Checking Deadlock-Freedom of Parametric Component-Based Systems

We propose an automated method for computing inductive invariants applied to check deadlock-freedom for parametric component-based systems. The method generalizes the approach for computing structural trap invariants from bounded to parametric systems with general architectures. It symbolically extracts trap invariants from a monadic interaction formula characterizing the system architecture. The paper presents the theoretical foundations of the method including new results for the first order monadic logic and proves its soundness. It also provides preliminary illustrations on examples.

Modern computing systems exhibit dynamic and reconfigurable behavior. To tackle the complexity of such systems, engineers extensively use architectures that enforce, by construction, essential properties, such as fault tolerance or mutual exclusion. Architectures can be viewed as parametric operators that take as arguments instances of components of given types and enforce a characteristic property. For instance, client-server architectures enforce atomicity and resilience of transactions, for any numbers of clients and servers. Similarly, token-ring architectures enforce mutual exclusion between any number of components in the ring.
Parametric verification is an extremely relevant and challenging problem in systems engineering. In contrast to the verification of bounded systems, consisting of a known set of components, there exist no general methods and tools successfully applied to parametric systems. Verification problems for very simple parametric systems, even with finite-state components, are typically intractable [9,5]. Most work in this area puts emphasis on limitations determined mainly by three criteria: (1) the topology of the architecture, (2) the coordination primitives, and (3) the properties to be verified.
The main decidability results reduce parametric verification to the verification of a bounded number of instances of finite state components. Several methods try to determine a cut-off size of the system, i.e. the minimal size for which, if a property holds, then it holds for any size, e.g. Suzuki [13], Emerson and Namjoshi [8]. Other techniques use abstraction to generate from the parametric system a finite-state system or a decidable infinite-state system which preserves the property to be verified. Typically, these methods apply to systems with global coordination, such as in the work of German and Sistla [9], who reduce these systems to vector addition systems. Another work in this direction is regular model checking [6]. The interested reader can find a complete survey on parameterized model checking by Bloem et al. [5]. This paper takes a different angle of attack on the verification problem, seeking generality in the type of parametric systems and focusing on the verification of a particular but essential property: deadlock-freedom. The aim is to come up with effective methods for checking deadlock-freedom, by overcoming the complexity blowup stemming from the effective generation of reachability sets. We briefly describe our approach below.
A system is the composition of a finite number of component instances of given types, using interactions that follow the Behaviour-Interaction-Priorities (BIP) paradigm [3]. To simplify the technical part, we assume that components and interactions are finite abstractions of real-life systems. An instance is a finite-state transition system whose edges are labeled by ports. The instances communicate synchronously via a number of simultaneous interactions, each involving a set of ports, such that no data is exchanged during interactions. If the number of instances in the system is fixed and known in advance, we say that the system is bounded; otherwise it is parametric. For instance, the bounded system in Figure 1a consists of the component types Semaphore, with one instance, and Task, with two instances. A semaphore goes from the free state $r$ to the taken state $s$ by an acquire action $a$, and vice versa from $s$ to $r$ by a release action $e$. A task goes from waiting $w$ to busy $u$ by action $b$ and vice versa, by action $f$. For the bounded system in Figure 1a, the interactions are $\{a, b_1\}$, $\{a, b_2\}$, $\{e, f_1\}$ and $\{e, f_2\}$, depicted with dashed lines. Since the number of instances is known in advance, we can view an interaction as a minimal satisfying valuation of the boolean interaction formula $\Gamma$, where the port symbols are propositional variables. Because every instance has finitely many states, we can write a boolean formula $\Delta = [\neg r \vee \neg(w_1 \vee w_2)] \wedge [\neg s \vee \neg(u_1 \vee u_2)]$, this time over propositional state variables, which defines the configurations in which all interactions are disabled (deadlock). Proving that no deadlock configuration is reachable from the initial configuration $r \wedge w_1 \wedge w_2$ requires finding an over-approximation (invariant) $I$ of the reachable configurations, such that the conjunction $I \wedge \Delta$ is not satisfiable.
The basic idea of our method, supported by the D-Finder deadlock detection tool [4] for bounded component-based systems, is to compute an invariant straight from the interaction formula, without going through costly abstract fixpoint iterations. The invariants we are looking for are in fact solutions of a system of boolean constraints $\Theta(\Gamma)$, of size linear in the size of $\Gamma$ (written in DNF). In our example, $\Theta(\Gamma) = \bigwedge_{i=1,2} (r \vee w_i) \leftrightarrow (s \vee u_i)$. Finding the (minimal) solutions of this constraint can be done, as currently implemented in D-Finder, by exhaustive model enumeration using a SAT solver. Here we propose a more efficient solution, which consists in writing $\Theta(\Gamma)$ in DNF and removing the negative literals from each minterm. In our case, this gives the invariant $I = (r \vee s) \wedge \bigwedge_{i=1,2} (w_i \vee u_i) \wedge (r \vee u_1 \vee u_2) \wedge (s \vee w_1 \vee w_2)$, and $I \wedge \Delta$ is proved unsatisfiable using a SAT solver.
The main contribution of this paper is the generalization of this invariant generation method to the parametric case. To understand the problem, consider the parametric system from Figure 1, in which a Semaphore interacts with $n$ Tasks, where $n > 0$ is not known in advance. The interactions are described by a fragment of first order logic, in which the ports are either propositional or monadic predicate symbols, in our case $\Gamma = a \wedge \exists i\,.\,b(i) \vee e \wedge \exists i\,.\,f(i)$. This logic, called Monadic Interaction Logic (MIL), is also used to express the constraints $\Theta(\Gamma)$ and compute their solutions. In our case, we obtain

As in the bounded case, we can give a parametric description of deadlock configurations $\Delta = [\neg r \vee \neg\exists i\,.\,w(i)] \wedge [\neg s \vee \neg\exists i\,.\,u(i)]$ and prove that $I \wedge \Delta$ is unsatisfiable, using the decidability of MIL, based on an early small model property result due to Löwenheim [11]. In practice, we avoid the model enumeration suggested by this result and check the satisfiability of such queries using a decidable theory of sets with cardinality constraints [10], available in the CVC4 SMT solver [1].
The paper is structured as follows: §1 presents existing results for checking deadlock-freedom of bounded systems using invariants, §2 formalizes the approach for computing invariants using MIL, §3 introduces cardinality constraints for invariant generation, §4 presents the integration of the above results within a verification technique for parametric systems and §5 reports on preliminary experiments carried out with a prototype tool. Finally, §6 presents concluding remarks and future work directions. For reasons of space, all proofs are given in [7].

Bounded Component-based Systems
A component is a tuple $C = \langle P, S, s_0, \Delta\rangle$, where $P = \{p, q, r, \ldots\}$ is a finite set of ports, $S$ is a finite set of states, $s_0 \in S$ is an initial state and $\Delta \subseteq S \times P \times S$ is a set of transitions, written $s \xrightarrow{p} s'$. To simplify the technical details, we assume there are no two different transitions with the same port, i.e. if $s$

In general, this restriction can be lifted, at the cost of cluttering the presentation.
A bounded system $\mathcal{S} = \langle C_1, \ldots, C_n, \Gamma\rangle$ consists of a fixed number ($n$) of components $C_k = \langle P_k, S_k, s^0_k, \Delta_k\rangle$ and an interaction formula $\Gamma$, describing the allowed interactions. Since the number of components is known in advance, we write interaction formulae using boolean logic over the set of propositional variables $\mathrm{BVar} \stackrel{def}{=} \bigcup_{k=1}^n (P_k \cup S_k)$. A boolean interaction formula is either $a \in \mathrm{BVar}$, $f_1 \wedge f_2$ or $\neg f_1$, where $f_i$ are formulae, for $i = 1, 2$, respectively. We define the usual shorthands. A literal is either a variable or its negation and a minterm is a conjunction of literals. A formula is in disjunctive normal form (DNF) if it is written as $\bigvee_{i=1}^n \bigwedge_{j=1}^{m_i} \ell_{ij}$, where each $\ell_{ij}$ is a literal. A formula is positive if and only if each variable occurs under an even number of negations or, equivalently, its DNF form contains no negative literals. We assume interaction formulae of bounded systems to be always positive.
A boolean valuation $\beta : \mathrm{BVar} \to \{\top, \bot\}$ maps each propositional variable to either true ($\top$) or false ($\bot$). We write $\beta \models f$ if and only if $f = \top$ when replacing each boolean variable $a$ with $\beta(a)$ in $f$. We say that $\beta$ is a model of $f$ in this case, and write $f \equiv g$ for

In the rest of this section, we fix a bounded system $\mathcal{S} = \langle C_1, \ldots, C_n, \Gamma\rangle$, where

and $\Gamma$ is a positive boolean formula, over propositional variables denoting ports.

Execution Semantics of Bounded Systems
We use 1-safe marked Petri Nets to define the set of executions of a bounded system. A Petri Net (PN) is a tuple $N = \langle S, T, E\rangle$, where $S$ is a set of places, $T$ is a set of transitions, $S \cap T = \emptyset$, and $E$ is the set of edges. The pre-set ${}^\bullet t$ and post-set $t^\bullet$ of a node $t$ are defined as usual, and we lift these definitions to sets of nodes.
A marking for a PN $N = \langle S, T, E\rangle$ is a function $m : S \to \mathbb{N}$. A transition $t$ is enabled in $m$ if and only if $m(s) > 0$ for each place $s \in {}^\bullet t$. The transition relation of $N$ is defined as follows. For all markings $m, m'$ and all transitions $t$, we write $m \xrightarrow{t} m'$ whenever $t$ is enabled in $m$ and $m'(s) = m(s) - E(s, t) + E(t, s)$, for all $s \in S$. Given two markings $m$ and $m'$, a finite sequence of transitions $\sigma = t_1, \ldots, t_n$ is a firing sequence, written $m \xrightarrow{\sigma} m'$, if and only if either (i) $n = 0$ and $m = m'$, or (ii) $n \ge 1$ and there exist markings

In the following, we consider only marked PNs that are 1-safe. In this case, any (necessarily finite) set of reachable markings can be defined by a boolean formula, which identifies markings with the induced boolean valuations.
A marking $m$ is a deadlock if for no marking $m'$ and no transition $t$ do we have $m \xrightarrow{t} m'$. Let $D(N)$ be the set of deadlocks of $N$. A marked PN $\mathcal{N}$ is deadlock-free if and only if $R(\mathcal{N}) \cap D(\mathcal{N}) = \emptyset$. A sufficient condition for deadlock freedom is $M \cap D(\mathcal{N}) = \emptyset$, for some invariant $M$ of $\mathcal{N}$.
The set of executions of the bounded system $\mathcal{S}$ is given by the 1-safe marked PN $\mathcal{N}_\mathcal{S} = (N, m_0)$, where $N = (\bigcup_{i=1}^n S_i, T, E)$, $m_0(s) = 1$ if and only if $s \in \{s^0_1, \ldots, s^0_n\}$

For example, the marked PN from Figure 2 describes the set of executions of the bounded system from Figure 1a. Note that each transition of the PN corresponds to a minimal model of the interaction formula or, equivalently, to the set of (necessarily positive) literals of some minterm in the DNF of $\Gamma$.

Proving Deadlock Freedom of Bounded Systems
A bounded system $\mathcal{S}$ is deadlock-free if and only if its corresponding marked PN $\mathcal{N}_\mathcal{S}$ is deadlock-free. In the following, we prove deadlock-freedom of a bounded system by defining a class of invariants that are particularly useful for excluding unreachable deadlock markings.
Given a Petri Net $N = (S, T, E)$, a set of places $W \subseteq S$ is called a trap if and only if $W^\bullet \subseteq {}^\bullet W$. A trap $W$ of $N$ is a marked trap of the marked PN $\mathcal{N} = (N, m_0)$ if and only if $m_0(s) = \top$ for some $s \in W$. A minimal marked trap is a marked trap such that none of its strict subsets is a marked trap. A marked trap defines an invariant of the PN because some place in the trap will always be marked, no matter which transition is fired.
Lemma 1. Given a bounded system $\mathcal{S}$, the boolean formula:

Proof: Let $\mathcal{N}_\mathcal{S} = (N, m_0)$, where $N = (S, T, E)$. First, we prove that $m_0 \models \mathit{Trap}(\mathcal{N}_\mathcal{S})$. Let $S = \{s_1, \ldots, s_k\}$ be a marked trap of $\mathcal{N}_\mathcal{S}$. Since $S$ is marked, $m_0(s_i) = \top$ for some $i \in$

Next, we describe a method of computing trap invariants that does not explicitly enumerate all the marked traps of a marked PN. First, we consider a trap constraint $\Theta(\Gamma)$, derived from the interaction formula $\Gamma$, in linear time. By slight abuse of notation, we define, for a given port $p \in P_i$ of the component $C_i$, for some $i \in [1, n]$, the pre- and post-state of $p$ in $C_i$ as ${}^\bullet p \stackrel{def}{=} s$ and $p^\bullet \stackrel{def}{=} s'$, where $s \xrightarrow{p} s'$ is the unique rule involving $p$ in $\Delta_i$, and ${}^\bullet p = p^\bullet \stackrel{def}{=} \bot$ if there is no such rule. Assuming that the interaction formula is written in DNF as $\Gamma = \bigvee_{k=1}^N \bigwedge_{\ell=1}^{M_k} p_{k\ell}$, we define the trap constraint:

We also consider the formula $\mathit{Init}(\mathcal{S})$, built from the initial states $s^0_1, \ldots, s^0_n$ and defining the initial marking of the system, and prove the following:

Lemma 2. Let $\mathcal{S}$ be a bounded system with interaction formula $\Gamma$ and $\beta$ be a boolean valuation. Then

Given a trap $S \subseteq Q$ of $N$, we have the following equivalences:

is a propositional variable. Then for each transition $t_\beta \in T$, we have:

Because $\Theta(\Gamma)$ and $\mathit{Init}(\mathcal{S})$ are boolean formulae, it is, in principle, possible to compute the trap invariant $\mathit{Trap}(\mathcal{N}_\mathcal{S})$ by enumerating the (minimal) models of $\Theta(\Gamma) \wedge \mathit{Init}(\mathcal{S})$ and applying the definition from Lemma 1. However, model enumeration is inefficient and, moreover, does not admit generalization to the parametric case, in which the size of the system is unknown. For these reasons, we prefer a computation of the trap invariant based on two symbolic transformations of boolean formulae, described next.
For a formula $f$ we denote by $f^+$ the positive formula obtained by deleting all negative literals from the DNF of $f$. In lack of a better term, we shall call this operation positivation. Second, for a positive boolean formula $f$, we define the formula $(f)^\sim$ recursively on the structure of $f$, as follows:

and $a^\sim \stackrel{def}{=} a$, for any $a \in \mathrm{BVar}$. Note that $f^\sim$ is equivalent to the negation of the formula obtained from $f$ by substituting each variable $a$ with $\neg a$ in $f$. This operation, called dualization, applies only to positive formulae and is undefined elsewhere.

Lemma 3. Given boolean formulae $f$ and $g$, we have $f \equiv g$ only if $f^{+\sim} \equiv g^{+\sim}$.
Proof: If $f \equiv g$, the set of minterms in the DNF of $f$ is identical to that of $g$, modulo commutativity of conjunctions. Then the set of minterms in the DNF of $f^+$ equals that of $g^+$, thus $f^+ \equiv g^+$. Second, the CNF of $f^{+\sim}$ is the same as the CNF of $g^{+\sim}$, as both are obtained directly from the DNF of $f^+$ and $g^+$, respectively, by interchanging disjunctions with conjunctions.
The following theorem gives the main result of this section, the symbolic computation of the trap invariant of a bounded system, directly from its interaction formula.

Theorem 1. For any bounded system $\mathcal{S}$, with interaction formula $\Gamma$, we have:

Proof: For a boolean valuation $\beta$, we denote by $\mu_\beta$ the complete minterm $\bigwedge_{\beta(a) = \top} a \wedge \bigwedge_{\beta(a) = \bot} \neg a$. By Lemma 2 we obtain the equivalence:

The equivalence of the statement is obtained by applying Lemma 3.
Just like any invariant, trap invariants can be used to prove absence of deadlocks in a bounded system. Assuming, as before, that the interaction formula is given in DNF as

This is the set of configurations in which all interactions are disabled. With this definition, proving deadlock freedom amounts to proving unsatisfiability of a boolean formula.
Proof: Let $\mathcal{N}_\mathcal{S} = (N, m_0)$, where $N = (S, T, E)$, and define the set of deadlock markings:

$\neg s$

Suppose, by contradiction, that $\mathcal{S}$ is not deadlock-free, thus $R(\mathcal{N}_\mathcal{S}) \wedge \mathit{Dead}(\mathcal{N}_\mathcal{S})$ has a satisfying valuation $\beta$. Because $\mathit{Trap}(\mathcal{N}_\mathcal{S})$ defines an invariant of $\mathcal{N}_\mathcal{S}$ and $R(\mathcal{N}_\mathcal{S})$ defines its least invariant, we have
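As an added worked example (not the paper's or D-Finder's code), the following Python carries the bounded-case computation of Theorem 1 through for the Semaphore/Task system of Figure 1a: it builds $\Theta(\Gamma)$ from the interaction formula and the pre-/post-states of the ports, positivizes and dualizes it, and then checks $I \wedge \Delta$ for unsatisfiability by exhaustive enumeration in place of a SAT solver. It assumes that $\mathit{Init}(\mathcal{S})$ is the disjunction of the initial states (a trap is marked when it contains one of them), which is the reading under which the computed invariant coincides with the $I$ given in the introduction.

```python
"""Trap-invariant deadlock check for the bounded Semaphore/Task system of Figure 1a.

Constructed illustration of Theta(Gamma), positivation, dualization and Theorem 1;
it is not the paper's D-Finder implementation.  A formula in DNF is a set of
minterms; a minterm is a frozenset of literals (variable, polarity).
"""
from itertools import product

# Every port labels exactly one transition: port -> (pre-state, post-state).
TRANSITIONS = {
    "a": ("r", "s"), "e": ("s", "r"),          # Semaphore: acquire / release
    "b1": ("w1", "u1"), "f1": ("u1", "w1"),    # Task 1: begin / finish
    "b2": ("w2", "u2"), "f2": ("u2", "w2"),    # Task 2: begin / finish
}
INITIAL = {"r", "w1", "w2"}                    # initial state of each component
# Interaction formula Gamma in DNF: each minterm is the set of ports that synchronise.
GAMMA = [{"a", "b1"}, {"a", "b2"}, {"e", "f1"}, {"e", "f2"}]


def conj_dnf(d1, d2):
    """Conjunction of two DNFs by distribution; contradictory minterms are dropped."""
    out = set()
    for m1 in d1:
        for m2 in d2:
            m = m1 | m2
            if not any((v, not pol) in m for v, pol in m):
                out.add(frozenset(m))
    return out


def trap_constraint(gamma, transitions):
    """Theta(Gamma): one constraint per interaction, (OR of pre-states) -> (OR of
    post-states).  Read over a set of places W, it says that W is a trap.  In DNF
    the implication is  (AND of negated pre-states) OR post_1 OR ... OR post_n."""
    theta = {frozenset()}                      # the empty minterm is 'true'
    for interaction in gamma:
        pres = {transitions[p][0] for p in interaction}
        posts = {transitions[p][1] for p in interaction}
        dnf = {frozenset((s, False) for s in pres)}
        dnf |= {frozenset({(s, True)}) for s in posts}
        theta = conj_dnf(theta, dnf)
    return theta


def positivation(dnf):
    """f^+ : delete the negative literals of every minterm."""
    return {frozenset(lit for lit in m if lit[1]) for m in dnf}


def dualization(positive_dnf):
    """f^~ : interchange conjunction and disjunction, so every minterm becomes a
    clause of a CNF.  A clause that has a strict subset among the clauses is
    implied by it and dropped (for Theta AND Init this leaves the minimal marked traps)."""
    return {c for c in positive_dnf if not any(d < c for d in positive_dnf)}


def trap_invariant(gamma, transitions, initial):
    """Theorem 1: Trap(N_S) = (Theta(Gamma) AND Init(S))^{+~}.  Init(S) is taken
    here as the disjunction of the initial states, i.e. 'W contains a marked
    place' (assumption of this example)."""
    init = {frozenset({(s, True)}) for s in initial}
    return dualization(positivation(conj_dnf(trap_constraint(gamma, transitions), init)))


def deadlock_cnf(gamma, transitions):
    """Delta: every interaction is disabled, i.e. for each interaction some
    participant is not in the pre-state of its port."""
    return {frozenset((transitions[p][0], False) for p in interaction)
            for interaction in gamma}


def satisfiable(cnf, variables):
    """Exhaustive SAT check (a SAT solver takes this role in D-Finder).
    Returns a satisfying valuation, or None when the CNF is unsatisfiable."""
    variables = sorted(variables)
    for bits in product((False, True), repeat=len(variables)):
        val = dict(zip(variables, bits))
        if all(any(val[v] == pol for v, pol in clause) for clause in cnf):
            return val
    return None


def check_deadlock_freedom(gamma, transitions, initial):
    """True when I AND Delta is unsatisfiable, i.e. the trap invariant excludes
    every deadlock configuration (the check is sound, not complete)."""
    inv = trap_invariant(gamma, transitions, initial)
    states = {s for pre_post in transitions.values() for s in pre_post}
    return satisfiable(inv | deadlock_cnf(gamma, transitions), states) is None


if __name__ == "__main__":
    for clause in sorted(trap_invariant(GAMMA, TRANSITIONS, INITIAL), key=sorted):
        print(" OR ".join(v for v, _ in sorted(clause)))
    print("deadlock-free:", check_deadlock_freedom(GAMMA, TRANSITIONS, INITIAL))
```

On the system of Figure 1a the five printed clauses are exactly the $I$ of the introduction; on a constructed variant in which Task 2 never releases the semaphore (interaction $\{e, f_2\}$ removed) the deadlock $s \wedge w_1 \wedge u_2$ is reachable and the same check leaves $I \wedge \Delta$ satisfiable.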

Parametric Component-based Systems
From now on we shall focus on parametric systems, consisting of a fixed set of component types $C_1, \ldots, C_n$, such that the number of instances of each type is not known in advance. These numbers are given by a function $M : [1, n] \to \mathbb{N}$, where $M(k)$ denotes the number of components of type $C_k$ that are active in the system. To simplify the technical presentation of the results, we assume that all instances of a component type are created at once, before the system is started. For the rest of this section, we fix a parametric system $\mathcal{S} = \langle C_1, \ldots, C_n, M, \Gamma\rangle$, where each component type $C_k = \langle P_k, S_k, s^0_k, \Delta_k\rangle$ has the same definition as a component in a bounded system and $\Gamma$ is an interaction formula, written in the fragment of first order logic defined next.

$\mathit{Pred} \stackrel{def}{=} \bigcup_{k=1}^n \mathit{Pred}_k$. Moreover, we consider that $\mathit{Var}_k \cap \mathit{Var}_\ell = \emptyset$ and $\mathit{Pred}_k \cap \mathit{Pred}_\ell = \emptyset$, for all $1 \le k < \ell \le n$. For simplicity's sake, we assume that all predicate symbols in $\mathit{Pred}$ are of arity one. For component types $C_k$ such that $M(k) = 1$ and predicate symbols $\mathit{pred} \in \mathit{Pred}_k$, we shall write $\mathit{pred}$ instead of $\mathit{pred}(1)$, as in the interaction formula of the system from Figure 1b. The syntax of the monadic interaction logic (MIL) is given below:

Monadic Interaction Logic
A sentence is a formula in which all variables are in the scope of a quantifier. A formula is positive if each predicate symbol occurs under an even number of negations. The semantics of MIL is given in terms of structures $\mathcal{I} = (U, \nu, \iota)$, where:
- $U$ is the universe of instances, over which variables range,
- $\nu : \mathit{Var} \to U$ is a valuation mapping variables to elements of the universe,
- $\iota : \mathit{Pred} \to 2^U$ is an interpretation of predicates as subsets of the universe.

For a structure $\mathcal{I} = (U, \nu, \iota)$ and a formula $\phi$, the satisfaction relation $\mathcal{I} \models \phi$ is defined as:

where the updated valuation acts as $\nu$, except for $i$, which is assigned $m$. Whenever $\mathcal{I} \models \phi$, we say that $\mathcal{I}$ is a model of $\phi$. It is known that, if a MIL formula has a model, then it has a model whose universe has cardinality at most exponential in the size (number of symbols) of the formula [11]. This result, due to Löwenheim, is among the first decidability results for a fragment of first order logic.
Given structures $\mathcal{I}_1$ and $\mathcal{I}_2$, for all $p \in \mathit{Pred}$, and $\mathcal{I}_1 \subset \mathcal{I}_2$ iff $\mathcal{I}_1 \subseteq \mathcal{I}_2$ and $\mathcal{I}_1 \neq \mathcal{I}_2$. As before, we define the sets $[\![\phi]\!]$ and $[\![\phi]\!]^\mu$ of models and minimal models of a MIL formula $\phi$, respectively. Given formulae $\phi_1$ and $\phi_2$, we write

Execution Semantics of Parametric Systems
We consider the interaction formulae of parametric systems to be finite disjunctions of formulae of the form below:

where $\varphi, \psi_{\ell+1}, \ldots, \psi_{\ell+m}$ are conjunctions of equalities and disequalities involving index variables. Intuitively, the formulae (1) state that there are at most $\ell$ component instances that engage in a multiparty rendez-vous interaction on ports $p_1(i_1), \ldots, p_\ell(i_\ell)$, together with a broadcast to the ports $p_{\ell+1}(i_{\ell+1}), \ldots, p_{\ell+m}(i_{\ell+m})$ of the instances that fulfill the constraints $\psi_{\ell+1}, \ldots, \psi_{\ell+m}$. Observe that, if $m = 0$, the above formula corresponds to a multiparty (generalized) rendez-vous interaction $\exists i_1 \ldots \exists i_\ell\,.\,\varphi \wedge \bigwedge_{j=1}^{\ell} p_j(i_j)$. An example of peer-to-peer rendez-vous is the parametric system from Figure 1. Another example, of broadcast, is given below.
Example 1. Consider the parametric system obtained from an arbitrary number of Worker components (Figure 3), where

Any pair of instances can jointly execute the $b$ (begin) action provided all others are taking the $a$ (await) action. Any instance can also execute alone the $f$ (finish) action.
[Figure labels: $f(i_1)$, $u(i_2)$, $b(i_1)$]

The execution semantics of a parametric system $\mathcal{S}$ is the marked PN $\mathcal{N}_\mathcal{S} = (N, m_0)$, where

and the sets of transitions $T$ and edges $E$ are defined next. For each minimal model

As a remark, unlike in the case of bounded systems, the size of the marked PN $\mathcal{N}_\mathcal{S}$ that describes the execution semantics of a parametric system $\mathcal{S}$ depends on the maximum number of instances of each component type. The definition of the trap invariant $\mathit{Trap}(\mathcal{N}_\mathcal{S})$ is the same as in the bounded case, except that, in this case, the size of the boolean formula depends on the (unbounded) number of instances in the system. The challenge, addressed in the following, is to define trap invariants using MIL formulae of a fixed size.

Computing Parametric Trap Invariants
To start with, we define the trap constraint of an interaction formula $\Gamma$, consisting of a finite disjunction of formulae of the form (1), as a finite conjunction of formulae of the form below:

where, for a port $p \in P_k$ of some component type $C_k$, ${}^\bullet p(i)$ and $p(i)^\bullet$ denote the unique predicate atoms $s(i)$ and $s'(i)$ such that $s \xrightarrow{p} s' \in \Delta_k$ is the (unique) transition involving $p$ in $\Delta_k$, or $\bot$ if there is no such rule.

Example 2. For example, the trap constraint for the parametric (rendez-vous) system in Figure 1b is:

Analogously, the trap constraint for the parametric (broadcast) system in Figure 3 is:

To prove the correctness of the above parametric trap constraint definition, we define a translation of MIL formulae into boolean formulae of unbounded size. Given a function $M : [1, n] \to \mathbb{N}$, the unfolding of a MIL sentence $\phi$ is the boolean formula $\mathcal{B}_M(\phi)$ obtained by replacing each existential quantifier $\exists i\,.\,\psi(i)$, for $i \in \mathit{Var}_k$, by a finite disjunction $\bigvee_{\ell=1}^{M(k)} \psi[\ell/i]$, and each universal quantifier $\forall i\,.\,\psi(i)$, for $i \in \mathit{Var}_k$, by a finite conjunction $\bigwedge_{\ell=1}^{M(k)} \psi[\ell/i]$, where the substitution of the constant $\ell$, $1 \le \ell \le M(k)$, for the variable $i$ is defined recursively as usual, except for $\mathit{pred}(i)[\ell/i] \stackrel{def}{=} (\mathit{pred}, \ell)$, which is a propositional variable. Further, we relate structures to boolean valuations of unbounded size as follows. For a structure $\mathcal{I} = (U, \nu, \iota)$ we define the boolean valuation $\beta_\mathcal{I}((\mathit{pred}, \ell)) = \top$ if and only if $\ell \in \iota(\mathit{pred})$, for each predicate symbol $\mathit{pred}$ and each integer constant $\ell$. Conversely, for each valuation $\beta$ of the propositional variables $(\mathit{pred}, \ell)$, there exists a structure

Considering the MIL formula $\mathit{Init}(\mathcal{S})$, built from the formulae $\forall i_k\,.\,s^0_k(i_k)$ for $k = 1, \ldots, n$, that defines the set of initial configurations of a parametric system $\mathcal{S}$, the following lemma proves the correctness of the above parametric trap constraint definition:

Lemma 5.
Let $\mathcal{S}$ be a parametric system with interaction formula $\Gamma$ and $\mathcal{I}$ be a structure. Then

and define the bounded system:

It is not hard to prove that $\mathcal{N}_\mathcal{S}$ is the same as $\mathcal{N}_{\mathcal{U}(\mathcal{S})}$, thus their marked traps coincide.
The following equivalences follow from Lemma 4:

As we aim at computing an invariant able to prove safety properties, such as deadlock freedom, independently of how many components are present in the system, we must define the trap invariant using a formula depending exclusively on $\Gamma$, i.e. not on $M$.
Observe first that $\mathit{Trap}(\mathcal{N}_\mathcal{S})$ can be equivalently defined using only the minimal marked traps of $\mathcal{N}_\mathcal{S}$, which, by Lemma 5, are exactly the sets $\{(s, k) \mid k \in \iota(s)\}$ defined by some structure $(U, \nu, \iota) \in [\![\Theta(\Gamma) \wedge \mathit{Init}(\mathcal{S})]\!]^\mu$. Assuming that the set of structures $[\![\Theta(\Gamma) \wedge \mathit{Init}(\mathcal{S})]\!]^\mu$, or an over-approximation of it, can be defined by a positive MIL formula, the trap invariant is defined using a generalization of boolean dualization to predicate logic, defined recursively, as follows:

The crux of the method is the ability to define, given an arbitrary MIL formula $\phi$, a positive MIL formula $\phi^\oplus$ that preserves its minimal models, formally $\phi \equiv^\mu \phi^\oplus$. Because of quantification over unbounded domains, a MIL formula $\phi$ does not have a disjunctive normal form, and thus one cannot define $\phi^\oplus$ by simply deleting the negative literals in the DNF, as was done for the definition of the positivation operation $(\cdot)^+$ in the propositional case. For now we assume that the transformation $(\cdot)^\oplus$ of monadic predicate formulae into positive formulae preserving minimal models is defined (a detailed presentation of this step is given in §3) and close this section with a parametric counterpart of Theorem 1.
Before giving the proof of the main result of this section, we need a few technical lemmas. For a set $S$ of boolean valuations, let $S{\uparrow} \stackrel{def}{=} \{\beta \mid \exists \beta' \in S\,.\,\beta' \subseteq \beta\}$ be its upward closure. A set $S$ of boolean valuations is upward-closed iff $S = S{\uparrow}$. The following lemma shows that the set of models of a positive boolean formula is upward-closed and thus uniquely determined by its minimal elements.

Lemma 6. Given a positive boolean formula $f$, we have

Lemma 7. Given a MIL sentence $\phi$ with quantified variables $i_1, \ldots, i_n$ and a function

We obtain the following equivalences:

Cardinality Constraints
This section is concerned with the definition of a positivation operator $(\cdot)^\oplus$ for MIL sentences, whose only requirements are that $\phi^\oplus$ is positive and $\phi \equiv^\mu \phi^\oplus$. For this purpose, we use a logic of quantifier-free boolean cardinality constraints [10,1] as an equivalent intermediate language, in which the positive formulae are defined. The translation of MIL into cardinality constraints is done by an equivalence-preserving quantifier elimination procedure, described in §3.1. As a byproduct, since the satisfiability of quantifier-free cardinality constraints is NP-complete [10] and integrated with SMT [1], we obtain a practical decision procedure for MIL that does not use model enumeration, as suggested by the small model property [11]. Finally, the definition of a positive MIL formula from a boolean combination of quantifier-free cardinality constraints is given in §3.2.
We start by giving the definition of cardinality constraints. Given the set of monadic predicate symbols $\mathit{Pred}$, a boolean term is generated by the syntax:

When there is no risk of confusion, we borrow the terminology of boolean logic and say that a term is in DNF if it is a disjunction of conjunctions (minterms). We also write $t_1 \to t_2$ if and only if the implication is valid when $t_1$ and $t_2$ are interpreted as boolean formulae, with each predicate symbol viewed as a propositional variable. Two boolean terms $t_1$ and $t_2$ are said to be compatible if and only if $t_1 \wedge t_2$ is satisfiable, when viewed as a boolean formula.
For a boolean term $t$ and a first-order variable $i \in \mathit{Var}$, we define the shorthand $t(i)$ recursively, as $(\neg t_1)(i)$

Given a positive integer $n \in \mathbb{N}$ and a boolean term $t$, we define the following cardinality constraints, by MIL formulae:

We shall further use cardinality constraints with $n = \infty$, by defining $|t| \ge \infty \stackrel{def}{=} \bot$ and $|t| \le \infty \stackrel{def}{=} \top$. The intuitive semantics of cardinality constraints is formally defined in terms of structures $\mathcal{I} = (U, \nu, \iota)$ by the semantics of monadic predicate logic, given in the previous section. For instance, $|p \wedge q| \ge 1$ means that the intersection of the sets $p$ and $q$ is not empty, whereas $|\neg p| \le 0$ means that $p$ contains all elements of the universe.

Quantifier Elimination
Given a sentence $\phi$, written in MIL, we build an equivalent boolean combination of cardinality constraints $\mathit{qe}(\phi)$, using quantifier elimination. We describe the elimination of a single existential quantifier; the generalization to several existential or universal quantifiers is immediate. Assume that $\phi = \exists i_1\,.\,\bigvee_{k \in K} \psi_k(i_1, \ldots, i_m)$, where $K$ is a finite set of indices and, for each $k \in K$, $\psi_k$ is a quantifier-free conjunction of atomic propositions of the form $i_j = i_\ell$, $P(i_j)$ and their negations, for some $j, \ell \in [1, m]$. We write, equivalently, $\phi \equiv \bigvee_{k \in K} \varphi_k \wedge \exists i_1\,.\,\theta_k(i_1, \ldots, i_m)$, where $\varphi_k$ does not contain occurrences of $i_1$ and $\theta_k$ is a conjunction of literals of the form $P(i_1)$, $\neg P(i_1)$, $i_1 = i_j$ and $\neg i_1 = i_j$, for some $j \in [2, m]$. For each $k \in K$, we distinguish the following cases:
1.
2. else, $\theta_k = \bigwedge_{j \in J_k} \neg i_1 = i_j \wedge t_k(i_1)$ for some $J_k \subseteq [2, m]$ and boolean term $t_k$, and let:

Universal quantification is dealt with using the duality $\mathit{qe}(\forall i_1\,.\,\psi) \stackrel{def}{=} \neg\mathit{qe}(\exists i_1\,.\,\neg\psi)$. For a prenex formula $\phi = Q_n i_n \ldots Q_1 i_1\,.\,\psi$, where $Q_1, \ldots, Q_n \in \{\exists, \forall\}$ and $\psi$ is quantifier-free, we define, recursively, $\mathit{qe}(\phi)$

It is easy to see that, if $\phi$ is a sentence, $\mathit{qe}(\phi)$ is a boolean combination of cardinality constraints. The correctness of the construction is a consequence of the following lemma:

and $\psi$ is a quantifier-free conjunction of equality and predicate atoms, we have $\phi \equiv \mathit{qe}(\phi)$.

Building Positive Formulae that Preserve Minimal Models
Let $\phi$ be a MIL formula, not necessarily positive. We shall build a positive formula $\phi^\oplus$ such that $\phi \equiv^\mu \phi^\oplus$. By the result of the last section, $\phi$ is equivalent to a boolean combination of cardinality constraints $\mathit{qe}(\phi)$, obtained by quantifier elimination. Thus we assume w.l.o.g. that the DNF of $\phi$ is a disjunction of conjunctions of the form $\bigwedge_{i \in L} |t_i| \ge \ell_i \wedge \bigwedge_{j \in U} |t_j| \le u_j$, for some sets of indices $L, U$ and some positive integers $\{\ell_i\}_{i \in L}$ and $\{u_j\}_{j \in U}$.
For a boolean combination of cardinality constraints $\psi$, we denote by $\mathcal{P}(\psi)$ the set of predicate symbols that occur in a boolean term of $\psi$, and by $\mathcal{P}^+(\psi)$ ($\mathcal{P}^-(\psi)$) the set of predicate symbols that occur under an even (odd) number of negations in $\psi$. The following proposition allows us to restrict the form of $\phi$ even further, without losing generality:

Proposition 1. Given MIL formulae $\phi_1$ and $\phi_2$, for any positivation operator $(\cdot)^\oplus$, the following hold:
1.
From now on, we assume that $\phi$ is a conjunction of cardinality constraints that cannot be split as $\phi = \phi_1 \wedge \phi_2$ such that $\mathcal{P}(\phi_1) \cap \mathcal{P}(\phi_2) = \emptyset$.
Let us consider a cardinality constraint $|t| \ge \ell$ that occurs in $\phi$. Given a set $P$ of predicate symbols, for a set of predicates $S \subseteq P$, the complete boolean minterm corresponding to $S$ with respect to $P$ is $t^P_S \stackrel{def}{=} \bigwedge_{p \in S} p \wedge \bigwedge_{p \in P \setminus S} \neg p$. Moreover, let $\mathcal{S}_t \stackrel{def}{=} \{S \subseteq \mathcal{P}(\phi) \mid t_S \to t\}$ be the set of sets $S$ of predicate symbols for which the complete minterm $t_S$ implies $t$. Finally, each cardinality constraint $|t| \ge \ell$ is replaced by the equivalent disjunction below, in which each boolean term is complete with respect to $\mathcal{P}(\phi)$:

Note that because any two complete minterms $t_S$ and $t_T$, for $S \neq T$, are incompatible, then necessarily

Notice that restricting the sets of predicates in $\mathcal{S}_t$ to subsets of $\mathcal{P}(\phi)$, instead of the entire set of predicates, allows us to apply Proposition 1 and reduce the number of complete minterms to be considered. That is, whenever possible, we write each minterm $\bigwedge_{i \in L} |t_i| \ge \ell_i \wedge \bigwedge_{j \in U} |t_j| \le u_j$ in the DNF of $\phi$ as $\psi_1 \wedge \ldots \wedge \psi_k$, such that $\mathcal{P}(\psi_i) \cap \mathcal{P}(\psi_j) = \emptyset$ for all $1 \le i < j \le k$. In practice, this optimisation turns out to be quite effective, as shown by the small execution times of our test cases, reported in §5.
The second step is building, for each conjunction $C = \{\ell_S \le |t^{\mathcal{P}(\phi)}_S| \wedge |t^{\mathcal{P}(\phi)}_S| \le u_S \mid S \subseteq \mathcal{P}(\phi)\}$, as above, a positive formula $C^\oplus$ that preserves its set of minimal models $[\![C]\!]^\mu$. The generalization to arbitrary boolean combinations of cardinality constraints is a direct consequence of Proposition 1. Let $\mathcal{L}^+(\phi)$ (resp. $\mathcal{L}^-(\phi)$) be the set of positive boolean combinations of predicate symbols $p \in \mathcal{P}^+(\phi)$ (resp. $\neg p$, where $p \in \mathcal{P}^-(\phi)$). Further, for a complete minterm $t^P_S$, we write $t^{P+}_S$ ($t^{P-}_S$) for the conjunction of the positive (negative) literals in $t^P_S$. Then, we define:

The following lemma proves that the above definition meets the second requirement of positivation operators, concerning the preservation of minimal models.

Similarly, the result of positivation applied to the second conjunct of the DNF cardinality constraint corresponding to the system in Figure 3 is given below:

Here, the number of elements in $w$ is at least 2 and, in any structure $\mathcal{I} = (U, \nu, \iota)$, we must have $\iota(u) \subseteq \iota(w)$ and at most one element in $\iota(w) \setminus \iota(u)$. Consequently, the intersection of the sets $\iota(u)$ and $\iota(w)$ must contain at least one element, i.e. $|u \wedge w| \ge 1$.
The Proof of Lemma 9. This is the most intricate technical result of the paper, requiring several additional notions, which are the concern of this section. If $t$ is any boolean term, its interpretation in the structure $\mathcal{I} = (U, \nu, \iota)$ is the set $t^\mathcal{I} \subseteq U$ defined recursively, as follows:

Fact 2. Given MIL formulae $\phi_1$ and $\phi_2$, we have

Given a conjunction $C = \{\ell_S \le |t^P_S| \wedge |t^P_S| \le u_S \mid S \subseteq P\}$ of cardinality constraints involving all complete minterms with respect to $P$, for some arbitrary MIL formula $\phi$, Lemma 9 requires showing that $[\![C]\!]{\uparrow} = [\![C^\oplus]\!]$. We shall do this in two stages:
1. We express $[\![C]\!]{\uparrow}$ using the reachability set of a vector addition system with states of a special form, that is, moreover, definable as the set of solutions of an integer linear system.
2. We use Hoffman's Circulation Theorem [12, Theorem 11.2] to show that the set of solutions of the linear system above defines $[\![C^\oplus]\!]$.

The developments of the two points rely on the observation that each model of a cardinality constraint is uniquely defined, up to the renaming of its elements, by the positive cardinality of each complete minterm. In the following we shall consider this fact implicit and work with mappings of minterms into positive integer values, instead of first order structures.

Vector Addition Systems

The goal of this paragraph is to reduce the problem [[C]]↑ = [[C ⊕ ]] of equivalence between sets of first order structures to the resolution of a linear integer system. To begin with, observe that, given an arbitrary MIL formula φ, if I ⊨ φ, then any structure obtained from I by a renaming of its elements is also a model of φ. This is because φ uses only equalities and disequalities, which cannot distinguish the particular identity of elements. In other words, [[φ]] is closed under isomorphic transformations of structures.
In the following, we assume that the finite set P of predicate symbols is indexed by a total order. Then any set S ⊆ P corresponds to a word w S which is the sequence of its elements, in that order. Moreover, let lex be the lexicographic order induced by this order. The following definition introduces a total order on sets of predicate symbols that is compatible with the subset ordering.

Definition 1. Given sets S, T ⊆ P, where P is totally ordered as above, we define the total order S † T if and only if one of the following holds: 1. S ⊆ T, or 2. S T and w S lex w T .
As usual, we write S † T for S † T and S T . Let t I def = ||(t P S ) I || S ⊆P be the vector of cardinalities of the interpretations for all complete minterms in the structure I, arranged in the † order. In the following, we sometimes refer to this vector as the cardinality vector of the structure I.
Since the interpretations of the complete minterms w.r.t. P are pairwise disjoint, for any predicate symbol p ∈ P, we have p I = ⋃ p∈S (t P S ) I . Using the recursive definitions above, we can write any boolean term as a finite union of complete minterms, which corresponds to the DNF of the boolean formula associated with it. Hence, for any cardinality constraint |t| ≥ n, we have I ⊨ |t| ≥ n if and only if Σ k i=1 ||(t P S i ) I || ≥ n, where t P S 1 , . . ., t P S k is the set of complete minterms that occur in the DNF of t. In general, for a boolean combination of cardinality constraints φ, we write t I ⊨ φ if and only if the formula obtained by replacing each term |t| with the sum above is logically valid. A formal definition can be given recursively, on the structure of φ.
At this point, we can identify the set of models [[φ]], where φ is any boolean combination of cardinality constraints, with the set of vectors {t I | t I ⊨ φ}, up to isomorphism of first order structures. It remains now to define upward closures in the same way. A first remark is that, because the set [[φ]] is closed under isomorphism, so is its upward closure [[φ]]↑. However, the definition of [[φ]]↑ in terms of vectors t I requires a partial order that captures the pointwise inclusion between structures I ⊆ I .

Definition 2. Given structures I and I with the same universe, we define the relation t I ≺ 1 t I if and only if there exists a set S ⊆ P and a predicate symbol p ∈ S such that: 1 T ) I || = ||(t P T ) I ||, for all T ⊆ P, such that T S and T S \ {p}. We denote by the reflexive and transitive closure of the ≺ 1 relation.
Lemma 10. For a boolean combination of cardinality constraints φ, the following hold: 1.

Proof: (1) One shows that, for any structure I, we have ] such that t I t I . (i) ⇒ (ii) We let I = I and prove t I t I . If, for all predicate symbols p ∈ P, we have p I = p I , then I = I and t I = t I follows. Assuming that this is not the case, let p be an arbitrary predicate symbol such that p I ⊂ p I . We build a sequence of structures I = I 0 , . . ., I k such that p I 0 ⊃ . . . ⊃ p I k and t I 0 1 . . . 1 t I k . Let u ∈ p I \ p I be an element and let S u def = {q ∈ P | u ∈ q I }. Clearly, we have that p ∈ S u . Let I 1 = (U, ν, ι 1 ) be the structure such that ι 1 (p) = ι(p) \ {u} and ι 1 (q) = ι(q) for all q ∈ P \ {p}. It is not hard to see that: ||(t P S u ) I || = ||(t P S u ) T ) I || = ||(t P T ) I 1 ||, for all T ⊆ P, such that T S u and T S u \ {p}. By Definition 2, we have t I 0 1 t I 1 . We continue choosing elements u ∈ p I \ p I until no such elements can be found, then pick another predicate symbol for which I and I differ. In this way we obtain a finite sequence of structures {I j } n j=0 , such that I j 1 I j+1 for all 0 ≤ j < n, thus t I t I , as required. (ii) ⇒ (i) By induction on the length of the sequence of structures I = I 0 , . . ., I k = I such that t I 0 1 . . . 1 t I k . In the base case k = 0, we have t I = t I , thus we have t I ⊨ φ and consequently I ∈ [[φ]], by point (1). For the induction step k > 0, we observe that t I 0 1 t I 1 implies the existence of a structure I 1 ⊂ I 0 which is isomorphic to I 1 , thus t I 1 = t I 1 . By the induction hypothesis, there exists I ∈ [[φ]] such that I ⊆ I 1 , hence I ⊆ I, as required.
In the following, we define a vector addition system whose reachability relation matches the partial order on cardinality vectors t I .

Definition 3. An n-dimensional vector addition system (VAS) is a finite set of vectors

The fact that c, c ∈ N n is important here, because configurations of a VAS are not allowed to contain negative values. For a finite sequence σ = v i 1 . . . v i k of vectors from V, we write c . Moreover, we write c *−→ V P c when σ is not important.
For a vector v ∈ {−1, 0, 1} 2 ||P|| and a set S ⊆ P, let v(S ) be the entry in v corresponding to S . Moreover, for some predicate symbol p ∈ S , we denote by v(S , p) the vector u such that u(S ) = −1, u(S \ {p}) = 1 and u(T ) = 0, for all T ⊆ P such that T S and T S \ {p}. Intuitively, v(S , p) transfers an element from t P S into t P S \{p} , thus decreasing the cardinality of t P S and increasing that of t P S \{p} by one, respectively. We now define the 2 ||P|| -dimensional VAS V P def = {v(S , p) | S ⊆ P, p ∈ S }. This particular VAS captures the partial order on cardinality vectors as a reachability relation, as stated by the lemma below:

Lemma 11. For any two structures I and I sharing the same universe, we have t I t I if and only if t I *−→ V P t I .
Proof: "⇒" For any two structures I 1 and I 2 , sharing the same universe, we have t I 1 ≺ 1 t I 2 iff there exists a set S ⊆ P and a predicate symbol p ∈ S such that: , for all T ⊆ P, such that T S and T S \ {p}. Then, using the fact that t I (S ) = ||(t P S ) I ||, for all S ⊆ P, we establish that t I 1 ≺ 1 t I 2 . Hence t I t I implies the existence of a sequence σ of vectors from V P such that t I σ−→ V P t I . "⇐" For any two configurations c and c , if c v−→ V P c for some vector v ∈ V P , then c 1 c , by Definition 2. Consequently, t I σ−→ V P t I implies t I t I , by straightforward induction on the length of σ.
For a tuple of variables x = x 1 , . . ., x k and a valuation ν mapping these variables into Z, we denote by ν(x) the tuple of integers ν(x 1 ), . . ., ν(x k ) . The following lemma gives an equivalent condition for the existence of an execution in V P that ends in a given configuration:

Lemma 12. Let x = [x S ] T S ⊆P and y = [y S ] T S ⊆P be column vectors of variables and {k S ,p | S ⊆ P, p ∈ S } be variables. Then for any positive valuation ν of the variables x and y, the following are equivalent: 1. ν can be extended to a positive solution of the integer linear system:

Proof: "⇒" Consider the sequence of vectors ν(y) = c 0 , c 1 , . . ., c k = ν(x), such that c i+1 = c i + v(S i+1 , p i+1 ) for all 1 ≤ i < k, where the vectors v(S 1 , p 1 ), . . ., v(S k , p k ) occur in order, each vector v(S i , p i ) occurring ν(k S i ,p i ) ≥ 0 times in the sequence. To show that this is an execution of V P , observe that each sequence of entries c 0 (S ), . . ., c k (S ), for some S ⊆ P, is first increased, then decreased, zero or more times. Because c 0 (S ) ≥ 0 and c k (S ) ≥ 0, we have that c i (S ) ≥ 0, for all 0 ≤ i ≤ k. Since the choice of S was arbitrary, every vector c i has only positive entries, hence the sequence is an execution of V P . "⇐" Immediate, since in every execution ν(y) *−→ V P ν(x), each vector v(S , p) occurs a positive number of times; we let ν(k S ,p ) be that number.

Turning back to the original problem [[C]]↑ = [[C ⊕ ]], we notice that the set of vectors {t I | ∃I . t I ⊨ C ∧ t I t I }, which corresponds (up to isomorphism) to the left-hand side of the required equality, is the set of vectors ν(y), where ν is a positive solution of the linear system below:

The formal argument combines the results of Lemmas 10, 11 and 12. Next, we show that the right-hand side corresponds to the linear system obtained by eliminating the x and {k S ,p | S ⊆ P, p ∈ S } variables from the above system.
Circulations in a Weighted Graph

We eliminate the k S ,p variables from (2) using Hoffman's Circulation Theorem, given below. Let G = (V, E) be a directed graph, where V is a finite set of vertices and E ⊆ V × V a set of edges. Further, we associate with each edge in G a lower and an upper capacity, formally L : E → N and U : E → N ∪ {∞}, such that L(e) ≤ U(e), for all e ∈ E. For brevity, we call G = (V, E, L, U) a capacitated graph in the following. Given a vertex v ∈ V, we denote by • v (v • ) the set of incoming (outgoing) edges with destination (source) v. We lift these notations to sets of vertices in the usual way. A circulation is a mapping X : E → N such that, for all v ∈ V, we have

We encode the existence of positive solutions of the linear integer system (2) as a circulation problem in the capacitated graph G P [y] = (2 P ∪ {ζ}, E P , L P , U P ), where:
- ζ ∉ 2 P is a special vertex, not a subset of P,
- y is a tuple of parameters, indexed by sets of predicate symbols,
- for each set S ⊆ P there exists an edge e = (ζ, S ), with L P (e) = U P (e) = y(S ),
- for each set S ⊆ P, there exists an edge e = (S , ζ), with L P (e) = S and U P (e) = u S ,
- for each nonempty set S ⊆ P and each predicate symbol p ∈ S , there exists an edge e = (S , S \ {p}), with L P (e) = 0 and U P (e) = ∞.
Moreover, nothing else is in E P , L P and U P , respectively. For example, given P = {a, b, c}, the graph G P is depicted in Figure 4. The following lemma relates the existence of positive solutions of the linear integer system (2) with the existence of a circulation in G P [y].
) if e = (S , S \ {p}), for some p ∈ S . We prove that X is a circulation in G P . The condition L P (e) ≤ X(e) ≤ U P (e), for all e ∈ E P , is immediate, because either L P (e) = 0 and U P (e) = ∞, or it follows directly from (2). It remains to check that Σ e ∈ • u X(e) = Σ e ∈ u • X(e), for any vertex u ∈ 2 P ∪ {ζ}. If u = ζ, we have Σ S ⊆P ν(x(S )) = Σ S ⊆P ν(y(S )), because the sum of the elements of each vector v(S , p) is zero, for any S ⊆ P and p ∈ S . Else, if u is some set S ⊆ P, we have ν(x(S )) + Σ p∈S ν(k S ,p ) = ν(y(S )) + Σ q∉S ν(k S ∪{q},q ).

(b) ⇒ (a) Given a circulation X in G P , we define ν as follows, for all S ⊆ P:
- ν(y(S )) = X(e), where e = (ζ, S ),
- ν(x(S )) = X(e), where e = (S , ζ),
- ν(k S ,p ) = X(e), where e = (S , S \ {p}), for some p ∈ S .
By definition, ν is a positive valuation. It remains to show that ν is indeed a solution of (2). The condition S ≤ ν(x(S )) ≤ u S is clearly satisfied for each S ⊆ P, because L P (e) = S and U P (e) = u S , for each edge e = (S , ζ). To prove the remaining condition, observe that ν(x(S )) + Σ p∈S ν(k S ,p ) = ν(y(S )) + Σ q∉S ν(k S ∪{q},q ), for each S ⊆ P, which leads to ν(x) = Σ S ⊆P, p∈S ν(k S ,p ) • v(S , p) + ν(y), as required.
Theorem 3 gives an equivalent condition for the existence of a circulation in G P [y]. In the following, we write another linear system, with unknowns y only, that captures this condition. A set of sets S ⊆ 2 P is downward closed iff any subset of a set in S is in

Subsequently, Lemmas 11 and 12 prove that the left-hand side of the latter equality is the set of positive solutions of the linear system (2), restricted to the tuple of variables y = y S S ⊆P . By Hoffman's Circulation Theorem (Theorem 3), this is the set of positive solutions to the linear system (3), obtained from the elimination of the x and k S ,p variables from (2). Finally, this set is exactly the right-hand side of the equality above, as a result of interpreting the definition of C ⊕ in terms of vertices of the capacitated graph G P [y], on which the circulation theorem was applied.
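As an added worked example, not the paper's own code, the following Python decides whether a cardinality vector y lies in [[C]]↑ in both of the ways the proof connects: by brute-force reachability in the VAS V P (Lemmas 11 and 12) and by Hoffman's condition on the capacitated graph G P [y] (Lemma 13 and Theorem 3), cross-checking the two on the {u, w} core of Example 4. The function names, the dict encoding of cardinality vectors and the per-minterm bounds LOWER/UPPER are assumptions made for the illustration.

```python
from itertools import combinations, product
from math import inf
ZETA = "zeta"  # the special vertex ζ of G_P[y]; not a subset of P

def minterms(P):
    """Complete minterms over P, identified with the subsets S ⊆ P (frozensets)."""
    return [frozenset(c) for r in range(len(P) + 1) for c in combinations(sorted(P), r)]

def reachable_model_exists(P, y, lower, upper):
    """Brute-force VAS search: from y, move elements S -> S \\ {p} until some x meets ℓ_S <= x_S <= u_S."""
    ms, seen, stack = minterms(P), set(), [dict(y)]
    while stack:
        x = stack.pop()
        key = frozenset(x.items())
        if key in seen:
            continue
        seen.add(key)
        if all(lower[S] <= x[S] <= upper[S] for S in ms):
            return True
        for S in ms:
            for p in S:
                if x[S] > 0:                 # one application of the VAS vector v(S, p)
                    nxt = dict(x)
                    nxt[S] -= 1
                    nxt[S - {p}] += 1
                    stack.append(nxt)
    return False

def capacitated_graph(P, y, lower, upper):
    """Edges (src, dst, L, U) of G_P[y], following the construction in the text."""
    edges = []
    for S in minterms(P):
        edges.append((ZETA, S, y[S], y[S]))           # (ζ, S): L = U = y(S)
        edges.append((S, ZETA, lower[S], upper[S]))   # (S, ζ): L = ℓ_S, U = u_S
        for p in S:
            edges.append((S, S - {p}, 0, inf))        # (S, S \ {p}): L = 0, U = ∞
    return edges

def hoffman_circulation_exists(vertices, edges):
    """Hoffman (cut form): a circulation exists iff for every W ⊆ V,
    Σ L(e) over edges entering W <= Σ U(e) over edges leaving W."""
    for r in range(len(vertices) + 1):
        for W in combinations(vertices, r):
            W = set(W)
            l_in = sum(L for s, d, L, U in edges if d in W and s not in W)
            u_out = sum(U for s, d, L, U in edges if s in W and d not in W)
            if l_in > u_out:
                return False
    return True

def in_upward_closure(P, y, lower, upper):
    """y ∈ [[C]]↑ iff G_P[y] admits a circulation, the route taken by the proof."""
    return hoffman_circulation_exists(minterms(P) + [ZETA], capacitated_graph(P, y, lower, upper))

def all_vectors(P, total):
    """Every cardinality vector over the minterms of P with exactly `total` elements."""
    ms = minterms(P)
    return [dict(zip(ms, ks)) for ks in product(range(total + 1), repeat=len(ms)) if sum(ks) == total]

def methods_agree(P, lower, upper, max_total):
    """Cross-check both procedures on every vector with at most max_total elements."""
    return all(reachable_model_exists(P, y, lower, upper) == in_upward_closure(P, y, lower, upper)
               for n in range(max_total + 1) for y in all_vectors(P, n))

# Constructed instance: the {u, w} core of Example 4; minterms {w} and {u} are bounded by 0, so 1 ≤ |w| forces 1 ≤ |u ∧ w|.
P = ("u", "w")
E, U_, W_, UW = frozenset(), frozenset("u"), frozenset("w"), frozenset("uw")
LOWER = {E: 0, U_: 0, W_: 0, UW: 1}
UPPER = {E: inf, U_: 0, W_: 0, UW: inf}
```

Running `methods_agree(P, LOWER, UPPER, 3)` returns True, and both procedures accept exactly the vectors with at least one element in the minterm u ∧ w, which is the positivation 1 ≤ |u ∧ w| given in Example 4.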

Proving Deadlock Freedom of Parametric Systems
We have gathered all the ingredients necessary for checking deadlock freedom of parametric systems, using our method based on trap invariant generation (Figure 5). First, we derive a trap constraint Θ(Γ) directly from the interaction formula Γ, both of which are written in MIL. Second, we compute a positive formula that preserves the set of minimal models of Θ(Γ) ∧ Init(S), by first converting the MIL formula into a quantifier-free cardinality constraint, using quantifier elimination, and then deriving a positive MIL formula from the latter. The conjunction between the dual of this positive formula and the formula ∆(Γ) that defines the deadlock states is then checked for satisfiability. Formally, given a parametric system S, with an interaction formula Γ written in the form (1), the MIL formula characterizing the deadlock states of the system is the following:

∆(Γ) def = ∀i 1 . . . ∀i . ϕ → j=1 ¬ • p j (i j ) ∨ +m j= +1 ∃i j . ψ j ∧ ¬ • p j (i j )

We state a sufficient verification condition for deadlock freedom in the parametric case:

Corollary 2. A parametric system S = C 1 , . . ., C n , M, Γ is deadlock-free if (Θ(Γ) ∧ Init(S)) ⊕ ∼ ∧ ∆(Γ) → ⊥

The satisfiability check is carried out using the conversion to cardinality constraints via quantifier elimination (§3.1) and an effective set theory solver for cardinality constraints, implemented in the CVC4 SMT solver [2].

Experimental Results
To assess our method for proving deadlock freedom of parametric component-based systems, we ran a number of experiments on systems with a small number of rather simple component types, but with nontrivial interaction patterns, given by MIL formulae. The task-sem i/n examples, i = 1, 2, 3, are generalizations of the parametric Task-Semaphore example depicted in Figure 1b, in which n Tasks synchronize using n Semaphores, such that i Tasks interact with a single Semaphore at once, in a multiparty rendez-vous. In a similar vein, the broadcast i/n examples, i = 2, 3, are generalizations of the system in Figure 3, in which i out of n Workers engage in a rendez-vous on the b port, whereas all the others stay idle; here idling is modeled as a broadcast on the a ports. Finally, in the sync i/n examples, i = 1, 2, 3, we consider systems composed of n Workers (Figure 1b) such that either i out of n instances simultaneously interact on the b ports, or all interact on the f ports. Notice that, for i = 2, 3, these systems have a deadlock if and only if n ≠ 0 mod i. This is because, if n = m mod i, for some 0 < m < i, there will be m instances that cannot synchronize on their b port in order to move from w to u and engage in the f broadcast.
All experiments were carried out on an Intel(R) Xeon(R) CPU @ 2.00GHz virtual machine with 4GB of RAM. Table 1 shows separately the times needed to generate the proof obligations (trap invariants and deadlock states) from the interaction formulae and the times needed by CVC4 1.7 to show unsatisfiability or come up with a model. All systems considered for which deadlock freedom could not be shown using our method have a real deadlock scenario that manifests only under certain modulo constraints on the number n of instances. These constraints cannot be captured by MIL formulae, or, equivalently, by cardinality constraints, and would require cardinality constraints of the form |t| = n mod m, for some constants n, m ∈ N.
Our approach sheds new light on the intricacy of the interaction structure between components. This clearly depends on the topology of the architecture, but also on the multiplicity of interactions. Centralized control systems (parametric systems with a single controller and without interaction between components) seem to be the easiest to verify. For distributed control systems, the easier ones to check seem to be those where interactions between components are uniform: each component of a class interacts in the same manner with all the other components.
The hardest case corresponds to systems where interaction between components depends on a neighborhood, which usually implies some arithmetic relation between indices. To model such systems, MIL should be extended with arithmetic predicates on indices. This is a direction for future work.

[1, k], thus m 0 ⊨ ⋁ k i=1 s i . Because the choice of S is arbitrary, we have m 0 ⊨ Trap(N S ). Second, let m ∈ [[Trap(N S )]] and t ∈ T such that m t−→ m . We prove that m ⊨ Trap(N S ). Let S = {s 1 , . . ., s k } be a marked trap of N S . Then m ⊨ s i for some i ∈ [1, k] and, because S is a trap, m ⊨ s j for some j ∈ [1, k]. Since the choice of S was arbitrary, we obtain m ⊨ Trap(N S ).
is a marked trap of N S . Furthermore, β is a minimal model of Θ(Γ) ∧ ⋁ n i=1 s 0 i iff for each valuation β ⊆ β, such that β β, we have β | = Θ(Γ) ∧ ⋁ n i=1 s 0 i . But then, no strict subset of {s | β(s) = } is a marked trap of N S , thus {s | β(s) = } is a minimal marked trap of N S .
and we apply Lemma 2. We are now left with the task of computing a MIL formula which defines the trap invariant Trap(N S ) of a parametric component-based system S = C 1 , . . ., C n , M, Γ . The difficulty lies in the fact that the size of N S , and thus that of the boolean formula Trap(N S ), depends on the number M(k) of instances of each component type k ∈ [1, n].

Lemma 9. Given P a finite set of monadic predicate symbols, { S ∈ N} S ⊆P and {u S ∈ N ∪ {∞}} S ⊆P sets of constants, for any conjunction C = { S ≤ t P S ∧ t P S ≤ u S | S ⊆ P}, we have C ≡ µ C ⊕ .

Example 4. (contd. from Example 3) Consider the first minterm of the DNF of the cardinality constraint obtained by quantifier elimination in Example 3, from the system in Figure 1b. The result of positivation for this minterm is given below:

(¬r ∧ ¬s ∧ |w ∧ ¬u| ≤ 0 ∧ |u ∧ ¬w| ≤ 0 ∧ 1 ≤ |w|) ⊕ = 1 ≤ |u ∧ w|

Intuitively, the negative literals ¬r and ¬s may safely disappear, because no minimal model will assign r or s to true. Further, the constraints |w ∧ ¬u| ≤ 0 and |u ∧ ¬w| ≤ 0 are equivalent to the fact that, in any structure I = (U, ν, ι), we must have ι(u) = ι(w). Finally, because |w| ≥ 1, necessarily |u ∧ w| ≥ 1.

Next, we generalize upward closures and upward closed sets from boolean valuations to first order structures as follows. If S is a set of structures sharing the same universe, then S↑ def = {I | ∃I ∈ S . I ⊆ I} denotes its upward closure. Moreover, S is upward closed iff S = S↑. Then we have the following facts, whose proofs are folklore:

Fact 1. Given a positive MIL formula φ, the set [[φ]] is upward closed.

Proof: By induction on the structure of φ.

by induction on the structure of φ. The base case φ = |t| ≥ n is by definition and the inductive steps are routine. (2) We show that, for any structure I = (U, ν, ι), the following are equivalent: (i) there exists I ∈ [[φ]] such that I ⊆ I, and (ii) there exists I ∈ [[φ]

Σ e ∈ • v X(e) = Σ e ∈ v • X(e) and L(e) ≤ X(e) ≤ U(e), for all e ∈ E. The following is known as Hoffman's Circulation Theorem [12, Theorem 11.2]:

Theorem 3. Given a capacitated graph G = (V, E, L, U), there exists a circulation in G if and only if Σ e ∈ • S L(e) ≤ Σ e ∈ S • U(e), for each set of vertices S ⊆ V.

Lemma 13. Given a set P of predicate symbols and a positive valuation ν of the variables y, the following are equivalent:

[Fig. 4: the capacitated graph G P [y] for P = {a, b, c}]

3. because the complete minterms are pairwise disjoint, in each structure I, we have τ I = ⋃ t P S + →τ (t P S ) I , for all τ ∈ L + (φ), and τ I = ⋃ t P S − →τ (t P S ) I , for all τ ∈ L − (φ),
4. for each positive solution ν of (3), there exists a structure I ∈ [[C ⊕ ]] such that ν(y S ) = ||(t P S ) I ||, and vice versa, each structure I ∈ [[C ⊕ ]] induces a positive solution of (3), where ν(y S ) = ||(t P S ) I ||, for all S ⊆ P.

To summarize, we prove that C ≡ µ C ⊕ by proving the equivalent statement [[C]]↑ = [[C ⊕ ]]. Since both the left and the right-hand side of this equality are sets of structures closed under isomorphism, we reduce the problem to an equivalence between sets of integer tuples {t I | I ∈ [[C]]↑} = {t I | I ∈ [[C ⊕ ]]}. By Lemma 10, this is equivalent to {t

Fig. 5: Verification of Parametric Component-based Systems

and T, E are as follows. For each minimal model β ∈ [[Γ]] µ , we have a transition t β ∈ T and edges (s i , t β ), (t β , s i

Table 1: Benchmarks

System     Interaction formula                                                              Generation   CVC4 1.7   Result
           ∃i 1 ∃i 2 . i 1 ≠ i 2 ∧ b(i 1 ) ∧ b(i 2 ) ∨ ∀i. f (i)                                  7 ms         50 ms      sat
sync 3/n   ∃i 1 ∃i 2 ∃i 3 . distinct(i 1 , i 2 , i 3 ) ∧ b(i 1 ) ∧ b(i 2 ) ∧ b(i 3 ) ∨ ∀i. f (i)   11 ms        40 ms      sat

on verification by using invariants. Its rationale is to overcome as much as possible complexity and undecidability issues by proposing methods which are adequate for the verification of essential system properties.