Checking Qualitative Liveness Properties of Replicated Systems with Stochastic Scheduling

We present a sound and complete method for the verification of qualitative liveness properties of replicated systems under stochastic scheduling. These are systems consisting of a finite-state program, executed by an unknown number of indistinguishable agents, where the next agent to make a move is determined by the result of a random experiment. We show that if a property of such a system holds, then there is always a witness in the shape of a Presburger stage graph: a finite graph whose nodes are Presburger-definable sets of configurations. Due to the high complexity of the verification problem (non-elementary), we introduce an incomplete procedure for the construction of Presburger stage graphs, and implement it on top of an SMT solver. The procedure makes extensive use of the theory of well-quasi-orders, and of the structural theory of Petri nets and vector addition systems. We apply our results to a set of benchmarks, in particular to a large collection of population protocols, a model of distributed computation extensively studied by the distributed computing community.


Introduction
Replicated systems consist of a fully symmetric finite-state program executed by an unknown number of indistinguishable agents, communicating by rendez-vous or via shared variables [36,12,42,14].Examples include distributed protocols and multithreaded programs, or abstractions thereof.The communication graph of replicated systems is a clique.They are a special class of parameterized systems, i.e., infinite families of systems that admit a finite description in some suitable modeling language.In the case of replicated systems, the (only) parameter is the number of agents executing the program.
Verifying a replicated system amounts to proving that an infinite family of systems satisfies a given property.This is already a formidable challenge, but it is made even more difficult by the fact that correctness problems for distributed protocols require to check liveness properties against a class of schedulers.Indeed, liveness properties are known to be harder to verify than safety properties, and scheduling adds additional problems.
We address the verification of liveness properties of replicated systems with stochastic scheduling.Loosely speaking, stochastic schedulers select the set of agents that should execute the next action as the result of a random experiment.Stochastic scheduling often appears in distributed protocols, and in particular also in population protocols-a model much studied in distributed computing with applications in computational biology 4 -that supplies many of our case studies [8,54].Under stochastic scheduling, the semantics of a replicated system is an infinite family of finite-state Markov chains.In this work, we study qualitative liveness properties, stating that the infinite runs starting at configurations satisfying a precondition almost surely reach and stay in configurations satisfying a postcondition.In this case, whether the property holds or not depends only on the topology of the Markov chains, and not on the concrete probabilities.
We present a formal model of replicated systems, based on multiset rewriting, that encompasses both shared variables and multiway synchronization, and introduce a sound and complete verification method, called Presburger stage graphs.These are directed acyclic graphs whose nodes are Presburger formulas representing possibly infinite inductive sets of configurations, i.e., sets of configurations closed under reachability.Such a graph has the property that successors of a node S represent sets of configurations that will eventually be visited from configurations of S. A stage graph supplies a witness of this fact in the form of a Presburger certificate, a sort of ranking function expressible in Presburger arithmetic.Completeness, meaning that for every property that holds there is a stage graph proving that it holds, follows from deep results of the theory of vector addition systems (VASs) [47,48,49].
Unfortunately, the theory of VASs also shows that, while the verification problems we consider are decidable, they have non-elementary computational complexity [28].As a consequence, verification techniques that systematically explore the space of possible stage graphs for a given property are bound to be very inefficient.For this reason, we design an incomplete but efficient algorithm for the computation of stage graphs.Inspired by theoretical results, the algorithm combines a solver for linear constraints with some elements of the theory of wellstructured systems [34,2].We report on the performance of this algorithm for a large number of case studies.In particular, it automatically verifies many standard population protocols described in the literature [23,7,4,17,18,15,26], and liveness properties of distributed algorithms for leader election and mutual exclusion [45,57,60,39,37,35,55,3].
Related work.The parameterized verification of replicated systems was first studied in [36], where it was shown that they can be modeled as counter systems.This allows to apply many efficient techniques.Most are inherently designed for safety properties [43,32,10,19], and some can also handle fair termination properties [33], but none of these works can handle stochastic scheduling.To the best of our knowledge, the only works studying parameterized verification of liveness properties under our notion of stochastic scheduling are those dealing with the verification of population protocols.For fixed populations this problem can be tackled with standard probabilistic model checking [61,11], and early work on the automatic verification of population protocols follows this approach [23,26,56,59].Subsequently, an algorithm and a tool for the parameterized verification of population protocols were described in [17,16], and a first version of stage graphs was introduced in [18] for analyzing the expected termination time of population protocols.In essence, we overhaul the framework of [18] for liveness verification, drawing inspiration from the safety verification technology of [17,16].Compared to [17,16], our approach is not a priori limited to a specific subclass of protocols, and captures models beyond population protocols.Furthermore, our new techniques for computing Presburger certificates essentially subsume the procedure of [17].In comparison to [18], we provide the first completeness and complexity results for stage graphs, which we redesigned for liveness verification.
There is also a large body of work on parameterized verification of systems via a cutoff property: a given system satisfies a specification ϕ for any number of agents iff it satisfies ϕ for any number of agents below some threshold called the cutoff (e.g., see [21,29,25,42,5], and [14] for a comprehensive survey).This approach can also be applied to systems with an array or ring communication structure, but it requires the existence and effectiveness of a cutoff, which is not the case in our setting.Other important parameterized verification techniques are regular model checking [20,1] and automata learning [6].The classes of communication structures they can handle are orthogonal to ours: arrays and rings for regular model checking and automata learning, and cliques in our work.Regular model checking and learning have recently been employed to verify safety properties [24], liveness properties under arbitrary schedulers [50] and termination under finitary fairness [46].The classes of schedulers considered in [50,46] are incomparable to ours: arbitrary schedulers in [50], and finitary-fair schedulers in [46].Another significant difference is that these works are based on symbolic state-space exploration, while our techniques are based on automatic construction of invariants and ranking functions [14].

Preliminaries
Let N denote {0, 1, . ..} and let E be a finite set.A unordered vector over E is a mapping V : E → Z.In particular, a multiset over E is an unordered vector M : E → N where M (e) denotes the number of occurrences of e in M .The sets of all unordered vectors and multisets over E are respectively denoted Z E and N E .Vector addition, subtraction and comparison are defined componentwise.The size of a multiset M is denoted |M | = e∈E M (e).We let E k denote the set of all multisets over E of size k.We sometimes describe multisets using a set-like notation, e.g.M = f, g, g or equivalently M = f, 2 • g is such that M (f ) = 1, M (g) = 2 and M (e) = 0 for all e ∈ {f, g}.
Presburger arithmetic.Let X be a set of variables.The set of formulas of Presburger arithmetic over X is the result of closing atomic formulas, as defined in the next sentence, under Boolean operations and first-order existential quantification.Atomic formulas are of the form k i=1 a i x i ∼ b, where a i and b are integers, x i are variables and ∼ is either < or ≡ m , the latter denoting the congruence modulo m for any m ≥ 2. Formulas over X are interpreted on N X .Given a formula φ of Presburger arithmetic, we let φ denote the set of all multisets satisfying φ.A set E ⊆ N X is a Presburger set if E = φ for some formula φ.

