Complexity of Liveness in Parameterized Systems
Peter Chini
Roland Meyer
Prakash Saivasan
Abstract
We investigate the fine-grained complexity of liveness verification for leader contributor systems. These consist of a designated leader thread and an arbitrary number of identical contributor threads communicating via a shared memory. The liveness verification problem asks whether there is an infinite computation of the system in which the leader reaches a final state infinitely often. Like its reachability counterpart, the problem is known to be NP-complete. Our results show that, even from a fine-grained point of view, the complexities differ only by a polynomial factor.

Liveness verification decomposes into reachability and cycle detection. We present a fixed point iteration solving the latter in polynomial time. For reachability, we reconsider the two standard parameterizations. When parameterized by the number of states of the leader L and the size of the data domain D, we show an (L + D)^{O(L + D)}-time algorithm. It improves on a previous algorithm, thereby settling an open problem. When parameterized by the number of states of the contributor C, we reuse an O*(2^C)-time algorithm. We show how to connect both algorithms with the cycle detection to obtain algorithms for liveness verification. The running times of the composed algorithms match those of reachability, proving that the fine-grained lower bounds for liveness verification are met.

Theory of computation → Formal languages and automata theory; Theory of computation → Problems, reductions and completeness
Keywords and phrases
Liveness Verification, Fine-Grained Complexity, Parameterized Systems.
Digital Object Identifier
© Peter Chini, Roland Meyer, and Prakash Saivasan; licensed under Creative Commons License CC-BY. Leibniz International Proceedings in Informatics, Schloss Dagstuhl – Leibniz-Zentrum für Informatik, Dagstuhl Publishing, Germany.

We study the fine-grained complexity of liveness verification for parameterized systems formulated in the leader contributor model. The model [25, 15] assumes a distinguished leader thread interacting (via a shared memory) with a finite but arbitrary number of indistinguishable contributor threads. The liveness verification problem [13] asks whether there is an infinite computation of the system in which the leader visits a set of final states infinitely often. Fine-grained complexity [12, 9] studies the impact of parameters associated with an algorithmic problem on the problem's complexity, like the influence of the contributor size on the complexity of liveness verification. The goal is to develop deterministic algorithms that are provably optimal. We elaborate on the three ingredients of our study.

The leader contributor model has attracted considerable attention [25, 15, 13, 30, 16, 22, 7]. From a modeling point of view, a variety of systems can be formulated as anonymous entities interacting with a central authority, examples being client-server applications, resource-management systems, and distributed protocols on wireless sensor networks. From an algorithmic point of view, the model has led to positive surprises. Hague [25] proved decidability of reachability even in a setting where the system components are pushdown automata. La Torre et al. [30] generalized the result to any class of components that satisfies mild assumptions, the most crucial of which being computability of downward closures. As for the complexity, Esparza et al. [15, 16] proved
PSPACE-completeness for Hague's model and NP-completeness in the setting where the components are given by finite-state automata. The liveness problem was first studied in [13]. Interestingly, liveness has the same complexity as reachability: it is NP-complete for finite-state systems. Fortin et al. [22] generalized the study to LTL-definable properties and gave conditions for NEXPTIME-completeness.

Fine-grained complexity is a field within parameterized complexity [12, 9]. Parameterized complexity intends to explain the following gap between theory and practice that is observed throughout algorithmics. Despite a high worst-case complexity, tools may have an easy time solving a problem. Parameterized complexity argues that measuring the complexity of a problem in terms of the size of the input, typically denoted by n, is too rough. One should consider further parameters k that capture the shape of the input or the solution sought. Then the gap is due to the fact that tools implement an algorithm running in time f(k) · poly(n). Here, f may be an exponential function, but it only depends on the parameter, and that parameter is small in practice. Problems solvable by such an algorithm are called fixed-parameter tractable and belong to the complexity class FPT. Fine-grained complexity is the study of the precise function f that is needed, via upper and lower bound arguments.

The fine-grained complexity of the reachability problem for the leader contributor model was studied in our previous work [7]. We assumed that the components are finite state and considered two parameterizations. When parameterized by the size of the contributors C, we showed that reachability can be solved in time O*(2^C). The notation O* suppresses polynomial factors in the running time. Interestingly, this is the best one can hope for. An algorithm with a subexponential dependence on C, to be precise an algorithm running in time 2^{o(C)}, would contradict the so-called exponential time hypothesis (ETH).
The ETH [27] is a standard hardness assumption in parameterized complexity that is used to derive relative lower bounds. The second parameterization is by the size of the leader L and the size of the data domain D. We gave an algorithm running in time (LD)^{O(LD)}. Interestingly, the lower bound is only 2^{o((L + D) · log(L + D))}. Being off by a quadratic factor in the exponent means a substantial gap for a deterministic algorithm.

In the present paper, we study the fine-grained complexity of the liveness verification problem. We assume finite-state components and consider the same parameterizations as for reachability. The surprise is in the parameterization by L and D. We give an algorithm running in time (L + D)^{O(L + D)}. This matches the lower bound and closes the gap for reachability. When parameterized by the size of the contributors, we obtain an O*(2^C) algorithm.

To explain the algorithms, note that a live computation decomposes into a prefix and an accepting cycle. Finding prefixes is a matter of reachability. We show how to combine reachability algorithms with a cycle detection to obtain algorithms that find live computations. The resulting algorithms run in time O(Reach(L, D, C) · Cycle(L, D, C)), where Reach(L, D, C) denotes the running time of the invoked reachability algorithm and Cycle(L, D, C) that of the cycle detection. This result allows for considering reachability and cycle detection separately.

Our first main contribution is an algorithm for reachability when L and D are given as parameters. It runs in time (L + D)^{O(L + D)} and significantly improves upon the (LD)^{O(LD)}-time algorithm from [7]. Moreover, it is optimal in the fine-grained sense: it closes the gap between upper and lower bound. The algorithm works over sketches of computations. A sketch is valid if there is an actual computation corresponding to it. In [7], we performed a single validity check for each sketch.
Here, we show that valid sketches can be built up inductively from small sketches. To this end, we interleave validity checks with compression phases. Our algorithm is a dynamic programming on small sketches, exploiting the inductive approach.

Our second main result is an algorithm for detecting cycles. We show that the problem is actually solvable in polynomial time. Technically, we employ a characterization of cycles via (certain) SCC decompositions of the contributor automaton. These decompositions can be computed by a fixed point iteration invoking Tarjan's algorithm [34] in polynomial time. Since Cycle(L, D, C) is polynomial, liveness has the same complexity as reachability also in the fine-grained sense. With the above result, we obtain the mentioned algorithms for liveness by composing the reachability algorithms with the cycle detection.

Related Work.
Parameterized complexity has also been studied for other verification problems. Farzan and Madhusudan [17] consider the problem of predicting atomicity violations. Depending on the synchronization, they either obtain an efficient fine-grained algorithm or prove an FPT-algorithm unlikely. In [14], the authors give an efficient (fine-grained) algorithm for the problem of checking TSO serializability. In [5], we studied the fine-grained complexity of bounded context switching [32], including lower bounds on the complexity. In [7], we gave a parameterized analysis of the bounded write-stage restriction, a generalization of bounded context switching [2]. The problem turns out to be hard for different parameterizations, and has a large number of hard instances. In a series of papers [19, 18, 35], Fernau et al. studied FPT-algorithms for problems from automata theory.

Related to leader contributor systems are broadcast networks (ad-hoc networks) [33, 11]. These consist of an arbitrary number of finite-state contributors that communicate via message passing. There is no leader. This has an impact on the complexity of safety [10, 23] and liveness [6, 3] verification, which drops from NP (leader contributor systems) to P.

More broadly, the verification of parameterized systems is an active field of research [4]. Prominent approaches are well-structuredness arguments [1, 20] and cut-off results [24]. Well-structuredness means the transition relation is monotonic wrt. a well-quasi ordering on the configurations, a combination that leads to surprising decidability results. A cut-off is a bound on the size of system instances such that correctness of the bounded instances entails correctness of all instances. Our algorithm uses different techniques. We give a reduction from liveness to reachability combined with a polynomial-time cycle check. Reductions from liveness to reachability or safety have recently been gaining popularity in verification [28, 31, 26]. For reachability, we then rely on techniques from parameterized complexity [12, 9], namely identifying combinatorial objects to iterate over and dynamic programming.

We introduce leader contributor systems and the leader contributor liveness problem of interest following [25, 15, 13]. Moreover, we give a short introduction to fine-grained complexity. For standard textbooks, we refer to [21, 9, 12].
Leader Contributor Systems. A leader contributor system consists of a designated leader thread communicating with a number of identical contributor threads via a shared memory. Formally, the system is a tuple S = (D, a_0, P_L, P_C) where D is the finite domain of the shared memory and a_0 ∈ D is the initial memory value. The leader P_L and the contributor P_C are abstractions of concrete threads making visible the interaction with the memory. They are defined as finite-state automata over the alphabet Op(D) = {!a, ?a | a ∈ D} of memory operations. Here, !a denotes a write of a to the memory, ?a denotes a read of a. The leader is given by the tuple P_L = (Op(D), Q_L, q_L^0, δ_L) where Q_L is the set of states, q_L^0 ∈ Q_L is the initial state, and δ_L ⊆ Q_L × (Op(D) ∪ {ε}) × Q_L is the transition relation. We extend the relation to words in Op(D)* and usually write q →^w_L q' for (q, w, q') ∈ δ_L. The contributor is defined similarly, by P_C = (Op(D), Q_C, q_C^0, δ_C).

The possible interactions of a thread with the memory depend on the current memory value and the internal state of the thread. To keep track of this information, we use configurations. These are tuples of the form (q, a, pc) ∈ CF_t = Q_L × D × Q_C^t. Here, pc is a vector storing the current state of each contributor, and there are t ∈ N contributors participating in the computation. The number of participating contributors can be arbitrary, but will be fixed throughout the computation. Therefore, the set of all configurations is given by CF = ⋃_{t ∈ N} CF_t. A configuration is called initial if it is of the form (q_L^0, a_0, pc) where pc(i) = q_C^0 for each i ∈ [1..t]. We use projections to access the components of a configuration. Let π_L and π_D denote the projections to the leader state resp. the memory content, π_L((q, a, pc)) = q and π_D((q, a, pc)) = a.
The map π_C projects a configuration to the set of contributor states present in pc, π_C((q, a, pc)) = {pc(i) | i ∈ [1..t]}.

The current configuration of S may change due to an interaction with the memory or an internal transition. We capture such changes by a labeled transition relation among configurations, → ⊆ CF × (Op(D) ∪ {ε}) × CF. It contains transitions induced by the leader and by the contributors. We focus on the former. If there is a write q →^{!b}_L q' of the leader, we get (q, a, pc) →^{!b} (q', b, pc). Similarly, a read q →^{?a}_L q' induces (q, a, pc) →^{?a} (q', a, pc). Note that the current memory value has to match the read symbol. An internal transition q →^ε_L q' yields (q, a, pc) →^ε (q', a, pc). For the transitions induced by the contributors, let pc(i) = p and pc' = pc[i = p'], meaning pc'(i) = p' and pc' coincides with pc in all other components. A transition p →^{!b / ?a / ε}_C p' yields (q, a, pc) →^{!b / ?a / ε} (q, b/a, pc'), like for the leader. Note that transitions are only defined among configurations involving the same number of contributors. It is convenient to assume that the leader never writes !a and immediately reads ?a again. In this case, we could replace the corresponding read transition by ε.

The transition relation → is generalized to words, denoted by c →^w c' with w ∈ Op(D)*. We call such a sequence a computation of S. We also write c →* c' if there is a word w with c →^w c', and c →+ c' if w has length at least 1. An infinite computation is a sequence σ = c_0 → c_1 → ... of infinitely many transitions. We call it initialized if c_0 is an initial configuration. Since σ involves infinitely many configurations but the set Q_L is finite, there are states of the leader that occur infinitely often along the computation. We denote the set of these states by Inf(σ) = {q ∈ Q_L | ∃^∞ i : q = π_L(c_i)}.

Leader Contributor Liveness.
The leader contributor liveness problem is the task of deciding whether the leader satisfies a liveness specification while interacting with a number of contributors. Formally, given a leader contributor system S = (D, a_0, P_L, P_C) and a set of final states F ⊆ Q_L encoding the specification, the problem asks whether there is an initialized infinite computation σ such that the leader visits F infinitely often along σ. Since F is finite, this is equivalent to Inf(σ) ∩ F ≠ ∅. In this case, σ is called a live computation.

Leader Contributor Liveness (LCL)
Input:
A leader contributor system S = (D, a_0, P_L, P_C) and final states F ⊆ Q_L.
Question:
Is there an infinite initialized computation σ such that Inf(σ) ∩ F ≠ ∅?

Fine-Grained Complexity.
The problem LCL is known to be NP-complete [13]. Despite its hardness, it may still admit efficient deterministic algorithms whose running times depend exponentially only on certain parameters. To find parameters that allow for the construction of such algorithms, one examines the parameterized complexity of LCL. Note that the name does not refer to parameterized systems. It stems from measuring the complexity not only in the size of the input but also in the mentioned parameters.

Let Σ be an alphabet. Unlike in classical complexity theory where we consider problems over Σ*, a parameterized problem P is a subset of Σ* × N. Inputs to P are pairs (x, k) with the second component k being referred to as the parameter. Problem P is called fixed-parameter tractable if it admits a deterministic algorithm deciding membership in P for pairs (x, k) in time f(k) · |x|^{O(1)}. Here, f is a computable function that only depends on k. Since f usually dominates the polynomial, the running time of the algorithm is denoted by O*(f(k)).

While finding an upper bound for the function f amounts to coming up with an efficient algorithm, lower bounds on f are obtained relative to hardness assumptions. One of the standard assumptions is the exponential time hypothesis (ETH) [27]. It asserts that 3-
SAT cannot be solved in time 2^{o(n)}, where n is the number of variables in the input formula. The lower bound is transported to the problem of interest via a reduction from 3-SAT. Then, f cannot drop below a certain bound unless ETH fails. It is a task of fine-grained complexity to find the optimal function f, where upper and lower bound match.

We conduct fine-grained complexity analyses for two parameterizations of LCL. First, we consider
LCL(L, D), the parameterization by the number of states of the leader L and the size of the data domain D. We show an (L + D)^{O(L + D)}-time algorithm, matching the lower bound for LCL from [7]. The second parameterization
LCL(C) is by the number of states of the contributor C. We give an algorithm running in time O*(2^C). It also matches the known lower bound [7]. Therefore, both algorithms are optimal in the fine-grained sense. The parameterizations LCL(L) and LCL(D) are unlikely to be fixed-parameter tractable. These problems are hard for W[1], a complexity class comprising intractable problems [7].

A live computation naturally decomposes into a prefix and a cycle. This means that solving
LCL amounts to finding both a prefix computation and a cyclic computation. However, we need to guarantee that the computations can be linked: the prefix should lead to a configuration that the cycle loops on. Since there are infinitely many configurations, we introduce the finite domain of interfaces. An interface abstracts a configuration to its leader state, memory value, and set of contributor states. Hence, an interface can be seen as a summary of those configurations that are suitable for linking prefix and cycle.

Our algorithm to solve
LCL works as follows. We start a reachability algorithm for the leader contributor model on the final states that the live computation should visit. After a modification, the algorithm outputs all interfaces witnessing prefixes to those states. Let
Reach(L, D, C) denote the running time of the reachability algorithm. We show that the obtained set of interfaces is of size at most Reach(L, D, C). We iterate over the interfaces and pass each to a cycle detection which works over interfaces instead of configurations. If a cycle is found, a live computation exists. Let Cycle(L, D, C) be the time needed for a single cycle detection. Then, the running time of the algorithm can be estimated as follows.

▶ Theorem 1.
LCL can be solved in time O(Reach(L, D, C) · Cycle(L, D, C)).

The first step in proving Theorem 1 is to decompose live computations into prefixes and cycles. To be precise, we aim for a decomposition where the cycle is saturated in the sense that the initial configuration already contains all contributor states that will be encountered along the cycle. Knowing these states in advance eases technical arguments when finding
cycles in Section 5. Formally, a cyclic computation τ = c →* c is called saturated if for each configuration c' in τ, we have π_C(c') ⊆ π_C(c). We write c →*_sat c for a saturated cycle. The following lemma yields the desired decomposition. If not stated otherwise, proofs and details for the current section are provided in Appendix A.

▶ Lemma 2.
There is an infinite initialized computation σ with Inf(σ) ∩ F ≠ ∅ if and only if there is a finite initialized computation c →* c' →+_sat c' with π_L(c') ∈ F.
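The saturation condition of Lemma 2 is easy to check on an explicit finite run. The following is a minimal sketch, assuming configurations are modeled as tuples (leader_state, memory_value, pc) with pc a tuple of contributor states; the representation and the function name are our own simplifications, not the paper's definitions.

```python
def is_saturated(cycle_run):
    """Check the saturation condition: for every configuration c' of the
    run, the set of contributor states pi_C(c') is contained in pi_C(c),
    where c is the first configuration of the cyclic computation."""
    base = set(cycle_run[0][2])
    return all(set(c[2]) <= base for c in cycle_run)

# A run that only revisits contributor states from its first configuration
# is saturated; introducing a fresh contributor state breaks saturation.
run = [('q', 'a', ('c1', 'c2')), ('q', 'b', ('c1', 'c1')), ('q', 'a', ('c1', 'c2'))]
```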
LCL into finding prefix and cycle. But we need to ensure thatthe found computations can be linked at an explicit configuration. For avoiding the latter,we introduce interfaces. An interface is a triple I = ( S, q, a ) ∈ P ( Q C ) × Q L × D consisting ofa set of contributor states S , a state of the leader q , and a memory value a . A configuration c matches the interface I if π C ( c ) = S , π L ( c ) = q , and π D ( c ) = a . We denote this by I ( c ),interpreting I as a predicate. The set of interfaces is denoted by IF. The following lemmashows that the notion allows for decomposing LCL . We can search for prefixes and cyclesseparately. The lemma provides the arguments needed to complete the proof of Theorem 1. (cid:73)
Lemma 3.
Let I ∈ IF. There is a computation c →* c' →+_sat c' with I(c') if and only if there are computations d →* d' and f →+_sat f with I(d') ∧ I(f).
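Lemma 3 justifies the two-stage scheme of Theorem 1: collect interfaces witnessing prefixes, then test each with a cycle detection. A minimal sketch of the matching predicate I(c) and the composition, with the two stages treated as oracles (all names are ours, purely illustrative):

```python
def matches(config, interface):
    """The predicate I(c): the projections of configuration c agree with
    the interface (set of contributor states, leader state, memory)."""
    S, q, a = interface
    leader, memory, pc = config
    return set(pc) == set(S) and leader == q and memory == a

def solve_lcl(prefix_interfaces, has_saturated_cycle):
    """Compose reachability and cycle detection as in Theorem 1.
    prefix_interfaces: interfaces output by the (modified) reachability
    algorithm; has_saturated_cycle: a cycle-detection oracle on interfaces.
    The total cost is |prefix_interfaces| times one cycle check."""
    return any(has_saturated_cycle(i) for i in prefix_interfaces)
```

Note the cost structure: the loop makes the O(Reach · Cycle) bound of Theorem 1 immediate once the set of interfaces has size at most Reach(L, D, C).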
Reach ( L , D , C ) and Cycle ( L , D , C ). Further,we modify the reachability algorithms to output interfaces. Then we invoke Theorem 1 toderive algorithms for LCL . The first problem that we consider is finding prefixes.
Leader Contributor Reachability (LCR)
Input:
A leader contributor system S = (D, a_0, P_L, P_C) and final states F ⊆ Q_L.
Question:
Is there an initialized computation c →* c' with π_L(c') ∈ F?

The problem LCR is NP-complete [15]. Its complexity Reach(L, D, C) depends on the parameterization. There are two standard parameterizations [7, 8]: LCR(L, D) and LCR(C). For the parameterization by L and D, we present an algorithm solving LCR(L, D) in time (L + D)^{O(L + D)}. The algorithm solves an open problem [7] by matching the known lower bound: unless ETH fails,
LCR cannot be solved in time 2^{o((L + D) · log(L + D))}. The algorithm and its modification for obtaining interfaces are presented in Section 4.

▶ Theorem 4.
LCR(L, D) can be solved in time (L + D)^{O(L + D)}.

For
LCR(C), we modify the reachability algorithm from [7, 8] so that it outputs interfaces that witness prefixes. We recall the result on the complexity of the algorithm.

▶ Theorem 5 ([7, 8]). LCR(C) can be solved in time O(2^C · C · L · D).

The second task to solve
LCL is detecting cycles. We formalize the problem. It takes an interface and asks for a saturated cycle on a configuration that matches the interface.
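The cycle detection of Section 5 characterizes cycles via SCC decompositions computed inside a fixed point iteration invoking Tarjan's algorithm. The following is only a generic illustration of that pattern under our own simplifying assumptions, not the paper's construction: a contributor subgraph keeps internal moves, writes, and reads of currently "available" symbols; symbols written on a cycle of the subgraph become available; iterate until the set stabilizes.

```python
def sccs(graph):
    """Strongly connected components of graph: node -> list of
    successors (iterative Tarjan)."""
    index, low, on_stack = {}, {}, set()
    stack, comps, counter = [], [], [0]
    for root in graph:
        if root in index:
            continue
        work = [(root, iter(graph[root]))]
        index[root] = low[root] = counter[0]; counter[0] += 1
        stack.append(root); on_stack.add(root)
        while work:
            v, it = work[-1]
            advanced = False
            for w in it:
                if w not in index:
                    index[w] = low[w] = counter[0]; counter[0] += 1
                    stack.append(w); on_stack.add(w)
                    work.append((w, iter(graph[w])))
                    advanced = True
                    break
                if w in on_stack:
                    low[v] = min(low[v], index[w])
            if advanced:
                continue
            work.pop()
            if work:
                low[work[-1][0]] = min(low[work[-1][0]], low[v])
            if low[v] == index[v]:
                comp = set()
                while True:
                    w = stack.pop(); on_stack.discard(w); comp.add(w)
                    if w == v:
                        break
                comps.append(comp)
    return comps

def stable_symbols(contrib_delta, states, initial_symbols):
    """Fixed point (illustrative only): which memory symbols can be
    produced on contributor cycles, and which states lie on such cycles?"""
    avail = set(initial_symbols)
    while True:
        # Subgraph: eps-moves and writes always, reads only of avail.
        graph = {s: [] for s in states}
        for (p, op, p2) in contrib_delta:
            if op is None or op[0] == '!' or op[1] in avail:
                graph[p].append(p2)
        cyclic = set()
        for comp in sccs(graph):
            if len(comp) > 1 or any(v in graph[v] for v in comp):
                cyclic |= comp
        new = avail | {op[1] for (p, op, p2) in contrib_delta
                       if op is not None and op[0] == '!'
                       and p in cyclic and p2 in cyclic}
        if new == avail:
            return avail, cyclic
        avail = new
```

On a contributor where a self-loop writes b, and reading b unlocks a cycle that writes c, the iteration needs two rounds before stabilizing, which is exactly why a single SCC pass does not suffice.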
Saturated Cycle (CYC)
Input:
A leader contributor system S = (D, a_0, P_L, P_C) and an interface I ∈ IF.
Question:
Is there a computation c →+_sat c with I(c)?

We present an algorithm solving CYC in polynomial time. Key to the algorithm is a fixed point iteration over certain subgraphs of the contributor. Details are postponed to Section 5.

▶
Theorem 6.
CYC can be solved in time O(D · (C + L · D)).

The theorem shows that
Cycle(L, D, C) is polynomial. Hence, by Theorem 1, we obtain that LCL can be solved in time O*(Reach(L, D, C)). This means that liveness verification and safety verification in the leader contributor model only differ by a polynomial factor. Taking the precise values for Reach(L, D, C) into account, Theorem 1 yields the following.

▶ Corollary 7.
LCL(L, D) can be solved in time (L + D)^{O(L + D)}.

▶ Corollary 8.
LCL(C) can be solved in time O(2^C · L · D · (L · C + D · C + L · D)).

For the latter result, we are actually more precise in determining the time complexity than stated in Theorem 1. Both obtained algorithms are optimal. They match the corresponding lower bounds for
LCL that carry over from reachability [7]: unless ETH fails, LCL can be solved neither in time 2^{o((L + D) · log(L + D))} nor in time 2^{o(C)}.

We present the algorithm for
LCR(L, D). It runs in time (L + D)^{O(L + D)} and therefore proves Theorem 4. Moreover, with the results from Sections 3 and 5, the algorithm can be utilized for solving LCL in time (L + D)^{O(L + D)}. Like in [7], the algorithm relies on a notion of witnesses. These are sketches of computations. A witness is valid if there is an actual computation following the sketch. Validity can be checked in polynomial time.

The algorithm from [7] iterates over all witnesses and tests validity for each. Hence, the time complexity of the algorithm is proportional to (LD)^{O(LD)}, the number of considered witnesses. Key to our new algorithm is the fact that we can restrict to so-called short witnesses. These are sketches of loop-free computations. We show that validity of witnesses can be checked inductively from validity of short witnesses. We exploit this inductive structure by a dynamic programming. It runs in time proportional to (L + D)^{O(L + D)}, the number of short witnesses. This yields the desired complexity as stated in Theorem 4.

We introduce witnesses and recall the notion of validity. Afterwards, we elaborate on the main idea of our new algorithm: restricting to short witnesses for checking validity.

Intuitively, a witness is a compact way to represent computations of a leader contributor system. From a computation, a witness only stores the actions of the leader and the positions where memory symbols were written by a contributor for the first time. We call these positions first writes. From such a position on, we can assume an unbounded supply of the corresponding memory symbol. There is always a copy of a contributor waiting to provide it.

Formally, a witness is a triple x = (w, q, σ). The word w = (q_1, a_1)(q_2, a_2) ... (q_n, a_n) represents the run of the leader. It is a sequence from (Q_L × (D ⊎ {⊥}))*, containing leader states potentially combined with a memory value. The state q ∈ Q_L is the target of the leader run.
First-write positions are specified by σ : [1..k] → [1..n], a monotonically increasing map where k ≤ D. The number k of first-write positions is called the order of x. We denote it by ord(x) = k. Moreover, we use Wit for the set of all witnesses. A witness x = (w, q, σ) ∈ Wit is called initialized if w begins in the initial state q_L^0 of the leader automaton.

If a witness corresponds to an actual computation, we call it valid. This means the witness encodes a proper run of the leader and, moreover, the first writes along the run can be provided by the contributors. Since the definition of witnesses only specifies first-write positions but not values, we need the notion of first-write sequences. The latter will allow for the definition of validity.

A first-write sequence is a sequence β ∈ D^{≤D} of data values that are all different. Formally, β_i ≠ β_j for i ≠ j. We use FW to denote the set of all those sequences. Given a witness x = (w, q, σ), we define its validity with respect to a first-write sequence β of length ord(x). For being valid, x has to be leader valid along β and contributor valid along β. We make both notions more precise. Details regarding this section, including formal definitions, are available in Appendix B.

Leader Validity.
The witness is leader valid along β if w encodes a run of the leader that reaches state q. Reading during the run is restricted to symbols from β: the ℓ-th symbol β_ℓ is available for reading once the run arrives at position σ(ℓ). Formally, the encoding depends on the memory values a_i. If a_i ≠ ⊥, the leader has a transition q_i →^{!a_i}_L q_{i+1}. If a_i = ⊥, the leader either has an ε-transition or reads a symbol available at position i, from the set S_β(i) = {β_ℓ | σ(ℓ) ≤ i}. We use LValid_β(x) to indicate that x is leader valid along β.

Contributor Validity.
The witness is contributor valid along β if the contributors can provide the first writes for w in the order indicated by σ. Let us focus on the i-th first write β_i. Providing β_i is a question of reachability of the set Q_i = {p | ∃p' : p →^{!β_i}_C p'} in the contributor automaton. More precisely, we need a contributor that reaches Q_i while reading only symbols available along w. This means that reading is restricted to earlier first writes and symbols written by the leader during w up to position σ(i).

Let Expr(x, β_1 ... β_{i−1}) be the language of available reads. We say that x is valid for the i-th first write of β if Q_i is reachable by a contributor while reading is restricted to Expr(x, β_1 ... β_{i−1}). We use CValid^i_β(x) to indicate this validity. If x is valid for all first writes, it is contributor valid along β. Formally, CValid_β(x) = ⋀_{i ∈ [1..ord(x)]} CValid^i_β(x).

With leader and contributor validity in place, we can define x to be valid along β if LValid_β(x) ∧ CValid_β(x). Again, we use predicate notation. We write Valid_β(x) if x is valid along β. Validity of a witness along a first-write sequence can be checked in polynomial time.

▶ Lemma 9.
Let x ∈ Wit and β ∈ FW. Then Valid_β(x) can be evaluated in polynomial time.

The algorithm from [7] iterates over witnesses and invokes Lemma 9 to check validity. The following lemma proves the correctness: validity indicates the existence of a computation.
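To make the polynomial checks of Lemma 9 concrete, here is a toy sketch of both validity tests on a simplified, 0-based witness encoding: w is a list of (state, write) pairs with write = None for ε-moves and reads, and transition relations are sets of triples. All encodings and names are our own, not the paper's formal definitions from Appendix B.

```python
def leader_valid(w, q_target, sigma, beta, leader_delta):
    """LValid-style walk: beta[l] may be read from position sigma[l] on."""
    n = len(w)
    for i in range(n):
        q_i, a_i = w[i]
        q_next = w[i + 1][0] if i + 1 < n else q_target
        if a_i is not None:
            # Write position: the leader must have the write transition.
            if (q_i, ('!', a_i), q_next) not in leader_delta:
                return False
        else:
            # eps-move or a read of a currently available first write.
            avail = {beta[l] for l in range(len(sigma)) if sigma[l] <= i}
            if (q_i, None, q_next) not in leader_delta and not any(
                    (q_i, ('?', b), q_next) in leader_delta for b in avail):
                return False
    return True

def contributor_valid_step(contrib_delta, start, write_symbol, allowed_reads):
    """One CValid-style check: can a contributor reach a state with an
    outgoing write of write_symbol, reading only allowed_reads?"""
    targets = {p for (p, op, _) in contrib_delta if op == ('!', write_symbol)}
    seen, stack = {start}, [start]
    while stack:
        p = stack.pop()
        if p in targets:
            return True
        for (q, op, q2) in contrib_delta:
            if q == p and q2 not in seen and (
                    op is None or op[0] == '!' or op[1] in allowed_reads):
                seen.add(q2)
                stack.append(q2)
    return False
```

Both routines are single passes over an automaton, which is where the polynomial bound of Lemma 9 comes from.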
▶ Lemma 10. Let q ∈ Q_L. There is an initialized computation c →* c' with π_L(c') = q if and only if there is an initialized x = (w, q, σ) ∈ Wit and a β ∈ FW so that
Valid_β(x).

For obtaining a tractable algorithm, we would like to restrict to short witnesses when checking validity. These are witnesses encoding a loop-free run of the leader. The following two observations are crucial to our development.

Leader validity can be checked inductively on short witnesses. A witness x can be written as a product x = x_1 × x_2 × ⋯ × x_{k+1} of smaller witnesses. Each x_i encodes the part of the leader run of x happening between the two first-write positions σ(i − 1) and σ(i). The witness concatenation × appends these runs. Each x_i can be assumed to be a short witness. There is no need for recording loops of the leader between first writes. We can cut them out.

Assume y = x_1 × ⋯ × x_i encodes a proper run ρ of the leader that reads from the available first writes β_1, ..., β_{i−1}. Formally, LValid_{β_1...β_{i−1}}(y). Then, leader validity of y × x_{i+1} along β_1 ... β_i mainly depends on the newly added witness x_{i+1}. The reason is that we prolong ρ, a run of the leader that was already verified. All that we have to remember from ρ is where it ends. This means that we can shrink y to a short witness. We consecutively cut out loops from the leader, denoted by Shrink*, until we obtain a loop-free witness. Formally, if LValid_{β_1...β_{i−1}}(y) holds true, we have the equality

LValid_{β_1...β_i}(y × x_{i+1}) = LValid_{β_1...β_i}(Shrink*(y) × x_{i+1}).

Hence, checking leader validity can be restricted to (concatenations of) short witnesses.

Like leader validity, we can restrict contributor validity to short witnesses. The main reason is that testing validity for the i-th first write only requires limited knowledge about earlier first writes. As long as we guarantee that earlier first writes can be provided along a run of the leader, we do not have to keep track of their precise positions anymore. This means that we can shrink the run when testing validity for the i-th first write.

Assume that y = x_1 × ⋯ × x_i is known to be contributor valid. Formally, CValid_{β_1...β_{i−1}}(y) is true. Note that the first writes considered in y are β_1, ..., β_{i−1}. We want to check contributor validity of y × x_{i+1}. Since there is only one new first write that we add, namely β_i, we have to evaluate CValid^i_{β_1...β_i}(y × x_{i+1}). Satisfying contributor validity means that β_i can be provided along y × x_{i+1}, assuming that β_1, ..., β_{i−1} were already provided.
In fact, it is not important where these earlier first writes appeared exactly. We just need the fact that, after y, they can be assumed to be there. This allows for shrinking y and forgetting about the precise positions of the earlier first writes. Formally, if CValid_{β_1...β_{i−1}}(y), we have

CValid^i_{β_1...β_i}(y × x_{i+1}) = CValid^i_{β_1...β_i}(Shrink*(y) × x_{i+1}).

In the next section, we turn the above observations into a recursive definition of validity for short witnesses. The recursion only involves short witnesses of lower order. Since the number of these is bounded by (L + D)^{O(L + D)}, we can employ a dynamic programming that checks validity of short witnesses in time proportional to their number.

Before we can formulate the recursion, we need to introduce short witnesses and a concatenation operator on the same. A short witness is a witness z = (w, q, σ) ∈ Wit where the leader states in w = (q_1, a_1) . . . (q_n, a_n) are all distinct. We use Wit_sh to denote the set of all short witnesses. Moreover, let Ord(k) denote the set of those short witnesses that are of order k.

Let x = (w, q, σ) ∈ Ord(i) and y = (w′, q′, σ′) ∈ Ord(j) be two short witnesses. Assume that the first state in w′ is q, meaning that y starts with the target state of x. Then, the short concatenation of x and y is defined to be the short witness x ⊗ y = Shrink*(x × y) ∈ Ord(i + j).

The price to pay for the smaller number of short witnesses is a more expensive check for validity. Rather than checking validity once for each short witness, we build them up by a recursion along the order, and check validity for each composition. Let z be a short witness. If ord(z) = 0, there are no first-write positions and only leader validity is important:

Valid^sh_ε(z) = LValid_ε(z).

For a short witness z of order k + 1, we define validity along β = β_1 . . . β_{k+1} ∈ FW by

Valid^sh_β(z) = ⋁_{x ∈ Ord(k), y ∈ Ord(1)} [z = x ⊗ y] ∧ LValid_β(x × y) ∧ CValid^{k+1}_β(x × y) ∧ Valid^sh_{β′}(x).

Here, β′ = β_1 . . . β_k is the prefix of β where the last element is omitted.

The idea behind the recursion is to cut off the last first write β_{k+1}, check its validity, and recurse on the remaining part. To this end, z is decomposed into two short witnesses x ∈ Ord(k) and y ∈ Ord(1). Intuitively, x is the compression of a larger witness that is already known to be valid and y is the short witness responsible for the last first write. By our considerations above, we already know that it suffices to check validity for β_{k+1} with x instead of its expanded form. These are the evaluations LValid_β(x × y) and CValid^{k+1}_β(x × y). To guarantee validity along β′, we recurse on Valid^sh_{β′}(x).

The following lemma shows the correctness of the recursion. Using Lemma 10, we can work with short witnesses to discover computations in the given leader contributor system.

▶ Lemma 11.
Let q ∈ Q_L and β ∈ FW. There is an x = (w, q, σ) ∈ Wit with Valid_β(x) if and only if there is a z = (w′, q, σ′) ∈ Wit_sh with Valid^sh_β(z). In this case, init(x) = init(z).

Note that in the lemma, init(x) refers to the first state of w, and similarly for z. It remains to give the algorithm. For each first-write sequence β and each short witness z, we compute Valid^sh_β(z) by a dynamic programming. To this end, we maintain a table indexed by first-write sequences and short witnesses. An entry for β ∈ FW and z ∈ Wit_sh is computed as follows. Let |β| = ord(z) = k. We iterate over all short witnesses x ∈ Ord(k − 1), y ∈ Ord(1) and check whether z = x ⊗ y holds. If so, we compute LValid_β(x × y) ∧ CValid^k_β(x × y) and look up the value of Valid^sh_{β′}(x) in the table. Details on the precise complexity are presented in Appendix B.

▶ Proposition 12.
The set of all valid short witnesses can be computed in time (L + D)^{O(L + D)}.

It is left to explain how interfaces can be obtained from the algorithm. From a valid short witness, the target state and the last memory value can be read off. The contributor states can be obtained by synchronizing the contributor along the witness. This takes polynomial time. Details can be found in Appendix B.
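The table computation behind Proposition 12 can be sketched in a few lines. The sketch below is illustrative and not the authors' implementation: the sets Ord(k), the short concatenation ⊗, and the checks LValid and CValid enter as black-box parameters (the names `ords`, `short_concat`, `lvalid`, and `cvalid` are ours), and first-write sequences are modelled as tuples.

```python
def build_validity_table(ords, first_write_seqs, short_concat, lvalid, cvalid):
    """Fill the table of Valid^sh values by dynamic programming.

    ords[k] models Ord(k); short_concat(x, y) models x (x) y = Shrink*(x × y);
    lvalid(beta, pair) and cvalid(beta, pair) are black-box checks standing in
    for LValid and CValid on the expanded witness.
    """
    table = {}
    # Order 0: no first-write positions, only leader validity matters.
    for z in ords.get(0, ()):
        table[((), z)] = lvalid((), (z,))
    # Order k: process sequences beta with |beta| = k by increasing length,
    # so the entry for the prefix beta[:-1] is already available.
    for beta in sorted(first_write_seqs, key=len):
        k = len(beta)
        for z in ords.get(k, ()):
            table[(beta, z)] = any(
                short_concat(x, y) == z
                and lvalid(beta, (x, y)) and cvalid(beta, (x, y))
                and table.get((beta[:-1], x), False)
                for x in ords.get(k - 1, ())
                for y in ords.get(1, ()))
    return table
```

Processing the sequences β by increasing length mirrors the recursion along the order: when an entry of order k + 1 is computed, the entry for the prefix β′ = β_1 . . . β_k has already been filled in.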
We give an efficient algorithm solving CYC in time O(D² · (C + L · D)). This proves Theorem 6. The algorithm relies on a characterization of cycles in terms of stable SCC decompositions. These are decompositions of the contributor automaton into strongly connected subgraphs that are stable in the sense that they write exactly the symbols they intend to read. With a fixed point iteration, we show how to find stable SCC decompositions in the mentioned time.

Our algorithm is technically simple. It relies on a fixed point iteration calling Tarjan's algorithm [34] to obtain SCC decompositions. Hence, the algorithm is easy to implement, and it shows that stable SCC decompositions are the ideal structure for detecting cycles. Moreover, we can modify the algorithm to detect cycles where the leader necessarily makes a move.

We also discovered that cycles can be detected by a non-trivial polynomial-time reduction to the problem of finding cycles in dynamic graphs. Although the latter can be solved in polynomial time [29], the resulting algorithm for CYC does not have an efficient polynomial running time. The reason is that the algorithm in [29] repeatedly solves linear programs that grow large due to the reduction. Compared to this method, our algorithm is more efficient and technically simpler since it is tailored to the actual problem.
We characterize cycles in terms of stable SCC decompositions. These are decompositions of the contributor automaton that can provide themselves with all the symbols that a cycle along this structure may read. For the definition, we generalize properties of a fixed cycle to the existence of a saturated cycle. We link the latter with an alphabet Γ, a variable for the set of reads in a saturated cycle. Then we define stable SCC decompositions depending on Γ. Hence, the search for a cycle amounts to finding a Γ with a stable SCC decomposition.

Throughout the section, we fix an interface I = (S, q, a) and a saturated cycle τ = c →^+_sat c with I(c). We assume that the set Writes(τ) = {b ∈ D | d →^{!b} d′ ∈ τ} is non-empty, meaning that τ contains at least one write. If τ contains only reads, then either a contributor or the leader runs in a ?a-loop, a cycle which is easy to detect. We generalize two properties of τ.

Property 1: Strong connectedness.
Considering the saturated cycle τ, we can observe how the current state of a particular contributor P changes over time. Assume P starts in a state p and visits a state p′ during τ. Since it runs along the cycle, the contributor will eventually move from p′ back to p again. This means that in the contributor automaton, there is a path from p to p′ and vice versa. Phrased differently, p and p′ are strongly connected.

To make this notion more precise, we define a subgraph of the contributor automaton. Intuitively, it is the restriction of P_C to the states and transitions visited along τ. Rather than defining it for a single computation τ, we generalize to a set of enabled reads Γ ⊆ D. The directed graph G_S(Γ) = (S, E(Γ)) has as vertices the contributor states S and as edges the set E(Γ). The latter are transitions of P_C between states in S that are either reads enabled by Γ or writes of arbitrary symbols. Formally, we have

(p, p′) ∈ E(Γ) if p →^{?b}_C p′ with b ∈ Γ or p →^{!b}_C p′ with b ∈ D.

For the cycle τ = c →^+_sat c, the induced graph is G_S(Γ) where Γ = Writes(τ). With the graph in place, we can define our notion of strongly connected states.

▶ Definition 13.
Let p, p′ ∈ S be two states and Γ ⊆ D. We say that p and p′ are strongly Γ-connected if p and p′ are strongly connected in the graph G_S(Γ).

Like the classical notion, the above definition generalizes to sets. We say that a set V ⊆ S is strongly Γ-connected if each two states in V are strongly Γ-connected.

The saturated cycle τ runs along the SCC decomposition of its induced graph G_S(Γ). Following a particular contributor P in τ, we collect the visited states in a set S_P ⊆ S. Then, S_P is strongly Γ-connected and thus contained in an inclusion-maximal strongly connected set, an SCC of G_S(Γ). Hence, the contributors in τ stay within SCCs of the graph. We associate with τ this SCC decomposition. Again, we generalize to a given alphabet.

Let Γ ⊆ D and V ⊆ S be strongly Γ-connected. We call V a strongly Γ-connected component (Γ-SCC) if it is inclusion maximal. The latter means that for each V′ ⊇ V with V′ strongly Γ-connected, we already have V′ = V. We consider the unique partition of S into Γ-SCCs. Note that by a partition, we mean a collection (S_1, . . . , S_ℓ) of pairwise disjoint subsets of S such that S = ⋃_{i ∈ [1..ℓ]} S_i. The order of a partition is not important for our purpose.

▶ Definition 14.
The partition of S into Γ-SCCs is called the Γ-SCC decomposition of S.

We denote the Γ-SCC decomposition by SCCdcmp_S(Γ). It consists of the vertices of the SCC decomposition of G_S(Γ). Hence, we can obtain it from an application of Tarjan's algorithm [34], a fact that becomes important when computing SCCdcmp_S(Γ) in Section 5.2.

Property 2: Stability.
Let SCCdcmp_S(Γ) = (S_1, . . . , S_ℓ) be the Γ-SCC decomposition associated with the saturated cycle τ. The writes in τ can be linked with the S_i. If a write occurs between states p, p′ ∈ S_i, we associate it with the set S_i. The writes of the leader all occur on a cyclic computation q →^∗_L q. The point of assigning writes to sets is the following. Writes that belong to a set can occur on a cycle through that set of the decomposition.

We generalize from τ to a given alphabet Γ ⊆ D. Let SCCdcmp_S(Γ) = (S_1, . . . , S_ℓ) be the Γ-SCC decomposition of S. The writes of the decomposition is the set of all symbols that occur as writes either between the states of some S_i or in a cycle q →^∗_{L′} q on the leader while preserving the memory content a. Formally, we define the writes to be the union Writes(S_1, . . . , S_ℓ) = Writes_C(S_1, . . . , S_ℓ) ∪ Writes_L(S_1, . . . , S_ℓ) where

Writes_C(S_1, . . . , S_ℓ) = {b | p →^{!b}_C p′ with p, p′ ∈ S_i} and
Writes_L(S_1, . . . , S_ℓ) = {b | ∃u, v : (q, a) →^{u.!b.v}_{L′} (q, a)}.

Here, →_{L′} denotes the transition relation of the automaton P′_L, a restriction of the leader P_L to reads within Writes_C(S_1, . . . , S_ℓ). The automaton also keeps track of the memory content. We define P′_L = (Op(D), Q_L × D, (q⁰_L, a), δ′_L) with the transitions

(s, b) →^{!b′}_{L′} (s′, b′) if s →^{!b′}_L s′,
(s, b) →^{?b}_{L′} (s′, b) if s →^{?b}_L s′ and b ∈ Writes_C(S_1, . . . , S_ℓ),
(s, b) →^ε_{L′} (s, b′) if b′ ∈ Writes_C(S_1, . . . , S_ℓ).

The last transitions change the memory content due to a write of a contributor.

The following lemma states that writes behave monotonically. This fact will become important in Section 5.2. We provide a proof in Appendix C.

▶
Lemma 15. Let Γ ⊆ Γ′ ⊆ D. We have Writes(SCCdcmp_S(Γ)) ⊆ Writes(SCCdcmp_S(Γ′)).

During the cycle τ, reads are always preceded by corresponding writes. Hence, the writes of the Γ-SCC decomposition, where Γ = Writes(τ), provide all symbols needed for reading. In fact, we have Writes(SCCdcmp_S(Γ)) ⊇ Γ. The following definition generalizes this property.

▶
Definition 16. Let Γ ⊆ D. The Γ-SCC decomposition SCCdcmp_S(Γ) of S is called stable if it provides Γ as its writes, meaning Writes(SCCdcmp_S(Γ)) = Γ.

Note that the definition asks for equality instead of inclusion. The reason is that we can express stability as a fixed point of a suitable operator. This will be essential in Section 5.2.
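The fixed point view can be made concrete with a small sketch. It runs under simplifying assumptions: only the contributor part Writes_C of the writes is modelled (the leader component Writes_L is left out), contributor transitions are tuples (p, op, b, p′) with op ∈ {'r', 'w'}, and Kosaraju's SCC algorithm stands in for Tarjan's. All names are ours.

```python
def sccs(nodes, edges):
    # SCC decomposition via Kosaraju's algorithm (Tarjan's would do as well);
    # returns a map node -> component id.
    adj = {n: [] for n in nodes}
    radj = {n: [] for n in nodes}
    for u, v in edges:
        adj[u].append(v)
        radj[v].append(u)
    order, seen = [], set()
    for s in nodes:                      # first pass: record finishing order
        if s in seen:
            continue
        seen.add(s)
        stack = [(s, iter(adj[s]))]
        while stack:
            u, it = stack[-1]
            for v in it:
                if v not in seen:
                    seen.add(v)
                    stack.append((v, iter(adj[v])))
                    break
            else:
                order.append(u)
                stack.pop()
    comp, cur = {}, 0
    for s in reversed(order):            # second pass: sweep reversed graph
        if s in comp:
            continue
        comp[s] = cur
        stack = [s]
        while stack:
            u = stack.pop()
            for v in radj[u]:
                if v not in comp:
                    comp[v] = cur
                    stack.append(v)
        cur += 1
    return comp

def writes_scc(states, trans, gamma):
    # One application of the operator Writes_SCC, restricted to the
    # contributor part: edges are reads enabled by gamma plus all writes.
    edges = [(p, q) for (p, op, b, q) in trans
             if op == 'w' or (op == 'r' and b in gamma)]
    comp = sccs(states, edges)
    return {b for (p, op, b, q) in trans if op == 'w' and comp[p] == comp[q]}

def stable_gamma(states, trans, domain):
    # Kleene iteration from the top element D of the powerset lattice down
    # to the greatest fixed point of Writes_SCC.
    gamma = set(domain)
    while True:
        nxt = writes_scc(states, trans, gamma)
        if nxt == gamma:
            return gamma
        gamma = nxt
```

Starting from Γ = D, each round recomputes the Γ-SCC decomposition and shrinks Γ to its writes; by monotonicity the iteration descends to the greatest fixed point, and a non-empty result is precisely a stable alphabet.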
Characterization.
The following proposition characterizes the existence of saturated cycles via stable SCC decompositions. It is a major step towards the polynomial-time algorithm.

▶ Proposition 17. There is a saturated cycle τ = c →^+_sat c with I(c) if and only if there exists a non-empty subset Γ ⊆ D such that SCCdcmp_S(Γ) is stable.

Proof.
Assume the existence of a saturated cycle τ. Our candidate set is Γ = Writes(τ). We already argued above that Writes(SCCdcmp_S(Γ)) ⊇ Γ. If equality holds, SCCdcmp_S(Γ) is stable and Γ is the set we are looking for. Otherwise, we have Writes(SCCdcmp_S(Γ)) ⊋ Γ. In the latter case, we consider Γ′ = Writes(SCCdcmp_S(Γ)) instead of Γ. Since Γ′ ⊇ Γ, we can apply Lemma 15 and obtain that Writes(SCCdcmp_S(Γ′)) contains Γ′.

Iterating this process yields a sequence of sets (Γ_i)_i that is strictly increasing, Γ_i ⊊ Γ_{i+1}, and that satisfies Writes(SCCdcmp_S(Γ_i)) ⊇ Γ_i. The sequence is finite since Γ_i ⊆ D for all i. Hence, there is a last set Γ_d which necessarily fulfills Writes(SCCdcmp_S(Γ_d)) = Γ_d.

For the other direction, we need to construct a saturated cycle from a set Γ with a stable SCC decomposition. Idea and formal proof are given in Appendix C. ◀

The search for a saturated cycle thus reduces to finding an alphabet Γ with a stable SCC decomposition. Following the definition of stability, we can express Γ as a fixed point that can be computed by a Kleene iteration [36] in polynomial time. We define the suitable operator. It acts on the powerset lattice P(D) and, for a given set X, it computes the writes of the X-SCC decomposition. Formally, it is defined by

Writes_SCC(X) = Writes(SCCdcmp_S(X)).

The operator is monotone and can be evaluated in polynomial time.

▶
Lemma 18. For X ⊆ X′ subsets of D, we have Writes_SCC(X) ⊆ Writes_SCC(X′). Moreover, Writes_SCC(X) can be computed in time O(D · (C + L · D)).

Monotonicity follows from Lemma 15. For the evaluation, let X be given. We apply Tarjan's algorithm on G_S(X) to compute the X-SCC decomposition SCCdcmp_S(X). This takes linear time. It is left to compute the writes Writes(SCCdcmp_S(X)). For details on the computation and the precise complexity we refer to Appendix C.

The following lemma states that the non-trivial fixed points of the operator Writes_SCC are precisely the sets with a stable SCC decomposition. Hence, searching for a cycle reduces to searching for a fixed point.

▶
Lemma 19. For Γ ≠ ∅, we have Γ = Writes_SCC(Γ) if and only if SCCdcmp_S(Γ) is stable.

Correctness immediately follows from the definition of stability. For finding a suitable set Γ, we employ a Kleene iteration to compute the greatest fixed point of Writes_SCC. It starts from Γ = D, the top element of the lattice. At each step, it evaluates Writes_SCC(Γ) by invoking Lemma 18. This takes time O(D · (C + L · D)). The iteration terminates after at most D steps since at least one element is removed from the set Γ in each iteration. Hence, the time to compute the greatest fixed point of Writes_SCC is O(D² · (C + L · D)).

We studied the fine-grained complexity of
LCL, the liveness verification problem for leader contributor systems. To this end, we first decomposed LCL into the reachability problem LCR and the cycle detection CYC. We focused on the complexity of LCR. While an optimal O*(2^C)-time algorithm for LCR(C) was already known, we presented an algorithm solving LCR(L, D) in time (L + D)^{O(L + D)}. The algorithm is optimal in the fine-grained sense and therefore settles an open problem. It is a dynamic programming based on a notion of valid short witnesses. Moreover, we showed how to modify both algorithms for LCR so that they are compatible with a cycle detection and can be used in algorithms solving LCL.

Further, we determined the complexity of CYC. We presented an efficient fixed point iteration running in time O(D² · (C + L · D)). It is based on a notion of stable SCC decompositions and invokes Tarjan's algorithm to find them. The result shows that LCL and LCR admit the same fine-grained complexity.
Acknowledgments.
We thank Arnaud Sangnier for helpful discussions.
References

[1] P. A. Abdulla and B. Jonsson. Verifying programs with unreliable channels. In LICS, pages 160–170. IEEE, 1993.
[2] M. F. Atig, A. Bouajjani, K. N. Kumar, and P. Saivasan. On bounded reachability analysis of shared memory systems. In FSTTCS, volume 29 of LIPIcs, pages 611–623. Schloss Dagstuhl, 2014.
[3] N. Bertrand, P. Fournier, and A. Sangnier. Playing with probabilities in reconfigurable broadcast networks. In FOSSACS, volume 8412 of LNCS, pages 134–148. Springer, 2014.
[4] R. Bloem, S. Jacobs, A. Khalimov, I. Konnov, S. Rubin, H. Veith, and J. Widder. Decidability of Parameterized Verification. Synthesis Lectures on Distributed Computing Theory. Morgan & Claypool Publishers, 2015.
[5] P. Chini, J. Kolberg, A. Krebs, R. Meyer, and P. Saivasan. On the complexity of bounded context switching. In ESA, volume 87 of LIPIcs, pages 27:1–27:15. Schloss Dagstuhl, 2017.
[6] P. Chini, R. Meyer, and P. Saivasan. Liveness in broadcast networks. In NETYS, 2019.
[7] P. Chini, R. Meyer, and P. Saivasan. Fine-grained complexity of safety verification. In TACAS, volume 10806 of LNCS, pages 20–37. Springer, 2018.
[8] P. Chini, R. Meyer, and P. Saivasan. Fine-grained complexity of safety verification. CoRR, abs/1802.05559, 2018.
[9] M. Cygan, F. V. Fomin, Ł. Kowalik, D. Lokshtanov, D. Marx, M. Pilipczuk, M. Pilipczuk, and S. Saurabh. Parameterized Algorithms. Springer, 2015.
[10] G. Delzanno, A. Sangnier, R. Traverso, and G. Zavattaro. On the complexity of parameterized reachability in reconfigurable broadcast networks. In FSTTCS, volume 18 of LIPIcs, pages 289–300. Schloss Dagstuhl, 2012.
[11] G. Delzanno, A. Sangnier, and G. Zavattaro. Parameterized verification of ad hoc networks. In CONCUR, volume 6269 of LNCS, pages 313–327. Springer, 2010.
[12] R. G. Downey and M. R. Fellows. Fundamentals of Parameterized Complexity. Springer, 2013.
[13] A. Durand-Gasselin, J. Esparza, P. Ganty, and R. Majumdar. Model checking parameterized asynchronous shared-memory systems. In CAV, volume 9206 of LNCS, pages 67–84. Springer, 2015.
[14] C. Enea and A. Farzan. On atomicity in presence of non-atomic writes. In TACAS, volume 9636 of LNCS, pages 497–514. Springer, 2016.
[15] J. Esparza, P. Ganty, and R. Majumdar. Parameterized verification of asynchronous shared-memory systems. In CAV, pages 124–140, 2013.
[16] J. Esparza, P. Ganty, and R. Majumdar. Parameterized verification of asynchronous shared-memory systems. JACM, 63(1):10:1–10:48, 2016.
[17] A. Farzan and P. Madhusudan. The complexity of predicting atomicity violations. In TACAS, volume 5505 of LNCS, pages 155–169. Springer, 2009.
[18] H. Fernau, P. Heggernes, and Y. Villanger. A multi-parameter analysis of hard problems on deterministic finite automata. JCSS, 81(4):747–765, 2015.
[19] H. Fernau and A. Krebs. Problems on finite automata and the exponential time hypothesis. In CIAA, volume 9705 of LNCS, pages 89–100. Springer, 2016.
[20] A. Finkel and Ph. Schnoebelen. Well-structured transition systems everywhere! TCS, 256(1-2):63–92, 2001.
[21] F. V. Fomin and D. Kratsch. Exact Exponential Algorithms. Texts in Theoretical Computer Science. Springer, 2010.
[22] M. Fortin, A. Muscholl, and I. Walukiewicz. Model-checking linear-time properties of parametrized asynchronous shared-memory pushdown systems. In CAV, volume 8044 of LNCS, pages 155–175. Springer, 2017.
[23] P. Fournier. Parameterized verification of networks of many identical processes. PhD thesis, University of Rennes 1, 2015.
[24] S. M. German and A. P. Sistla. Reasoning about systems with many processes. JACM, 39(3):675–735, 1992.
[25] M. Hague. Parameterised pushdown systems with non-atomic writes. In FSTTCS, volume 13 of LIPIcs, pages 457–468. Schloss Dagstuhl, 2011.
[26] M. Hague, R. Meyer, S. Muskalla, and M. Zimmermann. Parity to safety in polynomial time for pushdown and collapsible pushdown systems. In MFCS, volume 117 of LIPIcs, pages 57:1–57:15. Schloss Dagstuhl, 2018.
[27] R. Impagliazzo and R. Paturi. On the complexity of k-SAT. JCSS, 62(2):367–375, 2001.
[28] I. V. Konnov, M. Lazic, H. Veith, and J. Widder. A short counterexample property for safety and liveness verification of fault-tolerant distributed algorithms. In POPL, pages 719–734. ACM, 2017.
[29] S. R. Kosaraju and G. F. Sullivan. Detecting cycles in dynamic graphs in polynomial time (preliminary version). In STOC, pages 398–406. ACM, 1988.
[30] S. La Torre, A. Muscholl, and I. Walukiewicz. Safety of parametrized asynchronous shared-memory systems is almost always decidable. In CONCUR, volume 42 of LIPIcs, pages 72–84. Schloss Dagstuhl, 2015.
[31] O. Padon, J. Hoenicke, G. Losa, A. Podelski, M. Sagiv, and S. Shoham. Reducing liveness to safety in first-order logic. PACMPL, 2(POPL):26:1–26:33, 2018.
[32] S. Qadeer and J. Rehof. Context-bounded model checking of concurrent software. In TACAS, volume 3440 of LNCS, pages 93–107. Springer, 2005.
[33] A. Singh, C. R. Ramakrishnan, and S. A. Smolka. Query-based model checking of ad hoc network protocols. In CONCUR, volume 5710 of LNCS, pages 603–619. Springer, 2009.
[34] R. E. Tarjan. Depth-first search and linear graph algorithms. SICOMP, 1(2):146–160, 1972.
[35] T. Wareham. The parameterized complexity of intersection and composition operations on sets of finite-state automata. In CIAA, volume 2088 of LNCS, pages 302–310. Springer, 2000.
[36] G. Winskel. The formal semantics of programming languages - an introduction. Foundation of Computing Series. MIT Press, 1993.
Appendix

A Proofs of Section 3
We provide proofs and details for Section 3.
Proof of Lemma 2
Given a computation c_0 →* c →^+_sat c such that π_L(c) ∈ F, we can iterate the cyclic part to obtain a computation that visits F infinitely often. For the other direction, let σ be an infinite initialized computation with Inf(σ) ∩ F ≠ ∅. Then, σ visits infinitely many configurations involving a state from F. These constitute an infinite sequence over the finite set CF_t. Hence, there is a repeating configuration c and we get c_0 →* c →^+ c with π_L(c) ∈ F.

It is left to show that we can assume a saturated cycle. We use an idea going back to the copycat lemma [15]. Suppose c →^+ c is not saturated. Then there is a state p ∈ Q_C which does not occur in c but is encountered in a configuration c′ on the cycle. Let P denote the contributor that visits p in c′. We add a new contributor P_cc to the computation that mimics the behavior of P. Each time P takes a transition, P_cc copies it immediately. Once P_cc reaches p, it does not move any further and stays in p. We apply this procedure for each new state occurring in the cycle. After having iterated through the cycle, we have collected all these states and there is a contributor staying in each of them. Now we can run the cycle without discovering new states. This yields d_0 →* d →^+_sat d with π_L(d) ∈ F, as required.

Proof of Lemma 3
Before we give the proof, we introduce a notion for counting contributor states in a configuration. Let c = (q, a, pc) ∈ CF_t with t ∈ N be any configuration and p ∈ Q_C a contributor state. The cardinality card_p(c) denotes the number of contributors in configuration c whose current state is p. Formally, we define

card_p(c) = |{i ∈ [1..t] | pc(i) = p}|.

We proceed with the proof of Lemma 3.
Proof.
If we are given a computation of the form c_0 →* c →^+_sat c with I(c), we split it into the prefix c_0 →* c and the cycle c →^+_sat c. The interface I is clearly matched.

For the other direction, let computations d_0 →* d and f →^+_sat f with I(d) ∧ I(f) be given. We construct a composed computation c_0 →* c →^+_sat c with I(c) as desired.

Let c be a configuration that contains, for each state p, the maximal number of contributors of d and f that are currently in p. Memory and leader state are identical to d and f. Formally, we have card_p(c) = max(card_p(d), card_p(f)) for each state p ∈ Q_C. Moreover, π_L(c) = π_L(d) and π_D(c) = π_D(d). This implies I(c).

In the following, we show that a live computation involving c can be obtained from the given prefix and cycle. By the copycat lemma, we can enrich the computation d_0 →* d by contributors such that we get c_0 →* c. In fact, if max(card_p(d), card_p(f)) = card_p(d), we do not have to add contributors for state p. If max(card_p(d), card_p(f)) > card_p(d), we add contributors for the difference t = max(card_p(d), card_p(f)) − card_p(d). Let P be any contributor in d currently in state p. Then, we add t copies P¹_cc, . . . , Pᵗ_cc of P to d. Since the behavior of the leader and the memory do not change, we get the prefix c_0 →* c.

The cycle f →^+_sat f can be simulated on the larger configuration c. Intuitively, the contributors that do not participate in the cycle can be ignored. Hence, we obtain the desired cycle c →^+_sat c. Note that it is saturated. This completes the proof. ◀

Proof of Theorem 1
We assume that we have already modified the reachability algorithm so that it computes all interfaces that witness a prefix computation. Moreover, this is possible in time Reach(L, D, C) and there are at most Reach(L, D, C) such interfaces. We prove this assumption to be correct when considering the corresponding reachability algorithms.

We first show the correctness of the algorithm. Each interface I that we iterate over witnesses the existence of a prefix computation d_0 →* d with I(d). If I is a positive instance of the cycle detection, we get a saturated cycle f →^+_sat f which satisfies I(f). By Lemma 3, we then get a computation of the form c_0 →* c →^+_sat c with I(c). Hence, by Lemma 2, we obtain a live computation.

On the other hand, let a live computation be given. By Lemma 2 we can assume it to be of the shape c_0 →* c →^+_sat c. We let I = (S, q, a) be the interface induced by c. Formally, S = π_C(c), q = π_L(c), and a = π_D(c). Since I witnesses the prefix c_0 →* c, the algorithm iterates over I and passes it to the cycle detection. Since the cycle c →^+_sat c satisfies I(c), the cycle detection accepts interface I and the algorithm returns yes.

The complexity of the algorithm can be estimated as follows. We compute all interfaces witnessing prefix computations by a call to the modified reachability algorithm. This takes time Reach(L, D, C). Since we assume that there are at most Reach(L, D, C) such interfaces, iterating over them and passing each to the cycle detection takes time Reach(L, D, C) · Cycle(L, D, C). Summing up, we get the running time of the algorithm:

Reach(L, D, C) + Reach(L, D, C) · Cycle(L, D, C) = O(Reach(L, D, C) · Cycle(L, D, C)).

Liveness Parameterized by Contributors
We elaborate on the algorithm for LCL(C). To this end, we show that the reachability algorithm for LCR(C) from [7, 8] can be used to obtain the required interfaces. We prove the correctness of this approach. Finally, we discuss the complexity of the derived algorithm for LCL(C) in more detail.

Obtaining the Interfaces.

We recall the fine-grained algorithm for LCR(C) presented in [7, 8]. Given a leader contributor system S and final states F ⊆ Q_L, it decides in time O(2^C · C · L · D) whether there is an initialized computation c_0 →* c of S with π_L(c) ∈ F. To this end, it computes a table T with an entry T[S] ⊆ Q_L × D for each S ⊆ Q_C. The entry T[S] contains all pairs (q, a) that can be reached via a computation where the contributors discover the states depicted in the set S.

To formalize, we need the concept of incrementing computations. These never delete states of the contributors. A computation ρ = c_0 → c_1 → · · · → c_n is called incrementing if π_C(c_i) ⊆ π_C(c_{i+1}) for each i. We also write c_0 →*_inc c_n. The following lemma shows that the algorithm computes the interfaces for all incrementing prefixes.

▶ Lemma 20. Let I = (S, q, a) ∈ IF be an interface. Then, there is an initialized computation c_0 →*_inc c with I(c) if and only if (q, a) ∈ T[S].

For proving the lemma, we first restate a result from [8] showing correctness of the reachability algorithm. To this end, we introduce the notion of the states of a computation. Let ρ = c_0 → c_1 → · · · → c_n be a computation. The states of ρ is the set of contributor states appearing along the computation. These are captured in

States_C(ρ) = ⋃_{i ∈ [1..n]} π_C(c_i).

Now we can restate the result. It shows correctness of the algorithm for LCR(C).

▶ Lemma 21 ([8]). Let q ∈ Q_L, a ∈ D, and S ⊆ Q_C. There is an initialized computation ρ = c_0 →* c with π_L(c) = q, π_D(c) = a, and S = States_C(ρ) if and only if (q, a) ∈ T[S].

Note that Lemma 20 is slightly different. It explicitly asks for an incrementing computation ρ = c_0 →*_inc c such that c matches a given interface I = (S, q, a). To bridge the gap, we show that plain computations can always be mimicked by incrementing ones.

▶
Lemma 22.
There is an initialized computation ρ = c_0 →* c if and only if there is an initialized incrementing computation ρ_inc = d_0 →*_inc d with π_L(d) = π_L(c), π_D(d) = π_D(c), and π_C(d) = States_C(ρ).

Proof.
If an incrementing computation ρ_inc = d_0 →*_inc d is given, we set ρ = ρ_inc. The requirements on the projections are met. In particular, we have π_C(d) = States_C(ρ) by the fact that ρ is incrementing.

For the other direction, let a computation ρ = c_0 →* c be given. Assume ρ is not incrementing; otherwise, we are done. Then there are configurations c_i and c_{i+1} in ρ such that π_C(c_{i+1}) does not contain π_C(c_i). This means there is a state p ∈ π_C(c_i) \ π_C(c_{i+1}). This state gets lost by the transition c_i → c_{i+1}: there is only one contributor P with current state p, and it takes a transition to another state.

We apply the copycat lemma to get an additional contributor P_cc that mimics P. It copies every move of P. Once P_cc reaches state p, it stays in that state. With the new contributor, the state does not get deleted and is preserved throughout the computation. We introduce such an additional contributor for each state p that is deleted along ρ. Hence, we obtain an incrementing computation ρ_inc = d_0 →*_inc d with π_C(d) = States_C(ρ). Leader and memory act the same way as before. We get π_L(d) = π_L(c) and π_D(d) = π_D(c). ◀

We combine Lemma 21 and Lemma 22 to prove Lemma 20.
Proof.
Assume there is an initialized computation ρ = c_0 →*_inc c with I(c). Then we get that π_L(c) = q, π_D(c) = a, and π_C(c) = S. Since ρ is incrementing, we get that π_C(c) = States_C(ρ). Hence, by Lemma 21 we get that (q, a) ∈ T[S].

For the other direction, let (q, a) ∈ T[S]. By Lemma 21 we get a computation ρ = c_0 →* c with π_L(c) = q, π_D(c) = a, and S = States_C(ρ). Invoking Lemma 22, we obtain an incrementing computation ρ_inc = d_0 →*_inc d with I(d). This completes the proof. ◀

Correctness of the Approach.
For applying Theorem 1, we need to show that the interfaces extracted from the reachability algorithm are indeed all interfaces that witness a prefix. To this end, we show that restricting to incrementing prefixes is sound and complete.

▶
Lemma 23.
Let q ∈ Q_L and a ∈ D. There is a finite initialized computation c_0 →* c →^+_sat c with π_L(c) = q and π_D(c) = a if and only if there is a finite initialized computation d_0 →*_inc d →^+_sat d with π_L(d) = q and π_D(d) = a.

Proof.
One direction is trivial. For the other direction, let a computation c_0 →* c →^+_sat c with π_L(c) = q and π_D(c) = a be given. Let the prefix c_0 →* c be denoted by ρ. By Lemma 22 there is an incrementing computation ρ_inc : d_0 →*_inc d such that π_L(d) = q and π_D(d) = a. Moreover, following the proof of Lemma 22, we observe that the computation ρ_inc is obtained from ρ by only adding contributors. This means that the cardinality in each state grows: we get card_p(d) ≥ card_p(c) for all p ∈ Q_C.

Now we simulate the cycle c →^+_sat c on the larger configuration d. Leader and memory act as before. Whenever a contributor in a certain state p acts in c →^+_sat c, we can provide one from d as well since card_p(d) ≥ card_p(c). Hence, we get a cycle d →^+_sat d. Note that saturatedness is preserved since π_C(d) ⊇ π_C(c). ◀

Let interface I = (S, q, a) witness the existence of a prefix c_0 →* c which is part of a live computation c_0 →* c →^+_sat c. By Lemma 23, there is a live computation d_0 →*_inc d →^+_sat d with an incrementing prefix. Moreover, the incrementing prefix is witnessed by an interface I′ = (S′, q, a) with I′(d). Hence, we can consider I′ instead of I. This means that the interfaces obtained from the reachability algorithm, namely the interfaces witnessing incrementing prefixes, actually suffice. With these interfaces we can already witness all prefixes.

Complexity of the Algorithm.
As stated in the proof of Theorem 1, the algorithm for LCL(C) first calls the reachability algorithm for LCR(C). According to Theorem 5, this takes time O(2^C · C · L · D). The algorithm computes the table T, which contains all interfaces. Then we iterate over all interfaces (S, q, a) with (q, a) ∈ T[S] and q ∈ F. Each of these interfaces is passed as an input to CYC. The algorithm stops as soon as a cycle is found.

We iterate over at most 2^C · L · D many interfaces. Since a single invocation of CYC takes time O(D · (C + L · D)), the time needed for the complete iteration is O(2^C · L · D · (C · D + L · D²)). Adding up the time complexities, we obtain the result stated in Corollary 8.

B Proofs of Section 4
We provide proofs and details for Section 4.
Leader Validity.
The leader should visit the sequence of states in w and reach the target state q while reading the values in β at the positions indicated by σ. Formally, x = (w, q, σ) is valid for the leader wrt. β if |β| = ord(x) and for all a_i the following holds. If a_i ≠ ⊥, the leader has a transition (q_i, !a_i, q_{i+1}) ∈ δ_L. If a_i = ⊥, we have one of the following: q_i = q_{i+1} or (q_i, ε, q_{i+1}) ∈ δ_L or (q_i, ?b, q_{i+1}) ∈ δ_L. (Notice that we slightly deviate here from the definition in the main section: we add the additional condition q_i = q_{i+1}. This addition is not necessary, but it greatly simplifies the proofs.) Here, b is a value in β written before position i. Formally, b is from the set S_β(i) = {β_ℓ | σ(ℓ) ≤ i}. Note that q_{n+1} = q. We use the predicate LValid_β(x) = true to denote that x is valid for the leader wrt. β.

Contributor Validity.
It is the contributors' task to provide the first writes along w in the order indicated by σ. Let α be a first-write sequence of length t with t < ord(x). Assume the first writes in α were already provided and there is a (t+1)-st first write that has to be provided next. To define the expected behavior of the contributors, we make explicit the writes they can rely on. These stem from the leader and from fellow contributors. For the leader, given a q ∈ Q_L and a set Γ ⊆ D of values available to the leader due to first writes of α, we define Loop(q, Γ) = {b | q -u.!b.v->_L q ∧ u.!b.v ∈ (?Γ ∪ !D)*}. This set contains all memory values that the leader may write in a loop at state q while reading Γ. The values that can be written by the contributors at a certain position are given by S_α(i). With this, we obtain the regular language of writes available to the contributors: Expr(x, α) = Γ_1*.{a_1, ε}.Γ_2*.{a_2, ε} ... Γ_j*, where Γ_i = Loop(q_i, S_α(i)) ∪ S_α(i). Here, j = σ(t+1) is the index of the (t+1)-st first write. Moreover, we interpret a_i = ⊥ as ε.

The witness x is valid for the contributors wrt. β if |β| = ord(x) and if each value β_i can be written by a contributor. To be precise, before writing the value, the contributor is only allowed to read from Expr(x, β_1 ... β_{i−1}). To make this formal, fix i ∈ [1..ord(x)] and let Q_i ⊆ Q_C be the contributor states that can produce the first write, Q_i = {p | ∃p′ : p -!β_i->_C p′}. The set Trace_C(Q_i) = {w | ∃p ∈ Q_i : q^0_C -w->_C p} contains the transition sequences that lead to Q_i. Let h : Op(D) → D ∪ {ε} be the homomorphism that only preserves reads, h(!b) = ε and h(?b) = b for each b ∈ D. Then the witness x is valid for the i-th first write of β if Expr(x, β_1 ... β_{i−1}) ∩ h(Trace_C(Q_i)) ≠ ∅. We use CValid^i_β(x) = true to indicate non-emptiness of the intersection.
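For intuition, the set Loop(q, Γ) and the language Expr(x, α) defined above can be computed concretely. The following is a minimal Python sketch, not taken from the paper: it assumes memory values are single characters, leader transitions are triples (q, op, q′) with op of the form "!b", "?b", or "eps", and it renders Expr as a regular expression; ε-steps are also permitted inside loops, which is an illustrative simplification.

```python
import re

def loop_set(delta_l, q, gamma):
    """Sketch of Loop(q, Gamma): values b written on some loop at q whose
    reads are restricted to gamma (writes are unrestricted)."""
    allowed = [(p, op, r) for (p, op, r) in delta_l
               if op == "eps" or op.startswith("!") or op[1:] in gamma]

    def reach(src):
        # States reachable from src using only allowed transitions.
        seen, stack = {src}, [src]
        while stack:
            s = stack.pop()
            for (p, _, r) in allowed:
                if p == s and r not in seen:
                    seen.add(r)
                    stack.append(r)
        return seen

    from_q = reach(q)
    # b is loop-writable at q iff some write !b lies on a cycle through q.
    return {op[1:] for (p, op, r) in allowed
            if op.startswith("!") and p in from_q and q in reach(r)}

def expr_regex(gammas, firsts, j):
    """Sketch of Expr(x, alpha) = G1*{a1,e} G2*{a2,e} ... Gj* as a regex;
    firsts[i] is the symbol a_{i+1}, or None for the bottom symbol."""
    parts = []
    for i in range(j):
        g = "".join(sorted(gammas[i]))
        if g:
            parts.append("[%s]*" % re.escape(g))
        if i < j - 1 and firsts[i]:
            parts.append("(?:%s)?" % re.escape(firsts[i]))
    return "^" + "".join(parts) + "$"
```

With such a rendering, the non-emptiness test Expr(x, β_1 ... β_{i−1}) ∩ h(Trace_C(Q_i)) ≠ ∅ amounts to a standard product construction of two finite automata, which is the polynomial-time check used in the proof of Lemma 9.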
If x is valid for all first writes, we call x valid for the contributors wrt. β. Formally, the conjunction CValid_β(x) = ⋀_{i ∈ [1..ord(x)]} CValid^i_β(x) has to evaluate to true.

Proof of Lemma 9
Validity with respect to the leader is simple to verify: the witness describes a run of the leader, the existence of which can be checked in polynomial time. For validity with respect to the contributors, one needs to test whether the intersection Expr((w, q, σ), β_1 ... β_{i−1}) ∩ h(Trace_C(Q_i)) is non-empty for each first write. Clearly, this can be done in polynomial time.

Proof of Lemma 10
Here we need to prove that there is a computation of the form c_0 →* c with π_L(c) = q if and only if there is a witness x = (w, q, σ) and a first-write sequence β such that LValid_β(x) = true and CValid_β(x) = true.

We first prove the easy direction, where we assume a computation of the form c_0 →* c with π_L(c) = q and prove the existence of the witness. Let the sequence of transitions appearing in the assumed computation be τ_1 ... τ_n; notice that it can contain transitions of both the leader and the contributors. First, mark all transitions that belong to the leader, say with the color red. We will later construct the required witness string from these marked transitions. Now, for each d ∈ D, perform the following. Mark each contributor transition of the form τ_i = p -!d-> p′ with the color yellow. Then retain the very first transition marked yellow and delete the rest. Complete this process for each memory value d ∈ D; if there are no contributor write transitions for a memory value, continue with the next one. Finally, delete all remaining unmarked contributor transitions and let the resulting sequence be π = τ_{i_1} ... τ_{i_j}. Let the positions within π of the yellow transitions be y_1 < ··· < y_k, and let the red transitions, in order, be τ_{r_1} ... τ_{r_{j−k}}. Notice that the transitions marked yellow automatically provide us with the first-write sequence: let β = d_1 ... d_k be the sequence of memory values that appear in the yellow transitions, in that order.

Now, let σ : [1..k] → [1..j−k] be given by σ(ℓ) = y_ℓ − ℓ for all ℓ ∈ [1..k], i.e., σ simply maps each first write to the number of leader transitions that occur before it.

To construct the witness string, let τ_{r_ℓ} = (q_ℓ, a_ℓ, q_{ℓ+1}). The required witness string is given by w = (q_1, x_1) ... (q_{j−k}, x_{j−k}), where x_ℓ = d if a_ℓ = !d for some d ∈ D and x_ℓ = ⊥ otherwise. Clearly, x = (w, q, σ) is the required witness; it is easy to check that LValid_β(x) = true and CValid_β(x) = true.

For the other direction, we assume that there is a witness x = (w, q, σ) valid with respect to a first-write sequence β and show that there is a computation of the form c_0 →* c with π_L(c) = q. Let w = (q_1, a_1) ··· (q_n, a_n) and let β = b_1 ... b_k. Since the witness is valid, we have LValid_β(x) = true and CValid_β(x) = true.

Since LValid_β(x) = true, there is a valid sequence of transitions t = τ_1 ... τ_n such that τ_i = (q_i, !a_i, q_{i+1}) if a_i ≠ ⊥, and otherwise τ_i = (q_i, op, q_{i+1}), where op = ?d for some d ∈ D or op = ε. Further, since CValid_β(x) = true, we have for each i ∈ [1..k] that Expr(x, β[1..i−1]) ∩ h(Trace_C(Q_i)) ≠ ∅. We recall that Expr(x, α) = Γ_1*.{a_1, ε}.Γ_2*.{a_2, ε} ... Γ_j*, where Γ_i = Loop(q_i, S_α(i)) ∪ S_α(i). Now, for each i, let γ_i be a witness string in Expr(x, β[1..i−1]) ∩ h(Trace_C(Q_i)); these are the reads that the contributor will ever perform (here, β[1..i] = b_1 ... b_i). Let τ(γ_i) be the sequence of contributor transitions that generates such a witness string. We let π be a monotonic function that maps each letter occurring in the witness string γ_i to its position in the expression, i.e., for all j ∈ [1..|γ_i|], π(i, j) = ℓ if γ_i[j] ∈ Γ_ℓ ∪ {a_ℓ}; clearly π(i, j) < σ(i). Intuitively, this corresponds to the positions where the contributor reads the required symbol.
We also classify the type of each symbol occurring in γ_i as ld, ct, or lp, corresponding to whether it is a read of a leader write, of a contributor write, or of a write produced in a loop. We let λ be the function defined by λ(i, j) = ld if π(i, j) = ℓ and γ_i[j] = a_ℓ; λ(i, j) = lp if π(i, j) = ℓ and γ_i[j] ∈ Loop(q_ℓ, S_{β[1..i−1]}(ℓ)); and λ(i, j) = ct otherwise. For each λ(i, j) = lp, let Loop(i, j) be the sequence of transitions that forms a loop and produces γ_i[j], i.e., the sequence of transitions witnessing a run of the form q_ℓ -u.!γ_i[j].v->_L q_ℓ such that u.!γ_i[j].v ∈ (?S_{β[1..i−1]}(ℓ) ∪ !D)*.

We now show how to extend our sequence of leader transitions t to t*. For each i ∈ [1..k] and for each j ∈ [1..|γ_i|], if λ(i, j) = lp, then we insert the sequence of transitions Loop(i, j) right before the transition corresponding to ℓ = π(i, j) in t (i.e., the ℓ-th transition in t). We do this in increasing order of i (i.e., first for i = 1, then for i = 2, and so on). We assume that the newly added transitions are colored blue and the original ones white; we need these colors later to specify the invariant maintained when constructing the run. Notice that t* can include transitions that read a value from memory. For any d ∈ D, let d(t*) denote the number of transitions in t* that read the value d from memory. Similarly, let d(γ_i) denote the number of times d occurs as a contributor read in γ_i (i.e., d(γ_i) = |{j | γ_i[j] = d ∧ λ(i, j) = ct}|).
Let n_d = d(t*) + d(γ_1) + ··· + d(γ_k); this is the number of contributors we need for each d ∈ D that a contributor can write.

We now show how to construct the required run in the leader contributor system. For this, we start with a configuration consisting of the leader's initial state and, for each d ∈ {b_1 ··· b_k}, n_d many contributors in the initial contributor state. We refer to this set of contributors collectively as [d]. The intention is to move them collectively (i.e., they make the same moves simultaneously until they reach a state from which they can produce the letter d). To construct the required run, we keep one handle into each of t*, γ_1, ..., γ_k that stores an index into these strings; let this set of handles be idx = (idx_{t*}, idx_{γ_1}, ..., idx_{γ_k}). We sometimes omit the subscript when it is clear from the context. These handles store the position in the respective strings up to which the string has been processed; initially, they are set to the first location in each string. The run that we construct has the property that for each d ∈ D, there are at least n_d(idx) = d(t*[idx_{t*}..]) + d(γ_1[idx_{γ_1}..]) + ··· + d(γ_k[idx_{γ_k}..]) many contributors (including the ones that are yet to reach a state from which d can be written) that can still produce d (here, α[j..] denotes the string α starting from position j). Further, we maintain the invariant that for any idx, if the number of white symbols in t*[1..idx_{t*}] is ℓ (denoted Wt(t*(idx)) = ℓ), then for each j with σ(j) ≤ ℓ we have idx_{γ_j} = |γ_j|, i.e., at the positions of first writes the corresponding contributors are available. This follows from the fact that π(i, j) ≤ σ(i). Finally, we maintain the invariant that the leader is always in the target state of the transition t*(idx).

We are now ready to construct the required run inductively. For the base case, we start with the initial configuration with n_d many contributors (for each d ∈ D) in their initial state. Let ρ be the run constructed inductively and let idx be the current index up to which we have processed. First, for each i ∈ [1..k], we make any possible internal moves of τ(γ_i), starting from the last transition that was executed in this sequence (recall that this is the sequence of moves that generated the witness string γ_i). Suppose for some i we have λ(i, idx_{γ_i}) = ct and γ_i(idx_{γ_i}) = b_j for some j ≤ i; then clearly σ(j) ≤ Wt(t*(idx)) (for any contributor read, the first write always comes before). From this and our invariant, there are n_{b_j}(idx) many contributors in the state that can produce b_j, so we can send one contributor to write the required value to memory. Following this, we move all the contributors in [b_j] to execute the corresponding transition in τ(γ_i), and we increment idx_{γ_i} (notice that this ensures that our invariant is not violated). Suppose for some i ∈ [1..k] we have λ(i, idx_{γ_i}) = lp and π(i, idx_{γ_i}) = Wt(t*(idx)) − 1; then clearly there is a loop sequence Loop(i, Wt(t*(idx))) present. We execute such a sequence until the loop writes the required symbol onto the shared memory, move the set of contributors [b_i] to execute the corresponding read transition, and then execute the rest of the transitions in the loop. Notice that executing the loop may require reading contributors; however, the existence of contributors that can provide such symbols is ensured by our invariant. Finally, we update idx by moving idx_{t*} to the position at the end of the loop and by incrementing idx_{γ_i}. It is easy to see that the invariant is maintained in this case as well. Also notice that we added the loops so that the loop required by γ_i is found earlier than that of γ_j when i < j. Hence, we can process each γ_i completely before proceeding to the next one.

Finally, we process the leader. If the current transition t*[idx_{t*}] is a read of a contributor write, then we move one contributor to write the corresponding value to memory and make the leader move. We also update idx by incrementing idx_{t*}. Otherwise, we make the leader move and update idx. If the move of the leader was a write of a value to the shared memory, then for each i such that π(i, idx_{γ_i}) = Wt(t*(idx)) and λ(i, idx_{γ_i}) = ld, we execute the corresponding transition from τ(γ_i), which reads the value written by the leader, and update idx appropriately. It is easy to see that such a run is the required valid run in the system.

Witness Concatenation.
The witness concatenation (w_1, q_1, σ_1) × (w_2, q_2, σ_2) = (w_1.w_2, q_2, σ) concatenates the sequences of leader-memory pairs. Note that this may repeat states. The target state is that of the second witness. The map σ is given by σ : [1..i+j] → [1..|w_1| + |w_2|] with σ(ℓ) = σ_1(ℓ) for all ℓ ≤ i and σ(ℓ) = σ_2(ℓ − i) + |w_1| for all ℓ ∈ [i+1..i+j].

Shrink Operator.
Given a witness ( w, q, σ ), the function
Shrink removes the first repetition of states in w, if any. Let w = (q_1, a_1) ... (q_n, a_n) and let x be the least index such that q_x = q_y for some y ≠ x. Fix the minimal such y. Then Shrink(w, q, σ) = (w′, q, σ′), where w′ = (q_1, a_1) ... (q_{x−1}, a_{x−1})(q_y, a_y) ... (q_n, a_n). Moreover, σ′(ℓ) = σ(ℓ) if σ(ℓ) < x, σ′(ℓ) = x if x ≤ σ(ℓ) ≤ y, and σ′(ℓ) = σ(ℓ) − y + x otherwise. If the input is a short witness, Shrink is the identity. We use
Shrink* for the repeated application of Shrink until a fixed point is reached.
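The two operations defined above can be sketched concretely. The following minimal Python rendering is not from the paper: it assumes a witness is a triple (w, q, sigma) with w a list of (state, symbol) pairs and sigma a list of 1-based first-write positions.

```python
def concat(x1, x2):
    """Sketch of witness concatenation (w1,q1,s1) x (w2,q2,s2): the words
    are joined, the target state is that of x2, and the first writes of x2
    are shifted by |w1|."""
    w1, _, s1 = x1
    w2, q2, s2 = x2
    return (w1 + w2, q2, s1 + [p + len(w1) for p in s2])

def shrink(x):
    """Sketch of the Shrink operator: cut out the first repetition of
    states (least x with q_x = q_y for a minimal y > x) and adjust sigma
    as in the definition above (all positions are 1-based)."""
    w, q, sigma = x
    states = [s for s, _ in w]
    for i, s in enumerate(states):
        if s in states[i + 1:]:
            xpos = i + 1                           # least index x
            ypos = states.index(s, i + 1) + 1      # minimal matching y
            new_w = w[:xpos - 1] + w[ypos - 1:]
            new_sigma = [p if p < xpos else
                         (xpos if p <= ypos else p - ypos + xpos)
                         for p in sigma]
            return (new_w, q, new_sigma)
    return x                                       # short witness: identity

def shrink_star(x):
    """Apply Shrink until a fixed point is reached."""
    y = shrink(x)
    while y != x:
        x, y = y, shrink(y)
    return y
```

For example, shrinking the witness with word (q1,a)(q2,b)(q1,c)(q3,d) cuts out the pair (q1,a)(q2,b) and remaps the first-write positions 2 and 4 to 1 and 2, respectively.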
Proof of Lemma 11
Before we turn to the proof of Lemma 11, we prove some auxiliary statements that significantly simplify the proof. The first lemma states that leader validity of a witness is preserved under repeated application of the shrink operator.
Lemma 24.
Let β be a first-write sequence and x ∈ Wit a witness with LValid_β(x) = true. Then, we have that LValid_β(Shrink*(x)) = true.

Proof.
We show that LValid_β(Shrink(x)) = true. Then the statement above follows by induction. To this end, assume x is given by (w, q, σ) with w = (q_1, a_1) ... (q_n, a_n). If Shrink(x) = x, there is nothing to show. Otherwise, there are indices r < t such that Shrink(x) = (w′, q, σ′), where w′ = (q_1, a_1) ... (q_{r−1}, a_{r−1}).(q_t, a_t) ... (q_n, a_n). The map σ′ of the witness is defined by σ′(ℓ) = σ(ℓ) if σ(ℓ) < r, σ′(ℓ) = r if r ≤ σ(ℓ) ≤ t, and σ′(ℓ) = σ(ℓ) − t + r for σ(ℓ) > t.

For proving leader validity, let a_i be a symbol in w′. Since a_i also occurs in w and LValid_β(x) = true, we get one of the following. (1) There is a write transition q_i -!a_i->_L q_{i+1}, (2) q_i = q_{i+1}, (3) there is an ε-transition q_i -ε->_L q_{i+1}, or (4) there is a read transition q_i -?b->_L q_{i+1} with b ∈ S_β(i) = {β_ℓ | σ(ℓ) ≤ i}.

For Cases (1) and (3), note that write and ε-transitions carry over from x to Shrink(x). The only subtlety occurs when i = r − 1. Validity of x guarantees a transition q_{r−1} -a_{r−1}/ε->_L q_r. But q_r = q_t. Hence, we have the needed transition for Shrink(x).

In Case (2), we get that q_i = q_{i+1}. Since the operator Shrink cuts out the first occurrence of a repeating state, Case (2) can only happen when i ≥ t. Then the equality of states also holds in Shrink(x).

In the last case, we have to show that the read transition carries over to Shrink(x). Essentially, we need to prove that the index shift that occurs when passing from w to w′ is consistent with the sets S_β(i) and S′_β(i) = {β_ℓ | σ′(ℓ) ≤ i}. This means that the read symbol b has to lie in the corresponding set S′_β(i). To this end, we make precise the relations among the sets S_β(j) and S′_β(j) for each index j ∈ [1..n].

If j ∈ [1..r−1], then S_β(j) = {β_ℓ | σ(ℓ) ≤ j} = {β_ℓ | σ′(ℓ) ≤ j} = S′_β(j) from the definition of σ′. Hence, the sets are equal for indices strictly smaller than r.

For j ∈ [r..t], first note that S_β(j) ⊆ S_β(t) since these sets grow monotonically. The latter set can be written as S_β(t) = {β_ℓ | σ(ℓ) ≤ t} = {β_ℓ | σ(ℓ) < r or r ≤ σ(ℓ) ≤ t} = {β_ℓ | σ′(ℓ) < r or σ′(ℓ) = r}. The last equivalence is due to the definition of σ′. Since S′_β(r) = {β_ℓ | σ′(ℓ) ≤ r} is equal to the last set in the above equations, we obtain S_β(t) = S′_β(r) and hence S_β(j) ⊆ S′_β(r) for each j ∈ [r..t].
In the last case, j is an index in [t+1..n]. Consider the following transformation steps: S_β(j) = {β_ℓ | σ(ℓ) ≤ j} = {β_ℓ | σ(ℓ) ≤ t or t < σ(ℓ) ≤ j} = S_β(t) ∪ {β_ℓ | t < σ(ℓ) ≤ j} = S′_β(r) ∪ {β_ℓ | t < σ(ℓ) ≤ j}. Note that in the last step we used that S_β(t) = S′_β(r). Now we find an equivalent description for the latter set in the union. For an index ℓ with σ(ℓ) > t, we get by definition that σ′(ℓ) = σ(ℓ) − t + r. Hence, we have that t < σ(ℓ) ≤ j if and only if r < σ′(ℓ) ≤ j − t + r. We can derive the following: S′_β(r) ∪ {β_ℓ | t < σ(ℓ) ≤ j} = S′_β(r) ∪ {β_ℓ | r < σ′(ℓ) ≤ j − t + r} = S′_β(j − t + r). Hence, S_β(j) = S′_β(j − t + r).

Assume from Case (4) we get a transition q_i -?b->_L q_{i+1} with b ∈ S_β(i). If i ∈ [1..r−1], then b ∈ S_β(i) = S′_β(i). If i = t, we obtain that b ∈ S_β(t) = S′_β(r). In the last case, i ∈ [t+1..n], we get that b ∈ S_β(i) = S′_β(i − t + r). This proves leader validity of Shrink(x) and completes the proof. ◀

The following lemma extends the results of Lemma 24. It shows that the shrink operator, leader validity, and witness concatenation behave well with respect to each other. Moreover, it provides a way to replace a witness in a concatenation as long as leader validity is guaranteed.
Lemma 25.
Let x = (w, q, σ) be a witness of order k and y a witness of order p with init(y) = q. Moreover, let β = β_1 ... β_{k+p} be a first-write sequence and LValid_β(x × y) = true.
a) We have LValid_β(x × Shrink*(y)) = true.
b) Let x′ = (w′, q, σ′) be a witness of order k and let β′ = β_1 ... β_k be the prefix of β of length k. If LValid_{β′}(x′) = true, then LValid_β(x′ × y) = true.

Proof.
We first prove Part a). To this end, we fix some notation that is used throughout theproof. Let w , the word of witness x be given by w = ( q , a ) . . . ( q m , a m ). Let y be the tuple( v, p, τ ) where v = ( q m +1 , a m +1 ) . . . ( q n , a n ) and q k +1 = q . Then, for the concatenation weget x × y = ( w.v, p, σ.τ ). The map σ.τ maps the first writes as depicted in the definition ofthe concatenation: σ.τ ( ‘ ) = σ ( ‘ ) for ‘ ∈ [1 ..k ] and σ.τ ( ‘ ) = τ ( ‘ − k ) + m for ‘ ∈ [ k + 1 ..k + p ].When applying the shrink operator to y , we get that Shrink ( y ) = ( v , p, τ ). Assume that Shrink ( y ) = y , otherwise there is nothing to prove. Then, there are indices r < t such that q r = q t and v = ( q m +1 , a m +1 ) . . . ( q r − , a r − ) . ( q t , a t ) . . . ( q n , a n ). A concatenation with x therefore yields x × Shrink ( y ) = ( w.v , p, σ.τ ) with word w.v = ( q , a ) . . . ( q m , a m ) . . . ( q r − , a r − ) . ( q t , a t ) . . . ( q n , a n ) . and map σ.τ , defined similarly to σ.τ .Now the reasoning is similar to Lemma 24. We obtain the following relation among thesets S β ( j ) = { β ‘ | σ.τ ( ‘ ) ≤ j } and S β ( j ) = { β ‘ | σ.τ ( ‘ ) ≤ j } . For j ∈ [1 ..r − S β ( j ) = S β ( j ). For j ∈ [ r..t ], we get S β ( j ) ⊆ S β ( r ), and S β ( t ) = S β ( r ). Finally, if j ∈ [ t + 1 ..n ], we obtain S β ( j ) = S β ( j − t + r ).For leader validity, fix a symbol a i in w.v . Since LValid β ( x × y ), there are four cases.(1) There is a write transition q i ! a i −−→ L q i +1 . This transition immediately carries over to thewitness x × Shrink ( y ). (2) The states q i and q i +1 are equal. The equality of states is also . Chini, R. Meyer, and P. Saivasan XX:25 true in x × Shrink ( y ). (3) There is an ε -transition q i ε −→ L q i +1 which also carries over. (4)There is a read transition q i ? b −→ L q i +1 with b ∈ S β ( i ). 
By the above considerations, b alsolies in the suitable set of first writes of the witness x × Shrink ( y ).For the proof of Part b), we adjust the above notation. The witness x = ( w, q, σ ) is givenvia the word w = ( q , a ) . . . ( q m , a m ). Let y = ( v, p, τ ) with word v = ( s , b ) . . . ( s n , b n )and x = ( w , q, σ ) with w = ( p , c ) . . . ( p t , c t ). We consider the two concatenations x × y = ( w.v, p, σ.τ ) and x × y = ( w .v, p, σ .τ ) with words w.v = ( q , a ) . . . ( q m , a m ) . ( s , b ) . . . ( s n , b n ) ,w .v = ( p , c ) . . . ( p t , c t ) . ( s , b ) . . . ( s n , b n ) , and maps σ.τ ( ‘ ) = ( σ ( ‘ ) , if ‘ ∈ [1 ..k ] ,τ ( ‘ ) , if ‘ ∈ [ k + 1 ..k + p ] , σ .τ ( ‘ ) = ( σ ( ‘ ) , if ‘ ∈ [1 ..k ] ,τ ( ‘ ) , if ‘ ∈ [ k + 1 ..k + p ] . To prove leader validity of x × y , pick a symbol in the word w .v . Assume it is c i for an i ∈ [1 ..t ].By the assumption LValid β ( x ) = true , we get that either there is a transition p i ! c i /ε −−−→ L p i +1 or p i = p i +1 or there is a read transition p i ? b −→ p i +1 for an b ∈ S x β ( i ) = { β ‘ ∈ β | σ ( ‘ ) ≤ i } .The first two cases immediately carry over to x × y . In the latter case, we need to show that b lies in the correct set S x × yβ ( i ) = { β ‘ | σ .τ ( ‘ ) ≤ i } . Recall that i ≤ t and that σ .τ ( ‘ ) ≤ t if and only if σ .τ ( ‘ ) = σ ( ‘ ) by definition. But this means that S x β ( i ) = S x × yβ ( i ). Note thatin the discussion, we also cover the special case p t +1 = q = s .Assume the picked symbol is b i for an i ∈ [1 ..n ]. Since LValid β ( x × y ) = true , we eitherget a transition s i ! b i / ? b/ε −−−−−→ L s i +1 or s i = s i +1 where b ∈ S x × yβ ( i + m ) = { β ‘ | σ.τ ( ‘ ) ≤ i + m } .Note the index i + m in the set of first writes. The simple cases carry over to x × y . In thecase of a read transition, consider the following. S x × yβ ( i + m ) = { β ‘ | σ.τ ( ‘ ) ≤ i + m } = { β , . . . , β k } ∪ { β ‘ | m < σ.τ ( ‘ ) ≤ i + m } . 
The last equation holds by the definition of σ.τ. Moreover, we have σ.τ(ℓ) = τ(ℓ − k) + m if and only if σ.τ(ℓ) > m. Similarly, σ′.τ(ℓ) = τ(ℓ − k) + t if and only if σ′.τ(ℓ) > t. Hence, we get the following chain of equalities:
S^{x×y}_β(i + m) = {β_1, ..., β_k} ∪ {β_ℓ | m < τ(ℓ − k) + m ≤ i + m} = {β_1, ..., β_k} ∪ {β_ℓ | t < τ(ℓ − k) + t ≤ i + t} = {β_1, ..., β_k} ∪ {β_ℓ | t < σ′.τ(ℓ) ≤ i + t} = {β_ℓ | σ′.τ(ℓ) ≤ i + t} = S^{x′×y}_β(i + t).
This shows that b lies in the correct set S^{x′×y}_β(i + t) and completes the proof. ◀

The previous results can be used to show that short validity always implies leader validity.
Lemma 26.
Let z be a short witness of order k and β = β_1 ... β_k a first-write sequence. If Valid^sh_β(z) = true, then we have that LValid_β(z) = true.
We prove the lemma by case distinction. If ord(z) = 0, we get by the definition of short validity that β = ε and LValid_ε(z) = Valid^sh_ε(z) = true.

If ord(z) = k + 1 with 0 ≤ k < D, then, by the recursive definition of short validity, there are witnesses x ∈ Ord(k) and y ∈ Ord(1) such that z = x ⊗ y and LValid_β(x × y) = true. Since z = Shrink*(x × y), we get LValid_β(z) = true by an application of Lemma 24. ◀

We use regular languages of the form
Expr(x, α) to make visible the writes that contributors can rely on when providing the next first write. If all first writes of a sequence were already provided, the language changes slightly due to the availability of all first writes. In this case, we speak of full expressions. The definition is as follows. Let x = (w, q, σ) be a witness with w = (q_1, a_1) ... (q_n, a_n) and β a first-write sequence with |β| = ord(x). The full expression of x with respect to β is the regular language FullExpr(x, β) = Γ_1*.{a_1, ε}.Γ_2*.{a_2, ε} ... Γ_n*.{a_n, ε}, where Γ_i = Loop(q_i, S_β(i)) ∪ S_β(i). The next lemma shows that full expressions are preserved under shrinking.
Lemma 27.
For a first-write sequence β and a witness x with LValid_β(x) = true, we have FullExpr(x, β) = FullExpr(Shrink*(x), β).
We show that the full expressions are invariant under the shrink operator. Formally, we prove that
FullExpr(x, β) = FullExpr(Shrink(x), β). Invariance of leader validity under shrinking is due to Lemma 24. Hence, the lemma then follows by induction.

Let x = (w, q, σ) be the given witness with w = (q_1, a_1) ... (q_n, a_n). If Shrink(x) = x, there is nothing to show. Otherwise, there exist indices r < t with q_r = q_t such that Shrink(x) = (w′, q, σ′), where w′ = (q_1, a_1) ... (q_{r−1}, a_{r−1}).(q_t, a_t) ... (q_n, a_n). The map σ′ is given by σ′(ℓ) = σ(ℓ) if σ(ℓ) < r, σ′(ℓ) = r if r ≤ σ(ℓ) ≤ t, and σ′(ℓ) = σ(ℓ) − t + r otherwise.

Considering the full expression defined by the witness x, we obtain FullExpr(x, β) = Γ_1*.{a_1, ε} ... Γ_{r−1}*.{a_{r−1}, ε}.Γ_r*.{a_r, ε} ... Γ_t*.{a_t, ε} ... Γ_n*.{a_n, ε}, where Γ_i = Loop(q_i, S_β(i)) ∪ S_β(i). The full expression defined by Shrink(x) is given by FullExpr(Shrink(x), β) = Σ_1*.{a_1, ε} ... Σ_{r−1}*.{a_{r−1}, ε}.Σ_t*.{a_t, ε} ... Σ_n*.{a_n, ε}. To describe the Σ_i, we use the notation S′_β(i) = {β_ℓ | σ′(ℓ) ≤ i}. Then the sets are given by Σ_i = Loop(q_i, S′_β(i)) ∪ S′_β(i) for i ∈ [1..r−1], Σ_t = Loop(q_t, S′_β(r)) ∪ S′_β(r), and for i ∈ [t+1..n] we have Σ_i = Loop(q_i, S′_β(i − t + r)) ∪ S′_β(i − t + r). Note that we need the case distinction for the sets Σ_i due to the index shift that occurs when going from x to Shrink(x).

Now we show the equality of the full expressions. To this end, we split them into three parts and show equality of the individual parts. We proceed in three steps.

Step 1:
We prove the following equation to be correct:
Γ_1*.{a_1, ε} ... Γ_{r−1}*.{a_{r−1}, ε} = Σ_1*.{a_1, ε} ... Σ_{r−1}*.{a_{r−1}, ε}.
It is enough to show that Γ_i = Σ_i for i ∈ [1..r−1]. From the proof of Lemma 24, we know that S_β(i) = S′_β(i) for these indices i. Hence, we get the desired equality.

Step 2:
We show the middle parts of the expressions to be equal. Formally:
Γ_r*.{a_r, ε} ... Γ_t*.{a_t, ε} = Σ_t*.{a_t, ε}.
From the proof of Lemma 24 we know that S_β(t) = S′_β(r). Hence, we obtain the equation Σ_t = Loop(q_t, S′_β(r)) ∪ S′_β(r) = Loop(q_t, S_β(t)) ∪ S_β(t) = Γ_t. Taking this equality into account and dropping a_t, it is left to show that Γ_r*.{a_r, ε} ... Γ_t* = Γ_t*.
One inclusion is immediate. For the other one, we show that a_r, ..., a_{t−1} are contained in Γ_t and that Γ_r, ..., Γ_{t−1} are actually subsets of Γ_t.
Due to validity of x with respect to the leader, LValid_β(x) = true, we get a run ρ on the leader P_L of the form q_t = q_r -!a_r/⊥->_L q_{r+1} -!a_{r+1}/⊥->_L ... -!a_{t−1}/⊥->_L q_t, where q_i -⊥->_L q_{i+1} denotes either a read of a symbol b ∈ S_β(i) or an ε-transition. Since S_β(i) ⊆ S_β(t) for each i ∈ [r..t−1], the reads along ρ are only from the set S_β(t). This means that each a_i with i ∈ [r..t−1] is either ⊥ or occurs as a write in a loop of q_t where reads are restricted to the set S_β(t). Phrased differently, a_r, ..., a_{t−1} ∈ Loop(q_t, S_β(t)) ⊆ Γ_t.
Fix i ∈ [r..t−1]. We show that Γ_i ⊆ Γ_t. To this end, we reconsider the run ρ from above and split it into two parts with middle q_i. We denote by ρ_1 the first part q_t = q_r →_L ··· →_L q_i. By ρ_2, we denote the latter part q_i →_L ··· →_L q_t. Now let b ∈ Γ_i = Loop(q_i, S_β(i)) ∪ S_β(i). Then either b ∈ S_β(i) ⊆ S_β(t) ⊆ Γ_t, or b appears as a write in a loop at q_i where reading is restricted to S_β(i) ⊆ S_β(t). If b appears as a write, we can append ρ_1 as a prefix and ρ_2 as a postfix to the corresponding run. Then b appears as a write in a loop at q_t while reading is restricted to S_β(t). Hence, b ∈ Loop(q_t, S_β(t)) ⊆ Γ_t.

Step 3:
We prove the equivalence of the latter parts of the expressions:
Γ_{t+1}*.{a_{t+1}, ε} ... Γ_n*.{a_n, ε} = Σ_{t+1}*.{a_{t+1}, ε} ... Σ_n*.{a_n, ε}.
It suffices to show that Γ_i = Σ_i for i ∈ [t+1..n]. To this end, let i ∈ [t+1..n] be fixed. As before, we refer to the proof of Lemma 24 and obtain S_β(i) = S′_β(i − t + r). It yields Σ_i = Loop(q_i, S′_β(i − t + r)) ∪ S′_β(i − t + r) = Loop(q_i, S_β(i)) ∪ S_β(i) = Γ_i.
Altogether, the full expression is preserved under shrinking. This completes the proof. ◀
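For intuition, the full expressions compared in this lemma can also be rendered concretely. The following toy Python sketch is not from the paper; it assumes single-character memory values and renders FullExpr as a regular expression.

```python
import re

def full_expr_regex(gammas, firsts):
    """Sketch of FullExpr(x, beta) = G1*{a1,e} G2*{a2,e} ... Gn*{an,e}
    as a regex; gammas[i] is the set Gamma_i+1 and firsts[i] is the
    symbol a_i+1, or None for the bottom symbol (read as epsilon)."""
    parts = []
    for g, a in zip(gammas, firsts):
        gs = "".join(sorted(g))
        if gs:
            parts.append("[%s]*" % re.escape(gs))
        if a:
            parts.append("(?:%s)?" % re.escape(a))
    return "^" + "".join(parts) + "$"
```

In this rendering, Lemma 27 states that building the regex from x and from Shrink*(x) yields the same language, since the shrunken sets Σ_i coincide with the corresponding Γ_i after the index shift.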
A further tool that we use in the proof of Lemma 11 is the blow up of witnesses. It allows us to increase the order of a first-order witness. Let x = (w, q, σ) be a first-order witness. Moreover, let k ∈ N be a natural number such that k < D. Then we extend x to a witness of order k+1 by mapping k first writes to the first position and the remaining first write to the position indicated by σ. The (k+1)-blow up of x is the witness x^(k+1) = (w, q, σ^(k+1)), where σ^(k+1) : [1..k+1] → [1..n] is given by σ^(k+1)(i) = 1 if i ∈ [1..k], and σ^(k+1)(i) = σ(1) if i = k+1.

The following lemma states that the (full) expression of a product is the concatenation of the full expression of the left factor and the (full) expression of the blow up of the right factor.
Lemma 28.
Let x be a witness of order k < D and y a first-order witness. Moreover, let β = β_1 ... β_{k+1} be a first-write sequence and let β′ denote the prefix β_1 ... β_k. Then we have
a) FullExpr(x × y, β) = FullExpr(x, β′) . FullExpr(y^(k+1), β),
b) Expr(x × y, β) = FullExpr(x, β′) . Expr(y^(k+1), β).

Proof.
We first prove Part a). To this end, we let x = ( w, q, σ ) with w = ( q , a ) . . . ( q n , a n )and y = ( v, p, τ ) with v = ( p , b ) . . . ( p m , b m ) and p = q . Consider the witness concatenation x × y = ( w.v, p, σ.τ ). The full expression of it is given by FullExpr ( x × y, β ) = Γ ∗ . { a , ε } . . . Γ ∗ n . { a n , ε } . Σ ∗ . { b , ε } . . . Σ ∗ m . { b m , ε } . In the language, we have Γ i = Loop( q i , S x × yβ ( i )) ∪ S x × yβ ( i ) for each i ∈ [1 ..n ] and similarlyΣ i = Loop( p i , S x × yβ ( i + n )) ∪ S x × yβ ( i + n ) for i ∈ [1 ..m ].Let i ∈ [1 ..n ]. Then, by definition of σ.τ , we obtain the following: S x × yβ ( i ) = { β ‘ | σ.τ ( ‘ ) ≤ i } = { β ‘ ∈ β | σ ( ‘ ) ≤ i } = S xβ ( i ) . This implies that Γ i = Loop( q i , S xβ ( i )) ∪ S xβ and hence we get the following equality: FullExpr ( x, β ) = Γ ∗ . { a , ε } . . . Γ ∗ n . { a n , ε } . It is left to show that
FullExpr(y^(k+1), β) = Σ_1^* . {b_1, ε} . … . Σ_m^* . {b_m, ε}.

Let the blow-up of y be denoted by y^(k+1) = (v, p, τ^(k+1)). Then, its full expression is given by

FullExpr(y^(k+1), β) = L_1^* . {b_1, ε} . … . L_m^* . {b_m, ε},

where L_i = Loop(p_i, S^(k+1)_β(i)) ∪ S^(k+1)_β(i) with S^(k+1)_β(i) = { β_ℓ | τ^(k+1)(ℓ) ≤ i }. We show that L_i = Σ_i for each i ∈ [1..m]. To this end, it is enough to prove the equality of the first-write sets S^(k+1)_β(i) = S^{x×y}_β(i+n).

By definition, we get the following for i ∈ [1..m]:

S^(k+1)_β(i) = { β_1, …, β_k } ∪ { β_{k+1} } if τ(1) ≤ i, and S^(k+1)_β(i) = { β_1, …, β_k } otherwise.

By definition of the map σ.τ, the sets { β_1, …, β_k } and { β_ℓ | σ.τ(ℓ) ≤ n } are equal. Hence, we can rewrite the above expression. Note that τ(1) > 0. We obtain:

S^(k+1)_β(i) = { β_ℓ | σ.τ(ℓ) ≤ n } ∪ { β_{k+1} } if n < τ((k+1) − k) + n ≤ i + n, and without { β_{k+1} } otherwise.

Then, by definition it follows that

S^(k+1)_β(i) = { β_ℓ | σ.τ(ℓ) ≤ n } ∪ { β_{k+1} } if n < σ.τ(k+1) ≤ i + n (and without { β_{k+1} } otherwise) = { β_ℓ | σ.τ(ℓ) ≤ i + n } = S^{x×y}_β(i+n).

For Part b), consider the expression of x × y:

Expr(x × y, β) = Γ_1^* . {a_1, ε} . … . Γ_n^* . {a_n, ε} . Σ_1^* . {b_1, ε} . … . Σ_j^*,

where j + n = σ.τ(k+1). Note that this implies j = τ(1). The sets Γ_i and Σ_i are given by Γ_i = Loop(q_i, S^{x×y}_{β′}(i)) ∪ S^{x×y}_{β′}(i) for i ∈ [1..n] and Σ_i = Loop(p_i, S^{x×y}_{β′}(i+n)) ∪ S^{x×y}_{β′}(i+n) for i ∈ [1..j]. Note that the first writes refer to β′; we have S^{x×y}_{β′}(i) = { β_ℓ ∈ β′ | σ.τ(ℓ) ≤ i }.

Let i ∈ [1..n]. Then we obtain from the definition of σ.τ:

S^{x×y}_{β′}(i) = { β_ℓ ∈ β′ | σ(ℓ) ≤ i } = S^x_{β′}(i).

Similarly to the proof of Part a), we obtain
FullExpr(x, β′) = Γ_1^* . {a_1, ε} . … . Γ_n^* . {a_n, ε}.

It is left to show that Expr(y^(k+1), β) = Σ_1^* . {b_1, ε} . … . Σ_j^*. By definition, we obtain

Expr(y^(k+1), β) = L_1^* . {b_1, ε} . … . L_{j′}^*,

where j′ = τ^(k+1)(k+1) = τ(1) = j and L_i = Loop(p_i, S^(k+1)_{β′}(i)) ∪ S^(k+1)_{β′}(i). Now let i ∈ [1..j]. Since τ^(k+1) maps the first writes β_1, …, β_k to position 1, we obtain:

S^(k+1)_{β′}(i) = { β_ℓ ∈ β′ | τ^(k+1)(ℓ) ≤ i } = { β_1, …, β_k }.

The map σ.τ maps the first writes β_1, …, β_k to positions at most n. Hence, we get

S^{x×y}_{β′}(i+n) = { β_ℓ ∈ β′ | σ.τ(ℓ) ≤ i + n } = { β_1, …, β_k } = S^(k+1)_{β′}(i).

This implies L_i = Σ_i and completes the proof. ◀

Under certain assumptions, the shrinking operator and the blow-up commute. The next lemma formalizes this observation. The technical assumption that we have to make is that σ maps the (only) first write to the first position in the word of the witness. ▶ Lemma 29.
Let x = (w, q, σ) be a first-order witness with σ(1) = 1. Let y = Shrink^*(x). For each k < D, we have the equality Shrink^*(x^(k+1)) = y^(k+1).

Proof.
The witness y is obtained by shrinking x. Hence, we get that y is of the form y = (w′, q, σ). Note that σ will not change under shrinking since σ(1) = 1 is its only value. Now consider the blow-up of x, x^(k+1) = (w, q, σ^(k+1)). Due to the definition of the blow-up, σ^(k+1) is the constant 1-map.

Shrinking x^(k+1) will result in a short witness Shrink^*(x^(k+1)) = (w′, q, σ^(k+1)). Note that the word w′ coincides with the word of y. Moreover, σ^(k+1) is preserved under shrinking since it is the constant 1-map. If we blow up y, we get y^(k+1) = (w′, q, σ^(k+1)). Hence, we obtain the desired equality, which completes the proof. ◀

Finally, we need a lemma which transforms a witness into a similar witness that separates the last first write. Technically, we need that the first-write map σ is strictly increasing for the last element it maps. The lemma is key to the induction step in the proof of Lemma 11. ▶ Lemma 30.
Let x = (w, q, σ) ∈ Wit be a witness of order k + 1 with k < D and β a first-write sequence with LValid_β(x) ∧ CValid_β(x) = true. Then, we can construct a witness x̂ = (ŵ, q, σ̂) with init(x̂) = init(x) and LValid_β(x̂) ∧ CValid_β(x̂) = true that satisfies σ̂(i) < σ̂(k+1) for each i ∈ [1..k].

Proof. If x already satisfies σ(i) < σ(k+1) for all i ∈ [1..k], we set x̂ = x. Otherwise, let σ(k+1) = p. We can write the word w as follows:

w = (q_1, a_1) … (q_{p−1}, a_{p−1}) . (q_p, a_p) … (q_n, a_n).

The idea in the construction of ŵ is to prolong the word w by a copy of q_p so that two different positions in ŵ refer to the state. To this end, set

ŵ = (q_1, a_1) … (q_{p−1}, a_{p−1}) . (q_p, ⊥) . (q_p, a_p) … (q_n, a_n).
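For concreteness, the prolongation of w and the shifted first-write map can be phrased as a small program. The list representation of witnesses below is ours (w as a list of (state, symbol) pairs, σ as a 1-based position list, ⊥ encoded as None), and the sketch only covers the non-trivial case of the construction:

```python
def separate_last_first_write(witness):
    """Transformation from Lemma 30 (representation ours): duplicate the
    state at position p = sigma(k+1) with a bottom marker so that the last
    first write gets its own, strictly larger position p + 1.  The identity
    case (property already satisfied) is omitted here.
    """
    w, q, sigma = witness
    p = sigma[-1]
    # insert the copy (q_p, ⊥) directly before position p
    w_hat = w[:p - 1] + [(w[p - 1][0], None)] + w[p - 1:]
    # sigma_hat agrees with sigma on [1..k] and maps k+1 to p + 1
    sigma_hat = sigma[:-1] + [p + 1]
    return (w_hat, q, sigma_hat)
```

Under this encoding, all positions below p are untouched and the last first write is moved past the freshly inserted ⊥-position, mirroring the index shift discussed in the proof.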
The map σ̂ is defined by σ̂(i) = σ(i) for i ∈ [1..k] and σ̂(k+1) = p + 1. Since σ is monotonically increasing, we obtain the desired property σ̂(i) < σ̂(k+1) from the definition. Moreover, x̂ satisfies init(x̂) = init(x). It is left to show that x̂ is valid for the leader and the contributors wrt. β.

For the leader validity, we first compare the sets S_β(j), associated to x, with Ŝ_β(j), associated to x̂. Since we shift the index in the construction of ŵ, we will also get an index shift when moving from S_β(j) to Ŝ_β(j). We reflect this in a case distinction. For the first case, let j ∈ [1..p−1]. Then

Ŝ_β(j) = { β_ℓ | σ̂(ℓ) ≤ j } = { β_ℓ | σ(ℓ) ≤ j } = S_β(j).

The equation comes from the fact that σ̂(ℓ) = σ(ℓ) if σ(ℓ) ≤ j and j ≤ p − 1. For j = p, consider the following equivalence. It follows from σ̂(ℓ) ≤ p for each ℓ ∈ [1..k] and σ(ℓ) ≤ p for any ℓ ∈ [1..k+1]:

Ŝ_β(p) = { β_1, …, β_k } = S_β(p) \ { β_{k+1} }.

In the last case, let j ∈ [p+1..n+1]. Then, σ̂ maps all the elements of β to a position that is at most j. We have that Ŝ_β(j) = { β_1, …, β_{k+1} }. The map σ maps to positions that are strictly smaller than j, so S_β(j−1) = { β_1, …, β_{k+1} }. Hence, Ŝ_β(j) = S_β(j−1).

Now we prove leader validity for each position j ∈ [1..n+1] along the same case distinction. Let j ∈ [1..p−1]. We have to show that either q_j = q_{j+1} or there is a transition q_j −!a_j/ε/?b→_L q_{j+1} with b ∈ Ŝ_β(j). By the leader validity of x we get that either the states are equal or that there is a transition q_j −!a_j/ε/?b→_L q_{j+1} with b ∈ S_β(j). Since Ŝ_β(j) = S_β(j) in that case, leader validity holds for position j.

Consider the case j = p. By the definition of ŵ we have that q_p is the state of positions p and p + 1. Hence, the states of the positions coincide and leader validity for position p holds. For the last case, let j ∈ [p+1..n+1]. By LValid_β(x) = true we either get that q_{j−1} = q_j or we obtain a transition q_{j−1} −!a_{j−1}/ε/?b→_L q_j with b ∈ S_β(j−1) = Ŝ_β(j). Hence, leader validity also holds in this case and we get that LValid_β(x̂) = true.

Now we prove that CValid_β(x̂) = true. To this end, we show that the positions of the first writes within β′, a prefix of β_1 … β_k, under σ̂ and σ are the same. Let j ∈ [1..p]. Then

Ŝ_{β′}(j) = { β_ℓ ∈ β′ | σ̂(ℓ) ≤ j } = { β_ℓ ∈ β′ | σ(ℓ) ≤ j } = S_{β′}(j).

Note that for the equality it is important to consider prefixes β′ which exclude the first write β_{k+1}. For j ∈ [p+1..n+1] we have that Ŝ_{β′}(j) = { β_1, …, β_d } = S_{β′}(j−1), where β_1 … β_d = β′ denotes the considered prefix.

Now we prove the equivalence of the expressions induced by x, x̂, and β. Let i ∈ [1..k] and β′ = β_1 … β_{i−1} a prefix. If we use the notation Σ_j = Loop(q_j, Ŝ_{β′}(j)) ∪ Ŝ_{β′}(j) and Γ_j = Loop(q_j, S_{β′}(j)) ∪ S_{β′}(j), we get the following two expressions:

Expr(x̂, β′) = Σ_1^* . {a_1, ε} . … . Σ_{σ̂(i)}^*,  Expr(x, β′) = Γ_1^* . {a_1, ε} . … . Γ_{σ(i)}^*.

Since i ≤ k, we get that σ̂(i) = σ(i) and σ̂(i) ≤ p. Thus, Ŝ_{β′}(j) = S_{β′}(j) for each j ∈ [1..σ̂(i)]. This implies that Σ_j = Γ_j and that the above expressions are the same.

For i = k + 1, the first-write sequence of interest is β′ = β_1 … β_k. In this case, the expressions are of the form

Expr(x̂, β′) = Σ_1^* . {a_1, ε} . … . Σ_p^* . {ε} . Σ_{p+1}^*,  Expr(x, β′) = Γ_1^* . {a_1, ε} . … . Γ_p^*.

For j ≤ p, we get that Ŝ_{β′}(j) = S_{β′}(j) by our earlier consideration. If j = p + 1, we obtain Ŝ_{β′}(p+1) = S_{β′}(p). Hence, we get that Σ_j = Γ_j for all j ∈ [1..p] and Σ_{p+1} = Γ_p. Then the expressions again coincide.

Since CValid_β(x) = ∧_{i ∈ [1..k+1]} CValid^i_β(x) = true, we get that for each i ∈ [1..k+1] the intersection Expr(x, β′) ∩ h(Trace_C(Q_i)) is non-empty, where β′ = β_1 … β_{i−1}. Now we can replace Expr(x, β′) by Expr(x̂, β′) in each intersection and obtain that CValid^i_β(x̂) = true for each i ∈ [1..k+1], which implies CValid_β(x̂) = true. ◀

Finally, we turn to the proof of Lemma 11.
Proof.
We fix a state q ∈ Q_L and a first-write sequence β. For the first direction of the lemma, let a witness x = (w, q, σ) ∈ Wit with LValid_β(x) ∧ CValid_β(x) = true be given.

First Direction:
By induction on the order of x, we prove a statement slightly stronger than depicted in the lemma. We show that there is a short witness z = (w′, q, σ′) with init(z) = init(x), ord(z) = ord(x), FullExpr(z, β) = FullExpr(x, β), and Valid^sh_β(z) = true.

For the induction basis, consider the case where ord(x) = 0. Then, β = ε. We set z = Shrink^*(x). Note that shrinking preserves initial state, target state, and order. Hence, the short witness z is of the form (w′, q, σ′) with init(z) = init(x) and ord(z) = 0. Recall that in this case, validity of z is defined by Valid^sh_ε(z) = LValid_ε(z). Hence, we need to show validity of z with respect to the leader. Since LValid_ε(x) = true by assumption, we obtain from Lemma 24 that LValid_ε(z) = true. It is left to show that the full expressions of z and x coincide. But this follows immediately from Lemma 27.

Now assume that ord(x) = k + 1 for a k ∈ N with k < D. Then, β = β_1 … β_{k+1}. We denote the prefix β_1 … β_k of the first-write sequence by β′. Let σ(k+1) = p. Then, we can write the word w as

w = (q_1, a_1) … (q_{p−1}, a_{p−1}) . (q_p, a_p) … (q_n, a_n).

By Lemma 30, we can assume that σ(i) < p for each i ∈ [1..k]. We define the word w_pre = (q_1, a_1) … (q_{p−1}, a_{p−1}) to be the prefix of w up to the (p−1)-st position and w_po = (q_p, a_p) … (q_n, a_n) to be the remaining suffix. Moreover, we define the map σ_pre to be the restriction of σ to [1..k]. Formally, σ_pre : [1..k] → [1..p−1] with σ_pre(i) = σ(i). We further define σ_po to map a single first write to the first position, σ_po(1) = 1. Intuitively, σ_po is the map responsible for the last first write β_{k+1}. With these definitions we can split the witness x into the following two witnesses:

x_pre = (w_pre, q_p, σ_pre) and x_po = (w_po, q, σ_po).

By definition, we get that x = x_pre × x_po. Moreover, the orders are given by ord(x_pre) = k and ord(x_po) = 1. We want to apply the induction hypothesis to x_pre. To this end, we need to show that LValid_{β′}(x_pre) ∧ CValid_{β′}(x_pre) = true.

For the leader validity, we use the fact that LValid_β(x) = true. Let j ∈ [1..p−1]. By the leader validity of x, either q_j = q_{j+1} or there exists a transition q_j −!a_j/ε/?b→_L q_{j+1} with b ∈ S_β(j). For the set S_β(j), we have the following equivalence:

S_β(j) = { β_ℓ ∈ β | σ(ℓ) ≤ j } = { β_ℓ ∈ β′ | σ(ℓ) ≤ j } = { β_ℓ ∈ β′ | σ_pre(ℓ) ≤ j } = S^pre_{β′}(j).

The first equality is by definition, the second by the fact that j ≤ p − 1 < σ(k+1). The remaining equalities are again due to definition. Hence, LValid_{β′}(x_pre) = true.
In order to see that x_pre is valid for the contributors wrt. β′, consider the expressions induced by x and x_pre. Let i ∈ [1..k]. Since S^pre_{β′}(j) = S_β(j) for j ∈ [1..p−1], we get

Expr(x_pre, β_1 … β_{i−1}) = Expr(x, β_1 … β_{i−1}).

Hence, contributor validity carries over to the witness x_pre: CValid^i_{β′}(x_pre) = CValid^i_β(x) = true. This means that also the conjunction of these values is true, CValid_{β′}(x_pre) = true.

Now we can apply induction to x_pre and obtain a short witness c = (w_c, q_p, σ_c) ∈ Ord(k) with init(c) = q_1, Valid^sh_{β′}(c) = true, and FullExpr(c, β′) = FullExpr(x_pre, β′). The witness c is the first of two short witnesses that we will use in the recursion for short validity. The second witness is denoted by d = (w_d, q, σ_d) and is defined by d = Shrink^*(x_po). Then by definition, d ∈ Ord(1), init(d) = q_p, and σ_d(1) = 1. Note that the target state of c and the initial state of d match. Hence, the witness concatenation c × d is well-defined.

The short witness of interest is then defined by z = c ⊗ d ∈ Ord(k+1). Hence, ord(z) = ord(x). Furthermore, we immediately get that z is of the form z = (w_z, q, σ_z) and that init(z) = init(c) = q_1 = init(x). It is therefore left to show that z is valid, Valid^sh_β(z) = true, and that the full expressions coincide, FullExpr(z, β) = FullExpr(x, β).

We first focus on the validity of z. To this end, we make use of the recursive definition of Valid^sh_β(z). It is enough to show that LValid_β(c × d) = true and that CValid^{k+1}_β(c × d) = true. Note that [z = c ⊗ d] is true by definition and Valid^sh_{β′}(c) = true holds by induction.

Leader validity of c × d wrt. β is obtained from the following chain of implications:

LValid_β(x) ⟹ LValid_β(x_pre × x_po) ⟹ LValid_β(c × x_po) ⟹ LValid_β(c × d).

First note that LValid_β(x) = true by assumption. The first implication is due to the fact that x = x_pre × x_po.
For the second, we use that Valid^sh_{β′}(c) = true. We apply Lemma 26 and obtain that LValid_{β′}(c) = true. Then, by Lemma 25, we get that LValid_β(c × x_po) = true. The last implication is again an application of Lemma 25 since d = Shrink^*(x_po).

Next, we show that CValid^{k+1}_β(c × d) = true. To this end, we prove

Expr(x, β) = Expr(c × d, β).

Since CValid^{k+1}_β(x) = true by assumption, the equality of expressions implies that also CValid^{k+1}_β(c × d) evaluates to true. Consider the expression of c × d = (w_c.w_d, q, σ_{c×d}) at β. We have that

Expr(c × d, β) = FullExpr(c, β′) . Γ_p^*,

where Γ_p = Loop(q_p, S^{c×d}_{β′}(|w_c|+1)) ∪ S^{c×d}_{β′}(|w_c|+1). The set of first writes S^{c×d}_{β′}(|w_c|+1) is given by { β_ℓ ∈ β′ | σ_{c×d}(ℓ) ≤ |w_c|+1 }. The equality holds since σ_{c×d}(k+1) = |w_c|+1, a fact that follows from σ_d(1) = 1. Since FullExpr(c, β′) = FullExpr(x_pre, β′), we get that

Expr(c × d, β) = FullExpr(x_pre, β′) . Γ_p^*.

Now note that S^{c×d}_{β′}(|w_c|+1) = { β_1, …, β_k }. This is due to σ_{c×d}(ℓ) = σ_c(ℓ) ≤ |w_c| for all ℓ ∈ [1..k]. Moreover, we have the following equality of sets:

S^x_{β′}(p) = { β_ℓ ∈ β′ | σ(ℓ) ≤ p } = { β_1, …, β_k } = S^{c×d}_{β′}(|w_c|+1).

Hence, we obtain that Γ_p = Loop(q_p, S^x_{β′}(p)) ∪ S^x_{β′}(p). Considering the expression of x at β, we then get the following:

Expr(x, β) = Expr(x_pre × x_po, β) = FullExpr(x_pre, β′) . Γ_p^*,

since σ(k+1) = p. Thus, we have the desired equality.

Finally, we prove that the full expressions of z and x coincide. To this end, we start with FullExpr(x, β) and transform it step by step to FullExpr(z, β). We begin with the following equalities, which are consequences of x = x_pre × x_po and Lemma 28:

FullExpr(x, β) = FullExpr(x_pre × x_po, β) = FullExpr(x_pre, β′) . FullExpr(x_po^(k+1), β).
Since d = Shrink^*(x_po) and σ_po(1) = 1, we get by Lemma 29 that d^(k+1) = Shrink^*(x_po^(k+1)). Hence, we obtain from Lemma 27 that FullExpr(x_po^(k+1), β) = FullExpr(d^(k+1), β). Note that x_po^(k+1) is leader valid wrt. β since x_po is. Now we use that FullExpr(x_pre, β′) = FullExpr(c, β′) and get the equality:

FullExpr(x_pre, β′) . FullExpr(x_po^(k+1), β) = FullExpr(c, β′) . FullExpr(d^(k+1), β).

We apply Lemma 28 and Lemma 27 again. Note that z = Shrink^*(c × d) by definition.

FullExpr(c, β′) . FullExpr(d^(k+1), β) = FullExpr(c × d, β) = FullExpr(z, β).

This completes the first direction of the proof.
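The two combinatorial operations driving the induction — splitting a witness at the position of the last first write and blowing up a first-order witness — are plain index manipulations. A sketch under an assumed list representation (w as a list of (state, symbol) pairs, σ as a 1-based position list; names are ours, not from the paper):

```python
def split_witness(witness):
    """Split x of order k+1 at p = sigma(k+1) into x_pre (order k) and
    x_po (order 1), as in the induction step above."""
    w, q, sigma = witness
    p = sigma[-1]
    q_p = w[p - 1][0]                     # state at position p
    x_pre = (w[:p - 1], q_p, sigma[:-1])  # sigma_pre = sigma restricted to [1..k]
    x_po = (w[p - 1:], q, [1])            # sigma_po maps its first write to 1
    return x_pre, x_po

def blow_up(witness, k):
    """(k+1)-blow-up of a first-order witness: k first writes are mapped
    to position 1, the last one to the position sigma indicated."""
    w, q, sigma = witness
    assert len(sigma) == 1, "blow-up is defined on first-order witnesses"
    return (w, q, [1] * k + [sigma[0]])
```

Note that under Lemma 30's normal form (σ(i) < p for i ≤ k), the split is lossless: concatenating x_pre and x_po recovers x up to the representation of σ.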
Second Direction:
Now let a short witness z = (w′, q, σ′) with Valid^sh_β(z) = true be given. Like above, we employ induction to prove a slightly stronger statement. We show that there is a witness x = (w, q, σ) ∈ Wit with init(x) = init(z), order ord(x) = ord(z), FullExpr(x, β) = FullExpr(z, β), and LValid_β(x) ∧ CValid_β(x) = true.

For the induction basis, let ord(z) = 0. In this case, β = ε. Set x = z. Then we only need to argue that LValid_ε(x) = true and CValid_ε(x) = true. The latter holds since validity for contributors with empty first-write sequence is always true. Leader validity of x holds since LValid_ε(x) = LValid_ε(z) = Valid^sh_ε(z) = true.

Let ord(z) = k + 1 for k < D. Then, the first-write sequence is given by β = β′.β_{k+1} with β′ = β_1 … β_k. Since Valid^sh_β(z) = true, we get by the recursive definition of short validity two witnesses c ∈ Ord(k) and d ∈ Ord(1) such that z = c ⊗ d, LValid_β(c × d) = true, CValid^{k+1}_β(c × d) = true, and Valid^sh_{β′}(c) = true. We denote c by (w_c, q_c, σ_c) and d similarly by (w_d, q_d, σ_d). Note that init(c) = init(z) and q_d = q.

Since c is a valid short witness of order k, we can apply induction. We obtain a witness x′ = (w_{x′}, q_c, σ_{x′}) ∈ Wit with initial state init(x′) = init(c) = init(z), order ord(x′) = k, full expression FullExpr(x′, β′) = FullExpr(c, β′), and LValid_{β′}(x′) ∧ CValid_{β′}(x′) = true.

The desired witness is x = x′ × d. Note that the concatenation is well-defined and that it immediately satisfies x = (w, q, σ), init(x) = init(z), and ord(x) = k + 1. Hence, it is left to show that LValid_β(x) = true, CValid_β(x) = true, and that the full expressions of x and z coincide, FullExpr(x, β) = FullExpr(z, β).

We begin with leader validity. Since LValid_β(c × d) = true and LValid_{β′}(x′) = true, we can apply Lemma 25.
It guarantees that LValid_β(x′ × d) = true, which is what we wanted.

For contributor validity, consider the following. We have seen that CValid_{β′}(x′) = true by induction. This means that each predicate CValid^i_{β′}(x′) in the conjunction evaluates to true. We look at the corresponding expressions. For x′ and x = x′ × d, they are equivalent:

Expr(x′, β_1 … β_{i−1}) = Expr(x, β_1 … β_{i−1}) for each i ∈ [1..k].

The equation is due to σ(i) = σ_{x′}(i) for i ≤ k. Since CValid^i_{β′}(x′) = true, also the predicate CValid^i_β(x) evaluates to true for i ∈ [1..k]. It is left to argue that
CValid^{k+1}_β(x) = true. We make use of the fact that CValid^{k+1}_β(c × d) = true and we show that the corresponding expressions of x and c × d coincide. To this end, consider

Expr(x, β) = Expr(x′ × d, β) = FullExpr(x′, β′) . Expr(d^(k+1), β).

The second equation follows by Lemma 28. Since the full expressions of x′ and c coincide by induction, we get the following equations by invoking Lemma 28 again:

FullExpr(x′, β′) . Expr(d^(k+1), β) = FullExpr(c, β′) . Expr(d^(k+1), β) = Expr(c × d, β).

This proves that the expressions are the same and that contributor validity carries over to x. We get CValid^{k+1}_β(x) = true and hence CValid_β(x) = true.

We show that the full expressions of x and z coincide. To this end, consider

FullExpr(x, β) = FullExpr(x′, β′) . FullExpr(d^(k+1), β)
             = FullExpr(c, β′) . FullExpr(d^(k+1), β)
             = FullExpr(c × d, β)
             = FullExpr(z, β).

The first and the third equation are due to Lemma 28. The second equation holds since the full expressions of x′ and c are equivalent. Finally, the last equation is due to Lemma 27, which we can apply since z = Shrink^*(c × d). ◀

Proof of Proposition 12
It is left to explain the complexity. Since there are O((LD)^L) many short witnesses and O(D^D) first-write sequences, the table has O((LD)^L · D^D) = (L·D)^{O(L+D)} many entries.

To compute a single entry, we split z into x and y by iterating over the short witnesses of order k − 1, of which there are O((LD)^L). Checking whether z = x ⊗ y and evaluating LValid_β(x × y) ∧ CValid^{k+1}_β(x × y) can be done in polynomial time. Moreover, the value Valid^sh_{β′}(x) can be looked up in the table. Hence, computing an entry takes time (LD)^{O(L)}.

The complete table, and hence all the values Valid^sh_β(z), can thus be computed in time (LD)^{O(L+D)} · (LD)^{O(L)} = (LD)^{O(L+D)} = (L + D)^{O(L+D)}.

Obtaining the Interfaces
Let z = (w, q, σ) with w = (q_1, a_1) … (q_n, a_n) and β a first-write sequence with Valid^sh_β(z) = true. The state q is the target state fixed by the witness. The data value a is the last symbol written in a computation along z. It can either be a_n or an arbitrary first write in β.

What remains is to compute the set of all contributor states that are reachable while conforming to the given short witness. We do this by iterating over all contributor states and checking whether each is reachable through the short witness. We start with an empty set of reachable contributor states and inductively build the required set by saturation. For each state c ∈ Q_C of the contributor, we check whether the contributor can reach the state c from the initial state when provided with the short witness as support from the leader, i.e., we check Expr((w, q, σ), β) ∩ h(Trace_C({c})) ≠ ∅. If the intersection is non-empty, then we add c to the set S. Iterating this procedure over all states of the contributor gives us the required set of reachable states S.

C Proofs of Section 5
We provide proofs and details for Section 5.
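Two algorithmic ingredients recur in the proofs below: evaluating the contributor part of Writes_SCC(Γ) via an SCC decomposition of G_S(Γ) (Lemma 18), and iterating the operator Γ ↦ Writes(SCCdcmp_S(Γ)) to a stable set, which is sound by monotonicity (Lemma 15). The sketch below is ours: contributor transitions are encoded ad hoc as tuples (p, op, b, p′) with op ∈ {'?', '!'}, Kosaraju's algorithm stands in for Tarjan's (same asymptotics, same decomposition), and the leader part Writes_L is omitted.

```python
def writes_c(states, delta_c, X):
    """Contributor writes occurring inside the X-SCC decomposition of G_S(X)."""
    succ = {s: [] for s in states}
    pred = {s: [] for s in states}
    for p, op, b, p2 in delta_c:
        if op == '!' or b in X:          # edges of G_S(X): writes, reads within X
            succ[p].append(p2)
            pred[p2].append(p)

    seen, order = set(), []              # pass 1: DFS finishing order
    for root in states:
        if root in seen:
            continue
        seen.add(root)
        stack = [(root, iter(succ[root]))]
        while stack:
            node, it = stack[-1]
            for nxt in it:
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append((nxt, iter(succ[nxt])))
                    break
            else:
                order.append(node)
                stack.pop()

    comp, current = {}, 0                # pass 2: components of the reverse graph
    for root in reversed(order):
        if root in comp:
            continue
        comp[root] = current
        stack = [root]
        while stack:
            node = stack.pop()
            for nxt in pred[node]:
                if nxt not in comp:
                    comp[nxt] = current
                    stack.append(nxt)
        current += 1

    # a write p -!b-> p2 within one SCC contributes the symbol b
    return {b for p, op, b, p2 in delta_c if op == '!' and comp[p] == comp[p2]}

def greatest_stable_set(operator, domain):
    """Kleene iteration Gamma -> operator(Gamma), started at the full domain D.
    Monotonicity (Lemma 15) makes the iterates a decreasing chain, so the loop
    stops after at most |D| rounds in the greatest stable set (possibly empty)."""
    gamma = frozenset(domain)
    while True:
        nxt = frozenset(operator(gamma))
        if nxt == gamma:
            return gamma
        gamma = nxt
```

This is a sketch of the technique, not the paper's implementation; in particular, the full operator would also add the leader writes Writes_L computed on the automaton P_L.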
Proof of Lemma 15
Let Γ ⊆ Γ′ be two subsets of D. Since the set of writes Writes(SCCdcmp_S(Γ)) splits into Writes_C(SCCdcmp_S(Γ)) and Writes_L(SCCdcmp_S(Γ)), we show the two inclusions

Writes_C(SCCdcmp_S(Γ)) ⊆ Writes_C(SCCdcmp_S(Γ′)), and
Writes_L(SCCdcmp_S(Γ)) ⊆ Writes_L(SCCdcmp_S(Γ′)).

To this end, let
SCCdcmp_S(Γ) = (S_1, …, S_ℓ) and SCCdcmp_S(Γ′) = (T_1, …, T_k) be the Γ-SCC decomposition and the Γ′-SCC decomposition of S.

For the first inclusion, take an element b ∈ Writes_C(S_1, …, S_ℓ). By definition, there are states p, p′ in a set S_i and a transition p −!b→_C p′. Since p, p′ are in S_i, they are strongly connected in the graph G_S(Γ). Hence, the states are also strongly connected in G_S(Γ′). In fact, Γ ⊆ Γ′ implies that all the edges of G_S(Γ) are also present in G_S(Γ′). Given that (T_1, …, T_k) is the Γ′-SCC decomposition of S, the states p and p′ have to lie in one set T_j. Hence, b occurs as a write within a set of (T_1, …, T_k), which means b ∈ Writes_C(T_1, …, T_k).

It is left to show the second inclusion. Let b ∈ Writes_L(S_1, …, S_ℓ). Then, there are words u, v ∈ Op(D)^* such that (q, a) −u.!b.v→_{L(Γ)} (q, a). Recall that →_{L(Γ)} is the transition relation of the automaton P_{L(Γ)}. It restricts the transitions of the leader to reads within the set Writes_C(S_1, …, S_ℓ) and keeps track of the current memory content. The latter may change due to a contributor write in Writes_C(S_1, …, S_ℓ). Since we already know that Writes_C(S_1, …, S_ℓ) ⊆ Writes_C(T_1, …, T_k), the automaton P_{L(Γ′)} contains all the transitions of P_{L(Γ)}. Hence, the sequence of transitions (q, a) −u.!b.v→_{L(Γ)} (q, a) in P_{L(Γ)} can also be carried out in P_{L(Γ′)}. By definition, b ∈ Writes_L(T_1, …, T_k). ◀

Proof of Proposition 17
We give an idea for proving the reverse direction. A formal proof will be given afterwards. Let Γ be given. We do not directly construct a saturated cycle, but a balanced computation ρ = c →^+ d where d and c coincide up to the order of contributor states. Phrased differently, d is a permutation of c. Moreover, ρ is saturated in the above sense. Since d contains the same contributor states as c, ρ can also be started in d. This yields d →^+ d′ where d′ is a new permutation of c. Since there are only finitely many permutations, we eventually get a computation c →^* e →^+_sat e and hence a saturated cycle.

Let SCCdcmp_S(Γ) = (S_1, …, S_ℓ). To construct ρ, we first fix the behavior of the leader. Formally, we pick a run ρ_L of P_L from (q, a) to (q, a) that, on its way, writes all the symbols in Writes_L(S_1, …, S_ℓ). Note that such a run exists. We let t denote its length. To execute ρ_L properly, we have to provide the reads that it needs on the way. Since these are from the set Writes_C(S_1, …, S_ℓ), we construct supporting runs of the contributors providing them. Let b ∈ Writes_C(S_1, …, S_ℓ). Then, there is a transition from p to p′, both in S_i, writing b. The idea is to keep enough copies of the source state p to provide b whenever the leader needs it. However, to obtain a balanced computation, we have to transfer the contributors that moved from p to p′ back to p. Since S_i is strongly Γ-connected, we know that there is a path p′ →^* p in G_S(Γ). Hence, there is a run of P_C from p′ to p reading only symbols from Γ. Together with the above transition, we get a cyclic run from p to p. We denote it by cycle(p).
In the configuration c, we keep for each symbol b with source state p_b exactly t + 1 copies of the states occurring in cycle(p_b). We assume the contributors in c are grouped into blocks B_b(i) for i ∈ [1..t+1]. Each block B_b(i) simulates the run cycle(p_b).

When the leader starts to move along ρ_L, it might need to read a symbol b. Then, there is a block B_b(i) providing b. To balance the block, all remaining transitions in it have to be executed. Writes are simple: they can be executed and ignored by the other participants. Read transitions in the block are handled in two different ways. (1) Reads within the set Writes_C(S_1, …, S_ℓ) are already executed in a special initial phase. This explains the (t+1)-st copies of the cycles: they are only used to provide these reads. (2) Reads within Writes_L(S_1, …, S_ℓ) are provided by the leader on ρ_L. Since the leader traverses all symbols in Writes_L(S_1, …, S_ℓ), there is a transition which writes a particular symbol for the first time. This write is then used to synchronize with all blocks. The described computation is indeed balanced. For more details, we refer to the formal proof.
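The final step of the argument — applying the balanced computation ρ repeatedly until a configuration repeats — only uses the fact that a permutation of a finite configuration has finite order. A minimal, self-contained illustration of this pigeonhole step (encoding ours, not from the paper):

```python
def first_repetition(perm, start):
    """Apply the permutation `perm` (a list mapping index i to perm[i])
    pointwise to the configuration `start` until some configuration repeats;
    returns the number of applications needed.  This mirrors how finitely
    many permutations of c force a computation c ->* e ->+ e.
    """
    seen = {tuple(start): 0}
    conf, steps = start, 0
    while True:
        conf = [conf[perm[i]] for i in range(len(perm))]
        steps += 1
        if tuple(conf) in seen:
            return steps
        seen[tuple(conf)] = steps
```

For a configuration with pairwise distinct entries, the returned value is exactly the order of the permutation, so iterating ρ that many times closes the saturated cycle.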
It remains to give a formal proof of the second direction. Let a non-empty set Γ be given such that the Γ-SCC decomposition
SCCdcmp_S(Γ) = (S_1, …, S_ℓ) is stable. This means that Γ = Writes(S_1, …, S_ℓ). We split the set Γ = Γ_C ∪ Γ_L, where Γ_C = Writes_C(S_1, …, S_ℓ) are the writes of the contributors and Γ_L = Writes_L(S_1, …, S_ℓ) are the writes of the leader.

We fix a run of the leader. It is of the form π = (q, a) −w→_L (q, a) and it writes every symbol in Γ_L. Formally, for each g ∈ Γ_L there are u, v ∈ Op(D)^* such that w = u.!g.v. Note that such a run exists; potentially, we have to compose several cycles from (q, a) to (q, a). We denote the length of the run π by t.

For each element b ∈ Γ_C, let p(b) and p′(b) be two states belonging to a set S_{i(b)} of the Γ-SCC decomposition such that there is a transition p(b) −!b→ p′(b). Note that such a transition exists by definition. We call the set of states Gen = { p(b) | b ∈ Γ_C } the symbol generators. Further, we fix a cycle for each symbol b. Let

cycle(b) = p(b) →_C p′(b) →_C p_2(b) →_C ⋯ →_C p_k(b) = p(b)

be a cyclic run within S_{i(b)}, reading only symbols from Γ. Such a run exists since S_{i(b)} is strongly connected in the graph G_S(Γ). We use States(cycle(b)) to refer to the set { p(b), p′(b), p_2(b), …, p_{k−1}(b) } of states that appear in cycle(b). Moreover, given a configuration c = (p, b, pc) and a state s, we use c[s] to denote the indices of the contributors that are currently in state s: c[s] = { j | pc(j) = s }.

We construct a computation ρ. The idea is to support the run π of the leader and to provide all the needed symbols along its way. Moreover, we need to balance the computation: the number of contributors in a particular state is preserved after executing ρ. This is achieved by moving the contributors along the fixed cycles. For the construction, we start with t + 1 many contributors in each state of cycle(b), for all symbols b ∈ Γ_C.
Formally, we choose our initial configuration c in such a way that for each s ∈ S we have

|c[s]| = (t + 1) · |{ b ∈ Γ_C | s ∈ States(cycle(b)) }| if s lies in some cycle, and |c[s]| = 1 otherwise.

Note that we add a single contributor in s if the state does not appear in any cycle. This contributor does not move during the computation. The reason is that we can then ensure π_C(c) = S throughout the computation, which keeps ρ saturated. Moreover, we start with the appropriate leader state and memory value: π_L(c) = q, π_D(c) = a.

During ρ, each contributor in a cycle moves to its neighbor by making exactly one move. To this end, we split ρ into two phases: ρ = ρ_1.ρ_2. In the first phase ρ_1, only the contributors move and the leader stays idle. The purpose of this phase is to ensure that all contributors can go to their neighbor in the cycle when reading a symbol from Γ_C is required or when writing. Reading of other symbols is handled in ρ_2.

Note that we have enough contributors in c to provide each symbol in Γ_C exactly t + 1 many times. During ρ_1, we use up one of these contributors for each symbol and provide each symbol in Γ_C once. To realize ρ_1, let b ∈ Γ_C. Pick one of the contributors currently in the state p(b). It makes a move to p′(b) and writes b to the memory. This is followed by a transition of every contributor in each of the cycles that can read b and move to its neighbor. After the move, these contributors stay idle for the remainder of ρ_1.

Let c →^* c_1 be the resulting computation. At the end of the computation, each transition in each copy of a cycle that involves reading a symbol from Γ_C is already executed. Furthermore, one copy of the symbol generators is exhausted: the corresponding contributors made a move to the next state in the cycle. We still have t contributors in the symbol generators left, |c_1[p(b)]| = t for each b ∈ Γ_C.

We complete the computation ρ_1.
For any contributor in a state s ∈ States(cycle(b)) that is not a symbol generator, s ∉ Gen, we do the following. If the contributor can write a symbol from Γ_C and move to its neighbor state in cycle(b), we execute the transition. The written symbol is ignored by the other contributors and the leader. After executing these write transitions, we are at a configuration ĉ. We get ρ_1 = c →^* ĉ. Still, we have t contributors in the symbol generators left, |ĉ[p(b)]| = t for each b ∈ Γ_C. Hence, the contributors on the cycles that did not move so far are either the ones in the symbol generators or ones that require a symbol written by the leader, a symbol in Γ_L.

We construct the second phase ρ_2, which shows how the leader runs. Recall that we already fixed the run π of the leader providing all symbols in Γ_L. We execute each transition of π interleaved with transitions of the contributors while maintaining two invariants. To formalize them, let i ∈ [1..t]. By Γ^i_L ⊆ Γ_L we denote the set of symbols that the leader has written after i many steps of π. The invariants are: (1) All contributors that are currently in a state s ∈ States(cycle(b)) for a b ∈ Γ_C but not in Gen and that can reach their neighbor while reading a symbol from Γ^i_L have already performed this transition before the (i+1)-st step of π is taken. (2) Before the (i+1)-st step of π gets executed, for each b ∈ Γ_C, there are exactly t − i many contributors left that can provide b. These are in the state p(b).

We construct the computation inductively. Assume we already executed i − 1 steps of π. We denote the interleaved computation with the transitions of the contributors by ρ_2^{i−1}. We need a case distinction. If the i-th step of π, denoted by π(i), is a write transition, we do not need to provide a symbol for the leader. The idea is to execute π(i) and to let the contributors read the written symbol. Let b ∈ Γ_L be that symbol. Then Γ^i_L = Γ^{i−1}_L ∪ {b}.
We first execute π(i) and write b to the shared memory. Now, each contributor on a cycle that needs to read a b to arrive at its neighbor takes the corresponding read transition. This maintains Invariant (1). To ensure that (2) also holds, we add the following computation. For each symbol b′ ∈ Γ_C we pick exactly one contributor in p(b′) and let it write b′ to the memory. The write is ignored by the others. This way, we consume exactly one copy of these contributors, maintaining (2).

If π(i) is a read of a symbol b ∈ Γ_C, we pick one contributor that is currently in p(b). We let it execute its transition p(b) −!b→ p′(b) to provide b. The transition is followed by the leader taking π(i). Invariant (1) is already ensured at this point since Γ_L^i = Γ_L^{i−1}. To guarantee (2), we consume copies for symbols different from b. Let b′ ∈ Γ_C, b′ ≠ b. We let one copy of a contributor, currently in p(b′), perform its write transition on b′. The write is ignored by the others. After executing these transitions, (2) holds.

Depending on the case, we add the resulting computation to ρ_{i−1} and obtain a new computation ρ_i. Then we can define ρ₂ = ρ_t. Putting things together, we get ρ = ρ₁.ρ₂ = c₀ →* ĉ →* c₁.

By the maintained invariants, we get that c₁ is a permutation of c₀. All contributors took one transition along a cycle. Hence, the numbers of contributors in a given state in c₀ and in c₁ are equal: for each s we have |c₀[s]| = |c₁[s]|. Moreover, since π is a cycle, we get π_L(c₁) = q = π_L(c₀) and π_D(c₁) = a = π_D(c₀). Hence, ρ is a balanced computation and can be applied again to c₁.

Since there are only finitely many permutations of c₀, applying ρ repeatedly will therefore yield a computation c₀ →* e →⁺_sat e and hence a saturated cycle. ◀

Proof of Lemma 18
We only need to show that for X ⊆ D, the expression Writes_SCC(X) can be evaluated in time O(D · (C² + L² · D²)). By definition, we have that Writes_SCC(X) = Writes(SCCdcmp_S(X)).

We first compute SCCdcmp_S(X). To this end, we need to construct the graph G_S(X). To obtain G_S(X), we iterate over the transitions in δ_C. If the current transition is a read within X or a write, we keep it as an edge. Hence, we need O(|δ_C|) = O(C² · D) time for the construction. Note that a look-up in X can be performed in constant time if we assume that X is a bit-vector with X(b) = 1 if and only if b ∈ X.

Now we can apply Tarjan's algorithm to obtain the strongly connected components (G₁, ..., G_ℓ) of G_S(X). Since the algorithm runs in time linear in the number of edges and the number of vertices, this takes time O(C + |δ_C|) = O(C² · D). We obtain the X-SCC decomposition SCCdcmp_S(X) = (S₁, ..., S_ℓ) by setting S_i to the vertices of G_i.

It is left to compute the set Writes(S₁, ..., S_ℓ). First, we focus on Writes_C(S₁, ..., S_ℓ). To compute the set, we iterate over all transitions in δ_C. If the current transition is a write between two states p, p′ belonging to the same set S_i, we add the corresponding symbol to Writes_C(S₁, ..., S_ℓ). We need O(|δ_C|) = O(C² · D) time for the iteration. We can again perform the check whether p and p′ lie in the same set S_i in constant time. Summing up, we needed O(C² · D) time so far.

For computing Writes_L(S₁, ..., S_ℓ), we first need to construct the automaton P_L. The states Q_L × D can be added in time O(L · D). The transitions of P_L are obtained by an iteration over δ_L. If the current transition is a write, s −!b→_L s′, then we add D many transitions: (s, b′) −!b→_L (s′, b), one for each b′ ∈ D. If the transition is a read of a symbol b, we test whether b ∈ Writes_C(S₁, ..., S_ℓ) and add the single transition (s, b) −?b→_L (s′, b). Adding these transitions takes time O(|δ_L| · D) = O(L² · D²), where the additional factor D appears since we add D many transitions in the case of a write. The ε-transitions in P_L can be added in time O(L · D²): we iterate over each symbol b′ ∈ Writes_C(S₁, ..., S_ℓ) and add L · D many transitions (s, b) −ε→_L (s, b′), one for each pair (s, b). Hence, we constructed the automaton P_L in time O(L² · D²). Note that this limits the number of transitions of P_L to O(L² · D²).

To identify the elements in the set Writes_L(S₁, ..., S_ℓ), we iterate over all b ∈ D and test for each whether it occurs as a write !b on a cycle from (q, a) to (q, a) in P_L. The test can be reduced to a non-emptiness problem. To this end, let P_L(q, a) be the automaton P_L with (q, a) as initial and final state. Then, b ∈ Writes_L(S₁, ..., S_ℓ) if and only if

Op(D)* . !b . Op(D)* ∩ L(P_L(q, a)) ≠ ∅.

Since the corresponding automaton for Op(D)* . !b . Op(D)* has a constant number of states, building the product and deciding non-emptiness can be done in time linear in the size of P_L, which is O(L² · D²). Since the above non-emptiness test has to be executed for each b ∈ D, we get a total time of O(L² · D³) to construct the set Writes_L(S₁, ..., S_ℓ).

Putting the sets Writes_C(S₁, ..., S_ℓ) and Writes_L(S₁, ..., S_ℓ) together, we obtain the complete set of writes, Writes(S₁, ..., S_ℓ) = Writes_SCC(X). Adding up the complexities, we needed O(D · (C² + L² · D²)) time in total. ◀