Colin Stirling

Model Checking Fixed Point Logic with Chop

This paper examines FLC, which is the modal µ-calculus enriched with a sequential composition operator. Bisimulation invariance and the tree model property are proved. Its succinctness is compared to the modal µ-calculus. The main focus lies on FLCs model checking problem over finite transition systems. It is proved to be PSPACE-hard. A tableau model checker is given and an upper EXPTIME bound is derived from it. For a fixed alternation depth FLCs model checking problem turns out to be PSPACE-complete.

Local Model Checking in the Modal Mu-Calculus

The modal mu-calculus, due to Prat t and Kozen [Pr, Ko], is a natural extension of dynamic logic. It is also one method of obtaining a branching time temporal logic from a modal logic [EL]. Furthermore, it extends Hennessy-Milner logic, thereby offering a natural temporal logic for Milners CCS, and process systems in general. (Discussion of the uses of the mu-calculus for CCS can be found in [GS,Ho,La,St,Sti2].) Within this context we are especially interested in whether or not a particular state, or process, in a finite model satisfies a mu-calculus formula. This is a different enterprise from that addressed by Emerson and Lei [EL] who ask if a given formula is satisfiable in a given finite model. Their model checker appeals to standard approximation techniques for computing the set of states which satisfy a fixpoint formula. But then one has to compute all the states or processes in the model which satisfy that formula. In this paper we present a local model checker for the mu-calculus, as a tableau system. It checks whether or not a particular state satisfies a formula. Instead of using approximation techniques there is an implicit use of fixpoint induction (inspired by [La]). A maximal fixpoint formula, in effect, expresses a safety property. One shows that the assumption that a state has such a property leads to no unforeseen consequences. In contrast, a minimal fixpoint formula expresses a liveness property. Therefore one has to establish that the property holds of a particular state. Formulae involving alternating fixpoints [EL] introduce subtleties. However the resulting tableau system is natural and an equivalent version of it has been implemented by Rance Cleaveland [C1]. In section 2 we describe the syntax and semantics of the modal mu-calculus. A small extension to the calculus, the addition of propositional constants, is detailed in section 3. The model checker, presented as a tableau system, is given in section 4, while the proofs of its soundness, completeness and decidability are the topic of section 6. Finally, in section 5 we use the model checker to analyse a mutual exclusion algorithm when translated into CCS.

Modal and temporal properties of processes

In a clear and well-organized presentation,Modal and Temporal Properties of Processes introduces concurrent processes as terms of an algebraic language comprising a few basic operators, whose behaviours are described using transitions. The book describes how families of such transitions can be arranged as labeled graphs---themselves concrete summaries of the behaviour are determined by transition rules. An extensive use of games for both equivalence and model checking provides an approach that is more conceptually clear than generally employed alternatives.

Modal and temporal logics for processes

Preface We examine modal and temporal logics for processes. In section 1 we introduce concurrent processes as terms of an algebraic language comprising a few basic operators, as developed by Milner, Hoare and others. Their behaviours are described using transitions. Families of transitions can be arranged as labelled graphs, concrete summaries of process behaviour. Various combinations of processes are reviewed. In section 2 modal logic is introduced for describing the capabilities of processes. An important discussion is when two processes may be deemed, for all practical purposes, to have the same behaviour. We discuss bisimulation equivalence as the discriminating power of modal logic is tied to it. This equivalence is initially presented in terms of games. More generally practitioners have found it useful to be able to express temporal properties (such as liveness and safety) of concurrent systems. A logic expressing temporal notions provides a framework for the precise formalization of such speciications. Formulas of the modal logic are not rich enough to express such temporal properties. So extra operators, extremal xed points, are added in section 3. The result is a very expressive temporal logic. The modal and temporal logics provide a repository of useful properties. However it is also very important to be able to verify that an agent has or lacks a particular property. This is the topic of section 4. First we show that property checking can be understood in terms of game playing. We then present sound and complete tableau proof systems for proving temporal properties of processes. The proof method is illustrated on several examples. Finally, concluding comments are contained in section 5.

