Logics for Concurrency: Structure versus Automata (Lecture Notes in Computer Science)

Lecture Notes in Computer Science Edited by G. Goos, J. Hartmanis and J. van Leeuwen Advisory Board: W. Brauer

D. Gries

J. Stoer

1043

Faron Moiler Graham Birtwistle (Eds.)

Logics for Concurrency Structure versus A u t o m a t a

~ Springer

Series Editors Gerhard Goos, Karlsruhe University, Germany Juris Hartmanis, Cornetl University, NY, USA Jan van Leeuwen, Utrecht University, The Netherlands

Volume Editors Faron Moller Department ofTeleinformatics, Kungl Tekniska H6gskolan Electrum 204, S-164 40 Kista, Sweden Graham Birtwistle School of Computer Studies, University of Leeds Woodhouse Road, Leeds LS2 9JT, United Kingdom

Cataloging-in-Publication data applied for

Die Deutsche Bibliothek - CIP-Einheitsaufnahme

Logics for concurrency : s t r u c t u r e versus a u t o m a t a / F a r o n M o l l e r ; G r a h a m B i r t w i s t l e (ed.). - B e r l i n ; H e i d e l b e r g ; N e w York ; Barcelona ; Budapest ; Hong Kong ; London ; Milan ; Paris ; Santa C l a r a ; S i n g a p o r e ; T o k y o 9 S p r i n g e r , 1996 (Lecture notes in computer science ; Voi. 1043) ISBN 3-540-60915-6 NE: Moiler, Faron [Hrsg.]; GT

CR Subject Classification (1991): F.3, F.4, E l , F.2

ISBN 3-540-60915-6 Springer-Verlag Berlin Heidelberg New York This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer -Verlag. Violations are liable for prosecution under the German Copyright Law. 9 Springer-Verlag Berlin Heidelberg 1996 Printed in Germany Typesetting: Camera-ready by author SPIN 10512588 06/3142 - 5 4 3 2 1 0

Printed on acid-free paper

Preface This volume is a result of the VIII TH BANFF HIGHER ORDER WORKSHOP held from August 27th to September 3rd, 1994, at the Banff Centre in Banff, Canada. The aim of this annual workshop (of which the VIII TH was the final) was to gather together researchers studying a specific, well-focussed topic, to present and contrast various approaches to the problems in their area. The workshop has been locally organised and hosted in Banff by Graham Birtwistle, at that time Professor of Computer Science at the University of Calgary, but currently Professor of Formal Methods at the University of Leeds. Originally the topics were chosen to reflect some aspect of higher-order reasoning, thus justifying the name of ~he workshop series, but the topics were allowed to diversify more and more as the years passed, so that the higher-order aspect became less and less adhered to. Thus for example, the previous three workshops were subtitled Functional Programming Research (1991, chaired by John Hughes, Glasgow); Advanced Tutorials on Process Algebra (1992, chaired by Faron Moller, Edinburgh); and Advanced Tutorials on Asynchronous Hardware Design (1993, chaired by A1 Davis, HP Labs, Palo Alto). The final workshop, held in 1994, was subtitled Logics for Concurrency: Structure versus Automata and was chaired by Faron Moller, Stockholm. The basic motivation for the workshop was to explore the apparent dichotomy which 9 exists in the area of process logics, particularly in the study of various temporal logics. On the one hand, the traditional approach has exploited automatatheoretic techniques which have been studied for decades; this approach is dominant in research carried out in North America. On the other hand, the "Eurotheory" approach is based more on exploiting structural properties involving aspects such as congruence and decomposability. The relaxed workshop format of having a set of three lectures from each of five speakers spread over eight days allowed this dichotomy to be revealed, dissected, and discussed in detail, providing for a great deal of friendly debate between proponents of each school. The five series of lectures were presented by Samson Abramsky (London); E. Allen Emerson (Austin); Voram Hirshfeld (Tel Aviv) and Faron Moller (Stockholm); Colin Stirling (Edinburgh); and Moshe Vardi (Rice). The proceedings of the workshop series have generally only been available informally; indeed they have usually only been informal documents, sometimes nothing more than photocopies of slides. However, as the final workshop so successfully met its goal of creating an environment for contrasting approaches, it was deemed a worthy exercise by all of the lecturers to provide post-workshop tutorial-style lecture notes, which explored the individual presentations with the benefit of hindsight, so as to provide a record of the presentations and discussions carried out at the workshop.

vI A c k n o w l e d g e m e n t s . The workshop from which this volume emerged was made possible through an operating grant from the Natural Sciences and Engineering Research Council of Canada. The ever-obliging staff of the Banff Centre made sure that everything ran smoothly and to plan. Professor Richard Guy presented an entertaining evening lecture midway through the workshop on Conway's "Game of Life," demonstrating how to construct a computer from components of "Life" such as gliders, ponds, spaceships, and eaters. Professor Przemys!aw Prusinkiewicz ("Dr P") gave an equally delightful after-dinner lecture following the final-evening banquet in which he presented a fascinating range of fractally-generated plants, including fractal reproductions of the works of Monet and Van Gogh. The notes included in this volume were reviewed openly and extensively by the editors and the various authors, as well as the following people, most of whom were attendees of the workshop (more specific acknowledgements are included with the various papers): Howard Barringer, Rick Blute, Robin Cockett, Oystein Haugen, Carton Kirkwood, Orna Kupferman, Phil Scott, David Spooner, Perdita Stevens, and David Walker. Finally, we would like to thank the lecturers themselves for their efforts in producing the following carefully considered lecture notes.

December 1995

Faron Moller, Stockholm Graham Birtwistle, Leeds

Contributors SAMSON ABRAMSKY is currently Professor of Computer Science at Imperial College of Science, Technology and Medicine, London, but will be moving to the University of Edinburgh in January 1996 to take up the newly-created Chair of Theoretical Computer Science. He has a Diploma in Computer Science from Cambridge University,and a P h D in Computer Science from London University. His research includes: domain theory in logicalform, the lazy lambda calculus, computational interpretationsof linear logic,strictnessanalysisfor higher-order and polymorphic functions, proofs as processes, game semantics and full abstraction for PCF, and interaction categories. His research interests include: programming language semantics and logics;concurrency; semantics-based program analysis;linear logic; and the integration of functional and process-based programming paradigms.

E. ALLEN EMERSON is a Bruton Centennial Professor in the Computer Sciences Department at the University of Texas at Austin. His general research interests include formal methods, distributed computing, real-time systems, logics of programs, and other applications of logic to computer science. Areas of special interest include the complexity and expressiveness of logical formalisms and automata on infinite objects. He has published a variety of papers in these areas. He received the BS degree in Mathematics from the University of Texas at Austin, and the PhD degree in Applied Mathematics from Harvard University. He serves on the editorial boards of several journals relating to formal methods and applied logic.

SIMON GAY is a Lecturer in Computer Science at Royal Holloway, University of London. He has an MA in Mathematics and a Diploma in Computer Science from the University of Cambridge, and a PhD in Computer Science from the University of London. His research interests include programming language semantics, concurrency theory, type theory, and linear logic. His current work focuses on the interaction categories approach to type systems for concurrency. YORAM HIRSHFELD received an MSc in Mathematics (non-standard analysis) from the Hebrew University, Jerusalem in 1969, and a PhD in Mathematical Logic (models of arithmetic) from Yale in 1972. Since then he has been at Tel Aviv University where his mathematical areas of research have been centred on mathematical logic, model theory and non-standard analysis. Since 1987 his main interests have been with applications of logic to computer science, particularly in concurrency theory.

viii

FAI:tON MOLLER is currently Vikariat Professor of Distributed Systems in the Department of Teleinformatics at the Kungl Tekniska HSgskolan, Stockholm. He finished his PhD thesis in Edinburgh under Robin Mitner's guidance in 1988. In his thesis he studied the decomposability of concurrent systems and its theoretical applicability. His present interests include the study of infinite state systems, particularly with a view of exploiting decomposability, as well as formalisms for real-time systems and automated proof systems. RAJAGOPAL NAGARAJAN is currently completing his PhD degree at Imperial College of Science, Technology and Medicine, London under the supervision of Professor Samson Abramsky. He received a Bachelor's degree in Chemical Engineering from the Indian Institute of Technology, Madras, and a Master's degree in Computer Science from the University of Delaware, Newark. He was employed as a Computer Scientist at ORA Corporation, Ithaca, New York, and as a Research Associate at the University of Calgary. His research interests include logic, concurrency theory, programming language semantics, automated reasoning, specification and verification of hardware and software, and semantic techniques for complexity. COLIN STIR.LING is Professor of Computer Science at the University of Edinburgh. He has researched for over 10 years in the theory of computation, particularly in concurrency theory and the application of modal and temporal logics to this area. With David Walker he introduced the notion of local model checking using semantic tableaux. He has also applied this technique to decidability results for bisimulation equivalence. MosIJ~. Y. VAaDI is a Noah Harding Professor and Chair of Computer Science at Rice University. His research interests include database theory, finite-model theory, knowledge theory, and program specification and verification. Before joining Rice University in 1993, he was a department manager at the IBM Almaden Research Center. Vardi is the recipient of 3 IBM Outstanding Innovation Awards. He was the program chair of the 6th ACM Symposium on the Principles of Database Systems (1987), the 2nd Conference on Theoretical Aspects of Reasoning about Knowledge (1988), and the 8th IEEE Symposium on Logic in Computer Science (1993). He is currently an editor of Information and Computation and the Journal of Computer and System Sciences.

Table of Contents Introduction

.............................................................

1

Specification Structures and Propositions-as-Types for Concurrency SAMSON ABRAMSKY, SIMON GAY AND RAJAGOPAL NAGARAJAN . . . . . . . . . . 5 1

Introduction ........................................................

5

2

Specification S t r u c t u r e s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

7

3

Interaction Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

12

3.1 T h e I n t e r a c t i o n C a t e g o r y S P r o c

12

2.1 E x a m p l e s of Specification S t r u c t u r e s

...............................

3.2 T h e I n t e r a c t i o n C a t e g o r y . A S P r o c

4

5

10

...........................

22

.............................

3.3 A S P r o c

as a C a t e g o r y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

22

3.4 . A S P r o c

as a * - A u t o n o m o u s C a t e g o r y . . . . . . . . . . . . . . . . . . . . . . . . . .

24

3.5 T i m e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

25

Specification S t r u c t u r e s for D e a d l o c k - F r e e d o m . . . . . . . . . . . . . . . . . . . . . .

25

4.1 T h e S y n c h r o n o u s Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

25

4.2 T h e A s y n c h r o n o u s Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

28

4.3 C o n s t r u c t i n g Cyclic N e t w o r k s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

33

The Dining Philosophers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

34

References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

39

A u t o m a t e d Temporal Reasoning about Reactive Systems E. ALLEN EMERSON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

41

1

Introduction .......................................................

41

2

Preliminaries ......................................................

43

2.1 R e a c t i v e S y s t e m s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

43

2.2 T e m p o r a l Logics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

44

2.3 M a n u a l versus M e c h a n i c a l R e a s o n i n g . . . . . . . . . . . . . . . . . . . . . . . . . . .

45

2.4 C T L * , C T L , a n d P L T L . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

47

2.5 M u - c a l c u l u s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

: .......

: ...................

3

Model Checking ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

4

Decision P r o c e d u r e s I: T a b l e a u - t h e o r e t i c A p p r o a c h . . . . . . . . . 4.1 O v e r v i e w . . . . . . . . .

5

6

51 56

: .......

: ...........................................

58 : 58

4.2 T a b l e a u - b a s e d Decision P r o c e d u r e for C T L . . . . . . . . . . . . . . . . . . . . .

59

Decision P r o c e d u r e s II: A u t o m a t a - t h e o r e t i c A p p r o a c h

63

..............

5.1 Linear T i m e a n d A u t o m a t a on Infinite S t r i n g s . . . . . . . . . . . . . . . . . .

64

5.2 B r a n c h i n g T i m e and Tree A u t o m a t a

65

...........................

Expressiveness versus C o m p l e x i t y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6.1 Tradeoffs . . . . . . . . . . . . . . . . . . . . . . . . . .

,. . . . . . . . . . . . . . . . . . . . . . . . . . .

6.2 Expressiveness Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

74 75 75

6.3 C o m p l e x i t y S u m m a r y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

77

6.4 A u t o m a t o n Ineffable Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

80

6.5 M u - c a l c u l u s is E q u i v a l e n t to Tree A u t o m a t a . . . . . . . . . . . . . . . . . . . .

81

6.6 Restricted T e m p o r a l Logics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

85

Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

92

References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

92

Decidability Results in Automata and P r o c e s s T h e o r y YORAM

i

HIRSHFELD AND

FARON

MOLLER

............................... 102

Preface ........................................................... G r a m m a r s and Processes .........................................

102 103

1.1 Context-Free G r a m m a r s ...................................... 1.2 Processes .....................................................

104 105

1.3 Context-Free Processes

106

.......................................

1.4 Concurrent Context-Free Processes ............................ 107 1.5 T h e Process Algebras B P A and B P P .......................... 109 2

Bisimulation Equivalence

.........................................

2.1 Composition and Decomposition

112

.............................. 116

2.2 E q u i v a l e n c e - P r e s e r v i n g T r a n s f o r m a t i o n s . . . . . . . . . . . . . . . . . . . . . . .

118

3

D e c i d a b i l i t y Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.1 C o n t e x t - F r e e Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

120 121

3.2 C o n c u r r e n t C o n t e x t - F r e e Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . .

125

4

A l g o r i t h m s for N o r m e d Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

130

4.1 C o n t e x t - F r e e Processes

130

.......................................

4.1.1 A l g o r i t h m i c concerns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

133

4.1.2 Simple context-free g r a m m a r s . . . . . . . . . . . . . . . . . . . . . . . . . . .

138

4.2 C o n c u r r e n t C o n t e x t - F r e e Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . .

139

References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

144

Modal and Temporal

Logics for Processes

COLIN STIRLING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

2

149 149 150

1.1 First examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

150

1.2 C o n c u r r e n t i n t e r a c t i o n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

154

1.3 Observable t r a n s i t i o n s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.4 R e n a m i n g a n d l i n k i n g . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

158 162

1.5 More c o m b i n a t i o n s of processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

164

Modalities a n d C a p a b i l i t i e s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

166

2.1 H e n n e s s y - M i l n e r logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

167

2.2 More m o d a l logics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

168

xI 2.3 Process equivalences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

170

2.4 I n t e r a c t i v e g a m e s and b i s i m u l a t i o n s . . . . . . . . . . . . . . . . . . . . . . . . . . .

173

2.5 M o d a l p r o p e r t i e s and equivalences . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.6 O b s e r v a b l e b i s i m u l a t i o n s

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

177 .

.

.

.

2.7 E q u i v a l e n c e checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

4

179 181

Temporal Properties ..............................................

184

3.1 M o d a l p r o p e r t i e s revisited . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

184

3.2 Processes a n d their runs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

185

3.3 M o d a l e q u a t i o n s and fixed p o i n t s . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

188

3.4 M o d a l m u - c a l c u l u s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

190

3.5 A p p r o x i m a n t s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

193

3.6 E m b e d d e d a p p r o x i m a n t s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

197

3.7 P r e s e r v a t i o n of b i s i m u l a t i o n e q u i v a l e n c e . . . . . . . . . . . . . . . . . . . . . . .

200

3.8 E x p r e s s i n g p r o p e r t i e s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

202

Verifying T e m p o r a l P r o p e r t i e s 4.1 G a m e s a n d c o n s ta n t s

5

.

....................................

.........................................

206 206

4.2 T a b l e a u x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

211

4.3 R e f i n e m e n t of g a m e s a n d t a b l e a u x

............................

215

4.4 G a m e g r a p h s a n d a l g o r i t h m s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

219

4.5 G e n e r a l i z i n g t a b l e a u x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

221

4.6 Well f o u n d e d n e s s

227

.............................................

Concluding Comments ............................................

232

References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

234

A n A u t o m a t a - T h e o r e t i c A p p r o a c h t o Linear T e m p o r a l Logic MOSHE Y. VARDI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

238

1

Introduction ......................................................

238

2

Automata Theory

239

................................................

2.1 A u t o m a t a on F i n i t e W o r d s - C lo s u r e . . . . . . . . . . . . . . . . . . . . . . . . . .

239

2.2 A u t o m a t a on Infinite W o r d s - C l o s u r e . . . . . . . . . . . . . . . . . . . . . . . .

241

2.3 A u t o m a t a on F i n i t e W o r d s - A l g o r i t h m s . . . . . . . . . . . . . . . . . . . . . .

245

2.4 A u t o m a t a on Infinite W o r d s - A l g o r i t h m s . . . . . . . . . . . . . . . . . . . . .

247

2.5 A u t o m a t a on F i n i t e W o r d s - A l t e r n a t i o n . . . . . . . . . . . . . . . . . . . . . .

248

2.6 A u t o m a t a on Infinite W o r d s - A l t e r n a t i o n . . . . . . . . . . . . . . . . . . . .

251

3

Linear T e m p o r M Logic a n d A u t o m a t a on Infinite W o r d s . . . . . . . . . . .

253

4

Applications ......................................................

256

4.1 S a t i s f i a b i l i t y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

256

4.2 Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

256

4.3 S y n t h es i s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

258

References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

263

Introduction There has been a great deal of effort spent on developing methodologies for specifying and reasoning about the logical properties of systems, be they hardware or software. Of particular concern are issues involving the verification of safety and liveness conditions, which may be of mammoth importance to the safe functioning of a system. While there is a large body of techniques in existence for sequential program verification, current technologies and programming languages permit for ever greater degrees of distributed computation, which make for a substantial increase in both the conceptual complexity of systems, as well as the complexity of the techniques for their analysis. One fruitful line of research has involved the development of process logics. Although I-Ioare-style proof systems have been successful for reasoning about sequential systems, they have only been of minor impact when primitives for expressing concurrent computation are introduced. Of greater importance in this instance are, for example, dynamic, modal, and temporal logics. Such logics express capabilities available to a computation at various points of time during its execution. Two major varieties of such logics exist: linear-time logics express properties of complete runs, whilst branching-time logics permit a finer consideration of when choices within computation paths are made. The study of such logics is now quite broad and detailed. There is, however, a perceived dichotomy which exists in the area of temporal logic research; a divide which appears to be defined to a large extent by geography (though, as with all things, this :division is far from clear-cut). On the one hand, the North American approach has exploited automata-theoretic techniques which have been studied for decades. The benefit of this is the ability to adapt theoretical techniques from traditional automata theory. Hence, for example, to verify that a particular system satisfies a particular property, one would construct an automaton which represents in essence the cartesian product of the system in question with the negation of the property in question, and thus reduce the problem to one of emptiness of the language generated by an automaton. One obvious drawback to this approach is the overhead incurred in constructing such an automaton: even if the system being analysed can be represented by a finite-state automaton, this automaton will typically be of a size which is exponential in its description (due to the so-called state space explosion problem), and hence this approach to the verification problem will be (at least) exponential in the worst case. Of course this approach is inapplicable to infinite-state systems unless you first introduce symbolic techniques for encoding infinite sets of states efficiently. On the other hand, the "Eurotheory" approach to the verification problem is based more on exploiting structural properties. The essence of this approach is to work as far as possible with the syntactic system and property descriptions

rather than their semantic interpretations as automata. Typically this involves the development of tableau-based proof systems which exploit congruence and decomposition properties. This allows more of a so-called "local" model checking technique which feasibly could handle even infinite-state systems, as the overhead of constructing the relevant semantic automata is avoided. Whichever approach is considered, there are common goals which are stressed. Firstly and of utmost importance, the methodology must be faithful to the system descriptions being modelled, as well as to the intended properties being defined. The methodology must be sound with respect to its intended purpose. Of great importance as well is the ability to automate the techniques; as economically- and safety-critical systems being developed become more and more complex, the need for automated support for their verification becomes an imperative of ever greater importance. Mechanical procedures for carrying out the verification of such properties are required due to the sheer magnitude of the systems to be verified. Beyond this, such algorithms must be tractable. There will clearly be trade-offs between the expressivity of a formalism employed to define system properties, and the complexity of the verification of these properties. The verification procedures, beyond being sound, must be effective, as well as of an acceptable level of time- and space-complexity. In this volume are to be found five tutorial-style presentations of various approaches to the verification problem, each of which addresses some or all of the above concerns. Themes which arise repeatedly throughout the presentations are: -

-

What are suitable formalisms for expressing system properties? How expressive are these formalisms?

- How difficult are they to employ, both conceptually and computationally? -

What are the advantages and drawbacks when comparing formalisms?

Three of the five presentations concentrate on linear- and branching-time temporal logics (Emerson, Stirling, Vardi); one on process equivalence with an emphasis on infinite-state systems (I-Iirshfeld & Molier); and the fifth on a novel category-theoretic approach to verification (Abramsky, Gay & Nagarajan). Each contribution can be taken in isolation to form the basis of a short course of study, the length of each being reflected in the length of the contribution. However, the presentations generally contrast and complement each other in often delightful ways, so the ideal approach to studying this volume would be to keep this complementary nature of the presentations in mind. We finish this introduction with a brief synopsis of each of the five contributions appearing in this volume.

The paper by Samson Abramsky, Simon Gay, and Rajagopal Nagarajan, Specification structures and propositions-as-types for concurrency, introduces the reader via "Hoare triples" to specification structures, a framework for combining general notions of logical properties with general methods for verification. These are then employed within the authors' earlier framework of interaction categories for synchronous and asynchronous processes to provide a mechanism for expressing properties. Interaction categories were introduced to unify transformational and reactive programming paradigms, which respectively represent general frameworks underlying functional programming and concurrent computation. The mechanism developed resembles the provision of a type system for process algebras which can be used to support verification. As examples of the application of the approach, the paper details how a specification structure can be provided to permit the expression of deadlock-freedom. In the end, the problem of the dining philosophers is used to great effect to demonstrate the application of the techniques in practice. The paper by E, Allen Emerson, Automated temporal reasoning about reactive systems, presents a wide range of complexity and expressiveness results for a number of linear- and branching-time temporal logics. The paper stresses the trade-offs between the complexity of various algorithms for satisfiability and model-checking, presenting essentially optimal automated algorithms for a number of such problems, and the expressibility of the different temporal logics. The two varieties of algorithms, automata-theoretic and tableau-based, are explored and interestingly contrasted. This in-depth overview is presented with an emphasis on underlying intuition, and includes an extensive bibliography for the reader to follow up the topics discussed in far greater detail. The paper by Yoram Hirshfeld and Faron Moller, Decidability results for automata and process theory, invites the reader to investigate the theory of contextfree grammars in a process-theoretic framework, where composition (juxtaposition of symbols)represents either sequential composition or parallel composition. It is demonstrated how each of these interpretations leads to a familiar process algebra. Many standard results are encountered, for example that regular grammars give rise to finite-state automata. However, surprising and unexpected results are also encountered, particularly regarding the decidability of process equivalence between automata denoted by general context-free grammars; these results contrast strikingly with the well-known undecidability results in language theory for context-free languages. Beyond this, non-trivial sub-classes are identified where tractable algorithms are proven to exist for the process equivalence problem. The paper by Colin Stir!ing, Modal and temporal logics for processes, motivates and presents the modal mu-calculus, a very expressive temporal logic, as

a simple modal logic (Hennessy-Milner logic) equipped with fixed points for expressing safety and liveness properties. The presentation opens with a discussion of processes and transition graphs, the model of concurrent computation over which temporal properties are defined. Modal properties are then introduced in the guise of expressing capabilities, and fixed points are then motivated for defining perpetual properties. A novel feature of the presentation is the use of games as an intuitive framework for explaining satisfiability, as well as for introducing tableau-based algorithms for the model-checking problem. One benefit of this "local" model checking approach is its applicability to the verification of properties of infinite-state processes, a theme which is explored in detail in the presentation. Finally, the paper by Moshe Vardi, An automata-theoretic approach to linear temporal logicl presents the reader with an introduction to the theory of automata on infinite words by way of the more familiar theory of automata on finite words, and demonstrates its use for analysing linear-time temporal properties of infinite computations. Its application to each of program specification, verification, and synthesis is carefully motivated and demonstrated.

Specification Structures and Propositions-as-Types for Concurrency* Samson A b r a m s k y

Simon Gay

Rajagopal Nagarajan

Department of Computing, Imperial College of Science, Technology and Medicine, London, UK. email: {sa, sjg3 ,rn4}@doc. ic. ac.uk.

Abstract. Many different notions of "property of interest" and methods of verifying such properties arise naturally in programming. A general framework of "Specification Structures" is presented for combining different notions and methods in a coherent fashion. This is then applied to concurrency in the setting of Interaction Categories. As an example, we present a type system for concurrent processes strong enough to guarantee deadlock-freedom, and expressive enough to allow the treatment of some standard examples from the literature. This is illustrated using the classic Dining Philosophers problem.

1

Introduction

Type Inference and Verification are two main paradigms for constraining the behaviour of programs in such a way as to guarantee some desirable properties. Although they are generally perceived as rather distinct, on closer inspection it is hard to make any very definite demarcation between them; type inference rules shade into compositional proof rules for a program logic. Indeed, type inference systems, even for the basic case of functional programming languages, span a broad spectrum in terms of expressive power. Thus, ML-style types [31] are relatively weak as regards expressing behavioural constraints, but correspondingly tractable as regards efficient algorithms for "type checking". System F types [21] are considerably more expressive of polymorphic behaviour, and System F typing guarantees Strong Normalization. However, System F cannot express the fact that a program of type list[nat] ~ list[nat] is actually a sorting function. Martin-LSf type theory, with dependent types and equality types, can express complete total correctness specifications. In the richer theories, t y p e checking is undecidable [35]. * This research was supported by EPSRC project "Foundational Structures in Computer Science", and EU projects "CONFER" (ESPRIT BRA 6454) and "COORDINATION" (ESPRIT BRA 9102).

One might try to make a methodological distinction: post-hoc verification vs. constructions with intrinsic properties. However, this is more a distinction between ways in which Type Inference/Verification can be deployed than between these two formal paradigms. We suggest that it is the rule rather t h a n the exception that there are many different notions o f "properties of interest" for a given computational setting. Some examples: -

Even in the most basic form of sequential programming, it has proved fruitful to separate out the aspects of partial correctness and termination, and to use different methods for these two aspects [16].

- In the field of static analysis, and particularly in the systematic framework of abstract interpretation [23], a basic ingredient of the methodology is to use a range of non-standard interpretations to gain information about different properties of interest. -

In concurrency, it is standard to separate out classes of properties such as safety, liveness, and fairness constraints, extending into a whole temporal hierarchy, and to apply different methods for these classes [27].

The upshot of this observation is that no one monolithic type system will serve all our purposes. Moreover, we need a coherent framework for moving around this space of different classes of properties. The basic picture we offer to structure this space is the "tower of categorieS": Co ~"~Cl +-"~Cq +-~-"~"~Ck. The idea behind the picture is that we have a semantic universe (category with structure) Co, suitable for modelling some computational situation, but possibly carrying only a very rudimentary notion of "type" or "behavioural specification". The tower arises by refining Co with richer kinds of property, so that we obtain a progressively richer setting for performing specification and verification 1. We will now proceed to formalize this idea of enriching a s e m a n t i c universe with a refined notion of property in terms of Specification Struc-

tures. a Of course, non-linear patterns of refinement--trees or dags rather than sequences-can also be considered, but the tower suffices to establish the m~n ideas.

2

Specification Structures

The notion of specification structure, at least in its most basic form, is quite anodyne, and indeed no more than a variation on standard notions from category theory. Nevertheless, it provides an alternative view of these standard notions which is highly suggestive, particularly from a Computer Science point of view. Similar notions have been studied, for a variety of purposes, by Burstall and McKinna [28], O'Hearn and Tennent [32], and Pitts [33]. D e f i n i t i o n 1. Let C be a category. A sl~ecification structure S over C is defined by the following data: - a set P A of "properties over A", for each object A of C. - a relation RA,B C_ P A • C(A, B) x P B for each pair of objects A, B of C. We write ~ { f } r for RA,B(Cp, f , r ("Hoare triples"). This relation is required to satisfy the following axioms, for f : A ~ B, g : B --* C, ~ E P A , C E PB and0EPC: ~{idA)~ ~p{f}r162

'.- ~ { f ;g)8

(sl) (s2)

The axioms (sl) and (s2) are typed versions of the standard Hoare logic axioms for "sequentiM composition" and "skip" [16]. Given C and S as above, we can define a new category Cs. The objects are pairs (A,~) with n e 0b(C) and ~ e P A . A morphism f : ( d , ~ ) --* (B, r is a morphism f : A --* B in C such that ~ { f } r Composition and identities are inherited from C; the axioms (sl) and (s2) ensure that Cs is a category. Moreover, there is an evident faithful functor

C~Cs given by A ~ (A,~). In fact, the notion of "specification structure on C" is coextensive with that of "faithful functor into C'. Indeed, given such a functor F : D -+ C, we can define a specification structure by: P A = {~ e Oh(D)I F(~ ) = A}

(by faithfulness, a is unique if it exists). It is easily seen t h a t this passage from faithful functors to specification structures is (up to equivalence) inverse to t h a t from S to C ~-~ C s . A more revealing connection with s t a n d a r d notions is yielded by the observation t h a t specification structures on C correspond exactly to lax functors from C t o T6~l, the category of sets and relations. Indeed, given a specification structure S on C, the object part of the corresponding functor R : C --+ T~el is given by P, while for the arrow part we define

R ( f ) = {(~, r

~{f}r

T h e n (sl) and (s2) become precisely the s t a t e m e n t t h a t R is a lax functor with respect to the usual order-enrichment o f T & / b y inclusion of relations: idR(A) C R(idA)

R(f) ; R(g) g R(f ;g). Moreover, the functor (2 ~ C s is the lax fibration arising from the Grothendieck construction applied to R. The notion of specification structure acquires more substance when there is additional structure on C which should be rifted to Cs. Suppose for example t h a t C is a monoidal category, i.e. there is a bifunctor | : Ca --+ C, an object I, and natural isomorphisms

assocA,B,C : (A | B) | C ~- A | (B | C) unitlA : unitrA :

I | A-

A

A| I ~ A

satisfying the s t a n d a r d coherence equations [26]. A specification s t r u c t u r e for C must then correspondingly be extended with an action |

: PA • PB ~ P(A | B)

and an element u E P I satisfying, for f : A --+ B, f ' : A' --+ B' and properties ~o, ~#, r r 0 over suitable objects: qo{f)r qo'{f')r ==~ ~o @ ~o'{f | f ' } r @ r

| r | O{a socA,B,c} | (r | O) u| r @ u{unitrA}~. Such an action extends the corresponding lax functor R : C --+ T~el to a lax monoidal functor to Rzl equipped with its s t a n d a r d monoidal structure based on the cartesian product.

Now assume t h a t C is symmetric monoidai closed, with natural isom o r p h i s m symmA, B : A @ B = B | A, and internal h o m --o given by the adjunction C(A @ B , C ) ~ - C ( A , B - o C).

Writing A ( f ) : A ~ B --o C for the m o r p h i s m corresponding to f : A @ B --* C under the adjunction, we require an action ---OA,B: P A

P B ~ P ( A --o B )

•

and axioms

~P| r162 -o r

7~ | r

|

~

|

,{ewlA,B}r ~ { A ( f ) } r ---o ~o.

Going one step further, suppose t h a t C is a . - a u t o n o m o u s category, i.e. a model for the multiplicative fragment of classical linear logic [11], with linear negation ( - ) • where for simplicity we assume t h a t A •177= A. T h e n we require an action (--)A~: P A --* P A • satisfying 7~•177_- ~p --o r = | r177177 Under these circumstances all this structure on C lifts to Cs. For example, we define

(A, 7~) | (B, r = (A | B, ~p|

r

(A, 7~)• = ( A • (A, ~2) --o (B, r = (A --o B, ~ ---OA,S r All the constructions on morphisms in Cs work exactly as t h e y do in C, the above axioms guaranteeing t h a t these constructions are well-defined in Cs. For example, if f : (A, 7~) --* (B, r and g : (A', 7~') --+ (B', r then f| (A | A',7~ | 7~') --* ( B | B ' , r | r Moreover, all this structure is preserved by the faithful functor C *-~ Cs. The above example of structure on C is illustrative. Exactly similar definitions can be given for a range of structures, including:

]0

- models of Classical (or I n t u i t i o n i s t i c ) L i n e a r Logic including the additives and exponentials [10] - cartesian closed categories [15] - models of polymorphism [15].

2.1

Examples of Specification Structures

In each case we specify the category C, the assignment of properties P to objects and the Hoare triple relation. . C = Set, P X = X , a { f } b =_ f ( a ) = b. In this case, Cs is the category of pointed sets. . C = T~l, P X = P X , S { R } T = Vx E S.{y [ x R y } C_ T. This i s essentially a typed version of dynamic logic [25], with the "Hoare triple relation" specialized to its original setting. If we take S|

sk=x\s then Cs becomes a model of Classical Linear Logic. . C = "r~el, P X = { C c_ x 21 c = C ~ C n idx = ~ } ,

C { R } D ~ x C x t, x R y , x'Ry' ~ y D y ~. C | D =

{((x,x'),(y,y'))lxCy

^ x'Dy'}

C~. = X 2 \ ( C U i d x ) . CS is the category of coherence spaces and linear maps [20]. . c : s e t , p x = { ~ : ~ -~ x I W e x . 3 ~ s { f } t - 3• ~ w . / o s ~_ t o ~

e ~ . ~ ( ~ ) = ~},

where ~,~ is the n t h partial recursive function in some acceptable numbering [34]. T h e n Cs is the category of modest sets, seen as a full subcategory of w-Set [10].

1]

. C = the category of SFP domains, PD = gY2(D)(the compact-open subsets of D),

U { f } Y =_ U g f - l ( Y ) . This yields (part of) Domain Theory in Logical Form [2], the other part arising from the local lattice-theoretic structure of the sets PD and its interaction with the global type structure. 6. C = games and partial strategies, as in [9], PA = all sets of infinite plays, U{a}V iff a is winning with respect to U, V in the sense Of [7]. Then Cs is the category of games and winning strategies of [7]. These examples show the scope and versatility of these notions. Let us return to our picture of the tower of categories:

Co ~ C 1 ~ C 2 ~ . - .

~Ck.

Such a tower arises by progressively refining Co by specification structures S ] , . . . , Sk so that

c +1 =

)s,+l.

Each such step adds propositional information to the underlying "raw" computational entities (morphisms of Co). The aim of verification in this framework is to "promote" a morphism from ~ to Ej, i < j. That is, to promote a Co morphism f : A ~ B to a Ck morphism

f : (A, ~ 1 , - . . , ~k) ~ (B, •1,..., ~)k) is precisely to establish the "verification conditions" k

A

i=l

Once this has been done, by whatever means model checking, theorem proving, manual verification, etc. the morphism is now available in Ck to participate in typing judgements there. In this way, a coherent framework for combining methods, including both compositional and non-compositional approaches, begins to open up. We now turn to the specific applications of this framework which i n fact originally suggested it, in the setting of the first author's interaction categories.

]2

3

Interaction Categories

Interaction Categories [1, 3, 4, 6] are a new paradigm for the semantics of sequential and concurrent computation. This term encompasses certain known categories (the category of concrete data structures and sequential algorithms [12], categories of games [7], geometry of interaction categories [8]) as well as several new categories for concurrency. The fundamental examples of concurrent interaction categories are 8T'roc, the category of synchronous processes, and AbV)roc, the category o f asynchronous processes. These categories will be defined in this section; others will be constructed later by means of specification structures over SProc and .,4S'f)roc. The general picture of these categories is that the objects are types, which we also think of as specifications; the morphisms are concurrent; processes which satisfy these specifications; and composition is interaction, i.e. an ongoing sequence of communications. The dynamic nature of composition in interaction categories is one of the key features, and is in sharp contrast to the functional composition typically found in categories of mathematical structures. There is not yet a definitive axiomatisation of interaction categories, although some possibilities have been considered [18]. The common features of the existing examples are that they have .-autonomous structure, which corresponds to the multiplicative fragment of classical linear logic [20]; products and coproducts, corresponding to the additives of linear logic, and additional temporal structure which enables the dynamics of process evolution to be described. Furthermore, SProc has suitable structure to interpret the exponentials ! and ?, and is thus a model of full classical linear logic. 3.1

T h e I n t e r a c t i o n C a t e g o r y ,S'Proc

In this section we briefly review the definition of SProc, the category of synchronous processes. Because the present paper mainly concerns the use of specification structures for deadlock-freedom, we omit the features of SProc which will not be needed in later sections. More complete definitions c a n be found elsewhere [1, 6, 18]. An object of SProc is a pair A = (~'A, SA) in which "~A is an alphabet (sort) of actions (labels) and SA C_n~pr~/E~ is a safety specification, i.e. a non-empty prefix-closed subset of Z~. If A is an object of 8Proc, a process of type A is a process P with sort ~A such that traces(P) C SA. Our notion of process is labelled transition system, with strong bisimulation

13

as the equivalence. We will usually define processes by means of labelled transition rules. If P is a labelled transition system, traces(P) is the set of sequences labelling finite paths from the root. The set of sequences labelling finite and infinite paths is alltraces(P) and the set of sequences labelling infinite paths is inftraces(P). The following coinductive definition is equivalent to this description.

alltraces(P)

aef {e} U {aa I P

~' Q, a E

alltraces(Q)}

traces(P) clef { a E alltraces(P) [ a is finite} inftraces(P) de__f{a E alltraces(P)[ a is infinite}. The fact that P is a process of type A is expressed by the notation P : A. The most convenient way of defining the morphisms of SProc is first to define a .-autonomous structure on objects, and then say that the morphisms from A to B are processes of the internal hom type A --o B. This style of definition is typical of interaction categories; definitions of categories of games [7] follow the same pattern. Given objects A and B, the object A | B has

EA| SA|

X ES d~f {a E Z ~ S

I fst*(~) E SA,srld*(o') E ,5'B}.

The duality is trivial on objects: A • a cf A. This means that at the level of types, ,ST)roc makes no distinction between input and output. Because communication in SProc consists of Synchronisation rather than valuepassing, processes do not distinguish between input and output either. The definition of | makes clear the extent to which processes in SProc are synchronous. An action performed by a process of type A @ B consists of a pair of actions, one from the alphabet of A and one from that of B. Thinking of A and B as two ports of the process, synchrony means that at every time step a process must perform an action in every one of its ports. For simplicity, we shall work with .-autonomous categories in which A •177= A, and A --o B d_ef (A @ B• • A ~2 B ~ f (A • | B-L) • In SProc, we have A = A J-, and hence A ~g B = A ---o B = A | B. Not all interaction categories exhibit this degeneracy of structure: in particular the category S7)rocD of deadlock-free pro cesses, which will b e defined in Section 4, gives distinct interpretations to | and ~.

14 A morphism p : A --+ B of ,gl~oc is a process p of type A --r B (so p has to satisfy a certain safety specification). Since A ---o B = A | B in ,b'Proc, this amounts to saying t h a t a morphism from A to B is a process of type A | B. The reason for giving the definition in terms of --r is that it sets the p a t t e r n for all interaction category definitions, including cases in which there is less degeneracy. I f p : A--* B and q : B ~ C t h e n the c o m p o s i t e p ; q : A--* C i s defined by labelled transitions. P (a,b! p,

q (b,c) q,

P ; q (a,c! pl ; ql At each step, the actions in the common type B have to match. The processes being composed constrain each other's behaviour, selecting the possibilities which agree in B. For example, if p and q are as shown:

then p ; q is this tree.

(a, C)

This ongoing communication is the "interaction" of interaction categories. If the processes in the definition terminated after a single step, so that each could be considered simply as a set of pairs, then the labelled transition rule would reduce to precisely the definition of relationM composition. This observation leads to the ~:~oc slogan: processes are relations

extended in time. The identity morphisms are synchronous buffers or wires: whatever is received by ida : A ~ .4 in the left copy of _4 is instantaneously transm i t t e d to the right copy (and vice versa--there is no real directionality). The following auxiliary definition helps to define the identity processes. If P is a process with sort N and S C_'~pr~1 2;* then the process P[S, Mso with sort •, is defined by the transition rule

p

a,.Q

aES

a Qr(S/a)

15

where S/a ~f {a I aa E S}. Note that the condition a E S in the transition rule refers to the singleton sequence a r a t h e r t h a n the action a. We make no notational distinction between these uses of a. The identity morphism idA : A ~ A is defined by ida ~f id [SA---oA where the process id with sort Z A is defined by the transition rule

aESA id

(a,a!

id.

Proposition 2. SProc is a category.

Proof. The proof that composition is associative and that identities work correctly uses a coinductive argument to show that suitable processes are bisimilar. Full details can be found elsewhere [1, 6]. []

,5~voc a s a . - A u t o n o m o u s Category The definitions of @ and ( - ) • can now be extended to morphisms, making t h e m into functors. If p : A~Candq:B--+Dthenp|174177 :C • • are defined b y transition rules.

P (a,c! p,

q (b,d! q,

P (a,c! p,

P | q ((a,b),(c,d)! ff | q,

p• (c,~! p,•

The tensor unit I is defined by

z~I de--f{*)

SI clef {,n In < W).

The following notation provides a useful way of defining the structural morphisms needed to specify the rest of the , - a u t o n o m o u s structure. If P is a process with sort Z , and f : Z --" Z ~ is a partial function, then P[f] is the process with sort ~ defined by P

~, Q

a E dora(f)

p[f] .f(a! Q[f]. The canonical isomorphisms unitlA : I | A ~ A, unitrA : A | I ~ A, assocA,B,C : A | (B | C) -~ (A | B) @ C and symmA, B : A @ B - B @ A are defined as follows. Here we are using a pattern-matching notation t o define the partial functions needed for the relabelling operations; for

16

example, (a, a) ~-* ((,, a), a) denotes the partial function which has the indicated effect when its arguments are equal. unitlA unitrA

def

ida[(a, def idA[(a,a) =

def

((,, a),a)] ((a, ,),a)]

((a,(b,c)),((a,b),c))] ((a,b),(b,a))].

assoCA,B,C def symmA,B

If f : A | B --+ C then A ( f ) : A ~ (B --o C) is defined b y

A ( f ) def f [ ( ( a , b ) , e ) ~ (a,(b,e))]. The evaluation morphism APA,B : (A --o B) | A --~ B is defined by def

APA, B = idA--oB[((a,b),(a,b))~--~ (((a,b),a),b)]. All of the structural morphisms are essentially formed from identities, and the only difference between f and A ( f ) is a reshuffling of ports. In each of the above uses of relabelling, the partial function on sorts is defined by means of a pattern-matching notation; the function is only defined for arguments which fit the pattern. If P is a process of type A then P[a ~ (.,a)] is a morphism I A which can be identified with P. This agrees with the view of global elements (morphisms from I, in a .-autonomous category) as inhabitants of types. P r o p o s i t i o n 3. SProc is a compact closed category.

Proof. Verifying the coherence conditions for | is straightforward, given the nature of the canonical isomorphisms as relabelled identities. The properties required of A and Ap are equally easy to check. Since ( - ) • is trivial, it is automatically an involution. This gives the ,-autonomous structure; compact closure follows from the coincidence of | and ~g. E] C o m p a c t C l o s u r e a n d M u l t i - C u t As we have already seen the linear type structure of SProc is quite degenerate. Specification structures can be used to enrich the specifications of SProc to stronger behavioural properties. This will have the effect of "sharpening up" the linear type structure so that the degeneracies disappear. Our point here is that the looser type discipline of 6"Proc can actually be useful in that it permits the flexible construction of a large class of processes within a typed framework. In particular, compact closure validates

17

a very useful typing rule which we call the multi-cut. (This is actually Gentzen's MIX rule [19] b u t we avoid the use of this term since Girard has used it for quite a different rule in the context of Linear Logic.) The usual Cut Rule

F F,A

~ A,A •

~-F,A allows us to plug two modules together by an interface consisting of a single "port" [5]:

A

A•

This allows us to connect processes in a tree structure

o o o

9

.

.

.

.

.

o o o

b u t not to construct cyclic interconnection networks

t8

~ 1 7 6 1 7 6

such as the Scheduler described in [30]. The problem with building a cycle is at the last step where we have already connected

To connect

we must plug both a ancl fl simultaneously into the existing network. This could be done if we had the following "binary" version of the cut rule

r,A~,A~

~ ~,A~,A~

~F,A or more generally the "multi-cut": F- F, A

F- F', A • f- F, F'

This rule is not admissible in Linear Logic and cannot in general be interpreted in Linear Categories. However it can always be canonically interpreted in a compact closed category (and hence in particular in SProc) as the following construction shows. Let [' = A 1 , . . . A m , F' = B 1 , . . . B , ~ , A = C 1 , . . . C k . We write .4 = A1 |

"" |

A,~,

[~

"~ B1 (~ "'" ~ B n ,

C ~ = (c~ | 1 7 4

C -'- C1 ~ * .. ~ C k

~ ~- c,* | 1 7 4

]9 Suppose t h a t the proofs of F F, A and ~- F ~, A r are interpreted by morphisms 1:I , A | C', g : I > /3' | C • respectively. T h e n we can construct the required m o r p h i s m I as follows:

~ .4 @/~

I l"

(unit)

I@I f|

(4 | ~) | ([~ | ~L) (canonical isos)

|

| Cl~) | ...| (Ck | C t )) | JB (evaluation)

A|174174174 1

(unit)

A| (Note t h a t in a compact closed category I = _l_ so A • = A - o I.) In the case where k = 1 this construction is the internalization of composition in the category (using the a u t o n o m o u s s t r u c t u r e ) s o it properly generalizes the s t a n d a r d interpretation of Cut. For some related notions which have arisen in work on coherence in compact closed categories, see [13, 24].

20

,5"Proc as a L i n e a r C a t e g o r y ,57)roc also has structure corresponding to the linear logic exponentials ! and ?. We will not need this structure in the present paper; details can be found elsewhere [1, 6, 18].

Non-determinism We can define the non-deterministic s u m exactly as in CCS. If p, q : A --+ B then p + q is defined by P (~,b! p,

q (a,b! q,

P + q (~,b! p,

P + q (a,b! q,

For any objects A and B, there is a m o r p h i s m nil : A --* B which has no transitions. The non-deterministic sum and the nil morphisms exist for quite general reasons: SProc has biproducts, and it is standard t h a t this yields a commutative monoid structure on every homset [26]. In the present p a per, we have defined + directly as we will not make any other use of the products, and coproducts. T i m e So far, none of the constructions in SProc have m a d e use of the fact t h a t morphisms are processes with dynamic behaviour. Everything t h a t has been discussed applies equally well to the category of sets and relations. T h e next step is to justify the claim t h a t 579roc looks like "relations extended in time" by defining some structure which allows the temporal aspects of the category to be manipulated. The basic construction dealing with time is the unit delay functor O. It is defined on objects by

%f {*} + SOA

{E} u

I e SA}.

It is notationally convenient to write , instead of inl(.), assuming t h a t * r ZA. Given f : A --* B, O f : OA ~ O B is defined by the single transition O f ~ f. It is straightforward to check t h a t O is indeed a functor. In fact it is a strict monoidal functor. P r o p o s i t i o n 4. There are isomorphisms monA,S: (OA) | (OB) --* O(A | B) (natural in A and B ) and monun[t : I --* 0 I .

21 Proof. monunit : I ~ O I is defined by

monunit ("*! id/ where

~'I =

{o}. monA, B : (OA) | (OB) ~ O(A | B) is defined by monA,B ((*'*)"2 idA|

In both cases the inverse is obtMned by considering the process as a morphism in the opposite direction. It is easy to check that these are isomorphisms and that mon is natural. [] The most important feature of O is that it has the u n i q u e f i x e d p o i n t p r o p e r t y ( U F P P ) [6]: for any objects A and B, and any morphisms f : A ~ 9 that

and g : OB --+ B there is a unique morphism h : A ~ B such

A

B 9

f

g

, 9

OB

commutes. We will not go into the applications of this property in the present paper, except to mention that it supports guarded recursive definitions [1, 6, 18] and is an important part of a proposed axiomatisation of interaction categories [18]. Apart from 9 there are two other delay functors: the initial delay and the propagated delay A. These are the same as the operators used by Milner [29, 30] to construct CCS from SCCS, and they can also b e used to construct asynchronous processes in the synchronous framework of S P r o c . However, when analysing asynchronous problems it is much more convenient to work in a different category, AS7)roc, which we will define shortly. For this reason, we will give only the basic definitions of the delay functors here, and not dwell on their properties. The functors ~ and A are defined on objects by

26Ade=fl + ~A S,bA d=ef {.r~O. ] (?Z < 0)) A (or E SA)) 2AA a_--ef1 + ZA S,aa d__ef{e} O {al ,n, a2 ,n2 a3 . . . [ ( n i < w ) A ( a l a 2 a 3 . . . E SA)}

22

and on morphisms by transition rules.

f (.,.! ~f

f (o,b! f,

f (a,b! f,

~ f (a,b! f,

A f (a,b! ~ A f'

Both of these functors are monads. Full details can be found elsewhere [1, 6, 18]. 3.2

The Interaction C a t e g o r y .A~Vroc

The theory of interaction categories is not restricted to the synchronous model of concurrency which underliew the category SProc. There is also a category of asynchronous processes, ~ r o c , which we will now define. In this context, asynchrony means the capacity to delay; in particular, an asynchronous process can delay in some of its ports while performing observable actions in others. Because we do not wish to distinguish between processes which differ only in the amount by which they delay at certain points, we now consider processes to be labelled transition systems modulo observation equivalence (weak bisimulation) [30] rather than strong bisimulation. In CCS there is a single silent action, v, which is used by all processes to represent delay. In the typed framework of interaction categories we no longer have a global set of actions, so it is necessary to specify a silent action rA in each type A. Thus an object of JtYProc contains an extra piece of information compared to an object of SProc. This enables observation equivalence classes of typed processes to be defined: when considering processes of type A, the action 7"A is used as the silent action in the standard definition o f observation equivalence. The approach we will take to defining operations on asynchronous processes is to define them by labelled transition rules, and then check that they are well-defined on observation equivalence classes. The definition of JtSProc in this section is slightly different from the original definition [4], where an action was taken to be a set of labels and the silent action was ~. The definition used here emphasises the essential difference between r and SProc, namely the introduction of rA and the use of observation equivalence. 3.3

.ASProc as a C a t e g o r y

An object of .A~qProc is a triple A = (,~A, TA, SA), in which ZA is a set of actions, rA E ZA is the silent action, SA C_~pr~10bAct(A)* is a safety

23

specification, and 0bAct(A) acf SA -- {rA} is the set of observable actions of A. A process with sort Z and silent action r E Z is un observation equivalence class of synchronisation trees with label set Z. A process P of type A, written P : A, is a process P with sort ZA and silent action rA such t h a t obtraces(P) C SA, where allobtraces(P) dCf {~} U {aa I P:=~Q, a E allobtraces(Q)}

obtraces(P) infobtraces(P)

de=f{o" E allobtraces(P) l a is finite} de=f{a E allobtraces(P)I cr is infinite}

Just as in SProc the morphisms are defined via the object part of the , - a u t o n o m o u s structure. Given objects A and B, the object A | B has SAGB

def z~A • ~E,B def

TAGB = (TA, TB)

SAGS dr {a E 05Act(ZAGS)* l a[A E SA, arB E S s } where, for a E 0bAct(ZAGB), ~[A def { ~ st((~) if otherwise fst((~) # vA and for a E 0bAct(ZAGB)*, a[A is obtained by concatenating the individual (~ [A. T h e projection a [B is defined similarly. Notice t h a t taking rAGs = (TA, 7-B) means t h a t a process with several ports delays by simultaneously delaying in its individual ports. The duality is trivial on objects: A • de=fA. A m o r p h i s m p : A --* B of AS"Proc is a process p such t h a t p : A --o B. I f p : A--* B and q : B--+ C, then the c o m p o s i t e p ; q : A ~ C i s defined by labelled transitions.

P (~,~'.! p,

q (~'B,c! q,

P ; q (~,~c! p,; q

P ; q ('~A,c!P ; q,

P (~,b! p,

q (b,c) q,

P ; q (~,c! pl ; ql The first two rules allow either process to make a transition independently, if no communication is required. The third rule allows the processes to

24

communicate by performing the same action in the port B. Any of the actions a, b, c can be r; if b = r s in the third rule, then two simultaneous independent transitions are made. It is necessary to prove that composition is weU-defined on observation equivalence classes, but we will not give the details here. As in 5"Proc, it is straightforward to prove t h a t if f : A - . B and g : B --~ C, then f ; g satisfies the safety specification necessary to be a morphism A --+ C. Although .AS'Proc is a category of asynchronous processes, the identity morphisms are still synchronous buffers. As a candidate identity morphism, a synchronous buffer seems likely to work, given the definition of composition; of course, once it has been shown to be an identity, no other choice is possible. The identity morphism idA : A --, A is defined as in 3Proc: idA def id ISA--oA where the process id with sort ZA is defined by

aEEA id (a'a! id. Just as in 5"~oc, if P is a process with sort ,U and S C n~pr~s ,U* then the process P[S, also with sort Z , is defined by the transition rule

P

t%

,Q

PrS 3.4

aES

a Qr(S/a).

.AS"Proc as a , - A u t o n o m o u s

Category

I f p : A --* C and q : B --+ D then p @ q : A | -~ C | andpX : C • --* A • are defined by transition rules. The rules for | illustrate the asynchronous n a t u r e of JISProc; the two processes can make transitions either independently or simultaneously.

q (b,d! q,

P (~,c! p,

P | q ((~,~B),(c,~n)! p, | q P (a,c! p,

q (b,d! q,

P @ q ((a,b),(c,d)! p, | q,

P|

((~-A,b),(~'c,d)! P | q, P (~,c! p,

pX (c,~! p,•

The tensor unit I is defined by

ae=f{ri}

S1 aef

25

The morphisms expressing the symmetric monoidal closed structure are defined as in SProc, by combining identities.

P r o p o s i t i o n 5..ASProc is a compact closed category. N o n - d e t e r m i n i s m It turns out that dLVProc has only weak biproducts. The construction of an addition on the homsets can still be carried out, but it yields r.P + r.Q. This is not surprising, as the CCS operation + is not well-defined on observation equivalence classes. In later sections we will often construct processes by means of guarded sums such as a.P+b.Q, which can be given direct definitions in terms of labelled transitions.

3.5

Time

In AVProc, t h e delay monads $ and A are less meaningful than in SProc, since delay is built into all the definitions. But the unit delay functor 9 is still important. On objects it is defined by

def 7- 9

= rA

So A dJ

V

[

SA}.

If f : A --~ B then O f : OA -~ OB is defined by the transition O f (*'*! f .

P r o p o s i t i o n 6. O is a functor, and has the UFPP. Proof. As in SProc. 4

Specification Structures

4.1

[] for Deadlock-Freedom

T h e S y n c h r o n o u s Case

We shall now describe a specification structure D for SProc such that b-TProcD will be a category of deadlock-free processes, closed under all the type constructions described above (and several more omitted in this introductory account). This specification structure has a number of remarkable features: - The typing rule for composition in ~
26

- The concepts and techniques used in defining this specification structure and verifying t h a t it has the required properties represent a striking transfer of techniques from Proof T h e o r y (Tait-Girard proofs of Strong Normalization [21]) to concurrency. This is m a d e possible by our framework of interaction categories and specification structures. We begin with some preliminary definitions. Firstly we define a binary process combinator p n q by the transition rule , pl

p

q a , p,

p~q

a 9 ql

ql.

N o t e that p I-1 q is the meet of p and q with respect to the simulation pre-order [30]. Let STL be the set of processes labelled over/2. We define, for p f i STL: p J, - Vs E Z;*,q E ST~.p

s

9

q=v3aEs

a 9 r.

We read p + as "p is deadlock-free", i.e. it can never evolve into the nil process. An important point is that we need to restrict attention to those objects of SProe whose safety specifications do not force processes to deadlock. The object A is progressive if

V8 E SA.3a E EA.sa

C= Sa.

By considering just the progressive objects, we can be sure that there are deadlock-free processes of every type. Finally, the key definition: p _L q = ( p F l q ) t .

We can think of p ,L q as expressing the fact t h a t "p passes the test q"; but note that _ _L _ is symmetric so the rSles of p and q, tester and testee, can be interchanged freely. Now we lift this symmetric relation to a self-adjoint Galois connection on sets of processes in a standard fashion [14]: p -L U = V q E U. p-L q U l =- { P l P "L U}.

Since ( - ) • is a self-adjoint Galois connection, it satisfies U•177177 _ U•

27 We are now ready to define the specification structure D on the subcategory of SProc which consists of just the progressive objects.

P A = {U C_ STEAI Vp E U. ( p : A) A ( p ~ ) , U # O , U = U J-• (Compare with the definition of candidats in [20], and with Linear Realizability Algebras [8]).

U@ v ~ f {p| u

v

{p E U,q E V ) •177

(u x | v•

•

U --'oVd~e~-f(u|177 • T h e Hoare triple relation is defined by means of a satisfaction relation between processes and properties. If p : A and U E PA t h e n

p~U

r

pEU

and

v{y}v

f

v --o v.

P r o p o s i t i o n 7. These definitions yield a specification structure D on 5"Proc; all the type structure on 5"Proc described in Section 3 can be lifted to ST:~rocD. We illustrate the proof of this proposition by sketching the verification of the key case for composition, i.e. the cut rule:

V{p}V

Y{q)W p:(A,U)-*(B,V)

U{p; q}W

q:(B,V)-+(C,W)

p; q: (A,U) --* (C,W)

To verify U{p ; q}W we must show t h a t , for all r E U a n d s E W • r | s s p ; q, i.e. t h a t ((r @ s) M (p ;q)) ~. By some elementary process algebra, ((r | s) M ( p ; q)) = (r ;p) M (q; s) where we regard r as a m o r p h i s m r : I -+ A and s as a m o r p h i s m s : C -+ I. Thus it suffices to prove t h a t

(r;p) i ( q ; s ) which holds since r E U,p E U --o V implies r ; p E V and similarly s E W ~ , q E V --o W implies t h a t q ;s E V • It can be shown t h a t in general, U @ V is properly included in U ~3 V, and hence in SProcD the operations of | and ~ are distinct. Thus the specification structure leads to a category which, as a model of linear logic, is less degenerate t h a n the original SProc.

28 4.2

The Asynchronous

Case

The category ~PrOCD allows synchronous problems to be analysed for deadlock-freedom, but there are also m a n y asynchronous systems which we would like to verify. The obvious approach to reasoning about asynchronous deadlock-freedom is tb use the delay operators of 8ProcD to represent asynchrony, and then proceed as before. However, experience has shown that when this is done the only deadlock-free behaviours which the types can guarantee to exist are those in which all the processes in the system delay. Hence we need a version of the specification structure D over AST~roc. This section describes the construction, and illustrates it with an application to the dining philosophers problem. When we try to define a specification structure for deadlock-freedom over ASProc, two complications arise which were not present in the synchronous case. The first is to do with divergence, or livelock. Suppose there are morphisms f : A ~ B and g : B ~ C, each of which runs forever but only does actions in B. Then even if f and g do not deadlock each other, the result of composing t h e m is a morphism which does no observable actions at all--under observation equivalence this is the same as the nil process, which is deadlocked. This shows that when dealing with asynchronous processes, it is insufficient simply to guarantee that processes can always communicate with each other when composed. The second technical problem is t h a t because convergence of a process will mean the ability to continue performing observable actions, there are no convergent processes of type I in .ASProc, and hence no properties over I. This means t h a t the asynchronous deadlock-free category will have no tensor unit; in order to retain the ability to use the *-autonomous structure in calculations, a different object will have to be used instead. We will not discuss this issue in the present paper. To solve the first problem we can adapt Hoare's solution of a similar problem [22]. He considers processes with one input and one output, which can be connected together in sequence. This is actually quite close to the categorical view in some ways: these processes have the "shape" of morphisms and can be composed, although there are no identity processes. More to the point, he is interested in conditions on processes which ensure that connecting t h e m together does not lead to divergence. Restating the question in the categorical framework, if f : A -~ B and g : B --* C, what is the condition that f ; g does not diverge? Hoare's solution is to specify that f should be left-guarded or g right-guarded. Left-guardedness means that every infinite trace of f should contain infinitely m a n y observable actions in A; similarly, right-guardedness means that every infinite

29

trace of g should contain infinitely many observable actions in C. If f is left-guarded it has no infinite behaviours which only involve actions in B, so no m a t t e r what g does there can be no divergent behaviour of f ; g. Symmetrically, if g is right-guarded then f ; g does not diverge. If a process is to be a morphism in a category, it must be composable b o t h on the left and on the right; this means that it needs to be b o t h leftguarded and right-guarded. Requiring that a morphism be b o t h left- and right-guarded, i.e. that every infinite trace must contain infinitely many observable actions in both ports, amounts to a specification of fairness. W h a t we need for deadlock-freedom is a category in which all the morphisms are fair in this sense. This issue only arises in the asynchronous case, since in a synchronous category it is impossible for an infinite trace of a process to have anything other than an infinite sequence of actions in each port.

:T'Proc The category $'Proc (fair processes) has objects A = (ZA, TA,:SA, FA). The first three components of an object are exactly as in YiSTProc.The fourth, FA, is a subset of 0 b A c t ( A ) ~ such that all finite prefixes of any trace in FA are in SA. The interaction category operations on objects are defined as in .4SProc, with the addition that The Category

nedFA FA|

aed{s E ObAct(A | B)~ l s[A E FA, s[B e FB}

FOA nod

I

rA}.

A process in .TT)rocis almost the same as a process in .4SProc, except that there now has to be a way of specifying which of the infinite traces of a synchronisation tree are to be considered as actuM infinite behaviours of the process. This is done by working with pairs (P, Tp) in which P is an .4SProc process and O ~ Tp C infobtraces(P). Only the infinite traces in Tp are viewed as behaviours of P , even though the tree P m a y have m a n y other infinite traces. There is a condition for this specification of valid infinite traces to be compatible with transitions: if P a Q then

Tp D {as ts E TQ}. A process of type A in .T'Proc is a pair (P, Tp) as above, in w h i c h P is a process of type (ZA, TA, SA) in .AS'Proc, and Tp C_FA. Equivalence of processes is defined by (P, Tp) = (Q,TQ) ~ (P ,~ Q) A (Tp = TQ)

30 where the relation ~ is observation equivalence; thus equivalence in .T'Proc is a refinement of equivalence in AgProc. As usual, a morphism from ~4 to B is a process of type A --o B. The identity morphism on A in iPProc is (]dA, FA--oA) where idA is the identity on (ZA, 7A, SA) in .ASProc. It will often be convenient to refer to ~ r o c processes by their first components, and just consider the second components as extra information when necessary; thus the process (P, Tp) m a y simply be written P. For composition, if (f, T]): A --+ B and (g, Tg): B --. C then (f, T]); (g, Tg) ~ f ( f ; g, Tf;g) where

Tl;g d___ef{s 9 infobtraces(f ;g) I 3t 9 Tf,u 9 Tg.[trA = srd, trB = uIB, uIC = siC]}. It is straightforward to check that if T! C_ FA--oB and Tg C FB~C then

Tf;g C_FA--oC. The functorial action of | is defined by (f, Tf)Q(g,Tg) ~f (fQg, Tf| where, for f : A --* C and g : B --* D,

Tf|

~f {s 9 infobtraces(f | g) I s r(A, C) 9 TI, s r(B, D) 9 Tg, s 9 FA|174

}.

This definition discards the infinite behaviours of f | g which correspond to unfair interleavings. Effectively, this means that we are assuming the existence of a fair scheduler for parallel composition; keeping the treatment of fairness at the level of specifications, we do not say anything about how such a scheduler might be implemented. .T'Proc inherits the ,-autonomous structure of r because all the structural morphisms, being essentially identities, are fair and the abstraction operation does not affect fairness. The exception to this is t h a t there is no tensor unit: 0 b A c t ( I ) = ~ , so it is not possible to define Ft. P r o p o s i t i o n 8..Pl:'roc is a compact closed category without units. The definition of $-Proc is very close to the definition of a specification structure over AST)roc--additional properties (the fairness specifications) are defined at each type, and satisfaction of these properties by processes is defined. However, iPProc does not actually arise from a specification structure. The reason is the assumption of fair interleaving in the definition of | When a specification structure S is defined over a category C, functors on (2 are lifted to Cs by checking t h a t their actions in C

31

preserve the Hoare triple relations. By contrast, the | functors on ~ r o c and j ~ r o c have different actions on morphisms. The specification structure for deadlock-freedom can now be defined over the progressive subcategory 5rProcp~ of PProc, which now consists of those objects for which every safe trace can be extended to a valid infinite trace. The definitions are very similar to those for SProc. The essential difference is that convergence of a process means the ability to keep doing observable actions. Furthermore, the choice of next action should not commit the process to a branch of behaviour which can lead only to a disallowed infinite trace. If P : A then P ~ means -

whenever P ~ Q there is a E ObAct(A) and a process R such t h a t Q-~.R, and there is t E infobtraces(R) such t h a t sat E Tp.

The definition of equivalence of ~CT)roc processes P and Q, requiring P ~ Q and Tp = TQ, permits the possibility t h a t although P and Q are not observation equivalent it is only the presence of branches corresponding to invalid infinite traces which causes observation equivalence to fail. However, if a process is convergent t h e n there is no branch along which all infinite traces are invalid, so this situation does not arise. In the specification structure for deadlock-freedom over ~roc, a property is a set of convergent processes and satisfaction is membership, just as in the synchronous case. This means that all the deadlock-free processes considered are convergent, and the equivalence behaves well for them. It is not, however, possible to require t h a t 9C7~rocshould consist only of convergent processes, because convergence in itself is not preserved by composition. It is only when convergence is combined with satisfaction of suitable deadlock-free types that composition works. Given P and Q of type A in A~roc, P ~ Q is defined exactly as in r

p

a pI

Q a, Q!

P n Q ~. P' ~Q~. If P and Q have type A in ~Proc and Tp n TQ ~ 0, then P R Q can be converted into an ,T~roc process of type A by defining TpnQ de=fTp N TQ. Orthogonality is now defined by

P _l_Q ~ T p N T Q ~ 0 and (P[7Q)~. It is extended to sets of processes exactly as in the synchronous case. For each object A, PDA is again the set of •177 sets of convergent

32

processes of type A. Satisfaction is membership, and all of the operations on properties are defined exactly as before. The proof that D satisfies the composition axiom is similar to the proof in the synchronous case, but is complicated by the presence of silent actions. If f : A --* B and g : B ~ C in .~Proc, communication between f and g when f;g is formed can include periods in which the common action in B is 7B. This means that several cases arise in the proof, depending on whether f and g are delaying or performing observable actions, and fairness is crucial in dealing with them. Details of the proof can be found

in [lS]. The proof that identity morphisms satisfy the correct properties is the same as in the synchronous case. Hence P r o p o s i t i o n 9. D is a specification structure over ~TT~roc~T. The asynchronous deadlock-free category is called .T~rocD. For each type A there is a process maxA which has every non-deadlocking behaviour allowed by the safety specification of A. It is defined by a e 0bAct(A) a

maxA

' maxA/a

with TmaxA ---- F A. Note that a process maxA could be defined in this way for any ~:~roc object A; maxA is simply the process which exhibits every behaviour permitted by the safety specification SA. In general maxA might have deadlocking behaviours, but because we are working in YPro%r, every safe trace can be extended indefinitely and so maxA never terminates. The process maxA is orthogonal to every convergent process of type A: writing Proc(A) for the set of all convergent processes of type A, we have maxA I Proc(A). In fact, Proc(A) • = {maxA}. Proc(A) is a valid property over A, as is {maxA}, and they are mutually related by ( - ) • The deadlock-free type (A, {rnaxA}) specifies an input port, because it forces all possible actions to be accepted. The type (A, Proc(A)) specifies an output, because any selection of actions is allowed. From now on, we denote Proc(A) and {rnaxA} by outA and inA respectively, so that in i = OUtA and out S = inA. It is not hard to prove P r o p o s i t i o n 10.

o u t A x2 o u t B ---- O u t A x ~ B .

I f P : A in ~'Proc and P $ then P ~ outA and so P : (A, outA) in .~-7)rocD. Combined with the previous result, this gives

33 Proposition

11. If P : A1 ~2"" "~2A= in .TT)roc and P I, then in .TT)rocD, P : (Al,outA1) ~ ' " " ~ (An,outAn).

This result is very useful for applications, as we shall see in the next section. Another useful fact is that if the safety specification of A is such that in every state there is a unique allowable next action, then inA = outA. 4.3

Constructing Cyclic Networks

The deadlock-free categories SPrOCD and .~PrOCD are not compact closed, which means that the categorical structure no longer supports the construction of arbitrary process networks. Any non-cyclic structure can be constructed, using the fact that the category is ,-autonomous, but additional proof rules are needed to form cycles. Suppose that P : (F,U) ~ ( X , V ) ~ ( X • J-) in .~']~OCD. There is an obvious condition that forming T by connecting the X and X J- ports should not cause a deadlock: that every trace s of P with srX = srX x can be extended by an action (~t,x,x) of P. The action x could be r x , as it is permissible for the sequence of communications between the X and X • ports to pause, or the action tuple ~ could be r r , but not both. Again, to obtain P : (F, U) in ~rocD it is also necessary to ensure that the specification U can still be satisfied while the communication is taking place. The possibility of divergence does not have to be considered separately. It is conceivable that P could have a non-deadlocking infinite behaviour in which no observable actions occur in F, but the corresponding behaviour of P would be unfair because it would neglect the ports in F. Thus it is sufficient to state a condition which guarantees that forcing X and X • to communicate does not affect the actions available i n t h e other ports. This condition can be expressed in terms of ready pairs. The definition of readies(P) for an ~l)roc process P of type A is initials(P) aef {a E ObAct(A) I 3Q.P=~Q} readies(P) de__f{(~,X) I 3Q.[(P=~Q) A ( X = initials(Q))]}.

The condition cycle(P) is now - For every (s, A) E readies(P) such that s i x = s~X • and every action (~, x, y) E A, there is z E ~ x such that Vr~x~gx. ~ (-5,z, z) E A.

34

This leads to a proof rule for cycle formation.

P : (P,U)~(X,V),e(X• P:(r,v)

•

cycle(P)

This rule illustrates one of the main features of our approach--the combination of type-theoretic and traditional verification techniques. Typically, the construction of a process will be carried out up to a certain point by means of the linear combinators, and its correctness will be guaranteed by the properties of the type system. This phase of the verification procedure is completely compositional. However, if cyclic connections are to be formed, some additional reasoning about the behaviour of the process is needed. The nature of this reasoning is embodied in the above proof rule. The rule is not compositional, in the sense that the internal structure of P must be examined to some extent in order to validate the condition cycle(P), but the departure from compositionality is only temporary. Once the hypotheses of the proof rule have been established, the result is that P has a type, and can be combined with other processes purely on the basis of that type. 5

The Dining Philosophers

The problem of the dining philosophers [22] provides a good example of working with the category of asynchronous deadlock-free processes. Our analysis of it will make use of the proof rule for cycle formation, introduced in the previous section, and thus illustrates the combination of type-theoretic arguments with more traditional reasoning. T h e example itself is well-known in the concurrency literature, but it is worth reviewing the scenario here before plunging into an analysis. In a college there are five philosophers, who spend their lives seated around a table. In the middle of the table is a large bowl of spaghetti; also on the table are five forks, one between each pair of philosophers. Each philosopher spends most of his time thinking, but occasionally becomes hungry and wants to eat. In order to eat, he has to pick up the two nearest forks; when he has finished eating, he puts the forks down again. The problem consists of defining a concurrent system which models this situation; there are then various questions which can be asked about its behaviour. One is about deadlock-freedom: is it possible for the system to reach a state in which nothing further can happen, for example because the forks have been picked up in an unsuitable way? Another is about fairness: do all the philosophers get a chance to eat, or is it possible

35 for one of t h e m to be excluded forever? The reason for looking at the dining philosphers example in this paper is to illustrate techniques for reasoning about deadlock-freedom, but because of the way in which the asynchronous deadlock-free category has been constructed, fairness has to be considered as well. A philosopher can be modelled as a process with five possible actions: eating, picking up the left fork, putting down the left fork, picking up the right fork, and putting down the right fork. Calling these actions e, lu, Id, ru, rd respectively, a CCS definition of a philosopher could be P = lu.ru.e.ld.rd.P. There is no action corresponding to thinking: a philosopher is deemed to be thinking at all times, unless actually doing something else. In A.qProc a philosopher has three ports: one for the eating action and one each for the left and right forks. The type of the fork ports is X , defined by ~ x de=f{U, d, r x } and with Sx requiring u and d to alternate, starting with u. The type of the eating port is Y defined by ~y clef{e, Ty} and with Sy allowing all traces. The philosopher process can be typed as P : X • ~, Y ~ X. A fork has four actions, lu, ld, ru and rd. For the usage of these names by the fork to match their usage by the philosophers, the necessary convention is that if a fork does the action lu, it has been picked up from the right. A possible definition of a fork is K = lu.ld.K + r u . r d . K and it can be typed as K : X • ~ X. Five philosophers and five forks can be connected together in the desired configuration, illustrated in Figure 1, by using the compact closed structure of .ASProc, as usual. The next step is to transfer everything to Y'Proc and then to ~'ProcD. To construct the P and K processes in .T'Proc, fairness specifications must be added to the types X and Y, and the acceptable infinite behaviours of P and K must be specified. This will be done in such a way that P and K satisfy the appropriate fairness specifications. For both X and Y the fairness specification can simply be all infinite traces. This means that there is no fairness requirement on the actions within a port, but only between ports. For the t y p e s of the philosopher and the fork, F x x ~ y ~ x consists of the infinite traces whose projections into the three ports are all infinite, and similarly Fx• x . To convert the .A.S'Proc process P into an .TTVroc process, it is sufficient to take Tp = infobtraces(P). It is then clear that Tp C_ F x . ~ g y ~ x b.ecause the behaviour of P simply cycles around all the available actions. Also, P is convergent because its behaviour consists of just one infinite branch. However, K has unfair infinite behaviours--for example, there is

36

( )

Fig. 1. Process Configuration for the Dining Philosophers an infinite trace in which the ru and rd actions never appear. Thus TK must be defined in such a way as to eliminate these undesirable infinite traces, and this can easily be done by taking TK = F x x ~ x . Then K is convergent, because any of its finite behaviours can be extended to a fair infinite behaviour by choosing a suitable interleaving from that point on. This approach means that this section is not addressing the issue of how fairness can be achieved in the dining philosophers problem--to do that, the implementation of a fair scheduler would have to be considered. As already stated, this problem has been introduced as an example of compositional reasoning about deadlock-freedom; fairness only appears in the minimal possible way needed for the categorical approach to be applicable. Typing the philosopher and fork processes in ~7~rocD requires suitable properties over the types X and Y. For Y, outy can be used. Because Y has only one observable action, outy = out~-. Similarly for X, the set outx can be used, and because the safety specification of X is such that in each state there is only one action available, outx = out~. Because K : X • in ~'Proc and K is convergent, K ~ outx• ~ o u t x and so K : (X, o u t x ) • (X, outx) in YProcD. Similarly, P : (X, ootx) • *g (Y, o u t r ) ~ (X, outz) in F79rocD. These typings mean that any number of philosophers and forks can be connected together in a line, and the resulting process is

37

guaranteed to be deadlock-free. Interestingly, this applies not only to the "correct" configuration in which philosophers and forks alternate, but also to other possibilities such as a sequence of forks with no philosophers. The interesting step of the construction consists of completing the cycle by connecting the X and X j- ports at opposite ends of a chMn in which forks and philosophers alternate. Because .TProcD is not compact closed, the proof rule of the previous section must be used. First of all, some traditional analysis based On reasoning about the state of the system is useful. For the moment, the e actions can be ignored as they do not have any impact on deadlocks in this system. The following cases cover all possibilities for a state. 1. If there is Pi such that both adjacent forks are down, it can pick up the left fork. 2. If there is P~ whose right fork is up and whose left fork is down, it can either put down the right fork (if it has just put down the left fork) or pick up the left fork (if its neighbour has the right fork). 3. If all forks are up and some Pi has both its forks, it can put down the left fork. 4. If all forks are up and every P~ has just one fork, they all have their left forks, and there is a deadlock. The last case is the classic situation in which the dining philosophers may deadlock--each philosopher in turn picks up the left fork, and then they are stuck. In terms of ready sets, there is a state in which every possible next action has non-matching projections in the two X ports. In Hoare's formulation of the dining philosophers problem [22] the philosophers are not normally seated, but have to sit down before attempting to pick up their forks. This means that the possibility of deadlock can be removed by adding a f o o t m a n , who controls when the philosophers sit down. The footman ensures that at most four philosophers are seated at any one time, which means that there is always a philosopher with an available fork on both sides; in this way, the deadlocked situation is avoided. However, implementing this solution involves a major change to the system: there is a new process representing the footman, the philosopher processes have extra ports on which they interact with the footman, and consequently their types need to be re-examined. It is more convenient to use an alternative approach, which will now be described. One of the philosophers is replaced by a variant, pi, which picks up the forks in the opposite order. So PI = r u . l u . e . r d . l d . P ~in CCS notation.

