Natural Projection as Partial Model Checking

Verifying the correctness of a system as a whole requires establishing that it satisfies a global specification. When it does not, it would be helpful to determine which modules are incorrect. As a consequence, specification decomposition is a relevant problem from both a theoretical and practical point of view. Until now, specification decomposition has been independently addressed by the control theory and verification communities through natural projection and partial model checking, respectively. We prove that natural projection reduces to partial model checking and, when cast in a common setting, the two are equivalent. Apart from their foundational interest, our results build a bridge whereby the control theory community can reuse algorithms and results developed by the verification community. Furthermore, we extend the notions of natural projection and partial model checking from finite-state to symbolic transition systems and we show that the equivalence still holds. Symbolic transition systems are more expressive than traditional finite-state transition systems, as they can model large systems, whose behavior depends on the data handled, and not only on the control flow. Finally, we present an algorithm for the partial model checking of both kinds of systems that can be used as an alternative to natural projection.


Introduction
System verification requires comparing a system's behavior against a specification. When the system is built from several components, we can distinguish between local and global specifications. A local specification applies to a single component, whereas a global specification should hold for the entire system. Since these two kinds of specifications are used to reason at different levels of abstraction, both kinds are often needed.
Ideally one aims at freely passing from local to global specifications and vice versa. Most specification formalisms natively support specification composition and there are wellstudied examples of operators for composing them, e.g., logical conjunction, set intersection, and the synchronous product of automata. Unfortunately, the same does not hold for specification decomposition: obtaining local specifications from a global one is, in general, much more difficult.
Over the past decades, many research communities have independently investigated decomposition methods, each focussing on the specification formalisms and assumptions appropriate for their application context. In particular, important results were obtained in the fields of control theory and formal verification.
In control theory, natural projection [40] is exploited to simplify systems built from multiple components, modeled as automata. Natural projection is often applied component-wise to solve the controller synthesis problem, i.e., for synthesizing local controllers from a global specification of an asynchronous discrete-event system [11]. In this way, by interacting only with a single component of a system, local controllers guarantee that the global specification is never violated. By composing local controllers in parallel with other sub-systems, it is possible to implement distributed control systems [41,42].
The formal verification community proposed partial model checking [1] as a technique to mitigate the state explosion problem arising when verifying large systems composed from many parallel processes. Partial model checking tackles this problem by decomposing a specification, given as a formula of the μ-calculus [27], using a quotienting operator, and thereby supporting the analysis of the individual processes independently. Quotienting carries out a partial evaluation of a specification while preserving the model checking problem. Thus for instance, a system built from two modules satisfies a specification if and only if one of the modules satisfies the specification after quotienting against the other [1]. The use of quotienting may reduce the problem size, resulting in smaller models and hence faster verification. Table 1 summarizes some relevant results about the two approaches for finite-state Labeled Transitions Systems; for more details, we refer the reader to Sect. 6. Since natural projection and partial model checking apply to different formalisms, they cannot be directly compared Table 1 Summary of existing results on natural projection and partial model checking for finite-state Labeled Transition Systems Natural projection Partial MC Spec. Lang. FSA [24,37] μ-calculus [1,3] Theory FSA [24,37] L T S [ 1,3] Complexity EXPTIME 1 [19,39] EXPTIME [1,3] Tools TCT [18], IDES3 [35], DESTool [33] mCRL2 [23], CADP [28], MuDiv [2] Notice that the algorithm in [39] runs in PTIME on a specific class of discrete-event systems without defining a common framework. For example, a relevant question is to compare how specifications grow under the two approaches. Although it is known that both may lead to exponential growth (see [26,39] and [3]), these results apply in one case to finite-state automata (FSAs) and in the other case to μ-calculus formulae.
Although decomposition work has been carried out in different communities, there have also been proposals for the cross-fertilization of ideas and methods [17]. For instance, methods for synthesizing controllers using partial model checking are given in [7,31]. The authors of [20] and [22] propose similar techniques, using fragments of the μ-calculus and CTL * , respectively.
One of our starting points was suggested by Ehlers et al. [17], who advocate establishing formal connections between these two approaches. In their words: Such a formal bridge should be a source of inspiration for new lines of investigation that will leverage the power of the synthesis techniques that have been developed in these two areas.
[…] It would be worthwhile to develop case studies that would allow a detailed comparison of these two frameworks in terms of plant and specification modeling, computational complexity of synthesis, and implementation of derived supervisor/controller.
We address the first remark about a formal bridge by showing that, under reasonable assumptions, natural projection reduces to partial model checking and, when cast in a common setting, they are equivalent. To this end, we start by defining a common theoretical framework for both. In particular, we slightly extend both the notion of natural projection and the semantics of the μ-calculus in terms of the satisfying traces. These extensions allow us to apply natural projection to the language denoted by a specification. In addition, we extend the main property of the quotienting operator by showing that it corresponds to the natural projection of the language denoted by the specification, and vice versa (Theorem 3.2).
We also provide additional results that contribute to the detailed comparison, referred to in the second remark. In particular, we propose a new algorithm for partial model checking that operates directly on Labeled Transition Systems (LTS), rather than on the μ-calculus. We prove that our algorithm is correct with respect to the traditional quotienting rules and we show that it runs in polynomial time, like the algorithms based on natural projection.
A preliminary version of the above results have been previously presented in [13], and are systematized and formally proved here. 1 In this paper we additionally lift these results to symbolic Labeled Transition Systems (s-LTS), a slight generalization of symbolic FSAs [15], which themselves substantially generalize traditional FSAs. Roughly speaking, the transitions of an s-LTS carry predicates rather than letters, as LTS do, and can thus handle rich, non-finite alphabets. In particular, the alphabet of an s-LTS is the carrier of an effective boolean algebra, thereby maintaining the operational flavor of transition systems. In the next section, we give an example of a concurrent program running on a GPU that shows the added expressive power of specifications rendered by s-LTSs.
Our lifting of results proceeds in several steps. First we define the notion of symbolic traces composed by transitions with predicates as labels, and we show their relationship to the more standard traces labeled by the elements of a given finite alphabet. More significantly we define symbolic synchronous composition of s-LTSs, which is crucial for composing these richer system specifications. We then introduce novel symbolic versions of partial model checking and of natural projection. Also, for the symbolic case, we prove a theorem (Theorem 5.2) that extends the statement of Theorem 3.2 to the s-LTSs, i.e., that establishes the correspondence between partial model checking and natural projection for s-LTSs. Finally, we define a new algorithm for symbolic partial model checking directly on s-LTSs, and we prove it correct with respect to the symbolic quotienting operator. As expected, our algorithm's time complexity is exponential. This is due to the need to check the satisfiability of the predicates labeling the symbolic transitions.
We have implemented our algorithm for partial model checking on Labeled Transition Systems in the tool available online [14]. Along with the tool, we developed several case studies illustrating its application to the synthesis of both submodules and local controllers. The implementation of the algorithm for s-LTS is still under development. Structure of the paper We start by presenting a motivating example in Sect. 2. Section 3 presents our unified theoretical framework for natural projection and partial model checking as well as its formal properties. In Sect. 4 we present the quotienting algorithm, discuss its properties, and apply it to our running example. We extend our framework to the symbolic transition systems in Sect. 5. Section 5.4 presents our novel symbolic quotienting algorithm. In Sect. 6 we briefly survey the related literature and in Sect. 7 we draw conclusions. The "Technical Appendix" contains all the formal proofs together with the correctness and the complexity of our algorithms. Finally, all the additional material about (i) implementation of the algorithms, (ii) tool usage and (iii) replication of the experiments is available at https:// github.com/gabriele-costa/pests.

