Abstract Dependency Graphs and Their Application to Model Checking
 3 Citations
 4 Mentions
 6.2k Downloads
Abstract
Dependency graphs, invented by Liu and Smolka in 1998, are oriented graphs with hyperedges that represent dependencies among the values of the vertices. Numerous model checking problems are reducible to a computation of the minimum fixedpoint vertex assignment. Recent works successfully extended the assignments in dependency graphs from the Boolean domain into more general domains in order to speed up the fixedpoint computation or to apply the formalism to a more general setting of e.g. weighted logics. All these extensions require separate correctness proofs of the fixedpoint algorithm as well as a onepurpose implementation. We suggest the notion of abstract dependency graphs where the vertex assignment is defined over an abstract algebraic structure of Noetherian partial orders with the least element. We show that existing approaches are concrete instances of our general framework and provide an opensource C++ library that implements the abstract algorithm. We demonstrate that the performance of our generic implementation is comparable to, and sometimes even outperforms, dedicated specialpurpose algorithms presented in the literature.
1 Introduction
Dependency Graphs (DG) [1] have demonstrated a wide applicability with respect to verification and synthesis of reactive systems, e.g. checking behavioural equivalences between systems [2], model checking systems with respect to temporal logical properties [3, 4, 5], as well as synthesizing missing components of systems [6]. The DG approach offers a general and often performanceoptimal way to solve these problem. Most recently, the DG approach to CTL model checking of Petri nets [7], implemented in the model checker TAPAAL [8], won the gold medal at the annual Model Checking Contest 2018 [9].
A DG consists of a finite set of vertices and a finite set of hyperedges that connect a vertex to a number of children vertices. The computation problem is to find a pointwise minimal assignment of vertices to the Boolean values 0 and 1 such that the assignment is stable: whenever there is a hyperedge where all children have the value 1 then also the father of the hyperedge has the value 1. The main contribution of Liu and Smolka [1] is a lineartime, onthefly algorithm to find such a minimum stable assignment.
Recent works successfully extend the DG approach from the Boolean domain to more general domains, including synthesis for timed systems [10], model checking for weighted systems [3] as well as probabilistic systems [11]. However, each of these extensions have required separate correctness arguments as well as adhoc specialized implementations that are to a large extent similar with other implementations of dependency graphs (as they are all based on the general principle of computing fixed points by local exploration). The contribution of our paper is a notion of Abstract Dependency Graph (ADG) where the values of vertices come from an abstract domain given as an Noetherian partial order (with least element). As we demonstrate, this notion of ADG covers many existing extensions of DG as concrete instances. Finally, we implement our abstract algorithms in C++ and make it available as an opensource library. We run a number of experiments to justify that our generic approach does not sacrifice any significant performance and sometimes even outperforms existing implementations.
Related Work. The aim of Liu and Smolka [1] was to find a unifying formalism allowing for a local (onthefly) fixedpoint algorithm running in linear time. In our work, we generalize their formalism from the simple Boolean domain to general Noetherian partial orders over potentially infinite domains. This requires a nontrivial extension to their algorithm and the insight of how to (in the general setting) optimize the performance, as well as new proofs of the more general loop invariants and correctness arguments.
Recent extensions of the DG framework with certainzero [7], integer [3] and even probabilistic [11] domains generalized Liu and Smolka’s approach, however they become concrete instances of our abstract dependency graphs. The formalism of Boolean Equation Systems (BES) provides a similar and independently developed framework [12, 13, 14, 15] predating that of DG. However, BES may be encoded as DG [1] and hence they also become an instance of our abstract dependency graphs.