Replicated systems
A configuration is a multiset C of states, which we interpret as a global state with C(q) agents in each state q ∈ Q.
For every t = (x, y) ∈ T with x = X 1 , X 2 , . . ., X k and and, if so, can occur, leading to the configuration C ′ = C + ∆(t).If t is not enabled at C, then we say that it is disabled.We use the following reachability notation: Observe that, by definition of transitions, A run is an infinite sequence We write post * (C) and pre * (C) for L = T * , and post (C) and pre(C) for L = T .Stochastic scheduling.We assume that, given a configuration C, a probabilistic scheduler picks one of the transitions enabled at C. We only make the following two assumptions about the random experiment determining the transition: first, the probability of a transition depends only on C, and, second, every transition enabled at C has a nonzero probability of occurring.Since C * − → C ′ implies |C| = |C ′ |, the number of configurations reachable from any configuration C is finite.Thus, for every configuration C, the semantics of P from C is a finite-state Markov chain rooted at C. Example 1.Consider the replicated system P = (Q, T ) of arity 2 with states Q = {A Y , A N , P Y , P N } and transitions T = {t 1 , t 2 , t 3 , t 4 }, where Intuitively, at every moment in time, agents are either Active or Passive, and have output Yes or No, which corresponds to the four states of Q.This system is designed to satisfy the following property: for every configuration C in which all agents are initially active, i.e., C satisfies , then eventually all agents stay forever in the "yes" states {A Y , P Y }, and otherwise all agents eventually stay forever in the "no" states {A N , P N }.△

Qualitative model checking
Let us fix a replicated system P = (Q, T ).Formulas of linear temporal logic (LTL) on P are defined by the following grammar: where φ is a Presburger formula over Q.We look at φ as an atomic proposition over the set N Q of configurations.Formulas of LTL are interpreted over runs of P in the standard way.We abbreviate ♦ϕ ≡ true U ϕ and ϕ ≡ ¬♦¬ϕ.
Let us now introduce the probabilistic interpretation of LTL.A configuration C of P satisfies an LTL formula ϕ with probability p if Pr[C, ϕ] = p, where Pr[C, ϕ] denotes the probability of the set of runs of P starting at C that satisfy ϕ in the finite-state Markov chain rooted at C. The measurability of this set of runs for every C and ϕ follows from well-known results [61].The qualitative model checking problem consists of, given an LTL formula ϕ and a set of configurations I, deciding whether Pr[C, ϕ] = 1 for every C ∈ I.We will often work with the complement problem, i.e., deciding whether Pr[C, ¬ϕ] > 0 for some C ∈ I.
In contrast to the action-based qualitative model checking problem of [30], our version of the problem is undecidable due to adding atomic propositions over configurations (see the appendix for a proof): Theorem 1.The qualitative model checking problem is not semi-decidable.
It is known that qualitative model checking problems of finite-state probabilistic systems reduces to model checking of non-probabilistic systems under an adequate notion of fairness.Definition 1.A run of a replicated system P is fair if for every possible step C t − → C ′ of P the following holds: if the run contains infinitely many occurrences of C, then it also contains infinitely many occurrences of C t C ′ .So, intuitively, if a run can execute a step infinitely often, it eventually will.It is readily seen that a fair run of a finite-state transition system eventually gets "trapped" in one of its bottom strongly connected components, and visits each of its states infinitely often.Hence, fair runs of a finite-state Markov chain have probability one.The following proposition was proved in [30] for a model slightly less general than replicated systems; the proof can be generalized without effort: Proposition 1 ([30, Prop. 7]).Let P be a replicated system, let C be a configuration of P, and let ϕ be an LTL formula.It is the case that Pr[C, ϕ] = 1 iff every fair run of P starting at C satisfies ϕ.
We implicitly use this proposition from now on.In particular, we define: Definition 2. A configuration C satisfies ϕ with probability 1, or just satisfies ϕ, if every fair run starting at C satisfies ϕ, denoted by C |= ϕ.We let ϕ denote the set of configurations satisfying ϕ.
Liveness specifications for replicated systems.We focus on a specific class of temporal properties for which the qualitative model checking problem is decidable and which is large enough to formalize many important specifications.Using wellknown automata-theoretic technology, the verification techniques we develop for this class can also be extended to all properties describable in action-based LTL, see e.g.[30].
The stable termination problem is the qualitative model checking problem for I = ϕ pre and ϕ = ϕ Π given by a stable termination property Π = (ϕ pre , Φ post ).
Example 2. Let us reconsider the system from Example 1.We can formally specify that all agents will eventually agree on the majority output Yes or No. Let Π Y = (ϕ Y pre , ϕ Y post ) and Π N = (ϕ N pre , ϕ N post ) be defined by: The system satisfies the property specified in Example 1 iff it satisfies Π Y and Π N .As an alternative (weaker) property, we could specify that the system always stabilizes to either output by

Stage graphs
In the rest of the paper, we fix a replicated system P = (Q, T ) and a stable termination property Π = (ϕ pre , Φ post ), where Φ post = {ϕ 1 post , . . ., ϕ k post }, and address the problem of checking whether P satisfies Π.We start with some basic definitions on sets of configurations.
-Let C, C ′ be sets of configurations.We say that C leads to C ′ , denoted C C ′ , if for all C ∈ C, every fair run from C eventually visits a configuration of Note that certificates only require the existence of some executions decreasing f , not for all of them to to decrease it.Despite this, we have: Proposition 2. For all inductive sets C, C ′ of configurations, it is the case that: C leads to C ′ iff there exists a certificate for C C ′ .
The proof, which can be found in the appendix, depends on two properties of replicated systems with stochastic scheduling.First, every configuration has only finitely many descendants.Second, for every fair run and for every finite execution C w − → C ′ , if C appears infinitely often in the run, then the run contains infinitely many occurrences of C w − → C ′ .We can now introduce stage graphs: Definition 4 (stage graph).A stage graph of P for the property Π is a directed acyclic graph whose nodes, called stages, are sets of configurations satisfying the following conditions: 1. every stage is an inductive set; 2. every configuration of ϕ pre belongs to some stage; 3. if C is a non-terminal stage with successors C 1 , . . ., C n , then there exists a certificate for post for some i.
The existence of a stage graph implies that P satisfies Π.Indeed, by conditions 2-3 and repeated application of Proposition 2, every run starting at a configuration of ϕ pre eventually reaches a terminal stage, say C, and, by condition 1, stays in C forever.Since, by condition 4, all configurations of C satisfy some ϕ i post , after its first visit to C every configuration satisfies ϕ i post . A For example, if a configuration satisfies A Y > A N , so does any successor configuration.

△
The following proposition shows that stage graphs are a sound and complete technique for proving stable termination properties.
Proposition 3. System P satisfies Π iff it has a stage graph for Π.Proposition 3 does not tell us anything about the decidability of the stable termination problem.To prove that the problem is decidable, we introduce Presburger stage graphs.Intuitively these are stage graphs whose stages and certificates can be expressed by formulas of Presburger arithmetic.

