Partial-order reduction for parity games and parameterised Boolean equation systems

In model checking, reduction techniques can be helpful tools to fight the state-space explosion problem. Partial-order reduction (POR) is a well-known example, and many POR variants have been developed over the years. However, none of these can be used in the context of model checking stutter-sensitive temporal properties. We propose POR techniques for parity games, a well-established formalism for solving a variety of decision problems, including model checking. As a result, we obtain the first POR method that is sound for the full modal μ\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\upmu $$\end{document}-calculus. We show how our technique can be applied to the fixed point logic called parameterised Boolean equation systems, which provides a high-level representation of parity games. Experiments with our implementation indicate that substantial reductions can be achieved.


Introduction
In the field of formal methods, model checking [2] is a popular technique to analyse the behaviour of concurrent processes. However, the arbitrary interleaving of these parallel processes can cause an exponential blow-up, which is known as the state-space explosion problem. Several approaches have been identified to alleviate this issue, by reducing the state space while it is generated. Two established techniques are symmetry reduction [17] and partial-order reduction (POR) [11,32,37]. Whereas symmetry reduction can only be applied to systems that contain several copies of a component, POR also applies to heterogeneous systems. The idea behind POR is that, out of many interleavings arising from commutative behaviour of concurrent processes, exploring just one interleaving is often sufficient to draw conclusions on the properties of the system. This is achieved by exploring only a specific subset of the outgoing transitions in every state that is visited. However, a major drawback of POR is that most variants at best preserve only stutter-insensitive temporal properties. The application of POR is thus limited to fragments of popular logics, namely LTL or CTL* without the next operator (LTL −X /CTL * −X ) [10,39] or the weak modal µ-calculus [35]. Furthermore, most of the variants of POR that preserve the semantics of formulae in a branching time logic impose significant restrictions on the reduction. This decreases the amount of reduction achieved.
In previous work [30], we addressed these shortcomings by applying POR on parity games. A parity game is an infinite-duration, two-player game played on a directed graph with decorations on the nodes, in which the players even (denoted ) and odd (denoted ) strive to win the nodes of the graph. Parity games find common application in model checking, where every node v in the parity game encodes whether a state s in a transition system satisfies a subformula ϕ of a given formal property, formulated in a temporal logic such as the modal µ-calculus [20]. Under a typical encoding, player wins in the node v if and only if ϕ holds in s.
In the context of model checking, parity games suffer from the same state-space explosion that models do. Exploring the state space of a parity game under POR can be a very effective way to address this. We investigated these ideas in [30] and proposed a number of conditions with the aim of preserving the winning player after reduction. Furthermore, we identi-fied a typical structure that occurs in the setting of model checking and exploited this to improve the reduction potential. We showed how this POR technique can be applied in the context of solving a parameterised Boolean equation system (PBES) [13]-a fixed point logic closely related to LFPas a high-level representation of a parity game. Finally, we extended the implementation ideas of [22] with support for non-determinism and applied these to create an experimental implementation, which we used to evaluate our ideas.
After [30] was presented, Antti Valmari noticed an issue with the POR conditions that affects their correctness, that is, the winning player is not necessarily preserved. This problem was subsequently resolved in Thomas Neele's thesis [26] with the introduction of an additional condition called P, for Player. The condition P prevents a situation where our reduction forces one player to hand control of the game to the other player, effectively giving the latter player a chance to win. The current work extends [30] as follows: -The POR conditions are amended with the additional condition P. We show the correctness with completely reworked proofs (Theorem 1). -Extended discussion of the intricacies of applying POR to PBESs. In traditional POR approaches, transition labels are used to determine which transitions should be grouped together. However, this information is lost in the construction of a PBES; grouping related transitions thus relies on heuristics. We show how the choice for such a heuristic may impact reduction. -We include full proofs for the lemmata that show that our implementation satisfies the POR conditions we set.
Our approach has two distinct benefits over traditional POR techniques that operate on transition systems. First, it is the first work that enables the use of partial-order reduction for model checking for the full modal µ-calculus. Second, the conditions that we propose are strictly weaker than those necessary to preserve the branching structure of a transition system used in other approaches to POR for branching time logics [10,35], increasing the effectiveness of POR.
In our implementation of POR for PBESs, it is necessary to first conduct static analysis on the PBES to identify reduction opportunities. Both this preparatory step and the additional computation required during the exploration phase create overhead compared to a regular exploration procedure. Our experiments show, however, that particularly those instances in which PBESs encode model checking problems involving large state spaces benefit from the use of partialorder reduction. In such cases, a significant size reduction is possible, even when checking complex µ-calculus formulae, and the time overhead mentioned above is more than made up for by the reduction in the number of states.

Related Work
The literature is rich with many variants of partial-order reduction; the most prominent are ample sets [32], persistent sets [11] and stubborn sets [37]. These methods are conceptually very similar, although the stubborn set method is the only one that allows reasoning about disabled actions (which label the transition relation), and thus offers more reduction potential. We discuss several extensions and applications of these methods.
There are several proposals for the application of POR in the context of verifying branching-time logics. Groote and Sellink [12] define several forms of confluence reduction and prove which behavioural equivalences (and by extension, which fragments of logics) are preserved. In confluence reduction, one tries to identify internal transitions, typically labelled with the action τ that can safely be prioritised, leading to a smaller state space. Ramakrishna and Smolka [35] propose a notion that coincides with strong confluence from [12], preserving weak bisimilarity and the corresponding logic, the weak modal µ-calculus.
Similar ideas are presented by Gerth et al. [10]. Their approach is based on the ample sets method [32] and preserves a relation that they call visible bisimulation and the associated logic CTL −X . To preserve the branching structure, they introduce a singleton proviso which, contrary to our theory, can greatly impair the amount of reduction that can be achieved (see our Example 3, p. 6).
An approach that does preserve a branching semantics but does not need a singleton proviso is proposed by Valmari and Vogler [41]. Their POR conditions are sufficient for preservation of fair testing equivalence, which is the weakest congruence that preserves livelocks that cannot be exited. This method is thus suited for checking properties under a fairness assumption.
Valmari [38] (see [40] for an up-to-date discussion) describes the stubborn sets method for LTL −X model checking. While investigating the use of stubborn sets for parity games, we identified a subtle issue in one of the stubborn set conditions (called D1 in [40]). When applied to labelled transition systems or Kripke structures, this means that LTL −X is not necessarily preserved. Moreover, using the condition in the setting of parity games may result in games with different winners; see Example 2. In [27], we further explore the consequences of the faulty condition for stubborn-set-based POR techniques that can be found in the literature. We here resort to a strengthened version of condition D1 that does not suffer from these issues.
Peled [33] applies POR on the product of a transition system and a Büchi automaton, which represents an LTL −X property. The resulting product automaton thus encodes both the transition system and the property, in a way similar to parity games, resulting in a POR approach that is similar to ours. It is important to note, though, that this original theory is not sound, as discussed in [36]. Kan et al. [18] improve on Peled's ideas and manage to preserve all of LTL. To achieve this, they analyse the Büchi automaton that corresponds to the LTL formula to identify which part is stutter insensitive. With this information, they can reduce the state space in the appropriate places and preserve the validity of the LTL formula under consideration.
The work of Bønneland et al. [3,4] is close to ours in spirit: they apply POR to reachability games. Such games can be used for synthesis and for model checking reachability properties. The formalism they consider thus has less expressive power than the parity games we consider. Their technique is applied to weighted Petri net games with inhibitor arcs, which are more low-level than our PBESs, and hence some intricacies related to PBESs (see Sect. 4) are avoided. As we already discussed in [30], the conditions proposed in [3] contain a small correctness issue that was later resolved in [4].
Outline We give a cursory overview of parity games in Sect. 2. In Sect. 3 we introduce partial-order reduction for parity games and prove its correctness. A further improvement is introduced in Sect. 3.3. Section 4 briefly introduces the PBES fixed point logic, and in Sect. 5, we describe how to effectively implement parity-game based POR for PBESs. We present the results of our experiments of using paritygame based POR for PBESs in Sect. 6. We conclude in Sect. 7.

