Improving Partial Order Reductions for Universal ... - Semantic Scholar

Fundamenta Informaticae 33 (1998) 1{23 IOS Press

1

Improving Partial Order Reductions for Universal Branching Time Properties Wojciech Penczek and Maciej Szreter Institute of Computer Science ICS PAS, Warsaw, Poland fpenczek, [email protected]

Rob Gerthy

Intel Microprocessor Products Group Strategic CAD Laboratories (SCL), USA [email protected]

Ruurd Kuiperz

Eindhoven University of Technology Eindhoven, The Netherlands [email protected]

Abstract. The "state explosion problem" can be alleviated by using partial order reduction techniques. These methods rely on expanding only a fragment of the full state space of a program, which is sucient for verifying the formulas of temporal logics LTL?X or CTL?X (i.e., LTL or CTL* without the next state operator). This is guaranteed by preserving either a stuttering maximal trace equivalence or a stuttering bisimulation between the full and the reduced state space. Since a stuttering bisimulation is much more restrictive than a stuttering maximal trace equivalence, resulting in less powerful reductions for CTL?X , we  Partly supported by Esprit under the grant No. 20288 CRIT-2. Address for correspondence: Institute of

Computer Science, ICS PAS, Warsaw, Poland y Address for correspondence: Intel Microprocessor Products Group, Strategic CAD Laboratories (SCL), USA z Address for correpondence: Eindhoven University of Technology, Eindhoven, The Netherlands

study here partial order reductions that preserve equivalences "in-between", in particular a stuttering simulation which is induced by the universal fragment of CTL?X , called ACTL?X . The reductions generated by our method preserve also branching simulation and weak simulation, but surprisingly, they do not appear to be included into the reductions obtained by Peled's method for verifying LTL?X properties. Therefore, in addition to ACTL?X reduction method we suggest also an improvement of the LTL?X reduction method. Moreover, we prove that reduction for concurrency fair version of ACTL?X is more ecient than for ACTL?X .

1. Introduction Automated veri cation of concurrent programs suers inherently from the exponential blowup in the size of the memory required. There are many methods dealing with this problem by alleviating the state explosion problem. One group of these methods, called partial order reductions, exploits the fact that many properties are insensitive to the order in which concurrent operations are executed. Therefore, selecting one such order can be used to reduce the memory and time needed to check these properties. Such methods were studied in [7, 28, 19, 20, 24, 25, 26, 5, 21, 23] and mostly applied to linear time temporal logic (LTL) and branching time temporal logic (CTL*) without the next-state operator as well as to the weak modal mu-calculus. Partial order reductions are aimed at constructing a reduced state graph, based on exploring for each visited state only a subset of the enabled operations, so that only some of the successors of that state are expanded. The subset of the enabled operations is computed by requiring a set of constraints that ensures the correctness of the reduction. In this paper, we give a systematic approach to select appropriate conditions on the subsets of the enabled operations in order to preserve dierent equivalence notions as well as LTL?X , ACTL?X , and CTL?X properties together with their fair versions. The main result of the paper is a method for constructing reduced state spaces preserving ACTL?X and fair-ACTL?X properties as well as simulations insensitive to stuttering. Since ACTL?X is more expressive than LTL?X , our reductions preserve LTL?X properties. It turns out, however, that CTL?X properties are not preserved. So, we improve upon the eciency of the reduction method suggested for CTL?X [5] by paying the price of restricting the language to ACTL?X . It is important to mention that the subset of ACTL?X , called ACTL?X , is a logic of a satisfactory expressiveness [10] and polynomial time model checking algorithm [3]. Another motivation for obtaining a reduction method preserving ACTL?X lies within the fact that ACTL?X properties are preserved by some type of simulation that is insensitive to stuttering. Besides basing our correctness proof on this fact, checking that two structures are equivalent with respect to that type of simulation is itself important for process-algebra style correctness. Moreover, in addition to the reduction method for ACTL?X we suggest also an improvement of the reduction method for LTL?X [19]. Our reduction method, although dierent, is related to the methods suggested for preserving LTL?X properties [25, 19, 20, 21], CTL?X properties [5, 27, 23], and dierent equivalence notions for process algebra [26]. Some of the conditions we impose upon

the subsets of the enabled operations have already been used by Peled and Valmari but for preserving dierent classes of properties and equivalences. Moreover, our proof of correctness of the algorithm, although using the proof approach in [5], is much simpler. This paper is an extended and improved version of [22]. The rest of the paper is organized as follows. In section 2, more motivation for our research is given. Basic notions are introduced in section 3. The algorithm building the reduced state spaces is given in section 4. Section 5 contains the conditions on the subsets of the enabled operations. The correctness of the construction is proved in section 6. In section 7 combinations of our method with the reduction methods for LTL?X and CTL?X are discussed. The eciency of our algorithm is discussed in section 8. The conclusions can be found in section 9.

2. Motivation In order to preserve the properties expressible in temporal logics, various conditions should be satis ed by the selected subsets of the enabled operations (ample sets) when expanding a state space. To preserve LTL?X properties the ample sets either contain only invisible operations (those not changing valuation of states) or all the enabled visible operations (in addition to other conditions). To preserve CTL?X properties the ample sets are restricted to contain only one invisible operation. In the paper [5], the experimental results show that for many systems the reduction of state spaces for CTL?X can be very substantial. These are mainly systems without con icts, but with many invisible operations. The closer analysis of systems for which there are no CTL?X -reductions (even if all the operations are taken as invisible) shows that this happens, when at all the local states of the program subcomponents there is a choice in selecting an invisible operation. Below, we give a simple example of Mutual Exclusion algorithm, which does have this property and therefore its state space cannot be reduced to preserve CTL?X properties. State graphs of component processes are depicted in Figure 1. Process S is a scheduler, which selects one of the other waiting processes to perform synchronized action s (s synchronizes with some si ). The operations s, g, a and si are visible. If there are no actions di , each of these processes may be selected only once. Then CTL?X algorithm generates than full state graph and no reduction is done. Therefore, the interesting question is whether we can verify eciently branching properties for systems like the above. The answer is armative. In this paper we show that by restricting the language of CTL?X to its universal fragment, called ACTL?X , we can oer a new reduction method, which is ecient also for systems with con icts. This is obtained by relaxing the CTL?X conditions on the ample sets. To preserve ACTL?X the ample sets either contain only one invisible operation or all the enabled visible operations (in addition to other conditions). Below, we give experimental results comparing the p.o. reductions preserving CTL?X and ACTL?X for Mutual Exclusion algorithm without di operations. In section 8 we again compare the p.o. reductions, but for the unrestricted version of Mutual Exclusion.

c1

c

i

a

g

b1

d1

b

d

s

i

i

s1

s

i

S

S1

Si

Figure 1. Mutual Exclusion

3. Basic Notions Finite State Distributed Programs De nition 3.1. A distributed alphabet e is a tuple of n  1, not necessarily disjoint, local alphabets, (1 ; 2 ; : : : ; n ), where each i is a non-empty alphabet of operations.