Definition 5 (Presburger stage graphs).
- n ⇐⇒ ϕ(C, n) for some Presburger formula ϕ(x, y).-A Presburger stage graph is a stage graph whose stages and certificates are all Presburger.
Using a powerful result from [31], we show that: (1) P satisfies Π iff it has a Presburger stage graph for Π (Theorem 2); (2) there exists a denumerable set of candidates for a Presburger stage graph for Π; and (3) there is an algorithm that decides whether a given candidate is a Presburger stage graph for Π (Theorem 3).Together, (1)(2)(3) show that the stable termination problem is semidecidable.To obtain decidability, we observe that the complement of the stable termination problem is also semi-decidable.Indeed, it suffices to enumerate all initial configurations C |= ϕ pre , build for each such C the (finite) graph G C of configurations reachable from C, and check if some bottom strongly connected component B of G C satisfies B |= ϕ i post for all i.This is the case iff some fair run starting at C visits and stays in B, which in turn is the case iff P violates Π.
Theorem 2. System P satisfies Π iff it has a Presburger stage graph for Π.
We observe that testing whether a given graph is a Presburger stage graph reduces to Presburger arithmetic satisfiability, which is decidable [58] and whose complexity lies between 2-NEXP and 2-EXPSPACE [13]: Theorem 3. The problem of deciding whether an acyclic graph of Presburger sets and Presburger certificates is a Presburger stage graph, for a given stable termination property, is reducible in polynomial time to the satisfiability problem for Presburger arithmetic.

Algorithmic construction of stage graphs
At the current state of our knowledge, the decision procedure derived from Theorem 3 has little practical relevance.From a theoretical point of view, the TOWERhardness result of [28] implies that the stage graph may have non-elementary size in the system size.In practice, systems have relatively small stage graphs, but, even so, the enumeration of all candidates immediately leads to a prohibitive combinatorial explosion.
For this reason, we present a procedure to automatically construct (not guess) a Presburger stage graph G for a given replicated system P and a stable termination property Π = (ϕ pre , Φ post ).The procedure may fail, but, as shown in the experimental section, it succeeds for many systems from the literature.
The procedure is designed to be implemented on top of a solver for the existential fragment of Presburger arithmetic.While every formula of Presburger arithmetic has an equivalent formula within the existential fragment [58,27], quantifier-elimination may lead to a doubly-exponential blow-up in the size of the formula.Thus, it is important to emphasize that our procedure never requires to eliminate quantifiers: If the pre-and postconditions of Π are supplied as quantifier-free formulas, then all constraints of the procedure remain in the existential fragment.
We give a high-level view of the procedure (see Algorithm 1), which uses several functions, described in detail in the rest of the paper.The procedure maintains a workset WS of Presburger stages, represented by existential Presburger formulas.Initially, the only stage is an inductive Presburger overapproximation Algorithm 1: procedure for the construction of stage graphs.
PotReach( ϕ pre ) of the configurations reachable from ϕ pre (PotReach is an abbreviation for "potentially reachable").Notice that we must necessarily use an overapproximation, since post * ( ϕ pre ) is not always expressible in Presburger arithmetic 6 .We use a refinement of the overapproximation introduced in [32,17], equivalent to the overapproximation of [19].
In its main loop (lines 2-9), Algorithm 1 picks a Presburger stage S from the workset, and processes it.First, it calls Terminal(S, Φ post ) to check if S is terminal, i.e., whether S |= ϕ i post for some ϕ i post ∈ Φ post .This reduces to checking the unsatisfiability of the existential Presburger formula φ ∧ ¬ϕ i post , where φ is the formula characterizing S. If S is not terminal, then the procedure attempts to construct successor stages in lines 5-9, with the help of three further functions: AsDead, IndOverapprox, and Split.In the rest of this section, we present the intuition behind lines 5-9, and the specification of the three functions.Sections 5 to 7 present the implementations we use for these functions.
Lines 5-9 are inspired by the behavior of most replicated systems designed by humans, and are based on the notion of dead transitions: Definition 6.A transition of a replicated system P is dead at a configuration C if it is disabled at every configuration reachable from C (including C itself ).A transition is dead at a stage S if it is dead at every configuration of S. Given a stage S and a set U of transitions, we use the following notations: -Dead(S): the set of transitions dead at S; -dis(U ) : the set of configurations at which all transitions of U are disabled; -dead(U ) : the set of configurations at which all transitions of U are dead.
Observe that we can compute Dead(S) by checking unsatisfiability of a sequence of existential Presburger formulas: as S is inductive, we have Dead(S) = {t | S |= dis(t)}, and S |= dis(t) holds iff the existential Presburger formula ∃C : φ(C) ∧ C ≥ • t is unsatisfiable, where φ is the formula characterizing S.
Replicated systems are usually designed to run in phases.Initially, all transitions are alive, and the end of a phase is marked by the "death" of one or more transitions, i.e., by reaching a configuration at which these transitions are dead.The system keeps "killing transitions" until no transition that is still alive can lead to a configuration violating the postcondition.The procedure mimics this pattern.It constructs stage graphs in which if S ′ is a successor of S, then the set of transitions dead at S ′ is a proper superset of the transitions dead at S. For this, AsDead(S) computes a set of transitions that are alive at some configuration of S, but which will become dead in every fair run starting at S (line 5).Formally, AsDead(S) returns a set U ⊆ Dead(S) such that S |= ♦dead(U ).
The following proposition, whose proof appears in the appendix, shows that determining whether a given transition will eventually become dead, while decidable, is PSPACE-hard.Therefore, Section 7 describes two implementations of this function, and a way to combine them, which exhibit a good trade-off between precision and computation time.
Proposition 4. Given a replicated system P, a stage S represented by an existential Presburger formula φ and a set of transitions U , determining whether S |= ♦dead(U ) holds is decidable and PSPACE-hard.
If the set U returned by AsDead(S) is nonempty, then we know that every fair run starting at a configuration of S will eventually reach a configuration of S ∩ dead(U ) .So, this set, or any inductive overapproximation of it, can be a legal successor of S in the stage graph.Function IndOverapprox(S, U ) returns such an inductive overapproximation (line 7).To be precise, we show in Section 5 that dead(U ) is a Presburger set that can be computed exactly, albeit in doubly-exponential time in the worst case.The section also shows how to compute overapproximations more efficiently.
If the set U returned by AsDead(S) is empty, then we cannot yet construct any successor of S. Indeed, recall that we want to construct stage graphs in which if S ′ is a successor of S, then Dead(S ′ ) is a proper superset of Dead(S).In this case, we proceed differently and try to split S: Definition 7. A split of some stage S is a set {S 1 , . . ., S k } of (not necessarily disjoint) stages such that the following holds: -Dead(S i ) ⊃ Dead(S) for every 1 ≤ i ≤ k, and -S = k i=1 S i .If there exists a split {S 1 , . . ., S k } of S, then we can let S 1 , . . ., S k be the successors of S in the stage graph.Observe that a stage may indeed have a split.We have Dead(C 1 ∪ C 2 ) = Dead(C 1 ) ∩ Dead(C 2 ), and hence Dead(C 1 ∪ C 2 ) may be a proper subset of both Dead(C 1 ) and Dead(C 2 ): Example 4. Consider the system with states {q 1 , q 2 } and transitions t i : q i → q i for i ∈ {1, 2}.Let S = {C | C(q 1 ) = 0∨C(q 2 ) = 0}, i.e., S is the (inductive) stage of configurations disabling either t 1 or t 2 .The set {S 1 , S 2 }, where

△
The canonical split of S, if it exists, is the set {S ∩ dead(t) | t / ∈ Dead(S)}.As mentioned above, Section 5 shows that dead(U ) can be computed exactly for every U , but the computation can be expensive.Hence, the canonical split can be computed exactly at potentially high cost.Our implementation uses an underapproximation of dead(t) , described in Section 6.

