key: cord-0049758-824pvok9
authors: Lang, Frédéric; Mateescu, Radu; Mazzanti, Franco
title: Sharp Congruences Adequate with Temporal Logics Combining Weak and Strong Modalities
date: 2020-03-13
journal: Tools and Algorithms for the Construction and Analysis of Systems
DOI: 10.1007/978-3-030-45237-7_4
sha: 28c3fcd382b882da46706e2cdc94c394b0f677bc
doc_id: 49758
cord_uid: 824pvok9

We showed in a recent paper that, when verifying a modal [Formula: see text]-calculus formula, the actions of the system under verification can be partitioned into sets of so-called weak and strong actions, depending on the combination of weak and strong modalities occurring in the formula. In a compositional verification setting, where the system consists of processes executing in parallel, this partition allows us to decide whether each individual process can be minimized for either divergence-preserving branching (if the process contains only weak actions) or strong (otherwise) bisimilarity, while preserving the truth value of the formula. In this paper, we refine this idea by devising a family of bisimilarity relations, named sharp bisimilarities, parameterized by the set of strong actions. We show that these relations have all the nice properties necessary to be used for compositional verification, in particular congruence and adequacy with the logic. We also illustrate their practical utility on several examples and case-studies, and report about our success in the RERS 2019 model checking challenge.

This paper deals with the verification of action-based, branching-time temporal properties expressible in the modal μ-calculus (L μ ) [31] on concurrent systems consisting of processes composed in parallel, usually described in languages with process algebraic flavour. A well-known problem is the state-space explosion that happens when the system state space exceeds the available computer memory.

Compositional verification is a set of techniques and tools that have proven efficient to palliate state-space explosion in many case studies [18] . They may either focus on the construction of the state space reduced for some equivalence relation, such as compositional state space construction [24, 32, 36, 43, [45] [46] [47] , or on the decomposition of the full system verification into the verification of (expectedly smaller) subsystems, such as compositional reachability analysis [49, 10] , assume-guarantee reasoning [41] , or partial model checking [1, 34] .

In this paper, we focus on property-dependent compositional state space construction, where the reduction to be applied to the system is obtained by analysing the property under verification. We will refine the approach of [37] which, given a formula ϕ of L μ to be verified, shows how to extract from ϕ a maximal hiding set of actions and a reduction (minimization for either strong [40] or divergence-preserving 3 branching -divbranching for short -bisimilarity [20, 23] ) that preserves the truth value of ϕ. The reduction is chosen according to whether ϕ belongs to an L μ fragment named L dbr μ , which is adequate with divbranching bisimilarity. This fragment consists of L μ restricted to weak modalities, which match actions preceded by (property-preserving) sequences of hidden actions, as opposed to traditional strong modalities α ϕ 0 and [α] ϕ 0 , which match only a single action satisfying α. If ϕ belongs to L dbr μ , then the system can be reduced for divbranching bisimilarity; otherwise, it can be reduced for strong bisimilarity, the weakest congruence preserving full L μ . We call this approach of [37] the mono-bisimulation approach.

We refine the mono-bisimulation approach in [35] , by handling the case of L μ formulas containing both strong and weak modalities. To do so, fragments named L strong μ (A s ) extend L dbr μ with strong modalities matching only the actions belonging to a given set A s of strong actions. This induces a partition of the parallel processes into those containing at least one strong action and those not containing any, so that a formula ϕ ∈ L strong μ (A s ) is still preserved if the processes containing strong actions are reduced for strong bisimilarity and the other ones for divbranching bisimilarity. We call this refined approach the combined bisimulations approach. Guidelines are also provided in [35] to extract a set of strong actions from particular L μ formulas encoding the operators of widely-used temporal logics, such as CTL [11] , ACTL [39] , PDL [15] , and PDL-Δ [44] . This approach is implemented on top of the CADP verification toolbox [19] , and experiments show that it can improve the capabilities of compositional verification on realistic case studies, possibly reducing state spaces by orders of magnitude.

In this paper, we extend these results as follows: (1) We refine the approach by devising a family of new bisimilarity relations, called sharp bisimilarities, parameterized by the set of strong actions A s . They are hybrid between strong and divbranching bisimilarities, where strong actions are handled as in strong bisimilarity whereas weak actions are handled as in divbranching bisimilarity.

