Stubborn Sets, Frozen Actions, and Fair Testing

Many partial order methods use some special condition for ensuring that the analysis is not terminated prematurely. In the case of stubborn set methods for safety properties, implementation of the condition is usually based on recognizing the terminal strong components of the reduced state space and, if necessary, expanding the stubborn sets used in their roots. In an earlier study it was pointed out that if the system may execute a cycle consisting of only invisible actions and that cycle is concurrent with the rest of the system in a non-obvious way, then the method may be fooled to construct all states of the full parallel composition. This problem is solved in this study by a method that “freezes” the actions in the cycle. The new method also preserves fair testing equivalence, making it usable for the verification of many progress properties.


Introduction
Ample set [1,2,3], persistent set [4,5], and stubborn set [6,7] methods, or aps set methods in brief, alleviate state explosion by only firing a subset of enabled actions in each constructed state. Statically 4 A. Valmari, W. Vogler / Stubborn Sets, Frozen Actions, and Fair Testing informally explains the intuition behind stubborn sets in general, not yet using frozen actions. In Section 3, the stubborn set method in the presence of frozen actions is developed up to but not including conditions for solving the ignoring problem. The history, intuition, advantages, and disadvantages of such conditions for safety properties is discussed with many examples in Section 4. Also the version used in the present study is presented. It is called SF. Section 5 consists of the proofs that the new conditions guarantee that trace quivalence and fair testing equivalence are preserved.
The validity of SF is ensured by constructing the reduced state space in a certain order and investigating its terminal strong components. An algorithm for this is presented and proven correct in Section 6. Freezing of actions takes place in this algorithm. Section 7 is dedicated to the proof that frozen actions have the properties that we claim they have. Until Section 8, stubborn and warm sets have only been referred to via abstract conditions. This section presents and proves correct an algorithm that constructs sets with the promised properties. The algorithm is old, but has been adapted to the presence of frozen actions. The conclusions are in Section 9.
Frozen actions resemble the div-sets in [16], but also have important differences. In [16], the goal was to improve the performance when preserving divergenge traces (a notion relevant to liveness errors), and actions could be explicitly thawed when creating new states. The present study deals with safety properties and does not explicitly thaw actions when creating new states. (In both [16] and the present study, implicit thawing is possible in the following sense: action a is frozen in state s, and firing some other action in s leads to a state s ′ that has been constructed earlier and where a is not frozen.) This study is based on [17], but is rather a new study than a variant of [17]. This is obvious already by comparing their lengths. In [17], the proofs were sketchy, the result only applied to trace equivalence, and nondeterministic actions were dealt with using an inelegant trick that was designed directly for the formalism in Section 8. This study presents detailed proofs, extends the result to fair testing equivalence, treats nondeterministic actions as first-class citizens, and presents many examples that illustrate the problems in earlier methods that motivated and were solved by the present study.

Background
Throughout most of this study, we will only need the following notions to describe systems under model checking: visible actions, invisible actions, and state space. Formal definitions will be presented below, but let us first discuss the intuition.
An action is the name of a transition. Visible actions are those actions that are directly relevant for the property under verification. For instance, in the case of mutual exclusion, there may be four visible actions: enter 1 , leave 1 , enter 2 , and leave 2 , denoting entering and leaving the critical section by clients 1 and 2. A trace is the sequence of visible actions arising from a finite (not necessarily complete) execution. (This notion is not the same as Mazurkiewicz traces [22].) We expect all traces of the mutual exclusion system to be prefixes of sequences of the form (enter 1 leave 1 | enter 2 leave 2 ) * . In particular, if the system has a trace ending with enter 1 enter 2 or enter 2 enter 1 , then mutual exclusion is violated. Alternatively, the system may be equipped with an extra piece of code that detects the simultaneous presence of both clients in their critical sections, and then executes a visible action named error. In this case, error may be the only visible action.
Invisible actions are those actions that are not visible. It is customary in process algebras to only use one name τ for invisible actions, but our method will need more names. How to apply our method in the traditional process-algebraic setting will be explained later in this section and in Section 8.
If it is not clear whether an action should be visible or invisible, then it should be declared visible. Having too many visible actions does not endanger the correctness of our method. However, it may be detrimental to reduction results.
Actions, state spaces, and executions. The sets of invisible and visible actions are denoted with I and V , respectively. We have I ∩ V = ∅. The state space is a tuple (S, I, V, ∆,ŝ), where S is the set of states,ŝ ∈ S is the initial state, and ∆ ⊆ S × (I ∪ V ) × S is the set of transitions. It is thus an edge-labelled directed graph with a distinguished stateŝ. We do not assume that all states are reachable fromŝ (in the familiar sense defined below), because usually the set of reachable states is not known before verification. Typically there are variables, program counters, etc., each of which has a set of possible values; and the set of states is the Cartesian product of these sets.
A deadlock is a state that has no outgoing transitions. An action a is enabled in state s if and only if there is s ′ such that (s, a, s ′ ) ∈ ∆; it is disabled otherwise. The set of enabled actions in s is denoted with en(s). Therefore, s is a deadlock if and only if en(s) = ∅.
A state is stable if and only if it has no outgoing transition that is labelled with an invisible action. By s 0 −a 1 → s 1 −a 2 → . . . −a n → s n we mean that for every 1 ≤ i ≤ n, (s i−1 , a i , s i ) ∈ ∆. We call it a path or an execution that starts at s 0 . If we use the word "execution" without mentioning the start state, we mean a path that starts atŝ. We may also use the prefix "finite", if there is risk of confusion with infinite executions. An infinite execution is an infinite path that starts at the given state or the initial state, if the start state is not mentioned. An execution is complete if and only if it is infinite or ends in a deadlock. By s −a 1 · · · a n → s ′ we mean that there are s 0 , . . . , s n such that s = s 0 , s 0 −a 1 → . . . −a n → s n , and s n = s ′ . If there is s ′ such that s −a 1 · · · a n → s ′ , we may also write s −a 1 · · · a n →. Infinite paths are denoted with s 0 −a 1 → s 1 −a 2 → . . . or s 0 −a 1 a 2 · · · →.
By |σ| we denote the length of the string σ. The empty string is denoted with ε, that is, |ε| = 0. Therefore, for every state s we have s −ε→ s. To avoid confusion, we declare ε / ∈ I ∪ V . An action a is deterministic if and only if for all states s, s 1 , and s 2 such that s −a→ s 1 and s −a→ s 2 we have s 1 = s 2 . The assumption that all actions are deterministic would simplify the present study a lot. However, we will not make that assumption, because typically it does not hold in process algebras.
State s is reachable from s ′′ if and only if there is a finite path that starts at s ′′ and ends at s. State s is reachable if and only if it is reachable fromŝ. Transition s −a→ s ′ is reachable (from s ′′ ) if and only if s is. Occurrence of a is reachable (from s ′′ ) if and only if some s is reachable (from s ′′ ) such that s −a→. The reachable part of the state space (S, I, V, ∆,ŝ) is (S ′ , I, V, ∆ ′ ,ŝ), where S ′ and ∆ ′ are the sets of the reachable states and reachable transitions. Usually it is not explicitly known before verification. Instead,ŝ is explicitly known and there is a rule that, given an explicitly known state s and an action a, produces all s ′ such that s −a→ s ′ . (The " || " later in this section is an example.) The reachable part can be constructed by letting initially S ′ = {ŝ} and ∆ ′ = ∅. A reachable state s ∈ S ′ is expanded by finding all a and s ′ such that s −a→ s ′ , inserting the triples (s, a, s ′ ) to ∆ ′ , and inserting those of their s ′ to S ′ that are not already there. The algorithm expands once each state that is inserted to S ′ . To do so, it keeps track of the states that have been inserted to S ′ but not yet expanded. The state s is the parent of s ′ , if and only if s ′ was first found by firing a transition s −a→ s ′ .
A strong component of a directed graph is a maximal set of vertices such that for any two vertices u and v in the set, v is reachable from u. (Then also u is reachable from v.) Strong components constitute a partitioning of the set of vertices. A strong component C is terminal if and only if for any u ∈ C and any v that is reachable from u, also v ∈ C.
Parallel state spaces. Stubborn set ideas are not strictly tied to any particular formalism, but, to present examples, it is useful to have some formalism. We consider systems of the form L 1 || · · · ||L N , where L 1 , . . . , L N are state spaces (S i , I i , V i , ∆ i ,ŝ i ). To keep it clear whether an action is visible or invisible, we assume that for every 1 ≤ i ≤ N and 1 ≤ j ≤ N , I i ∩ V j = ∅. The states of the system are of the form s = (s 1 , . . . , s N ). The system executes an action a such that every L i that has a ∈ I i ∪ V i executes a, and the remaining L i stand still. More formally, we define L 1 || · · · || L N as the reachable part of (S, I, V, ∆,ŝ), where S = S 1 × · · · × S N , We adopt the convention that if an action does not appear in a drawing representing L i , then, unless otherwise mentioned, it is not in I i ∪ V i . Furthermore, in drawings, unless otherwise mentioned, a and b are visible; and u, v, and so on are invisible.
The formalism is, in essence, the same as parallel composition of labelled transition systems in process algebras, with different notation for invisible actions. To make the reading of examples easier, we adopt the convention that τ i denotes an invisible action executed solely by L i , that is, τ i ∈ I i and τ i / ∈ I j when j = i. This makes every τ i behave similarly to the τ in process algebras, the only difference being notational: the subscript records the component that executed the τ . Furthermore, we may write (L 1 || · · · || L N ) \ H, where H lists the remaining invisible actions, that is, H = (I 1 ∪ · · · ∪ I N ) \ {τ 1 , . . . , τ N }. Then "\H" can be thought of as the familiar hiding operator in process algebras. For more details on this formalism, please see [14,16,15,10].
Although stubborn set theory does not rely on the notion of concurrent actions, such a notion is useful in examples and when discussing the intuition. Therefore, we define that a and b are concurrent if and only if {a, b} Stubborn set basics. What is explained in this subsection, applies to traditional stubborn set methods. The new idea of frozen actions of the present study will make things more complicated.
Reachable parts of state spaces are often huge. Stubborn set methods compute a reduced state space (S r , I, V, ∆ r ,ŝ) similarly to the computation of the reachable part, but only expand a subset of actions in each state. That is, in each found state s ∈ S r , a stubborn set stubb(s) ⊆ I ∪ V is computed, and only the transitions s −a→ s ′ and their end states s ′ are inserted to ∆ r and S r that have a ∈ stubb(s). For convenience, we use the prefix r-or the subscript r to indicate that an entity belongs to the reduced state space. For instance, an r-path is a path in the reduced state space. Obviously en r (s) ⊆ en(s) but not necessarily vice versa, and every r-path is a path but not necessarily vice versa. We have en r (s) = en(s) ∩ stubb(s). By definition, V r = V , I r = I, andŝ r =ŝ.
The goal is to obtain a smaller state space that can be used for the verification of certain classes of properties. More precisely, the reduced state space contains a counter-example to the property if and only if also the reachable part contains one. In the present study we deal with stuttering-insensitive safety properties. A safety property is a property whose counter-examples can always be expressed in terms of finite executions. Stuttering-insensivity means that the number of invisible actions before the first, after the last, and between any two visible actions does not matter. Most, if not all, properties of interest in verification are stuttering-insensitive.
Stubborn set methods exploit the fact that if a and b are concurrent and both are enabled, then they can be executed in either order and the result is the same. Assume that the goal is to check whether from every reachable state, an occurrence of a is reachable. Consider τ 1 a || τ 2 a . It executes first τ 1 or τ 2 . Then it executes the other one of τ 1 and τ 2 , and then a forever. Typical stubborn set methods fire either only τ 1 or only τ 2 in its initial state, saving one state and two transitions. The above-mentioned property holds both on the full and on the reduced state space. With τ 1 a || τ 2 a , similar saving is obtained. In this case, the property fails on both state spaces, because the system deadlocks. Now consider τ 1 || a . Letŝ denote its initial state. Because τ 1 and a are concurrent, the set {τ 1 } is treated as stubborn by most stubborn set methods. The choice stubb(ŝ) = {τ 1 } constructs the r-transitionŝ −τ 1 → rŝ , after which all encountered states have been investigated. If the analysis stops here, then a was never fired and the property fails on the reduced state space, although it holds on the full state space. This is known as the ignoring problem [13,18]. To solve it, many stubborn set methods have a special requirement, with names such as "cycle condition" and "terminal strong component condition". We will discuss this issue extensively in Section 4. For that purpose, let tsr-component stand for "terminal strong component in the reduced state space".
Trace and fair testing equivalences. If α is a string and A is a set, then let α − A denote the result of the removal of all elements of A from α. That is, ε − A = ε; and if a 1 · · · a n − A = σ, then aa 1 · · · a n − A = σ if a ∈ A and aσ if a / ∈ A. The trace of a finite sequence of actions a 1 · · · a n is a 1 · · · a n − I, that is, it is obtained by removing the invisible actions. By s =σ⇒ s ′ we mean that there is ρ such that σ is its trace (that is, σ = ρ − I) and s −ρ→ s ′ . The notation s =σ⇒ denotes that there is some s ′ such that s =σ⇒ s ′ . A sequence σ is a trace of state s if and only if s =σ⇒. The set of traces of a state space L is Tr(L) = {σ |ŝ =σ⇒} .
Two state spaces L 1 = (S 1 , I 1 , V 1 , ∆ 1 ,ŝ 1 ) and L 2 = (S 2 , I 2 , V 2 , ∆ 2 ,ŝ 2 ) are trace equivalent if and only if V 1 = V 2 and Tr(L 1 ) = Tr(L 2 ). The reason for the condition V 1 = V 2 is the fact that the set of visible actions plays an important role in the definition of refusals and tree failures presented later in this subsection. Trace equivalence only depends on the reachable parts of the state spaces. To verify a stuttering-insensitive safety property it suffices to know the set of traces of the system. This means that if the reduced state space is trace equivalent to the full state space, then it can be used in the verification of all stuttering-insensitive safety properties. Of course, this nice fact is subject to choosing the set of visible actions so that the property can be expressed in terms of them. The set of stuttering-insensitive safety properties covers a very big class of properties, but also suffers from one serious drawback: it does not suffice for verifying that the system does something good, it only suffices for verifying that the system does not do anything bad. Indeed, a system that never executes any visible actions has {ε} as its set of traces, and, therefore, violates no non-trivial safety property. (It does violate the property that says that the system must not have the trace ε, but this is a useless property, because every system violates it.) Fortunately, the method developed in this study preserves also so-called fair testing equivalence [8,9] -as a welcome side-effect. This implies that it preserves properties of the form "in all futures always, there is a future where eventually a occurs". As a matter of fact, fair testing equivalence is the coarsest equivalence that preserves this property and has the property that if a sub-system is replaced by a fair testing equivalent one, then the system as a whole remains fair testing equivalent [9]. Being the coarsest means having the biggest possible equivalence classes and thus maximizing the possibilities of reducing the state space. This is an advantage in compositional approaches to verification.
Fair testing equivalence can also be thought of as preserving progress properties under the assumption that for every state s that is encountered infinitely many times in an infinite execution, every outgoing transition of s is taken infinitely many times in the execution. Intuitively this means that if we are happy with the assumption that in every choice situation that repeats infinitely often, every possibility is eventually tried, then a full range of stuttering-insensitive progress properties can be verified with our method. This is a somewhat weaker notion of progress than traditionally used in linear temporal logic [23], but is easier to use because the user need not formulate any so-called weak or strong fairness assumptions. Definitely it is much better than no progress verification at all.
The downside is that the definition of fair testing equivalence is complicated. A state s refuses a sequence σ of visible actions if and only if s does not have σ as a trace. A state s refuses K ⊆ V * if and only if s refuses every element of K. The sequence ε cannot be refused, but the set ∅ can. A tree failure is a pair (σ, K) ∈ V * × 2 V * such that there is s for whichŝ =σ⇒ s and s refuses K. If K ⊆ V * and π ∈ V * , we define π −1 K = {ρ | πρ ∈ K}. We say that π is a prefix of K if and only if π −1 K = ∅. Two systems L 1 and L 2 are fair testing equivalent if and only if the following hold: 2. For every tree failure (σ, K) of L 1 , either (σ, K) is also a tree failure of L 2 , or there is a prefix π of K such that (σπ, π −1 K) is a tree failure of L 2 .
3. For every tree failure (σ, K) of L 2 , either (σ, K) is also a tree failure of L 1 , or there is a prefix π of K such that (σπ, π −1 K) is a tree failure of L 1 .
If K = ∅, then (σ, K) can be represented in the form (σπ, π −1 K) where π is a prefix of K, by choosing π = ε. However, this does not work if K = ∅, because then ε is not a prefix of K. This is why parts 2 and 3 have the either-part. A system has the trace σ if and only if (σ, ∅) is its tree failure. As a consequence, fair testing equivalence implies trace equivalence.

