A Logic with Reverse Modalities for History-preserving Bisimulations
BB. Luttik and F. D. Valencia (Eds.): 18th International Workshop onExpressiveness in Concurrency (EXPRESS 2011)EPTCS 64, 2011, pp. 104–118, doi:10.4204/EPTCS.64.8 c (cid:13)
I.C.C. Phillips & I. Ulidowski
A Logic with Reverse Modalities for History-preservingBisimulations
Iain Phillips
Department of Computing, Imperial College London, England [email protected]
Irek Ulidowski
Department of Computer Science, University of Leicester, England [email protected]
We introduce event identifier logic (EIL) which extends Hennessy-Milner logic by the addition of(1) reverse as well as forward modalities, and (2) identifiers to keep track of events. We showthat this logic corresponds to hereditary history-preserving (HH) bisimulation equivalence withina particular true-concurrency model, namely stable configuration structures. We furthermore showhow natural sublogics of EIL correspond to coarser equivalences. In particular we provide logicalcharacterisations of weak history-preserving (WH) and history-preserving (H) bisimulation. Logicscorresponding to HH and H bisimulation have been given previously, but not to WH bisimulation(when autoconcurrency is allowed), as far as we are aware. We also present characteristic formulaswhich characterise individual structures with respect to history-preserving equivalences.
The paper presents a modal logic that can express simple properties of computation in the true concur-rency setting of stable configuration structures. We aim, like Hennessy-Milner logic (HML) [19] in theinterleaving setting, to characterise the main true concurrency equivalences and to develop characteristicformulas for them. We focus in this paper on history-preserving bisimulation equivalences.HML has a “diamond” modality h a i f which says that an event labelled a can be performed, takingus to a new state which satisfies f . The logic also contains negation ( ¬ ), conjunction ( ∧ ) and a baseformula which always holds (tt). HML is strong enough to distinguish any two processes which are notbisimilar.We are interested in making true concurrency distinctions between processes. These processes willbe event structures , where the current state is represented by the set of events which have occurred sofar. Such sets are called configurations . Events have labels (ranged over by a , b , . . . ), and different eventsmay have the same label. We shall refer to example event structures using a CCS-like notation, with a | b denoting an event labelled with a in parallel with another labelled with b , a . b denoting two eventslabelled a and b where the first causes the second, and a + b denoting two events labelled a and b whichconflict.In the true concurrency setting bisimulation is referred to as interleaving bisimulation , or IB for short.The processes a | b and a . b + b . a are interleaving bisimilar, but from the point of view of true concurrencythey should be distinguished, and HML is not powerful enough to do this.We therefore look for a more powerful logic, and we base this logic on adding reverse moves. Insteadof the one modality h a i f we have two: forward diamond h a ii f (which is just a new notation for the h a i f of HML) and reverse diamond hh a i f . The latter is satisfied if we can reverse some event labelled with.C.C.Phillips &I.Ulidowski 105 a and get to a configuration where f holds. Such an event would have to be maximal to enable us toreverse it, i.e. it could not be causing some other event that has already occurred.With this new reverse modality we can now distinguish a | b and a . b + b . a : a | b satisfies h a iih b iihh a i tt,while a . b + b . a does not. The formula expresses the idea that a and b are concurrent . Alternatively wesee that a . b + b . a satisfies h a iih b ii¬hh a i tt, while a | b does not. This latter formula expresses the idea that a causes b .The new logic corresponds to reverse interleaving bisimulation [31], or RI-IB for short. In the ab-sence of autoconcurrency, Bednarczyk [3] showed that this is as strong as hereditary history-preservingbisimulation [3], or HH for short, which is usually regarded as the strongest desirable true concurrencyequivalence. HH was independently proposed in [21], under the name of strong history-preserving bisim-ulation.Auto-concurrency is where events can occur concurrently and have the same label. To allow forthis, we need to strengthen the logic. For instance, we want to distinguish a | a from a . a , which is notpossible with the logic as it stands: h a iih a iihh a i tt is satisfied by both processes. We need some way ofdistinguishing the two events labelled with a . We change our modalities so that when we make a forwardmove we declare an identifier (ranged over by x , y , . . . ) which stands for that event, allowing us to refer toit again when reversing it. Now we can write h x : a iih y : a iihh x i tt, and this is satisfied by a | a , but not by a . a . Declaration is an identifier-binding operation, so that x and y are both bound in the formula. Baldanand Crafa [2] also used such declarations in their forward-only logic.With this simple change we now have a logic which is as strong as HH, even with autoconcurrency.We have to be careful that our logic does not become too strong. For instance, we want to ensure thatprocesses a and a + a are indistinguishable. One might think that a + a satisfies h x : a iihh x ih y : a ii¬hh x i tt,while a does not. To avoid this, we need to ensure that x is forgotten about once it is reversed, and socannot be used again. One could make a syntactic restriction that in a formula hh x i f the identifier x is notallowed to occur (free) in f . However this is not actually necessary, as our semantics will ensure that allidentifiers must be assigned to events in the current configuration. So in fact h x : a iihh x ih y : a ii¬hh x i tt isnot satisfied by a + a , since we are not allowed to reverse x as it would take us to a configuration where x is mentioned in h y : a ii¬hh x i tt but x is assigned to an event outside the current configuration. Baldan andCrafa [2] also had to deal with this issue.Our logic is not quite complete, since we wish to express certain further properties. For instance, wewould like to express a reverse move labelled with a , i.e. hh a i f . Instead of adding this directly, we add declarations ( x : a ) f . We can now express hh a i f by the formula ( x : a ) hh x i f (where x does not occur(free) in f ).We also wish to express so-called step transitions , which are transitions consisting of multiple eventsoccurring concurrently. For instance a forward step h a , a ii f of two events labelled with a can be achievedby h x : a iih y : a ii ( f ∧ hh x i tt ) and a reverse step hh a , a i f can be achieved by ( x : a )( y : a )( hh x ihh y i f ∧ hh y i tt ) (both formulas with x and y not free in f ). Thus the reverse steps employ declarations. As well asexpressing reverse steps, declarations allow us to obtain a sublogic which corresponds to weak history-preserving bisimulation (WH).This completes a brief introduction of our logic, which we call Event Identifier Logic , or EIL forshort. Apart from corresponding to HH, EIL has natural sublogics for several other true concurrencyequivalences. Figure 1 shows a hierarchy of equivalences that we are able to characterise, where arrowsdenote proper set inclusion. Apart from the mentioned HH and WH, history-preserving bisimulation (H)is a widely studied equivalence that employs history isomorphism.