Computing and approximating dead(U )
We show that, given a set U of transitions, -we can effectively compute an existential Presburger formula describing the set dead(U ) , with high computational cost in the worst case, and we can effectively compute constraints that overapproximate or underapproximate dead(U ) , at a reduced computational cost.
Downward and upward closed sets.We enrich N with the limit element ω in the usual way.In particular, n < ω holds for every n ∈ N.An ω-configuration is a mapping C ω : Q → N∪{ω}.The upward closure and downward closure of a set C ω of ω-configurations are the sets of configurations ↑ C ω and ↓ C ω , respectively defined as: A set C of configurations is upward closed if C = ↑ C, and downward closed if C = ↓ C.These facts are well-known from the theory of well-quasi orderings: Lemma 1.For every set C of configurations, the following holds: 1. C is upward closed iff C is downward closed (and vice versa); 2. if C is upward closed, then there is a unique minimal finite set of configurations inf(C), called its basis, such that C = ↑ inf(C); 3. if C is downward closed, then there is a unique minimal finite set of ωconfigurations sup(C), called its decomposition, such that C = ↓ sup(C).
Computing dead(U ) exactly.It follows immediately from Definition 6 that both dis(U ) and dead(U ) are downward closed.Indeed, if all transitions of U are disabled at C, and C ′ ≤ C, then they are also disabled at C ′ , and clearly the same holds for transitions dead at C. Furthermore: Proposition 5.For every set U of transitions, the (downward) decomposition of both sup( dis(U ) ) and sup( dead(U ) ) is effectively computable.
Proof.For every t ∈ U and q ∈ • t, let C ω t,q be the ω-configuration such that C ω t,q (q) = • t(q) − 1 and C ω t,q (p) = ω for every p ∈ Q \ {q}.In other words, C ω t,q is the ω-configuration made only of ω's except for state q which falls short from • t(q) by one.This ω-configurations captures all configurations disabled in t due to an insufficient amount of agents in state q.We have: The latter can be made minimal by removing superfluous ω-configurations.
For the case of sup( dead(U ) ), we invoke [40, Prop.2] which gives a proof for the more general setting of (possibly unbounded) Petri nets.Their procedure is based on the well-known backwards reachability algorithm (see, e.g., [34,2]).⊓ ⊔ Since sup( dead(U ) ) is finite, its computation allows to describe dead(U ) by the following linear constraint7 : However, the cardinality of sup( dead(U ) ) can be exponential [40, Remark for Prop.2] in the system size.For this reason, we are interested in constructing both under-and over-approximations.

Overapproximations of dead(U ) .
For every i ∈ N, define dead(U ) i as: Loosely speaking, dead(U ) i is the set of configurations C such that every configuration reachable in at most i steps from C disables U .We immediately have: Using Proposition 5 and the following proposition, we obtain that dead(U ) i is an effectively computable overapproximation of dead(U ) .
Proposition 6.For every Presburger set C and every set of transitions U , the set post U (C) is effectively Presburger.
Recall that function IndOverapprox(S, U ) of Algorithm 1 must return an inductive overapproximation of dead(U ) .Since dead(U ) i might not be inductive in general, our implementation uses either the inductive overapproximations IndOverapprox i (S, U ) def = PotReach(S ∩ dead(U ) i ), or the exact value IndOverapprox ∞ (S, U ) def = S ∩ dead(U ) .The table of results in the experimental section describes for each benchmark which overapproximation was used.
Underapproximations of dead(U ) : Death certificates.A death certificate for U in P is a finite set C ω of ω-configurations such that: 1. ↓ C ω |= dis(U ), i.e., every configuration of ↓ C ω disables U , and 2. ↓ C ω is inductive, i.e., post If U is dead at a set C of configurations, then there is always a certificate that proves it, namely sup( dead(U ) ).In particular, if C ω is a death certificate for Using Proposition 6, it is straightforward to express in Presburger arithmetic that a finite set C ω of ω-configurations is a death certificate for U : Proposition 7.For every k ≥ 1 there is an existential Presburger formula DeathCert k (U, C ω ) that holds iff C ω is a death certificate of size k for U .

Splitting a stage
Given a stage S, we try to find a set C ω 1 , . . ., C ω ℓ of death certificates for transitions This allows us to split S into S 1 , . . ., S ℓ , where S i def = S ∩ ↓ C ω i .For any fixed size k ≥ 1 and any fixed ℓ, we can find death certificates C ω 1 , . . ., C ω ℓ of size at most k by solving a Presburger formula.However, the formula does not belong to the existential fragment, because the inclusion check S ⊆ ↓ C ω 1 ∪• • •∪↓ C ω ℓ requires universal quantification.For this reason, we proceed iteratively.For every i ≥ 0, after having found C ω 1 , . . ., C ω i we search for a pair (C i+1 , C ω i+1 ) such that (i) C ω i+1 is a death certificate for some t i+1 ∈ T \ Dead(S); An efficient implementation requires to guide the search for (C i+1 , C ω i+1 ), because otherwise the search procedure might not even terminate, or might split S into too many parts, blowing up the size of the stage graph.Our search procedure employs the following heuristic, which works well in practice.We only consider the case k = 1, and search for a pair (C i+1 , C ω i+1 ) satisfying (i) and (ii) above, and additionally: (iii) all components of C ω i+1 are either ω or between 0 and max t∈T,q∈Q Condition (iii) guarantees termination.Intuitively, Condition (iv) leads to certificates valid for sets U ⊆ T \ Dead(S) as large as possible.So it allows us to avoid splits that, loosely speaking, do not make as much progress as they could.Condition (v) allows us to avoid splits with many elements because each element of the split has a small intersection with S.
Example 5. Let P = (Q, T ) be the replicated system where Let S be the set of all configurations C where either C(c) = 0 or C(a i ) = C(b i ) = 0 for all i.It is easy to see that no transition is dead at every configuration of S, i.e., Dead(S) = ∅, but every configuration of S has at least one dead transition: either C(c) = 0 and t c is dead, or C(c) > 0 and all t i ∈ U are dead.
Consider the ω-configurations C ω and D ω defined as follows: C ω is a death certificate for U , and D ω is a death certificate for {t c }.So the pairs ( c , C ω ) and ( a 1 , . . ., a n , b 1 , . . ., b n , D ω ) satisfy (i)-(iii).It is easy to see that they also satisfy (iv) and (v), and that the only split that can be returned by the procedure is {S ∩ ↓ C ω , S ∩ ↓ D ω }.So S is split into only two parts.We now show that, if condition (iv) or (v) is dropped, then the splitting procedure might return splits of cardinality 2 n + 1. Let C ω X is a death certificate for U , and D ω X is a death certificate for {t c } ∪ U .So for every X ∈ M the pairs (X, C ω X ) and (X, D ω X ) satisfy (i)-(iii).Since we have C ω ≤ C ω X , D ω X ≤ C ω X and D ω X ≤ D ω for every X ∈ M, and otherwise the death certificates are pairwise incomparable, condition (iv) is satisfied by all the pairs (X, D ω X ), but it is not satisfied by any of the pairs (X, C ω X ).It follows that if we drop condition (iv) (removing the reference to (iv) in (v)), the splitting procedure might find the split {S ∩ ↓ C ω X | X ∈ M} ∪ {S ∩ ↓ D ω }.Without condition (v), but with (iv), it might find the split {S ∩ ↓ D ω X | X ∈ M} ∪ {S ∩ ↓ D ω }.Both splits have 2 n + 1 elements.

