Checking Deadlock-Freedom of Parametric Component-Based Systems
Abstract
We propose an automated method for computing inductive invariants used for proving deadlock freedom of parametric component-based systems. The method generalizes the approach for computing structural trap invariants from bounded to parametric systems with general architectures. It symbolically extracts trap invariants from interaction formulae defining the system architecture. The paper presents the theoretical foundations of the method, including new results for the first order monadic logic, and proves its soundness. It also reports on a preliminary experimental evaluation on several textbook examples.
Modern computing systems exhibit dynamic and reconfigurable behavior. To tackle the complexity of such systems, engineers extensively use architectures that enforce, by construction, essential properties, such as fault tolerance or mutual exclusion. Architectures can be viewed as parametric operators that take as arguments instances of components of given types and enforce a characteristic property. For instance, client-server architectures enforce atomicity and resilience of transactions, for any numbers of clients and servers. Similarly, token-ring architectures enforce mutual exclusion between any number of components in the ring.
Parametric verification is an extremely relevant and challenging problem in systems engineering. In contrast to the verification of bounded systems, consisting of a known set of components, there exist no general methods and tools successfully applied to parametric systems. Verification problems for very simple parametric systems, even with finite-state components, are typically intractable [10, 16]. Most work in this area puts emphasis on limitations determined mainly by three criteria: (1) the topology of the architecture, (2) the coordination primitives, and (3) the properties to be verified.
The main decidability results reduce parametric verification to the verification of a bounded number of instances of finite state components. Several methods try to determine a cutoff size of the system, i.e. the minimal size for which if a property holds, then it holds for any size, e.g. Suzuki [20], Emerson and Namjoshi [15]. Other methods identify systems with well-structured transition relations, for which symbolic enumeration of reachable states is feasible [1] or reduce to known decidable problems, such as reachability in vector addition systems [16]. Typically, these methods apply to systems with global coordination. When theoretical decidability is not of concern, semi-algorithmic techniques such as regular model checking [2, 17], SMT-based bounded model checking [3, 14], abstraction [8, 11] and automata learning [13] can be used to deal with more general classes of systems. The interested reader can find a complete survey on parameterized model checking by Bloem et al. [10].
This paper takes a different angle of attack to the verification problem, seeking generality of the type of parametric systems and focusing on the verification of a particular but essential property: deadlock-freedom. The aim is to come up with effective methods for checking deadlock-freedom, by overcoming the complexity blowup stemming from the effective generation of reachability sets. We briefly describe our approach below.
For instance, the bounded system in Fig. 1a consists of component types Semaphore, with one instance, and Task, with two instances. A semaphore goes from the free state r to the taken state s by an acquire action a, and vice versa from s to r by a release action e. A task goes from waiting w to busy u by action b and vice versa, by action f. For the bounded system in Fig. 1a, the interactions are \(\{ a,b_1 \}, \{ a,b_2 \}, \{ e,f_1 \}\) and \(\{ e,f_2 \}\), depicted with dashed lines. Since the number of instances is known in advance, we can view an interaction as a minimal satisfying valuation of the boolean formula \(\varGamma = (a\wedge b_1) \vee (a\wedge b_2) \vee (e\wedge f_1) \vee (e\wedge f_2)\), where the port symbols are propositional variables. Because every instance has finitely many states, we can write a boolean formula \(\varDelta = [\lnot r \vee \lnot (w_1 \vee w_2)] \wedge [\lnot s \vee \lnot (u_1 \vee u_2)]\), this time over propositional state variables, which defines the configurations in which all interactions are disabled (deadlock). Proving that no deadlock configuration is reachable from the initial configuration \(r \wedge w_1 \wedge w_2\) requires finding an over-approximation (invariant) I of the reachable configurations, such that the conjunction \(I \wedge \varDelta \) is not satisfiable.
The basic idea of our method, supported by the D-Finder deadlock detection tool [9] for bounded component-based systems, is to compute an invariant straight from the interaction formula, without going through costly abstract fixpoint iterations. The invariants we are looking for are in fact solutions of a system of boolean constraints \(\varTheta ({\varGamma })\), of size linear in the size of \(\varGamma \) (written in DNF). In our example, \(\varTheta ({\varGamma }) = \bigwedge _{i=1,2} (r \vee w_i) \leftrightarrow (s \vee u_i)\). Finding the (minimal) solutions of this constraint can be done, as currently implemented in D-Finder, by exhaustive model enumeration using a SAT solver. Here we propose a more efficient solution, which consists in writing \(\varTheta ({\varGamma })\) in DNF and removing the negative literals from each minterm. In our case, this gives the invariant \(I = (r \vee s) \wedge \bigwedge _{i=1,2} (w_i \vee u_i) \wedge (r \vee u_1 \vee u_2) \wedge (s \vee w_1 \vee w_2)\) and \(I \wedge \varDelta \) is proved unsatisfiable using a SAT solver.
The main contribution of this paper is the generalization of this invariant generation method to the parametric case. To understand the problem, consider the parametric system from Fig. 1, in which a Semaphore interacts with n Tasks, where \(n>0\) is not known in advance. The interactions are described by a fragment of first order logic, in which the ports are either propositional or monadic predicate symbols, in our case \(\varGamma = a \wedge \exists i ~.~ b(i) \vee e \wedge \exists i ~.~ f(i)\). This logic, called Monadic Interaction Logic (\(\mathsf {MIL}\)), is also used to express the constraints \(\varTheta ({\varGamma })\) and compute their solutions. In our case, we obtain \(I = (r \vee s) \wedge [\forall i ~.~ w(i) \vee u(i)] \wedge [r \vee \exists i~.~u(i)] \wedge [s \vee \exists i~.~w(i)]\). As in the bounded case, we can give a parametric description of deadlock configurations \(\varDelta = [\lnot r \vee \lnot \exists i ~.~ w(i)] \wedge [\lnot s \vee \lnot \exists i ~.~ u(i)]\) and prove that \(I \wedge \varDelta \) is unsatisfiable, using the decidability of \(\mathsf {MIL}\), based on an early small model property result due to Löwenheim [19]. In practice, we avoid the model enumeration suggested by this result and check the satisfiability of such queries using a decidable theory of sets with cardinality constraints [18], available in the CVC4 SMT solver [4].
The paper is structured as follows: Sect. 1 presents existing results for checking deadlock-freedom of bounded systems using invariants, Sect. 2 formalizes the approach for computing invariants using \(\mathsf {MIL}\), Sect. 3 introduces cardinality constraints for invariant generation, Sect. 4 presents the integration of the above results within a verification technique for parametric systems and Sect. 5 reports on preliminary experiments carried out with a prototype tool. Finally, Sect. 6 presents concluding remarks and future work directions. For reasons of space, all proofs are given in [12].
1 Bounded Component-Based Systems
A component is a tuple \(\mathcal {C}= \langle \mathsf {P}, \mathsf {S}, {s_0}, \varDelta \rangle \), where \(\mathsf {P}= \{ p,q,r,\ldots \}\) is a finite set of ports, \(\mathsf {S}\) is a finite set of states, \({s_0}\in \mathsf {S}\) is an initial state and \(\varDelta \subseteq \mathsf {S}\times \mathsf {P}\times \mathsf {S}\) is a set of transitions written \(s \xrightarrow {{\scriptscriptstyle p}}_{{\scriptscriptstyle }} s'\). To simplify the technical details, we assume there are no two different transitions with the same port, i.e. if \(s_1 \xrightarrow {{\scriptscriptstyle p_1}}_{{\scriptscriptstyle }} s'_1, s_2 \xrightarrow {{\scriptscriptstyle p_2}}_{{\scriptscriptstyle }} s'_2 \in \varDelta \) and \(s_1 \ne s_2\) or \(s'_1 \ne s'_2\) then \(p_1 \ne p_2\). In general, this restriction can be lifted, at the cost of cluttering the presentation.
A bounded system \(\mathcal {S}= \langle {\mathcal {C}}^{\scriptscriptstyle {{1}}}, \ldots , {\mathcal {C}}^{\scriptscriptstyle {{n}}},\varGamma \rangle \) consists of a fixed number (n) of components \({\mathcal {C}}^{\scriptscriptstyle {{k}}} = \langle {\mathsf {P}}^{\scriptscriptstyle {{k}}}, {\mathsf {S}}^{\scriptscriptstyle {{k}}}, {{s_0}}^{\scriptscriptstyle {{k}}}, {\varDelta }^{\scriptscriptstyle {{k}}} \rangle \) and an interaction formula \(\varGamma \), describing the allowed interactions. Since the number of components is known in advance, we write interaction formulae using boolean logic over the set of propositional variables \(\mathsf {BVar}\,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\,\bigcup _{k=1}^n({\mathsf {P}}^{\scriptscriptstyle {{k}}} \cup {\mathsf {S}}^{\scriptscriptstyle {{k}}})\). Here we intentionally use the names of states and ports as propositional variables.
A boolean interaction formula is either \(a \in \mathsf {BVar}\), \(f_1 \wedge f_2\) or \(\lnot f_1\), where \(f_i\) are formulae, for \(i=1,2\), respectively. We define the usual shorthands \(f_1 \vee f_2\, {\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\,\lnot (\lnot f_1 \wedge \lnot f_2)\), \(f_1 \rightarrow f_2\,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\,\lnot f_1 \vee f_2\), \(f_1 \leftrightarrow f_2\,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\,(f_1 \rightarrow f_2) \wedge (f_2 \rightarrow f_1)\). A literal is either a variable or its negation and a minterm is a conjunction of literals. A formula is in disjunctive normal form (DNF) if it is written as \(\bigvee _{i=1}^n\bigwedge _{j=1}^{m_i} \ell _{ij}\), where \(\ell _{ij}\) is a literal. A formula is positive if and only if each variable occurs under an even number of negations, or, equivalently, its DNF form contains no negative literals. We assume interaction formulae of bounded systems to be always positive.
A Boolean Valuation \(\beta : \mathsf {BVar}\rightarrow \{ \top ,\bot \}\) maps each propositional variable to either true (\(\top \)) or false (\(\bot \)). We write \(\beta \,\models \,f\) if and only if \(f\,=\,\top \), when replacing each boolean variable a with \(\beta (a)\) in f. We say that \(\beta \) is a model of f in this case and write \(f \equiv g\) for \(\mathbf{[\![}f \mathbf{]\!]} = \mathbf{[\![}g \mathbf{]\!]}\), where \(\mathbf{[\![}f \mathbf{]\!]}\,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\,\{ \beta \mid \beta \,\models \,f \}\). Given two valuations \(\beta _1\) and \(\beta _2\) we write \(\beta _1 \subseteq \beta _2\) if and only if \(\beta _1(a) = \top \) implies \(\beta _2(a) = \top \), for each variable \(a \in \mathsf {BVar}\). We write \(f \equiv ^{\mathrm {\mu }}g\) for \(\mathbf{[\![}f \mathbf{]\!]}^{\mathrm {\mu }}=\mathbf{[\![}g \mathbf{]\!]}^{\mathrm {\mu }}\), where \(\mathbf{[\![}f \mathbf{]\!]}^{\mathrm {\mu }}\,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\,\{ \beta \in \mathbf{[\![}f \mathbf{]\!]} \mid \text { for all } \beta ':~ \beta ' \subseteq \beta \text { and } \beta ' \ne \beta \text { only if } \beta ' \not \in \mathbf{[\![}f \mathbf{]\!]} \}\) is the set of minimal models of f.
1.1 Execution Semantics of Bounded Systems
A marking for a PN \(N= \langle S,T,E \rangle \) is a function \(\mathrm {m}\) assigning a natural number \(\mathrm {m}(s)\) to each place \(s \in S\). A marked Petri net is a pair \(\mathcal {N}=(N,\mathrm {m}_0)\), where \(\mathrm {m}_0\) is the initial marking of \(N= \langle S,T,E \rangle \). We consider that the reader is familiar with the standard execution semantics of a marked PN. A marking \(\mathrm {m}\) is reachable in \(\mathcal {N}\) if and only if there exists a sequence of transitions leading from \(\mathrm {m}_0\) to \(\mathrm {m}\). We denote by \(\mathcal {R}({\mathcal {N}})\) the set of reachable markings of \(\mathcal {N}\). A set of markings \(\mathcal {M}\) is an invariant of \(\mathcal {N}=(N,\mathrm {m}_0)\) if and only if \(\mathrm {m}_0 \in \mathcal {M}\) and \(\mathcal {M}\) is closed under the transitions of \(N\). A marked PN \(\mathcal {N}\) is 1-safe if \(\mathrm {m}(s) \le 1\), for each \(s \in S\) and each \(\mathrm {m}\in \mathcal {R}({\mathcal {N}})\). In the following, we consider only marked PNs that are 1-safe. In this case, any (necessarily finite) set of reachable markings can be defined by a boolean formula, which identifies markings with the induced boolean valuations. A marking \(\mathrm {m}\) is a deadlock if no transition is enabled in \(\mathrm {m}\), and we let \(\mathcal {D}({\mathcal {N}})\) be the set of deadlocks of \(\mathcal {N}\). A marked PN \(\mathcal {N}\) is deadlock-free if and only if \(\mathcal {R}({\mathcal {N}}) \cap \mathcal {D}({\mathcal {N}}) = \emptyset \). A sufficient condition for deadlock freedom is \(\mathcal {M} \cap \mathcal {D}({\mathcal {N}}) = \emptyset \), for some invariant \(\mathcal {M}\) of \(\mathcal {N}\).
In the rest of this section, we fix a bounded system \(\mathcal {S}= \langle {\mathcal {C}}^{\scriptscriptstyle {{1}}}, \ldots , {\mathcal {C}}^{\scriptscriptstyle {{n}}},\varGamma \rangle \), where \({\mathcal {C}}^{\scriptscriptstyle {{k}}} = \langle {\mathsf {P}}^{\scriptscriptstyle {{k}}}, {\mathsf {S}}^{\scriptscriptstyle {{k}}}, {{s_0}}^{\scriptscriptstyle {{k}}}, {\varDelta }^{\scriptscriptstyle {{k}}} \rangle \), for all \(k \in [1,n]\) and \(\varGamma \) is a positive boolean formula, over propositional variables denoting ports. The set of executions of \(\mathcal {S}\) is given by the 1-safe marked PN \(\mathcal {N}_\mathcal {S}= (N,\mathrm {m}_0)\), where \(N=(\bigcup _{i=1}^n {\mathsf {S}}^{\scriptscriptstyle {{i}}},T,E)\), \(\mathrm {m}_0(s)=1\) if and only if \(s \in \{ {{s_0}}^{\scriptscriptstyle {{i}}} \mid i\in [1,n] \}\) and \(T\), \(E\) are as follows. For each minimal model \(\beta \in \mathbf{[\![}\varGamma \mathbf{]\!]}^{\mathrm {\mu }}\), we have a transition \(\mathfrak {t}_\beta \in T\) and edges \((s_i, \mathfrak {t}_\beta ), (\mathfrak {t}_\beta , s'_i) \in E\), for all \(i \in [1,n]\) such that \(s_i \xrightarrow {{\scriptscriptstyle p_i}}_{{\scriptscriptstyle }} s'_i \in {\varDelta }^{\scriptscriptstyle {{i}}}\) and \(\beta (p_i) = \top \). Moreover, nothing else is in T or E.
For example, the marked PN from Fig. 2 describes the set of executions of the bounded system from Fig. 1a. Note that each transition of the PN corresponds to a minimal model of the interaction formula \(\varGamma = a\wedge b_1 \vee a\wedge b_2 \vee e\wedge f_1 \vee e\wedge f_2\), or equivalently, to the set of (necessarily positive) literals of some minterm in the DNF of \(\varGamma \).
1.2 Proving Deadlock Freedom of Bounded Systems
A bounded system \(\mathcal {S}\) is deadlock-free if and only if its corresponding marked PN \(\mathcal {N}_\mathcal {S}\) is deadlock-free. In the following, we prove deadlock-freedom of a bounded system by defining a class of invariants that are particularly useful for excluding unreachable deadlock markings.
Given a Petri Net \(N= (S, T, E)\), a set of places \(W \subseteq S\) is called a trap if and only if Open image in new window . A trap W of \(N\) is a marked trap of the marked PN \(\mathcal {N}= (N,\mathrm {m}_0)\) if and only if \(\mathrm {m}_0(s)=\top \) for some \(s \in W\). A minimal marked trap is a marked trap such that none of its strict subsets is a marked trap. A marked trap defines an invariant of the PN because some place in the trap will always be marked, no matter which transition is fired. The trap invariant of \(\mathcal {N}\) is the least set of markings that mark each trap of \(\mathcal {N}\). Clearly, the trap invariant of \(\mathcal {N}\) subsumes the set of reachable markings of \(\mathcal {N}\), because the latter is the least invariant of \(\mathcal {N}\) and invariants are closed under intersection^{1}.
Lemma 1
Lemma 2
Let \(\mathcal {S}\) be a bounded system with interaction formula \(\varGamma \) and \(\beta \) be a boolean valuation. Then \(\beta \in \mathbf{[\![}\varTheta ({\varGamma }) \wedge Init ({\mathcal {S}}) \mathbf{]\!]}\) iff \(\{ s \mid \beta (s) = \top \}\) is a marked trap of \(\mathcal {N}_\mathcal {S}\). Moreover, \(\beta \in \mathbf{[\![}\varTheta ({\varGamma }) \wedge Init ({\mathcal {S}}) \mathbf{]\!]}^{\mathrm {\mu }}\) iff \(\{ s \mid \beta (s) = \top \}\) is a minimal marked trap of \(\mathcal {N}_\mathcal {S}\).
Because \(\varTheta ({\varGamma })\) and \( Init ({\mathcal {S}})\) are boolean formulae, it is, in principle, possible to compute the trap invariant \( Trap ({\mathcal {N}_\mathcal {S}})\) by enumerating the (minimal) models of \(\varTheta ({\varGamma }) \wedge Init ({\mathcal {S}})\) and applying the definition from Lemma 1. However, model enumeration is inefficient and, moreover, does not admit generalization for the parametric case, in which the size of the system is unknown. For these reasons, we prefer a computation of the trap invariant, based on two symbolic transformations of boolean formulae, described next.
For a formula f we denote by \({f}^+\) the positive formula obtained by deleting all negative literals from the DNF of f. We shall call this operation positivation. Second, for a positive boolean formula f, we define the dual formula \(\left( {f}\right) ^{\sim }\) recursively on the structure of f, as follows: \(\left( {f_1 \wedge f_2}\right) ^{\sim } \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, {f_1}^{\sim } \vee {f_2}^{\sim }\), \(\left( {f_1 \vee f_2}\right) ^{\sim } \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, {f_1}^{\sim } \wedge {f_2}^{\sim }\) and \({a}^{\sim } \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, a\), for any \(a \in \mathsf {BVar}\). Note that \({f}^{\sim }\) is equivalent to the negation of the formula obtained from f by substituting each variable a with \(\lnot a\) in f.
The following theorem gives the main result of this section, the symbolic computation of the trap invariant of a bounded system, directly from its interaction formula.
Theorem 1
Intuitively, any satisfying valuation of \(\varTheta ({\varGamma }) \wedge Init ({\mathcal {S}})\) defines an initially marked trap of \(\mathcal {N}_\mathcal {S}\) and a minimal such valuation defines a minimal such trap (Lemma 2). Instead of computing the minimal satisfying valuations by model enumeration, we directly cast the above formula in DNF and remove the negative literals. This is essentially because the negative literals do not occur in the propositional definition of a set of places^{4}. Then the dualization of this positive formula yields the trap invariants in CNF, as a conjunction over disjunctions of propositional variables corresponding to the places inside a minimal initially marked trap.
Like any other invariant, trap invariants can be used to prove absence of deadlocks in a bounded system. Assuming, as before, that the interaction formula is given in DNF as \(\varGamma = \bigvee _{k=1}^N\bigwedge _{\ell =1}^{M_k} p_{k\ell }\), we define the set of deadlock markings of \(\mathcal {N}_\mathcal {S}\) by the formula \(\varDelta ({\varGamma })\). This is the set of configurations in which all interactions are disabled. With this definition, proving deadlock freedom amounts to proving unsatisfiability of a boolean formula.
Corollary 1
A bounded system \(\mathcal {S}\) with interaction formula \(\varGamma \) is deadlock-free if the boolean formula \(\left( {{[\varTheta ({\varGamma }) \wedge Init ({\mathcal {S}})]}^+}\right) ^{\sim } \wedge \varDelta ({\varGamma })\) is unsatisfiable.
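As an added, self-contained illustration (not code from the paper or from D-Finder), the following Python script runs the pipeline of this section on the Semaphore/Task system of Fig. 1a: it builds \(\varTheta ({\varGamma }) \wedge Init ({\mathcal {S}})\) from the component transitions, reading \(\varTheta ({\varGamma })\) as one implication per interaction (some source state of a participating port marked implies some target state marked, which yields exactly the \(\leftrightarrow \) constraints quoted in the introduction for this example), computes its DNF, positivates and dualizes it, and checks \(I \wedge \varDelta ({\varGamma })\) by enumerating markings in place of a SAT solver. The second system, two tasks taking two semaphores in opposite orders, is a constructed variant on which the check does not go through.

```python
from functools import reduce
from itertools import product

# Formulas are nested tuples: ('var', name), ('not', f), ('and', f, g), ('or', f, g).
def var(n): return ('var', n)
def neg(f): return ('not', f)
def land(*fs): return reduce(lambda a, b: ('and', a, b), fs)
def lor(*fs): return reduce(lambda a, b: ('or', a, b), fs)
def implies(f, g): return lor(neg(f), g)

def dnf(f, pol=True):
    """DNF of f (of its negation when pol is False) as a set of consistent
    minterms; a minterm is a frozenset of (variable, polarity) literals."""
    tag = f[0]
    if tag == 'var':
        return {frozenset([(f[1], pol)])}
    if tag == 'not':
        return dnf(f[1], not pol)
    if (tag == 'and') == pol:   # conjunction (De Morgan under negation): distribute,
        return {a | b for a in dnf(f[1], pol) for b in dnf(f[2], pol)   # dropping a ^ not a
                if not any((n, not p) in b for n, p in a)}
    return dnf(f[1], pol) | dnf(f[2], pol)   # disjunction: union of the minterm sets

def positivate(minterms):
    """(.)^+ : delete the negative literals of every minterm."""
    return {frozenset(n for n, p in m if p) for m in minterms}

def dualize(positive_dnf):
    """(.)~ on a positive DNF: swap and/or, so every minterm becomes a CNF clause.
    A clause that is a superset of another clause is implied by it and dropped."""
    return {c for c in positive_dnf if not any(d < c for d in positive_dnf)}

def ports(components):
    """port -> (source state, target state), over all components."""
    return {p: st for _, trans in components.values() for p, st in trans.items()}

def trap_invariant(components, interactions):
    """Trap invariant as a set of CNF clauses over state variables, computed
    symbolically from the interaction formula: ([Theta ^ Init]^+)~."""
    pp = ports(components)
    # Theta(Gamma), one constraint per interaction (PN transition): if the source state
    # of some participating port is marked, some target state is marked, so a token
    # leaving the trap is replaced. Assumed reading; for Fig. 1a it gives (r v w_i) <-> (s v u_i).
    theta = land(*(implies(lor(*(var(pp[p][0]) for p in inter)),
                           lor(*(var(pp[p][1]) for p in inter))) for inter in interactions))
    init = lor(*(var(s0) for s0, _ in components.values()))   # some initial state marked
    return dualize(positivate(dnf(land(theta, init))))

def deadlock_formula(components, interactions):
    """Delta(Gamma): all interactions disabled, i.e. every interaction has a
    participating port whose source state is unmarked."""
    pp = ports(components)
    return land(*(lor(*(neg(var(pp[p][0])) for p in inter)) for inter in interactions))

def holds(f, val):
    tag = f[0]
    if tag == 'var': return val[f[1]]
    if tag == 'not': return not holds(f[1], val)
    if tag == 'and': return holds(f[1], val) and holds(f[2], val)
    return holds(f[1], val) or holds(f[2], val)

def proves_deadlock_freedom(components, interactions):
    """Corollary 1: the system is deadlock-free if I ^ Delta(Gamma) is unsatisfiable.
    Markings are enumerated here in place of a SAT solver; False means 'not proved
    by the trap invariant', not 'a deadlock is reachable'."""
    states = sorted({s for st in ports(components).values() for s in st})
    inv = trap_invariant(components, interactions)
    delta = deadlock_formula(components, interactions)
    for bits in product([False, True], repeat=len(states)):
        val = dict(zip(states, bits))
        if all(any(val[s] for s in c) for c in inv) and holds(delta, val):
            return False
    return True

# Constructed input following Fig. 1a: one Semaphore and two Tasks.
# component -> (initial state, {port: (source state, target state)})
SEM_TASKS = {
    'Semaphore': ('r', {'a': ('r', 's'), 'e': ('s', 'r')}),
    'Task1': ('w1', {'b1': ('w1', 'u1'), 'f1': ('u1', 'w1')}),
    'Task2': ('w2', {'b2': ('w2', 'u2'), 'f2': ('u2', 'w2')}),
}
# Gamma = (a ^ b1) v (a ^ b2) v (e ^ f1) v (e ^ f2), as the list of its minterms.
SEM_GAMMA = [{'a', 'b1'}, {'a', 'b2'}, {'e', 'f1'}, {'e', 'f2'}]
# Constructed variant (not from the paper): two tasks acquire semaphores A and B in
# opposite orders and release both at once, the textbook lock-order deadlock.
TWO_SEMS = {
    'SemA': ('ra', {'aa': ('ra', 'sa'), 'ea': ('sa', 'ra')}),
    'SemB': ('rb', {'ab': ('rb', 'sb'), 'eb': ('sb', 'rb')}),
    'Task1': ('w1', {'g1': ('w1', 'h1'), 'k1': ('h1', 'u1'), 'f1': ('u1', 'w1')}),
    'Task2': ('w2', {'g2': ('w2', 'h2'), 'k2': ('h2', 'u2'), 'f2': ('u2', 'w2')}),
}
TWO_SEMS_GAMMA = [{'aa', 'g1'}, {'ab', 'k1'}, {'ea', 'eb', 'f1'},
                  {'ab', 'g2'}, {'aa', 'k2'}, {'ea', 'eb', 'f2'}]

if __name__ == '__main__':
    print('I =', sorted(map(sorted, trap_invariant(SEM_TASKS, SEM_GAMMA))))
    print('Fig. 1a proved deadlock-free:', proves_deadlock_freedom(SEM_TASKS, SEM_GAMMA))
    print('Two-semaphore variant proved:', proves_deadlock_freedom(TWO_SEMS, TWO_SEMS_GAMMA))
```

The computed clauses for Fig. 1a are exactly the five minimal marked traps given as I in the introduction; for the two-semaphore variant the reachable marking with both semaphores taken and both tasks holding one satisfies I and \(\varDelta ({\varGamma })\), so the method does not prove deadlock freedom there.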
2 Parametric Component-Based Systems
From now on we shall focus on parametric systems, consisting of a fixed set of component types \({\mathcal {C}}^{\scriptscriptstyle {{1}}}, \ldots , {\mathcal {C}}^{\scriptscriptstyle {{n}}}\), such that the number of instances of each type is not known in advance. These numbers are given by a function \(\mathsf {M}\), where \(\mathsf {M}(k)\) denotes the number of components of type \({\mathcal {C}}^{\scriptscriptstyle {{k}}}\) that are active in the system. To simplify the technical presentation of the results, we assume that all instances of a component type are created at once, before the system is started^{5}. For the rest of this section, we fix a parametric system \(\mathcal {S}= \langle {\mathcal {C}}^{\scriptscriptstyle {{1}}}, \ldots , {\mathcal {C}}^{\scriptscriptstyle {{n}}}, \mathsf {M}, \varGamma \rangle \), where each component type \({\mathcal {C}}^{\scriptscriptstyle {{k}}} = \langle {\mathsf {P}}^{\scriptscriptstyle {{k}}}, {\mathsf {S}}^{\scriptscriptstyle {{k}}}, {{s_0}}^{\scriptscriptstyle {{k}}}, {\varDelta }^{\scriptscriptstyle {{k}}} \rangle \) has the same definition as a component in a bounded system and \(\varGamma \) is an interaction formula, written in the fragment of first order logic, defined next.
2.1 Monadic Interaction Logic

\(\mathfrak {U}\,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, [1,\max _{k=1}^n \mathsf {M}({k})]\) is the universe of instances, over which variables range,

\(\nu : \mathsf {Var}\rightarrow \mathfrak {U}\) is a valuation mapping variables to elements of the universe,

\(\iota : \mathsf {Pred}\rightarrow 2^{\mathfrak {U}}\) is an interpretation of predicates as subsets of the universe.
Structures are partially ordered by pointwise inclusion, i.e. for \(\mathcal {I}_i=(\mathfrak {U},\nu _i,\iota _i)\), for \(i=1,2\), we write \(\mathcal {I}_1 \subseteq \mathcal {I}_2\) iff \(\iota _1(p) \subseteq \iota _2(p)\), for all \(p \in \mathsf {Pred}\) and \(\mathcal {I}_1 \subset \mathcal {I}_2\) iff \(\mathcal {I}_1 \subseteq \mathcal {I}_2\) and \(\mathcal {I}_1 \ne \mathcal {I}_2\). As before, we define the sets \(\mathbf{[\![}\phi \mathbf{]\!]} = \{ \mathcal {I}\mid \mathcal {I}\,\models \,\phi \}\) and \(\mathbf{[\![}\phi \mathbf{]\!]}^{\mathrm {\mu }} = \{ \mathcal {I}\in \mathbf{[\![}\phi \mathbf{]\!]} \mid \forall \mathcal {I}' ~.~ \mathcal {I}' \subset \mathcal {I}\rightarrow \mathcal {I}' \not \in \mathbf{[\![}\phi \mathbf{]\!]} \}\) of models and minimal models of a \(\mathsf {MIL}\) formula, respectively. Given formulae \(\phi _1\) and \(\phi _2\), we write \(\phi _1 \equiv \phi _2\) for \(\mathbf{[\![}\phi _1 \mathbf{]\!]} = \mathbf{[\![}\phi _2 \mathbf{]\!]}\) and \(\phi _1 \equiv ^{\mathrm {\mu }}\phi _2\) for \(\mathbf{[\![}\phi _1 \mathbf{]\!]}^{\mathrm {\mu }} = \mathbf{[\![}\phi _2 \mathbf{]\!]}^{\mathrm {\mu }}\).
2.2 Execution Semantics of Parametric Systems
Example 1
The execution semantics of a parametric system \(\mathcal {S}\) is the marked PN \(\mathcal {N}_\mathcal {S}= (N,\mathrm {m}_0)\), where \(N = (\bigcup _{k=1}^n {\mathsf {S}}^{\scriptscriptstyle {{k}}} \times [1,\mathsf {M}({k})], T, E)\), \(\mathrm {m}_0(({{s_0}}^{\scriptscriptstyle {{k}}}, i)) = 1\), for all \(k \in [1,n]\) and \(i \in [1,\mathsf {M}({k})]\), and the sets of transitions T and edges E are defined next. For each minimal model \(\mathcal {I}= (\mathfrak {U},\nu ,\iota ) \in \mathbf{[\![}\varGamma \mathbf{]\!]}^{\mathrm {\mu }}\), we have a transition \(\mathfrak {t}_\mathcal {I}\in T\) and the edges \(((s_i,k),\mathfrak {t}_\mathcal {I}), (\mathfrak {t}_\mathcal {I},(s'_i,k)) \in E\) for all \(i \in [1,n]\) such that \(s_i \xrightarrow {{\scriptscriptstyle p_i}}_{{\scriptscriptstyle }} s'_i \in {\varDelta }^{\scriptscriptstyle {{i}}}\) and \(k \in \iota (p_i)\). Moreover, nothing else is in T or E.
As a remark, unlike in the case of bounded systems, the size of the marked PN \(\mathcal {N}_\mathcal {S}\), that describes the execution semantics of a parametric system \(\mathcal {S}\), depends on the maximum number of instances of each component type. The definition of the trap invariant \( Trap ({\mathcal {N}_\mathcal {S}})\) is the same as in the bounded case, except that, in this case, the size of the boolean formula depends on the (unbounded) number of instances in the system. The challenge, addressed in the following, is to define trap invariants using \(\mathsf {MIL}\) formulae of a fixed size.
2.3 Computing Parametric Trap Invariants
Example 2
We define a translation of \(\mathsf {MIL}\) formulae into boolean formulae of unbounded size. Given a function \(\mathsf {M}\) as above, the unfolding of a \(\mathsf {MIL}\) sentence \(\phi \) is the boolean formula \(\mathrm {B}_{{\mathsf {M}}}\left( {\phi }\right) \) obtained by replacing each existential [universal] quantifier \(\exists i ~.~ \psi (i)\) [\(\forall i ~.~ \psi (i)\)], for \(i \in {\mathsf {Var}}^{\scriptscriptstyle {{k}}}\), by a finite disjunction [conjunction] \(\bigvee _{\ell =1}^{\mathsf {M}(k)} \psi [\ell /i]\) [\(\bigwedge _{\ell =1}^{\mathsf {M}(k)} \psi [\ell /i]\)], where the substitution of the constant \(\ell \in [1,\mathsf {M}(k)]\) for the variable i is defined recursively as usual, except for \(\mathsf {pr}(i)[\ell /i] \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, (\mathsf {pr},\ell )\), which is a propositional variable. Further, we relate structures to boolean valuations of unbounded sizes. For a structure \(\mathcal {I}= (\mathfrak {U},\nu ,\iota )\) we define the boolean valuation \(\beta _\mathcal {I}((\mathsf {pr},\ell )) = \top \) if and only if \(\ell \in \iota (\mathsf {pr})\), for each predicate symbol \(\mathsf {pr}\) and each integer constant \(\ell \). Conversely, for each valuation \(\beta \) of the propositional variables \((\mathsf {pr},\ell )\), there exists a structure \(\mathcal {I}_\beta = (\mathfrak {U},\nu ,\iota )\) such that \(\iota (\mathsf {pr}) \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, \{ \ell \mid \beta ((\mathsf {pr},\ell ))=\top \}\), for each \(\mathsf {pr}\in \mathsf {Pred}\). The following lemma relates the semantics of \(\mathsf {MIL}\) formulae with that of their boolean unfoldings:
Lemma 3
 1. for each structure \(\mathcal {I}\in \mathbf{[\![}\phi \mathbf{]\!]}\), we have \(\beta _\mathcal {I}\in \mathbf{[\![}\mathrm {B}_{{\mathsf {M}}}\left( {\phi }\right) \mathbf{]\!]}\) and conversely, for each valuation \(\beta \in \mathbf{[\![}\mathrm {B}_{{\mathsf {M}}}\left( {\phi }\right) \mathbf{]\!]}\), we have \(\mathcal {I}_\beta \in \mathbf{[\![}\phi \mathbf{]\!]}\).
 2. for each structure \(\mathcal {I}\in \mathbf{[\![}\phi \mathbf{]\!]}^{\mathrm {\mu }}\), we have \(\beta _\mathcal {I}\in \mathbf{[\![}\mathrm {B}_{{\mathsf {M}}}\left( {\phi }\right) \mathbf{]\!]}^{\mathrm {\mu }}\) and conversely, for each valuation \(\beta \in \mathbf{[\![}\mathrm {B}_{{\mathsf {M}}}\left( {\phi }\right) \mathbf{]\!]}^{\mathrm {\mu }}\), we have \(\mathcal {I}_\beta \in \mathbf{[\![}\phi \mathbf{]\!]}^{\mathrm {\mu }}\).
Considering the \(\mathsf {MIL}\) formula \( Init ({\mathcal {S}}) \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, \bigvee _{k=1}^n \exists i_k ~.~ {{s_0}}^{\scriptscriptstyle {{k}}}(i_k)\), that defines the set of initial configurations of a parametric system \(\mathcal {S}\), the following lemma formalizes the intuition behind the definition of parametric trap constraints:
Lemma 4
Let \(\mathcal {S}\) be a parametric system with interaction formula \(\varGamma \) and \(\mathcal {I}\) be a structure. Then \(\mathcal {I}\,\models \,\varTheta ({\varGamma }) \wedge Init ({\mathcal {S}})\) iff \(\{ (s,k) \mid k \in \iota (s) \}\) is a marked trap of \(\mathcal {N}_{\mathcal {S}}\). Moreover, \(\mathcal {I}\in \mathbf{[\![}\varTheta ({\varGamma }) \wedge Init ({\mathcal {S}}) \mathbf{]\!]}^{\mathrm {\mu }}\) iff \(\{ (s,k) \mid k \in \iota (s) \}\) is a minimal marked trap of \(\mathcal {N}_{\mathcal {S}}\).
We are currently left with the task of computing a \(\mathsf {MIL}\) formula which defines the trap invariant \( Trap ({\mathcal {N}_\mathcal {S}})\) of a parametric component-based system \(\mathcal {S}=\langle {\mathcal {C}}^{\scriptscriptstyle {{1}}}, \ldots , {\mathcal {C}}^{\scriptscriptstyle {{n}}}, \mathsf {M}, \varGamma \rangle \). The difficulty lies in the fact that the size of \(\mathcal {N}_\mathcal {S}\) and thus, that of the boolean formula \( Trap ({\mathcal {N}_\mathcal {S}})\) depends on the number \(\mathsf {M}({k})\) of instances of each component type \(k \in [1,n]\). As we aim at computing an invariant able to prove safety properties, such as deadlock freedom, independently of how many components are present in the system, we must define the trap invariant using a formula depending exclusively on \(\varGamma \), i.e. not on \(\mathsf {M}\).
Theorem 2
3 Cardinality Constraints
This section is concerned with the definition of a positivation operator \({(\cdot )}^\oplus \) for \(\mathsf {MIL}\) sentences, whose only requirements are that \({\phi }^\oplus \) is positive and \(\phi \equiv ^{\mathrm {\mu }}{\phi }^\oplus \). For this purpose, we use a logic of quantifier-free boolean cardinality constraints [4, 18] as an intermediate language, in which the positive formulae are defined. The translation of \(\mathsf {MIL}\) into cardinality constraints is done by an equivalence-preserving quantifier elimination procedure, described in Sect. 3.1. As a by-product, since the satisfiability of quantifier-free cardinality constraints is \(\mathsf {NP}\)-complete [18] and integrated with SMT [4], we obtain a practical decision procedure for \(\mathsf {MIL}\) that does not use model enumeration, as suggested by the small model property [19]. Finally, the definition of a positive \(\mathsf {MIL}\) formula from a boolean combination of quantifier-free cardinality constraints is given in Sect. 3.2.
3.1 Quantifier Elimination
 1. if \(i_1=i_j\) is a consequence of \(\theta _k\), for some \(j>1\), let \(\mathrm {qe}({\exists i_1 ~.~ \theta _k}) \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, \theta _k[i_j/i_1]\).
 2. else, \(\theta _k = \bigwedge _{j \in J_k} \lnot i_1 = i_j \wedge t_k(i_1)\) for some \(J_k \subseteq [2,m]\) and boolean term \(t_k\), and let:$$\begin{array}{rcl} \mathrm {qe}({\exists i_1 ~.~ \theta _k}) &{} \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, &{} \mathop {\bigwedge }\nolimits _{J \subseteq J_k} \Big [\mathrm {distinct}\big (\{i_j\}_{j\in J}\big ) \wedge \mathop {\bigwedge }\nolimits _{j \in J} t_k(i_j)\Big ] \rightarrow \left| {t_k}\right| \ge \left| {J}\right| +1 \\ \mathrm {qe}({\phi }) &{} \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, &{} \mathop {\bigvee }\nolimits _{k \in K} \varphi _k \wedge \mathrm {qe}({\exists i_1 ~.~ \theta _k}) \end{array}$$
Universal quantification is dealt with using the duality \(\mathrm {qe}({\forall i_1 ~.~ \psi }) \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, \lnot \mathrm {qe}({\exists i_1 ~.~ \lnot \psi })\). For a prenex formula \(\phi = Q_n i_n \ldots Q_1 i_1 ~.~ \psi \), where \(Q_1, \ldots , Q_n \in \{ \exists ,\forall \}\) and \(\psi \) is quantifier-free, we define recursively \(\mathrm {qe}({\phi }) \,{\mathop {=}\limits ^{\scriptscriptstyle {\mathsf {def}}}}\, \mathrm {qe}({Q_n i_n ~.~ \mathrm {qe}({Q_{n-1} i_{n-1} \ldots Q_1 i_1 ~.~ \psi })})\). It is easy to see that, if \(\phi \) is a sentence, \(\mathrm {qe}({\phi })\) is a boolean combination of cardinality constraints. The correctness of the construction is a consequence of the following lemma:
Lemma 5
Given a \(\mathsf {MIL}\) formula \(\phi =Q_n i_n \ldots Q_1 i_1 ~.~ \psi \), where \(Q_1, \ldots , Q_n \in \{ \forall ,\exists \}\) and \(\psi \) is a quantifier-free conjunction of equality and predicate atoms, we have \(\phi \equiv \mathrm {qe}({\phi })\).
Example 3
3.2 Building Positive Formulae that Preserve Minimal Models
Let \(\phi \) be a \(\mathsf {MIL}\) formula, not necessarily positive. We shall build a positive formula \({\phi }^\oplus \), such that \(\phi \equiv ^{\mathrm {\mu }}{\phi }^\oplus \). By the result of the last section, \(\phi \) is equivalent to a boolean combination of cardinality constraints \(\mathrm {qe}({\phi })\), obtained by quantifier elimination. Thus we assume w.l.o.g. that the DNF of \(\phi \) is a disjunction of conjunctions of the form \(\bigwedge _{i \in L} \left |{t_i}\right | \ge \ell _i \wedge \bigwedge _{j \in U} \left |{t_j}\right | \le u_j\), for some sets of indices L, U and some positive integers \(\{\ell _i\}_{i \in L}\) and \(\{u_j\}_{j \in U}\).
For a boolean combination of cardinality constraints \(\psi \), we denote by \(\mathrm {P}({\psi })\) the set of predicate symbols that occur in a boolean term of \(\psi \) and by \(\mathrm {P}^+({\psi })\) (\(\mathrm {P}^-({\psi })\)) the set of predicate symbols that occur under an even (odd) number of negations in \(\psi \). The following proposition allows us to restrict the form of \(\phi \) even further, without losing generality:
Proposition 1
 1. \({(\phi _1 \vee \phi _2)}^\oplus \equiv ^{\mathrm {\mu }}{\phi _1}^\oplus \vee {\phi _2}^\oplus \),
 2. \({(\phi _1 \wedge \phi _2)}^\oplus \equiv ^{\mathrm {\mu }}{\phi _1}^\oplus \wedge {\phi _2}^\oplus \), provided that \(\mathrm {P}({\phi _1}) \cap \mathrm {P}({\phi _2}) = \emptyset \).
From now on, we assume that \(\phi \) is a conjunction of cardinality constraints that cannot be split as \(\phi = \phi _1 \wedge \phi _2\), such that \(\mathrm {P}({\phi _1}) \cap \mathrm {P}({\phi _2}) = \emptyset \).
Notice that restricting the sets of predicates in \(\mathcal {S}_t\) to subsets of \(\mathrm {P}({\phi })\), instead of the entire set of predicates, allows us to apply Proposition 1 and reduce the number of complete minterms to be considered. That is, whenever possible, we write each minterm \(\bigwedge _{i \in L} \left |{t_i}\right | \ge \ell _i \wedge \bigwedge _{j \in U} \left |{t_j}\right | \le u_j\) in the DNF of \(\phi \) as \(\psi _1 \wedge \ldots \wedge \psi _k\), such that \(\mathrm {P}({\psi _i}) \cap \mathrm {P}({\psi _j}) = \emptyset \) for all \(1 \le i < j \le k\). In practice, this optimisation turns out to be quite effective, as shown by the small execution times of our test cases, reported in Sect. 5.
 - for each \(\tau \in \mathcal {L}^+({\phi })\), we have \(\left |{\tau }\right | \ge k \equiv \exists i_1 \ldots \exists i_k ~.~ \mathrm {distinct}(i_1,\ldots ,i_k) \wedge \bigwedge _{j=1}^k \tau (i_j)\) and
 - for each \(\tau \in \mathcal {L}^-({\phi })\), we have \(\left |{\tau }\right | \le k \equiv \forall i_1 \ldots \forall i_{k+1} ~.~ \mathrm {distinct}(i_1,\ldots ,i_{k+1}) \rightarrow \bigvee _{j=1}^{k+1} \lnot \tau (i_j)\).
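The two equivalences above, and the quantifier elimination rule of Sect. 3.1 they are the converse of, are exactly the kind of claim that is cheap to cross-check by brute force on small finite structures before trusting an implementation of the translation. The following Python script is an added example (not code from the paper or from the BIP tool chain): it enumerates every interpretation of two monadic predicates \(a, b\) over a universe of size n, and checks (i) an instance of Lemma 5, namely that case 2 of qe applied to \(\exists i_1 ~.~ \lnot i_1 = i_2 \wedge \lnot i_1 = i_3 \wedge t(i_1)\) with \(t = a \wedge \lnot b\) agrees with the direct semantics for every valuation of the free variables \(i_2, i_3\), and (ii) that \(\left |{\tau }\right | \ge k\) and \(\left |{\tau }\right | \le k\) agree with their quantified positive forms for \(\tau = a \vee b\). The choice of terms, universe sizes and bound \(k \le 3\) is the example's own.

```python
r"""Finite-model cross-check of two equivalences behind Sect. 3 (added example,
not code from the paper).  Structures have universe {0, ..., n-1}; a monadic
predicate is interpreted as a frozenset of elements; a boolean term is a
Python function element -> bool."""
from itertools import combinations, permutations, product


def all_structures(n, preds):
    """Yield every interpretation of the predicate symbols `preds` over range(n)."""
    subsets = [frozenset(s) for r in range(n + 1)
               for s in combinations(range(n), r)]
    for choice in product(subsets, repeat=len(preds)):
        yield dict(zip(preds, choice))


def card(term, n):
    """|t|: number of universe elements satisfying the boolean term t."""
    return sum(1 for x in range(n) if term(x))


# Sect. 3.1, case 2 of qe: theta = AND_{j in J} not(i_1 = i_j) AND t(i_1), where
# the i_j (j in J) are free.  `free` holds the values assigned to those i_j.

def exists_lhs(n, term, free):
    """Direct semantics of  exists i_1 . AND_j not(i_1 = i_j) AND t(i_1)."""
    return any(term(x) and all(x != c for c in free) for x in range(n))


def qe_rhs(n, term, free):
    """qe(exists i_1 . theta): for every subset J of the free variables,
    distinct({i_j : j in J}) AND AND_{j in J} t(i_j)  ->  |t| >= |J| + 1."""
    m = card(term, n)
    for r in range(len(free) + 1):
        for J in combinations(range(len(free)), r):
            vals = [free[j] for j in J]
            distinct = len(set(vals)) == len(vals)
            if distinct and all(term(c) for c in vals) and m < len(vals) + 1:
                return False
    return True


def check_qe(n):
    """Instance of Lemma 5 for t(i) = a(i) AND not b(i) with two free variables
    i_2, i_3: True iff both sides agree on every structure and valuation."""
    for S in all_structures(n, ("a", "b")):
        def t(x):
            return x in S["a"] and x not in S["b"]
        for free in product(range(n), repeat=2):
            if exists_lhs(n, t, free) != qe_rhs(n, t, free):
                return False
    return True


# Sect. 3.2: the two cardinality constraints written back as positive MIL.

def lower_bound_as_mil(n, tau, k):
    """exists i_1 .. i_k . distinct(i_1, .., i_k) AND AND_{j=1}^k tau(i_j)"""
    return any(all(tau(x) for x in tup) for tup in permutations(range(n), k))


def upper_bound_as_mil(n, tau, k):
    """forall i_1 .. i_{k+1} . distinct(..) -> OR_{j=1}^{k+1} not tau(i_j)"""
    return all(any(not tau(x) for x in tup)
               for tup in permutations(range(n), k + 1))


def check_bounds(n, kmax=3):
    """True iff |tau| >= k and |tau| <= k agree with their quantified forms on
    every structure, for tau(i) = a(i) OR b(i) and 0 <= k <= kmax."""
    for S in all_structures(n, ("a", "b")):
        def tau(x):
            return x in S["a"] or x in S["b"]
        m = card(tau, n)
        for k in range(kmax + 1):
            if (m >= k) != lower_bound_as_mil(n, tau, k):
                return False
            if (m <= k) != upper_bound_as_mil(n, tau, k):
                return False
    return True


if __name__ == "__main__":
    for n in range(1, 4):
        print(f"n={n}: Lemma 5 instance {check_qe(n)}, bounds {check_bounds(n)}")
```

The enumeration is exhaustive for the chosen universe sizes, so a `False` from either check would exhibit a concrete counter-model; by the small model property cited in the text, agreement on small universes is precisely what such a translation has to deliver. Note that `permutations` handles the corner case \(k > n\) without special treatment: the existential form becomes false and the universal form vacuously true, matching \(\left |{\tau }\right | \ge k\) and \(\left |{\tau }\right | \le k\).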
The following lemma proves that the above definition meets the second requirement of positivation operators, concerning the preservation of minimal models.
Lemma 6
Given \(\mathcal {P}\) a finite set of monadic predicate symbols and \(\{\ell _S\}_{S \subseteq \mathcal {P}}\), \(\{u_S\}_{S \subseteq \mathcal {P}}\) sets of constants, for any conjunction \(C = \bigwedge \{ \ell _S \le \left |{t_{S}^{\scriptscriptstyle {\mathcal {P}}}}\right | \wedge \left |{t_{S}^{\scriptscriptstyle {\mathcal {P}}}}\right | \le u_S \mid S \subseteq \mathcal {P} \}\), we have \(C \equiv ^{\mathrm {\mu }}{C}^\oplus \).
Example 4 (contd. from Example 3).
4 Proving Deadlock Freedom of Parametric Systems
Corollary 2
The satisfiability check is carried out using the conversion to cardinality constraints via quantifier elimination (Sect. 3.1) and an effective set theory solver for cardinality constraints, implemented in the CVC4 SMT solver [6].
5 Experimental Results
Benchmarks
Table 1. Benchmarks: interaction formula, proof obligation generation time (\(t_{\mathrm {gen}}\)), CVC4 solving time (\(t_{\mathrm {smt}}\)) and result.

| example | interaction formula | \(t_{\mathrm {gen}}\) | \(t_{\mathrm {smt}}\) | result |
|---|---|---|---|---|
| task-sem 1/n | \(\exists i \exists j_1.~ a(i) \wedge b(j_1) ~\bigvee ~ \exists i \exists j_1.~ e(i) \wedge f(j_1)\) | 22 ms | 20 ms | unsat |
| task-sem 2/n | \(\exists i \exists j_1 \exists j_2.~ j_1 \not = j_2 \wedge a(i) \wedge b(j_1) \wedge b(j_2)~\bigvee ~ \exists i \exists j_1 \exists j_2.~ j_1 \not = j_2 \wedge e(i) \wedge f(j_1) \wedge f(j_2)\) | 34 ms | 40 ms | unsat |
| task-sem 3/n | \(\exists i \exists j_1 \exists j_2 \exists j_3.~ \mathrm {distinct}(j_1,j_2,j_3) \wedge a(i) \wedge b(j_1) \wedge b(j_2) \wedge b(j_3) ~\bigvee ~ \exists i \exists j_1 \exists j_2 \exists j_3.~ \mathrm {distinct}(j_1,j_2,j_3) \wedge e(i) \wedge f(j_1) \wedge f(j_2) \wedge f(j_3)\) | 73 ms | 40 ms | unsat |
| broadcast 2/n | \(\exists i_1 \exists i_2.~ i_1 \not = i_2 \wedge b(i_1) \wedge b(i_2) ~\wedge ~ \forall j.~ j\ne i_1 \wedge j \ne i_2 \rightarrow a(j) ~\bigvee ~ \exists i.~ f(i)\) | 14 ms | 20 ms | unsat |
| broadcast 3/n | \(\exists i_1 \exists i_2 \exists i_3.~ \mathrm {distinct}(i_1,i_2,i_3) \wedge b(i_1) \wedge b(i_2) \wedge b(i_3) ~\wedge ~ \forall j.~ j \ne i_1 \wedge j \ne i_2 \wedge j \ne i_3 \rightarrow a(j) ~\bigvee ~ \exists i.~ f(i)\) | 409 ms | 20 ms | unsat |
| sync 1/n | \(\exists i.~ b(i) ~\bigvee ~ \forall i.~ f(i)\) | 5 ms | 20 ms | unsat |
| sync 2/n | \(\exists i_1 \exists i_2.~ i_1 \not =i_2 \wedge b(i_1) \wedge b(i_2) ~\bigvee ~ \forall i.~ f(i)\) | 7 ms | 50 ms | sat |
| sync 3/n | \(\exists i_1 \exists i_2 \exists i_3.~ \mathrm {distinct}(i_1,i_2,i_3) \wedge b(i_1) \wedge b(i_2) \wedge b(i_3) ~\bigvee ~ \forall i.~ f(i)\) | 11 ms | 40 ms | sat |
All experiments were carried out on an Intel(R) Xeon(R) CPU @ 2.00 GHz virtual machine with 4 GB of RAM. Table 1 shows separately the times needed to generate the proof obligations (trap invariants and deadlock states) from the interaction formulae and the times needed by CVC4 1.7 to show unsatisfiability or come up with a model. All systems considered for which deadlock freedom could not be shown using our method have a real deadlock scenario that manifests only under certain modulo constraints on the number n of instances. These constraints cannot be captured by \(\mathsf {MIL}\) formulae, or, equivalently, by cardinality constraints, and would require cardinality constraints of the form \(\left |{t}\right | = n \mod m\), for some constants.
6 Conclusions
This work is part of a lasting research program on BIP linking two work directions: (1) recent work on modeling architectures using interaction logics, and (2) older work on verification by using invariants. Its rationale is to overcome as much as possible complexity and undecidability issues by proposing methods which are adequate for the verification of essential system properties.
The presented results are applicable to a large class of architectures characterized by \(\mathsf {MIL}\). A key technical result is the translation of \(\mathsf {MIL}\) formulas into cardinality constraints. This allows, on the one hand, the computation of the \(\mathsf {MIL}\) formula characterizing the minimal trap invariant. On the other hand, it provides a decision procedure for \(\mathsf {MIL}\) that leverages recent advances in SMT, implemented in the CVC4 solver [6].
Footnotes
 1. The intersection of two or more invariants is again an invariant.
 2. We have assumed that each port is associated with a unique transition rule.
 3. See [5] for a proof.
 4. If the DNF is \((p \wedge q) \vee (p \wedge \lnot r)\), the dualization would give \((p \vee q) \wedge (p \vee \lnot r)\). The first clause corresponds to the trap \(\{ p,q \}\) (either p or q is marked), but the second does not directly define a trap. However, by first removing the negative literals, we obtain the traps \(\{ p,q \}\) and \(\{ r \}\).
 5. This is not a limitation, since dynamic instance creation can be simulated by considering that all instances are initially in a waiting state, which is left as a result of an interaction involving a designated “spawn” port.
 6. Throughout this paper, we consider that \(\bigwedge _{i \in I} \phi _i = \top \) if \(I=\emptyset \).
 7. The constraints \(\left |{t}\right | \le u\) are dealt with as \(\lnot (\left |{t}\right | \ge u+1)\).
 8. Missing lower bounds \(\ell _S\) are replaced with 0 and missing upper bounds \(u_S\) with \(\infty \).
References
 1. Abdulla, P.A.: Well (and better) quasi-ordered transition systems. Bull. Symb. Log. 16(4), 457–515 (2010)
 2. Abdulla, P.A., Delzanno, G., Henda, N.B., Rezine, A.: Regular model checking without transducers (on efficient verification of parameterized systems). In: Grumberg, O., Huth, M. (eds.) TACAS 2007. LNCS, vol. 4424, pp. 721–736. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-71209-1_56
 3. Alberti, F., Ghilardi, S., Sharygina, N.: A framework for the verification of parameterized infinite-state systems. In: CEUR Workshop Proceedings, vol. 1195, pp. 302–308, January 2014
 4. Bansal, K., Reynolds, A., Barrett, C.W., Tinelli, C.: A new decision procedure for finite sets and cardinality constraints in SMT. In: Olivetti, N., Tiwari, A. (eds.) IJCAR 2016. LNCS (LNAI), vol. 9706, pp. 82–98. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-40229-1_7
 5. Barkaoui, K., Lemaire, B.: An effective characterization of minimal deadlocks and traps in Petri nets based on graph theory. In: 10th International Conference on Application and Theory of Petri Nets, ICATPN 1989, pp. 1–21 (1989)
 6. Barrett, C., et al.: CVC4. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 171–177. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22110-1_14
 7. Basu, A., et al.: Rigorous component-based system design using the BIP framework. IEEE Softw. 28(3), 41–48 (2011)
 8. Baukus, K., Bensalem, S., Lakhnech, Y., Stahl, K.: Abstracting WS1S systems to verify parameterized networks. In: Graf, S., Schwartzbach, M. (eds.) TACAS 2000. LNCS, vol. 1785, pp. 188–203. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-46419-0_14
 9. Bensalem, S., Bozga, M., Nguyen, T., Sifakis, J.: D-Finder: a tool for compositional deadlock detection and verification. In: Bouajjani, A., Maler, O. (eds.) CAV 2009. LNCS, vol. 5643, pp. 614–619. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02658-4_45
 10. Bloem, R., et al.: Decidability of Parameterized Verification. Synthesis Lectures on Distributed Computing Theory. Morgan & Claypool Publishers, San Rafael (2015)
 11. Bouajjani, A., Habermehl, P., Vojnar, T.: Abstract regular model checking. In: Alur, R., Peled, D.A. (eds.) CAV 2004. LNCS, vol. 3114, pp. 372–386. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-27813-9_29
 12. Bozga, M., Iosif, R., Sifakis, J.: Checking deadlock-freedom of parametric component-based systems. Technical report, arXiv:1805.10073 (2018)
 13. Chen, Y., Hong, C., Lin, A.W., Rümmer, P.: Learning to prove safety over parameterised concurrent systems. In: 2017 Formal Methods in Computer Aided Design, FMCAD 2017, Vienna, Austria, 2–6 October 2017, pp. 76–83 (2017)
 14. Conchon, S., Goel, A., Krstić, S., Mebsout, A., Zaïdi, F.: Cubicle: a parallel SMT-based model checker for parameterized systems. In: Madhusudan, P., Seshia, S.A. (eds.) Computer Aided Verification, pp. 718–724 (2012)
 15. Emerson, E.A., Namjoshi, K.S.: Reasoning about rings. In: POPL 1995 Proceedings, pp. 85–94 (1995)
 16. German, S.M., Sistla, A.P.: Reasoning about systems with many processes. J. ACM 39(3), 675–735 (1992)
 17. Kesten, Y., Maler, O., Marcus, M., Pnueli, A., Shahar, E.: Symbolic model checking with rich assertional languages. Theor. Comput. Sci. 256(1), 93–112 (2001)
 18. Kuncak, V., Nguyen, H.H., Rinard, M.C.: Deciding Boolean algebra with Presburger arithmetic. J. Autom. Reason. 36(3), 213–239 (2006)
 19. Löwenheim, L.: Über Möglichkeiten im Relativkalkül. Math. Ann. 76(4), 447–470 (1915)
 20. Suzuki, I.: Proving properties of a ring of finite-state machines. Inf. Process. Lett. 28(4), 213–214 (1988)
Copyright information
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.