Hereditary weak-history preservingbisimulation (HWH) is WH with the hereditary property [3] that deals with reversing of events. Thedefinitions of these equivalences can be found in [12, 31], and are outlined in Section 3.2.06 ALogic withReverse ModalitiesPSfrag replacements HHH HWHWHFigure 1: The hierarchy of history-preserving equivalences.It is natural to ask if, at least for a finite structure, there is a single logical formula which captures allof its behaviour, up to a certain equivalence. Such formulas are called characteristic formulas. They havebeen investigated previously for HML and other logics [16, 35, 1]. We look at characteristic formulaswith respect to three of the equivalences we consider, namely HH, H and WH.The main contribution of the paper is a logic EIL. It could be argued that EIL is a natural andcanonical logic for the true concurrency equivalences considered here in the following sense. Firstly, itsforward and reverse modalities capture faithfully the information of the forward and reverse transitionsin the definitions of the equivalences, Secondly, event identifier environments and event declarations giverise naturally to order isomorphisms for HH, H, HWH and WH. Finally, EIL extends HML and keepswith its spirit of having simple modalities defined seamlessly over a general computation model.Other contributions include the first to our knowledge logics for WH and HWH. Finally, we presentthe first to our knowledge characteristic formulas for HH, H and WH.The paper is organised as follows. We look at related work in Section 2. Then we recall the definitionsof configuration structures and the bisimulation-based equivalences that we shall need in Section 3. Wethen introduce EIL in Section 4, giving examples of its usage. Next we look at how to characterisevarious equivalences using EIL and its sublogics (Section 5). In Section 6 we investigate characteristicformulas. We finish with conclusions and future work.
Previous work on logics for true concurrency can be categorised loosely according to the type of semanticstructure (model) that the satisfaction relation of the logic is defined for. There are logics over config-urations (sets of consistent events) [15, 2] and logics over paths (or computations) [5, 27, 28, 29, 32],although logics in [27, 28, 29] can be seen also as logics over configurations. Other structures such astrees, graphs and Kripke frames are used as models in, for example, [26, 25, 17, 18].The logic in this paper uses simple forward and reverse event identifier modalities that are sufficientto characterise HH. In contrast, Baldan and Crafa [2] achieved an alternative characterisation of HHwith a different modal logic that uses solely forward-only event identifier modalities h x i and ( xxx , ¯ yyy < a z ) .The formula ( xxx , ¯ yyy < a z ) f holds in a configuration if in its future there is an a -labelled event e that canbe bound to z , and f holds. Additionally, e must be (1) caused at least by the events already boundto the events in xxx and (2) concurrent with at least the events already bound to the events in yyy . Severalinteresting sublogics were also identified in [2] that characterise H, pomset bisimulation [4, 12] and stepbisimulation [33, 12] respectively.Goltz, Kuiper and Penczek [15] researched configurations of prime event structures without autocon-currency . In such a setting HH coincides with reverse interleaving bisimulation RI-IB (shown in [3]).Moreover, H coincides with WH. Partial Order Logic (POL) is proposed in [15]. POL contains pastmodalities and the authors stated that it characterises RI-IB (and thus HH). Also, it is conjectured that if.C.C.Phillips &I.Ulidowski 107one restricts POL in such a way that no forward modalities can be nested in a past modality, then such alogic characterises H (and thus WH).Cherief [5] defined a pomset bisimulation relation over paths and shows that it coincides with H (de-fined over configurations). The author then predicted that an extension of HML with forward and reversepomset modalities characterises H. This idea was then developed further by Pinchinat, Laroussinie andSchnoebelen in [32].Nielsen and Clausen defined a d -bisimulation relation ( d b) over paths [27, 29]. Unlike in [5, 32], oneis allowed to reverse independent maximal events in any order. This seemingly small change has a pro-found effect on the strength of the equivalence: d b coincides with HH. It was shown that an extension ofHML with a reverse modality characterises HH when there is no autoconcurrency [27, 29]. Additionally,it was stated (without a proof) [28] that an extension of HML with a reverse event index modality char-acterises HH even in the presence of autoconcurrency. The notion of paths used in [27, 28, 29] inducesa notion of configuration. Hence, their logics could be understood as logics over configurations and re-verse index modality could be seen as a form of our reverse event identifier modality. We would argue,however, that many properties of configurations related to causality and concurrency between events areexpressed more naturally with reverse identifier modalities.Past or reverse modalities, which are central to our logic, were used before in a number of modallogics and temporal logics [20, 7, 6, 26, 15, 23, 24, 30] but only [26, 15] proposed logical characterisa-tions of true concurrency equivalences. Among the rest, HML with backward modalities in [7, 6] definedover paths is shown to characterise branching bisimulation. Finally, Gutierrez introduced a modal logicfor transition systems with independence [17, 18] that has two diamond modalities: one for causallydependent transitions and the other for concurrent transitions with respect to a given transition. In this section we define our computational model (stable configuration structures) and the various bisim-ulation equivalences for which we shall present logical characterisations.
We work with stable configuration structures [13, 14, 12], which are equivalent to stable event struc-tures [36].
Definition 3.1. A configuration structure (over an alphabet Act ) is a pair C = ( C , ℓ ) where C is a familyof finite sets (configurations) and ℓ : S X ∈ C X → Act is a labelling function.We use C C , ℓ C to refer to the two components of a configuration structure C . Also we let E C = S X ∈ C X , the events of C . We let e , . . . range over events, and E , F , . . . over sets of events. We let a , b , c , . . . range over labels in Act . Definition 3.2 ([12]) . A configuration structure C = ( C , ℓ ) is stable if it is • rooted: /0 ∈ C ; connected: /0 = X ∈ C implies ∃ e ∈ X : X \ { e } ∈ C ; • closed under bounded unions: if X , Y , Z ∈ C then X ∪ Y ⊆ Z implies X ∪ Y ∈ C ; • closed under bounded intersections: if X , Y , Z ∈ C then X ∪ Y ⊆ Z implies X ∩ Y ∈ C .Any stable configuration structure is the set of configurations of a stable event structure [12, Thm 5.3]. Definition 3.3.