(2) We show that each fragment L strong μ (A s ) is adequate with the corresponding sharp bisimilarity, namely, L strong μ (A s ) is precisely the set of properties that are preserved by sharp bisimilarity (w.r.t. A s ) on all systems. (3) We show that, similarly to strong and divbranching bisimilarities, every sharp bisimilarity is a congruence for parallel composition, which enables it to be used soundly in a compositional verification setting. (4) We define an efficient state space reduction algorithm that preserves sharp bisimilarity and has the same worstcase complexity as divbranching minimization. Although it is not a minimization (i.e., sharp bisimilar states may remain distinguished in the reduced state space), it coincides with divbranching minimization whenever the process it is applied to does not contain strong actions, and with strong minimization in the worst case. Therefore, applying this reduction compositionally always yields state space reduction at least as good as [35] , which itself is an improvement over [37] . (5) At last, we illustrate our approach on case studies and compare our new results with those of [35, 37] . We also report about our recent success in the RERS 2019 challenge, which was obtained thanks to this new approach.

The paper is organized as follows: Sections 2 and 3 introduce the necessary background about process descriptions and temporal logic. Section 4 defines sharp bisimilarity, states its adequacy with L strong μ (A s ), and its congruence property for parallel composition. Section 5 presents the reduction algorithm and shows that it is correct and efficient. Section 6 illustrates our new approach on the case studies. Section 7 discusses related work. Finally, Section 8 concludes and discusses research directions for the future. The proofs of all theorems presented in this paper and a detailed description of how we tackled the RERS 2019 challenge are available in a Zenodo archive. 4

We consider systems of processes whose behavioural semantics can be represented using an LTS (Labelled Transition System).

where Σ is a set of states, A ⊆ A is a set of actions, −→ ⊆ Σ × A × Σ is the (labelled) transition relation, and p init ∈ Σ is the initial state. We may write Σ P , A P , −→ P for the sets of states, actions, and transitions of an LTS P , and init(P ) for its initial state. We assume that P is finite and write |P | st (resp. |P | tr ) for the number of states (resp. transitions) of P . We write p a −→ p for

LTS can be composed in parallel and their actions may be abstracted away using the parallel composition and action mapping defined below, of which action hiding, cut (also known as restriction), and renaming are particular cases.

Let P, Q be LTS and A sync ⊆ A\{τ }. The parallel composition of P and Q with synchronization on A sync , writ-

Let P be an LTS and ρ : A P → 2 A be a total function. We write ρ(A P ) for the image of ρ, defined by a∈AP ρ(a). We write ρ(P ) for the LTS (Σ P , ρ(

}. An action mapping ρ is admissible if τ ∈ A P implies ρ(τ ) = {τ }. We distinguish the following admissible action mappings:

We write "cut A in P " for ρ(P ).

ρ is an action renaming if (∃f :

We write "rename f in P " for ρ(P ).

Parallel composition and action mapping subsume all abstraction and composition operators encodable as networks of LTS [42, 18, 33] , such as synchronization vectors 5 and the parallel composition, hiding, renaming, and cut operators of CCS [38] , CSP [8] , mCRL [26] , LOTOS [29] , E-LOTOS [30] , and LNT [9] .