38

Intuitively, this prevents the deadlocking case from arising, because even if the four Ps each pick up their left fork, P ' is still trying to pick up its right fork (which is already in use) and so one of the Ps has a chance to pick up its right fork as well. The check that there are no deadlocks takes the form of a case analysis, as before. 1. If all the forks are up and some philosopher has both its forks, it can put one of t h e m down, whether it is P or P'. 2. If all the forks are up a n d every philosopher has just one, either they all have their left fork or all the right. If t h e y all have their left fork, then P ' can put down its left fork. If they all have their right fork, then any P can put down its right fork. 3. If two adjacent forks are down, then the philosopher in between them can pick one of them up, whether it is P or P'. 4. Otherwise there is the configuration u - p h i l 1 - d - p h i l 2 - u - p h i l 3. -

-

If p h i l 2 is P and has its right fork, it can put down the right fork. If phil 2 is P and doesn't have its right fork, it can pick up the left fork.

- If phil 2 is P' and has its right fork, it can pick up the left fork. If phil 2 is P' and doesn't have its right fork, then phil 3 m u s t be P and has its left fork. Then if p h i l a ' s right fork is down, p h i l 3 can pick it up. If the right fork is up and p h i l 3 has it, it can put down the left fork. Otherwise, p h i l 4 is P and has its left fork. Continuing this argument for each p h i l / with i /> 4 leads eventually to either a possible action, or cyclically back t o ' i = 1 and the deduction that p h i l 1 has its left fork. In the latter case, since p h i l 1 is P, it can pick up its right fork. To recast this argument in terms of checking the condition on the final cyclic connection, suppose that the final connection is between the P ' process a n d t h e fork on its right. Each case of the argument either produces a communication between P ' and this fork, or produces a communication elsewhere in the cycle, which m e a n s that there is an action of the system in which the two ports to be connected both delay. This shows that the cycle condition is satisfied, and the proof rule can be applied.

39

Acknowledgements We would like to thank Rick Blute, Robin Cockett, Phil Scott and David Spooner for their detailed reviews of this p~per. References 1. S. Abramsky, S. J. Gay, and R. Nagarajan. Interaction categories and foundations of typed concurrent programming. In M. Broy, editor, Deductive Program Design: Proceedings of the 1994 Marktoberdor] International Summer School, NATO ASI Series F: Computer and Systems Sciences. Springer-Verlag, 1995. Also available as theory/papers/Abramsk://marktoberdorf.ps.gz via anonymous ftp to theory, doc. ic. ac.uk. 2. S. Abramsky. Domain theory in logical form. Annals of Pure and Applied Logic, 51:1-77, 1991. 3. S. Abramsky. Interaction Categories (Extended Abstract). In G. L. Burn, S. J. Gay, and M. D. Ryan, editors, Theory and Formal Methods 1993: Proceedings of

the First Imperial College Department of Computing Workshop on Theory and Formal Methods, pages 57-70. Springer-Verlag Workshops in Computer Science, 1993. 4. S. Abramsky. Interaction Categories and communicating sequential processes. In A. W. Roscoe, editor, A Classical Mind: Essays in Honour of C. A. R. Hoare, pages 1-15. Prentice Hall International, 1994. 5. S. Abramsky. Proofs as processes. Theoretical Computer Science, 135:5-9, 1994. 6. S. Abramsky. Interaction Categories I: Synchronous processes. Paper in preparation, 1995. 7. S. Abramsky and R. Jagadeesan. Games and full completeness for multiplicative linear logic. Journal of Symbolic Logic, 59(2):543 - 574, June 1994. 8. S. Abramsky and R. Jagadeesan. New foundations for the geometry of interaction. Information and Computation, 111(1):53-i19, 1994. 9. S. Abramsky, It. Jagadeesan, and P. Malacaria. Full abstraction for PCF (extended abstract). In M. Hagiya and J. C. Mitchell, editorsl Theoretical Aspects of Computer Software. International Symposium TA CS'9~, number 789 in Lecture Notes in Computer Science, pages 1-15, Sendai, Japan, April 1994. Springer-Verlag. 10. A. Asperti and G. Longo. Categories, Types and Structures : An introduction to category theory for the working computer scientist. Foundations of Computing Series. MIT Press, 1991. 11. M. Bart. .-autonomous categories and linear logic. Mathematical Structures in Computer Science, 1(2):159-178, July 1991. 12. G. Berry and P.-L. Curien. Theory and practice of sequential algorithms: the kernel of the applicative language CDS. In J. C. Reynolds and M. Nivat, editors, Algebraic Semantics, pages 35-84. Cambridge University Press, 1985. 13. R. Blute. Linear logic, coherence and dinaturality. Theoretical Computer Science, I15(I):3-41, 1993. 14. P. M. Cohn. Universal Algebrai volume 6. D. Reidel, 1981. 15. R. L. Crole. Categories ]or Types. Cambridge University Press, 1994. 16. J . W . de B~kker. Mathematical Theory of Program Correctness. Prentice tIall International, 1980.

40 17. W. P. de Roever. The quest for compositionality--a survey of assertion based proof systems for concurrent programs, Part I: Concurrency based on shared variables. In Proceedings of the IFIP Working Conference, 1985. 18. S. J. Gay. Linear Types for Communicating Processes. PhD thesis, University of London, 1995. Available as t h e o r y / p a p e r s / G a y / t h e s i s .ps .gz via anonymous ftp to t h e o r y .doc. i c . ac .uk. 19. G. Centzen. Investigations into logical deduction. In M. E. Szabo, editor, The Collected Papers of Gerhard Gentzen. North-Holland, 1969. 20. J.-Y. Girard. Linear Logic. Theoretical Computer Science, 50(1):1-102, 1987. 21. J.-Y. Girard, Y. Lafont, and P. Taylor. Proofs and Types, volume 7 of Cambridge Tracts in Theoretical Computer Science. Cambridge University Press, 1989. 22. C. A. R. Hoare. Communicating SequentialProcesses. Prentice Hall, 1985. 23. N. D. Jones and F. Nielson. Abstract interpretation. In S. Abramsky, D. Gabbay, and T. Maibaum, editors, Handbook of Logic in Computer Science, volume 4. Oxford University Press, 1995. To appear. 24. G. M: Kelly and M. L. Laplaza. Coherence for compact closed categories. Journal of Pure and Applied Algebra, 19:193-213, 1980. 25. D. C. Kozen and J. Tiuryn. Logics of programs. In van Leeuwen, editor, Handbook of Theoretical Computer Science, volume B, pages 789-840. North Holland, 1990. 26. S. Mac Lane. Categories for the Working Mathematician. Springer-Verlag, Berlin, 1971. 27. Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent Systems. Springer-Verlag, 1992. 28. J. McKinna and R. Burstall. Deliverables: A categorical approach to program development in type theory. In Proceedings of Mathematical Foundation of Computer Science, 1993. 29. R. Milner. Calculi for synchrony and asynchrony. Theoretical Computer Science, 25:267-310, 1983. 30. R. Milner. Communication and Concurrency. Prentice Hall, 1989. 31. R. Milner, M. Torte, and R. Harper. The Definition of Standard ML. MIT Press, 1990. 32. P. W. O'Hearn and R. D. Tennent. Relational parametricity and local variables. In Proceedings, 20th ACM Symposium on Principles of Programming Languages. ACM Press, 1993. 33. A. M. Pitts. Relational properties of recursively defined domains. In 8th Annual Symposium on Logic in Computer Science, pages 86-97. IEEE Computer Society Press, Washington, 1993. 34. R. Soare. Recursively Enumerable Sets and Degrees. Perspectives in Mathematical Logic. Springer-Verlag, Berlin, t987. 35. J. B. Wells. Typability and type checking in the second-order )~-calculus are equivalent and undecidable. In Proceedings, Ninth Annual 1EEE Symposium on Logic in Computer Science. IEEE Computer Society Press, 1994.

Automated Temporal Reasoning about Reactive Systems E. Allen Emerson University of Texas at Austin, Austin, Tx 78712, USA

A b s t r a c t . There is a growing need for reliable methods of designing correct reactive systems such as computer operating systems and air traffic control systems. It is widely agreed that certain formalisms such as temporal logic, when coupled with automated reasoning support, provide the most effective and reliable means of specifying and ensuring correct behavior of such systems. This paper discusses known complexity and expressiveness results for a number of such logics in common use and describes key technical tools for obtaining essentially optimal mechanical reasoning algorithms. However, the emphasis is on underlying intuitions and broad themes rather than technical intricacies.

1

Introduction

There is a growing need for reliable methods of designing correct reactive systems. These systems are characterized by ongoing, typically nonterminating and highly nondeterministic behavior. Examples include operating systems, network protocols, and air traffic control systems. There is widespread agreement that some type of temporal logic, or related formalism such as a u t o m a t a on infinite objects, provides aft extremely useful framework for reasoning about reactive programs. The "classical" approach to the use of temporal logic for reasoning about reactive programs is a manual one, where one is obliged to construct by hand a proof of program correctness using axioms and inference rules in a deductive system. A desirable aspect of some such proof systems is that they m a y be formulated so as to be "compositional', , which facilitates development of a program hand in hand with its proof of correctness by systematically composing together proofs of constituent subprograms. Even so, manual proof construction can be extremely tedious and error prone, due to the large number of details that must be attended to. Hence, correct proofs for large programs are often very difficult to construct and to organize in an intellectually manageable fashion. It is not entirely clear that it is realistic to expect manual proof construction to be feasible for large-scale reactive systems.

42 We have historically advocated an alternative, automated approach to reasoning about reactive systems (cf. [Em81], [CE81], [EC82]). 1 The basic idea is that certain important questions associated with (propositional) temporal logic are decidable: 1. The Model Checking Problem - Given a finite state transition graph M and a temporal logic specification formula f, is M a model of f ? This is useful in automatic verification of (finite state) reactive programs. 2. The Satisfiability Problem - Given a temporal logic specification formula f , does there exist a model M of f ? This is useful in automatic synthesis of (finite state) reactive programs. Thus automated program reasoning, in various forms, is possible in principle. The limiting factors are: a. the complexity of the decision procedures, and b. the expressiveness of the logics. We will discuss these factors, their interaction with each other, and their impact on the promise and pitfalls of automated program reasoning. We will sketch known complexity and expressiveness results for a number of representative logics and formalisms. In particular, we shall focus on (i) Computation Tree Logic (CTL) and its variants such as CTL*, (ii) the Mu-Calculus, and (iii) tree automata. We shall also discuss key technical tools for obtaining essentially optimal decision procedures. In the case of model checking, the upshot is that, in practice, the complexity as a function of the structure size is usually the dominating factor, and in this regard we have for most useful logics, in effect, efficient algorithms. For this reason, model checking has been .applied quite successfully to verify correctness of (and to debug) "real-world" applications. A potentially serious limitation to model checking, however, is that of state space explosion: e.g., the global state graph of a concurrent system with n individual processes can be of size exponential in n. A variety of strategies for ameliorating this state explosion problem, including symbolic model checking and state reduction techniques, have been explored in the literature and remain a topic, of current research interest (cf. [Ku94]). In the case of testing satisfiability, for the rather simple logic CTL, a tableau construction suffices to obtain the Small Model Theorem, which asserts that any satisfiable formula f has a "small" (exponential size) model M; exponential time decidability follows. This permits us to synthesize reactive programs from CTL specifications in a wholly mechanical way. The model M defines a program meeting Specification f. I f f is inconsistent, the decision procedure says so, and the specification must be reformulated. A potentially serious drawback here is, 1 It seems that nowadays there is widespread agreement that some type of automation is helpful, although this opinion is not unanimous.

43 of course, the complexity of the decision procedure. Somewhat surprisingly, a Simplified CTL (SCTL) with radically restricted syntax is still useful (e.g., for program synthesis) and is decidable in polynomial time. For logics with greater expressive power, such as CTL* and the Mu-Calculus, we reduce satisfiability to nonemptiness of tree automata. Here pertinent technical tools include determinization and complementation of such automata on infinite strings and trees. Finally, we remark on some more intimate connections among tree automata, temporal logics, and the Mu-Calculus. For example, Mu-calculus formulae are simply alternating tree automata. The remainder of this paper is organized as follows. Section 2 discusses preliminary material including the nature of reactive systems, temporal logic in general, and manual versus mechanical reasoning; also covered in section 2 are the technical definitions of the specific logics we focus on. A brief overview of model checking is given in section 3. The tableau-based approach to decision procedures is described and illustrated on CTL in section 4. The automata-theoretic approach to decision procedures is discussed and illustrated on CTL* in section 5. Section 6 discusses expressiveness and complexity issues, including a general overview, tradeoffs, and a summary of key results. Also considered in section 6 are efficiently decidable temporal logics. Finally, some concluding remarks are given in section 7.

2 2.1

Preliminaries Reactive S y s t e m s

The ultimate focus of our concern is the development of effective methods for designing reactive systems (cf. [Pn86]). These are computer hardware and/or computer software systems that usually exhibit concurrent or parallel execution, where many individual processes and subcomponents are running at the same time, perhaps competing for shared resources, yet coordinating their activities to achieve a common goal. These processes and subcomponents may be geographically dispersed so that the computation is then distributed. The cardinM characteristic of reactive systems, however, is the ongoing nature of their computation. Ideally, reactive systems exhibit nonterminating behavior. There are many important practical examples of reactive systems. These include: computer operating systems; network communication protocols; computer hardware circuits; automated banking teller networks; and air traffic control systems. The semantics of reactive systems can thus be given in terms of infinite sequences of computation states. The computation sequences may in turn be organized into infinite computation trees. The branching behavior of these reactive systems is typicMly highly nondeterministic, owing to a variety of factors

44 including the varying speeds at which processes execute, uncertainty over the time required for messages to be transmitted between communicating processes, and "random" factors in the environment. Because of this high degree of nondeterminism, the behavior of reactive systems is to a high degree unpredictable, and certainly irreproducible in practice. For this reason, the use of testing as a means of ascertaining correctness of a reactive system is even more infeasible than it is for sequential programs. Accordingly, the use of appropriate formal methods for precisely specifying and rigorously verifying the correct behavior of reactive systems becomes even more crucial in the case of reactive systems. 2.2

T e m p o r a l Logic

One obvious difficulty is that formalisms originally developed for use with sequent'ial programs that are intended to terminate, and are thus based on initial state - final state semantics are of little value when trying to reason about reactive systems, since there is in general no finM state. Pnueli [Pn77] was the first to recognize the importance of ongoing reactive systems and the need for a formalism suitable for describing nonterminating behavior. Pnueli proposed the use of temporal logic as a language for specifying and reasoning about change over time. Temporal logic in its most basic form corresponds to a type of modal tense logic originally developed by philosophers (cf. [RU71]). It provides such simple but basic temporal operators as Fp (sometime p) and Gp (always p), that, Pnueli argued, can be combined to readily express many important correctness properties of interest for reactive systems. Subsequent to the appearance of [Pn77], hundreds , perhaps thousands, of papers developing the theory and applications of temporal logic to reasoning about reactive systems were written. Dozens, if not hundreds, of systems of temporal logic have been investigated, both from the standpoint of basic theory and from the standpoint of applicability to practical problems. To a large extent the trend was to enrich (and "elaborate") Pnueli's original logic thereby yielding logics of increasingly greater expressive power. The (obvious) advantage is that more expressive logics permit handling of a wider range of correctness properties within the same formalism. More recently, there has been a counter-trend toward "simplified" logics tailored for more narrowly construed applications. In any event, there is now a widespread consensus that some type of temporal logic constitutes a superior way to specify and reason about reactive systems. There is no universal agreement on just which logics are best, but we can make some general comments, temporal logics can be classified along a number of dimensions: 1. point-based, where temporal assertions are true or false of moments in time, versus interval-based, where temporal assertions are true or false of intervals of time.

45 2. future-tense only versus future-and-past-tense operators. 3. linear time, where temporal assertions are implicitly universally quantified over ~ll possible executions of a reactive system, versus branching time, where temporal assertions include explicit path quantifiers and are interpreted over the computation trees describing system execution 4. propositional versus first order It is our sense that the majority of the work on the use of temporal logic to reason about reactive systems has focussed on propositional, point-based, futuretense systems. There are a large number of users of both .the linear time and the branching time frameworks. We ourselves have some preference for branching time, since in its full generality it subsumes the linear time framework. We shall ,thus focus on the systems CTL, CTL* discussed below along with the "ultimate branching time logic", the Mu-calculus, and PLTL, ordinary linear temporal logic. It is to be re-emphasized we are always restricting our attention to propositional logics, which turn out to be adequate for the bulk of our needs. 2.3

Manual versus Mechanical Reasoning

Because of the difficulty of establishing correctness of computer programs in general and the special subtleties associated with reactive systems in particular a great deal of of effort has gone into developing formM methods for reasoning about program correctness. There is a vast literature (cf. [MP92]) on the use of manual "proof systems", where a program's behavior is specified in some formal assertion language or logic, often a dialect of temporal logic, and then a rigorous mathematical proof is given, using axioms and inference rules in a deductive system for the logic, that the program meets its specification. Manual proofs of program correctness offer both advantages and disadvantages. The advantages are rather obvious. In principle, it is possible to be completely formal in conducting the proof, thereby obtMning an absolute guarantee of soundness. In practice, working with complete, true formality is more problematic to achieve, and some level of quasi-formal argument is substituted instead. 2 These quasi-formal arguments can themselves still be useful, providing some degree of assurance that the program is - more or less - correct. Moreover, the quasi-formnl arguments can mirror the informal style of a good human mathematician. Unfortunately, this does permit errors in the argument to creep in, 2 This is more along the line of the working mathematician's notion of rigorous, but not strictly formal. To us, a strictly formal proof is conducted by simply performing symbol manipulations. There should exist an algorithm which, given a text that is alleged to constitute a strictly formal proof of an assertion, mechanically checks that each step in the proof is legitimate, say, an instance of an axiom or results from previous steps by application of an inference nile.

46 and it seems to us that complete formalization is, given the current state of knowledge about formal systems and notations, not likely to be practical in the manual setting. We point out that there are additional drawbacks to manual proof construction of program correctness. Just as for any proof, ingenuity and insight are required to develop the proof. The problem is complicated by the vast amount of tedious detail that must be coped with, which must in general be organized in subtle ways in formulating "loop invariants", and so forth. There may be so much detail that it is difficult to organize the proof in an intellec.tually manageable fashion. The upshot is that the whole task of manual proof construction becomes extremely error prone. One source of errors is that strong temptation to replace truly formal reasoning by quasi-formal reasoning. This is seen through-out the literature on manual program verification, and it frequently leads to errors. We feel compelled to assert the following (perhaps controversial): Claim. Manual verification will not work for large-scale reactive systems. Our justification is that the task is error-prone to an overwhelming degree. Even if strictly formal reasoning were used throughout, the plethora of technical detail would be overwhelming. By analogy, consider the task of a human adding 100000 decimal numbers of 1000 digits each. This is rudimentary in principle but likely impossible in practice for any human to perform accurately. Similarly, the verification of 1000000 or even 100000 line programs by hand will not be feasible. The transcription errors alone will be prohibitive. For these reasons plus the convenience of automation, we therefore believe that it is important to focus on mechanical reasoning about program correctness using temporal logic and related formalisms. There are at least four approaches to explore: 0. Mechanical assistance for verification of programs using a validity tester applied to assertions of the form Pl A . . . A Pk ~ q. Intuitively, Pl, . . . , Pk are assertions already proved to hold for the program and q is a new assertion to be established for the program. 1. Mechanical verification that a given finite state program M meets a specification p formulated in temporal logic, using a model checking algorithm (cf. ICE81], [QS82], [CES86], [gu94]). 2. Mechanical synthesis of a program M meeting a temporal specification p using a decision procedure for testing satisfiability (cf. [EC82, MW84, PR89]). 3. Executable temporal logic specifications. This approach [BFGGO89] may be viewed as an elegant variation of the synthesis approach. While synthesis might be seen as a 'process of compiling temporal logic specifications, in contrast, this approach amounts to interpreting the specifications on-the-fly.

47 We note that approach 0, while less ambitious than approach 2, relies on the technical machinery of approach 2, a decision procedure for satisfiability/validity. Actually, it can be argued that approaches 1 and 3 also rely heavily on approach 2. In any event, in the sequel, we shall focus on approach 1, model checking, and approach 2, decision procedures for satisfiability. 2.4

CTL*, C T L , a n d P L T L

In this section we provide the formal syntax and semantics for three representative systems of propositional temporal logic. Two of these are branching time temporM logics: CTL and its extension CTL*. The simpler branching time logic, CTL (Computational Tree Logic), allows basic temporal operators of the form: a path quantifier--either A ("for all futures") or E ("for some f u t u r e " followed by a single one of the usual linear temporal operators G ("always"), F ("sometime"), X ("nexttime"), or U ("until"). It corresponds to what one might naturally first think of as a branching time logic. CTL is closely related to branching time logics proposed in [La80], [EC80], [QS82], [BPM83], and was itself proposed in ICE81]. However, its syntactic restrictions limit its expressive power so that, for example, correctness under fair scheduling assumptions cannot be expressed. We therefore also consider the much richer language CTL*, which is sometimes referred to informally as full branching time logic. The logic CTL* extends CTL by allowing basic temporal operators where the path quantifier (A or E) is followed by an arbitrary linear time formula, allowing boolean combinations and nestings, over F, G, X, and U. It was proposed as a unifying framework in [EH86], subsuming a number of other systems, including both CTL and PLTL. The system PLTL (Propositional Linear temporal logic) is the "standard" linear time temporal logic widely used in applications (cf. [Pn77], [MP92]). Syntax We now give a formal definition of the syntax of CTL*. We inductively define a class of state formulae (true or false of states) using rules S1-3 below and a class of path formulae (true or false of paths) using rules P1-3 below: S1 $2 $3 P1 P2 P3

Each atomic proposition P is a state formula If p, q are state formulae then so are p A q, -~p If p is a path formula then Ep, Ap are state formulae Each state formula is also a path formula If p, q are path formulae then so are p A q, -~p If p, q are path formulae then so are Xp, pUq

The set of state formulae generated by the above rules forms the language CTL*. The other connectives can then be introduced as abbreviations in the

48 usual way: pV q abbreviates ~ ( ~ p A ~q), p ~ q abbreviates -~pV q, p r q abbreviates p ~ q A q ~ p, Fp abbreviates trueUq, and Gp abbreviates -~F'~p. We oo

oo

also let F p abbreviate GFp ("infinitely often"), G p abbreviate FGp ("almost everywhere"), and (pBq) abbreviate -~((-~p)Uq) ("before"). R e m a r k : We could take the view that Ap abbreviates -~E'~p, and give a more terse syntax in terms of just the primitive operators E, A, -~, X, and U. However, the present approach makes it easier to give the syntax of the sublanguage CTL below. The restricted logic CTL is obtained by restricting the syntax to disallow boolean combinations and nestings of linear time operators. Formally, we replace rules P1-3 by P0

If p, q are state formulae then Xp, pUq are path formulae.

The set of state formulae generated by rules S1-3 and P0 forms the language CTL. The other boolean connectives are introduced as above while the other temporal operators are defined as abbreviations as follows: E F p abbreviates E(trueUp), AGp abbreviates -~EF'~p, A F p abbreviates A(trueVp), and EGp abbreviates -~AF-~p. (Note: this definition can be seen to be consistent with that of CTL*.) Finally, the set of path formulae generated by rules S1,P1-3 define the syntax of the linear time logic PLTL. Semantics A formula of CTL* is interpreted with respect to a structure M = ( S , R , L ) where S is the set of states, R is a total binary relation C S x S (i.e., one where Vs 6 S3t 6 S(s,t) 6 R), and L: S --4 2AP is a labeling which associates with each state s a set L(s) consisting of all atomic proposition symbols in the underlying set of atomic propositions A P intended to be true at state s. We may view M as a labeled, directed graph with node set S, arc set R, and node labels given by L. A fullpath of M is an infinite sequence so, sl, s 2 , . . , of states such that Vi (si, s~+l) 6 R. We use the convention that x = (so, sl, s~,...) denotes a fullpath, and that x i denotes the suffix path (si,si+l,si+2,...). We write M, so ~ p (respectively, M, x ~ p) to mean that state formulap (respectively, path formula p) is true in structure M at state so (respectively, of fullpath z). We define inductively as follows:

49 S1 M, so ~ P i f f P E L ( s o ) $2 M So ~ p A q iff M, so ~ p a n d M , so ~ q M so ~ -~p iff it is not the ease that M, so ~ p $3 M so ~ Ep iff 3 fullpath x = (so, sl, s2,...) in M, M, x ~ p M so ~ Ap iff V fullpath x = (so, si, s2,...) in M, M, x ~ p P1 M x ~ p iff M, so ~ p P2 M x ~ p A q i f f i , x ~ p and i , x ~ q M x ~ -~p iff it is not the case that M, x ~ -~p P3 M x ~ pUq iff 3i [U, x i ~ q and Vj (j < i implies M, xJ ~ p)] M x ~ X p iff M, x 1 ~ p A formula of CTL is also interpreted using the CTL* semantics, using rule P3 for path formulae generated by rule P0. Similarly, a formula of PLTL, which is a "pure path formula" of CTL* is interpreted using the above CTL* semantics. We say that a state formulap (resp., path formulap) is valid provided that for every structure M and every state s (resp., fullpath x) in M we have M, s ~ p (resp., M, x ~ p). A state formulap (resp., path formulap) is satisfiable provided that for some structure M and some state s (resp., fullpath x) in M we have M, s ~ p (resp., M, x ~ p).

Alternative and Generalized Semantics We can define CTL* and other logics over various generalized notions of structure. For example, we could consider more general structures M = (S, X, L) where S is a set of states and L a labeling of states as usual, while X C S ~ is a family of infinite computation sequences (fullpaths) over S. The definition of CTL* semantics carries over directly, with path quantification restricted to paths in X, provided that "a fullpath x in M " is understood to refer to a fullpath x in X. Usually, we want X to be the set of paths generated by a binary relation R (cf. [Em83]). Another generalization is to define a multiprocess structure, which is a refinement of the above notion of a "monolithic" structure that distinguishes between different processes. Formally, a multiprocess structure M = (S, R, L) where S is a set of states, R is a finite family { R 1 , . . . , Rk} of binary relations Ri on S (intuitively, Ri represents the transitions of process i) such that R = OR is total (i.e. Vs E S 3 t E S (s,t) E R ) , L associates with each state an interpretation of the proposition symbols at the state.

50 Just as for a monolithic structure, a multiprocess structure may be viewed as a directed graph with labeled nodes and arcs. Each state is represented by a node that is labeled by the atomic propositions true there, and each transition relation Ri is represented by a set of arcs that are labeled with index i. Since there may be multiple arcs labeled with distinct indices between the same pair of nodes, technically the graph-theoretic representation is a directed multigraph. Now we can define nexttime operators relativized to process indices. For example, we can extend CTL to allow

M, s ~ E X i p iff 3t ( (s, t) E Ri and M, t ~ p) M, s ~ A X i p iff Vt ( (s, t) E R~ implies M, t ~ p) We can further generalize the semantics for CTL*. The previous formulation of CTL* over uniprocess structures refers only to the atomic formulae labeling the nodes. However, it is straightforward t o extend it to include, in effect, arc assertions indicating which process performed the transition corresponding to an arc. This extension is needed to formulate the technical definitions of fairness constraints, so we briefly describe it. Now, a fullpath z = (so, dl, sl, d2, s2,...), depicted below dl d2 d3 d4 9

---).

9

---),

9

--).

9

--~

,,.

so 81 s2 83 is an i n f i n i t e s e q u e n c e of states

si alternating with relation indices di+l such that (si, si+l) E Rdi+l, indicating that process di+l caused the transition from si to si+l. We also assume that there are distinguished propositions enl, . . . , enk, exl, . . . , eXk, where intuitively enj is true of a state exactly when process j is enabled, i.e., when a transition by process j is possible, and exj is true of a transition when it *is performed by process j. Technically, each enj is an atomic proposition--and hence a state formula--true of exactly those states in domain M, so ~ enj iffs0 E domain Rj = {s E S : 3t E S (s,t) E Rj} while each exj is an atomic arc assertion--and a path formula such that M , z ~ exj iff dl = j. Fairness constraints (cf. [Fr86], [EL87]) can now be precisely captured: - Unconditional fairness, which asserts that each process is executed infinitely oo

often, can be expressed as Aie[l:k](Fexi ). - Weak fairness,which asserts that each process which is continuously enabled oo

oo

is repeatedly executed, can be expressed as Aie[l:h](Geni ~ Fexi) - Strong fairness, which asserts that each process which is enabled infinitely co

oo

often is executed infinitely often can be expressed as Aie[l:k](Feni ~ Fex~) We can define a single type of general structure which subsumes all of those above. We assume an underlying set of state symbols interpreted over states,

5] as well as an additional set of arc assertion symbols that are interpreted over transitions (s, t ) E R. Typically we think of L((s, t)) as the set of indices (or names) of processes which could have performed the transition (s, t). A (generalized) fullpath is now a sequence of states si alternating with arc assertions di as depicted above. Now we say that a general structure M = (S, R, X, L) where S is a set of states, R is a total binary relation C S x S, X is a set of fullpaths over R, and L is a mapping associating with each state s an interpretation L(s) of all state symbols at s, and with each transition (s, t) E R an interpretation of each arc assertion at (s, t). There is no loss of generality due to including R in the definition: for any set of fullpaths X, let R = {(s, t) E S x S : there is a fullpath of the form ystz in X where y is a finite sequence of states and z an infinite sequence of states in S); then all consecutive pairs of states along paths in X are related by R. The extensions needed to define CTL* over such a general structure M are straightforward. The semantics of path quantification as specified in rule $3 carries over directly to the general M, provided that a "full path in M" refers to one in X. If d is an arc assertion we have that: M, x ~ d iff d E L((so, sl)) Alternative Syntax Here the essential idea is that of a basic modality. A formula of CTL* is a basic modality provided that it is of the form Ap or Ep where p itself contains no A's or E's, i.e., p is an arbitrary formula of PLTL. Similarly, a basic modality of CTL is of the form Aq or Eq where q is one of the single linear temporal operators F , G, X, or U applied to pure propositional arguments. A CTL* (respectively, CTL) formula can now be thought of as being built up out of boolean combinations and nestings of basic modalities (and atomic propositions). 2.5

.Mu-calculus

CTL* provides one way of extending CTL. In this section we describe another way of extending CTL. We can view CTL as a sublanguage of the propositional Mu-Calculus L# (cf. [Ko83], [EC80]). The propositional Mu-Calculus provides a least fixpoint operator (#) and a greatest fixpoint operator (u) which make it possible to give fixpoint characterizations of the branching time modalities. Intuitively, the Mu-Calculus makes it possible to characterize the modalities in terms of recursively defined tree-like patterns. For example, the C T L assertion

52

EFp (along some computation path p will become true eventually) can be characterized as #Z.p V EXZ, the least fixpoint of the functional p V E X Z where Z is an atomic proposition variable (intuitively ranging over sets of states) and EX denotes the existential nexttime operator. We first give the formal definition of the Mu-Calculus. Syntax The formulae of the propositional Mu-Calculus (1)-(6): (1) (2) (3) (4) (5) (6)

Lit are those generated by rules

/~tomic proposition constants P, Q Atomic proposition variables Y, Z , . . . EXp, where p is any formula. -~p, the negation of formula p. p A q, the conjunction of formulae p, q. pY.p(Y), where p(Y) is any formula syntactmally monotone in the proposi: tional variable Y, i.e., all free 3 occurrences of Y in p(Y) fall under an even number of negations.

The set of formulae generated by the above rules forms the language Lp. The other connectives are introduced as abbreviations in the usual way: p A q abbreviates -~(-~pA-~q), AXp abbreviates -~EX-~p, uY.p(Y) abbreviates -~pY.-~p(-~X), etc. Intuitively, pY.p(Y) (vY.p(Y)) stands for the least (greatest, resp.) fixpoint of p(Y), EXp (AXp) means p is true at some (every) successor state reachable from the current state, A means "and", etc. We use IP[ to denote the length (i.e., number of symbols) of p.4 We say that a formula q is a subformula of a formula p provided that q, when viewed as a sequence of symbols, is a substring ofp. A subformula q o f p is said to be proper provided that q is not p itself. A top-level (or immediate) subformula is a maximal proper subformula. We use SF(p) to denote the set of subformulae of p. The fixpoint operators/t and v are somewhat analogous to the quantifiers S and V. Each occurrence of a propositional variable Y in a subformula pY.p(Y) (or vY.p(Y)) of a formula is said to be bound. All other occurrence are free. By renaming variables if necessary we can assume that the expression pY.p(Y) (or vY.p(Y)) occurs at most once for each Y. A sentence (or closed formula) is a formula that contains no free propositional variables, i.e., every variable is bound by e i t h e r / t or t,. A formula is said to be in positive normal form (PNF) provided that no variable is quantified twice Defined below. 4 Alternatively, we can define ]p] as the size of the syntax diagram for p.

53 and all the negations are applied to atomic propositions only. Note that every formula can be put in PNF by driving the negations in as deep as possible using DeMorgan's Laws and the dualities "~pY.p(Y) = vY.'~p('~Y),-,vY.p(Y) = #Y.',p(-,Y). (This can at most double the length of the formula). Subsentences and proper subsentences are defined in the same way as subformulae and proper sub formulae. Let tr denote either/~ or v. If Y is a bound variable of formula p, there is a unique ju or v subformula ~ry.p(y) of p in which Y is quantified. Denote this subformula by crY. Y is called a p-variable if cry = p y ; otherwise, Y is called a v-variable. A cr-subformula (cr-subsentence, rasp.) is a subformula (subsentence) whose main connective is either/~ or v. We say that q is a top-level cr-subformula of p provided q is a proper e-subformula of p but not a proper tr-subformula of any other ~-subformula of p. Finally, a basic modality is a ~-sentence that has no proper cr-subsentences.

Semantics We are given a set ,U of atomic proposition constants and a set /1 of atomic proposition variables. We let A P denote Z U / ' . Sentences of the propositional Mu-Calculus L~u are interpreted with respect to a structure M = (S, R, L) as before. The power set of S, 2 s, may be viewed as t h e complete lattice (2 s, S, 0, C, U, n). Intuitively, we identify a predicate with the set of states which make it true. Thus, false which corresponds to the empty set is the b o t t o m element, true which corresponds to S is the top element, and implication (Vs E SIP(s) :~ Q(s)]) which corresponds to simple set-theoretic containment ( P c Q) provides the partial ordering on the lattice. Let v : 2 s --+ 2 s be given; then we say that r is monotonic provided that P C_ Q implies r ( P ) g v(Q). Theorem Then

( T a r s k i - K n a s t e r ) . Let v : 2 s --+ 2 s be a monotonic functional.

(a) pY.r(Y) = n { Y : r(Y) = Y} = n {Y : r ( Y ) C_ Y}, (b) vY.r(Y) = U { Y : r(Y) = Y} = O { Y : r(Y) D__Y } , (c) pY.r(Y) = Ui 7-i (false) where i ranges over all ordinals of cardinality at most that of the state space S, so that when S is finite i ranges over [0:lSI] , and (d). vY.r(Y) = Oi r i (true) where i ranges over all ordinals of cardinality at most 9that of the state space S, so that when S is finite i ranges over [0:[SI]. A formula p with free variables Y1,..-iYn is thus interpreted as a mapping

pM from (2s) n to 2 5, i.e., it is interpreted as a predicate transformer. We write

54

P(Y1,..., Yn) to denote that all free variables of p are among Y1,..., Yn. A valuation 1), denoted (V1,..., Vn), is an assignment of the subsets of S, V1,..., Vn, to free variables Y1,..., Yn, respectively. We use pM(I)) to denote the value o f p on the (actual) arguments V1,..., Vn (cf. [EC80], [Ko83]). The operator pM is defined inductively as follows:

(1)

pM(v)

= {s : s 9 S and P 9 L(s)} for any atomic propositional constant

P9

(2)

CV) = v,

(3) (p^ q)M(v) = p (V) n qM(v) (4) = S\(p (v)) (5) (EXp)M(~)) = {s: 3t 9 pM(I)), (s, t) 9 R} (6) pYI.p(Y1)M(I )) = n{S' g s : p(Y1)M(s ', V2,..., Vn) C_S'} Note that our syntactic restrictions on monotonicity ensure that least (as well as greatest) fixpoints are well-defined. Usually we write M, s ~ p (respectively, M, s ~ p(Y)) instead of s E pM (respectively, s E pM(y)) to mean that sentence (respectively, formula) p is true in structure M at state s (under valuation P). When M is understood, we write simply s ~ p. Extensions Just as for CTL and CTL*, we have the multiprocess versions of the Mu-calculus. One possible formulation is to use EXip for "there exists a successor state satisfying p, reached by some step of process i". Dually, we then also have AXip. The classical notation, going back to PDL [FL79], would write < i > p and [i]p, respectively. Discussion We can get some intuition for the the Mu-Calculus by noting the following extremal fixpoint characterizations for CTL properties:

E F P - #Z.P V E X Z A G P =_vZ.P A A X Z A F P = pZ.P V A X Z E G P - vZ.P A E X Z A(P V Q) - ttZ.Q v (P A A X Z ) E ( P U Q) - pZ.Q v (P A E X Z ) For these properties, as we see, the fixpoint characterizations are simple and plausible. It is not too difficult to give rigorous proofs of their correctness [EC80],

55 [EL86]. However, it turns out that it is possible to write down highly inscrutable Mu-calculus formulae for which there is no readily apparent intuition regarding their intended meaning. As discussed subsequently, the Mu-calculus is a very rich and powerful formalism so perhaps this should come as no surprise. We will comment here that Mu-calculus formulas are really representations of alternating finite state a u t o m a t a on infinite trees (see section 6.5). Since even such basic a u t o m a t a as deterministic finite state automata on finite strings can be quite complex "cans of worms", we should again not be so surprised at potential inscrutability. On the other hand, many Mu-calculus characterization of correctness properties are elegant, and the formalism seems to have found increasing favor, especially in Europe, owing to its simple and elegant underlying mathematical structure. One interesting measure of the "structural complexity" of a Mu-calculus formula is its alternation depth. Intuitively, the alternation depth refers to the depth of nesting of alternating/~'s and u's. The alternation must be "significant", entailing a subformula of the forms

(,) #Y.p(vZ.q(Y, Z)) or t,Y.p(I.tZ.q(Y, Z)) where, for example, a #'d Y occurs within the scope of uZ or u'd Y occurs within the scope of a / t Z . All the basic modalities AFq, AGq, EFq, etc. of CTL can be expressed in the Mu-Calculus with alternation depth 1 as illustrated above. So can all CTL formula. For example, EFAGq has the Mu-Calculus characterization ItY.(EXY V u Z. (PA A X Z)), which is still of alternation depth 1 since while u Z appears inside /tY, the "alternation" does not have Y inside v Z and does not match the above form (*). A property such as E(P*Q)*R, meaning there exists a path matching the regular expression (P*Q)*R, can be expressed by #Y.I~Z.(P A E X Z V (Q A E X Y ) V R, which is still of alternation depth 1: On the other hand, properties associated w i t h fairness require alternation co

depth 2. For example, E F P (along some path P occurs infinitely often) can oo

be characterized by uY.t~Z.EX(P A Y V Z). It can be shown that E F P is not expressible by any alternation depth 1 formula (cf. [EC80] [EL86]). Let L/~k denote the Mu-Calculus L/t restricted to formulas of alternation depth at most k. It turns out that most all modal or temporal logics of programs can be translated into L#I or L/~2, often succinctly (cf. [EL86]). Interestingly, it is not known if higher alternation depths form a true hierarchy of expressive power. The question has some bearing on the complexity of model checking in the overall Mu-calculus as discussed in section 7.

56 3

Model

Checking

One of the more promising techniques in automated temporal reasoning about reactive systems began with the advent of efficient temporal logic model checking [CE81] (cf. [Em81], [QS82], [CES86]). The basic idea is that the global state transition graph of a finite state reactive system defines a (Kripke) structure in the sense of temporal logic (cf. [Pn77]), and we can give an efficient algorithm for checking if the state graph defines a model of a given specification expressed in an appropriate temporal logic. While earlier work in the protocol community had addressed the problem of analysis of simple teachability properties, model checking provided a powerful, uniform specification language in the form of temporal logic along with a single, efficient verification algorithm which automatically handled a wide variety of correctness properties, including both safety and liveness properties, with equal ease. Technically, the Tarski-Knaster theorem can be understood as providing a systematic basis for model checking. The specifications can be formulated in the Mu-calculus or in other logics such as CTL which, as noted above, are readily translatable into the Mu-calculus. For example, to calculate the states where the CTL basic modality E F P holds in structure M = (S, R, L), we use the fixpoint characterization E F P =_ ~Z.r(Z), with r(Z) - P V E X Z . We successively calculate the ascending chain of approximations

"r(false) C_v2(false) C_ ... C_ vk(false) for the least k _< IS] such that ~(false) = rk+l(false). The intuition here is just that each "ri(false) corresponds to the set of states which can reach P within at most distance i; thus, P is reachable from state s iff P is reachable within i steps from s for some i less than the size of M iff s E r i (false) for some such i less than the size of M. This idea can be easily generalized to provide a straightforward model checking algorithm for all of CTL and even the entire Mucalculus. 5 The Tarski-Knaster theorem handles the basic modalities. Compound formulae built up by nesting and boolean combinations are handled by recursive descent. A naive implementation runs in time complexity O((IMllpl)k+l) for input structure M and input formula p with/z, v formulas nested k deep. Some improvements are possible as described in section 6.3. The above model checking algorithm has been dubbed a global algorithm because it computes for the (closed) formula f over structure M the set fM of all states of M where f is true. A technical characteristic of global model checking algorithms is that with each subformula g of the specification f there is calculated the associated set of state gM. A potential practical drawback is that all the states of the structure M are examined. 5 Model checking for PLTL and CTL* can be performed as discussed in section 6.3.

57 In practice, we are often only interested in checking truth of f at a particular state so. This gives rise to local model checking algorithms which in the best case may not examine all states of the structure M, although in the worst case they may have to (ef. [SW89]). In this connection, note that model checkers are a type of decision procedure and provide yes/no answers. It turns out that, in practice, model checkers are often used for debugging as well as verification. In industrial environments it seems that the capacity of a model checker to function as a debugger is perhaps better appreciated than their utility as a tool for verifying correctness. Consider the empirical fact that most designs are initially wrong and must go through a sequence of corrections/refinements before a truly correct design is finally achieved. Suppose one aspect of correctness that we wish to check is that a simple invariance property of the form AGgood holds provided the system M is started in the obviously good initial state so. It seems quite likely t h a t the invariance may in fact not hold of the initial faulty design due to conceptually minor but tricky errors in the fine details, s Thus, during many iterations of the design process, we have that in fact M, so ~ "EF-~good. It would be desirable to circumvent the global strategy of examining all of M to calculate the set EF-~good M and then checking whether so is a member of that set. If there does exist a -~good state reachable from so, once it is detected it is no longer necessary to continue the search examining M. This is the heuristic underlying local model checking algorithms. Many of them involve depth first search from the start state so looking for confirming or refuting states or cycles; once found, the algorithm can terminate often "prematurely" having determined that the formula must be true or must be false at so on the basis of the portion M examined during the limited search. Of course, it may be that all states must be examined before finding a refutation to AGgood. Certainly, once a truly correct design is achieved, all states reachable from so must be examined. But in many practical cases, a refutation may be found quickly after limited search. All the above discussion concerns what is referred to as extensional model checking or as explicit state model checking, since it is assumed that the structure M including all of its nodes and arcs explicitly represented using data structures such as adjacency lists or adjacency matrices. An obvious limitation then is the state explosion problem. Given a reactive system composed on n sequential processes running in parallel, its global state graph will be essentially the product of the individual local process state graphs. The number of global states thus grows exponentially in n. For particular systems it may happen that the final global state graph is of a tractable size, say a few hundred thousand states plus transitions. A number of practical systems can be modeled at a useful level of 6 This is a scenario where model checkers should be particularly useful.

58 abstraction by state graphs of this size, and extensional model checking can be a helpful tool. On the other hand, it can quickly become infeasible to represent the global state graph for large n. Even a banking network with 100 automatic teller machines each having just 10 local states, could yield a global state graph of astronomical size amounting to about 10 l~176 states. A major advance has been the introduction of symbolic model checking techniques (cf. [McM92], [Pi90], [CM90]) which are - in practice- often able to succinctly represent and model check over state graphs of size 101~176 states and even considerably larger. The key idea is represent the state graph in terms of a boolean characteristic function which is in turn represented by a Binary Decision Diagram (BDD) (cf. [Sr86]). SDD-based model checkers have been remarkably effective and useful for debugging and verification of hardware circuits. For reasons not well understood, BDDs are able to exploit the regularity that is readily apparent even to the human eye in m a n y hardware designs. Because software typically lacks this regularity, BDD-based model checking seems less helpful for software verification. We refer the reader to [McM92] for an extended account of the utility of BDDs in hardware verification. There has thus been great interest in model checking methods that avoid explicit construction of the global state graph. In some cases, it is possible to give methods that work directly on the program text itself as an implicit representation of the state graph. Some approaches use process algebras such as CCS or formalisms such as Petri-nets to represent programs. This facilitates succinct representation of (possibly infinite) families of states and exploitation of the compositional structure of programs (cf. [BS92]) in performing a more general type of local model checking. The drawback is that the general method can no longer be fully automated, for such basic reasons as the unsolvability of the halting problem over infinite state spaces. Still, such partially automated approaches are intriguing.

4

Decision

4.1

Procedures

I: T a b l e a u x - t h e o r e t i c

Approach

Overview

In this section we discuss decision procedures for testing satisfiability of temporal logic formulas. Basic Idea O: Prove the small model property for the logic, which asserts that if a formula f is satisfiable then it has a finite model of size bounded by some function of the length of f, This then yields a nondeterministic algorithm: Guess a candidate model of bounded size. - Check it for genuineness. -

59 For m a n y logics the process can be improved: Basic Idea 1: Eliminate the nondeterminism: -

-

Build a small tableau graph encoding (essentially all) potential models of f . "Pseudo-model-check" the tableau, ensuring t h a t it contains a structure in which all eventualities are fulfillable; since invariances turn out to take care of themselves in tableau, this structure defines a genuine model of f .

For m a n y logics the tableau method is natural, powerful, and appropriate. C T L is such a logic. A key advantage is that there is a fairly direct correspondence between the organization of the tableau and the syntax of the formula. However, for some logics (such as CTL*) the tableau method, as normally conceived, breaks down. There is no apparent way to derive a natural tableau graph encoding all possible models of a formula from its syntax. Instead we can fall back upon what is widely viewed as the standard p a r a d i g m today: Basic Idea 2: The automata-theoretic approach: Build a finite state a u t o m a t o n on infinite objects (strings or trees) accepting (essentially all) models of f . - Test it for nonemptiness. -

Basic Idea 2 subsumes Basic Idea 1. For logics to which the tableau m e t h o d is applicable, the tableau can be viewed as defining an a u t o m a t o n . For other logics, we can build an a u t o m a t o n when it is not possible to build a tableau because we can appeal to certain difficult combinatorial constructions from the theory of a u t o m a t a on infinite objects. The most i m p o r t a n t of these is determinization of a u t o m a t a . 7 The power of a u t o m a t a theory seems to lie in a reservoir of deep combinatorial results t h a t show how to construct an a u t o m a t o n corresponding to a formula, even though t h a t correspondence is by no mear~s apparent. Of course, this opacity could be viewed as a drawback, but it seems to be inherent in the problem. 4.2

Tableau-based Decision Procedure

for CTL

The basic idea underlying the tableau m e t h o d is as follows. Given a formula f , we initially construct a tableau graph T, based on systematic case analysis. The nodes of T are essentially sets of subformulae of f . T h e "meaning" of a node is the conjunction of all its associated subformulas, and a node is thought of as a state satisfying those subformulas in a potential model of f . The nodes of T 7 It seems that in most cases complementation is what is really needed. Complemenration" for infinite string automata can be accomplished without determinization (cf. e.g. [SVW87]). However, for automata on infinite trees it is not clear that complementation can be performed without determinization of w-string automata.

60 thus correspond to a partitioning/covering of the state space of potential models, based on which subformulae do and do not hold at a state. We then successively prune from T nodes which are inconsistent; for example, nodes which assert that a formula is presently both true and false, or rlodes which assert that something eventually happens while it really does not. After all such pruning is performed whatever remains is the final tableau which encodes all potential models, if any, of f . Below we describe the method in greater detail. We build an initial tableau To which is a bipartite graph consisting of ORnodes D and AND-nodes C, where each node is a set of formulae whose "meaning" is their conjunction. We will then prune the tableau, deleting inconsistent nodes. To is constructed starting with Do = {f0}. In general, we have a method, described below, of decomposing an OR-node D to get its set of AND-node successors C~, and another method for constructing the OR-node successors Dj of AND-node C. If any set C~ already appears in the the tableau, we make it a successor of D. Thus, a set of formulae appears at most once as an AND-node in the' tableau. Similarly for OR-nodes. This bounds the size of To. We perform a-/3-expansion to systematically decompose a given OR-node D that we are testing for satisfiability into boolean combinations of e l e m e n t a r y formulae, which are atomic propositions P, their negations "~P, and nexttime formulae A X f , E X f . In this way, D is shown to be equivalent to certain boolean combinations of assertions about now and nexttime. To do this decomposition, we note that each n o n e l e m e n t a r y formula may be classified as either a conjunctive formula a = a l A c~2 or a disjunctive formula/3 - / 3 1 V/32. Plainly, f A g is an a formula, while f V g is a/3 formula. A temporal modality is classified as a or /3 on the basis on its fixpoint characterization in the Mu-calculus. For example, (assuming the .structure is total) A F h = h V A X A F h is a / 3 formula, while A G h -- h A A X A G h is an a formula. Thus, given D we perform cr-/3-expansion to its formula and the resulting subformulae as long as possible. This yields a collection { C 1 , . . . , Ck} of sets of formula such that D=C1V...VCk

thereby justifying the term OR-node for D. Let C be such a Ci. C is downward closed: ~ E C implies a l , a 2 E C; /3 E C implies/31 E C or/32 E C. It follows that C is equivalent to its subset of elementary formula which is of the general form { P , . . ., -~Q, A X 9 1 , . . ., A X g k , E X h l , . . . , E X h l } .

Hence, to create the successors of C, we let for j E [1: g], D j = { g l , . - . ,gk, h i } . We have that C is satisfiable iff D1 is satisfiable and ... and Dk is satisfiable.

6]

This justifies the use of the term AND-node for C. After completing the construction of the initial tableau To, it is pruned by repeatedly applying the following deletion rules until the tableau stabilizes, yielding the final tableau T1 which is conceivably empty. 1. Delete any node C which contains both a proposition P and its negation -hR.

2. Delete any node C One of whose original successors Di has been deleted, or which has no successors to begin with. 3. Delete any node D all of whose original successors have been deleted. 4. Delete any node C containing an eventuality which is not "fulfillable" within the current version of the tableau (as described in detail below). We explain rule 4 in greater detail. An eventuality is a formula such as asserts that something does eventually happen. It is necessary to ensure that there is a certificate of its indeed happening present in the tableau. If, e.g., EFh is in Co, then there should be a path in the tableau from Co to a node C with h E C. This path defines a directed acyclic subgraph, DAG[C0, EFh], rooted at Co certifying fulfillment of EFh starting from Co. E(gUh) is handled similarly. Fulfillment of AFh in Co means, roughly speaking, that there should be a subtree rooted at C in the tableau all of whose frontier nodes C contain h. More precisely, there should be a finite, directed acyclic graph, DAG[C0, AFh], rooted at Co all of whose frontier nodes are AND-nodes C ~ containing h with the following stipulations on interior nodes: if interior OR-node D is in DAG[Co,AFh] precisely one of its tableau successors C is also in DAG[Co,AFh]; if interior AND-node C is in DAG[Co, AFh], all of its tableau successors D t , . . . , Dk are in DAG[Co,AFh]. To handle A(gUh), DAG[Co,A(gUh)] is defined similarly. The existence of such DAG's can be checked efficiently by an iterative process amounting to model checking, taking into account the OR-nodes intervening between AND-nodes. P r o p o s i t i o n 4.1. The original formula f0 is satisfiable iff the final tableau T1 contains a node C containing f0. P r o o f ( S k e t c h ) . To facilitate the argument, we define for every AND-node C and every eventuality e, DAGG[C,e] to be DAG[C,e] with interior OR-nodes elided if e E C , and, otherwise, to be some fixed, acyclic graph with exactly one C successor for each D successor of C. DAGG[C,e] is thus a potential "chunk" of a model certifying that (i) C has sufficient successors to satisfy its subformulae of the form EXhj and (ii) e, if present in C is fulfilled by the time the frontier is reached. Note that these DAGGs can be spliced together by identifying nodes in the frontier of one with the roots of others. Suppose this is done in an exhaustive and

EFh, E(gUh), AFh, or A(gUh) which

62 systematic way as shown in Figure 1. Here S1,..., SN are all the AND-nodes, i.e. the "states" of the tableau and el, . . , em are all the eventualities. We have a matrix whose entries are all the DAGG[Si,ej]'s spliced together as shown.

9 .

A L

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

level 1

0 O 0

~ j J J~

s

$1

level 2

9

9

S2

SN

level m

I.

I I I I

I I I I

-I

Fig. 1. Model formed from DAGGs

In the resulting graph, observe that each node is propositionally consistent, satisfies its EXh formulas, its AXg formulas, and its invariances such as AGh are also satisfied. The latter follows by downward closure and correctness of AX's: if AGh labels a node S, by downward closure, so do h and AXAGh. Hence all successors S~,..., S" are labeled AGh and so on. In this way, invariances may be seen to take care of themselves. The only possible problem is that eventualities may not be fulfilled. But, if an eventuality, such as ej = AFh, is not fulfilled along some path, the formula AFh is propagated along in the label of all the nodes of that path. Eventually, the path must hit (the root S of) some DAGG[S,AFh] at level j and go through its frontier where h occurs thereby fulfilling the eventuality.

63 Thus we see, that in this systematically constructed graph, call it M1, for any node C, we have/141, C ~ AC. If there is a C containing f0 then f0 is satisfiable. This establishes "soundness" of the decision procedure. Completeness of the algorithm may be established as follows. If f0 is satisfiable then there is a model M and state so such that M, so ~ f0. Without loss of generality, we may assume M has been unwound into a tree-like model. Let M ~ be the quotient structure obtained from M by identifying all states of M that satisfy exactly the same AND-node label. It follows that M ~ defines a pseudo-model of f0 that is contained within the tableau throughout its pruning. The essential point is that if an eventuality such as AFq holds at a state s in M there is a subtree of M rooted at s whose frontier nodes contain q. This subtree can be collapsed to yield DAG[Cs,AFq] in the tableau where Cs is the ANDnode for s. Hence, C, will never be eliminated on account of its eventuality AFq being unfulfilled. O The size of the tableau To is exponential in n = If01 since there are at most O(n) different subformulas that can appear in AND-nodes and OR-nodes. The pruning procedure can be implemented to run in time polynomial in IT01, yielding an exponential time upper bound. A matching lower bound can be established by simulating alternating polynomial space Turing machines (cf. [FL79]) Thus, we have (eft [EH85], [EC82]) T h e o r e m 4.2. CTL satisfiability is deterministic exponential time complete.

5

Decision

Procedures

II: Automata-theoretic

Approach

There has been a resurgence of interest in finite state a u t o m a t a on infinite objects, due to their close connection to temporal logic. They provide an important alternative approach to developing decision procedures for testing satisfiability for propositional temporal logics. For linear time temporal logics the tableau for formula P0 can be viewed as defining a finite state a u t o m a t o n on infinite strings that accepts a string iff it defines a model of the formula P0. The satisfiability problem for linear logics is thus reduced to the nonemptiness problem of finite a u t o m a t a on infinite strings. In a related but somewhat more involved fashion, the satisfiability problem for branching time logics can be reduced to the nonemptiness problem for finite a u t o m a t a on infinite trees. For some logics, the only known decision procedures of elementary time complexity (i.e., of time complexity bounded by the composition of a fixed number of exponential functions), are obtained by reductions to finite a u t o m a t a on infinite trees. The use of automata transfers some difficult combinatorics onto the automata-theoretic machinery. Investigations into such automata-theoretic decision procedures has been a fruitful and active area of research.

64 5.1

Linear T i m e a n d A u t o m a t a o n Infinite S t r i n g s

We first review the basics of automata-theoretic approach for linear time. (See [Va9?] for a more comprehensive account.) The tableau construction for CTL can be specialized, essentially by dropping the path quantifiers to define a tableau construction for PLTL, remembering that in a linear structure, Epo =- Apo =- Po. The extended closure of a PLTL formula Po, ecl(po), is defined to be {q,--q : q appears in some AND-node C }. The (initial) tableau for p0 c a n then be simplified to be a structure T = (S, R, L) where S is the set of AND-nodes, i.e., states, R C S x S consists of the transitions (s, t) defined by the rule (s, t) E R exactly when V formula X p E ecl(po), X p E s iff p E t, and L(s) = s, for each sES. We may view the tableau for PLTL formula p0 as defining the transition diagram of a nondeterministic finite state automaton .4 which accepts the set of infinite strings over alphabet ~ = 2 A P that are models of p0, by letting the arc (u, v) be labeled with AtomicPropositions(v), i.e., the set of atomic propositions in v (cf. [ES83]). Technically, `4 is a tuple of the form (Q, ~ , J , s0,~) where Q = S t9 {so} is the state set, so g S is a unique start state, J is defined so that J(s0,a) -= { states s e S : P0 E s and AtomicPropositions(s) = a} for each a E E, J(s,a) -- { states t E S : (s,t) E R and AtomicPropositions(t) = a}. The acceptance condition ~ is described below below. A run r of `4 on input x - a l a 2 a 3 . . . E ~ is an infinite sequence of states s o s l s 2 . . , such that Vi > 0 ~i(si,ai+l) D. {Si+l}. Note that Vi > ] AtomicPropositions(si) -" hi. The automaton ,4 accepts input x iff there is a run r on x that satisfies the acceptance condition ~. Several different types of acceptance conditions ~ may be used. For Muller acceptance, we are given a family ~- of sets of states. Letting I n r denote the set of states in Q that appear infinitely often along r, we say that run r meets the Muller condition provided that I n r E Y:. For a pairs automaton (cf. [McN66], [Ra69]) acceptance is defined in terms of a finite list ((m~D1, GREEN1),..., (REDk,GREENk))of pairs of sets of automaton states (which may be thought of as pairs of colored lights where ,4 flashes the red light of the first pair upon entering any state of the set RED1, etc.): r satisfies the pairs condition iff there exists a pair i E [1..k] such that REDi flashes finitely often and GREEN/ flashes infinitely often. It is often convenient to assume the pairs acceptance condition is given formally by a temporal logic formula 4} =

Vifi[1..k] (~ GREEN/A - ~ RED/). Similarly,

a complemented pairs ( cf. [St81] ) automaton has the negation of the pairs condition as its acceptance condition; i.e., for all pairs i E [1..k], infinitely often CrtEEN/ flashes implies that REDi flashes infinitely often too. The complemented pairs acceptance condition can oo

oo

given formally by a temporal logic formula 4~ = A/ell:k] FGREENI =~ FRED/. A special case of both pairs and complemented pair conditions is the Buchi [Bu62]

65 oo

acceptance condition. Here there is a single GREEN light and r = FGrtEEN. A final acceptance condition that we mention is the parity acceptance condition [Mo84] (cf. [EJ9]]). Here we are given a finite list ( C 1 , . . . , Ck) of sets of states which we think of as colored lights. The condition is that the highest index color Ci which flashes infinitely often should be of even parity. Any run of `4 would correspond to a model of P0, in that Vi >_ 1, x / A{ formulae p : p E si}, except that eventualities might not be fulfilled. To check fulfillment, we can easily define acceptance in terms of complemented pairs. If eel(po) has m eventualities (plVql), ..., (PrnUqm), we let .4 have m pairs (RED/,GREEN/)of lights. Each time a state containing (p/Uq/) is entered, flash REDi; each time a state containing qi is entered flash GREEN/. A run r is accepted iff for each i E [l:m], there are infinitely many RED/ flashes implies there are infinitely many GREEN/ flashes iff every eventuality is fulfilled iff the input string z is a model of P0. We can convert .4 into an equivalent nondeterministic Buchi a u t o m a t o n .41, where acceptance is defined simply in terms of a single GREEN light flashing infinitely often. We need some terminology. We say that the eventuality (pUq) is pending at state s of run r provided that (pUq) E s and q ~ s. Observe that run r of.4 on input z corresponds to a model of p0 iffnot(3 eventuality (pUq) e eel(po), (pUq) is pending almost everywhere along r) iff V eventuality (pUq) E ecl(po), (pUq) is not pending infinitely often along r. The Buchi automaton .41 is then obtained from .4 augmenting the state with an m + 1 valued counter. The counter is incremented from i to i + 1 mod (m + 1) when the ith eventuality, (piUqi) is next seen to be not pending along the run r. When the counter is reset to 0, flash GrtEEN and set the counter to 1. (If m = 0, flash GREEN in every state.) Now observe that there are infinitely many GREEN flashes iff Vi E [1 :m] (piUqi) is not pending infinitely often iff every pending eventuality is eventuality fulfilled iff the input string z defines a model of p0. Moreover, .4a still has ezp([ Po D'O([ p0 1) = ezP(I Po [) states.

5.2

Branching Time and Tree Automata

Similarly, the tableau construction for a branching time logic with relatively simple modal/ties such as CTL can be viewed as defining a Buchi tree a u t o m a t o n that, in essence, accepts all models of a candidate formula P0. (More precisely, every tree accepted by the automaton is a model of P0, and if P0 is satisfiable there is some tree accepted by the automaton.) General automata-theoretic techniques for reasoning about a number of relatively simple logics, including CTL, using Buchi tree a u t o m a t a have been described by Vardi and Wolper [VW84]. However, it is for richer logics such as CTL* that the use of tree a u t o m a t a become essential.

66 Tree Automata We describe finite a u t o m a t a on labeled, infinite binary trees (cf. [Ra69]). s The set {0, 1}* m a y be viewed as an infinite binary tree, where the e m p t y string A is the root node and each node u has two successors: the 0-successor u0 and the 1-successor ul. A finite (infinite) path through the tree is a finite (resp., infinite) sequence x = u0, Ul, u 2 , . . , such t h a t each node ui+l is a successor of node ui. If E is a n alphabet of symbols, an infinite binary Z-tree is a labeling L which m a p s {0, 1}* ~ Z, i.e., a binary tree where each node is labeled with a symbol from Z. A finite automaton A on infinite binary Z-trees is a tuple (Z, Q, J, q0, ~) where Z is the finite, n o n e m p t y input alphabet for the input tree, Q is the finite, n o n e m p t y set of states of the a u t o m a t o n , J : Q x E --+ 2 Q• is the nondeterministic transition function, q0 E Q is the start state of the automaton, and is an acceptance condition as described previously. A run of .A on the input Z-tree L is, intuitively, an annotation of the input tree with a u t o m a t o n states consistent with the transition function J. FormMly, a run is a function p : {0, 1}* --+ Q such that for all v 9 {0, 1}*, (p(vO), p(vl)) 9 $(p(v),L(v)) and p(A) = q0. We say that .4 accepts input tree L iff there exists a run p of ,4 on L such that for all infinite paths x starting at the root of L if r = p o x is the sequence of states `4 goes through along p a t h x, then the acceptance condition ~ holds along r.

Tree A u t o m a t a R u n n i n g on Graphs N o t e that an infinite binary tree L' m a y be viewed as a "binary" structure M = ( S , R , L ) where S = {0,1}*, R = R0 U R1 with R0 = {(s, s0) : s E S} and R1 = {(s, sl) : s E S}, and L = L'. We could alternatively write M = (S, n0, n l , L). We can also define a notion of a tree a u t o m a t o n running on an appropriately labeled "binary" directed graphs, t h a t are not trees. Such graphs, if accepted, serve as witnesses to the nonemptiness of tree a u t o m a t a . We make the following definitions.

8 CTL* and the other logics we study, have the property that their models can be unwound into an infinite tree. In particular, in [ESi84] it was shown that a CTL* formula of length k is satisfiable iff it has an infinite tree model with finite branching bounded by k, i.e. iff it is satisfiable over a k-cry tree. Our exposition of tree automata can be easily generalized k-cry trees. We consider only binary trees to simplify the exposition, and for consistency with the classical theory of tree automata.

67

A binary structure M = (S, Ro, R1, L) consists of a state set S and labeling L as before, plus a transition relation R0 (9 R1 decomposed into two functions: R0 : S ) S, where Ro(s) specifies the 0-successor of s, and R1 : S ) S, where Rl(S) specifies the 1-successor of s. A run of automaton .4 on binary structure M = (S, R0, R1, L) starting at so E S i s a m a p p i n g p : S - + Q s u c h that Vs E S, (p(Ro(s)), p(Rl(s))) E 5(p(s), i(s)) and p(so) = qo. Intuitively, a run is a labeling of U with states of .4 consistent with the local structure of .4's "transition diagram". T h e Transition D i a g r a m of a Tree A u t o m a t o n The transition function J of a tree automaton ,4 as above can be viewed in a n a t ural way as defining a transition diagram T, which facilitates the development of algorithms for testing nonemptiness. The transition diagram T of,4 is a bipartite AND/OR-graph where the set Q of states o f , 4 comprises the set of OR-nodes, while the AND-nodes define the allowable moves of the automaton. Intuitively, OPt-nodes indicate that a nondeterministic choice has to be made (depending on the input label), while the AND=nodes force the automaton along all directions. For example, suppose that for automaton .4, (f(s, a) = {(tl, U l ) , . . . , (tin, Urn)} and (f(s, b) = {(Vl, w l ) , . . . , (vn, wn)} then the transition diagram contains the portion shown in Figure 2. R e m a r k : The resemblance of the transition diagram of a tree automaton to a CTL tableau is striking. In fact, they are really the same except that in CTL the models are built out of AND-nodes, while for tree automata the models are built out of OR-nodes as we shall see below. In fact, an alternative, equivalent formulation of tree automata [GH82] has the transition function information presented by a left transition function 50 : Q x S ) 2 q giving the possible left successor states together with an independent right transition function (fl : Q• ~ ) 2Q giving the possible right successor states. For this dual formulation of tree automaton the transition diagram is just as for CTL with models built out of OR-nodes. One Symbol Alphabets For purposes of testing nonemptiness, without loss of generality, we can restrict our attention to tree automata over a single letter alphabet, and, thereby, subsequently ignore the input alphabet. Let `4 = (Q, E,5, q0,~) be a tree automaton over input alphabet Z. Let `41 = (Q, E~, (i~,q0, r be the tree automaton over one letter input alphabet ~ = (c} obtained from ,4 by, intuitively, taking the same transition diagram but now making all transitions on symbol c. Formally, `4~ is identical to `4 except that the input alphabet is E ~ and the transition function (i' is defined by ~'(q, c) = U a ~ (i(q, a). Then ,4 is nonempty iff`4' is nonempty.

68

@@@| 9

= OR-nodes (states of .A)

= AND-nodes (transitions on a)

Fig. 2. Portion of tree automaton transition diagram

Henceforth, we therefore assume that we are dealing with tree automata over a one symbol alphabet.

Generation and Containment It is helpful to reconsider the notion of run to take advantage of the organization of the transition diagram of an automaton. Intuitively, there is a run of tree automaton `4 on binary structure M starting at so in M provided M is generated from .4 by unwinding .4's transition diagram so that (a) So in M corresponds to q0 in .4, and (b) each state of M is a copy of an OR-node of .4, and, moreover, each state's successors are consistent with the transition diagram. We say that a binary structure M is contained in .4 provided M is generated by unwinding .4 starting starting at So E M and q0 E .4 and, moreover, (a copy of) M is a subgraph of T. L i n e a r Size M o d e l T h e o r e m The following theorem is from [Em85] (cf. [VS85]). Its significance is that it provides the basis for our method of testing nonemptiness of pairs automata;

69 it shows the existence of a small binary structure accepted by the a u t o m a t o n contained in its transition diagram, provided the a u t o m a t o n is nonempty. T h e o r e m 5.1 ( L i n e a r Size M o d e l T h e o r e m ) . Let A be a ~ree aut o m a t o n over a one symbol alphabet with pairs acceptance condition r = Then a u t o m a t o n .A accepts some tree T if[ ,4 accepts some binary model M , of size linear in the size of ,4, which is a structure contained in the transition diagram of A. P r o o f . (=*-) For r a pairs condition, [HR72] shows that, if.A accepts some tree M0, then it accepts some finite binary model M1 starting at some state so E/1//1. We will explain, roughly, how M1 is obtained in the case of 9 involving a single pair. Along every p a t h z of M0 there is a first node u with these properties: (i) u is labeled with a u t o m a t o n state q, (ii) there is a first node v along x strictly before u also labeled with a u t o m a t o n state q, and (iii) the set of a u t o m a t o n states in the interval along z from v to u coincides with the set of states t h a t appear infinitely often along z. The set of all such nodes u forms the frontier of a finite subtree of M0. M1 is formed from this finite subtree by identifying each u with its v (i.e., redirecting the predecessor of each u into its v). M1 is a structure generated by ,4. In the case of one pair, it follows t h a t M1, so ~ A~. 9 Given any such finite structure M1 of A ~ generated by .A we can obtain a (necessarily finite) structure M contained in .A. If two distinct nodes s and t of M1 have the same labeling with states of ,4, then we can eliminate one of t h e m as follows. A t t e m p t to delete s by redirecting all its predecessors u to have t as a successor instead. More precisely, delete all edges of the form (u, s) and replace t h e m by edges of the form (u, t). If the resulting structure, call it M t, is a model of Ar we have reduced the number of "duplicates", such as s and t by one. If not, try replacing t by s instead. If M s, the resulting structure is a model of A4~ we are done. However, if b o t h these replacements fail to yield a model of A ~ , each m u s t yield a model of E - ~ , i.e. each introduces a bad cycle. In M t the bad cycle is of the form (where u is a predecessor of s in M1) u-+t--+...--+u, where except for the first transition (u,t) the suffix p a t h from t to u is in the original MI: In M s the bad cycle is of the form (where v is a predecessor of t in M1) v--+s-+...-+v, where except for the first transition (v, s) the suffix p a t h from s to v is in the original M1. But, these two suffix paths in M1 together with the edges (u, s), and (v, t) in M1 form a bad cycle in MI: u--+s--+...-+v--+t--+...--4u. This contradicts t h a t M1 was a model of A~. 9 The technical fine point is that cycles satisfying the one pair condition are closed under union. This is not so for multiple pairs. However, a slightly more subtle construction can be used to get M1 in the case of multiple pairs (cf. [HR72]).

70 By repeatedly eliminating duplicates in this way we eventually get the desired model M contained in ,4. ( ~ ) Any model M contained in A such that M, so ~ A ~ can plainly be unwound into a tree that is accepted by `4. [] We can now use the Linear Size Model Theorem to establish the following result (cf. [EJ88]). T h e o r e m 5.2. The problem of testing nonemptiness of pairs tree automata is NP-complete. p r o o f sketch: Membership in NP (cf. [Em85], [VS85]): Given a pairs tree automaton, if it accepts some tree, then a linear size modelexists contained within its transition diagram. Guess that model. Use the (efficient FairCTL) model checking algorithm of [EL87] to verify in deterministic polynomial time oo

oo

that A(Vi (FGREENi A G-~REDi)) holds. NP-hardness is established by reduction from 3-SAT (cf. [SJ88]). [] Our overall approach to testing nonemptiness is formulated in terms of "pseudo-model checking". We write ,4, q0[[- f to indicate that `4 is a pseudomodel of f at qo; the technical definition is that there is a binary model M contained in `4 such that M, q0 ~ f. Observe that for pairs automaton ,4 with acceptance condition 4, ,4 is nonempty iff ,4, q0[[ - A~. For simplicity, we illustrate how pseudo-model checking can be performed in a very rudimentary case. Suppose that 4~ = FGREEN, so that we are dealing with a finitary acceptance condition where along each path the GREEN light should flash (at least) once. We wish to pseudo- model check ,4, q0[[- AFGREEN. We will reduce this here to ordinary model checking by fixpoint calculation. We start with the fixpoint characterization AFGREEN _----#Z.GREEN V A X Z . But notice that we cannot directly use this fixpoint characterization, on account of the presence of both OR-nodes and intervening AND-nodes in the diagram of ,4. Instead, we use lAY.GREENV E X A X Y . The inserted " E X " skips over the intervening ANDnodes appropriately. Now, A, qo[[ - AFGREEN iff `4, q0 ~ lAY.GREENV E X A X Y . This simple idea can be generalized considerably to handle pairs acceptance oo oo (cf [EJ88]). Let r be the pairs condition VieI(~FREDi A FGREENi) where I ---[l:n] is the index set for the pairs and I - i denotes I \ (i). We pseudo-model check Ar based on a fixpoint characterization in terms of simple formulae A F and A G and by induction on the number of pairs. A ~ = IAY.r(Y) where

r(Y) = V AFAG(('.I~ED~V.Y) A A(FGREENIV O-i)) iE1

The pseudo-model checking algorithm of the transition diagram of ,4 must simultaneously search for a graph contained within ,4 and check that it defines a

7] model of the pairs condition Ar It successively calculates the set of states where r i (false) is "satisfiable" in the transition diagram using Tarski-Knaster approximation. The effective size of the above fixpoint characterization is exponential in the number of pairs. The pseudo-model checking algorithm runs in time proportional to the size of the fixpoint characterization and polynomial in the size of the transition diagram. It is shown in [EJ88] that this yields a complexity of (mn) ~ for an automaton with transition diagram of size m and n pairs. This bound is thus polynomial in the number of automaton states, with the degree of the polynomial proportional to the number of pairs. This polynomial complexity in the size of the state diagram turns out to be significant in applications to testing satisfiability as explained below. Related results on the complexity of testing nonemptiness of tree automata may be found in [EJ88], [PR89], [SJ91].