Preliminaries
Parity games are infinite-duration, two-player games played on a directed graph. The objective of the players, called even (denoted by ) and odd (denoted by ), is to win nodes in the graph.
-Ω : V → N is a bounded function that assigns a priority to each node; and -P : V → { , } is a function that assigns a player to each node.
We write s → t whenever (s, t) ∈ E. The set of successors of a node s is denoted with succ(s) = {t | s → t}. We use to denote an arbitrary player and to denote its opponent. Furthermore, we write V = {v | P(v) = } for the set of nodes that belong to .
A parity game is played as follows: initially, a token is placed on some node of the graph. The owner of the node can decide where to move the token; the token may be moved Fig. 1 Example of a parity game along one of the outgoing edges. This process continues ad infinitum, yielding an infinite path of nodes that the token moves through. Such an infinite path is called a play. A play π is won by player if the minimal priority that occurs infinitely often along π is even. Otherwise, it is won by player 1 . Note that at least one priority occurs infinitely often on π because Ω is bounded. We stress that we consider min parity games (smaller priorities dominate larger priorities); max parity games (larger priorities dominate) are also commonly found in literature.
To reason about moves that a player may want to take, we use the concept of strategies. A strategy σ : V * · V → V for player is a function that determines where moves the token next, after the token has passed through a finite sequence of nodes. More formally, for all non-empty paths A player wins in a node s if and only if there is a strategy σ such that all plays that start in s and that are consistent with σ are won by player . Fig. 1. Here, priorities are inscribed in the nodes and the nodes are shaped according to their owner ( or ). Let π be an arbitrary, possibly empty, sequence of nodes. In this game, the strategy σ , partially defined as σ (π s 1 ) = s 2 and σ (π s 2 ) = s 1 , is winning for in s 1 and s 2 . After all, the minimal priority that occurs infinitely often along (s 1 s 2 ) ω is 0, which is even. Player can win node s 3 with the strategy σ (π s 3 ) = s 4 . Note that player is always forced to move the token from node s 4 to s 3 .

Example 1 Consider the parity game in
The strategies σ and σ used in the above example are memoryless; a strategy σ is called memoryless if and only if σ (πs) is equivalent for all histories π . In fact, memoryless strategies are sufficient for determining the winner of a node: as shown by Zielonka [42], for all players , parity games G and nodes s, there is a winning -strategy for s in G if and only if there is a winning memoryless -strategy for s in G. In the remainder, we mostly use memoryless strategies and specify them as a partial function σ : V → V . Only in the proof of Theorem 1, we apply strategies with memory.

Partial-order reduction
In model checking, arbitrary interleaving of concurrent processes can lead to a combinatorial explosion of the state space. By extension, parity games that encode model checking problems for concurrent processes suffer from the same phenomenon. Partial-order reduction (POR) techniques help combat the blow-up. The current work is based on Valmari's theory of stubborn sets [37] and its extension to LTL −X model checking [38] as it can easily deal with nondeterminism [39].
The name "partial-order reduction" came from the idea that if two events occur concurrently, then it is artificial to say that one of them occurred before the other. Therefore, the "occurred before" relation is thought of as a partial order. Permutations of concurrent events span equivalence classes of executions. According to this idea, to analyse the behaviour of the system, it suffices to represent each equivalence class by a single execution. This intuition has proven misleading. When constructing representatives that are kept for executions that are not kept, most "partial order" methods not only permute, but also remove and add events. Furthermore, the property being verified has a strong influence on what needs to be kept. However, the term "partial order" has persisted.

Weak stubborn sets
Partial-order reduction relies on edge labels, here referred to as events and typically denoted with the letter a. In a typical application of POR, such events and edge labelling are deduced from a high-level syntactic description of the graph structure (see also Sect. 4). A reduction function subsequently uses these events when producing an equivalent reduced graph structure from the same high-level description, such that the answer to the verification question is not changed. For now, we tacitly assume the existence of a set of events and edge labelling for parity games and refer to the resulting structures as labelled parity games. For the purpose of defining labelled parity games as a structure on top of parity games, we define edge labels in a somewhat unusual way. This does not affect the theory in any way.
is a parity game, A is a set of events and : A → 2 E is an edge labelling; it is required that for all (s, t) ∈ E there is at least one a ∈ A such that (s, t) ∈ (a).
For the remainder of this section, we fix an arbitrary labelled parity game L = (G, A, ). We write s a − → t whenever s → t and (s, t) ∈ (a). The same notation extends to labelled paths, which we call executions: s The set of all enabled events in a node s is denoted with enabled L (s).
The set of events A has a subset I whose elements are called invisible, such that for every a ∈ I, s a − → t implies P(s) = P(t) and Ω(s) = Ω(t) for all s, t ∈ V . The elements of A\I are visible. This definition allows an implementation to over-approximate A\I, i.e., if it is too difficult to find out whether s a − → t implies P(s) = P(t) and Ω(s) = Ω(t) for all s, t ∈ V , then a may be classified as visible.
A reduction function indicates which edges are to be explored in each node, based on the events associated to the edges. Given some initial nodeŝ, such a function induces a unique reduced labelled parity game as follows.
Definition 3 Given a nodeŝ ∈ V and a reduction function r : V → 2 A , the reduced labelled parity game induced by r and starting fromŝ is defined as L r = (G r , A, r ), where G r = (V r , E r , Ω r , P r ) and r are such that: be the transition relation under r , then V r = {s |ŝ E * s} is the set of nodes reachable with E , where E * is the reflexive transitive closure of E , and E r = E ∩(V r ×V r ) is the restricted transition relation; -Ω r and P r are the respective restrictions of Ω and P on Note that a reduced labelled parity game is only welldefined when r (s)∩enabled L (s) = ∅ for every node s ∈ V r ; if this property does not hold, E r is not total. Even if totality of E r is guaranteed, the same node s may be won by different players in L and L r if no restrictions are imposed on r . In case the reduced game is finite, the following conditions on r , as we will show, are sufficient to ensure both. Below, we say an event a is a key event in s iff for all executions s a 1 ...a n −−−→ s such that a 1 / ∈ r (s), . . . , a n / ∈ r (s), we have s a − →. (The underlying intuition will be explained later.) Key events are typically denoted a key . Note that every key event is enabled, by taking n = 0.

