Verification of randomized consensus algorithms under round-rigid adversaries

Randomized fault-tolerant distributed algorithms pose a number of challenges for automated verification: (i) parameterization in the number of processes and faults, (ii) randomized choices and probabilistic properties, and (iii) an unbounded number of asynchronous rounds. This combination makes verification hard. Challenge (i) was recently addressed in the framework of threshold automata. We extend threshold automata to model randomized consensus algorithms that perform an unbounded number of asynchronous rounds. For non-probabilistic properties, we show that it is necessary and sufficient to verify these properties under round-rigid schedules, that is, schedules where processes enter round r only after all processes finished round r-1\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$r-1$$\end{document}. For almost-sure termination, we analyze these algorithms under round-rigid adversaries, that is, fair adversaries that only generate round-rigid schedules. This allows us to do compositional and inductive reasoning that reduces verification of the asynchronous multi-round algorithms to model checking of a one-round threshold automaton. We apply this framework and automatically verify the following classic algorithms: Ben-Or’s and Bracha’s seminal consensus algorithms for crashes and Byzantine faults, 2-set agreement for crash faults, and RS-Bosco for the Byzantine case.


Introduction
Fault-tolerant distributed algorithms like Paxos and Blockchain recently receive much attention.Still, these systems are out of reach with current automated verification techniques.One problem comes from the scale: these systems should be verified for a very large (ideally even an unbounded) number of participants.In addition, many systems (including Blockchain), provide probabilistic guarantees.To check their correctness, one has to reason about randomized distributed algorithms in the parameterized setting.
In this paper, we make first steps towards parameterized verification of fault-tolerant randomized distributed algorithms.We consider consensus algorithms that follow the ideas of Ben-Or [3].Interestingly, these algorithms were analyzed in [17,15] where probabilistic reasoning was done using the probabilistic model checker PRISM [16] for systems of 10-20 processes, while only safety was verified in the parameterized setting using Cadence SMV.From a different perspective, these algorithms extend asynchronous threshold-guarded distributed algorithms from [12,11] with two features (i) a random choice (coin toss), and (ii) repeated executions of the same algorithm until it converges (with probability 1).
A prominent example is Ben-Or's fault-tolerant consensus algorithm [3] given in Figure 1.
It circumvents the impossibility of asynchronous consensus [9] by relaxing the termination requirement to almost-sure termination, i.e., termination with probability 1.Here processes execute an infinite sequence of asynchronous loop iterations, which are called rounds r.Each round consists of two stages where they first exchange messages tagged R, wait until the number of received messages reaches a certain threshold (given as expression over parameters in line 5) and then exchange messages tagged P .In the code, n is the number of processes, among which at most t are Byzantine faulty (which may send conflicting information).The correctness of the algorithm should be verified for all values of the parameters n and t that meet a so-called resilience condition, e.g., n > 3t.Carefully chosen thresholds (n − t, (n + t)/2 and t + 1) on the number of received messages of a given type, ensure agreement, i.e., that two correct processes never decide on different values.At the end of a round, if there is no "strong majority" for a value, i.e., less than (n + t)/2 messages were received (cf.line 13), a process picks a new value randomly in line 16.
While these non-trivial threshold expressions can be dealt with using the methods in [11], several challenges remain.The technique in [11] can be used to verify one iteration of the round from Figure 1 only.However, consensus algorithms should prevent that there are no two rounds r and r such that a process decides 0 in r and another decides 1 in r .This calls for a compositional approach that allows one to compose verification results for individual rounds.
A challenge in the composition is that distributed algorithms implement "asynchronous rounds", i.e., during a run processes may be in different rounds at the same time.
In addition, the combination of distributed aspects and probabilities makes reasoning difficult.Quoting Lehmann and Rabin [18], "proofs of correctness for probabilistic distributed systems are extremely slippery".This advocates the development of automated N. Bertrand, I. Konnov, M. Lazić, J. Widder 29:3 verification techniques for probabilistic properties of randomized distributed algorithms in the parameterized setting.
Contributions.We extend the threshold automata framework from [11] to round-based algorithms with coin toss transitions.For the new framework we achieve the following: 1.For safety verification we introduce a method for compositional round-based reasoning.
This allows us to invoke a reduction similar to the one in [8,6,7].We highlight necessary fairness conditions on individual rounds.This provides us with specifications to be checked on a one-round automaton.