Decision P r o c e d u r e for CTL* For branching time logics with richer modalities such as CTL*, the tableau construction is not directly applicable. Instead, the problem reduces to constructing a tree automaton that accepts some tree iff the formula is satisfiable. This tree automaton will in general involve a more complicated acceptance condition such as pairs or complemented pairs, rather than the simple Buchi condition. Somewhat surprisingly, the only known way to build the tree automaton involves difficult combinatoriM arguments and/or appeals to delicate automata-theoretic results such as McNaughton's construction ([McN66]) for determinizing automata on infinite strings, or subsequent improvements [ESS3], [SaS8], [EJ89]. The original CTL* formula f0 can be converted, by the introduction of auxiliary propositions, into a normal form fl that is satisfiable iff the original formula is, but where path quantifiers are nested to depth at most 2. For example,

EFAFEGP EFAFQ1 A AG(Q1 =_EGP) ,~ EFQ2 A AG(Q2 -- AFQ1) A AG(Qi - EGP) Here g ~ h means that g is satisfiable iff h is satisfiable. By using propositional reasoning, we can further the simplify our task of testing satisfiability of fl to testing satisfiability of boolean combinations of subformulae of the form Apo, Epo, and AGEpo where P0 is a pure linear time formula. More precisely, we build tree automata for each of these three forms. A composite product automaton can then be readily obtained for fl and tested for satisfiability. It turns out that it is easy to build tree automata for Epo and AGEpo. Rather surprisingly, the crucial and difficult step is building the tree automaton the

72 branching time modalities of the form Apo, in terms of the w-string automaton for the corresponding linear time formula p. We explain the difficulty that manifests itself with just the simple modality

Apo. The naive approach to get a tree automaton for Apo would be to simply build the w-string automaton for P0 and then run it it down all paths of the input tree. However, while this seems very natural, it does not, in fact, work. To see this, consider two infinite paths zy and zz in the input tree which start off with the same common finite prefix x but eventually separate to follow two different infinite suffixes y or z. It is possible that p0 holds along both paths xy and zz, but in order for the nondeterministic automaton to accept, it might have to "guess" while reading a particular symbol of the finite prefix x whether it will eventually read the suffix y or the suffix z. The state the string automaton guesses for y is in general different from the state it guesses for z. Consequently, no single run of a tree automaton based on a nondeterministic string automaton can lead to acceptance along all paths. Of course, if the string automaton is deterministic the above difficulty vanishes. We should therefore ensure that the string automaton for p0 is determinized before constructing the tree automaton. The drawback is that determinization is an expensive operation. However, it appears to be unavoidable. For a linear temporal logic formula P0 of length n we can construct an equivalent Buchi nondeterministic finite state automaton on w-strings of size ezp(n). We can then get tree automata for Epo and AGEpo of size ezp(n). However, for Apo, use of classical automata-theoretic results yields a tree automaton of size triple exponential in n. (Note: by triple exponential we mean exp(exp(ezp(n))), etc.) The large size reflects the exponential cost to build the string automaton as described above for a linear time formula P0 plus the double exponential cost of McNaughton's construction to determinize it. For a CTL* formula of length n, nonemptiness of the composite tree a u t o m a t o n can be tested in exponential time to give a decision procedure of deterministic time complexity quadruple exponential in n. An improvement in the determinization process makes an exponential improvement possible. In [ES83] it was shown that, due to the special structure of the string a u t o m a t a derived from linear temporal logic formulae, such string a u t o m a t a could be determinized with only single exponential blowup. This reduced the complexity of the CTL* decision procedure to triple exponential. Further improvement is possible as described below. The size of a tree automaton is measured in terms of two parameters: the number of states and the number of pairs in the acceptance condition. A careful analysis of the tree automaton constructions in temporal decision procedures shows that the number of pairs is logarithmic in the number of states, and for CTL* we get an automaton with a double exponential number of states and

73 a single exponential number of pairs. 10 As described in the previous section, an algorithm of [EJ88] shows how to test nonemptiness in time polynomial in the number of states, while exponential in the number of pairs. For CTL* this yields a decision procedure of deterministic double exponential time complexity, matching the lower bound of [VS85]. For the Mu-calculus (and PDL-A (cf. [St81])) similar techniques techniques can be applied to get a single exponential decision procedure (cf. [EJ88], [SE84]). Other Comments

on Automata

There are distinct advantages to thinking automata-theoretically. First, for obtaining decision procedures, automata-theoretic techniques provide the only known methods of obtaining elementary time decision procedures for some very expressive logics such as CTL* and the Mu-calculus. The techniques are general and uniform. For example, the techniques above can be combined to yield a single exponeritiM decision procedure for the Mu-calculus [EJ88]. This was a problem which again was not obviously in elementary, much less exponential time (cf. [KP83], [SE84]). Secondly, automata can provide a general, uniform framework encompassing essentially all aspects temporal reasoning about reactive systems (cf. [VW84]], [VW86], [Va87], [AKS83], [Ku94]). Automata themselves have been proposed as a potentially useful specification language. Automata, moreover, bear an obvious relation to temporal structures, the state transition graphs of concurrent programs, etc. This makes it possible to account for various types of temporal reasoning applications such as program synthesis [PR89] and model checking in a conceptuMly uniform fashion [VW86]. Verification systems based on automata have also been developed ( cf. [Ku86]). Thus, temporal reasoning has benefited from automata. But the converse holds as well, with much work on automata inspired by and/or using ideas from temporal and modal logics. The more improved nonemptiness algorithm for pairs tree automata discussed above uses the notion of transition diagram for a tree automaton and exploits the relationship to a CTL tableau. New types of automata on infinite objects have also been proposed to facilitate reasoning in temporal logic (cf. [St81], [VS85], [MP87a], [EL87]). Exponential improvements (down to single exponential) in the complexity of determinization of w-string automata appeared in .a special case in [ES83] and in the general case in [Sa88]. Exponential improvements (again down to single exponential) in the cost of complementation of such automata have appeared in [SVW87] (cf. [EJ89]). Not only 10 Some intuition for this phenomenon can be gained by considering the case of CTL. In a naive formulation, a tree automaton for a CTL formula would use one complemented pair of lights for each eventuality to check its fulfillment. The number of lights is thus linear in the formula length while the tableau/transition diagram size is exponential in the formula length.

74 do determinization and complementation of string automata have fundamental applications to decision procedures for temporal and modal logics, but they are basic problems to the theory of automata on infinite objects in their own right.

6

Expressiveness

versus

Complexity

Two of the most important characteristics of a temporal or modal logic intended for reasoning about programs are (i) its expressiveness, referring to which correctness properties it can and cannot express; and (ii) its complexity, referring to the computational cost of performing various types of mechanical reasoning operations such as model checking and satisfiability/validity testing in the logic. Expressiveness can be characterized in several ways. Theoretical results can be established to show that, e.g., logic L1 is strictly subsumed in expressive power by logic L2. Accordingly, let us write L1 < L2 to mean that every property expressible by a formula of L1 is Mso expressible by a formula of L2 but that there is at least one property expressible by a formula of L2 that is not expressible by any formula of L1. We analogously write L1 - L2 and L1 < L2. It is then possible to establish various hierarchies and other relations of expressive power among logics. Thus, it is possible to characterize expressiveness of one logic relative to another. Another possibility is to take a particular logic or formalism as a reference standard providing, in an sense, an absolute yardstick against which other logics are compared. We will see some examples of both relative and absolute expressiveness subsequently. In practice, we may be more concerned with what specific correctness properties can and cannot be expressed within a formalism. While in general the more expressive the better, it is often sufficient to just be able to express invariance AGp, leads-to/temporal implication AG(p ==~ AFq), and a few other simple properties. A significant practical issue is how conveniently can we capture a desired property. A related theoretical issue concerns succinctness of specifications. This refers to the economy of descriptive power of a formalism: how long a formula is required to a capture a property? Two formalisms can be of equivalent raw expressive power, yet differ radically in succinctness. For example, P L T L and FOLLO (the First Order Language of Linear Order) n are equivalent in expressive power, but FOLLO can be nonelementarily more succinct, meaning that the translation of FOLLO into PLTL may cause a blowup in length not bounded by any fixed composition of exponential functions. We may ask if this means that FOLLO is better suited than PLTL for specification and reasoning about reactive programs? Probably not. Even though FOLLO can be astronomically more succinct, 11 FOLLO is essentially a formalization of the right hand side of the definition of the temporal operators; e.g., FP corresponds to 3t(t > 0 A P(t)).

75 it is quite possible that it is too succinct. Certainly, it is known that the complexity of mechanical reasoning in it would be nonelementary. PLTL, on the other hand, seems to provide a good combination of expressive power, succinctness, and complexity of mechanical reasoning (as does C T L in the branching time framework). 12 6.1

Tradeoffs

In general, the goals of work in this area are (a) to formulate the most expressive logic possible with the lowest complexity decision problem relevant to the application at hand; and (b) to understand the tradeoffs between complexity and expressiveness. In connection with point (b), it is worth noting that there is some relationship between the syntactic complexity of temporal logic formula and the computational complexity of their decision procedures. This appears related to the size and structure of the a u t o m a t o n (that would be) constructed for the formula. However, the relationship is somewhat intricate.

6.2

Expressiveness Hierarchy

The hierarchy shown below illustrates some of the key points regarding expressiveness that we would like to emphasize.

CTL =- CTL + < C T F < CTL* < PDL-A < L# -- Tree A u t o m a t a

The first thing to note is that (finite state, pairs) tree a u t o m a t a coincide in expressive power with the Mu-calculus. Since virtually all mechanical reasoning operations can be performed in terms of tree a u t o m a t a and all branching time logics can, it turns out, be translated into tree automata, it is reasonable to take tree automata as a reference standard for branching time expressibility. 13 12 Actually, rather little research effort has gone into work on succinctness. Particularly valuable topics might include: identification of tractable and useful fragments of FOLLO (or equivalently S1S), use of w-regular expressions as a specification language, and general efforts to gain a deeper understanding of the relation between syntactic Complexity of a formula and the cost of mechanical reasoning w.r.t, the formula. 13 In this connection, there is one minor technical caveat about comparing apples and oranges in the context of expressiveness: tree automata as originally defined run on infinite binary trees and can distinguish "left" from "right". In contrast, logics such as CTL* (or the the Mu-calculus with A X , E X as opposed to <0>, [0], <1>, [1]) are interpreted over models of arbitrary arity but cannot distinguish "left" from "right". There are a variety of ways to formulate a uniform, compatible framework permitting

76 We next note that the logic PDL-A is strictly subsumed in expressive power by the Mu-calculus. PDL-A is the Propositional Dynamic Logic with infinite repetition operator; in essence, it permits assertions whose basic modalities are of the form E~ where ~ is an w-regular expression (cf. [St81]). PDL-A can be translated into the Mu-calculus essentially because w-regulai expressions can be translated into the "linear time" Mu-calculus (cf. [EL86]). For example, P*Q pZ.Q v (P A X Z) and P~ =_ v Y . P A X Z. Similarly, E P* Q - # Z . Q v ( P A E X Z) and E P ~ =_ u Y . P A E X Z . The general translation can be conducted along these lines. It can be shown, however, that vY. <1> YA <2> Y is not expressible in PDL-A, over ternary structures with directions/arc labels 0, 1, 2 (cf. [Niw84]). We also have that CTL* is strictiy subsumed in expressive power by PDL-A. CTL* can be translated into PDL-A through use of tl~e following main idea: each linear time formula h defines; using the tableau construction, an equivalent Buchi automaton (cf. [ES83]) which can be translated into an equivalent wregular expression a. Thus, the basic modMity E h of CTL* maps to E a in PDL-A. Because w-regular expressions are strictly more expressive than PLTL (cf. [MP71], [Wo83]), there are properties expressible in PDL-A that cannot be captured by any CTL* formula. E ( P ; true) ~ is perhaps the classic example of such a property. It is worth noting that CTL* syntax can be described in a sort of shorthand: B(F, G, X, U, A, -~, o). This means that the basic modalities of CTL* are of the form A or E (for a Branching time logic) followed by a pure linear time formula built up from the linear time operators F, G, X, U, the boolean connectives A,-~, with nestings/compositions allowed as indicated by o. Then we have the expressiveness results below (cf. [EH86]). We next compare CTL* with CTF, which is the precursor to CTL and CTL*, oo

going back to [ECS0]. CTF may be described as the logic B(F, G, X, U, F, A, -~): Plainly, any CTF formula is a CTL* formula. The difference, syntactically, is that CTF does not permit arbitrary nesting of linear time formulas in its basic co

modalities, although it does permit the special infinitary operator(s) F (and in effect its dual ~) to support reasoning about fairness. However, the CTL* basic modality A ( F ( P A X P ) ) is not a CTF formula and, moreover, can be shown to be inequivalent to any CTF formula. Thus, CTL* is strictly more expressive than CTF. The logic CTL + is given as B(F, G, X, U, A, -~), permitting basic modalities with linear time components that are boolean combinations of the linear time operators F, G, X, U. Thus, CTL + is a sublanguage of CTF, omitting the infinimeaningful comparisons. One way is to compare "symmetric" tree automata, which do not distinguish left from right, interpreted over binary trees with branching time logics. See also the amorphous tree automata of [BG93]. The Mu-calculus would be equivalent to tree automata in any such reasonable common framework.

77 o(3

(3o

oo

tary operator F and its dual G. It can be shown that, for example, E F P is not expressible in CTL +. Thus, CTL + is strictly subsumed in expressive power by CTF. The last logic shown, CTL, is B(F, G, X, U), whose basic modalities permit just a single linear temporal operator F, G, X, U following A or E. Plainly CTL is a sublanguage of CTL +. Conversely, every formula of CTL + can be translated into an equivalent CTL formula9 The essence of the translation is that the CTL + formula E(FP1 A FP2) is equivalent to the CTL formula EF(P1 A EFP2) V

EF(P~ ^ EFP1). Finally, we comment again that comparisons of raw expressive power do not necessarily hold in like kind for succinctness. For example, even though CTL is equivalent in raw expressive power to CTL +, the translation of CTL + into CTL can be effected with an exponential blowup. The CTL + formula E(FP1 A FP2 A 9 A FPn) is translated into the following equivalent but long CTL formula:

V il,i2,...,i,t

is a p e r m u t a t i o n

EF(PI1 A EF(Pi 2 ^ . . . ^ EFPI,~)) o f [l:rt]

Furthermore, while CTL* is less expressive than P D L - A it can be exponentially more succinct. 6.3

C o m p l e x i t y Summary

The table below summarizes key complexity results for automated temporal reasoning. The left column indicates the logic under consideration, the associated entry in the middle column characterizes the complexity of the logic's model checking problem, while the associated right column entry describes the complexity of the satisfiability problem. Each row describes a particular logic: PLTL, CTL, CTL*, and the Mu-calculus.

Logic PLTL CTL CTL* L/~(k)

Model Satisfiability Checking Testing PSPACE-complete PSPACE-complete O(IM I 9exp(IpoD) time P-complete EXPTIME-complete O(]M[-IP01) time PSPACE-complete 2EXPTIME-complete O([M[- exp([poD) time NP N co-NP EXPTIME-complete ([M[. [p0[)~ time

78 The first row deals with PLTL, whose complexity was first analyzed in [SC85]. (cf. [Va9?]). PLTL model checking can be polynomially transformed to PLTL satisfiability testing. The essential point is that the "structure" of a structure M can be described by a PLTL formula where the nexttime operator and extra propositions are used to characterize what states are present what are the successors of each state. The satisfiability problem of PLTL is PSPACE-complete. In practice, this bound amounts to a decision procedure of complexity exp(n) for an input formula h of length n. The decision procedure is a speciMization of that for CTL: build the exponential sized tableau for the formula, which may be viewed as a Buchi nfa on infinite strings and tested for nonemptiness in time polynomial in the size of of the automaton. It is possible,in fact, to build the automaton on-the-fly, keeping track of only an individual node and a successor node at any given time, guessing an accepting path in nondeterministic polynomial space34 This serves to show membership in PSPACE for satisfiability testing of PLTL and for model checking of PLTL by virtue of the above-mentioned reduction. By a generic reduction from PSPACE-bounded Turing machines, PLTL model checking can be shown to be PSPACE-hard; it then follows that PLTL satisfiability testing is also PSPACE-hard. An important multi-parameter analysis of PLTL model checking was performed by Lichtenstein and Pnueli [LP85], yielding a bound of O(IM I 9exp(Ihl) ) for an input structure M and input formula h. The associated algorithm is simple and elegant. We wish to check whether there is a path starting at a given state so in M satisfying the PLTL formula h. (We clarify why we have formulated the PLTL model checking problem in just this way below.) To do that, first build the tableau 7- for h. Then form essentially the product graph M x 7-, view it as a tableau, and test it for satisfiability. This amounts to looking for a path through the product graph whose projection onto the second coordinate defines a model of h that, by virtue of the projection onto its first coordinate, must also be a path in M. Vardi and Wolper [VW86] made the important recognition that this construction could be described still more cleanly and uniformly in purely automata-theoretic terms. Use 7- to define an associated Buchi nfa ,4. Then define a Buchi automaton B that is the product of M and .A, and simply test B for nonemptiness. Along with the above algorithm and its complexity analysis, the following "Lichtenstein-Pnueli thesis" was formulated: despite the potentially daunting exponential growth of the complexity of PLTL model checking in the size of the specification h formula, it is the linear complexity in the size of the input structure M which matters most for applications, since specifications tend to 14 See the very interesting work by Barringer et. al [BFGGO89] on executable temporal logics extending this idea.

79 be quite short while structures tend to be very large. Thus, the argument goes, the exponential growth is tolerable for small specifications, and we are fortunate that the cost grows linearly in the structure size. Our main point of concern thus should be simply the structure size. There appearsto be a good deal of empirical, anecdotal evidence that the Lichtenstein-Pnueli thesis is often valid in actual applications. As further noted in a forthcoming section, very simple assertions expressible in a fragment of CTL are often useful. On the other hand, it is also possible to find instances where the Lichtenstein-Pnueli thesis is less applicable. We remark that we have formulated the PLTL model checking problem to test, in effect, M, so ~ Eh. However, in applications using the linear time framework, we want to know whether all computations of a program satisfy a specification h'. This amounts to checking M, so ~ Ah ~. It is, of course, enough to check M, so ~: E('~h ~) which the Lichtenstein-Pnueli formulation handles. Since PLTL is trivially closed under complementation we thus have a workable, efficient solution to the "all paths" problem in terms of of the Lichtenstein-Pnueli formulation. (cf. [EL87]). The next row concerns CTL. CTL model checking is P-complete. Membership in P was established in ICE81] by a simple algorithm based on the Tarski-Knaster theorem. This was improved to the bound O([M]]f] ) for input structure M and CTL formula f in [CES86]. Satisfiability testing for CTL is complete for deterministic exponential time [EH85]. The upper bound established using the tableau method was discussed previously. The lower bound follows by a generic reduction from alternating polynomial space Tm's (cf. [FL79]). We next consider CTL*. Its model checking problem is of the same complexity as for PLTL. It is PSPACE-complete with a multi-parameter bound of O([M[. ezp([f])). The lower bound follows because the PLTL model checking problem is a special case of the CTL* model checking problem. The upper bound follows because, as noted above,. Ah = ~E~h, and by using recursive descent to handle boolean connectives and nested path quantifiers. In particular, to check the formula E ( F A G P A GAFQ), first check A G P and label all states where it holds with auxiliary proposition P~ ; next check A F Q and label all states where it holds with auxiliary proposition Q~ ; finally, check E ( F P ~A GQ/). Of course, in practice it is not really necessary to introduce the auxiliary propositions. It is simply enough to observe that subformulas A G P and A F Q are state formulas that can be used to first label the states where they are found to hold before evaluating the top level formula. CTL* satisfiability can be tested in deterministic double exponential time by building a tree automaton of essentially double exponential size and then testing it for nonemptiness as discussed previously. The lower bound follows by a generic reduction from alternating exponential space Tm's [VS85].

80 Finally, we come to the complexity of the Mu-calculus, L#. There are a number of interesting open questions concerning model checking in the Mucalculus. First, a "tight" bound is not known. We do know that it is in NP N co-NP [EJS93]. There are not too many such problems known. It suggests that we ought to be able to show that it is in P, but it has so far resisted all efforts to do so by a number of researchers. On the other hand, were it, say, shown to be NP-complete then we would get that NP = co-NP, which seems highly unlikely. The argument establishing membership in NP follows from observing that, given a structure M and a Mu-calculus formula f , a nondeterministic T m can guess a "threaded" annotation of the states and edges in M with "ranked" subformulas. The ranks indicate how many times a #-formula can be unwound and the threads indicate whether subformula f at state s generates subformula g at a successor state t. It is then only necessary to check that this annotation is propositionally consistent at each state and well-founded. Membership in co-NP follows because the Mu-calculus is trivially closed under negation. However, we can say more about useful fragments of the Mu-calculus. Recall the notion of alternation depth of a Mu-calculus formula referring to the depth of "significant" nestings of alternating least and greatest fixpoints. We use Lpk to indicate the Mu-calculus fragment where formulas are restricted to alternation depth k. Using the Tarski-Knaster theorem and basic monotonicity considerations, a time bound of O((IM I 9Ill) k+l) can be shown (cf. [EL86]). Subsequent work has addressed improving the degree of the polynomial to simply k (cf. [An93], [CS93]). In fact, this can be improved to about O((tM I 9 Ill) k/2) (cf. [Lo§ by a technique that trades time for space and stores, roughly, all intermediate results. However, this method also uses space about O((IM ] 9 Ill)k~2). In contrast, the straightforward algorithm only uses about O(IM 19Ifl) space. Of course, all known "practical" properties including all those expressible in PDL-A are in L/~2 and can be model checked in low order polynomial time. Finally, satisfiability testing for the Mu-calculus is in deterministic exponential time [EJ88], as shown by building a tree automaton essentially equivalent to the Mu-calculus formula and testing it for nonemptiness. The lower bound of being deterministic exponential time hard again follows by simulating alternating polynomial space Wm's. 15

6.4

A u t o m a t o n Ineffable P r o p e r t i e s

While finite state a u t o m a t a on infinite trees seem a good reference standard for logics of the sort we have been considering, it is worth noting that there are some types of reasonably properties correctness properties which are not expressible by any finite state tree automaton. One such property we refer to as "uniform inevitability". 15 or by succinctly encoding CTL.

8] The property of (ordinary) inevitability of P is expressed by the CTL formula

A F P . This is of the general form Y computation 3 time P; note that the time i a which P occurs along a given computation path depends on the specific path. The property of uniform inevitability is of the general form 3 time Y computation P. That is, there is a single, uniform time i such that along all computation paths P holds at exactly time i. Interestingly, it can be shown that uniform inevitability is not definable by any finite state automaton on infinite trees [Em87]. The argument is akin to that used to establish the pumping lemma for ordinary context free languages. However, uniform inevitability is definable by a type of pushdown tree automata. 6.5

M u - c a l c u l u s is E q u i v a l e n t t o T r e e A u t o m a t a

The Mu-calculus is equivalent in expressive power to tree automata. This result was first given in [EJ91]. We will discuss t h a t argument and the information that Can be extracted from it. But first we note that the result can be rather easily obtained by using translation through SnS concatenated with other known results. In [KP83] it was established that the Mu-calculus can be translated into SnS: Lp < SnS. Earlier, IRa69] established the basic result that tree automata are equivalent to SnS: ta --__SnS. Later, [Niw88] showed that for a restricted Mu-calculus, call it R/z, we have ta = R#. By definition, Rju < L/~. Putting it all together, Lp _< SnS-- ta = R# < Lp We conclude that Lp --- ta. The limitation of the above argument is t h a t many appeals to the Complementation Lemma are made in the proof of the step SnS -=- ta in IRa69]. The Complementation Lemma asserts that if tree language L is accepted by a finite state pairs automaton on infinite trees, the complement language L is also accepted by some finite state pairs tree automaton on infinite trees. The original proof of Rabin IRa69] was extraordinarily difficult and intricate, and the Lemma remains one of the technically most challdnging results in the field. Because of its technically formidable nature as well as its importance to applications involving decidability of logical theories 16, a number of authors have attempted to give simpler proofs of the Complementation Lemma (cf. [RAT1], [GH82], [Mu84]). Arguments were given in [EJ91] (a) to prove directly that ta -= Lp ; and showing how to use that to (b) give a simplified proof of the Complementation Lemma by translation through the Mu-calculus. The equivalence (a) is established by showing Lp < ata < ta-=- R# < Lp 18 We emphasize that CTL* and Lp satisfiability seem to require string automaton determinization or tree automaton complementation.

82 where ata denotes the class of alternating tree a u t o m a t a (which are defined technically below). All of these translations from left-to-right are direct. None involves the Complementation Lemma. We can then accomplish the simplified proof (b) of the Complementation L e m m a based on the following simple idea: given a a tree automaton ,4 there is an equivalent Lp formula f . The negation of f , -~f, is certainly also a f o r m u l a o f Lp since Lp is trivially closed under syntactic negation. Therefore, -~f can then be translated into an equivalent tree automaton which recognizes precisely the complement of the set of trees recognized by A. R e m a r k : The restricted Mu-calculus, Rp, of [Niw88] consists of formulas f, g, ... built up from constructs of these forms: atomic proposition constants and their negations P, Q, -~P, -~Q..., atomic proposition variables Y, Z , . . . , restricted conjunctions of the form P A EXoY A EX1Z, disjunctions f V g, and least and greatest fixpoint operators i.tY.f(Y), ~,Y.f(Y). Since it is not syntactically closed under complementation, nor obviously semantically closed (as the general A is missing) 17, we cannot use it directly to establish the Complementation Lemma.

L/~ into ata The idea underlying the translation of Lp into ata is simple: a Mu-calculus formula is an alternating tree automaton. In more detail, the syntax diagram of a Mu-calculus formula may be viewed as (a particular formulation of) the transition diagram of an alternating tree automaton that checks the local structure of the input tree to ensure that it has the organization required by the formula. As the alternating automaton runs down the input tree, "threads" from the syntax diagram are unwound down each path; in general, there may be multiple threads going down the same path of the tree due to conjunctions in the formula. We remark that it is these conjunctions and associated multiple threads which make the automaton an alternating one. For example, the syntax diagram of pY.P V ( < 0 > YA < 1 > Y) is shown in Figure 3. As indicated, there is a node in the syntax diagram for each subformula and an edge from each formula to its immediate subformulae. In addition, there is an edge from each occurrence of Y back to #Y. The transition diagram consists of AND-nodes and OR-nodes. All nodes are OR-nodes except those corresponding to connective A. is Each node has an input symbol, usually an implicit r indicating, as usual, that no input is consumed. The automaton starts in state pY, from which it does an ~ move into state V. In state V it makes a nondeterministic choice. The automaton may enter state 17 It is semantically closed but the proof requires an appeal to the Complementation Lemma. is Matters are simplified by noting that over a binary tree 0,1 are functions, not just relations.

83

%

%9 %

% %

/\ P

%

%

V

%

/

A

I

t I t ! ! !

<( )>

I I I I

I I / I

Y"

I

/S

s S

Fig. 3. Syntax diagram of pY.P V (<0> YA <1> Y)

P. In this case it checks the input symbol labeling the current node to see if it matches P, in which case it accepts; otherwise, it rejects. Alternatively, the automaton may enter state A, which is an AND-node and from which it will exercise universal nondeterminism. From A the automaton launches two new threads of control: < 0 > down the left branch and < l > down the right branch. Then state < 0 > does an e move to ensure that at the left successor node the automaton is in state Y from which does an e move into pY, Similarly, state < 1 > does an ~ move to ensure that at the right successor node the automaton is in state Y and then I.tY. Etc. Acceptance is handled by colored lights placed to ensure that p-regeneration 19 is well-founded. One way to do this is to associate a pair of lights (REDi, GrtEEN~) with each eventuality # ~ . f . Whenever the eventuality # ~ .f is regenerated along along a thread, indicated in the syntax diagram by traversing the edge re-entering the node for/tY/from within the scope of/~Y~, flash GREENi. Whenever the scope of #Y~ is exited, flash RED~. Thus, /~Y~.f is regenerated infinitely often along a 19 Informally, this refers to recursive unfolding of p- formulae.

84 oo

oo

thread iff F GrtEENi A ~FREDi holds along it. Call a thread meeting the associated pairs condition bad. Then the Mu-calculus formula is true of the input tree iff the associated ata accepts the tree by virtue of the existence of a run on the tree such t h a t all threads of all paths of the run are good (i.e., not bad). This amounts to acceptance by the complemented pairs condition Ai(FGREENi ::~ FRED/)

Nondeterminization Next, we must discuss the "nondeterminization" of an alternating tree automaton needed to show ata _< ta. First, however, we make precise the notion of such an alternating tree automaton. An a t a `4 is just like an ordinary, nondeterministic ta except that it has both existential and universal nondeterminism. This is reflected in its transition function which permits transitions of the form 6(q, a) = {({r~,...,r~l},{s~,...,s~}),...,({r~,...,rklk},{s~,...,skmk})}. The meaning is that when a u t o m a t o n .4 is in state q at current node v of the input tree which is labeled with symbol a, then .4 first uses existential nondeterminism to choose among k alternative next moves. Each possible existential next move is specified by a pair of the form ({r~,.. . , r iti ) , { s l , . . . , s ~ n ' } ) , with 1 < i < k. Then the a u t o m a t o n exercises universal nondeterminism to go into all of the states r l , . . . , r ili on the left successor node v0 and into all of the states s ii, . . . , sm' on the right successor node vl. As usual, the a u t o m a t o n .4 starts out in a designated start state q0 on the root node A of the input tree. By applying the above transitions a run of .4 on the input tree is constructed. This run is not just a labeling of the nodes of the input tree with a u t o m a t o n states, but a superposition of a tree of threads (sequences of a u t o m a t o n states) on the input tree. If q is the tip of a thread z a node v, which is labeled by symbol a, and (i(q, a) is of the form above, then z branches into extending threads of the form z r ~ , . . . , zrel i corresponding to the left successor v0, and z s ~ , . . . , zs i"~ , corresponding to the right successor vl. Any infinite tree comprised of threads in this way constitutes a run o f . 4 on the input tree. The a u t o m a t o n ,4 accepts the input tree provided there exists a run on the input tree such t h a t along every p a t h every thread meets the acceptance condition of the a u t o m a t o n (Buchi, pairs, etc.). Note that a run p of.4 on an input tree m a y be viewed as a tree superimposed on the input tree. Thee m a y be two or more copies of the same a u t o m a t o n state q as the tip of two different finite threads corresponding to a particular tree node. These copies of q m a y make different existential moves. One therefore cannot merge such different copies of q as the "threads" t h a t would result would in general be different from those in the original run. However, for a history free alternating tree automaton, if it has an accepting run, it has an accepting run in which the existential choices depend only on the

85 current state and position in the tree (and not the thread of which it is a tip). Thus, such a history free run will not necessarily be a tree superimposed on the input tree, but a dag, with intuitively threads intertwined down each tree branch, such that there is only a single copy of each automaton state at each tree node. Along a path through the input tree, the coSafra construction (cf. [EJ89], [Sa92]) can be used to bundle together the collection of infinitely many threads along the path, which are choked through a finite number of states at each node. Finally, it turns out that the alternating tree automaton corresponding to a Mu-calculus formula is history free. The intuitive justification is that at each existential choice node, one can take the choice of least rank, ensuring that p's are fulfilled as soon as possible. Remark: An alternative method of nondeterminization is to essentially construct the tree automaton for testing satisfiability of a Mu-calculus formula as in [SE84]. A sharpening of this construction builds a tree automaton equivalent to the Mu-calculus formula. Basically, perform a tableau construction to get a local automaton checking the invariance properties inherent in the formula. Conjoin it with a global automaton that checks well-foundedness of p-regenerations. The global automaton is obtained as follows: Build an w-string automaton that guesses a bad thread through the tableau along which some p-formula is regenerated infinitely often, in violation of the requirement that it should be wellfounded. Then use the coSafra construction to simultaneously determinize and complement that string automaton, The tree automaton that runs the resulting string automaton down all paths of the tree is the desired global automaton that checks the liveness properties associated with p-formulas.

6.6

Restricted Temporal Logics

If one considers longstanding previous trends in the work on decision procedures for (propositional) temporM and modal logics of programs, one observes the following characteristics: - There has been a continual emphasis toward logics of increasingly greater expressive power. - Most work has sought the most expressive temporal logic decidable in single exponential time deterministically; this is a consequence of the fact that the temporal logic subsumes ordinary propositional logic and the reasonable presumption that P r NP, strongly suggesting that we can not do better in general. - A quest for increasing generality and richness of of expressive power. We now discuss a possibly promising counter-trend (cf. [ESS89]) toward more limited logics with these characteristics:

86 - The limited logics exhibit greater specificity; they are tailored for particular applications. - The limited logics are of restricted expressive power. The restrictions may limit both raw expressive power and economy of descriptive power. - They are intended to support efficient, polynomial time decision procedures. We will focus on the restricted logics from [ESSS9] and lEES90]. It can be quite delicate to obtain a logic that is restricted, efficiently decidable, and at the same time useful. Some of the implications of these requirements are: We must give up propositional logic in its full generality, since obviously any logic subsuming propositional logic must be at least NP-hard. - The atomic propositions should be disjoint and exhaustive. Otherwise, if we allow overlapping propositions, there can be as many as 2 n subsets of n propositions, yielding an immediate combinatorial explosion. (In practice, this restriction may not be that onerous in our applications. For example, we may wish to describe a program which may be in any of n locations. This may be described using propositions at-locl,...,at-lOCn. - The overall syntax should be simplified. One simplification is to restrict formulas to be of the form: A assertion; t h a t is, to be a conjunction of simpler assertions. Note that for purposes of program specification A is more fundamental than V- One typically wants a program that meets a conjunction of criteria. Another simplification is to limit the depth of nesting of temporal operators. Deeply nested temporal modalities are rarely used in practice anyway.

-

Simplified

C T L

We first consider Simplified CTL (SCTL). It turns out that SCTL corresponds precisely to the fragment of CTL actually used in program synthesis in [EC82]. The formulae of SCTL are conjunctions of assertions of the following forms: P V . . . V P~ -initial assertions AG(Q V . . . Ol) - invariance assertions AG(P ~ A F ( R V . . . V R)) - leads-to assertions A G ( P ~ A((Q V . . . V Q')Us(R V . . . R ' ) ) - assurance assertions - AG(P ~ AX(Q, V . . . v Q~)A - successor assertions E X ( R V . . . V R') A . . . A E X ( S V. . . V S~))

-

-

-

-

over an alphabet of disjoint, exhaustive propositions P, P~, Q, Q~, R, R~,..., etc., subject to the following Euclidean Syntactic Constraint (ESC): If an SCTL formula has conjuncts of the form A G ( P =~ AFQ) and AG(P ~ A X ( . . . R V . . . ) . . . ) then AG(R ~ AFQ) must also be a conjunct of the formula.

87 The ESC ensures that eventualities are recoverable from propositions alone. The significance in practice of the ESC is that, while it is a restriction, it permits the specification of "history-free" processes. This means that the eventualities pending at each state S of a process are the same irrespective of t h e path taken by the process from its initial state to S. The restricted syntax of S C T L permits the decision procedure of CTL to be simplified yielding a polynomial time decision procedure for formulas of SCTL. To understand in broad terms why this is possible in it helpful to think automata-theoretically [VW84]. The a u t o m a t o n / t a b l e a u for a CTL formula m a y be thought of as the product of the local automaton (the nexttime tableau) with the global automaton, which is itself the product of an eventuality a u t o m a t o n for each eventuality such as AFP. The size of the whole a u t o m a t o n is thus the size of the the nexttime tableau times the product of the sizes of each eventuality automaton. An eventuality automaton for, say, A F P has 2 states, one for A F P being pending, one for it it being fulfilled (or not required to be satisfied). Thus, the size of the whole automaton is exponential in the number of eventualities. However, if the set of pending eventualities can be determined from set of atomic propositions, as is the case with SCTL owing to the ESC, then the local automaton can serve as the entire automaton. The SCTL decision procedure then amounts to:

-

Construct the nexttime tableau for the input formula f0 using the nexttime assertions. Each atomic proposition P is an AND-node of the tableau. Each such AND-node P gets sets of successor AND-nodes, intermediated by ORnodes, based on the nexttime assertion 2~ associated with P . For example, AG(P ~ AX(Q1 v Q2 v R1 V R2) A EXQ1 A EX(R1 V R2)) would have two OR-node successors, one with AND-node Q1 as a successor, the other with AND-nodes R1, R2 as successors. This is the local automaton .4io. By virtue of the ESC it is also the entire automaton. The initial assertions determine the "start state".

- Check .410 for "nonemptiness". Repeatedly delete "bad" nodes from its transition diagrams. There is associated with every node a set eventualities e that must be fulfiliable. The key step is to ensure that e a c h such e is fulfillable by finding the appropriate DAG[Q,e]'s as for ordinary CTL.

Example: Consider the SCTL formula comprised of the conjunction of the following assertions: 20 Without loss of generality we may assume there is only one.

88

(P V Tt) AG(P V R V S V T) AG(P ~ A X S A EXS) AG(R ~ A X ( R Y T) A EXT) AG(S ::~ A X ( P V R) A E X P A EXR) AG(T :::vA X ( P Y T) A E X ( P Y T) AG(P :=~AFT) AG(S ~ AFT) We get the initial tableau shown in Figure 4 (i). Since A F T is not fulfillable at node P, delete P . Propagate the deletion to any incident edges as well as OR-nodes whose only successors were P. The resulting tableau is shown in Figure 4 (ii). Node S violates its successor assertion because it no longer has a P successor. Thus, S is deleted and its now spurious successor OR-node, In Figure 4 (iii) the final pruned tableau is shown. It induces the model shown in Figure 4 (iv).

Restricted Linear Temporal Logic We now consider another logic that turns out to be efficiently decidable: Restricted Linear Temporal Logic (RLTL). It is presented, for the sake of uniformity, in CTL-like syntax. But the path quantifiers are all A's; hence, any satisfiable formula has a linear model, and it may be viewed as a linear time logic. Alternatively, the path quantifiers may all be elided to get formulae that are literally within the syntax of PLTL. Formulae are now conjunctions of assertions of the following forms:

AG(Q V . . . Q') - AG(P =~ A F ( R Y . . . V R~)) AG(P =~ AX(Q V . . . V Q')) -

-

- invariance assertions - leads-to assertions - successor assertions

where again propositions are disjoint and exhaustive. There is no Euclidean Syntactic Constraint or related restriction. Nonetheless, we can establish the following T h e o r e m Satisfiability of RLTL can be tested in deterministic polynomial time. P r o o f i d e a . The basic idea is simple: Build the nexttime tableau. The input formula is satisfiable iff the tableau has a total, self-fulfilling strongly connected

89

(i)

57) (fi)

(iii)

(iv)

Fig. 4. SCTL decision procedure example

subgraph C. The latter means that if any AF(Q V V Q') appears in C, then one of Q , . . . , Q' also appears in C. Thus it suffices to build the initial tableau, split into SCC's, delete non-self-fulfilling SCC's, until stabilization.

Example: Consider the RLTL formula comprised of the conjunction of the following assertions:

90

AG(P V Q V R V S V T ) AG(P ~ AXQ) AG(R =~ A X P ) AG(T ~ A X ( P V R)) AG(Q ::~ A X ( R Y S)) AG(S ~ A X ( R V S)) AG(Q :* AFP) AG(S ::~ AFT) The initial nexttime tableau is shown in Figure 5 (a). It is partitioned into SCC's: {{T},{P,Q,R,S}}. The SCC {T} is deleted because it is not total. The node S is deleted from SCC {P, Q, R, S}. because AFh is not fulfillable. See Figure 5 (b) Then the remainder of this SCC is split into SCC's yielding {{P, Q, R}}. The sole remaining SCC of this collection, {P, Q, R}, is total and self-fulfilling. Hence, any infinite path through it defines a model of the original specification as in Figure 5 (c).

Restricted

Initialized

Linear

Temporal

Logic.

We now illustrate that the boundary between efficient decidability and worst case intractability can be quite delicate. Certainly, RLTL is highly restricted. While useful specifications can be formulated in RLTL, many properties cannot be expressed. One very basic type of assertion that was omitted was an initial assertion. Let us define Restricted Initialized Linear temporal logic (RILTL) to be the logic permitting formulas which are conjunctions of assertions of the form: -

P V ... V P ' - initial assertions

- AG(Q v...Q')

- AG(P ::~ A F ( R V . . . V R~)) - AG(P ::v AX(Q v . . . v Q~))

-

invariance assertions - leads-to assertions - successor assertions

where one again propositions are disjoint and exhaustive, and there is no Euclidean Syntactic Constraint or related restriction. In other words, RILTL equals RLTL plus an initial assertion. Most surprisingly, this small change increases the complexity: T h e o r e m The satisfiability problem for RILTL is NP-hard. The idea behind the proof is as follows. Given a state graph M, such as that shown in Figure 6, we can capture its structure by a formula fM that is a simple

~~

o-q

0

(

(

()

./ \

9

~Z

|

92 conjunction of RILTL successor assertions, such as

AG(I ~ AXB)A AG(B ~ AX(C V D))A AG(C ~ AXH)A AG(D :v AXH)A AG(H ~ AXH) (Here we assume, for ease of exposition, that a unique proposition labels each node.) We thereby reduce model checking over M to RILTL satisfiability: M, I

E(FBAFCAFH) iff fMAIAAG(I ~ AFB)AAG(I ~ AFC)AAG(I ::v AFH) is satisfiable. We can generalize this argument to reduce arbitrary model checking problems of the form M, so ~ E(FP1 A... FPn) to RILTL satisfiability. This restricted form of the PLTL model checking problem is known to be NP-hard as established by Sistla and Clarke [SC85]. (The intuition is that it is necessary to consider all possible permutations that the Pi can occur in.) 7

Conclusion

Due to the proliferation of computer microelectronics and associated safety critical software, there is an undeniable and growing need to find effective methods of constructing correct reactive systems. One factor these systems have in common beyond their nondeterministic, ongoing, reactive nature is that they are complex. While it is conceivable that it is easy to describe in general terms what such a system is supposed to do (e.g., provide an air traffic control system), it appears quite difficult to "get the details straight". Temporal logic appears to to provide a good handle on precisely stating just what behavior is to occur when at a variety of levels of detail. Automation of temporal reasoning appears to offer a good handle on actually keeping track of the myriad of associated points of fine detail. A c k n o w l e d g e m e n t s This work was supported in part by NSF grant CCR9415496 and by SRC contract 95-DP-388. We also thank Howard Barringer, Colin Stirling, and Moshe Vardi for most helpful comments on a preliminary version of this paper. References [An93]

[AKS83]

Anderson, H. R., Verification of Temporal Properties of Concurrent Systems, Ph.D. Dissertation, Computer Science Department, Aarhus Univ., Denmark, June 1993. Aggarwal S., Kurshan R. P., Sabnani K. K., "A Calculus for Protocol Specification and Validation", in Protocol Specification, Testing and Verification III, H. Ruden, C. West (ed.'s), North-Holland 1983, 19-34.

93

[AI(86]

Apt, K. and Kozen, D., Limits for Automatic Verification of Finite State Systems, IPL vol. 22, no. 6., pp. 307-309, 1986. [BFGGO89] Barringer, H., Fisher, M., Gabbay, D., Gough, G., and Owens, R., Metatem: A Framework for Programming in Temporal Logic. In Proc. of the REX Workshop on Stepwise Refinement of Distributed Systems: Models, Formalisms, Correctness, Mook, The Netherlands, Springer LNCS, no. 430, June 1989. [BKP84] Barringer, H., Kuiper, R., and Pnueli, A., Now You May Compose Temporal Logic Specifications, STOC84. [BKP86] Barringer, H., Kuiper, R., and Pnueli, A., A Really Abstract Concurrent Model and its Temporal Logic, pp. 173-183, POPL86. [BPM83] Ben-Ari, M., Pnueli, A. and Manna, Z. The Temporal Logic of Branching Time. Acta Informatica vol. 20, pp. 207-226, 1983. [BG93] Bernholtz~ O., and Grumberg G., Branching T i m e Temporal Logic and Amorphous Automata, Proc. 4th Conf. on Concurrency Theory, Hildesheim, Springer LNCS no. 715, pp. 262-277, August 1993. Bradfield, J., and Stirling, C., "Local Model Checking for Infinite State [BS92] Spaces", Theor. Comp. Sci., vol. 96, pp. 157-174, 1992. [BCD85] Browne, M., Clarke, E. M., and Dill, D. Checking the Correctness of sequential Circuits, Proc. 1985 IEEE Int.. Conf. Comput. Design, Port Chester, NY pp. 545-548 [BCDM86a] Browne, M., Clarke, E. M., and Dill, D,, and Mishra, B., Automatic verification of sequential circuits using Temporal Logic, IEEE Trans. Comp. C-35(12), pp. 1035-1044, 1986 Bryant, R., Graph-based algorithms for boolean function manipulation, [Br86] IEEE Trans. on Computers, C=35(8), 1986. [Su62] Buchi, J. R., On a Decision Method in restricted Second Order Arithmetic, Proc. 1960 Inter. Congress on Logic, Methodology, and Philosophy of Science, pp. 1-11. [CE81] Clarke, E. M., and Emerson, E. A., Design and Verification of Synchronization Skeletons using Branching Time Temporal Logic, Logics of Programs Workshop, IBM Yorktown Heights, New York, Springer LNCS no. 131., pp. 52-71, May 1981. [CES86] Clarke, E. M., Emerson, E. A., and Sistla, A. P., Automatic Verification of Finite State Concurrent System Using Temporal Logic, 10th ACM Symp. on Principles of Prog. Lang., Jan. 83; journal version appears in A C M Trans. on Prog. Lang. and Sys., vol. 8, no. 2, pp. 244-263, April 1986. [CFJ93] Clarke, E. M., Filkorn, T., Jha, S. Exploiting Symmetry in .Temporal Logic Model Checking, 5th International Conference on Computer Aided Verification, Crete, Greece, June 1993. [CGBS8] Clarke, E. M., Grumberg, O., and Brown, M., Characterizing Kripke Structures in Temporal Logic, Theor. Comp. Sci., 1988 [CG86] Clarke, E. M., Grumberg, O. and Browne, M.C., Reasoning about Networks with Many Identical Finite State Processes, Proc. 5th ACM PODC, pp. 240-248, 1986.

94

[CG87] [CGSTb] [CM83]

[CGB89] [CS931

[C193]

[cvw85] [CM90]

[DGG93] [Di76] [DC86] [Em81]

[Em83] [Em85]

[EC80]

[EC82]

Clarke, E. M. and Grumberg, O., Avoiding the State Explosion Problem In Temporal Model Checking, PODC87. Clarke, E. M. and Grumberg, O. Research on Automatic Verification of Finite State Concurrent Systems, Annual Reviews in Computer Science, 2, pp. 269-290, 1987 Clarke, E. M., Mishra, B., Automatic Verification of Asynchronous Circuits, CMU Logics of Programs Workshop, Springer LNCS ~164, pp. 101-115, May 1983. Clarke, E. M., Grumberg, O., and Brown, M., Reasoning about Many Identical Processes, Inform. and Comp., 1989 Cleaveland, R. and Steffan, B., A Linear-Time Model-Checking Algorithm for the Alternation-Free Modal Mu-calculus, Formal Methods in System Design, vol. 2, no. 2, pp. 121-148, April 1993. Cleaveland, R., Analyzing Concurrent Systems using the Concurrency Workbench, Functional Programming, Concurrency, Simulation, and Automated Reasoning Springer LNCS no. 693, pp. 129-144, 1993. Courcoubetis, C., Vardi, M. Y., and Wolper, P. L., Reasoning about Fair Concurrent Programs, Proc. 18th STOC, Berkeley, Cal., pp. 283-294, May 86. Coudert, O., and Madre, J. C., Verifying Temporal Properties of Sequential Machines without building their State Diagrams, Computer Aided Verification '90, E. M. Clarke and R. P. Kurshan, eds., DIMACS, Series, pp. 75-84, June 1990. Dams, D., Grumberg, O., and Gerth, R., Generation of Reduced Models for checking fragments of CTL, CAV93, Springer LNCS no. 697, 1993. Dijkstra, E. W. , A Discipline of Programming, Prentice-Hall, 1976. Dill, D. and Clarke, E.M., Automatic Verification of Asynchronous Circuits using Temporal Logic, IEEE Proc. 133, Pt. E 5, pp. 276-282, 1986. Emerson, E. A., Branching Time Temporal Logics and the Design of Correct Concurrent Programs, P h . D . Dissertation, Division of Applied Sciences, Harvard University, August 1981. Emerson, E. A., Alternative Semantics for Temporal Logics, Theor. Comp. Sci., v. 26, pp. 121-130, 1983. E.A. Emerson, "Automata, Tableaux, and Temporal Logics", Proc. Workshop on Logics of Programs, Brooklyn College, pp. 79-87, Springer LNCS no. 193, June 1985. Emerson, E. A., and Clarke, E. M., Characterizing Correctness Properties of Parallel Programs as Fixpoints. Proc. 7th Int. Colloquium on Automata, Languages, and Programming, Lecture Notes in Computer Science #85, Springer-Verlag, 1981. Emerson, E. A., and Clarke, E. M., Using Branching Time Temporal Logic to Synthesize Synchronization Skeletons, Science of Computer Programming, vol. 2, pp. 241-266, Dec. 1982.

95 lEES90]

[EH85]

[EH86]

[EJ88]

[E J89]

[EJ91] [EJS93]

[EL86]

[EL87]

[ES93]

[ES83]

[ESS89] [Em87] [Em90]

[FL79] [Fr86]

Emerson, E. A., Evangelist, M., and Srinivasan, J., On the Limits of Efficient Temporal Satisfiability, Proc. of the 5th Annual IEEE Symp. on Logic in Computer Science, Philadelphia, pp. 464-477, June 1990. Emerson, E. A., and Halpern, J. Y., Decision Procedures and Expressiveness in the Temporal Logic of Branching Time, Journal of Computer and System Sciences, vol. 30, no. 1, pp. 1-24, Feb. 85. Emerson, E. A., and Halpern, J. Y., 'Sometimes' and 'Not Never' Revisited: On Branching versus Linear Time Temporal Logic, JACM, vol. 33, no. 1, pp. 151-178, Jan. 86. Emerson, E. A. and Jutla, C. S., "Complexity of Tree Automata and Modal Logics of Programs", Proc. 29th IEEE Foundations of Computer Sci., 1988 Emerson, E. A., and Jutla, C. S., On Simultaneously Determinizing and Complementing w-automata, Proceedings of the 4th IEEE Symp. on Logic in Computer Science (LICS), pp. 333-342, 1989. Emerson, E. A., and Jutla, C. S. "Tree Automata, Mu-Calculus, and Determinacy", Proc. 33rd IEEE Syrup. on Found. of Comp Sci., 1991 Emerson, E. A., Jutla, C. S., and Sistla, A. P., On Model Checking for Fragments of the Mu-calculus, Proc. of 5th Inter. Conf. on Computer Aided Verification, Elounda, Greece, Springer LNCS no. 697, pp. 385396, 1993. Emerson, E. A., and Lei, C.-L., Efficient Model Checking in Fragments of the Mu-calculus, IEEE Symp. on Logic in Computer Science (LICS), Cambridge, Mass., June, 1986. Emerson, E. A., and Lei, C.-L.m Modalities for Model Checking: Branching Time Strikes Back, pp. 84-96, ACM POPL85; journal version appears in Sci. Comp. Prog. vol. 8, pp 275-306, 1987. Emerson, E. A., and Sistla, A. P., Symmetry and Model Checking, 5th International Conference on Computer Aided Verification, Crete, Greece, June 1993full version to appear in Formal Methods in System Design. Emerson, E. A., and Sistla, A. P., Deciding Full Branching Time Logic, Proc. of the Workshop on Logics of Programs, Carnegie-Mellon University, Springer LNCS no. 164, pp. 176-192, June 6-8, 1983; journal version appears in Information ~ Control, vol. 61, no. 3, pp. 175-201, June 1984. Emerson, E. A., Sadler, T. H. , and Srinivasan, J. Efficient Temporal Reasoning, pp 166-178, 16th ACM POPL, 1989. Emerson, E. A., Uniform Inevitability is Finite Automaton Ineffable, Information Processing Letters, v. 24, pp. 77-79, 30 January 1987. Emerson, E. A., Temporal and Modal Logic, in Handbook of Theoretical Computer Science, vol. B, (J. van Leeuwen, ed.), Elsevier/North-Holland, 1991. Fischer, M. J., and Ladner, R. E, Propositional Dynamic Logic of Regular Programs, JCSS vol. 18, pp. 194-211, 1979. Francez, N., Fairness, Springer-Verlag, New York, 1986

96 [GPSS80]

[GS92] [GH82] [HT87]

[HS86] [Ha79] [HA84]

[HS84] [HS84] [Ho78]

[Ha82] [HO80] [HR72]

[ID93] [Je94]

[JR91] [Ka68]

[Ko87]

Gabbay, D., Pnueli A., Shelah, S., Stavi, J., On The Temporal Analysis of Fairness, 7th Annual ACM Syrup. on Principles of Programming Languages, 1980, pp. 163-173. German, S. M. and Sistla, A. P. Reasoning about Systems with many Processes, Journal of the ACM, July 1992, Vol 39, No 3, pp 675-735. Gurevich, Y., and Harrington, L., "Trees, Automata, and Games", l$th ACM STOC, 1982. Haler, T., and Thomas, W., Computation Tree Logic CTL* and Path Quantifiers in the Monadic Theory of the Binary Tree, ICALP87. Knowledge and Common Knowledge in a Distributed Environment, Proc. 3rd ACM Syrup. PODC, pp. 50-61. Halpern, J. Y. and Shoham, Y., A Propositional Modal Logic of Time Intervals, IEEE LICS, pp. 279-292, 1986. Harel, D., Dynamic Logic: Axiomatics and Expressive Power, PhD Thesis, MIT, 1979; also available in Springer LNCS Series no. 68, 1979. Harel, D., Dynamic Logic, in Handbook of Philosophical Logic vol. II: Extensions of Classical Logic, ed. D. Gabbay and F. Guenthner, D. Reidel Press, Boston, 1984, pp. 497-604. Applications, 16th STOC, pp. 418-427, May 84. Hart, S., and Sharir, M., Probabilistic Temporal Logics for Finite and Bounded Models, 16th STOC, pp. 1-13, 1984. Hart, S. and Sharir, M. Probabilistic Temporal Logics for Finite and Bounded Models, 16th ACM STOC, pp. 1-13, 1984. Hoare, C. A. R., Communicating Sequential Processes, CACM, vol. 21, no. 8, pp. 666-676, 1978. Hailpern, B., Verifying Concurrent Processes Using Temporal Logic, Springer-Verlag LNCS no. 129, 1982. Hailpern, B. T., and Owicki, S. S., Verifying Network Protocols Using Temporal Logic, In Proceedings Trends and Applications 1980: Computer Network Protocols, IEEE Computer Society, 1980, pp. 18-28. Hossley, R., and Rackoff, C, The Emptiness Problem For Automata on Infinite Trees, Proc. 13th IEEE Symp. Switching and Automata Theory, pp. 121-124, 1972. Ip, C-W. N., Dill, D. L., Better Verification through Symmetry, CHDL, April 1993. Jensen, K., Colored Petri Nets: Basic Concepts, Analysis Methods, and Practical Use, vol. 2: Analysis Methods, EATCS Monographs, SpringerVerlag, 1994. Jensen, K., and Rozenberg, G. (eds.), High-level Petri Nets: Theory and Application, Springer-Verlag, 1991. Kamp, Hans, Tense Logic and the Theory of Linear Order, PhD Dissertationl UCLA 1968. Koymans, R., Specifying Message Buffers Requires Extending Temporal Logic, PODC87.

97

[Ko83] [KP81I [KP83]

[KT87] [Ku86]

[Ku94] [LR86]

[La80]

[La83] [LPS81]

[LS82] [LP851

[LPZ85]

[Lo+94]

[MPS2a]

[MP8~]

Kozen, D., Results on the Propositionnal Mu-Calculus, Theor. Comp. Sci., pp. 333-354, Dec. 83 Kozen, D. and Parikh, R. An Elementary Proof of Completeness for PDL, Theor. Comp. Sci., v. 14, pp. 113-118, 1981 Kozen, D., and Parikh, R. A Decision Procedure for the Propositional Mu-calculus, Proc. of the Workshop on Logics of Programs, CarnegieMellon University, Springer LNCS no. 164, pp. 176-192, June 6-8, 1983. Kozen, D. and Tiuryn, J., Logics of Programs, in Handbook of Theoretical Computer Science, (J. van Leeuwen, ed.), Elsevier/North-Holland, 1991. Kurshan, R. P.," Testing Containment of omega-regular Languages", Bell Labs Tech. Report 1121-86101.0-33 (1986); conference version in R. P. Kurshan, "Reducibility in Analysis of Coordination", LNCIS 103 (1987) Springer-Verlag 19-39. Kurshan, R. P., Computer-Aided Verification of Coordinating Processes: The Automata-Theoretic Approach Princeton University Press, Princeton, New Jersey 1994. Ladner, R. and Reif, J. The Logic of Distributed Protocols, in Proc. of Conf. On Theor. Aspects of reasoning about Knowledge, ed. J Halpern, pp. 207-222, Los Altos, Cal., Morgan Kaufmann Lamport, L., Sometimes is Sometimes "Not Never"---on the Temporal Logic of programs, 7th Annual ACM Symp. on Principles of Programming Languages, 1980, pp. 174-185. Lamport, L., What Good is Temporal Logic?, Proc. IFIP, pp. 657-668, 1983. Lehmann. D., Pnueli, A., and Stavi, J., Impartiality, Justice and Fairness: The Ethics of Concurrent Termination, ICALP 1981, LNCS Vol. 115, pp 264-277. Lehmann, D., and Shelah, S. Reasoning about Time and Chance, Inf. and Control, vol. 53, no. 3, pp. 165-198, 1982. Litchtenstein, O., and Pnueli, A., Checking That Finite State Concurrent Programs Satisfy Their Linear Specifications, POPL85, pp. 97-107, Jan. 85. Lichtenstein, O, Pnueli, A. ,and Zuck, L. The Glory of the Past, Brooklyn College Conference on Logics of Programs, Springer-Verlag LNCS, June 1985. Long, D., Browne, A., Clarke, E., Jha, S., Marrero, W., An Improved Algorithm for the Evaluation of Fixpoint Expressions, Proc. of 6th Inter. Conf. on Computer Aided Verification, Stanford, Springer LNCS no. 818, June 1994. Manna, Z., and Pnueli, A., Verification of Concurrent Programs: The Temporal Framework, in The Correctness Problem in Computer Science, Boyer & Moore (eds.), Academic Press, pp. 215-273, 1982. Manna, Z. and Pnueli, A., Verification of Concurrent Programs: Temporal Proof Principles, in Proc. of Workshop on Logics of Programs, D. Kozen (ed.), Springer LNCS ~131, pp. 200-252, 1981.

98 IMPS2]

[MP83] IMP84]

[MP87a] [MP87b] [MW78]

[MW841 IMP92] [McM921 [McN661 IMP71] [MC80] [Me74]

[Mo84]

[Mu84]

[Mo83] [Mu63] [NDOG86]

[Niw84] [NiwS8]

Manna, Z. and Pnueli, A , Verification of Concurrent Programs: A Temporal Proof System, Proc. 4th School on Advanced Programming, Amsterdam, The Netherlands, June 82. Manna, Z. and Pnueli, A., How to Cook a Proof System for your Pet Language, ACM Symp. on Princ. of Prog. Languages, pp. 141-154, 1983. Manna, Z. and Pnueli, A., Adequate Proof Principles for Invariance and Liveness Properties of Concurrent Programs, Science of Computer Programming, vol. 4, no. 3, pp. 257-290, 1984. Manna, Z. and Pnueli, A. Specifcation and Verification of Concurrent Programs by Y-automata, Proc. 14th ACM POPL, 1987 Manna, Z. and Pnueli, A. A Hierarchy of Temporal Properties, PODC7. Manna, Z., and Waldinger, R., Is "sometimes" sometimes better than "always"?: Intermittent assertions in proving program correctness, CACM, vol. 21, no. 2, pp. 159-172, Feb. 78 Manna, Z. and Wolper, P. L., Synthesis of Communicating Processes from Temporal Logic Specifications, vol. 6, no. 1, pp. 68-93, Jan. 84. Manna, Z. and Pnueli, A., Temporal Logic of Reactive and Concurrent Systems: Specification, Springer-Verlag, 1992 McMillan, K., Symbolic Model Checking: An Approach to the State Explosion Problem, Ph. D. Thesis, Carnegie-Mellon University, 1992. McNaughton, R., Testing and Generating Infinite Sequences by a Finite Automaton, Information and Control, Vol. 9, 1966. McNaughton, R. and Pappert, S. Counter-Free automata, MIT Press, 1971. Mead, C. and Conway, L., Introduction to VLSI Systems, AddisonWesley, Reading, Mass., 1980. Meyer, A. R., Weak Monadic Second Order Theory of One Successor is Not Elementarily Recursive, Boston Logic Colloquium, Springer-Verlag Lecture Notes in Math. no. 453, Berlin/New York, 1974. Mostowski, A. W., Regular Expressions for Infinite Trees and a Standard Form of Automata, Proc. 5th. Symp on Computation Theory, Zaborow, Poland, pp. 157-168, Springer LNCS no. 208, 1984. Muchnik, A. A., Games on Infinite Trees and Automata with Dead-ends: a New Proof of the Decidability of the Monadic Theory of Two Successors, Semiotics and Information, 24, pp. 17-40, 1984 (in Russian). Moszkowski, B., Reasoning about Digital Circuits, PhD Thesis, Stanford Univ, 1983. Muller, D. E., Infinite Sequences and Finite Machines, 4th Ann. IEEE Symp. of Switching Theory and Logical Design, pp. 3-16, 1963. Nguyen, V., Demers, A., Owicki, S., and Giles, D., A Model and Temporal Proof System for Networks of Processes, Distr. Computing, vol. 1, no. 1, pp 7-25, 1986 Niwinski, D., unpublished manuscript. Niwinski, D., Fixed Points versus Infinite Generation, Proc. 3rd IEEE Symp. on Logic in Computer Science, pp. 402-409, 1988.

99 [OL82]

[PW84]

[Pi90]

[Pi921

[Pe81] [Pn771 [Pn81] [Pn83] [Pn841

[Pn85] [Pn86]

[PR89]

[PR89b]

[Pr81] [Pr67]

[RU71] [QS82] [QS83]

Owicki, S. S., and Lamport, L., Proving Liveness Properties of Concurrent Programs, ACM Trans. on Programming Languages and Syst., Vol. 4, No. 3, July 1982, pp. 455-495. Pinter, S., and Wolper, P. L., A Temporal Logic for Reasoning about Partially Ordered Computations, Proc. 3rd ACM PODC, pp. 28-37, Vancouver, Aug. 84 Pixley, C., A Computational Theory and Implementation of Sequential Hardware Equivalence, CAV'90 DIMACS series, vol.3 (also DIMACS Tech. Report 90-3 1), eds. R. Kurshan and E. Clarke, June 1990. Pixley, C., A Theory and Implementation of Sequential Hardware Equivalence, IEEE Transactions on Computer-Aided Design, pp. 1469-1478, vol. 11, no. 12, 1992. Peterson, G. L., Myths about the Mutual Exclusion Problem, Inform. Process. Letters, vol. 12, no. 3, pp. 115-116, 1981. Pnueli, A., The Temporal Logic of Programs, 18th annual IEEE-CS Syrup. on Foundations of Computer Science, pp. 46-57, 1977. Pnueli, A., The Temporal Semantics of Concurrent Programs, Theor. Comp. Sci., vol. 13, pp 45-60, 1981. Pnueli, A., On The Extremely Fair Termination of Probabilistic Algorithms, 15 Annual ACM Symp. on Theory of Computing, 1983, 278-290. Pnueli, A., In Transition from Global to Modular Reasoning about Concurrent Programs, in Logics and Models of Concurrent Systems, ed. K. R. Apt, Springer, 1984. Pnueli, A., Linear and Branching Structures in the Semantics and Logics of Reactive Systems, Proceedings of the 12th ICALP, pp. 15-32, 1985. Pnueli, A., Applications of Temporal Logic to the Specification and Verification of Reactive Systems: A Survey of Current Trends, in Current Trends in Concurrency: Overviews and Tutorials, ed. J. W. de Bakker, W.P. de Roever, and G. Rozenberg, Springer LI~CS no. 224, 1986. A. Pnueli and R. Rosner, On the Synthesis of a Reactive Module, 16th Annual ACM Syrup. on Principles of Programing Languages, pp. 179-190, Jan. 1989. A. Pnueli and R. Rosner, On the Synthesis of an Asynchronous Reactive Module, Proc. 16th Int'l Colloq. on Automata, Languages, and Programming, Stresa, Italy, July, 1989, pp. 652=671, Springer-Verlag LNCS no. 372. Pratt, V., A Decidable Mu-Calculus, 22nd FOCS, pp. 421-427, 1981. Prior, A., Past, Present, and Future, Oxford Press, 1967. Rescher, N., and Urquhart, A., Temporal Logic, Springer-Verlag, 1971. Queille, J. P., and Sifakis, J., Specification and verification of concurrent programs in CESAR, Proc. 5th Int. Symp. Prog., Springer LNCS no. 137, pp. 195-220, 1982. QueiUe, J. P., and Sifakis, J., Fairness and Related Properties in Transition Systems, Acta Informatica, vol. 19, pp. 195-220, 1983.

100

[Ra69] [R~72] [P,a71] [RU71] [deR76]

[s~ssJ

[Sa92] [si83] [sc85] [SCFM84] [Si85] [SVW87] [SMS82]

[SMV83] [St81]

[SES4]

[SW89]

[st93]

Rabin, M. O., "Decidability of Second Order Theories and Automata on Infinite Trees", Trans. AMS, 141(1969), pp. 1-35. Rabin, M. O., Automata on Infinite Objects and Church's Problem, Conf. Board. of Math. Sciences, Regional Series in Math. no. 13, Amer. Math. Soc., Providence, Rhode Island, 1972. Rackoff, C., The Emptiness and Complementation Problems for Automata on Infinite Trees, Master's Thesis, EECS Dept, MIT, 1971. Rescher, N. and Urquhart, A., Temporal Logic, Springer-Verlag, New York, 1971. de Roever, W. P., Recursive Program Schemes: Semantics and Proof Theory, Math. Centre Tracts no. 70, Amsterdam, 1976. Safra, S., On the complexity of omega-automata, Proc. 29th IEEE FOCS, pp. 319-327, 1988. Safra, S., Exponential Determinization for w-Automata with Strong Fairness Acceptance Condition, Proceedings of the 24th Annual ACM Symposium on the Theory of Computing, pp. 275-282, Victoria, May 1992. Sistla, A. P., Theoretical Issues in the Design of Distributed and Concurrent Systems, PhD Thesis, Harvard Univ., 1983. Sistla, A. P., and Clarke, E. M., The Complexity of Propositional Linear Temporal Logic, J. ACM, Vol. 32, No. 3, pp.733-749. Sistla, A. P., Clarke, E. M., Francez, N., and Meyer, A. R., Can Message Buffers be Axiomatized in Temporal Logic?, Information & Control, vol. 63., nos. 1/2, Oct./Nov. 84, pp. 88-112. Sistla, A. P., Characterization of Safety and Liveness Properties in Temporal Logic, PODC85. Sistla, A. P., Vardi, M. Y., and Wolper, P. L., The Complementation Problem for Buchi Automata with Applications to Temporal Logic, Theor. Comp. Sci., v. 49, pp 217-237, 1987. Schwartz, R., and Melliar-Smith, P. From State Machines to Temporal Logic: Specification Methods for Protocol Standards, IEEE Trans. on Communication, COM-30, 12, pp. 2486-2496, 1982. Schwartz, R., Melliar-Smith, P. and Vogt, F. An Interval Logic for HigherLevel Temporal Reasoning, Proc. 2nd ACM PODC, Montreal, pp. 173186, Aug. 83. Streett, R., Propositional Dynamic Logic of Looping and Converse, PhD Thesis, MIT, 1981; journal version appears in Information and Control 54., 121-141, 1982. Streett, R., and Emerson, E. A., The Propositional Mu-Calculus is Elementary, ICALP84, pp 465 -472, July 84; journal version appears as An Automata Theoretic Decision Procedure for the Propositional Mucalculus, Information and Computation v. 81, no. 3, June 1989. Stirling, C., and Walker, D., Local Model Checking in the Mu-calculus, pp. 369-383, Springer LNCS no. 351, 1989. Stifling, C., Modal and Temporal Logics. in Handbook of Logic in Computer Science, (D. Gabbay, ed.) Oxford, 1993

101

[Ta55] [Wh79]

[Wh91] [Va85] [Va87]

[Va88] [Va9?]

[vs85]

[vw83] [vw84] [vw86] [Wo83] [Wo82] [Wo85] [Wo86] [Wo87]

Tarksi, A., A Lattice-Theoretical Fixpoint Theorem and its Applications, Pacific. J. Math., 55, pp. 285-309, 1955. Thomas, W., Star-free regular sets of omega-sequences, Information and Control, v. 42, pp. 148-156, 1979 Thomas, W., Automata on Infinite objects, in Handbook of Theoretical Computer Science, vol. B, (J. van Leeuwen, ed.), Elsevier/North-Holland, 1991. Vardi, M., The Taming of Converse: Reasoning about Two-Way Computations, Proc. Workshop on Logics of Programs, Brooklyn, NY, LNCS no. 193, Springer-Verlag, pp. 413-424, 1985. Vardi, M., Verification of Concurrent Programs: The Automata-theoretic Framework, Proc. IEEE LICS, pp. 167-176, June 87 Vardi, M. A Temporal Fixpoint Calculus, POPL, 1988. Vardi, M, An Automata-theoretic Approach to Linear Temporal Temporal Logic, this volume. Vardi, M. and Stockmeyer, L., Improved Upper and Lower Bounds for Modal Logics of Programs, Proc. 17th ACM Symp. on Theory of Computing, pp. 240-251, 1985. Vardi, M. and Wolper, P., Yet Another Process Logic, in Proc. CMU Workshop on Logics of Programs, Springer LNCS no. 164, pp. 501-512, 1983. Vardi, M. and Wolper, P., Automata Theoretic Techniques for Modal Logics of Programs, STOC 84; journal version in JCSS, vol. 32, pp. 183221, 1986. Vardi, M., and Wolper, P. , An Automata-theoretic Approach to Automatic Program Verification, Proc. IEEE LICS, pp. 332-344, 1986. Wolper, P., Temporal Logic can be More Expressive, FOCS 81; journal version in Information and Control, vol. 56, nos. 1-2, pp. 72-93, 1983. Wolper, P., Synthesis of Communicating Processes from Temporal Logic Specifications, Ph.D. Thesis, Stanford Univ., 1982. Wolper, P., The Tableau Method for Temporal Logic: An Overview, Logique et Analyse, v. 28, June-Sept. 85, pp. 119-136, 1985. Wolper, P., Expressing Interesting Properties of Programs in Propositional Temporal Logic, ACM Symp. on Princ. of Prog. Lang., pp. 184-193, 1986. Wolper, P., On the Relation of Programs and Computations to Models of Temporal Logic, in Temporal Logic and Specification, Springer-Verlag LNCS no. 398, April 1987.

Decidability Results in A u t o m a t a and Process Theory Yoram Hirshfeld

Faron Moller

School of Mathematical Sciences Tel Aviv University Ramat-Aviv 69978 ISRAEL

Department of Teleinformatics Kungl Tekniska HSgskolan S-164 40 Kista SWEDEN

email: [email protected]

email: [email protected]

Preface The study of Process Algebra has received a great deal of attention since the pioneering work in the 1970s of the likes of R. Milner and C.A.R. Hoare. This attention has been merited as the formalism provides a natural framework for describing and analysing systems: concurrent systems are described naturally using constructs which have intuitive interpretations, such as notions of abstractions and sequential and parallel composition. The goal of such a formalism is to provide techniques for verifying the correctness of a system. Typically this verification takes the form of demonstrating the equivalence of two systems expressed within the formalism, respectively representing an abstract specification of the system in question and its implementation. However, any reasonable process algebra allows the description of any computable function, and the equivalence problem--regardless of what reasonable notion of equivalence you consider--is readily seen to be undecidable in general. Much can be accomplished by restricting attention to (communicating) finite-state systems where the equivalence problem is just as quickly seen to be decidable. However, realistic applications, which typically involve infinite entities such as counters or timing aspects, can only be approximated by finite-state systems. Much interest therefore lies in the problem of identifying classes of infinite-state systems in which the equivalence problem is decidable. Such questions are not new in the field of theoretical computer science. Since the proof by Moore [50] in 1956 of the decidability of language equivalence for finite-state automata, language theorists have been studying the decidability problem over classes of automata which express languages which are more expressive than the class of regular languages generated by finite-state automata. Bar-Hillel, Perles and Shamir [3] were the first to demonstrate in 1961 that the class of languages defined by context-free grammars was too wide to permit a

103

decidable theory for language equivalence. The search for a more precise dividing line is still active, with the most outstanding open problem concerning the decidability of language equivalence between deterministic push-down automata. W h e n exploring the decidability of the equivalence checking problem, the first point to settle is the notion of equivalence which you wish to consider. In these notes we shall be particularly interested not in language equivalence but in bisimulation equivalence as defined by Park and used to great effect by Milner. Apart from being the fundamental notion of equivalence for several process algebraic formalisms, this behavioural equivalence has several pleasing mathematical properties, not least of which being that--as we shall discover--it is decidable over process classes for which all other common equivalences remain undecidable, in particular over the class of processes defined by context-free grammars. Furthermore in a particularly interesting class of processes--namely the normed deterministic processes--all of the standard equivalences coincide, so it is sensible to concentrate on the most mathematically tractable equivalence when analysing properties of another equivalence. In particular, by studying bisimulation equivalence we shall rediscover old theorems about the decidability of language equivalence, as well as provide more efficient algorithms for these decidability results than have previously been presented. We expect that the techniques which can be exploited in the study of bisimulation equivalence will prove to be useful in tackling other language theoretic problems, notably the problem of deterministic push-down automata. A c k n o w l e d g e m e n t s These notes were first produced for a series of lectures at the VIII Banff Higher Order Workshop "Theories of Concurrency: Structure vs Automata". We would like to thank the organiser of the workshop series Graham Birtwistle for allowing us the opportunity and the motivation for producing the notes, as well as a forum in which to present the material. We would also like to thank all of our colleagues with whom we have worked on or discussed the results presented in these notes, which themselves contain little of novelty except in their presentation. Notably we would like to acknowledge Didier Caucal, S0ren Christensen, Hans Hiittel, Petr Jan6ar, Mark Jerrum, Robin Milner and Colin Stirling.