△ 7 Computing eventually dead transitions
Recall that the function AsDead(S) takes an inductive Presburger set S as input, and returns a (possibly empty) set U ⊆ Dead(S) of transitions such that S |= ♦dead(U ).This guarantees S dead(U ) and, since S is inductive, also S S ∩ dead(U ) .By Proposition 4, deciding if there exists a non-empty set U of transitions such that S |= ♦dead(U ) holds is PSPACE-hard, which makes a polynomial reduction to satisfiability of existential Presburger formulas unlikely.So we design incomplete implementations of AsDead(S) with lower complexity.Combining these implementations, the lack of completeness essentially vanishes in practice.
The implementations are inspired by Proposition 2, which shows that S dead(U ) holds iff there exists a certificate f such that: To find such certificates efficiently, we only search for linear functions f (C) = q∈Q a(q) • C(q) with coefficients a(q) ∈ N for each q ∈ Q.

First implementation: Linear ranking functions
Our first procedure computes the existence of a linear ranking function.Proof.Let M be the minimal finite basis of the upward closed set dead(U ) .
For every configuration D ∈ M , let σ D be a shortest sequence that enables some transition of t D ∈ U from D, i.e., such that ⊓ ⊔ It follows immediately from Definition 8 that if r 1 and r 2 are ranking functions for sets U 1 and U 2 respectively, then r defined as r(C) def = r 1 (C) + r 2 (C) is a ranking function for U 1 ∪ U 2 .Therefore, there exists a unique maximal set of transitions U such that S dead(U ) can be proved by means of a ranking function.Further, U can be computed by collecting all transitions t ∈ Dead(S) such that there exists a ranking function r t for {t}.The existence of a linear ranking function r t can be decided in polynomial time via linear programming, as follows.Recall that for every step Thus, the constraints of Definition 8 can be specified as: q∈Q a(q) • x(q) for x ∈ N Q .Observe that a solution may yield a function whose codomain differs from N. However, this is not an issue since we can scale it with the least common denominator of each a(q).

Second implementation: Layers
Transitions layers were introduced in [17] as a technique to find transitions that will eventually become dead.Intuitively, a set U of transitions is a layer if (1) no run can contain only transitions of U , and (2) U becomes dead once disabled; the first condition guarantees that U eventually becomes disabled, and the second that it eventually becomes dead.We formalize layers in terms of layer functions.Condition C2 is expressible in Presburger arithmetic because of Proposition 5.However, instead of computing dead(U ) explicitly, there is a more efficient way to express this constraint.Intuitively, dis(U ) = dead(U ) is the case if enabling a transition u ∈ U requires to have previously enabled some transition u ′ ∈ U .This observation leads to: Proposition 10.A set U of transitions satisfies dis(U ) = dead(U ) iff it satisfies the existential Presburger formula dis-eq-dead(U where x y ∈ N Q is defined by (x y)(q) def = max(x(q) − y(q), 0) for x, y ∈ N Q .This allows us to give the constraint lin-layer(U, a), which is of polynomial size: lin-layer(U, a) def = lin-layer-fun(U, a) ∧ dis-eq-dead(U ).

Comparing ranking and layer functions
The ranking and layer functions of Sections 7.1 and 7.2 are incomparable in power, that is, there are sets of transitions for which a ranking function but no layer function exists, and vice versa.This is shown by the following two systems: ).
Consider the system P 1 , and let S = N Q , i.e., S contains all configurations.Transitions t 2 and t 3 never become dead at A and can thus never be included in any U .Transition t 1 eventually becomes dead, as shown by the linear ranking function r(C) = C(A) + C(B) for U = {t 1 }.But for this U , the condition C2 for layer functions is not satisfied, as dis(U ) ∋ A, A t2 − → A, B ∈ dis(U ) , so dis(U ) = dead(U ) .Therefore no layer function exists for this U .
Consider now the system P 2 , again with S = N Q , and let U = {t 5 }.Once t 5 is disabled, there is no agent in A, so both t 4 and t 5 are dead.So dis(U ) = dead(U ) .The linear layer function ℓ(C) = C(A) satisfies lin-layer-fun(U, a), showing that U eventually becomes dead.As C t4t5 −−→ C for C = A, B , there is no ranking function r for this U , which would need to satisfy r(C) < r(C).
For our implementation of AsDead(S), we therefore combine both approaches.We first compute (in polynomial time) the unique maximal set U for which there is a linear ranking function.If this U is non-empty, we return it, and otherwise compute a set U of maximal size for which there is a linear layer function.

Experimental results
We implemented the procedure of Section 4 on top of the SMT solver Z3 [53].The resulting tool automatically constructs stage graphs that verify stable termination properties for replicated systems.We evaluated it on two sets of benchmarks, described below.The first set contains population protocols, and the second leader election and mutex exclusion algorithms.All tests where performed on a machine with an Intel Xeon CPU E5-2630 v4 @ 2.20GHz and 8GB of RAM.The results are depicted in Figure 2.For parametric families of replicated systems, we always report the largest instance that we were able to verify with a timeout of one hour.For IndOverapprox, from the approaches in Section 5, we use IndOverapprox 0 in the examples marked with * and IndOverapprox ∞ otherwise.
Population protocols.Population protocols [7,8] are replicated systems that compute Presburger predicates following the computation-as-consensus paradigm [9].Depending on whether the initial configuration of agents satisfies the predicate or not, the agents of a correct protocol eventually agree on the output "yes" or "no", almost surely.Example 1 can be interpreted as a population protocol for the majority predicate A Y > A N , and the two stable termination properties that verify its correctness are described in Example 2. To show that a population    protocol correctly computes a given predicate, we thus construct two Presburger stage graphs for the two corresponding stable termination properties.In all these examples, correctness is proved for an infinite set of initial configurations.Our set of benchmarks contains a broadcast protocol [26], three majority protocols (Example 1, [18,Ex. 3], [4]), and multiple instances of parameterized families of protocols, where each protocol computes a different instance of a parameterized family of predicates8 .These include various flock-of-birds protocol families ( [23], [15,Sect. 3], [26, threshold-n]) for the family of predicates x ≥ c for some constant c ≥ 0; two families for threshold predicates of the form a • x ≥ c [7,15]; and one family for remainder protocols of the form a • x ≡ m c [17].Further, we check approximate majority protocols ( [22], [46, coin game], [52]).As these protocols only compute the predicate with large probability but not almost surely, we only verify that they always converge to a stable consensus.
Comparison with [17].The approach of [17] can only be applied to so-called strongly-silent protocols.We are able to verify all six protocols reported in [17].Further, we are also able to verify the protocols Majority [4], Flock-of-birds [15,Sect. 3] and Threshold [15], which are not strongly-silent.Although our approach is more general and complete, the time to verify many strongly-silent protocol does not differ significantly between the two approaches.Exceptions are the Flock-of-birds [23] protocols where we are faster ( [17] reaches the timeout at c = 55) as well as the Remainder and the Flock-of-birds-threshold-n protocols where we are substantially slower ( [17] reaches the timeout at m = 80 and c = 350, respectively).Loosely speaking, the approach of [17] can be faster because they compute inductive overapproximations using an iterative procedure instead of PotReach.In some instances already a very weak overapproximation, much less precise than PotReach, suffices to verify the result.Our procedure can be adapted to accommodate this (it essentially amounts to first running the procedure of [17], and if it is inconclusive then run ours).
Other distributed algorithms.We have also used our approach to verify arbitrary LTL liveness properties of non-parameterized systems with arbitrary communication structure.To verify arbitrary LTL properties we apply standard automata-theoretic techniques.We construct a product of the system and a limit-deterministic Büchi automaton that accepts the negation of the property.Checking that the runs of the product accepted by the automaton have positive probability reduces to checking a stable termination property.
Since we only check correctness of one single finite-state system, we can also apply a probabilistic model checker based on state-space exploration.However, our technique delivers a stage graph, which plays two roles.First, it gives an explanation of why the property holds in terms of invariants and ranking functions, and second, it is a certificate of correctness that can be efficiently checked by independent means.We verify liveness properties for several leader election and mutex algorithms from the literature [39,37,35,55,3,45,57,60] under the assumption of a probabilistic scheduler.For the leader election algorithms, we check that a leader is eventually chosen; for the mutex algorithms, we check that the first process enters its critical section infinitely often.
Comparison with PRISM [44].We compared execution times for verification by our technique and by PRISM on the same models.While PRISM only needs a few seconds to verify a single instance of the mutex algorithms [35,55,3,45,57,60] up to the point where we reach the timeout, it reaches the memory limit for the two leader election algorithms [39,37] already for 70 and 71 processes, respectively, which we can still verify.

