Partial Model Checking using Networks of Labelled Transition Systems and Boolean Equation Systems

Partial model checking was proposed by Andersen in 1995 to verify a temporal logic formula compositionally on a composition of processes. It consists in incrementally incorporating into the formula the behavioural information taken from one process — an operation called quotienting — to obtain a new formula that can be verified on a smaller composition from which the incorporated process has been removed. Simplifications of the formula must be applied at each step, so as to keep the formula at a tractable size. In this paper, we revisit partial model checking. First, we extend quotienting to the network of labelled transition systems model, which subsumes most parallel composition operators, including m among n synchronisation and parallel composition using synchronisation interfaces, available in the E-Lotos standard. Second, we reformulate quotienting in terms of a simple synchronous product between a graph representation of the formula (called formula graph) and a process, thus enabling quotienting to be implemented efficiently and easily, by reusing existing tools dedicated to graph compositions. Third, we propose simplifications of the formula as a combination of bisimulations and reductions using Boolean equation systems applied directly to the formula graph, thus enabling formula simplifications also to be implemented easily and efficiently. Finally, we describe an implementation in the Cadp (Construction and Analysis of Distributed Processes) toolbox and present some experimental results in which partial model checking uses hundreds of times less memory than on-the-fly model checking.


Introduction
Concurrent safety-critical systems can be verified using model checking [14], i.e., the automatic evaluation of a temporal property against a model of the system. Although successful in many applications, model checking may face state explosion, particularly when the number of concurrent processes grows.
State explosion can be tackled by divide-and-conquer approaches grouped under the term compositional verification, which take advantage of the compositional structure of the concurrent system. One such approach, which we call compositional model generation in this paper, consists in building the model of the system, usually an Lts (Labelled Transition System), in a stepwise manner, by successive compositions and minimisations modulo equivalence relations, possibly using interface constraints [23,27] to avoid explosion of intermediate compositions. Tools using this approach [19,28,29,16] are available in the Cadp (Construction and Analysis of Distributed Processes) [20] toolbox.
In this paper, we explore a dual approach named partial model checking, proposed by Andersen [2,4] for concurrent processes running asynchronously and composed using Ccs parallel composition and restriction operators. For a modal µ-calculus [26] formula ϕ and a process composition P_1 || ... || P_n, Andersen uses an operation ϕ // P_1 called quotienting of the formula ϕ w.r.t. the process P_1, so that P_1 || ... || P_n satisfies ϕ if and only if the smaller composition P_2 || ... || P_n satisfies ϕ // P_1. In addition, simplifications can (and must) be applied to ϕ // P_1 to reduce its size. Partial model checking is the incremental application of quotienting and simplifications, so that state explosion is avoided if the size of intermediate formulas can be kept sufficiently small.
Partial model checking has been adapted and used successfully in various contexts, such as state-based models [5,6], synchronous state/event systems [10], and timed systems [9,12,31,32,33]. It has also been specialised for security properties [34]. More recently, it has been generalised to the full Ccs process algebra, with an application to the verification of parameterised systems [8].
In this paper, we focus on partial model checking of the modal µ-calculus applied to (untimed) concurrent asynchronous processes. By considering only binary associative composition operators, previous works [2,4,8] are not directly applicable to more general operators, such as m among n synchronisation and parallel composition by synchronisation interfaces [21], present in the E-Lotos standard and its variants [13,25]. Our first contribution in this paper is thus a generalisation of partial model checking to networks of Ltss [28], a general model that subsumes the parallel composition, hiding, cutting, and renaming operators of standard process languages (Ccs, Csp, µCrl, Lotos, E-Lotos, etc.).
In realistic cases, partial model checking handles huge formulas and processes, thus requiring efficient implementations. Our second contribution is a reformulation of quotienting as a simple synchronous product, which can itself be represented in the network model, between a graph representing the formula (called a formula graph) and the behaviour graph of a process, thus enabling efficient implementation using existing tools dedicated to graph manipulations. Our third contribution is the reformulation of formula simplifications as a combination of graph reductions and partial evaluation of the formula graph using a Bes (Boolean Equation System) [1]. Verifying modal µ-calculus formulas of arbitrary alternation depth is generally exponential in the size of the process graph, while verifying the alternation-free fragment remains of linear complexity. Our fourth contribution is a specialisation of the technique to alternation-free µ-calculus formulas. Finally, we present an implementation in Cadp and a case study that illustrates the complementarity between partial and on-the-fly model checking.
Paper Overview. The modal µ-calculus is presented in Sect. 2, networks of Ltss in Sect. 3, the generalisation of quotienting to networks and its reformulation as a synchronous product in Sect. 4, simplification rules in Sect. 5, rules specific to alternation-free µ-calculus formulas in Sect. 6, our implementation in Sect. 7, a case study in Sect. 8, and concluding remarks in Sect. 9.

The Modal µ-Calculus
An Lts (Labelled Transition System) is a tuple (Σ, A, →, s_0), with Σ a set of states, A a set of labels, → ⊆ Σ × A × Σ the (labelled) transition relation, and s_0 ∈ Σ the initial state. Properties of Ltss can be expressed in the modal µ-calculus [26], whose syntax and semantics are defined in the table below.
A propositional context ρ is a partial function mapping propositional variables to sets of states, and ρ ⊘ [U/X] stands for the propositional context identical to ρ except that X is mapped to U. The interpretation [[ϕ]] ρ (also written [[ϕ]] if ρ is empty) of a state formula on an Lts in a propositional context ρ (which maps each variable free in ϕ to a set of states) denotes the subset of states satisfying ϕ in that context. The Boolean connectors are interpreted as usual in terms of set operations. The possibility modality ⟨a⟩ϕ_0 (resp. the necessity modality [a]ϕ_0) denotes the states for which some (resp. all) of their outgoing transitions labelled by a lead to states satisfying ϕ_0. The minimal fix-point operator µX.ϕ_0 (resp. the maximal fix-point operator νX.ϕ_0) denotes the least (resp. greatest) solution of the equation X = ϕ_0 interpreted over the complete lattice (2^Σ, ∅, Σ, ∩, ∪, ⊆). A state s satisfies a closed formula ϕ if and only if s ∈ [[ϕ]].

To ensure a proper definition of fix-point operators, it suffices that formulas ϕ are syntactically monotonic [26], i.e., have an even number of negations on every path between a variable occurrence X and the µ or ν operator that binds X. Negations can then be eliminated from formulas using the identities defining the derived operators. We write φ for the formula obtained after eliminating all negations in ϕ. A formula ϕ is alternation-free if there is no sub-formula of φ of the form µX.ϕ_1 (resp. νX.ϕ_1) containing a sub-formula of the form νY.ϕ_2 (resp. µY.ϕ_2) such that X ∈ fv(ϕ_2). The fix-point sign of a variable X in ϕ is µ (resp. ν) if φ[X] has the form µX.ϕ (resp. νX.ϕ).
In this paper, we consider block-labelled formulas ϕ in which each propositional variable X is labelled by a unique natural number k, called its block number. Initially, we require that in every sub-formula of φ of the form µX^k.ϕ_0 (resp. νX^k.ϕ_0), every sub-formula µY^k′.ϕ_1 (resp. νY^k′.ϕ_1) satisfies k′ ≥ k, and every sub-formula νY^k′.ϕ_1 (resp. µY^k′.ϕ_1) satisfies k′ > k. In addition, variables bound in disjoint sub-formulas may have the same block number only if they have the same fix-point sign, and by convention, block number 0 must be a µ-block (so that k > 0 in any formula νX^k.ϕ). We write blocks(ϕ) for the set of block numbers occurring in ϕ. A block-labelled formula ϕ is alternation-free if k′ ≥ k for all X^k ∈ bv(ϕ) and all Y^k′ ∈ fv(ϕ[X^k]). Any unlabelled formula is alternation-free if and only if it can be block-labelled so as to satisfy that constraint.
In the remainder of this paper, we will consider block-labelled formulas ϕ in disjunctive form, i.e., built only using the operators shown in the table above.

Networks of LTSs
Networks of LTSs (or networks for short) are inspired by the Mec [7] and Fc2 [11] synchronisation vectors and were introduced in [28] as an intermediate model to represent compositions of Ltss using various operators.

Background. We write n..m for the set of integers ranging from n to m, or the empty set if n > m. A vector v of size n is a total function on 1..n. For i ∈ 1..n, we write v[i] for v applied to i, denoting the element of v stored at index i. We write (e_1, ..., e_n) for the vector v of size n such that (∀i ∈ 1..n) v[i] = e_i. In particular, () is a vector of size 0. Given n ≥ 1 and i ∈ 1..n, v\i denotes the projection of v onto the set of indices 1..n \ {i}, defined as the vector of size n − 1 such that (∀j ∈ 1..i − 1)

A network of LTSs N of size n is a pair (S, V), where S is a vector of Ltss (called individual LTSs) of size n, and V is a set of synchronisation rules, each rule having the form (t, a) with a a label and t a vector of size n, called the synchronisation vector, of labels and occurrences of a special symbol • distinct from any label. We write Σ_i, A_i, →_i, and s^i_0 for the sets of states and labels, the transition relation, and the initial state of S[i]. N can be associated to a (global) Lts lts(N), which is the parallel composition of the individual Ltss. Each (t, a) ∈ V defines transitions labelled by a, obtained either by synchronisation (if more than one index i is such that t

The network of Ltss model subsumes most hiding, renaming, cutting, and parallel composition operators present in process algebras (Ccs, Csp, Lotos, µCrl, etc.), but also more expressive operators, such as m among n synchronisation and parallel composition using synchronisation interfaces [21] present in E-Lotos [25] and Lotos NT [13]. For instance, the rules {((a, a, •), a), ((a, •, a), a), ((•, a, a), a)} realise 2 among 3 synchronisation on a.
Sub-network extraction. Computing the interactions of a process P_i with its environment in a composition of processes ||_{j∈1..n} P_j is easy when || is a binary and associative parallel composition operator, since ||_{j∈1..n} P_j = P_i || (||_{j∈1..n\{i}} P_j). However, as argued in [21], binary and associative parallel composition operators are of limited use when considering, e.g., m among n synchronisation. A more involved operation named sub-network extraction is necessary for networks. N = (S, V) being a network of size n, we assume a function α(t, a) that assigns an unused label to each (t, a) ∈ V. Given i ∈ 1..n, we define N\i = (S\i, V\i) the sub-network of N modelling the environment of S[i] in N, where N is semantically equivalent to the network ((S[i], lts(N\i)), V′) with V′ the following set of rules, which define the interactions between S[i] and N\i:

α(t, a) is a unique interaction label between S[i] and N\i, which aims at avoiding erroneous interactions in case of nondeterministic synchronisation. Note that if a had been used instead of α_a in the above synchronisation rules, then the composition of N\3 with P_3 would have enabled, in addition to the (correct) binary synchronisations on a between P_1 and P_2 and between P_1 and P_3, the (incorrect) multiway synchronisation on a between all three of P_1, P_2, and P_3. Indeed, the label a resulting from the synchronisation between P_1 and P_2 in N\3 (rule ((a, a), a) in N\3) could synchronise with the label a in P_3 (rule ((a, a), a) in the composition between N\3 and P_3). Note however that t[i] can be used instead of α(t, a) when the network does not have nondeterministic synchronisation on t[i], as is the case for b and α_b in this example. In this paper we use α(t, a) uniformly to avoid complications.
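The two constructions of this section, the global Lts of a network and sub-network extraction, written out as an added example (this is not the paper's or Cadp's code). The global Lts follows the definition above; the rule-by-rule construction of N\i and V′, whose rules are elided in this extract, is an assumption: a rule not involving S[i] stays in N\i, a rule where S[i] acts alone moves to V′, and a genuine synchronisation is split into a rule of N\i producing α(t, a) and a rule of V′ consuming it. The three one-action processes and the two networks are constructed here; the second network reproduces the nondeterministic synchronisation on a described above (P_1 with P_2, or P_1 with P_3) and shows that recomposing P_3 with lts(N\3) yields the same global Lts as N only when the labels α(t, a) are used.

```python
from collections import deque

# An individual LTS is a pair (trans, init): trans maps a state to its list of
# (label, target) transitions. A synchronisation vector uses None for the symbol •.
# All sample processes and networks below are constructed for this example.

def lts_of_network(ltss, rules):
    """Global LTS lts(N) of the network N = (S, V): a global state is the vector of
    individual states; for each rule (t, a), every index j with t[j] != • must take a
    t[j]-transition, and the resulting global transition is labelled a."""
    init = tuple(l[1] for l in ltss)
    edges, work = {init: []}, deque([init])
    while work:
        g = work.popleft()
        for t, a in rules:
            succs = [g]
            for j, lab_j in enumerate(t):
                if lab_j is None:
                    continue
                succs = [s[:j] + (q,) + s[j + 1:]
                         for s in succs for lab, q in ltss[j][0][s[j]] if lab == lab_j]
            for g2 in succs:
                edges[g].append((a, g2))
                if g2 not in edges:
                    edges[g2] = []
                    work.append(g2)
    return edges, init

def extract_subnetwork(ltss, rules, i, alpha=lambda idx, a: f"alpha_{a}_{idx}"):
    """Sub-network N\\i (the environment of S[i]) and the rules V' recomposing N from the
    vector (S[i], lts(N\\i)). Assumed construction: a rule not involving S[i] stays in
    N\\i, a rule where S[i] acts alone moves to V', and a synchronisation involving S[i]
    and others is split using the unique interaction label alpha(t, a)."""
    sub_rules, recompose = [], []
    for idx, (t, a) in enumerate(rules):
        rest = t[:i] + t[i + 1:]
        if t[i] is None:
            sub_rules.append((rest, a))
            recompose.append(((None, a), a))
        elif all(x is None for x in rest):
            recompose.append(((t[i], None), a))
        else:
            sub_rules.append((rest, alpha(idx, a)))
            recompose.append(((t[i], alpha(idx, a)), a))
    return (ltss[:i] + ltss[i + 1:], sub_rules), recompose

def size(edges):
    """(number of states, number of transitions) of an LTS given by its edge map."""
    return len(edges), sum(len(trs) for trs in edges.values())

# Constructed process: a single action a, then deadlock.
P = ({0: [("a", 1)], 1: []}, 0)

def two_among_three():
    """2 among 3 synchronisation on a, realised by the three rules quoted in the text."""
    rules = [(("a", "a", None), "a"), (("a", None, "a"), "a"), ((None, "a", "a"), "a")]
    return size(lts_of_network([P, P, P], rules)[0])

def recompose_p3(unique_labels=True):
    """Network with nondeterministic synchronisation on a (P1 with P2, or P1 with P3).
    Returns the sizes of lts(N) and of lts((P3, lts(N\\3)), V'); they agree only when the
    interaction labels alpha(t, a) are used, since reusing a admits a spurious 3-way sync."""
    rules = [(("a", "a", None), "a"), (("a", None, "a"), "a")]
    alpha = (lambda idx, a: f"alpha_{a}_{idx}") if unique_labels else (lambda idx, a: a)
    (env_ltss, env_rules), recompose = extract_subnetwork([P, P, P], rules, 2, alpha)
    env_edges, env_init = lts_of_network(env_ltss, env_rules)
    full = size(lts_of_network([P, P, P], rules)[0])
    recomposed = size(lts_of_network([P, (env_edges, env_init)], recompose)[0])
    return full, recomposed
```

With unique labels, both sides have 3 states and 2 transitions; with a reused, the recomposition gains the state reached by the incorrect synchronisation of all three processes (5 states, 4 transitions).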

Quotienting for Networks using Networks
To check a closed formula ϕ on a network N = (S, V), one can choose an Lts S[i], compute the quotient of the formula ϕ with respect to S[i], and check the resulting quotient formula on the smaller (at least in number of individual Ltss, but also hopefully in global Lts size) network N\i. The quotient formula is written ϕ //^∅_i s^i_0 and is defined as follows for formulas in disjunctive form:

This definition generalises Andersen's [2], specialised for Ccs, to networks. The major difference is the definition of (⟨a⟩ϕ_0) //^B_i s, Ccs composition corresponding to vectors ((a, •), a), ((•, a), a), or ((a, ā), τ), a and ā being an action and its co-action, which makes the use of special labels α(t, a) unnecessary. A minor difference is that we use µ-calculus terms instead of equations. Any sub-formula produced by quotienting has the same block number as the original sub-formula, reflecting the order of equation blocks in Andersen's work. The set B keeps track of the new variables already introduced in the quotient formula. Quotienting is well-defined, because formulas are finite, every ϕ[X^k] has the form µX^k.ϕ_0, and the size of the set B is bounded by

We now show that quotienting can be implemented as a network that realises a product between an Lts encoding the formula (called a formula graph) and an individual Lts of the network under verification. The formula graph corresponding to a formula ϕ in disjunctive form is an Lts whose states are identified with sub-formulas of ϕ and whose transitions are labelled by ∨, ¬, µ_k (k being a block number), and a (a being any action of the network under verification). The initial state of the formula graph is ϕ, ff is a deadlock state, and each sub-formula has transitions as follows:

Formula graphs are finite, connected, and every circular path (i.e., from one state to itself) contains at least one transition labelled by µ_k. We write enc(ϕ) for the formula graph of ϕ. Conversely, every formula graph P = (S, A, →, s_0) can be decoded into the closed formula dec(P, s_0, ∅) as follows, where E is a mapping of the form {s → k | s ∈ Σ ∧ k ∈ N}:

This definition implies that a deadlock state decodes as ff (empty disjunction). dec is well-defined, the mapping E ensuring termination. Although the states of a formula graph are identified by formulas, only the transition labels are required for decoding. In figures, states will simply be identified by numbers.
Example 4. The formula graph corresponding to the formula µX^0.(⟨a⟩tt) ∨ ⟨b⟩X^0 introduced in Ex. 3 is depicted in Fig. 2 (left), where 0 denotes the initial state.
Proof. This is a corollary of the more general property stating that for every sub-formula

Using this encoding, the quotienting of a formula ϕ with respect to the i-th Lts of a network N = (S, V) can be realised as a synchronous product, using the network ((enc(ϕ), S[i]), V//_i), where V//_i denotes the following set of rules:

Proposition 2. If P = lts((enc(ϕ), S[i]), V//_i) then dec(P, (ϕ, s^i_0), ∅) = ϕ //^∅_i s^i_0, modulo commutativity, idempotence, and renaming of each propositional variable

Proof. A state of P has the form (φ, s), where φ is a sub-formula of ϕ and s is a state of S[i]. The proof uses a slightly more general lemma: if

Working with formulas in disjunctive form is crucial: branches in the formula graph denote disjunctions between sub-formulas (or-nodes). During composition between the formula graph and an individual Lts, the impossibility to synchronise on a modality ⟨a⟩ (no transition labelled by t[i] in the current state of the individual Lts) denotes invalidation of the corresponding sub-formula, which merely disappears, in conformance with the equality ff ∨ ϕ_0 = ϕ_0.
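The encoding enc, the decoding dec and the quotient as a synchronous product, written out as an added example (not the paper's or Cadp's code). The transition rules of enc and the rule set V//_i are elided in this extract, so the code follows the textual description: one state per sub-formula, a variable identified with its binder, every state read as an or-node over its transitions when decoding, and, for a modality transition labelled a matched against a rule (t, a), the modality kept when t[i] = •, replaced by ∨ when S[i] performs a alone (the rule ((⟨a⟩, t[i]), ∨) mentioned in Sect. 5), and relabelled ⟨α(t, a)⟩ otherwise (as in Ex. 3). The tuple representation of formulas, the two-process network and the individual Lts P2 are constructed here and are not Ex. 1's network; the formula is Ex. 3's µX^0.⟨a⟩¬ff ∨ ⟨b⟩X^0.

```python
from collections import deque

# Formulas in disjunctive form, as nested tuples (a constructed representation):
#   ("ff",)  ("or", f, g)  ("not", f)  ("dia", a, f)  ("var", X)  ("mu", X, k, f)
# A formula graph maps a state to its list of (label, target) transitions, with labels
# ("or",), ("not",), ("mu", k) or ("act", a).
FF = ("ff",)

def disj(terms):
    """Right-nested disjunction; the empty disjunction is ff."""
    if not terms:
        return FF
    return terms[0] if len(terms) == 1 else ("or", terms[0], disj(terms[1:]))

def encode(phi):
    """enc(phi): one state per sub-formula; a variable is identified with its binder."""
    edges, ids, binder = {}, {}, {}

    def state(f):
        if f[0] == "var":
            return binder[f[1]]
        if f in ids:
            return ids[f]
        s = ids[f] = len(ids)
        edges[s] = []                    # ff keeps no transition: a deadlock state
        if f[0] == "or":
            edges[s] = [(("or",), state(f[1])), (("or",), state(f[2]))]
        elif f[0] == "not":
            edges[s] = [(("not",), state(f[1]))]
        elif f[0] == "dia":
            edges[s] = [(("act", f[1]), state(f[2]))]
        elif f[0] == "mu":
            binder[f[1]] = s
            edges[s] = [(("mu", f[2]), state(f[3]))]
        return s
    return edges, state(phi)

def decode(edges, s, env=None):
    """dec(P, s, E): a state is the disjunction over its transitions; a state with a
    mu_k transition binds a variable named after the state, recorded in E to stop recursion."""
    env = {} if env is None else env
    if s in env:
        return ("var", s)
    blocks = [lab[1] for lab, _ in edges[s] if lab[0] == "mu"]
    if blocks:
        env = {**env, s: blocks[0]}
    terms = []
    for lab, t in edges[s]:
        sub = decode(edges, t, env)
        terms.append(sub if lab[0] in ("or", "mu") else
                     ("not", sub) if lab[0] == "not" else ("dia", lab[1], sub))
    return ("mu", s, blocks[0], disj(terms)) if blocks else disj(terms)

def quotient(fgraph, f0, lts, p0, rules, i, alpha=lambda idx, a: f"alpha_{a}_{idx}"):
    """Quotient as a synchronous product of the formula graph and LTS number i (0-based),
    with the rules V//i assumed here: ∨, ¬ and mu_k transitions move alone; a modality
    transition labelled a is matched against each rule (t, a) of the network: it survives
    if t[i] = •, becomes ∨ if S[i] performs a alone, and becomes <alpha(t, a)> otherwise."""
    edges, ids, work = {}, {}, deque()

    def state(f, p):
        if (f, p) not in ids:
            ids[(f, p)] = len(ids)
            edges[ids[(f, p)]] = []
            work.append((f, p))
        return ids[(f, p)]
    init = state(f0, p0)
    while work:
        f, p = work.popleft()
        out = edges[ids[(f, p)]]
        for lab, f2 in fgraph[f]:
            if lab[0] != "act":
                out.append((lab, state(f2, p)))
                continue
            for idx, (t, a) in enumerate(rules):
                if a != lab[1]:
                    continue
                if t[i] is None:
                    out.append((lab, state(f2, p)))
                    continue
                alone = all(x is None for j, x in enumerate(t) if j != i)
                new_lab = ("or",) if alone else ("act", alpha(idx, a))
                out += [(new_lab, state(f2, p2)) for lab_p, p2 in lts[p] if lab_p == t[i]]
    return edges, init

# Ex. 3's formula, quotiented with respect to P2 of a constructed two-process network:
# a synchronises P1 and P2, b is performed by either process alone.
PHI = ("mu", "X", 0, ("or", ("dia", "a", ("not", FF)), ("dia", "b", ("var", "X"))))
P2 = {0: [("b", 1)], 1: [("a", 2)], 2: []}          # constructed: 0 -b-> 1 -a-> 2
RULES = [(("a", "a"), "a"), ((None, "b"), "b"), (("b", None), "b")]

def quotient_example():
    """Decoded quotient formula and number of states of the product graph."""
    fgraph, f0 = encode(PHI)
    qgraph, q0 = quotient(fgraph, f0, P2, 0, RULES, 1)
    return decode(qgraph, q0), len(qgraph)
```

Decoding the product gives µX_0.(ff ∨ ((µX_4.(⟨α_a⟩¬ff ∨ ⟨b⟩X_4)) ∨ ⟨b⟩X_0)): the state (⟨a⟩¬ff, 0) has no transition because P2 offers no a in state 0, so that disjunct decodes as ff, exactly the disappearance described above; the ∨-transition introduced by the rule ((•, b), b) and the relabelled modality ⟨α_a⟩ are the material the simplifications of the next section work on.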

Formula Graph Simplifications
The size (number of states) of a formula graph of size n quotiented with respect to an Lts of size m is bounded by n × m. Hence, as observed by Andersen [2], simplifications are needed to keep intermediate quotiented formulas at a reasonable size. We present in Fig. 3 several simplifications applying to formula graphs, as conditional rules of the form "l → r (cond)" where l and r are subsets of transition relations, such that every variable representing a state (written s, s_1, s_2, ...) or a label (written σ, σ_1, σ_2, ...) in r or in the condition cond must occur in l. It means that all transitions matching the left-hand side such that cond is satisfied can be replaced by the transitions of the right-hand side.

Elimination of ∨-transitions (1). This rule is essential to eliminate the transitions labelled by ∨ introduced by synchronisation rules of the form ((⟨a⟩, t[i]), ∨) during quotienting. It can be achieved efficiently by applying reduction modulo τ*.a-equivalence [17], ∨-transitions being interpreted as internal (τ) transitions.

Elimination of double negations (2). This rule can be used after the previous one to simplify formulas of the form ¬¬ϕ, which may appear, e.g., in the quotienting of ¬⟨a⟩¬ϕ′ with an Lts that offers an action synchronising with a.
Elimination of µ-transitions (3). The transition from s_1 to s_2 denotes a propositional variable X^k_{s_1}, which does not occur free in the formula if at least one of the following sufficient (and checkable in linear time) conditions holds: (i) s_1 and s_2 are not in the same strongly connected component; (ii) s_1 satisfies the recursive condition "s_1 has a single predecessor p, distinct from the initial state, and either p has a single µ-transition to s_1 or p satisfies this condition, recursively". This condition is well-founded as long as it is applied to reachable states.

Evaluation of constant sub-formulas (4-7). To decide whether a state denotes a sub-formula that evaluates to a constant in any context, we consider the following Bes, consisting of blocks T^k and F^k (k ∈ 0..n) of respective signs µ and ν, n being the greatest block number in the formula graph. Blocks are ordered so that k < k′ implies T^k (resp. F^k) is before T^k′ (resp. F^k′):

We consider only the variables reachable from T^0_{s_0} or F^0_{s_0}, s_0 being the initial state of the formula graph. A state s denotes tt (resp. ff) if the Boolean variables T^k_s (resp. F^k_s) evaluate to tt in all (reachable) blocks k. Due to the presence of modalities, there may be states s and blocks k such that T^k_s and F^k_s are both false, indicating that the corresponding sub-formula is not constant. Intuitively, T^k_s expresses that s evaluates to tt in block k if one of its successors following a transition labelled by ∨ or µ_k′ evaluates to tt, or one of its successors following a transition labelled by ¬ evaluates to ff. Variable F^k_s expresses that state s evaluates to ff in block k if all its successors following transitions labelled by ∨, µ_k′, or modalities (by applying the identity ⟨a⟩ff = ff) evaluate to ff and all its successors following transitions labelled by ¬ evaluate to tt. Regarding fix-point signs, observe that F_{X^k} respectively evaluate to tt and ff, reflecting that µX^k.X^k evaluates to ff as expected.
Repeated applications of quotienting progressively eliminate modalities, until none of them remains in the formula graph, which then necessarily evaluates to a constant equal to the result of evaluating the formula on the whole network.

Sharing of equivalent sub-formulas. In addition to the above rules, reducing a formula graph modulo strong bisimulation does not change its decoding, modulo idempotence, renaming of propositional variables, and unification of equivalent variables defined in the same block. Strong bisimulation reduction can thus decrease the size of intermediate formula graphs. The reader may note that the heuristic given in Andersen's work [2] to determine that two variables denote equivalent sub-formulas is similar to the definition of strong bisimulation on Ltss.
A careful comparison between the simplifications proposed by Andersen [2] and ours would be useful and is left for further work.

Example 6. After applying the above simplifications to the formula graph of Ex. 5, we obtain the (smaller) formula graph depicted in Fig. 2 (right), which corresponds to the formula (⟨a⟩tt) ∨ (⟨α_a⟩tt) ∨ (⟨α_b⟩⟨a⟩tt).
Example 7. The graph corresponding to µX^0.(⟨a⟩µY^0.⟨b⟩X^0) ∨ ⟨c⟩X^0 reduces as expected to a deadlock state representing the constant ff (left as an exercise).

Simplification of Alternation-Free Formula Graphs
Simplifications apply to µ-calculus formulas of arbitrary alternation depth. We focus here on the alternation-free µ-calculus fragment, which has a linear-time model checking complexity [15] and is therefore more suitable for scaling up to large Ltss. We propose a variant of constant sub-formula evaluation specialised for alternation-free formulas, using alternation-free Bess [1].
Even in the case of alternation-free formulas, the above Bes is not alternation-free due to the cyclic dependency between T^k and F^k, e.g., when evaluating sequences of ¬-transitions. In Fig. 4, we propose a refinement of this Bes, which splits each variable T^k_s of sign µ into two variables T^{+k}_s of sign µ and F^{−k}_s of sign ν, which evaluate to true iff the sub-formula corresponding to state s is preceded by an even (for T^{+k}_s) or odd (for F^{−k}_s) number of negations and evaluates to true. Variable F^k_s is split similarly. This Bes is a generalisation, for formula graphs containing negations and modalities, of the Bes characterising the solution of alternation-free Boolean graphs outlined in [35].
For general formulas, this Bes is not alternation-free due to the cyclic dependencies between T^k and F^k′, of different fix-point signs. Yet, for alternation-free block-labelled formulas, it is alternation-free, since each dependency from T^k to F^k′ (or from F^k to T^k′) always traverses a µ-transition preceded by an odd number of negations, which switches to a different block number k′ > k.

Implementation
We have implemented partial model checking of alternation-free µ-calculus formulas using Cadp, which provided much of what was needed:
- Individual processes can be described in the language Lotos [24], or in the Lotos NT variant of E-Lotos [25], among others, for which Cadp contains tools to generate Ltss automatically.
- Process compositions can be described in the Exp.Open 2.0 language [28], which provides various parallel composition operators, such as synchronisation vectors [7], process algebra operators (Lotos, Ccs, Csp, µCrl), and the generalised parallel composition operator of E-Lotos [21]. It also provides generalised operators for hiding, renaming, and cutting labels based on a representation of label sets using regular expressions. The Exp.Open 2.0 tool compiles its input into a network of Ltss. It then generates C code representing the transition relation [18], so that the Lts can be either generated or traversed on-the-fly using various libraries. For partial model checking, the Exp.Open 2.0 tool has been slightly extended both to implement sub-network extraction and to generate the network representing the parallel composition between the formula graph and a chosen individual Lts.
- Alternation-free µ-calculus formulas can be handled by the Evaluator 3.5 on-the-fly model checker [38], in which an option has been added for compiling a formula into a formula graph.
- Reductions modulo τ*.a-equivalence and strong bisimulation are achieved using respectively the Reductor and Bcg Min tools of Cadp.
Elimination of double negations, elimination of µ-transitions, and evaluation of constant formulas have been implemented in a new prototype tool (1,000 lines of C code), which relies on the Caesar Solve library [37] for solving alternation-free Bes. Finally, the selection of the Lts w.r.t. which the formula is quotiented at each step follows the principles described in [16] for networks of Ltss.

Experimentation
We have used partial model checking in an avionics case study, namely the verification of a communication protocol between a plane and the ground, based on Tftp (Trivial File Transfer Protocol) / Udp (User Datagram Protocol) [22].
The system consists of two instances of the Tftp connected by Udp using a Fifo buffer. We considered five scenarios, named A to E, depending on whether each instance may write and/or read a file. We also checked the (alternation-free) µ-calculus (branching-time) properties named A01 to A28, studied in [22], both using the well-established on-the-fly model checker Evaluator 3.5 [38] of Cadp and using the partial model checking approach described in this paper. These experiments were done on a 64-bit computer with 148 gigabytes of memory.
The results summarised in Tab. 1 give, for each scenario, the Lts size in kilostates (ks), and for each property, the peak memory in megabytes (MB) used by on-the-fly model checking (column fly) and partial model checking (column pmc). Some properties being irrelevant to some scenarios (e.g., they concern a read or write operation absent from the corresponding scenario), they have not been checked, which explains the shaded cells. The symbol "⋆" corresponds to unfinished verifications that used too much memory. For lack of space, times are not reported, but each partial model checking experiment that used less than 100 MB of memory took from a few seconds to less than a minute. Note that the major part of the time and memory is used by formula simplifications, as compared to the low complexity of the synchronous product operation used for quotienting.
These results confirm that partial model checking may be much more efficient (up to 600 times less memory in this example) than on-the-fly model checking. For several properties, we observe that partial model checking sometimes allows complete evaluation of formulas before they have been quotiented with respect to all individual Ltss, because the truth value of the formula is independent of some individual Lts. However, in a few cases, partial model checking leads to combinatorial explosion (properties A12, A13, A15, and A17) while on-the-fly model checking is efficient. This is inherent to the structure of the system, intermediate quotients needing to capture a large part of the behaviour before the truth value of the formula can be computed. This shows that both approaches are complementary and worth being used concurrently.

Conclusion
The original contributions of this paper are the following: (1) Partial model checking has been generalised to the network model, which subsumes many parallel composition operators. (2) An efficient implementation of quotienting with respect to an individual Lts has been proposed, using a simple synchronous product between this Lts and a graph representation of the formula. A key is the representation of the formula in a disjunctive form (using negations), which turns every node of the formula graph into an or-node. (3) An efficient implementation of formula simplifications has also been proposed, using a combination of existing algorithms (such as reductions modulo equivalence relations), simple transformations, and traversals of the formula graph using a Bes. Using a graph equivalence relation to simplify the formula was already proposed in [8], where the formula was translated into an and-or-graph and then reduced modulo strong bisimulation. We use a weaker relation (τ*.a-equivalence) that enables more reduction of the formula graph, and we apply it directly on simple Ltss, thus allowing efficient Lts reduction tools to be used without any modification. Our simplifications integrate smoothly in the approach, both quotienting and simplifications applying to the same graph representation, without encoding and decoding formulas back and forth. (4) A specialisation to the case of alternation-free formulas (using alternation-free Bes) has also been presented, showing that partial model checking may result in much better performance than complementary approaches, such as on-the-fly model checking. Only small software developments were required, thanks to the wealth of functionalities available in Cadp. The approach would also be applicable to formulas of arbitrary alternation depth using a solver for Bes of arbitrary alternation depth.
The implementation of quotienting as a synchronous product opens the way for combining partial model checking with techniques originating from compositional model generation, such as (compositional) τ-confluence reduction [30,36,40], or restriction using interface constraints following the approach developed in [23] and refined in [19,27,29]. Note also that partial model checking and compositional model generation are complementary. Although it is difficult in general to know which of them will be most efficient, a reasonable methodology is to try compositional model generation first (because one then obtains a single model on which all formulas of interest can be evaluated). In case of failure, partial model checking can then be used for each formula.
As future work, we also plan to study partial model checking of certain µ-calculus formulas of alternation depth 2 describing the existence of complex cycles (e.g., νX.µY.(⟨b⟩X ∨ ⟨a⟩Y), expressing the infinite repetition of sequences belonging to the regular language a*.b), which can still be checked in linear time using specialised Bes resolution algorithms [39] generalising the detection of accepting cycles in Büchi automata.

Example 3. The µ-calculus formula µX^0.⟨a⟩tt ∨ ⟨b⟩X^0 (existence of a path of zero or more b leading to an a) can be rewritten in disjunctive form as µX^0.⟨a⟩¬ff ∨ ⟨b⟩X^0. Quotienting this formula with respect to P_3 in the network N introduced in Ex. 1 yields the formula µX^0_0.⟨a⟩¬ff ∨ ⟨α_a⟩¬ff ∨ ⟨α_b⟩µX^0_2.⟨a⟩¬ff ∨ ff.

Table 1. Experimental results for the Tftp/Udp case study