1

Grammars

and Processes

In these notes we consider infinite-state processes defined by context-free grammars. The purpose of such a study is to provide results in both process theory, where one is interested in the behaviour of systems, as well as classical automata theory, where one is interested in the languages defined by automata. In each case we are interested in deciding properties, notably equivalences between pro-

104

cesses or automata. It is a classical result that the equivalence problem for context-free grammars is undecidable. However we shall demonstrate that the analogous problem--as we define i t - - i n the process theoretic framework is in fact decidable. This does not just feed positively into process theory; by taking such a non-standard process-theoretic approach to the classical theory we open up new techniques for tackling classical problems. For example, we shall demonstrate that our techniques for process theory naturally apply to problems in automata theory regarding deterministic automata. 1.1

Context-Free

Grammars

A context-free grammar (CFG) is a 4,tuple G = (V, T, P, S), where 9 V is a finite set of variables; 9 T is a finite set of terminals which is disjoint from V; C_ V • (V U T)* is a finite set of production rules, written X --~ c~ for (X, c~) E P . We shall assume that some rule X --~ a exists in P for each variable X E V; and

9 P

9 S E V is the start symbol. The production rules are extended to be defined over the domain (V OT)* by allowing 7Xfl --* 7c~)3 for each 7, fl E (V U T)* whenever X --* a is a production rule of the grammar. A word w E T* (that is, a string of terminals) is generated by a string a E (V U T)* iff a --** w. The (context-free) language defined by the grammar, denoted L(G), is the set of words which can be generated from the start symbol S. More generally, the language L ( a ) generated by a string a is the set of words which it can generate, and hence L(G) = L(S). The norm of a string of symbols (~ E (V U T)*, written norm(a), is the length of a shortest word which can be generated from a via productions in P. In particular, the norm of the empty string e is 0; the norm of a terminal symbol a E T is 1; and the norm is additive, that is, norm(a/~) = norm(a) + norm(fl). A grammar is normed iff all of its variable have finite norm. Notice that the language defined by a grammar is nonempty exactly when its start symbol has finite norm. A grammar is guarded iff each of its production rules is of the form X --+ ac~ where a E T. If moreover each c~ E V* then the grammar is in Greibach normal form (GNF). If furthermore each such c~ is of length at most k, then it is in kGreibach normal form (k-GNF). A 1-GNF grammar is called a regular grammar as such grammars generate precisely the regular languages which do not contain the empty string e. Finally, if within a guarded grammar we have that a = fl whenever X --~ ac~ and X --+ aj3 are both production rules of the grammar for

105

some X E V and some a E T, then the g r a m m a r is deterministic, and simple if the g r a m m a r is in Greibach n o r m a l form. /

Example

\

1 Consider the grammar G = ( { X , Y } , { a , b } , P , X ) %

where P

con-

/

sists of the rules X ~ aY This guarded The norm of generates the normal f o r m

Y --* aYb

Y --~ b

grammar generates the (context-free) language { akb k : k > 0 }. Y is 1 and the norm of X is 2, as Y generates the word b and X word ab. Hence the grammar is normed. A grammar in Greibach which generates the same language is given by the rules X --* a Y

Y --+ a Y Z

Y --* b

Z --* b

Notice t h a t an u n n o r m e d variable cannot generate any finite words. T h u s any u n n o r m e d variables m a y be removed f r o m a g r a m m a r , along with any rules involving them, w i t h o u t affecting the language generated by the g r a m m a r . 1.2

Processes

We shall define a process as an extension of the usual n o t i o n of a nondeterministic finite-state a u t o m a t a where we m a y now allow an infinite set of states and where we generally do not consider final states. We m a y consider a state to be final if there are no transitions evolving f r o m it. However, the intention of a process is to allow an analysis of its r u n t i m e behaviour rather t h a n simply the sequences of transitions which lead to a final state. A process is thus a labelled transition system (LTS), a 4-tuple P = (S, A, , c~0) where 9 S is a set of states; 9 A is some set of actions which is disjoint f r o m S; 9

S • A x S is a transition relation, written c~ a ~ j3 for (c~, a, fl) E ~. We shall extend this definition by reflexivity and transitivity to allow c~ s ~ fl for s E A * ; and ~ C_

9 c~0 E S is the initial state. T h e norm of a process state a E S, written n o r m ( a ) , is the length of the shortest transition sequence f r o m t h a t state to a t e r m i n a l state, t h a t is, a state f r o m which no transitions evolve. A process is normed iff all of its states have finite norm.

106

A process is image-finite if for each c~ E S and each a E A the set {;3 " c~ a f~ } is finite. We also refer to states of a process as being image-finite if the r process itself is image-finite. Finally, if we have t h a t / 3 = 3' whenever ~ ) ;3 a and c~ ) "y are b o t h transitions of the process for some ~ E S and some a E A, then the process is deterministic. We also refer to states of a process as being deterministic if the process itself is deterministic. We m a y abstract away from the behaviour of a process P and define the language L(c~) which is defined by a state ~ of the process as the set of strings s E A* such that c~ -s ) I~ where/3 is a terminated state, that is, where there are no transitions evolving from ;3. The language generated by the process P is then given as L(P) = L(c~o). 1.3

Context-Free

Processes

In the theory of formal languages one generally associates a context-free g r a m m a r with a push-down a u t o m a t a , a finite-state a u t o m a t a with a single push-down stack. Such devices are known to characterise the expressive power of contextfree grammars; that is, they generate exactly the class of context-free languages. In these notes, we take a different automata-theoretic view of g r a m m a r s by embedding the stack into the states, so as to make the infinite-states explicit. The loss of the stack and burden of an infinite-state control is more than balanced by the gain in having a uniform treatment of state. T h e reader m a y equally interpret our a u t o m a t a as stateless (that is, single-state) push-down a u t o m a t a where the contents of the missing push-down stack are now represented within the state. This interpretation can be gleaned from Example 2. However, we do not pursue this aspect in these notes. To a given CFG G = (V, T, P, S) we associate the process 8 ( G ) = ( ( Y U T)*, T,

), S ) where

%

, is defined to be the least relation satisfying ac~

~ ~~

a

and X~' a ) ~ , whenever X ~ ~ is a rule of the g r a m m a r and o~ , ;3. Such a process will be termed a conte~t-free process. The intuition behind context-free processes is t h a t terminals and variables represent basic processes capable of exhibiting behaviour (performing transitions), while the composition of variables and terminals represents a sequential composition of the component processes. As such the leftmost symbol in the composition provides the transitions of the process. In terms of g r a m m a r derivations, this in effect corresponds to a leftmost derivation.

E x a m p l e 2 The grammar of Example 1 which generates the language { akb k

k > 0 } defines the following process.

"

107

( ~

a

D

,

a

9

,

a

,

,f a

9 9 9

,

...

Behaviourally, this process represents a simple form of counter: it performs precisely as many b transitions as a transitions.

From this example it is clear to see that the definition of n o r m in the process sense is consistent with the definition of n o r m in the g r a m m a r sense. In particular, a normed g r a m m a r will give rise to a normed process. Furthermore the language defined by the process associated with a g r a m m a r is the same as the language defined by the g r a m m a r itself. Notice that in the case of a CFG in Greibach normal form the state set of the associated context-free process need only be V* as any sequence of transitions from any element of V* (in particular from the start state S) must lead to a state given by another element of V*. For the same reason the state set of the process associated with a regular g r a m m a r need only be the finite set V, which coincides with an expectation that the regular processes (those given by g r a m m a r s generating regular languages) are finite-state processes. 1.4

Concurrent

Context-Free

Processes

To a given C F G G = ( V , T , P , S ) we associate the process C(G) = T)*, T,

),

S) where

/(Y U

~ is defined to be the least relation satisfying c~ag a

)

~/3 and c~X/3 a ~ ~Tfl whenever either X ~ a 7 is a rule of the g r a m m a r or X --* b is a rule of the g r a m m a r with b E V ( V U T ) * and b a ~ 7. Such a process will be termed a concurrent context-free process. The intuition behind concurrent context-free processes is that the composition of variables and terminals represents a parallel composition of the component processes, and as such any symbol in the composition can contribute the next transition rather than simply the leftmost symbol. In terms of g r a m m a r derivations, this in effect corresponds to an arbitrary derivation rather t h a n the leftmost derivation scheme adopted in context-free processes. T h e exception to this rule is the basic transition steps defined by the guarded production rules. Notice that a corollary of the concurrent nature of such processes is that the composition of symbols representing the states is commutative, so t h a t for ex-

108

ample the concurrent context-free process generated by X Y is the same as that generated by Y X , where X and Y are variables of a CFG. E x a m p l e 3 Consider the guarded grammar consisting of the production rules X --* a X b

X --~ c X d

This grammar defines the following concurrent context-free process (modulo commutativity of symbols). a___r --U--

a

d

---U-

a a

i

-'--b----

This process represents a form of two.counter, or more properly a multiset or bag: two types of tokens can be inserted into and removed from the bag, the first being inserted with an a transition and removed with a b transition, and the second being inserted with a c transition and removed with a d transition. Hence at any moment during the execution of this process there will have been at least as many a transitions as b transitions and at least as many c transitions as d transitions.

Again it is clear that the n6rm of a concurrent context-free process is consistent with the norm of the corresponding grammar. In particular, the grammar and process in the above example are unnormed as the start symbol X is unnormed. As noted above a corollary of this is that the language generated by the grammar (equivalently the process) is empty. Note though that this process still exhibits an interesting behaviour; abstracting away from a process all but the language which it generates is generally too coarse an interpretation for the study of processes. One final point to note is that the class of languages generated by concurrent context-free processes is incomparable to the class of context-free languages

109

generated by context-free processes. One direction of this claim is almost immediate from Example 3: although this process generates the empty language, it can be easily modified by adding the production rules X --* ab and X -* cd to the defining grammar to generate the language of all strings over the alphabet {a, b, c, d} in which the number of as is the same as the number ofbs, the number of cs is the same as the number of ds, and any prefix contains no more bs than as and no more ds than cs. This language is quickly seen not to be a context-free .language. For the reverse implication, Christensen [12] demonstrates that the context-free language { anb n : n > 0 } generated by the context-free process of Example 2 cannot be given by any concurrent context-free process. However, the class of languages generated by concurrent context-free processes is contained within the class of context-sensitive languages, as they are easily seen to be given by grammars which include context-sensitive rules of the form X Y --~ Y X for commuting variables. 1.5

The

Process

Algebras

BPA

and

BPP

We have defined context-free and concurrent context-free processes as particular semantic interpretations of context-free grammars. However their history is more truthfully given in the process algebra framework. In particular there are two well-studied process algebras which give rise to these two classes. We briefly outline here the process algebraic framework by describing these two process algebras. B P A : Basic P r o c e s s A l g e b r a A process algebra is defined by some term algebra along with a particular transitional semantic interpretation assigned to the constructs of the algebra. A process is then given by a finite set of process equations Xi = Ei

" l
where each E~ is an expression over the particular term algebra with free variables taken from the collection of Xis. In the case of the Basic Process Algebra (BPA) of Bergstra and Klop [4] the form of the expressions Ei is given by the following syntax equation. E

::= a

I

Xi

I

E+F

I

EF

where a is taken from some finite set of atomic actions A. Informally, each a E A represents an atomic process, Xi represents the process expression Ei, E 4- F represents a choice of behaving as process E or process F, and E F represents the sequential composition of processes E and F. Formally the semantic interpretation of these constructs is given by the least relation ) C_ P • A • ( P U {e}) satisfying the following rules.

110

a

a )g

Ei a ' G Xi a ' G

E a~G E+F a,G

F a>G E+F a+G

E

EF

"'G

a~GF

(Note that we absorb the symbol e into terms, so as to read ~E as E.) It is not difficult to recognise the correspondence between context-free processes and BPA processes. Roughly speaking, the variables and terminals of a CFG correspond to the variables and actions of a BPA process, with sequencing of symbols being naturally carried across both formalisms and a choice of production rules in a grammar corresponding to the choice operator in the algebra.' Thus for example, the context-free process of Example 2 can be given as the BPA process {

def

Z

-~. a Y ,

Y

def

= aYb + b }.

More formally, given a CFG G = (V, T, P, S) we can define the equivalent BPA process BPA(G) =

X

=

~{E

" X--*E6P}

" X6V

For the reverse direction a bit of care is needed to handle summation. Given a BPA process

P=

{ Xi =,=

~_,{E~j

" l<_j<_n~}

" l
}

we first assume that the terms Eli do not involve the summation operator; this is acceptable as such subterms can be replaced by newly-introduced variables with their obvious defining equations. Then we can define the equivalent CFG G(P) with variables Xi and production rules Xi ---' Eij. We leave it to the reader to verify that these transformations are valid, in the sense that for every CFG G, S ( a ) and BPA(G) describe the same (that is, isomorphic) process, and that for every BPA process P, P and S(G(P)) describe the same processes. We could restrict the syntax by allowing not general sequencing E F but rather simply action prefixing aE as is done by Milner [48]. We would be left with the following syntax equation for terms. E

::=

a

I

X~

I E+F

I aE

The effect of this modification would be to restrict ourselves to an algebra corresponding to regular grammars and hence generating the class of finite-state processes. BPP: Basic Parallel Processes Basic Parallel Processes (BPP) are defined by a process algebra given by including a parallel combinator [[ within the algebra of regular processes. Hence the term algebra is given by the following syntax equation.

111

E ::=a

I

l aE

I EfIF

The semantic interpretation of the new construct is given by the following rules. E E[IF

~G ~,G[]F

F E[IF

a,G ~,E[IG

(Note that we also absorb the symbol e into parallel terms, so as to read E [I e and e II S as E.) Again it is straightforward to recognise the correspondence between concurrent context-free processes and B P P processes. For example, the context-free process of Example 3 can be given as the B P P process

{X

de=f a(X I[ b) + c(X II d)}.

As above we can define a B P P process B P P ( G ) for any grammar G and a CFG G(P) for any B P P process P such that for every CFG G, C(G) and B P P ( G ) decribe the same processes, and for every B P P process P , P and C(G(P)) dscribe the same processes. We leave the definitions, as well as the proofs of these correspondences, to the reader. There is yet another natural interpretation of concurrent context-free processes which comes from the study of Petri nets. A (labelled place/transition) Petri net is simply a (finite) directed bipartite graph with the two partitions of nodes referred to as places and transitions respectively. A marking of a net is an assignment of some natural number to each of the places. A transition is enabled in a particular marking of a net if the value of the marking of each place is at least as large as the number of arcs leading from that place to the transition in question. A firing of an enabled transition entails first deducting from the value of the marking of each place an amount equal to the number of arcs leading from that place to the enabled transition in question, and then adding to the value of the marking of each place an amount equal to the number of arcs leading to that marking from the transition. We can then define Petri net processes by taking the set of markings of a particular net as the set of states of a process, and the firings of the enabled transitions as the transitions of the process. If we restrict attention to nets whose transitions all have a single incoming transition, then we define precisely the class of guarded concurrent context-free processes. We leave the proof of this correspondence for the reader to consider, but demonstrate it with the following example.

E x a m p l e 4 Consider the context-free grammar consisting of the production

rules X --~ aY

Y --* b X X

112

Clearly neither of the variables X or Y is normed; hence interpreted as a contextfree process, this degenerates to the finite-state process consisting of a neverending cycle of "ab" transitions. However, viewed as a concurrent context-free process, we have a much more interesting behaviour. It corresponds to the following B P P process and Petri net. a

{Xy de__fdefa Y ,

b(x IfX) b This grammar defines the following concurrent context-free process.

ooo

Typically the expressions Ei allowed in process definitions within a given process algebra are restricted to being guarded, in the sense that every occurrence of a variable Xi appears within a subexpression of the form aEi This corresponds in the grammar framework to a restriction to guarded grammars. We shall demonstrate the importance of this restriction later when we discuss transformations from arbitrary grammars into equivalent Greibach normal form grammars.

2

Bisimulation

Equivalence

We can straightforwardly define language equivalence between CFGs by saying that two grammars G1 and G2 are language equivalent, denoted G1 "~L G2, if L(G1) = L(G2). This definition applies equally well to processes. However in these notes we shall be concentrating on a much stricter notion of process

113

equivalence, namely bisimulation equivalence. In this section we shall define this notion and present the properties which it possesses which motivate our choice of emphasis. We shall furthermore demonstrate analogies to the Greibach normal form theorem for grammars demonstrating that CFGs and context-free processes and concurrent context-free processes may be represented (upto isomorphism, and hence bisimulation equivalence) by grammars in Greibach normal form. Definition 5 Let (S, A, ---~, so) be a process. A relation T~ C S • S is a bisimulation iff whenever ((~, fl) E Tt we have that * ifc~ a o~' thenfl * iffl

a fl, f o r s o m e f l , with(o~',fl')ETr

and

a , f l ' thenc~ a a ' f o r s o m e o ~ ' w i t h ( a ' , f l ' ) E T r

c~ and fl are bisimulation equivalent or bisimilar, written a ~ fl, iff (~, fl) E Tr for some bisimulation Tr This definition can easily be extended to compare states of different processes by simply considering the disjoint union of the two processes. L e m m a 6 ~ = U{T~ " 7~ is a bisimulation relation} is the maximum bisim. ulation relation. P r o o f An arbitrary union of bisimulation relations is itself a bisimulation relation. [] We can extend the notion of bisimilarity to a relation over grammars and strings of symbols in a grammar by considering the processes associated with the grammars. Note however that we can in fact do this in two ways, by considering either context-free processes or concurrent context-free processes. Unless explicitly stated otherwise, we shall mean the (sequential) context-free process interpretation when considering the process generated by a grammar. We shall see that bisimulation equivalence is strictly finer than language equivalence. However this distinction vanishes if we restrict our attention to normed deterministic processes. This fact, along with various other elegant properties enjoyed by bisimulation equivalence, motivates us to concentrate on this stronger equivalence in these notes. In this way not only will we explore solutions to problems in process theory, but we shall also tackle long-standing problems in formal language theory regarding deterministic language classes.

E x a m p l e 7 Consider the following two context-free processes.

114

X ~ ab

X ~ ac

Y ---~ a Z

Z -* b

Z --+ c

Q a

a

b

c

.The g r a m m a r s defining these two processes are certainly language equivalent. H o w e v e r , they are not b i s i m u l a t i o n equivalent, as the processes which they define are not bisimilar.

Lemma

8 ,-~ is an equivalence relation.

P r o o f Reflexivity is established by demonstrating { (c~, c~) : (~ E S } to be a bisimulation; s y m m e t r y is established by demonstrating 7~ -1 to be a bisimulation whenever 7~ is; transitivity is established by demonstrating 7~S to be a bisimulation whenever ~ and S are. These are all straightforward. []

Lemma

9 I f c~ ~ fl and a - - ~ a ' f o r s E A* then ~ --2-* fl' such that o/ ..~ fl'.

P r o o f Given a bisimulation ~ relating a and fl, it is a simple induction on the length of s E A* to demonstrate t h a t if a ' , a ' then fl 8 , / y with (a', fl') E 7~. []

C o r o l l a r y 10 I f c~ ,~ fl then o~ "~L ft. P r o o f If a ~ fl then s E L ( a ) iff a ' ~ a ' where a ' is a t e r m i n a t e d state, which by the previous l e m m a holds iff fl " ~ fl' where fl' is a t e r m i n a t e d state, which finally holds iff s E L ( f l ) . []

C o r o l l a r y 11 I f a ~ fl then n o r m ( a ) = norm(fi)

115

[]

P r o o f Immediate from the previous corollary.

L e m m a 12 For normed deterministic c~ and fl, if o~ '~L fl then ot .~ ~. P r o o f It suffices to demonstrate that the relation ~ (a, fl) " a "~L ~ and ce~ %

normed deterministic } is a bisimulation relation.

[]

We shall occasionally exploit the following alternative stratified definition of bisimulation due to Milner. D e f i n i t i o n 13 Let (S,A, ),So) be a process. We inductively define the following sequence of binary relations over S: o~ N o ~ f o r every o~, fl E S, and f o r k > 0, c~ "~k+l fl iff we have that 9 ifo~od 9 iffl

then~

a,fl'then~

a,fllforsomefll

witha'..~k/31;

and

a , a' f o r some cd with a' "~k fl'.

L e m m a 14 I f c~ ~. fl then a "~k fl f o r all k > O. Conversely, f o r image-finite o~, if ~ ~ k fl f o r all k > 0 then c~ ,~ #. P r o o f The first implication requires a simple induction on k, whereas the second implication requires that we demonstrate that the relation { (a, fl) : a " k fl for all k > 0 and a image-finite } is a bisimulation. Each of these obligations is straightforward. []

E x a m p l e 15 Consider the following image-infinite context-free process. X---~ X a X---*a

Y ---~Y a Y---~a

a-...L\- I / a

Y---m Z Z---~aZ

...

116

The states X and Y are clearly not bisimilar, as the state Z cannot be bisimilar to a k f o r any k >_ O. H o w e v e r X "~k Y f o r each k >_ 0 as Z ~ k a k.

We shall generally be restricting our attention to guarded grammars, which we can easily verify generate image-finit e processes. This will allow us a useful technique for demonstrating bisimilarity, namely inductively showing that each "~k relation holds. Furthermore, as shall be seen in Subsection 2.2, any guarded grammar can be transformed into a bisimilar one which is in Greibach normal form (with respect to either interpretation of composition), and hence we shall eventually consider only Greibach normal form context-free processes, ie, those processes given by a grammar in Greibach normal form. 2.1

Composition

and

Decomposition

An important property of bisimulation equivalence which we shall exploit is the following congruency result, which is valid under either interpretation of composition. L e m m a 16 Given a C F G G = (V, T, P, S) and ~, ~', fl, fl' e ( V U T)*, if ~ ..~ fi and (~ ,,~ /~' then ~ 1 ,~ flfll, regardless of whether we interpret this g r a m m a r as a context-firee process or a concurrent context-free process. P r o o f In either case, we can demonstrate that the relation ~ ( ~ ,

flfl~) "

%

fl and ~ ,-* fl~ } is a bisimulation, from which the result follows.

O

Complementing our congruency property we have an obvious potential technique for the analysis of a process built up as a composition, namely decomposing the process into simpler components. In general this notion is not suitably provided for, but for the class of normed processes we get a unique factorisation result regardless of whether we interpret composition as sequential or parallel composition. We say that an elementary process X E V is p r i m e (with respect to bisimilarity ,,~ as well as the particular interpretation of composition which we are considering) i f f X ~ (~/? entails c~ = e or fl = e. We shall demonstrate our two results here separately, namely that normed Greibach normal form context-free processes and normed concurrent Greibach normal form context-free processes can be decomposed in a unique fashion into such prime components. For the sequential case, we start with the following cancellation lemma. L e m m a 17 I f a, ~ and 7 are Greibach normal f o r m context-free processes and i f 7 is normed then ~'/ ..~ f17 implies c~ .~ ft. P r o o f We can demonstrate that the relation

117 t"

"1

(a, fl)

" there exists 7 such that norm(7 ) < c~ and a 7 "~ f17

is a bisimulation, from which the result follows.

[]

The assumption in this lemma that 7 is normed cannot be dropped, as can be readily seen by considering the following counterexample. Consider the processes X and Y whose only transitions are X a ~ r and Y a ~ Y; then X Y ,,~ Y, but clearly X 7~ T h e o r e m 18 Normed Greibach normal form context-free processes admit unique

(up to bisimilarity) prime decompositions. P r o o f Existence may be established by induction on the norm. For uniqueness, suppose that a = X 1 . . . X p ,~ Y1...Yq = fl are prime decompositions of bisimilar processes a and fl, and that we have established the uniqueness of prime decompositions for all a ' E V* with n o r m ( a ' ) < norm(a). If p = 1 or q = 1 then uniqueness is immediate. Otherwise suppose that X1 a ~ 7 is a norm-reducing transition that is matched by ]I1 a, 8, so that 7X2 ... Xp ,~ ~Y2... Yq. By the inductive hypothesis, the prime decompositions of these two processes are equal (up to ,,,), entailing Xp ,,, Yq. Hence, by Lemmas 16 and 17, X 1 . . . X p - 1 ~ Y1...Yq-1, and uniqueness then follows from a second application of the inductive hypothesis. [] Notice that this theorem fails for unnormed processes. The reason for failure is immediately apparent from the observation that a ,-~ aft for any unnormed a and, any ft. T h e o r e m 19 Normed concurrent Greibach normal form context-free processes

admit unique (up to bisimilarity) prime decompositions. P r o o f Again, existence may be established by induction on the norm. For uniqueness, suppose that a = P1klP~2---Pmk'~ ,~ p ~ l p ~ 2 . . . p ~ = .6 represents a counterexample of smallest norm; that is, all 7 with norm(7 ) < norm(a) ( = norm(fl)) have unique prime decompositions, the Pis are primes, but i exists such that ki # li. We may assume that the Pis are ordered by nondecreasing norms, and then we may choose this i so that kj = lj whenever j > i. We shall furthermore assume without loss of generality that ks > Ii. We distinguish three cases, and in each case show that process a may perform a norm-reducing transition a a, al that cannot be matched by any transition fl a ~ fl, with a ' ~ fl' (or vice versa with the roles of a and /? reversed), which will supply our desired contradiction'. Observe that by minimality of the counterexample if a ' and fl' are to be bisimilar then their prime decompositions must be identical.

118

C a s e I . If kj > 0 for some j < i, then we may let c~ perform some normreducing transition via process Pj. Process fl cannot match this transition, as it cannot increase the exponent Ii without decreasing the exponent of some prime with norm greater than that of Pi. C a s e II. If kj > 0 for some j > i,' then we may let a perform a norm-reducing transition via process Pj that maximises (after reduction into primes) the increase in the exponent ki. Again the process fl is unable to match this transition. C a s e I I I . If the process a = p/k~ is a prime power, then note that lj 0 for all j > i by choice of i, and that ki > 2 by the definition of "prime." If li > 0, then we may let j3 perform a norm-reducing transition via Pi; this transition cannot be matched by c~, since it would require the exponent ki to decrease by at least two. If li = 0 on the other hand, then we may let c~ perform a norm-reducing transition via Pi; this transition cannot be matched by fl, since fl is unable to increase the exponent li. These cases are inclusive, so the theorem is proved.

D

C o r o l l a r y 20 I f c~, fl and 7 are normed concurrent Greibach normal form

context-free processes then ~7 ~ f17 implies o~ .~ ft. P r o o f Immediate.

O

Notice that for concurrent Greibach normal form context-free processes, unique decomposition and cancellation again each fail, for similar reasons to the sequential case. 2.2

Equivalence-Preserving

Transformations

In this section we demonstrate how to transform an arbitrary guarded CFG into a bisimilar (and hence also language equivalent) CFG in Greibach normal form. This transformation will be valid for interpreting grammars either as context-free processes or concurrent context-free processes. Furthermore these transformations only involve a linear increase in the size of the grammar (that is, the number of symbols appearing in the production rules of the grammar), more precisely, an increase of only twice the size of the terminal alphabet. Combining this with the usual technique (from [33]) for transforming an arbitrary CFG not generating the empty word ~ into guarded form gives an alternative proof of the usual Greibach normal form theorem. Let G = (V, T, P, S) then be an arbitrary guarded CFG. We can define a new grammar G = (V,T, JB, S) as follows. Firstly we let V = {Ya

" ~r E V U T }

119

and S = Ys. The production rules of P are defined by Ya "* a for each a E T, and Yx --* aEa for each X E V and each rule X --~ a a in P , where Ee = r and Eaa = YaEa for ~r E V U T. L e m m a 21 G ... G. That is, S(G) ,.~ S(G). Proof

Let T~ = ~ (a, Ea)

" a E (V U T)* ~. We shall demonstrate t h a t

%

is a bisimulation relation, from which we shall conclude t h a t S .-. E s = S. To do this it suffices to demonstrate t h a t a " > /3 if and only if E~ ~, EZ for all a E (V U T)* . .Certainly this is true for a = ~. It is equally true for a = a/3 with a E T as each of a/3 and E,# = YaE# has only one transition, namely aft ~,/3 and E~a a ~ EZ respectively. Finally it is true for a = X/3 with X E V as Xfl ~ ' 7 if and only if X ~ a6 is a rule of P and 7 = 6/3, which is true if and only if Y x ~ aE~ is a rule o f / ~ (and still 7 = 6/3), which in turn is true if and only if E x ~ = Y x E # ~, E6E~ = E~. []

L e m m a 22 C(G) ,~ C(G). f

P r o o f As for the previous case we can demonstrate t h a t T~ = ~ (a, Ea) (V U T)* } is a bisimulation relation by demonstrating t h a t a

"

E

a ~/3 if and only

ifEa a, E~ for a l l a E ( V U T ) * . Suppose then t h a t a a~ /3. This can occur in one of two ways: either c~ = 7a6 a n d / 3 = 76, in which case we have ~a = ~'rYa~t a , E.rE t = E#; or else a = 7X6 and 13 = 7y6 where X ~ ay is a rule of P , in which case we have E~ = ETYxE~ a ~ ETEnE6 = E#. Similarly we can show t h a t i f E ~ a , E ~ t h e n a a~/3. [] Extending these transformations to the process algebras BPA and B P P using the transformations given in Subsection 1.5 provides us with an efficient transformation into standard form processes analogous to Greibach normal form. However this w o r k s only for guarded processes. For example, the unguarded g r a m m a r given in Example 15 clearly cannot be transformed into a bisimilar g r a m m a r in Greibach normal form. This stands in contrast to the classical result stating t h a t any g r a m m a r can be transformed into a language equivalent Greibach normal form grammar; this transformation can in fact be carried out so that the size of the resulting g r a m m a r is at most the square of the size of the original g r a m m a r . We can weaken the definition of guarded, saying t h a t a g r a m m a r is weakly guarded if we cannot rewrite any variable X using a positive number of rewrites into a string Xc~ for some a. Equivalently if we define an ordering between variables by X > Y whenever X --* Y a for some a, then the g r a m m a r is weakly guarded if this ordering is well-founded. The above transformations are

120

then valid, though the resulting grammars may be exponentially larger than the original grammars. We leave it to the reader to verify these facts, in particular by considering the transformation of the weakly guarded grammar given by X1 ~ a, X1 ~ b, and for each 0 < k < n, Xk+l ~ X k a and Xk+l "* Xkb. A (bisimulation) equivalent grammar in Greibach normal form is necessarily exponentially larger than this original grammar.

3

Decidability Results

If we consider the class of regular (finite-state) processes, theh bisimulation equivalence is readily seen to be decidable: To check if ~ ,~/~ we simply need to enumerate all binary relations over the finite-state space of ~ and/~ which include the pair ((~,/~) and check if any of these is by definition a bisimulation relation. Language equivalence is similarly known to be decidable for finite-state automata. This can be seen by noting that regular grammars can be transformed easily into normed deterministic grammars; the decidability of language equivalence then follows from the decidability of bisimilarity along with Corollary 10 and Lemma 12. As soon as we move to a class of infinite-state processes, the decision problem for bisimulation equivalence becomes nontrivial. For image-finite processes, the nonequivalence problem is quickly seen to be semi-decidable--given the computability of the transition relation--using L e m m a 14, noting that the relations ~k are all trivially computable. However there would appear to be potentially infinitely many pairs of states to check individually in order to verify the bisimilarity of a pair of states. We may also be led to believe that the equivalence problem for bisimulation checking is undecidable given the classic result concerning the undecidability of language equivalence. However it turns out that bisimulation equivalence is in fact decidable for both context-free processes and concurrent context-free processes. In this section we shall concentrate on presenting these two results. The result concerning context-free processes is due to Christensen, Hiittel and Stirling [18], while that concerning concurrent context-free processes is due to Christen'sen, Hirshfeld and Moller [15]. One immediate corollary of the former result is the result of Korenjak and Hoperoft [44] that language equivalence is decidable for simple grammars. We shall henceforth simplify our study, using the results of the previous section, by assuming that our grammars are in Greibach normal form. Let us then fix some Greibach normal form grammar G = (V, T, P, S). Our problem is to decide a -,~ fl for ~, fl E V*, first in the case where we interpret the grammar as a context-free process, and then in the case where we interpret the grammar as a concurrent context-free process. Notice that such processes are image-finite,

121

so we may use the fact that bisimilarity is characterised by the intersection of our stratified bisimulation relations. Also, as nonequivMence is semi-decidable, we only need demonstrate semi-decidability of the equivalence problem. 3.1

Context-Free

Processes

Based on the congruency result of L e m m a 16 for context-free processes, we define the following notion. Let T~ be some binary relation over V*. We define ~ to be the least congruence with respect to composition which contains 7~. T h a t is, - is the least equivalence relation which contains 7~ and contains the pair (as',/3/31) whenever it contains each of (c~, 13) and (a', 13'). Our technique will rely on the following definition due to Caucal [10]. D e f i n i t i o n 23 A relation Tl C_ V* x V* is a Caucal base iff whenever (a, 13) E T~ we have that * ifce

a)e~ I then13

* if13~t3'

thena

a)131forsome131 w i t h a 1~131; a a'forsomea

and

I witha'~13'.

Hence the definition of a Caucal base differs from that of a bisimulation only in how the derivative states a ~ and 13~are related; in defining T~ to be a bisimulation, we would need these derivative states to be related by 7~ itself and not just by T~

the (typically much larger) congruence -- . A Caucal base then is in some sense a basis for a bisimulation. The importance of this idea is encompassed in the following theorem. 7~

T h e o r e m 24 ( C a u c a l ) I f T~ is a Caucal base, then -- is a bisimulation. In T~

particular, -- C ,,~. P r o o f We demonstrate that if a ~ fl then the two clauses given by the definition 7r

of - being a bisimulation hold true, thus demonstrating Te -- to be a bisimulation. The proof of this we carry out by induction on the depth of inference of 7r or _---- 13. 7~

If a -- 13 follows from (a, 13) E T~ then the result follows from T~ being a Caucal base. R If a _---/3follows from one of the congruence closure conditions, then the result easily follows by induction, using the above congruency lemma. []

C o r o l l a r y 25 a -~/3 iff (a,/3) E T~ for some Caucal base T~.

122

P r o o f Immediate.

[]

It now becomes apparent that in order to demonstrate bisimilarity between terms, we needn't produce a complete (infinite) bisimulation relation which contains the pair; rather it suffices simply to produce a Caucal base which contains the pair. W h a t we shM1 demonstrate is that this corollary can be strengthened to a finite characterisation of bisimulation, in that we shall describe a finiie Tr

relation 7~ satisfying -- = ..~. This relation Tr will clearly be a CaucM base, and our semi-decidability result (and hence the decidability result itself) will be established, taking into account the following. L e m m a 26 It is semi-decidable w h e t h e r a given finite binary relation Tr over V* is a Caucal base.

P r o o f We need simply check that each pair (a, ;3) of the finite relation Tr satisfies the two clauses of the definition of a Caucal base, which requires testing (in parallel) if each transition for o n e of a and fl has a matching transition from the other. This matching t e s t - - t h a t is, checking if the derivative states Tr

Tr

are related by - --is itself semi-decidable, as the relation -- is semi-decidable. [] Our semi-decision procedure for checking a ,~ ;3 then consists of enumerating all finite binary relations over V* containing the pair (c~, fl) and checking (in parallel) if any one of them is a Caucal base. We thus concentrate on defining Tr

the finite relation T~ satisfying = = ~*. We first present some technical results, starting with the following unique solutions lemma. L e m m a 27 I f (~ ~ 7o~ and ;3 ~, "7;3 f o r s o m e "7 r E then o~ ,,, ;3. P r o o f Let 7~ { (~a, 6;3) " o~ ,,~ "Ta and fl ,-, "7;3 for some "7 ~ r }. We may demonstrate straightforwardly that -~7r is a bisimulation, from which we may deduce our desired result. [] An important finiteness result on which our argument hangs is given by the following. L e m m a 28 I f c~'7 ,~ /37 f o r infinitely m a n y n o n - b i s i m i l a r 7, then ~ ..,/3. Proof

We shall

show

that 7~ = { (a, ;3) " a 7 "~ ;37 for infinitely many non-

bisimilar 7 } is a bisimulation, from which our result will follow. Let (c~,;3) E 7~, and suppose that c~ a ~ a,. Since c~ r e, by Lemma 27 there can only be one 7 (up to bisimilarity) such that a 7 ,-~ 7, so we must have that

123

r ~. Thus for infinitely many non-bisimilar 7 we must have fl a ) fir such that a~'y N fl-~7- Since ~ is image-finite, we must have that fl a , ~ such that at-/,,~ fit7 for infinitely many non-bisimilar 7- Hence we must have (a t, fit) E TO. Similarly if (a, fl) E Tr and fl a) fit then a ~) a t such that (a t, fit) E TO. [] We may split the set of variables into two disjoint sets V = N O U with the variables in N being normed and those in U being unnormed. Our motive in this is based on the following lemma. L e m m a 29 If X is unnormed then X a ,,~ X for all a, P r o o f We can immediately verify that { (X, X a ) bisimulation.

" X is unnormed [ is

a

[]

Hence we need only ever consider states a E N* U N ' U , the others being immediately rewritable into such a bisimilar state by erasing all symbols following the first unnormed variable. The argument relies on recognising when a term may be broken down into a composition of somehow simpler terms. To formalise this concept we start with the following definition. D e f i n i t i o n 30 A pair ( X a , Yfl) satisfying X a ,,, Y fl is decomposable if X and Y are normed, and for some 7, 9 X ,,~ Y 7 and 7or ,,~ fl; or . yNX7

andTfl,~a.

The situation would be clear if all bisimilar pairs were decomposable; indeed we shall exploit this very property of normed processes--which follows there from our unique decomposability result--in in Section 4. However we can demonstrate that there is in some sense only a finite number of ways that decomposability Can fail. This crucial point in our argument is formalised in the following lemma. We consider two pairs ( X a , Yfl) and ( X a ' , Yfl') to be distinct if a r ~t or fl 7L fit. L e m m a 31 For any X , Y E V, any set of the form 7~ = { ( X a , Y ~ )

" X a , Y ~ E N* U N * U , X a , ~ Yfl, and ( X a , Yfl) not decomposable }

which contains only distinct paws must be finite. P r o o f If X, Y E U then clearly ~ can contain at most the single pair (X, Y).

124

IfX EUandY

W)r

" iEI}thenforeachiEIwe

must have that X _w ) ai such that ai "~/3/. But then by image-finiteness there can be only a finite number of non-bisimilar such/3/. Suppose then that X , Y

E N and t h a t 7~

{ (Xai,Y/3i)

" i E I ~ is

infinite. Without loss of generality, assume t h a t norm(Y) < n o r m ( X ) , and t h a t y w) r with length(w) = norm(Y). Then for each i E I we must have t h a t X ~ ) "/i such t h a t ~fiai "~/3i. By image-finiteness, we can have only finitely m a n y such ~'i, so we must have that X w, 7 for some 3~ such t h a t ~/cq ,-~/3i holds for infinitely m a n y i E I; by distinctness these ~is must all be non-bisimilar. For these i E I we must then have that X a i ,~ YT~i, But then by L e m m a 28 we must have that X --~ YT, contradicting non-decomposability. [] We are now ready to demonstrate our m a i n result, t h a t there is a finite

7r

relation 7~ satisfying =__ -- N. This will be done by induction using the following well-founded ordering _ft.

Definition 32 Define the measure s on N* UN*U as follows. For a E N* and X E U, let s(a) = s ( a X ) = n o r m ( a ) . Then

let(OL1,Ot2)__E (/31,/32) ij~ ma~x(s(a,), s(a2) ) _~ max(8(/31), 8(/32)).

Lemma33

Let T~o be the largest set { ( X , a )

letT~l be the largest set { (Xc~,Y/3)

" X E N and X - a }, and

" X a , Y/3 E N * U U N*, X a .~ Y/3, and

(Xc~, Y/3) not decomposable } which contains only distinct pairs, and containing minimal elements with respect lo C_. Then R = 7~o U T~I is a finite relation 7r satisfying =_ = ..~. Proof

T~

Firstly, 7~0 and T~1 must both be finite. Also we must have _-- _ ~.

7r

We will demonstrate by induction on E_ that X a ~ Yfl implies X a - Yfl If (Xa, Yfl) is decomposable, then X, Y E N and (without loss of generality) assume that X ,~ Y~/ and 7 a ,,~ ft. Then s(Ta ) < s(Y^/a) = s(Xa) and

7~

s(fl) < s(Yfl), so (7c~,/3) if_ (Xa, Yfl). Hence by induction 7c~ _~/3. Then from

T~

(x,

n o we get x a = Y/3. Suppose then that (Xa, Yfl) is not decomposable. Then ( X a ~, Y/3~) E T~I for some a ~ ,~ a and/3~ ,-~/3 with (a',/3~) E_ (a,/3). 9 If X, Y E N, then (a, fl), (a', fl') r- ( X a , Yfl), so (a, a ' ) , (/3,/3') E (Xa, Y/3). Thus by induction a -_9 IfX

a n d / 3 -/3~, so X a -- Xa~TIY/3 ~ =_ Y/3.

E N and Y E U, then fl = fl' = r and X a ,~ Y.

s(a) < s(Xa), so ( a , a ~) r- (Xa, Y).

Also s ( a ' ) <

7r

Thus by induction a _ = a ~, so

125 "R,

X a = X a I ~- Y. A symmetric argument applies for the case when X E U and Y E N. * IfX, YEU,

Tr

thenc~=a~=fl=fl'=r

ET~l, S O X ~ - - Y f l . []

T h e o r e m 34 Bisimulation equivalence is decidable for guarded context-free pro-

cesses. P r o o f I m m e d i a t e from the preceding argument.

[]

Unfortunately, as the decidability follows from two semi-decision procedures, we have no method of determining a complexity bound on the problem, and it is immediately apparent that the procedure is impractical for use. In Section 4 we shall go some way towards rectifying this situation, by exploiting the special nature of normed processes to provide a polynomial-time decision procedure for that subclass of context-free processes. 3.2

Concurrent

Context-Free

Processes

Our demonstration of the decidability of bisimulation equivalence for concurrent context-free processes uses a vastly different technique than in the case of context-free processes. In particular, rather than construct a semantic representation for bisimulation equivalence, we devise a syntactic characterisation which exploits the commutative nature of the composition, representing states a E V* k l yk2 compactly in the form y..1 "'2 "'" X~" where V = { X1, X 2 , . . . , X,~ }. We shall hence assume that the production rules are in the form X1 --* aX~ 1 " .X~", and otherwise read sequences of variables modulo commutativity, so that for example if a = X ~ ' - " X n k" a n d fl = X~ ~ . . - X S , we shall recognise aft as

x ~ + ~ , ... x ~ . + z . . Our technique will rely on the following well-founded ordering r- on such elements of V*. D e f i n i t i o n 35 X ~ ' . . . X ~ "

v- X~ 1 . . . x ~ " and for all i < j we have that ki = li.

iff there exists j such that kj < lj

It is straightforward to verify that E is indeed well-founded. We present here a tableau decision procedure for checking bisimilarity. Our tableau system is a goal directed equationM proof system with rules built around equations either of the form a = fl where a,fl E V*, or of the f o r m ~ i E I aic~i = ~ j E j b j f l j where I and J are finite index sets, each al,bj E A, and each ~i,flj E V*. NotationMly, we read ~ i e o aioq as r and )-'~ie{0} aioq as a0a0.

126

T h e u n d e r s t a n d i n g we m a k e of s u m f o r m s is as a listing of the transitions which are i m m e d i a t e l y available to a process; as such, we shall interpret these terms as processes themselves. Each rule has the f o r m

E=F 9..

El=F1

E, =F,

possibly with a side condition. T h e premise of the rule represents a goal to be achieved whereas the consequents represent (sufficient) subgoals to be established in order t o achieve the goal. A tableau for E = F is a m a x i m a l p r o o f tree whose root is labelled E = F and where the labelling of i m m e d i a t e successors of a node are determined according to the rules of the tableau s y s t e m presented in Table 1. For the presentation of rule R E c we introduce the n o t a t i o n unf(c~) for c~ E V* to m e a n the unfolding of c~ defined as follows: unf(X~'...X~")

=

E l0

aX~'+I~'"X~'+I'-I'"X~"+I"

E Xi---*aX

zl

x

...X~

In

We shall denote nodes in a tableau by n (with roots also denoted by r) possibly with subscripts; If a node n has label E = F we write n : E = F . In building t a b l e a u x the rules are only applied to nodes t h a t ate not terminal. A terminal node can either be successful or unsuccessful. A successful terminal node is one labelled a = a, while an unsuccessful t e r m i n a l node is one labelled either a a = b~ such t h a t a r b or a a = e or e = bfl. A tableau is successful if and only if all terminal nodes are successful; otherwise it is unsuccessful. Nodes of the f o r m n : a = fl are called basic nodes. W h e n building t a b l e a u x basic nodes m i g h t dominate other basic nodes; we say t h a t a basic node n : a 7 = or n : ~f = a 7 dominates any node n ~ : a = fl or n ~ : fl = a which appears above n in the tableau in which a "1 ~ and to which rule R,EC is applied. Whenever a basic node dominates a previous one, we apply one of the SUB rules to reduce the terms before a p p l y i n g the REC rule.

Example

36 Consider the concurrent context-free process given by the following

grammar. X1 ---* a X 1 X 4

X2 ---+aX3

X3 ~ a X 3 X 4 X3 ~ bX2

X4 ---* b

We can verify semantically that X1 "~ X2. A successful tableau for X1 = X2 is given as follows.

127

REC

u n f ( ~ ) ----u n f ( ~ )

{

SUM

p q E i = I a i a i ---- ~jffil bjjSj aiozi = b](i)~](i)

{

i=1

bjl~j = ag(j)otg(j)

}"

j=l

where f : { 1 , . . . , p } --+ { 1 , . . . , q } g : { 1 , . . . , q } --+ {1 . . . . ,p}

ac~ = a/~ PREFIX

,~=~ at7 = ~5

StmL

~-~=a ~5=o~ 7

StmR

a=B7

if the d o m i n a t e d node is labelled o~ = fl or 1~ = a with c~ ~

if the d o m i n a t e d node is labelled a = fl or B = a with a ~

T a b l e 1: R u l e s of t h e t a b l e a u s y s t e m .

Xl

~

X2

REC

aX1X4 = aX3 PREFIX XaX4

= X3

X2X4

= Xa

StmL REc

aX3X4 + bX2 = aXaX4 + bZ2 SUM

aX3X4 = aX3X4

bX2 = bX2

XaX4 = XaX4

)(2 = Xa

PREFIX

Lemma

PREFIX

3 7 Every tableau f o r o~ = 13 is finite.

Furthermore, there is only a

finite n u m b e r of tableaux f o r o~ = ft. Proof

S u p p o s e t h a t we h a v e a t a b l e a u w i t h r o o t l a b e l l e d c~ = ft. I t c a n o n l y

b e i n f i n i t e if t h e r e exists a n i n f i n i t e p a t h t h r o u g h it, as e v e r y n o d e h a s f i n i t e

128

branching degree. Hence suppose 7r is such an infinite p a t h starting at the root r : c~ = ~. The p a t h zr can only be infinite if it contains infinitely m a n y basic nodes to which the tableau rule REc is applied. This is due to the wellfoundedness of the ordering ~ on V* which is decreased through applications of the SUB rules. Thus from the p a t h 7r we can form an infinite sequence S of (DO nodes {ni : c~i = ~i9 }i=1 by collecting (in order of appearance) the basic nodes along 7r to which the rule REc is applied. Hence n l : c~t = ~1 represents the root, n2 : c~2 = f12 represents the second node along 7r at which REC is applied, and so on. An expression c~ can be viewed as a vector ~ of JTVn: the value of the /th coordinate of ~, denoted ~(i), indicates the n u m b e r of occurrences of variable Xi in a. Thus we can represent the sequence S by an infinite sequence of vectors {~i}i~176 where ~i 6 / W 2n for all i. The first n coordinates represent ai and the last coordinates represent ill. Consider the infinite sequence { fii (1) } ~ 1 consisting of all the first coordinates of vectors of the sequence S. If this sequence has an upper bound we extract from S an infinite sequence $1 of vectors {v, }i=1 with the property that the first coordinate of ~i remains constant throughout $1. If the sequence {fii(1)}~l does not have an upper bound we extract from S an infinite sequence $1 of vectors {vi}i~l with the property t h a t the first coordinate of vi is nondecreasing, i.e. ~ ( 1 ) < ~j(1) whenever i < j. Continuing in this fashion we arrive at an infinite ~9 OO sequence S2n of vectors {w,}i=l with the property that all coordinate sequences are nondecreasing. But then every node in this sequence is dominated by every node after it, so the rule REc cannot be applied to any of these nodes, as a SUB rule is applicable. For the proof of the second part, we note t h a t if there were an infinite number of tableaux, then since there are only a finite number of partial tableaux of a given finite size, there must be an infinite sequence of partial tableaux, each of which being derived from the previous by the application of some rule to the node most recently introduced. But then this sequence provides a tableau with an infinite p a t h through it, which by the first part cannot be. [] We now proceed to show the soundness and completeness of the tableau system. Theorem

38 ( C o m p l e t e n e s s )

If a ,,, fl then there exists a successful tableau

for~=Z. P r o o f Suppose a ,-, j3. If we can construct a tableau for a = / ? with the property t h a t any node n : E = F satisfies E ,,* F, then by L e m m a 37 t h a t construction must terminate and each terminal will be successful. Thus the tableau itself will be successful. We can construct such a tableau if we verify t h a t each rule of the tableau system is forward sound in the sense that if the antecedent as well as all nodes

129

above relate bisimilar processes then it is possible to find a set of consequents relating bisimilar processes. It is easily verified t h a t the rules are indeed forward sound in this sense. Notice in particular t h a t t h e rule REC reflects the expansion law for parallel composition [48] and that forward soundness of the SUB rules follows from the fact that bisimilarity is a congruence. [] The proof of soundness of the tableau system relies on the alternative stratified characterisation of bisimulation equivalence. Theorem

39 ( S o u n d n e s s )

I f there is a successful tableau for a = fl then c~ ,.~

/3. P r o o f Suppose t h a t we have a tableau for c~ = / 3 , and that ~ 7~/3. We shall construct a m a x i m a l p a t h ~r = {nl : El = Fi} through this tableau starting at the root a = / 3 in which Ei 7~ Fi for each i. Hence the terminal node of this p a t h cannot be successful, so there can be no successful tableau for c~ =/3. While constructing ~r, we shall at the same time construct the sequence of integers {mi : Ei 7~rn, Fi and Ei "~j Fi for all j < mi}. We shall also prove along the way t h a t this sequence is nonincreasing, and strictly decreasing through applications of the rule PREFIX. Given ni : Ei = Fi and mi, we get ni+t : Ei+l = Fi+l and mi+l according to the following cases: * If REC is applied to ni, then the consequent is n i + l and mi+l = mi. 9 If SUM is applied to ni, then there must be some consequent n i + l : Ei+l = Fi+l with Ei+l 7~m~ Fi+l and Ei+l ~ i Fi+l for all j < mi, so mi+l = mi. * If PREFIX is applied to ni, then the consequent is ni+l and mi+l = rni - 1 . 9 If SuBL is applied to ni : Ei = Fi then Ei = Fi must be of the f o r m a 7 = ~ with dominated node nj : a = 13 ( a -7/3). Since between nj and ni there must have been an intervening application of the rule PREFIX, we must have t h a t mi < m j . We take the node ni+l :/37 = ~, and show t h a t we have some valid rni+l < mi, that is, that/33' 7Lrn~ ~. But this follows from a "~-n/3 and a 7 7~,~ ~. The arguments for the other possible applications of the SUB rules are identical. T h a t the above conditions hold of the resulting p a t h is now clear.

[]

We are now in a position to infer the decidability of bisimulation equivalence on concurrent context-free processes. In order to decide the validity of a = fl we simply start listing tableaux for a = fl and stop and answer "yes" if a successful tableau has been found. If we list all of the finite number of finite tableaux (systematically, so that we recognise when they have all been listed) and fail to

130

discover a successful one, then we answer "no". By soundness and completeness of the tableau system, we know that this procedure will always give the right answer. Thus the decidability result is established. T h e o r e m 40 Bisimulation equivalence is decidable for guarded concurrent context-free processes. P r o o f Immediate from the preceding argument.

[]

Unlike the previous argument for context-free processes, we have a single decision :procedure for determining equivalence rather than two opposing semidecision procedures, so we could feasibly extract some complexity measure on deciding equivalence. However, the complexity measure which we could immediately extract, being based on our the particular well-founded ordering C on V*, would fail even to be primitive recursive, so once again our decision procedure is impractical. However, again in the normed case we can exploit particular properties to extract a polynomial-time decision procedure. This we also carry out in Section 4.

4

A l g o r i t h m s for N o r m e d P r o c e s s e s

In the previous section we demonstrated the decidability of bisimulation equivalence over both the class of context-free processes and the class of concurrent context-free processes. However, the computational complexity of the algorithms which we presented shows them to be of little practical value. To overcome this deficiency we concentrate in this section on developing efficient algorithms for deciding bisimilarity within these classes of processes. What we demonstrate in fact are polynomial algorithms for the problem of deciding equivalences over the subclasses of normed processes. These algorithms will both be based on an exploitation of the decomposition properties enjoyed by normed processes; however, despite the apparent similarity of the two problems, different methods appear to be required. For our algorithms, we fix a normed context-free grammar G = (V, T, P, S) in Greibach normal form. Our problem then is to determine efficiently--that is, in time which is polynomial in the size n (the number of symbols in the production rules) of the grammar--whether or not c~ --, fl for c~, j3 E V*, where we interpret these first as context-free processes and then as concurrent contextfree processes. 4.1

Context-Free

Processes

Our basic idea is to exploit the unique prime decomposition theorem by decomposing process terms sufficiently far to be able to establish or refute the

131

equivalence we are considering. Further, we try to construct these decompositions by a refinement process which starts with an overly generous collection of candidate decompositions. As the algorithm progresses, invalid decompositions will gradually be weeded out. Assume that the variables V are ordered by non-decreasing norm, so that X < Y implies norm(X) < norm(Y). A base is a set B of pairs (Y, X ~ ) , where X, Y 9 V, a 9 Y*, X < Y and norm(Y) = n o r m ( X a ) . We insist that B contains at most one pair of the form (Y, X a ) for each choice of variables X, Y, so that the cardinality of B is at most O(n2). A base B is full iff whenever Y ,,~ X f l with Y > X there exists a pair (Y, Xc~) 9 B such that c~ ,-~ /~. In particular, (X, X ) 9 B for all X 9 V. The key idea is that infinite relations on V*, in particular that of bisimilarity, may be expressed as the congruence closure of a finite base. L e m m a 41 If the base B is full then ,,, C ~ . P r o o f This result may be proved by induction on norm; however, the effort would be unnecessary, as in Subsection 4.1.1 we shall encounter a procedure which given a full base B constructs a binary relation on V* that contains ,~ B

and is contained by = .

D t~

Let ~B be some relation satisfying ~ C_ - 5 C = whenever B is full. At a high level, the exact choice of the relation --~ is immaterial, as the proof B

of correctness relies only on the inclusions ,-~ C ------B C -- ; later we shall fix a particular --B which is computable in polynomial time. It is here that the algorithmic subtlety lies, as efficiency demands a careful choice of =t~ 9 Our task is to discover a full base that contains only semantically sound decomposition pairs. To do this, we start with a full (though necessarily small) base, and then proceed to refine the base iteratively whilst maintaining fullness. Informally, we are proposing that at any instant the current base should ~ n s i s t of pairs (X, a) representing candidate decompositions, that is, pairs such that the relationship X ,,~ a is consistent with information gained so far. The refinement step is as follows. Given a base B, define the sub-base B C B to be the set of pairs (X, c~) 9 B such that 9 if X .A_,/3 then a

~ ~ 7 with j3 -=t~ 7, and

9 ifa

a~j3with/~--=z7.

~TthenX

L e m m a 42 If B is full then B is full. P r o o f Suppose Y ~ Xj3 with Y _> X. By fullness of B, there exists a pair (Y, Xc~) 9 B such that ~ -,~ /~. We show that the pair (Y, X a ) survives the

132

refinement step, to be included in B. Note that, since ,,~ is a congruence, Y ,,~ Xc~. Thus, if Y _2_, 7 then X a a ~ 6 for some 6 satisfying 6 -~ 7. By fullness of B and Lemma41, 6 -t3 7. Similarly, i f X ~ ~ > 6 then Y a ~ 7 with 7 "" 6, and hence 7 --t~ 6. The pair (Y~ X a ) therefore satisfies the conditions for inclusion in B. [] In general, the refinement step makes progress, i.e., the new base B is strictly contained in the base B from which it was derived. If, however, no progress occurs, an important deduction may be made. L e m m a 43 If B = 13 then =t3 C ,,~. B

P r o o f The relation --n is contained in = , the congruence closure of B, so B must be a Caucal base. Now apply Theorem 24. [] Note that by iteratively applying the refinement step B := B to a full initial base, we are guaranteed by the preceding three lemmas to stabilise at some full base B for which _-__~ = N. We are now left with the task of constructing our initial base B0. This is achieved as follows. For each X E V and each 0 _< u _< norm(X), let [X]v be some process that can be reached from X via a sequence of u norm-reducing transitions. (Note that some norm-reducing transition is available to every process.) L e m m a 44 The base 13o = ~ (Y, X[Y]norm(X))

" X~Y E V

and X < Y ~ is

]

full. P r o o f Suppose Y ,~ X/~ with X _< Y, and let v = norm(X); then (Y, X[Y]v) E B0 for some [Y]~ such that Y ' > [Y]v in v norm-reducing steps, where s E A V. But the norm-reducing sequence Y ' ~ [Y]~ can only be matched by X/~ ' ~/3. Hence [Y]~ -~/?, and B0 must be full. [] The basic structure of our procedure for deciding bisimilarity between normed processes a and/3 is now clear: simply iterate the refinement procedure B := from the initial base B = B0 until it stabilises at the desired base B, and then test a -=t3/3. By the preceding four lemmas, this test is equivalent to a ,,~/3. So far, we have not been specific about which process [X]v is to be selected among those reachable from X via a sequence of u norm-reducing transitions. A suitable choice is provided by the following recursive definition. For each variable X E V, let a x E V* be some process reachable from X by a single norm-reducing transition X " ~ a x . Then, -

[Xfl]p =

{ [/~]p-norm(X), [c~x]p_l/3,

if p_> norm(X); if p < norm(X).

133

L e m m a 45 With this definition for [.]~, the base Bo introduced in Lemma ,t4

may be explicitly constructed in polynomial time; in particular, every pair in Bo has a compact representation as an element of V • V*. P r o o f It is easily checked that the natural recursive algorithm based on the definition is polynomial-time bounded. O We have already observed that B0 contains O(n 2) pairs, so the refinement procedure is iterated at most O(n 2) times. It remains to define the relation = n and show that it may be computed in polynomial time. Once this has been done, it is clear that the entire decision procedure runs in polynomial time. T h e o r e m 46 There is a polynomial-time (in the lengths of the words a and fl,

and the size of the defining grammar) procedure for deciding bisimilarity of two normed context-free processes a and ft. Recall that the only condition we impose on the relation -t3

is that it

B

satisfies the inclusions -~ C ---B _ -= whenever B is full. This flexibility in the specification of ---s is crucial to us, and it is only by carefully exploiting this flexibility that a polynomial-time decision procedure for =-B can be achieved. The definition and computation of --~ is the subject of the following section. 4.1.1

Algorithmic

concerns

Central to the definition of the relation ---B is the idea of a decomposing function. A function g : V ---+ V* is a decomposing function of order q if either g(X) = X or g(X) = X 1 X 2 . . . X p with 1 < p < q and Xi < X for each 1 < i < p. Such a function g can be extended to the domain V* in the obvious fashion by defining g(e) = e and g(Xa) = g(X)g(c~). We then define g*(~) for E V* to be the limit of gt(~) as t --* ~ ; owing to the restricted form of g we know that it must be eventually idempotent, that is, that this limit must exist. The notation g[X ~-+ a] will be used to denote the function that agrees with g at all points in V except X, where its value is a. The definition of the relation --B may now be given. For base B and decomposing function g, the relation a = ~ / ? . i s defined b y the following decision procedure: 9 if g*(c~) = g*(fl) then the result is true; 9 otherwise let X and Y (with X < Y) be the leftmost mismatching pair of symbols in the words g*(c~) and g*(fl); -

if (Y, XT) 9 B then the result is given by a - ~ fl, where 9 = g[Y ~-+

xT];

134

- otherwise the result is false. Finally, let --=t~ be _--~d where Id is the identity function. L e m m a 47

-6

C --- and ,,~ C -t~ whenever B is full.

P r o o f The first inclusion is easily confirmed , since for any g constructed by the B

algorithm for computing --B , it is the case that X =_ g ( X ) for each X E V. For the second inclusion, suppose that a ,~ /3 and at some point in our procedure for deciding a --t~ fl we have that g* (a) # g* (fl), and that we have only ever updated g with mappings X ~ 7 satisfying X -,~ 7. Let X and Y (with X < Y) be the leftmost mismatching pair. Then Y ,~ X 7 must hold for some 7, and so, by fullness, (Y, XT) E B for some 7 with Y ,,* XT. So the procedure does not terminate with a false result, but instead updates g with this new semantically sound mapping and continues. [] Finally, we are left with the problem of deciding g*(a) = g*(/3), all other elements in the definition of ---t~ being algorithmically undemanding. Note that the words g*(a) and g*(/3) will in general be of exponential (in n) length, so we cannot afford to compute them explicitly. We shall begin by assuming that the function g is of order 2, that is, maps a single variable to at most two variables; this simplification may be achieved using a standard polynomial-time reduction to Chomsky normal form. In the sequel, let n denote the total number of variables after this reduction to what is essentially Chomsky normal form, and let V refer to this extended set of variables. We say that the positive integer r is a period of the word a E V* if 1 < r < length(a), and the symbol at position p in a is equal to the symbol at position p + r in a, for all p in the range 1 < p < length(a) - r. Our argument will be easier to follow if the following lemma is borne in mind; we state it in the form given by Knuth, Morris and Pratt. L e m m a 48 I f r and s are periods of a E Y * , and r + s < length(a) + gcd(r, s), then gcd(r, s) is a period of a. P r o o f See [43, Lemma 1]; alternatively the lemma is easily proved from first principles. [] For a, fl E V*, we shall use the phrase alignment of a against/3 to refer to a particular occurrence of a as a subword of/3. Note that if two alignments of a against/3 overlap, and one alignment is obtained from the other by translating a through r positions, then r is a period of a. Suppose X, ]I, Z E V, and let a = g * ( X ) , /3 = g * ( Y ) , and 7 = g*(Z). Our strategy is to determine, for all triples X, Y, and Z, the set of alignments of a against/37 that include the first

135

I

~ = g*(X)

I

I fl = g*(Y)

I t

7 - - g*(Z)

First symbol of 7, and ith of Figure 1: A alignment of ~ that spans ~ and 7 symbol of 7 (see Figure 1). Such alignments, which we call spanning, may be specified by giving the index i of the symbol in a that is matched against the first symbol in 7. It happens that the sequence of all indices i that correspond to valid alignments forms an arithmetic progression. This fact opens the way to computing all alignments by dynamic programming: first with the smallest variable X and Y, Z ranging over V, then with the next smallest X and ]I, Z ranging over V, and so on. L e m m a 49 Let a, 6 E V* be words, and I be the set of all indices i such that there exists an alignment of (~ against 6 in which the ith symbol in a is matched to a distinguished symbol in 6. Then the elements of I form an arithmetic progression. P r o o f Assume that there are at least three alignments, otherwise there is nothing to prove. Consider the leftmost, next-to-leftmost, and rightmost possible alignments of c~ against 6. Suppose the next-to-leftmost alignment is obtained from the leftmost by translating c~ though r positions, and the rightmost from the next-to-leftmost by translating a through s positions. Since r and s satisfy the condition of Lemma 48, we know that gcd(r, s) is a period of (~; indeed, since there are by definition no alignments between the leftmost and next-to-leftmost, it must be the case that r -- gcd(r, s), i.e., that s is a multiple of r. Again by Lemma 48, any alignment other than the three so far considered must also have the property that its offset from the next-to-leftmost is a multiple of r. Thus the set of all alignments of c~ against 6 can be obtained by stepping from the leftmost to the rightmost in steps of r. This completes the proof, but it is worth observing for future reference, that in the case that there are at least three alignments of c~ against 6 containing the distinguished symbol, then c~ must be periodic, i.e., expressible in the form = eka, where k >_ 2 and cr is a (possibly empty) strict initial segment of e. D In the course of applying the dynamic programming technique to the problem at hand, it is necessary to consider not only spanning alignments of the form illustrated in Figure 1, but also inclusive alignments: those in which a = g* (X) appears as a subword of a single word fl = g* (Y). Fortunately, alignments of this kind are easy to deduce, once we have computed the spanning alignments.

136 O/

I

I

I ........

~

Figure 2: Trapping an alignment L e m m a 50 Suppose spanning alignments of o~ = g*(X) against 7 -- g*(Z) and 7 ~ = g*(Z ~) have been pre-computed for a particular X and all Z, Z ~ E V. Then it is possible, in polynomial time, to compute, for any Y and any distinguished position p in 13 = g* (Y), all alignments of (~ against ~ that include p. P r o o f Consider the sequence

{ g. (.:0)) },

{

g. }, { g. (y:2)), g.

}, :

of partitions of fl = g*(Y), obtMned by the following procedure. InitiMly, s e t y(0) = y . Then, for i > 1, suppose that g.(yj(i-1)) is the block of the ( i - 1)th partition that contains the distinguished position p, and let Z = y ( i - D be the symbol generating that block. Let the ith partition be obtained from the ( i - 1)th by splitting that block into two--g*(Z') and g*(Z")--where where g(Z) = Z ' Z " . The procedure terminates when g(Z) = Z, a condition which is bound to hold within at most n steps. Observe that, aside from in the trivial case when length(a) -- 1, any alignment of c~ containing position p will be at some stage "trapped," so that the particular occurrence of the subword a in fl is contained in g*(Yj(i))g*(Yj(+)), but not in g. (yj(0) or g* (Yj(+))separately (see Figure 2). For each such situation, we may compute the alignments that contain position p. (By Lemma 49, these form an arithmetic progression.) Each Mignment of that includes p is trapped at least once by the partition refinement procedure. 9The required result is the union of at most n arithmetic progressions, one for each step of the refinement procedure. Lemma 49 guarantees that the union of these arithmetic progressions will itself be an arithmetic progression. Thus the result may easily be computed in time O(n) by keeping track of the leftmost, next-to-leftmost, and rightmost points. [] The necessary machinery is now in place, and it only remains to show how spanning alignments of the form depicted in Figure 1 may be computed by

137

"

I

= g'ix)

I

[ = r

"

I

It- [ p

3'=r

• r

Figure 3: Dynamic programming: inductive step o~!

I

og I!

I

I

I

z t ff

I "T

P

Figure 4: Dynamic programming: the leftmost alignment dynamic programming, with X ranging in sequence from the smallest variable up to -the largest. If g(X) = X, the task is trivial, so suppose g(X) = X ' X ' . The function g induces a natural partition of d = g*(X) into a ' = g*(X') and a " = g*(X"); suppose it is a " that includes p, the first symbol in 3' (see Figure 3.) We need to discover the valid alignments of cd against fl, and conjoin these with the spanning alignments--that we assume have already been computed--of a " against fl and 3'. Consider the leftmost valid alignment of a " and let p' be the position immediately to the left of cr Figure 4). We distinguish two kinds of alignments for

o~ =

o~1or tl.

CASE I. The alignment of a' against ~3' includes position p'. These alignments can be viewed as conjunctions of spanning alignments of a " (which are precomputed) with inclusive alignments of a' (which can be computed on demand using Lemma 50). The valid alignments in this case are thus an intersection of two arithmetic progressions, which is again an arithmetic progression. CASE II. The alignment of c~' against f13' does not includes position p', i.e., ties entirely to the right ofp'. If there are just one or two spanning alignments of a " against ~ and % then we simply check exhaustively, using Lemma 50, which, if any, extend to alignments of c~ against/~3'. Otherwise, we know that a " has the form p%r with k > 2, and ~ a strict initial segment of p; choose p to minimise length(e ). A match of a " will extend to a match of a only if c / = cr'pm, where or' is a strict final segment of e. (Informally, a' is a smooth continuation of the periodic word a " to the left. Thus either every alignment of c~" extends to one of a = a % " , or none does, and it is easy to determine which is the case. As in Case I, the result is an arithmetic progression. The above arguments were all for the situation in which it is the word a "

138

that contains p; the other situation is covered by two symmetric cases--Case I ~ and Case II~--which are as above, but with the roles of a I and a" reversed. To complete the inductive step of the dynamic programming algorithm, it is only necessary to take the union of the arithmetic progressions furnished by Cases I, II, I ~, and II~: this is straightforward, as the result is known to be an arithmetic progression by Lemma 49. At the completion of the dynamic programming procedure, we have gained enough information to check arbitrary alignments, both spanning and inclusive, in polynomial time. From there it is a short step to the promised result. L e m m a 51 There is a polynomial-time (in the lengths of o~and/3, and the size

of the description of g) algorithm for the problem of deciding g*(~) = g*(fl) for arbitrary o~,~ E V*. In the case that g*(o~) r g*(fl), the algorithm returns the leftmost position at which there is a mismatch. P r o o f Let ~ = ]I1112...]I,. Apply the partition refinement procedure used in the proof of Lemma 50 to the word c~ to obtain a word c~I = X1X2 . . . X r with the property that each putative alignment of g*(Xi) against the corresponding g*(Yj) or g*(Yj)g*(Yj+l) is either inclusive or spanning. This step extends the length of a by at most an additive term length(~)n. Now test each Xi either directly, using the precomputed spanning alignments, or indirectly, using Lemma 50. In the case that g*(a) • g*(~), determine the leftmost symbol Xi such that g*(X~) contains a mismatch. If g(Xi) = X~ we are done. Otherwise, let g*(X~) = ZZ', and test whether g*(Z) contains a mismatch: if it does, reeursively determine the leftmost mismatch in g*(Z); otherwise determine the leftmost mismatch in g* (ZI). During the dynamic programming phase, there are O(n 3) subresults to be computed (one for each triple X, Y, Z E V), each requiring time O(n); thus the time-complexity of this phase is O(n4). Refining the input a to obtain cd, and checking alignments of individual symbols of cd takes further time O(n 2 length(~fl)). The overall time complexity of a naive implementation is therefore O(n 4 + n 2 length(c~fl)). []

4.1.2

Simple context-free grammars

Recall that a simple grammar is a context-free grammar in Greibach normal form such that for any pair (X, a) consisting of a variable X and terminal a, there is at most one production of the form X :-* ac~. The decision procedure given by Korenjak and Hopcroft [44] for deciding language equivalence between simple grammars is doubly exponential; this time complexity was recently improved improved by Caucal [11] to be singly exponential. Hence this result represents

139

the first polynomial algorithm for the (language) equivalence problem for simple grammars. T h e o r e m 52 There is a polynomial-time algorithm for deciding equivalence of

simple grammars P r o o f To obtain a polynomial-time decision procedure for deciding language equivalence of simple context-free grammars, we merely recall from Corollary 10 and L e m m a 12 that in the case of normed simple grammars, language equivalence and bisimulation equivalence coincide. We can restrict attention to normed grammars, as any unnormed grammar can be transformed into a languageequivalent normed grammar by removing productions containing unnormed nonterminals. (Note that this transformation does not preserve bisimulation equivalence, which makes it inapplicable for reducing the unnormed case to the n o r m e d case in checking bisimilarity.) Thus language equivalence of simple grammars may be checked in polynomial time b y the procedure presented in the previous two sections. []

4.2

Concurrent

Context-Free

Processes

To demonstrate that we can decide bisimilarity between concurrent context-free processes in polynomial time, we require a vastly different technique than that used for the sequential case; nonetheless the technique still relies completely on the unique factorisation property. To start off, we assume without loss of generality that the variables are given in order of non-decreasing norm, so that norm(X1) < norm(X~) < . . . < norm(Xn). Define the size of monomial a E V* to be the sum of the lengths of the binary encodings of the various exponents appearing in the monomial; the size of a production X a, fl to be the length of the triple (X, a, fl), encoded in binary; and the size of a context-free grammar G to be the sum of the sizes of all the productions contained within it. Our aim is to prove the following. T h e o r e m 53 Suppose the set V* of processes is defined by a normed, context-

free grammar G in Greibach normal form. There is a polynomial-time (in the size of ~, /3, and G) algorithm tO decide (~ ~ /3 for arbitrary (~,/3 E V*. To prepare for the description of the algorithm and the proof of the theorem, we require some definitions and a few preparatory lemmas. To ensure a smooth development, the proofs of the lemmas are deferred to the end of the section. Suppose T~ is any relation on V*. We say that a pair (c~,/3) E V* x V* satisfies (norm-reducing) expansion in TI if * if c~ a ) a~ is a norm-reducing transition t h e n / 3 c~17r

a ~ /3~ for some/3~ with

140

and 9 if ~ ~ ~/3' is a norm-reducing transition then a a ' T~ ~'.

a ~ a ' for some a ' with

Observe that a relation T~ is a bisimulation if every pair (a,/3) E T~ satisfies expansion in ~. Observe also that if ~ is an equivalence relation (respectively, congruence) then the relation "satisfies (norm-reducing) expansion in 7~" is an equivalence relation (respectively, congruence). Define a unique decomposition base, ~P, to be a pair (II, F), where II = II(7:)) = { P 1 , . . . , P r } _C V is a set of primes, and F = F(:D) is a set of pairs (X, p~l ... pr~r), one for each non-prime elementary process X E V - II. The set F may be viewed as specifying, for each non-prime process X, a decomposition of X into primes.* A unique decomposition base defines an equivalence relation --79 on V*: the relation (~ = v / 3 holds between c~,/3 E V* if the prime decompositions of c~ and/3 are equal (as monomials). L e m m a 54 Let :D be a unique decomposition base. Then: (i) the equivalence relation =-79 is a congruence with cancellation, t which 79

coincides with =-, the smallest congruence containing F(T)); (ii) there is a polynomial-time (in the size of o~ and/3) algorithm to decide o~ =_79~ for arbitrary c~,/3 E V* ; (iii) the relation =_79 is a bisimulation provided every pair in F(:D) satisfies expansion within =-79 ; this condition may be checked by a polynomial-time algorithm; (iv) the maximal bisimulation ,~ coincides with the congruence =-79 , where :D represents the unique decomposition in ,,,. The next lemma allows us to shrink a congruence, defined by a unique decomposition base, whenever it is strictly larger than the maximal bisimulation. L e m m a 55 Let 7) be a unique decomposition base such that the congruence =-79 is norm-preserving and strictly contains the maximal bisimulation ,.~. Then it is possible, in polynomial time, to find (a representation of) a relation - on V* such that: (i) the relation c~ - / 3 is decidable in polynomial time (in the sum of the sizes of ~ and/3); *These "primes" axe n o t in general t h e primes with r e s p e c t to t h e m a x i m a l bisimulation, which were tile s u b j e c t of T h e o r e m 19. tThus, in a d d i t i o n to satisfying t h e conditions of a congruence, - - ~ h a s t h e p r o p e r t y t h a t c~ _--v t3 whenever c~"/-l~ ~lY.

141

(ii) the relation - is a congruence; (iii) there is a variable X E V that is decomposable in - v (iv) the inclusions ,,~ C_ - C - - v

but not in - ;

hold.