Local Conditions
Intuition of earlier methods. To understand the motivation of the definitions later in this section, let us first discuss the intuition behind earlier stubborn set methods for trace equivalence, fair testing equivalence, and, indeed, most stubborn set methods.
Assume that s 0 ∈ S r and s 0 =σ⇒. We want s 0 =σ⇒ r . If σ = ε, then obviously s 0 =σ⇒ r s 0 . From now on we assume σ = ε. There is a path s 0 −a 1 → s 1 −a 2 → . . . −a n → s n such that n > 0 and σ = a 1 · · · a n − I. Because we do not want to construct the full state space, we might have a 1 / ∈ en r (s 0 ). Earlier stubborn set methods deal with this problem with the following strategy. The cases have been numbered in reverse order, to match the numbering of conditions that will be presented later.
2. The set en r (s 0 ) may contain an invisible action a that is concurrent with a 1 , . . . , a n or commutes with them for some other reason (for instance, a 1 may read from and a write to a fifo that is neither empty nor full in s 0 , and they do not access other variables in common). Then there are s ′ 0 and s ′ n such that s 0 −a→ s ′ 0 , s n −a→ s ′ n , and s ′ 0 −a 1 · · · a n → s ′ n . We have s 0 =ε⇒ r s ′ 0 =σ⇒ s ′ n and s n =ε⇒ s ′ n . So we have constructed an invisible transition in the reduced state space such that after it, the counter-example is still available. If the stubborn set method can guarantee s ′ 0 =σ⇒ r (which it can), then we get s 0 =σ⇒ r . However, the path s ′ 0 −a 1 · · · a n → s ′ n is of the same length as the original path s 0 −a 1 · · · a n → s n , so we are not any closer to the goal than we were originally.
1. Stubborn set construction algorithms are designed so that if (but not necessarily only if) the previous case does not apply, then for some 1 ≤ i ≤ n, a i ∈ en r (s 0 ) and a i commutes with a 1 , . . . , a i−1 . (How this is obtained will be discussed in Section 8.) In this case there is s ′ 0 such that s 0 −a i → r s ′ 0 −a 1 · · · a i−1 → s i −a i+1 · · · a n → s n . If a i ∈ I, then s 0 =ε⇒ r s ′ 0 =σ⇒ s n . Stubborn set construction algorithms may be designed to also guarantee that if a i ∈ V , then a 1 , . . . , a i−1 are invisible. Then s 0 =a i ⇒ r s ′ 0 =ε⇒ s i =ρ⇒ s n , where ρ is the string such that σ = a i ρ. So in both cases we would get s 0 =σ⇒ r , if we could guarantee s ′ 0 =σ ′ ⇒ r , where σ ′ = σ if a i ∈ I and σ ′ = ρ otherwise. What is more, the path that yields s ′ 0 =σ ′ ⇒ is shorter than the original path s 0 −a 1 · · · a n →. We say that this case consumed a i .
That is, in each r-state, either case 1 or case 2 is available. Case 2 brings us neither closer to nor further from the goal s 0 =σ⇒ r , while case 1 brings us closer to it. As a consequence, if we somehow ensure that case 1 always eventually applies, we get an induction proof that s 0 =σ⇒ r . Unfortunately, ensuring this is far from trivial. The possibility of having an infinite sequence of case 2 without case 1 is how the ignoring problem that was mentioned in Section 2 emerges in proofs. This problem will be solved in Sections 4 and 6.
To prove that the reduced state space is fair testing equivalent to the full state space, proving just s 0 =σ⇒ r s ′ for some s ′ does not suffice. In the proof, we will also need s n =ε⇒ s ′ . Fortunately, the above construction has this property, because in case 1 s ′ 0 =σ ′ ⇒ s n , and in case 2 s n −a→ s ′ n with a ∈ I.
Frozen actions. In the new stubborn set method of the present study, each r-state s has an associated set frozen(s) of frozen actions. We will define stubborn sets such that for every s ∈ S r , frozen(s) ⊆ stubb(s), and define warm(s) = stubb(s) \ frozen(s). Only the elements in warm(s) are used for constructing transitions in the reduced state space. That is, frozen actions are not taken into account when constructing reduced state spaces. However, the sets stubb(s) and frozen(s) may grow, as will be described in Section 6. (They may not shrink.) If frozen(s) grows, then a new warm(s) is immediately computed, yielding a new stubb(s). Therefore, frozen(s) ⊆ stubb(s) always holds, although the values of stubb(s) and frozen(s) may change. Note that, after they have changed, the reduced state space may contain some transitions s −a→ r s ′ such that a ∈ frozen(s). In such a situation, a was warm at some earlier time. At the end of the construction of the reduced state space, warm(s) ∩ en(s) ⊆ en r (s) ⊆ stubb(s) ∩ en(s) holds for every s ∈ S r .
The set of frozen actions of the initial stateŝ is originally empty. When a new r-state s ′ = s is constructed, it inherits the currently frozen actions of its parent state. However, this does not necessarily imply frozen(s) ⊆ frozen(s ′ ) for every s −a→ r s ′ , because s ′ may have been first found via some other transition or may beŝ, and because frozen(s) may grow afterwards.
We will prove in Section 7 that frozen(s) (both the final one and every earlier version) has the following two properties. As we will see later in detail, they imply that if s ∈ S r and s =σ⇒ s ′ , frozen actions are not needed to obtain an r-path s =σ⇒ r s ′′ such that s ′ =ε⇒ s ′′ . F1 says that for every path that starts at s, there is a path with the same start state and sequence of unfrozen (in s) actions, that has no frozen (in s) actions. Furthermore, the end state of the latter path can be reached from the end state of the former path via frozen (in s) actions. F2 says that frozen visible actions cannot become enabled.
F2 If s ∈ S r , s −a 1 · · · a n → s ′ , and a n ∈ frozen(s), then a n ∈ I.
These conditions were designed so that they can be implemented as will be discussed in Section 6, and that they yield the following lemma.
Lemma 3.1. Assume F1 and F2. If s ∈ S r and s =σ⇒ z, then there is z ′ such that s =σ⇒ z ′ , z =ε⇒ z ′ , and the path that yields s =σ⇒ z ′ contains no actions from frozen(s) and is either shorter than or the same path as the path that yields s =σ⇒ z.

