Checking Qualitative Liveness Properties of Replicated Systems with Stochastic Scheduling
Abstract
We present a sound and complete method for the verification of qualitative liveness properties of replicated systems under stochastic scheduling. These are systems consisting of a finite-state program, executed by an unknown number of indistinguishable agents, where the next agent to make a move is determined by the result of a random experiment. We show that if a property of such a system holds, then there is always a witness in the shape of a Presburger stage graph: a finite graph whose nodes are Presburger-definable sets of configurations. Due to the high complexity of the verification problem (nonelementary), we introduce an incomplete procedure for the construction of Presburger stage graphs, and implement it on top of an SMT solver. The procedure makes extensive use of the theory of well-quasi-orders, and of the structural theory of Petri nets and vector addition systems. We apply our results to a set of benchmarks, in particular to a large collection of population protocols, a model of distributed computation extensively studied by the distributed computing community.
Keywords
Parameterized verification, Liveness, Stochastic systems
1 Introduction
Replicated systems consist of a fully symmetric finite-state program executed by an unknown number of indistinguishable agents, communicating by rendezvous or via shared variables [14, 16, 41, 46]. Examples include distributed protocols and multithreaded programs, or abstractions thereof. The communication graph of replicated systems is a clique. They are a special class of parameterized systems, i.e., infinite families of systems that admit a finite description in some suitable modeling language. In the case of replicated systems, the (only) parameter is the number of agents executing the program.
Verifying a replicated system amounts to proving that an infinite family of systems satisfies a given property. This is already a formidable challenge, made even harder by the fact that we want to verify liveness (more difficult than safety) against stochastic schedulers. Loosely speaking, stochastic schedulers select the set of agents that should execute the next action as the result of a random experiment. Stochastic scheduling often appears in distributed protocols, and in particular also in population protocols, a model much studied in distributed computing with applications in computational biology^{1}, which supplies many of our case studies [9, 58]. Under stochastic scheduling, the semantics of a replicated system is an infinite family of finite-state Markov chains. In this work, we study qualitative liveness properties, stating that the infinite runs starting at configurations of the system satisfying a precondition almost surely reach and stay in configurations satisfying a postcondition. In this case, whether the property holds or not depends only on the topology of the Markov chains, and not on the concrete probabilities.
We introduce a formal model of replicated systems, based on multiset rewriting, where processes can communicate by shared variables or multiway synchronization. We present a sound and complete verification method called Presburger stage graphs. A Presburger stage graph is a directed acyclic graph with Presburger formulas as nodes. A formula represents a possibly infinite inductive set of configurations, i.e., a set of configurations closed under reachability. A node \(\mathcal {S}\) (which we identify with the set of configurations it represents) has the following property: A run starting at any configuration of \(\mathcal {S}\) almost surely reaches some configuration of some successor \(\mathcal {S}'\) of \(\mathcal {S}\), and, since \(\mathcal {S}'\) is inductive, gets trapped in \(\mathcal {S}'\). A stage graph labels the node \(\mathcal {S}\) with a witness of this property in the form of a Presburger certificate, a sort of ranking function expressible in Presburger arithmetic. The completeness of the technique, i.e., the fact that for every property of the replicated system that holds there exists a stage graph proving it, follows from deep results of the theory of vector addition systems (VASs) [52, 53, 54].
Unfortunately, the theory of VASs also shows that, while the verification problems we consider are decidable, they have nonelementary computational complexity [33]. As a consequence, verification techniques that systematically explore the space of possible stage graphs for a given property are bound to be very inefficient. For this reason, we design an incomplete but efficient algorithm for the computation of stage graphs. Inspired by theoretical results, the algorithm combines a solver for linear constraints with some elements of the theory of well-structured systems [2, 39]. We report on the performance of this algorithm for a large number of case studies. In particular, the algorithm automatically verifies many standard population protocols described in the literature [5, 8, 20, 22, 23, 28, 31], as well as liveness properties of distributed algorithms for leader election and mutual exclusion [3, 40, 42, 44, 50, 59, 61, 64].
Related Work. The parameterized verification of replicated systems was first studied in [41], where they were modeled as counter systems. This allows one to apply many efficient techniques [11, 24, 37, 47]. Most of these works are inherently designed for safety properties, and some can also handle fair termination [38], but none of them handles stochastic scheduling. To the best of our knowledge, the only works studying parameterized verification of liveness properties under our notion of stochastic scheduling are those on verification of population protocols. For fixed populations, protocols can be verified with standard probabilistic model checking [13, 65], and early works follow this approach [28, 31, 60, 63]. Subsequently, an algorithm and a tool for the parameterized verification of population protocols were described in [21, 22], and a first version of stage graphs was introduced in [23] for analyzing the expected termination time of population protocols. In this paper we overhaul the framework of [23] for liveness verification, drawing inspiration from the safety verification technology of [21, 22]. Compared to [21, 22], our approach is not limited to a specific subclass of protocols, and captures models beyond population protocols. Furthermore, our new techniques for computing Presburger certificates subsume the procedure of [22]. In comparison to [23], we provide the first completeness and complexity results for stage graphs. Further, our stage graphs can prove correctness of population protocols and even more general liveness properties, while those of [23] can only prove termination. We also introduce novel techniques for computing stage graphs, which compared to [23] can greatly reduce their size and allow us to prove more examples correct.
There is also a large body of work on parameterized verification via cutoff techniques: one shows that a specification holds for any number of agents iff it holds for any number of agents below some threshold called the cutoff (see [6, 26, 30, 34, 46], and [16] for a comprehensive survey). Cutoff techniques can be applied to systems with an array or ring communication structure, but they require the existence and effectiveness of a cutoff, which is not the case in our setting. Further parameterized verification techniques are regular model checking [1, 25] and automata learning [7]. The classes of communication structures they can handle are orthogonal to ours: arrays and rings for regular model checking and automata learning, and cliques in our work. Regular model checking and learning have recently been employed to verify safety properties [29], liveness properties under arbitrary schedulers [55] and termination under finitary fairness [51]. The classes of schedulers considered in [51, 55] are incomparable to ours: arbitrary schedulers in [55], and finitary-fair schedulers in [51]. Further, these works are based on symbolic state-space exploration, while our techniques are based on automatic construction of invariants and ranking functions [16].
2 Preliminaries
Let \(\mathbb {N}\) denote \(\{0, 1, \ldots \}\) and let E be a finite set. An unordered vector over E is a mapping \(V :E \rightarrow \mathbb {Z}\). In particular, a multiset over E is an unordered vector \(M :E \rightarrow \mathbb {N}\) where M(e) denotes the number of occurrences of e in M. The sets of all unordered vectors and multisets over E are respectively denoted \(\mathbb {Z}^E\) and \(\mathbb {N}^E\). Vector addition, subtraction and comparison are defined componentwise. The size of a multiset M is denoted \(|M| = \sum _{e \in E} M(e)\). We let \(E^{\langle k \rangle }\) denote the set of all multisets over E of size k. We sometimes describe multisets using a set-like notation, e.g. Open image in new window or equivalently Open image in new window is such that \(M(f) = 1\), \(M(g) = 2\) and \(M(e) = 0\) for all \(e \not \in \{f, g\}\).
Presburger Arithmetic. Let X be a set of variables. The set of formulas of Presburger arithmetic over X is the result of closing atomic formulas, as defined in the next sentence, under Boolean operations and first-order existential quantification. Atomic formulas are of the form \(\sum _{i=1}^k a_i x_i \sim b\), where \(a_i\) and b are integers, \(x_i\) are variables and \(\sim \) is either < or \(\equiv _m\), the latter denoting the congruence modulo m for any \(m \ge 2\). Formulas over X are interpreted on \(\mathbb {N}^X\). Given a formula \(\phi \) of Presburger arithmetic, we let \(\llbracket \phi \rrbracket \) denote the set of all multisets satisfying \(\phi \). A set \(E \subseteq \mathbb {N}^X\) is a Presburger set if \(E = \llbracket \phi \rrbracket \) for some formula \(\phi \).
2.1 Replicated Systems
A replicated system over Q of arity n is a tuple \(\mathcal {P}= (Q,T)\), where \(T \subseteq \bigcup _{k=0}^n Q^{\langle k \rangle } \times Q^{\langle k \rangle }\) is a transition relation containing the set of silent transitions \(\bigcup _{k=0}^n \{ (\textit{\textbf{x}}, \textit{\textbf{x}}) \mid \textit{\textbf{x}} \in Q^{\langle k \rangle } \}\)^{2}. A configuration is a multiset C of states, which we interpret as a global state with C(q) agents in each state \(q \in Q\).
Example 1
2.2 Qualitative Model Checking
Let us now introduce the probabilistic interpretation of LTL. A configuration C of \(\mathcal {P}\) satisfies an LTL formula \(\varphi \) with probability p if \(\Pr [C, \varphi ] = p\), where \(\Pr [C, \varphi ]\) denotes the probability of the set of runs of \(\mathcal {P}\) starting at C that satisfy \(\varphi \) in the finite-state Markov chain rooted at C. The measurability of this set of runs for every C and \(\varphi \) follows from well-known results [65]. The qualitative model checking problem consists of, given an LTL formula \(\varphi \) and a set of configurations \({\mathcal {I}}\), deciding whether \(\Pr [C , \varphi ] = 1\) for every \(C \in {\mathcal {I}}\). We will often work with the complement problem, i.e., deciding whether \(\Pr [C, \lnot \varphi ] > 0\) for some \(C\in {\mathcal {I}}\).
In contrast to the action-based qualitative model checking problem of [35], our version of the problem is undecidable due to adding atomic propositions over configurations (see the full version of the paper [19] for a proof):
Theorem 1
The qualitative model checking problem is not semidecidable.
It is known that qualitative model checking problems of finite-state probabilistic systems reduce to model checking of non-probabilistic systems under an adequate notion of fairness.
Definition 1
A run of a replicated system \(\mathcal {P}\) is fair if for every possible step \(C \xrightarrow {t} C'\) of \(\mathcal {P}\) the following holds: if the run contains infinitely many occurrences of C, then it also contains infinitely many occurrences of \(C \xrightarrow {t} C'\).
So, intuitively, if a run can execute a step infinitely often, it eventually will. It is readily seen that a fair run of a finite-state transition system eventually gets “trapped” in one of its bottom strongly connected components, and visits each of its states infinitely often. Hence, fair runs of a finite-state Markov chain have probability one. The following proposition was proved in [35] for a model slightly less general than replicated systems; the proof can be generalized without effort:
Proposition 1
([35, Prop. 7]). Let \(\mathcal {P}\) be a replicated system, let C be a configuration of \(\mathcal {P}\), and let \(\varphi \) be an LTL formula. It is the case that \(\Pr [C, \varphi ] = 1\) iff every fair run of \(\mathcal {P}\) starting at C satisfies \(\varphi \).
We implicitly use this proposition from now on. In particular, we define:
Definition 2
A configuration C satisfies \(\varphi \) with probability 1, or just satisfies \(\varphi \), if every fair run starting at C satisfies \(\varphi \), denoted by \(C \models \varphi \). We let \(\llbracket \varphi \rrbracket \) denote the set of configurations satisfying \(\varphi \). A set \(\mathcal {C}\) of configurations satisfies \(\varphi \) if \(\mathcal {C}\subseteq \llbracket \varphi \rrbracket \), i.e., if \(C \models \varphi \) for every \(C \in \mathcal {C}\).
Liveness Specifications for Replicated Systems. We focus on a specific class of temporal properties for which the qualitative model checking problem is decidable and which is large enough to formalize many important specifications. Using well-known automata-theoretic technology, this class can also be used to verify all properties describable in action-based LTL, see e.g. [35].
The stable termination problem is the qualitative model checking problem for \({\mathcal {I}}= \llbracket \varphi _{\mathrm {pre}}\rrbracket \) and \(\varphi = \varphi _\varPi \) given by a stable termination property \(\varPi = (\varphi _{\mathrm {pre}}, \varPhi _{ post })\).
Example 2
3 Stage Graphs
In the rest of the paper, we fix a replicated system \(\mathcal {P}= (Q,T)\) and a stable termination property \(\varPi = (\varphi _{\mathrm {pre}}, \varPhi _{ post })\), where \(\varPhi _{ post }= \{\varphi _{\mathrm {post}}^1, \ldots , \varphi _{\mathrm {post}}^k\}\), and address the problem of checking whether \(\mathcal {P}\) satisfies \(\varPi \). We start with some basic definitions on sets of configurations.
Definition 3
1. A set of configurations \(\mathcal {C}\) is inductive if \(C \in \mathcal {C}\) and \(C \rightarrow C'\) implies \(C' \in \mathcal {C}\).
2. Let \(\mathcal {C}, \mathcal {C}'\) be sets of configurations. We say that \(\mathcal {C}\) leads to \(\mathcal {C}'\), denoted \(\mathcal {C}\leadsto \mathcal {C}'\), if for all \(C \in \mathcal {C}\), every fair run from C eventually visits a configuration of \(\mathcal {C}'\).
3. A certificate for \(\mathcal {C}\leadsto \mathcal {C}'\) is a function \(f :\mathcal {C}\rightarrow \mathbb {N}\) satisfying that for every \(C \in \mathcal {C}\setminus \mathcal {C}'\), there exists an execution \(C \xrightarrow {*} C'\) such that \(f(C) > f(C')\).
Note that certificates only require the existence of some executions decreasing f, not for all of them to decrease it. Despite this, we have:
Proposition 2
For all inductive sets \(\mathcal {C}, \mathcal {C}'\) of configurations, it is the case that: \(\mathcal {C}\) leads to \(\mathcal {C}'\) iff there exists a certificate for \(\mathcal {C}\leadsto \mathcal {C}'\).
The proof, which can be found in the full version [19], depends on two properties of replicated systems with stochastic scheduling. First, every configuration has only finitely many descendants. Second, for every fair run and for every finite execution \(C \xrightarrow {w} C'\), if C appears infinitely often in the run, then the run contains infinitely many occurrences of \(C \xrightarrow {w} C'\). We can now introduce stage graphs:
Definition 4
1. every stage is an inductive set;
2. every configuration of \(\llbracket \varphi _{\mathrm {pre}}\rrbracket \) belongs to some stage;
3. if \(\mathcal {C}\) is a nonterminal stage with successors \(\mathcal {C}_1, \ldots , \mathcal {C}_n\), then there exists a certificate for \(\mathcal {C}\leadsto (\mathcal {C}_1 \cup \cdots \cup \mathcal {C}_n)\);
4. if \(\mathcal {C}\) is a terminal stage, then \(\mathcal {C}\models \varphi _{\mathrm {post}}^i\) for some i.
Example 3
Figure 1 depicts stage graphs for the system of Example 1 and the properties defined in Example 2. The reader can easily show that every stage \(\mathcal {C}\) is inductive by checking that for every \(C \in \mathcal {C}\) and every transition \(t \in \{t_1, \ldots , t_4\}\) enabled at C, the step \(C \xrightarrow {t} C'\) satisfies \(C' \in \mathcal {C}\). For example, if a configuration satisfies \(\text {A}_\text {Y}> \text {A}_\text {N}\), so does any successor configuration. \(\triangleleft \)
The following proposition shows that stage graphs are a sound and complete technique for proving stable termination properties.
Proposition 3
System \(\mathcal {P}\) satisfies \(\varPi \) iff it has a stage graph for \(\varPi \).
Proposition 3 does not tell us anything about the decidability of the stable termination problem. To prove that the problem is decidable, we introduce Presburger stage graphs. Intuitively, these are stage graphs whose stages and certificates can be expressed by formulas of Presburger arithmetic.
Definition 5
1. A stage \(\mathcal {C}\) is Presburger if \(\mathcal {C}= \llbracket \phi \rrbracket \) for some Presburger formula \(\phi \).
2. A bounded certificate for \(\mathcal {C}\leadsto \mathcal {C}'\) is a pair (f, k), where \(f :\mathcal {C}\rightarrow \mathbb {N}\) and \(k \in \mathbb {N}\), satisfying that for every \(C \in \mathcal {C}\setminus \mathcal {C}'\), there exists an execution \(C \xrightarrow {w} C'\) such that \(f(C) > f(C')\) and \(|w| \le k\).
3. A Presburger certificate is a bounded certificate (f, k) satisfying \(f(C)= n \iff \varphi (C,n)\) for some Presburger formula \(\varphi (\textit{\textbf{x}}, y)\).
4. A Presburger stage graph is a stage graph whose stages and certificates are all Presburger.
Using a powerful result from [36], we show that: (1) \(\mathcal {P}\) satisfies \(\varPi \) iff it has a Presburger stage graph for \(\varPi \) (Theorem 2); (2) there exists a denumerable set of candidates for a Presburger stage graph for \(\varPi \); and (3) there is an algorithm that decides whether a given candidate is a Presburger stage graph for \(\varPi \) (Theorem 3). Together, (1–3) show that the stable termination problem is semidecidable. To obtain decidability, we observe that the complement of the stable termination problem is also semidecidable. Indeed, it suffices to enumerate all initial configurations \(C \models \varphi _{\mathrm {pre}}\), build for each such C the (finite) graph \(G_C\) of configurations reachable from C, and check if some bottom strongly connected component \(\mathcal {B}\) of \(G_C\) satisfies \(\mathcal {B}\not \models \varphi _{\mathrm {post}}^i\) for all i. This is the case iff some fair run starting at C visits and stays in \(\mathcal {B}\), which in turn is the case iff \(\mathcal {P}\) violates \(\varPi \).
Theorem 2
System \(\mathcal {P}\) satisfies \(\varPi \) iff it has a Presburger stage graph for \(\varPi \).
We observe that testing whether a given graph is a Presburger stage graph reduces to Presburger arithmetic satisfiability, which is decidable [62] and whose complexity lies between 2NEXP and 2EXPSPACE [15]:
Theorem 3
The problem of deciding whether an acyclic graph of Presburger sets and Presburger certificates is a Presburger stage graph, for a given stable termination property, is reducible in polynomial time to the satisfiability problem for Presburger arithmetic.
4 Algorithmic Construction of Stage Graphs
At the current state of our knowledge, the decision procedure derived from Theorem 3 has little practical relevance. From a theoretical point of view, the TOWER-hardness result of [33] implies that the stage graph may have nonelementary size in the system size. In practice, systems have relatively small stage graphs, but, even so, the enumeration of all candidates immediately leads to a prohibitive combinatorial explosion.
For this reason, we present a procedure to automatically construct (not guess) a Presburger stage graph G for a given replicated system \(\mathcal {P}\) and a stable termination property \(\varPi = (\varphi _{\mathrm {pre}}, \varPhi _{ post })\). The procedure may fail, but, as shown in the experimental section, it succeeds for many systems from the literature.
The procedure is designed to be implemented on top of a solver for the existential fragment of Presburger arithmetic. While every formula of Presburger arithmetic has an equivalent formula within the existential fragment [32, 62], quantifier elimination may lead to a doubly-exponential blowup in the size of the formula. Thus, it is important to emphasize that our procedure never requires eliminating quantifiers: If the pre- and postconditions of \(\varPi \) are supplied as quantifier-free formulas, then all constraints of the procedure remain in the existential fragment.
In its main loop (lines 2–9), Algorithm 1 picks a Presburger stage \(\mathcal {S}\) from the workset, and processes it. First, it calls \(\text {Terminal}(\mathcal {S},\varPhi _{ post })\) to check if \(\mathcal {S}\) is terminal, i.e., whether \(\mathcal {S}\models \varphi _{\mathrm {post}}^i\) for some \(\varphi _{\mathrm {post}}^i \in \varPhi _{ post }\). This reduces to checking the unsatisfiability of the existential Presburger formula \(\phi \wedge \lnot \varphi _{\mathrm {post}}^i\), where \(\phi \) is the formula characterizing \(\mathcal {S}\). If \(\mathcal {S}\) is not terminal, then the procedure attempts to construct successor stages in lines 5–9, with the help of three further functions: \(\textit{AsDead}\), \(\textit{IndOverapprox}\), and \(\textit{Split}\). In the rest of this section, we present the intuition behind lines 5–9, and the specification of the three functions. Sections 5, 6 and 7 present the implementations we use for these functions.
Lines 5–9 are inspired by the behavior of most replicated systems designed by humans, and are based on the notion of dead transitions, which can never occur again (to be formally defined below). Replicated systems are usually designed to run in phases. Initially, all transitions are alive, and the end of a phase is marked by the “death” of one or more transitions, i.e., by reaching a configuration at which these transitions are dead. The system keeps “killing transitions” until no transition that is still alive can lead to a configuration violating the postcondition. The procedure mimics this pattern. It constructs stage graphs in which if \(\mathcal {S}'\) is a successor of \(\mathcal {S}\), then the set of transitions dead at \(\mathcal {S}'\) is a proper superset of the transitions dead at \(\mathcal {S}\). For this, \(\textit{AsDead}(\mathcal {S})\) computes a set of transitions that are alive at some configuration of \(\mathcal {S}\), but which will become dead in every fair run starting at \(\mathcal {S}\) (line 5). Formally, \(\textit{AsDead}(\mathcal {S})\) returns a set \(U \subseteq \overline{\textit{Dead}(\mathcal {S})}\) such that \(\mathcal {S}\models \Diamond \text {dead}(U)\), defined as follows.
Definition 6
\(\textit{Dead}(\mathcal {S})\): the set of transitions dead at \(\mathcal {S}\);
\(\llbracket \text {dis}(U)\rrbracket \): the set of configurations at which all transitions of U are disabled;
\(\llbracket \text {dead}(U)\rrbracket \): the set of configurations at which all transitions of U are dead.
Observe that we can compute \(\textit{Dead}(\mathcal {S})\) by checking unsatisfiability of a sequence of existential Presburger formulas: as \(\mathcal {S}\) is inductive, we have \(\textit{Dead}(\mathcal {S}) = \{ t \mid \mathcal {S}\models \text {dis}(t) \}\), and \(\mathcal {S}\models \text {dis}(t)\) holds iff the existential Presburger formula \(\exists C :\phi (C) \wedge C \ge {}^\bullet {t}\) is unsatisfiable, where \(\phi \) is the formula characterizing \(\mathcal {S}\).
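The finite-state reasoning of Sect. 3 (build \(G_C\), inspect its bottom strongly connected components) and the computation of \(\textit{Dead}(\mathcal {S})\) for an inductive set are easy to make concrete, and the following Python is an added example, not code from the paper or its tool. The 4-state majority-style protocol, its state and transition names, and the postconditions are constructed for illustration (they are not the paper's Example 1); the block also checks Definition 3 certificates on a finite stage, which goes slightly beyond the paragraph above.

```python
"""Added example (not the paper's code): replicated systems as multiset rewriting,
the finite reachability graph G_C, its bottom SCCs, Dead(S) and certificates."""
from collections import deque
from typing import Callable, Dict, FrozenSet, Iterable, List, Tuple

Config = Tuple[int, ...]             # one agent count per state, in STATES order
Transition = Tuple[Config, Config]   # (pre-multiset, post-multiset) of equal size

# Constructed sample system (an assumption of this example, not the paper's Example 1):
# active agents Y/N hold an opinion, passive agents y/n merely follow one.
STATES = ("Y", "N", "y", "n")


def mset(**counts: int) -> Config:
    """Multiset over STATES in set-like notation, e.g. mset(Y=2, N=1)."""
    return tuple(counts.get(q, 0) for q in STATES)


TRANSITIONS: Dict[str, Transition] = {
    "t1": (mset(Y=1, N=1), mset(y=1, n=1)),  # opposing active agents cancel out
    "t2": (mset(Y=1, n=1), mset(Y=1, y=1)),  # an active Y converts a passive n
    "t3": (mset(N=1, y=1), mset(N=1, n=1)),  # an active N converts a passive y
}


def enabled(c: Config, t: Transition) -> bool:
    """t is enabled at C iff C >= pre(t) componentwise."""
    return all(ci >= pi for ci, pi in zip(c, t[0]))


def fire(c: Config, t: Transition) -> Config:
    """The step C --t--> C' with C' = C - pre(t) + post(t)."""
    return tuple(ci - pi + qi for ci, pi, qi in zip(c, t[0], t[1]))


def reachability_graph(c0: Config, transitions: Dict[str, Transition]) -> Dict[Config, List[Tuple[str, Config]]]:
    """G_C: every configuration reachable from c0 with its labelled steps.
    Finite, because every transition preserves the number of agents."""
    graph: Dict[Config, List[Tuple[str, Config]]] = {}
    todo = deque([c0])
    while todo:
        c = todo.popleft()
        if c in graph:
            continue
        graph[c] = [(name, fire(c, t)) for name, t in transitions.items() if enabled(c, t)]
        todo.extend(d for _, d in graph[c] if d not in graph)
    return graph


def forward_reach(graph: Dict[Config, List[Tuple[str, Config]]], c: Config) -> FrozenSet[Config]:
    """Configurations reachable from c inside graph (c itself included)."""
    seen, todo = {c}, [c]
    while todo:
        for _, d in graph[todo.pop()]:
            if d not in seen:
                seen.add(d)
                todo.append(d)
    return frozenset(seen)


def bottom_sccs(graph: Dict[Config, List[Tuple[str, Config]]]) -> set:
    """Bottom SCCs of G_C: a node lies in one iff everything it reaches can reach it back."""
    reach = {c: forward_reach(graph, c) for c in graph}
    return {reach[c] for c in graph if all(c in reach[d] for d in reach[c])}


def dead_transitions(stage: Iterable[Config], transitions: Dict[str, Transition]) -> FrozenSet[str]:
    """Dead(S) for an inductive set S: the transitions enabled at no configuration of S."""
    stage = list(stage)
    return frozenset(name for name, t in transitions.items()
                     if not any(enabled(c, t) for c in stage))


def is_certificate(f: Callable[[Config], int], stage: Iterable[Config],
                   target: FrozenSet[Config], graph: Dict[Config, List[Tuple[str, Config]]]) -> bool:
    """Definition 3 on a finite inductive stage: every C in the stage but outside the
    target must reach some C' with f(C) > f(C')."""
    return all(any(f(d) < f(c) for d in forward_reach(graph, c))
               for c in stage if c not in target)


def stable_termination_holds(c0: Config, transitions: Dict[str, Transition],
                             posts: List[Callable[[Config], bool]]) -> bool:
    """Fair runs get trapped in a bottom SCC and visit all of it, so c0 satisfies the
    property iff every bottom SCC of G_c0 satisfies some postcondition entirely."""
    graph = reachability_graph(c0, transitions)
    return all(any(all(p(c) for c in b) for p in posts) for b in bottom_sccs(graph))


def all_agents_in(states: Iterable[str]) -> Callable[[Config], bool]:
    """Postcondition 'every agent is in one of the given states'."""
    allowed = {STATES.index(q) for q in states}
    return lambda c: all(ci == 0 for i, ci in enumerate(c) if i not in allowed)


# Constructed Phi_post: the population settles on one opinion.
POSTS = [all_agents_in({"Y", "y"}), all_agents_in({"N", "n"})]

if __name__ == "__main__":
    for c0 in (mset(Y=2, N=1), mset(Y=1, N=1)):
        g = reachability_graph(c0, TRANSITIONS)
        print(c0, "stable termination:", stable_termination_holds(c0, TRANSITIONS, POSTS),
              "Dead(reach):", sorted(dead_transitions(g, TRANSITIONS)),
              "bottom SCCs:", [sorted(b) for b in bottom_sccs(g)])
```

From mset(Y=2, N=1) the reachable stage has Dead = {t3}, its bottom SCC has all three transitions dead, and f(C) = 2·C(N) + C(n) is a certificate for leading from the stage to that bottom SCC; from the tie mset(Y=1, N=1) the property fails because the only bottom SCC is all-passive with mixed opinions.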
The following proposition, whose proof appears in the full version [19], shows that determining whether a given transition will eventually become dead, while decidable, is PSPACE-hard. Therefore, Sect. 7 describes two implementations of this function, and a way to combine them, which exhibit a good tradeoff between precision and computation time.
Proposition 4
Given a replicated system \(\mathcal {P}\), a stage \(\mathcal {S}\) represented by an existential Presburger formula \(\phi \) and a set of transitions U, determining whether \(\mathcal {S}\models \Diamond \text {dead}(U)\) holds is decidable and PSPACE-hard.
If the set U returned by \(\textit{AsDead}(\mathcal {S})\) is nonempty, then we know that every fair run starting at a configuration of \(\mathcal {S}\) will eventually reach a configuration of \(\mathcal {S}\cap \llbracket \text {dead}(U)\rrbracket \). So, this set, or any inductive overapproximation of it, can be a legal successor of \(\mathcal {S}\) in the stage graph. Function \(\textit{IndOverapprox}(\mathcal {S},U)\) returns such an inductive overapproximation (line 7). To be precise, we show in Sect. 5 that \(\llbracket \text {dead}(U)\rrbracket \) is a Presburger set that can be computed exactly, albeit in doubly-exponential time in the worst case. The section also shows how to compute overapproximations more efficiently. If the set U returned by \(\textit{AsDead}(\mathcal {S})\) is empty, then we cannot yet construct any successor of \(\mathcal {S}\). Indeed, recall that we want to construct stage graphs in which if \(\mathcal {S}'\) is a successor of \(\mathcal {S}\), then \(\textit{Dead}(\mathcal {S}')\) is a proper superset of \(\textit{Dead}(\mathcal {S})\). In this case, we proceed differently and try to split \(\mathcal {S}\):
Definition 7
\(\textit{Dead}(\mathcal {S}_i) \supset \textit{Dead}(\mathcal {S})\) for every \(1 \le i \le k\), and
\(\mathcal {S}= \bigcup _{i=1}^k \mathcal {S}_i\).
If there exists a split \(\{\mathcal {S}_1, \ldots , \mathcal {S}_k\}\) of \(\mathcal {S}\), then we can let \(\mathcal {S}_1, \ldots , \mathcal {S}_k\) be the successors of \(\mathcal {S}\) in the stage graph. Observe that a stage may indeed have a split. We have \(\textit{Dead}(\mathcal {C}_1 \cup \mathcal {C}_2) = \textit{Dead}(\mathcal {C}_1) \cap \textit{Dead}(\mathcal {C}_2)\), and hence \(\textit{Dead}(\mathcal {C}_1 \cup \mathcal {C}_2)\) may be a proper subset of both \(\textit{Dead}(\mathcal {C}_1)\) and \(\textit{Dead}(\mathcal {C}_2)\):
Example 4
Consider the system with states \(\{q_1, q_2\}\) and transitions \(t_i :q_i \mapsto q_i\) for \(i \in \{1, 2\}\). Let \(\mathcal {S}= \{ C \mid C(q_1) = 0 \vee C(q_2) = 0 \}\), i.e., \(\mathcal {S}\) is the (inductive) stage of configurations disabling either \(t_1\) or \(t_2\). The set \(\{ \mathcal {S}_1, \mathcal {S}_2 \}\), where \(\mathcal {S}_i = \{ C \in \mathcal {S}\mid C(q_i) = 0 \}\), is a split of \(\mathcal {S}\) satisfying \(\textit{Dead}(\mathcal {S}_i) = \{t_i\} \supset \emptyset = \textit{Dead}(\mathcal {S})\). \( \triangleleft \)
The canonical split of \(\mathcal {S}\), if it exists, is the set \(\{ \mathcal {S}\cap \llbracket \text {dead}(t)\rrbracket \mid t \notin \textit{Dead}(\mathcal {S}) \}\). As mentioned above, Sect. 5 shows that \(\llbracket \text {dead}(U)\rrbracket \) can be computed exactly for every U, but the computation can be expensive. Hence, the canonical split can be computed exactly at potentially high cost. Our implementation uses an underapproximation of \(\llbracket \text {dead}(t)\rrbracket \), described in Sect. 6.
5 Computing and Approximating \(\llbracket \text {dead}(U)\rrbracket \)
we can effectively compute an existential Presburger formula describing the set \(\llbracket \text {dead}(U)\rrbracket \), with high computational cost in the worst case, and
we can effectively compute constraints that overapproximate or underapproximate \(\llbracket \text {dead}(U)\rrbracket \), at a reduced computational cost.
Lemma 1
1. \(\mathcal {C}\) is upward closed iff \(\overline{\mathcal {C}}\) is downward closed (and vice versa);
2. if \(\mathcal {C}\) is upward closed, then there is a unique minimal finite set of configurations \(\text {inf}(\mathcal {C})\), called its basis, such that Open image in new window;
3. if \(\mathcal {C}\) is downward closed, then there is a unique minimal finite set of \(\omega \)-configurations \(\text {sup}(\mathcal {C})\), called its decomposition, such that Open image in new window.
Computing \(\varvec{\llbracket \text {dead}(U)\rrbracket }\) Exactly. It follows immediately from Definition 6 that both \(\llbracket \text {dis}(U)\rrbracket \) and \(\llbracket \text {dead}(U)\rrbracket \) are downward closed. Indeed, if all transitions of U are disabled at C, and \(C' \le C\), then they are also disabled at \(C'\), and clearly the same holds for transitions dead at C. Furthermore:
Proposition 5
For every set U of transitions, the (downward) decomposition of both \(\text {sup}(\llbracket \text {dis}(U)\rrbracket )\) and \(\text {sup}(\llbracket \text {dead}(U)\rrbracket )\) is effectively computable.
Proof
For the case of \(\text {sup}(\llbracket \text {dead}(U)\rrbracket )\), we invoke [45, Prop. 2] which gives a proof for the more general setting of (possibly unbounded) Petri nets. Their procedure is based on the well-known backwards reachability algorithm (see, e.g., [2, 39]). \(\square \)
Proposition 6
For every Presburger set \(\mathcal {C}\) and every set of transitions U, the sets \( pre _U(\mathcal {C})\) and \( post _U(\mathcal {C})\) are effectively Presburger.
Recall that function \(\textit{IndOverapprox}(\mathcal {S}, U)\) of Algorithm 1 must return an inductive overapproximation of \(\llbracket \text {dead}(U)\rrbracket \). Since \(\llbracket \text {dead}(U)\rrbracket ^i\) might not be inductive in general, our implementation uses either the inductive overapproximations \(\textit{IndOverapprox}^i(\mathcal {S}, U) {\mathop {=}\limits ^{\scriptscriptstyle \text {def}}}\textit{PotReach}(\mathcal {S}\cap \llbracket \text {dead}(U)\rrbracket ^i)\), or the exact value \(\textit{IndOverapprox}^\infty (\mathcal {S}, U) {\mathop {=}\limits ^{\scriptscriptstyle \text {def}}}\mathcal {S}\cap \llbracket \text {dead}(U)\rrbracket \). The table of results in the experimental section describes for each benchmark which overapproximation was used.
 1.
Open image in new window, i.e., every configuration of Open image in new window disables U, and
 2.
Open image in new window is inductive, i.e., Open image in new window.
If U is dead at a set \(\mathcal {C}\) of configurations, then there is always a certificate that proves it, namely \(\text {sup}(\llbracket \text {dead}(U)\rrbracket )\). In particular, if \(\mathcal {C}^\omega \) is a death certificate for U then Open image in new window, that is, Open image in new window is an underapproximation of \(\llbracket \text {dead}(U)\rrbracket \)
Using Proposition 6, it is straightforward to express in Presburger arithmetic that a finite set \(\mathcal {C}^\omega \) of \(\omega \)-configurations is a death certificate for U:
Proposition 7
For every \(k \ge 1\) there is an existential Presburger formula \( DeathCert _k(U, \mathcal {C}^\omega )\) that holds iff \(\mathcal {C}^\omega \) is a death certificate of size k for U.
6 Splitting a Stage
Given a stage \(\mathcal {S}\), we try to find a set \(\mathcal {C}^\omega _1, \ldots , \mathcal {C}^\omega _\ell \) of death certificates for transitions \(t_1, \ldots , t_\ell \in T \setminus \textit{Dead}(\mathcal {S})\) such that Open image in new window. This allows us to split \(\mathcal {S}\) into \(\mathcal {S}_1, \ldots , \mathcal {S}_\ell \), where Open image in new window.
(i) \(\mathcal {C}^\omega _{i+1}\) is a death certificate for some \(t_{i+1} \in T \setminus \textit{Dead}(\mathcal {S})\);
(ii)
(iii) all components of \(C^\omega _{i+1}\) are either \(\omega \) or between 0 and \(\max _{t \in T,q \in Q} {}^\bullet {t}(q) - 1\);
(iv) for every \(\omega \)-configuration \(C^\omega \), if \((C_{i+1}, C^\omega )\) satisfies (i)–(iii), then \(C^\omega _{i+1} \le C^\omega \);
(v) for every pair \((C, C^\omega )\), if \((C, C^\omega )\) satisfies (i)–(iv), then \(C^\omega \le C^\omega _{i+1}\).
Condition (iii) guarantees termination. Intuitively, condition (iv) leads to certificates valid for sets \( U \subseteq T \setminus \textit{Dead}(\mathcal {S})\) as large as possible. So it allows us to avoid splits that, loosely speaking, do not make as much progress as they could. Condition (v) allows us to avoid splits with many elements because each element of the split has a small intersection with \(\mathcal {S}\).
An example illustrating these conditions is given in the full version [19].
7 Computing Eventually Dead Transitions
Recall that the function \(\textit{AsDead}(\mathcal {S})\) takes an inductive Presburger set \(\mathcal {S}\) as input, and returns a (possibly empty) set \(U \subseteq \overline{\textit{Dead}(\mathcal {S})}\) of transitions such that \(\mathcal {S}\models \Diamond \text {dead}(U)\). This guarantees \(\mathcal {S}\leadsto \llbracket \text {dead}(U)\rrbracket \) and, since \(\mathcal {S}\) is inductive, also \(\mathcal {S}\leadsto \mathcal {S}\cap \llbracket \text {dead}(U)\rrbracket \).
By Proposition 4, deciding if there exists a nonempty set U of transitions such that \(\mathcal {S}\models \Diamond \text {dead}(U)\) holds is PSPACE-hard, which makes a polynomial reduction to satisfiability of existential Presburger formulas unlikely. So we design incomplete implementations of \(\textit{AsDead}(\mathcal {S})\) with lower complexity. Combining these implementations, the lack of completeness essentially vanishes in practice.
7.1 First Implementation: Linear Ranking Functions
Our first procedure checks for the existence of a linear ranking function.
Definition 8
1. if \(t \in U\), then \(r(C) > r(C')\); and
2. if \(t \notin U\), then \(r(C) \ge r(C')\).
Proposition 8
If \(r :\mathcal {S}\rightarrow \mathbb {N}\) is a ranking function for \(\mathcal {S}\) and U, then there exists \(k \in \mathbb {N}\) such that (r, k) is a bounded certificate for \(\mathcal {S}\leadsto \llbracket \text {dead}(U)\rrbracket \).
Proof
Let M be the minimal finite basis of the upward closed set \(\overline{\llbracket \text {dead}(U)\rrbracket }\). For every configuration \(D \in M\), let \(\sigma _D\) be a shortest sequence that enables some transition \(t_D \in U\) from D, i.e., such that \(D \xrightarrow {\sigma _D} D' \xrightarrow {t_D} D''\) for some \(D'\), \(D''\). Let \(k {\mathop {=}\limits ^{\scriptscriptstyle \text {def}}}\max \{|\sigma _D t_D| : D \in M\}\).
Let \(C \in \mathcal {S}\setminus \llbracket \text {dead}(U)\rrbracket \). Since \(C \in \overline{\llbracket \text {dead}(U)\rrbracket }\), we have \(C \ge D\) for some \(D \in M\). By monotonicity, we have \(C \xrightarrow {\sigma _D} C' \xrightarrow {t_D} C''\) for some configurations \(C'\) and \(C''\). By Definition 8, we have \(r(C) \ge r(C') > r(C'')\), and so condition (Cert) holds. As \(|\sigma _D t_D| \le k\), we have that (r, k) is a bounded certificate. \(\square \)
7.2 Second Implementation: Layers
Transition layers were introduced in [22] as a technique to find transitions that will eventually become dead. Intuitively, a set U of transitions is a layer if (1) no run can contain only transitions of U, and (2) U becomes dead once disabled; the first condition guarantees that U eventually becomes disabled, and the second that it eventually becomes dead. We formalize layers in terms of layer functions.
Definition 9
C1. \(\ell (C) > \ell (C')\) for every \(C \in \mathcal {S}\) and every step \(C \xrightarrow {t} C'\) with \(t \in U\); and
C2. \(\llbracket \text {dis}(U)\rrbracket = \llbracket \text {dead}(U)\rrbracket \).
Proposition 9
If \(\ell :\mathcal {S}\rightarrow \mathbb {N}\) is a layer function for \(\mathcal {S}\) and U, then \((\ell , 1)\) is a bounded certificate for \(\mathcal {S}\leadsto \llbracket \text {dead}(U)\rrbracket \).
Proof
Let \(C \in \mathcal {S}\setminus \llbracket \text {dead}(U)\rrbracket \). By condition C2, we have \(C \not \in \llbracket \text {dis}(U)\rrbracket \). So there exists a step \(C \xrightarrow {u} C'\) where \(u \in U\). By condition C1, we have \(\ell (C) > \ell (C')\), so condition (Cert) holds and \((\ell , 1)\) is a bounded certificate. \(\square \)
Proposition 10
7.3 Comparing Ranking and Layer Functions
Consider the system \(\mathcal {P}_1\), and let \(\mathcal {S}= \mathbb {N}^Q\), i.e., \(\mathcal {S}\) contains all configurations. Transitions \(t_2\) and \(t_3\) never become dead at Open image in new window and can thus never be included in any U. Transition \(t_1\) eventually becomes dead, as shown by the linear ranking function \(r(C) = C(\text {A}) + C(\text {B})\) for \(U = \{t_1\}\). But for this U, the condition C2 for layer functions is not satisfied, as Open image in new window, so \(\llbracket \text {dis}(U)\rrbracket \ne \llbracket \text {dead}(U)\rrbracket \). Therefore no layer function exists for this U.
Consider now the system \(\mathcal {P}_2\), again with \(\mathcal {S}= \mathbb {N}^Q\), and let \(U = \{t_5\}\). Once \(t_5\) is disabled, there is no agent in \(\text {A}\), so both \(t_4\) and \(t_5\) are dead. So \(\llbracket \text {dis}(U)\rrbracket = \llbracket \text {dead}(U)\rrbracket \). The linear layer function \(\ell (C) = C(\text {A})\) satisfies \(\textit{linlayerfun}(U, \textit{\textbf{a}})\), showing that U eventually becomes dead. As \(C \xrightarrow {t_4 t_5} C\) for Open image in new window, there is no ranking function r for this U, which would need to satisfy \(r(C) < r(C)\).
For our implementation of \(\textit{AsDead}(\mathcal {S})\), we therefore combine both approaches. We first compute (in polynomial time) the unique maximal set U for which there is a linear ranking function. If this U is nonempty, we return it, and otherwise compute a set U of maximal size for which there is a linear layer function.
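The following is an added example (not the paper's code) that makes the reasoning of Sects. 7.1 to 7.3 concrete for the case \(\mathcal {S}= \mathbb {N}^Q\): for a linear function the conditions of Definition 8 and condition C1 of Definition 9 reduce to sign constraints on transition effects, and the maximal U of Sect. 7.3 is the union over all witnesses because the constraints form a cone. The two systems SYS1 and SYS2 are constructed stand-ins for \(\mathcal {P}_1\) and \(\mathcal {P}_2\) (whose transitions are not given on this page), the bounded coefficient search replaces the paper's SMT-based search, and condition C2 is not checked (the paper expresses it in Presburger arithmetic).

```python
"""Linear ranking and layer functions for a replicated system (Sects. 7.1-7.3).

Added example, not the paper's code. A system maps transition names to
(pre, post) multisets over the state set Q; a configuration maps q to the
number of agents in q. We take S = N^Q (all configurations), as in Sect. 7.3.
"""
from itertools import product

Q = ("A", "B", "C")

# Constructed system 1 (stand-in for P_1): t1 eventually dies, t2/t3 cycle forever.
SYS1 = {
    "t1": ({"A": 1, "B": 1}, {"C": 2}),          # A, B -> C, C
    "t2": ({"A": 1, "C": 1}, {"B": 1, "C": 1}),  # A, C -> B, C
    "t3": ({"B": 1, "C": 1}, {"A": 1, "C": 1}),  # B, C -> A, C
}

# Constructed system 2 (stand-in for P_2): t4 t5 leads back to the same configuration.
SYS2 = {
    "t4": ({"A": 1, "B": 1}, {"A": 2}),          # A, B -> A, A
    "t5": ({"A": 1, "C": 1}, {"B": 1, "C": 1}),  # A, C -> B, C
}


def effect(pre, post):
    """Effect vector of a transition: post(t) - pre(t), as a dict over Q."""
    return {q: post.get(q, 0) - pre.get(q, 0) for q in Q}


def fire(conf, pre, post):
    """One step C --t--> C', or None if t is not enabled at conf."""
    if any(conf.get(q, 0) < n for q, n in pre.items()):
        return None
    return {q: conf.get(q, 0) - pre.get(q, 0) + post.get(q, 0) for q in Q}


def lin(coeff, vec):
    """Value of the linear function coeff . vec."""
    return sum(coeff[q] * vec.get(q, 0) for q in Q)


def is_linear_ranking(coeff, system, U):
    """Definition 8 for r(C) = coeff . C on S = N^Q.

    For a step C --t--> C', r(C') - r(C) = coeff . effect(t) does not depend
    on C, so conditions 1 and 2 become sign constraints on the effects.
    """
    if any(c < 0 for c in coeff.values()):   # r must map into N
        return False
    for name, (pre, post) in system.items():
        delta = lin(coeff, effect(pre, post))
        if name in U and delta >= 0:          # condition 1: strict decrease on U
            return False
        if name not in U and delta > 0:       # condition 2: nonincreasing elsewhere
            return False
    return True


def is_linear_layer_c1(coeff, system, U):
    """Condition C1 of Definition 9 for l(C) = coeff . C: strict decrease on U.

    Condition C2 (dis(U) = dead(U)) is not checked here; for SYS2 and U = {t5}
    it holds because every transition of SYS2 needs an agent in A.
    """
    return all(lin(coeff, effect(*system[t])) < 0 for t in U)


def maximal_ranking_set(system, bound=3):
    """Largest U with a linear ranking function whose coefficients lie in 0..bound.

    Witnesses form a cone: if a1 ranks U1 and a2 ranks U2, then a1 + a2 ranks
    U1 | U2. So the maximal U is the union over all witnesses, and the sum of
    the contributing vectors is a ranking function for it. The bounded search
    is this example's simplification of the paper's SMT-based search.
    """
    U, total = set(), {q: 0 for q in Q}
    for vec in product(range(bound + 1), repeat=len(Q)):
        coeff = dict(zip(Q, vec))
        if not is_linear_ranking(coeff, system, set()):  # nonincreasing on every t
            continue
        strict = {t for t in system if lin(coeff, effect(*system[t])) < 0}
        if strict - U:
            U |= strict
            total = {q: total[q] + coeff[q] for q in Q}
    assert is_linear_ranking(total, system, U)
    return U, total


if __name__ == "__main__":
    print(maximal_ranking_set(SYS1))   # ({'t1'}, {'A': 1, 'B': 1, 'C': 0})
    print(maximal_ranking_set(SYS2))   # (set(), {'A': 0, 'B': 0, 'C': 0})
    C = {"A": 2, "B": 1, "C": 1}
    print(fire(fire(C, *SYS2["t4"]), *SYS2["t5"]) == C)  # True: loop rules out ranking
    print(is_linear_layer_c1({"A": 1, "B": 0, "C": 0}, SYS2, {"t5"}))  # True
```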
8 Experimental Results
We implemented the procedure of Sect. 4 on top of the SMT solver Z3 [57], and use the Owl [48] and HOA [12] libraries for translating LTL formulas. The resulting tool automatically constructs stage graphs that verify stable termination properties for replicated systems. We evaluated it on two sets of benchmarks, described below. The first set contains population protocols, and the second leader election and mutual exclusion algorithms. All tests were performed on a machine with an Intel Xeon CPU E5-2630 v4 @ 2.20 GHz and 8 GB of RAM. The results are depicted in Fig. 2 and can be reproduced by the certified artifact [18]. For parametric families of replicated systems, we always report the largest instance that we were able to verify with a timeout of one hour. For \(\textit{IndOverapprox}\), from the approaches in Sect. 5, we use \(\textit{IndOverapprox}^0\) in the examples marked with Open image in new window and \(\textit{IndOverapprox}^\infty \) otherwise. Almost all constructed stage graphs are a chain with at most 3 stages. The only exceptions are the stage graphs for the approximate majority protocols, which contain a binary split and 5 stages. The size of the Presburger formulas increases with the size of the replicated system. In the worst case, this growth can be exponential. However, the growth is linear in all examples marked with Open image in new window.
Population Protocols. Population protocols [8, 9] are replicated systems that compute Presburger predicates following the computation-as-consensus paradigm [10]. Depending on whether the initial configuration of agents satisfies the predicate or not, the agents of a correct protocol eventually agree on the output “yes” or “no”, almost surely. Example 1 can be interpreted as a population protocol for the majority predicate \(\text {A}_\text {Y}> \text {A}_\text {N}\), and the two stable termination properties that verify its correctness are described in Example 2. To show that a population protocol correctly computes a given predicate, we thus construct two Presburger stage graphs for the two corresponding stable termination properties. In all these examples, correctness is proved for an infinite set of initial configurations.
Our set of benchmarks contains a broadcast protocol [31], three majority protocols (Example 1, [23, Ex. 3], [5]), and multiple instances of parameterized families of protocols, where each protocol computes a different instance of a parameterized family of predicates^{5}. These include various flock-of-birds protocol families ([28], [20, Sect. 3], [31, threshold-n]) for the family of predicates \(x \ge c\) for some constant \(c \ge 0\); two families for threshold predicates of the form \(\textit{\textbf{a}} \cdot \textit{\textbf{x}} \ge c\) [8, 20]; and one family for remainder protocols of the form \(\textit{\textbf{a}} \cdot \textit{\textbf{x}} \equiv _m c\) [22]. Further, we check approximate majority protocols ([27, 56], [51, coin game]). As these protocols only compute the predicate with large probability but not almost surely, we only verify that they always converge to a stable consensus.
Comparison with [22]. The approach of [22] can only be applied to so-called strongly-silent protocols. However, this class does not contain many fast and succinct protocols recently developed for different tasks [4, 17, 20].
We are able to verify all six protocols reported in [22]. Further, we are also able to verify the fast Majority [5] protocol as well as the succinct protocols Flock-of-birds [20, Sect. 3] and Threshold [20]. All three protocols are not strongly-silent. Although our approach is more general and complete, the time to verify many strongly-silent protocols does not differ significantly between the two approaches. Exceptions are the Flock-of-birds [28] protocols, where we are faster ([22] reaches the timeout at \(c=55\)), as well as the Remainder and the Flock-of-birds-threshold-n protocols, where we are substantially slower ([22] reaches the timeout at \(m=80\) and \(c=350\), respectively). Loosely speaking, the approach of [22] can be faster because they compute inductive overapproximations using an iterative procedure instead of \(\textit{PotReach}\). In some instances already a very weak overapproximation, much less precise than \(\textit{PotReach}\), suffices to verify the result. Our procedure can be adapted to accommodate this (it essentially amounts to first running the procedure of [22] and, if it is inconclusive, then running ours).
Other Distributed Algorithms. We have also used our approach to verify arbitrary LTL liveness properties of non-parameterized systems with arbitrary communication structure. For this we apply standard automata-theoretic techniques and construct a product of the system and a limit-deterministic Büchi automaton for the negation of the property. Checking that no fair runs of the product are accepted by the automaton reduces to checking a stable termination property.
Since we only check correctness of one single finite-state system, we can also apply a probabilistic model checker based on state-space exploration. However, our technique delivers a stage graph, which plays two roles. First, it gives an explanation of why the property holds in terms of invariants and ranking functions, and second, it is a certificate of correctness that can be efficiently checked by independent means.
We verify liveness properties for several leader election and mutex algorithms from the literature [3, 40, 42, 44, 50, 59, 61, 64] under the assumption of a probabilistic scheduler. For the leader election algorithms, we check that a leader is eventually chosen; for the mutex algorithms, we check that the first process enters its critical section infinitely often.
Comparison with PRISM [49]. We compared execution times for verification by our technique and by PRISM on the same models. While PRISM only needs a few seconds to verify instances of the mutex algorithms [3, 40, 50, 59, 61, 64] where we reach the time limit, it reaches the memory limit for the two leader election algorithms [42, 44] already for 70 and 71 processes, which we can still verify.
9 Conclusion and Further Work
We have presented stage graphs, a sound and complete technique for the verification of stable termination properties of replicated systems, an important class of parameterized systems. Using deep results of the theory of Petri nets, we have shown that Presburger stage graphs, a class of stage graphs whose correctness can be reduced to the satisfiability problem of Presburger arithmetic, are also sound and complete. This provides a decision procedure for the verification of termination properties, which is of theoretical nature since it involves a blind enumeration of candidates for Presburger stage graphs. For this reason, we have presented a technique for the algorithmic construction of Presburger stage graphs, designed to exploit the strengths of SMT solvers for existential Presburger formulas, i.e., integer linear constraints. Loosely speaking, the technique searches for linear functions certifying the progress between stages, even though only the much larger class of Presburger functions guarantees completeness.
We have conducted extensive experiments on a large set of benchmarks. In particular, our approach is able to prove correctness of nearly all the standard protocols described in the literature, including several protocols that could not be proved by the technique of [22], which only worked for so-called strongly-silent protocols. We have also successfully applied the technique to some self-stabilization algorithms, leader election and mutual exclusion algorithms.
Our technique is based on the mechanized search for invariants and ranking functions. It avoids the use of state-space exploration as much as possible. For this reason, it also makes sense as a technique for the verification of liveness properties of non-parameterized systems with a finite but very large state space.
Footnotes
1. Under the name of chemical reaction networks.
2. In the paper, we will omit the silent transitions when giving replicated systems.
3. This follows easily from the fact that \( post ^*(\psi )\) is not always expressible in Presburger arithmetic for vector addition systems, even if \(\psi \) denotes a single configuration [43].
4. Observe that if \(C^\omega (q) = \omega \), then the term “\(C(q) \le \omega \)” is equivalent to “\(\mathbf {true}\)”.
5. Notice that for each protocol we check correctness for all inputs; we cannot yet automatically verify that infinitely many protocols are correct, each of them for all possible inputs.
References
1. Abdulla, P.A.: Regular model checking. Int. J. Softw. Tools Technol. Transf. 14(2), 109–118 (2012). https://doi.org/10.1007/s10009-011-0216-8
2. Abdulla, P.A., Cerans, K., Jonsson, B., Tsay, Y.: General decidability theorems for infinite-state systems. In: Proceedings of the 11th Annual IEEE Symposium on Logic in Computer Science, LICS 1996, New Brunswick, New Jersey, USA, 27–30 July 1996, pp. 313–321. IEEE Computer Society (1996). https://doi.org/10.1109/LICS.1996.561359
3. Abdulla, P.A., Delzanno, G., Henda, N.B., Rezine, A.: Regular model checking without transducers (on efficient verification of parameterized systems). In: Grumberg, O., Huth, M. (eds.) TACAS 2007. LNCS, vol. 4424, pp. 721–736. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-71209-1_56
4. Alistarh, D., Gelashvili, R.: Recent algorithmic advances in population protocols. SIGACT News 49(3), 63–73 (2018). https://doi.org/10.1145/3289137.3289150
5. Alistarh, D., Gelashvili, R., Vojnovic, M.: Fast and exact majority in population protocols. In: Georgiou, C., Spirakis, P.G. (eds.) Proceedings of the 34th ACM Symposium on Principles of Distributed Computing, PODC 2015, Donostia-San Sebastián, Spain, 21–23 July 2015, pp. 47–56. ACM (2015). https://doi.org/10.1145/2767386.2767429
6. Aminof, B., Rubin, S., Zuleger, F., Spegni, F.: Liveness of parameterized timed networks. In: Halldórsson, M.M., Iwama, K., Kobayashi, N., Speckmann, B. (eds.) ICALP 2015, Part II. LNCS, vol. 9135, pp. 375–387. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47666-6_30
7. Angluin, D.: Learning regular sets from queries and counterexamples. Inf. Comput. 75(2), 87–106 (1987). https://doi.org/10.1016/0890-5401(87)90052-6
8. Angluin, D., Aspnes, J., Diamadi, Z., Fischer, M.J., Peralta, R.: Computation in networks of passively mobile finite-state sensors. In: Chaudhuri, S., Kutten, S. (eds.) Proceedings of the 23rd Annual ACM Symposium on Principles of Distributed Computing, PODC 2004, St. John’s, Newfoundland, Canada, 25–28 July 2004, pp. 290–299. ACM (2004). https://doi.org/10.1145/1011767.1011810
9. Angluin, D., Aspnes, J., Diamadi, Z., Fischer, M.J., Peralta, R.: Computation in networks of passively mobile finite-state sensors. Distrib. Comput. 18(4), 235–253 (2006). https://doi.org/10.1007/s00446-005-0138-3
10. Angluin, D., Aspnes, J., Eisenstat, D., Ruppert, E.: The computational power of population protocols. Distrib. Comput. 20(4), 279–304 (2007). https://doi.org/10.1007/s00446-007-0040-2
11. Athanasiou, K., Liu, P., Wahl, T.: Unbounded-thread program verification using thread-state equations. In: Olivetti, N., Tiwari, A. (eds.) IJCAR 2016. LNCS (LNAI), vol. 9706, pp. 516–531. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-40229-1_35
12. Babiak, T., et al.: The Hanoi omega-automata format. In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015, Part I. LNCS, vol. 9206, pp. 479–486. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-21690-4_31
13. Baier, C., Katoen, J.: Principles of Model Checking. MIT Press, Cambridge (2008)
14. Basler, G., Mazzucchi, M., Wahl, T., Kroening, D.: Symbolic counter abstraction for concurrent software. In: Bouajjani, A., Maler, O. (eds.) CAV 2009. LNCS, vol. 5643, pp. 64–78. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02658-4_9
15. Berman, L.: The complexity of logical theories. Theoret. Comput. Sci. 11, 71–77 (1980). https://doi.org/10.1016/0304-3975(80)90037-7
16. Bloem, R., Jacobs, S., Khalimov, A., Konnov, I., Rubin, S., Veith, H., Widder, J.: Decidability of Parameterized Verification. Synthesis Lectures on Distributed Computing Theory. Morgan & Claypool Publishers (2015). https://doi.org/10.2200/S00658ED1V01Y201508DCT013
17. Blondin, M., Esparza, J., Genest, B., Helfrich, M., Jaax, S.: Succinct population protocols for Presburger arithmetic. In: Proceedings of 37th International Symposium on Theoretical Aspects of Computer Science, STACS 2020, 10–13 March 2020, Montpellier, France. LIPIcs, vol. 154, pp. 40:1–40:15. Schloss Dagstuhl - Leibniz-Zentrum für Informatik (2020). https://doi.org/10.4230/LIPIcs.STACS.2020.40
18. Blondin, M., Esparza, J., Helfrich, M., Kučera, A., Meyer, P.J.: Artifact evaluation VM and instructions to generate experimental results for the CAV20 paper: checking Qualitative Liveness Properties of Replicated Systems with Stochastic Scheduling. figshare:12295982 (2020). https://doi.org/10.6084/m9.figshare.12295982.v2
19. Blondin, M., Esparza, J., Helfrich, M., Kučera, A., Meyer, P.J.: Checking qualitative liveness properties of replicated systems with stochastic scheduling. arXiv:2005.03555 [cs.LO] (2020). https://arxiv.org/abs/2005.03555
20. Blondin, M., Esparza, J., Jaax, S.: Large flocks of small birds: on the minimal size of population protocols. In: Proceedings of 35th Symposium on Theoretical Aspects of Computer Science, STACS 2018, 28 February - 3 March 2018, Caen, France. LIPIcs, vol. 96, pp. 16:1–16:14. Schloss Dagstuhl - Leibniz-Zentrum für Informatik (2018). https://doi.org/10.4230/LIPIcs.STACS.2018.16
21. Blondin, M., Esparza, J., Jaax, S.: Peregrine: a tool for the analysis of population protocols. In: Chockler, H., Weissenbacher, G. (eds.) CAV 2018, Part I. LNCS, vol. 10981, pp. 604–611. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96145-3_34
22. Blondin, M., Esparza, J., Jaax, S., Meyer, P.J.: Towards efficient verification of population protocols. In: Schiller, E.M., Schwarzmann, A.A. (eds.) Proceedings of 36th ACM Symposium on Principles of Distributed Computing, PODC 2017, Washington, DC, USA, 25–27 July 2017, pp. 423–430. ACM (2017). https://doi.org/10.1145/3087801.3087816
23. Blondin, M., Esparza, J., Kučera, A.: Automatic analysis of expected termination time for population protocols. In: Schewe, S., Zhang, L. (eds.) Proceedings of 29th International Conference on Concurrency Theory, CONCUR 2018, 4–7 September 2018, Beijing, China. LIPIcs, vol. 118, pp. 33:1–33:16. Schloss Dagstuhl - Leibniz-Zentrum für Informatik (2018). https://doi.org/10.4230/LIPIcs.CONCUR.2018.33
24. Blondin, M., Finkel, A., Haase, C., Haddad, S.: The logical view on continuous Petri nets. ACM Trans. Comput. Log. (TOCL) 18(3), 24:1–24:28 (2017). https://doi.org/10.1145/3105908
25. Bouajjani, A., Jonsson, B., Nilsson, M., Touili, T.: Regular model checking. In: Emerson, E.A., Sistla, A.P. (eds.) CAV 2000. LNCS, vol. 1855, pp. 403–418. Springer, Heidelberg (2000). https://doi.org/10.1007/10722167_31
26. Browne, M.C., Clarke, E.M., Grumberg, O.: Reasoning about networks with many identical finite state processes. Inf. Comput. 81(1), 13–31 (1989). https://doi.org/10.1016/0890-5401(89)90026-6
27. Cardelli, L., Csikász-Nagy, A.: The cell cycle switch computes approximate majority. Sci. Rep. 2(1), 656 (2012). https://doi.org/10.1038/srep00656
28. Chatzigiannakis, I., Michail, O., Spirakis, P.G.: Algorithmic verification of population protocols. In: Dolev, S., Cobb, J., Fischer, M., Yung, M. (eds.) SSS 2010. LNCS, vol. 6366, pp. 221–235. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-16023-3_19
29. Chen, Y., Hong, C., Lin, A.W., Rümmer, P.: Learning to prove safety over parameterised concurrent systems. In: Stewart, D., Weissenbacher, G. (eds.) Proceedings of 17th International Conference on Formal Methods in Computer Aided Design, FMCAD 2017, Vienna, Austria, 2–6 October 2017, pp. 76–83. IEEE (2017). https://doi.org/10.23919/FMCAD.2017.8102244
30. Clarke, E., Talupur, M., Touili, T., Veith, H.: Verification by network decomposition. In: Gardner, P., Yoshida, N. (eds.) CONCUR 2004. LNCS, vol. 3170, pp. 276–291. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28644-8_18
31. Clément, J., Delporte-Gallet, C., Fauconnier, H., Sighireanu, M.: Guidelines for the verification of population protocols. In: Proceedings of 31st International Conference on Distributed Computing Systems, ICDCS 2011, Minneapolis, Minnesota, USA, 20–24 June 2011, pp. 215–224. IEEE Computer Society (2011). https://doi.org/10.1109/ICDCS.2011.36
32. Cooper, D.C.: Theorem proving in arithmetic without multiplication. Mach. Intell. 7, 91–99 (1972)
33. Czerwinski, W., Lasota, S., Lazic, R., Leroux, J., Mazowiecki, F.: The reachability problem for Petri nets is not elementary. In: Charikar, M., Cohen, E. (eds.) Proceedings of 51st Annual ACM SIGACT Symposium on Theory of Computing, STOC 2019, Phoenix, AZ, USA, 23–26 June 2019, pp. 24–33. ACM (2019). https://doi.org/10.1145/3313276.3316369
34. Emerson, E.A., Namjoshi, K.S.: On reasoning about rings. Int. J. Found. Comput. Sci. 14(4), 527–550 (2003). https://doi.org/10.1142/S0129054103001881
35. Esparza, J., Ganty, P., Leroux, J., Majumdar, R.: Model checking population protocols. In: Lal, A., Akshay, S., Saurabh, S., Sen, S. (eds.) Proceedings of 36th IARCS Annual Conference on Foundations of Software Technology and Theoretical Computer Science, FSTTCS 2016, Chennai, India, 13–15 December 2016. LIPIcs, vol. 65, pp. 27:1–27:14. Schloss Dagstuhl - Leibniz-Zentrum für Informatik (2016). https://doi.org/10.4230/LIPIcs.FSTTCS.2016.27
36. Esparza, J., Ganty, P., Leroux, J., Majumdar, R.: Verification of population protocols. Acta Inf. 54(2), 191–215 (2017). https://doi.org/10.1007/s00236-016-0272-3
37. Esparza, J., Ledesma-Garza, R., Majumdar, R., Meyer, P., Niksic, F.: An SMT-based approach to coverability analysis. In: Biere, A., Bloem, R. (eds.) CAV 2014. LNCS, vol. 8559, pp. 603–619. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-08867-9_40
38. Esparza, J., Meyer, P.J.: An SMT-based approach to fair termination analysis. In: Kaivola, R., Wahl, T. (eds.) Proceedings of 15th International Conference on Formal Methods in Computer-Aided Design, FMCAD 2015, Austin, Texas, USA, 27–30 September 2015, pp. 49–56. IEEE (2015)
39. Finkel, A., Schnoebelen, P.: Well-structured transition systems everywhere! Theoret. Comput. Sci. 256(1–2), 63–92 (2001). https://doi.org/10.1016/S0304-3975(00)00102-X
40. Fribourg, L., Olsén, H.: Reachability sets of parameterized rings as regular languages. In: Moller, F. (ed.) Proceedings of 2nd International Workshop on Verification of Infinite State Systems, Infinity 1997, Bologna, Italy, 11–12 July 1997. Electronic Notes in Theoretical Computer Science, vol. 9, p. 40. Elsevier (1997). https://doi.org/10.1016/S1571-0661(05)80427-X
41. German, S.M., Sistla, A.P.: Reasoning about systems with many processes. J. ACM 39(3), 675–735 (1992). https://doi.org/10.1145/146637.146681
42. Herman, T.: Probabilistic self-stabilization. Inf. Process. Lett. 35(2), 63–67 (1990). https://doi.org/10.1016/0020-0190(90)90107-9
43. Hopcroft, J.E., Pansiot, J.: On the reachability problem for 5-dimensional vector addition systems. Theoret. Comput. Sci. 8, 135–159 (1979). https://doi.org/10.1016/0304-3975(79)90041-0
44. Israeli, A., Jalfon, M.: Token management schemes and random walks yield self-stabilizing mutual exclusion. In: Dwork, C. (ed.) Proceedings of 9th Annual ACM Symposium on Principles of Distributed Computing, PODC 1990, Quebec City, Quebec, Canada, 22–24 August 1990, pp. 119–131. ACM (1990). https://doi.org/10.1145/93385.93409
45. Jancar, P., Purser, D.: Structural liveness of Petri nets is EXPSPACE-hard and decidable. Acta Inf. 56(6), 537–552 (2019). https://doi.org/10.1007/s00236-019-00338-6
46. Kaiser, A., Kroening, D., Wahl, T.: Dynamic cutoff detection in parameterized concurrent programs. In: Touili, T., Cook, B., Jackson, P. (eds.) CAV 2010. LNCS, vol. 6174, pp. 645–659. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14295-6_55
47. Kaiser, A., Kroening, D., Wahl, T.: A widening approach to multithreaded program verification. ACM Trans. Program. Lang. Syst. 36(4), 14:1–14:29 (2014). https://doi.org/10.1145/2629608
48. Křetínský, J., Meggendorfer, T., Sickert, S.: Owl: a library for \(\omega \)-words, automata, and LTL. In: Lahiri, S.K., Wang, C. (eds.) ATVA 2018. LNCS, vol. 11138, pp. 543–550. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-01090-4_34
49. Kwiatkowska, M., Norman, G., Parker, D.: PRISM 4.0: verification of probabilistic real-time systems. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 585–591. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22110-1_47
50. Lehmann, D., Rabin, M.O.: On the advantages of free choice: a symmetric and fully distributed solution to the dining philosophers problem. In: White, J., Lipton, R.J., Goldberg, P.C. (eds.) Proceedings of 8th Annual ACM Symposium on Principles of Programming Languages, POPL 1981, Williamsburg, Virginia, USA, January 1981, pp. 133–138. ACM Press (1981). https://doi.org/10.1145/567532.567547
51. Lengál, O., Lin, A.W., Majumdar, R., Rümmer, P.: Fair termination for parameterized probabilistic concurrent systems. In: Legay, A., Margaria, T. (eds.) TACAS 2017, Part I. LNCS, vol. 10205, pp. 499–517. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54577-5_29
52. Leroux, J.: Vector addition systems reachability problem (a simpler solution). In: Voronkov, A. (ed.) Proceedings of the Alan Turing Centenary Conference, Turing 100, Manchester, UK, 22–25 June 2012. EPiC Series in Computing, vol. 10, pp. 214–228. EasyChair (2012). https://doi.org/10.29007/bnx2
53. Leroux, J.: Presburger vector addition systems. In: Proceedings of 28th Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2013, New Orleans, LA, USA, 25–28 June 2013, pp. 23–32. IEEE Computer Society (2013). https://doi.org/10.1109/LICS.2013.7
54. Leroux, J.: Vector addition system reversible reachability problem. Log. Methods Comput. Sci. 9(1) (2013). https://doi.org/10.2168/LMCS-9(1:5)2013
55. Lin, A.W., Rümmer, P.: Liveness of randomised parameterised systems under arbitrary schedulers. In: Chaudhuri, S., Farzan, A. (eds.) CAV 2016, Part II. LNCS, vol. 9780, pp. 112–133. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-41540-6_7
56. Moran, P.A.P.: Random processes in genetics. Math. Proc. Cambridge Philos. Soc. 54(1), 60–71 (1958). https://doi.org/10.1017/S0305004100033193
57. de Moura, L., Bjørner, N.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78800-3_24
58. Navlakha, S., Bar-Joseph, Z.: Distributed information processing in biological and computational systems. Commun. ACM 58(1), 94–102 (2015). https://doi.org/10.1145/2678280
59. Nilsson, M.: Regular model checking. Ph.D. thesis, Uppsala University (2000)
60. Pang, J., Luo, Z., Deng, Y.: On automatic verification of self-stabilizing population protocols. In: Proceedings of 2nd IEEE/IFIP International Symposium on Theoretical Aspects of Software Engineering, TASE 2008, 17–19 June 2008, Nanjing, China, pp. 185–192. IEEE Computer Society (2008). https://doi.org/10.1109/TASE.2008.8
61. Peterson, G.L.: Myths about the mutual exclusion problem. Inf. Process. Lett. 12(3), 115–116 (1981). https://doi.org/10.1016/0020-0190(81)90106-X
62. Presburger, M.: Über die Vollständigkeit eines gewissen Systems der Arithmetik ganzer Zahlen, in welchem die Addition als einzige Operation hervortritt. Comptes Rendus du \(\text{I}^\text{er}\) Congrès des mathématiciens des pays slaves, pp. 192–201 (1929)
63. Sun, J., Liu, Y., Dong, J.S., Pang, J.: PAT: towards flexible verification under fairness. In: Bouajjani, A., Maler, O. (eds.) CAV 2009. LNCS, vol. 5643, pp. 709–714. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02658-4_59
64. Szymanski, B.K.: A simple solution to Lamport’s concurrent programming problem with linear wait. In: Lenfant, J. (ed.) Proceedings of 2nd International Conference on Supercomputing, ICS 1988, Saint Malo, France, 4–8 July 1988, pp. 621–626. ACM (1988). https://doi.org/10.1145/55364.55425
65. Vardi, M.Y.: Automatic verification of probabilistic concurrent finite-state programs. In: Proceedings of 26th Annual Symposium on Foundations of Computer Science, FOCS 1985, Portland, Oregon, USA, 21–23 October 1985, pp. 327–338. IEEE Computer Society (1985). https://doi.org/10.1109/SFCS.1985.12
Copyright information
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.