LTS can be compared and reduced modulo well-known bisimilarity relations, such as strong [40] and (div)branching [20, 23] bisimilarity. We do not give their definitions, which can easily be found elsewhere (e.g., [35] ). They are special cases of Definition 7 (page 7), as shown by Theorem 1 (page 9). We write ∼ (resp. ∼ dbr ) for the strong (resp. divbranching) bisimilarity relation between states. We write min str (P ) (resp. min dbr (P )) for the quotient of P w.r.t. strong (resp. divbranching) bisimilarity, i.e., the LTS obtained by replacing each state by its equivalence class. The quotient is the smallest LTS of its equivalence class, thus computing the quotient is called minimization. Moreover, these bisimilarities are congruences for parallel composition and admissible action mapping. This allows reductions to be applied at any intermediate step during LTS construction, thus potentially reducing the overall cost. However, since processes may constrain each other by synchronization, composing LTS pairwise following the algebraic structure of the composition expression and applying reduction after each composition can be orders of magnitude less efficient than other strategies in terms of the largest intermediate LTS. Finding an optimal strategy is impossible, as it requires to know the size of (the reachable part of) an LTS product without actually computing the product. One generally relies on heuristics to select a subset of LTS to compose at each step of LTS construction. In this paper, we will use the smart reduction heuristic [12, 18] , which is implemented within the SVL [17] tool of CADP [19] . This heuristic tries to find an efficient composition order by analysing the synchronization and hiding structure of the composition. [31] ). The modal μ-calculus (L μ ) is built from action formulas α and state formulas ϕ, whose syntax and semantics w.r.t. an LTS P = (Σ, A, −→, p init ) are defined as follows:

where X ∈ X are propositional variables denoting sets of states, δ : X → 2 Σ is a context mapping propositional variables to sets of states, [ ] is the empty

Action formulas α are built from actions and Boolean operators. State formulas ϕ are built from Boolean operators, the possibility modality α ϕ 0 denoting the states with an outgoing transition labelled by an action satisfying α and leading to a state satisfying ϕ 0 , and the minimal fixed point operator μX.ϕ 0 denoting the least solution of the equation X = ϕ 0 interpreted over 2 Σ . The usual derived operators are defined as follows: Boolean connectors true = ¬false and ϕ 1 ∧ ϕ 2 = ¬(¬ϕ 1 ∨ ¬ϕ 2 ); necessity modality [α] ϕ 0 = ¬ α ¬ϕ 0 ; and maximal fixed point operator νX.ϕ 0 = ¬μX.¬ϕ 0 [¬X/X], where ϕ 0 [¬X/X] is the syntactic substitution of X by ¬X in ϕ 0 . Syntactically, and [] have the highest precedence, followed by ∧, then ∨, and finally μ and ν. To have a welldefined semantics, state formulas are syntactically monotonic [31] , i.e., in every subformula μX.ϕ 0 , all occurrences of X in ϕ 0 fall in the scope of an even number of negations. Thus, negations can be eliminated by downward propagation. We now introduce the weak modalities of the fragment L dbr μ , proposed in [37] .

μ [37] ). We write α τ for an action formula such that τ ∈ [[α τ ]] A and α a for an action formula such that τ / ∈ [[α a ]] A . We consider the following modalities, their L μ semantics, and their informal semantics:

Ultra-weak: p is source of a path whose transition labels satisfy α τ , leading to a state that satisfies ϕ 2 , while traversing only states that satisfy ϕ 1 . Weak: p is source of a path whose transition labels satisfy α τ , leading to a state that satisfies ϕ 1 and α a ϕ 2 , while traversing only states that satisfy ϕ 1 . Weak infinite looping: p is source of an infinite path whose transition labels satisfy α τ , while traversing only states that satisfy ϕ 1 .

We also consider the three dual modalities

adequate with divbranching bisimilarity consists of L μ from which the modalities a ϕ and [a] ϕ are replaced by the ultra-weak, weak, and weak infinite looping modalities defined above.

We identify fragments of L μ parameterized by a set of strong actions A s , as the set of state formulas whose action formulas contained in strong modalities satisfy only actions of A s . 

In [35] , we also provide guidelines for extracting a set A s from particular L μ formulas encoding the operators of widely-used temporal logics, such as CTL [11] , ACTL [39] , PDL [15] , and PDL-Δ [44] . [35] .)

The latter example shows that to a formula ϕ may correspond several minimal sets of strong actions A s . Indeed, either the a 1 true or the a 2 true modality can be made part of a weak modality, but not both in the same formula.