Proof:
If s =σ⇒ z contains no frozen actions, then the claim holds trivially with z ′ = z. Otherwise F1 gives most of the claim. We still have to show that the elements of γ and {a 1 , . . . , a n } \ {b 1 , . . . , b m } are invisible. This follows from F2, because s −a 1 · · · a n → s ′ −γ→.
⊓ ⊔ We say that the actions in frozen(s) were consumed from the action sequence a 1 · · · a n of the path s =σ⇒ z. We now have two notions of consuming actions. They will be used in induction proofs, to demonstrate that excluding the base case of the induction, given a path with certain properties, a shorter path with the mentioned properties exists.
New local stubborn set conditions. Traditional stubborn set methods rely on conditions called D1 and D2 that facilitate reasoning of the kind in cases 1 and 2 of the above strategy. They describe how generalized concurrency and independency relations are exploited. We replace them by slightly more complicated conditions D1F and D2F that take frozen actions into account. There also is a third condition D3F that will be used in the correctness proof of the algorithm that guarantees F1 and F2. The implementation of D1F, D2F, and D3F will be discussed in Section 8. In all of the following conditions, we assume that stubb(s 0 ) ⊆ I ∪ V , a ∈ warm(s 0 ), and a 1 , . . . , a n are not in stubb(s 0 ).
D3F If s 0 −a 1 · · · a n → s n −a→ s ′ n , s 0 −a 1 · · · a n → z n −a→ z ′ n , and s n = z n , then s ′ n = z ′ n .
If all actions are deterministic, then D3F can be forgotten since it holds vacuously, and D1F and D2F can be replaced by much simpler conditions given in the following theorem: • If s 0 −a 1 · · · a n a→ s ′ n , then s 0 −aa 1 · · · a n → s ′ n .
• If s 0 −a 1 · · · a n → s n and s 0 −a→, then s n −a→.

Proof:
Assume the if-part of D2F. For each 0 ≤ i ≤ n, an application of the second condition to s 0 −a 1 · · · a i → s i yields an s ′′ i such that s i −a→ s ′′ i . Then the first condition yields s 0 −aa 1 · · · a i → s ′′ i . Let z n = s ′′ n . An application of the first condition to s 0 −a 1 · · · a n a→ z n yields z 0 , . . . , z n−1 such that Therefore, the then-part of D2F holds. Now assume the if-part of D1F. An application of the first condition to s 0 −a 1 · · · a n a→ s ′ n yields s 0 −a→, returning the situation to the previous case. By determinism, the s ′ n provided by D2F is the same state as the s ′ n assumed by D1F.

⊓ ⊔
The traditional D1 and D2 are obtained by choosing frozen(s 0 ) = ∅ and dropping the requirement s i −a→ s ′ i for 0 < i < n. In Section 7 an example will be presented that illustrates the necessity of this requirement in the presence of frozen actions. That this requirement is needed is not a big drawback, because the previous theorem tells that if all actions are deterministic, then the issue does not make a difference; and the standard approach to constructing stubborn sets of nondeterministic actions (Theorem 8.1) automatically guarantees s i −a→ s ′ i for 0 < i < n. Thomas Neele observed recently that s i −a→ s ′ i for 0 < i < n is also needed when stubborn sets are applied to linear temporal logic [21]. There is a set of atomic propositions and a mapping that, for each state, tells which atomic propositions hold and which do not hold on the state. When moving from a state to the next, zero or more atomic propositions change their truth values. Methods for linear temporal logic aim at preserving the sequences of these changes, except that empty sets of changes play the role of the invisible actions and may be added or removed at will during the reduction. Neele pointed out that if s i −a→ s ′ i for 0 < i < n is not assumed, then the sequence of changes caused by a pair a 1 a 2 of visible actions may depend on whether the pair is executed before or after an invisible action a. He constructed a counter-example together with Valmari.
The distinction between invisible and visible actions is taken care of by a condition that says that if the stubborn set contains an unfrozen enabled visible action, then it must contain all visible actions. [11,12] for why V has potential for better reduction results than the corresponding condition C2 in ample set theory.) All the conditions discussed above are satisfied by the choice warm(s) = ∅ (that is, stubb(s) = frozen(s)). However, using ∅ as warm(ŝ) results in a reduced state space that consists of one state and no transitions. Although it sometimes does preserve trace and fair testing equivalences, usually it does not. We will introduce in Section 4 a condition called SF that solves this problem. We will also discuss another, simpler condition that often but not always obtains the same goal. It is called D0VF.
We will later prove that if V ⊆ stubb(s) and warm(s) ∩ en(s) = ∅, then occurrences of visible actions cannot be reached from s. Therefore, D0VF ensures that either s has outgoing transitions in the reduced state space, or the future of s is certainly irrelevant from the point of view of trace and fair testing equivalences.
We call D0VF, D1F, D2F, D3F, and VF local conditions, because they are of the form ∀s ∈ S r : ϕ(s), where ϕ(s) refers to only one r-state. The condition SF that we will introduce in the next section is not local.
The next lemma says that there always is a set that satisfies these conditions. Proof: D1F, D2F, and D3F hold, because the set from which their a 1 , . . . , a n must be picked is empty, forcing n = 0. The then-part of VF and latter part of D0VF hold trivially.

⊓ ⊔
A subset of the conditions allows us to prove also the following two lemmas. Figure 1. (left) Illustrating Lemma 3.4 and its proof. D2F is applied to s 0 −b 1 → r s 1 and D1F is applied to s i −a i+1,1 · · · a i+1,ni+1 → z ′ i (right) Illustrating Lemma 3.5 and its proof. D1F is applied on top and Lemma 3.1 is applied at bottom. States and transitions on yellow background are in the reduced state space Proof: Let s 0 −a 0,1 · · · a 0,n 0 → z 0 be the path causing s 0 =σ⇒ z 0 . The proof applies induction along the path If i < m, we use the values of warm(s i ) and frozen(s i ) at the time when s i −b i+1 → r s i+1 was constructed, and otherwise we use the final values of warm(s m ) and frozen(s m ).
Otherwise {a i+1,1 , . . . , a i+1,n i+1 } ∩ warm(s i ) = ∅. This happens at the latest when i = m. We let j be the smallest such that a i+1,j ∈ warm(s i ) and choose b = a i+1,j . Then D1F yields an s ′ i such that j, these actions are not in warm(s i ), and we already saw that they are not in frozen(s i ) either. In this case, b ∈ V and bσ ′ = σ. Everything that was promised in the claim has been justified above. ⊓ ⊔ Lemma 3.5. Assume F1, F2, D1F, and D2F. Assume that s ∈ S r , s =ε⇒ z, and z refuses K. Either s r-refuses K, or there are s ′ , z ′ , and a prefix ρ of K such that s =ρ⇒ r s ′ =ε⇒ z ′ , z =ρ⇒ z ′ , and the path that yields s ′ =ε⇒ z ′ is shorter than the path that yields s =ε⇒ z.

Proof:
Let s 0 = s, z 0 = z, and s 0 −a 1 · · · a n → z 0 be the path that yields s =ε⇒ z. If s does not rrefuse K, then there is a κ ∈ K such that s =κ⇒ r . Let s = s 0 −b 1 → r . . . −b m → r s m be the corresponding r-path. We apply D2F along this path for i = 0, i = 1, . . . as long as i < m and {a 1 , . . . , a n } ∩ stubb(s i ) = ∅. D2F is applied to s i −a 1 · · · a n → z i and s i −b i+1 → r s i+1 , and it yields a z i+1 such that s i+1 −a 1 · · · a n → z i+1 and Because some a j is in stubb(s i ) and no a j is in frozen(s i ), some a j is in warm(s i ). An application of D1F using the smallest such j yields an s ′ such that s i −a j → r s ′ =ε⇒ z ′ . This reasoning step consumes a j . If {a 1 , . . . , a n } ∩ frozen(s i ) = ∅, then let s ′ = s i . Lemma 3.1 yields a z ′ such that s i =ε⇒ z ′ and z i =ε⇒ z ′ . This reasoning step consumes at least one frozen action.
In both cases, the path that yields s ′ =ε⇒ z ′ is of length less than n, and the choice ρ = b 1 · · · b i − I gives the claim.