Let C = ( C , ℓ ) be a stable configuration structure, and let X ∈ C .08 ALogic withReverse Modalities • Causality: d ≤ X e iff for all Y ∈ C with Y ⊆ X we have e ∈ Y implies d ∈ Y . Furthermore d < X e iff d ≤ X e and d = e . • Concurrency: d co X e iff d < X e and e < X d .It is shown in [12] that < X is a partial order and that the sub-configurations of X are precisely thosesubsets Y which are left-closed w.r.t. < X , i.e. if d < X e ∈ Y then d ∈ Y . Furthermore, if X , Y ∈ C with Y ⊆ X , then < Y = < X ↾ Y .Recall that a prime event structure is a set of events with a labelling function, together with a causalityrelation and a conflict relation (between events that cannot be members of the same configuration) [36].The set of configurations of a prime event structure forms a stable configuration structure; prime eventstructures are a proper subclass of stable event structures. All of our examples are given as prime eventstructures or the corresponding CCS expressions. When drawing diagrams of prime event structures weshall, as usual, depict the causal relation with arrows, and the conflict relation with dotted lines. We shallalso suppress the actual events and write their labels instead. Thus if we have two events e and e , bothlabelled with a , in diagrams we shall denote them as a and a , respectively, when we wish to distinguishbetween them. This is justified, since all the notions of equivalence we shall discuss depend on the labelsof the events, rather than the events themselves. Example 3.4.
Consider a prime event structure with events e , e , e all labelled with a , where e causes e and e , e are concurrent with e . The corresponding CCS expression is ( a . a ) | a . The set of configu-rations consists of /0, { e } , { e } , { e , e } , { e , e } and { e , e , e } . Definition 3.5.
Let C = ( C , ℓ ) be a stable configuration structure and let a ∈ Act . We let X e → C X ′ iff X , X ′ ∈ C , X ⊆ X ′ and X ′ \ X = { e } . Furthermore we let X a → C X ′ iff X e → C X ′ for some e with ℓ ( e ) = a .We also define reverse transitions: X e C X ′ iff X ′ e → C X , and X a C X ′ iff X ′ a → C X . The overloading ofnotation whereby transitions can be labelled with events or with event labels should not cause confusion.For a set of events E , let ℓ ( E ) be the multiset of labels of events in E . We define a step transitionrelation where concurrent events are executed in a single step: Definition 3.6.
Let C = ( C , ℓ ) be a stable configuration structure and let A ∈ N Act ( A is a multiset over Act ). We let X A → C X ′ iff X , X ′ ∈ C , X ⊆ X ′ , and X ′ \ X = E with d co X ′ e for all d , e ∈ E and ℓ ( E ) = A .We shall assume in what follows that stable configuration structures are image finite with respect toforward transitions, i.e. for any configuration X and any label a , the set { X ′ : X a → C X ′ } is finite. We define history-preserving bisimulations and illustrate the differences between them with examples.
Definition 3.7.
Let X = ( X , < X , ℓ X ) and Y = ( Y , < Y , ℓ Y ) be partial orders which are labelled over Act .We say that X and Y are isomorphic ( X ∼ = Y ) iff there is a bijection from X to Y respecting the orderingand the labelling. The isomorphism class [ X ] ∼ = of a partial order labelled over Act is called a pomset over
Act . Definition 3.8 ([8, 12]) . Let C , D be stable configuration structures. A relation R ⊆ C C × C D is a weakhistory-preserving (WH) bisimulation between C and D if R ( /0 , /0 ) and if R ( X , Y ) and a ∈ Act then: • ( X , < X , ℓ C ↾ X ) ∼ = ( Y , < Y , ℓ D ↾ Y ) ; • if X a → C X ′ then ∃ Y ′ . Y a → D Y ′ and R ( X ′ , Y ′ ) ; • if Y a → D Y ′ then ∃ X ′ . X a → C X ′ and R ( X ′ , Y ′ ) ..C.C.Phillips &I.Ulidowski 109PSfrag replacements E F a a a a a a a a b b b b b b b b Figure 2: Example 3.12.We say that C and D are WH equivalent ( C ≈ wh D ) iff there is a WH bisimulation between C and D . Definition 3.9 ([34, 12]) . Let C , D be stable configuration structures. A relation R ⊆ C C × C D × P ( E C × E D ) is a history-preserving (H) bisimulation between C and D iff R ( /0 , /0 , /0 ) and if R ( X , Y , f ) and a ∈ Act • f is an isomorphism between ( X , < X , ℓ C ↾ X ) and ( Y , < Y , ℓ D ↾ Y ) ; • if X a → C X ′ then ∃ Y ′ , f ′ . Y a → D Y ′ , R ( X ′ , Y ′ , f ′ ) and f ′ ↾ X = f ; • if Y a → D Y ′ then ∃ X ′ , f ′ . X a → C X ′ , R ( X ′ , Y ′ , f ′ ) and f ′ ↾ X = f .We say that C and D are H equivalent ( C ≈ h D ) iff there is an H bisimulation between C and D .Both H and WH have associated hereditary versions: Definition 3.10 ([3, 21, 12]) . Let C , D be stable configuration structures and let a ∈ Act . Then R ⊆ C C × C D × P ( E C × E D ) is a hereditary H (HH) bisimulation iff R is an H bisimulation and if R ( X , Y , f ) then for any a ∈ Act , • if X a C X ′ then ∃ Y ′ , f ′ . Y a D Y ′ , R ( X ′ , Y ′ , f ′ ) and f ↾ X ′ = f ′ ; • if Y a D Y ′ then ∃ X ′ , f ′ . X a C X ′ , R ( X ′ , Y ′ , f ′ ) and f ↾ X ′ = f ′ .We say that C and D are HH equivalent ( C ≈ hh D ) iff there is an HH bisimulation between C and D . Definition 3.11.