Definition 4 Given a labelled parity game
where G = (V , E, Ω, P), we say that a reduction function r : V → 2 A is a weak stubborn set for L iff for all nodes s ∈ V , the following conditions hold 2 : D1 For all a ∈ r (s) and a 1 / ∈ r (s), . . . , a n / ∈ r (s), if s invisible key event. L For every visible event a, every cycle in the reduced game contains a node s such that a ∈ r (s ). P If there is an event a ∈ r (s) and a node t such that s a − → t and P(s) = P(t), then r (s) = A.
Below, we also use the term (weak) stubborn set to refer to the set of events r (s) in some node s. Originally [37], the set r (s) was constructed so that, if there is an enabled event, it always contained an enabled event that could not be disabled by events outside r (s). This is the origin of the word "stubborn" in its name: at least one event in r (s) is determined to happen and cannot be prevented by the outside world.
We sketch the intuition behind the stubborn set conditions. Condition D1 ensures that whenever an enabled event is selected for the stubborn set, it does not disable executions not in r (s). Hence, executions that are removed from the state space can still be mimicked, albeit with a slightly different order of events. (The events a and a 1 , . . . , a n are commuted.) The key event required by D2w must be enabled (as mentioned above), which guarantees totality of E r . Furthermore, condition D1 applies in particular to key events, and thus executions that are removed can always be mimicked via a key event. In this sense, D1 and D2w together capture the core idea of POR: reduce the number of similar interleavings that are explored. In a traditional setting where POR is applied on a transition system, the combination of D1 and D2w is sufficient to preserve deadlocks, hence their name.
To preserve the winning player in a parity game, we, furthermore, require conditions V, I and L, which originate from the LTL −X -preserving stubborn set method [38], and condition P, which is specific for parity games. Condition V ensures that reduction only occurs when the mimicking execution produced by D1 does not reorder visible events compared to the executions that are pruned from the state space. Condition L prevents the so called action-ignoring problem, where a certain visible event is never selected for the stubborn set and ignored indefinitely. Since we assumed the reduced game is finite, such indefinite ignoring can only happen on cycles; this is thus properly addressed by L. Condition I ensures that if the game has an invisible infinite execution from some state, then also the reduced game has one.
In the traditional setting of POR for transition systems, the LTL −X method using conditions D1, D2w, V, I and L was designed to show that each infinite (or deadlocking) execution has a stuttering-equivalent representative in the reduce transition system. Our parity game setting adds to this the problem that control of the token may move from one player to another. We thus need the additional condition P; this guarantees that the winning player is preserved in roughly the following way. Let s be a node that is won by in the original game and π an execution that is consistent with a winning strategy for in s. When the loser is in control of the token in the reduced game, wherever it moves the token next, the token will stay in nodes that loses in the original game. On the other hand, when the winner is in control of the token, the LTL −X arguments for representative paths apply until loses control. When that happens, condition P ensures that all original events chosen by in π have been executed also in the reduced game. Invisible events may have been added compared to the original execution π , but the -node t that the token ends up in can also be reached by in the original game by following those same invisible events. Hence, the winner also wins t in the original game. Thus, as sketched above, we are able to reduce those parts the game that belong to a single player, and where multiple paths exist that observe the same priorities (up to stuttering).
We use the example below to further illustrate the purpose of-and need for-conditions V, I, L and P. In particular, the example illustrates that the winning player in the original game and the reduced game might be different if one of these conditions is not satisfied.

Example 2
First, see the labelled parity games of Fig. 2. These four games show a reduced game under a reduction function satisfying D1 and D2w but not I, L, V or P, respectively. In each case, we start exploration from the node called s, using the indicated reduction function inŝ; for all other nodes s we have r (s ) = A. This yields the respective games that only contain the solid nodes and edges; the dashed parts have been pruned. Consequently, the winning strategy for player in the original game (highlighted in grey in the figures) is lost. The example in Fig. 2d, showing the necessity of condition P, is due to Antti Valmari. Our previous work [30] did not contain condition P and may thus fail to preserve the winner in this game. Now consider the parity game of Fig. 3, which is inspired by an example from Valmari and Hansen [40]. Here, the condition L is replaced by a weaker condition which states that for all visible events a, every strongly connected component (SCC) in the reduced game must contain a node s such that a ∈ r (s). This condition is often called S in the literature. Remark that the two leftmost nodes form an SCC and we have a 1 ∈ r (ŝ), thus satisfying S. However, condition L is not satisfied in the cycle consisting of only the bottom-left node.
Finally, consider the parity game in Fig. 4. This game shows that, if instead of condition D1 as presented in the current work, we use the original formulation [38] For all a ∈ r (s) and then the winning player is not necessarily preserved. We refer the reader to [28] for an in-depth discussion of this problem in the setting of LTL −X model checking.
Note that the games in Figs. 2a-c and 3 are from a subclass of parity games called weak solitaire, illustrating the need for the identified conditions even in restricted settings. A game is solitaire iff at most one player can make non-trivial choices, i.e., the player owns a node with more than one outgoing edge. A game is weak iff the priorities along all its paths are non-decreasing, i.e., if s → t then Ω(s) ≤ Ω(t). The game in Fig. 2d is weak, but not solitaire. Conversely, the game in Fig. 4 is solitaire, but not weak. Weak solitaire games can encode the model checking of safety properties, solitaire games can capture logics such as LTL and ∀CTL * [14] (the universal fragment of CTL * ) and weak games can be used to check CTL properties.
Before we argue for the correctness of our POR approach in the next section, we shortly demonstrate how our approach improves over existing methods for branching time logics. On top of the basic conditions C1-C3, which preserve LTL −X and are similar in spirit to our conditions D1 through L, Gerth et al. [10] propose the following singleton proviso: This extra condition helps preserve the branching structure and is thus needed for preservation of CTL −X . However, it can severely impact the amount of reduction achieved; see the following example.

Example 3
Consider the two transition systems below, where n ≥ 1 is some large natural number.
The cross-product of these transition systems contains (n + 1) 2 states.
Assume we want to check the CTL-property ϕ = ∀ ∃ a n , where a n is true in a state if and only action a n is enabled, on this cross-product. This property expresses: "for all reachable states, there is a path to a state where a n is enabled", which does not hold. There is no equivalent formula in LTL, and hence, condition C4 is required for POR to preserve this property.
In the initial stateŝ, neither r (ŝ) = {a 1 , a 1 } nor r (ŝ) = {b 1 , b 1 } is a valid stubborn set, due to C4. Other choices for r (ŝ) are ruled out by the remaining conditions, so we are forced to set r (ŝ) = A. A similar argument applies to all other states and thus no reduction can be achieved.
Alternatively, we can choose to attack our model checking problem by encoding it in a parity game. For this, we use a µ-calculus formula which corresponds to ϕ, namely a n true)). The resulting labelled parity game is depicted in Fig. 5. When not explicitly indicated, horizontal edges are labelled with events b i and b i (and therefore drawn twice), vertical edges are labelled with events a i and a i and diagonal edges are labelled with c. This game contains 2(n + 1) 2 + 1 nodes: there is one node for each combination of state (of which there are (n + 1) 2 ) and fixpoint variable (X and Y ) in the formula, and one auxiliary node.
Applying POR with our conditions D1 through P allows choosing r (v) = {b 1 , b 1 } in the initial nodev; an analogous choice can be made in the other nodes. This ultimately results in a game of 3(n + 1) nodes, which we can solve to answer our model checking question.
While several optimisations for CTL −X model checking under POR are proposed in [24], unlike our approach, those optimisations can only be applied to certain classes of CTL −X formulas and not in general.

Correctness
Condition D2w suffices, as we already argued, to ensure totality of the transition relation of the reduced labelled parity game. Hence, we are left to argue that the reduced game preserves and reflects the winner of the preserved nodes of the original game; this is formally claimed in Theorem 1. We do so by constructing a strategy in the reduced game that mimics the winning strategy in the original game. We use stutter equivalence (formally defined below) to compare plays that follow these strategies and use this to conclude that the mimicking strategy we constructed is winning in the reduced game. This reasoning is based on [9].
We introduce a couple of auxiliary lemmata, required for our main correctness theorem. Fix a labelled parity game , a nodeŝ, a weak stubborn set r and the reduced labelled parity game L r = (G r , A, r ), with G r = (V r , E r , Ω r , P r ), induced by r and s. We assume r andŝ are such that V r is of finite size. Given a path π = s 0 s 1 s 2 . . . (either in G or G r ), we define the nostutter trace, notation no-stut(π ), as the sequence of those Ω(s i ) such that i = 0 or Ω(s i ) = Ω(s i−1 ).

Lemma 1 All infinite stutter equivalent paths have the same winner.
Proof Let π = s 0 s 1 s 2 . . . be an infinite path and p the minimal priority that occurs infinitely often on π . Take an arbitrary infinite path ρ such that no-stut(π ) = no-stut(ρ).
If no-stut(π ) is finite, then p must be its last element and p is in fact the only priority that occurs infinitely often on π . The same then applies to ρ: p is the only priority that occurs infinitely often on ρ.
Otherwise, if no-stut(π ) is infinite, then it is equal to Ω(s 0 )Ω(s 1 )Ω(s 2 ) . . . where finite repetitions are collapsed. This operation does not influence which priorities occur infinitely often. Hence, p is also the minimal priority that occurs infinitely often in no-stut(ρ) and, consequently, on ρ.
Since p is the minimal priority that occurs infinitely often on both π and ρ, they must have the same winner.
Our second lemma provides a basic stubborn set fact on the availability of key transitions.

