TEXTS IN COMPUTER SCIENCE
Editors: David Gries, Fred B. Schneider
Springer Science+Business Media, LLC

Texts in Computer Science (series titles):
Alagar and Periyasamy, Specification of Software Systems
Apt and Olderog, Verification of Sequential and Concurrent Programs, Second Edition
Back and von Wright, Refinement Calculus
Beidler, Data Structures and Algorithms
Bergin, Data Structure Programming
Brooks, C Programming: The Essentials for Engineers and Scientists
Brooks, Problem Solving with Fortran 90
Dandamudi, Introduction to Assembly Language Programming
Fitting, First-Order Logic and Automated Theorem Proving, Second Edition
Grillmeyer, Exploring Computer Science with Scheme
Homer and Selman, Computability and Complexity Theory
Immerman, Descriptive Complexity
Jalote, An Integrated Approach to Software Engineering, Second Edition
Kizza, Ethical and Social Issues in the Information Age
Kozen, Automata and Computability
Li and Vitanyi, An Introduction to Kolmogorov Complexity and Its Applications, Second Edition
(continued after index)

Colin Stirling
MODAL AND TEMPORAL PROPERTIES OF PROCESSES
With 45 Illustrations
Springer

Colin Stirling
Division of Informatics
University of Edinburgh
Edinburgh EH9 3JZ, UK
[email protected]

Series Editors:
David Gries, Department of Computer Science, 415 Boyd Studies Research Center, The University of Georgia, Athens, GA 30605, USA
Fred B. Schneider, Department of Computer Science, Upson Hall, Cornell University, Ithaca, NY 14853-7501, USA

Library of Congress Cataloging-in-Publication Data
Stirling, Colin P.
Modal and temporal properties of processes / Colin Stirling.
p. cm. (Texts in computer science)
Includes bibliographical references and index.
ISBN 978-1-4419-3153-5
ISBN 978-1-4757-3550-5 (eBook)
DOI 10.1007/978-1-4757-3550-5
1. Computer logic. 2. Parallel processing (Electronic computers). I. Title. II. Series.
QA76.9.L63 S75 2001
004'.35 dc21
00-067924

Printed on acid-free paper.

© 2001 Springer Science+Business Media New York
Originally published by Springer-Verlag New York, Inc. in 2001.
Softcover reprint of the hardcover 1st edition 2001

All rights reserved. This work may not be translated or copied in whole or in part without the written permission of the publisher (Springer Science+Business Media, LLC), except for brief excerpts in connection with reviews or scholarly analysis. Use in connection with any form of information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed is forbidden. The use of general descriptive names, trade names, trademarks, etc., in this publication, even if the former are not especially identified, is not to be taken as a sign that such names, as understood by the Trade Marks and Merchandise Marks Act, may accordingly be used freely by anyone.

Production managed by Timothy Taylor; manufacturing supervised by Erica Bresler.
Typeset pages prepared using the author's LaTeX files by The Bartlett Press, Inc., Marietta, GA.

To Sarah and Susie

Preface

In this book we examine modal and temporal logics for processes. First, we introduce concurrent processes as terms of an algebraic language comprising a few basic operators. Their behaviours are described using transitions. Families of transitions can be arranged as labelled graphs, concrete summaries of the behaviour of processes. Various combinations of processes and their resulting behaviour, as determined by the transition rules, are reviewed. Next, simple modal logics are introduced for describing the capabilities of processes.

An important discussion point occurs when two processes may be deemed to have the same behaviour. Such an abstraction can be presented by defining an appropriate behavioural equivalence between processes. A more abstract approach is to consider equivalence in terms of having the same pertinent properties. There is special emphasis on bisimulation equivalence, since the discriminating power of modal logic is tied to it.

More generally, practitioners have found it useful to be able to express temporal properties of concurrent systems, especially liveness and safety properties.
A safety property amounts to "nothing bad ever happens," whereas a liveness property expresses "something good does eventually happen." The crucial safety property of a mutual exclusion algorithm is that no two processes are ever in their critical sections concurrently. And an important liveness property is that, whenever a process requests execution of its critical section, then eventually it is granted. Cyclic properties of systems are also salient: for instance, part of a specification of a scheduler is that it must continually perform a particular sequence of actions. A logic expressing temporal notions provides a framework for the precise formalisation of such specifications.