2 Preliminaries
A set D together with a binary relation \(\sqsubseteq \, \subseteq D\times D\) that is reflexive (\(x \sqsubseteq x\) for any \(x \in D\)), transitive (for any \(x, y, z \in D\), if \(x \sqsubseteq y\) and \(y \sqsubseteq x\) then also \(x \sqsubseteq z\)) and antisymmetric (for any \(x, y \in D\), if \(x \sqsubseteq y\) and \(y \sqsubseteq x\) then \(x = y\)) is called a partial order and denoted as a pair \((D, \sqsubseteq )\). We write \(x \sqsubset y\) if \(x \sqsubseteq y\) and \(x \ne y\). A function \(f: D \rightarrow D'\) from a partial order \((D, \sqsubseteq )\) to a partial order \((D',\sqsubseteq ')\) is monotonic if whenever \(x \sqsubseteq y\) for \(x, y \in D\) then also \(f(x) \sqsubseteq ' f(y)\). We shall now define a particular partial order that will be used throughout this paper.
Definition 1
(NOR). Noetherian Ordering Relation with least element (NOR) is a triple \(\mathcal {D}= (D, \sqsubseteq , \bot )\) where \((D, \sqsubseteq )\) is a partial order, \(\bot \in D\) is its least element such that for all \(d \in D\) we have \(\bot \sqsubseteq d\), and \(\sqsubseteq \) satisfies the ascending chain condition: for any infinite chain \({d_1 \sqsubseteq d_2 \sqsubseteq d_3 \sqsubseteq \dots }\) there is an integer k such that \(d_k = d_{k+j}\) for all \(j > 0\).
We can notice that any finite partial order with a least element is a NOR; however, there are also such relations with infinitely many elements in the domain as shown by the following example.
Example 1
Consider the partial order \(\mathcal {D}= (\mathbb {N}^0 \, \cup \, \{\infty \}, \ge , \infty )\) over the set of natural numbers extended with \(\infty \) and the natural largerthanorequal comparison on integers. As the relation is reversed, this implies that \(\infty \) is the least element of the domain. We observe that \(\mathcal {D}\) is NOR. Consider any infinite sequence \(d_1 \ge d_2 \ge d_3 \dots \). Then either \(d_i = \infty \) for all i, or there exists i such that \(d_i \in \mathbb {N}^0\). Clearly, the sequence must in both cases eventually stabilize, i.e. there is a number k such that \(d_k = d_{k+j}\) for all \(j>0\).
New NORs can be constructed by using the Cartesian product. Let \(\mathcal {D}_i = (D_i, \sqsubseteq _i, \bot _i)\) for all i, \(1 \le i \le n\), be NORs. We define \(\mathcal {D}^n = (D^n, \sqsubseteq ^n, \bot ^n)\) such that \(D^n = D_1\times D_2 \times \cdots \times D_n\) and where \((d_1, \dots , d_n) \sqsubseteq ^n (d'_1, \dots , d'_n)\) if \(d_i \sqsubseteq _i d'_i\) for all i, \(1 \le i \le k\), and where \(\bot ^n = (\bot _1, \dots , \bot _n)\).
Proposition 1
Let \(\mathcal {D}_i \) be a NOR for all i, \(1 \le i \le n\). Then \(\mathcal {D}^n = (D^n, \sqsubseteq ^n, \bot ^n)\) is also a NOR.
In the rest of this paper, we consider only NOR \((D, \sqsubseteq , \bot )\) that are effectively computable, meaning that the elements of D can be represented by finite strings, and that given the finite representations of two elements x and y from D, there is an algorithm that decides whether \(x \sqsubseteq y\). Similarly, we consider only functions \(f: D \rightarrow D'\) from an effectively computable NOR \((D,\sqsubseteq ,\bot )\) to an effectively computable NOR \((D',\sqsubseteq ',\bot ')\) that are effectively computable, meaning that there is an algorithm that for a given finite representation of an element \(x \in D\) terminates and returns the finite representation of the element \(f(x) \in D'\). Let \(\mathcal {F}(\mathcal {D}, n)\), where \(\mathcal {D}=(D,\sqsubseteq ,\bot )\) is an effectively computable NOR and n is a natural number, stand for the collection of all effectively computable functions \(f: D^n \rightarrow D\) of arity n and let \(\mathcal {F}(\mathcal {D}) = \bigcup _{n\ge 0} \mathcal {F}(\mathcal {D}, n)\) be a collection of all such functions.
