Abstract
Stutter-invariant properties play a special role in state-based model checking: they are the properties that can be checked using partial order reduction (POR), an indispensable optimization. There are algorithms to decide whether an LTL formula or Büchi automaton (BA) specifies a stutter-invariant property, and to convert such a BA to a form that is appropriate for on-the-fly POR-based model checking.
The interruptible properties play the same role in action-based model checking that stutter-invariant properties play in the state-based case. These are the properties that are invariant under the insertion or deletion of “invisible” actions. We present algorithms to decide whether an LTL formula or BA specifies an interruptible property, and show how a BA can be transformed to an interrupt normal form that can be used in an on-the-fly POR algorithm. We have implemented these algorithms in a new model checker named McRERS, and demonstrate their effectiveness using the RERS 2019 benchmark suite.
Keywords
 Model checking
 Action
 Event
 LTL
 Stutter-invariant
Y. Yan—Currently employed at Google.
1 Introduction
To apply model checking to a concurrent system, one must formulate properties that the system is expected to satisfy. A property may be expressed by specifying acceptable sequences of states, or by specifying acceptable sequences of actions—the events that cause the state to change. Each approach has advantages and disadvantages, and in any particular context one may be more appropriate than the other.
In the state-based context, there is a rich theory involving automata, logic, and reduction for model checking. Some of the core ideas in this theory can be summarized as follows. First, the behavior of the concurrent system is represented by a state-transition system T. One identifies a set \(\textsf {AP}\) of atomic propositions, and each state of T is labeled by the set of propositions which hold at that state. An execution passes through an infinite sequence of states, which defines a trace, i.e., a sequence of subsets of \(\textsf {AP}\). A property P is a set of traces, and T satisfies P if every trace of T is in P.
Properties may be specified by formulas in a temporal logic, such as LTL [26]. There are algorithms (e.g., [37]) to convert an LTL formula \(\phi \) to an equivalent Büchi automaton (BA) \(B_{\phi }\) with alphabet \(2^{\textsf {AP}}\). (Properties may also be specified directly using BAs.) The system T satisfies \(\phi \) if and only if the language of the synchronous product \(T\otimes B_{\lnot \phi }\) is empty. The emptiness of the language can be determined on-the-fly, i.e., while the reachable states of the product are being constructed.
A property P is stutter-invariant if it is closed under the insertion and deletion of repetitions, i.e., \(s_0s_1\cdots \in P \;\Leftrightarrow \;s_0^{i_0}s_1^{i_1}\cdots \in P\) holds for any positive integers \(i_0,i_1,\cdots \). Many algorithms are known for deciding whether an LTL formula or a BA specifies a stutter-invariant property [22, 24]. There is also an argument that only stutter-invariant properties should be used in practice. For example, suppose that a trace is formed by sampling the state of a system once every millisecond. If we sample the same system twice each millisecond, and there are no state changes in the sub-millisecond intervals, the second trace will be stutter-equivalent to the first. A meaningful property should be invariant under this choice of time resolution.
Stutter-invariant properties are desirable for another reason: they admit the most significant optimization in model checking, partial order reduction (POR, [15, 23, 25]). At each state encountered in the exploration of the product space, an on-the-fly POR scheme produces a subset of the enabled transitions. Restricting the search to the transitions in those subsets does not affect the language emptiness question. Recent work has revealed that the BA must have a certain form, “SI normal form”, when POR is used with on-the-fly model checking, but any BA with a stutter-invariant language can be easily transformed into SI normal form [27].
The purpose of this paper is to elaborate an analogous theory for event-based models. Event-based models of concurrency are widely used and have been extremely influential for over three decades. For example, process algebras, such as CSP, are event-based and use labeled transition systems (LTSs) for the semantic model. Event-based models are the main formalism used in assume-guarantee reasoning (e.g., [10]), and in many other areas. There are mature model checking and verification tools for process algebras and LTSs, which have significant industrial applications; see, e.g., [13]. Temporal logics, including LTL, CTL, and CTL*, have long been used to specify event-based systems [3, 7, 12].
We call the class of properties in the action context that are analogous to the stutter-invariant properties in the state context the interruptible properties (Sect. 3). These properties are invariant under “action stuttering” [34], i.e., the insertion or deletion of “invisible” actions. We present algorithms for deciding whether an LTL formula or a BA specifies an interruptible property (Theorems 1 and 2); to the best of our knowledge, these are the first published algorithms for deciding this property of formulas or automata.
Interruptible properties play the same role in action-based POR that stutter-invariant properties play in state-based POR. In particular, we present an action-based on-the-fly POR algorithm that works for interruptible properties (Sect. 4). As with the state-based case, the algorithm requires that the BA be in a certain normal form. We introduce a novel interrupt normal form (Definition 11) for this purpose, and show how any BA with an interruptible language can be transformed into that form. The relation to earlier work is discussed in Sect. 5. The effectiveness of these reduction techniques is demonstrated by applying them to problems in the 2019 RERS benchmark suite (Sect. 6).
2 Preliminaries
Let S be a set. \(2^{S}\) denotes the set of all subsets of S. \(S^*\) denotes the set of finite sequences of elements of S; \(S^\omega \) the infinite sequences. Let \(\zeta =s_0s_1\cdots \) be a (finite or infinite) sequence and \(i\ge 0\). If \(\zeta \) is finite of length n, assume \(i<n\). Then \(\zeta (i)\) denotes the element \(s_i\). For any \(i\ge 0\), \(\zeta ^i\) denotes the suffix \(s_is_{i+1}\cdots \). (\(\zeta ^i\) is empty if \(\zeta \) is finite and \(i\ge n\)).
For \(\zeta \in S^*\) and \(\eta \in S^*\cup S^\omega \), \(\zeta \circ \eta \) denotes the concatenation of \(\zeta \) and \(\eta \).
If \(S\subseteq T\) and \(\eta \) is a sequence of elements of T, \(\eta _S\) denotes the sequence obtained by deleting from \(\eta \) all elements not in S.
2.1 Linear Temporal Logic
Let \({\textsf {Act}}\) be a universal set of actions. We assume \({\textsf {Act}}\) is infinite.
Definition 1
\({\mathsf {Form}}\) (the LTL formulas over \({\textsf {Act}}\)) is the smallest set satisfying:

\({\mathsf {true}}\in {\mathsf {Form}}\),

if \(a\in {\textsf {Act}}\) then \(a\in {\mathsf {Form}}\), and

if f and g are in \({\mathsf {Form}}\), so are \(\lnot f\), \(f\wedge g\), \({\mathbf {X}}{}f\), and \(f{\mathbf {U}}{} g\).
Additional operators are defined as shorthand for other formulas: \({\mathsf {false}}= \lnot {\mathsf {true}}\), \(f\vee g = \lnot ((\lnot f) \wedge \lnot g)\), \(f\rightarrow g = (\lnot f)\vee g\), \({\mathbf {F}}{}f = {\mathsf {true}}{\mathbf {U}}{} f\), \({\mathbf {G}}{}f = \lnot {\mathbf {F}}\lnot f\), and \(f{\mathbf {W}}g = (f{\mathbf {U}}g)\vee {\mathbf {G}}f\). \(\square \)
Definition 2
The alphabet of an LTL formula f, denoted \(\alpha f\), is the set of actions that occur syntactically within f. \(\square \)
Definition 3
The action-based semantics of LTL is defined by the relation \(\zeta ~\models _{\scriptscriptstyle {{\mathsf {A}}}~}f\), where \(\zeta \in {\textsf {Act}}^\omega \) and \(f\in {\mathsf {Form}}\), which is defined as follows:

\(\zeta ~\models _{\scriptscriptstyle {{\mathsf {A}}}~}{\mathsf {true}}\),

\(\zeta ~\models _{\scriptscriptstyle {{\mathsf {A}}}~}a\) iff \(\zeta (0)=a\),

\(\zeta ~\models _{\scriptscriptstyle {{\mathsf {A}}}~}\lnot f\) iff \(\zeta \not \models _{\scriptscriptstyle {\mathsf {A}}}~f\),

\(\zeta ~\models _{\scriptscriptstyle {{\mathsf {A}}}~}f\wedge g\) iff \(\zeta ~\models _{\scriptscriptstyle {{\mathsf {A}}}~}f\) and \(\zeta ~\models _{\scriptscriptstyle {{\mathsf {A}}}~}g\),

\(\zeta ~\models _{\scriptscriptstyle {{\mathsf {A}}}~}{\mathbf {X}}f\) iff \(\zeta ^1~\models _{\scriptscriptstyle {{\mathsf {A}}}~}f\), and

\(\zeta ~\models _{\scriptscriptstyle {{\mathsf {A}}}~}f{\mathbf {U}}{} g\) iff \(\exists i\ge 0\, .\, (\zeta ^i~\models _{\scriptscriptstyle {{\mathsf {A}}}~}g\, \wedge \, \forall j\in 0..i-1\, .\, \zeta ^j~\models _{\scriptscriptstyle {{\mathsf {A}}}~}f)\). \(\square \)
When using the action-based semantics, the logic is sometimes referred to as “Action LTL” or ALTL [11, 12].
The state-based semantics is defined by a relation \(\xi ~\models _{\scriptscriptstyle {{\mathsf {S}}}~}f\), where \(\xi \in (2^{{\textsf {Act}}})^\omega \). The definition of \(~\models _{\scriptscriptstyle {{\mathsf {S}}}~}\) is well-known, and is exactly the same as Definition 3, except that \(\xi ~\models _{\scriptscriptstyle {{\mathsf {S}}}~}a\) iff \(a\in \xi (0)\). The action semantics are consistent with the state semantics in the following sense. Let \(f\in {\mathsf {Form}}\), and \(\zeta =a_0a_1\cdots \in {\textsf {Act}}^{\omega }\). Let \(\xi =\{a_0\}\{a_1\}\cdots \in (2^{{\textsf {Act}}})^\omega \). Then \(\zeta ~\models _{\scriptscriptstyle {{\mathsf {A}}}~}f\) iff \(\xi ~\models _{\scriptscriptstyle {{\mathsf {S}}}~}f\). The main difference between the state-based and action-based formalisms is that in the state-based formalism, any number of atomic propositions can hold at each step. In the action-based formalism, precisely one action occurs in each step.
Definition 4
Let \(f,g\in {\mathsf {Form}}\). Define

(action equivalence) \(f\equiv _{\scriptscriptstyle {{\mathsf {A}}}}g\) if \((\zeta ~\models _{\scriptscriptstyle {{\mathsf {A}}}~}f \;\Leftrightarrow \;\zeta ~\models _{\scriptscriptstyle {{\mathsf {A}}}~}g)\) for all \(\zeta \in {\textsf {Act}}^\omega \)

(state equivalence) \(f\equiv _{\scriptscriptstyle {{\mathsf {S}}}}g\) if \((\xi ~\models _{\scriptscriptstyle {{\mathsf {S}}}~}f \;\Leftrightarrow \;\xi ~\models _{\scriptscriptstyle {{\mathsf {S}}}~}g)\) for all \(\xi \in (2^{{\textsf {Act}}})^\omega \). \(\square \)
The following fact about the state-based semantics can be proved by induction on the formula structure:
Lemma 1
Let \(f\in \mathsf {Form}\) and \(\xi =s_0s_1\cdots \in (2^{\mathsf {Act}})^\omega \). Let \(\xi '=s'_0s'_1\cdots \), where \(s'_i=\alpha f \cap s_i\). Then \(\xi ~\models _{\scriptscriptstyle {{\mathsf {S}}}~}f\) iff \(\xi '~\models _{\scriptscriptstyle {{\mathsf {S}}}~}f\).
The following shows that action LTL, like ordinary state-based LTL, is a decidable logic:
Proposition 1
Let \(f,g\in {\mathsf {Form}}\), \(A=\alpha f \cup \alpha g\), and
Then \(f\equiv _{\scriptscriptstyle {{\mathsf {A}}}}g \;\Leftrightarrow \;f\wedge h \equiv _{\scriptscriptstyle {{\mathsf {S}}}}g\wedge h\). In particular, action equivalence is decidable.
Proof
Note the meaning of h: at each step in a state-based trace, at most one element of A is true.
Suppose \(f\wedge h \equiv _{\scriptscriptstyle {{\mathsf {S}}}}g\wedge h\). Let \(\zeta =a_0a_1\cdots \in {\textsf {Act}}^\omega \). Let \(\xi =\{a_0\}\{a_1\}\cdots \). We have \(\xi ~\models _{\scriptscriptstyle {{\mathsf {S}}}~}h\). By the consistency of the state and action semantics, we have
hence \(f\equiv _{\scriptscriptstyle {{\mathsf {A}}}}g\).
Suppose instead that \(f\equiv _{\scriptscriptstyle {{\mathsf {A}}}}g\). We wish to show \(\xi ~\models _{\scriptscriptstyle {{\mathsf {S}}}~}f\wedge h \;\Leftrightarrow \;\xi ~\models _{\scriptscriptstyle {{\mathsf {S}}}~}g\wedge h\) for any \(\xi =s_0s_1\cdots \in (2^{{\textsf {Act}}})^\omega \). By Lemma 1, it suffices to assume \(s_i\subseteq A\) for all i.
Let \(\tau \) be any element of \({\textsf {Act}}\setminus A\). (Here we are using the fact that \({\textsf {Act}}\) is infinite, while A is finite.) If \(|s_i|>1\) for some i, then \(\xi \) violates h and therefore violates both \(f\wedge h\) and \(g\wedge h\). So suppose \(|s_i|\le 1\) for all i, which means \(\xi ~\models _{\scriptscriptstyle {{\mathsf {S}}}~}h\). Let \(\zeta =a_0a_1\cdots \), where \(a_i\) is the sole member of \(s_i\) if \(|s_i|=1\), or \(\tau \) if \(|s_i|=0\). By Lemma 1, \(\xi ~\models _{\scriptscriptstyle {{\mathsf {S}}}~}f\) iff \(\{a_0\}\{a_1\}\cdots \models _{\scriptscriptstyle {{\mathsf {S}}}~}f\). By the consistency of the action and state semantics, this is equivalent to \(\zeta ~\models _{\scriptscriptstyle {{\mathsf {A}}}~}f\). A similar statement holds for g. Hence
The proposition reduces the question of action equivalence to one of ordinary (state) equivalence of LTL formulas, which is known to be decidable ([26], see also [36, Thm. 24]). \(\square \)
Definition 5
For \(A\subseteq {\textsf {Act}}\) and \(f\in {\mathsf {Form}}\) with \(\alpha f\subseteq A\), let
\(\square \)
2.2 Büchi Automata
Definition 6
A Büchi Automaton (BA) over \({\textsf {Act}}\) is a tuple \((S,\varSigma ,\rightarrow ,S^{0},F)\) where

1.
S is a finite set of states,

2.
\(\varSigma \), the alphabet, is a finite subset of \({\textsf {Act}}\),

3.
\(\rightarrow \subseteq S\times \varSigma \times S\) is the transition relation,

4.
\(S^{0}\subseteq S\) is the set of initial states, and

5.
\(F\subseteq S\) is the set of accepting states. \(\square \)
We will use the following notation and terminology for a BA B. The source of a transition \((s,a,s')\) is s, the destination is \(s'\), and the label is a. We write \(s\xrightarrow {a}s'\) as shorthand for \((s,a,s')\in \rightarrow \), and \(s\xrightarrow {a_{0}a_{1}\ldots a_{n}}s'\) for \(\exists s_{1},s_{2},\ldots s_{n}\in S\, .\, s\xrightarrow {a_{0}}s_{1}\xrightarrow {a_{1}}s_{2}\ldots s_{n}\xrightarrow {a_{n}}s'\). For \(a\in A\) and \(s\in S\), we say a is enabled at s if \(s{\mathop {\rightarrow }\limits ^{a}}s'\) for some \(s'\in S\). The set of all actions enabled at s is denoted \(\textsf {enabled}(B,s)\).
For \(s\in S\), a path in B starting from s is a (finite or infinite) sequence \(\pi \) of transitions such that (1) if \(\pi \) is not empty, the source of \(\pi (0)\) is s, and (2) the destination of \(\pi (i)\) is the source of \(\pi (i+1)\) for all i for which these are defined. If \(\pi \) is not empty, define \({\mathsf {first}}(\pi )\) to be s; if \(\pi \) is finite, define \({\mathsf {last}}(\pi )\) to be the destination of the last transition of \(\pi \). We say \(\pi \) spells the word \(a_0a_1\cdots \), where \(a_i\) is the label of \(\pi (i)\).
An infinite path is accepting if it visits a state in F infinitely often. An (accepting) trace starting from s is a word spelled by an (accepting) path starting from s. An (accepting) trace of B is an (accepting) trace starting from an initial state. The language of B, denoted \(\mathcal {L}(B)\), is the set of all accepting traces of B.
Proposition 2
There is an algorithm that consumes any finite subset A of \(\mathsf {Act}\) and an \(f\in {\mathsf {Form}}\) with \(\alpha f\subseteq A\), and produces a BA B with alphabet A such that \(\mathcal {L}(B)=\mathcal {L}(f,A)\).
Proof
There are well-known algorithms to produce a BA C with alphabet \(2^{A}\) which accepts exactly the words satisfying f under the state semantics (e.g., [37]). Let B be the same as C, except the alphabet is A and there is a transition \(s\xrightarrow {a}s'\) in B iff there is a transition \(s\xrightarrow {\{a\}}s'\) in C. We have
\(\square \)
In practice, tools that convert LTL formulas to BAs produce an automaton in which an edge is labeled by a propositional formula \(\phi \) over \(\alpha f\). Such an edge represents a set of transitions, one for each \(P\subseteq A\) for which \(\phi \) holds for the valuation that assigns \(\textit{true}\) to each element of P and \(\textit{false}\) to each element of \(A\setminus P\). In this case, the conversion to B entails creating one transition for each \(a\in A\) for which \(\phi \) holds when \(\textit{true}\) is assigned to a and \(\textit{false}\) is assigned to all other actions.
Definition 7
Let \(B_{i} = (S_i,\varSigma _i,\rightarrow _i, S^{0}_i,F_i)\) (\(i=1,2\)) denote two BAs over \({\textsf {Act}}\). The parallel composition of \(B_1\) and \(B_2\) is the BA
where \(\rightarrow \) is defined by
\(\square \)
If we flatten all tuples (e.g., identify \((S_1\times S_2)\times S_3\) with \(S_1\times S_2\times S_3\)) then \(\parallel \) is an associative operator.
Note that in the special case where the two automata have the same alphabet (\(\varSigma _1=\varSigma _2\)), every action is synchronizing, and the parallel composition is the usual “synchronous product.” In this case, \(\mathcal {L}(B_1\parallel B_2)=\mathcal {L}(B_1)\cap \mathcal {L}(B_2)\).
2.3 Labeled Transition Systems
Definition 8
A labeled transition system (LTS) over \({\textsf {Act}}\) is a tuple \((Q,A,\rightarrow ,q^{0})\) for which \((Q,A,\rightarrow ,\{q^0\},Q)\) is a BA over \({\textsf {Act}}\). In other words, it is a BA in which all states are accepting and there is only one initial state. \(\square \)
Definition 9
Let M be an LTS with alphabet A, and f an LTL formula with \(\alpha f\subseteq A\). We write \(M~\models ~f\) if \(\mathcal {L}(M)\subseteq \mathcal {L}(f,A)\). \(\square \)
The following observation is the basis of the automatatheoretic approach to model checking (cf. [36, §4.2]):
Proposition 3
Let M be an LTS with alphabet A and f an LTL formula with \(\alpha f\subseteq A\). Let B be a BA with \(\mathcal {L}(B)=\mathcal {L}(\lnot f,A)\). Then \(M~\models ~f\;\Leftrightarrow \;\mathcal {L}(M\parallel B)=\emptyset \).
Proof
M and B have the same alphabet, so \(\mathcal {L}(M\parallel B)=\mathcal {L}(M)\cap \mathcal {L}(B)\), hence
This set is empty iff \(\mathcal {L}(M)\subseteq \mathcal {L}(f,A)\). \(\square \)
There are various algorithms to determine language emptiness of a BA; in this paper we use the well-known Nested Depth First Search (NDFS) algorithm [2].
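As an added illustration of Proposition 3 and of the NDFS emptiness check (this is example code written for this page, not code from the paper or from McRERS), the following Python builds the product \(M\parallel B\) of an LTS M with a property automaton B over the same alphabet and runs a nested depth-first search on it. The LTSs and the hand-built BA for \(\lnot {\mathbf {G}}(a\rightarrow {\mathbf {F}}b)\) are constructed inputs, and the product assumes, as in the proposition, that M is an LTS (every state accepting), so that a product state is accepting exactly when its B-component is.

```python
# Added example (not from the paper or McRERS): Proposition 3 in code.
# M || B for equal alphabets is the synchronous product; since every LTS
# state is accepting, a product state is accepting iff its B-part is.
# Emptiness of the product language is decided by nested DFS (NDFS).
from collections import defaultdict


class BA:
    """Büchi automaton (Definition 6) with explicit transition triples."""

    def __init__(self, states, alphabet, transitions, initial, accepting):
        self.states, self.alphabet = set(states), set(alphabet)
        self.initial, self.accepting = set(initial), set(accepting)
        self.delta = defaultdict(set)            # (s, a) -> set of successors
        for (s, a, t) in transitions:
            assert s in self.states and t in self.states and a in self.alphabet
            self.delta[(s, a)].add(t)


def lts(states, alphabet, transitions, init):
    """An LTS (Definition 8): one initial state, every state accepting."""
    return BA(states, alphabet, transitions, {init}, states)


def sync_product(m, b):
    """Return (initial states, successor function, acceptance test) of M || B.
    Assumes alphabet(M) = alphabet(B) and that M is an LTS."""
    assert m.alphabet == b.alphabet and m.accepting == m.states
    init = {(q, s) for q in m.initial for s in b.initial}

    def succ(state):
        q, s = state
        for a in m.alphabet:                     # every action synchronizes
            for q2 in m.delta[(q, a)]:
                for s2 in b.delta[(s, a)]:
                    yield (q2, s2)

    def acc(state):
        return state[1] in b.accepting

    return init, succ, acc


def ndfs_accepting_cycle(init, succ, acc):
    """Nested DFS: True iff a reachable accepting state lies on a cycle,
    i.e. iff the language is non-empty."""
    blue, red = set(), set()

    def red_dfs(s, seed):                        # look for a cycle back to seed
        red.add(s)
        for t in succ(s):
            if t == seed or (t not in red and red_dfs(t, seed)):
                return True
        return False

    def blue_dfs(s):                             # outer search in post-order
        blue.add(s)
        for t in succ(s):
            if t not in blue and blue_dfs(t):
                return True
        return acc(s) and red_dfs(s, s)

    return any(s0 not in blue and blue_dfs(s0) for s0 in init)


def satisfies(m, neg_b):
    """M |= f iff L(M || B) is empty, where L(B) = L(not f, A) (Proposition 3)."""
    return not ndfs_accepting_cycle(*sync_product(m, neg_b))


# Constructed BA for the negation of G(a -> F b) over {a, b}, i.e.
# F(a and G not b): after some a, only a's occur forever.
NEG_RESPONSE = BA(
    states={"s0", "s1"}, alphabet={"a", "b"},
    transitions=[("s0", "a", "s0"), ("s0", "b", "s0"),
                 ("s0", "a", "s1"), ("s1", "a", "s1")],
    initial={"s0"}, accepting={"s1"},
)
# M1 alternates a and b forever, so every a is answered by a b.
M1 = lts({"q0", "q1"}, {"a", "b"}, [("q0", "a", "q1"), ("q1", "b", "q0")], "q0")
# M2 may repeat a without ever doing b, so the response property fails.
M2 = lts({"q0", "q1"}, {"a", "b"},
         [("q0", "a", "q1"), ("q1", "a", "q1"), ("q1", "b", "q0")], "q0")

if __name__ == "__main__":
    print("M1 |= G(a -> F b):", satisfies(M1, NEG_RESPONSE))   # True
    print("M2 |= G(a -> F b):", satisfies(M2, NEG_RESPONSE))   # False
```

The red search starts from an accepting state only after all of its successors have been fully explored by the blue search, which is what makes the single `red` set safe to share between nested searches.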
3 Interruptible Properties
3.1 Definition and Examples
An LTS comes with an alphabet, which is a subset A of \({\textsf {Act}}\). By a property over A we simply mean a subset P of \(A^\omega \). We say a trace \(\zeta \in A^\omega \) satisfies P if \(\zeta \in P\). We have already seen two ways to specify properties. An LTL formula f with \(\alpha f\subseteq A\) specifies the property \(\mathcal {L}(f,A)\). A Büchi automaton B with alphabet A specifies the property \(\mathcal {L}(B)\). We next define a special class of properties:
Definition 10
Given sets \(V\subseteq A\subseteq {\textsf {Act}}\), we say a property P over A is V-interruptible if
An LTL formula f is V-interruptible if \(\mathcal {L}(f,{\textsf {Act}})\) is V-interruptible. We say f is interruptible if f is \(\alpha f\)-interruptible. The set of all interruptible LTL formulas is denoted \({\mathsf {Intrpt}}\). \(\square \)
The set V is known as the visible set. The definition essentially says that the insertion or deletion of invisible actions (those in \(A\setminus V\)) has no bearing on whether a trace satisfies P. Put another way, the question of whether a trace belongs to P is determined purely by its visible actions. The following collects some basic facts about interruptibility. All follow immediately from the definitions.
Proposition 4
Let \(V\subseteq A\subseteq \mathsf {Act}\), \(P\subseteq A^\omega \) and \(f,g\in {\mathsf {Form}}\). Then all of the following hold:

1.
P is A-interruptible.

2.
If P is V-interruptible, and \(V\subseteq V'\), then P is \(V'\)-interruptible.

3.
If f is interruptible and \(\alpha f\subseteq A\), then \(\mathcal {L}(f,A)\) is \(\alpha f\)-interruptible.

4.
f is interruptible iff the following holds:
$$ \forall \zeta ,\eta \in \mathsf {Act}^\omega \,.\, ( \zeta _{\alpha f}=\eta _{\alpha f} \wedge \zeta ~\models _{\scriptscriptstyle {{\mathsf {A}}}~}f ) \Rightarrow \eta ~\models _{\scriptscriptstyle {{\mathsf {A}}}~}f. $$ 
5.
If \(\alpha f=\alpha g\) and \(f\equiv _{\scriptscriptstyle {{\mathsf {A}}}}g\) then f is interruptible iff g is interruptible.
Many, if not most, properties that arise in practice are V-interruptible for the set V of actions that are mentioned in the property. Assuming a, b, and c are distinct actions, we have:

For any \(n\ge 0\), the property “a occurs at most n times” is \(\{a\}\)-interruptible, since the insertion or deletion of actions other than a cannot affect whether a word satisfies that property. The same is true for the properties “a occurs at least n times” and “a occurs exactly n times.” These are examples of the bounded existence pattern with global scope in a widely used property specification pattern system [5]. LTL formulas in this category include \({\mathbf {G}}\lnot a\) (a occurs 0 times), \({\mathbf {F}}{}a\) (a occurs at least once), and \({\mathbf {F}}(a\wedge {\mathbf {X}}{\mathbf {F}}{}a)\) (a occurs at least twice).

The property “after any occurrence of a, b eventually occurs”, \({\mathbf {G}}(a\rightarrow {\mathbf {F}}b)\), is \(\{a,b\}\)-interruptible. This is the response pattern with global scope [5].

The property “after any occurrence of a, c will eventually occur, and no b will occur until c”, \({\mathbf {G}}(a\rightarrow ((\lnot b){\mathbf {U}}{}c))\), is \(\{a,b,c\}\)-interruptible. This is a variation on the absence pattern with after-until scope, and is used to specify mutual exclusion [5].
On the other hand, the property “a occurs at time 0” (LTL formula a) is not \(\{a\}\)-interruptible. Neither is “an event other than a occurs at least once” (\({\mathbf {F}}\lnot a\)) nor “only a occurs” (\({\mathbf {G}}{}a\)). The property “every occurrence of a is followed immediately by b,” formula \({\mathbf {G}}(a\rightarrow {\mathbf {X}}{}b)\), is not \(\{a,b\}\)-interruptible. The property “after any occurrence of a, c eventually occurs and until then only b occurs,” \({\mathbf {G}}(a\rightarrow {\mathbf {X}}(b{\mathbf {U}}{}c))\), is not \(\{a,b,c\}\)-interruptible.
The following provides a useful way to show that two interruptible properties are equal:
Lemma 2
Suppose \(V\subseteq A\subseteq \mathsf {Act}\) and \(P_1\) and \(P_2\) are V-interruptible properties over A. Let \( \mathcal {F} = V^{\omega } \, \cup \, V^*\circ (A\setminus V)^{\omega }. \) Then \(P_1=P_2\) iff \(P_1\cap \mathcal {F}=P_2\cap \mathcal {F}\).
Proof
Assume \(P_1\cap \mathcal {F}=P_2\cap \mathcal {F}\). Let \(\zeta \in P_1\). If \(\zeta _V\) is infinite, then since \((\zeta _V)_V=\zeta _V\), and \(P_1\) is V-interruptible, \(\zeta _V\in P_1\). But \(\zeta _V\in V^\omega \), so \(\zeta _V\in P_1\cap \mathcal {F}\), and therefore \(\zeta _V\in P_2\). Since \(P_2\) is V-interruptible, \(\zeta \in P_2\).
If \(\zeta _V\) is finite, there is a prefix \(\theta \) of \(\zeta \) such that \(\zeta =\theta \circ \eta \), with \(\eta \in (A\setminus V)^\omega \). Let \(\xi =\theta _V\circ \eta \). We have \(\xi \in V^*\circ (A\setminus V)^{\omega }\) and \(\xi _V = \zeta _V\), hence \(\xi \in P_1\cap \mathcal {F}\). Therefore \(\xi \in P_2\), and since \(P_2\) is V-interruptible, \(\zeta \in P_2\). \(\square \)
The elements of \(\mathcal {F}\) are known as the V-interrupt-free words over A.
3.2 Decidability of Interruptibility of LTL Formulas
We next show that interruptibility is a decidable property of LTL formulas. Define \({\textsf {intrpt}}:{\mathsf {Form}}\rightarrow {\mathsf {Form}}\) as follows. Given \(f\in {\mathsf {Form}}\), let \(V=\alpha f\) and \(\hat{V}=\bigvee _{a\in V} a\), and define \(\beta :{\mathsf {Form}}\rightarrow {\mathsf {Form}}\) by
for \(a\in {\textsf {Act}}\) and \(f_1,f_2\in {\mathsf {Form}}\). Let \({\textsf {intrpt}}(f)=\beta (f)\).
Theorem 1
Let f be an LTL formula over \(\mathsf {Act}\). The following hold:

1.
\(\mathsf {intrpt}(f)\) is interruptible.

2.
f is interruptible iff \(\mathsf {intrpt}(f)\equiv _{\scriptscriptstyle {{\mathsf {A}}}}f\).
In particular, interruptibility of LTL formulas is decidable.
Before proving Theorem 1, we give some intuition regarding the definition of \({\textsf {intrpt}}\). Function \(\beta \) can be thought of as consuming a property on V-interrupt-free words (i.e., words in \(V^\omega \cup V^*\circ (A\setminus V)^\omega \)) and extending it to a property on all words (\(A^\omega \)). It is designed so that \(\beta (g)\) is V-interruptible and agrees with g on V-interrupt-free words. For example, the formula a means “a is the first action” (in an interrupt-free word), which extends to the property “a is the first visible action” (in an arbitrary word). The formula \({\mathbf {X}}f_1\) states “\(f_1\) holds after removing the first action,” so \(\beta ({\mathbf {X}}f_1)\) should declare “\(\beta (f_1)\) holds after removing the prefix ending in the first visible action.” That is almost correct, but there is also the possibility that an element of \(A^\omega \) has no visible action, which is the reason for the second clause in the definition of \(\beta ({\mathbf {X}}f_1)\).
The remainder of this subsection is devoted to the proof of Theorem 1. First note that \({\textsf {intrpt}}(f)\) and f have the same alphabet, i.e., \(\alpha {\textsf {intrpt}}(f) = V\).
Proof of Part 1. Say a subformula g of f is good if \(\beta (g)\) is V-interruptible, i.e.,
We show by induction on formula structure that every subformula of f is good. The case \(g=f\) will show that \({\textsf {intrpt}}(f)\) is interruptible. Assume throughout that \(\zeta _V=\eta _V\).
If \(g={\mathsf {true}}\) then \(\beta (g)={\mathsf {true}}\), so g is clearly good.
If \(g=a\) for some \(a\in {\textsf {Act}}\), then \(\zeta ~\models _{\scriptscriptstyle {{\mathsf {A}}}~}\beta (g)=(\lnot \hat{V}){\mathbf {U}}a\) iff \(\zeta _V\) is nonempty and \(\zeta _V(0)=a\). Since this depends only on \(\zeta _V\), g is good.
If \(g=\lnot f_1\) and \(f_1\) is good, then g is good because
If \(g=f_1\wedge f_2\), and \(f_1\) and \(f_2\) are good, then g is good because
Suppose \(g={\mathbf {X}}f_1\) and \(f_1\) is good. There are two cases:

Case 1: \(\zeta _V\) is empty. Then no suffix of \(\zeta \) or \(\eta \) satisfies \(\hat{V}\). Hence
$$ \theta ~\models _{\scriptscriptstyle {{\mathsf {A}}}~}\beta (g) \;\Leftrightarrow \;\theta ~\models _{\scriptscriptstyle {{\mathsf {A}}}~}{\mathbf {X}}\beta (f_1) \;\Leftrightarrow \;\theta ^1~\models _{\scriptscriptstyle {{\mathsf {A}}}~}\beta (f_1) \ \ \ \ \ (\theta \in \{\zeta ,\eta \}). $$
Moreover, \(\zeta ^1_V=\eta ^1_V\) (as both are empty), and \(\beta (f_1)\) is good, so we have \(\zeta ^1~\models _{\scriptscriptstyle {{\mathsf {A}}}~}\beta (f_1) \;\Leftrightarrow \;\eta ^1~\models _{\scriptscriptstyle {{\mathsf {A}}}~}\beta (f_1)\). These show \(\zeta ~\models _{\scriptscriptstyle {{\mathsf {A}}}~}\beta (g) \;\Leftrightarrow \;\eta ~\models _{\scriptscriptstyle {{\mathsf {A}}}~}\beta (g)\).

Case 2: \(\zeta _V\) is nonempty. Let i be the index of the first occurrence of an element of V in \(\zeta \), and j the similar index for \(\eta \). We have
$$ \zeta ^{i+1}_V = (\zeta _V)^1 = (\eta _V)^1 = \eta ^{j+1}_V. $$
As \(f_1\) is good, it follows that \( \zeta ^{i+1}~\models _{\scriptscriptstyle {{\mathsf {A}}}~}\beta (f_1) \;\Leftrightarrow \;\eta ^{j+1}~\models _{\scriptscriptstyle {{\mathsf {A}}}~}\beta (f_1). \) Hence
$$ \zeta ~\models _{\scriptscriptstyle {{\mathsf {A}}}~}\beta (g) \;\Leftrightarrow \;\zeta ^{i+1}~\models _{\scriptscriptstyle {{\mathsf {A}}}~}\beta (f_1) \;\Leftrightarrow \;\eta ^{j+1}~\models _{\scriptscriptstyle {{\mathsf {A}}}~}\beta (f_1) \;\Leftrightarrow \;\eta ~\models _{\scriptscriptstyle {{\mathsf {A}}}~}\beta (g). $$
Suppose \(g=f_1{\mathbf {U}}f_2\) and \(f_1\) and \(f_2\) are good. We have \(\beta (g) = \beta (f_1){\mathbf {U}}\beta (f_2)\). If \(\zeta ~\models _{\scriptscriptstyle {{\mathsf {A}}}~}\beta (g)\) then there exists \(i\ge 0\) such that \(\zeta ^i~\models _{\scriptscriptstyle {{\mathsf {A}}}~}\beta (f_2)\) and \(\zeta ^j~\models _{\scriptscriptstyle {{\mathsf {A}}}~}\beta (f_1)\) for \(j<i\). Now there is some \(i'\ge 0\) such that \(\eta ^{i'}_V=\zeta ^i_V\) and for all \(j'<i'\), there is some \(j<i\) such that \(\eta ^{j'}_V=\zeta ^j_V\). It follows that \(\eta ~\models _{\scriptscriptstyle {{\mathsf {A}}}~}\beta (g)\). Hence g is good.
Proof of Part 2. Suppose first that \({\textsf {intrpt}}(f)\equiv _{\scriptscriptstyle {{\mathsf {A}}}}f\). From part 1, \({\textsf {intrpt}}(f)\) is interruptible, so Proposition 4(5) implies f is interruptible.
Suppose instead that f is interruptible. We wish to show \({\textsf {intrpt}}(f)\equiv _{\scriptscriptstyle {{\mathsf {A}}}}f\). By Lemma 2, it suffices to show the two formulas agree on V-interrupt-free words. We will show by induction that for each subformula g of f, \(\zeta ~\models _{\scriptscriptstyle {{\mathsf {A}}}~}g \;\Leftrightarrow \;\zeta ~\models _{\scriptscriptstyle {{\mathsf {A}}}~}\beta (g)\) for all V-interrupt-free \(\zeta \). The case \(g=f\) will complete the proof.
If \(g={\mathsf {true}}\), \(\beta (g)={\mathsf {true}}\) and the condition clearly holds.
If \(g=a\) for some \(a\in {\textsf {Act}}\), \( \zeta ~\models _{\scriptscriptstyle {{\mathsf {A}}}~}\beta (g)\;\Leftrightarrow \;\zeta ~\models _{\scriptscriptstyle {{\mathsf {A}}}~}(\lnot \hat{V}){\mathbf {U}}a\;\Leftrightarrow \;\zeta ~\models _{\scriptscriptstyle {{\mathsf {A}}}~}a, \) as \(\zeta \) is V-interrupt-free.
If \(g=\lnot f_1\) and the inductive hypothesis holds for \(f_1\), then
If \(g=f_1\wedge f_2\) and the inductive hypothesis holds for \(f_1\) and \(f_2\) then
Suppose \(g={\mathbf {X}}f_1\) and the inductive hypothesis holds for \(f_1\). Note that any suffix of a V-interrupt-free word, e.g., \(\zeta ^1\), is also V-interrupt-free. If \(\zeta _V\) is empty,
If \(\zeta _V\) is nonempty, then \(\zeta ~\models _{\scriptscriptstyle {{\mathsf {A}}}~}\hat{V}\), so
If \(g=f_1{\mathbf {U}}f_2\), then applying the inductive hypothesis to \(f_1\) and \(f_2\) yields
Decidability follows from part 2 and Proposition 1. This completes the proof of Theorem 1.
Remark 1
The definition of \(\beta ({\mathbf {X}}f_1)\) is convenient for the proof but shorter definitions also work. If the formula \(f_1\) is satisfied by some word \(\zeta \in (A\setminus V)^{\omega }\), then all such \(\zeta \) satisfy \(f_1\), and the clause \(({\mathbf {G}}\lnot \hat{V})\wedge {\mathbf {X}}\beta (f_1)\) can be replaced by \({\mathbf {G}}\lnot \hat{V}\). Otherwise, that clause can be removed altogether. One can determine whether a formula is satisfied by such a word by replacing every occurrence of every action with \({\mathsf {false}}\).
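The following Python is an added example, not code from the paper or from McRERS, serving both the examples of Sect. 3.1 and the transformation of Sect. 3.2. It evaluates the action-based semantics of Definition 3 on ultimately periodic words \(u\circ v^\omega\), searches for interruptibility witnesses in the sense of Proposition 4(4) by inserting an invisible action into a word, and applies \({\textsf {intrpt}}\). The clauses of \(\beta \) used here are an assumption reconstructed from the cases of the proof of Theorem 1 and from Remark 1 (\(\beta (a)=(\lnot \hat{V}){\mathbf {U}}a\); \(\beta ({\mathbf {X}}f_1)=((\lnot \hat{V}){\mathbf {U}}(\hat{V}\wedge {\mathbf {X}}\beta (f_1)))\vee (({\mathbf {G}}\lnot \hat{V})\wedge {\mathbf {X}}\beta (f_1))\); \(\beta \) commutes with \(\lnot \), \(\wedge \) and \({\mathbf {U}}\)), since the displayed definition is not reproduced on this page. The words, formulas and the invisible action x are constructed inputs.

```python
# Added example (not from the paper or McRERS).  Formulas are nested tuples;
# the derived operators follow Definition 1.  The clauses of beta below are an
# ASSUMPTION reconstructed from the proof of Theorem 1 and Remark 1.
from functools import reduce

TRUE = ("true",)
def act(a):        return ("act", a)
def neg(f):        return ("not", f)
def conj(f, g):    return ("and", f, g)
def nxt(f):        return ("X", f)
def until(f, g):   return ("U", f, g)
def disj(f, g):    return neg(conj(neg(f), neg(g)))        # f or g
def implies(f, g): return disj(neg(f), g)
def finally_(f):   return until(TRUE, f)                   # F f = true U f
def globally(f):   return neg(finally_(neg(f)))            # G f = not F not f

def alphabet(f):
    """alpha f: the actions occurring syntactically in f (Definition 2)."""
    return {f[1]} if f[0] == "act" else set().union(*(alphabet(g) for g in f[1:]))

class Lasso:
    """The word prefix.loop^omega; indices below len(prefix)+len(loop) name all distinct suffixes."""
    def __init__(self, prefix, loop):
        assert loop, "loop must be non-empty"
        self.prefix, self.loop = list(prefix), list(loop)
        self.n = len(self.prefix) + len(self.loop)
    def at(self, i):
        return self.prefix[i] if i < len(self.prefix) else self.loop[(i - len(self.prefix)) % len(self.loop)]
    def next(self, i):                        # index representing the suffix zeta^(i+1)
        return i + 1 if i + 1 < self.n else len(self.prefix)
    def project(self, V):                     # zeta_V; assumes the loop contains a visible action
        return Lasso([a for a in self.prefix if a in V], [a for a in self.loop if a in V])

def holds(f, w, i=0):
    """zeta^i |=_A f, by structural recursion over f (Definition 3)."""
    op = f[0]
    if op == "true": return True
    if op == "act":  return w.at(i) == f[1]
    if op == "not":  return not holds(f[1], w, i)
    if op == "and":  return holds(f[1], w, i) and holds(f[2], w, i)
    if op == "X":    return holds(f[1], w, w.next(i))
    seen, j = set(), i                        # f1 U f2: scan suffixes until f2 holds, f1 fails, or we cycle
    while j not in seen:
        if holds(f[2], w, j): return True
        if not holds(f[1], w, j): return False
        seen.add(j)
        j = w.next(j)
    return False

def intrpt(f):
    """intrpt(f) = beta(f) with V = alpha f (assumed clauses); alpha intrpt(f) = alpha f."""
    V = sorted(alphabet(f))
    vhat = reduce(disj, [act(a) for a in V]) if V else neg(TRUE)   # Vhat: disjunction of visible actions
    def beta(g):
        op = g[0]
        if op == "true": return g
        if op == "act":  return until(neg(vhat), g)
        if op == "not":  return neg(beta(g[1]))
        if op == "and":  return conj(beta(g[1]), beta(g[2]))
        if op == "X":
            b = beta(g[1])
            return disj(until(neg(vhat), conj(vhat, nxt(b))), conj(globally(neg(vhat)), nxt(b)))
        return until(beta(g[1]), beta(g[2]))
    return beta(f)

def interruptibility_witness(f, zeta, pos, x):
    """Insert the invisible action x into the prefix of zeta at index pos, giving eta with eta_V = zeta_V.
    Returns (zeta |= f, eta |= f); a differing pair shows f is not alpha f-interruptible (Proposition 4(4)).
    An agreeing pair is evidence only, not a proof."""
    V = alphabet(f)
    assert x not in V and pos <= len(zeta.prefix)
    eta = Lasso(zeta.prefix[:pos] + [x] + zeta.prefix[pos:], zeta.loop)
    assert (eta.project(V).prefix, eta.project(V).loop) == (zeta.project(V).prefix, zeta.project(V).loop)
    return holds(f, zeta), holds(f, eta)

# Constructed inputs: two Sect. 3.1 formulas over the word (ab)^omega, invisible action x.
A, B = act("a"), act("b")
RESPONSE  = globally(implies(A, finally_(B)))   # G(a -> F b): {a,b}-interruptible
IMMEDIATE = globally(implies(A, nxt(B)))        # G(a -> X b): not {a,b}-interruptible
WORD = Lasso(["a", "b"], ["a", "b"])

if __name__ == "__main__":
    print("G(a -> F b):", interruptibility_witness(RESPONSE, WORD, 1, "x"))    # (True, True)
    print("G(a -> X b):", interruptibility_witness(IMMEDIATE, WORD, 1, "x"))   # (True, False)
    print("intrpt(G(a -> X b)) on a x b (ab)^w:",
          holds(intrpt(IMMEDIATE), Lasso(["a", "x", "b"], ["a", "b"])))         # True
```

On the interrupt-free word \((ab)^\omega\) the transformed formula agrees with \({\mathbf {G}}(a\rightarrow {\mathbf {X}}b)\), as part 2 of the proof requires, but after inserting x it still holds while the original fails, which is exactly the difference Theorem 1(2) detects. Evaluation on a lasso is exact because every suffix \(\zeta ^i\) is one of finitely many words, so the \({\mathbf {U}}\) scan terminates when it revisits an index.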
3.3 Generation of Interruptible LTL Formulas
The following can be used to show that many formulas are interruptible. It establishes a kind of parity pattern involving a class of positive formulas (\({\mathsf {Pos}}\)) and a class of negative formulas (\({\mathsf {Neg}}\)). It is proved in [28].
Proposition 5
There exist \({\mathsf {Pos}},{\mathsf {Neg}}\subseteq {\mathsf {Form}}\) such that (i) for all \(f,f'\in {\mathsf {Form}}\),
and (ii) for all \(a\in \mathsf {Act}\), \(f_1,f_2\in {\mathsf {Intrpt}}\), \(g_1,g_2\in {\mathsf {Pos}}\), and \(h_1,h_2\in {\mathsf {Neg}}\),
Consider the examples from Sect. 3.1. The formula a is positive, so \({\mathbf {F}}{}a\) is interruptible. Since \(\lnot a\) is negative, \({\mathbf {G}}\lnot a\) is interruptible. Since \({\mathbf {F}}{}a\) is interruptible, \(a\wedge {\mathbf {X}}{\mathbf {F}}{}a\) is positive, hence \({\mathbf {F}}(a\wedge {\mathbf {X}}{\mathbf {F}}{}a)\) is interruptible.
Formula \({\mathbf {G}}(a\rightarrow {\mathbf {F}}b)\) is seen to be interruptible as follows. Since \(b\in {\mathsf {Pos}}\), \({\mathbf {F}}b\in {\mathsf {Intrpt}}\), whence \(\lnot a \vee {\mathbf {F}}b\in {\mathsf {Neg}}\). Since this last formula is action-equivalent to \(a\rightarrow {\mathbf {F}}b\), we have \(a\rightarrow {\mathbf {F}}b\in {\mathsf {Neg}}\). Therefore \({\mathbf {G}}(a\rightarrow {\mathbf {F}}b)\in {\mathsf {Intrpt}}\).
Similarly, \((\lnot b){\mathbf {U}}{}c\in {\mathsf {Intrpt}}\), so \(a\rightarrow {\mathbf {X}}((\lnot b){\mathbf {U}}{}c)\in {\mathsf {Neg}}\). This negative formula is action-equivalent to \(a\rightarrow ((\lnot b){\mathbf {U}}{}c)\), whence \({\mathbf {G}}(a\rightarrow ((\lnot b){\mathbf {U}}{}c))\in {\mathsf {Intrpt}}\).
Note that \({\mathsf {Intrpt}}\) and the set of stutter-invariant formulas are not comparable. For example, \(f={\mathbf {F}}(a\wedge {\mathbf {X}}{\mathbf {F}}{}a)\) is interruptible, but not stutter-invariant. In fact f is not action-equivalent to any stutter-invariant formula g, since if there were such a g, the sequence \(aab^\omega \) would satisfy g, but the stutter-equivalent sequence \(ab^\omega \) cannot satisfy g. Conversely, the formulas a and \({\mathbf {G}}a\) are both stutter-invariant, but neither is interruptible. The formula \({\mathbf {F}}a\) is both stutter-invariant and interruptible. Finally, the formula \({\mathbf {X}}a\) is neither stutter-invariant nor interruptible.
3.4 Decidability of Interruptibility of Büchi Automata
Definition 11
Let B be a BA with alphabet A, \(V\subseteq A\) (the visible actions), and \(I=A\setminus V\) (the invisible actions). We say B is in V-interrupt normal form if the following hold for any \(x\in I\), \(a\in A\), and states \(s_1\), \(s_2\), and \(s_3\):
1. If \(s_1{\mathop {\rightarrow }\limits ^{a}}s_2\) then B has a state \(s_1'\) such that \(s_1{\mathop {\rightarrow }\limits ^{x}}s_1'{\mathop {\rightarrow }\limits ^{a}}s_2\).
2. If \(s_1{\mathop {\rightarrow }\limits ^{x}}s_2{\mathop {\rightarrow }\limits ^{a}}s_3\) then \(s_1{\mathop {\rightarrow }\limits ^{a}}s_3\) and if \(s_2\) is accepting then \(s_1\) or \(s_3\) is accepting.
3. If \(s_1{\mathop {\rightarrow }\limits ^{x}}s_2\) then \(s_1{\mathop {\rightarrow }\limits ^{y}}s_2\) for all \(y\in I\).
Proposition 6
Suppose B is in V-interrupt normal form. Then \(\mathcal {L}(B)\) is V-interruptible.
Proof
Suppose \(\zeta ,\eta \in A^\omega \), \(\zeta \in \mathcal {L}(B)\), and \(\zeta _V=\eta _V\). We wish to show \(\eta \in \mathcal {L}(B)\). Let \(\pi \) be an accepting path for \(\zeta \).
Assume \(\zeta _V\) is infinite. By Definition 11(2), we can remove all invisible transitions from the accepting path \(\pi \), and the result is an accepting path that spells \(\zeta _V\). By Definition 11(1), we can insert an arbitrary finite sequence of invisible transitions between two consecutive visible transitions; we can therefore construct an accepting path for \(\eta \).
If \(\zeta _V\) is finite, proceed as above to form an accepting path which spells a finite prefix of \(\eta \) followed by an infinite word of invisible actions. By Definition 11(3), that infinite suffix can be transformed to spell any infinite word of invisibles, and in that way one obtains an accepting path for \(\eta \). \(\square \)
Given any BA \(B=(S,A,T,S^0,F)\) and a visible set \(V\subseteq A\), define a BA \({\textsf {norm}}(B,V)\) as follows: if \(V=A\), \({\textsf {norm}}(B,V)=B\), otherwise \({\textsf {norm}}(B,V)\) is \(\hat{B}=(\hat{S},A,\hat{T},\hat{S}^0,\hat{F})\), where
The set \(\hat{S}\) consists of the original states \(\hat{u}\), the sharp states \(u^\sharp \), and one additional state DIV. The mapping from S to \(\hat{S}\) defined by \(u\mapsto \hat{u}\) is injective and preserves acceptability and visible transitions, i.e., for any \(u,v\in S\) and \(a\in V\), \(u{\mathop {\rightarrow }\limits ^{a}}v\;\Leftrightarrow \;\hat{u}{\mathop {\rightarrow }\limits ^{a}}\hat{v}\). It follows that paths in B in which all labels are visible correspond one-to-one with paths through original states in \(\hat{B}\) in which all labels are visible. Note that every invisible transition in \(\hat{B}\) is a self-loop or ends in a sharp state or DIV. Moreover, all transitions in \(\hat{B}\) ending in a sharp state or DIV are invisible.
Proposition 7
For any BA B with alphabet A, and any visible set \(V\subseteq A\), \(\mathsf {norm}(B,V)\) is in V-interrupt normal form.
Proof
To see Definition 11(1), suppose \(s_1{\mathop {\rightarrow }\limits ^{a}}s_2\). If \(s_1{\mathop {\rightarrow }\limits ^{x}}s_1\), take \(s_1'=s_1\). Otherwise, \(s_1=\hat{u}\) for some \(u\in F\setminus D\), and we can take \(s_1'=u^\sharp \).
For Definition 11(2), suppose \(s_1{\mathop {\rightarrow }\limits ^{x}}s_2{\mathop {\rightarrow }\limits ^{a}}s_3\). We need to show \(s_1{\mathop {\rightarrow }\limits ^{a}}s_3\) and if \(s_2\) is accepting then \(s_1\) or \(s_3\) is accepting. If \(s_1=s_2\), the result is clear, so assume \(s_1\ne s_2\). There are then two cases: \(s_2={\textsf {DIV}}\) or \(s_2=u^\sharp \) for some \(u\in F\setminus D\).
If \(s_2={\textsf {DIV}}\), then \(a\in I\) and \(s_3={\textsf {DIV}}\), and we have \(s_1{\mathop {\rightarrow }\limits ^{a}}{\textsf {DIV}}\). As DIV is accepting, the desired conclusion holds.
If \(s_2=u^\sharp \), then \(s_1=\hat{u}\), which is accepting. There are again two cases: either \(s_3=u^\sharp \) or \(s_3=\hat{v}\) for some \(v\in S\). If \(s_3=u^\sharp \) then \(a\in I\) and \(\hat{u}{\mathop {\rightarrow }\limits ^{a}}u^\sharp \), as required. If \(s_3=\hat{v}\), then \(a\in V\) and therefore \(u{\mathop {\rightarrow }\limits ^{a}}v\), hence \(\hat{u}{\mathop {\rightarrow }\limits ^{a}}\hat{v}\), as required.
Definition 11(3) is clear from the definition of \(\hat{T}\). \(\square \)
Theorem 2
\(\mathcal {L}(B)\) is V-interruptible iff \(\mathcal {L}(\mathsf {norm}(B,V)) = \mathcal {L}(B)\). In particular, interruptibility for Büchi automata is decidable.
Proof
Let \(P_1=\mathcal {L}(B)\) and \(P_2=\mathcal {L}({\textsf {norm}}(B,V))\). By Proposition 7, \({\textsf {norm}}(B,V)\) is in V-interrupt normal form, so by Proposition 6, \(P_2\) is V-interruptible. Hence one direction is clear: if \(P_1=P_2\), then \(P_1\) is V-interruptible.
So suppose \(P_1\) is V-interruptible. We wish to show \(P_1=P_2\). By Lemma 2, it suffices to show the two languages contain the same V-interrupt-free words.
Suppose \(\zeta \) is a V-interrupt-free word in \(P_1\). If \(\zeta \in V^\omega \) then an accepting path \(\theta \) in B maps to the accepting path \(\hat{\theta }\) in \(\hat{B}\), and \(\zeta \in P_2\). So assume \(\zeta \in V^*I^\omega \). Then an accepting path in B has a prefix \(\theta \) of visible transitions ending in a state \(u\in D\). That prefix corresponds to a path \(\hat{\theta }\) in \(\hat{B}\) ending in \(\hat{u}\). As \(u\in D\), \(\hat{u}{\mathop {\rightarrow }\limits ^{x}}\hat{u}\) for all \(x\in I\). If u is accepting, we get an accepting path for \(\zeta \) that follows \(\hat{\theta }\) and then loops at \(\hat{u}\). If u is not accepting then \(u\in D\setminus F\), and \(\hat{u}{\mathop {\rightarrow }\limits ^{x}}{\textsf {DIV}}\) for all \(x\in I\). Since \({\textsf {DIV}}\) is accepting and \({\textsf {DIV}}{\mathop {\rightarrow }\limits ^{x}}{\textsf {DIV}}\) for all \(x\in I\), we again get an accepting path for \(\zeta \) in \(\hat{B}\).
Suppose now that \(\zeta \) is a V-interrupt-free word in \(P_2\). Assume \(\zeta \in V^{\omega }\). An accepting path for \(\zeta \) cannot pass through a sharp state or \({\textsf {DIV}}\), because only invisible transitions end in those states. So the path passes through only original states, and therefore corresponds to an accepting path in B.
Suppose \(\zeta \in V^*I^{\omega }\). An accepting path for \(\zeta \) in \(\hat{B}\) consists of a prefix \(\hat{\theta }\) of visible transitions followed by an infinite accepting path \(\xi \) of invisible transitions. As above, \(\hat{\theta }\) corresponds to a path \(\theta \) in B ending in a state u.
We claim that \(\xi \) cannot pass through a sharp state. This is because all invisible transitions departing from a sharp state are self-loops. But sharp states are not accepting, while \(\xi \) is an accepting path of invisible transitions. It follows that each transition in \(\xi \) is a self-loop or terminates in DIV.
We now claim \(u\in D\). For suppose the first transition in \(\xi \) is a self-loop on \(\hat{u}\). According to the definition of \(\hat{T}\), this implies \(u\in D\cup (S\setminus F)\). Hence, if \(u\not \in D\) then u is not accepting, and all invisible transitions departing from \(\hat{u}\) are self-loops, contradicting the fact that \(\xi \) is an accepting path. If, on the other hand, the first transition in \(\xi \) is \(\hat{u}{\mathop {\rightarrow }\limits ^{x}}{\textsf {DIV}}\), for some \(x\in I\), then the definition of \(\hat{T}\) implies \(u\in D\), establishing the claim.
So \(u\in D\), i.e., there is an accepting path \(\rho \) in B starting from u and consisting of all invisible transitions. The accepting path obtained by concatenating \(\theta \) and \(\rho \) spells a word which, projected onto V, equals \(\zeta _V\). Since \(P_1\) is V-interruptible, \(\zeta \in P_1\). This completes the proof that \(P_1=P_2\).
The theorem reduces the problem of determining Vinterruptibility to a problem of determining equivalence of two Büchi Automata, which can be done using language intersection, complement, and emptiness algorithms for BAs [37]. \(\square \)
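As an added illustration (Python written for this page, not McRERS code), the following checks the three conditions of Definition 11 on small constructed Büchi automata and applies a reconstruction of \({\textsf {norm}}(B,V)\). The page does not reproduce the definition of \(\hat{T}\); the version below is assembled from the properties the proofs of Proposition 7 and Theorem 2 rely on (visible transitions copied to the hat states, an invisible self-loop on \(\hat{u}\) when \(u\in D\cup (S\setminus F)\), invisible transitions from \(\hat{u}\) to \(u^\sharp \) when \(u\in F\setminus D\) and to DIV when \(u\in D\setminus F\), sharp states non-accepting and mirroring the visible moves of u), with D taken as the set of states from which an accepting path of invisible transitions starts. Treat that reconstruction as an assumption; the checker itself follows Definition 11 literally.

```python
# Added example (not McRERS code).  A Büchi automaton is a 5-tuple
# (states, alphabet, transitions, initial, accepting) where transitions is a
# set of (source, action, target) triples, so nondeterminism is allowed.
# The sample automata at the bottom are constructed for this illustration.

def is_interrupt_normal_form(ba, visible):
    """Check conditions (1)-(3) of Definition 11 with I = A \\ V."""
    states, alphabet, trans, _, accepting = ba
    invisible = set(alphabet) - set(visible)
    # (1) any transition s1 -a-> s2 can be preceded by any invisible action x
    for (s1, a, s2) in trans:
        for x in invisible:
            if not any((s1, x, s1p) in trans and (s1p, a, s2) in trans
                       for s1p in states):
                return False
    for (s1, x, s2) in trans:
        if x not in invisible:
            continue
        # (2) s1 -x-> s2 -a-> s3 implies s1 -a-> s3, and acceptance survives
        for (t, a, s3) in trans:
            if t == s2:
                if (s1, a, s3) not in trans:
                    return False
                if s2 in accepting and s1 not in accepting and s3 not in accepting:
                    return False
        # (3) the same invisible transition exists for every invisible label
        if any((s1, y, s2) not in trans for y in invisible):
            return False
    return True


def divergent_states(ba, visible):
    """D: states from which an accepting path of invisible transitions starts
    (the reading of D used in the proof of Theorem 2)."""
    states, alphabet, trans, _, accepting = ba
    invisible = set(alphabet) - set(visible)

    def reach(u):
        # states reachable from u by one or more invisible transitions
        seen, frontier = set(), [u]
        while frontier:
            s = frontier.pop()
            for (p, x, t) in trans:
                if p == s and x in invisible and t not in seen:
                    seen.add(t)
                    frontier.append(t)
        return seen

    cyclic_acc = {f for f in accepting if f in reach(f)}
    return {u for u in states if u in cyclic_acc or reach(u) & cyclic_acc}


def norm(ba, visible):
    """Assumed reconstruction of norm(B, V) (the page omits the definition of
    T-hat): hat copies keep the visible transitions; invisible behaviour goes
    through self-loops, the non-accepting sharp states u# (u in F \\ D) and
    the accepting sink DIV."""
    states, alphabet, trans, initial, accepting = ba
    if set(visible) == set(alphabet):
        return ba
    invisible = set(alphabet) - set(visible)
    D = divergent_states(ba, visible)
    hat, sharp, DIV = (lambda u: ("hat", u)), (lambda u: ("sharp", u)), "DIV"
    sharp_src = {u for u in accepting if u not in D}       # F \ D
    new_states = {hat(u) for u in states} | {sharp(u) for u in sharp_src} | {DIV}
    new_trans = set()
    for (u, a, v) in trans:
        if a in visible:
            new_trans.add((hat(u), a, hat(v)))
            if u in sharp_src:
                new_trans.add((sharp(u), a, hat(v)))  # u# mirrors u's visible moves
    for u in states:
        for x in invisible:
            if u in sharp_src:
                new_trans.add((hat(u), x, sharp(u)))
                new_trans.add((sharp(u), x, sharp(u)))
            else:                                     # u in D or u not in F
                new_trans.add((hat(u), x, hat(u)))
            if u in D and u not in accepting:         # u in D \ F
                new_trans.add((hat(u), x, DIV))
    new_trans |= {(DIV, x, DIV) for x in invisible}
    return (new_states, set(alphabet), new_trans,
            {hat(u) for u in initial}, {hat(u) for u in accepting} | {DIV})


# Constructed samples: A = {a, b, x}, V = {a, b}, so x is the only invisible action.
VISIBLE = {"a", "b"}
# B1 accepts (ab)^omega and has no invisible transitions at all, so D is empty.
B1 = ({0, 1}, {"a", "b", "x"}, {(0, "a", 1), (1, "b", 0)}, {0}, {1})
# B2 accepts a x^omega: state 1 loops on the invisible x, so 1 is in D.
B2 = ({0, 1}, {"a", "b", "x"}, {(0, "a", 1), (1, "x", 1)}, {0}, {1})
```

Neither sample is in normal form as given (condition (1) already fails at the a-transition out of state 0, which no invisible transition can precede); after `norm` both pass the check, B1 acquiring the sharp state \(1^\sharp \) and B2 only invisible self-loops. Language equivalence with the original, the other half of Theorem 2, needs the BA complementation and emptiness machinery the paper delegates to Spot and is not attempted here.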
4 On-the-Fly Partial Order Reduction
4.1 General Theory and Soundness Theorem
Let \(M=(Q,A,T,q^0)\) be an LTS, \(V\subseteq A\), and \(B=(S,A,\delta ,S^0,F)\) a V-interruptible BA. The goal of on-the-fly POR is to explore a sub-automaton \(R'\) of \(R=M\parallel B\) with the property that \(\mathcal {L}(R)=\emptyset \;\Leftrightarrow \;\mathcal {L}(R')=\emptyset \).
A function \(\textsf {amp} :Q\times S\rightarrow 2^{A}\) is an ample selector if \(\textsf {amp} (q,s)\subseteq \textsf {enabled}(M,q)\) for all \(q\in Q, s\in S\). Each \(\textsf {amp} (q,s)\) is an ample set. An ample selector determines a BA \(R'={\textsf {reduced}}(R,\textsf {amp} )\) which has the same states, accepting states, and initial state as R, but only a subset of the transitions:
We now define some constraints on an ample selector that will be used to guarantee the reduced product space has nonempty language if the full space does. First we need the usual notion of independence:
Definition 12
Let M be an LTS with alphabet A, and \(a,b\in A\). We say a and b are independent if both of the following hold for all states q and \(q'\) of M:
1. \((q{\mathop {\rightarrow }\limits ^{a}}q'\wedge b\in \textsf {enabled}(M,q)) \Rightarrow b\in \textsf {enabled}(M,q')\)
2. \(q\xrightarrow {ab}q' \;\Leftrightarrow \;q\xrightarrow {ba}q'\).
We say a and b are dependent if they are not independent. \(\square \)
Note that, in contrast with [1], we do not assume actions are deterministic. We can now define the four constraints:
C0: For all \(q\in Q\), \(s\in S\): \(\textsf {enabled}(M,q)\ne \emptyset \Rightarrow \textsf {amp} (q,s)\ne \emptyset \).
C1: For all \(q\in Q\), \(s\in S\): on any trace in M starting from q, no action outside of \(\textsf {amp} (q,s)\) but dependent on an action in \(\textsf {amp} (q,s)\) can occur without an action in \(\textsf {amp} (q,s)\) occurring first.
C2: For all \(q\in Q\), \(s\in S\): if \(\textsf {amp} (q,s)\ne \textsf {enabled}(M,q)\), then \(\textsf {amp} (q,s)\cap V=\emptyset \).
C3: For all \(a\in A\): on any cycle in \(R'\) for which a is enabled in R at each state, there is some state (q, s) on the cycle for which \(a\in \textsf {amp} (q,s)\).
Theorem 3
Let M be an LTS with alphabet A, \(V\subseteq A\), B a BA with alphabet A in V-interrupt normal form, \(R=M\parallel B\), and \(\textsf {amp} \) an ample selector satisfying \(\mathbf {C0}\)–\(\mathbf {C3}\). Then \(\mathcal {L}(\mathsf {reduced}(R,\textsf {amp} ))=\emptyset \;\Leftrightarrow \;\mathcal {L}(R)=\emptyset \).
The requirement that B be in interrupt normal form is necessary. A counterexample when that condition is not met is given in Fig. 1. Note a and b are independent, and a is invisible. The ample set for product states 0 and 1 is \(\{a\}\); the ample set for product state 2 is \(\{a,b\}\). Hence C3 holds because a state on the sole cycle is fully enabled. After normalizing B (and removing unreachable states), this problem goes away: in any reduced space, the ample sets must retain the a-transitions, and state \(0^\sharp \) must be fully enabled since it has an a-self-loop, so the accepting cycle involving the two states will remain.
The remainder of this section is devoted to the proof of Theorem 3. The proof is similar to that of the analogous theorem in the state-based case [27], but some changes are necessary and we include the proof for completeness.
Let \(\theta \) be an accepting path in R. An infinite sequence of accepting paths \(\pi _0,\pi _1,\ldots \) will be constructed, where \(\pi _0=\theta \). For each \(i\ge 0\), \(\pi _i\) will be decomposed as \(\eta _i\circ \theta _i\), where \(\eta _i\) is a finite path of length i in \(R'\), \(\theta _i\) is an infinite path, and \(\eta _i\) is a prefix of \(\eta _{i+1}\). For \(i=0\), \(\eta _0\) is empty and \(\theta _0=\theta \).
Assume \(i\ge 0\) and we have defined \(\eta _j\) and \(\theta _j\) for \(j\le i\). Write
Then \(\eta _{i+1}\) and \(\theta _{i+1}\) are defined as follows. Let \(E=\textsf {amp} (q_0,s_0)\). There are two cases:
Case 1: \(a_1\in E\). Let \(\eta _{i+1}\) be the path obtained by appending the first transition of \(\theta _i\) to \(\eta _i\), and \(\theta _{i+1}\) the path obtained by removing the first transition from \(\theta _i\).
Case 2: \(a_1\not \in E\). Then there are two subcases:
Case 2a: Some operation in E occurs in \(\theta _i\). Let n be the index of the first such occurrence. By C1, \(a_j\) and \(a_n\) are independent for \(1\le j<n\). By repeated application of the independence property, there is a path in M of the form
By C2, \(a_n\) is invisible. By Definition 11, B has an accepting path of the form
Composing these two paths yields a path in R. Removing the first transition (labeled \(a_n\)) yields \(\theta _{i+1}\). Appending that transition to \(\eta _i\) yields \(\eta _{i+1}\).
Case 2b: No operation in E occurs in \(\theta _i\). By C0, E is nonempty. Let \(b\in E\). By C2, every action in \(\theta _i\) is independent of b. As in the case above, we obtain a path in R
and define \(\theta _{i+1}\) and \(\eta _{i+1}\) as above.
Let \(\eta \) be the limit of the \(\eta _i\), i.e., \(\eta (i)=\eta _{i+1}(i)\). It is clear that \(\eta \) is an infinite path in \(R'\), but we must show it passes through an accepting state infinitely often. To see this, define integers \(d_i\) for \(i\ge 0\) as follows. Let \(\xi _i=s_0s_1\cdots \) be the sequence of BA states traced by \(\theta _i\). Let \(d_i\) be the minimum \(j\ge 0\) such that \(s_j\) is accepting. Note that \(d_i=0\) iff \({\mathsf {last}}(\eta _i)\) is accepting.
Suppose \(i\ge 0\) and \(d_i>0\). If Case 1 holds, then \(d_{i+1}=d_i-1\), since \(\xi _{i+1}=\xi _i^1\). It is not hard to see that if Case 2 holds, \(d_{i+1}\le d_i\). Note that in Case 2a, if \(d_i=n\), the accepting state \(s_n\) is removed, but Definition 11(2) guarantees that at least one of \(s_{n-1}\) and \(s_{n+1}\) is accepting. In the worst case (\(s_{n-1}\) is not accepting), we still have \(d_{i+1}=n\).
We claim there are an infinite number of \(i\ge 0\) such that Case 1 holds. Otherwise, there is some \(i>0\) such that Case 2 holds for all \(j\ge i\). Let a be the first action in \(\theta _i\). Then for all \(j\ge i\), a is the first action of \(\theta _j\) and a is not in the ample set of \({\mathsf {last}}(\eta _j)\). Since the number of states of R is finite, there is some \(k>i\) such that \({\mathsf {last}}(\eta _k)={\mathsf {last}}(\eta _i)\). Hence there is a cycle in \(R'\) for which a is always enabled but never in the ample set, contradicting C3.
If \(\eta \) does not pass through an accepting state infinitely often, there is some \(i\ge 0\) such that for all \(j\ge i\), \({\mathsf {first}}(\theta _j)\) is not accepting. But then \((d_j)_{j\ge i}\) is a nondecreasing sequence of positive integers which strictly decreases infinitely often, a contradiction.
4.2 Ample Sets for a Parallel Composition of LTSs
We now describe the specific method used by McRERS to select ample sets. Since this method is similar to existing approaches, such as [32, Algorithm 4.3], we just outline the main ideas.
Let \(n\ge 1\), \(P=\{1,\ldots ,n\}\), and let \(M_1,\ldots , M_n\) be LTSs over \({\textsf {Act}}\). Write \(M_i=(Q_i,A_i,\rightarrow _i,q^0_i)\) and
For \(a\in A\), let \(\textsf {procs} (a)=\{i\in P\mid a\in A_i\}\). It can be shown that if a and b are dependent actions, then \(\textsf {procs} (a)\cap \textsf {procs} (b)\ne \emptyset \).
Let \(q=(q_1,\ldots ,q_n)\in Q\) and \(E_i=\textsf {enabled}(M_i,q_i)\) for \(i\in P\). Let
Suppose \(C\subseteq P\) is closed under \(R_q\), i.e., for all \(i\in C\) and \(j\in P\), \((i,j)\in R_q \Rightarrow j\in C\). This implies that if \(a\in E_i\) for some \(i\in C\) then \(\textsf {procs} (a)\subseteq C\). Define
Let \(E=\textsf {enabled}(C,q)\). Note \(E\subseteq \bigcup _{i\in C}E_i\). Hence for any \(a\in E\), \(\textsf {procs} (a)\subseteq C\).
Lemma 3
On any trace in M starting from q, no action outside of E but dependent on an action in E can occur without an action in E occurring first.
Proof
Let \(\zeta \) be a trace in M starting from q, such that no element of E occurs in \(\zeta \). We claim no action involving C (i.e., an action a for which \(\textsf {procs} (a)\cap C\ne \emptyset \)) can occur in \(\zeta \). Otherwise, let x be the first such action. Then \(x\in E_i\), for some \(i\in C\), so \(\textsf {procs} (x)\subseteq C\). As \(x\not \in E\), \(x\not \in \textsf {enabled}(M,q)\). So some earlier action y in \(\zeta \) caused x to become enabled, and therefore \(\textsf {procs} (x)\cap \textsf {procs} (y)\ne \emptyset \), hence \(\textsf {procs} (y)\cap C\ne \emptyset \), contradicting the assumption that x was the first action involving C in \(\zeta \).
Now any action b dependent on an action \(a\in E\) must satisfy that \(\textsf {procs} (a)\cap \textsf {procs} (b)\) is nonempty. Since \(\textsf {procs} (a)\subseteq C\), \(\textsf {procs} (b)\cap C\) is nonempty. Hence no action dependent on an action in E can occur in \(\zeta \). \(\square \)
We now describe how to find an ample set in the context of NDFS. Let (q, s) be a new product state that has just been pushed onto the outer DFS stack. The relation \(R_q\) defined above gives P the structure of a directed graph. Suppose that graph has a strongly connected component \(C_0\) such that all of the following hold for \(E=\textsf {enabled}(C_0,q)\):
1. \(E\ne \emptyset \),
2. \(E\cap V=\emptyset \),
3. \(\textsf {enabled}(C',q)=\emptyset \) for all SCCs \(C'\) reachable from \(C_0\) other than \(C_0\), and
4. E does not contain a “back edge”, i.e., if \((q,s){\mathop {\rightarrow }\limits ^{a}}\sigma \) for some \(a\in E\) and \(\sigma \in Q\times S\), then \(\sigma \) is not on the outer DFS stack.
Then set \(\textsf {amp} (q,s)=E\). If no such SCC exists, set \(\textsf {amp} (q,s)=\textsf {enabled}(M,q)\). It follows that C0–C3 hold. Note that the union C of all SCCs reachable from \(C_0\) is closed under \(R_q\), and \(\textsf {enabled}(C,q)=E\), so Lemma 3 guarantees C1. For C3, we actually have the stronger condition that in any cycle in the reduced space, at least one state is fully enabled. In our implementation, the SCCs are computed using Tarjan’s algorithm. Among all SCCs \(C_0\) satisfying the conditions above, we choose one for which \(\textsf {enabled}(C_0,q)\) is minimal.
One known issue when combining NDFS with on-the-fly POR is that the inner DFS must explore the same subspace as the outer DFS, i.e., \(\textsf {amp} \) must be a deterministic function of its input (q, s) [18]. To accomplish this, McRERS stores one additional integer j in the state: j is the root node of the SCC \(C_0\), or \(-1\) if the state is fully enabled. The outer search saves j in the state, and the inner search uses j to reconstruct the SCC \(C_0\) and the ample set E.
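The SCC-based ample-set selection of this subsection, as an added Python sketch written for this page (not McRERS code). The page omits the definitions of \(R_q\) and \(\textsf {enabled}(C,q)\), so the sketch assumes \((i,j)\in R_q\) whenever some action enabled locally at \(q_i\) belongs to component j, that \(\textsf {enabled}(C,q)\) is the set of actions enabled in M at q that some process in C enables locally, and the usual synchronisation rule that an action is enabled in M iff every component owning it enables it; all three are consistent with the facts the text states (\(E\subseteq \bigcup _{i\in C}E_i\), \(\textsf {procs} (a)\subseteq C\) for closed C). Condition 4 (no back edge) is approximated by a caller-supplied set of actions whose successor product state is on the outer DFS stack, the BA component of the product state is omitted since the selection depends only on q, and "minimal" is read as smallest cardinality.

```python
# Added example (not McRERS code).  A component LTS is a dict with an
# "alphabet" (set of actions) and "trans" (set of (state, action, state)).
# Components synchronise on shared actions (assumed composition rule): an
# action is enabled in M at q iff every component owning it enables it.

def procs(components, a):
    """procs(a) = indices of the components whose alphabet contains a."""
    return {i for i, m in enumerate(components) if a in m["alphabet"]}

def local_enabled(m, qi):
    """E_i = actions enabled in component m at its local state qi."""
    return {a for (s, a, t) in m["trans"] if s == qi}

def enabled_in_product(components, q, a):
    return all(a in local_enabled(components[i], q[i])
               for i in procs(components, a))

def process_graph(components, q):
    """Assumed R_q: an edge i -> j when an action enabled locally at q_i
    also belongs to component j (so a closed set C has procs(a) within C)."""
    edges = {i: set() for i in range(len(components))}
    for i, m in enumerate(components):
        for a in local_enabled(m, q[i]):
            edges[i] |= procs(components, a)
    return edges

def reachable(edges, start):
    seen, frontier = set(), [start]
    while frontier:
        k = frontier.pop()
        for j in edges[k]:
            if j not in seen:
                seen.add(j)
                frontier.append(j)
    return seen

def enabled_in_class(components, q, C):
    """Assumed enabled(C, q): globally enabled actions some i in C enables locally."""
    return {a for i in C for a in local_enabled(components[i], q[i])
            if enabled_in_product(components, q, a)}

def ample_set(components, q, visible, back_edge_actions=frozenset()):
    """Choose amp(q) by conditions 1-4 of Sect. 4.2, else fully enable."""
    n = len(components)
    edges = process_graph(components, q)
    reach = {i: reachable(edges, i) for i in range(n)}
    sccs = []
    for i in range(n):   # SCCs by mutual reachability (the tool uses Tarjan)
        scc = frozenset(j for j in range(n)
                        if j == i or (j in reach[i] and i in reach[j]))
        if scc not in sccs:
            sccs.append(scc)
    best = None
    for C0 in sccs:
        E = enabled_in_class(components, q, C0)
        downstream = set().union(*(reach[i] for i in C0)) - C0  # other SCCs reachable from C0
        if (E                                                  # 1. E non-empty
                and not (E & set(visible))                     # 2. E contains no visible action
                and not enabled_in_class(components, q, downstream)  # 3. nothing enabled downstream
                and not (E & set(back_edge_actions))):         # 4. no back edge onto the stack
            if best is None or len(E) < len(best):            # keep a minimal candidate
                best = E
    if best is not None:
        return best
    return {a for m in components for a in m["alphabet"]
            if enabled_in_product(components, q, a)}          # fully enabled

# Constructed sample: M1 and M2 synchronise on the visible action c,
# M3 is independent of both; V = {c}.
COMPONENTS = [
    {"alphabet": {"a", "c"}, "trans": {(0, "a", 1), (1, "c", 0)}},
    {"alphabet": {"b", "c"}, "trans": {(0, "b", 1), (1, "c", 0)}},
    {"alphabet": {"d"},      "trans": {(0, "d", 0)}},
]
VISIBLE = {"c"}
```

At the state \((1,1,0)\) the two synchronising components form one SCC whose only enabled action is the visible c, so that SCC is rejected by condition 2 and the ample set is \(\{d\}\); at \((1,0,0)\) the SCC \(\{1\}\) offers \(\{b\}\) and \(\{3\}\) offers \(\{d\}\), and marking b as a back edge moves the choice to \(\{d\}\), which is the effect condition 4 has in the NDFS.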
5 Related Work
There has been significant earlier research on the use of partial order reduction to model check LTSs (or the closely related concept of process algebras); see, e.g., [14, 16, 30,31,32,33, 35]. To understand how this previous work relates to this paper, we must explain a subtle, but important, distinction concerning how a property is specified. In much of this literature, a property of an LTS with alphabet A is essentially a pair \(\pi =(V, T)\), where \(V\subseteq A\) is a set of visible actions and T is a set of (finite and infinite) words over V. A property in this sense specifies acceptable behaviors after invisible actions have been removed. (See, e.g., Def. 2.4 and preceding comments in [32].) We can translate \(\pi \) to a property P in our sense by taking its inverse image under the projection map:
Note that P is V-interruptible by definition. Hence the need to distinguish interruptible properties does not arise in this context.
Much of the earlier work on POR for LTSs deals with the “offline” case, i.e., the construction of a subspace of M that preserves certain classes of properties. In contrast, Theorem 3 deals with an on-the-fly algorithm, i.e., the construction of a subspace of \(M\parallel B\). The on-the-fly approach is an essential optimization in model checking, but recent work in the state-based formalism has shown that offline POR schemes do not always generalize easily to on-the-fly algorithms [27].
One work that does describe an on-the-fly model checking algorithm for LTSs is [32] (see also [17], which deals with the same ideas in a state formalism). The property is specified by a tester process B. Consistent with the notion of property described above, the alphabet of B does not include the invisible actions. Hence, in the parallel composition \(M\parallel B\), the tester does not move when M executes an invisible action. In order to specify both finite and infinite words of visible actions, the tester has two kinds of accepting states: “livelock monitor states” and “infinite trace monitor states.” (Two additional classes of states for detecting other kinds of violations are not relevant to the discussion here.) A version of the stubborn set theory is used to define the reduced space, and a special condition is used to solve the “ignoring problem” (instead of our C3). It would be interesting to compare this algorithm with the one described here.
There are many algorithms for reducing or even minimizing the size of an LTS while preserving various properties, e.g., bisimulation equivalence [8] or divergence preserving bisimilarity [6]. These algorithms could be applied to the individual components of a parallel composition (taking all visible and communication actions to be “visible”), as a preprocessing step before beginning the model checking search. An exploration of these algorithms, and how they impact POR, is beyond the scope of this paper, but we hope to explore that avenue in future work.
The RERS Challenge [9, 19,20,21] is an annual event involving a number of different categories of large model checking problems. The “parallel LTL category,” offered from 2016 on, is directly relevant to this paper. Each problem in that category consists of a Graphviz “dot” file specifying an LTS as a parallel composition, and a text file containing 20 LTL formulas. The goal is to identify the formulas satisfied by the LTS. The solutions are initially known only to the organizers, and are published after the event. The RERS semantics for LTSs, LTL, and satisfiability are exactly the same as in this paper.
The methods for generating the LTS and the properties are complicated, and have varied over the years, but are designed to satisfy certain hardness guarantees. The approach described in [29] is “...based on the weak refinement ...of convergent systems which preserves an interesting class of temporal properties.” It can be seen that the properties preserved by weak refinement are exactly the interruptible properties. While [29] does not describe a method for determining whether a property is interruptible, the authors have informed us that they developed a sufficient condition for an LTL formula to be interruptible, and used this in combination with a random method to generate the formulas for 2016 and 2019. Our analysis (Sect. 6) confirms that all formulas from 2016 and 2019 are interruptible, while 2017 and 2018 contain some non-interruptible formulas.
There is a well-known way to translate a system and property expressed in an action-based formalism to a state-based formalism. The idea is to add a shared variable \(\textit{last}\) which records the last action executed. An LTL formula over actions can be transformed to one over states by replacing each action a with the predicate \(\textit{last}=a\). This is the approach taken in the Promela representations of the parallel problems provided with the RERS challenges.
This translation is semantics-preserving but performance-destroying. Every transition writes to the shared variable \(\textit{last}\), so any state-based POR scheme will assume that no two transitions commute. Furthermore, since the property references \(\textit{last}\), all transitions are visible. This effectively disables POR, even when the property is stutter-invariant, as can be seen in the poor performance of Spin on the RERS Promela models (Sect. 6). It is possible that there are more effective Spin translations; [34, §2.2], for example, suggests not updating \(\textit{last}\) on invisible actions, and adding a global boolean variable that is flipped on every visible action (in addition to updating \(\textit{last}\)). We note that this would also require modifying the LTL formula, or specifying the property in some other way. In any case, it suggests another interesting avenue for future work.
6 Experimental Results and Conclusions
We implemented a model checker named McRERS based on the algorithms described in this paper. McRERS is a library and set of command line tools. It is written in sequential C and uses the Spot library [4] for several tasks: (1) determining equivalence of LTL formulas, (2) determining language equivalence of BAs, and (3) converting an LTL formula to a BA. The source code for McRERS, as well as all artifacts related to the experiments discussed in this section, are available at https://vsl.cis.udel.edu/cav2020. The experiments were run on an 8-core 3.7 GHz Intel Xeon W-2145 Linux machine with 256 GB RAM, though McRERS is a sequential program and most experiments required much less memory.
As described in Sect. 5, each edition of RERS includes a number of problems, each of which comes with 20 LTL formulas. The numbers of problems for years 2016–2019 are, in order, 20, 15, 3, and 9, for a total of 47 problems, or \(47\times 20=940\) distinct model checking tasks. (Some formulas become identical after renaming propositions.) We used the McRERS property analyzer to analyze these formulas to determine which are interruptible; the algorithm used is based on Theorem 1. The results show that all formulas from 2016 and 2019 are interruptible, which agrees with the expectations of the RERS organizers. In 2017, 22 of the 300 formulas are not interruptible; these include

,

, and

.
In 2018, 3 of the 60 formulas are not interruptible. In summary, only 25 of the 940 tasks involve noninterruptible formulas. The total runtime for the analysis of all 940 formulas was 6 s.
We next used the McRERS automaton analyzer to create BAs from each of the interruptible formulas, and then to determine which of these Spot-generated BAs was not in interrupt normal form. This uses a straightforward algorithm that iterates over all states and checks the conditions of Definition 11. For each BA not in normal form, the analyzer transforms it to normal form using function \({\textsf {norm}}\) of Sect. 3.4. Interestingly, all of the Spot-generated BAs in 2016 and 2019 were already in normal form. Four of the BAs from interruptible formulas in 2017 were not in normal form; all of these formulas had the form \({\mathbf {F}}[a\vee ((\lnot b){\mathbf {W}}c)]\). In 2018, 6 interruptible formulas have non-normal BAs; these formulas have several different non-isomorphic forms, some of which are quite complex. The details can be seen on the online archive. The total runtime for this analysis (including writing all BAs to a file) was 11 s.
The McRERS model checker parses RERS “dot” and property files to construct an internal representation of a parallel composition \(M=M_1\parallel \cdots \parallel M_n\) of LTSs and a list of LTL formulas. Each formula f is converted to a BA B; if f is interruptible and B is not already in normal form, B is transformed to normal form. The NDFS algorithm is used to determine language emptiness, and if f is interruptible, the POR scheme described in Sect. 4 is also used. States are saved in a hash table.
One other simple optimization is used regardless of whether f is interruptible. Let \(\alpha M\) denote the set of actions labeling at least one transition in M, and define \(\alpha B\) similarly. If \(\alpha M\ne \alpha B\), then all transitions labeled by an action in \((\alpha M\setminus \alpha B)\cup (\alpha B\setminus \alpha M)\) are removed from the \(M_i\) and B; all unreachable states and transitions in the \(M_i\) and B are also removed. This is repeated until \(\alpha M=\alpha B\).
We applied the model checker to all problems in the 2019 benchmarks. Interestingly, all 180 tasks completed, with the correct results, using at most 8 GB RAM; the times are given in Fig. 2.
We also ran these problems with POR turned off, to measure the impact of that optimization. As is often the case with POR schemes, the difference is dramatic. The non-POR tests ran out of memory on our 256 GB machine after problem 106. We show the resources consumed for a representative task in Fig. 3; this property holds, so a complete search is required. In terms of number of states or time, the performance differs by about 5 orders of magnitude.
As explained in Sect. 5, the RERS Spin models cannot be expected to perform well. We ran the latest version of Spin on these using -DCOLLAPSE compression. We show the result for just the first task in Fig. 4. There is at least a 4-order-of-magnitude performance difference (measured in states or time) between the tools. An examination of Spin’s output in verbose mode reveals the problem to be as described in Sect. 5: the full set of enabled transitions is explored at each transition due to the update of the shared variable.
The 2016 RERS problems are more challenging for McRERS. The problems are numbered from 101 to 120. To scale beyond problem 111, with a memory bound of 256 GB, additional reduction techniques, such as the component minimization methods discussed in Sect. 5, must be used. We plan to carry out a thorough study of those methods and how they interact with POR.
Acknowledgements
We are grateful to Marc Jasper of TU Dortmund for answering many of our questions about the RERS benchmarks, and for coining the term "interruptible" to describe the class of properties that are the topic of this paper. This material is based upon work by the RAPIDS Institute, supported by the U.S. Department of Energy, Office of Science, Office of Advanced Scientific Computing Research, Scientific Discovery through Advanced Computing (SciDAC) program. Funding was also provided by DoE award DE-SC0012566, and by the U.S. National Science Foundation award CCF-1319571.
Rights and permissions
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
Copyright information
© 2020 The Author(s)
Cite this paper
Siegel, S.F., Yan, Y. (2020). Action-Based Model Checking: Logic, Automata, and Reduction. In: Lahiri, S., Wang, C. (eds) Computer Aided Verification. CAV 2020. Lecture Notes in Computer Science, vol 12225. Springer, Cham. https://doi.org/10.1007/978-3-030-53291-8_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-53290-1
Online ISBN: 978-3-030-53291-8