A Running Example: A GPU Kernel
In this section we introduce a simple yet realistic example that we use as running throughout the paper. The example illustrates an instance of a system made of two concurrent components, and its global specification consisting of two properties intuitively presented below. We will show how the decomposition of the global specification is done by partially evaluating it against one of the components. Then, we model check the obtained local specification against the other component, so verifying the original global specification. The first of the two properties is expressed through an LTS and discussed in Sect. 4. For the second we take advantage of the richer expressive power of s-LTS to reason about both data and control. In Sect. 5 we show how this enables a fine-grained analysis of the system behavior.
We consider a concurrent program (called kernel) running on a Graphical Processing Unit (GPU). The program implements a producer-consumer schema relying on a circular queue. The program is written in OpenCL, 2 a C-like language for programming GPUs. A sequential application P embodies an OpenCL kernel and uses it to accelerate some computations. In practice, P compiles the kernel at run time, loads it on the GPU memory, and launches its execution, which is carried on by a group of threads running concurrently on the different GPU cores. During the execution, each thread is bound to an identifier, called local id, and threads share a portion of the GPU memory, called local memory. A group of threads can synchronize through a barrier. Intuitively, a barrier is an operator that blocks the execution of each thread at a particular point. When all the threads reach the same barrier, their execution is resumed.
Consider the OpenCL kernel of Fig. 1 that implements a simple producer-consumer schema. Briefly, one instance of the kernel function manager is executed on each core of a GPU. Here, for simplicity, we assume that only two cores exist. A manager kernel iteratively invokes one of two functions, produce and consume, depending on the thread identifier (either 0 or 1) returned by get_local_id(0). Hence, the manager kernel forces each thread to assume one of the two roles, either a producer or a consumer. The two functions use the local memory to share a vector, called buffer, which implements a circular queue. The queue has eight slots: a new item (i.e., a four-byte integer) is inserted (by the producer) in position L [1] and removed (by the consumer) from position L[0]. In practice, the first two bytes of L contain the head and tail pointers of the circular queue. Thus, they are incremented after each enqueue/dequeue operation and set to 0 when they exceed the buffer limit. The two threads iterate until both the producer and the consumer processed exactly *N items.
The code of Fig. 1 suffers from several typical flaws. The first flaw concerns the buffer's consistency. Provided that the buffer's size is at least 8, the two threads cannot cause a buffer overflow. Nevertheless, there is no guarantee that enqueue (line 15) and dequeue (line 5) always occur in the right order. In fact, since the two threads run in parallel with no priority constraints, two unsafe configurations may be reached: (i) the consumer attempts to extract an element from the empty buffer and (ii) the producer attempts to insert an element into a full buffer.
The second potential flaw is a data race. Data races occur when two threads simultaneously access the same, shared memory location and at least one of them modifies the data. When both the threads access the same memory in write mode, it is called a write-write data race. Otherwise we have a write-read data race. The two threads of Fig. 1 handle three pointers to the shared memory space, i.e., L, buffer, and N (line 22). These variables are identified by the local modifier. No data races can occur on N as it is never modified. A write-read data race on buffer happens when the producer and the consumer access the same location. Notice that this happens under conditions similar to those discussed for the buffer consistency, e.g., enqueue and dequeue are not executed in the right order. The case of L is more subtle. Both produce() and consume() modify the four bytes of the variable L (of type int). However, the two functions operate on different bytes, i.e., L[0] and L [1]. The single byte granularity is achieved through a cast to type char * (lines 4 and 14). Hence, no data race actually affects L.
Verifying the correctness of GPU kernels, in general, and producer-consumer schemas, in particular, are active research fields. Static analysis techniques such as [9] and [36] aim at validating a kernel against some specific property, such as absence of data races. The tools based on these techniques support developers by identifying potentially dangerous code. Still, the developer must manually confirm these alerts since the static analysis commonly considers an over-approximation of the program's actual behavior. For instance, GPUVerify [9], a prominent static verification tool, reports a possible write-read data race on L when applied to the kernel of Fig. 1 (see the "Technical Appendix"). As we will see in Sect. 5, we avoid this false positive through our symbolic algorithm.
Systems are usually composed of several modules, in our example the consumer and the producer. Verifying that the system as a whole complies with a specification requires checking that it satisfies a global specification. If the check fails, often there is no indication of which module is not compliant, and thus one must rethink the entire implementation. Instead, through decomposition, one can specialize the specification to operate on the single modules, thereby possibly enhancing the verification of the whole system. In addition, given a global specification and a system missing some components, one can just synthesize the specifications for the missing parts. For instance, as we will show in Example 3, the program in Fig. 1 suffers from a buffer inconsistency flaw. Given a model of the producer, in Sect. 4.2 we decompose a buffer consistency specification into a partial one that the consumer must obey to avoid this misbehavior.

A General Framework
In this section we cast both natural projection and partial model checking in the common framework of Labeled Transition Systems.