Each such i should be viewed as the set of actions that the i-th component (or process) of the system can engage in. Let  = 1 [ 2 [ : : : [ n and let K = f1; 2; : : : ; ng be the set of indices of the processes. For each a 2 , denote by pr(a) the set fi 2 K j a 2 i g; this is the set of processes that must synchronize in order for a to execute. Given the above, we have:

De nition 3.2. The independence relation over a distributed alphabet e is the relation I = f(a; b) 2    j pr(a) \ pr(b) = ;g.

I.e., actions are independent if they have no way of in uencing each other (because the involved processes are dierent). It is easy to see that (; I ) is a concurrent alphabet in the sense of Mazurkiewicz's trace theory [16]. De nition 3.3. A nite state (distributed) program is a structure P with the following components: 1. for each process i 2 K , a nite nonempty set Si of local-states 2. for each process i 2 K , the initial state i 2 Si of the process i, and Q S  3. for each nonempty process-set X  K , a transition-relation X  i2X i i2X Si  Q Si such that: i2X

Mutual Exclusion (without d operations) k Reduction States Transitions Time 4 None 270 945 0  ACTL?X 96 144 0 CTL?X 270 945 0 5 None 891 3753 1 ACTL?X 224 352 0  CTL?X 891 3753 0 6 None 2916 14337 1 ACTL?X 512 832 1 CTL?X 2916 14337 1 7 None 9477 53217 3 ACTL?X 1152 1920 1 CTL?X 9477 53217 3 8 None 30618 193185 15 ACTL?X 2560 4352 3 CTL?X 30618 193185 15 9 None ACTL?X 5632 9728 6 CTL?X i

Figure 2. CTL?X versus ACTL?X reductions (a) if (SX ; a; SX0 ) 2 X , then X = pr(a), and (b) if (SX ; a; SX0 ); (SX ; a; SX00 ) 2 X , then SX0 = SX00 (determinism of operations), The transition-relation X models the events in which all processes in X synchronize on the same operation.

De nition 3.4. The full state graph of a program P is a directed, edge labeled graph G =

(S; R; ) satisfying the following conditions:  S = Qi2K Si is the full state space,  R  S    S such that s ??a! s0 2 R if there is (SX ; a; SX0 ) 2 X such that sjX = SX and 0 , sji = s0 ji, for i 2 K n X , where jX denotes the projection on the X -components, s0 jX = SX   = (1 ; : : : ; n). A reduced state graph G0 of P is any subgraph of the full state graph G of P such that 0 = . Let s 2 S . The set of operations enabled at s, en(s), is de ned as fa 2  j 9s0 2 S : s ??a! s0 g. A ai si+1 path of program P is a maximal ( nite or in nite) sequence s0 a0 s1 a1 s2


, such that si ??! for every i  0. An execution sequence is a path s0 a0 s1 a1 s2


such that s0 = . A state is reachable if it appears on some execution sequence.

In order to explain the idea of the reduction method we need to de ne the notion of equivalent execution sequences. Intuitively, executions are equivalent if they only dier in the order of their independent actions. De nition 3.5. De ne  as the least congruence in the (standard) string monoid (; ; ) such that (a; b) 2 I ) ab  ba, for all a; b 2 . I.e., w  w0 if there is a nite sequence of strings w0 ; : : : ; wn such that w0 = w, wn = w0 , and for each i < n, wi = uabv , wi+1 = ubav , for some (a; b) 2 I and u; v 2  . Two in nite strings of operations v and v0 are equivalent , v  v0 , if for each nite pre x t of v there is a nite pre x t0 of v0 such that t is a pre x of some string t00 with t0  t00 , and vice versa. Paths, s0 a0 s1 a1


and t0 b0 t1 b1


, of program P are equivalent if the strings of operations a0 a1 : : : and b0 b1 : : : are equivalent. From the intuition that independent actions cannot in uence each other it would also follow that an action that is continuously enabled from some point onwards along a computation cannot be prevented to occur in this computation by actions that are independent of it. De nition 3.6. ([19]) A path s0a0 s1a1


in a state graph is concurrency-fair if there is no operation b 2  and k > 0 such that (b; aj ) 2 I and b 2 en(sj ) for all j > k. Notice that concurrency-fairness is preserved by the equivalence on paths.

Syntax of ACTL?X and CTL?X

Let P V be a nite set of propositions. First, we give a syntax of CTL?X and then restrict it to ACTL?X and other sublanguages. The set of state formulas and the set of path formulas of CTL?X are de ned inductively: S1. every member of PV is a state formula, S2. if ' and are state formulas, then so are :' and ' ^ , S3. if ' is a path formula, then A' is a state formula, P1. any state formula ' is also a path formula, P2. if ', are path formulas, then so are ' ^ and :', P3. if ', are path formulas, then so is U('; ). The modal operator A has the intuitive meaning \for all paths". U denotes the standard Until. CTL?X consists of the set of all state formulae. The following abbreviations will be used: E' def = :A:', F' def = U(true; '), G' def = :F:' .

Sublogics of CTL?X ACTL?X . Negation can be applied only to subformulas that do not contain modalities. ACTL?X . The sublogic of ACTL?X in which the state modality A and the path modalities U,

F and G may only appear paired in the combinations AU, AF and AG. LTL?X . Restriction to formulas of the form A', where ' does not contain A. We usually write ' instead of A' if confusion is unlikely.

Semantics of ACTL?X and CTL?X

Q

Given a program P , a P-valuation function is a function V : i2K Si ?! 2P V . A program P together with a P -valuation function V induces the full model M = (G; V ) for the full state space G and a reduced model M 0 = (G0 ; V 0 ) for any reduced state space G0 of P , where V 0 = V jG0 . To make the de nitions easier, from now on we assume that the edge relation, R, of any model (reduced or otherwise) is total: 8s 2 S 9s0 2 S; a 2  s ??a! s0 . Let M = (G; V ) be a model (full or reduced) and let  = s0 a0 s1


be some (in nite) path of G. Let i denote the sux si ai si+1


of  and (i) denote the state si. Satisfaction of a formula ' in a state s of M , written M; s j= ' or just s j= ', is de ned inductively as follows: S1. s j= q i q 2 V (s), for q 2 P V , S2. s j= :' i not s j= ', s j= ' ^ i s j= ' and s j= , S3. s j= A' i  j= ' for every path  starting at s, P1.  j= ' i s0 j= ' for any state formula ', P2.  j= :' i not  j= ',  j= ' ^ i  j= ' and  j= , P3.  j= U('; ) i there is an i  0 such that i j= and j j= ' for all 0  j < i.