Conclusion and further work
We have presented stage graphs, a sound and complete technique for the verification of stable termination properties of replicated systems, an important class of parameterized systems.Using deep results of the theory of Petri nets, we have shown that Presburger stage graphs, a class of stage graphs whose correctness can be reduced to the satisfiability problem of Presburger arithmetic, are also sound and complete.This provides a decision procedure for the verification of termination properties, which is of theoretical nature since it involves a blind enumeration of candidates for Presburger stage graphs.For this reason, we have presented a technique for the algorithmic construction of Presburger stage graphs, designed to exploit the strengths of SMT-solvers for existential Presburger formulas, i.e., integer linear constraints.Loosely speaking, the technique searches for linear functions certifying the progress between stages, even though only the much larger class of Presburger functions guarantees completeness.
We have conducted extensive experiments on a large set of benchmarks.In particular, our approach is able to prove correctness of nearly all the standard protocols described in the literature, including several protocols that could not be proved by the technique of [17], which only worked for so-called stronglysilent protocols.We have also successfully applied the technique to some selfstabilization algorithms, leader election and mutual exclusion algorithms.
Our technique is based on the mechanized search for invariants and ranking functions.It avoids the use of state-space exploration as much as possible.For this reason, it also makes sense as a technique for the verification of liveness properties of non-parameterized systems with a finite but very large state space.