Language Semantics Versus State Semantics
Natural projection is commonly defined over (sets of) words [40]. Words are finite sequences of actions, i.e., symbols labeling the transitions between the states of a finite-state automaton (FSA). The language of an FSA is the set of all words that label a sequence of transitions from an initial state to some distinguished state, like a final or marking state. We let L denote the function that maps each FSA to the corresponding language semantics. Given a system Sys and a specification Spec, both FSAs, then Sys is said to satisfy Spec whenever L(Sys) ⊆ L(Spec). Rather than an FSA, here we use a labeled transition system (LTS) to specify a system Sys. An LTS is similar to an FSA, but with a weaker notion of acceptance, where all states are final. We specify our running example below as an LTS. Example 1 (Running example) Consider again the OpenCL program from Sect. 2 where the buffer positions are fixed to 8. Figure 2 depicts a transition system that encodes the specification P for the buffer's consistency, where the symbols e and d represent the (generic) enqueue and dequeue operations, respectively. Intuitively, the threads cannot perform e actions when the buffer is full (state p 8 ) and d actions when the buffer is empty (state p 0 ). Barrier synchronizations do not affect the specification's state. We indicate these actions with self-loops labeled with b. Only the three operations mentioned above are relevant for the specification P. Thus, we do not introduce further action labels.
For partial model checking, the specification Spec is defined by a formula of the μcalculus. The standard interpretation of the formulas is given by a state semantics, i.e., a function that, given an LTS (for a system) Sys and a formula Φ, returns the set of states of Sys that satisfy Φ. A set of evaluation rules formalizes whether a state satisfies a formula or not. Given an LTS Sys and a μ-calculus formula Φ, we say that Sys satisfies Φ whenever its initial state does.
The language semantics of temporal logics is strictly less expressive than the state-based one [21]. A similar fact holds for FSAs and regular expressions [6]. Below we use a semantics from which both the state-based and the language semantics can be obtained.

Operational Model and Natural Projection
We now slightly generalize the existing approaches based on partial model checking and on supervisory control theory used for locally verifying global properties of discrete event systems. We then constructively prove that the two approaches are equally expressive so that techniques from one can be transferred to the other. To this end, we consider models expressed as (finite) labeled transition systems, which describe the behavior of discrete systems. In particular, we restrict ourselves here to deterministic transition systems.

Definition 3.1 A (deterministic) labeled transition system (LTS) is a tuple
where S A is a finite set of states (with ı A the initial state), Σ A is a finite set of action labels, and → A : S A × Σ A → S A is the transition function. We write t = s a − → s to denote a transition, whenever → A (a, s) = s , and we call s the source state, a the action label, and s the destination state.
A trace σ ∈ T of an LTS A is either a single state s or a finite sequence of transitions t 1 ·t 2 ·. . . such that for each t i , its destination is the source of t i+1 (if any). When unnecessary, we omit the source of t i+1 , and write a trace simply as the sequence σ = s 0 a 1 s 1 a 2 s 2 . . . a n s n , alternating elements of S A and Σ A (written in boldface for readability). Finally, we denote by A, s the set of traces of A starting from state s and we write A for A, ı A , i.e., for those traces starting from the initial state ı A .
Example 2 Consider again our running example. Figure 3 depicts the LTSs A and B that model the behavior of the consumer and producer, respectively. On the left-hand side we show the control flow graph (CFG) of the consumer thread where we use a light grey font for the irrelevant instructions. Intuitively, the CFG consists of a loop iterating the execution of the central block. For this reason, the LTS A alternates actions b (for barrier) and d (for dequeue). The CFG of the producer is similar: the only difference is that it increments the tail pointer, rather than the head pointer. Hence, B is symmetric: it performs e (for enqueue) in place of d. The traces starting from the initial states of A and B are, respectively, A = {q 0 , q 0 bq 1 , q 0 bq 1 dq 0 , q 0 bq 1 dq 0 bq 1 , . . .} B = {r 0 , r 0 br 1 , r 0 br 1 er 0 , r 0 br 1 er 0 br 1 , . . .} Typically, a system, or plant in control theory, consists of multiple interacting components running in parallel. Intuitively, when two LTSs are put in parallel, each proceeds asynchronously, except on those actions they share, upon which they synchronize. We render this behavior by means of the synchronous product [4]. In particular, we rephrase the definition given in [40]. Intuitively, A B does not satisfy P(n), for any n > 0. In Fig. 4 Synchronous product A B, where bold transitions denote synchronous moves Next, we generalize the notion of natural projection on languages. Intuitively, natural projection can be seen as the inverse operation with respect to the synchronous product of two LTSs. Indeed, through natural projection one recovers the LTS of one of the components of the parallel composition.

Example 3 Consider again the LTSs
Given a computation of A B, natural projection extracts the relevant trace of one of the two LTSs, including the synchronized transitions (see the second case below). Note that, unlike other definitions, e.g., in [40], our traces are sequences of transitions including both states and actions. We also define the inverse projection in the expected way.

Definition 3.3 Given LTSs
, is defined as follows: Natural projection on the second component B is analogously defined. We extend the natural projection to sets of traces in the usual way: The inverse projection of a trace σ over an LTS A B, in symbols P −1 A (σ ), is defined as Example 4 Consider the following two traces σ 1 = q 0 , r 0 b q 1 , r 1 d q 0 , r 1 e q 0 , r 0 and Two classical properties [40] concerning the interplay between the synchronous product and the natural projection hold. Their proofs are trivial.

Equational -Calculus and Partial Model Checking
Below, we recall the variant of the μ-calculus commonly used in partial model checking called modal equations [1]. A specification is given as a sequence of modal equations, and one is typically interested in the value of the top variable that is the simultaneous solution of all the equations. Equations have variables on the left-hand side and assertions on the right-hand side. Assertions are built from the boolean constants ff and tt, variables x, boolean operators ∧ and ∨, and modalities for necessity [·] and possibility · . Equations also have fix-point operators (minimum μ and maximum ν) over variables x, and can be organized in equation systems.

Definition 3.4 (Syntax of the μ-calculus) Given a set of variables
x ∈ X and an alphabet of actions a ∈ Σ, assertions φ, φ ∈ A are given by the syntax: An equation is of the form x = π φ, where π ∈ {μ, ν}, μ denotes a minimum fixed point equation, and ν a maximum one. An equation system Φ is a possibly empty sequence ( ) of equations, where each variable x occurs in the left-hand side of at most a single equation. Thus Φ is given by A top assertion Φ ↓ x amounts to the simultaneous solution of an equation system Φ onto the top variable x.
We define the semantics of modal equations in terms of the traces of an LTS by extending the usual state semantics of [1] as follows. First, given an assertion φ, its state semantics φ ρ is given by the set of states of an LTS that satisfy φ in the context ρ, where the function ρ assigns meaning to variables. The boolean connectives are interpreted as intersection and union. The possibility modality a φ ρ (respectively, the necessity modality [a]φ ρ ) denotes the states for which some (respectively, all) of their outgoing transitions labeled by a lead to states that satisfy φ. For more details on μ-calculus see [10,27].

