key: cord-0049757-b1nelgam
authors: Neele, Thomas; Willemse, Tim A. C.; Wesselink, Wieger
title: Partial-Order Reduction for Parity Games with an Application on Parameterised Boolean Equation Systems
date: 2020-03-13
journal: Tools and Algorithms for the Construction and Analysis of Systems
DOI: 10.1007/978-3-030-45237-7_19
sha: 723c9a80c5c1947c2a2c5ae814527e85c4112da6
doc_id: 49757
cord_uid: b1nelgam

Partial-order reduction (POR) is a well-established technique to combat the problem of state-space explosion. We propose POR techniques that are sound for parity games, a well-established formalism for solving a variety of decision problems. As a consequence, we obtain the first POR method that is sound for model checking for the full modal [Formula: see text]-calculus. Our technique is applied to, and implemented for the fixed point logic called parameterised Boolean equation systems, which provides a high-level representation of parity games. Experiments indicate that substantial reductions can be achieved.

In the field of formal methods, model checking [2] is a popular technique to analyse the behaviour of concurrent processes. However, the arbitrary interleaving of these parallel processes can cause an exponential blowup, which is known as the state-space explosion problem. Several approaches have been identified to alleviate this issue, by reducing the state space on-the-fly, i.e., while generating it. Two established techniques are symmetry reduction [13] and partial-order reduction (POR) [8, 26, 30] . Whereas symmetry reduction can only be applied to systems that contain several copies of a component, POR also applies to heterogeneous systems. However, a major drawback of POR is that most variants at best preserve only a fragment of a given logic, such as LTL or CTL* without the next operator (LTL −X /CTL * −X ) [7] or the weak modal µ-calculus [28] . Furthermore, the variants of POR that preserve a branching time logic impose significant restrictions on the reduction by only allowing the prioritisation of exactly one action at a time. This decreases the amount of reduction achieved.

In this paper, we address these shortcomings by applying POR on parity games. A parity game is an infinite-duration, two-player game played on a directed graph with decorations on the nodes, in which the players even (denoted ) and odd (denoted ) strive to win the nodes of the graph. An application of parity games is encoding a model checking question: a combination of a model, in the form of a transition system, and a formal property, formulated in the modal µ-calculus [16] . In such games, every node v represents the combination of a state s from the transition system and a (sub)formula ϕ. Under a typical encoding, player wins in v if and only if ϕ holds in s.

In the context of model checking, parity games suffer from the same statespace explosion that models do. Exploring the state space of a parity game under POR can be a very effective way to address this. Our contributions are as follows:

-We propose conditions (Def. 4) that ensure that the reduction function used to reduce the parity game is correct, i.e., preserves the winning player of the parity game (Thm. 1). -We identify improvements for the reduction by investigating the typical structure of a parity game that encodes a model checking question. -We illustrate how to apply our POR technique in the context of solving parameterised Boolean equation systems (PBESs) [10] -a fixed point logic closely related to LFP-as a high-level representation of a parity game. -We extend the ideas of [17] with support for non-determinism and experiment with an implementation for solving PBESs. Our approach has two distinct benefits over traditional POR techniques that operate on transition systems. First, it is the first work that enables the use of partial-order reduction for model checking for the full modal µ-calculus. Second, the conditions that we propose are strictly weaker than those necessary to preserve the branching structure of a transition system used in other approaches to POR for branching time logics [7, 28] , increasing the effectiveness of POR.

The experiments with our implementation for solving PBESs are quite promising. Our results show that, in particular, those instances in which PBESs encode model checking problems involving large state spaces benefit from the use of partial-order reduction. In such cases, a significant size reduction is possible, even when checking complex µ-calculus formulae, and the time penalty of conducting the static analysis is more than made up for by the speed-up in the state space exploration phase.

Related Work There are several proposals for using partial-order reduction for branching-time logics. Groote and Sellink [9] define several forms of confluence reduction and prove which behavioural equivalences (and by extension, which fragments of logics) are preserved. In confluence reduction, one tries to identify internal transitions that can safely be prioritised, leading to a smaller state space. Ramakrishna and Smolka [28] propose a notion that coincides with strong confluence from [9] , preserving weak bisimilarity and the corresponding logic weak modal µ-calculus.

Similar ideas are presented by Gerth et al. in [7] . Their approach is based on the ample set method [26] and preserves a relation they call visible bisimulation and the associated logic CTL −X . To preserve the branching structure, they introduce a singleton proviso which, contrary to our theory, can greatly impair the amount of reduction that can be achieved (see our Example 3, page 313).