2.
We reduce probabilistic liveness verification to proving termination with positive probability within a fixed number of rounds.To do so, we restrict ourselves to round-rigid adversaries, that is, adversaries that respect the round ordering.In contrast to existing work that proves almost-sure termination for fixed number of participants, these are the first parameterized model checking results for probabilistic properties.

3.
We check the specifications that emerge from points 1. and 2. and thus verify challenging benchmarks in the parameterized setting.We verify Ben-Or's [3] and Bracha's [5] classic algorithms, and more recent algorithms such as 2-set agreement [21], and RS-Bosco [23].

Overview
We introduce probabilistic threshold automata to model randomized threshold-based algorithms.An example of such an automaton is given in Figure 2. Nodes represent local states (or locations) of processes, which move along the labeled edges or forks.Edges and forks are called rules.Labels have the form ϕ → u, meaning that a process can move along the edge only if ϕ evaluates to true, and this is followed by the update u of shared variables.
Additionally, each tine of a fork is labeled with a number in the [0, 1] interval, representing the probability of a process moving along the fork to end up at the target location of the tine.
If we ignore the dashed arrows in Figure 2, a threshold automaton captures the behavior of a process in one round, that is, a loop iteration in Figure 1.
The code in Figure 1 refers to numbers of received messages and, as is typical for distributed algorithms, their relation to sent messages (that is the semantics of send and receive) is not explicit in the pseudo code.To formalize the behavior, the encoding in the threshold automaton directly refers to the numbers of sent messages, and they are encoded in the shared variables x i and y i .The algorithm is parameterized: n is the number of processes, t is the assumed number of faults and f is the actual number of faults.It should be demonstrated to work under the resilience condition n > 3t ∧ t ≥ f ∧ t > 0. For instance, the

29:4
Verification of Randomized Consensus Algorithms under Round-Rigid Adversaries locations J 0 and J 1 capture that a loop is entered with v being 0 and 1, respectively.Sending an (R, r, 0) and (R, r, 1) message is captured by the increments on the shared variables x 0 and x 1 in the rules r 3 and r 4 , respectively; e.g., a process that is in location J 0 uses rule r 3 to go to location SR ("sent R message"), and increments x 0 in doing so.Waiting for R and P messages in the lines 5 and 9, is captured by looping in the locations SR and SP .
In line 7 a process sends, e.g., a (P, r, 0, D) message if it has received n − t messages out of which (n + t)/2 are (R, r, 0) messages.This is captured in the guard of rule r 5 where x 0 + x 1 ≥ n − t − f checks the number of received messages in total, and x 0 ≥ (n + t)/2 − f checks for the specific messages containing 0. The "−f " term models that in the message passing semantics underlying Figure 1, f messages from Byzantine faults may be received in addition to the messages sent by correct processes (modeled by shared variables in Figure 2).
The branching at the end of the loop from lines 10 to 18 is captured by the rules outgoing of SP .In particular rule r 10 captures the coin toss in line 16.The non-determinism due to faults and asynchrony is captured by multiple rules being enabled in the same configuration.
Liveness properties of distributed algorithms typically require fairness constraints, e.g., every message sent by a correct process to a correct process is eventually received.For instance, this implies in Figure 1 that if n − t correct processes have sent messages of the form (R, 1, * ) and (n + t)/2 correct processes have sent messages of the form (R, 1, 0) then every correct process should eventually execute line 7, and proceed to line 9.We capture this by the following fairness constraint: if r 5 is enabled without the help of the f faulty processes but by "correct processes alone"then the source location of rule r 5 , namely SR should eventually be evacuated, that is, its corresponding counter should eventually be 0.
The dashed edges, called round switch rules, encode how a process, after finishing a round, starts the next one.The round number r serves as the loop iterator in Figure 1, and in each iteration, processes send messages that carry r.To capture this, our semantics will introduce fresh shared variables initialized with 0 for each round r.Because there are infinitely many rounds, this means a priori we have infinitely many variables.
As parameterized verification of threshold automata is in general undecidable [14], we consider the so-called "canonic" restrictions here, i.e., only increments on shared variables, and no increments of the same variable within loops.These restrictions still allow us to model many threshold-based fault-tolerant distributed algorithms [11].As a result, threshold automata without probabilistic forks and round switching rules can be automatically checked for safety and liveness [11].Adding forks and round switches is required to adequately model randomized distributed algorithms.Here we will use a convenient restriction that requires that coin-toss transitions only appear at the end of a round, e.g., line 16 of Figure 1.
Intuitively, as discussed in Section 1, a coin-toss is only necessary if there is no strong majority.Thus, all our benchmarks have this feature, and we exploit it in Section 7.
In order to overcome the issue of infinitely many rounds, we prove in Section 6 that we can verify probabilistic threshold automata by analyzing a one-round automaton that fits in the framework of [11].We prove that we can reorder transitions of any fair execution such that their round numbers are in an increasing order.The obtained ordered execution is stutter equivalent with the original one, and thus, they satisfy the same LTL -X properties over the atomic propositions describing only one round.In other words, our targeted concurrent systems can be transformed to a sequential composition of one-round systems.
The main problem with isolating a one-round system is that consensus specifications often talk about at least two different rounds.In this case we need to use round invariants that imply the specifications.For example, if we want to verify agreement, we have to check whether two processes decide different values, possibly in different rounds.We do this in two steps: (i) we check the round invariant that no process changes its decision from round to round, and (ii) we check that within a round no two processes disagree.
Finally, verifying almost-sure termination under round-rigid adversaries calls for distinct arguments.Our methodology follows the lines of the manual proof of Ben Or's consensus algorithm by Aguilera and Toueg [1].However, our arguments are not specific to Ben Or's algorithm, and we apply it to other randomized distributed algorithms (see Section 8).
Compared to their paper-and-pencil proof, the threshold automata framework required us to provide a more formal setting and a more informative proof, also pinpointing the needed hypothesis.The crucial parts of our proof are automatically checked by the model checker ByMC [13].Hence the established correctness stands on less slippery ground, which addresses the mentioned concerns of Lehmann and Rabin.