Driving Force
We pointed out in the previous section that a condition is needed that forces the stubborn set method to fire actions whenever it is necessary for verification. Such a condition may be nick-named "driving force". In this section we discuss the properties of various such conditions, including D0VF. Early stubborn set methods contained the condition D0 saying that if s ∈ S r and en(s) = ∅, then stubb(s) ∩ en(s) = ∅. In the presence of frozen actions, the corresponding condition would say that if s ∈ S r and en(s) ⊆ frozen(s), then warm(s) ∩ en(s) = ∅. This condition does, however, force the firing of actions also when it is easy to see that it is unnecessary, making the reduced state space grow. For instance, consider the following system with V = {a}. The last component blocks a and the second last blocks v, so a (and v) cannot ever occur. The algorithms presented in this study detect this and fire nothing in the initial state, resulting in a reduced state space that consists of one state and zero transitions. (In this case, it is a correct reduced state space.) D0, on the other hand, forces something to be fired in the initial state. Because no τ i is concurrent with u, a typical stubborn set implementation that obeys D0 would fire all enabled actions in each r-state, resulting in 2 n states and (n + 2)2 n−1 transitions.
What is worse, although D0 forces firing some action, it does not necessarily force ever firing any action that makes progress towards s =σ⇒ r when s ∈ S r and s =σ⇒. We have already seen an example of this: The conditions that have been presented this far allow choosing stubb(ŝ) = {τ 1 }, resulting in a reduced state space that does not preserve the trace a. This is an instance of the ignoring problem.
These problems could be easily solved by, instead of D0, requiring V ⊆ stubb(s) for every s ∈ S r . In the example above with τ 1 , . . . , τ n , we could choose stubb(ŝ) = {a, v}, and thus fire nothing in the initial state. In general, assume that s =a⇒. We have s −a 1 · · · a n → where a n = a ∈ V and no other a i is in V . By Lemma 3.1 we can assume that none of the a i is in frozen(s). If V ⊆ stubb(s), then a n ∈ warm(s). So there is a smallest 1 ≤ i ≤ n such that a i ∈ warm(s). By D1F, there is s ′ such that s −a i → r s ′ −a 1 · · · a i−1 a i+1 · · · a n →. So, in each r-state, progress towards s =a⇒ r is certainly made.
Unfortunately, this very property makes the reduction results bad. Assume that D1F always applies, that is, assume that for each r-state s and each trace σ of s, there is an r-transition that makes progress towards s =σ⇒ r . Consider where V = {a, b}. In each r-state where τ 1 or a is enabled, the method has to fire τ 1 or a to make progress towards s =a⇒ r , and in each r-state where τ 2 or b is enabled, the method has to fire τ 2 or b to make progress towards s =b⇒ r . This results in constructing the full state space. Therefore, we do not ensure that V ⊆ stubb(s) for every s ∈ S r .
Earlier terminal strong component conditions. The first better solution to the ignoring problem was a method that guarantees that for every s ∈ S r and a ∈ en(s), there are s a and an r-path from s to it such that a ∈ stubb(s a ) [13]. A result resembling Lemma 3.4 or 3.5 was proven that said that if s −ρa→ and we start following the r-path from s to s a , then either D1 applies at some point along the path, consuming an action from ρa; or s a is reached. In the latter case, D1 applies at s a , consuming an action from ρa.
To implement the condition, it suffices to focus on tsr-components, because from every r-state, a tsr-component is reachable. Using Tarjan's algorithm [24] similarly to Section 6, the method guarantees that for every tsr-component C and for every a that is enabled in some state of C, C contains a state s a with a ∈ stubb(s a ). When Tarjan's algorithm has completed a tsr-component C, the method checks whether any a is ignored in C. If a is ignored, then by D2 and D1 it is enabled in every state of C but r-occurs in none of them. To check whether a r-occurs in none of them, it suffices to know C and ∆ r . If a is ignored, the stubborn set of the current state is extended to also contain some ignored action.
The drawback of this solution is that similarly to D0, it may fire obviously unnecessary actions.
An alternative is to guarantee that for every s ∈ S r and a ∈ V , there are s a and an r-path from s to it such that a ∈ stubb(s a ) [14]. This method does not fire obviously unnecessary actions in the same sense as the method in [13]. If the tsr-component happens to contain an r-occurrence s −a→ r of a visible action a, then by V, V ⊆ stubb(s). So the remaining problem is, what to do with tsrcomponents that do not contain r-occurrences of visible actions. A technically simple possibility is to choose one state s in it and ensure V ⊆ stubb(s). Requiring V ⊆ stubb(s) for one r-state in each tsr-component is much better than requiring it for every s ∈ S r , but, even if |V | = 1, it still Figure 2. An example where the methods in both [13] and [14] yield unnecessarily bad reduction; V = {a} sometimes fires concurrent actions in the same state, while the method in [13] fires them in different states, yielding better reduction. Figure 2 shows an example. In it, to enable a, it is necessary and sufficient to fire either u ′ or v ′ . Synchronization has been designed so that u ′ and v ′ cannot ever occur. We assume below that the algorithm for constructing stubborn sets is good but not miraculous; for instance, the one in Section 8 would do. The methods in both [13] and [14] would first fire, for instance, the cycleŝ −uuvvw→ rŝ . Then the method in [13] would detect that en(ŝ) = {u, v, τ 6 } and both u and v occur in the cycle, but τ 6 does not. So it would fire τ 6 inŝ. In the resulting state it would either fire τ 6 again, leading back tô s; or fire u or v, constructing even more r-states. In the former case, it would terminate, because now the reduced state space consists of precisely one tsr-component; both u, v, and τ 6 r-occur in it; and no other actions are enabled inŝ.
A good implementation of the method in [14] would never fire τ 6 . On the other hand, because no visible action occurs in the cycleŝ −uuvvw→ rŝ , it would try to ensure that a ∈ stubb(ŝ). Most stubborn set algorithms would not realize that u ′ and v ′ are permanently disabled. Therefore, they would put also u ′ and v ′ into stubb(ŝ). Then they would put u into stubb(ŝ), because u ′ is disabled by the second component, and this fact will remain valid until the second component executes u. They would put also v into stubb(ŝ), because v ′ is disabled by the fourth component, and this fact will remain valid until the fourth component executes v. So they would fire both u and v inŝ.
Two decades later, the good reduction properties of the above solutions were combined by introducing a complicated method that in one state of the tsr-component chooses a set of enabled actions such that each of them should be fired in some state of the tsr-component, but the states need not be the same [11,12]. In the case of Fig. 2, this method would choose {u, v} inŝ, construct (for instance) s −uuvvw→ rŝ , detect that both u and v occur in it, and terminate.
All visible or at least one enabled. Recently it turned out that a simple condition solves the ignoring problem in many, although not all, cases [10,16]. This condition is what D0VF reduces to in the absence of frozen actions. The next theorem characterizes a subset of systems such that D0VF suffices to guarantee that all traces are preserved. The theorem can replace Lemma 5.1 in the next section, yielding a proof that also fair testing equivalence is preserved.
Theorem 4.1. Assume that D0VF, D1F, D2F, VF, F1, and F2 are obeyed. At the end of the construction of the reduced state space, if s is an r-state, z is stable, and s =σ⇒ z, then there is an r-path s =σ⇒ r s ′ that is at most as long as the path that yields s =σ⇒ z. Furthermore, s ′ is r-stable and s ′ =ε⇒ z.

Proof:
Consider all paths of the form s −b 1 · · · b m → r s ′ −a 1 · · · a n → z, where the trace of b 1 · · · b m a 1 · · · a n is σ and m + n is at most the length of the path that yields s =σ⇒ z. At least one such path exists, because we may choose m = 0. We prove that any such path with a minimal n has the promised properties.
To prove that none of the a i is in frozen(s ′ ), we apply Lemma 3.1. It provides a z ′ such that s ′ =ρ⇒ z ′ and z =ε⇒ z ′ , where ρ is the trace of a 1 · · · a n . Because z is stable we have z ′ = z. If any of the a i is in frozen(s ′ ), then the path s ′ =ρ⇒ z ′ is of smaller length than n, contradicting the choice of n.
If any a i is in warm(s ′ ), then D1F is applicable to the first such a i , yielding an s ′′ such that s ′ −a i → r s ′′ −a 1 · · · a i−1 a i+1 · · · a n → z. The trace is not changed because of the following. If a i ∈ I, this is obvious. If a i ∈ V , then V ⊆ stubb(s ′ ) by VF; so a 1 , . . . , a i−1 are not in V since they are not in stubb(s ′ ) by the choice of i. Also this contradicts the choice of n.
So none of the a i is in stubb(s ′ ). If s ′ is not r-stable, then there is an a ∈ I such that s ′ −a→ r . When that transition was constructed, D2F yielded z −a→ r , contradicting the stability of z. So s ′ is r-stable.
Therefore, if s ′ −a→ r , then a ∈ V . By VF V ⊆ stubb(s ′ ) held when that transition was constructed, after which stubb(s ′ ) has not shrunk. If s ′ has no outgoing r-transitions, then V ⊆ stubb(s ′ ) by D0VF.
Because V ⊆ stubb(s ′ ) and none of the a i is in it, the a i are invisible. As a consequence, the trace of a 1 · · · a n is ε and the trace of b 1 · · · b m is σ.
⊓ ⊔ This means that every trace leading to a stable state is preserved, even if the simple condition D0VF is used instead of the complicated tsr-component conditions discussed above. That is, if the system has the property that from every reachable state, a stable state is reachable, then the complicated conditions are not needed. Furthermore, thanks to the following theorem, the user need not know in advance that the system has this property.
Theorem 4.2. Assume that D0VF, D1F, D2F, VF, F1, and F2 are obeyed. At the end of the construction of the reduced state space, if s is an r-state and has the trace σ in the full but not in the reduced state space, then some prefix of σ that s has in the reduced state space leads to an r-state s ′ such that all r-states that are r-reachable from s ′ are r-unstable and have no visible outgoing r-transitions.