Lemma 2
If, for some event a, it holds that s a − → and a / ∈ r (s), then r (s) contains an invisible key event in s.
Proof If a is invisible, r (s) contains at least one invisible key event, due to I.
Otherwise, if a is visible, we obtain a key event a key ∈ r (s) from D2w. In case a key is visible, we violate condition V with the assumption that a / ∈ r (s) and since a key is enabled by the key event property. We conclude that a key is invisible.
In the lemmata below, we write → r to stress which transition must occur in G r .
Proof Assume the executions are of the shape π = s 0 If a is visible, then our assumption that a ∈ r (s 0 ) means that r (s 0 ) contains an enabled visible event, and, by V, it contains all visible events. Thus the events a 1 , . . . , a n , which we assumed are not in r (s 0 ), must be invisible. We get Ω(s 0 ) = Ω(s 1 ) = · · · = Ω(s n ) and Ω(s 0 ) = Ω(s 1 ) = · · · = Ω(s n ).
. . for some invisible event a key , and it holds that π ρ.
Proof Let a key ∈ r (s 0 ) be an invisible key event, obtained through Lemma 2 by s 0 The key event property gives us, for each i, a state s i,i such that s i a key − − → s i,i . In case π has finite length n, we can simply apply D1 to the execution s 0 If π is infinite, we use a reasoning similar to that of König's Lemma [21]. We can apply D1 to obtain a finite execution Fig. 6 Example of how a 1 , a 2 , a 3 is mimicked by introducing a key and a key and moving a 2 to the front (dashed trace). Transitions that are drawn in parallel have the same label a key is invisible, D1 furthermore gives us s k a key − − → s i,k for every i ≥ 0 and 1 ≤ k < i. We prove by induction that for every k, there is s k such that s 0 Because there are only finitely many states, there is a state s 0 that is the same as s i,0 for infinitely many values of i. This constitutes the base case.
To prove the induction step, we observe that all or all but one of the infinitely many i with s i,k = s k satisfy i > k, and thus have an s i,k+1 such that s k a k+1 −−→ s i,k+1 . Infinitely many of these s i,k+1 are the same state, again because there are only finitely many states. This state qualifies as s k+1 .
Then we define ρ = s 0 We remark that Lemma 4 also holds for reduced labelled parity games that have an infinite state space, but where all the events are finitely branching. Before we continue with the next lemmata, we first consider a short example to provide some intuition on how Lemmata 3 and 4 can be applied to construct alternative paths in the reduced game.

Example 4
The structure of Fig. 6, in which parallel edges have the same label, visualises part of a game in which the execution π = s a 1 a 2 a 3 − −−− → (drawn with solid edges) is part of a play that traverses nodes of player . If we assume a 1 / ∈ r (s), then π does not exist in the reduced game. However, it might be possible to mimic π through the path that follows the edges a key a 2 a 1 a key a 3 (drawn with dashes). The new play reorders the events a 1 , a 2 and a 3 according to the construction of Lemma 3 and introduces the key events a key and a key according to the construction of Lemma 4. Note that existence of a key is only guaranteed if a 3 / ∈ r ( ) (the stubborn set in the fourth node of the mimicking path).
We now continue with two lemmata that, respectively, show how finite and infinite executions from the original game can be mimicked in the reduced game. Showing the relation between the paths π , ρ i , ρ i and π i from the proof of Lemma 5 Proof We use induction to prove, for some m and each 0 ≤ i ≤ m, the existence of the following executions for some These executions, and also π , are connected; we have s 0 = t 0 , t i = t i,0 , u 0 = s n and u l(i) = t i,k(i) (see Fig. 7). Below, let P(ρ i ρ i ) be the sequence of node owners observed along ρ i ρ i . The induction assumption, furthermore, contains: The intuition behind the hypothesised executions is as follows: ρ i contains transitions of π that we have been able to mimic in the reduced game after i steps, as well as key events that were necessarily introduced along the way. Those same key events can also be used to extend π in the original game, this is the execution κ i . The transitions from π that are still to be mimicked make up ρ i .
For the induction step, we distinguish two cases when k(i) > 0. The situation where k(i) = 0 will be handled at the end of the proof.
Finally, for (3), we reason that the last event will not be moved forward unless it is the only event in ρ i , i.e., j = k(i) implies k(i) = 1. Assume that a i,1 , . . . , a i,k(i)−1 / ∈ r (t i ) and a i,k(i) ∈ r (t i ). By our initial assumption on the owners of nodes in π , we have P(t i,k(i)−1 ) (3) = P(s 0 ) = P(s n ) (3) = P(t i,k(i) ) so a i,k(i) must be visible 3 and, by D1, enabled in t i . Condition V thus requires that all visible events are in r (t i ); a i,1 , . . . , a i,k(i)−1 are not, so they must all be invisible. We can deduce: Thus, the antecedent of condition P is fulfilled by the transition t i a i,k(i) − −− → r t i+1 , and we have to set r (t i ) = A. This then contradicts our assumption that a i,1 , . . . , a i,k(i)−1 / ∈ r (t i ), unless k(i) = 1. So, after moving the event a i, j to the front, we must have P(ρ i ρ i ) = P(ρ i+1 ρ i+1 ) for one of the following reasons: a i, j is invisible: in this case the vertical transitions a i, j is visible and j < k(i): now the events a i,0 , . . . , a i, j−1 must be invisible by V, since we assumed that they are not contained in r (t i ). This gives us P(t i,0 ) = · · · = P(t i, j−1 ) and P(t i+1,0 ) = · · · = P(t i+1, j−1 ). By j < k(i) and assumption (3), we obtain P(t i, j−1 ) = P(t i, j ), which together with the previous equalities gives us a i, j is visible and j = k(i): as we argued above, this implies that k(i) = 1. Thus, a i, j was already at the front and ρ i ρ i and ρ i+1 ρ i+1 actually coincide. The result P(ρ i ρ i ) = P(ρ i+1 ρ i+1 ) follows trivially.
We also have i + k(i) = (i + 1) + k(i + 1), and we conclude that (3) remains valid: In the opposite case none of a i,1 , . . . , In that case, we obtain an invisible key event a key ∈ r (t i ) from Lemma 2 by t i The key event property yields the transition t i,k(i) a key − − → t i+1,k(i+1) , to which we can apply Lemma 3 to obtain t i We choose b i+1 = a key and  a i+1,1 . . . a i+1,k(i+1) = a i,1 . . . a i,k(i) . We call this "introducing a key event". Note that l(i + 1) = l(i) + 1 (since k(i + 1) = k(i)), so we need to extend κ i , for which we use the transition t i,k(i) a key − − → t i+1,k(i+1) , yielding u l(i+1) = t i+1,k(i+1) and a key = c l(i+1) . The invisibility of a key gives 3 Here it is important that (in)visibility concerns not only priorities, but also node ownership, otherwise we would not be able to derive visibility of a i,k(i) . us: no-stut(π ) (1) = no-stut(π κ i ) = no-stut(π κ i+1 ), and so (1) also holds for i + 1. The invisibility of a key = b i+1 = c l(i+1) also allows us to deduce (2) = no-stut(s 0 So (2) remains valid in the step from i to i + 1.
Since a key is invisible, ρ i+1 is simply extended with one more node belonging to P(s 0 ) and, by D1, we have P(t i, j ) = P(t i+1, j ) for all 0 < j ≤ k(i), so it follows that (3) remains valid as well: As the proof of Lemma 6 will show in more detail, due to condition L and finiteness of the reduced game, the introduction of a key event can only happen at most |V r | consecutive times before a cycle is closed and some a i, j necessarily occurs in r (t i ). Thus, we are guaranteed to eventually reach an iteration m such that k(m) = 0. In that case, ρ m is empty and all events in π have been mimicked, so we can stop the induction. We obtain the required executions ρ = ρ m and κ = κ m .
In the opposite case none of a i,1 , a i,2 , . . . is in r (s i ).  a key and  a i+1,1 a i+1,2 . . . = a i,1 a i,2 . . .. Furthermore, invisibility of a key gives no-stut(s 0 So (IH) remains valid in the step from i to i + 1.
Since we have shown that (IH) holds for every i ≥ 0, it follows that no-stut(ρ) is a prefix of no-stut(π ). To show that no-stut(ρ) and no-stut(π ) are in fact equal, we assume that no-stut(ρ) is a proper prefix of no-stut(π ) and try to derive a contradiction.
The fact that no-stut(ρ) is a proper prefix means that it must be finite, and hence there is an i such that no-stut(ρ) = no-stut(s 0 By the latter fact and the proper prefix property, there is a v such that Ω(s i,v−1 ) = Ω(s i,v ), and so a i,v is visible. We use the smallest such v.
Observe that if D1 is applied at s i to move event a i, j to the front, where j > v, or D2w is applied, then a i+1,k = a i,k for 1 ≤ k ≤ v. If the same also happens at s i+1 then a i+2,k = a i,k for 1 ≤ k ≤ v, and so on, either forever or until D1 is applied such that j ≤ v, whichever comes first. We show next that the latter comes first.
Because S r is finite, we may let n = i + |S r |. By the pigeonhole principle, s i , …, s n cannot all be distinct. So the execution s i b i+1 ...b n − −−−− → s n contains a cycle. L implies that there is i ≤ l < n such that a i,v ∈ r (s l ). This guarantees that there is the smallest h such that i ≤ h < i + |S r | and {a i,1 , . . . , a i,v } ∩ r (s h ) = ∅. Observe that at any step i ≤ i < h, whether D1 is applied to move a i , j forward, where j > v, or D2w is applied to introduce a key event, we have a i +1,v = a i ,v . Furthermore, for all i ≤ i < h, V and the fact that a i,v / ∈ r (s i ) imply that b i must be invisible, so the priorities occurring before and after a i,v are preserved, that is, In the latter case, s i ,v−1 = s i +1,v−1 and Repeating the argument at most v times proves that there To be able to lift our knowledge about mimicking executions in the reduced game to mimicking strategies, we need to formalise the relation between paths through nodes belonging to player and partial strategies for . Given a (possibly infinite) path π = s 1 s 2 . . . where all nodes, except the last node (if it exists), belong to , the partial strategy σ π induced by π is such that σ π (s 1 . . . s i ) = s i+1 for all i < |π |. Conversely, given a node s 1 belonging to and a strategy σ for such that σ (s i ) = s i+1 , the induced path is the longest sequence π = s 1 s 2 . . . such that P(s i ) = for all i < |π |. We are now ready to present our main correctness result. The overarching reasoning in its proof is also used in [9] to create parity game equivalence relations that preserve the winning player.