We define the family of sharp bisimilarity relations below. Each relation is hybrid between strong and divbranching bisimilarities, parameterized by the set of strong actions, such that the conditions of strong bisimilarity apply to strong actions and the conditions of divbranching bisimilarity apply to all other actions.

there exists q such that (p , q ) ∈ R and either of the following hold:

Similarly to strong, branching, and divbranching bisimilarities, sharp bisimilarity is an equivalence relation as it is the union of all sharp bisimulations. The quotient of an LTS P w.r.t. sharp bisimilarity is unique and minimal both in number of states and number of transitions. Figure 1 satisfy P i ∼ As P i (i ∈ 1..7). We give the smallest relation between P i and P i , whose symmetric closure is a sharp bisimulation w.r.t. A s and the weakest condition for P i to be minimal. Unlike divbranching, states on the same τ -cycle are not necessarily sharp bisimilar: in P 7 , if a ∈ A s then p 0 and p 2 are not sharp bisimilar. , which is minimal. We see that sharp bisimilarity reduces more than strong bisimilarity when at least one action (visible or invisible) is weak. Here, τ is the only weak action and the minimized LTS is smaller than the one minimal for strong bisimilarity (only p 1 and p 2 are strongly bisimilar).

If τ ∈ A s , then case (2) of Definition 7 cannot apply, i.e., τ -transitions cannot be totally suppressed. As a consequence, looking at case (3), if τ -transitions are present in state q 0 then, due to symmetry, they must have a counterpart in state p. As a result, finite sequences of τ -transitions are preserved. Sharp may however differ from strong bisimilarity in the possibility to compress circuits of τ -transitions that would remain unreduced, as illustrated in Example 4 below.

∈ A s , then the LTS of Figure 2 (b) (which is minimal for strong bisimilarity) can be reduced to the LTS of Figure 2 (c).

Next theorems are new. Theorem 1 expresses that sharp bisimilarity w.r.t. a set of strong actions A s is strictly stronger than w.r.t. any set of strong actions strictly included in A s . Unsurprisingly, it also establishes that sharp coincides with divbranching when the set of strong actions is empty, and with strong when 

it comprises all actions (including τ ). It follows that the set of sharp bisimilarity relations equipped with set inclusion forms a complete lattice whose supremum is divbranching bisimilarity and whose infimum is strong bisimilarity.

Theorem 2 expresses that sharp bisimilarity w.r.t. A s preserves the truth value of all formulas of L strong μ (A s ), and Theorem 3 that two LTS verifying exactly the same formulas of L strong μ (A s ) are sharp bisimilar. We can then deduce that L strong μ (A s ) is adequate with ∼ As , as expressed by Corollary 1. Theorems 4 and 5 express that sharp bisimilarity is a congruence for parallel composition and admissible action mapping. It follows that it is also a congruence for hide, cut, and rename, as expressed by Corollary 2.

P and ϕ ∈ L strong μ (A s ) then P |= ϕ iff P |= ϕ. Theorem 3. If (∀ϕ ∈ L strong μ (A s )) P |= ϕ iff Q |= ϕ, then P ∼ As Q.Theorem 4. If P ∼ As P , Q ∼ As Q then P |[A sync ]| Q ∼ As P |[A sync ]| Q .

A s ρ(P ), where A s = ρ(A s ) \ ρ(A P \ A s ).

We write A τ for A ∪ {τ }. If P ∼ As P then:

These theorems and corollaries generalize results on strong and divbranching bisimilarity. In particular, the side conditions of Corollary 2 are always true when A s = ∅ (divbranching) or A s = A (strong).

Since every admissible network of LTS can be translated into an equivalent composition expression consisting of parallel compositions and admissible action mappings, Theorems 4 and 5 imply some congruence property at the level of networks of LTS. However, one must be careful on how the synchronization rules preserve or modify the set of strong actions of components.

In the sequel, we establish formally the relationship between sharp bisimilarity and sharp τ -confluence, a strong form of τ -confluence [27] defined below in a way analogous to strong τ -confluence in [28] . It is known that every τ -transition that is τ -confluent is inert for branching bisimilarity, i.e., its source and target states are branching bisimilar. There are situations where τ -confluence can be detected locally, thus enabling on-the-fly LTS reductions. We present an analogous result that might have similar applications, namely, every τ -transition that is sharp τ -confluent is inert for (divergence-unpreserving) sharp bisimilarity. 