Valmari [33] describes the stubborn sets method for LTL −X model checking. In general, stubborn sets allow for larger reductions than ample sets. While investigating the use of stubborn sets for parity games, we identified a subtle issue in one of the stubborn set conditions (called D1 in [33] ). When applied to LTSs or KSs, this means that LTL −X is not necessarily preserved. Moreover, using the condition in the setting of parity games may result in games with different winners; for an example, see our technical report [24] . In [21], we further explore the consequences of the faulty condition for stubborn-set based POR techniques that can be found in the literature. We here resort to a strengthened version of condition D1 that does not suffer from these issues.

Similar to our approach, Peled [27] applies POR on the product of a transition system and a Büchi automaton, which represents an LTL −X property. It is important to note, though, that this original theory is not sound, as discussed in [29] . Kan et al. [14] improve on Peled's ideas and manage to preserve all of LTL. To achieve this, they analyse the Büchi automaton that corresponds to the LTL formula to identify which part is stutter insensitive. With this information, they can reduce the state space in the appropriate places and preserve the validity of the LTL formula under consideration.

The recent work by Bønneland et al. [3] is close to ours in spirit, applying stubborn-set based POR to reachability games. Such games can be used for synthesis and for model checking reachability properties. Although the conditions on reduction they propose seem unaffected by the aforementioned issue with D1, unfortunately, their POR theory is nevertheless unsound, as we next illustrate.

In reachability games, player 1 tries to reach one of the goal states, while player 2 tries to avoid them. Bønneland et al. propose a condition R that guarantees that all goal states in the full game are also reachable in the reduced game. However, the reverse is not guaranteed: paths that do not contain a goal state are not necessarily preserved, essentially endowing player 1 with more power. Consider the (solitaire) reachability game depicted on the right, in which all edges belong to player 2 and the only goal state is indicated with grey. Player 2 wins the non-reduced game by avoiding the goal state via the edges labelled with a and then b. However, {b} is a stubborn set-according to the conditions of [3] -in the initial state, and the dashed transitions are thus eliminated in the reduced game. Hence, player 2 is forced to move the token to the goal state and player 1 wins in the reduced game. In the mean time, the authors of [3] confirmed and resolved the issue in [4] .

Outline. We give a cursory overview of parity games in Section 2. In Section 3 we introduce partial-order reduction for parity games, and we introduce a further improvement in Section 3.3. Section 4 briefly introduces the PBES fixed point logic, and in Section 5, we describe how to effectively implement parity-game based POR for PBESs. We present the results of our experiments of using paritygame based POR for PBESs in Section 6. We conclude in Section 7.

Parity games are infinite-duration, two-player games played on a directed graph. The objective of the players, called even (denoted by ) and odd (denoted by ), is to win nodes in the graph.

A parity game is a directed graph G = (V, E, Ω, P), where -V is a finite set of nodes, called the state space; -E ⊆ V × V is a total edge relation;

-Ω : V → N is a function that assigns a priority to each node; and -P : V → { , } is a function that assigns a player to each node.

We write s − → t whenever (s, t) ∈ E. The set of successors of a node s is denoted with succ(s) = {t | s → t}. We use to denote an arbitrary player and to denote its opponent. A parity game is played as follows: initially, a token is placed on some node of the graph. The owner of the node can decide where to move the token; the token may be moved along one of the outgoing edges. This process continues ad infinitum, yielding an infinite path of nodes that the token moves through. Such a path is called a play. A play π is won by player if the minimal priority that occurs infinitely often along π is even. Otherwise, it is won by player .

To reason about moves that a player may want to take, we use the concept of strategies. A strategy σ : V + → V for player is a partial function that determines where moves the token next, after the token has passed through a finite sequence of nodes. More formally, for all sequences s 1 . . . s n such that P(s n ) = , it holds that σ (s 1 . . . s n ) ∈ succ(s n ). If s n belongs tō , σ (s 1 . . . s n ) is undefined. A play s 1 , s 2 , . . . is consistent with a strategy σ if and only if σ(s 1 . . . s i ) = s i+1 for all i such that σ(s 1 . . . s i ) is defined. A player wins in a node s if and only if there is a strategy σ such that all plays that start in s and that are consistent with σ are won by player .