The final lemma allows us to "smooth out" an unmanageable congruence into a congruence defined by a unique decomposition base. L e m m a 56 Let ~ be a norm-preserving, p o l y n o m i a l - t i m e computable congruence satisfying ~ C_ =_-, where N d e n o t e s ' m a x i m a l bisimulation. T h e n there is a decomposition base 2), computable in polynomial time, such that ,,~ c_ - 9 c_ - .

With the three preceding lemmas in place, the procedure for deciding bisimulation equivalence writes itself; in outline it goes as follows. (1) Let the congruence =- be defined b y c~ -- ~ iff n o r m ( a ) = norm(fl). (2) Compute a decomposition base 7) with ,~ C -=9 _C - , using L e m m a 56. (3) If -----9 is a bisimulation--a condition that can be checked in polynomial time using L e m m a 54--then halt and return the relation - 9 9 (4) Compute a congruence - satisfying ,-~ C_ - C --9 , using L e m m a 55. Go to step 2. The proof of the main result is virtually immediate. P r o o f o f T h e o r e m 53 On each iteration of the loop formed by lines (2)-(4), the number of primes increases by at least one. Thus the number of iterations is bounded by n, and each iteration requires only polynomial time by the three preceding lemmas. [] We complete the section by providing the missing proofs of the various lemmas.

P r o o f o f L e m m a 54 (i) It is easy to check that -z) is a congruence with cancellation containing F(/)); thus - v certainly includes - , the smallest congruence containing F(O). On the other hand, if a - v fl, then fl can be obtained from a via a finite sequence of substitutions chosen from F(O), and the reverse inclusion holds. (ii) The algorithm may be modelled directly on the definition of - v . (iii) Suppose a ~ v fl and let c~ = ~ p ~ l . . . p a r =V fl be the common prime decomposition of c~ and ft. By assumption, the pairs (c~, p~l , . . p ~ ) and (fl, p~l ... prar) both satisfy expansion in - z ~ , and so then does the pair (a, fl), by transitivity of the relation "satisfies expansion in --~ ."

142

(iv) This part follows from Theorem 19. This concludes the proof of the lemma.

[:3

P r o o f o f L e m m a 55 Define the relation = as follows: for all c,,/3 E V*, the relationship a = / 3 holds iff a --~/3 and the pair (a,/3) satisfies expansion in --~9 9 We must demonstrate that - satisfies conditions (i)-(iv) in the statement of the lemma. i The relationship a = fl is clearly decidable in polynomial time: an algorithm follows directly from the definition of - . ii The relation = is the intersection of two congruences, and hence itself a congruence. iii If the 'congruence - v is not a bisimulation then, by Lemma 54, there is a first (non-prime) variable X such that the pair (Z, P ~ . . . P T " ) E F(:D) does not satisfy expansion in -=v 9 We show that X is indecomposable with respect to the relation =. Suppose to the contrary that X is decomposable, that is to say, X = a E V*, where a contains only variables smaller than X. By definition of =, the pair (X, a) satisfies expansion in = v , and X =z~ a = ~ P ~ ... P ~ ' . By minimality of X, for every non-prime variable Y occurring in a, the pair (Y,P~'...P~') e F(:D) satisfies expansion in ----v. Thus the pair (a, P ~ ... PrX~), and by transitivity the pair (X, p~x . . . p [ , ) , satisfies expansion in = v , contradicting the choice of X. iv It is clear that the relation = is contained in = v 9 On the other hand, if a ,-, fl then the pair (a,/3) satisfies expansion in --, and hence in -=v ; it follows that a =/3. This concludes the proof of the lemma.

[]

P r o o f o f L e m m a 56 As before, assume that variables are in order of nondecreasing norm. Given a congruence = __D -~ on V* we define, by induction, a unique decomposition base :P~ for { X 1 , . . . , X~}*, with primes 1I(2)) = { P 1 , . . . , P~}, such that: * the inclusion = v i C_ = holds on the set { X 1 , . . . , Xi}*; * i f X j =z,i p~l . . . p : ~ is the decomposition of Xj, for some j < i, then the pair (Xj, P ~ ' . . . P [ , ) satisfies norm-reducing expansion in =z,, ;

143

9 if Xj ,,, Q ~ ' . . . Q~' is the prime decomposition of Xj with respect to ,~, for some j < i, then Xj --~i Q~I ... Q~,~;~ 9

if P ~ : . . . p i t = p ~ l . . , pflr and the pair ( p [ 1 . . . p f r , p ~ x . . , pfl,) satisfies norm-reducing expansion in =z~,, then ( x : , . . . , xr) = (Yl,.-., Yr).

Assume that there exists a unique decomposition base :Di for { X : , . . . , Xi}* that satisfies these properties. We wish to demonstrate that :Di may be extended to a unique decomposition base Di+l for { X 1 , . . . , Xi+:}* Mso satisfying conditions (a)-(d) above; this involves finding, in polynomial time, a consistent decomposition for the variable Xi+l. The extension of the unique decomposition base is achieved as follows. By condition (d) we know that there is at most one product P ~ ' . . . P~" of primes of/9i such that Xi+: ==-P[~... P[" and such that the pair (Xi+:, P~' ... P[~) satisfies norm-reducing expansions in - - ~ . If there is such a product, it is declared as the decomposition of Xi+:; otherwise Xi+: is declared to be prime. It is clear that conditions (a) and (b) continue to hold. To show (c), assume that Xi+: "~ Q ~ . . , Q ~ is the prime decomposition of Xi+: with respect to the maximal bisimulation ,,,. Note that if Xi+: is prime with respect to ,,, then there is nothing to prove, so we may assume the decomposition is non-trivial. Let Q1 =9~ c~1, . . . , Qt =9~ c~t be the prime decompositions of Q:, 99 ., Q,t with respect to --9,. Then Xi+: -- c ~ : . .. at~t, where, it. will be observed, the right-hand side is a product of primes with respect to - 9 ~ . The pairs (Qj, aj) satisfy norm-reducing expansion in --9,, by condition (b), and the pair Xi+: " Q~'... Q~' satisfies norm-reducing expansions in -z~,, b y virtue of Xi+: and Q ~ ... Q ~ being bisimilar; it follows by transitivity that the pair (Xi+l, c~' .. 9a~") also satisfies norm:reducing expansion in --9,- Thus, by the uniqueness condition (d), Xi+: ----9,+1 c~' . . . a ~ ' must be the chosen prime decomposition of Xi+l with respect to --z~,+a. To show (d), assume to the contrary that II(:Di+:) = { P : , . . . , Pr} is the set of primes with respect to =9,+,, and that the pair (c~, fl), where a = p~l ... par and fl = P ( ~ . . . P ~ ' , is a counterexample to condition (d): that is, c~ - /?, ( a : , . . . , a~) 5~ ( b : , . . . , br), and the pair (a, fl) satisfies norm-reducing expansions in --9~+1. We demonstrate that this assumption leads to a contradiction. Let j be the largest index such that aj ~ bj, and assume, without loss of generality, that aj > bj. We distinguish three cases: CASE I. If ak > 0 for some k < j, then let a perform some norm-reducing transition via process Pk. Process/3 cannot match this transition, since it cannot increase the exponent bj without decreasing some exponent t o t h e right of bj. ~Again, note t h a t Q 1 , . . . , Qt, although primes with respect to ,,~, are not in general primes with respect to ---~i"

144

CASE II. Ifak > Ofor some k > j, then let c~ perform a norm-reducing transition via process Pk that maximises the increase in the exponent aj. Again the process fl is unable to match this transition. CASE ]II. The monomial ~ = pjaj is a power of a prime with respect to - ~ + 1 . Note that bk = 0 for all k > j by choice of j, and aj > 2, otherwise, Pj would not be prime with respect t o / ) i + 1 . If bj > 0, let/3 perform a normreducing transition via Pj; this transition cannot be matched by c~, since it would require the exponent aj to decrease by at least two. Finally, if bj = 0, then let (r perform a norm-reducing transition via Pj; this transition cannot be matched by/3, since/3 is unable to increase the exponent bj. This completes the inductive step. It only remains to show that the extension of ~Di to :D~+I may be computed in polynomial time. We need to investigate the possibility that Xi+l may be expressed as Xi+l =- P ~ ...Pr~ where the pair (Xi+I,P~ ~ . . . P f ' ) satisfies norm-reducing expansion in =-v~. Recall that effecting the transition X a )/3 may be viewed as multiplication b y / 3 / X ; thus the transition a a )/3 may occur precisely if of~ = c~/3/X is a monomial (i.e., the exponent of X is non-negative), in which case a~ is the resulting process. Now choose any norm-reducing transition Xi+l a ) ~ E { X 1 , . . . , Xi}*, and let c~ - V , P~a 999p a r be the prime decomposition of c~. If this transition is to be matched by/3 = p~l ... prz~ then (r//3 must be one of a finite set of possibilities, one for each production in G. Thus there are only as many possibilities for the process/3 as there are productions in G; for each possibility it is easy to check whether (i) Xi+l - P;" . . . P f ' , and (ii) the pair ( X i + I , P ~ I . . . P f ' ) satisfies norm-preserving expansion in - v ~ . Thus the extension of :Di to :Di+l may indeed be computed in polynomial time. [2

References [1]

P. Aczel. Non-well-founded Sets. CSLI Lecture Notes 14, Stanford University, 1988.

[2]

J.C.M. Baeten, J.A. Bergstra and J.W. Klop. Decidability of bisimulation equivalence for processes generating context-free languages. Journal of the A C M 40, pp653-682, 1993.

[3] Y.

Bar-Hillel, M. Perles and E. Shamir. On formal properties of simple phrase structure grammars. Zeitschrifl fiir Phonetik, Sprachwissenschafl, und Kommunikationsforschung 14, pp143-177, 1961.

145

[4]

J.A. Bergstra and J.W. Klop. Algebra of Communicating Processes with

Abstraction. Theoretical Computer Science 37, pp77-121, 1985.

[5]

G. Boudol. Notes on algebraic calculi of processes. In K. Apt (ed), Logics and Models of Concurrent Systems, NATO ASI Series f13, 1985.

[6]

J.C. Bradfield. Verifying Temporal Properties of Systems. Birkh/iuser, 1991.

[7]

E. Brinksma. Information Processing Systems - Open Systems Interconnection - LOTOS - A formal description technique based upon the temporal ordering of observable behaviouL Draft International Standard ISO8807, 1988.

[8] S.D. Brookes, C.A.R. Hoare and A.W. Roscoe. A theory of Communicating Sequential Processes. Journal of the ACM 31, pp560-599, 1984. [9] O. Burkart and B. Steffen. Model checking for context-free processes. In Proceedings of CONCUR 92, W.R. Cleaveland (ed), Lecture Notes in Computer Science 630, pp123-137. Springer-Verlag, 1992. [10] D. Caucal. Graphes canoniques des graphes alg~briques. Informatique Thdorique el Applications (RAIRO) 24(4), pp339-352, 1990. [11] D. Caucal. A fast algorithm to decide on the equivalence of stateless DPDA. Informatique Thdorique et Applications (RAIRO) 27(1), pp23-48, 1993. [12] S. Christensen. Decidability and Decomposition in Process Algebras. Ph.D. Thesis ECS-LFCS-93-278, Department of Computer Science, University of Edinburgh, 1993. [13] S. Christensen. Distributed bisimilarity is decidable for a class of infinitestate processes. In Proceedings of CONCUR 92, W.R. Cleaveland (ed), Lecture Notes in Computer Science 630, pp148-161. Springer-Verlag, 1992. [14] S. Christensen, Y. Itirshfeld and F. Moller. Decomposability, decidability and axiomatisability for bisimulation equivalence on basic parallel processes. In Proceedings of LICS93. IEEE Computer Society Press, 1993. [15] S. Christensen, Y. Hirshfeld and F. Moller. Bisimulation equivalence is decidable for basic parallel processes. In proceedings of CONCUR93, E. Best (ed), Lecture Notes in Computer Science 715, pp143-157, Springer-Verlag, 1993. [16] S. Christensen, Y. Hirshfeld and F. Moller. Decidable subsets of CCS. The Computer Journal 37(4), pp233-242, 1994.

146

[17] S. Christensen and H. Hiittel. Decidability issues for infinite-state processes - a survey. Bulletin of the EATCS 51, pp156-166, October 1993. [18] S. Christensen, H. Hiittel and C. Stifling. Bisimulation equivalence is decidable for all context-free processes. In Proceedings of CONCUR 92, W.R. Cleaveland (ed), Lecture Notes in Computer Science 630, pp138-147. Springer-Verlag, 1992. [19] J. Esparza and M. Nielsen. Decidability issues for Petri nets - a survey. Bulletin of the EATCS 52, pp245-262, February 1994. [20] E.P. Friedman. The inclusion problem for simple languages. Theoretical Computer Science 1, pp297-316, 1976. [21] R.J. van Glabbeek. The linear time-branching time spectrum. In Proceedings of CONCUR 90, J. Baeten, J.W. Klop (eds), Lecture Notes in Computer Science 458, pp278-297. Springer-Verlag, 1990. [22] J.F. Groote. A short proof of the decidability of bisimulation for normed BPA processes. Information Processing Letters 42, pp167-171, 1991. [23] J.F. Groote and H. Hiittel. Undecidable equivalences for basic process algebra. Information and Computation, 1994. [24] J.F. Groote and F. Moller. Verification of parallel systems via decomposition. In Proceedings of CONCUR 92, W.R. Cleaveland (ed), Lecture Notes in Computer Science 630, pp62-76. Springer-Verlag, 1992. [25] Y. Hirshfeld. Petri Nets and the Equivalence Problem. In Proceedings of CSL'93, K. Meinke (ed), Lecture Notes in Computer Science SpringerVerlag, 1994. [26] Y. Hirshfeld. Deciding equivalences in simple process algebras. In Proceedings of a 3-day Workshop on Bisimulation, Amsterdam, April, 1994. [27] Y. I'Iirshfeld, M. Jerrum and F. Moller, A polynomial algorithm for deciding bisimilarity of normed context-free processes. Submitted to Theoretical Computer Science, 1994. [28] Y. Hirshfeld, M. Jerrum and F. Moiler, A polynomial algorithm for deciding bisimulation equivalence of normed basic parallel processes. Submitted to Mathematical Structures in Computer Science, 1994. [29] Y. Hirshfeld and F. Moller. A fast algorithm for deciding bisimilarity of normed context-free processes. In Proceedings of CONCUR'94, J. Parrow (ed), Lecture Notes in Computer Science. Springer-Verlag, 1994.

147

[30] M. Hennessy. Algebraic Theory of Processes. MIT Press, 1989. [31] C.A.R. Hoare. Communicating Sequential Processes. Communications of the ACM 21, pp666-677, 1978. [32] C.A.R. Hoare. Communicating Sequential Processes. Prentice-Hall, 1988. [33] J.E. Hopcroft and J.D. Ullman. Introduction to Automata Theory, Languages, and Computation. Addison Wesley, 1979. [34] It. Hfittel. Decidability, Behavioural Equivalences and Infinite Transition Graphs. Ph.D. Thesis ECS-LFCS-91-191, Department of Computer Science, University of Edinburgh, 1991. [35] H. Hfittel. Undecidable equivalences for basic parallel processes. In Proceedings of FSTTCS'93, 1993. [36] H. Hfittel and C. Stirling. Actions speak louder than words: proving bisimilarity for context-free processes. In Proceedings of LICS'91, IEEE Computer Society Press, pp376-386, 1991. [37] D.T. Huynh and L. Tian. On deciding readiness and failure equivalences for processes. Technical report UTDCS-31-90, Department of Computer Science, University of Texas at Dallas, September 1990. [38] D.T. Huynh and L. Tian. Deciding bisimilarity of normed context-free processes is in ~P. Theoretical Computer Science 123, pp183-197, 1994. [39] D.T. Huynh and L. Tian. On deciding some equivalences for concurrent processes. Informatique Th orique et Applications (RAIRO) 28(1), pp5171, 1994. [40] P. JanSar. Decidability questions for bisimilarity of Petri nets and some related problems. In Proceedings of STACS'94, P. Enjalbert, E.W. Mayr and K.W. Wagner (eds), Lecture Notes in Computer Science 775, pp581592, Springer-Verlag, 1994. [41] P.C. Kanellakis and S.A. Smolka. CCS expressions, finite-state processes and three problems of equivalence. Information and Computation (86), pp43-68, 1990. [42] S.C. Kleene. Representation of events in nerve nets and finite automata. In Automata Studies, pp3-42, Princeton University Press, Princeton, 1956 [43] D.E. Knuth, J.H. Morris, and V.R. Pratt, Fast pattern matching in strings, SIAM Journal on Computing 6, pp323-350, 1977.

148

[44] A. Korenjak and J. Hopcroft. Simple deterministic languages. In Proceedings of 7th IEEE Switching and Automata Theory conference, pp36-46, 1966. [45] W.S. McCullock and W. Pitts A logical calculus of the ideas immanent in nervous activity. Bull Math Biophysics 5, pp115-133, 1943. [46] R. Milner. Processes: a mathematical model of computing agents. In Proceedings of Logic Colloquium'73, Rose and Shepherdson (eds), pp157-174, North Holland, 1973. [47] R. Milner. A Calculus of Communicating Systems. Lecture Notes in Computer Science 92, Springer-Verlag, 1980. [48] R. Milner. Communication and Concurrency. Prentice-Hall, 1989. [49] R. Milner and F. Moller.. Unique decomposition of processes. Theoretical Computer Science 107, pp357-363, 1993. [50] E.F. Moore. Gedanken experiments on sequential machines. In Automata Studies, pp129-153, Princeton University Press, Princeton, 1956 [51] D. Muller and P. Schupp. The theory of ends, pushdown automata and second order logic. Theoretical Computer Science 37, pp51-75, 1985. [52] R. Paige and R.E. Tarjan. Three partition refinement algorithms. SIAM Journal on Computing 16, pp937-989, 1987. [53] D.M.R. Park. Concurrency and Automata on Infinite Sequences. Lecture Notes in Computer Science 104, pp168-183, Springer Verlag, 1981. [54] W. Reisig. Petri Nets: An Introduction. E A T C S Monographs on Theoretical Computer Science, Springer-Verlag, 1985. [55] L.J. Stockmeyer. The polynomial time hierarchy. Theoretical Computer Science 3, ppl-22, 1977.

Modal and Temporal Logics for Processes Colin Stifling Dept. of Computer Science University of Edinburgh Edinburgh EH9 3JZ, UK email: cps~dcs.ed.a~.uk Preface We examine modal and temporal logics for processes. In section 1 we introduce concurrent processes as terms of an algebraic language comprising a few basic operators, as developed by Milner, Hoare and others. Their behaviours are described using transitions. Families of transitions can be arranged as labelled graphs, concrete summaries of process behaviour. Various combinations of processes are reviewed. In section 2 modal logic is introduced for describing the capabilities of processes. An important discussion is when two processes may be deemed, for all practical purposes, to have the same behaviour. We discuss bisimulation equivalence as the discriminating power of modal logic is tied to it. This equivalence is initially presented in terms of games. More generally practitioners have found it useful to be able to express temporal properties (such as liveness and safety) of concurrent systems. A logic expressing temporal notions provides a framework for the precise formalization of such specifications. Formulas of the modal logic are not rich enough to express such temporal properties. So extra operators, extremal fixed points, are added in section 3. The result is a very expressive temporal logic. The modal and temporal logics provide a repository of useful properties. However it is also very important to be able to verify that an agent has or lacks a particular property. This is the topic of section 4. First we show that property checking can be understood in terms of game playing. We then present sound and complete tableau proof systems for proving temporal properties of processes. The proof method is illustrated on several examples. Finally, concluding comments are contained in section 5. A c k n o w l e d g e m e n t s : Earlier versions of this paper have been presented at the 4th European Summer School in Logic, Language and Information, University of Essex, 1992; at the Tempus Summer School for Algebraic and Categorical Methods in Computer Science, Masaryk University, Brno, 1993; and the Summer School in Logic Methods in Concurrency, Aarhus University, 1993. I would like to thank the organisers and the participants of these summer schools, and of the Banff higher order workshop. I would also like to thank Julian Bradfield for use of his Tex tree constructor for building derivation trees and Carton Kirkwood, Faron Moller, Perdita Stevens and David Walker for comments on earlier drafts.

150

1

Processes

Process theory introduces processes as terms of an algebraic language comprising a few basic operators. Transitions of the form E a ) F , that process E may become F by performing the action a, feature prominently, underpinning the behavioural meaning of a process. Structured rules guide their derivation in the sense that the transitions of a compound process are determined by those of its components. Families of transitions can be arranged as labelled graphs, concrete summaries of the behaviour of processes. Here we review various combinations of processes and their resulting behaviour as determined by the transition rules. 1.1

First examples

A simple example of a process (courtesy of Hoare [40]) is a clock that perpetually ticks, Cl d_cft i c k . C / . We adopt the usual convention that names of actions such as t i c k are in lower case whereas names of processes have an initial capital letter. The defining expression for Cl invokes a prefix operator . which forms the process a.E from the action a and the process E. The facility for defining processes d___~f,relating a process name with a process expression, is recursive as both occurrences of Cl name the same process. The behaviour of Cl is very elementary: it can only perform the action t i c k and in so doing becomes Cl again. This is deducible from the rules for transitions. First is the axiom for the prefix operator when a is an action and E a process:

Its meaning is that process a.E may perform (respond to, participate in, or accept) the action a and evolve into the process E. An instance is the transition r tick) Cl. Next is the transition rule for d___ef,which is presented as a goal directed inference rule: R.~.(~__) P

a, F def E "~) F P = E

Provided that E may become F by performing a and that the side condition P ~ f E is fulfilled, it follows that P a ) F . Using these two rules we can show Cl tick Cl:

Cl ~ic~) Cl CI d__eftick. Cl tick. Cl tick) Cl This proof of Cl tick) C! Is presented with the desired conclusion as antecedent which follows from the axiom instance beneath it via an application of R(def) The behaviour of Cl can be visually summarized as in figure 1. The ingredients of this graph (called a labelled transition system) are process terms and

151

tick

Fig. 1. The transition graph for Cl

directed labelled arcs between them. Each vertex is a process term, and one of them is Cl which can be thought of as the root. All the possible transitions from each vertex, those that are provable from the rules for transitions, are represented. A second example, a very simple vending machine, is defined in figure 21 Here + (which has wider scope than .) is the choice operator from Milner's

Ven de=f2p. Venb + 1p. Vent clef Venb = blg.collectb. Ven def Vent = l i t t l e . c o l l e c t , . V e n .

Fig. 2. A vending machine

CCS, Calculus of Communicating Systems, [52]. Initially Ven may accept a 2p or lp coin; then a button, b i g or l i t t l e , may be depressed depending on which coin was deposited; finally, after an item is collected the process reverts to its initial state Ven. Transition rules for +, justifying this description of Ven, are: R(+)

EI+E~ a F E1 a ~ F

El+E2 a~F E2 a ' F

t

The proof of the transition Ven 2p Venb is1:

Ven 2p~ Venb 2p. Venb -.1-lp. Vent 2p~ Venb 2p. Venb 2p ~ Venb The final transition is an axiom instance; an application of the first R(+) rule to it yields the intermediate transition; and the goal therefore follows using the rule R(d--ef): The transition graph for Ven is presented in figure 3. 1 In proofs of transitions we usually omit explicit mention of side conditions in the application of a rule such as R(~f).

152

~coll:ct~.Ven

collect/.Yen

Fig. 3. The transition graph for Ve.

A transition E a ~ F can be viewed as an assertion which is derivable from the rules for transitions. To find out what transitions are possible from E it suffices to examine its main combinator and the possible transitions of its components. There is an analogy with rules for expression evaluation: for instance, to evaluate (3 • 2) + 4 it suffices to evaluate the components 3 • 2 and 4, and then sum their values. Such families of rules give rise to a structured operational semantics in the style of [59]. However, whereas the essence of an expression is to be evaluated, the essence of a process is to act. Families of processes can be defined using indexing. A simple case is the set of counters {Cti : i 6 N} of figure4. The counter Ct3 can increase to

Cto

clef

Cto Cti+l = up. Cti+2 + down. Cti =

up.

Ctl +

round.

deI

Fig. 4. A family of counters

Ct4 by performing up, or decrease to Ct2 by performing down. Each m e m b e r Cti determines the same transition graph which contains an infinite number of different vertices: such graphs are infinite state in contrast to the finite state graphs of figures 1 and 3. The operator + is frequently extended to indexed families ~ { E i where I is a set of indices. R(~)

: i 6 I}

~'~{Ei : i e I} a F Ej a , F j6I

A special case is when the indexing set I is empty. By the rule R ( ~ ) this process has no transitions as the subgoal can never be fulflled. In CCS this nil process is abbreviated to 0 (and to S T O P in Hoare's CSP, Communicating Sequential Processes, [40]). Thus t i c k . 0 can only do a single tick before terminating. Actions can be viewed as ports or channels, means by which processes can interact. It is then also i m p o r t a n t to consider the passage of d a t a between processes along these channels or through these ports. In CCS input of data at a

153

port named a is represented by the prefix a(x).E where a(x) binds free occurrences of x in E. (In CSP a(x) is written a?x.) Now a no longer names a single action but instead represents the set {a(v) : v E D} where D is the appropriate family of d a t a values. The transition axiom for this prefix input f o r m is:

a(x).E

R(in)

a(l)! E{v/x}

rED

where E{v/x} is the process t e r m which is the result of replacing all free occurrences of x in E with v ~. Output at a port n a m e d a is represented in CCS by the prefix "5(e).E where e is a data expression. The overbar - symbolizes output at the n a m e d port. (In CSP ~(e) is written a!e.) The transition rule for output depends on extra machinery for expression evaluation. Assume t h a t Val(e) is the d a t a value in D (if there is one) to which e evaluates: I R(out)

"5(e).E

E

Val(e) = v

The a s y m m e t r y between input and output is illustrated in the following process t h a t copies a value from i n and then sends it through out:

Cop %f in(x).o--~(x). Cop For any v 6 D the transition

Cop i=(,,)"5"~(v).Cop is derived as follows:

Cop Cop i.(o?

R(in),

Cop

(6-~(=).Cop){v/=} is 6-~(v).Cop. This latter process has only one possible transition, o--~(v). Cop ~-~(~) Cop, an instance of R(out) as we assume t h a t Val(v) is v. Whenever Cop inputs a value at i n it immediately disgorges it through out. The size of the transition graph for Cop

The subgoal is an instance of

as

depends on the size of the data domain D and is finite when D is a finite set. Input actions and indexing can b e mingled, as in the following description of a family of registers where both i and x have type N:

Regi clef~ ( i ) . R e g i + write(x).Reg x Reg i can output the value i at the port r e a d , or instead it car~ be u p d a t e d by being written to at w r i t e . We shall implicitly assume different expression types, such as boolean expressions. For instance when i is an integer, Val(even(i)) = true if i is even and is false otherwise. This allows us to use conditionals in the definition of a process, as exemplified by S which sieves numbers: 2 a(x).E can be viewed as an abbreviation for ~{a,,.E{v/x} : V e D}, writing a~ instead of a(v).

154

S d+f i n ( z ) . i f even(x) t h e n o--ffte(z).S else -5-ff-to(Z).S Below are the transition rules for this conditional.

R(ifl)

i f b t h e n E1 else E2 ~ E1 ~ ~ E I

E'

I Val(b) = true

I

R(if2) if b t h e n E1 else E2 ~ ~ E' Val(b) = false E2

a ~E'

E x a m p l e 1 Consider the following family of processes for i > 1:

T(i) dee i f even(i) t h e n "J-~(i).T(i/2) else "J'~(i).T((3i + 1)/2) T(5) performs the transition sequence T(5) ;~(]) T(8) o-~(s) T(4) o-~(4) T(2), and then cycles through the transitions T(2) ~-~(~) T(1) "-~(~) T(2).

1.2

[]

C o n c u r r e n t interaction

A compelling feature of process theory is its modelling of concurrent interaction. A prevalent approach is to appeal to handshake communication as primitive. At any one time only two processes may communicate at a port or along a channel. In CCS the resultant communication is a completed internal action. Each incomplete, or observable, action a has a partner ~, its co-action. Moreover the action ~ is a which means that a is also the co-action of ~. The partner of a parametrized action in(v) is i-~(v). Simultaneously performing an action and its co-action produces the internal action r which is a complete action and so does not have a partner. Concurrent composition of E and F is expressed as the process E [ F. The crucial transition rule for [ which conveys communication is:

R(lcom)

E l F ", E a E'

E'[F' ~ F'

Consider a potential user of the copier Cop of the previous section who first writes a file before sending it through the port in: Sser d=e f . r i t e ( z ) . User=

User= def=

Wet

As soon as User has written the file v it becomes the process User, which can communicate with Cop. Rule R(] corn) licenses the following proofS: a We assume that [ has greater scope than the other process operators: the process "5"5-i(v).Cop ] User is therefore the parallel composition of o---~(v).Cop and User.

155

Cop I User~ ", ~-~(,).Cop l User Cop i,(o) ~-a~(v). Cop

User~ ~(~ User

in(z).~-~(~). Cop i,(~? ~-a~(v). Cop ~(~). User ~(~), User Through this communication the value v is sent from the user to the copier. Data is thereby passed from one process to another. When the actions a and do not involve values, the resulting communication is a synchronization. Various users can share the copying resource, Cop I ( Uservl I Userv2) admits two users, but only one at a time is allowed to employ it. So other transition rules for I are needed, permitting components to proceed without communicating. These rules are: R(I) E I F - 2 - ~ E ' I F

E a EI

ElF F

"'ELF' "~F t

In the first of these rules the process F does not contribute to the action a which E performs. An example derivation is:

Cop I ( Uservl I Userv~) ~, -5-ff'f(vl).Cop I ( User I Userv2) Cop i=(vl) o--~(vl). Cop in(~).o---~(~). Cop

in(v 1) ~ .

) out(vl).Cop

Uservl I Userv2 ~(vl) User I Userv2 Yser, l V,(~l)) User

:(v:). User :('~) User The goal transition reflects a communication between Cop and User, l, and so User~2 does not contribute to it. The process Cop I (Useful I UServ2) is not forced to engage in communication, it may instead perform an input in(v) action or an output action i-~(vl) or i-~(v2). The behaviour of the users sharing the copier is not affected by order of parallel subcomponents or by placement of brackets. (Cop I User, l) I Userv2 and Uservl I (Cop I Userv2) have the same capabilities as Cop I (Uservl I Userv2). These three process expressions have isomorphic transition graphs, and therefore in the sequel we omit brackets between multiple concurrent processes 4. The parallel operator is expressively powerful. It can be used to describe infinite state systems without invoking infinite indices or value spaces. A simple example is the counter Cut given by Cnt d__efup.(Cnt I down.0). It can perform up and become Cnt I down.0 which in turn can also perform up and thereby becomes Cnt I down.0 I down.0, and so on. Figure 5 offers an alternative pictorial representation of the copier Cop and its user process User. Such diagrams are called ]:low graphs by Milner [52] (and should be distinguished from transition graphs). A flow graph summarizes the

156

Cop wri~~User

wri~e~

~~n

~ln~ Cop

out

User ~ ~ . ~ n ~ Cop

Fig. 5. The flow graphs of

~ out:

User,Cop,CopI Userand CopI User[ User

potential movement of information flowing into and out of ports, and also exhibits the ports through which a process is in principle willing to communicate. In the case of User the incoming arrow to the port labelled w r i t e represents input whereas the outgoing arrow from i--~ symbolizes output. The flow graph for Cop I Userhas the crucial feature that there is a potential linkage between the output port in of Userand its input in Cop permitting information to circulate from Userto Cop when communication takes place. However this port is still available for other users: both users in Cop I User I User are able to communicate, at different times, with Cop. Consider now the situation where a user has private access to a copier. This is modelled using an abstraction or encapsulation operator which conceals ports or channels. In CCS there is a restrictionoperator \ J where J ranges over families of incomplete actions (thereby excluding r). Let K be the set {in(v) : v 6 D} where D is the space of values that could be accessed through in. In the process (Cop I User)\K the port in is inaccessible from the outside. Its flow graph is pictured in figure 6 where the linkage without names at the ports represents that they are concealed from other users. This flow graph can therefore be simplified as in the second diagram of figure 6. The visual effect of \ J on flow graphs is underpinned by its transition rule, where the set 7 i s {~ : a 6 J}. 4 Section 2.4 provides further justification for this.

157

wri:e~ User~

~~ Cop ~-out

out

Fig. 6. Flow graphs of

(Cop I User)\K

R(\)

E\J a , F\J E a~F a~JOJ

I

!

The behaviour of E \ J is part of that of E. The presence of \ K prevents Cop in (Cop I User)\K from ever doing an i n transition except in the context of a communication with User. This therefore enforces communication between these two components. The only available transition after an initial write transition,

(Cop] User)\K . r i t . ( ~ ) ( C o p [ User~)kK, is the communication whose proof is:

(Cop] User~)\K T (-6-~(v).Cop [ User)\K Cop l User~ *, o--~(v).Cop I User

Cop i.(o? -o-~(v). cop

User~ r.(~! User

in(~).o-~(~). Cop ~;(~!-~-~(v). Cop r~(v). User ~(~? User The second user in (Cop I User)\K I User has no access to the copier. As the operator \ J is intended to conceal ports, we shall usually abbreviate any set of actions of the form {a(v) : v E D} within a restriction to {a}: for instance the restriction \ K above is more succinctly expressed as \ { i n } . Process descriptions can become quite large, especially when they consist of multiple components in parallel. So we shall employ abbreviations of process expressions using the relation - where P = F means that P abbreviates F . E x a m p l e 1 The mesh of abstraction and concurrency is further revealed in the following finite state example (without data) of a level crossing of figure 7 from [17] consisting of three components. The actions c a r and t r a i n represent the approach of a car and a train, up is the gates opening for the car, c c r o s s is the car crossing, down closes the gates, g r e e n is the receipt of a green signal by the train, t c r o s s is the train crossing, and r e d automatically sets the light red. Unlike most crossings it keeps the barriers down except when a car actually

158

Road Rail Signal

def

= car.up.cc--ff-fh~.do~-a.Road ~ train.green.tcross.rod.Rail d_efg~-d-ff.red. Signal Jr fi-ff.down.Signal

Crossing .~ (Road[ Rail I Signal) \ {greon, red, up, do~n} Fig. 7. A level crossing

approaches and tries to cross. The flow graphs of the components and the overall system are depicted in figure 8, as is its transition graph. [] An i m p o r t a n t arena for the use of process descriptions is modelling protocols [58]. An example is Protocol of figure 9 taken from [69] which models a simple communications protocol that allows a message to be lost during transmission. Its flow graph is the same as that of Cop earlier, and the size of its transition graph depends on the space of messages. The sender transmits any message it receives at the port i n to the medium. In turn the m e d i u m m a y transmit the message to the receiver, or instead the message m a y be lost, an action modelled as the silent r action, in which case the m e d i u m sends a timeout signal to the sender and the message is retransmitted. On receiving a message the receiver outputs it at the port o u t and then sends an acknowledgement directly to the sender (which we assume cannot be lost). Having received the acknowledgement, the sender m a y again receive a message at port in. Although the flow graphs for Protocol and for Cop are the same, their levels of detail are very different. It turns out that these two processes are equivalent in the sense defined in section 2.6. As process descriptions they are very different. Cop is close to a specification, as its desired behaviour is given merely in terms of what it does, or how it m a y react. In contrast Protocol is closer to an implementation as it is defined in terms of how it is built from simpler components. E x a m p l e 2 The slot machine in figure 10 is an infinite state system (from [17]). Its flow graph is also depicted there. A coin is input (the action s l o t ) and then after some silent activity either a loss is output or a winning sum of money. It consists of three components; IO which handles the taking and paying out of money, Bn a bank holding n pounds, and D the wheel-spinning decision component. O 1.3

Observable transitions

A natural extension of the transition relations a ~ is to finite length sequences of actions or traces a l . . . an. Assume that w ranges over such sequences (with r as the e m p t y trace). The notation E ~o ~ F represents t h a t E m a y perform the trace w and become F . The next transition rule captures this generalization:

159

$ car

I green

green o

I ccross

~ red

I

~ red

car

train ~

w

~tcross

Crossing wiF

.

_

_

ccross

\

Es. train IE6

K

ETkk

carl'9

/

= {green, red, up, down}

Eo =- Crossing Ea = ( u p . ~ . d o , n . R o a d

I Rail I Signal)\K

E~ - ( noaa Igreen.%-6F6~.~-d~Raill Signal) \ K

E3 --( u p . ~ . d o w a . R o a d I green.tcr~ E,

- ( cc--6T6~.do,n.Road

l Rail

l Signal)\K

ldown.Signal)\K

E5 - ( Ro~d l tc--F6~.~-~.Rail lre&Sivnal) \ K

E6 = ( ~ . d o w a . R o a d l green.tcross.red.Rail I down.Signal) \ K E7 = (up.~.do,n.Roadltc-UF6~.~.Rail l red.Sianal) \ K E, E9 Eao Ell

=_ ( d-~,~.no~a l Rail l do,n.Sianal) \ K - ( noad l Wd.R.il l red.Sian~t) \ K = (T6~.Road l gree~ t c r o a s . ~ . R a i l l dowa.Sianal) \ K = (up.~.do.n.Road l ~-ff~.Rail Ired.Sianal)\K

Fig. 8. Flow graphs of the crossing and its components, and its transition graph

160

Sender Sendl (,) Medium Medl (y) Receiver

d~=fin(x).~(x).Sendl(x) %f ms:~(,).Sendl (,) + ok.Sender d_,_fsm(y).Medl(y) de-4~i-f(y).Medium + r.~'g.Medium ~' mr(z).'6~(z).-~.Receiver

Protocol = (Sender I Medium I Receiver) \ { sm, ms, mr, ok} Fig. 9. A simple protocol IO

Bn m

d,__~slot.bank.(lost.loss.IO + release(y).~Tn(y).lO) dealb ~ k . ~ ( , + X).l*ft(y).8, dej max(z).(lost.left(z).D + ~ { ~ ( y ) . Y ~ ( z - y).D : 1 <_ y < z})

S M , =_ (IOIBn ]D)\{bank, max, l e f t , release} loss

win

Fig. 10. A slot machine

E alP) r R(tr)

E

~, E E

~>E'

E'

~~

For instance, the crossing of figure 7 performs the cycle Crossing ~ Crossing, when w is t r a i n r ~ c r o s s r. There is an important difference between the completed internal r action and incomplete actions. An incomplete action is observable in the sense that it can be interacted with in a parallel context. Assume that E may at some time perform the action ok, and that F is a resource. Within the process ( E ] ~-k.F)\{ok} accessibility to this resource is triggered only when E performs ok. Here observation of ok is the same as the release of the resource. The silent action r can not be observed in this fashion. Consequently an important abstraction of the behaviour of processes is away clef

from silent activity. Consider a slightly different copier C =

in(x).o---ut(x).o--k.C,

161

and a user U, defined as write(z).i-n(z).ok.U, who writes a file before sending it through i n and then waits for an acknowledgement. The behaviour of (C[ U)\{• ok} is very similar to that of Ucop dr grite(z).o---~(z). Ucop. The only difference in their capabilities is internal activity. Both are initially only able to perform a write action. But afterwards Ucop outputs immediately whereas the other process must first perform a communication before outputing and then r again before a second write can happen. When abstracting from silent actions this difference disappears: outwardly both processes repeatedly write and output. Therefore we now define another family of transition relations between processes which epitomizes observable behaviour. Given a trace w the subsequence of w restricted to the set of actions J, denoted by w r J, is the remainder of w when actions outside of J are erased. For instance ( t r a i n T t e r o s s r ) [ { ~ } = t e r o s s , and r r [ { ~ } = r Associated with any trace w is its observable trace, the suhsequence w I (9 when (9 is a universal set of observable actions (containing at least all the actions mentioned in this work apart from v). For example the observable trace derived from t r a i n r l ; c r o s s v is t r a i n t c r o s s . Observable traces are either empty or built from observable actions. Consequently we can introduce the notion that E may perform the observable trace w and evolve into F: we use the standard notation E ~ F to represent this. A transition rule for such traces utilizes R(tr) and [: [ R(Tr)

E ~ r E '~F

u=w

[(9

Observable traces can also be built from their observable components. The extended observable transition Crossing ~r~i~ros~ Crossing is the result of gluing together the two transitions Crossing t~= E and E t ~ Crossing when the intermediate state is either E2 or Es of figure 8. Following [52] we therefore define a new family of transition relations which underpin observable traces. A label in this family is either the empty sequence ~ or an observable action a: [ R(:::~)

E=:~E

E :=~ E'

E

E=------~F ~,E I Et~F

E'

a ~ F'

F' =:~ F

The observable behaviour of a process can also be visually encapsulated as a graph. As in section 1.1 the ingredients of this graph are process terms related by directed labelled arcs. Each arc is either ~ or :=~ where a is observable. Consequently there are two behaviour graphs associated with any process. Although both graphs contain the same vertices, they differ in their labelled arcs. Observable graphs are more complex than their counterparts built from the single

162

arrow transitions. However the abundance of arcs may result in redundant vertices, for when minimized with respect to notions of observable equivalence, the graphs may be dramatically simplified as their vertices are fused. In this way the observable transitions of a process offer an abstraction from its behaviour. 1.4

Renaming and linking

The processes Cop and User are essentially one place buffers, taking in a value and later expelling it. Assume that B is a canonical buffer, B gel i(z).~(x).B. Cop is the process B when port i is i n and o is out and User is B when i is w r i t e and o is in. Relabelling of ports or actions can be made explicit, as in CCS with a renaming combinator. The crux of renaming is a function mapping actions into actions. To ensure pleasant algebraic properties (see section 2.7) a renaming function f is subject to a few restrictions. First it should respect complements: for any observable a the actions f(a) and f(~) are co-actions. Second f should also preserve values passing between ports, f(a(v)) is an action b(v) with the same value, and for any other value w the action f(a(w)) is b(w). Finally it should conserve the silent action, f ( r ) = r. Associated with any function f obeying these conditions is the renaming operator Ill which when applied to a process E is written as E[f], and is the process E whose actions are relabelled according to f . Following [52] a renaming function f is usually abbreviated to its essential part: when the ai are distinct observable actions bl/al,..., bn/a, represents the function f which renames ai to bi, and leaves any other action c unchanged. For instance Cop abbreviates the process B [ i n / i , out/o], as we maintain the convention that i n stands for the family {in(v) : v 6 D} and i for {i(v) : v 6 D}, and so i n / i symbolizes the function which maps i(v) to in(v) for each v. The transition rule for renaming is: R([f])

E[f] a F[f] a = f(b) E b~F

which is used in the derivations of the following pair of transitions. B[in/i,

out/o] i,(v) (5(v).B)[in/i, out/o] ~(~) B[in/i, out/o]

An important feature of processes is that they can be built from simpler components. Consider for instance how to construct an n-place buffer, when n > 1, following [52], by linking together n instances of B in parallel. The flow graph of n copies of B is pictured in figure 11. For this to become an nplace buffer we need to link and then internalize the contiguous ~ and i ports. Renaming permits linking as the following variants of B show: B1 -- B[ol/o]

Bi+I =_B[oi/i , oi+1/o ] 1 _< j < n - 1

Bn = B [ o . _ l / i ]

163 D

:C o _Qo -

$

-

~ Fig. 11. Flow graph of n instaaices of B, and B1 I .-- I B,,

The flow graph of B1 I ... I Bn is also depicted in figure 11, and contains the intended links. The n-place buffer is the result of internalizing these links,

(B1 I... I B,)\{ox,...,o,-1}. A more involved example from [52] is the construction of a scheduler from small cycling components. Assume n tasks when n > 1, and that action ai initiates the ith task whereas bi signals its completion. The scheduler timetables the order of task initiation, ensuring that the sequence of actions al ... an is performed cyclically starting with al. The tasks may terminate in any order, but a task can not be restarted until its previous performance has finished. So the scheduler must guarantee that the actions ai and bi happen alternately for each i. Let Cy I be a cycler of length four, Cy I def a.e.b.d.Cyt, whose flow graph is illustrated in figure 12. In this case the flow graph is very close to the transition graph, and so we have circled the a label to indicate that it is initially active. A first attempt at building'the required scheduler is as a ring of Cy ~ eyclers.

C'

- CV[,

l/a, el~c, h/b,e,,/aq

Cy i =- (d.Cy')[ai/a, ci/c, bi/b,-6i_l/d] 1 < i < n When n is four the flow graph of the process Cy~ I Cy~ I Cy~3 I Cy~4 with initial states marked is depicted in figure 12. Next the ci actions are internalized. Let Sched~ abbreviate the process (Cy~ I Cy~ I Cy~ I Cy~)\{cl,..., c4}. The flow graph shows how the tasks must be initiated cyclically (when the ci actions are internalized): for example a3 can only happen once al and then a2 have both happened. Moreover no task can be reinitiated until its previous performance has terminated: action a3 cannot recur until b3 has happened. However Sched~ does not permit all possible acceptable behaviour. A simple case is that action b4 depends on bl, so task four can not terminate before the initial task. The solution in [52] to this problem is to redefine the cycler as follows,

Cy de=fa.c.(b.d.Cy + d.b.Cy), and to use the same renaming functions. Let Cy i for 1 < i < n be the process (d.Cy)[ai/a, ci/c, bi/b,'~i,1/aq, and let Cy t be Cy[al/a, o/e, bt/b,'~n/d]. The required scheduler, Sched,, is the following process, (Cy 1 I ' " I CYn)\{el,...,Cn}.

164

_

%

b~

a

Fig. 12. Flow graph of

1.5

_

C

Cy' and Cy~ I Cy~ ] Cy~ ] Cy~

More combinations of processes

In previous sections we have emphasized the process combinators of CCS. There is a variety of process calculi dedicated to precise modelling of systems. Besides CCS and CSP there is ACP due to Bergstra and Klop [11, 6], Hennessy's EPL [36], MEIJE defined by Austry, Boudol and de Simone [4, 61], Milner's SCCS [51], and Winskel's general process algebra [72]. Although the behavioural meaning of all the operators of these calculi can be presented using inference rules, their conception reflects different concerns, see [7]. ACP is primarily algebraic, highlighting equations 5. CSP was devised with a distinguished model in mind, the failures model 6, and MEIJE was introduced as a very expressive calculus, initiating general results about families of rules that can be used to define process operators [35]. The general process algebra in [72] has roots in category theory. Moreover users of the process notation can introduce their own operators according to the application at hand. 9 Numerous parallel operators are proposed within the calculi mentioned above. Their transition rules are of two kinds. First, where x is parallel, is a synchronization rule: 5 See section 2.7. 6 See section 2.2 for the notion of failure.

165

E E

x

F

a , E'

ab

E' F ~

x

F' F'

Here ab is the concurrent product of the component actions a and b, and . . . m a y be filled in with a side condition: in the case of I of section 1.2 the actions a and b must be co-actions, and their concurrent product is the silent action. Other rules permit components to act alone. ExF

a)E~xF E -~ E I

ExF F

a)ExFI a ) FI

In the case of [ there are no side conditions when applying these rules. This general format covers a variety of parallel operators. At one extreme is the case when x is a synchronous parallel (as in SCCS), when only the synchronization rule applies thereby forcing maximal concurrent interaction. At the other extreme is a pure interleaving operator when the synchronization rule never applies. In between, are the parallel operators of ACP, CCS, CSP and MEIJE. A different conception of synchronization underlies the parallel operator of CSP (when data is not passed). Synchronization is sharing the same action. Actions now do not have partner co-actions as multiple parallel processes m a y synchronize. Each process instance in CSP has an associated alphabet consisting of those actions in which it is willing to engage. Two processes must synchronize on common actions, belonging to both component alphabets. An alternative presentation which does not require alphabets is to introduce a family of binary parallel operators IlK indexed by a set K of actions which have to be shared. Rules for IlK are: EIIK F a E, IIKF ~ aEK E '~ ) E I F - ~ FI EIIK F E

a E, IIKF a~K '~)E I

EIIK F F

~ EIIK F, a~K a)FI

The operator IlK enforces synchronization. In CCS enforced synchronization is achieved using I and the restriction operator \ K . Restriction also provides a mechanism for abstracting from observable actions by making them silent. Similarly there is a useful abstraction, or hiding, operator in CSP which we represent as \ \ K . Its rules are E\\K ~ F\\K a~K E-2-~ F

E\\K E

r F\\g aEK a)F

There is a variety of extensions to these basic calculi for modelling real time phenomena such as timeouts expressed using either action duration or delay intervals between actions [55, 54], priorities among actions or among processes

166

[24, 21], and the description of stochastic behaviour using probabilistic instead of non-deterministic choice [46]. These extensions are useful for modelling hybrid systems which involve a mixture of discrete and continuous, and can be found in chemical plants, and manufacturing. Processes can also be used to capture foundational models of computation such as Turing machines, counter machines, or parallel random-access machines. This remains true for the following restricted process language where P ranges over process names, a over actions, and I over finite sets of indices: E ::= P I y ~ { a i . E i : i e I} I E1 I E2 I

E\{a}

A process is given as a finite family of definitions {Pi de=~Ei : 1 < i < n} where all the process names in each Ei belong to the set { P 1 , . . . , Pn}. Although process expressions such as the counter Cto (figure 4) the register Reg o (section 1.1) and the slot machine SMo (figure 10) are excluded because their definitions appeal to value passing or infinite sets of indices, their observable behaviour can be described within this restricted process language. Consider, for example, the following finite reformulation [68] of the counter Cto, the process Count:

Count d=e f round.Count + up.(Countl I a.Count)\ {a} Count1 d=e f down.n.0 + up.( Count2 I b.CounQ )\{b} Count2 de_fdown.b.0 + up.( Countl l a.Count2)\{a} A two counter machine can simulate a Turing machine, and can be expressed as a process of the form (Init I Fin I Count I Count')\K, where Init captures initialisation, Fin is the finite state control, and the other components are the two counters. The general significance of this is unclear. First there is not a natural formulation of functions within these process calculi, and in particular there is not a simple account of lambda calculus. Second it is not known what the right criteria are for assessing the expressive power of calculi which model concurrency. Should there be a "canonical" process calculus? Is there a concurrent version of the Church-Turing thesis for sequential programs? Some exciting work has been progressing in this area. Two examples are interaction categories [1], and the ~r-calculus [53]. 2

Modalities

and

Capabilities

Various examples of processes have been presented, from a simple clock to a sophisticated scheduler. In each case a process is a term drawn from a process language built from a small number of operators. Behaviour is determined by the transition rules for these process combinators. These rules may involve side conditions relying on extra information, as is the case when data is involved. The ingredients of a process description are combinators, predicates, and rules which allow us to deduce transitional behaviour.

167

In this section we consider various abstractions from the behaviour of processes. Already we have contrasted finite state from infinite state processes: the size being determined by the behaviour graph generated from a process. We have also distinguished observable transitions, marked by the thicker transition arrows ~ , from their thinner counterparts. An important discussion surrounds the question of when two processes may be deemed, for all practical purposes, to have the same behaviour. Such an abstraction can be presented by defining an appropriate equivalence relation between processes. A more abstract approach is to examine behavioural properties, and to consider equivalence in terms of having the same pertinent properties. Consequently we first define simple logics which can capture process capabilities. 2.1

H e n n e s s y - M i l n e r logic

We now introduce a modal logic for describing local capabilities of processes. Formulas are built from boolean connectives and modal operators [K] ("box K") and (g) ("diamond g " ) where K is a set of actions:

] 9

::=

tt

I

I 'Pi Ar

Ir

vr

I [K]~ I (K)'P I

This modal logic slightly generalizes Hennessy-Milner logic [38, 39], as sets of actions instead of single actions appear in the modalities. For any modal formula 9 we define when a process E has, or satisfies, the property r written E ~ ~. If E fails to have the property 9 we write E ~: r The satisfaction relation ~ between processes and formulas is defined inductively on the structure of formulas: E~tt E~=ff E~A~ E ~r E

iff E ~ 4~ and E ~ g' life ~ or E ~ t/' iffVFE{E' : E :~>E'andaEK}.F~ iffSFE{E' : E a)E, andaEK}.F~

The meanings of modalized formulas appeal to the transition behaviour of a process. To reduce the number of brackets in modalities we write [ a l , . . . , a~] and ( a l , . . . , a~) instead of [ { a l , . . . , a,}l and ({a~,..., a=}). The simple modal formula ( t i c k ) t t expresses a capability for performing the action t i c k , E ~ ( t i c k ) t t iff 3 F E {E' : E ,ir E'}. The clock Cl from section 1.1 has this property. In contrast, [ t i c k ] f f expresses an inability to perform t i c k , E ~ [ t i c k ] f f iff {E' : E ~ir E'} 0. So Ven has this property but Cl fails to have it. Such basic properties can be embedded within modal operators and between boolean connectives. For instance E can perform the trace a l . . . a, just in case it has the corresponding property ( a l ) . . . (an)tt.

168

The formula [ t i c k ] ( ( t i e k ) t t A [ t o c k ] f f ) 7 expresses the property that after any t i c k action it is possible to perform t i c k again but not possible to perform rock. [ K ] f f expresses an inability to initially perform an action in K. In the case of the vending machine Ven a button can not be depressed (before money is deposited), so Ven ~ [big, l i t t l e ] f f . Other interesting properties of Ven are:

- Ven ~ [ 2 p ] ( [ l i t t l e ] f f A ( b i g ) t t ) : after 2p is deposited the little button cannot be depressed whereas the big one can. - Ven ~ [1p, 2p][1p, 2 p i l l : after a coin is entrusted no other coin (2p or lp) may be deposited. - Ven ~ [lp, 2p][big, l i t t l e ] ( c o l l e c t b , c o l l e c t / ) t t : after a coin is deposited and a button is depressed, an item can be collected. Verifying that Ven has these properties is undemanding. Their proofs merely appeal to the inductive definition of the satisfaction relation between processes and formulas. For instance Ven ~ [1p, 2p][1p, 2p]ff iff Venb ~ [1p, 2p]ff and Venz ~ [lp, 2 p i l l , and clearly both of these hold. Similarly establishing that Ven lacks a property, such as (lp)(lp, b i g ) t t , is equally routine. Notice that it is not necessary to construct the transition graph of a process when showing that it has, or fails to have, a property. Actions in the modalities may contain values. For instance the register Reg 5 from section 1.1 has the property (r---e~(5))tt h [{r-'-e-~(k) : k # 5}]ff. Assume that ,4 is a universal set of actions including r: so ,4 = O U {r} where O is described in section 1.3. We let - K abbreviate the set .4 - K, and within modaiities we write - h i , . . . , a , for - { a l , . . . , an}. Moreover we assume that - abbreviates the set - $ (which is just .A). Consequently a process E has the property [ - ] ~ w h e n each F in the set {E' : E a E ' a n d a E , 4 } has the feature 4~. The modal formula [ - ] f f expresses deadlock or termination. Within this modal logic we can also express immediate necessity or inevitability. The property that only a can be performed, that it must be the next action, is given by the formula ( - ) t t A [ - a ] f f . The conjunct ( - ) t t affirms that some act i o n is possible while [ - a ] f f states that every action except a is impossible. After 2p is deposited Ven must perform big, and so Ven ~ [ 2 p ] ( ( - ) t t h [ - b i g ] f f ) .

2.2

M o r e m o d a l logics

Process activity is delineated by the two kinds of transition relation distinguished by the thickness of their arrows ~ and ~ . The latter captures the performance of observable transitions as ~ permits silent activity before and after a happens: the relation =:~ was defined (see section 1.3) in terms of a ~ and the relation ==~ indicating zero or more silent actions. 7 We assume that A and V have wider scope than the modalities [K], (K/, and that brackets are introduced to resolve any further ambiguities as to the structure of a formula: consequently, A is the main connective of the subformula (t ick)ttA[tock]ff.

169

The modal logic of the previous section does not express observable capabilities of processes as silent actions are not accorded a special status. To overcome this it suffices to introduce two new modalities [ ] and (()):

]

i f f V F E {E' : E ~ E ' } . F ~ 4 ~ E ~ (( ))q~iff 3F e {E' : E ~ E'}. F ~ ~ E~[I~

These operators are not definable within the modal logic of the previous section. Using them, supplementary mo~lalities [K] and ((K)) are definable when K is a subset of observable actions O.

[K] 9 de~ [ ] [K] [ ] ~)

((K>>Ode__f (( >>(K}(()>~

The derived meaningsof these modalitiesappeal to the observable transition relations ~ in the same way that their counterparts [K] and (K} appeal to a,. We write [ a l , . . . , a , ] and ((al,...,an)) instead of [{al, .... ,an}] and (<{el,...,an})). The simple modal formula ((tick))tt expresses the observable capability for performing the action t i c k while )tick] f f expresses an inability to tick after any amount of internal activity. Both clocks CI' clef = t i c k . C / ' + r.0 and CIdef= tick. C1 have the property ((tick))tt but Cl' may at any time silently stop ticking, and therefore it also has the property ((tick)) [ t i c k ) f f . E x a m p l e 1 Crossing satisfies [car) [ t r a i n ) ( ( ( ~ ) ) t t V ((~))tt), it fails to satisfy )car] [ t r a i n ) ( ( ( ~ ) ) t t A ((cc-W2-a~))tt).

but []

Modal formulas can also be used to express notions that are basic to the theory of CSP [40]. A process may Perform the observable trace a l . . . an provided that it has the property ((al))... ((an))tt. The formula [ K ) f f expresses that the observable set of actions K is a refusal. The pair ( a l . . . an, K) is an observable failure for a process if it has the property ((al }}... (Can}}([r]ffA [K) f f ) : a process satisfies this formula if it can perform the observable trace al ... an and become stable (unable to perform r) and also be unable to perform any observable action in K. Recall that O is a universal set of observable actions (which does not contain r). Let l - K ) abbreviate )O - K) and similarly for (i-K}}. Moreover let [ - ) and ({-}} be abbreviations for [O] and ((O}}. This means that the modal formula [ - ) f f expresses an inability to perform an observable action: so the process Div has this property when Div de--4fr.Div. The modal logic of the previous section permits the expression of immediate necessity or inevitability. The property that a process must perform a next is given by the formula ( - } t t A [ - a ] f f . However the similarly structured formula ((-}}tt A I - a ) f f does not preclude the possibility that the observable action a becomes excluded through silent activity. For instance both clocks CI and Cl' earlier have the feature ((-}}tt A ) - - t i c k ) f f : CI' has this property because it is able to perform an observable transition (so satisfies ((-}}tt) and is unable to perform any observable action other than t i c k (and so satisfies ) - t i c k ] f f ) . But

170

Cl' may silently break down and therefore be unable to tick. This shortcoming can be surmounted with the strengthened formula [ ] ( ( - / ) t t A [ - t i c k ] f f . Now Cl' ~ [ ] ( ( - ) ) t t because of the silent transition Cl' ~ O. But there is still a question mark over this formula as an expression of necessity. Let Cll be a further clock, Cll cleft i c k . Cll + "r.Cll, which satisfies [ - t i c k ] f f as its only observable transition is that of t i c k . However it also has the property [ ] ( ( - ) ) t t as the set {F : Cll =~ F} contains the sole element Cll which obeys ((-))tt. But interpreting this as the inevitability that t i c k must be performed fails to take into account the possibility that Cll perpetually engages in internal activity and therefore never ticks. A process diverges if it is able to perform internal actions for ever: we write E T i f E diverges following [36], and E ~ if E converges (fails to diverge). So Cll T whereas Cl~ 1. Convergence and divergence are not definable in the modal logics introduced so far. Consequently we introduce another modality [~], similar to [ ], except it contains information about convergence: I Z~[J.]~

iff E l

andVre{E':E~E'}.r~

I

From this we can define the modality [~ K] as [~] [g] [ ]:

E~[,LK]r

iff E ~ a n d V F E { E '

: E=~E'andaeK}.r~r

Other mixtures are also definable: [K 1] as [ ] [K] [J,]; and [$ K ~] as [~] [K] [~]. Thus the stronger necessity ~ ] ((-))1;1; A [ - t i c k ] f f excludes divergence. Features of processes concerning divergence, appealed to in definitions of behavioural refinement [36], can also be expressed as modal formulas in this extended modal logic. For instance the strong property that there can not be divergence throughout the observable trace a l . . . an is given as [~ al ~ ] . . . [1 an 1] t t . 2.3

Process equivalences

Process expressions are intended to be used for describing actual systems. Our discussion has omitted criteria for when two expressions describe the same system. Alternatively we can consider grounds for differentiating process descriptions. Undoubtedly the clock Cl and the vending machine Ven of section 1.1 are different. They are intended as models of distinct kinds of objects. Moreover at every level they differ, their algebraic expressions, their action names, their flow graphs, and their transition graphs. A concrete manifestation of these differences is their initial capabilities. The clock Cl can perform the observable action t i c k whereas Ven can not: CI has the properties ( t i c k ) t t and ( ( t i c k ) ) t t which Ven fails to have. Syntactic differences alone should not be sufficient grounds for distinguishing processes. It is important to allow the possibility that two process descriptions may be equivalent even though they differ markedly in their level of detail. An example is the two descriptions of a counter Cto of figure 4 and Count of section 1.5. An account of process equivalence has practical significance when we

171

view process expressions both as specifications and as descriptions of a possible implementation. Cto is a specification (even the requirement specification) of a counter whereas the finite description Count with its very different structure can be seen as a description of a possible implementation. Similarly the buffer Cop can be seen as a specification of the process Protocol of section 1.2. In this context, a theory of process equivalence could tell us when an implementation meets its specification s . Not only do Cto and Count have the same initial capabilities, but also this feature is preserved as observable actions are performed. There is a similarity between their observable transition graphs, a resemblance which is not immediately easy to define. A simpler case is the following two clocks, Cl d__~ft i c k . Cl and Cl2 d=eft i c k . t i c k . Cl2. Although they have different transition graphs, whatever transitions one of these clocks makes can be matched by the other and the resulting processes also have this property. An alternative basis for suggesting that these two clocks are equivalent starts with the observation that CI and t i c k . CI should count as equivalent expressions since the second is the definition of Cl. A useful principle is that if two expressions are equivalent then replacing one with the other in some other expression should preserve equivalence. For instance, replacing Cl with t i c k . Cl in an expression E should result in an expression which is equivalent to E. In particular, if E is t i c k . CI then t i c k . CI and t i c k . t i c k . Cl are equivalent. As particular names of processes are unimportant this should imply that Cl and Cl2 are also equivalent. The extensionality principle here is that an equivalence should be a congruence, preserved by the various process combinators. For example if the decision component D of the slot machine SMn breaks down then replacing it with an equivalent component should not affect the overall behaviour of the system (up to equivalence). In principle, an equivalence which is also a congruence offers the potential for structured reasoning about combinations of processes, and also the possibility that equivalence proofs may be founded on equational reasoning. Clearly if processes have different initial capabilities then they should not be deemed equivalent. Distinguishability can be extended to many other features, such as initial necessities, traces, and deadlock potentials. We can therefore imagine choosing some simple properties as the basic distinguishable features, and then stipulating that two processes are equivalent if whenever they are placed in a process context the resultant.processes have the same basic properties, and thereby by definition the resulting equivalence is a congruence. This approach is sensitive to three important considerations. First is the choice of what counts as a basic distinguishable property and whether it is to do with observable behaviour as determined by the = ~ and =:~ transitions or the single arrow transitions. Second is the family of process operators that are p e r m i t t e d in process expressions. Finally there is the question as to whether the resulting congruence can be characterized independently of its definition, as preservation of basic properties by all process contexts. a Similar comments could be made about refinement where we would expect an ordering on processes.

172

Interesting work has been done on this topic, mostly however with respect a to the behaviour of processes as determined by the single thin transitions ---*. Candidates for basic distinguishable features include traces and completed traces (given respectively by formulas of the form ( e l ) . . . ( a n ) t t and (a 1 ) . . . ( a , ) [ - ] f f ) . Elegant results are contained within [13, 35, 34] which isolate congruences for traces and completed traces. These cover very general families of process operators whose behavioural meaning is governed by the permissible format of their transition rules. The resulting congruences are independently definable as equivalences 9. Results for observable behaviour include those for the failures model [40] which takes the notion of observable failure as basic. Related results are contained in the testing framework of [36] where processes are tested as to what they may and must do. E x a m p l e 1 Consider the following three vending machines:

Venl

def

-- Ip.lp.(tea.

Venl + coffee. Venl)

def

Ven 2 -----Ip.(Ip.tea. Ven2 + Ip.coffee. Ven2) def Yen3 -- l p . l p . t e a . Ven3 + l p . l p . c o f f e e . Ven3 def

which have the same (observable) traces. Assume a user, Use = l p . l p . t e a . o k . 0 , who only wishes to drink a single tea by offering coins and having done so expresses visible satisfaction as the action ~ . For each of the three vending machines we can build the process ( Veni J Use)\K where K is {1p, t e a , coffee}. When i = 1 there is just one completed trace v v re--k:

(re.11 Vse)\K "'"

(re.1 I 0 ) \ g

and so the user must express satisfaction after some silent activity. In the other two cases there is another completed trace, 7"v:

( Veni I Use)\g ~ ~, (coffee. V~,~ [ t - ~ . ~ . o ) v c The resulting process here is deadlocked. So Venl should not be equivalent to either Ven~ or Ven3. With respect to the failures model of CSP [40] and the testing framework of [36] Ven2 and Ven3 are equivalent. Finer equivalences distmguish them on the basis that once a coin has been inserted in Ven3 any possible successful collection of tea must already be decided. Imagine that after a single coin has been inserted the resulting state is copied for a number of users: in the case of Ven3 all these users must express satisfaction or all of them must deadlock. Let Rep be a process operator that replicates successor processes.

nep( E) " >E' I E' E a~E' 9 They include failures equivalence (expressed in terms of formulas of the form (aa)... (an)[K]ff), two-thirds bisimulation, two-nested simulation equivalence, and bisimulation equivalence.

173

The two processes (Rep( Veni [ Use))\K, i = 2 and i = 3, have different completed traces. When i = 2 it has the completed trace r r r r ~-k

(Rep( Ven2 [ Use)) \ K r r r r ok ( Ven2 I 0 I r which 2.4

Ven2 I ~-dK.-dk.O)\ K

(Rep( Vena [ Use)) \ K fails to have.

[]

I n t e r a c t i v e g a m e s a n d bisimulations

Equivalences for GCS processes begin with the simple idea t h a t an observer can repeatedly interact with a process by choosing an available transition f r o m it. Equivalence of processes is then defined in terms of the ability for these observers to m a t c h their selections so that they can proceed with further corresponding choices. The crucial difference with the approach of the previous section is t h a t an observer can choose a particular transition. Such choices can not be directly simulated in terms of process activity 1~ These equivalences are defined in terms of bisimulation relations which capture precisely what it is for observers to m a t c h their selections. However we proceed with an alternative exposition using games which offer a powerful image for interaction. A pair of processes (E0, F0) is an interactive game to be played by two participants, players I and I I who are the observers who make choices of transitions. A play of the game (E0, F0) is a finite or infinite length sequence of the form (E0, F 0 ) . . . (Ei, Fi) .... Player I a t t e m p t s to show that a conspicuous difference between the initial processes is detectable whereas player II wishes to establish t h a t they can not be distinguished. Suppose an initial part of a play is (E0, F 0 ) . . . ( E j , Fj). The next pair ( E j + I , F j + I ) is determined by one of the following two moves: - ( ): Player I chooses a transition Ej a E j + I from Ej and then chooses a transition with the same label from the other process Fj [ ]: Player I chooses a transition Fj a F j + I from Fj and then chooses a transition with the same label from the other process Ej

player II a ) Fj+I. player II a ~Ej+I.

Player II knows which transition player I chose, and more generally b o t h players know all the previous moves. The play then m a y continue with further moves. The next move in a game play is therefore very straightforward. The important issue is when a player is said to win a play of a game. A game is played until one of the players wins, where the winning circumstances are described in figure 13. If a player is unable to make a move then the other player wins t h a t play of the game. Player II loses when condition 1' holds, when no corresponding transition is available in response to a move from player I, which happens in the 10 For instance if E ~ E1 and E ~-~ E2 then the observer is able to choose either of these, but there is not a "testing" process ~.F which can guarantee this choice in the context (g.F] E)\{a}: the two results (F [ El)\{a} and (F E2)\{a} are equally likely after the synchronization on a.

174

Player II wins

Player I w i n s

1. The play is (E0, F0)... (E~, F~) 1'. The play is (E0, F0)... (En, Fn) and for some a either and there are no available En _2.. E' and not(3F'. Fn _.2_+F') or transitions from E~ or from Fn. F,~ --~ F' and not(3E'. E , --2-* E'). 2. The play is (E0, F0)... (En, Fn) and for some i < n Ei = En and Fi = F~. 3. The play has infinite length. Fig. 13. Winning conditions configuration (En, Fn) when one of these processes is able to perform an initial action which the other can not, and so a manifest difference is detectable. Player I loses in the configuration (En, Fn) when b o t h these processes have terminated or are deadlocked as described in 1. Player II also wins in the other two circumstances, first when there is a repeat configuration, when (En, Fn) has already occurred earlier in the play, as in 2, and second when the play has infinite length. In both these cases player I has been unable to expose a difference between the initial processes. Condition 2 is not necessary, as it is subsumed by 3: however we include it because then an infinite length play is only possible when at least one of the initial processes is infinite state. E x a m p l e 1 Each play of the game (Cl, Cl2), when Cl d__~ft i c k . C / a n d Cl2 de=f t i ok. t i ok. Cl2, has the form ( Cl, Cl2) ( Cl, t i ok. Cl2) ( Cl, Cl2) which ensures th at player I loses because of the repeat configuration. It does not m a t t e r whether player I chooses the { ) or the [ ] move, as player II is guaranteed to win. In the case of the game (Cl, Cls) when Cl5 d_~ft i c k . C / 5 + t i c k . 0 there are plays that player I wins and plays that player II wins. If player I initially moves Cl~ tick 0 then after her opponent makes the move Cl tick Cl, the resulting configuration (Cl, O) obeys condition 1' of figure 13, and so player I wins. Instead if player I chooses the other [ ] move Cl~ ~ Cl5 then player II wins immediately with the transition Cl tick Cl. However player I has the power to win any play of (Cl, Cls) by initially choosing the transition Cl5 tick O. Similarly player II is able to win any play of (Cls, Cls) just by copying any move that player I makes in the other process. [] A strategy for a player is a set of rules which tells her how to move depending on what has happened previously in the play. A player uses the strategy ~r in a play if all her moves in the play obey the rules in ~r. The strategy ~ is a winning strategy if the player wins every play in which she uses It. In example 1 above,

175

player I's winning strategy for the game (Cl,

Cls) consists

of the single rule: if the

current game configuration is (Cl, Cls) choose the transition Cl5 tir 0. In the example game (Cls, Cls), player II's winning strategy contains the two rules: if the current game configuration is (Cls, Cls) and player I has chosen Cl5 tick Cl5 then choose Cls tick Cls, and if it is (Cls, Cls) and player I has chosen Cl5 tick 0 then choose Cl5 tick) 0. It turns out that for any pair of processes one of the players has a winning strategy, and that this strategy is history free in the sense that the rules do not need to appeal to moves that occurred before the current game configuration. E x a m p l e 2 The different choice points in the vending machines Ven2 and Ven 3 of the previous section ensure that player I has a winning strategy for the game

( Ven2, Vena).

[]

E x a m p l e 3 Player II has a winning strategy for the game (B, B') where these def

processes are, B = • I o u t . B and B ' def = i n . B ~+ o u t : B ~. In this case any play has to be of infinite length, and player II's strategy resides with the fact that she is always able to respond to any move by player I. [] E x a m p l e 4 Player II has a winning strategy for ((C I U ) \ { i n , ok}, these processes are: c

U

Uco/)

when

def

= ~(~).o-~(=).~.c

def

= ,rite(z).i-n(z).ok.U Ucop' d,j ,rite(x).r.o--~(x).r.Ucop'

A play has to proceed as follows, modulo the choice of data value:

((c I v)\{in, ok}, Uco/) ((C I ~(v).ok.V)\{in, ok}, r.~--~(v).r. Wool) ((~--~(~).~.C I ok.U)\{in, ok}, o-~(~).r. Ueop') ((~.C I ok.U)\{~n, ok}, ~. Uco/) ((c I v)\{~,, ok}, ~co/). An important feature is that each play has a finite bounded length even though the processes are infinite state. [] When player II has a winning strategy for the game (E, F ) we say that process E is game equivalent to process F. In this circumstance player II is able to win any play irrespective of the moves her opponent makes, and so player I is unable to distinguish between E and F . Player II can always match player I's moves when two processes E and F are game equivalent: by the ( ) move if E a ) E ~ then there is a corresponding transition F --5+ F ' and E ~ and F ' are also game equivalent, and by the [ ] move if F a ) F , then there is also a corresponding transition E a ) E , with E ~ and F ~ game equivalent. This is precisely the criterion for being a bisimulation

176

relation. Bisimulations were introduced 11 by Park [57] as a small refinement of the equivalence defined by Hennessy and Milner in [38, 39, 50]. D e f i n i t i o n 1 A binary relation Tr between processes is a bisimulation just in case whenever (E, F) E Tr and a E .A, 1. i f E a , E ~ t h e n F 2. if F ~ F ~ then E

a , F ~ f o r s o m e F ~ such that (E ~,F I) ET~, and a, E' for some E ~ such that (E ~, F') E 7~.

A binary relation between processes counts as a bisimulation provided that it obeys the two hereditary conditions in this definition. Simple examples of bisimulations are the identity relation and the empty relation. Two processes E and F are bisimulation equivalent (or bisimilar), written E --. F, if there is a bisimulation relation 7~ with (E, F ) E TO. P r o p o s i t i o n 1 The relation ,~ between processes is an equivalence relation. E x a m p l e 5 A classical example of two processes that are not bisimilar is a.(b.O + c.O) and a.b.O + a.c.O. There cannot be a bisimulation relating this pair because it would have to include either (b.0 + c.0, b.0) or (b.0 + c.0, c.0). [] P r o p o s i t i o n 2 I f {TQ : i E I} is a family of bisimulation relations then U{7~i : i E I} is a bisimulation relation.

A corollary of this last Proposition is that the binary relation ~ is the largest bisimulation, as ,~ is U{7~ : 7~ is a bisimulation}. Not surprisingly bisimulation and game equivalence coincide. P r o p o s i t i o n 3 E is game equivalent to F iff E ,,~ F. Parallel Composition is both commutative and associative w i t h respect to bisimulation equivalence (as is +): this permits us to drop bracketing in the case of a process description with multiple parallel components (see the discussion in section 1.2). To show that two processes are bisimilar it is sufficient to exhibit a bisimulation relation which contains them. This offers a very straightforward proof technique for bisimilarity. E x a m p l e 6 The two processes Cat and Ct~o are bisimilar where

Cnt Ct'o tt

%f up.(Cnt Idown.0) der = up. bt 1 def

,~,!

C i+1 = u p . ~ i + 2 + down.C/~

A bisimulation containing the pair ( c n t , Ct~) has to be infinite because these processes are infinite state. Let Ci be the following families of processes for i _> 0 (when brackets are dropped between parallel components): 11 They also occur in a slightly different form in the theory of modal logic as zig-zag relations, see [12].