Proof:
There are s ′ ∈ S r and some prefix ρa of σ such that s =ρ⇒ r s ′ =a⇒ but not s ′ =a⇒ r . We choose s ′ such that the path s ′ −a 1 · · · a n → that yields s ′ =a⇒ is as short as possible. So a n = a. None of the a j is in frozen(s ′ ), because otherwise Lemma 3.1 would provide a shorter path. None of the a j is in warm(s ′ ), because otherwise, using the smallest possible value of j, D1F would provide either s ′ −a n → r , yielding s ′ =a⇒ r ; or s ′ −a j → r z =a⇒, where z =a⇒ arises from a shorter path than s ′ =a⇒. So no a j is in stubb(s ′ ). Because a n = a ∈ V , we have V ⊆ stubb(s ′ ). From it D0VF implies that warm(s ′ ) ∩ en(s ′ ) = ∅ and VF implies that warm(s ′ ) ∩ en(s ′ ) ∩ V = ∅. So s ′ has outgoing r-transitions, but none of them is labelled with a visible action. Let s ′ −b→ r s ′′ be any of them. An application of D2F to it yields s ′′ −a 1 · · · a n →, that is, an as short as possible path that yields s ′′ =a⇒. Clearly s =ρ⇒ r s ′′ . Therefore, the reasoning applies also to s ′′ and, by induction, to every r-state that is r-reachable from s ′ .

⊓ ⊔
As a consequence, if the reduced state space obeys D0VF, D1F, D2F, VF, F1, and F2, then either the trace and fair testing equivalences are preserved, or the reduced state space exhibits pathological behaviour: it contains a state from which neither a stable state nor any visible activity is reachable. This pathological property can be detected from the reduced state space with well-known linear-time algorithms, by performing a graph search using the edges in reverse and using the deadlocks and tail states of visible transitions as the starting points.
That the reduced state space has this property does not prove that traces are lost. However, by Theorem 4.1, it does prove that the original system cannot reach a stable state from the states in question. If this is considered as sufficient reason for declaring the original system incorrect, then the freezing technique presented in this study is not needed. Instead, the easily implementable conditions D0V, D1, D2, and V suffice. (The proofs of Theorems 4.1 and 4.2 do not use the property that D1F and D2F with empty frozen sets add to D1 and D2, that is, s i −a→ s ′ i holds also when 1 ≤ i < n.) A nasty example. We may, however, want to preserve the traces even when the system can no longer reach a stable state. Then, assuming that actions are never frozen, we run the risk of the problem that is illustrated with Fig. 3. The actions u and τ 2 are invisible. Originally only b is enabled, then only τ 2 , and then only u and τ 2 . After firing s 2 −τ 2 → r s 12 −τ 2 → r s 1 , the algorithm backtracks to s 2 . After firing s 2 −u→ r s 3 , the τ 2 -cycle of L 2 and the aa-sequence of L 4 are concurrent, and b and u are permanently disabled. Assume that in s 3 , the construction of stubborn sets is started with a. Because a is enabled and visible, VF forces to also take b into warm(s 3 ), if a is taken. However, b is disabled because of L 2 . If the stubborn set construction algorithm is good enough, it detects that b is permanently disabled, chooses stubb(s 3 ) = {a, b}, and only fires a in s 3 . However, detecting that an action is permanently disabled is PSPACE-hard in general. So it is not realistic to assume that a stubborn set construction algorithm can always detect that an action is permanently disabled. For the sake of an example, we assume that the algorithm in Section 8 is used without any advanced features. It fails to detect that b is permanently disabled.
Because b is disabled by L 2 and only by it, the algorithm in Section 8 focuses on what L 2 can do next, that is, τ 2 . Because τ 2 is enabled, invisible, not synchronized to by any other component, and its start state has no other outgoing transitions, {τ 2 } qualifies as warm(s 3 ). Also {a, b, τ 2 } qualifies as warm(s 3 ), but {τ 2 } has fewer enabled actions, so the algorithm chooses warm(s 3 ) = {τ 2 }. That is, the method constructs the r-transition s 3 −τ 2 → r s 4 . In the resulting state s 4 the situation is similar to s 3 , so the r-transition s 4 −τ 2 → r s 5 is constructed.
The situation is only slightly more complicated in s 5 . Because u is an alternative for τ 2 , the algorithm takes also u into stubb(s 5 ). The algorithm detects that u is disabled by L 3 which is in a deadlock, so it does not continue analysis further from u. Thus the method constructs (only) the r-transition s 5 −τ 2 → r s 3 . In conclusion, the cycle s 3 −τ 2 → r s 4 −τ 2 → r s 5 −τ 2 → r s 3 is constructed.
At this point, simple methods backtrack from s 5 , s 4 , and s 3 , losing the traces ba and baa. In agreement with Theorem 4.1, every state that is reachable from s 3 (that is, s 3 , . . . , s 11 ) is unstable. In harmony with Theorem 4.2, every r-state that is r-reachable from s 3 (that is, s 3 , s 4 , and s 5 ) is unstable and no occurrences of visible actions are r-reachable from s 3 .
Instead of giving up in s 3 , earlier methods based on tsr-components fire a in it, constructing s 3 −a→ r s 6 . The same behaviour repeats in s 6 and finally in s 9 (except that a is found disabled in s 9 ). The method constructed all states of the full state space, although the τ 2 τ 2 τ 2 -cycle and aasequence are concurrent.
In conclusion, recovery based on tsr-components is actually seldom needed, but when it is needed, then the method is likely to fire the same unnecessary actions again and again (in this case τ 2 ), making the reduced state space grow. The idea of frozen actions was introduced to fix this problem [17]. That publication made the idea work for deterministic actions. Furthermore, because of lack of space, the proofs were sketchy. In the present study we make the idea work also with nondeterministic actions, and present detailed proofs.
Tsr-condition with frozen actions. The following condition is used in the present study. Unlike the very similar condition mentioned above, it does not suffer from the problem of firing in the same state actions that could otherwise be fired in different states. The condition puts all of them in stubb(s ′ ), but thanks to freezing, this is not the same thing as firing them all in s ′ . The implementation of the condition will be discussed in Section 6, and the condition will be used in Section 5 to prove that trace and fair testing equivalences are preserved.
SF At the end of the construction of the reduced state space, for every s ∈ S r there is s ′ ∈ S r such that s =ε⇒ r s ′ and V ⊆ stubb(s ′ ) holds with the final value of stubb(s ′ ).
To see that SF implies D0VF, assume that s obeys SF but has no outgoing r-transitions. Then the s ′ can only be s itself. So V ⊆ stubb(s).
Similarly to D0VF, SF does not necessarily force firing any enabled unfrozen actions, and this can only happen if firing any would be futile. This is because SF allows en r (s ′ ) = ∅ even if en(s ′ ) ⊆ frozen(s ′ ), provided that V ⊆ stubb(s ′ ). In that case, no occurrences of visible actions are reachable from s ′ . To see this, let s ′ =a⇒ where a ∈ V . The elements of frozen(s ′ ) can be consumed with Lemma 3.1, resulting in s ′ −a 1 · · · a n a→ with a ∈ warm(s ′ ). Then D1F can be applied either to a or to some a i , implying en r (s ′ ) = ∅.

Preservation of Trace and Fair Testing Equivalences
Throughout this section, we assume that F1, F2, D1F, D2F, VF, and SF are obeyed, and the situation is at the end of the construction of the reduced state space. (D3F is not needed. D0VF is not mentioned, because it follows from SF.) Based on these assumptions, we prove that trace equivalence and fair testing equivalence are preserved.
Lemma 5.1. If s ∈ S r and s =σ⇒ z, then there are s ′ and z ′ such that s =σ⇒ r s ′ =ε⇒ z ′ and z =ε⇒ z ′ .

Proof:
We prove the claim by induction on the length of the path that yields s =σ⇒ z.
In the base case the length is 0, so σ = ε and s = z. The claim is obtained by choosing s ′ = s = z ′ . Assume now that the path is of positive length. If σ = ε, the claim can be obtained by choosing s ′ = s and z ′ = z. Otherwise σ = ε. By SF there is s V such that s =ε⇒ r s V and V ⊆ stubb(s V ). We apply Lemma 3.4 to this r-path with s 0 = s =σ⇒ z = z 0 . The lemma yields i, s ′ i , z ′ i , b, and σ ′ . Let β = b if b ∈ V and β = ε otherwise, so that σ = βσ ′ . Let s ′ = s ′ i and z ′ = z ′ i . By the lemma, there is an s i such that s =ε⇒ r s i =β⇒ r s ′ =σ ′ ⇒ z ′ and z =ε⇒ z ′ . Furthermore, the path that yields s ′ =σ ′ ⇒ z ′ is shorter than the path that yields s =σ⇒ z. By induction, there are s ′′ and z ′′ such that s ′ =σ ′ ⇒ r s ′′ =ε⇒ z ′′ and z ′ =ε⇒ z ′′ . We have s =βσ ′ ⇒ r s ′′ and z =ε⇒ z ′′ , giving the claim.

Proof:
One direction follows from Lemma 5.1, and the other direction from the fact that every transition of the reduced state space is also a transition of the full state space. ⊓ ⊔ Lemma 5.3. If s ∈ S r , s =ε⇒ z, and z refuses K, then s r-refuses K or there are s ′ and π such that π is a prefix of K, s =π⇒ r s ′ , and s ′ r-refuses π −1 K.

Proof:
We prove the claim by induction on the length of the path that yields s =ε⇒ z.
In the base case the length is 0, so s = z. If s =κ⇒ r for some κ ∈ K, then z = s =κ⇒, contradicting z refuses K. Therefore, s r-refuses K.
Assume now that the path is of positive length. If s does not r-refuse K, then by Lemma 3.5 there are s ′ , z ′ , and a prefix π of K such that s =π⇒ r s ′ =ε⇒ z ′ , z =π⇒ z ′ , and the path that yields s ′ =ε⇒ z ′ is shorter than the path that yields s =ε⇒ z. Because z refuses K, z ′ refuses π −1 K.
⊓ ⊔ Theorem 5.4. The reduced state space is fair testing equivalent to the full state space.