Semantics of concurrency-fair ACTL?X and CTL?X

Concurrency-fair versions of ACTL?X and CTL?X , called cf-ACTL?X and cf-CTL?X , have the same syntax as ACTL?X and CTL?X , but slightly dierent semantics. The dierence is in quanti cation, which is now over the cf-paths rather than over all the paths. So, in the semantics only S3 changes to: S3cf s j= A' i  j= ' for every cf-path  starting at s.

3.1. Behavioral Equivalences We consider here several notions of behavioral equivalences that are preserved under our partial order reductions. Connections between behavioral equivalences and logics allow adapting the reduction for various logical formalisms, including ACTL?X . To give the notions of equivalences, the following de nition of invisibility is needed.

De nition 3.7. An operation a 2  is invisible in a model (G; V ) if whenever s ??a! s0 for a reachable state s, we have V (s) = V (s0 ).

That is, an operation is invisible if by executing it from any reachable state it does not change the valuation. Denote the set of invisible operations by Invis , and let Vis =  n Invis be the set of visible operations. In process algebra, the invisible operations are readily given and marked as  operations. In the sequel we will often ignore actions and write s0 s1


instead of s0 a0 s1


.

De nition 3.8. Let  = s0s1


be a nite path in model M . De ne inductively the stutteringfree projection P r() as follows:  P r(s0) = s0,

 

(


si) = P r(s0


si?1 ) if V (si?1 ) = V (si ), ( ) = P r(s0 : : : si?1 )si , otherwise. For an in nite path  = s0 s1


, the stuttering-free projection P r() is de ned as follows:  if there is j such that V (sj ) = V (sk ) for each k  j , then P r() = P r(s0


sj ),  otherwise,  can be represented by concatenation of in nitely many nite paths 12


such that the valuation of the last state of j is not equal to the valuation of the rst state of j +1 for all j > 0. Then, P r() = P r(1 )P r(2 )


. Let M = ((S; R; ); V ), M 0 = ((S 0 ; R0 ; 0 ); V 0 ) be two models. De nition 3.9. ((cf-)stuttering maximal trace equivalence) Two paths  in M and 0 in M 0 are called stuttering equivalent, denoted  st 0 , if V (P r()(i)) = V 0 (P r(0 )(i)) for all i  0, i.e., the valuations of the stuttering-free projections of  and  0 are the same. Two models M and M 0 are (cf-)stuttering maximal trace equivalent if 1. for each in nite (cf-) path  in M starting at , there is an in nite (cf-) path 0 in M 0 starting at 0 such that  st 0 , 2. the symmetric condition. The following theorem connects (cf-)LTL?X with stuttering maximal trace equivalence: Theorem 3.1. ([19]) Let M and M 0 be two (cf-)stuttering maximal trace equivalent models, where the range of the labeling function V and V 0 is 2P V . Then, M;  j= ' i M 0 ; 0 j= ', for any LTL?X (cf-LTL?X resp.) formula ' over P V . De nition 3.10. (Simulation [10]) A relation s  S 0  S is a simulation if the following conditions hold: 1. 0 s , 2. if s0 s s, then V 0 (s0 ) = V (s) and for every path1  = s0 a0 s1 a1


of M that starts at s (i.e., s = s0 ), there is a path 0 = s00 a00 s01 a01


in M 0 that starts at s0 , such that s0j s sj for each j  0. Model M 0 simulates model M (M s M 0 ) if there is a simulation between the states of M and M 0 . Two models M and M 0 are called simulation equivalent if M s M 0 and M 0 s M . De nition 3.11. (Stuttering simulation [2]) A relation ss  S 0  S is a stuttering simulation between the states of two models M and M 0 if the following conditions hold: 1. 0 s , 2. if s0 s s, then V 0 (s0 ) = V (s) and for every path  = s0 a0 s1 a1


of M that starts at s, there is a path 0 = s00 a00 s01 a01


in M 0 that starts at s0 , a partition B1 ; B2 : : : of , and a partition B 0 1 ; B 0 2 : : : of 0 such that for each j  0, Bj and B 0 j are nonempty and nite, and every state in Bj0 is related by  to every state in Bj . P r s0

P r s0 : : : s i

1 Note that by totality of the edge relation, paths are in nite and, hence, maximal.

Model M 0 stuttering simulates model M (M ss M 0 ) if there is a stuttering simulation between the states of M and M 0 . Two models M and M 0 are called stuttering simulation equivalent if M ss M 0 and M 0 ss M . We also consider concurrency-fair versions of simulations, which are obtained by replacing the occurrences of "path" by "cf-path" in the de nitions of simulation and stuttering simulation. The following theorem connects (cf-)ACTL?X with stuttering simulation equivalence: Theorem 3.2. Let M and M 0 be two (cf-)stuttering simulation equivalent models, where the range of the labeling function V and V 0 is 2P V . Then, M;  j= ' i M 0 ; 0 j= ', for any ACTL?X (cf-ACTL?X , resp.) formula ' over P V .

Proof:

A proof for showing the connection between ACTL* and simulation can be found in [10], whereas the proof for ACTL?X can be obtained by an easy modi cation along the lines of the proof in [2, 5]. A proof for cf-ACTL?X is very similar. The reverse of this theorem, essentially stating that no coarser simulation preserves the truth value of ACTL?X formulas, also holds and can be proved by an easy induction. We conjecture that it also holds for cf-ACTL?X . We now recall the well-know notion of branching simulation and weak simulation. These notions enable to motivate two more notions of simulation, namely visible and divergence insensitive visible simulation. These latter two will be used later on to understand the intuitive meaning of two of the options for constraints to obtain reduction that we explore. De nition 3.12. (Branching simulation [6, 4]) A relation bs  S 0  S is a branching simulation between the states of two models M and M 0 if it satis es the following conditions: 1. 0 bs  and b  2. if s0 bs s and s ?! t, then either b =  and s0 bs t, or there exists a path s0 = s0 ?!   b s1 ?!


?! sn ?! t0 in M 0 such that si bs s for i  n, and t0 bs t. Model M 0 branching simulates model M (M bs M 0 ) if there is a branching simulation between the states of M and M 0 . Two models M and M 0 are called branching simulation equivalent if M bs M 0 and M 0 bs M .    a   Write s =a) s0 if there is a path s = s0 ?! s1 ?!


?! si ?! si+1 ?!


?! sn = s0 . When a is  , the path may be empty, whence s may equal s0 . De nition 3.13. (weak simulation [18]) A relation ws  S 0  S is a weak simulation between two models M and M 0 if it satis es the following conditions: 1. 0 ws  and b b 2. if s0 ws s and s ?! t, then there exists t0 such that s0 =) t0 in M 0 such that t0 ws t. Model M 0 weak simulates model M (M ws M 0 ) if there is a weak simulation between the states of M and M 0 . Two models M and M 0 are called weak simulation equivalent if M ws M 0 and M 0 ws M .