The Probabilistic Threshold Automata Framework
A probabilistic threshold automaton PTA is a tuple (L, V, R, RC ), where L is a finite set of locations, that contains the following disjoint subsets: initial locations I, final locations F, and border locations B, with |B| = |I|; V is a set of variables.It is partitioned in two sets: Π contains parameter variables, and Γ contains shared variables; R is a finite set of rules; and RC , the resilience condition, is a formula in linear integer arithmetic over parameter variables.
In the following we introduce rules in detail, and give syntactic restrictions on locations.
The resilience condition RC only appears in the definition of the semantics in Section 3.1.
A rule r is a tuple (from, δ to , ϕ, u) where from ∈ L is the source location, δ to ∈ Dist(L) is a probability distribution over the destination locations, u ∈ N |Γ| 0 is the update vector, and ϕ is a guard, i.e., a conjunction of expressions of the form b

Actions.
An action α = (r, k) ∈ Act stands for the execution of a rule r in round k (by a single process).We write α.from for r.from, α.δ to for r.δ to , etc.An action α = (r, k) is unlocked in a configuration σ, if its guard evaluates to true in its round, that is σ, k |= r.ϕ.
An action α = (r, k) is applicable to a configuration σ if α is unlocked in σ, and there is at least one process in the source location r.from, formally, σ. κ[r.from, k] ≥ 1.When an action α is applicable to σ, and when is a potential destination location for the probabilistic action α, we write apply(σ, α, ) for the resulting configuration: parameters are unchanged, shared variables are updated according to the update vector r.u, and the values of counters are modified in a natural way: as a process moves from r.from to in round k, counter κ[r.from, k] is decreased by 1 and κ[ , k] is increased by 1.The probabilistic transition function ∆ is defined by: ∆(σ, α)(σ ) = α.δ to ( ) if apply(σ, α, ) = σ , and 0 otherwise.