Definition 3.5 (Semantics of the μ-calculus [1]) Let
A be an LTS, and ρ : X → 2 S A be an environment that maps variables to sets of A's states. Given an assertion φ, the state semantics of φ is the mapping · : We extend the state semantics from assertions to equation systems. First we introduce some auxiliary notation. The empty mapping is represented by [ ], [x → U ] is the environment where U is assigned to x, and ρ • ρ is the mapping obtained by composing ρ and ρ . Given a function f (U ) on the powerset of S A , let πU . f (U ) be its fixed point. We now define the semantics of equation systems by: and Note that whenever we apply function composition •, its arguments have disjoint domains. Next, we present the trace semantics: a trace starting from a state s satisfies φ if s does.

Definition 3.6 Given an LTS
A, an environment ρ, and a state s ∈ S A , the trace semantics of an assertion φ is a function · : A → S A → (X → 2 S A ) → T, which we also extend to equation systems, defined as follows.
This system consists of two equations. Intuitively, the first equation says that after every e transition a state satisfying the second equation for y is reached ([e]y) and that, from the current state, there must exist at least one d transition ( d tt) The second equation states that there must exist either a e transition or a b transition. In both cases, the reached state must satisfy the x equation. We (since y does not occur in the assertion). Following the Knaster-Tarski theorem, we compute U * = n F n (∅): , the only state that admits d but not e).
We now define when an LTS satisfies an equation system. Recall that A stands for A, ı A .

Definition 3.7 An LTS
The following fact relates the notion of satisfiability defined in terms of the state semantics (| s ) with the one based on the trace semantics (| σ ); its proof is immediate by Definition 3.6.
As previously mentioned, partial model checking is based on the quotienting operation / /. Roughly, the idea is to specialize the specification of a composed system on a particular component. Below, we define the quotienting operation [1] Note that each equation of the system Φ gives rise to a system of equations, one for each state s i of A, all of the same kind, minimum or maximum (thus forming a π-block [3]). This is done by introducing a fresh variable x s i for each state s i . Intuitively, the equation x s i = π φ/ / Σ B s i represents the requirements on B when A is in state s i . Since the occurrence of the variables on the right-hand side depends on A's transitions, Φ ↓ x/ / B A embeds the behavior of A. Definition 3.8 Given a top assertion Φ ↓ x, we define the quotienting of the assertion on an LTS A with respect to an alphabet Σ B as follows.
Example 6 Consider the top assertion Φ ↓ x of Example 5 and the LTSs A and B of Exam- The leftmost equations are obtained by applying the rules of Definition 3.8. Then we simplify on the right-hand sides of the first three equations, i.e., those of x q 0 , x q 1 and y q 0 . In particular, we apply the standard boolean transformations ψ ∧ ff ≡ ff , ψ ∧ tt ≡ ψ, and ψ ∨ ff ≡ ψ.
Finally we reduce the number of equations by removing those unreachable from the top variable x q 0 . For a detailed description of our simplification strategies, see [3]. Therefore This was expected since, as shown in Example 5,

Unifying the Logical and the Operational Approaches
Here we prove the equivalence between natural projection and partial model checking (Theorem 3.2), establishing the correspondence between quotienting and natural projection.
The following theorem states that the synchronous product of two LTSs satisfies a global equation system if and only if its components satisfy their quotients, i.e., their local assertions.

Theorem 3.2 For all A, B, x and Φ on A B,
if and only if any of the following equivalent statements holds:

Quotienting Algorithm
Our algorithm consists of two procedures that are applied sequentially. The first, called quotient (Table 2), builds a non-deterministic transition system starting from two LTSs, i.e., a specification P and an agent A. Moreover, it takes as an argument the alphabet of actions Σ B of the new transition system B. Non-deterministic transition systems have a distinguished label λ, and serve as an intermediate representation. The states of the resulting transition system include all the pairs of states of P and A, except for those that denote a violation of P (line 1). The transition relation (line 3) is defined using the quotienting rules from Sect. 3. Also, note that the relation → is restricted to the states of S (denoted → S ).
The second procedure, called unify (in Table 3) translates a non-deterministic transition system back to an LTS. By using closures over λ, unify groups transition system states. This process is similar to the standard subset construction [24], except that we put an a ∈ Σ B \Γ transition between two groups Q and M only if (i) M is the intersection of the λ-closures of the states reachable from Q with an a transition and (ii) all the states of Q admit at least an a transition leading to a state of M (∧-move). The procedure unify works as follows. Starting from the λ-closure of B's initial state (line 1), it repeats a partition generation cycle (lines [4][5][6][7][8][9][10][11][12][13]. Each cycle removes an element Q from the set S of the partitions to be processed. Then, for all the actions in Σ B \{λ}, a partition M is computed by ∧-move (line 7). If the partition is nonempty, a new transition is added from Q to M (line 9). Also, if M is a freshly generated partition, i.e., M / ∈ R, it is added to both S and R (line 10). The procedure terminates when no new partitions are generated.
Our quotienting algorithm is correct with respect to the quotienting operator and runs in PTIME. More precisely, assuming that Γ , Σ A \Γ , and Σ B \Γ have m elements, and that P and A have n states, the complexity is O(n 6 m 2 ) (see Appendix A.4 for more details). We avoid an exponential blow-up in our algorithm (in contrast to Table 1) since we only consider deterministic transition systems. Note that a determinization step for non-deterministic transition systems is exponential in the worst case. Table 3 The unification algorithm

Application to Our Running Example
Recall from Example 3 that A B does not satisfy the buffer consistency property P. Informally the reason is that the barrier does not prevent the consumer A from accessing the buffer before the producer B. However, the barrier does ensure that iterations of the producer and the consumer are always paired. This implies that only the first position of the buffer is actually used.
We apply our quotienting algorithm to find an A such that A B | P. That is, we solve an instance of the submodule construction problem for B and P. The resulting LTS is given in Fig. 5. Intuitively, A behaves as follows. Initially, it synchronizes (action b) twice to ensure that B enqueues at least one item. Then, it either (i) synchronizes again and moves to the next state or (ii) dequeues an item (action d) and goes back one state. The reason is that each state w i denotes a configuration under which the buffer contains i or i − 1 items. As a result, there cannot be a state w 9 and also the state w 0 can be reached only once at the start. Finally, note that a similar construction also applies to the controller synthesis and verification problems. For the former it suffices to constrain the alphabet of A to only contain synchronization actions, while for the latter we check that the submodule A accepts the empty string.