A Appendix
A.1 Missing proofs for Section 2 We show that the qualitative model checking problem is not semi-decidable.The result holds even for the subclass of replicated systems of arity 2 (i.e., for population protocols) and when I = ϕ 1 and the LTL formula is of the form ϕ = ϕ 2 ∨ ♦ϕ 3 , where ϕ 1 , ϕ 2 and ϕ 3 are quantifier-free Presburger predicates with atomic formulas of the form q=0, q=1, or q≥1 for q ∈ Q.A computation of M starts by executing the first instruction with both counters c 1 and c 2 initialized to zero.The problem of determining whether M halts, i.e., eventually executes the halt instruction, is undecidable [51].Consequently, the problem of whether M does not halt is not even semi-decidable.
We prove our theorem by reducing the non-halting problem for two-counter Minsky machines to the qualitative model checking problem.For a given Minsky machine M, let L I and L II be the sets of all indices i ∈ {1, . . ., m} such that ins i is a Type I and Type II instruction, respectively.We construct a replicated system P = (Q, T ) where and T is the (least) set of transitions satisfying the following: -For every Type I instruction of the form ℓ i : inc c j ; goto ℓ k there is a transition q i Z j → q k O j .
-For every Type II instruction of the form ℓ i : if c j =0 then goto ℓ k else dec c j ; goto ℓ n there are transitions q i Z j → qi Z j , qi Z j → q k Z j , and q i O j → q n Z j .(⇐): Assume there is a certificate for C C ′ .We claim that for every C ∈ C, there exists C ′ ∈ C ′ such that C * − → C ′ .Assume the contrary.By assumption, the definition of certificates and as C is inductive, there are configurations ) for every i ≥ 0. This is impossible as the codomain of f is N, which proves the claim.
We may now prove that C leads to C ′ .Let ρ be a fair run starting at some configuration of C. Since C is inductive, ρ only visits configurations of C. Further, since all configurations visited by ρ have the same size, some configuration C ∈ C is visited infinitely often.By the claim, there exists a sequence C This condition is expressible by a Presburger formula enab w (C, k).Let suff(w) denote the set of sufffixes of w, and let Formula FS(C, ℓ) holds iff there exists a sequence σ ∈ L ′ of length ℓ such that Formula ϕ(C, ℓ) holds iff ℓ is the length of a shortest sequence σ ∈ L ′ such that Checking whether ϕ pre is included in the union of all stages reduces to checking satisfiability of this sentence: Let S be a terminal stage of the graph.Checking that S |= ϕ i post for some i reduces to checking satisfiablity of this sentence: Let (f, k) be a Presburger certificate and ϕ(x, y) be the existential Presburger formula given for f .Checking that ϕ actually describes some function f reduces to checking satisfiability of this sentence: (∀C : ∃y : ϕ(C, y)) ∧ (∀C, y, y ′ : (ϕ(C, y) ∧ ϕ(C, y ′ )) → y = y ′ ) .
Since we have the silent transition ( , ) ∈ T that is always enabled, it suffices to check (f, k) for sequences of length exactly k instead of at most k.We now obtain that (f, k) is a Presburger certificate for S (S 1 ∪ . . .∪ S n ) iff the following sentence is satisfiable: Determining if the given graph is a Presburger stage for Π now amounts to determining satisfiability of the conjunction of all the constructed Presburger sentences.We note that if all Presburger formulas for stages and certificates are quantifier-free and the bounds k on the certificates are given in unary, then the constructed Presburger sentences are of polynomial size and in the ∀∃ fragment.In other words, C |= ♦dead(U ) holds iff at every configuration C ′ reachable from C, some transition from U is enabled at C ′ .It has been observed in [40,Sect. 4] that this notion of liveness is equivalent to liveness of a single transition.Indeed, it suffices to introduce a new transition t † and two new states p † , q † such that: a single agent is initially in state p † , while none is in state q † ; -each transition from U is altered so that it takes an agent in state p † and moves it to state q † ; -t † moves an agent in state q † to state p † .This way, C |= t∈U ¬dead(t) holds in the original system iff C |= ¬dead(t † ) holds in the altered system.Moreover, the alteration of S remains semilinear as one can simply add the conjunct (p † = 1 ∧ q † = 0) to φ.
By [40,Thm. 2], the problem of determining whether C |= ¬dead(t † ) holds for some C ∈ S, is decidable.Although the statement of [40, Thm.2] only covers the specific case of S = N Q , its proof explicitly handles any effective semilinear set S. Therefore, this establishes decidability of our problem.
Let us now show PSPACE-hardness.Observe that replicated systems are Petri nets where states correspond to places and where transitions correspond to transitions and arcs.In fact, replicated systems amount precisely to the class of 1-conservative Petri nets, i.e., where every transition produces as many tokens as it consumes.Since the reachability problem for 1-conservative Petri nets is PSPACE-complete [41], the same holds for the reachability problem for replicated systems defined as: We give a (many-one) reduction from this problem to the following variant of the partial structural liveness problem for replicated systems: Input: a replicated system P = (Q, T ) and a transition t ∈ T , Output: does N Q |= ♦dead(t) hold?
Let us fix a replicated system P = (Q, T ) and configurations C init , C tgt ∈ N Q .We design a replicated system P ′ = (Q ′ , T ′ ) and a transition t tgt ∈ T such that: The validity of this equivalence proves the proposition as it is a special case of the problem we wish to show PSPACE-hard.Note that we are implicitly using the fact that PSPACE = NPSPACE as we deal with " |=" instead of "|=".
Construction.Let us describe P ′ .Its set of states is defined as where q free indicates that a "retired" agent is "free" to move to a state of Q, and where q out indicates that a "retired" agent is permanently retired. Let The purpose of these transitions is respectively to generate the initial configuration C init , and to check whether the target configuration C tgt is present.Let The purpose of transition t clean is to permanently retire agents until there are at most k remaining.Let S def = {s q : q ∈ Q} where s q def = q → q free .Transitions S make the system "lossy" in the sense that agents can non deterministically retire from Q, either temporarily or eventually permanently.Overall, the set of transitions of P ′ is defined as General idea.Let us explain the idea behind the construction of P ′ , which is illustrated in Figure 3.If C tgt is reachable from C init in P, then this is also the case in P ′ , as it can simulate the former.Moreover, if P ′ gets stuck by choosing the wrong transitions, then this does not yield a dead configuration, as lossy transitions S can temporarily retire agents so that t init resets the system to C init .This way, transition t tgt can occur infinitely often from any reachable configuration.
Since P ′ could in principle start from a configuration that differs from C init , there is a risk that t tgt occurs infinitely often even though C init * − → C tgt does not hold in P. Thus, the role of t clean is to permanently retire agents until at most k can move to Q.This ensures that P ′ eventually either sets its non retired agents to C init , or gets stuck.The latter only happens if there are less that k agents.can reach C tgt , which allows t tgt to occur.Since D is arbitrary, the validity of this claim implies that t tgt is not dead at any reachable configuration.Observe that t clean cannot occur at any reachable configuration as there are k agents, while t clean requires k + 1 agents.By definition of S and since D(Q ′ \ {q out }) = k, we have D * − → k • q free .Since t init can occur from the latter, we have D * − → C init .As P ′ contains all transitions from P, this implies that D * − → C tgt in P ′ .Hence, t tgt can occur from there.⇐) Assume C init * − → C tgt does not hold in P. Let us show that N Q ′ |= ♦dead(t tgt ) in P ′ .Let D init ∈ N Q ′ .We must argue "adversarially" that D init can reach a configuration D at which t tgt is dead.
By using "lossy" transitions S repeatedly, we can remove all agents from Q. Hence, D init * − → a • q free , b • q out for some a, b ∈ N. If a > k, then using transition t clean repeatedly, we obtain k agents in state q free and b + (a − k) agents in state q out .In other words, we have If a ′ < k, then all transitions are dead and we are done.Hence, let us assume that a ′ = k.The only enabled transition at this point is t init , which forces P ′ to move to configuration D def = C init + b ′ • q out .Note that t clean is dead at D. Since C tgt is not reachable from C init in P, system P ′ cannot reach C tgt + b ′ • q out either.Moreover, it cannot reach any configuration larger than C tgt + b ′ • q out as the number of agents never changes.Thus, t tgt is dead at D, which completes the proof.As ↓ C ω is downward closed, it suffices to check the constraint for all elements in the decomposition of ↓ C ω , i.e., C ω 1 to C ω k .This gives us the following formula: Together we obtain the following Presburger formula for DeathCert k (U, C ω ): For a fixed k, the size of the formula is polynomial w.r.t. the size of the system.where x y ∈ N Q is defined by (x y)(q) def = max(x(q) − y(q), 0) for x, y ∈ N Q .
Proof.We have that dis(U ) = dead(U ) iff dis(U ) is inductive, that is post T ( dis(U ) ) ⊆ dis(U ) .We show that post T ( dis(U ) ) ⊆ dis(U ) ≡ We start by rewriting the formula as follows: Observe that Y(U, t) is upward closed, as both dis(t) and dis(U ) are upward closed.Therefore, the inclusion check is between two upward closed sets, which amounts to a comparison of their bases.We claim that ↑ X (U, t) = Y(U, t) where Let us prove the claim.Let C = • t + ( • u t • ) ∈ X (U, t) for some u ∈ U .Clearly, C ∈ dis(t) since C ≥ • t.Note that C + ∆(t) = t • + ( • u t • ) ≥ • u.Therefore, C + ∆(t) ∈ dis(U ) and consequently C ∈ Y(U, t).Since this also holds for any configuration C ′ ≥ C, we obtain ↑ X (U, t) ⊆ Y(U, t).
For the other inclusion, let C ∈ Y(U, t).We have C + ∆(t) ≥ • u for some u ∈ U and hence follows Y(U, t) ⊆ ↑ X (U, t) by and likewise for C * − → C ′ .Intuitively, transitions cannot create or destroy agents.
we have C ≥ D for some D ∈ M .By monotonicity, we have C σD − − → C ′ tD − − → C ′′ for some configurations C ′ and C ′′ .By Definition 8, we have r(C) ≥ r(C ′ ) > r(C ′′ ), and so condition (Cert) holds.As |σ D t D | ≤ k, we have that (r, k) is a bounded certificate.

Definition 9 .
A function ℓ : S → N is a layer function for S and U if: C1. ℓ(C) > ℓ(C ′ ) for every C ∈ S and every step C t − → C ′ with t ∈ U ; and C2.dis(U ) = dead(U ) .Proposition 9.If ℓ : S → N is a layer function for S and U , then (ℓ, 1) is a bounded certificate for S dead(U ) .Proof.Let C ∈ S \ dead(U ) .By condition C2, we have C ∈ dis(U ) .So there exists a step C u − → C ′ where u ∈ U .By condition C1, we have ℓ(C) > ℓ(C ′ ), so condition (Cert) holds and (ℓ, 1) is a bounded certificate.Let S be a stage.For every set of transitions U ⊆ Dead(S) we can construct a Presburger formula lin-layer(U, a) that holds iff there there exists a linear layer function for U , i.e., a layer function of the form ℓ(C) = a • C for a vector of coefficients a : Q → Q ≥0 .Condition C1, for a linear function ℓ(C), is expressed by the existential Presburger formula lin-layer-fun(U, a) def = u∈U a • ∆(u) < 0.

Fig. 2 :
Fig. 2: Columns |Q|, |T |, and Time give the number of states and non-silent transitions, and the time for verification.Population protocols are verified for an infinite set of configurations.For parametric families, the smallest instance that could not be verified within one hour is shown in brackets, e.g.(TO: c = 90).Leader election and mutex algorithms are verified for one configuration.The number of processes leading to a timeout is given in brackets, e.g.(TO: 10).