Let C , D be stable configuration structures and let a ∈ Act . Then R ⊆ C C × C D × P ( E C × E D ) is a hereditary WH (HWH) bisimulation if R ( /0 , /0 , /0 ) and if R ( X , Y , f ) and a ∈ Act then: • f is an isomorphism between ( X , < X , ℓ C ↾ X ) and ( Y , < Y , ℓ D ↾ Y ) ; • if X a → C X ′ then ∃ Y ′ , f ′ . Y a → D Y ′ and R ( X ′ , Y ′ , f ′ ) ; • if Y a → D Y ′ then ∃ X ′ , f ′ . X a → C X ′ and R ( X ′ , Y ′ , f ′ ) ; • if X a C X ′ then ∃ Y ′ , f ′ . Y a D Y ′ , R ( X ′ , Y ′ , f ′ ) and f ↾ X ′ = f ′ ; • if Y a D Y ′ then ∃ X ′ , f ′ . X a C X ′ , R ( X ′ , Y ′ , f ′ ) and f ↾ X ′ = f ′ .Also C and D are HWH equivalent ( C ≈ hwh D ) iff there is an HWH bisimulation between C and D .The inclusions in Figure 1 are immediate from the definitions. They are strict inclusions: Example 3.12 ([31]) . Consider event structures E , F in Figure 2, where each event structure has four a -labelled and four b -labelled events. E = F holds for ≈ hwh , and hence for ≈ wh , but not for ≈ h , andhence not for ≈ hh . We now show this. E , F have the same configurations except that { a , a , b } ismissing in F . We define a bisimulation by relating all isomorphic states, and check that it is an HWH.To see that E and F are not H-equivalent, consider /0 a → a → { a , a } in F . This must be matched bymoving to configuration { a i , a i + } in E , where i ∈ { , , } . But then both b i and b i + are possible.However { a , a } in F can only do b . Hence one of the b i and b i + in E cannot be matched to b insuch way that the resulting isomorphism contains the already established pairs (either ( a , a i ) , ( a , a i + ) or ( a , a i + ) , ( a , a i ) ) and is history-preserving.10 ALogic withReverse Modalities Example 3.13.
The Absorption Law [4, 3, 12] ( a | ( b + c )) + ( a | b ) + (( a + c ) | b ) = ( a | ( b + c )) + (( a + c ) | b ) holds for ≈ h , and thus for ≈ wh , but not for ≈ hwh . We now introduce our logic, which we call Event Identifier Logic (EIL). We assume an infinite set ofidentifiers Id , ranged over by x , y , z , . . . . The syntax of EIL is as follows: f :: = tt | ¬ f | f ∧ f ′ | h x : a ii f | ( x : a ) f | hh x i f We include the usual operators of propositional logic: truth tt, negation ¬ f and conjunction f ∧ f ′ . Wethen have forward diamond h x : a ii f , which says that it is possible to perform an event labelled with a and reach a new configuration where f holds. In the formula h x : a ii f , the modality h x : a ii binds all freeoccurrences of x in f . Next we have declaration ( x : a ) f . This says that there is some event with label a in the current configuration which can be bound to x , in such a way that f holds. Here the declaration ( x : a ) binds all free occurrences of x in f . Finally we have reverse diamond hh x i f . This says that itis possible to perform the reverse event bound to identifier x , and reach a configuration where f holds.Note that hh x i does not bind x . Clearly any occurrences of x that get bound by ( x : a ) must be of the form hh x i . We allow alpha-conversion of bound names. We use f , y , . . . to range over formulas of EIL. Example 4.1.
The formula h x : a iih y : a iihh x i tt says that there are events with label a , say e and e , thatcan be bound to x and y such that, after performing e and then e , we can reverse e . Obviously, afterperforming e followed by e , we can always reverse e . This formula could be interpreted as saying thatan event bound to x is concurrent with an event bound to y . Next, consider h x : a iih y : a ii¬hh x i tt. Theformula expresses that an event bound to x causes an event bound to y (because if we could reverse x before y , we would reach a configuration containing y and not x , which contradicts x being a cause of y ). Definition 4.2.
We define fi ( f ) , the set of free identifiers of f , by induction on formulas:. fi ( tt ) = /0 fi ( f ∧ f ) = fi ( f ) ∪ fi ( f ) fi (( x : a ) f ) = fi ( f ) \ { x } fi ( ¬ f ) = fi ( f ) fi ( h x : a ii f ) = fi ( f ) \ { x } fi ( hh x i f ) = fi ( f ) ∪ { x } We say that f is closed if fi ( f ) = /0; otherwise f is open .In order to assign meaning to open formulas, as usual we employ environments which tell us whatevents the free identifiers are bound to. Definition 4.3. An environment r is a partial mapping from Id to events. We say that r is a permissibleenvironment for f and X if fi ( f ) ⊆ dom ( r ) and rge ( r ↾ fi ( f )) ⊆ X .We let /0 denote the empty environment. We let r [ x e ] denote the environment r ′ which agreeswith r except possibly on x , where r ′ ( x ) = e (and r ( x ) may or may not be defined). We abbreviate/0 [ x e ] by [ x e ] . We let r \ x denote r with the assignment to x deleted (if defined in r ).Now we can formally define the semantics of EIL: Definition 4.4.
Let C be a stable configuration structure. We define a satisfaction relation C , X , r | = f where X is a configuration of C , and r is a permissible environment for f and X , by induction onformulas as follows (we suppress the C where it is clear from the context):.C.C.Phillips &I.Ulidowski 111 • X , r | = tt always • X , r | = ¬ f iff X , r = f • X , r | = f ∧ f iff X , r | = f and X , r | = f • X , r | = h x : a ii f iff ∃ X ′ , e such that X e → C X ′ with ℓ ( e ) = a and X ′ , r [ x e ] | = f • X , r | = ( x : a ) f iff ∃ e ∈ X such that ℓ ( e ) = a and X , r [ x e ] | = f • X , r | = hh x i f iff ∃ X ′ , e such that X e C X ′ with r ( x ) = e and X ′ , r | = f (and r is a permissibleenvironment for f and X ′ )For closed f we further define C , X | = f iff C , X , /0 | = f , and C | = f iff C , /0 | = f .In the case of hh x i f , note that even though according to the syntax x is allowed to occur free in f , if x does occur free in f then X , r | = hh x i f can never hold: if r ( x ) = e and X e C X ′ then X ′ , r | = f cannothold, since r is not a permissible environment for f and X ′ , as r assigns a free identifier of f to an eventoutside X ′ . Example 4.5.