Theorem 1 If G r has a finite state space then it holds that for every node s in G r , the winner of s in G r is equal to the winner of s in G.
Proof We first give a short outline of the proof. Let s be an arbitrary node in G r and let be the player that wins s in G, with σ as its winning strategy. To show that s is also won by in G r , we need to construct a strategy σ r in G r and show that it is indeed a winning strategy for in s. The latter is achieved by showing that for any G r -play π r starting in s and consistent with σ r , there is a stutter equivalent G-play π starting in s and consistent with σ . Since σ is a winning strategy for , π must be won by and, by Lemma 1, so must π r . We can then conclude that all G r -plays starting from s and consistent with σ r are won by , and hence σ r is a winning strategy for in s. This yields the final result that also wins s in G r . Let π s = s 0 s 1 . . . be the path induced by some node s ∈ G and σ , where s = s 0 . If π s is infinite, then the token stays in nodes owned by . We apply Lemma 6 to obtain a path ρ s in G r and define σ s to be the partial strategy induced by ρ s .
Otherwise, π s is finite and ends in a node owned by . Here, we can apply Lemma 5 to obtain paths ρ s in G r and κ s in G, such that π s π s κ s ρ s and, except for the last, all nodes in ρ s belong to . This gives rise to the partial strategy σ s that is induced by ρ s .
Repeating this procedure for every node s owned by yields a set of partial strategies σ s such that σ s is defined only for the prefixes of the paths ρ s that we constructed above. We create a total strategy σ r in G r by setting σ r (s 0 . . . s n ) = σ s i (s i . . . s n ) if s i . . . s n is a prefix of ρ s i , where s i . . . s n is the longest non-empty suffix of s 0 . . . s n wholly belonging to . If s i . . . s n is not a prefix of ρ s i , then an arbitrary successor of s n in G r may be chosen for σ r (s 0 . . . s n ).
What remains is to show that for all plays consistent with σ r , there is a stutter equivalent play consistent with σ . Let π r = s 0 s 1 . . . be an arbitrary play in G r and assume it is consistent with σ r . We break up π r into maximal subsequences π i = s i . . . s j (respectively, π = s i . . . ) such that P(s i ) = . . . P(s j−1 ) = P(s j ) (respectively, P(s i ) = P(s i+1 ) = . . . ) and show how these can be transformed into subsequences π i to create a play π such that π π r and π is consistent with σ . Note that there is an overlap of one node between adjacent subsequences π i and π i+1 ; these nodes will be preserved by our transformation.
Let π i = s i . . . s j or π = s i . . . be such a maximal subsequence. If P(s i ) = , then π i is trivially consistent with σ , since σ only concerns -nodes. We thus choose π i = π i .
Otherwise, if P(s i ) = , we use maximality of π i to deduce that σ r (s 0 . . . s k ) = σ s i (s i . . . s k ) for all k such that i ≤ k < j, respectively, i ≤ k when π i is infinite. We constructed the partial strategy σ s i from ρ s i and π i is consistent with σ s i , so π i must coincide with ρ s i . During the construction of ρ s i we showed that it is stutter-equivalent to π s i , which was derived from and is consistent with σ . In the infinite case, we thus choose π i = π s i . In the finite case, we have to ensure s j is also the last node in π i , so it can be joined up with π i+1 . This is achieved by setting π i = π s i κ s i , which we also showed to be stutter-equivalent to ρ s i . Furthermore κ s i contains only nodes owned by , so π s i κ s i is still consistent with σ .
In all three cases, we have for each i, π i π i and π i and π i have the same first and, if finite, last nodes. We define π as the play π 0 π 1 . . . , with the aforementioned overlap removed. Stutter-equivalence of π r and π follows from stutter-equivalence of the subsequences.

Optimising D2w
The theory we have introduced identifies and exploits rectangular structures in the parity game. This is especially apparent in condition D1. However, parity games obtained from model checking problems also often contain triangular structures, due to the (sometimes implicit) nesting of conjunctions and disjunctions, as the following example demonstrates.

Example 5
Consider the process (a b) · c, in which actions a and b are executed in (interleaved) parallel, and action c is executed upon termination of both a and b. In the context of this process, the µ-calculus property μX .([a]X ∧ [b]X ∧ − true), also expressible in LTL, expresses that the action c must unavoidably be done within a finite number of steps; clearly this property holds true of the process. Below, the transition system is depicted on the left and a possible parity game encoding of our liveness property on this state space is depicted on the right. The edges in the labelled parity game that originate from the subformula − true are labelled with d. In order to deal with games that contain triangular structures, we propose a condition that is weaker than D2w.

D2t
There is an event a ∈ r (s) such that for all a 1 / ∈ r (s), . . . , a n / ∈ r (s), if s With the fact that a key is invisible and s i a key − − → s i or s i = s i , we conclude that π π .
We remark that the concepts of triangular and rectangular structures bear similarities to the concept of weak confluence from [12].