Quotienting Symbolic Finite-State Systems
In this section, we extend our results to symbolic Finite-State Transition Systems (s-LTSs). This rather expressive formalism is a variant of symbolic Finite State Automata [16] where all states are final. The novelty with respect to a standard LTS (or to an FSA) is that the alphabet is the carrier of an effective boolean algebra and that transitions are enabled by predicates on the possibly infinitely many elements of the algebra. This model allows a convenient representation of large systems, the behavior of which also depends on the data handled, and not only on the control flow as it is the case with a standard LTS.
For example, consider again the OpenCL kernel of Fig. 1 and the kinds of flaws mentioned in Sect. 2. Buffer consistency has been addressed using the model of standard LTSs, because consistency only depends on the actions (enqueue and dequeue) performed. However, when representing data races we cannot abstract away from the affected memory location, the action performed (read/write), and the data involved. We model them using to s-LTSs. In Fig. 6, we show on the left the control-flow graph of our consumer. Since we are interested in the actions on L we highlight them. In the upper part on the right there is the s-LTS for the consumer. Accordingly, we show only the portion with read/write actions that are parametric with respect to the memory address L and its offset. In the bottom part, we display the s-LTS of the consumer.
In this example, one can encode our producer/consumer in a standard LTS, because the operations and data are finite. The price to pay is an exponential growth of the number of resulting labels and, consequently, of the transitions. Clearly, such encodings cannot be done, when data are taken from an infinite domain like the natural numbers or strings from a given alphabet. In these cases there always exists a standard LTS that accepts a language that however is isomoprphic to the given s-LTS (see [16]).
We start by recalling some known notions about s-LTSs, adapting them to our case as needed and illustrating them on our running example. Then, we present our contributions: a symbolic version of (i) the synchronous product operator; (ii) partial model checking and natural projection; and (iii) a quotienting algorithm.

Symbolic Labeled Transition Systems
We start by recalling the definition of an effective boolean algebra and algebraic operators over them that are the building blocks for symbolic LTSs. Given a predicate ϕ of an EBA A, we say that ϕ is satisfiable, in symbols sat A (ϕ), when {|ϕ|} = ∅.
For brevity, we may write A ϕ for A {|ϕ|}.

Example 7
The EBA B encoding the write/read actions of our running example is defined as follows.
-D = {r , w} × Id × N, where Id stands for the set of variable identifiers of a program.
-Ψ includes equality and inequality (on both {r , w} and Id) and ordering relationships between natural numbers.
We use the variables α and β to range over {r , w} and X and Y for generic elements of Id, the bytes of which are identified by their position (variable n). Also, we write α(X , n) : ϕ to denote the predicates of Ψ and we use straightforward abbreviations such as w(L, 0) for α(X , n) : α = w ∧ X = L ∧ n = 0.
We now state the definition of an s-LTS, we introduce its symbolic traces and we show the mapping from the symbolic to the concrete traces. The definition of s-LTS is based on that of s-FA [16]. We next describe the symbolic model of our running example.

Example 8
Consider again the data race flaw for the OpenCL code discussed in Sect. 2. We use the EBA B of Example 7 to model the kernel accesses to the shared memory. The predicate α(X , n) : ϕ specifies the kernel accesses actions α (read or write) on the nth byte of variable X . Here ϕ is a constraint on the values that α, X , and n can assume. Figure 6 on the left shows the CFG of the consumer and an s-LTS modeling it, in the right, upper part. Below, we also show the s-LTS for the producer. Recall that the variable head points to L[0], while tail (see Fig. 1) refers to L[1].

Parallel Composition of s-LTSs
Before proposing a new notion of parallel composition for s-LTSs, it is convenient to introduce an auxiliary operation on EBAs.
We now apply this definition to our running example.

Example 9
The parallel composition of the two s-LTS of Fig. 6 over the synchronization predicates ψ 1 = α(X , n) : α = w ∧ X = L and ψ 2 = α(X , n) : X = L is depicted in Fig. 7. For readability, we omit the transition labels and we instead discuss them here. By the definition of product, a transition's predicate can only belong to three groups: ϕ 1 ∧ ¬ψ 1 , ⊥, ⊥ , ⊥, ϕ 2 ∧¬ψ 2 , ⊥ , or ⊥, ⊥, ϕ 1 ∧ψ 1 , ϕ 2 ∧ψ 2 , where ϕ 1 and ϕ 2 are predicates of the consumer and producer, respectively. Note that the predicates of the second type are not satisfiable since ¬ψ 2 requires that X = L while all the ϕ 2 constrain X = L. Thus, the second group of transitions is empty. A similar observation applies to the predicates of the first group. Indeed, since X = L the only assignment that satisfies ¬ψ 1 is for α = r . Therefore, all these transitions are labeled with r (L, 0), ⊥, ⊥ . We use a thin arrow to denote them. As in Example 3 we use bold arrows to denote synchronous transitions. However, here we need to distinguish them according to their predicates. Analogous to the argument for the first group of transitions, here we have that the first component of a synchronization predicate  The following small technical example illustrates a policy that ensures memory access segmentation and, thus, avoids data races. Fig. 8 that represents a policy specification to prevent data races. Briefly, W accepts any asynchronous operation carried out by each thread individually (left loop). Instead, synchronous operations are only permitted in one case (right loop), i.e., when different bytes are accessed by the two threads.

Example 10 Consider the s-LTS W depicted in
As a final remark, note that the product of Example 9 complies to this policy. Intuitively, the reason is that, for all the transition's predicates of the product, there exists at least one satisfiable predicate among the policy's transitions.

Symbolic Natural Projection and Symbolic Quotienting
We now extend the results of Sect. 4 to the symbolic case. First we lift the natural projection to the traces of an s-LTS M. Afterwards, we define the quotient of M with respect to a pair of synchronization predicates, and give an algorithm for computing it. Finally, we state the relationships between the symbolic versions of natural projection and quotienting. In the following, we overload some names and symbols.

