A Detailed Account of The Inconsistent Labelling Problem of Stutter-Preserving Partial-Order Reduction

One of the most popular state-space reduction techniques for model checking is partial-order reduction (POR). Of the many different POR implementations, stubborn sets are a very versatile variant and have thus seen many different applications over the past 32 years. One of the early stubborn sets works shows how the basic conditions for reduction can be augmented to preserve stutter-trace equivalence, making stubborn sets suitable for model checking of linear-time properties. In this paper, we identify a flaw in the reasoning and show with a counter-example that stutter-trace equivalence is not necessarily preserved. We propose a stronger reduction condition and provide extensive new correctness proofs to ensure the issue is resolved. Furthermore, we analyse in which formalisms the problem may occur. The impact on practical implementations is limited, since they all compute a correct approximation of the theory.


1. Introduction
In the field of formal methods, model checking is a push-button technique for establishing the correctness of systems according to certain criteria. A fundamental issue in model checking is the state-space explosion problem: the size of the state space can grow exponentially with the number of concurrent components, due to all their possible interleavings. One of the prime methods of reducing the number of states is partial-order reduction (POR). The literature contains many different implementations of POR, but they are all centred around the idea that some interleavings may be considered similar and thus only one interleaving from each equivalence class needs to be explored. The main variants of POR are ample sets [Pel93], persistent sets [God96] and stubborn sets [Val91b, VH17]. The basic conditions set out by each of these variants can be strengthened, such that the resulting conditions are sufficient for the preservation of stutter-trace equivalence. The extra conditions resolve the so-called action-ignoring problem [Val91b]. Since LTL without the next operator (LTL$_{-X}$) is invariant under finite stuttering, this allows one to check most LTL properties under POR.
However, the correctness proofs for these methods are intricate and not reproduced often. For stubborn sets, LTL$_{-X}$-preserving conditions and an accompanying correctness result were first presented in [Val91a]; the corresponding proofs appeared in [Val92]. When attempting to reproduce the proof of [Val92, Theorem 2] (see also Theorem 2.5 in the current work), we were unable to show that the two alternative paths considered by [Val92, Construction 1], a core component of the proof, are stutter equivalent. The consequence is that stutter-trace equivalence is not necessarily preserved, contrary to what the theorem states! We call this the inconsistent labelling problem.
The essence of the problem is that POR in general, and the proofs in [Val92] in particular, reason mostly about actions, which label the transitions. In POR theory, the only relevance of the state labelling is that it determines which actions must be considered visible. On the other hand, stutter-trace equivalence and the LTL semantics are purely based on state labels. The correctness proof in [Val92] does not deal properly with this disparity. Consequently, any application of stubborn sets in LTL$_{-X}$ model checking is possibly unsound, both for safety and liveness properties. In the literature, the correctness of several theories [LPvdPH16, LW19, Val96] relies on the incorrect theorem.
In earlier work [NVW20], we identified the inconsistent labelling problem and investigated the theoretical and practical consequences. As detailed in ibid., the problem is witnessed by a counter-example, which is valid for weak stubborn sets and, with a small modification, in a non-deterministic setting for strong stubborn sets. A slight strengthening of one of the stubborn set conditions is sufficient to repair the issue (Theorems 5.2 and 5.3 in the current work). The fix is local, in the sense that it reduces the reduction potential in those places where the inconsistent labelling problem might otherwise occur. Petri nets can be susceptible to the issue, depending on what notion of invisibility and what types of atomic propositions are used. We used this knowledge about formalisms in which the inconsistent labelling problem may manifest itself to determine its impact on related work. The investigation in [NVW20] shows that probably all practical implementations of stubborn sets compute an approximation which resolves the inconsistent labelling problem. Furthermore, POR methods based on the standard independence relation, such as ample sets and persistent sets, are not affected. The current paper improves on [NVW20] with extended explanation and full proofs. In particular, we introduce each of the existing stubborn set conditions with reworked proofs to aid the reader's intuition.
The rest of the paper is structured as follows. In Section 2, we introduce the basic concepts of transition systems and stutter-trace equivalence. Section 3 introduces the stubborn set conditions one by one and shows what they preserve through several lemmata. Our counter-example to the preservation of stutter-trace equivalence is presented in Section 4. We propose a solution to the inconsistent labelling problem in Section 5, together with an updated correctness proof. Sections 6 and 7 discuss several settings in which correctness is not affected. Finally, Section 8 discusses related work and Section 9 presents a conclusion.

2. Preliminaries
2.1. Labelled State Transition Systems and Paths. Since LTL relies on state labels and POR relies on edge labels, we assume the existence of some fixed set of atomic propositions AP to label the states and a fixed set of edge labels Act, which we will call actions. Actions are typically denoted with the letter a.
Definition 2.1. A labelled state transition system, short LSTS, is a directed graph $TS = (S, \to, \hat{s}, L)$, where:
• $S$ is the state space;
• ${\to} \subseteq S \times Act \times S$ is the transition relation;
• $\hat{s} \in S$ is the initial state; and
• $L : S \to 2^{AP}$ is a function that labels states with atomic propositions.
We write $s \xrightarrow{a} s'$ whenever $(s, a, s') \in {\to}$. An action $a$ is enabled in a state $s$, notation $s \xrightarrow{a}$, if and only if $s \xrightarrow{a} s'$ for some state $s'$. Given a path $\pi = s_0 \xrightarrow{a_1} s_1 \xrightarrow{a_2} \cdots$, the trace of $\pi$ is the sequence of state labels observed along $\pi$, viz. $L(s_0) L(s_1) L(s_2) \cdots$. The no-stutter trace of $\pi$, notation $\textit{no-stut}(\pi)$, is the sequence of those $L(s_i)$ such that $i = 0$ or $L(s_i) \neq L(s_{i-1})$.
A set $I$ of invisible actions is chosen such that if (but not necessarily only if) $a \in I$, then for all states $s$ and $s'$, $s \xrightarrow{a} s'$ implies $L(s) = L(s')$. Note that this definition allows the set $I$ to be under-approximated. An action that is not invisible is called visible. The projection of $a_1 \ldots a_n$ on the visible actions is the result of the removal of all elements of $I$ from $a_1 \ldots a_n$. We denote it with $\textit{vis}_I(a_1 \ldots a_n)$. The notion extends naturally to infinite sequences $a_1 a_2 \ldots$. We furthermore lift the function $\textit{vis}$ to paths, such that $\textit{vis}_I(s_0 \xrightarrow{a_1} s_1 \xrightarrow{a_2} \cdots) = \textit{vis}_I(a_1 a_2 \ldots)$. The subscript $I$ is omitted when it is clear from the context.
We say $TS$ is deterministic if and only if $s \xrightarrow{a} s_1$ and $s \xrightarrow{a} s_2$ imply $s_1 = s_2$, for all states $s$, $s_1$ and $s_2$ and actions $a$. To indicate that $TS$ is not necessarily deterministic, we say $TS$ is non-deterministic.
2.2. Petri Nets. Petri nets are a widely-known formalism for modelling concurrent processes and have seen frequent use in the application of stubborn set theory [BJLM19, LW19, VH17, Var05]. We will use Petri nets for presenting examples. In Section 7, we will also reassess the correctness of some published POR theories that use Petri nets. Other than that, the theory in the present paper is fairly general, that is, it does not depend on Petri nets.
A Petri net $(P, T, W, \hat{m})$ contains a set of places $P$ and a set of structural transitions $T$. These sets are disjoint. In this paper they are finite. Figure 1 shows an example of a Petri net. Places are drawn as circles and structural transitions as rectangles.
Arcs between places and structural transitions and their weights are specified via a total function $W : (P \times T) \cup (T \times P) \to \mathbb{N}$. The values $W(p, t)$ and $W(t, p)$ are called weights. There is an arc from place $p$ to structural transition $t$, drawn as an arrow, if and only if $W(p, t) > 0$; and similarly in the opposite direction if and only if $W(t, p) > 0$. If $W(p, t) > 1$ or $W(t, p) > 1$, then the weight is written as a number next to the arc. Figure 1 contains 11 arcs of weight 1, three arcs of weight 2, and one arc of weight 3.
A marking $m : P \to \mathbb{N}$ is a function that assigns a number of tokens to each place. Let $M$ denote the set of all markings. A Petri net has an initial marking $\hat{m}$. The initial marking of the example satisfies $\hat{m}(p_3) = 2$, $\hat{m}(p_1) = \hat{m}(p_4) = \hat{m}(p_6) = 1$ and $\hat{m}(p_2) = \hat{m}(p_5) = 0$.
Structural transition $t$ is enabled in marking $m$ if and only if $m(p) \geq W(p, t)$ for every $p \in P$, and disabled otherwise. In our example, $t_1$, $t_3$ and $t_6$ are enabled. Because $\hat{m}(p_3) = 2$ but $W(p_3, t_4) = 3$, $t_4$ is disabled. An enabled transition may occur, resulting in the marking $m'$ such that $m'(p) = m(p) - W(p, t) + W(t, p)$ for every $p \in P$. We denote this with $m \xrightarrow{t} m'$, and extend the notation to paths similarly to Section 2.1. If $m$ is the marking such that $\hat{m} \xrightarrow{t_1} m$ in our example, then $m(p_1) = 0$, $m(p_2) = 1$, and $m(p) = \hat{m}(p)$ for the remaining places. If $\hat{m} \xrightarrow{t_3} m'$, then $m'(p_4) = 0$ and $m'(p) = \hat{m}(p)$ for the remaining places. A marking $m$ is reachable if and only if there are $t_1, \ldots, t_n$ such that $\hat{m} \xrightarrow{t_1 \ldots t_n} m$. Let $M_{reach}$ denote the set of reachable markings, and $\to'$ the restriction of $\to$ on $M_{reach} \times T \times M_{reach}$. Assume that a set of atomic propositions $AP$ and a function $L' : M_{reach} \to 2^{AP}$ are given. A Petri net together with these induces the LSTS $(M_{reach}, \to', \hat{m}, L')$. In this context $Act = T$.
It is customary to abuse notation by forgetting about the distinction between $\to$ and $\to'$, and using the same symbol for both. This is done because it is often not known in advance whether a marking is reachable, making it impractical to define $\to'$ instead of $\to$. Similarly, instead of $L'$, it is customary to define a function $L$ from all markings $M$ to $2^{AP}$, let $L'$ be its restriction on $M_{reach}$, and abuse notation by using the same symbol for both. These are general practice instead of being restricted to Petri nets.
2.3. Weak and Stutter Equivalence. Stubborn sets save effort by constructing, instead of the full LSTS $TS = (S, \to, \hat{s}, L)$, a reduced LSTS $TS_r = (S_r, \to_r, \hat{s}, L_r)$ such that $S_r \subseteq S$, ${\to_r} \subseteq {\to}$ and $L_r$ is the restriction of $L$ on $S_r$ (more details will be given in Section 3). To reason about the similarity of an LSTS $TS$ and its reduced LSTS $TS_r$, we introduce the notions weak equivalence, which operates on actions, and stutter equivalence, which operates on states. For the purpose of the discussion in Section 7, these concepts respectively depend on a set of actions and a labelling function.
Definition 2.2. Two paths $\pi$ and $\pi'$ are weakly equivalent with respect to a set of actions $A$, notation $\pi \sim_A \pi'$, if and only if they are both finite or both infinite, and their respective projections on $Act \setminus A$ are equal, i.e., $\textit{vis}_A(\pi) = \textit{vis}_A(\pi')$.
Definition 2.3. Paths $\pi$ and $\pi'$ are stutter equivalent under $L$ if and only if they are both finite or both infinite, and they yield the same no-stutter trace under $L$.
We typically consider weak equivalence with respect to the set of invisible actions $I$. In that case, we simply refer to the equivalence as weak equivalence and we write $\pi \sim \pi'$, which intuitively means that $\pi$ and $\pi'$ contain the same visible actions. We also omit the subscript for stutter equivalence when reasoning about the labelling function of the LSTS under consideration, and simply say that $\pi$ and $\pi'$ are stutter equivalent. Note that stutter equivalence is invariant under finite repetitions of state labels, hence its name. We lift both equivalences to LSTSs, and say that $TS$ and $TS'$ are weak-trace equivalent iff for every complete initial path $\pi$ in $TS$, there is a weakly equivalent complete initial path $\pi'$ in $TS'$ and vice versa. Likewise, $TS$ and $TS'$ are stutter-trace equivalent iff for every complete initial path $\pi$ in $TS$, there is a stutter equivalent complete initial path $\pi'$ in $TS'$ and vice versa. In general, weak equivalence and stutter equivalence are incomparable, even for complete initial paths. However, for some LSTSs, these notions are related in a certain way. We formalise this in the following definition.
It follows from the definition that, if an LSTS $TS$ is labelled consistently and weak-trace equivalent to a subgraph $TS'$, then $TS$ and $TS'$ are also stutter-trace equivalent.
Stubborn sets as defined in the next section aim to preserve stutter-trace equivalence between the original and the reduced LSTS. The motivation behind this is that two stutter-trace equivalent LSTSs satisfy exactly the same formulae [BK08] in LTL$_{-X}$. The following theorem, which is frequently cited in the literature [LPvdPH16, LW19, Val96], aims to show that stubborn sets indeed preserve stutter-trace equivalence. Its original formulation reasons about the validity of an arbitrary LTL$_{-X}$ formula. Here, we give the alternative formulation based on stutter-trace equivalence. The original proof correctly establishes the four items listed below. For a long time it was believed that they suffice to ensure that $TS_r$ gives the same truth values to LTL$_{-X}$ formulas as $TS$ gives. While investigating the application of stubborn sets to parity games [NWW20], Thomas Neele (the main author of the current paper, but not the author of this sentence) took the effort of checking this self-evident "fact", and found out that it does not hold. We call this the inconsistent labelling problem. A counter-example is in Section 4.
(1) Every initial deadlocking path of $TS$ has a weakly equivalent initial deadlocking path in $TS_r$.
(2) Every initial deadlocking path of $TS_r$ has a weakly equivalent initial deadlocking path in $TS$.
(3) Every initial infinite path of $TS$ has a weakly equivalent initial infinite path in $TS_r$.
(4) Every initial infinite path of $TS_r$ has a weakly equivalent initial infinite path in $TS$.
Because the four items in this list are sufficient for $TS \sim TS_r$, the issue could be resolved with the additional requirement that $TS$ is consistently labelled, which would make $TS$ and $TS_r$ stutter-trace equivalent (since $TS_r$ is a subgraph of $TS$, see Definition 3.1). However, this requirement is rather strong; we propose a more local solution in Section 5.

3. Stubborn Sets
3.1. Basic Ideas. In POR, reduction functions play a central role. A reduction function $r : S \to 2^{Act}$ indicates which actions to explore in each state. When starting at the initial state $\hat{s}$, a reduction function induces a reduced LSTS as follows.
Definition 3.1. Let $TS = (S, \to, \hat{s}, L)$ be an LSTS and $r : S \to 2^{Act}$ a reduction function. Then the reduced LSTS induced by $r$ is defined as $TS_r = (S_r, \to_r, \hat{s}, L_r)$, where $L_r$ is the restriction of $L$ on $S_r$, and $S_r$ and $\to_r$ are the smallest sets such that the following holds:
• $\hat{s} \in S_r$; and
• If $s \in S_r$, $s \xrightarrow{a} s'$ and $a \in r(s)$, then $s' \in S_r$ and $s \xrightarrow{a}_r s'$.
Note that we have ${\to_r} \subseteq {\to}$.
In the first paper on stubborn sets [Val88], the set r(s) was constructed so that if enabled actions exist, then it contains an enabled action that the outside world cannot disable. This inspired the thought that the set is "stubborn", that is, determined to do something and not letting the outside world prevent it. Much more than this is needed to make TS r yield correct answers to verification questions concerning TS . Furthermore, some more recent methods do not necessarily put an enabled action in r(s) even if enabled actions do exist. So the name is imprecise, but has remained in use.
The main question now is how to implement a practical reduction function so that answers to interesting verification questions can be obtained from the reduced LSTSs. Because this publication is about fixing an error that had been lurking for decades, we feel it appropriate to present the full proof of the affected theorem anew as clearly as possible, in more detail than originally, to minimise the possibility that other errors remain. To this end, we proceed in small steps.
We first discuss the motivating example from Figure 1, reproduced here in Figure 2. Assume that we know that the places adjacent to $t_3$ are $p_3$ and $p_4$; they contain 2 and 1 tokens, respectively; the transitions adjacent to $p_3$ and $p_4$ are $t_2$ to $t_5$; and the arcs between them and their weights are as is shown in Figure 2. That is, we know the black part but not the grey part in the figure. Although our knowledge is incomplete, we can reason as follows that $t_3$ is enabled and remains enabled until $t_3$ or $t_5$ occurs. It is enabled by the numbers of tokens in $p_3$ and $p_4$, and by the weights of the arcs from them to $t_3$. An occurrence of $t_2$ does not decrement the numbers of tokens in $p_3$ and $p_4$, so it cannot disable $t_3$. The same applies to $t_1$ and $t_6$. An occurrence of $t_4$ decrements the number of tokens in $p_3$ (but not in $p_4$). However, thanks to the arc weight 2, it is guaranteed to leave at least 2 tokens in $p_3$. So it cannot disable $t_3$ either. This is an example of the kind of observations that stubborn set methods exploit. Together with some other observations that will be discussed soon, it will let us choose $r(s) = \{t_3, t_5, t_6\}$, where $s$ denotes the marking shown in Figure 2. Unfortunately, the observation is Petri net-specific. We now introduce a more abstract notion that captures the same idea: $t_3$ is a key action of $r(s) = \{t_3, t_5, t_6\}$ in the sense of the following definition.

[Figure 3. Visual representation of why D1 holds on the example.]
Definition 3.2. An action $a$ is a key action of $r(s)$ in $s$ if and only if for all paths $s \xrightarrow{a_1 \ldots a_n} s'$ such that $a_1 \notin r(s), \ldots, a_n \notin r(s)$, it holds that $s' \xrightarrow{a}$.
We typically denote key actions by $a_{key}$. Note that a key action must be enabled in $s$: by setting $n = 0$, we have $s' = s$ and $s \xrightarrow{a}$. Many stubborn set methods assume that the sets $r(s)$ satisfy the following condition.
D2w: If $\textit{enabled}(s) \neq \emptyset$, then $r(s)$ contains a key action in $s$.
In Figure 2, $t_5$ is not a key action of $\{t_3, t_5, t_6\}$, because it is disabled. Also $t_6$ is not, because the sequence $t_1 t_2 t_4$ disables it.
On the other hand, we now show that $t_3$, $t_5$ and $t_6$ have another property that stubborn set methods exploit: Figure 3 holds for each of them in the role of $a$ and any finite sequence of elements of $\{t_1, t_2, t_4\}$ in the role of $a_1 \ldots a_n$. We call $t_1$, $t_2$ and $t_4$ the outside transitions.
Although the outside transitions can disable $t_6$, they cannot enable it again, because none of them can add tokens to $p_6$. Therefore, if $t_6$ is enabled after the occurrence of some sequence $a_1 \ldots a_n$ of outside transitions, then it was enabled in the original marking $s$ and in every marking between $s$ and $s_n$. This is illustrated by the first implication in Figure 3, with $t_6$ in the role of $a$. The first implication applies to $t_3$ as well, because its right-hand side holds: $t_3$ is a key action of $\{t_3, t_5, t_6\}$ in $s$.
Neither $t_3$ nor $t_6$ can disable outside transitions, because although they temporarily consume tokens from $p_3$ or $p_6$, they put the same number of tokens back; and the outside transitions do not need tokens from $p_4$. This yields the second implication in the figure. Furthermore, Petri nets are commutative in the sense that if $m \xrightarrow{t t'} m'$ and $m \xrightarrow{t' t} m''$, then $m' = m''$. The last implication in the figure holds because of this.
The implication chain also applies to $t_5$ as $a$, but for a different reason: $t_5$ is disabled, and no sequence of outside transitions can enable it, because only $t_6$ can enable it. Therefore, no member of the chain holds for $t_5$, so the chain holds vacuously. Again, we appealed to particular properties of Petri nets. To make the ideas applicable to a wide variety of formalisms for representing systems, we introduce the following condition, which is required to hold for all $r(s)$. It is illustrated in Figure 4. We showed above that it holds for $r(s) = \{t_3, t_5, t_6\}$ in Figure 2.
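To make the firing rule of Section 2.2 and the key-action reasoning above concrete, here is a small Python model, added for this section; it is not code from the paper or its authors. The net is our reconstruction from the arc counts and token movements the text describes (11 arcs of weight 1, three of weight 2, one of weight 3; the markings after $t_1$ and $t_3$; which transitions enable or disable which), so its weights are an assumption about Figure 1 rather than the figure itself. It checks Definition 3.2 for $r(s) = \{t_3, t_5, t_6\}$ by enumerating every sequence of outside transitions, which is finite here because $t_1$ and $t_2$ can each occur once and $t_4$ only after $t_2$.

```python
from collections import Counter

# Reconstruction of the Figure 1 net from the text's description (an assumption, not the figure).
PLACES = ("p1", "p2", "p3", "p4", "p5", "p6")
TRANSITIONS = ("t1", "t2", "t3", "t4", "t5", "t6")
# W(p, t): arcs from places into t (tokens consumed); W(t, p): arcs out of t (tokens produced).
# Absent arcs have weight 0.
W_IN = {"t1": {"p1": 1}, "t2": {"p2": 1}, "t3": {"p3": 2, "p4": 1},
        "t4": {"p3": 3, "p6": 1}, "t5": {"p4": 1, "p5": 1}, "t6": {"p6": 1}}
W_OUT = {"t1": {"p2": 1}, "t2": {"p3": 1}, "t3": {"p3": 2},
         "t4": {"p3": 2}, "t5": {}, "t6": {"p5": 1, "p6": 1}}
M_HAT = {"p1": 1, "p2": 0, "p3": 2, "p4": 1, "p5": 0, "p6": 1}   # initial marking m-hat


def arc_weight_counts():
    """Multiset of arc weights; the text reports 11 arcs of weight 1, three of 2, one of 3."""
    return Counter(w for table in (W_IN, W_OUT) for arcs in table.values() for w in arcs.values())


def enabled(m, t):
    """t is enabled in m iff m(p) >= W(p, t) for every place p."""
    return all(m[p] >= w for p, w in W_IN[t].items())


def enabled_set(m):
    return {t for t in TRANSITIONS if enabled(m, t)}


def fire(m, t):
    """Occurrence of t: m'(p) = m(p) - W(p, t) + W(t, p) for every place p."""
    if not enabled(m, t):
        raise ValueError(f"{t} is disabled")
    m2 = dict(m)
    for p, w in W_IN[t].items():
        m2[p] -= w
    for p, w in W_OUT[t].items():
        m2[p] += w
    return m2


def run(m, seq):
    """Marking reached by firing seq in order, or None if some step is disabled."""
    for t in seq:
        if not enabled(m, t):
            return None
        m = fire(m, t)
    return m


def outside_markings(m, r, bound):
    """Markings reachable from m by at most `bound` occurrences of transitions outside r
    (the a_1 ... a_n of Definition 3.2), keyed by the sequence that reached them."""
    reached, frontier = {(): m}, [((), m)]
    for _ in range(bound):
        nxt = []
        for seq, mk in frontier:
            for t in TRANSITIONS:
                if t not in r and enabled(mk, t):
                    reached[seq + (t,)] = fire(mk, t)
                    nxt.append((seq + (t,), reached[seq + (t,)]))
        frontier = nxt
        if not frontier:      # no longer outside sequence exists: the enumeration is exhaustive
            break
    return reached


def is_key_action(m, t, r, bound=8):
    """Definition 3.2 over outside sequences of length <= bound: t is in r and stays
    enabled after every sequence of transitions outside r."""
    return t in r and all(enabled(mk, t) for mk in outside_markings(m, r, bound).values())


if __name__ == "__main__":
    R = {"t3", "t5", "t6"}
    print("enabled initially:", sorted(enabled_set(M_HAT)))
    for t in sorted(R):
        print(t, "is a key action of r(s):", is_key_action(M_HAT, t, R))
    print("t6 after t1 t2 t4 enabled:", enabled(run(M_HAT, ("t1", "t2", "t4")), "t6"))
```

Running it reports $t_1$, $t_3$, $t_6$ as enabled, $t_3$ as the only key action of $\{t_3, t_5, t_6\}$, and $t_6$ disabled after $t_1 t_2 t_4$, matching the reasoning in the text; the `bound` parameter is only a safeguard for nets in which outside transitions can cycle.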
D1: For all states $s_1, \ldots, s_n, s_n'$ and all $a \in r(s)$ and $a_1 \notin r(s), \ldots, a_n \notin r(s)$, if $s \xrightarrow{a_1} \cdots \xrightarrow{a_n} s_n \xrightarrow{a} s_n'$, then there are states $s', s_1', \ldots$

3.2. Deadlock Detection and Its Implementation. The conditions D2w and D1 are important, because they suffice for proving that all reachable deadlocks of the full LSTS are present also in the reduced LSTS. Furthermore, the deadlocks can be reached in the reduced LSTS by re-ordering the actions in the paths in the full LSTS that lead to them. In the theory below, recall that $\to_r$ indicates which transitions occur in the reduced LSTS.

Proof. We prove the claim by induction on $n$. If $n = 0$ then $s_n = s_0$ and $a_1 \ldots a_n = \varepsilon$, so the claim holds trivially with $b_1 \ldots b_n = \varepsilon$.
From now on, let $n > 0$. We have $s_0 \xrightarrow{a_1}$ and thus $\textit{enabled}(s_0) \neq \emptyset$. By D2w, $r(s_0)$ contains a key action $a_{key}$. If none of $a_1, \ldots, a_n$ is in $r(s_0)$, then by definition $s_n \xrightarrow{a_{key}}$. However, that cannot be the case, because we assumed that $s_n$ is a deadlock. Therefore, there is $1 \leq i \leq n$ such that $a_i \in r(s_0)$. We choose the smallest such $i$, yielding $a_j \notin r(s_0)$ for $1 \leq j < i$. By this choice, D1 applies with $a_i$ in the role of $a$. So there are states $s_0', s_1', \ldots, s_{i-1}'$ such that $s_{i-1}' = s_i$ and $s_0 \xrightarrow{a_i} s_0' \xrightarrow{a_1} s_1' \xrightarrow{a_2} \cdots \xrightarrow{a_{i-1}} s_{i-1}'$. As a consequence, $s_0 \xrightarrow{a_i} s_0' \xrightarrow{a_1 \cdots a_{i-1} a_{i+1} \cdots a_n} s_n$.

The preservation of deadlocks needs also the following facts, which are easy to check from the definitions.

To implement this deadlock detection method, an algorithm is needed that, given state $s$, computes a set $r(s)$ that satisfies D1 and D2w. We already illustrated with Figure 2 that this may depend on the details of the formalism used to represent the system under verification. Because it is sometimes very difficult to check whether D1 and D2w hold, the algorithms rely on formalism-specific heuristics that may give a false negative but cannot give a false positive. The set of all actions satisfies D1 and D2w. While it yields no reduction, it can be used as a fall-back when attempts to find a better set fail.
The algorithm design problem also involves a trade-off between the time it takes to compute the set, and the quality of the set: smaller sets tend to result in smaller reduced LSTSs (although this issue is not straightforward [VH17]). In the case of 1-safe Petri nets, testing whether a singleton set $\{t\}$ is a valid $r(s)$ for the purpose of preserving all deadlocks is PSPACE-hard [VH11]. This means that there is not much hope of a fast algorithm that always yields the best possible $r(s)$.
Instead, algorithms range from quick and simple ones that exploit only the most obvious reduction possibilities, to very complicated ones that spend unreasonable amounts of time and memory in trying to find a set with few enabled actions. For instance, after finding out that $t_5$ may disable $t_3$ in Figure 2, $\{t_3\}$ must be rejected as a candidate $r(s)$. A simple algorithm might revert to the set of all actions, while a more complicated algorithm might try $\{t_3, t_5\}$, detect that $t_6$ might enable $t_5$, try $\{t_3, t_5, t_6\}$, and find out that it works.
Fortunately, the kind of analysis that led us from $\{t_3\}$ to $\{t_3, t_5, t_6\}$ is not at all too expensive, if we are okay with some imperfection. It can be performed in linear time by formulating it as the problem of finding certain kinds of maximal strongly connected components in a directed graph whose edges from $t$ to $t'$ represent the notion "if $t \in r(s)$, then also $t' \in r(s)$" (e.g., [VH17]). The result is optimal in a sense that is meaningful albeit not perfect [VH11]. (In the light of PSPACE-hardness, we should not expect perfection.) One of the things that it cannot optimise is which enabled action to choose as a key action, if many are available. In our example, it would have been possible to choose $t_1$ or $t_6$ instead of $t_3$. Because $t_6$ may be disabled by $t_4$, which is disabled until $t_2$ occurs, which is disabled until $t_1$ occurs, the choice of $t_6$ introduces edges from $t_6$ to $t_4$, from $t_4$ to $t_2$ and from $t_2$ to $t_1$. The resulting $r(s)$ would be $\{t_1\}$, because $t_1$ is enabled and does not compete for tokens with any other transition. That is, the algorithm is clever enough to drop $t_6$ in favour of $t_1$, but not clever enough to drop $t_3$ in favour of $t_1$.
The linear time algorithm discussed above makes all enabled actions in r(s) its key actions. Some other stubborn set methods than the deadlock detection method exploit this (e.g., [Val17]), so it is a good idea to make it show in the conditions. Therefore, an alternative to D2w has been defined that says that all enabled actions in r(s) must be key actions. To avoid choosing r(s) = ∅ when there are enabled actions, yet another condition D0 is introduced. Clearly D0 and D2 together imply D2w, and D2w implies D0. Methods that build on D2 are called strong stubborn set methods, while those only assuming D2w are weak.
Please remember that the set $Act$ of all actions is partitioned into the set $I \subseteq Act$ of invisible actions and the set $Act \setminus I$ of visible actions. We recall how D1 was used in the proof of Theorem 3.3. The full LSTS contains the path $s_0 \xrightarrow{a_1 \cdots a_{i-1}} s_{i-1} \xrightarrow{a_i} s_i$ with $a_i \in r(s_0)$ and $a_j \notin r(s_0)$ for $1 \leq j < i$. D1 implies the existence of $s_0'$ and the path $s_0 \xrightarrow{a_i} s_0' \xrightarrow{a_1 \cdots a_{i-1}} s_i$. This pattern repeats in many proofs in the stubborn set theory. The following condition guarantees that when using the pattern, the projection of the action sequence on the visible actions does not change.
… contains an enabled visible action. By V, $r(s)$ contains all visible actions. Because none of $a_1, \ldots, a_{i-1}$ is in $r(s)$, they must be invisible. So $\textit{vis}(a_i a_1 \ldots a_{i-1}) = a_i = \textit{vis}(a_1 \ldots a_{i-1} a_i)$.
The application of Lemma 3.4 to the proof of Theorem 3.3 yields the following.
Theorem 3.5. Assume that each $r(s)$ obeys D1, D2w and V. If $s \in S_r$ and $s_n$ is a deadlock in $TS$, then for all paths $\pi = s \xrightarrow{a_1 \ldots a_n}$ …

This theorem almost gives item (1) of the list in Section 2.3. What is missing is … We now have sufficient background on stubborn sets to illustrate the inconsistent labelling problem, but insufficient background to illustrate it in a street-credible context. Therefore, we continue and develop the LTL$_{-X}$-preserving stubborn set method in full, and postpone the illustration of the inconsistent labelling problem to Section 4.
3.3. Infinite Paths. In the remainder of this paper, we will assume that the reduced LSTS is finite. This assumption is needed to make the next lemma hold in the presence of non-deterministic actions. It will be used in proving that each infinite path in TS maps to an infinite path in TS r with certain properties.
Lemma 3.6. Assume that $r(s_0)$ obeys D1, D2w and V, and the reduced LSTS is finite. … for some action $a_{key}$. If, furthermore, $a_{key}$ is visible, then all the $a_i$ are invisible.
Proof. We use König's Lemma type of reasoning [Kön27]. Let $a_{key} \in r(s_0)$ be some key action for $r(s_0)$. Its existence follows from D2w. By the key action property there are $s_{0,0}, \ldots$ If $a_{key}$ is visible, then V and $a_n \notin r(s_0)$ for $n \geq 1$ imply that $a_1, a_2, \ldots$ are invisible. By D1, for each $i$ and each $0 \leq j < i$ there are $s_{i,j}$ such that $s_0 \ldots$, see Figure 5. We prove by induction that for every $k$, there is $s_k'$ such that $s_0 \xrightarrow{a_{key}}_r s_0'$ (for $k = 0$) or $s_{k-1}' \xrightarrow{a_k} s_k'$ (for $k > 0$), and $s_k' = s_{i,k}$ for infinitely many values of $i$.
Because there are only finitely many states, there is a state $s_0'$ that is the same as $s_{i,0}$ for infinitely many values of $i$. This constitutes the base case.
To prove the induction step, we observe that all or all but one of the infinitely many $i$ with $s_{i,k} = s_k'$ satisfy $i > k$, and thus have an $s_{i,k+1}$ such that $s_k' \xrightarrow{a_{k+1}} s_{i,k+1}$. Infinitely many of these $s_{i,k+1}$ are the same state, again because there are only finitely many states. This state qualifies as $s_{k+1}'$.
In the opposite case none of $a_{i,1}, a_{i,2}, \ldots$ is in $r(s_i)$. By D2w, $r(s_i)$ contains at least one key action. To present later a further result, we choose an invisible key action if available, and otherwise a visible one. Lemma 3.6 yields $s_{i+1}$ such that $s_i \xrightarrow{a_{key}}_r s_{i+1}$ and $a_{i+1,1} a_{i+1,2} \ldots = a_{i,1} a_{i,2} \ldots$. We call this "introducing a key action". If $a_{key} \in I$, then the equations both hold, so (1) or (2) remains valid in the step from $i$ to $i+1$. Otherwise, $a_{key}$ is visible. Lemma 3.6 says that $a_{i,1}, a_{i,2}, \ldots$ are invisible. Then both (1) and (2) … If (1) holds for every $i \geq 0$, then $\textit{vis}(\rho)$ is a prefix of $\textit{vis}(\pi)$. Otherwise there is $i$ such that (2) holds. For that and every bigger $i$, $\textit{vis}(\pi)$ is a prefix of $\textit{vis}(s_0 \ldots$

The above result is a step towards item (3) of the list in Section 2.3, but not sufficient as such. Instead, $\textit{vis}(\pi) = \textit{vis}(\rho)$ is needed. We next add a condition, viz. condition I, guaranteeing that $\textit{vis}(\rho)$ is a prefix of $\textit{vis}(\pi)$. Then we add another condition (viz. L) for the opposite direction.
I: If an invisible action is enabled, then r(s) contains an invisible key action.
Lemma 3.8. If I is added to the assumptions of Lemma 3.7, then $\textit{vis}(\rho)$ is a prefix of $\textit{vis}(\pi)$.
Proof. Consider the proof of Lemma 3.7. By Lemma 3.6, when none of $a_{i,1}, a_{i,2}, \ldots$ is in $r(s_i)$, then either $a_{key}$ or $a_{i,1}$ is invisible. Obviously $a_{i,1}$ is enabled in $s_i$. So I guarantees that there is an invisible key action. This makes (1) remain true throughout the proof of Lemma 3.7, from which the claim follows.
Both V and I are easy to take into account in the graph-based algorithms for computing strong stubborn sets discussed above. It is much harder to ensure that $\textit{vis}(\pi)$ is a prefix of $\textit{vis}(\rho)$. The following condition is more or less the best known. It is usually implemented by constructing the reduced LSTS in depth-first order so that cycles can be recognised, and using a set that contains all visible actions as $r(s)$ in one or the other end of the edge that closes the cycle.
L: For every visible action a, every cycle in the reduced LSTS contains a state s such that a ∈ r(s).
Lemma 3.9. If L is added to the assumptions of Lemma 3.7, then $\textit{vis}(\pi)$ is a prefix of $\textit{vis}(\rho)$.
Proof. To derive a contradiction, assume that $\textit{vis}(\pi)$ is not a prefix of $\textit{vis}(\rho)$. By Lemma 3.7, $\textit{vis}(\rho)$ is a proper prefix of $\textit{vis}(\pi)$. Therefore, $\textit{vis}(\rho)$ is finite, that is, there is $i$ such that $\textit{vis}(\rho) = \textit{vis}(s_0 \ldots$ These contradict (2) in the proof of the lemma, so (1) holds. By it and the proper prefix property, there is $v$ such that $a_{i,v}$ is visible. We use the smallest such $v$.
Observe that if D1 is applied at $s_i$ to move action $a_{i,j}$ to the front, where $j > v$, or D2w is applied, then $a_{i+1,k} = a_{i,k}$ for $1 \leq k \leq v$. If the same also happens at $s_{i+1}$ then $a_{i+2,k} = a_{i,k}$ for $1 \leq k \leq v$, and so on, either forever or until D1 is applied such that $j \leq v$, whichever comes first. We show next that the latter comes first.
Because $S_r$ is finite, we may let $n = i + |S_r|$. By the pigeonhole principle, $s_i, \ldots, s_n$ cannot all be distinct. So the path $s_i \xrightarrow{b_{i+1} \ldots b_n}_r s_n$ contains a cycle. L implies that there is $i \leq \ell < n$ such that $a_{i,v} \in r(s_\ell)$. This guarantees that there is the smallest $h$ such that $i \leq h < i + |S_r|$ and $\{a_{i,1}, \ldots, a_{i,v}\} \cap r(s_h) \neq \emptyset$. Observe that at any step $i \leq i' < h$, whether D1 is applied to move $a_{i',j}$ forward, where $j > v$, or D2w is applied to introduce a key action, we have $a_{i'+1,v} = a_{i',v}$. By D1, $b_{h+1}$ is one of $a_{h,1}, \ldots, a_{h,v}$ … Repeating the argument at most $v$ times proves that there is $i \leq h < i + v|S_r|$ such that $b_{h+1} = a_{i,v}$. Because $a_{i,v}$ is visible, this contradicts $\textit{vis}(\rho) = \textit{vis}(s_0 \ldots$

We have proven the following.

This theorem gives item (3) of the list in Section 2.3. Item (4) follows immediately from ${\to_r} \subseteq {\to}$. We have proven items (1) to (4) of the list in Section 2.3. Before we continue with an example of the conditions at work, we restate them for convenience. Recall that weak stubborn sets assume that conditions D1, D2w, V, I and L hold for all $r(s)$, while strong stubborn sets assume D0, D1, D2, V, I and L for all $r(s)$.

3.4. An Example. Consider the Petri net and its LSTS in
Actions $v$ and $w$ must be declared visible, because they may change the truth value of $q$ ($v$ from false to true and $w$ in the opposite direction). In the LSTS such events manifest themselves as transitions whose one end state is white and the opposite end state is grey, labelled with $v$ or $w$. Please notice that not every occurrence of a visible action must change the truth value. For instance, if there were initially two tokens in $p_5$, then both $\hat{m} \xrightarrow{avvw}$ and $\hat{m} \xrightarrow{avwv}$ would be possible, the first one inducing the label sequence $\emptyset\emptyset\{q\}\{q\}\{q\}$, and the second $\emptyset\emptyset\{q\}\emptyset\{q\}$.
Actions $a$, $b$, $c$ and $d$ may be invisible. In this case, we choose the set of invisible actions to be maximal, i.e., $I = \{a, b, c, d\}$. In the initial state $s_1$, we have $r(s_1) = \{a\}$. Remark that $a$ is a key action in $s_1$, since for all prefixes $\pi$ of $v(bc)^\omega$, we have $s_1 \xrightarrow{\pi a}$. That is, $\{a\}$ satisfies D2w in $s_1$. It also satisfies D1, because it is easy to check that for those $\pi$ and $s$ for which $s_1 \xrightarrow{\pi a} s$ holds, also $s_1 \xrightarrow{a \pi} s$ holds. In states $s_3$ and $s_4$ we must have $b \in r(s_3)$, respectively $c \in r(s_4)$, by condition I. Condition L can be satisfied in the cycle consisting of $s_3$ and $s_4$ by either setting $w \in r(s_3)$ or $w \in r(s_4)$; here we have opted for the latter. Actually, $w \in r(s_4)$ is also enforced by D1,

Counter-Example
Consider the LSTS in Figure 7, which we will refer to as $TS^C$. There is only one atomic proposition $q$, which holds in the grey states and is false in the other states. The initial state $\hat s$ is marked with an incoming arrow. First, note that this LSTS is deterministic. The actions $a_1$, $a_2$ and $a_3$ are visible, and $a$ and $a_{key}$ are invisible.
In the initial state, we choose $r(\hat s) = \{a, a_{key}\}$, which is a weak stubborn set by the following reasoning. Conditions D2w and I are satisfied, since $a_{key}$ is an invisible key action in $\hat s$. The path $\hat s \xrightarrow{a_1 a_2}$ commutes with both $a$ and $a_{key}$ (and $\hat s \xrightarrow{a_1}$ furthermore commutes with $a_{key}$), satisfying D1. Conditions V and L are trivially true. In all other states $s$, we choose $r(s) = Act$.
As a result, we obtain a reduced LSTS $TS^C_r$ that does not contain the dashed states and transitions. The original LSTS contains the trace $\emptyset\{q\}\emptyset\emptyset\{q\}^\omega$, obtained by following the path with actions $a_1 a_2 a a_3^\omega$. However, the reduced LSTS does not contain a stutter equivalent trace. This is also witnessed by the LTL$_{-X}$ formula (q ⇒ (q ∨ ¬q)), which holds for $TS^C_r$, but not for $TS^C$.
A very similar example can be used to show that strong stubborn sets suffer from the same problem. Consider again the LSTS in Figure 7, but assume that $a = a_{key}$, making the LSTS no longer deterministic. Now, $r(\hat s) = \{a\}$ is a strong stubborn set: D0 is satisfied because $r(\hat s) \cap enabled(\hat s) = \{a\}$, and D2 and I are satisfied because $a$ is an invisible key action. Condition D1 holds as well, since there is a path $\hat s \xrightarrow{a a_1 a_2} s'$ (resp. $\hat s \xrightarrow{a a_1} s'$) for every path of the shape $\hat s \xrightarrow{a_1 a_2 a} s'$ (resp. $\hat s \xrightarrow{a_1 a} s'$). Conditions V and L are trivially true as before. Again, the trace $\emptyset\{q\}\emptyset\emptyset\{q\}^\omega$ is not preserved in the reduced LSTS. In Section 5.3, we will see why the inconsistent labelling problem does not occur for deterministic systems under strong stubborn sets.
The core of the problem lies in the fact that condition D1, even when combined with V, does not enforce that the two paths it considers are stutter equivalent. Consider the paths $s \xrightarrow{a}$ and $s \xrightarrow{a_1 a_2 a}$ and assume that $a \in r(s)$ and $a_1 \notin r(s)$, $a_2 \notin r(s)$. Condition V ensures that at least one of the following two holds: (i) $a$ is invisible, or (ii) $a_1$ and $a_2$ are invisible. Half of the possible scenarios are depicted in Figure 8; the other half are symmetric. Again, the grey states (and only those states) are labelled with $\{q\}$.
The two cases delimited with a solid line are problematic. In both LSTSs, the paths $s \xrightarrow{a_1 a_2 a} s'$ and $s \xrightarrow{a a_1 a_2} s'$ are weakly equivalent, since $a$ is invisible. However, they are not stutter equivalent, and therefore these LSTSs are not labelled consistently. The topmost of these two LSTSs forms the core of the counter-example $TS^C$, with the rest of $TS^C$ serving to satisfy condition D2/D2w.

Strengthening Condition D1
To fix the issue with inconsistent labelling, we propose to strengthen condition D1 as follows¹.
¹ Based on a comment by one of the journal's reviewers, we noticed that condition D1' can be weakened further, by changing the last sentence to: "Furthermore, if none of $a_1, \ldots, a_n$ is visible, then $s_i \xrightarrow{a} s_i'$ for every $1 \le i < n$." This weakening additionally allows a reduction in the bottom-middle LSTS of Figure 8, although this is hard to exploit in practice (see Section 5.2). However, given the nature of this study, we chose to not make any last-minute changes to avoid making new mistakes. This choice was further motivated by the following remark by another reviewer (for which we are grateful): "I really carefully checked all the results and proofs and can accept the arguments and conclusions."
Condition D1' is very similar to condition C1 [GKPP99], which is common in the context of ample sets. However, C1 requires that action $a$ is globally independent of each of the actions $a_1, \ldots, a_n$, while D1' merely requires a kind of local independence. Persistent sets [God96] also rely on a condition similar to D1', and require local independence. Thus, under ample sets and persistent sets, the vertical transitions $s_i \xrightarrow{a} s_i'$ are always present, and hence they do not suffer from the inconsistent labelling problem.

Correctness.
To show that D1' indeed resolves the inconsistent labelling problem, we amend the lemmata and proofs of Section 3. The core of the revised argument lies in a new version of Lemma 3.4 that relates the state labels of the two paths considered by D1'.
Proof. If $a$ is invisible, then D1' enforces that $s_i \xrightarrow{a} s_i'$ for every $1 \le i < n$. Thus, we have $L(s_i) = L(s_i')$ for $1 \le i \le n$, and it follows that $\pi$ and $\rho$ are stutter equivalent. From now on assume that $a$ is visible. Because D1' only applies if $a \in r(s)$, $r(s)$ contains an enabled visible action. By V, $r(s)$ contains all visible actions. Because none of $a_1, \ldots, a_n$ is in $r(s)$, they must be invisible and we have $L(s_0) = L(s_1) = \ldots = L(s_n)$ and $L(s_0') = L(s_1') = \ldots = L(s_n')$. So the traces of $\pi$ and $\rho$ are $L(s_0)^{n+1} L(s_n')$ and $L(s_0) L(s_n')^{n+1}$, respectively. We conclude that $\pi$ and $\rho$ are stutter equivalent.
We use the same reasoning to derive the existence of a transition $s_k \xrightarrow{a_{key}} s_k'$ for every $k > 0$ in the proof of Lemma 3.6, which yields the stronger result that, if $a_{key}$ is invisible, no-stut($\pi$) = no-stut($\rho$). The other lemmata are changed by replacing every occurrence of vis by no-stut. Furthermore, in the proof of Lemma 3.9, we reason about a visible action $a_{i,v}$ that actually changes the state labelling. This results in the following two theorems, which replace Theorems 3.5 and 3.10 respectively.
Theorem 5.2. Assume that each $r(s)$ obeys D1', D2w and V. If $s \in S_r$ and $s_n$ is a deadlock in $TS$, then for all paths $\pi = s \xrightarrow{a_1 \ldots a_n} s_n$, there is a path $\rho = s \xrightarrow{b_1 \ldots b_n}_r s_n$ such that no-stut($\pi$) = no-stut($\rho$).
With $\to_r \subseteq \to$, it follows immediately that the replacement of condition D1 by D1' is sufficient to ensure that the reduced transition system $TS_r$ is stutter-trace equivalent to the original transition system $TS$. Thus, the problem with Theorem 2.5 is resolved.
5.2. Implementation. As discussed in Section 3.2, most, if not all, implementations of stubborn sets approximate D1 based on a binary relation on actions. This relation may even (partly) depend on the current state $s$, in which case we index it by $s$, and it should be such that condition D1 is satisfied whenever $a \in r(s)$ together with $a$ being related to $a'$ in $s$ implies $a' \in r(s)$. A set satisfying D0, D1, D2, V and I, or D1, D2w, V and I, can be found by searching for a suitable strongly connected component in the graph on $Act$ induced by this relation. Condition L is dealt with by other techniques.
Practical implementations construct the relation by analysing how any two actions $a$ and $a'$ interact. If $a$ is enabled, the simplest (but not necessarily the best possible) strategy is to relate $a$ to $a'$ in $s$ if and only if $a$ and $a'$ access at least one place (in the case of Petri nets) or variable (in the more general case) in common. This can be relaxed, for instance, by not considering commutative accesses, such as writing to and reading from a FIFO buffer. As a result, the relation can only detect reduction opportunities in (sub)graphs of the following shape: a path $s \xrightarrow{a_1} s_1 \cdots \xrightarrow{a_n} s_n$, a path $s' \xrightarrow{a_1} s_1' \cdots \xrightarrow{a_n} s_n'$, and vertical transitions $s \xrightarrow{a} s'$, $s_1 \xrightarrow{a} s_1'$, ..., $s_n \xrightarrow{a} s_n'$, where $a \in r(s)$ and $a_1 \notin r(s), \ldots, a_n \notin r(s)$. The presence of the vertical $a$ transitions in $s_1, \ldots, s_{n-1}$ implies that D1' is also satisfied by such implementations.
5.3. Deterministic LSTSs. As already noted in Section 4, strong stubborn sets for deterministic systems do not suffer from the inconsistent labelling problem. The following lemma, which also appeared as [Val17, Lemma 4.2], shows why.
Proof. Let $TS$ be a deterministic LSTS, $\pi = s_0 \xrightarrow{a_1} s_1 \xrightarrow{a_2} \cdots \xrightarrow{a_n} s_n \xrightarrow{a} s_n'$ a path in $TS$ and $r$ a reduction function that satisfies D1 and D2. Furthermore, assume that $a \in r(s_0)$ and $a_1 \notin r(s_0), \ldots, a_n \notin r(s_0)$. By applying D1, we obtain the path $\pi' = s_0 \xrightarrow{a} s_0' \xrightarrow{a_1} \cdots \xrightarrow{a_n} s_n'$, which satisfies the first part of condition D1'. With D2, we have $s_i \xrightarrow{a} s_i''$ for every $1 \le i \le n$. Then, we can also apply D1 to every path $s_0$ Since $TS$ is deterministic, every path $\pi_i$ must coincide with a prefix of $\pi'$. We conclude that $s_i'' = s_i'$ and so the requirement that $s_i \xrightarrow{a} s_i'$ for every $1 \le i \le n$ is also satisfied.
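As an added illustration (not code from the paper), the following Python script builds a small deterministic LSTS modelled on the core of $TS^C$ from Section 4 and on the D1' discussion above: the state names, labels and the $a_3$ loop are assumptions chosen to reproduce the quoted trace $\emptyset\{q\}\emptyset\emptyset\{q\}^\omega$, since Figure 7 itself is not reproduced here, and $a_{key}$/D2w are left out because only D1 versus D1' is exercised. It checks that the paths $s \xrightarrow{a_1 a_2 a} s'$ and $s \xrightarrow{a a_1 a_2} s'$ are weakly but not stutter equivalent, that D1 holds for $r(s) = \{a\}$ while D1' (with the vertical transitions $s_i \xrightarrow{a} s_i'$) fails, and that adding the vertical transition restores stutter equivalence.

```python
from itertools import product

# Constructed example: action alphabet of the core of TS_C (a3 loop included so
# the quoted trace ∅{q}∅∅{q}^ω can be reproduced). a1, a2, a3 visible; a invisible.
VISIBLE = {"a1", "a2", "a3"}


def make_core(consistent):
    """Build (labels, transitions) for the core LSTS.

    consistent=False: the problematic LSTS (top solid case of Figure 8): no
                      vertical a-transition leaves s1, so D1 holds but D1' fails.
    consistent=True:  the same LSTS plus the vertical transition s1 -a-> t1,
                      with L(t1) = L(s1) because a is invisible.
    State names and labels are an assumption, not copied from Figure 7."""
    labels = {"s": frozenset(), "s1": frozenset({"q"}), "s2": frozenset(),
              "s3": frozenset(), "s4": frozenset({"q"}),
              "t0": frozenset(), "t1": frozenset()}
    trans = {("s", "a1"): "s1", ("s1", "a2"): "s2", ("s2", "a"): "s3",   # pi
             ("s", "a"): "t0", ("t0", "a1"): "t1", ("t1", "a2"): "s3",   # rho
             ("s3", "a3"): "s4", ("s4", "a3"): "s4"}                     # a3^omega
    if consistent:
        trans[("s1", "a")] = "t1"
        labels["t1"] = frozenset({"q"})
    return labels, trans


def run(trans, state, actions):
    """States visited when firing `actions` from `state` (deterministic LSTS),
    or None if some action is disabled along the way."""
    states = [state]
    for act in actions:
        state = trans.get((state, act))
        if state is None:
            return None
        states.append(state)
    return states


def no_stut(label_seq):
    """Collapse runs of identical consecutive labels (finite-path no-stut)."""
    out = []
    for lab in label_seq:
        if not out or out[-1] != lab:
            out.append(lab)
    return out


def weakly_equivalent(acts1, acts2):
    """Weak equivalence: same sequence of visible actions (vis(pi) = vis(rho))."""
    vis = lambda acts: [x for x in acts if x in VISIBLE]
    return vis(acts1) == vis(acts2)


def stutter_equivalent(labels, states1, states2):
    return no_stut([labels[s] for s in states1]) == no_stut([labels[s] for s in states2])


def check_d1(trans, s, r, max_len, prime=False):
    """D1: for every a in r(s) and a1..an outside r(s) with n <= max_len,
    s -a1..an a-> s' implies s -a a1..an-> s'.  With prime=True the check
    also demands the vertical transitions s_i -a-> s_i' for 1 <= i < n (D1')."""
    others = sorted({act for (_, act) in trans} - set(r))
    for n in range(max_len + 1):
        for seq in product(others, repeat=n):
            for a in r:
                pi = run(trans, s, list(seq) + [a])      # [s0, ..., sn, sn']
                if pi is None:
                    continue
                rho = run(trans, s, [a] + list(seq))     # [s0, s0', ..., sn']
                if rho is None or rho[-1] != pi[-1]:
                    return False
                if prime and any(trans.get((pi[i], a)) != rho[i + 1]
                                 for i in range(1, n)):
                    return False
    return True


def analyse():
    """Compare the original path a1 a2 a a3 a3 with the commuted one a a1 a2 a3 a3
    in both variants; returns the four verdicts per variant."""
    orig_acts = ["a1", "a2", "a", "a3", "a3"]
    red_acts = ["a", "a1", "a2", "a3", "a3"]
    verdicts = {}
    for consistent in (False, True):
        labels, trans = make_core(consistent)
        orig, red = run(trans, "s", orig_acts), run(trans, "s", red_acts)
        verdicts[consistent] = {
            "weak": weakly_equivalent(orig_acts, red_acts),
            "stutter": stutter_equivalent(labels, orig, red),
            "D1": check_d1(trans, "s", ["a"], 4),
            "D1'": check_d1(trans, "s", ["a"], 4, prime=True),
        }
    return verdicts


if __name__ == "__main__":
    for consistent, v in analyse().items():
        print("vertical a-transition present:", consistent, v)
```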

Safe Logics
In this section, we will identify two logics, viz. reachability and CTL$_{-X}$, which are not affected by the inconsistent labelling problem. This is either due to their limited expressivity or to the additional POR conditions that are required on top of the conditions we have introduced so far.
6.1. Reachability properties. Although the counter-example of Section 4 shows that stutter-trace equivalence is in general not preserved by stubborn sets, some fragments of LTL$_{-X}$ are preserved. One such class of properties is reachability properties, which are of the shape f or f, where $f$ is a formula not containing temporal operators.
Theorem 6.1. Let $TS$ be an LSTS, $r$ a reduction function that satisfies either D0, D1, D2, V and L or D1, D2w, V and L, and $TS_r$ the reduced LSTS. For all possible labellings $l \subseteq AP$, $TS$ contains an initial path to a state $s$ such that $L(s) = l$ iff $TS_r$ contains an initial path to a state $s'$ such that $L(s') = l$.
Proof. The "if" case is trivial, since $TS_r$ is a subgraph of $TS$. For the "only if" case, we reason as follows. Let $TS = (S, \to, \hat s, L)$ be an LSTS and $\pi = s_0 \xrightarrow{a_1} \cdots \xrightarrow{a_n} s_n$ an initial path, i.e., $s_0 = \hat s$. We mimic this path by repeatedly taking some enabled action $a$ that is in the stubborn set, according to the following schema. Below, we assume that the path to be mimicked contains at least one visible action. Otherwise, its first state would have the same labelling as $s_n$.
(1) If there is an $i$ such that $a_i \in r(s_0)$, we consider the smallest such $i$, i.e., $a_1 \notin r(s_0), \ldots, a_{i-1} \notin r(s_0)$. Then, we can shift $a_i$ forward by D1, move towards $s_n$ along $s_0 \xrightarrow{a_i} s_0'$ and continue by mimicking $s_0'$
(2) If all of $a_1 \notin r(s_0), \ldots, a_n \notin r(s_0)$, then, by D0 and D2 or by D2w, there is a key action $a_{key}$ in $s_0$. By the definition of key actions and D1, $a_{key}$ leads to a state $s_0'$ from which we can continue mimicking the path $s_0' \longrightarrow s_n'$. Note that $L(s_n) = L(s_n')$, since $a_{key}$ is invisible by condition V.
The second case cannot be repeated infinitely often, due to condition L. Hence, after a finite number of steps, we reach a state $s_n'$ with $L(s_n') = L(s_n)$.
We remark that more efficient mechanisms for reachability checking under POR have been proposed, such as condition S [VH17], which can replace L, or conditions based on up-sets [Sch00]. Another observation is that model checking of LTL$_{-X}$ properties can be reduced to reachability checking by computing the cross-product of a Büchi automaton and an LSTS [BK08], in the process resolving the inconsistent labelling problem. Peled [Pel96] shows how this approach can be combined with POR, but please note the correctness issues detailed in [Sie19].
6.2. Deterministic LSTSs and CTL$_{-X}$ Model Checking. In this section, we consider the inconsistent labelling problem in the setting of CTL$_{-X}$ model checking. When applying stubborn sets in that context, stronger conditions are required to preserve the branching structure that CTL$_{-X}$ reasons about. Namely, the original LSTS must be deterministic and one more condition needs to be added [GKPP99]:
C4: Either $r(s) = Act$ or $r(s) \cap enabled(s) = \{a\}$ for some $a \in Act$.
We slightly changed its original formulation to match the setting of stubborn sets. A weaker condition, called Ä8, which does not require determinism of the whole LSTS, is proposed in [Val97]. With C4, strong and weak stubborn sets collapse, as shown by the following lemma.
Lemma 6.2. Conditions D2w and C4 together imply D0 and D2.
Figure 9. Example of a Petri net whose LSTS suffers from the inconsistent labelling problem.
Proof. Let $TS$ be an LSTS, $s$ a state and $r$ a reduction function that satisfies D2w and C4. Condition D0 is trivially implied by C4. Using C4, we distinguish two cases: either $r(s)$ contains precisely one enabled action $a$, or $r(s) = Act$. In the former case, this single action $a$ must be a key action, according to D2w. Hence, D2, which requires that all enabled actions in $r(s)$ are key actions, is satisfied. Otherwise, if $r(s) = Act$, we consider an arbitrary action $a$ that satisfies D2's precondition that $s \xrightarrow{a}$. Given a path $s \xrightarrow{a_1 \ldots a_n}$, the condition that $a_1 \notin r(s), \ldots, a_n \notin r(s)$ only holds if $n = 0$. We conclude that D2's condition $s \xrightarrow{a_1 \ldots a_n a}$ is satisfied by the assumption $s \xrightarrow{a}$.
It follows from Lemmata 5.4 and 6.2 and Theorems 5.2 and 5.3 that CTL$_{-X}$ model checking of deterministic systems with stubborn sets does not suffer from the inconsistent labelling problem. The same holds for condition Ä8, as already shown in [Val97].

Petri Nets
In this section, we discuss the impact of the inconsistent labelling problem on Petri nets. Contrary to Section 2.2, here we assume the LSTS of a Petri net has the set of all markings $M$ as its set of states. This does not affect the correctness of POR, as long as the set of reachable states $M_{reach}$ is finite. As before, we assume that the LSTS contains some labelling function $L : M \to 2^{AP}$. More details on how a labelling function arises from a Petri net are given below. Like in the Petri net examples we saw earlier, markings and structural transitions take over the role of states and actions respectively. Note that the LSTS of a Petri net is deterministic. We want to stress that all the theory in this section is specific to the semantics defined in Section 2.2.
Example 7.1. Consider the Petri net with initial marking $\hat m$ on the left of Figure 9. Here, all arcs are weighted 1, except for the arc from $p_5$ to $t_3$, which is weighted 2. Its LSTS is infinite, but the substructure reachable from $\hat m$ is depicted on the right. The number of tokens in each of the places $p_1, \ldots, p_6$ is inscribed in the nodes; the state labels (if any) are written beside the nodes.
The LSTS practically coincides with the counter-example of Section 4. Only the self-loops are missing and the state labelling, with atomic propositions $q$, $q_p$ and $q_l$, differs slightly; the latter will be explained later. For now, note that $t$ and $t_{key}$ are invisible and
In the remainder of this section, we fix a Petri net $(P, T, W, \hat m)$ and its LSTS $(M, \to, \hat m, L)$. Below, we consider three different types of atomic propositions. Firstly, polynomial propositions [BJLM19] compare a polynomial $f(p_1, \ldots, p_n)$ over the places $p_1, \ldots, p_n$ with a constant $k \in \mathbb{Z}$ using one of the comparison operators $<, \le, >, \ge, =, \ne$. Such a proposition holds in a marking $m$ iff the comparison holds between $f(m(p_1), \ldots, m(p_n))$ and $k$. A linear proposition [LW19] is similar, but the function $f$ over places must be linear and $f(0, \ldots, 0) = 0$, i.e., linear propositions compare $k_1 p_1 + \cdots + k_n p_n$ with $k$, where $k_1, \ldots, k_n, k \in \mathbb{Z}$. Finally, we have arbitrary propositions [Var05], whose shape is not restricted and which can hold in any given set of markings.
Several other types of atomic propositions can be encoded as polynomial propositions. For the purpose of introducing several variants of invisibility, we reformulate and generalise the definition of invisibility from Section 2. Given an atomic proposition $q \in AP$, a relation $R \subseteq M \times M$ is $q$-invisible if and only if $(m, m') \in R$ implies $q \in L(m) \Leftrightarrow q \in L(m')$. We consider a structural transition $t$ $q$-invisible iff its corresponding relation $\{(m, m') \mid m \xrightarrow{t} m'\}$ is $q$-invisible. Invisibility is also lifted to sets of atomic propositions: given a set $AP' \subseteq AP$, relation $R$ is $AP'$-invisible iff it is $q$-invisible for all $q \in AP'$. If $R$ is $AP$-invisible, we plainly say that $R$ is invisible. $AP'$-invisibility and invisibility carry over to structural transitions. We sometimes refer to invisibility as ordinary invisibility for emphasis. Note that the set of invisible structural transitions $I$ is no longer an under-approximation, but contains exactly those structural transitions $t$ for which $m \xrightarrow{t} m'$ implies $L(m) = L(m')$ (cf. Section 2).
We are now ready to introduce three orthogonal variations on invisibility.
Definition 7.2. Let $R \subseteq M \times M$ be a relation on markings. Then, is polynomial and for all pairs of markings $(m, m') \in R$, we have that $f(m(p_1), \ldots, m(p_n)) = f(m'(p_1), \ldots, m'(p_n))$; or $q$ is not polynomial and $R$ is $q$-invisible.
Intuitively, under reach $q$-invisibility, all pairs of reachable markings $(m, m') \in R$ have to agree on the labelling of $q$. For value invisibility, the value of the polynomial $f$ must never change between two markings $(m, m') \in R$. Reach and value invisibility are lifted to structural transitions and sets of atomic propositions as before, i.e., by taking
Strong invisibility does not take the presence of a transition $m \xrightarrow{t} m'$ into account, and purely reasons about the effects of $t$. Value invisibility and strong invisibility are new in the current work, although strong invisibility was inspired by the notion of invisibility proposed by Varpaaniemi in [Var05]. Our definition of strong invisibility weakens the conditions of Varpaaniemi.
We indicate the sets of all value, reach and strongly invisible structural transitions with $I_v$, $I_r$ and $I_s$ respectively. Since $I_v \subseteq I$, $I_s \subseteq I$ and $I \subseteq I_r$, the set of all their possible combinations forms the lattice shown in Figure 10. In the remainder, the weak equivalence relations that follow from each of the eight invisibility notions are abbreviated, e.g., $\sim_{I^r_{sv}}$ becomes $\sim^r_{sv}$.
Example 7.4. Consider again the Petri net and LSTS from Example 7.1. We can define $q_l$ and $q_p$ as linear and polynomial propositions, respectively:
• $q_l := p_3 + p_4 + p_6 = 0$ is a linear proposition, which holds when neither $p_3$, $p_4$ nor $p_6$ contains a token. Structural transition $t$ is $q_l$-invisible, because $m \xrightarrow{t} m'$ implies that $m(p_3) = m'(p_3) \ge 1$, and thus neither $m$ nor $m'$ is labelled with $q_l$. On the other hand, $t$ is not value $q_l$-invisible (by the transition $101100 \xrightarrow{t} 101010$) or strongly reach $q_l$-invisible (by $010100$ and $010010$). However, $t_{key}$ is strongly value $q_l$-invisible: it moves a token from $p_4$ to $p_6$ and hence never changes the value of $p_3 + p_4 + p_6$.
• $q_p := (1 - p_3)(1 - p_5) = 1$ is a polynomial proposition, which holds in all reachable markings $m$ where $m(p_3) = m(p_5) = 0$ or $m(p_3) = m(p_5) = 2$. Structural transition $t$ is reach value $q_p$-invisible, but not $q_p$-invisible (by $002120 \xrightarrow{t} 002030$) or strongly reach $q_p$-invisible. Strong value $q_p$-invisibility of $t_{key}$ follows immediately from the fact that the adjacent places of $t_{key}$, viz. $p_4$ and $p_6$, do not occur in the definition of $q_p$.
This yields the state labelling which is shown in Example 7.1.
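The following Python script is an added example (not from the paper) that recomputes the witnesses of Example 7.4 with the effect function $d_t$ used later in this section. The arc weights of $t$ and $t_{key}$ are an assumption chosen to reproduce the quoted transitions ($t$ reads $p_3$ through a self-loop and moves a token from $p_4$ to $p_5$; $t_{key}$ moves a token from $p_4$ to $p_6$), and ordinary versus value $q$-invisibility is checked over all markings with at most three tokens per place, a constructed stand-in for $M$; reach and strong invisibility are not covered, since the reachable markings of Figure 9 are not listed here.

```python
from itertools import product

PLACES = ("p1", "p2", "p3", "p4", "p5", "p6")

# Assumed arc weights (not the net of Figure 9 itself): t has a read loop on p3 and
# moves a token from p4 to p5; t_key moves a token from p4 to p6.  These arcs
# reproduce the witness transitions quoted in Example 7.4.
W_PRE = {"t": {"p3": 1, "p4": 1}, "t_key": {"p4": 1}}    # W(p, t)
W_POST = {"t": {"p3": 1, "p5": 1}, "t_key": {"p6": 1}}   # W(t, p)


def parse(marking):
    """'101100' -> (1, 0, 1, 1, 0, 0): tokens in p1..p6, as written in Example 7.4."""
    return tuple(int(c) for c in marking)


def fmt(m):
    return "".join(str(x) for x in m)


def d(t):
    """Effect vector d_t(p) = W(t, p) - W(p, t)."""
    return tuple(W_POST[t].get(p, 0) - W_PRE[t].get(p, 0) for p in PLACES)


def enabled(t, m):
    return all(m[i] >= W_PRE[t].get(p, 0) for i, p in enumerate(PLACES))


def fire(t, m):
    """m -t-> m + d_t (the caller checks enabledness)."""
    return tuple(x + dx for x, dx in zip(m, d(t)))


# The two propositions of Example 7.4, each as (polynomial f, constant k), both
# with comparison operator '='.
def f_l(m):
    return m[2] + m[3] + m[5]            # p3 + p4 + p6


def f_p(m):
    return (1 - m[2]) * (1 - m[4])       # (1 - p3)(1 - p5)


PROPS = {"q_l": (f_l, 0), "q_p": (f_p, 1)}


def holds(q, m):
    f, k = PROPS[q]
    return f(m) == k


def pairs(t, markings):
    """The relation {(m, m') | m -t-> m'} restricted to m in `markings`."""
    return [(m, fire(t, m)) for m in markings if enabled(t, m)]


def q_invisible(t, q, markings):
    """Ordinary q-invisibility: q has the same truth value in m and m'."""
    return all(holds(q, m) == holds(q, m2) for m, m2 in pairs(t, markings))


def value_invisible(t, q, markings):
    """Value q-invisibility (Definition 7.2): the polynomial's value never changes."""
    f, _ = PROPS[q]
    return all(f(m) == f(m2) for m, m2 in pairs(t, markings))


def witness(t, q, markings, value=False):
    """First pair (m, m') refuting (value) q-invisibility of t, or None."""
    f, _ = PROPS[q]
    for m, m2 in pairs(t, markings):
        changed = f(m) != f(m2) if value else holds(q, m) != holds(q, m2)
        if changed:
            return fmt(m), fmt(m2)
    return None


# Constructed stand-in for M: every marking with at most three tokens per place.
ALL = list(product(range(4), repeat=len(PLACES)))


def classify(markings=ALL):
    """(ordinary, value) q-invisibility verdict for each transition/proposition pair."""
    return {(t, q): (q_invisible(t, q, markings), value_invisible(t, q, markings))
            for t in W_PRE for q in PROPS}


if __name__ == "__main__":
    for key, verdict in classify().items():
        print(key, "q-invisible:", verdict[0], "value q-invisible:", verdict[1])
    print("t is not value q_l-invisible, witness:", witness("t", "q_l", ALL, value=True))
```

Every pair that comes out value-invisible is also ordinarily invisible, which is the inclusion $I_v \subseteq I$ stated in the text.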
Given a weak equivalence relation $R_\sim$ and a stutter equivalence relation $R$, we say that $R_\sim$ is consistent with $R$ to indicate that $R_\sim$ and $R$ yield consistent labelling (Definition 2.4). We spend the rest of this section investigating under which notions of invisibility and propositions from the literature the LSTS of a Petri net is labelled consistently. More formally, we check for each weak equivalence relation $R_\sim$ and each stutter equivalence relation $R$ whether $R_\sim$ is consistent with $R$. This tells us when existing stubborn set theory can be applied without problems. The two lattices containing all weak and stuttering equivalence relations are depicted in Figure 11; each dotted arrow represents a consistent labelling result. Before we continue, we first introduce an auxiliary lemma.
Figure 11. Two lattices containing variations of weak equivalence and stutter equivalence, respectively. Solid arrows indicate a subset relation inside the lattice; dotted arrows (labelled in the figure with, among others, Theorem 7.6 and Theorem 7.8) follow from the indicated theorems and show when the LSTS of a Petri net is labelled consistently.
Lemma 7.5. Let $I$ be a set of invisible structural transitions and $L$ some labelling function. If for all $t \in I$ and paths $\pi = m_0 \ldots$, it holds that $\pi$ and $\pi'$ are stutter equivalent under $L$, then $\sim_I$ is consistent with stutter equivalence under $L$.
Proof. We assume that the following holds for all paths and $t \in I$:
To prove that $\sim_I$ is consistent with stutter equivalence under $L$, we need to consider two initial paths $\pi$ and $\pi'$ such that $\pi \sim_I \pi'$ and prove that $\pi$ and $\pi'$ are stutter equivalent under $L$ (see Definition 2.4). The proof proceeds by induction on the combined number of invisible structural transitions (taken from $I$) in $\pi$ and $\pi'$. In the base case, $\pi$ and $\pi'$ contain only visible structural transitions, and $\pi \sim_I \pi'$ implies $\pi = \pi'$ since Petri nets are deterministic. Hence, $\pi$ and $\pi'$ are stutter equivalent under $L$.
For the induction step, we take as hypothesis that, for all initial paths $\pi$ and $\pi'$ that together contain at most $k$ invisible structural transitions, $\pi \sim_I \pi'$ implies that $\pi$ and $\pi'$ are stutter equivalent under $L$. Let $\pi$ and $\pi'$ be two arbitrary initial paths such that $\pi \sim_I \pi'$ and the total number of invisible structural transitions contained in $\pi$ and $\pi'$ is $k$. We consider the case where an invisible structural transition is introduced in $\pi'$; the other case is symmetric. Let $\pi' = \sigma_1 \sigma_2$ for some $\sigma_1$ and $\sigma_2$. Let $t \in I$ be some invisible structural transition and $\pi'' = \sigma_1 t \sigma_2'$ such that $\sigma_2$ and $\sigma_2'$ contain the same sequence of structural transitions. Clearly, we have $\pi' \sim_I \pi''$. Here, we can apply our original assumption (†) to conclude that $\sigma_2$ and $t\sigma_2'$ are stutter equivalent, i.e., the extra stuttering step $t$ does not affect the labelling of the remainder of $\pi''$. Hence, $\pi'$ and $\pi''$ are stutter equivalent under $L$ and, with the induction hypothesis, so are $\pi$ and $\pi''$. Note that $\pi$ and $\pi''$ together contain $k + 1$ invisible structural transitions.
In case $\pi$ and $\pi'$ together contain an infinite number of invisible structural transitions, the fact that $\pi \sim_I \pi'$ implies stutter equivalence of $\pi$ and $\pi'$ under $L$ follows from the fact that the same holds for all finite prefixes of $\pi$ and $\pi'$ that are related by $\sim_I$.
The following theorems each focus on a class of atomic propositions and show which notion of invisibility is required for the LSTS of a Petri net to be labelled consistently.
In the proofs, we use a function $d_t$, defined as $d_t(p) = W(t, p) - W(p, t)$ for all places $p$, which indicates how structural transition $t$ changes the state. Furthermore, we also consider functions of type $P \to \mathbb{N}$ as vectors of type $\mathbb{N}^{|P|}$. This allows us to compute the pairwise addition of a marking $m$ with $d_t$ ($m + d_t$) and to indicate that $t$ does not change the marking ($d_t = 0$).
Theorem 7.6. Under reach value invisibility, the LSTS underlying a Petri net is labelled consistently for linear propositions, i.e., $\sim^r_v$ is consistent with stutter equivalence for linear propositions.
It follows from Theorems 7.10 and 7.11 and transitivity of ⊆ that Theorems 7.6, 7.8 and 7.9 cannot be strengthened further. In terms of Figure 11, this means that the dotted arrows cannot be moved downward in the lattice of weak equivalences and cannot be moved upward in the lattice of stutter equivalences. The implications of these findings on related work will be discussed in the next section.

Related Work
There are many works in the literature that apply stubborn sets. We will consider several works that aim to preserve LTL −X and discuss whether they are correct when it comes to the inconsistent labelling problem. Furthermore, we also identify several unrelated issues.
Liebke and Wolf [LW19] present an approach for efficient CTL model checking on Petri nets. For some formulas, they can reduce CTL model checking to LTL model checking, which allows greater reductions under POR. They rely on the incorrect LTL preservation theorem, and since they apply the techniques on Petri nets with ordinary invisibility, their theory is incorrect (Theorem 7.10). Similarly, the overview of stubborn set theory presented by Valmari and Hansen in [VH17] applies reach invisibility and does not necessarily preserve LTL$_{-X}$. Varpaaniemi [Var05] also applies stubborn sets to Petri nets, but relies on a visibility notion that is stronger than strong invisibility. The correctness of these results is thus not affected (Theorem 7.9).
A generic implementation of weak stubborn sets for the LTSmin model checker is proposed by Laarman et al. [LPvdPH16]. They use abstract concepts such as guards and transition groups to implement POR in a way that is agnostic of the input language. The theory they present includes condition D1, which is too weak and thus incorrect, but the accompanying implementation follows the framework of Section 5.2, and thus it is correct by Theorems 5.2 and 5.3. The implementations proposed in [VH17, Wol18] are similar, albeit specific for Petri nets. Several works [GRHRW15, HLL+14] perform action-based model checking and thus strive to preserve weak trace equivalence or inclusion. As such, they do not suffer from the problem discussed here, which applies only to state labels. Other recent work [DL16] relies on ample sets, and is thus not affected, or only considers safety properties [Laa18].
Although Beneš et al. [BBČ+09, BBB+11] rely on ample sets, and not on stubborn sets, they also discuss weak trace equivalence and stutter-trace equivalence. In fact, they present an equivalence relation for traces that is a combination of weak and stutter equivalence. The paper includes a theorem that weak equivalence implies their new state/event equivalence [BBB+11, Theorem 6.5]. However, the counter-example in Figure 12a shows that this consistent labelling theorem does not hold. Here, the action $\tau$ is invisible, and the two paths in this transition system are thus weakly equivalent. However, they are not stutter equivalent, which is a special case of state/event equivalence. Although the main POR correctness result [BBB+11, Corollary 6.6] builds on the incorrect consistent labelling theorem, its correctness does not appear to be affected. An alternative proof can be constructed based on the reasoning presented in Section 5.1.
Bønneland et al. [BJLM19] apply stubborn-set based POR to two-player Petri nets, and their reachability semantics expressed as a reachability game. Since their approach only concerns reachability, it is not affected by the inconsistent labelling problem (see Section 6). Unfortunately, their POR theory is nevertheless unsound, contrary to what is claimed in [BJLM19, Theorem 17]. In reachability games, player 1 tries to reach one of the goal states, while player 2 tries to avoid them. Bønneland et al. propose a condition R that guarantees that all goal states in the full game are also reachable in the reduced game. However, the reverse is not guaranteed: paths that do not contain a goal state are not necessarily preserved, essentially endowing player 1 with more power. Consider the (solitaire) reachability game depicted in Figure 12b, in which all edges belong to player 2 and the only goal state is indicated with grey. Player 2 wins the non-reduced game by avoiding the goal state via the edges labelled with $a$ and then $b$. However, $\{b\}$ is a stubborn set (according to the conditions of [BJLM19]) in the initial state, and the dashed transitions are thus eliminated in the reduced game. Hence, player 2 is forced to move the token to the goal state and player 1 wins in the reduced game. In the meantime, the authors of [BJLM19] have confirmed and resolved the issue in [BJL+21].
The current work is not the first to point out mistakes in POR theory. In [Sie19], Siegel presents a flaw in an algorithm that combines POR with ample sets and on-the-fly model checking [Pel96]. In that setting, POR is applied on the product of an LSTS and a Büchi automaton. We briefly sketch the issue here. Let $q$ be a state of the LSTS and $s$ a state of the Büchi automaton. While investigating a transition $(q, s) \xrightarrow{a} (q', s')$, condition C3, which, like condition L, aims to solve the action ignoring problem, incorrectly sets $r(q, s') = enabled(q)$ instead of $r(q, s) = enabled(q)$. The issue is repaired by setting $r(q, s) = enabled(q)$, but only for a certain subclass of Büchi automata. The setting considered by Laarman and Wijs [LW14] is similar: they discuss how to apply stubborn sets during parallel nested depth-first search in the product of an LSTS and a Büchi automaton. Both the correctness argument and the implementation are based on [LPvdPH16], and thus, by the discussion above, incorrect in theory, but correct in practice.

Conclusion
We discussed the inconsistent labelling problem for preservation of stutter-trace equivalence with stubborn sets. The issue is relatively easy to repair by strengthening condition D1. For Petri nets, altering the definition of invisibility can also resolve inconsistent labelling depending on the type of atomic propositions. The impact on applications presented in related works seems to be limited: the problem is typically mitigated in the implementation, since it is very hard to compute D1 exactly. This is also a possible explanation for why the inconsistent labelling problem has not been noticed for so many years.
Since this is not the first error found in POR theory [Sie19], a more rigorous approach to proving its correctness, e.g. using proof assistants, would provide more confidence.