The difference between strong τ -confluence and sharp τ -confluence is the addition of condition (2) , which can be removed to obtain the very same definition of strong τ -confluence as [28] . Strong τ -confluence thus coincides with sharp τconfluence w.r.t. the empty set of actions. Sharp τ -confluence not only requires that other transitions of the source state of a confluent transition also exist in the target state, but also that the converse is true for strong actions.

If a transition is sharp τ -confluent w.r.t. A s , then it is also sharp τ -confluent w.r.t. any subset of A s . In particular, sharp τ -confluence is stronger than strong τ -confluence (which is itself stronger than τ -confluence). Theorem 6 formalizes the relationship between sharp τ -confluence and divergence-unpreserving sharp bisimilarity. This result could be lifted to sharp bisimilarity by adding a condition on divergence in the definition of sharp τ -confluence. Theorem 6 illustrates a form of reduction that one can expect using sharp bisimilarity when τ / ∈ A s , namely compression of diamonds of sharp τ -confluent transitions, which are usually generated by parallel composition. The strongest form of sharp τ -confluence (which could be called ultra-strong τ -confluence) is when all visible actions are strong. In that case, every visible action present in the source state must be also present in the target state, and conversely. The source and target states are then sharp bisimilar w.r.t. the set of visible actions. Yet, it is interesting to note that they are not necessarily strongly bisimilar, sharp bisimilarity w.r.t. all visible actions being weaker than strong bisimilarity.

There exist weaker forms of τ -confluence [27, 50] , which accept that choices between τ -confluent and other transitions are closed by arbitrary sequences of τ -confluent transitions rather than sequences of length 0 or 1. It could be interesting to investigate how the definition of sharp τ -confluence could also be weakened, while preserving inertness for sharp bisimilarity.

The interest of sharp bisimilarity in the context of compositional verification is the ability to replace components by smaller but still equivalent ones, as allowed by the congruence property. To do so, we need a procedure that enables such a reduction. This is what we address in this section.

A procedure to reduce an LTS P for sharp bisimilarity is proposed as follows: (1) Build P , consisting of P in which all τ -transitions that immediately precede a transition labelled by a strong action (or all τ -transitions if τ is itself a strong action) are renamed into a special visible action κ ∈ A\ A P ; (2) Minimize P for divbranching bisimilarity; (3) Hide in the resulting LTS all occurrences of κ. The renaming of τ -transitions into κ allows them to be considered temporarily as visible transitions, so that they are not eliminated by divbranching minimization. 8 This algorithm is now defined formally.

Let P be an LTS and A s be a set of strong actions. Let κ ∈ A\A P be a special visible action. We write red As (P ) for the reduction of P defined as the LTS "hide κ in min dbr (P )", where P = (Σ P , A P ∪ {κ}, −→, init(P )) and −→ is defined as follows:

It is clear that red As (P ) is a reduction, i.e., it cannot have more states and transitions than P . Since the complexities of the transformation from P to P and of hiding κ are at worst linear in |P | tr , the complexity of the whole algorithm is dominated by divbranching minimization, for which there exists an algorithm 9 of worst-case complexity O(m log n), where m = |P | tr and n = |P | st [25] .

As regards correctness, Theorem 7 states that red As (P ) is indeed sharp bisimilar to P . Theorem 8 indicates that the reduction coincides with divbranching minimization if the LTS does not contain any strong action, with strong minimization if τ is a strong action or if the LTS does not contain τ , and that the resulting LTS has a size that lies in between the size of the minimal LTS for divbranching bisimilarity and the size of the minimal LTS for strong bisimilarity.

For any LTS P , we have P ∼ As red As (P ). Theorem 8. The following hold for any LTS P : (1) if A P ∩ A s = ∅ then red As (P ) = min dbr (P ), (2) if τ / ∈ A P \ A s then red As (P ) = min str (P ), and (3) |min dbr (P )| st ≤ |red As (P )| st ≤ |min str (P )| st ∧ |min dbr (P )| tr ≤ |red As (P )| tr ≤ |min str (P )| tr .

Although sharp reduction is effective in practice, as will be illustrated in the next section, it may fail to compress τ -transitions that are inert for sharp bisimilarity, as show the following examples.

