Guard Automata for the Verification of Safety and Liveness of Distributed Algorithms (long version)

Distributed algorithms typically run over arbitrarily many processes and may involve unboundedly many rounds, making the automated verification of their correctness challenging. Building on domain theory, we introduce a framework that abstracts the infinite-state distributed systems representing distributed algorithms into finite-state guard automata. The soundness of the approach corresponds to the Scott-continuity of the abstraction, which relies on the assumption that the distributed algorithms are layered. Guard automata thus enable the verification of safety and liveness properties of distributed algorithms.


Introduction
Under the umbrella of parameterized verification, the verification of systems formed of an arbitrary number of agents executing the same code has attracted quite some attention in recent years, see for instance [18,9]. Application examples range from distributed algorithms (e.g., for clock synchronization [28] or robot coordination [27]) and cache-coherence protocols [25,1] to chemical or biological systems [10]. In all cases, the systems are designed to operate correctly independently of the number of agents. More specifically, distributed algorithms are central to various emblematic applications, including telecommunications, scientific computing, and Blockchain. Automatically proving the correctness of distributed algorithms is particularly relevant, as stated by Lamport: "Model-checking algorithms prior to submitting them for publication should become the norm" [22]. The task, which the verification community has started to address, is quite challenging, since it aims at validating at once all instances of the algorithm, for arbitrarily many processes.
Distributed algorithms with threshold guards are omnipresent in solutions to consensus and agreement problems. Typically, these guards are also parameterized: e.g., if the number of processes in a distributed system is n, then it is natural to require that certain actions are taken only if a majority of processes is ready to do so, which results in a parameterized threshold expression of n/2. Due to Blockchain and other current applications, these kinds of distributed algorithms enjoy recent attention from the algorithm design community as well as the verification community. The algorithm design community has been studying them for a long time (see e.g., [11]) and typically provides hand-written proofs based on mathematical models without formal semantics.
For computer-aided verification, the first challenge is to develop appropriate modeling formalisms that, on the one hand, maintain all behaviors of the original algorithms and, on the other hand, are abstract and succinct enough to allow for efficient verification. Several approaches towards efficient verification have recently been proposed.
The threshold automata framework [20] targets asynchronous distributed algorithms with threshold guards, and reductions (similar to [23,17]) have been used to show that SMT-based bounded model checking is complete [19]. Later this framework was generalized, and the generalizations were analyzed regarding decidability [21] and complexity [5]. The current paper also targets threshold distributed algorithms, yet eventually provides an even coarser abstraction to represent their behaviors, thus reducing the overall verification complexity. Moreover, the semantics of distributed algorithms and the soundness of the abstraction rely on domain theory concepts, thus providing a solid mathematical framework for our work. Last but not least, our approach can handle infinite behaviors, in contrast to the threshold automata framework.
The logical fragment of the IVy toolset has also been shown to allow modeling threshold guards by axiomatizing their semantics as quorum systems [7]. For instance, the reason for waiting for quorums of more than n/2 messages is that any two such quorums must intersect in at least one sender. IVy allows expressing these quorum axioms and reducing verification to decidable fragments. Similar intuitions underlie verification results in the heard-of model (HO model) [13]. This computational model for distributed algorithms already targets a high level of abstraction that is sound for communication-closed distributed algorithms [12]. Here a consensus logic was introduced in [16] that could be used for deductive verification, and cut-off results were provided in [24] that reduce the parameterized verification problem to small finite instances. Compared to this line of work, the distributed algorithms we target share some similarities with these round-based communication-closed models. Recently, a threshold automata framework for round-based algorithms was introduced in [29] that also uses a small counterexample property for verification. In contrast, we use domain theory, and particularly Scott continuity, to be able to reason on infinite behaviors and thus to capture algorithms that do not necessarily terminate.
Other less related verification frameworks also target distributed algorithms with quite different techniques such as event B [26], array systems [4] or logic and automata theory [3].

Contributions
Using basic domain theory concepts, we provide a rigorous framework to model and verify (asynchronous) distributed algorithms. Our methodology applies to distributed algorithms that are structured in layers (that can be seen as a fine-grain notion of rounds), and may consist of countably many layers, thus capturing round-based distributed algorithms (with no a priori bound on the number of rounds).
In Section 2, we define partially ordered transition systems, which serve to express the semantics of our models. Section 3 introduces the low-level model of layered distributed systems to represent threshold-based distributed algorithms. Since the state space of layered distributed systems is infinite (and not even necessarily finitely representable), we provide several abstraction steps, up to a so-called guard abstraction. The soundness of each step is justified by the Scott-continuity of the corresponding abstraction. Some steps are also complete, and thus do not introduce spurious behaviors. Finally, towards practical verification, we define in Section 4 the guard automaton, a finite-state abstraction of (cyclic) layered distributed systems. It overapproximates the set of infinite behaviors of distributed algorithms, thus enabling the verification of safety as well as liveness properties. Its construction can be automated with the help of an SMT solver, paving the way to the automated verification of round-based threshold distributed algorithms.

Mathematical Preliminaries
This section presents mathematical notions as well as notations that are used throughout the paper. In particular, it introduces partially ordered sets and the Scott topology. The interested reader is referred to [2] for a thorough introduction to domain theory.

Sets and multisets. A multiset over a set $X$ is an element of $\mathbb{N}^X$. Addition and inclusion over multisets are defined in the natural way. For two multisets $\xi, \xi' \in \mathbb{N}^X$, $\xi + \xi' \in \mathbb{N}^X$ is the multiset such that for every $x \in X$, $(\xi + \xi')(x) = \xi(x) + \xi'(x)$. We write $\xi \sqsubseteq \xi'$ if for every $x \in X$, $\xi(x) \le \xi'(x)$. Standard sets can be seen as special cases of multisets through the canonical bijection between the set of subsets of $X$ ($2^X$) and the set of functions from $X$ to $\{0, 1\}$.
Sequences. For $X$ a set and $n \in \mathbb{N}$ a natural number, a sequence of elements of $X$ of length $n$ is some $u \in X^{\{0, \dots, n-1\}}$. Its length is $|u| = n$ and for $i < n$, $u(i) \in X$ denotes the letter at index $i$. $X^* = \bigcup_{n \in \mathbb{N}} X^{\{0, \dots, n-1\}}$ (resp. $X^+ = \bigcup_{n > 0} X^{\{0, \dots, n-1\}}$) denotes the set of all finite (resp. finite and non-empty) sequences of elements of $X$. Moreover, $X^* \cup X^{\mathbb{N}}$ is the set of finite or infinite sequences over $X$. For $u \in X^*$ a finite sequence and $v \in X^* \cup X^{\mathbb{N}}$ a finite or infinite sequence, we write $u \cdot v$ for the concatenation of $u$ and $v$. For $u$ and $w$ two sequences, we write $u \prec w$ and say that $u$ is a prefix of $w$ if either $w$ is finite and there exists $v \in X^*$ such that $u \cdot v = w$, or $u = w$. For $w$ a sequence and $i \le |w|$, $w_i$ is the prefix of $w$ of length $i$.
Closures and bounds for partially ordered sets. Let $(X, \sqsubseteq)$ be a partially ordered set, and $\xi \subset X$. The upward-closure of $\xi$ is $\uparrow\xi = \{x \in X \mid \exists x' \in \xi,\ x' \sqsubseteq x\}$, and $\xi$ is upward-closed if $\uparrow\xi = \xi$. Dually, one defines the downward-closure $\downarrow\xi$ and downward-closed sets. An element $x \in X$ is an upper bound of $\xi$ if for any element $x' \in \xi$, $x' \sqsubseteq x$. We write $\mathrm{ub}(\xi)$ for the set of upper bounds of $\xi$. If it exists (it is then unique), the greatest element of $\xi$ is the $x \in X$ such that $x \in \xi$ and $x \in \mathrm{ub}(\xi)$. Dually, one defines the notion of least element by reversing the order. If it exists, the least upper bound of $\xi$ is the least element of $\mathrm{ub}(\xi)$, and we denote it by $\bigsqcup \xi$. Finally, $\xi$ is directed if it is non-empty and if for every two elements $x, x' \in \xi$, $\mathrm{ub}(\{x, x'\}) \cap \xi \neq \emptyset$; intuitively, any finite subset of $\xi$ has an upper bound in $\xi$. An interesting particular case of directed sets is that of totally ordered subsets, which are called chains in this context.

Directed Complete Partially ordered sets (DCPO).
A DCPO is a partially ordered set $(X, \sqsubseteq)$ such that any directed subset $\xi \subset X$ has a (unique) least upper bound. These partially ordered sets are particularly important in the semantics of programming languages.
The Scott Topology on DCPO. Directed complete partial orders are naturally equipped with the Scott topology. A subset ξ of a DCPO (X, ⊑) is Scott-closed if it is downward-closed and if for any directed subset ξ ′ ⊂ ξ, ⊔ ξ ′ ∈ ξ. A subset is Scott-open if its complement in X is Scott-closed. Functions that are continuous for the Scott topology are called Scott-continuous.
A function $f : X \to Y$ between DCPOs is Scott-continuous if and only if for any directed subset $\xi \subset X$, $f(\bigsqcup \xi) = \bigsqcup f(\xi)$. In this paper, a partial function $f : X \to Y$ is called Scott-continuous if its domain $\mathrm{dom}(f)$ is Scott-closed and if for any directed subset $\xi \subset \mathrm{dom}(f)$, $f(\bigsqcup \xi) = \bigsqcup f(\xi)$.

Partially Ordered Transition Systems
Building on domain theory, this section introduces a generic model for distributed transition systems that will capture the semantics of distributed algorithms. An ordering naturally appears on the sets of sent messages (which can only grow), and the asynchrony requires the order to be partial only.
A partially ordered transition system (POTS) is a tuple $O = (X, \sqsubseteq, A)$ where $(X, \sqsubseteq)$ is a DCPO and $A$ is a set of partial functions from $X$ to itself, called actions, such that for every $a \in A$ and every $x \in \mathrm{dom}(a)$, $x \sqsubseteq a(x)$.
The above definition uses the convention that $\infty + 1 = \infty$. Note that if $\sigma$ is applicable at $x$, then the sequence $(x_t)_{t < T+1}$ is unique. Moreover, the least upper bound $\bigsqcup \{x_t \mid t < T+1\}$ exists because for any $t < T$, $x_t \sqsubseteq x_{t+1}$, so that $\{x_t \mid t < T+1\}$ is a chain. When $\sigma = (a_t)_{t < T}$ is finite, $x \star \sigma = x \star a_0 \star \cdots \star a_{T-1}$ denotes the last element of the monotone sequence $\mathrm{configs}(x, \sigma)$. In particular, for $a \in A$ and $x \in \mathrm{dom}(a)$, $x \star a = a(x)$. When $\sigma_t \in A^t$ is defined as the prefix of length $t$ of $\sigma$, $x_t = x \star \sigma_t$ and it follows that:

The following lemma will be useful throughout the paper:

▶ Lemma 3. For $x \in X$, the set $\mathrm{App}(x)$ of schedules applicable at $x$ is Scott-closed for the prefix ordering, and the function:

▶ Definition 4. An abstraction between POTS $O = (X, \sqsubseteq, A)$ and $O' = (X', \sqsubseteq, A')$ consists of a set abstraction $ab_X : X \to X'$, which is a Scott-continuous function, and a monoid abstraction $ab_A : A^* \to A'^*$, which is a monoid morphism (with a slight abuse of notation, $ab_A$ also denotes its Scott-continuous extension to $A^* \cup A^{\mathbb{N}} \to A'^* \cup A'^{\mathbb{N}}$); both such that for every $a \in A$ and every $x \in \mathrm{dom}(a)$, $ab_A(a) \in A'^*$ is applicable at $ab_X(x) \in X'$ and $ab_X(x \star a) = ab_X(x) \star ab_A(a)$.
The last condition of the definition of abstraction translates into the commutativity of the diagram in Figure 1a. The soundness of the abstraction for any (possibly infinite) schedule is stated in the following proposition and illustrated on Figure 1b.
The proof of this proposition is by transfinite induction on the length of schedules: showing that the result holds for finite schedules is easy, and continuity arguments (such as Lemma 3) are then used to extend to infinite schedules.

Layered Distributed Systems and their Abstractions
This section introduces a low-level model for distributed algorithms, whose semantics will be expressed as a POTS. The model is structured in layers, thus restricting the application to algorithms with a specific shape. However, many distributed algorithms from the literature fall in this class, and minor modifications of other algorithms make them amenable to our techniques. The restriction to layered models is used several times in the theoretical developments that follow.

Figure 1: (a) By Definition 4, the diagram commutes for any action $a \in A$. (b) By Proposition 5, the diagram commutes for any schedule $\sigma$.

Layered Distributed Transition Systems
This section introduces Layered Distributed Transition Systems (LDTSs) as a model for distributed algorithms, such as the Phase King algorithm [8]. A simplified version of the algorithm is given in Algorithm 1. This algorithm operates in rounds, each consisting of three steps:
(1) broadcast a message $(\ell, m)$ to all processes, where $\ell$ is the round index (line 3);
(2) receive the messages $(\ell, \_)$ sent in this round (line 4);
(3) update the process variables according to the received messages (lines 5 to 12).
In general, such a series of three instructions, indexed by $\ell \in \mathbb{N}$, is called a layer; it refines the classical notion of round: for instance, in Ben-Or's consensus algorithm [6], each round comprises two layers. Note that layers are assumed to be communication-closed [17,14]: the update instruction at layer $\ell$ only depends on messages received from the same layer.
Distributed algorithms run over a finite set of processes, and at every point in time, the local state of a process is defined by the valuation of its local variables. In this paper, the content of a sent message is not particularly relevant, as it can be deduced from the local state of its sender. Therefore, communication can be encoded by guards that prevent a process from taking a transition if a condition on the state of other processes is not met. Formally, the syntax of layered distributed transition systems is as follows:

Algorithm 1 (fragment): if $n_0 > n/2 + t$ then return $v$.
Algorithm 1: Inspired by the Phase King algorithm, this synchronous algorithm targets the resolution of binary consensus. It executes $t+1$ rounds. In round $\ell \in \{0, \dots, t\}$, the local value $v$ of each process is updated either according to the majority, or to the value of the process with id $\ell$ (the King process).
Intuitively, for $\ell \in \mathbb{N}$, $S_\ell$ is the set of states a process can be in at layer $\ell$, and a distinguished extra element is used to represent that a process has not reached that layer yet. Although trivial, the ordering on $S$ proves sufficient to represent the semantics of distributed algorithms. Moreover, the guards correspond to a condition on the messages received from other processes. Having $x \in \mathrm{guard}(s, s')$ with $x(p)$ equal to this extra element means that there is no condition on the messages received from process $p$, so that a process in state $s$ can go to $s'$ even if it has not received any message from $p$.
To define the semantics of an LDTS, recall that the system a priori runs fully asynchronously, so that processes may be in different layers. However, messages may be received by processes even after their sender has moved on to a later layer. This means that the state of each process at each layer should be recorded in the semantics of an LDTS. An agglomeration of local states is called a configuration. A full configuration additionally stores the messages received by each process, as formalized below:

▶ Definition 7. Let $D = (P, S, \mathrm{guard})$ be an LDTS. A full configuration of $D$ is a pair
$\mathrm{state}(c^f) : P \to S^+$ is such that for every $p \in P$ and $\ell \in \mathbb{N}$, if $\ell < |\mathrm{state}(c^f)(p)|$, then $\mathrm{state}(c^f)(p)(\ell) \in S_\ell$, and the latter is the state of $p$ in layer $\ell$;

The set of full configurations is denoted
Note that $S$ is a DCPO since each of its directed subsets is finite. $C^f$ is isomorphic to the Cartesian product $[(P, =) \to (S^+, \prec)] \times [(P^2 \times \mathbb{N}, =) \to (S, \sqsubseteq)]$ and is therefore a DCPO too.
At a full configuration $c^f \in C^f$, two types of actions may happen, corresponding to receptions and internal transitions. First, a process $p \in P$ may receive a message that was sent in layer $\ell \in \mathbb{N}$ by a process $p' \in P$; this action is denoted $\mathrm{rec}(p, \ell, p')$. Second, a process $p \in P$ may move from a state $s \in S_\ell$ to a state $s' \in S_{\ell+1}$, denoted $\mathrm{tr}(p, s, s')$. The effect of actions on full configurations is formally defined as follows:

▶ Definition 8. The set of actions of an LDTS $D = (P, S, \mathrm{guard})$ is
$\mathrm{received}(c^{f\prime}) = \mathrm{received}(c^f)$

Note that the reception actions are always enabled. So defined, the semantics of an LDTS is a POTS $O^f_D = (C^f, \sqsubseteq, A^f)$; in particular, the notions of schedules and abstractions apply.
▶ Example 9. Consider the Phase King algorithm run by three correct processes and a Byzantine one. The Byzantine process is not represented explicitly ($P = \{p_0, p_1, p_2\}$ only contains the correct processes), but the guards of the LDTS account for the messages it may send. Also, the King is chosen non-deterministically at each round, abstracting process ids. A correct process in layer $\ell$ may be in one of four states $S_\ell = \{v_0, v_1, k_0, k_1\}$, where $k_x$ (resp. $v_x$) represents that the local value of $v$ is $x \in \{0, 1\}$ and that the process is currently King (resp. not King). A full configuration, say $c^f$, is depicted at the top-left of Figure 2. The sequence of states process $p_0$ went through so far is $\mathrm{state}(c^f)(p_0) = v_0 \cdot k_1 \cdot v_1$. Also, $\mathrm{received}(c^f)(p_0)(p_2)(0) = v_1$ represents that process $p_0$ received the message that process $p_2$ was in state $v_1$ at layer 0. In contrast, $p_0$ does not know the state of $p_2$ at layer 2 (represented in the figure by a blank space instead of the "not received" element, for readability). Thus, in $c^f$, the message sent by process $p_2$ at layer 2 has yet to be received by $p_0$. The action $\mathrm{rec}(p_0, p_2, 2)$ corresponding to this reception is therefore enabled at $c^f$. The resulting configuration $c^f \star \mathrm{rec}(p_0, p_2, 2)$ is identical to $c^f$ except that $\mathrm{received}(c^f \star \mathrm{rec}(p_0, p_2, 2))(p_0)(p_2)(2) = \mathrm{state}(c^f)(p_2)(2) = v_1$ instead of the "not received" element. The reception $\mathrm{rec}(p_0, p_1, 2)$ can also happen at $c^f \star \mathrm{rec}(p_0, p_2, 2)$. The resulting configuration $c^{f\prime} = c^f \star \mathrm{rec}(p_0, p_2, 2) \star \mathrm{rec}(p_0, p_1, 2)$ coincides with $c^f$ except for
Now $p_0$ has received more than $n/2 + t$ messages in $\{v_1, k_1\}$, so that it updates its value to 1 in the next round. Therefore, the action $\mathrm{tr}$

Abstracting Received Messages
The partially ordered transition system $O^f_D$ is fine-grained and rather complex to analyze; therefore, the aim of the rest of this section is to define simpler POTSs that preserve or overapproximate the semantics of $O^f_D$. The successive steps are represented in Figure 2. The messages received by each process are used to check the enabledness of transitions. However, the received messages necessarily form a subset of the sent messages.

Figure 2: Full Configuration; Th. 12; Th. 19.

Using the notion of abstraction, this section proves that received messages can be forgotten without losing any information. Instead, it suffices to require the existence of a subset of the sent messages that would enable a transition. Changing views from received messages to sent ones is often implicit [21, 20], and without restrictions it may introduce spurious counterexamples (see Example 13). By imposing that each message appears in at most one guard along the transitions taken by a process, the layering hypothesis guarantees that the abstraction is complete (Theorem 12). This abstraction is then used to provide a characterization of reachable configurations (Theorem 15), including those reachable via an infinite schedule. A succinct configuration is an element of $C^s = P \to S^+$. For $c^s \in C^s$, $p \in P$, $\ell < |c^s(p)|$ and $s \in S$, $c^s(p)(\ell) = s$ means that process $p$ is or was in state $s$ at layer $\ell$. As before, if $\ell \ge |c^s(p)|$, then $c^s(p)(\ell)$ is the extra element representing that process $p$ has not reached layer $\ell$ yet. So defined, the projection $\mathrm{state} : C^f \to C^s$ abstracts $C^f$ into $C^s$, so that the reception actions become useless. The set of succinct actions is then
One can define the enabledness of a succinct action, and its effect. For a succinct configuration $c^s \in C^s$ and a succinct action
coincides with $c^s$ for any other process.
The first two conditions of enabledness are analogous to the case of the full semantics (see Definition 8). The last condition, however, replaces the guard of the edge with its upward closure. This derives from the fact that the condition now deals with sent messages instead of received ones, and the latter can only be smaller than the former.
Altogether, the succinct semantics of the LDTS consists of the POTS $O^s_D = (C^s, \sqsubseteq, A^s)$, whose definition is justified by the following proposition:

▶ Example 11. Consider the succinct configuration $c^s$ at the top right of Figure 2. It is obtained by applying $\mathrm{state}$ to the full configuration $c^f$ on the left. In Example 9, the full schedule

Propositions 10 and 5 entail that the succinct abstraction is sound, in the sense that it does not remove any existing behavior: properties that hold on every execution of the succinct model also hold on the full semantics. However, in general, abstractions are not complete and may introduce new behaviors (for instance, schedules without any reception actions may be applicable in the simplification but not in the full model). Nevertheless, the succinct abstraction is complete: there always exists an applicable full schedule corresponding to each applicable succinct schedule.
▶ Theorem 12. Let $\sigma^s \in (A^s)^* \cup (A^s)^{\mathbb{N}}$ be a succinct schedule applicable at an initial configuration

To prove Theorem 12, one transforms each action $[p : s \to s']$ into a finite schedule of the form $(\mathrm{rec}(p, p_u, \ell))_{u < U} \cdot \mathrm{tr}(p, s, s')$, carefully choosing the receptions to ensure that the last transition is enabled. The difficulties are twofold. First, the full schedule $(\mathrm{rec}(p, p_u, \ell))_{u < U} \cdot \mathrm{tr}(p, s, s')$ depends not only on $[p : s \to s']$, but also on the current configuration; therefore one cannot define a trivial abstraction. Second, this method requires a way to control the buffers of received messages throughout the schedule. Indeed, one should avoid that a process receives too many messages to take a transition, as 'un-receiving' messages is impossible. This is where the layered structure comes into play: it ensures that when a process receives the messages enabling a transition, no earlier transition required these.
▶ Example 13. As explained, the layering assumption is crucial in Theorem 12. Consider the non-layered distributed transition system with four states $a, b, c, x$, and two processes $p, p'$. Let $c^f$ be the initial full configuration with $\mathrm{state}(c^f)(p) = a$ and $\mathrm{state}(c^f)(p') = x$. Intuitively, in this counterexample, the guards are set such that the first transition $\mathrm{tr}$
Process $p$ would thus have to 'forget' that it received a message from $p'$ in order to take the second transition, which is impossible in the full semantics.
In contrast, the succinct semantics does not record whether $p$ has already received the message from $p'$ when approaching the second transition. The succinct schedule is therefore applicable at $\mathrm{state}(c^f)$, which would contradict Theorem 12 for unlayered distributed transition systems. By imposing that each message appears in at most one guard along the execution of a process, the layered hypothesis prevents this type of counterexample.
The advantage of the succinct semantics over the full one is that guards can only become true during an execution. This monotonicity property, combined with the layered hypothesis, makes it possible to check a posteriori that a configuration is reachable, simply by verifying that the guards of the transitions that were taken hold in the last configuration. In particular, this avoids building the schedule explicitly through all intermediate configurations. This is formally stated in the following definition and theorem.
▶ Theorem 15. Let $c^s, c^{s\prime} \in C^s$ be two succinct configurations such that $c^s$ is coherent. Then the following statements are equivalent:
(i) $c^s \sqsubseteq c^{s\prime}$ and $c^{s\prime}$ is coherent;
(ii) there exists a (possibly infinite) schedule $\sigma^s \in (A^s)^* \cup (A^s)^{\mathbb{N}}$ applicable at $c^s$ such that $c^s \star \sigma^s = c^{s\prime}$.
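The full semantics of Example 9, the succinct view of Example 11 and the a posteriori reachability check of Theorem 15, as an added Python example that is not code from the paper. It models the three correct processes of Example 9 with the Byzantine process folded into the guards (n = 4, t = 1, f = 1). Everything beyond the facts quoted in Example 9 is an assumption of this example: the state sequences of p1 and p2, the guard (a simplified Phase King update in which a process adopts value y when it holds a strong majority for y or has received a King message carrying y), the name BOT standing in for the page's "not reached / not received" element, and the reading of coherence as "every transition already taken is enabled by the sent messages of its layer".

```python
"""Full and succinct semantics of a small LDTS (added example, not code from the paper).
Instance: the three correct processes of Example 9, the Byzantine one folded into
the guards (n = 4, t = 1, f = 1). The guard is a constructed simplification of the
Phase King update: adopt value y on a strong majority for y (more than n/2 + t
votes, the f Byzantine ones counted in) or on a King message carrying y."""
from itertools import product

N, T, F = 4, 1, 1
PROCS = ("p0", "p1", "p2")
BOT = None   # assumed stand-in for the page's "not reached / not received" element

def value(s):
    return int(s[1])          # "v0" -> 0, "k1" -> 1

def is_king(s):
    return s[0] == "k"

def guard(s, s_next):
    """guard(s, s') as a predicate on a vector x : P -> S ∪ {BOT} of messages of one layer."""
    y = value(s_next)
    def holds(x):
        msgs = [m for m in x.values() if m is not BOT]
        support = sum(1 for m in msgs if value(m) == y)
        strong_majority = 2 * (support + F) > N + 2 * T
        king_says_y = any(is_king(m) and value(m) == y for m in msgs)
        return strong_majority or king_says_y
    return holds

# ---- full semantics: c_f = (state, received) ------------------------------
def sent_at(state, layer):
    """Messages sent at `layer`: the state each process had there, BOT if not reached."""
    return {q: (state[q][layer] if layer < len(state[q]) else BOT) for q in PROCS}

def rec(cf, p, layer, sender):
    """rec(p, l, p'): always enabled; p learns the state p' had at layer l, if p' reached it."""
    state, received = cf
    received = dict(received)
    msg = sent_at(state, layer)[sender]
    if msg is not BOT:
        received[(p, sender, layer)] = msg
    return state, received

def tr_enabled(cf, p, s, s_next):
    """tr(p, s, s'): p is in s and the messages p has *received* at that layer satisfy the guard."""
    state, received = cf
    layer = len(state[p]) - 1
    x = {q: received.get((p, q, layer), BOT) for q in PROCS}
    return state[p][layer] == s and guard(s, s_next)(x)

def tr(cf, p, s, s_next):
    if not tr_enabled(cf, p, s, s_next):
        raise ValueError("transition not enabled")
    state, received = cf
    state = {q: (seq + [s_next] if q == p else list(seq)) for q, seq in state.items()}
    return state, received

def leq(cf1, cf2):
    """The POTS order: state sequences are prefixes and received messages only grow."""
    (st1, rc1), (st2, rc2) = cf1, cf2
    return (all(st2[p][:len(st1[p])] == st1[p] for p in PROCS)
            and all(rc2.get(k) == v for k, v in rc1.items()))

# ---- succinct semantics: c_s = state(c_f) ----------------------------------
def in_upward_closure(g, sent):
    """sent ∈ ↑guard: some sub-vector of sent (coordinates dropped to BOT) satisfies g."""
    return any(g({q: (sent[q] if keep else BOT) for q, keep in zip(PROCS, bits)})
               for bits in product((False, True), repeat=len(PROCS)))

def succinct_enabled(cs, p, s, s_next):
    """[p : s -> s']: the guard is now checked against the *sent* messages of the layer."""
    layer = len(cs[p]) - 1
    return cs[p][layer] == s and in_upward_closure(guard(s, s_next), sent_at(cs, layer))

def coherent(cs):
    """Every transition already taken is enabled by the sent messages of its layer
    (assumed reading of the coherence notion used by Theorem 15)."""
    return all(in_upward_closure(guard(seq[l], seq[l + 1]), sent_at(cs, l))
               for seq in cs.values() for l in range(len(seq) - 1))

def reachable(cs, target):
    """Theorem 15 as a decision procedure: from a coherent cs, target is reachable
    iff cs ⊑ target (prefix-wise) and target is coherent; no schedule is built."""
    if not coherent(cs):
        raise ValueError("source configuration must be coherent")
    return all(target[p][:len(cs[p])] == cs[p] for p in PROCS) and coherent(target)

def example9():
    """Constructed c_f: layers 0 and 1 fully received by everyone, layer 2 only from oneself."""
    state = {"p0": ["v0", "k1", "v1"], "p1": ["k1", "v1", "v1"], "p2": ["v1", "v1", "v1"]}
    received = {(p, q, l): state[q][l] for p in PROCS for q in PROCS for l in (0, 1)}
    received.update({(p, p, 2): state[p][2] for p in PROCS})
    return state, received

def replay_example9():
    cf = example9()
    blocked = tr_enabled(cf, "p0", "v1", "v1")        # p0 only holds its own layer-2 vote
    cf2 = rec(rec(cf, "p0", 2, "p2"), "p0", 2, "p1")
    enabled = tr_enabled(cf2, "p0", "v1", "v1")       # three votes for 1 plus the Byzantine one
    cf3 = tr(cf2, "p0", "v1", "v1")
    return blocked, enabled, cf3[0]["p0"], leq(cf, cf2) and leq(cf2, cf3)
```

In `replay_example9`, the transition of p0 is blocked in the full semantics until the two layer-2 receptions have happened, while `succinct_enabled(example9()[0], "p0", "v1", "v1")` already holds, because the sent messages of layer 2 contain a sub-vector satisfying the guard. `reachable` never builds a schedule: extending p0 by `v1` gives a coherent target, extending it by `v0` does not, which is exactly the a posteriori check the text describes.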

Counter Abstraction
The theory presented so far dealt with a fixed set $P$ of processes. As an advantage, the guards of the edges could be any condition on the set of received messages; as a drawback, it is impossible to represent parameterized systems where the number of processes is not fixed. To remedy this downside, this section introduces layered threshold automata (LTA). While this model is syntactically similar to threshold automata [20], its semantics in terms of a POTS is novel. Natural abstractions between the semantics of LDTS and LTA can then be presented, proving that LTA form a faithful representation of distributed algorithms, in contrast to unrestricted threshold automata.
The guards are monotone, i.e. for any guard $g \in \mathrm{guard}(S^2)$, for any valuation
The set of parameters $R$ typically includes the number $n$ of processes and an upper bound $t$ on the number of faulty processes. Intuitively, the guards represent the conditions on sent messages for taking the corresponding transition. The monotonicity assumption therefore requires that the guards in the algorithms concern received messages only, which may be any subset of the sent messages.
In the remainder of this section, $T = (R, S, \mathrm{guard})$ is a fixed LTA. A configuration $c$ of $T$ is defined by:
a parameter valuation $\mathrm{param}(c) \in R \to \mathbb{N}$ that remains constant during an execution;
a counting mapping $\kappa(c) \in S \to \mathbb{N}$, where $\kappa(c)(s) = k$ means that $k$ processes have visited the state $s$;
flow counters $\mathrm{flow}(c) \in (\bigcup_{\ell \in \mathbb{N}} S_\ell \times S_{\ell+1}) \to \mathbb{N}$, where $\mathrm{flow}(c)(s, s') = k$ means that $k$ processes moved from $s$ to $s'$.
Moreover, processes that leave a state must have entered it; therefore, configurations should also verify the following flow conditions:
One can easily check that configuration $c'$ verifies the flow conditions.
The semantics of the LTA T is defined as the POTS O T = (C, ⊑, A).
For $\rho \in \mathbb{N}^R$, the set of configurations that have $\rho$ as parameters and $n$ processes initially
There is a strong link between LTA and LDTS. More precisely, fix a valuation $\rho \in \mathbb{N}^R$. Consider a set $P_\rho$ of $\rho(n)$ processes, and the LDTS $D_\rho = (P_\rho, S, \mathrm{guard}_\rho)$ where the function
Proposition 17 holds for any parameter valuation $\rho \in \mathbb{N}^R$. Thus, a single LTA represents infinitely many LDTS, one for each parameter valuation.
Similarly to the case of LTA, one can define coherence of configurations for LDTS, and obtain an equivalent of Theorem 15 at the counter abstraction level.
▶ Theorem 19. Let $c, c' \in C_\rho$ be two configurations such that $c$ is counter coherent. Then the following statements are equivalent:

The flow conditions and counter coherence can easily be encoded as a set of linear arithmetic formulas that do not depend on the number of processes. In particular, if the LTA is finite, then the resulting set of equations is finite as well, making the reachability problem decidable in this case (for initial and target states represented by linear arithmetic formulas). This can be used to verify not only safety properties but also liveness properties, as configurations represent potentially infinite behaviors and contain information about the whole execution. Theorem 19 differs from the threshold automata approach [20] in that a schedule does not need to be built explicitly. In particular, the layering assumption implies that the order in which guards become true is irrelevant, which greatly simplifies the SMT queries. More importantly, our approach applies to infinite automata, where methods based on bounding the diameter of the transition system have little chance of succeeding.

Guard Abstraction
Consider an LTA $T = (R, S, \mathrm{guard})$. Even when $S$ is finite, its configuration set $C$ is infinite, as the number of processes $n$ is unbounded. When $S$ is infinite, $C$ is infinite in two dimensions: it consists of infinitely many variables that may take infinitely many values. The guard abstraction presented here aims at partitioning these values into finitely many classes.
The resulting model will however remain infinite if $S$ is. Consider a set $G \subset \mathrm{PA}(S \cup R)$ of monotone guards, that is, every $g \in G$ is a linear arithmetic formula with free variables in $S \cup R$ such that for $\rho \in \mathbb{N}^R$ and $\kappa, \kappa' \in \mathbb{N}^S$, if $\kappa \le \kappa'$ pointwise and $\rho, \kappa \models g$, then $\rho, \kappa' \models g$ as well.
Intuitively, the guard abstraction only records the valuations of the guards, not the number of processes in each state. For this idea to succeed, the valuations of the guards must converge during an execution, which is guaranteed by the following proposition.

Guard Automata towards Practical Implementation
While Theorem 19 suffices to verify finite LTA through the counter abstraction, it falls short of capturing infinite models that arise, for instance, from round-based algorithms. This section introduces guard automata as a finite-state abstraction which is sound, yet, unsurprisingly, not complete in general, and may introduce spurious counterexamples.

Cyclic LTA
Towards algorithmic considerations and practical implementations, the rest of the paper focuses on round-based distributed algorithms, which can be captured by cyclic LTA. Intuitively, a cyclic LTA is used to model an LTA that repeats a finite series of layers indefinitely.
is a finite set of guards such that for $\ell < k$, $s^c \in S^c_\ell$ and $s^{c\prime} \in S^c$, $\mathrm{guard}^c(s^c, s^{c\prime}) \in \mathrm{PA}(R \cup S^c_\ell)$, and if $s^{c\prime} \notin S^c_{\ell+1 \bmod k}$, then $\mathrm{guard}^c(s^c, s^{c\prime}) = \mathit{false}$.
Unfolding a $k$-CLTA yields an infinite-state acyclic LTA $\mathrm{unfold}(R, S^c, \mathrm{guard}^c)$. Formally, $\mathrm{unfold}(R, S^c, \mathrm{guard}^c) = (R, S, \mathrm{guard})$ with:
meaning that any free variable $s^{c\prime\prime} \in S^c$ that appears in $\mathrm{guard}^c(s^c, s^{c\prime})$ gets replaced with $(s^{c\prime\prime}, \ell)$. In any other case, $\mathrm{guard}$ is false.

Guard Automaton
From the guard abstraction, one can construct a finite-state automaton that represents the set of reachable configurations of a cyclic LTA.
Let $T^c = (R, S^c, \mathrm{guard}^c)$ be a $k$-CLTA equipped with a finite set of guards expressed in Presburger arithmetic:
In practice, $G^c$ will include all guards appearing in the LTA, as well as the events that need to be observed.
A CLTA can be unfolded into an infinite-state LTA by concatenating copies of $T^c$. In order for the guard abstraction to be formally defined, copies of the guards in $G^c$ are required for each new layer. For $\ell \in \mathbb{N}$ a layer index and $g^c \in G^c_{\ell \bmod k}$ a guard, $\mathrm{unfold}_{G_\ell}(g^c) = g^c[s^c \leftarrow (s^c, \ell) \text{ for } s^c \in S^c_{\ell \bmod k}]$ denotes the guard obtained by replacing every free occurrence of a variable $s^c \in S^c_{\ell \bmod k}$ in $g^c$ by $(s^c, \ell)$. The converse folding operation is defined by:
is the set of guards at layer $\ell$, and $G = \bigcup_{\ell \in \mathbb{N}} G_\ell$ the set of all guards.
The guard abstraction maps every configuration of $\mathrm{unfold}(T^c)$ to the set of guards that hold in that configuration. Formally,
$\omega$ and $\mathrm{unfold}_G$ is the converse operation that applies $\mathrm{unfold}_{G_\ell}$ to the elements of layer $\ell$ in the sequence. Doing so, a configuration $c \in C$ defines a (possibly infinite) word $\gamma^c_0 \gamma^c_1 \dots$ over the finite alphabet $\Sigma = \bigcup_{\ell < k} 2^{G^c_\ell}$, as represented in Figure 4.
Figure 4: From a configuration to a word over the finite alphabet of the guard automaton.
For $\ell < k$ a layer index, and $\gamma^c \in 2^{G^c_\ell}$ and $\gamma^{c\prime} \in 2^{G^c_{\ell+1 \bmod k}}$ guard valuations of layer $\ell$ and of the next layer, one can use an SMT solver to check whether $\gamma^{c\prime}$ is a successor of $\gamma^c$. Precisely, the SMT query asks for the existence of $x \in \mathbb{N}^{S^c_\ell}$, $y \in \mathbb{N}^{S^c_{\ell+1 \bmod k}}$ and $e \in \mathbb{N}^{S^c_\ell \times S^c_{\ell+1 \bmod k}}$ such that the valuation of the guards (1), the flow conditions (2) and counter coherence (3) are verified.
The guard automaton is a finite automaton whose language overapproximates the set of reachable configurations. It bears similarities with the de Bruijn graphs [15] used e.g. in bioinformatics. If $E_\ell \subset 2^{G^c_\ell} \times 2^{G^c_{\ell+1 \bmod k}}$ denotes the set of all pairs $(\gamma^c, \gamma^{c\prime})$ that verify conditions (1), (2) and (3), one can build the set $E = \bigcup_{\ell < k} E_\ell$.
where: Σ is both the alphabet and the set of states. 2 G c 0 ⊂ Σ is the set of initial states. E ⊂ Σ 2 defined above is the set of edges, equipped with src ∶ E → Σ (resp. dest ∶ E → Σ) that defines the source state (resp. destination state) of every edge, and label ∶ E → Σ associates a label to each edge defined by label(γ c , γ c′ ) = γ c . An infinite run (e ℓ ) ℓ<∞ of the guard automaton defines a word word ((e ℓ ) ℓ<∞ ) = label(e 0 ) ⋅ label(e 1 ) ⋅ ⋯ , and L(GA G (T c )) ⊂ Σ ω denotes the language of GA G (T c ).
The guard abstraction transforms $c$ into the guard configuration at the bottom left of Figure 2. Here, we chose the set of guards $G^c$ to consist of $s > 0$ for each $s \in S^c$ together with the guards of the LTA. The alphabet $\Sigma$ contains, e.g., (T ⋅ T ⋅ ⋅ ⋅ ⋅ ⋅ T). SMT queries determine whether two letters may appear successively, in order to build the guard automaton. For instance, according to the first two layers of $\mathit{eval}_G(c)$, (T ⋅ T ⋅ ⋅ ⋅ ⋅ ⋅ T) can be followed by (T ⋅ T T ⋅ ⋅ ⋅ ⋅ T). There is therefore a transition between these two states in the guard automaton.
▶ Theorem 24. Let $c \in C$ be a configuration of $\mathit{unfold}(T^c)$ and $\mathit{eval}_G(c) \in 2^G$ its guard abstraction. If $c$ is counter-coherent, then $\mathit{fold}_G(\mathit{eval}_G(c)) \in L(GA_G(T^c))$.
By soundness of the guard automaton construction, a property which holds on the configurations that correspond to runs of $GA_G(T^c)$ also holds on the configurations of $\mathit{unfold}(T^c)$. A simple verification procedure thus consists in checking that $L(GA_G(T^c))$ is included in a given language of correct configurations. At first glance, it might seem that only safety properties can be checked. However, the guard automaton also represents configurations reachable by infinite schedules, which makes the verification of liveness properties feasible.

which the king broadcasts what it thinks is the majority. The set of guards at the first layer is $G^c_0 = \{v_0 > 0, v_1 > 0\}$ and at the second layer $G^c_1$ consists of $k_{0,0}+k_{1,0} > 0$, $k_{0,1}+k_{1,1} > 0$, $p_0+k_{0,0}+k_{0,1} > 0$, $p_1+k_{1,0}+k_{1,1} > 0$, $2(k_{0,0}+k_{0,1}+p_0+f) > n+2t$ and $2(k_{1,0}+k_{1,1}+p_1+f) > n+2t$.
Restricting to valuations with $\sum_{s \in S_\ell} s + f = n$ (fairness) and $k_{0,0}+k_{0,1}+k_{1,0}+k_{1,1} \le 1$ (at most one king), the resulting guard automaton has 3 states in even layers and 11 in odd layers. Writing $[\varphi]$ for the set of letters in $2^{G^c}$ for which the formula $\varphi$ holds, one can show: Therefore, either every chosen king is Byzantine (4), or all processes agree on a value after a non-Byzantine king is chosen (5 or 6).
In general, although it is sound, the guard automaton construction is not complete: the language may contain words that correspond to no configuration of the LTA. As usual for incomplete methods, heuristics can be used to remove some spurious counterexamples.

Conclusion
This paper presented a methodology, based on domain theory, to represent and analyze distributed algorithms. Infinite-state models are abstracted into finite-state guard automata, on which one can check safety and liveness properties.
Optimizing and benchmarking the guard automaton implementation is on our current agenda to demonstrate the applicability of our methodology by verifying safety and liveness of standard distributed algorithms from the literature. A more long-term research objective is to build on the current contribution to develop a rigorous framework for the verification of randomized distributed algorithms.
as the destination of a schedule is always greater than its source. Consider a directed set $\zeta \subset A^*$ and define $\sigma = \bigsqcup \zeta$. By monotonicity, Again, $\mathord{\downarrow}\zeta$ contains all the finite prefixes of $\sigma$ and,

Proof of Proposition 5
▶ Proposition 5. Let $(ab_X, ab_A)$ be an abstraction between $O = (X, \sqsubseteq, A)$ and another such structure, $x \in X$ an element, and $\sigma \in A^*$ a schedule. If $\sigma$ is applicable at $x$, then $ab_A(\sigma)$ is applicable at $ab_X(x)$ and $ab_X(x \star \sigma) = ab_X(x) \star ab_A(\sigma)$.

Proof. The result is shown by (transfinite) induction on the length of the schedules. The most involved case is that of infinite schedules, where the continuity of the abstractions ($ab_X$ and $ab_A$) as well as Lemma 3 are used. If $\sigma = \varepsilon$, then both $\sigma$ and $ab_A(\sigma) = \varepsilon$ are applicable at any configuration, and the claimed equality holds trivially. Consider $T \in \mathbb{N}$ and suppose the result holds for any schedule of length $T$. Consider a schedule $\sigma = (a_t)_{t < T+1} \in A^{T+1}$ of length $T+1$ applicable at a configuration $x \in X$. Then necessarily the prefix of length $T$ of $\sigma$ is also applicable at $x$, and the induction hypothesis gives: Then, the following holds (by definition of an abstraction): The result therefore holds for any finite schedule. Let now $\sigma$ be an infinite schedule. For $t \in \mathbb{N}$, consider $\sigma_t \in A^t$ the finite prefix of length $t$ of $\sigma$. Then, This proves the result for infinite schedules and concludes the induction. ◀

Proof. This proof consists simply in checking that the conditions of Definition 4 are met.
The continuity of $\mathit{state}$ holds as it is a projection. For $\mathit{rec}(p, p', \ell) \in A^f$ and $c^f \in C^f$, $\mathit{rec}(p, p', \ell)$ does not modify the states of the processes. Therefore, $\mathit{state}(c^f \star \mathit{rec}(p, p', \ell)) = \mathit{state}(c^f)$. Consider $c^f \in C^f$ and $\mathit{tr}(p, s, s') \in A^f$ applicable at $c^f$. The only non-immediate part of this proof is to verify that $\mathit{simpl}(\mathit{tr}(p, s, s')) = [p \colon s \to s']$ is applicable at $\mathit{state}(c^f)$. The fact that $\mathit{state}(c^f \star \mathit{tr}(p, s, s')) = \mathit{state}(c^f) \star [p \colon s \to s']$ follows directly from the definition. Therefore, for any $a^f \in A^f$ applicable at a full configuration $c^f \in C^f$, $\mathit{simpl}(a^f)$ is applicable at $\mathit{state}(c^f)$ and $\mathit{state}(c^f \star a^f) = \mathit{state}(c^f) \star \mathit{simpl}(a^f)$, which concludes the proof. ◀

Proof of Theorem 12
▶ Theorem 12. Let $\sigma^s \in A^{s*}$ be a succinct schedule applicable at an initial configuration $c^s \in C^s$. Then there exists a full schedule $\sigma^f \in A^{f*}$ applicable at a full configuration The proof of Theorem 12 requires the following lemma: Then there exists $\sigma^f \in A^{f*}$ applicable at $c^f$ such that: Define the finite sequence $(q_u)_{u < U}$ as an enumeration of the set $\{q \in P \mid x(q) \neq {}\}$ (this set is finite because $P$ is finite).
The fact that $\mathit{simpl}(\sigma^f) = [p \colon s \to s']$ is easily verified, and Propositions 5 and 10 conclude the argument.
Moreover, the reception actions present in the schedules only affect the messages received by process $p$ at layer $\ell$ and none of the others; therefore the second property holds as well. ◀

Proof of Theorem 12. Consider $c^f \in C^f$ defined with $\mathit{state}(c^f) = c^s$ and, for any $p, p' \in P$ and $\ell \in \mathbb{N}$, $\mathit{received}(c^f)(p)(p')(\ell) = {}$.
The remainder of the proof consists in constructing a partial monotone function $\mathit{concr} \colon A^{s*} \to A^{f*}$ such that: if $\sigma^s \in A^{s*}$ is applicable at $c^s$, then $\mathit{concr}(\sigma^s) \in A^{f*}$ is applicable at $c^f$; $\mathit{simpl}(\mathit{concr}(\sigma^s)) = \sigma^s$; and for $\sigma^s \in A^{s*}$ applicable at $c^s$, for any $p \in P$ and $\ell \in \mathbb{N}$ such that no action $[p \colon s \to \_]$ with $s \in S_\ell$ appears in $\sigma^s$, $\mathit{received}(c^f \star \mathit{concr}(\sigma^s))(p)(\_)(\ell) = {}$. Extending the function $\mathit{concr}$ to a Scott-continuous function $A^{s*} \to A^{f*}$ then concludes the proof.
The function $\mathit{concr} \colon A^{s*} \to A^{f*}$ is defined inductively as follows: $\mathit{concr}(\varepsilon) = \varepsilon$. This clearly satisfies the requirements.
The theorem is therefore proven when $\sigma^s$ is finite. Consider now an infinite schedule $\sigma^s \in A^{s*}$, and let $\sigma^f = \bigsqcup\{\mathit{concr}(\sigma^s_t) \mid t \in \mathbb{N}\}$. By Lemma 3, $\sigma^f$ is applicable at $c^f$ (because all the $\mathit{concr}(\sigma^s_t)$ are). Moreover, by continuity, Proposition 10 then allows us to conclude. ◀

Proof of Theorem 15
▶ Theorem 15. Let $c^s, c^{s'} \in C^s$ be two succinct configurations such that $c^s$ is coherent. Then the following statements are equivalent: $c^s \sqsubseteq c^{s'}$ and $c^{s'}$ is coherent; there exists a (possibly infinite) schedule $\sigma^s \in A^{s*}$ applicable at $c^s$ such that $c^s \star \sigma^s = c^{s'}$.
Proof. The two implications are shown separately. Beginning with the converse, one needs to show that for a coherent configuration $c^s \in C^s$ and an applicable schedule $\sigma^s \in A^{s*}$, if $c^{s'} = c^s \star \sigma^s$ then $c^s \sqsubseteq c^{s'}$ and $c^{s'}$ is coherent. The fact that $c^s \sqsubseteq c^{s'}$ is immediate. Only the coherence of $c^{s'}$ needs to be proven, by induction on the schedule $\sigma^s$.
If $\sigma^s = \varepsilon$, then $c^{s'} = c^s$ and the result holds. Suppose that the result holds for a finite schedule $\sigma^s \in A^{s*}$. Consider an action $[p \colon s \to s'] \in A^s$, and suppose that $\sigma^s \cdot [p \colon s \to s']$ is applicable at $c^s$. Then $\sigma^s$ is also applicable at $c^s$ and, by the induction hypothesis, $c^{s''} = c^s \star \sigma^s$ is coherent.
For the direct implication, one needs to show that for two configurations $c^s, c^{s'} \in C^s$, if both configurations are coherent and $c^s \sqsubseteq c^{s'}$, then there exists a schedule $\sigma^s$ applicable at $c^s$ such that $c^s \star \sigma^s = c^{s'}$.
Let $n = \rho(n)$ be the number of processes. This proof uses a notion of similarity between configurations, expressed below: The second component is indeed always strictly lower than $n$, as $k = n$ implies $c^{s'}(\_)(\ell+1) = c^s(\_)(\ell+1)$, which contradicts the definition of $\ell$.
The element $\top$ is then added as the maximum.
The proof uses the following lemmas:

▶ Lemma B.2. For any $c^s \in C^s$, $\mathit{sim}_{c^s}$ is Scott-continuous.

Proof. First, monotonicity. Consider $c^{s'} \sqsubseteq c^{s''} \sqsubseteq c^s$. If $c^{s''} = c^s$, then $\mathit{sim}_{c^s}(c^{s''}) = \top$ and immediately $\mathit{sim}_{c^s}(c^{s'}) \le \mathit{sim}_{c^s}(c^{s''})$. Suppose now that $c^{s''} \neq c^s$. Then also $c^{s'} \neq c^s$.
Additionally, $(c^s \star a^s)(p)(\ell+1) \sqsubseteq c^{s'}(p)(\ell+1)$, and as the rest of $c^s$ is left unchanged by the action $a^s$, $(c^s \star a^s) \sqsubseteq c^{s'}$.
Otherwise, there still exists $p' \in P$ such that $(c^s \star a^s)(p')(\ell+1) \neq c^{s'}(p')(\ell+1)$. In this case, $k < n-1$ and $\mathit{sim}_{c^{s'}}(c^s \star a^s) = (\ell, k+1) > \mathit{sim}_{c^{s'}}(c^s)$. ◀

Back to the proof of the theorem itself, consider two coherent configurations $c^s \sqsubseteq c^{s'}$. Define the set of finite schedules: If there exists $\sigma^s \in X_{c^s, c^{s'}}$ such that $c^s \star \sigma^s = c^{s'}$, then the proof is finished. Suppose that for any $\sigma^s \in X_{c^s, c^{s'}}$, $c^s \star \sigma^s \neq c^{s'}$.
Then $X_{c^s, c^{s'}}$ is nonempty as $\varepsilon \in X_{c^s, c^{s'}}$. Moreover, for any $\sigma^s \in X_{c^s, c^{s'}}$, $c^s \star \sigma^s$ is coherent (previous proof) and Lemma B.3 is therefore applicable to the pair of configurations $c^s \star \sigma^s \sqsubseteq c^{s'}$. This gives an action $a^s \in A^s$ applicable at $c^s \star \sigma^s$ such that $\mathit{sim}_{c^{s'}}(c^s \star \sigma^s) < \mathit{sim}_{c^{s'}}((c^s \star \sigma^s) \star a^s)$. This in turn proves that $\sigma^s \cdot a^s \in X_{c^s, c^{s'}}$.
Therefore $X_{c^s, c^{s'}}$ contains an infinite chain $(\sigma^s_i)_{i \in \mathbb{N}}$ such that for any $i \in \mathbb{N}$, $\mathit{sim}_{c^{s'}}(c^s \star \sigma^s_i) < \mathit{sim}_{c^{s'}}(c^s \star \sigma^s_{i+1})$. Define $\sigma^s = \bigsqcup\{\sigma^s_i \mid i \in \mathbb{N}\}$. Consider $(\ell, k) \in \mathbb{N} \times \{0, \ldots, n-1\}$. As $\mathord{\downarrow}(\ell, k)$ is finite, there exists $i \in \mathbb{N}$ such that $(\ell, k) \le \mathit{sim}_{c^{s'}}(c^s \star \sigma^s_i)$. Therefore, by monotonicity, $(\ell, k) \le \mathit{sim}_{c^{s'}}(c^s \star \sigma^s)$. As this holds for any $(\ell, k) \in \mathbb{N} \times \{0, \ldots, n-1\}$, we derive $\mathit{sim}_{c^{s'}}(c^s \star \sigma^s) = \top$. In turn this means that $c^s \star \sigma^s = c^{s'}$ and the proof is complete. ◀

Finally, $\mathord{\uparrow}\mathit{guard}_\rho(s, s') \subset \mathit{guard}_\rho(s, s')$, which concludes the proof. ◀

Proof of Proposition 17. The verification that $\mathit{count}_{C^s_\rho}(c^s_\rho) \in C_\rho$ is immediate. The rest of the proof consists in checking that the conditions of Definition 4 are met. The following lemma proves useful for the continuity of the abstraction:

▶ Lemma B.5. For any $\ell \in \mathbb{N}$, $s \in S_\ell$ and $s' \in S_{\ell+1}$, the following functions are monotone: $c^s \mapsto \{p \in P_\rho \mid c^s(p)(\ell) = s \text{ and } c^s(p)(\ell+1) = s'\}$

Proof. The arguments for both functions are the same. Only the monotonicity of $\varphi_s$ is detailed.
Consider $c^{s'}$ equal to $c^s$ everywhere except for $c^{s'}(p)(\ell+1) = s'$. Clearly $c^s \sqsubseteq c^{s'}$. Moreover, $\kappa(\mathit{count}_{C^s_\rho}(c^{s'}))(s') = \kappa(\mathit{count}_{C^s_\rho}(c^s))(s') + 1 \le \kappa(c)(s')$ and similarly $\mathit{flow}(\mathit{count}_{C^s_\rho}(c^{s'}))(s, s') = \mathit{flow}(\mathit{count}_{C^s_\rho}(c^s))(s, s') + 1 \le \mathit{flow}(c)(s, s')$. As $\mathit{count}_{C^s_\rho}(c^s)$ is equal to $\mathit{count}_{C^s_\rho}(c^{s'})$ everywhere else, $\mathit{count}_{C^s_\rho}(c^{s'}) \sqsubseteq c'$ and $c^{s'} \in X$. Additionally, consider If $k' < n$, then $\mathit{sim}_{c'}(\mathit{count}_{C^s_\rho}(c^{s'})) = (\ell, k+1)$ and $\mathit{sim}_{c'}(\mathit{count}_{C^s_\rho}(c^s)) < \mathit{sim}_{c'}(\mathit{count}_{C^s_\rho}(c^{s'}))$. If not, then $k' = n$ and the following holds: $\forall s \in S_{\ell+1},\ \kappa(\mathit{count}_{C^s_\rho}(c^{s'}))(s) \le \kappa(c)(s)$. Therefore, $\forall s \in S_{\ell+1},\ \kappa(\mathit{count}_{C^s_\rho}(c^{s'}))(s) = \kappa(c)(s)$, which means that $\mathit{sim}_{c'}(\mathit{count}_{C^s_\rho}(c^s)) < \mathit{sim}_{c'}(\mathit{count}_{C^s_\rho}(c^{s'}))$ as well.

By contradiction, suppose that for any $c^s \in X$, $\mathit{sim}_{c'}(\mathit{count}_{C^s_\rho}(c^s)) < \top$. Then the last point shows the existence of an infinite sequence $(c^s_i)_{i \in \mathbb{N}} \in X^{\mathbb{N}}$ such that for any $i \in \mathbb{N}$, $\mathit{sim}_{c'}(\mathit{count}_{C^s_\rho}(c^s_i)) < \mathit{sim}_{c'}(\mathit{count}_{C^s_\rho}(c^s_{i+1}))$; let $c^s = \bigsqcup_{i} c^s_i$. As $X$ is Scott-closed, $c^s \in X$. By monotonicity of $\mathit{count}_{C^s_\rho}$ and $\mathit{sim}_{c'}$, for any $i \in \mathbb{N}$, $\mathit{sim}_{c'}(\mathit{count}_{C^s_\rho}(c^s_i)) \le \mathit{sim}_{c'}(\mathit{count}_{C^s_\rho}(c^s))$. Moreover, for any $(\ell, k) \in \mathbb{N} \times \{0, \ldots, n-1\}$, $\mathord{\downarrow}(\ell, k)$ is finite; this means that there exists $i \in \mathbb{N}$ such that $(\ell, k) \le \mathit{sim}_{c'}(\mathit{count}_{C^s_\rho}(c^s_i))$. Therefore, for any $(\ell, k) \in \mathbb{N} \times \{0, \ldots, n-1\}$, $(\ell, k) \le \mathit{sim}_{c'}(\mathit{count}_{C^s_\rho}(c^s))$. This proves that $\mathit{sim}_{c'}(\mathit{count}_{C^s_\rho}(c^s)) = \top$. Therefore, there exists $c^s \in C^s_\rho$ such that $\mathit{count}_{C^s_\rho}(c^s) \sqsubseteq c'$ and $\mathit{sim}_{c'}(\mathit{count}_{C^s_\rho}(c^s)) = \top$, which concludes the proof.

3. This point is almost a direct consequence of the previous one. Indeed, for any $c' \in C_\rho$, if there exists $c^s \in C^s_\rho$ such that $\mathit{count}_{C^s_\rho}(c^s) \sqsubseteq c'$, then the proof is finished. However, finding such a $c^s$ requires at least defining its first layer. This is done in the following. Build a finite sequence $s_0, \ldots, s_{k-1} \in S_0$ containing all the states of layer 0 such that $\kappa(c')(s_j) > 0$.
Consider also an ordering $p_0, \ldots, p_{n-1}$ of the finite set of processes $P_\rho$. Then build and $\mathit{count}_{C^s_\rho}(c^s)(s_j) = c'(s_j)$. Therefore, for any $s \in S_0$, $\kappa(\mathit{count}_{C^s_\rho}(c^s))(s) = c'(s)$, and for $s \notin S_0$, $\kappa(\mathit{count}_{C^s_\rho}(c^s))(s) = 0$. Therefore, $\mathit{count}_{C^s_\rho}(c^s) \sqsubseteq c'$, which concludes the proof. ◀

Proof of Theorem 19. Proposition 17 yields the direct implication of Theorem 19. Indeed, for two counter-coherent configurations $c \sqsubseteq c' \in C$, item 3 implies that there exists $c^s \in C^s_\rho$ such that $\mathit{count}_{C^s_\rho}(c^s) = c$. Then, item 2 yields the existence of $c^{s'} \in C^s_\rho$ such that $c^s \sqsubseteq c^{s'}$ and $\mathit{count}_{C^s_\rho}(c^{s'}) = c'$. Now, by item 1, both $c^s$ and $c^{s'}$ are coherent. Therefore, Theorem 15 applies and implies that there exists a schedule $\sigma^s \in A^{s*}$ applicable at $c^s$ such that $c^s \star \sigma^s = c^{s'}$. Finally, Proposition 17 entails that the counter abstraction of this schedule is applicable at $c$ and that $c \star \mathit{count}_{A^s_\rho}(\sigma^s) = c'$.

Let us now show the converse implication. Consider $\sigma \in A^*$ applicable at $c$ such that $c \star \sigma = c'$. Consider $\ell \in \mathbb{N}$, $s \in S_\ell$ and $s' \in S_{\ell+1}$ such that $\mathit{flow}(c')(s, s') > 0$. If $\mathit{flow}(c)(s, s') > 0$, then by hypothesis $c \models \mathit{guard}(s, s')$. As $\mathit{guard}(s, s')$ is monotone, and as $\kappa(c) \sqsubseteq \kappa(c')$, $c' \models \mathit{guard}(s, s')$ as well. In the other case, the action $[s \to s']$ must appear in $\sigma$. Write $\sigma = \sigma' \cdot [s \to s'] \cdot \sigma''$. Then the same reasoning can be applied replacing $c$ with $c \star \sigma'$, which concludes the proof. ◀
Proof. Notice that the monotonicity of the guards in $G$ implies the monotonicity of the function $\mathit{eval}_G$. Consider a directed set of configurations $X \subset C$, a guard $g \in G$ and a variable $s \in S$ that appears in $g$. By continuity of $\kappa \colon C \to \mathbb{N}^S$, $\bigsqcup \kappa(X)(s) = \kappa(\bigsqcup X)(s)$, which is finite. Therefore, the left-hand least upper bound is reached at a configuration $c_s \in X$ with $\kappa(c_s)(s) = \kappa(\bigsqcup X)(s)$.
For every variable $s$ that appears in $g$, build such a configuration $c_s \in X$. As $X$ is directed, there exists a common upper bound $c \in X$ of all the $c_s$ (the set of variables that appear in $g$ is finite). Then $\kappa(c)$ is equal to $\kappa(\bigsqcup X)$ on all the variables that appear in $g$, and therefore $c \models g$ if and only if $\bigsqcup X \models g$. This means that $g \in \bigsqcup \mathit{eval}_G(X)$ if and only if $g \in \mathit{eval}_G(\bigsqcup X)$.
As this holds for every $g \in G$, $\bigsqcup \mathit{eval}_G(X) = \mathit{eval}_G(\bigsqcup X)$, which concludes the proof. ◀

C Complements for Section 4

Proof of Theorem 24
▶ Theorem 24. Let $c \in C$ be a configuration of $\mathit{unfold}(T^c)$ and $\mathit{eval}_G(c) \in 2^G$ its guard abstraction. If $c$ is counter-coherent, then $\mathit{fold}_G(\mathit{eval}_G(c)) \in L(GA_G(T^c))$.
Proof. Consider a counter-coherent configuration $c \in C$ and let $\mathit{fold}_G(\mathit{eval}_G(c)) = \gamma^c_0 \cdot \gamma^c_1 \cdots$. The proof of this theorem consists in checking that for any $\ell \in \mathbb{N}$, $(\gamma^c_\ell, \gamma^c_{\ell+1}) \in E$. This requires the existence of valuations $x_\ell \in \mathbb{N}^{S^c_{\ell \bmod k}}$, $y_\ell \in \mathbb{N}^{S^c_{\ell+1 \bmod k}}$ and $e_\ell \in \mathbb{N}^{S^c_{\ell \bmod k} \times S^c_{\ell+1 \bmod k}}$ such that the flow conditions (1) and (2) as well as the counter coherence (3) are locally satisfied at layer $\ell$. Let $\varphi_\ell$ denote the conjunction of the formulas (1), (2) and (3).
The idea of the proof is that $x$, $y$ and $e$ are already provided by $\kappa(c)$ and $\mathit{flow}(c)$, which satisfy $\varphi_\ell$ by hypothesis. However, the proof is somewhat complicated by the fact that both $\kappa(c)$ and $\mathit{flow}(c)$ concern variables in $\bigcup_{\ell \in \mathbb{N}} \{(s^c, \ell) \mid s^c \in S^c_{\ell \bmod k}\}$ rather than in $S^c$. The conditions in $\varphi$ were built such that the restriction of $\kappa(c)$ and $\mathit{flow}(c)$ to layers $\ell$ and $\ell+1$, with each variable $(s^c, \ell)$ folded back to $s^c$, satisfies $\varphi_\ell$. Hence valuations for $x$ and $y$ can be obtained from $\kappa(c)$ and $\mathit{flow}(c)$ as described above, and $(\gamma^c_\ell, \gamma^c_{\ell+1}) \in E_\ell$, which concludes the proof. ◀

Incompleteness of the Guard Automaton
As announced in the main part of the paper, the guard automaton abstraction is incomplete in general. The choice of the set of guards $G$ can lead to different guard automata and in turn to different sets of configurations. This can be illustrated on the LTA of Figure 3b, which is not cyclic, but for which a guard automaton can nevertheless be defined. Consider the set of guards $G = G_0 \cup G_1 \cup G_2$ with: The guard automaton generated by these guards is represented in Figure 6a. Notably, this guard automaton can generate a configuration where the guards $\{v_0 > 0, v_1 > 0, x > 0, \mathit{acc} > 0\}$ are true but not the guard $v_1 \ge t+1-f$, corresponding to (T F T, T, T). Assuming that such a configuration exists, there are at most $t-f$ processes in $v_1$ and, as the processes in $x$ can only have come from $v_1$, there are also at most $t-f$ processes in $x$. But it is assumed that $t-f < n-t-f$, meaning that the guard of $(x, \mathit{acc})$ is not satisfied. Therefore $\mathit{acc} = 0$, which is a contradiction.

Figure 6a: A guard automaton for reliable broadcast; the construction assumes $f \le t$, $2t < n$ and $v_0$. Figure 6b: The complete version of the automaton in Figure 6a. The dashed rectangle represents the state that was split in two compared to Figure 6a.
The reason why this configuration was added is that the guards in the second layer do not provide enough information to distinguish the different configurations. In this case, adding the guard $x \ge n-t-f$ solves the issue, as shown in Figure 6b.
In practice, the set $G$ will contain at least the guards that appear in the LTA. However, this condition is not sufficient to ensure the completeness of the guard automaton.

$G_1 = \{a' > 0, b' > 0, ab > 0, ba > 0, a'+b'+ab+ba \ge 3, ab+ba = 1\}$. For the sake of simplicity, consider only the states of the guard automaton where $a+b \ge 3$, $ba > 0$, $a'+b'+ab+ba \ge 3$ and $ab+ba = 1$ hold. The resulting automaton is represented in Figure 8. The idea behind this example is to implement a simple counter. Every two layers, a single process moves either from $a$ to $b$ or from $b$ to $a$. As the guard automaton does not 'remember' exactly how many processes are in each state, many configurations generated by this automaton cannot be instantiated in the LTA. For example, the run represented in Figure 9 can be generated by the guard automaton, but it cannot be concretised. Indeed, it starts with $b = 0$, then increments and decrements $b$ by one, and ends up with $b > 0$.
Eliminating these kinds of spurious counterexamples can be tricky. A first solution is to add guards. For example, adding the guard $b > 1$ to the automaton of Figure 8 would eliminate the counterexample of Figure 9. However, in the general case, 'guessing' such guards might not be possible. A more satisfying approach is to increase the order of the guard automata. So far, only guard automata of order 2 have been defined, meaning that each edge consists of the valuations of 2 successive layers. The notion can be generalised to more layers. For $n \ge 2$, the guard automaton of order $n$ is defined as $GA^n_G(T^c) = (\Sigma^{n-1}, E, 2^{G^c_0} \times \cdots \times 2^{G^c_{n-1}}, \mathit{src}, \mathit{dest}, \mathit{label})$ where: $\Sigma^{n-1}$ is the set of states.
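The order-2 construction (pairs of successive-layer valuations joined by an edge when some counter vectors $x$, $y$ and flow $e$ realise both valuations) and the counter example just discussed can be exercised together on a small model. The following Python script is an added illustration, not code from the paper or its implementation. It assumes a two-layer counter LTA with states $a, b$ at even layers and $a', b', ab, ba$ at odd layers, the transitions $a \to a'$, $a \to ab$, $b \to b'$, $b \to ba$ and back, no transition guards, the layer-1 guards $G_1$ given above, an assumed layer-0 guard set $\{a > 0, b > 0, a+b \ge 3\}$, and the restriction $ab + ba = 1$ on concrete configurations (in the spirit of the "at most one king" restriction). The SMT query of the paper, which decides each edge over unbounded counters, is replaced by brute-force enumeration of every concrete configuration for a few process counts; the edge set is therefore exact for those counts but may miss edges that only larger counts would justify. The names `guard_automaton`, `accepts`, `concretizable`, `spell`, `SPURIOUS` and `GENUINE` are the script's own.

```python
from itertools import product

# Constructed 2-layer counter LTA (assumption: the page gives only the layer-1
# guards; states, transitions and layer-0 guards are filled in to match the
# behaviour "every two layers one process moves from a to b or from b to a").
STATES = [["a", "b"], ["a'", "b'", "ab", "ba"]]
TRANS = [  # (source, destination) from layer l to layer (l + 1) mod 2; no transition guards
    [("a", "a'"), ("a", "ab"), ("b", "b'"), ("b", "ba")],
    [("a'", "a"), ("ab", "b"), ("b'", "b"), ("ba", "a")],
]
GUARDS = [  # guard name -> predicate over the counter vector of its layer
    {"a>0": lambda x: x["a"] > 0, "b>0": lambda x: x["b"] > 0,
     "a+b>=3": lambda x: x["a"] + x["b"] >= 3},
    {"a'>0": lambda x: x["a'"] > 0, "b'>0": lambda x: x["b'"] > 0,
     "ab>0": lambda x: x["ab"] > 0, "ba>0": lambda x: x["ba"] > 0,
     "a'+b'+ab+ba>=3": lambda x: sum(x.values()) >= 3,
     "ab+ba=1": lambda x: x["ab"] + x["ba"] == 1},
]
# The refinement suggested in the appendix: add b > 1 to the layer-0 guards.
REFINED = [{**GUARDS[0], "b>1": lambda x: x["b"] > 1}, GUARDS[1]]


def admissible(layer, x):
    """Restriction on concrete configurations (assumption): at layer 1 exactly one process moves."""
    return layer == 0 or x["ab"] + x["ba"] == 1


def letter(layer, x, guards):
    """Guard valuation of counter vector x, i.e. one letter of the alphabet Sigma."""
    return (layer, frozenset(g for g, holds in guards[layer].items() if holds(x)))


def compositions(total, parts):
    """Every tuple of `parts` naturals summing to `total`."""
    if parts == 1:
        yield (total,)
        return
    for first in range(total + 1):
        for rest in compositions(total - first, parts - 1):
            yield (first,) + rest


def successors(layer, x):
    """Next-layer counter vectors y reachable from x: each process in s takes one
    transition (s, s'); the flow e(s, s') is a split of x[s] over its transitions."""
    nxt = (layer + 1) % 2
    outs = {s: [t for (u, t) in TRANS[layer] if u == s] for s in STATES[layer]}
    splits = [list(compositions(x[s], len(outs[s]))) for s in STATES[layer]]
    for choice in product(*splits):
        y = {t: 0 for t in STATES[nxt]}
        for s, parts in zip(STATES[layer], choice):
            for t, count in zip(outs[s], parts):
                y[t] += count
        if admissible(nxt, y):
            yield y


def configurations(layer, n):
    """All admissible counter vectors of a layer for n processes."""
    for counts in compositions(n, len(STATES[layer])):
        x = dict(zip(STATES[layer], counts))
        if admissible(layer, x):
            yield x


def guard_automaton(guards, sizes):
    """Edge set E of the order-2 guard automaton. The paper decides each pair
    (gamma, gamma') by an SMT query over unbounded counters; here (assumption) the
    query is replaced by enumerating every concrete configuration with n in `sizes`."""
    edges = set()
    for layer in (0, 1):
        for n in sizes:
            for x in configurations(layer, n):
                for y in successors(layer, x):
                    edges.add((letter(layer, x, guards), letter((layer + 1) % 2, y, guards)))
    return edges


def accepts(edges, word):
    """Every layer-0 valuation is initial, so a word is a run iff each consecutive pair is an edge."""
    return all((u, v) in edges for u, v in zip(word, word[1:]))


def concretizable(word, guards, n):
    """Is there a run of the concrete LTA with n processes whose layer-by-layer abstraction is `word`?"""
    frontier = [x for x in configurations(0, n) if letter(0, x, guards) == word[0]]
    for i in range(1, len(word)):
        layer, seen, nxt = i % 2, set(), []
        for x in frontier:
            for y in successors((i - 1) % 2, x):
                key = tuple(y[s] for s in STATES[layer])
                if key not in seen and letter(layer, y, guards) == word[i]:
                    seen.add(key)
                    nxt.append(y)
        frontier = nxt
        if not frontier:
            return False
    return True


# Representative counter vectors used only to spell the letters of two words:
# the run of Figure 9 (b = 0, then +1, then -1, yet b > 0 at the end) and a genuine run.
SPURIOUS = [(0, {"a": 3, "b": 0}), (1, {"a'": 2, "b'": 0, "ab": 1, "ba": 0}),
            (0, {"a": 2, "b": 1}), (1, {"a'": 2, "b'": 1, "ab": 0, "ba": 1}),
            (0, {"a": 2, "b": 1})]
GENUINE = [(0, {"a": 3, "b": 0}), (1, {"a'": 2, "b'": 0, "ab": 1, "ba": 0}),
           (0, {"a": 2, "b": 1}), (1, {"a'": 2, "b'": 0, "ab": 0, "ba": 1}),
           (0, {"a": 3, "b": 0})]


def spell(run, guards):
    """Word of the guard automaton spelled by a sequence of (layer, counter vector)."""
    return [letter(layer, x, guards) for layer, x in run]


if __name__ == "__main__":
    E = guard_automaton(GUARDS, range(3, 7))
    w = spell(SPURIOUS, GUARDS)
    print("order-2 automaton accepts the Figure 9 word:", accepts(E, w))
    print("concretizable for some n in 3..6:", any(concretizable(w, GUARDS, n) for n in range(3, 7)))
    print("accepted after adding b > 1:", accepts(guard_automaton(REFINED, range(3, 7)), spell(SPURIOUS, REFINED)))
```

With the original guard set, the word spelled by the Figure 9 run is accepted (the edge from "$a > 0, b > 0, a+b \ge 3$" to "$a' > 0, b' > 0, ba > 0$" is justified by a configuration with $b = 2$) but no concrete run with 3 to 6 processes matches it, since the first letter forces $b = 0$ and a single increment leaves $b = 1$. Adding the guard $b > 1$ splits the layer-0 valuation, the offending edge disappears, and the same word is rejected; the genuine run stays accepted and concretizable.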