For a set X, let \(X^*\) be the set of all finite strings over X. For a string \(w \in X^*\) let w denote the length of w and for every i, \(1 \le i \le w\), let \(w^i\) stand for the i’th symbol in w.
3 Abstract Dependency Graphs
We are now ready to define the notion of an abstract dependency graph.
Definition 2

V is a finite set of vertices,

\(E: V \rightarrow V^*\) is an edge function from vertices to sequences of vertices such that \(E(v)^i \not = E(v)^j\) for every \(v \in V\) and every \(1 \le i<j \le E(v)\), i.e. the codomain of E contains only strings over V where no symbol appears more than once,

\(\mathcal {D}\) is an effectively computable NOR, and

\(\mathcal {E}\) is a labelling function \(\mathcal {E}: V \rightarrow \mathcal {F}(\mathcal {D})\) such that \(\mathcal {E}(v) \in \mathcal {F}(\mathcal {D}, {\vert E(v) \vert })\) for each \(v \in V\), i.e. each edge E(v) is labelled by an effectively computable function f of arity that corresponds to the length of the string E(v).
Example 2
An example of ADG over the NOR \(\mathcal {D}= (\{0, 1\}, \{(0,1)\}, 0)\) is shown in Fig. 1a. Here 0 (interpreted as false) is below the value 1 (interpreted as true) and the monotonic functions for vertices are displayed as vertex annotations. For example \(E(A)=B \cdot C \cdot D\) and \(\mathcal {E}(A)\) is a ternary function such that \(\mathcal {E}(A)(x,y,z)=x \vee (y \wedge z)\), and \(E(B)=\epsilon \) (empty sequence of vertices) such that \(\mathcal {E}(B)=1\) is a constant labelling function. Clearly, all functions used in our example are monotonic and effectively computable.
Let us now assume a fixed ADG \(G = (V, E, \mathcal {D}, \mathcal {E})\) over an effectively computable NOR \(\mathcal {D}= (D, \sqsubseteq , \bot )\). We first define an assignment of an ADG.
Definition 3
(Assignment). An assignment on G is a function \(A: V \rightarrow D\).
The set of all assignments is denoted by \(\mathcal {A}\). For \(A,A' \in \mathcal {A}\) we define \(A \le A'\) iff \(A(v) \sqsubseteq A'(v)\) for all \(v \in V\). We also define the bottom assignment \(A_\bot (v) = \bot \) for all \(v \in V\) that is the least element in the partial order \((\mathcal {A}, \le )\). The following proposition is easy to verify.
Proposition 2
The partial order \((\mathcal {A}, \le , A_\bot )\) is a NOR.
Finally, we define the minimum fixedpoint assignment Open image in new window for a given ADG \(G= (V, E, \mathcal {D}, \mathcal {E})\) as the minimum fixed point of the function \(F: \mathcal {A}\rightarrow \mathcal {A}\) defined as follows: \(F(A)(v) = \mathcal {E}(v)(A(v_1), A(v_2), \dots , A(v_k))\) where \(E(v) = v_1 v_2 \dots v_k\).
In the rest of this section, we shall argue that Open image in new window of the function \(F\) exists by following the standard reasoning about fixed points of monotonic functions [16].
Lemma 1
The function \(F\) is monotonic.
Let us define the notation of multiple applications of the function \(F\) by \(F^0 (A) = A\) and \(F^i (A) = F(F^{i1} (A))\) for \(i>0\).