Definition 5.5 (Natural projection) Given two s-LTS
and two synchronization predicates ψ 1 ∈ Ψ 1 and ψ 2 ∈ Ψ 2 , the natural projection on M 1 of a trace σ of M 1 ψ 1 ,ψ 2 M 2 , in symbols P M 1 (σ ), is defined as follows: The natural projection on the second component M 2 is analogously defined. Also, we extend the natural projection to sets of traces in the usual way. Definition 5.6 (Symbolic natural projection) Given two s-LTS M 1 = (Q 1 , A 1 , Δ 1 , ı 1 ) and M 2 = (Q 2 , A 2 , Δ 2 , ı 2 ) and two synchronization predicates ψ 1 ∈ Ψ 1 and ψ 2 ∈ Ψ 2 , the symbolic natural projection on M 1 of a symbolic trace η of M 1 ψ 1 ,ψ 2 M 2 , in symbols Π M 1 (η), is defined as follows: The symbolic natural projection on the second component M 2 is analogously defined and we extend this definition to sets of traces in the usual way.
The inverse projection of a trace σ over an s-LTS and is lifted to sets as usual.

Lemma 5.1 For every s-LTSs M
We now lift the definition of quotienting a μ−equations' system Φ for s-LTSs. The symbolic quotienting operator is Φ/ / ψ 1 ,ψ 2 M, where ψ 1 and ψ 2 are the synchronization predicates for M and for the s-LTS to be synthetized, respectively. The schema is the same of Definition 3.8 except for the cases that handle modalities. Since we are dealing with a product of EBAs, the alphabet symbols are as in Definition 5.3. Moreover, the transitions of M are now labeled by a predicate ψ. Hence, an action d 1 in the scope of a modality is a synchronization only if it satisfies ψ 1 . Instead, if it satisfies ¬ψ 1 , it denotes an asynchronous transition. This results in checking the satisfiability of (ψ ∧ ψ 1 )(d 1 ) and (ψ ∧ ¬ψ 1 )(d 1 ), respectively. Definition 5.7 Given a top assertion Φ ↓ x over the EBA A 1 ψ 1 ,ψ 2 A 2 , we define its quotienting on a s-LTS M = Q, A 1 , Δ, ı , in symbols Φ ↓ x/ / ψ 1 ,ψ 2 M, as follows.
x s n = π ϕ/ / ψ 1 ,ψ 2 s n tt otherwise We next establish the correspondence between symbolic quotienting and symbolic natural projection. To this end, we must redefine the μ−calculus state semantics of Definition 3.5 (and therefore the trace semantics of Definition 3.6) which applies to LTSs, rather than s-LTSs. The new definition is straightforward since, given an s-LTS M = (Q, A, Δ, ı), it only requires introducing the following notation.
As was the case for standard LTS, the synchronous product of two s-LTSs satisfies a global equation system if and only if its components satisfy their quotients, i.e., their local assertions. Note that Lemma 5.1 lifts this result also to symbolic natural projection.

Theorem 5.2 For all M
if and only if any of the following equivalent statements holds:

Quotienting Algorithm
Before introducing the symbolic quotienting algorithm, we recall the definition of Minterms. Intuitively, Minterms are building blocks for translating an s-LTS into an LTS that accepts an isomorphic language. Based on the predicates appearing on transitions, Minterms partition the EBA domain into a finite number of satisfiability regions. It is immediate then to define an isomorphism between these regions and a finite alphabet. Note however that the transitions of the resulting LTS are exponentially many with respect to those of the original s-LTS. The details of our translation are given inside the correctness proof in the "Technical Appendix".
Since our symbolic quotienting algorithm manipulates an s-LTS P encoding a specification over a parallel product M ψ 1 ,ψ 2 N , the predicates on the transitions of P are four-tuples (see Definition 5.4). Therefore the same holds for Minterms(P).
The symbolic quotienting algorithm is given in Table 4. It has the same structure of the algorithm of Table 2, thus we focus here on explaining the relationship between them.
As for the LTS case, our algorithm consists of two main procedures and an auxiliary one. The first, called quotient (Table 4), builds a non-deterministic s-LTS whose states are pairs, given a specification P, an agent M, and a pair of synchronization predicates ψ 1 and ψ 2 . The labels record whether they derive from a transition of M (ψ M ∧ ψ P| 1 ∧ ¬ψ 1 ), of P (ψ P| 2 ∧ ¬ψ 2 ), or whether they denote a synchronization with P (ψ P| 4 ∧ ψ 2 ), provided that sat A (ψ M ∧ ψ P| 3 ∧ ψ 1 ). The second procedure is unify, which differs from the analogous one in Table 3 because Minterms are used in place of plain action labels. The same holds for the auxiliary ∧-move, where the states in the intersection must be reachable through a transition (labeled with ϕ ) that is compatible with the Minterm predicate ϕ, in symbols sat B (ϕ ∧ ϕ ).
Also the symbolic quotienting algorithm is correct with respect to the previous quotienting operator (see the "Technical Appendix"). As expected, it runs in EXPTIME, because of the satisfiability requirements and because the number of Minterms grows exponentially with the transitions of the s-LTS. Of course, one can beforehand transform an s-LTS in an LTS by using Minterms and apply the quotienting algorithm of Sect. 4. The overall process still requires EXPTIME. However, the partial specification obtained in this way will be in the form of an LTS, thus lacking the expressive power of the corresponding s-LTS obtained through symbolic quotienting. Table 4 The symbolic quotienting algorithm for s-LTS Fig. 9 The s-LTS corresponding to W / / ψ 1 ,ψ 2 M 1 . Bold edges denote transitions inΔ * Example 11 We apply the algorithm of Table 4 to compute the quotient W / / ψ 1 ,ψ 2 M 1 , where W is the specification of Example 10 depicted in Fig. 8, M 1 is the s-LTS of the consumer of Example 8, First notice that (for some q and q ) each transition inΔ λ has the form (q, ψ M ∧ ψ P| 1 ∧ ¬ψ 1 , q }). However, ψ M ∧¬ψ 1 is satisfiable only if the sub-formula α(X , n) : X = L ∧ X = L is satisfiable, which is trivially false. For this reasonΔ λ = ∅.
SinceΔ λ = ∅, the set of transitions of the resulting s-LTS is given byΔ B ∪Δ * . Figure 9 shows this, where we use different edge thickness to distinguish between the transitions of Δ B andΔ * .