Consider the configuration structure from Example 3.4. The empty configuration sat-isfies h x : a iih y : a iihh x i tt: we have /0 , /0 | = h x : a iih y : a iihh x i tt since { e , e } , [ x e , y e ] | = hh x i tt;the latter holds because { e , e } e { e } and r ( x ) = e . Also, /0 , /0 | = h x : a iih y : a ii¬hh x i tt. We have/0 , /0 | = h x : a iih y : a ii¬hh x i tt since { e , e } , [ x e , y e ] | = ¬hh x i tt. This is because { e , e } 6 e { e } as { e } is not a configuration.The closed formula ( x : a ) tt says that there is some event labelled with a in the current configuration: X | = ( x : a ) tt iff ∃ e ∈ X . ℓ ( e ) = a . Returning to Example 3.4, note that as well as { e , e } , [ x e , y e ] | = ¬hh x i tt this also holds: { e , e } , [ x e , y e ] | = ( x : a ) hh x i tt. By the definition of ( x : a ) , thecurrent environment is updated to [ x e , y e ] and we obtain { e , e } , [ x e , y e ] | = hh x i tt. Cor-respondingly, { e , e } , [ x e , y e ] | = ( x : a ) hh x i ( y : a ) hh y i tt. However, { e , e } , [ x e , y e ] =( x : a ) hh x ihh y i tt since { e } , [ x e , y e ] = hh y i tt.We introduce further operators as derived operators of EIL: Notation . Let A = { a , . . . , a n } be a multiset of labels. • ff df = ¬ tt, [ x : a ]] f df = ¬h x : a ii¬ f , f ∨ f = ¬ ( ¬ f ∧ ¬ f ) • Forward step h A ii f df = h x : a ii · · · h x n : a n ii ( f ∧ V n − i = hh x i i tt ) where x , . . . , x n are fresh and distinct(and in particular are not free in f ). We write h a , . . . , a n ii f instead of h{ a , . . . , a n }ii f . In the case n = h a ii f df = h x : a ii f where x is fresh. • Reverse step hh A i f df = ( x : a ) · · · ( x n : a n )( hh x i · · · hh x n i f ∧ V ni = hh x i i tt ) where x , . . . , x n are freshand distinct (and in particular are not free in f ). We write hh a , . . . , a n i f instead of hh{ a , . . . , a n }i f .In the case n = hh a i f df = ( x : a ) hh x i f where x is fresh. Example 4.7.
Consider E , F in Figure 2 and f ≡ [ x : a ]] [ y : a ]] ( h z : b ii¬hh x i tt ∧ h w : b ii¬hh y i tt ) . Weeasily check that E satisfies f and F does not. Next, consider y ≡ h x : a ii ( [ w : c ]] ff ∧ h y : b iihh x i [ z : c ]] ff ) . Then the LHS structure of the Absorption Law in Example 3.13 satisfies y and the RHS doesnot. Strictly speaking, event identifiers are not necessary to distinguish the two pairs of configurationstructures. A formula with simple label modalities h a ii ( [ c ]] ff ∧ h b iihh a i [ c ]] ff ) is sufficient for the theAbsorption Law, and E , F in Figure 2 can be distinguished by a logic with pomset modalities (bothreverse and forward) defined over runs [5, 32].12 ALogic withReverse ModalitiesPSfrag replacements E F a a a a a a a a a a a a a ′ Figure 3: Example 4.8.
Example 4.8.
Consider E , F in Figure 3. There is a non-binary conflict among the three initial a -events (indicated by a dashed ellipsis) defined by requiring that at most two of these events can appearin any configuration. E and F are H equivalent: we define a bisimulation by relating configurationsof identically labelled events (including where a is matched with a ′ ) and check that it is an H. Thestructures are also HWH equivalent. This time we define a bisimulation between order isomorphicconfigurations (of which there only five isomorphism classes: /0, { a } , { a , a } , { a < a } and { a < a , a } ,where events separated by commas are concurrent) and check that it is an HWH. However, E and F are not HH equivalent and event identifiers are indeed necessary to distinguish them. The formula h x : a iih y : a ii ( ¬hh x i tt ∧ h z : a iihh y ih w : a ii¬hh z i tt ∧ h z ′ : a iihh y i¬h w ′ : a ii¬hh z ′ i tt ) is only satisfied by E . Itrequires that x causes y and that z and z ′ are bound to different events because h z : a ii and h z ′ : a ii arefollowed by mutually contradictory behaviours. This is possible in E ( a , a can be followed by either a or a ) but not in F : none of the pairs of causally dependent events offers two different a -events. We wish to show that EIL and its various sublogics characterise the equivalences defined in Section 3.2.Each sublogic of EIL induces an equivalence on configuration structures in a standard fashion:
Definition 5.1.
Let L be any sublogic of EIL. Then L induces an equivalence on stable configurationstructures as follows: C ∼ L D iff for all closed f ∈ L we have C | = f iff D | = f .First we introduce a simple sublogic that allows us to characterise order isomorphism. We define sublogics of EIL, consisting of formulas where only reverse transitions are allowed.
Definition 5.2.
Reverse-only logic EIL ro : f :: = tt | ¬ f | f ∧ f ′ | ( x : a ) f | hh x i f We further define declaration-free reverse-only logic EIL dfro : f :: = tt | ¬ f | f ∧ f ′ | hh x i f These logics are preserved between isomorphic configurations, and characterise configurations up toisomorphism.
Lemma 5.3.
Let C , D be stable configuration structures, and let X , Y be configurations of C , D respec-tively. Suppose that f : X ∼ = Y . Then for any f ∈ EIL ro , and any r (permissible environment for f andX ), we have X , r | = f iff Y , f ◦ r f | = f . .C.C.Phillips &I.Ulidowski 113Recall that r f is an abbreviation for r ↾ fi ( f ) . Function composition is in applicative rather thandiagrammatic order.Given any configuration X we can create a closed formula q X ∈ EIL ro which gives the order structureof X . We make this precise in the following lemma: Lemma 5.4.
Let X be a configuration of a stable configuration structure C . There is a closed formula q X ∈ EIL ro , such that if Y is any configuration of a stable configuration structure D and | Y | = | X | , thenY ∼ = X iff Y | = q X . The next lemma follows fairly immediately from the proof of Lemma 5.4 and from Lemma 5.3:
Lemma 5.5.
Let X be a configuration of a stable configuration structure C . Let { z e : e ∈ X } be distinctidentifiers. Let the environment r X be defined by r X ( z e ) = e (e ∈ X ). There is a formula q ′ X ∈ EIL dfro with fi ( q ′ ) = { z e : e ∈ X } , such that X , r X | = q ′ X and if Y is any configuration of a stable configurationstructure D and | Y | = | X | , then Y ∼ = X iff ∃ r . Y , r | = q ′ X . We start by showing that EIL characterises HH-bisimulation. We then present sublogics of EIL whichcorrespond to H-bisimulation, WH-bisimulation and HWH-bisimulation.Our first result is related to the result of [28] that a logic with reverse event index modality (discussedabove in Section 2) characterises HH.
Theorem 5.6.