Example 5. Consider the LTS of Figure 2 (a) (page 9). Its reduction using the above algorithm consists of the three steps depicted below:

1. τ -to-κ renaming 2. Divbranching min.

The reduced LTS (obtained at step 3) has one more state and two more transitions than the minimal LTS shown in Figure 2(b) . Even though all visible actions are strong, our reduction compresses more than strong bisimilarity (recall that the minimal LTS for strong bisimilarity has 7 states and 8 transitions). In general, our reduction reduces more than strong bisimilarity 10 as soon as τ / ∈ A s (which is the case for most formulas in practice). Example 6. In Figure 1 (page 8) , if a ∈ A s then red As (P 1 ) = P 1 , red As (P 2 ) = P 2 , and red As (P 6 ) = P 6 , i.e., reduction yields the minimal LTS. Yet, red As (P 3 ) = P 3 = P 3 , i.e., the sharp τ -confluent transition p 0 τ −→ P3 p 2 is not compressed. Similarly, P 4 , P 5 , and P 7 are not minimized using red As .

Devising a minimization algorithm for sharp bisimilarity is left for future work. It could combine elements of existing partition-refinement algorithms for strong and divbranching minimizations, but the following difficulty must be taken into account (basic knowledge about partition-refinement is assumed):

-A sequence of τ -transitions is inert w.r.t. the current state partition if both its source, target, and intermediate states are in the same block. To refine a partition for sharp bisimilarity, one must be able to compute efficiently the set of non-inert transitions labelled by weak actions and reachable after an arbitrary sequence of inert transitions. The potential presence of inert cycles has to be considered carefully to avoid useless computations. 10 The result of reduction is necessarily strong-bisimulation minimal, because if a transition p τ −→ p is renamed into κ, then it is also the case of a τ -transition in every state bisimilar to p, which remains bisimilar after the renaming. In addition, the subsequent divbranching minimization step necessarily merges strongly bisimilar states.

-In the case of divbranching bisimilarity, every τ -cycle is inert and can thus be compressed into a single state. This is usually done initially, using the Tarjan algorithm for finding strongly connected components, whose complexity is linear in the LTS size. This guarantees the absence of inert cycles (except self τ -loops) all along the subsequent partition-refinement steps. However, τ -cycles are not necessarily inert for sharp bisimilarity, as illustrated by LTS P 7 in Figure 1 (page 8) . Therefore, τ -cycles cannot be compressed initially. Instead, a cycle inert w.r.t. the current partition may be split into several sub-blocks during a refinement step. To know whether the sub-blocks still contain inert cycles, the Tarjan algorithm may have to be applied again.

Although red As is not a minimization, we will see that it performs very well when used in a compositional setting. The reason is that (1) only a few of the system actions are strong, which limits the number of τ -transitions renamed to κ, and (2) sharp τ -confluent transitions most often originate from the interleaving of τ -transitions that are inert in the components of parallel composition. The above reduction algorithm removes most inert transitions in individual (sequential) LTS, thus limiting the number of sharp τ -confluent transitions in intermediate LTS. Still, better reductions can be expected with a full minimization algorithm, which will compress all τ -transitions that are inert for sharp bisimilarity.

We experimented sharp reduction on the examples presented in [35] (consisting of formulas containing both weak and strong modalities), namely the TFTP (Trivial File Transfer Protocol) and the CTL verification problems on parallel systems of the RERS 2018 challenge. For lack of space, see [35] for more details about these case studies. In both cases, we composed parallel processes in the same order as we did using the combined bisimulations approach, but using sharp bisimilarity instead of strong or divbranching bisimilarity to reduce processes. Experiments were done on a 3GHz/12GB RAM/8-core Intel Xeon computer running Linux, using the specification languages and 32-bit versions of tools provided in the CADP toolbox version 2019-d "Pisa" [19] .