177

Co = { Cnt [ Oj : j _ > 0 } Ci+l = {E l 0 j I down.0 I ok : E E Ci and j > 0 and k > 0} where F [ 0 ~ = F and F ] 0 i+1 = F [ 0 i [ 0. The relation 7~ = {(E, Ct~) : i >_ 0 and E E C~} is a bisimulation which contains (Cnt, C{o). [] Bisimulation equivalence is also a congruence with respect to all the process combinators introduced in previous sections (including the operator Rep). P r o p o s i t i o n 4 If E ,,* F then for any process G, set of actions K, action a,

and renaming function f, 1. a . E ~ a . F 2. E + G , , ~ F + G

3. E I G ~ F I G

4. E[f] -,, F[f]

7. EIIKG

"-

5. E \ K ~ F \ K 6. E \ \ K ~ F \ \ K FIIKG 8. r e p ( E ) ~ rep(F).

Bisimulation equivalence is a very fine equivalence between processes, reflecting the fact that in the presence of concurrency a more intensional description of process behaviour is needed than for instance its set of traces. For full CCS the question whether two processes are bisimilar is undecidable. As was noted in section 1.5 Turing machines can be "coded" in CCS. Let T M , be this coding of the n-th Turing machine when all observable actions are hidden (using the operator \\ which can be defined in CCS). The undecidable Turing machine halting problem is equivalent to whether or not T M , ~ Div where Div de=f1".Div. However an interesting question is for which subclasses of processes it is decidable. Clearly this is the case for finite state processes, a s there are only finitely many candidates for being a bisimulation. Surprisingly it is also decidable for families of infinite state processes including context-free processes and basic parallel processes [23, 22]. By exploiting the observation in example 4, when the length of a game play is boundedly finite, one can also show decidability of bisimilarity for various classes of value passing processes whose data m a y be drawn from an infinite value space.

2.5

Modal properties and equivalences

Another approach to understanding equivalences between processes is in terms of families of modal properties. Each finite or infinite set of modal formulas F induces an equivalence relation = r on processes12:

E=rF

iff V ~ E F . E ~

iff F ~

E x a m p l e 1 When F consists of all formulas of the form ( a J ... ( a n ) t t the relation - r is traces equivalence. If F contains the formulas { a J . . . ( a n ) [ - ] f f then the induced equivalence is completed traces, and when generalized to formulas 12 Similarly we can also define the preorder induced by F: E C_r F iff Vr E F if E ~ then F ~ r

178 {a1)... {a,,}[K]ff it is failures equivalence. Observable equivalences include observable traces and observable failures equivalence. [] There is an intimate relationship between bisimulation equivalence and having the same modal properties. Let F be the family of all modal formulas built from the boolean connectives and the modal operators {[K], (K/, [ - ] , / ( - / ) , [~]}. Bisimulation equivalence preserves modal properties. P r o p o s i t i o n 1 I f E ,., F then E = r F . The converse of Proposition 1 holds for a restricted set of processes. A process E is immediately image finite if for each a E A the set {F : E a, F} is finite. And E is image finite if every member of {F : 3w E A*. E _2_+F} is immediately image finite. P r o p o s i t i o n 2 I f E and F are image finite and E = r F then E ,,. F . Clearly Proposition 1 remains true for any subset of modal formulas, and Proposition 2 holds for the subset Of modal formulas when the modalities are restricted to be either [a] or (a), a E .4. Under this restriction, these two results are known as the modal characterization o f bisimulation equivalence, due to Hennessy and Milner [38, 39]. This characterization not only reinforces the naturalness of bisimulation equivalence but also suggests that modal logic is well-suited for describing properties of processes. E x a m p l e 2 Consider the family of clocks C//+1 dealt i c k . C// for i _> 0 and the clock Cl clef tick.C/. Let E be the process ~ { C l i : i > 0}, and let F be E + CI. The processes E and F are not bisimilar because the transition F t i r Cl would have to be matched by E tick Cl j for some j > 0, and clearly Cl 7~ CIj. On the other hand E and F satisfy the same modal properties. [] There is an unrestricted characterization result for infinitary modal logic, M ~ , given as follows where I ranges over arbitrary finite and infinite indexing families:

::= A { ~ , : i e r }

I V{,~i : i e z }

I [Iq'~ I (K)~

The satisfaction relation between processes and A and V formulas is defined as expected E~/~{r : iEI} iffE~r E~V{r :iEI} iffE~r The atomic formula t t is defined a s / ~ { ~ : i E 0} and f f as V{~i : i E 0}. P r o p o s i t i o n 3 E ~ F iff E =Moo F . A variety of the proposed equivalences between image finite processes in the linear and branching time spectrum, as summarized in [32], can be presented in

179

terms of games and in terms of - - r when f ' is an appropriate subset of modal formulas. 2.6

Observable bisimulations

In the previous two sections we have seen that there is a close relationship between winning strategies, bisimulation relations, and modal properties. Not one of this trio abstracts from the silent action r, as each appeals to the family of transition relations { a ~: a E .A). By consistently replacing this set with the family of observable transitions as defined in section 1.3, these notions uniformly abstract from r. We can define observable modal logic whose modalities are restricted to the set (~K~, [ ] , ((g)), (()/}. We can also define observable games whose moves appeal to the thicker transition relations = ~ , a E (9 U {e}, and observable bisimulation relations. A play of the observable game (E0, F0) is again a finite or infinite length sequence of pairs (E0, F 0 ) . . . (Ei, F i ) . . . played by the two observers players I and II. The next pair after an initial part of the play (Eo, Fo)...(Ej,Fj) is determined by one of the moves where a E O 13 {e}: - (()): Player I chooses a transition Ej ~ Ej+I chooses a transition with the same label Fj ~ - [ ]: Player I chooses a transition Fi ==~ Fj+I chooses a transition with the same label Ej ~

from Ej and then player II Fi+1 from Fj. from Fj and then player I[ Ej+I from Ej.

A game is played until one of the players wins, where the winning circumstances are depicted in figure 14. The only difference with section 2.4 is that player I is

P l a y e r II wins

Player I wins

1. The play is (E0, F0) ... (En, F,~) 1'. The play is (E0, F0)... (E,, Fn) and for some i < n, and for some a either Ei = En and Fi = Fn. E,~ ==~ E' and not(3F'. F,~ ~ F') or F , ==~ F' and not(3E'. E,, = ~ E'). 2. The play has infinite length. Fig. 14. Winning conditions

always able to make a move (because of the empty.transition). Again a strategy for a player is a set of rules which tells her how to move, and it is winning if the player wins every play in which she uses it. E and F are observably game equivalent if player II has a winning strategy for (E, F ) . Underpinning observable game equivalence is the existence of an observable bisimulation relation whose definition is as in section 2.4 except with respect to observable transitions 3 .

180

D e f i n i t i o n I A binary relation T~ between processes is an observable bisimulation just in case whenever (E, F ) 9 T~ and a 9 O U {e}, 1. ff E =:~ E I then F ~ 2. ff F = ~ F ' then E ~

F I for some F I such that ( E ~, F ~) 9 T~, and E ~ for some E ~ such that (E', F ~) 9 7~.

E and F are observably bisimilar, written E ,~ F , if there is an observable bisimulation relation 13 ~ with (E, F ) E R. The relation "~ has many prope rties in common with ,,~. It is an equivalence relation, and the union of a family of observable bisimulations is also an observable bisimulation, and so ~ is itself an observable bisimulation. Observable bisimulation and observable game equivalence also coincide. P r o p o s i t i o n 1 E is observable game equivalent to F iff E ,~ F. A direct proof that two processes are observably bisimilar consists in exhibiting an observable bisimulation relation containing them. E x a m p l e 1 We show that Protocol ~ Cop by exhibiting an observable bisimulation which contains them. (Again we drop brackets when processes contain multiple parallel components as ] is associative and commutative with respect to this equivalence.) The following relation

((Protocol, Cop)} U {((Sendl(m) I Medium I -~.Receiver)\J, Cop) : m 9 D} U ((( (m).Sendl (m) I Medium l aeceiver)\J, - (m).Cop) : m 9 D } U {((Sendl (m) I Medl(m) ] Receiver)\J, -5-~(m). Cop) : m 9 D} U {((Send1 (rn) ] Medium I -o--ff'~(m).-~-~.Receiver)\J, "o'-~(m). Cop) : m 9 D} U {((Sendl (m) ]~-g.Medium I Receiver)\J, "5-~(rn).Cop) : m 9 D} is an observable bisimulation.

[]

There is also an intimate relationship between observable bisimulation equivalence and observable modal logic, F. P r o p o s i t i o n 2 If E ~, F then E --r F. Notice that this result is not true if we include the modalities [K] and (K), or the divergence sensitive modality [~]. The converse of Proposition 1 holds for observably image finite processes. A process E is immediately image finite if for each a 9 O U {r the set { F : E ~ F } is finite, and E is observably image finite if each member of the set { F : 3w 9 ((9 U {e})*} is immediately image finite. Proposition 3

If E and F are observably image finite and E - F F then

E~F. 13 We have slightly departed from standard terminology, where ~ is called weak bisimflarity, and Definition 1 above defines what is usually called a weak bisimulation relation.

181

So far there is a very smooth transition from previous results concerning the transitions a to observable transitions 3 . This does break down at an important point. Observable bisimilarity is not a congruence for the + operator because of the initial preemptive power of v. The two processes E and v.E are observably bisimilar but for many instances of F the processes E + F and v . E + F are not. In CCS [39, 52] an important equivalence is the largest subset of ~ which is also a congruence. As observable bisimilarity is a congruence for all the other operators 14 of CCS, this congruence, denoted by ~c, can also be described using transitions. For it is only that initial preemptive ~- transition that causes failure. D e f i n i t i o n 2 E ~ F iff 1. E ~ F 2. i f E r ~ E ! t h e n F 3. i f F r , F, then E

T, F1 ~ F ' and E ' ~ F ' for some F1 and F', and r ) E1 ==~ E' and E ' ~ F ' for some E1 and E'.

When E and F are stable (as is the case with Protocol and Cop of example 1) E ~ F implies E ~c F. There is a finer observable bisimulation equivalence called branching bisimulation equivalence which also has a logical characterization [27]: we consider it briefly in section 3.2. Observable bisimilarity and its congruence are not sensitive to divergence. So they do not preserve the strong necessity properties discussed at the end of section 2.2. However it is possible to define equivalences that take divergence into account [36, 40, 71]. 2.7

Equivalence checking

A direct proof that two processes are (observably) bisimilar is to exhibit the appropriate bisimulation relation which contains them. Example 7 of section 2.4 and example 1 of section 2.6 exemplify this proof technique. In the case that processes are finite state this can be done automatically. There is a variety of tools which include this capability including the Edinburgh Concurrency Workbench [25] which exploits efficient algorithms for checking bisimilarity between finite state processes, as developed in [41]. Alternatively equivalence proofs can utilize conditional equational reasoning. There is an assortment of algebraic, and semi-algebraic, theories of processes depending on the equivalence and the process combinators: for details see [36, 40, 6, 52]. It is essential that the equivalence is a congruence. To give a flavour of equational reasoning we present a proof in the equational theory for CCS that a simplified slot machine without data values is equivalent to a streamlined process description. The congruence is ~c which was defined in the previous section. The following are important CCS laws which are used in the proof: 14 More generally only case 2 of Proposition 4 of section 2.4 fails for ~.

182

U.T.X

--~

x -4- r . x

= r.x

a.x

(x + y ) \ K = = a (a.x)\K - - 0 x+O =x

+ y\K if,, r K U K ifa6KUK

The last four are clear from the behavioural meanings of the operators. T h e first two are T-laws and show that we are dealing with an observable equivalence. There is also appeal to a rule schema, called an expansion law by Milner [52], relating concurrency and choice: if xi = ~ { a i j . x i j

: 1 < j < hi} for i : 1 < i < m then Xl ] . . . [ xm = E { a i j . ( x l I ... I xi-1 I xij I xi+l I . . . I xm) : 1 < i < m and 1 <_j <_ hi} + E{W'(Xl [ "'" I Xk-1 I Z k l I Xk+l [ "'" ]Xi-1 [ X i j [Xi'[-1 [ ' ' " [~rrt) : 1 < k < i < m and akt = W/j}

P r o o f rules for recursion are also needed. In the case t h a t E does not contain any occurrence of [, we say that P is guarded in E if all its occurrences in E are within the scope of a prefix a. operator when a is an observable action. This condition guarantees that the equation P = E, when the only process constant E contains is P , has a unique solution up to ~c: t h a t is, if F ~ E { F / P } and G ~ E { G / P } then F ~ G. This justifies the following two conditional rules for recursion: - if P d=efE then P = E. - if P = E and P is guarded in E, and Q = F and Q is guarded in F, and E { Q / P } = F, then P = F. The slot machine S M without data values, and its succinct description S M ' appear in figure 15. We prove that S M = SM'. The idea of the proof is to first simplify S M by showing that it is equal to an expression which does not contain the parallel operator. The proof proceeds on S M using the expansion law and the laws earlier for \ K , 0 and r (and the first recursion rule):

SM

= (,,lot.IO~ [ bar~.B~ [taax.D1)\K = (slo*,.(I01 I B I D) + ba.~.(IO I B~ l D) + taax.(IO I B I D1))\K = ( s l o t . ( I 0 1 [ B [ D))\K + (bank.(IO [ B1 [ D))\K + (taax.(IO [ B [ D1))\K = slot.(I01 I B I D)\K + 0 + 0 = sZot.(I01 [B [D)\K

Let SM1 = (101 [ B [ D ) \ K . By similar reasoning to the above we obtain:

SM1 = r.r.(I02 [ Ze~t.B [ D I ) \ K Assume SM2 - (I02 ] le:~t,.B [ D1)\K. Similarly, SM2 = r.SM3 + r.SM4:

183

I 0 d__._~fslot.IO1 I01 ~f b-~k.I02 I0~ d=ef1ost.Ioss.IO + release.win.IO B

d__~fbank.B1

B1 d__~~-~.left.B

D

de( max.D1

SM

-- (IOIB ID)kK where K = {bank,max, left, release}

DI d___e~lost.left.D + release.left.D

SM' ~f slot.(r.l-~6.SM' + r . ~ S M ' ) Fig. 15. A simplified slot machine

SM3 - (~-~-6.I0 I l e f t . B l i - ~ - t . D ) \ K SM4 - (~-n.IO I l e f t . B I Y C ~ . D ) k K The r-laws are used in the following chain of reasoning

SM3 = (1--6-~,I0 I l e f t . B I Y o - ~ . D ) \ g

= xoss(IO I Xe~t.B I Y ~ . D ) \ K

+ r ( X - ~ . I O JB I D)

= loss.(r.SM + slot.(IO1 Ileft.B lie-{-t.D)\K) + r.loss.SM

= Xo.~.(r.SM + sXot.r.(101 lS fD)\K) + r.Xos~.SM loss.(r.SM + slot.(IO1 I B ID)\K) + r.loss.SM loss.(r.SM + SM) + r.loss.SM loss.r.SM + r.loss.SM

= = = =

r.loss.SM

By similar reasoning SM4 = r.win.SM. Backtracking and substituting equals for equals, and then applying r laws:

S M = slot.SM1 = slot.r.r.SM2

= slot.r.r.(r.SMa + r.SM4) = slot.r.r.(r.r.loss.SM + r.r.,in.SM) = slot.(r.1--ff~.SM + r.win.SM) We have now shown that S M = E where E does not contain the parallel operator, and where S M is guarded in E. The expression E is very close to the definition of S M ' . Clearly E { S M ' / S M } = slot.(r.l--C~.SM' + r.win.SM'), and so by the second recursion rule S M = S M ' which completes the proof.

184

3

Temporal

Properties

ModM logic as introduced in sections 2.1 and 2.2 is able to express local capabilities and necessities of processes such as that t i c k is a possible next (observable) action or that it must happen next. However it cannot express enduring capabilities (such as that t i c k is always possible) or long term inevitabilities (such as that t i c k must eventually happen). These features, especially in the guise of safety or liveness properties, have been found to be very useful when analysing the behaviour of concurrent systems. Another abstraction from behaviour is a run of a process which is a finite or infinite length sequence of transitions. Runs provide a basis for understanding longer term capabilities. Logics where properties are primarily ascribed to runs of systems are called temporal logics. An alternative foundation for temporal logic is to view these enduring features as extremal solutions to recursive modal equations. 3.1

Modal properties revisited

A property separates a set of processes into two disjoint subsets, those with the property and those without it. For example ( t i c k ) t t divides {Cl],tock.C/1} into the two subsets {Cll} and {rock.C/i} when Cll d_._,ftick.rock.C/1. We let n4~ ]0e be the subset of the family of processes s having the modal property ~, the set {E 9 E : ~eE.~ ~}. Consequently any modal formula 9 partitions $ into n~n e and $ - ]4~ The set nO If is definable directly by induction on the structure of 9 provided that s obeys a closure condition described below. First the boolean connectives: Ilttll e = e II~ll e = I 1 ~ ^ ~11 e = H~II e n II~n e

I I ~ v ~11e = II~H e u I1~11e

When # E {[K], (K/, [ ], (( //, [~]} is a modal operator the definition of the subset of processes with the property # ~ appeals to the process transformer I[# If mapping subsets of C into subsets of E.

The operator II# IIe is the semantic analogue of # in the same way that N is the interpretation of A. In the cases of [K] and (K) these transformers are:

H[KI IIe = AN c_ ~. {F 9 ~ : if F

"II(K) IIe = A X C _ E . { F 9

: SE 9

a.., E and a 9 K then E 9 X}

3a 9

a>E}

Of course we would like the direct inductive definition of el9 Jle to coincide with its definition as {E 9 s : E ~ O}. But this is only guaranteed when $

185

is a transition closed set, which obeys the condition if E E E and E a ~ F then also F E E. In the sequel we use :P to range over non-empty transition closed sets. Notice that the set of processes of a transition diagram is transition closed. Therefore we also introduce the notation 7~(E) to be the smallest transition closed set containing E. If a set is transition closed then it is also closed with respect to the thicker transitions :=~ and = ~ . In the following result it is assumed that [[4~ ~' is determined by its inductive definition. P r o p o s i t i o n 1 I f E 9 P then E 9 [[~[[~' iff E ~ q~. The following features will be exploited when we develop the temporal logic later. 2 / f s C 5r and :if: 9 {[K], ( g ) , [ ] , (()), Ill} then IIv n ~ c_ II r II~' n :r, II~ II~' u c c_ I1~ II~' u :r, and II # II~' E c_ H# II~' :r.

Proposition

II 9

A property on a transition closed set of processes is that subset which has def it. Consider the family of clocks P = {C//, Cl : i > 0}, where Cl = t i c k . C / and C//+1 def t i c k . C// for every i > 0. W h a t distinguishes C1 from the rest of :P is its long term capability for ticking endlessly. Each Cl i ticks exactly i times before stopping. This property divides P into the two subsets {Cl} and P - { Cl}. But this feature can not be captured by any single modal formula 15 of the modal logics in sections 2.1 and 2.2. P r o p o s i t i o n 3 For any modal q~, if Cl 9 ~[[~' then there is a j >_ 0 such that for all k > j, el k 9 ~]]~. 3.2

Processes and their runs

Proposition 3 of the previous section shows that modal formulas are not very expressive. Although able to describe immediate capabilities and necessities, they cannot capture more global or long term features of processes. We can contrast the local capability for ticking with the enduring capability for ticking forever, and the urgent inevitability that tick must happen next with the lingering inevitability that tick eventually happens. Another abstraction from behaviour, which throws light on this contrast between immediate and long term, is that of a run of a process E0 which is a finite or infinite length sequence of transitions of the form E0 a l E1 a2 .... When a run has finite length its final process is then unable to perform a transition. So a run from E0 can be viewed as a computation from E0, a maximal performance of actions. Game or bisimulation equivalence, as defined in section 2.4, "preserves" runs as stated by the next Proposition. P r o p o s i t i o n 1 Suppose that Eo "~ Fo, 15 Of course, for each CP there is the formula ( t i c k ) i + l t t which it fails and which holds of Cl.

186

1. i f Eo al ) E i a2 ~ . . . is a run Fo al) F1 i : O < i < n, and 2. if Eo a, ) E i a2 ) . . . infinite length run Fo

-a, ' ~ En is a finite length run f r o m Eo then there a2 ) . . . a, ) Fn f r o m Fo such that El ", Fi f o r all is an infinite length run f r o m Eo then there is an al ' F1 a2 , .. . f r o m Fo such that Ei "~ Fi f o r all i.

Because E0 ,,, F0 implies F0 "~ E0, each run from F0 also has to be matched with a run from E0. A simple consequence is t h a t the clock C! is not bisimilar to any clock Cl i because Cl has a run which cannot be emulated by Cl i. Clearly observable bisimulation equivalence, ~ , from section 2.6 does not preserve runs in the sense of Proposition 1. A simple example is t h a t the infinite run Div r ~ Div r ) . . . has no correlate from r.0 although Div ~ 7".0 when def

Div = v.Div. We m a y try and weaken the matching requirement. For any run

from E0 there is a corresponding run from F0 such t h a t there is a finite or infinite partition across these runs containing equivalent processes. However this induces a finer equivalence than observable bisimulation, called branching bisimulation [33]. It should also be compared with "stuttering" equivalence as proposed within

[19]. Observable bisimilarity does preserve observable runs whose transitions are given by the thicker arrows - - ~ and 3 . B u t there is a drawback because of =:~ transitions. The process C l de f t i c k . C / has the observable inactive run Cl ~ Cl ~ . . . which means t h a t it fails to have the observable property that t i c k must eventually happen. Many significant properties of systems can be understood as features of all their runs. Especially i m p o r t a n t is a classification of properties into safety and liveness, originally due to L a m p o r t [43]. A safety property states that nothing bad ever happens whereas a liveness property expresses that something good does eventually happen. A process has a safety property just in case no run from it contains the bad feature, and it has a liveness property when each of its runs contains the good trait. E x a m p l e 1 A property distinguishing each clock Cl i from Cl is eventual termination. The good characteristic is expressed by the formula [ - ] f f . On the other hand this can also be viewed as defective, as exhaustion of the clock. In which case Cl has the safety property of absence of deadlock, which each Cl i fails. [] E x a m p l e 2 The level crossing of figure 7 should have the crucial safety property that it is never possible for a train and a car to cross at the same time. In terms Of runs this means that no run of Crossing passes through a process that can perform b o t h t c r o s s and c c r o s s as next actions, and so the bad feature is

Liveness and safety properties of a process concern all its runs. We can weaken t h e m to features of some runs. A weak safety property states that something bad does not h a p p e n in some run, and a weak liveness property asserts t h a t

187

something good may eventually happen, that it eventually happens in some run. E x a m p l e 3 A weak liveness property of the slot machine S M , of figure 10 is that it may eventually pay out a windfall: the good thing is given by the formula

(w--i-n(lO6))tt.

[]

There is considerable middle ground between all and some runs, Often we are only interested in liveness and safety in the case of a subset of runs that obey a particular condition. E x a m p l e 4 A desirable property of the level crossing is that whenever a car approaches eventually it crosses: any run containing the action caz also contains the later action c c r o s s . [] Sometimes these conditions are complex and depend on assumptions outwith the possible behaviour of the process itself. For example the protocol of figure 9 fails to have the property that whenever a message is input eventually it is output because of runs where a message is forever retransmitted. However we may make the assumption that the medium must eventually pass to the receiver a repeatedly retransmitted message, and that therefore these deficient runs are thereby precluded. Other properties are important such as cyclic properties: The clock Cll earlier performs t i c k immediately followed by t o e k cyclically starting with t i c k . E x a m p l e 5 The scheduler of section 1.4 ensures that the sequence of actions al . . . an is performed cyclically starting with al. In this example other actions (silent actions and the task termination actions bj) may be interspersed before and after each ai. [] Modal logic expresses properties of processes as their behaviour unfolds through transitions. Temporal logic, on the other hand, ascribes properties to processes by expressing features of some or all of their runs. (For surveys of temporal logic see [31, 49, 64].) In fact there is not a clear demarcation because modal operators can also be viewed as temporal operators, which express "next" : E0~[g]4~ iffforallE0runsE0 E0 ~ ( g ) ~ i f f f o r s o m e E 0 r u n E 0

a , E1 a2 . . . , i f a l E K t h e n E l ~ 4 ~ . a l E1 a2 . . . , al e K a n d E 1 ~45.

In this work we do not base temporal logic upon the notion of a run. It is of course a very useful abstraction. A run is simply a subset of a transition closed set. Although the properties described in the examPles above are not expressible in modal logic of section 2 we shall find appropriate closure conditions on sets of processes which define them, by appealing to inductive definitions built out of modal logic. The idea is, for instance, that a long term capability is just a particular closure of an immediate capability.

188

3.3

Modal equations and fixed points 9

.

9

def

Defimtlonal equahty, - , is indispensable for describing perpetual processes, as in the simple case of the uncluttered clock CI that ticks forever. Imagine adding this facility to modal logic, following Larsen [44]. For instance the modal equation Z dej ( t i c k ) t t stipulates that Z expresses the same property, an ability to perform t i c k , as ( t i c k ) t t . On any transition closed set 7) this characteristic is given by the set ~( t i c k ) t t lilY. def

A more intricate modal equation is Z = ( t i c k ) Z where both occurrences def

of Z select the same trait. Unlike the use of = in the definition of a process, a recursive modal equation may express various properties on a set P, each of which is a subset s of processes obeying the condition E - ~(tick)[[9 s Any such solution E is a fixed point of the function f = AX C :P. [I ( t i c k ) [[9 X, as f(E) = E. The equality can be bisected: E is a prefixed point of f , that is f(s C E, and it is a postfixed point of f which is the other half, s C f(g). These halves can be viewed as closure conditions on any potential solution set E: PRE i f F E E a n d E E T ) andE~iCkFthenEEs POST if E E E then E ~ick F for some F E s One solution is the empty set as it trivially fulfills both conditions. When 7) is { Cl}, the other subset { Cl} also obeys both conditions because of the transition Cl tick Cl. In this instance both candidate solutions are successful fixed points, and they can be ordered by subset, 0 C {Cl}. In the case that 7) is generated by the more sonorous clock Cll deg t i c k . r o c k . Cll that alternately ticks and tocks, there are more candidates for solutions but besides 0 all the rest fail PRE or fail POST 9 With respect to any transition closed set the equation Z de__f( t i c k / Z has both a least and a greatest solution (which m a y coincide) relative to the subset ordering9 The general result guaranteeing this is due to Tarski and Knaster. It shows that the least solution is the intersection of all prefixed points, of all those subsets obeying PRE, and that the greatest solution is the union of all post' fixed points, of all those subsets fulfilling POST. The result applies to arbitrary monotonic functions from subsets of 7) to subsets of P. The set 29 is the set of all subsets of 7), and the function g : 2~' --~ 2~' is monotonic with respect to C if s C .T' implies g(s C g(J=)9 P r o p o s i t i o n 1 If g : 29 --~ 29 is monotonic with respect to C_ then g i. has a least fixed point with respect to C given by N{E c 7) : g(s C s ii. has a greatest fixed point with respect to C given by U{s C_7) : s C_g(E)}. Proposition 1 applies to any modal equation' Z dej ~ when ~P is built from modal operators, boolean connectives, the constants t t and f f , and Z: this follows directly from Proposition 2 of section 3.1, which shows that all these operators induce semantically monotonic functions. Relinquishing the equational

189

format we let pZ. kh express the property given by the least solution of Z de f ~ , and we let uZ. ~P express the property determined by its largest solution. For the equation earlier, the least solution/~Z. ( t i c k ) Z expresses the same property as r irrespective of P, the empty set obeys condition PRE. Much more stimulating is that uZ. ( t i c k ) Z expresses the long-standing capability for performing the action t i c k forever. Let E C :P consist of all those processes E0 that have an infinite length run of the form E0 tick E1 ,ick .... It is clear that E obeys POST, and that it is the largest such set. As shown in section 3.1 this capability is nol expressible within modal logic. More generally, uZ. ( K ) Z expresses a capability for performing K actions forever. Two special cases are striking, uZ. ( - ) Z expresses a capacity for never-ending behaviour and uZ. ( r ) Z captures divergence, the ability to engage in infinite internal chatter. A more composite equation schema is Z def 45 V ( K ) Z where 9 does not contain Z. Any solution 8 C "P divides into the following two closure conditions: PRE ifEEPand(E~4~orE POST i f E E E t h e n E ~ r

a,FforsomeaEKandFEE) a,FforsomeaEKandFEs

thenEEg

Every subset E fulfilling PRE must contain those processes in P with the property 4~, and also includes those processes that fail 4~, but are able to perform a K action and become a process having ~, and so on. Therefore a process E0 has the property #Z. r V ( K ) Z if it has a finite or infinite length run of the form E0 4 0 ... a._~ En ~"~ ... with En ~ 4~ for some n and where each action aj, j < n, belongs to K: that is, E0 is able to perform K actions until 9 holds. The maximal solution, uZ. q~V (K)Z, also includes the extra possibility of performing K actions forever without r ever becoming true. Two general case s of/~Z. ~V ( K ) Z are worth noting. When K is the complete set of actions it expresses weak liveness, that 4~ is eventually true in some run, and when K is the singleton set {r} it expresses that after some silent activity r is true, that is (())4~. Recall that the modality (()) is not definable within the modal logic of section 2.1. Another useful composite schema (assuming again that 45 does not contain Z) is Z d___ef4~A (K)Z. The least solution is of no interest as it is expressed by f f . The maximal solution over ~' is the union of all subsets g obeying the following condition POST POST i f E E E t h e n E ~ 4 ~ a n d E

a,F

for s o m e F E . g a n d a E K

which requires there to be a perpetual run involving only K actions and with 4~ true throughout. A slight weakening is that 9 holds throughout a maximal performance of K actions, as expressed by uZ. q~A ( { K ) Z V [K]ff), and when K is the set of all actions it expresses a weak safety property. The complement of weak liveness is safety. A process fails /JZ.4~ V ( - ) Z if 4~ never becomes true in any run. Similarly the complement of weak safety is liveness. A process lacks uZ. 45 A ( ( - ) Z V [-]~f) if in every run eventually is false. Complements are expressible when negation is freely admitted into

190

formulas with its intended meaning, [I--4~ ~7, is the set of processes • - ~~ II7". But then not every modal equation has extremal solutions, a simple instance is zd--ef --Z. It fails the monotonicity requirement of Proposition 1' However, if def

we restrict the form of an equation Z = 4~ so that every free occurrence of Z in 9 lies within the scope of an even number of negations then mon0tonicity is guaranteed. However, the complement of a formula is also in the logic without the explicit presence of negation. Let ~c be the complement of ~, which is defined inductively as follows (assuming that Z c = Z): ttc

: ff

ffc

: tt

r

([K]4~) r

-

(K)r

c

=

It follows that ~

((K)r r = [K]r c =

~' = : P - [[~[I~'.

If a property is an extremal solution to the equation Z d=ef~ then its comdef ~ c .

plement is the dual solution to Z = Consider convergence which holds of a process when it cannot perform silent actions for ever. The formula vZ. (r)Z expresses its complement, divergence, and so convergence is captured by pZ. [r]Z. More generally pZ. [ - ] Z expresses that all behaviour is finite, that there are no infinite length runs. A strong invariance property is that 9 holds throughout every ongoing performance of K actions. This fails precisely when a process may perform K actions continuously until 4~c holds. Failure here is given by the formula pZ. 4~c V (KIZ whose complement is therefore vZ.~)A [K]Z. A particular case is that [ ] 9 is expressed as vZ. ~ A [r]Z. Safety properties, that nothing bad ever happens, fall under this format. A strong until property is that every continuous performance of K actions eventually leads to the holding of r This is therefore the complement of the formula vZ. g'c A ((K)Z V [ g ] f f ) which is pZ. 9 V ([K]Z A ( g ) t t ) . Liveness properties, that something good must eventually happen, have this form (when K is replaced by - ) . An example is that the slot machine must eventually output (winnings or an indication of loss). A better description is that whenever a coin is input the slot machine must eventually output, a property expressed using both fixed point operators. However embedding fixed point operators within each other goes beyond the simple equational format which motivated their introduction. 3.4

M o d a l mu-calculus

Instead of appealing to modal equations to express temporal properties, we add to modal logic propositional variables ranged over by Z, and the extremal fixed point operators vZ and pZ. As before assume that K ranges over subsets of ,4. The formulas of the logic, modal mu-calculus, are:

191

I 9 ::= z I 4 1 ^ ~ 2

I ,~1v,#2

I[KI41(K)41vZ.41gZ.~ I

The constant formulas t t and f f are definable as vZ. Z and/~Z. Z. However when describing properties we will freely use these constants. In the sequel we let a range over the set {~u,v}. A fixed point formula has the form a Z . 4 in which crZ binds free occurrences of Z in 4~, and an occurrence of Z is free if it is not within the scope of a binder ~Z. We assume that ~rZ has wider scope than the boolean connectives V and A. Formulas m a y contain multiple occurrences of fixed point operators, as in vZ. #Y. vX. [a](((b)X A Z) V [K]Y). Also a Z may bind more than one occurrence of Z, as in vZ. ( t i c k ) g h ( t o c k ) Z . Assume a fixed transition closed set of processes 7). We wish to inductively define when the process E E 7) has a temporal property. Semantic clauses for when a process satisfies a fixed point formula ~rZ.~ are needed. However such clauses depend on interpreting subformulas of 9 with possible free occurrences of variables with respect to subfamilies of 7). The satisfaction relation, ~ , is therefore defined indirectly in terms of n 4 n~, the set of all processes in 7) with the property +. Subformulas containing free propositional variables are dealt with using valuations, functions ranged over by ]2 which assign to each variable Z a subset I;(Z) of processes in 7). A customary updating notation is also assumed: I;[C/Z] is the valuation Y' which agrees with 12 on all variables except Z, when 12'(Z) = C.. The subset of processes in 7) satisfying an arbitrary formula ~ relative to the valuation 1? is inductively defined as the set [[# n~, where for ease of notation we drop 'the superscript 7) which is assumed fixed throughout:

IIz Hv H+^ a~llv H~ v ~'llv H[K]~ IIv II(K)411v IlvZ.+lv Ill, Z.~nv

= = = =

v(z) II+Hv n Ila~llv II~llv u H~Hv II[K]H 114 IIv H(K)I11141Iv = U{~ c_ 7) : E c_ll+llvte/z]} -- f l { c c_ 7) : 114llvt~/zlC_ E}

The subset of 7) with the property Z is that stipulated by the function i;. The semantic clauses for the boolean operators are as in section 3.1, except for the additional valuation component for understanding free variables. The meanings of the modal operators appeal to the transformers [[[K] [[~' and [[( g ) ~ defined in section 3.1. (The derived clauses for the boolean constants are [[t t IIv = 7) and nf f Ilv = 0.) It is straightforward to show that any formula 4 determines the monotonic function ~g C_7). 114IlWte/z] with respect to the variable Z, the valuation 12, and the transition closed set 7). Hence the meanings of the fixed point formulas are instances of Proposition 1 of section 3.3: the greatest fixed point is given as the union of all postfixed points whereas the least fixed point is the intersection of

192

all prefixed points. One consequence is that the meaning of ~Z. ~ is the same as its unfolding r Formulas of the logic without free variables are closed under complement: this follows from the observations in the previous section. In particular (uZ. ~)r is /~Z. ~c and (/~Z. 4~)e is uZ. Ce: for instance (uZ. I~Y. uX. [a](((b)XA Z) V [K]Y)) r is the formula #Z. uY. I~X. (a)(([b]X V Z) A (K)Y). This is not true for open formulas containing free variables. For example the formula Z does not have an explicit complement. However as we employ valuations we are free to introduce the understanding that a free variable Y has the meaning of the complement of a different free variable Z. Modal mu-calculus was originally proposed by Kozen [42] (and also see Pratt [60]) but not for its use here 16. Its roots lie with more general program logics employing extremal fixed points, developed by Park, De Bakker and De Roever, especially when formulated as relational calculi [8, 9, 56]. Kozen developed this logic as a natural extension of propositional dynamic logic. Larsen proposed that Hennessy-Milner logic with fixed points is useful for describing properties of processes [44]. Previously Clarke and Emerson used extremal fixed points on top of a temporal logic for expressing properties of concurrent systems [28]. In the case of a closed formula~ (one without free variables), the subset [1~ [Iv is independent of the particular valuation Y, and so is the same as [[~ ~v, for any other valuation I / . Therefore when 9 is closed we let [[9 ]~' be the subset of processes of P with the temporal property 9 relative to an arbitrary valuation, and we also use the notation E ~ 9 to mean that E E[I r [[~'. More generally when 9 may contain free variables we write E ~ v 4~ whenever E E [[~b ~v. E x a m p l e 1 Entangled fixed point formulas are the most difficult to understand. def D ~ def Assume that D and D ~ are the two processes D = a.D ~ and = b.O + a.D, and that 7' is {D, D ~, 0}. Let r and ~P be the following similar formulas: = uZ. pY. [a](((b)tt A Z) V r ) = #Y. uz. [a](((b)tt V Y) A Z) The formula 9 expresses that b is possible infinitely often throughout any infinite length run consisting wholly of a actions, and so all the processes in P have this property. The set U{E c 7" : E C 1[/~Y.[a](((b)tt A Z) V Y)Uv[e/z]} is 7". To show this we establish that 7" C_ [[#Y. [a](((b)tt A Z ) V Y)[[v[Wz]. This depends on proving that 7, =

I'l{.r c

: II [a](((b)'l;t A Z,) V Y)II(v[~,/z])p:/r]c :r}

Both 0 and D belong to II [a](((b)tt A Z) V Y ) to perform a, and D --~ D' and D' D' a'D.

Ikvtwzj)tz/r]

because 0 is unable

a ~ 0. Therefore :T must also contain D' as

is The modalities here slightly extend those of Kozen's logic as sets of labels may appear within them instead of single labels, and on the other hand Kozen has explicit negation. Kozen calls the logic "propositional mu-calculus" which would be more appropriate for boolean logic with fixed points.

193

In contrast r expresses that the action b is almost always possible throughout any infinite length run consisting only of a actions. This means that ~~ II is the singleton set {0} because 0 has no infinite length runs. First 0 belongs to the intersection ~{:T C P : ~ uZ. [a]((/b)tt V Y) A Z) ~v[~/y]C ~'}. So we show that {0} = U{E c 7~ : E c u [a](((b)tt V Y) A Z) ~(v[{o}/r])[~/z]}.Note t h a t D i r ~ [a](((b)tt V y ) A Z) ]~v[{o}/r])[e/z] as D does not have the property Y under this valuation. So D can not belong to any $ which is a subset of II[a](((b)tt V Y) A Z)[l(v[{o}/r])[e/z]. This means that D is also excluded as its presence in $ would require D ~ to have the property Z under this valuation. [] In section 2.2 we introduced other modal operators which are not definable in the modal logic of section 2.1, namely (()), [ 1, and [11. In the presence of fixed points these modalities are definable as follows (where we assume that Z is not free in ~):

%f . z . 9 v (r)z

[]4 [11 v %f . z . 9 ^ [r]z Therefore the derived modalities ((K)), [ K ] , [1 K] are also definable. For instance, [[K] ~ was defined as 11 [ K ] [ ] ~ which is the fixed point formula PZ. [K](vY. 9 ^ [r]Y) ^ [r]Z. Observable modal mu-calculus is the sublogic when the modalities are restricted to the subset {[ 1, (()), [ K ] , ((K))}, when r ~ K. This fixed point logic is suited for expressing observable properties of processes. An important feature of modal mu-calculus is that it has the finite model property: i f a closed formula holds of some process then there is a fiaite state process satisfying it. A proof of this can be found in [67].

3.5

Approximants

At first sight there is a chasm between the meaning of an extremal fixed point and techniques (other than exhaustive analysis) for actuMly finding the set it defines. There is however a more mechanical method, an iterative technique, due to Tatski and others, for discovering least and greatest fixed points: Let pg be the least and vg the greatest fixed point of the monotonic function g mapping subsets of ~' to subsets of 7~. Suppose we wish to determine the set ug, which is the union of all subsets E that obey E C_ g(E). Let v~ be the full set •, and let v~+lg be the set g(u~g). Clearly g(u~ C. u~ that is ulg C u~ and by monotonicity of g this implies tha~i g(ulg) C g(u~ that is v2g C ulg. Consequently by repeated application of g it follows that g(uSg) C u~g for each i, and so there is a possibly decreasing sequence of sets, P 0 g _D v 1 g_D . . . D P'g D_.... The required set Pg is a subset of each member of this sequence. By definition vg C u~ and therefore g~(Pg) C g~(p0g) for any n where g"(x) is the application of g to x n times. As Pg is a fixed point gn(pg) = pg, and gn(pOg) is the set P"g. If pig is equal to pi+lg then pig is the set Pg, and therefore also pig is Pg for every j > i.

194

These observations suggest a strategy for discovering vg. Iteratively construct the sets rig starting from i = 0, until vZg is the same as its successor vi+Zg. When :P is a finite set containing n processes this iteration must terminate at, or before, the case i = n, and therefore vg is equal to vng. E x a m p l e I Let 7~ be { Cl, t i c k . 0 , 0}, and let g be hE C 7~. II( t i c k ) Z ~v[~/z].

v~ g = P = vlg = n (r, ick)Zllvt,,oa/z] = v2 g = ~ (tiek)Z]lvtv,a/z ] = = II ( t i c k ) z ]vt,../z] =

{Cl, t i e k . 0 , 0 } {el, tick.O} {C/}

{Cl}

Stabilization occurs at the stage vZg as this set is the same as v3g, and consequently is the same a s png for all n > 2. Consequently vg is the singleton set

{o}.

[]

When 7~ is not a finite set of processes, we can still guarantee that vg is reachable iteratively by invoking ordinals as indices. Ordinals can be ordered as follows:

O, 1 , . . . , w , w + 1 , . . . , w + w , w + w + I , . . . Here w is the initial limit ordinal (one without an immediate predecessor) while w + 1 is its successor 17. Assume that c~, fl and ~ range over ordinals. The set va+lg is defined as g(vag) and rag when ~ is a limit ordinal is N{v~g : c~ < ~}. Therefore there is the possibly decreasing sequence

v~

D_ ... D_ uCOg D__v~

D__ ...

The set vg is not only a subset of each member of this sequence, but also appears somewhere within it is, and the first such point is not when the ordinal is a limit. E x a m p l e 2 Let 7~ be the set {C, Bi : / > 0} when C is the cell C ~ f • with ~ : N, and B , + I dej down.Bn for each n. Let g be )~s C ~P. ]1( - ) Z ~v[E/z]. The fixed point vg is the empty set. (The formula vZ. ( - ) Z expresses a capability for infinite behaviour which every member of P lacks.) v~

=P

vlg

= ~(-)Z]lv[~,og/z ] = {C, Bi : i > 1}

= { C , Bi : i > 0 }

vJ+l g = ~ (->Z ~v[,Ja/z] = {C, Bi : i >_ j + 1} The set v~ defined as ~ { u i g : i < w}, is the singleton set {C} as each Bj fails to belong to it. The next iterate is the fixed point, vW+lg is ~( - ) Z Ilv[v~a/z] which is ~1. Here stabilization occurs at vW+Zg with 0 as the fixed point vg. [] lr All the processes considered in this work belong to a countable transition closed set :P, and so we only need to consider those ordinals whose cardinality is at most that of N. a8 The proof is similar to that described for the finite state case eaxlier.

195

The situation for the least fixed point #g is dual. The required set is the intersection of all prefixed points, of all subsets g C_ 79 with the feature that g(g) C g. Assume that/~0g is the empty set, and that i~i+lg is the set g(p~g). Therefore there is the possibly increasing sequence of sets/~0g C pig C . . . C pig C_ ... and #g is a superset of each of the sets i~ig. Again if pig is equal to its successor #i+lg then/~ig is the required fixed point ttg. An iterative method for finding/~g is to construct the sets ju'g starting with p0g until it is the same as its successor. When 79 is finite and consists of n processes this iteration has to terminate at, or before, l~ng.

Example 3 example 1.

Let g be Ag C_ 79.

II [tiek]ee V (-)Z ~VtelZ] when 79 is as in

/~0g = I~

~ag = II[tick]f~ V ( - ) Z Ilvt~og/z] = {0} ~2g = II[ t i c k ] ~ V ( - ) Z Ilvt..~/z] = {tick.O, O} ~3g = [ [ t i c k ] ~ v ( - ) Z nvt..~lZl = {tick,O, o} Stabilization occurs at ju2g which is the required fixed point. Notice that if we consider ug instead then we obtain the following different set.

u~g =

79

= { Cl, t i c k . 0 , 0}

~lg = ~ [ t i c k ] ~ v ( - ) Z Ilvt.o~/z] = 79 This stabilizes at the initial point.

[]

If 79 is not a finite set then again we may need to invoke larger ordinals as indices. The set / ~ + l g is g(p~g), and #Xg is the union set U{pC'g : o~ < ~} when $ is a limit ordinal. Therefore there is the possibly increasing sequence 0g

C_ ... c_ p~g C_ ~ + l g c _ . . .

The set/~g is a superset of each member of this sequence, and also occurs within it, and the first such time is not when the ordinal is a limit. E x a m p l e 4 Consider the following clock Cl'

el'

def

=~{cd:i>_o}

def

CI i+1 = t i c k . C l / CI' describes an arbitrary new clock, which will eventually break down. Let 7) be the set {Cl', Cl i : i > 0}. As all behaviour is finite each process in 79 has the property #Z. [tiek]Z. Let g be the function hE C_79. ~[tiek]Z~v[e/z]. /~0g

= 0

~,Xg

= ~[tick]Zllv[..g/z] = {Cd : j < 1}

p~+lg = B[tick]Z~v[z,g/zl = {C/~ : j < i + 1}

196

So the initial limit point/2~ is U{p~g : i < w} which is {CI j : j > 0}. At the next iteration the required fixed point is reached as/jW+lg is H[t• IIv[g+g/z] which is P, and moreover #~g = P for all oL> w + 1. [] The sets cr"g are approzimants for trg in that they converge towards it. Each v~g approximates vg from above, whereas each p"g approximates/tg from below. In this way an extremal fixed point is the limit of a sequence of approximants. We now provide a more syntactic characterization of these fixed point sets in the extended modal logic Mr of section 2.5. I f g is ,~s C_ :P. 11+ Ilvt~/z] then vg is IIvZ. 4~ IIv and ~tg is IIp Z . + Ilv (both with respect to P). The initial approximant v~ is just 1[t t Ilv and #0g is ]1ff ]Iv. Therefore via is ]]9 ]]v[btvlZ] which is the set 11q~{t,t,/Z} [[v: similarly r is ][~ { f f / Z } ]]v. For each ordinal (~ we define a Z a.~ as a formula of M ~ . As before let $ be a limit ordinal:

v Z O. ~b = 1;1; ~,z~+L ~, = +{~,z ~. + / z } ~,z ~.+ = h ( ~ Z " . + : ~ < ~)

pZ ~ ~ = ff. ~ z "+~. r = + { ~ z ~, ~ , / z } ~,z ~.+ = V ( ~ Z " . + : ~ < ~}

Proposition 1 If g is AE C_ P. IIr Ilv[e/z] then ~"g ordinals a.

= ~ ~Z ~. + IIv/or all

A simple consequence is that we can now give a more direct definition of E ~ v 4~ when r is a fixed point formula: E ~ v vZ. r iff E ~ vZ ". 4~ for all a. E ~ v / ~ Z . 4~ iff E ~ p Z ". 4~ for some a. E x a m p l e 5 In the previous section we contrasted the definitions of [ ] 9 and Ill 4~ in modal mu-calculus. Let vZ. ~P be the formula vZ. 4~A [r]Z (expressing [ ] ~ ) and let pZ. ~ be ~tZ.r A [r]Z (expressing [~]q~)~o. Consider the different approximants these formulas generate: vZ ~ ~0 = t t vZ 1. ~ = (~ A [r]tt v Z 2. g~ = ~ ^ [r]~

=

r

/zZ O. ~ = ff ~ Z ~. ~ = ~ A [r]~ ~z 2.~ = + ^ N ( + ^ [d~)

~ z ~. + = + ^ [ d ( + ^ [ d ( + A . . . [ d + - - . ) ) pZ ~. ~ = + ^ [ d ( + A [ d ( + ^ . . . [ d ( + A [ d ~ ) . . . ) )

The approximant juZi. !/r carries the extra demand that there can not be a sequence of silent actions of length i. Hence [~] ~ requires all immediate v behaviour to eventually peter out. [] 19 It is assumed that Z is not free in r

197

3.6

Embedded approximants

Approximants provide an iterative technique for discovering fixed point sets. All the examples in the previous section involved a single fixed point. In this section we examine the technique in the presence of multiple fixed points, and comment on entanglement of approximants. E x a m p l e 1 The vending machine Ven has the property vZ. [2p, Ip]~P A [-]Z, when r is/zY. ( - ) t t A [--{collectb, co 92 Let 7" be the transition closed set { Ven, Venb, Vent, c o l l e c t b . Ven, c o l l e c t t . Ven}. First using approximants we evaluate the embedded fixed point #, and we abbreviate its ith approximant to #Y~: /,yO : 0 #y1 = II <-bt A [-{collectb,collect,}]Y~v[.vo/v] {r Ven, c o l l e c t t . Ven} /,y2 : II( - b t A [-{coZX.ctb, coner b[~,Y~/n { Venb, Vent, r Ven, c o l l e e t t . Ven} p y 3 = [I(--)i;tA [--{collectb, collecl;t}]Y ~v[uv2/y] 7"

Next the outermost fixed point is evaluated, given that the meaning of # is 7". We abbreviate its ith approximant to vZ i.

vZ ~ = 7) . z ! = II[~p, ap]~ A [-]Zb[~zom =7" Here the embedded fixed point can be evaluated independently of the outermost fixed point. [] Example 1 illustrates how the iterative technique works for formulas with multiple fixed points that are independent of each other. In abstract terms, the formula of example 1 has the form vZ. r gt(y)) where the notation makes explicit which variables can be be free in subformulas: here Z does not occur free within the subformula/,Y, gt(y) but may occur within ~(Z,/,Y. ~P(Y)). Consequently when evaluating the outermost fixed point we have that:

vZ ~ .z 1

= 7' = II*(z, ~v. ~(v))Ilv[~zom

uz ~+x = ~o(z, tN. ~(g))IIv[~z,m Throughout these approximants the meaning of the subformula pY. gt(y) is invariant because it does not contain Z free: consequently ~ltY. ~(Y) [[v[,,z'vz] is the same set as [[laY. ~(Y) ~v[vz~'/z] for any ordinals a and ft.

198

E x a m p l e 2 Assume that D and D' are as in example 1 of section 3.4, where D a D I , D I a , D , a n d D ~ b , 0 , and 79 is {D, D,, 0}. Also recall the pair of formulas # and #. = ,.,z. ~v. [a](((b)tt ^ z ) v Y) ~' = I~Y. v Z . [a](({b)tt V Y) A Z)

Consider now evaluating 4~ using approximants. v Z ~ = 79

pZ 1

- - "

~uY. [a](((b)tt A Z) V Y)Ilvt,.~om #y00 = 0 juY O1 ----- ~[a](((b)tt A Z ) V Y ) I I ( v t . z o / z ] ) t . Y o . / v ) = {0, D} #yO2 = 11[a]((
So v Z 1 = 79 Here calculating v Z 1 depends on cMculating the innermost fixed point when Z is contained within it, and therefore when it initially receives the value v Z ~ for Z. Hence the notation: # y y i represents the ith approximant of the subformula prefaced with/JY when any free occurrence of Z is understood as the approximant v Z i . The case of ~ illustrates this further. t~Y ~ = O t'Y1 = NvZ. [a](((b)tt v Y) v Z ~176= 79 - z ~ - II[a](((b)tt = {0, D} v Z ~ -" II[a](((b)i;t = {o} v Z ~ -" ~[a](((b)i;t = (o} So/~y1 = {0}

^ Z)Ilvt.yo/yl V Y) ^ Z)kvt.Y./YDt,,zoo/z] V Y ) A Z ) ~(v[.yo/y])[vzol/z] V Y ) A Z)II(vt.Y./Yl)t~zo~/z]

~,y2 = II~,z. [a](({b)'t;t V Y ) A Z ) I l v t . v , / v l v Z 1~ = 79

= ~[a](({b)tt V Y ) A Z)[[(v[uYUrl)[~,zlo/z] = {0, O} vz12 = II[a](((b)tt v Y) ^ Z) ~(V[Uyx/y])tvZxa/g] = {o} ~'z~" -- U[a](((b)tr V Y) A Z)II(vt.Y,/Y])t,.z,"/z] = {o} So/~y2 = {0} vZ n

Here we need to evaluate the innermost fixed point with respect to more than one outermost approximant. [3

199

Example 2 illustrates dependency of fixed points. The first formula has the shape vZ. 4~(Z,/~Y. ~V(Z, Y)) where Z is free in the innermost fixed point 9 Evaluation of such a formula using approximants takes the form: vZ ~

= 79

~,z 1 = U+(z, ~,Y. ~(z, Y)) llvt,,~o/z] I~Y ~176= I~ I~Y ~ = ] ~ ( Z , Y )

~(VtvZo[Z])[ljytm/y]

~Y. g~(z, Y))Ilvt,~z,/z] lzy iO --__

~ z ~+' = IlO(z,

I~Y ~1 = ~qz( Z, Y ) [[(v[~,Z'lZl)[uY'o/Y]

The meaning of the subformula pY. ~/'(Z, Y) may vary according to the interpretation of Z. Approximants for uZ. ~ and #Z. ~) start from the sets v Z ~ = 79 and # Z ~ = 0. In principle, there will he fewer calculations if the initial approximants are closer to the required fixed points. A set v Z ~ = C where 7) __DC _DIIuZ. ~ ~ could be a better initial point than 79. This observation can be utilized when evaluating an embedded fixed point formula whose shape is v Z . 4)(Z, uY. ~P(Z, Y ) ) . vZ ~ = P

/./21 ---- [[(~'(Z, pg. ~TI(Z, Y) ) ~l)[vZo/Z] v y ~176= 79

/ty01 = ]lilt(z, Y) U(v[vz~176176 /Y] . z 2 = Uo(z, ~,Y. ~,(z, Y))llvt.z,m To evaluate v Z 2 one needs to calculate U v Y . ~ ( Z , Y ) monotonicity we know that

IIv[uzl/z]. However by

II,Y. ~ ( z , Y)Ilvt,,z,/zj c_ ~~,Y. ~ ( z , Y)Ilvv, z o m c_ 79 Therefore we can use and so on:

II ,.'Y. ~(z, Y) Ilvt,.zo/zl

as the initial approximant v y a 0

200

vZo vza

7) = II~ ( z , ~Y. ~ ( z , v ) ) Uvt,,zo/z] v Y ~176 = O vY~ = II# ( z , Y) ]l(v[vgo/g])[vyoo/y]

vg 2 = IIr

vY. #(Z, Y)) Hvt~zl/z] vYl~ = IIvY. ~(z, Y) ~v[vzo/z] vY 11 = II#(z, Y) II(vt,,zo/zl)t~,r-/Yl

~z~+l = II~(z, ~,Y.~(z, Y)) Ilvt,,z,/zl vY ~+1~ = II~'Y.~(z, Y) Ilvt,,z,/z] ~ y i + U = II#(z, Y) II(vt,,zo/zDt,..r,+,o/r I

This observation can be extended to formulas with multiple embedded maximal fixed points. The situation is dual for least fixed points. Choosing the set E for #Z ~ when 0 C s C ]]/~Z. ~ ]] could be a better starting point than 0. In the case of a formula whose shape is pZ. qb(Z,/zY. ~(Z, Y)), by monotonicity we know that

0 c_ ~ Y . ~ ( z , Y)Ilvt,,z,/z] c_ II~Y. ~ ( z , Y) llvt,,z,,/zl and so the set

izy i+1~

II ~Y. ~(z, Y) Ilvt,.,z,/z] can

be used as the initial approximant

This insight is of no help for evaluating alternating fixed points, such as !It(Z, Y)Ilvt~zo/z] as the initial approximant for ][ laY. ~(Z, Y) ]]v[vzl/z] becaus.e the ordering is now reversed: vZ ~ D.._vZ 1, and so ][laY. kh(Z, Y) ]]v[vzo/z] D_ ~laY. k~(Z, Y)]]v[vzl/z]. We do not know how to approximant a least fixed point from above or a greatest fixed point from below. The amount of alternation of fixed points in a formula has become a crucial measure when developing algorithms for checking properties of finite state systems, see [30, 47]9 v Z . 4~(Z, #Y. k~(Z, Y)). We cannot use the set []pY.

3.7

Preservation of bisiraulation equivalence

Modal logic characterizes strong bisimulation equivalence, as was shown in section 2.5. There are two halves to this result. First, two bisimilar processes have the same modal properties (even when enriched with modalities of section 2.2). Second, two image finite processes with the same modal properties are bisimilar. As modal logic is merely a sublogic of modal mu-calculus the second of these results remains true for this richer logic (and indeed for any extension of modal

201

logic). We may wonder if the restriction to image finite processes is still necessary for this result given that fixed points are expressible using infinitary conjunction and disjunction, and that infinitary modal logic Moo characterizes bisimulation equivalence exactly. Recall the example of the two clocks in section 2.5 that showed t h a t image finiteness is essential in the case of modal logic. The two clocks have the same modal properties but they are not bisimilar. The presence of fixed points allows us to distinguish them because one of the clocks has an infinite tick capability expressed by the formula uZ. (tick) which the other lacks. The following more complex example due to Roope Kaivola shows the continuing need for image finiteness (or a weakened version of it). Let {Qi : i E I} be the set of all finite state processes whose actions belong to {a, b}, and assuming n E N let P(n) def=an.b.P(n+ 1), R def=7~{a.Qi : i E I}, and pd_ef P(1) + R (where a~ is E and a n + l . E is a'~.a.E). The behaviour of P(1) is: P(1) - - ~ P(2) 2 ~ e ( 3 ) ~ t . . .

~"b P ( n + 1) a"+~b...

Consequently P and R are not bisimilar as this would require there to be a finite state process Qj that is bisimilar to b.P(2), which is not possible (via the pumping lemma for regular languages). On the other hand, P and R have the same closed modal mu-calculus properties. It also turns out that two bisimilar processes have the same modal mucalculus properties provided that they are expressed using closed formulas. Let F be this set of closed formulas, and let - / , be as in section 2.5. P r o p o s i t i o n 1 I r E ,~ F then E =-r F. Notice the significance of this result. Bisimilar processes not only have the same safety properties but also the same liveness, fairness, and cyclic properties when expressed using closed formulas. There is an indirect proof of this Proposition via Moo as the set F is a sublogic of it, and bisimulation equivalence preserves properties expressible within it. However we shall show how it can be proved directly, as we wish to expose some of the inductive structure of modal mucalculus. Let 7) be a fixed transition closed set of processes. A subset E of P is bisimulation closed if it obeys the condition: if E E E and F E P and E ,~ F then F E E. Proposition 1 is equivalent to the claim that for any closed 9 and set 7~ the subset [[4} [[ is bisimulation closed. L e m m a 1 If E and yr are bisimulation closed subsets of P then the sets C n y , E U ~-, ~[K] II7' C, and II(K)II ~' E are bisimulation closed. Associated with any subset C of P are the following two subsets: ca={EEC : if E N F and F E T) then F E C} C~={EE7 ) : E..~FandFEE} The set C a is the largest bisimulation closed subset of C, and E ~ is the smallest bisimulation closed superset of s both with respect to P.

202

L e m m a 2 For any subsets S and yr of 79, the sets Sd and gu are bisimulation closed and g d C g C Su. Moreover, if S is bisimulation closed then sd = S~, and if g C_ 9~ then ~ C_.~d and gu C_ yrs. A valuation 1) mapping variables to subsets of 7~ is bisimulation closed if for each variable Z the set 12(Z) is bisimulation closed. Therefore we can associate the two important bisimulation closed valuations 1)d and Vu with any valuation V: for any variable Z the set ])d(Z) = (V(Z)) d and V~(Z) = (V(Z)) ~. Proposition 1 is a corollary of the following result where 9 is an arbitrary formula of modal mu-calculus which therefore may contain free variables. P r o p o s i t i o n 2 / f i) is bisimulation closed then 11q~ [Iv is bisimulation closed. The proof of Proposition 2 is by simultaneous induction on the structure of with the following three propositions: 1. If ]2 is bisimulation closed then ~ IIv is bisimulation closed. 2: If ~r s then ~r s 3. I f g C_ ]]~[[v then g~ C__]]~][v*. This result tells us more than that bisimilar processes have the same properties when expressed using closed formulas. They also have the same properties when expressed by open formulas provided that the meanings of the free variables are bisimulation closed. The proof of this result also establishes that closed formulas of observable modal mu-calculus (built using/he modal operators [ g ] , [ ], ((lC)), and (())) are preserved by observable bisimulation equivalence.

3.8

Expressing properties

Modal mu-caleulus is a very powerful temporal logic which permits expression of a very rich class of properties. In this section we examine how to express a range of properties that pick out important features of processes. Informally a safety property states that some bad feature is Mways precluded. Safety can either be ascribed to states, that bad states can never be reached, or to actions, that bad actions never happen. In the former case if the formula ~c captures those bad states then vZ. 9 A [ - ] Z expresses safety. E x a m p l e 1 The safety property for the crossing of figure 7 is that it is never possible to reach a state where a train and a car are both able to cross: these bad states can be captured by the formula ( [ t c r o s s ] f f V [ccross]ff)% Therefore the required safety property is u Z . ( [ t c r o s s ] f f V [ccross]ff) A [-]Z. [] It is useful to allow the full freedom of the property notation by employing open formulas with free variables and appropriate valuations which capture their intended meaning. For instance i n the case of safety assume that S is the family of bad states, and so the formula uZ. Q A [ - ] Z expresses safety relative to the valuation 12 which assigns 7~ - E to Q. The variable Q has a definite intended meaning as given by V.

203

E x a m p l e 2 A safety property for the slot machine in figure 10 is that it never has a negative amount of money and therefore never pays out more than it contains. To express this we appeal to the open formula uZ.QA[-]Z with the free variable Q relative to the valuation 1) which assigns the set 7) - {SM i : j < 0} to Q. Here a bad state is a slot machine with a negative amount of money. [] The idea is that free variables should only express immediate properties of processes, as in example 2 (and not temporal features). When 12 is bisimulation closed with respect to the free variables of ~, we say that the property expressed by 9 relative to 1) is extensional: by Proposition 2 of the previous section this implies that ~ r IIv is also bisimulation closed 2 of the previous section. The safety formula in example 2 is extensional. If Q expresses a feature such as "has at least three parallel components" then it is intensional. Safety can also be ascribed to actions, that no action in K ever happens, which is expressed by the formula uZ. [ K ] f f A [-]Z. However there is really no distinction between safety in terms of bad states and in terms of bad actions. For the action case is just equivalent to saying that a bad state obeying ([K]ff) c, that is ( K ) t t , can not be reached. A liveness property states that some good feature is eventually fulfilled. Again it can either be ascribed to states, that a good state is eventually reached, or to actions, that a good action eventually happens. If 4~ captures the good states then pZ.4~ V ( ( - ) t t A [-]Z) expresses liveness with respect to state. Note the presence of ( - ) g g to ensure that 9 does become true. In contrast that eventually some action in K happens is expressed by the formula #Z. ( - ) t t A [-K]Z which states that any performance of actions other than K is well-founded, and not because the process terminates. There is not a reformulation of liveness with respect to actions in terms of liveness with respect to state, as a formula of the f o r m / z Z . ~ V ( ( - ) t t A [-]Z) where 4~ does not contain fixed points. For instance it is not expressed by either of the following pair:

(K)tt v (<-)it ^ [-]Z) /zZ. ( ( - ) t t A [ - K ] f f ) V ( ( - ) t t A [-]Z) The first is too weak as it merely states that eventually some action in K is possible without any guarantee that it happens. The second is too strong as it states that eventually only K actions are possible (and therefore must then happen). Weak liveness and safety properties may also be ascribed to states or actions. However recall that weak liveness is the complement of safety and weak safety is the complement of liveness. That 9 is eventually true in some run is given by (vZ. 4~c A [-]Z) c which is the formula #Z. 9 V ( - ) Z . And that some action in K happens in some run is expressed by (uZ. [ K ] f f A [-]Z) c which is the formula #Z. ( K ) t t V ( - ) Z . Weak state safety, that q~ is true throughout some run, is expressed by (/zZ. ~ V ( ( - ) t t A [-]Z)) c, which is the formula vZ. 4i A ( [ - ] f f V (-}Z) and that there is a run where no action in K occurs is (#Z. ( - } t t A

204

[ - K ] Z ) c which is vZ. [ - ] f f V ( - K ) Z . So in the case of weak safety there is the distinction between state and action. Liveness and safety may relate to subsets of runs. For instance they may be triggered by particular actions or states. A simple case is that if action a ever happens then eventually b happens, so any run with an a action must contain a later b action. This is expressed by the formula uZ. [al(ttY. ( - ) t t A [-b]Y)A [-I Z. A safety example is that whenever ~P becomes true, 4~c is then always precluded, expressed by uZ. (~Vc V (kv A uY. 9 A [-]Y)) A [ - ] Z . More complex is the expression of liveness properties under fairness. An example is the property that in any run if the actions b and c happen infinitely often then so does a which is expressed as follows: gZ. (~tX. [b](gV. [c](vVl. X A [-a]Vl) A [ - a ] V ) A [ - ] Z ) Here there is an essential fixed point dependency, as the occurrence of X is free within the fixed point subformula prefaced with vY. E x a m p l e 3 The desirable liveness property for the crossing of figure 7 is that whenever a car approaches the crossing eventually it crosses is captured by the formula

.z.

<->tt ^

^ [-]z

However this only holds if we assume that the signal is fair. Let Q and R be variables and l) a valuation such that Q is true when the crossing is in any state where Rail has the form green.tcross.red.Rail (the states E2, Ea, E6 and El0 of figure 8) and R holds when it is in any state where Road has the form up.~.down.Road (the states El, t33, /37 and E l l ) . The liveness property is: for any run if Q~ is true infinitely often and R ~ is also true infinitely often then whenever a car approaches eventually it crosses. This is expressed by the following open formula relative to

vV.[car](#X.vVl .( Q V [ - - ~ I ( v V 2 . (

RV X ) A [ - - ~ ] Y 2 )

)A[--~]Y1)A[--]Y

The property expressed here is extensional. In this case we can view Q and R as probes in the sense of [70]. [] Another class of properties is until properties' These are of the form # remains true until # becomes true, or in terms of actions K actions happen until a J action occurs (or a mixture of state and action). Again they can be viewed as holding of all runs, or some runs, or of a particular family of runs which obey a condition. The formula/~Y. ~P V (4~ A ( - - ) t t A [-]Y) expresses that 9 holds until ~P in every run. Note here the requirement that ~P does eventually become true. This commitment can be removed by changing fixed points. The property that in every run # remains true unless kV holds does not imply that ~P does become true, and so is expressed as vY. ~PV (r A [-]Y). Sometimes we are only interested in part of the behaviour of a process. There are many ways to understand what part of a behaviour means. A simple case is

205

when attention is restricted to a subset of the actions that a process can perform. Liveness, safety and until properties can therefore be relativized in this way. An example is the property that 4~ is eventually true in any run consisting of K actions. Cyclic properties can also be described in the logic. A simple example is that each even action is rock: if E0 a~ E1 a2 ... is a finite or infinite length run then each action a2i is took. This is expressed as vZ. [ - ] ( [ - - r o c k i e r A [ - ] Z ) . def

The clock Cll = t i c k . t o o k . Cll has this property. It also has the tighter cyclic property that every run involves the repeated cycling of t i c k and r o c k actions, expressed as vZ. [ - t i c k ] f f h [ t i c k ] ( [ - t o c k ] f f A [ - ] Z ) 2~ These properties can also be weakened to some family of runs. Cyclic properties that allow other actions to intervene within a cycle can also be expressed: E x a m p l e 4 Recall the scheduler from section 1.4 which timetables a sequence of tasks, and which must ensure that a task cannot be restarted until its previous performance has finished. Suppose that initiation of one of the tasks is given by the action a and its termination by b. The scheduler therefore has to guarantee the cyclic behaviour a b when other actions may occur before and after each occurrence of a and each occurrence of b. This property can be defined inductively:

cycle(ab) = [b]ff A [a] cycle(ha) A [-a]cycle(ab) cycle(ba) = [a]ff A [b] cycle(ab)/~ [-b] cycle(ba) Here we have left open the possibility that runs have finite length: appropriate occurrences of ( - - ) t t preclude it. An important issue is whether these recursive definitions are to b e interpreted with least or greatest fixed points, or even with a mixture of them. This depends upon whether intervening actions are allowed to go on forever without the next a or b happening. If we prohibit this, the property is expressed as follows: pY. [b]ff A [a](~uZ. [a]ff A [b]Y A [-b]Z) A [-a]Y The number of actions in the cycle can be extended.

[]

Another class of properties is given by counting. An instance is that in each run there are exactly two a actions, given by: /tX. [a](#Y. [a](vZ. [a]ff A [ - ] Z ) A ( - - ) t t A [-a]Y) A ( - - ) t t A [-a]X Another example is that in each run a can only happen finitely often, I.tX. uY. [a]XA

I-elY. However there are also many counting properties that are not expressible in the logic. A notable case is the following property of a buffer (which is a consequence of [62]): the number of out actions never exceeds the number of i n actions. s0 This formula leaves open the possibility that a run has finite length. To preclude it one adds ( - ) t t at the outer and inner level.

206

4

Verifying

Temporal

Properties

A very rich temporal logic has been introduced which is able to describe useful liveness, safety, cyclic and other properties of processes. The next step is to provide techniques for verification, for showing when processes have, o r fail to have, these features. To show that a process has, or fails to have, a modal property we can appeal to the inductive definition of satisfaction between individual processes and formulas, and a proof of a modal property thereby reduces to proofs of subproperties, as stipulated by the inductive definition of satisfaction. Therefore the transition graph of a process is not needed when proving modal properties. However in the case of modal mu-calculus the satisfaction relation between processes and formulas is defined indirectly. The primary semantics of a formula is defined in terms of every process in a transition closed set which has the property. One m e t h o d for determining whether E has r is to first present a transition closed set of processes containing E, second to calculate ~~ IIv with respect to this set, and then finally to check whether E belongs to it. When E has a small transition graph this is a reasonable technique. A s a general method it is cumbersome and not feasible for processes that determine enormous let alone infinite state transition graphs. Moreover, picking out all processes in a transition Closed set which have a weak liveness, safety or cyclic property may involve considerable redundancy if the intention is to show that a particular process has it. An alternative approach to showing that processes satisfy formulas is to appeal to their approximants as described in sections 3.5 and 3.6. A more direct definition of satisfaction is then available. However proofs will now require the use of induction over ordinals, and some care must be taken with limit ordinals. In the presence of embedded fixed points this will require the use of embedded induction. Moreover, we will then lose that simple idea that a proof of a property reduces to proofs of subproperties. Discovering fixed point Sets in general is not easy, and is therefore liable to lead to errors. Instead we would like simpler, and consequently safer, methods for checking whether temporal properties hold. Towards this end we first provide a different characterization of the satisfaction relation between a pro~ess and a formula in terms of games. It turns out that a process has a property just in case player II has a winning strategy for the game associated with this pair. Underpinning player II's successful strategy is the notion of a successful tableau. We therefore also present tableau proof systems for property checking, which were originally developed with David Walker [66] and Julian Bradfield [17]. 4.1

Games and constants

In this section we present an alternative characterization of the satisfaction relation between a process and a formula relative to a valuation in terms of game playing. A property checking game is a pair, a process and a formula, (E, r relative to a valuation N. As with equivalence games there are two players, I and

207

II. Player I a t t e m p t s to show t h a t E fails to have the property 4~ relative to l) whereas player II wishes to establish that E does have ~. Unlike equivalence games, players here do not necessarily move in turn 21. A play of the property checking game (E0,~0) relative to V is a finite or infinite length sequence of the form (E0, ~0). 99(En, 4i,) .... The next move in a play, the step from (Ej, ~ j ) to ( E j + I , ~ + 1 ) and which player makes it is determined by the main connective of ~ i . An essential ingredient is the use of auxiliary propositional constants, ranged over by U, which are introduced as fixed point formulas are met. Suppose an initial part of a play is (E0, r (Ej, 4i/). The next pair ( E j + ~ , ~ j + I ) is determined by one of the moves of figure 16, according the main operator of 4i~ Note the duality between the rules for A and V,

if #~ = #1 A !P2 then player I chooses one of the conjuncts #~: the process Ej+I is Ej and #j+l is #~. i r e i = !/rl V k~2 then player II chooses one of the disjuncts k~i: the process Ej+I is Ej and # j + l is ~i. if Cj = [K]k~ then player I choosesa transition Ej --2-+Ej+I with a E K and #j+l is ~. if ~j = {K)k~ then player II chooses a transition Ej a Ej+I with a E K and ~j+~ is ~. - if ~j = vZ. ~ then player I chooses a new constant U and sets U ~'~f vZ. k~: the process Ej+I is Ej and ~j+l is U. - if ~j = ~tZ. k~ then player II chooses a new constant U and sets U d=efttZ. k~: the process Ej+I is Ej and ~j+l is U. - if ~j = U and U ~f vZ. ~ then player I unfolds the fixed point so ~3+1 is k~{U/Z} and Ej+I is Ej. - if Cj = U and U d=_~f#Z. k~ then player II unfolds the fixed point so 4i+1 is ~{U/Z} and Ej+I is Ej. Fig. 16. Rules for the next move in a game play

[K] and (K), vZ. ~ and #Z. kP as they complement each other. Each time the current game configuration is (E, a Z . ~ ) a new constant U is introduced as an abbreviation for crZ.4~, and at the next step this fixed point is, in effect, unfolded once as the formula becomes r 22. The point of constants is to provide a mechanism for understanding when embedded fixed points recur. The rules for a next move are backwards sound with respect to the intentions of the players. If player I makes the move ( E j + I , O j + l ) from (Ej, Oj) and 21 It is straightforward to reformulate their definition so that players take turns. 22 The decision to make player I responsible for introducing and unfolding constants for maximal fixed point formulas and player II responsible for least fixed points is somewhat axbitrary, as these moves never provide real choice for either player. An alternative exposition is to appeal to a third participant, a referee who makes these moves.

208

Ej+l ~:v

(~j-bl t h e n Ej ~ v 4~j. In contrast, if player II makes this move and Ej+I ~ v 45j+1 then Ej ~ v ~bj. This is clear for the rules which govern boolean and modal operators. In the case of a fixed point formula this follows provided we understand the presence of a constant to be its defined equivalent. Formulas are no longer "pure" as they may contain constants. However we can recover a pure formula from an impure formula by replacing constants with their defined fixed def def points in reverse order of introduction: assuming that U1 - gzl ... Un = grn is the sequence of declarations in order of introduction, the meaning of ~ is just ~P{g/n/Un}... {~Pl/U1}. Consequently the fixed point unfolding principle, that E ~ v a Z . ~ iff E ~ v ~{crZ.r justifies the backwards soundness of the moves determined by constants. A player wins a play of a game in the circumstances depicted in figure 17. If the configuration (E, t t ) or (E, Z) when E E ])(Z) is reached in a play

Player II wins

Player I w i n s

1. The play is (Eo, 40)... (En, 4n) and either 4 . = t t or 4 . = Z and E E I;(Z).

1'. The play is (Eo, 4 0 ) . . . (E,,, 4, 0 and either 4 , = f f or 4 , = Z and E ti~ V(Z).