Example 1. Consider the parity game on the right. Here, priorities are inscribed in the nodes and the nodes are shaped according to their owner ( or ). Let π be an arbitrary, possibly empty, sequence of nodes. In this game, the strategy σ , partially defined as σ (πs 1 ) = s 2 and σ (πs 2 ) = s 1 , is winning for in s 1 and s 2 . After all, the minimal priority that occurs infinitely often along (s 1 s 2 ) ω is 0, which is even. Player can win node s 3 with the strategy σ (πs 3 ) = s 4 . Note that player is always forced to move the token from node s 4 to s 3 . ⊓ ⊔

In model checking, arbitrary interleaving of concurrent processes can lead to a combinatorial explosion of the state space. By extension, parity games that encode model checking problems for concurrent processes suffer from the same phenomenon. Partial-order reduction (POR) techniques help combat the blowup. Several variants of POR exist, such as ample sets [26] , persistent sets [8] and stubborn sets [30, 31] . The current work is based on Valmari's stubborn set theory as it can easily deal with nondeterminism [32] .

Partial-order reduction relies on edge labels, here referred to as events and typically denoted with the letter j, to categorise the set of edges in a graph and determine independence of edges. In a typical application of POR, such events and edge labellings are deduced from a high-level syntactic description of the graph structure (see also Section 4). A reduction function subsequently uses these events when producing an equivalent reduced graph structure from the same high-level description. For now, we tacitly assume the existence of a set of events and edge labellings for parity games and refer to the resulting structures as labelled parity games.

A labelled parity game is a triple L = (G, S, ℓ), where G = (V, E, Ω, P) is a parity game, S is a non-empty set of events and ℓ : S → 2 E is an edge labelling.

For the remainder of this section, we fix an arbitrary labelled parity game L = (G, S, ℓ). We write s j − → t whenever s − → t and (s, t) ∈ ℓ(j). The same notation extends to longer executions s j1...jn − −−− → t. We say an event j is enabled in a node s, notation s j − →, if and only if there is a transition s j − → t for some t. The set of all enabled events in a node s is denoted with enabled G (s). An event j is invisible if and only if s j − → t implies P(s) = P(t) and Ω(s) = Ω(t). Otherwise, j is visible. A reduction function indicates which edges are to be explored in each node, based on the events associated to the edges. Given some initial nodeŝ, such a function induces a unique reduced labelled parity game as follows.

Definition 3. Given a nodeŝ ∈ V and a reduction function r : V → 2 S . The reduced labelled parity game induced by r and starting fromŝ is defined as L r = (G r , S, ℓ r ), where ℓ r (j) = ℓ(j) ∩ E r and G r = (V r , E r , Ω, P) is such that:

Note that a reduced labelled parity game is only well-defined when r(s) ∩ enabled G (s) = ∅ for every node s ∈ V r ; if this property does not hold, E r is not total. Even if totality of E r is guaranteed, the same node s may be won by different players in L and L r if no restrictions are imposed on r. The following conditions on r, as we will show, are sufficient to ensure both. Below, we say an event j is a key event in s iff for all executions s

Key events are typically denoted j key .

Definition 4. We say that a reduction function r : V → 2 S is a weak stubborn set iff for all nodes s ∈ V , the following conditions hold 1 :

D1 For all j ∈ r(s) and j 1 / ∈ r(s), .

If r(s) contains an enabled visible event, then it contains all visible events. I

If an invisible event is enabled, then r(s) contains an invisible key event. L For every visible event j, every cycle in the reduced game contains a node s ′ such that j ∈ r(s ′ ).

Below, we also use (weak) stubborn set to refer to the set of events r(s) in some node s. First, note that every key event, which we typically denote by j key , in a node s is enabled in s, by taking n = 0 in D2w; this guarantees totality of E r . Condition D1 ensures that whenever an enabled event is selected for the stubborn set, it does not disable executions not in r(s). A stubborn set can never be empty, due to D2w. In a traditional setting where POR is applied on a transition system, the combination of D1 and D2w is sufficient to preserve deadlocks. Condition V enforces that either all visible events are selected for the stubborn set, or none are. Condition L prevents the so called action-ignoring problem, where a certain event is never selected for the stubborn set and ignored indefinitely. Combined, I and L preserve plays with invisible events only. We use the example below to further illustrate the purpose of-and need forconditions V, I and L. In particular, the example illustrates that the winning player in the original game and the reduced game might be different if one of these conditions is not satisfied.