Parameterised Boolean equation systems
Parity games are used, among others, to solve parameterised Boolean equation systems (PBESs) [13], which, in turn, are used to answer, e.g., first-order modal µ-calculus model checking problems [5]. In the remainder of this paper, we show how to apply POR in the context of solving a PBES (and, hence, the encoded decision problem). We first introduce PBESs and show how they induce labelled parity games.
A parameterised Boolean equation system is a sequence of fixed point equations over predicate formulae, i.e., firstorder logic formulae with second order variables. A PBES is given in the context of an abstract data type, which is used to reason about data. Non-empty data sorts of the abstract data type are typically denoted with the letters D and E. The corresponding semantic domains are D and E. We assume that sorts B and N represent the Booleans and the natural numbers respectively, and have B and N as semantic counterpart. The set of data variables is V, and its elements are usually denoted with d and e. To interpret expressions with variables, we use a data environment δ, which maps every variable in V to an element of the corresponding sort. The semantics of an expression f in the context of such an environment is denoted f δ. For instance, x < 2 + y δ holds true iff δ(x) < 2 + δ(y). To update an environment, we use For conciseness, we only consider PBESs in standard recursive form (SRF) [29], a normal form in which each right-hand side of an equation is a guarded formula instead of an arbitrary (monotone) predicate formula. We remark that a PBES can be rewritten to SRF in linear time, while the number of equations grows linearly in the worst case [29,Proposition 2]. For a formalisation of the transformation to SRF, see [26, section 3.1].
Let X be a countable set of predicate variables. In the exposition that follows we assume for the sake of simplicity (but without loss of generality) that all predicate variables X ∈ X are of type D. We permit ourselves the use of nonuniformly typed predicate variables in our example.

Definition 6
A guarded formula φ is a disjunctive or conjunctive formula of the form: where J is an index set, each f j is a Boolean expression, referred to as guard, every e j is a (bound) variable of sort E j , each g j is an expression of type D and each X j is a predicate variable of type D. A guarded formula φ is said to be total if for each data environment δ, there is a j ∈ J and v ∈ E j such that f j δ[v/e j ] holds true.
We refer to the conjuncts, respectively, disjuncts, of a guarded formula as clauses. The denotational semantics of a guarded formula is given in the context of a data environment δ for interpreting data expressions and a predicate environment η : X → 2 D , yielding an interpretation of X j (g j ) as the truth value g j δ ∈ η(X j ). Given a predicate environment and a data environment, a guarded formula induces a monotone operator on the complete lattice (2 D , ⊆). By Tarski's theorem, least (μ) and greatest (ν) fixed points of such operators are guaranteed to exist.

Definition 7 A parameterised Boolean equation in SRF normal form is an equation that has the shape
where φ(d) is a total guarded formula in which d is the only free data variable. A parameterised Boolean equation system in SRF is a sequence of parameterised Boolean equations in SRF, in which no two equations have the same left-hand side variable.

Henceforward, let
be a fixed, arbitrary PBES in SRF, where σ i ∈ {μ, ν}. The set of bound predicate variables of E, denoted by bnd(E), is the set {X 1 , . . . , X n }. If the predicate variables occurring in the guarded formulae ϕ i (d) of E are taken from bnd(E), then E is said to be closed; we only consider closed PBESs. Every bound predicate variable is assigned a rank, where rank E (X i ) is the number of alternations in the sequence of fixpoint symbols νσ 1 σ 2 . . . σ i . The sequence of fixpoint symbols in this definition is prepended with a ν to ensure that rank E (X i ) is even if and only if σ i = ν. We use the function op E : bnd(E) → {∨, ∧} to indicate for each predicate variable in E whether the associated equation is disjunctive or conjunctive. As a notational convenience, we write J i to refer to the index set of the guarded formula ϕ i (d), and we assume that the index sets are disjoint for different equations.
Note that for the sake of simplicity, we only consider PBESs in which each equation carries the same parameter d:D. The theory presented in the following can be straightforwardly extended to support PBESs where each equation has a different number of parameters, something we also permit ourselves in the examples.

Semantics
The standard denotational fixed point semantics of a closed PBES associates a subset of D to each bound predicate variable (i.e., their meaning is independent of the predicate environment used to interpret guarded formulae). For details of the standard denotational fixed point semantics of a PBES we refer to [13]. We forego the denotational semantics and instead focus on the (provably equivalent, see e.g. [6,29]) game semantics of a PBES in SRF. Below, recall that, in the PBES E that we fixed, each predicate variable X i carries a data parameter named d and uses the set J i to index the clauses in its right-hand side.
where X i ∈ bnd(E) and G E is the parity game associated with E. The game G E = (V , E, Ω, P) is defined as: In the definition of the transition relation E, the successors of (X i , v) are exactly those (X j , w) which may influence the validity of the right-hand side ϕ i of X i ; this does not depend on whether ϕ i is disjunctive or conjunctive. Note that the parity game G E may have an infinite state space when D is infinite. In practice, we are often interested in the part of the parity game that is reachable from some initial node (X , v); this is often (but not always) finite. We illustrate the PBES semantics with an example.

Example 6 Consider the following PBES E in SRF:
The six nodes in the parity game G E which are reachable from (X , true) are depicted in Fig. 8. We study the clause ∃n:N .n ≤ 2 ∧ Y (b, n) in detail. The conditions n ≤ 2 δ[true/b] and true, 2 = b, n δ[true/b] from Definition 8 are satisfied if δ(n) = 2. Hence, the edge (X , true) → Fig. 8 Reachable part of the parity game underlying the PBES of Example 6, when starting from node (X , true) (Y , true, 2) is present in the game. In fact, all three horizontal edges at the top stem from this same clause.
The leftmost vertical edge originates from the clause b∧Z , while the horizontal edge from Z to (Y , false, 0) originates from true ∧ Y (false, 0). The remaining edges, including the selfloop, are induced by the clause true ⇒ Y (false, 0).
All plays in this game end in the node (Y , false, 0) and iterate there ad infinitum. Since its priority is odd, all plays -and consequently all nodes -are won by player odd. This means that the semantics of E satisfies true / ∈ E (X ).
As suggested by the above example, each edge is associated with (at least) one clause in E. Consequently, we can use the index sets J i to event-label the edges emanating from nodes associated with the equation for X i . We denote the set of all events in E by evt(E), defined as evt(E) = X i ∈bnd(E) J i . Definition 9 Let G E be the parity game associated with E. The labelled parity game associated with E is the structure (G E , evt(E), ), where G E is as defined in Definition 8, and, for j ∈ J i , we have It follows from the definition that the event j ∈ J i is invisible if rank E (X i ) = rank E (X j ) and op E (X i ) = op E (X j ), and visible otherwise. Since solving the parity game G corresponding to a PBES E also yields a solution for E (Definition 8) and POR preserves the solution of a parity game (Theorem 1), it suffices to solve a reduced game G r to obtain a (partial) solution to E.
As discussed before, our main application domain is model checking. When checking a µ-calculus formula ϕ on a transition system T , we typically only need to determine whether the initial node of T satisfies ϕ. That corresponds to finding the solution of a single node (X , v) in the PBES that encodes T and ϕ. Our approach is thus, given a PBES E, to compute a reduced game G r , starting from (X , v), and then determine the winner of (X , v) in G r . If G r is sufficiently smaller than the full game G and the overhead of computing the reduction function r is limited, this is faster than solving the PBES through the full game G.

Choice of edge labelling
The labelled parity game derived from a PBES E associates exactly one event with every clause in E. However, our POR correctness theorem (Theorem 1) in principle allows any edge labelling as long as the stubborn set conditions are satisfied. The choice for the labelling function does influence the amount of reduction that can be achieved. In the extreme cases that every edge has a unique label or all edges are labelled the same, no reduction can be achieved. The below example shows a case for which our current labelling function hinders reduction.