Non-probabilistic Counter Systems
Non-probabilistic threshold automata are defined in [12], and they can be seen as a special case of probabilistic threshold automata where all rules are Dirac rules.
With a PTA, one can naturally associate a non-probabilistic threshold automaton, by replacing probabilities with non-determinism.
Definition 1.Given a PTA = (L, V, R, RC ), its (non-probabilistic) threshold automaton is TA PTA = (L, V, R np , RC ) where the set of rules R np is defined as {r = (from, , ϕ, u We write TA instead of TA PTA when the automaton PTA is clear from the context.Every rule from R np corresponds to exactly one rule in R, and for every rule in R there is at least one corresponding rule in R np (and exactly one for Dirac rules).
If we understand a TA as a PTA where all rules are Dirac rules, we can define transitions using the partial function apply in order to obtain an infinite (non-probabilistic) counter system, which we denote by Sys ∞ (TA).Moreover, since in this case R = R np , actions of the PTA exactly match transitions of its TA.We obtain σ by applying t = (r, k) to σ, and write this as σ = t(σ), if and only if for the destination location of r holds that apply(σ, t, ) = σ .
Also, starting from a PTA, one can define the counter system Sys(PTA), and consequently its non-probabilistic counterpart Sys np (PTA).As the definitions of Sys np (PTA) and Sys ∞ (TA) are equivalent for a given PTA, we are free to choose one, and always use Sys ∞ (TA). A Similarly we define an infinite schedule τ = t 1 , t 2 , . .., and an infinite path σ 0 , t 1 , σ 1 , . .., also denoted by path(σ 0 , τ ).An infinite path is fair if no transition is applicable forever from some point on.Equivalently, when a transition is applicable, eventually either its guard becomes false, or all processes leave its source location.
Since every transition in Sys ∞ (TA) comes from an action in Sys(PTA), note that every path in Sys ∞ (TA) is a valid path in Sys(PTA).

Adversaries
As usual, the non-determinism is resolved by a so-called adversary.Let Paths be the set of all finite paths in Sys(PTA).An adversary is a function a : Paths → Act, that given a finite path π selects an action applicable to the last configuration of π.Given a configuration σ and an adversary a, we generate a family of paths, depending on the outcomes of non-Dirac transitions.We denote this set by paths(σ, a).An adversary a is fair if all paths in paths(σ, a) are fair.As usual, the Markov Decision Process (MDP) Sys(PTA) together with an initial configuration σ and an adversary a induce a Markov chain, written M σ a .We write P σ a for the probability measure over infinite paths starting at σ in the latter Markov chain.
We call an adversary a round-rigid if it is fair, and if every sequence of actions it produces can be decomposed to a concatenation of sequences of action of the form where for all k ∈ N, we have that s k contains only Dirac actions of round k, and s p k contains only non-Dirac actions of round k.We denote the set of all round-rigid adversaries by A R .

Atomic Propositions and Stutter Equivalence
The atomic propositions we consider describe non-emptiness of a location ∈ L \ B in a round k, i.e., whether there is at least one process in location in round k.Formally, the set of all such propositions for a round k ∈ N 0 is denoted by AP k = {p( , k) : ∈ L\B}.For every k we define a labeling function By abusing notation, we write " κ[ , k] > 0" and " κ[ , k] = 0" instead of p( , k) and ¬p( , k), resp.

Consensus Properties and their Verification
In probabilistic (binary) consensus every correct process has an initial value from {0, 1}.
It consists of safety specifications and an almost-sure termination requirement, which we consider in its round-rigid variant: Agreement: No two correct processes decide differently.
Validity: If all correct processes have v as the initial value, then no process decides 1 − v.
Probabilistic wait-free termination: Under every round-rigid adversary, with probability 1 every correct process eventually decides.
We now discuss the formalization of these specifications in the context of Ben-Or's algorithm whose threshold automaton is given in Figure 2.

Formalization.
In order to formulate and analyze the specifications, we partition every set I, B, and F, into two subsets I 0 I 1 , B 0 B 1 , and F 0 F 1 , respectively.For every v ∈ {0, 1}, the partitions satisfy the following: (R1) The processes that are initially in a location ∈ I v have the initial value v.
(R2) Rules connecting locations from B and I respect the partitioning, i.e., they connect B v and I v .Similarly, rules connecting locations from F and B respect the partitioning.
We introduce two subsets if and only if it decides v in that round.Now we can express the specifications as follows: Agreement: For both values v ∈ {0, 1} the following holds: Probabilistic wait-free termination: For every round-rigid adversary a Agreement and validity are non-probabilistic properties, and thus can be analyzed on the non-probabilistic counter system Sys ∞ (TA).For verifying probabilistic wait-free termination, we make explicit the following assumption that is present in all our benchmarks: all non-Dirac transitions have non-zero probability to lead to an F v location, for both values v ∈ {0, 1}.
In Section 5 we formalize safety specifications and reduce them to single-round specifications.In Section 6 we reduce verification of multi-round counter systems to verification of single-round systems.In Section 7 we discuss our approach to probabilistic termination.

Reduction to Specifications with one Round Quantifier
Agreement contains two round variables k and k , and Validity considers rounds 0 and k.
Thus, both involve two round numbers.As ByMC can only analyze one round systems [11], the properties are only allowed to use one round number.In this section we show how to check formulas (1) and ( 2) by checking properties that refer to one round.Namely, we introduce round invariants (4) and ( 5), and prove that they imply Agreement and Validity.