Example 2. See the three parity games of Figure 1 . From left to right, these games show a reduced game under a reduction function satisfying D1 and D2w but not V, I or L, respectively. In each case, we start exploration from the node calledŝ, using the reduction function to follow the solid edges; consequently, the winning strategy σ for player in the original game is lost.

⊓ ⊔ Note that the games in Figure 1 are from a subclass of parity games called weak solitaire, illustrating the need for the identified conditions even in restricted settings. A game is weak if the priorities along all its paths are non-decreasing, i.e., if s → t then Ω(s) ≤ Ω(t). A game is solitaire if only one player can make non-trivial choices. Weak solitaire games can encode the model checking of safety properties; solitaire games can capture logics such as LTL and ACTL * . Before we argue for the correctness of our POR approach in the next section, we finish with a small example that illustrates how our approach improves over existing methods for branching time logics.

Example 3. The conditions C1-C3 of Gerth et al. [7] preserve LTL −X and are similar in spirit to our conditions. However, to preserve the branching structure, needed for preservation of CTL −X , the following singleton proviso is introduced:

This extra condition can severely impact the amount of reduction achieved: consider the following two processes, where n ≥ 1 is some large natural number.

The cross product of these processes contains (n + 1) 2 states. In the initial state,

} is a valid stubborn set, due to C4. However, the labelled parity game constructed using these processes and the µ-calculus formula νX.([−]X ∧ µY.( − Y ∨ a n true)), has a very similar shape that can be reduced by prioritising transitions that correspond to b i or b ′ i for some 1 ≤ i ≤ n. Note that this formula cannot be represented in LTL; condition C4 is therefore essential for the correctness. While several optimisations for CTL −X model checking under POR are proposed in [19] , unlike our approach, those optimisations only work for certain classes of CTL −X formulas and not in general.

⊓ ⊔

Condition D2w suffices, as we already argued, to preserve totality of the transition relation of the reduced labelled parity game. Hence, we are left to argue that the reduced game preserves and reflects the winner of the nodes of the original game; this is formally claimed in Theorem 1. We do so by constructing a strategy in the reduced game that mimics the winning strategy in the original game. The plays that are consistent with these two strategies are then shown to be stutter equivalent, which suffices to preserve the winner. Fix a labelled parity game L = (G, S, ℓ), a nodeŝ, a weak stubborn set r and the reduced labelled parity game L r = (G r , S, ℓ r ) induced by r andŝ. We assume r andŝ are such that G r has a finite state space. Below, ω is the set containing all natural numbers and the smallest infinite ordinal number.

Definition 5. Let π = s 0 s 1 s 2 . . . and π ′ = t 0 t 1 t 2 . . . be two paths in G. We say π and π ′ are stutter equivalent, notation π π ′ , if and only if one of the following conditions holds:

π and π ′ are both finite and there exists a non-decreasing partial function f : ω → ω, with f (0) = 0 and f (|π|−1) = |π ′ |−1, such that for all 0 ≤ i < |π| and i ′ ∈ [f (i), f (i + 1)), it holds that P(s i ) = P(t i ′ ) and Ω(s i ) = Ω(t i ′ ).

π and π ′ are both infinite and there exists an unbounded, non-decreasing total function f : ω → ω, with f (0) = 0, such that for all i and i ′ ∈ [f (i), f (i + 1)), it holds that P(s i ) = P(t i ′ ) and Ω(s i ) = Ω(t i ′ ).

Lemma 1. All infinite stutter equivalent paths have the same winner.

In the lemmata below, we write → r to stress which transition must occur in G r .

. . , j n / ∈ r(s 0 ) and j ∈ r(s 0 ). Then for some s ′ 0 , . . . , s ′ n , both s 0

for every j i occurring on this execution. Then, the following holds:

- − → . . . for some key event j key and s 0 s 1 · · · s 0 s ′ 0 s ′ 1 . . . . We remark that Lemma 3 also holds for reduced labelled parity games that have an infinite state space, but where all the events are finitely branching. The proof of correctness, viz., Theorem 1, uses the alternative executions described by Lemma 2 and 3. For full details, we refer to [24] ; we here limit ourselves to sketching the intuition behind the application of these lemmata.

Example 4. The structure of Figure 2 , in which parallel edges have the same label, visualises part of a game in which the solid edges labelled j 1 j 2 j 3 are part of a winning play for player . This play is mimicked by path that follows the edges j key j 2 j 1 j ′ key j 3 , drawn with dashes. The new play reorders the events j 1 , j 2 and j 3 according to the construction of Lemma 2 and introduces the key events j key and j ′ key according to the construction of Lemma 3.