Proof:
Assume that (σ, K) is an r-tree failure. There is s such thatŝ =σ⇒ r s and s r-refuses K. Clearlŷ s =σ⇒ s. By Theorem 5.2, s refuses K. So (σ, K) is a tree failure. Assume that (σ, K) is a tree failure. There is z such thatŝ =σ⇒ z and z refuses K. By Lemma 5.1 there are s ′ and z ′ such thatŝ =σ⇒ r s ′ =ε⇒ z ′ and z =ε⇒ z ′ . Also z ′ refuses K. By Lemma 5.3 either s ′ r-refuses K, implying that (σ, K) is an r-tree failure; or there are s ′′ and π such that π is a prefix of K, s ′ =π⇒ r s ′′ and s ′′ r-refuses π −1 K. So (σπ, π −1 K) is an r-tree failure. ⊓ ⊔

Implementation of SF and Freezing
In this section we present and prove correct an algorithm that guarantees SF, assuming that all stubborn sets obey D0VF and VF. The algorithm also contains the freezing of actions. We will prove in Section 7 that F2 and a strengthened version of F1 are invariant properties of the algorithm. (There we will also assume D1F, D2F, and D3F.) In principle, we should first prove this fact and only after that prove SF. However, both proofs require that the algorithm has been described, and not much is needed on top of the description to prove SF. Therefore, we present the material in "wrong" order. This is correct, because we do not appeal to F1 and F2 in this section. The algorithm is based on the following observation.

Proof:
Assume that every tsr-component C contains a state s C such that V ⊆ stubb(s C ). Let s ∈ S r . Some tsr-component C is r-reachable from s and some state s C in it has V ⊆ stubb(s C ). If the r-path from s to s C contains only invisible actions, then s C plays the role of s ′ of SF for s. Otherwise the path contains an r-transition s ′ −a→ r s ′′ such that a ∈ V . When it was constructed, we had a ∈ warm(s ′ ) ∩ en(s ′ ). At that time, VF implied V ⊆ stubb(s ′ ). Because stubb(s ′ ) does not shrink and V does not change at all, V ⊆ stubb(s ′ ) has held since then. So s ′ plays the role of s ′ of SF for s. Assume now that some tsr-component C does not have such a state. Then its states violate SF. ⊓ ⊔ As a consequence, SF can be implemented by recognizing the tsr-components, and ensuring that each of them contains a state s such that V ⊆ stubb(s). Fig. 4 shows both how this can be done and how actions are frozen. The algorithm is based on the well-known recursive method for constructing (S r , I, V, ∆ r ,ŝ) in depth-first order. It is initially called with DFS(ŝ, ∅). To recognize tsr-components efficiently, Tarjan's algorithm [24] is applied on top of the depth-first search, although its details are not shown in the figure. (A good practical improvement to Tarjan's algorithm has been presented in [25]. It was re-invented and slightly modified in [26].) The root of a strong r-component is the for a ∈ warm(s) ∩ en(s) do 7 for s ′ such that s −a→ s ′ do 8  When an r-state s is constructed, it inherits the current frozen set of its parent state. That it obeys F1 and F2 in s will be proven in Section 7. The algorithm enters the while-loop. In each iteration, it computes a new warm set. By Lemma 3.3, the set of all actions, that is, I ∪ V , satisfies the conditions listed towards the beginning of this section. However, I ∪ V is usually the worst possible from the point of view of reduction results. How a usually better set is found will be described in Section 8.
The algorithm executes all enabled actions in the warm set in all possible ways, storing the resulting r-transitions and entering those of the resulting r-states that have not yet been entered. After the warm set has been processed, several things are possible. The options have been designed so that when the algorithm backtracks from any tsr-component C, there is s ′ ∈ C such that V ⊆ stubb(s ′ ).
If s is not the root of a tsr-component, then backtracking from it does not mean backtracking from a tsr-component. The algorithm treats s as ready and backtracks from it. Otherwise, if the tsr-component contains an r-occurrence s ′ −a→ r of a visible action a, then, similarly to the proof of Lemma 6.1, V ⊆ stubb(s ′ ) by VF. Again, the algorithm backtracks from s. If warm(s) does not contain enabled actions, then V ⊆ stubb(s), because warm(s) obeys D0VF for s. Also this is sufficient justification for backtracking.
In the remaining case, on line 14 the algorithm freezes all actions in the stubborn sets of every state in the tsr-component, resulting in a new frozen set. That it obeys F1 and F2 will be proven in That is, the algorithm does not backtrack from s until either s is no longer the root of a tsrcomponent, or it is but the component contains an s ′ such that V ⊆ stubb(s ′ ). As a consequence, the algorithm does not backtrack from a tsr-component until the component contains an s ′ such that V ⊆ stubb(s ′ ). On the other hand, the algorithm does backtrack from each r-state and thus from each tsr-component for the following reason. Each frozen(s) is bigger than the previous frozen(s), because by line 14 it has the previous one as a subset, by line 10 it is not computed unless it contains a new action, and the only assignments to frozen(s) are those on lines 2 and 14. Therefore, the while-loop will terminate at the latest when frozen(s) = I ∪ V .
In conclusion, the algorithm terminates, and then every tsr-component contains a state s ′ such that V ⊆ stubb(s ′ ). So SF holds by Lemma 6.1. We have proven the following. Theorem 6.2. SF holds at the end of the execution of the algorithm in Fig. 4.
The algorithm tries to compute new warm sets for s one at a time, instead of establishing V ⊆ stubb(s) early on. This is to benefit from the possibility that something else than V ⊆ stubb(s) stops stubb(s) from growing, so that fewer actions would be fired in s. We saw in Section 4 that unnecessary V ⊆ stubb(s) can be detrimental to reduction results.
Interaction with Tarjan's algorithm. Tarjan's algorithm recognizes strong components in depthfirst order, with deepest first. It maintains a component stack that consists of the states that have been found but whose strong component has not yet been completed. A state is pushed to this stack when it is entered during depth-first search. Each state in the component stack has two numbers called index and low-link. The index does not change. The index of any state other thanŝ is bigger than the index of its parent. When s has not yet been backtracked from, its low-link is the smallest index of any state in the component stack to which there is a path from s via the edges that Tarjan's algorithm has so far traversed. After investigating all outgoing edges of s, Tarjan's algorithm tests whether s is the root of a strong component by testing whether its low-link is not smaller than its index. If the answer is yes, Tarjan's algorithm marks all states of the component as fully processed and pops them from the component stack.
To facilitate testing whether or not the component is terminal, a bit may be backward-propagated during the traversal that tells whether a state in another strong component is known to be reachable from the current state. In the case of the root (but not necessarily all other states of the same component) this bit tells reliably whether the component is actually terminal.
To implement line 11 in Fig. 4, these tests are performed outside Tarjan's algorithm, before informing Tarjan's algorithm whether or not the current state has more outgoing edges. The data structures of Tarjan's algorithm are read, but this does not affect Tarjan's algorithm, because they are not modified. If more outgoing edges are added by lines 14 and 4 to 9, from the point of view of Tarjan's algorithm the situation is not different from what it would have been if the added edges had always been there. Therefore, Tarjan's algorithm operates on the final reduced state space, unaffected by the fact that some edges were inserted just before it would have become aware of their non-existence, and the insertion was based on the contents of its data structures.
Examples. In all these examples, a and b are visible and u, v, and so on are not.
Consider again Fig. 3. We already saw that the algorithm constructs the cycle s 3 −τ 2 → r s 4 −τ 2 → r s 5 −τ 2 → r s 3 . When it has done so and is about to backtrack from s 3 , it freezes u and τ 2 , and computes a new warm(s 3 ). This computation returns {a, b}, because now a is the only unfrozen enabled action, and by D0VF, either such an action must be returned or the result must contain V as a subset. So the algorithm constructs s 3 −a→ r s 6 . In s 6 it again only fires a, for the same reason. In the next state s 9 compute stubborn again returns {a, b} but the while-loop fires nothing, because now both a and b are disabled. D0VF holds because V ⊆ warm(s 9 ) ∪ frozen(s 9 ) = {a, b} ∪ {τ 2 , u}.
The example also illustrates that freezing an action prematurely may cause an erroneous result. If τ 2 is frozen already in the initial state, the trace ba is lost.
In general, what happens with an example may depend on the details of the implementation of compute stubborn. The implementation in Section 8 is good in the sense used in this subsection.
In the case of τ 1 a || τ 2 a and τ 1 a || τ 2 a , a good implementation fires first one and in the next state the other of τ 1 and τ 2 , after which it fires a. With the following system, it constructsŝ −σ→ r s where σ is some permutation of τ 1 τ 1 τ 2 τ 2 , and then fires both a and b in s.
A good implementation fires nothing in the initial state of the following system, because {a, v} satisfies V ⊆ {a, v}, D1F, D2F, D3F, and VF: In the case of Fig. 2, a good implementation first constructsŝ −σw→ rŝ where σ is a permutation of uuvv. Then it freezes u, v, w, u ′ , and v ′ , tries the warm set {a} in vain, and terminates. A bad implementation might first constructŝ −τ 6 τ 6 → rŝ , then freeze τ 6 , and then continue like the good implementation.

Validity of F1 and F2
In this section we assume that the stubborn sets obey D1F, D2F, and D3F. We prove that both the original frozen(s) and its later versions satisfy F1 and F2. We first prove that the following strength-ened variant of F1 is an invariant property of the algorithm, that is, every operation that modifies any frozen(s) keeps it valid, assuming it was valid before the operation: , where none of a 1 , . . . , a n is in frozen(s 0 ), then there are z 0 and γ ∈ frozen(s 0 ) * such that s ′ 0 −c 1 · · · c k → z 0 and s ′′ 0 −γ→ z 0 .
We first deal with the initial frozen sets of newly created r-states, that is, those assigned on line 2. The initial call DFS(ŝ, ∅) makes frozen(ŝ) = ∅, so F1' clearly holds with z 0 = s ′′ 0 and γ = ε. The initial frozen sets of the remaining r-states are dealt with by the following lemma.

Proof:
Let s 0 = s ′ . The call makes frozen(s 0 ) = frozen(s) and does not modify any other frozen set. The call was made after constructing s −a→ r s ′ . Because this transition was constructed, we had a / ∈ frozen(s). Because F1' held for frozen(s), we can apply it to s −a→ s ′ −a 1 · · · a n → s ′ 0 −b 1 · · · b m → s ′′ 0 . Doing so immediately gives z 0 and γ with the promised properties.

