Introduction
With the increase in the complexity of computer systems, it becomes even more important to develop formal methods for ensuring their quality. Early detection of errors requires application of advanced analysis, verification and validation techniques for modelling resources, temporal properties, datatype invariants, and security properties. Various techniques for automated and semi-automated analysis and verification of computer systems have been proposed.
In particular, model-checking has become a very practical technique due to its push-button character. The basic principle behind model-checking is to build a model of the system under consideration together with a formal description of the verified property in a suitable temporal logic. The model-checking algorithm is a decision procedure which, in addition to the yes/no answer, returns a trace of a faulty behaviour in case the checked property is not satisfied by the model. One of the additional advantages of this approach is that verification can be performed against partial specifications, by considering only a subset of all specification requirements. This allows for increased efficiency by checking correctness with respect to only the most relevant requirements that should be fulfilled. The limiting factor is that the size of the model explodes, i.e. it generally grows exponentially with respect to the size of the system description. To handle state space explosion additional techniques are required. In recent years, research has been conducted in techniques which utilise the combined resources of parallel or distributed computers to further push the borders of still tractable systems. In the first part we give an introductory survey of achievements related to cluster-based LTL model checking of finite-state systems.
In the second part we employ the classes of infinite-state systems defined by term rewrite systems and called Process Rewrite Systems (PRS) as introduced by Mayr. PRS subsume a variety of the formalisms studied in the context of formal verification; Petri nets, pushdown automata, and process algebras like BPA, BPP, or PA all serve to exemplify this. We present some extensions of PRS and discuss their basic properties. Also, we explore the model checking problem over these classes with respect to various linear- and branching-time logics.
Model-Checking Large Finite-State Systems
In this part we focus on finite-state models where one assumes only a finite number of distinct configurations during any arbitrarily long execution of a computer system. Although surely limited in a mathematical sense, finite-state models necessarily encompass every software system implemented on a digital computer. Model-checking finite-state systems has been applied fairly successfully for verification of quite a few real-life systems. However, its applicability to a wider class of practical systems has been hampered by the so called state explosion problem (i.e. the enormous increase in the size of the state space). For large industrial models, the state space does not completely fit into the main memory of a single state-of-the-art computer and hence the model-checking algorithm becomes very slow as soon as the memory is exhausted and the system starts swapping.
Much attention has been focused on the development of approaches to battle the state space explosion problem. Many techniques, such as abstraction, state compression, state space reduction, symbolic state representation, etc., are used to reduce the size of the problem to be handled, allowing thus a single computer to process larger systems. There are also techniques that purely focus on increasing the amount of available computational power. These are, for example, techniques to fight memory limits with efficient utilisation of an external I/O device [1], [30], [43], [64], or techniques that introduce cluster-based algorithms to employ the aggregate power of network-interconnected computers.
Cluster-based algorithms perform their computation simultaneously on a number of workstations that are allowed to communicate and synchronise themselves by means of message passing. Cluster-based algorithms can thus be characterised as parallel algorithms performing in a distributed memory environment. An efficient parallel solution often cannot be achieved by a simple adaptation of a sequential one; in many cases it requires the invention of original, novel approaches radically different from those used to solve the same problems sequentially. Parallel algorithms have been successfully applied to symbolic model checking [36], [37], analysis of stochastic [39] and timed [6] systems, equivalence checking [9] and other related problems [7], [10], [35]. Experimental performance results on clusters of workstations show significant improvements with respect to sequential techniques, both in extension of the size of the problem and in computational times, along with adequate scalability with the number of processors.
As a demonstration of cluster-based verification we consider parallel LTL model-checking. The LTL model-checking problem can be reformulated as a cycle detection problem in an oriented graph, and the basic principles behind the presented algorithms rely on efficient solutions to detecting cycles in a distributed environment. The best known enumerative sequential algorithms for detection of accepting cycles are the Nested DFS algorithm [27], [41] (implemented, e.g., in the model checker SPIN [40]) and SCC-based algorithms originating in Tarjan's algorithm for the decomposition of the graph into strongly connected components (SCCs) [67]. While Nested DFS is more space efficient, SCC-based algorithms produce shorter counterexamples in general. The linear time complexity of both algorithms relies on the postorder as produced by the depth-first search traversal over the graph. It is a well known fact that computing depth-first search postorder is P-complete [61], hence probably inherently sequential. This means that neither of the two algorithms can be easily adapted to work on a parallel machine. Nevertheless, a few fundamentally different cluster-based techniques for accepting cycle detection have appeared. They typically perform repeated reachability over the graph. Unlike the postorder problem, reachability is a graph problem which can be parallelised, hence the algorithms might be transformed to cluster-based algorithms that work with a reasonable increase in time and space.
The algorithms employ specific structural properties of the underlying graphs (often computable in advance from the given system specification), use additional data structures to divide the problem into independent sub-problems, or translate the model-checking problem to another one, which admits efficient parallel solution. Several of the algorithms are based on sequentially less efficient but well parallelizable breadth-first exploration of the graph or on placing bounds limiting the size of the graph to be explored.
Distributed Algorithms for Accepting Cycle Detection
The algorithms are meant for cluster-based computing. The cluster is formed from a network of workstations; there is no shared memory. We describe the main ideas primarily as sequential, leaving thus many technical details related to distributed computation out.
The problem we consider comes out from the automata-based procedure to decide the LTL model checking problem as introduced in [68]. The approach exploits the fact that every set of executions expressible by an LTL formula is an ω-regular set and can be described by a Büchi automaton. In particular, the approach suggests expressing all system executions by a system automaton and all executions not satisfying the formula by a property or negative claim automaton. These two automata are combined into their synchronous product in order to check for the presence of system executions that violate the property expressed by the formula. The language recognised by the product automaton is empty if and only if no system execution is invalid.
The language emptiness problem for Büchi automata can be expressed as an accepting cycle detection problem in a directed graph. Each Büchi automaton can be naturally identified with an automaton graph which is a directed graph G = (V, E, s, A) where V is the set of vertexes (n = |V|), E is a set of edges (m = |E|), s is an initial vertex, and A ⊆ V is a set of accepting vertexes (a = |A|). We say that a reachable cycle in G is accepting if it contains an accepting vertex. Let A be a Büchi automaton and G_A the corresponding automaton graph. Then A recognises a nonempty language iff G_A contains an accepting cycle. The LTL model-checking problem is thus reduced to the reachable accepting cycle detection problem in automaton graphs.
We suppose the graph is given implicitly and is generated on demand. This contrasts with the possibility of having an explicit representation (like an adjacency matrix) and gives a better chance to get the solution without actually constructing the entire graph. For this reason our graphs are given by two functions: one gives the initial vertex and the other gives for each vertex the set of its immediate successors. The graph is distributed on the workstations using a partition function placing each vertex on some workstation.
Algorithm 1. Maximal Accepting Predecessors [19], [20]
A vertex u is a predecessor of a vertex v if there is a non-trivial path from u to v. The main idea behind the algorithm is based on the fact that each accepting vertex lying on an accepting cycle is its own predecessor.
Instead of the expensive computation and storage of all accepting predecessors for each (accepting) vertex, the algorithm computes a single representative accepting predecessor for each vertex. We presuppose a linear ordering ≺ of vertexes (given e.g. by their memory representation) and choose the maximal accepting predecessor. For a vertex u we denote its maximal accepting predecessor in the graph G by map_G(u). Clearly, if an accepting vertex is its own maximal accepting predecessor (map_G(u) = u), it is its own predecessor and it lies on an accepting cycle. Unfortunately, the opposite does not hold in general. It can happen that the maximal accepting predecessor of an accepting vertex on a cycle does not lie on the cycle. Such vertexes can be safely deleted from the set of accepting vertexes (by applying the deleting transformation) and the accepting cycle still remains in the resulting graph. Whenever the deleting transformation is applied to an automaton graph G with map_G(v) ≠ v for all v ∈ V, it shrinks the set of accepting vertexes by those vertexes that do not lie on any cycle.
As the set of accepting vertexes can change after the deleting transformation has been applied, maximal accepting predecessors must be recomputed. It can happen that even in the modified graph the maximal accepting predecessor function is still not sufficient for cycle detection. However, after a finite number of applications of the deleting transformation an accepting cycle is certified. For an automaton graph without accepting cycles the repetitive application of the deleting transformation results in an automaton graph with an empty set of accepting vertexes.
The time complexity of the algorithm is O(a² · m), where a is the number of accepting vertexes. Here the factor a · m comes from the computation of the map function and the factor a relates to the number of iterations.
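The following is an added worked example of Algorithm 1, written for this survey text and not taken from the cited papers or from DiVinE. It assumes a graph given as a successor dictionary over integer vertexes (so the ordering ≺ is the usual order on integers), computes map_G by propagating maxima over a work queue, and applies the deleting transformation in the form I assume from the description above: every accepting vertex that is the map value of some vertex is removed from the accepting set. The two small graphs at the bottom are constructed for the demonstration; the first one exhibits the "unfortunate" case in which the map value of a vertex on an accepting cycle lies outside the cycle, so a second iteration is needed.

```python
from collections import deque


def compute_map(succ, s, acc):
    """map_G(v) for every vertex reachable from s.

    succ: {vertex: iterable of successors}; acc: set of accepting vertexes.
    None means "no accepting predecessor".  A vertex u passes on
    max(map_G(u), u if u is accepting) to its successors and a vertex is
    re-queued whenever its value grows; values only increase within a finite
    set, so the loop terminates.
    """
    mp = {s: None}
    queue = deque([s])
    while queue:
        u = queue.popleft()
        prop = mp[u]
        if u in acc and (prop is None or u > prop):
            prop = u
        for v in succ.get(u, ()):
            if v not in mp:
                mp[v] = prop
                queue.append(v)
            elif prop is not None and (mp[v] is None or prop > mp[v]):
                mp[v] = prop
                queue.append(v)
    return mp


def has_accepting_cycle_map(succ, s, acc):
    """Returns (answer, number of map computations).

    If some accepting u has map_G(u) = u, u lies on an accepting cycle.
    Otherwise apply the deleting transformation (assumed form): an accepting
    vertex u = map_G(v) cannot lie on a cycle, because then u would be its own
    predecessor with map_G(u) > u, and that larger accepting vertex would also
    precede v, contradicting u = map_G(v).  If nothing is a map value, no
    reachable accepting vertex even has a successor, so no accepting cycle exists.
    """
    acc = set(acc)
    iterations = 0
    while True:
        iterations += 1
        mp = compute_map(succ, s, acc)
        if any(mp.get(u) == u for u in acc):
            return True, iterations
        doomed = {m for m in mp.values() if m is not None}
        if not doomed:
            return False, iterations
        acc -= doomed


# Constructed sample graphs (vertex 0 is the initial vertex).
G_CYCLE = {0: [5], 5: [1], 1: [2], 2: [1]}      # accepting cycle 1 -> 2 -> 1
G_ACYCLIC = {0: [1], 1: [2], 2: [3], 3: []}     # no cycle at all

if __name__ == "__main__":
    print(has_accepting_cycle_map(G_CYCLE, 0, {5, 2}))    # (True, 2)
    print(has_accepting_cycle_map(G_ACYCLIC, 0, {1, 3}))  # (False, 2)
```

In G_CYCLE the first round yields map_G(2) = 5 because the accepting vertex 5 precedes the cycle and is larger than 2; the deleting transformation removes 5 from the accepting set and the second round certifies map_G(2) = 2.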
Algorithm 2. Eliminating Bad States [24]
The accepting cycle detection problem can be directly reformulated as a question whether the automaton graph contains a nontrivial accepting strongly connected component.
The inspiration for the algorithm is taken from symbolic algorithms for cycle detection, namely from SCC hull algorithms. SCC hull algorithms compute the set of vertexes containing all accepting components. These algorithms maintain an approximation of the set and successively remove non-accepting components until they reach a fixpoint. Different strategies to remove non-accepting components lead to different algorithms. An overview, taxonomy, and comparison of symbolic algorithms can be found in the independent reports [34] and [60].
The enumerative algorithm works on individual vertexes rather than on sets of vertexes as is the case in the symbolic approach. A component is removed by removing its vertexes. The algorithm employs two rules to remove vertexes of non-accepting components:
- if a vertex is not reachable from any accepting vertex then the vertex does not belong to any accepting component, and
- if a vertex has in-degree zero then the vertex does not belong to any accepting component.
Note that an alternative set of rules can be formulated as
- if no accepting vertex is reachable from a vertex then the vertex does not belong to any accepting component, and
- if a vertex has out-degree zero then the vertex does not belong to any accepting component.
This second set of rules results in an algorithm which works in a backward manner and we will not describe it explicitly here. The algorithm in its forward version requires the entire automaton graph to be generated first. The same is true for the backward version. Moreover, the backward version actually needs to store the edges to be able to perform backward reachability. This is however paid for by relaxing the necessity to compute successors, which is in fact a very expensive operation in practice.
The time complexity of the algorithm is O(h · m), where h is the height of the SCC tree. A positive aspect of the algorithms is their effectiveness for weak automaton graphs. A graph is weak if each SCC of G is either fully contained in A or disjoint from A. For weak graphs one iteration of the SCC-based algorithm is sufficient to decide accepting cycles. The studies of temporal properties [29], [25] reveal that verification of up to 90% of LTL properties leads to weak automaton graphs.
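An added worked example of the forward version of Algorithm 2 (not code from the cited paper or from DiVinE): the whole reachable graph is generated first, then the two rules, reachability from the accepting vertexes and removal of in-degree-zero vertexes, are alternated until the vertex set stops shrinking. The graph representation (successor dictionary, integer vertexes, initial vertex 0) and the sample graphs are constructed for this example.

```python
from collections import deque


def reach_from(succ, seeds, alive=None):
    """Vertexes reachable from the seed set (seeds included).  If alive is
    given, the search never leaves that vertex set."""
    seen = set(seeds)
    queue = deque(seen)
    while queue:
        u = queue.popleft()
        for v in succ.get(u, ()):
            if (alive is None or v in alive) and v not in seen:
                seen.add(v)
                queue.append(v)
    return seen


def drop_indegree_zero(succ, alive):
    """Repeatedly remove vertexes whose in-degree within alive is zero
    (removing a vertex may bring its successors' in-degree down to zero)."""
    indeg = {v: 0 for v in alive}
    for u in alive:
        for v in succ.get(u, ()):
            if v in alive:
                indeg[v] += 1
    queue = deque(v for v, d in indeg.items() if d == 0)
    while queue:
        u = queue.popleft()
        alive.discard(u)
        for v in succ.get(u, ()):
            if v in alive:
                indeg[v] -= 1
                if indeg[v] == 0:
                    queue.append(v)
    return alive


def eliminate_bad_states(succ, s, acc):
    """Forward elimination.  Returns (remaining vertex set, iterations).

    At the fixpoint every remaining vertex has a predecessor in the set, so the
    set contains a nontrivial SCC with no incoming edges from the rest of the
    set; every vertex of that SCC is reachable from a remaining accepting
    vertex, which must therefore lie inside the SCC.  Hence the remainder is
    nonempty iff the graph has a reachable accepting cycle.
    """
    alive = reach_from(succ, [s])          # the entire reachable graph
    acc = set(acc)
    iterations = 0
    while alive:
        iterations += 1
        before = len(alive)
        alive = reach_from(succ, acc & alive, alive)   # rule 1
        alive = drop_indegree_zero(succ, alive)        # rule 2
        if len(alive) == before:
            break
    return alive, iterations


def has_accepting_cycle_owcty(succ, s, acc):
    alive, _ = eliminate_bad_states(succ, s, acc)
    return bool(alive)


# Constructed sample graphs.
G_CYCLE = {0: [5], 5: [1], 1: [2], 2: [1]}      # accepting cycle 1 -> 2 -> 1
G_ACYCLIC = {0: [1], 1: [2], 2: [3], 3: []}

if __name__ == "__main__":
    print(eliminate_bad_states(G_CYCLE, 0, {5, 2}))    # ({1, 2}, 2)
    print(eliminate_bad_states(G_ACYCLIC, 0, {1, 3}))  # (set(), 1)
```

The remainder for G_CYCLE is exactly the accepting SCC {1, 2}; the accepting vertex 5 survives rule 1 of the first round (it is its own seed) but is removed by rule 2 because nothing in the set leads into it.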
Algorithm 3. Maximal Number of Accepting Predecessors [18]
Consider the maximal number of accepting vertexes on a path from the source to a vertex, where the maximum is taken over all paths. For vertexes on an accepting cycle the maximum does not exist because extending a path along the cycle adds at least one accepting vertex.
For computing the maximal number of accepting predecessors the algorithm maintains for every vertex v its "distance" label d(v) giving the maximal number of accepting predecessors, parent vertex p(v), and status If all vertexes are either scanned or unreached then d gives the maximal number of accepting predecessors. Moreover, the parent graph G_p is the graph of these "maximal" paths. More precisely, the parent graph is a subgraph
Different strategies for selecting a labelled vertex to be scanned lead to different algorithms. When using the FIFO strategy to select vertexes, the algorithm runs in O(m · n) time in the worst case. For graphs with reachable accepting cycles there is no "maximal" path to the vertexes on an accepting cycle and the scanning method must be modified to recognise such cycles. The algorithm employs the walk to root strategy which traverses the parent graph. The walk to root strategy is based on the fact (see e.g. [26]) that any cycle in the parent graph G_p corresponds to an accepting cycle in the automaton graph.
The walk to root method tests whether G_p is acyclic. Suppose the parent graph G_p is acyclic and an edge (u, v) is relaxed, i.e. d(v) is decreased. This operation creates a cycle in G_p if and only if v is an ancestor of u in the current G_p. Before applying the operation, we follow the parent pointers from u until we reach either v or s. If we stop at v a cycle is detected. Otherwise, the relaxation does not create a cycle. However, since the path to the initial vertex can be long, the cost of edge relaxation becomes O(n) instead of O(1). In order to optimise the overall computational complexity, amortisation is used to pay the cost of checking G_p for cycles. More precisely, the parent graph G_p is tested only after the underlying algorithm performs Ω(n) relaxations. The running time is thus increased only by a constant factor. The worst case time complexity of the algorithm is thus O(n · m).
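An added worked example of Algorithm 3 (my own code, not the cited implementation): a FIFO scanning method that follows the page's convention of treating accepting vertexes as negative weights, so d(v) is the negated maximal number of accepting predecessors and a relaxation decreases d(v). For brevity the walk to root is performed on every relaxation rather than amortised over Ω(n) relaxations as the text describes; the outcome is the same, only the constant factor differs. Graph representation and sample graphs are constructed for the example.

```python
from collections import deque


def walk_to_root(parent, u, v):
    """Follow parent pointers from u towards the initial vertex.  True iff v is
    reached, i.e. setting p(v) = u would close a cycle in the parent graph G_p."""
    x = u
    while x is not None:
        if x == v:
            return True
        x = parent[x]
    return False


def max_accepting_predecessors(succ, s, acc):
    """Scanning method with FIFO selection.

    Edge (u, v) costs -1 if u is accepting and 0 otherwise, so d(v) is minus the
    maximal number of accepting predecessors of v.  Returns (d, parent) when
    G_p stays acyclic, or None as soon as a relaxation would create a cycle in
    G_p, which is exactly when the graph contains a reachable accepting cycle
    (the parent path from v to u plus the edge (u, v) has negative total
    weight, hence passes through an accepting vertex).
    """
    d = {s: 0}
    parent = {s: None}
    queue = deque([s])
    queued = {s}
    while queue:
        u = queue.popleft()
        queued.discard(u)
        w = -1 if u in acc else 0
        for v in succ.get(u, ()):
            if v not in d or d[v] > d[u] + w:         # (u, v) can be relaxed
                if walk_to_root(parent, u, v):
                    return None                       # cycle in G_p
                d[v] = d[u] + w
                parent[v] = u
                if v not in queued:
                    queue.append(v)
                    queued.add(v)
    return d, parent


def has_accepting_cycle_walk_to_root(succ, s, acc):
    return max_accepting_predecessors(succ, s, acc) is None


# Constructed sample graphs.
G_CYCLE = {0: [5], 5: [1], 1: [2], 2: [1]}      # accepting cycle 1 -> 2 -> 1
G_ACYCLIC = {0: [1], 1: [2], 2: [3], 3: []}
G_SELFLOOP = {0: [1], 1: [1]}

if __name__ == "__main__":
    print(max_accepting_predecessors(G_ACYCLIC, 0, {1, 3}))  # d = {0:0, 1:0, 2:-1, 3:-1}
    print(has_accepting_cycle_walk_to_root(G_CYCLE, 0, {5, 2}))  # True
```

On G_CYCLE the relaxation of (2, 1) is the one that closes the cycle: d(1) = -1 via 5, and the accepting vertex 2 offers -2, but walking the parent pointers from 2 reaches 1.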
Algorithm 4. Back-Level Edges [2]
The algorithm builds on breadth-first search (BFS) exploration of the graph. BFS is typically used in graph algorithms that work with distances and distances can also be used to characterise cycles in a graph.
The distance of a vertex u ∈ V, d(u), is the length of a shortest path from the initial vertex to the vertex u. The set of vertexes with the same distance is called
The key observation connecting the cycle detection problem with the back-level edge concept is that every cycle contains at least one back-level edge. Back-level edges are therefore used as triggers which start a cycle detection. However, it is too expensive to test every back-level edge for being a part of a cycle. The algorithm therefore integrates several optimisations and heuristics to decrease the number of tested edges and speed up the cycle test.
The BFS procedure which detects back-level edges runs in time O(m + n). Each back-level edge has to be checked for lying on a cycle, which requires linear time O(m + n) as well. In the worst case there can be O(m) back-level edges, hence the overall time complexity of the algorithm is O(m · (m + n)).
The algorithm performs well on graphs with a small number of back-level edges. In such cases the performance of the algorithm approaches the performance of reachability analysis, although the algorithm performs full LTL model checking. On the other hand, a drawback shows up when a graph contains many back-level edges. In such a case, frequent revisiting of vertexes in the second phase of the algorithm causes the time of the computation to be high.
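An added worked example of Algorithm 4 (not code from the cited paper or from DiVinE). It assumes the usual definition of a back-level edge, an edge (u, v) with d(v) ≤ d(u), which the truncated text above does not spell out; every cycle must contain one because levels cannot increase forever along a cycle. The second phase tests each back-level edge by searching from v for a path back to u, tracking whether an accepting vertex has been seen, so that only accepting cycles are reported. Graph representation and sample graphs are constructed for the example.

```python
from collections import deque


def bfs_levels(succ, s):
    """Level d(v) (BFS distance from s) for every reachable vertex."""
    level = {s: 0}
    queue = deque([s])
    while queue:
        u = queue.popleft()
        for v in succ.get(u, ()):
            if v not in level:
                level[v] = level[u] + 1
                queue.append(v)
    return level


def back_level_edges(succ, level):
    """Edges that do not lead to a strictly higher level (assumed definition)."""
    return [(u, v) for u in level for v in succ.get(u, ()) if level[v] <= level[u]]


def closes_accepting_cycle(succ, u, v, acc):
    """Second phase for one back-level edge (u, v): is there a path v ... u such
    that the cycle it closes with (u, v) contains an accepting vertex?  The
    search runs over pairs (vertex, accepting vertex seen so far)."""
    start = (v, u in acc or v in acc)
    seen = {start}
    queue = deque([start])
    while queue:
        x, flag = queue.popleft()
        if x == u and flag:
            return True
        for y in succ.get(x, ()):
            state = (y, flag or y in acc)
            if state not in seen:
                seen.add(state)
                queue.append(state)
    return False


def has_accepting_cycle_back_level(succ, s, acc):
    """Returns (answer, number of back-level edges that had to be tested)."""
    level = bfs_levels(succ, s)
    edges = back_level_edges(succ, level)
    found = any(closes_accepting_cycle(succ, u, v, acc) for u, v in edges)
    return found, len(edges)


# Constructed sample graphs.
G_CYCLE = {0: [5], 5: [1], 1: [2], 2: [1]}         # accepting cycle 1 -> 2 -> 1
G_ACYCLIC = {0: [1], 1: [2], 2: [3], 3: []}        # no back-level edge at all
G_NONACC = {0: [1], 1: [2], 2: [1, 3], 3: []}      # cycle 1 -> 2 -> 1 is not accepting

if __name__ == "__main__":
    print(has_accepting_cycle_back_level(G_CYCLE, 0, {5, 2}))   # (True, 1)
    print(has_accepting_cycle_back_level(G_NONACC, 0, {3}))     # (False, 1)
```

G_NONACC shows why the accepting flag is needed: the back-level edge (2, 1) does lie on a cycle, but the only accepting vertex 3 is off the cycle, so the test correctly rejects it.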
The level-synchronised BFS approach also allows involving the BFS-based Partial Order Reduction (POR) technique in the computation. The POR technique prevents some vertexes of the graph from being generated while preserving the result of the verification. Therefore, it allows analysis of even larger systems. The standard DFS-based POR technique strongly relies on the DFS stack and as such it is inapplicable to a cluster-based environment.
Algorithm 5. Dependency Graph [3], [5]
Local cycles in a distributed graph can be detected using standard sequential techniques; therefore, the real problem in cluster-based detection of accepting cycles is the detection of cycles that are split among workstations. The idea of the last algorithm is to construct a smaller graph by omitting those parts of the original graph that are irrelevant for the detection of split cycles.
By a split cycle we mean a cycle that contains at least one cross-edge. An edge (u, v) is a cross-edge if vertexes u and v are owned by two different workstations. Vertex v is called a transfer vertex if there is a cross-edge (u, v). The cluster-based algorithm stores the dependency graph explicitly in a distributed manner. In particular, vertexes of the dependency graph are distributed among the workstations by the same partition function as used for the original graph. To maintain consistency of the dependency graph in a distributed environment, the graph is implemented using a particular data structure called dependency structure.
The algorithm employing the dependency structure performs its task in two global steps. In the first step it explores the given graph in order to construct the dependency structure and detect local accepting cycles. If no local accepting cycle is detected, the algorithm continues with the second step. Vertexes that have no successors in the dependency structure are recursively removed from it as they cannot lie on a split cycle. If all vertexes are removed from the structure, there is no split cycle in the original graph. Otherwise, the presence of a split cycle is detected.
The algorithm was historically the first cluster-based algorithm for detection of accepting cycles, hence for the full LTL model checking. The original idea of the algorithm builds on backward elimination of vertexes with no successors from the dependency structure. However, any cluster-based algorithm presented in this survey can be combined with the dependency structure in order to detect split accepting cycles.
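An added worked example of Algorithm 5 in its original form (my own code, not the cited implementation): the partition function is assumed to be "vertex modulo number of workstations", the dependency graph has the transfer vertexes as nodes and an edge t → t' whenever a vertex reachable from t through local edges only has a cross-edge to t', and the second step removes successor-less dependency vertexes recursively. As the text says, a nonempty remainder witnesses a split cycle, not necessarily an accepting one. Graphs and vertex numbering are constructed for the example.

```python
from collections import deque


def owner(v, workers):
    """Partition function (assumed): vertex v lives on workstation v mod workers."""
    return v % workers


def reachable(succ, s):
    seen = {s}
    queue = deque([s])
    while queue:
        u = queue.popleft()
        for v in succ.get(u, ()):
            if v not in seen:
                seen.add(v)
                queue.append(v)
    return seen


def local_accepting_cycle(succ, part, acc):
    """Step 1 on one workstation: accepting cycle using local edges only?
    Naive check: BFS from every local accepting vertex, staying inside part."""
    for a in acc & part:
        seen = set()
        queue = deque([a])
        while queue:
            u = queue.popleft()
            for v in succ.get(u, ()):
                if v == a:
                    return True
                if v in part and v not in seen:
                    seen.add(v)
                    queue.append(v)
    return False


def dependency_graph(succ, reach, workers):
    """Transfer vertexes (targets of cross-edges) and their dependency edges."""
    transfer = {v for u in reach for v in succ.get(u, ())
                if owner(u, workers) != owner(v, workers)}
    dep = {}
    for t in transfer:
        w = owner(t, workers)
        dep[t] = set()
        seen = {t}
        queue = deque([t])
        while queue:
            x = queue.popleft()
            for y in succ.get(x, ()):
                if owner(y, workers) != w:
                    dep[t].add(y)            # cross-edge leaving workstation w
                elif y not in seen:
                    seen.add(y)
                    queue.append(y)
    return dep


def split_cycle_remainder(dep):
    """Step 2: recursively remove dependency vertexes without successors.
    The remainder is nonempty iff the original graph has a split cycle."""
    outdeg = {t: len(ss) for t, ss in dep.items()}
    preds = {t: set() for t in dep}
    for t, ss in dep.items():
        for u in ss:
            preds[u].add(t)
    alive = set(dep)
    queue = deque(t for t, k in outdeg.items() if k == 0)
    while queue:
        t = queue.popleft()
        alive.discard(t)
        for u in preds[t]:
            if u in alive:
                outdeg[u] -= 1
                if outdeg[u] == 0:
                    queue.append(u)
    return alive


def detect_cycles_dependency(succ, s, acc, workers):
    """Returns 'local accepting cycle', 'split cycle', or None."""
    reach = reachable(succ, s)
    acc = set(acc) & reach
    for w in range(workers):
        part = {v for v in reach if owner(v, workers) == w}
        if local_accepting_cycle(succ, part, acc):
            return 'local accepting cycle'
    return 'split cycle' if split_cycle_remainder(dependency_graph(succ, reach, workers)) else None


# Constructed sample graphs, two workstations (even vertexes on 0, odd on 1).
G_SPLIT = {0: [5], 5: [1], 1: [2], 2: [1]}     # cycle 1 <-> 2 crosses workstations
G_ACYCLIC = {0: [1], 1: [2], 2: [3], 3: []}
G_LOCAL = {0: [2], 2: [4], 4: [2]}             # cycle 2 <-> 4 stays on workstation 0

if __name__ == "__main__":
    print(detect_cycles_dependency(G_SPLIT, 0, {2}, 2))    # split cycle
    print(detect_cycles_dependency(G_LOCAL, 0, {4}, 2))    # local accepting cycle
```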
A Tool for Cluster-Based Verification
A few sequential tools have been developed to support engineers in their verification needs. However, when verification engineers find themselves in the situation of needing resources beyond the capabilities of a single computer, the situation is rather poor. Most of the parallel model-checking algorithms have been implemented as research prototypes which often are not publicly available, usually undocumented, without user interface, unstable (in the sense of "prone to change"), and not optimised. These tools are mainly research vehicles, and as such not ready for widespread use by third parties. Additionally, deployment of tools running on parallel computers is more demanding than for sequential tools. We cite high entrance costs for hardware acquisition, complex software installation procedures, but also consequential costs for maintenance. As a consequence, hardly any benchmark results of parallel and/or distributed model checking algorithms can be compared fairly, since the hardware employed for benchmarks varies from a few workstations also being used for regular tasks, to medium-sized dedicated clusters.
DiVinE (Distributed Verification Environment) is a framework for enumerative model checking of LTL properties on a cluster of workstations that aims to create a distributed state space exploration and analysis tool directed at a significant part of the user base of verification tools, as well as providing hardware to run on. DiVinE consists of a library of common functions (DiVinE Library) on top of which various distributed verification algorithms can be implemented, of a collection of state-of-the-art distributed verification algorithms incorporated into a single software product (DiVinE Tool) which is as easy to install as most sequential tools, and a ready-to-use cluster for users of sequential tools in case they need to run experiments using DiVinE Tool without having access to their own cluster.
DiVinE Tool is thus a parallel, distributed-memory enumerative model-checking tool for verification of concurrent systems. The tool employs the aggregate power of network-interconnected workstations to verify systems whose verification is beyond the capabilities of sequential tools.
The DiVinE modelling language is rich enough to describe systems made of synchronous and asynchronous processes communicating via shared memory and buffered or unbuffered channels. System properties can be specified either directly in Linear Temporal Logic (LTL) or alternatively as processes describing undesired behaviour of the systems under consideration (negative claim automata). Thanks to the DivSPIN project [4], DiVinE Tool is also capable of verifying models written in ProMeLa.
From the algorithmic point of view, the tool is quite unique as it incorporates several LTL model-checking algorithms; in fact all the above mentioned algorithms are available. Besides these, DiVinE Tool also includes an algorithm for distributed state space generation and an algorithm that performs sequential Nested DFS in a distributed-memory setting.
DiVinE Tool can be deployed either as a complete software package to be installed on a separate Linux cluster or as a small Java application to access pre-installed clusters. In the first case, basic Linux administrator skills are required to install the tool, but the user is in full control of the environment settings under which distributed algorithms are to be executed and can control the tool from a command line. In the second case, the tool can be used employing DiVinE pre-installed clusters and accessed remotely via a graphical user interface. The graphical user interface (GUI) requires a properly installed Java Runtime Environment.
An important part of the DiVinE project is the maintenance of a public server together with a limited number of DiVinE dedicated clusters. For security reasons, registered users are allowed to connect only to the DiVinE public server. New users can be registered by following the instructions given on the DiVinE project web pages.
Infinite-State Systems
Current software systems often exhibit an evolving structure and/or operate on unbounded data types. Hence automatic verification of such systems usually requires modelling them as infinite-state ones. Various modelling formalisms suited to different kinds of applications have been developed with their respective advantages and limitations. Petri nets, pushdown automata, and process algebras like BPA, BPP, or PA all serve to exemplify this. Here we employ the classes of infinite-state systems defined by term rewrite systems and called Process Rewrite Systems (PRS, [55]). PRS subsume a variety of the formalisms studied in the context of formal verification (e.g. all the models mentioned above).
A PRS is a finite set of rules t --a--> t' where a is an action under which a subterm t can be reduced to a subterm t'. Terms are built up from an empty process ε and a set of process constants using (associative) sequential '.' and (associative and commutative) parallel '‖' operators. The semantics of PRS can be defined by labelled transition systems (LTS), i.e. labelled directed graphs whose nodes (states of the system) correspond to terms modulo the properties of '.' and '‖' and whose edges correspond to individual actions (computational steps) which can be performed in a given state. Mayr [55] has also shown that the reachability problem (i.e. given terms t, t': is t reducible to t'?) for PRS is decidable. The relevance of various subclasses of PRS for modelling and analysing programs is shown e.g. in [32]; for automatic verification see e.g. the surveys [22], [63].
PRS and Its Extensions
Most research (with some recent exceptions, e.g. [15], [32], [14]) has been devoted to the PRS classes from the lower part of the PRS hierarchy, especially to pushdown automata (PDA), Petri nets (PN) and their respective subclasses. We mention the successes of PDA in modelling recursive programs (without process creation) and PN in modelling dynamic creation and synchronisation of concurrent processes (without recursive calls). These two formalisms subsume a notion of a finite state unit (FSU) keeping some kind of global information which is accessible to the redices (the ready to be reduced components) of a PRS term, hence an FSU can regulate rewriting. On the other hand, using an FSU to extend the PRS rewriting mechanism is very powerful since the state-extended version of PA processes (sePA) has full Turing power [11]; the decidability of reachability is lost for sePA, including all its superclasses (see Figure 1).
Here, we present a unified view on PRS classes and their respective extensions of three types: fcPRS classes ([65], inspired by concurrent constraint programming [62]), wPRS classes ([48], PRS systems equipped with a weak FSU inspired by weak automata [57]), and state-extended PRS classes [46].
Let Const = {X, . . .} be a set of process constants. The set of process terms (ranged over by t, . . .) is defined by the abstract syntax t ::= ε | X | t.t | t‖t, where ε is the empty term, X ∈ Const is a process constant; and '.' and '‖' mean sequential and parallel compositions respectively. We always work with equivalence classes of terms modulo commutativity and associativity of '‖', associativity of '.', and neutrality of ε, i.e. ε.t = t.ε = t‖ε = t. We distinguish four classes of process terms as:
1 - terms consisting of a single process constant only, in particular ε ∈ 1,
S - sequential terms - terms without parallel composition, e.g. X.Y.Z,
P - parallel terms - terms without sequential composition, e.g. X‖Y‖Z,
G - general terms - terms without any restrictions, e.g.
Let M be a set of control states and Act be a set of actions. Let α, β ∈ {1, S, P, G}, α ⊆ β, be classes of process terms. An (α, β)-sePRS (state extended process rewrite system) Δ is a tuple (R, p_0, t_0), where
- R is a finite set of rewrite rules of the form (p, t_1) --a--> (q, t_2), where t_1 ∈ α, t_1 ≠ ε, t_2 ∈ β, p, q ∈ M, and a ∈ Act,
- the pair (p_0, t_0) ∈ M × β forms the distinguished initial state of the system.
The sets of control states and process constants occurring in rewrite rules or in the initial state of Δ are denoted by M(Δ) and Const(Δ) respectively. An (α, β)-sePRS Δ = (R, p_0, t_0) represents a labelled transition system the states of which are pairs (p, t) such that p ∈ M(Δ) is a control state and t ∈ β is a process term over Const(Δ). The transition relation −→ is the least relation satisfying the following inference rules:
To shorten our notation we write pt in lieu of (p, t). The transition relation can be extended to finite words over Act in a standard way. A state qt_2
Some classes of (α, β)-PRS correspond to widely known models as finite-state systems (FS, (1, 1)-PRS), basic process algebras (BPA, (1, S)-PRS), basic parallel processes (BPP, (1, P)-PRS), process algebras (PA, (1, G)-PRS), pushdown processes (PDA, (S, S)-PRS, see [23] for justification), and Petri nets (PN, (P, P)-PRS). The classes (S, G)-PRS, (P, G)-PRS and (G, G)-PRS were introduced and named as PAD, PAN, and PRS by Mayr [55]. Instead of (α, β)-sePRS or (α, β)-wPRS we juxtapose the prefixes 'se-' or 'w-' respectively with the acronym corresponding to the (α, β)-PRS class. For example, we use wBPP rather than (1, P)-wPRS. Figure 1 describes the hierarchy of PRS classes and their extended counterparts with respect to bisimulation equivalence. If any process in class X can also be defined (up to bisimilarity) in class Y we write X ⊆ Y. If additionally Y ⊈ X holds, we write X ⊊ Y and say X is less expressive than Y. This is depicted by the line(s) connecting X and Y with Y placed higher than X in Figure 1. The dotted lines represent the facts X ⊆ Y where we conjecture that X ⊊ Y holds.
Expressiveness and Reachability
The strictness ('⊊') of the PRS-hierarchy has been proved by Mayr [55], that of the corresponding classes of PRS and fcPRS has been proved in [65], and the relations among MSA and the classes of fcPRS and wPRS have been studied in [48]. Note that the strictness relations wX ⊊ seX hold for all X = PA, PAD, PAN, PRS due to our reachability result for wPRS and due to the full Turing power of sePA [11].
These proofs together with Moller's result establishing MSA ⊊ PN [56] complete the justification of Figure 1, with one exception, namely the relation between the PN and sePA classes. Looking at the two lines leaving sePA down to the left and down to the right, we note the "left-part collapse" of (S, S)-PRS and PDA proved by Caucal [23] (up to isomorphism). The right-part counterpart is slightly different due to the just mentioned result that MSA ⊊ PN and our result that PN ⊊ sePA ([47]).
Let us recall that the reachability problem for PRS is decidable [55] . We note that this problem remains decidable for weakly extended PRS as well:
Theorem 1 ([47]). The reachability problem for wPRS is decidable.
This result deserves some additional remarks. First, it determines the decidability borderline of the reachability problem in the mentioned hierarchy; the problem is decidable for all classes except those with Turing power. In other words, it can be seen as a contribution to studies of algorithmic boundaries of reachability for infinite-state systems.
Second, in the context of verification, one often formulates a property expressing that nothing bad occurs. These properties are called safety properties. The collection of the most often verified properties [29] contains 41% of such properties. Model checking of safety properties can be reduced to the reachability problem. Moreover, many successful verification tools concentrate on reachability only. Therefore, our decidability result can be seen as a contribution to an automatic verification of infinite-state systems as well.
Further, given a labelled transition system $(S, Act, \longrightarrow, \alpha_0)$ with a distinguished action $\tau \in Act$, we define a weak trace set of a state $s \in S$ as
where $s \stackrel{w}{\Longrightarrow} t$ means that there is some $w' \in Act^*$ such that $s \stackrel{w'}{\longrightarrow} t$ and $w$ is equal to $w'$ without $\tau$ actions. Two systems are weak trace equivalent if the weak trace sets of their initial states are the same. So far it has been known that weak trace non-equivalence is semi-decidable for Petri nets (see e.g. [44]), pushdown processes (due to [21]), and PA processes (due to [52]). Using the decidability result, it is easy to show that the weak trace set is recursive for every state of any wPRS. Hence, the weak trace non-equivalence is semi-decidable for (all subclasses of) wPRS.
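The weak step relation and weak trace sets above, instantiated on finite-state labelled transition systems as an added example that is not part of the paper: the τ-closure gives the "tau* a tau*" steps, and a subset construction over both systems decides weak trace inclusion (and hence equivalence, which is decidable for finite systems in contrast to the semi-decidability results for the infinite-state classes). The systems A, B and C are constructed here for illustration.

```python
from collections import deque

TAU = "tau"  # the distinguished internal action

def closure(lts, states):
    """tau-closure: all states reachable from `states` by zero or more tau steps."""
    seen, todo = set(states), list(states)
    while todo:
        s = todo.pop()
        for act, t in lts.get(s, []):
            if act == TAU and t not in seen:
                seen.add(t)
                todo.append(t)
    return frozenset(seen)

def weak_step(lts, states, a):
    """All t with s ==a==> t for some s in `states`, i.e. a run tau* a tau*."""
    after_a = {t for s in closure(lts, states) for act, t in lts.get(s, []) if act == a}
    return closure(lts, after_a)

def weak_trace_witness(lts1, s1, lts2, s2):
    """Shortest visible word in the weak trace set of s1 but not of s2, or None if
    every weak trace of s1 is also one of s2 (subset construction on both systems)."""
    acts = {act for lts in (lts1, lts2) for trs in lts.values() for act, _ in trs} - {TAU}
    start = (closure(lts1, {s1}), closure(lts2, {s2}))
    queue, seen = deque([(start, ())]), {start}
    while queue:
        (p, q), word = queue.popleft()
        for a in sorted(acts):
            p2, q2 = weak_step(lts1, p, a), weak_step(lts2, q, a)
            if not p2:
                continue              # word.a is not a weak trace of s1: nothing to compare
            if not q2:
                return word + (a,)    # s1 performs word.a weakly, s2 cannot
            if (p2, q2) not in seen:
                seen.add((p2, q2))
                queue.append(((p2, q2), word + (a,)))
    return None

def weak_trace_equivalent(lts1, s1, lts2, s2):
    return (weak_trace_witness(lts1, s1, lts2, s2) is None
            and weak_trace_witness(lts2, s2, lts1, s1) is None)

# Constructed sample systems: state -> list of (action, target)
A = {"p0": [(TAU, "p1")], "p1": [("a", "p2")], "p2": [("b", "p3")]}
B = {"q0": [("a", "q1")], "q1": [(TAU, "q2")], "q2": [("b", "q3")]}
C = {"r0": [("a", "r1")]}
```

A and B differ only in where the invisible τ step occurs, so they are weak trace equivalent although their (strong) trace sets differ; against C the word ab is a witness of non-equivalence.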
Finally, our decidability result has been recently applied in the area of cryptographic protocols. Hüttel and Srba [42] define a replicative variant of a calculus for Dolev and Yao's ping-pong protocols [28] . They show that the reachability problem for these protocols is decidable as it can be reduced to the reachability problem for wPRS.
Branching-Time Logics and Studied Problems
A reachability property problem, for a given system Δ and a given formula ϕ, is to decide whether EFϕ holds in the initial state of Δ. Hence, these problems are parametrised by the class to which the system Δ belongs, and by the type of the formula ϕ. In most practical situations, ϕ specifies error states and the reachability property problem is a formalisation of the natural verification question whether some error state is reachable in a given system.
In this section we work with fragments of unified system of branching-time logic (UB) [8] . Formulae of UB have the following syntax:
where a ∈ Act is an action. Here, formulae are interpreted over states of sePRS systems. Validity of a formula ϕ in a state pt of a given sePRS system Δ, written (Δ, pt) |= ϕ, is defined by induction on the structure of ϕ: tt is valid for all states; boolean operators have standard meaning; (Δ, pt) |= a ϕ iff there is a state qt such that pt
In the following, we deal with six problems parametrised by a subclass of sePRS systems. Let Δ be a given system of the subclass considered. The problem to decide whether
- Δ |= ϕ, where ϕ is a given EF formula, is called decidability of EF logic;
- Δ |= EFϕ, where ϕ is a given HM formula, is called reachability HM property;
- Δ |= EFϕ, where ϕ is a given simple formula, is called reachability simple property;
- Δ |= ϕ, where ϕ is a given EG formula, is called decidability of EG logic;
- Δ |= EGϕ, where ϕ is a given HM formula, is called evitability HM property;
- Δ |= EGϕ, where ϕ is a given simple formula, is called evitability simple property.
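The reachability HM property problem on a finite-state system, as an added example that is not from the paper: an HM formula (tt, boolean operators and the diamond ⟨a⟩) is evaluated locally in a state, and EFϕ reduces to a reachability search for a state satisfying ϕ, which also yields the error trace a model checker would report. The system DELTA and its action names are constructed here.

```python
from collections import deque

# Constructed sample system Delta: state -> list of (action, target). The state "err"
# is a deadlocked error state reachable only via the internal action "tau".
DELTA = {
    "s0": [("req", "s1"), ("tau", "err")],
    "s1": [("ack", "s0")],
    "err": [],
}
ACTS = ("req", "ack", "tau")

def holds(lts, s, phi):
    """(Delta, s) |= phi for formulas built from tt, not, and, <a> and EF."""
    kind = phi[0]
    if kind == "tt":
        return True
    if kind == "not":
        return not holds(lts, s, phi[1])
    if kind == "and":
        return holds(lts, s, phi[1]) and holds(lts, s, phi[2])
    if kind == "dia":      # <a>phi: some a-successor satisfies phi
        return any(holds(lts, t, phi[2]) for act, t in lts.get(s, []) if act == phi[1])
    if kind == "EF":       # EF phi: some state reachable from s satisfies phi
        return reachable_satisfying(lts, s, phi[1]) is not None
    raise ValueError(phi)

def reachable_satisfying(lts, s, phi):
    """Breadth-first search from s for a state satisfying phi; returns the witnessing
    path as a list of states (the error trace), or None if no such state is reachable."""
    queue, parent = deque([s]), {s: None}
    while queue:
        u = queue.popleft()
        if holds(lts, u, phi):
            path = []
            while u is not None:
                path.append(u)
                u = parent[u]
            return path[::-1]
        for _, t in lts.get(u, []):
            if t not in parent:
                parent[t] = u
                queue.append(t)
    return None

TT = ("tt",)
def dia(a, f): return ("dia", a, f)
def conj(fs): return fs[0] if len(fs) == 1 else ("and", fs[0], conj(fs[1:]))
# HM formula "no action is enabled", i.e. the state is a deadlock
DEADLOCK = conj([("not", dia(a, TT)) for a in ACTS])
```

For DELTA, EF DEADLOCK holds in s0 with the witness s0 → err, while EF(⟨ack⟩tt ∧ ⟨req⟩tt) fails because no single state enables both actions.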
We recall that the (full) EF logic is decidable for PAD [54] . It is undecidable for PN [31] . If we consider the reachability HM property problem, then this problem has been shown to be decidable for the classes of PN [45] and PAD [46] . In [49] we have lifted the decidability border for this problem to the wPRS class:
Theorem 2 ([49]). The reachability HM property problem is decidable for wPRS.
A combination of Theorem 2 and Theorem 22 of [46] yields the following corollary.
Theorem 3 ([49]). Strong bisimilarity is decidable between wPRS systems and finite-state ones.
As PRS and its subclasses are proper subclasses of wPRS, it follows that we positively answer the question of the reachability HM property problem for the PRS class and hence the questions of bisimilarity checking between PAN and PRS processes and finite-state ones, which have been open problems, see for example [63]. Their relevance to program specification and verification is advocated, for example, in [46], [50].
Further, we mention two extensions of known undecidability results. First, we recall that (full) EF logic is undecidable for PN. An inspection of the proof given in [31] shows that this undecidability result is valid even for seBPP class (also known as multiset automata, MSA). Second, Esparza and Kiehn have proved that EG logic is undecidable for (deterministic) BPP [33] . In [49] we have described a modification of their proof showing that for (deterministic) BPP even the evitability simple property problem is undecidable.
The following table describes the current state of (un)decidability results regarding the six problems defined at the beginning of this section for the classes of PRS hierarchy and their extended counterparts. The results established in this section are typeset in bold. 
Linear-Time Logics and Studied Problems
Here we focus exclusively on (future) Linear Temporal Logic (LTL). The syntax of Linear Temporal Logic (LTL) [59] is defined as follows
where a ranges over Act, X is called next, and U is called until. The logic is interpreted over infinite as well as nonempty finite words of actions. Given a word u = u(0)u(1)u(2)… ∈ Act* ∪ Act^ω, |u| denotes the length of the word (we set |u| = ∞ if u is infinite). For all 0 ≤ i < |u|, by u^i we denote the i-th suffix of u,
The semantics of LTL formulae is defined inductively as follows: 
Moreover, we define the following modalities: Fϕ (eventually) standing for tt U ϕ, Gϕ (always) standing for ¬F¬ϕ, F_s ϕ (strict eventually) standing for XFϕ,
Figure 2 shows an expressiveness hierarchy of all studied basic LTL fragments. Indeed, every basic LTL fragment using standard future modalities is equivalent to one of the fragments in the hierarchy, where equivalence between fragments means that every formula of one fragment can be effectively translated into a semantically equivalent formula of the other fragment and vice versa. For example, LTL(F_s, G_s) ≡ LTL(F_s). Further, the hierarchy is strict. For detailed information about expressiveness of future LTL modalities and LTL fragments we refer to [66].
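The LTL semantics over both nonempty finite words and infinite words, as an added example that is not part of the paper: formulas are nested tuples over tt, actions, ¬, ∧, X and U, with F, G, F_s = XF and G_s = ¬F_s¬ derived exactly as above. Infinite words are restricted here to ultimately periodic ones (prefix · loop^ω), an assumption of this example, so that an Until is decided by inspecting finitely many distinct suffixes; the sample words are constructed.

```python
# A word is (prefix, loop): loop == () encodes the nonempty finite word `prefix`,
# otherwise the ultimately periodic infinite word prefix . loop^omega (constructed encoding).
def length(u):
    prefix, loop = u
    return len(prefix) if not loop else float("inf")

def letter(u, i):
    """u(i), the i-th action of the word."""
    prefix, loop = u
    return prefix[i] if i < len(prefix) else loop[(i - len(prefix)) % len(loop)]

def until_bound(u, i):
    """Positions i..bound-1 contain every distinct suffix u^k with k >= i: all remaining
    positions of a finite word, or one full period beyond the prefix of an infinite one."""
    prefix, loop = u
    return len(prefix) if not loop else max(len(prefix) + len(loop), i + len(loop))

def holds(u, i, phi):
    """u^i |= phi, by induction on the structure of phi."""
    kind = phi[0]
    if kind == "tt":  return True
    if kind == "act": return letter(u, i) == phi[1]          # first action of u^i is a
    if kind == "not": return not holds(u, i, phi[1])
    if kind == "and": return holds(u, i, phi[1]) and holds(u, i, phi[2])
    if kind == "X":   return i + 1 < length(u) and holds(u, i + 1, phi[1])  # needs a successor
    if kind == "U":   # phi[1] U phi[2]: phi[2] at some k >= i, phi[1] at every position before k
        for k in range(i, until_bound(u, i)):
            if holds(u, k, phi[2]): return True
            if not holds(u, k, phi[1]): return False
        return False
    raise ValueError(phi)

TT = ("tt",)
def act(a): return ("act", a)
def F(f):  return ("U", TT, f)             # eventually:        tt U f
def G(f):  return ("not", F(("not", f)))   # always:            not F not f
def Fs(f): return ("X", F(f))              # strict eventually: XF f
def Gs(f): return ("not", Fs(("not", f)))  # strict always:     not Fs not f
def models(u, phi): return holds(u, 0, phi)

FINITE = (("a", "b", "b"), ())      # the finite word abb
INFINITE = (("a",), ("b", "c"))     # the infinite word a(bc)^omega
```

On abb, Fa holds but F_s a does not (a occurs only at the first position), and on a(bc)^ω the fairness-style formula GFc holds while FGb fails.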
It is known that LTL model checking of PDA is EXPTIME-complete [12] . LTL model checking of PN is also decidable, but at least as hard as the reachability problem for PN [31] (the reachability problem is EXPSPACE-hard [53] , [51] and no primitive recursive upper bound is known). If we consider only infinite runs, then the problem for PN is EXPSPACE-complete [38] , [54] .
Conversely, LTL model checking is undecidable for all classes subsuming PA [13], [54]. So far, there are only two positive results for these classes. Bouajjani and Habermehl [13] have identified a fragment called simple PLTL 2 for which model checking of infinite runs is decidable for PA (strictly speaking, simple PLTL 2 is not a fragment of LTL as it can express also some non-regular properties, while LTL cannot). Recently, the model checking problem (of infinite runs) has been shown decidable for PRS and the fragment of LTL capturing exactly fairness properties [16]. Note that this fragment and the simple PLTL 2 fragment are incomparable and both are strictly less expressive than LTL(F, G) (also known as Lamport logic), which is again strictly less expressive than LTL(F_s, G_s).
Theorem 4 ([17]). The model checking problem for wPRS and LTL(F
This problem is EXPSPACE-hard due to EXPSPACE-hardness of the model checking problem for LTL(F, G) for PN [38]. Our decidability proof does not provide any primitive recursive upper bound as it employs LTL model checking for PN, for which no primitive recursive upper bound is known. We also emphasise that this positive result for LTL(F_s, G_s) deals with both finite and infinite runs, and with wPRS rather than with PRS or PA only.
In [17] we have completely located a decidability boundary of the model checking problem for all subclasses of PRS (and wPRS) and all basic LTL fragments. The boundary is depicted in Figure 2 . Obviously, the model checking for wPRS and LTL(X) is decidable. Hence, to prove that the decidability boundary of Figure 2 is drawn correctly, it remains to show the following.
Theorem 5 ([17]). Model checking of PA against LTL(U) is undecidable. Model checking of PA against LTL(F^∞, X) is undecidable as well.
In the proof of the previous theorem, the PA systems constructed there have only infinite runs. This means that model checking of infinite runs remains undecidable for PA and both LTL(F^∞, X) and LTL(U).
Conclusions
Early detection of programming errors requires application of advanced program analysis and verification techniques. These techniques range from light-weight simulations over medium-weight static analysis or model checking to heavyweight theorem proving and axiomatic semantics.
In the paper we examined some techniques to handle extremely large finite-state and infinite-state systems. For huge finite systems, cluster-based parallel verification is a natural option. Parallel verification is not the ultimate solution to the state explosion problem by itself. However, in combination with other techniques, we can verify models that are orders of magnitude larger than the systems we would be able to handle with purely sequential techniques.
However, many systems have unbounded (i.e. potentially infinite) state spaces. Examples are systems with unbounded data types (e.g. queues, channels, or stacks of activation records), parametric systems (i.e. n concurrently running copies), or systems with a dynamically evolving structure (e.g. dynamic creation of processes). Hence, when modelling some nontrivial reality, we often cannot avoid (at least potentially) infinite-state systems. Here, we have employed Process Rewrite Systems. Although it is clear that only a small class of real problems can have automated verification procedures, the algorithmic boundaries of this class have been intensively studied. We have presented some of the recent (un)decidability results on model checking of infinite-state systems specified by the Process Rewrite Systems mechanism (possibly extended with a weak finite-state control unit).