Example 7
Consider the SRF-PBES below, where the name of each clause is indicated on the right, and its labelled parity game in Fig. 9.
Note that a 2 and a 4 are visible; the other events are invisible. It is impossible to reduce the parity game: the only viable location is (X , true), but it does not allow stubborn sets smaller than {a 1 , a 2 , a 4 }. Setting r ((X , true)) = {a 1 } is not possible due to D2w, since a 1 is not a key event in that case. Conversely, r ((X , true)) = {a 2 } is not allowed by D1. Furthermore, if we have a 2 ∈ r ((X , true)), then V requires that a 4 ∈ r ((X , true)). However, if we label both the a 1 edge and the a 3 edge with a, then it becomes possible to set r ((X , true)) = {a}.
The example suggests that it can be beneficial to use the same event for multiple clauses. Specifying which clauses should correspond to the same event can be done with an equivalence relation on clauses. The next definition formalises the parity game that follows from such an equivalence relation.

Definition 10
Let E be an SRF-PBES, R ⊆ evt(E) × evt(E) an equivalence relation on events and evt(E) /R the corresponding set of equivalence classes. Then, the labelled parity game corresponding to E and R is the structure (G E , evt(E) /R, ), where G E is the parity game corresponding to E, and, for all X i ∈ bnd(E) and J ∈ evt(E) /R, the labelling (J ) is defined as follows: Here, an event J ∈ evt(E) /R is invisible if and only if all its constituting clauses j ∈ J are invisible. Henceforth, we adopt the strategy to identify two clauses j and j when the corresponding conditions and update expressions are syntactically equal, i.e., we set j R j iff f j = f j and g j = g j .

PBES solving using POR
A consequence of the partial-order reduction theorem is that a reduced parity game suffices for computing the truth value to X (e) for a given PBES E with X ∈ bnd(E). However, D1, D2w/D2t and L are conditions on the (reduced) state space as a whole and, hence, hard to check locally. We therefore approximate these conditions in such a way that we can construct a stubborn set while generating the state space.
From hereon, let E again be a PBES in SRF with equations of the shape σ i X i (d:D) = ϕ i and (G, A, ), with G = (V , E, Ω, P), its labelled parity game. The most common local condition for L is the stack proviso L S [32]. This proviso assumes that the state space is explored with depthfirst search (DFS), and it uses the Stack that stores unexplored nodes. Any transition leading back from the current node to a node in the DFS stack closes a cycle. In that case, the node must be fully expanded, i.e., r (s) = A. The following should thus hold for all nodes s ∈ V r encountered during exploration: We use the color proviso [8], which improves on the above condition with some additional bookkeeping of which nodes on the stack are or will be fully expanded. As a result, not every transition that leads back to the DFS stack requires its originating node to be fully expanded, improving reduction potential.
Locally approximating conditions D1 and D2w requires a static analysis of the PBES. For this, we draw upon ideas from [22] and extend these to properly deal with non-determinism. In the following definitions, any relation on the set A of events is also a relation on equivalence classes of clauses in the PBES, see Definition 10. Furthermore, if the event a corresponds to the clauses that contain condition f a , statements such as "for all s ∈ V , it holds s a − →" can be approximated on the PBES level by checking whether the event a occurs in each right-hand side of the PBES and evaluating the expression ∀d:D.∃e a :E a . f a , where d is the data parameter carried by each equation in our PBES E. Whether this closed Boolean expression is equal to true or equal to false can, for example, be determined with the help of an SMT-solver.
To reason about which events are independent, we rely on the idea of accordance. Note that DNL and DNT are not necessarily symmetric relations. An illustration of the conditions for left-according, square-according and triangle-according is given in Fig. 10.
For the case of left-accordance, we illustrate how the definition can be translated to an analysis on the level of PBESs. Recall that a clause ∃e j :E j . f j ∧ X j (g j ) (respectively ∀e j :E j . f j ⇒ X j (g j )) contains a condition f j as well as an update expression g j that determines what the next state is. The expression f j , respectively, g j , depends on the data parameter d of the surrounding equation, as well as on the quantified variable e j . We write f j (d, e j ), respectively, g j (d, e j ), to make this explicit. Given an event a (or, equivalently, equivalence class of clauses), we write X i a → Y if and only if there is a j ∈ a ∩ J i such that Y = X j , i.e., a clause j ∈ a occurs in the right-hand side of X i and leads to Y . With this, left-accordance of a with b can be characterised exactly by This expression considers whether the left-accordance condition is satisfied by the data expressions f a , f b , g a and g b contained in E, as well as by the presence of clauses in different equations (as captured by a → and b → ). Accordance relations safely approximate the independence of events. The dependence of events, required for satisfying D2w, can be approximated using Godefroid's necessary enabling sets [11].

Definition 12
Let a be an event that is disabled in some node s. A necessary-enabling set (NES) for a in s is any set NES s (a) ⊆ A such that for every execution s a 1 ...a n a − −−− → there is at least one a i such that a i ∈ NES s (a).
For every node and event there might be more than one NES. In particular, every superset of a NES is also a NES. A larger-than-needed NES may, however, have a negative impact on the reduction that can be achieved. Given a PBES, computing a NES can be done in a similar fashion as the accordance relations, by constructing an expression over elements of the clauses and analysing their presence in each equation.
The following lemmata show how the accordance relations and necessary-enabling set can be used to implement conditions D1, D2w and D2t, respectively. A combination of Lemmata 8 and 9 in a deterministic setting appeared as Lemma 1 in [22]. Note that as a notational convention we write R(a) to denote the projection {b | (a, b) ∈ R} of a binary relation.

Lemma 8 A reduction function r satisfies D1 in node s ∈ V if for all a ∈ r (s):
-if a is disabled in s, then NES s (a) ⊆ r (s) for some NES s ; and -if a is enabled in s, then DNL(a) ⊆ r (s).
Proof Let s be an arbitrary node and let r be a reduction function that satisfies the conditions above. Furthermore, let s a 1 ...a n a − −−− → s n be an execution such that a 1 / ∈ r (s), . . . , a n / ∈ r (s) and a ∈ r (s). We distinguish the following cases: -If a is disabled in s, it must hold that NES s (a) ⊆ r (s) for some NES s . However, according to the definition of a necessary-enabling set, at least one of a 1 , . . . , a n is contained in NES s (a) and thus in r (s). Since this contradicts our assumption that a 1 / ∈ r (s), . . . , a n / ∈ r (s), we conclude that the execution s a 1 ...a n a − −−− → s n does not exist, and so D1 is satisfied.
-If a is enabled in s, it must be that DNL(a) ⊆ r (s). Since that implies a 1 , . . . , a n / ∈ DNL(a), it follows that for every a i and all nodes t, t 1 and t , the following holds:  We conclude that the conditions of D1 are satisfied.