We de ne now a behavioral equivalence that includes conditions on both states and edges. To tie together stuttering simulation, which observes states but ignores transitions, and branching simulation, which observes transitions and ignores states we de ne the following simulation relation:

De nition 3.14. ((cf-)visible simulation [5, 21]) A relation vs  S 0  S is a (cf-) visible simulation between the states of two models M and M 0 if (i) 0 vs , and (ii) whenever s0 vs s, the following conditions hold:

1. V 0 (s0 ) = V (s). a0 b 2. If s ?! t 2 R, then either b is invisible and s0 vs t, or there exists a path s0 = s0 ?! a ?1 a1 b s1 ?!


?! sn ?! t0 in M 0 such that si vs s for i  n, ai is invisible for i < n and t0 vs t. b0 b1 3. If there is an in nite path s = t0 ?! t1 ?!


, where bi is invisible and s0 vs ti for c i  0, then there exists an edge s0 ?! s00 such that c is invisible and s00 vs tj for some j > 0. b0 b1 (3cf. If there is an in nite cf-path s = t0 ?! t1 ?!


, where bi is invisible and s0 vs ti for b01 b00 i  0, then there is an in nite cf-path s0 = t00 ?! t01 ?!


, such that b0j is invisible and t0j vs tj for all j  0 and some jk > 0). n

k

If a relation satis es these clauses except for clause 3), then it is called a divergence insensitive (d.i.) visible simulation Model M 0 (cf-)visible simulates model M (M vs M 0 ) if there is a (cf-)visible simulation between the states of M and M 0 . Two models M and M 0 are called (cf-)visible simulation equivalent if M bs M 0 and M 0 bs M . When all invisible operations are labeled as  , visible simulation is stronger than branching simulation, which in turn is stronger than weak simulation [5]. The interaction between simulations and logics is depicted in Figure 3. The same hierarchy is formed by the cf-versions of simulations and logics. We therefore concentrate on reductions that preserve visible or cf-visible simulation.

3.2. Model checking algorithms Model checking for ACTL?X follows the standard lines of CTL model checking [3, 1]. As far as model checking for concurrency-fair version of ACTL?X is concerned two algorithms can be used as well. The idea relies on the observation that concurrency-fairness can be described in the way similar to justice in the framework, where the information on independent operations is provided [17, 15]. Then, one can apply the standard algorithm for fair CTL [3] or apply the automata-based approach [1]. The automaton representing system is equipped with accepting conditions, which restrict the accepted tree to be composed of the concurrency-fair paths only.

Visible simulation

    ) 

Stuttering simulation [2, 10]

?

ACTL?X , ACTL?X

(without nexttime)

PPP P

PPPP Pq

Branching simulation [6, 4]

?

Weak simulation [11]

?

Universal fragment of Logic HML (with  operations) Figure 3. Connections between simulations and logics

4. The Algorithm The reduction algorithm is based upon a straightforward depth- rst-search (DFS) algorithm (see [5, 21]) to explore or generate a state graph. DFS is a recursive algorithm. It starts at the initial state of the program P . In current state s, DFS selects an unexpanded enabled operation, a say a, and generates the successor state s0 such that s ! s0 . State s is marked OPEN. Then, DFS continues from successor state till no more enabled action is present; then backtracks to the nearest predecessor, which contains unexpanded enabled operation. (For technical reasons, we require that DFS adds generic loops at all the states without successors.) The information whether the state is OPEN is used for detecting cycles. The modi ed DFS generates a reduced state graph G0 for the program P and P -valuation V such that the correctness of the checked property ' under (G0 ; V jG0 ) is the same as under the full model (G; V ) of P . The dierence with the standard DFS is that whenever the reduction algorithm visits a new state and the set of enabled operations en(s0 ) is examined, only a subset of it, denoted E (s0 ), is used to generate successors. The choice of these subsets is constrained by the class of properties that must be preserved. In particular we will ensure that that the model corresponding to G0 is visible simulation equivalent, and hence also stuttering simulation equivalent, to the model corresponding to G (see Theorem 3.2).

5. Preserving LTL?X, ACTL?X, and CTL?X properties In the sequel, let ' be a formula to be checked over the model M , corresponding to the full state graph G, and let M 0 be a submodel of M , corresponding to a reduced state graph G0 generated by the algorithm. In the following example we compare a full model to two reduced models The

rst reduced model is obtained through the LTL?X preserving reduction method from [19]. The example shows that the reduction does not preserve ACTL?X properties. It can be seen from the example that ACTL?X properties are more sensitive to the removal of branching points than LTL?X properties. The second reduced model is obtained through the reduction method for ACTL?X properties, as developed in the present paper. The example shows that the reduction method does not preserve CTL?X properties. Example 5.1. In Figure 4 the branching point after the execution of the visible operation a is omitted in the reduction M 0 , which causes a distinction between the truth value of the ACTL?X property ' in the model M , in which ' does not hold and the model M 0 in which ' holds. The CTL?X property '0 does not hold in the model M , but '0 holds in the model M 00 . Next we consider conditions that constrain the choices of E (s), in case of E (s) 6= en(s). The starting point of partial order reduction is to ensure that for every execution  in M that is excluded from the reduced model there is an equivalent execution 0   that is included in M 0 ; and to ensure this by constraining the choice of E (s) when visiting a new state s. This leads to the following conditions that occur in many variations in LTL?X and CTL?X properties preserving reduction methods [19, 24, 8, 5].

C1 No operation a 2  n E (s) that is dependent on an operation in E (s) can be executed in P

before an operation from E (s) is executed. Thus, condition C1 enforces that any nite sequence of operations taken from s that does not contain an operation from E (s) can be extended by such an operation. There are still executions in M that need not be represented because if an execution cycles, it may be the case that some action a is enabled in each state s on this cycle, but never included in E (s). Whence, we impose C2 On every cycle in the constructed state graph, there is at least one node s for which E (s) = en(s), i.e., for which all the successors of s are expanded. It is not dicult to see that C1 and C2 guarantee that for each concurrency-fair execution sequence in M , there is at least one equivalent execution sequence in M 0 . One way of checking that condition C2 holds is using a somewhat stronger condition stating that if E (s) is a proper a subset of en(s), then no state in fs0 2 S j s ! s0 g is on the search stack of the expansion algorithm. This condition uses the fact that during a depth- rst exploration, cycles are closed exactly when reaching a state that is already on the search stack. This alternative condition allows a simple, low overhead implementation; see previous work on preserving LTL?X properties [20]. Next, observe that validation of the formulas depends on the valuation function of the model so that independence of two actions (hence, equivalence of two computations) in itself is not sucient to ensure that the logic is insensitive to their execution order; the actions might `change' dierent propositions. One approach is to enforce that visible actions cannot be independent, although weaker conditions are possible as well [19, 13]. CD (Vis  Vis ) \ I = ;.