⊓ ⊔
The only remaining place where any frozen set changes is line 14. It is much more difficult to deal with. Proof: Let the current state be denoted with s 0 , and assume that the execution is currently immediately before the assignment on line 14. This fixes the meaning of all sets whose contents may change. Because the algorithm is on line 14, s 0 is the root of a tsr-component C. Let frozen ′ (s 0 ) = s∈C stubb(s), that is, frozen ′ (s 0 ) denotes the value that the frozen set of s 0 will get due to line 14. We have frozen(s 0 ) ⊆ stubb(s 0 ) ⊆ frozen ′ (s 0 ). We may assume that for every s ∈ S r , F1' currently holds for frozen(s), and we must show that it also holds for frozen ′ (s 0 ). That is, we assume the if-part of F1' using frozen ′ (s 0 ), and prove its then-part. Let β 0 = b 1 · · · b m . If β 0 − frozen ′ (s 0 ) = β 0 − frozen(s 0 ), then the claim follows immediately. So from now on we assume that β 0 − frozen ′ (s 0 ) = β 0 − frozen(s 0 ). Please see Fig. 5. Our next goal is to demonstrate the existence of an r-path . . , s ′′ ℓ , and strings β 1 , γ 1 , . . . , β ℓ , γ ℓ such that s ℓ = s 0 , β ℓ = β 0 − frozen ′ (s 0 ), and, for 1 ≤ i ≤ ℓ, s i −a 1 · · · a n → s ′ i −β i → s ′′ i , s ′′ i−1 −γ i → s ′′ i , and γ i ∈ frozen ′ (s 0 ) * . In terms of Fig. 5, γ i is either γ ′ i (then z i = s ′′ i ) or γ ′ i u i . Because s 0 ∈ C and C is a tsr-component, each s i belongs to C, implying stubb(s i ) ⊆ frozen ′ (s 0 ). By the if-part of F1', none of a 1 , . . . , a n is in frozen ′ (s 0 ).
The path s 0 −a 1 · · · a n → s ′ 0 −β 0 → s ′′ 0 was given in the if-part of F1'. Assume that the paths have been constructed up to s i−1 −a 1 · · · a n → s ′ i−1 −β i−1 → s ′′ i−1 . Because all frozen sets satisfied There are now four cases. a 1 · · · a n β 0 1. If β ′ i has an element in common with warm(s i−1 ), then, by letting u i be the first such element of β ′ i , we get δ i and ρ i such that β ′ i = δ i u i ρ i and δ i has no element in common with warm(s i−1 ). Because β ′ i has no element in common with frozen(s i−1 ), this implies that δ i has no element in common with stubb(s i−1 ). Because none of a j is in frozen ′ (s 0 ) and stubb(s i−1 ) ⊆ frozen ′ (s 0 ), none of a j is in stubb(s i−1 ). So D1F can be applied to s i−1 −a 1 · · · a n → s 2. If case 1 does not apply, β ′ i has no element in common with warm(s i−1 ). Because β ′ i has no element in common with frozen(s i−1 ), β ′ i has no element in common with stubb(s i−1 ). Assume that β ′ i has an element b in common with frozen ′ (s 0 ). There is s b ∈ C such that b ∈ stubb(s b ). Because C is a tsr-component, there is an r-path from s i−1 to s b . We choose b and s b so that the r-path is as short as possible. We choose u i and s i so that s i−1 −u i → r s i is the first step of this r-path. So u i ∈ stubb(s i−1 ) ⊆ frozen ′ (s 0 ) and thus u i does not occur in a 1 · · · a n β ′ i . Although u i may now be frozen, it was warm when s i−1 −u i → r s i was constructed. Therefore, D2F can be applied, yielding s ′ i and s ′′ i such that s i −a 1 · · · a n → s 3. If cases 1 and 2 do not apply, β ′ i has no element in common with frozen ′ (s 0 ). Because all elements removed from β i−1 or β ′ i during earlier steps belong to frozen(s i−1 ) or warm(s i−1 ) and thus to frozen ′ (s 0 ), we have β ′ i = β 0 − frozen ′ (s 0 ) = c 1 · · · c k . Because C is a tsrcomponent, there is an r-path from s i−1 to s 0 . If s i−1 = s 0 , then we choose as short such an r-path as possible, and choose u i and s i so that s i−1 −u i → r s i is the first step of this r-path. Let β i = β ′ i and γ i = γ ′ i u i . Similarly to case 2, an application of D2F yields s ′ i and s ′′ i such that s i −a 1 · · · a n → s If also s i = s 0 , we will have β ′ i+1 = β i = β ′ i = β 0 − frozen ′ (s 0 ) and thus get back to this case. Furthermore, we may choose γ ′ i+1 = ε and z i+1 = s ′′ i .
We have now gone once around s 0 −u 1 · · · u ℓ → r s 0 . We have u i ∈ stubb(s i−1 ) ⊆ frozen ′ (s 0 ), and a 1 · · · a n c 1 · · · c k has no elements in common with frozen ′ (s 0 ). Therefore, we can go around s 0 −u 1 · · · u ℓ → r s 0 a second time, then a third time and so on, repeatedly applying D2F to yield , and so on. More formally, for every 1 ≤ i ≤ ℓ and j ≥ 1, D2F can be applied to s i−1 −a 1 · · · a n → s ′ jℓ+i−1 −c 1 · · · c k → s ′′ jℓ+i−1 and s i−1 −u i → r s i , to obtain s ′ jℓ+i and s ′′ jℓ+i such that s i −a 1 · · · a n → s ′ We have shown s ′ jℓ −c 1 · · · c k → s ′′ jℓ for every j > 0, but not yet for j = 0. For every j ≥ 0 we have s 0 = s jℓ −a 1 · · · a n → s ′ jℓ . Because the reduced state space is finite, there are i and j such that i < j and s ′ iℓ = s ′ jℓ . Let i be the smallest possible. If i > 0, then s ′ (i−1)ℓ = s ′ (j−1)ℓ but s ′ iℓ = s ′ jℓ , contradicting D3F. Therefore, i = 0. Because j > i, we have s ′ jℓ −c 1 · · · c k → s ′′ jℓ . By i = 0 and s ′ iℓ = s ′ jℓ we conclude s ′ 0 −c 1 · · · c k → s ′′ jℓ . We choose z 0 = s ′′ jℓ and γ = γ 1 · · · γ ℓ (u 1 · · · u ℓ ) j−1 and have the then-part of F1'. ⊓ ⊔ F1 becomes invalid also in Fig. 6 middle. The example violates the requirement in D1F and D2F that s i −a→ s ′ i also when 0 < i < n. In Fig. 6 right, D1F, D2F, D3F, VF, and SF hold, and F1' is not invalidated. The example demonstrates that in the proof of Lemma 7.2, s ′ ℓ may be different from s ′ 0 . The algorithm first executeŝ s −uv→ rŝ , then freezes u and v, and finally executesŝ −a→ r in both ways.

Proof:
The initial call makes frozen(ŝ) = ∅. F2 holds vacuously, because ∅ cannot contain a n . Now consider the call on line 9 that corresponds to s −a→ r s ′ . If s ′ −a 1 · · · a n → is a counterexample after line 2, then s −aa 1 · · · a n → was a counter-example beforehand, contradicting the assumption that F2 held before the call.
Finally consider line 14. Let s be the current state, C be the tsr-component whose root is s, a ∈ V , and s −a 1 · · · a n a→. Let us say that s ′ ∈ C is near a if and only if s ′ −αa→ and α is as short as possible. At least some s ′ ∈ C is near a. Because F2 held beforehand, a / ∈ frozen(s ′ ). No element of α is in frozen(s ′ ), because otherwise by F1, α would not be a shortest. No element of α is in warm(s ′ ), because otherwise D1F would yield an r-transition s ′ −u→ r s ′′ and an α ′ such that s ′′ −α ′ a→ and |α ′ | < |α|. So no element of α is in stubb(s ′ ). Also a / ∈ stubb(s ′ ), because otherwise D1F would yield s ′ −a→ r , contradicting line 12.
So D2F can be applied to each s ′ −u→ r s ′′ , yielding s ′′ −αa→. Also s ′′ is near a. Repeating this argument reveals that every s ∈ C is near a. So a / ∈ s ′ ∈C stubb(s ′ ) and the algorithm does not freeze a.
⊓ ⊔ By the above lemmas, and because F1' implies F1, we have the following.

Construction of Warm Sets
The only remaining task is to describe how warm sets can be constructed such that together with the frozen sets they satisfy the local conditions D0VF, D1F, D2F, D3F, and VF. The sets should preferably yield good reduction results. Although the ideas are largely independent of the formalism used for representing systems, for concreteness, we will use the parallel state spaces formalism in Section 2. Let L = (S, I, V, ∆,ŝ) = L 1 || · · · || L N . By en i (s i ) we mean the actions that L i is ready to execute when it is in its local state s i . That is, It is the set of the labels of the edges of L i whose tail is s i . The proof of the following theorem has been developed from [15] and earlier work. The key idea is that in case 1, L i keeps a disabled until an element of warm(s) occurs, and in case 2, a is concurrent with all actions that are not in stubb(s).
Theorem 8.1. Assume that the following hold for s = (s 1 , . . . , s N ) and for every a ∈ warm(s): 1. If a / ∈ en(s), then there is i such that 1 ≤ i ≤ N , a ∈ I i ∪ V i , and a / ∈ en i (s i ) ⊆ stubb(s).
2. If a ∈ en(s), then for every i such that 1 ≤ i ≤ N and a ∈ I i ∪ V i we have en i (s i ) ⊆ stubb(s).