Bisimulation equivalence is decidable for all context-free processes

Abstract A result originally due to Baeten, Bergstra, and Klop shows that strong bisimulation equivalence for normed BPA processes is decidable. On the other hand, Huynh and Tian, and Groote and Huttel, have proved that all other standard equivalences are undecidable for normed BPA and thus for BPA in general, The open problem remaining has been whether bisimulation is decidable for the full BPA language. In this paper, we answer this question in the affirmative, using a proof technique based on the proof by Caucal of the decidability of language equivalence for simple algebraic grammars. The decision procedure relies on our main result, extending that of Caucal, that the maximal bisimulation of any BPA transition graph is finitely representable as a Thue congruence. The decision procedure consists of two semi-decision procedures, one testing for non-bisimilarity and one testing for bisimilarity.

Modal Mu-Calculi

In the previous chapter we saw that modal formulas are not very expressive. They can not capture enduring traits of processes, the properties definable within temporal logic. However, these longer term properties can be viewed as closure conditions on immediate capabilities and necessities that modal logic captures. By permitting recursive modal equations, these temporal properties are expressible as extremal solutions of such equations. The property “whenever a coin is inserted, eventually an item is collected” is expressed using two recursive modal equations with different solutions. In the previous chapter, least and greatest solutions to recursive modal equations were represented using the fixed point quantifiers μZ and υZ. In this chapter we shall explicitly add these connectives to modal logic, thereby providing a very rich temporal logic.

Modal logics for communicating systems

Abstract Simple modal logics for Milners SCCS and CCS are presented. We offer sound and complete axiomatizations of validity relative to these calculi as models. Also we present compositional proof systems for when a program satisfies a formula. These involve proof rules which are like Gentzen introduction rules except that there are also introduction rules for the program combinators of SCCS and CCS. The compositional rules for restriction (or hiding) and parallel combinators arise out of a simple semantic strategy.

Modal Logics and mu-Calculi: An Introduction

We briefly survey the background and history of modal and temporal logics. We then concentrate on the modal mu-calculus, a modal logic which subsumes most other commonly used logics. We provide an informal introduction, followed by a summary of the main theoretical issues. We then look at model-checking, and finally at the relationship of modal logics to other formalisms.

Local model checking for infinite state spaces

Bradtield, J. and C. Stirling, Local model checking for infinite spaces, Theoretical Computer Science 96 (1992) 157-174. We present a sound and complete tableau proof system for establishing whether a set of elements of an arbitrary transition system model has a property expressed in (a slight extension of) the modal mu-calculus. The proof system, we believe, offers a very general verification method applicable to a wide range of computational systems. In the last twenty years many approaches to program verification have been developed. Hoare’s partial correctness logic for simple while programs gave an early sound and relatively complete proof system. This approach was subsequently extended to total correctness and to richer classes of programs. Dynamic logics offered a more abstract view of Hoare logics, especially in their propositional versions. Pnueli pioneered the use of propositional temporal logics as more general program logics, capable of describing crucial properties of perpetual concurrent systems. A variety of temporal logics have been studied, particularly branching and linear time. Many useful decidability and expressiveness results (relating logics and automata) have been obtained, as well as sound and complete axiomatizations of validity. A slightly earlier tradition in the study of correctness was given by the work on program schemes where second order logics were advocated, especially in the form of the mu-calculus due to de Bakker, de Roever and Park. An elegant generalization of propositional dynamic and temporal logics drawing on this tradition is the propositional modal mu-calculus, due to Pratt and Kozen. The modal mu-calculus has been shown to include Propositional

Actions speak louder than words: proving bisimilarity for context-free processes

J.C.M. Baeten et al. (Lecture Notes in Computer Science, vol. 259, pp. 93-114, 1987) proved that bisimulation equivalence is decidable for irredundant context-free grammars. A much simpler and much more direct proof of this result is provided now. It uses a tableau decision method involving goal-directed rules. The decision procedure yields an upper bound on a tableau depth. Moreover, it provides the essential part of the bisimulation relation between two processes which underlies their equivalence. A second virtue is that it provides a sound and complete equational theory for such processes.<<ETX>>