The results are given in Figures 3 (TFTP) and 4 (RERS 2018), both in terms of the size of the largest intermediate LTS, the size of the final LTS (LTS obtained after the last reduction step, on which the formula is checked), memory consumption, and time. Each subfigure contains three curves corresponding to the mono-bisimulation approach (using strong bisimulation to reduce all LTS), the combined bisimulations approach, and the sharp bisimulation approach. The former two curves are made from data that were already presented in [35] . Note that the vertical axis of all subfigures is on a logarithmic scale. In the RERS 2018 case, the mono-bisimulation approach gives results only for experiments 101#22 and 101#23, all other experiments failing due to state space explosion. 11 These results show that sharp bisimilarity incurs much more LTS reduction than the combined bisimulations approach, by a factor close to the one obtained when switching from the mono-bisimulation approach to the combined bisimulations approach. However, in the case of the RERS 2018 examples, this gain on LTS size does not always apply to time and/or memory consumption in the same proportions, except for experiment 103#22. This suggests that our implementation of minimization could be improved.

These experiments were conducted after closing of the RERS 2018 challenge. Encouraged by the good results obtained with these two approaches, we participated to the 2019 edition 12 , where 180 CTL problems were proposed instead of 9 in 2018. The models on which the properties had to be verified have from 8 to 70 parallel processes and from 29 to 234 actions. Although the models had been given in a wealth of different input formats (communicating automata, Petri nets in PNML format with NUPN information [16] , and Promela) suitable for a large number of model checking tools, no other team than ours participated to the parallel challenges. This is a significant difference with 2018, when the challenge was easier, allowing three teams (with different tools) to participate.

We applied smart sharp reduction to these problems, using a prototype program that extracts strong actions automatically from (a restricted set of) CTL formulas used in the competition. 13 This allowed the 180 properties to be checked automatically in less than 2.5 hours (CPU time), and using about 200 MB of RAM only, whereas using strong reduction failed on most of the largest problems. The largest intermediate graph obtained for the whole set of problems has 3364 states. All results were correct and we won all gold medals 14 in this category. 15 Details are available in the Zenodo archive mentioned in the introduction.

The paper [48] defines on doubly-labelled transition systems (mix between Kripke structure and LTS) a family of bisimilarity relations derived from divbranching bisimilarity, parameterized by a natural number n, which preserves CTL* formulas whose nesting of next operators is smaller or equal to n. Similar to our work, they show that this family of relations (which is distinct from sharp bisimilarity in that there is no distinction between weak and strong actions) fills the gap between strong and divbranching bisimilarities. They apply their bisimilarity relation to slicing rather than compositional verification.

The paper [2] proposes that, if the formula contains only so-called selective modalities, of the form (¬α 1 ) * .α 2 ϕ 0 , then all actions but those satisfying 12 http://rers-challenge.org/2019 13 The paper [35] presents identities that were used to extract such strong actions. 14 A RERS gold medal is not a ranking but an achievement, not weakened by the low number of competitors. We also won all gold medals in the "verification of LTL properties on parallel systems" category, using an adaptation of this approach. 15 http://cadp.inria.fr/news12.html α 1 or α 2 can be hidden, and the resulting system can be reduced for τ * .aequivalence [14] . Yet, there exist formulas whose strong modalities α ϕ 0 cannot translate into anything but the selective modality (¬true) * .α ϕ, meaning that no action at all can be hidden. In this case, τ * .a equivalence coincides with strong bisimilarity and thus incurs much less reduction than sharp bisimilarity. Moreover, it is well-known that τ * .a-equivalence is not a congruence for parallel composition [7] , which makes it unsuitable to compositional verification, even to check formulas that contain weak modalities only.

The adequacy of L dbr μ with divbranching bisimilarity is shown in [37] . This paper also claims that ACTL\X is as expressive as L dbr μ and thus also adequate with divbranching bisimilarity, but a small mistake in the proof had the authors omit that the L dbr μ formula τ @ cannot actually be expressed in ACTL\X. It remains true that ACTL\X is preserved by divbranching bisimilarity.

In [13] , it is shown that ACTL\X is adequate with divergence sensitive branching bisimilarity. This bisimilarity relation is equivalent to divbranching bisimilarity [21] [22] [23] only in the case of deadlock-free LTS, but it differs in the presence of deadlock states since it does not distinguish a deadlock state from a self τ -loop (which can instead be recognized in L dbr μ with the τ @ formula).