29:9
The first round invariant claims that in every round and in every path, once a process decides v in a round, no process ever enters a location from F 1−v in that round.Formally: The second round invariant claims that in every round in every path, if no process starts a round with a value v, then no process terminates that round with value v. Formally: The following proposition is proved using restriction (R2) and by an inductive argument over the round number.

Reduction to Single-Round Counter System
Given a property of one round, our goal is to prove that there is a counterexample to the property in the multi-round system iff there is a counterexample in a single-round system.This is formulated in Theorem 6, and it allows us to use ByMC on a single-round system.
The proof idea contains two parts.First, in Section 6.1 we prove that one can replace an arbitrary finite schedule with a round-rigid one, while preserving atomic propositions of a fixed round.We show that swapping two adjacent transitions that do not respect the order over round numbers in an execution, gives us a legal stutter equivalent execution, i.e., an execution satisfying the same LTL -X properties.
Second, in Section 6.2 we extend this reasoning to infinite schedules, and lift it from schedules to transition systems.The main idea is to do inductive and compositional reasoning over the rounds.To do so, we need well-defined round boundaries, which is the case if every round that is started is also finished; a property we can automatically check for fair schedules.In more detail, regarding propositions for one round, we show that the multi-round transition system is stutter equivalent to a single-round transition system.This holds under the assumption that all fair executions of a single-round transition system terminate, and this can be checked using the technique from [11].As stutter equivalence of systems implies preservation of LTL -X properties, this is sufficient to prove the main goal of the section.

Reduction from arbitrary schedules to round-rigid schedules Definition
The following proposition shows that any finite schedule can be re-ordered into a roundrigid one that is stutter equivalent regarding LTL -X formulas over proposition from AP k , for all rounds k.It is proved using arguments on the commutativity of transitions, similar to [8].
Proposition 4. For every configuration σ and every finite schedule τ applicable to σ, there is a round-rigid schedule τ such that the following holds: (a) Schedule τ is applicable to configuration σ.
Thus, instead of reasoning about all finite schedules of Sys ∞ (TA), it is sufficient to reason about its round-rigid schedules.In the following section we use this to simplify the verification further, namely to a single-round counter system.
C O N C U R 2 0 1 9 29:10 Verification of Randomized Consensus Algorithms under Round-Rigid Adversaries

From round-rigid schedules to single-round counter system
For each PTA, we define a single-round threshold automaton that can be analyzed with the tools of [12] and [11].Roughly speaking, we focus on one round, but also keep the border locations of the next round, where we add self-loops. Figure 3 represents the single-round threshold automaton associated with the PTA from Figure 2. We can prove that for specific fairness constraints, this automaton shows the same behavior as a round in Sys ∞ (TA).
We restrict ourselves to fair schedules, that is, those where no transition is applicable forever.We also assume that every fair schedule of a single-round system terminates, i.e., eventually every process reaches a state from B .Under the fairness assumption we check the latter assumption with ByMC [13].Moreover, we restrict ourselves to non-blocking threshold automata, that is, we require that in each configuration each location has at least one outgoing rule unlocked.As we use TAs to model distributed algorithms, this is no restriction: locations in which no progress should be made unless certain thresholds are reached, typically have self-loops that are guarded with true (e.g.SR and SP ).Thus for our benchmarks one can easily check whether they are non-blocking using SMT (we have to check that there is no evaluation of the variables such that all outgoing rules are disabled).We define the transition relation R as in Sys ∞ (TA), i.e., two configurations are in the relation R k if and only if they (or more precisely, their above described extensions) are in R.   For all the benchmarks in Table 2, ByMC has reported that the specifications hold.By changing n > 3t to n > 2t, we found that rabc-cr can handle more faults (the original n > 3t was needed to implement the underlying communication structure which we assume given in the experiments).In other cases, whenever we changed the parameters, that is, increased the number of faults beyond the known bound, the tool reported a counterexample.