M

M’

p, q

p, q

b

c a

p, q

a b

M’’ p, q

b p, q

p, q

a

p

c a

p, q

a

a

p

c

p

b p

d

p

e

p

d

p, q

e

full model

d

p

p

e

d

p, q

d

c

e p, q

e

preserves LTL -X

d

e

preserves ACTL *-X

Let ' = AG(:p _ q _ AFq _ AF:p), '0 = :EU(p ^ q; p ^ q ^ AGp). Notice that: M 0 j= ', but M 6j= ', whereas M 00 j= '0 , but M 6j= '0 . Figure 4. Reductions for LTL?X and ACTL?X If E (s) satis es C1,C2,CD, then for each cf-path in M , there is at least one stuttering equivalent cf-path in M 0 , so cf-LTL?X is preserved [20]. Another approach is to constrain the (in)visibility of the actions occurring in E (s). A priori, we have the following possibilities (and combinations): C3a E (s) \ Vis 6= ;, i.e., E (s) contains at least one visible operation C3b E (s) \ Vis = ;, i.e., E (s) does not contain any visible operation C3c E (s) \ Invis 6= ;, i.e., E (s) contains at least one invisible operation C3d E (s) \ Invis = ;, i.e., E (s) does not contain any invisible operation The rst two conditions also occur in the paper by Valmari [25, 26] and Peled [21], but are used there to preserve dierent equivalences. Condition C3b is exactly condition C3 for LTL?X , which together with C1 and C2 is sucient for correct LTL?X reductions, as shown by Peled [21]. Note that if E (s) satis es C1 and C3b w.r.t. some independence relation I , then E (s) satis es C1 and C3b w.r.t. I \ ((  ) n (Vis  Vis )) as well. I.e., for this case, we do not need to impose condition CD. In order to preserve CTL?X properties the following condition can be added to C1, C2 and C3b [5]: C4 jE (s)j = 1. Next, consider condition C3a. It follows from C1, C3a and CD that en(s) n E (s)  Invis , i.e., that all visible operations enabled at s are in E (s). Figure 5 shows that ACTL?X (LTL?X ) properties are not preserved under C1,C2,C3a and CD. We will show that reduction under these conditions does preserve cf-visible simulation (so, cf-ACTL?X and cf-LTL?X ) and that

M

M’

p, q

p, q

b

c a

p, q

d

p, q

e a b

a

p

a Invis = {b,c,d,e} Vis = {a}

p

c

b

I = {a} x {b,c,d,e} p

d

p

e

c p

p

d

e

Let ' = AU(p ^ q; AG(p ^ :q)). Then M 6j= ' but M 0 j= ' Figure 5. Reduction under C1, C2, C3a and CD preserving cf-ACTL?X , but not ACTL?X . conditions C1, C3a, C3c and CD suce to preserve LTL?X properties. A result similar to the latter one, but in a framework of stubborn sets, can be found in [25]. In fact, condition C3c can be relaxed to condition C3c', which we formulate at the end of this section. Intuitively, this follows from the fact that condition C3a together with C1 guarantee that for each concurrency fair sequence in M composed of in nitely many visible operations, there is an equivalent one in M 0 . Moreover, for each in nite invisible sequence in M starting at s 2 S 0 , there in an in nite invisible sequence in M 0 starting at s; here we do not need to care of having equivalent sequences. Notice that there still could be a sequence of invisible operations in M , which is not simulated in M 0 . This is because even if E (s) contains an invisible operation, it is not guaranteed that each invisible sequence will be simulated in M 0 . Therefore, conditions C1, C3a, C3c and CD do not suce for preserving ACTL?X properties. We suggest the following simple solution to this problem. First, de ne for each state s 2 S the subset of enabled operations that start in nite invisible sequences in M . Formally, let Inv! (s) = fa 2 Invis j 9s0 : s ??a! s0 starts an in nite path of invisible operations in MP g.

C5 Inv! (s)  E (s), i.e., E (s) contains all the operations starting an in nite invisible path. In the next part of this paper, we show that conditions C1, C3a, CD and C5 suce to preserve

ACTL?X properties. As shown in Figure 4, these conditions do not suce to preserve CTL?X properties. A practical approximation for checking whether operation a starts an in nite path of invisible operations from s = (s1 ; : : : ; sn ) is as follows: for each component i s.t. i 2 pr(a), check whether a starts an in nite invisible path from si. If a starts an in nite invisible path in at least one component, then it is assumed to start an in nite invisible path from s. This approximation might give more operations than those which really start in nite invisible paths in the whole program, therefore allowing less reduction. However, it is safe in the sense that it would not miss any invisible operation starting an in nite invisible path. Finally, observe that

selecting condition C3d does not lead to satisfactory reductions, because sequences of invisible operations in M cannot be simulated in M 0 . The following table and theorem summarizes our results. In the table, the new results of this paper are displayed using bold faces. version | logic no concurrency-fairness concurrency-fairness

LTL?X

ACTL?X

C1,C2,C3b or C1, C3a, C3c', CD

C1,C3a,C5,CD

C1,C2,CD

C1,C2,C3a,CD

CTL?X

C1,C2,C3b,C4 ???

Theorem 5.1. Let M be the full model of a given program P and M 0 be the model correspond-

ing to the reduced state graph G0 generated by our algorithm using dierent combinations of conditions on E (s0 ) for s0 2 S 0 . a) For the conditions C1, C3a and CD, the models M and M 0 are d.i. visible simulation equivalent, b) For the conditions C1, C2, C3a and CD, the models M and M 0 are cf-visible simulation equivalent, c) For the conditions C1, C3a, C3c and CD, the models M and M 0 are stuttering maximal trace equivalent and LTL?X properties equivalent, d) For the conditions C1, C3a, C5 and CD, the models M and M 0 are visible simulation equivalent and ACTL?X properties equivalent.

Proof:

See the next section for the proof of the preservation of equivalences. Preservation stuttering maximal trace equivalence then implies preservation of LTL?X properties (Theorem 3.1), while preservation of (cf-) visible simulation equivalence, being a stronger equivalence than stuttering simulation equivalence implies preservation of ACTL?X (cf-ACTL?X , resp.) properties. (Theorem 3.2). It follows from our proof in Section 6 that condition C3c can be relaxed to the following one: C3c' If Inv! (s) 6= ;, then E (s) \ Invis 6= ;.

6. Correctness of the Algorithm Let M = ((S; R; ); V ) be the model corresponding to the full state graph of program P and M 0 = ((S 0 ; R0 ; 0 ); V 0 ) be the model corresponding to the reduced state-graph generated for P by our partial order reduction algorithm. Remember that 0 =  and V 0 = V jS 0 . Since M 0 is a sub-model of M , it is obvious that, depending on the constraints being used, M either branching simulates or visible simulates M 0 . In order to show the opposite, de ne the following relation:

a0 De nition 6.1. De ne the relation   S  S by s0  s i there exists a path s0 = s0 ?! a ?1 a1 s1 ?!


