Specification and verification of communicating systems with value passing

Academic year: 2021


INFORMATION TO USERS

This manuscript has been reproduced from the microfilm master. UMI films the text directly from the original or copy submitted. Thus, some thesis and dissertation copies are in typewriter face, while others may be from any type of computer printer.

The quality of this reproduction is dependent upon the quality of the copy submitted. Broken or indistinct print, colored or poor quality illustrations and photographs, print bleedthrough, substandard margins, and improper alignment can adversely affect reproduction.

In the unlikely event that the author did not send UMI a complete manuscript and there are missing pages, these will be noted. Also, if unauthorized copyright material had to be removed, a note will indicate the deletion.

Oversize materials (e.g., maps, drawings, charts) are reproduced by sectioning the original, beginning at the upper left-hand corner and continuing from left to right in equal sections with small overlaps. Each original is also photographed in one exposure and is included in reduced form at the back of the book.

Photographs included in the original manuscript have been reproduced xerographically in this copy. Higher quality 6" x 9" black and white photographic prints are available for any photographs or illustrations appearing in this copy for an additional charge. Contact UMI directly to order.

UMI
A Bell & Howell Information Company
300 North Zeeb Road, Ann Arbor MI 48106-1346 USA


Specification and Verification of Communicating Systems with Value Passing

by

Dilian Borissov Gurov

Dipl. Eng., Higher Institute for Mechanical and Electrical Engineering, Sofia, Bulgaria, 1989

A Dissertation Submitted in Partial Fulfillment of the Requirements for the Degree of

DOCTOR OF PHILOSOPHY

in the Department of Computer Science

We accept this dissertation as conforming to the required standard

Dr. B.M. Kapron, Supervisor (Department of Computer Science)

Dr. H.A. Müller, Supervisor (Department of Computer Science)

Dr. M.H.M. Cheng, Departmental Member (Department of Computer Science)

Dr. N. Dimopoulos, Outside Member (Department of Electrical and Computer Engineering)

Dr. M. Greenstreet, External Examiner (Department of Computer Science, UBC)

© Dilian Borissov Gurov, 1998, University of Victoria

All rights reserved. This dissertation may not be reproduced in whole or in part, by photocopy or other means, without the permission of the author.


Supervisors: Dr. B.M. Kapron, Dr. H.A. Müller

ABSTRACT

The present Thesis addresses the problem of specification and verification of communicating systems with value passing. We assume that such systems are described in the well-known Calculus of Communicating Systems, or rather, in its value passing version. As a specification language we propose an extension of the Modal μ-Calculus, a poly-modal first-order logic with recursion. For this logic we develop a proof system for verifying judgements of the form $b \vdash E : \Phi$, where $E$ is a sequential CCS term and $b$ is a Boolean assumption about the value variables occurring free in $E$ and $\Phi$. Proofs conducted in this proof system follow the structure of the process term and the formula. This syntactic approach makes proofs easier to comprehend and machine assist. To avoid the introduction of global proof rules we adopt a technique of tagging fixpoint formulae with all relevant information needed for the discharge of reoccurring sequents. We provide such tagged formulae with a suitable semantics. The resulting proof system is shown to be sound in general and complete (relative to external reasoning about values) for a large class of sequential processes and logic formulae. We explore the idea of using tags in three different settings: value passing, extended sequents, and negative tagging.

Examiners:

Dr. B.M. Kapron, Supervisor (Department of Computer Science)

Dr. H.A. Müller, Supervisor (Department of Computer Science)

Dr. M.H.M. Cheng, Departmental Member (Department of Computer Science)

Dr. N. Dimopoulos, Outside Member (Department of Electrical and Computer Engineering)

Contents

Contents ... iii
List of Figures ... v
Acknowledgement ... vi
Dedication ... vii

1 Introduction ... 1

2 Models, Logics, and Verification ... 9
2.1 Labelled Transition Systems ... 9
2.2 Calculus of Communicating Systems ... 12
2.3 Modal Logics and μ-Calculi ... 19
2.4 Model Checking ... 26

3 Verification of Value Passing CCS Processes ... 33
3.1 A μ-Calculus for Value Passing Processes ... 34
3.1.1 Syntax ... 37
3.1.2 Semantics ... 38
3.2 A Compositional Proof System ... 40
3.2.1 Sequents ... 41
3.2.2 Rules ... 42
3.2.3 Greatest Fixpoints ... 45
3.2.4 Least Fixpoints ... 48
3.2.5 Extensions and Derived Rules ... 50
3.3 Example Proofs ... 51

4 Correctness of the Proof System ... 60
4.1 Soundness ... 60
4.2 Completeness ... 66
4.2.1 Canonical Proofs ... 68
4.2.2 Termination ... 75

5 Extensions ... 77
5.1 Compositionality ... 77
5.2 Negative Tagging ... 82

6 Conclusion ... 89
6.1 Summary ... 89
6.2 Evaluation ... 90
6.3 Directions for Improvement ... 91

List of Figures

2.1 A small LTS ... 10
2.2 Transition rules for processes ... 18
3.1 Denotation of formulae ... 40
3.2 Proof Rules ... 43
3.3 Derived Rules ... 51

Acknowledgement

I would like to thank my supervisors Dr. Bruce Kapron and Dr. Hausi Müller for their guidance and support throughout the time of my graduate studies.

I would also like to thank Dr. John Ellis, Dr. Mantis Cheng and many graduate students from the Department for creating a stimulating research atmosphere.

Finally, I would like to thank my wife Elena and all my friends which made my stay at the University a remarkably pleasant experience.

Last but not least, I would like to acknowledge Dr. Iwan Tabakow, the person

Dedication

To Vladimir Vysotskij,

whose horses

Chapter 1

Introduction

Communicating Systems

Since their invention, computers have evolved from simple calculators to extremely complex devices which have been entrusted with a wide range of information processing responsibilities. Alongside with information processing, interaction has become an increasingly crucial aspect of computer systems. For many types of systems this aspect is in fact the more important one. Communication protocols, telephone switching systems and mobile robot control systems are examples of systems which fulfill their primary goals by interacting with other systems rather than by processing information. The terms reactive and real-time systems often refer to systems of the above type. In this thesis we use the term communicating system to refer to any system for which the information processing aspect can be considered less relevant, and whose interaction behaviour is of main interest.

Interaction can be understood differently depending on the properties of the communication medium. It can also be viewed on different levels of abstraction. Here we consider only a most basic type of interaction, namely handshake-type atomic interaction between two agents, on which Milner's Calculus of Communicating Systems (CCS) is based [Mil89]. This calculus has been designed to serve as a theoretical foundation for the study of concurrency rather than as a specification language for real-world applications; nonetheless, there are numerous practical examples where

CHAPTER 1. INTRODUCTION 2

actions are called in CCS) can have parameters, so that values in some data domain can be transmitted via actions. This phenomenon is called value passing; the resulting version of CCS is usually referred to as Value Passing CCS.

One significant conceptual difference between communicating systems and information processing systems in general is presented by the rôle of termination. While termination is usually a desired property for information processing applications, indicating that some task has been successfully completed, for communicating systems it has to be considered rather a catastrophe: termination of a communicating system implies that no communication with the system is henceforth possible. Most existing formal techniques for functional analysis and synthesis of systems rely on the notion of termination, representing the behaviour of a system as a mapping from some set of allowable initial configurations to some set of desirable final configurations. This approach is not adequate for describing the ongoing behaviour of communicating systems. One alternative operational approach is to consider not the overall behaviour, but just the result of a single communication, as a mapping between configurations; the resulting formal notion is called a Labelled Transition System (LTS) and provides a semantic framework for many formal notations for describing ongoing systems behaviour, including CCS.

Another important characteristic of communicating systems is that they are inherently distributed: a communicating system is usually interacting with other systems of the same type, so the overall system consists of components which are communicating systems themselves. This brings about the question of how to represent adequately global configurations as (possibly structured) collections of local configurations, and how to compose component behaviours to form the behaviour of the composite system. The approach taken by Milner is to interleave these behaviours, but other approaches are also possible, notably the partial order semantics approach

Communicating Systems Design

A rigorous systematic design methodology for communicating systems would include the following design phases:

• Specification: from an informal description of the requirements to the system's behaviour a formal specification, written in a suitable formal (e.g. logic) language, is derived;

• Modelling: guided by the formal specification, a formal model of the desired system's behaviour is obtained;

• Verification: the formal model is checked against the formal specification to ensure all requirements are met. If these are not met, the Modelling phase is reentered;

• Test Generation: from the model, test suites are derived to test (validate) the system after it has been implemented;

• Implementation: the verified model is implemented in hardware/software (this phase can be performed concurrently with the previous one);

• Validation: the implemented system is tested using the test suites generated earlier.

Such a rigorous methodology is rarely used in practice due to the enormous competition and pressure for early delivery of software products. Producers of safety-critical systems, however, cannot afford risk and have to ensure the correct functioning of their products. This means that they have to follow a more or less rigorous design methodology like the above one. The techniques we develop here assume such a formal approach and address the specification and mainly the verification phases, but are necessarily related to the modelling phase as well, since these three phases cannot be considered separately.

There are two main approaches to formally specifying a communicating system. In the first of these, the specification is itself a model and is described in the same

modelling language in which the system is modelled later. This model describes the behaviour of the system as seen from the environment (in other words, its interface behaviour), and does not show the system's internal organization. Then, to verify the model resulting from the modelling phase means to show that the two models, i.e. specification and actual model, are equivalent according to some suitable notion of behavioural equivalence. One such notion is bisimulation equivalence (or observation congruence) [Mil89].

The second approach, which we follow here, is a logical one: a communicating system is specified with a set of logic formulae expressing the properties which the interface behaviour of the system is required to possess. Then, to verify the model means to check whether all formulae in the set hold in this particular model. The process of accomplishing this is usually called model checking.

These two approaches can complement each other if one wants to start with a very high-level specification, which is best given as a set of properties, and then to produce a high-level interface model, and finally to obtain through a sequence of refinements a model detailed enough to be implemented.

Aim of the Thesis

This thesis addresses the following verification problem: Given a system, described in Value Passing CCS, and a system property, described as a formula in a suitable logic language, check whether the system possesses the property (i.e. the model satisfies the formula). The logic language we consider is the Modal μ-Calculus, introduced by Kozen in [Koz83], which we extend with appropriate (first-order) constructs to take into account the values being communicated. We present a proof system for proving satisfaction between a process and a formula which is sound and complete for a large class of sequential processes (i.e. processes not involving parallel composition¹) and logic formulae. Soundness of the proof system means that one cannot derive satisfaction unless it really holds. Completeness on the other hand

¹ Parallel composition is handled separately with the help of an additional proof system; this shall be discussed later.

guarantees that one can always derive such a satisfaction when it holds. Together, these two properties of the proof system guarantee that one can prove (in this proof system) that a process satisfies a formula exactly when this is really the case. Due to the expressive power of the logic, our completeness result is necessarily a relative one: we assume that all reasoning concerning the values being communicated is done externally to the present proof system.

Proof systems of the above kind have been the focus of many research papers and dissertations. These papers differ from our approach in that they refer to the LTS of the system being verified instead of the process description itself (as for example in [Cle90, SW91, Bra92, BS92, And93, Dam93, HL95, Rat97, RH97]), or in that they consider propositional modal μ-calculus formulae only, i.e. do not address value passing (as in most of the above references, as well as in [ASW94, Dam95]).

Value Passing

Our interest in value passing comes from the fact that many communicating systems do not just carry around values, but also use values to achieve a desired distributed behaviour. For example, in the Alternating Bit Protocol (ABP) special values are passed during the communication between sender, receiver, and medium, to assure the correct transmission of data. If the value domain necessary to achieve a desired distributed behaviour is finite (as is the case with the ABP), one could abstract from the values, thus simplifying the verification process. This, however, is not always possible. It would also require the formulae from the specification to be translated accordingly, which might result in huge and unreadable ones. Another drawback of abstracting from the values being communicated is that the resulting process description becomes even more abstract and unrealistic, creating a dangerous conceptual gap between model and implementation. After all, what matters is whether the final system operates correctly, and not just whether the model is correct. It is our belief that, if a proof system has been designed properly, the

the property and the system's behaviour, and not so much by the complexity of the specification and modelling languages. So, if values are treated properly (for example symbolically) they should not make a proof more complicated unless the proof really depends on the values being communicated.

Compositionality

The model checking problem is undecidable for infinite state systems in general and μ-calculus formulae. This means that verification for value passing processes is in general not fully automatable. It can be substantially machine assisted, but human guidance cannot be dispensed with completely. A proof assistant would reduce the initial verification goal, consisting in our case of a value passing CCS term and a μ-calculus formula, to sub-goals, and would repeat this process, guided by the user, until all sub-goals are evidently true (for example axioms or memorised theorems in the proof system). To be able to guide the derivation process, however, the user has to be able to interpret the intermediate sub-goals; in other words, the sub-goals should be represented in a way which is intuitive and meaningful to the user. A natural solution is to represent sub-goals in the same way as the initial goal, namely, in our case, as pairs consisting of a value passing CCS term and a μ-calculus formula (such pairs are usually called sequents). In this case the proof of a sequent could be guided not just by the structure of the formula but also by the structure of the process term. Such proof systems are usually termed compositional.²

There is also another reason for using compositional proof systems. An important aspect of a design methodology is modularity. A design of a compound system is called modular if the system's components have been designed independently by taking into account the requirements for putting them together. One immediate benefit from using a methodology which facilitates modular design is that in the case of repeated or similar components much effort can be saved. This is called design reuse. In our context, the important issue is modular specification and verification, which requires

² This term is also used in a weaker sense, meaning that it handles "compositionally" processes composed in parallel.

systems to be specified in such a way that the correctness of the components of a system implies the correctness of the composite system. Then, verifying a system reduces to verifying the components. Compositional proof systems facilitate modular verification in a natural way by reducing the proof of system properties to proving properties of components.

Another important problem which compositional proof systems aim to solve is the infamous state explosion problem: the global state space of a communicating system composed of several components running in parallel is of size roughly the product of the sizes of the state spaces of the constituent processes. This phenomenon makes verification intractable even for relatively small practical systems. Compositionality attacks this problem by reducing the verification of a global property of a system to verifying local properties of its components. Because of the significance of parallel composition to system design, and because of some technical reasons to be explained in later chapters, it is useful to separate the treatment of this operator on processes from the rest. Following Stirling [Sti87], we divide our proof system in two parts, the first of which treats all process combinators except parallel composition, and the second for inferring properties of a process from its parallel components.

Contributions

The main contributions of the present thesis are the development of a suitable logic for specifying value passing processes, and the development of a compositional proof system which is sound and complete for a large class of processes. A unifying theme in our research has been the attempt to adapt the so called technique of tagging (to be explained in later chapters) to the different parts of our proof system. This technique allows global proof rules to be avoided, and simplifies considerably the machine-assistance of the proof system.

Credits

The research presented here is partly joint work with Sergey Berezin from Carnegie Mellon University. More specifically, the second part of our proof system,

in his M.Sc. Thesis [Ber95]. For this part of the proof system, our contribution lies in collaborating with Sergey on modifying this proof system to employ tags, and adopting a suitable semantics for tagged formulae to facilitate an economic proof of soundness and completeness. The study of "negative" tagging presented here has been performed independently. Part of the results have been published in [GBK96, BG97].

Organisation

The thesis is organised as follows. The next chapter presents the background necessary to understand and evaluate the contributions of the present work. Chapter 3 introduces a first-order extension of the Modal μ-Calculus as a suitable specification language for sequential CCS processes with value passing, presents a proof system which is compositional in the term structure of the processes and employs a technique known as tagging to eliminate the need for global inference rules, and illustrates the use of this proof system on some illuminating examples. The following chapter is dedicated to the correctness of the proof system. Chapter 5 investigates other settings in which tagging may be a suitable choice, notably negative tagging. The last chapter summarises the accomplishments of this thesis, draws conclusions about the merits and deficiencies of the chosen approach, and proposes directions for improvement and future research.

Chapter 2

Models, Logics, and Verification

In this chapter we give the background needed to appreciate the results presented later. We first present Labelled Transition Systems (LTS) as a semantic domain for representing the behaviour of communicating systems. We next present Milner's Calculus of Communicating Systems (CCS) [Mil89]. Then, we discuss the Modal μ-Calculus as a process logic. The last section explains the ideas behind model checking as a technique for verifying systems behaviour.

2.1 Labelled Transition Systems

The semantics, or meaning, of a process language or a process logic is best given in a well understood semantic domain for representing communicating systems behaviour. As discussed already in the Introduction, the approach of representing the behaviour of a system as a mapping from some set of allowable initial configurations to some set of desirable final configurations is not adequate for describing the ongoing behaviour of communicating systems. Instead, one can consider as a mapping between configurations the result of a single communication. But communicating systems are inherently distributed. This brings about the question how to treat local configurations. A conceptually simple approach is to abstract from these and to interleave local behaviours. Other approaches are also possible, notably the partial order semantics

CHAPTER 2. MODELS, LOGICS, AND VERIFICATION 10

The interleaving approach described above leads to a simple model of behaviour in which the structure of states is irrelevant: a state is characterised only by the sequences of choices among communications which are offered from this state. The resulting mathematical structure, called labelled transition system (LTS), can be defined as a triple

$$(S,\; T,\; \{\xrightarrow{t}\ \subseteq S \times S \mid t \in T\})$$

consisting of a set $S$ of states, a set $T$ of transition labels, and a set of transition relations for each transition label [Mil89]. We shall use the infix notation $s \xrightarrow{t} s'$ for $(s, s') \in \xrightarrow{t}$, and call $s'$ a $t$-derivative of $s$.

If the size of $S$ is small, an LTS can be visualised as a graph whose nodes are the states and whose edges are labelled. For example, consider a system which allows the user to depress one of two buttons and then, depending on the button depressed, makes a "beep" sound or a "boop" sound, and stops.¹ If we denote the four events as labels depe, depo, beep, and boop, respectively, an LTS describing the above behaviour could be graphically depicted as:

Figure 2.1: A small LTS

Such a semantics is called branching-time semantics, since it contains information about what choice of actions is available at any particular state. In the case of communicating systems, we shall interpret labels as "handshake"-type communications, also called actions. The set $\mathit{Act}$ of actions is formed from a set $A$ of names, the

¹ This is not really a communicating system, since these actions are not really "handshake"-type, but the notion of LTS is more general and does not interpret the nature of the labels.

corresponding set $\overline{A}$ of co-names, and a pre-defined silent action $\tau$. Since actions are handshakes between two agents, each action $l \in A \cup \overline{A}$ has its co-action $\overline{l}$; the result of a handshake is the silent action. If the above system is to be interpreted as a communicating system, then in its initial state it offers the user to communicate either through action depe or through action depo; the user (as a system) has consequently to offer the corresponding co-actions $\overline{\mathit{depe}}$ or $\overline{\mathit{depo}}$ to be able to engage in a communication with the system. A system engaging in the silent action $\tau$ means that there is internal communication taking place somewhere between components of the system. The user has no influence on this action, hence its identity is considered irrelevant; even more, its identity is considered as information that one would like to ignore in order to be able to produce manageable descriptions of large behaviours.²

A natural question is when to consider two states in an LTS as corresponding to the same behaviour (i.e. as being behaviourally equivalent). The usual automata-theoretic notion of equivalence (trace equivalence) is often too weak for practical purposes since it is not sensitive to deadlocks: two systems can be trace equivalent so that the first is deadlock-free while the second is not. The main reason for this insensitivity is that traces do not reflect the branching structure of behaviours. Since we found branching time semantics as being appropriate for communicating systems we should rather choose an equivalence notion sensitive to branching. The main guideline should be the question as to what constitutes a legal experiment, i.e. what do we consider to be our means of distinguishing between two behaviours? Then, two behaviours should be considered equivalent if and only if they cannot be distinguished by any allowable experiment. In the case of communicating systems it is natural to assume that experiments are sequences of interactions, and that experimenters are communicating systems themselves. If we assume that the experimenter is able to "see" at every state the choice of actions offered by the systems to be compared, then one naturally comes to the notion of experimental equivalence introduced by de

² This and the following considerations are introduced in [Mil89] at the level of CCS. They are, however, of semantic nature, and are therefore presented here.

(21)

C H A P T E R 2. M O D E L S . LOGICS. .AND V E R I F I C . A T I O N 12

N icola and H ennessy [NH84], If th e e x p e rim e n te r is also allow ed to c re ate id en tical copies o f the beh av io u rs in any s ta te , th e n to perform e x p e rim e n ts on th e copies, an d

finally to com bine th e results, one arrives a t th e notion o f equivalence with respect

to duplicator experim ents [BM92]. M ilner prefers an even finer equivalence, nam ely bisirnulation. also called observation congruence, originally proposed by Park [P arS l].

Its stro n g version, called strong bisirnulation. is given in [MilS9] as follows:^

    $P$ and $Q$ are equivalent iff, for every action $\alpha$, every $\alpha$-derivative of $P$ is equivalent to some $\alpha$-derivative of $Q$, and conversely.

For practical purposes, strong bisimulation is too strong an equivalence notion because it does not abstract from the unobservable internal communication represented by silent actions taking place in a system. For this reason Milner also introduces the weaker equivalences weak bisimulation and observation congruence.

Many other equivalence notions have been proposed in the literature. Choosing a "good" one is particularly important if one has adopted the approach of describing both the specification and the model in the same process notation, and to do verification by showing the two descriptions equivalent. Then, one should choose an equivalence notion which is fine enough to catch important differences between specification and model, and is coarse enough to guarantee that verification would not fail because of unimportant ones. The experimenter is in this case the user of the system; it is hence the capabilities of the user which should also guide the choice of an appropriate equivalence.

2.2 Calculus of Communicating Systems

The process language on which we focus our attention is CCS and its value passing extension. CCS is an algebraic language which defines atomic behaviours and operators for constructing more complicated behaviours from simpler ones. We start with an informal overview of the language and its semantics.

^ The experiments corresponding to these notions of equivalence can be described nicely in terms of games [Sti96].

Expressions in the language are termed processes. The only atomic process is the nil process, denoted $0$, which is not capable of participating in any action. If $a$ is an action, and $P$ is a process, then we can construct out of them a new process $a.P$ which can initially engage in $a$ only, and behave as $P$ afterwards. So "$a.$" can be understood as a unary operator on processes, called prefix. So, process $tick.0$ can just participate in one $tick$ action. The behaviour of $tick.0$ can be given by an LTS having as states the two processes $tick.0$ and $0$, and a single tuple $tick.0 \xrightarrow{tick} 0$. If $P$ and $Q$ are processes, then $P + Q$ denotes a process which can behave either as $P$ or as $Q$, depending on the first action chosen. For example, $a.P + b.Q$ offers to the environment a choice between participating in $a$ or participating in $b$. If $a$ is chosen, the process continues to behave as $P$, otherwise as $Q$. In the case of $a.b.0 + a.c.0$ we have non-deterministic choice: after choosing $a$ the process decides non-deterministically whether to continue as $b.0$ or as $c.0$. This behaviour is better explained by viewing its LTS:

[Figure: the LTS of $a.b.0 + a.c.0$, with states $a.b.0 + a.c.0$, $b.0$, $c.0$ and $0$; the diagram itself did not survive the scan.]

It should be distinguished from the behaviour of $a.(b.0 + c.0)$, where after $a$ the

[Figure: the LTS of $a.(b.0 + c.0)$, with states $a.(b.0 + c.0)$ and $b.0 + c.0$; the diagram itself did not survive the scan.]

Using process constants and defining equations, one can give names to specific processes. For example, the notation $P = a.b.0$ defines process $P$ as $a.b.0$. Using recursive definitions one can define processes with ongoing behaviour; e.g., process $Clock = tick.Clock$ has the ability to engage in an infinite sequence of consecutive $tick$ actions. Another example is a simple vending machine, which can accept a one-cent or a two-cent coin, after which a little or a big button may be depressed depending on the coin inserted, and finally a little or a big item may be collected, upon which the vending machine enters its initial state:

    $Ven = 1c.Venl + 2c.Venb$
    $Venl = little.collectl.Ven$
    $Venb = big.collectb.Ven$

The LTS of process $Ven$ is as follows:

[Figure: the LTS of $Ven$, with states $Ven$, $Venl$, $collectl.Ven$, $Venb$ and $collectb.Ven$; the diagram itself did not survive the scan.]


process, which is like $P$ and $Q$ taken together, but allows also $P$ and $Q$ to interact. Let $Buffer_1 = in.\overline{transmit}.Buffer_1$ and $Buffer_2 = transmit.\overline{out}.Buffer_2$ be two one-element buffer processes. Then $Buffer_1 \mid Buffer_2$ is a process which can engage in an $in$ action and become $\overline{transmit}.Buffer_1 \mid Buffer_2$, or engage in $transmit$ and become $Buffer_1 \mid \overline{out}.Buffer_2$. Process $\overline{transmit}.Buffer_1 \mid Buffer_2$ can engage in both $\overline{transmit}$ and $transmit$, but can also engage in an internal communication, i.e. perform a $\tau$-action, between $Buffer_1$ and $Buffer_2$ and become $Buffer_1 \mid \overline{out}.Buffer_2$. If we wish to stop the environment from interfering in this internal communication, we can hide $transmit$ and $\overline{transmit}$ using the CCS restriction operator: process $(Buffer_1 \mid Buffer_2) \setminus \{transmit\}$ can engage initially in $in$ only, thus becoming $(\overline{transmit}.Buffer_1 \mid Buffer_2) \setminus \{transmit\}$, then in $\tau$ only, becoming $(Buffer_1 \mid \overline{out}.Buffer_2) \setminus \{transmit\}$, which can engage in both $in$ and $out$. A renaming operator is also provided to allow for reuse of already defined processes. For example, both $Buffer_1$ and $Buffer_2$ can be defined via $Buffer = in.\overline{out}.Buffer$ as follows:

    $Buffer_1 = Buffer[transmit/out]$        $Buffer_2 = Buffer[transmit/in]$

So, a two-element buffer can be defined using two one-element buffers as:

    $TwoBuffer = (Buffer[transmit/out] \mid Buffer[transmit/in]) \setminus \{transmit\}$

Of course, at this high level of abstraction there is no difference between process $Buffer = in.\overline{out}.Buffer$ and $Clock = tick.tock.Clock$ except for the different names of actions; what is missing in $Buffer$ to be really appreciated as a one-element buffer are the values being communicated. The version of CCS providing a notation for communicated values is called Value Passing CCS; in this language we could specify

    $Buffer = in(x).\overline{out}(x).Buffer$

where $x$ ranges over some pre-defined domain $D$ of values. If $D$ is the set of natural numbers, then $Buffer$ can engage initially in any of the actions $in(1)$, $in(2)$, $in(3)$, etc., becoming respectively $\overline{out}(1).Buffer$, $\overline{out}(2).Buffer$, $\overline{out}(3).Buffer$, etc. Thus, input actions have binding power in the Value Passing CCS.

The original definition of CCS has, instead of the binary choice operator $+$, the operator $\sum_{i \in I}$ called summation (also having binding power), where $I$ is an indexing set. In our value passing version of CCS we choose $I$ to coincide with the domain $D$ of values, and use values instead of indices.^ For example, the process $\sum_{x} \overline{out}(x).0$ is ready to put out any value from the respective domain.

A more interesting example showing the higher modelling power of the value passing extension would be a simple teller machine which accepts and offers cash without giving credit:

    $Teller(balance) = Deposit(balance) + Withdrawal(balance)$
    $Deposit(balance) = deposit(amount).Teller(balance + amount)$
    $Withdrawal(balance) = \sum_{amount} \mathbf{if}\ 0 < amount < balance\ \mathbf{then}\ \overline{withdraw}(amount).Teller(balance - amount)$

After this informal introduction to CCS,^ we are ready to present the formal syntax and semantics of the language. We assume a set $A$ of names, ranged over by $a$, each name having a non-negative arity. Let $\mathcal{L}$ denote the set $A \cup \overline{A}$ of labels, ranged over by $l$, and let $\overline{\overline{a}}$ denote $a$. We also assume a set $D$ of values, value expressions $e$ and Boolean expressions $b$ built from variables $x, y, z, \ldots$ (possibly indexed), value constants $d$ and arbitrary operator symbols defined in the domain. We use $tt$ and $ff$ to denote the usual Boolean constants "true" and "false."

^ This does not decrease the expressiveness of the language, provided we drop the convention that input actions have binding power.


Agent expressions $E$ over $A$ and $D$ are generated by the grammar:^

    $E ::= 0 \;|\; \alpha.E \;|\; E + E \;|\; \sum_{x} E \;|\; E \mid E \;|\; E \setminus L \;|\; E[f] \;|\; \mathbf{if}\ b\ \mathbf{then}\ E \;|\; A(\tilde{e})$
    $\alpha ::= a(\tilde{x}) \;|\; \overline{a}(\tilde{e}) \;|\; \tau$

Here $A$ are agent constants, each having a defining equation

    $A(\tilde{x}) \stackrel{\mathrm{def}}{=} E$

where the right-hand side $E$ may contain no free variables except the ones in $\tilde{x}$. $L \subseteq \mathcal{L}$ are restriction sets, and $f : \mathcal{L} \to \mathcal{L}$ are relabelling functions satisfying $f(\overline{l}) = \overline{f(l)}$ and $f(\tau) = \tau$. Input actions and infinite summation have binding power. Closed agent expressions (i.e., expressions with no free variables) are termed processes and are ranged over by $P, Q, \ldots$

The semantics of a CCS process^ is given in terms of an LTS whose states are processes, i.e., closed agent expressions, and whose transition labels are actions, i.e., either $\tau$ or of the form $l(d)$, where $l \in \mathcal{L}$ and $d \in D$. The set of actions is denoted $Act$ and is ranged over by $\alpha$. What remains to be defined is the set of transition relations of the LTS.^ A denotational approach to giving semantics for a process would define the LTS of the process through the LTSs of the sub-expressions of the process: for example, it would define the LTS for $\alpha.P$ through the LTS for $P$, possibly by extending the latter with the state $\alpha.P$ and with the tuple $\alpha.P \xrightarrow{\alpha} P$. Milner preferred to give a transitional semantics to his calculus by giving transition rules for inferring the transitions of a composite process from the transitions of its component processes. Figure 2.2 presents such a set of transition rules. We use the usual notation for term substitution, and use $[\![e]\!]$ and $[\![b]\!]$ to denote the values of $e$ and $b$, respectively.

^ We use vectors of variables, expressions etc. when the arity is of no particular relevance.
^ We shall not give a semantics for open agent expressions here.

[Figure 2.2: Transition rules for processes. The rule schemata did not survive the scan; legible are the rule names R($\tau$), R(in) and R(out) for the prefixes, the rules for choice ($+$), summation, parallel composition ($\mid$), restriction ($\setminus$), relabelling ($[f]$) and the conditional ($\mathbf{if}\ b\ \mathbf{then}\ E$), and R(=) for agent constants.]

An LTS of the type described above is called transition closed if whenever the hypotheses of a rule are satisfied (i.e., there are processes in the set of states of the LTS which are in the corresponding transition relations), then the conclusion also holds (i.e., the two processes occurring in the conclusion are in the set of states of the LTS, and they are in the respective transition relation). Given a set of processes, we are interested in the least transition closed LTS containing these. This LTS has the property that two processes are in a given transition relation if and only if this can be derived using the rules. It is by such LTSs that we give meaning to processes. This style of providing a semantics for processes is not very intuitive, since it is not always obvious, as it is for example in the case with Petri nets, what transitions are enabled in a CCS process involving several parallel components. It is, however, technically very elegant and economic, which makes it preferable for theoretical investigations.
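As an added illustration (this is example code, not the thesis's own), the following Python snippet implements the standard transition rules of pure CCS (without value passing) as the function `transitions` and derives from them the least transition closed LTS of the process $TwoBuffer$ defined above; the tuple encoding of terms and the spelling `a!` for the co-action $\overline{a}$ are this example's own conventions.

```python
"""Transitional semantics of pure CCS: derive the LTS of a process from the
transition rules (prefix, +, |, restriction, relabelling, agent constants;
value passing is left out).  Example code, not the thesis's own."""
from collections import deque

TAU = 'tau'

# Term encoding used by this example (not the thesis's notation):
#   ('nil',)            the process 0
#   ('pre', a, P)       prefix a.P ; the co-action (bar-a) of name 'a' is spelled 'a!'
#   ('sum', P, Q)       choice P + Q
#   ('par', P, Q)       parallel composition P | Q
#   ('res', P, L)       restriction P \ L, L a frozenset of names
#   ('ren', P, f)       relabelling P[f], f a tuple of (old_name, new_name) pairs
#   ('const', A)        agent constant A, defined by an equation in a defs dict

def name(a):
    """The name of a label: 'a!' and 'a' both have name 'a'."""
    return a[:-1] if a.endswith('!') else a

def co(a):
    """The complementary label: a <-> a!."""
    return a[:-1] if a.endswith('!') else a + '!'

def relabel(f, a):
    """Apply relabelling f to an action; f preserves bars and leaves tau alone."""
    if a == TAU:
        return TAU
    new = dict(f).get(name(a), name(a))
    return new + '!' if a.endswith('!') else new

def transitions(P, defs):
    """All pairs (action, P') such that P --action--> P' is derivable."""
    kind = P[0]
    if kind == 'nil':
        return set()
    if kind == 'pre':                                   # prefix axiom: a.P --a--> P
        return {(P[1], P[2])}
    if kind == 'sum':                                   # R(+): either summand moves
        return transitions(P[1], defs) | transitions(P[2], defs)
    if kind == 'par':                                   # R(|): interleaving and communication
        left, right = transitions(P[1], defs), transitions(P[2], defs)
        moves = {(a, ('par', P1, P[2])) for a, P1 in left}
        moves |= {(b, ('par', P[1], Q1)) for b, Q1 in right}
        # a label and its co-label synchronise into a silent tau step
        moves |= {(TAU, ('par', P1, Q1)) for a, P1 in left for b, Q1 in right
                  if a != TAU and co(a) == b}
        return moves
    if kind == 'res':                                   # R(\): names in L are hidden
        return {(a, ('res', P1, P[2])) for a, P1 in transitions(P[1], defs)
                if a == TAU or name(a) not in P[2]}
    if kind == 'ren':                                   # R([f]): rename the action
        return {(relabel(P[2], a), ('ren', P1, P[2]))
                for a, P1 in transitions(P[1], defs)}
    if kind == 'const':                                 # R(=): unfold the defining equation
        return transitions(defs[P[1]], defs)
    raise ValueError(f'unknown term {P!r}')

def lts(P, defs):
    """The least transition closed LTS containing P: the states reachable from P
    and the transitions derivable between them (breadth-first search)."""
    states, edges, todo = {P}, set(), deque([P])
    while todo:
        Q = todo.popleft()
        for a, Q1 in transitions(Q, defs):
            edges.add((Q, a, Q1))
            if Q1 not in states:
                states.add(Q1)
                todo.append(Q1)
    return states, edges

# Buffer = in.out!.Buffer ; TwoBuffer = (Buffer[transmit/out] | Buffer[transmit/in]) \ {transmit}
DEFS = {'Buffer': ('pre', 'in', ('pre', 'out!', ('const', 'Buffer')))}
BUFFER1 = ('ren', ('const', 'Buffer'), (('out', 'transmit'),))
BUFFER2 = ('ren', ('const', 'Buffer'), (('in', 'transmit'),))
TWO_BUFFER = ('res', ('par', BUFFER1, BUFFER2), frozenset({'transmit'}))

def summary(P=TWO_BUFFER, defs=DEFS):
    """Size of the derived LTS, its alphabet, and whether every state can move."""
    states, edges = lts(P, defs)
    sources = {q for q, _, _ in edges}
    return {'states': len(states),
            'transitions': len(edges),
            'actions': sorted({a for _, a, _ in edges}),
            'deadlock_free': all(s in sources for s in states)}

if __name__ == '__main__':
    print(summary())   # 4 states, 5 transitions over in, out!, tau; deadlock free
```

The four reachable states are the two buffer slots empty, the first full, the second full, and both full; the single $\tau$ transition is the hidden $transmit$ handshake.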

Let us see, for example, what behaviour these rules specify for process $Buffer = in(x).\overline{out}(x).Buffer$. One would expect to be able to establish $Buffer \xrightarrow{in(d)} P_d$ and $P_d \xrightarrow{\overline{out}(d)} Buffer$ for any $d \in D$ and appropriate processes $P_d$. This can be achieved as follows. Axiom rule R(in) implies that $in(x).\overline{out}(x).Buffer \xrightarrow{in(d)} \overline{out}(d).Buffer$, and axiom rule R(out) implies that $\overline{out}(d).Buffer \xrightarrow{\overline{out}(d)} Buffer$. From the first of these follows by rule R(=) that $Buffer \xrightarrow{in(d)} \overline{out}(d).Buffer$, and taking $P_d$ to be $\overline{out}(d).Buffer$


2.3 Modal Logics and $\mu$-Calculi

When specifying a communicating system, we are usually interested in the observable properties only, i.e., what sequences of choices of actions we observe when interacting with the system. Since we are talking about capabilities for interaction it is natural to use Modal Logics for describing such properties.

A simple modal logic for describing local capabilities for interaction is Hennessy-Milner Logic (HML) [HM80]. The formulae of HML are easy to define:

• the propositional constants $tt$ and $ff$ are formulae;
• if $\Phi$ and $\Psi$ are formulae, then so are $\Phi \vee \Psi$ and $\Phi \wedge \Psi$; and
• if $\Phi$ is a formula and $\alpha$ is an action, then $\langle \alpha \rangle \Phi$ and $[\alpha] \Phi$ are formulae.

The meaning of these formulae can be given in terms of an LTS by specifying when a process $P$ of the LTS satisfies a formula $\Phi$. This is denoted $P \models \Phi$ and can be defined as follows:

    $P \models tt$ always holds, i.e. $tt$ means "true";
    $P \models ff$ never holds, i.e. $ff$ means "false";
    $P \models \Phi \vee \Psi$ iff $P \models \Phi$ or $P \models \Psi$;
    $P \models \Phi \wedge \Psi$ iff $P \models \Phi$ and $P \models \Psi$;
    $P \models \langle \alpha \rangle \Phi$ iff there is an $\alpha$-derivative $P'$ of $P$ so that $P' \models \Phi$;
    $P \models [\alpha] \Phi$ iff for every $\alpha$-derivative $P'$ of $P$, $P' \models \Phi$.

We shall refer to this style of giving semantics to formulae as local, or intensional, semantics.

For example, $P \models \langle a \rangle tt$ means simply that $P$ can engage in an $a$ action, while $P \models [a] ff$ means that it cannot. For the vending machine process $Ven$ described in


big item to be selected after $2c$ have been inserted, but not if only $1c$ has been inserted.

The lack of negation in the logic is not incidental: it can easily be shown (by referring to deMorgan-type equivalences) that every HML formula involving negation (if we allow negation in the logic) has a negation-free equivalent.

HML is in fact a poly-modal logic: instead of having just the two modalities $[\ ]$ and $\langle \ \rangle$ as is the case with Classical Modal Logic where there is just a single "accessibility" (i.e., transition) relation, HML has a whole family of such modalities, namely a "box" modality and a "diamond" modality for each action corresponding to the respective transition relations.

The properties that are expressible in HML are local, or next-step, properties in the sense that they allow only the immediate capabilities for interaction (and internal action) of a process to be described. Properties of more general temporal character like "always $\Phi$" or "eventually $\Phi$" are not expressible in this logic. This concerns also silent actions. For example, we can express in HML a property of the form "process $P$ can perform a silent action and offer $a$ afterwards"; however, when specifying the interaction behaviour of a system we shouldn't discriminate between one or more silent actions in a row, but should rather be only able to speak of internal activity in general, like "process $P$ can engage in some internal activity and offer $a$ afterwards". Additional modalities have been suggested in the literature for specifying such properties [Sti96].

If we are to specify properties like "always $\Phi$" or "eventually $\Phi$" we enter the realm of Temporal Logics. Computation Tree Logic (CTL), proposed by Clarke and Emerson [CE81], is just one example for such a logic. It has explicit constructs for "always", "eventually" and "until", as well as path quantifiers. A more economic approach, leading at the same time to a more powerful logic, is to use HML as a basis and to add recursion; the price to be paid is the intuitiveness of the resulting logic. Consider the recursive equation $Z = \langle a \rangle Z$, where $Z$ is a propositional variable. A property would be a solution to this equation if every process satisfying it has an $a$-derivative satisfying the same property. Fortunately every such equation has a solution; unfortunately however it is not necessarily unique. $ff$ is one solution to the above equation, since $ff = \langle a \rangle ff$, but this solution is of little interest. Another property satisfying the equation would be the capability of engaging in an infinite sequence of $a$ actions. There can be other solutions as well; the mentioned two properties however (the second of which is not expressible in HML) are the least and the greatest ones w.r.t. logic implication, and are hence uniquely characterizable. In fact, any equation of the sort $Z = \Phi$, where $\Phi$ is allowed to include occurrences of the propositional variable $Z$, has a least and a greatest solution denoted $\mu Z.\Phi$ and $\nu Z.\Phi$, respectively. This is an immediate consequence of Tarski's fixedpoint^10 theorem for complete lattices [Tar55].

The logic resulting from adding least and greatest fixpoint formulae to HML is called the Modal $\mu$-Calculus, which was introduced by Kozen [Koz83], but was developed earlier by Park [Par69] in a more general relational setting. Stirling [Sti92] suggests a slight generalization of this logic by allowing sets $K$ of actions to appear in the "box" and "diamond" modalities, and by using the notation "$-K$" to abbreviate "$Act - K$" and "$-$" to abbreviate "$Act - \{\}$" (i.e. $Act$ itself). The resulting logic allows many other logics, like Dynamic Logic and CTL, to be conveniently encoded (see, e.g., [Dam94]).

Let us consider some properties which are often important in practical applications, and give their formalisation in (Stirling's extension of) the Modal $\mu$-Calculus:

• A communicating system is called deadlock free if regardless of how we interact with it there is always a communication, possibly an internal one, in which the system can engage. Deadlock freedom can be expressed by the formula $\nu Z.\langle - \rangle tt \wedge [-] Z$, saying that some action is enabled, and whatever action is taken the same property holds again. In other words, there is always some action which is enabled. Note that the least fixpoint wouldn't be of any use here since it is equivalent to "false".

• Action $a$ is always enabled: $\nu Z.\langle a \rangle tt \wedge [-] Z$. In general, $\nu Z.\Phi \wedge [-] Z$ formalises the safety, or invariant, property "always $\Phi$".

• A livelock is the capability of engaging in internal chatter, i.e. in an infinite sequence of $\tau$ actions. Livelock freedom can be formalised as $\mu Z.[\tau] Z$.

• The property that action $a$ can potentially become enabled is formalisable as $\mu Z.\langle a \rangle tt \vee \langle - \rangle Z$ (i.e. either $a$ is enabled right away, or otherwise we can do something so that the same property holds afterwards, and so on, but not forever).

• Action $a$ is eventually to be chosen: $\mu Z.\langle - \rangle tt \wedge [-a] Z$ (i.e. if we interact with the system but avoid choosing $a$, then sooner or later we will arrive at a point where only $a$ is offered).

• There is a sequence of interactions so that $a$ is enabled infinitely often along this sequence: $\nu Z.\mu Y.\langle a \rangle Z \vee \langle -a \rangle Y$. This property is not expressible in CTL.

As mentioned above, the formulae of this logic are often difficult to interpret. We gave little justification as to why the above formulae express the mentioned properties. Unlike CTL which formalises notions of time about which humans have a strong intuition, the Modal $\mu$-Calculus is a typical example of a logic language which is the product of theoretical investigations in a search for expressive power, economy, and elegance, rather than intuitiveness. Therefore, using this formalism requires some training and thorough understanding of its formal semantics, which we are about to explain.

The formulae of the Modal $\mu$-Calculus can be defined as follows:

• Propositional variables are formulae;
• if $\Phi$ is a formula and $\alpha$ is an action, then $\langle \alpha \rangle \Phi$ and $[\alpha] \Phi$ are formulae; and
• if $\Phi$ is a formula and $Z$ is a propositional variable, then $\mu Z.\Phi$ and $\nu Z.\Phi$ are also formulae.

The logic constants $ff$ and $tt$ are definable as $\mu Z.Z$ and $\nu Z.Z$, respectively.

It is not easy to give a local semantics for fixpoint formulae; this we do later by employing approximant formulae. It is far more convenient to present the semantics of Modal $\mu$-Calculus formulae extensionally, i.e., by defining for every formula the set of processes satisfying it. We call this set the denotation of the formula. The denotation has to be defined relative to an LTS and a valuation $V$ mapping subsets of the set of states of the LTS to propositional variables, since $\Phi$ or some sub-formulae of it can contain free occurrences of propositional variables. For a fixed LTS, we define the denotation $\|\Phi\|_V$ of a Modal $\mu$-Calculus formula inductively as follows:

    $\|Z\|_V \stackrel{\mathrm{def}}{=} V(Z)$
    $\|\Phi \vee \Psi\|_V \stackrel{\mathrm{def}}{=} \|\Phi\|_V \cup \|\Psi\|_V$
    $\|\Phi \wedge \Psi\|_V \stackrel{\mathrm{def}}{=} \|\Phi\|_V \cap \|\Psi\|_V$
    $\|\langle \alpha \rangle \Phi\|_V \stackrel{\mathrm{def}}{=} \|\langle \alpha \rangle\|_V (\|\Phi\|_V)$
    $\|[\alpha] \Phi\|_V \stackrel{\mathrm{def}}{=} \|[\alpha]\|_V (\|\Phi\|_V)$
    $\|\mu Z.\Phi\|_V \stackrel{\mathrm{def}}{=} \mu X.\|\Phi\|_{V[X/Z]}$
    $\|\nu Z.\Phi\|_V \stackrel{\mathrm{def}}{=} \nu X.\|\Phi\|_{V[X/Z]}$

where $\mu X.f(X)$ and $\nu X.f(X)$ denote the least and the greatest fixpoints of a mapping $f$, and where the following state transformers are used:

    $\|\langle \alpha \rangle\|_V \stackrel{\mathrm{def}}{=} \lambda X.\{P \mid \exists P' \in X.\ P \xrightarrow{\alpha} P'\}$
    $\|[\alpha]\|_V \stackrel{\mathrm{def}}{=} \lambda X.\{P \mid \forall P'.\ P \xrightarrow{\alpha} P' \text{ implies } P' \in X\}$

The valuation $V[X/Z]$ is as $V$ but mapping the set $X$ to $Z$. We can define satisfaction

    $P \models_V \Phi \stackrel{\mathrm{def}}{=} P \in \|\Phi\|_V$

As mentioned above, the existence of least and greatest fixpoints is guaranteed by Tarski's fixedpoint theorem for complete lattices [Tar55]. This theorem says that every monotone mapping over a complete lattice has a least and a greatest fixpoint. The lattice we have in our case is formed by the set $S$ of states (processes) together with set inclusion $\subseteq$. It is simple to show that in the absence of negation in our logic the transformers $\lambda X.\|\Phi\|_{V[X/Z]}$ are all monotone w.r.t. set inclusion (i.e., $X_1 \subseteq X_2$ implies $\|\Phi\|_{V[X_1/Z]} \subseteq \|\Phi\|_{V[X_2/Z]}$).

There are two main ways of characterising $\mu f$ and $\nu f$ for monotone mappings on complete lattices. On one hand, they can be presented as:

    $\mu f = \bigcap \{X \mid X \supseteq f(X)\}$
    $\nu f = \bigcup \{X \mid X \subseteq f(X)\}$

The other approach is to refer to fixpoint approximants. This characterisation often leads to a better understanding of the formulae of the Modal $\mu$-Calculus. Let $Ord$ denote the class of all ordinals, and let $\gamma$ and $\lambda$ range over ordinals and limit ordinals, respectively. Fixpoint approximants are defined inductively as follows:

    $\mu^0 f \stackrel{\mathrm{def}}{=} \emptyset$        $\nu^0 f \stackrel{\mathrm{def}}{=} S$
    $\mu^{\gamma+1} f \stackrel{\mathrm{def}}{=} f(\mu^{\gamma} f)$        $\nu^{\gamma+1} f \stackrel{\mathrm{def}}{=} f(\nu^{\gamma} f)$
    $\mu^{\lambda} f \stackrel{\mathrm{def}}{=} \bigcup_{\gamma < \lambda} \mu^{\gamma} f$        $\nu^{\lambda} f \stackrel{\mathrm{def}}{=} \bigcap_{\gamma < \lambda} \nu^{\gamma} f$

It can be shown that the following equations hold:

    $\mu f = \bigcup_{\gamma \in Ord} \mu^{\gamma} f$
    $\nu f = \bigcap_{\gamma \in Ord} \nu^{\gamma} f$


Furthermore, $\mu f$ and $\nu f$ are approximants themselves; this means that the above sequences stabilise after some ordinal, called the closure ordinal of $\mu f$ and $\nu f$, respectively, and become equal to $\mu f$ and $\nu f$. The closure ordinal is the first ordinal $\kappa$ such that $\mu^{\kappa} f = \mu f$, resp. $\nu^{\kappa} f = \nu f$, and its cardinality is bound by the cardinality of the carrier set of the complete lattice.

In the context of the Modal $\mu$-Calculus we can define approximant formulae (using infinite conjunctions and disjunctions) as follows:

    $\mu^0 Z.\Phi \stackrel{\mathrm{def}}{=} ff$        $\nu^0 Z.\Phi \stackrel{\mathrm{def}}{=} tt$
    $\mu^{\gamma+1} Z.\Phi \stackrel{\mathrm{def}}{=} \Phi[\mu^{\gamma} Z.\Phi / Z]$        $\nu^{\gamma+1} Z.\Phi \stackrel{\mathrm{def}}{=} \Phi[\nu^{\gamma} Z.\Phi / Z]$
    $\mu^{\lambda} Z.\Phi \stackrel{\mathrm{def}}{=} \bigvee_{\gamma < \lambda} \mu^{\gamma} Z.\Phi$        $\nu^{\lambda} Z.\Phi \stackrel{\mathrm{def}}{=} \bigwedge_{\gamma < \lambda} \nu^{\gamma} Z.\Phi$

and we obtain the following characterisation of satisfaction^11:

    $P \models_V \mu Z.\Phi$ iff $P \models_V \mu^{\gamma} Z.\Phi$ for some $\gamma$.
    $P \models_V \nu Z.\Phi$ iff $P \models_V \nu^{\gamma} Z.\Phi$ for all $\gamma$.

As a consequence, least fixpoint formulae are suitable for expressing liveness (i.e. eventuality) properties, while greatest fixpoint formulae are suitable for expressing safety (i.e. invariant) properties. The more complicated reactivity properties^12 usually necessary for specifying communicating systems require nesting (alternation) of fixpoints of different kind.
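As an added example (not code from the thesis), the following Python snippet computes the denotation $\|\Phi\|_V$ of a Modal $\mu$-Calculus formula over a finite LTS by the clauses given above, evaluating $\mu$ and $\nu$ by iterating the approximants $\mu^{\gamma}$ and $\nu^{\gamma}$ until the closure ordinal is reached (finite here, since the lattice is finite), and checks the properties formalised in this section on the vending machine $Ven$; the LTS of $Ven$ is written out by hand from its defining equations, and a second, constructed LTS with a $\tau$ loop is added to exhibit a livelock.

```python
"""Extensional semantics of the Modal mu-Calculus (Stirling's variant with action
sets in the modalities) over a finite LTS.  Example code, not the thesis's own."""

# Formulae are tuples; the constructors below are this example's own encoding.
TT, FF = ('tt',), ('ff',)
def Var(z): return ('var', z)
def Or(f, g): return ('or', f, g)
def And(f, g): return ('and', f, g)
def Dia(K, f): return ('dia', K, f)       # <K> f
def Box(K, f): return ('box', K, f)       # [K] f
def Mu(z, f): return ('mu', z, f)         # least fixpoint  mu Z. f
def Nu(z, f): return ('nu', z, f)         # greatest fixpoint  nu Z. f

# Action sets K in the modalities: a frozenset of actions, or ('not', S) for Act - S.
def Acts(*actions): return frozenset(actions)
def Minus(*actions): return ('not', frozenset(actions))   # "-a"; Minus() is "-" (all of Act)

def in_set(K, action):
    if isinstance(K, tuple) and K[0] == 'not':
        return action not in K[1]
    return action in K

# An LTS is a dict  state -> set of (action, successor).
def dia_tr(lts, K, X):
    """||<K>||(X): states with some K-derivative in X."""
    return frozenset(p for p, succ in lts.items()
                     if any(in_set(K, a) and q in X for a, q in succ))

def box_tr(lts, K, X):
    """||[K]||(X): states all of whose K-derivatives lie in X."""
    return frozenset(p for p, succ in lts.items()
                     if all(q in X for a, q in succ if in_set(K, a)))

def denot(lts, phi, V=None):
    """The set ||phi||_V of states of the LTS satisfying phi under valuation V."""
    V = {} if V is None else V
    S = frozenset(lts)
    kind = phi[0]
    if kind == 'tt':  return S
    if kind == 'ff':  return frozenset()
    if kind == 'var': return V[phi[1]]
    if kind == 'or':  return denot(lts, phi[1], V) | denot(lts, phi[2], V)
    if kind == 'and': return denot(lts, phi[1], V) & denot(lts, phi[2], V)
    if kind == 'dia': return dia_tr(lts, phi[1], denot(lts, phi[2], V))
    if kind == 'box': return box_tr(lts, phi[1], denot(lts, phi[2], V))
    if kind in ('mu', 'nu'):
        z, body = phi[1], phi[2]
        X = frozenset() if kind == 'mu' else S      # approximant 0: ff resp. tt
        while True:
            nxt = denot(lts, body, {**V, z: X})     # approximant gamma+1 = Phi[X/Z]
            if nxt == X:                            # closure ordinal reached
                return X
            X = nxt
    raise ValueError(f'unknown formula {phi!r}')

def satisfies(lts, p, phi):
    """P |= phi  iff  P is in ||phi||."""
    return p in denot(lts, phi)

# LTS of the vending machine Ven, written out by hand from its defining equations.
VEN = {
    'Ven':          {('1c', 'Venl'), ('2c', 'Venb')},
    'Venl':         {('little', 'collectl.Ven')},
    'collectl.Ven': {('collectl', 'Ven')},
    'Venb':         {('big', 'collectb.Ven')},
    'collectb.Ven': {('collectb', 'Ven')},
}
# A constructed LTS whose initial state can chatter internally forever.
SPIN = {'Spin': {('tau', 'Spin'), ('a', 'Stop')}, 'Stop': set()}

# The properties formalised in Section 2.3.
DEADLOCK_FREE = Nu('Z', And(Dia(Minus(), TT), Box(Minus(), Var('Z'))))
LIVELOCK_FREE = Mu('Z', Box(Acts('tau'), Var('Z')))
def can_become_enabled(a): return Mu('Z', Or(Dia(Acts(a), TT), Dia(Minus(), Var('Z'))))
def eventually_chosen(a):  return Mu('Z', And(Dia(Minus(), TT), Box(Minus(a), Var('Z'))))
def infinitely_often(a):   return Nu('Z', Mu('Y', Or(Dia(Acts(a), Var('Z')), Dia(Minus(a), Var('Y')))))

def check_examples():
    return {
        'ven_deadlock_free':    satisfies(VEN, 'Ven', DEADLOCK_FREE),
        'ven_livelock_free':    satisfies(VEN, 'Ven', LIVELOCK_FREE),
        'spin_deadlock_free':   satisfies(SPIN, 'Spin', DEADLOCK_FREE),
        'spin_livelock_free':   satisfies(SPIN, 'Spin', LIVELOCK_FREE),
        # the two HML facts about Ven: a big item after 2c, but not after 1c
        'big_after_2c':         satisfies(VEN, 'Ven', Dia(Acts('2c'), Dia(Acts('big'), TT))),
        'no_big_after_1c':      satisfies(VEN, 'Ven', Box(Acts('1c'), Box(Acts('big'), FF))),
        'big_can_be_enabled':   satisfies(VEN, 'Ven', can_become_enabled('big')),
        # false: a user may keep inserting 1c and never has to choose big
        'big_eventually':       satisfies(VEN, 'Ven', eventually_chosen('big')),
        'big_infinitely_often': satisfies(VEN, 'Ven', infinitely_often('big')),
    }

if __name__ == '__main__':
    for prop, holds in check_examples().items():
        print(f'{prop:22} {holds}')
```

The iteration in `denot` is the approximant sequence itself: for $\mu$ it starts from $\emptyset$ (the denotation of $ff$) and for $\nu$ from $S$ (the denotation of $tt$), so each loop round computes $\mu^{\gamma+1}$ resp. $\nu^{\gamma+1}$ from $\mu^{\gamma}$ resp. $\nu^{\gamma}$.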

Let us now see how this definition helps in understanding Modal $\mu$-Calculus formulae. Let us consider the formula $\mu Z.[a] Z$. Its first few fixpoint approximants are:

^11 These two clauses, together with the ones we gave above for HML formulae, can be considered as giving a local semantics for the Modal $\mu$-Calculus.