Conclusions
Our proof methodology for almost sure termination applies to round-rigid adversaries only.
As future work we shall prove that verifying almost-sure termination under round-rigid adversaries is sufficient to prove it for more general adversaries.Transforming an adversary into a round-rigid one while preserving the probabilistic properties over the induced paths, comes up against the fact that, depending on the outcome of a coin toss in some step at round k, different rules may be triggered later for processes in rounds less than k.
A few contributions address automated verification of probabilistic parameterized systems [22,4,20,19].In contrast to these, our processes are not finite-state, due to the round numbers and parameterized guards.The seminal work by Pnueli and Zuck [22] requires shared variables to be bounded and cannot use arithmetic thresholds different from 1 and n.
Algorithms for well-structured transition systems [4] do not directly apply to multi-parameter systems produced by probabilistic threshold automata.Regular model checking [20,19] cannot handle arithmetic resilience conditions such as n > 3t, nor unbounded shared variables.

odFigure 1
Figure 1 Pseudo code of Ben-Or's algorithm for Byzantine faults

Figure 2 A
Figure 2 depicts a PTA with border locations B = {I 0 , I 1 }, initial locations I = {J 0 , J 1 }, and final locations F = {E 0 , E 1 , D 0 , D 1 , CT 0 , CT 1 }.The only rule that is not Dirac rule is r 10 , and round switch rules are represented by dashed arrows.

1 Figure 3
Figure 3The single-round threshold automaton TA rd obtained from PTA in Figure2

Definition 5 .
Given a PTA = (L, V, R, RC ) or its TA = (L, V, R np , RC ), we define a singleround threshold automaton TA rd = (L ∪ B , V, R rd , RC ), where B = { : ∈ B} are copies of border locations, and R rd = (R np \ S) ∪ S ∪ R loop , where R loop = {( , , true, 0) : ∈ B } are self-loop rules at locations from B and S = {(from, , true, 0) : (from, , true, 0) ∈ S with ∈ B } consists of modifications of round switch rules.Initial locations of TA rd are the locations from B ⊆ L.For a TA rd and a k ∈ N 0 we define a counter system Sys k (TA rd ) as the tuple(Σ k , I k , R k ).A configuration is a tuple σ = ( κ, g, p) ∈ Σ k ,where σ. κ : D → N 0 defines values of the counters, for D = (L × {k}) ∪ (B × {k + 1}); and σ. g : Γ × {k} → N 0 defines shared variable values; and σ.p ∈ N |Π| 0 is a vector of parameter values.Note that by using D in the definition of σ. κ above, every configuration σ ∈ Sys k (TA rd ) can be extended to a valid configuration of Sys ∞ (TA), by assigning zero to all other counters and global variables.In the following, we identify a configuration in Sys k (TA rd ) with its extension in Sys ∞ (TA), since they have the same labeling function λ k , for every k ∈ N 0 .We define Σ k B ⊆ Σ k , for a k ∈ N 0 , to be the set of all configurations σ where every process is in a location from B, and all shared variables are set to zero in k, formally, σ. g[x, k] = 0 for all x ∈ Γ, and ∈B σ. κ[ , k] = N (p), and σ. κ[ , i] = 0 for all ( , i) ∈ D \ (B × {k}).We call these configurations border configurations for k.The set of initial states I k is a subset of Σ k B .
shows the number of SMT queries (which depends on the structure of the automaton and the specification), column time shows the computation times -either in seconds or in the format HH:MM.As the N-automata have more rules than the P-automata, column |R| shows the figures for N-automata.To save space, we omit the figures for memory use from the table: Benchmarks 1-5 need 30-170 MB, whereas rs-bosco needs up to 1.5 GB per CPU.The benchmark rs-bosco is a challenge for the technique of[11]: Its threshold automaton has 12 threshold guards that can change their values almost in any order.Additional combinations are produced by the temporal formulas.Although ByMC reduces the number of combinations by analyzing dependencies between the guards, it still produces between 11! and 14! SMT queries.Hence, we ran the experiments for rs-bosco on 1024 CPU cores of Grid5000 and gave the wall time results in Table2.(To find the total computing time, multiply wall time by 1024.)ByMC timed out on the property S4 after 1 day (shown as TO).
Two counter systems C 0 and C 1 are stutter equivalent w.r.t.AP k , written C 0 k C 1 , if for every path π from C i there is a path π from C 1−i such that π k π , for i ∈ {0, 1}.C O N C U R 2

Table 2
The experiments for first 5 rows were run on a single computer (Apple MacBook Pro 2018, 16GB).The experiments for last row (rs-bosco) were run in Grid5000 on 32 nodes (2 CPUs Intel Xeon Gold 6130, 16 cores/CPU, 192GB).Wall times are given.

Table 2
presents the computational results of our experiments: column |L| shows the number of automata locations, column |R| shows the number of automata rules, column |S|