Lemma 9 A reduction function r satisfies D2w in a node s ∈ V if there is an enabled event a ∈ r (s) such that DNS(a) ⊆ r (s).
Proof Let s a 1 ...a n −−−→ s n be an execution such that all a 1 , . . . , a n / ∈ r (s) and let a ∈ r (s) ∩ enabled(s) be an event such that DNS(a) ⊆ r (s). We deduce that a 1 , . . . , a n / ∈ DNS(a), and thus the following implication holds for all a i and nodes t, t 1 and t 2 :  Proof Let s a 1 ...a n −−−→ s n be an execution such that all a 1 , . . . , a n / ∈ r (s) and let a ∈ r (s) ∩ enabled(s) be an event such that DNA(a) ⊆ r (s). We distinguish two cases: -It holds that a 1 , . . . , a n ∈ DNT (a). Since a 1 / ∈ r (s), . . . , a n / ∈ r (s) and r (s) ⊇ DNA(a) = DNS(a) ∩ DNT (a), we can deduce that a 1 , . . . , a n / ∈ DNS(a). By following the same reasoning as in the proof of Lemma 9, we derive the validity of D2t.
By first applying the square-according relation from left to right on the events a and a 1 , . . . , a i−1 and then applying the triangle-according relation on a and a i , we derive the existence of the dashed transitions in the following figure. More reduction can be achieved if a PBES is partly or completely "deterministic", in which case some of the conditions can be relaxed. We say that an event a is deterministic, denoted by det(a), if for all nodes t, t , t ∈ V , if t a − → t and t a − → t , then also t = t . This means event-determinism can be characterised as follows: det(a) iff f a δ and f a δ implies g a δ = g a δ for all δ, δ with δ(d) = δ (d).
The following lemma specialises Lemma 8 and shows how knowledge of deterministic events can be applied to potentially improve the reduction. Proof Let s be an arbitrary node and let r be a reduction function that satisfies the conditions above. For the cases where a is disabled or a is enabled and DNL(a) ⊆ r (s), see the proof of Lemma 8. Here, we only consider the new case where a is deterministic and enabled in s and DNS(a) ⊆ r (s).
Let s a 1 ...a n −−−→ s n a − → s n be an execution such that a 1 / ∈ r (s), . . . , a n / ∈ r (s) and a ∈ r (s) and let s a − → s . The following implication holds for all a i and nodes t, t 1 and t 2 : Since a is deterministic it follows that s n = s n . Regardless of whether a is invisible, the transitions s i a − → s i are present for every 1 ≤ i < n, and thus D1 is satisfied.
Since relations DNS and DNL are incomparable we cannot decide a priori which should be used for deterministic events. However, Lemma 11 permits the choice between DNS and DNL to be made individually for every state, so we can do this during exploration of the state space. This choice can be made based on a heuristic function, similar to the function for NESs proposed in [22].
As sketched above, both the accordance relations and the NESs can be computed based on the condition f a and update expression g a associated with each clause, as well as the presence of clauses captured by a → . Evaluation of the expressions constructed in this way can be computationally expensive, so often it is better to compute a (cheaper) approximation. In a PBES with multiple parameters per predicate variable, this can, for example, be done by analysing which parameters influence the validity of condition f a and which parameters are changed in the update functions g a Two clauses a and b that operate on disjoint sets of parameters are often left-and square-according (depending on a → and b → ). NESs may be approximated using techniques to extract control flow graphs from a PBES [19], although we have not done so.

Experiments
We implemented the ideas from the previous section in a prototype tool, called pbespor, as part of the mCRL2 toolset [5]; it is written in C++. Our tool converts a given input PBES to a PBES in SRF, runs a static analysis to compute the accordance relations (see Sect. 5), and uses a depth-first exploration to compute the parity game underlying the PBES in SRF. Since our previous work [30], we have updated the implementation to produce stubborn sets that adhere to the new condition P. The static analysis relies on an external SMT solver. (We use Z3 in our experiments.) Experiments are conducted on a machine with four Intel Xeon 6136 CPUs @ 3.00GHz and 3TB of RAM, running mCRL2 with Git commit hash b7976da39c4e. All our code is single-threaded, so similar performance may be obtained on a more modest machine.
To measure the effectiveness of our implementation, we analysed the following models, encoded in mCRL2 4 : Anderson's mutual exclusion protocol [1], the dining philosophers problem, the gas station problem [15], Hesselink's handshake register [16], Le Lann's leader election protocol [23], Milner's Scheduler [25] and the Krebs cycle of ATP production in biological cells (model inspired by [31]). Most of these models are scalable, i.e., the number of components can easily be adjusted. Each model is subjected to one or more requirements phrased as mCRL2's first-order modal µ-calculus formulae. If possible, Table 1 provides a CTL * formula that captures the essence of the requirement.
We analyse the effectiveness of our partial-order reduction technique by measuring the reduction of the size of the state space, and the time that is required to generate the state space. Since the static analysis that is conducted can require a non-negligible amount of time, we pay close attention to the various forms of static analysis that can be conducted. In particular, we compare the total time and effectiveness (in terms of reduction) of running the following static analysis: -computing left-accordance (the relation DNL) vs. overapproximating it with the complete relation. -computing a NES vs. over-approximating it with the set of all events A. -using D2w vs. the use of D2t (i.e., use Lemma 9 vs. Lemma 10); As a baseline for comparisons, we take a basic static analysis (over-approximated DNL, over-approximated NES, D2w), see column "basic" in Table 1. In order to guarantee termination of the static analysis phase, we set a timeout of 200 ms per formula that is sent to the solver. Table 1 reports on the statistics we obtained for exploring the full state space and the four possible POR configurations described above; the table is sorted with respect to the time needed for a full exploration. The time we list consists of the time needed to conduct the analysis plus the time needed for the exploration. For most small instances, the time required for static analysis dominates any speed-up gained by the state space reduction. When the state spaces are larger, it becomes more likely to achieve a speed-up, while the highest overhead suffered by "basic" is 55% (Hesselink, cache consistency). Significant reduction can be achieved even for non-trivial properties, such as "lann.5" with "no data loss". Scheduler is an extreme case: its processes have very few dependencies, leading to an exponential reduction, both in terms of the state space size and in terms of time. In several cases, the use of a NES or D2t brings extra reduction (highlighted in bold). Moreover, the extra time required to conduct the additional analysis seems limited. The use of DNL, on the other hand, never pays off in our experiments; it even results in a slightly larger state space in two cases. These results are very similar to those of our earlier experiments [30], and thus, the addition of condition P has little impact on the reduction for these particular PBESs.
We note that there are also models, not listed in Table 1, where our static analysis does not yield any useful results and no reduction is achieved. Even if in such cases a reduction would be possible in theory, the current static analysis engines are unable to deal with the more complex data types often used in such models; e.g., recursively defined lists or infinite sets, represented symbolically with higher-order constructions. This calls for further investigations into static analysis theories that can effectively deal with complex data.
Furthermore, we remark that all the models we listed here contain symmetry: two or more processes that show almost the same behaviour. This may mean that our results cannot be generalised to non-symmetric models, although [7] suggests that partial-order reduction and symmetry reduction exploit different aspects of a model.
Finally, we point out that in the case of, e.g., the dining philosophers problem, the relative reduction under the "no deadlock" property is much better than under the "∀ ∀ eat" property. This demonstrates the impact properties can have on the reductions achievable and the importance of the way edges are labelled. We explain this in the following example.  Table 1, we denoted formulae of this shape as ∀ ∀ a i . Below, the names of each of the clauses are indicated on the right.
The event x y represents the transition from fixpoint X into Y , which does not involve an action from the transition system. Note that the complete state space is encoded once in the fixpoint X and twice in Y , albeit with a subset of the transitions. In the corresponding labelled parity game, depicted in Fig. 11b, no reduction can be achieved.
To achieve reduction in this example, we need to do three things. First, the quantifier in the clause x y needs to be unfolded; this yields two clauses, namely Y (b 0 , b 1 , false) (name x y 0 ) and Y (b 0 , b 1 , true) (name x y 1 ). Furthermore, we should identify clauses j 0 and j 0 (resp. j 1 and j 1 ); the resulting event is called a 0 (resp. a 1 ). Lastly, we have to change the fixpoint of X to ensure x y 0 and x y 1 are invisible. Remark that this does not change the solution of the PBES. In that case, four nodes can be eliminated, see Fig. 11c.
In the experiments, we achieve the identification of clauses j 0 and j 0 (resp. j 1 and j 1 ) by partially instantiating the PBES [34]. This procedure is implemented in the mCRL2 tool pbesinst. In the example above, instantiating parameter b:B of Y results in two new equations: The clauses in these equations can be identified with the first two clauses in the right-hand side of X with our original strategy based on syntactic equivalence of the condition and update expressions.

Conclusion
We have presented an approach for applying partial-order reduction on parity games. This has two main advantages over POR applied on labelled transition systems or Kripke structures: our approach supports the full modal µ-calculus, not just a fragment thereof, and the potential for reduction is greater, because we do not require a singleton proviso.  (c) Fig. 11 A transition system and two parity games showing that, although the transition system can be reduced, it is not always possible to reduce the corresponding parity game. After tweaking the edge labelling, some reduction is possible Furthermore, we have shown how the ideas can be implemented with PBESs as a high-level representation. In future work, we aim to gain more insight into the effect of identifying events across PBES equations in several ways. We also want to investigate the possibility of solving a reduced parity game while is it being constructed. In certain cases, one may be able to decide the winner of the original game from this partial solution.