Lemma 2
For all \(i \ge 0\) the assignment \(F^{i} (A_\bot )\) is effectively computable, \(F^{i} (A_\bot ) \le F^{j} (A_\bot )\) for all \(i \le j\), and there exists a number k such that \(F^{k} (A_\bot ) = F^{k+j} (A_\bot )\) for all \(j >0\).
We can now finish with the main observation of this section.
Theorem 1
There exists a number k such that Open image in new window for all \(j \ge k\).
Example 3
The computation of the minimum fixed point for our running example from Fig. 1a is given in Fig. 1b. We can see that starting from the assignment where all nodes take the least element value 0, in the first iteration all constant functions increase the value of the corresponding vertices to 1 and in the second iteration the value 1 propagates from the vertex B to A, because the function \(B \vee (C \wedge D)\) that is assigned to the vertex A evaluates to true due to the fact that \(F^{} (A_\bot )(B)=1\). On the other hand, the values of the vertices D and F keep the assignment 0 due to the cyclic dependencies between the two vertices. As \(F^{2} (A_\bot )=F^{3} (A_\bot )\), we know that we found the minimum fixed point.
As many natural verification problems can be encoded as a computation of the minimum fixed point on an ADG, the result in Theorem 1 provides an algorithmic way to compute such a fixed point and hence solve the encoded problem. The disadvantage of this global algorithm is that it requires that the whole dependency graph is a priory generated before the computation can be carried out and this approach is often inefficient in practice [3]. In the following section, we provide a local, onthefly algorithm for computing the minimum fixedpoint assignment of a specific vertex, without the need to always explore the whole abstract dependency graph.
4 OntheFly Algorithm for ADGs
The idea behind the algorithm is to progressively explore the vertices of the graph, starting from a given root vertex for which we want to find its value in the minimum fixedpoint assignment. To search the graph, we use a waiting list that contains configurations (vertices) whose assignment has the potential of being improved by applying the function \(\mathcal {E}\). By repeated applications of \(\mathcal {E}\) on the vertices of the graph in some order maintained by the algorithm, the minimum fixedpoint assignment for the root vertex can be identified without necessarily exploring the whole dependency graph.
To improve the performance of the algorithm, we make use of an optional userprovided function \( \textsc {Ignore} (A,v)\) that computes, given a current assignment A and a vertex v of the graph, the set of vertices on an edge E(v) whose current and any potential future value no longer effect the value of Open image in new window . Hence, whenever a vertex \(v'\) is in the set \( \textsc {Ignore} (A,v)\), there is no reason to explore the subgraph rooted by \(v'\) for the purpose of computing Open image in new window since an improved assignment value of \(v'\) cannot influence the assignment of v. The soundness property of the ignore function is formalized in the following definition. As before, we assume a fixed ADG \(G = (V, E, \mathcal {D}, \mathcal {E})\) over an effectively computable NOR \(\mathcal {D}= (D, \sqsubseteq , \bot )\).
Definition 4
Example 4
Consider the ADG from Fig. 1a in an assignment where the value of B is already known to be 1. As the vertex A has the labelling function \(B \, \vee \, (C \, \wedge \, D)\), we can see that the assignment of A will get the value 1, irrelevant of what are the assignments for the vertices C and D. Hence, in this assignment, we can move the vertices C and D to the ignore set of A and avoid the exploration of the subgraphs rooted by C and D.
The following lemma formalizes the fact that once the ignore function of a vertex contains all its children and the vertex value has been relaxed by applying the associated monotonic function, then its current assignment value is equal to the vertex value in the minimum fixedpoint assignment.
Lemma 3
Let A be an assignment such that Open image in new window . If \(v_i \in \textsc {Ignore} (A, v)\) for all \(1 \le i \le k\) where \(E(v) = v_1 \cdots v_k \) and \(A(v) = \mathcal {E}(v)(A(v_1), \dots , A(v_k))\) then Open image in new window .