Formulas of the modal logic are not rich enough to express such temporal properties, so an extra operator, a fixed point operator, is added. The result is a very expressive temporal logic, modal mu-calculus. However, it is also very important to be able to verify that an agent has or does not have a particular property.

The text aims to be reasonably introductory, so that parts of the book could be used at undergraduate level, as well as at more advanced levels. I have used the material in this way at Edinburgh. The extensive use of games for both equivalence and model checking is partly pedagogical, since they are so conceptually clear.

Parts of the book have been presented previously at various summer schools over the years, and I wish to thank all the organisers for allowing me to present this material. I should also like to thank current and previous colleagues at Edinburgh for building such an intellectually stimulating environment to work in. In particular, I wish to thank Julian Bradfield (a pioneer of infinite state model checking, who allowed me to use his TeX tree constructor for building derivation trees), Olaf Burkart, Kim Larsen (who introduced me to modal mu-calculus), Robin Milner (from whom I learnt about process calculus and bisimulation equivalence), Perdita Stevens and David Walker.
Colin Stirling
Edinburgh, United Kingdom

Contents

Preface vii
List of Figures xi
1 Processes 1
1.1 First examples 1
1.2 Concurrent interaction 8
1.3 Observable transitions 17
1.4 Renaming and linking 21
1.5 More combinations of processes 25
1.6 Sets of processes 28
2 Modalities and Capabilities 31
2.1 Hennessy-Milner logic I 32
2.2 Hennessy-Milner logic II 36
2.3 Algebraic structure and modal properties 39
2.4 Observable modal logic 42
2.5 Observable necessity and divergence 47
3 Bisimulations 51
3.1 Process equivalences 51
3.2 Interactive games 56
3.3 Bisimulation relations 64
3.4 Modal properties and equivalences 69
3.5 Observable bisimulations 72
3.6 Equivalence checking 77
4 Temporal Properties 83
4.1 Modal properties revisited 83
4.2 Processes and their runs 85
4.3 The temporal logic CTL 89
4.4 Modal formulas with variables 91
4.5 Modal equations and fixed points 95
4.6 Duality 100
5 Modal Mu-Calculus 103
5.1 Modal logic with fixed points 104
5.2 Macros and normal formulas 107
5.3 Observable modal logic with fixed points 110
5.4 Preservation of bisimulation equivalence 112
5.5 Approximants 115
5.6 Embedded approximants 121
5.7 Expressing properties 128
6 Verifying Temporal Properties 133
6.1 Techniques for verification 133
6.2 Property checking games 135
6.3 Correctness of games 144
6.4 CTL games 147
6.5 Parity games 151
6.6 Deciding parity games 156
7 Exposing Structure 163
7.1 Infinite state systems 164
7.2 Generalising satisfaction 165
7.3 Tableaux I 168
7.4 Tableaux II 173
References 183
Index 187

List of Figures

1.1 The transition graph for Cl 2
1.2 A vending machine 3
1.3 The transition graph for Ven 3
1.4 A family of counters 4
1.5 The transition graph for Cti 4
1.6 Flow graphs of User and Cop 10
1.7 Flow graph of Cop | User 11
1.8 Flow graph of Cop | User | User 11
1.9 Flow graph of (Cop | User)\K 11
1.10 A level crossing 12
1.11 Flow graphs of the crossing and its components 13
1.12 Transition graph of Crossing 14
1.13 A simple protocol 14
1.14 Protocol transition graph when there is one message m 15
1.15 A slot machine 15
1.16 Observable transition graphs for (C | U)\{in, ok} and Ucop 20
1.17 Flow graph of n instances of B, and B1 | ... | Bn 22
1.18 The flow graph of Cy' 23
1.19 Flow graph of Cy'1 | Cy'2 | Cy'3 | Cy'4 24
3.1 Two clocks 52
3.2 Three vending machines 54
3.3 Game graph for G(Cl, Cl5) 58
3.4 Reduced game graph for G(Cl, Cl5) 59
3.5 Game graph for (Ven2, Ven3) 60
3.6 Game play 74
3.7 A simplified slot machine 79