The following theorem shows that partial-order reduction preserves the winning player in all nodes of the reduced game. Its proof is inspired by [30] and [2, Lemma 8.21] , and uses the aforementioned lemmata. Theorem 1. If G r has a finite state space then it holds that for every node s in G r , the winner of s in G r is equal to the winner of s in G.

The theory we have introduced identifies and exploits rectangular structures in the parity game. This is especially apparent in condition D1. However, parity games obtained from model checking problems also often contain triangular structures, due to the (sometimes implicit) nesting of conjunctions and disjunctions, as the following example demonstrates. In order to deal with games that contain triangular structures, we propose a condition that is weaker than D2w.

D2t There is an event j ∈ r(s) such that for all j 1 / ∈ r(s), . . . , j n / ∈ r(s), if s − → . . . and s 0 s 1 · · · s 0 s ′ 0 s ′ 1 . . . . We remark that the concepts of triangular and rectangular structures bear similarities to the concept of weak confluence from [9] .

Parity games are used, among others, to solve parameterised Boolean equation systems (PBESs) [10] , which, in turn, are used to answer, e.g., first-order modal µ-calculus model checking problems [5] . In the remainder of this paper, we show how to apply POR in the context of solving a PBES (and, hence, the encoded decision problem). We first introduce PBESs and show how they induce labelled parity games.

Parameterised Boolean equation systems are sequences of fixed point equations over predicate formulae, i.e., first-order logic formulae with second order variables. A PBES is given in the context of an abstract data type, which is used to reason about data. Non-empty data sorts of the abstract data type are typically denoted with the letters D and E. The corresponding semantic domains are D and E. We assume that sorts B and N represent the Booleans and the natural numbers respectively, and have B and N as semantic counterpart. The set of data variables is V, and its elements are usually denoted with d and e. To interpret expressions with variables, we use a data environment δ, which maps every variable in V to an element of the corresponding sort. The semantics of an expression f in the context of such an environment is denoted f δ. For instance, x < 2 + y δ holds true iff δ(x) < 2 + δ(y). To update an environment, we use the notation δ[v/d], which is defined as δ

For lack of space, we only consider PBESs in standard recursive form [22, 23] , a normal form in which each right-hand side of an equation is a guarded formula instead of an arbitrary (monotone) predicate formula. We remark that a PBES can be rewritten to SRF in linear time, while the number of equations grows linearly in the worst case [23, Proposition 2] .

Let X be a countable set of predicate variables. In the exposition that follows we assume for the sake of simplicity (but without loss of generality) that all predicate variables X ∈ X are of type D. We permit ourselves the use of nonuniformly typed predicate variables in our example. Definition 6. A guarded formula φ is a disjunctive or conjunctive formula of the form:

where J is an index set, each f j is a Boolean expression, referred to as guard, every e j is a (bound) variable of sort E j , each g j is an expression of type D and each X j is a predicate variable of type D. A guarded formula φ is said to be total if for each data environment δ, there is a j ∈ J and v ∈ E j such that f j δ[v/e j ] holds true.

The denotational semantics of a guarded formula is given in the context of a data environment δ for interpreting data expressions and a predicate environment η : X → 2 D , yielding an interpretation of X j (g j ) as the truth value g j δ ∈ η(X j ). Given a predicate environment and a data environment, a guarded formula induces a monotone operator on the complete lattice (2 D , ⊆). By Tarski's theorem, least (µ) and greatest (ν) fixed points of such operators are guaranteed to exist. Henceforward, let E = (σ 1 X 1 (d:D) = ϕ 1 (d)) . . . (σ n X n (d:D) = ϕ n (d)) be a fixed, arbitrary PBES in SRF, where σ i ∈ {µ, ν}. The set of bound predicate variables of E, denoted bnd(E), is the set {X 1 , . . . , X n }. If the predicate variables occurring in the guarded formulae ϕ i (d) of E are taken from bnd(E), then E is said to be closed ; we only consider closed PBESs. Every bound predicate variable is assigned a rank, where rank E (X i ) is the number of alternations in the sequence of fixpoint symbols νσ 1 σ 2 . . . σ i . Observe that rank E (X i ) is even iff σ i = ν. We use the function op E : bnd(E) → {∨, ∧} to indicate for each predicate variable in E whether the associated equation is disjunctive or conjunctive. As a notational convenience, we write J i to refer to the index set of the guarded formula ϕ i (d), and we assume that the index sets are disjoint for different equations.