Related Work
Natural projection is mostly used by the community working on control theory and discreteevent systems. In the 1980s, the seminal works by Wonham et al. (e.g., [41,42]) exploited natural projection-based algorithms for synthesizing both local and global controllers. Other authors continued this line of research and proposed extensions and refinements of these methods, see e.g., [18,19,30,39].
Partial model checking has been successfully applied to the synthesis of controllers. Given an automaton representing a plant and a μ-calculus formula, Basu and Kumar [7] compute the quotient of the specification with respect to the plant. The satisfiability of the resulting formula is checked using a tableau that also returns a valid model yielding the controller. Their tableau works similarly to our quotienting algorithm, but applies to a more specific setting, as they are interested in generating controllers. In contrast, Martinelli and Matteucci [32] use partial model checking to generate a control process for a partially unspecified system in order to guarantee compliance with respect to a μ-calculus formula. The generated controller takes the form of an edit automaton [8]. A quotienting-based approach was also proposed for real-time [29] and hybrid [12] systems. These paradigms aim to accurately model the behavior of, e.g., cyber-physical systems.
Some researchers have proposed techniques based on the verification of temporal logics for addressing the controller synthesis problem. Arnold et al. [5] were among the first to control a deterministic plant with a μ-calculus specification. Also Ziller and Schneider [43] and Riedweg and Pinchinat [34] reduce the problem of synthesizing a controller to checking the satisfiability of a formula in (a variant of) the μ-calculus. A similar approach was presented by Jiang and Kumar [25] and Gromyko et al. [22]. Similarly to [43] and [34], [25] present an approach that reduces the problem of synthesizing a controller to that of checking a CTL formula's satisfiability. In contrast, [22] proposes a method based on symbolic model checking to synthesize controllers. Their approach applies to a fragment of CTL.

Conclusion
Our work provides results that build a bridge between supervisory control theory and formal verification. In particular, we have formally established the relationship between partial model checking and natural projection by reducing natural projection to partial model checking and proving their equivalence under common assumptions. Besides using plain Labeled Transition System for expressing system specifications, we also considered symbolic Labeled Transitions System, whose transitions carry predicates on elements from possibly infinite boolean algebras, instead of letters. Dealing with this richer model required us to introduce new notions, including a new symbolic synchronous product and new symbolic versions of partial model checking and natural projection.
Aside from establishing novel and particularly relevant connections, our work also opens new directions for investigation. Since (symbolic) natural projection is related to language theory in general, there could be other application fields where (symbolic) partial model checking can be used as an alternative. The original formulation of partial model checking applies to the μ-calculus, while our quotienting algorithm works on (symbolic) Labeled Transitions Systems. To the best of our knowledge, no quotienting algorithms exist for formalisms with a different expressive power, such as LTL or CTL, let alone symbolic variants of them.
We are also developing PESTS, a working prototype to handle both LTSs and s-LTSs. The source code and the documentation of our tool are available at https://github.com/gabrielecosta/pests, along with the experiments mentioned below. The performance of PESTS was experimentally assessed in [13] and the results are on the website under the heading "TACAS Experiments". The experiments consisted in solving instances of increasing size of CSP and SCP for LTSs modeling an Unmanned Aerial Vehicles delivery system. Furthermore, we applied PESTS to a more realistic case study concerning the verification of the LTSs modeling a Flexible manufacturing system, 3 available under the heading "Flexible manufacturing system".

A.1 GPUVerify
Below we show an excerpt of the output generated by GPUVerify [9], when executed on our example kernel producer-consumer.c in Fig. 1. The first line invokes the tool. The second line reports the false positive, i.e., that a write-read race is detected on the first byte of L. The rest of the output compares the instructions of the two components that cause the data race.

A.2 Technical Proofs
Here we prove the lemmata and theorems of the paper. We also introduce some relevant definitions on S-LTSs. To start, we introduce an auxiliary definition that roughly acts as a quotienting of an environment ρ. Below, we will write i∈I ρ i for the finite composition of functions ρ i over the elements of an index set I .

Definition A.1 Given a synchronous product
The following lemma intuitively states that quotienting an assertion (and an environment) preserves the semantics, i.e., a state s A , s B satisfies φ if and only if s B satisfies the quotient of φ on B. Indeed, the following statement can be rewritten as φ/ / Σ B s A ∇ B (ρ) = {s B | s A , s B ∈ φ ρ }. A, B, ρ, and φ on A B, s A ,

Lemma A.1 For all
Proof By induction over the structure of φ.
-Cases tt and ff . Trivial.
-Case x. By the definition of ∇ B (ρ).
Then we consider three exhaustive cases.
a ∈ Σ A \Γ . Here s B = s B and (1)  We next extend Lemma A.1 to a system of equations, providing an alternative view of quotienting an assertion on a component of a synchronous product.
where U * is the fixed point computed according to Definition 3.5. Thus, we have that By the induction hypothesis, this reduces to As a consequence, we rewrite (3) to 4 which, after repeatedly applying Definition 3.5 to each element s ∈ S A turns out to be The following corollary is immediate (recall that x s A is the variable corresponding to the quotient of x on s A ). A, B, ρ, x, and Φ on A B,

Theorem 3.1 For all A, B, x, and
Proof By Definition 3.6, it suffices to establish which holds if and only if We conclude by Corollary A.1.

Theorem 3.2 For all A, B, x and Φ on A B,
if and only if any of the following equivalent statements holds: Proof The equivalence of items 1 and 2 and A B | ς Φ ↓ x is in Andersen95partialmodel (with the additional use of Theorem 3.1). The other equivalences follow immediately by Theorem 3.1 (and by the commutativity of ).
We now lift the needed definition and the results above to the symbolic case.

Lemma 5.1 For every s-LTSs M
and synchronization predicates ψ 1 ∈ Ψ 1 and ψ 2 ∈ Ψ 2 the following holds Proof From now on we assume i = 1 as the case for i = 2 is symmetric. We start by observing that, by definition, for every s-LTS M holds that s2c(tr(M)) = M . Thus we rewrite the proof statement as Then we prove by induction that ∀η.s2c(Π M 1 (η)) = P M 1 (s2c(η)). 4 Notice that the order of the x s equations is immaterial as they form a π -block.
The following definition extends Definition A.1.
Now we extend to the symbolic case the auxiliary lemmata A.1 and A.2.