?! sn = s such that ai is invisible for all i < n. Such a path will be called an n

invisible path. It is easy to see that the relation  is transitive and re exive (but not necessarily symmetric). De nition 6.2. Let  =  \ (S 0  S ). Notice that by de nition,   . We now state and prove the main theorem: Theorem 6.1. Depending on the conditions on E (s) used by the reduction algorithm the following conditions hold: a) For the conditions C1, C3a and CD, the relation  is d.i. visible simulation, b) For the conditions C1, C2, C3a and CD, the relation  is cf-visible simulation, c) For the conditions C1, C3a, C3c and CD, the models M and M 0 are stuttering maximal trace equivalence, d) For the conditions C1, C3a, C5 and CD, the relation  is visible simulation.

Proof: a) First, observe that  = 0 and 0 2 S 0. Hence 0  . Now, let s0  s. Thus, s0  s. Condition 1 of De nition 3.14 is satis ed since according to De nition 6.1, there is an invisible path from s0 to s. Hence, V 0 (s0 ) = V (s). b Next, we show that condition 2 of De nition 3.14 holds. Let s ?! t 2 R. We argue by cases: Case 1. b is invisible.

Immediate from the de nition since there is an invisible path from s0 to t and consequently s0  t, and s0  t.

Case 2. b is visible.

By de nition of , there is n  0 and states s0 = s0 ; s1 ; : : : ; sn = s such that for each a i < n, si ?! si+1 and ai 2 Invis . We will prove the Theorem by induction on n. Base case (n = 0). b As s ?! t is a visible transition, it is in M 0 (remember that en(s) n E (s)  Invis by C1, C3a and CD), so we are done. Inductive step. a a0 sk+1 = s be an Assume that the Theorem holds for all n  k and let s0 = s0 ?!


?! invisible path. Consider two cases: i

k

62 E (s0) for all i  k. Notice that by C3a there is a visible operation in E (s0 ). This operation must be b, since otherwise it would follow from C1 that there are two independent visible b operations, which is not allowed by CD. So, b 2 E (s0 ) and, hence, that s0 ?! t0 for 0 0 some t 2 S . Then, it follows from C1 that b is independent of all ai for i  k. Thus, there is an invisible path labeled by a0


ak from t0 to t. By de nition of , t0  t, which

Case 1.

ai

completes the proof of this case.

Case 2.

ai

2 E (s0 ) for some i  k.

a Let j to be the smallest index such that aj 2 E (s0 ) and let s0 ?! t0 . It follows from C1 that (aj ; ai) 2 I for all i < j . Therefore, we can easily show that there is an invisible path labeled with operations a0


aj ?1 from t0 to sj , which implies that t0  s. Since the length of this path is k , we apply the inductive assumption to t0  s b b and s ?! t, getting a path t0 = t0 ?! t1 ?!


?! tk ?! u0 in M 0 such that ti  s a b u0 is a required path. for i  k and u0  t. Therefore, s0 ?! t0


?! tk ?! j

j

Therefore, the rst two conditions of De nition 3.14 hold and so d.i. visible simulation is preserved by reduction under conditions C1, C3a and CD. b) Now, we show that condition 3cf of De nition 3.14 holds if we additionally impose C2. a a0 0 0 By de nition of  if s  s, then there is an invisible path q1 : s = as0 ?!


a?! sk+1 = s, +1 +2 for some k  0. Assume that there is an in nite cf-path q2 : s = sk+1 ?! sk+2 ?!


, where ak+i is invisible and s0  sk+i for i  0. Then, it is not possible that aj 62 E (s0 ) for all j  0. In the other case it would follow from C1 a +2 +1 that the path s = sk+1 a?! sk+2 ?!


is not concurrency-fair. Let j0 to be the smallest index a such that aj 2 E (s0 ) and let s0 = s00 ?!0 s0j0 . It follows from C1 that (aj ; ai ) 2 I for all i < j . Therefore, we can easily show that there is an invisible path labeled with operations a0


aj ?1 from s0j0 to sj , which implies that s0j0  sj . We continue by induction. Assume that we have a ?1 a already built the path s00 ?!0


?! s0k . Then, there is the path labelled with the operations of fa0 ;


; ak?1g from s0k to sj ?1 , which implies that s0k  sj ?1 . Now, let jk be the smallest index a such that aj 2 E (s0k ) and let s0k ?! s0k+1. This way we obtain the in nite invisible path q0 : a ?1 a a 0 s00 ?!


?! s0k ?!


. It follows from C2 that each operation from fa0 ; a1 ; : : :g apperas in q 0 , since it has to be eventually taken when the cycle is closed. Obviously, all the operations of q 0 are contained in fa0 ; a1 ; : : :g. It follows from the construction that q1 q2 and q 0 are equivalent. Since q2 is concurrency-fair, q1 q2 is so. Therefore, q0 is concurrency-fair. c) In order to prove that M and M 0 are stuttering maximal trace equivalent we impose conditions C1, C3a, C3c, and CD. Then, we need the following lemma. Lemma 6.1. Let s 2 S 0. If therea is an in nite invisible path in M starting at s, then there is a 2 E (s) and s0 2 S 0 such that s ! s0 , and there is an in nite invisible path in M starting at s0 . k

k

k

k

k

j

jk

j

k

k

jk

j

Proof:

k jk

jk

Let s0 a0 s1 a1 : : : be an in nite invisible path in M starting at s0 = s. Consider the following cases: Case 1. a0 2 E (s0 ). We are done. s1 a1 s2 a2


is an in nite invisible path starting at s1 . Case 2. ai 62 E (s0 ) for all i  0. Then, by C3c, there is b 2 E (s0 ) \ Invis such that, by C1, (b; ai ) 2 I for all i  0. Let b s0 ! s0 . Thus, there is an in nite invisible path starting at s0 labeled with a0 a1


.

Case 3.

ai

2 E (s0 ) for some i  1.

a Let j to be the smallest index such that aj 2 E (s0 ) and let s0 ?! t0 . It follows from C1 that (aj ; ai ) 2 I for all i < j . Therefore, we can easily show that there is an invisible path labeled with operations a0


aj ?1 from t0 to sj , which implies that there is an in nite invisible path labeled with a0 a1


aj aj +1 aj +2


starting at t0 . j

Notice that the lemma holds when we relax C3c to C3c'.

Corollary 6.1. Let s 2 S 0. If there in an in nite invisible path in M starting at s, then there

is an in nite invisible path in M 0 starting at s.

