \beta(post(post(\eta,\gamma_2),\gamma_1))$.
Similarly, we can conclude that sequences of interaction interleavings that can be obtained
from each other by permuting adjacent independent interactions are also equivalent. Exploring
one interleaving sequence out of all equivalent ones does not miss any reachable concrete
state. Thus, it is still sound to perform a selective search on abstraction structures.
The question is then how to select the set of interactions to be explored on an abstract
state. For this purpose, we define the persistent set as in Definition 3.2.10, but on an abstract
state.
Definition 4.2.5 A set of interactions $\Gamma_{per}$ in an abstract state $\eta$ is persistent if the following
conditions hold:
1. $\Gamma_{per} \subseteq en(\eta)$, and $\Gamma_{per} = \emptyset$ if and only if $en(\eta) = \emptyset$;
2. for every execution $\eta \xrightarrow{\gamma_1\ldots\gamma_n} \eta_n$ with $\gamma_i \notin \Gamma_{per}$ for all $i \in [1,n]$, $\gamma_n$ is abstractly independent
of all interactions in $\Gamma_{per}$;
3. for every execution $\eta = \eta_0 \xrightarrow{\gamma_1\ldots\gamma_n} \eta_n$, where $\eta_n$ is implied by some $\eta_i$, $i \in [0,n-1]$, and for
every $\gamma \in en(\eta_j)$, $j \in [1,n]$, there is $k \in [1,n]$ such that $\gamma \in \Gamma_{per}(\eta_k)$.
The first two conditions ensure that deadlocks are preserved, and the third one is required
when reasoning about general safety properties.
A persistent set in an abstract state may not be persistent on the represented concrete states,
since an interaction enabled on an abstract state may not be enabled on some of the represented
concrete states. However, the persistent set in an abstract state is a safe over-approximation.
4.2.1 Combining persistent set reduction with lazy abstraction
In order to combine the persistent set reduction with lazy abstraction for BIP, we incorporate
the selective search in the abstract reachability analysis of lazy abstraction. The new algorithm
is listed in Algorithm 4. It constructs a reduced ART in a similar way to Algorithm 2. More
specifically, when we expand an ART node in the abstract reachability analysis, instead of
computing successor nodes for all possible enabled interactions, we only compute the ones
that follow the interactions in the persistent set. The exploration of the interactions outside of
the persistent set is postponed.
To solve the ignoring problem illustrated in Section 3.2.4, the new algorithm also has to
detect whether a cycle occurs before expanding an ART node. We say that a cycle occurs if the control
locations of a node have been visited before on the ART path to this node. In case a cycle is
detected, the predecessor of this node is fully expanded by function FullyExpand, to avoid
that some interactions are postponed forever. Basically, in the new algorithm, we then also expand the
interactions outside of the persistent set of this node. This is a stronger guarantee
that implies the second condition of a persistent set in Definition 4.2.5. A detailed elaboration of
techniques for solving the ignoring problem can be found in [65].

Algorithm 4 Lazy abstraction with persistent set reduction for BIP
Input: a BIP model $M_{BIP}$ and an error state
Output: either $M_{BIP}$ is safe, or a counterexample $cex$
1: create an ART $T$ with initial node $\eta_0$
2: create a worklist $wl$ and push $\eta_0$ into $wl$
3: while $wl \neq \emptyset$ do
4:   $\eta \leftarrow pop(wl)$
5:   if IsError($\eta$) then
6:     $cex \leftarrow BuildCEX(\eta)$
7:     if $cex$ is real then
8:       return $cex$
9:     else
10:      Refine($T$, $cex$)
11:  else if Cycle($\eta$) then
12:    FullyExpand(Predecessor($\eta$)), and add all successors into $wl$
13:    mark $\eta$ as covered
14:  else if Covering($\eta$) then
15:    mark $\eta$ as covered
16:  else
17:    $\Gamma_P \leftarrow PersistentSet(\eta)$
18:    Expand($\eta$, $\Gamma_P$), and add all successors into $wl$
19: return $M_{BIP}$ is safe
If no cycle is detected, the new algorithm computes the set of selected interactions using
the function PersistentSet. We elaborate the implementation details of this function in the next
subsection. Then the node is expanded according to the interactions in the persistent set, and all
the consistent successors are added into the ART. We remark that the actual implementation
of the persistent set computation does not affect the integration: any optimization or new
persistent set computation can be incorporated without jeopardizing the
correctness of the algorithm.
The following theorem states the correctness of the new algorithm.
Theorem 4.2.6 Given a BIP model $M_{BIP}$ and an error state encoding the invariant property,
for every terminating execution of Algorithm 4, we have the following properties:
1. if a counterexample is returned, then it is a concrete counterexample in $M_{BIP}$;
2. if a safe ART is returned, then for every reachable state $c$ in $M_{BIP}$, there is an ART node $\eta$ such
that $c \models \eta$.
Proof 4.2.7 Item 1 holds by the same argument as Theorem 4.1.6. In the following, we prove
the second item.
According to Theorem 4.1.6, for every reachable state $c$ in $M_{BIP}$, there is a node $\eta_w$ in the ART
returned by Algorithm 2 such that $c \models \eta_w$. Suppose the path to node $\eta_w$ is $\eta_0 \xrightarrow{\gamma_1\ldots\gamma_n} \eta_n$, where
$\eta_0$ is the root and $\eta_n = \eta_w$.
Now we prove that there is another path $\eta_0 \xrightarrow{\gamma'_1\ldots\gamma'_n} \eta'_n$ in the ART returned by Algorithm 4, such
that $\gamma'_1$ is in the persistent set $\Gamma_{per}(\eta_0)$ and $c \models \eta'_n$.
Case 1: if $\eta_w$ is a deadlock node, then we show that at least one interaction $\gamma_i$, $i \in [1,n]$, in
the path $\eta_0 \xrightarrow{\gamma_1\ldots\gamma_n} \eta_n$ is in the persistent set $\Gamma_{per}(\eta_0)$. Otherwise, suppose that none of the
interactions $\gamma_i$, $i \in [1,n]$, is in the persistent set $\Gamma_{per}(\eta_0)$; then by the second condition of
persistent sets in Definition 4.2.5, the interactions in the persistent set $\Gamma_{per}(\eta_0)$ are still
enabled in $\eta_n$, which contradicts the assumption that $\eta_w$ is a deadlock node.
Thus, there is at least one interaction $\gamma_i$, $i \in [1,n]$, in the persistent set $\Gamma_{per}(\eta_0)$. Assume
the first such interaction is $\gamma_j$, $j \in [1,n]$; then for all interactions $\gamma_k$, $k < j$, $\gamma_j$ is
independent of $\gamma_k$. Thus, $\gamma_j$ can be moved to the beginning of the path. The new path
is the same as $\gamma_1\ldots\gamma_n$, except that $\gamma_j$ has been moved to the front.
Then applying Lemma 4.2.3, we can conclude that $c \models \eta'_n$.
Case 2: if $\eta_w$ is not a deadlock node, but is covered by some other node on the same path, assume
the covering node is $\eta_i$, $i \in [0,n-1]$. Assume also that no interaction in the persistent set
$\Gamma_{per}(\eta_0)$ occurs among $\gamma_j$, $j \in [1,i]$. Then we know that the interactions in $\Gamma_{per}(\eta_0)$ are also enabled
in $\eta_i$ and in $\eta_n$. Then according to the third condition of persistent sets in Definition
4.2.5, we know that at least one interaction in $\Gamma_{per}(\eta_0)$ occurs among $\gamma_j$, $j \in [i+1,n]$. Let $\gamma_k$,
$k \in [i+1,n]$, be the first such interaction; then for the same reason as in Case 1, $\gamma_k$ can be
shifted to the beginning of the path. The new path is the same as $\gamma_1\ldots\gamma_n$,
except that $\gamma_k$ has been moved to the front.
Then applying Lemma 4.2.3, we can conclude that $c \models \eta'_n$.
Case 3: if $\eta_w$ is covered by some node on another path, it is equivalent to prove the conclusion
for that other path. Since our models are finitely branching, we are guaranteed that there is a
path to which the argument of Case 2 applies.
Case 4: if $\eta_w$ is not covered, then it is possible to extend the path until Case 2 or Case 3 applies.
4.2.2 Computing persistent sets
In this section, we present an algorithm to compute a persistent set in an ART node by means
of a static analysis of the BIP model. This algorithm is an actual implementation of the function
PersistentSet in Algorithm 4.
The basic idea is to find static criteria for selecting a persistent set that can be checked efficiently
by a syntactic analysis of the high-level formal description of the system. It is static in the sense
that the persistent set is constructed on the basis of the current state, without knowing its future
states. This is important, since the future states are not known when the state is expanded.
First, we elaborate how to obtain the dependence relation $D$ of interactions. We compute
the dependence relation statically from the control flow of the system model a priori: two
interactions are dependent if they share a common component. This gives us an over-approximation
of the dependence relation $D$. That is, if $(\gamma_1,\gamma_2) \in D$, then $\gamma_1$ and $\gamma_2$ are considered
dependent, though they may be independent in the reachable state space. We take the
complement of $D$ as an under-approximation of the independence relation.
For simplicity, given an interaction $\gamma$, we denote in the sequel by $D_\gamma$ the set of interactions that
are dependent on $\gamma$, and by $I_\gamma$ the complement of $D_\gamma$, i.e. the set of interactions
that are independent of $\gamma$.
We now introduce the definition of an enabling set for a disabled interaction in an ART node.
Definition 4.2.8 (Enabling set) Let $\gamma$ be a disabled interaction in an ART node $\eta$. An enabling
set for $\gamma$ in $\eta$ is a set of interactions $N_\gamma$ such that for all sequences of interactions $\eta \xrightarrow{\gamma_1\ldots\gamma_n} \eta' \xrightarrow{\gamma}$,
there is at least one interaction $\gamma_i \in N_\gamma$, $i \in [1,n]$.
An enabling set of a disabled interaction in an ART node characterizes the interactions that
may interfere with the disabled interaction in the control flow. A disabled interaction can be
taken only if some interactions in its enabling set are taken first.
To compute an enabling set for a disabled interaction, we use a fine-grained static analysis.
Formally, given a disabled interaction $\gamma = \langle g, P, f\rangle$ in an ART node $\eta = \langle\langle l_1,\phi_1\rangle, \ldots, \langle l_n,\phi_n\rangle, \phi\rangle$,
for each component $B_i$ such that $P \cap P_i = \{p_i\}$ and there is no outgoing transition
$\langle l_i, g_i, p'_i, f_i, l'_i\rangle \in E_i$ with $p'_i = p_i$, we say that another interaction $\gamma' = \langle g', P', f'\rangle$ is in the
enabling set $N_\gamma$ of $\gamma$, if $P' \cap P_i = \{p'_i\}$ and there is a path in $B_i$ from $l_i$ to a control location
that has an outgoing transition labelled by $p_i$.
Finally, we present the algorithm for computing a persistent set in Algorithm 5. The algorithm
builds a persistent set incrementally by making sure that the following conditions hold:
1. $\Gamma_{stub}$ contains at least one enabled interaction if the set of enabled interactions on $\eta$ is
non-empty;
2. for each disabled interaction $\gamma \in \Gamma_{stub}$, there is an enabling set $N_\gamma$ such that
$N_\gamma \subseteq \Gamma_{stub}$;
3. for each enabled interaction $\gamma \in \Gamma_{stub}$, $D_\gamma \subseteq \Gamma_{stub}$.
The following theorem states that the set of enabled interactions in the returned set is indeed
a persistent set.
Theorem 4.2.9 Let $\Gamma_{stub}(\eta)$ be a set returned by Algorithm 5, and let $\Gamma'$ be the set of all enabled
interactions in $\Gamma_{stub}(\eta)$. Then $\Gamma'$ is a persistent set in the given ART node $\eta$.
Algorithm 5 Persistent set computation
1: procedure PERSISTENTSET($\eta$, $M_{BIP}$)
2:   $\Gamma_{work} = \{\gamma\}$ such that $\gamma$ is enabled on $\eta$
3:   $\Gamma_{stub} = \emptyset$
4:   while $\Gamma_{work} \neq \emptyset$ do
5:     pick some $\gamma \in \Gamma_{work}$
6:     $\Gamma_{work} = \Gamma_{work} \setminus \{\gamma\}$, $\Gamma_{stub} = \Gamma_{stub} \cup \{\gamma\}$
7:     if $\gamma$ is enabled then
8:       $\Gamma_{work} = \Gamma_{work} \cup (D_\gamma \setminus \Gamma_{stub})$
9:     else
10:      $N_\gamma = EnablingSet(\gamma, \eta, M_{BIP})$
11:      $\Gamma_{work} = \Gamma_{work} \cup (N_\gamma \setminus \Gamma_{stub})$
12:  return $\Gamma_{stub}$
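The following Python program is an added example (not the thesis's code) of Algorithm 5 applied to the control structure of Figure 4.1, with the static dependence relation $D$ (interactions sharing a component) of this section and enabling sets computed as in Definition 4.2.8, by searching the component automaton for a location that has the missing port outgoing. The component names c1, c2, ctrl, the representation of an ART node as a map from components to control locations, and the function names are assumptions of the example.

```python
# Added example (not the thesis's code): Algorithm 5 run on the control structure
# of Figure 4.1.  Dependence is the static "shares a component" relation of this
# section and enabling sets follow Definition 4.2.8; the component automata,
# port names and the ART nodes below are constructed for this example.


def client(i):
    """Client component: I -try-> W -enter-> C -leave-> I (constructed)."""
    return [(f"I{i}", f"try{i}", f"W{i}"), (f"W{i}", f"enter{i}", f"C{i}"),
            (f"C{i}", f"leave{i}", f"I{i}")]


# component -> transitions (src, port, dst); the controller has one location S
COMPONENTS = {"c1": client(1), "c2": client(2),
              "ctrl": [("S", "enter", "S"), ("S", "leave", "S")]}
# interaction -> set of ports (guards and data transfer play no role here)
INTERACTIONS = {"try1": {"try1"}, "try2": {"try2"},
                "enter1": {"enter1", "enter"}, "enter2": {"enter2", "enter"},
                "leave1": {"leave1", "leave"}, "leave2": {"leave2", "leave"}}
OWNER = {p: c for c, ts in COMPONENTS.items() for _, p, _ in ts}


def comps(gamma):
    """Components participating in an interaction."""
    return {OWNER[p] for p in INTERACTIONS[gamma]}


def has_outgoing(comp, loc, port):
    return any(s == loc and q == port for s, q, _ in COMPONENTS[comp])


def structurally_enabled(gamma, locs):
    """locs: component -> current control location of the ART node."""
    return all(has_outgoing(OWNER[p], locs[OWNER[p]], p) for p in INTERACTIONS[gamma])


def dependent(gamma):
    """D_gamma: static over-approximation, every interaction sharing a component."""
    return {g for g in INTERACTIONS if g != gamma and comps(g) & comps(gamma)}


def port_reachable(comp, start, port):
    """Is there a path in `comp` from `start` to a location with `port` outgoing?"""
    seen, stack = set(), [start]
    while stack:
        loc = stack.pop()
        if loc in seen:
            continue
        seen.add(loc)
        for s, q, d in COMPONENTS[comp]:
            if s == loc:
                if q == port:
                    return True
                stack.append(d)
    return False


def enabling_set(gamma, locs):
    """N_gamma per Definition 4.2.8: for each component that blocks gamma (no
    outgoing transition on gamma's port) but can still reach such a location,
    every other interaction that moves that component is in the enabling set."""
    nset = set()
    for p in INTERACTIONS[gamma]:
        c = OWNER[p]
        if has_outgoing(c, locs[c], p):
            continue                      # this component does not block gamma
        if port_reachable(c, locs[c], p):
            nset |= {g for g in INTERACTIONS if g != gamma and c in comps(g)}
    return nset


def persistent_set(locs):
    """Algorithm 5; returns (Gamma_stub, Gamma') with Gamma' its enabled part."""
    enabled = [g for g in INTERACTIONS if structurally_enabled(g, locs)]
    if not enabled:
        return set(), set()
    work, stub = {enabled[0]}, set()      # Gamma_work starts from one enabled gamma
    while work:
        g = work.pop()
        stub.add(g)
        if g in enabled:
            work |= dependent(g) - stub   # line 8 of Algorithm 5
        else:
            work |= enabling_set(g, locs) - stub   # lines 10-11
    return stub, {g for g in stub if g in enabled}
```

At the initial node $(I_1, I_2, S)$ the returned $\Gamma_{stub}$ is $\{try_1, enter_1, leave_1\}$ and its enabled part $\Gamma'$ is $\{try_1\}$, so only one of the two interleavings of the motivating example at the start of Section 4.2 is explored. At $(W_1, W_2, S)$ both enter interactions share the controller, every interaction ends up in $\Gamma_{stub}$, and no reduction is possible; this is the situation in which two interactions always share a component, which Section 4.3 identifies as the reason for the limited reduction on highly synchronized models. The pick in line 5 of Algorithm 5 is order-independent here, since $\Gamma_{stub}$ is the closure of the start interaction under $D_\gamma$ and $N_\gamma$.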
Proof 4.2.10 Suppose $\Gamma'$ is not a persistent set on the ART node $\eta$. Then there is a path
$\eta \xrightarrow{\gamma_1} \eta_1 \xrightarrow{\gamma_2} \eta_2 \ldots \xrightarrow{\gamma_n} \eta_n \xrightarrow{\gamma}$ such that for all $i \in [1,n]$, $\gamma_i \notin \Gamma'$, and $\gamma$ depends on some interaction $\gamma'$
in $\Gamma'$.
Assume $\gamma$ is enabled on $\eta$. Then $\gamma$ should be included in the set $\Gamma_{stub}$, and in
$\Gamma'$ as well, since it depends on $\gamma'$, contradicting the assumption.
Assume $\gamma$ is disabled on $\eta$. Since it is enabled on $\eta_n$, there must be a nonempty enabling
set for $\gamma$ on the node $\eta$. Moreover, there is at least one interaction $\gamma_j$, $1 \le j \le n$, in this enabling
set, and according to the assumption, $\gamma_j$ is disabled on $\eta$, otherwise $\gamma_j$ would be in $\Gamma'$. Then by
repeating the same reasoning, there is an interaction $\gamma_{j'}$, $1 \le j' < j$, in the enabling set for $\gamma_j$, and
$\gamma_{j'}$ is disabled on $\eta$. In the end, we conclude that $\gamma_1$ is in some enabling set and is disabled in
$\eta$, which contradicts the assumption.
Thus, $\Gamma'$ is indeed a persistent set.
4.3 Experimental evaluation
We have implemented the proposed verification techniques for BIP on top of the Kratos
software model checker [36], the symbolic model checker nuXmv [33] and the SMT solver
MathSAT5 [38]. To evaluate the performance of the proposed techniques, we carried out a
comprehensive experimental evaluation, where we took a set of benchmarks from the literature
[26] and modeled them in the BIP framework. The benchmarks include the ticket mutual
exclusion protocol, the ATM transaction model, the leader election algorithm, a Quorum
consensus algorithm and the reactor temperature control system. For each benchmark, we
also create an unsafe version with manually injected faults. All these benchmarks are infinite-state
and scalable with respect to the number of components. In the experiments we create
ten instantiations for each benchmark model. In total we have 120 models. The details of all
the benchmark models are provided in the Appendix. All the experiments have been run on a
64-bit Linux PC with a 2.8 GHz Intel i7-2640M CPU, with a memory limit of 4 GB and a time
limit of 300 seconds per benchmark.
In the experiments, we run the following two configurations of our prototype tool: 1) plain lazy
abstraction, denoted by 'plain' in the plots; 2) lazy abstraction with persistent set reduction,
denoted by 'pset' in the plots. For simplicity, we refer to lazy abstraction with persistent set
reduction as persistent set reduction in the sequel. We compare them to two other infinite-state
verification techniques implemented in nuXmv [33]: the state-of-the-art IC3 algorithm
for software model checking [37] (IC3 in the sequel) and implicit predicate abstraction
model checking [138] (IPA in the sequel). For the translation from BIP to nuXmv, we refer
to the encoding in Chapter 2. We measure both the running time for solving safe and unsafe
benchmarks, and the memory consumption of the three configurations of our prototype tool
in terms of the number of created ART nodes. We do not compare the performance of our
tool to DFinder [21] or the work in [95], since they do not handle data transfer in interactions or
infinite-state models.
We present the evaluations in the following subsections. The detailed statistics are provided
in Appendix A.5 and Appendix A.6.
4.3.1 Comparing lazy abstraction to persistent set reduction
In Figure 4.3, we compare the two configurations of our prototype tool, and show the scatter
plots of the time for solving each benchmark.¹ In the plots (and all the subsequent scatter plots),
the symbol × represents a safe benchmark, and ◦ represents an unsafe benchmark. A point in
the plots indicates the analysis time taken by the algorithms represented by the x-axis and the y-axis.
From the plot, we can see that combining persistent set reduction improves the performance
of lazy abstraction for both safe and unsafe benchmarks. However, the improvement is not
significant.
In order to understand the performance of lazy abstraction and the impact of persistent set
reduction, we collect the time used by each subroutine of the algorithms and compare them in
the bar plots in Figure 4.4 and Figure 4.5. Each bar in the plot represents the total analysis time
for a benchmark model, with different colors showing the time used by the different subroutines.
We only depict the results with a total runtime greater than 1 second. The plot on the left depicts
the results with a runtime greater than 10 seconds, and the one on the right depicts the results
with a runtime from 1 second to 10 seconds.
In plain lazy abstraction, the total runtime consists of the time of the transfer function computation,
i.e. the abstract post image computation, the time of the coverage check, and the time of
counterexample analysis and refinement. The results are shown in Figure 4.4, from which we
can see that the most expensive routines of lazy abstraction are the computation of the transfer
function and the coverage check.
¹ Red diagonal guides provide a reference for comparison, each indicating a shift of one order of magnitude.
Figure 4.3 – Lazy abstraction vs. lazy abstraction with persistent set reduction (scatter plots not reproduced)
Lazy abstraction with persistent set reduction contains all the subroutines of lazy abstraction,
and additionally the time of persistent set computation and the time of cycle
detection. The results are shown in Figure 4.5. We can see that in addition to the expensive
subroutines of transfer function computation and coverage check, the cycle detection also
contributes significantly to the total runtime. This subroutine is necessary for persistent set
reduction to solve the ignoring problem. In fact, as also noticed recently in [142], solving the
ignoring problem using cycle detection is computationally expensive, since whenever a cycle
is found, we have to fully expand all the postponed interactions and visit a large number of
redundant states. It is often the bottleneck and limits the power of partial order reduction.
We also measure the effect of partial order reduction as the percentage of successful reductions
over the total number of attempts. That is, each ART node expansion counts as one reduction
attempt; a successful reduction explores only a strict subset of all the enabled interactions,
while a failed reduction explores all the enabled interactions. We only list the results for the
solvable benchmarks, and for simplicity of presentation, the entries with 0 percentage from the
same benchmark family are collapsed into a single entry. The result is shown in Table 4.1.
The result in Table 4.1 shows that persistent set reduction as presented in this dissertation has
limited reduction power on the set of benchmarks we have. There are a number of benchmarks
where no successful reductions are achieved, i.e. the ticket mutual exclusion protocol, the
reactor temperature control system, and the unsafe version of the railway control system.
Apart from the fact that the static persistent set is nonoptimal [2], another main reason
is that these models are highly synchronized, i.e. every two interactions have one common
component involved. Thus, our interaction dependence analysis (we say two interactions are
dependent if they share one common component) reports that all interactions are dependent,
and no reductions are achieved on these benchmarks. This may also explain why the overall
improvements of persistent set reduction are less significant, as shown in the scatter plot in
Figure 4.3.
4.3. Experimental evaluation
Figure 4.4 – Runtime of plain lazy abstraction subroutines
Figure 4.5 – Runtime of lazy abstraction with persistent set reduction subroutines
To summarize, in this subsection we have mainly evaluated the performance of lazy abstraction
and the impact of persistent set reduction. We find that persistent set reduction improves the
abstract analysis, but at the same time it brings the task of solving the ignoring problem, which
reduces the overall improvement. The power of persistent set reduction is also largely determined
by the precision of the dependence analysis. A coarse dependence analysis is computationally
cheap, but may achieve little reduction. In our measurements, it can only reduce models that
exhibit a high degree of concurrency and interleaving.
model                      percentage    model                      percentage
atm_safe_02                0.500000      atm_safe_03                0.492674
atm_safe_04                0.442058      atm_unsafe_02              0.402583
leader_election_safe_02    0.400000      leader_election_safe_03    0.543478
leader_election_safe_04    0.481553      leader_election_safe_05    0.410788
leader_election_unsafe_02  0.466667      leader_election_unsafe_03  0.555556
leader_election_unsafe_04  0.465347      leader_election_unsafe_05  0.395445
quorum_safe_02             0.297872      quorum_safe_03             0.327189
quorum_safe_04             0.320191      quorum_safe_05             0.285627
quorum_unsafe_02           0.400000      quorum_unsafe_03           0.400000
quorum_unsafe_04           0.400000      quorum_unsafe_05           0.400000
quorum_unsafe_06           0.400000      quorum_unsafe_07           0.400000
quorum_unsafe_08           0.400000      quorum_unsafe_09           0.400000
quorum_unsafe_10           0.400000      quorum_unsafe_11           0.400000
railway_control_safe_02    0.250000      railway_control_safe_03    0.380282
railway_control_safe_04    0.404762      railway_control_safe_05    0.368159
railway_control_safe_06    0.208363      railway_control_safe_07    0.166628
railway_control_safe_08    0.253109      railway_control_unsafe     0.000000
temperature_safe           0.000000      temperature_unsafe         0.000000
ticket_safe                0.000000      ticket_unsafe              0.000000
Table 4.1 – Percentage of persistent set reduction
4.3.2 Comparing to IC3 and IPA
In this subsection, we compare each of our configurations to both IC3 and IPA in terms of the
running time for solving each benchmark. The results are shown in the following scatter plots.
Figure 4.6 – Lazy abstraction vs. IC3
Figure 4.7 – Lazy abstraction with persistent set reduction vs. IC3
In Figure 4.6 and Figure 4.7, we show the comparisons with IC3. We can see that persistent set
reduction is faster than IC3 for most unsafe benchmarks, though there are some exceptions where
persistent set reduction runs out of time. For safe benchmarks, our techniques are comparable
to IC3, while there are a number of models that can be solved by IC3 but on which the other
techniques run out of time.
In Figure 4.8 and Figure 4.9, we compare each of our techniques to IPA. For safe benchmarks,
plain lazy abstraction is comparable to IPA and persistent set reduction performs slightly better.
For unsafe benchmarks, our techniques always perform better: IPA is unable to solve any of the
unsafe benchmarks.
4.3.3 Cumulative plots
In this subsection, we present the cumulative plots that indicate the number of benchmark
models that can be solved by each technique (y-axis) within the given time (x-axis). In Figure
4.10, we plot the cumulative time of solving the benchmarks for all techniques. The plot shows
that overall IC3 can solve more benchmark models within the time limits. In total, IC3 has
solved 84 benchmark models, IPA has solved 25 models, and plain lazy abstraction and persistent
set reduction have solved 63 and 68 models respectively.
In Figure 4.11 and Figure 4.12, we plot the cumulative time of solving safe and unsafe
benchmarks respectively. The plot in Figure 4.11 shows that for safe benchmarks, IC3 is able to
solve more benchmark models. The other techniques are comparable, with persistent set reduction
performing slightly better. For most unsafe benchmarks, our techniques are faster than IC3.
There are still some unsafe models that can be solved by IC3, while our techniques run out
of time or memory. There is no data in Figure 4.12 for IPA, since it fails to solve any of the
unsafe benchmarks.
We also measure the memory usage of our techniques in terms of the size of the ART. We collect
the number of nodes that are needed to solve each benchmark model. The cumulative plots
are shown in Figure 4.13, Figure 4.14 and Figure 4.15. They show that, for solving the same
number of benchmarks, plain lazy abstraction needs to create more ART nodes than persistent
set reduction, and thus consumes more memory.
Figure 4.8 – Lazy abstraction vs. IPA
Figure 4.9 – Lazy abstraction with persistent set reduction vs. IPA
Figure 4.10 – Cumulative plot of time for all benchmarks
Figure 4.11 – Cumulative plot of time for safe benchmarks
Figure 4.12 – Cumulative plot of time for unsafe benchmarks
Figure 4.13 – Cumulative plot of ART size
Figure 4.14 – Cumulative plot of ART size for safe benchmarks
Figure 4.15 – Cumulative plot of ART size for unsafe benchmarks
4.4 Related work
Much work on the algorithmic verification of safety properties can be found in the literature.
Below, we review the ones most closely related to this dissertation.
In a seminal paper on verification of infinite-state systems [1], the authors prove some general
decidability results and propose a backward reachability analysis technique for safety
verification, relying on the well-structured transition system framework [66]. In [56], the
authors present a uniform forward reachability analysis procedure for infinite-state systems
based on the construction of a covering graph. Later in [90, 88], the authors present an abstract
forward reachability analysis technique for sequential programs based on predicate abstraction
and interpolation-driven abstraction refinement. However, these techniques can hardly scale to
the concurrent system models we consider in this dissertation. The main reason is that they
do not address the state explosion problem resulting from concurrency, which is one of the
major obstacles for the verification of component-based systems. On the other hand, partial
order reduction is the dedicated technique for dealing with concurrency. Though several partial
order reduction techniques have been adopted in software verification [96, 68, 147, 102], they
still suffer from the inefficiency of reasoning about arithmetic.
We roughly classify the techniques for efficient verification of infinite-state concurrent
systems into two categories: 1) combination of symbolic reasoning and explicit reductions;
2) compositional reasoning.
Attempts to combine partial order techniques with abstraction techniques for the efficient
verification of concurrent software have also been made in [36, 145]. In [36], the authors
propose the Explicit Scheduler, Symbolic Thread (ESST) verification framework for multi-threaded
programs with a preemptive and stateful scheduler. However, atomic synchronization among
transitions is not supported. The work in [145] combines the lazy abstraction with interpolants
algorithm for sequential programs [119] with dynamic partial order reduction [102] for the
verification of generic multi-threaded programs with pointers. They put the emphasis on
shared-variable concurrency, and do not leverage the separation between coordination and
computation, which is the core of our approach. Recently, in [86] the author considers
combining abstraction techniques with stubborn set reduction for CSP models. In [8], the authors
combine ample-set-based partial order reduction with BDD-based symbolic model checking, but
no abstraction is involved. In [87], the authors extend stubborn-set-based partial order
reduction to real-time models with zone abstraction.
With respect to compositional reasoning, the most relevant works are [70, 89, 111, 29, 34, 83,
128]. In [70], the authors present a thread modular verification technique for multi-threaded
programs, relying on assume-guarantee style reasoning [101]. In this approach, each thread is
verified against its environment assumption, which is the disjunction of the guarantees of all
the other threads. The guarantee of each thread models all the possible global state updates
performed by this thread. Initially the guarantee is the empty relation, and it is iteratively
extended during the verification process. Later in [89], the authors extend thread modular
verification with counterexample-guided predicate abstraction refinement and apply their
results to data race detection. In [111], the authors formalize thread modular verification in
the abstract interpretation framework, and prove that thread modular verification is essentially
Cartesian abstract interpretation. In [29], the authors also present an assume-guarantee
abstraction refinement technique for compositional verification of component-based systems.
However, the system models being verified are finite-state and without data transfer. In [34],
the authors present a modular verification technique for software components in C. Their
approach consists in, first, abstracting each component as a finite-state automaton by using
predicate abstraction, then checking whether the finite-state automaton specification simulates
the obtained abstractions. The applied abstraction technique is eager in the sense that an
abstract transition system is constructed prior to the actual analysis, as opposed to the lazy
abstraction we apply, where the abstract transition system is constructed on the fly and only
as far as necessary. In [83, 84], the authors propose a compositional verification technique for
multi-threaded programs, where proof rules are encoded as recursion-free Horn clauses and
auxiliary assertions are automatically computed and refined using predicate abstraction and
interpolation. In [80], the authors propose to use Horn clauses as a general representation of
various proof rules, e.g. deductive proof rules, rely-guarantee and assume-guarantee proof rules.
This allows one to automatically synthesize program verification tools, using a Horn clause
solver as the backend engine. Later in [128], the authors combine this compositional verification
technique with a reduction technique based on Lipton's theory of reduction [108]. Reduction is
applied as a program transformation that inserts atomic sections based on a lockset analysis. At
present, their tool still requires manual transformations. Moreover, the programming model is
quite different from ours. They handle shared-variable concurrency, whereas in BIP we consider
multiparty synchronisation and data transfer.
5 Further techniques for improving reductions
In this chapter, we present two further techniques for improving the performance of partial
order reductions for BIP. The first technique is called simultaneous set reduction. As opposed
to persistent set reduction, where the exploration of independent interactions is possibly
postponed, simultaneous set reduction tries to explore the independent interactions in a
single step. Since no interactions are postponed, simultaneous set reduction does not need to
solve the ignoring problem, thus avoiding the expensive cycle detection.
Secondly, we present an advanced reduction technique for a particular class of BIP models,
which have certain symmetric structural features, e.g. component symmetries. Symmetries are
very common in component-based designs. For instance, a system model consisting of one
server and several identical users is symmetric with respect to the users. Permuting the
indices of the users does not affect the satisfaction of certain safety properties, e.g.
deadlocks: if one state is a deadlock state, then permuting the indices of the symmetric
components in the state does not change the deadlock. Thus, we can view the set of states that
are identical under certain permutations as equivalent. In the state space exploration, we can
ideally select and visit only one representative of these equivalent states, if the properties
to be verified are invariant under symmetries. In the second part of this chapter, we
investigate how to exploit symmetries of component-based systems to improve the efficiency of
partial order reductions, the persistent set reduction in particular.
This chapter is based on the following publications:
– Verification of component-based systems via predicate abstraction and simultaneous set
reduction, Qiang, Wang and Bliudze, Simon, International Symposium on Trustworthy
Global Computing (TGC 2015), pages 147–162, 2015, Springer.
– Exploiting Symmetry for Efficient Verification of Infinite-State Component-Based Systems,
Wang, Qiang, International Symposium on Dependable Software Engineering: Theories,
Tools, and Applications (SETTA 2016), pages 246–263, 2016, Springer.
The author proposed the veriﬁcation algorithms, and did the implementations as well.
5.1 Simultaneous set reduction for BIP
In this section, we present a new reduction technique for BIP, called simultaneous set
reduction. It also makes use of the interaction independence of Definition 3.2.1. However,
unlike persistent set reduction, which aims at avoiding the redundant interleavings of
independent interactions, simultaneous set reduction executes as many independent interactions
as possible simultaneously in one step.
In the sequel, we illustrate the idea with an example, then formalize the conditions imposed
on the set of interactions that can be executed simultaneously, and prove that no deadlocks are
missed in the reduced reachable state space. Finally, we show how to combine it with lazy
predicate abstraction, and how to compute the simultaneous sets.
5.1.1 Motivating example
Example 5.1.1 In Figure 5.1, we show a simple BIP model with two components B1 and
B2. Each component defines three local integer variables and may enter the deadlock state
S5 by taking transition error1 or error2 when the guard [x = y] holds. One binary interaction
〈true, {error1, error2}, skip〉 is defined to synchronize the two transitions labeled by ports
error1 and error2, taking the system to an error state. All the other transitions form
singleton interactions, e.g. 〈true, {invalid1}, x = 0; y = 0〉. No data transfer is defined in
this model.
[Figure 5.1: two components B1 and B2, each with control locations S1 to S6 and transitions
labeled by the ports insert_i, request_i, respond_i, valid_i, invalid_i, restart_i and error_i
(guarded by [x = y]), with assignments over the local variables x, y, z; ports error1 and
error2 are joined by the binary interaction.]
Figure 5.1 – The first example for illustrating simultaneous set
On the initial state c0 = 〈〈S1, x = 0, y = 0, z = 0〉, 〈S1, x = 0, y = 0, z = 0〉〉, there are two
enabled interactions γ1 = 〈true, {insert1}, x = 1; y = 0; z = 0〉 and γ2 = 〈true, {insert2},
x = 1; y = 0; z = 0〉. It is easy to see that they are independent interactions; thus, the two
interleavings γ1; γ2 and γ2; γ1 lead to the same state c = 〈〈S2, x = 1, y = 0, z = 0〉,
〈S2, x = 1, y = 0, z = 0〉〉.
In persistent set reduction, one of the two interleavings is selected and explored. In
simultaneous set reduction, we instead execute the two interactions simultaneously in one step
of the abstract reachability analysis. The first question is: what conditions should we impose
on the set of interactions to be executed simultaneously, so that all the deadlock states are
preserved in the reduced state space?
The very first condition is independence. However, independence is not sufficient. Consider
the model in Figure 5.1 and suppose we want to expand the node η = 〈〈S3, φA〉, 〈S4, φB〉, φ〉,
where component B1 is at control location S3 and component B2 is at control location S4. We
first compute the set of enabled interactions Γenab = {{request1}, {restart2}}. Notice that
the interaction {error1, error2} is disabled, because port error1 is disabled in component B1.
Since the two interactions {request1} and {restart2} are independent, we may execute them
simultaneously; however, in doing so we would miss the following (fragment of a)
counterexample from this node: {request1}; {respond1}; {error1, error2}. The reason is that
although the interaction {error1, error2} is disabled on node η, it becomes enabled after the
interactions {request1}; {respond1} are executed.
Thus, when firing interactions simultaneously in one step, we have to make sure that no
counterexample traces would be ignored in the future executions.
5.1.2 Combining simultaneous set reduction with lazy abstraction
Formally, we define the set of interactions that can be safely executed in one step as a
simultaneous set.
Definition 5.1.2 A set of enabled interactions Γsim on a state c is a simultaneous set iff the
following two conditions hold:
1. all the interactions in Γsim are independent in c;
2. for each interaction γ ∈ Γsim and each execution $c \xrightarrow{\gamma} c_0 \xrightarrow{\gamma_1 \ldots \gamma_n} c_n$,
if there is γ′ ∈ Γsim \ {γ} such that γ′ ∉ {γ1, ..., γn}, then γn is independent of all
interactions in Γsim \ {γ}.
Notice the difference between a simultaneous set and the persistent set of Definition 3.2.10:
interactions in a persistent set are inter-dependent, and their interleavings should be taken
into account, while in a simultaneous set, interactions are independent and their interleavings
can be avoided.
The second condition in the above deﬁnition means that in each execution starting from
an interaction in a simultaneous set, the interactions appearing in the execution should be
independent of all the interactions in the simultaneous set, unless all the interactions in the
simultaneous set have been executed.
In order to prove the correctness of simultaneous set reduction, we introduce the following
definitions. Given a BIP model MBIP and its transition system TBIP, we denote by T^R_BIP
the reduced transition system. A transition in T^R_BIP is denoted by
$c \xrightarrow{\Gamma_{sim}} c'$, where Γsim is a simultaneous set on c. Notice that a
transition in T^R_BIP may no longer be a transition in TBIP, but a representation of several
transition sequences.
Formally, suppose Γsim = {γ1, ..., γk}; a transition $c \xrightarrow{\Gamma_{sim}} c'$ in the
reduced transition system T^R_BIP represents the set of transition sequences
$c \xrightarrow{\gamma_{i_1} \ldots \gamma_{i_k}} c'$ in TBIP, where i1, ..., ik is a
permutation of 1, ..., k. We say that each such transition sequence
$c \xrightarrow{\gamma_{i_1} \ldots \gamma_{i_k}} c'$ is a concretization of
$c \xrightarrow{\Gamma_{sim}} c'$. It is not hard to see that for each simultaneous set of
size k there are k! concretizations. The concretizations of a trace in T^R_BIP are defined in
the standard way.
The correctness of simultaneous set reduction with respect to deadlock state reachability
analysis is stated in the following theorem.
Theorem 5.1.3 Every reachable deadlock state in TBIP is also reachable in T^R_BIP.
Proof 5.1.4 Assume that state ce is a deadlock state in TBIP which is reachable by the trace
ρ; we prove that ce is also reachable in T^R_BIP. The proof is by complete induction on the
number of states in the trace ρ.
For the base case |ρ| = 1, the result trivially holds since the initial state is the deadlock.
Assume the theorem holds for all cases with |ρ| ≤ n, where n ≥ 1; we prove that it also holds
for |ρ| = n + 1. Assume that
$\rho = c_0 \xrightarrow{\gamma_0} c_1 \xrightarrow{\gamma_1 \cdots \gamma_{n-1}} c_e$;
we show how to construct a trace ρr in T^R_BIP that represents ρ and also ends in the deadlock
state ce.
If the simultaneous set on state c0 is $\Gamma^0_{sim} = \{\gamma_0\}$, then ρr is ρ. If
$\Gamma^0_{sim} = \{\beta_i \mid i \in [1, k]\} \cup \{\gamma_0\}$, we have that all
interactions βi must be executed in ρ, i.e. for each βi, i ∈ [1, k], there must be an
interaction γj, j ∈ [1, n − 1], such that βi = γj. Otherwise, suppose there is an interaction
βi, i ∈ [1, k], which is not present in ρ; then according to the definition of simultaneous
set, βi must be independent of all interactions γj, j ∈ [1, n − 1], so βi is also enabled on
state ce, contradicting the fact that ce is a deadlock state.
Then, by permuting adjacent independent interactions, we obtain the trace
$\rho' = c_0 \xrightarrow{\gamma_0 \beta_1 \cdots \beta_k} c_{k+1} \xrightarrow{\gamma_{k+1} \cdots \gamma_{n-1}} c_e$,
where the sequence of interactions $c_0 \xrightarrow{\gamma_0 \beta_1 \cdots \beta_k} c_{k+1}$
is a concretization of the transition labeled by the simultaneous set $\Gamma^0_{sim}$, i.e.
$c_0 \xrightarrow{\Gamma^0_{sim}} c_{k+1}$. By the induction hypothesis, the sequence of
interactions $c_{k+1} \xrightarrow{\gamma_{k+1} \cdots \gamma_{n-1}} c_e$ is also a
concretization of some trace ρ′r in T^R_BIP. Thus, ρr is the concatenation of
$c_0 \xrightarrow{\Gamma^0_{sim}} c_{k+1}$ and ρ′r, concluding the proof.
More generally, simultaneous set reduction also preserves the reachability of local component
states. The proof of the following theorem is straightforward. Since no interactions are
postponed or ignored, there is no need to solve the ignoring problem.
Theorem 5.1.5 Given a BIP system model MBIP and its labeled transition system TBIP, if
〈li, Vi〉 is a local state of component i, then there is a state
c′ = 〈〈l1, V1〉′, ..., 〈ln, Vn〉′〉 ∈ CBIP such that 〈li, Vi〉 = 〈li, Vi〉′.
In order to combine simultaneous set reduction with lazy abstraction for BIP, we first lift
the simultaneous set definition to abstract states as in Definition 4.2.5. Then we modify
Algorithm 2 to obtain the combination. The new algorithm is listed in Algorithm 6. It differs
from Algorithm 2 in that when expanding a node, instead of creating a successor node for each
enabled interaction in Γenab, it first computes the set of simultaneous sets Γsim by invoking
the function SimultaneousSet, which is elaborated in the next subsection, and then creates a
successor node for each simultaneous set in Γsim. Notice that since a simultaneous set is a set
of interactions, the node expansion procedure has to be adjusted accordingly. We also remark
that we do not need cycle detection or full node expansion in the new algorithm, since no
interactions are postponed in simultaneous set reduction.
Algorithm 6 Lazy abstraction with simultaneous set reduction for BIP
Input: a BIP model MBIP and an error state
Output: either MBIP is safe, or a counterexample cex
  create an ART T with initial node η0
  create a worklist wl
  push η0 into wl
  while wl ≠ ∅ do
      η ← pop(wl)
      if IsError(η) then
          cex ← BuildCEX(η)
          if cex is real then
              return cex
          else
              Refine(T, cex)
      else if Covering(η) then
          mark η as covered
      else
          ΓS ← SimultaneousSet(η)
          for each Γ ∈ ΓS do
              Expand(η, Γ)
              push the successor into wl
  return MBIP is safe
The following theorem states the correctness of Algorithm 6.
Theorem 5.1.6 Given a BIP model MBIP and an error state encoding the invariant property,
for every terminating execution of Algorithm 6, the following two properties hold:
1. If a counterexample is returned, then it is a concrete counterexample in MBIP;
2. If a safe ART is returned, then MBIP is safe.
Proof 5.1.7 If a counterexample is returned, we know that it is a feasible execution. If an ART
is returned, and suppose there is a concrete execution to a deadlock state, then according to
Theorem 5.1.3 and Theorem 4.1.6, we can conclude that this execution should also be in the
abstraction, contradicting the assumption that a safe ART is returned.
5.1.3 Computing simultaneous set
In this section, we present an implementation of the function SimultaneousSet of Algorithm 6,
which computes the set of simultaneous sets on an ART node. The independence relation is
obtained in the same way as in Section 4.2.2. The implementation is listed in Algorithm 7.
It uses two additional functions, EnabledInteraction and DisabledInteraction. Function
DisabledInteraction computes the set of disabled interactions on an ART node, which is the
complement of the set of enabled interactions.
Algorithm 7 Simultaneous set computation
Input: an ART node η = 〈〈l1, φ1〉, ..., 〈ln, φn〉, φ〉
Output: a set of simultaneous sets Γsim
  ΓE ← EnabledInteraction(η)
  ΓD ← DisabledInteraction(η)
  Γsim ← ∅
  create a worklist of interaction sets wl
  push ΓE into wl
  while wl ≠ ∅ do
      Γ ← pop(wl)
      if there exist γ1, γ2 ∈ Γ such that γ1, γ2 are dependent then
          copy1 ← Γ − {γ1}
          copy2 ← Γ − {γ2}
          push copy1, copy2 into wl
      else if there exist γ1, γ2 ∈ Γ and γ3 ∈ ΓD such that γ3, γ1 are dependent
              and γ3, γ2 are dependent then
          copy1 ← Γ − {γ1}
          copy2 ← Γ − {γ2}
          push copy1, copy2 into wl
      else if Γsim does not contain Γ then
          push Γ into Γsim
  return Γsim
The basic idea is that, starting from the set of enabled interactions, the algorithm
progressively refines this set by splitting it into two sets whenever the set of interactions
cannot be executed simultaneously. The criterion for splitting a set is the following: 1) either
two interactions from the set are dependent; 2) or they are independent of each other, but both
dependent with a disabled interaction. Then this set is split into two sets, each of which is
obtained by removing one of the two interactions. Otherwise, if all interactions are independent
of each other and of the disabled interactions, then the set is a simultaneous set and is added
to the result set Γsim. The following theorem states the correctness of Algorithm 7.
Theorem 5.1.8 Let Γsim be a set returned by Algorithm 7; then Γsim is a set of simultaneous
sets on the given ART node.
Proof 5.1.9 Suppose there is a set Γ ∈ Γsim, and Γ is not a simultaneous set on the given ART
node η. From the computation in Algorithm 7, we know that all interactions in Γ are
independent. Then the only reason preventing it from being a simultaneous set is that there is
a finite execution
$\eta \xrightarrow{\alpha} \eta_0 \xrightarrow{\beta_1} \eta_1 \ldots \eta_{n-1} \xrightarrow{\beta_n} \eta_n$,
where α ∈ Γ, there is an interaction β ∈ Γ with β ∉ {β1, ..., βn}, and βn is dependent with
some interaction γ ∈ Γ. If βn is enabled on η, then γ and βn should be in two different
simultaneous sets, and the above finite execution meets the simultaneous set definition. Thus,
βn is disabled on η, and based on the computation in Algorithm 7, α and γ should have been
split into two sets, which contradicts our assumption that α, γ ∈ Γ. This concludes the proof.
We remark that the above algorithm for computing simultaneous sets is only correct for the BIP
models we consider in this dissertation. Adapting the computation to other formalisms, e.g.
Petri nets, may not result in a correct simultaneous set that preserves deadlock states.
Consider the model in Figure 5.2, consisting of two components B1 and B2. The initial
states of the two components are S1 and S3 respectively. The only interaction synchronizes
transition t5 in component B1 with transition t4 in component B2. Clearly, the two transitions
t1 and t2 are independent on the initial state; however, the set {t1, t2} is not a simultaneous
set. To see why, consider the execution {t2}{t3}{t4, t5} from the initial state: according to the
definition of simultaneous set, {t1} should be independent of all the subsequent interactions
after {t2}, i.e. {t3} and {t4, t5}, which is not the case, since {t1} is dependent with {t4, t5}.
Thus, the set {t1, t2} does not form a simultaneous set. Our algorithm does not return the set
{t1, t2} as a simultaneous set on the initial state, because both interactions t1 and t2 are
dependent with the disabled interaction {t4, t5}.
Considering the complexity of computing simultaneous sets in Algorithm 7, we assume that,
given two interactions γ1 and γ2, the dependence check takes O(1) time with a precomputed
dependence relation. The while loop executes at most |ΓE| times, where |ΓE| denotes the
number of enabled interactions in ΓE, since in each loop execution at most two interactions
are split off and one simultaneous set is added to the worklist. In the worst case,
$|\Gamma_E|^2 \cdot |\Gamma_D|$ checks are needed to find the two interactions to be split in
each loop execution. Thus, the worst case time complexity of Algorithm 7 is
$O(|\Gamma_E|^3 \cdot |\Gamma_D|)$ in terms of the number of interactions in the model.
[Figure 5.2: component B1 with locations S1, S2 and transitions t1, t5; component B2 with
locations S3 to S6 and transitions t2, t3, t4; the only interaction is {t4, t5}.]
Figure 5.2 – The second example for illustrating simultaneous set
5.1.4 Discussions
In this subsection, we compare the simultaneous set reduction and persistent set reduction
through an example borrowed from [143]. Arguably, it is not clear which of the two approaches,
persistent set reduction and simultaneous set reduction has better performance. We try to
give a preliminary theoretical comparison.
Consider first the example model on the left of Figure 5.3, which consists of n concurrent
components. Each component defines three control locations and two transitions. No
interactions between the components are enforced, thus every component executes independently.
Clearly, there are $n!\,2^n$ different executions in this model, yielding a state space of
size $3^n$. On the initial state, there are $2^n$ possible simultaneous sets, each of which
consists of one transition from each component. Simultaneous set reduction yields a reduced
state space of size $2^n + 1$. In contrast, persistent set reduction executes one component at
a time, which yields a state space with $2^{n+1} - 1$ states. Both reductions gain a
significant saving over the full reachable state space, and moreover, simultaneous set
reduction yields roughly half the states of persistent set reduction.
Figure 5.3 – Examples for comparing simultaneous and persistent sets (figure: components B1 … Bn; left, locations S1–S3 with transitions γi1, γi2; right, locations S1–S4 with transitions γi1–γi4)
However, there is no guarantee that simultaneous set always outperforms persistent set. Consider now the example model on the right of Figure 5.3, where each component has two additional transitions leading to a single terminal state. In this case, simultaneous set results in 2^n + 2 states, while a properly implemented persistent set can construct a reduced state space of size 3n + 1, which is tremendously better than simultaneous set reduction.
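As an added illustration of these state counts (example code written for this edit, not part of the thesis), the following Python script builds the two n-component models of Figure 5.3 explicitly and explores them with full interleaving, with a persistent set that expands one component at a time, and with simultaneous sets. Component and location names follow the figure; the two exploration strategies are this example's own simplified encodings of the reductions, valid here because the components never interact.

```python
"""Added example (not the thesis's code): explicit-state exploration of the
n-component models of Figure 5.3 under three strategies, to reproduce the
state counts 3^n, 2^(n+1)-1, 2^n+1 (left model) and 3n+1, 2^n+2 (right)."""
from itertools import product


def local_transitions(with_terminal):
    """Transitions of one component: S1->S2 and S1->S3; in the right-hand
    model of Figure 5.3 also S2->S4 and S3->S4 (a single terminal location)."""
    trans = {"S1": ["S2", "S3"], "S2": [], "S3": []}
    if with_terminal:
        trans["S2"] = ["S4"]
        trans["S3"] = ["S4"]
        trans["S4"] = []
    return trans


def reachable(n, with_terminal, strategy):
    """Explore the product of n identical, non-interacting components and
    return the number of distinct global states visited.  `strategy` chooses
    the successors expanded at each state:
      'full'   - every enabled local transition (full interleaving);
      'pset'   - persistent set: the enabled transitions of the lowest-indexed
                 component that still has one (persistent, since no other
                 component can enable or disable them);
      'simset' - simultaneous set: one enabled transition per component, all
                 fired together in a single step."""
    trans = local_transitions(with_terminal)
    init = tuple("S1" for _ in range(n))
    seen = {init}
    work = [init]
    while work:
        state = work.pop()
        enabled = [(i, loc) for i, loc in enumerate(state) if trans[loc]]
        if not enabled:
            continue  # terminal global state
        if strategy == "full":
            succs = [state[:i] + (nxt,) + state[i + 1:]
                     for i, loc in enabled for nxt in trans[loc]]
        elif strategy == "pset":
            i, loc = enabled[0]
            succs = [state[:i] + (nxt,) + state[i + 1:] for nxt in trans[loc]]
        elif strategy == "simset":
            # components without an enabled transition keep their location
            choices = [trans[loc] or [loc] for loc in state]
            succs = [tuple(c) for c in product(*choices)]
        else:
            raise ValueError("unknown strategy: %s" % strategy)
        for succ in succs:
            if succ not in seen:
                seen.add(succ)
                work.append(succ)
    return len(seen)


def closed_forms(n, with_terminal):
    """State counts stated in Section 5.1.4 for the two models.  The full
    count 4^n for the right-hand model is not stated in the text; it follows
    from each component reaching all four of its locations independently."""
    if not with_terminal:
        return {"full": 3 ** n, "pset": 2 ** (n + 1) - 1, "simset": 2 ** n + 1}
    return {"full": 4 ** n, "pset": 3 * n + 1, "simset": 2 ** n + 2}


if __name__ == "__main__":
    for n in range(1, 6):
        for term in (False, True):
            got = {s: reachable(n, term, s) for s in ("full", "pset", "simset")}
            print(n, "right" if term else "left", got, got == closed_forms(n, term))
```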
To conclude, in general there is no definite guarantee that one reduction outperforms the other. Furthermore, in [143] the authors argue that in the best case, persistent set has the potential to offer good reductions that can never be achieved by simultaneous set reduction. Regrettably, the authors also noticed that there is no clear guarantee of obtaining such a good reduction with persistent set reduction. Moreover, in persistent set reduction one has to resolve the ignoring problem in order to verify general safety properties. In our experience, this task is computationally hard and affects the reduction performance of persistent set significantly. In the next section on experimental evaluation, we compare the power of the two reductions from a practical point of view.
5.2 Experimental evaluation
We have implemented the proposed verification techniques for BIP. To evaluate the performance of the proposed techniques, we carried out a comprehensive experimental evaluation on the set of benchmarks used in the previous experiments. The details of all the benchmark models are provided in the Appendix. All the experiments have been run on a 64-bit Linux PC with a 2.8 GHz Intel i7-2640M CPU, with a memory limit of 4Gb and a time limit of 300 seconds per benchmark.
In the experiments, we denote our new technique by ’simset’ in the plots and compare it to the following techniques: 1) plain lazy abstraction, denoted by ’plain’ in the plots; 2) lazy abstraction with persistent set reduction, denoted by ’pset’; 3) the state-of-the-art IC3 algorithm for software model checking [37] implemented in nuXmv [33], denoted by ’IC3’; 4) implicit predicate abstraction model checking [138], denoted by ’IPA’. We do not compare the performance of our tool to DFinder [21] or to the work in [95], since they do not handle data transfer in interactions or infinite-state models.
The detailed statistics are given in Appendix A.7.
5.2.1 Comparing to lazy abstraction with reductions
In this subsection, we compare lazy abstraction with simultaneous set reduction (simultaneous set reduction for simplicity) to plain lazy abstraction and to lazy abstraction with persistent set reduction (persistent set reduction for simplicity). In Figure 5.4 and Figure 5.5, we show the scatter plots of the time for solving each benchmark. In the plots, the symbol × represents a safe benchmark, and ◦ represents an unsafe benchmark. A point in the plots indicates the analysis time taken by the algorithms represented by the x-axis and the y-axis.
From the plots, we can conclude that 1) persistent set is slightly faster than simultaneous set on safe benchmarks, while simultaneous set is faster on unsafe benchmarks; 2) simultaneous
Figure 5.4 – Lazy abstraction vs. lazy abstraction with simultaneous set reduction (scatter plot of analysis times)
Figure 5.5 – Lazy abstraction with persistent set reduction vs. lazy abstraction with simultaneous set reduction (scatter plot of analysis times)
model                      percentage
atm_safe_02                0.727273
atm_safe_03                0.873747
atm_unsafe_02              0.727273
leader_election_safe_02    0.400000
leader_election_safe_03    0.458333
leader_election_safe_04    0.525253
leader_election_safe_05    0.551122
leader_election_unsafe_02  0.666667
leader_election_unsafe_03  0.500000
leader_election_unsafe_04  0.534884
leader_election_unsafe_05  0.529703
quorum_safe_02             0.171429
quorum_safe_03             0.057971
quorum_safe_04             0.031311
quorum_unsafe_02           0.111111
quorum_unsafe_03           0.000000
railway_control_safe       0.000000
railway_control_unsafe     0.000000
temperature_safe           0.000000
temperature_unsafe         0.000000
ticket_safe                0.000000
ticket_unsafe              0.000000
Table 5.1 – Percentage of simultaneous set reduction
set is also faster than plain lazy abstraction on unsafe benchmarks, while on safe benchmarks, simultaneous set and plain lazy abstraction are comparable. One possible reason why simultaneous set reduction works slightly better than persistent set on unsafe benchmarks is that in persistent set reduction we blindly postpone the exploration of some interactions, which may have the effect of enlarging the length of the counterexample, while in simultaneous set reduction we on the contrary shorten the length of executions by executing several interactions together, thus possibly detecting a counterexample faster.
As in the previous experiments, we also collect the time used by each subroutine of the algorithms and show them in the following bar plots. Simultaneous set reduction contains all the subroutines of lazy abstraction, plus the time of simultaneous set computation, indicated as ’time_of_por’ in the plots. The results are shown in Figure 5.6. Again, we only depict the results with a total runtime greater than 1 second. The plot on the left depicts the results with runtime greater than 10 seconds, and the one on the right depicts the results with runtime from 1 second to 10 seconds. From the plots we can see that the most expensive routines are the computation of the transfer function and the coverage check, which is the same as for lazy abstraction. Compared to persistent set reduction, simultaneous set reduction does not spend time on cycle detection, since it does not need to solve the ignoring problem. This may be a potential advantage over persistent set reduction for general safety property verification. The plots also show that our present simultaneous set computation is not efficient in some cases.
We also measure the percentage of successful reductions over the total attempts. The result is shown in Table 5.1. The benchmarks without any successful reductions are the railway control system, the ticket mutual exclusion protocol and the reactor temperature control system. Simultaneous set reduction achieves fewer reductions than persistent set reduction (shown in Table 4.1), which may explain the fact that on safe benchmarks persistent set reduction works better than simultaneous set reduction, as shown in Figure 5.5. A plausible result is that for unsafe
Figure 5.6 – Runtime of lazy abstraction with simultaneous set reduction subroutines
Figure 5.7 – Lazy abstraction with simultaneous set reduction vs. IC3 (scatter plot of analysis times)
versions of the railway control system, simultaneous set reduction obtains no reduction, while still outperforming plain lazy abstraction. The reason is that in simultaneous set reduction we reorder the interactions to be explored, such that the interactions leading to the error state are always explored first. In plain lazy abstraction, the order of the interactions to be explored is chosen randomly.
5.2.2 Comparing to IC3 and IPA
We also compare each of our configurations to both IC3 and IPA in terms of the running time for solving each benchmark. The results are shown in the scatter plots in Figure 5.7 and Figure 5.8.
In Figure 5.7, we show the comparison with IC3. We can see that for unsafe benchmarks, simultaneous set reduction outperforms IC3. For safe benchmarks, our technique is comparable to IC3, although there are a number of models that can be solved by IC3 on which our technique runs out of time. In Figure 5.8, we show the comparison to IPA. For both safe and unsafe benchmarks, simultaneous set reduction performs better. IPA is unable to solve any unsafe benchmark.
Figure 5.8 – Lazy abstraction with simultaneous set reduction vs. IPA (scatter plot of analysis times)
5.2.3 Cumulative plots
In this subsection, we present the cumulative plots that indicate the number of benchmark models that can be solved by each technique (y-axis) within the given time (x-axis). In Figure 5.9, we plot the cumulative time of solving the benchmarks for all techniques. The plot shows that overall IC3 can solve more benchmark models within the time limits. In total, IC3 has solved 84 benchmark models, IPA has solved 25 models, and plain lazy abstraction, persistent set reduction and simultaneous set reduction have solved 63, 68 and 70 models respectively. Among the three configurations of our prototype tool, persistent set reduction and simultaneous set reduction work better than plain lazy abstraction, as expected. Simultaneous set reduction solves slightly more models than persistent set reduction.
In Figure 5.10 and Figure 5.11, we plot the cumulative time of solving safe and unsafe benchmarks respectively. The plot in Figure 5.10 shows that for safe benchmarks, IC3 is able to solve more benchmark models. The other techniques are comparable, while persistent set reduction performs slightly better.
For unsafe benchmarks, our techniques perform much better than IC3. However, simultaneous set reduction solves almost the same amount of safe benchmarks as plain lazy abstraction. Only for unsafe benchmarks is it able to solve more models, and faster, than lazy abstraction. In other words, simultaneous set reduction is more efficient at finding counterexamples. This result is reasonable because with simultaneous set reduction, some independent interactions are executed simultaneously, thus reducing both the length of counterexamples and the time
Figure 5.9 – Cumulative plot of time for all benchmarks (plot: number of solved benchmarks against time)
Figure 5.10 – Cumulative plot for safe benchmarks (plot: number of solved benchmarks against time)
Figure 5.11 – Cumulative plot for unsafe benchmarks (plot: number of solved benchmarks against time)
Figure 5.12 – Cumulative plot of ART size (plot: number of solved benchmarks against ART nodes)
Figure 5.13 – Cumulative plot of ART size for safe benchmarks (plot: number of solved benchmarks against ART nodes)
to detect them. There is no data in Figure 5.11 for IPA, since it fails to solve all the unsafe benchmarks.
We also measure the memory usage of our techniques in terms of the size of the ART. We collect the number of nodes that are needed to solve each benchmark model. The cumulative plots are shown in Figure 5.12, Figure 5.13 and Figure 5.14. They show that for solving the same amount of benchmarks, plain lazy abstraction needs to create more ART nodes than the other two, thus consuming more memory. The other two are comparable, though simultaneous set reduction creates fewer ART nodes for solving unsafe benchmarks.
5.3 Partial order reduction under symmetry
In this section, we focus on the class of BIP system models that have certain symmetry features, and present how to exploit such symmetries to improve partial order reduction. We build this work on top of the framework presented in Chapter 4. First of all, we extend the notion of interaction independence in Definition 4.2.1 by taking into account the system
Figure 5.14 – Cumulative plot of ART size for unsafe benchmarks (plot: number of solved benchmarks against ART nodes)
symmetries, i.e. two interactions are independent if they commute under some symmetries. The original definition of independence is then the special case of this one with the identity symmetry. Second, we adopt the persistent set based partial order reduction technique [78] by relying on this new notion of independence and show how to combine it with the lazy abstraction of BIP presented in Chapter 4. We have also implemented the proposed verification algorithm and performed a set of experiments. The results show that for systems with certain symmetries, our new algorithm outperforms the others significantly.
5.3.1 Motivating example
We illustrate the basic idea of our veriﬁcation approach, using the ticket mutual exclusion
protocol.
Example 5.3.1 (Ticket mutual exclusion protocol [110]) Consider again the ticket mutual exclusion protocol in Figure 5.15. Upon entering the critical section Ci, i = 1, 2, each process requests a fresh ticket from the controller, then the process waits until its ticket equals the number to be served next. When leaving the critical section, the process resets the ticket and the controller increases the number to be served by one.
Assume we start the state space exploration from the initial state ⟨⟨I1, ticket1 = 0⟩, ⟨S, number = 1, next = 1⟩, ⟨I2, ticket2 = 0⟩⟩; then the following two interactions γ1, γ2 will have to be explored, where γ1 = ⟨true, {request, request1}, ticket1 = number⟩ and γ2 = ⟨true, {request, request2}, ticket2 = number⟩. Apparently, these two interactions γ1, γ2 are not independent according to Definition 4.2.1, since they both modify the variable number in the controller, and the interleavings γ1;γ2 and γ2;γ1 lead to two different states, that is, ⟨⟨W1, ticket1 = 1⟩, ⟨S, number = 3, next = 1⟩, ⟨W2, ticket2 = 2⟩⟩ and ⟨⟨W1, ticket1 = 2⟩, ⟨S, number = 3, next = 1⟩, ⟨W2, ticket2 = 1⟩⟩.
Figure 5.15 – Ticket mutual exclusion protocol (figure: controller S with ports request, enter, leave and updates number++ on request and next++ on leave; processes i = 1, 2 with locations Ii, Wi, Ci, ports requesti, enteri, leavei, update ticketi = number on request, guard [ticketi = next] on enter, and reset ticketi = 0 on leave)
Our observation is that under the following permutation of the process components π = {1 → 2, 2 → 1}, the above two states become identical. Further, mutual exclusion is also invariant under this permutation. Thus, only one of the two states is needed to verify the mutual exclusion property. However, instead of partitioning the state space using symmetry reduction as in [61, 45, 98], we take a different view: under the above permutation, the two interactions γ1, γ2 commute with each other, and the partial order reductions presented in Chapter 4 can be refined by using this new commutativity property.
5.3.2 Symmetry reduction
Initially proposed in [61, 45, 98], symmetry reduction is a useful tool to reduce the search space during the verification of a transition system. It exploits the symmetry of a transition system. Intuitively, a transition system has symmetry if the transition relation remains invariant when states are rearranged by certain permutations.
Definition 5.3.2 A symmetry of a labeled transition system T = ⟨C, Σ, R, C0⟩ is a permutation π over C ∪ Σ that satisfies the following conditions:
1. π(C) = C and π(Σ) = Σ, and
2. ⟨c1, γ, c2⟩ ∈ R iff ⟨π(c1), π(γ), π(c2)⟩ ∈ R, and
3. π(C0) = C0.
Given a transition system T, the set of all symmetries of T forms a group under function composition, denoted by Aut(T). However, obtaining Aut(T) is computationally expensive, since one has to explore the whole state space. In practice, subgroups of Aut(T), which can be obtained from the high-level system structure, are used. Example subgroups include the rotation group, the full component symmetry group and also the Cartesian product of such subgroups.
A subgroup G ⊆ Aut(T) induces an equivalence relation ≡G on T as follows: s ≡G t ⇔ ∃π ∈ G. s = π(t). The equivalence relation ≡G is also called the orbit relation, and it induces a quotient model TG, which is bisimilar to T [61, 45]. Model checking of a symmetric property, i.e. a property that remains invariant under the permutations in G, can be performed on the quotient model. We remark that deadlock states are trivially invariant under symmetry permutations.
As noticed in [44], under arbitrary symmetries, detecting state equivalence is as hard as the graph isomorphism problem. In order to bypass the orbit relation, for some specific symmetry subgroups, e.g. full component symmetry or rotation symmetry, one can select representatives from the orbit relation and define a mapping function that computes these representatives [45, 62, 63]. Then during the state space exploration, states are dynamically mapped to their respective representatives.
5.3.3 Persistent set under symmetry
In this section, we extend the persistent set based partial order reduction [78] by taking
into account the system symmetries. First of all, we generalize the deﬁnition of interaction
independence.
Definition 5.3.3 Given a symmetry group G, two interactions γ1 and γ2 are independent under symmetry G, if and only if for every state c in the global system, there is a symmetry permutation π ∈ G, such that the following conditions hold:
1. if γ1 is enabled in c, then γ2 is enabled in c iff γ2 is enabled in c′, where $c \xrightarrow{\gamma_1} c'$;
2. if γ2 is enabled in c, then γ1 is enabled in c iff γ1 is enabled in c′, where $c \xrightarrow{\gamma_2} c'$;
3. if γ1 and γ2 are both enabled in c, then c′1 = π(c′2), where $c \xrightarrow{\gamma_1\gamma_2} c'_1$ and $c \xrightarrow{\gamma_2\gamma_1} c'_2$.
This new definition differs from the one in Definition 4.2.1 in that two interactions are viewed as independent if their executions commute under some symmetry permutation. As before, for a given interaction γ, we denote by Dγ the set of interactions that are not independent of γ under symmetry.
In the previous chapter, we obtained an under-approximation of the independence relation statically from the system specification: two interactions are independent if they do not share a common component. Though easy to obtain, this approximation is too coarse, and many independent transitions are ignored. For instance, the following two interactions in Figure 5.15, γ1 = ⟨[ticket1 = next], {enter, enter1}, skip⟩ and γ2 = ⟨[ticket2 = next], {enter, enter2}, skip⟩, are independent, but using the above static analysis they are considered as dependent.
In this chapter, we apply a finer static analysis to check whether two interactions are independent. Given two interactions γ1 = ⟨g1, P1, f1⟩ and γ2 = ⟨g2, P2, f2⟩, we check whether they are independent by checking the validity of the following three formulae:
1. $\forall c.\,\exists c'.\; c \models g_1 \wedge c \xrightarrow{\gamma_1} c' \implies (c \models g_2 \equiv c' \models g_2)$
2. $\forall c.\,\exists c'.\; c \models g_2 \wedge c \xrightarrow{\gamma_2} c' \implies (c \models g_1 \equiv c' \models g_1)$
3. there is a permutation π ∈ G, such that the formula $\forall c.\,\exists c_1, c_2.\; c \models g_1 \wedge c \models g_2 \wedge c \xrightarrow{\gamma_1\gamma_2} c_1 \wedge c \xrightarrow{\gamma_2\gamma_1} c_2 \implies c_1 = \pi(c_2)$ is valid.
Considering the complexity, the number of interactions is linear in the size of the system model. Thus, the number of validity checks is also linear in the size of the system model. In order to detect state equivalence under symmetry, one intuitive approach is to traverse all permutations in the symmetry group G. However, this would blow up the analysis, even for the full component symmetry group, whose complexity is factorial in the number of components. As in [63], we use a sorting function that maps a state to a representative in the orbit relation; then two states are equivalent if they are mapped to the same representative. The sorting function requires a total order on the symbolic states of each component. We say a symbolic state c1 is greater than another c2 if c1 > c2 is valid.
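The following added Python example (written for this edit, not the thesis's implementation) gives the ticket protocol of Example 5.3.1 concrete semantics and checks the three conditions of Definition 5.3.3 on individual concrete states, using a sorting function over the process components as the orbit representative under full process symmetry. The tuple layout of states and the function names request, enter and leave are this example's own choices; the data updates follow Figure 5.15.

```python
"""Added example (not the thesis's code): concrete ticket-protocol semantics
and a check of independence under symmetry (Definition 5.3.3) on concrete
states, with the sorted process vector as orbit representative."""


def initial_state(n_procs=2):
    """<<I1, ticket1 = 0>, <S, number = 1, next = 1>, <I2, ticket2 = 0>>,
    stored here as (controller, processes) with the controller first."""
    return (("S", 1, 1), tuple(("I", 0) for _ in range(n_procs)))


def _set_proc(procs, i, new):
    return procs[:i] + (new,) + procs[i + 1:]


def request(state, i):
    """<true, {request, request_i}, ticket_i = number>, then number++ in the
    controller.  Returns None when the interaction is disabled."""
    (loc, number, nxt), procs = state
    if procs[i][0] != "I":
        return None
    return ((loc, number + 1, nxt), _set_proc(procs, i, ("W", number)))


def enter(state, i):
    """<[ticket_i = next], {enter, enter_i}, skip>."""
    ctrl, procs = state
    ploc, ticket = procs[i]
    if ploc != "W" or ticket != ctrl[2]:
        return None
    return (ctrl, _set_proc(procs, i, ("C", ticket)))


def leave(state, i):
    """<true, {leave, leave_i}, ticket_i = 0>, then next++ in the controller."""
    (loc, number, nxt), procs = state
    if procs[i][0] != "C":
        return None
    return ((loc, number, nxt + 1), _set_proc(procs, i, ("I", 0)))


def run(state, interactions):
    """Fire a sequence of (interaction, process index) pairs; None if some
    interaction on the way is disabled."""
    for fire, i in interactions:
        if state is None:
            return None
        state = fire(state, i)
    return state


def representative(state):
    """Orbit representative under full process symmetry: the process
    components are sorted, so two states that differ only by a permutation of
    the processes get the same representative (the sorting-function idea of
    [63] used in Section 5.3.3)."""
    ctrl, procs = state
    return (ctrl, tuple(sorted(procs)))


def independent_on(state, a, b):
    """Conditions 1-3 of Definition 5.3.3 evaluated on one concrete state.
    Condition 3 is checked as equality of representatives, i.e. equality of
    the two interleavings' results up to some permutation of the processes."""
    def enabled(s, x):
        return s is not None and x[0](s, x[1]) is not None

    if enabled(state, a) and enabled(state, b) != enabled(run(state, [a]), b):
        return False  # firing a changed whether b is enabled
    if enabled(state, b) and enabled(state, a) != enabled(run(state, [b]), a):
        return False
    if enabled(state, a) and enabled(state, b):
        return representative(run(state, [a, b])) == representative(run(state, [b, a]))
    return True


def commute_plainly(state, a, b):
    """Commutation without symmetry: both interleavings reach the very same
    concrete state (the Definition 4.2.1 view)."""
    return run(state, [a, b]) == run(state, [b, a])
```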
Since we focus on infinite-state systems, our new partial order reduction should apply to a symbolic abstraction structure, e.g. an abstract reachability tree. As in Section 4.2, we say two interactions are independent under a symmetry G on an abstract state η if they are independent on every concrete state of η.
As also noticed in Section 4.2, independent transitions do not commute under symmetry on symbolic abstraction structures. However, the following lemma shows that independent transitions still commute under symmetry on the concrete states represented by the abstraction structures. Thus, exploiting independence on the symbolic abstraction structure is still sound.
Lemma 5.3.4 Let γ1 and γ2 be two independent transitions under a symmetry permutation π, and let η be an abstract state. Then for all c ∈ β(post(post(η, γ1), γ2)), if there is a state c1 ∈ β(η) such that c = post(post(c1, γ1), γ2), then π(c) ∈ β(post(post(η, γ2), γ1)).
Proof 5.3.5 Assume we have c = post(post(c1, γ1), γ2). Since γ1 and γ2 are independent under the symmetry π, we also have π(c) = post(post(c1, γ2), γ1). According to the semantics of post, it holds that π(c) ∈ β(post(post(η, γ2), γ1)).
We then extend the persistent set in Definition 3.2.10 by relying on the notion of independence under symmetry and by generalising it to the symbolic abstraction structure.
Definition 5.3.6 Given a symmetry G, a set of interactions Γ in an abstract state η is persistent under G if the following conditions hold:
1. Γ ⊆ en(η) and Γ = ∅ if and only if en(η) = ∅;
2. for every trace $\eta \xrightarrow{\gamma_1 \ldots \gamma_n} \eta_n$, where γi ∉ Γ, i ∈ [1, n], γn is abstractly independent under symmetry G of all interactions in Γ;
3. for every execution $\eta = \eta_0 \xrightarrow{\gamma_1 \ldots \gamma_n} \eta_n$, where ηn is implied by some ηi, i ∈ [0, n−1], and for every γ ∈ en(ηj), j ∈ [1, n], there is k ∈ [1, n] such that γ ∈ Γ(ηk).
We remark that a persistent set on an abstract state may not be a persistent set on some of its concrete states, because some interactions may be disabled on the concrete states. But the set of its enabled interactions constitutes a persistent set.
We also use Algorithm 5 in Section 4.2 to compute the persistent set, and the integration with lazy abstraction is straightforward, as in Algorithm 4. We skip the elaboration here. The following theorem states the correctness of the selective search over the symbolic abstraction structure using the new persistent set above.
Theorem 5.3.7 Given a BIP model MBIP, and an error state encoding a safety property that is invariant under symmetry, for every terminating execution of Algorithm 4 with the persistent set under symmetry of Definition 5.3.6, the following properties hold:
1. If a counterexample is returned, then there is a concrete counterexample in MBIP;
2. If a safe ART is returned, then MBIP satisfies the given safety property.
Proof 5.3.8 Item 1 holds by the same argument as Theorem 4.1.6. In order to prove the second item, in the following we prove that the returned ART safely over-approximates the reachable states of MBIP, that is, for every reachable state c in MBIP, there is a symmetry permutation π and an ART node η such that π(c) ⊨ η. The proof is similar to the one in 4.2.6.
According to Theorem 4.1.6, for every reachable state c in MBIP, there is a node ηw in the ART returned by plain lazy abstraction in Algorithm 2, such that c ⊨ ηw. Suppose the path to node ηw is $\eta_0 \xrightarrow{\gamma_1 \ldots \gamma_n} \eta_n$, where η0 is the root and ηn = ηw.
Now we prove that there is another path in the ART returned by Algorithm 4 with persistent set under symmetry, $\eta_0 \xrightarrow{\gamma'_1 \ldots \gamma'_n} \eta'_n$, such that γ′1 is in the persistent set Γ(η0) and π(c) ⊨ η′n for some permutation π.
Case 1: if ηw is a deadlock node, then we show that at least one interaction γi, i ∈ [1, n], in the path $\eta_0 \xrightarrow{\gamma_1 \ldots \gamma_n} \eta_n$ is in the persistent set Γ(η0). Otherwise, suppose that none of the interactions γi, i ∈ [1, n], is in the persistent set Γ(η0); then by the second condition of persistent set in Definition 5.3.6, the interactions in the persistent set Γ(η0) will still be enabled in ηn, which contradicts the assumption that ηw is a deadlock node.
Thus, there is at least one interaction γi, i ∈ [1, n], in the persistent set Γ(η0). Assume the first such interaction is γj, j ∈ [1, n]; then for all interactions γk, k < j, γj is independent of γk. Thus, γj can be moved to the beginning of the path. The new path is the same as γ1 . . . γn, except that γj has been moved to the front.
Then applying Lemma 5.3.4, we can conclude that π(c) ⊨ η′n.
Case 2: if ηw is not a deadlock node, but is covered by some other node in the same path, assume the covering node is ηi, i ∈ [0, n−1]. Assume also that no interaction in the persistent set Γ(η0) occurs among γj, j ∈ [1, i]. Then we know that the interactions in Γ(η0) are also enabled in ηi and in ηn. Then according to the third condition of persistent set in Definition 5.3.6, we know that at least one interaction in Γ(η0) occurs among γj, j ∈ [i+1, n]. Let γk, k ∈ [i+1, n], be the first such interaction; then for the same reason as in case 1, γk can be shifted to the beginning of the path. The new path is the same as γ1 . . . γn, except that γk has been moved to the front.
Then applying Lemma 5.3.4, we can conclude that π(c) ⊨ η′n.
Case 3: if ηw is covered by some node in another path, it is equivalent to prove the conclusion for that other path. Since our models are finite branching, we are guaranteed that there is a path to which the argument of case 2 applies.
Case 4: if ηw is not covered, then it is possible to extend the path until case 2 or case 3 applies.
5.4 Experimental evaluation
We have implemented the proposed verification technique in our prototype model checker for BIP. In the experimental evaluation, we took a subset of the benchmarks from the previous experiments, namely those with certain component symmetries. These include the ticket mutual exclusion protocol in star topology, a leader election protocol in ring topology, and a consensus protocol in star topology. All these benchmarks are scalable in terms of the number of components, all are infinite-state, and they all use data transfer on interactions. We model them in BIP and for each benchmark we create a safe and an unsafe version, and for each version we have 10 instances. All the experiments are performed on a 64-bit Linux PC with a 2.8 GHz Intel i7-2640M CPU, with a memory limit of 4Gb and a time limit of 300 seconds per benchmark.
We run the following configurations of our prototype tool and compare the running time for solving the benchmarks: 1) plain lazy abstraction of BIP (represented as ’plain’ in the plots); 2) lazy abstraction with persistent set reduction (represented as ’pset’ in the plots); 3) lazy abstraction with simultaneous set reduction (represented as ’simset’ in the plots); 4) our new algorithm (represented as ’sympor’ in the plots). For simplicity, we call this new algorithm reduction under symmetry in the sequel. We also compare to a variant of the state-of-the-art invariant verification algorithm IC3 [37]. We do not compare with DFinder [21], since it does not handle data transfer.
The detailed statistics are given in Appendix A.8.
5.4.1 Scatter plots
In the first experiment, we compare our new algorithm to the others in terms of the running time for solving each benchmark. The scatter plots are shown in Figure 5.16, Figure
Figure 5.16 – Lazy abstraction vs. lazy abstraction with reduction under symmetry (scatter plot of analysis times)
5.17, Figure 5.18 and Figure 5.19. In all plots, symbol × represents a safe benchmark, and
◦ represents an unsafe benchmark. A point in the plots indicates the analysis time of the
algorithms represented by x-axis and y-axis.
In Figure 5.16, Figure 5.17 and Figure 5.18, we compare our new algorithm ’sympor’ to plain lazy abstraction, lazy abstraction with persistent set reduction and lazy abstraction with simultaneous set reduction respectively. The results show that our new algorithm is always faster at proving correctness, while for unsafe benchmark models our new algorithm is slower than the others. In Figure 5.19, we compare our new algorithm to IC3 and we find that for both safe and unsafe benchmarks, our new algorithm is always more efficient.
The result that our new algorithm is more efficient at proving correctness is as expected, since in our new algorithm more reduction power is gained by exploiting symmetry. The percentage of successful reductions for each solvable benchmark model is listed in Table 5.2. This percentage does not measure the reduction of the search space, but the ratio of successful reductions over all attempts. That is, a positive percentage means that in some node expansion a successful reduction is achieved and the exploration of some interactions is ignored, but we do not count how many interactions are ignored. Percentage ’1’ in the table means that in every node expansion a successful reduction is achieved. Compared to the percentage of persistent set reduction in Table 4.1, we can see that our new algorithm achieves more reductions. For instance, for the ticket mutual exclusion protocol, persistent set without considering symmetry is unable to obtain any reduction, which is, however, overcome by our
Figure 5.17 – Lazy abstraction with persistent set reduction vs. lazy abstraction with reduction under symmetry (scatter plot of analysis times)
Figure 5.18 – Lazy abstraction with simultaneous set reduction vs. lazy abstraction with reduction under symmetry (scatter plot of analysis times)
Figure 5.19 – IC3 vs. lazy abstraction with reduction under symmetry (scatter plot of analysis times)
new algorithm.
model                      percentage
leader_election_safe_02    1.000000
leader_election_safe_03    1.000000
leader_election_safe_04    1.000000
leader_election_safe_05    1.000000
leader_election_safe_06    1.000000
leader_election_safe_07    1.000000
leader_election_safe_08    1.000000
leader_election_safe_09    1.000000
leader_election_safe_10    1.000000
leader_election_safe_11    1.000000
leader_election_unsafe_02  0.466667
leader_election_unsafe_03  0.555556
leader_election_unsafe_04  0.465347
leader_election_unsafe_05  0.395445
quorum_safe_02             0.297872
quorum_safe_03             0.327189
quorum_safe_04             0.320191
quorum_safe_05             0.285627
quorum_unsafe_02           0.400000
quorum_unsafe_03           0.400000
quorum_unsafe_04           0.400000
quorum_unsafe_05           0.400000
quorum_unsafe_06           0.400000
quorum_unsafe_07           0.400000
quorum_unsafe_08           0.400000
quorum_unsafe_09           0.400000
quorum_unsafe_10           0.400000
quorum_unsafe_11           0.400000
ticket_safe_02             0.230769
ticket_safe_03             0.142857
ticket_safe_04             0.049645
ticket_safe_05             0.037185
ticket_unsafe_02           0.500000
ticket_unsafe_03           0.600000
ticket_unsafe_04           0.666667
ticket_unsafe_05           0.714286
ticket_unsafe_06           0.750000
ticket_unsafe_07           0.777778
ticket_unsafe_08           0.800000
ticket_unsafe_09           0.818182
ticket_unsafe_10           0.833333
ticket_unsafe_11           0.846154
Table 5.2 – Percentage of partial order reduction under symmetry
To understand why our new algorithm takes more time to detect the counterexamples of the
unsafe benchmarks, we plot the running time of each of its subroutines, as in the previous
sections. For our new algorithm, the subroutines are the computation of the transfer function,
i.e. the ART node expansion, the computation of persistent sets, the computation of node
coverage, the cycle detection, the counterexample analysis and abstraction refinement, and
also the computation of the independence relation. The result is depicted in Figure 5.20. We
split the plot into two parts: the first depicts the models whose running time exceeds 5 seconds,
and the second depicts the rest.
The plots show that for the models that can be solved quickly, i.e. within 5 seconds, the
computation of the independence relation contributes a major part of the total running time.
Most of these models are the unsafe ones. We believe that this is the main reason why our new
algorithm takes longer to detect counterexamples. The other algorithms do not pay this cost:
they approximate the independence relation by a static analysis of the system model, whose
cost is negligible. The plot also shows that for models that take more verification time, the
costs of the coverage check and of cycle detection are significant.
5.4.2 Cumulative plots
In Figure 5.21, we plot the cumulative time (x-axis) of solving a number of benchmarks (y-axis).
A point (x, y) in the plot tells us the total number y of benchmarks, each of which can be
verified within the time bound x by the corresponding method. We remark that the time x is
not the sum of the analysis times of all y benchmarks. We see that our new algorithm can always
solve more instances than IC3 within a given time bound, while compared to the other algorithms
it is not always faster, but still solves more instances once the time bound is large enough.
This tells us that the analysis time of our new algorithm grows more slowly than that of the
other algorithms.
In Figure 5.22 and Figure 5.23, we plot the cumulative time of solving safe and unsafe bench-
marks respectively. For safe benchmarks, our new algorithm is always more efficient than all
the others, while for unsafe benchmarks it is slower, for the reasons discussed above.
5.5 Related work
Relevant partial order reduction and abstraction techniques have already been discussed in
the previous chapter. One exception is [144], where the authors explore an idea similar to our
simultaneous set approach: the reachable states of a Petri net are computed as a covering step
graph, and independent transitions of the Petri net are also fired simultaneously under certain
conditions. However, no abstraction is used in their work.
Figure 5.20 – Runtime of lazy abstraction with reduction under symmetry subroutines
Figure 5.21 – Cumulative plot of time for all benchmarks
Figure 5.22 – Cumulative plot of time for safe benchmarks
Figure 5.23 – Cumulative plot of time for unsafe benchmarks
State space symmetries have been extensively investigated in the model checking community
over the decades, leading to a variety of symmetry reduction techniques [61, 45, 98, 63]. However,
most of this work focuses on finite state systems. We refer to [121, 146] for a detailed review.
In [53], the authors propose a symmetry-aware counterexample-guided abstraction refinement
technique for replicated non-recursive C programs. Their abstraction technique is eager, in
the sense that an abstract model is constructed first, which differs from our lazy abstraction
technique. In [57, 97], the authors investigate how to combine symmetry reduction with
ample-set-based partial order reduction. However, both works focus on finite state models,
and no abstraction techniques are used.

6 Design and verification of parameterized systems in BIP
In this chapter, we focus on the modeling and verification of parameterized systems, where
the number of components in the system is not fixed a priori. The verification problem asks
whether the property holds for all system instances. Many efforts have been made in the past
decades to identify decidable fragments and draw the boundaries between decidability and
undecidability. The decidability depends on several factors, the most important being the
underlying communication graph (e.g. rings, stars, cliques) and the means of synchronization
(e.g. token passing with/without information-carrying tokens, broadcast). However, there is no
uniform framework that can capture the various computational models that occur in the literature,
or that enables automatic verification of parameterized systems. As discussed in Chapter 1, there is
also a gap between the mathematical formalisms of parameterized verification research
and verification practice. That is, in order to verify a parameterized system, engineers
have to understand the underlying mathematical model of the system and then identify
a suitable verification technique, if any. This can be a difficult task, since it requires a
deep understanding of the subtle differences between the various mathematical models. Thus, a
uniform modeling and automatic verification framework would be useful.
We ﬁrst present a uniform modeling framework for parameterized systems, by extending the
current BIP component framework introduced in Chapter 2. The core of this framework is
a formal language for system architecture and communication primitives, called first order
interaction logic. We show that many interesting parameterized systems can be uniformly
speciﬁed in this logic. Then we present how to perform automated parameterized veriﬁcation
within our new framework. We also present some decidability results for the veriﬁcation of
parameterized BIP models.
This chapter is based on the following publication:
– Parameterized systems in BIP: design and model checking, Konnov, Igor and Kotek, Tomer
and Wang, Qiang and Veith, Helmut and Bliudze, Simon and Sifakis, Joseph, Proceedings of
the 27th International Conference on Concurrency Theory (CONCUR 2016), pages 30–1,
2016, Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik.
The idea of modeling parameterized systems using ﬁrst order interaction logic was initiated by
Prof.Joseph Sifakis. The author formalized it and applied it to the veriﬁcation of parameterized
systems with the help of other collaborators. The author also did the prototype implementa-
tion, and proved the decidability results.
6.1 Parameterized BIP without priorities
We rely on the notions of BIP component type and interaction introduced in Chapter 2. Recall
that a component type is a transition system B = 〈V, L, P, E, ℓ0〉 over the finite sets L and P, with
initial location ℓ0. We put the following restrictions on the parameterized BIP framework: 1) states
of the components do not have a specific internal structure, or integer variables; 2) we do not
consider interaction priorities.
Since a parameterized system has an unbounded number of components communicating with
each other, the number of interactions is unbounded, and a single interaction may also involve
an unbounded number of ports. The explicit representation of interactions as sets, which is how
we represent interactions in Chapter 2, therefore becomes infeasible.
In this dissertation, we propose the ﬁrst order interaction logic as a uniform and formal
language for system topologies and coordination mechanisms in parameterized systems.
6.1.1 FOIL: First order interaction logic
In this section, we ﬁx a tuple of component types 〈B0, . . . ,Bk−1〉.
FOIL vocabulary. For each port p ∈ P_i of the i-th component type, we introduce a unary port
predicate with the same name p. Further, we introduce a tuple of constants n̄ = 〈n0, . . . , n_{k−1}〉,
which represent the number of components of each type. We also assume the standard
vocabulary of Presburger arithmetic, that is, 〈0, 1, ≤, +〉.
FOIL syntax. Assume an infinite set of index variables I. We say that ψ is a first order
interaction logic formula if it is constructed according to the following grammar:
ψ ::= p(i) | ¬ψ | ψ1 ∧ ψ2 | ψ1 ∨ ψ2 | ∃i::type_j : φ. ψ | ∀i::type_j : φ. ψ,
where p ∈ P0 ∪ · · · ∪ P_{k−1}, i ∈ I, and φ is a formula in Presburger arithmetic over index variables
and the vocabulary 〈0, 1, ≤, +, n̄〉.
Informally, Q i::type_j : φ. ψ, where Q ∈ {∃, ∀}, restricts the index variable i to range over
the components of type B_j that satisfy φ. Notice, however, that the syntax of FOIL does not enforce
type correctness of ports. For instance, one can write a formula ∃i::type_j : p(i) with some
p ∉ P_j. While this formula is syntactically correct, it is not in line with Definition 2.3.2 of
interaction given in Section 2.3, which requires that an interaction can only involve a port
defined in some component. To this end, we say that a FOIL formula is natural if for each of
its subformulae Q i::type_j : φ. ψ(i), for Q ∈ {∃, ∀}, and every atomic formula p(i) of ψ, it holds
that p ∈ P_j. From here on, we assume that all FOIL formulae we consider in this dissertation
are natural.
FOIL semantics. We give the semantics of a FOIL formula by means of structures. A first-
order interaction logic structure (FOIL structure) is a pair ξ = (N, αξ), which consists of the set
of natural numbers, i.e. the domain of ξ, and the interpretation αξ of all unary predicates and of
the constants n̄. The symbols 0, 1, ≤, and + have the natural interpretations over N.
By σ : I → N we denote an assignment that gives values to the free variables in ψ, and by σ[x → j]
we denote the assignment that differs from σ in that the index variable x is mapped to the
value j. For a FOIL structure ξ and an assignment σ, the semantics of FOIL is formally given
as follows (the semantics of Boolean operators and universal quantifiers is defined in the
standard way):
ξ, σ ⊨FOIL p(i)                 iff αξ(p) is true on σ(i)
ξ, σ ⊨FOIL ∃i::type_j : φ. ψ    iff there is l ∈ [0, αξ(n_j)) such that
                                    ξ, σ[i → l] ⊨FOIL ψ and ξ, σ[i → l] ⊨FO φ
where ⊨FO denotes the standard "models" relation of first-order logic.
Finally, for a FOIL formula ψ without free variables and a structure ξ, we write ξ ⊨FOIL ψ
if ξ, σ0 ⊨FOIL ψ for the valuation σ0 that assigns 0 to every index i ∈ I. Since ψ has no free
variables, our choice of σ0 is arbitrary: for all σ we have ξ, σ ⊨FOIL ψ if and only if ξ, σ0 ⊨FOIL ψ.
Decidability. It is easy to show that although checking validity of a FOIL formula is undecid-
able, FOIL contains an important fragment which is known to be decidable:
Theorem 6.1.1 (Decidability of FOIL) The following results about FOIL hold:
(i) Validity of FOIL sentences is undecidable.
(ii) Validity of FOIL sentences in which all additions are of the form i + 1 is decidable.
Proof 6.1.2 (i) FOIL contains Presburger arithmetic with unary predicates, in which satis-
fiability is undecidable [85]. (ii) The formula j = i + 1 is definable in FOIL by i ≤ j ∧ j ≠ i ∧
ψconsecutive(i, j), where ψconsecutive(i, j) = ∀ℓ::type_t. (i ≤ ℓ ∧ ℓ ≤ j) → (ℓ = i ∨ ℓ = j), and
t is the type of i and j. Hence, we can rewrite any FOIL sentence ψ in which all additions are
of the form i + 1 as an equi-satisfiable first-order logic sentence ψ′ without addition (+).
The sentence ψ′ belongs to WS1S, the weak monadic second order theory of (N, 0, 1, ≤), which is
decidable, see [137].
In the following, we only refer to addition of the form i + 1.
6.1.2 Interactions as FOIL structures
In contrast to Definition 2.3.2 of a standard interaction, which is represented explicitly as
a finite set of ports, we use first order interaction logic formulae to define all the possible
interactions of a parameterized system. Our key insight is that each structure of a formula
uniquely defines at most one interaction, and the set of all possible interactions is the union
of the interactions derived from the structures satisfying the formula.
Intuitively, if p(i) evaluates to true in a structure, then the i-th instance of the respective
component type (the type is determined by the port, since each port belongs to exactly one
component type) takes part in the interaction identified with the structure. Thus, we can
reconstruct a standard BIP interaction from a FOIL structure by taking the set of ports whose
indices are evaluated to true by the unary predicates.
Formally, given a FOIL structure ξ = (N, αξ), we define γξ = {(p, m) | j ∈ [0, k), p ∈ P_j, m ∈
[0, αξ(n_j)), αξ(p)(m) = true}, where the notation (p, m) denotes the port p of the m-th compo-
nent of the corresponding type.
Notice that not every γξ is an interaction in the sense of Definition 2.3.2. Indeed, γξ may
include several ports of the same component. We say that ξ induces an interaction if γξ is an
interaction in the sense of Definition 2.3.2.
Definition 6.1.3 (Parameterized BIP Model) A parameterized BIP model is a tuple M_PBIP =
〈B, n̄, ψ, Δ〉, where B = 〈B0, . . . , B_{k−1}〉 is a tuple of component types, ψ is a sentence in FOIL over
the port predicates and a size tuple n̄ = 〈n0, . . . , n_{k−1}〉, and Δ is a linear constraint over n̄.
The tuple n̄ consists of the size parameters for all component types, and the constraint Δ
restricts these parameters, e.g. the formula n0 = 1 ∧ n1 ≥ 10 requires every instance of the
parameterized BIP model to contain exactly one component of the first type and at least ten
components of the second type. The sentence ψ in FOIL restricts both the system topology
and the communication mechanisms.
Definition 6.1.4 (PBIP Instance) Given a parameterized BIP model M_PBIP = 〈B, n̄, ψ, Δ〉 and
a tuple of natural numbers N̄ = 〈N0, . . . , N_{k−1}〉, a PBIP instance is a BIP model M_BIP = 〈B, Γ〉,
where B and Γ are defined as follows:
1. the numbers N̄ satisfy the size constraint Δ,
2. the set of components B is {B_i[j] | i ∈ [0, k), j ∈ [0, N_i)}, and
3. the set of interactions Γ is the set of all interactions γξ induced by structures ξ satisfying ψ
and referring to the ports of components with indices up to the numbers in N̄, that is,
ξ ⊨FOIL ψ and αξ(n̄) = N̄.
For a given PBIP instance model, its semantics is defined as in Definition 2.3.7. The labeled
transition system semantics of a parameterized BIP model is then the union of all the transi-
tion systems, one for each PBIP instance.
Example 6.1.5 (Broadcast in a star) Let 〈〈B0, B1〉, 〈n0, n1〉, ψ, Δ〉 be a parameterized BIP model
with two component types and the size constraint Δ ≡ (n0 = 1). We also assume that component type
B0 has only one port called send and component type B1 defines only one port called receive,
i.e. P0 = {send} and P1 = {receive}. The FOIL formula ψ = ∃i::type0. send(i) specifies broadcast
from the component B0[0], the center of the star, to the leaves of type B1 (the receive predicates
are unconstrained, so any subset of the leaves may take part). The set of interactions
defined by ψ consists of all sets of ports of the form {(send, 0)} ∪ {(receive, d) | d ∈ D} for all
D ⊆ [0, n1) (including D = ∅).
Example 6.1.6 (Milner's scheduler [60]) The components of a token ring schedule tasks in suc-
cession along the ring. We follow the formulation by Emerson & Namjoshi [60]. The component
type B0 is:
Figure 6.1 – Component type of Milner's scheduler (locations S0, S1, S2, S3, S4)
A component has the token if it is in locations S0, S1, or S4. A component must have the token
when it initiates a task (by interacting on port start). The token is then sent to the component's
neighbor by interaction on port snd. The component then waits until (a) its initiated task has
finished, and (b) the component has received the token again. When both (a) and (b) have
occurred, the component may initiate a new task. Note that (a) and (b) may occur in either
order.
The parameterized BIP model of Milner's scheduler is 〈〈B0〉, 〈n0〉, ψ, true〉, where
ψ = ∃i, j::type0 : (j = (i + 1) mod n0). snd(i) ∧ rcv(j) ∧ ψonly(i, j)
ψonly(i, j) = ∀ℓ::type0 : ℓ ≠ i ∧ ℓ ≠ j. ¬(snd(ℓ) ∨ rcv(ℓ))
ψ is a formula without free variables which holds for a structure ξ if its induced interaction
γξ is a send-receive interaction along some edge i → j of the ring, where j is i + 1 modulo n0.
ψonly(i, j) excludes any component other than i and j from participating in the interaction.
The modulo notation abbreviates the expression (i = n0 − 1 → j = 0) ∧ (i < n0 − 1 → j = i + 1).
We discuss how to ensure that exactly one component starts with the token in Section 6.5.4.
Example 6.1.7 (Barrier [28]) Here we consider a barrier synchronization protocol, cf. [28,
Example 6.6]. The component type B0 is: (the self-loops are labeled by the ports loopms, loopnt,
and loopsl)
Figure 6.2 – Component type of a barrier synchronization protocol (locations neutral, master, slave)
The initial location is neutral. A synchronization episode consists of three stages: (i) First, a single
component enters the barrier by moving to master. (ii) Then, each of the other components
moves to slave. (iii) Finally, the master triggers a broadcast and all components leave the barrier
into neutral.
The parameterized BIP model of the barrier synchronization protocol is 〈〈B0〉, 〈n0〉, ψ, true〉,
where ψ = ψgo ∨ ψfollow ∨ ψexit, and
ψgo = ∃i::type0. go(i) ∧ ∀j::type0 : i ≠ j. loopnt(j)
ψfollow = ∃i::type0. loopms(i) ∧ ∀j::type0 : i ≠ j. ψflw-loop(j)
ψexit = ∀i::type0. exit(i)
ψflw-loop(j) = follow(j) ∨ loopnt(j) ∨ loopsl(j)
ψgo, ψfollow, and ψexit describe the interactions of stages (i), (ii), and (iii) respectively.
Example 6.1.8 (Semaphore) This example has two component types, the semaphore type B0
and the process type B1:
Figure 6.3 – Component types of the semaphore example (process B1 with locations idle and busy
and ports begin and finish; semaphore B0 with initial location free and ports request and release)
The system has exactly one semaphore and may have an unbounded number of processes. The
components communicate by pairwise rendezvous on a star whose center is the semaphore.
The processes start in the initial location idle and the semaphore starts in the initial location
free. Any process c may rendezvous with the semaphore by an interaction between the begin
port of the process and the request port of the semaphore. Once such an interaction occurs, the
only possible next interaction is between the same process c and the semaphore; this interaction
consists of the process c's finish port and the semaphore's release port. The semaphore is now
free to interact with any process c′.
We model this semaphore example by a parameterized BIP model 〈〈B0, B1〉, 〈n0, n1〉, ψ, Δ〉, where
Δ ≡ (n0 = 1), ψ = ψrequest ∨ ψrelease, and
ψrequest = ∃i::type0 : i = 0. ∃j::type1. request(i) ∧ begin(j) ∧ ψonly(j)
ψrelease = ∃i::type0 : i = 0. ∃j::type1. release(i) ∧ finish(j) ∧ ψonly(j)
ψonly(j) = ∀ℓ::type1 : ℓ ≠ j. ¬(begin(ℓ) ∨ finish(ℓ))
ψrequest describes the request-begin interactions and ψrelease describes the release-finish inter-
actions. ψonly(j) excludes any component of type B1 other than j from participating in the
interaction.
Example 6.1.9 (Guarded protocol [59]) This example considers a class of parameterized sys-
tems, called guarded protocols [59].
We assume a single component type and specialize the atomic propositions to be the finite set of
control locations. Assume φ(j) is a Boolean formula over the atomic propositions of a component,
indexed with a free index variable j. A disjunctive guard is of the form ∃j::type0 : j ≠ i. φ(j),
where i is a free index variable of the same type as j and φ(j) is a disjunction over atomic
propositions of component j. A disjunctive guarded protocol is a parameterized system whose
transitions are associated with disjunctive guards.
A disjunctive guarded protocol can be specified as a one-type parameterized BIP model 〈〈B〉, 〈n〉, ψ, Δ〉
as follows. On each control location q of the component type, there is a self-loop transi-
tion loop_q. A guarded transition (q, ∃j::type0 : j ≠ i. φ(j), p, q′), where p is the
port, φ(j) = q1(j) ∨ q2(j) ∨ . . . ∨ q_k(j), and q1, q2, . . . , q_k are control locations, can be sim-
ulated by a pairwise rendezvous defined by the following FOIL formula: ∃i, j::type0 : j ≠
i. p(i) ∧ (loop_{q1}(j) ∨ loop_{q2}(j) ∨ . . . ∨ loop_{qk}(j)), where loop_{q1}, . . . , loop_{qk} are the self-loop transi-
tions on locations q1, . . . , q_k respectively.
Similarly, a conjunctive guard is of the form ∀j::type0 : j ≠ i. φ(j), and a conjunctive guarded
protocol is a parameterized system whose transitions are associated with conjunctive guards.
A guarded transition (q, ∀j::type0 : j ≠ i. φ(j), p, q′), where φ(j) is of the same form as
above, can be simulated by the following FOIL formula: ∃i::type0. ∀j::type0 : j ≠ i. p(i) ∧
(loop_{q1}(j) ∨ loop_{q2}(j) ∨ . . . ∨ loop_{qk}(j)), where loop_{q1}, . . . , loop_{qk} are the self-loop transitions on
locations q1, . . . , q_k respectively.
6.2 Parameterized model checking
In this section, we review the syntax and semantics of the indexed version of CTL∗, called
ICTL, which is often used to specify the properties of parameterized systems [28]. Though we
use indexed temporal logics to define the standard parameterized model checking problem,
these logics are not the focus of this dissertation. Further, we introduce the parameterized model
checking problem for parameterized BIP designs and show its undecidability.
Syntax. For a set of index variables I, the ICTL state formulae are written according to the
grammar:
θ ::= true | at(q, i) | ¬θ | θ1 ∧ θ2 | ∃i::type_j : φ. θ | ∀i::type_j : φ. θ | Eϕ | Aϕ,
where q is a location from ⋃_{0≤j<k} L_j, i is an index from the set I, ϕ is a path formula
(to be defined below), and φ is a formula in Presburger arithmetic over the size variables n̄ and
index variables from the set I.
The path formulae are written according to the following grammar:
ϕ ::= θ | ¬ϕ | ϕ1 ∧ ϕ2 | Xϕ | Fϕ | Gϕ | ϕ1 U ϕ2, where θ is a state formula.
Example 6.2.1 In ICTL, the response property of Example 6.1.6 can be written as ∀i::type0 :
0 ≤ i < n0. AG(at(S0, i) → AF at(S1, i)), and the mutual exclusion property of Example 6.1.8
can be written as AG ¬(∃i, j::type1 : 0 ≤ i < n1 ∧ 0 ≤ j < n1 ∧ j ≠ i. (at(busy, i) ∧ at(busy, j))).
Semantics. Given a BIP model M_BIP with the transition system T_BIP (i.e. T_BIP = 〈C, Σ, R, C0〉
by Definition 2.3.7), we inductively define the semantics of ICTL formulae. We briefly discuss
the semantics to highlight the role of quantifiers in indexed temporal logics. For further discussion
and additional definitions, we refer the reader to a textbook, e.g. [47].
State formulae are interpreted over a configuration s and a valuation of index variables σ : I →
N (the semantics of Boolean operators and universal quantifiers is defined in the standard
way):
T_BIP, s, σ ⊨ICTL at(q, i)            iff q = s(j, σ(i)), where q ∈ L_j
T_BIP, s, σ ⊨ICTL ∃i::type_j : φ. θ   iff for some l ∈ [0, N_j), both T_BIP, s, σ[i → l] ⊨ICTL θ and
                                         〈N, 0, 1, ≤, +, N̄〉, σ[i → l] ⊨FO φ
T_BIP, s, σ ⊨ICTL Eϕ                  iff T_BIP, ρ, σ ⊨ICTL ϕ for some infinite path ρ starting from s
Path formulae are interpreted over an infinite path ρ and the valuation function σ as follows
(the semantics for Boolean operators and the temporal operators F and G is defined in the
standard way):
T_BIP, ρ, σ ⊨ICTL θ          iff T_BIP, s, σ ⊨ICTL θ, where s is the first configuration of the path ρ
T_BIP, ρ, σ ⊨ICTL Xϕ         iff T_BIP, ρ^1, σ ⊨ICTL ϕ
T_BIP, ρ, σ ⊨ICTL ϕ1 U ϕ2    iff there is j ≥ 0 such that T_BIP, ρ^j, σ ⊨ICTL ϕ2 and, for all i < j,
                                 T_BIP, ρ^i, σ ⊨ICTL ϕ1,
where ρ^i is the suffix of the path ρ starting with the i-th configuration.
Finally, given a formula ϕ without free variables, we say that T_BIP satisfies ϕ, written T_BIP ⊨ICTL
ϕ, if T_BIP, s0, σ0 ⊨ICTL ϕ for the valuation σ0 that assigns zero to each index from the set I.
The choice of σ0 is arbitrary, as for all σ it holds that T_BIP, s0, σ ⊨ICTL ϕ if and only if
T_BIP, s0, σ0 ⊨ICTL ϕ.
Now we are in a position to formulate the parameterized model checking problem for BIP:
Problem 6.2.2 (Parameterized model checking) The verification problem for a parameter-
ized BIP model 〈B, n̄, ψ, Δ〉 and an ICTL state formula θ without free variables is whether every
instance M_BIP satisfies θ.
Not surprisingly, Problem 6.2.2 is undecidable in general.
Theorem 6.2.3 (Undecidability) Given a two-counter machine M2, one can construct an ICTL
formula AG ¬halt and a parameterized BIP model M_PBIP = 〈B, n̄, ψ, Δ〉 that simulates M2 and
has the property: M2 does not halt if and only if M_BIP ⊨ AG ¬halt for all instances M_BIP of M_PBIP.
Proof 6.2.4 The idea is to simulate a multi-valued token passing ring system within parame-
terized BIP; in [60] the authors have shown how to simulate a two-counter machine with a
multi-valued token ring, so combining the two gives the full proof of the theorem.
Fix a finite set T of token values with |T| ≥ 2 and the component type B0 = 〈V, L, P, E, ℓ0〉, where
1) the control locations are partitioned into three sets: L = L_T ∪ L_N ∪ {start}. Locations in L_T
represent holding the token, while the ones in L_N are without the token; 2) ℓ0 = start; 3) the set of
ports is P = {send_t, receive_t | t ∈ T} ∪ {init_token, init}; 4) every transition (q, send_t, q′) ∈ E
for a token t ∈ T satisfies q ∈ L_T and q′ ∈ L_N, and every transition (q, receive_t, q′) ∈ E for a token
t ∈ T satisfies q ∈ L_N and q′ ∈ L_T. A transition (start, init_token, q′) ∈ E with q′ ∈ L_T initializes the
component with a token, and a transition (start, init, q′) ∈ E with q′ ∈ L_N initializes the component
without a token.
Then the parameterized BIP model is M_PBIP = 〈〈B0〉, 〈n0〉, ψ, n0 ≥ 2〉, where ψ = ψ1 ∨ ψ2 and
ψ1 = ∨_{t∈T} ( ∃x, y::type0 : 0 ≤ x, y < n0 ∧ (y = x + 1 mod n0).
        send_t(x) ∧ receive_t(y)
        ∧ ¬(init(x) ∨ init(y) ∨ init_token(x) ∨ init_token(y))
        ∧ ∧_{t′≠t} ¬(send_{t′}(x) ∨ receive_{t′}(x) ∨ send_{t′}(y) ∨ receive_{t′}(y))
        ∧ ∀z::type0 : 0 ≤ z < n0 ∧ z ≠ x ∧ z ≠ y. ¬(∨_{t″∈T} (send_{t″}(z) ∨ receive_{t″}(z)) ∨ init(z) ∨ init_token(z)) ),
ψ2 = ∃x::type0. ∀y::type0 : 0 ≤ x < n0 ∧ 0 ≤ y < n0 ∧ y ≠ x.
        init_token(x) ∧ init(y) ∧ ¬init(x) ∧ ¬init_token(y)
        ∧ ∧_{t∈T} ¬(send_t(x) ∨ receive_t(x) ∨ send_t(y) ∨ receive_t(y)).
ψ1 specifies the pairwise rendezvous between a component x and its neighbour x + 1 for token
passing, while ψ2 distributes the token initially in the ring.
6.3 Decidability results for parameterized BIP
In this section, we present a fragment of parameterized BIP models, called well-structured
parameterized BIP, and prove that certain safety properties are decidable for this class of BIP.
First of all, we review the theory of the well-structured transition system [1, 66].
6.3.1 Well-structured transition system
The theory of well-structured transition systems is a powerful tool for the verification of infinite-
state systems. In brief, well-structured transition systems are transition systems whose sets of
states are well quasi-ordered and whose transition relations are monotonic with respect to the
well quasi-ordering. Well-known computation models that are well-structured include, e.g.,
lossy channel systems (communicating finite state automata with lossy channels) and Petri nets.
A preorder on a set D, denoted by ⪯, is a reflexive and transitive binary relation on D. A set
U ⊆ D is said to be upward closed with respect to ⪯ if d ∈ U and d ⪯ d′ implies d′ ∈ U. Given
d ∈ D, we define by ↑(d) = {d′ | d ⪯ d′} the upward closure of d with respect to the preorder ⪯.
Given a set B ⊆ D, we define similarly ↑(B) = ⋃_{b∈B} ↑(b). The preorder ⪯ is said to be a well
quasi-order if for every infinite sequence d0, d1, d2, . . . in D there are i < j such that d_i ⪯ d_j.
Equivalently, if a preorder is a well quasi-order, then there is no infinite strictly increasing
sequence of upward closed sets.
For an upward closed set U, we define a minor set of U to be a set Min(U) such that
↑(Min(U)) = U and for all c, c′ ∈ Min(U), if c ⪯ c′ then c = c′. Elements of Min(U) are
also called the generators of U. Assume that ⪯ is a well quasi-order; then the minor set of
an upward closed set is finite. Otherwise, we would have an infinite set of pairwise incomparable
elements, contradicting the assumption of a well quasi-order. Every upward closed set can thus be
represented by its finite minor set.
Definition 6.3.1 (Monotonicity) Given a labeled transition system T = 〈C, Σ, R, C0〉 and a pre-
order ⪯ on the state space C, the transition relation R is monotonic with respect to ⪯ if for all
c1, c2, c3 ∈ C with c1 ⪯ c2 and 〈c1, t, c3〉 ∈ R, there is c4 ∈ C such that c3 ⪯ c4 and 〈c2, t′, c4〉 ∈ R.
Monotonicity means that greater states can always simulate smaller ones. Thus, any finite
execution can be simulated from above, starting from a greater state.
Definition 6.3.2 (Well-structured transition system) Given a labeled transition system T =
〈C, Σ, R, C0〉 and a preorder ⪯ on the state space C, T is well-structured if the following condi-
tions hold:
1. ⪯ is a well quasi-order;
2. R is monotonic with respect to ⪯;
3. for each state c ∈ C, the minor set Min(pre(↑(c))) is computable.
The coverability problem for well-structured transition systems is defined as follows: given a
well-structured transition system with the preorder ⪯ and an upward closed set U of states,
the coverability problem asks if some state in U is reachable from some initial state. It is
known that this problem is decidable for well-structured transition systems, and can be solved
by a general symbolic algorithm [1, 66, 131]. The algorithm performs a backward reachability
analysis from the set of bad states and checks whether some initial state can be reached. Starting
from an upward closed set U of bad states, the algorithm repeatedly applies the predecessor
computation and generates a sequence U0, U1, U2, . . . of upward closed sets, where U0 = U
and U_{i+1} = U_i ∪ pre(U_i) for i ≥ 0. Intuitively, each U_i represents the set of states from which
U is reachable within i steps. The iteration terminates when we reach a point i > 0 such
that U_i = U_{i−1}. In that case, U_i is the set of states from which U is reachable, and the system
is safe if and only if U_i contains no initial state. Each U_i is represented by its finite minor set,
and monotonicity guarantees that pre(U_i) is again upward closed. Termination is guaranteed
when ⪯ is a well quasi-order.
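As an added worked example (not code from the thesis), the backward coverability iteration above run on a small Petri net. The net is a hand-written counter abstraction of the semaphore protocol of Example 6.1.8: a marking counts idle processes, busy processes and free semaphore tokens, the order is componentwise ≤ on these counters (a well quasi-order by Dickson's lemma), and an upward closed set is kept as its finite minor set. That this abstraction is faithful to the PBIP model relies on the processes being indistinguishable, which is an assumption of this example. The bad set is the upward closure of "two processes busy"; a second net with the semaphore guard dropped from the request transition (also constructed here) shows the algorithm reporting a covered initial marking.

```python
# Backward coverability for a Petri net / vector addition system: the generic
# WSTS algorithm of Section 6.3.1 with markings ordered componentwise.
# Marking layout (assumption of this example): (#idle, #busy, #free).

SEMAPHORE = {  # transition name: (pre-vector consumed, post-vector produced)
    "request": ((1, 0, 1), (0, 1, 0)),  # idle process + free semaphore -> busy process
    "release": ((0, 1, 0), (1, 0, 1)),  #   busy process -> idle process + free semaphore
}
BROKEN = {     # constructed variant: request no longer needs the semaphore token
    "request": ((1, 0, 0), (0, 1, 0)),
    "release": ((0, 1, 0), (1, 0, 1)),
}
MUTEX_BAD = {(0, 2, 0)}  # generator of the bad set: two processes busy at once


def leq(a, b):
    """Componentwise order on markings; a wqo by Dickson's lemma."""
    return all(x <= y for x, y in zip(a, b))


def minimize(gens):
    """Minor set: keep only the generators that are not above another generator."""
    gens = set(gens)
    return {g for g in gens if not any(h != g and leq(h, g) for h in gens)}


def pre_gen(g, pre, post):
    """Generator of pre_t(up(g)).  If m -t-> m' and m' >= g then
    m >= g + pre - post and m >= pre, i.e. m >= max(g - post, 0) + pre."""
    return tuple(max(gi - po, 0) + pr for gi, pr, po in zip(g, pre, post))


def backward_coverability(net, bad_gens, covered_by_initial):
    """U_0 = up(bad); U_{i+1} = U_i ∪ pre(U_i) until U_i = U_{i-1}.
    covered_by_initial(g) decides whether some initial marking lies in up(g).
    Returns (bad_reachable, generators of the fixpoint)."""
    U = minimize(bad_gens)
    while True:
        new = minimize(U | {pre_gen(g, pre, post)
                            for g in U for pre, post in net.values()})
        if new == U:
            break
        U = new
    return any(covered_by_initial(g) for g in U), U


def initial_semaphore(g):
    """Initial markings are (n, 0, 1) for every n (one instance per n1 = n in
    Definition 6.1.4): up(g) contains one iff g needs no busy process and at
    most one free token, whatever number of idle processes it asks for."""
    return g[1] == 0 and g[2] <= 1


if __name__ == "__main__":
    print(backward_coverability(SEMAPHORE, MUTEX_BAD, initial_semaphore))
    print(backward_coverability(BROKEN, MUTEX_BAD, initial_semaphore))
```

For the semaphore net the iteration stabilises on the generators {(0, 2, 0), (1, 1, 1), (2, 0, 2)}: every marking from which two busy processes are reachable needs either a busy process or two free tokens, so no initial marking is covered and mutual exclusion holds for every ring size. For the broken net the generator (2, 0, 0) appears after two steps and is covered by the initial marking (2, 0, 1).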
6.3.2 Well-structured parameterized BIP
We consider the fragment of parameterized BIP models with clique topology and a single
component type. Extensions to multi-typed models are straightforward.
We identify a fragment of the ﬁrst order interaction logic, called upward closed FOIL. For
this purpose, we deﬁne an preorder ≺ over the FOIL structures. Given two structures ξ and
ξ′, we denote by ξ≺ ξ′ if αξ(n1)<αξ′(n1) and there is a monotonic injection h : [0,αξ(n1)) →
[0,αξ′(n1)) such that for all p ∈P1, if αξ(p)(i ) evaluates to true, for some i ∈ [0,αξ(n1)), then
αξ′(p)( j ) evaluates to true, for some j ∈ [0,αξ′(n1)), j = h(i ).
Deﬁnition 6.3.3 (Upward closed FOIL) A FOIL formulaψ is upward closed if for all structures
ξ,ξ′, such that ξ |=FOIL ψ and ξ≺ ξ′, then it holds ξ′ |=FOIL ψ.
In terms of BIP interactions, an upward closed FOIL formula $\psi$ has the following property. Given two structures $\xi$ and $\xi'$ of $\psi$, suppose the two induced interactions are $\gamma_\xi = \{(p, i) \mid p \in P_1,\ i \in [0, \alpha_\xi(n_1)),\ \alpha_\xi(p)(i) = true\}$ and $\gamma_{\xi'} = \{(p, j) \mid p \in P_1,\ j \in [0, \alpha_{\xi'}(n_1)),\ \alpha_{\xi'}(p)(j) = true\}$, respectively. If $\xi \prec \xi'$, then there is a monotonic injection $h : [0, \alpha_\xi(n_1)) \to [0, \alpha_{\xi'}(n_1))$ such that for each $(p, i) \in \gamma_\xi$ we have $(p, h(i)) \in \gamma_{\xi'}$. Intuitively, if $\xi \prec \xi'$, then the interaction $\gamma_\xi$ is a subset of the interaction $\gamma_{\xi'}$ under an injective mapping on the port indices. Upward closedness means that adding more ports preserves the validity of the interaction.
Examples of upward closed FOIL formulae include those with only existential quantifiers. FOIL formulae with positive predicates in the scope of universal quantifiers are not upward closed in general.
Example 6.3.4 Consider the FOIL formula $\psi = \exists i :: type_1.\ send(i)$ in Example 6.1.5. The formula $\psi$ is in the upward closed fragment: for instance, given a structure $\xi$ with $\alpha_\xi(n_1) = 2$, $\alpha_\xi(send)(0) = true$ and $\alpha_\xi(send)(1) = false$, then for any structure $\xi'$ with $\xi \prec \xi'$ we have $\alpha_{\xi'}(send)(0) = true$, and hence $\xi' \models \psi$.
Example 6.3.5 Consider the FOIL formula $\psi = \psi_{go} \vee \psi_{follow} \vee \psi_{exit}$ in Example 6.1.7. It is not in the upward closed fragment, because of $\psi_{exit} = \forall i :: type_0.\ exit(i)$. One can check that, for instance, given a structure $\xi$ with $\alpha_\xi(n_0) = 2$, $\alpha_\xi(exit)(0) = true$ and $\alpha_\xi(exit)(1) = true$, there is another structure $\xi'$ with $\alpha_{\xi'}(n_0) = 3$, $\alpha_{\xi'}(exit)(0) = true$, $\alpha_{\xi'}(exit)(1) = true$ and $\alpha_{\xi'}(exit)(2) = false$, such that $\xi \prec \xi'$ but $\xi' \not\models \psi_{exit}$.
Given a parameterized BIP model $M_{PBIP} = \langle B, \bar{n}, \psi, \rangle$, we say that $M_{PBIP}$ is well-structured if its LTS $T_{PBIP} = \langle C_{PBIP}, \Sigma_{PBIP}, R_{PBIP}, C^0_{PBIP} \rangle$ is well-structured, i.e. the union of the LTSs of all instance models is well-structured.
The preorder $\preceq_{PBIP}$ on the state space $C_{PBIP}$ is defined as follows. Given two states $c = q_0 \ldots q_{m-1} \in C_{PBIP}$ and $c' = q'_0 \ldots q'_{n-1} \in C_{PBIP}$ with $m \leq n$, we write $c \preceq_{PBIP} c'$ if there is a monotonic injection $h : [0, m) \to [0, n)$ such that $q_i = q'_{h(i)}$ for each $i \in [0, m)$. It has been shown in [5] that this preorder is a well quasi-order. We remark that the preorder $\preceq_{PBIP}$ is different from the order $\prec$ over FOIL structures.
Proposition 6.3.6 Given a parameterized BIP model $M_{PBIP} = \langle B, \bar{n}, \psi, \rangle$ with LTS $T_{PBIP} = \langle C_{PBIP}, \Sigma_{PBIP}, R_{PBIP}, C^0_{PBIP} \rangle$, if $\psi$ is in upward closed FOIL, then $R_{PBIP}$ is monotonic with respect to the preorder $\preceq_{PBIP}$.
Proof 6.3.7 We have to prove that for all $c_1, c'_1, c_2$, if $c_1 \xrightarrow{\gamma} c'_1$ and $c_1 \preceq_{PBIP} c_2$, then there exists $c'_2$ such that $c_2 \xrightarrow{\gamma'} c'_2$ and $c'_1 \preceq_{PBIP} c'_2$. If the interaction $\gamma$ in state $c_1$ is induced by the FOIL structure $\xi_1$, then, since $\psi$ is upward closed, in state $c_2$ there is another structure $\xi_2$ with $\xi_1 \prec \xi_2$ which defines an interaction $\gamma'$. It is then sufficient to prove that $\gamma'$ is enabled in $c_2$ and labels the transition $c_2 \xrightarrow{\gamma'} c'_2$.
Assume $c_1 = q_0 \ldots q_{m_1-1}$ and $c_2 = q'_0 \ldots q'_{m_2-1}$. Since $c_1 \preceq_{PBIP} c_2$, there is a monotonic injection $h : [0, m_1) \to [0, m_2)$ with $q_i = q'_{h(i)}$ for all $i \in [0, m_1)$. Using the injection $h$, we derive a new structure $\xi_2$ from $\xi_1$, where $\alpha_{\xi_2}(n) = m_2$ and, for each $p \in P_1$, $\alpha_{\xi_2}(p)(j) = true$ for $j = h(i)$ whenever $\alpha_{\xi_1}(p)(i) = true$ for some $i \in [0, m_1)$. Thus $\xi_1 \prec \xi_2$. Since $\psi$ is upward closed, we have $\xi_2 \models \psi$. Then for each port $(p, i) \in \gamma$ we have $(p, j) \in \gamma'$, where $j = h(i)$. Since $(p, i)$ is enabled on $q_i$ and $q_i = q'_{h(i)}$, $(p, j)$ is also enabled on $q'_{h(i)}$. Thus $\gamma'$ is enabled on state $c_2$, which completes the proof.
The following theorem states that if we restrict FOIL formulae to the upward closed fragment, the parameterized BIP model is well-structured.
Theorem 6.3.8 Given a parameterized BIP model $M_{PBIP} = \langle B, \bar{n}, \psi, \rangle$, if the FOIL formula $\psi$ is upward closed, then $M_{PBIP}$ is well-structured with respect to the preorder $\preceq_{PBIP}$.
Proof 6.3.9 Assume the LTS of $M_{PBIP}$ is $\langle C_{PBIP}, \Sigma_{PBIP}, R_{PBIP}, C^0_{PBIP} \rangle$. According to Proposition 6.3.6, the transition relation $R_{PBIP}$ is monotonic with respect to $\preceq_{PBIP}$. Moreover, since the preorder $\preceq_{PBIP}$ is a well quasi-order, it remains to prove that for each state $c \in C_{PBIP}$ the minor set $Min(pre(U(c)))$ is computable. In fact, $Min(pre(U(c)))$ equals $Min(pre(c))$ if $\psi$ is upward closed. In other words, in order to compute the predecessors of an upward closed set, we only need to compute the predecessors of its generators.
It suffices to prove that for all $c' \in U(c)$ and all $c_1 \in C_{PBIP}$ with $c_1 \xrightarrow{\gamma'} c'$, there exists $c_2 \in C_{PBIP}$ with $c_2 \xrightarrow{\gamma} c$ and $c_1 \in U(c_2)$.
Suppose $c = q^c_0 \ldots q^c_{m-1}$, $c_1 = q^{c_1}_0 \ldots q^{c_1}_{m-1}$, $c' = q^{c'}_0 \ldots q^{c'}_{m'-1}$ and $c_2 = q^{c_2}_0 \ldots q^{c_2}_{m'-1}$. Since $c' \in U(c)$, i.e. $c \preceq_{PBIP} c'$, there is a monotonic injection $h : [0, m) \to [0, m')$, $m \leq m'$, with $q^c_i = q^{c'}_j$ for each $i \in [0, m)$ and $j = h(i)$. Using $h$, we construct $c_1$ from $c_2$ as follows: $q^{c_1}_i = q^{c_2}_j$ for each $i \in [0, m)$ and $j = h(i)$. By construction, we have $c_2 \in U(c_1)$.
Assume the FOIL structure for the interaction $\gamma'$ is $\xi_{\gamma'}$. We construct another structure $\xi_\gamma$ from $\xi_{\gamma'}$ using the above $h$, such that $\alpha_{\xi_\gamma}(p)(i) = \alpha_{\xi_{\gamma'}}(p)(j)$ for each $i \in [0, m)$ and $j = h(i)$. Since $\psi$ is upward closed, $\xi_\gamma \models \psi$; otherwise the assumption $\xi_{\gamma'} \models \psi$ would be violated.
From the construction of $c_1$ and $\xi_\gamma$, it is straightforward to see that the interaction $\gamma$ is also enabled on $c_1$ and labels the transition $c_1 \xrightarrow{\gamma} c$. This completes the proof.
Example 6.3.10 In this example, we show that the disjunctive guarded protocol in Example 6.1.9 is well-structured.
First of all, we define the preorder on the state space. Given two states $c = (q_1, q_2, \ldots, q_m)$ and $c' = (q'_1, q'_2, \ldots, q'_n)$ with $m \leq n$, we define $c \preceq c'$ if and only if there is $h : [1, m] \to [1, n]$ such that $q_i = q'_{h(i)}$ for each $i \in [1, m]$. This preorder is useful for characterizing certain safety properties, e.g. mutual exclusion, as upward closed sets: if a state violates the mutual exclusion property, then any larger state also violates it. We then show that the disjunctive guarded protocol has a monotonic transition relation with respect to this preorder.
Suppose a guarded transition $(q, \exists j :: type_0.\ j \neq i.\ \phi(j), p, q')$ is enabled in state $c = (q_1, q_2, \ldots, q_m)$ for process $i$, i.e. $q_i = q$ and there is $j :: type_0$ with $j \neq i$ such that $q_j \models \phi(j)$. Then this guarded transition is also enabled in any state $c' = (q'_1, q'_2, \ldots, q'_n)$ with $c \preceq c'$. This is because if $c \preceq c'$, there is $j' \in [1, n]$ with $j' = h(j)$ for $j \in [1, m]$ and $q'_{j'} = q_j$, thus $q'_{j'} \models \phi(j')$. Suppose further that the successor state of $c$ is $c_t$; it is not hard to see that there is a successor state $c'_t$ of $c'$ such that $c_t \preceq c'_t$.
Similarly, we can show that the conjunctive guarded protocol is not well-structured with respect to the above preorder. This is because the transition relation defined by a conjunctive guard does not guarantee the monotonicity property, i.e. adding more states may make the conjunctive guard unsatisfiable.
We consider the following verification problem for parameterized BIP.
Problem 6.3.11 Given a parameterized BIP model $M_{PBIP} = \langle B, \bar{n}, \psi, \rangle$ and an ICTL state formula $\theta$ with only the temporal operator $G$, the universal path quantifier $A$ and the existential quantifier $\exists$, and without free variables, the verification problem asks whether every instance model $M_{BIP}$ satisfies $\theta$.
Corollary 6.3.12 The above verification problem for a parameterized BIP model $M_{PBIP} = \langle B, \bar{n}, \psi, \rangle$ is decidable if $\psi$ is upward closed.
Proof 6.3.13 The sets of states satisfying ICTL formulae with only the temporal operator $G$, the universal path quantifier $A$ and the existential quantifier $\exists$, and without free variables, are upward closed sets. The decidability then follows directly from Theorem 6.3.8 and the result that the coverability problem is decidable for well-structured transition systems [1, 131].
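As an added illustration of the backward reachability scheme of this section (not code from the thesis), the following Python program runs the iteration $U_{i+1} = U_i \cup pre(U_i)$ over finite bases of minimal words under the subword preorder of Section 6.3.2, on an MSI-like cache coherence protocol written as a broadcast protocol in the sense of Section 6.5.3. The protocol, its buggy variant, the state names and the bad-state basis are all constructed for the example; for a broadcast rule, the minimal predecessors of an upward closed set are obtained from its generators by replacing or inserting the sender.

```python
"""Backward reachability over upward closed sets, in the style of Section 6.3.
Added example, not code from the thesis. Configurations of a clique are words
over the local states; c <= c' iff c is a subword of c' (the monotonic-injection
preorder of Section 6.3.2, a well quasi-order). An upward closed set is kept as
the finite basis of its minimal words and pre is computed on that basis only.
The MSI-like cache protocol below is constructed for the example as a broadcast
protocol in the sense of Section 6.5.3 (every location can receive; a receiver
that does not move takes a self-loop)."""
from itertools import product

def embeds(small, big):  # small <= big: small is a subword of big
    it = iter(big)
    return all(any(s == b for b in it) for s in small)

def minimize(words):
    """Basis of the upward closed set generated by `words`: keep only minimal words."""
    basis = []
    for w in sorted(set(words), key=len):
        if not any(embeds(b, w) for b in basis):
            basis.append(w)
    return basis

def pre_basis(basis, rules, states):
    """Basis of U ∪ pre(U) for the upward closed set U with the given basis.
    A rule (src, dst, recv) moves the sender src -> dst and every other
    component q -> recv[q]. A minimal predecessor of the upward closure of c
    either replaces one letter dst of c by src or inserts the sender src at
    some position; every other letter is replaced by one of its recv-preimages."""
    preds = []
    for c in basis:
        for src, dst, recv in rules:
            inv = {s: [t for t in states if recv[t] == s] for s in states}
            for i, s in enumerate(c):               # the sender is a component of c
                if s == dst:
                    choices = [[src] if j == i else inv[c[j]] for j in range(len(c))]
                    preds.extend(product(*choices))
            for k in range(len(c) + 1):             # the sender is an extra component
                choices = [inv[s] for s in c]
                choices.insert(k, [src])
                preds.extend(product(*choices))
    return minimize(list(basis) + preds)

def backward_reach(bad_basis, rules, states, init):
    """U_0 = bad, U_{i+1} = U_i ∪ pre(U_i), until U_i = U_{i-1} (Section 6.3.1).
    Returns (safe, basis): unsafe iff some basis word is an initial word init^n."""
    u = minimize(bad_basis)
    while True:
        nxt = pre_basis(u, rules, states)
        if set(nxt) == set(u):
            break
        u = nxt
    unsafe = any(all(s == init for s in w) for w in u)
    return not unsafe, u

STATES = ("I", "S", "M")                       # invalid, shared, modified
INVALIDATE = {"I": "I", "S": "I", "M": "I"}    # write broadcast: all other copies become invalid
DOWNGRADE = {"I": "I", "S": "S", "M": "S"}     # read broadcast: a modified copy becomes shared
STAY = {"I": "I", "S": "S", "M": "M"}          # receivers take self-loops
MSI = [("I", "S", DOWNGRADE), ("I", "M", INVALIDATE), ("S", "M", INVALIDATE),
       ("M", "I", STAY), ("S", "I", STAY)]
# Constructed bug: a write no longer invalidates the other caches.
MSI_BUGGY = [("I", "S", DOWNGRADE), ("I", "M", STAY), ("S", "M", STAY),
             ("M", "I", STAY), ("S", "I", STAY)]
# Coherence violations are upward closed (cf. Example 6.3.10): two modified copies, or
# a modified next to a shared copy, whatever the other components are doing.
BAD = [("M", "M"), ("M", "S"), ("S", "M")]

def check(rules):
    return backward_reach(BAD, rules, STATES, "I")

if __name__ == "__main__":
    for name, rules in (("MSI", MSI), ("MSI_BUGGY", MSI_BUGGY)):
        safe, basis = check(rules)
        print(name, "safe" if safe else "UNSAFE", sorted(basis))
```

For the correct protocol the basis never grows beyond the three bad generators, so the fixpoint is reached after one predecessor step; for the buggy one the basis grows until it contains the all-invalid word (I, I), which embeds into every initial configuration.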
6.4 A framework of automated parameterized veriﬁcation in BIP
In this section, we present a general framework for automated parameterized verification in BIP, shown in Figure 6.4. It takes as input a parameterized system design specified in parameterized BIP and then identifies the architecture model of the given system. According to the identification, a suitable parameterized verification technique is chosen. The development of parameterized verification techniques is orthogonal to architecture identification. In the rest of this dissertation, we focus on the latter task.
Architecture identification is an important step in our verification framework. Parameterized BIP can capture various specific architectures: token rings, broadcast in cliques, rendezvous in stars, etc. In the non-parameterized case, knowing the architecture is not crucial, as there are model checking algorithms that apply in general to arbitrary transition systems. However, the architecture dramatically affects both the decidability and the techniques of parameterized model checking. It is crucial to understand the architecture model in the parameterized case in order to achieve automation.
6.5 Identifying the architecture of a parameterized BIP model
In this section, we present how to identify system architectures automatically, and show the
applications to parameterized veriﬁcation. For the sake of exposition, we assume that the
parameterized BIP models have only one component type. Our identiﬁcation framework
extends easily to the general case.
Given an architecture $\mathcal{A}$, e.g. the token ring architecture, an expert in parameterized model checking creates formula templates in FOIL (FOIL-templates) and in temporal logic (TL-templates). FOIL-templates describe the system topology and communication mechanism for architecture $\mathcal{A}$. TL-templates describe the behavior of the component type required by architecture $\mathcal{A}$, e.g. in a token ring, a component which does not have the token cannot send.
Figure 6.4 – Framework of automated parameterized verification in BIP. The figure is a decision chain over a parameterized design in BIP: token passing ring? yes: cutoff results [60]; no: pairwise rendezvous in clique? yes: cutoff results [74]; no: broadcast in clique? yes: well-structured transition system [1]; no: yet another model, handled with your favorite technique.
These templates are designed once for all parameterized BIP models compliant with $\mathcal{A}$. In the sequel, TL-templates are only used for token rings, thus we omit them from the discussion of other architectures.
Given a parameterized BIP model $\langle \langle B \rangle, \langle n \rangle, \psi, \rangle$, not necessarily compliant with the architecture $\mathcal{A}$, the templates for the architecture $\mathcal{A}$ are instantiated to first-order formulae $\varphi^{FOIL}_1, \ldots, \varphi^{FOIL}_m$ and temporal logic formulae $\varphi^{TL}_1, \ldots, \varphi^{TL}$. The first-order logic formulae restrict the set of interactions expressed by the FOIL formula $\psi$. The temporal logic formulae restrict the behavior of the component type $B$. The identification criterion is as follows: if $\varphi^{FOIL}_1 \wedge \cdots \wedge \varphi^{FOIL}_m$ is valid (1) and $B \models_{TL} \varphi^{TL}_1 \wedge \cdots \wedge \varphi^{TL}$ holds, then the parameterized model $\langle \langle B \rangle, \langle n \rangle, \psi, \rangle$ is compliant with the architecture $\mathcal{A}$. In practice, we use an SMT solver to check the validity of the FOIL formulae and a model checker to check that the component type $B$ satisfies the temporal formulae.
In the rest of this section we construct FOIL-templates and TL-templates for well-known
architectures: cliques of processes communicating via broadcast, cliques of processes com-
municating via rendezvous, token rings, processes organized in a star and communicating via
rendezvous. We show that the provided templates identify the architectures in a sound way.
(1) A FOIL formula without free variables is valid if it is satisfied by all FOIL structures $\xi$.
6.5.1 The common templates for BIP semantics
As we discussed in Section 6.1.2, not every FOIL structure induces a BIP interaction. We show that one can write a FOIL-template that restricts FOIL structures to be BIP interactions. The following template $\eta^{FOIL}_{interaction}(P_1)$ expresses that there is no interaction with more than one active port belonging to the same component:
$\forall j :: type_1.\ \bigwedge_{p, q \in P_1,\ q \neq p} \neg p(j) \vee \neg q(j)$
As expected, the template $\eta^{FOIL}_{interaction}(P_1)$ restricts FOIL structures to BIP interactions:
Proposition 6.5.1 Let $P_1$ be a set of ports, and $\eta$ be the instantiation of $\eta^{FOIL}_{interaction}$ with $P_1$. A FOIL structure $\xi$ satisfies $\eta$ if and only if $\xi$ induces an interaction.
In the following, we often need to express that a component has at least one active port, for which we use the template $active(j) \equiv \bigvee_{p \in P_1} p(j)$. We omit the parameterization of $active(j)$ by $P_1$ to simplify notation.
6.5.2 Pairwise rendezvous in a clique
In BIP, two components communicate with pairwise rendezvous, if each of them has an active
port — forming an interaction — and the other components do not have active ports. In this
case, both components make their transitions simultaneously, and the other components
stutter on their states. Pairwise rendezvous has been widely used as a basic primitive in the
parameterized model checking literature, e.g. in [74, 10].
FOIL-templates. We construct a template using two formulae $\eta^{FOIL}_{\leq 2}(P_1)$ and $\eta^{FOIL}_{\geq 2}(P_1)$:
– The formula $\eta^{FOIL}_{\leq 2}(P_1)$ expresses that every interaction has at most two ports:
∀i , j , ::t ype1. active(i )∧active( j )∧active()→ i = j ∨ j = ∨ i = .
– The formula $\eta^{FOIL}_{\geq 2}(P_1)$ expresses that every interaction has at least two ports:
$\exists i, j :: type_1 : i \neq j.\ active(i) \wedge active(j)$.
We show that the combination of $\eta^{FOIL}_{interaction}$, $\eta^{FOIL}_{\geq 2}$ and $\eta^{FOIL}_{\leq 2}$ defines pairwise rendezvous communication in cliques of all sizes:
Theorem 6.5.2 Given a one-type parameterized BIP model $\langle \langle B \rangle, \langle n \rangle, \psi, \rangle$, if $(\psi \wedge \eta^{FOIL}_{interaction}) \leftrightarrow (\eta^{FOIL}_{interaction} \wedge \eta^{FOIL}_{\geq 2} \wedge \eta^{FOIL}_{\leq 2})$ is valid, then for every instance $B^N, \Gamma$ the following holds:
1. every interaction is of size 2, that is, $|\gamma| = 2$ for $\gamma \in \Gamma_{\bar N}$, and
2. for every pair of indices $i$ and $j$ such that $0 \leq i, j < N$ and $i \neq j$, and every pair of ports $p, q \in P_1$, there is a FOIL structure $\xi$ such that $\xi \models_{FOIL} \psi \wedge p(i) \wedge q(j)$.
Proof 6.5.3 Fix an instance $B^N, \Gamma$ of $\langle \langle B \rangle, \langle n \rangle, \psi, \rangle$.
To show Point 1, fix an interaction $\gamma$ of $B^N, \Gamma$. By Definition 6.1.4, there is a FOIL structure $\xi$ such that $\xi \models_{FOIL} \psi$ and $\gamma = \gamma_\xi$. As $\xi$ induces an interaction, by Proposition 6.5.1 we immediately have that $\gamma_\xi$ satisfies an instantiation of $\eta^{FOIL}_{interaction}$. Hence, since $(\psi \wedge \eta^{FOIL}_{interaction}) \leftrightarrow (\eta^{FOIL}_{interaction} \wedge \eta^{FOIL}_{\geq 2} \wedge \eta^{FOIL}_{\leq 2})$ is valid, we conclude that $\xi$ also satisfies $\eta^{FOIL}_{\geq 2} \wedge \eta^{FOIL}_{\leq 2}$. This immediately gives us the required equality $|\gamma_\xi| = 2$.
To show Point 2, fix a pair of indices $i$ and $j$ such that $0 \leq i, j < N$ and $i \neq j$, and a pair of ports $p, q \in P_1$. The set $\gamma = \{(p, i), (q, j)\}$ is an interaction. Obviously, one can construct a FOIL structure $\xi$ that induces $\gamma$. Since $i \neq j$ and $|\gamma_\xi| = 2$, it holds that $\xi \models_{FOIL} \eta^{FOIL}_{interaction} \wedge \eta^{FOIL}_{\geq 2} \wedge \eta^{FOIL}_{\leq 2}$. Thus, since $(\psi \wedge \eta^{FOIL}_{interaction}) \leftrightarrow (\eta^{FOIL}_{interaction} \wedge \eta^{FOIL}_{\geq 2} \wedge \eta^{FOIL}_{\leq 2})$ is valid, it follows that $\xi \models_{FOIL} \psi$. From this and the fact that $\xi$ induces the interaction $\gamma$, we conclude that $\xi \models_{FOIL} \psi \wedge p(i) \wedge q(j)$.
In Theorem 6.5.2, the right-hand side of the equivalence does not restrict the pairs of ports that are included in interactions, e.g., it does not require the ports to be the same. Thus, if the formula $\psi$ is more restrictive than the right-hand side of the equivalence, validity will not hold. Obviously, one can further restrict the equivalence to reflect additional constraints on the allowed pairs of ports.
Applications. Theorem 6.5.2 gives us a criterion for identifying parameterized BIP models where all processes may interact with each other using rendezvous communication. To verify such parameterized BIP models, we can immediately invoke the seminal result by German & Sistla [74, Sec. 4]. Their result applies to specifications written in indexed linear temporal logic without the operator $X$.
More formally, we say that an ICTL path formula $\chi(i)$ is an LTL\X formula if $\chi$ has only one index variable $i$ and $\chi$ contains neither the quantifiers $\exists, \forall, A, E$ nor the temporal operator $X$. Given a parameterized BIP model $\langle \langle B \rangle, \langle n \rangle, \psi, \rangle$ and an LTL\X formula $\chi$, one can check in polynomial time whether every instance $B^N, \Gamma$ satisfies the formula $E\,\exists i :: type_1 : true.\ \chi(i)$.
6.5.3 Broadcast in a clique
In BIP, components communicate via broadcast, if there is a “trigger” component whose
sending port is active, and the other components either have their receiving port active, or
have no active ports. In this section, we denote the sending port with send and the receiving
port with receive. Our results can be easily extended to treat multiple sending and receiving
ports. In a broadcast step, all the components with the active ports make their transitions
simultaneously. Broadcasts were extensively studied in the parameterized model checking
literature [64, 131].
One way to force all the processes to receive a broadcast, if they are ready to do so, is to use priorities in BIP: an interaction has priority over any of its subsets. In BIP without priorities, considered in this dissertation, one can express broadcast by imposing the following restriction on the structure of the component type $B$: every location has a transition labeled with the port receive. This restriction forces all interactions to involve all the components, though some of the components may not change their location, by firing a self-loop transition. This requirement can be statically checked on the transition system of $B$, and if the component type does not fulfill the requirement, it is easy to modify the component type's transition system by adding the required self-loops.
FOIL-templates. First, we define the formula $\eta^{FOIL}_{bcast}(P_1)$, which guarantees that every interaction includes one sending port of one component and the receiving ports of the other components:
$\exists i :: type_1.\ send(i) \wedge \forall j :: type_1 : j \neq i.\ receive(j)$
We show that the combination of $\eta^{FOIL}_{interaction}$ and $\eta^{FOIL}_{bcast}$ defines broadcast in cliques of all sizes:
Theorem 6.5.4 Given a one-type parameterized BIP model $\langle \langle B \rangle, \langle n \rangle, \psi, \rangle$, if $(\psi \wedge \eta^{FOIL}_{interaction}) \leftrightarrow (\eta^{FOIL}_{bcast} \wedge \eta^{FOIL}_{interaction})$ is valid, then for every instance $B^N, \Gamma$ the following holds:
1. every interaction is of size $N$, consisting of one send port and otherwise receive ports, and
2. for every index $c$ such that $0 \leq c < N$, there is a FOIL structure $\xi$ satisfying $\xi \models_{FOIL} \psi \wedge send(c) \wedge \forall j :: type_1 : j \neq c.\ receive(j)$.
Proof 6.5.5 The proof follows the same principle as the proof of Theorem 6.5.2.
Applications. Theorem 6.5.4 gives a criterion for identifying parameterized BIP models in
which all components may send and receive broadcast. Its implications are two-fold. First,
it is well-known that parameterized model checking of safety properties is decidable [1] (cf.
the discussion in [64]), and there are tools for well-structured transition systems applicable
to model checking of parameterized BIP. Second, parameterized model checking of liveness
properties is undecidable [64]. From the user’s perspective, this indicates the need to construct
abstractions, or to use semi-decision procedures.
Identifying sending and receiving ports. Now we illustrate how to automatically detect the sending and receiving ports in a parameterized BIP model. We say that a port $p \in P_1$ of the component type may be a sending port if in every interaction exactly one component uses this port. Similarly, we say that a port $q \in P_1$ of the component type may be a receiving port if in every interaction all but one component use this port. Intuitively, we have to enumerate all port types and check whether they act as sending ports or receiving ports. Formally, to find out whether $p$ is a potential sending port and $q$ a potential receiving port, we check whether the following is valid:
$\psi \wedge \eta^{FOIL}_{interaction} \wedge \exists i :: type_1.\ p(i) \vee q(i) \;\rightarrow\; \big( \exists i :: type_1.\ p(i) \wedge \forall j :: type_1 : j \neq i.\ q(j) \big)$
6.5.4 Token rings
The token ring is a classical architecture: (i) all processes are arranged in a ring, and (ii) one
component owns the token and can pass it to its neighbors. It is easy to express token-passing
with rendezvous, so we re-use the formulae from Section 6.5.2. We assume that there is a pair
of ports: the port send giving away the token and the port receive accepting the token. We do
not allow the token to change its type, as the parameterized model checking problem in this
case is undecidable [136, 60]. Nevertheless, it is easy to extend our results to multiple token
types. Here the token is passed in one direction, i.e. every component can only receive the
token from one neighbor and send it to the other neighbor.
TL-templates. Following the standard assumption [60], we require that every process sends and receives the token infinitely often. We encode this requirement as a local constraint in the form of an LTL formula that is checked against the component type (not a BIP instance):
$G\,(receive \rightarrow X(\neg receive\ U\ send)) \;\wedge\; G\,(send \rightarrow X(\neg send\ U\ receive))$
The left conjunct forces a component to eventually send the token if the component has received the token. The right conjunct does not allow a component to send the token twice without receiving the token before the second send.
FOIL-templates. We extend the pairwise rendezvous templates with an additional formula $\eta^{FOIL}_{uniring}(P_1)$ that restricts the interactions to be performed only among neighbors, in one direction:
$\exists i, j :: type_1.\ (j = (i+1) \bmod n_1).\ active(i) \wedge active(j) \wedge send(i) \wedge receive(j)$
Note that the modulo notation "$j = (i+1) \bmod n_1$" can be seen as syntactic sugar, as it expands into $(i = n_1 - 1 \rightarrow j = 0) \wedge (i < n_1 - 1 \rightarrow j = i + 1)$.
Theorem 6.5.6 Given a one-type parameterized BIP model $\langle \langle B \rangle, \langle n \rangle, \psi, \rangle$, if $(\psi \wedge \eta^{FOIL}_{interaction}) \leftrightarrow (\eta^{FOIL}_{interaction} \wedge \eta^{FOIL}_{\geq 2} \wedge \eta^{FOIL}_{\leq 2} \wedge \eta^{FOIL}_{uniring})$ is valid, then every instance $B^N, \Gamma$ satisfies:
1. every interaction $\gamma \in \Gamma_{\bar N}$ is of the form $\{send(c), receive(d)\}$ for some indices $c$ and $d$ such that $0 \leq c, d < N$ and $d = (c+1) \bmod N$, and
2. for every index $c$ such that $0 \leq c < N$ and the index $d = (c+1) \bmod N$, there is a FOIL structure $\xi$ such that $\xi \models_{FOIL} \psi \wedge send(c) \wedge receive(d)$.
Proof 6.5.7 The proof follows the same principle as the proof of Theorem 6.5.2.
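As an added example (not the thesis's prototype, which discharges validity with Z3), the following Python program instantiates the FOIL-templates of Sections 6.5.1 to 6.5.4 and evaluates the identification criterion, together with the sending/receiving-port check of Section 6.5.3, by enumerating every FOIL structure up to a bound on $\alpha_\xi(n_1)$. The port set {send, receive} and the candidate formulae psi_* are constructed for the example; a result of None means that no counterexample exists below the bound, which approximates validity rather than proving it.

```python
"""Bounded check of the FOIL-template identification criterion of Section 6.5.
Added example, not the thesis's prototype (which discharges validity with Z3):
it enumerates every FOIL structure xi with alpha_xi(n1) = n for n <= N_MAX and
evaluates the templates of Sections 6.5.1-6.5.4 on each. A returned structure is
a genuine counterexample; None only means "no counterexample up to N_MAX"."""
from itertools import product

PORTS = ("send", "receive")   # constructed port set P1 of the single component type
N_MAX = 4                     # bound on alpha_xi(n1)

def structures(n):
    """Every FOIL structure with n components as (n, {port: tuple of truth values})."""
    for bits in product((False, True), repeat=len(PORTS) * n):
        yield n, {p: bits[k * n:(k + 1) * n] for k, p in enumerate(PORTS)}

def active(xi, i):  # template active(i): component i has an active port
    return any(xi[1][p][i] for p in PORTS)

def others(n, *fixed):  # indices j :: type1 different from every index in `fixed`
    return [k for k in range(n) if k not in fixed]

def eta_interaction(xi):
    """No component has two different active ports, so xi induces a BIP interaction."""
    n, a = xi
    return all(not (a[p][j] and a[q][j])
               for j in range(n) for p in PORTS for q in PORTS if p != q)

def eta_ge2(xi):  # exists i, j with i != j, both active
    n, _ = xi
    return any(active(xi, i) and active(xi, j) for i in range(n) for j in others(n, i))

def eta_le2(xi):  # any three active indices contain a repetition: at most two are active
    n, _ = xi
    return all(not (active(xi, i) and active(xi, j) and active(xi, l)) or i == j or j == l or i == l
               for i in range(n) for j in range(n) for l in range(n))

def eta_bcast(xi):  # exists i. send(i) and receive(j) for every j != i
    n, a = xi
    return any(a["send"][i] and all(a["receive"][j] for j in others(n, i)) for i in range(n))

def eta_uniring(xi):  # exists i, j with j = (i+1) mod n1, both active, send(i), receive(j)
    n, a = xi
    return any(active(xi, i) and active(xi, (i + 1) % n) and a["send"][i] and a["receive"][(i + 1) % n]
               for i in range(n))

ARCHITECTURES = {   # right-hand sides of Theorems 6.5.2, 6.5.4 and 6.5.6, besides eta_interaction
    "pairwise rendezvous in clique": (eta_ge2, eta_le2),
    "broadcast in clique": (eta_bcast,),
    "unidirectional token ring": (eta_ge2, eta_le2, eta_uniring),
}

def psi_rendezvous_any_pair(xi):  # constructed psi: exactly two active components, any ports
    n, _ = xi
    return any(active(xi, i) and active(xi, j) and not any(active(xi, k) for k in others(n, i, j))
               for i in range(n) for j in others(n, i))

def psi_rendezvous_send_receive(xi):  # constructed psi: one sends, one receives, nobody else
    n, a = xi
    return any(a["send"][i] and a["receive"][j] and not any(active(xi, k) for k in others(n, i, j))
               for i in range(n) for j in others(n, i))

def psi_broadcast(xi):  # constructed psi: one sender, everybody else receives and does not send
    n, a = xi
    return any(a["send"][i] and all(a["receive"][j] and not a["send"][j] for j in others(n, i))
               for i in range(n))

def psi_token_ring(xi):  # constructed psi: send(i), receive((i+1) mod n1), nobody else active
    n, a = xi
    return any(a["send"][i] and a["receive"][(i + 1) % n]
               and not any(active(xi, k) for k in others(n, i, (i + 1) % n)) for i in range(n))

def identify(psi, architecture, n_max=N_MAX):
    """Criterion (psi & eta_interaction) <-> (eta_interaction & templates) on every structure.
    Returns None if it holds on all structures up to n_max, else the first counterexample."""
    templates = ARCHITECTURES[architecture]
    for n in range(1, n_max + 1):
        for xi in structures(n):
            lhs = psi(xi) and eta_interaction(xi)
            rhs = eta_interaction(xi) and all(t(xi) for t in templates)
            if lhs != rhs:
                return xi
    return None

def port_roles(psi, n_max=N_MAX):
    """Pairs (p, q) with p a potential sending and q a potential receiving port (Section 6.5.3):
    psi & eta_interaction & exists i. p(i) | q(i)  implies  exists i. p(i) & forall j != i. q(j)."""
    def implies(p, q, xi):
        n, a = xi
        premise = psi(xi) and eta_interaction(xi) and any(a[p][i] or a[q][i] for i in range(n))
        conclusion = any(a[p][i] and all(a[q][j] for j in others(n, i)) for i in range(n))
        return conclusion or not premise
    return [(p, q) for p in PORTS for q in PORTS if p != q
            and all(implies(p, q, xi) for n in range(1, n_max + 1) for xi in structures(n))]
```

The send/receive-only rendezvous formula is rejected with a two-component structure in which both ports are receive, which is exactly the situation discussed after Theorem 6.5.2: the right-hand side admits any pair of ports, so a more restrictive psi fails the equivalence.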
Distributing the token. The token ring architecture assumes that initially only one component has the token. Emerson & Namjoshi [60] assumed that the token was distributed using a "daemon", but this primitive is obviously outside of the token ring architecture. Our framework encompasses token distribution. To this end, we restrict the transition system of the component as follows:
– We assume that the location set $L_1$ of the component type $B_1$ is partitioned into two sets: $L^{tok}_1$ is the set of locations possessing the token, and $L^{ntok}_1$ is the set of locations without the token. The initial location does not possess the token: it belongs to $L^{ntok}_1$.
– We assume that there are two auxiliary ports called master and slave that are only used in a transition from the initial location. There are only two transitions involving the initial location: the transition from it to a location in $L^{tok}_1$ that broadcasts via the port master, and the transition from it to a location in $L^{ntok}_1$ that receives the broadcast via the port slave. The broadcast interaction can be checked with constraints similar to those in Section 6.5.3.
Applications. Theorem 6.5.6 gives us a criterion for identifying parameterized BIP models that express a unidirectional token ring. This criterion has a great impact: one can apply non-parameterized BIP tools to verify parameterized BIP designs expressing token rings. As Emerson & Namjoshi showed in their celebrated paper [60], to verify parameterized token rings it is sufficient to run model checking on rings of small size. The bound on the ring size, called a cut-off, depends on the specification and typically requires two or three components.
6.5.5 Pairwise rendezvous in a star
In a star architecture, one component acts as the center, and the other components com-
municate only with the center. The components communicate via rendezvous considered
in Section 6.5.2. This architecture is used in client-server applications. Parameterized model
checking for the star architecture was investigated by German & Sistla [74]. We assume that a
parameterized BIP model contains two component types: B1 with only one instance, and B2
that may have many instances.
FOIL-templates. The essential requirements of rendezvous communication are defined in Section 6.5.2. We add the restriction $\eta^{FOIL}_{center}$ that the center is involved in every interaction:
$\exists i :: type_1.\ active_1(i)$
By restricting  to have only one instance of type $B_1$, we arrive at the following simple theorem, which to a large extent is a consequence of Theorem 6.5.2:
Theorem 6.5.8 Given a two-component parameterized BIP model $\langle \langle B_1, B_2 \rangle, \langle n_1, n_2 \rangle, \psi, \rangle$, if $(\psi \wedge \eta^{FOIL}_{interaction}) \leftrightarrow (\eta^{FOIL}_{interaction} \wedge \eta^{FOIL}_{\geq 2} \wedge \eta^{FOIL}_{\leq 2} \wedge \eta^{FOIL}_{center})$ and $\ \leftrightarrow (n_1 = 1)$ are both valid, then every instance $\langle B_1, B_2 \rangle^{\langle N_1, N_2 \rangle}, \Gamma$ admits only the rendezvous interactions with the center, i.e. the only component of type $B_1$.
Applications. Theorem 6.5.8 gives us a criterion for identifying parameterized BIP models where the user processes communicate with the coordinator via rendezvous. To verify such parameterized BIP models, we can immediately invoke several results by German & Sistla [74, Sec. 3]. First, one can analyze such parameterized BIP models for deadlocks, which is of extreme importance to the practical applications of BIP. Second, the results of [74] reduce parameterized model checking to reachability in Petri nets, which allows one to use the existing tools for Petri nets.
Benchmark            Architecture model              Outcome    Time (sec.)   Memory (MB)
Milner's scheduler   uni-directional token ring      positive   0.068         ≤ 10
Milner's scheduler   broadcast in clique             negative   0.016         ≤ 10
Semaphore            pairwise rendezvous in star     positive   0.096         ≤ 10
Semaphore            pairwise rendezvous in clique   negative   0.084         ≤ 10
Barrier              broadcast in clique             positive   0.028         ≤ 10
Barrier              pairwise rendezvous in star     negative   0.008         ≤ 10
Table 6.1 – Experimental results of identifying architecture models.
6.6 Prototype implementation and experiments
We have implemented a prototype of the framework introduced in Section 6.5. This prototype uses the templates for pairwise rendezvous and broadcast in cliques, token rings, and rendezvous in stars. The implementation uses nuXmv [33] for model checking and Z3 [51] for SMT solving. To deal with quantifiers, we run a customized solver with the tactic 'qe' (i.e. quantifier elimination). The implementation and benchmarks are available at http://risd.epfl.ch/parambip.
Table 6.1 summarizes our experiments with three benchmarks. The column "Outcome" indicates whether the benchmark was recognized to have the given architecture (positive) or not (negative). The experiments were performed on a 64-bit Linux machine with 2.8GHz × 4 CPU and 7.8GiB memory. We conducted the experiments with two kinds of templates: the original architecture of the benchmark, and an architecture different from the original one. In all cases, the architectures were identified as expected. Our preliminary experimental results demonstrate both the correctness and the efficiency of our technique. In the future, we will implement a full-featured tool and perform thorough experimental evaluations.
6.7 Related work
In the research line of parameterized verification, one of the widely used techniques is based on the framework of well-structured transition systems [1, 66, 131]. A well-structured transition system naturally generalises several infinite-state models such as Petri nets. In [1, 66], the authors show that certain safety properties, such as coverability, are decidable on this class of systems. They also present a practical backward reachability analysis algorithm, whose termination is guaranteed by the fact that such systems are monotonic with respect to a well-quasi ordering. Given a parameterized system, we look at its transition system, which defines its operational semantics. If the transition system is well-structured, then certain safety properties are decidable and algorithmic verification can be achieved via a backward reachability analysis from the error states. However, in most cases well-structuredness is not satisfied. A solution to this problem is monotonic abstraction [5, 7, 6]. In this abstraction technique, parameterized systems containing global conditions within guards are abstracted into well-structured ones in order to apply algorithmic verification. Later, in [4], the authors extend monotonic abstraction to CEGAR style reasoning.
Regular model checking [30, 3] is another widely used technique being developed for algo-
rithmic veriﬁcation of several classes of inﬁnite-state systems whose conﬁgurations can be
modeled as words over a ﬁnite alphabet. Examples include parameterized systems consist-
ing of an arbitrary number of homogeneous ﬁnite-state processes connected in a linear or
ring-formed topology, and systems that operate on queues, stacks, integers, and other linear
data structures. The main idea is to use regular languages as the representation of sets of
conﬁgurations, and ﬁnite-state transducers to describe transition relations. In general, the
veriﬁcation problems considered are all undecidable, so the work has consisted in developing
semi-algorithms, and decidability results for restricted cases.
Besides the backward analysis of well-structured systems, the first notable forward algorithm to solve the coverability problem was proposed in [103] for Petri nets. In [56], the authors attempt to generalise the forward algorithm to broadcast protocols, a class of well-structured systems that are made up of an unbounded number of finite state processes communicating via rendezvous and broadcast. They present a forward reachability analysis algorithm for such systems based on the construction of a covering graph. However, in [64], the authors show that the algorithm in [56] may not terminate for broadcast protocols, and that termination is retained by applying the backward reachability analysis based on well-structured transition systems. A forward reachability analysis technique, called Expand, Enlarge and Check (EEC), is proposed in [73, 72]. It is a general algorithmic schema that allows one to define forward analysis techniques to solve the coverability problem of well-structured transition systems.
In [20], the authors propose to model parameterized systems using a single WS1S transition
system, where WS1S refers to the weak monadic second order theory of one successor. In
a WS1S transition system, variables are set (second order) variables and transitions can be
expressed as WS1S formulae. The idea is that set variables encode the set of processes that
reside in certain control locations. They also present techniques to abstract a WS1S transition
system into a ﬁnite state system, which can be automatically veriﬁed.
In [12], the authors present a compositional veriﬁcation technique for parameterized component-
based timed systems. Their technique relies on a cutoff result to reduce the parameterized
veriﬁcation to the veriﬁcation of ﬁnite state systems. The cutoff result is obtained by restricting
the formulae used to describe the parameterized systems to a certain fragment, which has a
small model theorem [100].
In the line of modeling system architectures, the authors of [31] proposed Dynamic BIP to model fixed-size but dynamic architectures, where the interactions of components may evolve during the execution. In a recent work [114], configuration logic is proposed as a formal specification of architecture families. Our first order interaction logic differs from configuration logic in that a formula in interaction logic describes a certain architecture, while in configuration logic formulae describe a set of architectures.
7 Conclusions and perspectives
In this chapter, we first conclude the dissertation by describing the main objectives of this work and the goals we have achieved. Then we give some directions for future work.
7.1 Summary of the dissertation
While algorithmic verification has made impressive advances recently thanks to novel symbolic model checking techniques, such as lazy abstraction [90, 88], interpolation [119], and IC3/PDR for hardware [32, 55] and for software [35, 37, 25], concurrent systems consisting of either a bounded or an unbounded number of components still pose a formidable challenge for efficient verification.
The effectiveness of model checking in the presence of bounded concurrency is severely limited by the state explosion caused by the interleaving of interactions, which the symbolic techniques mentioned above do not address. Consequently, the first insight of this dissertation is that combining them with techniques that reduce redundant interaction interleavings, such as partial order reduction [139, 124, 78], is a feasible way to improve the scalability of symbolic model checking.
We have presented an efficient safety verification technique for infinite-state BIP models with a fixed number of components. It combines abstraction with partial order reduction: counterexample-guided abstraction refinement reasons about the sequential computations inside the atomic components, while persistent-set partial order reduction handles the concurrent interactions between components. We have implemented the technique, and the experimental evaluation supports our claims about its competitiveness and efficiency. Moreover, we have presented two further reductions for BIP: the first reduces redundant interleavings by exploring as many independent interactions simultaneously as possible, and the second exploits system symmetries to improve the persistent set reduction for the class of models that exhibit such symmetries.
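As an added illustration of the persistent set reduction summarized above (this is example code written for this page, not the dissertation's prototype, and it encodes components directly in Python rather than in BIP), the following script explores a small mutual-exclusion model of n worker components twice: once with all interleavings and once with persistent sets. The persistent sets are derived from an up-front static dependence relation (shared variables) by a stubborn-set closure with necessary enabling sets, and a DFS-stack proviso guards against the ignoring problem, which the dissertation's tool handles by cycle detection. The example goes slightly beyond the summary by also running an unsafe variant in which one worker skips the lock check, to show that the reduced exploration still finds the violation. The model itself (workers with compute/acquire/release steps, variables mutex and in_cs) is hypothetical and constructed for this example.

```python
"""Persistent-set partial order reduction on a small component model (example code).

Hypothetical worker components, constructed for this example:
  compute: pc 0 -> 1, touches only its own control location
  acquire: pc 1 -> 2, requires mutex == 0, sets mutex = 1 and in_cs += 1
  release: pc 2 -> 3, sets mutex = 0 and in_cs -= 1
Safety property: in_cs >= 2 is never reachable.  A worker built with
checks_lock=False omits the mutex guard of acquire (the unsafe variant).
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

Valuation = Dict[str, int]
Atom = Tuple[str, Callable[[int], bool]]  # guard atom over a single variable


@dataclass(frozen=True)
class Transition:
    proc: str
    name: str
    guard: Tuple[Atom, ...]                   # conjunction of atoms
    reads: FrozenSet[str]                     # variables read by guard or update
    writes: FrozenSet[str]
    update: Callable[[Valuation], Valuation]  # new values of the written variables

    def enabled(self, s: Valuation) -> bool:
        return all(pred(s[var]) for var, pred in self.guard)

    def fire(self, s: Valuation) -> Valuation:
        nxt = dict(s)
        nxt.update(self.update(s))
        return nxt


def conflict(t: Transition, u: Transition) -> bool:
    """Static dependence: one transition writes a variable the other touches.
    This is the syntactic over-approximation an up-front analysis provides."""
    return bool(t.writes & (u.reads | u.writes)) or bool(u.writes & t.reads)


def stubborn_closure(system: List[Transition], s: Valuation, seed: Transition) -> List[Transition]:
    """Close `seed` so that its enabled part is a persistent set at s:
    an enabled member drags in every transition in conflict with it (outside
    transitions then commute with it and keep it enabled); a disabled member
    drags in all writers of one guard atom that is false in s (its necessary
    enabling set), so outside transitions cannot enable it."""
    chosen = {seed.name}
    work = [seed]
    while work:
        t = work.pop()
        if t.enabled(s):
            new = [u for u in system if u.name not in chosen and conflict(t, u)]
        else:
            var = next(v for v, pred in t.guard if not pred(s[v]))
            new = [u for u in system if u.name not in chosen and var in u.writes]
        for u in new:
            chosen.add(u.name)
            work.append(u)
    return [t for t in system if t.name in chosen and t.enabled(s)]


def persistent_set(system: List[Transition], s: Valuation) -> List[Transition]:
    """Smallest persistent set found by trying each enabled transition as seed."""
    enabled = [t for t in system if t.enabled(s)]
    best = enabled
    for seed in enabled:
        candidate = stubborn_closure(system, s, seed)
        if len(candidate) < len(best):
            best = candidate
    return best


def explore(system, init, bad, reduce: bool):
    """DFS over the state space; returns (violation found, states visited)."""
    def key(s):
        return tuple(sorted(s.items()))
    visited, on_stack, found = set(), set(), [False]

    def dfs(s):
        k = key(s)
        visited.add(k)
        on_stack.add(k)
        if bad(s):
            found[0] = True
        enabled = [t for t in system if t.enabled(s)]
        chosen = persistent_set(system, s) if reduce else enabled
        succs = [t.fire(s) for t in chosen]
        # Ignoring proviso: a reduced set that closes a cycle on the DFS stack
        # could postpone a transition forever, so expand such a state fully.
        if len(chosen) < len(enabled) and any(key(n) in on_stack for n in succs):
            succs = [t.fire(s) for t in enabled]
        for n in succs:
            if key(n) not in visited:
                dfs(n)
        on_stack.discard(k)

    dfs(init)
    return found[0], len(visited)


def worker(i: int, checks_lock: bool = True) -> List[Transition]:
    pc = f"pc{i}"
    acquire_guard: Tuple[Atom, ...] = ((pc, lambda v: v == 1),)
    if checks_lock:
        acquire_guard += (("mutex", lambda v: v == 0),)
    shared = frozenset({pc, "mutex", "in_cs"})
    return [
        Transition(f"w{i}", f"compute{i}", ((pc, lambda v: v == 0),),
                   frozenset({pc}), frozenset({pc}), lambda s: {pc: 1}),
        Transition(f"w{i}", f"acquire{i}", acquire_guard, shared, shared,
                   lambda s: {pc: 2, "mutex": 1, "in_cs": s["in_cs"] + 1}),
        Transition(f"w{i}", f"release{i}", ((pc, lambda v: v == 2),),
                   frozenset({pc, "in_cs"}), shared,
                   lambda s: {pc: 3, "mutex": 0, "in_cs": s["in_cs"] - 1}),
    ]


def build(n: int, buggy: Optional[int] = None):
    system = [t for i in range(n) for t in worker(i, checks_lock=(i != buggy))]
    init = {f"pc{i}": 0 for i in range(n)}
    init.update(mutex=0, in_cs=0)
    return system, init


def check(n: int = 3, buggy: Optional[int] = None):
    """Both explorations of an n-worker model; each result is (violation, states)."""
    system, init = build(n, buggy)
    bad = lambda s: s["in_cs"] >= 2
    return explore(system, init, bad, reduce=False), explore(system, init, bad, reduce=True)


if __name__ == "__main__":
    for label, buggy in (("safe", None), ("unsafe, worker 0 skips the lock check", 0)):
        full, reduced = check(3, buggy)
        print(f"{label}: full={full} persistent-set={reduced}")
```

With three workers the full exploration visits 54 states and the reduced one 23: in every state where some worker has its local compute step enabled, that step alone forms a persistent set, so the interleavings of the independent local steps are never enumerated. The reduction disappears once the workers compete for the lock, because acquire and release all touch mutex and in_cs and are therefore statically dependent; this is exactly the point at which a more precise dependence analysis would pay off.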
Another source of state explosion is the unbounded number of participating components. Verification of a system with an unbounded number of components is known as parameterized verification: the task is to prove correctness for all instances of the system. Since the problem is undecidable in its general form [11], there are roughly two approaches to circumvent it: one identifies decidable fragments and devises verification techniques for them, such as the cutoff techniques [60, 42] that decompose the parameterized verification problem into several finite-state verification problems; the other gives rise to incomplete methods that apply abstractions or approximations to achieve efficiency, such as counter abstraction [127].
Whether the parameterized verification problem for a concurrent system is decidable depends on several factors, the most important being the underlying communication graph (e.g. rings, stars, cliques) and the means of synchronization (e.g. token passing with or without information-carrying tokens, broadcast); we refer to [28] for details. Unfortunately, there is currently no uniform concurrent system model in the literature, so when faced with a parameterized verification problem for a given system it is difficult to tell whether some published computational model naturally captures the system's semantics. One of the key insights of this dissertation is that it is useful to provide a uniform framework that incorporates many of the foundational computational models from the parameterized model checking literature on decidability and undecidability.
To this end, we have extended the BIP framework into a general model for uniform concurrent systems that captures a large class of systems from the literature. The model supports different forms of communication, such as token passing, rendezvous and broadcast, as well as different communication graphs, such as cliques, rings and stars. We have also shown that the framework encompasses several prominent parameterized model checking techniques. To our understanding, other seminal results that can be integrated into the framework are the cutoff results for disjunctive and conjunctive guards [59], network decomposition techniques [42, 10], and techniques based on well-structured transition systems [1] and monotonic abstraction [6].
At the core of our framework, first-order interaction logic (FOIL) extends propositional interaction logic [27]. Other extensions of propositional interaction logic are Dynamic BIP [31] and configuration logic [114]. Dynamic BIP adds quantification to propositional interaction logic but is not expressive enough to write Presburger arithmetic formulas; configuration logic uses second-order formulas to represent sets of topologies. The benefit of FOIL is that its formulas can be handed to SMT solvers, which is essential for the design of a practical framework.
7.2 Perspectives of the future work
For the algorithmic verification of component-based systems with bounded concurrency, we believe that giving abstraction techniques a partial order semantics is a promising way to tackle the state explosion problem. Following this idea, one direction we would like to explore is how to combine partial order reduction with IC3/PDR-style reasoning, in particular Tree-based IC3 [35] for concurrent software verification. A similar idea has recently been investigated in [82], where a dynamic reduction technique extending Lipton's original work [108] is incorporated into IC3 for model checking concurrent software. Their reduction differs from partial order reduction in that they use specialized encodings to instrument the multi-threaded programs so that interleavings of independent actions are not explored during model checking. Although it shares the goal of avoiding redundant interleavings, no persistent set is used in their reduction.
Orthogonally, it is observed in [2] that persistent-set partial order reduction is not optimal, in the sense that multiple representatives of the same Mazurkiewicz trace may be explored even with precise persistent sets. Optimal reduction techniques, e.g. the one in [2], might therefore yield further gains when combined with abstraction. It is also observed in [82, 143] that partial order reduction techniques usually rely on an up-front static analysis of the system model to obtain an over-approximation of the dependence relation and of the set of transitions to explore; the accuracy of this static analysis becomes a severe bottleneck for good reductions, and techniques that improve it might result in better reductions. Besides, we also plan to apply our prototype to real-life systems constructed in BIP, e.g. the software running in the control and data management subsystem (CDMS) of the CubETH satellite [99].
On the other hand, making formal verification beneficial in practice requires not only efficient verification algorithms but also useful diagnostic information that helps a human understand why the system under verification is correct or incorrect. For instance, when the verifier reports a real counterexample, it is not always easy for programmers to identify the root cause of the violation, in particular when the counterexample is long. We believe that techniques that automatically localize faults [148] or produce diagnoses explaining bugs [105] would help programmers understand which parts of the counterexample are necessary to cause the violation.
Verification of parameterized systems is a less developed domain than the non-parameterized case. As future work, we first plan to fully implement the proposed parameterized verification framework in a prototype tool that integrates multiple parameterized model checking techniques to verify parameterized BIP designs.
An interesting topic we would like to address next is the verification of parameterized systems with mixed architectures. Current verification techniques can only handle systems with a fixed architecture; in reality, however, systems may have a mixed architecture, such as a combination of star and ring topologies. The cutoff results for the star or the ring topology may not apply in this case, because the two parts interfere with each other, and it is currently unclear to us how to reuse the results for a single architecture in a mixed one.
We will also investigate novel parameterized verification techniques for component-based systems. For safety properties, parameterized verification essentially boils down to computing quantified inductive invariants that are strong enough to imply the property. We would like to compute such invariants compositionally, as in [22]: first compute an invariant for each component type and an invariant for the interactions of all components, then obtain the invariant of the global system as the conjunction of both. The difficulty in the parameterized case is producing a quantified invariant that speaks about all instances of the parameterized system. One possible way, as reported in [54], is to first compute an invariant for a small number of instances and then generalize it to all instances; a failed generalization can then guide the strengthening of the invariant, as in IC3 [32].
Finally, we will also study second-order extensions of FOIL to express more complex architectures, such as client-server architectures whose coordinator is chosen non-deterministically. This is, however, a long-term effort.
A Appendix
A.1 An ATM transaction protocol in BIP

[The 88-line BIP listing of the ATM transaction protocol did not survive text extraction (only unreadable glyph codes remain) and is omitted here.]
A.2 A leader election protocol in BIP

[The 54-line BIP listing of the leader election protocol did not survive text extraction (only unreadable glyph codes remain) and is omitted here.]
A.3 A quorum consensus protocol in BIP

[The 90-line BIP listing of the quorum consensus protocol did not survive text extraction (only unreadable glyph codes remain) and is omitted here.]
A.4 A railway control protocol in BIP

[The 73-line BIP listing of the railway control protocol did not survive text extraction (only unreadable glyph codes remain) and is omitted here.]
A.5 Statistics for lazy abstraction

Table A.1 – Verification statistics for lazy abstraction. In the original table, the columns from the second one onwards give: model, result, total running time, time of partial order reduction, number of transfers, number of reduction attempts, number of nodes created, time of refinements, number of refinements, time of cycle detection, number of local predicates, number of coverage checks, time of transfers, time of coverage checks, number of global predicates, number of successful reductions, ART size and number of cycle detections, respectively. Only the model, result and total running time columns survived text extraction legibly; the remaining columns are omitted below. In this configuration (no partial order reduction) the partial order reduction time is 0s in every row.

 #   model                       result          total time (s)
 0   atm_safe_02                 unsatisfiable   1.14
 1   atm_safe_03                 unsatisfiable   29.87
 2   atm_unsafe_02               satisfiable     305.51
 3   leader_election_safe_02     unsatisfiable   0.47
 4   leader_election_safe_03     unsatisfiable   6.38
 5   leader_election_safe_04     unsatisfiable   183.11
 6   leader_election_unsafe_02   satisfiable     0.27
 7   leader_election_unsafe_03   satisfiable     4.45
 8   quorum_safe_02              unsatisfiable   1.30
 9   quorum_safe_03              unsatisfiable   8.46
10   quorum_safe_04              unsatisfiable   53.78
11   quorum_unsafe_02            satisfiable     0.27
12   quorum_unsafe_03            satisfiable     0.37
13   quorum_unsafe_04            satisfiable     0.48
14   quorum_unsafe_05            satisfiable     0.61
15   quorum_unsafe_06            satisfiable     0.72
16   quorum_unsafe_07            satisfiable     0.92
17   quorum_unsafe_08            satisfiable     0.99
18   quorum_unsafe_09            satisfiable     1.20
19   quorum_unsafe_10            satisfiable     1.26
20   quorum_unsafe_11            satisfiable     1.38
21   railway_control_safe_02     unsatisfiable   0.12
22   railway_control_safe_03     unsatisfiable   0.39
23   railway_control_safe_04     unsatisfiable   1.57
24   railway_control_safe_05     unsatisfiable   10.36
25   railway_control_safe_06     unsatisfiable   51.82
26   railway_control_safe_07     unsatisfiable   210.68
27   railway_control_safe_08     unsatisfiable   264.92
28   railway_control_unsafe_02   satisfiable     0.05
29   railway_control_unsafe_03   satisfiable     70.43
30   railway_control_unsafe_04   satisfiable     216.75
31   temperature_safe_02         unsatisfiable   1.61
32   temperature_safe_03         unsatisfiable   1.97
33   temperature_safe_04         unsatisfiable   2.49
34   temperature_safe_05         unsatisfiable   2.88
35   temperature_safe_06         unsatisfiable   3.48
36   temperature_safe_07         unsatisfiable   3.89
37   temperature_safe_08         unsatisfiable   4.27
38   temperature_safe_09         unsatisfiable   4.80
39   temperature_safe_10         unsatisfiable   5.20
40   temperature_safe_11         unsatisfiable   5.94
41   temperature_unsafe_02       satisfiable     0.05
42   temperature_unsafe_03       satisfiable     0.06
43   temperature_unsafe_04       satisfiable     0.05
44   temperature_unsafe_05       satisfiable     0.06
45   temperature_unsafe_06       satisfiable     0.06
46   temperature_unsafe_07       satisfiable     0.07
47   temperature_unsafe_08       satisfiable     0.07
48   temperature_unsafe_09       satisfiable     0.06
49   temperature_unsafe_10       satisfiable     0.07
50   temperature_unsafe_11       satisfiable     0.06
51   ticket_safe_02              unsatisfiable   0.24
52   ticket_safe_03              unsatisfiable   19.74
53   ticket_unsafe_02            satisfiable     0.05
54   ticket_unsafe_03            satisfiable     0.06
55   ticket_unsafe_04            satisfiable     0.06
56   ticket_unsafe_05            satisfiable     0.08
57   ticket_unsafe_06            satisfiable     0.07
58   ticket_unsafe_07            satisfiable     0.10
59   ticket_unsafe_08            satisfiable     0.10
60   ticket_unsafe_09            satisfiable     0.15
61   ticket_unsafe_10            satisfiable     0.14
62   ticket_unsafe_11            satisfiable     0.17
A.6 Statistics for lazy abstraction with persistent set reduction
# | model | result | total time | POR time | transfers | reduction attempts | nodes created | refinement time | refinements | cycle detection time | local predicates | coverage checks | transfer time | coverage check time | global predicates | successful reductions | ART size | cycle detections
0 | atm_safe_02 | unsatisfiable | 0.65 | 0.004s | 164.0 | 66.0 | 153.0 | 0s | 2.0 | 0.068006s | 0.0 | 124.0 | 0.39618s | 0.07609s | 3.0 | 33.0 | 146.0 | 151.0
1 | atm_safe_03 | unsatisfiable | 5.30 | 0.016001s | 1683.0 | 546.0 | 1634.0 | 0.004001s | 2.0 | 0.45203s | 0.0 | 1361.0 | 3.42421s | 1.03207s | 3.0 | 269.0 | 1627.0 | 1632.0
2 | atm_safe_04 | unsatisfiable | 61.17 | 0.34402s | 16633.0 | 4237.0 | 16273.0 | 0.004s | 2.0 | 9.96864s | 0.0 | 13913.0 | 35.9942s | 11.8927s | 3.0 | 1873.0 | 16266.0 | 16271.0
3 | atm_unsafe_02 | satisfiable | 83.28 | 0s | 2884.0 | 929.0 | 2648.0 | 0.236015s | 24.0 | 13.4248s | 20.0 | 9716.0 | 14.2929s | 51.7192s | 8.0 | 374.0 | 843.0 | 10148.0
4 | leader_election_safe_02 | unsatisfiable | 0.31 | 0s | 78.0 | 20.0 | 68.0 | 0.004001s | 2.0 | 0.008001s | 0.0 | 60.0 | 0.204013s | 0.016s | 6.0 | 8.0 | 24.0 | 60.0
5 | leader_election_safe_03 | unsatisfiable | 1.94 | 0.004s | 340.0 | 92.0 | 320.0 | 0.020002s | 3.0 | 0.048002s | 0.0 | 302.0 | 1.5001s | 0.092007s | 12.0 | 50.0 | 94.0 | 302.0
6 | leader_election_safe_04 | unsatisfiable | 17.75 | 0.012001s | 2140.0 | 515.0 | 2034.0 | 0.048003s | 4.0 | 0.18801s | 0.0 | 2002.0 | 14.4609s | 2.06812s | 21.0 | 248.0 | 529.0 | 2002.0
7 | leader_election_safe_05 | unsatisfiable | 140.41 | 0.044003s | 12831.0 | 2892.0 | 12300.0 | 0.16001s | 5.0 | 1.21607s | 0.0 | 12250.0 | 108.531s | 25.9416s | 26.0 | 1188.0 | 2908.0 | 12250.0
8 | leader_election_unsafe_02 | satisfiable | 0.24 | 0s | 56.0 | 15.0 | 53.0 | 0s | 1.0 | 0.004s | 0.0 | 44.0 | 0.140008s | 0.012002s | 3.0 | 7.0 | 43.0 | 44.0
9 | leader_election_unsafe_03 | satisfiable | 1.64 | 0s | 295.0 | 81.0 | 284.0 | 0.008s | 2.0 | 0.068006s | 0.0 | 265.0 | 1.25208s | 0.112006s | 9.0 | 45.0 | 156.0 | 265.0
10 | leader_election_unsafe_04 | satisfiable | 24.45 | 0.012002s | 2158.0 | 505.0 | 2086.0 | 0.032003s | 3.0 | 0.248011s | 0.0 | 2053.0 | 18.3851s | 4.13226s | 18.0 | 235.0 | 1179.0 | 2053.0
11 | leader_election_unsafe_05 | satisfiable | 228.11 | 0.02s | 13325.0 | 2898.0 | 12967.0 | 0.116007s | 4.0 | 1.80412s | 0.0 | 12916.0 | 166.798s | 49.7071s | 21.0 | 1146.0 | 7264.0 | 12916.0
12 | quorum_safe_02 | unsatisfiable | 0.72 | 0.004s | 125.0 | 47.0 | 118.0 | 0.012002s | 3.0 | 0.076006s | 1.0 | 140.0 | 0.384024s | 0.144009s | 6.0 | 14.0 | 74.0 | 158.0
13 | quorum_safe_03 | unsatisfiable | 5.57 | 0.020002s | 663.0 | 217.0 | 618.0 | 0.048002s | 8.0 | 0.952057s | 1.0 | 1036.0 | 2.41616s | 1.6401s | 7.0 | 71.0 | 445.0 | 1151.0
14 | quorum_safe_04 | unsatisfiable | 31.24 | 0.072004s | 2878.0 | 837.0 | 2702.0 | 0.124008s | 14.0 | 6.25238s | 1.0 | 6379.0 | 10.1927s | 13.4608s | 10.0 | 268.0 | 2386.0 | 6886.0
15 | quorum_safe_05 | unsatisfiable | 183.56 | 0.096009s | 12986.0 | 3256.0 | 12256.0 | 0.296021s | 19.0 | 33.5421s | 1.0 | 34713.0 | 47.227s | 97.2101s | 14.0 | 930.0 | 10608.0 | 36901.0
16 | quorum_unsafe_02 | satisfiable | 0.06 | 0s | 21.0 | 10.0 | 22.0 | 0s | 0.0 | 0s | 0.0 | 13.0 | 0.004s | 0s | 0.0 | 4.0 | 22.0 | 16.0
17 | quorum_unsafe_03 | satisfiable | 0.07 | 0s | 24.0 | 10.0 | 25.0 | 0s | 0.0 | 0s | 0.0 | 13.0 | 0.012001s | 0s | 0.0 | 4.0 | 25.0 | 16.0
18 | quorum_unsafe_04 | satisfiable | 0.08 | 0s | 27.0 | 10.0 | 28.0 | 0s | 0.0 | 0.004s | 0.0 | 13.0 | 0.008001s | 0s | 0.0 | 4.0 | 28.0 | 16.0
19 | quorum_unsafe_05 | satisfiable | 0.09 | 0s | 30.0 | 10.0 | 31.0 | 0s | 0.0 | 0s | 0.0 | 13.0 | 0.004001s | 0s | 0.0 | 4.0 | 31.0 | 16.0
20 | quorum_unsafe_06 | satisfiable | 0.08 | 0s | 33.0 | 10.0 | 34.0 | 0s | 0.0 | 0s | 0.0 | 13.0 | 0.016001s | 0s | 0.0 | 4.0 | 34.0 | 16.0
21 | quorum_unsafe_07 | satisfiable | 0.09 | 0.008s | 36.0 | 10.0 | 37.0 | 0s | 0.0 | 0s | 0.0 | 13.0 | 0.012003s | 0s | 0.0 | 4.0 | 37.0 | 16.0
22 | quorum_unsafe_08 | satisfiable | 0.11 | 0.004001s | 39.0 | 10.0 | 40.0 | 0s | 0.0 | 0s | 0.0 | 13.0 | 0.020002s | 0s | 0.0 | 4.0 | 40.0 | 16.0
23 | quorum_unsafe_09 | satisfiable | 0.10 | 0.012s | 42.0 | 10.0 | 43.0 | 0s | 0.0 | 0s | 0.0 | 13.0 | 0.008001s | 0s | 0.0 | 4.0 | 43.0 | 16.0
24 | quorum_unsafe_10 | satisfiable | 0.12 | 0.008001s | 45.0 | 10.0 | 46.0 | 0s | 0.0 | 0s | 0.0 | 13.0 | 0.008s | 0s | 0.0 | 4.0 | 46.0 | 16.0
25 | quorum_unsafe_11 | satisfiable | 0.12 | 0.016s | 48.0 | 10.0 | 49.0 | 0s | 0.0 | 0s | 0.0 | 13.0 | 0.016001s | 0s | 0.0 | 4.0 | 49.0 | 16.0
26 | railway_control_safe_02 | unsatisfiable | 0.15 | 0s | 84.0 | 24.0 | 82.0 | 0s | 1.0 | 0.012001s | 1.0 | 93.0 | 0.060004s | 0.012001s | 0.0 | 6.0 | 74.0 | 93.0
27 | railway_control_safe_03 | unsatisfiable | 0.43 | 0.020001s | 276.0 | 71.0 | 264.0 | 0s | 1.0 | 0.044004s | 1.0 | 285.0 | 0.224012s | 0.060006s | 0.0 | 27.0 | 246.0 | 285.0
28 | railway_control_safe_04 | unsatisfiable | 1.54 | 0.084003s | 971.0 | 210.0 | 917.0 | 0.012s | 2.0 | 0.216016s | 1.0 | 998.0 | 0.756047s | 0.240016s | 0.0 | 85.0 | 741.0 | 998.0
29 | railway_control_safe_05 | unsatisfiable | 6.01 | 0.192009s | 3592.0 | 603.0 | 3337.0 | 0.072005s | 2.0 | 0.82405s | 1.0 | 3157.0 | 2.96818s | 1.34008s | 0.0 | 222.0 | 2393.0 | 3157.0
30 | railway_control_safe_06 | unsatisfiable | 55.01 | 0.976056s | 24303.0 | 2798.0 | 21824.0 | 0.728045s | 3.0 | 11.2247s | 1.0 | 19350.0 | 24.2815s | 12.3808s | 0.0 | 583.0 | 6505.0 | 19350.0
31 | railway_control_safe_07 | unsatisfiable | 234.05 | 3.24019s | 87629.0 | 8732.0 | 78389.0 | 14.4609s | 4.0 | 58.4636s | 1.0 | 59748.0 | 86.6734s | 45.9029s | 0.0 | 1455.0 | 16665.0 | 59748.0
32 | railway_control_safe_08 | unsatisfiable | 308.91 | 10.4126s | 112235.0 | 11821.0 | 101300.0 | 29.6419s | 5.0 | 64.052s | 1.0 | 67975.0 | 104.074s | 49.1111s | 0.0 | 2992.0 | 41225.0 | 67975.0
33 | railway_control_unsafe_02 | satisfiable | 0.05 | 0s | 30.0 | 5.0 | 31.0 | 0s | 0.0 | 0s | 0.0 | 24.0 | 0.008s | 0s | 0.0 | 0.0 | 31.0 | 24.0
34 | railway_control_unsafe_03 | satisfiable | 78.56 | 0s | 8545.0 | 1217.0 | 7492.0 | 0.46003s | 31.0 | 10.9927s | 31.0 | 5057.0 | 50.4551s | 14.6049s | 0.0 | 0.0 | 515.0 | 5057.0
35 | railway_control_unsafe_04 | satisfiable | 251.30 | 0.008s | 27073.0 | 3482.0 | 24005.0 | 1.38809s | 62.0 | 32.298s | 31.0 | 13623.0 | 163.558s | 42.6427s | 0.0 | 0.0 | 815.0 | 13623.0
36 | temperature_safe_02 | unsatisfiable | 1.84 | 0s | 184.0 | 55.0 | 80.0 | 0.012002s | 7.0 | 0.320017s | 22.0 | 59.0 | 1.01206s | 0.328027s | 0.0 | 0.0 | 37.0 | 59.0
37 | temperature_safe_03 | unsatisfiable | 2.52 | 0s | 239.0 | 66.0 | 99.0 | 0.008001s | 7.0 | 0.440025s | 22.0 | 71.0 | 1.36409s | 0.416025s | 0.0 | 0.0 | 49.0 | 71.0
38 | temperature_safe_04 | unsatisfiable | 2.81 | 0s | 294.0 | 77.0 | 118.0 | 0.020001s | 7.0 | 0.496027s | 22.0 | 83.0 | 1.59611s | 0.504027s | 0.0 | 0.0 | 61.0 | 83.0
39 | temperature_safe_05 | unsatisfiable | 3.39 | 0s | 349.0 | 88.0 | 137.0 | 0.012s | 7.0 | 0.584035s | 22.0 | 95.0 | 1.94412s | 0.636041s | 0.0 | 0.0 | 73.0 | 95.0
40 | temperature_safe_06 | unsatisfiable | 4.05 | 0s | 404.0 | 99.0 | 156.0 | 0.016001s | 7.0 | 0.740048s | 22.0 | 107.0 | 2.26014s | 0.736044s | 0.0 | 0.0 | 85.0 | 107.0
41 | temperature_safe_07 | unsatisfiable | 4.68 | 0.004001s | 459.0 | 110.0 | 175.0 | 0.020001s | 7.0 | 0.848054s | 22.0 | 119.0 | 2.52016s | 0.820051s | 0.0 | 0.0 | 97.0 | 119.0
42 | temperature_safe_08 | unsatisfiable | 5.25 | 0.004s | 514.0 | 121.0 | 194.0 | 0.012s | 7.0 | 0.936055s | 22.0 | 131.0 | 2.89618s | 0.93206s | 0.0 | 0.0 | 109.0 | 131.0
43 | temperature_safe_09 | unsatisfiable | 5.85 | 0.004s | 569.0 | 132.0 | 213.0 | 0.020001s | 7.0 | 1.00806s | 22.0 | 143.0 | 3.22019s | 1.02407s | 0.0 | 0.0 | 121.0 | 143.0
44 | temperature_safe_10 | unsatisfiable | 6.15 | 0.016s | 624.0 | 143.0 | 232.0 | 0.012s | 7.0 | 1.08406s | 22.0 | 155.0 | 3.56023s | 1.13607s | 0.0 | 0.0 | 133.0 | 155.0
45 | temperature_safe_11 | unsatisfiable | 6.63 | 0.008001s | 679.0 | 154.0 | 251.0 | 0.012s | 7.0 | 1.17206s | 22.0 | 167.0 | 3.86824s | 1.24409s | 0.0 | 0.0 | 145.0 | 167.0
46 | temperature_unsafe_02 | satisfiable | 0.05 | 0s | 5.0 | 1.0 | 6.0 | 0s | 0.0 | 0s | 0.0 | 2.0 | 0.004s | 0s | 0.0 | 0.0 | 6.0 | 2.0
47 | temperature_unsafe_03 | satisfiable | 0.05 | 0s | 6.0 | 1.0 | 7.0 | 0s | 0.0 | 0s | 0.0 | 2.0 | 0.004s | 0s | 0.0 | 0.0 | 7.0 | 2.0
48 | temperature_unsafe_04 | satisfiable | 0.06 | 0s | 7.0 | 1.0 | 8.0 | 0s | 0.0 | 0s | 0.0 | 2.0 | 0s | 0s | 0.0 | 0.0 | 8.0 | 2.0
49 | temperature_unsafe_05 | satisfiable | 0.06 | 0s | 8.0 | 1.0 | 9.0 | 0s | 0.0 | 0s | 0.0 | 2.0 | 0.008001s | 0s | 0.0 | 0.0 | 9.0 | 2.0
50 | temperature_unsafe_06 | satisfiable | 0.05 | 0.004s | 9.0 | 1.0 | 10.0 | 0s | 0.0 | 0s | 0.0 | 2.0 | 0.004001s | 0s | 0.0 | 0.0 | 10.0 | 2.0
51 | temperature_unsafe_07 | satisfiable | 0.05 | 0s | 10.0 | 1.0 | 11.0 | 0s | 0.0 | 0s | 0.0 | 2.0 | 0.004001s | 0s | 0.0 | 0.0 | 11.0 | 2.0
52 | temperature_unsafe_08 | satisfiable | 0.06 | 0s | 11.0 | 1.0 | 12.0 | 0s | 0.0 | 0s | 0.0 | 2.0 | 0.008001s | 0s | 0.0 | 0.0 | 12.0 | 2.0
53 | temperature_unsafe_09 | satisfiable | 0.07 | 0s | 12.0 | 1.0 | 13.0 | 0s | 0.0 | 0s | 0.0 | 2.0 | 0.004s | 0s | 0.0 | 0.0 | 13.0 | 2.0
54 | temperature_unsafe_10 | satisfiable | 0.06 | 0s | 13.0 | 1.0 | 14.0 | 0s | 0.0 | 0s | 0.0 | 2.0 | 0.012s | 0s | 0.0 | 0.0 | 14.0 | 2.0
55 | temperature_unsafe_11 | satisfiable | 0.06 | 0s | 14.0 | 1.0 | 15.0 | 0s | 0.0 | 0s | 0.0 | 2.0 | 0.008s | 0s | 0.0 | 0.0 | 15.0 | 2.0
56 | ticket_safe_02 | unsatisfiable | 0.28 | 0s | 51.0 | 24.0 | 43.0 | 0.004001s | 2.0 | 0.012s | 0.0 | 36.0 | 0.176011s | 0.020001s | 5.0 | 0.0 | 27.0 | 36.0
57 | ticket_safe_03 | unsatisfiable | 21.30 | 0s | 1725.0 | 570.0 | 1227.0 | 0.068004s | 14.0 | 1.47208s | 0.0 | 1282.0 | 15.149s | 3.2042s | 37.0 | 0.0 | 232.0 | 1282.0
58 | ticket_unsafe_02 | satisfiable | 0.06 | 0s | 9.0 | 4.0 | 10.0 | 0s | 0.0 | 0s | 0.0 | 5.0 | 0s | 0s | 0.0 | 0.0 | 10.0 | 5.0
59 | ticket_unsafe_03 | satisfiable | 0.06 | 0s | 16.0 | 5.0 | 17.0 | 0s | 0.0 | 0s | 0.0 | 6.0 | 0.008s | 0s | 0.0 | 0.0 | 17.0 | 6.0
60 | ticket_unsafe_04 | satisfiable | 0.06 | 0s | 25.0 | 6.0 | 26.0 | 0s | 0.0 | 0s | 0.0 | 7.0 | 0.012001s | 0s | 0.0 | 0.0 | 26.0 | 7.0
61 | ticket_unsafe_05 | satisfiable | 0.08 | 0s | 36.0 | 7.0 | 37.0 | 0s | 0.0 | 0s | 0.0 | 8.0 | 0.016001s | 0s | 0.0 | 0.0 | 37.0 | 8.0
62 | ticket_unsafe_06 | satisfiable | 0.08 | 0.004s | 49.0 | 8.0 | 50.0 | 0s | 0.0 | 0s | 0.0 | 9.0 | 0.016001s | 0s | 0.0 | 0.0 | 50.0 | 9.0
63 | ticket_unsafe_07 | satisfiable | 0.08 | 0.004001s | 64.0 | 9.0 | 65.0 | 0s | 0.0 | 0s | 0.0 | 10.0 | 0.020001s | 0s | 0.0 | 0.0 | 65.0 | 10.0
64 | ticket_unsafe_08 | satisfiable | 0.10 | 0.004001s | 81.0 | 10.0 | 82.0 | 0s | 0.0 | 0s | 0.0 | 11.0 | 0.028001s | 0s | 0.0 | 0.0 | 82.0 | 11.0
65 | ticket_unsafe_09 | satisfiable | 0.13 | 0s | 100.0 | 11.0 | 101.0 | 0s | 0.0 | 0s | 0.0 | 12.0 | 0.044003s | 0s | 0.0 | 0.0 | 101.0 | 12.0
66 | ticket_unsafe_10 | satisfiable | 0.14 | 0.008001s | 121.0 | 12.0 | 122.0 | 0s | 0.0 | 0s | 0.0 | 13.0 | 0.044002s | 0s | 0.0 | 0.0 | 122.0 | 13.0
67 | ticket_unsafe_11 | satisfiable | 0.16 | 0.016s | 144.0 | 13.0 | 145.0 | 0s | 0.0 | 0s | 0.0 | 14.0 | 0.056005s | 0s | 0.0 | 0.0 | 145.0 | 14.0

Table A.2 – Verification statistics for lazy abstraction with persistent set reduction. The first column is a row index; from the second column onward, the columns give model, result, total running time, time of partial order reduction, number of transfers, number of reduction attempts, number of nodes created, time of refinements, number of refinements, time of cycle detection, number of local predicates, number of coverage checks, time of transfers, time of coverage checks, number of global predicates, number of successful reductions, ART size and number of cycle detections, respectively.
A.7 Statistics for lazy abstraction with simultaneous set reduction
# | model | result | total time | POR time | transfers | reduction attempts | nodes created | refinement time | refinements | local predicates | coverage checks | transfer time | coverage check time | global predicates | successful reductions | ART size
0 | atm_safe_02 | unsatisfiable | 2.06 | 0s | 394.0 | 55.0 | 340.0 | 0.004s | 3.0 | 0.0 | 338.0 | 1.5321s | 0.384019s | 6.0 | 40.0 | 326.0
1 | atm_safe_03 | unsatisfiable | 69.87 | 0.012001s | 8543.0 | 499.0 | 6618.0 | 0.008001s | 5.0 | 0.0 | 6880.0 | 51.3472s | 15.641s | 9.0 | 436.0 | 6593.0
2 | atm_unsafe_02 | satisfiable | 117.32 | 0s | 4373.0 | 55.0 | 3642.0 | 0.092003s | 24.0 | 20.0 | 13993.0 | 26.5497s | 87.8895s | 8.0 | 40.0 | 1379.0
3 | leader_election_safe_02 | unsatisfiable | 0.27 | 0s | 60.0 | 5.0 | 50.0 | 0s | 2.0 | 0.0 | 31.0 | 0.192011s | 0.008s | 6.0 | 2.0 | 19.0
4 | leader_election_safe_03 | unsatisfiable | 1.91 | 0s | 338.0 | 24.0 | 276.0 | 0s | 3.0 | 0.0 | 165.0 | 1.6881s | 0.064004s | 12.0 | 11.0 | 102.0
5 | leader_election_safe_04 | unsatisfiable | 15.81 | 0.036002s | 1833.0 | 99.0 | 1564.0 | 0.008s | 3.0 | 0.0 | 1243.0 | 13.7929s | 1.27208s | 18.0 | 52.0 | 895.0
6 | leader_election_safe_05 | unsatisfiable | 134.94 | 0.356023s | 11710.0 | 401.0 | 9962.0 | 0.008001s | 5.0 | 0.0 | 7839.0 | 118.539s | 10.6687s | 24.0 | 221.0 | 3913.0
7 | leader_election_unsafe_02 | satisfiable | 0.16 | 0s | 36.0 | 3.0 | 33.0 | 0s | 1.0 | 0.0 | 13.0 | 0.084005s | 0s | 3.0 | 2.0 | 22.0
8 | leader_election_unsafe_03 | satisfiable | 1.05 | 0.004s | 211.0 | 10.0 | 177.0 | 0s | 2.0 | 0.0 | 65.0 | 0.884053s | 0.020001s | 9.0 | 5.0 | 82.0
9 | leader_election_unsafe_04 | satisfiable | 10.26 | 0.020002s | 1282.0 | 43.0 | 1032.0 | 0s | 3.0 | 0.0 | 540.0 | 9.40459s | 0.288019s | 18.0 | 23.0 | 347.0
10 | leader_election_unsafe_05 | satisfiable | 111.41 | 0.208012s | 7930.0 | 202.0 | 6553.0 | 0.012001s | 4.0 | 0.0 | 4429.0 | 101.21s | 3.92025s | 21.0 | 107.0 | 2184.0
11 | quorum_safe_02 | unsatisfiable | 1.01 | 0s | 211.0 | 35.0 | 190.0 | 0.004s | 3.0 | 1.0 | 260.0 | 0.664039s | 0.192012s | 6.0 | 6.0 | 139.0
12 | quorum_safe_03 | unsatisfiable | 8.93 | 0.012001s | 1373.0 | 138.0 | 1185.0 | 0.016002s | 5.0 | 1.0 | 2879.0 | 4.85631s | 3.3402s | 8.0 | 8.0 | 1076.0
13 | quorum_safe_04 | unsatisfiable | 78.72 | 0.052001s | 10558.0 | 511.0 | 8778.0 | 0.048004s | 9.0 | 1.0 | 25751.0 | 37.6623s | 37.9384s | 12.0 | 16.0 | 6782.0
14 | quorum_unsafe_02 | satisfiable | 0.08 | 0s | 24.0 | 9.0 | 25.0 | 0s | 0.0 | 0.0 | 14.0 | 0.008001s | 0s | 0.0 | 1.0 | 25.0
15 | quorum_unsafe_03 | satisfiable | 0.08 | 0s | 29.0 | 9.0 | 30.0 | 0s | 0.0 | 0.0 | 14.0 | 0.012002s | 0s | 0.0 | 0.0 | 30.0
16 | quorum_unsafe_04 | satisfiable | 0.08 | 0s | 32.0 | 9.0 | 33.0 | 0s | 0.0 | 0.0 | 14.0 | 0.008001s | 0s | 0.0 | 0.0 | 33.0
17 | quorum_unsafe_05 | satisfiable | 0.09 | 0s | 35.0 | 9.0 | 36.0 | 0s | 0.0 | 0.0 | 14.0 | 0.016s | 0s | 0.0 | 0.0 | 36.0
18 | quorum_unsafe_06 | satisfiable | 0.09 | 0s | 38.0 | 9.0 | 39.0 | 0s | 0.0 | 0.0 | 14.0 | 0.020002s | 0s | 0.0 | 0.0 | 39.0
19 | quorum_unsafe_07 | satisfiable | 0.09 | 0.004s | 41.0 | 9.0 | 42.0 | 0s | 0.0 | 0.0 | 14.0 | 0.016001s | 0s | 0.0 | 0.0 | 42.0
20 | quorum_unsafe_08 | satisfiable | 0.11 | 0.004s | 44.0 | 9.0 | 45.0 | 0s | 0.0 | 0.0 | 14.0 | 0.024001s | 0s | 0.0 | 0.0 | 45.0
21 | quorum_unsafe_09 | satisfiable | 0.11 | 0.008s | 47.0 | 9.0 | 48.0 | 0s | 0.0 | 0.0 | 14.0 | 0.020002s | 0s | 0.0 | 0.0 | 48.0
22 | quorum_unsafe_10 | satisfiable | 0.13 | 0.024002s | 50.0 | 9.0 | 51.0 | 0s | 0.0 | 0.0 | 14.0 | 0.012s | 0.004s | 0.0 | 0.0 | 51.0
23 | quorum_unsafe_11 | satisfiable | 0.14 | 0.036001s | 53.0 | 9.0 | 54.0 | 0s | 0.0 | 0.0 | 14.0 | 0.016003s | 0s | 0.0 | 0.0 | 54.0
24 | railway_control_safe_02 | unsatisfiable | 0.35 | 0.004s | 162.0 | 22.0 | 153.0 | 0s | 1.0 | 1.0 | 151.0 | 0.228017s | 0.048s | 0.0 | 0.0 | 143.0
25 | railway_control_safe_03 | unsatisfiable | 1.94 | 0.092005s | 761.0 | 67.0 | 690.0 | 0s | 1.0 | 1.0 | 687.0 | 1.24007s | 0.416029s | 0.0 | 0.0 | 679.0
26 | railway_control_safe_04 | unsatisfiable | 14.07 | 2.69617s | 3965.0 | 176.0 | 3317.0 | 0s | 1.0 | 1.0 | 3313.0 | 7.84448s | 2.38015s | 0.0 | 0.0 | 3305.0
27 | railway_control_safe_05 | unsatisfiable | 152.96 | 98.2661s | 17945.0 | 429.0 | 14161.0 | 0s | 1.0 | 1.0 | 14156.0 | 38.5384s | 10.1926s | 0.0 | 0.0 | 14148.0
28 | railway_control_unsafe_02 | satisfiable | 0.05 | 0s | 15.0 | 4.0 | 16.0 | 0s | 0.0 | 0.0 | 9.0 | 0.004s | 0s | 0.0 | 0.0 | 16.0
29 | railway_control_unsafe_03 | satisfiable | 0.06 | 0s | 17.0 | 4.0 | 18.0 | 0s | 0.0 | 0.0 | 9.0 | 0.008001s | 0s | 0.0 | 0.0 | 18.0
30 | railway_control_unsafe_04 | satisfiable | 0.06 | 0.004s | 19.0 | 4.0 | 20.0 | 0s | 0.0 | 0.0 | 9.0 | 0s | 0s | 0.0 | 0.0 | 20.0
31 | railway_control_unsafe_05 | satisfiable | 0.07 | 0s | 21.0 | 4.0 | 22.0 | 0s | 0.0 | 0.0 | 9.0 | 0.004s | 0s | 0.0 | 0.0 | 22.0
32 | railway_control_unsafe_06 | satisfiable | 0.05 | 0s | 23.0 | 4.0 | 24.0 | 0s | 0.0 | 0.0 | 9.0 | 0.008s | 0s | 0.0 | 0.0 | 24.0
33 | railway_control_unsafe_07 | satisfiable | 0.06 | 0s | 25.0 | 4.0 | 26.0 | 0s | 0.0 | 0.0 | 9.0 | 0s | 0s | 0.0 | 0.0 | 26.0
34 | railway_control_unsafe_08 | satisfiable | 0.07 | 0s | 27.0 | 4.0 | 28.0 | 0s | 0.0 | 0.0 | 9.0 | 0.008001s | 0s | 0.0 | 0.0 | 28.0
35 | railway_control_unsafe_09 | satisfiable | 0.07 | 0s | 29.0 | 4.0 | 30.0 | 0s | 0.0 | 0.0 | 9.0 | 0.004s | 0s | 0.0 | 0.0 | 30.0
36 | railway_control_unsafe_10 | satisfiable | 0.06 | 0s | 31.0 | 4.0 | 32.0 | 0s | 0.0 | 0.0 | 9.0 | 0.012001s | 0s | 0.0 | 0.0 | 32.0
37 | railway_control_unsafe_11 | satisfiable | 0.07 | 0.004s | 33.0 | 4.0 | 34.0 | 0s | 0.0 | 0.0 | 9.0 | 0.008001s | 0s | 0.0 | 0.0 | 34.0
38 | temperature_safe_02 | unsatisfiable | 1.36 | 0s | 184.0 | 3.0 | 80.0 | 0.008s | 7.0 | 22.0 | 59.0 | 0.900053s | 0.244018s | 0.0 | 0.0 | 37.0
39 | temperature_safe_03 | unsatisfiable | 1.67 | 0s | 239.0 | 4.0 | 99.0 | 0.016002s | 7.0 | 22.0 | 71.0 | 1.20407s | 0.308019s | 0.0 | 0.0 | 49.0
40 | temperature_safe_04 | unsatisfiable | 2.07 | 0s | 294.0 | 5.0 | 118.0 | 0.008s | 7.0 | 22.0 | 83.0 | 1.4441s | 0.416018s | 0.0 | 0.0 | 61.0
41 | temperature_safe_05 | unsatisfiable | 2.44 | 0s | 349.0 | 6.0 | 137.0 | 0.012001s | 7.0 | 22.0 | 95.0 | 1.72811s | 0.496031s | 0.0 | 0.0 | 73.0
42 | temperature_safe_06 | unsatisfiable | 2.81 | 0.004s | 404.0 | 7.0 | 156.0 | 0.012001s | 7.0 | 22.0 | 107.0 | 1.93611s | 0.564041s | 0.0 | 0.0 | 85.0
43 | temperature_safe_07 | unsatisfiable | 3.22 | 0.004s | 459.0 | 8.0 | 175.0 | 0.004s | 7.0 | 22.0 | 119.0 | 2.24413s | 0.608047s | 0.0 | 0.0 | 97.0
44 | temperature_safe_08 | unsatisfiable | 3.69 | 0.004s | 514.0 | 9.0 | 194.0 | 0.012s | 7.0 | 22.0 | 131.0 | 2.55216s | 0.720046s | 0.0 | 0.0 | 109.0
45 | temperature_safe_09 | unsatisfiable | 4.28 | 0.004s | 569.0 | 10.0 | 213.0 | 0.012001s | 7.0 | 22.0 | 143.0 | 2.90819s | 0.848047s | 0.0 | 0.0 | 121.0
46 | temperature_safe_10 | unsatisfiable | 4.75 | 0.004s | 624.0 | 11.0 | 232.0 | 0.012001s | 7.0 | 22.0 | 155.0 | 3.1562s | 0.908056s | 0.0 | 0.0 | 133.0
47 | temperature_safe_11 | unsatisfiable | 5.03 | 0.012001s | 679.0 | 12.0 | 251.0 | 0.012001s | 7.0 | 22.0 | 167.0 | 3.48821s | 0.968062s | 0.0 | 0.0 | 145.0
48 | temperature_unsafe_02 | satisfiable | 0.05 | 0s | 5.0 | 1.0 | 6.0 | 0s | 0.0 | 0.0 | 2.0 | 0s | 0s | 0.0 | 0.0 | 6.0
49 | temperature_unsafe_03 | satisfiable | 0.04 | 0s | 6.0 | 1.0 | 7.0 | 0s | 0.0 | 0.0 | 2.0 | 0.004s | 0s | 0.0 | 0.0 | 7.0
50 | temperature_unsafe_04 | satisfiable | 0.05 | 0s | 7.0 | 1.0 | 8.0 | 0s | 0.0 | 0.0 | 2.0 | 0.004s | 0s | 0.0 | 0.0 | 8.0
51 | temperature_unsafe_05 | satisfiable | 0.05 | 0s | 8.0 | 1.0 | 9.0 | 0s | 0.0 | 0.0 | 2.0 | 0.004s | 0s | 0.0 | 0.0 | 9.0
52 | temperature_unsafe_06 | satisfiable | 0.06 | 0s | 9.0 | 1.0 | 10.0 | 0s | 0.0 | 0.0 | 2.0 | 0.008001s | 0s | 0.0 | 0.0 | 10.0
53 | temperature_unsafe_07 | satisfiable | 0.06 | 0.004s | 10.0 | 1.0 | 11.0 | 0s | 0.0 | 0.0 | 2.0 | 0.004001s | 0s | 0.0 | 0.0 | 11.0
54 | temperature_unsafe_08 | satisfiable | 0.05 | 0s | 11.0 | 1.0 | 12.0 | 0s | 0.0 | 0.0 | 2.0 | 0.008001s | 0s | 0.0 | 0.0 | 12.0
55 | temperature_unsafe_09 | satisfiable | 0.06 | 0s | 12.0 | 1.0 | 13.0 | 0s | 0.0 | 0.0 | 2.0 | 0.012001s | 0s | 0.0 | 0.0 | 13.0
56 | temperature_unsafe_10 | satisfiable | 0.06 | 0.004s | 13.0 | 1.0 | 14.0 | 0s | 0.0 | 0.0 | 2.0 | 0.012001s | 0s | 0.0 | 0.0 | 14.0
57 | temperature_unsafe_11 | satisfiable | 0.07 | 0.012001s | 14.0 | 1.0 | 15.0 | 0s | 0.0 | 0.0 | 2.0 | 0.012001s | 0s | 0.0 | 0.0 | 15.0
58 | ticket_safe_02 | unsatisfiable | 0.22 | 0s | 51.0 | 8.0 | 43.0 | 0s | 2.0 | 0.0 | 36.0 | 0.13601s | 0.016s | 5.0 | 0.0 | 27.0
59 | ticket_safe_03 | unsatisfiable | 18.40 | 0s | 1924.0 | 22.0 | 1301.0 | 0.040001s | 12.0 | 0.0 | 1443.0 | 14.5449s | 3.2322s | 31.0 | 0.0 | 228.0
60 | ticket_unsafe_02 | satisfiable | 0.06 | 0s | 9.0 | 4.0 | 10.0 | 0s | 0.0 | 0.0 | 5.0 | 0.008s | 0s | 0.0 | 0.0 | 10.0
61 | ticket_unsafe_03 | satisfiable | 0.06 | 0s | 16.0 | 5.0 | 17.0 | 0s | 0.0 | 0.0 | 6.0 | 0.004001s | 0s | 0.0 | 0.0 | 17.0
62 | ticket_unsafe_04 | satisfiable | 0.06 | 0s | 25.0 | 6.0 | 26.0 | 0s | 0.0 | 0.0 | 7.0 | 0.004s | 0s | 0.0 | 0.0 | 26.0
63 | ticket_unsafe_05 | satisfiable | 0.16 | 0s | 36.0 | 7.0 | 37.0 | 0s | 0.0 | 0.0 | 8.0 | 0.016001s | 0s | 0.0 | 0.0 | 37.0
64 | ticket_unsafe_06 | satisfiable | 0.08 | 0s | 49.0 | 8.0 | 50.0 | 0s | 0.0 | 0.0 | 9.0 | 0.008s | 0s | 0.0 | 0.0 | 50.0
65 | ticket_unsafe_07 | satisfiable | 0.09 | 0.004s | 64.0 | 9.0 | 65.0 | 0s | 0.0 | 0.0 | 10.0 | 0.020001s | 0s | 0.0 | 0.0 | 65.0
66 | ticket_unsafe_08 | satisfiable | 0.10 | 0.008001s | 81.0 | 10.0 | 82.0 | 0s | 0.0 | 0.0 | 11.0 | 0.024001s | 0s | 0.0 | 0.0 | 82.0
67 | ticket_unsafe_09 | satisfiable | 0.13 | 0.004s | 100.0 | 11.0 | 101.0 | 0s | 0.0 | 0.0 | 12.0 | 0.032002s | 0s | 0.0 | 0.0 | 101.0
68 | ticket_unsafe_10 | satisfiable | 0.14 | 0.024001s | 121.0 | 12.0 | 122.0 | 0s | 0.0 | 0.0 | 13.0 | 0.036003s | 0s | 0.0 | 0.0 | 122.0
69 | ticket_unsafe_11 | satisfiable | 0.17 | 0.044003s | 144.0 | 13.0 | 145.0 | 0s | 0.0 | 0.0 | 14.0 | 0.044002s | 0s | 0.0 | 0.0 | 145.0

Table A.3 – Verification statistics for lazy abstraction with simultaneous set reduction. The first column is a row index; from the second column onward, the columns give model, result, total running time, time of partial order reduction, number of transfers, number of reduction attempts, number of nodes created, time of refinements, number of refinements, number of local predicates, number of coverage checks, time of transfers, time of coverage checks, number of global predicates, number of successful reductions and ART size, respectively.
A.8 Statistics for lazy abstraction with persistent set reduction under symmetry
model | result | total time | POR time | transfers | reduction attempts | refinement time | refinements | cycle detection time | independence analysis time | ART size | local predicates | coverage check time | transfer time | global predicates | successful reductions | nodes created | coverage checks | cycle detections
leader_election_safe_02 | unsatisfiable | 1.11 | 0s | 14.0 | 5.0 | 0.004s | 1.0 | 0s | 0.184011 | 7.0 | 0.0 | 0s | 0.028001s | 3.0 | 5.0 | 13.0 | 13.0 | 13.0
leader_election_safe_03 | unsatisfiable | 1.32 | 0s | 19.0 | 9.0 | 0.004s | 1.0 | 0s | 0.432027 | 9.0 | 0.0 | 0s | 0.036002s | 3.0 | 9.0 | 18.0 | 18.0 | 18.0
leader_election_safe_04 | unsatisfiable | 1.53 | 0s | 24.0 | 12.0 | 0s | 1.0 | 0s | 0.656041 | 11.0 | 0.0 | 0s | 0.032002s | 3.0 | 12.0 | 23.0 | 23.0 | 23.0
leader_election_safe_05 | unsatisfiable | 1.92 | 0s | 29.0 | 15.0 | 0.004s | 1.0 | 0s | 1.032060 | 13.0 | 0.0 | 0s | 0.036002s | 3.0 | 15.0 | 28.0 | 28.0 | 28.0
leader_election_safe_06 | unsatisfiable | 1.99 | 0.004s | 34.0 | 18.0 | 0.004s | 1.0 | 0s | 1.796110 | 15.0 | 0.0 | 0.004001s | 0.048003s | 3.0 | 18.0 | 33.0 | 33.0 | 33.0
leader_election_safe_07 | unsatisfiable | 2.94 | 0.004s | 39.0 | 21.0 | 0.004s | 1.0 | 0s | 2.712170 | 17.0 | 0.0 | 0.004s | 0.072005s | 3.0 | 21.0 | 38.0 | 38.0 | 38.0
leader_election_safe_08 | unsatisfiable | 3.34 | 0s | 44.0 | 24.0 | 0.004001s | 1.0 | 0s | 3.176200 | 19.0 | 0.0 | 0s | 0.060004s | 3.0 | 24.0 | 43.0 | 43.0 | 43.0
leader_election_safe_09 | unsatisfiable | 3.69 | 0.004s | 49.0 | 27.0 | 0.004s | 1.0 | 0s | 3.488220 | 21.0 | 0.0 | 0s | 0.068005s | 3.0 | 27.0 | 48.0 | 48.0 | 48.0
leader_election_safe_10 | unsatisfiable | 4.60 | 0.004s | 54.0 | 30.0 | 0.008s | 1.0 | 0s | 4.412280 | 23.0 | 0.0 | 0s | 0.076004s | 3.0 | 30.0 | 53.0 | 53.0 | 53.0
leader_election_safe_11 | unsatisfiable | 5.29 | 0s | 59.0 | 33.0 | 0.012001s | 1.0 | 0s | 5.080320 | 25.0 | 0.0 | 0s | 0.076005s | 3.0 | 33.0 | 58.0 | 58.0 | 58.0
leader_election_unsafe_02 | satisfiable | 0.37 | 0s | 56.0 | 15.0 | 0s | 1.0 | 0.012s | 0.168010 | 43.0 | 0.0 | 0.012s | 0.104007s | 3.0 | 7.0 | 53.0 | 44.0 | 44.0
leader_election_unsafe_03 | satisfiable | 1.83 | 0.008s | 295.0 | 81.0 | 0.008s | 2.0 | 0.032003s | 0.416026 | 156.0 | 0.0 | 0.084005s | 1.13607s | 9.0 | 45.0 | 284.0 | 265.0 | 265.0
leader_election_unsafe_04 | satisfiable | 20.81 | 0.024002s | 2158.0 | 505.0 | 0.024001s | 3.0 | 0.276017s | 0.496031 | 1179.0 | 0.0 | 3.40821s | 15.925s | 18.0 | 235.0 | 2086.0 | 2053.0 | 2053.0
leader_election_unsafe_05 | satisfiable | 203.58 | 0.028002s | 13325.0 | 2898.0 | 0.112007s | 4.0 | 1.66411s | 1.128070 | 7264.0 | 0.0 | 42.5787s | 152.309s | 21.0 | 1146.0 | 12967.0 | 12916.0 | 12916.0
quorum_safe_02 | unsatisfiable | 1.49 | 0.004001s | 125.0 | 47.0 | 0.004s | 3.0 | 0.080006s | 0.620039 | 74.0 | 1.0 | 0.120007s | 0.400023s | 6.0 | 14.0 | 118.0 | 140.0 | 158.0
quorum_safe_03 | unsatisfiable | 6.99 | 0.008001s | 663.0 | 217.0 | 0.048001s | 8.0 | 1.00806s | 1.360080 | 445.0 | 1.0 | 1.6481s | 2.32015s | 7.0 | 71.0 | 618.0 | 1036.0 | 1151.0
quorum_safe_04 | unsatisfiable | 32.46 | 0.032002s | 2878.0 | 837.0 | 0.124007s | 14.0 | 5.74438s | 2.380150 | 2386.0 | 1.0 | 12.8768s | 9.88462s | 10.0 | 268.0 | 2702.0 | 6379.0 | 6886.0
quorum_safe_05 | unsatisfiable | 180.00 | 0.112007s | 12986.0 | 3256.0 | 0.360023s | 19.0 | 31.502s | 3.664230 | 10608.0 | 1.0 | 91.5817s | 45.8309s | 14.0 | 930.0 | 12256.0 | 34713.0 | 36901.0
quorum_unsafe_02 | satisfiable | 0.66 | 0s | 21.0 | 10.0 | 0s | 0.0 | 0s | 0.580037 | 22.0 | 0.0 | 0s | 0.008s | 0.0 | 4.0 | 22.0 | 13.0 | 16.0
quorum_unsafe_03 | satisfiable | 1.35 | 0s | 24.0 | 10.0 | 0s | 0.0 | 0s | 1.248080 | 25.0 | 0.0 | 0s | 0.008001s | 0.0 | 4.0 | 25.0 | 13.0 | 16.0
quorum_unsafe_04 | satisfiable | 2.06 | 0s | 27.0 | 10.0 | 0s | 0.0 | 0s | 1.892120 | 28.0 | 0.0 | 0s | 0.008s | 0.0 | 4.0 | 28.0 | 13.0 | 16.0
quorum_unsafe_05 | satisfiable | 3.15 | 0s | 30.0 | 10.0 | 0s | 0.0 | 0s | 2.992190 | 31.0 | 0.0 | 0s | 0.012s | 0.0 | 4.0 | 31.0 | 13.0 | 16.0
quorum_unsafe_06 | satisfiable | 4.69 | 0.004s | 33.0 | 10.0 | 0s | 0.0 | 0s | 4.580290 | 34.0 | 0.0 | 0s | 0.016001s | 0.0 | 4.0 | 34.0 | 13.0 | 16.0
quorum_unsafe_07 | satisfiable | 6.28 | 0.004s | 36.0 | 10.0 | 0s | 0.0 | 0s | 6.048380 | 37.0 | 0.0 | 0s | 0.008001s | 0.0 | 4.0 | 37.0 | 13.0 | 16.0
quorum_unsafe_08 | satisfiable | 7.95 | 0.004001s | 39.0 | 10.0 | 0s | 0.0 | 0s | 7.756490 | 40.0 | 0.0 | 0.004s | 0.012s | 0.0 | 4.0 | 40.0 | 13.0 | 16.0
quorum_unsafe_09 | satisfiable | 9.88 | 0s | 42.0 | 10.0 | 0s | 0.0 | 0.004s | 9.572600 | 43.0 | 0.0 | 0s | 0.016001s | 0.0 | 4.0 | 43.0 | 13.0 | 16.0
quorum_unsafe_10 | satisfiable | 12.22 | 0.004s | 45.0 | 10.0 | 0s | 0.0 | 0s | 11.672700 | 46.0 | 0.0 | 0s | 0.020002s | 0.0 | 4.0 | 46.0 | 13.0 | 16.0
quorum_unsafe_11 | satisfiable | 14.88 | 0.008s | 48.0 | 10.0 | 0s | 0.0 | 0s | 14.684900 | 49.0 | 0.0 | 0s | 0.016002s | 0.0 | 4.0 | 49.0 | 13.0 | 16.0
ticket_safe_02 | unsatisfiable | 0.23 | 0.004001s | 29.0 | 13.0 | 0.008s | 2.0 | 0.004s | 0.064004 | 9.0 | 0.0 | 0.008001s | 0.068003s | 5.0 | 3.0 | 22.0 | 18.0 | 18.0
ticket_safe_03 | unsatisfiable | 1.32 | 0s | 175.0 | 56.0 | 0.020001s | 6.0 | 0.032001s | 0.160010 | 23.0 | 0.0 | 0.036003s | 0.868055s | 20.0 | 8.0 | 122.0 | 79.0 | 79.0
ticket_safe_04 | unsatisfiable | 23.24 | 0.004s | 1905.0 | 423.0 | 0.17601s | 15.0 | 1.28408s | 0.296018 | 17.0 | 0.0 | 2.56817s | 17.2171s | 40.0 | 21.0 | 1178.0 | 968.0 | 968.0
ticket_safe_05 | unsatisfiable | 162.55 | 0.008001s | 8822.0 | 1506.0 | 0.488028s | 18.0 | 23.0774s | 0.504032 | 91.0 | 0.0 | 63.0839s | 68.9883s | 44.0 | 56.0 | 6082.0 | 10714.0 | 10714.0
ticket_unsafe_02 | satisfiable | 0.12 | 0s | 7.0 | 4.0 | 0s | 0.0 | 0s | 0.064003 | 8.0 | 0.0 | 0s | 0s | 0.0 | 2.0 | 8.0 | 5.0 | 5.0
ticket_unsafe_03 | satisfiable | 0.23 | 0s | 10.0 | 5.0 | 0s | 0.0 | 0s | 0.168010 | 11.0 | 0.0 | 0s | 0.004001s | 0.0 | 3.0 | 11.0 | 6.0 | 6.0
ticket_unsafe_04 | satisfiable | 0.36 | 0s | 13.0 | 6.0 | 0s | 0.0 | 0s | 0.292018 | 14.0 | 0.0 | 0s | 0.004s | 0.0 | 4.0 | 14.0 | 7.0 | 7.0
ticket_unsafe_05 | satisfiable | 0.56 | 0s | 16.0 | 7.0 | 0s | 0.0 | 0.004s | 0.460029 | 17.0 | 0.0 | 0s | 0.004001s | 0.0 | 5.0 | 17.0 | 8.0 | 8.0
ticket_unsafe_06 | satisfiable | 0.77 | 0s | 19.0 | 8.0 | 0s | 0.0 | 0s | 0.676042 | 20.0 | 0.0 | 0s | 0.008s | 0.0 | 6.0 | 20.0 | 9.0 | 9.0
ticket_unsafe_07 | satisfiable | 1.06 | 0s | 22.0 | 9.0 | 0s | 0.0 | 0s | 0.964060 | 23.0 | 0.0 | 0s | 0.008s | 0.0 | 7.0 | 23.0 | 10.0 | 10.0
ticket_unsafe_08 | satisfiable | 1.37 | 0s | 25.0 | 10.0 | 0s | 0.0 | 0s | 1.264080 | 26.0 | 0.0 | 0s | 0.008s | 0.0 | 8.0 | 26.0 | 11.0 | 11.0
ticket_unsafe_09 | satisfiable | 1.78 | 0s | 28.0 | 11.0 | 0s | 0.0 | 0s | 1.644100 | 29.0 | 0.0 | 0s | 0.008001s | 0.0 | 9.0 | 29.0 | 12.0 | 12.0
ticket_unsafe_10 | satisfiable | 2.12 | 0.004s | 31.0 | 12.0 | 0s | 0.0 | 0s | 1.980120 | 32.0 | 0.0 | 0s | 0.008001s | 0.0 | 10.0 | 32.0 | 13.0 | 13.0
ticket_unsafe_11 | satisfiable | 2.66 | 0.008s | 34.0 | 13.0 | 0s | 0.0 | 0s | 2.352150 | 35.0 | 0.0 | 0s | 0.008001s | 0.0 | 11.0 | 35.0 | 14.0 | 14.0

Table A.4 – Verification statistics for lazy abstraction with persistent set reduction under symmetry. From the first column of the table, the columns give model, result, total running time, time of partial order reduction, number of transfers, number of reduction attempts, time of refinements, number of refinements, time of cycle detection, time of independence analysis, ART size, number of local predicates, time of coverage checks, time of transfers, number of global predicates, number of successful reductions, number of nodes created, number of coverage checks and number of cycle detections, respectively.
ence on Programming Language Design and Implementation, PLDI ’01, pages 203–213,
New York, NY, USA, 2001. ACM.
[16] Thomas Ball, Andreas Podelski, and Sriram K. Rajamani. Boolean and cartesian abstrac-
tion for model checking C programs. In Proceedings of the 7th International Conference
on Tools and Algorithms for the Construction and Analysis of Systems, TACAS 2001, pages
268–283, London, UK, UK, 2001. Springer-Verlag.
[17] Thomas Ball and Sriram K Rajamani. The slam toolkit. In International Conference on
Computer Aided Veriﬁcation, pages 260–264. Springer, 2001.
[18] Clark W Barrett, Roberto Sebastiani, Sanjit A Seshia, and Cesare Tinelli. Satisﬁability
modulo theories. Handbook of satisﬁability, 185:825–885, 2009.
[19] A. Basu, B. Bensalem, M. Bozga, J. Combaz, M. Jaber, T. H. Nguyen, and J. Sifakis. Rigor-
ous component-based system design using the BIP framework. IEEE Software, 28(3):41–
48, May 2011.
[20] Kai Baukus, Saddek Bensalem, Yassine Lakhnech, and Karsten Stahl. Abstracting WS1S
systems to verify parameterized networks. In Proceedings of the 6th International
Conference on Tools and Algorithms for Construction and Analysis of Systems: Held As
Part of the European Joint Conferences on the Theory and Practice of Software, ETAPS
2000, TACAS ’00, pages 188–203, London, UK, UK, 2000. Springer-Verlag.
[21] Saddek Bensalem, Marius Bozga, Thanh-Hung Nguyen, and Joseph Sifakis. D-ﬁnder: A
tool for compositional deadlock detection and veriﬁcation. In International Conference
on Computer Aided Veriﬁcation, pages 614–619. Springer, 2009.
[22] Saddek Bensalem, Marius Bozga, Joseph Sifakis, and Thanh-Hung Nguyen. Composi-
tional veriﬁcation for component-based systems and application. In International Sym-
posium on Automated Technology for Veriﬁcation and Analysis, pages 64–79. Springer,
2008.
[23] Dirk Beyer and M Erkan Keremoglu. CPAchecker: A tool for conﬁgurable software
veriﬁcation. In International Conference on Computer Aided Veriﬁcation, pages 184–190.
Springer, 2011.
142
Bibliography
[24] Armin Biere, Alessandro Cimatti, Edmund Clarke, and Yunshan Zhu. Symbolic model
checking without bdds. In International conference on tools and algorithms for the
construction and analysis of systems, pages 193–207. Springer, 1999.
[25] Johannes Birgmeier, Aaron R. Bradley, and Georg Weissenbacher. Counterexample to
induction-guided abstraction-reﬁnement (ctigar). In Proceedings of the 16th Interna-
tional Conference on Computer Aided Veriﬁcation - Volume 8559, pages 831–848, New
York, NY, USA, 2014. Springer-Verlag New York, Inc.
[26] Simon Bliudze, Alessandro Cimatti, Mohamad Jaber, Sergio Mover, Marco Roveri, Wajeb
Saab, and Qiang Wang. Formal veriﬁcation of inﬁnite-state bip models. In International
Symposium on Automated Technology for Veriﬁcation and Analysis, pages 326–343.
Springer, 2015.
[27] Simon Bliudze and Joseph Sifakis. The algebra of connectors: Structuring interaction in
bip. In Proceedings of the 7th ACM &Amp; IEEE International Conference on Embedded
Software, EMSOFT ’07, pages 11–20, New York, NY, USA, 2007. ACM.
[28] R. Bloem, S. Jacobs, A. Khalimov, I. Konnov, S. Rubin, H. Veith, and J. Widder. Decidability
of parameterized veriﬁcation. Synthesis Lectures on Distributed Computing Theory, 2015.
[29] Mihaela Gheorghiu Bobaru, Corina S. Pasareanu, and Dimitra Giannakopoulou. Auto-
mated assume-guarantee reasoning by abstraction reﬁnement. In CAV, pages 135–148,
2008.
[30] Ahmed Bouajjani, Bengt Jonsson, Marcus Nilsson, and Tayssir Touili. Regular model
checking. In International Conference on Computer Aided Veriﬁcation, pages 403–418.
Springer, 2000.
[31] Marius Bozga, Mohamad Jaber, Nikolaos Maris, and Joseph Sifakis. Modeling dynamic
architectures using dy-bip. In Proceedings of the 11th International Conference on
Software Composition, SC’12, pages 1–16, Berlin, Heidelberg, 2012. Springer-Verlag.
[32] Aaron R Bradley. Sat-based model checking without unrolling. In International Work-
shop on Veriﬁcation, Model Checking, and Abstract Interpretation, pages 70–87. Springer,
2011.
[33] Roberto Cavada, Alessandro Cimatti, Michele Dorigatti, Alberto Griggio, Alessandro
Mariotti, Andrea Micheli, Sergio Mover, Marco Roveri, and Stefano Tonetta. The nuXmv
symbolic model checker. In Armin Biere and Roderick Bloem, editors, CAV, volume 8559
of Lecture Notes in Computer Science, pages 334–342. Springer, 2014.
[34] Sagar Chaki, Edmund Clarke, Alex Groce, Somesh Jha, and Helmut Veith. Modular
veriﬁcation of software components in C. In Proceedings of the 25th International
Conference on Software Engineering, ICSE ’03, pages 385–395. IEEE Computer Society,
2003.
[35] Alessandro Cimatti and Alberto Griggio. Software model checking via ic3. In Proceedings
of the 24th International Conference on Computer Aided Veriﬁcation, CAV’12, pages
277–293, Berlin, Heidelberg, 2012. Springer-Verlag.
143
Bibliography
[36] Alessandro Cimatti, Alberto Griggio, Andrea Micheli, Iman Narasamdya, and Marco
Roveri. Kratos: A software model checker for systemc. In Proceedings of the 23rd
International Conference on Computer Aided Veriﬁcation, CAV’11, pages 310–316, Berlin,
Heidelberg, 2011. Springer-Verlag.
[37] Alessandro Cimatti, Alberto Griggio, Sergio Mover, and Stefano Tonetta. Ic3 modulo
theories via implicit predicate abstraction. In International Conference on Tools and
Algorithms for the Construction and Analysis of Systems, pages 46–61. Springer, 2014.
[38] Alessandro Cimatti, Alberto Griggio, Bastiaan Joost Schaafsma, and Roberto Sebastiani.
The mathsat5 smt solver. In International Conference on Tools and Algorithms for the
Construction and Analysis of Systems, pages 93–107. Springer, 2013.
[39] Edmund Clarke, Orna Grumberg, Somesh Jha, Yuan Lu, and Helmut Veith.
Counterexample-guided abstraction reﬁnement. In International Conference on Com-
puter Aided Veriﬁcation, pages 154–169. Springer, 2000.
[40] Edmund Clarke, Orna Grumberg, Somesh Jha, Yuan Lu, and Helmut Veith.
Counterexample-guided abstraction reﬁnement for symbolic model checking. Journal
of the ACM (JACM), 50(5):752–794, 2003.
[41] Edmund Clarke, Daniel Kroening, Natasha Sharygina, and Karen Yorav. Satabs: Sat-
based predicate abstraction for ANSI-C. In International Conference on Tools and
Algorithms for the Construction and Analysis of Systems, pages 570–574. Springer, 2005.
[42] Edmund Clarke, Muralidhar Talupur, Tayssir Touili, and Helmut Veith. Veriﬁcation by
network decomposition. In International Conference on Concurrency Theory, pages
276–291. Springer, 2004.
[43] Edmund M. Clarke and E. Allen Emerson. Design and synthesis of synchronization
skeletons using branching-time temporal logic. In Logic of Programs, Workshop, pages
52–71, London, UK, UK, 1982. Springer-Verlag.
[44] Edmund M Clarke, E Allen Emerson, Somesh Jha, and A Prasad Sistla. Symmetry
reductions in model checking. In CAV, 1998.
[45] Edmund M Clarke, Reinhard Enders, Thomas Filkorn, and Somesh Jha. Exploiting
symmetry in temporal logic model checking. Formal Methods in System Design, 1996.
[46] Edmund M Clarke, Orna Grumberg, Marius Minea, and Doron Peled. State space
reduction using partial order techniques. STTT, 1999.
[47] Edmund M. Clarke, Jr., Orna Grumberg, and Doron A. Peled. Model Checking. MIT
Press, Cambridge, MA, USA, 1999.
[48] Patrick Cousot and Radhia Cousot. Abstract interpretation: A uniﬁed lattice model for
static analysis of programs by construction or approximation of ﬁxpoints. In Proceedings
of the 4th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages,
POPL ’77, pages 238–252, New York, NY, USA, 1977. ACM.
[49] William Craig. Three uses of the herbrand-gentzen theorem in relating model theory
and proof theory. The Journal of Symbolic Logic, 22(03):269–285, 1957.
144
Bibliography
[50] Satyaki Das, David L Dill, and Seungjoon Park. Experience with predicate abstraction.
In Computer Aided Veriﬁcation, pages 160–171. Springer, 1999.
[51] Leonardo De Moura and Nikolaj Bjørner. Z3: An efﬁcient smt solver. In Proceedings of the
Theory and Practice of Software, 14th International Conference on Tools and Algorithms
for the Construction and Analysis of Systems, TACAS’08/ETAPS’08, pages 337–340, Berlin,
Heidelberg, 2008. Springer-Verlag.
[52] Edsger W. Dijkstra. Guarded commands, nondeterminacy and formal derivation of
programs. Commun. ACM, 18(8):453–457, August 1975.
[53] Alastair F Donaldson, Alexander Kaiser, Daniel Kroening, Michael Tautschnig, and
Thomas Wahl. Counterexample-guided abstraction reﬁnement for symmetric concur-
rent programs. Formal Methods in System Design, 2012.
[54] Michael Dooley and Fabio Somenzi. Proving parameterized systems safe by generalizing
clausal proofs of small instances. In International Conference on Computer Aided
Veriﬁcation, pages 292–309. Springer, 2016.
[55] Niklas Een, Alan Mishchenko, and Robert Brayton. Efﬁcient implementation of property
directed reachability. In Formal Methods in Computer-Aided Design (FMCAD), 2011,
pages 125–134. IEEE, 2011.
[56] E. A. Emerson and K. S. Namjoshi. On model checking for non-deterministic inﬁnite-
state systems. In Proceedings of the 13th Annual IEEE Symposium on Logic in Computer
Science, LICS ’98, pages 70–, Washington, DC, USA, 1998. IEEE Computer Society.
[57] E Allen Emerson, Somesh Jha, and Doron Peled. Combining partial order and symmetry
reductions. In TACAS. 1997.
[58] E. Allen Emerson and Vineet Kahlon. Reducing model checking of the many to the few.
In Proceedings of the 17th International Conference on Automated Deduction, CADE-17,
pages 236–254, London, UK, UK, 2000. Springer-Verlag.
[59] E Allen Emerson and Vineet Kahlon. Model checking guarded protocols. In Logic in
Computer Science, 2003. Proceedings. 18th Annual IEEE Symposium on, pages 361–370.
IEEE, 2003.
[60] E. Allen Emerson and Kedar S. Namjoshi. Reasoning about rings. In Proceedings of
the 22Nd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages,
POPL ’95, pages 85–94, New York, NY, USA, 1995. ACM.
[61] E Allen Emerson and A Prasad Sistla. Symmetry and model checking. Formal methods
in system design, 1996.
[62] E Allen Emerson and Richard J Treﬂer. From asymmetry to full symmetry: New tech-
niques for symmetry reduction in model checking. In CHDVM. 1999.
[63] E Allen Emerson and Thomas Wahl. Dynamic symmetry reduction. In TACAS. 2005.
[64] J. Esparza, A. Finkel, and R. Mayr. On the veriﬁcation of broadcast protocols. LICS, 1999.
[65] Sami Evangelista and Christophe Pajault. Solving the ignoring problem for partial
order reduction. International Journal on Software Tools for Technology Transfer (STTT),
12(2):155–170, 2010.
145
Bibliography
[66] Alain Finkel and Ph Schnoebelen. Well-structured transition systems everywhere!
Theoretical Computer Science, 256(1):63–92, 2001.
[67] Kathleen Fisher. Using formal methods to enable more secure vehicles: Darpa’s hacms
program. SIGPLAN Not., 49(9):1–1, August 2014.
[68] Cormac Flanagan and Patrice Godefroid. Dynamic partial-order reduction for model
checking software. In Proceedings of the 32nd ACM SIGPLAN-SIGACT Symposium on
Principles of Programming Languages, POPL ’05, pages 110–121. ACM, 2005.
[69] Cormac Flanagan and Shaz Qadeer. Predicate abstraction for software veriﬁcation. In
Proceedings of the 29th ACMSIGPLAN-SIGACT SymposiumonPrinciples of Programming
Languages, POPL ’02, pages 191–202. ACM, 2002.
[70] Cormac Flanagan and Shaz Qadeer. Thread-modular model checking. In International
SPIN Workshop on Model Checking of Software, pages 213–224. Springer, 2003.
[71] Robert W. Floyd. Assigning meanings to programs. In J. T. Schwartz, editor, Mathe-
matical Aspects of Computer Science, volume 19 of Proceedings of Symposia in Applied
Mathematics, pages 19–32, Providence, Rhode Island, 1967. American Mathematical
Society.
[72] G. Geeraerts, J. F. Raskin, and L. Van Begin. Expand, enlarge and check: New algorithms
for the coverability problem of wsts. J. Comput. Syst. Sci., 72(1):180–203, February 2006.
[73] Gilles Geeraerts, Jean-François Raskin, and Laurent Van Begin. Expand, enlarge, and
check: New algorithms for the coverability problem of wsts. In International Conference
on Foundations of Software Technology and Theoretical Computer Science, pages 287–
298. Springer, 2004.
[74] Steven M. German and A. Prasad Sistla. Reasoning about systems with many processes.
J. ACM, 39(3):675–735, July 1992.
[75] Silvio Ghilardi, Enrica Nicolini, Silvio Ranise, and Daniele Zucchelli. Towards smt
model checking of array-based systems. In International Joint Conference on Automated
Reasoning, pages 67–82. Springer, 2008.
[76] Silvio Ghilardi and Silvio Ranise. Mcmt: A model checker modulo theories. In Interna-
tional Joint Conference on Automated Reasoning, pages 22–29. Springer, 2010.
[77] Patrice Godefroid. Using partial orders to improve automatic veriﬁcation methods. In
Proceedings of the 2nd International Workshop on Computer Aided Veriﬁcation, CAV ’90,
pages 176–185, London, UK, UK, 1991. Springer-Verlag.
[78] Patrice Godefroid. Partial-Order Methods for the Veriﬁcation of Concurrent Systems: An
Approach to the State-Explosion Problem. Springer-Verlag, 1996.
[79] Susanne Graf and Hassen Saïdi. Construction of abstract state graphs with PVS. In
Computer aided veriﬁcation, pages 72–83. Springer, 1997.
[80] Sergey Grebenshchikov, Nuno P. Lopes, Corneliu Popeea, and Andrey Rybalchenko.
Synthesizing software veriﬁers fromproof rules. InProceedings of the 33rd ACMSIGPLAN
Conference on Programming Language Design and Implementation, PLDI ’12, pages
405–416, New York, NY, USA, 2012. ACM.
146
Bibliography
[81] Orna Grumberg and Helmut Veith, editors. 25 Years of Model Checking - History, Achieve-
ments, Perspectives, volume 5000 of Lecture Notes in Computer Science. Springer, 2008.
[82] Henning Günther, Alfons Laarman, Ana Sokolova, and Georg Weissenbacher. Dynamic
reductions for model checking concurrent software. In International Conference on
Veriﬁcation, Model Checking, and Abstract Interpretation, pages 246–265. Springer, 2017.
[83] Ashutosh Gupta, Corneliu Popeea, and Andrey Rybalchenko. Predicate abstraction and
reﬁnement for verifying multi-threaded programs. In Proceedings of the 38th Annual
ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL ’11,
pages 331–344. ACM, 2011.
[84] Ashutosh Gupta, Corneliu Popeea, and Andrey Rybalchenko. Threader: A constraint-
based veriﬁer formulti-threaded programs. InCAV, volume 6806 of LNCS, pages 412–417.
Springer, 2011.
[85] J. Y Halpern. Presburger arithmetic with unary predicates is π11 complete. The Journal
of Symbolic Logic, 1991.
[86] Henri Hansen. Abstractions for transition systems with applications to stubborn sets,
pages 104–123. Lecture Notes in Computer Science. Springer International Publishing,
1 2017.
[87] Henri Hansen, Shang-Wei Lin, Yang Liu, Truong Khanh Nguyen, and Jun Sun. Diamonds
are a girl’s best friend: Partial order reduction for timed automata with abstractions. In
Computer Aided Veriﬁcation - 26th International Conference, CAV 2014, Held as Part of
the Vienna Summer of Logic, VSL 2014, Vienna, Austria, July 18-22, 2014. Proceedings,
pages 391–406, 2014.
[88] Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, and Kenneth L. McMillan. Ab-
stractions from proofs. In Proceedings of the 31st ACM SIGPLAN-SIGACT Symposium
on Principles of Programming Languages, POPL ’04, pages 232–244, New York, NY, USA,
2004. ACM.
[89] Thomas A Henzinger, Ranjit Jhala, Rupak Majumdar, and Shaz Qadeer. Thread-modular
abstraction reﬁnement. In International Conference on Computer Aided Veriﬁcation,
pages 262–274. Springer, 2003.
[90] Thomas A Henzinger, Ranjit Jhala, Rupak Majumdar, and Grégoire Sutre. Lazy abstrac-
tion. ACM SIGPLAN Notices, 2002.
[91] Thomas A. Henzinger and Joseph Sifakis. The embedded systems design challenge. In
Proceedings of the 14th International Conference on Formal Methods, FM’06, pages 1–15,
Berlin, Heidelberg, 2006. Springer-Verlag.
[92] Thomas A. Henzinger and Joseph Sifakis. The discipline of embedded systems design.
Computer, 40(10):32–40, October 2007.
[93] C. A. R. Hoare. An axiomatic basis for computer programming. Commun. ACM,
12(10):576–580, October 1969.
147
Bibliography
[94] Hossein Hojjat, Filip Konecˇny`, Florent Garnier, Radu Iosif, Viktor Kuncak, and Philipp
Rümmer. A veriﬁcation toolkit for numerical transition systems. In International
Symposium on Formal Methods, pages 247–251. Springer, 2012.
[95] Hossein Hojjat, Philipp Rümmer, Pavle Subotic, and Wang Yi. Horn clauses for commu-
nicating timed systems. arXiv preprint arXiv:1412.1153, 2014.
[96] Gerard J. Holzmann. The model checker SPIN. IEEE Trans. Software Eng., 23(5):279–295,
1997.
[97] Radu Iosif. Symmetry reductions for model checking of concurrent dynamic software.
STTT, 2004.
[98] C Norris Ip and David L Dill. Better veriﬁcation through symmetry. Formal methods in
system design, 1996.
[99] Anton Ivanov, Louis Masson, Stefano Rossi, Federico Belloni, Reto Wiesendanger, Volker
Gass, Markus Rothacher, Christine Hollenstein, Benjamin Männel, Patrick Fleischmann,
Heinz Mathis, Martin Klaper, Marcel Joss, and Erich Styger. CubETH: low cost GNSS
space experiment for precise orbit determination. Technical report, 2014.
[100] Taylor T. Johnson and Sayan Mitra. A small model theorem for rectangular hybrid
automata networks. InProceedings of the 14th Joint IFIPWG6.1 International Conference
and Proceedings of the 32Nd IFIP WG 6.1 International Conference on Formal Techniques
for Distributed Systems, FMOODS’12/FORTE’12, pages 18–34, Berlin, Heidelberg, 2012.
Springer-Verlag.
[101] Cliff B Jones. Speciﬁcation and design of (parallel) programs. In IFIP congress, volume 83,
pages 321–332, 1983.
[102] Vineet Kahlon, Chao Wang, and Aarti Gupta. Monotonic partial order reduction: An
optimal symbolic partial order reduction technique. In Proceedings of the 21st Inter-
national Conference on Computer Aided Veriﬁcation, CAV ’09, pages 398–413, Berlin,
Heidelberg, 2009. Springer-Verlag.
[103] Richard M. Karp and Raymond E. Miller. Parallel program schemata. J. Comput. Syst.
Sci., 3(2):147–195, May 1969.
[104] Yonit Kesten, Amir Pnueli, Elad Shahar, and Lenore D. Zuck. Network invariants in
action. In Proceedings of the 13th International Conference on Concurrency Theory,
CONCUR ’02, pages 101–115, London, UK, UK, 2002. Springer-Verlag.
[105] Sepideh Khoshnood, Markus Kusano, and Chao Wang. Concbugassist: Constraint solv-
ing for diagnosis and repair of concurrency bugs. InProceedings of the 2015 International
Symposium on Software Testing and Analysis, ISSTA 2015, pages 165–176, New York, NY,
USA, 2015. ACM.
[106] Shuvendu K Lahiri, Randal E Bryant, and Byron Cook. A symbolic approach to predicate
abstraction. In Computer Aided Veriﬁcation, pages 141–153. Springer, 2003.
[107] Shuvendu K Lahiri, Robert Nieuwenhuis, and Albert Oliveras. SMT techniques for fast
predicate abstraction. In Computer Aided Veriﬁcation, pages 424–437. Springer, 2006.
148
Bibliography
[108] Richard J. Lipton. Reduction: A method of proving properties of parallel programs.
Commun. ACM, 1975.
[109] C. Loiseaux, S. Graf, J. Sifakis, A. Bouajjani, and S. Bensalem. Property preserving
abstractions for the veriﬁcation of concurrent systems. Form.Methods Syst. Des., 6(1):11–
44, January 1995.
[110] Nancy A. Lynch. Distributed Algorithms. Morgan Kaufmann Publishers Inc., San Fran-
cisco, CA, USA, 1996.
[111] Alexander Malkis, Andreas Podelski, and Andrey Rybalchenko. Thread-modular veriﬁ-
cation is cartesian abstract interpretation. In International Colloquium on Theoretical
Aspects of Computing, pages 183–197. Springer, 2006.
[112] Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent Systems: Speciﬁ-
cation. Springer-Verlag, 1992.
[113] Zohar Manna and Amir Pnueli. Temporal Veriﬁcation of Reactive Systems: Safety.
Springer-Verlag New York, Inc., New York, NY, USA, 1995.
[114] Anastasia Mavridou, Eduard Baranov, Simon Bliudze, and Joseph Sifakis. Conﬁguration
logics: Modelling architecture styles. In Revised Selected Papers of the 12th International
Conference on Formal Aspects of Component Software - Volume 9539, FACS 2015, pages
256–274, New York, NY, USA, 2016. Springer-Verlag New York, Inc.
[115] A Mazurkiewicz. Trace theory. In Advances in Petri Nets 1986, Part II on Petri Nets:
Applications and Relationships to Other Models of Concurrency, pages 279–324, New
York, NY, USA, 1987. Springer-Verlag New York, Inc.
[116] Kenneth L McMillan. Symbolic model checking. In Symbolic Model Checking, pages
25–60. Springer, 1993.
[117] Kenneth L McMillan. Interpolation and sat-based model checking. In International
Conference on Computer Aided Veriﬁcation, pages 1–13. Springer, 2003.
[118] Kenneth L McMillan. Applications of craig interpolants in model checking. In Interna-
tional Conference on Tools and Algorithms for the Construction and Analysis of Systems,
pages 1–12. Springer, 2005.
[119] Kenneth L McMillan. Lazy abstraction with interpolants. In Computer Aided Veriﬁcation,
pages 123–136. Springer, 2006.
[120] Kenneth L McMillan. Interpolants and symbolic model checking. In International
Workshop on Veriﬁcation, Model Checking, and Abstract Interpretation, pages 89–90.
Springer, 2007.
[121] Alice Miller, Alastair Donaldson, and Muffy Calder. Symmetry in temporal logic model
checking. ACM Comput. Surv., 2006.
[122] Steven P Miller, Michael W Whalen, and Darren D Cofer. Software model checking takes
off. Communications of the ACM, 53(2):58–64, 2010.
[123] Chris Newcombe, Tim Rath, Fan Zhang, Bogdan Munteanu, Marc Brooker, and Michael
Deardeuff. How amazonweb services uses formal methods. Commun. ACM, 58(4):66–73,
March 2015.
149
Bibliography
[124] Doron Peled. All from one, one for all: On model checking using representatives. In
Proceedings of the 5th International Conference on Computer Aided Veriﬁcation, CAV ’93,
pages 409–423, London, UK, UK, 1993. Springer-Verlag.
[125] Doron Peled. Ten years of partial order reduction. In Proceedings of the 10th Interna-
tional Conference on Computer Aided Veriﬁcation, CAV ’98, pages 17–28, London, UK,
UK, 1998. Springer-Verlag.
[126] Amir Pnueli, Sitvanit Ruah, and Lenore D. Zuck. Automatic deductive veriﬁcation
with invisible invariants. In Proceedings of the 7th International Conference on Tools
and Algorithms for the Construction and Analysis of Systems, TACAS 2001, pages 82–97,
London, UK, UK, 2001. Springer-Verlag.
[127] Amir Pnueli, Jessie Xu, and Lenore D. Zuck. Liveness with (0, 1, infty)-counter abstrac-
tion. In Proceedings of the 14th International Conference on Computer Aided Veriﬁcation,
CAV ’02, pages 107–122, London, UK, UK, 2002. Springer-Verlag.
[128] Corneliu Popeea, Andrey Rybalchenko, and Andreas Wilhelm. Reduction for composi-
tional veriﬁcation of multi-threaded programs. In FMCAD, pages 187–194. IEEE, 2014.
[129] Jean-Pierre Queille and Joseph Sifakis. Speciﬁcation and veriﬁcation of concurrent
systems in cesar. In Proceedings of the 5th Colloquium on International Symposium on
Programming, pages 337–351, London, UK, UK, 1982. Springer-Verlag.
[130] Marco Roveri, Iman Narasamdya, and Alessandro Cimatti. Software model checking
with explicit scheduler and symbolic threads. Logical Methods in Computer Science, 8,
2012.
[131] S. Schmitz and P. Schnoebelen. The power of well-structured systems. In CONCUR,
2013.
[132] Joseph Sifakis. A uniﬁed approach for studying the properties of transition systems.
Theoretical Computer Science, 18(3):227–258, 1982.
[133] Joseph Sifakis. Rigorous system design. Foundations and Trends® in Electronic Design
Automation, 6(4):293–362, April 2013.
[134] Joseph Sifakis. System design automation: Challenges and limitations. Proceedings of
the IEEE, 103(11):2093–2103, 2015.
[135] Joseph Sifakis, Saddek Bensalem, Simon Bliudze, and Marius Bozga. A theory agenda
for component-based design. In Software, Services, and Systems - Essays Dedicated to
Martin Wirsing on the Occasion of His Retirement from the Chair of Programming and
Software Engineering, volume 8950 of Lecture Notes in Computer Science, pages 409–439.
Springer, 2015.
[136] I. Suzuki. Proving properties of a ring of ﬁnite-state machines. Inf. Process. Lett., 1988.
[137] W. Thomas. Languages, automata, and logic. Springer, 1997.
[138] Stefano Tonetta. Abstract model checking without computing the abstraction. In FM
2009: Formal Methods, pages 89–105. Springer, 2009.
150
Bibliography
[139] Antti Valmari. A stubborn attack on state explosion. In Computer-Aided Veriﬁcation,
pages 156–165. Springer, 1990.
[140] Antti Valmari. Stubborn sets for reduced state space generation. In Proceedings of the
10th International Conference on Applications and Theory of Petri Nets: Advances in Petri
Nets 1990, pages 491–515, London, UK, UK, 1991. Springer-Verlag.
[141] Antti Valmari. A state space tool for concurrent system models expressed in C++. In
Jyrki Nummenmaa, Outi Sievi-Korte, and Erkki Mäkinen, editors, Proceedings of the
14th Symposium on Programming Languages and Software Tools (SPLST’15), Tampere,
Finland, October 9-10, 2015., volume 1525 of CEUR Workshop Proceedings, pages 91–105.
CEUR-WS.org, 2015.
[142] Antti Valmari. Stop it, and be stubborn&excl;. ACM Trans. Embed. Comput. Syst.,
16(2):46:1–46:26, January 2017.
[143] Antti Valmari and Henri Hansen. Stubborn set intuition explained. In Lawrence Cabac,
Lars Michael Kristensen, and Heiko Rölke, editors, Petri Nets and Software Engineering.
International Workshop, PNSE’16, Torun´, Poland, June 20-21, 2016. Proceedings, volume
1591 of CEUR Workshop Proceedings, pages 213–232. CEUR-WS.org, 2016.
[144] François Vernadat, Pierre Azéma, and François Michel. Covering step graph. In Proceed-
ings of the 17th International Conference on Application and Theory of Petri Nets, pages
516–535, London, UK, UK, 1996. Springer-Verlag.
[145] Bjorn Wachter, Daniel Kroening, and Joel Ouaknine. Verifying multi-threaded software
with impact. In Formal Methods in Computer-Aided Design (FMCAD), 2013, pages
210–217. IEEE, 2013.
[146] Thomas Wahl and Alastair Donaldson. Replication and abstraction: Symmetry in auto-
mated formal veriﬁcation. Symmetry, 2010.
[147] Chao Wang, Zijiang Yang, Vineet Kahlon, and Aarti Gupta. Peephole partial order
reduction. In TACAS 2008, volume 4963 of LNCS, pages 382–396. Springer, 2008.
[148] W Eric Wong, Ruizhi Gao, Yihao Li, Rui Abreu, and Franz Wotawa. A survey on software
fault localization. IEEE Transactions on Software Engineering, 42(8):707–740, 2016.
151

Wang Qiang
qiang.wang@epfl.ch
EDUCATION
PhD candidate in computer and communication science 2013-
École Polytechnique Fédérale de Lausanne
I am currently a PhD candidate under the supervision of Prof. Joseph Sifakis, focusing on
algorithmic verification of component-based systems as well as parameterized verification.
MSc. in information and communication science 2010-2013
National University of Defense Technology, China
Master thesis: formal analysis of security protocols.
Graduated with third-class merit.
BSc. in information and communication science 2006-2010
National University of Defense Technology, China
Bachelor thesis: provable security of Elliptic Curve cryptography algorithms.
Outstanding undergraduate ranking 2nd out of 155.
AWARDS
1. Third-class merit awarded by president of National University of Defense Technology
in 2012.
2. Outstanding undergraduate student award in 2010.
3. Second place in Chinese National Mathematics Competition in 2009.
4. Third place in Chinese National Information Security Competition in 2008.
PUBLICATIONS
1. Exploiting Symmetry for Eﬃcient Veriﬁcation of Inﬁnite-State Component-Based
Systems, International Symposium on Dependable Software Engineering: Theories,
Tools, and Applications (SETTA 2016), pages 246–263, 2016, Springer.
2. Parameterized systems in BIP: design and model checking. With Igor Konnov,
Tomer Kotek, Helmut Veith, Simon Bliudze and Joseph Sifakis. 27th International
Conference on Concurrency Theory (CONCUR 2016). (Corresponding author)
3. Formal veriﬁcation of inﬁnite state BIP models. With Simon Bliudze, Alessandro
Cimatti, Mohamad Jaber, Sergio Mover, Marco Roveri, Wajeb Saab. 13th Interna-
tional Symposium on Automated Technology for Veriﬁcation and Analysis (ATVA
2015). (Corresponding author)
4. Veriﬁcation of component-based systems via predicate abstraction and simultaneous
set reduction. With Simon Bliudze. 10th International Symposium on Trustworthy
Global Computing (TGC 2015). (Corresponding author)
5. SeBip: a symbolic executor for BIP. With Simon Bliudze. 20th International
Conference on Engineering of Complex Computer Systems (ICECCS 2015).
(Corresponding author)
6. Automatic fault localization for BIP. With Lei Yan, Simon Bliudze, Xiaoguang
Mao. 1st Symposium on Dependable Software Engineering: Theories, Tools and
Applications (SETTA 2015). (Corresponding author)
7. TOA: A tag-owner-assisting RFID authentication protocol toward access control
and ownership transfer. With Xie, W. and Xie, L. and Zhang, C. and Wang, C.
and Tang, C. Security and Communication Networks. Volume 7, May 2014, Pages
934-944.
8. RFID seeking: Finding a lost tag rather than only detecting its missing. With Xie,
W. and Xie, L. and Zhang, C. and Xu, J. and Zhang, Q. and Tang, C. Journal of
Network and Computer Applications, Volume 42, June 2014, Pages 135-142.
SOFTWARE
1. Kratos4BIP: a model checker for inﬁnite-state component-based systems in BIP.
2. BIPChecker: a model checker for parameterized component-based systems in BIP.