Let C , D be stable configuration structures. Then, C ≈ hh D if and only if C ∼ EIL D .Remark . In fact Theorem 5.6 would hold with the logic restricted by not using declarations ( x : a ) f .However we include declarations in EIL because they are useful in defining sublogics for WH, amongother things.We define a sublogic of EIL which characterises history-preserving bisimulation: Definition 5.8.
EIL h is given as follows, where f r is a formula of EIL ro : f :: = tt | ¬ f | f ∧ f ′ | h x : a ii f | ( x : a ) f | f r EIL h is just EIL with hh x : a i f replaced by f r ∈ EIL ro . Thus one is not allowed to go forward aftergoing in reverse. This concept of disallowing forward moves embedded inside reverse moves appearsin [15]. Theorem 5.9.
Let C , D be stable configuration structures. Then, C ≈ h D if and only if C ∼ EIL h D .Remark . Just as for Theorem 5.6, Theorem 5.9 would still hold if we disallow declarations ( x : a ) f .This gives the following more minimal logic, where f r ∈ EIL dfro . f :: = tt | ¬ f | f ∧ f ′ | h x : a ii f | f r We define a sublogic EIL wh of EIL h which characterises weak history-preserving bisimulation. Weget from EIL h to EIL wh by simply requiring that all formulas of EIL wh are closed . Definition 5.11.
EIL wh is given as follows, where f rc is a closed formula of EIL ro (Definition 5.2): f :: = tt | ¬ f | f ∧ f ′ | h a ii f | f rc In the above definition we write h a ii f rather than h x : a ii f since f is closed and in particular x doesnot occur free in f (Notation 4.6). Also we omit declarations ( x : a ) f since they have no effect when f is closed. Of course declarations can occur in f rc .14 ALogic withReverse Modalities Theorem 5.12.
Let C , D be stable configuration structures. Then, C ≈ wh D iff C ∼ EIL wh D . We believe that EIL wh is the first logic proposed for weak history-preserving bisimulation with au-toconcurrency allowed. Goltz et al. [15] described a logic for weak history-preserving bisimulationwith no autoconcurrency allowed, but in this case, weak history-preserving bisimulation is as strong ashistory-preserving bisimulation [12].Just as we weakened EIL h to get EIL wh we can weaken EIL by requiring that forward transitions h x : a ii f are only allowed if f is closed. Again instead of h x : a ii f we write h a ii f . This gives us EIL hwh : Definition 5.13.
EIL hwh is given below, where f c ranges over closed formulas of EIL hwh . f :: = tt | ¬ f | f ∧ f ′ | h a ii f c | ( x : a ) f | hh x i f Plainly EIL wh is a sublogic of EIL hwh as well as of EIL h . Theorem 5.14.
Let C , D be stable configuration structures. Then, C ≈ hwh D iff C ∼ EIL hwh D . With no (equidepth) autoconcurrency, we know that ≈ hwh is as strong as ≈ hh [3, 31]. So EIL hwh isas strong as EIL in this case. In this section we investigate characteristic formulas for three of the equivalences we have considered,namely HH, H and WH. The idea is that we reduce checking whether C and D satisfy the same formulasin a logic such as EIL to the question of whether D satisfies a particular formula c C , the characteristicformula of C , which completely expresses the behaviour of C , at least as far as the particular logicis concerned. As pointed out in [1], this means that checking whether two structures are equivalent ischanged from the problem of potentially having to check infinitely many formulas into a single model-checking problem D | = c C .Characteristic formulas for models of concurrent systems were first investigated in [16], and subse-quently in [35] and other papers—see [1] for further references. As far as we are aware, characteristicformulas have not previously been investigated for any true concurrency logic, although we should men-tion that in [1] characteristic formulas are studied for a logic with both forward and reverse modalities,related to the back and forth simulation of [6].We shall confine ourselves to finite stable configuration structures in this section. Even with thisassumption, it is not obvious that an equivalence such as HH, which employs both forward and reversetransitions, can be captured by a single finite-depth formula. To show that forward and reverse transitionsneed not alternate for ever, we first relate HH to a simple game. Definition 6.1.
Let C , D be finite stable configuration structures. The game G ( C , D ) has two players: A (attacker) and D (defender). The set of game states is S ( C , D ) df = { ( X , Y , f ) : X ∈ C C , Y ∈ C D , f : X ∼ = Y } .The start state is ( /0 , /0 , /0 ) . At each state of the game A chooses a forward (resp. reverse) move e of either C or D . Then D must reply with a corresponding forward (resp. reverse) move e ′ by the other structure.Going forwards we extend f to f ′ and going in reverse we restrict f to f ′ , as in the definition of HH. Thetwo moves produce a new game state ( X ′ , Y ′ , f ′ ) . Then D wins if we get to a previously visited state.Conversely, A wins if D cannot find a move. (Also D wins if A cannot find a move, but that can onlyhappen if both C and D have only the empty configuration.)It is reasonable that D wins if a state is repeated, since if A then chooses a different and better moveat the repeated state, A could have chosen that on the previous occasion..C.C.Phillips &I.Ulidowski 115 Definition 6.2.
Given finite stable configuration structures C , D , let s ( C , D ) df = | S ( C , D ) | , let c ( C ) = max {| X | : X ∈ C C } , and let c ( C , D ) = min { c ( C ) , c ( D ) } .Clearly any play of the game G ( C , D ) finishes after no more than s ( C , D ) moves. We can place anupper bound on s ( C , D ) as follows: Proposition 6.3.
Let C , D be finite stable configuration structures. Then s ( C , D ) ≤ | C C | . | C D | . c ( C , D ) ! . Note that if there is no autoconcurrency, any isomorphism f : X ∼ = Y is unique, and so we can improvethe upper bound on the number of states to s ( C , D ) ≤ | C C | . | C D | . Proposition 6.4.
Let C , D be finite stable configuration structures. Then C ≈ hh D iff defender D has awinning strategy for the game G ( C , D ) .Remark . Certainly game characterisations of HH equivalence have been used many times before; seee.g. [9, 10, 11, 22, 17]. However defender is usually said to win if the play continues for ever, whereaswe say that defender wins if a state is repeated. This is because we are working with finite configurationstructures, rather than, say, Petri nets.
Definition 6.6.
Let f ∈ EIL. The modal depth md ( f ) of f is defined as follows: md ( tt ) df = md ( f ∧ f ′ ) df = max ( md ( f ) , md ( f ′ )) md (( x : a ) f ) df = md ( f ) md ( ¬ f ) df = md ( f ) md ( h x : a ii f ) df = + md ( f ) md ( hh x : a i f ) df = + md ( f ) We can use the game characterisation of HH to bound the modal depth of EIL formulas needed tocheck whether finite structures are HH equivalent:
Theorem 6.7.