A is the currently computed assignment that is initialized to \(A_\bot \),

W is the waiting list containing the set of pending vertices to be explored,

\( \textsc {Passed} \) is the set of explored vertices, and

\( Dep : V \rightarrow 2^V\) is a function that for each vertex v returns a subset of vertices that should be reevaluated whenever the assignment value of v improves.
The algorithm starts by inserting the root vertex \(v_0\) into the waiting list. In each iteration of the whileloop it removes a vertex v from the waiting list and performs a check whether there is some other vertex that depends on the value of v. If this is not the case, we are not going to explore the vertex v and recursively propagate this information to the children of v. After this, we try to improve the current assignment of A(v) and if this succeeds, we update the waiting list by adding all vertices that depend on the value of v to W, and we test if the algorithm can early terminate (should the root vertex \(v_0\) get its final value). Otherwise, if the vertex v has not been explored yet, we add all its children to the waiting list and update the dependencies. We shall now state the termination and correctness of our algorithm.
Lemma 4
(Termination). Algorithm 1 terminates.
Lemma 5
(Soundness). Algorithm 1 at all times satisfies Open image in new window .
Lemma 6
 1.
 2.
\(v \in W\), or
 3.
\(v \ne v_0\) and \( Dep (v) = \emptyset \), or
 4.
\(A(v)=\mathcal {E}(v)(A(v_1), \ldots , A(v_k))\) where \(v_1\cdots v_k = E(v)\) and for all i, \(1 \le i \le k\), whenever \(v_i \notin \textsc {Ignore} (A, v)\) then also \(v \in Dep (v_i)\).
Theorem 2
Algorithm 1 terminates and returns the value Open image in new window .
5 Applications of Abstract Dependency Graphs
We shall now describe applications of our general framework to previously studied settings in order to demonstrate the direct applicability of our framework. Together with an efficient implementation of the algorithm, this provides a solution to many verification problems studied in the literature. We start with the classical notion of dependency graphs suggested by Liu and Smolka.
5.1 Liu and Smolka Dependency Graphs
In the dependency graph framework introduced by Liu and Smolka [17], a dependency graph is represented as \(G = (V, H)\) where V is a finite set of vertices and \(H \subseteq V \times 2^V\) is the set of hyperedges. An assignment is a function \(A: V \rightarrow \{0,1\}\). A given assignment is a fixedpoint assignment if \((A)(v) = \max _{(v, T) \in H} \min _{v' \in T} A(v')\) for all \(v \in V\). In other words, A is a fixedpoint assignment if for every hyperedge (v, T) where \(T \subseteq V\) holds that if \(A(v')=1\) for every \(v' \in T\) then also \(A(v)=1\). Liu and Smolka suggest both a global and a local algorithm [17] to compute the minimum fixedpoint assignment for a given dependency graph.
5.2 CertainZero Dependency Graphs
Liu and Smolka’s onthefly algorithm for dependency graphs significantly benefits from the fact that if there is a hyperedge with all target vertices having the value 1 then this hyperedge can propagate this value to the source of the hyperedge without the need to explore the remaining hyperedges. Moreover, the algorithm can early terminate should the root vertex \(v_0\) get the value 1. On the other hand, if the final value of the root is 0 then the whole graph has to be explored and no early termination is possible. Recently, it has been noticed [19] that the speed of fixedpoint computation by Liu and Smolka’s algorithm can been considerably improved by considering also certainzero value in the assignment that can, in certain situations, propagate from children vertices to their parents and once it reaches the root vertex, the algorithm can early terminate.
5.3 Weighted Symbolic Dependency Graphs
In this section we show an application that instead of a finite NOR considers an ordering with infinitely many elements. This allows us to encode e.g. the model checking problem for weighted CTL logic as demonstrated in [3, 20]. The main difference, compared to the dependency graphs in Sect. 5.1, is the addition of coveredges and hyperedges with weight.