Theorem 1 .
The qualitative model checking problem is not semi-decidable.Proof.A two-counter Minsky machine M is a finite sequence of labeled instructions ℓ 1 : ins 1 , . . ., ℓ m : ins m , ℓ m+1 : halt where every ins i is either a Type I instruction of the form inc c j ; goto ℓ k where j ∈ {1, 2} and 1 ≤ k ≤ m + 1, or a Type II instruction of the form if c j =0 then goto ℓ k else dec c j ; goto ℓ n where j ∈ {1, 2} and 1 ≤ k, n ≤ m + 1.
Proof.(⇒): Assume C leads to C ′ .By definition of the "leads to" relation, for every C ∈ C, there exists C ′ ∈ C ′ such that C * − → C ′ .Hence, the function defined by f (C) = 1 if C ∈ C \ C ′ , and f (C) = 0 otherwise is a certificate for C C ′ .

σ−→Theorem 2 .
C ′ such that C ′ ∈ C ′ .We show that ρ visits C ′ , by induction on |σ|.If |σ| = 0, then C ′ = C and we are done.Assume σ = tτ and C t − → D τ − → C ′ , where t ∈ T .By fairness, D occurs infinitely often in ρ.Since |τ | = |σ| − 1, we can apply the induction hypothesis to τ and conclude that C ′ occurs infinitely often in ρ. ⊓ ⊔ Proposition 3. System P satisfies Π iff it has a stage graph for Π.Proof.(⇐): Assume P has a stage graph for Π.Let B be a terminal stage of the stage graph.By condition 4, B |= ϕ i post for some i, and by inductiveness B |= ϕ i post Let L be the union of the terminal stages of the stage graph.We have L |= k i=1 ϕ i post .By Proposition 2 and conditions 1 and 3 of the definition of a stage graph, every stage C satisfies C L. Therefore every stage C satisfies ♦ k i=1 ϕ i post .By condition 2, we have that ϕ pre |= ♦ k i=1 ϕ i post .Thus C |= ♦ k i=1 ϕ i post for any configuration C ∈ ϕ pre , and hence P |= ϕ Π .(⇒): Assume P satisfies Π.Consider a stage graph with k + 1 stages: an initial stage C in containing the set of all configurations reachable from ϕ pre , and a terminal stage C fi , for every 1 ≤ i ≤ k, containing all configurations satisfying ϕ i post .Conditions 1, 2, and 4 hold by definition.Since P satisfies Π, every fair run from a configuration of the initial stage C in eventually visits a terminal stage C fi , and therefore C in leads to (C f1 ∪. ..∪C f k ).Consequently, Proposition 2 yields a certificate for C in (C f1 ∪ . . .∪ C f k ).⊓ ⊔ System P satisfies Π iff it has a Presburger stage graph for Π.Proof.We say that a configuration C is bottom if C * − → D implies D * − → C. Let B be the set of all bottom configurations of P. Let * ← → denote the mutual reachability relation defined by C * ← → D def ⇐⇒ (C * − → D ∧ D * − → C).It is known from [31, Thm. 13 and Prop.14] that both * ← → and B are (effectively) Presburger.Let S i def = B ∩ ϕ i post for every i ∈ [n].Note that S i is Presburger since it can be written as S i = C ∈ B : ∀D [(C * ← → D) =⇒ (D |= ϕ i post )] .Let S def = S 1 ∪ • • • ∪ S n and let I def = ϕ pre .Note that S and I are Presburger.Since P satisfies Π, we have post * (I) ∩ (B \ S) = ∅.Therefore, by [47, Lem.9.1], there exists an inductive Presburger set I ′ ⊇ I such that post * (I ′ ) ∩ (B \ S) = ∅.Since any set of configurations leads to B, this implies I ′ S. The directed acyclic graph made of I ′ with S 1 , . . ., S n as its successors is a stage graph for Π.Indeed: 1.I ′ and S i are inductive, where the latter follows by definition; 2. ϕ pre = I is a subset of stage I ′ ; 3. I ′ S = (S 1 ∪ • • • ∪ S n ) holds, by the above; and 4. S i |= ϕ i post by definition of S i .It remains to exhibit a Presburger certificate.Since I ′ and S are both Presburger, [48, Cor.XI.3] yields a bounded language L = w * 1 w * 2 • • • w * k ⊆ T * such that I ′ ⊆ pre L (S).Let pre L (S) be the set of configurations C such that C w − → C for some C ′ ∈ S and w ∈ L, and L ′ be the language made of all sequences of L and their suffixes.We have I ′ ⊆ pre L (S) ⊆ pre L ′ (S).For every C ∈ I ′ , let f (C) def = |σ C | where σ C ∈ L ′ is a shortest sequence such that: C σC − − → D for some D ∈ S. Since I ′ is inductive and since L ′ is closed under suffixes, if σ C = tτ and C t − → C ′ , then we have f (C) = f (C ′ )+ 1.Hence, (f, 1) is a bounded certificate for I ′ S. It remains to construct a Presburger formula ϕ(C, ℓ) that holds iff ℓ = f (C).We only consider the case where L = w * for some finite sequence w; the generalization to L = w * 1 w * 2 • • • w * k being straightforward.A simple induction on the length of w shows that the set of configurations that enable w has a unique minimal configuration C w .Further, also by induction on w there exists a vector ∆(w) ∈ Z Q such that C w − → C + ∆(w) for every C ≥ C w .More precisely, ∆(w) = |w| i=1 ∆(w i ).It follows that a configuration C enables sequence w k iff C + i • ∆(w) ≥ C w for every 0 ≤ i < k.Furthermore, if C enables w k , then we have:

4 Proposition 4 .
Given a replicated system P, a stage S represented by an existential Presburger formula φ and a set of transitions U , determining whether S |= ♦dead(U ) holds is decidable and PSPACE-hard.Proof.Let us first establish decidability.It suffices to show decidability of S |= ♦dead(U ), i.e., whether C |= ♦dead(U ) for some C ∈ S. Observe that C |= ♦dead(U ) ⇐⇒ C |= ♦ t∈U dead(t) ⇐⇒ C |= t∈U ¬dead(t).
0, P N > 0 Figure 1 depicts stage graphs for the system of Example 1 and the properties defined in Example 2. The reader can easily show that every stage C is inductive by checking that for every C ∈ C and every transition t ∈ {t 1 , . . ., t 4 } enabled at C, the step Definition 8.A function r : S → N is a ranking function for S and U if for every C ∈ S and every step C t − → C ′ the following holds:1.ift ∈ U , then r(C) > r(C ′ ); and 2. if t / ∈ U , then r(C) ≥ r(C ′ ).Proposition 8.If r : S → N is a ranking function for S and U , then there exists k ∈ N such that (r, k) is a bounded certificate for S dead(U ) .
The problem of deciding whether an acyclic graph of Presburger sets and Presburger certificates is a Presburger stage graph, for a given stable termination property, is reducible in polynomial time to the satisfiability problem for Presburger arithmetic.Proof.First we observe that for any two configurations C, C ′ , we have C − → C ′ iff there exists a transition t such that C ≥ • t and C ′ = C + ∆(t).With that, checking the inductiveness of a Presburger stage S reduces to checking satisfiability of this sentence: