Higher-Order Quantifier Elimination, Counter Simulations and Fault-Tolerant Systems

We develop quantifier elimination procedures for fragments of higher order logic arising from the formalization of distributed systems (especially of fault-tolerant ones). Such procedures can be used in symbolic manipulations like the computation of pre/post images and of projections. We show in particular that our procedures are quite effective in producing counter abstractions that can be model-checked using standard SMT technology. In fact, very often in the current literature verification tasks for distributed systems are accomplished via counter abstractions. Such abstractions can sometimes be justified via simulations and bisimulations. In this work, we supply logical foundations to this practice, by our technique for second order quantifier elimination. We implemented our procedure for a simplified (but still expressive) subfragment and we showed that our method is able to successfully handle verification benchmarks from various sources with interesting performances.


Introduction
There is an increasing interest concerning algorithmic methods (and, in particular, quantifier elimination methods) applying to second order logic, as witnessed by recent dedicated workshops [40]. Quoting from the textbook [25] "In recent years there has been an increasing use of logical methods and significant new developments have been spawned in several areas of computer science, ranging from artificial intelligence and software engineering to agent-based systems and the semantic web. In the investigation and application of logical methods there is a tension between: (i) the need for a representational language strong enough to express domain knowledge of a particular application, and the need for a logical formalism general enough to unify several reasoning facilities relevant to the application, on the one hand, and (ii) the need to enable computationally feasible reasoning facilities, on the other hand. Second-order logics are very expressive and allow us to represent domain knowledge with ease, but there is a high price to pay for the expressiveness. Most second-order logics are incomplete and highly undecidable. It is the quantifiers which bind relation symbols that make second-order logics computationally unfriendly. It is therefore desirable to eliminate these second-order quantifiers, when this is mathematically possible; and often it is." However, most known applications of second-order quantifier elimination concern modallike logics or knowledge representation area (see again [25]), with limited -if not negligible at all -impact on other areas of computer science, like formal methods. In this paper, we are partially filling this gap, by developing specialized second order elimination techniques applying to the verification of distributed (especially fault-tolerant) algorithms. In designing the fragments of second order logic to which our algorithms apply, we are strictly guided by our intended main applications, although we feel that our contribution could be interesting also in a general logical context.

The Challenge of Verification of Distributed Systems
The automated, formal verification of distributed algorithms is a crucial, although challenging, task. The processes executing these algorithms communicate with one another, their actions depend on the messages received, and their number is arbitrary. These characteristics are captured by so called reactive parameterized systems. The task of validating or refuting properties of these systems is daunting, due to the difficulty of limiting the possible evolutions, thus having to deal with genuinely infinite-state systems.
Building accurate declarative models of these systems requires powerful formalisms, involving arrays [28], [29] and, in the fault-tolerant case, also some fragment of higher-order logic [21], [4] (this is needed in order to have some form of comprehension to play with cardinalities of definable sets). On the other hand, for a long time, it has been observed that counter systems [18,19,22] can be sufficient to specify many problems (like cache coherence or broadcast protocols) in the distributed algorithms area. Recently, counter abstractions have been effectively used also in the verification of fault-tolerant distributed protocols [3,34,35,38]. It should be noticed that, unlike what happens in the old framework of [18,19,22], these new applications are often (although not always) based on abstractions that can only simulate the original algorithms and such simulation may sometimes be the result of an apriori reasoning on the characteristics of the algorithm, embedded into the model. Despite this fact, all runs from the original specifications are represented in the simulations with counter systems (this is in fact the formal content of the notion of a 'simulation'), thus for instance safety certifications for the simulating model apply also to the original model. The advantage of this approach is that, as it is evident e.g. from the experiments in [3], verification of counter systems is very well supported by the existing technology. In fact, although basic problems about counter systems are themselves undecidable, the sophisticated machinery (predicate abstraction [24], IC3 [17,32], etc.) developed inside the SMT community leads to impressively performing tools like μZ [33], nuXmv [13], SeaHorn [31].... which are nowadays being used to solve many verification problems regarding counter systems.
Being conscious that building simulations requires in any case some human interaction, we tried to build in this paper a uniform framework. Our framework relies on recent powerful techniques for deciding cardinality and array constraints [4,6,43]; we shall exploit these techniques in order to obtain quantifier elimination results in a higher order context. Via these quantifier elimination results, we shall show how to automatically build the best possible counter simulations users can obtain once they fix (i) the specification of the system, (ii) possibly some helpful invariants and (iii) the counter variables involved in the projected simulation (such variables are cardinality counters for definable sets). We demonstrate the effectiveness of our approach by producing, for some common benchmarks, counter systems simulations which are effectively model-checked by current SMT-based tools.

A Toy Example
Let us begin by illustrating our methodology via a first example, the MESI protocol (the same simple technique applies to all examples from e.g. [2]). The MESI protocol is a cache coherence protocol; here we analyze the simplified version reported in the extended version of [2] (in Appendix A.3 in the supplementary material we shall make a detailed analysis of the original algorithm from [47]). We have a finite set Proc of N identical processes; each process i can take a local state L(i) within the enumerated set

Data = {(m)odified, (e)xclusive, (s)hared, (i)nvalid} .
Initially all processes are in state i and the system can evolve from L to L according to one of the four nondeterministic rules: For i = 1, . . . , 4, we let (τ + i ) be the conjunction of (τ i ) with the 8 equalities (1)-(2) above. A similar transformation is done for the formula (ι), expressing the system initialization, namely ∀i L(i) = i: this is modified to (ι + ) by conjoining to it the first 4 equations above (namely the equations (1)). Now, observe that the safety property we are interested in, namely that processes in state m cannot coexist with processes in state s, can be expressed in terms of arithmetic properties of our counters as z m > 0 → z s = 0. Thus, from an observational point of view, only counter arithmetics is relevant.
How to approximate the whole specification of the system using just the above counters? The idea is to existentially quantify and then eliminate the higher order variable L from the formulae (ι + ), (τ + 1 ) − (τ + 4 ): we shall see that this is possible in this and in many cases. In our case, after applying the quantifier elimination procedure, we get In this new system, the only variables are the arithmetic variables z i , z s , z e , z m ; we will show that the new system simulates the old system 'in the best possible way' (in the sense formally explained in Sect. 4.1) using the variables z i , z s , z e , z m . 1 Since the property to be checked is a safety property, we can hope to check it for the new (simpler) system: if we succeed, we get the desired safety certification for the original system. This is in fact what happens: an SMT-based tool like μZ or nuXmv (among others) is able to solve the new safety problem instantaneously.

Our Four-Steps Plan
It should now be clear what is our general strategy: (1) system specifications are formulated in higher order logic, i.e. using a declarative formalism which is sufficiently expressive and close to informal specifications; (2) counters for definable sets are added by the user to the system specification, in such a way that the observationally relevant properties can be reformulated as arithmetic properties of these counters; (3) higher order variables are eliminated, by applying an automatic procedure; (4) the resulting system is finally model-checked by using an SMT-based tool for counter systems.
In this plan, only steps (1)-(2) require manual intervention (we shall better discuss these steps in Sect. 7); step (3) is effective every time the syntactic restrictions for our quantifier elimination procedures are matched; step (4) is subject to two risks, namely the fact that model-checkers may not terminate on such (often undecidable) arithmetical problems and the fact that simulations may introduce spurious traces. Non-termination, giving the actual state of the art (much progress has been made both at the theoretical and at the practical level) is less frequent than one can imagine. There are positive theoretical results: besides classical achievements [1,28] showing that backward search terminates for coverability problems whenever system states carry a wqo ordering, additional recent results [39] show that the system diameter may be (unexpectedly!) finite, thus reducing search to bounded model checking. Concerning the second risk, notice that if spurious traces arise, they can be recognized because SMT-tools supply concrete numerical values for counterexamples; then, one can try to go back to step (2) and to refine the abstraction by adding more counters for definable sets. In fact, the design of a good counter abstraction for a specific property to be verified requires some manual ingenuity, because it is true that our results guarantee the existence of a best counter abstraction once the integer variables are fixed, but one can get better and better counter abstractions by adding further integer variables expressing the cardinality of definable finite sets. One should not however exceed with the number of these variables: adding a full set of counters for e.g. n Boolean flags requires an exponential number of counters, which may be unfeasible and cause SMT-based model checkers to get in trouble in the final verification phase. In principle, it might also be the case that no invariant involving just arithmetic counters exists (in which case all attempts relying on counter abstractions are bound to fail), but both theoretical results and practical experiments show that very often counter abstractions are successful.

Structure of the Paper
The paper is structured as follows: in Sect. 2 we supply syntactic background and in Sect. 3 we state and prove our quantifier elimination results. In Sect. 4 we introduce our formalism for system specifications and show how quantifier elimination can be used to compute arithmetic projections (i.e. best counter simulations). Section 5 shows how a restricted (more tractable) format for system specifications can be handled inside our tool ArcaSim; Sect. 6 describes the set of benchmarks used in our experiments and report ArcaSim performances. Finally, in Sect. 7 we discuss related and future work. In the electronic Appendix A in the supplementary material we run three representative examples in full detail; the electronic Appendix is available on the publisher website. Preliminary versions of the material included in this paper were presented in the Workshops [26,27].

Higher Order Logic and Flat Constraints
In order to have enough expressive power, we use higher order logic, more specifically Church's type theory (see e.g. [7] for an introduction to the subject). 2 It should be noticed, however, that our primary aim is to supply a framework for model-checking and not to build a deductive system. Thus we shall introduce below only suitable languages (via higher order signatures) and a semantics for such languages -such semantics can be specified e.g. inside any classical foundational system for set theory. In addition, as typical for model-checking, we want to constrain our semantics so that certain sorts have a fixed meaning: the primitive sort Z has to be interpreted as the (standard) set of integers, the sort Ω has to be interpreted as the set of truth values {tt, ff}; moreover, some primitive sorted operations like +, 0, S (addition, zero, successor for natural numbers) and ∧, ∨, →, ¬ (Boolean operations for truth values) must have their natural interpretation. Some sorts might be enumerated, i.e. they must be interpreted as a specific finite 'set of values' {a 0 , . . . , a k }, where the a i 's are mentioned among the constants of the language and are assumed to be distinct. Finally, we may ask for a primitive sort to be interpreted as a finite set (by abuse, we shall call such sorts finite): for instance, we shall constrain in this way the sort Proc modeling the set of processes in a distributed system. In addition, if a sort is interpreted into a finite set, we may constrain some numerical parameter (typically, the parameter we choose for this is named N) to indicate the cardinality of such finite set. The notion of constrained signature below incorporates all the above requirements in a general framework. A constrained signature Σ consists of a set of (primitive) sorts and of a set of (primitive) sorted function symbols, 3 together with a class C Σ of Σ-structures, called the models of Σ. Using primitive sorts, types can be built up using exponentiation (= functions type); terms can be built up using variables, function symbols, as well as λ-abstraction and functional application.

Remark 1
In the standard model-checking literature, C Σ is a singleton; here we must allow many structures in C Σ , because our model-checking problems are parametric: the sort modeling the set of processes of our system specifications must be interpreted onto a finite set whose cardinality is not a priori fixed. Our definition of a 'constrained signature' is analogous to the definition of a 'theory' in SMT literature; in fact, in SMT literature, a 'theory' is just a pair given by a signature and a class of structures. When transferred to a higher order context, such definition coincides with that of a 'constrained signature' above (thus our formal framework is very similar to e.g. that of [51]).
Our constrained signatures always include the sort Ω of truth-values; terms of type Ω are called formulae (we use greek letters α, β, . . . , φ, ψ, . . . for them). For a type S, the type S → Ω is indicated as ℘ (S) and called the power set of S; if S is constrained to be interpreted as a finite set, Σ might contain a cardinality operator : ℘ (S) −→ Z, whose interpretation is assumed to be the intended one ( s is the number of the elements of s -as such it is always a nonnegative number). If φ is a formula and S a type, we use {x S | φ} or just {x | φ} for λx S φ. We assume to have binary equality predicates for each type; universal and existential quantifiers for formulae can be introduced by standard abbreviations (see e.g. [44]). We shall use the roman letters x, y, . . . , i, j, . . . , v, w, . . . for variables (of course, each variable is suitably typed, but types are left implicit if confusion does not arise). Bold letters like v (or underlined letters like x) are used for tuples of free variables; below, we indicate with t(v) the fact that the term t has free variables included in the list v (whenever this happens, we say that t is a v-term, or a v-formula if it has type Ω). The result of a simultaneous substitution of the tuple of variables v by the tuple of (type matching) terms u in t is denoted by t(u/v) or directly as t(u).
Given a tuple of variables v, a Σ-interpretation of v in a model M ∈ C Σ is a function I mapping each variable onto an element of the correponding type (as interpreted in M). The evaluation of a term t(v) according to I is recursively defined in the standard way and is written as t M,I . A Σ-formula φ(v) is true under M, I iff it evaluates to tt (in this case, we may also say that v M,I satisfies φ); φ is valid iff it is true for all models M ∈ C Σ and all interpretations I of v over M. We write | Σ φ (or just | φ) to mean that φ is valid and φ | Σ ψ (or just φ | ψ) to mean that φ → ψ is valid; we say that φ and ψ are Σ-equivalent (or just equivalent) iff φ ↔ ψ is valid.

Flat Cardinality Constraints
Let us fix a constrained signature Σ for the remaining part of the paper. Such Σ should be adequate for modeling parameterized systems, hence we assume that Σ consists of: (i) the integer sort Z, together with some parameters (i.e. free individual constants) as well as all operations and predicates of linear arithmetic (namely, 0, 1, +, −, =, <, ≡ n ); (ii) the enumerated truth value sort Ω, with the constants tt, ff and the Boolean operations on them; (iii) a finite sort Proc, whose cardinality is constrained to be equal to the arithmetic parameter N (in the applications, this sort is used to represent the processes acting in our distributed systems); (iv) a further sort Data, with appropriate operations, modeling local data; we assume that (a) first-order quantifier elimination holds for Data, meaning that all first-order formulae built up from Data-atoms (i.e. from variables of type Data using operations and predicates relative to the sort Data) are equivalent to quantifier-free ones; (b) ground (i.e. variable-free) Data-atoms are equivalent to ⊥ or to . In principle, we could consider having finitely many signatures for data instead of just one, but this generalization is only apparent because one can use product sorts and recover component sorts via suitable pairing and projection operations.
If Data is an enumerated sort, we call Σ finitary; the subsignature Σ 0 of Σ obtained by restricting to sorts and operations in (i)-(ii) is called the arithmetic subsignature of Σ.
In the syntactic definitions below, we freely take inspiration from [4], however the present framework is greatly simplified because we do not view Proc as a subsort of Z, like in [4]; in addition, notice that Σ does not contain operations or relation symbols specific to the sort Proc (apart from equality) -this restriction reduces terms of sort Proc to just variables.
Below, besides integer variables (namely variables of sort Z), data variables (namely variables of sort Data) and index variables (namely variables of sort Proc), we use two other kinds of variables, that we call array-ids and matrix-ids. An array-id is a variable of type Proc → Data or of type Proc → Z and a matrix-id is a variable of type Proc → (Proc → Data) or of type Proc → (Proc → Z). Array-ids and matrix-ids of codomain sort Z are called arithmetical array-ids or matrix-ids; if Data is enumerated, array-ids and matrix-ids of codomain sort Data are called finitary. If M is a matrix-id and i, y are index variables, we may write M i (y) or M(i, y) instead of M(i)(y).
Let us now introduce some useful classes of formulae. -Open formulae: these are built up from atomic formulae containing arithmetic parameters and the above mentioned variables, using Boolean connectives only (no binders, i.e. no λ-abstractors and no quantifiers). -1-Flat formulae: these are formulae of the kind φ( where φ(z 1 , . . . , z n ), ψ 1 , . . . , ψ n are open and x is a variable of type Proc. -Given an index variable i, a formula φ is said to be i-uniform with respect to a matrix-id M (resp. an array-id a) iff i is not used as a bounded variable in φ and the only terms occurring in φ containing an occurrence of M (resp. of a) are of the kind M i (y) (resp. a(i)) for a variable y. Notice that, some quantified formulae can be rewritten as 1-flat formulae: for instance Remark 2 1-Flat formulae of this paper are slightly different from the flat formulae of [4,5] (they roughly correspond to the flat formulae of degree 1 of [5]); the definition here is not recursive and is simplified by the fact that we do not have nonvariable terms of type Proc; on the other hand, we allow matrix-ids to occur in our formulae, whereas the syntax of [4,5] is restricted to array-ids.

Remark 3
In the applications, we typically use matrix-ids M(i, x) in the finitary case where Data is the set of Boolean truth values: M(i, x) asserts for instance that x sent a message of a certain type to i. This allows to count the number of such messages received by i via the term {x | M(i, x)} (according to our notational conventions, this is the term {x | M i (x)}). The definition of a i-uniform formula is meant precisely to make such terms available: they are used in order to formalize standard benchmarks like the byzantine broadcast primitive protocol (see Appendix A.1 in the supplementary material).

Quantifier Elimination
In this technical section we state and prove the quantifier elimination results we need. Let us fix a constrained signature Σ like in Sect. 2.1. We first investigate in a closer way our open formulae. Notice first that if an open formula is pure (i.e. it does not contain array-ids or matrix-ids), then it is a Boolean combination of arithmetic, index or data atoms, where: -arithmetic atoms are built up from variables of sort Z, parameters (i.e free constants of sort Z), by using =, <, ≡ n as predicates and +, −, 0, 1 as function symbols; -index atoms are of the kind i = j, where i, j are variables of sort Proc (we do not consider further operations and predicates for this sort -apart from equality -in this paper); -data atoms are built up from variables of sort Data by applying some specific set of predicates and operations (predicates include equality, all arguments of such predicates and operations are of type Data).
By assumption (see Sect. 2.1), quantifier elimination holds for first-order Data-formulae, but this result extends very easily to all pure first-order formulae. We state this formally as a Lemma:

Lemma 1 Any pure first-order formula is equivalent to an open pure first-order formula.
Proof Using prenex formula transformations, it is sufficient to show how to eliminate a quantifier ∃x α, where α is open and pure. Actually, using disjunctive normal forms, we can assume that α is a conjunction of literals. Pushing the existential quantifier inside, we can assume that such literals are all arithmetic, all index or all data literals, depending on the sort of x. The case of arithmetic literals is covered by Presburger quantifier elimination [49], whereas the case of data literals is covered by our assumption. It remains to consider the case of index literals; excluding trivial cases where the existential quantifier is redundant or eliminable by substitution, we are left with the case where α is x = y 1 ∧ · · · ∧ x = y n . By introducing a disjunction of cases (and by distributing the existential quantifier over such disjunction and removing redundant variables), we reduce to a disjunction of formulae of the kind The latter is equivalent to N >n ∧ i = j y i = y j , wheren is 1 + · · · + 1 (n -times).
In case array-ids and matrix-ids do not occur, 1-flat formulae can also be trivialized: 4

Lemma 2 A 1-flat formula without array-ids and matrix-ids is equivalent to a pure formula.
Proof Let us eliminate subterms t of the kind {x | α} (with pure α) inside a pure formula φ. We can first remove from α arithmetic and data atoms, as well as index atoms not containing x, by the following equivalence (let A be the atom to be removed): By Venn regions decomposition, we can assume that α is a conjunction of literals: in fact, if {α 1 , . . . , α k } is a Venn regions decomposition of α, then {x | α} is sematically equal to k j=1 {x | α j }. In addition, if t is of the kind {x | x = i ∧ α}, we can remove it using the equivalence: Thus we are left only with the case in which t is {x | n s=1 x = i s }; we can also assume that φ entails s =s i s = i s (otherwise we can force this by making φ a disjunction of case distinctions). Then we can remove t using Once all t are removed (one by one), the statement is proved.
It is now convenient to introduce a notation for open (not necessarily pure) formulae (from now on we shall reserve the letters α, β, . . . to first-order pure formulae, to recognize them).
where α(z, k, e, d) is pure, z is a tuple of arithmetic variables, k is a tuple of index variables, d is a tuple of data variables, a is a tuple of array-ids (the e might be arithmetic or Datavariables depending on the types of the a); if a = a 1 , . . . , a n and k = k 1 , . . . , k m , then a(k) is the tuple . . , a n (k 1 ), . . . , a n (k m ) so that the matching tuple of arithmetic or data variables e can be indexed as e 11 , . . . , e nm . A 1-flat formula without matrix-ids is then written as or (with some abuse of notation) shortly as where β is a tuple of formulae (we use the convention that {x | β} stands for the tuple of Displaying 1-flat formulae with matrix-ids requires an even more complex notation, that we will not use though. These notations are apparently cumbersome but have the merit of displaying the essential information on how our formulae are built up from pure formulae.

Lemma 3 If φ is an open formula and d are arithmetic and data variables, then ∃d φ is equivalent to an open formula.
Proof Let φ be α(z, k, a(k), d) as in (3) and let d be data variables. 5 Suppose that d = d d ; then ∃d α(z, k, e, d), by Lemma 1, is equivalent to a pure formula β(z, k, e, d ), so that, applying a substitution, ∃d α(z, k, a(k)/e, d) is equivalent to β(z, k, a(k)/e, d ), which is as desired. The case in which d are arithmetic variables is treated similarly.
We now state a first quantifier elimination result (this is essentially Theorem 4 from [5], we nevertheless report the proof for the sake of completeness): Theorem 1 Suppose that φ is a 1-flat formula containing the array ids a, a (and not containing matrix-ids); then the formula ∃a φ is equivalent to a formula ∃e ψ, where the e are arithmetic and data variables, ψ is 1-flat and contains only the array-ids a.
Proof We start with a formula having the form where k are index variables, z arithmetic variables and d data variables. We can first get rid of the terms a(k), a (k), as follows. Suppose that a = a 1 , . . . , a n , a = a 1 , . . . , a n and k = k 1 , . . . , k m ; we introduce new variables e = e 11 , . . . , e nm , e 11 , . . . , e n m and rewrite (5) as Thus it will be sufficient to eliminate the ∃a from formulae of the kind (here the d include the old d and the e -the latter are existentially quantified and will remain such in the final outcome). If we suppose that β is β 1 , . . . , β t , we can set K := ℘ ({1, . . . , t}) and introduce for every r ∈ K a new existentially quantified arithmetic variable u r , thus rewriting (6) as where u is the tuple formed by the u r 's (varying r ) and β r is the 'Venn region' l∈r β l ∧ l / ∈r ¬β l ; the formula γ is obtained from γ 0 by replacing, for all l, the term {x | β l } with l∈r u r . Notice that at this point γ is pure and the new β r 's are a partition (i.e. they are mutually inconsistent and r β r is valid).
To continue, following the technique in [4], we need a further 'Venn region decomposition' (here data quantifiers ∃y can be eliminated using Lemma 3). We claim that the formula (7) is equivalent to the formula obtained by prefixing the existential quantifiers ∃u r (varying r ∈ K ), ∃u S (varying S ∈ ℘ (K )) and ∃u r ,S (varying S ∈ ℘ (K ) and r ∈ K ) to the formula Suppose that (8) is satisfied under the assignment I to the free variables occurring in it (for simplicity, we use the same name for a free variable and for the integer assigned to it by I). Let us assume that Proc is interpreted (up to a finite sets bijection) as the interval [0, N); we need to define for all i ∈ [0, N ) the tuple a (i) -namely a s (i), for all s = 1, . . . , n . For every r = 1, . . . , K this must be done in such a way that there are exactly u r elements taken (8) is true, we know that for every S ∈ ℘ (K ) the number of the i's such that i S = S is u S ; for every r ∈ S, pick u r ,S among them and, for these selected i, let the s-tuple a (i) be equal to an s-tuple y such that β r (z, i, k, a(i), y, d ) holds (for this tuple y, since the β r 's are a partition, β h (z, i, k, a(i), y, d ) does not hold, if h = r ). Since u S = r ∈S u r ,S and since S u S is equal to N (because the formulae r ∈S ∃y β r ∧ r / ∈S ∀y¬β r are a partition), the definition of the a is complete. The formula (7) is true by construction.
On the other hand suppose that the matrix of (7) is satisfiable under an assignment I; we need to find I(u S ), I(u r ,S ) (we again indicate them simply as u S , u r ,S ) so that (8) is true (the u r are already given since (7) is true). For u S there is no choice, since u S = {x | δ S (z, x, k, a(x), d )} must hold; for u r ,S , we take it to be the cardinality of the set of the i such that β r (z, i, k, a(i), a (i), d ) holds under I and S = {h ∈ K | ∃y β h (z, i, k, a(i), y, d ) holds under I}. In this way, for every S, the equality u S = r ∈S u r ,S holds and for every r , the equality u r = S∈℘ (K ),r ∈S u r ,S holds too. Thus the formula (8) becomes true under our extended I.
The following Corollary follows from Theorem 1 and Lemmas 2,1:

Corollary 1 Suppose that φ is a 1-flat formula containing the array ids a (and not containing matrix-ids); then the formula ∃a φ is equivalent to an open pure formula.
Notice that the above result (as it happens with all our quantifier elimination results) immediately implies that 1-flat formulae not containing matrix-ids are decidable for satisfiability.
If the sort Data is enumerated and all array-ids are finitary, we can improve Corollary 1 above by including an extra quantified variable, as shown in the following Theorem (the Theorem is useful for some benchmarks, see Appendix A in the supplementary material for an example): Proof Let Data be enumerated as {a 0 , . . . , a k }; let z be the arithmetic variables occurring freely in (9) and let k = k 1 , . . . , k n be the index variables occurring freely in (9) (thus i is not among the k and the y are not among the z). We can assume that the y are arithmetic variables because, since Data is enumerated, existential data variables can be elimitated via disjunctions. For simplicity, we assume that (9) contains only one array-id, let it be a. 6 Before working on the formula (9), it is better to make some preprocessing steps. Our final aim is to produce a formula logically equivalent to (9), which is a disjunction of existentially quantified formulae whose matrices are pure open formulae: in this way the extra existentially quantified variables we introduce can be eliminated in the very end using Lemma 1. We need also to introduce extra information to complete (9): this extra information is achieved by rewriting (9) as a disjunction (each disjunct formalizes a suitable guess) and by operating on each disjunct separately.
Concretely, we shall freely assume that ∀i ∃y φ in (9) is of the kind where • the formula Diff(k) says that the k are pairwise distinct (i.e. it is i = j k i = k j ): this can be assumed without loss of generality, because one can guess a partition (introducing a disjunction over all partitions) and make the appropriate replacements so as to keep only one representative for each equivalence class of variables; • since Data is enumerated we can guess (via a disjunction) for each k i the a l i which is the value of a(k i ) (then, all occurrences of the term in the remaining part of the formula can be replaced by this a l i ); • the u j are fresh arithmetic variables indicating the cardinality of the set of indices whose a-value is a j (these u j are the extra existentially quantified variables to be eliminated in the very end by Lemma 1); • β are open formulae as displayed and φ is a 1-flat formula as displayed (notice that the terms a(k i ) do not occur anymore here, because we can assume that they have been replaced by the corresponding a l i ).
We now operate further transformations on the subformula ∀i ∃y φ : we want to show that this formula is equivalent to a 1-flat formula (hence without the quantifier ∀i), so that the claim of the Theorem follows from an application of Corollary 1 and Lemma 1 -by these results in fact all quantified variables in (9) can be eliminated in favor of a pure open formula in which only the k, z occur. When manipulating ∀i ∃y φ below, we assume all the information we have from (10), namely that the k are all distinct and that the values of the a(k i ) are known.
As a first step, we can distinguish the case in which i is equal to some of the k from the case in which it is different from all of them; in the latter case, we can also guess the value of a(i). This observation shows that ∀i φ is equal to the conjunction of an open formula (expressing what happens if i is equal to any of the k) with the conjunctions (varying a j in our enumerated data) (11) where the φ , β are obtained from the φ , β by replacing a(i) with a j . Again, it will be sufficient to show that (11) is equivalent to an open formula.
First observe that φ is obtained from a pure formula by replacing arithmetic variables with the terms {x | β (z, y, x, i, k, a(x))}; since equality is the only predicate of sort Proc (and there are no function symbols of sort Proc), the only atoms of sort Proc that might occur in a pure formula are of the kind i = k s , k s = k s for some s = s , but these can all be replaced by ⊥ because we have Diff(i, k) in the antecedent of the implication of (11). As a consequence φ can be displayed as A similar observation applies also to the β , however here we must take into consideration also atoms of the kind x = i, x = k s . Thus, the β are built up using Boolean connectives from atoms of the kind x = i, x = k s , from arithmetic atoms A(z, y) and from Data-atoms that might contain the term a(x). We can disregard arithmetic atoms, because for each such atoms A(z, y) we may rewrite φ as Thus the β can be displayed as β (x, i, k, a(x)).
When x = i or x = k s (for some s) the β can be simplified to or ⊥ because we know the values of a(i), a(k s ) (and as a consequence the numbers In conclusion we have that, for some tuple of numbers m 7 that can be computed, we have that (11) is equivalent to where β is obtained from β by replacing the atoms x = i, x = k s with ⊥. Fix now some β s from the tuple β ; for every enumerated data a k , each of the formulae β s (a k ) simplify to either or ⊥ and, since we know that u k = {x | a(x) = a k } from (10), we can deduce that } is equal to either 0 (in case β s (a k ) simplifies to ⊥) or to u k − n k , where n k is the number of the k, i for which we know that a(k), a(i) is equal to a k . As a consequence {x | Diff(x, i, k) ∧ β (a(x))} is equal to k (u k − n k ) (where the sum extends to all k such that β s (a k ) simplifies to ).
All this can be summarized by saying that we can rewrite (13) as where the formulae θ j are pure (the tuple u is the tuple of the u j from (10)). By Presburger quantifier elimination, we can drop the ∃y, thus getting Since now θ j does not contain occurrences of i, we can rewrite this as and finally as This is a 1-flat formula. To sum up, our original formula (9) is equivalent to a formula of the kind ∃a ∃u ϑ, where ϑ is 1-flat. Then (after swapping the quantifiers ∃a ∃u) we can first use Theorem 1 to remove ∃a and then Lemma 1 to produce an equivalent pure open formula (involving just the arithmetic variables z and the index variables k).
In case we have uniformity, we can further extend the above result to cover formulae in which arithmetic array-ids and matrix-ids occur.

Remark 4
Let us continue the considerations we made in Remark 3. We saw there that, when building i-uniform (also 1-flat) formulae, we can employ terms counting the messages received by a process i. Suppose that in our protocol we want to say for instance that all processes i having received enough messages (e.g. messages from some qualified majority of the network) are allowed to change their status into some 'accepting' status: to express this, we need a formula of the kind ∀i φ, where φ is i-uniform 1-flat (this is the case for instance of the examples of Appendix A in the supplementary material). Next Theorem guarantees that we can indeed eliminate the higher order quantifiers over array-ids and matrix-ids from (a slight generalized set of) such formulae. Proof The first step is to remove ∃M for each M ∈ M, using uniformity. In fact, by uniformity, M occurs in φ only inside terms of the kind M i (y) (for some index variable y); thus, applying a reverse skolemization step, we can rewrite (18) as (here the b are existentially quantified array-ids: formula (18) is the skolemization of (19)). Then we swap the existential quantifiers ∃b∃y and apply Theorem 1 to the subformula ∃b φ(· · · b/M i · · · ), thus obtaining a formula of the kind ∃a ∀i ∃y ∃e ψ where the e are further arithmetic or data variables, ψ is 1-flat and contains only the array-id a. Let us now split the a as a , a , where the a are i-uniform and the a are finitary (notice that the syntactic transformations of Theorem 1 maintain the i-uniformity of the a ). We can apply the same anti-skolemization argument to the a and rewrite ∃a a ∀i ∃y ∃e ψ as ∃a ∀i ∃z ∃y ∃e ψ(z/a (i)), where the z are fresh arithmetic variables replacing the terms a (i) in ψ. Now Theorem 2 can be used to eliminate the a .

System Specifications and Simulations
We now turn to verification applications. The behavior of a system can be modeled through a transition system, which is a tuple such that (i) W is the set of possible configurations, (ii) W 0 ⊆ W is the set of initial configurations, (iii) AP is a set of 'atomic propositions', (iv) V : W −→ AP is a function labeling each state with the set of propositions 'true in it', (v) R ⊆ W × W is the transition relation: w 1 Rw 2 describes how the system can 'evolve in one step'.

Definition 1
We say that the transition system T = (W , W 0 , R , AP, V ) simulates the transition system T = (W , W 0 , R, AP, V ) (notice that AP is the same in the two systems) iff there is a relation ρ ⊆ W × W (called simulation) such that If the converse ρ op of ρ is also a simulation, then ρ is said to be a bisimulation and T and T are said to be bisimilar.
Bisimilar systems are equivalent in the sense that the properties expressible in common temporal logic specifications (e.g. in CT L, LT L, CT L * , etc.) are invariant under bisimulations; simulation is also useful as important properties (like safety properties, or more generally properties expressible in sublogics like AC T L) can be transferred from a system to the systems simulated by it (but not vice versa).
We write T ≤ T iff W ⊆ W and the inclusion is a simulation. This relation is a partial order and notice that if T simulates T and T ≤ T , then T also simulates T ; in this case, the simulation supplied by T is said to be stronger or better (in fact, one has more chances of establishing an AC T L-property of T by using T than by using T ).
The above formalism of transition systems is often too poor, because it cannot cover rich features arising in concrete applications. That is why we need higher order logic, namely constrained signatures as introduced in Sect. 2. Constrained signatures are used for our system specifications as follows: where (i) Σ is a constrained signature, (ii) v is a tuple of variables, (iii) Φ, ι are v-formulae and AP is a set of v-formulae, (iv) τ is a (v, v )-formula (here the v are renamed copies of the v) such that In the above definition, the v are meant to be the variables specifying the system status, ι is meant to describe initial states, τ is meant to describe the transition relation and the AP are the 'observable propositions' we are interested in. The v-formula Φ, as it is evident from (20), describes an invariant of the system (known to the user). Of course, since in our expressive type theory higher order quantifiers are available, it would be easy to write down the 'best possible' invariant describing in a precise way the set of reachable states; however, the v-formula for such invariant might involve logical constructors lying outside the tractable fragments we plan to use. On the other hand, invariants are quite useful -and often essential -in concrete verification tasks, that is why we included them in Definition 2.
It is now clear how to associate a transition system with any system specification:

Definition 3
The transition system associated with the system specification S = (Σ, v, Φ, ι, τ, AP) is the transition system T S given by (v) for φ(v) ∈ AP S , we have that V (φ) contains precisely the states satisfying φ(v).

Simulations
Model-checking a transition system like T S might be a terribly difficult task, that is why it might be useful to replace it with a (bi)similar, simpler system: in our applications, we shall try to replace S by some S whose variables are all integer variables. To this aim, we 'project' S onto a subsystem S , i.e. onto a system comprising only some of the variables of S. In order to give a precise definition of what we have in mind, we must first consider subsignatures: here a subsignature Σ 0 of Σ is a signature obtained from Σ by dropping some symbols of Σ and taking as Σ 0 -models the class C Σ 0 of the restrictions M |Σ 0 to the Σ 0 -symbols of the structures M ∈ C Σ . Definition 4 Let S = (Σ, v, Φ, ι, τ, AP) be a system specification; a sub-system specification of it is a system The following fact is immediate: Projection simulations are ordered according to the ordering of the simulations of S they produce, i.e. we say that S 0 is stronger or better than S 0 iff T S 0 ≤ T S 0 . Once Σ 0 , v 0 are fixed, one may wonder whether there exists the best projection simulation over Σ 0 , v 0 . The following easy result supplies a (practically useful) sufficient condition: If we let S 0 be the subsystem specification (Σ 0 , v 0 , Φ 0 , ι 0 , τ 0 , AP), then the projection simulation π S 0 is the best projection simulation over Σ 0 , v 0 .
is a subsystem specification of S is clear; let us now pick another subsystem specification S = (Σ 0 , v 0 , Φ , ι , τ , AP) of S inducing a projection simulation over the same subsignature Σ 0 and the same sub-tuple of variables v 0 . According to (21), we have To understand the meaning of the above proposition, one should keep in mind that there is no reason why the Σ-formulae ∃v 1 Φ, ∃v 1 ι and ∃v 1 ∃v 1 (Φ ∧ τ ) should be equivalent to Σ 0 -formulae (in our applications, Σ 0 contains only the sort and the symbols of linear firstorder arithmetic, so no higher-order variables are allowed in Σ 0 -formulae). Thus, the road map to apply Proposition 2 is to prove some quantifier-elimination results in order to find Σ 0 -formulae equivalent to ∃v 1 Φ, ∃v 1 ι, ∃v 1 ∃v 1 (Φ ∧ τ ).
Such quantifier elimination results will supply the best possible projected simulation onto the set of the selected variables, as informally mentioned in the toy example of Sect. 1.2.

Bisimulations
For the sake of completeness, we make a little digression on bisimulations (in fact, in some lucky cases, the best projection simulation is also a bisimulation). The content of this digression will not be used in the rest of the paper.
For considerations involving bisimulations, it is useful to consider special kinds of subsignatures, those whose models are quite close to the models of the original signature: we say that Σ 0 is a core subsignature iff every Σ 0 -model is the restriction of a unique (up to isomorphism) Σ-model. As a typical example (used in our applications) of this situation, consider a signature Σ containing the sorts Z, Ω (with the usual operations), some enumerated sorts, and a finite sort Proc whose cardinality is constrained by a parameter N (we do not have operations on Proc, just the cardinality function on ℘ (Proc)). Suppose that now we consider the subsignature Σ 0 containing just Z and Ω (with inherited operations) and the parameter N: this is evidently a core subsignature, because the interpretation of enumerated sorts and of the sort Proc is uniquely determined-up to isomorphism-by the Σ 0 -reduct. Proposition 3 Let S 0 be a core sub-system specification of S (S and S 0 are as displayed in Definition 4) and let v := v 0 , v 1 . Then π S 0 is a bisimulation iff the following conditions Proof We need to show that assuming the four conditions of Definition 1 for both π S 0 and its converse relation is the same as assuming the three conditions above. First notice that condition (iv) of Definition 1 is trivially satisfied (both for π S 0 and its converse relation) because the formulae in AP are v 0 -formulae in the signature Σ 0 according to the definition of a subsystem specification (Definition 4). Similarly, conditions (i)-(iii) of Definition 1 are also guaranteed for π S 0 by Definition 4, so that such conditions are relevant only for the converse of π S 0 .
Since S 0 is a core sub-system specification of S, asking that "every (v 0 ) M 0 ,I 0 satisfying Φ 0 comes (by restriction to Σ 0 , v 0 ) from some (v) M,I satisfying Φ" 9 is the same as asking condition (i) above: the only possible candidate for M is the unique extension of M 0 to Σ, hence the above statement under quotation marks holds just in case Similarly, it is now evident that condition (ii) of Definition 1 for the converse of π S 0 is the same as condition (ii) above and condition (iii) of Definition 1 for the converse of π S 0 is the same as condition (iii) above.
Notice that condition (i) is the same in Proposition 2 and in Proposition 3. Moreover, using such condition (i) (and the fact that ι 0 (v 0 ) | Σ 0 Φ 0 (v 0 ), see Definition 2) it is not difficult to see that condition (ii) of Proposition 3 is stronger than the corresponding condition (ii) of Proposition 2; the same observation applies also to conditions (iii) and (iii) in case we make the additional mild and obvious assumption that

Arithmetic Projections
Let now S = (Σ, v, Φ, ι, τ, AP) be a system specification based on a signature Σ as discussed in Sect. 4.1. The variables v of S include some integer variables v 0 and in addition variables for arrays and matrices. If a is an array variable, then a(y) represents a local status of the process y; if M is a matrix variable, then M i (y) represents the content of a message received by i from y (or, in other words, sent by y to i). 10 Let us suppose that v = v 0 v 1 , where v 1 is the tuple of array and matrix variables and the v 0 are all the integer variables of the system. We suppose also that the formulae in AP-namely the formulae expressing observable properties-are all open v 0 -formulae (in particular, they are all Σ 0 -formulae, where Σ 0 is the arithmetic subsignature of Σ).
Let S = (Σ, v 0 v 1 , Φ, ι, τ, AP) be as above; a subsystem specification of the kind S 0 = (Σ 0 , v 0 , Φ 0 , ι 0 , τ 0 , AP) is called a counter abstraction of S; as usual, counter abstractions are ordered according to the ordering of the simulations of S they produce, i.e. we say that S 0 is stronger than S 0 iff T S 0 ≤ T S 0 . We are interested in sufficient conditions on Φ, ι, τ ensuring the existence of a strongest counter abstraction.
Proof We apply Proposition 2. Let us rename the arithmetic variables v 0 as z; then v 1 is the tuple of array-ids a; we also abbreviate k 1 , . . . , k n as k. We need to show that a formula of the kind ∃a ∃k α(z, k, a(k), {x | β(z, x, k, a(x), a(k) is equivalent to a pure arithmetic formula. 11 But this is indeed the case: just swap the existential quantifiers and apply Corollary 1 and Lemma 1. The result follows because there are no ground index atoms and all ground data atoms are equivalent to or to ⊥, according to our assumptions from Sect. 2.1.
Next result concerns specifications using matrix-ids in a finitary signature. 10 A conventional value may be employed to specify that no message has been sent at all. We do not model time passing and message scheduling in this paper. 11 In view of condition (iii) of Proposition 2, we need also the observation that formulae of the kind ∃k φ (for 1-flat φ) are closed under conjunctions.

Theorem 5 Let the sort Data be enumerated and let Φ, ι, τ be disjunctions of formulae of the kind ∃k ∀i ∃y φ (23)
where φ is 1-flat, k are index variables, y are arithmetic and data variables and i is an index variable such that all matrix variables and all non-finitary array variables from v are i-uniform in φ; then S = (Σ, v 0 v 1 , Φ, ι, τ, AP) has a strongest (effectively computable) counter abstraction.
Proof Similar to the proof of Theorem 4, using Theorem 3 instead of Corollary 1.
Strongest counter abstractions (typically computed via Theorems 4,5) will be called arithmetic projections.
In the next section, we describe the infrastructure we deployed, leveraging the presented formal results, so as to model distributed fault-tolerant algorithms and to verify their properties.

Implementation
The quantifier elimination procedures relying on Theorems 1, 2, 3 are very expensive: the procedure of Theorem 1 requires a double exponential blow-up and includes as subprocedures other expensive algorithms, like quantifier elimination in Presburger arithmetic. Although we feel that the above results are needed if one wants to build and then process some formal precise declarative models derived out of the original pseudo-code of fault-tolerant algorithms (see our detailed analysis in Appendix A in the supplementary material for an example of what we mean), from a practical point of view it is often possible to build coarser models requiring a less expressive language. For instance, one trick that is often used in the literature (see e.g. [46]) is to replace a Boolean-valued matrix-id M(i, x) by an arithmetic array a(i) representing the term {x | M(i, x)} (the intended meaning is that, in this way, we only count the number of the M-messages received by process i, disregarding the source of these messages). Quite often, the loss of expressivity due to such abstractions does not prevent the possibility of formalizing the dynamics of the evolution of the whole system in a satisfactory way.
For the above reasons, we designed a restricted input specification language for our tool ArcaSim: we describe below such a language and we supply a milder quantifier elimination procedures applying to it. In the experimental Sect. 6 below, we shall see that such restricted language is sufficient to handle benchmarks from different sources.

The ARCASIM Tool
ArcaSim accepts system specifications matching the syntactic format explained below and produces as output a file in the Horn SMT_Lib format, ready to be model-checked e.g. by μZ [33], the fixpoint engine of the SMT solver Z3. In successful cases, μZ produces an invariant (entirely expressed in terms of our counters) which guarantees the safety of the original system.
A specification file for ArcaSim should first contain declarations for -parameters, -integer variables, -arithmetic array-ids, -enumerated array-ids.
Parameters include a symbol N denoting the (finite but unknown) number of processes acting in the system; moreover, with each enumerated array-id, a number m is associated, whose meaning is that of telling the tool that the values of such array-id are taken into the set {0, . . . , m − 1}.
Then counters definitions are introduced: these must have the form of equalities z i = {x | ψ i (x)}, where ψ i is a Boolean combination of data atoms (in the restricted ArcaSim language the constrained signature Σ is assumed to be finitary, i.e. that the sort Data is enumerated).
The system transition is given as a single (index variable) universally quantified disjunction of cases of the form where: (i) φ j1 (a(i)/y, z) is obtained from a conjunction of arithmetic atoms φ j1 (y, z) by replacing some arithmetic variables y with terms of the kind a(i) (notice that the above introduced counters for definable sets may occur here); (ii) φ j2 (i) is a Boolean combination of data formulae containing the free variable i. Notice that primed arithmetic array-ids cannot occur in φ j1 , whereas both primed and unprimed enumerated array-ids can occur in φ j2 .
The initial formula follows the same syntax as the transition formula (but only one disjunct is allowed), whereas the formula expressing the (negation of the) safety property must be an arithmetic formula containing only counters, integer variables and parameters.
We underline that the above limitations to the formats of transitions, initial and safety formulae are due to an implementation choice: our theoretical results from Sects. 3 and 4are much richer, however we realized that most standard benchmarks can be formalized in the above restricted ArcaSim language.
In order to produce a file for μZ , ArcaSim applies the following simplified procedure for quantifier elimination.
(i) First, it eliminates (from the arithmetic part φ i1 of each transition case) the arithmetic array-ids by reverse skolemization and Presburger quantifier elimination: the formal justification for this is that, for an arithmetic array-id a, we have that ∃a ∀i j (φ j1 (a(i))∧ φ j2 ) is equivalent to ∀i ∃z j (φ j1 (z) ∧ φ j2 ) and finally to ∀i j (∃z φ j1 (z) ∧ φ j2 ) -in this last formula the ∃z can be eliminated via Presburger quantifier elimination. (ii) Then, the whole transition is rewritten as a disjunction of formulae of the kind where we have, besides the counter definitions z k = {x | ψ k (x)}, a Boolean assignment α (seen as a conjunction of literals) to the arithmetic atoms occurring in the problem, and a single-variable universally quantified formula ∀x θ(x) built up from data atoms only: the formal justification for this is that an arithmetic assignment can be guessed and that, in presence of it, arithmetic atoms can be everywhere replaced by or ⊥.
(iii) Auxiliary counters are now introduced: we have one counter z f for each function f associating values to enumerated array-ids and their primed copies. In detail, z f counts the cardinality of the set The set of counters z f is much richer than the set of the user-defined original counters. There are two reasons for that: first, the user might have decided to introduce only a relatively small set of counters, the set of counters he feels it could be sufficient to get an appropriate simulation. Second (more important!), the user can only introduce static counters, whereas the z f are dynamic counters: they count how many processes make each possible change of values for their enumerated array-ids. 12 The original counters are expressed as linear combinations of these new dynamic counters; in addition, in each disjunct (25), the universally quantified formula ∀x θ(x) is replaced by the equation N = f z f , where f is 0 or 1 depending on whether the formula defining the set (26) counted by z f is consistent or not with θ . Contrary to what one might expect, the quantifier elimination steps in (i) and (iv) are not so problematic, because of the special shapes of the arithmetic formulae arising from the benchmarks we analyzed. In fact, we did not even use a full Presburger quantifier elimination module in ArcaSim for the reasons we are going to explain. In our examples, the quantifier elimination problems in (i) involve just easy ('difference bounds'-like) constraints and those in (iv) are usually solved by a substitution (in other words, the formula where a variable z needs to be eliminated from, always contains an equality like z = t). 13 Notice also that, in case a difficult integer quantifier elimination problem arises, shifting to the (better behaved from the complexity viewpoint) Fourier-Motzkin real arithmetic quantifier elimination procedure is a sound strategy: this is because, in the end, the tool needs to produce just a simulation (i.e. an abstraction). Although ArcaSim was prepared to make such a shifting to Fourier-Motzkin procedure, it never applied it during our experiments.
The step (ii) basically amounts to an "all sat" problem (i.e. to the problem of listing all Boolean assignments satisfying a formula), which is difficult but can be handled efficiently. The real bottleneck seems to be the need of introducing in (iii) a large amount of auxiliary 'dynamic' counters: future work should concentrate on improving heuristics here. 12 If, for instance, there are two array-ids a 1 , a 2 each of them taking values from the set {1, 2, 3}, then we have one dynamic counter for every 4-tuple from {1, 2, 3}: a 4-tuple is seen as a function f from {a 1 , a 2 , a 1 , a 2 } into {1, 2, 3} and the corresponding counter z f counts the number of the processes x such that a 1 (x) = f a 1 , a 2 (x) = f a 2 , a 1 (x) = f a 1 , a 2 (x) = f a 2 . 13 In case a maximum choice of static counters is made by the user, one can even formally prove that this is always the case.

Our Experiments
In this section we report our experiments; the source files for the benchmarks are available at https://homes.di.unimi.it/~pagae/ARCASIM/, while the ArcaSim executables are available at the link http://users.mat.unimi.it/users/ghilardi/arca_tools/.

Classes of Problems Considered
We analyzed several benchmarks representative of different classes of problems. In the following, we analyze the peculiarities and complexity of modeling the algorithms belonging to each class. In Appendix A in the supplementary material, three models are described in detail. Most of the verified algorithms are synchronous and round-based, i.e. they assume that within a round both each process performs the computation of the algorithm for that round, and messages sent in the round are delivered to their destinations by the end of the same round. The few exceptions are highlighted. Only safety properties of the algorithms are verified with the proposed tool; liveness properties are considered just when they can be rewritten as safety properties (one way to get such a safety reformulation is to strenghten a liveness property by asking that a desired event must happen within a specified number of rounds). All experiments have been conducted on a PC equipped with Intel Core i7-7700 processor 3.60 GHz and operating system Linux Ubuntu 18.04 (64 bits).

Agreement Algorithms with Either Omission or Malicious Failures.
The algorithms of this class consider a set of N processes residing on different hosts and communicating through a data network. Processes must reach an agreement about some value, in spite of possibile failures of some of them. Faulty processes may either (i) omit to send or receive some of the messages considered by the algorithm (benign failures), or (ii) maliciously fail (byzantine failures) reporting fake information. In the latter case, malicious processes might also coalesce in order to fool honest processes. In the former case, a process may also fail crash, that is, from a certain point on no message is anymore sent or received.
In order to express our problems within the restricted language explained in Sect. 5 (i.e. in the ArcaSim format), all the models just consider the behavior of correct processes, while faulty ones are abstracted away. (This is a technique used also in [34,35,[37][38][39]).
Both omission and byzantine failures are modeled by using a global variable f , whose value may be upper bounded by e.g. the algorithm resilience t. The number of correct processes is thus N − f , and every message sent by a correct process is received by all other correct processes. Using the counter abstraction, we disregard the identities of processes sending a certain message; we simply impose that-if cm is the number of correct processes sending a certain kind of message-then each correct process receives in between cm and cm + f messages of that kind, where cm is the worst case of all faulty processes actually failing, and cm + f is the best case of all faulty processes behaving correctly. As far as omission failures are considered, faulty processes may or may not send their messages. As far as byzantine failures are concerned, independently of their state faulty processes may send whatever message they want (or none at all), and even send different messages to different destinations.
The verification results for this set of algorithms are reported in Table 1, where we show the considered algorithm, the property to be verified and the conditions under which it is verified, the number of transitions produced by ArcaSim and its running time, the running time of Z3 to process the file produced by ArcaSim and the outcome of the verification. In order to properly understand the results in the Table, recall that when the μZ module of Z3 gives a sat answer, this means that there exists a safety invariant for the abstracted counter system (so that the original system is also safe); on the contrary, an unsat answer by Z3 means that the safety condition for the abstracted counter system is violated (which is likely -but not necessarily -implying that the original is not safe). 14 The One-Third (OT) algorithm [11] solves the Consensus problem in case of benign failures. Formally, the problem is defined as follows: each process starts with its own initial value. By the end of the algorithm, processes must decide for one of those values so that the following properties are satisfied: Agreement whenever two processes have reached a decision, the values they have decided on must be equal. Integrity -Weak Validity if all processes propose the same initial value, they must decide on that value. Irrevocability if a process has decided on a value it does not revoke its decision later. No upper bound is needed on the number of faulty processes. As for all other Consensus algorithms considered in this work, we limited the set of possibile initial values to {0, 1} (this is often not a limitation, see the 0-1 theorems from [46]). The Irrevocability property requires to check that never in the future a revocation occurs. For OT and the other Consensus algorithms mentioned in the sequel, we verified it by reformulating Irrevocability as a safety property: an integer global variable dec is used, which is initialized to 0, and whose value becomes 1 whenever a process having already decided for a value v takes a decision for a value v = v. The unsafe condition is dec > 0 and-through backward search-we check whether a state with dec = 1 can be reached from the initial condition with all processes undecided and with no constraint on their initial values.
Formal verification highlighted something that was not evident in the original formulation of some problems, that is, it allowed to discover that some properties in the problems enunciations are indeed "trivial"; in fact, they cannot be violated for any number of faulty processes. This is the case for the Weak Validity property of OT: if all processes own the same initial value, there is no way to decide for a different value, considering that processes cannot lie.
The Uniform Voting algorithm (UV) [16] similarly solves the Consensus problem in the presence of benign failures. The solved problem is analogous to that defined for OT, reformulating the Integrity property as follows: "Any decision value is the initial value of some process" (which is also indicated as Strong Validity). In order to guarantee the Agreement and Irrevocability property, UV requires the system to satisfy a P nosplit condition that imposes that communication failures must not partition the network, that is, there cannot exist two subsets of processes such that processes belonging to the same subset communicate amongst themselves, but processes belonging to different subsets not. We omitted to include the P nosplit property in our models because-by abstracting away the processes identities, and just counting both the number of processes performing a certain action and the number of messages received whatever are their sources-we cannot represent the identities of communicating processes and thus there is no way to model the property within the restricted  The Coordinated UV algorithm (CoUV) [16] derives from UV and solves the same problem under the same conditions. Differently from UV-which adopts a distributed communication pattern where each process communicates with all the others-CoUV adopts a rotating coordinator paradigm such that at each round a process behaves as coordinator, to which other processes send their values and which tries to help them decide. The Simplified CoUV (SiCoUV) [16] shortens the algorithm execution with slight modifications of the process computation that allow to reduce the number of rounds needed to decide. In both cases, the rotating coordinators have been modeled by using a local variable C[x] that assumes three values indicating whether x already has been, currently is, or never was so far a coordinator. At the beginning of each round, a coordinator is nondeterministically taken from the yet unelected processes. These two algorithms show the impact of central coordination on correctness. Both satisfy Agreement also in the presence of partitions: processes in the same partition as the coordinator decide according to its indications, while partitioned processes do not decide. Yet, in CoUV, they may retain some value different from that chosen by the coordinator. If partitions change later and the new coordinator is a previously partitioned process with a value different from that disseminated by the previous coordinator, then a process may change its decision, thus violating Irrevocability. By contrast, in SiCoUV, the simplification-consisting in voting just for the value received by the coordinator of the current phase or for no value at all-prevents processes owning values from previous coordinators to vote for those values, thus possibly inducing inconsistent decisions for stale values.
U T ,E,α [10] solves the Consensus problem without the Irrevocability property, in the presence of byzantine failures. It requires the system to fulfill two properties, namely that the number of malicious messages received by each process in each round is ≤ α < N /2 (P α property), and that the total number of received correct messages is > N /2 (P sa f e property). Various combinations of both α and P sa f e have been considered in our verifications.
In [9], an algorithm is proposed to solve Consensus in asynchronous systems with byzantine failures and a resilience t < N /5. Such an algorithm may also work in synchronous systems if the number of faulty processes is upper bounded by O( √ N ). In this case, we modeled an asynchronous system in that no time quantization is reproduced, but just a division in phases as in the original algorithm. In the first phase, a process waits till it receives at least N − t messages; it decides the value to diffuse subsequently and switches to the next phase. In the second phase, a process waits till it receives at least N − t messages and tries to decide. If this is not possible, the process goes back to the first phase. Leveraging the backward search, we started from the configurations in which the considered property is violated. The algorithm runs in which the sufficient number of messages is not receivedwhich do not lead to any action-are unimportant; we verified whether the cases in which actions are undertaken by the processes can lead to an unsafe state. As a resilience value we used t < N /5 as in the original paper, which actually leads to a safe result. Moreover-since the article ignores the lower bound on the resilience for Byzantine failures (t < N /3 [48])we considered the case of violation of this lower bound which correctly gives unsafe results.
The Byzantine Broadcast Primitive (BBP) [55] aims at achieving agreement among the processes about the messages to deliver. This algorithm tolerates byzantine failures and requires that the number t of faulty processes is such that N > 3t. BBP is a round-based algorithm operating in synchronous systems. It fulfills the following properties: Correctness If correct process p broadcasts ( p, m, k) in round k, then every correct process accepts ( p, m, k) in the same round. Unforgeability If process p is correct and does not broadcast ( p, m, k), then no correct process ever accepts ( p, m, k). Relay If a correct process accepts ( p, m, k) in round r > k, then every other correct process accepts ( p, m, k) in round r + 1 or earlier.
The Relay property asks to check all the states reachable from the configurations satisfying the hypothesis; as this is not possibile, we had to re-write this property as two separate safety properties sequentially verified. In Appendix A.1 in the supplementary material, we explain in detail this procedure. Formal verification reveals that Correctness and Relay properties cannot be violated for any number of faulty processes. The Correctness property cannot be violated since the threshold for acceptance is equal to the minimum number of correct processes, and the initial broadcast is performed by a correct process and thus received by all correct processes; hence, there is no way for a correct process to not receive enough echo's. The Relay property cannot be violated because a correct accepting process must have received at least N − 2t echo's from correct processes; those echo's are received by each correct process, all correct processes send their own echo, and as a consequence there are N − t correct echo's around that allow each correct process to decide.
The Send Receive Broadcast Primitive (SRBP) algorithm from [54] is proposed as a basis for clock synchronization in systems affected by benign failures. It requires an upper bound t on the number f of faulty processes, i.e., N > 2t and t ≥ f . The algorithm satisfies the same properties as BBP, with the broadcast message consisting in a time signal (round k). The same two-steps verification of the Relay property is adopted as for BBP. In this case as well, formal verification shows that Unforgeability and Relay properties cannot be violated. The former trivially follows from the fact that no message is around and faulty processes cannot lie. The latter follows from considerations similar to the case of BBP.

Agreement and Reliable Multicast Algorithms with Crash Failures
The algorithms considered for this category have in common a failure model such that processes behave correctly until they possibly fail, but from the failure on no action is anymore taken, nor any message is sent or received (fail-stop model). Crash failures may partially disrupt the broadcast transmission of a message in the sense that the message may reach just a subset of its destinations.
Although counter-intuitive, these failures are harder to model than both omission and byzantine failures. We describe the state of each process with a local variable F that can assume three values, indicating if the process is (so far) correct, if it crashed in the past, or if it is crashing in the current algorithm step and it will send only part of the messages scheduled to be transmitted currently. In the last case, by the end of the step the process is moved to the crashed processes and it will do nothing in the future. At every step, the sum of both crashing and crashed processes must not exceed the algorithm resilience.
The results for these algorithms are reported in Table 2. FloodSet [45] is a Consensus algorithm that satisfies the same properties as OT, with no resilience and terminating after f + 1 rounds with f the number of crashed processes in the current run. Processes circulate the values received in the previous rounds; in the last round, processes decide either for the unique value they received, or for a default value if more values have been observed. FloodMin [45] is a Consensus algorithm that solves the k-agreement problem: the algorithm runs for f /k + 1 rounds-with f defined as before-after which it is requested that the values decided upon by the processes are in a set of cardinality at most k. This reduces to classical Consensus for k = 1. FloodMin guarantees both the Weak Validity and the Strong Validity properties defined before. We performed experiments with two values of k, and with a set V of initial values of cardinality either 2 or 3.
FC [50] is a Consensus algorithm that guarantees both Agreement and Strong Validity as defined above; it terminates at round t + 1 with t < N the algorithm resilience, and f ≤ t number of actually crashed processes; the decision is the smallest received value.
EDAC [15] as well solves Consensus, but it considers the Weak Validity property. This algorithm is early-deciding in the sense that-if a process does not detect new failures in the current round-it decides, differently from the above three algorithms.The problem of modeling this algorithm is that it would require each process to record the observed crashes (a process is assumed having crashed when no expected message is received from it in the current round), which should be modeled with bi-dimensional arrays, not available in ArcaSim. Considering the syntactic constraints of ArcaSim, the fact that (i) no message is anymore received from a process after it crashes and (ii) a crashed process is detected within at most the following round by all alive processes, we abstracted this part of the algorithm by using a global variable cnum that counts the crashed processes and is incremented for all processes as soon as a new crash is observed by the first process.
UTRB1 [8] solves the Uniform Timed Reliable Broadcast problem, which guarantees the following properties: 15 Validity: If a correct process broadcasts a message m, then all correct processes eventually deliver m. Integrity: For any message m, each process delivers m at most once and only if some process actually broadcasts m. Uniform Agreement: If any process delivers a message m then all correct processes eventually deliver m. Timeliness: There exists a known constant Δ such that if the broadcast of a message m is initiated at time t, no process delivers m after t + Δ.
Following the pen-and-paper correctness proof of UTRB1, we applied the Timeliness property to instantiate the "eventual" attribute and verified that both uniform agreement and validity are reached by round f + 1. As far as Integrity is concerned, we separately checked its two components, by verifying that (i) if no process broadcasts m then no process delivers it, and (ii) each process delivers m at most once; both conditions are checked at round f + 1 when the algorithm run terminates.

Cache Coherence and Mutual Exclusion Algorithms
The MESI [47] and MOESI [53] algorithms have been designed to guarantee cache coherence. This problem affects shared-memory multi-processors systems where more than one process at a time may access the same memory location and copy the content to its processor's cache, but the algorithms must guarantee that at most one process at a time is allowed to modify its copy, and successive read operations to the same location must return the most updated value. The problem of verifying these algorithms w.r.t. the safety property above lies in the fact that there may be more processes in the same state-and thus satisfying the same guard-but just one of them is allowed to fire at a time; this feature differentiates the algorithms in question from pure counter-based algorithms. In order to model this characteristic, we used both a global variable f lag that is initialized to 0, becomes 1 when one of the processes in either the invalid or the shared state prepares to fire, and returns to 0 after the process has performed its operation, and a local array variable F[x] that is initialized to 0, becomes 1 for a process in either invalid or shared state that is selected to fire, and returns to 0 when that process fires. We constrain the system such that #{x|F[x] = 1} ≤ 1, that is, at most one process at a time-in one between the invalid and the shared state-may be selected to perform some operation. By contrast, in the system just one process at a time may be in either the modified or the exclusive state, and hence the constraint is not applied to those processes. Dekker [20] is a classical mutual exclusion algorithm that guarantees that no more than one process is in critical section. We used local variables T [x] to record what process has the turn, and W E[x] as the local flag to record that process x wants to enter the critical section. As before, we use a constraint imposing that #{x|T [x] = 1} ≤ 1, that is, it is the turn of at most one process at a time; this way T [x] takes the place of the global variable turn in Dekker's algorithm. A variable ST [x] records whether x is currently in the critical section.
The results achieved with these algorithms are shown in Table 3.

Qualitative Comparison with Other Tools
Other tools in the literature aim at verifying safety properties for distributed algorithms. In [46], Consensus algorithms are considered, a specification language ConsL is proposed, and cutoff bounds are supplied to reduce the parameterized verification to a setting with finite number of processes. Amongst the algorithms studied in [46], there are the algorithms OT, UV, CoUV, SiCoUV and Ben-Or described above, whose safety we verified for an unlimited number of processes using ArcaSim. Although the time spent by ArcaSim for verification was greater than that obtained by ConsL-ConsL latency is on the order of tens of milliseconds for the cited algorithms-it succeeded in performing the computation and within reasonable time.
In this section, we present a qualitative comparison between ArcaSim and ByMC [38], which is a verification framework proposed for the validation of threshold algorithms, that is, algorithms where an action is performed when a certain number of messages are received, regardless of who generated them. The comparison was performed by manually "transcripting" some ByMC examples-provided by the virtual machine version 2.4.0 downloaded from [36]-into ArcaSim. The transcription was conducted trying to maintain maximum fidelity to the ByMC models, by developing ArcaSim models that use the same variables and counters as the equivalent ByMC model, define arithmetic assertions equivalent to the assumptions in the ByMC model, and include one transition for each computation step in the ByMC model. For the sake of better comparison, ByMC was run using Z3 as underlying SMT solver. Clearly, ByMC and ArcaSim are two really different approaches to the verification of distributed algorithms: ByMC considers asynchronous algorithms while ArcaSim is more oriented to model synchronicity and some properties are modeled by introducing a bound-usually provided in the original algorithms' descriptions-on the time at which safety must be checked; the two underlying logical paradigm have different expressiveness. Yet, we were interested in investigating whether ArcaSim is able to deal with the same benchmarks as ByMC. Table 4 reports the results; the ByMC time was obtained by adding the displayed system and user times.
The considered algorithms are as follows: STRB [55] is the same as the previously described BBP algorithm (we adopt here the ByMC nomenclature to emphasize that this is a different model mimicking the ByMC one). ABA (Asynchronous Byzantine Agreement) [12] slightly modifies the Agreement problem definition supplied before, and satisfies the following properties: Correctness If the transmitter is correct, all the correct processes decide on its value. Unforgeability If the transmitter is malicious, then either no correct process will decide or they will all decide on the same value. ABA tolerates < N /3 malicious failures; it may work in asynchronous systems, which are modeled with processes that wait until a sufficient number of messages is received to perform some action. NBAC (Non-blocking atomic commitment) [30] aims at reaching an agreement amongst processes about an action to perform, and satisfies the following properties: Agreement No two processes decide differently. Termination Every correct process eventually decides. Abort-validity Abort is the only possible decision if some process votes no. Commit-validity Commit is the only possible decision if every process votes yes and no process crashes.
We did not consider the Termination property as it is a liveness property that cannot be managed by ArcaSim. FRB (Folklore Reliable broadcast) [23] is an algorithm aiming at distributing a message to all alive processes in a system; it works in asynchronous systems and tolerates just crash failures. It satisfies both a Correctness and an Unforgeability property equal to those previously defined for BBP.
To sum up, we believe that the main strength of our approach lies in its declarative (thus expressive and flexible) nature: nevertheless, our first ArcaSim implementation for the restricted fragment of Sect. 5 shows that many benchmarks from disparate literature can be effectively handled in our uniform framework with reasonable performances.

Conclusions and Related Work
We introduced a plain technique for automatically building counter simulations of system specifications: the technique consists of modeling system specifications in higher order logic, then of introducing counters for definable sets and finally of exploiting quantifier elimination results to get rid of higher order variables. Such technique is quite flexible and since, whenever it applies, it always supplies the best simulation, it should be in principle capable to cover all results obtainable via counter abstractions. We underline some further important specific features of our approach.
First of all, the approach is purely declarative: our starting point is the informal description of the algorithms (e.g. in some pseudo-code) and the first step we propose is a direct translation into a standard logical formalism (typically, classical Church type theory), without relying for instance on ad hoc automata devices or on ad hoc specification formalisms. We believe that this choice can ensure flexibility and portability of our methods.
Secondly, the amount of human interaction we require is nevertheless confined to design choices: although the final outcome of our investigations should be the integration of our techniques into some logical framework, the key leading to their success relies almost entirely on results (satisfiability and quantifier elimination algorithms) belonging to the realm of decision procedures. In fact, the quantifier elimination results presented in this paper (Theorems 1, 2, 3) are of interest by themselves and go far beyond the well-known case of Boolean Algebras with Presburger Arithmetic (BAPA) [42], because they are not confined to fragments where sets are uninterpreted.
Although we are claiming that the fully declarative approach is the main merit of our approach, we are aware that a full automation is, in the present status of the art, far from reachable. In particular, contrarily to what happens in other verification areas, a uniform established standard for the specification of distributed system is not available. Moreover, even when some form of pseudo-code for an algorithm is supplied in the original source papers, its translation into higher order logic is not completely obvious and requires a careful analysis. In principle, higher order logic is a quite powerful and expressive formalism, so that one might claim that "everything" is expressible in it; however, designing a detailed translation from some fragment of pseudo-code into transition systems expressed in higher order logic is far from obvious and surely requires deep specific work, to be attacked in quite differently oriented papers. In this paper, we just made a syntactic classification of higher-order specifications to which quantifier elimination applies; the question whether a given higher-order specification can be symbolically tranformed up to logical equivalence into a specification falling within the syntactic shape to which our theorems apply, is another, terribly difficult, question to which only very limited answers can be provided. All in all, manual intervention is required even in this stage, especially if one wants to go beyond strict syntactic matching. However, in concrete cases our approach can be really effective: in the online available supplementary material to this paper, we made a careful detailed analysis of three concrete examples, starting from informal description, to pseudo-code specification, to translation into higher-order transition systems, to mechanical verification via counter abstractions.
A potentially weak point to be taken care is the complexity of our algorithms: in fact, the procedure for quantifier elimination used in the proof of Theorems 1, 2, 3 produces superexponential blow-up of the formulae it is applied to. Notice however that, when building a counters simulation of a concrete algorithm, such a heavy procedure is applied to each instruction (or to each block of instructions) separately, i.e. not to the whole code instance. Moreover, it is not difficult to realize (going through e.g. the computation details from the online available suplementary material) that it is hardly the case that the quantifier elimination procedure is applied in its full generality: in fact, it is always applied to smaller fragments, where complexity presumably drastically reduces (similarly to what happens for satisfiability algorithms, compare e.g. Theorems 2 and 3 in [4]). The same observation applies also to the instances of the Presburger quantifier elimination procedure that are invoked in our manipulations: usually, they are confined to difference bounds formulae or to formulae where quantifiers can be eliminated by simple instantiations. The identification of such small fragments and the study of the related complexities is important for future work and preliminary to any implementation effort.
Another delicate point is related to the syntactic limitations we require on the formulae describing system specifications (see the statements of Theorems 4 and 5): such syntactic limitations are needed to ensure higher order quantifier elimination. Although it seems that a significant amount of benchmarks are captured despite such limitations, it is essential to develop techniques applying in more general cases. To this aim, we observe that just overapproximations are needed to build simulations and that, even if the best simulation may not exist, still practically useful simulations might be produced. In fact, quantifier elimination is just an extreme solution to symbol elimination problems. Symbol elimination and interpolation are well-known techniques to build invariants, abstractions and over-approximations, and for this reason their investigation has deserved considerable attention in the automated reasoning literature [41]; still, extensions to higher-order fragments need to be attacked and might be useful in our context.
To conclude, we mention some recent work on the verification of fault-tolerant distributed systems, starting from our own previous contributions. The additional original contributions with respect to our previous paper [4] and its journal version [5] are due to the fact that we are moving from bounded model-checking and invariant checking to the much more challenging task of full model-checking via invariant synthesis. As discussed in [5] (Sect. 7), standard model-checking techniques are difficult to apply in the present context of faulttolerant distributed systems because Pre-and Post-image computations are very expensive and lead to fragments for which full decision procedures seem not to be available. That is why we tried here a different approach, via counter simulations. While developing such a different approach, we established further new quantifier elimination results for higher-order fragments (Theorems 2 and 3above): we believe that these new results, although tailored to our specific applications, are of some independent interest from a logical and a technical point of view.
Papers [34,35,37,39] represent a very interesting and effective research line (summarized in [38]), where cardinality constraints are not directly handled but abstracted away using counters. In this sense, this research line looks similar to the methodology we applied in this paper (and in contrast to the alternative methodology we adopted in our previous paper [4]); however, abstraction in [38] and in related papers is not obtained via logical formalizations and quantifier elimination, but via a special specification language ('parametric Promela') and/or via special devices, called 'threshold automata'. A comparison with the counter systems we obtain is not immediate and not always possible because the authors of [38] work on asynchronous (not round-based) versions of the algorithms and because their method suffers of some lack of expressiveness whenever local counters are unavoidable. On the other hand, they are able to certify also liveness properties, whereas at the actual stage we can only do that by making reductions to safety or bounded model checking problems (we applied this method in our experiments, usually taking bounds for reductions from the literature on distributed algorithms-such bounds are often trivially suggested by the round-based structure of our benchmarks).
Paper [11] directly handles cardinality constraints for interpreted sets by employing specifically tailored abstractions and some incomplete inference schemata at the level of the decision procedures. Nontrivial invariant properties are synthesized and checked, based on Horn constraint solving technology; this is the same technology we rely on in our final step, however the counter systems we get are 'as accurate as possible', in the sense stated in our main Theorems 4 and 5.
Paper [21] introduces an expressive logic, specifically tailored to handle consensus problems (whence the name 'consensus logic' C L). Such logic employs arrays with values into power set types, hence it is naturally embedded in a higher order logic context. Paper [21] is not concerned with simulations and bisimulations, rather it uses an incomplete algorithm in order to certify invariants. A smaller fragment (identified via several syntactic restrictions) is introduced in the final part of the paper and a decidability proof for it is sketched.
Cutoff approaches are often employed in the literature on verification of distributed systems: in such approaches, problems involving unboundly many processes are reduced to particular cases where only a finite number of processes has to be considered (as soon as such number is determined, finite state model checking techniques apply). For a recent paper in the area, specifically tailored to fault-tolerant distributed algorithms, see [46].
Finally, we mention the effort made by the interactive theorem proving community in formalizing and verifying fault-tolerant distributed algorithm (see e.g. [14]); such approach is a natural complement to ours.
Funding Open access funding provided by Università degli Studi di Milano within the CRUI-CARE Agreement. The work was conducted in the framework of SEED Project "Situational awareness in critical Infrastructure Environment (SENTINEL)" funded by the Università degli Studi di Milano.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.