2. The play is (E0,4o)... (E,,,4~) and 4n = [K]~ and the set {F : E - - ~ F andaE K } = O .

2'. The play is (Eo,4o)... (E~,4,) and 4 . = ( K ) ~ and the set {F : E ~', F and a E K } =O.

3. The play is (Eo,4o)... (E,~,4.) 3'. The play is (Eo, 4 0 ) . . . (En, 4n) and 4~ = U and U ~f uZ. 4 and and 4,~ = U and U d__~f/zZ.4 and Ei=E~anddi=4~fori
then player I cannot refute that E ~ v t t or E ~ v Z, and therefore player II wins. Instead if the configuration reached is (E, ( K ) ~ ) and there are no available transitions from E then player II is unable to establish that E ~ v (K)dL Similar comments apply to the dual conditions 1~ and 2. The other circumstances when a player is said to win a play concern repetition. If the configuration (E, U) is repeated in a play when U abbreviates a maximal fixed point formula then player II wins. Dually if U abbreviates a least fixed point it is player I that

209

wins 23. More generally as a play can have infinite length this repeat condition for winning is generalized. Player I wins an infinite length play if there is a least fixed point constant U which is traversed infinitely often, and player II wins if there is a greatest fixed point constant U which occurs infinitely often, and only one of these can happen. L e m m a 1 If (Eo,~o)... (En, ~ n ) . . . is an infinite length game play then there

is exactly one constant U which for infinitely many j, ~1 = U. This lemma shows the role of constants (as they provide an exact account of when the same fixed point subformula is repeated). As with equivalence games, a strategy for a player is a family of rules which tells her how to move depending on what has happened earlier in the play. A player uses the strategy Ir in a play if all her moves in the play obey the rules in It. The strategy ~ is winning if the player wins every play in which she uses lr. Every game (E, 4~) relative to l; is determined, that is either player I has a winning strategy or player II has a winning strategy, and this strategy is history free in that the rules do not need to appeal to moves that occurred earlier in the play. So a strategy for player I tells her how to move in the game configurations (E, ~1 A ~2), (E, [g]~), (E, vZ. ~) and (E, U) when U dej vZ. (~, and a strategy for player II is similar, as it decides the next configuration when the current one is ( E , ~ I V~2), (E, ( g ) r ( E , # Z . ~ ) and (E, U) when V dee ]AZ.~. Player II has a winning strategy for (E, # ) relative to 13 just in case E has the property 9 relative to 1). T h e o r e m 1 E ~ v ~ iff player H has a winning strategy for the game (E,r

relative to l;. Theorem 1 yields an alternative account of the satisfaction relation between processes and formulas. Game playing does not require explicit calculation of fixed points, nor does it depend on induction over approximant indices. Moreover it does not require the construction of the transition graph of a process. Game playing also maintains the principle that a proof of a property reduces to subproofs of subproperties, provided that we view the unfolding of a fixed point formula as a subformula. There is another feature which could be exploited, the possibility of more sophisticated game playing where moves m a y also be guided by the algebraic structure of a process expression. As an infinite length game play must traverse a particular constant infinitely often, it follows that when E is finite state a play of (E,q~) has finite length. There is also an exponential upper bound on the number of different plays up to renaming of constants of such a game. Property checking of finite state processes via game playing is therefore decidable. However this is not a very time efficient method as the length of a play may be exponential in the number of fixed point operators in a formula. In section 4.3 we provide less costly techniques based on games. For the remainder of this section we illustrate game playing. 23 These two conditions 3 and 3' are in fact redundant. We only include them because they guarantee that any play of (E, ~) has finite length when E is finite state.

210

E x a m p l e 1 Player II has a winning strategy for the game (Cl, uZ. (tick)Z). The only possible play is (Cl, ~Z. (tick)Z) (Cl, U) (Cl, (tick)U) (Cl, U) up to renaming the constant: the winning strategy here is, in effect, the empty set of rules, as player II has to make the move (Cl, U) from the configuration (Cl, (tick)U), and choice of fixed point constants does not affect play. Player II also has a winning strategy for (Cls, vZ. (tick)Z) with respect to the slightly different clock Cl5 deg tick.C/5 + tick.0. A winning play is almost identical to the previous game play, (Cls, uZ. (tick)Z) (Cls, U) (Cls, (tick)U) (Cls, U): the important part of the winning strategy is the rule, if (Cls, (tick)U) is the current configuration then choose (CI~, U) as the next move. [] E x a m p l e 2 Cat is a simple infinite state system, Cat def up.(Cnt I down.0). It has the property that it may do up forever, as the single play of (Cat, ~,Z. (up/Z) is won by player II. However this play has infinite length:

(c.t,

Z)(c.t, u)(c.t, U)(c.t I do.n.0, u)...

Player II wins because the constant U recurs infinitely often. For a similar reason player I wins the only play of (Cat, #Z. [up]Z) as then a least fixed point constant occurs infinitely often. V3 E x a m p l e 3 Assume that D and D ~ are as in example 1 of section 3.4, with D a , D ~,D, a , D a n d D ~ b~0, and let gr be the formula:

I.tY. uZ. [a](((b)tt V Y) A Z) D' (and D) fails to have the property kP, and so player I has a winning strategy for the game (D', ~). The important rules in this strategy are: if (D, ((b)ttVU1)AU2) is the current configuration, for any [/1, 0"2, then choose (D, (b)tt V [/1) and if it is (D', ((b)tt V U1) A [/2) then choose (D', U2). The play proceeds:

(D', ~P)(D', U) (D', uZ. [a](((b)tt V U) A Z)) (D', V) (D', [al(((b)tt V U) A V))(D, ((b)tt V U) A V) (D, (b)tt V U) At this last configuration player II has a choice. If she chooses the first disjunct she then loses because there is not a b transition from D. So the play proceeds:

(D, U) (D, uZ. [al(((b)tt V U) A Z)) (D, W) (D, [al(((b)tt V U) A W)) (D', ((b)tt V U) A W) (D', W) (D', [a](((b)tt V U) h W)) (D, ((b)tt V U) h W) (D, (b)tt V U) Again player II has a choice at (D, (b)tt V U), but both options lose: as D has no b transition she can not choose the first disjunct, and the second disjunct gives a repeat configuration. Note the essential requirement in game playing that a new constant is introduced when a fixed point is met, and so both V and W are introduced for the same fixed point formula. []

211

4.2

Tableaux

When processes are game equivalent, as developed in section 2, a bisimulation relation expresses player II's winning strategy. We now develop a tableau proof system for property checking so that a successful proof tree captures a winning strategy for player II. Here we restrict ourselves to finitely branching processes. The proof system here was first presented in [66]. It is guaranteed to show properties of finite state processes, and is a precursor of a later property checker Which can also establish temporal features of infinite state processes. A proof is built from sequents of the form E ~-w ~ which are analogues of the semantic notion E ~w 4 and of the game configuration (E, 4 ) relative to 1;. Usually the index l; is dropped from Fy 9 The proof system is goal directed, similar in style to the rules we presented for transitions in section 1. Each proof rule has the form

with n _> 1 and possibly with side conditions. The premise sequent E F 4~ is the goal to be achieved (that E has the temporal property 4 ) while the consequents are the subgoals. The rules are presented in figure 18. Again we use

A

EF~A~

EF4~ EF~v~ V EF4~ E F [g]~ [K] E 1 F r ... E n F r

{ f : E - - ~ F and a E K} = { E 1 , . . . , E , }

E F

(g)

EF~ EF~v~ v EF@

(K/+ E - ~ F a n d a e K

FFr

a'Z. E F aZ. + U d~--4~aZ. ~ and U is new Et-U U

E~-U U =deaf Z . ~ E ~- + ( U / Z }

Fig. 18. Tableau rules

auxiliary propositional constants~ ranged over by U, as abbreviations of fixed point formulas. The rules are backwards sound in the sense that if all the consequents of any rule are true then so is the premise goal. This is clear for fixed point formulas provided we understand the presence of a constant to be its defined equivalent as in the previous section.

212

To test whether E has the property 9 relative to V, one tries to achieve the goal E Fv 9 by building a successful tableau, a finite proof tree whose root is labelled with this initial sequent, and where all the leaves are labelled by sequents that are true. Sequents labelling the i m m e d i a t e successors of a node labelled F I- k~ are determined by an application of one of the rules, dependent on the form of ~. As the rules are backwards sound, it follows that if the leaves of a finite proof tree are true then so is the root. So we need to present conditions for when a node in a proof tree counts as a leaf. We assume t h a t the rules above only apply to nodes of a proof tree that are not terminal. A node n labelled with the sequent F F !/+ is terminal if one of the following conditions hold: Successful terminal

Unsuccessful terminal

1.~=tt or~=ZandFEV(Z) 2. ~ = [K]O and the set {E : F a,EandaEK}=O 3. gr = U and U d__.efvZ. 9 and and there is a node above n labelled F h

1'. ~ = f f or ~' = Z and F ~ V(Z) 2 ' . ~ -- (K)O and the set { E : F--~-+ E and a E K } =O 3 / ~ = U and U d__ef#Z. q~ and there is a node above n labelled F h

It is clear that nodes labelled with sequents which obey 1 or 2 are successful as then F has the property ~ relative to 1), and similarly nodes labelled with sequents fulfilling 1~ or 2 ~ are not true. The remaining two conditions are analogues of termination of a finite length game play through repetition, and are pictured in figure 19. It is at this point that we distinguish in the proof theory

9

ef U d= uZ.~

F~-U

U de~ = #Z.~ FFU

:

FI-U

FFU

Successful

Unsuccessful

Fig. 19. Termination through repetition

between the two kinds of fixed points as they are not differentiated by the rules earlier9

213

D e f i n i t i o n 1 A successful tableau for E by 4 is a finite proof tree whose root is labelled with E t-v 4, and all other nodes are labelled with sequents which are the result of an application of one of the rules to the sequent labelled at the node immediately above them, and all of whose leaves are successful (obey conditions 1, 2 or 3 above). A path in a finite proof tree for E0 ~ 40 is a finite sequence of labelled nodes E0 t- 4 0 . . . E n ~ 4n where each one lies directly beneath its predecessor, and where the final node (labelled En ~ 4n) is a leaf. Associated with a path is the game play (E0,40)... ( E , , 4 , ) . In the case of a successful tableau, player II wins each of these plays. Moreover all the possible choices player I can make are present in the proof tree (up to renaming of constants), A successful tableau for E F r is a concrete expression of player II's winning strategy for the game (E, 4), and is therefore a proof that E has the temporal property 4. P r o p o s i t i o n 1 If E F'v 4 has a successful tableau then E ~ v 4. E x a m p l e 1 A complete description of the clock Cl is that it perpetually ticks and can do nothing else. This singular capability is expressed by the following formula, vZ. ([--tick]ff A ( - / t t ) A [-]Z. Below is a proof that C! has this property, where we omit the side conditions on the [K], (K/, #Z, and constant 9rules.

Cl k . z .

^ <-)it) ^ [ - ] z Clk U

Cl e

cl

[-tick]

ct F [-tick]

^ <-)tt) ^ [-]u

^ (->it Ct k (-)it

CI~ U

Cl N tt

There are three kinds of successful leaf here.

[]

E x a m p l e 2 The vending machine Ven, from section 1.1, has the property that whenever 2p is deposited eventually a big item is collected, which is expressed by the formula ~P= uZ. [2p](#Y. ( - ) t t A [ - c o l l ectb]Y) A [-]Z. A successful tableau is presented in two stages in figure 20 where 4 abbreviates the subformula #Y. ( - ) t t A [--collectb]Y, and cb. Ven and ct. Ven abbreviate collectb. Ven and coZlectl. Ven. Notice how similar the subtableaux T1 and T2 are. Later we examine how to amalgamate their proof trees. [] E x a m p l e 3 Let D and 4 be as in example 1 of section 3.4. The resulting successful tableau for D b 4 is presented in figure 21. Notice the important requirement that a new constant is introduced when a fixed point is met. Both V and W abbreviate the same fixed point formula. [] The tableau proof system presented here is complete for finite state processes. This is a consequence of the game characterization of satisfaction.

214 Ven h ~P Venh U

re. F [2p]~ ^ [ - ] u Ven I-- [-]U

Veil F- [2p]~

T1

Venb h

Ven~, h V Venb }- (--)it^ Venb [r

[--r

(--)it

Venb I- [ - c o l l e c t b ] V

Veil 1"- tt

cb. Ven I- V

cb. Veil ~- (-)it A

[-r

cb. Veil }- ( - - ) t t c b . Ven ~- [-collec%]V Ven ~- tt

T1 Venb h U

wil~ F- [2p]~ ^ [ - ] u v~.~ ~- [2p]~

w . ~ ~- [ - ] u Venb I- [-]U cb. Ven F- U

cb. Wn b [2p]~ ^ [ - ] U ~ . Veil ~- [2p]~

cb. wil ~- [-]u Ven h U

T2 Venl b- U

Wn, ~- [2d~ ^ [-]U Vent I- [2p]~

Veto I-

[-]U

Vent I-

[-]U

c~. Ven I- U ~,.

veil F [2p]~ ^ [ - ] v

ct. Veil I- [2p]~

cl. Ven I- [ - ] U Ven I- U

Fig. 20. A successful tableau for Ven

T2

215

DI-~ DFU

D F- I~Y.[a](((b)tt A U) V Y) D~'V

D I- [a](((b}tt A U) V V) D' I- ( ( b ) t t A U) V V

D' t- (b)tt A U D' F"(b)tt

D' F" U

OI-tt

D' I- #Y. [al(((b)tt A U) V Y) D'~-W

D' I- [a](((b)tt A U) V W) D ~ ((b)tt^ u) v w

DFW

D F [a](((b)tt h U) V W)

D' F ((b)tt A u) v w D' F (b)tt A U D'l-(b}tt

D'~-U

OI-tt

Fig. 21. A successful tableau for D t-

P r o p o s i t i o n 2 I f E is a finite state process and E ~ v ~ then E k v 9 has a successful tableau: 4.3

Refinement

of games and tableaux

In this section we refine the definition of game play to provide a more efficient characterization of the satisfaction relation by reintroducing constants. We then show how this refinement affects the construction of tableaux. Figure 16 contains the rules for the next move in a play whose initial part is (E0,4~0)... (Ej, 45j). We now change the rules for introducing constants for fixed points, and divide each of them into two cases. - if 4ij = vZ. ~ and player I has not previously introduced a constant V

dej

216

uZ. ~P then player I chooses a new constant U and sets U ~ f uZ. ~P: the process Ej+I is Ej and ~ j + l is U. def

-

if ~j = / ~ Z . ~ and player II has not previously introduced a constant V = def

pZ. kV then player II chooses a new constant U and sets U = #Z. ~: the process Ej+I is Ej and ~j-]-I is U. - if 4 j = t,Z. kv and player I has previously introduced a constant V d__efvZ. then Ej+I is Ej and ~ j + l is V. - i f ~ j = #Z. ~ and player II has previously introduced a constant V d__cf#Z. ~P then Ej+I is Ej and 4j+1 is V. This change means t h a t constants are reintroduced as abbreviations for the same fixed point formula. All the other moves and who is responsible for t h e m remain unchanged. 9We also need to change the criteria for when a player wins a play. The winning conditions for the earlier games are given in figure 17. We retain the conditions 1, 2, 1~ and 2~: for instance if the configuration reached in a play is (F, [K]kV) and the set {E : r a E and a e K } is e m p t y then player II wins. The other conditions 3, 4, 3 ~ and 4' need to be redefined because constants are reintroduced. An infinite length play m a y now contain more than one constant that recurs infinitely often. The following definition provides a useful notion t h a t will be used in the reformulated termination conditions. D e f i n i t i o n 1 The constant U is active in 9 iff either U occurs in q~, or some def

constant V = erZ.~P occurs in 4, and U is active in ~Z.~P. The discipline of introducing constants ensures t h a t being active is well defined. If U1 def : O'Zl.k[r ...Un def : ~rZn.kVn is the sequence of declarations of distinct constants in order of their initial introduction then although Ui can be active in Uj when i < j it is not possible for Uj to be active in Ui. Activity of a constant can be extended to finite or infinite length sequences of formulas: we say t h a t U is active throughout 4 0 . . . 4n . . . if it is active in each t i The following l e m m a governs the remaining Winning conditions. L e m m a 1 i. / f ( E 0 , 4 0 ) . . . ( E n , 4 n ) is an initial part of a game play and r = 4n for some i < n, then there is a unique constant U which is active throughout r and which occurs there, ~j = U for some j : i <_j <_ n. ii. If (Eo, 4 0 ) . . . (En, 4 n ) . . . is an infinite length game play then there is a unique constant U which occurs infinitely often and is active throughout r . . . 4 , , ... for some j >_ O. A repeat configuration (E, ~P) when ~P is any formula, and not just a constant, terminates play. W h o wins depends on the sequence of formulas between (and including) the identical configurations. There is exactly one constant U which is active throughout this cycle and which occurs within it: if it abbreviates a m a x i m a l fixed point formula then player II wins and otherwise it abbreviates a

217

least fixed point formula and player I wins. This replaces conditions 3 and 3 ~ of figure 17. In any infinite length play there is a unique constant which is traversed infinitely often and which is active for all but a finite prefix: if this constant abbreviates a maximal fixed point formula player II wins and otherwise player I wins. This replaces conditions 4 and 4 ~ of figure 17. These revised termination conditions are pictured in figure 22. Again the conditions 3 and 3 ~ are redundant, and are only included because they guarantee that any play from a finite state process has finite length.

Player I l w i n s

:

U~fvZ.#

Player I wins

:

U~fI~Z.#

(E,~)

T

(E,~I')

T

: (F, U)

U active

: (F, U)

U active

: (E,~)

throughout I

: (E,~)

throughout I

Player II wins

9

U de=fvZ. 9

9

"

U %~ zZ.

o

(Ek, U) : (E3, U)

Player I wins

(Ek~,U) T

(Ej, U) T

U active

. U active (E,~, U)

(E~, U) throughout

throughout

Fig. 22. Revised repeat winning conditions

A strategy is again a set of rules which dictates how a player should move, and it is winning if the player wins every play in which she uses it. For each

218

game (E, ~) one of the players has a winning strategy, which is again history free. T h e o r e m 1 E ~ v ~ iff player II has a winning strategy for (E, ~) relative to 13. When E is a finite state process let IEI be the number of processes in 7~(E), and let I~1 be the size o f ~ (the number of symbols within it). There are at most IEI • I~1 different configurations in any game play (up to renaming of constants). This means that any play of ( E , r has length at most 1 + (IEI • I~1). E x a m p l e 1 A case where game playing is shorter is example 3 of section 4.1. Let D a D', D' a D and D' b_~ 0, and let ~ be I~Y. uZ.[a](((b)ttVY)AZ). Player I's winning strategy for (D ~, ~) is the same as in that example. The play proceeds: (D', ~) (D', U) (D', uZ. [a](((b)tt V U) A Z)) (D', V) (D', [a](((b)tt V U) A V)) (D, ((b)tt V U) A V) (D, (b)tt V U) At this configuration player II has a choice. If she chooses the first disjunct she then loses because there is not a b transition from D. Otherwise the play proceeds: (D, U) (D, uZ. [a](((b)tt V U) A Z)) (D, V) (D, [a](((b)tt V U) A Y)) (D', ((b)tt V U) A V) (D', V) There is now a repeat configuration (D ~, V). Consider the sequence of formulas in this game cycle, between and including these identicM configurations:

Y [a](((b)tt V U) A V) ((b)tt V U) A V (b)tt V U U uZ.[a](((b)ttVU)AZ) [a](((b)ttVU)AV) ((b)ttVU)AV V The constant V is not active throughout this sequence (because it is not active in the formula uZ. [a](((b)tt V U) A Z)). However V is active throughout and also occurs there, and because it abbreviates a least fixed point formula player I is the winner. [] A tableau proof system was introduced in section 4.2 in such a way that a successful tableau concretely represents a winning strategy for player II (when the game process is finite state). Given the refinements above to game playing we now redefine this tableau proof system. The only change to the rules is that when a fixed point formula is met again the same constant is reintroduced, new constants are only introduced for fixed point formulas that have not been met before. To test whether E has the property ~ one tries to build a successful tableau for E ~-v ~ which is a finite proof tree whose root is labelled with this sequent. The leaves have to be successful as defined in section 4.2, except for the case of termination because of repetition. The new conditions for terminating through repetition are:

219

9 :

U~f~Z.r

E~, : F~-U :

T U active throughout

Successful

:

U~fpZ.r

E~,

T

: Ft-U :

U active throughout

Unsuccessful

Again it is at this point that we distinguish in the proof theory between the two kinds of fixed points, as they are not differentiated by the rules earlier. As before a successful tableau for E ~- 9 expresses player II's winning strategy for the game (E, ~) and is therefore a proof that E has the property ~. P r o p o s i t i o n 1 I f E t-v ~) has a successful tableau then E ~ v ~. E x a m p l e 2 The tableau proof that D satisfies q~ = L,Z. pY. [a](((b)tt A Z) V Y) w h e n D a ) D ~ a ) D a n d D ~ b) 0 is given in figure 23. This proof is shorter than the previous proof in figure 21. As U, a maximal fixed point constant, is active throughout the cycle from D ~- V to D ~- V and occurs within it the tableau is successful. [] The tableau proof system presented here is again complete for finite state processes. This is again a consequence of the game chaiacterization of satisfaction. P r o p o s i t i o n 2 I f E is a finite state process and E ~w ~ then E ~-v 4~ has a successful tableau. 4.4

Game graphs and algorithms

Assume that E is a finite state process. The game graph for (E, 4~) relative to ]) is the graph representing all possible plays of the game ( E , ~ ) , of the previous section, modulo a canonical means of choosing constants. The vertices are pairs (F, ~), configurations of a possible game play, and there is a directed edge between two vertices vl ) v2 if a player can make as her next move v2 from vl. Let G ( E , ~ ) be the game graph for ( E , ~ ) , and let IG(E,~)I be its vertex size which we know, from the previous section, is no more than IE[ x Ir The complexity of property checking is NP N co-NP. This follows from the observation that giyen a strategy for player II or player I it is straightforward to check in polynomial time whether or not it is winning: the technique in [29] is easily convertible into game playing.

220

Dt-~ DI--U

D I- #Y. [a](((b)tt A U) v Y) D~-V

D I- [a](((b)tt h U) V V) D' F ((b)tt A U) V V D' F (b)tt A U D' I- (b)tt

D'FU

OFtt

D' t- #Y. [a](((b)tt A U) V Y) D'F V

D' F [a](((b)tt A U) V V) D F ((b)tt A U) V V DFV

Fig. 23. A successful tableau for D b- 4~

We can easily ensure that game playing must proceed to infinity by adding extra moves when a player is stuck (and removing the redundant repeat termination conditions 3 and 31 of the previous section). The resulting game graph is then an alternating automaton: the and-vertices are the configurations from which player I proceeds and the or-vertices are those from which player II moves, and the acceptance condition is given in terms of active constants. See [10] which directly uses alternating automata for property checking. An important open question is whether model checking modal mu-calculus formulas can be done in polynomial time (with respect to IEI x 14~1).One direction for research is to provide a finer analysis of successful strategies, and to be able to describe optimizations of them. New insights may come from the relationship between the games developed here and other graph games where there are such descriptions. The property checking game can be (easily) abstracted into the following graph game. A game is a graph with vertices { 1 , . . . , n} where each vertex i has two directed edges i ---. j l and i * J2. Each vertex is labelled I or II. A play is an infinite path through the graph starting at vertex 1, and player I moves from vertices labelled I and player II from vertices labelled II. The winner of a play is determined by the label of the least vertex i which is traverse.d infinitely often: if i is labelled I then player I wins, and if it is labelled II then player II wins. A

221

player wins the game if she has a winning strategy (which again is history free). For each game one of the players has a winning strategy. Notice that this graph game is described without mention of property checking. Simple stochastic games [26] are graph games where the vertices are labelled I, II or A (average), and where there are two special vertices I-sink and II-sink (which have no outgoing edges). As above each I, II (and A) vertex has two outgoing edges. At an average vertex during a game play a coin is tossed to determine which of the two edges is traversed each having probability 89 More generally one can assume that the two edges are labelled with probabilities of the form a where {3 < p < q < 2"~ for some m, as long as their sum is 1. A game play ends when a sink vertex is reached: player II wins if it is the II-sink, and player I otherwise. The decision question is whether the probability that player II wins is greater than 89 I t is not known whether this problem can be solved in polynomial time, although in [26] it is shown that it does belong to to NPf3coNP. In [48] a "subexponential" (2 ~ algorithm is presented, which works by refining optimal strategies. A polynomial time algorithm for simple stochastic games would imply that extending space bounded alternating Turing machines with randomness does not increase the class of languages that they accept. Mark Jerrum noted that there is a reduction from the graph game to the simple stochastic game. The idea is to add the two sink vertices, and an average vertex il for each vertex i for which there is an edge j ~ i with j > i. Each such edge j ~ i when j > i is changed to j ~ il. And the vertex il has an edge to i, and to I-sink if i is labelled I or to II-sink otherwise. With suitable rational probabilities on the edges, player II has a winning strategy for the graph game iff she has one for the simple stochastic game. 4.5

Generalizing tableaux

We have presented characterizations of when a process has a temporal property using games. We also developed tableau proof systems for verifying that processes have properties. However, a successful proof is only guaranteed in the case that a property holds of a finite state process. We would like a more general proof technique that also allows us to show properties of processes that are infinite state. Even in the finite state case a more general proof m e t h o d may be useful, as a tableau proof may become too unwieldy because of its size. There are various classes of infinite state system. Process definitions may involve explicit parameterization: examples include the counter Cti and register Reg~ of section 1.1, and the slot machine SMn of section 1.2. Each iristantiation of these processes is itself infinite state and contains the other family members within its transition graph. However the parameterization is very useful as it reveals straightforward structural similarities within these families of processes. Another class of processes that is infinite state is entirely due to the presence of data values. The protocol of section 1.2 is a paradigm example. However there are different degrees of involvement of data within these processes, depending on the extent to which data determines future behaviour. At one extreme are

222 examples such as the Protocol which pass data items through the system oblivious of their particular values. A number of authors has identified classes of processes which are in this sense data independent. At the other extreme are systems such as T(i) of section 1.1 where future behaviour strongly depends on the value i. In between are systems such as the register where particular values are essential to change of state. A third class of processes is infinite state independently of parameterization. An instance is the counter Count of section 1.5. Here the system evolves its structure as it performs actions. In certain cases processes that are infinite state in that they determine an infinite state transition graph are in fact bisimulation equivalent to a finite state process. A simple example is that C de f a.C I b.C is bisimilar to C' ~ f a.C' + b.C'. Another interesting subclass of infinite state processes are those for which bisimulation equivalence is decidable. Two examples are the context free processes and the basic parallel processes [23, 22]. A final class of systems is also parameterized. However for each instance of the parameter the system is finite state. Two paradigm examples are the buffer B u f f , and the scheduler Sched,, both from section 1.4. Although the techniques for verification of temporal properties apply to instances they do not apply to the general families. In such cases we would like to prove properties generally, to show for instance that for each n > 1 Sched, is free from deadlock: T h e proof of this requires exposing structure that is common to this whole family. In this section we present a simple generalization of satisfaction, and examine how it can be used to provide a tableau proof system. The full story of this proof system (presented with Julian Bradfield in [18]) continues into the next section. A straightforward generalization of satisfaction is as a relation between a set of processes and a formula. We use the same relation ~ v for this extension. If 79 is a transition closed set with g C 79 then I s ~v r

iff g C II4~ IIv ~

I

As before we write g ~ r when there is no valuation, or when the valuation can be understood from the context. E x a m p l e 1 The family of counters of figure 4, {Cti : i > 0}, has the property [up]([round]ff A [up] (do,n)(down)tt). The following proof uses the expected inductive definition of s ~ 4~ (which is discussed below):

{Ct.i : i >

O} ~ [up]([round]ffA [up](do.n)(down)it)

i} ~ [round]:ffA [up](down)(do.n)tt l} ~ [round]ffand {Ctl : i _> l) ~ [up](doun)(doun)tt i >_ 1} ~ [up](do.n>(down)tt i >__2} ~ (do.n)(down)tt i > 1} ~ (do.n)tt i > 0} ~ tt

iff {Cti : i > iff { Cti : i >

iff iff iff iff

{ Cti { Cti { Cti { Cli

: : : :

This proof is more direct than appealing to induction on process indices.

[]

223

Example 1 utilizes some obvious properties of satisfaction between sets of processes and formulas. Below are necessary and sufficient conditions for all the connectives using a little notation which we shall explain.

E~v~IA~2iffE~vr andE~v~2 E ~V ~1 V ~2 iff 3El, E2. E1 U E2 = E and ~1 ~ E ~ v (K)~

iff there is a choice function f : E

E

ifr E

r

and E2 ~v 4~2 , K(E) and f(E) ~ v

The case of conjunction is the most straightforward. Disjunction is more complex. When E ~ v ~1 V ~2 the set C can be spit into two subsets E1 and E~ with Ei ~ ~i: note that one of these sets could be empty 24. For the modal cases we utilise notation. If E is a set of processes and K is a set of actions then K ( E ) is the set { F : 3 E E E.3a E K. E ._L. F}, which is the set of processes reachable by K transitions from members of E. In example 1 { u p } ( { C t l : i > 0}) = { C t i : i > 1}. The set E has the property [K]~ iff K(E) satisfies 4~. For the diamond modality we appeal to functions. A function f : E > K(E) is a choice function provided that for each E E E there is an a E K with the feature that E a ~ f ( E ) . When f is such a function we let f ( E ) = { f ( E ) : E e E}. The set E satisfies (K)4~ just in case there is a choice function f : E , K ( E ) where f ( E ) satisfies 4~. In example 1 there is the function f : { C t i ; i > 2} , { d o w n } ( { C t i ; i > 2}) given by f ( C t i + l ) = Cti, which justifies one of the proof steps. This leaves the difficult cases of the fixed points. We shall make use of the principles developed in previous sections which appeal to games. Note however that the fixed point unfolding principle holds for the generalized satisfaction relation. We wish to extend the tableau proof system of section 4.2 to encompass sets of processes having a property. Therefore we extend the basic sequent E [-v to E t-v ~, and as usual we drop the index ]) wherever possible. Each proof rule has one of two forms:

possibly with side conditions. As in section 4.2 the premise sequent E F- ~ is the goal to be achieved (that every process in E has the property ~) while the consequents are the subgoals. The tableau proof rules are presented in figure 24. As 9 we are generalizing the proof system of section 4.2 new constants are introduced as fixed point formulas are met: this makes termination less complex than if we generalized the proof system of section 4.3 where constants are reintroduced. There is one new kind of rule, a structural rule Thin, which allows the set of processes in a goal sequent to be expanded. Clearly, the rules are backwards sound. To show that all the processes in E have the property 4~ relative to 13, one tries to achieve the goal E Fv r by building a successful tableau. As before a successful

24 By definition 0 ~ v ~ for any ~.

224

A

v

C=E~

u82

(K) Ef ( FE )(K)# .P r~ f : E -~ K(E) is a choice function

[K] K ( e ) P a'Z.

g l - aZ.q~ U ~f aZ. ~ and U is new EFU

U g F O{U/Z}

o'Z. ~

Thin ~

e C -~"

Fig. 24. Tableaux rules

tableau is a finite proof tree whose root is labelled with this initial sequent, and where all the leaves are labelled by sequents that are successful. Sequents labelling the immediate successors of a node labelled :~ F ~ are determined by an application of one of the rules, either by Thin or by the rule for the main connective of k~. The crucial missing ingredient is when a node counts as a terminal node. The definition of a leaf in a tableau is, as we shall see in the next section, underpinned by the game theoretic characterization of satisfaction. A tableau now captures a whole family of games. For each process in the set of processes on the left hand side of a sequent determines a play from it and the property on the right hand side. A node n labelled by the sequent ~ F !P is terminal in the circumstances described in figure 25. Clearly a node labelled with a sequent

Successful terminal

Unsuccessful t e r m i n a l

I. ~ = tt or

1'. k ~ = f f o r

k~ = Z and Y C_ l;(Z)

= Z and ?" ~ / 2 ( Z )

2. ~ ' = 0

2'. ~P = (K)~ and for some F ~ 7 . K({F}) = 0

3. ~ = U and U ~ f vZ. ~ and there is a node above n

3.' k~ = U and U d___cf#Z. 9 and there is a node above n labelled s F U with ~" _.DE

labelled 8 ~ U with E D ~r

Fig. 25. Tableau terminals

fulfilling 1 or 2 is successful, and similarly any node labelled with 1' or 2' is not

225

true. The other two conditions are generalizations of those for the proof system

:

U~uZ.4

:

C~_F

,

def

:

U = #Z.O

:

~_C

EFU

E.I--U

OrFU

~FU

Successful

Unsuccessful

Fig. 26. "Repeat" termination conditions of section 4.2, and are pictured in figure 26. The justification for the success of condition 3 can be seen by considering any infinite length game play from a process in E with respect to the property U which cycles through the leaf ~" t- U. As :T C ,~ the play continues from this companion node. Such an infinite play must pass through U infinitely often, and is therefore a win for player II. A successful tableau for E ~-v 4i is a finite proof tree all of whose leaves are successful. A successful tableau only contains true leaves. P r o p o s i t i o n 1 I f E b'v q~ has a successful tableau then E ~ v O. However as the proof system stands, the converse is not true. A further termination condition is needed for least fixed point constants. However this condition is a little complex and so we delay its discussion until the next section. Instead we present various examples that can be proved without it. In the following we write E ~- 4~ instead of {E} ~- q~. E x a m p l e 2 It is not possible to show that Cnt has the property uZ. (up)Z using the tableau proof system of section 4.2, when Cnt is the infinite state process, Cnt ~ f u p . ( C n t [ down.0). There is a very simple proof within this more general proof system. Let Cnto be Cnt and let Cnti+l be Cnti I down.0 for any i > 0. Cnt F uZ.

{Cnt

(up)Z

: i _> 0}

. z . (up)Z

{ Cnt~ : i > O} ~- U {Cnt

: i >_ 0}

(up)U

{ Cnti : i >_ l } l- U Notice here the essential use of the Thin rule, and the simple condition for termination. The choice function which we have left implicit maps each Cntl to Cnti§ l . []

226

E x a m p l e 3 The slot machine in figure 10 is infinite state. The safety property, that the machine never pays out more than it has in its bank as described in example 2 of section 3.8, has the following tableau where the falsity of Q indicates that the slot machine owes money:

{ S M . : n >_ O} t- vZ.Q A [ - ] Z c F ~,Z.Q ^ [-]z ~F-U r

QA[-]U

~Q

~

[-Iv g~-u

Here the Thin rule is used to enlarge the set of slot machines to the set ~ which is 7)( SM,~ ). [] The proof system is also applicable to finite state examples, providing a much more succinct presentation of player II's winning strategy for a game. E x a m p l e 4 Recall the level crossing of figure 7. Its safety property is expressed as v Z . ( ~ f f V [cc--5~5~]ff) A [ - ] Z . Let 9 be this formula. We employ the abbreviations in figure 8, and we let E be the full set { E 0 , . . . E l l } . Below is a successful tableau showing that the crossing has this property:

Crossing t-

E~U E F ([~]~

~~ ~ s - {Es, ET} e [ ~ - ~ - ~ 0 ~ f~

v

v [~]~f)

^ [-]u

[~]~f

c ~ [-]u

~ - {E4, E6} e [ ~ ] ~

~ e U

0F ~

Again notice the essential use of the Thin rule at the first step.

[]

E x a m p l e 5 In example 2 of section 4.2 we noted how similar the two subtableaux T1 and T2 are. These can be amalgamated as follows (where the same abbreviations are used):

227

{ Venb, Vent} b U

{ venb, Vent} ~- [2fie ^ [-]u

{ Venb, Vent} t- [2p]~

(genb, genl} ~- [-IV { Venb, Yen,} ~- [-W {cb. Ven, ct. Ven} ~- U

{r Yen, ~t. Ven} F [:p]~ ^ [-]U {r Ven, r Ven} e [2p]r {r Ven, et. Ven} F [-]U Ot"~

0

The terminals have changed slightly. 4.6

Venb U

Well f o u n d e d n e s s

The proof system of the previous section is not complete. An example for which there is not a successful tableau is given by the following cell, C d=ef in(x).Bx when x : N and Bn+l def down.Bn. This cell has the property of eventual termination, I-tZ. [-]Z, The only possible tableau for C b pZ. [ - ] Z up to renaming the constant, and inessential applications of Thin is:

c ~- ~z. [-]z CbU

c ~ [-]u (1) {Bi : i _ > O } b U (2) {Bi : i >_ O} I-- [-]U

(3) {Bi : i > 0 } [ - U The final node (3) is terminal because of the node labelled (1) above it, and it is unsuccessful because U is a least fixed point constant. However any play of the game (C,/~Z. I-]Z) is won by player IL One solution to the problem is to permit induction on top of the current proof system by showing that each Bi has the property U. However we would like to avoid explicit induction principles. Instead we shall present criteria for success which captures player II's winning strategy. This requires one more condition for termination. The additional circumstance for being a leaf node of a proof tree concerns least fixed point constants. A node n labelled by the sequent 2" b U is also a terminal if it obeys the (almost repeat) condition of figure 27. This circumstance is very similar to condition 3 of the previous section except it is with respect

228

def

:

U -- # Z . ~ ~c_E

CFU ~'FU

Fig. 27. New terminal

to a least fixed point constant, and it is also similar to 3' except that the set of processes ~" at the leaf is a subset of C. Not all nodes that obey this new condition are successful. The definition of success (taken from [18]) is intricate, and requires some notation. A leaf which obeys condition 3 of being a terminal from the previous section or the new terminal condition above is called a (r-terminal, where ~r m a y be instantiated by a v or p depending on the kind of constant involved. Suppose node n ' is an immediate successor of n, and n is labelled by E F ~ and n ~ is labelled E ~ h ~ . n:

s

A game play proceeding through (E, ~) where E E E can have as its next configuration (E~,~ ') where E ~ E C' provided the rule applied at n is not Thin. Which possible processes E ~ E C~ can be in this next configuration depend on the structure of ~. This motivates the following notion 9 We say that E ' E E' at n ~ is a dependant of E E E at n if - the rule applied to n is A, V, U, a Z , or Thin, and E - E ~, or - the rule i s [ K ] a n d E a ) E ~ for some a E K, or - the rule is (K), and E ' = f(E) where f is the choice function. All the possibilities are covered here. An example is that each Bi at node (2) in the tableau earlier is a dependant of the same Bi at node (1), and each Bi at (1) is a dependant of C at the node directly above it. Assume t h a t the companion of a cr-terminal is the most recent node above it which makes it a terminal. (There may be more than one node above a aterminal which makes it a leaf, hence we take the lowest one.) Next we define the notion of a trail. D e f i n i t i o n 1 Assume that node nk is a p-terminal and node na is its companion. A trail from process E1 at n l to Ek at nk is a sequence of pairs of nodes and processes (nl, E l ) . . . . , (nk, Ek) such that for all i with 1 _< i < k either

1. Ei+l at ni+l is a dependant of Ei at nl, or

229

2. ni is the immediate predecessor of a #-terminal node n ' (where n I ~ nk) whose companion is nj for some j : 1 < j < i, and ni+l = nj and Ei+l at n ~ is a dependant of El at nl. ((1), B2)((2), B2) ((3), B1) is a simple trail from B~ at (1) to B1 at (3) in the tableau earlier. In this case B2 at (2) is a dependant of B2 at (1), and B1 at (3) is a dependant of B2 at (2). Condition 2 of Definition 1 is needed to take account of the possibility of embedded fixed points as pictured in figure 28. A trail from (n~, E l ) to (nk, E~) may pass through node nj repeatedly before

9 nl

EFU

n3 C~)-V

nk

~'t-U

n'

2-1 t- V

Fig. 28. Embedded terminals: ~" C g and ~'1 C gl.

continuing to nk. In this case nk is a p-terminal but n ~ may be either a p or a u-terminal. In fact node nj here could be na with nk and n ' both sharing the same companion. This can be further iterated when there is another #-companion along the path from nj to n| and a further leaf n ' , and so on. Note that there is an intimate relationship between the sequence of processes in a trail and a sequence of processes in part of a game play from from the companion node to the terminal. Each companion node n of a p-terminal induces a relation Dn: D e f i n i t i o n 2 E t > n F if there is a trail from E at n to F at a p-terminal whose companion is n. We now come to the definition of a successful p-terminal. D e f i n i t i o n 3 A p-terminal whose companion node is n is successful if there is no infinite "descending" chain E0 Dn E1 I>n .... Success means that the relation
230

the game characterization of satisfaction. T h e o r e m 1 g bv 9 has a successful tableau iff g ~ v ~. E x a m p l e 1 The tableau at the start of this section is successful. The only trail from S~+l at (1) to (3) is ((1), B~+I)((2), Bi+l)((3), Bi), and therefore

Bi+l l>(a) B~. Suppose we amend the definition of Bi+l to Bi+l d_efdown.Bi +up.Bi+2. Each Bi+l has the extra capability for performing up. An attempt to prove that C eventually terminates yields the same tableau as at the beginning of the section. However this tableau is now unsuccessful. There are two two trails from Bi+l at (1) to (3): ((1), Bi+I) ((2), Bi+I) ((3), Bi) and ((1), Bi+I) ((2), Bi+l) ((3), Bi+2). Hence, both Bi+l t>(a) Bi and Bi+l t>(a) Bi+2. Consequently there is a variety of infinite decreasing sequences from Bi+l such as Bi+l t>(a) Bi+2 t>(a) Bi+l .... [] E x a m p l e 2 The liveness property of the crossing subject to the assumption of fairness of the signal, as we saw in example 3 of section 3.8, is expressed by the following open formula vY.[car]@l A [-]Y, where ~q is

I~X.vYl.(O V [-r162

V X) A [-r

A [--r162

and where Q holds when the crossing is in any state where Rail can by itself perform green and R holds in any state where Road can by itself perform up. We employ the abbreviations in figure 8, and we let g be the full set {E0, ..., Ell}. The states that Q holds at are E~, E3, E6 and El0 and R holds at El, Ea, ET, and Ell. A proof that the crossing has this property is given in stages in figure 29. In this tableau there is one/~-terminal, labelled (1) whose companion is (c). The relation E>r is well founded as we only have: E1 t>c E4, E4 t>r Es and E3 I:>e E6. Therefore the tableau is successful. [] E x a m p l e 3 The verification that the slot machine has the weak liveness property that a million pounds can be won infinitely often is given by the following successful tableau:

{SMn : n >_O} b vY.I~Z.(~'~(IO6)}Y V ( - ) Z g b vY.#Z.(~"~(IO6))Y Y ( - ) Z s g ~- #Z.(~-n(lO6)>V V ( - ) Z

(x)

v

(2) s t- (w-~(lO6))U V ( - ) V E1 F- (u-~(lO6))U

el

u

(3) s b ( - ) V

(4)

v

231

{ Cros~,,g} F ~Y.[r

A FlY

g }- .Y.[car]~l ^ [-]Y g'F U

E l- [r

^ [-iU

E F [car]~l

c ~- [ - W

{EI,E3,ET,Ell } t- q/1

CI-U

T1 ~1 "~ { E l , E 3 , E 4 , E 6 , E T , E l l }

T1

(e) E~ e v C1 F ~,Y~.(Q v [-r162

v V) ^ [-r162

^ [ - r162

~'1 I- U1

~r I- Q v [ - ~ ] ( l p Y 2 . ( R E, F Q v [-~r

A [-cc-"~ro'-~]Ui

v V) A [ - ~ ] Y 2 )

v V) ^ [-r162 {E3,E~} F Q

c~ e [ - ~ ] v ,

T2

E~ t- UI

T2 {El, E~, E~ , Ell} ~- [ - c c ~ ] ( v Y 2 . ( R v V) A [-cc--SVS-~]Y2)

{E,,E3,E4,E6,Ell} F .Y2.(R v V) ^ [ - ~ ] 8 9 {E,,E3,E4,E6,E~,E~I} ~- . 8 9

v V) ^ [ - ~ ] 8 9

{E1,E3,E~,E6,E~,E.} F U2 {E1,Ez,E,,E6,Er,E. } F ( R v V ) A [ - ~ ] U ~ { EI, E3, E4, E6, ET , Ell } I- R V V {E~,Ea,ET,EI~} I- R

(1) {E4,E~} I- V

Fig. 29. Liveness proof for the Crossing

{ E~ , Ea, E4, E6, ET , E ~ } I- [ - ~ ] U 2 {E~,Ez,E4, E6,ET,E~I} t- U2

232

E is the set of all derivatives. The vital rules in this tableau are the disjunction at node (1), where El is exactly those processes capable of performing a ~in(106) action, and E2 is the remainder; and the (K) rule at node (3), where J" is defined to ensure that s is eventually reached: for a process with less than 10 s in the bank, f chooses events leading towards loss, so as to increase the amount in the bank; and for processes with more than 106, f chooses to release(106). The formal proof requires partitioning s into several classes, each parametrized by an integer n, and showing that while n < 106, n is strictly increasing over a cycle through the classes; then when n = 106, f selects a successor that is not in E2, and so a Chain from E0 through nodes (1), (2), (3), (4) terminates. [] E x a m p l e 4 Consider the following family of processes for i > i from section 1.1:

T(i) dej if even(i)

then

5-~(i).T(i/2)

else

-6~(i):T((3i + 1)/2)

If T(i) for all i _> 1 stabilizes into the cycle T(2) *-'~'(~)T(1) ,-~(1)) T(2) then the following tableau is successful, and otherwise it is not. But which of these holds is not known! {T(i) : i >_ 1} [-/tY. (o--ff[(2))tt V [-]Y {T(i) : i > 1 } F U {T(i) : i > 1} F (o---ff~(2))tt V [-]U

T(2)

{T(i) : i > 1 ^ i # 2} e [ - ] u

T(1) [- tt

{T(i) : i > l } [ - U

The problem is that we dont know if the relation induced by the companion of this leaf is well-founded. [] 5

Concluding

Comments

In previous sections we used modal logic and modal mu-calculus for analysing properties of processes. We also noted the close relationship between bisimilarity and having the same properties. Some of the techniques mentioned, especially in the case of finite state processes, are implemented in the Edinburgh Concurrency Workbench 25. Another tool is the infinite state model checker for Petri nets based on tableaux, described in [16]. An important topic which we have not discussed is to what extent verification can be guided by the theory of processes. Game playing and the tableau proof rules are directed by the logical structure of the property. A simple case of where the theory of processes m a y impinge is the following proof rule that can be added to the tableaux proof systems of sections 4.2 and 4.3 when r is a closed formula. 25 Which is freely available by emailing [email protected], or from the WWW, http://www.dcs.ed.ac.uk/packages/cwb/index.html.

233

EF~

F,,,E

Fh~

This is justified because as we saw in section 3.7 bisimulation equivalence preserves temporal properties. Moreover if r belongs to weak modal mu-calculus then we only need the subgoal F ~ E. Use of this rule could appeal to the theory of bisimulation, and techniques for minimizing process descriptions. Alternatively it could appeal to the equational theory of processes. 9Process behaviour is chronicled through transitions. But processes also have structure, defined as they are from combinators. To what extent can process properties be defined without appealing to transition behaviour, but instead to this algebraic structure? The ascription of boolean combinations of properties to processes does not directly depend on their behaviour: for instance, E satisfies Y kP provided it satisfies one of the disjuncts. Consequently it is the modal (and fixed point) operators that we need to concern ourselves with, how algebraic structure relates to them. Some simple cases are captured in the following lemma. L e m m a 1 i. if a ~ K

then a.E ~ [K]4~ and a.E ~
E \ \ J h ~) E E +\\J

The harder question is how to deal with parallel, some proposals can be found in [63, 45, 2, 3].

234

References 1. Abramsky, S., (1995). Interaction categories, This Volume. 2. Andersen, H., "and Winskel, G. (1992). Compositional checking of satisfaction. Formal Methods in System Design, 1. 3. Andersen, H., Stirling, C., and Winskel, G. (1994)i A compositional proof system for the modal mu-calculus. Procs 9th IEEE Symposium on Logic in Computer Science, 144-153. 4. Austry, D., and Boudol, G. (1984). Algebra de processus et synchronisation. Theoretical Computer Science, 30, 90-131. 5, Baeten, J., Bergstra, J., and Klop, J. (1987). Decidability of bisimulation equivalence for processes generating context-free languages. Lecture Notes in Computer Science, 259, 94-113. 6. Baeten, J, and Weijland, W. (1990). Process Algebra. Cambridge University Press: 7. Baeten, J., Bergstra, J., I-Ioare, C., Milner, R., Parrow, J., and de Simone, R. (1992). The variety of process ~lgebra. Manuscript. 8. De Bakker, J. (1980). Mathematical Theory of Program Correctness, PrenticeHall. 9. De Bakker, J., and De Roever, W. (1973). A calculus for recursive program schemes. In Automata, Languages and Programming, ed. Nivat, M. 167-196, North-Holland. 10. Bernholtz, O., Vardi, M. and Wolper, P. (1994). An automata-theoretic approach to branching-time model checking. Lecture Notes in Computer Science, 818, 142155. 11. Bergstra, J. and Klop, J. (1989). Process theory based on bisimulation semantics. Lecture Notes in Computer Science, 354, 50-122. 12. van Benthem, J. (1984). Correspondence theory. In Handbook of Philosophical Logic, Vol. II, ed. Gabbay, D. and Guenthner, F., 167-248, Reidel. 13. Bloom, B., Istrail, S., and Meyer A. (1988). Bisimulation cant be traced. In 15th Annual Symposium on the Principles of Programming Languages, 229-239. 14. Boudol, G. (1985). Notes on algebraic calculi of processes, in Logics and Models of Concurrent Systems, Springer. 15. Bradfield, J. (1992). Verifying Temporal Properties of Systems. Birkhauser. 16. Bradfield, J. (1993). A proof assistant for symbolic model checking. Lecture Notes in Computer Science, 663, 316-329. 17. Bradfield, J. and Stirling, C. (1990). Verifying temporal properties of processes. Lecture Notes in Computer Science, 458, 115-125. 18. Bradfield, J: and Stirling, C. (1992). Local model checking for infinite state spaces. Theoretical Computer Science, 96, 157-174. 19. Browne, M., Clarke, E., and Grumberg, O. (1988). Characterizing finite Kripke structures in propositional temporal logic. Theoretical Computer Science, 59, 115131. 20. Bruns, G. (1993). A practical technique for process abstraction. Lecture Notes in Computer Science, 715, 37-49. 21. CamiUeri, J., and Winskel, G. (1991). CCS with priority. Procs 6th IEEE Symposium on Logic in Computer Science, 246-255. 22. Christensen, S., Hirshfeld, Y., and Moiler, F. (1993). Bisimulation is decidable for all basic parallel processes. Lecture Notes in Computer Science, 715, 143-157.

235

23. Christensen, S., Hfittel, H., and Stirling, C. (1992). Bisimulation equivalence is decidable for all context-free processes. Lecture Notes in Computer Science, 630, 138-147. 24. Cleaveland, R., and Hennessy, M. (1988). Priorities in process algebra. Proe. 3rd IEEE Symposium on Logic in Computer Science, 193-202. 25. Cleaveland, R, Parrow, J, and Steffen, B. (1989). The concurrency workbench. Lecture Notes in Computer Science, 407, 24-37. 26. Condon, A. (1992). The complexity of stochastic games. Information and Computation, 96, 203-224. 27. De Nicola, R. and Vaandrager, V. (1990). Three logics for branching bisimulation. Proc. 5th IEEE Symposium on Logic in Computer Science, 118-129. 28. Emerson, E, and Clarke, E. (1980). Characterizing correctness properties of parallel programs using fixpoints. Lecture Notes in Computer Science, 85, 169-181. 29. Emerson, E., and Jutla, C. (1991). Tree automata, mu-calculus and determinacy. In Proc. 32rid 1EEE Foundations of Computer Science. 30. Emerson, E, and Lei, C. (1986). Efficient model checking in fragments of the propositional mu-calculus. In Proc. 1st IEEE Symposium on Logic in Computer Science, 267-278. 31. Emerson, E, and Srinivasan, J. (1989). Branching time temporal logic. Lecture Notes in Computer Science, 354, 123-284. 32. van Glabbeek, J. (1990). The linear time-branching time spectrum. Lecture Notes in Computer Science, 458, 278-297. 33. van Glabbeek, J. F., and Weijland, W.P. (1989). Branching time and abstraction in bisimulation semantics. Information Processing Letters, 89, 613-618. 34. Groote, J. (1993). Transition system specifications with negative premises. Theoretical Computer Science, 118, 263-299. 35. Groote, J. and Vaandrager, F. (1989), Structured operational semantics and bisimulation as a congruence. Lecture Notes in Computer Science, 372, 423-438. 36. Hennessy, M. (1988). An Algebraic Theory of Processes. MIT Press. 37. Hennessy, M. and Ingolfsdottir. (1990). A theory of communicating processes with value-passing. Lecture Notes in Computer Science, 443, 209-220. 38. Hennessy, M. and Milner, R. (1980). On observing nondeterminism and concurrency. Lecture Notes in Computer Science, 85, 295-309. 39. Hennessy, M. and Milner, R. (1985). Algebraic laws for nondeterminism and concurrency. Journal of Association of Computer Machinery, 32, 137-162. 40. Hoare, C. (1985). Communicating Sequential Processes. Prentice Hall. 41. Kannellakis, P. and Smolka, S. (1990). CCS expressions, finite state processes, and three problems of equivalence. Information and Computation, 86, 43-68. 42. Kozen, D. (1983). Results on the propositional mu-calculus. Theoretical Computer Science, 27, 333-354. 43. Lamport, L. (1983) Specifying concurrent program modules. A C M Transactions of Programming Language Systems, 6, 190-222. 44. Larsen, K. (1990). Proof systems for satisfiability in Hennessy-Milner logic with recursion. Theoretical Computer Science, 72, 265-288. 45. Larsen, K. (1990). Ideal specification formalism; Lecture Notes in Computer Science , 458, 33-56. 46. Larsen, K. and Skou. (1989). Bisimulation through probabilistic testing. In 16th Annual A CM Symposium on Principles of Programming Languages.

236

47. Long, D., Browne, A., Clarke, E., Jha, S., and Marrero, W. (1994). An improved algorithm for the evaluation of fixpoint expressions. Lecture Notes in Computer Science, 818. 48. Ludwig, W. (1995). A subexponential randomized algorithm for the simple stochastic game problem. Information and Computation, 117, 151-155. 49. Manna, Z, and Pnueli, A. (1991). The Temporal Logic of Reactive and Concurrent Systems. Springer. 50. Milner, R. (1980). A Calculus of Communicating Systems. Lecture Notes in Computer Science, 92. 51. Milner, R. (1983). Calculi for synchrony and azynchrony. Theoretical Computer Science, 25, 267-310. 52. Milner, R. (1989). Communication and Concurrency. Prentice Hall. 53. Milner, R., Parrow, J., and Walker, D. (1992). A calculus of mobile processes, Parts I and II, Information and Computation, 100, 1-77. 54. Moiler, F. and Tofts, C. (1990). A temporal calculus of communicating processes. Lecture Notes in Computer Science, 458, 401-415. 55. Nicollin, X. and Sifakis, J. (1992). An overview and synthesis on timed process algebras. Lecture Notes in Computer Science, 575, 376-398. 56. Park, D. (1969). Fixpoint induction and proofs of program properties. Machine Intelligence, 5, 59-78, Edinburgh University Press 57. Park, D. (1981). Concurrency and automata on infinite sequences. Lecture Notes in Computer Science, 154, 561-572. 58. Parrow, J. (1988). Verifying a CSMA/CD-Protocol with CCS. In Protocol Specification, Testing, and Verification VIII, 373-384. North-Holland. 59. Plotkin, G. (1981). A structural approach to operational semantics. Technical Report, DAIMI FN-19, Aarhus University. 60. Pratt, V. (1982). A decidable mu-calculus, 22nd1EEE Symposium on Foundations of Computer Science, 421-427. 61. Simone, R. de (1985). Higher-level synchronizing devices in Meije-SCCS. Theoretical Computer Science, 37, 245-267. 62. Sistla, P., Clarke, E., Francez, N. and Meyer, A. (1984). Can message buffers be axiomatized in linear temporal logic? Information and Control, 68, 88-112. 63. Stirling, C. (1987). Modal logics for communicating systems, Theoretical Computer Science, 49, 311-347. 64. Stirling, C. (1992) Modal and temporal logics. In Handbook of Logic in Computer Science Vol. 2, ed. Abramsky, S, Gabbay, D, and Ma~baum, T., 477-563, Oxford University Press. 65. Stifling, C. (1995). Local model checking games. Lecture Notes in Computer Science, 962, 1-11. 66. Stirling, C. and Walker, D. (1991). Local model checking in the modal mucalculus. Theoretical Computer Science, 89, 161-177. 67. Streett, R. and Emerson, E. (1989). An automata theoretic decision procedure for the propositional mu-calculus. Information and Computation, 81,249-264. 68. Taubner, D. (19.89). Finite Representations of CCS and TCSP Programs by Automata and Petri Nets. Lecture Notes in Computer Science, 369. 69. Walker, D. (1987). Introduction to a calculus of communicating systems. Technical Report ECS-LFCS-87-22, Dept. of Computer Science, Edinburgh University. 70. Walker, D. (1989). Automated analysis of mutual exclusion algorithms using CCS. Formal Aspects of Computing, 1, 273-292.

237

71. Walker, D. (1990). Bisimulations and divergence. Information and Computation, 85, 202-241. 72. Winskel, G. (1988). A category of labelled Petri Nets and compositional proof system. Procs 8rd 1EEE Symposium on Logic in Computer Science, 142-153. 73. Wolper, P. (1983). Temporal logic can be more expressive. Information and Control, 56, 72-99.

An Automata-Theoretic Approach to Linear Temporal Logic M o s h e Y. Vardi* Rice University Department of Computer Science P.O. Box 1892 Houston, TX 77251-1892, U.S.A. Email: vardi@ es.rice.edu

Abstract. The automata-theoretic approach to linear temporal logic uses the theory of automata as a unifying paradigm for program specification, verification, and synthesis. Both programs and specifications are in essence descriptions of computations. These computations can be viewed as words over some alphabet. Thus, programs and specifications can be viewed as descriptions of languages over some alphabet. The automata-theoretic perspective considers the relationships between programs and their specifications as relationships between languages. By translating programs and specifications to automata, questions about programs and their specifications can be reduced to questions about automata. More specifically, questions such as satisfiability of specifications and correctness of programs with respect to their specifications can be reduced to questions such as nonemptiness and containment of automata. Unlike classical automata theory, which focused on automata on finite words, the applications to program specification, verification, and synthesis, use automata on infinite words, since the computations in which we are interested are typically infinite. This paper provides an introduction to the theory of automata on infinite words and demonstrates its applications to program specification, verification, and synthesis.

1

Introduction

While program verification was always a desirable, but never an easy task, the advent o f concurrent programming has m a d e it significantly more necessary and difficult. Indeed, the conceptual complexity o f concurrency increases the likelihood o f the program conraining errors. To quote from [OL82]: "There is a rather large b o d y o f sad experience to indicate that a concurrent program can withstand very careful scrutiny without revealing its errors" The first step in program verification is to come up with aformal specification o f the program. One o f the m o r e widely used specification languages for concurrent programs is temporal logic [Pnu77, MP92]. Temporal logic comes in two varieties: linear time and branching time ([EH86, Lain80]); we concentrate here on linear time. A linear temporal specification describes the computations o f the program, s o a program satisfies the * Part of this work was done at the IBM Almaden Research Center.

239

specification (is correct) if all its computations satisfy the specification. Of course, a specification is of interest only if it is satisfiable. An unsatisfiable specification cannot be satisfied by any program. An often advocated approach to program development is to avoid the verification step altogether by using the specification to synthesize a program that is guaranteed to be correct. Our approach to specification, verification, and synthesis is based on an intimate connection between linear temporal logic and automata theory, which was discussed explicitly first in [WVS83] (see also [LPZ85, Pei85, Sis83, SVW87, VW94]). This connection is based on the fact that a computation is essentially an infinite sequence of states. In the applications that we consider here, every state is described by a finite set of atomic propositions, so a computation can be viewed as an infinite word over the alphabet of truth assignments to the atomic propositions. The basic result in this area is the fact that temporal logic formulas can be viewed as finite-state acceptors. More precisely, given any propositional temporal formula, one can construct a finite automaton on infinite words that accepts precisely the computations satisfied by the formula [VW94]. We will describe the applications of this basic result to satisfiability testing, verification, and synthesis. Unlike classical automata theory, which focused on automata on finite words, the applications to specification, verification, and synthesis, use automata on infinite words, since the computations in which we are interested are typically infinite. Before going into the applications, w e give a basic introduction to the theory of automata on infinite words. To help the readers build their intuition, we review the theory of automata on finite words and contrast it with the theory of automata on infinite words. For a more advanced introduction to the theory of automata on infinite objects, the readers are referred to [Tho90]. 2

Automata Theory

We are given a finite nonempty alphabet 22. A finite word is an element of S * , i.e., a finite sequence at, ..., an of symbols from S . An infinite word is an element of S ~ i.e., an w-sequence 2 a0, a l , . . , of symbols from S . Automata on finite words define (finitary) languages, i.e., sets of finite words, while automata on infinite words define infinitary languages, i.e., sets of infinite words. 2.1

A u t o m a t a on Finite Words - Closure

A (nondeterministic finite) automaton A is a tuple ( S , S, S t, p, F ) , where 22 is a finite nonempty alphabet, S is a finite nonempty set of states, S O C_ S is a nonempty set of initial states, F C S is the set of accepting states, and p : S x 22 ~ 2 s is a transition function. Intuitively, p(s, a) is the set of states that A can move into when it is in state s and it reads the symbol a. Note that the automaton may be nondeterministic, since it may have many initial states and the transition function may specify many possible transitions for each state and symbol. The automaton A is deterministic if IS~ = 1 and [p(s, a)l < 1 for all states s E S and symbols a E S. An automaton is essentially an z w denotes the first infinite ordinal.

240

edge-labeled directed graph: the states of the automaton are the nodes, the edges are labeled by symbols in S , a certain set of nodes is designated as initial, and a certain set of nodes is designated as accepting. Thus, t E p(s, a) means that that there is edge from s to t labeled with a. When A is deterministic, the transition function p can be viewed as a partial mapping from S • S to S, and can then be extended to a partial mapping from S x S* to S as follows: p(s, e) = s and p(s, xw) = p(p(s, x), w) for x E S and wES*. A run r of A on a finite word w = at, 9 an-1 E z~,* is a sequence so,.. :, sn of n + 1 states in S such that so E S ~ and Si+l E p(si, ai) for 0 < i < n. Note that a nondeterministic automaton can have many runs on a given input word. In contrast, a deterministic automaton can have at most one run on a given input word. The run r is accepting if s,, E F. One could picture the automaton as having a green light that is switched on whenever the automaton is in an accepting state and switched off whenever the automaton is in a non-accepting state. Thus, the run is accepting if the green light is on at the end of the run. The word w is accepted by A if A has an accepting run on w. When A is deterministic, w E L(A) if and only i f p ( s ~ w) E F, where S O = {so). The (finitary) language of A, denoted L(A), is the set of finite words accepted by A. An important property of automata is their closure under Boolean operations, We start by considering closure under union and intersection. Proposition 1. [RS59] Let A l, A2 be automata. Then there is an automaton A such that

L(A) = L(AI) U L(A2). Proof: Let A| = (S, S1, S ~ Pl,/71) and A2 = ( S , $2, S ~ p2, F2). Without loss of generality, we assume that S1 and $2 are disjoint. Intuitively, the automaton A nondeterministically chooses AI or A2 and runs it on the input word. Let A = ( S , S, S O, p, F), where S = S1 U $2, S O = S O U S ~ F = FI U F2, and

p(s, a) = f p'(s' a) if s E $1 [p2(s,a) i f s E $2 It is easy to see that L( A ) = L( A1) U L( A2 ). | We call A in the proof above the union of A1 and A2, denoted A1 U A2. Proposition 2. [RS59] Let A I, A2 be automata. Then there is an automaton A such that

L(A) = L(A1) O L(A2). Proof: Let A1 = (E, $1, S ~ pl, FI) and A2 = ( Z , $2, S ~ p2,/72). Intuitively, the automaton A runs both A1 and A2 on the input word. Let A = ( S , S, S ~ p, F ) , where S = $1 x $2, S O = $1~ x S ~ F = FI • and p((s, t), a) = Pl (s, a) x p2(t, a). It is easy to see that L(A) = L(A1) N L(A2). | We call A in the proof above the product of A1 and A:, denoted A1 x A2. Note that both the union and the product constructions are effective and polynomial in the size of the constituent automata. Let us consider now the issue of complementation. Consider first deterministic automata.

241

P r o p o s i t i o n 3. [RS59] Let A = ( S , S, S ~ p, F) be a deterministic automaton, and let -A = ( S , S, S ~ p, S - F), then L(-A) = S* - L(A).

That is, it is easy to complement deterministic automata; we just have to complement the acceptance condition. This will not work for nondeterministic automata, since a nondeterministic automaton can have many runs on a given input word; it is not enough that some of these runs reject (i.e., not accept) the input word, all runs should reject the input word. Thus, it seems that to complement nondeterministic automaton we.first have to determinize it. Proposition4. [RS59] Let A be a nondeterministic automaton. Then there is a deterministic automaton Aa such that L(Aa) = L(A). Proof: Let A = (S, S, S t, p, F). Then Aa = ( S , 2 s, {so}, pa, Fd). The state set of Aa consists of all sets of states in S and it has a single initial state. The set Fa = {T [ T f3 F ~ 0} is the collection of sets of states that intersect F nontrivially. Finally, pa(T, a) = { t i t E p(s, a) for some s E T}. 1 Intuitively, Aa collapses all possible runs of A on a given input word into one run over a larger state set. This construction is called the subset construction. By combining Propositions 4 and 3 we can complement a nondeterministic automata. The construction is effective, but it involves an exponential blow-up, since determinization involves an exponential blow-up (i.e., i f A has n states, then Aa has 2'* states). As shown in [MF71], this exponential blow-up for determinization and complementation is unavoidable. For example, fix some n > 1. The set of all finite words over the alphabet S = {a, b} that have an a at the nth position from the right is accepted by the automaton A = (S, {0, 1 , 2 , . . . , n}, {0}, p, {n}), where p(0, a) = {0, 1}, p(0, b) = {0}, and p(i, a) = p(i, b) = {i + 1} f o r 0 < i < n. Intuitively, A guesses a position in the input word, checks that it contains a, and then checks that it is at distance n from the right end of the input. Suppose that we have a deterministic automaton Aa = ( S , S, {so}, pa, F) with fewer than 2 n states that accepts this same language. Recall that pa can be viewed as a partial mapping from S x S* to S. Since ISI < 2-, there must be two words uavl and ubv2 of length n for which pa(s ~ nay1) = pd(s ~ ubv2). But then we would have that pa(s ~ uavlu) = pa(s ~ ubv2u); that is, either both uavtu and ubv2u are members of L(Aa) or neither are, contradicting the assumption that L(Aa) consists of exactly the words with an a at the nth position from the right, since lavxul = Ibv2ul = n. 2.2

Automata on Infinite Words - Closure

9 Suppose now that an automaton A = ( S , S, S o , p, F ) is given as input an infinite word w = at, a l , . . , over S . A run r of A on w is a sequence so, sl, .... where so E S O and Si+l E p(si, ai), for all i > 0. Since the run is infinite, we cannot define acceptance by the type of the final state of the run. Instead we have to consider the limit behavior of the run. We define lim(r) to be the set {s [ s = si for infinitely many i's}, i.e., the set of states that occur in r infinitely often. Since S is finite, lim(r) is necessarily nonempty. The run r is accepting if there is some accepting state that repeats in r infinitely often,

242

i.e., lim(r ) N F # 0. If we picture the automaton as having a green light that is switched on precisely when the automaton is in an accepting state, then the run is accepting if the green light is switched on infinitely many times. The infinite word w is accepted by A if there is an accepting run of A on w. The intinitary language of A, denoted L,o (A), is the set of infinite words accepted by A. Thus, A can be viewed both as an automaton on finite words and as an automaton on infinite words. When viewed as an automaton on infinite words it is called a Bfichi automaton [Btic621. Do automata on infinite words have closure properties similar to those of automata on finite words? In most cases the answer is positive, but the proofs may be more involved. We start by considering closure under union. Here the union construction does the fight thing.

Proposition5.

[Cho74] Let A1, A2 be Bachi automata. Then Lo~(AI U A2) = L~ (A1) U

L,~(A2). One might be tempted to think that similarly we have that Lo~(AI x A2) = Lo~(A1) N

Lo~(A2), but this is not the case. The accepting set of A1 x A2 is the product of the accepting sets of AI and A2. Thus, A1 x A2 accepts an infinite word w if there are accepting runs rl and r2 of A1 and A2, respectively, on w, where both runs go infinitely often and simultaneously through accepting states. This requirement is too strong. As a result; Loj (A1 x A2 ) could be a strict subset of L,o (A~) n L~ (A2). For example, define the two Btichi automata A1 = ({a}, {s, t}, {s}, p, {s}) and A2 = ({a}, {s, t}, {s}, p, {t}) with p(s, a) = {t} and p(t, a) = {s}. Clearly we have that L,o (A1) = L,o (A2) = {a ~~}, but L,o (AI x A2) = 0. Nevertheless, closure under intersection does hold. Proposition 6. [Cho74] Let A1, A2 be Bfichi automata. Then there is a Bachi automaton A such that Lo~(A) = Lo~(A1) tq Lo~(A2). Proof: LetA1 = (27, $1, S~1,pl, F1) andA2 = (27, $2, sO, p2, F2). LetA = (27, S, S t, p, F), where S = S I X $2 X {1,2}, S ~ = S~I x S~ x {1}, F = F1 x $2 x {1}, and

(s',t',j) E p((s,t,i),a) i f s ' ~ pl(s,a), t' ~ p2(t,a), a n d i = j , unless i = 1 a n d s E/;1, in which case j = 2, or i = 2 and t E F2, in which case j = 1. Intuitively, the automaton A runs both A1 and A2 on the input word. Thus, the automaton can be viewed has having two "tracks", one for each of A1 and A2. In addition to remembering the state of each track, A also has a pointer that points to one of the tracks (1 or 2). Whenever a track goes through an accepting state, the pointer moves to the other track. The acceptance condition guarantees that both tracks visit accepting states infinitely often, since a run accepts iff it goes infinitely often through F1 x $2 x {1}. This means that the first track visits infinitely often an accepting state with the pointer pointing to the first track. Whenever, however, the first track visits an accepting state with the pointer pointing to the first track, the pointer is changed to point to the second track. The pointer returns to point to the first track only if the second track visits an accepting state. Thus, the second track must also visit an accepting state infinitely often. |

243

Thus, B tichi automata are closed under both union and intersection, though the construction for intersection is somewhat more involved than a simple product. The situation is considerably more involved with respect to closure under complementation. First, as we shall shortly see, Biichi automata are not closed under determinization, i.e., nondeterministic Btichi automata are more expressive than deterministic Biichi automata. Second, it is not even obvious how to complement deterministic Biichi automata. Consider the deterministic Btichi automaton A = (S, S, S ~ p, F ) . One may think that it suffices to complement the acceptance condition, i.e., to replace F by S - F and define = (S, S, S ~ p, S - F). Not going infinitely often through F , however, is not the same as going infinitely often through S - F. A run might go through both F and S - F infinitely often. Thus, L~ (A) may be a strict superset of S ~ - L~o(A). For example, Consider the Btichi automaton A = ({a}, {s,t}, {s},p, {s}) with p(s,a) = {t} and p(t, a) = {s}. We have that Lo~(A) = L~(A) = {a~}. Nevertheless, Biichi automata (deterministic as well as nondeterministic) are closed under complementation. Proposition 7. [Biic62] Let A be a Bfichi automaton over an alphabet 2~. Then there is a (possibly nondeterministic) Bachi automaton-A such that Lo~(-A) = S ~ - L~ (A). The construction in [Btic62] is doubly exponential. This is improved in [SVW87] to a singly exponential construction with a quadratic exponent (i.e., ifA has n states then A has c n2 states, for some constant c > 1). In contrast, the exponent in the construction of Proposition 4 is linear. We will come back later to the complexity of complementation. Let us return to the issue of detenninization. We now show that nondeterministic B0chi automata are more expressive than deterministic Btichi automata. Consider the infinitary language F = (0+ 1)* 1~ i.e., F consists of all infinite words in which 0 occurs only finitely many times. It is easy to see that F can be defined by a nondeterministic Biichi automaton. Let A0 = ({0, 1}, {s, t}, {s}, p, {t}), where p(s, O) = p(s, 1) = {s, t}, p(t, 1) = {t} and p(t, 0) = 0. That is, the states are s and t with s the initial state and t the accepting state, As long as it is in the state s, the automaton A0 can read both inputs 0 and 1. At some point, however, A0 makes a nondeterministic transition to the state t, and from that point on it can read only the input 1. It is easy to see that F = Lo~(A0). In contrast, F cannot be defined by any deterministic Biichi automaton. Proposition 8. Let F = (0 + 1)* 1'~ Then there is no deterministic Bfichi automaton A

such that F = Lo~(A), Proof: Assume by way of contradiction that F = Lo~(A), where A = (S, S, {s ~}, p, F ) for S = {0, 1}, and A is deterministic. Recall that p can be viewed as a partial mapping from S x S* to S. Consider the infinite word w0 = 1`~ Clearly, w0 is accepted by A, so A has an accepting run on wo. Thus, w0 has a finite prefix u0 such that p(s ~ uo) E F. Consider now the infinite word wl = u001 ~ Clearly, Wl is also accepted by A, so A has an accepting run on wl. Thus, wl has a finite prefix uoOul such that p(s ~ u00ul) E F. In a similar fashion we can continue to find finite words ui such that p(s ~ u00Ul0... Oui) E F. Since S is finite, there are i, j, where 0 < i < j, such that p(s ~ u00Ul0... Oui) =

244

p(8 O, uoOUlO...OuiO... OUj). It follows that A has an accepting run on

ztoOuiO...Oui(O...O•j) w . But the latter word has infinitely many occurrences of O, so it is not in F. { Note that the complementary language Z w - F = ( ( 0 + 1) *O)'~ (the set of infinite words in which 0 occurs infinitely often) is acceptable by the deterministic Biichi automaton A = ({0, 11, {s,t}, {s},p, {sl),wherep(s,O) = p(t,O) = {slandp(s, 1) = p(t, 1) = {t}. That is, the automaton starts at the state s and then it simply remembers the last symbol it read (s corresponds to 0 and t corresponds to 1). Thus, the use of nondeterminism in Proposition 7 is essential. To understand why the subset construction does not work for Btichi automata, consider the following two automata over a singleton alphabet: AI = ({a}, {s, t}, {s}, Pl, {t}) and A2 = ({a}, {s, t}, {s}, P2, {t}), where pl(s, a) = {s, t}, pl(t, a) = O, p2(s, a) = {s, t}, and p2(t, a) = {s}. It is easy to see that A1 does not accept any infinite word, since no infinite run can visit the state t. In contrast, A2 accepts the infinite word a ~, since the run (st) ~ is accepting. If we apply the subset construction to both automata, then in both cases the initial state is {s}, pa({s}, a) = {s, t}, and pa({s, t}, a) = {s, t}. Thus, the subset construction can not distinguish between A1 and A2. To be able to determinize automata on finite words, we have to consider a more general acceptance condition. Let S be a finite nonempty set of states. A Rabin condition is a subset G of 2 s • 2 s, i.e., it is a collection of pairs of sets of states, written [(L1, U 1 ) , . , . , (Lk, Uk)] (we drop the external brackets when the condition consists of a single pair). A Rabin automaton A is an automaton on infinite words where the acceptance condition is specified by a Rabin condition, i.e., it is of the form ( S , S, S ~ p, G). A r u n r ofAisacceptingifforsome iwehavethatlim(r)flLi # 0 andlim(r)NUi = 0, that is, there is a pair in G where the left set is visited infinitely often by r while the right set is visited only finitely often by r. Rabin automata are not more expressive than Btichi automata. Proposltion9. [Cho741 Let A be a Rabin automaton, then there is a Bachi automaton

Ab such that L~(A) = Lo~(Ab). Proof: Let A = (S, S, S ~ p, G), where G = [(L1, U1),..., (Lk, Uk)]. It is easy to see that L~(A) = U~=IL~(Ai ), where Ai = (S, S, S ~ p, (Li, Ui)). Since Biichi automata are closed under union, by Proposition 5, it suffices to prove the claim for Rabin conditions that consists of a single pair, say (L, U). The idea of the construction is to take two copies of A, say Al and A2. The Btichi automaton Ab starts in A~ and stays there as long as it "wants". At some point it nondeterministically makes a transition into A2 and it stays there avoiding U and visiting L infinitely often. Formally, Ab = (S, Sb, S ~ Pb, L), where Sb = S • {0} U (S - U), S o = S O • {0}, pb(s,a) = p(s,a) -- U for s E S - U, mid pb((s,O), a) = p(s,a) X

{0} u (p(s, .) - i ) . ! Note that the construction in the proposition above is effective and polynomial in the size of the given automaton.