The standard denotational fixed point semantics of a closed PBES associates a subset of D to each bound predicate variable (i.e., their meaning is independent of the predicate environment used to interpret guarded formulae). For details of the standard denotational fixed point semantics of a PBES we refer to [10] . We forego the denotational semantics and instead focus on the (provably equivalent, see e.g. [23, 6] ) game semantics of a PBES in SRF.

and G E is the parity game associated to E. The game G E = (V, E, Ω, P) is defined as:

Note that the parity game G E may have an infinite state space when D is infinite. In practice, we are often interested in the part of the parity game that is reachable from some initial node (X, v); this is often (but not always) finite. This is illustrated by the following example. The six nodes in the parity game which are reachable from (X, true) are depicted in Figure 3 . The horizontally drawn edges all stem from the clause ∃n:N. n ≤ 2 ∧ Y (b, if (b, n, 0) ). Vertical edges stem from the clause b ∧ X(false) (on the left) or the clause true ⇒ Y (false, 0) (on the right). The selfloop also stems from the clause true ⇒ Y (false, 0). Player wins all nodes in this game, and thus true / ∈ E (X).

Reachable part of the parity game underlying the PBES of Example 6, when starting from node (X, true).

As suggested by the above example, each edge is associated to (at least) one clause in E. Consequently, we can use the index sets J i to event-label the edges emanating from nodes associated with the equation for X i . We denote the set of all events in E by evt(E), defined as

, and visible otherwise.

Definition 9. Let G E be the parity game associated to E. The labelled parity game associated to E is the structure (G E , evt(E), ℓ), where G E is as defined in Def. 8, and, for j ∈ J i , ℓ(j) is defined as the set { (X i , v), (X j , w) ∈ E | f j δ[v/d] holds true and w = g j δ[v/d] for some δ}.

A consequence of the partial-order reduction theorem is that a reduced parity game suffices for computing the truth value to X(e) for a given PBES E with X ∈ bnd(E). However, D1, D2w/D2t and L are conditions on the (reduced) state space as a whole and, hence, hard to check locally. We therefore approximate these conditions in such a way that we can construct a stubborn set on-the-fly.

From hereon, let E be a PBES in SRF and (G, S, ℓ), with G = (V, E, Ω, P), its labelled parity game. The most common local condition for L is the stack proviso L S [26] . This proviso assumes that the state space is explored with depth-first search (DFS), and it uses the Stack that stores unexplored nodes to determine whether a cycle is being closed. If so, the node will be fully expanded, i.e., r(s) = S. L S For all nodes s ∈ V r , either succ Gr (s) ∩ Stack = ∅ or r(s) = S.

Locally approximating conditions D1 and D2w requires a static analysis of the PBES. For this, we draw upon ideas from [17] and extend these to properly deal with non-determinism. To reason about which events are independent, we rely on the idea of accordance. Definition 10. Let j, j ′ ∈ S. We define the accordance relations DNL, DNS , DNT and DNA on S as follows:

j left-accords with j ′ if for all nodes s, s ′ ∈ V , if s j ′ j − − → s ′ , then also s jj ′ − − → s ′ . If j does not left-accord with j ′ , we write (j, j ′ ) ∈ DNL.

j square-accords with j ′ if for all nodes s, s 1 , s 2 ∈ V , if s j − → s 1 and s j ′ − → s 2 , then for some s ′ ∈ V , s 1 j ′ − → s ′ and s 2 j − → s ′ . If j does not square-accord with j ′ we write (j, j ′ ) ∈ DNS .

j triangle-accords with j ′ if for all nodes s, s 1 ,

j accords with j ′ if j square-accords or triangle-accords with j ′ . If j does not accord with j ′ we write (j, j ′ ) ∈ DNA.

Note that DNL and DNT are not necessarily symmetric. An illustration of the left-according, square-according and triangle-according conditions is given below.

Accordance relations safely approximate the independence of events. The dependence of events, required for satisfying D2w can be approximated using Godefroid's necessary enabling sets [8] .

Definition 11. Let j be an event that is disabled in some node s. A necessaryenabling set (NES) for j in s is any set NES s (j) ⊆ S such that for every execution s j1...jnj − −−−− → there is at least one j i such that j i ∈ NES s (j).