Proof:
Let a 1 / ∈ stubb(s), . . . , a n / ∈ stubb(s). Let first a / ∈ en(s). Obviously s −a→ does not hold, so D2F is vacuously true. We prove now that D1F and D3F are vacuously true as well. By condition 1, there is i such that L i disables a and en i (s i ) ⊆ stubb(s). To enable a, it is necessary that L i changes its state, which requires that some action in en i (s i ) occurs. These are all in stubb(s) and thus distinct from a 1 , . . . , a n . So s −a 1 · · · a n a→ cannot hold.
Let now a ∈ en(s). Our next goal is to show that there are no 1 ≤ j ≤ N and 1 ≤ k ≤ n such that both a and a k are in I j ∪ V j . To derive a contradiction, consider a counter-example where k has the smallest possible value. So none of a 1 , . . . , a k−1 is in I j ∪ V j . If s −a 1 · · · a n →, then there is s ′ such that s −a 1 · · · a k−1 → s ′ −a k →. Obviously a k ∈ en j (s ′ j ). This implies a k ∈ en j (s j ), because L j does not move between s and s ′ since none of a 1 , . . . , a k−1 is in I j ∪ V j . By condition 2, en j (s j ) ⊆ stubb(s). This contradicts a k / ∈ stubb(s). This means that the L j that participate in a are disjoint from the L j that participate in a 1 · · · a n . From this D1F and D2F follow by well-known properties of the parallel composition operator. Regarding D3F, let s n = (s n,1 , . . . , s n,N ) and similarly with s ′ n , z n , and z ′ n . Then s n = z n implies s n,j = z n,j for some L j that participates in a 1 · · · a n . Because L j does not participate in a, we have s ′ n,j = s n,j = z n,j = z ′ n,j , yielding s ′ n = z ′ n . ⊓ ⊔ Let b / ∈ frozen(s). Cases 1 and 2 can be interpreted as spanning rules of the form a s b for each b in en i (s i ), meaning that if a ∈ warm(s), then b must be in stubb(s). We do this only if b / ∈ frozen(s), because such a rule is unnecessary if b ∈ frozen(s), because frozen(s) ⊆ stubb(s) by definition. So a s b actually says that if a ∈ warm(s), then also b must be in warm(s). In case 1, there may be more than one i that satisfies the condition. Although each choice of such an i is correct, we artificially assumed in the examples earlier in this study that the smallest one is chosen, to avoid ambiguity.
To deal with VF, we also add the rule a s b for every a ∈ (en(s) ∩ V ) \ frozen(s) and b ∈ V \ frozen(s). (This is equivalent to adding yet another parallel component ({ŝ}, ∅, V, ∆,ŝ) with ∆ = {(ŝ, a,ŝ) | a ∈ V }.) Whether or not a s b, usually depends on the state s. If A ⊆ I ∪ V , let clsr s (A) (the closure of A) denote the smallest set such that A \ frozen(s) ⊆ clsr s (A) and for every a and b, if a ∈ clsr s (A) and a s b, then also b ∈ clsr s (A). By the definitions, clsr s (A) contains no frozen actions. Furthermore, it satisfies D1F, D2F, D3F, and VF in s in the role of warm(s) (with, as always, stubb(s) = warm(s) ∪ frozen(s)).
If s −a 1 · · · a n → where a n ∈ V and {a 1 , . . . , a n } ∩ frozen(s) = ∅, then a n ∈ clsr s (V ). By D1F, {a 1 , . . . , a n } ∩ clsr s (V ) ∩ en(s) = ∅. Therefore, to focus efforts on actions that are important for preserving all traces, it is reasonable to only use subsets of clsr s (V ) as the warm sets. In Section 6 we assumed that compute stubborn(s, frozen(s)) returns a warm set warm(s) that obeys D0VF, that is, either V ⊆ warm(s) ∪ frozen(s) or warm(s) ∩ en(s) = ∅. If clsr s (V ) contains no enabled actions, this is achieved by returning clsr s (V ), because always V ⊆ clsr s (V ) ∪ frozen(s).
To guarantee D0VF in the opposite case, clsr s ({a}) could be returned for an arbitrary a ∈ clsr s (V ) ∩ en(s). To reduce the number of enabled actions in the resulting set, Tarjan's algorithm may be used to find a strong component of the graph spanned by " s " such that it contains an enabled action but no other strong component reachable from it contains enabled actions. This has been a standard approach in stubborn sets [7,14,11,12], and a very efficient implementation exists in the tool described in [27] (using a " s "-relation derived from another formalism than the one in the present study). The " s " relation is not presented as an explicit directed graph; instead, it is derived as needed similarly to how we derived it from Theorem 8.1.
When the algorithm in Fig. 4 calls compute stubborn again on the same state, the actions in the previous reply have been frozen. Therefore, clsr s (V ) has become smaller and compute stubborn will return a new answer.
To improve reduction results, one may make " s " smaller as long as the property remains valid that every clsr s (A) satisfies D1F, D2F, D3F, and VF. (Because of anomalic counter-examples, that this improves reduction is only a heuristic, not a theorem.) For instance, the purpose of the rules introduced by case 1 of Theorem 8.1 is to ensure that if a is put into the warm set, then it cannot become enabled without some action in the warm set occurring first. However, if L i has no path from s i to a state s ′ i such that a ∈ en i (s ′ i ), then a cannot become enabled at all. This is the case with b and L 2 in Fig. 3, if b has already been executed. In such a situation, no rule of the form a s x is needed, although case 1 implies that such a rule should be added for every x ∈ en i (s i ) \ frozen(s). If L i models a fifo queue, a is enabled, one of a and b reads from and the other writes to the fifo, and L i is their only shared component, then a s b is not needed, despite case 2.

Conclusions
We presented a major improvement to partial order reduction methods for safety properties. Our method also covers a subset of branching time liveness properties including "in all futures always, there is a future where eventually a occurs".
Because of concurrency and other phenomena that make actions commutative (such as writing to and reading from a non-empty non-full fifo), if there is a counter-example to the property under verification, there often are many related counter-examples. To yield correct results, partial order reduction methods preserve at least one of them, and to obtain good reduction, they try to preserve as few additional instances as they can. As was illustrated with the example τ 1 τ 1 a || τ 2 τ 2 b in Section 4, together these have the consequence that the preserved counter-example cannot always be a shortest possible. Instead, the preserved counter-example may contain actions that are irrelevant for it, but were fired because when they were fired, it was not certain that they are not relevant for any counter-example. In the example, firing initially only τ 1 lengthens the shortest preserved counter-example to "b never occurs", firing initially only τ 2 has the same effect to "a never occurs", and firing both would be bad for reduction. Unless special precaution is taken, this leads to the following possibility. Assume that we want to check that a never occurs. Consider τ 1 || τ 2 a . The method may initially choose to focus on (in this case non-existent) counter-examples for which τ 1 is relevant, postponing the development of the other counter-examples to later r-states. However, the firing of τ 1 brings the system back to an r-state that has already been processed, so in the end τ 2 was investigated in no r-state and all counter-examples were lost. This is the ignoring problem. It has forced the introduction of additional conditions to partial order reduction methods, most importantly the cycle condition for liveness properties and terminal strong component conditions for safety properties. They solve the ignoring problem in the sense of guaranteeing correctness. Unfortunately, there are examples showing that they are sometimes very detrimental to reduction results, please see Section 4 and, e.g., [11,12]. Little is known about how they affect reduction results in typical cases.
The major new contribution of [17] and the present study is the freezing of actions. Actions are frozen when they have been investigated but they proved irrelevant for all counter-examples and constituted a futile cycle. Thanks to the use of D0VF, most of the time (and, by Theorem 4.1, for a major class of systems all of the time) the method succeeds in avoiding such actions in the first place. However, because stubborn set construction algorithms cannot always determine whether or not an action is relevant, and because failure to pick a relevant action may compromise correctness, the methods sometimes pick irrelevant actions to be on the safe side. The example in Fig. 3 illustrates that when this happens and the irrelevant actions introduce a cycle in the reduced state space, the phenomenon tends to repeat in subsequent states, with bad consequences to reduction. The freezing of actions is a powerful solution to this problem. Frozen actions are treated as if they did not exist at all, preventing the repetition of the cycle.
Two decades ago, there were two different terminal strong component conditions. As was illustrated with Fig. 2, each of them suffers from a problem that the other one solves. To combine the good parts of both conditions, a complicated condition was employed in [11,12] that in the root of a tsr-component selects a set X of enabled actions, each of which must be fired in some state of the tsr-component. To obtain good reduction results, if such an action has been fired elsewhere in the tsrcomponent, then, if possible, it should not be fired again in the root. The freezing of actions removes from consideration those actions that have been fired in the tsr-component, automatically ensuring that they are not fired again in the root. So the set X need not be implemented and discussed in the correctness proof.
Let us illustrate another problem that has not received sufficient attention. Consider L 1 ||L 2 , where each L i consists of a cycle of i+1 τ i -transitions preceded by an a-transition, and we want to verify that the system lacks the trace aa. Assuming that the stubborn set construction favours τ 1 , the method in the present study constructsŝ −a→ r s −τ 1 τ 1 → r s, freezes τ 1 , constructs s −τ 2 τ 2 τ 2 → r s, freezes τ 2 , and terminates. However, if the algorithm alternates between favouring τ 1 and τ 2 , it constructsŝ −a→ r s −τ 1 τ 2 τ 1 τ 2 τ 1 τ 2 → r s, freezes both τ 1 and τ 2 , and terminates, resulting in a bigger reduced state 32 A. Valmari, W. Vogler / Stubborn Sets, Frozen Actions, and Fair Testing space. In the absence of freezing, if the method favours τ 1 , after constructingŝ −a→ r s −τ 1 τ 1 → r s it would continue by constructing s −τ 2 → r s ′ −τ 1 τ 1 → r s ′ −τ 2 → r s ′′ −τ 1 τ 1 → r s ′′ −τ 2 → r s. Freezing of actions prevents this last scenario, but not the previous one. Further research is needed. Our hypothesis is that the method should favour actions that belong to the same component as the action whose firing led to the creation of the current state.
Another apparently natural topic for further research would be to extend the method to linear time liveness properties. They are currently dealt with by the so-called cycle condition. However, this topic might be less fruitful than it seems, because linear time liveness properties tend to rely on so-called fairness assumptions, and, as was discussed in detail in [28], nobody has so far been able to reasonably combine them to partial order reduction. (For instance, fairness is not mentioned in the partial order reduction chapter of [1].) On the other hand, a big subset of liveness properties is preserved by fair testing equivalence. This is the reason for giving it lots of attention in the present study. It preserves a representative for each counter-example that goes via a state after which the desired activity cannot happen. What it may lose is counter-examples where the only reason for the desired activity not happening is the scheduling of actions. That is, the system infinitely many times chooses an action (like loss of a message, or executing an irrelevant component) that does not make progress towards the desired thing, while an action that does make progress (delivery of the message, executing another component) would have been available. Although linear time liveness with fairness assumptions is the standard approach, we believe that it is less reliable than generally thought and alternative approaches may be worth consideration [29].
Of course, implementing the frozen action method and experimenting with it would be an important topic for future research. Among other things, a data structure for maintaining the frozen sets is needed. It may exploit the fact that only the r-states in the depth-first stack need a frozen set, and the frozen set of an r-state (other thanŝ) is always a superset of the frozen set of its parent.