An efficient simulation algorithm based on abstract interpretation
Authors: Francesco Ranzato, Francesco Tapparo (Dipartimento di Matematica Pura ed Applicata, University of Padova, Italy; {ranzato,tapparo}@math.unipd.it)
Abstract

A number of algorithms for computing the simulation preorder are available. Let $\Sigma$ denote the state space, $\to$ the transition relation and $P_{sim}$ the partition of $\Sigma$ induced by simulation equivalence. The algorithms by Henzinger, Henzinger, Kopke and by Bloom and Paige run in $O(|\Sigma||{\to}|)$-time and, as far as time-complexity is concerned, they are the best available algorithms. However, these algorithms have the drawback of a space complexity that is more than quadratic in the size of the state space. The algorithm by Gentilini, Piazza and Policriti, subsequently corrected by van Glabbeek and Ploeger, appears to provide the best compromise between time and space complexity. Gentilini et al.'s algorithm runs in $O(|P_{sim}|^2|{\to}|)$-time while the space complexity is in $O(|P_{sim}|^2 + |\Sigma|\log|P_{sim}|)$. We present here a new efficient simulation algorithm that is obtained as a modification of Henzinger et al.'s algorithm and whose correctness is based on some techniques used in applications of abstract interpretation to model checking. Our algorithm runs in $O(|P_{sim}||{\to}|)$-time and $O(|P_{sim}||\Sigma|\log|\Sigma|)$-space. Thus, this algorithm improves the best known time bound while retaining an acceptable space complexity that is in general less than quadratic in the size of the state space. An experimental evaluation showed good comparative results with respect to Henzinger, Henzinger and Kopke's algorithm.

1 Introduction

Abstraction techniques are widely used in model checking to hide some properties of the concrete model in order to define a reduced abstract model on which to run the verification algorithm [1, 9].
Abstraction provides an effective solution to deal with the state-explosion problem that arises in model checking systems with parallel components [7]. The reduced abstract structure is required at least to weakly preserve a specification language $\mathcal{L}$ of interest: if a formula $\varphi \in \mathcal{L}$ is satisfied by the reduced abstract model then $\varphi$ must hold on the original unabstracted model as well. Ideally, the reduced model should be strongly preserving w.r.t. $\mathcal{L}$: $\varphi \in \mathcal{L}$ holds on the concrete model if and only if $\varphi$ is satisfied by the reduced abstract model. One common approach for abstracting a model consists in defining a logical equivalence or preorder on system states that weakly/strongly preserves a given temporal language. Moreover, this equivalence or preorder often arises as a behavioural relation in the context of process calculi [10]. Two well-known examples are bisimulation equivalence, which strongly preserves expressive logics such as CTL* and the full $\mu$-calculus [5], and the simulation preorder, which ensures weak preservation of universal and existential fragments of the $\mu$-calculus like ACTL* and ECTL* as well as of linear-time languages like LTL [22, 25]. Simulation equivalence, namely the equivalence relation obtained as the symmetric reduction of the simulation preorder, is particularly interesting because it can provide a significantly better state space reduction than bisimulation equivalence while retaining the ability of strongly preserving expressive temporal languages like ACTL*.

State of the Art. It is known that computing simulation is harder than computing bisimulation [24]. Let $\mathcal{K} = \langle \Sigma, \to, \ell \rangle$ denote a Kripke structure on the state space $\Sigma$, with transition relation $\to$ and labeling function $\ell : \Sigma \to \wp(AP)$, for a given set $AP$ of atomic propositions.
Bisimulation equivalence can be computed by the well-known Paige and Tarjan's [26] algorithm that runs in $O(|{\to}|\log|\Sigma|)$-time. A number of algorithms for computing simulation equivalence exist; the most well known are by Henzinger, Henzinger and Kopke [23], Bloom and Paige [2], Bustan and Grumberg [6], Tan and Cleaveland [29] and Gentilini, Piazza and Policriti [18], this latter subsequently corrected by van Glabbeek and Ploeger [21]. The algorithms by Henzinger, Henzinger, Kopke and by Bloom and Paige run in $O(|\Sigma||{\to}|)$-time and, as far as time-complexity is concerned, they are the best available algorithms. However, both these algorithms have the drawback of a space complexity that is bounded from below by $\Omega(|\Sigma|^2)$. This is due to the fact that the simulation preorder is computed in an explicit way, i.e., for any state $s \in \Sigma$, the set of states that simulate $s$ is explicitly given as output. This quadratic lower bound in the size of the state space is clearly a critical issue in model checking. There is therefore a strong motivation for designing simulation algorithms that are less demanding on space requirements. Bustan and Grumberg [6] provide a first solution in this direction. Let $P_{sim}$ denote the partition corresponding to simulation equivalence on $\mathcal{K}$, so that $|P_{sim}|$ is the number of simulation equivalence classes. Then, Bustan and Grumberg's algorithm has a space complexity in $O(|P_{sim}|^2 + |\Sigma|\log|P_{sim}|)$, although the time complexity in $O(|P_{sim}|^4(|{\to}| + |P_{sim}|^2) + |P_{sim}|^2|\Sigma|(|\Sigma| + |P_{sim}|^2))$ remains a serious drawback. The simulation algorithm by Tan and Cleaveland [29] simultaneously computes also the state partition $P_{bis}$ corresponding to bisimulation equivalence.
Under the simplifying assumption of dealing with a total transition relation, this procedure has a time complexity in $O(|{\to}|(|P_{bis}| + \log|\Sigma|))$ and a space complexity in $O(|{\to}| + |P_{bis}|^2 + |\Sigma|\log|P_{bis}|)$ (the latter factor $|\Sigma|\log|P_{bis}|$ does not appear in [29] and takes into account the relation that maps each state into its bisimulation equivalence class). The algorithm by Gentilini, Piazza and Policriti [18] appears to provide the best compromise between time and space complexity. Gentilini et al.'s algorithm runs in $O(|P_{sim}|^2|{\to}|)$-time, namely it remarkably improves on Bustan and Grumberg's algorithm and is not directly comparable with Tan and Cleaveland's algorithm, while the space complexity $O(|P_{sim}|^2 + |\Sigma|\log|P_{sim}|)$ is the same as Bustan and Grumberg's algorithm and improves on Tan and Cleaveland's algorithm. Moreover, Gentilini et al. show experimentally that in most cases their procedure improves on Tan and Cleaveland's algorithm both in time and space.

Main Contributions. This work presents a new efficient simulation algorithm, called SA, that runs in $O(|P_{sim}||{\to}|)$-time and $O(|P_{sim}||\Sigma|\log|\Sigma|)$-space. Thus, while retaining an acceptable space complexity that is in general less than quadratic in the size of the state space, our algorithm improves the best known time bound. Let us recall that a relation $R$ between states is a simulation if for any $s, s' \in \Sigma$ such that $(s, s') \in R$, $\ell(s) = \ell(s')$ and for any $t \in \Sigma$ such that $s \to t$, there exists $t' \in \Sigma$ such that $s' \to t'$ and $(t, t') \in R$. Then, $s'$ simulates $s$, namely the pair $(s, s')$ belongs to the simulation preorder $R_{sim}$, if there exists a simulation relation $R$ such that $(s, s') \in R$. Also, $s$ and $s'$ are simulation equivalent, namely they belong to the same block of the simulation partition $P_{sim}$, if $s'$ simulates $s$ and vice versa.
Our simulation algorithm SA is designed as a modification of Henzinger, Henzinger and Kopke's [23] algorithm, here denoted by HHK. The space complexity of HHK is in $O(|\Sigma|^2\log|\Sigma|)$. This is a consequence of the fact that HHK computes explicitly the simulation preorder, namely it maintains for any state $s \in \Sigma$ a set of states $Sim(s) \subseteq \Sigma$, called the simulator set of $s$, which stores states that are currently candidates for simulating $s$. Our algorithm SA computes instead a symbolic representation of the simulation preorder, namely it maintains: (i) a partition $P$ of the state space $\Sigma$ that is always coarser than the final simulation partition $P_{sim}$ and (ii) a relation $Rel \subseteq P \times P$ on the current partition $P$ that encodes the simulation relation between blocks of simulation equivalent states. This symbolic representation is the key both for obtaining the $O(|P_{sim}||{\to}|)$ time bound and for limiting the space complexity of SA to $O(|P_{sim}||\Sigma|\log|\Sigma|)$, so that memory requirements may be lower than quadratic in the size of the state space. The basic idea of our approach is to investigate whether the logical structure of the HHK algorithm may be preserved by replacing the family of sets of states $\mathcal{S} = \{Sim(s)\}_{s \in \Sigma}$ with the following state partition $P$ induced by $\mathcal{S}$: two states $s_1$ and $s_2$ are equivalent in $P$ iff for all $s \in \Sigma$, $s_1 \in Sim(s) \Leftrightarrow s_2 \in Sim(s)$. Additionally, we store and maintain a preorder relation $Rel \subseteq P \times P$ on the partition $P$ that gives rise to a so-called partition-relation pair $\langle P, Rel \rangle$. The logical meaning of this data structure is that if $B, C \in P$ and $(B, C) \in Rel$ then any state in $C$ is currently a candidate to simulate each state in $B$, while two states $s_1$ and $s_2$ in the same block $B$ are currently candidates to be simulation equivalent.
Hence, a partition-relation pair $\langle P, Rel \rangle$ represents the current approximation of the simulation preorder and in particular $P$ represents the current approximation of simulation equivalence. It turns out that the information encoded by a partition-relation pair is enough for preserving the logical structure of HHK. In fact, analogously to the stepwise design of the HHK procedure, this approach leads us to design a basic procedure BasicSA based on partition-relation pairs which is then refined twice in order to obtain the final simulation algorithm SA. The correctness of SA is proved w.r.t. the basic algorithm BasicSA and relies on abstract interpretation techniques [12, 13]. More specifically, we exploit some previous results [27] that show how standard strong preservation of temporal languages in abstract Kripke structures can be generalized by abstract interpretation and cast as a so-called completeness property of abstract domains. On the other hand, the simulation algorithm SA is designed as an efficient implementation of the basic procedure BasicSA where the symbolic representation based on partition-relation pairs allows us to replace the size $|\Sigma|$ of the state space in the time and space bounds of HHK with the size $|P_{sim}|$ of the simulation partition in the corresponding bounds for SA. Both HHK and SA have been implemented in C++. This practical evaluation considered benchmarks from the VLTS (Very Large Transition Systems) suite [30] and some publicly available Esterel programs. The experimental results showed that SA outperforms HHK.

2 Background

2.1 Preliminaries

Notations. Let $X$ and $Y$ be sets. If $S \subseteq X$ and $X$ is understood as a universe set then $\neg S = X \smallsetminus S$. If $f : X \to Y$ then the image of $f$ is denoted by $img(f) = \{f(x) \in Y \mid x \in X\}$. When writing a set $S$ of subsets of a given set of integers, e.g. a partition, $S$ is often written in a compact form like $\{1, 12, 13\}$ or $\{[1], [12], [13]\}$ that stands for $\{\{1\}, \{1, 2\}, \{1, 3\}\}$. If $R \subseteq X \times X$ is any relation then $R^* \subseteq X \times X$ denotes the reflexive and transitive closure of $R$. Also, if $x \in X$ then $R(x) \stackrel{\mathrm{def}}{=} \{x' \in X \mid (x, x') \in R\}$.

Orders. Let $\langle Q, \leq \rangle$ be a poset, that may also be denoted by $Q_\leq$. We use the symbol $\sqsubseteq$ to denote pointwise ordering between functions: if $X$ is any set and $f, g : X \to Q$ then $f \sqsubseteq g$ if for all $x \in X$, $f(x) \leq g(x)$. If $S \subseteq Q$ then $\max(S) \stackrel{\mathrm{def}}{=} \{x \in S \mid \forall y \in S.\ x \leq y \Rightarrow x = y\}$ denotes the set of maximal elements of $S$ in $Q$. A complete lattice $C_\leq$ is also denoted by $\langle C, \leq, \vee, \wedge, \top, \bot \rangle$ where $\vee$, $\wedge$, $\top$ and $\bot$ denote, respectively, lub, glb, greatest element and least element in $C$. A function $f : C \to D$ between complete lattices is additive when $f$ preserves least upper bounds. Let us recall that a reflexive and transitive relation $R \subseteq X \times X$ on a set $X$ is called a preorder on $X$.

Partitions. A partition $P$ of a set $\Sigma$ is a set of nonempty subsets of $\Sigma$, called blocks, that are pairwise disjoint and whose union gives $\Sigma$. $Part(\Sigma)$ denotes the set of partitions of $\Sigma$. If $P \in Part(\Sigma)$ and $s \in \Sigma$ then $P(s)$ denotes the block of $P$ that contains $s$. $Part(\Sigma)$ is endowed with the following standard partial order $\preccurlyeq$: $P_1 \preccurlyeq P_2$, i.e. $P_2$ is coarser than $P_1$ (or $P_1$ refines $P_2$), iff $\forall B \in P_1.\ \exists B' \in P_2.\ B \subseteq B'$. If $P_1, P_2 \in Part(\Sigma)$, $P_1 \preccurlyeq P_2$ and $B \in P_1$ then $parent_{P_2}(B)$ (when clear from the context the subscript $P_2$ may be omitted) denotes the unique block in $P_2$ that contains $B$. For a given nonempty subset $S \subseteq \Sigma$ called splitter, we denote by $Split(P, S)$ the partition obtained from $P$ by replacing each block $B \in P$ with the nonempty sets $B \cap S$ and $B \smallsetminus S$, where we also allow no splitting, namely $Split(P, S) = P$ (this happens exactly when $S$ is a union of some blocks of $P$).

Kripke Structures.
A transition system $(\Sigma, \to)$ consists of a set $\Sigma$ of states and a transition relation $\to \subseteq \Sigma \times \Sigma$. The relation $\to$ is total when for any $s \in \Sigma$ there exists some $t \in \Sigma$ such that $s \to t$. The predecessor/successor transformers $pre_\to, post_\to : \wp(\Sigma) \to \wp(\Sigma)$ (when clear from the context the subscript $\to$ may be omitted) are defined as usual:
– $pre_\to(Y) \stackrel{\mathrm{def}}{=} \{a \in \Sigma \mid \exists b \in Y.\ a \to b\}$;
– $post_\to(Y) \stackrel{\mathrm{def}}{=} \{b \in \Sigma \mid \exists a \in Y.\ a \to b\}$.
Let us remark that $pre$ and $post$ are additive operators on the complete lattice $\wp(\Sigma)_\subseteq$. If $S_1, S_2 \subseteq \Sigma$ then $S_1 \to^{\exists\exists} S_2$ iff there exist $s_1 \in S_1$ and $s_2 \in S_2$ such that $s_1 \to s_2$. Given a set $AP$ of atomic propositions (of some specification language), a Kripke structure $\mathcal{K} = (\Sigma, \to, \ell)$ over $AP$ consists of a transition system $(\Sigma, \to)$ together with a state labeling function $\ell : \Sigma \to \wp(AP)$. A Kripke structure is called total when its transition relation is total. We use the following notation: for any $s \in \Sigma$, $[s]_\ell \stackrel{\mathrm{def}}{=} \{s' \in \Sigma \mid \ell(s) = \ell(s')\}$ denotes the equivalence class of a state $s$ w.r.t. the labeling $\ell$, while $P_\ell \stackrel{\mathrm{def}}{=} \{[s]_\ell \mid s \in \Sigma\} \in Part(\Sigma)$ is the partition induced by $\ell$.

2.2 Simulation Preorder and Equivalence

Recall that a relation $R \subseteq \Sigma \times \Sigma$ is a simulation on a Kripke structure $\mathcal{K} = (\Sigma, \to, \ell)$ over a set $AP$ of atomic propositions if for any $s, s' \in \Sigma$ such that $(s, s') \in R$:
(a) $\ell(s) = \ell(s')$;
(b) for any $t \in \Sigma$ such that $s \to t$, there exists $t' \in \Sigma$ such that $s' \to t'$ and $(t, t') \in R$.
If $(s, s') \in R$ then we say that $s'$ simulates $s$. The empty relation is a simulation and simulation relations are closed under union, so that the largest simulation relation exists. It turns out that the largest simulation is a preorder relation, called simulation preorder (on $\mathcal{K}$) and denoted by $R_{sim}$. Simulation equivalence $\sim_{sim} \subseteq \Sigma \times \Sigma$ is the symmetric reduction of $R_{sim}$, namely $\sim_{sim} = R_{sim} \cap R_{sim}^{-1}$.
$P_{sim} \in Part(\Sigma)$ denotes the partition corresponding to $\sim_{sim}$ and is called simulation partition. It is a well known result in model checking [14, 22, 25] that the reduction of $\mathcal{K}$ w.r.t. simulation equivalence $\sim_{sim}$ allows us to define an abstract Kripke structure $\mathcal{A}_{sim} = \langle P_{sim}, \to^{\exists\exists}, \ell^\exists \rangle$ that strongly preserves the temporal language ACTL*, where: $P_{sim}$ is the abstract state space, $\to^{\exists\exists}$ is the abstract transition relation between simulation equivalence classes, while for any block $B \in P_{sim}$, $\ell^\exists(B) \stackrel{\mathrm{def}}{=} \ell(s)$ for any representative $s \in B$. It turns out that $\mathcal{A}_{sim}$ strongly preserves ACTL*, i.e., for any $\varphi \in \mathrm{ACTL}^*$, $B \in P_{sim}$ and $s \in B$, we have that $s \models_{\mathcal{K}} \varphi$ if and only if $B \models_{\mathcal{A}_{sim}} \varphi$.

2.3 Abstract Interpretation

Abstract Domains as Closures. In standard abstract interpretation, abstract domains can be equivalently specified either by Galois connections/insertions or by (upper) closure operators (uco's) [13]. These two approaches are equivalent, modulo isomorphic representations of domain's objects. We follow here the closure operator approach: this has the advantage of being independent from the representation of domain's objects and is therefore appropriate for reasoning on abstract domains independently from their representation. Given a state space $\Sigma$, the complete lattice $\wp(\Sigma)_\subseteq$ plays the role of concrete domain. Let us recall that an operator $\mu : \wp(\Sigma) \to \wp(\Sigma)$ is a uco on $\wp(\Sigma)$, that is an abstract domain of $\wp(\Sigma)$, when $\mu$ is monotone, idempotent and extensive (viz., $X \subseteq \mu(X)$). It is well known that the set $uco(\wp(\Sigma))$ of all uco's on $\wp(\Sigma)$, endowed with the pointwise ordering $\sqsubseteq$, gives rise to the complete lattice $\langle uco(\wp(\Sigma)), \sqsubseteq, \sqcup, \sqcap, \lambda X.\Sigma, id \rangle$ of all the abstract domains of $\wp(\Sigma)$.
The pointwise ordering $\sqsubseteq$ on $uco(\wp(\Sigma))$ is the standard order for comparing abstract domains with regard to their precision: $\mu_1 \sqsubseteq \mu_2$ means that the domain $\mu_1$ is a more precise abstraction of $\wp(\Sigma)$ than $\mu_2$, or, equivalently, that the abstract domain $\mu_1$ is a refinement of $\mu_2$. A closure $\mu \in uco(\wp(\Sigma))$ is uniquely determined by its image $img(\mu)$, which coincides with its set of fixpoints, as follows: $\mu = \lambda Y.\ \cap\{X \in img(\mu) \mid Y \subseteq X\}$. Also, a set of subsets $\mathcal{X} \subseteq \wp(\Sigma)$ is the image of some closure operator $\mu_{\mathcal{X}} \in uco(\wp(\Sigma))$ iff $\mathcal{X}$ is a Moore-family of $\wp(\Sigma)$, i.e., $\mathcal{X} = Cl_\cap(\mathcal{X}) \stackrel{\mathrm{def}}{=} \{\cap S \mid S \subseteq \mathcal{X}\}$ (where $\cap\emptyset = \Sigma \in Cl_\cap(\mathcal{X})$). In other terms, $\mathcal{X}$ is a Moore-family (or Moore-closed) when $\mathcal{X}$ is closed under arbitrary intersections. In this case, $\mu_{\mathcal{X}} = \lambda Y.\ \cap\{X \in \mathcal{X} \mid Y \subseteq X\}$ is the corresponding closure operator. For any $\mathcal{X} \subseteq \wp(\Sigma)$, $Cl_\cap(\mathcal{X})$ is called the Moore-closure of $\mathcal{X}$, i.e., $Cl_\cap(\mathcal{X})$ is the least set of subsets of $\Sigma$ which contains all the subsets in $\mathcal{X}$ and is Moore-closed. Moreover, it turns out that for any $\mu \in uco(\wp(\Sigma))$ and any Moore-family $\mathcal{X} \subseteq \wp(\Sigma)$, $\mu_{img(\mu)} = \mu$ and $img(\mu_{\mathcal{X}}) = \mathcal{X}$. Thus, closure operators on $\wp(\Sigma)$ are in bijection with Moore-families of $\wp(\Sigma)$. This allows us to consider a closure operator $\mu \in uco(\wp(\Sigma))$ both as a function $\mu : \wp(\Sigma) \to \wp(\Sigma)$ and as a Moore-family $img(\mu) \subseteq \wp(\Sigma)$. This is particularly useful and does not give rise to ambiguity since one can distinguish the use of a closure $\mu$ as function or set according to the context.

Abstract Domains and Partitions. As shown in [27], it turns out that partitions can be viewed as particular abstract domains. Let us recall here that any abstract domain $\mu \in uco(\wp(\Sigma))$ induces a partition $par(\mu) \in Part(\Sigma)$ that corresponds to the following equivalence relation $\equiv_\mu$ on $\Sigma$: $x \equiv_\mu y$ iff $\mu(\{x\}) = \mu(\{y\})$.

Example 2.1.
Let $\Sigma = \{1, 2, 3, 4\}$ and consider the following abstract domains in $uco(\wp(\Sigma))$ that are given as intersection-closed subsets of $\wp(\Sigma)$: $\mu = \{\emptyset, 3, 4, 12, 34, 1234\}$, $\mu' = \{\emptyset, 3, 4, 12, 1234\}$, $\mu'' = \{12, 123, 124, 1234\}$. These abstract domains all induce the same partition $P = \{[12], [3], [4]\} \in Part(\Sigma)$. For example, $\mu''(\{1\}) = \mu''(\{2\}) = \{1, 2\}$, $\mu''(\{3\}) = \{1, 2, 3\}$, $\mu''(\{4\}) = \{1, 2, 4\}$ so that $par(\mu'') = P$.

Forward Completeness. Let us consider an abstract domain $\mu \in uco(\wp(\Sigma)_\subseteq)$, a concrete semantic function $f : \wp(\Sigma) \to \wp(\Sigma)$ and a corresponding abstract semantic function $f^\sharp : \mu \to \mu$ (for simplicity of notation, we consider 1-ary functions). It is well known that the abstract interpretation $\langle \mu, f^\sharp \rangle$ is sound when $f \circ \mu \sqsubseteq f^\sharp \circ \mu$ holds: this means that a concrete computation $f(\mu(X))$ on an abstract object $\mu(X)$ is correctly approximated in $\mu$ by $f^\sharp(\mu(X))$, that is, $f(\mu(X)) \subseteq f^\sharp(\mu(X))$. Forward completeness corresponds to requiring the following strengthening of soundness: $\langle \mu, f^\sharp \rangle$ is forward complete when $f \circ \mu = f^\sharp \circ \mu$. The intuition here is that the abstract function $f^\sharp$ is able to mimic $f$ on the abstract domain $\mu$ with no loss of precision. This is called forward completeness because a dual and more standard notion of backward completeness may also be considered (see e.g. [19]).

Example 2.2. As a toy example, let us consider the following abstract domain $Sign$ for representing the sign of an integer variable: $Sign = \{\emptyset, \mathbb{Z}_{\leq 0}, 0, \mathbb{Z}_{\geq 0}, \mathbb{Z}\} \in uco(\wp(\mathbb{Z})_\subseteq)$.
The concrete pointwise addition $+ : \wp(\mathbb{Z}) \times \wp(\mathbb{Z}) \to \wp(\mathbb{Z})$ on sets of integers, that is $X + Y \stackrel{\mathrm{def}}{=} \{x + y \mid x \in X, y \in Y\}$, is approximated in $Sign$ by the abstract addition $+^{Sign} : Sign \times Sign \to Sign$ that is defined as expected by the following table:

  +^Sign |   ∅   |  Z≤0  |   0   |  Z≥0  |   Z
  -------+-------+-------+-------+-------+------
    ∅    |   ∅   |   ∅   |   ∅   |   ∅   |   ∅
   Z≤0   |   ∅   |  Z≤0  |  Z≤0  |   Z   |   Z
    0    |   ∅   |  Z≤0  |   0   |  Z≥0  |   Z
   Z≥0   |   ∅   |   Z   |  Z≥0  |  Z≥0  |   Z
    Z    |   ∅   |   Z   |   Z   |   Z   |   Z

It turns out that $\langle Sign, +^{Sign} \rangle$ is forward complete, i.e., for any $a_1, a_2 \in Sign$, $a_1 + a_2 = a_1 +^{Sign} a_2$.

It turns out that the possibility of defining a forward complete abstract interpretation on a given abstract domain $\mu$ does not depend on the choice of the abstract function $f^\sharp$ but depends only on the abstract domain $\mu$. This means that if $\langle \mu, f^\sharp \rangle$ is forward complete then the abstract function $f^\sharp$ indeed coincides with the best correct approximation $\mu \circ f$ of the concrete function $f$ on the abstract domain $\mu$. Hence, for any abstract domain $\mu$ and abstract function $f^\sharp$, it turns out that $\langle \mu, f^\sharp \rangle$ is forward complete if and only if $\langle \mu, \mu \circ f \rangle$ is forward complete. This allows us to define the notion of forward completeness independently of abstract functions as follows: an abstract domain $\mu \in uco(\wp(\Sigma))$ is forward complete for $f$ (or forward $f$-complete) iff $f \circ \mu = \mu \circ f \circ \mu$. Let us remark that $\mu$ is forward $f$-complete iff the image $img(\mu)$ is closed under applications of the concrete function $f$. If $F$ is a set of concrete functions then $\mu$ is forward complete for $F$ when $\mu$ is forward complete for all $f \in F$.

Forward Complete Shells. It turns out [19, 27] that any abstract domain $\mu \in uco(\wp(\Sigma))$ can be refined to its forward $F$-complete shell, namely to the most abstract domain that is forward complete for $F$ and refines $\mu$. This forward $F$-complete shell of $\mu$ is thus defined as $\mathcal{S}_F(\mu) \stackrel{\mathrm{def}}{=} \sqcup\{\rho \in uco(\wp(\Sigma)) \mid \rho \sqsubseteq \mu,\ \rho \text{ is forward } F\text{-complete}\}$.
Forward complete shells admit a constructive fixpoint characterization. Given $\mu \in uco(\wp(\Sigma))$, consider the operator $F_\mu : uco(\wp(\Sigma)) \to uco(\wp(\Sigma))$ defined by $F_\mu(\rho) \stackrel{\mathrm{def}}{=} Cl_\cap(\mu \cup \{f(X) \mid f \in F,\ X \in \rho\})$. Thus, $F_\mu(\rho)$ refines the abstract domain $\mu$ by adding the images of $\rho$ for all the functions in $F$. It turns out that $F_\mu$ is monotone and therefore admits the greatest fixpoint, denoted by $gfp(F_\mu)$, which provides the forward $F$-complete shell of $\mu$: $\mathcal{S}_F(\mu) = gfp(F_\mu)$.

Disjunctive Abstract Domains. An abstract domain $\mu \in uco(\wp(\Sigma))$ is disjunctive (or additive) when $\mu$ is additive, and this happens exactly when the image $img(\mu)$ is closed under arbitrary unions. Hence, a disjunctive abstract domain is completely determined by the image of $\mu$ on singletons because for any $X \subseteq \Sigma$, $\mu(X) = \cup_{x \in X}\mu(\{x\})$. The intuition is that a disjunctive abstract domain does not lose precision in approximating concrete set unions. We denote by $uco^d(\wp(\Sigma)) \subseteq uco(\wp(\Sigma))$ the set of disjunctive abstract domains. Given any abstract domain $\mu \in uco(\wp(\Sigma))$, it turns out [13, 20] that $\mu$ can be refined to its disjunctive completion $\mu^d$: this is the most abstract disjunctive domain $\mu^d \in uco^d(\wp(\Sigma))$ that refines $\mu$. The disjunctive completion $\mu^d$ can be obtained by closing the image $img(\mu)$ under arbitrary unions, namely $img(\mu^d) = Cl_\cup(img(\mu)) \stackrel{\mathrm{def}}{=} \{\cup S \mid S \subseteq img(\mu)\}$, where $\cup\emptyset = \emptyset \in Cl_\cup(img(\mu))$. It turns out that an abstract domain $\mu$ is disjunctive iff $\mu$ is forward complete for arbitrary concrete set unions, namely, $\mu$ is disjunctive iff for any $\{X_i\}_{i \in I} \subseteq \wp(\Sigma)$, $\cup_{i \in I}\mu(X_i) = \mu(\cup_{i \in I}\mu(X_i))$. Thus, when $\Sigma$ is finite, the disjunctive completion $\mu^d$ of $\mu$ coincides with the forward $\cup$-complete shell $\mathcal{S}_\cup(\mu)$ of $\mu$.
Also, since the predecessor transformer $pre$ preserves set unions, it turns out that the forward complete shell $\mathcal{S}_{\cup, pre}(\mu)$ for $\{\cup, pre\}$ can be obtained by iteratively closing the image of $\mu$ under $pre$ and then by taking the disjunctive completion, i.e., $\mathcal{S}_{\cup, pre}(\mu) = \mathcal{S}_\cup(\mathcal{S}_{pre}(\mu))$.

Example 2.3. Let us consider the abstract domain $\mu = \{\emptyset, 3, 4, 12, 34, 1234\}$ in Example 2.1. We have that $\mu$ is not disjunctive because $12, 3 \in \mu$ while $12 \cup 3 = 123 \notin \mu$. The disjunctive completion $\mu^d$ is obtained by closing $\mu$ under unions: $\mu^d = \{\emptyset, 3, 4, 12, 34, 123, 124, 1234\}$.

Some Properties of Abstract Domains. Let us summarize some easy properties of abstract domains that will be used in later proofs.

Lemma 2.4. Let $\mu \in uco(\wp(\Sigma))$, $\rho \in uco^d(\wp(\Sigma))$, $P, Q \in Part(\Sigma)$ such that $P \preccurlyeq par(\mu)$ and $Q \preccurlyeq par(\rho)$.
(i) For any $B \in P$, $\mu(B) = \mu(parent_{par(\mu)}(B))$.
(ii) For any $X \in \wp(\Sigma)$, $\mu(X) = \cup\{B \in P \mid B \subseteq \mu(X)\}$.
(iii) For any $X \in \wp(\Sigma)$, $\rho(X) = \cup\{\rho(B) \mid B \in Q,\ B \cap X \neq \emptyset\}$.
(iv) $par(\mu) = par(\mu^d)$.

Proof. (i) In general, by definition of $par(\mu)$, for any $C \in par(\mu)$ and $S \subseteq C$, $\mu(S) = \mu(C)$. Hence, since $B \subseteq parent_{par(\mu)}(B)$ we have that $\mu(B) = \mu(parent_{par(\mu)}(B))$. (ii) Clearly, $\mu(X) \supseteq \cup\{B \in P \mid B \subseteq \mu(X)\}$. On the other hand, given $z \in \mu(X)$, let $B_z \in P$ be the block in $P$ that contains $z$. Then, $B_z \subseteq \mu(B_z) = \mu(\{z\}) \subseteq \mu(X)$, so that $z \in \cup\{B \in P \mid B \subseteq \mu(X)\}$. (iii) $\rho(X) = [\text{as } \rho \text{ is additive}]\ \cup\{\rho(\{x\}) \mid x \in X\} = [\text{as } Q \preccurlyeq par(\rho)]\ \cup\{\rho(B_x) \mid x \in X,\ B_x \in Q,\ x \in B_x\} = \cup\{\rho(B) \mid B \in Q,\ B \cap X \neq \emptyset\}$. (iv) Since $\mu^d \sqsubseteq \mu$, we have that $par(\mu^d) \preccurlyeq par(\mu)$. On the other hand, if $B \in par(\mu)$ then for all $x \in B$, $\mu^d(\{x\}) = \mu(\{x\}) = \mu(B)$, so that $B \in par(\mu^d)$.
3 Simulation Preorder as a Forward Complete Shell

Ranzato and Tapparo [27] showed how strong preservation of specification languages in standard abstract models like abstract Kripke structures can be generalized by abstract interpretation and cast as a forward completeness property of generic abstract domains that play the role of abstract models. We rely here on this framework in order to show that the simulation preorder can be characterized as a forward complete shell for set union and the predecessor transformer. Let $\mathcal{K} = (\Sigma, \to, \ell)$ be a Kripke structure. Recall that the labeling function $\ell$ induces the state partition $P_\ell = \{[s]_\ell \mid s \in \Sigma\}$. This partition can be made an abstract domain $\mu_\ell \in uco(\wp(\Sigma))$ by considering the Moore-closure of $P_\ell$, which simply adds to $P_\ell$ the empty set and the whole state space, namely $\mu_\ell \stackrel{\mathrm{def}}{=} Cl_\cap(\{[s]_\ell \mid s \in \Sigma\})$.

Theorem 3.1. Let $\mu_{\mathcal{K}} = \mathcal{S}_{\cup, pre}(\mu_\ell)$ be the forward $\{\cup, pre\}$-complete shell of $\mu_\ell$. Then, $R_{sim} = \{(s, s') \in \Sigma \times \Sigma \mid s' \in \mu_{\mathcal{K}}(\{s\})\}$ and $P_{sim} = par(\mu_{\mathcal{K}})$.

Proof. Given a disjunctive abstract domain $\mu \in uco^d(\wp(\Sigma))$, define $R_\mu \stackrel{\mathrm{def}}{=} \{(s, s') \in \Sigma \times \Sigma \mid s' \in \mu(\{s\})\}$. We prove the following three preliminary facts:
(1) $\mu$ is forward complete for $pre$ iff $R_\mu$ satisfies the following property: for any $s, t, s' \in \Sigma$ such that $s \to t$ and $(s, s') \in R_\mu$ there exists $t' \in \Sigma$ such that $s' \to t'$ and $(t, t') \in R_\mu$. Observe that the disjunctive closure $\mu$ is forward complete for $pre$ iff for any $s, t \in \Sigma$, if $s \in pre(\mu(\{t\}))$ then $\mu(\{s\}) \subseteq pre(\mu(\{t\}))$, and this happens iff for any $s, t \in \Sigma$, if $s \in pre(\{t\})$ then $\mu(\{s\}) \subseteq pre(\mu(\{t\}))$.
This latter statement is equivalent to the fact that for any $s, s', t \in \Sigma$ such that $s \to t$ and $s' \in \mu(\{s\})$, there exists $t' \in \mu(\{t\})$ such that $s' \to t'$, namely, for any $s, s', t \in \Sigma$ such that $s \to t$ and $(s, s') \in R_\mu$, there exists $t' \in \Sigma$ such that $(t, t') \in R_\mu$ and $s' \to t'$.
(2) $\mu \sqsubseteq \mu_\ell$ iff $R_\mu$ satisfies the property that for any $s, s' \in \Sigma$, if $(s, s') \in R_\mu$ then $\ell(s) = \ell(s')$. In fact, $\mu \sqsubseteq \mu_\ell \Leftrightarrow \forall s \in \Sigma.\ \mu(\{s\}) \subseteq \mu_\ell(\{s\}) = [s]_\ell \Leftrightarrow \forall s, s' \in \Sigma.\ (s' \in \mu(\{s\}) \text{ implies } s' \in [s]_\ell) \Leftrightarrow \forall s, s' \in \Sigma.\ ((s, s') \in R_\mu \text{ implies } \ell(s) = \ell(s'))$.
(3) Clearly, given $\mu' \in uco^d(\wp(\Sigma))$, $\mu \sqsubseteq \mu'$ iff $R_\mu \subseteq R_{\mu'}$.
Let us show that $R_{\mu_{\mathcal{K}}} = R_{sim}$. By definition, $\mu_{\mathcal{K}}$ is the most abstract disjunctive closure that is forward complete for $pre$ and refines $\mu_\ell$. Thus, by the above points (1) and (2), it turns out that $R_{\mu_{\mathcal{K}}}$ is a simulation on $\mathcal{K}$. Consider now any simulation $S$ on $\mathcal{K}$ and the function $\mu' \stackrel{\mathrm{def}}{=} post_{S^*} : \wp(\Sigma) \to \wp(\Sigma)$. Let us notice that $\mu' \in uco^d(\wp(\Sigma))$ and $S \subseteq S^* = R_{\mu'}$. Also, the relation $S^*$ is a simulation because $S$ is a simulation. Since $S^*$ is a simulation, we have that $R_{\mu'}$ satisfies the conditions of the above points (1) and (2), so that $\mu'$ is forward complete for $pre$ and $\mu' \sqsubseteq \mu_\ell$. Moreover, $\mu'$ is disjunctive so that $\mu'$ is also forward complete for $\cup$. Thus, $\mu' \sqsubseteq \mathcal{S}_{\cup, pre}(\mu_\ell) = \mu_{\mathcal{K}}$. Hence, by point (3) above, $R_{\mu'} \subseteq R_{\mu_{\mathcal{K}}}$ so that $S \subseteq R_{\mu_{\mathcal{K}}}$. We have therefore shown that $R_{\mu_{\mathcal{K}}}$ is the largest simulation on $\mathcal{K}$. The fact that $P_{sim} = par(\mu_{\mathcal{K}})$ comes as a direct consequence because for any $s, t \in \Sigma$, $s \sim_{sim} t$ iff $(s, t) \in R_{sim}$ and $(t, s) \in R_{sim}$. From $R_{\mu_{\mathcal{K}}} = R_{sim}$ we obtain that $s \sim_{sim} t$ iff $s \in \mu_{\mathcal{K}}(\{t\})$ and $t \in \mu_{\mathcal{K}}(\{s\})$ iff $\mu_{\mathcal{K}}(\{s\}) = \mu_{\mathcal{K}}(\{t\})$. This holds iff $s$ and $t$ belong to the same block in $par(\mu_{\mathcal{K}})$.
Thus, the simulation preorder is characterized as the forward complete shell of an initial abstract domain $\mu_\ell$ induced by the labeling $\ell$ w.r.t. set union $\cup$ and the predecessor transformer $pre$, while simulation equivalence is the partition induced by this forward complete shell. Let us observe that set union and the predecessor $pre$ provide the semantics of, respectively, logical disjunction and the existential next operator EX. As shown in [27], simulation equivalence can also be characterized, in a precise meaning, as the most abstract domain that strongly preserves the language $\varphi ::= atom \mid \varphi_1 \wedge \varphi_2 \mid \varphi_1 \vee \varphi_2 \mid EX\var
phi$.

Example 3.2. Let us consider the Kripke structure $\mathcal{K}$ depicted below, where the atoms $p$ and $q$ determine the labeling function $\ell$.

[Figure: the Kripke structure $\mathcal{K}$ on the states $1, 2, 3, 4$; states $1$, $2$, $3$ are labeled $p$ and state $4$ is labeled $q$. As read off the figure and the pre-images computed below, the transitions are $1 \to 1$, $1 \to 3$, $2 \to 3$, $3 \to 4$ and $4 \to 4$.]

It is simple to observe that $P_{sim} = \{1, 2, 3, 4\}$ because: (i) while $3 \to 4$ we have that $1, 2 \notin pre(4)$, so that $1$ and $2$ are not simulation equivalent to $3$; (ii) while $1 \to 1$ we have that $2 \notin pre(12)$, so that $1$ is not simulation equivalent to $2$. The abstract domain induced by the labeling is $\mu_\ell = \{\emptyset, 4, 123, 1234\} \in uco(\wp(\Sigma))$. As observed above, the forward complete shell $\mathcal{S}_{\cup, pre}(\mu_\ell) = \mathcal{S}_\cup(\mathcal{S}_{pre}(\mu_\ell))$, so that this domain can be obtained by iteratively closing the image of $\mu_\ell$ under $pre$ and then by taking the disjunctive completion:
– $\mu_0 = \mu_\ell$;
– $\mu_1 = Cl_\cap(\mu_0 \cup pre(\mu_0)) = Cl_\cap(\mu_0 \cup \{pre(\emptyset) = \emptyset,\ pre(4) = 34,\ pre(123) = 12,\ pre(1234) = 1234\}) = \{\emptyset, 3, 4, 12, 34, 123, 1234\}$;
– $\mu_2 = Cl_\cap(\mu_1 \cup pre(\mu_1)) = Cl_\cap(\mu_1 \cup \{pre(3) = 12,\ pre(12) = 1,\ pre(34) = 1234\}) = \{\emptyset, 1, 3, 4, 12, 34, 123, 1234\}$;
– $\mu_3 = Cl_\cap(\mu_2 \cup pre(\mu_2)) = \mu_2$ (fixpoint).
S_{∪,pre}(µ_ℓ) is thus given by the disjunctive completion of µ2, i.e., S_{∪,pre}(µ_ℓ) = {∅, 1, 3, 4, 12, 13, 14, 34, 123, 124, 134, 1234} = µ_K. Note that µ_K(1) = 1, µ_K(2) = 12, µ_K(3) = 3 and µ_K(4) = 4. Hence, by Theorem 3.1, the simulation preorder is R_sim = {(1,1), (2,2), (2,1), (3,3), (4,4)}, while P_sim = par(S_{∪,pre}(µ_ℓ)) = {1, 2, 3, 4}.

Theorem 3.1 is one key result for proving the correctness of our simulation algorithm SA, while it is not needed for understanding how SA works and how to implement it efficiently.

4 Partition-Relation Pairs

Let P ∈ Part(Σ) and R ⊆ P × P be any relation on the partition P. One such pair ⟨P, R⟩ is called a partition-relation pair. A partition-relation pair ⟨P, R⟩ induces a disjunctive closure µ_⟨P,R⟩ ∈ uco^d(℘(Σ)_⊆) as follows: for any X ∈ ℘(Σ),

  µ_⟨P,R⟩(X) ≝ ∪{C ∈ P | ∃ B ∈ P. B ∩ X ≠ ∅, (B, C) ∈ R*}.

It is easily shown that µ_⟨P,R⟩ is indeed a disjunctive uco. Note that, for any B ∈ P and x ∈ B, µ_⟨P,R⟩({x}) = µ_⟨P,R⟩(B) = ∪R*(B) = ∪{C ∈ P | (B, C) ∈ R*}. This correspondence is a key logical point for proving the correctness of our simulation algorithm. In fact, our algorithm maintains a partition-relation pair, where the relation is a preorder, and our proof of correctness depends on the fact that this partition-relation pair logically represents a corresponding disjunctive abstract domain.

Example 4.1. Let Σ = {1, 2, 3, 4}, P = {12, 3, 4} ∈ Part(Σ) and R = {(12, 3), (3, 4), (4, 3)}. Note that R* = {(12, 12), (12, 3), (12, 4), (3, 3), (3, 4), (4, 3), (4, 4)}. The disjunctive abstract domain µ_⟨P,R⟩ is such that µ_⟨P,R⟩({1}) = µ_⟨P,R⟩({2}) = {1, 2, 3, 4} and µ_⟨P,R⟩({3}) = µ_⟨P,R⟩({4}) = {3, 4}, so that the image of µ_⟨P,R⟩ is {∅, 34, 1234}.
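As an added example (not code from the paper), the following Python carries out the shell computation of Example 3.2, i.e. the iterates µ_i = Cl_∩(µ_{i-1} ∪ pre(µ_{i-1})) followed by the disjunctive completion, and the construction of µ_⟨P,R⟩ through R* from Example 4.1; the transition relation is reconstructed from the predecessor sets listed in Example 3.2 (an assumption).

```python
# Added example (not code from the paper): the forward {∪, pre}-complete shell
# computation of Example 3.2 and the abstract domain mu_<P,R> induced by the
# partition-relation pair of Example 4.1.  The transition relation below is
# reconstructed from the predecessor sets given in Example 3.2 (an assumption):
# 1->1, 1->3, 2->3, 3->4, 4->4.
STATES = frozenset({1, 2, 3, 4})
TRANS = {(1, 1), (1, 3), (2, 3), (3, 4), (4, 4)}


def fs(*xs):
    """Shorthand for a block of states: fs(1, 2) is the block written 12 in the paper."""
    return frozenset(xs)


def pre(x):
    """Predecessor transformer: the states with a transition into x."""
    return frozenset(s for (s, t) in TRANS if t in x)


def closure(family, op):
    """Close a family of sets under a binary operation (Cl_∩, or ∪ for the disjunctive completion)."""
    fam = set(family)
    changed = True
    while changed:
        changed = False
        for a in list(fam):
            for b in list(fam):
                if op(a, b) not in fam:
                    fam.add(op(a, b))
                    changed = True
    return frozenset(fam)


def shell_iterates(mu0):
    """The iterates mu_{i+1} = Cl_∩(mu_i ∪ pre(mu_i)) of Example 3.2, up to the fixpoint."""
    iterates = [frozenset(mu0)]
    while True:
        cur = iterates[-1]
        nxt = closure(cur | {pre(x) for x in cur}, frozenset.__and__)
        if nxt == cur:
            return iterates
        iterates.append(nxt)


def forward_complete_shell(mu0):
    """S_{∪,pre}(mu0) = S_∪(S_pre(mu0)): close under pre first, then take the disjunctive completion."""
    return closure(shell_iterates(mu0)[-1], frozenset.__or__)


def apply(domain, x):
    """mu(X) for a Moore family: the least element of the domain containing X."""
    return frozenset.intersection(*[d for d in domain if frozenset(x) <= d])


def partition_of(domain):
    """par(mu): s and t share a block iff mu({s}) = mu({t})."""
    return frozenset(frozenset(t for t in STATES if apply(domain, {t}) == apply(domain, {s}))
                     for s in STATES)


def induced_domain(partition, rel):
    """mu_<P,R>: X is mapped to the union of the blocks reachable via R* from a block meeting X."""
    star = {b: {b} for b in partition}        # R*, the reflexive-transitive closure of R
    changed = True
    while changed:
        changed = False
        for b in partition:
            for c in list(star[b]):
                for d in rel.get(c, ()):
                    if d not in star[b]:
                        star[b].add(d)
                        changed = True

    def mu(x):
        return frozenset().union(*[frozenset().union(*star[b])
                                   for b in partition if b & frozenset(x)])
    return mu


if __name__ == "__main__":
    mu_l = {fs(), fs(4), fs(1, 2, 3), fs(1, 2, 3, 4)}
    for i, mu_i in enumerate(shell_iterates(mu_l)):
        print("mu%d =" % i, sorted(map(sorted, mu_i)))
    mu_k = forward_complete_shell(mu_l)
    print("par(mu_K) =", sorted(map(sorted, partition_of(mu_k))))
```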
On the other hand, any abstract domain µ ∈ uco(℘(Σ)) induces a partition-relation pair ⟨P_µ, R_µ⟩ as follows:

– P_µ ≝ par(µ);
– R_µ ≝ {(B, C) ∈ P_µ × P_µ | C ⊆ µ(B)}.

The following properties of partition-relation pairs will be useful in later proofs.

Lemma 4.2. Let ⟨P, R⟩ be a partition-relation pair and µ ∈ uco(℘(Σ)).
(i) P ⪯ par(µ_⟨P,R⟩).
(ii) ⟨P_µ, R_µ⟩ = ⟨P_{µ^d}, R_{µ^d}⟩.

Proof. (i) We already observed above that if B ∈ P and x ∈ B then µ_⟨P,R⟩({x}) = µ_⟨P,R⟩(B), so that B ⊆ {y ∈ Σ | µ_⟨P,R⟩({x}) = µ_⟨P,R⟩({y})}, which is a block in par(µ_⟨P,R⟩).
(ii) By Lemma 2.4 (iv), P_µ = par(µ) = par(µ^d) = P_{µ^d}. Moreover,

  R_µ = [by definition] {(B, C) ∈ P_µ × P_µ | C ⊆ µ(B)}
      = [as P_µ = P_{µ^d}] {(B, C) ∈ P_{µ^d} × P_{µ^d} | C ⊆ µ(B)}
      = [as µ(B) = µ^d(B)] {(B, C) ∈ P_{µ^d} × P_{µ^d} | C ⊆ µ^d(B)}
      = [by definition] R_{µ^d}.

It turns out that the above two correspondences between partition-relation pairs and disjunctive abstract domains are inverse of each other when the relation is a partial order.

Lemma 4.3. For any partition P ∈ Part(Σ), partial order R ⊆ P × P and disjunctive abstract domain µ ∈ uco^d(℘(Σ)), we have that ⟨P_{µ_⟨P,R⟩}, R_{µ_⟨P,R⟩}⟩ = ⟨P, R⟩ and µ_⟨P_µ,R_µ⟩ = µ.

Proof. Let us show that ⟨P_{µ_⟨P,R⟩}, R_{µ_⟨P,R⟩}⟩ = ⟨P, R⟩. We first prove that P_{µ_⟨P,R⟩} = P, i.e., par(µ_⟨P,R⟩) = P. On the one hand, by Lemma 4.2 (i), P ⪯ par(µ_⟨P,R⟩). On the other hand, if x, y ∈ Σ, µ_⟨P,R⟩({x}) = µ_⟨P,R⟩({y}), x ∈ B_x ∈ P and y ∈ B_y ∈ P, then (B_x, B_y) ∈ R* and (B_y, B_x) ∈ R*. Since R is a partial order, we have that R* = R is a partial order as well, so that B_x = B_y, namely par(µ_⟨P,R⟩) ⪯ P. Let us prove now that R_{µ_⟨P,R⟩} = R.
In fact, for any (B, C) ∈ par(µ_⟨P,R⟩) × par(µ_⟨P,R⟩),

  (B, C) ∈ R_{µ_⟨P,R⟩} ⇔ [by definition of R_{µ_⟨P,R⟩}] C ⊆ µ_⟨P,R⟩(B)
                       ⇔ [by definition of µ_⟨P,R⟩] (B, C) ∈ R*
                       ⇔ [since R* = R] (B, C) ∈ R.

Finally, let us show that µ_⟨P_µ,R_µ⟩ = µ. Since both µ_⟨P_µ,R_µ⟩ and µ are disjunctive, it is enough to prove that for all x ∈ Σ, µ_⟨P_µ,R_µ⟩({x}) = µ({x}). Given x ∈ Σ, consider the block B_x ∈ P_µ = par(µ) containing x. Then,

  µ_⟨P_µ,R_µ⟩({x}) = [by definition of µ_⟨P_µ,R_µ⟩] ∪{C ∈ P_µ | (B_x, C) ∈ R_µ*}
                   = [since R_µ* = R_µ] ∪{C ∈ P_µ | (B_x, C) ∈ R_µ}
                   = [by definition of R_µ] ∪{C ∈ P_µ | C ⊆ µ(B_x)}
                   = [by Lemma 2.4 (ii)] µ(B_x)
                   = [since µ(B_x) = µ({x})] µ({x}).

Our simulation algorithm relies on the following condition on a partition-relation pair ⟨P, R⟩ w.r.t. a transition system (Σ, →) which guarantees that the corresponding disjunctive abstract domain µ_⟨P,R⟩ is forward complete for the predecessor pre.

Lemma 4.4. Let (Σ, →) be a transition system and ⟨P, R⟩ be a partition-relation pair where R is reflexive. Assume that for any B, C ∈ P, if C ∩ pre(B) ≠ ∅ then ∪R(C) ⊆ pre(∪R(B)). Then, µ_⟨P,R⟩ is forward complete for pre.

Proof. We preliminarily show the following fact:

(‡) Let µ ∈ uco^d(℘(Σ)) and P ∈ Part(Σ) such that P ⪯ par(µ). Then, µ is forward complete for pre iff for any B, C ∈ P, if C ∩ pre(B) ≠ ∅ then µ(C) ⊆ pre(µ(B)).

(⇒) Let B, C ∈ P such that C ∩ pre(B) ≠ ∅. Since B ⊆ µ(B), we also have that C ∩ pre(µ(B)) ≠ ∅. By forward completeness, pre(µ(B)) = µ(pre(µ(B))). Since P ⪯ par(µ), C ∈ P and C ∩ µ(pre(µ(B))) = C ∩ pre(µ(B)) ≠ ∅, we have that C ⊆ µ(pre(µ(B))) = pre(µ(B)), so that, by applying the monotone map µ, µ(C) ⊆ µ(pre(µ(B))) = pre(µ(B)).
(⇐) Firstly, we show the following property (∗): for any B, C ∈ P, if C ∩ pre(µ(B)) ≠ ∅ then µ(C) ⊆ pre(µ(B)). Since P ⪯ par(µ), by Lemma 2.4 (ii), C ∩ pre(µ(B)) = C ∩ pre(∪{D ∈ P | D ⊆ µ(B)}), so that if C ∩ pre(µ(B)) ≠ ∅ then C ∩ pre(D) ≠ ∅ for some D ∈ P such that D ⊆ µ(B). Hence, by hypothesis, µ(C) ⊆ pre(µ(D)). Since µ(D) ⊆ µ(B), we thus obtain that µ(C) ⊆ pre(µ(D)) ⊆ pre(µ(B)).

Let us now prove that µ is forward complete for pre. We first show the following property (∗∗): for any B ∈ P, µ(pre(µ(B))) ⊆ pre(µ(B)). In fact, since P ⪯ par(µ), we have that:

  µ(pre(µ(B))) = [by Lemma 2.4 (iii), because µ is additive] ∪{µ(C) | C ∈ P, C ∩ pre(µ(B)) ≠ ∅}
               ⊆ [by the above property (∗)] pre(µ(B)).

Hence, for any X ∈ ℘(Σ), we have that:

  µ(pre(µ(X))) = [since, by Lemma 2.4 (iii), µ(X) = ∪_i µ(B_i) for some {B_i} ⊆ P] µ(pre(∪_i µ(B_i)))
               = [since µ and pre are additive] ∪_i µ(pre(µ(B_i)))
               ⊆ [by the above property (∗∗)] ∪_i pre(µ(B_i))
               = [since pre is additive] pre(∪_i µ(B_i))
               = [since µ(X) = ∪_i µ(B_i)] pre(µ(X)).

Let us now turn to show the lemma. By Lemma 4.2 (i), we have that P ⪯ par(µ_⟨P,R⟩). By the above fact (‡), in order to prove that µ_⟨P,R⟩ is forward complete for pre it is sufficient to show that for any B, C ∈ P, if C ∩ pre(B) ≠ ∅ then µ_⟨P,R⟩(C) ⊆ pre(µ_⟨P,R⟩(B)). Thus, assume that C ∩ pre(B) ≠ ∅. We need to show that ∪R*(C) ⊆ pre(∪R*(B)). Assume that (C, D) ∈ R*, namely that there exist {B_i}_{i∈[0,k]} ⊆ P, for some k ≥ 0, such that B_0 = C, B_k = D and for any i ∈ [0, k), (B_i, B_{i+1}) ∈ R. We show by induction on k that D ⊆ pre(∪R*(B)).

(k = 0) This means that C = D. Since R is assumed to be reflexive, we have that (C, C) ∈ R. By hypothesis, ∪R(C) ⊆ pre(∪R(B)), so that we obtain D = C ⊆ ∪R(C) ⊆ pre(∪R(B)) ⊆ pre(∪R*(B)).

(k + 1) Assume that (C, B_1), (B_1, B_2), ..., (B_k, D) ∈ R. By inductive hypothesis, B_k ⊆ pre(∪R*(B)). Note that, by additivity of pre, pre(∪R*(B)) = ∪{pre(E) | E ∈ P, (B, E) ∈ R*}. Thus, there exists some E ∈ P such that (B, E) ∈ R* and B_k ∩ pre(E) ≠ ∅. Hence, by hypothesis, ∪R(B_k) ⊆ pre(∪R(E)). Observe that ∪R(E) ⊆ ∪R*(E) ⊆ ∪R*(B), so that D ⊆ ∪R(B_k) ⊆ pre(∪R(E)) ⊆ pre(∪R*(B)).

5 Henzinger, Henzinger and Kopke's Algorithm

Our simulation algorithm SA is designed as a symbolic modification of Henzinger, Henzinger and Kopke's simulation algorithm [23]. This algorithm is designed in three incremental steps encoded by the procedures SchematicSimilarity, RefinedSimilarity and HHK (called EfficientSimilarity in [23]) in Figure 1. Consider any (possibly non total) finite Kripke structure (Σ, →, ℓ). The idea of the basic SchematicSimilarity algorithm is simple. For each state v ∈ Σ, the simulator set Sim(v) ⊆ Σ contains states that are candidates for simulating v. Hence, Sim(v) is initialized with all the states having the same labeling as v, that is [v]_ℓ. The algorithm then proceeds iteratively as follows: if u → v, w ∈ Sim(u) but there is no w′ ∈ Sim(v) such that w → w′, then w cannot simulate u and therefore Sim(u) is refined to Sim(u) ∖ {w}.

  SchematicSimilarity() {
    forall v ∈ Σ do Sim(v) := [v]_ℓ;
    while ∃ u, v, w ∈ Σ such that (u → v & w ∈ Sim(u) & post({w}) ∩ Sim(v) = ∅) do
      Sim(u) := Sim(u) ∖ {w};
  }

  RefinedSimilarity() {
    forall v ∈ Σ do
      prevSim(v) := Σ;
      if post({v}) = ∅ then Sim(v) := [v]_ℓ; else Sim(v) := [v]_ℓ ∩ pre(Σ);
    while ∃ v ∈ Σ such that Sim(v) ≠ prevSim(v) do
      // Inv1: ∀ v ∈ Σ. Sim(v) ⊆ prevSim(v)
      // Inv2: ∀ u, v ∈ Σ. u → v ⇒ Sim(u) ⊆ pre(prevSim(v))
      Remove := pre(prevSim(v)) ∖ pre(Sim(v));
      prevSim(v) := Sim(v);
      forall u ∈ pre(v) do Sim(u) := Sim(u) ∖ Remove;
  }

  HHK() {
    // forall v ∈ Σ do prevSim(v) := Σ;
    forall v ∈ Σ do
      if post({v}) = ∅ then Sim(v) := [v]_ℓ; else Sim(v) := [v]_ℓ ∩ pre(Σ);
      Remove(v) := pre(Σ) ∖ pre(Sim(v));
    while ∃ v ∈ Σ such that Remove(v) ≠ ∅ do
      // Inv3: ∀ v ∈ Σ. Remove(v) = pre(prevSim(v)) ∖ pre(Sim(v))
      // prevSim(v) := Sim(v);
      Remove := Remove(v); Remove(v) := ∅;
      forall u ∈ pre(v) do
        forall w ∈ Remove do
          if w ∈ Sim(u) then
            Sim(u) := Sim(u) ∖ {w};
            forall w′′ ∈ pre(w) such that w′′ ∉ pre(Sim(u)) do Remove(u) := Remove(u) ∪ {w′′};
  }

Figure 1: HHK Algorithm.

This basic procedure is then refined to the algorithm RefinedSimilarity. The key point here is to store for each state v ∈ Σ an additional set of states prevSim(v) that is a superset of Sim(v) (invariant Inv1) and contains the states that were in Sim(v) in some past iteration where v was selected. If u → v then the invariant Inv2 allows to refine Sim(u) by scrutinizing only the states in pre(prevSim(v)) instead of all the possible states in Σ: in fact, while in SchematicSimilarity Sim(u) is reduced to Sim(u) ∖ (Σ ∖ pre(Sim(v))), in RefinedSimilarity Sim(u) is reduced in the same way by removing from it the states in Remove ≝ pre(prevSim(v)) ∖ pre(Sim(v)). The initialization of Sim(v) that distinguishes the case post({v}) = ∅ allows to initially establish the invariant Inv2. Let us remark that the original RefinedSimilarity algorithm presented in [23] contains the following bug: the statement prevSim(v) := Sim(v) is placed just after the inner for-loop instead of immediately preceding the inner for-loop.
It turns out that this is not correct, as shown by the following example.

Example 5.1. Let us consider the Kripke structure in Example 3.2. We already observed that the simulation relation is R_sim = {(1,1), (2,2), (2,1), (3,3), (4,4)}. However, one can check that the original version of the RefinedSimilarity algorithm in [23] — where the assignment prevSim(v) := Sim(v) follows the inner for-loop — provides as output Sim(1) = {1, 2}, Sim(2) = {1, 2}, Sim(3) = {3}, Sim(4) = {4}, namely the state 2 appears to simulate the state 1 while this is not the case. The problem with the original version in [23] of the RefinedSimilarity algorithm lies in the fact that when v ∈ pre({v}) — like in this example for state 1 — it may happen that during the inner for-loop the set Sim(v) is refined to Sim(v) ∖ Remove, so that if the assignment prevSim(v) := Sim(v) follows the inner for-loop then prevSim(v) might be computed as an incorrect subset of the right set.

RefinedSimilarity is further refined to the final HHK algorithm. The idea here is that instead of recomputing at each iteration of the while-loop the set Remove := pre(prevSim(v)) ∖ pre(Sim(v)) for the selected state v, a set Remove(v) is maintained and incrementally updated for each state v ∈ Σ in such a way that it satisfies the invariant Inv3. The original version of HHK in [23] also suffers from a bug that is a direct consequence of the problem in RefinedSimilarity described above: within the main while-loop of HHK, the statement Remove(v) := ∅ is placed just after the outermost for-loop instead of immediately preceding the outermost for-loop. It is easy to show that this is not correct by resorting again to Example 5.1.
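As an added example (not code from the paper or from [23]), the following Python runs RefinedSimilarity from Figure 1 on the Kripke structure of Example 3.2 with a switch for where the assignment prevSim(v) := Sim(v) sits, reproducing both the corrected output and the wrong output of Example 5.1. The transition relation and labeling of Example 3.2 are reconstructed from the text (an assumption), and the selection order among the candidate states v, which the figure leaves open, is fixed to smallest-first.

```python
# Added example (not code from the paper): Henzinger, Henzinger and Kopke's
# RefinedSimilarity procedure, as reproduced in Figure 1, run on the Kripke
# structure of Example 3.2.  The transition relation and labeling below are
# reconstructed from the text of that example (an assumption): 1->1, 1->3,
# 2->3, 3->4, 4->4, with p holding in 1, 2, 3 and q holding in 4.
STATES = (1, 2, 3, 4)
TRANS = {(1, 1), (1, 3), (2, 3), (3, 4), (4, 4)}
LABEL = {1: "p", 2: "p", 3: "p", 4: "q"}


def pre(x):
    """Predecessor transformer: states with at least one transition into x."""
    return {s for (s, t) in TRANS if t in x}


def post(x):
    """Successor transformer: states reachable in one step from x."""
    return {t for (s, t) in TRANS if s in x}


def refined_similarity(fixed=True):
    """RefinedSimilarity from Figure 1, returning the final {Sim(v)} family.

    With fixed=True the assignment prevSim(v) := Sim(v) precedes the inner
    for-loop (the corrected placement); with fixed=False it follows the
    for-loop, i.e. the placement the paper identifies as the bug in [23].
    Among the states with Sim(v) != prevSim(v) the smallest is selected,
    which makes the run deterministic (the figure leaves the choice open).
    """
    sigma = set(STATES)
    pre_sigma = pre(sigma)
    prev_sim = {v: set(sigma) for v in STATES}
    sim = {}
    for v in STATES:
        block = {w for w in STATES if LABEL[w] == LABEL[v]}   # [v]_l
        sim[v] = set(block) if not post({v}) else block & pre_sigma
    while True:
        pending = [v for v in STATES if sim[v] != prev_sim[v]]
        if not pending:
            return sim
        v = pending[0]
        remove = pre(prev_sim[v]) - pre(sim[v])
        if fixed:
            prev_sim[v] = set(sim[v])
        for u in pre({v}):
            sim[u] -= remove
        if not fixed:
            # Buggy placement: when v is in pre({v}), sim[v] was already
            # shrunk by the loop above, so prevSim(v) records too small a set
            # and the states dropped from it are never examined again.
            prev_sim[v] = set(sim[v])


def simulation_preorder(sim):
    """Decode {Sim(s)} into R_sim: (s, s') is in R_sim iff s' is in Sim(s)."""
    return {(s, t) for s in STATES for t in sim[s]}


if __name__ == "__main__":
    for fixed in (True, False):
        result = refined_similarity(fixed)
        print("fixed" if fixed else "buggy", {v: sorted(result[v]) for v in STATES})
```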
The implementation of HHK exploits a matrix Count(u, v), indexed on states u, v ∈ Σ, such that Count(u, v) = |post(u) ∩ Sim(v)|, i.e., Count(u, v) stores the number of transitions from u to some state w ∈ Sim(v). Hence, the test w′′ ∉ pre(Sim(u)) in the innermost for-loop can be done in O(1) by checking whether Count(w′′, u) is 0 or not. This provides an efficient implementation of HHK that runs in O(|Σ||→|) time, while the space complexity is in O(|Σ|² log |Σ|), namely it is more than quadratic in the size of the state space. Let us remark that the key property for showing the O(|Σ||→|) time bound is as follows: if a state v is selected at some iterations i and j of the while-loop and the iteration i precedes the iteration j, then Remove_i(v) ∩ Remove_j(v) = ∅, so that the sets in {Remove_i(v) | v is selected at some iteration i} are pairwise disjoint.

6 A New Simulation Algorithm

6.1 The Basic Algorithm

Let us consider any (possibly non total) finite Kripke structure (Σ, →, ℓ). As recalled above, the HHK procedure maintains for each state s ∈ Σ a simulator set Sim(s) ⊆ Σ and a remove set Remove(s) ⊆ Σ. The simulation preorder R_sim is encoded by the output {Sim(s)}_{s∈Σ} as follows: (s, s′) ∈ R_sim iff s′ ∈ Sim(s). Hence, the simulation equivalence partition P_sim is obtained as follows: s and s′ are simulation equivalent iff s ∈ Sim(s′) and s′ ∈ Sim(s). Our algorithm relies on the idea of modifying the HHK procedure in order to maintain a partition-relation pair ⟨P, Rel⟩ in place of {Sim(s)}_{s∈Σ}, together with a remove set Remove(B) ⊆ Σ for each block B ∈ P. The basic idea is to replace the family of sets S = {Sim(s)}_{s∈Σ} with the following state partition P induced by S: s1 ∼_S s2 iff for all s ∈ Σ, s1 ∈ Sim(s) ⇔ s2 ∈ Sim(s).
Then, a reflexive relation Rel ⊆ P × P on P gives rise to a partition-relation pair where the intuition is as follows: given a state s and a block B ∈ P, (i) if s ∈ B then the current simulator set for s is the union of the blocks in P that are in relation with B, i.e., Sim(s) = ∪Rel(B); (ii) if s, s′ ∈ B then s and s′ are currently candidates to be simulation equivalent. Thus, a partition-relation pair ⟨P, Rel⟩ represents the current approximation of the simulation preorder and in particular P represents the current approximation of simulation equivalence.

   1  BasicSA(PartitionRelation ⟨P, Rel⟩) {
   2    while ∃ B, C ∈ P such that (C ∩ pre(B) ≠ ∅ & ∪Rel(C) ⊄ pre(∪Rel(B))) do
   3      S := pre(∪Rel(B));
   4      P_prev := P; B_prev := B;
   5      P := Split(P, S);
   6      forall C ∈ P do Rel(C) := {D ∈ P | D ⊆ ∪Rel(parent_{P_prev}(C))};
   7      forall C ∈ P such that C ∩ pre(B_prev) ≠ ∅ do Rel(C) := {D ∈ Rel(C) | D ⊆ S};
   8  }

Figure 2: Basic Simulation Algorithm.

Partition-relation pairs have been used by Henzinger, Henzinger and Kopke [23] to compute the simulation preorder on effectively presented infinite transition systems, notably hybrid automata. Henzinger et al. provide a symbolic procedure, called SymbolicSimilarity in [23], that is derived as a symbolization through partition-relation pairs of their basic simulation algorithm SchematicSimilarity in Figure 1. Moreover, partition-relation pairs are also exploited by Gentilini et al. [18] in their simulation algorithm for representing simulation relations. The distinctive feature of our use of partition-relation pairs is that, by relying on the results in Section 4, we logically view partition-relation pairs as abstract domains and therefore we can reason on them by using abstract interpretation. Following Henzinger et al. [23], our simulation algorithm is designed in three incremental steps.
We exploit the following results for designing the basic algorithm.

– Theorem 3.1 tells us that the simulation preorder can be obtained from the forward {∪, pre}-complete shell of an initial abstract domain µ_ℓ induced by the labeling ℓ.
– As shown in Section 4, a partition-relation pair can be viewed as representing a disjunctive abstract domain.
– Lemma 4.4 gives us a condition on a partition-relation pair which guarantees that the corresponding abstract domain is forward complete for pre. Moreover, this abstract domain is disjunctive as well, being induced by a partition-relation pair.

Thus, the idea consists in iteratively and minimally refining an initial partition-relation pair ⟨P, Rel⟩ induced by the labeling ℓ until the condition of Lemma 4.4 is satisfied: for all B, C ∈ P, C ∩ pre(B) ≠ ∅ ⇒ ∪Rel(C) ⊆ pre(∪Rel(B)). Let us observe that C ∩ pre(B) ≠ ∅ means that C →∃∃ B. The basic algorithm, called BasicSA, is in Figure 2. The current partition-relation pair ⟨P, Rel⟩ is refined by the following three steps in BasicSA. If B is the block of the current partition P selected by the while-loop then:
(i) the current partition P is split with respect to the set S = pre(∪Rel(B));
(ii) if C is a newly generated block after splitting the current partition and parent_{P_prev}(C) is its parent block in the partition P_prev before the splitting operation, then Rel(C) is modified so that ∪Rel(C) = ∪Rel(parent_{P_prev}(C));
(iii) the current relation Rel is refined for the (new and old) blocks C such that C →∃∃ B by removing from Rel(C) those blocks that are not contained in S; observe that after having split P w.r.t. S it turns out that one such block D either is contained in S or is disjoint from S.
Let us remark that although the symbolic simulation algorithm for infinite graphs SymbolicSimilarity in [23] may appear similar to our BasicSA algorithm, it is instead inherently different due to the following reason: the role played by the condition

  C →∃∃ B & ∪Rel(C) ⊄ pre(∪Rel(B))

in the while-loop of BasicSA is played in SymbolicSimilarity by

  C →∃∃ ∪Rel(B) & ∪Rel(C) ⊄ pre(∪Rel(B)),

and this latter condition is computationally harder to check.

The following correctness result formalizes that BasicSA can be viewed as an abstract domain refinement algorithm that allows us to compute forward complete shells for {∪, pre}. For any abstract domain µ ∈ uco(℘(Σ)), we write µ′ = BasicSA(µ) when the algorithm BasicSA on an input partition-relation pair ⟨P_µ, R_µ⟩ terminates and outputs a partition-relation pair ⟨P′, R′⟩ such that µ′ = µ_⟨P′,R′⟩.

Theorem 6.1. Let Σ be finite. Then, BasicSA terminates on any input domain µ ∈ uco(℘(Σ)) and BasicSA(µ) = S_{∪,pre}(µ).

Proof. Let ⟨P_curr, R_curr⟩ and ⟨P_next, R_next⟩ be, respectively, the current and next partition-relation pair in some iteration of BasicSA(µ). By line 5, P_next ⪯ P_curr always holds. Moreover, if P_next = P_curr then it turns out that R_next ⊊ R_curr: in fact, if B, C ∈ P_curr, C ∩ pre(B) ≠ ∅ and ∪R_curr(C) ⊄ pre(∪R_curr(B)) then, by lines 6 and 7, ∪R_next(C) ⊊ ∪R_curr(C), because there exists x ∈ ∪R_curr(C) such that x ∉ pre(∪R_curr(B)), so that if B_x ∈ P_next = P_curr is the block that contains x then B_x ∩ (∪R_next(C)) = ∅ while B_x ⊆ ∪R_curr(C). Thus, either P_next ≺ P_curr or R_next ⊊ R_curr, so that, since the state space Σ is finite, the procedure BasicSA terminates.

Let µ′ = BasicSA(µ), namely, let µ′ = µ_⟨P′,R′⟩ where ⟨P′, R′⟩ is the output of BasicSA on input ⟨P_µ, R_µ⟩.
Let {⟨P_i, R_i⟩}_{i∈[0,k]} be the sequence of partition-relation pairs computed by BasicSA, where ⟨P_0, R_0⟩ = ⟨P_µ, R_µ⟩ and ⟨P_k, R_k⟩ = ⟨P′, R′⟩. Let us first observe that for any i ∈ [0, k), P_{i+1} ⪯ P_i, because the current partition is refined by the splitting operation in line 5. Moreover, for any i ∈ [0, k) and C ∈ P_{i+1}, note that ∪R_{i+1}(C) ⊆ ∪R_i(parent_{P_i}(C)), because the current relation is modified only at lines 6 and 7. Let us also observe that for any i ∈ [0, k], R_i is a reflexive relation, because R_0 is reflexive and the operations at lines 6-7 preserve the reflexivity of the current relation. Let us show this latter fact. If C ∈ P_next is such that C ∩ pre(B_prev) ≠ ∅ then, because, by hypothesis, B_prev ∈ R_prev(B_prev), we have that C ∩ pre(∪R_prev(B_prev)) ≠ ∅, so that C ⊆ S = pre(∪R_prev(B_prev)). Hence, if C ∈ P_next ∩ P_prev then C ∈ R_next(C), while if C ∈ P_next ∖ P_prev then, by hypothesis, parent_{P_prev}(C) ∈ R_prev(parent_{P_prev}(C)), so that, by line 6, C ∈ R_next(C) also in this case.

For any B ∈ P′ = P_k, we have that

  µ′(B) = [by definition of µ′] ∪R_k*(B)
        ⊆ [as ∪R_k(B) ⊆ ∪R_0(parent_{P_0}(B))] ∪R_0*(parent_{P_0}(B))
        = [as P_0 = par(µ) and R_0* = R_µ* = R_µ] ∪R_µ(parent_{par(µ)}(B))
        = [by Lemma 4.2 (ii), ⟨par(µ), R_µ⟩ = ⟨par(µ^d), R_{µ^d}⟩] ∪R_{µ^d}(parent_{par(µ^d)}(B))
        = [by definition of R_{µ^d}] ∪{C ∈ par(µ^d) | C ⊆ µ^d(parent_{par(µ^d)}(B))}
        = [by Lemma 2.4 (ii)] µ^d(parent_{par(µ^d)}(B))
        = [by Lemma 2.4 (i)] µ^d(B).
Thus, since, by Lemma 4.2 (i), P′ ⪯ par(µ′), by Lemma 2.4 (iv), P′ ⪯ P_µ = par(µ^d), and both µ′ and µ^d are disjunctive, we have that for any X ∈ ℘(Σ),

  µ′(X) = [by Lemma 2.4 (iii)] ∪{µ′(B) | B ∈ P′, B ∩ X ≠ ∅}
        ⊆ [as µ′(B) ⊆ µ^d(B)] ∪{µ^d(B) | B ∈ P′, B ∩ X ≠ ∅}
        = [by Lemma 2.4 (iii)] µ^d(X)
        ⊆ [as µ^d ⊑ µ] µ(X).

Thus, µ′ is a refinement of µ. We have that P′ ⪯ par(µ′), R′ = R_k is (as shown above) reflexive and, because ⟨P′, R′⟩ is the output partition-relation pair, for all B, C ∈ P′, if C ∩ pre(B) ≠ ∅ then ∪R′(C) ⊆ pre(∪R′(B)). Hence, by Lemma 4.4 we obtain that µ′ is forward complete for pre. Thus, µ′ is a disjunctive refinement of µ that is forward complete for pre, so that µ′ ⊑ S_{∪,pre}(µ).

In order to conclude the proof, let us show that S_{∪,pre}(µ) ⊑ µ′. We first show by induction that for any i ∈ [0, k] and B ∈ P_i, we have that ∪R_i(B) ∈ img(S_{∪,pre}(µ)):

(i = 0) We have that ⟨P_0, R_0⟩ = ⟨P_µ, R_µ⟩, so that for any B ∈ P_0, by Lemma 2.4 (ii), ∪R_0(B) = ∪{C ∈ par(µ) | C ⊆ µ(B)} = µ(B). Hence, ∪R_0(B) ∈ img(µ) ⊆ img(S_{∪,pre}(µ)).

(i + 1) Let C ∈ P_{i+1} = split(P_i, pre(∪R_i(B_i))) for some B_i ∈ P_i. If C ∩ pre(B_i) = ∅ then, by lines 6-7, ∪R_{i+1}(C) = ∪R_i(parent_{P_i}(C)), so that, by inductive hypothesis, ∪R_{i+1}(C) ∈ img(S_{∪,pre}(µ)). On the other hand, if C ∩ pre(B_i) ≠ ∅ then, by lines 6-7, ∪R_{i+1}(C) = ∪R_i(parent_{P_i}(C)) ∩ pre(∪R_i(B_i)). By inductive hypothesis, we have that ∪R_i(parent_{P_i}(C)) ∈ img(S_{∪,pre}(µ)) and ∪R_i(B_i) ∈ img(S_{∪,pre}(µ)). Also, since S_{∪,pre}(µ) is forward complete for pre, pre(∪R_i(B_i)) ∈ img(S_{∪,pre}(µ)). Hence, ∪R_{i+1}(C) ∈ img(S_{∪,pre}(µ)).

As observed above, R_k is reflexive, so that for any B ∈ P_k, B ⊆ ∪R_k(B).
For any B ∈ P′, we have that

  S_{∪,pre}(µ)(B) ⊆ [as B ⊆ ∪R_k(B)] S_{∪,pre}(µ)(∪R_k(B))
                  = [as ∪R_k(B) ∈ img(S_{∪,pre}(µ))] ∪R_k(B)
                  ⊆ [as R_k ⊆ R_k*] ∪R_k*(B)
                  = [by definition] µ′(B).

Therefore, for any X ∈ ℘(Σ),

  S_{∪,pre}(µ)(X) ⊆ [as X ⊆ ∪{B ∈ P′ | B ∩ X ≠ ∅}] S_{∪,pre}(µ)(∪{B ∈ P′ | B ∩ X ≠ ∅})
                  = [as S_{∪,pre}(µ) is additive] ∪{S_{∪,pre}(µ)(B) | B ∈ P′, B ∩ X ≠ ∅}
                  ⊆ [as S_{∪,pre}(µ)(B) ⊆ µ′(B)] ∪{µ′(B) | B ∈ P′, B ∩ X ≠ ∅}
                  = [as µ′ is disjunctive, by Lemma 2.4 (iii)] µ′(X).

We have therefore shown that S_{∪,pre}(µ) ⊑ µ′.

Thus, BasicSA computes the forward {∪, pre}-complete shell of any input abstract domain. As a consequence, BasicSA allows us to compute both simulation relation and equivalence when µ_ℓ is the initial abstract domain.

Corollary 6.2. Let K = (Σ, →, ℓ) be a finite Kripke structure and µ_ℓ ∈ uco(℘(Σ)) be the abstract domain induced by ℓ. Then, BasicSA(µ_ℓ) = ⟨P′, R′⟩ where P′ = P_sim and, for any s1, s2 ∈ Σ, (s1, s2) ∈ R_sim ⇔ (P_sim(s1), P_sim(s2)) ∈ R′.

Proof. Let µ_K = S_{∪,pre}(µ_ℓ). By Theorem 6.1, if BasicSA(µ_ℓ) = ⟨P′, R′⟩ then µ_⟨P′,R′⟩ = µ_K. By Theorem 3.1, par(µ_K) = P_sim. By Lemma 4.2 (i), P′ ⪯ par(µ_⟨P′,R′⟩) = par(µ_K) = P_sim. It remains to show that P_sim = par(µ_⟨P′,R′⟩) ⪯ P′. Let {⟨P_i, R_i⟩}_{i∈[0,k]} be the sequence of partition-relation pairs computed by BasicSA, where ⟨P_0, R_0⟩ = ⟨P_{µ_ℓ}, R_{µ_ℓ}⟩ and ⟨P_k, R_k⟩ = ⟨P′, R′⟩. We show by induction that for any i ∈ [0, k], we have that par(µ_⟨P′,R′⟩) ⪯ P_i.

(i = 0) Since µ_⟨P′,R′⟩ ⊑ µ_ℓ, we have that par(µ_⟨P′,R′⟩) ⪯ par(µ_ℓ) = P_0.

(i + 1) Consider B ∈ par(µ_⟨P′,R′⟩). We have that P_{i+1} = split(P_i, pre(∪R_i(B_i))) for some B_i ∈ P_i.
We have shown in the proof of Theorem 6.1 that ∪R_i(B_i) ∈ µ_K = µ_⟨P′,R′⟩. Since µ_⟨P′,R′⟩ is forward complete for pre, we also have that pre(∪R_i(B_i)) ∈ µ_⟨P′,R′⟩. Hence, B ∩ pre(∪R_i(B_i)) ∈ {∅, B}. By inductive hypothesis, par(µ_⟨P′,R′⟩) ⪯ P_i, so that there exists some C ∈ P_i such that B ⊆ C. Since P_{i+1} = split(P_i, pre(∪R_i(B_i))), note that if C ∩ pre(∪R_i(B_i)) ≠ ∅ then C ∩ pre(∪R_i(B_i)) ∈ P_{i+1}, and if C ∖ pre(∪R_i(B_i)) ≠ ∅ then C ∖ pre(∪R_i(B_i)) ∈ P_{i+1}. Moreover, if B ∩ pre(∪R_i(B_i)) = ∅ then B ⊆ C ∖ pre(∪R_i(B_i)), while if B ∩ pre(∪R_i(B_i)) = B then B ⊆ C ∩ pre(∪R_i(B_i)). In both cases, there exists some D ∈ P_{i+1} such that B ⊆ D. Thus, P′ = P_sim.

The proof of Theorem 6.1 shows that R′ is reflexive. Moreover, that proof also shows that for any B ∈ P′, ∪R′(B) ∈ µ_K.

   1  RefinedSA(PartitionRelation ⟨P, Rel⟩) {
   2    forall B ∈ P do prePrevRel(B) := Σ;
   3    while ∃ B ∈ P such that pre(∪Rel(B)) ≠ prePrevRel(B) do
   4      // Inv1: ∀ B ∈ P. pre(∪Rel(B)) ⊆ prePrevRel(B)
   5      // Inv2: ∀ B, C ∈ P. C ∩ pre(B) ≠ ∅ ⇒ ∪Rel(C) ⊆ prePrevRel(B)
   6      Remove := prePrevRel(B) ∖ pre(∪Rel(B));
   7      prePrevRel(B) := pre(∪Rel(B));
   8      P_prev := P; B_prev := B;
   9      P := Split(P, prePrevRel(B));
  10      forall C ∈ P do
  11        Rel(C) := {D ∈ P | D ⊆ ∪Rel(parent_{P_prev}(C))};
  12        if C ∈ P ∖ P_prev then prePrevRel(C) := prePrevRel(parent_{P_prev}(C));
  13      forall C ∈ P such that C ∩ pre(B_prev) ≠ ∅ do
  14        Rel(C) := {D ∈ Rel(C) | D ∩ Remove = ∅};
  15  }

Figure 3: Refined Simulation Algorithm.
Then, for any B ∈ P′:

  ∪R′*(B) = [by definition of µ_⟨P′,R′⟩] µ_⟨P′,R′⟩(B)
          ⊆ [because R′ is reflexive] µ_⟨P′,R′⟩(∪R′(B))
          = [because µ_⟨P′,R′⟩ = µ_K] µ_K(∪R′(B))
          = [because ∪R′(B) ∈ µ_K] ∪R′(B)

and therefore R′ is transitive. Hence, for any s1, s2 ∈ Σ,

  (s1, s2) ∈ R_sim ⇔ [by Theorem 3.1] s2 ∈ µ_K({s1})
                   ⇔ [because µ_K = µ_⟨P′,R′⟩] s2 ∈ µ_⟨P′,R′⟩({s1})
                   ⇔ [by definition of µ_⟨P′,R′⟩] (P′(s1), P′(s2)) ∈ R′*
                   ⇔ [because P′ = P_sim and R′* = R′] (P_sim(s1), P_sim(s2)) ∈ R′.

   1  SA(PartitionRelation ⟨P, Rel⟩) {
   2    // forall B ∈ P do prePrevRel(B) := Σ;
   3    forall B ∈ P do Remove(B) := Σ ∖ pre(∪Rel(B));
   4    while ∃ B ∈ P such that Remove(B) ≠ ∅ do
   5      // Inv3: ∀ C ∈ P. Remove(C) = prePrevRel(C) ∖ pre(∪Rel(C))
   6      // Inv4: ∀ C ∈ P. Split(P, prePrevRel(C)) = P
   7      // prePrevRel(B) := pre(∪Rel(B));
   8      Remove := Remove(B);
   9      Remove(B) := ∅;
  10      B_prev := B;
  11      P_prev := P;
  12      P := Split(P, Remove);
  13      forall C ∈ P do
  14        Rel(C) := {D ∈ P | D ⊆ ∪Rel(parent_{P_prev}(C))};
  15        if C ∈ P ∖ P_prev then
  16          Remove(C) := Remove(parent_{P_prev}(C));
  17          // prePrevRel(C) := prePrevRel(parent_{P_prev}(C));
  18      RemoveList := {D ∈ P | D ⊆ Remove};
  19      forall C ∈ P such that C ∩ pre(B_prev) ≠ ∅ do
  20        forall D ∈ RemoveList do
  21          if D ∈ Rel(C) then
  22            Rel(C) := Rel(C) ∖ {D};
  23            forall s ∈ pre(D) such that s ∉ pre(∪Rel(C)) do
  24              Remove(C) := Remove(C) ∪ {s};
  25  }

Figure 4: The Simulation Algorithm SA.

6.2 Refining the Algorithm

The BasicSA algorithm is refined to the RefinedSA procedure in Figure 3. This is obtained by adapting the ideas of Henzinger et al.'s RefinedSimilarity procedure in Figure 1 to our BasicSA algorithm. The following points show that this algorithm RefinedSA remains correct, i.e., the input-output behaviours of BasicSA and RefinedSA are the same.

– For any block B of the current partition P, the predecessors of the blocks in the "previous" relation Rel_prev(B) are maintained as a set prePrevRel(B). Initially, at line 2, prePrevRel(B) is set to contain all the states in Σ. Then, when a block B is selected by the while-loop at some iteration i, prePrevRel(B) is updated at line 7 in order to save the states in pre(∪Rel(B)) at this iteration i.
– If C is a newly generated block after splitting P and parent_{P_prev}(C) is its corresponding parent block in the partition before splitting, then prePrevRel(C) is set at line 12 as prePrevRel(parent_{P_prev}(C)). Therefore, since the current relation Rel decreases only — i.e., if i and j are iterations such that j follows i and B, B′ are blocks such that B′ ⊆ B then ∪Rel_j(B′) ⊆ ∪Rel_i(B) — at each iteration the following invariant Inv1 holds: for any block B ∈ P, pre(∪Rel(B)) ⊆ prePrevRel(B). Initially, Inv1 is satisfied because for any block B, prePrevRel(B) is initialized to Σ at line 2.
– The crucial point is the invariant Inv2: if C →∃∃ B and D ∈ Rel(C) then D ⊆ prePrevRel(B). Initially, this invariant property is clearly satisfied because for any block B, prePrevRel(B) is initialized to Σ.
Morever , Inv 2 is m aintained at each iteration because at line 6 R emove is set to pre Pr evR el ( B ) r pre( ∪ R el ( B )) and for any block C such that C ∃∃ B prev if some block D is contained in R emove th en D is removed from R el ( C ) at line 14 . Thus, if the exit co ndition of the wh ile-loop of RefinedSA is satisfied then , by inv ariant Inv 2 , the exit condition of BasicSA is satisfied as well. Finally , let us rem ark that the exit cond ition of the while-loop, namely ∀ B ∈ P . pre( ∪ R el ( B )) = pre Pr evR el ( B ) , is strictly wea k er tha n the exit cond ition that we would obtain as cou nterpart of the exit condition of the while-loop of Henzing er et al. ’ s R efine dSimilarity proced ure, i.e. ∀ B ∈ P . R el ( B ) = R el prev ( B ) . 17 6.3 The Final Algorithm Follo win g the underly ing ideas that lea d from R efine dSimilarity to HHK , the alg orithm RefinedSA is further refined to its final version SA in Figure 4. The idea is that instead of recompu ting at e ach itera- tion of the while-loop the set R emove = pre Pr evR el ( B ) r pre( ∪ R el ( B )) for the selected b lock B , we maintain a set of states R emove ( B ) ⊆ Σ fo r each b lock B o f the current partition. For any block C , R emove ( C ) is up dated in or der to satisfy the in variant condition Inv 3 : R emove ( C ) con tains exactly the set of states that belong to pre Pr evR el ( C ) but are not in pre( ∪ R el ( C )) , where pre Pr evR el ( C ) is logically defined as in RefinedSA but is n ot really stored . Moreover , th e inv ariant condition In v 4 ensures th at, f or any blo ck C , pre Pr evRe l ( C ) is a un ion of blocks of the current p artition. This allo ws us to re place the operation Split ( P , pre( ∪ R el ( B ))) in RefinedSA with the equivalent sp lit operatio n Split ( P , R emove ) . The correctness of such replacement follo ws from the in variant cond ition Inv 4 by exploiting the following general remark. Lemma 6.3 . 
Let P be a partition, T be a union of blocks in P and S ⊆ T . Th en, Split ( P , S ) = Split ( P , T r S ) . Pr oof. Assum e that B ∩ T = ∅ , so that B ∩ S = ∅ . Then, B ∩ ( T r S ) = B ∩ ( T ∩ ¬ S ) = ∅ = B ∩ S and B r ( T r S ) = ( B ∩ ¬ T ) ∪ ( B ∩ S ) = B = B r S so that B is split n either by T r S nor by S . Otherwise, if B ∩ T 6 = ∅ , because T is a unio n of blocks, then B ⊆ T . Then, B ∩ ( T r S ) = B ∩ ( T ∩ ¬ S ) = B ∩ ¬ S = B r S and B r ( T r S ) = ( B ∩ ¬ T ) ∪ ( B ∩ S ) = B ∩ S so that B is split by T r S in to B 1 and B 2 if and o nly if B is split by S into B 1 and B 2 . W e ha ve thu s shown that Split ( P , S ) = Split ( P , T r S ) . The equiv alence between SA and RefinedSA is a consequence of the following o bserv ation s. – Initially , the inv ariant properties Inv 3 and Inv 4 clearly hold because fo r any block B , pre Pr evRe l ( B ) = Σ . – When a block B prev of the current partition is selected by the while-loop, the corr esponding re- move set R emove ( B prev ) is set to empty at line 9. The inv ariant Inv 3 , na mely ∀ C. R emove ( C ) = pre Pr evR el ( C ) r pre( ∪ R el ( C )) , is maintained at each iteration becau se for any block C such that C ∃∃ B prev the for-loop at lines 23-2 4 increme ntally adds to Remov e ( C ) all the states s th at are in pre Pr evR el ( C ) but not in pre( ∪ R el ( C )) . – If C is a newly g enerated block after splitting P and parent P prev ( C ) is its cor responding paren t block in the par tition before splitting then Remo ve ( C ) is set to R emove (par en t P prev ( C )) by the for-loop at lines 13- 17. – As in RefinedSA , for any blo ck C such that C ∃∃ B prev , a ll the blo cks that ar e co ntained in R emove ( B prev ) are removed from R el ( C ) by the for-loop at lines 20-22. If the exit cond ition of the while- loop of SA is satisfied then, by In v 1 and Inv 3 , the exit c ondition o f RefinedSA is satisfied as well. 
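As an added example (not code from the paper), the following Python implements the algorithm SA of Figure 4 directly on sets: Split returns the parent map so that Rel and Remove can be inherited as at lines 13-17, and the final block-level Rel is flattened and cross-checked against a brute-force fixpoint computation of the simulation preorder. The seven-state Kripke structure, its labels and its transitions are constructed for this example.

```python
# Added example, not code from the paper: a direct set-based implementation of the
# algorithm SA of Figure 4, cross-checked against a brute-force simulation fixpoint.

def pre(trans, targets):
    """pre(S) = {x | x -> y for some y in S}."""
    return {x for x, y in trans if y in targets}

def split(partition, s):
    """Split(P, S): every block B becomes B \\ S and B ∩ S (empty parts dropped).
    Also returns parent_Pprev as a map from each new block to its old block."""
    new_p, parent = [], {}
    for b in partition:
        for part in (b - s, b & s):
            if part:
                new_p.append(part)
                parent[part] = b
    return new_p, parent

def sa(states, trans, label):
    """SA (Figure 4) on a Kripke structure given by its state set, transition pairs
    and labelling.  Returns (P_sim, Rel) where Rel maps a block C to the set of
    blocks D such that every state of D simulates every state of C."""
    by_label = {}
    for s in states:
        by_label.setdefault(label[s], set()).add(s)
    P = [frozenset(b) for b in by_label.values()]          # initial partition P_in
    rel = {b: {b} for b in P}                               # initial Rel: identity
    remove = {b: states - pre(trans, b) for b in P}        # line 3: Σ \ pre(∪Rel(B))
    while True:
        sel = next((b for b in P if remove[b]), None)       # line 4
        if sel is None:
            break
        rm, b_prev = remove[sel], sel                      # lines 8-10
        remove[sel] = set()
        P, parent = split(P, rm)                           # line 12
        # lines 13-17: blocks inherit Rel and Remove from their parent block
        rel = {c: {d for d in P if d <= set().union(*rel[parent[c]])} for c in P}
        remove = {c: set(remove[parent[c]]) for c in P}
        remove_list = [d for d in P if d <= rm]            # line 18
        pre_bprev = pre(trans, b_prev)
        for c in P:                                        # line 19
            if not c & pre_bprev:
                continue
            for d in remove_list:                          # lines 20-24
                if d in rel[c]:
                    rel[c].discard(d)
                    still = pre(trans, set().union(*rel[c]))
                    remove[c] |= pre(trans, d) - still
    return P, rel

def sa_preorder(P, rel):
    """Flatten the block-level answer: (s, t) iff P(t) ∈ Rel(P(s)), i.e. t simulates s."""
    block_of = {s: b for b in P for s in b}
    return {(s, t) for s in block_of for t in block_of if block_of[t] in rel[block_of[s]]}

def brute_force_simulation(states, trans, label):
    """Largest simulation by fixpoint iteration from the label-compatible pairs:
    (s, t) is dropped when some successor of s has no match among t's successors."""
    succ = {s: {y for x, y in trans if x == s} for s in states}
    R = {(s, t) for s in states for t in states if label[s] == label[t]}
    changed = True
    while changed:
        changed = False
        for s, t in list(R):
            if any(all((s2, t2) not in R for t2 in succ[t]) for s2 in succ[s]):
                R.discard((s, t))
                changed = True
    return R

# Constructed sample Kripke structure (not from the paper). State 2 is a dead end, so it
# is simulated by 1 and 5 but does not simulate them; 0 and 4 are simulation-equivalent
# although not bisimilar (0 -> 2 has no bisimilar match from 4); 6 sits strictly below 0 and 4.
STATES = frozenset(range(7))
TRANS = {(0, 1), (0, 2), (1, 3), (4, 5), (5, 3), (6, 2)}
LABEL = {0: "a", 1: "b", 2: "b", 3: "c", 4: "a", 5: "b", 6: "a"}

def run_example():
    """Run SA on the sample and return (P_sim, simulation preorder as a set of pairs)."""
    P, rel = sa(STATES, TRANS, LABEL)
    return set(P), sa_preorder(P, rel)

if __name__ == "__main__":
    P_sim, R = run_example()
    print("P_sim:", sorted(sorted(b) for b in P_sim))
    print("SA agrees with brute force:", R == brute_force_simulation(STATES, TRANS, LABEL))
```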
Figure 5: Partition representation (diagram not reproduced: the doubly linked state list 1, ..., 7 partitioned into the blocks B1 = [1, 3], B2 = [4] and B3 = [5, 7], with each block pointing to its first and last state).

7 Complexity

7.1 Data Structures

SA is implemented by using the following data structures.

(i) The set of states Σ is represented as a doubly linked list where each state s ∈ Σ (represented as an integer) stores the list of its predecessors in pre({s}). This provides a representation of the input transition system. Any state s ∈ Σ also stores a pointer to the block of the current partition that contains s.

(ii) The states of any block B of the current partition are consecutive in the list Σ, so that B is represented by a record that contains two pointers to the first and to the last state in B (see Figure 5). This structure allows us to move a state from a block to a different block in constant time. Moreover, any block B stores its corresponding remove set B.Remove, which is represented as a list of (pointers to) states.

(iii) Any block B additionally stores an integer array RelCount that is indexed over Σ and is defined as follows: for any x ∈ Σ, B.RelCount(x) = Σ_{C ∈ Rel(B)} |{(x, y) | x → y, y ∈ C}| is the number of transitions from x to some block C ∈ Rel(B). The array RelCount allows us to implement in constant time the test s ∉ pre(∪Rel(C)) at line 23 as C.RelCount(s) = 0.

(iv) The current partition is stored as a doubly linked list P of blocks. Newly generated blocks are appended or prepended to this list. Blocks are scanned from the beginning of this list by checking whether the corresponding remove set is empty or not. If an empty remove set of some block B becomes nonempty then B is moved to the end of P.

(v) The current relation Rel on the current partition P is stored as a resizable |P| × |P| boolean matrix [11, Section 17.4]. The algorithm adds a new entry to this matrix, namely a new row and a new column, whenever a block B is split at line 12 into two new blocks B ∖ Remove and B ∩ Remove: the new block B ∖ Remove replaces the old block B in P while a new entry in the matrix Rel corresponds to the new block B ∩ Remove. We will observe later that the overall number of newly generated blocks by the splitting operation at line 12 is exactly 2(|P_sim| − |P_in|). Hence, the total number of insert operations in the matrix Rel is |P_sim| − |P_in| ≤ |P_sim|. Since an insert operation in a resizable array (whose capacity is doubled as needed) takes amortized constant time, the overall cost of inserting new entries into the matrix Rel is in O(|P_sim|²)-time. Let us recall that the standard C++ vector class implements a resizable array, so that a resizable boolean matrix can be easily implemented as a C++ vector of boolean vectors: in this implementation, the algorithm adds a new entry to an N × N matrix by first inserting a new vector of size N + 1 containing false values and then by inserting N + 1 false values in the N + 1 boolean vectors.

7.2 Space and Time Complexity

Let B ∈ P_in be some block of the initial partition P_in and let ⟨B_i⟩_{i ∈ It} be the sequence of all the blocks selected by the while-loop in a sequence It of iterations such that: (a) for any i ∈ It, B_i ⊆ B; (b) if an iteration j ∈ It follows an iteration i ∈ It, denoted by i < j, then B_j is contained in B_i. Observe that B is the parent block in P_in of all the B_i's. Then, one key property of the SA algorithm is that the remove sets in {Remove(B_i)}_{i ∈ It} are pairwise disjoint, so that Σ_{i ∈ It} |Remove(B_i)| ≤ |Σ|.
This property guarantees that if the test D ∈ RemoveList at line 20 is positive at some iteration i ∈ It then for any block D′ ⊆ D and for any successive iteration j > i, with j ∈ It, the test D′ ∈ RemoveList will be negative. Moreover, if the test D ∈ Rel(C) at line 21 is positive at some iteration i ∈ It, so that D is removed from Rel(C), then for all the blocks D′ and C′ such that D′ ⊆ D and C′ ⊆ C the test D′ ∈ Rel(C′) will be negative for all the iterations j > i. As a further consequence, since a splitting operation Split(P, Remove) can be executed in O(|Remove|)-time, it turns out that the overall cost of all the splitting operations is in O(|P_sim||Σ|)-time. Furthermore, by using the data structures described by points (iii) and (v) in Section 7.1, the tests D ∈ Rel(C) at line 21 and s ∉ pre(∪Rel(C)) at line 23 can be executed in constant time. A careful analysis that exploits these key facts allows us to show that the total running time of SA is in O(|P_sim||→|).

Theorem 7.1. The algorithm SA runs in O(|P_sim||→|)-time and O(|P_sim||Σ| log |Σ|)-space.

Proof. Let It denote the sequence of iterations of the while-loop for some run of SA, where for any i, j ∈ It, i < j means that j follows i. Moreover, for any i ∈ It, B_i denotes the block selected by the while-loop at line 4, Remove(B_i) ≠ ∅ denotes the corresponding nonempty remove set, pre(∪Rel(B_i)) denotes the corresponding set for B_i, while ⟨P_i, Rel_i⟩ denotes the partition-relation pair at the entry point of the for-loop at line 19. Consider the set ℬ ≝ {B_i ∈ P_i | i ∈ It} of selected blocks and the following relation on ℬ:

  B_i ⊴ B_j ⇔ B_i ⊊ B_j or (B_i = B_j and i ≥ j)

It turns out that ⟨ℬ, ⊴⟩ is a poset. In fact, ⊴ is trivially reflexive. Also, ⊴ is transitive: assume that B_i ⊴ B_j and B_j ⊴ B_k; if B_i = B_j = B_k then i ≥ j ≥ k so that B_i ⊴ B_k; otherwise either B_i ⊊ B_j or B_j ⊊ B_k, so that B_i ⊊ B_k and therefore B_i ⊴ B_k. Finally, ⊴ is antisymmetric: if B_i ⊴ B_j and B_j ⊴ B_i then B_i = B_j and i ≥ j ≥ i, so that i = j. Moreover, B_i ⊲ B_j denotes the corresponding strict order: this happens when either B_i ⊊ B_j or B_i = B_j and i > j. The time complexity bound is shown incrementally by the following points.

(A) For any B_i, B_j ∈ ℬ, if B_i ⊆ B_j and j < i then Remove(B_i) ∩ Remove(B_j) = ∅.

Proof. By invariant Inv3, Remove(B_j) ∩ pre(∪Rel_j(B_j)) = ∅. At iteration j, Remove(B_j) is set to ∅ at line 9. If B_j generates, by the splitting operation at line 12, two new blocks B1, B2 ⊆ B_j then their remove sets are set to ∅ at line 16. Successively, SA may add at line 24 of some iteration k ≥ j a state s to the remove set Remove(C) of a block C ⊆ B_j only if s ∈ pre(∪Rel_k(C)). We also have that ∪Rel_k(C) ⊆ ∪Rel_j(B_j), so that pre(∪Rel_k(C)) ⊆ pre(∪Rel_j(B_j)). Thus, if B_i ⊆ B_j and i > j then Remove(B_i) ⊆ pre(∪Rel_j(B_j)). Therefore, Remove(B_j) ∩ Remove(B_i) ⊆ Remove(B_j) ∩ pre(∪Rel_j(B_j)) = ∅.

(B) The overall number of newly generated blocks by the splitting operation at line 12 is 2(|P_sim| − |P_in|).

Proof. Let {P_i}_{i ∈ [0,n]} be the sequence of partitions computed by SA, where P_0 is the initial partition P_in, P_n is the final partition P_sim and, for all i ∈ [0, n−1], P_{i+1} refines P_i. The number of newly generated blocks by one splitting operation that refines P_i to P_{i+1} is given by 2(|P_{i+1}| − |P_i|). Thus, the overall number of newly generated blocks is Σ_{i=0}^{n−1} 2(|P_{i+1}| − |P_i|) = 2(|P_sim| − |P_in|).

(C) The time complexity of the for-loop at line 3 is in O(|P_in||→|).

Proof.
For any B ∈ P_in, pre(∪Rel(B)) is computed in O(|→|)-time, so that Σ ∖ pre(∪Rel(B)) is computed in O(|→|)-time as well. The time complexity of the initialization of the remove sets is therefore in O(|P_in||→|).

(D) The overall time complexity of lines 8 and 18 is in O(|P_sim||Σ|).

Proof. Note that at line 18, Remove is a union of blocks of the current partition P. As described in Section 7.1 (i), each state s also stores a pointer to the block of the current partition that contains s. The list of blocks RemoveList is therefore computed by scanning all the states in Remove(B_i), where B_i is the selected block at iteration i, so that the overall time complexity of lines 8 and 18 is bounded by 2 Σ_{i ∈ It} |Remove(B_i)|. For any block E ∈ P_sim of the final partition we define the following subset of iterations: It_E ≝ {i ∈ It | E ⊆ B_i}. Since for any i ∈ It, P_sim refines P_i, we have that for any i ∈ It there exists some E ∈ P_sim such that i ∈ It_E. Note that if i, j ∈ It_E and i < j then B_j ⊆ B_i and, by point (A), this implies that Remove(B_i) ∩ Remove(B_j) = ∅. Thus,

  2 Σ_{i ∈ It} |Remove(B_i)|
    ≤ [by definition of It_E] 2 Σ_{E ∈ P_sim} Σ_{i ∈ It_E} |Remove(B_i)|
    ≤ [as the sets in {Remove(B_i)}_{i ∈ It_E} are pairwise disjoint] 2 Σ_{E ∈ P_sim} |Σ| = 2|P_sim||Σ|.

(E) The overall time complexity of line 10, i.e. of copying the list of states of the selected block B, is in O(|P_sim||Σ|).

Proof. For any block E ∈ P_sim of the final partition we define the following subset of iterations: It_E ≝ {i ∈ It | E ⊆ Remove(B_i)}. Since for any i ∈ It, P_sim refines P_i and Remove(B_i) is a union of blocks of P_i, it turns out that for any i ∈ It there exists some E ∈ P_sim such that i ∈ It_E. Note that if i, j ∈ It_E and i ≠ j then B_j ∩ B_i = ∅: this is a consequence of point (A), because E ⊆ Remove(B_i) ∩ Remove(B_j) ≠ ∅ implies that B_j ⊈ B_i and B_i ⊈ B_j, so that B_i ∩ B_j = ∅. Thus,

  Σ_{i ∈ It} |B_i|
    ≤ [by definition of It_E] Σ_{E ∈ P_sim} Σ_{i ∈ It_E} |B_i|
    ≤ [as the blocks in {B_i}_{i ∈ It_E} are pairwise disjoint] Σ_{E ∈ P_sim} |Σ| = |P_sim||Σ|.

      1  ListOfBlocks Split(PartitionRelation& P, SetOfStates S) {
      2    ListOfBlocks split = empty;
      3    forall s in S do {
      4      Block B = s.block;
      5      if (B.intersection == NULL) then {
      6        B.intersection = new Block;
      7        if (B.Remove == ∅) then P.prepend(B.intersection);
      8        else P.append(B.intersection);
      9        split.append(B);
     10      }
     11      move s from B to B.intersection;
     12      if (B == empty) then {   // B ⊆ S: B was not really split, so restore it and drop the extra block
     13        B = copy(B.intersection);
     14        P.remove(B.intersection);
     15        delete B.intersection;
     16        split.remove(B);
     17      }
     18    }
     19    return split;
     20  }
     21
     22  SplittingProcedure(P, S) {
     23    /* Pprev = P; */
     24    ListOfBlocks split = Split(P, S);
     25    /* assert(split == {B ∖ S ∈ P | B ∖ S ∉ Pprev}) */
     26    forall B in split do {
     27      Rel.addNewEntry(B.intersection);
     28      B.intersection.Remove = copy(B.Remove);
     29    }
     30    forall B in P do
     31      forall C in split do Rel(B, C.intersection) = Rel(B, C);
     32    forall B in split do {
     33      forall C in P do Rel(B.intersection, C) = Rel(B, C);
     34      forall x in Σ do B.intersection.RelCount(x) = B.RelCount(x);
     35    }
     36  }

     Figure 6: C++ pseudocode implementation of the splitting procedure.

(F) The overall time complexity of lines 11-17 is in O(|P_sim||→|).

Proof. Figure 6 describes a C++ pseudocode implementation of lines 11-17. By using the data structures described in Section 7.1, and in particular in Figure 5, all the operations of the procedure Split take constant time, so that any call Split(P, S) takes O(|S|) time. Let us now consider SplittingProcedure.

– The overall time complexity of the splitting operation at line 24 is in O(|P_sim||Σ|).
Each call Split(P, Remove(B_i)) takes O(|Remove(B_i)|) time. Then, analogously to the proof of point (D), the overall time complexity of line 24 is bounded by Σ_{i ∈ It} |Remove(B_i)| ≤ |P_sim||Σ|.

– The overall time complexity of the for-loop at lines 26-29 is in O(|P_sim||Σ|). It is only worth noticing that, since the boolean matrix that stores Rel is resizable, each operation at line 27 that adds a new entry to this resizable matrix has an amortized cost in O(|P_sim|): in fact, the resizable matrix is just a resizable array A of resizable arrays, so that when we add a new entry we need to add a new entry to A and then a new entry to each array in A (cf. point (v) in Section 7.1). Thus, the overall time complexity of line 26 is in O(|P_sim|²).

– The overall time complexity of the for-loop at lines 30-31 is in O(|P_sim|²).

– The overall time complexity of the for-loop at lines 32-35 is in O(|P_sim||→|). This is a consequence of the fact that the overall time complexity of the for-loops at lines 33 and 34 is in O(|P_sim||→|).

Thus, the overall time complexity of SplittingProcedure(P, Remove) is in O(|P_sim||→|).

(G) The overall time complexity of lines 19-21 is in O(|P_sim||→|).

Proof. For any B_i ∈ ℬ, let arr(B_i) ≝ Σ_{x ∈ B_i} |pre({x})| denote the number of transitions that end in some state of B_i and rem(B_i) ≝ |{D ∈ P_i | D ⊆ Remove(B_i)}| denote the number of blocks of P_i contained in Remove(B_i). We also define two functions f_⊲, f_⊴ : ℬ → ℘(P_sim) as follows:

  f_⊲(B_i) ≝ {D ∈ P_sim | D ∩ (∪{Remove(B_j) | B_j ∈ ℬ, B_i ⊲ B_j}) = ∅}
  f_⊴(B_i) ≝ {D ∈ P_sim | D ∩ (∪{Remove(B_j) | B_j ∈ ℬ, B_i ⊴ B_j}) = ∅}

Let us show the following property:

  ∀B_i ∈ ℬ. rem(B_i) + |f_⊴(B_i)| ≤ |f_⊲(B_i)|.   (‡)

We first observe that since P_sim refines P_i, rem(B_i) ≤ |{D ∈ P_sim | D ⊆ Remove(B_i)}|. Moreover, the sets {D ∈ P_sim | D ⊆ Remove(B_i)} and f_⊴(B_i) are disjoint and their union gives f_⊲(B_i). Hence,

  rem(B_i) + |f_⊴(B_i)| ≤ |{D ∈ P_sim | D ⊆ Remove(B_i)}| + |f_⊴(B_i)|
                        = |{D ∈ P_sim | D ⊆ Remove(B_i)} ∪ f_⊴(B_i)| = |f_⊲(B_i)|.

Given B_k ∈ ℬ, let us show by induction on the height h(B_k) ≥ 0 of B_k in the poset ⟨ℬ, ⊴⟩ that

  Σ_{B_i ⊴ B_k} arr(B_i) rem(B_i) ≤ arr(B_k) |f_⊲(B_k)|.   (∗)

(h(B_k) = 0): By property (‡), rem(B_k) ≤ |f_⊲(B_k)|, so that Σ_{B_i ⊴ B_k} arr(B_i) rem(B_i) = arr(B_k) rem(B_k) ≤ arr(B_k) |f_⊲(B_k)|.

(h(B_k) > 0): Let max({B_i ∈ ℬ | B_i ⊲ B_k}) = {C_1, ..., C_n}. Note that if i ≠ j then C_i ∩ C_j = ∅, so that Σ_i arr(C_i) ≤ arr(B_k), since ∪_i C_i ⊆ B_k. Let us observe that for any maximal C_i, f_⊲(C_i) ⊆ f_⊴(B_k), because ∪{Remove(B_j) | B_j ∈ ℬ, B_k ⊴ B_j} ⊆ ∪{Remove(B_j) | B_j ∈ ℬ, C_i ⊲ B_j}, since B_k ⊴ B_j and C_i ⊲ B_k imply C_i ⊲ B_j. Hence, we have that

  Σ_{B_i ⊴ B_k} arr(B_i) rem(B_i)
    = [by maximality of the C_i's] arr(B_k) rem(B_k) + Σ_{C_i} Σ_{D ⊴ C_i} arr(D) rem(D)
    ≤ [by inductive hypothesis on h(C_i) < h(B_k)] arr(B_k) rem(B_k) + Σ_{C_i} arr(C_i) |f_⊲(C_i)|
    ≤ [as f_⊲(C_i) ⊆ f_⊴(B_k)] arr(B_k) rem(B_k) + |f_⊴(B_k)| Σ_{C_i} arr(C_i)
    ≤ [as Σ_{C_i} arr(C_i) ≤ arr(B_k)] arr(B_k) rem(B_k) + |f_⊴(B_k)| arr(B_k)
    = arr(B_k)(rem(B_k) + |f_⊴(B_k)|)
    ≤ [by (‡), rem(B_k) + |f_⊴(B_k)| ≤ |f_⊲(B_k)|] arr(B_k) |f_⊲(B_k)|.

Let us now show that the global time complexity of lines 19-21 is in O(|P_sim||→|).
Let max(ℬ) = {M_1, ..., M_k} be the maximal elements in ℬ, so that for any i ≠ j, M_i ∩ M_j = ∅, and in turn we have that Σ_{M_i ∈ max(ℬ)} arr(M_i) ≤ |→|. By using the data structures described in Section 7.1, the test D ∈ Rel(C) at line 21 takes constant time. Then, the overall complexity of lines 19-21 is

  Σ_{B_i ∈ ℬ} arr(B_i) rem(B_i)
    = [as the M_i's are maximal in ℬ] Σ_{M_i ∈ max(ℬ)} Σ_{D ⊴ M_i} arr(D) rem(D)
    ≤ [by property (∗) above] Σ_{M_i ∈ max(ℬ)} arr(M_i) |P_sim|
    = |P_sim| Σ_{M_i ∈ max(ℬ)} arr(M_i)
    ≤ [as Σ_{M_i ∈ max(ℬ)} arr(M_i) ≤ |→|] |P_sim||→|.

(H) The overall time complexity of lines 22-24 is in O(|P_sim||→|).

Proof. Let 𝒫 denote the multiset of pairs of blocks (C, D) ∈ P_i that are scanned at lines 19-20 at some iteration i ∈ It such that D ∈ Rel_i(C). By using the data structures described in Section 7.1, the test s ∉ pre(∪Rel(C)) and the statement Rel(C) := Rel(C) ∖ {D} take constant time. Moreover, the statement Remove(C) := Remove(C) ∪ {s} also takes constant time, because if a state s is added to Remove(C) at line 24 then s was not already in Remove(C), so that this operation can be implemented simply by appending s to the list of states that represents Remove(C). Therefore, the overall time complexity of the body of the if-then statement at lines 21-24 is Σ_{(C,D) ∈ 𝒫} arr(D). We notice the following fact. Let i, j ∈ It such that i < j and let (C, D_i) and (C, D_j) be pairs of blocks scanned at lines 19-20, respectively, at iterations i and j such that D_j ⊆ D_i. Then, if the test D_i ∈ Rel_i(C) is true at iteration i then the test D_j ∈ Rel_j(C) is false at iteration j. This is a consequence of the fact that if D ∈ Rel_i(C) then D is removed from Rel_i(C) at line 22 and ∪Rel_j(C) ⊆ ∪Rel_i(C), so that D ∩ ∪Rel_j(C) = ∅. Hence, if (C, D), (C, D′) ∈ 𝒫 then D ∩ D′ = ∅. We define the set 𝒞 ≝ {C | ∃D. (C, D) ∈ 𝒫} and, given C ∈ 𝒞, the multiset 𝒟_C ≝ {D | (C, D) ∈ 𝒫}. Observe that |𝒞| is bounded by the number of blocks that appear in some partition P_i, so that by point (B), |𝒞| ≤ 2(|P_sim| − |P_in|) + |P_in| ≤ 2|P_sim|. Moreover, the observation above implies that 𝒟_C is indeed a set and the blocks in 𝒟_C are pairwise disjoint. Thus,

  Σ_{(C,D) ∈ 𝒫} arr(D) = Σ_{C ∈ 𝒞} Σ_{D ∈ 𝒟_C} arr(D)
    ≤ [as the blocks in 𝒟_C are pairwise disjoint] Σ_{C ∈ 𝒞} |→|
    ≤ [as |𝒞| ≤ 2|P_sim|] 2|P_sim||→|.

Summing up, we have shown that the overall time complexity of SA is in O(|P_sim||→|).

The space complexity is in O(|Σ| log |P_sim| + |P_sim| + |P_sim|² + |P_sim||Σ| log |Σ|) = O(|P_sim||Σ| log |Σ|), where:

– The pointers from any state s ∈ Σ to the block of the current partition that contains s are stored in O(|Σ| log |P_sim|) space.

– The current partition P is stored in O(|P_sim|) space.

– The current relation Rel is stored in O(|P_sim|²) space.

– Each block of the current partition stores the corresponding remove set in O(|Σ|) space and the integer array RelCount in O(|Σ| log |Σ|), so that these globally take O(|P_sim||Σ| log |Σ|) space. □

8 Experimental Evaluation

A pseudocode implementation of the algorithm SA that shows how the data structures in Section 7.1 are actually used is in Figure 7, where SplittingProcedure has been introduced above in Figure 6. We implemented in C++ both our simulation algorithm SA and the HHK algorithm in order to experimentally compare the time and space performances of SA and HHK. In order to make the comparison as meaningful as possible, these two C++ implementations use the same data structures for storing transition systems, sets of states and tables.

     Initialize(PartitionRelation P) {
       forall B in P do {
         B.Remove = pre(Σ) ∖ pre(∪{C in P | Rel(B, C)});
         forall x in Σ do B.RelCount(x) = 0;
       }
       forall B in P do
         forall y in B do
           forall x in pre({y}) do
             forall C in P such that Rel(C, B) do C.RelCount(x)++;
     }

     SA(PartitionRelation P) {
       Initialize(P);
       forall B in P such that (B.Remove ≠ ∅) do {
         Set Remove = B.Remove;
         B.Remove = ∅;
         Set Bprev = B;
         SplittingProcedure(P, Remove);
         ListOfBlocks RemoveList = {D ∈ P | D ⊆ Remove};
         forall C in P such that (C ∩ pre(Bprev) ≠ ∅) do
           forall D in RemoveList do
             if (Rel(C, D)) then {
               Rel(C, D) = 0;
               forall d in D do
                 forall x in pre(d) do {
                   C.RelCount(x)--;
                   if (C.RelCount(x) == 0) then {
                     C.Remove = C.Remove ∪ {x};
                     P.moveAtTheEnd(C);
                   }
                 }
             }
       }
     }

     Figure 7: C++ pseudocode implementation of SA.

Our benchmarks include systems from the VLTS (Very Large Transition Systems) benchmark suite [30] and some publicly available Esterel programs. These models are represented as labeled transition systems (LTSs) where labels are attached to transitions. Since the versions of SA and HHK considered in this paper both need as input a Kripke structure, namely a transition system where labels are attached to states, we exploited a procedure by Dovier et al. [16] that transforms an LTS M into a Kripke structure M′ in such a way that bisimulation and simulation equivalences on M and M′ coincide. This transformation acts as follows: any labeled transition s1 −l→ s2 is replaced by two unlabeled transitions s1 → n and n → s2, where n is a new node that is labeled with l, while all the original states in M have the same label. This labeling provides an initial partition on M′ which is denoted by P_in. Hence, this transformation grows the size of the model as follows: the number of transitions is doubled and the number of states of M′ is the sum of the number of states and transitions of M. Also, the models cwi_3_14, vasy_5_9, vasy_25_25 and vasy_8_38 have non-total transition relations. The vasy_* and cwi_* systems are taken from the VLTS suite, while the remaining systems are the following Esterel programs: WristWatch and ShockDance are taken from the programming examples of Esterel [17], ObsArbitrer4 and AtLeastOneAck4 are described in the technical report [3], and lift, NoAckWithoutReq and one_pump are provided together with the fc2symbmin tool that is used by Xeve, a graphical verification environment for Esterel programs [4, 31].

Our experimental evaluation was carried out on an Intel Core 2 Duo 1.86 GHz PC, with 2 GB RAM, running Linux and GNU g++ 4. The results are summarised in Table 1, where we list the name of the transition system, the number of states and transitions of the transformed transition system, the number of blocks of the initial partition, the number of blocks of the final simulation equivalence partition (that is known when one algorithm terminates), the execution time in seconds and the allocated memory in MB (this has been obtained by means of glibc-memusage) both for HHK and SA, where o.o.m. means that the algorithm ran out of memory (2 GB). The comparative experimental evaluation shows that SA outperforms HHK both in time and in space. In fact, the experiments demonstrate that SA improves on HHK by about two orders of magnitude in time and one order of magnitude in space. The sum of time and space measures on the eight models where both HHK and SA terminate is 64.555 vs. 1.39 seconds in time and 681.303 vs. 52.102 MB in space. Our experiments considered 18 models: HHK terminates on 8 models while SA terminates on 14 of these 18 models. Also, the size of the models (states plus transitions) on which SA terminates, compared with HHK, grows by about one order of magnitude.
Table 1: Results of the experimental evaluation. Input columns: model, |Σ|, |→|, |P_in|; output column: |P_sim|; then time (seconds) and space (MB) for HHK and for SA ("??" marks a |P_sim| that is unknown because neither algorithm terminated).

  Model             |Σ|      |→|     |P_in|  |P_sim|   HHK time  HHK space   SA time  SA space
  cwi_1_2           4339     4774      27      2401     22.761       191      0.76        41
  cwi_3_14         18548    29104       3       123          –    o.o.m.      0.96         9
  vasy_0_1          1513     2448       3        21      1.303        27      0.03     0.229
  vasy_10_56       67005   112312      13        ??          –    o.o.m.         –    o.o.m.
  vasy_1_4          5647     8928       7        87      37.14       407      0.28         2
  vasy_18_73       91789   146086      18        ??          –    o.o.m.         –    o.o.m.
  vasy_25_25       50433    50432   25217        ??          –    o.o.m.         –    o.o.m.
  vasy_40_60      100013   120014       4        ??          –    o.o.m.         –    o.o.m.
  vasy_5_9         15162    19352      32       409          –    o.o.m.      1.63        24
  vasy_8_24        33290    48822      12      1423          –    o.o.m.      5.95       182
  vasy_8_38        47345    76848      82       963          –    o.o.m.      8.15       176
  WristWatch        1453     1685      23      1146      1.425        31      0.15         6
  ShockDance         379      459      10       327       0.75         2      0.03     0.547
  ObsArbitrer4     17389    21394      10       159          –    o.o.m.       0.3        11
  AtLeastOneAck4     435      507      18       112      0.363         2      0.02     0.219
  lift               138      163      33       112       0.11     0.303      0.02     0.107
  NoAckWithoutReq   1212     1372      18       413      0.703        21       0.1         2
  one_pump         15774    17926      22      3193          –    o.o.m.     13.64       194

9 Conclusion

We presented a new efficient algorithm for computing the simulation preorder in O(|P_sim||→|)-time and O(|P_sim||Σ| log |Σ|)-space, where P_sim is the partition induced by simulation equivalence on some Kripke structure (Σ, →). This improves the best available time bound O(|Σ||→|) given by Henzinger, Henzinger and Kopke's [23] and by Bloom and Paige's [2] simulation algorithms, which however suffer from a space complexity that is bounded from below by Ω(|Σ|²). A better space bound is given by Gentilini et al.'s [18] algorithm, subsequently corrected by van Glabbeek and Ploeger [21], whose space complexity is in O(|P_sim|² + |Σ| log |P_sim|), but which runs in O(|P_sim|²|→|)-time. Our algorithm is designed as an adaptation of Henzinger et al.'s procedure, and abstract interpretation techniques are used for proving its correctness. As future work, we plan to investigate whether the techniques used for designing this new simulation algorithm may be generalized and adapted to other behavioural equivalences like branching simulation equivalence (a weakening of branching bisimulation equivalence [15]). It is also interesting to investigate whether this new algorithm may admit a symbolic version based on BDDs.

Acknowledgements. The authors are grateful to the anonymous referees for their detailed and helpful comments and to Silvia Crafa for many useful discussions. This work was partially supported by the FIRB Project "Abstract interpretation and model checking for the verification of embedded systems", by the PRIN 2007 Project "AIDA2007: Abstract Interpretation Design and Applications" and by the University of Padova under the Project "Formal methods for specifying and verifying behavioural properties of software systems". This paper is an extended and revised version of [28].

References

[1] C. Baier and J.-P. Katoen. Principles of Model Checking. The MIT Press, 2008.
[2] B. Bloom and R. Paige. Transformational design and implementation of a new efficient solution to the ready simulation problem. Sci. Comp. Program., 24(3):189–220, 1995.
[3] A. Bouali. Xeve: an Esterel Verification Environment (version v1_3). Rapport Technique 214/1997, INRIA, 1997.
[4] A. Bouali. Xeve: an Esterel verification environment. In Proc. 10th CAV, LNCS 1427, pp. 500–504, 1998.
[5] M.C. Browne, E.M. Clarke and O. Grumberg. Characterizing finite Kripke structures in propositional temporal logic. Theor. Comp. Sci., 59:115–131, 1988.
[6] D. Bustan and O. Grumberg. Simulation-based minimization. ACM Trans. Comput. Log., 4(2):181–204, 2003.
[7] E.M. Clarke, O. Grumberg, S. Jha, Y. Lu and H. Veith. Progress on the state explosion problem in model checking. In Informatics - 10 Years Back, 10 Years Ahead, LNCS 2000, pp. 176–194, 2001.
[8] E.M. Clarke, O. Grumberg and D. Long. Model checking and abstraction. ACM Trans. Program. Lang. Syst., 16(5):1512–1542, 1994.
[9] E.M. Clarke, O. Grumberg and D.A. Peled. Model Checking. The MIT Press, 1999.
[10] R. Cleaveland and O. Sokolsky. Equivalence and preorder checking for finite-state systems. In J.A. Bergstra, A. Ponse, S.A. Smolka eds., Handbook of Process Algebra, North-Holland, pp. 391–424, 2001.
[11] T.H. Cormen, C.E. Leiserson, R.L. Rivest and C. Stein. Introduction to Algorithms. The MIT Press and McGraw-Hill, 2nd ed., 2001.
[12] P. Cousot and R. Cousot. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In Proc. 4th ACM POPL, pp. 238–252, 1977.
[13] P. Cousot and R. Cousot. Systematic design of program analysis frameworks. In Proc. 6th ACM POPL, pp. 269–282, 1979.
[14] D. Dams, O. Grumberg and R. Gerth. Generation of reduced models for checking fragments of CTL. In Proc. 5th CAV, LNCS 697, pp. 479–490, 1993.
[15] R. De Nicola and F. Vaandrager. Three logics for branching bisimulation. J. ACM, 42(2):458–487, 1995.
[16] A. Dovier, C. Piazza and A. Policriti. An efficient algorithm for computing bisimulation equivalence. Theor. Comput. Sci., 325(1):45–67, 2004.
[17] Esterel Programming Examples. http://www-sop.inria.fr/esterel.org/Html/Downloads/Downloads.htm
[18] R. Gentilini, C. Piazza and A. Policriti. From bisimulation to simulation: coarsest partition problems. J. Automated Reasoning, 31(1):73–103, 2003.
[19] R. Giacobazzi and E. Quintarelli. Incompleteness, counterexamples and refinements in abstract model checking. In Proc. 8th SAS, LNCS 2126, pp. 356–373, 2001.
[20] R. Giacobazzi and F. Ranzato. Optimal domains for disjunctive abstract interpretation. Sci. Comp. Program., 32:177–210, 1998.
[21] R. van Glabbeek and B. Ploeger. Correcting a space-efficient simulation algorithm. In Proc. 20th CAV, LNCS 5123, pp. 517–529, 2008.
[22] O. Grumberg and D.E. Long. Model checking and modular verification. ACM Trans. Program. Lang. Syst., 16(3):843–871, 1994.
[23] M.R. Henzinger, T.A. Henzinger and P.W. Kopke. Computing simulations on finite and infinite graphs. In Proc. 36th FOCS, pp. 453–462, 1995.
[24] A. Kucera and R. Mayr. Why is simulation harder than bisimulation? In Proc. 13th CONCUR, LNCS 2421, pp. 594–610, 2002.
[25] C. Loiseaux, S. Graf, J. Sifakis, A. Bouajjani and S. Bensalem. Property preserving abstractions for the verification of concurrent systems. Formal Methods in System Design, 6:1–36, 1995.
[26] R. Paige and R.E. Tarjan. Three partition refinement algorithms. SIAM J. Comput., 16(6):973–989, 1987.
[27] F. Ranzato and F. Tapparo. Generalized strong preservation by abstract interpretation. J. Logic and Computation, 17(1):157–197, 2007.
[28] F. Ranzato and F. Tapparo. A new efficient simulation equivalence algorithm. In Proc. 22nd IEEE Symp. on Logic in Computer Science (LICS'07), pp. 171–180, IEEE Press, 2007.
[29] L. Tan and R. Cleaveland. Simulation revisited. In Proc. 7th TACAS, LNCS 2031, pp. 480–495, 2001.
[30] The VLTS Benchmark Suite. http://www.inrialpes.fr/vasy/cadp/resources/benchmark_bcg.html
[31] Xeve: Esterel Verification Environment. http://www-sop.inria.fr/meije/verification/Xeve