For every node and event there might be more than one NES. In particular, every superset of a NES is also a NES. A larger-than-needed NES may, however, have a negative impact on the reduction that can be achieved. In a PBES with multiple parameters per predicate variable, computing a NES can be done by determining which parameters influence the validity of guards f j and which parameters are changed in the update functions g j . A more accurate NES may be computed using techniques to extract a control flow from a PBES [15] .

The following lemmata show how the accordance relations and necessaryenabling set can be used to implement conditions D1, D2w and D2t, respectively. A combination of Lemma 5 and 6 in a deterministic setting appeared as Lemma 1 in [17] . Note that as a notational convention we write R(j) to denote the projection {j ′ | (j, j ′ ) ∈ R} of a binary relation.

A reduction function r satisfies D1 in node s ∈ V if for all j ∈ r(s):

if j is disabled in s, then NES s (j) ⊆ r(s) for some NES s ; and if j is enabled in s, then DNL(j) ⊆ r(s).

A reduction function r satisfies D2w in a node s ∈ V if there is an enabled event j ∈ r(s) such that DNS (j) ⊆ r(s).

A reduction function r satisfies D2t in a node s if there is an enabled event j ∈ r(s) such that DNA(j) ⊆ r(s).

More reduction can be achieved if a PBES is partly or completely 'deterministic', in which case some of the conditions can be relaxed. We say that an event j is deterministic, denoted by det (j), if for all nodes t, t ′ , t ′′ ∈ V , if t j − → t ′ and t j − → t ′′ , then also t ′ = t ′′ . This means event-determinism can be characterised as follows:

det (j) iff f j δ and f j δ ′ implies g j δ = g j δ ′ for all δ, δ ′ with δ(d) = δ ′ (d).

The following lemma specialises Lemma 5 and shows how knowledge of deterministic events can be applied to potentially improve the reduction.

Lemma 8. A reduction function r satisfies D1 in a node s if for all j ∈ r(s):

if j is disabled in s, then NES s (j) ⊆ r(s) for some NES s ; and if det (j) and j is enabled in s, then DNS (j) ⊆ r(s) or DNL(j) ⊆ r(s).

if ¬det (j) and j is enabled in s, then DNL(j) ⊆ r(s).

Since relations DNS and DNL are incomparable we cannot decide a priori which should be used for deterministic events. However, Lemma 8 permits choosing one of the accordance sets on-the-fly. This choice can be made based on a heuristic function, similar to the function for NESs proposed in [17] .

We implemented the ideas from the previous section in a prototype tool, called pbespor, as part of the mCRL2 toolset [5] ; it is written in C++. Our tool converts a given input PBES to a PBES in SRF, runs a static analysis to compute the accordance relations (see Section 5), and uses a depth-first exploration to compute the parity game underlying the PBES in SRF. The static analysis relies on an external SMT solver (we use Z3 in our experiments). To limit the amount of static analysis required and to improve the reduction, the implementation contains a rudimentary way of identifying whether the same event occurs in multiple PBES equations. Experiments are conducted on a machine with an Intel Xeon 6136 CPU @ 3 GHz, running mCRL2 with Git commit hash dd36f98875.

To measure the effectiveness of our implementation, we analysed the following mCRL2 models 2 : Anderson's mutual exclusion protocol [1] , the dining philosophers problem, the gas station problem [11] , Hesselink's handshake register [12] , Le Lann's leader election protocol [18] , Milner's Scheduler [20] and the Krebs cycle of ATP production in biological cells (model inspired by [25] ). Most of these models are scalable. Each model is subjected to one or more requirements phrased as mCRL2's first-order modal µ-calculus formulae. Where possible, Table 1 provides a CTL * formula that captures the essence of the requirement.

We analyse the effectiveness of our partial-order reduction technique by measuring the reduction of the size of the state space, and the time that is required to generate the state space. Since the static analysis that is conducted can require a non-neglible amount of time, we pay close attention to the various forms of static analysis that can be conducted. In particular, we compare the total time and effectiveness (in terms of reduction) of running the following static analysis: As a baseline for comparisons, we take a basic static analysis (over-approximated DNL, over-approximated NES, D2w), see column 'basic' in Table 1 . In order to guarantee termination of the static analysis phase, we set a timeout of 200ms per formula that is sent to the solver. Table 1 reports on the statistics we obtained for exploring the full state space and the four possible POR configurations described above; the table is sorted with respect to the time needed for a full exploration. The time we list consists of the time needed to conduct the analysis plus the time needed for the exploration.