Now, we complete the proof that LTL?X properties are preserved. Consider an in nite path  = s0 a0 s1 a1 : : : in M with s0 = . We have to show that there is an in nite path  0 in M 0 starting at 0 such that  st 0 . (The symmetric case is obvious as M 0 is a submodel of M .) Consider the following cases: Case 1. ai 2 Vis for in nitely many i. Then, we get a required in nite path 0 in M 0 by directly applying the fact that 0   and  satis es the rst two conditions of De nition 3.14 (proved above). Case 2. 9k > 0 such that ai 2 Invis for all i  k Let j be the smallest index such that ai 2 Invis for all i  j . Then, it is easy to show, again by directly applying the fact that  satis es the rst two conditions of De nition 3.14, that there is a nite path 1 = s00 a00


s0l in M 0 with s00 = 0 such that s0l  sj and s0


sj and s00


s0l are stuttering equivalent. It follows from the de nition of  and the fact that there is an in nite invisible path in M starting at sj , that there is an in nite invisible path starting at s0l in M . Thus, it follows from Corollary 6.1 that there is an in nite invisible path 2 in M 0 starting at s0l . So, the path 0 = 1 2 is a required in nite path such that  st  0 . This completes the proof of preservation of LTL?X properties. d) Now, we show that condition 3 of De nition 3.14 holds if conditions C1, C3a, C5, and CD are imposed. b0 b1 Assume that there is an in nite path s = t0 ?! t1 ?!


, where bi is invisible and s0  ti for a a0 i  0. By de nition of  if s0  s, then there is an invisible path s0 = s0 ?!


?! sk+1 = s, for some k  0. Since each of the transitions in this path starts an in nite invisible path, it a a0 b0 follows from C5 that it remains in M 0 and therefore the path s0 = s0 ?!


?! sk+1 = s ?! t1 is a required path in M 0 . k

k

7. Combining reduction methods Notice that the sets E (s) computed by the algorithm using our reduction method contain all the visible operations enabled at s. This contrasts with the sets E (s), computed using the LTL?X

M

M’

p, q

p, q

c a

p, q

e

b

a

p

a Invis = {b,c,d,e} Vis = {a,b}

p

c

b

I = {(a,c)} p, q

d

p

e

c

p, q

d

p

e

Figure 6. Our reduction for ACTL?X (hence for LTL?X ) that cannot be achieved by the LTL?X reduction method [15] or CTL?X reduction method, that can only contain invisible operations. This orthogonality of the methods suggests to combine them in order to improve on their eciency. Figure 6 supports our idea by showing a simple model M , which can be reduced to model M 0 using the ACTL?X reduction method, whereas no reductions can be obtained using the reduction method for LTL?X . The interested reader can easily nd a model having a symmetrical property. We can combine the LTL?X reduction method with the ACTL?X reduction method getting reductions preserving LTL?X formulas and we can combine the CTL?X reduction method with the ACTL?X reduction method getting reductions preserving ACTL?X formulas. Consider both the cases. First of all, notice that in order to preserve LTL?X properties we can apply our ACTL?X reduction method without imposing condition C5, but requiring C3c', see Theorem 5.1 c). Next, assume that the full model M has been rst reduced to model M 0 using the LTL?X method and then reduced further to model M 00 using the ACTL?X reduction method. Then, model M 00 preserves LTL?X formulas. Below, we suggest a method for obtaining model M 00 by running a modi ed DFS algorithm only once. The DFS algorithm is modi ed in the following way: for each state s0 2 S 0 rst the algorithm tries to nd E (s0 ) satisfying C1, C2 and C3b, but if fails, then it tries to nd E (s0 ) satisfying C1, C3a,C3c' and CD. Notice that the correctness of this algorithm follows from the fact that the sets E (s0 ) are computed locally at s0 and do not depend on reductions, which have already been made. So, it does not matter whether the algorithm calculates E (s0 ) for s0 2 S or s0 2 S 0 . This method gives better results than the method for LTL?X alone as ACTL?X method of calculating E (s) is applied precisely in the case that the LTL?X reduction method gives E (s0 ) = en(s0 ). Assume that the full model M has been rst reduced to model M 0 using the CTL?X method and then reduced further to model M 00 using the (cf-)ACTL?X reduction method. Then, model M 00 preserves (cf-)ACTL?X formulas. Similarly to the previous case, we suggest a method of obtaining model M 00 by running a modi ed DFS algorithm only once. The DFS algorithm is

Milner's scheduler k states(s) edges(e) time 4 97 241 0 5 241 721 0 6 577 2017 0 7 1,345 5,377 1 8 3,073 13,825 3 9 6,913 34,561 8 10 15,361 84,481 20 11 33,793 202,753 57

only ti and ci visible s e time 13 13 0 16 16 0 19 19 0 22 22 0 25 25 0 28 28 0 31 31 0 34 34 0

Figure 7. Milner's Scheduler: reductions for ACTL?X with ti and ci visible. modi ed in the following way: for each state s0 2 S 0 rst the algorithm tries to nd E (s0 ) satisfying C1, C2, C3b and C4, but if fails, then it tries to nd E (s0 ) satisfying C1, C3a, CD (and C5, resp.). This method gives better results than the method for CTL?X alone as (cf-)ACTL?X method of calculating E (s) is applied precisely if the CTL?X method gives E (s0 ) = en(s0 ).

8. Experimental results The algorithm described above was implemented and several experiments were conducted. As a rst example Milner's scheduler was tested. It's a simple token ring of k cyclic processes C , which upon having received a token, communicate with some system and then concurrently wait for acknowledgment and wait to send the token. Each of component processes Ci can be described by CCS equation Ci = ti
ci
(ai jti mod (k+1) )
Ci . The complete scheduler on k processes is described by Sch k = (t1
nil j C1 j


j Ck ) n t1


tk , where the rst process starts C1 . The operator `j' denotes a concurrent composition, and `
' means sequencing. Lowercase letters correspond to operations. Two letters, where one is barred, e.g., c and c, may synchronize, thus producing an invisible operation. The operator `n' is the restriction operator which, in this case, forces the ti , ti synchronizations to occur. nil is the idle process that does nothing. The table in Figure 7 contains the following data: number of states and edges, time in seconds of generating full and reduced state graphs. We detected that in presented case a cycle is created (that's why numbers of states and transitions are equal). Because of the lack of con icts in every process, the reductions for ACTL?X and CTL?X are the same. Notice that this reduction was obtained when only ti and ci actions were visible. While actions ti and ai are invisible (only ci is visible), identical results may be yielded using CTL?X reduction. Another algorithm we have tested is Mutual Exclusion protocol. State graphs of component

processes are depicted in Figure 1. Recall that process S is a scheduler, which selects one of the other waiting processes to perform synchronized action s (s synchronizes with si ). The operations s, g, a and si are visible. The results obtained by ACTL?X and CTL?X algorithm are presented in Figure 2 and 8. Mutual Exclusion k Reduction States Transitions Time 4 None 486 2457 0  ACTL?X 96 176 1 CTL?X 128 528 0 5 None 1701 10368 1 ACTL?X 224 432 0  CTL?X 304 1472 0 6 None 5832 41553 2 ACTL?X 512 1024 1 CTL?X 704 3904 2 7 None 19683 160380 8 ACTL?X 1152 2368 3 CTL?X 1600 9984 8 8 None  ACTL?X 2560 5376 7 CTL?X 3584 24832 21 9 None ACTL?X 5632 12032 14 CTL?X 7936 60416 62