Let C , D be finite stable configuration structures. Then C ≈ hh D iff C and D satisfy thesame EIL formulas of modal depth no more than s ( C , D ) + c ( C , D ) . We now define a family of characteristic formulas for HH equivalence, parametrised on modal depth.
Definition 6.8.
Suppose that
Act is finite. Let C be a finite stable configuration structure. We defineformulas c hh X , n ( X a configuration of C ) by induction on n : c hh X , = q ′ X c hh X , n + = q ′ X ∧ ( ^ X e → C X ′ h z e : ℓ ( e ) ii c hh X ′ , n ) ∧ ( ^ a ∈ Act [ x : a ]] _ X e → C X ′ ,ℓ ( e )= a c hh X ′ , n [ x / z e ]) ∧ ( ^ X e C X ′ hh z e i c hh X ′ , n ) Here q ′ X ∈ EIL dfro is as in Lemma 5.5 and fi ( c hh X , n ) = { z e : e ∈ X } . We further let c hh C , n df = c hh/0 , n .Note that c hh X , n ∈ EIL and md ( c hh X , n ) ≤ n + c ( C ) . Theorem 6.9.
Suppose that
Act is finite. Let C , D be finite stable configuration structures. Let s df = s ( C , D ) . Then C ≈ hh D iff D | = c hh C , s . Thus we do not have a single characteristic formula for C , but we can deal uniformly with all D up to a certain size. This is almost as good as having a single characteristic formula for C , since wecan generate a formula of the appropriate size once we have settled on D , so that we have still reducedequivalence checking to checking a single formula. Single characteristic formulas are certainly possiblefor some C s; there remains an open question of whether for all finite C there is a single formula c hh C which works for all D .Matters are simpler for H and WH equivalences, since only forward transitions are employed.16 ALogic withReverse Modalities Definition 6.10.
Suppose that
Act is finite. Let C be a finite stable configuration structure. We defineformulas c h X ( X a configuration of C ) as follows: c h X df = q ′ X ∧ ( ^ X e → C X ′ h z e : ℓ ( e ) ii c h X ′ ) ∧ ( ^ a ∈ Act [ x : a ]] _ X e → C X ′ ,ℓ ( e )= a c h X ′ [ x / z e ]) Here q ′ X ∈ EIL dfro is as in Lemma 5.5. We further let c h C df = c h/0 .Note that c h C ∈ EIL h ; it is well-defined, since maximal configurations form the base cases of therecursion. Also md ( c h X ) ≤ . c ( C ) . Proposition 6.11.
Suppose that
Act is finite. Let C , D be finite stable configuration structures. Then D ≈ h C iff D | = c h C . WH is even easier as formulas are closed:
Definition 6.12.
Suppose that
Act is finite. Let C be a finite stable configuration structure. We defineformulas c wh X ( X a configuration of C ) as follows: c wh X df = q X ∧ ( ^ X a → C X ′ h a ii c wh X ′ ) ∧ ( ^ a ∈ Act [ a ]] _ X a → C X ′ c wh X ′ ) Here q X ∈ EIL ro is as in Lemma 5.4. We further let c wh C df = c wh/0 .Note that c wh C ∈ EIL wh and md ( c wh X ) ≤ . c ( C ) . Proposition 6.13.
Suppose that
Act is finite. Let C , D be finite stable configuration structures. Then D ≈ wh C iff D | = c wh C . We have introduced a logic which uses event identifiers to track events in both forwards and reversedirections. As we have seen, this enables it to express causality and concurrency between events. Thelogic is strong enough to characterise hereditary history-preserving (HH) bisimulation equivalence. Weare also able to characterise weaker equivalences using sublogics. In particular we can characterise weakhistory-preserving bisimulation, which has not been done previously as far as we are aware. We alsoinvestigated characteristic formulas for our logic with respect to HH and other equivalences. Again weare not aware of previous work on characteristic formulas for logics for true concurrency.Baldan and Crafa [2] gave logics for pomset bisimulation and step bisimulation; we have also beenable to characterise these equivalences in our setting, but we had to omit this material for reasons ofspace.In future work we would like to (1) investigate general laws which hold for the logic, (2) look atsublogics characterising other true concurrency equivalences, including equivalences involving reversetransitions from [3, 31], and (3) answer the open question raised in Section 6 about whether there is asingle characteristic formula for a finite structure with respect to HH equivalence.
Acknowledgements.