245

If we restrict attention, however, to deterministic automata, then Rabin automata are more expressive than Btichi automata. Recall the infinitary language F = (0 + 1)* 1W. We showed earlier that it is not definable by a deterministic Btichi automaton. It is easily definable, however, by a Rabin automaton. Let A = ({ 0, 1 }, {s, t }, { s }, p, ({ t }, {s })), where p(s, O) = p(t, 0) = {s}, p(s, 1) = p(t, 1) = {t}. That is, the automaton starts at the state s and then it simply remembers the last symbol it read (s corresponds to 0 and t corresponds to 1). It is easy to see that F = Lo~(A). The additional expressive power of Rabin automata is sufficient to provide closure under determinization. Proposition 10. [McN66] Let A be a Bachi automaton. There is a deterministic Rabin automaton Ad such that L~ (Ad) = Lo~(A).

Proposition 10 was first proven in [McN66], where a doubly exponential construc9tion was provided. This was improved in [Saf88], where a singly exponential, with an almost linear exponent, construction was provided (if A has n states, then Ad has 2o(,, log,) states and O(n) pairs). Furthermore, it was shown in [Saf88] (see also [EJ89]) how the determinization construction can be modified to yield a co-determinization construction, i.e., a construction of a deterministic Rabin automaton A~ such that L~ (Ad) = L-~ - L~ (A~), where S is the underlying alphabet. The co-determinization construction is also singly exponential with an almost linear exponent (again, if A has n states, then A~ has 2 ~ logn) states and O(n) pairs). Thus, combining the codeterminization construction with the polynomial translation of Rabin automata to B tichi automata (Proposition 9), we get a complementation construction whose complexity is singly exponential with an almost linear exponent. This improves the previously mentioned bound on complementation (singly exponential with a quadratic exponent) and is essentially optimal [Mic88]. In contrast, complementation for automata on finite words involves an exponential blow-up with a linear exponent (Section 2.1). Thus, complementation for automata on infinite words is provably harder than complementation for automata on finite words. Both constructions are exponential, but in the finite case the exponent is linear, while in the infinite case the exponent is nonlinear. 2.3

A u t o m a t a on Finite W o r d s - A l g o r i t h m s

An automaton is "interesting" if it defines an "interesting" language, i.e., a language that is neither empty nor contains all possible words. An automaton A is nonempty if L(A) ~ 0; it is nonuniversal if L(A) ~ S*. One of the most fundamental algorithmic issues in automata theory is testing whether a given automaton is "interesting", i.e., nonempty and nonuniversal. The nonemptinessproblem for automata is to decide, given an automaton A, whether A is nonempty. The nonuniversalityproblem for automata is to decide, given an automaton A, whether A is nonuniversal. It turns out that testing nonemptiness is easy, while testing nonuniversality is hard. Proposition 11. [RS59, Jon75]

1. The nonemptiness problem for auwmata is decidable in linear time. 2. The nonemptiness problem for automata is NLOGSPACE-complete.

246

Proof: Let A = (27, S, S ~ p, F ) be the given automaton. Let s, t be states of S. We say that t is directly connected to s if there is a symbol a E E such that t E p(s;a). We say that t is connected to s if there is a sequence s l , . . . , sin, rn > 1, Of States such that sl = s, sn = t, and si+l is directly connected to sl for 1 < i < m. Essentially, t is connected to s if there is a path in A from s to t, where A is viewed as an edge-labeled directed graph. Note that the edge labels are ignored in this definition. It is easy to see that L(A) is nonempty iff there are states s E S O and t E F such that t is connected to s. Thus, automata nonemptiness is equivalent to graph reachability. The claims now follow from the following observations: 1. A breadth-first-search algorithm can construct in linear time the set of all states conncected to a state in S O [CLR90]. A is nonempty iff this set intersects F nontriviaUy. 2. Graph reachability can be tested in nondeterministic logarithmic space. The algorithm simply guesses a state so E S ~ then guesses a state sx that is directly connected to so, then guesses a state s2 that is directly connected to sl, etc., until it reaches a state t E F. (Recall that a nondeterministic algorithm accepts if there is a sequence of guesses that leads to acceptance. We do not care here about sequences of guesses that do not lead to acceptance [GJ79].) At each step the algorithm needs to remember only the current state and the next state; thus, if there are n states the algorithm needs to keep in memory O (log n) bits, since log n bits suffice to describe one state. On the other hand, graph reachability is also NLOGSPACE-hard [Jon751.

II Proposition 12. [MS72] 1. The nonuniversality problem for automata is decidable in exponential time. 2. The nonuniversality problem for automata is PSPACE-complete. Proof: Note that L(A) ~ S* iff S* - L(A) ~ 0 iff L ( ~ ) ~ 0, where A is the complementary automaton of A (see Section 2.1). Thus, to test A for nonuniversality, it suffices to test A for nonemptiness. Recall that A is exponentially bigger than A. Since nonemptiness can be tested in linear time, it follows that nonuniversality can be tested in exponential time. Also, since nonemptiness can be tested in nondetenninistic logarithmic space, nonuniversality can be tested in polynomial space, The latter argument requires some care. We cannot simply construct_A and then test it for nonemptiness, since A is exponentially big. Instead, we construct A "on-the-fly"; whenever the nonemptiness algorithm wants to move from a state tl of A to a state t2, the algorithm guesses t2 and checks that it is directly connected to t 1. Once this has been verified, the algorithm can discard_ tl. Thus, at each step the algorithm n_eeds to keep in memory at most two states of A and there is no need to generate all of A at any single step of the algorithm. This yields a nondeterministic polynomial space algorithm. To eliminate nondeterminism, we appeal to a well-known theorem of Savitch [Say70] which states that

247

N S P A C E ( f ( n ) ) C_ D S P A C E ( I ( n ) 2 ) , for f ( n ) > log n; that is, any nondeterministic algorithm that uses at least logarithmic space can be simulated b y a deterministic algorithm that uses at most quadratically larger amount of space. In particular, any nondeterministic polynomial-space algorithm can be simulated by a deterministic polynomial-space algorithm. To prove PSPACE-hardness, it can be shown that any PSPACE-hard problem can be reduced to the nonuniversality problem. That is, there is a logarithmic-space algorithm that given a polynomial-space-bounded Turing machine M and a word w outputs an automaton AM,,o such that M accepts w iff AM,~o is non-universal [MS72, HU79]. | 2.4

Automata on Infinite Words -

Algorithms

The results for Bfichi automata are analogous to the results in Section 2.3.

Proposition13. 1. [EL85b, ELg5a] The nonemptiness problem for Bfichi automata is decidable in

linear time. 2. [VW94] The nonemptiness problem for Bfichi automata is NLOGSPACE-complete. Proof: Let A = (S, S, S ~ p, F ) be the given automaton. We claim that Lo,(A) is nonempty iff there are states so E SO and t E F such.that t is connected to so and t is connected to itself. Suppose first that Lo, (A) is nonempty. Then there is an accepting run r = s o , sl, 999 of A on some input word. Clearly, si+x is directly connected to si for all i _> 0. Thus, sj is connected to si whenever i < j. Since r is accepting, some t E F occurs in r infinitely often; in particular, there are i, j, where 0 < i < j, such that t = si = sj. Thus, t is connected to so E S Oand t is also connected to itself. Conversely, suppose that there are states so E S o and t E F such that t is connected to so and t is connected to itself. Since t is connected to so, there are a sequence of states Sl, 9 sk and a sequence of symbols a l , . . . , ak such that sk = t and si E p(si-1, ai) for I < i < k. Similarly, since t is connected to itself, there are a sequence of states to,t1,... ,tt and a sequence of symbols b l , . . . , bt such that to = tk = t and ti E p(ti-1, hi) for 1 < i _< I. Thus, ( s o , s l , . . . , s k _ l ) ( t o , t l , . . . , t t _ l ) ~ is an accepting run of A on ( a l , . 9 ak)(bt, 99 9 bl) ~ so A is nonempty. Thus, Biichi automata nonemptiness is also reducible to graph reachability. 1. A depth-first-search algorittma can construct a decomposition of the graph into strongly connected components [CLR90]. A is nonempty iff from a component that intersects S Onontrivially it is possible to reach a nontrivial component that intersects F nontrivially. (A strongly connected component is nontrivial if it contains an edge, which means, since it is strongly connected, that it contains a cycle). 2. The algorithm simply guesses a state so E SO, then guesses a state s~ that is directly connected to so, then guesses a state s2 that is directly connected to s~, etc., until it reaches a state t E F. At that point the algorithm remembers t and it continues to move nondeterministically from a state s to a state s' that is directly connected to s until it reaches t again. Clearly, the algorithm needs only a logarithmic memory, since it needs to remember at most a description of three states at each step.

248

NLOGSPACE-hardness follows from NLOGSPACE-hardness ofnonemptiness for automata on finite words.

Proposition 14. [SVW87]

1. The nonuniversality problem for Bachi automata is decidable in exponential time. 2. The nonuniversality problem for Bfichi automata is PSPACE-complete. P r o o f : Again L~ (A) # L-~ iff LT M - Lo~(A) # 0 iff Lo~(~) # 0, where A is the complementary automaton of A (see Section 2,2). Thus, to test A for nonuniversality, it suffices to test A for nonemptiness. Since A is exponentially bigger than A and nonemptiness can be tested in linear time, it follows that nonuniversality can be tested in exponential time. Also, since nonemptiness can be tested in nondeterministie logarithmic space, nonuniversality can be tested in polynomial space. Again, the polynomial-space algorithm constructs A "on-the-fly". PSPACE-hardness follows easily from the PSPACE-hardness of the universality problem for automata on finite words [Wo182]. I

2.5

Automata on Finite Words - Alternation

Nondeterminism gives a computing device the power of existential choice. Its dual gives a computing device the power of universal choice. (Compare this to the complexity classes NP and co-NP [GJ79]). It is therefore natural to consider computing devices that have the power of both existential choice and universal choice. Such devices are called alternating. Alternation was studied in [CKS81] in the context of Turing machines and in [BL80, CKS81] for finite automata. The alternation formalisms in [BL80] and [CKS81] are different, though equivalent. We follow here the formalism of [BL80]. For a given set X, let B + (X) be the set ofpositive Boolean formulas over X (i.e., Boolean formulas built from elements in X using A and V), where we also allow the formulas true and false. Let Y C_ X. We say that Y satisfies a formula 0 E 13+(X) if the truth assignment that assigns true to the members of Y and assigns false to the members of X - Y satisfes 0. For example, the sets {Sl, s3} and {sl, s4} both satisfy the formula (sl V s2) A (s3 V 84). Consider a nondeterministic automaton A = (27, S, S ~ p, F). The transition function p maps a state s E S and an input symbol a E S to a set of states. Each dement in this set is a possible nondeterministic choice for the automaton's next state. We can represent p using B+(S); for example, p(s, a) = {sl, s2, s3} can be written as p(s, a) = sl V s2 V s3. In alternating automata, p(s, a) can be an arbitrary formula from B + (S). We can have, for instance, a transition

~(8, a) : (81 A 82) V (83 A .54) , meaning that the automaton accepts the word aw, where a is a symbol and w is a word, when it is in the state s if it accepts the word w from both Sl and s2 or from both s3 and

249

s4. Thus, such a transition combines the features 'of existential choice (the disjunction in the formula) and universal choice (the conjunctions in the formula). Formally, an alternating automaton is a tuple A = ( S , S, s t, p, F ) , where S is a finite nonempty alphabet, S is a finite nonempty set of states, s o E S is the initial state (notice that we have a unique initial state), F is a set of accepting states, and p : S x S ~ B + (S) is a transition function. Because o f the universal choice in alternating transitions, a run o f an alternating automaton is a tree rather than a sequence. A tree is a (finite or infinite) connected directed graph, with one node designated as the root and denoted by e, and in which every non-root node has a unique parent (s is theparent of t and t is a child of s if there is an edge from s to t) and the root e has no parent. The level of a node x, denoted Iz I, is its distance from the root e; in particular, lel = 0. A branch fl = x0, X h . . . of a tree is a maximal sequence of nodes such that x0 is the root e and xi is the parent of Xi+l for all i > 0. Note that fl can be finite or infinite. A E-labeled tree, for a finite alphabet S , is a pair (r, T), where r is a tree and T is a mapping from nodes(r) to S that assigns to every node of r a label in S . We often refer to T as the labeled tree. A branch /3 = x0, X l , . . . of T defines an infinite word T(fl) = T(xo), T ( x l ) , . . . consisting o f the sequence of labels along the branch. Formally, a run of A on a finite word w = a0, al, 9 9 9 an- 1 is a finite S-labeled tree r such that r(e) = s o and the following holds: if Ixl = i <., r(x) = s, and p(s, ai) =/9, then x has k children for some k < ISI, and { r ( x l ) , . . . , r ( x k ) } saUsfies 0.

Zl,...

,

Zk,

For example, if p(s ~ at) is (sl V s2) A (s3 V s4), then the nodes of the run tree at level 1 include the label sl or the label s2 and also include the label s3 or the label s4. Note that the depth of r (i.e., the maximal level o f a node in r) is at most n, but not all branches need to reach such depth, since if p(r(x), ai) = true, then x does not need to have any children. Note that if I~1 = i < n and r ( x ) = s, then we cannot have p(s, ai) = false, since false is not satisfiable. The run tree r is accepting if all nodes at depth n are labeled by states in F . Thus, a branch in an accepting run has to hit the true transition or hit an accepting state after reading all the input word. What is the relationship between alternating automata and nondetenninistic automata? It turns out that just as nondeterministic automata have the same expressive power as deterministic automata but they are exponentially more succinct, alternating automata have the same expressive power as nondetenninistic automata but they are exponentially more succinct. We first show that alternating automata are at least as expressive and as succinct as nondeterministic automata. Proposition 15. [BL80, CKS81, Lei81] Let A be a nondeterministic automaton. Then

there is an alternating automaton A , such that L( Aa ) = L( A ). Proof: Let A = (S, S, S ~ p, F). Then Aa = ( S , S U {sO}, s t, pa, F ) , where s o is a new state, and p~ is defined as follows, for b E S and s E S:

- p.(s ~ b) = VtEso,~,ep(t,b) t',

250

- -

p a ( 8 , b) = V t E p ( s , b ) t .

(We take an empty disjunction in the definition of pa to be equivalent to false.) Essentially, the transitions of A are viewed as disjunctions in Aa. A special treatment is needed for the initial slate, since we allow a set of initial states in nondeterministic automata, but only a single initial state in alternating automata. | Note that Aa has essentially the same size as A; that is, the descriptions of A~ and A have the same length. We now show that alternating automata are not more expressive than nondeterministic automata.

Proposition 16.

[BL80, CKS81, Lei81] Let A be an alternating automaton. Then there is a nondeterministic automaton An such that L( An ) = L( A ).

Proof: Let A

= (S, S, s t, p, F ) . Then A,~ = ( S , Sn, {{sO}}, Pn, Fn), where Sn = 2 s, -fin : 2 F, and pn(T, a) = { T ' I T ' satisfies A p(t, a)}. tET

(We lake an empty conjunction in the definition of pn to be equivalent to true; thus, 0 E Pn (0, a).) Intuitively, An guesses a run tree of A. At a given point of a run of An, it keeps in its memory a whole level of the run tree of A. As it reads the next input symbol, it guesses the next level of the run tree of A. | The translation from alternating automata to nondeterministic automata involves an exponential blow-up. As shown in [BL80, CKS81, Lei81], this blow-up is unavoidable. For example, fix some n > 1, and let S = {a, b}. Let l'n be the set of all words that have two different symbols at distance n from each other. That is, 1-'n = { u a v b w

l u, w E S*

and v E

~E'n~l} U { u b v a w

I u, w E .~* a n d v E

L'n-1}.

It is easy to see that Fn is accepted by the nondeterministic automaton A = (S, {p, q} U

{1,..., n} • {p}, p, {q}),wherep(p, a) = {p, (1, a)},p(p, b) = {p, (1, b)},p((a, i), =) = {(a,i + 1)} andp({b,i),z) = {(b,i + 1)} forz e S a n d 0 < i < n,p((a,n),a) = ~, p ( ( a , n ) , b ) = { q } , p ( ( b , n ) , b ) = @,p((b,n),a) = { q } , a n d p ( q , x ) = {q} f o r x 6 S . Intuitively, A guesses a position in the input word, reads the input symbol at that position, moves n positions to the right, and checks that it contains a different symbol. Note that A has 2n + 2 states. By Propositions 15 and 17 (below), there is an alternating automaton Aa with 2n + 3 states that accepts the complementary language ~ = S* - Fn. Suppose that we have a nondeterministic automaton An d = ( S , S, S o , pn d, F ) with fewer than 2 n states that accepts Fn. Thus, An accepts all words ww, where w E S " . Let s 0w , . . . , s w 2n an accepting run of A , d on ww. Since ISI < 2 n, there are two distinct wordu, v E S n suchthats~ = 8 vn . THUS,8 u~ 0 . . . ~ 8 u~ n s~+l, . . . ~ 8 v2n is an accepting rn n of And on uv, but uv ~ Fn since it must have two different symbols at distance n from each other. One advantage of alternating automata is that it is easy to complement them. We first need to define the dual operation on formulas in B + (X). Intuitively, the dual 0 of a

251

formula 0 is obtained from 0 by switching V and A, and by switching true and false. For example, z v (y A z) = ~: A (y V z). (Note that we are considering formulas in B + (X), so we cannot simply apply negation to these formulas.) Formally, we define the dual operation as follows: - ~ = ~:, f o r z E X , -

true = false,

-

false = true,

- (4 ^

=

v Z__-),and

- (c~Vfl)=(6Afl).

Supp_ose now that we are given an alternating automaton A = (27, S, s ~ p, F). Define A = (2?, S, s ~ ~, S - F), where ~(s, a) = p(s, a) for all s E S and a E 2?. That is, p is the dualized transition function. Pro__positionl7. [BL80, CKS81, Lei81] Let A be an alternating automaton. Then

L(A) = Z* - L(A). By combining Propositions 11 and 16, we can obtain a nonemptiness test for alternating automata, Proposition

18. [CKS81]

1. The nonemptiness problem for alternating automata is decidable in exponential time. 2. The nonemptiness problem for alternating automata is PSPACE-complete. Proof: All that remains to be shown is the PSPACE-hardness of nonemptiness. Recall that PSPACE-hardness of nonuniversality was shown in Proposition 12 by a generic reduction. That is, there is a logarithmic-space algorithm that given a polynomial-spacebounded Turing machine M and a word w outputs an automaton AM,w such that M accepts w iffAM,w is nonuniversal. By Proposition 15, there is an alternating automaton Aa such that L(Aa) = L(AM,w ) and A~ has the same size as AM,w. By Proposition 17, L(-A-a~) = S* - L(Aa). Thus, AM,w is nonuniversal iff Taa is nonempty. I

2.6

Automata

on Infinite Words - Alternation

We saw earlier that a nondetenninistic automaton can be viewed both as an automaton on finite words and as an automaton on infinite words. Similarly, an alternating automaton can also be viewed as an automaton on infinite words, in which case it is called an alternating Bfichi automaton [MS87]. Let A = (S, S, s ~ p, F ) be an alternating Btichi automaton. A run of A on an infinite word w = a0, a l , . . , is a (possibly infinite) S-labeled tree r such that r(r = s o and the following holds: if Ix[ = i, r(x) = s, and p(s, ai) = 0, then x has k children x l , . . . , x k , some k < ISI, and { r ( x l ) , . . . , r(xk)} satisfies 0.

for

252

The run r is accepting if every infinite branch in r includes infinitely many labels in F . Note that the run can also have finite branches; if Ix[ = i, r(x) = s, andp(s, ai) = t r u e , then z does not need to have any children. We with alternating automata, alternating Biichi automata are as expressive as nondeterministic Btichi automata. We first show that alternating automata are at least as expressive and as succinct as nondeterministic automata. The proof of the following proposition is identical to the proof of Proposition 19. Proposition ! 9. [MS87] Let A be a nondeterministic Bfichi automaton. Then there is

an alternating Bachi automaton An such that Lo~( Aa ) = L,, ( A ). As the reader may expect by now, alternating B tichi automata are not more expressive than nondeterministic B tichi automata. The proof of this fact, however, is more involved than the proof in the finite-word case. Proposition20. [MH84] Let A be an alternating Bachi automaton. Then there is a

nondeterministic Bachi automaton An such that Loj (An) = Lo~(A ). Proof: As in the finite-word case, An guesses a run of A. At a given point of a run of An, it keeps in its memory a whole level of the run of A (which is a tree). As it reads the next input symbol, it guesses the next level of the run tree of A. The nondeterministic automaton, however, also has to keep information about occurrences of accepting states in order to make sure that every infinite branch hits accepting states infinitely often. To that end, An partitions every level of the run of A into two sets to distinguish between branches that hit F recently and branches that did not hit F recently. Let A = ( S , S , s ~ Then A , = (S, Sn,S~ where S,~ = 2 s x 2 s (i.e., each state is a pair of sets of states of A), S O = {({so}, 0)} (i.e., the single initial state is pair consisting of the singleton set {s o) and the empty set), F , = {0} x 2 s, and -

foru ~ 0, p,~((U, V), a) = {(U', W) [ there exist X, Y c_ S such t h a t X satisfies A t ~ v p(t, a), Y satisfies /~,~v p(t, a), U'=X-F,

andV'=YtO(XOF)},

pn((O, V), a) = {(U', V')I there exists r C_ S such that Y satisfies At~v p(t, a), U' = Y - F, and V' = Y f'l F}. The proof that this construction is correct requires a careful analysis of accepting runs of A, | While complementation of alternating automata is easy (Proposition 17), this is not the case for alternating B tichi automata. Here we run into the same difficulty that we ran into in Section 2.2: not going infinitely often through accepting states is not the same as going infinitely often through non-accepting states. >From Propositions 7, 19 and 20.

253

it follows that alternating Biichi automata are closed under complement, but the precise complexity of complementation in this case is not known. Finally, by combining Propositions 13 and 20, we can obtain a nonemptiness test for alternating Biichi automata. Proposition 21. 1. The nonemptiness problem for alternating Bachi automata is decidable in exponential time. 2. The nonemptiness problem for alternating Bachi automata is PSPACE-complete.

Proof: All that remains to be shown is the PSPACE-hardness of nonemptiness. We show that the nonemptiness problem for alternating automata is reducible to the nonemptiness problem for alternating Biichi automata. Let A = ( S , S, s ~ p, F ) be an alternating automaton. Consider the alternating Biichi automaton A' = ( S , S, s ~ p', 0), where p'(s, a) = p(s, a) for s E S - F and a E S , and p'(s, a) = true for s E F and a E S . We claim that L ( A ) # 0 iff Lw(A') # 0. Suppose first that w E L ( A ) for some w E S*. Then there is an accepting run r of A on w. But then r is also an accepting run of A' on wu for all u E LTM,because p~(s,a) = true for s E F and a E S , so wu E Lw(A'). Suppose, on the other hand, that w E Lo~(A) for some w E L~ . Then there is an accepting run r of A' on w. Since A' has no accepting state, r cannot have infinite branches, so by K6nig's Lemma it must be finite. Thus, there is a finite prefix u of w such that r is an accepting run of A on u, so u E L(A). 1

3

Linear Temporal Logic and Automata on Infinite Words

Formulas of linear-time propositional temporal logic (LTL) are b u t t from a set Prop of atomic propositions and are closed under the application of Boolean connectives, the unary temporal connective X (next), and the binary temporal connective U (until) [Pnu77, GPSS80]. LTL is interpreted over computations. A computation is a function ~ 7r : N --~ 2 Pr~ which assigns truth values to the elements of Prop at each time instant (natural number). For a computation ~r and a point i E ~v, we have that: - ~r, i ~ p for p E Prop i f f p E ~r(i).

- ~r,i~Ar162 - ~r,i ~ -~9 iffnot 7r, i ~ 9

- ~r,i~X~iff~r,i+l~9. - ~r, i ~ ~ U r ifffor some j _> i, wehave ~r,j ~ ~ and for allk, i < k < j, we have Thus, the formula t r u e U 9, abbreviated as F g , says that 9 holds eventually, and the formula -~F~9, abbreviated G 9, says that 9 holds henceforth. For example, the formula G(~request V (requestUgrant)) says that whenever a request is made it holds continuously until it is eventually granted. We will say that 7r satisfies a formula 9, denoted 7r ~ 9, iff ~', 0 ~ 9. Computations can also be viewed as infinite words over the alphabet 2 pr~ . We shall see that the set of computations satisfying a given formula are exactly those accepted

254

by some finite automaton on infinite words. This fact was proven first in [SPH84]. The proof there is by induction on structure of formulas, Unfortunately, certain inductive steps involve an exponential blow-up (e.g., negation corresponds to complementation, which we have seen to be exponential). As a result, the complexity of that translation is nonelementary, i.e., it may involve an unbounded stack of exponentials (that is, the complexity bound is of the form 2n ""

1

where the height of the stack is n.) The following theorem establishes a very simple translation between LTL and alternating Btichi automata. Theorem22. [MSS88, Var94] Given an LTL formula T, one can build an alternating Bachi automaton A~ = ( S, S, s ~ p, F), where Z = 2 Pr~ at/z/IS[ is in O([TI), such that L~ ( A~ ) is exactly the set of computations satisfying the formula T. Proof.- The set S of states consists of all subformulas o f t and their negation (we identify the formula -~mb with r The initial state s o is T itself. The set F of accepting states consists of all formulas in S of the form --,(~Ur It remains to define the transition function p. In this construction, we use a variation of the notion of dual that we used in Section 2.5. Here, the dual 0 of a formula is obtained from 0 by switching V and A, by switching true and false, and, in addition, by negating subformulas in S, e.g., -~p V (q A Xq) is p A (-~q V -~Xq). More formally,. - ~ = --,~, for ~ E S, - true = false, - false = true,

- (,~ A ~) = (~ v ~), and - ( ~ v/~) = ( ~ ^ ~). We can now define p:

p(p, a) = true ifp E a, p(p, a) = false ifp ~ a, - ,o(,~ A r a) = p(,~, a) ^ ,o(r a), - p(-~r a) = p(r ~), -

-

p(Xe,

-

p(~Ur

a ) ---- r

a) : p ( r a) V (p(~, a) A ~ U r

Note that p(r a) is defined by induction on the structure of r Consider now a run r of A~. It is easy to see that r can have two types of infinite branches. Each infinite branch is labeled from some point on by a formula of the form ~Vr or by a formula o f th e form --,(~Ur Since p(-~(~Vr a) = p(r a) A (p(~, a) V --,(~Ur an infinite branch labeled from some point by --,(~Ur ensures that ~Ur indeed falls at that point, since r fails from that point on. On the other hand, an infinite branch labeled from some point by ~Ur does not ensure that ~Ur holds at that point, since it does not ensure that r eventually holds. Thus, while we should allow infinite

255

branches labeled by --,((U~b), we should not allow infinite branches labeled by (UV. This is why we defined F to consists of all formulas in S of the form --,(~U!b). |

Example1. Consider the formula ~ = (X-,p)Uq. The alternating Biichi automaton associated with ~ is A~, = (20',q}, {~, -,to, X-,p, -,X-,p, -~p,p, q, -,q}, ~o, p, {--,~o}), where p is described in the following table. liP(s, {p,q})[p(s, {p})[p(s, true --,p A ~o true -~ false p V ",la false X~p ~p ~p --,p -,X-,pl p p p --,p false false true p true true false q true false true -~q false true false s

9

{q})lp(s,r --,p A 9a p V "!a

~p p true false false true

In the state ~o, if q does not hold in the present state, then A~ requires both X-~p to be satisfied in the present state (that is, --,p has to be satisfied in next state), and it to be satisfied in the next state. As ~ ~ F, A~, should eventually reach a state that satisfies q. Note that many of the states, e.g., the subformulas X - , p and q, are not reachable; i.e., they do not appear in any run of A~,. | By applying Proposition 20, we now get: Coronary23. [VW941 Given an LTL formula ~, one can build a Bachi automaton A~, = (S, S, S ~ p, F), where S = 2 P~~ and ISI is in 2 ~ such that L~(A~,) is exactly the set of computations satisfying the formula ~. The proof of Corollary 23 in [VW94] is direct and does not go through alternating Btichi automata. The advantage of the proof here is that it separates the logic from the combinatorics. Theorem 22 handles the logic, while Proposition 20 handles the combinatorics.

Example2. Consider the formula to = FGp, which requires p to hold from some point on. The Biichi automaton associated with ~ is A~o = (2 {p) , {0, 1}, {0}, p, { 1}), where p is described inthe following table.

slip(s, {p})lp(s, 0)1 90 {0,1} 1 {1}

~0} [

The automaton A~, can stay forever in the state 0. Upon reading p, however, A~, can choose to go to the state 1. Once A~, has made that transition, it has to keep reading p, otherwise it rejects. Note that A~, has to make the transition to the state 1 at some point, since the state 0 is not accepting. Thus, A~o accepts precisely when p holds from some point on. |

256

4 4.1

Applications Satisfiability

An LTL formula ~ is satisfiable if there is some computation ~r such that 7r ~ ~. An unsatisfiable formula is uninteresting as a specification, so unsatisfiability most likely indicates an erroneous specification. The satisfiability problem for LTL is to decide, given an LTL formula ~, whether ~ is satisfiable. Theorem24. [SC85] The satisfiability problem for LTL is PSPACE-complete. Proof: By Corollary 23, given an LTL formula ~, we can construct a Btichi automaton A~,, whose size is exponential in the length of ~, that accepts precisely the computations that satisfy ~. Thus, ~ is satisfiable iff A~ is nonempty. This reduces the satisfiability problem to the nonemptiness problem. Since nonempljness of Btichi automata can be tested in nondeterministic logarithmic space (Proposition 13) and since A~ is of exponential size, we get a polynomial-space algorithm (again, the algorithm constructs A~ "on-the-fly"). To prove PSPACE-hardness, it can be shown that any PSPACE-hard problem can be reduc~l to the satisfiability problem. That is, there is a logarithmic-space algorithm that given a polynomial-space-bounded Turing machine M and a word w outputs an LTL formula ~g,w such that M accepts w iff ~M,w is satisfiable. 1 An LTL formula ~ is valid if for every computation 7r we have that 7r ~ ~. A valid formula is also uninteresting as a specification. The validity problem for LTL is to decide, given an LTL formula ~, whether ~ is valid. It is easy to see that ~o is valid iff - ~ is not satisfiable. Thus, the validity problem for LTL is also PSPACE-complete.

4.2 Verification We focus here onfinite-state programs, i.e., programs in which the variables range over finite domains. The significance of this class follows from the fact that a significant number of the communication and synchronization protocols studied in the literature are in essence finite-state programs [Liu89, Rud87]. Since each state is characterized by a finite amount of information, this information can be described by certain atomic propositions. This means that a finite-state program can be specified using propositional temporal logic. Thus, we assume that we are given a finite-state program and an LTL formula that specifies the legal computations of the program. The problem is to check whether all computations of the program are legal. Before going further, let us define these notions more precisely. A finite-state program over a set Prop of atomic propositions is a structure of the form P = (IV, w0, R, V), where W is a finite set of states, w0 E W is the initial state, R C_ W 2 is a total accessibility relation, and V : W ~ 2 Pr~ assigns truth values to propositions in Prop for each state in W. The intuition is that W describes all the states that the program could be in (where a state includes the content of the memory, registers, buffers, location counter, etc.), R describes all the possible transitions between states (allowing for nondeterminism), and V relates the states to the propositions (e.g., it tells us in what states the proposition request is true). The assumption that R is total

257

(i.e., that every state has a child) is for technical convenience. We can view a terminated execution as repeating forever its last state. Let u be an infinite sequence u0, u l . . . of states in W such that u0 = w0, and uiRui+l for all i > 0. Then the sequence V(uo), V ( u l ) . . . is a computation of P. We say that P satisfies an LTL formula 9 if all computations of P satisfy 9. The verification problem is to check whether P satisfies 9. The complexity of the verification problem can be measured in three different ways. First, one can fix the specification 9 and measure the complexity with respect to the size of the program. We call this measure the program-complexity measure. More precisely, the program complexity of the verification problem is the complexity of the sets {P [ P satisfies 9} for a fixed 9. Secondly, one can fix the program P and measure the complexity with respect to the size of the specification. We call this measure the specification-complexity measure. More precisely, the specification complexity of the verification problem is the complexity of the sets {9 [ P satisfies 9} for a fixed P. Finally, the complexity in the combined size of the program and the specification is the combined complexity. Let C be a complexity class. We say that the'program complexity of the verification problem is in C if {P [ P satisfies 9} E C for any formula 9. We say that the program complexity of the verification problem is hard for C if {P I P satisfies 9} is hard for C for some formula 9. We say that the program complexity of the verification problem is complete for C if it is in C and is hard for C. Similarly, we say that the specification complexity of the verification problem is in C if {9 1P satisfies 9} E C for any program P, we say that the specification complexity of the verification problem is hard for C if {9 1P satisfies 9} is hard for C for some program P, and we say that the specification complexity of the verification problem is complete for C if it is in C and is hard for C. We now describe the automata-theoretic approach to the verification problem. A finite-state program P = (W, w0, R, V) can be viewed as a Biichi automaton A p = (S, W, {w0}, p, W), where 2? = 2 P~~ and s' E p( s , a) iff ( s , s' ) E R and a = V ( s ) . As this automaton has a set of accepting states equal to the whole set of states, any infinite run of the automaton is accepting. Thus, Lo~(Ap) is the set of computations of P. Hence, for a finite-state program P and an LTL formula 9, the verification problem is to verify that all infinite words accepted by the automaton Ap satisfy the formula 9. By Corollary 23, we know that we can build a Btichi automaton A~ that accepts exactly the computations satisfying the formula 9. The verification problem thus reduces to the automata-theoretic problem of checking that all computations accepted by the automaton Ap are also accepted by the automaton A~, that is L~ (Ap) C__Lo~(A~). Equivalently, we need to check that the automaton that accepts Lo~ ( A p ) N L~ (A~) is empty, where L,~('A-7) = L ~ ( A ~ ) = L ~ - Lo~(A~).

First, note that, b y Corollary 23, Lo~(A~) = Lo~(A-,~) and the automaton A-~ has 2~ states. (A straightforward approach, starting with the automaton A~ and then using Proposition 7 to complement it, would result in a doubly exponential blow-up,) To get the intersection of the two automata, we use Proposition 6. Consequently, we can build an automaton for L,~ ( A p ) CI L , z ( A . ~ ) having I W I , 2 ~ states. We need to check this automaton for emptiness. Using Proposition 13, we get the following results.

258

Theorem25. [LP85, SC85, VW861

1. The program complexity of the verification problem is complete for NLOGSPACE. 2. The specification complexity of the verification problem is complete for PSPACE. 3. Checking whether a finite-state program P satisfies an LTL formula ~ocan be done in time O(IPI 92 ~ or in space 0((1~,[ + log IpD2). We note that a time upper bound that is polynomial in the size of the program and exponential in the size of the specification is considered here to be reasonable, since the specification is usually rather short [LP85]. For a practical verification algorithm that is based on the automata-theoretic approach see [CVWY92].

4.3

Synthesis

In the previous section we dealt with verification: we are given a finite-state program and an LTL specification and we have to verify that the program meets the specification. A frequent criticism against this approach, however, is that verification is done after significant resources have already been invested in the development of the program. Since programs invariably contain errors, verification simply becomes part of the debugging process. The critics argue that the desired goal is to use the specification in the program development process in order to guarantee the design of correct programs. This is called program synthesis. It turns out that to solve the program-synthesis problem we need to use automata on infinite trees.

Rabin Tree Automata Rabin tree automatarun on infinitelabeled trees with a uniform branching degree (recall the definition of labeled trees in Section 2.5). The (infinite) kary tree ~-k is the set { 1 , . . . , k}*, i.e., the set of all finite sequences over { 1 , . . . , k}. The elements of rk are the nodes of the tree. If x and xi are nodes of rk, then there is an edge from x to xi, i.e., z is the parent of zi and xi is the child of z. The empty sequence e is the root o f r k . A branch/3 = x0, z l , . . , of rk is an infinite sequence of nodes such that z0 = e, and xi is the parent of zi+l for all i _> 0. A S-labeled k-ary tree T , for a finite alphabet S , is a mapping 7 : 7-k ~ Z that assigns to every node a label. We often refer to labeled trees as trees; the intention will be clear from the context. A branch /3 = a:0, z l , . . , of T defines an infinite word 7(/3) = T(z0), 7-(Xl),... consisting of the sequence of labels along the branch. A k-ary Rabin tree automaton A is a tuple ( S , S, S ~ p, G), where 2 is a finite alphabet, S is a finite set of states, SO C_ S is a set of initial states, G C_ 2 s x 2 s is a Rabin condition, and p : S x S -~ 2 sk is a transition function. The automaton A takes as input Z-labeled k-ary trees. Note that p(s, a) is a set of k-tuples for each state s and symbol a. Intuitively, when the automaton is in state s and it is reading a node x, it nondeterministically chooses a k-tuple ( s l , . . . , sk) in p(s, T ( x ) ) and then makes k copies of itself and moves to the node zi in the state si for i = 1 , . . . , k. A run r : "ok ~ S of A on a Z-labeled k-ary tree 7- is an S-labeled k-ary tree such that the root is labeled by an initial state and the transitions obey the transition function p; that is, r(e) E S ~ and for each node x we have ( r ( x l ) , . . . , r ( z k ) ) E p(r(z), 7-(x)). The run is accepting if r(/3) satisfies G for every branch/3 = z0, x l , . . , of ~-k. That is,

259

for every branch/~ = ~0, xl, .... there is some pair (L, U) E G such that r(xi) E L for infinitely many i's, but r(xi) E U for only finitely many i's. Note that different branches might be satisfied by different pairs in G. The language of A, denoted Lo~(A), is the set of trees accepted by A. It is easy to see that Rabin automata on infinite words are essentially 1-ary Rabin tree automata. The nonemptiness problem for Rabin tree automata is to decide, given a Rabin tree automaton A, whether Lw (A) is nonempty. Unlike the nonemptiness problem for automata on finite and infinite words, the nonemptiness problem for tree automata is highly nontrivial. It was shown to be decidable in [Rab69], but the algorithm there had nonelementary time complexity; i.e., its time complexity could not be bounded by any fixed stack of exponential functions. Later on, elementary algorithms were described in [HR72, Rab72]. The algorithm in [HR72] runs in doubly exponential time and the algorithm in [Rab72] runs in exponential time. Several years later, in [Eme85, VS85], it was shown that the nonemptiness problem for Rabin tree automata is in NP. Finally, in [EJ88], it was shown that the problem is NP-complete. There are two relevant size parameters for Rabin tree automata. The first is the transition size, which is size of the transition function (i.e., the sum of the sizes of the sets Ip(s, a)] for s E S and a E S); the transition size clearly takes into account the the number of states in S. The second is the number of pairs in the acceptance condition G. For our application here we need a complexity analysis of the nonemptiness problem that takes into account separately the two parameters.

Proposition 26. [EJ88, PR89] For Rabin tree automata with transition size m and n pairs, the nonemptiness problem can be solved in time (ran) ~ In other words, the nonemptiness problem for Rabin tree automata can be solved in time that is exponential in the number of pairs but polynomial in the transition size. As we will see, this distinction is quite significant. Realizability The classical approach to program synthesis is to extract a program from a proof that the specification is satisfiable. In [EC82, MW841, it is shown how to extract programs from (finite representations of) models of the specification. In the late 1980s, several researchers realized that the classical approach is well suited to closed systems, but not to open systems [Di189, PR89, ALW89]. In open systems the program interacts with the environment; such programs are called reactive programs [HP85]. A correct reactive program should be able to handle arbitrary actions of the environment. If one applies the techniques of [EC82, MW84] to reactive programs, one obtains programs that can handle only certain actions of the environment. In [PR89, ALW89, Di189], it is argued that the fight way to approach synthesis of reactive programs is to consider the situation as an infinite game between the environment and the program. We are given a finite set W of states and a valuation V : W ~ 2 P r ~ . The intuition is that W describes all the observable states that the system can be in. (We will see later why the emphasis here on observability.) A behavior r over W is an infinite word over the alphabet W. The intended meaning is that the behavior w0, w l , . . , describes a sequence of states that the system goes through, where the transition from wi_ l to wi was caused by the environment when i is odd and by the program when i is even. That is,

260

the program makes the first move (into the first state), the environment responds with the second move, the program counters with the third move, and so on. We associate with r the computation V(r) = V(wo), V(wl), ., and say that r satisfies an LTL formula if V(r) satisfies 9. The goal of the program is to satisfy the specification 9 in the face of every possible move by the environment. The program has no control over the environment moves; it only controls its own moves. Thus, the situation can be viewed as an infinite game between the environment and the program, where the goal of the program is to satisfy the specification 9. Infinite games were introduced in [GS53] and they are of fundamental importance in descriptive set theory [Mos80]. Histories are finite words in W*. The history of a run r = w0, w l , . . , at the even point i > 0, denoted hist(r, i), is the finite word wl, w 3 , . . . , wi-1 consisting of all states moved to by the environment; the history is the empty sequence e for i = 0. A program is a function f : W* ~ W from histories to states. The idea is that if the program is scheduled at a point at which the history is h, then the program will cause a change into the state f(h). This captures the intuition that the program acts in reaction to the environment's actions. A behavior r over W is a run of the program f if si = f(hist(r, i)) for all even i. That is, all the state transitions caused by the program are consistent with the program f . A program f satisfies the specification ~ if every run of f over W satisfies 9. Thus, a correct program can be then viewed as a winning strategy in the game against the environment. We say that ~ is realizable with respect to W and V if there is a program f that satisfies 9, in which case we say that f realizes 9. (In the sequel, we often omit explicit mention of W and V when it is clear from the context.) It turns out that satisfiability of 9 is not sufficient to guarantee realizability of 9.

Example3. Consider the case where Prop = {p}, W = {0, 1}, V(0) = 0, and V(1) = {p}. Consider the formula Gp. This formula requires that p always be true, and it is clearly satisfiable. There is no way, however, for the program to enforce this requirement, since the environment can always moves to the state 0, making p false. Thus, Gp is not realizable. On the other hand, the formula GFp, which requires p to hold infinitely often, is realizable; in fact, it is realized by the simple program that maps every history to the state 1. This shows that realizability is a stronger requirement than satisfiability. | Consider now the specification 9. By Corollary 23, we can build a Btichi automaton A~ = (S, S, S ~ p, F), where S = 2Pr~ and ISI is in 2 ~ such that L~(A~) is exactly the set of computations satisfying the formula ~o. Thus, given a state set W and a valuation V : W ~ 2 Pr~ we can also construct a Biichi automaton A~ = (W, S, S O, p', F ) such that L~ (A~) is exactly the set of behaviors satisfying the formula 9, by simply taking p~(s, w) = p(s, V(w)). It follows that we can assume without loss of generality that the winning condition for the game between the environment and the program is expressed by a Btichi automaton A: the program f wins the game if every run of f is accepted by A. We thus say that the program f realizes a Btichi automaton A if all its runs are accepted by A . We also say then that A is realizable. It turns out that the realizability problem for Btichi automata is essentially the solvability problem described in [Chu63]. (The winning condition in [Chu63] is expressed

261

in S1S, the monadic second-order theory of one successor function, but it is known [Btic62] that S 1S sentences can be translated to Biichi automata.) The solvability problem was studied in [BL69, Rab72]. It is shown in [Rab721 that this problem can be solved by using Rabin tree automata. Consider a program f : W* ---. W. Suppose without loss of generality that W = { 1 , . . . , k}, for some k > 0. The program f can be represented by a W-labeled k-ary tree 7-I. Consider a node z = ioil ... i,,~, where 1 < ii < k for j = 0 . . . . , m. We note that x is a history in W*, and define T / ( x ) = f ( z ) . Conversely, a W-labeled k-ary tree 7- defines a program fT-. Consider a history h = ioil . . . ira, where 1 < ii < k for j = 0 , . . . , m. We note that h is a node of rk, and define fT-(h) = 7-(h). Thus, W-labeled k-ary trees can b e viewed as programs. It is not hard to see that the runs of f correspond to the branches of Ty. Let /~ = z0, 2:1,... be a branch, where x0 = e and ~:j = ~ j - l i j - 1 for j > 0. Then r = 7-(z0), i0, 7-(zl), il, 7-(x2), 999 is a run of f , denoted r(/~). Conversely, if r = i0, i l , . . , is a run of f , then 7-I contains a branch/~(r) = z0, ~:1, 99-, where z0 = e, :ej = xi_li2j+l, and 7-(xj) = i2j f o r j >__0. O n e w a y to visualize thisis to thinkof the edge from the parent z to its child xi as labeled by i. Thus, the run r(fl) is the sequence of edge and node labels along ft. We thus refer to the behaviors r(fl) for branches j3 of a W-labeled k-ary tree 7- as the runs o f T , and we say that 7" realizes a Biichi automaton A if all the runs of 7" are accepted by A. We have thus obtained the following:

Proposition27. A program f realizes a Bachi automaton A iff the tree 7-f realizes A. We have thus reduced the realizability problem for LTL specifications to an automatatheoretic problem: given a Biichi automaton A, decide if there is a tree 7- that realizes A. Our next step is to reduce this problem to the nonemptiness problem for Rabin tree automata. We will construct a Rabin automaton/3 that accepts precisely the trees that realize A. Thus, Lo~(/3) ~ 0 iffthere is atree that realizes A. Theorem28. Given a Bfichi automaton A with n states over an alphabet W = { 1 , . . . , k}, we can construct a k-ary Rabin tree automaton B with transition size k 2O( n logn) and O ( n ) pairs such that Loj ( B ) is precisely the set of trees that realize A. Proof: Consider an input tree T . The Rabin tree automaton B needs to verify that for every branch/3 of T we have that r(/~) E L~ (A). Thus, B needs to "run A in parallel" on all branches of 7-. We first need to deal with the fact that the labels in 7- contain information only about the actions of f (while the information on the actions of the environment is implicit in the edges). Suppose that A = (W, S, S o , p, F ). We first define a Btichi automaton A' that emulates A by reading pairs of input symbols at a time. Let A' = (W 2, S x {0, 1}, S O x {0}, p', S x {1}), where

p'(s, (a, b)) = {(t, O) It ~ p(s', b)

F for some s' E p(s, a) - F } U

{ (t, 1) It ~ p(s', b) for some s' e p(s, a) n F } U {(t, 1) It E p ( J , b) O F for some s' E p(s, a)}.

262

Intuitively, p' applies two transitions of A while remembering whether either transition visited F. Note that this construction doubles the number of states. It is easy to prove the following claim: Claim: A' accepts the infinite word (w0, wl), (w2, w3), 999over the alphabet W 2 iffA accepts the infinite word w0, wl, w2, w3,.., over W. In order to be able to run A' in parallel on all branches, we apply Proposition 10 to A' and obtain a deterministic Rabin automaton Ad such that Lo~(Ad) = L~(A'). As commented in Section 2.2, Ad has 2~ log,~) states and O(n) pairs. Let Aa = (W 2, Q, {q0}, 6, G). We can now construct a Rabin tree automaton that "runs Ad in parallel" on all branches o f T . Let B = (W, Q, {q0}, 6~, G), where 6~is defined as follows: 6'(q,a) - 6(q, (a, 1)) x . - - 6 ( q , (a,k)). Intuitively, B emulates Ad by feeding it pairs consisting of a node label and an edge label. Note that if 6(q, (a, i)) = 0 for some 1 < i < k, then 6~(q, a) = O. Claim: L~,(B) is precisely the set of trees that realize A. It remains to analyze the size of A. It is clear that it has 2 ~ logn)states and O(n) pairs. Since it is deterministic, its transition size is k2 ~ logn). 1 We can now apply Proposition 25 to solve the realizability problem. Theorem29. [ALW89, PR89] The realizability problem for Bfichi automata can be

solved in exponential time. Proof: By Theorem 28, given a Btichi automaton A with n states over an alphabet W = { 1 , . . . , k}, we can construct a k-ary Rabin tree automaton B with transition size k2O(n logn) and and O(n) pairs such that L,~(B) is precisely the set of trees that realize A. By Proposition 26, we can test the nonemptiness of B in time k~176 "=loan). 1 Corollary 30. [PR89] The realizability problem for LTL can be solved in doubly expo-

nential time. Proof: By Corollary 23, given an LTL formula 9, one can build a Biichi automaton A~ with 20(1~1) states such that L~(A~) is exactly the set of computations satisfying the formula 9. By combining this with the bound of Theorem 29, we get a time bound of k 2~(!~'I). 1 In [PR89], it is shown that the doubly exponential time bound of Corollary 30 is essentially optimal. Thus, while the realizability problem for LTL is decidable, in the worst case it can be highly intractable.

Example4. Consider again the situation where Prop = {p}, W = {0, 1}, V(0) = 0, and V(1) = {p}. Let ~ be the formula Gp. We have A~ = (W, {1}, {1}, p, W), where p(1, 1) = {1}, and all other transitions are empty (e.g., p(1,0) = 0, etc.). Note that A~ is deterministic. We can emulate A~, by an automaton that reads pairs of symbols: A~ = (W 2, W x {0, 1}, {(1,0)},p', W x {1}), where p((1,0), (1, 1)) = {(1, 1)}, and all other transitions are empty. Finally, we construct the Rabin tree automaton

263

B = (W, W x {0, 1 }, (1, 0), 6', (L, U)), where 6' (s, a) is empty for all states s and symbol a. Clearly, L~ (B) = 0, which implies that Gp is not realizable. | We note that Corollary 30 only tells us how to decide whether an LTL formula is realizable or not. It is shown in [PR89], however, that the algorithm of Proposition 26 can provide more than just a "yes/no" answer. When the Rabin automaton B is nonempty, the algorithm returns a finite representation of an infinite tree accepted by B. It turns out that this representation can be converted into a program f that realizes the specification. It even turns out that this program is afinite-state program. This means that there are a finite set N , a function g : W* ~ N, a function a l : N x W --~ N, and a function c~2 : N ---, W such that for all h E W* and w E W we have: - f ( h ) = c~2(g(h)) - g(hw) = cq(g(h), w)

Thus, instead of remembering the history h (which requires an unbounded memory), the program needs only to remember g(h). It performs its action a l ( h ) and, when it sees the environment's action w, it updates its memory to a2(g(h), w). Note that this "memory" is internal to the program and is not pertinent to the specification. This is in contrast to the observable states in W that are pertinent to the specification.

Acknowledgements I am grateful to Oystein Haugen, Orna Kupferman, and Faron Moiler for their many comments on earlier drafts of this paper.

References IALW891 M. Abadi, L. Lamport, and P. Wolper. Realizable and unrealizable concurrent program specifications. In Proc. 16th Int. Colloquium on Automata, Languages and Programming, volume 372, pages 1-17. Lecture Notes in Computer Science, SpringerVerlag, July 1989. [BL69] J.R. B~lchi and L.HG. Landweber. Solving sequentialconditions by finite-state strategies. Trans. AMS, 138:295-311, 1969. J.A. Brzozowski and E. Leiss. Finite automata, and sequential networks. Theoretical [BL80I Computer Science, 10:19-35, 1980. lBilc62] J.R. Btlchi. On a decision method in restricted second order arithmetic. In Proc. Internat. Congr. Logic, Method and Philos. Sci. 1960, pages 1-12, Stanford, 1962. Stanford University Press. [Cho74] Y. Choueka. Theories of automata on w-tapes: A simplified approach. J. Computer and System Sciences, 8:117-141, 1974. [Chu63] A. Church. Logic, arithmetics, and automata, In Proc. International Congress of Mathematicians, 1962, pages 23-35. institut Mittag-Leffler, 1963. [CKS811 A.K. Chandra, D.C. Kozen, and L.J. Stockmeyer. Alternation. Journal of the Association for Computing Machinery, 28(1):114-133, January 1981. [CLR90] T.H. Cormen, C.E. Leiserson, and R.L. Rivest. Introduction to Algorithms. Mrr Press, 1990.

264

[cvwv92] C. Courcoubetis, M.Y. Vardi, P. Wolper, and M. Yannakakis. Memory 'efficient [Di1891 [EC82] [EH86] [EJ88]

algorithms for the verification of temporal properties. Formal Methods in System Design, 1:275-288, 1992. D.L. Dill. Trace theory for automatic hierarchical verification of speed independent circuits. MIT Press, 1989. E.A. Emerson and E.M. Clarke. Using branching time logic to synthesize synchronization skeletons. Science of Computer Programming, 2:241-266, 1982. E.A. Emerson and J.Y. Halpem. Sometimes and not never revisited: On branching versus linear time. Journal of the ACM, 33(1):151-178, 1986. E.A. Emerson and C. Jufla. The complexity of tree automata and logics of programs.

In Proceedings of the 29th IEEE Symposium on Foundations of ComputerScience, White Plains, October 1988. E.A. Emerson and C. Jufla. On simultaneously determinizing and complementing toautomata. In Proceedings of the 4th IEEE Symposium on Logic in Computer Science, pages 333-342, 1989. E.A. Emerson and C.-L. Lei. Modalities for model checking: Branching time logic [EL85a] strikes back. In Proceedings of the Twelfth ACM Symposium on Principles of Programming Languages, pages 84-96, New Orleans, Janhary 1985. E.A. Emerson and C.-L. Lei. Temporal model checking under gene~:alized fairness [EL85b] constraints. In Prec. 18th Hawaii International Conference on System Sciences, Hawaii, 1985. [Eme85] E.A. Emerson. Automata, tableaux, and temporal logics. In Prec. Workshop on Logic of Programs, volume 193 of Lecture Notes in Computer Science, pages 79-87. Springer-Verlag, 1985. M. Garey and D. S. Johnson. Computers and Intractability: A Guide to the Theory [GJ79] ofNP-completeness. W. Freeman and Co., San Francisco, 1979. [GPSS80] D. Gabbay, A. Pnueli, S. Shelah, and J. Stavi. On the temporal analysis of fairness. [EJ89]

In Proceedings ofthe 7th ACM Symposiumon Principles of Programming Languages, [GS53] [HP85]

[HR72] [HU79] [Jon75] [Lam80]

pages 163-173, January 1980. D. Gale and F. M. Stewart. Infinite games ofperfectinformation. Ann. Math. Studies, 28:245-266, 1953. D. Harel and A. Pnueli. On the development of reactive systems. In K. Apt, editor, Logics and Models of Concurrent Systems, volume F-13 of NATO AdvancedSummer Institutes, pages 477-498. Springer-Verlag, 1985. R. Hossley and C.W. Rackoff. The emptiness problem for automata on infinite trees. In Prec. 13th IEEE Symp. on Switching and Automata Theory, pages 121-124, 1972. J.E. Hopcroft and J.D. Ullman. Introduction to Automata Theory, Languages and Computation. Addison-Wesley, New York, 1979. N.D. Jones. Space-bounded reducibility among combinatorial problems. Journal of Computer and System Sciences, 11:68-75, 1975. L. Lamport. Sometimes is sometimes "not never" - on the temporal logic ofprograms.

In Proceedings ofthe 7thACM Symposiumon Principles of Programming Languages, [Lei81l [Liu89] [LP851

pages 174-185, January 1980. Leiss. Succinctrepresentation of regular languages by boolean automata. Theoretical Computer Science, 13:323-330, 1981. M.T. Liu. Protocol engineering. Advances in Computing, 29:79-195, 1989. O. Lichtenstein and A. Pnueli. Checking that finite state concurrentprograms satisfy their linear specification. In Proceedings of the TwelfthA CM Symposium on Principles of Programming Languages, pages 97-107, New Orleans, January 1985.

265

O. Lichtenstein, A. Pnueli, and L. Zuck. The glory of the past. In Logics of Programs, volume 193, pages 196-218,Brooklyn, June 1985. Lecture Notes in Computer Science, Springer-Verlag. [MEN66] R. McNaughton. Testing and generating infinite sequences by a finite automaton. Information and Control, 9:521-530, 1966. A.R. Meyer and i . J . Fischer. Economy of description by automata, grammars, and [MF71] formal systems. In Prec. 12th IEEE Syrup. on Switching andAutomata Theory, pages 188-i91, 1971. S. Miyano and T. Hayashi. Alternating finite automata on w-words. Theoretical [MH84] Computer Science, 32:321-330, 1984. M. Michel. Complementation is more difficult with automata on infinite words. [Mic88] CNET, Paris, 1988. [Mos80] Y.N. Moschovakis. Descriptive Set Theory. North Holland, 1980. Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent Systems: [MP92] Specification. Springer-Verlag, Berlin, January 1992. A.R. Meyer and L.J. Stockmeyer. The equivalence problem for regular expressions [MS72] with squaring requires exponential time. In Proc. 13th IEEE Symp. on Switching and Automata Theory, pages 125-129, 1972. D.E. Muller and EE. Schupp. Alternating automata on infinite trees. Theoretical [MS87] Computer Science, 54,:267-276, 1987. [MSS88] D. E. Muller, A. Saoudi, and E E. Schupp. Weak alternating automata give a simple explanation of why most temporal and dynamic logics are decidable in exponential time. In Proceedings 3rd IEEE Symposium on Logic in Computer Science, pages 422-427, Edinburgh, July 1988. [MW84] Z. Manna and E Wolper. Synthesis of communicating processes from temporal logic specifications. ACM Transactions on Programming Languages and Systems, 6(1):68-93, January 1984. S. Owicki and L. Lamport. Proving liveness properties ofconcurrentprograms. ACM [OL82] Transactions on Programming Languages and Systems, 4(3):455-495, July 1982. [Pei85] R. Peikert. o~-regular languages and propositional temporal logic. Technical Report 85-01, ETH, 1985. A. Pnueli. The temporal logic of programs. In Proc. 18th IEEE Symposium on [Pnu77] Foundation of Computer Science, pages 46-57, 1977. A. Pnueli and R. Rosner. On the synthesis of a reactive module. In Proceedings of [PR89] the Sixteenth ACM Symposium on Principles of Programming Languages, Austin, Januery 1989. M.O. Rabin. Decidability of second order theories and automata on infinite trees. [Rab69] Transaction of the AMS, 141:1-35, 1969. M.O. Rabin. Automata on infinite objects and Church's problem. In Regional Conf. [Rab721 Set Math., 13, Providence, Rhode Island, 1972. AMS. [RS59] M.O. Rabin and D. Scott. Finite automata and their decision problems. IBM J. of Research and Development, 3:115-125, 1959. [Rud87] H. Rudin. Network protocols and tools to help produce them. Annual Review of Computer Science, 2:291-316, 1987. [Saf88] S. Safra. On the complexity of omega-automata. In Proceedings of the 29th IEEE Symposium on Foundations of Computer Science, White Plains, October 1988. [Sav70] W.J. Savitch. Relationship between nondeterministic and deterministic tape complexities. J. on Computer and System Sciences, 4:177-192, 1970. [sc85] A.E Sisfla and E.M. Clarke. The complexity of propositional linear temporal logic. J. ACM, 32:733-749, 1985. [LPZ851

266

A.E Sistla. Theoretical issues in the design and analysis of distributed systems. PhD thesis, Harvard University, 1983. [SPH84] R. Sherman, A. Pnueli, and D. Harel. Is the interesting part of process logic uninteresting: a translation from PL to PDL. SlAM J. on Computing; 13(4):825-839, 1984. [SV3V87] A.P. Sistla, M.Y. Vardi, and P. Wolper. The complementation problem for Btlchi automata with applications to temporallogic. Theoretical ComputerScience , 49:217237, 1987. [The90] W. Thomas. Automata on infinite objects. Handbook of theoretical computerscience, pages 165-191, 1990. pCax94] M.Y. Vardi. Nontraditional applications of automata theory. In Prec. Int'l Syrup. on Theoretical Aspects of Computer Software, volume 789, pages 575-597. Lecture Notes in Computer Science, Springer-Verlag, 1994. M.Y. Vardi and L. Stockmeyer. Improved upper and lower bounds for modal logics Ws851 of programs. In Proc 17th ACM Symp. on Theory of Computing, pages 240-251, 1985. [VW861 M.Y. Vardi and P. Wolper. An automata-theoretic approach to automatic program verification. In Proceedings of the First Symposium on Logic in Computer Science, pages 322-331, Cambridge, June 1986. [VW941 M.Y. Vardi and P. Wolper. Reasoning about infinite computations. Information and Computation, 115(1):1-37, November 1994. [Vr P. Wolper. Synthesis of Communicating Processes from Temporal Logic Specificat/ons. PhD thesis, Stanford University, 1982. [WVS83] P. Wolper, M.Y. Vardi, and A.P. Sistla. Reasoning about infinite computation paths. In Prec. 24th IEEE Symposium on Foundations of Computer Science, pages 185-194, Tucson, 1983. ISis83]

Lecture Notes in Computer Science For information about Vols. 1-975 please contact your bookseller or Springer-Verlag

Vol. 976: U. Montanari, F. Rossi (Eds.), Principles and Practice of Constraint Programming - - CP '95. Proceedings, 1995. XIII, 651 pages. 1995. Vol. 977: H. Beilner, F. Bause (Eds.), Quantitative Evaluation of Computing and Communication Systems. Proceedings, 1995. X, 415 pages. 1995. Vol. 978: N. Revell, A M. Tjoa (Eds.), Database and 9 Expert Systems Applications. Proceedings, 1995. XV, 654 pages. 1995. Vol. 979: P. Spirakis (Ed,), Algorithms - - ESA '95. Proceedings, 1995. XII, 598 pages. 1995. Vol. 980: A. Ferreira, J. Rolim (Eds.), Parallel Algorithms for Irregularly Structured Problems. Proceedings, 1995. IX, 409 pages. 1995. Vol. 981: I. Wachsmuth, C.-R. Rollinger, W. Brauer (Eds.), KI-95: Advances in Artificial Intelligence. Proceedings, 1995. XII, 269 pages. (Subseries LNAI). Vol. 982: S. Doaitse Swierstra, M. Hermenegildo (Eds.), Programming Languages: Implementations, Logics and Programs. Proceedings, 1995. XI, 467 pages. 1995. Vol. 983: A. Mycroft (Ed.), Static Analysis. Proceedings, 1995. VIII, 423 pages. 1995. Vol. 984: J.-M. Haton, M. Keane, M. Manago (Eds.), Advances in Case-Based Reasoning. Proceedings, 1994. VIII, 307 pages. 1995. Vol. 985: T. Sellis (Ed.), Rules in Database Systems. Proceedings, 1995. VIII, 373 pages. 1995. Vol. 986: Henry G. Baker (Ed.), Memory I~anagement. Proceedings, 1995. XII, 417 pages. 1995. Vol. 987: P.E. Camnrati, H. Eveking (Eds.), Correct Hardware Design and Verification Methods. Proceedings, 1995. VIII, 342 pages. 1995. Vol. 988: A.U. Frank, W. Kuhn (Eds.), Spatial Information Theory. Proceedings, 1995. XIII, 571 pages. 1995. Vol. 989: W. Sch~ifer, P. Botella (Eds.), Software Engineering - - ESEC '95. Proceedings, 1995. XII, 519 pages. 1995. Vol. 990: C. Pinto-Ferreira, N.J. Mamede (Eds.), Progress in Artificial Intelligence. Proceedings, 1995. XIV, 487 pages. 1995. (Subseries LNAI).

Vol. 993: T.C. Fogarty (Ed.), Evolutionary Computing. Proceedings, 1995. VIII, 264 pages. 1995. Vol. 994: M. Hebert, J. Ponce, T. Boult, A. Gross (Eds.), Object Representation in Computer Vision. Proceedings, 1994. VIII, 359 pages. 1995. Vol. 995: S.M. Mailer, W.J. Paul, The Complexity of Simple Computer Architectures. XII, 270 pages. 1995. Vol. 996: P. Dybjer, B. NordstrOm, J. Smith (Eds.), Types for Proofs and Programs9 Proceedings, 1994. X, 202 pages. 1995. Vol. 997: K.P. Jantke, T. Shinohara, T. Zeugmann (Eds.), Algorithmic Learning Theory. Proceedings, 1995. XV, 319 pages. 1995. Vol. 998: A. Clarke, M. Campolargo, N. Karatzas (Eds.), Bringing Telecommunication Services to the People - IS&N '95. Proceedings, 1995. XII, 510 pages. 1995. Vol. 999: P. Antsaklis, W. Kohn, A. Nerode, S. Sastry (Eds.), Hybrid Systems II. VIII, 569 pages. 1995. Vol. 1000: J. van Leeuwen (Ed.), Computer Science Today. XIV, 643 pages. 1995. Vol. 1001: M. Sudan, Efficient Checking of Polynomials and Proofs and the Hardness of Approximation Problems9 XIV, 87 pages. 1995. Vol. 1002: J.J. Kistler, Disconnected Operation in a Distributed File System. XIX, 249 pages. 1995. VOL. 1003: P. Pandurang Nayak, Automated Modeling of Physical Systems. XXI, 232 pages. 1995. (Subseries LNAI). Vol. 1004: J. Staples, P. Eades, N. Katoh, A. Moffat (Eds.), Algorithms and Computation9 Proceedings, 1995. XV, 440 pages. 1995. Vol. 1005! J. Estublier (Ed.), Software Configuration Management. Proceedings, 1995. IX, 311 pages. 1995. Vol. 1006: S. Bhalla (Ed,), Information Systems and Data Management. Proceedings, 1995. IX, 321 pages. 1995. Vol. 1007: A. Bosselaers, B. Preneel (Eds.), Integrity Primitives for Secure Information Systems. VII, 239 pages. 1995. Vol. 1008: B. Preneel (Ed.), Fast Software Encryption. Proceedings, 1994. VIII, 367 pages. 1995.

Vol. 991: J. Wainer, A. Carvalho (Eds.), Advances in Artificial Intelligence. Proceedings, 1995. XII, 342 pages. 1995. (Subseries LNAI).

Vol. 1009: M. Broy, S. J~ihnichen (Eds.), KORSO: Methods, Languages, and Toolsfor the Construction of Correct Software. X, 449 pages. 1995. Vol.

Vol. 992: M. Gori, G. Soda (Eds.), Topics in Artificial Intelligence. Proceedings, 1995. XII, 451 pages. 1995. (Subseries LNAI).

Vol. 1010: M. Veloso, A. Aamodt (Eds.), Case-Based Reasoning Research and Development. Proceedings, 1995. X, 576 pages. 1995. (Subseries LNAI).

Vol. 1011: T. Furuhashi (Ed.), Advances in Fuzzy Logic, Neural Networks and Genetic Algorithms. Proceedings, 1994. (Subseries LNAI).

Vol. 1032: P. Godefroid, Partial-Order Methods for the Verification of Concurrent Systems. IV, 143 pages. 1996.

Vol. 1012: M. Bartogek, J. Staudek, J. Wiedermann (Eds.), SOFSEM '95: Theory and Practice of Informatics. Proceedings, 1995. XI, 499 pages. 1995.

Vol. 1033: C.-H. Huang, P. Sadayappan, U. Banerjee, D. Gelernter, A. Nicolau, D. Padua (Eds.), Languages and Compilers for Parallel Computing. Proceedings, 1995. XIII, 597 pages. 1996.

Vol. 1013: T.W. Ling, A.O. Mendelzon, L. Vieille (Eds.), Deductive and Object-Oriented Databases. Proceedings, 1995. XIV, 557 pages. 1995.

Vol. 1034: G. Kuper, M. Wallace (Eds.), Constraint Databases and Applications. Proceedings, 1995. VII, 185 pages. 1996.

Vol. 1014: A.P. d e l Pobil, M.A. Serna, Spatial Representation and Motion Planning. XII, 242 pages. 1995.

Vol. 1035: S.Z. Li, D.P. Mital, E.K. Teoh, H. Wang (Eds.), Recent Developments in Computer Vision. Proceedings, 1995. XI, 604 pages. 1996.

Vol. 1015: B. Blumenthal, J. Gornostaev, C. Unger (Eds.), Human-Computer Interaction. Proceedings, 1995. VIII, 203 pages. 1995.

Vol. 1036: G. Adorni, M. Zock (Eds.), Trends in Natural Language Generation - An Artificial Intelligence Perspective. Proceedings, 1993. IX, 382 pages. 1996. (Subseries LNAI).

VOL. 1016: R. Cipolla, Active Visual Inference of Surface Shape. XII, 194 pages. 1995. Vol. 1017: M. Nagl (Ed.), Graph-Theoretic Concepts in Computer Science. Proceedings, 1995. XI, 406 pages. 1995. Vol. 1018: T.D.C. Little, R. Gusella {Eds.), Network and Operating Systems Support for Digital Audio and Video. Proceedings, 1995. XI, 357 pages. 1995. Vol. 1019: E. Brinksma, W.R. Cleaveland, K.G. Larsen, T. Margaria, B. Steffen (Eds.), Tools and Algorithms for the Construction and Analysis of Systems. Selected Papers, 1995. VII, 291 pages. 1995. Vol. 1020: I.D. Watson (Ed.), Progress in Case-Based Reasoning. Proceedings, 1995. VIII, 209 pages. 1995. (Subseries LNAI). Vol. 1021: M.P. Papazoglou (Ed.), OOER '95: ObjectOriented and Entity-Relationship Modeling. Proceedings, 1995. XVII, 451 pages. 1995. Vol. 1022: P.H. Hartel, R. Plasmeijer (Eds.), Functional Programming Languages in Education. Proceedings, 1995. X, 309 pages. 1995. Vol. 1023: K. Kanchanasut, J.-J. L6vy (Eds.), Algorithms, Concurrency and Knowlwdge. Proceedings, 1995. X, 410 pages. 1995. Vol. 1024: R.T. Chin, H.H.S. Ip, A.C. Naiman, T.-C. Pong (Eds.), Image Analysis Applications and Computer Graphics. Proceedings, 1995. XVI, 533 pages. 1995. Vol. 1025: C. Boyd (Ed.), Cryptography and Coding. Proceedings, 1995. IX, 291 pages. 1995. Vol. 1026: P.S. Thiagarajan (Ed.), Foundations of Software Technology and Theoretical Computer Science. Proceedings, 1995. XII, 515 pages. 1995. Vol. 1027: F.J. Brandenburg (Ed.), Graph Drawing. Proceedings, 1995. XII, 526 pages. 1996.

Vol. 1037: M. Wooldridge, J.P. MiJller, M. Tambe (Eds.), IntelligentAgents II. Proceedings, 1995. XVI, 437 pages. 1996. (Subseries LNAI). Vol. 1038: W: Van de Velde, J.W. Perram (Eds.), Agents Breaking Away. Proceedings, 1996. XIV, 232 pages. 1996. (Subseries LNAI). Vol. 1039: D. Gollmann (Ed.), Fast Software Encryption. Proceedings, 1996. X, 219 pages. 1996. Vol. 1040: S. Wermter, E. Riloff, G. Scheler (Eds.), Connectionist, Statistical, and Symbolic Approaches to Learning for Natural Language Processing. Proceedings, 1995. IX, 468 pages. 1996. (Subseries LNAI). Vol. 1041: J. Dongarra, K. Madsen, J. Wa~niewski (Eds.), Applied Parallel Computing. Proceedings, 1995. XII, 562 pages. 1996. Vol. 1042: G. WeiB, S. Sen (Eds.), Adaption and Learning in Multi-Agent Systems. Proceedings, 1995. X, 238 pages. 1996. (Subseries LNAI). Vol. 1043: F. Muller, G. Birtwistle (Eds.), Logics for Copcurrency. XI, 266 pages. 1996. Vol. 1044: B. Plattner (Ed.), Broadband Communications. Proceedings, 1996. XIV, 359 pages. 1996. Vol. 1045: B. Butscher, E. Moeller, H. Pusch (Eds.), Interactive Distributed Multimedia Systems and Services. Proceedings, 1996. XI, 333 pages. 1996. Vol. 1046: C. Puech, R. Reischuk (Eds.), STACS 96. Proceedings, 1996. XII, 690 pages. 1996. Vol. 1047: E. Hajnicz, Time Structures. IX, 244 pages. 1996. (Subseries LNAI). .Vol. 1048: M. Proietti (Ed.), Logic Program Syynthesis and Transformation. Proceedings, 1995. X, 267 pages. 1996.

Vol. 1028: N.R. Adam, Y. Yesha (Eds.), Electronic Commerce. X, 155 pages. 1996.

Vol. 1049: K. Futatsugi, S. Matsuoka (Eds.), Object Technologies for Advanced Software. Proceedings, 1996. X, 309 pages. 1996.

Vol. 1029: E. Dawson, J. Goli6 (Eds.), Cryptography: Policy and Algorithms. Proceedings, 1995. XI, 327 pages. 1996.

Vol. 1050: R. Dyckhoff, H. Herre, P. Schroeder-Heister (Eds.), Extensions of Logic Programming. Proceedings, 1996. VII, 318 pages. 1996. (Subseries LNAI).

Vol. 1030: F. Pichler, R. Moreno-Dfaz, R. Albrecht (Eds.), Computer Aided Systems Theory - EUROCAST '95. Proceedings, 1995. XII, 539 pages. 1996.

Vol. 1051: M.-C. Gaudel, J. Woodcock (Eds.), FME '96: Industrial Benefit of Formal Methods. Proceedings, 1996. XII, 704 pages. 1996.

Vol.1031: M. Toussaint (Ed.), Ada in Europe. Proceedings, 1995. XI, 455 pages. 1996.