Computation Tree Logic with Deadlock Detection

Rob van Glabbeek (a), Bas Luttik (b), and Nikola Trčka (c)

(a) National ICT Australia, and School of Comp. Sc. and Engineering, University of New South Wales, Sydney, Australia
e-mail address: [email protected]

(b,c) Dept. of Math. & Comp. Sc., Technische Universiteit Eindhoven, The Netherlands
e-mail address: {s.p.luttik,n.trcka}@tue.nl

Abstract. We study the equivalence relation on states of labelled transition systems of satisfying the same formulas in Computation Tree Logic without the next state modality (CTL−X). This relation is obtained by De Nicola & Vaandrager by translating labelled transition systems to Kripke structures, while lifting the totality restriction on the latter. They characterised it as divergence sensitive branching bisimulation equivalence. We find that this equivalence fails to be a congruence for interleaving parallel composition. The reason is that the proposed application of CTL−X to non-total Kripke structures lacks the expressiveness to cope with deadlock properties that are important in the context of parallel composition. We propose an extension of CTL−X, or an alternative treatment of non-totality, that fills this hiatus. The equivalence induced by our extension is characterised as branching bisimulation equivalence with explicit divergence, which is, moreover, shown to be the coarsest congruence contained in divergence sensitive branching bisimulation equivalence.

ACM Subject Classification: F.4.1, D.2.4.
Key words and phrases: temporal logic, deadlock, parallel composition, stuttering equivalence, branching bisimulation equivalence, explicit divergence.

Logical Methods in Computer Science, DOI:10.2168/LMCS-5(4:5)2009. © R. van Glabbeek, B. Luttik, and N. Trčka. Creative Commons.

1. Introduction

CTL* [7] is a powerful state-based temporal logic combining linear time and branching time modalities; it generalises the branching time temporal logic CTL [6]. CTL* is interpreted in terms of Kripke structures, directed graphs together with a labelling function assigning to every node of the graph a set of atomic propositions. As the next state modality X is incompatible with abstraction of the notion of state, it is often excluded in high-level specifications. By CTL*−X we denote CTL* without this modality. To characterise the equivalence induced on states of Kripke structures by validity of CTL*−X formulas, Browne, Clarke & Grumberg [3] defined the notion of stuttering equivalence. They proved that two states in a finite Kripke structure are stuttering equivalent if and only if they satisfy the same CTL*−X formulas, and moreover, they established that this is already the case if and only if the two states satisfy the same CTL−X formulas.
There is an intuitive correspondence between the notions of stuttering equivalence on Kripke structures and branching bisimulation equivalence [10] on labelled transition systems (LTSs), directed graphs of which the edges are labelled with actions. De Nicola & Vaandrager [5] have provided a framework for constructing natural translations between LTSs and Kripke structures in which this correspondence can be formalised. Stuttering equivalence corresponds in their framework to a divergence sensitive variant of branching bisimulation equivalence, and conversely, branching bisimulation equivalence corresponds to a divergence blind variant of stuttering equivalence. The latter characterises the equivalence induced on states of Kripke structures by a divergence blind variant of validity of CTL*−X formulas.

In [6, 7, 3] and other work on CTL*, Kripke structures are required to be total, meaning that every state has an outgoing transition. These correspond with LTSs that are deadlock-free. In the world of LTSs requiring deadlock-freeness is considered a serious limitation, as deadlock is introduced by useful process algebraic operators like the restriction of CCS and the synchronous parallel composition of CSP. Conceptually, a deadlock may arise as the result of an unsuccessful synchronisation attempt between parallel components, and often one wants to verify that the result of a parallel composition is deadlock-free. This is, of course, only possible when working in a model of concurrency where deadlocks can be expressed.

Through the translations of [5] it is possible to define the validity of CTL*−X formulas on states of LTSs. To apply CTL*−X formulas to LTSs that may contain deadlocks, De Nicola & Vaandrager [5] consider Kripke structures with deadlocks as well, and hence lift the requirement of totality. They do so by using maximal paths instead of infinite paths in the definition of validity of CTL*−X formulas. Without further changes, this amounts to the addition of a self-loop to every deadlock state. As a consequence, CTL*−X formulas cannot see the difference between a state without outgoing transitions (a deadlock) and one whose only outgoing transition constitutes a self-loop (a livelock), and accordingly a deadlock state is stuttering equivalent to a livelock state that satisfies the same atomic propositions. This paper will challenge the wisdom of this set-up.

We observe that for systems with deadlock, the divergence sensitive branching bisimulation equivalence of [5] fails to be a congruence for interleaving operators. We characterise the coarsest congruence contained in divergence sensitive branching bisimulation equivalence as the branching bisimulation equivalence with explicit divergence introduced in [10]. This equivalence differs from divergence sensitive branching bisimulation equivalence in that it distinguishes deadlock and livelock. For deadlock-free systems the equivalences coincide.

Having established that the framework of [5] turns CTL*−X into a logic on LTSs that induces an equivalence under which interleaving parallel composition fails to be compositional, we propose two adaptations to this framework that both make CTL*−X induce branching bisimulation equivalence with explicit divergence and thus restore compositionality. Our first adaptation preserves the treatment of non-totality of [5] as well as their translations between LTSs and Kripke structures, but extends the language CTL*−X so that it can distinguish deadlock from successful termination. Our second adaptation preserves the totality requirement on Kripke structures but modifies the translation from LTSs to Kripke structures. One of our main results is that both adaptations are equivalent in the sense that they induce equally expressive logics on LTSs. In the following two paragraphs we discuss these adaptations in more detail.

That divergence sensitive branching bisimulation equivalence is not a congruence for interleaving operators means that there are properties of concurrent systems, pertaining to their deadlock behaviour, that (in the framework of [5]) cannot be expressed in CTL*−X, but that can be expressed in terms of the validity of a CTL*−X formula on the result of putting these systems in a given context involving an interleaving operator. We find this unsatisfactory, and therefore propose an extension of CTL*−X in which this type of property can be expressed directly. We obtain that two states are branching bisimulation equivalent with explicit divergence if and only if they satisfy the same formulas in the resulting logic. Treating CTL−X in the same way leads either to an extension of CTL−X or, equivalently, to a modification of its semantics. The new semantics we propose for CTL−X is a valid extension of the original semantics [6] to non-total Kripke structures. It slightly differs from the semantics of [5] and it is arguably better suited to deal with deadlock behaviour.

Instead of extending CTL*−X or modifying CTL−X we also achieve the same effect by amending the translation from LTSs to Kripke structures in such a way that every LTS maps to a total Kripke structure. This amended translation consists of any of the translations in the framework of [5] followed by a postprocessing stage introducing a fresh state $s_\delta$, labelled by a fresh atomic proposition expressing the property of having deadlocked, and a transition from all deadlock states, and $s_\delta$ itself, to $s_\delta$. Adding self-loops and a fresh atomic proposition expressing deadlock (or just a fresh atomic proposition expressing deadlock) to deadlock states themselves does not have the desired effect, for it yields logics that are too expressive.

From the point of view of practical applications our work allows the rich tradition of verification by equivalence checking to be combined with the full expressive power of CTL*−X. In equivalence checking, three properties of the chosen equivalence have been found indispensable [2]: compositionality—in particular parallel composition being a congruence—is a crucial requirement to combat the state explosion problem; the ability to represent deadlock is crucial in ascertaining deadlock-freedom; and abstraction from internal activity—and thus from the concept of a “next state”—is crucial to get a firm grasp of correctness. Our work is the first that allows specification by arbitrary CTL*−X formulas to be incorporated in this framework, without giving up any of these essential properties.

Given the existence of adequate translations between LTSs and Kripke structures, we could have presented the results of this paper entirely within the framework of Kripke structures, or entirely within the framework of LTSs. Using Kripke structures only would entail defining a parallel composition on Kripke structures—which is possible by lifting the parallel composition on LTSs through the appropriate translations. However, Kripke structures are traditionally used for global descriptions of systems; building system descriptions modularly by parallel composition, while worrying about deadlocks that may be introduced in this process, would be a novel approach in itself. For establishing the results of this paper it is much more appropriate to build on the rich tradition of composing LTSs by parallel composition, and the known importance of deadlock behaviour within this framework.

Using just LTSs, on the other hand, would require lifting CTL*−X to the world of LTSs. Here we could build on the work of De Nicola and Vaandrager [4], who defined the logic ACTL* on LTSs and showed that it corresponds neatly, through the translations of [5], with CTL* on Kripke structures. However, whereas abstracting from the notion of state in CTL* can be done elegantly by removing the next state modality X from the language, in ACTL* this additionally requires parametrising the until-modality by two action formulas [4]. Doing this would make the resulting logic ACTL*−X appear less than a wholly canonical action-based incarnation of CTL*−X, and the reader might wonder whether the failure of ACTL*−X to generate an equivalence on LTSs that is a congruence for parallel composition would be due to it being an imperfect rendering of CTL*−X in the action-based world. By presenting our analysis directly for CTL*−X, we make clear that this is not the case, and the problem stems from CTL*−X itself. Having to work in both LTSs and Kripke structures, with translations between them, appears to be a small price to pay. In addition, we feel that in many applications, such as process algebra with data, it may be preferable to work directly in a model of concurrency that features both state and action labels, and thus benefits from the ability to smoothly combine LTSs and Kripke structures [16]. Nevertheless, all our work applies just as well to ACTL*−X, with the very same problems and the very same solutions.

Footnote: A tempting alternative appears to be to use the weak modal µ-calculus [15] instead of CTL*−X. This is the modal µ-calculus of Kozen [12] with weak action modalities $\langle\langle \alpha \rangle\rangle$ and $[[a]]$ instead of $\langle a \rangle$ and $[a]$ in order to abstract from internal activity. However, as observed in [15], this logic cannot distinguish states that are weakly bisimilar, and hence, contrary to what is suggested in the introduction of [15], lacks the expressiveness of CTL*−X.

At the end of the paper we briefly consider Linear Temporal Logic without the next state modality (LTL−X). The equivalence induced by the validity of LTL−X formulas is not a congruence for interleaving parallel composition either. The coarsest congruence included in the equivalence induced by the validity of LTL−X formulas is obtained much in the same way as the coarsest congruence included in the equivalence induced by the validity of CTL−X formulas. Adding the ∞-modality to LTL−X, however, yields a logic that induces a strictly finer equivalence than the obtained congruence.

2. CTL*−X and stuttering equivalence

We presuppose a set $AP$ of atomic propositions.
A Kripke structure is a tuple $(S, L, \to)$ consisting of a set of states $S$, a labelling function $L$ that assigns to every state $s \in S$ a set $L(s) \subseteq AP$ of atomic propositions, and a transition relation ${\to} \subseteq S \times S$. For the remainder of the section we fix a Kripke structure $(S, L, \to)$.

A finite path from $s$ is a finite sequence of states $s_0, \ldots, s_n$ such that $s_0 = s$ and $s_k \to s_{k+1}$ for all $0 \le k < n$. An infinite path from $s$ is an infinite sequence of states $s_0, s_1, s_2, \ldots$ such that $s_0 = s$ and $s_k \to s_{k+1}$ for all $k \in \omega$. A path is a finite or infinite path. A maximal path is an infinite path or a finite path $s_0, \ldots, s_n$ such that $\neg\exists s'.\ s_n \to s'$. We write $\pi \trianglerighteq \pi'$ if the path $\pi'$ is a suffix of the path $\pi$, and $\pi \triangleright \pi'$ if $\pi \trianglerighteq \pi'$ and $\pi \ne \pi'$.

Temporal properties of states in $S$ are defined using CTL*−X formulas.

Definition 2.1. The classes $\Phi$ of CTL*−X state formulas and $\Psi$ of CTL*−X path formulas are generated by the following grammar:

$\varphi ::= p \mid \neg\varphi \mid \bigwedge \Phi' \mid \exists\psi$

$\psi ::= \varphi \mid \neg\psi \mid \bigwedge \Psi' \mid \psi \, U \, \psi$

with $p \in AP$, $\varphi \in \Phi$, $\Phi' \subseteq \Phi$, $\psi \in \Psi$ and $\Psi' \subseteq \Psi$.

In case the cardinality of the set of states of our Kripke structure is less than some infinite cardinal $\kappa$, we may require that $|\Phi'| < \kappa$ and $|\Psi'| < \kappa$ in conjunctions, thus obtaining a set of formulas rather than a proper class.

Footnote: Normally, $S$ is required to be finite, and accordingly CTL*−X admits finite conjunctions only.
Footnote: In fact it suffices to require that for every state $s$ the cardinality of the set of states reachable from $s$ is less than $\kappa$.

[Figure 1: Difference between a) $\approx_{dbs}$ and b) $\approx_s$. The figure itself is not reproduced in this text.]

Definition 2.2.
We define when a CTL*−X state formula $\varphi$ is valid in a state $s$ (notation: $s \models \varphi$) and when a CTL*−X path formula $\psi$ is valid on a maximal path $\pi$ (notation: $\pi \models \psi$) by simultaneous induction as follows:
− $s \models p$ iff $p \in L(s)$;
− $s \models \neg\varphi$ iff $s \not\models \varphi$;
− $s \models \bigwedge \Phi'$ iff $s \models \varphi$ for all $\varphi \in \Phi'$;
− $s \models \exists\psi$ iff there exists a maximal path $\pi$ from $s$ such that $\pi \models \psi$;
− $\pi \models \varphi$ iff $s$ is the first state of $\pi$ and $s \models \varphi$;
− $\pi \models \neg\psi$ iff $\pi \not\models \psi$;
− $\pi \models \bigwedge \Psi'$ iff $\pi \models \psi$ for all $\psi \in \Psi'$; and
− $\pi \models \psi \, U \, \psi'$ iff there exists a suffix $\pi'$ of $\pi$ such that $\pi' \models \psi'$, and $\pi'' \models \psi$ for all $\pi \trianglerighteq \pi'' \triangleright \pi'$.

A formula $\psi \, U \, \psi'$ says that, along a given path, $\psi$ holds until $\psi'$ holds. One writes $\top$ for the empty conjunction (which is always valid), $F\psi$ for $\top \, U \, \psi$ (“$\psi$ will hold eventually”) and $G\psi$ for $\neg F \neg\psi$ (“$\psi$ holds always (along a path)”).

The above is the standard interpretation of CTL*−X [7, 3], but extended to Kripke structures that are not required to be total. Following [5], this is achieved by using maximal paths in the definition of validity of CTL*−X formulas, instead of the traditional use of infinite paths [7, 3]. The resulting definition generalises the traditional one, because for total Kripke structures a path is maximal iff it is infinite.

An equivalent way of thinking of this generalisation of CTL*−X to non-total Kripke structures is by means of a transformation that makes a Kripke structure $K$ total by the addition of a self-loop $s \to s$ to every deadlock state $s$, together with the convention that a formula is valid in a state of $K$ iff it is valid in the same state of the total Kripke structure obtained by this transformation. It is not hard to check that this yields the same notion of validity as our Definition 2.2.

The divergence blind interpretation of [5] (notation: $s \models_{db} \varphi$ and $\pi \models_{db} \psi$) is obtained by dropping the word “maximal” in the fourth clause of Definition 2.2. In contrast, we call the standard interpretation divergence sensitive, because it does not abstract from divergences, i.e., infinite paths consisting of states with the same label. For instance, in Figure 1a we have $t \models \exists G p$, due to the divergence $t, t, t, \ldots$, whereas $u \not\models \exists G p$. Under the divergence blind interpretation there is no formula distinguishing these two states.

Definition 2.3. A colouring is a function $C : S \to \mathcal{C}$, for $\mathcal{C}$ any set of colours.
Given a colouring $C$ and a (finite or infinite) path $\pi = s_0, s_1, s_2, \ldots$ from $s$, let $C(\pi)$ be the sequence of colours obtained from $C(s_0), C(s_1), C(s_2), \ldots$ by contracting all its (finite or infinite) maximal consecutive subsequences $C, C, C, \ldots$ to $C$. The sequence $C(\pi)$ is called a $C$-coloured trace of $s$; it is complete if $\pi$ is maximal.

A colouring $C$ is [fully] consistent if two states of the same colour always satisfy the same atomic propositions and have the same [complete] $C$-coloured traces. Two states $s$ and $t$ are divergence blind stuttering equivalent, notation $s \approx_{dbs} t$, if there exists a consistent colouring $C$ such that $C(s) = C(t)$. They are (divergence sensitive) stuttering equivalent, notation $s \approx_s t$, if there exists a fully consistent colouring $C$ such that $C(s) = C(t)$. The difference between $\approx_{dbs}$ and $\approx_s$ is illustrated in the following example.

Example 2.4. Consider the Kripke structure and its colouring depicted in Figure 1a. This colouring is consistent, implying $s \approx_{dbs} t \approx_{dbs} u$ and $x \approx_{dbs} y$, but it is not fully consistent because state $t$ has a complete trace consisting of a single colour while $u$ does not. Note that $t$ has, due to the self-loop, a complete coloured trace that consists of just the colour of a $p$-labelled state, whereas the unique complete coloured trace of $u$ contains the colour of a $q$-labelled state too. Since a consistent colouring assigns different colours to states with different labels, every fully consistent colouring must assign different colours to states $t$ and $u$, i.e. it must be that $t \not\approx_s u$. One such colouring is given in Figure 1b. This colouring shows that $x \approx_s y$.

Lemma 2.5.
Let $C$ be a colouring such that two states with the same colour satisfy the same atomic propositions and have the same $C$-coloured traces of length two. Then $C$ is consistent.

Proof. Suppose $C(s) = C(t)$ and $C_0, C_1, C_2, \ldots$ is an infinite coloured trace of $s$. Then, for $i > 0$, there are states $s_i$ (with $s_0 = s$) and finite paths $\pi_i$ from $s_{i-1}$ to $s_i$, such that $C(\pi_i) = C_{i-1}, C_i$. With induction on $i > 0$ we find states $t_i$ (with $t_0 = t$) with $C(s_i) = C(t_i)$ and finite paths $\rho_i$ from $t_{i-1}$ to $t_i$ such that $C(\rho_i) = C_{i-1}, C_i$. Namely, the assumption about $C$ allows us to find $\rho_i$ given $t_{i-1}$, and then $t_i$ is defined as the last state of $\rho_i$. Concatenating all the paths $\rho_i$ yields an infinite path $\rho$ from $t$ with $C(\rho) = C_0, C_1, C_2, \ldots$.

The case that $C(s) = C(t)$ and $C_0, \ldots, C_n$ is a finite coloured trace of $s$ goes likewise.

Lemma 2.6. Let $C$ be a colouring such that two states with the same colour satisfy the same atomic propositions and have the same $C$-coloured traces of length two, and the same complete $C$-coloured traces of length one. Then $C$ is fully consistent.

Proof. Suppose $C(s) = C(t)$ and $\sigma$ is a complete $C$-coloured trace of $s$. Then $\sigma = C(\pi)$ for a maximal path $\pi$ from $s$. By Lemma 2.5, $\sigma$ is also a $C$-coloured trace of $t$. It remains to show that it is a complete $C$-coloured trace of $t$. Let $\rho$ be a path from $t$ with $C(\rho) = \sigma$. If $\rho$ is infinite, we are done. Otherwise, let $t'$ be the last state of $\rho$. Then $C(t')$ is the last colour of $\sigma$. Therefore, there is a state $s'$ on $\pi$ such that the suffix $\pi'$ of $\pi$ starting from $s'$ is a maximal path with $C(\pi') = C(s') = C(t')$. By the assumption about $C$, $C(t')$ must also be a complete $C$-coloured trace of $t'$, i.e. there is a maximal path $\rho'$ from $t'$ with $C(\rho') = C(t')$. Concatenating $\rho$ and $\rho'$ yields a maximal path $\rho''$ from $t$ with $C(\rho'') = \sigma$.

The following two theorems were proved in [5] and [3], respectively, for states $s$ and $t$ in a finite Kripke structure. Here we drop the finiteness restriction.

Theorem 2.7. $s \approx_{dbs} t$ iff ($s \models_{db} \varphi \Leftrightarrow t \models_{db} \varphi$) for all CTL*−X state formulas $\varphi$.
Proof. “Only if”: Let $C$ be a consistent colouring. With structural induction on $\varphi$ and $\psi$ we show that

$C(s) = C(t) \Rightarrow (s \models_{db} \varphi \Leftrightarrow t \models_{db} \varphi)$ and $C(\pi) = C(\rho) \Rightarrow (\pi \models_{db} \psi \Leftrightarrow \rho \models_{db} \psi)$.

The case $\varphi = p$ for $p \in AP$ follows immediately from Definition 2.3. The cases $\varphi = \neg\varphi'$ and $\varphi = \bigwedge \Phi'$ follow immediately from the induction hypothesis.

Suppose $C(s) = C(t)$ and $s \models_{db} \exists\psi$. Then there exists a path $\pi$ from $s$ such that $\pi \models_{db} \psi$. $C(\pi)$ is a coloured trace of $s$, and hence of $t$. Thus there must be a path $\rho$ from $t$ with $C(\pi) = C(\rho)$. By induction, $\rho \models_{db} \psi$. Hence, $t \models_{db} \exists\psi$.

The case $\psi \in \Phi$ follows since the first states of two paths with the same colour also have the same colour. The cases $\psi = \neg\psi'$ and $\psi = \bigwedge \Psi'$ follow immediately from the induction hypothesis.

Finally, suppose $C(\pi) = C(\rho)$ and $\pi \models_{db} \psi \, U \, \psi'$. Then there exists a suffix $\pi'$ of $\pi$ such that $\pi' \models_{db} \psi'$ and $\pi'' \models_{db} \psi$ for all $\pi \trianglerighteq \pi'' \triangleright \pi'$. As $C(\pi) = C(\rho)$, there must be a suffix $\rho'$ of $\rho$ such that $C(\pi') = C(\rho')$ and for every path $\rho''$ such that $\rho \trianglerighteq \rho'' \triangleright \rho'$ there exists a path $\pi''$ with $\pi \trianglerighteq \pi'' \triangleright \pi'$ such that $C(\pi'') = C(\rho'')$. By induction, this implies $\rho' \models_{db} \psi'$ and $\rho'' \models_{db} \psi$ for all $\rho \trianglerighteq \rho'' \triangleright \rho'$. Hence $\rho \models_{db} \psi \, U \, \psi'$.

“If”: Let $C$ be the colouring given by $C(s) = \{\varphi \in \Phi \mid s \models_{db} \varphi\}$. It suffices to show that $C$ is consistent. So suppose $C(s) = C(t)$. Trivially, $s$ and $t$ satisfy the same atomic propositions. By Lemma 2.5 it remains to show that $s$ and $t$ have the same coloured traces of length two. Suppose $s$ has a coloured trace $C, D$. Let $s_0, \ldots, s_k$ be a path from $s$ such that $C(s_i) = C$ for $0 \le i < k$ and $C(s_k) = D \ne C$. Let

$U = \{u \mid \text{there is a path from } t \text{ to } u \text{ and } C(u) \ne C\}$,

$V = \{v \mid \text{there is a path from } t \text{ to } v \text{ and } C(v) \ne D\}$.

For every $u \in U$ pick a CTL*−X formula $\varphi_u \in C - C(u)$ (using negation on a formula in $C(u) - C$ if needed), and for every $v \in V$ pick a CTL*−X formula $\varphi'_v \in D - C(v)$. Now $s \models_{db} \exists(\bigwedge_{u \in U} \varphi_u) \, U \, (\bigwedge_{v \in V} \varphi'_v)$ and, as $C(s) = C(t)$, also $t \models_{db} \exists(\bigwedge_{u \in U} \varphi_u) \, U \, (\bigwedge_{v \in V} \varphi'_v)$. Thus, there is a path $t_0, \ldots, t_\ell$ from $t$ such that $t_\ell \models_{db} \bigwedge_{v \in V} \varphi'_v$ and $t_j \models_{db} \bigwedge_{u \in U} \varphi_u$ for $0 \le j < \ell$. It follows that $t_\ell \notin V$ and $t_j \notin U$ for $0 \le j < \ell$. Hence $C(t_\ell) = D$ and $C(t_j) = C$ for $0 \le j < \ell$, so $C, D$ is also a coloured trace of $t$.

Theorem 2.8. $s \approx_s t$ iff ($s \models \varphi \Leftrightarrow t \models \varphi$) for all CTL*−X state formulas $\varphi$.

Proof. “Only if” goes exactly as in the previous proof, reading $\models$ for $\models_{db}$, but requiring $C$ to be fully consistent and, in the second paragraph, the paths $\pi$ and $\rho$ to be maximal and $C(\pi)$ to be a complete coloured trace of $s$ and $t$.

“If” goes as in the previous proof, but this time we have to show that $C$ is fully consistent. Thus, applying Lemma 2.6, and assuming $C(s) = C(t)$, we additionally have to show that $s$ and $t$ have the same complete coloured traces of length one. Let $\pi$ be a maximal path from $s$ with $C(\pi) = C$. Let $U = \{u \mid \text{there is a path from } t \text{ to } u \text{ and } C(u) \ne C\}$. For every $u \in U$ pick a CTL*−X formula $\varphi_u \in C - C(u)$. Now $s \models \exists G(\bigwedge_{u \in U} \varphi_u)$ and, as $C(s) = C(t)$, also $t \models \exists G(\bigwedge_{u \in U} \varphi_u)$. Thus, there is a maximal path $\rho$ from $t$ such that $t' \models \bigwedge_{u \in U} \varphi_u$ for all states $t'$ in $\rho$. It follows that $t' \notin U$. Hence $C(t') = C$ and thus $C(\rho) = C$.
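As an added example (not code from the paper), the following Python implements Definition 2.2 for finite Kripke structures under both interpretations by way of the two self-loop transformations discussed in this section: adding self-loops only to deadlock states gives the divergence sensitive reading, adding them to every state gives the divergence blind one, and the usual fixpoint characterisations of $\exists U$ and $\exists G$ then apply unchanged. The Kripke structure is constructed here to match the description of Figure 1a in Example 2.4 (its exact transitions are an assumption), with an extra $q$-labelled livelock state z to show that the deadlock state x and the livelock z satisfy the same formulas.

```python
# Added example: a CTL-X model checker for finite, possibly non-total Kripke
# structures, following Definition 2.2 and the self-loop reformulations of
# Section 2.  Not code from the paper; the Kripke structure below is constructed.

def make_total(trans, states, mode):
    """Add self-loops as the chosen interpretation requires: to every deadlock
    state ('sensitive', i.e. maximal-path semantics) or to every state ('blind')."""
    has_successor = {a for a, _ in trans}
    loops = {(s, s) for s in states if mode == "blind" or s not in has_successor}
    return trans | loops

def pre(trans, target):
    """States with at least one successor in `target` (the EX predecessor operator)."""
    return {a for a, b in trans if b in target}

def sat(ks, phi, mode="sensitive"):
    """Set of states of `ks` satisfying the CTL-X state formula `phi`.
    Formulas are nested tuples: ('true',); ('ap', p); ('not', f); ('and', f, g);
    ('EU', f, g) for EXISTS(f U g); ('EG', f) for EXISTS G f."""
    states = set(ks["labels"])
    trans = make_total(ks["trans"], states, mode)
    op = phi[0]
    if op == "true":
        return states
    if op == "ap":
        return {s for s in states if phi[1] in ks["labels"][s]}
    if op == "not":
        return states - sat(ks, phi[1], mode)
    if op == "and":
        return sat(ks, phi[1], mode) & sat(ks, phi[2], mode)
    if op == "EU":                      # least fixpoint Z = g | (f & pre(Z))
        f, g = sat(ks, phi[1], mode), sat(ks, phi[2], mode)
        z = set(g)
        while True:
            nz = z | (f & pre(trans, z))
            if nz == z:
                return z
            z = nz
    if op == "EG":                      # greatest fixpoint Z = f & pre(Z); the added
        f = sat(ks, phi[1], mode)       # self-loops let a deadlocked f-state stay in Z
        z = set(f)
        while True:
            nz = f & pre(trans, z)
            if nz == z:
                return z
            z = nz
    raise ValueError(f"unknown operator {op!r}")

def EF(f):
    return ("EU", ("true",), f)

def AG(f):
    return ("not", EF(("not", f)))

# Constructed Kripke structure (an assumption of this example) matching the
# description of Figure 1a in Example 2.4: s, t, u are labelled p and x, y are
# labelled q; t has a self-loop (a divergence); x and y are deadlock states.
# z is an extra q-labelled livelock state whose only transition is a self-loop.
KS = {
    "labels": {"s": {"p"}, "t": {"p"}, "u": {"p"}, "x": {"q"}, "y": {"q"}, "z": {"q"}},
    "trans": {("s", "t"), ("s", "u"), ("t", "t"), ("t", "x"), ("u", "y"), ("z", "z")},
}
P, Q = ("ap", "p"), ("ap", "q")

def both_interpretations(ks, phi):
    """(divergence sensitive, divergence blind) satisfaction sets of phi."""
    return sat(ks, phi, "sensitive"), sat(ks, phi, "blind")

if __name__ == "__main__":
    # t |= EG p because of the divergence t, t, t, ...; u does not, since its only
    # maximal path u, y leaves the p-states.  Under the blind reading both satisfy it.
    print("EG p:", both_interpretations(KS, ("EG", P)))
    # The deadlock x and the livelock z are not told apart: both satisfy EG q.
    print("EG q:", both_interpretations(KS, ("EG", Q)))
```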
Since $\Leftrightarrow$ is an equivalence relation on predicates, we obtain the following corollary to Theorems 2.7 and 2.8.

Corollary 2.9. $\approx_{dbs}$ and $\approx_s$ are equivalence relations.

Note that, for any colouring $C$, the $C$-coloured traces of a state $s$ are completely determined by the complete $C$-coloured traces of $s$, namely as their prefixes. Hence, any colouring that is fully consistent is certainly consistent, and thus $\approx_s$ is a finer (i.e. smaller, more discriminating) equivalence relation than $\approx_{dbs}$.

Above, the divergence blind interpretation of CTL*−X is defined by using paths instead of maximal paths. It can equivalently be defined in terms of a transformation on Kripke structures, namely the addition of a self-loop $s \to s$ for every state $s$. Now $s \approx_{dbs} t$ holds in a certain Kripke structure iff $s \approx_s t$ holds in the Kripke structure obtained by adding all these self-loops. This is because the colour of a path doesn’t change when self-loops are added to it, and up to self-loops any path is maximal. Likewise, $s \models_{db} \varphi$ in the original Kripke structure iff $s \models \varphi$ in the modified one.

Footnote: In the beginning of this section we proposed a transformation that adds a self-loop $s \to s$ merely to every deadlock state $s$. Both transformations make any Kripke structure total. However, whereas the previous transformation preserves the divergence sensitive interpretation of CTL*−X, the current one preserves the divergence blind interpretation, and expresses it in terms of the divergence sensitive one.

Just like $\approx_{dbs}$ can be expressed in terms of $\approx_s$ by means of a transformation on Kripke structures, by means of a different transformation, at least for finite Kripke structures, $\approx_s$ can be expressed in terms of $\approx_{dbs}$. This is done in [5], Definitions 3.2.6 and 3.2.7.

3. Branching bisimulation equivalence in terms of coloured traces

We presuppose a set $A$ of actions with a special element $\tau \in A$. A labelled transition system (LTS) is a structure $(S, \to)$ consisting of a set of states $S$ and a transition relation ${\to} \subseteq S \times A \times S$. For the remainder of the section we fix an LTS $(S, \to)$. We write $s \xrightarrow{a} s'$ for $(s, a, s') \in {\to}$.

A path from $s$ is an alternating sequence $s_0, a_1, s_1, a_2, \ldots$ of states and actions, ending with a state if the sequence is finite, such that $s_0 = s$ and $s_{k-1} \xrightarrow{a_k} s_k$ for all relevant $k > 0$. A maximal path is an infinite path or a finite path $s_0, a_1, s_1, a_2, \ldots, a_n, s_n$ such that $\neg\exists a, s'.\ s_n \xrightarrow{a} s'$. We write $\pi \trianglerighteq \pi'$ if the path $\pi'$ is a suffix of the path $\pi$, and $\pi \triangleright \pi'$ if $\pi \trianglerighteq \pi'$ and $\pi \ne \pi'$.

Definition 3.1. A colouring is a function $C : S \to \mathcal{C}$, for $\mathcal{C}$ any set of colours. For $\pi = s_0, a_1, s_1, a_2, \ldots$ a path from $s$, let $C(\pi)$ be the alternating sequence of colours and actions obtained from $C(s_0), a_1, C(s_1), a_2, \ldots$ by contracting all finite maximal consecutive subsequences $C, \tau, C, \tau, \ldots, \tau, C$ and all infinite maximal consecutive subsequences $C, \tau, C, \tau, \ldots$ to $C$. The sequence $C(\pi)$ is called a $C$-coloured trace of $s$; it is complete if $\pi$ is maximal; it is divergent if it is finite whilst $\pi$ is infinite.

A colouring $C$ is [fully] consistent if two states of the same colour always have the same [complete] $C$-coloured traces. Two states $s$ and $t$ are (divergence blind) branching bisimulation equivalent, notation $s \leftrightarrow_b t$, if there exists a consistent colouring $C$ such that $C(s) = C(t)$. They are divergence sensitive branching bisimulation equivalent, notation $s \leftrightarrow_{\lambda b} t$, if there exists a fully consistent colouring $C$ such that $C(s) = C(t)$.
A consistent colouring preserves divergence if two states of the same colour always have the same divergent $C$-coloured traces. Two states $s$ and $t$ are branching bisimulation equivalent with explicit divergence, notation $s \leftrightarrow^{\Delta}_b t$, if there exists a consistent, divergence preserving colouring $C$ with $C(s) = C(t)$.

[Figure 2: Difference between a) $\leftrightarrow_b$, b) $\leftrightarrow_{\lambda b}$, and c) $\leftrightarrow^{\Delta}_b$. The figure itself is not reproduced in this text.]

The difference between $\leftrightarrow_b$, $\leftrightarrow_{\lambda b}$, and $\leftrightarrow^{\Delta}_b$ is illustrated in the following example.

Example 3.2. Consider first the LTS and its colouring depicted in Figure 2a. This colouring is consistent and we have $s \leftrightarrow_b t \leftrightarrow_b u \leftrightarrow_b v$ and $x \leftrightarrow_b y \leftrightarrow_b z$. It is not fully consistent because state $t$ has a complete trace consisting of a single colour whereas $u$ has not. It is easy to see that every fully consistent colouring must assign different colours to states $t$ and $u$, and so that $t \not\leftrightarrow_{\lambda b} u$. One such colouring is given in Figure 2b and it shows that $u \leftrightarrow_{\lambda b} v$ and $x \leftrightarrow_{\lambda b} y \leftrightarrow_{\lambda b} z$. Note, however, that this colouring, although fully consistent, does not preserve divergence. State $v$ has a divergent trace whereas $u$ has not, and similarly state $z$ has a divergent trace whereas $y$ has not. Any colouring that preserves divergence must assign different colours to states $u$ and $v$ and to states $y$ and $z$, meaning that $u \not\leftrightarrow^{\Delta}_b v$ and $y \not\leftrightarrow^{\Delta}_b z$. One such colouring is given in Figure 2c. It shows that $x \leftrightarrow^{\Delta}_b y$. In fact, these are the only two (different) states that are branching bisimulation equivalent with explicit divergence.

In the definition of $\leftrightarrow^{\Delta}_b$ above, consistency and preservation of divergence appear as two separate properties of colourings. Instead we could have integrated them by adding an extra bit ($\Delta$) at the end of those finite coloured traces that stem from infinite paths. Likewise, $\leftrightarrow_{\lambda b}$ could have been defined by adding such an extra bit at the end of those finite coloured traces that stem from maximal paths.

Lemmas 2.5 and 2.6 about colourings on Kripke structures apply to labelled transition systems as well. The proofs are essentially the same.
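An added example, not code from the paper, that decides $\leftrightarrow_b$, $\leftrightarrow_{\lambda b}$ and $\leftrightarrow^{\Delta}_b$ on a finite LTS exactly as Definition 3.1 and the definition of $\leftrightarrow^{\Delta}_b$ above prescribe: it enumerates every colouring (every set partition of the states) and asks whether one of the required kind gives the two states the same colour, checking consistency, full consistency and divergence preservation through the local criteria of Lemmas 3.3 to 3.5 (coloured traces of length three, complete and divergent coloured traces of length one). The LTS is constructed here: an $a$-step into a deadlock beside an $a$-step into a $\tau$-livelock, the pair that the introduction says divergence sensitive branching bisimulation identifies while the variant with explicit divergence separates.

```python
# Added example (not code from the paper): deciding branching bisimulation
# equivalence, its divergence sensitive variant, and the variant with explicit
# divergence on a finite LTS via the colouring criteria of Lemmas 3.3 - 3.5.

TAU = "tau"

def tau_closure(lts, col, s):
    """States reachable from s by tau-steps that stay inside the colour col[s];
    such steps are contracted away in a coloured trace (Definition 3.1)."""
    seen, stack = {s}, [s]
    while stack:
        x = stack.pop()
        for a, y in lts[x]:
            if a == TAU and col[y] == col[s] and y not in seen:
                seen.add(y)
                stack.append(y)
    return seen

def traces3(lts, col, s):
    """Coloured traces of s of length three: (colour, action, colour), Lemma 3.3."""
    out = set()
    for x in tau_closure(lts, col, s):
        for a, y in lts[x]:
            if a != TAU or col[y] != col[s]:     # a tau-step within the colour contracts
                out.add((col[s], a, col[y]))
    return out

def divergent1(lts, col, s):
    """Has s a divergent coloured trace of length one, i.e. an infinite tau-path
    all of whose states carry col[s]?  Greatest fixpoint on the tau-closure:
    keep the states that can take a tau-step back into the set (Lemma 3.5)."""
    z = tau_closure(lts, col, s)
    while True:
        keep = {x for x in z if any(a == TAU and y in z for a, y in lts[x])}
        if keep == z:
            return bool(z)          # every state of the closure is reachable from s
        z = keep

def complete1(lts, col, s):
    """Has s a complete coloured trace of length one (Lemma 3.4)?  Either it
    diverges, or a deadlock state is reached inside the colour."""
    return divergent1(lts, col, s) or any(not lts[x] for x in tau_closure(lts, col, s))

def is_colouring(lts, col, kind):
    """kind 'b': consistent; 'lb': fully consistent; 'Db': consistent and
    divergence preserving.  Same-coloured states must agree on each criterion."""
    checks = {"b": [traces3], "lb": [traces3, complete1], "Db": [traces3, divergent1]}[kind]
    classes = {}
    for s in lts:
        classes.setdefault(col[s], []).append(s)
    return all(f(lts, col, s) == f(lts, col, group[0])
               for group in classes.values() for f in checks for s in group)

def colourings(states):
    """Every colouring of `states` up to renaming of colours (restricted growth)."""
    states = list(states)
    def rec(i, col, fresh):
        if i == len(states):
            yield dict(col)
            return
        for c in range(fresh + 1):      # an existing colour, or the next fresh one
            col[states[i]] = c
            yield from rec(i + 1, col, max(fresh, c + 1))
    yield from rec(0, {}, 0)

def equivalent(lts, s, t, kind):
    """s and t are related by the equivalence named by `kind` iff some colouring
    of that kind gives them the same colour (Definition 3.1 and Section 3)."""
    return any(col[s] == col[t] and is_colouring(lts, col, kind)
               for col in colourings(lts))

# Constructed LTS (an assumption of this example).  Every state is a key, so a
# deadlock state maps to the empty list.  p does an a-step into the deadlock d;
# q does an a-step into the livelock l; r reaches p after an internal step.
LTS = {
    "p": [("a", "d")],   "d": [],
    "q": [("a", "l")],   "l": [(TAU, "l")],
    "r": [(TAU, "p")],
}

def summary(lts, s, t):
    return {kind: equivalent(lts, s, t, kind) for kind in ("b", "lb", "Db")}

if __name__ == "__main__":
    print("p vs q:", summary(LTS, "p", "q"))   # b and lb hold, Db fails
    print("d vs l:", summary(LTS, "d", "l"))   # deadlock vs livelock: same pattern
    print("r vs p:", summary(LTS, "r", "p"))   # the tau-prefix is abstracted away
```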
Lemma 3.3. Let $C$ be a colouring such that two states with the same colour have the same $C$-coloured traces of length three (i.e. colour - action - colour). Then $C$ is consistent.

Lemma 3.4. Let $C$ be a consistent colouring such that two states with the same colour have the same complete $C$-coloured traces of length one. Then $C$ is fully consistent.

Lemma 3.5. Let $C$ be a consistent colouring such that two states with the same colour have the same divergent $C$-coloured traces of length one. Then $C$ preserves divergence.

Proof. Exactly like the proof of Lemma 2.6, but letting $\sigma$ be a divergent $C$-coloured trace of $s$; $\pi, \pi'$ infinite paths; $C(t')$ a divergent $C$-coloured trace of $t'$; and $\rho', \rho''$ infinite paths.

Branching bisimulation equivalence and branching bisimulation equivalence with explicit divergence were originally defined in Van Glabbeek & Weijland [10]. There, only finite coloured traces are considered, and a consistent colouring was defined as a colouring with the property that two states have the same colour only if they have the same finite coloured traces. By Lemma 3.3 this yields the same concept of consistent colouring as Definition 3.1 above.

In [10], a consistent colouring is said to preserve divergence if no divergent state has the same colour as a nondivergent state. Here a state $s$ is divergent if it is the starting point of an infinite path of which all nodes have the same colour. This is the case if $s$ has a divergent coloured trace of length one. Now Lemma 3.5 says that the definition of preservation of divergence from [10] agrees with the one proposed above. Hence the concepts of branching bisimulation and branching bisimulation with explicit divergence of [10] agree with ours.

Theorem 3.6. $\leftrightarrow_b$, $\leftrightarrow_{\lambda b}$ and $\leftrightarrow^{\Delta}_b$ are equivalence relations.

Proof. We show the proof for $\leftrightarrow_b$; the other two cases proceed likewise.

We will regard any equivalence relation on $S$ as a colouring, the colour of a state being its equivalence class. Conversely, any colouring can be considered as an equivalence relation on states.

The diagonal on $S$ (i.e., the binary relation $\{(s, s) \mid s \in S\}$) is a consistent colouring, so $\leftrightarrow_b$ is reflexive. That $\leftrightarrow_b$ is symmetric is immediate from the required symmetry of colourings.

To prove that $\leftrightarrow_b$ is transitive, suppose $s \leftrightarrow_b t$ and $t \leftrightarrow_b u$.
So there exist consistent colourings C and D with C(s) = C(t) and D(t) = D(u). Let E be the finest equivalence relation containing C and D. Then E(s) = E(t) = E(u). It suffices to show that E is consistent. First of all note that the E-colour of a state is completely determined by its C-colour, as well as by its D-colour: C(p) = C(q) ⇒ E(p) = E(q) and D(p) = D(q) ⇒ E(p) = E(q) for all p, q ∈ S. Thus, if two states have the same sets of C-coloured traces or the same sets of D-coloured traces, they must also have the same sets of E-coloured traces. Suppose E(p) = E(q). Then there must be a sequence of states (p_i)_{0≤i≤n} such that p = p_0, q = p_n and for 0 ≤ i < n we have either C(p_i) = C(p_{i+1}) or D(p_i) = D(p_{i+1}). As C and D are consistent colourings, p_i and p_{i+1} have the same C-coloured traces or the same D-coloured traces. In either case they also have the same E-coloured traces. This holds for 0 ≤ i < n, so p and q have the same E-coloured traces. Thus E is consistent.

Lemma 3.7. Let C be a consistent colouring and s ∈ S. Then the complete C-coloured traces of s consist of the C-coloured traces of s that are infinite, divergent, or maximal, in the sense that they cannot be extended.

Proof. By definition, infinite and divergent C-coloured traces of s are complete. Let σ be a maximal C-coloured trace of s, and let π be a path from s such that C(π) = σ. Let π′ be an extension of π to a maximal path. As σ is a maximal C-coloured trace, in the sense that it cannot be extended, we have C(π′) = σ. Hence σ is a complete C-coloured trace of s. Now let σ be a complete C-coloured trace of s that is not infinite, nor a divergent C-coloured trace of s. In that case σ = C(π) for π a finite maximal path from s. Let t be the last state of π. We have ¬∃a, t′. t -a-> t′. Suppose, towards a contradiction, that σ is not maximal, i.e. there is a path π′ from s such that C(π′) is a proper extension of σ. Then there must be a state u on π′ with C(u) = C(t), such that u has a coloured trace σ′ of length > 1, which is a suffix of C(π′). As C is consistent, σ′ is also a coloured trace of t, contradicting ¬∃a, t′. t -a-> t′.

As for Kripke structures, for any colouring C, the C-coloured traces of a state s are the prefixes of the complete C-coloured traces of s. Moreover, Lemma 3.7 says that the complete C-coloured traces of a state s are completely determined by the C-coloured traces of s together with the divergent C-coloured traces of s. Hence, any colouring that is consistent and preserves divergence is also fully consistent. Therefore, ↔_b^Δ is finer than ↔_b^λ, which is finer than ↔_b.

The difference between ↔_b^λ and ↔_b^Δ is that only the latter sees the difference between those maximal finite coloured traces that stem from finite paths (ending in deadlock) and those that stem from infinite paths (ending in livelock). For deadlock-free LTSs (having no states s with ¬∃a, s′. s -a-> s′) the equivalences ↔_b^λ and ↔_b^Δ coincide.

4. Translating between Kripke structures and labelled transition systems
We presuppose a set A of actions with a special element τ ∈ A, and a set AP of atomic propositions. A doubly labelled transition system (L²TS) is a structure (S, L, →) that consists of a set of states S, a labelling function L : S → 2^AP (assigning to every state a set of atomic propositions) and a labelled transition relation → ⊆ S × A × S. From an L²TS one naturally obtains an LTS by omitting the labelling function L, and a Kripke structure by replacing the labelled transition relation by one from which the labels are omitted. We call these the LTS or Kripke structure associated to the L²TS. An L²TS (S, L, →) is consistent if it satisfies the following three conditions:

(i) if s -a-> t, then (L(s) = L(t) iff a = τ);
(ii) if s -a-> t, s′ -a-> t′ and L(s) = L(s′), then L(t) = L(t′); and
(iii) if s -a-> t, s′ -b-> t′, L(s) = L(s′) and L(t) = L(t′), then a = b.

Consistent L²TSs were introduced in De Nicola & Vaandrager [5] for studying relationships between notions defined for Kripke structures and notions defined for LTSs. Condition (i) states that a transition is unobservable in the underlying Kripke structure (i.e., a transition between states with the same label) if and only if it is an unobservable transition in the underlying labelled transition system (i.e., a τ-transition). Condition (ii) expresses that the label of the target state of a transition is completely determined by the label of the source state and the label of the transition. Consequently, the label of a state t reachable from a state s is completely determined by the label of s and the sequence of labels of the transitions leading from s to t. Condition (iii) says that the label of a transition is fully determined by the labels of its source and target state.

Example 4.1. The three L²TSs from Figure 3a are not consistent because they violate conditions (i), (ii), and (iii), respectively; the L²TS in Figure 3b is consistent.

Many semantic equivalences on LTSs, such as ↔_b, ↔_b^λ and ↔_b^Δ, are considered in the literature; for an overview see [8].

Definition 4.2. Any semantic equivalence ∼ on LTSs extends to L²TSs by declaring, for all states s and t in an L²TS, that s ∼ t iff L(s) = L(t) and s ∼ t in the associated LTS. Any semantic equivalence ∼ on Kripke structures extends to L²TSs by declaring, for all states s and t in an L²TS, that s ∼ t iff s ∼ t in the associated Kripke structure.

Figure 3: a) Three inconsistent L²TSs and b) a consistent L²TS.

The following theorem was proved in [5] for finite consistent L²TSs. Here we drop the finiteness restriction.

Theorem 4.3.
On a consistent L²TS, ≈_dbs equals ↔_b, and ≈_s equals ↔_b^λ.

Proof. Suppose s ≈_dbs t [or s ≈_s t]. Then there is a colouring C on the states of the L²TS that is [fully] consistent on the associated Kripke structure K and satisfies C(s) = C(t). By definition, this entails L(s) = L(t). It remains to show that C is [fully] consistent on the associated LTS L. So let C(p) = C(q), and let σ be a [complete] coloured trace of p in L. Using symmetry, it suffices to show that σ is also a [complete] coloured trace of q in L. Let ρ be obtained by omitting all actions from the alternating sequence of states and actions σ. Using direction “only if” of clause (i) in the definition of a consistent L²TS, ρ must be a [complete] coloured trace of p in K. As C is [fully] consistent on K, ρ must also be a [complete] coloured trace of q in K. Finally, using clauses (i) “only if” and (iii), σ must be a [complete] coloured trace of q in L.

Now suppose s ↔_b t [or s ↔_b^λ t]. Then L(s) = L(t) and there is a colouring C on the states of the L²TS, with C(s) = C(t), that is [fully] consistent on L. Let D be the colouring given by D(p) := (C(p), L(p)) for all p ∈ S, so that D(p) = D(q) ⇔ [C(p) = C(q) ∧ L(p) = L(q)]. It suffices to show that D is [fully] consistent on K. The requirement D(p) = D(q) ⇒ L(p) = L(q) is built into the definition of D. So let D(p) = D(q), and let ν be a [complete] D-coloured trace of p in K. Using symmetry, it suffices to show that ν is also a [complete] D-coloured trace of q in K. Using clause (i) “only if”, there must be a [complete] D-coloured trace ρ of p in L such that ν is obtained from ρ by omitting its actions. Let σ be the [complete] C-coloured trace of p in L obtained from ρ by omitting the second component of each D-colour of a state. As C(p) = C(q) and C is [fully] consistent on L, σ must also be a [complete] C-coloured trace of q in L. By applying clauses (i) “if” and (ii) one derives that ρ is a [complete] D-coloured trace of q in L. Therefore, again using clause (i) “only if”, ν must be a [complete] D-coloured trace of q in K.

Observation 4.4. For every Kripke structure K there exists a consistent L²TS D such that K is the Kripke structure associated to D.

One way to obtain D is to label any transition s → t by the pair (L(s), L(t)) (or simply by L(t)) when L(s) ≠ L(t), or τ when L(s) = L(t). An alternative is the label (L(s) − L(t), L(t) − L(s)), where (∅, ∅) is identified with τ.

Unlike the situation for Kripke structures (Observation 4.4) it is not the case that every LTS can be obtained as the LTS associated to a consistent L²TS. A simple counterexample is presented in [5]. Thus, in encoding LTSs as L²TSs, it is in general not possible to keep the set of states the same.
Definition 4.5. An LTS-to-L²TS transformation η consists of a function taking any LTS L to a consistent L²TS η(L), and in addition taking any state s in L to a state η(s) in η(L). Such a transformation should at least satisfy s ↔_b^λ t ⇔ η(s) ↔_b^λ η(t), that is, it preserves (“⇒”) and reflects (“⇐”) divergence sensitive branching bisimulation equivalence, and likewise for ↔_b and ↔_b^Δ.

A common LTS-to-L²TS transformation is presented in [5]. It takes an LTS L = (S, →) to an L²TS η(L) by inserting a new state halfway along any transition s -a-> t with a ≠ τ. This new state is labelled {a}, and each of the two transitions replacing s -a-> t (from s to the new state and from there to t) is labelled a. Transitions s -τ-> t are untouched. One takes η(s) = s for s ∈ S, and all such states from L are labelled with the same dummy symbol in η(L). (Consult [5] for the formal definition and examples.) In [5] it is shown that this transformation preserves and reflects ↔_b^λ; the same proof applies to ↔_b and ↔_b^Δ.

An LTS-to-L²TS transformation η yields an LTS-to-Kripke-structure transformation that we also call η, namely the one transforming an LTS L into the Kripke structure associated to η(L). In fact, using Theorem 4.3 and Observation 4.4, any LTS-to-Kripke-structure transformation η that preserves and reflects the required equivalences can be obtained in this way.

An LTS-to-L²TS transformation η makes it possible to define when a state s in an LTS satisfies a CTL*_−X formula ϕ. Namely, one defines s ⊨_η ϕ iff η(s) ⊨ ϕ. This way, CTL*_−X can be used as a temporal logic on LTSs.

Theorem 4.6. Let s and t be states in an LTS, and let η be an LTS-to-L²TS transformation. Then

  s ↔_b t   iff  s ⊨_η^db ϕ ⇔ t ⊨_η^db ϕ  for all CTL*_−X state formulas ϕ,
  s ↔_b^λ t  iff  s ⊨_η ϕ ⇔ t ⊨_η ϕ      for all CTL*_−X state formulas ϕ.

Proof. This is an immediate consequence of the requirement that η preserves and reflects ↔_b and ↔_b^λ, in combination with Theorems 2.7, 2.8 and 4.3.

5. Parallel composition
For a behavioural equivalence to be useful in a process algebraic setting, it is essential that it is a congruence for the operations under consideration. In this section we prove that ↔_b^Δ and ↔_b are congruences for the merge or interleaving operator ‖. This operator is often used to represent (asynchronous) parallel composition. However, ↔_b^λ fails to be a congruence for ‖. We characterise the least discriminating congruence that makes all the distinctions of ↔_b^λ as ↔_b^Δ. In the following definition we provide the necessary and sufficient conditions for a binary operation on the set of states of an LTS to qualify as a merge.

Definition 5.1. A binary operation ‖ on the states of an LTS is a merge if for all s, t, u ∈ S and for all a ∈ A it holds that s ‖ t -a-> u iff
− there exists s′ ∈ S such that s -a-> s′ and u = s′ ‖ t; or
− there exists t′ ∈ S such that t -a-> t′ and u = s ‖ t′.

The structural operational semantics of any process calculus that includes an operation for pure interleaving generates an LTS with merge. Moreover, any LTS can be augmented to an LTS with merge, for instance through a transition system specification [1] that includes all states of the original LTS as constants and a binary operation ‖ with the usual structural operational rules for interleaving parallel composition. Henceforth we deal with LTSs with a merge ‖.

Figure 4: ↔_b^λ is not a congruence for parallel composition.

Theorem 5.2. The relation ↔_b^Δ is a congruence for ‖, i.e., if s ↔_b^Δ t and u ↔_b^Δ v, then s ‖ u ↔_b^Δ t ‖ v.

Proof. Let R be the reflexive and transitive closure of the relation {(p ‖ q, p′ ‖ q′) | p ↔_b^Δ p′ & q ↔_b^Δ q′}. Let C be the function that assigns to each state its equivalence class with respect to R. It suffices to prove that C is a consistent divergence preserving colouring. So suppose C(r) = C(r′). Using Lemmas 3.3 and 3.5 it suffices to show that r and r′ have the same C-coloured traces of length three and the same divergent C-coloured traces of length one. It is straightforward, but notationally cumbersome, to establish this in the special case that r = p ‖ q and r′ = p′ ‖ q′ with p ↔_b^Δ p′ and q ↔_b^Δ q′. The general case then follows by induction on the length of a chain of pairs from the relation displayed above showing that the pair (r, r′) is in its reflexive and transitive closure.

A similar proof shows that also ↔_b is a congruence for ‖. However, ↔_b^λ is not.

Example 5.3.
Consider an LTS with merge that contains a state 0 without outgoing transitions, a state Δ0 with a τ-loop (an outgoing τ-labelled transition to itself) and no other outgoing transitions, and a state a with a -a-> 0. Then 0 ↔_b^λ Δ0. Figure 4a shows the fragment consisting of the states 0, Δ0 and a of the LTS under consideration. Figure 4b shows a fragment where the merge is applied. Observe that 0 ‖ a ↮_b^λ Δ0 ‖ a. The reason is that Δ0 ‖ a has a maximal path that stays in its initial state, whereas 0 ‖ a has not. This problem does not apply to ↔_b because 0 ‖ a ↔_b Δ0 ‖ a. It does not apply to ↔_b^Δ because 0 ↮_b^Δ Δ0.

The example above involves a deadlock state, namely 0. This is unavoidable, as on LTSs without deadlock ↔_b^λ coincides with ↔_b^Δ (cf. Section 3) and hence is a congruence for ‖.

The standard solution to the problem of an equivalence ∼ failing to be a congruence for a desirable operator Op is to replace it by the coarsest congruence for Op that is included in ∼ [13]. Applying this technique to the current situation, the coarsest congruence for ‖ included in ↔_b^λ turns out to be ↔_b^Δ.

Theorem 5.4. ↔_b^Δ is the coarsest congruence for ‖ that is included in ↔_b^λ.

Footnote: Strictly speaking, we merely show that ↔_b^Δ is the coarsest congruence for ‖ that is included in ↔_b^λ and satisfies the Fresh Atom Principle (FAP). This principle, described in [9], is satisfied by a semantic equivalence ∼ on LTSs when ∼ on an LTS L can always be obtained as the restriction of ∼ on any given larger LTS of which L is a subLTS, and whose transition labels may be drawn from a larger set of actions than those of L. FAP allows us to use the state a that figures in the proof of Theorem 5.4, regardless of whether such a state, or the fresh action a, occurs in the given LTS or not. FAP is satisfied by virtually all semantic equivalences documented in the literature, and can be used as a sanity check for meaningful equivalences [9].

Proof. We have already seen that ↔_b^Δ is a congruence for ‖, and that it is included in ↔_b^λ. To show that it is the coarsest, we need to show that if ∼ is any congruence for ‖ that is included in ↔_b^λ, then ∼ is included in ↔_b^Δ. So let ∼ be such a congruence and assume s ∼ t. We need to show that s ↔_b^Δ t. Let a be an action that does not occur in any path from s or t. Since ∼ is a congruence for ‖, we have s ‖ a ∼ t ‖ a, where a is the state from Example 5.3. As ∼ is included in ↔_b^λ we obtain s ‖ a ↔_b^λ t ‖ a. Let C be a fully consistent colouring with C(s ‖ a) = C(t ‖ a). Define the colouring D by D(p) = C(p ‖ a) for p a state reachable from s or t, and D(p) = p otherwise. Then D(s) = D(t). It suffices to show that D is consistent and preserves divergence, implying s ↔_b^Δ t.

So suppose D(p) = D(q) with p ≠ q. Then C(p ‖ a) = C(q ‖ a).

First we show that p and q have the same D-coloured traces. Let σ be a D-coloured trace of p. Then σ is also a C-coloured trace of p ‖ a. As p ‖ a and q ‖ a have the same complete C-coloured traces, they surely have the same C-coloured traces (for the coloured traces of a state are the prefixes of its complete coloured traces). Hence σ is a C-coloured trace of q ‖ a. As p is reachable from s or t, the action a cannot occur in σ. Therefore, σ must also be a D-coloured trace of q. By symmetry, any D-coloured trace of q is also a D-coloured trace of p, and hence p and q have the same D-coloured traces.

Next, we show that p and q have the same divergent D-coloured traces. So let σ be a divergent D-coloured trace of p. Then σ is also a divergent C-coloured trace of p ‖ a. Hence σ is a complete C-coloured trace of p ‖ a and thus also of q ‖ a. As the action a cannot occur in σ, it is not possible that σ stems from a finite maximal path from q ‖ a. Therefore, σ must be a divergent C-coloured trace of q ‖ a, and hence a divergent D-coloured trace of q. Again invoking symmetry, p and q have the same divergent D-coloured traces.

It follows that D is consistent and preserves divergence; thus s ↔_b^Δ t.

So if one is in search of a semantics such that, for s and t states in an LTS,
− if there is a CTL*_−X state formula ϕ such that s ⊨_η ϕ but t ⊭_η ϕ, then s and t should be distinguished,
− if s and t can be distinguished after placing them in a context ‖ u for some u, then they should be distinguished to start with, and
− no two states should be distinguished unless this is required by the previous two conditions,
then branching bisimulation semantics with explicit divergence is the answer, for s ↔_b^Δ t iff for all u and all ϕ ∈ Φ we have s ‖ u ⊨_η ϕ ⇔ t ‖ u ⊨_η ϕ.

6. Adding deadlock detection to CTL*_−X

We saw above that there are important properties of states s in an LTS that can be expressed in terms of a context ‖ u and a CTL*_−X formula ϕ, namely as s ‖ u ⊨_η ϕ, but that cannot be directly expressed in terms of CTL*_−X. This is somewhat unsatisfactory, and therefore we propose an extension of CTL*_−X in which this type of property can be expressed directly. We add a path modality ∞ that is valid on a path π iff π is infinite. This path modality, or actually an equally expressive one, was studied prior by Kaivola & Valmari [11] in the context of Linear Temporal Logic without the next state operator (see Section 9).

Definition 6.1.
The syntax of CTL*_∞ is given by

  ϕ ::= p | ¬ϕ | ⋀Φ′ | ∃ψ
  ψ ::= ϕ | ¬ψ | ⋀Ψ′ | ψ U ψ | ∞

with p ∈ AP, ϕ ∈ Φ, Φ′ ⊆ Φ, ψ ∈ Ψ and Ψ′ ⊆ Ψ. Validity is defined as in Definition 2.2, but adding the clause
− π ⊨ ∞ iff the path π is infinite.

We write ∃^∞ψ for ∃(∞ ∧ ψ); this formula holds in a state s if there exists an infinite path π from s such that π ⊨ ψ. Likewise ∀^∞ψ = ∀(∞ → ψ) holds in s if for all infinite paths π from s we have that π ⊨ ψ. These constructs are dual, in the sense that s ⊨ ¬∃^∞ψ iff s ⊨ ∀^∞¬ψ.

The negation of ∞ holds for a maximal path π iff π is finite, and hence ends in a deadlock. It is tempting to simply extend CTL*_−X with a state formula δ such that s ⊨ δ iff ¬∃s′. s → s′. This would make it possible to express ∞ as ¬Fδ. However, this would make the resulting logic too expressive: the two states in the Kripke structure ◦ → ◦ (with the empty labelling) are branching bisimulation equivalent with explicit divergence, yet they would be distinguished by this extension of CTL*_−X, as only the last state satisfies δ.

CTL*_∞ is an extension of CTL*_−X. There is no need for a similar extension of CTL*, for δ can be expressed as ¬∃X⊤. In particular, CTL*_∞ is not more expressive than CTL*.

The definition of branching bisimulation equivalence with explicit divergence lifts easily to Kripke structures: s ↔_b^Δ t, for s and t states in a Kripke structure, iff there exists a consistent and divergence preserving colouring C such that C(s) = C(t). Here divergence preserving is defined as in Section 3; by Lemma 3.5, this time applied to Kripke structures, a consistent colouring preserves divergence iff, for any states s and t, C(s) = C(t) implies

  for any infinite path π from s with C(π) = C(s) there is an infinite path ρ from t with C(ρ) = C(t).

Theorem 6.2. s ↔_b^Δ t iff s ⊨ ϕ ⇔ t ⊨ ϕ for all CTL*_∞ state formulas ϕ.

Proof.
“Only if” goes as in the proof of Theorem 2.7, reading ⊨ for ⊨_db, requiring C to be consistent and divergence preserving, and, in the second paragraph, requiring the paths π and ρ to be maximal and C(π) to be a complete coloured trace of s and t. Here we use that if a colouring is consistent and divergence preserving, then two states with the same colour must also have the same complete coloured traces. This follows from Lemma 3.7, this time applied to Kripke structures.

There is one extra case to check. Suppose C(π) = C(ρ) and π ⊨ ∞, but ρ ⊭ ∞. Then the last state t of ρ has the same colour C(t) as one of the states s of π. Let π′ be the (infinite) suffix of π starting at s. Then C(π′) = C(s) = C(t), yet there is no infinite path from t, contradicting that C is divergence preserving.

“If” goes as in the proof of Theorem 2.7, but this time we also have to show that C preserves divergence. So let s and t be states and π an infinite path from s with C(π) = C(s) = C(t) = C. Let U = {u | there is a path from t to u and C(u) ≠ C}. For every u ∈ U pick a CTL*_∞ formula ϕ_u ∈ C − C(u). Now s ⊨ ∃^∞G(⋀_{u∈U} ϕ_u) and, as C(s) = C(t), also t ⊨ ∃^∞G(⋀_{u∈U} ϕ_u). Thus, there is an infinite path ρ from t such that t′ ⊨ ⋀_{u∈U} ϕ_u for all states t′ in ρ. It follows that t′ ∉ U. Hence C(t′) = C and thus C(ρ) = C.

7. Adding deadlock detection to CTL_−X

CTL_−X is the sublogic of CTL*_−X that only allows path formulas of the form ϕ U ϕ′ and ¬(ϕ U ϕ′), where ϕ and ϕ′ are state formulas. Equivalently, it can be defined as only allowing path formulas of the form ϕ U ϕ′ and Gϕ, for we have

  s ⊨ ∃Gϕ        iff  s ⊨ ∃¬(⊤ U ¬ϕ)
  s ⊨ ∃¬(ϕ U ϕ′)  iff  s ⊨ ∃[(¬ϕ′) U ¬(ϕ ∨ ϕ′)] ∨ ∃G¬ϕ′.

Theorems 2.7 and 2.8 are also valid when using CTL_−X instead of CTL*_−X, for their proofs use no other temporal constructs than ∃(ϕ U ϕ′) and ∃Gϕ.

A natural proposal for CTL_∞ would be to add the path quantifier ∃^∞ to CTL_−X, thus yielding the syntax

  ϕ ::= p | ¬ϕ | ⋀Φ′ | ∃(ϕ U ϕ) | ∃^∞(ϕ U ϕ) | ∃Gϕ | ∃^∞Gϕ.

However, we can economise on that, for

  s ⊨ ∃^∞(ϕ U ϕ′)  iff  s ⊨ ∃(ϕ U (ϕ′ ∧ ∃^∞G⊤))
  s ⊨ ∃Gϕ         iff  s ⊨ ∃^∞Gϕ ∨ ∃(ϕ U (∀Gϕ))

where ∀Gϕ is an abbreviation for ¬∃(⊤ U ¬ϕ). Hence CTL_∞ can be given by the syntax

  ϕ ::= p | ¬ϕ | ⋀Φ′ | ∃(ϕ U ϕ) | ∃^∞Gϕ.

It follows immediately from the proof of Theorem 6.2 that this language is sufficiently expressive to characterise branching bisimulation equivalence with explicit divergence:

Theorem 7.1. s ↔_b^Δ t iff s ⊨ ϕ ⇔ t ⊨ ϕ for all CTL_∞ formulas ϕ.

It is tempting to simply write ∃^∞G as ∃G; that is, to keep the same syntax as for CTL_−X but define its semantics in such a way that ∃(ϕ U ϕ′) asks merely for a finite path, whereas ∃Gϕ asks for an infinite one. This deadlock sensitive interpretation of CTL_−X is an alternative for the interpretation of [5]. It is consistent with the classical interpretation of CTL [7, 3], as for total Kripke structures there is no difference between ∃^∞ and ∃.

8. The deadlock extension of Kripke structures
Following De Nicola & Vaandrager [5] we have applied CTL*_−X to non-total Kripke structures by using maximal instead of infinite paths in the definition of validity. As remarked in Section 2, the same effect can be obtained by transforming a non-total Kripke structure into a total one by adding a self-loop s → s to every deadlock state s, and applying the standard CTL*_−X semantics to the resulting total Kripke structure. However, the latter does not apply to CTL*_∞, because the self-loop s → s invalidates the formula ∃¬∞ that holds in any deadlock state s. Here we define another transformation on Kripke structures that makes every Kripke structure total, and allows the encoding of CTL*_∞ in terms of CTL*_−X.

Figure 5: Deadlock extension of a Kripke structure.

Definition 8.1.
The deadlock extension D(K) of a Kripke structure K is obtained by the addition of a fresh state s_δ, labelled by the fresh atomic proposition δ, together with a transition from s_δ and from every deadlock state in K to s_δ. An example of this transformation is depicted in Figure 5.

Theorem 8.2. Let K be a Kripke structure, with states s and t. Then s ↔_b^Δ t within the Kripke structure K iff s ↔_b^Δ t within the Kripke structure D(K).

Proof. “If”: Let D be a consistent and divergence preserving colouring on D(K). Note that D(s_δ) ≠ D(s) for any state s ≠ s_δ in D(K). Let C be the restriction of D to the states of K. Then the C-coloured traces of a state s in K equal the D-coloured traces of s in D(K), but with the colour D(s_δ) omitted from the end of such traces. It follows that C is consistent. It preserves divergence by Lemma 3.5.

“Only if”: Let C be a consistent and divergence preserving colouring on K. Extend it to a colouring D on D(K) by assigning a fresh colour δ to the extra state s_δ of D(K). It suffices to check that D is consistent and divergence preserving.

Claim. From any state s in K with the same colour as a deadlock state t in K there must be a path π to a deadlock state such that C(π) = C(t).

Proof of claim. As t has no C-coloured traces of length two, neither does s, and as t has no divergent C-coloured traces, neither does s. Thus, all paths from s are finite and only pass through states with colour C(t).

Application of the claim. The D-coloured traces of length two of a state s ≠ s_δ in D(K) are the C-coloured traces of length two of the state s in K, together with the trace C(t)δ in case s has the same colour as a deadlock state t in K. Thus D is consistent by Lemma 2.5, and preserves divergence by Lemma 3.5.

The “if”-direction of the theorem, with a similar proof, also applies to ≈_s and ≈_dbs, but the “only if”-direction does not. As a counterexample, let K be a Kripke structure with a deadlock state d (having no outgoing transitions) and a livelock state l (with a self-loop as its only outgoing transition); neither state satisfies any atomic propositions. In K we have d ≈_s l, and hence d ≈_dbs l, but in D(K) we have d ≉_dbs l, and hence d ≉_s l. Considering that Kripke structures of the form D(K) are total, and that on total Kripke structures ≈_s and ↔_b^Δ coincide, it is in fact impossible to define a transformation like D for which Theorem 8.2 holds for both ↔_b^Δ and ≈_s.

Now let η be an arbitrary LTS-to-L²TS transformation, yielding an LTS-to-Kripke-structure transformation that is also called η (see Section 4). Then D ∘ η is not a valid LTS-to-Kripke-structure transformation as intended in [5], for it fails to preserve ↔_b^λ / ≈_s and ↔_b / ≈_dbs (cf. Definition 4.5). Yet, it satisfies

  s ↔_b^Δ t ⇔ D ∘ η(s) ≈_s D ∘ η(t)

(because s ↔_b^Δ t ⇔ η(s) ↔_b^Δ η(t) ⇔ D ∘ η(s) ↔_b^Δ D ∘ η(t), and on total Kripke structures ↔_b^Δ and ≈_s coincide), and as such it is a suitable transformation for defining validity of CTL*_−X formulas on states in LTSs.
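The deadlock extension D(K) of Definition 8.1 and the deadlock/livelock counterexample above, worked through in code. This is an added example constructed for this page, not code from the paper: it builds a finite Kripke structure, its extension D(K), a checker for the CTL_∞ fragment of Section 7 (∃(ϕ U ϕ′) and ∃^∞Gϕ, plus the maximal-path ∃G of [5]), and the translation D of Theorem 8.6, so that Theorem 8.5 can be checked on the states d and l. The tuple encoding of formulas, the state names and all function names are assumptions of this example.

```python
"""Deadlock extension D(K) and a CTL_infinity checker for finite Kripke structures (added example).
Formulas are nested tuples: ('p', name) | ('not', f) | ('and', f1, ..., fn) with ('and',) = true |
('EU', f, g) = E(f U g) | ('EG', f) = E G f over maximal paths, as in [5] | ('EGinf', f) = E^inf G f."""
from typing import Dict, Set, Tuple

TRUE = ('and',)
DELTA, S_DELTA = 'delta', 's_delta'   # fresh proposition and fresh state of Definition 8.1


class Kripke:
    def __init__(self, labels: Dict[str, Set[str]], edges: Set[Tuple[str, str]]):
        self.states = set(labels)
        self.labels = {s: frozenset(ps) for s, ps in labels.items()}
        self.succ: Dict[str, Set[str]] = {s: set() for s in self.states}
        for s, t in edges:
            self.succ[s].add(t)

    def deadlocks(self) -> Set[str]:
        return {s for s in self.states if not self.succ[s]}

    def pre(self, Z: Set[str]) -> Set[str]:
        """States with at least one successor in Z."""
        return {s for s in self.states if self.succ[s] & Z}


def deadlock_extension(K: Kripke) -> Kripke:
    """D(K): add s_delta labelled {delta}, a self-loop on it, and an edge into it from every deadlock."""
    labels = {s: set(ps) for s, ps in K.labels.items()}
    labels[S_DELTA] = {DELTA}
    edges = {(s, t) for s in K.states for t in K.succ[s]}
    edges |= {(d, S_DELTA) for d in K.deadlocks()} | {(S_DELTA, S_DELTA)}
    return Kripke(labels, edges)


def sat(K: Kripke, f) -> Set[str]:
    """Set of states of K satisfying f; path quantifiers range over maximal paths, as in the paper."""
    kind = f[0]
    if kind == 'p':
        return {s for s in K.states if f[1] in K.labels[s]}
    if kind == 'not':
        return K.states - sat(K, f[1])
    if kind == 'and':
        result = set(K.states)
        for g in f[1:]:
            result &= sat(K, g)
        return result
    if kind == 'EU':
        # Least fixpoint: a finite path through f-states that reaches a g-state.  In a finite
        # structure every finite path extends to a maximal one, so this is exactly E(f U g).
        F, Z = sat(K, f[1]), sat(K, f[2])
        while True:
            new = Z | (F & K.pre(Z))
            if new == Z:
                return Z
            Z = new
    if kind in ('EG', 'EGinf'):
        # Greatest fixpoint: keep f-states with a successor still in Z.  'EG' (maximal paths) also
        # keeps deadlocked f-states; 'EGinf' drops them, leaving the states with an infinite f-path.
        F = sat(K, f[1])
        kept_deadlocks = K.deadlocks() if kind == 'EG' else set()
        Z = set(F)
        while True:
            new = F & (K.pre(Z) | kept_deadlocks)
            if new == Z:
                return Z
            Z = new
    raise ValueError(f'unknown formula {f!r}')


def holds(K: Kripke, s: str, f) -> bool:
    return s in sat(K, f)


def trans_D(f):
    """Theorem 8.6: translation D from CTL_infinity to CTL_delta, to be evaluated on D(K).
    E^inf G becomes plain E G, which on the total structure D(K) ranges over infinite paths only."""
    not_delta = ('not', ('p', DELTA))
    kind = f[0]
    if kind == 'p':
        return f
    if kind == 'not':
        return ('and', not_delta, ('not', trans_D(f[1])))
    if kind == 'and':
        return ('and',) + tuple(trans_D(g) for g in f[1:])
    if kind == 'EU':
        return ('EU', trans_D(f[1]), trans_D(f[2]))
    if kind == 'EGinf':
        return ('EG', ('and', not_delta, trans_D(f[1])))
    raise ValueError(f'not a CTL_infinity formula: {f!r}')


def theorem_8_5_holds(K: Kripke, f) -> bool:
    """s |= f in K  iff  s |= D(f) in D(K), checked for every state s of K."""
    DK, Df = deadlock_extension(K), trans_D(f)
    return all(holds(K, s, f) == holds(DK, s, Df) for s in K.states)


# Constructed input: the counterexample after Theorem 8.2, a deadlock state d and a livelock state l.
K_DL = Kripke({'d': set(), 'l': set()}, {('l', 'l')})
EG_INF_TRUE = ('EGinf', TRUE)   # E^inf G true: "some path from here is infinite"

if __name__ == '__main__':   # E G true holds at d and l; E^inf G true, and its D-translation on D(K), only at l
    for s in ('d', 'l'):
        print(s, holds(K_DL, s, ('EG', TRUE)), holds(K_DL, s, EG_INF_TRUE), holds(deadlock_extension(K_DL), s, trans_D(EG_INF_TRUE)))
```

The maximal-path ∃G⊤ of [5] holds at both d and l, while ∃^∞G⊤ in K, and its translation ∃G¬δ in D(K), hold at l only, which is exactly the separation the text describes.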
We obtain:

Corollary 8.3. Let s and t be states in an LTS, and let η be an LTS-to-L²TS transformation. Then s ↔_b^Δ t iff s ⊨_{D∘η} ϕ ⇔ t ⊨_{D∘η} ϕ for all CTL*_−X state formulas ϕ.

Thus, one way to make CTL*_−X suitable for dealing with deadlock behaviour on LTSs is to stick to total Kripke structures and translate LTSs to Kripke structures by a translation D ∘ η instead of a transformation η as proposed in [5]. This way branching bisimulation equivalence with explicit divergence becomes the natural counterpart of stuttering equivalence on Kripke struct蔵ures, and we have the modal characterisation of Corollary 8.3.

An alternative is to stick to more natural transformations η meeting the criteria of Definition 4.5, apply the definition of validity of CTL*_−X formulas to non-total Kripke structures as in [5], and extend CTL*_−X to CTL*_∞ as indicated in Section 6.

Below we show that these solutions lead to equally expressive logics on LTSs.

Definition 8.4.
Given a set of atomic propositions, let CTL*_δ be the logic CTL*_−X extended with an extra atomic proposition δ. The mappings D from CTL*_∞ to CTL*_δ formulas and E from CTL*_δ to CTL*_∞ formulas are defined inductively by

  D(p) = p                                E(p) = p
  D(¬ϕ) = ¬δ ∧ ¬D(ϕ)                      E(¬ϕ) = ¬E(ϕ)
  D(⋀_{i∈I} ϕ_i) = ⋀_{i∈I} D(ϕ_i)         E(⋀_{i∈I} ϕ_i) = ⋀_{i∈I} E(ϕ_i)
  D(∃ψ) = ∃D(ψ)                           E(∃ψ) = ∃E(ψ)
  D(¬ψ) = ¬δ ∧ ¬D(ψ)                      E(¬ψ) = ¬E(ψ)
  D(⋀_{i∈I} ψ_i) = ⋀_{i∈I} D(ψ_i)         E(⋀_{i∈I} ψ_i) = ⋀_{i∈I} E(ψ_i)
  D(ψ U ψ′) = D(ψ) U D(ψ′)                E(ψ U ψ′) = (E(ψ) U_δ δ_{ψ′}) ∨ (E(ψ) U E(ψ′))
  D(∞) = ¬Fδ                              E(δ) = ¬⊤.

Here δ_{ψ′} = δ if s_δ ⊨ ∃ψ′, and ¬⊤ otherwise, and ψ U_δ abbreviates ¬∞ ∧ Gψ.

We remark that checking whether s_δ ⊨ ∃ψ′ is simple: just substitute ⊤ for δ and ⊥ for all other atomic propositions in ψ′, while simplifying subformulas ψ U ψ′ to ψ′. The latter is justified because the unique infinite path starting from s_δ has only itself as suffix.

Theorem 8.5.
Let K be a Kripke structure and s a state in K . Then for any CTL ∗∞ stateformula ϕ we have s | = ϕ in K iff s | = D ( ϕ ) in D (K) , and for any CTL ∗ δ state formula ϕ we have s | = ϕ in D (K) iff s | = E ( ϕ ) in K .Proof. For a state formula ϕ , let [[ ϕ ]] K denote the set of states s in K with s | = ϕ . Likewise,for a path formula ψ , [[ ψ ]] K denotes the set of maximal paths π in K with π | = ϕ . Notethat there is a bijective correspondence between the maximal paths in K and those in D (K)not starting in s δ . A straightforward structural induction shows that [[ ϕ ]] K = [[ D ( ϕ )]] D (K) for any CTL ∗∞ state formula ϕ and, up to the aforementioned bijective correspondence,[[ ψ ]] K = [[ D ( ψ )]] D (K) for any CTL ∗∞ path formula ψ .For the second statement, let π δ be the unique path in D (K) starting in s δ . A straight-forward structural induction shows that [[ ϕ ]] D (K) − { s δ } = [[ E ( ϕ )]] K for any CTL ∗ δ stateformula ϕ and, up to the above bijective correspondence, [[ ψ ]] D (K) − { π δ } = [[ E ( ψ )]] K for any CTL ∗ δ path formula ψ . In CTL ∗∞ the path modality ∞ is equally expressive as the path modality ψ U δ of Defi-nition 8.4, saying of a path that it is finite and all its suffixes satisfy ψ . This is because π | = ψ U δ ⇔ π | = ¬∞ ∧ G ψ and π | = ∞ ⇔ π | = ¬ F δ ⇔ π | = ¬⊤ U δ . In thislight, the encoding D of CTL ∗∞ into CTL ∗ δ merely adds a conjunct ¬ δ here and there. Theseconjuncts are not optional; they enable, for instance, the correct translation of the CTL ∗∞ path formula G p by the CTL ∗ δ formula ¬ δ ∧ G ( δ ∨ p ).Recall that in Section 6 we considered extending CTL ∗− X with a state formula δ suchthat s | = δ iff ¬∃ s ′ . s −→ s ′ . We then argued that this would make the resulting logic tooexpressive. Note that in our current proposal the atomic proposition δ only holds in thefresh state s δ of the deadlock extension D (K) of a Kripke structure K and not in any ofthe original states of K. 
As a consequence, in CTL∗∞, which does not have the next state modality X, we can express the property that deadlock is unavoidable (when all paths from an original state of K lead to deadlock), but we still cannot express the property of being deadlocked (i.e., the property that holds in an original state of K iff no further transitions are possible).

Theorem 8.6.
Also the logics CTLδ and CTL∞ are equally expressive.

Proof. This follows because D can be restricted to a mapping from CTL∞ to CTLδ formulas and E to a mapping from CTLδ to CTL∞ formulas. In particular,

\[
\begin{array}{rcl}
D(\exists(\varphi\,\mathsf{U}\,\varphi')) & = & \exists(D(\varphi)\,\mathsf{U}\,D(\varphi')) \\
D(\exists\mathsf{G}^{\infty}\varphi) & = & \exists\mathsf{G}(\neg\delta \wedge D(\varphi)) \\
E(\exists(\varphi\,\mathsf{U}\,\varphi')) & = & \begin{cases}
\exists(E(\varphi)\,\mathsf{U}\,E(\varphi')) \vee \exists(E(\varphi)\,\mathsf{U}\,(\neg\exists\mathsf{G}^{\infty}\top \wedge \exists\mathsf{G}\,E(\varphi))) & \text{if } s_\delta \models \varphi' \\
\exists(E(\varphi)\,\mathsf{U}\,E(\varphi')) & \text{otherwise}
\end{cases}
\end{array}
\]

and

\[
E(\exists\mathsf{G}\varphi) = \begin{cases}
\exists\mathsf{G}^{\infty}E(\varphi) & \text{if } s_\delta \models \varphi \\
\exists\mathsf{G}\,E(\varphi) & \text{otherwise.}
\end{cases}
\]

9. Linear temporal logic with deadlock detection
Linear Temporal Logic [14] (LTL) is the sublogic of CTL∗ that allows propositional variables p ∈ AP but no other state formulas to be used as path formulas. Path formulas are applied to states by an implicit universal quantification: s ⊨ ψ iff s ⊨ ∀ψ. In this section we explore the programme of this paper in the setting of LTL−X (LTL without the next state modality), and compare the results with the branching time case.

First we characterise the equivalence induced on the states of a Kripke structure (S, L, →) by validity of LTL−X formulas. We can conveniently use the notion of complete coloured traces in this characterisation, observing that L is a colouring in the sense of Definition 2.3. We write s ≈_L t if the states s and t have the same complete L-coloured traces. Now two states satisfy the same LTL−X formulas iff they have the same complete L-coloured traces.

Theorem 9.1. s ≈_L t iff s ⊨ ψ ⇔ t ⊨ ψ for all LTL−X formulas ψ.

Proof. "Only if": Note that, to show that s ≈_L t implies s ⊨ ψ ⇔ t ⊨ ψ, it suffices to prove that if L(π) = L(ρ) then π ⊨ ψ ⇔ ρ ⊨ ψ. We proceed by structural induction on ψ.
From L(π) = L(ρ) it follows that the first states of π and ρ have the same colour, and hence if ψ = p with p ∈ AP then π ⊨ ψ ⇔ ρ ⊨ ψ. The cases ψ = ¬ψ′ and ψ = ⋀Ψ′ follow immediately from the induction hypothesis.

Finally, let ψ = ψ′ U ψ′′ and suppose that π ⊨ ψ. Then there exists a suffix π′ of π such that π′ ⊨ ψ′′ and π′′ ⊨ ψ′ for all π ⊵ π′′ ▷ π′. As L(π) = L(ρ), there must be a suffix ρ′ of ρ such that L(π′) = L(ρ′) and for every path ρ′′ such that ρ ⊵ ρ′′ ▷ ρ′ there exists a path π′′ with π ⊵ π′′ ▷ π′ such that L(π′′) = L(ρ′′). By induction, this implies ρ′ ⊨ ψ′′ and ρ′′ ⊨ ψ′ for all ρ ⊵ ρ′′ ▷ ρ′. Hence ρ ⊨ ψ.

"If": Suppose that s ≉_L t. Then, without loss of generality, there exists a maximal path ρ from t such that for all maximal paths π from s it holds that L(π) ≠ L(ρ); we define an LTL−X formula ψ such that s ⊨ ψ, while t ⊭ ψ.

First, we define for every colour C, which is a subset of AP, a formula ψ(C) with the property that π ⊨ ψ(C) iff the first state of π has colour C. (A possible definition of ψ(C) would be ⋀_{p∈C} p ∧ ⋀_{p∉C} ¬p; however, one can economise on the cardinality of this conjunction by including only one conjunct for every other colour D that actually occurs in the underlying Kripke structure; this way we meet the cardinality restriction imposed in Section 2.) For every maximal path π from s such that L(ρ) is not a prefix of L(π), let

\[
\psi_\pi = (\cdots((\psi(C_0))\,\mathsf{U}\,(\psi(C_1)))\,\mathsf{U}\cdots)\,\mathsf{U}\,(\psi(C_k)),
\]

where C_0, C_1, …, C_k is the shortest prefix of L(ρ) that is not also a prefix of L(π). For every maximal path π from s such that L(ρ) is a prefix of L(π), let

\[
\psi_\pi = \neg(\cdots((\psi(D_0))\,\mathsf{U}\,(\psi(D_1)))\,\mathsf{U}\cdots)\,\mathsf{U}\,(\psi(D_k)),
\]

where D_0, D_1, …, D_k is the shortest prefix of L(π) that is not also a prefix of L(ρ). Note that in either case we have ρ ⊨ ψ_π while π ⊭ ψ_π.
Now, define ψ by

\[
\psi = \neg \bigwedge \{\, \psi_\pi \mid \pi \text{ a maximal path from } s \,\}.
\]

It is not hard to check that in a Kripke structure with less than κ states, for κ an infinite cardinal, less than κ of the formulas ψ_π are different. Now, since ρ is a path from t such that ρ ⊭ ψ, it follows that t ⊭ ψ. On the other hand, since π ⊭ ψ_π, it follows that π ⊨ ψ for all paths π from s, and hence s ⊨ ψ.

In order to lift this notion of equivalence from Kripke structures to LTSs, consider a trivial colouring T, assigning the same colour to all states in an LTS, and write s =_{λT} t if s and t have the same complete T-coloured traces. In [8], =_{λT} was called divergence sensitive trace equivalence. The following counterpart of Theorem 4.3 indicates that =_{λT} is on LTSs what ≈_L is on Kripke structures:

Theorem 9.2.
On a consistent ℒTS, ≈_L equals =_{λT}.

Proof. If π is a path from a state s and ρ a path from t in a consistent ℒTS (S, L, →), then

\[
L(\pi) = L(\rho) \;\Leftrightarrow\; L(s) = L(t) \wedge T(\pi) = T(\rho),
\]

where L(π) denotes the L-coloured trace in the associated Kripke structure (thus, forgetting the actions) and T(π) denotes the trivially coloured trace in the associated LTS (thus, keeping the visible actions, but forgetting the colours). This is an immediate consequence of the definition of consistency, and it immediately implies the theorem.

In order to make LTS-to-ℒTS transformations useful for applying LTL on LTSs they should be required to preserve and reflect =_{λT}; the transformation of [5] trivially has this property. We then obtain:

Corollary 9.3.
Let s and t be states in an LTS, and let η be an LTS-to-ℒTS transformation preserving and reflecting =_{λT}. Then s =_{λT} t iff s ⊨_η ψ ⇔ t ⊨_η ψ for all LTL−X formulas ψ.

The very same counterexample as used in Section 5 shows that =_{λT} fails to be a congruence for ‖: we have 0 =_{λT} ∆0, yet 0 ‖ a ≠_{λT} ∆0 ‖ a. We proceed to characterise the coarsest congruence for ‖ that is included in =_{λT}. We write s =^∆_{λT} t if s and t have the same complete T-coloured traces as well as the same divergent T-coloured traces; by analogy with the branching bisimulation variants we propose to call =^∆_{λT} trace equivalence with explicit divergence.

Theorem 9.4. =^∆_{λT} is the coarsest congruence for ‖ that is included in =_{λT}.

Proof. Let T(s) denote the set of T-coloured traces of a state s, T_λ(s) its set of complete T-coloured traces, and T_∆(s) its set of divergent ones. Clearly T_∆(s) ⊆ T_λ(s) ⊆ T(s). Note that T(s) is completely determined by T_λ(s), namely as its set of initial prefixes. Furthermore, let T_*(s) denote the set of finite T-coloured traces of s and T_∞(s) its set of infinite ones. Also T_*(s) and T_∞(s) are completely determined by T_λ(s), and T_∞(s) ⊆ T_λ(s). For any two sets of sequences S and T, let S ‖ T denote the set of those sequences which can be obtained by interleaving a sequence of S with a sequence of T. Now we have

\[
\begin{array}{rcl}
T(s \parallel t) & = & T(s) \parallel T(t) \\
T_*(s \parallel t) & = & T_*(s) \parallel T_*(t) \\
T_\infty(s \parallel t) & = & T_\infty(s) \parallel T(t) \;\cup\; T(s) \parallel T_\infty(t) \\
T_\Delta(s \parallel t) & = & T_\Delta(s) \parallel T_*(t) \;\cup\; T_*(s) \parallel T_\Delta(t) \\
T_\lambda(s \parallel t) & = & T_\infty(s \parallel t) \;\cup\; T_\Delta(s \parallel t) \;\cup\; T_\lambda(s) \parallel T_\lambda(t).
\end{array}
\]

This implies that =^∆_{λT} is a congruence. By construction it is included in =_{λT}.

Now let ∼ be any congruence for ‖ that is included in =_{λT}, and assume s ∼ u. We need to show that s =^∆_{λT} u. We know already that T_λ(s) = T_λ(u). So let σ ∈ T_∆(u). By symmetry, it suffices to show that σ ∈ T_∆(s).
Let a be an action that does not occur in any path from s. Since ∼ is a congruence for ‖, we have s ‖ a ∼ u ‖ a, where a is the state from Example 5.3. As ∼ is included in =_{λT} we obtain s ‖ a =_{λT} u ‖ a. Since σ ∈ T_∆(u) and the empty trace ε is in T_*(a), we have σ ∈ T_∆(u ‖ a) ⊆ T_λ(u ‖ a) = T_λ(s ‖ a). Since ε ∉ T_λ(a) it must be that σ ∈ T_∆(s ‖ a) and hence σ ∈ T_∆(s).

So far the situation is analogous with the branching time case. However, from here on the development is different. Adding the ∞-modality to LTL−X does not merely add the expressiveness to the logic to make it characterise =^∆_{λT}. Instead LTL∞ (obtained from LTL−X by adding the ∞-modality) characterises a strictly finer equivalence. We define L-coloured deadlock traces as L-coloured traces that stem from finite maximal paths, i.e. paths ending in a deadlock state, and for s, t states in a Kripke structure (S, L, →) we write s ≈^{∆δ}_L t if s and t have the same complete L-coloured traces, the same divergent L-coloured traces, and the same L-coloured deadlock traces. Likewise, for s, t states in an LTS we write s =^{∆δ}_T t if s and t have the same complete T-coloured traces, the same divergent T-coloured traces, and the same T-coloured deadlock traces. In [8], =^{∆δ}_T was called divergence sensitive completed trace equivalence. In light of the proof of Theorem 9.2 it is straightforward to establish that on a consistent ℒTS the preorders ≈^{∆δ}_L and =^{∆δ}_T coincide.
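The following is an added example, not code from the paper: it computes the three T-coloured trace sets used above (complete, divergent and deadlock traces, where the trivial colouring T reduces a trace to its sequence of visible actions) on finite LTSs, with the merge ‖ implemented as interleaving, and replays the counterexample of this section: 0 and ∆0 have the same complete traces, their divergent traces already differ, and 0 ‖ a and ∆0 ‖ a have different complete traces. Only traces with finitely many visible actions are enumerated (up to a length bound), so traces of infinite visible behaviour are not represented; the LTS encoding, the state names and the bound are this example's own assumptions.

```python
"""Added example (not code from the paper): complete, divergent and deadlock
T-coloured traces of finite LTSs, and the merge || as interleaving.
Only traces with finitely many visible actions are enumerated."""
from collections import deque

TAU = 'tau'   # the invisible action; the trivial colouring T forgets it


class LTS:
    def __init__(self, trans):
        self.trans = trans          # state -> set of (action, target) pairs

    def states(self):
        return set(self.trans)

    def divergent_states(self):
        """States with an infinite tau-path: greatest fixpoint keeping a state
        while it still has a tau-successor inside the set."""
        res = set(self.trans)
        while True:
            new = {s for s in res
                   if any(a == TAU and t in res for (a, t) in self.trans[s])}
            if new == res:
                return res
            res = new

    def finite_paths(self, s, max_len):
        """(word, end state) for every finite path from s with at most max_len
        visible actions; the word forgets tau, as the trivial colouring T does."""
        seen, queue = set(), deque([((), s)])
        while queue:
            w, t = queue.popleft()
            if (w, t) in seen:
                continue
            seen.add((w, t))
            for (a, u) in self.trans[t]:
                w2 = w if a == TAU else w + (a,)
                if len(w2) <= max_len:
                    queue.append((w2, u))
        return seen

    def trace_sets(self, s, max_len=6):
        """T_lambda (complete), T_Delta (divergent) and deadlock traces of s,
        restricted to traces with finitely many visible actions."""
        div = self.divergent_states()
        ends = self.finite_paths(s, max_len)
        deadlock = {w for (w, t) in ends if not self.trans[t]}   # finite maximal paths
        divergent = {w for (w, t) in ends if t in div}           # path ends in a tau-loop
        return {'complete': deadlock | divergent,
                'divergent': divergent, 'deadlock': deadlock}


def merge(L, M):
    """Interleaving parallel composition L || M on state pairs (no synchronisation)."""
    trans = {}
    for s in L.states():
        for t in M.states():
            trans[(s, t)] = ({(a, (s2, t)) for (a, s2) in L.trans[s]} |
                             {(a, (s, t2)) for (a, t2) in M.trans[t]})
    return LTS(trans)


# Constructed processes: 0 (no transitions), Delta0 (a tau-loop), a (does a, then stops).
ZERO = LTS({'0': set()})
DELTA0 = LTS({'d0': {(TAU, 'd0')}})
A = LTS({'a': {('a', 'a_done')}, 'a_done': set()})


def counterexample():
    """Returns (0 and Delta0 have the same complete traces,
                0 and Delta0 have the same divergent traces,
                0||a and Delta0||a have the same complete traces)."""
    z, d = ZERO.trace_sets('0'), DELTA0.trace_sets('d0')
    za = merge(ZERO, A).trace_sets(('0', 'a'))
    da = merge(DELTA0, A).trace_sets(('d0', 'a'))
    return (z['complete'] == d['complete'],
            z['divergent'] == d['divergent'],
            za['complete'] == da['complete'])


if __name__ == '__main__':
    print(counterexample())     # (True, False, False)
```

The middle component is the divergent trace ε of ∆0, which 0 lacks: exactly the information that =^∆_{λT} adds to =_{λT} and that the merge with a exposes in the complete traces.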
Theorem 9.5. s ≈^{∆δ}_L t iff s ⊨ ψ ⇔ t ⊨ ψ for all LTL∞ formulas ψ.

Proof. Let L_δ(π) be the L-coloured trace of a path π as given in Definition 2.3, but with a symbol δ tagged at the end iff π is finite and maximal (i.e. ending in deadlock). Then s ≈^{∆δ}_L t iff for every path π from s there is a path ρ from t such that L_δ(π) = L_δ(ρ), and vice versa.

"Only if": To show that s ≈^{∆δ}_L t implies s ⊨ ψ ⇔ t ⊨ ψ, it suffices to prove that if L_δ(π) = L_δ(ρ) then π ⊨ ψ ⇔ ρ ⊨ ψ. This proceeds exactly as in the proof of Theorem 9.1, except that there is one extra case to consider, namely that ψ = ∞: Suppose π ⊨ ∞. Then L_δ(π) does not end in δ, so L_δ(ρ) does not end in δ, so ρ ⊨ ∞.

"If": Suppose that s ≉^{∆δ}_L t. Then, without loss of generality, there exists a maximal path ρ from t such that for all maximal paths π from s it holds that L_δ(π) ≠ L_δ(ρ). As in the proof of Theorem 9.1 we define an LTL∞ formula ψ such that s ⊨ ψ, while t ⊭ ψ. For π a maximal path from s such that L(π) ≠ L(ρ), we define the formula ψ_π exactly as in the proof of Theorem 9.1. In case L(π) = L(ρ) but L_δ(π) ≠ L_δ(ρ) we take ψ_π to be ∞ or ¬∞. The definition of ψ remains the same.

Corollary 9.6.
Let s and t be states in an LTS, and let η be an LTS-to-ℒTS transformation preserving and reflecting =^{∆δ}_T. Then s =^{∆δ}_T t iff s ⊨_η ψ ⇔ t ⊨_η ψ for all LTL∞ formulas ψ.

The deadlock extension of Definition 8.1 gives the same result.
Theorem 9.7. Let s and t be states in an LTS, and let η be an LTS-to-ℒTS transformation preserving and reflecting =^{∆δ}_T. Then s =^{∆δ}_T t iff s ⊨_{D∘η} ψ ⇔ t ⊨_{D∘η} ψ for all LTL−X formulas ψ.

Proof. Just like Corollary 8.3, this follows immediately from the observations that s ≈^{∆δ}_L t within a Kripke structure K iff s ≈^{∆δ}_L t within the Kripke structure D(K) (cf. Theorem 8.2), and that on total Kripke structures the equivalence relations ≈^{∆δ}_L and ≈_L coincide.

Kaivola & Valmari [11] study equivalences on LTSs with the property that under all plausible transformations of LTSs into Kripke structures two equivalent states (transformed into states of Kripke structures) satisfy the same formulas in either LTL−X or LTL∞. They characterise the coarsest such congruences for a selection of standard process algebra operators (including the merge, but also a partially synchronous parallel composition as well as nondeterministic choice) as NDFD-equivalence (for LTL−X) and CFFD-equivalence (for LTL∞). It turns out that neither =^∆_{λT} nor =^{∆δ}_T are congruences for the partially synchronous parallel composition, or for nondeterministic choice. Hence to satisfy the requirement of being a congruence for these operators, NDFD-equivalence is necessarily finer than =^∆_{λT}, and CFFD-equivalence is necessarily finer than =^{∆δ}_T. The question of raising the expressiveness of LTL−X to the level where it characterises NDFD- or CFFD-equivalence directly remains open.

10. Conclusion
In this paper we enabled CTL−X and CTL∗−X to be used as logics on labelled transition systems (LTSs) while taking deadlock behaviour into account. This could be accomplished by adding a modality to CTL∗−X, by adapting the semantics of the G-modality (in CTL−X), or by adapting the translations from [5] from LTSs to Kripke structures. We have shown that these approaches all lead to equally expressive logics on LTSs. Our work allows the rich tradition of verification by equivalence checking to be combined with the full expressive power of CTL∗−X. Taking advantage of this possibility is left for further research.

Acknowledgements.
We are grateful to the referees for their many helpful suggestions.
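As an added worked example (not code from the paper) of the two approaches compared in Section 8 and summarised in the conclusion, the following small CTL−X model checker works over finite, possibly non-total Kripke structures, builds the deadlock extension D(K) as the page describes it (a fresh state s_δ labelled only with δ, carrying a self-loop and reached from every deadlock state), and applies the translation D of Theorem 8.6; running it confirms Theorem 8.5 on a constructed structure, i.e. s ⊨ ϕ in K iff s ⊨ D(ϕ) in D(K) for every original state s. The tuple syntax for formulas, the state names and the structure are this example's own assumptions; the clause for ∃G is derived from the CTL∗ clause D(Gϕ) = ¬δ ∧ G(δ ∨ D(ϕ)) quoted in Section 8 rather than copied from the theorem.

```python
"""Added example (not code from the paper): CTL_{-X} model checking on non-total
Kripke structures, the deadlock extension D(K), and the translation D of
Theorem 8.6, checked against Theorem 8.5 on a constructed structure."""

# Formulas are nested tuples:
#   ('top',) | ('p', name) | ('not', f) | ('and', f, g)
#   ('EU', f, g)   some maximal path satisfies f until g
#   ('EG', f)      some maximal path (finite or infinite) satisfies f throughout
#   ('EGinf', f)   some infinite path satisfies f throughout
TOP = ('top',)
DELTA = ('p', 'delta')


def Not(f):    return ('not', f)
def And(f, g): return ('and', f, g)
def Or(f, g):  return Not(And(Not(f), Not(g)))


class Kripke:
    """Finite Kripke structure; succ[s] may be empty, making s a deadlock state."""
    def __init__(self, states, label, succ):
        self.states = list(states)
        self.label = label      # state -> frozenset of atomic propositions
        self.succ = succ        # state -> set of successor states

    def deadlock_extension(self, s_delta='s_delta'):
        """D(K): every deadlock state gets a transition to the fresh state s_delta,
        which carries a self-loop and is the only state satisfying delta."""
        label = dict(self.label)
        label[s_delta] = frozenset({'delta'})
        succ = {s: set(t) for s, t in self.succ.items()}
        for s in self.states:
            if not self.succ[s]:
                succ[s].add(s_delta)
        succ[s_delta] = {s_delta}
        return Kripke(self.states + [s_delta], label, succ)

    def sat(self, f):
        """States satisfying f.  Path modalities range over maximal paths, so a
        finite path ending in a deadlock state counts for EG but not for EGinf."""
        op = f[0]
        if op == 'top': return set(self.states)
        if op == 'p':   return {s for s in self.states if f[1] in self.label[s]}
        if op == 'not': return set(self.states) - self.sat(f[1])
        if op == 'and': return self.sat(f[1]) & self.sat(f[2])
        if op == 'EU':  # least fixpoint: g, or f with a successor already in the set
            sf, res = self.sat(f[1]), self.sat(f[2])
            while True:
                new = res | {s for s in sf if self.succ[s] & res}
                if new == res:
                    return res
                res = new
        if op in ('EG', 'EGinf'):  # greatest fixpoint inside sat(f)
            res = self.sat(f[1])
            while True:
                new = {s for s in res
                       if self.succ[s] & res or (op == 'EG' and not self.succ[s])}
                if new == res:
                    return res
                res = new
        raise ValueError(f'unknown operator {op}')


def D(f):
    """Translation D from CTL_inf to CTL_delta (clauses of Theorem 8.6); the EG
    clause is derived from the CTL* clause D(G phi) = not delta and G(delta or D(phi))."""
    op = f[0]
    if op in ('top', 'p'): return f
    if op == 'not':   return And(Not(DELTA), Not(D(f[1])))
    if op == 'and':   return And(D(f[1]), D(f[2]))
    if op == 'EU':    return ('EU', D(f[1]), D(f[2]))
    if op == 'EGinf': return ('EG', And(Not(DELTA), D(f[1])))
    if op == 'EG':    return And(Not(DELTA), ('EG', Or(DELTA, D(f[1]))))
    raise ValueError(f'unknown operator {op}')


def translation_agrees(K, formulas):
    """Theorem 8.5: for every original state s and formula phi,
    s |= phi in K  iff  s |= D(phi) in D(K)."""
    DK = K.deadlock_extension()
    return all((s in K.sat(f)) == (s in DK.sat(D(f)))
               for f in formulas for s in K.states)


# Constructed structure: s1 diverges (self-loop), s3 is a deadlock state.
P, Q = ('p', 'p'), ('p', 'q')
K = Kripke(['s0', 's1', 's2', 's3'],
           {'s0': frozenset({'p'}), 's1': frozenset({'p'}),
            's2': frozenset({'p'}), 's3': frozenset({'q'})},
           {'s0': {'s1', 's2'}, 's1': {'s1'}, 's2': {'s3'}, 's3': set()})

# "Deadlock is unavoidable" (no infinite path from here) is expressible without X.
DEADLOCK_UNAVOIDABLE = Not(('EGinf', TOP))
FORMULAS = [('EG', P), ('EGinf', P), ('EG', Or(P, Q)), ('EGinf', Or(P, Q)),
            ('EU', P, Q), DEADLOCK_UNAVOIDABLE]

if __name__ == '__main__':
    for f in FORMULAS:
        print(f, sorted(K.sat(f)))
    print('D(phi) in D(K) agrees with phi in K:', translation_agrees(K, FORMULAS))
```

On the constructed structure, ∃G(p ∨ q) holds in all four states while ∃G∞(p ∨ q) holds only in s0 and s1, which is exactly the distinction the deadlock extension has to preserve: in D(K) the translated formulas ¬δ ∧ ∃G(δ ∨ …) and ∃G(¬δ ∧ …) separate the two, since only the first may run into s_δ.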
References

[1] L. Aceto, W.J. Fokkink & C. Verhoef (2001): Structural operational semantics. In J.A. Bergstra, A. Ponse & S.A. Smolka, editors: Handbook of Process Algebra, Elsevier, pp. 197–292.
[2] J.A. Bergstra, A. Ponse & S.A. Smolka, editors (2001): Handbook of Process Algebra, Elsevier.
[3] M.C. Browne, E.M. Clarke & O. Grumberg (1988): Characterizing finite Kripke structures in propositional temporal logic. Theoretical Computer Science 59, pp. 115–131.
[4] R. De Nicola & F.W. Vaandrager (1990): Action versus State based Logics for Transition Systems. In I. Guessarian, editor: Proceedings LITP Spring School on Theoretical Computer Science: Semantics of Systems of Concurrent Processes, La Roche Posay, France 1990. LNCS 469, Springer, pp. 407–419.
[5] R. De Nicola & F.W. Vaandrager (1995): Three logics for branching bisimulation. Journal of the ACM 42(2), pp. 458–487.
[6] E.A. Emerson & E.M. Clarke (1982): Using branching time temporal logic to synthesize synchronization skeletons. Science of Computer Programming 2(3), pp. 241–266.
[7] E.A. Emerson & J.Y. Halpern (1986): ‘Sometimes’ and ‘Not Never’ revisited: on branching time versus linear time temporal logic. Journal of the ACM 33(1), pp. 151–178.
[8] R.J. van Glabbeek (1993): The linear time – branching time spectrum II. In E. Best, editor: Proceedings CONCUR’93, LNCS 715, Springer, pp. 66–81.
[9] R.J. van Glabbeek (2005): A characterisation of weak bisimulation congruence. In A. Middeldorp, V. van Oostrom, F. van Raamsdonk & R. de Vrijer, editors: Processes, Terms and Cycles: Steps on the Road to Infinity: Essays Dedicated to Jan Willem Klop on the Occasion of His 60th Birthday, LNCS 3838, Springer, pp. 26–39.
[10] R.J. van Glabbeek & W.P. Weijland (1996): Branching time and abstraction in bisimulation semantics. Journal of the ACM 43(3), pp. 555–600.
[11] R. Kaivola & A. Valmari (1992): The weakest compositional semantic equivalence preserving Nexttime-less Linear Temporal Logic. In W.R. Cleaveland, editor: Proceedings CONCUR’92, LNCS 630, Springer, pp. 207–221.
[12] D. Kozen (1983): Results on the propositional mu-calculus. Theoretical Computer Science 27, pp. 333–354.
[13] R. Milner (1989): Communication and Concurrency. Prentice Hall, Englewood Cliffs.
[14] A. Pnueli (1977): The Temporal Logic of Programs. In Proceedings FOCS’77, IEEE Computer Society Press, pp. 46–57.
[15] Y.S. Ramakrishna & S. Smolka (1997): Partial-order reduction in the weak modal mu-calculus. In A. Mazurkiewicz & J. Winkowski, editors: Proceedings CONCUR’97, LNCS 1243, Springer, pp. 5–24.
[16] N. Trčka (2007): Silent Steps in Transition Systems and Markov Chains. PhD thesis, Eindhoven University of Technology.
This work is licensed under the Creative Commons Attribution-NoDerivs License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/