Lemma A.3 For all M
Proof We proceed by induction over φ. The only interesting cases are those for the two modalities, that is, d φ and [d]φ . Each modality only admits three sub-cases depending on whether d = (d 1 , 1), d = (d 2 , 2) or d = ( d 1 , d 2 , 3). We show the first case as the other case is symmetric.
and Φ on the EBA A 1 ψ 1 ,ψ 2 A 2 , we have that which, after repeatedly applying Definition 3.5 to each element s ∈ Q 1 reduces to with all the equations of the following form, where α ∈ Σ A \Γ , β ∈ Σ B \Γ and γ ∈ Γ .
Trivially, the equation system described above corresponds to the non-deterministic transition system obtained by the quotient algorithm. A state (s, r ) results in a variable associated to an assertion that characterizes the outgoing transitions distinguishing among (1) a is required but not done, (2) a is not allowed, (3) λ moves, (4) Σ B , and (5) Γ actions.
Correctness To conclude, we show that all the steps of the algorithms described above correspond to valid transformations, i.e., they preserve equivalence. A detailed description of the first two transformations can be found in [3].
-Constant propagation is applied to remove equations of the form x = μ ff . This step is carried out by the quotient algorithm when removing the corresponding states from the transition system. -Unguardedness removal carries out the following transformation.
All the occurrences of y in the first equation are replaced with the assertion associated to y. Note that this transformation only applies if all the occurrences of y are unguarded, i.e., not under the scope of any modal operator, in the first equation. Also, we extend it to remove redundant recurrences, namely we transform x = μ ϕ ∧ x in x = μ ϕ. In our algorithm, this operation corresponds to a λ-closure. -Variable introduction requires more attention. It is simple to verify that the previous transformations do not preserve the structure of our equations. Indeed, unguardedness removal can introduce in the assertions more instances of the same action modality, while we require exactly one. Concretely, the assertions have the form where v stands for either a variable or ff . If some of the v a i are equal to ff , .). Thus, we replace the conjunctions of variables with [a](y {1,...,k} ) and we introduce a new equation y {1,...,k} = μ y 1 ∧· · ·∧ y k . Clearly, the number of these new variables is bounded by 2 |S| . This transformation, plus unguardedness removal, corresponds to the ∧-move operation. It is simple to see that these transformations restore the format of our encoding, thus denoting an LTS that is the output of our algorithm.
Correctness for s-LTS The proof consists of two steps. We start by defining a translation procedure from an s-LTS M to an isomorphic LTS A M . Our translation is based on the standard Minterms construction algorithm (see [16] for a detailed description). Then, we show that the symbolic quotienting algorithm applied to the s-LTSs P and M returns an s-LTS N such that its translation A N is isomorphic to the output of the quotienting algorithm of Sect Our LTS translation is slightly different. In particular, we construct a labeling function that can be applied to both the s-LTSs of a product so that synchronous transitions are mapped to the same symbol. To this end we apply the Minterms construction to the policy s-LTS P.
Recalling that the EBA of P is A ψ 1 ,ψ 2 B, the definition of Minterms(P) is specialized to which, by definition of , reduces to Note that, by the definition of A ψ 1 ,ψ 2 B, all the predicates ϕ ∈ F belong to three distinguished groups, i.e., ϕ | 1 , ⊥, ⊥ , ⊥, ϕ | 2 , ⊥ or ⊥, ⊥, ϕ | 3 , ϕ | 4 . Thus, there cannot exist any ϕ I ∈ Minterms(P) such that I contains two or more predicates belonging to different groups (since the ⊥ elements would cause such predicate to be unsatisfiable). As a consequence, Minterms(P) preserves these three groups and, possibly, introduces an element for ϕ ∅ .
Starting from Minterms(P), we define two labeling functions f Given an s-LTS M = A, Q, ı, Δ the LTS isomorphic to M (w.r.t. f The LTS isomorphic to P is obtained by applying the labeling function f = f . Note that f is defined. In fact, the domain of f ψ 1 A are the formulas of type ϕ | 1 , ⊥, ⊥ or ⊥, ⊥, ϕ | 3 , ϕ | 4 , whereas the domain of f ψ 2 B are the formulas of type ⊥, ϕ | 2 , ⊥ or ⊥, ⊥, ϕ | 3 , ϕ | 4 (see above). Moreover, the two functions map the formulas belonging to the intersection of their domains to the same values. The only exception is for ϕ ∅ . Indeed f . Nevertheless, we can simply ignore this case as, by construction, ∀s.s ω A −→ and s ω B −→, that is, none of the transitions of P can occur when ϕ ∅ is true. Thus the LTS isomorphic to P = A ψ 1 ,ψ 2 B, Q, ı, Δ is A P = Q, Σ A ∪Σ B ∪Γ , →, ı where To finish, we must show that, given isomorphic inputs, the two algorithms generate isomorphic outputs. To do that we prove that each step of the algorithms preserves the isomorphism. The first step is to show the mapping between the three transition functions of the symbolic quotienting algorithm, i.e.,Δ λ ,Δ B andΔ * , and the three cases of quotienting algorithm, see Table 2 line 3.
To conclude, we observe that there is a plain correspondence between the steps of the two unify procedures with the exception of line 6. However, the transition isomorphism provides us with the required correspondence. This holds because Minterms(P) is tripartite in a way that the elements of each partition are mapped to Γ , Σ B \Γ , and Σ A \Γ . Thus, the restriction to their second and fourth components limits this mapping to Σ B (note that ω B cannot occur on the transitions of B as ϕ ∅ is never satisfied when in conjunction with any other predicate).

A.4 Complexity
We estimate the worst case complexity of the quotient algorithm of Sect. 4. For simplicity, we assume that |Γ | = |Σ A \Γ | = |Σ B \Γ | = m and |S A | = |S P | = n. The first part, i.e., the generation of the non-deterministic transition system, requires at most | → P | · | → A | ≤ n 4 m 2 steps (since both P and A have at most n 2 m transitions). The resulting transition system has at most n 2 states.
Concerning unify, we first observe the following facts. The algorithm works on the λclosures of the states of the non deterministic transition system B. Similarly to the ε-closures of an NFA, they can be computed in advance (see [24]). The cost is cubic with respect to the number of states, i.e., O(n 6 ) in our case. The total number of closures is bounded by n 2 .
At each step, ∧-move computes the sets of the reachable states with a transition labeled by a = λ, starting from one of the closures (which has size at most n 2 ). Since B is built from P and A, both deterministic, for each symbol a and pair of states there is at most one transition labeled with a. Thus, having n 2 states and 2m symbols in Σ B , there are no more than 2n 4 m Σ B -transitions. Thus, in 2n 4 m we obtain the set on which we compute the λ-closure. Recall that we already computed them, so we just need to select the required one.
To conclude, we observe that ∧-move is iterated at most n 2 m times. Indeed, if q, q ∈ λclose({q}) such that q = q and q a − → q (for some a ∈ Σ B ) then q / ∈ λ-close(q ). Therefore, the number of λ-closures stored in S, and thus the algorithm iterations cannot exceed n 2 · 2m. Hence, the overall complexity is O(2n 4 m · n 2 · 2m) = O(n 6 m 2 ).
We already discussed in Sect. 5 the complexity of the symbolic quotienting algorithm.