6 Implementation and Experimental Evaluation
The algorithm is implemented in C++ and the signature of the userprovided interface in order to use the framework is shown in Fig. 2. The structure ADG is the main interface the algorithm uses. It assumes the definition of the type Value that represents the NOR, and the type VertexRef that represents a lightweight reference to a vertex and the bottom element. The type aliased as VRA contains both a Value and a VertexRef and represents the assignment of a vertex. The user must also provide the implementation of the functions: initialVertex that returns the root vertex \(v_0\), getEdge that returns ordered successors for a given vertex, compute that computes \(\mathcal {E}(v)\) for a given assignment of v and its successors, and updateIgnored that receives the assignment of a vertex and its successors and sets the ignore flags.
6.1 Bisimulation Checking for CCS Processes
In our first experiment, we encode using ADG a number of weak bisimulation checking problems for the process algebra CCS. The encoding was described in [2] where the authors use classical Liu and Smolka’s dependency graphs to solve the problems and they also provide a C++ implementation (referred to as DG in the tables). We compare the verification time needed to answer both positive and negative instances of the test cases described in [2].
Figure 3 shows the results where DG refers to the implementation from [2] and ADG is our implementation using abstract dependency graphs. It displays the verification time in seconds and peak memory consumptions in MB for both implementations as well as the relative improvement in percents. We can see that the performance of both algorithms is comparable, slightly in favour of our algorithm, sometimes showing up to 103% speedup like in the case of nonbisimilar processes in leader election of size 8. For nonbisimilar processes modelling alternating bit protocol of size 5 we observe a 19% slowdown caused by the different search strategies so that the counterexample to bisimilarity is found faster by the implementation from [2]. Memorywise, the experiments are slightly in favour of our implementation.
6.2 CTL Model Checking of Petri Nets
The results comparing the speed of model checking are shown in Fig. 4. The 267 model checking executions are ordered by the ratio of the verification time of VerifyPN vs. our implementation referred to as ADG. In the table we show the best two instances for our tool, the middle seven instances and the worst two instances. The results significantly vary on some instances as both algorithms are onthefly with early termination and depending on the search strategy the verification times can be largely different. Nevertheless, we can observe that on the average (middle) experiment IOTPpurchasePTC05M04P03D02:13, we are 78% faster than VerifyPN. However, we can also notice that in the two worst cases, our implementation runs out of memory.
In Fig. 5 we present an analogous table for the peak memory consumption of the two algorithms. In the middle experiment ParamProductionCellPT4:13 we use 42% extra memory compared to VerifyPN. Hence we have a tradeoff between the verification speed and memory consumption where our implementation is faster but consumes more memory. We believe that this is due to the use of the waiting list where we store directly vertices (allowing for a fast access to their assignment), compared to storing references to hyperedges in the VerifyPN implementation (saving the memory). Given the 16 GB memory limit we used in our experiments, this results in the fact that we were able to solve only 144 instances, compared to 218 answers provided by VerifyPN and we run 102 times out of memory while VerifyPN did only 45 times.
6.3 Weighted CTL Model Checking
7 Conclusion
We defined a formal framework for minimum fixedpoint computation on dependency graphs over an abstract domain of Noetherian orderings with the least element. This framework generalizes a number of variants of dependency graphs recently published in the literature. We suggested an efficient, onthefly algorithm for computing the minimum fixedpoint assignment, including performance optimization features, and we proved the correctness of the algorithm.
On a number of examples, we demonstrated the applicability of our framework, showing that its performance is matching those of specialized algorithms already published in the literature. Last but not least, we provided an open source C++ library that allows the user to specify only a few domainspecific functions in order to employ the generic algorithm described in this paper. Experiential results show that we are competitive with e.g. the tool TAPAAL, winner of the 2018 Model Checking Contest in the CTL category [9], showing 78% faster performance on the median instance of the model checking problem, at the expense of 42% higher memory consumption.