For most small instances, the time required for static analysis dominates any speed-up gained by the state space reduction. When the state spaces are larger, achieving a speed-up becomes more likely, while the highest overhead suffered by 'basic' is 55% (Hesselink, cache consistency). Significant reduction can be achieved even for non-trivial properties, such as 'lann.5' with 'no data loss'. Scheduler is an extreme case: its processes have very few dependencies, leading to an exponential reduction, both in terms of the state space size and in terms of time. In several cases, the use of a NES or D2t brings extra reduction (highlighted in bold). Moreover, the extra time required to conduct the additional analysis seems limited. The use of DNL, on the other hand, never pays off in our experiments; it even results in a slightly larger state space in two cases.

We note that there are also models, not listed in Table 1 , where our static analysis does not yield any useful results and no reduction is achieved. Even if in such cases a reduction would be possible in theory, the current static analysis engines are unable to deal with the more complex data types often used in such models; e.g., recursively defined lists or infinite sets, represented symbolically with higher-order constructions. This calls for further investigations into static analysis theories that can effectively deal with complex data.

Finally, we point out that in the case of, e.g., the dining philosophers problem, the relative reduction under the 'no deadlock' property is much better than under the '∀ ∀ eat' property. This demonstrates the impact properties can have on the reductions achievable, and it also points at a phenomenon we have not stressed in the current work, viz., the impact of identifying events on the reductions achievable. We explain the phenomenon in the following example. , which is equivalent to ∀ a i , on this LTS. The event xy represents the transition from fixpoint X into Y , which does not involve an action from the LTS. Note that the complete state space is encoded in the fixpoint X. Due to the absence of some transitions in the part of the state space encoded in fixpoint Y , neither a 1 nor a 2 is according with xy. Hence, the only stubborn set in the initial node is {a 1 , a 2 , xy}, which yields no reduction.

⊓ ⊔ Improving the event identification procedure can yield more reduction. For instance, if, for each i (bound in the universal quantifier), a different event xy i is created, then both a 1 , xy 2 and a 2 , xy 1 will be according. If we disregard the visibility of xy 1 and xy 2 , four nodes can be eliminated.

We have presented an approach for applying partial-order reduction on parity games. This has two main advantages over POR applied on LTSs or Kripke structures: our approach supports the full modal µ-calculus, not just a fragment thereof, and the potential for reduction is greater, because we do not require a singleton proviso. Furthermore, we have shown how the ideas can be implemented with PBESs as a high-level representation. In future work, we aim to gain more insight into the effect of identifying events across PBES equations in several ways. We also want to investigate the possibility of solving a reduced parity game while is it being constructed. In certain cases, one may be able to decide the winner of the original game from this partial solution.

The Performance of Spin Lock Alternatives for Shared-Memory Multiprocessors

Principles of model checking

Partial Order Reduction for Reachability Games

Stubborn Set Reduction for Two-Player Reachability Games

The mCRL2 Toolset for Analysing Concurrent Systems: Improvements in Expressivity and Usability

Proof graphs for parameterised Boolean equation systems

A Partial Order Approach to Branching Time Logic Model Checking

Partial-Order Methods for the Verification of Concurrent Systems

Confluence for process verification

Parameterised boolean equation systems

Debugging ada tasking programs

Invariants for the construction of a handshake register

Better verification through symmetry

Partial order reduction for checking LTL formulae with the next-time operator

Liveness Analysis for Parameterised Boolean Equation Systems

Results on the propositional µ-calculus

Guard-based partial-order reduction

Distributed systems -towards a formal approach

Taking Some Burden Off an Explicit CTL Model Checker

The Inconsistent Labelling Problem of Stutter-Preserving Partial-Order Reduction

Solving Parameterised Boolean Equation Systems with Infinite Data Through Quotienting

Finding compact proofs for infinite-data parameterised Boolean equation systems

Partial-Order Reduction for Parity Games with an Application on Parameterised Boolean Equation Systems

BEEM: Benchmarks for Explicit Model Checkers

All from One, One for All: on Model Checking Using Representatives

Combining partial order reductions with on-the-fly model-checking

Partial-Order Reduction in the Weak Modal Mu-Calculus

What's Wrong with On-the-Fly Partial Order Reduction

A Stubborn Attack on State Explosion

The state explosion problem

Stubborn Set Methods for Process Algebras

Stubborn Set Intuition Explained

), which permits use, sharing, adaptation, distribution and reproduction in any Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/ 4.0/ medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.(2020). https://doi.org/10.10 / -25 07 978-3-030 45231-5