Figure 8. CTL?X versus ACTL?X reductions

9. Conclusions We have presented new partial order reduction methods for preserving various simulation equivalences and for ACTL?X properties. Speci cally, we have shown reductions that preserve d.i. visible simulation equivalence, hence branching simulation and weak simulation equivalence; reductions that preserve (cf-) visible simulation equivalence, hence stuttering simulation equivalence; and reductions that preserve stuttering maximal trace equivalence. Thus, we also obtained new reduction techniques that preserve LTL?X and (cf-) ACTL?X properties. The usual DFS algorithm was modi ed so that only subsets of the successors from each state are expanded. This allows reducing state spaces, and thus allows reducing the space and time used for this construction and for model checking. ACTL?X is more expressive than LTL?X , whereas ACTL?X has a model-checking algorithm, which is linear in the size of the checked property [3]. These advantages in expressiveness or

eciency can now be combined with the ability to reduce the state graph using partial order methods. Also, we have shown that combining our method with the existing one for LTL?X (CTL?X ) achieves better reductions for LTL?X (ACTL?X , resp.). There are two interesting questions, which are not answered in this paper:  Is there any condition, which when added to C1, C2, and C3b would guarantee correct reductions for ACTL?X , but incorrect for CTL?X ,  Is there any condition, which when added to C1, C3a, CD and C5 would guarantee correct reductions for CTL?X . Adaptation of our algorithm to "on-the- y" model checking (along the lines of [27]) is a subject of our forthcoming paper.

References [1] O. Bernholtz, M. Vardi, P. Wolper, An automata Theoretic Approach to Branching-time Model Checking, Proc. of 6th Annual Workshop on Computer Aided Veri cation, Lecture Notes on Computer Science 818, Springer, 1994, pp. 142{155. [2] M.C. Browne, E.M. Clarke, O. Grumberg, Characterizing Finite Kripke Structures in Propositional Temporal Logic, TCS 59, Elsevier, 1988, pp. 115{133. [3] E.M. Clarke, E.A. Emerson, A.P. Sistla, Automatic Veri cation of Finite State Concurrent Systems Using Temporal Logic Speci cations: A Practical Approach, ACM Transactions on Programming Languages and Systems, 8(2), 1986, pp. 244{263. [4] R. deNicola, F. Vaandrager, Three Logics for Branching Bisimulation, Proc. of LICS, 1990, pp. 118{129. [5] R. Gerth, R. Kuiper, D. Peled, W. Penczek, A Partial Order Approach to Branching Time Logic Model Checking, Information and Computation, Vo. 150, No. 2, 1999, pp. 132{152. [6] R.J. van Glabbeek, W.P. Weijland, Branching time and abstraction in bisimulation semantics, Information Processing 89. Elsevier Science Publishers, 1989, pp. 613{618. [7] P. Godefroid, Using partial orders to improve automatic veri cation methods, in E.M. Clarke, R.P. Kurshan (eds.), Computer Aided Veri cation 1990, DIMACS, Vol 3, 1991, pp. 321{339. [8] P. Godefroid, D. Pirottin, Re ning Dependencies Improves Partial-Order Veri cation Methods (Extended Abstract), LNCS 697, 1993, pp. 438{449. [9] P. Godefroid, P. Wolper, A Partial Approach to Model Checking, Proc. of LICS, 1991, pp. 406{415. [10] O. Grumberg, D.E. Long, Model Checking and Modular Veri cation, Proc. of TOPLAS, LNCS 527, 1991, pp. 250{265. [11] M. Hennessy, R. Milner, Algebraic laws for nondeterminism and concurrency, Journal of the ACM, 32, 1985, pp. 23{52. [12] G.J. Holzmann, Design and Validation of Computer Protocols, Prentice Hall, 1992.

[13] I. Kokkarinen, D. Peled, A. Valmari, Relaxed visibility enhances partial order reductions, CAV'97, LNCS 1254, 1997, pp. 328{340. [14] R. Langerak, Ed Brinksa, J.P. Katoen, Causal ambiguity and partial orders in even structures, Concur'97, LNCS 1243, 1997, pp. 317{331. [15] M. Kwiatkowska, Event fairness and non-interleaving concurrency, Formal Aspects of Computing 1, 1989, pp. 213{228. [16] A. Mazurkiewicz, Trace semantics, in W. Brauer, W. Reisig, G. Rozenberg (eds.), Advances in Petri Nets 1986, LNCS 255, 1987, pp. 279{324. [17] A. Mazurkiewicz, E. Ochmanski, and W. Penczek, Concurrent systems and Inevitability, TCS 64, 1989, pp. 281{304. [18] R. Milner, A Calculus of Communicating Systems, LNCS 92, 1980. [19] D. Peled, All from one, one for all, on model-checking using representatives, 5th conference on Computer Aided Veri cation, Lecture Notes in Computer Science 697, Springer-Verlag, 1993, pp. 409{423. [20] D. Peled, Combining Partial Order Reductions with On-the- y Model-Checking, Journal of Formal Methods in Systems Design, 8, 1996, pp. 39{64. [21] D. Peled, Partial Order Reduction: Linear and Branching Temporal Logics and Process Algebras, POMIV'96, Partial Order Methods in Veri cation, American Mathematical Society, DIMACS, 1996, pp. 233{258. [22] W. Penczek, M. Szreter, R. Gerth, and R. Kuiper, Partial Order Reductions Preserving Simulations. Proc. of Concurrency, Speci cation and Programming (CS&P'99), Warsaw, 1999, pp. 153{172. [23] Y.S. Ramakrishma, S. A. Smolka, Partial-order reduction in the weak modal mu-calculus, LNCS 1243, 1997, pp. 5{24. [24] A. Valmari, Stubborn sets for reduced state space generation, Proc. of 10th International Conference on Application and Theory of Petri Nets, 1989, LNCS 483, pp. 491{515. [25] A. Valmari, A Stubborn attack on state explosion, Proc. 2nd Workshop on Computer Aided Veri cation, LNCS 531, 1980, pp. 156{165. [26] A. Valmari, Stubborn Set Methods for Process Algebras, Proc. of Workshop on Partial Order Methods in Veri cation, American Mathematical Society, DIMACS, 1996, pp. 213{ 232. [27] B. Willems, P. Wolper, Partial-Order Methods for Model-Checking: From Linear Time to Branching Time, Proc. of LICS, 1996, pp. 294{303. [28] P. Wolper, P. Godefroid, Partial-order methods for temporal veri cation, Concurrency Theory 1993, LNCS 715, 1993, pp. 233{246.