This work enhances the reductions that can be obtained by combining compositional LTS construction with an analysis of the temporal logic formula to be verified. In particular, known results about strong and divbranching bisimilarities have been combined into a new family of relations called sharp bisimilarities, which inherit all nice properties of their ancestors and refine the state of the art in compositional verification.

This new approach is promising. Yet, to be both usable by non-experts and fully efficient, at least two components are still missing: (1) The sets of strong actions, which are a key ingredient in the success of this approach, still have to be computed either using pencil and paper or using tools dedicated to restricted logics; automating their computation in the case of arbitrary L μ formulas is not easy, but likely feasible, opening the way to a new research track; finding a minimal set of strong actions automatically is challenging, and since it is not unique, even more challenging is the quest for the set that will incur the best reductions. (2) Efficient algorithms are needed to minimize LTS for sharp bisimilarity; they could probably be obtained by adapting the known algorithms for strong and divbranching minimizations (at least using some kind of signaturebased partition refinement algorithm in the style of Blom et al. [3] [4] [5] in a first step), but this remains to be done.

Partial model checking

Selective mu-calculus and formula-based equivalence of transition systems

A Distributed Algorithm for Strong Bisimulation Reduction of State Spaces

Distributed State Space Minimization

Distributed branching bisimulation minimization by inductive signatures

Grid'5000: A large scale and highly reconfigurable experimental grid testbed

Safety for branching time semantics

A Theory of Communicating Sequential Processes

Reference Manual of the LNT to LOTOS Translator (Version

Enhancing Compositional Reachability Analysis with Context Constraints

Automatic verification of finite-state concurrent systems using temporal logic specifications

Smart Reduction

Three logics for branching bisimulation

On the Fly" Verification of Behavioural Equivalences and Preorders

Propositional dynamic logic of regular programs

Nested-Unit Petri Nets

SVL: a Scripting Language for Compositional Verification

Compositional Verification of Asynchronous Concurrent Systems Using CADP

CADP 2011: A Toolbox for the Construction and Analysis of Distributed Processes

Branching-Time and Abstraction in Bisimulation Semantics (extended abstract). CS R8911, Centrum voor Wiskunde en Informatica, Amsterdam (1989), also in proc

Branching bisimilarity with explicit divergence

Computation tree logic with deadlock detection

Branching Time and Abstraction in Bisimulation Semantics

Compositional Minimization of Finite State Systems

An o(m log n) algorithm for computing stuttering equivalence and branching bisimulation

The Syntax and Semantics of μCRL

Confluence for process verification

State space reduction using partial τ -confluence

LOTOS -A Formal Description Technique Based on the Temporal Ordering of Observational Behaviour. International Standard 8807, International Organization for Standardization -Information Processing Systems -Open Systems Interconnection

International Standard 15437:2001, International Organization for Standardization -Information Technology

Results on the propositional μ-calculus

Compositional State Space Generation from LOTOS Programs

EXP.OPEN 2.0: A Flexible Tool Integrating Partial Order, Compositional, and On-the-fly Verification Methods

Partial Model Checking using Networks of Labelled Transition Systems and Boolean Equation Systems

Compositional verification of concurrent systems by combining bisimulations

A Tool for Hierarchical Design and Simulation of Concurrent Systems

Property-Dependent Reductions Adequate with Divergence-Sensitive Branching Bisimilarity

Communication and Concurrency

Action versus State based Logics for Transition Systems

Concurrency and Automata on Infinite Sequences

In transition from global to modular temporal reasoning about programs. Logic and Models of Concurrent Systems

Compositional model checking is lively -extended version

An Algorithmic Procedure for Checking Safety Properties of Protocols

Propositional dynamic logic of looping and converse

An Incremental Approach to Reachability Analysis of Distributed Programs

Hierarchy-Based Incremental Reachability Analysis of Communication Protocols

Compositional State Space Generation

Next-preserving branching bisimulation

Compositional Reachability Analysis Using Process Algebra

Weak confluence and τ -inertness

Acknowledgements. The authors thank Hubert Garavel, who triggered our collaboration between Grenoble and Pisa, and Wendelin Serwe for his comments on earlier versions of this paper. They also thank the anonymous referees for the pertinence of their comments, which allowed significant improvements of this paper.

Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.