We are grateful to Ian Hodkinson and the anonymous referees for helpful com-ments and suggestions..C.C.Phillips &I.Ulidowski 117
References [1] L. Aceto, A. Ing´olfsd´ottir & J. Sack (2009):
Characteristic Formulae for Fixed-Point Semantics: A GeneralFramework . In: Proceedings 16th International Workshop on Expressiveness in Concurrency, EXPRESS2009, ElectronicProceedingsinTheoreticalComputerScience 8, pp. 1–15, doi: .[2] P. Baldan & S. Crafa (2010):
A Logic for True Concurrency . In: Proceedingsof21stInternationalConferenceon Concurrency Theory, CONCUR 2010, Lecture Notes in Computer Science 6269, Springer-Verlag, pp.147–161, doi: .[3] M.A. Bednarczyk (1991):
Hereditary history preserving bisimulations or what is the power of the futureperfect in program logics . Technical Report, Institute of Computer Science, Polish Academy of Sciences,Gda´nsk.[4] G. Boudol & I. Castellani (1987):
On the semantics of concurrency: partial orders and transition systems .In: Proceedings of TAPSOFT’87, Lecture Notes in Computer Science 249, Springer-Verlag, pp. 123–137,doi: .[5] F. Cherief (1992):
Back and forth bisimulations on prime event structures . In: Proceedings ofPARLE ’92, Lecture Notes in Computer Science 605, Springer-Verlag, pp. 843–858, doi: .[6] R. De Nicola, U. Montanari & F. Vaandrager (1990):
Back and forth bisimulations . In: Proceedings ofCONCUR ’90, Theories of Concurrency: Unification and Extension, Lecture Notes in Computer Science458, Springer-Verlag, pp. 152–165, doi: .[7] R. De Nicola & F. Vaandrager (1990):
Three Logics for Branching Bisimulation (Extended Abstract) . In:Proceedings,FifthAnnualIEEESymposiumonLogicinComputerScience, IEEE, Computer Society Press,pp. 118–129.[8] P. Degano, R. De Nicola & U. Montanari (1987):
Observational equivalences for concurrency models . InM. Wirsing, editor: Formal Descriptions of Programming Concepts – III, Proceedings of the 3rd IFIP WG2.2Conference, North-Holland, pp. 105–129.[9] S.B. Fr¨oschle (1999):
Decidability of Plain and Hereditary History-Preserving Bisimilarity for BPP . In:Proceedings of Express’99, Electronic Notes in Theoretical Computer Science 27, Elsevier, doi: .[10] S.B. Fr¨oschle (2005):
Composition and Decomposition in True-Concurrency . In: Foundationsof SoftwareScience and Computational Structures, 8th International Conference, FOSSACS 2005, Lecture Notes inComputerScience 3441, Springer-Verlag, pp. 333–347, doi: .[11] S.B. Fr¨oschle & S. Lasota (2005):
Decomposition and Complexity of Hereditary History Preserving Bisimu-lation on BPP . In: CONCUR2005, LectureNotesinComputerScience3653, Springer-Verlag, pp. 263–277,doi: .[12] R.J. van Glabbeek & U. Goltz (2001):
Refinement of actions and equivalence notions for concurrent systems .ActaInformatica37(4/5), pp. 229–327, doi: .[13] R.J. van Glabbeek & G.D. Plotkin (1995):
Configuration structures . In: Proceedingsof 10th AnnualIEEESymposiumonLogicinComputerScience,LICS1995, IEEE Computer Society Press, pp. 199–209, doi: .[14] R.J. van Glabbeek & G.D. Plotkin (2009):
Configuration structures, event structures and Petri nets . Theo-reticalComputerScience 410(41), pp. 4111–4159, doi: .[15] U. Goltz, R. Kuiper & W. Penczek (1992):
Propositional temporal logics and equivalences . In: Proceedingsof3rdInternationalConferenceonConcurrencyTheory,CONCUR1992, LectureNotesinComputerScience630, Springer-Verlag, pp. 222–236, doi: .[16] S. Graf & J. Sifakis (1986):
A Modal Characterization of Observational Congruence on Finite Terms of CCS .InformationandControl68(1-3), pp. 125–145, doi: .
18 ALogic withReverse Modalities [17] J. Gutierrez (2009):
Logics and Bisimulation Games for Concurrency, Causality and Conflict . In: Pro-ceedingsof the 12th InternationalConferenceon Foundationsof Software Scienceand ComputationStruc-tures, FOSSACS 09, Lecture Notes in Computer Science 5504, Springer-Verlag, pp. 48–62, doi: .[18] J. Gutierrez & J.C. Bradfield (2009):
Model-Checking Games for Fixpoint Logics with Partial Order Models .In: Proceedingsofthe20thInternationalConferenceonConcurrencyTheory,CONCUR2009, LectureNotesinComputerScience 5710, Springer-Verlag, pp. 354–368, doi: .[19] M.C.B. Hennessy & R. Milner (1985):
Algebraic laws for nondeterminism and concurrency . JournaloftheAssociationforComputingMachinery32(1), pp. 137–161, doi: .[20] M.C.B. Hennessy & C. Stirling (1985):
The power of the future perfect in program logics . InfomationandControl67, pp. 23–52, doi: .[21] A. Joyal, M. Nielsen & G. Winskel (1996):
Bisimulation from Open Maps . Information and Computation127(2), pp. 164–185, doi: .[22] M. Jurdzinski, M. Nielsen & J. Srba (2003):
Undecidability of domino games and hhp-bisimilarity . Informa-tionandComputation184(2), pp. 343–368, doi: .[23] F. Laroussinie, S. Pinchinat & Ph. Schnoebelen (1995):
Translations between modal logics of reactive sys-tems . TheoreticalComputerScience 140(1), pp. 53–71, doi: .[24] F. Laroussinie & Ph. Schnoebelen (1995):
A hierarchy of temporal logics with past . Theoretical ComputerScience 148, pp. 303–324, doi: .[25] M. Mukund & P.S. Thiagarajan (1992):
A logical characterization of well branching event structures . Theo-reticalComputerScience 96(1), pp. 35–72, doi: .[26] R. De Nicola & G.L. Ferrari (1990):
Observational Logics and Concurrency Models . In: FSTTCS, LectureNotesinComputerScience 472, Springer-Verlag, pp. 301–315, doi: .[27] M. Nielsen & C. Clausen (1994):
Bisimulation for Models in Concurrency . In: Proceedings of 5th In-ternational Conference on Concurrency Theory, CONCUR’94, Lecture Notes in Computer Science 836,Springer-Verlag, pp. 385–400, doi: .[28] M. Nielsen & C. Clausen (1994):
Bisimulation, games, and logic . In: Results and Trends in TheoreticalComputer Science, Lecture Notes in Computer Science 812, Springer-Verlag, pp. 289–306, doi: .[29] M. Nielsen & C. Clausen (1995):
Games and logics for a noninterleaving bisimulation . Nordic Journal ofComputing2(2), pp. 221–249.[30] W. Penczek (1995):
Branching time and partial order in temporal logics . In: TimeandLogic: AComputa-tionalApproach, UCL Press Ltd., pp. 179–228.[31] I.C.C. Phillips & I. Ulidowski (2011):
A Hierarchy of Reverse Bisimulations on Stable Configuration Struc-tures . Mathematical Structures in Computer Science Available at . To appear.[32] S. Pinchinat, F. Laroussinie & Ph. Schnoebelen (1994):
Logical characterizations of truly concurrent bisim-ulation . Technical Report 114, Grenoble.[33] L. Pomello (1986):
Some equivalence notions for concurrent systems – An overview . In: Advances inPetri Nets 1985, Lecture Notes in Computer Science 222, Springer-Verlag, pp. 381–400, doi: .[34] A. Rabinovich & B.A. Trakhtenbrot (1988):
Behavior structures and nets . FundamentaInformaticae11(4),pp. 357–403.[35] B. Steffen & A. Ing´olfsd´ottir (1994):
Characteristic Formulae for Processes with Divergence . InformationandComputation110(1), pp. 149–163, doi: .[36] G. Winskel (1987):
Event structures . In: Advancesin Petri Nets 1986, LectureNotes in Computer Science255, Springer-Verlag, pp. 325–392, doi:10.1007/3-540-17906-2_31