In the future work, we shall apply our approach to other application domains (in particular probabilistic model checking), develop and test generic heuristic search strategies as well as provide a parallel/distributed implementation of our general algorithm (that is already available for some of its concrete instances [7, 23]) in order to further enhance the applicability of the framework.
Footnotes
 1.
During the experiments we turned off the query preprocessing using linear programming as it solves a large number of queries by applying logical equivalences instead of performing the statespace search that we are interested in.
Notes
Acknowledgments
The work was funded by the center IDEA4CPS, Innovation Fund Denmark center DiCyPS and ERC Advanced Grant LASSO. The last author is partially affiliated with FI MU in Brno.
References
 1.Liu, X., Smolka, S.A.: Simple lineartime algorithms for minimal fixed points (extended abstract). In: Larsen, K.G., Skyum, S., Winskel, G. (eds.) ICALP 1998. LNCS, vol. 1443, pp. 53–66. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055040CrossRefGoogle Scholar
 2.Dalsgaard, A.E., Enevoldsen, S., Larsen, K.G., Srba, J.: Distributed computation of fixed points on dependency graphs. In: Fränzle, M., Kapur, D., Zhan, N. (eds.) SETTA 2016. LNCS, vol. 9984, pp. 197–212. Springer, Cham (2016). https://doi.org/10.1007/9783319476773_13CrossRefGoogle Scholar
 3.Jensen, J.F., Larsen, K.G., Srba, J., Oestergaard, L.K.: Efficient model checking of weighted CTL with upperbound constraints. Int. J. Softw. Tools Technol. Transfer (STTT) 18(4), 409–426 (2016)CrossRefGoogle Scholar
 4.Keiren, J.J.A.: Advanced reduction techniques for model checking. Ph.D thesis, Eindhoven University of Technology (2013)Google Scholar
 5.Christoffersen, P., Hansen, M., Mariegaard, A., Ringsmose, J.T., Larsen, K.G., Mardare, R.: Parametric verification of weighted systems. In: André, É., Frehse, G. (eds.) SynCoP 2015, OASIcs, vol. 44, pp. 77–90. Schloss Dagstuhl–LeibnizZentrum fuer Informatik, Dagstuhl, Germany (2015)Google Scholar
 6.Larsen, K.G., Liu, X.: Equation solving using modal transition systems. In: Proceedings of the Fifth Annual Symposium on Logic in Computer Science (LICS 1990), Philadelphia, Pennsylvania, USA, 4–7 June 1990, pp. 108–117. IEEE Computer Society (1990)Google Scholar
 7.Dalsgaard, A.E., et al.: Extended dependency graphs and efficient distributed fixedpoint computation. In: van der Aalst, W., Best, E. (eds.) PETRI NETS 2017. LNCS, vol. 10258, pp. 139–158. Springer, Cham (2017). https://doi.org/10.1007/9783319578613_10CrossRefGoogle Scholar
 8.David, A., Jacobsen, L., Jacobsen, M., Jørgensen, K.Y., Møller, M.H., Srba, J.: TAPAAL 2.0: integrated development environment for timedarc Petri nets. In: Flanagan, C., König, B. (eds.) TACAS 2012. LNCS, vol. 7214, pp. 492–497. Springer, Heidelberg (2012). https://doi.org/10.1007/9783642287565_36CrossRefzbMATHGoogle Scholar
 9.Kordon, F., et al.: Complete Results for the 2018 Edition of the Model Checking Contest, June 2018. http://mcc.lip6.fr/2018/results.php
 10.Cassez, F., David, A., Fleury, E., Larsen, K.G., Lime, D.: Efficient onthefly algorithms for the analysis of timed games. In: Abadi, M., de Alfaro, L. (eds.) CONCUR 2005. LNCS, vol. 3653, pp. 66–80. Springer, Heidelberg (2005). https://doi.org/10.1007/11539452_9CrossRefGoogle Scholar
 11.Mariegaard, A., Larsen, K.G.: Symbolic dependency graphs for \(\text{ PCTL }^{>}_{\le }\) modelchecking. In: Abate, A., Geeraerts, G. (eds.) FORMATS 2017. LNCS, vol. 10419, pp. 153–169. Springer, Cham (2017). https://doi.org/10.1007/9783319657653_9CrossRefGoogle Scholar
 12.Larsen, K.G.: Efficient local correctness checking. In: von Bochmann, G., Probst, D.K. (eds.) CAV 1992. LNCS, vol. 663, pp. 30–43. Springer, Heidelberg (1993). https://doi.org/10.1007/3540564969_4CrossRefGoogle Scholar
 13.Andersen, H.R.: Model checking and boolean graphs. In: KriegBrückner, B. (ed.) ESOP 1992. LNCS, vol. 582, pp. 1–19. Springer, Heidelberg (1992). https://doi.org/10.1007/3540552537_1CrossRefGoogle Scholar
 14.Mader, A.: Modal \(\mu \)calculus, model checking and Gauß elimination. In: Brinksma, E., Cleaveland, W.R., Larsen, K.G., Margaria, T., Steffen, B. (eds.) TACAS 1995. LNCS, vol. 1019, pp. 72–88. Springer, Heidelberg (1995). https://doi.org/10.1007/3540606300_4CrossRefGoogle Scholar
 15.Mateescu, R.: Efficient diagnostic generation for Boolean equation systems. In: Graf, S., Schwartzbach, M. (eds.) TACAS 2000. LNCS, vol. 1785, pp. 251–265. Springer, Heidelberg (2000). https://doi.org/10.1007/3540464190_18CrossRefzbMATHGoogle Scholar
 16.Tarski, A.: A latticetheoretical fixpoint theorem and its applications. Pacific J. Math. 5(2), 285–309 (1955)MathSciNetCrossRefGoogle Scholar
 17.Liu, X., Ramakrishnan, C.R., Smolka, S.A.: Fully local and efficient evaluation of alternating fixed points. In: Steffen, B. (ed.) TACAS 1998. LNCS, vol. 1384, pp. 5–19. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054161CrossRefGoogle Scholar
 18.Andersen, H.R.: Model checking and boolean graphs. Theoret. Comput. Sci. 126(1), 3–30 (1994)MathSciNetCrossRefGoogle Scholar
 19.Dalsgaard, A.E., et al.: A distributed fixedpoint algorithm for extended dependency graphs. Fundamenta Informaticae 161(4), 351–381 (2018)MathSciNetCrossRefGoogle Scholar
 20.Jensen, J.F., Larsen, K.G., Srba, J., Oestergaard, L.K.: Local model checking of weighted CTL with upperbound constraints. In: Bartocci, E., Ramakrishnan, C.R. (eds.) SPIN 2013. LNCS, vol. 7976, pp. 178–195. Springer, Heidelberg (2013). https://doi.org/10.1007/9783642391767_12CrossRefGoogle Scholar
 21.Jensen, J.F., Nielsen, T., Oestergaard, L.K., Srba, J.: TAPAAL and reachability analysis of P/T nets. In: Koutny, M., Desel, J., Kleijn, J. (eds.) Transactions on Petri Nets and Other Models of Concurrency XI. LNCS, vol. 9930, pp. 307–318. Springer, Heidelberg (2016). https://doi.org/10.1007/9783662534014_16CrossRefGoogle Scholar
 22.Kordon, F., et al.: Complete Results for the 2016 Edition of the Model Checking Contest, June 2016. http://mcc.lip6.fr/2016/results.php
 23.Joubert, C., Mateescu, R.: Distributed local resolution of Boolean equation systems. In: 13th Euromicro Workshop on Parallel, Distributed and NetworkBased Processing (PDP 2005), 6–11 February 2005, Lugano, Switzerland, pp. 264–271. IEEE Computer Society (2005)Google Scholar
Copyright information
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.